teleton 0.4.0 → 0.5.1

package/dist/server-BQY7CM2N.js

@@ -0,0 +1,1120 @@
+import {
+  WorkspaceSecurityError,
+  validateDirectory,
+  validatePath,
+  validateReadPath,
+  validateWritePath
+} from "./chunk-5WWR4CU3.js";
+import "./chunk-O4R7V5Y2.js";
+import {
+  WORKSPACE_ROOT
+} from "./chunk-EYWNOHMJ.js";
+import {
+  getTaskStore
+} from "./chunk-NUGDTPE4.js";
+import "./chunk-QGM4M3NI.js";
+
+// src/webui/server.ts
+import { Hono as Hono9 } from "hono";
+import { serve } from "@hono/node-server";
+import { cors } from "hono/cors";
+import { bodyLimit } from "hono/body-limit";
+import { setCookie, getCookie, deleteCookie } from "hono/cookie";
+import { existsSync as existsSync2, readFileSync as readFileSync3 } from "fs";
+import { join as join3, dirname, resolve, relative as relative2 } from "path";
+import { fileURLToPath } from "url";
+
+// src/webui/middleware/auth.ts
+import { randomBytes, timingSafeEqual } from "crypto";
+var COOKIE_NAME = "teleton_session";
+var COOKIE_MAX_AGE = 7 * 24 * 60 * 60;
+function generateToken() {
+  return randomBytes(32).toString("base64url");
+}
+function maskToken(token) {
+  if (token.length < 12) return "****";
+  return `${token.slice(0, 4)}...${token.slice(-4)}`;
+}
+function safeCompare(a, b) {
+  if (!a || !b) return false;
+  const bufA = Buffer.from(a);
+  const bufB = Buffer.from(b);
+  if (bufA.length !== bufB.length) return false;
+  return timingSafeEqual(bufA, bufB);
+}
+
+// src/webui/log-interceptor.ts
+var LogInterceptor = class {
+  listeners = /* @__PURE__ */ new Set();
+  isPatched = false;
+  originalMethods = {
+    log: console.log,
+    warn: console.warn,
+    error: console.error
+  };
+  install() {
+    if (this.isPatched) return;
+    const levels = ["log", "warn", "error"];
+    for (const level of levels) {
+      const original = this.originalMethods[level];
+      console[level] = (...args) => {
+        original.apply(console, args);
+        if (this.listeners.size > 0) {
+          const entry = {
+            level,
+            message: args.map((arg) => typeof arg === "string" ? arg : JSON.stringify(arg)).join(" "),
+            timestamp: Date.now()
+          };
+          for (const listener of this.listeners) {
+            try {
+              listener(entry);
+            } catch (err) {
+              original.call(console, "\u274C Log listener error:", err);
+            }
+          }
+        }
+      };
+    }
+    this.isPatched = true;
+  }
+  uninstall() {
+    if (!this.isPatched) return;
+    console.log = this.originalMethods.log;
+    console.warn = this.originalMethods.warn;
+    console.error = this.originalMethods.error;
+    this.isPatched = false;
+  }
+  addListener(listener) {
+    this.listeners.add(listener);
+    return () => this.listeners.delete(listener);
+  }
+  removeListener(listener) {
+    this.listeners.delete(listener);
+  }
+  clear() {
+    this.listeners.clear();
+  }
+};
+var logInterceptor = new LogInterceptor();
+
+// src/webui/routes/status.ts
+import { Hono } from "hono";
+function createStatusRoutes(deps) {
+  const app = new Hono();
+  app.get("/", (c) => {
+    try {
+      const config = deps.agent.getConfig();
+      const sessionCountRow = deps.memory.db.prepare("SELECT COUNT(*) as count FROM sessions").get();
+      const data = {
+        uptime: process.uptime(),
+        model: config.agent.model,
+        provider: config.agent.provider,
+        sessionCount: sessionCountRow?.count ?? 0,
+        paused: false,
+        // TODO: get from message handler
+        toolCount: deps.toolRegistry.getAll().length
+      };
+      const response = {
+        success: true,
+        data
+      };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  return app;
+}
+
+// src/webui/routes/tools.ts
+import { Hono as Hono2 } from "hono";
+function createToolsRoutes(deps) {
+  const app = new Hono2();
+  app.get("/", (c) => {
+    try {
+      const allTools = deps.toolRegistry.getAll();
+      const modules = deps.toolRegistry.getAvailableModules();
+      const toolMap = new Map(allTools.map((t) => [t.name, t]));
