vibora 0.1.10 → 0.1.12

package/server/index.js

@@ -3101,128 +3101,6 @@ var Hono2 = class extends Hono {
   }
 };
 
-// node_modules/hono/dist/utils/encode.js
-var decodeBase64 = (str) => {
-  const binary = atob(str);
-  const bytes = new Uint8Array(new ArrayBuffer(binary.length));
-  const half = binary.length / 2;
-  for (let i = 0, j = binary.length - 1;i <= half; i++, j--) {
-    bytes[i] = binary.charCodeAt(i);
-    bytes[j] = binary.charCodeAt(j);
-  }
-  return bytes;
-};
-
-// node_modules/hono/dist/utils/basic-auth.js
-var CREDENTIALS_REGEXP = /^ *(?:[Bb][Aa][Ss][Ii][Cc]) +([A-Za-z0-9._~+/-]+=*) *$/;
-var USER_PASS_REGEXP = /^([^:]*):(.*)$/;
-var utf8Decoder = new TextDecoder;
-var auth = (req) => {
-  const match2 = CREDENTIALS_REGEXP.exec(req.headers.get("Authorization") || "");
-  if (!match2) {
-    return;
-  }
-  let userPass = undefined;
-  try {
-    userPass = USER_PASS_REGEXP.exec(utf8Decoder.decode(decodeBase64(match2[1])));
-  } catch {}
-  if (!userPass) {
-    return;
-  }
-  return { username: userPass[1], password: userPass[2] };
-};
-
-// node_modules/hono/dist/utils/crypto.js
-var sha256 = async (data) => {
-  const algorithm = { name: "SHA-256", alias: "sha256" };
-  const hash = await createHash(data, algorithm);
-  return hash;
-};
-var createHash = async (data, algorithm) => {
-  let sourceBuffer;
-  if (ArrayBuffer.isView(data) || data instanceof ArrayBuffer) {
-    sourceBuffer = data;
-  } else {
-    if (typeof data === "object") {
-      data = JSON.stringify(data);
-    }
-    sourceBuffer = new TextEncoder().encode(String(data));
-  }
-  if (crypto && crypto.subtle) {
-    const buffer = await crypto.subtle.digest({
-      name: algorithm.name
-    }, sourceBuffer);
-    const hash = Array.prototype.map.call(new Uint8Array(buffer), (x) => ("00" + x.toString(16)).slice(-2)).join("");
-    return hash;
-  }
-  return null;
-};
-
-// node_modules/hono/dist/utils/buffer.js
-var timingSafeEqual = async (a, b, hashFunction) => {
-  if (!hashFunction) {
-    hashFunction = sha256;
-  }
-  const [sa, sb] = await Promise.all([hashFunction(a), hashFunction(b)]);
-  if (!sa || !sb) {
-    return false;
-  }
-  return sa === sb && a === b;
-};
-
-// node_modules/hono/dist/middleware/basic-auth/index.js
-var basicAuth = (options, ...users) => {
-  const usernamePasswordInOptions = "username" in options && "password" in options;
-  const verifyUserInOptions = "verifyUser" in options;
-  if (!(usernamePasswordInOptions || verifyUserInOptions)) {
-    throw new Error('basic auth middleware requires options for "username and password" or "verifyUser"');
-  }
-  if (!options.realm) {
-    options.realm = "Secure Area";
-  }
-  if (!options.invalidUserMessage) {
-    options.invalidUserMessage = "Unauthorized";
-  }
-  if (usernamePasswordInOptions) {
-    users.unshift({ username: options.username, password: options.password });
-  }
-  return async function basicAuth2(ctx, next) {
-    const requestUser = auth(ctx.req.raw);
-    if (requestUser) {
-      if (verifyUserInOptions) {
-        if (await options.verifyUser(requestUser.username, requestUser.password, ctx)) {
-          await next();
-          return;
-        }
-      } else {
-        for (const user of users) {
-          const [usernameEqual, passwordEqual] = await Promise.all([
-            timingSafeEqual(user.username, requestUser.username, options.hashFunction),
-            timingSafeEqual(user.password, requestUser.password, options.hashFunction)
-          ]);
-          if (usernameEqual && passwordEqual) {
-            await next();
-            return;
-          }
-        }
-      }
-    }
-    const status = 401;
-    const headers = {
-      "WWW-Authenticate": 'Basic realm="' + options.realm?.replace(/"/g, "\\\"") + '"'
-    };
-    const responseMessage = typeof options.invalidUserMessage === "function" ? await options.invalidUserMessage(ctx) : options.invalidUserMessage;
-    const res = typeof responseMessage === "string" ? new Response(responseMessage, { status, headers }) : new Response(JSON.stringify(responseMessage), {
-      status,
-      headers: {
-        ...headers,
-        "content-type": "application/json"
-      }
-    });
-    throw new HTTPException(status, { res });
-  };
-};
-
 // node_modules/hono/dist/middleware/cors/index.js
 var cors = (options) => {
   const defaults = {
@@ -3368,10 +3246,263 @@ var logger = (fn = console.log) => {
   };
 };
 
+// node_modules/hono/dist/helper/factory/index.js
+var Factory = class {
+  initApp;
+  #defaultAppOptions;
+  constructor(init) {
+    this.initApp = init?.initApp;
+    this.#defaultAppOptions = init?.defaultAppOptions;
+  }
+  createApp = (options) => {
+    const app = new Hono2(options && this.#defaultAppOptions ? { ...this.#defaultAppOptions, ...options } : options ?? this.#defaultAppOptions);
+    if (this.initApp) {
+      this.initApp(app);
