teleton 0.5.2 → 0.6.0

package/dist/{server-BQY7CM2N.js → server-RSWVCVY3.js}

@@ -1,27 +1,45 @@
+import {
+  CONFIGURABLE_KEYS,
+  deleteNestedValue,
+  getNestedValue,
+  readRawConfig,
+  setNestedValue,
+  writeRawConfig
+} from "./chunk-2QUJLHCZ.js";
 import {
   WorkspaceSecurityError,
+  adaptPlugin,
+  deletePluginSecret,
+  ensurePluginDeps,
+  listPluginSecretKeys,
   validateDirectory,
   validatePath,
   validateReadPath,
-  validateWritePath
-} from "./chunk-5WWR4CU3.js";
-import "./chunk-O4R7V5Y2.js";
+  validateWritePath,
+  writePluginSecret
+} from "./chunk-4IPJ25HE.js";
+import "./chunk-ECSCVEQQ.js";
+import "./chunk-GDCODBNO.js";
+import "./chunk-4DU3C27M.js";
+import "./chunk-RO62LO6Z.js";
 import {
+  WORKSPACE_PATHS,
   WORKSPACE_ROOT
 } from "./chunk-EYWNOHMJ.js";
 import {
   getTaskStore
 } from "./chunk-NUGDTPE4.js";
+import "./chunk-QUAPFI2N.js";
 import "./chunk-QGM4M3NI.js";
 
 // src/webui/server.ts
-import { Hono as Hono9 } from "hono";
+import { Hono as Hono12 } from "hono";
 import { serve } from "@hono/node-server";
 import { cors } from "hono/cors";
 import { bodyLimit } from "hono/body-limit";
 import { setCookie, getCookie, deleteCookie } from "hono/cookie";
-import { existsSync as existsSync2, readFileSync as readFileSync3 } from "fs";
-import { join as join3, dirname, resolve, relative as relative2 } from "path";
+import { existsSync as existsSync3, readFileSync as readFileSync3 } from "fs";
+import { join as join4, dirname, resolve as resolve2, relative as relative2 } from "path";
 import { fileURLToPath } from "url";
 
 // src/webui/middleware/auth.ts
@@ -174,6 +192,55 @@ function createToolsRoutes(deps) {
       return c.json(response, 500);
     }
   });
+  app.get("/rag", (c) => {
+    try {
+      const config = deps.agent.getConfig();
+      const toolIndex = deps.toolRegistry.getToolIndex();
+      const response = {
+        success: true,
+        data: {
+          enabled: config.tool_rag.enabled,
+          indexed: toolIndex?.isIndexed ?? false,
+          topK: config.tool_rag.top_k,
+          totalTools: deps.toolRegistry.count,
+          alwaysInclude: config.tool_rag.always_include,
+          skipUnlimitedProviders: config.tool_rag.skip_unlimited_providers
+        }
+      };
+      return c.json(response);
+    } catch (error) {
+      return c.json({ success: false, error: String(error) }, 500);
+    }
+  });
+  app.put("/rag", async (c) => {
+    try {
+      const config = deps.agent.getConfig();
+      const body = await c.req.json();
+      const { enabled, topK } = body;
+      if (enabled !== void 0) {
+        config.tool_rag.enabled = enabled;
+      }
+      if (topK !== void 0) {
+        if (topK < 5 || topK > 200) {
+          return c.json({ success: false, error: "topK must be between 5 and 200" }, 400);
+        }
+        config.tool_rag.top_k = topK;
+      }
+      const toolIndex = deps.toolRegistry.getToolIndex();
+      const response = {
+        success: true,
+        data: {
+          enabled: config.tool_rag.enabled,
+          indexed: toolIndex?.isIndexed ?? false,
+          topK: config.tool_rag.top_k,
+          totalTools: deps.toolRegistry.count
+        }
+      };
+      return c.json(response);
+    } catch (error) {
+      return c.json({ success: false, error: String(error) }, 500);
+    }
+  });
   app.put("/:name", async (c) => {
     try {
       const toolName = c.req.param("name");
@@ -327,9 +394,9 @@ function createLogsRoutes(_deps) {
         }),
         event: "log"
       });
-      await new Promise((resolve2) => {
-        if (aborted) return resolve2();
-        stream.onAbort(() => resolve2());
+      await new Promise((resolve3) => {
+        if (aborted) return resolve3();
+        stream.onAbort(() => resolve3());
       });
       if (cleanup) cleanup();
     });
@@ -551,8 +618,124 @@ function createPluginsRoutes(deps) {
   return app;
 }
 
-// src/webui/routes/workspace.ts
+// src/webui/routes/mcp.ts
 import { Hono as Hono7 } from "hono";
+var SAFE_PACKAGE_RE = /^[@a-zA-Z0-9._\/-]+$/;
+var SAFE_ARG_RE = /^[a-zA-Z0-9._\/:=@-]+$/;
+function createMcpRoutes(deps) {
+  const app = new Hono7();
