npm - whale-code - Versions diffs - 6.5.5 → 6.5.7 - Mend

whale-code 6.5.5 → 6.5.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2089) hide show

package/README.md +39 -31
package/bin/{swagmanager-mcp.js → whale-code.js} +40 -2
package/dist/cli/__tests__/print-mode-streaming.test.js +270 -0
package/dist/cli/__tests__/print-mode.basic-output.test.js +230 -0
package/dist/cli/__tests__/print-mode.session-errors.test.js +252 -0
package/dist/cli/__tests__/print-mode.test.js +273 -0
package/dist/cli/__tests__/serve-mode-messages.test.js +338 -0
package/dist/cli/__tests__/serve-mode.messages.part2.test.js +266 -0
package/dist/cli/__tests__/serve-mode.messages.test.js +277 -0
package/dist/cli/__tests__/serve-mode.startup-http.test.js +279 -0
package/dist/cli/__tests__/serve-mode.test.js +345 -0
package/dist/cli/app.d.ts +1 -0
package/dist/cli/app.js +154 -72
package/dist/cli/app.js.map +1 -0
package/dist/cli/chat/AgentSelector.js +105 -10
package/dist/cli/chat/AgentSelector.js.map +1 -0
package/dist/cli/chat/ChatApp.d.ts +8 -5
package/dist/cli/chat/ChatApp.js +253 -315
package/dist/cli/chat/ChatApp.js.map +1 -0
package/dist/cli/chat/ChatInput.d.ts +3 -2
package/dist/cli/chat/ChatInput.js +1111 -770
package/dist/cli/chat/ChatInput.js.map +1 -0
package/dist/cli/chat/ImsgManager.d.ts +20 -0
package/dist/cli/chat/ImsgManager.js +341 -0
package/dist/cli/chat/ImsgManager.js.map +1 -0
package/dist/cli/chat/MarkdownText.d.ts +2 -1
package/dist/cli/chat/MarkdownText.js +44 -15
package/dist/cli/chat/MarkdownText.js.map +1 -0
package/dist/cli/chat/MemoryManager.js +182 -46
package/dist/cli/chat/MemoryManager.js.map +1 -0
package/dist/cli/chat/MessageList.d.ts +3 -4
package/dist/cli/chat/MessageList.js +195 -49
package/dist/cli/chat/MessageList.js.map +1 -0
package/dist/cli/chat/ModelSelector.js +282 -63
package/dist/cli/chat/ModelSelector.js.map +1 -0
package/dist/cli/chat/NodeManager.js +61 -84
package/dist/cli/chat/NodeManager.js.map +1 -0
package/dist/cli/chat/NodeSelector.js +171 -30
package/dist/cli/chat/NodeSelector.js.map +1 -0
package/dist/cli/chat/OverlayContext.d.ts +27 -0
package/dist/cli/chat/OverlayContext.js +2 -0
package/dist/cli/chat/OverlayContext.js.map +1 -0
package/dist/cli/chat/PlanApproval.js +282 -57
package/dist/cli/chat/PlanApproval.js.map +1 -0
package/dist/cli/chat/RewindConfirmation.d.ts +12 -0
package/dist/cli/chat/RewindConfirmation.js +243 -0
package/dist/cli/chat/RewindConfirmation.js.map +1 -0
package/dist/cli/chat/RewindViewer.js +560 -144
package/dist/cli/chat/RewindViewer.js.map +1 -0
package/dist/cli/chat/SessionManager.js +138 -30
package/dist/cli/chat/SessionManager.js.map +1 -0
package/dist/cli/chat/SlashMenu.d.ts +7 -24
package/dist/cli/chat/SlashMenu.js +150 -190
package/dist/cli/chat/SlashMenu.js.map +1 -0
package/dist/cli/chat/StatusBar.d.ts +5 -2
package/dist/cli/chat/StatusBar.js +188 -10
package/dist/cli/chat/StatusBar.js.map +1 -0
package/dist/cli/chat/StoreSelector.js +147 -18
package/dist/cli/chat/StoreSelector.js.map +1 -0
package/dist/cli/chat/StreamingText.d.ts +0 -3
package/dist/cli/chat/StreamingText.js +21 -6
package/dist/cli/chat/StreamingText.js.map +1 -0
package/dist/cli/chat/SubagentPanel.d.ts +6 -7
package/dist/cli/chat/SubagentPanel.js +253 -91
package/dist/cli/chat/SubagentPanel.js.map +1 -0
package/dist/cli/chat/TeamPanel.d.ts +1 -0
package/dist/cli/chat/TeamPanel.js +201 -29
package/dist/cli/chat/TeamPanel.js.map +1 -0
package/dist/cli/chat/ThemeSelector.js +84 -24
package/dist/cli/chat/ThemeSelector.js.map +1 -0
package/dist/cli/chat/ToolIndicator.d.ts +7 -23
package/dist/cli/chat/ToolIndicator.js +635 -430
package/dist/cli/chat/ToolIndicator.js.map +1 -0
package/dist/cli/chat/chat-input-menu-handler.d.ts +32 -0
package/dist/cli/chat/components/LiveArea.d.ts +12 -0
package/dist/cli/chat/components/LiveArea.js +252 -0
package/dist/cli/chat/components/LiveArea.js.map +1 -0
package/dist/cli/chat/components/OverlayRouter.d.ts +13 -0
package/dist/cli/chat/components/OverlayRouter.js +257 -0
package/dist/cli/chat/components/OverlayRouter.js.map +1 -0
package/dist/cli/chat/components/StaticMessages.d.ts +9 -0
package/dist/cli/chat/components/StaticMessages.js +132 -0
package/dist/cli/chat/components/StaticMessages.js.map +1 -0
package/dist/cli/chat/hooks/agent-loop-events.d.ts +77 -0
package/dist/cli/chat/hooks/agent-loop-events.js +171 -0
package/dist/cli/chat/hooks/agent-loop-events.js.map +1 -0
package/dist/cli/chat/hooks/slash-command-config-system.d.ts +11 -0
package/dist/cli/chat/hooks/slash-command-config-system.js +177 -0
package/dist/cli/chat/hooks/slash-command-config-system.js.map +1 -0
package/dist/cli/chat/hooks/slash-command-handlers-system.d.ts +12 -0
package/dist/cli/chat/hooks/slash-command-handlers-system.js +127 -0
package/dist/cli/chat/hooks/slash-command-handlers-system.js.map +1 -0
package/dist/cli/chat/hooks/slash-command-handlers.d.ts +21 -0
package/dist/cli/chat/hooks/slash-command-handlers.js +222 -0
package/dist/cli/chat/hooks/slash-command-handlers.js.map +1 -0
package/dist/cli/chat/hooks/slash-imsg-handlers.js +148 -0
package/dist/cli/chat/hooks/slash-imsg-handlers.js.map +1 -0
package/dist/cli/chat/hooks/slash-node-handlers.d.ts +26 -0
package/dist/cli/chat/hooks/slash-node-handlers.js +226 -0
package/dist/cli/chat/hooks/slash-node-handlers.js.map +1 -0
package/dist/cli/chat/hooks/useAgentLoop.d.ts +2 -20
package/dist/cli/chat/hooks/useAgentLoop.js +344 -373
package/dist/cli/chat/hooks/useAgentLoop.js.map +1 -0
package/dist/cli/chat/hooks/useElapsedClock.d.ts +19 -0
package/dist/cli/chat/hooks/useElapsedClock.js +80 -0
package/dist/cli/chat/hooks/useElapsedClock.js.map +1 -0
package/dist/cli/chat/hooks/useOverlayHandlers.d.ts +23 -0
package/dist/cli/chat/hooks/useOverlayHandlers.js +125 -0
package/dist/cli/chat/hooks/useOverlayHandlers.js.map +1 -0
package/dist/cli/chat/hooks/useSlashCommands.d.ts +14 -33
package/dist/cli/chat/hooks/useSlashCommands.js +167 -616
package/dist/cli/chat/hooks/useSlashCommands.js.map +1 -0
package/dist/cli/chat/hooks/useStreamingReducer.d.ts +66 -0
package/dist/cli/chat/imsg-manager-render.d.ts +29 -0
package/dist/cli/chat/imsg-manager-render.js +294 -0
package/dist/cli/chat/imsg-manager-render.js.map +1 -0
package/dist/cli/chat/slash-commands.d.ts +37 -0
package/dist/cli/chat/slash-commands.js +194 -0
package/dist/cli/chat/slash-commands.js.map +1 -0
package/dist/cli/chat/store.d.ts +115 -0
package/dist/cli/chat/store.js +177 -0
package/dist/cli/chat/store.js.map +1 -0
package/dist/cli/chat/tool-indicator-helpers.d.ts +14 -0
package/dist/cli/chat/tool-indicator-helpers.js +167 -0
package/dist/cli/chat/tool-indicator-helpers.js.map +1 -0
package/dist/cli/chat/tool-indicator-summary.d.ts +6 -0
package/dist/cli/chat/tool-indicator-summary.js +103 -0
package/dist/cli/chat/tool-indicator-summary.js.map +1 -0
package/dist/cli/chat/tool-indicator-types.d.ts +66 -0
package/dist/cli/chat/tool-indicator-types.js +177 -0
package/dist/cli/chat/tool-indicator-types.js.map +1 -0
package/dist/cli/commands/__tests__/config-cmd.test.js +270 -0
package/dist/cli/commands/__tests__/doctor.test.js +257 -0
package/dist/cli/commands/__tests__/imsg-node-bridge.test.js +99 -0
package/dist/cli/commands/__tests__/imsg-utils.test.js +73 -0
package/dist/cli/commands/__tests__/init.test.js +214 -0
package/dist/cli/commands/__tests__/mcp.test.js +287 -0
package/dist/cli/commands/config-cmd.js +56 -57
package/dist/cli/commands/config-cmd.js.map +1 -0
package/dist/cli/commands/db.js +184 -169
package/dist/cli/commands/db.js.map +1 -0
package/dist/cli/commands/doctor.js +212 -122
package/dist/cli/commands/doctor.js.map +1 -0
package/dist/cli/commands/imsg-config.d.ts +31 -0
package/dist/cli/commands/imsg-config.js +104 -0
package/dist/cli/commands/imsg-config.js.map +1 -0
package/dist/cli/commands/imsg-node-bridge.d.ts +25 -0
package/dist/cli/commands/imsg-node-bridge.js +229 -0
package/dist/cli/commands/imsg-node-bridge.js.map +1 -0
package/dist/cli/commands/imsg-utils.d.ts +14 -0
package/dist/cli/commands/imsg-utils.js +42 -0
package/dist/cli/commands/imsg-utils.js.map +1 -0
package/dist/cli/commands/imsg-watcher-helpers.d.ts +40 -0
package/dist/cli/commands/imsg-watcher-helpers.js +184 -0
package/dist/cli/commands/imsg-watcher-helpers.js.map +1 -0
package/dist/cli/commands/imsg-watcher.d.ts +11 -0
package/dist/cli/commands/imsg-watcher.js +230 -0
package/dist/cli/commands/imsg-watcher.js.map +1 -0
package/dist/cli/commands/imsg.d.ts +14 -0
package/dist/cli/commands/imsg.js +181 -0
package/dist/cli/commands/imsg.js.map +1 -0
package/dist/cli/commands/init.js +211 -244
package/dist/cli/commands/init.js.map +1 -0
package/dist/cli/commands/mcp.js +127 -122
package/dist/cli/commands/mcp.js.map +1 -0
package/dist/cli/commands/sessions.d.ts +9 -0
package/dist/cli/commands/sessions.js +93 -0
package/dist/cli/commands/sessions.js.map +1 -0
package/dist/cli/login/LoginApp.js +358 -141
package/dist/cli/login/LoginApp.js.map +1 -0
package/dist/cli/print-mode.js +196 -177
package/dist/cli/print-mode.js.map +1 -0
package/dist/cli/serve-mode-persistence.d.ts +18 -0
package/dist/cli/serve-mode-persistence.js +157 -0
package/dist/cli/serve-mode-persistence.js.map +1 -0
package/dist/cli/serve-mode-query.d.ts +9 -0
package/dist/cli/serve-mode-query.js +247 -0
package/dist/cli/serve-mode-query.js.map +1 -0
package/dist/cli/serve-mode-types.d.ts +29 -0
package/dist/cli/serve-mode-types.js +56 -0
package/dist/cli/serve-mode-types.js.map +1 -0
package/dist/cli/serve-mode.js +615 -530
package/dist/cli/serve-mode.js.map +1 -0
package/dist/cli/services/__tests__/agent-definitions.test.js +153 -0
package/dist/cli/services/__tests__/agent-events-global.test.js +39 -0
package/dist/cli/services/__tests__/agent-events.part2.test.js +113 -0
package/dist/cli/services/__tests__/agent-events.test.js +157 -0
package/dist/cli/services/__tests__/agent-loop-auth.test.js +392 -0
package/dist/cli/services/__tests__/agent-loop-budget.test.js +389 -0
package/dist/cli/services/__tests__/agent-loop-tools-lifecycle.test.js +430 -0
package/dist/cli/services/__tests__/agent-loop-tools-maxturns.test.js +486 -0
package/dist/cli/services/__tests__/agent-loop-utils-execution.test.js +528 -0
package/dist/cli/services/__tests__/agent-loop-utils-helpers.test.js +466 -0
package/dist/cli/services/__tests__/agent-worker-base-execute.test.js +257 -0
package/dist/cli/services/__tests__/agent-worker-base-helpers.test.js +198 -0
package/dist/cli/services/__tests__/agent-worker-base.test.js +278 -0
package/dist/cli/services/__tests__/auth-service-exports.test.js +41 -0
package/dist/cli/services/__tests__/auth-service.part2.test.js +169 -0
package/dist/cli/services/__tests__/auth-service.test.js +242 -0
package/dist/cli/services/__tests__/background-processes.test.js +282 -0
package/dist/cli/services/__tests__/claude-md-loader.test.js +134 -0
package/dist/cli/services/__tests__/config-store.test.js +247 -0
package/dist/cli/services/__tests__/debug-log.test.js +199 -0
package/dist/cli/services/__tests__/edge-cases-caching.test.js +174 -0
package/dist/cli/services/__tests__/edge-cases-compaction-core.test.js +226 -0
package/dist/cli/services/__tests__/edge-cases-compaction-openai.test.js +152 -0
package/dist/cli/services/__tests__/edge-cases-compaction-shapes.test.js +53 -0
package/dist/cli/services/__tests__/edge-cases-compaction-thinking.test.js +226 -0
package/dist/cli/services/__tests__/edge-cases-compaction.test.js +131 -0
package/dist/cli/services/__tests__/edge-cases-paths.test.js +86 -0
package/dist/cli/services/__tests__/error-logger-messages.test.js +81 -0
package/dist/cli/services/__tests__/error-logger-transport.test.js +119 -0
package/dist/cli/services/__tests__/error-logger.test.js +264 -0
package/dist/cli/services/__tests__/file-history.test.js +136 -0
package/dist/cli/services/__tests__/git-context-cache-reset.test.js +223 -0
package/dist/cli/services/__tests__/git-context.test.js +241 -0
package/dist/cli/services/__tests__/interactive-tools-execute.test.js +166 -0
package/dist/cli/services/__tests__/interactive-tools-plan.test.js +197 -0
package/dist/cli/services/__tests__/interactive-tools.part2.test.js +168 -0
package/dist/cli/services/__tests__/interactive-tools.test.js +179 -0
package/dist/cli/services/__tests__/keybinding-manager.test.js +205 -0
package/dist/cli/services/__tests__/local-tools-dispatch.test.js +404 -0
package/dist/cli/services/__tests__/local-tools.test.js +238 -0
package/dist/cli/services/__tests__/lsp-manager.test.js +364 -0
package/dist/cli/services/__tests__/mcp-client-connect-disconnect.test.js +310 -0
package/dist/cli/services/__tests__/mcp-client.test.js +93 -0
package/dist/cli/services/__tests__/memory-manager.test.js +154 -0
package/dist/cli/services/__tests__/model-manager-utils.test.js +154 -0
package/dist/cli/services/__tests__/model-manager.test.js +175 -0
package/dist/cli/services/__tests__/permission-modes.test.js +222 -0
package/dist/cli/services/__tests__/ripgrep.test.js +328 -0
package/dist/cli/services/__tests__/server-tools-execute.test.js +317 -0
package/dist/cli/services/__tests__/server-tools.test.js +272 -0
package/dist/cli/services/__tests__/session-persistence.test.js +245 -0
package/dist/cli/services/__tests__/subagent-basic.test.js +489 -0
package/dist/cli/services/__tests__/subagent-edge.test.js +545 -0
package/dist/cli/services/__tests__/subagent-prompts.test.js +558 -0
package/dist/cli/services/__tests__/subagent-worker-errors.test.js +255 -0
package/dist/cli/services/__tests__/subagent-worker.test.js +242 -0
package/dist/cli/services/__tests__/system-prompt.test.js +210 -0
package/dist/cli/services/__tests__/team-lead-comms-messaging.test.js +250 -0
package/dist/cli/services/__tests__/team-lead-comms-result.test.js +232 -0
package/dist/cli/services/__tests__/team-lead-comms-stop.test.js +344 -0
package/dist/cli/services/__tests__/team-lead-comms.test.js +285 -0
package/dist/cli/services/__tests__/team-lead-create.test.js +327 -0
package/dist/cli/services/__tests__/team-lead-run.test.js +318 -0
package/dist/cli/services/__tests__/team-lead-stop.test.js +199 -0
package/dist/cli/services/__tests__/team-state-comms.test.js +240 -0
package/dist/cli/services/__tests__/team-state-core.test.js +230 -0
package/dist/cli/services/__tests__/team-state-tasks-complete-fail-available.test.js +224 -0
package/dist/cli/services/__tests__/team-state-tasks.test.js +184 -0
package/dist/cli/services/__tests__/telemetry-ai-metadata.test.js +116 -0
package/dist/cli/services/__tests__/telemetry.part2.test.js +195 -0
package/dist/cli/services/__tests__/telemetry.test.js +176 -0
package/dist/cli/services/agent-config.d.ts +5 -1
package/dist/cli/services/agent-config.js +66 -36
package/dist/cli/services/agent-config.js.map +1 -0
package/dist/cli/services/agent-definitions.d.ts +4 -1
package/dist/cli/services/agent-definitions.js +97 -56
package/dist/cli/services/agent-definitions.js.map +1 -0
package/dist/cli/services/agent-event-types.d.ts +148 -0
package/dist/cli/services/agent-event-types.js +2 -0
package/dist/cli/services/agent-event-types.js.map +1 -0
package/dist/cli/services/agent-events.js +225 -162
package/dist/cli/services/agent-events.js.map +1 -0
package/dist/cli/services/agent-loop-iteration.d.ts +13 -0
package/dist/cli/services/agent-loop-setup.d.ts +32 -0
package/dist/cli/services/agent-loop-shell-summarize.d.ts +11 -0
package/dist/cli/services/agent-loop-shell-summarize.js +94 -0
package/dist/cli/services/agent-loop-shell-summarize.js.map +1 -0
package/dist/cli/services/agent-loop-tools.d.ts +37 -0
package/dist/cli/services/agent-loop-tools.js +243 -0
package/dist/cli/services/agent-loop-tools.js.map +1 -0
package/dist/cli/services/agent-loop-types.d.ts +52 -0
package/dist/cli/services/agent-loop-types.js +25 -0
package/dist/cli/services/agent-loop-types.js.map +1 -0
package/dist/cli/services/agent-loop.d.ts +2 -2
package/dist/cli/services/agent-loop.js +1135 -702
package/dist/cli/services/agent-loop.js.map +1 -0
package/dist/cli/services/agent-worker-base-api.d.ts +19 -0
package/dist/cli/services/agent-worker-base-helpers.d.ts +27 -0
package/dist/cli/services/agent-worker-base-tools.d.ts +16 -0
package/dist/cli/services/agent-worker-base-types.d.ts +81 -0
package/dist/cli/services/agent-worker-base.d.ts +35 -5
package/dist/cli/services/agent-worker-base.js +337 -153
package/dist/cli/services/agent-worker-base.js.map +1 -0
package/dist/cli/services/api-retry.js +69 -64
package/dist/cli/services/api-retry.js.map +1 -0
package/dist/cli/services/auth-service.d.ts +3 -3
package/dist/cli/services/auth-service.js +213 -136
package/dist/cli/services/auth-service.js.map +1 -0
package/dist/cli/services/background-agents.d.ts +26 -0
package/dist/cli/services/background-processes-ops.d.ts +24 -0
package/dist/cli/services/background-processes.d.ts +2 -1
package/dist/cli/services/background-processes.js +347 -267
package/dist/cli/services/background-processes.js.map +1 -0
package/dist/cli/services/background-tool-defs.d.ts +50 -0
package/dist/cli/services/browser-auth.d.ts +2 -2
package/dist/cli/services/browser-auth.js +159 -118
package/dist/cli/services/browser-auth.js.map +1 -0
package/dist/cli/services/claude-md-loader.js +40 -36
package/dist/cli/services/claude-md-loader.js.map +1 -0
package/dist/cli/services/cli-agent-loop.d.ts +41 -0
package/dist/cli/services/cli-agent-loop.js +104 -0
package/dist/cli/services/cli-agent-loop.js.map +1 -0
package/dist/cli/services/config-modules-model.test.js +133 -0
package/dist/cli/services/config-modules-permission.test.js +85 -0
package/dist/cli/services/config-modules-permissions.test.js +85 -0
package/dist/cli/services/config-modules-session.test.js +297 -0
package/dist/cli/services/config-store.d.ts +14 -4
package/dist/cli/services/config-store.js +249 -117
package/dist/cli/services/config-store.js.map +1 -0
package/dist/cli/services/debug-log.d.ts +1 -1
package/dist/cli/services/debug-log.js +34 -35
package/dist/cli/services/debug-log.js.map +1 -0
package/dist/cli/services/env-detect.d.ts +7 -0
package/dist/cli/services/env-detect.js +9 -0
package/dist/cli/services/env-detect.js.map +1 -0
package/dist/cli/services/error-logger-internals.d.ts +25 -0
package/dist/cli/services/error-logger-internals.js +111 -0
package/dist/cli/services/error-logger-internals.js.map +1 -0
package/dist/cli/services/error-logger.js +187 -169
package/dist/cli/services/error-logger.js.map +1 -0
package/dist/cli/services/file-history.d.ts +1 -1
package/dist/cli/services/file-history.js +50 -54
package/dist/cli/services/file-history.js.map +1 -0
package/dist/cli/services/format-server-response-columns.test.js +265 -0
package/dist/cli/services/format-server-response-fallback.test.js +65 -0
package/dist/cli/services/format-server-response-formatters.d.ts +18 -0
package/dist/cli/services/format-server-response-formatters.js +195 -0
package/dist/cli/services/format-server-response-formatters.js.map +1 -0
package/dist/cli/services/format-server-response-primitives-basic.test.js +261 -0
package/dist/cli/services/format-server-response-primitives-nested.test.js +188 -0
package/dist/cli/services/format-server-response-primitives.test.js +300 -0
package/dist/cli/services/format-server-response-realworld.test.js +248 -0
package/dist/cli/services/format-server-response-values.test.js +247 -0
package/dist/cli/services/format-server-response.js +334 -372
package/dist/cli/services/format-server-response.js.map +1 -0
package/dist/cli/services/git-context.js +61 -45
package/dist/cli/services/git-context.js.map +1 -0
package/dist/cli/services/hooks-execute.d.ts +47 -0
package/dist/cli/services/hooks-execute.js +181 -0
package/dist/cli/services/hooks-execute.js.map +1 -0
package/dist/cli/services/hooks-runners.test.js +184 -0
package/dist/cli/services/hooks.d.ts +2 -2
package/dist/cli/services/hooks.glob-load.test.js +233 -0
package/dist/cli/services/hooks.js +195 -180
package/dist/cli/services/hooks.js.map +1 -0
package/dist/cli/services/hooks.run-hooks.test.js +184 -0
package/dist/cli/services/hooks.test.js +233 -0
package/dist/cli/services/ink-incremental.d.ts +19 -0
package/dist/cli/services/ink-incremental.js +59 -0
package/dist/cli/services/ink-incremental.js.map +1 -0
package/dist/cli/services/ink-resize-fix.js +54 -44
package/dist/cli/services/ink-resize-fix.js.map +1 -0
package/dist/cli/services/ink-sync-output.d.ts +12 -0
package/dist/cli/services/ink-sync-output.js +16 -0
package/dist/cli/services/ink-sync-output.js.map +1 -0
package/dist/cli/services/interactive-tool-defs.d.ts +80 -0
package/dist/cli/services/interactive-tools.d.ts +5 -2
package/dist/cli/services/interactive-tools.js +283 -213
package/dist/cli/services/interactive-tools.js.map +1 -0
package/dist/cli/services/keybinding-manager.d.ts +13 -1
package/dist/cli/services/keybinding-manager.js +131 -63
package/dist/cli/services/keybinding-manager.js.map +1 -0
package/dist/cli/services/local-tools-agent-defs-tasks.d.ts +6 -0
package/dist/cli/services/local-tools-agent-defs-tasks.js +245 -0
package/dist/cli/services/local-tools-agent-defs-tasks.js.map +1 -0
package/dist/cli/services/local-tools-agent-defs-utils.d.ts +6 -0
package/dist/cli/services/local-tools-agent-defs-utils.js +198 -0
package/dist/cli/services/local-tools-agent-defs-utils.js.map +1 -0
package/dist/cli/services/local-tools-agent-defs.d.ts +10 -0
package/dist/cli/services/local-tools-agent-defs.js +13 -0
package/dist/cli/services/local-tools-agent-defs.js.map +1 -0
package/dist/cli/services/local-tools-definitions.d.ts +6 -0
package/dist/cli/services/local-tools-files.test.js +256 -0
package/dist/cli/services/local-tools-read-many.d.ts +6 -0
package/dist/cli/services/local-tools.d.ts +1 -1
package/dist/cli/services/local-tools.js +938 -657
package/dist/cli/services/local-tools.js.map +1 -0
package/dist/cli/services/lsp-config.d.ts +13 -0
package/dist/cli/services/lsp-config.js +72 -0
package/dist/cli/services/lsp-config.js.map +1 -0
package/dist/cli/services/lsp-formatters.d.ts +11 -0
package/dist/cli/services/lsp-formatters.js +209 -0
package/dist/cli/services/lsp-formatters.js.map +1 -0
package/dist/cli/services/lsp-manager.js +757 -594
package/dist/cli/services/lsp-manager.js.map +1 -0
package/dist/cli/services/lsp-protocol.d.ts +9 -0
package/dist/cli/services/lsp-protocol.js +40 -0
package/dist/cli/services/lsp-protocol.js.map +1 -0
package/dist/cli/services/lsp-server-docs.d.ts +8 -0
package/dist/cli/services/lsp-server-docs.js +132 -0
package/dist/cli/services/lsp-server-docs.js.map +1 -0
package/dist/cli/services/lsp-server-documents.d.ts +8 -0
package/dist/cli/services/lsp-server-documents.js +132 -0
package/dist/cli/services/lsp-server-documents.js.map +1 -0
package/dist/cli/services/lsp-server.d.ts +40 -0
package/dist/cli/services/lsp-server.js +270 -0
package/dist/cli/services/lsp-server.js.map +1 -0
package/dist/cli/services/mcp-client.d.ts +1 -1
package/dist/cli/services/mcp-client.js +173 -134
package/dist/cli/services/mcp-client.js.map +1 -0
package/dist/cli/services/memory-manager.js +53 -40
package/dist/cli/services/memory-manager.js.map +1 -0
package/dist/cli/services/model-manager.js +55 -40
package/dist/cli/services/model-manager.js.map +1 -0
package/dist/cli/services/model-router.js +115 -85
package/dist/cli/services/model-router.js.map +1 -0
package/dist/cli/services/model-router.test.js +245 -0
package/dist/cli/services/paths.d.ts +30 -0
package/dist/cli/services/paths.js +81 -0
package/dist/cli/services/paths.js.map +1 -0
package/dist/cli/services/permission-modes.js +45 -25
package/dist/cli/services/permission-modes.js.map +1 -0
package/dist/cli/services/project-index.d.ts +41 -0
package/dist/cli/services/project-index.js +286 -0
package/dist/cli/services/project-index.js.map +1 -0
package/dist/cli/services/rewind-rewindTo.test.js +202 -0
package/dist/cli/services/rewind.js +182 -168
package/dist/cli/services/rewind.js.map +1 -0
package/dist/cli/services/rewind.test.js +175 -0
package/dist/cli/services/ripgrep.js +115 -115
package/dist/cli/services/ripgrep.js.map +1 -0
package/dist/cli/services/sandbox.d.ts +1 -1
package/dist/cli/services/sandbox.js +58 -37
package/dist/cli/services/sandbox.js.map +1 -0
package/dist/cli/services/sandbox.test.js +198 -0
package/dist/cli/services/server-tools-client.d.ts +46 -0
package/dist/cli/services/server-tools-client.js +211 -0
package/dist/cli/services/server-tools-client.js.map +1 -0
package/dist/cli/services/server-tools-media.d.ts +21 -0
package/dist/cli/services/server-tools-media.js +163 -0
package/dist/cli/services/server-tools-media.js.map +1 -0
package/dist/cli/services/server-tools-preprocess.d.ts +23 -0
package/dist/cli/services/server-tools-preprocess.js +386 -0
package/dist/cli/services/server-tools-preprocess.js.map +1 -0
package/dist/cli/services/server-tools.d.ts +2 -0
package/dist/cli/services/server-tools.js +763 -565
package/dist/cli/services/server-tools.js.map +1 -0
package/dist/cli/services/session-client.d.ts +78 -0
package/dist/cli/services/session-client.js +197 -0
package/dist/cli/services/session-client.js.map +1 -0
package/dist/cli/services/session-persistence.d.ts +3 -0
package/dist/cli/services/session-persistence.js +81 -74
package/dist/cli/services/session-persistence.js.map +1 -0
package/dist/cli/services/subagent-execution.d.ts +12 -0
package/dist/cli/services/subagent-loop-v2.d.ts +36 -0
package/dist/cli/services/subagent-loop-v2.js +238 -0
package/dist/cli/services/subagent-loop-v2.js.map +1 -0
package/dist/cli/services/subagent-tools.d.ts +10 -0
package/dist/cli/services/subagent-tools.js +96 -0
package/dist/cli/services/subagent-tools.js.map +1 -0
package/dist/cli/services/subagent-types.d.ts +57 -0
package/dist/cli/services/subagent-types.js +218 -0
package/dist/cli/services/subagent-types.js.map +1 -0
package/dist/cli/services/subagent-worker.js +42 -27
package/dist/cli/services/subagent-worker.js.map +1 -0
package/dist/cli/services/subagent.d.ts +2 -0
package/dist/cli/services/subagent.js +606 -433
package/dist/cli/services/subagent.js.map +1 -0
package/dist/cli/services/system-prompt.js +111 -80
package/dist/cli/services/system-prompt.js.map +1 -0
package/dist/cli/services/task-decomposer.d.ts +1 -1
package/dist/cli/services/task-decomposer.js +172 -139
package/dist/cli/services/task-decomposer.js.map +1 -0
package/dist/cli/services/team-lead-auto.d.ts +11 -0
package/dist/cli/services/team-lead-execution.d.ts +28 -0
package/dist/cli/services/team-lead-types.d.ts +37 -0
package/dist/cli/services/team-lead-types.js +2 -0
package/dist/cli/services/team-lead-types.js.map +1 -0
package/dist/cli/services/team-lead.d.ts +62 -2
package/dist/cli/services/team-lead.js +863 -528
package/dist/cli/services/team-lead.js.map +1 -0
package/dist/cli/services/team-state-members.d.ts +11 -0
package/dist/cli/services/team-state-members.js +185 -0
package/dist/cli/services/team-state-members.js.map +1 -0
package/dist/cli/services/team-state-messaging.d.ts +16 -0
package/dist/cli/services/team-state-messaging.js +90 -0
package/dist/cli/services/team-state-messaging.js.map +1 -0
package/dist/cli/services/team-state-tasks.d.ts +12 -0
package/dist/cli/services/team-state-tasks.js +23 -0
package/dist/cli/services/team-state-tasks.js.map +1 -0
package/dist/cli/services/team-state-types.d.ts +54 -0
package/dist/cli/services/team-state-types.js +129 -0
package/dist/cli/services/team-state-types.js.map +1 -0
package/dist/cli/services/team-state.d.ts +5 -0
package/dist/cli/services/team-state.js +348 -319
package/dist/cli/services/team-state.js.map +1 -0
package/dist/cli/services/teammate-loop.js +557 -0
package/dist/cli/services/teammate-loop.js.map +1 -0
package/dist/cli/services/teammate-prompt.d.ts +2 -0
package/dist/cli/services/teammate-prompt.js +68 -0
package/dist/cli/services/teammate-prompt.js.map +1 -0
package/dist/cli/services/teammate-tools.d.ts +6 -0
package/dist/cli/services/teammate-tools.js +158 -0
package/dist/cli/services/teammate-tools.js.map +1 -0
package/dist/cli/services/teammate-types.d.ts +36 -0
package/dist/cli/services/teammate-types.js +43 -0
package/dist/cli/services/teammate-types.js.map +1 -0
package/dist/cli/services/teammate-worker-helpers.d.ts +71 -0
package/dist/cli/services/teammate-worker-helpers.js +183 -0
package/dist/cli/services/teammate-worker-helpers.js.map +1 -0
package/dist/cli/services/teammate-worker-task-cleanup.d.ts +27 -0
package/dist/cli/services/teammate-worker-task-cleanup.js +91 -0
package/dist/cli/services/teammate-worker-task-cleanup.js.map +1 -0
package/dist/cli/services/teammate-worker-task-loop.d.ts +35 -0
package/dist/cli/services/teammate-worker-task-loop.js +273 -0
package/dist/cli/services/teammate-worker-task-loop.js.map +1 -0
package/dist/cli/services/teammate-worker.d.ts +13 -0
package/dist/cli/services/teammate-worker.js +294 -0
package/dist/cli/services/teammate-worker.js.map +1 -0
package/dist/cli/services/teammate.d.ts +8 -2
package/dist/cli/services/teammate.js +857 -569
package/dist/cli/services/teammate.js.map +1 -0
package/dist/cli/services/telemetry-spans.d.ts +17 -0
package/dist/cli/services/telemetry-spans.js +172 -0
package/dist/cli/services/telemetry-spans.js.map +1 -0
package/dist/cli/services/telemetry.d.ts +6 -1
package/dist/cli/services/telemetry.js +180 -157
package/dist/cli/services/telemetry.js.map +1 -0
package/dist/cli/services/tools/__tests__/agent-tools-tasks-teams.test.js +250 -0
package/dist/cli/services/tools/__tests__/agent-tools-teams.test.js +200 -0
package/dist/cli/services/tools/__tests__/agent-tools.test.js +340 -0
package/dist/cli/services/tools/__tests__/file-ops-cache.test.js +152 -0
package/dist/cli/services/tools/__tests__/file-ops-notebook.test.js +249 -0
package/dist/cli/services/tools/__tests__/file-ops-read.test.js +261 -0
package/dist/cli/services/tools/__tests__/file-ops-write.test.js +292 -0
package/dist/cli/services/tools/__tests__/search-tools-rg.test.js +92 -0
package/dist/cli/services/tools/__tests__/search-tools.part2.test.js +174 -0
package/dist/cli/services/tools/__tests__/search-tools.test.js +227 -0
package/dist/cli/services/tools/__tests__/shell-exec-allowed-core.test.js +163 -0
package/dist/cli/services/tools/__tests__/shell-exec-allowed-extended.test.js +220 -0
package/dist/cli/services/tools/__tests__/shell-exec-allowed.part2.test.js +215 -0
package/dist/cli/services/tools/__tests__/shell-exec-allowed.test.js +154 -0
package/dist/cli/services/tools/__tests__/shell-exec-blocked.test.js +132 -0
package/dist/cli/services/tools/__tests__/shell-exec-execution.test.js +245 -0
package/dist/cli/services/tools/__tests__/task-manager-create.test.js +110 -0
package/dist/cli/services/tools/__tests__/task-manager-crud.test.js +339 -0
package/dist/cli/services/tools/__tests__/task-manager-list-get.test.js +343 -0
package/dist/cli/services/tools/__tests__/task-manager-query.test.js +346 -0
package/dist/cli/services/tools/__tests__/task-manager-routing.test.js +58 -0
package/dist/cli/services/tools/__tests__/task-manager-update.test.js +224 -0
package/dist/cli/services/tools/__tests__/task-manager.test.js +159 -0
package/dist/cli/services/tools/__tests__/web-tools-html-search.test.js +227 -0
package/dist/cli/services/tools/__tests__/web-tools.test.js +285 -0
package/dist/cli/services/tools/agent-tools-tasks.d.ts +10 -0
package/dist/cli/services/tools/agent-tools-tasks.js +216 -0
package/dist/cli/services/tools/agent-tools-tasks.js.map +1 -0
package/dist/cli/services/tools/agent-tools-team.d.ts +8 -0
package/dist/cli/services/tools/agent-tools-team.js +101 -0
package/dist/cli/services/tools/agent-tools-team.js.map +1 -0
package/dist/cli/services/tools/agent-tools.d.ts +3 -3
package/dist/cli/services/tools/agent-tools.js +555 -324
package/dist/cli/services/tools/agent-tools.js.map +1 -0
package/dist/cli/services/tools/file-ops-notebook.d.ts +9 -0
package/dist/cli/services/tools/file-ops-notebook.js +186 -0
package/dist/cli/services/tools/file-ops-notebook.js.map +1 -0
package/dist/cli/services/tools/file-ops-read.d.ts +11 -0
package/dist/cli/services/tools/file-ops-read.js +237 -0
package/dist/cli/services/tools/file-ops-read.js.map +1 -0
package/dist/cli/services/tools/file-ops-write.d.ts +8 -0
package/dist/cli/services/tools/file-ops-write.js +260 -0
package/dist/cli/services/tools/file-ops-write.js.map +1 -0
package/dist/cli/services/tools/file-ops.d.ts +1 -0
package/dist/cli/services/tools/file-ops.js +727 -447
package/dist/cli/services/tools/file-ops.js.map +1 -0
package/dist/cli/services/tools/html-to-text.d.ts +6 -0
package/dist/cli/services/tools/html-to-text.js +118 -0
package/dist/cli/services/tools/html-to-text.js.map +1 -0
package/dist/cli/services/tools/search-tools.js +231 -162
package/dist/cli/services/tools/search-tools.js.map +1 -0
package/dist/cli/services/tools/shell-exec.js +197 -151
package/dist/cli/services/tools/shell-exec.js.map +1 -0
package/dist/cli/services/tools/shell-exec.test.js +148 -0
package/dist/cli/services/tools/ssrf-guard.d.ts +6 -0
package/dist/cli/services/tools/ssrf-guard.js +80 -0
package/dist/cli/services/tools/ssrf-guard.js.map +1 -0
package/dist/cli/services/tools/task-manager.js +206 -173
package/dist/cli/services/tools/task-manager.js.map +1 -0
package/dist/cli/services/tools/web-tools.js +388 -341
package/dist/cli/services/tools/web-tools.js.map +1 -0
package/dist/cli/setup/SetupApp.d.ts +2 -2
package/dist/cli/setup/SetupApp.js +608 -160
package/dist/cli/setup/SetupApp.js.map +1 -0
package/dist/cli/setup/SetupComponents.d.ts +10 -0
package/dist/cli/setup/SetupComponents.js +144 -0
package/dist/cli/setup/SetupComponents.js.map +1 -0
package/dist/cli/setup/setup-cli-targets.d.ts +9 -0
package/dist/cli/setup/setup-cli-targets.js +49 -0
package/dist/cli/setup/setup-cli-targets.js.map +1 -0
package/dist/cli/shared/ErrorBoundary.d.ts +22 -0
package/dist/cli/shared/ErrorBoundary.js +73 -0
package/dist/cli/shared/ErrorBoundary.js.map +1 -0
package/dist/cli/shared/InlineErrorBoundary.d.ts +22 -0
package/dist/cli/shared/InlineErrorBoundary.js +35 -0
package/dist/cli/shared/InlineErrorBoundary.js.map +1 -0
package/dist/cli/shared/MatrixIntro.js +67 -69
package/dist/cli/shared/MatrixIntro.js.map +1 -0
package/dist/cli/shared/SharedTick.d.ts +10 -0
package/dist/cli/shared/SpinnerSlot.d.ts +22 -0
package/dist/cli/shared/SpinnerSlot.js +156 -0
package/dist/cli/shared/SpinnerSlot.js.map +1 -0
package/dist/cli/shared/Theme.d.ts +1 -1
package/dist/cli/shared/Theme.js +136 -92
package/dist/cli/shared/Theme.js.map +1 -0
package/dist/cli/shared/WhaleBanner.js +100 -11
package/dist/cli/shared/WhaleBanner.js.map +1 -0
package/dist/cli/shared/__tests__/markdown.test.js +188 -0
package/dist/cli/shared/format-utils.d.ts +16 -0
package/dist/cli/shared/format-utils.js +121 -0
package/dist/cli/shared/format-utils.js.map +1 -0
package/dist/cli/shared/markdown-chart.d.ts +8 -0