+    }
+    return app;
+  };
+  createMiddleware = (middleware) => middleware;
+  createHandlers = (...handlers) => {
+    return handlers.filter((handler) => handler !== undefined);
+  };
+};
+var createMiddleware = (middleware) => middleware;
+
+// node_modules/hono/dist/utils/cookie.js
+var algorithm = { name: "HMAC", hash: "SHA-256" };
+var getCryptoKey = async (secret) => {
+  const secretBuf = typeof secret === "string" ? new TextEncoder().encode(secret) : secret;
+  return await crypto.subtle.importKey("raw", secretBuf, algorithm, false, ["sign", "verify"]);
+};
+var makeSignature = async (value, secret) => {
+  const key = await getCryptoKey(secret);
+  const signature = await crypto.subtle.sign(algorithm.name, key, new TextEncoder().encode(value));
+  return btoa(String.fromCharCode(...new Uint8Array(signature)));
+};
+var verifySignature = async (base64Signature, value, secret) => {
+  try {
+    const signatureBinStr = atob(base64Signature);
+    const signature = new Uint8Array(signatureBinStr.length);
+    for (let i = 0, len = signatureBinStr.length;i < len; i++) {
+      signature[i] = signatureBinStr.charCodeAt(i);
+    }
+    return await crypto.subtle.verify(algorithm, secret, signature, new TextEncoder().encode(value));
+  } catch {
+    return false;
+  }
+};
+var validCookieNameRegEx = /^[\w!#$%&'*.^`|~+-]+$/;
+var validCookieValueRegEx = /^[ !#-:<-[\]-~]*$/;
+var parse = (cookie, name) => {
+  if (name && cookie.indexOf(name) === -1) {
+    return {};
+  }
+  const pairs = cookie.trim().split(";");
+  const parsedCookie = {};
+  for (let pairStr of pairs) {
+    pairStr = pairStr.trim();
+    const valueStartPos = pairStr.indexOf("=");
+    if (valueStartPos === -1) {
+      continue;
+    }
+    const cookieName = pairStr.substring(0, valueStartPos).trim();
+    if (name && name !== cookieName || !validCookieNameRegEx.test(cookieName)) {
+      continue;
+    }
+    let cookieValue = pairStr.substring(valueStartPos + 1).trim();
+    if (cookieValue.startsWith('"') && cookieValue.endsWith('"')) {
+      cookieValue = cookieValue.slice(1, -1);
+    }
+    if (validCookieValueRegEx.test(cookieValue)) {
+      parsedCookie[cookieName] = cookieValue.indexOf("%") !== -1 ? tryDecode(cookieValue, decodeURIComponent_) : cookieValue;
+      if (name) {
+        break;
+      }
+    }
+  }
+  return parsedCookie;
+};
+var parseSigned = async (cookie, secret, name) => {
+  const parsedCookie = {};
+  const secretKey = await getCryptoKey(secret);
+  for (const [key, value] of Object.entries(parse(cookie, name))) {
+    const signatureStartPos = value.lastIndexOf(".");
+    if (signatureStartPos < 1) {
+      continue;
+    }
+    const signedValue = value.substring(0, signatureStartPos);
+    const signature = value.substring(signatureStartPos + 1);
+    if (signature.length !== 44 || !signature.endsWith("=")) {
+      continue;
+    }
+    const isVerified = await verifySignature(signature, signedValue, secretKey);
+    parsedCookie[key] = isVerified ? signedValue : false;
+  }
+  return parsedCookie;
+};
+var _serialize = (name, value, opt = {}) => {
+  let cookie = `${name}=${value}`;
+  if (name.startsWith("__Secure-") && !opt.secure) {
+    throw new Error("__Secure- Cookie must have Secure attributes");
+  }
+  if (name.startsWith("__Host-")) {
+    if (!opt.secure) {
+      throw new Error("__Host- Cookie must have Secure attributes");
+    }
+    if (opt.path !== "/") {
+      throw new Error('__Host- Cookie must have Path attributes with "/"');
+    }
+    if (opt.domain) {
+      throw new Error("__Host- Cookie must not have Domain attributes");
+    }
+  }
+  if (opt && typeof opt.maxAge === "number" && opt.maxAge >= 0) {
+    if (opt.maxAge > 34560000) {
+      throw new Error("Cookies Max-Age SHOULD NOT be greater than 400 days (34560000 seconds) in duration.");
+    }
+    cookie += `; Max-Age=${opt.maxAge | 0}`;
+  }
+  if (opt.domain && opt.prefix !== "host") {
+    cookie += `; Domain=${opt.domain}`;
+  }
+  if (opt.path) {
+    cookie += `; Path=${opt.path}`;
+  }
+  if (opt.expires) {
+    if (opt.expires.getTime() - Date.now() > 34560000000) {
+      throw new Error("Cookies Expires SHOULD NOT be greater than 400 days (34560000 seconds) in the future.");
+    }
+    cookie += `; Expires=${opt.expires.toUTCString()}`;
+  }
+  if (opt.httpOnly) {
+    cookie += "; HttpOnly";
+  }
+  if (opt.secure) {
+    cookie += "; Secure";
+  }
+  if (opt.sameSite) {
+    cookie += `; SameSite=${opt.sameSite.charAt(0).toUpperCase() + opt.sameSite.slice(1)}`;
+  }
+  if (opt.priority) {
+    cookie += `; Priority=${opt.priority.charAt(0).toUpperCase() + opt.priority.slice(1)}`;
+  }
+  if (opt.partitioned) {
+    if (!opt.secure) {
+      throw new Error("Partitioned Cookie must have Secure attributes");
+    }
+    cookie += "; Partitioned";
+  }
+  return cookie;
+};