+      const moduleData = modules.map((moduleName) => {
+        const moduleToolNames = deps.toolRegistry.getModuleTools(moduleName);
+        const toolsInfo = moduleToolNames.map((toolEntry) => {
+          const tool = toolMap.get(toolEntry.name);
+          if (!tool) return null;
+          const config = deps.toolRegistry.getToolConfig(toolEntry.name);
+          return {
+            name: tool.name,
+            description: tool.description || "",
+            module: moduleName,
+            scope: config?.scope ?? toolEntry.scope,
+            category: deps.toolRegistry.getToolCategory(tool.name),
+            enabled: config?.enabled ?? true
+          };
+        }).filter((t) => t !== null);
+        return {
+          name: moduleName,
+          toolCount: moduleToolNames.length,
+          tools: toolsInfo,
+          isPlugin: deps.toolRegistry.isPluginModule(moduleName)
+        };
+      });
+      const response = {
+        success: true,
+        data: moduleData
+      };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.put("/:name", async (c) => {
+    try {
+      const toolName = c.req.param("name");
+      const body = await c.req.json();
+      if (!deps.toolRegistry.has(toolName)) {
+        const response2 = {
+          success: false,
+          error: `Tool "${toolName}" not found`
+        };
+        return c.json(response2, 404);
+      }
+      const { enabled, scope } = body;
+      const VALID_SCOPES = ["always", "dm-only", "group-only", "admin-only"];
+      if (scope !== void 0 && !VALID_SCOPES.includes(scope)) {
+        const response2 = {
+          success: false,
+          error: `Invalid scope "${scope}". Must be one of: ${VALID_SCOPES.join(", ")}`
+        };
+        return c.json(response2, 400);
+      }
+      if (enabled !== void 0) {
+        const success = deps.toolRegistry.setToolEnabled(toolName, enabled);
+        if (!success) {
+          const response2 = {
+            success: false,
+            error: "Failed to update tool enabled status"
+          };
+          return c.json(response2, 500);
+        }
+      }
+      if (scope !== void 0) {
+        const success = deps.toolRegistry.updateToolScope(
+          toolName,
+          scope
+        );
+        if (!success) {
+          const response2 = {
+            success: false,
+            error: "Failed to update tool scope"
+          };
+          return c.json(response2, 500);
+        }
+      }
+      const config = deps.toolRegistry.getToolConfig(toolName);
+      const response = {
+        success: true,
+        data: {
+          tool: toolName,
+          enabled: config?.enabled ?? true,
+          scope: config?.scope ?? "always"
+        }
+      };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.get("/:name/config", (c) => {
+    try {
+      const toolName = c.req.param("name");
+      if (!deps.toolRegistry.has(toolName)) {
+        const response2 = {
+          success: false,
+          error: `Tool "${toolName}" not found`
+        };
+        return c.json(response2, 404);
+      }
+      const config = deps.toolRegistry.getToolConfig(toolName);
+      const response = {
+        success: true,
+        data: {
+          tool: toolName,
+          enabled: config?.enabled ?? true,
+          scope: config?.scope ?? "always"
+        }
+      };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.get("/:module", (c) => {
+    try {
+      const moduleName = c.req.param("module");
+      const allTools = deps.toolRegistry.getAll();
+      const toolMap = new Map(allTools.map((t) => [t.name, t]));
+      const moduleToolNames = deps.toolRegistry.getModuleTools(moduleName);
+      const toolsInfo = moduleToolNames.map((toolEntry) => {
+        const tool = toolMap.get(toolEntry.name);
+        if (!tool) return null;
+        const config = deps.toolRegistry.getToolConfig(toolEntry.name);
+        return {
+          name: tool.name,
+          description: tool.description || "",
+          module: moduleName,
+          scope: config?.scope ?? toolEntry.scope,
+          category: deps.toolRegistry.getToolCategory(tool.name),