package/dist/cli/shared/markdown-chart.js +92 -0
package/dist/cli/shared/markdown-chart.js.map +1 -0
package/dist/cli/shared/markdown-diff.d.ts +15 -0
package/dist/cli/shared/markdown-diff.js +205 -0
package/dist/cli/shared/markdown-diff.js.map +1 -0
package/dist/cli/shared/markdown-helpers.d.ts +33 -0
package/dist/cli/shared/markdown-helpers.js +129 -0
package/dist/cli/shared/markdown-helpers.js.map +1 -0
package/dist/cli/shared/markdown-table.d.ts +10 -0
package/dist/cli/shared/markdown-table.js +227 -0
package/dist/cli/shared/markdown-table.js.map +1 -0
package/dist/cli/shared/markdown.d.ts +2 -4
package/dist/cli/shared/markdown.js +658 -703
package/dist/cli/shared/markdown.js.map +1 -0
package/dist/cli/shared/marked-terminal.d.js +2 -0
package/dist/cli/shared/marked-terminal.d.js.map +1 -0
package/dist/cli/shared/theme-manager.js +99 -90
package/dist/cli/shared/theme-manager.js.map +1 -0
package/dist/cli/shared/theme-presets.js +256 -254
package/dist/cli/shared/theme-presets.js.map +1 -0
package/dist/cli/shared/useLatestRef.d.ts +11 -0
package/dist/cli/shared/useLatestRef.js +34 -0
package/dist/cli/shared/useLatestRef.js.map +1 -0
package/dist/cli/shared/useSyncState.d.ts +11 -0
package/dist/cli/shared/useSyncState.js +39 -0
package/dist/cli/shared/useSyncState.js.map +1 -0
package/dist/cli/status/StatusApp.js +235 -86
package/dist/cli/status/StatusApp.js.map +1 -0
package/dist/cli/stores/StoreApp.js +278 -66
package/dist/cli/stores/StoreApp.js.map +1 -0
package/dist/index-agent.d.ts +11 -0
package/dist/index-agent.js +83 -0
package/dist/index-agent.js.map +1 -0
package/dist/index-auth.d.ts +22 -0
package/dist/index-auth.js +114 -0
package/dist/index-auth.js.map +1 -0
package/dist/index-handlers.d.ts +25 -0
package/dist/index-handlers.js +164 -0
package/dist/index-handlers.js.map +1 -0
package/dist/index-tools.d.ts +22 -0
package/dist/index-tools.js +115 -0
package/dist/index-tools.js.map +1 -0
package/dist/index.d.ts +2 -2
package/dist/index.js +509 -396
package/dist/index.js.map +1 -0
package/dist/local-agent/__tests__/connection-disconnect.test.js +201 -0
package/dist/local-agent/__tests__/connection-lifecycle.test.js +289 -0
package/dist/local-agent/__tests__/connection-msghandling.test.js +311 -0
package/dist/local-agent/__tests__/connection-reconnect.test.js +230 -0
package/dist/local-agent/__tests__/connection-toolexec.test.js +253 -0
package/dist/local-agent/__tests__/discovery.test.js +328 -0
package/dist/local-agent/__tests__/executor-background.test.js +219 -0
package/dist/local-agent/__tests__/executor-exec.test.js +221 -0
package/dist/local-agent/__tests__/executor-jobs-sessions.test.js +220 -0
package/dist/local-agent/__tests__/executor-system-info.test.js +133 -0
package/dist/local-agent/__tests__/executor-systeminfo.test.js +109 -0
package/dist/local-agent/__tests__/executor.test.js +235 -0
package/dist/local-agent/__tests__/index.test.js +139 -0
package/dist/local-agent/connection-handlers.d.ts +8 -0
package/dist/local-agent/connection-handlers.js +112 -0
package/dist/local-agent/connection-handlers.js.map +1 -0
package/dist/local-agent/connection-tools.d.ts +8 -0
package/dist/local-agent/connection-tools.js +111 -0
package/dist/local-agent/connection-tools.js.map +1 -0
package/dist/local-agent/connection.d.ts +2 -2
package/dist/local-agent/connection.js +352 -293
package/dist/local-agent/connection.js.map +1 -0
package/dist/local-agent/discovery.js +259 -122
package/dist/local-agent/discovery.js.map +1 -0
package/dist/local-agent/executor-jobs.d.ts +12 -0
package/dist/local-agent/executor-jobs.js +143 -0
package/dist/local-agent/executor-jobs.js.map +1 -0
package/dist/local-agent/executor.d.ts +3 -0
package/dist/local-agent/executor.js +218 -195
package/dist/local-agent/executor.js.map +1 -0
package/dist/local-agent/index.d.ts +2 -2
package/dist/local-agent/index.js +156 -156
package/dist/local-agent/index.js.map +1 -0
package/dist/node/__tests__/cli-channels.test.js +293 -0
package/dist/node/__tests__/cli-config-edge.test.js +154 -0
package/dist/node/__tests__/cli-config.test.js +215 -0
package/dist/node/__tests__/config.test.js +292 -0
package/dist/node/__tests__/runtime-heartbeat.test.js +153 -0
package/dist/node/__tests__/runtime-lifecycle-init.test.js +263 -0
package/dist/node/__tests__/runtime-lifecycle-stats.test.js +180 -0
package/dist/node/__tests__/runtime-lifecycle.test.js +305 -0
package/dist/node/__tests__/runtime-relay.test.js +341 -0
package/dist/node/adapters/__tests__/base.test.js +286 -0
package/dist/node/adapters/__tests__/discord.test.js +284 -0
package/dist/node/adapters/__tests__/email-send.test.js +295 -0
package/dist/node/adapters/__tests__/email.inbound-send.test.js +217 -0
package/dist/node/adapters/__tests__/email.lifecycle.test.js +211 -0
package/dist/node/adapters/__tests__/email.test.js +290 -0
package/dist/node/adapters/__tests__/email.webhook-send.test.js +251 -0
package/dist/node/adapters/__tests__/imessage-filter.test.js +183 -0
package/dist/node/adapters/__tests__/imessage-lifecycle.test.js +215 -0
package/dist/node/adapters/__tests__/imessage-send-restart.test.js +227 -0
package/dist/node/adapters/__tests__/slack.part2.test.js +135 -0
package/dist/node/adapters/__tests__/slack.test.js +241 -0
package/dist/node/adapters/__tests__/sms-extras.test.js +108 -0
package/dist/node/adapters/__tests__/sms-lifecycle.test.js +203 -0
package/dist/node/adapters/__tests__/sms-messaging.test.js +266 -0
package/dist/node/adapters/__tests__/sms.part2.test.js +174 -0
package/dist/node/adapters/__tests__/sms.test.js +253 -0
package/dist/node/adapters/__tests__/telegram-polling.test.js +256 -0
package/dist/node/adapters/__tests__/telegram-send.test.js +166 -0
package/dist/node/adapters/__tests__/webchat-inbound.test.js +188 -0
package/dist/node/adapters/__tests__/webchat-outbound.test.js +178 -0
package/dist/node/adapters/__tests__/whatsapp-inbound.test.js +200 -0
package/dist/node/adapters/__tests__/whatsapp-send.test.js +212 -0
package/dist/node/adapters/__tests__/whatsapp.test.js +280 -0
package/dist/node/adapters/base.js +18 -8
package/dist/node/adapters/base.js.map +1 -0
package/dist/node/adapters/discord-gateway.d.ts +42 -0
package/dist/node/adapters/discord-gateway.js +169 -0
package/dist/node/adapters/discord-gateway.js.map +1 -0
package/dist/node/adapters/discord.js +286 -275
package/dist/node/adapters/discord.js.map +1 -0
package/dist/node/adapters/email.js +189 -202
package/dist/node/adapters/email.js.map +1 -0
package/dist/node/adapters/imessage.d.ts +11 -0
package/dist/node/adapters/imessage.js +165 -145
package/dist/node/adapters/imessage.js.map +1 -0
package/dist/node/adapters/slack.js +237 -236
package/dist/node/adapters/slack.js.map +1 -0
package/dist/node/adapters/sms.js +149 -151
package/dist/node/adapters/sms.js.map +1 -0
package/dist/node/adapters/telegram.js +88 -92
package/dist/node/adapters/telegram.js.map +1 -0
package/dist/node/adapters/webchat.js +160 -136
package/dist/node/adapters/webchat.js.map +1 -0
package/dist/node/adapters/whatsapp.js +212 -215
package/dist/node/adapters/whatsapp.js.map +1 -0
package/dist/node/cli-channels.d.ts +6 -0
package/dist/node/cli-channels.js +229 -0
package/dist/node/cli-channels.js.map +1 -0
package/dist/node/cli-node.d.ts +9 -0
package/dist/node/cli-node.js +186 -0
package/dist/node/cli-node.js.map +1 -0
package/dist/node/cli-portal.d.ts +11 -0
package/dist/node/cli-portal.js +503 -0
package/dist/node/cli-portal.js.map +1 -0
package/dist/node/cli.js +884 -653
package/dist/node/cli.js.map +1 -0
package/dist/node/config.js +20 -18
package/dist/node/config.js.map +1 -0
package/dist/node/gateway-client.js +191 -181
package/dist/node/gateway-client.js.map +1 -0
package/dist/node/portal/clipboard.js +161 -130
package/dist/node/portal/clipboard.js.map +1 -0
package/dist/node/portal/discovery.js +51 -45
package/dist/node/portal/discovery.js.map +1 -0
package/dist/node/portal/forward.js +64 -58
package/dist/node/portal/forward.js.map +1 -0
package/dist/node/portal/index.js +246 -221
package/dist/node/portal/index.js.map +1 -0
package/dist/node/portal/multiplexer.js +192 -182
package/dist/node/portal/multiplexer.js.map +1 -0
package/dist/node/portal/permissions.js +102 -70
package/dist/node/portal/permissions.js.map +1 -0
package/dist/node/portal/portal-target.d.ts +16 -0
package/dist/node/portal/portal-target.js +102 -0
package/dist/node/portal/portal-target.js.map +1 -0
package/dist/node/portal/protocol-frames.d.ts +33 -0
package/dist/node/portal/protocol-frames.js +170 -0
package/dist/node/portal/protocol-frames.js.map +1 -0
package/dist/node/portal/protocol.js +153 -116
package/dist/node/portal/protocol.js.map +1 -0
package/dist/node/portal/screen.js +80 -69
package/dist/node/portal/screen.js.map +1 -0
package/dist/node/portal/session.js +124 -117
package/dist/node/portal/session.js.map +1 -0
package/dist/node/portal/shell.js +140 -113
package/dist/node/portal/shell.js.map +1 -0
package/dist/node/portal/stream.js +77 -75
package/dist/node/portal/stream.js.map +1 -0
package/dist/node/portal/transfer.js +190 -167
package/dist/node/portal/transfer.js.map +1 -0
package/dist/node/portal/ui.js +124 -99
package/dist/node/portal/ui.js.map +1 -0
package/dist/node/remote-desktop/compile-helper.js +50 -45
package/dist/node/remote-desktop/compile-helper.js.map +1 -0
package/dist/node/remote-desktop/index.js +215 -187
package/dist/node/remote-desktop/index.js.map +1 -0
package/dist/node/remote-desktop/protocol.js +45 -29
package/dist/node/remote-desktop/protocol.js.map +1 -0
package/dist/node/runtime-network.d.ts +25 -0
package/dist/node/runtime-network.js +226 -0
package/dist/node/runtime-network.js.map +1 -0
package/dist/node/runtime-utils.d.ts +27 -0
package/dist/node/runtime-utils.js +99 -0
package/dist/node/runtime-utils.js.map +1 -0
package/dist/node/runtime.d.ts +1 -0
package/dist/node/runtime.js +562 -409
package/dist/node/runtime.js.map +1 -0
package/dist/node/task-runner.d.ts +33 -0
package/dist/node/task-runner.js +276 -0
package/dist/node/task-runner.js.map +1 -0
package/dist/server/__tests__/gateway-fast-fail.test.js +160 -0
package/dist/server/__tests__/local-agent-gateway.test.js +186 -0
package/dist/server/__tests__/proxy-handlers-delegation.test.js +240 -0
package/dist/server/__tests__/proxy-handlers-validation.test.js +211 -0
package/dist/server/__tests__/proxy-handlers.part2.test.js +240 -0
package/dist/server/__tests__/proxy-handlers.test.js +213 -0
package/dist/server/__tests__/strip-base64-e2e.test.js +303 -0
package/dist/server/__tests__/strip-base64.test.js +256 -0
package/dist/server/__tests__/tool-router-agent-tools.test.js +324 -0
package/dist/server/__tests__/tool-router-execute-core.test.js +357 -0
package/dist/server/__tests__/tool-router-execute-permissions.test.js +332 -0
package/dist/server/__tests__/tool-router-execute.test.js +348 -0
package/dist/server/__tests__/tool-router-load.test.js +432 -0
package/dist/server/__tests__/tool-router-permissions.test.js +359 -0
package/dist/server/__tests__/tool-router-registry-cache.test.js +383 -0
package/dist/server/__tests__/tool-router-registry-handlers.test.js +272 -0
package/dist/server/__tests__/tool-router-registry.test.js +331 -0
package/dist/server/__tests__/validation-inventory.test.js +250 -0
package/dist/server/__tests__/validation-misc.test.js +243 -0
package/dist/server/__tests__/validation-supply-chain.test.js +188 -0
package/dist/server/__tests__/worker.test.js +265 -0
package/dist/server/handlers/__test-utils__/test-db.d.ts +2 -0
package/dist/server/handlers/__test-utils__/test-db.js +52 -89
package/dist/server/handlers/__test-utils__/test-db.js.map +1 -0
package/dist/server/handlers/__tests__/conversation-lock.test.js +117 -0
package/dist/server/handlers/__tests__/e2e/auth-cross-platform-login.e2e.test.js +268 -0
package/dist/server/handlers/__tests__/e2e/auth-cross-platform-tokens.e2e.test.js +264 -0
package/dist/server/handlers/__tests__/e2e/email-pipeline-send.e2e.test.js +214 -0
package/dist/server/handlers/__tests__/e2e/email-pipeline-threads.e2e.test.js +168 -0
package/dist/server/handlers/__tests__/e2e/error-logging-pipeline-dedup.e2e.test.js +229 -0
package/dist/server/handlers/__tests__/e2e/error-logging-pipeline.e2e.test.js +239 -0
package/dist/server/handlers/__tests__/e2e/error-logging-rate-limit.e2e.test.js +150 -0
package/dist/server/handlers/__tests__/e2e/inventory-sync-guards.e2e.test.js +177 -0
package/dist/server/handlers/__tests__/e2e/inventory-sync.e2e.test.js +228 -0
package/dist/server/handlers/__tests__/e2e/inventory-sync.part2.e2e.test.js +188 -0
package/dist/server/handlers/__tests__/e2e/order-lifecycle-fulfillment.e2e.test.js +295 -0
package/dist/server/handlers/__tests__/e2e/order-lifecycle.e2e.test.js +277 -0
package/dist/server/handlers/__tests__/e2e/order-lifecycle.fulfillment.e2e.test.js +307 -0
package/dist/server/handlers/__tests__/e2e/order-lifecycle.setup.e2e.test.js +177 -0
package/dist/server/handlers/__tests__/e2e/storefront-checkout-cart.e2e.test.js +255 -0
package/dist/server/handlers/__tests__/e2e/storefront-checkout-webhook.e2e.test.js +231 -0
package/dist/server/handlers/__tests__/e2e/workflow-execution-failures.e2e.test.js +235 -0
package/dist/server/handlers/__tests__/e2e/workflow-execution.e2e.test.js +294 -0
package/dist/server/handlers/__tests__/e2e/workflow-security.e2e.test.js +311 -0
package/dist/server/handlers/__tests__/e2e/workflow-security.part2.e2e.test.js +267 -0
package/dist/server/handlers/__tests__/workflow-cache.test.js +237 -0
package/dist/server/handlers/analytics-errors-edge.test.js +173 -0
package/dist/server/handlers/analytics.js +553 -260
package/dist/server/handlers/analytics.js.map +1 -0
package/dist/server/handlers/analytics.test.js +280 -0
package/dist/server/handlers/api-docs-examples-ext.d.ts +9 -0
package/dist/server/handlers/api-docs-examples-ext.js +278 -0
package/dist/server/handlers/api-docs-examples-ext.js.map +1 -0
package/dist/server/handlers/api-docs-examples.d.ts +8 -0
package/dist/server/handlers/api-docs-examples.js +221 -0
package/dist/server/handlers/api-docs-examples.js.map +1 -0
package/dist/server/handlers/api-docs-sections-ext.d.ts +2 -0
package/dist/server/handlers/api-docs-sections-ext.js +497 -0
package/dist/server/handlers/api-docs-sections-ext.js.map +1 -0
package/dist/server/handlers/api-docs-sections.d.ts +21 -0
package/dist/server/handlers/api-docs-sections.js +293 -0
package/dist/server/handlers/api-docs-sections.js.map +1 -0
package/dist/server/handlers/api-docs.d.ts +2 -0
package/dist/server/handlers/api-docs.js +1205 -893
package/dist/server/handlers/api-docs.js.map +1 -0
package/dist/server/handlers/api-keys.js +291 -242
package/dist/server/handlers/api-keys.js.map +1 -0
package/dist/server/handlers/api-keys.part2.test.js +157 -0
package/dist/server/handlers/api-keys.test.js +161 -0
package/dist/server/handlers/billing-core.d.ts +28 -0
package/dist/server/handlers/billing-core.js +126 -0
package/dist/server/handlers/billing-core.js.map +1 -0
package/dist/server/handlers/billing-routes.d.ts +9 -0
package/dist/server/handlers/billing-routes.js +243 -0
package/dist/server/handlers/billing-routes.js.map +1 -0
package/dist/server/handlers/billing-routes.test.js +123 -0
package/dist/server/handlers/billing.js +330 -239
package/dist/server/handlers/billing.js.map +1 -0
package/dist/server/handlers/billing.test.js +215 -0
package/dist/server/handlers/browser-actions-errors.test.js +94 -0
package/dist/server/handlers/browser-actions.d.ts +35 -0
package/dist/server/handlers/browser-actions.js +171 -0
package/dist/server/handlers/browser-actions.js.map +1 -0
package/dist/server/handlers/browser-actions.part2.test.js +190 -0
package/dist/server/handlers/browser-actions.test.js +190 -0
package/dist/server/handlers/browser-captcha.d.ts +6 -0
package/dist/server/handlers/browser-captcha.js +172 -0
package/dist/server/handlers/browser-captcha.js.map +1 -0
package/dist/server/handlers/browser-lifecycle.d.ts +9 -0
package/dist/server/handlers/browser-lifecycle.js +142 -0
package/dist/server/handlers/browser-lifecycle.js.map +1 -0
package/dist/server/handlers/browser-validation.test.js +257 -0
package/dist/server/handlers/browser.js +468 -395
package/dist/server/handlers/browser.js.map +1 -0
package/dist/server/handlers/catalog-advanced.d.ts +9 -0
package/dist/server/handlers/catalog-advanced.js +352 -0
package/dist/server/handlers/catalog-advanced.js.map +1 -0
package/dist/server/handlers/catalog-categories.d.ts +5 -0
package/dist/server/handlers/catalog-categories.js +181 -0
package/dist/server/handlers/catalog-categories.js.map +1 -0
package/dist/server/handlers/catalog-products.d.ts +5 -0
package/dist/server/handlers/catalog-products.js +404 -0
package/dist/server/handlers/catalog-products.js.map +1 -0
package/dist/server/handlers/catalog-schemas.d.ts +5 -0
package/dist/server/handlers/catalog-schemas.js +426 -0
package/dist/server/handlers/catalog-schemas.js.map +1 -0
package/dist/server/handlers/catalog.js +1377 -978
package/dist/server/handlers/catalog.js.map +1 -0
package/dist/server/handlers/catalog.test.js +297 -0
package/dist/server/handlers/clickhouse.js +157 -109
package/dist/server/handlers/clickhouse.js.map +1 -0
package/dist/server/handlers/comms-documents-advanced.d.ts +8 -0
package/dist/server/handlers/comms-documents-advanced.js +159 -0
package/dist/server/handlers/comms-documents-advanced.js.map +1 -0
package/dist/server/handlers/comms-documents.d.ts +10 -0
package/dist/server/handlers/comms-documents.js +445 -0
package/dist/server/handlers/comms-documents.js.map +1 -0
package/dist/server/handlers/comms-email.d.ts +10 -0
package/dist/server/handlers/comms-email.js +492 -0
package/dist/server/handlers/comms-email.js.map +1 -0
package/dist/server/handlers/comms-pdf-generation.d.ts +8 -0
package/dist/server/handlers/comms-pdf-generation.js +327 -0
package/dist/server/handlers/comms-pdf-generation.js.map +1 -0
package/dist/server/handlers/comms-pdf-helpers.d.ts +9 -0
package/dist/server/handlers/comms-pdf-helpers.js +126 -0
package/dist/server/handlers/comms-pdf-helpers.js.map +1 -0
package/dist/server/handlers/comms-shared.d.ts +3 -0
package/dist/server/handlers/comms-shared.js +28 -0
package/dist/server/handlers/comms-shared.js.map +1 -0
package/dist/server/handlers/comms.js +1439 -984
package/dist/server/handlers/comms.js.map +1 -0
package/dist/server/handlers/comms.test.js +289 -0
package/dist/server/handlers/creations-actions.d.ts +21 -0
package/dist/server/handlers/creations-actions.js +250 -0
package/dist/server/handlers/creations-actions.js.map +1 -0
package/dist/server/handlers/creations-advanced-collections.test.js +214 -0
package/dist/server/handlers/creations-advanced-generate.test.js +142 -0
package/dist/server/handlers/creations-advanced.test.js +171 -0
package/dist/server/handlers/creations-collections-preview.test.js +214 -0
package/dist/server/handlers/creations-crud.d.ts +35 -0
package/dist/server/handlers/creations-crud.js +248 -0
package/dist/server/handlers/creations-crud.js.map +1 -0
package/dist/server/handlers/creations-crud.test.js +260 -0
package/dist/server/handlers/creations-generate.d.ts +21 -0
package/dist/server/handlers/creations-generate.js +256 -0
package/dist/server/handlers/creations-generate.js.map +1 -0
package/dist/server/handlers/creations-mutations.test.js +197 -0
package/dist/server/handlers/creations.js +461 -394
package/dist/server/handlers/creations.js.map +1 -0
package/dist/server/handlers/crm-customers-read.d.ts +58 -0
package/dist/server/handlers/crm-customers-read.js +208 -0
package/dist/server/handlers/crm-customers-read.js.map +1 -0
package/dist/server/handlers/crm-customers-write.d.ts +54 -0
package/dist/server/handlers/crm-customers-write.js +414 -0
package/dist/server/handlers/crm-customers-write.js.map +1 -0
package/dist/server/handlers/crm-utils.d.ts +6 -0
package/dist/server/handlers/crm-utils.js +19 -0
package/dist/server/handlers/crm-utils.js.map +1 -0
package/dist/server/handlers/crm.js +1082 -791
package/dist/server/handlers/crm.js.map +1 -0
package/dist/server/handlers/crm.test.js +179 -0
package/dist/server/handlers/discovery-advertise.d.ts +18 -0
package/dist/server/handlers/discovery-advertise.js +101 -0
package/dist/server/handlers/discovery-advertise.js.map +1 -0
package/dist/server/handlers/discovery-advertise.test.js +185 -0
package/dist/server/handlers/discovery-scan.d.ts +19 -0
package/dist/server/handlers/discovery-scan.js +107 -0
package/dist/server/handlers/discovery-scan.js.map +1 -0
package/dist/server/handlers/discovery-scan.test.js +233 -0
package/dist/server/handlers/discovery.js +251 -232
package/dist/server/handlers/discovery.js.map +1 -0
package/dist/server/handlers/embeddings-embed-search.test.js +196 -0
package/dist/server/handlers/embeddings-index-delete-stats.test.js +140 -0
package/dist/server/handlers/embeddings-search.test.js +221 -0
package/dist/server/handlers/embeddings.js +241 -164
package/dist/server/handlers/embeddings.js.map +1 -0
package/dist/server/handlers/embeddings.test.js +137 -0
package/dist/server/handlers/enrichment-breach.d.ts +8 -0
package/dist/server/handlers/enrichment-breach.js +266 -0
package/dist/server/handlers/enrichment-breach.js.map +1 -0
package/dist/server/handlers/enrichment-data.d.ts +13 -0
package/dist/server/handlers/enrichment-data.js +145 -0
package/dist/server/handlers/enrichment-data.js.map +1 -0
package/dist/server/handlers/enrichment-enrich.d.ts +6 -0
package/dist/server/handlers/enrichment-enrich.js +235 -0
package/dist/server/handlers/enrichment-enrich.js.map +1 -0
package/dist/server/handlers/enrichment-helpers.d.ts +10 -0
package/dist/server/handlers/enrichment-helpers.js +17 -0
package/dist/server/handlers/enrichment-helpers.js.map +1 -0
package/dist/server/handlers/enrichment-mutations.test.js +240 -0
package/dist/server/handlers/enrichment-queries.test.js +181 -0
package/dist/server/handlers/enrichment-validation.test.js +177 -0
package/dist/server/handlers/enrichment-writes.d.ts +16 -0
package/dist/server/handlers/enrichment-writes.js +226 -0
package/dist/server/handlers/enrichment-writes.js.map +1 -0
package/dist/server/handlers/enrichment.js +887 -718
package/dist/server/handlers/enrichment.js.map +1 -0
package/dist/server/handlers/image-gen-actions.d.ts +18 -0
package/dist/server/handlers/image-gen-actions.js +183 -0
package/dist/server/handlers/image-gen-actions.js.map +1 -0
package/dist/server/handlers/image-gen-providers.d.ts +29 -0
package/dist/server/handlers/image-gen-providers.js +161 -0
package/dist/server/handlers/image-gen-providers.js.map +1 -0
package/dist/server/handlers/image-gen.js +467 -376
package/dist/server/handlers/image-gen.js.map +1 -0
package/dist/server/handlers/image-gen.test.js +205 -0
package/dist/server/handlers/inventory-audit.d.ts +10 -0
package/dist/server/handlers/inventory-audit.js +90 -0
package/dist/server/handlers/inventory-audit.js.map +1 -0
package/dist/server/handlers/inventory-helpers.d.ts +8 -0
package/dist/server/handlers/inventory-helpers.js +19 -0
package/dist/server/handlers/inventory-helpers.js.map +1 -0
package/dist/server/handlers/inventory-query.d.ts +67 -0
package/dist/server/handlers/inventory-query.js +299 -0
package/dist/server/handlers/inventory-query.js.map +1 -0
package/dist/server/handlers/inventory.js +797 -424
package/dist/server/handlers/inventory.js.map +1 -0
package/dist/server/handlers/inventory.test.js +380 -0
package/dist/server/handlers/kali-background.test.js +222 -0
package/dist/server/handlers/kali-errors.test.js +92 -0
package/dist/server/handlers/kali-validation.test.js +234 -0
package/dist/server/handlers/kali.js +272 -230
package/dist/server/handlers/kali.js.map +1 -0
package/dist/server/handlers/llm-providers-actions.test.js +220 -0
package/dist/server/handlers/llm-providers-anthropic.test.js +239 -0
package/dist/server/handlers/llm-providers-clients.d.ts +6 -0
package/dist/server/handlers/llm-providers-clients.js +296 -0
package/dist/server/handlers/llm-providers-clients.js.map +1 -0
package/dist/server/handlers/llm-providers-credentials.d.ts +3 -0
package/dist/server/handlers/llm-providers-credentials.js +109 -0
package/dist/server/handlers/llm-providers-credentials.js.map +1 -0
package/dist/server/handlers/llm-providers-failover.test.js +232 -0
package/dist/server/handlers/llm-providers-models.d.ts +67 -0
package/dist/server/handlers/llm-providers-models.js +213 -0
package/dist/server/handlers/llm-providers-models.js.map +1 -0
package/dist/server/handlers/llm-providers-providers.test.js +300 -0
package/dist/server/handlers/llm-providers-validation.test.js +239 -0
package/dist/server/handlers/llm-providers.js +803 -580
package/dist/server/handlers/llm-providers.js.map +1 -0
package/dist/server/handlers/local-agent-tools.test.js +224 -0
package/dist/server/handlers/local-agent.js +133 -105
package/dist/server/handlers/local-agent.js.map +1 -0
package/dist/server/handlers/local-agent.test.js +198 -0
package/dist/server/handlers/local-agent.tools-status.test.js +204 -0
package/dist/server/handlers/local-agent.validation-exec.test.js +182 -0
package/dist/server/handlers/media-actions.d.ts +14 -0
package/dist/server/handlers/media-actions.js +398 -0
package/dist/server/handlers/media-actions.js.map +1 -0
package/dist/server/handlers/media-crud.d.ts +9 -0
package/dist/server/handlers/media-crud.js +365 -0
package/dist/server/handlers/media-crud.js.map +1 -0
package/dist/server/handlers/media-upload.d.ts +4 -0
package/dist/server/handlers/media-upload.js +179 -0
package/dist/server/handlers/media-upload.js.map +1 -0
package/dist/server/handlers/media-utils.d.ts +14 -0
package/dist/server/handlers/media-utils.js +33 -0
package/dist/server/handlers/media-utils.js.map +1 -0
package/dist/server/handlers/media.js +1179 -857
package/dist/server/handlers/media.js.map +1 -0
package/dist/server/handlers/meta-ads-advanced.d.ts +46 -0
package/dist/server/handlers/meta-ads-advanced.js +222 -0
package/dist/server/handlers/meta-ads-advanced.js.map +1 -0
package/dist/server/handlers/meta-ads-audience-rules.test.js +243 -0
package/dist/server/handlers/meta-ads-audience-targeting.test.js +205 -0
package/dist/server/handlers/meta-ads-audiences-targeting.test.js +383 -0
package/dist/server/handlers/meta-ads-audiences.d.ts +48 -0
package/dist/server/handlers/meta-ads-audiences.js +214 -0
package/dist/server/handlers/meta-ads-audiences.js.map +1 -0
package/dist/server/handlers/meta-ads-crud-ads.test.js +136 -0
package/dist/server/handlers/meta-ads-crud-campaigns.test.js +189 -0
package/dist/server/handlers/meta-ads-crud-create.test.js +303 -0
package/dist/server/handlers/meta-ads-crud-list-update.test.js +259 -0
package/dist/server/handlers/meta-ads-crud-read.d.ts +78 -0
package/dist/server/handlers/meta-ads-crud-read.js +204 -0
package/dist/server/handlers/meta-ads-crud-read.js.map +1 -0
package/dist/server/handlers/meta-ads-crud-write.d.ts +105 -0
package/dist/server/handlers/meta-ads-crud-write.js +390 -0
package/dist/server/handlers/meta-ads-crud-write.js.map +1 -0
package/dist/server/handlers/meta-ads-crud.d.ts +9 -0
package/dist/server/handlers/meta-ads-crud.js +12 -0
package/dist/server/handlers/meta-ads-crud.js.map +1 -0
package/dist/server/handlers/meta-ads-delete-publish-sync.test.js +282 -0
package/dist/server/handlers/meta-ads-graph-api.d.ts +25 -0
package/dist/server/handlers/meta-ads-graph-api.js +155 -0
package/dist/server/handlers/meta-ads-graph-api.js.map +1 -0
package/dist/server/handlers/meta-ads-insights.test.js +80 -0
package/dist/server/handlers/meta-ads-list-get.test.js +237 -0
package/dist/server/handlers/meta-ads-media.d.ts +16 -0
package/dist/server/handlers/meta-ads-media.js +205 -0
package/dist/server/handlers/meta-ads-media.js.map +1 -0
package/dist/server/handlers/meta-ads-pixels-rules.d.ts +127 -0
package/dist/server/handlers/meta-ads-pixels-rules.js +463 -0
package/dist/server/handlers/meta-ads-pixels-rules.js.map +1 -0
package/dist/server/handlers/meta-ads-publish-ad.d.ts +11 -0
package/dist/server/handlers/meta-ads-publish-ad.js +229 -0
package/dist/server/handlers/meta-ads-publish-ad.js.map +1 -0
package/dist/server/handlers/meta-ads-publish-delete.test.js +254 -0
package/dist/server/handlers/meta-ads-publish-helpers.js +117 -0
package/dist/server/handlers/meta-ads-publish-helpers.js.map +1 -0
package/dist/server/handlers/meta-ads-publish-sync.test.js +205 -0
package/dist/server/handlers/meta-ads-publish.d.ts +14 -0
package/dist/server/handlers/meta-ads-publish.js +194 -0
package/dist/server/handlers/meta-ads-publish.js.map +1 -0
package/dist/server/handlers/meta-ads-publish.test.js +254 -0
package/dist/server/handlers/meta-ads-sync-insights.test.js +184 -0
package/dist/server/handlers/meta-ads-targeting.d.ts +27 -0
package/dist/server/handlers/meta-ads-targeting.js +323 -0
package/dist/server/handlers/meta-ads-targeting.js.map +1 -0
package/dist/server/handlers/meta-ads-types.d.ts +49 -0
package/dist/server/handlers/meta-ads-types.js +59 -0
package/dist/server/handlers/meta-ads-types.js.map +1 -0
package/dist/server/handlers/meta-ads-update.test.js +117 -0
package/dist/server/handlers/meta-ads.d.ts +25 -0
package/dist/server/handlers/meta-ads.js +3049 -2084
package/dist/server/handlers/meta-ads.js.map +1 -0
package/dist/server/handlers/nodes-channels.test.js +413 -0
package/dist/server/handlers/nodes-events.test.js +131 -0
package/dist/server/handlers/nodes-handlers-channels-messages.d.ts +20 -0
package/dist/server/handlers/nodes-handlers-channels-messages.js +314 -0
package/dist/server/handlers/nodes-handlers-channels-messages.js.map +1 -0
package/dist/server/handlers/nodes-handlers-channels.d.ts +19 -0
package/dist/server/handlers/nodes-handlers-channels.js +225 -0
package/dist/server/handlers/nodes-handlers-channels.js.map +1 -0
package/dist/server/handlers/nodes-handlers-mgmt.d.ts +33 -0
package/dist/server/handlers/nodes-handlers-mgmt.js +418 -0
package/dist/server/handlers/nodes-handlers-mgmt.js.map +1 -0
package/dist/server/handlers/nodes-list-delete.test.js +171 -0
package/dist/server/handlers/nodes-messages-delivery.test.js +208 -0
package/dist/server/handlers/nodes-messages.test.js +211 -0
package/dist/server/handlers/nodes-register.test.js +277 -0
package/dist/server/handlers/nodes-routes-channels.d.ts +9 -0
package/dist/server/handlers/nodes-routes-channels.js +217 -0
package/dist/server/handlers/nodes-routes-channels.js.map +1 -0
package/dist/server/handlers/nodes-routes-crud.d.ts +9 -0
package/dist/server/handlers/nodes-routes-crud.js +290 -0
package/dist/server/handlers/nodes-routes-crud.js.map +1 -0
package/dist/server/handlers/nodes-routes-delivery.d.ts +9 -0
package/dist/server/handlers/nodes-routes-delivery.js +226 -0
package/dist/server/handlers/nodes-routes-delivery.js.map +1 -0
package/dist/server/handlers/nodes-routes-messages.d.ts +9 -0
package/dist/server/handlers/nodes-routes-messages.js +218 -0
package/dist/server/handlers/nodes-routes-messages.js.map +1 -0
package/dist/server/handlers/nodes-routes-register.d.ts +9 -0
package/dist/server/handlers/nodes-routes-register.js +239 -0
package/dist/server/handlers/nodes-routes-register.js.map +1 -0
package/dist/server/handlers/nodes-types.d.ts +82 -0
package/dist/server/handlers/nodes-types.js +220 -0
package/dist/server/handlers/nodes-types.js.map +1 -0
package/dist/server/handlers/nodes-utils.d.ts +70 -0
package/dist/server/handlers/nodes-utils.js +214 -0
package/dist/server/handlers/nodes-utils.js.map +1 -0
package/dist/server/handlers/nodes.js +1321 -913
package/dist/server/handlers/nodes.js.map +1 -0
package/dist/server/handlers/nodes.test.js +353 -0
package/dist/server/handlers/operations.js +183 -157
package/dist/server/handlers/operations.js.map +1 -0
package/dist/server/handlers/operations.test.js +136 -0
package/dist/server/handlers/platform-telemetry.d.ts +10 -0
package/dist/server/handlers/platform-telemetry.js +372 -0
package/dist/server/handlers/platform-telemetry.js.map +1 -0
package/dist/server/handlers/platform-telemetry.test.js +200 -0
package/dist/server/handlers/platform-websearch.test.js +160 -0
package/dist/server/handlers/platform.js +346 -210
package/dist/server/handlers/platform.js.map +1 -0
package/dist/server/handlers/remove-bg.js +118 -86
package/dist/server/handlers/remove-bg.js.map +1 -0
package/dist/server/handlers/sessions-handlers.d.ts +23 -0
package/dist/server/handlers/sessions-handlers.js +374 -0
package/dist/server/handlers/sessions-handlers.js.map +1 -0
package/dist/server/handlers/storefront-cart.d.ts +31 -0
package/dist/server/handlers/storefront-cart.js +381 -0
package/dist/server/handlers/storefront-cart.js.map +1 -0
package/dist/server/handlers/storefront.js +586 -446
package/dist/server/handlers/storefront.js.map +1 -0
package/dist/server/handlers/storefront.test.js +329 -0
package/dist/server/handlers/supply-chain-transfers.d.ts +10 -0
package/dist/server/handlers/supply-chain-transfers.js +214 -0
package/dist/server/handlers/supply-chain-transfers.js.map +1 -0
package/dist/server/handlers/supply-chain-utils.d.ts +2 -0
package/dist/server/handlers/supply-chain-utils.js +21 -0
package/dist/server/handlers/supply-chain-utils.js.map +1 -0
package/dist/server/handlers/supply-chain.js +546 -326
package/dist/server/handlers/supply-chain.js.map +1 -0
package/dist/server/handlers/supply-chain.test.js +347 -0
package/dist/server/handlers/transcription.js +106 -97
package/dist/server/handlers/transcription.js.map +1 -0
package/dist/server/handlers/transcription.test.js +118 -0
package/dist/server/handlers/video-gen-providers.d.ts +30 -0
package/dist/server/handlers/video-gen-providers.js +205 -0
package/dist/server/handlers/video-gen-providers.js.map +1 -0
package/dist/server/handlers/video-gen-sora.d.ts +5 -0
package/dist/server/handlers/video-gen-sora.js +87 -0
package/dist/server/handlers/video-gen-sora.js.map +1 -0
package/dist/server/handlers/video-gen-veo.js +114 -0
package/dist/server/handlers/video-gen-veo.js.map +1 -0
package/dist/server/handlers/video-gen.js +593 -424
package/dist/server/handlers/video-gen.js.map +1 -0
package/dist/server/handlers/video-gen.test.js +146 -0
package/dist/server/handlers/voice-handlers-audio.d.ts +9 -0
package/dist/server/handlers/voice-handlers-audio.js +229 -0
package/dist/server/handlers/voice-handlers-audio.js.map +1 -0
package/dist/server/handlers/voice-handlers-music.d.ts +5 -0
package/dist/server/handlers/voice-handlers-music.js +124 -0
package/dist/server/handlers/voice-handlers-music.js.map +1 -0
package/dist/server/handlers/voice-handlers-pvc.d.ts +8 -0
package/dist/server/handlers/voice-handlers-pvc.js +345 -0
package/dist/server/handlers/voice-handlers-pvc.js.map +1 -0
package/dist/server/handlers/voice-handlers-tts.d.ts +5 -0
package/dist/server/handlers/voice-handlers-tts.js +142 -0