+var serialize = (name, value, opt) => {
+  value = encodeURIComponent(value);
+  return _serialize(name, value, opt);
+};
+var serializeSigned = async (name, value, secret, opt = {}) => {
+  const signature = await makeSignature(value, secret);
+  value = `${value}.${signature}`;
+  value = encodeURIComponent(value);
+  return _serialize(name, value, opt);
+};
+
+// node_modules/hono/dist/helper/cookie/index.js
+var getCookie = (c, key, prefix) => {
+  const cookie = c.req.raw.headers.get("Cookie");
+  if (typeof key === "string") {
+    if (!cookie) {
+      return;
+    }
+    let finalKey = key;
+    if (prefix === "secure") {
+      finalKey = "__Secure-" + key;
+    } else if (prefix === "host") {
+      finalKey = "__Host-" + key;
+    }
+    const obj2 = parse(cookie, finalKey);
+    return obj2[finalKey];
+  }
+  if (!cookie) {
+    return {};
+  }
+  const obj = parse(cookie);
+  return obj;
+};
+var getSignedCookie = async (c, secret, key, prefix) => {
+  const cookie = c.req.raw.headers.get("Cookie");
+  if (typeof key === "string") {
+    if (!cookie) {
+      return;
+    }
+    let finalKey = key;
+    if (prefix === "secure") {
+      finalKey = "__Secure-" + key;
+    } else if (prefix === "host") {
+      finalKey = "__Host-" + key;
+    }
+    const obj2 = await parseSigned(cookie, secret, finalKey);
+    return obj2[finalKey];
+  }
+  if (!cookie) {
+    return {};
+  }
+  const obj = await parseSigned(cookie, secret);
+  return obj;
+};
+var generateCookie = (name, value, opt) => {
+  let cookie;
+  if (opt?.prefix === "secure") {
+    cookie = serialize("__Secure-" + name, value, { path: "/", ...opt, secure: true });
+  } else if (opt?.prefix === "host") {
+    cookie = serialize("__Host-" + name, value, {
+      ...opt,
+      path: "/",
+      secure: true,
+      domain: undefined
+    });
+  } else {
+    cookie = serialize(name, value, { path: "/", ...opt });
+  }
+  return cookie;
+};
+var setCookie = (c, name, value, opt) => {
+  const cookie = generateCookie(name, value, opt);
+  c.header("Set-Cookie", cookie, { append: true });
+};
+var generateSignedCookie = async (name, value, secret, opt) => {
+  let cookie;
+  if (opt?.prefix === "secure") {
+    cookie = await serializeSigned("__Secure-" + name, value, secret, {
+      path: "/",
+      ...opt,
+      secure: true
+    });
+  } else if (opt?.prefix === "host") {
+    cookie = await serializeSigned("__Host-" + name, value, secret, {
+      ...opt,
+      path: "/",
+      secure: true,
+      domain: undefined
+    });
+  } else {
+    cookie = await serializeSigned(name, value, secret, { path: "/", ...opt });
+  }
+  return cookie;
+};
+var setSignedCookie = async (c, name, value, secret, opt) => {
+  const cookie = await generateSignedCookie(name, value, secret, opt);
+  c.header("set-cookie", cookie, { append: true });
+};
+var deleteCookie = (c, name, opt) => {
+  const deletedCookie = getCookie(c, name, opt?.prefix);
+  setCookie(c, name, "", { ...opt, maxAge: 0 });
+  return deletedCookie;
+};
+
 // server/lib/settings.ts
 import * as fs from "fs";
 import * as path from "path";
 import * as os from "os";
+import * as crypto3 from "crypto";
 var DEFAULT_SETTINGS = {
   port: 3333,
   defaultGitReposDir: os.homedir(),
@@ -3477,6 +3608,13 @@ function getSettings() {
 function getSetting(key) {
   return getSettings()[key];
 }
+function getSessionSecret() {
+  const settings = getSettings();
+  if (!settings.basicAuthPassword) {
+    return null;
+  }
+  return crypto3.createHash("sha256").update(settings.basicAuthPassword + "vibora-session").digest("hex");
+}
 function updateSettings(updates) {
   ensureViboraDir();
   const current = getSettings();
@@ -3542,6 +3680,44 @@ function updateNotificationSettings(updates) {
   return updated;
 }
 
+// server/middleware/auth.ts
+var SESSION_COOKIE_NAME = "vibora_session";
+var PUBLIC_PATHS = ["/health", "/api/auth/login", "/api/auth/check"];
+var sessionAuthMiddleware = createMiddleware(async (c, next) => {
+  const settings = getSettings();
+  if (!settings.basicAuthUsername || !settings.basicAuthPassword) {
+    return next();
+  }
+  const path2 = c.req.path;
+  if (PUBLIC_PATHS.some((p) => path2 === p || path2.startsWith(p + "/"))) {
+    return next();
+  }
+  const secret = getSessionSecret();
+  if (secret) {
+    const sessionCookie = await getSignedCookie(c, secret, SESSION_COOKIE_NAME);
+    if (sessionCookie) {
+      try {
+        const session = JSON.parse(sessionCookie);
+        if (session.exp && session.exp > Date.now()) {
+          return next();
+        }
+      } catch {}
+    }
+  }
+  const authHeader = c.req.header("Authorization");
+  if (authHeader?.startsWith("Basic ")) {
+    const base64Credentials = authHeader.slice(6);
+    try {
+      const credentials = atob(base64Credentials);
+      const [username, password] = credentials.split(":");