+  app.get("/", (c) => {
+    const response = {
+      success: true,
+      data: deps.mcpServers
+    };
+    return c.json(response);
+  });
+  app.post("/", async (c) => {
+    try {
+      const body = await c.req.json();
+      if (!body.package && !body.url) {
+        return c.json(
+          { success: false, error: "Either 'package' or 'url' is required" },
+          400
+        );
+      }
+      if (body.package && !SAFE_PACKAGE_RE.test(body.package)) {
+        return c.json(
+          {
+            success: false,
+            error: "Invalid package name \u2014 only alphanumeric, @, /, ., - allowed"
+          },
+          400
+        );
+      }
+      if (body.args) {
+        for (const arg of body.args) {
+          if (!SAFE_ARG_RE.test(arg)) {
+            return c.json(
+              {
+                success: false,
+                error: `Invalid argument "${arg}" \u2014 only alphanumeric, ., /, :, =, @, - allowed`
+              },
+              400
+            );
+          }
+        }
+      }
+      const raw = readRawConfig(deps.configPath);
+      if (!raw.mcp || typeof raw.mcp !== "object") raw.mcp = { servers: {} };
+      const mcp = raw.mcp;
+      if (!mcp.servers || typeof mcp.servers !== "object") mcp.servers = {};
+      const servers = mcp.servers;
+      const serverName = body.name || deriveServerName(body.package || body.url || "unknown");
+      if (servers[serverName]) {
+        return c.json(
+          { success: false, error: `Server "${serverName}" already exists` },
+          409
+        );
+      }
+      const entry = {};
+      if (body.url) {
+        entry.url = body.url;
+      } else {
+        entry.command = "npx";
+        entry.args = ["-y", body.package, ...body.args || []];
+      }
+      if (body.scope && body.scope !== "always") entry.scope = body.scope;
+      if (body.env && Object.keys(body.env).length > 0) entry.env = body.env;
+      servers[serverName] = entry;
+      writeRawConfig(raw, deps.configPath);
+      return c.json({
+        success: true,
+        data: { name: serverName, message: "Server added. Restart teleton to connect." }
+      });
+    } catch (error) {
+      return c.json(
+        {
+          success: false,
+          error: error instanceof Error ? error.message : String(error)
+        },
+        500
+      );
+    }
+  });
+  app.delete("/:name", (c) => {
+    try {
+      const name = c.req.param("name");
+      const raw = readRawConfig(deps.configPath);
+      const mcp = raw.mcp || {};
+      const servers = mcp.servers || {};
+      if (!servers[name]) {
+        return c.json(
+          { success: false, error: `Server "${name}" not found` },
+          404
+        );
+      }
+      delete servers[name];
+      writeRawConfig(raw, deps.configPath);
+      return c.json({
+        success: true,
+        data: { name, message: "Server removed. Restart teleton to apply." }
+      });
+    } catch (error) {
+      return c.json(
+        {
+          success: false,
+          error: error instanceof Error ? error.message : String(error)
+        },
+        500
+      );
+    }
+  });
+  return app;
+}
+function deriveServerName(pkg) {
+  const unscoped = pkg.includes("/") ? pkg.split("/").pop() : pkg;
+  return unscoped.replace(/^server-/, "").replace(/^mcp-server-/, "").replace(/^mcp-/, "");
+}
+
+// src/webui/routes/workspace.ts
+import { Hono as Hono8 } from "hono";
 import {
   readFileSync as readFileSync2,
   writeFileSync as writeFileSync2,
@@ -614,7 +797,7 @@ function listDir(absPath, recursive) {
   return entries;
 }
 function createWorkspaceRoutes(_deps) {
-  const app = new Hono7();
+  const app = new Hono8();
   app.get("/", (c) => {
     try {
       const subpath = c.req.query("path") || "";
@@ -778,10 +961,10 @@ function createWorkspaceRoutes(_deps) {
 }
 
 // src/webui/routes/tasks.ts
-import { Hono as Hono8 } from "hono";
+import { Hono as Hono9 } from "hono";
 var VALID_STATUSES = ["pending", "in_progress", "done", "failed", "cancelled"];
 function createTasksRoutes(deps) {
-  const app = new Hono8();
+  const app = new Hono9();
   function store() {