+          enabled: config?.enabled ?? true
+        };
+      }).filter((t) => t !== null);
+      const response = {
+        success: true,
+        data: toolsInfo
+      };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  return app;
+}
+
+// src/webui/routes/logs.ts
+import { Hono as Hono3 } from "hono";
+import { streamSSE } from "hono/streaming";
+function createLogsRoutes(_deps) {
+  const app = new Hono3();
+  app.get("/stream", (c) => {
+    return streamSSE(c, async (stream) => {
+      let cleanup;
+      let aborted = false;
+      stream.onAbort(() => {
+        aborted = true;
+        if (cleanup) cleanup();
+      });
+      cleanup = logInterceptor.addListener((entry) => {
+        if (!aborted) {
+          stream.writeSSE({
+            data: JSON.stringify(entry),
+            event: "log"
+          });
+        }
+      });
+      await stream.writeSSE({
+        data: JSON.stringify({
+          level: "log",
+          message: "\u{1F310} WebUI log stream connected",
+          timestamp: Date.now()
+        }),
+        event: "log"
+      });
+      await new Promise((resolve2) => {
+        if (aborted) return resolve2();
+        stream.onAbort(() => resolve2());
+      });
+      if (cleanup) cleanup();
+    });
+  });
+  return app;
+}
+
+// src/webui/routes/memory.ts
+import { Hono as Hono4 } from "hono";
+function createMemoryRoutes(deps) {
+  const app = new Hono4();
+  app.get("/search", async (c) => {
+    try {
+      const query = c.req.query("q") || "";
+      const limit = parseInt(c.req.query("limit") || "10", 10);
+      if (!query) {
+        const response2 = {
+          success: false,
+          error: "Query parameter 'q' is required"
+        };
+        return c.json(response2, 400);
+      }
+      const sanitizedQuery = '"' + query.replace(/"/g, '""') + '"';
+      const results = deps.memory.db.prepare(
+        `
+          SELECT
+            k.id,
+            k.text,
+            k.source,
+            k.path,
+            bm25(knowledge_fts) as score
+          FROM knowledge_fts
+          JOIN knowledge k ON knowledge_fts.rowid = k.rowid
+          WHERE knowledge_fts MATCH ?
+          ORDER BY score DESC
+          LIMIT ?
+        `
+      ).all(sanitizedQuery, limit);
+      const searchResults = results.map((row) => ({
+        id: row.id,
+        text: row.text,
+        source: row.path || row.source,
+        score: Math.max(0, 1 - row.score / 10),
+        // Normalize BM25 score to 0-1 range
+        keywordScore: Math.max(0, 1 - row.score / 10)
+      }));
+      const response = {
+        success: true,
+        data: searchResults
+      };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.get("/sessions", (c) => {
+    try {
+      const rows = deps.memory.db.prepare(
+        `
+          SELECT
+            chat_id,
+            id,
+            message_count,
+            context_tokens,
+            updated_at
+          FROM sessions
+          ORDER BY updated_at DESC
+        `
+      ).all();
+      const sessions = rows.map((row) => ({
+        chatId: row.chat_id,
+        sessionId: row.id,
+        messageCount: row.message_count,
+        contextTokens: row.context_tokens,
+        lastActivity: row.updated_at
+      }));
+      const response = {
+        success: true,
+        data: sessions
+      };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.get("/stats", (c) => {
+    try {
+      const stats = {
+        knowledge: deps.memory.db.prepare("SELECT COUNT(*) as count FROM knowledge").get().count,
+        sessions: deps.memory.db.prepare("SELECT COUNT(*) as count FROM sessions").get().count,
+        messages: deps.memory.db.prepare("SELECT COUNT(*) as count FROM tg_messages").get().count,
+        chats: deps.memory.db.prepare("SELECT COUNT(*) as count FROM tg_chats").get().count
+      };
+      const response = {
+        success: true,
+        data: stats
+      };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  return app;
+}
+
+// src/webui/routes/soul.ts
+import { Hono as Hono5 } from "hono";