package/dist/server/handlers/voice-handlers-tts.js.map +1 -0
package/dist/server/handlers/voice-handlers-voices.d.ts +8 -0
package/dist/server/handlers/voice-handlers-voices.js +321 -0
package/dist/server/handlers/voice-handlers-voices.js.map +1 -0
package/dist/server/handlers/voice-utils.d.ts +32 -0
package/dist/server/handlers/voice-utils.js +281 -0
package/dist/server/handlers/voice-utils.js.map +1 -0
package/dist/server/handlers/voice.js +1458 -1039
package/dist/server/handlers/voice.js.map +1 -0
package/dist/server/handlers/voice.test.js +153 -0
package/dist/server/handlers/workflow-crud-advanced.d.ts +8 -0
package/dist/server/handlers/workflow-crud-advanced.js +275 -0
package/dist/server/handlers/workflow-crud-advanced.js.map +1 -0
package/dist/server/handlers/workflow-crud-core.d.ts +8 -0
package/dist/server/handlers/workflow-crud-core.js +286 -0
package/dist/server/handlers/workflow-crud-core.js.map +1 -0
package/dist/server/handlers/workflow-crud-events.d.ts +8 -0
package/dist/server/handlers/workflow-crud-events.js +483 -0
package/dist/server/handlers/workflow-crud-events.js.map +1 -0
package/dist/server/handlers/workflow-crud-runs-lifecycle.d.ts +8 -0
package/dist/server/handlers/workflow-crud-runs-lifecycle.js +231 -0
package/dist/server/handlers/workflow-crud-runs-lifecycle.js.map +1 -0
package/dist/server/handlers/workflow-crud-runs-versioning.d.ts +8 -0
package/dist/server/handlers/workflow-crud-runs-versioning.js +319 -0
package/dist/server/handlers/workflow-crud-runs-versioning.js.map +1 -0
package/dist/server/handlers/workflow-crud-runs.d.ts +8 -0
package/dist/server/handlers/workflow-crud-runs.js +18 -0
package/dist/server/handlers/workflow-crud-runs.js.map +1 -0
package/dist/server/handlers/workflow-steps-advancement.d.ts +13 -0
package/dist/server/handlers/workflow-steps-advancement.js +197 -0
package/dist/server/handlers/workflow-steps-advancement.js.map +1 -0
package/dist/server/handlers/workflow-steps-circuit-breaker.d.ts +7 -0
package/dist/server/handlers/workflow-steps-circuit-breaker.js +131 -0
package/dist/server/handlers/workflow-steps-circuit-breaker.js.map +1 -0
package/dist/server/handlers/workflow-steps-completion.d.ts +5 -0
package/dist/server/handlers/workflow-steps-completion.js +254 -0
package/dist/server/handlers/workflow-steps-completion.js.map +1 -0
package/dist/server/handlers/workflow-steps-cron.d.ts +4 -0
package/dist/server/handlers/workflow-steps-cron.js +259 -0
package/dist/server/handlers/workflow-steps-cron.js.map +1 -0
package/dist/server/handlers/workflow-steps-engine-execute.d.ts +3 -0
package/dist/server/handlers/workflow-steps-engine-execute.js +388 -0
package/dist/server/handlers/workflow-steps-engine-execute.js.map +1 -0
package/dist/server/handlers/workflow-steps-engine-inline.d.ts +2 -0
package/dist/server/handlers/workflow-steps-engine-inline.js +91 -0
package/dist/server/handlers/workflow-steps-engine-inline.js.map +1 -0
package/dist/server/handlers/workflow-steps-engine-persist.d.ts +5 -0
package/dist/server/handlers/workflow-steps-engine-persist.js +192 -0
package/dist/server/handlers/workflow-steps-engine-persist.js.map +1 -0
package/dist/server/handlers/workflow-steps-engine-process.d.ts +7 -0
package/dist/server/handlers/workflow-steps-engine-process.js +290 -0
package/dist/server/handlers/workflow-steps-engine-process.js.map +1 -0
package/dist/server/handlers/workflow-steps-engine.d.ts +3 -0
package/dist/server/handlers/workflow-steps-engine.js +10 -0
package/dist/server/handlers/workflow-steps-engine.js.map +1 -0
package/dist/server/handlers/workflow-steps-executors-llm.d.ts +7 -0
package/dist/server/handlers/workflow-steps-executors-llm.js +265 -0
package/dist/server/handlers/workflow-steps-executors-llm.js.map +1 -0
package/dist/server/handlers/workflow-steps-executors.d.ts +9 -0
package/dist/server/handlers/workflow-steps-executors.js +188 -0
package/dist/server/handlers/workflow-steps-executors.js.map +1 -0
package/dist/server/handlers/workflow-steps-maintenance.d.ts +4 -0
package/dist/server/handlers/workflow-steps-maintenance.js +256 -0
package/dist/server/handlers/workflow-steps-maintenance.js.map +1 -0
package/dist/server/handlers/workflow-steps-types.d.ts +84 -0
package/dist/server/handlers/workflow-steps-types.js +179 -0
package/dist/server/handlers/workflow-steps-types.js.map +1 -0
package/dist/server/handlers/workflow-steps-webhook.d.ts +5 -0
package/dist/server/handlers/workflow-steps-webhook.js +179 -0
package/dist/server/handlers/workflow-steps-webhook.js.map +1 -0
package/dist/server/handlers/workflow-steps.js +2837 -2116
package/dist/server/handlers/workflow-steps.js.map +1 -0
package/dist/server/handlers/workflow-steps.test.js +330 -0
package/dist/server/handlers/workflows-extras.test.js +65 -0
package/dist/server/handlers/workflows.js +1630 -933
package/dist/server/handlers/workflows.js.map +1 -0
package/dist/server/handlers/workflows.part2.test.js +170 -0
package/dist/server/handlers/workflows.test.js +281 -0
package/dist/server/index.js +1702 -2596
package/dist/server/index.js.map +1 -0
package/dist/server/lib/__tests__/batch-client-conversion-jsonl.test.js +171 -0
package/dist/server/lib/__tests__/batch-client-polling.test.js +292 -0
package/dist/server/lib/__tests__/batch-client-queue.test.js +270 -0
package/dist/server/lib/__tests__/clickhouse-buffer.test.js +236 -0
package/dist/server/lib/__tests__/code-worker-edge-cases.test.js +118 -0
package/dist/server/lib/__tests__/code-worker-pool-execute.test.js +193 -0
package/dist/server/lib/__tests__/code-worker-pool-execution.test.js +165 -0
package/dist/server/lib/__tests__/code-worker-pool-init.test.js +131 -0
package/dist/server/lib/__tests__/code-worker-pool.test.js +194 -0
package/dist/server/lib/__tests__/code-worker-sandbox-ops.test.js +123 -0
package/dist/server/lib/__tests__/code-worker-sandbox.test.js +217 -0
package/dist/server/lib/__tests__/code-worker.test.js +179 -0
package/dist/server/lib/__tests__/compaction-service-generate.test.js +229 -0
package/dist/server/lib/__tests__/compaction-service.test.js +319 -0
package/dist/server/lib/__tests__/otel.test.js +146 -0
package/dist/server/lib/__tests__/prompt-sanitizer-validation.test.js +165 -0
package/dist/server/lib/__tests__/prompt-sanitizer.sanitize.test.js +343 -0
package/dist/server/lib/__tests__/prompt-sanitizer.test.js +328 -0
package/dist/server/lib/__tests__/prompt-sanitizer.validate-tool.test.js +145 -0
package/dist/server/lib/__tests__/provider-capabilities.test.js +263 -0
package/dist/server/lib/__tests__/provider-failover-routing.test.js +145 -0
package/dist/server/lib/__tests__/provider-failover-state.test.js +131 -0
package/dist/server/lib/__tests__/rate-limiter-budgets.test.js +216 -0
package/dist/server/lib/__tests__/rate-limiter.budgets-tools.test.js +113 -0
package/dist/server/lib/__tests__/rate-limiter.check-request.test.js +141 -0
package/dist/server/lib/__tests__/rate-limiter.stats-lifecycle.test.js +135 -0
package/dist/server/lib/__tests__/rate-limiter.test.js +207 -0
package/dist/server/lib/__tests__/server-agent-loop-abort-conditions.test.js +544 -0
package/dist/server/lib/__tests__/server-agent-loop-abort.part2.test.js +504 -0
package/dist/server/lib/__tests__/server-agent-loop-abort.test.js +396 -0
package/dist/server/lib/__tests__/server-agent-loop-compaction.test.js +397 -0
package/dist/server/lib/__tests__/server-agent-loop-failover.test.js +356 -0
package/dist/server/lib/__tests__/server-agent-loop-features-caching.test.js +519 -0
package/dist/server/lib/__tests__/server-agent-loop-features-edges.test.js +512 -0
package/dist/server/lib/__tests__/server-subagent-bailout.test.js +194 -0
package/dist/server/lib/__tests__/server-subagent-basics.test.js +348 -0
package/dist/server/lib/__tests__/server-subagent-errors-abort.test.js +319 -0
package/dist/server/lib/__tests__/server-subagent-errors-progress.test.js +253 -0
package/dist/server/lib/__tests__/server-subagent-errors.part2.test.js +253 -0
package/dist/server/lib/__tests__/server-subagent-errors.test.js +319 -0
package/dist/server/lib/__tests__/session-checkpoint-load.test.js +275 -0
package/dist/server/lib/__tests__/session-checkpoint-save.test.js +159 -0
package/dist/server/lib/__tests__/ssrf-guard.test.js +93 -0
package/dist/server/lib/__tests__/supabase-client.test.js +111 -0
package/dist/server/lib/__tests__/template-resolver.test.js +317 -0
package/dist/server/lib/__tests__/utils-timeout.test.js +49 -0
package/dist/server/lib/__tests__/utils.test.js +322 -0
package/dist/server/lib/agent-loop-executor.d.ts +7 -0
package/dist/server/lib/agent-loop-executor.js +224 -0
package/dist/server/lib/agent-loop-executor.js.map +1 -0
package/dist/server/lib/agent-loop-turn.d.ts +53 -0
package/dist/server/lib/agent-loop-turn.js +166 -0
package/dist/server/lib/agent-loop-turn.js.map +1 -0
package/dist/server/lib/agent-loop-types.d.ts +118 -0
package/dist/server/lib/agent-loop-types.js +53 -0
package/dist/server/lib/agent-loop-types.js.map +1 -0
package/dist/server/lib/batch-client-anthropic.d.ts +10 -0
package/dist/server/lib/batch-client-anthropic.js +144 -0
package/dist/server/lib/batch-client-anthropic.js.map +1 -0
package/dist/server/lib/batch-client-openai.d.ts +10 -0
package/dist/server/lib/batch-client-openai.js +172 -0
package/dist/server/lib/batch-client-openai.js.map +1 -0
package/dist/server/lib/batch-client-types.d.ts +54 -0
package/dist/server/lib/batch-client-types.js +27 -0
package/dist/server/lib/batch-client-types.js.map +1 -0
package/dist/server/lib/batch-client.js +471 -409
package/dist/server/lib/batch-client.js.map +1 -0
package/dist/server/lib/clickhouse-buffer.js +118 -104
package/dist/server/lib/clickhouse-buffer.js.map +1 -0
package/dist/server/lib/clickhouse-client.js +107 -107
package/dist/server/lib/clickhouse-client.js.map +1 -0
package/dist/server/lib/coa-renderer-components.d.ts +15 -0
package/dist/server/lib/coa-renderer-components.js +361 -0
package/dist/server/lib/coa-renderer-components.js.map +1 -0
package/dist/server/lib/coa-renderer-pages.d.ts +15 -0
package/dist/server/lib/coa-renderer-pages.js +467 -0
package/dist/server/lib/coa-renderer-pages.js.map +1 -0
package/dist/server/lib/coa-renderer-styles.d.ts +525 -0
package/dist/server/lib/coa-renderer-styles.js +540 -0
package/dist/server/lib/coa-renderer-styles.js.map +1 -0
package/dist/server/lib/coa-renderer-tokens.d.ts +107 -0
package/dist/server/lib/coa-renderer-tokens.js +46 -0
package/dist/server/lib/coa-renderer-tokens.js.map +1 -0
package/dist/server/lib/coa-renderer.js +1786 -356
package/dist/server/lib/coa-renderer.js.map +1 -0
package/dist/server/lib/code-worker-pool.js +227 -177
package/dist/server/lib/code-worker-pool.js.map +1 -0
package/dist/server/lib/code-worker.js +174 -164
package/dist/server/lib/code-worker.js.map +1 -0
package/dist/server/lib/compaction-service.d.ts +2 -12
package/dist/server/lib/compaction-service.js +74 -184
package/dist/server/lib/compaction-service.js.map +1 -0
package/dist/server/lib/logger.js +36 -24
package/dist/server/lib/logger.js.map +1 -0
package/dist/server/lib/otel.js +101 -80
package/dist/server/lib/otel.js.map +1 -0
package/dist/server/lib/pdf-renderer-calc.d.ts +7 -0
package/dist/server/lib/pdf-renderer-calc.js +272 -0
package/dist/server/lib/pdf-renderer-calc.js.map +1 -0
package/dist/server/lib/pdf-renderer-generation.d.ts +73 -0
package/dist/server/lib/pdf-renderer-generation.js +298 -0
package/dist/server/lib/pdf-renderer-generation.js.map +1 -0
package/dist/server/lib/pdf-renderer-layout.d.ts +2 -0
package/dist/server/lib/pdf-renderer-layout.js +144 -0
package/dist/server/lib/pdf-renderer-layout.js.map +1 -0
package/dist/server/lib/pdf-renderer-validation.d.ts +14 -0
package/dist/server/lib/pdf-renderer-validation.js +220 -0
package/dist/server/lib/pdf-renderer-validation.js.map +1 -0
package/dist/server/lib/pdf-renderer.js +952 -788
package/dist/server/lib/pdf-renderer.js.map +1 -0
package/dist/server/lib/prompt-sanitizer.js +188 -108
package/dist/server/lib/prompt-sanitizer.js.map +1 -0
package/dist/server/lib/provider-capabilities.js +136 -138
package/dist/server/lib/provider-capabilities.js.map +1 -0
package/dist/server/lib/provider-failover.js +190 -168
package/dist/server/lib/provider-failover.js.map +1 -0
package/dist/server/lib/rate-limiter.js +186 -117
package/dist/server/lib/rate-limiter.js.map +1 -0
package/dist/server/lib/react-pdf-layout-elements.d.ts +8 -0
package/dist/server/lib/react-pdf-layout-elements.js +366 -0
package/dist/server/lib/react-pdf-layout-elements.js.map +1 -0
package/dist/server/lib/react-pdf-layout-labels.d.ts +38 -0
package/dist/server/lib/react-pdf-layout-labels.js +217 -0
package/dist/server/lib/react-pdf-layout-labels.js.map +1 -0
package/dist/server/lib/react-pdf-layout.js +551 -382
package/dist/server/lib/react-pdf-layout.js.map +1 -0
package/dist/server/lib/server-agent-loop-init.d.ts +28 -0
package/dist/server/lib/server-agent-loop-init.js +138 -0
package/dist/server/lib/server-agent-loop-init.js.map +1 -0
package/dist/server/lib/server-agent-loop-v2.d.ts +110 -0
package/dist/server/lib/server-agent-loop-v2.js +340 -0
package/dist/server/lib/server-agent-loop-v2.js.map +1 -0
package/dist/server/lib/server-agent-loop.d.ts +4 -1
package/dist/server/lib/server-agent-loop.js +907 -634
package/dist/server/lib/server-agent-loop.js.map +1 -0
package/dist/server/lib/server-subagent-loop.d.ts +3 -0
package/dist/server/lib/server-subagent-loop.js +267 -0
package/dist/server/lib/server-subagent-loop.js.map +1 -0
package/dist/server/lib/server-subagent.js +260 -164
package/dist/server/lib/server-subagent.js.map +1 -0
package/dist/server/lib/session-checkpoint.js +105 -96
package/dist/server/lib/session-checkpoint.js.map +1 -0
package/dist/server/lib/session-types.d.ts +106 -0
package/dist/server/lib/session-types.js +2 -0
package/dist/server/lib/session-types.js.map +1 -0
package/dist/server/lib/ssrf-guard.js +193 -184
package/dist/server/lib/ssrf-guard.js.map +1 -0
package/dist/server/lib/supabase-client.js +94 -82
package/dist/server/lib/supabase-client.js.map +1 -0
package/dist/server/lib/template-resolver.js +154 -176
package/dist/server/lib/template-resolver.js.map +1 -0
package/dist/server/lib/utils.js +242 -133
package/dist/server/lib/utils.js.map +1 -0
package/dist/server/local-agent-gateway-api.d.ts +34 -0
package/dist/server/local-agent-gateway-api.js +156 -0
package/dist/server/local-agent-gateway-api.js.map +1 -0
package/dist/server/local-agent-gateway-handler.d.ts +3 -0
package/dist/server/local-agent-gateway-handler.js +292 -0
package/dist/server/local-agent-gateway-handler.js.map +1 -0
package/dist/server/local-agent-gateway-init.d.ts +21 -0
package/dist/server/local-agent-gateway-init.js +143 -0
package/dist/server/local-agent-gateway-init.js.map +1 -0
package/dist/server/local-agent-gateway-messages.d.ts +12 -0
package/dist/server/local-agent-gateway-messages.js +108 -0
package/dist/server/local-agent-gateway-messages.js.map +1 -0
package/dist/server/local-agent-gateway-stats.d.ts +53 -0
package/dist/server/local-agent-gateway-stats.js +129 -0
package/dist/server/local-agent-gateway-stats.js.map +1 -0
package/dist/server/local-agent-gateway-types.d.ts +94 -0
package/dist/server/local-agent-gateway-types.js +78 -0
package/dist/server/local-agent-gateway-types.js.map +1 -0
package/dist/server/local-agent-gateway.d.ts +8 -2
package/dist/server/local-agent-gateway.js +825 -627
package/dist/server/local-agent-gateway.js.map +1 -0
package/dist/server/providers/__tests__/anthropic-adapter.test.js +228 -0
package/dist/server/providers/__tests__/anthropic-betas-toolchoice.test.js +257 -0
package/dist/server/providers/__tests__/anthropic-errors.test.js +262 -0
package/dist/server/providers/__tests__/anthropic-stream-core.test.js +275 -0
package/dist/server/providers/__tests__/anthropic-streaming-betas.test.js +247 -0
package/dist/server/providers/__tests__/anthropic-streaming-core.test.js +275 -0
package/dist/server/providers/__tests__/bedrock-config.test.js +177 -0
package/dist/server/providers/__tests__/bedrock-stream-behavior-streaming.test.js +272 -0
package/dist/server/providers/__tests__/bedrock-stream-behavior-toolchoice.test.js +214 -0
package/dist/server/providers/__tests__/bedrock-stream-behavior.part2.test.js +165 -0
package/dist/server/providers/__tests__/bedrock-stream-behavior.test.js +309 -0
package/dist/server/providers/__tests__/bedrock-stream-body-credentials.test.js +170 -0
package/dist/server/providers/__tests__/bedrock-stream-body-extras.test.js +183 -0
package/dist/server/providers/__tests__/bedrock-stream-body-request.test.js +305 -0
package/dist/server/providers/__tests__/bedrock-stream-body.part2.test.js +305 -0
package/dist/server/providers/__tests__/bedrock-stream-body.test.js +175 -0
package/dist/server/providers/__tests__/bedrock-stream-errors.test.js +165 -0
package/dist/server/providers/__tests__/gemini-config-methods.test.js +182 -0
package/dist/server/providers/__tests__/gemini-config-streaming.test.js +257 -0
package/dist/server/providers/__tests__/gemini-conversion-messages.test.js +247 -0
package/dist/server/providers/__tests__/gemini-conversion-schema.test.js +365 -0
package/dist/server/providers/__tests__/gemini-tools-choice.test.js +221 -0
package/dist/server/providers/__tests__/gemini-tools-fn.test.js +252 -0
package/dist/server/providers/__tests__/openai-config.test.js +194 -0
package/dist/server/providers/__tests__/openai-conversion.test.js +276 -0
package/dist/server/providers/__tests__/openai-messages.test.js +261 -0
package/dist/server/providers/__tests__/openai-streaming.test.js +394 -0
package/dist/server/providers/__tests__/openai-tools-cache.test.js +227 -0
package/dist/server/providers/__tests__/registry.test.js +183 -0
package/dist/server/providers/__tests__/shared.test.js +297 -0
package/dist/server/providers/anthropic.js +250 -172
package/dist/server/providers/anthropic.js.map +1 -0
package/dist/server/providers/bedrock.js +217 -158
package/dist/server/providers/bedrock.js.map +1 -0
package/dist/server/providers/gemini-conversion.d.ts +17 -0
package/dist/server/providers/gemini-conversion.js +185 -0
package/dist/server/providers/gemini-conversion.js.map +1 -0
package/dist/server/providers/gemini-streaming.d.ts +18 -0
package/dist/server/providers/gemini-streaming.js +187 -0
package/dist/server/providers/gemini-streaming.js.map +1 -0
package/dist/server/providers/gemini.js +548 -418
package/dist/server/providers/gemini.js.map +1 -0
package/dist/server/providers/openai-adapter.d.ts +15 -0
package/dist/server/providers/openai-adapter.js +423 -0
package/dist/server/providers/openai-adapter.js.map +1 -0
package/dist/server/providers/openai-conversion.d.ts +21 -0
package/dist/server/providers/openai-conversion.js +191 -0
package/dist/server/providers/openai-conversion.js.map +1 -0
package/dist/server/providers/openai.js +571 -437
package/dist/server/providers/openai.js.map +1 -0
package/dist/server/providers/registry.js +23 -18
package/dist/server/providers/registry.js.map +1 -0
package/dist/server/providers/shared.js +123 -95
package/dist/server/providers/shared.js.map +1 -0
package/dist/server/providers/types.js +1 -11
package/dist/server/providers/types.js.map +1 -0
package/dist/server/proxy-handlers.js +209 -165
package/dist/server/proxy-handlers.js.map +1 -0
package/dist/server/server-agent.d.ts +21 -0
package/dist/server/server-agent.js +162 -0
package/dist/server/server-agent.js.map +1 -0
package/dist/server/server-chat.d.ts +6 -0
package/dist/server/server-chat.js +210 -0
package/dist/server/server-chat.js.map +1 -0
package/dist/server/server-cost-guard.d.ts +16 -0
package/dist/server/server-cost-guard.js +141 -0
package/dist/server/server-cost-guard.js.map +1 -0
package/dist/server/server-executors.d.ts +10 -0
package/dist/server/server-executors.js +110 -0
package/dist/server/server-executors.js.map +1 -0
package/dist/server/server-helpers.d.ts +49 -0
package/dist/server/server-helpers.js +210 -0
package/dist/server/server-helpers.js.map +1 -0
package/dist/server/server-persist.d.ts +43 -0
package/dist/server/server-persist.js +249 -0
package/dist/server/server-persist.js.map +1 -0
package/dist/server/server-rate-limit.d.ts +9 -0
package/dist/server/server-rate-limit.js +77 -0
package/dist/server/server-rate-limit.js.map +1 -0
package/dist/server/server-routes-approvals.d.ts +4 -0
package/dist/server/server-routes-approvals.js +238 -0
package/dist/server/server-routes-approvals.js.map +1 -0
package/dist/server/server-routes-auth.d.ts +7 -0
package/dist/server/server-routes-auth.js +532 -0
package/dist/server/server-routes-auth.js.map +1 -0
package/dist/server/server-routes-events.d.ts +4 -0
package/dist/server/server-routes-events.js +167 -0
package/dist/server/server-routes-events.js.map +1 -0
package/dist/server/server-routes-public.d.ts +24 -0
package/dist/server/server-routes-public.js +453 -0
package/dist/server/server-routes-public.js.map +1 -0
package/dist/server/server-routes-waitpoints.d.ts +4 -0
package/dist/server/server-routes-waitpoints.js +190 -0
package/dist/server/server-routes-waitpoints.js.map +1 -0
package/dist/server/server-routes-webchat.d.ts +14 -0
package/dist/server/server-routes-webchat.js +307 -0
package/dist/server/server-routes-webchat.js.map +1 -0
package/dist/server/server-routes-workflows.d.ts +5 -0
package/dist/server/server-routes-workflows.js +289 -0
package/dist/server/server-routes-workflows.js.map +1 -0
package/dist/server/server-sse.d.ts +13 -0
package/dist/server/server-sse.js +197 -0
package/dist/server/server-sse.js.map +1 -0
package/dist/server/server-store-circuit-breaker.d.ts +32 -0
package/dist/server/server-store-circuit-breaker.js +211 -0
package/dist/server/server-store-circuit-breaker.js.map +1 -0
package/dist/server/server-store.d.ts +5 -0
package/dist/server/server-store.js +71 -0
package/dist/server/server-store.js.map +1 -0
package/dist/server/server-trace.d.ts +41 -0
package/dist/server/server-trace.js +133 -0
package/dist/server/server-trace.js.map +1 -0
package/dist/server/server-worker.d.ts +4 -0
package/dist/server/server-worker.js +127 -0
package/dist/server/server-worker.js.map +1 -0
package/dist/server/session-events.d.ts +27 -0
package/dist/server/session-events.js +69 -0
package/dist/server/session-events.js.map +1 -0
package/dist/server/session-manager.d.ts +52 -0
package/dist/server/session-manager.js +502 -0
package/dist/server/session-manager.js.map +1 -0
package/dist/server/tool-router-discovery.d.ts +33 -0
package/dist/server/tool-router-discovery.js +218 -0
package/dist/server/tool-router-discovery.js.map +1 -0
package/dist/server/tool-router-types.d.ts +91 -0
package/dist/server/tool-router-types.js +336 -0
package/dist/server/tool-router-types.js.map +1 -0
package/dist/server/tool-router-user-tools.d.ts +16 -0
package/dist/server/tool-router-user-tools.js +269 -0
package/dist/server/tool-router-user-tools.js.map +1 -0
package/dist/server/tool-router.js +959 -599
package/dist/server/tool-router.js.map +1 -0
package/dist/server/validation-schemas.d.ts +12 -0
package/dist/server/validation-schemas.js +251 -0
package/dist/server/validation-schemas.js.map +1 -0
package/dist/server/validation.js +248 -188
package/dist/server/validation.js.map +1 -0
package/dist/server/worker.js +202 -133
package/dist/server/worker.js.map +1 -0
package/dist/setup.d.ts +2 -2
package/dist/setup.js +151 -147
package/dist/setup.js.map +1 -0
package/dist/shared/agent-core-config.d.ts +12 -0
package/dist/shared/agent-core-config.js +77 -0
package/dist/shared/agent-core-config.js.map +1 -0
package/dist/shared/agent-core-config.test.js +132 -0
package/dist/shared/agent-core-context-thinking.test.js +293 -0
package/dist/shared/agent-core-loop-calls.test.js +174 -0
package/dist/shared/agent-core-loop-detector-bail.test.js +201 -0
package/dist/shared/agent-core-loop-detector.test.js +195 -0
package/dist/shared/agent-core-loop-errors.test.js +258 -0
package/dist/shared/agent-core-loop.d.ts +53 -0
package/dist/shared/agent-core-loop.js +251 -0
package/dist/shared/agent-core-loop.js.map +1 -0
package/dist/shared/agent-core-pricing.test.js +191 -0
package/dist/shared/agent-core-sanitize-retry.test.js +129 -0
package/dist/shared/agent-core-tools.d.ts +32 -0
package/dist/shared/agent-core-tools.js +323 -0
package/dist/shared/agent-core-tools.js.map +1 -0
package/dist/shared/agent-core-types.d.ts +182 -0
package/dist/shared/agent-core-types.js +265 -0
package/dist/shared/agent-core-types.js.map +1 -0
package/dist/shared/agent-core.d.ts +115 -26
package/dist/shared/agent-core.js +956 -522
package/dist/shared/agent-core.js.map +1 -0
package/dist/shared/agent-loop-base.d.ts +130 -0
package/dist/shared/agent-loop-base.js +347 -0
package/dist/shared/agent-loop-base.js.map +1 -0
package/dist/shared/anthropic-types.js +1 -6
package/dist/shared/anthropic-types.js.map +1 -0
package/dist/shared/api-client-build-request.test.js +228 -0
package/dist/shared/api-client-build-system-caching.test.js +107 -0
package/dist/shared/api-client-build.test.js +223 -0
package/dist/shared/api-client-config.d.ts +21 -0
package/dist/shared/api-client-helpers.d.ts +57 -0
package/dist/shared/api-client-helpers.test.js +261 -0
package/dist/shared/api-client-proxy-happy.test.js +255 -0
package/dist/shared/api-client-proxy-retry.test.js +307 -0
package/dist/shared/api-client-proxy.d.ts +26 -0
package/dist/shared/api-client-proxy.test.js +255 -0
package/dist/shared/api-client-retry.test.js +307 -0
package/dist/shared/api-client-system-trimming.test.js +261 -0
package/dist/shared/api-client-trimming.d.ts +36 -0
package/dist/shared/api-client.d.ts +16 -9
package/dist/shared/api-client.js +419 -327
package/dist/shared/api-client.js.map +1 -0
package/dist/shared/api-client.test.js +228 -0
package/dist/shared/compaction-thinking.test.js +315 -0
package/dist/shared/compaction-trimming.test.js +223 -0
package/dist/shared/compaction.d.ts +36 -0
package/dist/shared/compaction.js +138 -0
package/dist/shared/compaction.js.map +1 -0
package/dist/shared/constants.js +67 -64
package/dist/shared/constants.js.map +1 -0
package/dist/shared/exec-validator.d.ts +29 -0
package/dist/shared/exec-validator.js +106 -0
package/dist/shared/exec-validator.js.map +1 -0
package/dist/shared/imsg-constants.d.ts +8 -0
package/dist/shared/imsg-constants.js +13 -0
package/dist/shared/imsg-constants.js.map +1 -0
package/dist/shared/sse-parser-callbacks.test.js +422 -0
package/dist/shared/sse-parser-collect.test.js +252 -0
package/dist/shared/sse-parser-e2e.test.js +558 -0
package/dist/shared/sse-parser-parse.test.js +253 -0
package/dist/shared/sse-parser.js +221 -219
package/dist/shared/sse-parser.js.map +1 -0
package/dist/shared/tool-dispatch-advanced-batch-build.test.js +405 -0
package/dist/shared/tool-dispatch-advanced.test.js +320 -0
package/dist/shared/tool-dispatch-basic.test.js +278 -0
package/dist/shared/tool-dispatch-content.d.ts +14 -0
package/dist/shared/tool-dispatch-parallel.test.js +378 -0
package/dist/shared/tool-dispatch.d.ts +4 -0
package/dist/shared/tool-dispatch.js +226 -165
package/dist/shared/tool-dispatch.js.map +1 -0
package/dist/shared/types.js +1 -6
package/dist/shared/types.js.map +1 -0
package/dist/types/cli-highlight.d.js +2 -0
package/dist/types/cli-highlight.d.js.map +1 -0
package/dist/types/diff.d.js +2 -0
package/dist/types/diff.d.js.map +1 -0
package/dist/types/pdf-parse.d.js +2 -0
package/dist/types/pdf-parse.d.js.map +1 -0
package/dist/updater.d.ts +1 -1
package/dist/updater.js +118 -92
package/dist/updater.js.map +1 -0
package/dist/webchat/__tests__/widget-messaging.test.js +323 -0
package/dist/webchat/__tests__/widget.test.js +273 -0
package/dist/webchat/widget-styles.d.ts +7 -0
package/dist/webchat/widget-styles.js +11 -0
package/dist/webchat/widget-styles.js.map +1 -0
package/dist/webchat/widget.js +227 -380
package/dist/webchat/widget.js.map +1 -0
package/package.json +24 -11
package/src/cli/services/builtin-skills/verify.md +72 -0
package/vendor/ink/build/ansi-tokenizer.d.ts +38 -0
package/vendor/ink/build/ansi-tokenizer.js +316 -0
package/vendor/ink/build/ansi-tokenizer.js.map +1 -0
package/vendor/ink/build/apply-styles.js +175 -0
package/vendor/ink/build/build-layout.js +77 -0
package/vendor/ink/build/calculate-wrapped-text.js +53 -0
package/vendor/ink/build/colorize.d.ts +3 -0
package/vendor/ink/build/colorize.js +48 -0
package/vendor/ink/build/colorize.js.map +1 -0
package/vendor/ink/build/components/AccessibilityContext.d.ts +3 -0
package/vendor/ink/build/components/AccessibilityContext.js +5 -0
package/vendor/ink/build/components/AccessibilityContext.js.map +1 -0
package/vendor/ink/build/components/App.d.ts +18 -0
package/vendor/ink/build/components/App.js +351 -0
package/vendor/ink/build/components/App.js.map +1 -0
package/vendor/ink/build/components/AppContext.d.ts +15 -0
package/vendor/ink/build/components/AppContext.js +11 -0
package/vendor/ink/build/components/AppContext.js.map +1 -0
package/vendor/ink/build/components/BackgroundContext.d.ts +4 -0
package/vendor/ink/build/components/BackgroundContext.js +3 -0
package/vendor/ink/build/components/BackgroundContext.js.map +1 -0
package/vendor/ink/build/components/Box.d.ts +117 -0
package/vendor/ink/build/components/Box.js +34 -0
package/vendor/ink/build/components/Box.js.map +1 -0
package/vendor/ink/build/components/Color.js +62 -0
package/vendor/ink/build/components/Cursor.d.ts +83 -0
package/vendor/ink/build/components/Cursor.js +53 -0
package/vendor/ink/build/components/Cursor.js.map +1 -0
package/vendor/ink/build/components/CursorContext.d.ts +11 -0
package/vendor/ink/build/components/CursorContext.js +8 -0
package/vendor/ink/build/components/CursorContext.js.map +1 -0
package/vendor/ink/build/components/ErrorBoundary.d.ts +18 -0
package/vendor/ink/build/components/ErrorBoundary.js +23 -0
package/vendor/ink/build/components/ErrorBoundary.js.map +1 -0
package/vendor/ink/build/components/ErrorOverview.d.ts +6 -0
package/vendor/ink/build/components/ErrorOverview.js +84 -0
package/vendor/ink/build/components/ErrorOverview.js.map +1 -0
package/vendor/ink/build/components/FocusContext.d.ts +16 -0
package/vendor/ink/build/components/FocusContext.js +17 -0
package/vendor/ink/build/components/FocusContext.js.map +1 -0
package/vendor/ink/build/components/Newline.d.ts +13 -0
package/vendor/ink/build/components/Newline.js +8 -0
package/vendor/ink/build/components/Newline.js.map +1 -0
package/vendor/ink/build/components/Spacer.d.ts +7 -0
package/vendor/ink/build/components/Spacer.js +11 -0
package/vendor/ink/build/components/Spacer.js.map +1 -0
package/vendor/ink/build/components/Static.d.ts +24 -0
package/vendor/ink/build/components/Static.js +28 -0
package/vendor/ink/build/components/Static.js.map +1 -0
package/vendor/ink/build/components/StderrContext.d.ts +15 -0
package/vendor/ink/build/components/StderrContext.js +13 -0
package/vendor/ink/build/components/StderrContext.js.map +1 -0
package/vendor/ink/build/components/StdinContext.d.ts +22 -0
package/vendor/ink/build/components/StdinContext.js +19 -0
package/vendor/ink/build/components/StdinContext.js.map +1 -0
package/vendor/ink/build/components/StdoutContext.d.ts +15 -0
package/vendor/ink/build/components/StdoutContext.js +13 -0
package/vendor/ink/build/components/StdoutContext.js.map +1 -0
package/vendor/ink/build/components/Text.d.ts +55 -0
package/vendor/ink/build/components/Text.js +50 -0
package/vendor/ink/build/components/Text.js.map +1 -0
package/vendor/ink/build/components/Transform.d.ts +16 -0
package/vendor/ink/build/components/Transform.js +15 -0
package/vendor/ink/build/components/Transform.js.map +1 -0
package/vendor/ink/build/cursor-helpers.d.ts +38 -0
package/vendor/ink/build/cursor-helpers.js +56 -0
package/vendor/ink/build/cursor-helpers.js.map +1 -0
package/vendor/ink/build/devtools-window-polyfill.d.ts +1 -0
package/vendor/ink/build/devtools-window-polyfill.js +65 -0
package/vendor/ink/build/devtools-window-polyfill.js.map +1 -0
package/vendor/ink/build/devtools.d.ts +1 -0
package/vendor/ink/build/devtools.js +11 -0
package/vendor/ink/build/devtools.js.map +1 -0
package/vendor/ink/build/dom.d.ts +56 -0
package/vendor/ink/build/dom.js +124 -0
package/vendor/ink/build/dom.js.map +1 -0
package/vendor/ink/build/experimental/apply-style.js +140 -0
package/vendor/ink/build/experimental/dom.js +123 -0
package/vendor/ink/build/experimental/output.js +91 -0
package/vendor/ink/build/experimental/reconciler.js +141 -0
package/vendor/ink/build/experimental/renderer.js +81 -0
package/vendor/ink/build/get-max-width.d.ts +3 -0
package/vendor/ink/build/get-max-width.js +10 -0
package/vendor/ink/build/get-max-width.js.map +1 -0
package/vendor/ink/build/hooks/use-app.d.ts +5 -0
package/vendor/ink/build/hooks/use-app.js +8 -0
package/vendor/ink/build/hooks/use-app.js.map +1 -0
package/vendor/ink/build/hooks/use-cursor.d.ts +12 -0
package/vendor/ink/build/hooks/use-cursor.js +29 -0
package/vendor/ink/build/hooks/use-cursor.js.map +1 -0
package/vendor/ink/build/hooks/use-focus-manager.d.ts +28 -0
package/vendor/ink/build/hooks/use-focus-manager.js +17 -0
package/vendor/ink/build/hooks/use-focus-manager.js.map +1 -0
package/vendor/ink/build/hooks/use-focus.d.ts +29 -0
package/vendor/ink/build/hooks/use-focus.js +42 -0
package/vendor/ink/build/hooks/use-focus.js.map +1 -0
package/vendor/ink/build/hooks/use-input.d.ts +131 -0
package/vendor/ink/build/hooks/use-input.js +124 -0
package/vendor/ink/build/hooks/use-input.js.map +1 -0
package/vendor/ink/build/hooks/use-is-screen-reader-enabled.d.ts +5 -0
package/vendor/ink/build/hooks/use-is-screen-reader-enabled.js +11 -0
package/vendor/ink/build/hooks/use-is-screen-reader-enabled.js.map +1 -0
package/vendor/ink/build/hooks/use-stderr.d.ts +5 -0
package/vendor/ink/build/hooks/use-stderr.js +8 -0
package/vendor/ink/build/hooks/use-stderr.js.map +1 -0
package/vendor/ink/build/hooks/use-stdin.d.ts +5 -0
package/vendor/ink/build/hooks/use-stdin.js +8 -0
package/vendor/ink/build/hooks/use-stdin.js.map +1 -0
package/vendor/ink/build/hooks/use-stdout.d.ts +5 -0
package/vendor/ink/build/hooks/use-stdout.js +8 -0
package/vendor/ink/build/hooks/use-stdout.js.map +1 -0
package/vendor/ink/build/hooks/useInput.js +38 -0
package/vendor/ink/build/index.d.ts +34 -0
package/vendor/ink/build/index.js +20 -0
package/vendor/ink/build/index.js.map +1 -0
package/vendor/ink/build/ink.d.ts +90 -0
package/vendor/ink/build/ink.js +677 -0
package/vendor/ink/build/ink.js.map +1 -0
package/vendor/ink/build/input-parser.d.ts +7 -0
package/vendor/ink/build/input-parser.js +154 -0
package/vendor/ink/build/input-parser.js.map +1 -0
package/vendor/ink/build/instance.js +205 -0
package/vendor/ink/build/instances.d.ts +3 -0
package/vendor/ink/build/instances.js +8 -0
package/vendor/ink/build/instances.js.map +1 -0