     return getTaskStore(deps.memory.db);
   }
@@ -889,23 +1072,616 @@ function createTasksRoutes(deps) {
   return app;
 }
 
+// src/webui/routes/config.ts
+import { Hono as Hono10 } from "hono";
+function createConfigRoutes(deps) {
+  const app = new Hono10();
+  app.get("/", (c) => {
+    try {
+      const raw = readRawConfig(deps.configPath);
+      const data = Object.entries(CONFIGURABLE_KEYS).map(([key, meta]) => {
+        const value = getNestedValue(raw, key);
+        const isSet = value != null && value !== "";
+        return {
+          key,
+          set: isSet,
+          value: isSet ? meta.mask(String(value)) : null,
+          sensitive: meta.sensitive,
+          type: meta.type,
+          category: meta.category,
+          description: meta.description,
+          ...meta.options ? { options: meta.options } : {}
+        };
+      });
+      const response = { success: true, data };
+      return c.json(response);
+    } catch (err) {
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        500
+      );
+    }
+  });
+  app.put("/:key", async (c) => {
+    const key = c.req.param("key");
+    const meta = CONFIGURABLE_KEYS[key];
+    if (!meta) {
+      const allowed = Object.keys(CONFIGURABLE_KEYS).join(", ");
+      return c.json(
+        {
+          success: false,
+          error: `Key "${key}" is not configurable. Allowed: ${allowed}`
+        },
+        400
+      );
+    }
+    let body;
+    try {
+      body = await c.req.json();
+    } catch {
+      return c.json({ success: false, error: "Invalid JSON body" }, 400);
+    }
+    const value = body.value;
+    if (value == null || typeof value !== "string") {
+      return c.json(
+        { success: false, error: "Missing or invalid 'value' field" },
+        400
+      );
+    }
+    const validationErr = meta.validate(value);
+    if (validationErr) {
+      return c.json(
+        { success: false, error: `Invalid value for ${key}: ${validationErr}` },
+        400
+      );
+    }
+    try {
+      const parsed = meta.parse(value);
+      const raw = readRawConfig(deps.configPath);
+      setNestedValue(raw, key, parsed);
+      writeRawConfig(raw, deps.configPath);
+      const runtimeConfig = deps.agent.getConfig();
+      setNestedValue(runtimeConfig, key, parsed);
+      const result = {
+        key,
+        set: true,
+        value: meta.mask(value),
+        sensitive: meta.sensitive,
+        type: meta.type,
+        category: meta.category,
+        description: meta.description,
+        ...meta.options ? { options: meta.options } : {}
+      };
+      return c.json({ success: true, data: result });
+    } catch (err) {
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        500
+      );
+    }
+  });
+  app.delete("/:key", (c) => {
+    const key = c.req.param("key");
+    const meta = CONFIGURABLE_KEYS[key];
+    if (!meta) {
+      const allowed = Object.keys(CONFIGURABLE_KEYS).join(", ");
+      return c.json(
+        {
+          success: false,
+          error: `Key "${key}" is not configurable. Allowed: ${allowed}`
+        },
+        400
+      );
+    }
+    try {
+      const raw = readRawConfig(deps.configPath);
+      deleteNestedValue(raw, key);
+      writeRawConfig(raw, deps.configPath);
+      const runtimeConfig = deps.agent.getConfig();
+      deleteNestedValue(runtimeConfig, key);
+      const result = {
+        key,
+        set: false,
+        value: null,
+        sensitive: meta.sensitive,
+        type: meta.type,
+        category: meta.category,
+        description: meta.description,
+        ...meta.options ? { options: meta.options } : {}
+      };
+      return c.json({ success: true, data: result });
+    } catch (err) {
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        500
+      );
+    }
+  });
+  return app;
+}
+
+// src/webui/routes/marketplace.ts
+import { Hono as Hono11 } from "hono";
+
+// src/webui/services/marketplace.ts
+import { existsSync as existsSync2, mkdirSync as mkdirSync2, writeFileSync as writeFileSync3, rmSync as rmSync2 } from "fs";
+import { join as join3, resolve } from "path";
+import { pathToFileURL } from "url";