+import { readFileSync, writeFileSync } from "fs";
+import { join } from "path";
+var SOUL_FILES = ["SOUL.md", "SECURITY.md", "STRATEGY.md", "MEMORY.md"];
+function isSoulFile(filename) {
+  return SOUL_FILES.includes(filename);
+}
+function createSoulRoutes(_deps) {
+  const app = new Hono5();
+  app.get("/:file", (c) => {
+    try {
+      const filename = c.req.param("file");
+      if (!isSoulFile(filename)) {
+        const response = {
+          success: false,
+          error: `Invalid soul file. Must be one of: ${SOUL_FILES.join(", ")}`
+        };
+        return c.json(response, 400);
+      }
+      const filePath = join(WORKSPACE_ROOT, filename);
+      try {
+        const content = readFileSync(filePath, "utf-8");
+        const response = {
+          success: true,
+          data: { content }
+        };
+        return c.json(response);
+      } catch (error) {
+        if (error.code === "ENOENT") {
+          const response = {
+            success: true,
+            data: { content: "" }
+          };
+          return c.json(response);
+        }
+        throw error;
+      }
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.put("/:file", async (c) => {
+    try {
+      const filename = c.req.param("file");
+      if (!isSoulFile(filename)) {
+        const response2 = {
+          success: false,
+          error: `Invalid soul file. Must be one of: ${SOUL_FILES.join(", ")}`
+        };
+        return c.json(response2, 400);
+      }
+      const body = await c.req.json();
+      if (typeof body.content !== "string") {
+        const response2 = {
+          success: false,
+          error: "Request body must contain 'content' field with string value"
+        };
+        return c.json(response2, 400);
+      }
+      const MAX_SOUL_SIZE = 1024 * 1024;
+      if (Buffer.byteLength(body.content, "utf-8") > MAX_SOUL_SIZE) {
+        const response2 = {
+          success: false,
+          error: "Soul file content exceeds 1MB limit"
+        };
+        return c.json(response2, 413);
+      }
+      const filePath = join(WORKSPACE_ROOT, filename);
+      writeFileSync(filePath, body.content, "utf-8");
+      const response = {
+        success: true,
+        data: { message: `${filename} updated successfully` }
+      };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  return app;
+}
+
+// src/webui/routes/plugins.ts
+import { Hono as Hono6 } from "hono";
+function createPluginsRoutes(deps) {
+  const app = new Hono6();
+  app.get("/", (c) => {
+    const response = {
+      success: true,
+      data: deps.plugins
+    };
+    return c.json(response);
+  });
+  return app;
+}
+
+// src/webui/routes/workspace.ts
+import { Hono as Hono7 } from "hono";
+import {
+  readFileSync as readFileSync2,
+  writeFileSync as writeFileSync2,
+  mkdirSync,
+  rmSync,
+  renameSync,
+  readdirSync,
+  statSync,
+  existsSync
+} from "fs";
+import { join as join2, relative } from "path";
+function errorResponse(c, error, status = 500) {
+  const message = error instanceof Error ? error.message : String(error);
+  const code = error instanceof WorkspaceSecurityError ? 403 : status;
+  const response = { success: false, error: message };
+  return c.json(response, code);
+}
+function getWorkspaceStats(dir) {
+  let files = 0;
+  let size = 0;
+  if (!existsSync(dir)) return { files, size };
+  for (const entry of readdirSync(dir, { withFileTypes: true })) {
+    const fullPath = join2(dir, entry.name);
+    if (entry.isDirectory()) {
+      const sub = getWorkspaceStats(fullPath);
+      files += sub.files;
+      size += sub.size;
+    } else if (entry.isFile()) {
+      files++;
+      try {
+        size += statSync(fullPath).size;
+      } catch {
+      }
+    }
+  }
+  return { files, size };
+}
+function listDir(absPath, recursive) {
+  if (!existsSync(absPath)) return [];
+  const entries = [];
+  for (const entry of readdirSync(absPath, { withFileTypes: true })) {
+    const fullPath = join2(absPath, entry.name);
+    const relPath = relative(WORKSPACE_ROOT, fullPath);
+    try {
+      const stats = statSync(fullPath);