+      if (username === settings.basicAuthUsername && password === settings.basicAuthPassword) {
+        return next();
+      }
+    } catch {}
+  }
+  throw new HTTPException(401, { message: "Unauthorized" });
+});
+
 // server/app.ts
 import { readFile } from "fs/promises";
 import { join as join11 } from "path";
@@ -7439,7 +7615,7 @@ function drizzle(...params) {
 })(drizzle || (drizzle = {}));
 
 // node_modules/drizzle-orm/migrator.js
-import crypto3 from "crypto";
+import crypto4 from "crypto";
 import fs2 from "fs";
 function readMigrationFiles(config) {
   const migrationFolderTo = config.migrationsFolder;
@@ -7461,7 +7637,7 @@ function readMigrationFiles(config) {
         sql: result,
         bps: journalEntry.breakpoints,
         folderMillis: journalEntry.when,
-        hash: crypto3.createHash("sha256").update(query).digest("hex")
+        hash: crypto4.createHash("sha256").update(query).digest("hex")
       });
     } catch {
       throw new Error(`No file ${migrationPath} found in ${migrationFolderTo} folder`);
@@ -138191,6 +138367,37 @@ app3.post("/merge-to-main", async (c) => {
         error: "Failed to determine worktree branch"
       }, 500);
     }
+    try {
+      const worktreeStatus = gitExec(worktreePath, "status --porcelain");
+      if (worktreeStatus.trim()) {
+        const lines = worktreeStatus.trim().split(`
+`).filter((l) => l);
+        const untracked = [];
+        const uncommitted = [];
+        for (const line of lines) {
+          const statusCode = line.substring(0, 2);
+          const filename = line.substring(3);
+          if (statusCode === "??") {
+            untracked.push(filename);
+          } else {
+            uncommitted.push(filename);
+          }
+        }
+        const messages = [];
+        if (uncommitted.length > 0) {
+          messages.push(`${uncommitted.length} uncommitted change(s)`);
+        }
+        if (untracked.length > 0) {
+          messages.push(`${untracked.length} untracked file(s)`);
+        }
+        return c.json({
+          error: `Worktree has ${messages.join(" and ")}. Please commit or stash changes before merging.`,
+          hasUncommittedChanges: true,
+          uncommittedFiles: uncommitted,
+          untrackedFiles: untracked
+        }, 409);
+      }
+    } catch {}
     const defaultBranch = getDefaultBranch(repoPath, baseBranch);
     let originalBranch;
     try {
@@ -138785,8 +138992,145 @@ app6.post("/", async (c) => {
 });
 var uploads_default = app6;
 
+// node_modules/hono/dist/utils/stream.js
+var StreamingApi = class {
+  writer;
+  encoder;
+  writable;
+  abortSubscribers = [];
+  responseReadable;
+  aborted = false;
+  closed = false;
+  constructor(writable, _readable) {
+    this.writable = writable;
+    this.writer = writable.getWriter();
+    this.encoder = new TextEncoder;
+    const reader = _readable.getReader();
+    this.abortSubscribers.push(async () => {
+      await reader.cancel();
+    });
+    this.responseReadable = new ReadableStream({
+      async pull(controller) {
+        const { done, value } = await reader.read();
+        done ? controller.close() : controller.enqueue(value);
+      },
+      cancel: () => {
+        this.abort();
+      }
+    });
+  }
+  async write(input) {
+    try {
+      if (typeof input === "string") {
+        input = this.encoder.encode(input);
+      }
+      await this.writer.write(input);
+    } catch {}
+    return this;
+  }
+  async writeln(input) {
+    await this.write(input + `
+`);
+    return this;
+  }
+  sleep(ms) {
+    return new Promise((res) => setTimeout(res, ms));
+  }
+  async close() {
+    try {
+      await this.writer.close();
+    } catch {}
+    this.closed = true;
+  }
+  async pipe(body) {
+    this.writer.releaseLock();
+    await body.pipeTo(this.writable, { preventClose: true });
+    this.writer = this.writable.getWriter();
+  }
+  onAbort(listener) {
+    this.abortSubscribers.push(listener);
+  }
+  abort() {
+    if (!this.aborted) {
+      this.aborted = true;
+      this.abortSubscribers.forEach((subscriber) => subscriber());
+    }
+  }
+};
+
+// node_modules/hono/dist/helper/streaming/utils.js
+var isOldBunVersion = () => {
+  const version2 = typeof Bun !== "undefined" ? Bun.version : undefined;
+  if (version2 === undefined) {
+    return false;
+  }
+  const result = version2.startsWith("1.1") || version2.startsWith("1.0") || version2.startsWith("0.");
+  isOldBunVersion = () => result;
+  return result;
+};
+
+// node_modules/hono/dist/helper/streaming/sse.js
+var SSEStreamingApi = class extends StreamingApi {
+  constructor(writable, readable) {
+    super(writable, readable);
+  }
+  async writeSSE(message) {
+    const data = await resolveCallback(message.data, HtmlEscapedCallbackPhase.Stringify, false, {});
+    const dataLines = data.split(`
+`).map((line) => {
+      return `data: ${line}`;