+var REGISTRY_URL = "https://raw.githubusercontent.com/TONresistor/teleton-plugins/main/registry.json";
+var PLUGIN_BASE_URL = "https://raw.githubusercontent.com/TONresistor/teleton-plugins/main";
+var GITHUB_API_BASE = "https://api.github.com/repos/TONresistor/teleton-plugins/contents";
+var CACHE_TTL = 5 * 60 * 1e3;
+var PLUGINS_DIR = WORKSPACE_PATHS.PLUGINS_DIR;
+var VALID_ID = /^[a-z0-9][a-z0-9-]*$/;
+var MarketplaceService = class {
+  deps;
+  cache = null;
+  fetchPromise = null;
+  manifestCache = /* @__PURE__ */ new Map();
+  installing = /* @__PURE__ */ new Set();
+  constructor(deps) {
+    this.deps = deps;
+  }
+  // ── Registry ────────────────────────────────────────────────────────
+  async getRegistry(forceRefresh = false) {
+    if (!forceRefresh && this.cache && Date.now() - this.cache.fetchedAt < CACHE_TTL) {
+      return this.cache.entries;
+    }
+    if (this.fetchPromise) return this.fetchPromise;
+    this.fetchPromise = this.fetchRegistry();
+    try {
+      const entries = await this.fetchPromise;
+      this.cache = { entries, fetchedAt: Date.now() };
+      return entries;
+    } catch (err) {
+      if (this.cache) {
+        console.warn("[marketplace] Registry fetch failed, using stale cache:", err);
+        return this.cache.entries;
+      }
+      throw err;
+    } finally {
+      this.fetchPromise = null;
+    }
+  }
+  async fetchRegistry() {
+    const res = await fetch(REGISTRY_URL);
+    if (!res.ok) throw new Error(`Registry fetch failed: ${res.status} ${res.statusText}`);
+    const data = await res.json();
+    const plugins = Array.isArray(data) ? data : data?.plugins;
+    if (!Array.isArray(plugins)) throw new Error("Registry has no plugins array");
+    const VALID_PATH = /^[a-zA-Z0-9][a-zA-Z0-9._\/-]*$/;
+    for (const entry of plugins) {
+      if (!entry.id || !entry.name || !entry.path) {
+        throw new Error(`Invalid registry entry: missing required fields (id=${entry.id ?? "?"})`);
+      }
+      if (!VALID_PATH.test(entry.path) || entry.path.includes("..")) {
+        throw new Error(`Invalid registry path for "${entry.id}": "${entry.path}"`);
+      }
+    }
+    return plugins;
+  }
+  // ── Remote manifest ─────────────────────────────────────────────────
+  async fetchRemoteManifest(entry) {
+    const cached = this.manifestCache.get(entry.id);
+    if (cached && Date.now() - cached.fetchedAt < CACHE_TTL) {
+      return cached.data;
+    }
+    const url = `${PLUGIN_BASE_URL}/${entry.path}/manifest.json`;
+    const res = await fetch(url);
+    if (!res.ok) {
+      return {
+        name: entry.name,
+        version: "0.0.0",
+        description: entry.description,
+        author: entry.author
+      };
+    }
+    const raw = await res.json();
+    const data = {
+      ...raw,
+      author: normalizeAuthor(raw.author)
+    };
+    this.manifestCache.set(entry.id, { data, fetchedAt: Date.now() });
+    return data;
+  }
+  // ── List plugins (combined view) ────────────────────────────────────
+  async listPlugins(forceRefresh = false) {
+    const registry = await this.getRegistry(forceRefresh);
+    const results = [];
+    const manifests = await Promise.allSettled(
+      registry.map((entry) => this.fetchRemoteManifest(entry))
+    );
+    for (let i = 0; i < registry.length; i++) {
+      const entry = registry[i];
+      const manifestResult = manifests[i];
+      const manifest = manifestResult.status === "fulfilled" ? manifestResult.value : {
+        name: entry.name,
+        version: "0.0.0",
+        description: entry.description,
+        author: entry.author
+      };
+      const installed = this.deps.modules.find((m) => m.name === entry.id || m.name === entry.name);
+      const installedVersion = installed?.version ?? null;
+      const remoteVersion = manifest.version || "0.0.0";
+      let status = "available";
+      if (installedVersion) {
+        status = installedVersion !== remoteVersion ? "updatable" : "installed";
+      }
+      let toolCount = manifest.tools?.length ?? 0;
+      let tools = manifest.tools ?? [];
+      if (installed) {
+        const moduleTools = this.deps.toolRegistry.getModuleTools(installed.name);