+      entries.push({
+        name: entry.name,
+        path: relPath,
+        isDirectory: entry.isDirectory(),
+        size: entry.isDirectory() ? 0 : stats.size,
+        mtime: stats.mtime.toISOString()
+      });
+      if (recursive && entry.isDirectory()) {
+        entries.push(...listDir(fullPath, true));
+      }
+    } catch {
+    }
+  }
+  return entries;
+}
+function createWorkspaceRoutes(_deps) {
+  const app = new Hono7();
+  app.get("/", (c) => {
+    try {
+      const subpath = c.req.query("path") || "";
+      const recursive = c.req.query("recursive") === "true";
+      const validated = subpath ? validateDirectory(subpath) : {
+        absolutePath: WORKSPACE_ROOT,
+        relativePath: "",
+        exists: existsSync(WORKSPACE_ROOT),
+        isDirectory: true,
+        extension: "",
+        filename: ""
+      };
+      if (!validated.exists) {
+        const response2 = { success: true, data: [] };
+        return c.json(response2);
+      }
+      const entries = listDir(validated.absolutePath, recursive);
+      entries.sort((a, b) => {
+        if (a.isDirectory !== b.isDirectory) return a.isDirectory ? -1 : 1;
+        return a.name.localeCompare(b.name);
+      });
+      const response = { success: true, data: entries };
+      return c.json(response);
+    } catch (error) {
+      return errorResponse(c, error);
+    }
+  });
+  app.get("/read", (c) => {
+    try {
+      const path = c.req.query("path");
+      if (!path) {
+        const response2 = { success: false, error: "Missing 'path' query parameter" };
+        return c.json(response2, 400);
+      }
+      const validated = validateReadPath(path);
+      const stats = statSync(validated.absolutePath);
+      if (stats.size > 1024 * 1024) {
+        const response2 = { success: false, error: "File too large to read (max 1MB)" };
+        return c.json(response2, 413);
+      }
+      const content = readFileSync2(validated.absolutePath, "utf-8");
+      const response = {
+        success: true,
+        data: { content, size: stats.size }
+      };
+      return c.json(response);
+    } catch (error) {
+      return errorResponse(c, error);
+    }
+  });
+  app.post("/write", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.path || typeof body.content !== "string") {
+        const response2 = {
+          success: false,
+          error: "Request body must contain 'path' and 'content'"
+        };
+        return c.json(response2, 400);
+      }
+      const validated = validateWritePath(body.path);
+      const parentDir = join2(validated.absolutePath, "..");
+      mkdirSync(parentDir, { recursive: true });
+      writeFileSync2(validated.absolutePath, body.content, "utf-8");
+      const response = {
+        success: true,
+        data: { message: `File saved: ${validated.relativePath}` }
+      };
+      return c.json(response);
+    } catch (error) {
+      return errorResponse(c, error);
+    }
+  });
+  app.post("/mkdir", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.path) {
+        const response2 = { success: false, error: "Request body must contain 'path'" };
+        return c.json(response2, 400);
+      }
+      const validated = validateDirectory(body.path);
+      mkdirSync(validated.absolutePath, { recursive: true });
+      const response = {
+        success: true,
+        data: { message: `Directory created: ${validated.relativePath}` }
+      };
+      return c.json(response);
+    } catch (error) {
+      return errorResponse(c, error);
+    }
+  });
+  app.delete("/", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.path) {
+        const response2 = { success: false, error: "Request body must contain 'path'" };
+        return c.json(response2, 400);
+      }
+      const validated = validatePath(body.path, false);
+      if (validated.isDirectory && !body.recursive) {
+        const contents = readdirSync(validated.absolutePath);
+        if (contents.length > 0) {
+          const response2 = {
+            success: false,
+            error: "Directory is not empty. Set recursive=true to delete recursively."