package/vendor/ink/build/kitty-keyboard.d.ts +23 -0
package/vendor/ink/build/kitty-keyboard.js +32 -0
package/vendor/ink/build/kitty-keyboard.js.map +1 -0
package/vendor/ink/build/layout.d.ts +7 -0
package/vendor/ink/build/layout.js +33 -0
package/vendor/ink/build/layout.js.map +1 -0
package/vendor/ink/build/log-update.d.ts +19 -0
package/vendor/ink/build/log-update.js +250 -0
package/vendor/ink/build/log-update.js.map +1 -0
package/vendor/ink/build/measure-element.d.ts +16 -0
package/vendor/ink/build/measure-element.js +9 -0
package/vendor/ink/build/measure-element.js.map +1 -0
package/vendor/ink/build/measure-text.d.ts +6 -0
package/vendor/ink/build/measure-text.js +21 -0
package/vendor/ink/build/measure-text.js.map +1 -0
package/vendor/ink/build/options.d.ts +52 -0
package/vendor/ink/build/options.js +2 -0
package/vendor/ink/build/options.js.map +1 -0
package/vendor/ink/build/output.d.ts +35 -0
package/vendor/ink/build/output.js +183 -0
package/vendor/ink/build/output.js.map +1 -0
package/vendor/ink/build/parse-keypress.d.ts +22 -0
package/vendor/ink/build/parse-keypress.js +493 -0
package/vendor/ink/build/parse-keypress.js.map +1 -0
package/vendor/ink/build/reconciler.d.ts +4 -0
package/vendor/ink/build/reconciler.js +274 -0
package/vendor/ink/build/reconciler.js.map +1 -0
package/vendor/ink/build/render-background.d.ts +4 -0
package/vendor/ink/build/render-background.js +25 -0
package/vendor/ink/build/render-background.js.map +1 -0
package/vendor/ink/build/render-border.d.ts +4 -0
package/vendor/ink/build/render-border.js +73 -0
package/vendor/ink/build/render-border.js.map +1 -0
package/vendor/ink/build/render-node-to-output.d.ts +14 -0
package/vendor/ink/build/render-node-to-output.js +147 -0
package/vendor/ink/build/render-node-to-output.js.map +1 -0
package/vendor/ink/build/render-to-string.d.ts +38 -0
package/vendor/ink/build/render-to-string.js +115 -0
package/vendor/ink/build/render-to-string.js.map +1 -0
package/vendor/ink/build/render.d.ts +121 -0
package/vendor/ink/build/render.js +55 -0
package/vendor/ink/build/render.js.map +1 -0
package/vendor/ink/build/renderer.d.ts +8 -0
package/vendor/ink/build/renderer.js +55 -0
package/vendor/ink/build/renderer.js.map +1 -0
package/vendor/ink/build/sanitize-ansi.d.ts +2 -0
package/vendor/ink/build/sanitize-ansi.js +27 -0
package/vendor/ink/build/sanitize-ansi.js.map +1 -0
package/vendor/ink/build/screen-reader-update.d.ts +13 -0
package/vendor/ink/build/screen-reader-update.js +38 -0
package/vendor/ink/build/screen-reader-update.js.map +1 -0
package/vendor/ink/build/squash-text-nodes.d.ts +3 -0
package/vendor/ink/build/squash-text-nodes.js +36 -0
package/vendor/ink/build/squash-text-nodes.js.map +1 -0
package/vendor/ink/build/styles.d.ts +240 -0
package/vendor/ink/build/styles.js +232 -0
package/vendor/ink/build/styles.js.map +1 -0
package/vendor/ink/build/utils.d.ts +2 -0
package/vendor/ink/build/utils.js +4 -0
package/vendor/ink/build/utils.js.map +1 -0
package/vendor/ink/build/wrap-text.d.ts +3 -0
package/vendor/ink/build/wrap-text.js +31 -0
package/vendor/ink/build/wrap-text.js.map +1 -0
package/vendor/ink/build/write-synchronized.d.ts +4 -0
package/vendor/ink/build/write-synchronized.js +7 -0
package/vendor/ink/build/write-synchronized.js.map +1 -0
package/vendor/ink/license +10 -0
package/vendor/ink/node_modules/@types/node/LICENSE +21 -0
package/vendor/ink/node_modules/@types/node/README.md +15 -0
package/vendor/ink/node_modules/@types/node/assert/strict.d.ts +105 -0
package/vendor/ink/node_modules/@types/node/assert.d.ts +955 -0
package/vendor/ink/node_modules/@types/node/async_hooks.d.ts +623 -0
package/vendor/ink/node_modules/@types/node/buffer.buffer.d.ts +466 -0
package/vendor/ink/node_modules/@types/node/buffer.d.ts +1810 -0
package/vendor/ink/node_modules/@types/node/child_process.d.ts +1428 -0
package/vendor/ink/node_modules/@types/node/cluster.d.ts +486 -0
package/vendor/ink/node_modules/@types/node/compatibility/iterators.d.ts +21 -0
package/vendor/ink/node_modules/@types/node/console.d.ts +151 -0
package/vendor/ink/node_modules/@types/node/constants.d.ts +20 -0
package/vendor/ink/node_modules/@types/node/crypto.d.ts +4065 -0
package/vendor/ink/node_modules/@types/node/dgram.d.ts +564 -0
package/vendor/ink/node_modules/@types/node/diagnostics_channel.d.ts +576 -0
package/vendor/ink/node_modules/@types/node/dns/promises.d.ts +503 -0
package/vendor/ink/node_modules/@types/node/dns.d.ts +922 -0
package/vendor/ink/node_modules/@types/node/domain.d.ts +166 -0
package/vendor/ink/node_modules/@types/node/events.d.ts +1054 -0
package/vendor/ink/node_modules/@types/node/fs/promises.d.ts +1329 -0
package/vendor/ink/node_modules/@types/node/fs.d.ts +4676 -0
package/vendor/ink/node_modules/@types/node/globals.d.ts +150 -0
package/vendor/ink/node_modules/@types/node/globals.typedarray.d.ts +101 -0
package/vendor/ink/node_modules/@types/node/http.d.ts +2167 -0
package/vendor/ink/node_modules/@types/node/http2.d.ts +2480 -0
package/vendor/ink/node_modules/@types/node/https.d.ts +405 -0
package/vendor/ink/node_modules/@types/node/index.d.ts +115 -0
package/vendor/ink/node_modules/@types/node/inspector/promises.d.ts +41 -0
package/vendor/ink/node_modules/@types/node/inspector.d.ts +224 -0
package/vendor/ink/node_modules/@types/node/inspector.generated.d.ts +4226 -0
package/vendor/ink/node_modules/@types/node/module.d.ts +819 -0
package/vendor/ink/node_modules/@types/node/net.d.ts +933 -0
package/vendor/ink/node_modules/@types/node/os.d.ts +507 -0
package/vendor/ink/node_modules/@types/node/package.json +155 -0
package/vendor/ink/node_modules/@types/node/path/posix.d.ts +8 -0
package/vendor/ink/node_modules/@types/node/path/win32.d.ts +8 -0
package/vendor/ink/node_modules/@types/node/path.d.ts +187 -0
package/vendor/ink/node_modules/@types/node/perf_hooks.d.ts +643 -0
package/vendor/ink/node_modules/@types/node/process.d.ts +2156 -0
package/vendor/ink/node_modules/@types/node/punycode.d.ts +117 -0
package/vendor/ink/node_modules/@types/node/querystring.d.ts +152 -0
package/vendor/ink/node_modules/@types/node/quic.d.ts +910 -0
package/vendor/ink/node_modules/@types/node/readline/promises.d.ts +161 -0
package/vendor/ink/node_modules/@types/node/readline.d.ts +541 -0
package/vendor/ink/node_modules/@types/node/repl.d.ts +415 -0
package/vendor/ink/node_modules/@types/node/sea.d.ts +162 -0
package/vendor/ink/node_modules/@types/node/sqlite.d.ts +955 -0
package/vendor/ink/node_modules/@types/node/stream/consumers.d.ts +38 -0
package/vendor/ink/node_modules/@types/node/stream/promises.d.ts +211 -0
package/vendor/ink/node_modules/@types/node/stream/web.d.ts +296 -0
package/vendor/ink/node_modules/@types/node/stream.d.ts +1760 -0
package/vendor/ink/node_modules/@types/node/string_decoder.d.ts +67 -0
package/vendor/ink/node_modules/@types/node/test/reporters.d.ts +96 -0
package/vendor/ink/node_modules/@types/node/test.d.ts +2240 -0
package/vendor/ink/node_modules/@types/node/timers/promises.d.ts +108 -0
package/vendor/ink/node_modules/@types/node/timers.d.ts +159 -0
package/vendor/ink/node_modules/@types/node/tls.d.ts +1198 -0
package/vendor/ink/node_modules/@types/node/trace_events.d.ts +197 -0
package/vendor/ink/node_modules/@types/node/ts5.6/buffer.buffer.d.ts +462 -0
package/vendor/ink/node_modules/@types/node/ts5.6/compatibility/float16array.d.ts +71 -0
package/vendor/ink/node_modules/@types/node/ts5.6/globals.typedarray.d.ts +36 -0
package/vendor/ink/node_modules/@types/node/ts5.6/index.d.ts +117 -0
package/vendor/ink/node_modules/@types/node/ts5.7/compatibility/float16array.d.ts +72 -0
package/vendor/ink/node_modules/@types/node/ts5.7/index.d.ts +117 -0
package/vendor/ink/node_modules/@types/node/tty.d.ts +250 -0
package/vendor/ink/node_modules/@types/node/url.d.ts +519 -0
package/vendor/ink/node_modules/@types/node/util/types.d.ts +558 -0
package/vendor/ink/node_modules/@types/node/util.d.ts +1662 -0
package/vendor/ink/node_modules/@types/node/v8.d.ts +983 -0
package/vendor/ink/node_modules/@types/node/vm.d.ts +1208 -0
package/vendor/ink/node_modules/@types/node/wasi.d.ts +202 -0
package/vendor/ink/node_modules/@types/node/web-globals/abortcontroller.d.ts +59 -0
package/vendor/ink/node_modules/@types/node/web-globals/blob.d.ts +23 -0
package/vendor/ink/node_modules/@types/node/web-globals/console.d.ts +9 -0
package/vendor/ink/node_modules/@types/node/web-globals/crypto.d.ts +39 -0
package/vendor/ink/node_modules/@types/node/web-globals/domexception.d.ts +68 -0
package/vendor/ink/node_modules/@types/node/web-globals/encoding.d.ts +11 -0
package/vendor/ink/node_modules/@types/node/web-globals/events.d.ts +106 -0
package/vendor/ink/node_modules/@types/node/web-globals/fetch.d.ts +69 -0
package/vendor/ink/node_modules/@types/node/web-globals/importmeta.d.ts +13 -0
package/vendor/ink/node_modules/@types/node/web-globals/messaging.d.ts +23 -0
package/vendor/ink/node_modules/@types/node/web-globals/navigator.d.ts +25 -0
package/vendor/ink/node_modules/@types/node/web-globals/performance.d.ts +45 -0
package/vendor/ink/node_modules/@types/node/web-globals/storage.d.ts +24 -0
package/vendor/ink/node_modules/@types/node/web-globals/streams.d.ts +115 -0
package/vendor/ink/node_modules/@types/node/web-globals/timers.d.ts +44 -0
package/vendor/ink/node_modules/@types/node/web-globals/url.d.ts +24 -0
package/vendor/ink/node_modules/@types/node/worker_threads.d.ts +717 -0
package/vendor/ink/node_modules/@types/node/zlib.d.ts +618 -0
package/vendor/ink/node_modules/node-pty/LICENSE +69 -0
package/vendor/ink/node_modules/node-pty/README.md +164 -0
package/vendor/ink/node_modules/node-pty/binding.gyp +150 -0
package/vendor/ink/node_modules/node-pty/lib/conpty_console_list_agent.js +25 -0
package/vendor/ink/node_modules/node-pty/lib/eventEmitter2.js +47 -0
package/vendor/ink/node_modules/node-pty/lib/index.js +52 -0
package/vendor/ink/node_modules/node-pty/lib/interfaces.js +7 -0
package/vendor/ink/node_modules/node-pty/lib/shared/conout.js +11 -0
package/vendor/ink/node_modules/node-pty/lib/terminal.js +190 -0
package/vendor/ink/node_modules/node-pty/lib/types.js +7 -0
package/vendor/ink/node_modules/node-pty/lib/unixTerminal.js +349 -0
package/vendor/ink/node_modules/node-pty/lib/utils.js +39 -0
package/vendor/ink/node_modules/node-pty/lib/windowsConoutConnection.js +125 -0
package/vendor/ink/node_modules/node-pty/lib/windowsPtyAgent.js +287 -0
package/vendor/ink/node_modules/node-pty/lib/windowsTerminal.js +201 -0
package/vendor/ink/node_modules/node-pty/lib/worker/conoutSocketWorker.js +22 -0
package/vendor/ink/node_modules/node-pty/package.json +65 -0
package/vendor/ink/node_modules/node-pty/prebuilds/darwin-arm64/pty.node +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/darwin-arm64/spawn-helper +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/darwin-x64/pty.node +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/darwin-x64/spawn-helper +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/linux-arm64/pty.node +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/linux-x64/pty.node +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-arm64/conpty/OpenConsole.exe +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-arm64/conpty/conpty.dll +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-arm64/conpty.node +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-arm64/conpty.pdb +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-arm64/conpty_console_list.node +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-arm64/conpty_console_list.pdb +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-x64/conpty/OpenConsole.exe +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-x64/conpty/conpty.dll +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-x64/conpty.node +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-x64/conpty.pdb +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-x64/conpty_console_list.node +0 -0
package/vendor/ink/node_modules/node-pty/prebuilds/win32-x64/conpty_console_list.pdb +0 -0
package/vendor/ink/node_modules/node-pty/scripts/post-install.js +76 -0
package/vendor/ink/node_modules/node-pty/scripts/prebuild.js +34 -0
package/vendor/ink/node_modules/node-pty/src/unix/pty.cc +875 -0
package/vendor/ink/node_modules/node-pty/src/unix/spawn-helper.cc +23 -0
package/vendor/ink/node_modules/node-pty/src/win/conpty.cc +582 -0
package/vendor/ink/node_modules/node-pty/src/win/conpty.h +41 -0
package/vendor/ink/node_modules/node-pty/src/win/conpty_console_list.cc +44 -0
package/vendor/ink/node_modules/node-pty/src/win/path_util.cc +95 -0
package/vendor/ink/node_modules/node-pty/src/win/path_util.h +26 -0
package/vendor/ink/node_modules/node-pty/third_party/conpty/1.23.251008001/win10-arm64/OpenConsole.exe +0 -0
package/vendor/ink/node_modules/node-pty/third_party/conpty/1.23.251008001/win10-arm64/conpty.dll +0 -0
package/vendor/ink/node_modules/node-pty/third_party/conpty/1.23.251008001/win10-x64/OpenConsole.exe +0 -0
package/vendor/ink/node_modules/node-pty/third_party/conpty/1.23.251008001/win10-x64/conpty.dll +0 -0
package/vendor/ink/node_modules/node-pty/typings/node-pty.d.ts +215 -0
package/vendor/ink/node_modules/undici-types/LICENSE +21 -0
package/vendor/ink/node_modules/undici-types/README.md +6 -0
package/vendor/ink/node_modules/undici-types/agent.d.ts +32 -0
package/vendor/ink/node_modules/undici-types/api.d.ts +43 -0
package/vendor/ink/node_modules/undici-types/balanced-pool.d.ts +30 -0
package/vendor/ink/node_modules/undici-types/cache-interceptor.d.ts +173 -0
package/vendor/ink/node_modules/undici-types/cache.d.ts +36 -0
package/vendor/ink/node_modules/undici-types/client-stats.d.ts +15 -0
package/vendor/ink/node_modules/undici-types/client.d.ts +108 -0
package/vendor/ink/node_modules/undici-types/connector.d.ts +34 -0
package/vendor/ink/node_modules/undici-types/content-type.d.ts +21 -0
package/vendor/ink/node_modules/undici-types/cookies.d.ts +30 -0
package/vendor/ink/node_modules/undici-types/diagnostics-channel.d.ts +74 -0
package/vendor/ink/node_modules/undici-types/dispatcher.d.ts +276 -0
package/vendor/ink/node_modules/undici-types/env-http-proxy-agent.d.ts +22 -0
package/vendor/ink/node_modules/undici-types/errors.d.ts +161 -0
package/vendor/ink/node_modules/undici-types/eventsource.d.ts +66 -0
package/vendor/ink/node_modules/undici-types/fetch.d.ts +211 -0
package/vendor/ink/node_modules/undici-types/formdata.d.ts +108 -0
package/vendor/ink/node_modules/undici-types/global-dispatcher.d.ts +9 -0
package/vendor/ink/node_modules/undici-types/global-origin.d.ts +7 -0
package/vendor/ink/node_modules/undici-types/h2c-client.d.ts +73 -0
package/vendor/ink/node_modules/undici-types/handlers.d.ts +15 -0
package/vendor/ink/node_modules/undici-types/header.d.ts +160 -0
package/vendor/ink/node_modules/undici-types/index.d.ts +88 -0
package/vendor/ink/node_modules/undici-types/interceptors.d.ts +73 -0
package/vendor/ink/node_modules/undici-types/mock-agent.d.ts +68 -0
package/vendor/ink/node_modules/undici-types/mock-call-history.d.ts +111 -0
package/vendor/ink/node_modules/undici-types/mock-client.d.ts +27 -0
package/vendor/ink/node_modules/undici-types/mock-errors.d.ts +12 -0
package/vendor/ink/node_modules/undici-types/mock-interceptor.d.ts +94 -0
package/vendor/ink/node_modules/undici-types/mock-pool.d.ts +27 -0
package/vendor/ink/node_modules/undici-types/package.json +55 -0
package/vendor/ink/node_modules/undici-types/patch.d.ts +29 -0
package/vendor/ink/node_modules/undici-types/pool-stats.d.ts +19 -0
package/vendor/ink/node_modules/undici-types/pool.d.ts +41 -0
package/vendor/ink/node_modules/undici-types/proxy-agent.d.ts +29 -0
package/vendor/ink/node_modules/undici-types/readable.d.ts +68 -0
package/vendor/ink/node_modules/undici-types/retry-agent.d.ts +8 -0
package/vendor/ink/node_modules/undici-types/retry-handler.d.ts +125 -0
package/vendor/ink/node_modules/undici-types/round-robin-pool.d.ts +41 -0
package/vendor/ink/node_modules/undici-types/snapshot-agent.d.ts +109 -0
package/vendor/ink/node_modules/undici-types/util.d.ts +18 -0
package/vendor/ink/node_modules/undici-types/utility.d.ts +7 -0
package/vendor/ink/node_modules/undici-types/webidl.d.ts +341 -0
package/vendor/ink/node_modules/undici-types/websocket.d.ts +186 -0
package/vendor/ink/package.json +201 -0
package/vendor/ink/readme.md +2636 -0
package/bin/swag-agent.js +0 -9
package/dist/server/lib/pg-rate-limiter.d.ts +0 -21
package/dist/server/lib/pg-rate-limiter.js +0 -86

package/dist/server/index.js CHANGED Viewed

@@ -3,2702 +3,1808 @@
 // model-aware context management, cost tracking, compaction block handling
 //
 // Shares agent-core with CLI via src/shared/agent-core.ts
 import http from "node:http";
-import { randomUUID, timingSafeEqual, createHash } from "node:crypto";
+import { randomUUID } from "node:crypto";
 import Anthropic from "@anthropic-ai/sdk";
 import { createLogger } from "./lib/logger.js";
 const log = createLogger("server");
-import { sanitizeError, resolveAgentLoopConfig, } from "../shared/agent-core.js";
-import { MODELS } from "../shared/constants.js";
+import { sanitizeError } from "../shared/agent-core.js";
 import { handleProxy } from "./proxy-handlers.js";
 import { handleNodeRoutes, setNodeAgentInvoker } from "./handlers/nodes.js";
 import { handleTranscribe } from "./handlers/transcription.js";
 import { handleBillingRoutes, incrementUsage, checkPlanLimits } from "./handlers/billing.js";
+import { handleSessionRoutes } from "./handlers/sessions-handlers.js";
 import { generateCompaction } from "./lib/compaction-service.js";
 import { initLocalAgentGateway, shutdownGateway as shutdownAgentGateway, getGatewayStats } from "./local-agent-gateway.js";
 import { initSupabase, getServiceClient } from "./lib/supabase-client.js";
 import { loadCheckpoint, markOrphaned } from "./lib/session-checkpoint.js";
 import { rateLimiter } from "./lib/rate-limiter.js";
 import { sanitizeAndLog } from "./lib/prompt-sanitizer.js";
-import { processWorkflowSteps, processWaitingSteps, handleWebhookIngestion, executeInlineChain, setToolExecutor, setAgentExecutor, setTokenBroadcaster, setStepErrorBroadcaster, verifyGuestApprovalSignature, initWorkerPool, getPoolStats, shutdownPool, processScheduleTriggers, enforceWorkflowTimeouts, processEventTriggers, cleanupOrphanedSteps, processDlqRetries } from "./handlers/workflows.js";
-import { runServerAgentLoop } from "./lib/server-agent-loop.js";
-import { loadTools, loadUserTools, getToolsForAgent, executeTool, loadAgentConfig, setExtendedToolsCache, getExtendedToolsIndex, flushSpans, } from "./tool-router.js";
-import { queueSpan, auditRowToSpan, classifyErrorType } from "./lib/clickhouse-buffer.js";
-import pg from "pg";
+import { generateOpenApiSpec } from "./handlers/api-docs.js";
+import { processWorkflowSteps, handleWebhookIngestion, executeInlineChain, initWorkerPool, getPoolStats, shutdownPool, verifyGuestApprovalSignature } from "./handlers/workflows.js";
+import { loadUserTools, executeTool, flushSpans } from "./tool-router.js";
+import { queueSpan, auditRowToSpan } from "./lib/clickhouse-buffer.js";
+// Extracted modules — single source of truth (no inline duplicates)
+import { safeCompare, getCorsHeaders, jsonResponse, readBody } from "./server-helpers.js";
+import { sendIpRateLimit } from "./server-rate-limit.js";
+import { resolveAndValidateStoreId } from "./server-store.js";
+import { getSseClients, safeSseWrite, sendWorkflowSSE, getTotalSseClients, sseCleanupInterval, MAX_SSE_CLIENTS_PER_RUN, MAX_SSE_TOTAL_CLIENTS, setupPgListen, closePgClient, pgListenReady } from "./server-sse.js";
+import { handleAgentChat } from "./server-chat.js";
+import { wireToolExecutor, wireAgentExecutor, wireBroadcasters, invokeAgentForChannel } from "./server-executors.js";
+import { startWorkerLoop, stopWorkerLoop } from "./server-worker.js";
+import { getCircuitBreakerStats } from "./server-store-circuit-breaker.js";
 // ============================================================================
 // PROCESS ERROR HANDLERS
 // ============================================================================
 process.on("unhandledRejection", (reason, _promise) => {
-    log.error({ err: reason }, "unhandled rejection");
+  log.error({
+    err: reason
+  }, "unhandled rejection");
 });
-process.on("uncaughtException", (err) => {
-    log.fatal({ err }, "uncaught exception");
-    process.exit(1);
+process.on("uncaughtException", err => {
+  log.fatal({
+    err
+  }, "uncaught exception");
+  process.exit(1);
 });
 // ============================================================================
 // ENV CONFIG
 // ============================================================================
 const PORT = parseInt(process.env.PORT || "8080", 10);
 const SUPABASE_URL = process.env.SUPABASE_URL;
 const SUPABASE_SERVICE_ROLE_KEY = process.env.SUPABASE_SERVICE_ROLE_KEY;
 const SERVICE_ROLE_JWT = process.env.SERVICE_ROLE_JWT || "";
 const ANTHROPIC_API_KEY = process.env.ANTHROPIC_API_KEY;
-const ALLOWED_ORIGINS = (process.env.ALLOWED_ORIGINS || "http://localhost:3000,http://127.0.0.1:3000").split(",").map(s => s.trim());
 const FLY_INTERNAL_SECRET = process.env.FLY_INTERNAL_SECRET || "";
 if (!FLY_INTERNAL_SECRET) {
-    console.warn("[SECURITY] FLY_INTERNAL_SECRET is not set — internal endpoints are unprotected");
+  console.warn("[SECURITY] FLY_INTERNAL_SECRET is not set — internal endpoints are unprotected");
 }
 // ============================================================================
 // READINESS STATE
 // ============================================================================
-let pgListenReady = false;
 let workerPoolReady = false;
 function isReady() {
-    return workerPoolReady; // PG listen is optional (SSE only)
+  return workerPoolReady; // PG listen is optional (SSE only)
 }
 // Webchat agent invoker — set later to avoid circular deps (same as node agent invoker)
 let webchatAgentInvoker = null;
 // ============================================================================
-// RATE LIMITING — Phase 7.2 token-bucket (see lib/rate-limiter.ts)
+// HTTP SERVER
 // ============================================================================
-/** Check IP rate limit and send 429 with proper headers if exceeded */
-function sendIpRateLimit(res, ip, headers) {
-    const result = rateLimiter.checkRequest(`ip:${ip}`, "unauthenticated");
-    if (result.allowed)
-        return false; // not rate-limited
-    res.writeHead(429, {
-        "Retry-After": String(Math.ceil(result.retryAfterMs / 1000) || 1),
-        "X-RateLimit-Remaining": "0",
-        "Content-Type": "application/json",
-        ...headers,
+// Connection tracking for graceful shutdown draining
+let activeRequests = 0;
+const server = http.createServer(async (req, res) => {
+  activeRequests++;
+  res.on("close", () => {
+    activeRequests--;
+  });
+  const origin = req.headers.origin || "";
+  const corsHeaders = getCorsHeaders(origin);
+  // Health check — readiness-aware for Fly.io
+  if (req.method === "GET" && (req.url === "/" || req.url === "/health")) {
+    const ready = isReady();
+    const status = ready ? 200 : 503;
+    const agentStats = getGatewayStats();
+    const cbStats = getCircuitBreakerStats();
+    jsonResponse(res, status, {
+      status: ready ? "ok" : "starting",
+      version: process.env.npm_package_version || "6.4.0",
+      uptime: Math.floor(process.uptime()),
+      pg_listen: pgListenReady,
+      worker_pool: workerPoolReady,
+      local_agents: agentStats.total_agents,
+      circuit_breakers: cbStats
+    }, corsHeaders);
+    return;
+  }
+  // OpenAPI spec — public, no auth required (for Scalar docs viewer)
+  if (req.method === "GET" && req.url === "/openapi.json") {
+    const spec = generateOpenApiSpec();
+    res.writeHead(200, {
+      ...corsHeaders,
+      "Content-Type": "application/json",
+      "Cache-Control": "public, max-age=3600"
     });
-    res.end(JSON.stringify({ error: "Too many requests" }));
-    return true; // was rate-limited
-}
-// Agent chat rate limiting — per-store + global concurrent cap
-const agentChatLimiter = new Map();
-const AGENT_CHAT_MAX_PER_MIN = 60;
-const AGENT_CHAT_MAX_CONCURRENT = 10;
-let agentChatConcurrent = 0;
-// Periodically clean up stale entries from agentChatLimiter to prevent unbounded Map growth
-setInterval(() => {
-    const now = Date.now();
-    for (const [key, entry] of agentChatLimiter) {
-        if (now - entry.windowStart > 120_000) {
-            agentChatLimiter.delete(key);
-        }
-    }
-}, 60_000);
-function checkAgentChatRateLimit(storeId) {
-    // Concurrent check
-    if (agentChatConcurrent >= AGENT_CHAT_MAX_CONCURRENT) {
-        return { allowed: false, error: "Too many concurrent agent sessions. Please wait." };
-    }
-    // Per-store per-minute check
-    const now = Date.now();
-    let entry = agentChatLimiter.get(storeId);
-    if (!entry || now - entry.windowStart > 60_000) {
-        entry = { count: 0, windowStart: now };
-        agentChatLimiter.set(storeId, entry);
-    }
-    entry.count++;
-    if (entry.count > AGENT_CHAT_MAX_PER_MIN) {
-        return { allowed: false, error: `Rate limit exceeded: ${AGENT_CHAT_MAX_PER_MIN}/min for agent chat` };
-    }
-    return { allowed: true };
-}
-// Timing-safe secret comparison to prevent timing attacks
-// Hash both values to fixed length before comparing — avoids leaking secret length
-function safeCompare(a, b) {
-    if (!a || !b)
-        return false;
-    const hashA = createHash("sha256").update(a).digest();
-    const hashB = createHash("sha256").update(b).digest();
-    return timingSafeEqual(hashA, hashB);
-}
-// Tool registry, user tools, executor, and agent loader are in ./tool-router.ts
-// ============================================================================
-// STORE CONTEXT — Server-derived store resolution (Apple-style)
-// The server NEVER blindly trusts a client-supplied storeId. Instead it:
-//   1. Resolves the user's stores from the `users` table via auth.uid()
-//   2. Validates the client hint against the resolved set
-//   3. Falls back to the user's first store if no hint provided
-//   4. Returns null if no store can be resolved (caller must fail closed)
-// ============================================================================
-async function resolveAndValidateStoreId(supabase, clientStoreId, user, isServiceRole, _token, requestUserId) {
-    // Service-role callers: trusted ONLY for internal server-to-server calls
-    // (workflows, cron jobs) that have NO associated user. When a userId is
-    // present (e.g. MCP CLI using env-var service role key), we MUST still
-    // validate store membership to prevent cross-tenant access.
-    if (isServiceRole) {
-        const srUserId = user?.id || requestUserId;
-        if (!srUserId)
-            return clientStoreId || null; // true internal call — pass through
-        if (!clientStoreId)
-            return null; // user-context call without store hint
-        // Validate the user actually belongs to the requested store
-        const { data: membership } = await supabase
-            .from("store_members")
-            .select("id")
-            .eq("store_id", clientStoreId)
-            .eq("user_id", srUserId)
-            .limit(1)
-            .maybeSingle();
-        if (membership)
-            return clientStoreId;
-        // Fallback: check users table (legacy single-store pattern)
-        const { data: userRow } = await supabase
-            .from("users")
-            .select("store_id")
-            .eq("auth_user_id", srUserId)
-            .eq("store_id", clientStoreId)
-            .maybeSingle();
-        if (userRow)
-            return clientStoreId;
-        log.warn({ userId: srUserId, clientStoreId }, "resolveStoreId: service-role caller userId not authorized for store");
-        return null;
-    }
-    if (!user?.id)
-        return null;
-    // Resolve user's actual stores from the `users` table (auth_user_id = auth.uid())
-    const { data: userStores, error } = await supabase
-        .from("users")
-        .select("store_id")
-        .eq("auth_user_id", user.id)
-        .not("store_id", "is", null);
-    if (error || !userStores?.length) {
-        log.warn({ userId: user.id, error }, "resolveStoreId: user has no stores");
-        return null;
-    }
-    const storeIds = userStores.map((r) => r.store_id);
-    // If client provided a hint, validate it's in the user's set
-    if (clientStoreId) {
-        if (storeIds.includes(clientStoreId)) {
-            return clientStoreId;
-        }
-        log.warn({ userId: user.id, clientStoreId, userStores: storeIds }, "resolveStoreId: client storeId not in user's stores");
-        return null; // Reject — don't silently fall back
-    }
-    // No client hint — use first store (single-store users), or require explicit selection
-    if (storeIds.length === 1) {
-        return storeIds[0];
-    }
-    // Multi-store user without a hint — can't guess
-    log.warn({ userId: user.id, storeCount: storeIds.length }, "resolveStoreId: multi-store user must specify storeId");
-    return null;
-}
-// ============================================================================
-// CORS
-// ============================================================================
-function getCorsHeaders(origin) {
-    const headers = {
-        "X-Content-Type-Options": "nosniff",
-        "X-Frame-Options": "DENY",
-        "X-XSS-Protection": "0",
-        "Referrer-Policy": "strict-origin-when-cross-origin",
+    res.end(JSON.stringify(spec));
+    return;
+  }
+  // CORS preflight
+  if (req.method === "OPTIONS") {
+    res.writeHead(204, corsHeaders);
+    res.end();
+    return;
+  }
+  const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
+  const pathname = url.pathname;
+  // ================================================================
+  // Phase 3: SSE stream for workflow run progress
+  // GET /workflows/runs/:id/stream
+  // ================================================================
+  if (req.method === "GET" && pathname.match(/^\/workflows\/runs\/[a-f0-9-]+\/stream$/)) {
+    const runId = pathname.split("/")[3];
+    // Auth check
+    const authHeader = req.headers.authorization;
+    const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+    const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
+    if (!isInternal && !token) {
+      jsonResponse(res, 401, {
+        error: "Missing authorization"
+      }, corsHeaders);
+      return;
+    }
+    if (!isInternal) {
+      const sb = getServiceClient();
+      const {
+        data: {
+          user: authUser
+        },
+        error: authError
+      } = await sb.auth.getUser(token);
+      if (authError || !authUser) {
+        jsonResponse(res, 401, {
+          error: "Invalid or expired token"
+        }, corsHeaders);
+        return;
+      }
+      // P1 FIX: Verify user belongs to the run's store (prevent cross-store SSE snooping)
+      const {
+        data: sseRun
+      } = await sb.from("workflow_runs").select("store_id").eq("id", runId).single();
+      if (sseRun) {
+        const {
+          data: membership
+        } = await sb.from("store_members").select("id").eq("store_id", sseRun.store_id).eq("user_id", authUser.id).single();
+        if (!membership) {
+          jsonResponse(res, 403, {
+            error: "Not authorized to view this run"
+          }, corsHeaders);
+          return;
+        }
+      }
+    }
+    // H6 FIX: Enforce per-run and total client limits
+    const sseClients = getSseClients();
+    const existingClients = sseClients.get(runId)?.size || 0;
+    if (existingClients >= MAX_SSE_CLIENTS_PER_RUN) {
+      jsonResponse(res, 429, {
+        error: "Too many SSE clients for this run"
+      }, corsHeaders);
+      return;
+    }
+    if (getTotalSseClients() >= MAX_SSE_TOTAL_CLIENTS) {
+      jsonResponse(res, 429, {
+        error: "Too many total SSE connections"
+      }, corsHeaders);
+      return;
+    }
+    // Start SSE stream
+    res.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive",
+      ...corsHeaders
+    });
+    // Send snapshot
+    const sb = getServiceClient();
+    const {
+      data: run
+    } = await sb.from("workflow_runs").select("id, workflow_id, status, trigger_type, current_step_key, error_message, error_step_key, started_at, completed_at, duration_ms").eq("id", runId).single();
+    const {
+      data: stepRuns
+    } = await sb.from("workflow_step_runs").select("id, step_key, step_type, status, error_message, duration_ms, started_at, completed_at").eq("run_id", runId).order("created_at", {
+      ascending: true
+    });
+    sendWorkflowSSE(res, {
+      type: "snapshot",
+      run,
+      steps: stepRuns || []
+    });
+    // Register client
+    if (!sseClients.has(runId)) sseClients.set(runId, new Set());
+    sseClients.get(runId).add(res);
+    // Cleanup on disconnect
+    const cleanup = () => {
+      clearInterval(heartbeat);
+      const clients = sseClients.get(runId);
+      if (clients) {
+        clients.delete(res);
+        if (clients.size === 0) sseClients.delete(runId);
+      }
     };
-    if (ALLOWED_ORIGINS.includes("*")) {
-        headers["Access-Control-Allow-Origin"] = "*";
-    }
-    else if (origin && ALLOWED_ORIGINS.includes(origin)) {
-        headers["Access-Control-Allow-Origin"] = origin;
-        headers["Vary"] = "Origin";
-    }
-    // If origin doesn't match, no CORS header = browser blocks the request
-    headers["Access-Control-Allow-Methods"] = "GET, POST, OPTIONS";
-    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-Store-Id";
-    return headers;
-}
-// ============================================================================
-// PHASE 3: SSE STREAMING — real-time workflow run progress
-// ============================================================================
-// Map<runId, Set<ServerResponse>> for multiplexing SSE clients
-const sseClients = new Map();
-const MAX_SSE_CLIENTS_PER_RUN = 10;
-const MAX_SSE_TOTAL_CLIENTS = 100;
-/** Safe SSE write — returns false and calls cleanup if the connection is dead */
-function safeSseWrite(res, data, cleanup) {
+    // Heartbeat — uses safeSseWrite so dead connections are cleaned up immediately
+    const heartbeat = setInterval(() => {
+      if (!safeSseWrite(res, `: heartbeat\n\n`, cleanup)) {
+        clearInterval(heartbeat);
+      }
+    }, 15_000);
+    req.on("close", cleanup);
+    req.on("error", cleanup);
+    return;
+  }
+  // ================================================================
+  // Guest approval — signed URL, no auth required (GET)
+  // GET /approvals/guest/:id?action=approve&expires=...&sig=...