+        const allToolDefs = this.deps.toolRegistry.getAll();
+        const toolMap = new Map(allToolDefs.map((t) => [t.name, t]));
+        tools = moduleTools.map((mt) => ({
+          name: mt.name,
+          description: toolMap.get(mt.name)?.description ?? ""
+        }));
+        toolCount = tools.length;
+      }
+      results.push({
+        id: entry.id,
+        name: entry.name,
+        description: manifest.description || entry.description,
+        author: manifest.author || entry.author,
+        tags: entry.tags,
+        remoteVersion,
+        installedVersion,
+        status,
+        toolCount,
+        tools,
+        secrets: manifest.secrets
+      });
+    }
+    return results;
+  }
+  // ── Install ─────────────────────────────────────────────────────────
+  async installPlugin(pluginId) {
+    this.validateId(pluginId);
+    if (this.installing.has(pluginId)) {
+      throw new ConflictError(`Plugin "${pluginId}" is already being installed`);
+    }
+    const existing = this.findModuleByPluginId(pluginId);
+    if (existing) {
+      throw new ConflictError(`Plugin "${pluginId}" is already installed`);
+    }
+    this.installing.add(pluginId);
+    const pluginDir = join3(PLUGINS_DIR, pluginId);
+    try {
+      const registry = await this.getRegistry();
+      const entry = registry.find((e) => e.id === pluginId);
+      if (!entry) throw new Error(`Plugin "${pluginId}" not found in registry`);
+      const manifest = await this.fetchRemoteManifest(entry);
+      mkdirSync2(pluginDir, { recursive: true });
+      await this.downloadDir(entry.path, pluginDir);
+      await ensurePluginDeps(pluginDir, pluginId);
+      const indexPath = join3(pluginDir, "index.js");
+      const moduleUrl = pathToFileURL(indexPath).href + `?t=${Date.now()}`;
+      const mod = await import(moduleUrl);
+      const adapted = adaptPlugin(
+        mod,
+        pluginId,
+        this.deps.config,
+        this.deps.loadedModuleNames,
+        this.deps.sdkDeps
+      );
+      adapted.migrate?.(this.deps.pluginContext.db);
+      const tools = adapted.tools(this.deps.config);
+      const toolCount = this.deps.toolRegistry.registerPluginTools(adapted.name, tools);
+      await adapted.start?.(this.deps.pluginContext);
+      this.deps.modules.push(adapted);
+      this.deps.rewireHooks();
+      return {
+        name: adapted.name,
+        version: adapted.version,
+        toolCount
+      };
+    } catch (err) {
+      if (existsSync2(pluginDir)) {
+        try {
+          rmSync2(pluginDir, { recursive: true, force: true });
+        } catch (cleanupErr) {
+          console.error(`[marketplace] Failed to cleanup ${pluginDir}:`, cleanupErr);
+        }
+      }
+      throw err;
+    } finally {
+      this.installing.delete(pluginId);
+    }
+  }
+  // ── Uninstall ───────────────────────────────────────────────────────
+  async uninstallPlugin(pluginId) {
+    this.validateId(pluginId);
+    if (this.installing.has(pluginId)) {
+      throw new ConflictError(`Plugin "${pluginId}" has an operation in progress`);
+    }
+    const mod = this.findModuleByPluginId(pluginId);
+    if (!mod) {
+      throw new Error(`Plugin "${pluginId}" is not installed`);
+    }
+    const moduleName = mod.name;
+    const idx = this.deps.modules.indexOf(mod);
+    this.installing.add(pluginId);
+    try {
+      await mod.stop?.();
+      this.deps.toolRegistry.removePluginTools(moduleName);
+      if (idx >= 0) this.deps.modules.splice(idx, 1);
+      this.deps.rewireHooks();
+      const pluginDir = join3(PLUGINS_DIR, pluginId);
+      if (existsSync2(pluginDir)) {
+        rmSync2(pluginDir, { recursive: true, force: true });
+      }
+      return { message: `Plugin "${pluginId}" uninstalled successfully` };
+    } finally {
+      this.installing.delete(pluginId);
+    }
+  }
+  // ── Update ──────────────────────────────────────────────────────────
+  async updatePlugin(pluginId) {
+    await this.uninstallPlugin(pluginId);
+    return this.installPlugin(pluginId);
+  }
+  // ── Helpers ─────────────────────────────────────────────────────────
+  /**
+   * Resolve a registry plugin ID to the actual loaded module.