+          };
+          return c.json(response2, 400);
+        }
+      }
+      rmSync(validated.absolutePath, { recursive: !!body.recursive });
+      const response = {
+        success: true,
+        data: { message: `Deleted: ${validated.relativePath}` }
+      };
+      return c.json(response);
+    } catch (error) {
+      return errorResponse(c, error);
+    }
+  });
+  app.post("/rename", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.from || !body.to) {
+        const response2 = {
+          success: false,
+          error: "Request body must contain 'from' and 'to'"
+        };
+        return c.json(response2, 400);
+      }
+      const fromValidated = validatePath(body.from, false);
+      const toValidated = validatePath(body.to, true);
+      const parentDir = join2(toValidated.absolutePath, "..");
+      mkdirSync(parentDir, { recursive: true });
+      renameSync(fromValidated.absolutePath, toValidated.absolutePath);
+      const response = {
+        success: true,
+        data: { message: `Renamed: ${fromValidated.relativePath} \u2192 ${toValidated.relativePath}` }
+      };
+      return c.json(response);
+    } catch (error) {
+      return errorResponse(c, error);
+    }
+  });
+  app.get("/info", (c) => {
+    try {
+      const stats = getWorkspaceStats(WORKSPACE_ROOT);
+      const response = {
+        success: true,
+        data: {
+          root: WORKSPACE_ROOT,
+          totalFiles: stats.files,
+          totalSize: stats.size
+        }
+      };
+      return c.json(response);
+    } catch (error) {
+      return errorResponse(c, error);
+    }
+  });
+  return app;
+}
+
+// src/webui/routes/tasks.ts
+import { Hono as Hono8 } from "hono";
+var VALID_STATUSES = ["pending", "in_progress", "done", "failed", "cancelled"];
+function createTasksRoutes(deps) {
+  const app = new Hono8();
+  function store() {
+    return getTaskStore(deps.memory.db);
+  }
+  app.get("/", (c) => {
+    try {
+      const status = c.req.query("status");
+      const filter = status && VALID_STATUSES.includes(status) ? { status } : void 0;
+      const tasks = store().listTasks(filter);
+      const enriched = tasks.map((t) => ({
+        ...t,
+        createdAt: t.createdAt.toISOString(),
+        startedAt: t.startedAt?.toISOString() ?? null,
+        completedAt: t.completedAt?.toISOString() ?? null,
+        scheduledFor: t.scheduledFor?.toISOString() ?? null,
+        dependencies: store().getDependencies(t.id),
+        dependents: store().getDependents(t.id)
+      }));
+      const response = { success: true, data: enriched };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.get("/:id", (c) => {
+    try {
+      const task = store().getTask(c.req.param("id"));
+      if (!task) {
+        const response2 = { success: false, error: "Task not found" };
+        return c.json(response2, 404);
+      }
+      const enriched = {
+        ...task,
+        createdAt: task.createdAt.toISOString(),
+        startedAt: task.startedAt?.toISOString() ?? null,
+        completedAt: task.completedAt?.toISOString() ?? null,
+        scheduledFor: task.scheduledFor?.toISOString() ?? null,
+        dependencies: store().getDependencies(task.id),
+        dependents: store().getDependents(task.id)
+      };
+      const response = { success: true, data: enriched };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.delete("/:id", (c) => {
+    try {
+      const deleted = store().deleteTask(c.req.param("id"));
+      if (!deleted) {
+        const response2 = { success: false, error: "Task not found" };
+        return c.json(response2, 404);
+      }
+      const response = { success: true, data: { message: "Task deleted" } };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.post("/clean-done", (c) => {
+    try {
+      const doneTasks = store().listTasks({ status: "done" });
+      let deleted = 0;
+      for (const t of doneTasks) {
+        if (store().deleteTask(t.id)) deleted++;
+      }