+  // ================================================================
+  const guestApprovalMatch = pathname.match(/^\/approvals\/guest\/([a-f0-9-]+)$/);
+  if (guestApprovalMatch && req.method === "GET") {
+    const clientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+    if (sendIpRateLimit(res, clientIp, corsHeaders)) return;
+    const stepRunId = guestApprovalMatch[1];
+    const urlParams = new URL(req.url || "", `http://${req.headers.host}`).searchParams;
+    const action = urlParams.get("action") || "";
+    const expires = urlParams.get("expires") || "";
+    const sig = urlParams.get("sig") || "";
+    if (!action || !expires || !sig) {
+      jsonResponse(res, 400, {
+        error: "Missing action, expires, or sig parameter"
+      }, corsHeaders);
+      return;
+    }
+    if (new Date(expires) < new Date()) {
+      jsonResponse(res, 410, {
+        error: "This approval link has expired"
+      }, corsHeaders);
+      return;
+    }
+    if (!verifyGuestApprovalSignature(stepRunId, action, expires, sig)) {
+      jsonResponse(res, 403, {
+        error: "Invalid signature"
+      }, corsHeaders);
+      return;
+    }
+    const guestSupabase = getServiceClient();
+    const {
+      data: approval
+    } = await guestSupabase.from("workflow_approval_requests").select("id, store_id, run_id, status").eq("step_run_id", stepRunId).limit(1);
+    if (!approval?.length) {
+      jsonResponse(res, 404, {
+        error: "Approval not found"
+      }, corsHeaders);
+      return;
+    }
+    if (approval[0].status !== "pending") {
+      jsonResponse(res, 409, {
+        error: `Approval already ${approval[0].status}`
+      }, corsHeaders);
+      return;
+    }
+    const isApprove = action === "approve" || action === "approved";
+    const {
+      data: guestResult,
+      error: guestErr
+    } = await guestSupabase.rpc("respond_to_approval", {
+      p_approval_id: approval[0].id,
+      p_store_id: approval[0].store_id,
+      p_response: isApprove ? "approved" : "rejected",
+      p_response_data: {
+        guest: true,
+        action
+      },
+      p_responded_by: null
+    });
+    if (guestErr) {
+      jsonResponse(res, 500, {
+        success: false,
+        error: guestErr.message
+      }, corsHeaders);
+      return;
+    }
+    if (guestResult?.success && approval[0].run_id) {
+      try {
+        await executeInlineChain(guestSupabase, approval[0].run_id);
+      } catch (err) {
+        log.error({
+          err: err.message,
+          runId: approval[0].run_id
+        }, "inline chain failed after guest approval");
+      }
+    }
+    res.writeHead(200, {
+      "Content-Type": "text/html",
+      ...corsHeaders
+    });
+    res.end(`<!DOCTYPE html><html><body style="font-family:system-ui;text-align:center;padding:40px">
+      <h2>${isApprove ? "Approved" : "Rejected"}</h2>
+      <p>Your response has been recorded. You can close this window.</p>
+    </body></html>`);
+    return;
+  }
+  // ================================================================
+  // Webchat — anonymous access for embedded chat widgets
+  // POST /webchat/channels/:id/messages  — send message (+ agent auto-reply)
+  // GET  /webchat/channels/:id/history   — load conversation history
+  // GET  /webchat/widget.js              — serve compiled widget JS
+  // ================================================================
+  // Webchat CORS: allow any origin (widget is embedded on customer sites)
+  const webchatCors = {
+    ...corsHeaders,
+    "Access-Control-Allow-Origin": "*"
+  };
+  const webchatMsgMatch = pathname.match(/^\/webchat\/channels\/([a-f0-9-]+)\/messages$/);
+  if (webchatMsgMatch && req.method === "POST") {
+    const clientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+    if (sendIpRateLimit(res, clientIp, webchatCors)) return;
+    let rawBody;
     try {
-        if (res.destroyed || res.writableEnded) {
-            cleanup();
-            return false;
-        }
-        res.write(data);
-        return true;
-    }
-    catch {
-        cleanup();
-        return false;
-    }
-}
-function sendWorkflowSSE(res, data) {
+      rawBody = await readBody(req);
+    } catch {
+      jsonResponse(res, 413, {
+        error: "Request body too large"
+      }, webchatCors);
+      return;
+    }
+    const channelId = webchatMsgMatch[1];
+    let wcBody;
     try {
-        if (res.destroyed || res.writableEnded)
-            return;
-        res.write(`data: ${JSON.stringify(data)}\n\n`);
-    }
-    catch { /* client disconnected — benign */ }
-}
-function broadcastToRun(runId, data) {
-    const clients = sseClients.get(runId);
-    if (!clients?.size)
-        return;
-    // H6 FIX: Prune dead connections during broadcast
-    for (const res of clients) {
-        if (res.destroyed || res.writableEnded) {
-            clients.delete(res);
-            continue;
-        }
-        sendWorkflowSSE(res, data);
-    }
-    if (clients.size === 0)
-        sseClients.delete(runId);
-}
-function getTotalSseClients() {
-    let total = 0;
-    for (const clients of sseClients.values())
-        total += clients.size;
-    return total;
-}
-// H6 FIX: Periodic stale connection cleanup (every 60s)
-const sseCleanupInterval = setInterval(() => {
-    for (const [rid, clients] of sseClients) {
-        for (const res of clients) {
-            if (res.destroyed || res.writableEnded) {
-                clients.delete(res);
-            }
-        }
-        if (clients.size === 0)
-            sseClients.delete(rid);
-    }
-}, 60_000);
-// pg LISTEN for real-time notifications
-const DATABASE_URL = process.env.DATABASE_URL || "";
-let pgClient = null;
-let pgReconnectAttempts = 0;
-const MAX_PG_RECONNECT_DELAY = 10_000; // 10s max — keep SSE reconnect snappy
-async function setupPgListen() {
-    if (!DATABASE_URL) {
-        log.info("DATABASE_URL not set — SSE streaming disabled, using worker-only mode");
+      wcBody = JSON.parse(rawBody);
+    } catch {
+      jsonResponse(res, 400, {
+        error: "Invalid JSON"
+      }, webchatCors);
+      return;
+    }
+    if (!wcBody.content || typeof wcBody.content !== "string") {
+      jsonResponse(res, 400, {
+        error: "content (string) is required"
+      }, webchatCors);
+      return;
+    }
+    if (wcBody.content.length > 5000) {
+      jsonResponse(res, 400, {
+        error: "Message too long (max 5000 characters)"
+      }, webchatCors);
+      return;
+    }
+    const supabase = getServiceClient();
+    // Verify channel exists and is a webchat channel
+    const {
+      data: channel
+    } = await supabase.from("channels").select("id, store_id, node_id, agent_id, type, config").eq("id", channelId).eq("type", "webchat").single();
+    if (!channel) {
+      jsonResponse(res, 404, {
+        error: "Webchat channel not found"
+      }, webchatCors);
+      return;
+    }
+    // Rate limit per store (best-effort)
+    try {
+      const planCheck = await checkPlanLimits(supabase, channel.store_id, "message");
+      if (!planCheck.allowed) {
+        jsonResponse(res, 429, {
+          error: planCheck.reason || "Plan limit reached"
+        }, webchatCors);
         return;
-    }
+      }
+    } catch {/* billing tables may not exist yet */}
+    const senderId = wcBody.sender_id || "anonymous";
+    // Resolve conversation: reuse if sender had activity < 30 min ago, else new UUID
+    let conversationId = wcBody.conversation_id || "";
+    if (!conversationId) {
+      const thirtyMinAgo = new Date(Date.now() - 30 * 60 * 1000).toISOString();
+      const {
+        data: recent
+      } = await supabase.from("channel_messages").select("conversation_id").eq("channel_id", channelId).eq("sender_id", senderId).gt("created_at", thirtyMinAgo).not("conversation_id", "is", null).order("created_at", {
+        ascending: false
+      }).limit(1);
+      conversationId = recent?.length && recent[0].conversation_id || randomUUID();
+    }
+    // Insert inbound message
+    const {
+      data: message,
+      error: msgErr
+    } = await supabase.from("channel_messages").insert({
+      store_id: channel.store_id,
+      channel_id: channelId,
+      direction: "inbound",
+      sender_id: senderId,
+      sender_name: wcBody.sender_name || "Visitor",
+      content: wcBody.content,
+      content_type: "text",
+      metadata: {
+        source: "webchat",
+        ip: clientIp,
+        widget_version: "1.0.0"
+      },
+      agent_id: channel.agent_id,
+      conversation_id: conversationId
+    }).select("id, direction, content, conversation_id, created_at").single();
+    if (msgErr) {
+      jsonResponse(res, 500, {
+        error: msgErr.message
+      }, webchatCors);
+      return;
+    }
+    // Track usage + channel stats (best-effort)
+    incrementUsage(supabase, channel.store_id, {
+      messages_in: 1
+    }).catch(() => {});
     try {
-        // Strip sslmode from URL (pg v8 treats sslmode=require as verify-full) and set ssl manually
-        const cleanUrl = DATABASE_URL.replace(/[?&]sslmode=[^&]*/g, "").replace(/\?$/, "");
-        pgClient = new pg.Client({ connectionString: cleanUrl, ssl: { rejectUnauthorized: false } });
-        await pgClient.connect();
-        await pgClient.query("LISTEN workflow_step_event");
-        await pgClient.query("LISTEN workflow_run_event");
-        await pgClient.query("LISTEN workflow_step_pending");
-        await pgClient.query("LISTEN workflow_event");
-        await pgClient.query("LISTEN automation_event");
-        // Reset reconnect counter on successful connection
-        pgReconnectAttempts = 0;
-        pgListenReady = true;
-        // Debounced event trigger processing — fires at most once per 100ms
-        let eventTriggerTimer = null;
-        function debouncedEventProcess() {
-            if (eventTriggerTimer)
-                return;
-            eventTriggerTimer = setTimeout(async () => {
-                eventTriggerTimer = null;
-                try {
-                    const sb = getServiceClient();
-                    const count = await processEventTriggers(sb);
-                    if (count > 0)
-                        log.info({ count }, "instant event processing");
-                }
-                catch (err) {
-                    log.error({ err: err.message }, "event trigger processing error");
-                }
-            }, 100);
-        }
-        pgClient.on("notification", (msg) => {
-            if (!msg.payload)
-                return;
-            try {
-                const data = JSON.parse(msg.payload);
-                // Automation event — trigger immediate processing
-                if (msg.channel === "automation_event") {
-                    debouncedEventProcess();
-                    return;
-                }
-                const runId = data.run_id;
-                if (!runId)
-                    return;
-                if (msg.channel === "workflow_step_event") {
-                    broadcastToRun(runId, { type: "step_update", ...data });
-                }
-                else if (msg.channel === "workflow_run_event") {
-                    broadcastToRun(runId, { type: "run_update", ...data });
-                }
-                else if (msg.channel === "workflow_event") {
-                    broadcastToRun(runId, { type: "event", event_type: data.event_type, ...data });
-                }
-                else if (msg.channel === "workflow_step_pending") {
-                    // Phase 3.1: NOTIFY-driven step execution — immediate pickup (~50ms vs 5s polling)
-                    const sb = getServiceClient();
-                    processWorkflowSteps(sb, 1).catch((err) => {
-                        log.error({ err: err.message, runId }, "NOTIFY-driven step processing failed");
-                    });
-                }
-            }
-            catch (err) {
-                log.error({ err: err.message }, "failed to parse pg notification");
-            }
-        });
-        pgClient.on("error", (err) => {
-            log.error({ err: err.message }, "pg-listen connection error");
-            pgClient = null;
-            // Reconnect with exponential backoff
-            pgReconnectAttempts++;
-            const delay = Math.min(1000 * Math.pow(2, pgReconnectAttempts - 1), MAX_PG_RECONNECT_DELAY);
-            log.warn({ delayMs: delay, attempt: pgReconnectAttempts }, "pg-listen reconnecting");
-            setTimeout(() => setupPgListen(), delay);
-        });
-        log.info("pg-listen active on workflow_step_event, workflow_run_event, workflow_step_pending, workflow_event, automation_event");
-    }
-    catch (err) {
-        log.error({ err: err.message }, "pg-listen failed to connect");
-        pgClient = null;
-        // Reconnect with exponential backoff on initial connection failure too
-        pgReconnectAttempts++;
-        const delay = Math.min(1000 * Math.pow(2, pgReconnectAttempts - 1), MAX_PG_RECONNECT_DELAY);
-        log.warn({ delayMs: delay, attempt: pgReconnectAttempts }, "pg-listen reconnecting");
-        setTimeout(() => setupPgListen(), delay);
-    }
-}
-// ============================================================================
-// HELPERS
-// ============================================================================
-function getAnthropicClient(agent) {
-    const key = agent.api_key || ANTHROPIC_API_KEY;
-    return new Anthropic({ apiKey: key, timeout: 15 * 60 * 1000 }); // 15 min for tool-heavy requests
-}
-function sendSSE(res, event) {
+      await supabase.rpc("increment_channel_stats", {
+        p_channel_id: channelId
+      });
+    } catch {/* ok */}
+    // Auto-invoke agent if assigned
+    let agentResponse = null;
+    if (channel.agent_id && webchatAgentInvoker) {
+      try {
+        const result = await webchatAgentInvoker(supabase, channel.agent_id, wcBody.content, channel.store_id, conversationId);
+        if (result.success && result.response) {
+          const {
+            data: outMsg
+          } = await supabase.from("channel_messages").insert({
+            store_id: channel.store_id,
+            channel_id: channelId,
+            direction: "outbound",
+            sender_id: "agent",
+            sender_name: "AI Agent",
+            content: result.response,
+            content_type: "text",
+            metadata: {
+              agent_id: channel.agent_id,
+              auto_response: true,
+              source: "webchat"
+            },
+            agent_id: channel.agent_id,
+            conversation_id: conversationId
+          }).select("id, direction, content, conversation_id, created_at").single();
+          agentResponse = outMsg;
+          incrementUsage(supabase, channel.store_id, {
+            messages_out: 1,
+            agent_invocations: 1
+          }).catch(() => {});
+        }
+      } catch (err) {
+        log.error({
+          err: err.message
+        }, "webchat agent error");
+      }
+    }
+    jsonResponse(res, 201, {
+      success: true,
+      message,
+      agent_response: agentResponse,
+      conversation_id: conversationId
+    }, webchatCors);
+    return;
+  }
+  // GET /webchat/channels/:id/history — load conversation history for widget
+  const webchatHistoryMatch = pathname.match(/^\/webchat\/channels\/([a-f0-9-]+)\/history$/);
+  if (webchatHistoryMatch && req.method === "GET") {
+    const clientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+    if (sendIpRateLimit(res, clientIp, webchatCors)) return;
+    const channelId = webchatHistoryMatch[1];
+    const params = url.searchParams;
+    const senderId = params.get("sender_id") || "";
+    const reqConvId = params.get("conversation_id") || "";
+    if (!senderId) {
+      jsonResponse(res, 400, {
+        error: "sender_id query parameter required"
+      }, webchatCors);
+      return;
+    }
+    const supabase = getServiceClient();
+    // Verify channel is webchat type
+    const {
+      data: wcChannel
+    } = await supabase.from("channels").select("id, type").eq("id", channelId).eq("type", "webchat").single();
+    if (!wcChannel) {
+      jsonResponse(res, 404, {
+        error: "Webchat channel not found"
+      }, webchatCors);
+      return;
+    }
+    // Get messages — by conversation_id if available, or by sender
+    // P0 FIX: Always filter by sender_id to prevent cross-sender data leak
+    let query = supabase.from("channel_messages").select("id, direction, sender_id, sender_name, content, content_type, created_at").eq("channel_id", channelId);
+    // P0 FIX: Validate senderId against strict pattern to prevent PostgREST filter injection
+    // Only allow alphanumeric characters, hyphens, and underscores (blocks .eq., .neq., dots, etc.)
+    if (!/^[a-zA-Z0-9_-]+$/.test(senderId)) {
+      jsonResponse(res, 400, {
+        error: "Invalid sender_id format"
+      }, webchatCors);
+      return;
+    }
+    if (reqConvId) {
+      // P0 FIX: Use parameterized .in() filter instead of string interpolation in .or()
+      query = query.eq("conversation_id", reqConvId).in("sender_id", [senderId, "agent"]);
+    } else {
+      query = query.in("sender_id", [senderId, "agent"]);
+    }
+    const {
+      data: messages,
+      error: histErr
+    } = await query.order("created_at", {
+      ascending: true
+    }).limit(50);
+    if (histErr) {
+      jsonResponse(res, 500, {
+        error: histErr.message
+      }, webchatCors);
+      return;
+    }
+    jsonResponse(res, 200, {
+      success: true,
+      messages: messages || []
+    }, webchatCors);
+    return;
+  }
+  // GET /webchat/widget.js — serve compiled widget JavaScript
+  if (pathname === "/webchat/widget.js" && req.method === "GET") {
+    const fs = await import("node:fs");
+    const path = await import("node:path");
+    // Try multiple possible locations for the built widget file
+    const possiblePaths = [path.join(import.meta.dirname || __dirname, "../../dist/webchat/widget.js"), path.join(import.meta.dirname || __dirname, "../../../dist/webchat/widget.js"), path.join(process.cwd(), "dist/webchat/widget.js")];
+    let widgetJs = null;
+    for (const p of possiblePaths) {
+      try {
+        widgetJs = fs.readFileSync(p, "utf-8");
+        break;
+      } catch {/* try next */}
+    }
+    if (widgetJs) {
+      res.writeHead(200, {
+        "Content-Type": "application/javascript",
+        "Cache-Control": "public, max-age=3600",
+        ...webchatCors
+      });
+      res.end(widgetJs);
+    } else {
+      res.writeHead(200, {
+        "Content-Type": "application/javascript",
+        ...webchatCors
+      });
+      res.end('console.warn("[WhaleChat] Widget JS not built. Run: npx esbuild src/webchat/widget.ts --bundle --minify --outfile=dist/webchat/widget.js");');
+    }
+    return;
+  }
+  // ================================================================
+  // Billing & Usage routes
+  // ================================================================
+  if (pathname.startsWith("/usage") || pathname.startsWith("/billing/")) {
+    const authHeader = req.headers.authorization;
+    const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+    if (!token) {
+      req.resume();
+      jsonResponse(res, 401, {
+        error: "Missing authorization"
+      }, corsHeaders);
+      return;
+    }
+    let rawBody;
     try {
-        if (res.destroyed || res.writableEnded)
-            return;
-        res.write(`data: ${JSON.stringify(event)}\n\n`);
-    }
-    catch { /* client disconnected — benign */ }
-}
-function jsonResponse(res, status, data, corsHeaders) {
-    res.writeHead(status, { "Content-Type": "application/json", ...corsHeaders });
-    res.end(JSON.stringify(data));
-}
-/**
- * Strip large base64 data fields from a JSON string up to `keepFrom` offset.
- * Uses a linear indexOf scan — safe on strings of any size (no regex stack overflow).
- * Handles both `"data":"<base64>"` (Anthropic image blocks) and
- * `"__IMAGE__<mime>__<base64>"` text values (Read tool marker format).
- */
-function stripLargeBase64Fields(raw, keepFrom) {
-    const MIN_DATA_LEN = 8_000;
-    // ── Pass 1: Strip "data":"<large base64>" fields (Anthropic image source blocks) ──
-    let result = raw;
-    {
-        const DATA_MARKER = '"data":"';
-        const parts = [];
-        let pos = 0;
-        while (pos < keepFrom) {
-            const idx = result.indexOf(DATA_MARKER, pos);
-            if (idx === -1 || idx >= keepFrom) {
-                parts.push(result.slice(pos, keepFrom));
-                pos = keepFrom;
-                break;
-            }
-            parts.push(result.slice(pos, idx + DATA_MARKER.length));
-            pos = idx + DATA_MARKER.length;
-            // Find closing quote (base64 has no backslashes, so simple scan is safe)
-            let end = pos;
-            while (end < result.length && result[end] !== '"')
-                end++;
-            if (end - pos >= MIN_DATA_LEN && end <= keepFrom) {
-                // Large data field in the prune zone — replace with empty
-                parts.push('"');
-                pos = end + 1; // skip past the original closing quote (already replaced)
-            }
-            // else: small field or near keepFrom boundary — leave intact
-        }
-        parts.push(result.slice(keepFrom)); // always keep tail intact
-        result = parts.join("");
-    }
-    // ── Pass 2: Strip __IMAGE__<mime>__<large base64> text markers ──
-    // If the client-side tool-dispatch regex failed to convert these to image
-    // content blocks, they stay as huge text strings in tool_result content.
-    // They appear in JSON as: "__IMAGE__image/png__iVBOR...very long..."
-    {
-        const IMG_MARKER = "__IMAGE__";
-        const adjustedKeepFrom = Math.min(keepFrom, result.length);
-        const parts = [];
-        let pos = 0;
-        while (pos < adjustedKeepFrom) {
-            const idx = result.indexOf(IMG_MARKER, pos);
-            if (idx === -1 || idx >= adjustedKeepFrom) {
-                parts.push(result.slice(pos, adjustedKeepFrom));
-                pos = adjustedKeepFrom;
-                break;
-            }
-            parts.push(result.slice(pos, idx));
-            // Find the end of this text value (closing quote of the JSON string)
-            let end = idx;
-            while (end < result.length && result[end] !== '"')
-                end++;
-            if (end - idx >= MIN_DATA_LEN && end <= adjustedKeepFrom) {
-                // Large __IMAGE__ marker in the prune zone — replace with placeholder
-                parts.push("[image pruned]");
-                pos = end; // land on closing quote; next iteration emits it
-            }
-            else {
-                // Small or near boundary — keep intact
-                parts.push(result.slice(idx, idx + IMG_MARKER.length));
-                pos = idx + IMG_MARKER.length;
-            }
-        }
-        parts.push(result.slice(adjustedKeepFrom));
-        result = parts.join("");
-    }
-    return result;
-}
-async function readBody(req) {
-    // 500MB hard limit — conversation history with many large images can be very large.
-    // For bodies over 10MB we prune old base64 image data from the raw string before
-    // JSON.parse, so subsequent requests in the same conversation stay bounded.
-    const MAX_BODY = 524_288_000; // 500MB
-    return new Promise((resolve, reject) => {
-        const chunks = [];
-        let size = 0;
-        let rejected = false;
-        req.on("data", (chunk) => {
-            size += chunk.length;
-            if (size > MAX_BODY && !rejected) {
-                rejected = true;
-                req.resume(); // drain to avoid Fly proxy 502
-                reject(new Error("Request body too large (max 500MB)"));
-                return;
-            }
-            if (!rejected)
-                chunks.push(chunk);
-        });
-        req.on("end", () => {
-            if (rejected)
-                return;
-            // Detect body truncation: if Content-Length was sent and we received less
-            const declaredLen = parseInt(req.headers["content-length"] || "0", 10);
-            if (declaredLen > 0 && size < declaredLen) {
-                log.error({ declaredLen, receivedLen: size }, "Request body truncated during transmission");
-                reject(new Error(`Body truncated: expected ${declaredLen} bytes, got ${size}`));
-                return;
-            }
-            let raw = Buffer.concat(chunks).toString("utf8");
-            // Strip old base64 data from history when body is large.
-            // Threshold lowered to 1MB — image-heavy conversations (e.g. reading
-            // product photos) easily exceed 10MB with just a few images.
-            // Keep the last 1MB intact (current user message with fresh images).
-            // Uses a linear scan to avoid String.replace() stack overflow on huge strings.
-            if (raw.length > 1_000_000) {
-                const keepFrom = Math.max(0, raw.length - 1_048_576); // keep last 1MB
-                raw = stripLargeBase64Fields(raw, keepFrom);
-                log.info({ originalBytes: size, prunedBytes: Buffer.byteLength(raw) }, "Pruned old base64 data from request body");
-            }
-            resolve(raw);
-        });
-        req.on("error", reject);
-    });
-}
-// ============================================================================
-// HISTORY COMPACTION
-// ============================================================================
-/**
- * Compact conversation history to fit within a total character budget.
- *
- * Does NOT truncate individual messages or tool results — Anthropic's
- * context_management API handles clearing old tool uses (clear_tool_uses_20250919)
- * and compacting context (compact_20260112) when the context window grows.
- *
- * This function only enforces a total budget by walking newest→oldest and
- * dropping the oldest messages that don't fit.
- */
-function compactHistory(history, maxHistoryChars) {
-    if (!history?.length)
-        return [];
-    let totalChars = 0;
-    const compacted = [];
-    for (let i = history.length - 1; i >= 0; i--) {
-        const msg = history[i];
-        const msgChars = JSON.stringify(msg.content).length;
-        if (totalChars + msgChars > maxHistoryChars)
-            break;
-        totalChars += msgChars;
-        compacted.unshift(msg);
-    }
-    // Ensure starts with user message
-    while (compacted.length > 0 && compacted[0].role !== "user")
-        compacted.shift();
-    return compacted;
-}
-// ============================================================================
-// SHARED AGENT HELPERS — used by both SSE chat and channel agent paths
-// ============================================================================
-/** Build the full system prompt for an agent. Both SSE chat and channel paths
- *  call this so the prompt logic is never duplicated. */
-async function buildAgentSystemPrompt(supabase, agent, storeId, message, tools, opts) {
-    // --- STATIC portion (cache-friendly, same across conversations) ---
-    // Sanitize the DB-stored agent system prompt to prevent injection attacks
-    const rawAgentPrompt = agent.system_prompt || "You are a helpful assistant.";
-    let systemPrompt = sanitizeAndLog(rawAgentPrompt, "buildAgentSystemPrompt", { agentId: agent.id });
-    if (storeId)
-        systemPrompt += `\n\nYou are operating for store_id: ${storeId}. Always include this in tool calls that require it.`;
-    if (!agent.can_modify)
-        systemPrompt += "\n\nIMPORTANT: You have read-only access. Do not attempt to modify any data.";
-    if (agent.tone && agent.tone !== "professional")
-        systemPrompt += `\n\nTone: Respond in a ${agent.tone} tone.`;
-    if (agent.verbosity === "concise")
-        systemPrompt += "\n\nBe concise — short answers, minimal explanation.";
-    else if (agent.verbosity === "verbose")
-        systemPrompt += "\n\nBe thorough — provide detailed answers with full context.";
-    if (agent.context_config) {
-        const ctx = agent.context_config;
-        if (ctx.includeLocations && ctx.locationIds?.length)
-            systemPrompt += `\n\nFocus on these locations: ${ctx.locationIds.join(", ")}`;
-        if (ctx.includeCustomers && ctx.customerSegments?.length)
-            systemPrompt += `\n\nFocus on these customer segments: ${ctx.customerSegments.join(", ")}`;
-    }
-    // Tool manifest — core tools (full schemas already loaded)
-    const toolNames = tools.map(t => t.name);
-    systemPrompt += `\n\n## Available Tools\nYou have ${toolNames.length} core tools available in this session:\n${toolNames.join(", ")}\n\nFor local machine operations, use the \`local_agent\` tool (exec, tools, discover actions). For cloud security tools, use \`kali\`. Do NOT reference CLI-local tools like read_file, write_file, edit_file, glob, grep, run_command — those are not available in this environment.`;
-    // Extended tools index — names + one-line descriptions only (saves ~20K tokens)
-    const extendedTools = opts?.extendedTools || [];
-    if (extendedTools.length > 0) {
-        systemPrompt += `\n\n## Extended Tools (call discover_tools to activate)\nThese tools are available but not loaded yet. Call \`discover_tools\` with the tool name(s) before using them:\n`;
-        for (const t of extendedTools) {
-            // First sentence only for compact display
-            const shortDesc = t.description.split(".")[0];
-            systemPrompt += `- **${t.name}**: ${shortDesc}\n`;
-        }
-    }
-    // --- DYNAMIC portion (changes per conversation, prepended to user message) ---
-    const dynamicParts = [];
-    // Client-provided session context (SSE chat sends this from SwiftUI/web)
-    if (opts?.clientContext && typeof opts.clientContext === "object") {
-        const context = opts.clientContext;
-        const ctxParts = [];
-        if (context.storeName)
-            ctxParts.push(`Store: ${context.storeName}`);
-        if (context.locationName) {
-            let loc = `Location: ${context.locationName}`;
-            if (context.locationAddress)
-                loc += ` (${context.locationAddress})`;
-            if (context.locationType)
-                loc += ` [${context.locationType}]`;
-            ctxParts.push(loc);
-        }
-        if (context.userName) {
-            ctxParts.push(`User: ${context.userName}${opts.userEmail ? ` (${opts.userEmail})` : ""}`);
-        }
-        else if (opts.userEmail) {
-            ctxParts.push(`User: ${opts.userEmail}`);
-        }
-        if (context.conversationType) {
-            ctxParts.push(`Channel: ${context.conversationTitle || context.conversationType} (${context.conversationType})`);
-        }
-        if (ctxParts.length) {
-            dynamicParts.push(`## Current Session Context\n${ctxParts.join("\n")}`);
-        }
-    }
-    // Parallel DB lookups: customer fetch + memory recall
-    const customerPromise = (opts?.senderContext?.customerId && storeId)
-        ? Promise.resolve(supabase.from("v_store_customers")
-            .select("first_name, last_name, email, phone, loyalty_tier, total_orders, total_spent, lifetime_value")
-            .eq("id", opts.senderContext.customerId).eq("store_id", storeId).single()).then(({ data }) => data).catch(() => null)
-        : Promise.resolve(null);
-    const memoryPromise = storeId
-        ? Promise.resolve(supabase.rpc("recall_memory", {
-            p_agent_id: agent.id,
-            p_query: message.substring(0, 200),
-            p_type: null,
-            p_limit: 5,
-        })).then(({ data }) => data).catch((err) => { log.warn({ err: err.message }, "memory recall failed"); return null; })
-        : Promise.resolve(null);
-    const [cust, memories] = await Promise.all([customerPromise, memoryPromise]);
-    // Channel-specific customer context injection
-    if (cust && opts?.senderContext?.customerId) {
-        dynamicParts.push(`## Current Customer\nName: ${cust.first_name} ${cust.last_name}\nEmail: ${cust.email || "N/A"}\nPhone: ${cust.phone || "N/A"}\nLoyalty: ${cust.loyalty_tier || "None"}\nOrders: ${cust.total_orders || 0}\nSpent: $${(cust.total_spent || 0).toFixed(2)}\nCustomer ID: ${opts.senderContext.customerId}`);
-    }
-    else if (opts?.senderContext) {
-        const sc = opts.senderContext;
-        dynamicParts.push(`## Sender\nID: ${sc.senderId}\nName: ${sc.senderName || "Unknown"}\nChannel: ${sc.channelType || "unknown"}${sc.channelName ? ` (${sc.channelName})` : ""}\n(No customer record matched — use CRM tools to look them up if needed)`);
-    }
-    // Memory recall — inject relevant memories (capped at 5, 100 chars each)
-    if (memories?.length) {
-        const memBlock = memories.map((m) => `- [${m.memory_type}] ${m.key}: ${JSON.stringify(m.value).substring(0, 100)}`).join("\n");
-        dynamicParts.push(`## Agent Memory\nRelevant memories from previous conversations:\n${memBlock}`);
-    }
-    const dynamicContext = dynamicParts.join("\n\n");
-    return { systemPrompt, dynamicContext };
-}
-/** Persist everything after an agent turn — messages, audit, memory, cost.