+   * Handles name mismatch: registry id "fragment" → module name "Fragment Marketplace".
+   */
+  findModuleByPluginId(pluginId) {
+    let mod = this.deps.modules.find((m) => m.name === pluginId);
+    if (mod) return mod;
+    const entry = this.cache?.entries.find((e) => e.id === pluginId);
+    if (entry) {
+      mod = this.deps.modules.find((m) => m.name === entry.name);
+    }
+    return mod ?? null;
+  }
+  /**
+   * Recursively download a GitHub directory to a local path.
+   * Uses the GitHub Contents API to list files, then fetches each via raw.githubusercontent.
+   */
+  async downloadDir(remotePath, localDir, depth = 0) {
+    if (depth > 5) throw new Error("Plugin directory too deeply nested");
+    const res = await fetch(`${GITHUB_API_BASE}/${remotePath}`);
+    if (!res.ok) throw new Error(`Failed to list directory "${remotePath}": ${res.status}`);
+    const entries = await res.json();
+    for (const item of entries) {
+      if (!item.name || /[/\\]/.test(item.name) || item.name === ".." || item.name === ".") {
+        throw new Error(`Invalid entry name in plugin directory: "${item.name}"`);
+      }
+      const target = resolve(localDir, item.name);
+      if (!target.startsWith(resolve(PLUGINS_DIR))) {
+        throw new Error(`Path escape detected: ${target}`);
+      }
+      if (item.type === "dir") {
+        mkdirSync2(target, { recursive: true });
+        await this.downloadDir(item.path, target, depth + 1);
+      } else if (item.type === "file" && item.download_url) {
+        const url = new URL(item.download_url);
+        if (!url.hostname.endsWith("githubusercontent.com") && !url.hostname.endsWith("github.com")) {
+          throw new Error(`Untrusted download host: ${url.hostname}`);
+        }
+        const fileRes = await fetch(item.download_url);
+        if (!fileRes.ok) throw new Error(`Failed to download ${item.name}: ${fileRes.status}`);
+        const content = await fileRes.text();
+        writeFileSync3(target, content, "utf-8");
+      }
+    }
+  }
+  validateId(id) {
+    if (!VALID_ID.test(id)) {
+      throw new Error(`Invalid plugin ID: "${id}"`);
+    }
+  }
+};
+function normalizeAuthor(author) {
+  if (typeof author === "string") return author;
+  if (author && typeof author === "object" && "name" in author) {
+    return String(author.name);
+  }
+  return "unknown";
+}
+var ConflictError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "ConflictError";
+  }
+};
+
+// src/webui/routes/marketplace.ts
+var VALID_ID2 = /^[a-z0-9][a-z0-9-]*$/;
+var VALID_KEY = /^[a-zA-Z][a-zA-Z0-9_]*$/;
+function createMarketplaceRoutes(deps) {
+  const app = new Hono11();
+  let service = null;
+  const getService = () => {
+    if (!deps.marketplace) return null;
+    service ??= new MarketplaceService({ ...deps.marketplace, toolRegistry: deps.toolRegistry });
+    return service;
+  };
+  app.get("/", async (c) => {
+    const svc = getService();
+    if (!svc) {
+      return c.json({ success: false, error: "Marketplace not configured" }, 501);
+    }
+    try {
+      const refresh = c.req.query("refresh") === "true";
+      const plugins = await svc.listPlugins(refresh);
+      return c.json({ success: true, data: plugins });
+    } catch (err) {
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        500
+      );
+    }
+  });
+  app.post("/install", async (c) => {
+    const svc = getService();
+    if (!svc) {
+      return c.json({ success: false, error: "Marketplace not configured" }, 501);
+    }
+    try {
+      const body = await c.req.json();
+      if (!body.id) {
+        return c.json({ success: false, error: "Missing plugin id" }, 400);
+      }
+      const result = await svc.installPlugin(body.id);
+      deps.plugins.length = 0;
+      deps.plugins.push(
+        ...deps.marketplace.modules.filter((m) => deps.toolRegistry.isPluginModule(m.name)).map((m) => ({ name: m.name, version: m.version ?? "0.0.0" }))