+      const response = { success: true, data: { deleted } };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  app.post("/:id/cancel", (c) => {
+    try {
+      const updated = store().cancelTask(c.req.param("id"));
+      if (!updated) {
+        const response2 = { success: false, error: "Task not found" };
+        return c.json(response2, 404);
+      }
+      const response = { success: true, data: updated };
+      return c.json(response);
+    } catch (error) {
+      const response = {
+        success: false,
+        error: error instanceof Error ? error.message : String(error)
+      };
+      return c.json(response, 500);
+    }
+  });
+  return app;
+}
+
+// src/webui/server.ts
+function findWebDist() {
+  const candidates = [
+    resolve("dist/web"),
+    // npm start / teleton start (from project root)
+    resolve("web")
+    // fallback
+  ];
+  const __dirname = dirname(fileURLToPath(import.meta.url));
+  candidates.push(
+    resolve(__dirname, "web"),
+    // dist/web when __dirname = dist/
+    resolve(__dirname, "../dist/web")
+    // when running with tsx from src/
+  );
+  for (const candidate of candidates) {
+    if (existsSync2(join3(candidate, "index.html"))) {
+      return candidate;
+    }
+  }
+  return null;
+}
+var WebUIServer = class {
+  app;
+  server = null;
+  deps;
+  authToken;
+  constructor(deps) {
+    this.deps = deps;
+    this.app = new Hono9();
+    this.authToken = deps.config.auth_token || generateToken();
+    this.setupMiddleware();
+    this.setupRoutes();
+  }
+  /** Set an HttpOnly session cookie */
+  setSessionCookie(c) {
+    setCookie(c, COOKIE_NAME, this.authToken, {
+      path: "/",
+      httpOnly: true,
+      sameSite: "Strict",
+      secure: false,
+      // localhost is HTTP
+      maxAge: COOKIE_MAX_AGE
+    });
+  }
+  setupMiddleware() {
+    this.app.use(
+      "*",
+      cors({
+        origin: this.deps.config.cors_origins,
+        credentials: true,
+        allowMethods: ["GET", "HEAD", "PUT", "POST", "DELETE", "PATCH"],
+        allowHeaders: ["Content-Type", "Authorization"],
+        maxAge: 3600
+      })
+    );
+    if (this.deps.config.log_requests) {
+      this.app.use("*", async (c, next) => {
+        const start = Date.now();
+        await next();
+        const duration = Date.now() - start;
+        console.log(`\u{1F4E1} ${c.req.method} ${c.req.path} \u2192 ${c.res.status} (${duration}ms)`);
+      });
+    }
+    this.app.use(
+      "*",
+      bodyLimit({
+        maxSize: 2 * 1024 * 1024,
+        // 2MB
+        onError: (c) => c.json({ success: false, error: "Request body too large (max 2MB)" }, 413)
+      })
+    );
+    this.app.use("*", async (c, next) => {
+      await next();
+      c.res.headers.set("X-Content-Type-Options", "nosniff");
+      c.res.headers.set("X-Frame-Options", "DENY");
+      c.res.headers.set("Referrer-Policy", "strict-origin-when-cross-origin");
+    });
+    this.app.use("/api/*", async (c, next) => {
+      const cookieToken = getCookie(c, COOKIE_NAME);
+      if (cookieToken && safeCompare(cookieToken, this.authToken)) {
+        return next();
+      }
+      const authHeader = c.req.header("Authorization");
+      if (authHeader) {
+        const match = authHeader.match(/^Bearer\s+(.+)$/i);
+        if (match && safeCompare(match[1], this.authToken)) {
+          return next();
+        }
+      }
+      const queryToken = c.req.query("token");
+      if (queryToken && safeCompare(queryToken, this.authToken)) {
+        return next();
+      }
+      return c.json({ success: false, error: "Unauthorized" }, 401);
+    });
+  }
+  setupRoutes() {
+    this.app.get("/health", (c) => c.json({ status: "ok" }));
+    this.app.get("/auth/exchange", (c) => {
+      const token = c.req.query("token");
+      if (!token || !safeCompare(token, this.authToken)) {
+        return c.json({ success: false, error: "Invalid token" }, 401);
+      }
+      this.setSessionCookie(c);
+      return c.redirect("/");
+    });
+    this.app.post("/auth/login", async (c) => {