+    }).join(`
+`);
+    const sseData = [
+      message.event && `event: ${message.event}`,
+      dataLines,
+      message.id && `id: ${message.id}`,
+      message.retry && `retry: ${message.retry}`
+    ].filter(Boolean).join(`
+`) + `
+
+`;
+    await this.write(sseData);
+  }
+};
+var run = async (stream2, cb, onError) => {
+  try {
+    await cb(stream2);
+  } catch (e) {
+    if (e instanceof Error && onError) {
+      await onError(e, stream2);
+      await stream2.writeSSE({
+        event: "error",
+        data: e.message
+      });
+    } else {
+      console.error(e);
+    }
+  } finally {
+    stream2.close();
+  }
+};
+var contextStash = /* @__PURE__ */ new WeakMap;
+var streamSSE = (c, cb, onError) => {
+  const { readable, writable } = new TransformStream;
+  const stream2 = new SSEStreamingApi(writable, readable);
+  if (isOldBunVersion()) {
+    c.req.raw.signal.addEventListener("abort", () => {
+      if (!stream2.closed) {
+        stream2.abort();
+      }
+    });
+  }
+  contextStash.set(stream2.responseReadable, c);
+  c.header("Transfer-Encoding", "chunked");
+  c.header("Content-Type", "text/event-stream");
+  c.header("Cache-Control", "no-cache");
+  c.header("Connection", "keep-alive");
+  run(stream2, cb, onError);
+  return c.newResponse(stream2.responseReadable);
+};
+
 // server/routes/worktrees.ts
-import { execSync as execSync4 } from "child_process";
 import * as fs6 from "fs";
 import * as path8 from "path";
 function formatBytes(bytes) {
@@ -138797,28 +139141,27 @@ function formatBytes(bytes) {
   const i = Math.floor(Math.log(bytes) / Math.log(k));
   return `${parseFloat((bytes / Math.pow(k, i)).toFixed(1))} ${sizes[i]}`;
 }
-function getDirectorySize(dirPath) {
+async function getDirectorySizeAsync(dirPath) {
   try {
     const platform = process.platform;
-    if (platform === "darwin") {
-      const output = execSync4(`du -sk "${dirPath}" 2>/dev/null`, { encoding: "utf-8" });
-      const sizeKb = parseInt(output.split("\t")[0], 10);
-      return sizeKb * 1024;
-    } else {
-      const output = execSync4(`du -sb "${dirPath}" 2>/dev/null`, { encoding: "utf-8" });
-      return parseInt(output.split("\t")[0], 10);
-    }
+    const cmd = platform === "darwin" ? ["du", "-sk", dirPath] : ["du", "-sb", dirPath];
+    const proc2 = Bun.spawn(cmd, { stdout: "pipe", stderr: "pipe" });
+    const output = await new Response(proc2.stdout).text();
+    const sizeValue = parseInt(output.split("\t")[0], 10);
+    return platform === "darwin" ? sizeValue * 1024 : sizeValue;
   } catch {
     return 0;
   }
 }
-function getGitBranch(gitPath) {
+async function getGitBranchAsync(gitPath) {
   try {
-    const branch = execSync4("git rev-parse --abbrev-ref HEAD", {
+    const proc2 = Bun.spawn(["git", "rev-parse", "--abbrev-ref", "HEAD"], {
       cwd: gitPath,
-      encoding: "utf-8"
-    }).trim();
-    return branch;
+      stdout: "pipe",
+      stderr: "pipe"
+    });
+    const output = await new Response(proc2.stdout).text();
+    return output.trim() || "unknown";
   } catch {
     return "unknown";
   }
@@ -138834,91 +139177,131 @@ function destroyTerminalsForWorktree2(worktreePath) {
     }
   } catch {}
 }
-function deleteWorktree(worktreePath, repoPath) {
+async function deleteWorktree(worktreePath, repoPath) {
   if (!fs6.existsSync(worktreePath))
     return;
   if (repoPath && fs6.existsSync(repoPath)) {
     try {
-      execSync4(`git worktree remove "${worktreePath}" --force`, {
+      const proc2 = Bun.spawn(["git", "worktree", "remove", worktreePath, "--force"], {
         cwd: repoPath,
-        encoding: "utf-8"
+        stdout: "pipe",
+        stderr: "pipe"
       });
-      return;
+      await proc2.exited;
+      if (proc2.exitCode === 0)
+        return;
     } catch {}
   }
   fs6.rmSync(worktreePath, { recursive: true, force: true });
   if (repoPath && fs6.existsSync(repoPath)) {
     try {
-      execSync4("git worktree prune", { cwd: repoPath, encoding: "utf-8" });
+      Bun.spawn(["git", "worktree", "prune"], { cwd: repoPath });
     } catch {}
   }
 }
 var app7 = new Hono2;
 app7.get("/", (c) => {
-  const worktreeBasePath = getWorktreeBasePath();
-  if (!fs6.existsSync(worktreeBasePath)) {
-    const response2 = {
-      worktrees: [],
-      summary: {
-        total: 0,
-        orphaned: 0,
-        totalSize: 0,
-        totalSizeFormatted: "0 B"
+  return streamSSE(c, async (stream3) => {
+    const worktreeBasePath = getWorktreeBasePath();
+    if (!fs6.existsSync(worktreeBasePath)) {
+      await stream3.writeSSE({
+        event: "worktree:basic",
+        data: JSON.stringify([])
+      });
+      await stream3.writeSSE({
+        event: "worktree:complete",
+        data: JSON.stringify({
+          total: 0,
+          orphaned: 0,
+          totalSize: 0,
+          totalSizeFormatted: "0 B"
+        })
+      });
+      return;