- *  Called by both SSE chat and channel paths so nothing is ever missed. */
-async function persistAgentTurn(supabase, agent, opts) {
-    const { conversationId, storeId, agentId, agentModel, traceId, message, result, source, chatStartTime, chatEndTime, userId, userEmail, senderContext } = opts;
-    // ── Persist user + assistant messages to ai_messages ──
+      rawBody = await readBody(req);
+    } catch {
+      jsonResponse(res, 413, {
+        error: "Request body too large"
+      }, corsHeaders);
+      return;
+    }
+    let billingBody = null;
     try {
-        await supabase.from("ai_messages").insert([
-            {
-                conversation_id: conversationId, role: "user",
-                content: [{ type: "text", text: message }],
-                token_count: Math.ceil(message.length / 4),
-            },
-            {
-                conversation_id: conversationId, role: "assistant",
-                content: [{ type: "text", text: result.finalText || "" }],
-                is_tool_use: result.toolCallCount > 0,
-                tool_names: result.toolsUsed?.length ? result.toolsUsed : null,
-                token_count: result.tokens.input + result.tokens.output,
-            },
-        ]);
-    }
-    catch (err) {
-        log.error({ err: err.message }, "message persist failed");
-    }
-    // ── Update conversation metadata ──
+      if (rawBody) billingBody = JSON.parse(rawBody);
+    } catch {
+      jsonResponse(res, 400, {
+        error: "Invalid JSON"
+      }, corsHeaders);
+      return;
+    }
+    const supabase = getServiceClient();
+    // Extract userId from JWT for checkout/portal endpoints
+    let billingUserId;
     try {
-        await supabase.from("ai_conversations").update({
-            metadata: {
-                agentName: agent.name,
-                source,
-                model: agentModel,
-                lastTurnTokens: result.tokens.input + result.tokens.output,
-                lastToolCalls: result.toolCallCount,
-                lastDurationMs: chatEndTime - chatStartTime,
-                // Channel-specific (null when SSE chat — that's fine, no clutter)
-                ...(senderContext ? {
-                    channel_type: senderContext.channelType || null,
-                    channel_id: senderContext.channelId || null,
-                    channel_name: senderContext.channelName || null,
-                    sender_id: senderContext.senderId || null,
-                    customer_id: senderContext.customerId || null,
-                    customer_name: senderContext.customerName || null,
-                } : {}),
-            },
-        }).eq("id", conversationId);
-    }
-    catch (err) {
-        log.error({ err: err.message }, "conversation update failed");
-    }
-    // ── Telemetry: user message → ClickHouse ──
+      const payload = JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString());
+      billingUserId = payload.sub;
+    } catch {/* not a JWT — service role key */}
+    const result = await handleBillingRoutes(pathname, req.method || "GET", billingBody, supabase, {
+      userId: billingUserId,
+      isServiceRole: safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT)
+    });
+    if (result) {
+      jsonResponse(res, result.status, result.body, corsHeaders);
+    } else {
+      jsonResponse(res, 404, {
+        error: `No route: ${req.method} ${pathname}`
+      }, corsHeaders);
+    }
+    return;
+  }
+  // ================================================================
+  // Node & Channel management routes (supports GET, POST, PUT, DELETE)
+  // Must be before the method gate since GET /channels/:id/messages is valid
+  // ================================================================
+  if (pathname.startsWith("/nodes") || pathname.startsWith("/channels")) {
+    const authHeader = req.headers.authorization;
+    const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+    if (!token) {
+      req.resume();
+      jsonResponse(res, 401, {
+        error: "Missing authorization"
+      }, corsHeaders);
+      return;
+    }
+    let rawBody;
     try {
-        queueSpan(auditRowToSpan({
-            action: "chat.user_message",
-            severity: "info",
-            store_id: storeId || null,
-            resource_type: "chat_message",
-            resource_id: agentId,
-            request_id: traceId,
-            conversation_id: conversationId,
-            user_id: userId || null,
-            user_email: userEmail || null,
-            source,
-            service_name: "agent-server",
-            span_kind: "INTERNAL",
-            status_code: "OK",
-            start_time: new Date().toISOString(),
-            end_time: new Date().toISOString(),
-            duration_ms: 0,
-            input_bytes: typeof message === "string" ? message.length : 0,
-            details: {
-                message_preview: message.substring(0, 200),
-                agent_id: agentId,
-                model: agentModel,
-                conversation_id: conversationId,
-                ...(senderContext ? {
-                    channel_type: senderContext.channelType || null,
-                    sender_id: senderContext.senderId || null,
-                    customer_id: senderContext.customerId || null,
-                } : {}),
-            },
-        }));
-    }
-    catch (err) {
-        log.error({ err: err.message }, "audit user_message failed");
-    }
-    // ── Telemetry: assistant response → ClickHouse ──
+      rawBody = await readBody(req);
+    } catch {
+      jsonResponse(res, 413, {
+        error: "Request body too large"
+      }, corsHeaders);
+      return;
+    }
+    let nodeBody = null;
     try {
-        queueSpan(auditRowToSpan({
-            action: "chat.assistant_response",
-            severity: "info",
-            store_id: storeId || null,
-            resource_type: "chat_message",
-            resource_id: agentId,
-            request_id: traceId,
-            conversation_id: conversationId,
-            duration_ms: chatEndTime - chatStartTime,
-            user_id: userId || null,
-            user_email: userEmail || null,
-            source,
-            input_tokens: result.tokens.input,
-            output_tokens: result.tokens.output,
-            total_cost: result.costUsd,
-            model: agentModel,
-            trace_id: traceId,
-            span_kind: "INTERNAL",
-            service_name: "agent-server",
-            status_code: "OK",
-            start_time: new Date(chatStartTime).toISOString(),
-            end_time: new Date(chatEndTime).toISOString(),
-            stop_reason: result.stopReason || undefined,
-            turn_number: result.turnCount || 1,
-            details: {
-                response_preview: (result.finalText || "").substring(0, 500),
-                agent_id: agentId,
-                model: agentModel,
-                "gen_ai.request.model": agentModel,
-                "gen_ai.usage.input_tokens": result.tokens.input,
-                "gen_ai.usage.output_tokens": result.tokens.output,
-                "gen_ai.usage.cache_creation_tokens": result.tokens.cacheCreation || 0,
-                "gen_ai.usage.cache_read_tokens": result.tokens.cacheRead || 0,
-                "gen_ai.usage.cost": result.costUsd,
-                turn_count: result.turnCount || 1,
-                tool_calls: result.toolCallCount,
-                tool_names: result.toolsUsed,
-                conversation_id: conversationId,
-                session_cost_usd: result.costUsd,
-                cache_creation_tokens: result.tokens.cacheCreation || 0,
-                cache_read_tokens: result.tokens.cacheRead || 0,
-                cache_hit_rate: result.tokens.input > 0
-                    ? Math.round((result.tokens.cacheRead || 0) / ((result.tokens.cacheRead || 0) + result.tokens.input) * 10000) / 100
-                    : 0,
-                cache_cost_savings_pct: result.tokens.input > 0 && (result.tokens.cacheRead || 0) > 0
-                    ? Math.round((result.tokens.cacheRead || 0) * 0.9 / ((result.tokens.cacheRead || 0) + result.tokens.input) * 10000) / 100
-                    : 0,
-                loop_detector_stats: result.loopDetectorStats || null,
-                turns: result.turns || [],
-                ...(senderContext ? {
-                    channel_type: senderContext.channelType || null,
-                    channel_id: senderContext.channelId || null,
-                    channel_name: senderContext.channelName || null,
-                    sender_id: senderContext.senderId || null,
-                    customer_id: senderContext.customerId || null,
-                    customer_name: senderContext.customerName || null,
-                } : {}),
-            },
-        }));
-    }
-    catch (err) {
-        log.error({ err: err.message }, "audit assistant_response failed");
-    }
-    // ── Memory extraction — awaited with retry ──
-    if (storeId && result.finalText && result.finalText.length > 50) {
-        try {
-            await extractAndStoreMemories(supabase, getAnthropicClient(agent), agentId, storeId, message, result.finalText);
-        }
-        catch (err1) {
-            // Retry once after 2s
-            try {
-                await new Promise(r => setTimeout(r, 2000));
-                await extractAndStoreMemories(supabase, getAnthropicClient(agent), agentId, storeId, message, result.finalText);
-            }
-            catch (err2) {
-                log.error({ err: err2.message }, "memory extract failed after retry");
-                queueSpan(auditRowToSpan({
-                    action: "memory.extraction_failed", severity: "warning",
-                    store_id: storeId || null, resource_type: "agent_memory",
-                    resource_id: agentId, conversation_id: conversationId,
-                    user_id: userId || null, user_email: userEmail || null,
-                    error_type: classifyErrorType(err2.message) || undefined,
-                    service_name: "agent-server", span_kind: "INTERNAL", status_code: "ERROR",
-                    start_time: new Date().toISOString(), end_time: new Date().toISOString(),
-                    error_message: err2.message,
-                    details: { error: err2.message, user_message_preview: message.substring(0, 100) },
-                }));
-            }
-        }
-    }
-    // ── Cost budget tracking — awaited with retry ──
-    if (storeId && result.costUsd > 0) {
-        try {
-            await updateCostBudgets(supabase, storeId, agentId, result.costUsd);
-        }
-        catch (err1) {
-            try {
-                await new Promise(r => setTimeout(r, 1000));
-                await updateCostBudgets(supabase, storeId, agentId, result.costUsd);
-            }
-            catch (err2) {
-                log.error({ err: err2.message }, "cost budget update failed after retry");
-                // Flag conversation metadata so budget sync can be reconciled later
-                await supabase.from("ai_conversations").update({
-                    metadata: { budget_sync_failed: true, failed_cost_usd: result.costUsd },
-                }).eq("id", conversationId).then(() => { });
-            }
-        }
-    }
-}
-// ============================================================================
-// AGENT CHAT HANDLER
-// ============================================================================
-async function handleAgentChat(req, res, supabase, body, user, isServiceRole, token, corsHeaders) {
-    const { agentId, message, conversationHistory, source, conversationId, context, attachments } = body;
-    let storeId = body.storeId;
-    if (!agentId || !message) {
-        jsonResponse(res, 400, { error: "agentId and message required" }, corsHeaders);
+      if (rawBody) nodeBody = JSON.parse(rawBody);
+    } catch {
+      jsonResponse(res, 400, {
+        error: "Invalid JSON"
+      }, corsHeaders);
+      return;
+    }
+    const supabase = getServiceClient();
+    let userId;
+    const isServiceRole = safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
+    if (!isServiceRole) {
+      const {
+        data: {
+          user: authUser
+        }
+      } = await supabase.auth.getUser(token);
+      if (authUser) userId = authUser.id;
+    }
+    const result = await handleNodeRoutes(pathname, req.method || "GET", nodeBody, supabase, {
+      userId,
+      isServiceRole,
+      rawToken: token
+    }, url.searchParams);
+    if (result) {
+      jsonResponse(res, result.status, result.body, corsHeaders);
+    } else {
+      jsonResponse(res, 404, {
+        error: `No route: ${req.method} ${pathname}`
+      }, corsHeaders);
+    }
+    return;
+  }
+  // ================================================================
+  // Session API routes (supports GET, POST)
+  // Must be before the method gate since GET /sessions is valid
+  // ================================================================
+  if (pathname.startsWith("/sessions")) {
+    const authHeader = req.headers.authorization;
+    const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+    if (!token) {
+      req.resume();
+      jsonResponse(res, 401, {
+        error: "Missing authorization"
+      }, corsHeaders);
+      return;
+    }
+    const supabase = getServiceClient();
+    let userId;
+    const isServiceRole = safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
+    if (!isServiceRole) {
+      const {
+        data: {
+          user: authUser
+        }
+      } = await supabase.auth.getUser(token);
+      if (authUser) userId = authUser.id;
+    }
+    const handled = await handleSessionRoutes(req, res, pathname, url, corsHeaders, supabase, {
+      userId,
+      isServiceRole
+    });
+    if (!handled) {
+      jsonResponse(res, 404, {
+        error: `No route: ${req.method} ${pathname}`
+      }, corsHeaders);
+    }
+    return;
+  }
+  if (req.method !== "POST" && req.method !== "DELETE" && req.method !== "PUT") {
+    jsonResponse(res, 405, {
+      error: "Method not allowed"
+    }, corsHeaders);
+    return;
+  }
+  try {
+    // ================================================================
+    // Phase 4.2: Resume conversation from checkpoint
+    // POST /conversations/:id/resume
+    // ================================================================
+    const resumeMatch = pathname.match(/^\/conversations\/([a-f0-9-]+)\/resume$/);
+    if (resumeMatch && req.method === "POST") {
+      const convId = resumeMatch[1];
+      const authHeader = req.headers.authorization;
+      const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+      const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
+      if (!isInternal && !token) {
+        jsonResponse(res, 401, {
+          error: "Missing authorization"
+        }, corsHeaders);
         return;
-    }
-    if (typeof message === "string" && message.length > 100_000) {
-        jsonResponse(res, 400, { error: "Message too long (max 100K characters)" }, corsHeaders);
+      }
+      const supabase = getServiceClient();
+      if (!isInternal) {
+        const {
+          data: {
+            user: authUser
+          },
+          error: authError
+        } = await supabase.auth.getUser(token);
+        if (authError || !authUser) {
+          jsonResponse(res, 401, {
+            error: "Invalid or expired token"
+          }, corsHeaders);
+          return;
+        }
+      }
+      // Drain the request body (even if we don't use it) to prevent Fly proxy stalls
+      try {
+        await readBody(req);
+      } catch {/* body not needed */}
+      const checkpoint = await loadCheckpoint(supabase, convId);
+      if (!checkpoint) {
+        jsonResponse(res, 404, {
+          error: "No checkpoint found for this conversation"
+        }, corsHeaders);
         return;
-    }
-    // Server-derived store resolution — never trust client blindly
-    const resolvedStoreId = await resolveAndValidateStoreId(supabase, storeId, user, isServiceRole, token, body.userId);
-    // For service-role callers (workflows, internal), also try body.userId fallback
-    if (!resolvedStoreId && isServiceRole && body.userId) {
-        const { data: srStores } = await supabase
-            .from("users")
-            .select("store_id")
-            .eq("auth_user_id", body.userId)
-            .not("store_id", "is", null)
-            .limit(1);
-        if (srStores?.length) {
-            storeId = srStores[0].store_id;
-        }
-    }
-    else {
-        storeId = resolvedStoreId || undefined;
-    }
-    // Fail closed: non-service-role requests MUST have a resolved store
-    if (!storeId && !isServiceRole) {
-        jsonResponse(res, 400, { error: "storeId required for agent chat" }, corsHeaders);
+      }
+      // Parse messages back from serialized form
+      let parsedMessages;
+      try {
+        parsedMessages = JSON.parse(checkpoint.messages);
+      } catch {
+        jsonResponse(res, 422, {
+          error: "Checkpoint messages corrupted"
+        }, corsHeaders);
         return;
-    }
-    log.info({ storeId: storeId || "NONE", source: body.source || "unknown", isServiceRole, userId: user?.id || body.userId || "NONE" }, "agent-chat request");
-    // Agent chat rate limiting — per-store + concurrent cap
-    const rateLimitStoreId = storeId || agentId; // fallback to agentId if no store
-    const rateCheck = checkAgentChatRateLimit(rateLimitStoreId);
-    if (!rateCheck.allowed) {
-        res.writeHead(429, { "Content-Type": "application/json", ...corsHeaders });
-        res.end(JSON.stringify({ error: rateCheck.error }));
+      }
+      jsonResponse(res, 200, {
+        success: true,
+        conversation_id: checkpoint.conversation_id,
+        turn: checkpoint.turn,
+        messages: parsedMessages,
+        tokens_used: checkpoint.tokens_used,
+        cost_so_far: checkpoint.cost_so_far,
+        tools_used: checkpoint.tools_used,
+        checkpointed_at: checkpoint.created_at
+      }, corsHeaders);
+      return;
+    }
+    // ================================================================
+    // Phase 2: Approval response endpoint
+    // POST /approvals/:id/respond
+    // ================================================================
+    const approvalMatch = pathname.match(/^\/approvals\/([a-f0-9-]+)\/respond$/);
+    if (approvalMatch) {
+      const approvalId = approvalMatch[1];
+      const authHeader = req.headers.authorization;
+      const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+      const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
+      if (!isInternal && !token) {
+        jsonResponse(res, 401, {
+          error: "Missing authorization"
+        }, corsHeaders);
         return;
-    }
-    agentChatConcurrent++;
-    try {
-        const userId = user?.id || body.userId || "";
-        const userEmail = user?.email || body.userEmail || null;
-        const agent = await loadAgentConfig(supabase, agentId, storeId);
-        if (!agent) {
-            jsonResponse(res, 404, { error: "Agent not found" }, corsHeaders);
-            return;
-        }
-        const { core: coreTools, extended: extendedTools } = await loadTools(supabase);
-        setExtendedToolsCache(extendedTools); // Populate discover_tools handler cache
-        const { rows: userToolRows, defs: userToolDefs } = storeId
-            ? await loadUserTools(supabase, storeId)
-            : { rows: [], defs: [] };
-        const tools = getToolsForAgent(agent, coreTools, userToolDefs);
-        const traceId = randomUUID();
-        const agentModel = agent.model || MODELS.SONNET;
-        // Resolve or create conversation
-        let activeConversationId;
-        if (conversationId) {
-            activeConversationId = conversationId;
-        }
-        else {
-            let conv = await supabase
-                .from("ai_conversations")
-                .insert({
-                store_id: storeId || null,
-                user_id: userId || null,
-                agent_id: agentId,
-                title: message.substring(0, 100),
-                metadata: { agentName: agent.name, source: source || "whale_chat" },
-            })
-                .select("id")
-                .single();
-            if (conv.error) {
-                log.error({ err: conv.error.message, details: conv.error.details, hint: conv.error.hint, storeId, userId, agentId }, "conversation create failed");
-                // Retry without user_id (may be FK constraint)
-                conv = await supabase
-                    .from("ai_conversations")
-                    .insert({
-                    store_id: storeId || null,
-                    agent_id: agentId,
-                    title: message.substring(0, 100),
-                    metadata: { agentName: agent.name, source: source || "whale_chat", userId, userEmail },
-                })
-                    .select("id")
-                    .single();
-                if (conv.error) {
-                    log.error({ err: conv.error.message, details: conv.error.details, hint: conv.error.hint }, "conversation retry create failed");
-                }
-            }
-            activeConversationId = conv.data?.id || randomUUID();
-            log.info({ conversationId: activeConversationId, fromDb: !!conv.data?.id }, "conversation resolved");
-        }
-        // Build system prompt — shared helper ensures SSE chat + channel paths are identical
-        const { systemPrompt, dynamicContext } = await buildAgentSystemPrompt(supabase, agent, storeId, message, tools, {
-            clientContext: context, userId, userEmail, extendedTools: getExtendedToolsIndex(),
-        });
-        const anthropic = getAnthropicClient(agent);
-        // Resolve all behavioral config from DB — single source of truth
-        const resolved = resolveAgentLoopConfig(agent, "sse");
-        if (resolved.defaultsUsed.length > 0) {
-            log.info({ agentId, defaults: resolved.defaultsUsed }, "agent config defaults applied");
-        }
-        const MAX_HISTORY_CHARS = resolved.maxHistoryChars;
-        // Build user message — multi-modal if image attachments present
-        let userContent;
-        if (attachments?.length) {
-            const contentBlocks = [];
-            for (const att of attachments) {
-                if (att.type === "image" && att.media_type && att.data) {
-                    contentBlocks.push({
-                        type: "image",
-                        source: { type: "base64", media_type: att.media_type, data: att.data },
-                    });
-                }
-            }
-            contentBlocks.push({ type: "text", text: message });
-            userContent = contentBlocks;
-        }
-        else {
-            userContent = message;
-        }
-        // Prepend dynamic context to user message to keep system prompt static (cache-friendly)
-        const contextPrefix = dynamicContext ? `[Context]\n${dynamicContext}\n\n[User Message]\n` : "";
-        const finalUserContent = typeof userContent === "string"
-            ? contextPrefix + userContent
-            : [...(contextPrefix ? [{ type: "text", text: contextPrefix }] : []), ...userContent];
-        const messages = [
-            ...compactHistory(conversationHistory || [], MAX_HISTORY_CHARS),
-            { role: "user", content: finalUserContent },
-        ];
-        // Start SSE stream
-        res.writeHead(200, {
-            "Content-Type": "text/event-stream",
-            "Cache-Control": "no-cache",
-            Connection: "keep-alive",
-            ...corsHeaders,
-        });
-        // Client disconnect detection
-        let clientDisconnected = false;
-        req.on("close", () => { clientDisconnected = true; });
-        const startedAt = Date.now();
-        const chatStartTime = Date.now();
+      }
+      const supabase = getServiceClient();
+      let userId = null;
+      if (!isInternal) {
+        const {
+          data: {
+            user: authUser
+          },
+          error: authError
+        } = await supabase.auth.getUser(token);
+        if (authError || !authUser) {
+          jsonResponse(res, 401, {
+            error: "Invalid or expired token"
+          }, corsHeaders);
+          return;
+        }
+        userId = authUser.id;
+      }
+      let rawBody;
+      try {
+        rawBody = await readBody(req);
+      } catch {
+        jsonResponse(res, 413, {
+          error: "Request body too large"
+        }, corsHeaders);
+        return;
+      }
+      let body;
+      try {
+        body = JSON.parse(rawBody);
+      } catch {
+        jsonResponse(res, 400, {
+          error: "Invalid JSON"
+        }, corsHeaders);
+        return;
+      }
+      if (!body.status) {
+        jsonResponse(res, 400, {
+          error: "status required (approved/rejected)"
+        }, corsHeaders);
+        return;
+      }
+      // Get store_id from approval
+      const {
+        data: approval
+      } = await supabase.from("workflow_approval_requests").select("store_id, run_id").eq("id", approvalId).single();
+      if (!approval) {
+        jsonResponse(res, 404, {
+          error: "Approval not found"
+        }, corsHeaders);
+        return;
+      }
+      // P1 FIX: Verify user has access to the approval's store
+      if (!isInternal && userId) {
+        const {
+          data: approvalMembership
+        } = await supabase.from("store_members").select("id").eq("store_id", approval.store_id).eq("user_id", userId).single();
+        if (!approvalMembership) {
+          jsonResponse(res, 403, {
+            error: "Not authorized to respond to this approval"
+          }, corsHeaders);
+          return;
+        }
+      }
+      const {
+        data: result,
+        error
+      } = await supabase.rpc("respond_to_approval", {
+        p_approval_id: approvalId,
+        p_store_id: approval.store_id,
+        p_response: body.status,
+        p_response_data: body.response_data || {},
+        p_responded_by: userId || body.responded_by || null
+      });
+      if (error) {
+        jsonResponse(res, 500, {
+          success: false,
+          error: error.message
+        }, corsHeaders);
+        return;
+      }
+      // Inline resume — execute next step immediately
+      if (result?.success && approval.run_id) {
         try {
-            const result = await runServerAgentLoop({
-                anthropic,
-                supabase,
-                model: agentModel,
-                systemPrompt,
-                messages,
-                tools,
-                extendedTools,
-                // All behavioral knobs from resolved config — DB is single source of truth
-                maxTurns: resolved.maxTurns,
-                temperature: resolved.temperature,
-                maxTokens: resolved.maxTokens,
-                maxConcurrentTools: resolved.maxConcurrentTools,
-                enableDelegation: resolved.enableDelegation,
-                enableModelRouting: resolved.enableModelRouting,
-                contextOverrides: resolved.contextOverrides,
-                subagentMaxTokens: resolved.subagentMaxTokens,
-                subagentMaxTurns: resolved.subagentMaxTurns,
-                subagentTemperature: resolved.subagentTemperature,
-                storeId,
-                traceId,
-                userId,
-                userEmail,
-                source,
-                conversationId: activeConversationId,
-                agentId,
-                executeTool: async (toolName, args, sourceOverride, onToolProgress) => {
-                    const toolArgs = { ...args };
-                    if (!toolArgs.store_id && storeId)
-                        toolArgs.store_id = storeId;
-                    return executeTool(supabase, toolName, toolArgs, storeId, traceId, userId, userEmail, sourceOverride || source, activeConversationId, userToolRows, agentId, onToolProgress, true);
-                },
-                onToolProgress: (name, progress) => sendSSE(res, { type: "tool_progress", name, progress }),
-                onText: (text) => sendSSE(res, { type: "text", text }),
-                onToolStart: (name, input) => {
-                    // Only send when input is available — deduplicates streaming double-fire
-                    // (sse-parser fires onToolStart twice: once on content_block_start without input,
-                    // once on content_block_stop with parsed input)
-                    if (input !== undefined) {
-                        sendSSE(res, { type: "tool_start", name, input });
-                    }
-                },
-                onToolResult: (name, success, r) => sendSSE(res, { type: "tool_result", name, success, result: r }),
-                onSubagentProgress: (evt) => {
-                    sendSSE(res, { type: "subagent", subagentId: evt.subagentId, subagentEvent: evt.event, name: evt.toolName });
-                },
-                clientDisconnected: { get value() { return clientDisconnected; } },
-                startedAt,
-                maxDurationMs: resolved.maxDurationMs,
-            });
-            // Send usage SSE
-            sendSSE(res, {
-                type: "usage",
-                usage: {
-                    input_tokens: result.tokens.input,
-                    output_tokens: result.tokens.output,
-                    cache_creation_tokens: result.tokens.cacheCreation,
-                    cache_read_tokens: result.tokens.cacheRead,
-                    cost_usd: result.costUsd,
-                },
-            });
-            // Persist everything — shared helper ensures SSE chat + channel paths are identical
-            await persistAgentTurn(supabase, agent, {
-                conversationId: activeConversationId,
-                storeId, agentId, agentModel, traceId, message, result,
-                source: source || "whale_chat",
-                chatStartTime, chatEndTime: Date.now(),
-                userId, userEmail,
-            });
-            sendSSE(res, { type: "done", conversationId: activeConversationId });
-        }
-        catch (err) {
-            sendSSE(res, { type: "error", error: sanitizeError(err) });
+          await executeInlineChain(supabase, approval.run_id);
+        } catch (err) {
+          log.error({
+            err: err.message
+          }, "inline chain failed after approval");
         }
-        res.end();
-    }
-    finally {
-        agentChatConcurrent--;
+      }
+      jsonResponse(res, result?.success ? 200 : 422, result, corsHeaders);
+      return;
     }
-}
-// ============================================================================
-// MEMORY EXTRACTION — extract key facts after agent conversation
-// ============================================================================
-async function extractAndStoreMemories(supabase, anthropic, agentId, storeId, userMessage, assistantResponse) {
-    const extraction = await anthropic.messages.create({
-        model: "claude-haiku-4-5-20251001",
-        max_tokens: 500,
-        system: `Extract key facts worth remembering from this conversation turn.
-Return JSON array: [{"key": "short_key", "value": {"detail": "..."}, "type": "short_term|long_term|entity"}]
-Rules:
-- Only extract genuinely useful facts (preferences, decisions, corrections, entities)
-- "entity" for people/businesses/products mentioned
-- "long_term" for preferences, patterns, decisions
-- "short_term" for context that may expire
-- Return [] if nothing worth remembering
-- Max 3 items per turn`,
-        messages: [{
-                role: "user",
-                content: `User: ${userMessage.substring(0, 500)}\n\nAssistant: ${assistantResponse.substring(0, 1000)}`
-            }],
-    });
-    const text = extraction.content.find(b => b.type === "text")?.text || "[]";
-    const match = text.match(/\[[\s\S]*\]/);
-    if (!match)
+    // ================================================================
+    // Waitpoint completion — API endpoint
+    // POST /waitpoints/:token/complete
+    // ================================================================
+    const waitpointMatch = pathname.match(/^\/waitpoints\/([a-f0-9-]+)\/complete$/);
+    if (waitpointMatch) {
+      const token = waitpointMatch[1];
+      const authHeader = req.headers.authorization;
+      const authToken = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+      const isInternal = safeCompare(authToken, FLY_INTERNAL_SECRET) || safeCompare(authToken, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(authToken, SERVICE_ROLE_JWT);
+      if (!isInternal && !authToken) {
+        jsonResponse(res, 401, {
+          error: "Missing authorization"
+        }, corsHeaders);
         return;
-    let items;
-    try {
-        items = JSON.parse(match[0]);
-    }
-    catch {
-        return; // Malformed JSON from extraction
-    }
-    for (const item of items.slice(0, 3)) {
-        if (!item.key)
-            continue;
-        await supabase.rpc("store_memory", {
-            p_agent_id: agentId,
-            p_store_id: storeId,
-            p_type: item.type || "short_term",
-            p_key: item.key,
-            p_value: item.value || {},
-        });
-    }
-}
-// ============================================================================
-// COST BUDGET TRACKING — increment active budgets after each conversation
-// ============================================================================
-// P0 FIX: Atomic cost budget increment via RPC (fixes TOCTOU race on concurrent updates)
-async function updateCostBudgets(supabase, storeId, agentId, costUsd) {
-    const { error } = await supabase.rpc("increment_cost_budget", {
-        p_store_id: storeId,
-        p_agent_id: agentId,
-        p_cost_usd: costUsd,
-    });
-    if (error) {
-        console.error("[cost-budget] increment_cost_budget RPC failed:", error.message);
-    }
-}
-// ============================================================================
-// HTTP SERVER
-// ============================================================================
-// Connection tracking for graceful shutdown draining
-let activeRequests = 0;
-const server = http.createServer(async (req, res) => {
-    activeRequests++;
-    res.on("close", () => { activeRequests--; });
-    const origin = req.headers.origin || "";
-    const corsHeaders = getCorsHeaders(origin);
-    // Health check — readiness-aware for Fly.io
-    if (req.method === "GET" && (req.url === "/" || req.url === "/health")) {
-        const ready = isReady();
-        const status = ready ? 200 : 503;
-        const agentStats = getGatewayStats();
-        jsonResponse(res, status, {
-            status: ready ? "ok" : "starting",
-            version: process.env.npm_package_version || "6.4.0",
-            uptime: Math.floor(process.uptime()),
-            pg_listen: pgListenReady,
-            worker_pool: workerPoolReady,
-            local_agents: agentStats.total_agents,
+      }
+      const supabase = getServiceClient();
+      let rawBody;
+      try {
+        rawBody = await readBody(req);
+      } catch {
+        jsonResponse(res, 413, {
+          error: "Request body too large"
         }, corsHeaders);
         return;
-    }
-    // CORS preflight
-    if (req.method === "OPTIONS") {
-        res.writeHead(204, corsHeaders);
-        res.end();
+      }
+      let body;
+      try {
+        body = JSON.parse(rawBody || "{}");
+      } catch {
+        jsonResponse(res, 400, {
+          error: "Invalid JSON"
+        }, corsHeaders);
         return;
-    }
-    const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`);
-    const pathname = url.pathname;
+      }
+      // Find waitpoint
+      const {
+        data: wp
+      } = await supabase.from("waitpoint_tokens").select("id, run_id, step_run_id, store_id, expires_at, status").eq("token", token).single();
+      if (!wp) {
+        jsonResponse(res, 404, {
+          error: "Waitpoint token not found"
+        }, corsHeaders);
+        return;
+      }
+      if (wp.status === "completed") {
+        jsonResponse(res, 409, {
+          error: "Waitpoint already completed"
+        }, corsHeaders);
+        return;
+      }
+      if (new Date(wp.expires_at) < new Date()) {
+        jsonResponse(res, 410, {
+          error: "Waitpoint expired"
+        }, corsHeaders);
+        return;
+      }
+      // Complete it
+      await supabase.from("waitpoint_tokens").update({
+        status: "completed",
+        completion_data: body.data || {},
+        completed_at: new Date().toISOString()
+      }).eq("id", wp.id);
+      await supabase.from("workflow_step_runs").update({
+        status: "pending",
+        input: {
+          waitpoint_completed: true,
+          waitpoint_data: body.data || {}
+        }
+      }).eq("id", wp.step_run_id).eq("status", "waiting");
+      // Inline resume
+      try {
+        await executeInlineChain(supabase, wp.run_id);
+      } catch (err) {
+        log.error({
+          err: err.message,
+          runId: wp.run_id
+        }, "inline chain failed after waitpoint");
+      }
+      jsonResponse(res, 200, {
+        success: true,
+        run_id: wp.run_id
+      }, corsHeaders);
+      return;
+    }
     // ================================================================
-    // Phase 3: SSE stream for workflow run progress
-    // GET /workflows/runs/:id/stream
+    // Webhook ingestion — no auth required (uses HMAC verification)
+    // POST /webhooks/:slug
     // ================================================================
-    if (req.method === "GET" && pathname.match(/^\/workflows\/runs\/[a-f0-9-]+\/stream$/)) {
-        const runId = pathname.split("/")[3];
-        // Auth check
-        const authHeader = req.headers.authorization;
-        const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
-        const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
-        if (!isInternal && !token) {
-            jsonResponse(res, 401, { error: "Missing authorization" }, corsHeaders);
-            return;
-        }
-        if (!isInternal) {
-            const sb = getServiceClient();
-            const { data: { user: authUser }, error: authError } = await sb.auth.getUser(token);
-            if (authError || !authUser) {
-                jsonResponse(res, 401, { error: "Invalid or expired token" }, corsHeaders);
-                return;
-            }
-            // P1 FIX: Verify user belongs to the run's store (prevent cross-store SSE snooping)
-            const { data: sseRun } = await sb.from("workflow_runs")
-                .select("store_id").eq("id", runId).single();
-            if (sseRun) {
-                const { data: membership } = await sb.from("store_members")
-                    .select("id").eq("store_id", sseRun.store_id).eq("user_id", authUser.id).single();
-                if (!membership) {
-                    jsonResponse(res, 403, { error: "Not authorized to view this run" }, corsHeaders);
-                    return;
-                }
-            }
-        }
-        // H6 FIX: Enforce per-run and total client limits
-        const existingClients = sseClients.get(runId)?.size || 0;
-        if (existingClients >= MAX_SSE_CLIENTS_PER_RUN) {
-            jsonResponse(res, 429, { error: "Too many SSE clients for this run" }, corsHeaders);
-            return;
-        }
-        if (getTotalSseClients() >= MAX_SSE_TOTAL_CLIENTS) {
-            jsonResponse(res, 429, { error: "Too many total SSE connections" }, corsHeaders);
-            return;
-        }
-        // Start SSE stream
-        res.writeHead(200, {
-            "Content-Type": "text/event-stream",
-            "Cache-Control": "no-cache",
-            Connection: "keep-alive",
-            ...corsHeaders,
-        });
-        // Send snapshot
-        const sb = getServiceClient();
-        const { data: run } = await sb.from("workflow_runs")
-            .select("id, workflow_id, status, trigger_type, current_step_key, error_message, error_step_key, started_at, completed_at, duration_ms")
-            .eq("id", runId).single();
-        const { data: stepRuns } = await sb.from("workflow_step_runs")
-            .select("id, step_key, step_type, status, error_message, duration_ms, started_at, completed_at")
-            .eq("run_id", runId).order("created_at", { ascending: true });
-        sendWorkflowSSE(res, { type: "snapshot", run, steps: stepRuns || [] });
-        // Register client
-        if (!sseClients.has(runId))
-            sseClients.set(runId, new Set());
-        sseClients.get(runId).add(res);
-        // Cleanup on disconnect
-        const cleanup = () => {
-            clearInterval(heartbeat);
-            const clients = sseClients.get(runId);
-            if (clients) {
-                clients.delete(res);
-                if (clients.size === 0)
-                    sseClients.delete(runId);
-            }
-        };
-        // Heartbeat — uses safeSseWrite so dead connections are cleaned up immediately
-        const heartbeat = setInterval(() => {
-            if (!safeSseWrite(res, `: heartbeat\n\n`, cleanup)) {
-                clearInterval(heartbeat);
-            }
-        }, 15_000);
-        req.on("close", cleanup);
-        req.on("error", cleanup);
+    const webhookMatch = pathname.match(/^\/webhooks\/([a-zA-Z0-9_-]+)$/);
+    if (webhookMatch) {
+      const whClientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
+      if (sendIpRateLimit(res, whClientIp, corsHeaders)) return;
+      const slug = webhookMatch[1];
+      let rawBody;
+      try {
+        rawBody = await readBody(req);
+      } catch {
+        jsonResponse(res, 413, {
+          error: "Request body too large"
+        }, corsHeaders);
         return;
+      }
+      const supabase = getServiceClient();
+      const headers = {};
+      for (const [k, v] of Object.entries(req.headers)) {
+        if (typeof v === "string") headers[k] = v;
+      }
+      const result = await handleWebhookIngestion(supabase, slug, rawBody, headers);
+      // Phase 1: Inline execution for webhook-triggered workflows
+      if (result.body.run_id && result.status === 200) {
+        try {
+          await executeInlineChain(supabase, result.body.run_id);
+        } catch (err) {
+          log.error({
+            err: err.message
+          }, "webhook inline chain error");
+        }
+      }
+      jsonResponse(res, result.status, result.body, corsHeaders);
+      return;
     }
     // ================================================================
-    // Guest approval — signed URL, no auth required (GET)
-    // GET /approvals/guest/:id?action=approve&expires=...&sig=...