+      try {
+        const body = await c.req.json();
+        if (!body.token || !safeCompare(body.token, this.authToken)) {
+          return c.json({ success: false, error: "Invalid token" }, 401);
+        }
+        this.setSessionCookie(c);
+        return c.json({ success: true });
+      } catch {
+        return c.json({ success: false, error: "Invalid request body" }, 400);
+      }
+    });
+    this.app.post("/auth/logout", (c) => {
+      deleteCookie(c, COOKIE_NAME, { path: "/" });
+      return c.json({ success: true });
+    });
+    this.app.get("/auth/check", (c) => {
+      const cookieToken = getCookie(c, COOKIE_NAME);
+      const authenticated = !!(cookieToken && safeCompare(cookieToken, this.authToken));
+      return c.json({ success: true, data: { authenticated } });
+    });
+    this.app.route("/api/status", createStatusRoutes(this.deps));
+    this.app.route("/api/tools", createToolsRoutes(this.deps));
+    this.app.route("/api/logs", createLogsRoutes(this.deps));
+    this.app.route("/api/memory", createMemoryRoutes(this.deps));
+    this.app.route("/api/soul", createSoulRoutes(this.deps));
+    this.app.route("/api/plugins", createPluginsRoutes(this.deps));
+    this.app.route("/api/workspace", createWorkspaceRoutes(this.deps));
+    this.app.route("/api/tasks", createTasksRoutes(this.deps));
+    const webDist = findWebDist();
+    if (webDist) {
+      const indexHtml = readFileSync3(join3(webDist, "index.html"), "utf-8");
+      const mimeTypes = {
+        js: "application/javascript",
+        css: "text/css",
+        svg: "image/svg+xml",
+        png: "image/png",
+        jpg: "image/jpeg",
+        jpeg: "image/jpeg",
+        ico: "image/x-icon",
+        json: "application/json",
+        woff2: "font/woff2",
+        woff: "font/woff"
+      };
+      this.app.get("*", (c) => {
+        const filePath = resolve(join3(webDist, c.req.path));
+        const rel = relative2(webDist, filePath);
+        if (rel.startsWith("..") || resolve(filePath) !== filePath) {
+          return c.html(indexHtml);
+        }
+        try {
+          const content = readFileSync3(filePath);
+          const ext = filePath.split(".").pop() || "";
+          if (mimeTypes[ext]) {
+            const immutable = c.req.path.startsWith("/assets/");
+            return c.body(content, 200, {
+              "Content-Type": mimeTypes[ext],
+              "Cache-Control": immutable ? "public, max-age=31536000, immutable" : "public, max-age=3600"
+            });
+          }
+        } catch {
+        }
+        return c.html(indexHtml);
+      });
+    }
+    this.app.onError((err, c) => {
+      console.error("WebUI error:", err);
+      return c.json(
+        {
+          success: false,
+          error: err.message || "Internal server error"
+        },
+        500
+      );
+    });
+  }
+  async start() {
+    return new Promise((resolve2, reject) => {
+      try {
+        logInterceptor.install();
+        this.server = serve(
+          {
+            fetch: this.app.fetch,
+            hostname: this.deps.config.host,
+            port: this.deps.config.port
+          },
+          (info) => {
+            const url = `http://${info.address}:${info.port}`;
+            console.log(`
+\u{1F310} WebUI server running`);
+            console.log(`   URL: ${url}/auth/exchange?token=${this.authToken}`);
+            console.log(
+              `   Token: ${maskToken(this.authToken)} (use Bearer header for API access)
+`
+            );
+            resolve2();
+          }
+        );
+      } catch (error) {
+        logInterceptor.uninstall();
+        reject(error);
+      }
+    });
+  }
+  async stop() {
+    if (this.server) {
+      return new Promise((resolve2) => {
+        this.server.close(() => {
+          logInterceptor.uninstall();
+          console.log("\u{1F310} WebUI server stopped");
+          resolve2();
+        });
+      });
+    }
+  }
+  getToken() {
+    return this.authToken;
+  }
+};
+export {
+  WebUIServer
+};