+    }
+    const allTasks = db.select().from(tasks).all();
+    const worktreeToTask = new Map;
+    for (const task of allTasks) {
+      if (task.worktreePath) {
+        worktreeToTask.set(task.worktreePath, task);
       }
-    };
-    return c.json(response2);
-  }
-  const allTasks = db.select().from(tasks).all();
-  const worktreeToTask = new Map;
-  for (const task of allTasks) {
-    if (task.worktreePath) {
-      worktreeToTask.set(task.worktreePath, task);
     }
-  }
-  const entries = fs6.readdirSync(worktreeBasePath, { withFileTypes: true });
-  const worktrees = [];
-  for (const entry of entries) {
-    if (!entry.isDirectory())
-      continue;
-    const fullPath = path8.join(worktreeBasePath, entry.name);
-    const gitPath = path8.join(fullPath, ".git");
-    if (!fs6.existsSync(gitPath))
-      continue;
-    const size = getDirectorySize(fullPath);
-    const branch = getGitBranch(fullPath);
-    const stats = fs6.statSync(fullPath);
-    const linkedTask = worktreeToTask.get(fullPath);
-    worktrees.push({
-      path: fullPath,
-      name: entry.name,
-      size,
-      sizeFormatted: formatBytes(size),
-      branch,
-      lastModified: stats.mtime.toISOString(),
-      isOrphaned: !linkedTask,
-      taskId: linkedTask?.id,
-      taskTitle: linkedTask?.title,
-      repoPath: linkedTask?.repoPath
+    const entries = fs6.readdirSync(worktreeBasePath, { withFileTypes: true });
+    const basicWorktrees = [];
+    const pathsToProcess = [];
+    for (const entry of entries) {
+      if (!entry.isDirectory())
+        continue;
+      const fullPath = path8.join(worktreeBasePath, entry.name);
+      const gitPath = path8.join(fullPath, ".git");
+      if (!fs6.existsSync(gitPath))
+        continue;
+      const stats = fs6.statSync(fullPath);
+      const linkedTask = worktreeToTask.get(fullPath);
+      basicWorktrees.push({
+        path: fullPath,
+        name: entry.name,
+        lastModified: stats.mtime.toISOString(),
+        isOrphaned: !linkedTask,
+        taskId: linkedTask?.id,
+        taskTitle: linkedTask?.title,
+        taskStatus: linkedTask?.status,
+        repoPath: linkedTask?.repoPath
+      });
+      pathsToProcess.push(fullPath);
+    }
+    basicWorktrees.sort((a, b) => {
+      if (a.isOrphaned !== b.isOrphaned) {
+        return a.isOrphaned ? -1 : 1;
+      }
+      return new Date(b.lastModified).getTime() - new Date(a.lastModified).getTime();
     });
-  }
-  worktrees.sort((a, b) => {
-    if (a.isOrphaned !== b.isOrphaned) {
-      return a.isOrphaned ? -1 : 1;
+    await stream3.writeSSE({
+      event: "worktree:basic",
+      data: JSON.stringify(basicWorktrees)
+    });
+    let totalSize = 0;
+    const CONCURRENCY = 4;
+    async function processWorktree(fullPath) {
+      try {
+        const [size, branch] = await Promise.all([
+          getDirectorySizeAsync(fullPath),
+          getGitBranchAsync(fullPath)
+        ]);
+        totalSize += size;
+        await stream3.writeSSE({
+          event: "worktree:details",
+          data: JSON.stringify({
+            path: fullPath,
+            size,
+            sizeFormatted: formatBytes(size),
+            branch
+          })
+        });
+      } catch (error) {
+        await stream3.writeSSE({
+          event: "worktree:error",
+          data: JSON.stringify({
+            path: fullPath,
+            error: error instanceof Error ? error.message : "Unknown error"
+          })
+        });
+      }
     }
-    return new Date(b.lastModified).getTime() - new Date(a.lastModified).getTime();
-  });
-  const totalSize = worktrees.reduce((sum, w) => sum + w.size, 0);
-  const orphanedCount = worktrees.filter((w) => w.isOrphaned).length;
-  const response = {
-    worktrees,
-    summary: {
-      total: worktrees.length,
-      orphaned: orphanedCount,
-      totalSize,
-      totalSizeFormatted: formatBytes(totalSize)
+    for (let i = 0;i < pathsToProcess.length; i += CONCURRENCY) {
+      const batch = pathsToProcess.slice(i, i + CONCURRENCY);
+      await Promise.all(batch.map(processWorktree));
     }
-  };
-  return c.json(response);
+    await stream3.writeSSE({
+      event: "worktree:complete",
+      data: JSON.stringify({
+        total: basicWorktrees.length,
+        orphaned: basicWorktrees.filter((w) => w.isOrphaned).length,
+        totalSize,
+        totalSizeFormatted: formatBytes(totalSize)
+      })
+    });
+  });
 });
 app7.delete("/", async (c) => {
   try {
@@ -138936,7 +139319,7 @@ app7.delete("/", async (c) => {
     }
     const linkedTask = db.select().from(tasks).where(eq(tasks.worktreePath, body.worktreePath)).get();
     destroyTerminalsForWorktree2(body.worktreePath);
-    deleteWorktree(body.worktreePath, body.repoPath || linkedTask?.repoPath);
+    await deleteWorktree(body.worktreePath, body.repoPath || linkedTask?.repoPath);
     let deletedTaskId;