+      );
+      return c.json({ success: true, data: result });
+    } catch (err) {
+      const status = err instanceof ConflictError ? 409 : 500;
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        status
+      );
+    }
+  });
+  app.post("/uninstall", async (c) => {
+    const svc = getService();
+    if (!svc) {
+      return c.json({ success: false, error: "Marketplace not configured" }, 501);
+    }
+    try {
+      const body = await c.req.json();
+      if (!body.id) {
+        return c.json({ success: false, error: "Missing plugin id" }, 400);
+      }
+      const result = await svc.uninstallPlugin(body.id);
+      deps.plugins.length = 0;
+      deps.plugins.push(
+        ...deps.marketplace.modules.filter((m) => deps.toolRegistry.isPluginModule(m.name)).map((m) => ({ name: m.name, version: m.version ?? "0.0.0" }))
+      );
+      return c.json({ success: true, data: result });
+    } catch (err) {
+      const status = err instanceof ConflictError ? 409 : 500;
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        status
+      );
+    }
+  });
+  app.post("/update", async (c) => {
+    const svc = getService();
+    if (!svc) {
+      return c.json({ success: false, error: "Marketplace not configured" }, 501);
+    }
+    try {
+      const body = await c.req.json();
+      if (!body.id) {
+        return c.json({ success: false, error: "Missing plugin id" }, 400);
+      }
+      const result = await svc.updatePlugin(body.id);
+      deps.plugins.length = 0;
+      deps.plugins.push(
+        ...deps.marketplace.modules.filter((m) => deps.toolRegistry.isPluginModule(m.name)).map((m) => ({ name: m.name, version: m.version ?? "0.0.0" }))
+      );
+      return c.json({ success: true, data: result });
+    } catch (err) {
+      const status = err instanceof ConflictError ? 409 : 500;
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        status
+      );
+    }
+  });
+  app.get("/secrets/:pluginId", async (c) => {
+    const svc = getService();
+    if (!svc) {
+      return c.json({ success: false, error: "Marketplace not configured" }, 501);
+    }
+    const pluginId = c.req.param("pluginId");
+    if (!VALID_ID2.test(pluginId)) {
+      return c.json({ success: false, error: "Invalid plugin ID" }, 400);
+    }
+    try {
+      const plugins = await svc.listPlugins();
+      const plugin = plugins.find((p) => p.id === pluginId);
+      const declared = plugin?.secrets ?? {};
+      const configured = listPluginSecretKeys(pluginId);
+      return c.json({ success: true, data: { declared, configured } });
+    } catch (err) {
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        500
+      );
+    }
+  });
+  app.put("/secrets/:pluginId/:key", async (c) => {
+    const pluginId = c.req.param("pluginId");
+    const key = c.req.param("key");
+    if (!VALID_ID2.test(pluginId)) {
+      return c.json({ success: false, error: "Invalid plugin ID" }, 400);
+    }
+    if (!key || !VALID_KEY.test(key)) {
+      return c.json(
+        { success: false, error: "Invalid key name \u2014 use letters, digits, underscores" },
+        400
+      );
+    }
+    try {
+      const body = await c.req.json();
+      if (typeof body.value !== "string" || !body.value) {
+        return c.json({ success: false, error: "Missing or invalid value" }, 400);
+      }
+      writePluginSecret(pluginId, key, body.value);
+      return c.json({
+        success: true,
+        data: { key, set: true }
+      });
+    } catch (err) {
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        500
+      );
+    }
+  });
+  app.delete("/secrets/:pluginId/:key", async (c) => {
+    const pluginId = c.req.param("pluginId");
+    const key = c.req.param("key");
+    if (!VALID_ID2.test(pluginId)) {