+    // Fire event — service-role or internal auth
+    // POST /events
     // ================================================================
-    const guestApprovalMatch = pathname.match(/^\/approvals\/guest\/([a-f0-9-]+)$/);
-    if (guestApprovalMatch && req.method === "GET") {
-        const clientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
-        if (sendIpRateLimit(res, clientIp, corsHeaders))
-            return;
-        const stepRunId = guestApprovalMatch[1];
-        const urlParams = new URL(req.url || "", `http://${req.headers.host}`).searchParams;
-        const action = urlParams.get("action") || "";
-        const expires = urlParams.get("expires") || "";
-        const sig = urlParams.get("sig") || "";
-        if (!action || !expires || !sig) {
-            jsonResponse(res, 400, { error: "Missing action, expires, or sig parameter" }, corsHeaders);
-            return;
-        }
-        if (new Date(expires) < new Date()) {
-            jsonResponse(res, 410, { error: "This approval link has expired" }, corsHeaders);
-            return;
-        }
-        if (!verifyGuestApprovalSignature(stepRunId, action, expires, sig)) {
-            jsonResponse(res, 403, { error: "Invalid signature" }, corsHeaders);
-            return;
-        }
-        const guestSupabase = getServiceClient();
-        const { data: approval } = await guestSupabase.from("workflow_approval_requests")
-            .select("id, store_id, run_id, status").eq("step_run_id", stepRunId).limit(1);
-        if (!approval?.length) {
-            jsonResponse(res, 404, { error: "Approval not found" }, corsHeaders);
-            return;
-        }
-        if (approval[0].status !== "pending") {
-            jsonResponse(res, 409, { error: `Approval already ${approval[0].status}` }, corsHeaders);
-            return;
-        }
-        const isApprove = action === "approve" || action === "approved";
-        const { data: guestResult, error: guestErr } = await guestSupabase.rpc("respond_to_approval", {
-            p_approval_id: approval[0].id,
-            p_store_id: approval[0].store_id,
-            p_response: isApprove ? "approved" : "rejected",
-            p_response_data: { guest: true, action },
-            p_responded_by: null,
-        });
-        if (guestErr) {
-            jsonResponse(res, 500, { success: false, error: guestErr.message }, corsHeaders);
-            return;
-        }
-        if (guestResult?.success && approval[0].run_id) {
-            try {
-                await executeInlineChain(guestSupabase, approval[0].run_id);
-            }
-            catch (err) {
-                log.error({ err: err.message, runId: approval[0].run_id }, "inline chain failed after guest approval");
-            }
-        }
-        res.writeHead(200, { "Content-Type": "text/html", ...corsHeaders });
-        res.end(`<!DOCTYPE html><html><body style="font-family:system-ui;text-align:center;padding:40px">
-      <h2>${isApprove ? "Approved" : "Rejected"}</h2>
-      <p>Your response has been recorded. You can close this window.</p>
-    </body></html>`);
+    if (pathname === "/events") {
+      const authHeader = req.headers.authorization;
+      const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+      const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
+      if (!isInternal && !token) {
+        jsonResponse(res, 401, {
+          error: "Missing authorization"
+        }, corsHeaders);
         return;
+      }
+      const supabase = getServiceClient();
+      // Verify user auth if not internal
+      if (!isInternal) {
+        const {
+          data: {
+            user: authUser
+          },
+          error: authError
+        } = await supabase.auth.getUser(token);
+        if (authError || !authUser) {
+          jsonResponse(res, 401, {
+            error: "Invalid or expired token"
+          }, corsHeaders);
+          return;
+        }
+      }
+      let rawBody;
+      try {
+        rawBody = await readBody(req);
+      } catch {
+        jsonResponse(res, 413, {
+          error: "Request body too large"
+        }, corsHeaders);
+        return;
+      }
+      let body;
+      try {
+        body = JSON.parse(rawBody || "{}");
+      } catch {
+        jsonResponse(res, 400, {
+          error: "Invalid JSON"
+        }, corsHeaders);
+        return;
+      }
+      if (!body.store_id || !body.event_type) {
+        jsonResponse(res, 400, {
+          error: "store_id and event_type required"
+        }, corsHeaders);
+        return;
+      }
+      // Idempotency: if client provides idempotency_key, check for duplicate
+      if (body.idempotency_key) {
+        const {
+          data: existing
+        } = await supabase.from("workflow_events").select("id").eq("idempotency_key", body.idempotency_key).limit(1);
+        if (existing && existing.length > 0) {
+          jsonResponse(res, 200, {
+            success: true,
+            event_id: existing[0].id,
+            deduplicated: true
+          }, corsHeaders);
+          return;
+        }
+      }
+      const {
+        data: eventId,
+        error: fireErr
+      } = await supabase.rpc("fire_event", {
+        p_store_id: body.store_id,
+        p_event_type: body.event_type,
+        p_event_payload: body.payload || {},
+        p_source: body.source || "api"
+      });
+      if (fireErr) {
+        jsonResponse(res, 500, {
+          success: false,
+          error: fireErr.message
+        }, corsHeaders);
+      } else {
+        jsonResponse(res, 200, {
+          success: true,
+          event_id: eventId
+        }, corsHeaders);
+      }
+      return;
     }
     // ================================================================
-    // Webchat — anonymous access for embedded chat widgets
-    // POST /webchat/channels/:id/messages  — send message (+ agent auto-reply)
-    // GET  /webchat/channels/:id/history   — load conversation history
-    // GET  /webchat/widget.js              — serve compiled widget JS
+    // Internal workflow processing — verified by internal secret
+    // POST /workflows/process
     // ================================================================
-    // Webchat CORS: allow any origin (widget is embedded on customer sites)
-    const webchatCors = { ...corsHeaders, "Access-Control-Allow-Origin": "*" };
-    const webchatMsgMatch = pathname.match(/^\/webchat\/channels\/([a-f0-9-]+)\/messages$/);
-    if (webchatMsgMatch && req.method === "POST") {
-        const clientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
-        if (sendIpRateLimit(res, clientIp, webchatCors))
-            return;
-        let rawBody;
-        try {
-            rawBody = await readBody(req);
-        }
-        catch {
-            jsonResponse(res, 413, { error: "Request body too large" }, webchatCors);
-            return;
-        }
-        const channelId = webchatMsgMatch[1];
-        let wcBody;
-        try {
-            wcBody = JSON.parse(rawBody);
-        }
-        catch {
-            jsonResponse(res, 400, { error: "Invalid JSON" }, webchatCors);
-            return;
-        }
-        if (!wcBody.content || typeof wcBody.content !== "string") {
-            jsonResponse(res, 400, { error: "content (string) is required" }, webchatCors);
-            return;
-        }
-        if (wcBody.content.length > 5000) {
-            jsonResponse(res, 400, { error: "Message too long (max 5000 characters)" }, webchatCors);
-            return;
-        }
-        const supabase = getServiceClient();
-        // Verify channel exists and is a webchat channel
-        const { data: channel } = await supabase
-            .from("channels")
-            .select("id, store_id, node_id, agent_id, type, config")
-            .eq("id", channelId)
-            .eq("type", "webchat")
-            .single();
-        if (!channel) {
-            jsonResponse(res, 404, { error: "Webchat channel not found" }, webchatCors);
-            return;
-        }
-        // Rate limit per store (best-effort)
-        try {
-            const planCheck = await checkPlanLimits(supabase, channel.store_id, "message");
-            if (!planCheck.allowed) {
-                jsonResponse(res, 429, { error: planCheck.reason || "Plan limit reached" }, webchatCors);
-                return;
-            }
-        }
-        catch { /* billing tables may not exist yet */ }
-        const senderId = wcBody.sender_id || "anonymous";
-        // Resolve conversation: reuse if sender had activity < 30 min ago, else new UUID
-        let conversationId = wcBody.conversation_id || "";
-        if (!conversationId) {
-            const thirtyMinAgo = new Date(Date.now() - 30 * 60 * 1000).toISOString();
-            const { data: recent } = await supabase
-                .from("channel_messages")
-                .select("conversation_id")
-                .eq("channel_id", channelId)
-                .eq("sender_id", senderId)
-                .gt("created_at", thirtyMinAgo)
-                .not("conversation_id", "is", null)
-                .order("created_at", { ascending: false })
-                .limit(1);
-            conversationId = (recent?.length && recent[0].conversation_id) || randomUUID();
-        }
-        // Insert inbound message
-        const { data: message, error: msgErr } = await supabase
-            .from("channel_messages")
-            .insert({
-            store_id: channel.store_id,
-            channel_id: channelId,
-            direction: "inbound",
-            sender_id: senderId,
-            sender_name: wcBody.sender_name || "Visitor",
-            content: wcBody.content,
-            content_type: "text",
-            metadata: { source: "webchat", ip: clientIp, widget_version: "1.0.0" },
-            agent_id: channel.agent_id,
-            conversation_id: conversationId,
-        })
-            .select("id, direction, content, conversation_id, created_at")
-            .single();
-        if (msgErr) {
-            jsonResponse(res, 500, { error: msgErr.message }, webchatCors);
-            return;
-        }
-        // Track usage + channel stats (best-effort)
-        incrementUsage(supabase, channel.store_id, { messages_in: 1 }).catch(() => { });
-        try {
-            await supabase.rpc("increment_channel_stats", { p_channel_id: channelId });
-        }
-        catch { /* ok */ }
-        // Auto-invoke agent if assigned
-        let agentResponse = null;
-        if (channel.agent_id && webchatAgentInvoker) {
-            try {
-                const result = await webchatAgentInvoker(supabase, channel.agent_id, wcBody.content, channel.store_id, conversationId);
-                if (result.success && result.response) {
-                    const { data: outMsg } = await supabase
-                        .from("channel_messages")
-                        .insert({
-                        store_id: channel.store_id,
-                        channel_id: channelId,
-                        direction: "outbound",
-                        sender_id: "agent",
-                        sender_name: "AI Agent",
-                        content: result.response,
-                        content_type: "text",
-                        metadata: { agent_id: channel.agent_id, auto_response: true, source: "webchat" },
-                        agent_id: channel.agent_id,
-                        conversation_id: conversationId,
-                    })
-                        .select("id, direction, content, conversation_id, created_at")
-                        .single();
-                    agentResponse = outMsg;
-                    incrementUsage(supabase, channel.store_id, { messages_out: 1, agent_invocations: 1 }).catch(() => { });
-                }
-            }
-            catch (err) {
-                log.error({ err: err.message }, "webchat agent error");
-            }
-        }
-        jsonResponse(res, 201, { success: true, message, agent_response: agentResponse, conversation_id: conversationId }, webchatCors);
-        return;
-    }
-    // GET /webchat/channels/:id/history — load conversation history for widget
-    const webchatHistoryMatch = pathname.match(/^\/webchat\/channels\/([a-f0-9-]+)\/history$/);
-    if (webchatHistoryMatch && req.method === "GET") {
-        const clientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
-        if (sendIpRateLimit(res, clientIp, webchatCors))
-            return;
-        const channelId = webchatHistoryMatch[1];
-        const params = url.searchParams;
-        const senderId = params.get("sender_id") || "";
-        const reqConvId = params.get("conversation_id") || "";
-        if (!senderId) {
-            jsonResponse(res, 400, { error: "sender_id query parameter required" }, webchatCors);
-            return;
-        }
-        const supabase = getServiceClient();
-        // Verify channel is webchat type
-        const { data: wcChannel } = await supabase
-            .from("channels")
-            .select("id, type")
-            .eq("id", channelId)
-            .eq("type", "webchat")
-            .single();
-        if (!wcChannel) {
-            jsonResponse(res, 404, { error: "Webchat channel not found" }, webchatCors);
-            return;
-        }
-        // Get messages — by conversation_id if available, or by sender
-        // P0 FIX: Always filter by sender_id to prevent cross-sender data leak
-        let query = supabase
-            .from("channel_messages")
-            .select("id, direction, sender_id, sender_name, content, content_type, created_at")
-            .eq("channel_id", channelId);
-        // P0 FIX: Validate senderId against strict pattern to prevent PostgREST filter injection
-        // Only allow alphanumeric characters, hyphens, and underscores (blocks .eq., .neq., dots, etc.)
-        if (!/^[a-zA-Z0-9_-]+$/.test(senderId)) {
-            jsonResponse(res, 400, { error: "Invalid sender_id format" }, webchatCors);
-            return;
-        }
-        if (reqConvId) {
-            // P0 FIX: Use parameterized .in() filter instead of string interpolation in .or()
-            query = query.eq("conversation_id", reqConvId)
-                .in("sender_id", [senderId, "agent"]);
-        }
-        else {
-            query = query.in("sender_id", [senderId, "agent"]);
-        }
-        const { data: messages, error: histErr } = await query
-            .order("created_at", { ascending: true })
-            .limit(50);
-        if (histErr) {
-            jsonResponse(res, 500, { error: histErr.message }, webchatCors);
-            return;
-        }
-        jsonResponse(res, 200, { success: true, messages: messages || [] }, webchatCors);
+    if (pathname === "/workflows/process") {
+      const authHeader = req.headers.authorization;
+      const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+      if (!FLY_INTERNAL_SECRET || !safeCompare(token, FLY_INTERNAL_SECRET) && !safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) && !safeCompare(token, SERVICE_ROLE_JWT)) {
+        jsonResponse(res, 401, {
+          error: "Unauthorized"
+        }, corsHeaders);
         return;
-    }
-    // GET /webchat/widget.js — serve compiled widget JavaScript
-    if (pathname === "/webchat/widget.js" && req.method === "GET") {
-        const fs = await import("node:fs");
-        const path = await import("node:path");
-        // Try multiple possible locations for the built widget file
-        const possiblePaths = [
-            path.join(import.meta.dirname || __dirname, "../../dist/webchat/widget.js"),
-            path.join(import.meta.dirname || __dirname, "../../../dist/webchat/widget.js"),
-            path.join(process.cwd(), "dist/webchat/widget.js"),
-        ];
-        let widgetJs = null;
-        for (const p of possiblePaths) {
-            try {
-                widgetJs = fs.readFileSync(p, "utf-8");
-                break;
-            }
-            catch { /* try next */ }
-        }
-        if (widgetJs) {
-            res.writeHead(200, {
-                "Content-Type": "application/javascript",
-                "Cache-Control": "public, max-age=3600",
-                ...webchatCors,
-            });
-            res.end(widgetJs);
-        }
-        else {
-            res.writeHead(200, {
-                "Content-Type": "application/javascript",
-                ...webchatCors,
-            });
-            res.end('console.warn("[WhaleChat] Widget JS not built. Run: npx esbuild src/webchat/widget.ts --bundle --minify --outfile=dist/webchat/widget.js");');
-        }
+      }
+      let rawBody;
+      try {
+        rawBody = await readBody(req);
+      } catch {
+        rawBody = "{}";
+      }
+      let body;
+      try {
+        body = JSON.parse(rawBody || "{}");
+      } catch {
+        jsonResponse(res, 400, {
+          error: "Invalid JSON"
+        }, corsHeaders);
         return;
-    }
+      }
+      const supabase = getServiceClient();
+      const result = await processWorkflowSteps(supabase, body.batch_size || 10);
+      jsonResponse(res, 200, {
+        success: true,
+        ...result
+      }, corsHeaders);
+      return;
+    }
     // ================================================================
-    // Billing & Usage routes
+    // Start workflow run — service-role or user auth
+    // POST /workflows/start
     // ================================================================
-    if (pathname.startsWith("/usage") || pathname.startsWith("/billing/")) {
-        const authHeader = req.headers.authorization;
-        const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
-        if (!token) {
-            req.resume();
-            jsonResponse(res, 401, { error: "Missing authorization" }, corsHeaders);
-            return;
-        }
-        let rawBody;
-        try {
-            rawBody = await readBody(req);
-        }
-        catch {
-            jsonResponse(res, 413, { error: "Request body too large" }, corsHeaders);
-            return;
-        }
-        let billingBody = null;
-        try {
-            if (rawBody)
-                billingBody = JSON.parse(rawBody);
-        }
-        catch {
-            jsonResponse(res, 400, { error: "Invalid JSON" }, corsHeaders);
-            return;
-        }
-        const supabase = getServiceClient();
-        // Extract userId from JWT for checkout/portal endpoints
-        let billingUserId;
-        try {
-            const payload = JSON.parse(Buffer.from(token.split(".")[1], "base64url").toString());
-            billingUserId = payload.sub;
-        }
-        catch { /* not a JWT — service role key */ }
-        const result = await handleBillingRoutes(pathname, req.method || "GET", billingBody, supabase, {
-            userId: billingUserId,
-            isServiceRole: safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT),
-        });
-        if (result) {
-            jsonResponse(res, result.status, result.body, corsHeaders);
-        }
-        else {
-            jsonResponse(res, 404, { error: `No route: ${req.method} ${pathname}` }, corsHeaders);
-        }
+    if (pathname === "/workflows/start") {
+      const authHeader = req.headers.authorization;
+      const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
+      const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
+      if (!isInternal && !token) {
+        jsonResponse(res, 401, {
+          error: "Missing authorization"
+        }, corsHeaders);
         return;
-    }
+      }
+      const supabase = getServiceClient();
+      // Verify user auth if not internal
+      if (!isInternal) {
+        const {
+          data: {
+            user: authUser
+          },
+          error: authError
+        } = await supabase.auth.getUser(token);
+        if (authError || !authUser) {
+          jsonResponse(res, 401, {
+            error: "Invalid or expired token"
+          }, corsHeaders);
+          return;
+        }
+      }
+      let rawBody;
+      try {
+        rawBody = await readBody(req);
+      } catch {
+        jsonResponse(res, 413, {
+          error: "Request body too large"
+        }, corsHeaders);
+        return;
+      }
+      let body;
+      try {
+        body = JSON.parse(rawBody);
+      } catch {
+        jsonResponse(res, 400, {
+          error: "Invalid JSON"
+        }, corsHeaders);
+        return;
+      }
+      // P0 FIX: Verify the workflow belongs to the requesting store before starting a run
+      if (body.workflow_id && body.store_id) {
+        const {
+          data: wfOwner,
+          error: wfOwnerErr
+        } = await supabase.from("workflows").select("id").eq("id", body.workflow_id).eq("store_id", body.store_id).single();
+        if (wfOwnerErr || !wfOwner) {
+          jsonResponse(res, 403, {
+            error: "Workflow does not belong to this store"
+          }, corsHeaders);
+          return;
+        }
+      }
+      const {
+        data,
+        error
+      } = await supabase.rpc("start_workflow_run", {
+        p_workflow_id: body.workflow_id,
+        p_store_id: body.store_id,
+        p_trigger_type: body.trigger_type || "api",
+        p_trigger_payload: body.trigger_payload || {},
+        p_idempotency_key: body.idempotency_key || null
+      });
+      if (error) {
+        jsonResponse(res, 500, {
+          success: false,
+          error: error.message
+        }, corsHeaders);
+      } else {
+        // Phase 4: Set version_id if workflow has a published version
+        // Phase 1: Inline execution for API-triggered workflows
+        if (data?.success && data.run_id && !data.deduplicated) {
+          try {
+            const {
+              data: wf
+            } = await supabase.from("workflows").select("published_version_id").eq("id", body.workflow_id).single();
+            if (wf?.published_version_id) {
+              await supabase.from("workflow_runs").update({
+                version_id: wf.published_version_id
+              }).eq("id", data.run_id);
+            }
+            await executeInlineChain(supabase, data.run_id);
+          } catch (err) {
+            log.error({
+              err: err.message
+            }, "start-inline chain error");
+          }
+        }
+        jsonResponse(res, data?.success ? 200 : 422, data, corsHeaders);
+      }
+      return;
+    }
     // ================================================================
-    // Node & Channel management routes (supports GET, POST, PUT, DELETE)
-    // Must be before the method gate since GET /channels/:id/messages is valid
+    // Standard auth gate for all other POST routes
     // ================================================================
-    if (pathname.startsWith("/nodes") || pathname.startsWith("/channels")) {
-        const authHeader = req.headers.authorization;
-        const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
-        if (!token) {
-            req.resume();
-            jsonResponse(res, 401, { error: "Missing authorization" }, corsHeaders);
-            return;
-        }
-        let rawBody;
-        try {
-            rawBody = await readBody(req);
-        }
-        catch {
-            jsonResponse(res, 413, { error: "Request body too large" }, corsHeaders);
-            return;
-        }
-        let nodeBody = null;
-        try {
-            if (rawBody)
-                nodeBody = JSON.parse(rawBody);
-        }
-        catch {
-            jsonResponse(res, 400, { error: "Invalid JSON" }, corsHeaders);
-            return;
-        }
-        const supabase = getServiceClient();
-        let userId;
-        const isServiceRole = safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
-        if (!isServiceRole) {
-            const { data: { user: authUser } } = await supabase.auth.getUser(token);
-            if (authUser)
-                userId = authUser.id;
-        }
-        const result = await handleNodeRoutes(pathname, req.method || "GET", nodeBody, supabase, {
-            userId,
-            isServiceRole,
-            rawToken: token,
-        }, url.searchParams);
-        if (result) {
-            jsonResponse(res, result.status, result.body, corsHeaders);
-        }
-        else {
-            jsonResponse(res, 404, { error: `No route: ${req.method} ${pathname}` }, corsHeaders);
-        }
+    log.info({
+      method: req.method,
+      path: pathname,
+      contentLength: req.headers["content-length"] || "?"
+    }, "request");
+    const authHeader = req.headers.authorization;
+    if (!authHeader?.startsWith("Bearer ")) {
+      req.resume(); // drain body to avoid Fly proxy stall
+      jsonResponse(res, 401, {
+        error: "Missing authorization"
+      }, corsHeaders);
+      return;
+    }
+    // Read body FIRST — before async auth calls (getUser, rate_limit).
+    // Node.js request streams are paused until consumed. If we do async network
+    // calls before reading, the TCP receive buffer fills up and Fly's proxy
+    // stalls with "error writing a body to connection" on large requests.
+    let rawBody;
+    try {
+      rawBody = await readBody(req);
+    } catch {
+      jsonResponse(res, 413, {
+        error: "Request body too large (max 500MB)"
+      }, corsHeaders);
+      return;
+    }
+    const token = authHeader.substring(7);
+    const supabase = getServiceClient();
+    // Check service-role key
+    let user = null;
+    const isServiceRole = safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
+    if (!isServiceRole) {
+      try {
+        const {
+          data: {
+            user: authUser
+          },
+          error: authError
+        } = await supabase.auth.getUser(token);
+        if (authError || !authUser) {
+          jsonResponse(res, 401, {
+            error: "Invalid or expired token"
+          }, corsHeaders);
+          return;
+        }
+        user = authUser;
+      } catch (authErr) {
+        log.error({
+          err: authErr.message
+        }, "auth getUser failed");
+        jsonResponse(res, 502, {
+          error: "Auth service unavailable, please retry"
+        }, corsHeaders);
         return;
+      }
     }
-    if (req.method !== "POST" && req.method !== "DELETE" && req.method !== "PUT") {
-        jsonResponse(res, 405, { error: "Method not allowed" }, corsHeaders);
+    // In-memory token-bucket rate limiting (sole rate check — no DB round-trip)
+    {
+      const tier = isServiceRole ? "serviceRole" : user ? "authenticated" : "unauthenticated";
+      const rateLimitKey = user ? `user:${user.id}` : `ip:${req.socket.remoteAddress || "unknown"}`;
+      const memResult = rateLimiter.checkRequest(rateLimitKey, tier);
+      if (!memResult.allowed) {
+        res.writeHead(429, {
+          "Retry-After": String(Math.ceil(memResult.retryAfterMs / 1000)),
+          "X-RateLimit-Remaining": "0",
+          "X-RateLimit-Bucket": memResult.bucket,
+          "Content-Type": "application/json",
+          ...corsHeaders
+        });
+        res.end(JSON.stringify({
+          error: "Rate limit exceeded"
+        }));
         return;
+      }
     }
+    let body;
     try {
-        // ================================================================
-        // Phase 4.2: Resume conversation from checkpoint
-        // POST /conversations/:id/resume
-        // ================================================================
-        const resumeMatch = pathname.match(/^\/conversations\/([a-f0-9-]+)\/resume$/);
-        if (resumeMatch && req.method === "POST") {
-            const convId = resumeMatch[1];
-            const authHeader = req.headers.authorization;
-            const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
-            const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
-            if (!isInternal && !token) {
-                jsonResponse(res, 401, { error: "Missing authorization" }, corsHeaders);
-                return;
-            }
-            const supabase = getServiceClient();
-            if (!isInternal) {
-                const { data: { user: authUser }, error: authError } = await supabase.auth.getUser(token);
-                if (authError || !authUser) {
-                    jsonResponse(res, 401, { error: "Invalid or expired token" }, corsHeaders);
-                    return;
-                }
-            }
-            // Drain the request body (even if we don't use it) to prevent Fly proxy stalls
-            try {
-                await readBody(req);
-            }
-            catch { /* body not needed */ }
-            const checkpoint = await loadCheckpoint(supabase, convId);
-            if (!checkpoint) {
-                jsonResponse(res, 404, { error: "No checkpoint found for this conversation" }, corsHeaders);
-                return;
-            }
-            // Parse messages back from serialized form
-            let parsedMessages;
-            try {
-                parsedMessages = JSON.parse(checkpoint.messages);
-            }
-            catch {
-                jsonResponse(res, 422, { error: "Checkpoint messages corrupted" }, corsHeaders);
-                return;
-            }
-            jsonResponse(res, 200, {
-                success: true,
-                conversation_id: checkpoint.conversation_id,
-                turn: checkpoint.turn,
-                messages: parsedMessages,
-                tokens_used: checkpoint.tokens_used,
-                cost_so_far: checkpoint.cost_so_far,
-                tools_used: checkpoint.tools_used,
-                checkpointed_at: checkpoint.created_at,
-            }, corsHeaders);
-            return;
-        }
-        // ================================================================
-        // Phase 2: Approval response endpoint
-        // POST /approvals/:id/respond
-        // ================================================================
-        const approvalMatch = pathname.match(/^\/approvals\/([a-f0-9-]+)\/respond$/);
-        if (approvalMatch) {
-            const approvalId = approvalMatch[1];
-            const authHeader = req.headers.authorization;
-            const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
-            const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
-            if (!isInternal && !token) {
-                jsonResponse(res, 401, { error: "Missing authorization" }, corsHeaders);
-                return;
-            }
-            const supabase = getServiceClient();
-            let userId = null;
-            if (!isInternal) {
-                const { data: { user: authUser }, error: authError } = await supabase.auth.getUser(token);
-                if (authError || !authUser) {
-                    jsonResponse(res, 401, { error: "Invalid or expired token" }, corsHeaders);
-                    return;
-                }
-                userId = authUser.id;
-            }
-            let rawBody;
-            try {
-                rawBody = await readBody(req);
-            }
-            catch {
-                jsonResponse(res, 413, { error: "Request body too large" }, corsHeaders);
-                return;
-            }
-            let body;
-            try {
-                body = JSON.parse(rawBody);
-            }
-            catch {
-                jsonResponse(res, 400, { error: "Invalid JSON" }, corsHeaders);
-                return;
-            }
-            if (!body.status) {
-                jsonResponse(res, 400, { error: "status required (approved/rejected)" }, corsHeaders);
-                return;
-            }
-            // Get store_id from approval
-            const { data: approval } = await supabase.from("workflow_approval_requests")
-                .select("store_id, run_id").eq("id", approvalId).single();
-            if (!approval) {
-                jsonResponse(res, 404, { error: "Approval not found" }, corsHeaders);
-                return;
-            }
-            // P1 FIX: Verify user has access to the approval's store
-            if (!isInternal && userId) {
-                const { data: approvalMembership } = await supabase.from("store_members")
-                    .select("id").eq("store_id", approval.store_id).eq("user_id", userId).single();
-                if (!approvalMembership) {
-                    jsonResponse(res, 403, { error: "Not authorized to respond to this approval" }, corsHeaders);
-                    return;
-                }
-            }
-            const { data: result, error } = await supabase.rpc("respond_to_approval", {
-                p_approval_id: approvalId,
-                p_store_id: approval.store_id,
-                p_response: body.status,
-                p_response_data: body.response_data || {},
-                p_responded_by: userId || body.responded_by || null,
-            });
-            if (error) {
-                jsonResponse(res, 500, { success: false, error: error.message }, corsHeaders);
-                return;
-            }
-            // Inline resume — execute next step immediately
-            if (result?.success && approval.run_id) {
-                try {
-                    await executeInlineChain(supabase, approval.run_id);
-                }
-                catch (err) {
-                    log.error({ err: err.message }, "inline chain failed after approval");
-                }
-            }
-            jsonResponse(res, result?.success ? 200 : 422, result, corsHeaders);
-            return;
-        }
-        // ================================================================
-        // Waitpoint completion — API endpoint
-        // POST /waitpoints/:token/complete
-        // ================================================================
-        const waitpointMatch = pathname.match(/^\/waitpoints\/([a-f0-9-]+)\/complete$/);
-        if (waitpointMatch) {
-            const token = waitpointMatch[1];
-            const authHeader = req.headers.authorization;
-            const authToken = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
-            const isInternal = safeCompare(authToken, FLY_INTERNAL_SECRET) || safeCompare(authToken, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(authToken, SERVICE_ROLE_JWT);
-            if (!isInternal && !authToken) {
-                jsonResponse(res, 401, { error: "Missing authorization" }, corsHeaders);
-                return;
-            }
-            const supabase = getServiceClient();
-            let rawBody;
-            try {
-                rawBody = await readBody(req);
-            }
-            catch {
-                jsonResponse(res, 413, { error: "Request body too large" }, corsHeaders);
-                return;
-            }
-            let body;
-            try {
-                body = JSON.parse(rawBody || "{}");
-            }
-            catch {
-                jsonResponse(res, 400, { error: "Invalid JSON" }, corsHeaders);
-                return;
-            }
-            // Find waitpoint
-            const { data: wp } = await supabase.from("waitpoint_tokens")
-                .select("id, run_id, step_run_id, store_id, expires_at, status")
-                .eq("token", token).single();
-            if (!wp) {
-                jsonResponse(res, 404, { error: "Waitpoint token not found" }, corsHeaders);
-                return;
-            }
-            if (wp.status === "completed") {
-                jsonResponse(res, 409, { error: "Waitpoint already completed" }, corsHeaders);
-                return;
-            }
-            if (new Date(wp.expires_at) < new Date()) {
-                jsonResponse(res, 410, { error: "Waitpoint expired" }, corsHeaders);
-                return;
-            }
-            // Complete it
-            await supabase.from("waitpoint_tokens").update({
-                status: "completed", completion_data: body.data || {}, completed_at: new Date().toISOString(),
-            }).eq("id", wp.id);
-            await supabase.from("workflow_step_runs").update({
-                status: "pending", input: { waitpoint_completed: true, waitpoint_data: body.data || {} },
-            }).eq("id", wp.step_run_id).eq("status", "waiting");
-            // Inline resume
-            try {
-                await executeInlineChain(supabase, wp.run_id);
-            }
-            catch (err) {
-                log.error({ err: err.message, runId: wp.run_id }, "inline chain failed after waitpoint");
-            }
-            jsonResponse(res, 200, { success: true, run_id: wp.run_id }, corsHeaders);
-            return;
-        }
-        // ================================================================
-        // Webhook ingestion — no auth required (uses HMAC verification)
-        // POST /webhooks/:slug
-        // ================================================================
-        const webhookMatch = pathname.match(/^\/webhooks\/([a-zA-Z0-9_-]+)$/);
-        if (webhookMatch) {
-            const whClientIp = req.headers["x-forwarded-for"]?.toString().split(",")[0]?.trim() || req.socket.remoteAddress || "unknown";
-            if (sendIpRateLimit(res, whClientIp, corsHeaders))
-                return;
-            const slug = webhookMatch[1];
-            let rawBody;
-            try {
-                rawBody = await readBody(req);
-            }
-            catch {
-                jsonResponse(res, 413, { error: "Request body too large" }, corsHeaders);
-                return;
-            }
-            const supabase = getServiceClient();
-            const headers = {};
-            for (const [k, v] of Object.entries(req.headers)) {
-                if (typeof v === "string")
-                    headers[k] = v;
-            }
-            const result = await handleWebhookIngestion(supabase, slug, rawBody, headers);
-            // Phase 1: Inline execution for webhook-triggered workflows
-            if (result.body.run_id && result.status === 200) {
-                try {
-                    await executeInlineChain(supabase, result.body.run_id);
-                }
-                catch (err) {
-                    log.error({ err: err.message }, "webhook inline chain error");
-                }
-            }
-            jsonResponse(res, result.status, result.body, corsHeaders);
-            return;
-        }
-        // ================================================================
-        // Fire event — service-role or internal auth
-        // POST /events
-        // ================================================================
-        if (pathname === "/events") {
-            const authHeader = req.headers.authorization;
-            const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
-            const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
-            if (!isInternal && !token) {
-                jsonResponse(res, 401, { error: "Missing authorization" }, corsHeaders);
-                return;
-            }
-            const supabase = getServiceClient();
-            // Verify user auth if not internal
-            if (!isInternal) {
-                const { data: { user: authUser }, error: authError } = await supabase.auth.getUser(token);
-                if (authError || !authUser) {
-                    jsonResponse(res, 401, { error: "Invalid or expired token" }, corsHeaders);
-                    return;
-                }
-            }
-            let rawBody;
-            try {
-                rawBody = await readBody(req);
-            }
-            catch {
-                jsonResponse(res, 413, { error: "Request body too large" }, corsHeaders);
-                return;
-            }
-            let body;
-            try {
-                body = JSON.parse(rawBody || "{}");
-            }
-            catch {
-                jsonResponse(res, 400, { error: "Invalid JSON" }, corsHeaders);
-                return;
-            }
-            if (!body.store_id || !body.event_type) {
-                jsonResponse(res, 400, { error: "store_id and event_type required" }, corsHeaders);
-                return;
-            }
-            // Idempotency: if client provides idempotency_key, check for duplicate
-            if (body.idempotency_key) {
-                const { data: existing } = await supabase.from("workflow_events")
-                    .select("id")
-                    .eq("idempotency_key", body.idempotency_key)
-                    .limit(1);
-                if (existing && existing.length > 0) {
-                    jsonResponse(res, 200, { success: true, event_id: existing[0].id, deduplicated: true }, corsHeaders);
-                    return;
-                }
-            }
-            const { data: eventId, error: fireErr } = await supabase.rpc("fire_event", {
-                p_store_id: body.store_id,
-                p_event_type: body.event_type,
-                p_event_payload: body.payload || {},
-                p_source: body.source || "api",
-            });
-            if (fireErr) {
-                jsonResponse(res, 500, { success: false, error: fireErr.message }, corsHeaders);
-            }
-            else {
-                jsonResponse(res, 200, { success: true, event_id: eventId }, corsHeaders);
-            }
-            return;
-        }
-        // ================================================================
-        // Internal workflow processing — verified by internal secret
-        // POST /workflows/process
-        // ================================================================
-        if (pathname === "/workflows/process") {
-            const authHeader = req.headers.authorization;
-            const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
-            if (!FLY_INTERNAL_SECRET || (!safeCompare(token, FLY_INTERNAL_SECRET) && !safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) && !safeCompare(token, SERVICE_ROLE_JWT))) {
-                jsonResponse(res, 401, { error: "Unauthorized" }, corsHeaders);
-                return;
-            }
-            let rawBody;
-            try {
-                rawBody = await readBody(req);
-            }
-            catch {
-                rawBody = "{}";
-            }
-            let body;
-            try {
-                body = JSON.parse(rawBody || "{}");
-            }
-            catch {
-                jsonResponse(res, 400, { error: "Invalid JSON" }, corsHeaders);
-                return;
-            }
-            const supabase = getServiceClient();
-            const result = await processWorkflowSteps(supabase, body.batch_size || 10);
-            jsonResponse(res, 200, { success: true, ...result }, corsHeaders);
-            return;
-        }
-        // ================================================================
-        // Start workflow run — service-role or user auth
-        // POST /workflows/start
-        // ================================================================
-        if (pathname === "/workflows/start") {
-            const authHeader = req.headers.authorization;
-            const token = authHeader?.startsWith("Bearer ") ? authHeader.substring(7) : "";
-            const isInternal = safeCompare(token, FLY_INTERNAL_SECRET) || safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
-            if (!isInternal && !token) {
-                jsonResponse(res, 401, { error: "Missing authorization" }, corsHeaders);
-                return;
-            }
-            const supabase = getServiceClient();
-            // Verify user auth if not internal
-            if (!isInternal) {
-                const { data: { user: authUser }, error: authError } = await supabase.auth.getUser(token);
-                if (authError || !authUser) {
-                    jsonResponse(res, 401, { error: "Invalid or expired token" }, corsHeaders);
-                    return;
-                }
-            }
-            let rawBody;
-            try {
-                rawBody = await readBody(req);
-            }
-            catch {
-                jsonResponse(res, 413, { error: "Request body too large" }, corsHeaders);
-                return;
-            }
-            let body;
-            try {
-                body = JSON.parse(rawBody);
-            }
-            catch {
-                jsonResponse(res, 400, { error: "Invalid JSON" }, corsHeaders);
-                return;
-            }
-            // P0 FIX: Verify the workflow belongs to the requesting store before starting a run
-            if (body.workflow_id && body.store_id) {
-                const { data: wfOwner, error: wfOwnerErr } = await supabase
-                    .from("workflows")
-                    .select("id")
-                    .eq("id", body.workflow_id)
-                    .eq("store_id", body.store_id)
-                    .single();
-                if (wfOwnerErr || !wfOwner) {
-                    jsonResponse(res, 403, { error: "Workflow does not belong to this store" }, corsHeaders);
-                    return;
-                }
-            }
-            const { data, error } = await supabase.rpc("start_workflow_run", {
-                p_workflow_id: body.workflow_id,
-                p_store_id: body.store_id,
-                p_trigger_type: body.trigger_type || "api",
-                p_trigger_payload: body.trigger_payload || {},
-                p_idempotency_key: body.idempotency_key || null,
-            });
-            if (error) {
-                jsonResponse(res, 500, { success: false, error: error.message }, corsHeaders);
-            }
-            else {
-                // Phase 4: Set version_id if workflow has a published version
-                // Phase 1: Inline execution for API-triggered workflows
-                if (data?.success && data.run_id && !data.deduplicated) {
-                    try {
-                        const { data: wf } = await supabase.from("workflows")
-                            .select("published_version_id").eq("id", body.workflow_id).single();
-                        if (wf?.published_version_id) {
-                            await supabase.from("workflow_runs").update({ version_id: wf.published_version_id }).eq("id", data.run_id);
-                        }
-                        await executeInlineChain(supabase, data.run_id);
-                    }
-                    catch (err) {
-                        log.error({ err: err.message }, "start-inline chain error");
-                    }
-                }
-                jsonResponse(res, data?.success ? 200 : 422, data, corsHeaders);
-            }
-            return;
-        }
-        // ================================================================
-        // Standard auth gate for all other POST routes
-        // ================================================================
-        log.info({ method: req.method, path: pathname, contentLength: req.headers["content-length"] || "?" }, "request");
-        const authHeader = req.headers.authorization;
-        if (!authHeader?.startsWith("Bearer ")) {
-            req.resume(); // drain body to avoid Fly proxy stall
-            jsonResponse(res, 401, { error: "Missing authorization" }, corsHeaders);
-            return;
-        }
-        // Read body FIRST — before async auth calls (getUser, rate_limit).
-        // Node.js request streams are paused until consumed. If we do async network
-        // calls before reading, the TCP receive buffer fills up and Fly's proxy
-        // stalls with "error writing a body to connection" on large requests.
-        let rawBody;
+      body = JSON.parse(rawBody);
+    } catch (parseErr) {
+      const errMsg = parseErr instanceof Error ? parseErr.message : String(parseErr);
+      const bodyLen = rawBody.length;
+      const tail = bodyLen > 200 ? rawBody.slice(bodyLen - 200) : rawBody;
+      log.error({
+        bodyLen,
+        errMsg,
+        tail
+      }, "JSON parse failed on request body");
+      jsonResponse(res, 400, {
+        error: "Invalid JSON in request body",
+        detail: errMsg,
+        body_length: bodyLen
+      }, corsHeaders);
+      return;
+    }
+    // Anthropic API proxy mode
+    if (body.mode === "proxy") {
+      await handleProxy(res, body, corsHeaders);
+      return;
+    }
+    // Audio transcription mode (OpenAI Whisper)
+    if (body.mode === "transcribe") {
+      const {
+        audio_base64,
+        media_type,
+        store_id
+      } = body;
+      if (!audio_base64 || !media_type) {
+        jsonResponse(res, 400, {
+          error: "audio_base64 and media_type required"
+        }, corsHeaders);
+        return;
+      }
+      const sid = store_id || body.storeId;
+      if (!sid) {
+        jsonResponse(res, 400, {
+          error: "store_id required for transcription (needed to resolve OpenAI API key)"
+        }, corsHeaders);
+        return;
+      }
+      const result = await handleTranscribe(supabase, sid, audio_base64, media_type);
+      jsonResponse(res, result.success ? 200 : 422, result, corsHeaders);
+      return;
+    }
+    // Conversation compaction mode (Haiku summarization for non-Anthropic providers)
+    if (body.mode === "compact") {
+      const {
+        messages: compactMessages,
+        system_prompt
+      } = body;
+      if (!compactMessages || !Array.isArray(compactMessages) || !system_prompt) {
+        jsonResponse(res, 400, {
+          error: "messages (array) and system_prompt required"
+        }, corsHeaders);
+        return;
+      }
+      const anthropic = new Anthropic({
+        apiKey: ANTHROPIC_API_KEY
+      });
+      // Sanitize user-provided system prompt before passing to compaction
+      const sanitizedCompactPrompt = sanitizeAndLog(system_prompt, "compactionEndpoint");
+      const compactionResult = await generateCompaction({
+        anthropic,
+        messages: compactMessages,
+        systemPrompt: sanitizedCompactPrompt
+      });
+      jsonResponse(res, compactionResult.success ? 200 : 422, {
+        success: compactionResult.success,
+        compaction_content: compactionResult.content,
+        error: compactionResult.error
+      }, corsHeaders);
+      return;
+    }
+    // Direct tool execution mode
+    if (body.mode === "tool") {
+      const {
+        tool_name,
+        args,
+        store_id,
+        conversation_id,
+        trace_id
+      } = body;
+      if (!tool_name) {
+        jsonResponse(res, 400, {
+          error: "tool_name required"
+        }, corsHeaders);
+        return;
+      }
+      // Resolve and validate store_id (server-derived, not blindly trusted)
+      const resolvedToolStoreId = await resolveAndValidateStoreId(supabase, store_id || body.storeId, user, isServiceRole, token, body.userId);
+      if (!resolvedToolStoreId && !isServiceRole) {
+        jsonResponse(res, 400, {
+          error: "store_id required for tool execution"
+        }, corsHeaders);
+        return;
+      }
+      const validToolStoreId = resolvedToolStoreId || store_id;
+      // Phase 7.2: Per-tool rate limiting
+      const toolUserId = user?.id || body.userId || "anon";
+      const toolLimit = rateLimiter.checkToolLimit(toolUserId, tool_name);
+      if (!toolLimit.allowed) {
+        res.writeHead(429, {
+          "Retry-After": String(Math.ceil(toolLimit.retryAfterMs / 1000)),
+          "X-RateLimit-Remaining": "0",
+          "X-RateLimit-Bucket": toolLimit.bucket,
+          "Content-Type": "application/json",
+          ...corsHeaders
+        });
+        res.end(JSON.stringify({
+          error: `Tool rate limit exceeded for ${tool_name}`
+        }));
+        return;
+      }
+      // Load user tools if this is a user_tool__ prefixed call
+      let utRows;
+      if (tool_name.startsWith("user_tool__") && validToolStoreId) {
+        const {
+          rows
+        } = await loadUserTools(supabase, validToolStoreId);
+        utRows = rows;
+      }
+      const result = await executeTool(supabase, tool_name, args || {}, validToolStoreId || undefined, trace_id || undefined, user?.id || body.userId || null, user?.email || body.userEmail || null, body.source || "whale-code", conversation_id || undefined, utRows);
+      // Always 200 for tool results — success/failure is in the JSON body.