     if (linkedTask) {
       const columnTasks = db.select().from(tasks).where(eq(tasks.status, linkedTask.status)).all();
@@ -139446,7 +139829,7 @@ function expand2(template, context) {
     return template.replace(/\/$/, "");
   }
 }
-function parse(options) {
+function parse2(options) {
   let method = options.method.toUpperCase();
   let url = (options.url || "/").replace(/:([a-z]\w+)/g, "{$1}");
   let headers = Object.assign({}, options.headers);
@@ -139501,7 +139884,7 @@ function parse(options) {
   return Object.assign({ method, url, headers }, typeof body !== "undefined" ? { body } : null, options.request ? { request: options.request } : null);
 }
 function endpointWithDefaults(defaults2, route, options) {
-  return parse(merge(defaults2, route, options));
+  return parse2(merge(defaults2, route, options));
 }
 function withDefaults(oldDefaults, newDefaults) {
   const DEFAULTS2 = merge(oldDefaults, newDefaults);
@@ -139510,7 +139893,7 @@ function withDefaults(oldDefaults, newDefaults) {
     DEFAULTS: DEFAULTS2,
     defaults: withDefaults.bind(null, DEFAULTS2),
     merge: merge.bind(null, DEFAULTS2),
-    parse
+    parse: parse2
   });
 }
 var endpoint = withDefaults(null, DEFAULTS);
@@ -139861,7 +140244,7 @@ var b64url = "(?:[a-zA-Z0-9_-]+)";
 var sep3 = "\\.";
 var jwtRE = new RegExp(`^${b64url}${sep3}${b64url}${sep3}${b64url}$`);
 var isJWT = jwtRE.test.bind(jwtRE);
-async function auth2(token) {
+async function auth(token) {
   const isApp = isJWT(token);
   const isInstallation = token.startsWith("v1.") || token.startsWith("ghs_");
   const isUserToServer = token.startsWith("ghu_");
@@ -139891,7 +140274,7 @@ var createTokenAuth = function createTokenAuth2(token) {
     throw new Error("[@octokit/auth-token] Token passed to createTokenAuth is not a string");
   }
   token = token.replace(/^(token|bearer) +/i, "");
-  return Object.assign(auth2.bind(null, token), {
+  return Object.assign(auth.bind(null, token), {
     hook: hook.bind(null, token)
   });
 };
@@ -139978,20 +140361,20 @@ class Octokit {
           type: "unauthenticated"
         });
       } else {
-        const auth3 = createTokenAuth(options.auth);
-        hook2.wrap("request", auth3.hook);
-        this.auth = auth3;
+        const auth2 = createTokenAuth(options.auth);
+        hook2.wrap("request", auth2.hook);
+        this.auth = auth2;
       }
     } else {
       const { authStrategy, ...otherOptions } = options;
-      const auth3 = authStrategy(Object.assign({
+      const auth2 = authStrategy(Object.assign({
         request: this.request,
         log: this.log,
         octokit: this,
         octokitOptions: otherOptions
       }, options.auth));
-      hook2.wrap("request", auth3.hook);
-      this.auth = auth3;
+      hook2.wrap("request", auth2.hook);
+      this.auth = auth2;
     }
     const classConstructor = this.constructor;
     for (let i = 0;i < classConstructor.plugins.length; ++i) {
@@ -142816,6 +143199,59 @@ app11.get("/prs", async (c) => {
 });
 var github_default = app11;
 
+// server/routes/auth.ts
+var SESSION_COOKIE_NAME2 = "vibora_session";
+var SESSION_EXPIRY_MS = 14 * 24 * 60 * 60 * 1000;
+var app12 = new Hono2;
+app12.post("/login", async (c) => {
+  const { username, password } = await c.req.json();
+  const settings = getSettings();
+  if (!settings.basicAuthUsername || !settings.basicAuthPassword) {
+    return c.json({ error: "Authentication not configured" }, 500);
+  }
+  if (username !== settings.basicAuthUsername || password !== settings.basicAuthPassword) {
+    return c.json({ error: "Invalid credentials" }, 401);
+  }
+  const secret = getSessionSecret();
+  if (!secret) {
+    return c.json({ error: "Session secret not available" }, 500);
+  }
+  const expiry = Date.now() + SESSION_EXPIRY_MS;
+  const sessionData = JSON.stringify({ exp: expiry });
+  await setSignedCookie(c, SESSION_COOKIE_NAME2, sessionData, secret, {
+    path: "/",
+    httpOnly: true,
+    sameSite: "Strict",
+    maxAge: SESSION_EXPIRY_MS / 1000
+  });
+  return c.json({ success: true, expiresAt: new Date(expiry).toISOString() });
+});
+app12.post("/logout", async (c) => {
+  deleteCookie(c, SESSION_COOKIE_NAME2, { path: "/" });
+  return c.json({ success: true });
+});
+app12.get("/check", async (c) => {
+  const settings = getSettings();
+  if (!settings.basicAuthUsername || !settings.basicAuthPassword) {
+    return c.json({ authRequired: false, authenticated: true });
+  }
+  const secret = getSessionSecret();
+  if (!secret) {
+    return c.json({ authRequired: true, authenticated: false });
+  }
+  const sessionCookie = await getSignedCookie(c, secret, SESSION_COOKIE_NAME2);
+  if (sessionCookie) {
+    try {
+      const session = JSON.parse(sessionCookie);
+      if (session.exp && session.exp > Date.now()) {
+        return c.json({ authRequired: true, authenticated: true });