+      return c.json({ success: false, error: "Invalid plugin ID" }, 400);
+    }
+    if (!key || !VALID_KEY.test(key)) {
+      return c.json(
+        { success: false, error: "Invalid key name \u2014 use letters, digits, underscores" },
+        400
+      );
+    }
+    try {
+      deletePluginSecret(pluginId, key);
+      return c.json({
+        success: true,
+        data: { key, set: false }
+      });
+    } catch (err) {
+      return c.json(
+        { success: false, error: err instanceof Error ? err.message : String(err) },
+        500
+      );
+    }
+  });
+  return app;
+}
+
 // src/webui/server.ts
 function findWebDist() {
   const candidates = [
-    resolve("dist/web"),
+    resolve2("dist/web"),
     // npm start / teleton start (from project root)
-    resolve("web")
+    resolve2("web")
     // fallback
   ];
   const __dirname = dirname(fileURLToPath(import.meta.url));
   candidates.push(
-    resolve(__dirname, "web"),
+    resolve2(__dirname, "web"),
     // dist/web when __dirname = dist/
-    resolve(__dirname, "../dist/web")
+    resolve2(__dirname, "../dist/web")
     // when running with tsx from src/
   );
   for (const candidate of candidates) {
-    if (existsSync2(join3(candidate, "index.html"))) {
+    if (existsSync3(join4(candidate, "index.html"))) {
       return candidate;
     }
   }
@@ -918,7 +1694,7 @@ var WebUIServer = class {
   authToken;
   constructor(deps) {
     this.deps = deps;
-    this.app = new Hono9();
+    this.app = new Hono12();
     this.authToken = deps.config.auth_token || generateToken();
     this.setupMiddleware();
     this.setupRoutes();
@@ -1023,11 +1799,14 @@ var WebUIServer = class {
     this.app.route("/api/memory", createMemoryRoutes(this.deps));
     this.app.route("/api/soul", createSoulRoutes(this.deps));
     this.app.route("/api/plugins", createPluginsRoutes(this.deps));
+    this.app.route("/api/mcp", createMcpRoutes(this.deps));
     this.app.route("/api/workspace", createWorkspaceRoutes(this.deps));
     this.app.route("/api/tasks", createTasksRoutes(this.deps));
+    this.app.route("/api/config", createConfigRoutes(this.deps));
+    this.app.route("/api/marketplace", createMarketplaceRoutes(this.deps));
     const webDist = findWebDist();
     if (webDist) {
-      const indexHtml = readFileSync3(join3(webDist, "index.html"), "utf-8");
+      const indexHtml = readFileSync3(join4(webDist, "index.html"), "utf-8");
       const mimeTypes = {
         js: "application/javascript",
         css: "text/css",
@@ -1041,9 +1820,9 @@ var WebUIServer = class {
         woff: "font/woff"
       };
       this.app.get("*", (c) => {
-        const filePath = resolve(join3(webDist, c.req.path));
+        const filePath = resolve2(join4(webDist, c.req.path));
         const rel = relative2(webDist, filePath);
-        if (rel.startsWith("..") || resolve(filePath) !== filePath) {
+        if (rel.startsWith("..") || resolve2(filePath) !== filePath) {
           return c.html(indexHtml);
         }
         try {
@@ -1073,7 +1852,7 @@ var WebUIServer = class {
     });
   }
   async start() {
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve3, reject) => {
       try {
         logInterceptor.install();
         this.server = serve(
@@ -1091,7 +1870,7 @@ var WebUIServer = class {
               `   Token: ${maskToken(this.authToken)} (use Bearer header for API access)
 `
             );
-            resolve2();
+            resolve3();
           }
         );
       } catch (error) {
@@ -1102,11 +1881,11 @@ var WebUIServer = class {
   }
   async stop() {
     if (this.server) {
-      return new Promise((resolve2) => {
+      return new Promise((resolve3) => {
         this.server.close(() => {
           logInterceptor.uninstall();
           console.log("\u{1F310} WebUI server stopped");
-          resolve2();
+          resolve3();
         });
       });
     }