+      // HTTP 500 causes MCP clients to throw before reading the error message.
+      jsonResponse(res, 200, result, corsHeaders);
+      return;
+    }
+    // Streaming tool execution mode (NDJSON) — for tools with live progress (kali, etc.)
+    if (body.mode === "tool_stream") {
+      const {
+        tool_name,
+        args,
+        store_id
+      } = body;
+      if (!tool_name) {
+        jsonResponse(res, 400, {
+          error: "tool_name required"
+        }, corsHeaders);
+        return;
+      }
+      // Resolve and validate store_id
+      const resolvedStreamStoreId = await resolveAndValidateStoreId(supabase, store_id || body.storeId, user, isServiceRole, token, body.userId);
+      if (!resolvedStreamStoreId && !isServiceRole) {
+        jsonResponse(res, 400, {
+          error: "store_id required for tool execution"
+        }, corsHeaders);
+        return;
+      }
+      const validStreamStoreId = resolvedStreamStoreId || store_id;
+      // Phase 7.2: Per-tool rate limiting (stream mode)
+      const streamToolUserId = user?.id || body.userId || "anon";
+      const streamToolLimit = rateLimiter.checkToolLimit(streamToolUserId, tool_name);
+      if (!streamToolLimit.allowed) {
+        res.writeHead(429, {
+          "Retry-After": String(Math.ceil(streamToolLimit.retryAfterMs / 1000)),
+          "X-RateLimit-Remaining": "0",
+          "X-RateLimit-Bucket": streamToolLimit.bucket,
+          "Content-Type": "application/json",
+          ...corsHeaders
+        });
+        res.end(JSON.stringify({
+          error: `Tool rate limit exceeded for ${tool_name}`
+        }));
+        return;
+      }
+      res.writeHead(200, {
+        "Content-Type": "application/x-ndjson",
+        "Transfer-Encoding": "chunked",
+        ...corsHeaders
+      });
+      const onToolProgress = (_name, progress) => {
         try {
-            rawBody = await readBody(req);
-        }
-        catch {
-            jsonResponse(res, 413, { error: "Request body too large (max 500MB)" }, corsHeaders);
-            return;
-        }
-        const token = authHeader.substring(7);
-        const supabase = getServiceClient();
-        // Check service-role key
-        let user = null;
-        const isServiceRole = safeCompare(token, SUPABASE_SERVICE_ROLE_KEY) || safeCompare(token, SERVICE_ROLE_JWT);
-        if (!isServiceRole) {
-            try {
-                const { data: { user: authUser }, error: authError, } = await supabase.auth.getUser(token);
-                if (authError || !authUser) {
-                    jsonResponse(res, 401, { error: "Invalid or expired token" }, corsHeaders);
-                    return;
-                }
-                user = authUser;
-            }
-            catch (authErr) {
-                log.error({ err: authErr.message }, "auth getUser failed");
-                jsonResponse(res, 502, { error: "Auth service unavailable, please retry" }, corsHeaders);
-                return;
-            }
-        }
-        // Phase 7.2: In-memory token-bucket rate limiting (fast, before Supabase RPC)
-        {
-            const tier = isServiceRole ? "serviceRole" : user ? "authenticated" : "unauthenticated";
-            const rateLimitKey = user ? `user:${user.id}` : `ip:${req.socket.remoteAddress || "unknown"}`;
-            const memResult = rateLimiter.checkRequest(rateLimitKey, tier);
-            if (!memResult.allowed) {
-                res.writeHead(429, {
-                    "Retry-After": String(Math.ceil(memResult.retryAfterMs / 1000)),
-                    "X-RateLimit-Remaining": "0",
-                    "X-RateLimit-Bucket": memResult.bucket,
-                    "Content-Type": "application/json",
-                    ...corsHeaders,
-                });
-                res.end(JSON.stringify({ error: "Rate limit exceeded" }));
-                return;
-            }
-        }
-        // Persistent rate limiting via Supabase RPC (secondary check, skip for service-role) — 100 req/60s
-        if (user) {
-            const { data: rl } = await supabase.rpc("check_rate_limit", {
-                p_user_id: user.id,
-                p_window_seconds: 60,
-                p_max_requests: 100,
-            });
-            if (rl?.[0] && !rl[0].allowed) {
-                res.writeHead(429, {
-                    "Retry-After": String(rl[0].retry_after_seconds),
-                    "X-RateLimit-Remaining": "0",
-                    "Content-Type": "application/json",
-                    ...corsHeaders,
-                });
-                res.end(JSON.stringify({ error: "Rate limit exceeded" }));
-                return;
-            }
-        }
-        let body;
+          // Structured status events from kali — relay as type "status" for CLI ToolProgress handling
+          const p = progress;
+          if (p && p.type === "status" && p.progress) {
+            res.write(JSON.stringify({
+              type: "status",
+              progress: p.progress
+            }) + "\n");
+          } else {
+            res.write(JSON.stringify({
+              type: "progress",
+              progress
+            }) + "\n");
+          }
+        } catch {/* client disconnected */}
+      };
+      try {
+        const result = await executeTool(supabase, tool_name, args || {}, validStreamStoreId || undefined, body.trace_id || undefined, user?.id || body.userId || null, user?.email || body.userEmail || null, body.source || "whale-code-stream", body.conversation_id || undefined, undefined, undefined, onToolProgress);
+        res.write(JSON.stringify({
+          type: "result",
+          ...result
+        }) + "\n");
+      } catch (err) {
+        res.write(JSON.stringify({
+          type: "result",
+          success: false,
+          error: sanitizeError(err)
+        }) + "\n");
+      }
+      res.end();
+      return;
+    }
+    // CLI telemetry ingest — batch of spans from Whale Code CLI
+    if (body.mode === "telemetry_ingest") {
+      const spans = body.spans;
+      if (!Array.isArray(spans) || spans.length === 0) {
+        jsonResponse(res, 400, {
+          error: "spans array required"
+        }, corsHeaders);
+        return;
+      }
+      // Cap at 500 spans per request to prevent abuse
+      const batch = spans.slice(0, 500);
+      let queued = 0;
+      for (const raw of batch) {
         try {
-            body = JSON.parse(rawBody);
-        }
-        catch (parseErr) {
-            const errMsg = parseErr instanceof Error ? parseErr.message : String(parseErr);
-            const bodyLen = rawBody.length;
-            const tail = bodyLen > 200 ? rawBody.slice(bodyLen - 200) : rawBody;
-            log.error({ bodyLen, errMsg, tail }, "JSON parse failed on request body");
-            jsonResponse(res, 400, {
-                error: "Invalid JSON in request body",
-                detail: errMsg,
-                body_length: bodyLen,
-            }, corsHeaders);
-            return;
-        }
-        // Anthropic API proxy mode
-        if (body.mode === "proxy") {
-            await handleProxy(res, body, corsHeaders);
-            return;
-        }
-        // Audio transcription mode (OpenAI Whisper)
-        if (body.mode === "transcribe") {
-            const { audio_base64, media_type, store_id } = body;
-            if (!audio_base64 || !media_type) {
-                jsonResponse(res, 400, { error: "audio_base64 and media_type required" }, corsHeaders);
-                return;
-            }
-            const sid = store_id || body.storeId;
-            if (!sid) {
-                jsonResponse(res, 400, { error: "store_id required for transcription (needed to resolve OpenAI API key)" }, corsHeaders);
-                return;
-            }
-            const result = await handleTranscribe(supabase, sid, audio_base64, media_type);
-            jsonResponse(res, result.success ? 200 : 422, result, corsHeaders);
-            return;
-        }
-        // Conversation compaction mode (Haiku summarization for non-Anthropic providers)
-        if (body.mode === "compact") {
-            const { messages: compactMessages, system_prompt } = body;
-            if (!compactMessages || !Array.isArray(compactMessages) || !system_prompt) {
-                jsonResponse(res, 400, { error: "messages (array) and system_prompt required" }, corsHeaders);
-                return;
-            }
-            const anthropic = new Anthropic({ apiKey: ANTHROPIC_API_KEY });
-            // Sanitize user-provided system prompt before passing to compaction
-            const sanitizedCompactPrompt = sanitizeAndLog(system_prompt, "compactionEndpoint");
-            const compactionResult = await generateCompaction({
-                anthropic,
-                messages: compactMessages,
-                systemPrompt: sanitizedCompactPrompt,
-            });
-            jsonResponse(res, compactionResult.success ? 200 : 422, {
-                success: compactionResult.success,
-                compaction_content: compactionResult.content,
-                error: compactionResult.error,
-            }, corsHeaders);
-            return;
-        }
-        // Direct tool execution mode
-        if (body.mode === "tool") {
-            const { tool_name, args, store_id, conversation_id, trace_id } = body;
-            if (!tool_name) {
-                jsonResponse(res, 400, { error: "tool_name required" }, corsHeaders);
-                return;
-            }
-            // Resolve and validate store_id (server-derived, not blindly trusted)
-            const resolvedToolStoreId = await resolveAndValidateStoreId(supabase, store_id || body.storeId, user, isServiceRole, token, body.userId);
-            if (!resolvedToolStoreId && !isServiceRole) {
-                jsonResponse(res, 400, { error: "store_id required for tool execution" }, corsHeaders);
-                return;
-            }
-            const validToolStoreId = resolvedToolStoreId || store_id;
-            // Phase 7.2: Per-tool rate limiting
-            const toolUserId = user?.id || body.userId || "anon";
-            const toolLimit = rateLimiter.checkToolLimit(toolUserId, tool_name);
-            if (!toolLimit.allowed) {
-                res.writeHead(429, {
-                    "Retry-After": String(Math.ceil(toolLimit.retryAfterMs / 1000)),
-                    "X-RateLimit-Remaining": "0",
-                    "X-RateLimit-Bucket": toolLimit.bucket,
-                    "Content-Type": "application/json",
-                    ...corsHeaders,
-                });
-                res.end(JSON.stringify({ error: `Tool rate limit exceeded for ${tool_name}` }));
-                return;
-            }
-            // Load user tools if this is a user_tool__ prefixed call
-            let utRows;
-            if (tool_name.startsWith("user_tool__") && validToolStoreId) {
-                const { rows } = await loadUserTools(supabase, validToolStoreId);
-                utRows = rows;
-            }
-            const result = await executeTool(supabase, tool_name, (args || {}), validToolStoreId || undefined, trace_id || undefined, user?.id || body.userId || null, user?.email || body.userEmail || null, body.source || "whale-code", conversation_id || undefined, utRows);
-            // Always 200 for tool results — success/failure is in the JSON body.
-            // HTTP 500 causes MCP clients to throw before reading the error message.
-            jsonResponse(res, 200, result, corsHeaders);
-            return;
-        }
-        // Streaming tool execution mode (NDJSON) — for tools with live progress (kali, etc.)
-        if (body.mode === "tool_stream") {
-            const { tool_name, args, store_id } = body;
-            if (!tool_name) {
-                jsonResponse(res, 400, { error: "tool_name required" }, corsHeaders);
-                return;
-            }
-            // Resolve and validate store_id
-            const resolvedStreamStoreId = await resolveAndValidateStoreId(supabase, store_id || body.storeId, user, isServiceRole, token, body.userId);
-            if (!resolvedStreamStoreId && !isServiceRole) {
-                jsonResponse(res, 400, { error: "store_id required for tool execution" }, corsHeaders);
-                return;
-            }
-            const validStreamStoreId = resolvedStreamStoreId || store_id;
-            // Phase 7.2: Per-tool rate limiting (stream mode)
-            const streamToolUserId = user?.id || body.userId || "anon";
-            const streamToolLimit = rateLimiter.checkToolLimit(streamToolUserId, tool_name);
-            if (!streamToolLimit.allowed) {
-                res.writeHead(429, {
-                    "Retry-After": String(Math.ceil(streamToolLimit.retryAfterMs / 1000)),
-                    "X-RateLimit-Remaining": "0",
-                    "X-RateLimit-Bucket": streamToolLimit.bucket,
-                    "Content-Type": "application/json",
-                    ...corsHeaders,
-                });
-                res.end(JSON.stringify({ error: `Tool rate limit exceeded for ${tool_name}` }));
-                return;
-            }
-            res.writeHead(200, {
-                "Content-Type": "application/x-ndjson",
-                "Transfer-Encoding": "chunked",
-                ...corsHeaders,
+          // Enforce store_id from auth context, not client-provided
+          const resolvedStoreId = await resolveAndValidateStoreId(supabase, raw.store_id || body.store_id, user, isServiceRole, token, body.userId);
+          raw.store_id = resolvedStoreId || raw.store_id || null;
+          raw.user_id = raw.user_id || user?.id || body.userId || null;
+          raw.user_email = raw.user_email || user?.email || body.userEmail || null;
+          queueSpan(auditRowToSpan(raw));
+          queued++;
+        } catch {
+          // Skip malformed spans
+        }
+      }
+      // Also upsert ai_conversations row if conversation_id provided
+      if (body.conversation_id && body.store_id) {
+        try {
+          const convStoreId = await resolveAndValidateStoreId(supabase, body.store_id, user, isServiceRole, token, body.userId);
+          if (convStoreId) {
+            await supabase.from("ai_conversations").upsert({
+              id: body.conversation_id,
+              store_id: convStoreId,
+              user_id: user?.id || body.userId || null,
+              title: body.conversation_title || "CLI Session",
+              metadata: {
+                source: body.source || "whale_cli",
+                hostname: body.hostname,
+                version: body.version
+              }
+            }, {
+              onConflict: "id"
             });
-            const onToolProgress = (_name, progress) => {
-                try {
-                    // Structured status events from kali — relay as type "status" for CLI ToolProgress handling
-                    const p = progress;
-                    if (p && p.type === "status" && p.progress) {
-                        res.write(JSON.stringify({ type: "status", progress: p.progress }) + "\n");
-                    }
-                    else {
-                        res.write(JSON.stringify({ type: "progress", progress }) + "\n");
-                    }
-                }
-                catch { /* client disconnected */ }
-            };
-            try {
-                const result = await executeTool(supabase, tool_name, (args || {}), validStreamStoreId || undefined, body.trace_id || undefined, user?.id || body.userId || null, user?.email || body.userEmail || null, body.source || "whale-code-stream", body.conversation_id || undefined, undefined, undefined, onToolProgress);
-                res.write(JSON.stringify({ type: "result", ...result }) + "\n");
-            }
-            catch (err) {
-                res.write(JSON.stringify({ type: "result", success: false, error: sanitizeError(err) }) + "\n");
-            }
-            res.end();
-            return;
-        }
-        // CLI telemetry ingest — batch of spans from Whale Code CLI
-        if (body.mode === "telemetry_ingest") {
-            const spans = body.spans;
-            if (!Array.isArray(spans) || spans.length === 0) {
-                jsonResponse(res, 400, { error: "spans array required" }, corsHeaders);
-                return;
-            }
-            // Cap at 500 spans per request to prevent abuse
-            const batch = spans.slice(0, 500);
-            let queued = 0;
-            for (const raw of batch) {
-                try {
-                    // Enforce store_id from auth context, not client-provided
-                    const resolvedStoreId = await resolveAndValidateStoreId(supabase, raw.store_id || body.store_id, user, isServiceRole, token, body.userId);
-                    raw.store_id = resolvedStoreId || raw.store_id || null;
-                    raw.user_id = raw.user_id || user?.id || body.userId || null;
-                    raw.user_email = raw.user_email || user?.email || body.userEmail || null;
-                    queueSpan(auditRowToSpan(raw));
-                    queued++;
-                }
-                catch {
-                    // Skip malformed spans
-                }
-            }
-            // Also upsert ai_conversations row if conversation_id provided
-            if (body.conversation_id && body.store_id) {
-                try {
-                    const convStoreId = await resolveAndValidateStoreId(supabase, body.store_id, user, isServiceRole, token, body.userId);
-                    if (convStoreId) {
-                        await supabase.from("ai_conversations").upsert({
-                            id: body.conversation_id,
-                            store_id: convStoreId,
-                            user_id: user?.id || body.userId || null,
-                            title: body.conversation_title || "CLI Session",
-                            metadata: {
-                                source: body.source || "whale_cli",
-                                hostname: body.hostname,
-                                version: body.version,
-                            },
-                        }, { onConflict: "id" });
-                    }
-                }
-                catch {
-                    // Non-critical — spans still ingested
-                }
-            }
-            jsonResponse(res, 200, { success: true, queued }, corsHeaders);
-            return;
-        }
-        // Agent chat mode (SSE)
-        await handleAgentChat(req, res, supabase, body, user, isServiceRole, token, corsHeaders);
-    }
-    catch (err) {
-        if (!res.headersSent) {
-            jsonResponse(res, 500, { error: sanitizeError(err) }, corsHeaders);
-        }
-    }
-});
-// Inject tool executor into workflow engine (avoids circular dependency)
-setToolExecutor((supabase, toolName, args, storeId, traceId) => {
-    // Store boundary validation: prevent workflows from accessing other stores
-    if (args.store_id && args.store_id !== storeId) {
-        return Promise.resolve({ success: false, error: "Store boundary violation: workflow cannot access other stores" });
-    }
-    args.store_id = storeId; // Force the workflow's store
-    return executeTool(supabase, toolName, args, storeId, traceId, null, null, "workflow_engine");
+          }
+        } catch {
+          // Non-critical — spans still ingested
+        }
+      }
+      jsonResponse(res, 200, {
+        success: true,
+        queued
+      }, corsHeaders);
+      return;
+    }
+    // Agent chat mode (SSE)
+    await handleAgentChat(req, res, supabase, body, user, isServiceRole, token, corsHeaders);
+  } catch (err) {
+    if (!res.headersSent) {
+      jsonResponse(res, 500, {
+        error: sanitizeError(err)
+      }, corsHeaders);
+    }
+  }
 });
-// Inject agent executor for "agent" step type in workflows
-setAgentExecutor(async (supabase, agentId, prompt, storeId, maxTurns = 5, onToken, traceId) => {
-    const agent = await loadAgentConfig(supabase, agentId, storeId);
-    if (!agent)
-        return { success: false, error: `Agent ${agentId} not found` };
-    // Workflow agents get all tools (no lazy loading — they run headless)
-    const { all: allTools } = await loadTools(supabase);
-    const { rows: userToolRows, defs: userToolDefs } = await loadUserTools(supabase, storeId);
-    const tools = getToolsForAgent(agent, allTools, userToolDefs);
-    const agentModel = agent.model || MODELS.SONNET;
-    // Resolve all behavioral config from DB — workflow maxTurns caps agent config
-    const resolved = resolveAgentLoopConfig(agent, "workflow", maxTurns);
-    if (resolved.defaultsUsed.length > 0) {
-        log.info({ agentId, callPath: "workflow", defaults: resolved.defaultsUsed }, "workflow agent config defaults applied");
-    }
-    // Build full system prompt — shared helper ensures workflow gets same context as SSE/channel
-    // (previously hand-built, missing location/customer context)
-    const { systemPrompt } = await buildAgentSystemPrompt(supabase, agent, storeId, prompt, tools);
-    try {
-        const result = await runServerAgentLoop({
-            anthropic: getAnthropicClient(agent),
-            supabase,
-            model: agentModel,
-            systemPrompt,
-            messages: [{ role: "user", content: prompt }],
-            tools,
-            // All behavioral knobs from resolved config — DB is single source of truth
-            maxTurns: resolved.maxTurns,
-            temperature: resolved.temperature,
-            maxTokens: resolved.maxTokens,
-            maxConcurrentTools: resolved.maxConcurrentTools,
-            enableDelegation: resolved.enableDelegation,
-            enableModelRouting: resolved.enableModelRouting,
-            contextOverrides: resolved.contextOverrides,
-            subagentMaxTokens: resolved.subagentMaxTokens,
-            subagentMaxTurns: resolved.subagentMaxTurns,
-            subagentTemperature: resolved.subagentTemperature,
-            storeId,
-            source: "workflow_agent",
-            agentId,
-            traceId,
-            executeTool: async (toolName, args) => {
-                const toolArgs = { ...args };
-                if (!toolArgs.store_id)
-                    toolArgs.store_id = storeId;
-                return executeTool(supabase, toolName, toolArgs, storeId, traceId, null, null, "workflow_agent", undefined, userToolRows, agentId, undefined, true);
-            },
-            enableStreaming: !!onToken,
-            onText: onToken || undefined,
-            maxDurationMs: resolved.maxDurationMs,
-        });
-        return { success: true, response: result.finalText || "(no response)" };
-    }
-    catch (err) {
-        return { success: false, error: sanitizeError(err) };
-    }
-});
-// Inject token broadcaster for real-time agent step streaming
-setTokenBroadcaster((runId, stepKey, token) => {
-    broadcastToRun(runId, { type: "agent_token", run_id: runId, step_key: stepKey, token });
-});
-// Inject step error broadcaster for real-time workflow error surfacing
-setStepErrorBroadcaster((runId, data) => {
-    broadcastToRun(runId, data);
-});
-// Shared agent invoker — used by channel messages, webchat, and any source
-// Uses shared helpers so it's IDENTICAL to CLI chat — same prompt, tools, memory, persistence, audit
-async function invokeAgentForChannel(supabase, agentId, message, storeId, conversationId, senderContext) {
-    const agent = await loadAgentConfig(supabase, agentId, storeId);
-    if (!agent)
-        return { success: false, error: `Agent ${agentId} not found` };
-    const { core: coreTools, extended: extendedTools } = await loadTools(supabase);
-    setExtendedToolsCache(extendedTools);
-    const { rows: userToolRows, defs: userToolDefs } = await loadUserTools(supabase, storeId);
-    const tools = getToolsForAgent(agent, coreTools, userToolDefs);
-    const agentModel = agent.model || MODELS.SONNET;
-    // Resolve all behavioral config from DB — channel has 15-turn safety cap built in
-    const resolved = resolveAgentLoopConfig(agent, "channel");
-    if (resolved.defaultsUsed.length > 0) {
-        log.info({ agentId, callPath: "channel", defaults: resolved.defaultsUsed }, "channel agent config defaults applied");
-    }
-    // Build system prompt — shared helper, identical to SSE chat
-    const { systemPrompt, dynamicContext } = await buildAgentSystemPrompt(supabase, agent, storeId, message, tools, { senderContext, extendedTools: getExtendedToolsIndex() });
-    // Update ai_conversations with agent_id (fire-and-forget)
-    if (conversationId) {
-        Promise.resolve(supabase.from("ai_conversations").update({ agent_id: agentId }).eq("id", conversationId).is("agent_id", null)).catch(() => { });
-    }
-    // Load conversation history with size-based compaction (same as SSE chat)
-    const MAX_HISTORY_CHARS = resolved.maxHistoryChars;
-    let loadedHistory = [];
-    if (conversationId) {
-        try {
-            const { data: history } = await supabase
-                .from("ai_messages")
-                .select("role, content")
-                .eq("conversation_id", conversationId)
-                .order("created_at", { ascending: true })
-                .limit(50);
-            if (history?.length) {
-                const raw = [];
-                for (const m of history) {
-                    if (m.role === "user" || m.role === "assistant") {
-                        raw.push({ role: m.role, content: m.content });
-                    }
-                }
-                loadedHistory = compactHistory(raw, MAX_HISTORY_CHARS);
-            }
-        }
-        catch { /* history not critical */ }
-    }
-    // Prepend dynamic context to user message to keep system prompt static (cache-friendly)
-    const contextPrefix = dynamicContext ? `[Context]\n${dynamicContext}\n\n[User Message]\n` : "";
-    const finalMessage = contextPrefix + message;
-    const messages = [...loadedHistory, { role: "user", content: finalMessage }];
-    const traceId = randomUUID();
-    const chatStartTime = Date.now();
-    try {
-        const result = await runServerAgentLoop({
-            anthropic: getAnthropicClient(agent),
-            supabase,
-            model: agentModel,
-            systemPrompt,
-            messages,
-            tools,
-            extendedTools,
-            // All behavioral knobs from resolved config — DB is single source of truth
-            maxTurns: resolved.maxTurns,
-            temperature: resolved.temperature,
-            maxTokens: resolved.maxTokens,
-            maxConcurrentTools: resolved.maxConcurrentTools,
-            enableDelegation: resolved.enableDelegation,
-            enableModelRouting: resolved.enableModelRouting,
-            contextOverrides: resolved.contextOverrides,
-            subagentMaxTokens: resolved.subagentMaxTokens,
-            subagentMaxTurns: resolved.subagentMaxTurns,
-            subagentTemperature: resolved.subagentTemperature,
-            storeId,
-            source: "channel_agent",
-            agentId,
-            traceId,
-            conversationId,
-            executeTool: async (toolName, args) => {
-                const toolArgs = { ...args };
-                if (!toolArgs.store_id)
-                    toolArgs.store_id = storeId;
-                // Pass sender context as user identity so node-triggered tool calls aren't anonymous
-                const senderUserId = senderContext?.customerId || null;
-                const senderUserLabel = senderContext?.customerName || senderContext?.senderName
-                    || (senderContext?.senderId ? `${senderContext.channelType}:${senderContext.senderId}` : null);
-                return executeTool(supabase, toolName, toolArgs, storeId, traceId, senderUserId, senderUserLabel, "channel_agent", conversationId, userToolRows, agentId, undefined, true);
-            },
-            enableStreaming: false,
-            maxDurationMs: resolved.maxDurationMs,
-        });
-        // Persist everything — shared helper, identical to SSE chat
-        await persistAgentTurn(supabase, agent, {
-            conversationId, storeId, agentId, agentModel, traceId, message, result,
-            source: "channel_agent",
-            chatStartTime, chatEndTime: Date.now(),
-            userId: senderContext?.customerId || undefined,
-            userEmail: senderContext?.customerName || senderContext?.senderName
-                || (senderContext?.senderId ? `${senderContext.channelType}:${senderContext.senderId}` : undefined),
-            senderContext,
-        });
-        return { success: true, response: result.finalText || "(no response)" };
-    }
-    catch (err) {
-        return { success: false, error: err.message };
-    }
-}
+// Wire executors into workflow engine (extracted modules — no inline duplicates)
+wireToolExecutor();
+wireAgentExecutor();
+wireBroadcasters();
 // Wire both channel and webchat to the same invoker
 setNodeAgentInvoker(invokeAgentForChannel);
 webchatAgentInvoker = invokeAgentForChannel;
-// ============================================================================
-// NODE OFFLINE DETECTION
-// ============================================================================
-async function enforceNodeOfflineStatus(supabase) {
-    const threshold = new Date(Date.now() - 3 * 60_000).toISOString(); // 3 missed heartbeats (60s interval)
-    const { data } = await supabase
-        .from("nodes")
-        .update({ status: "offline" })
-        .eq("status", "online")
-        .lt("last_heartbeat", threshold)
-        .select("id");
-    return data?.length || 0;
-}
-// ============================================================================
-// PERSISTENT WORKFLOW WORKER LOOP (5-second interval)
-// ============================================================================
-// Phase 3.1: Increased from 5s to 15s — NOTIFY-driven execution handles the fast path
-// Worker loop is now a safety net for missed notifications
-const BASE_WORKER_INTERVAL_MS = 15_000;
-const MAX_WORKER_INTERVAL_MS = 60_000;
-let workerRunning = false;
-let consecutiveErrors = 0;
-let currentWorkerInterval = BASE_WORKER_INTERVAL_MS;
-async function workflowWorkerLoop() {
-    if (workerRunning)
-        return; // Prevent concurrent runs
-    workerRunning = true;
-    try {
-        const supabase = getServiceClient();
-        const [stepResult, waitingResolved] = await Promise.all([
-            processWorkflowSteps(supabase, 10),
-            processWaitingSteps(supabase),
-            Promise.resolve(supabase.rpc("expire_pending_waitpoints")).then(() => { }).catch(e => log.warn({ err: e.message }, "expire_pending_waitpoints failed")), // Non-fatal
-        ]);
-        // Schedule triggers + timeout enforcement + event triggers + orphan cleanup + DLQ retries + node offline detection
-        const [scheduled, timedOut, eventsProcessed, orphansCleaned, dlqRetried, nodesOfflined] = await Promise.all([
-            processScheduleTriggers(supabase).catch(e => { log.warn({ err: e.message }, "processScheduleTriggers failed"); return 0; }),
-            enforceWorkflowTimeouts(supabase).catch(e => { log.warn({ err: e.message }, "enforceWorkflowTimeouts failed"); return 0; }),
-            processEventTriggers(supabase).catch(e => { log.warn({ err: e.message }, "processEventTriggers failed"); return 0; }),
-            cleanupOrphanedSteps(supabase).catch(e => { log.warn({ err: e.message }, "cleanupOrphanedSteps failed"); return 0; }),
-            processDlqRetries(supabase).catch(e => { log.warn({ err: e.message }, "processDlqRetries failed"); return 0; }),
-            enforceNodeOfflineStatus(supabase).catch(e => { log.warn({ err: e.message }, "enforceNodeOfflineStatus failed"); return 0; }),
-        ]);
-        if (stepResult.processed > 0 || waitingResolved > 0 || scheduled > 0 || timedOut > 0 || eventsProcessed > 0 || stepResult.reclaimed > 0 || orphansCleaned > 0 || dlqRetried > 0 || nodesOfflined > 0) {
-            log.info({ processed: stepResult.processed, errors: stepResult.errors, reclaimed: stepResult.reclaimed || 0, waiting: waitingResolved, scheduled, timedOut, events: eventsProcessed, orphans: orphansCleaned, dlqRetries: dlqRetried, nodesOfflined }, "worker tick");
-        }
-        // Reset backoff on success
-        if (consecutiveErrors > 0) {
-            consecutiveErrors = 0;
-            if (currentWorkerInterval !== BASE_WORKER_INTERVAL_MS) {
-                currentWorkerInterval = BASE_WORKER_INTERVAL_MS;
-                clearInterval(workerInterval);
-                workerInterval = setInterval(workflowWorkerLoop, currentWorkerInterval);
-                log.info({ intervalMs: currentWorkerInterval }, "worker interval reset after recovery");
-            }
-        }
-    }
-    catch (err) {
-        consecutiveErrors++;
-        log.error({ err: sanitizeError(err), consecutiveErrors }, "worker error");
-        // Exponential backoff: 5s → 10s → 20s → 40s → 60s (cap)
-        if (consecutiveErrors >= 3) {
-            const newInterval = Math.min(BASE_WORKER_INTERVAL_MS * Math.pow(2, consecutiveErrors - 2), MAX_WORKER_INTERVAL_MS);
-            if (newInterval !== currentWorkerInterval) {
-                currentWorkerInterval = newInterval;
-                clearInterval(workerInterval);
-                workerInterval = setInterval(workflowWorkerLoop, currentWorkerInterval);
-                log.warn({ intervalMs: currentWorkerInterval, consecutiveErrors }, "worker interval increased due to repeated errors");
-            }
-        }
-    }
-    finally {
-        workerRunning = false;
-    }
-}
-let workerInterval = setInterval(workflowWorkerLoop, BASE_WORKER_INTERVAL_MS);
+// Start persistent workflow worker loop (extracted module)
+startWorkerLoop();
 // Initialize shared Supabase client with retry logic before server starts
 initSupabase(SUPABASE_URL, SUPABASE_SERVICE_ROLE_KEY);
 server.listen(PORT, () => {
-    log.info({ port: PORT, supabaseUrl: SUPABASE_URL, runtime: process.version, workerIntervalMs: BASE_WORKER_INTERVAL_MS }, "server listening");
-    // Initialize code worker pool for fast code step execution
-    try {
-        initWorkerPool();
-        const stats = getPoolStats();
-        log.info({ workers: stats.total }, "code worker pool initialized");
-        workerPoolReady = true;
-    }
-    catch (err) {
-        log.error({ err: err.message }, "worker pool init failed");
-    }
-    // Initialize local agent WebSocket gateway
-    try {
-        initLocalAgentGateway(server);
-    }
-    catch (err) {
-        log.error({ err: err.message }, "local-agent gateway init failed");
-    }
-    // Phase 3: Start pg LISTEN for real-time SSE streaming
-    setupPgListen().catch((err) => {
-        log.error({ err: err.message }, "pg-listen setup failed");
-    });
-    // Phase 4.2: Mark orphaned conversations as resumable
-    const serverBootTime = new Date();
-    markOrphaned(getServiceClient(), serverBootTime)
-        .then((count) => {
-        if (count > 0)
-            log.info({ count }, "orphaned conversations marked resumable");
-    })
-        .catch((err) => {
-        log.warn({ err: err.message }, "markOrphaned failed (table may not exist yet)");
-    });
+  log.info({
+    port: PORT,
+    supabaseUrl: SUPABASE_URL,
+    runtime: process.version
+  }, "server listening");
+  // Initialize code worker pool for fast code step execution
+  try {
+    initWorkerPool();
+    const stats = getPoolStats();
+    log.info({
+      workers: stats.total
+    }, "code worker pool initialized");
+    workerPoolReady = true;
+  } catch (err) {
+    log.error({
+      err: err.message
+    }, "worker pool init failed");
+  }
+  // Initialize local agent WebSocket gateway
+  try {
+    initLocalAgentGateway(server);
+  } catch (err) {
+    log.error({
+      err: err.message
+    }, "local-agent gateway init failed");
+  }
+  // Phase 3: Start pg LISTEN for real-time SSE streaming
+  setupPgListen().catch(err => {
+    log.error({
+      err: err.message
+    }, "pg-listen setup failed");
+  });
+  // Phase 4.2: Mark orphaned conversations as resumable
+  const serverBootTime = new Date();
+  markOrphaned(getServiceClient(), serverBootTime).then(count => {
+    if (count > 0) log.info({
+      count
+    }, "orphaned conversations marked resumable");
+  }).catch(err => {
+    log.warn({
+      err: err.message
+    }, "markOrphaned failed (table may not exist yet)");
+  });
 });
 // ============================================================================
 // GRACEFUL SHUTDOWN
 // ============================================================================
 async function gracefulShutdown(signal) {
-    log.info({ signal, activeRequests }, "received shutdown signal, shutting down gracefully");
-    // 1. Stop accepting new connections
-    server.close(() => {
-        log.info("HTTP server closed");
-    });
-    // 2. Clear workflow worker intervals
-    clearInterval(workerInterval);
-    clearInterval(sseCleanupInterval);
-    // 3. Close all SSE client connections
-    for (const [, clients] of sseClients) {
-        for (const res of clients) {
-            try {
-                res.end();
-            }
-            catch { /* client already disconnected — benign */ }
-        }
-        clients.clear();
-    }
-    sseClients.clear();
-    // 3b. Flush ClickHouse span buffer before shutdown (prevents data loss on crash)
-    try {
-        await flushSpans();
-        log.info("span buffer flushed");
-    }
-    catch (err) {
-        log.error({ err: err.message }, "span buffer flush error");
-    }
-    // 4. Shut down code worker pool
-    try {
-        shutdownPool();
-        log.info("worker pool shut down");
-    }
-    catch (err) {
-        log.error({ err: err.message }, "worker pool shutdown error");
-    }
-    // 4b. Shut down local agent gateway
-    try {
-        shutdownAgentGateway();
-    }
-    catch (err) {
-        log.error({ err: err.message }, "agent gateway shutdown error");
-    }
-    // 4c. Shut down rate limiter
-    rateLimiter.shutdown();
-    // 5. Close pg LISTEN connection
-    if (pgClient) {
-        pgClient.end().catch(() => { });
-        pgClient = null;
-        log.info("pg LISTEN connection closed");
-    }
-    // 6. Wait for active requests to drain (up to 25 seconds)
-    const drainStart = Date.now();
-    const drainInterval = setInterval(() => {
-        if (activeRequests <= 0 || Date.now() - drainStart > 25_000) {
-            clearInterval(drainInterval);
-            log.info({ activeRequests }, "drain complete, exiting");
-            process.exit(activeRequests > 0 ? 1 : 0);
-        }
-        log.info({ activeRequests }, "waiting for active requests to drain...");
-    }, 1000);
-    // 7. Force exit after 30 seconds if graceful shutdown hangs (increased from 10s)
-    setTimeout(() => {
-        log.fatal({ activeRequests }, "graceful shutdown timed out after 30s, forcing exit");
-        process.exit(1);
-    }, 30_000).unref();
+  log.info({
+    signal,
+    activeRequests
+  }, "received shutdown signal, shutting down gracefully");
+  // 1. Stop accepting new connections
+  server.close(() => {
+    log.info("HTTP server closed");
+  });
+  // 2. Clear workflow worker + SSE cleanup intervals
+  stopWorkerLoop();
+  clearInterval(sseCleanupInterval);
+  // 3. Close all SSE client connections
+  const sseClients = getSseClients();
+  for (const [, clients] of sseClients) {
+    for (const res of clients) {
+      try {
+        res.end();
+      } catch {/* client already disconnected — benign */}
+    }
+    clients.clear();
+  }
+  sseClients.clear();
+  // 3b. Flush ClickHouse span buffer before shutdown (prevents data loss on crash)
+  try {
+    await flushSpans();
+    log.info("span buffer flushed");
+  } catch (err) {
+    log.error({
+      err: err.message
+    }, "span buffer flush error");
+  }
+  // 4. Shut down code worker pool
+  try {
+    shutdownPool();
+    log.info("worker pool shut down");
+  } catch (err) {
+    log.error({
+      err: err.message
+    }, "worker pool shutdown error");
+  }
+  // 4b. Shut down local agent gateway
+  try {
+    shutdownAgentGateway();
+  } catch (err) {
+    log.error({
+      err: err.message
+    }, "agent gateway shutdown error");
+  }
+  // 4c. Shut down rate limiter
+  rateLimiter.shutdown();
+  // 5. Close pg LISTEN connection
+  closePgClient();
+  // 6. Wait for active requests to drain (up to 25 seconds)
+  const drainStart = Date.now();
+  const drainInterval = setInterval(() => {
+    if (activeRequests <= 0 || Date.now() - drainStart > 25_000) {
+      clearInterval(drainInterval);
+      log.info({
+        activeRequests
+      }, "drain complete, exiting");
+      process.exit(activeRequests > 0 ? 1 : 0);
+    }
+    log.info({
+      activeRequests
+    }, "waiting for active requests to drain...");
+  }, 1000);
+  // 7. Force exit after 30 seconds if graceful shutdown hangs (increased from 10s)
+  setTimeout(() => {
+    log.fatal({
+      activeRequests
+    }, "graceful shutdown timed out after 30s, forcing exit");
+    process.exit(1);
+  }, 30_000).unref();
 }
 process.on("SIGTERM", () => gracefulShutdown("SIGTERM"));
 process.on("SIGINT", () => gracefulShutdown("SIGINT"));
+//# sourceMappingURL=index.js.map