+      }
+    } catch {}
+  }
+  return c.json({ authRequired: true, authenticated: false });
+});
+var auth_default = app12;
+
 // server/app.ts
 function getDistPath() {
   if (process.env.VIBORA_PACKAGE_ROOT) {
@@ -142824,31 +143260,26 @@ function getDistPath() {
   return join11(process.cwd(), "dist");
 }
 function createApp() {
-  const app12 = new Hono2;
-  app12.use("*", logger());
-  app12.use("*", cors({
+  const app13 = new Hono2;
+  app13.use("*", logger());
+  app13.use("*", cors({
     origin: "*",
     allowMethods: ["GET", "POST", "PATCH", "PUT", "DELETE", "OPTIONS"],
     allowHeaders: ["Content-Type", "Authorization"]
   }));
-  const settings = getSettings();
-  if (settings.basicAuthUsername && settings.basicAuthPassword) {
-    app12.use("*", basicAuth({
-      username: settings.basicAuthUsername,
-      password: settings.basicAuthPassword
-    }));
-  }
-  app12.route("/health", health_default);
-  app12.route("/api/tasks", tasks_default);
-  app12.route("/api/git", git_default);
-  app12.route("/api/fs", filesystem_default);
-  app12.route("/api/config", config_default);
-  app12.route("/api/uploads", uploads_default);
-  app12.route("/api/worktrees", worktrees_default);
-  app12.route("/api/terminal-view-state", terminal_view_state_default);
-  app12.route("/api/repositories", repositories_default);
-  app12.route("/api/linear", linear_default);
-  app12.route("/api/github", github_default);
+  app13.use("*", sessionAuthMiddleware);
+  app13.route("/health", health_default);
+  app13.route("/api/tasks", tasks_default);
+  app13.route("/api/git", git_default);
+  app13.route("/api/fs", filesystem_default);
+  app13.route("/api/config", config_default);
+  app13.route("/api/uploads", uploads_default);
+  app13.route("/api/worktrees", worktrees_default);
+  app13.route("/api/terminal-view-state", terminal_view_state_default);
+  app13.route("/api/repositories", repositories_default);
+  app13.route("/api/linear", linear_default);
+  app13.route("/api/github", github_default);
+  app13.route("/api/auth", auth_default);
   if (process.env.VIBORA_PACKAGE_ROOT) {
     const distPath = getDistPath();
     const serveFile = async (filePath) => {
@@ -142871,7 +143302,7 @@ function createApp() {
         headers: { "Content-Type": mimeTypes[ext2 || ""] || "application/octet-stream" }
       });
     };
-    app12.get("/assets/*", async (c) => {
+    app13.get("/assets/*", async (c) => {
       const assetPath = join11(distPath, c.req.path);
       if (existsSync10(assetPath)) {
         return serveFile(assetPath);
@@ -142880,7 +143311,7 @@ function createApp() {
     });
     const staticFiles = ["favicon.ico", "vibora-icon.png", "vibora-logo.jpeg", "vite.svg"];
     for (const file of staticFiles) {
-      app12.get(`/${file}`, async () => {
+      app13.get(`/${file}`, async () => {
         const filePath = join11(distPath, file);
         if (existsSync10(filePath)) {
           return serveFile(filePath);
@@ -142888,7 +143319,7 @@ function createApp() {
         return new Response("Not Found", { status: 404 });
       });
     }
-    app12.get("*", async (c, next) => {
+    app13.get("*", async (c, next) => {
       const path9 = c.req.path;
       if (path9.startsWith("/api/") || path9.startsWith("/ws/") || path9 === "/health") {
         return next();
@@ -142897,11 +143328,11 @@ function createApp() {
       return c.html(html);
     });
   }
-  return app12;
+  return app13;
 }
 
 // server/services/pr-monitor.ts
-import { execSync as execSync5 } from "child_process";
+import { execSync as execSync4 } from "child_process";
 var POLL_INTERVAL = 60000;
 function parsePrUrl(url) {
   const match3 = url.match(/github\.com\/([^/]+)\/([^/]+)\/pull\/(\d+)/);
@@ -142916,7 +143347,7 @@ function checkPrStatus(prUrl) {
     return null;
   }
   try {
-    const output = execSync5(`gh pr view ${parsed.number} --repo ${parsed.owner}/${parsed.repo} --json state,mergedAt`, { encoding: "utf-8", timeout: 1e4, stdio: ["pipe", "pipe", "pipe"] });
+    const output = execSync4(`gh pr view ${parsed.number} --repo ${parsed.owner}/${parsed.repo} --json state,mergedAt`, { encoding: "utf-8", timeout: 1e4, stdio: ["pipe", "pipe", "pipe"] });
     const data = JSON.parse(output);
     return {
       state: data.state,
@@ -142983,11 +143414,11 @@ setBroadcastDestroyed((terminalId) => {
     payload: { terminalId }
   });
 });
-var app12 = createApp();
-var { injectWebSocket, upgradeWebSocket } = createNodeWebSocket({ app: app12 });
-app12.get("/ws/terminal", upgradeWebSocket(() => terminalWebSocketHandlers));
+var app13 = createApp();
+var { injectWebSocket, upgradeWebSocket } = createNodeWebSocket({ app: app13 });
+app13.get("/ws/terminal", upgradeWebSocket(() => terminalWebSocketHandlers));
 var server = serve({
-  fetch: app12.fetch,
+  fetch: app13.fetch,
   port: PORT,
   hostname: "0.0.0.0"
 }, (info) => {