yaport 0.1.0

package/dist/server/cli.js

@@ -0,0 +1,967 @@
+import express from "express";
+import { spawn } from "node:child_process";
+import { statSync } from "node:fs";
+import { chmod, mkdir, mkdtemp, readFile, rm, writeFile } from "node:fs/promises";
+import { homedir, tmpdir } from "node:os";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { ZodError, z } from "zod";
+import { createHash, randomUUID } from "node:crypto";
+//#region src/shared/sshTimeouts.ts
+var CONNECT_TIMEOUT_SECONDS_OPTIONS = [
+	8,
+	15,
+	30,
+	60
+];
+var COMMAND_TIMEOUT_SECONDS_OPTIONS = [
+	12,
+	30,
+	45,
+	90
+];
+function defaultCommandTimeoutSeconds(connectTimeoutSeconds) {
+	return connectTimeoutSeconds >= 60 ? 90 : 45;
+}
+//#endregion
+//#region src/server/machineStore.ts
+var passwordSchema = z.preprocess((value) => value === "" ? void 0 : value, z.string().min(1).max(1024).refine((value) => !/[\r\n]/.test(value), "Password must be a single line.").optional());
+var connectionEndpointSchema = z.object({
+	host: z.string().trim().min(1).max(255).regex(/^[A-Za-z0-9_.:-]+$/),
+	port: z.coerce.number().int().min(1).max(65535).optional(),
+	user: z.string().trim().min(1).max(64).regex(/^[A-Za-z0-9._-]+$/).optional(),
+	password: passwordSchema
+});
+var connectTimeoutSchema = timeoutChoiceSchema(CONNECT_TIMEOUT_SECONDS_OPTIONS, "连接超时");
+var commandTimeoutSchema = timeoutChoiceSchema(COMMAND_TIMEOUT_SECONDS_OPTIONS, "命令超时");
+var machineInputSchema = z.object({
+	name: z.string().trim().min(1).max(80),
+	host: connectionEndpointSchema.shape.host,
+	password: connectionEndpointSchema.shape.password,
+	port: connectionEndpointSchema.shape.port,
+	user: connectionEndpointSchema.shape.user,
+	connectTimeoutSeconds: connectTimeoutSchema.optional(),
+	commandTimeoutSeconds: commandTimeoutSchema.optional(),
+	jumpHosts: z.array(connectionEndpointSchema).max(2).optional()
+}).transform((input) => {
+	const connectTimeoutSeconds = input.connectTimeoutSeconds ?? 15;
+	return {
+		...input,
+		connectTimeoutSeconds,
+		commandTimeoutSeconds: input.commandTimeoutSeconds ?? defaultCommandTimeoutSeconds(connectTimeoutSeconds)
+	};
+}).superRefine((input, context) => {
+	if (input.commandTimeoutSeconds <= input.connectTimeoutSeconds) context.addIssue({
+		code: "custom",
+		path: ["commandTimeoutSeconds"],
+		message: "命令超时必须大于连接超时。"
+	});
+});
+var emptyMachineFile = { machines: [] };
+function timeoutChoiceSchema(options, label) {
+	return z.coerce.number().int().refine((value) => options.includes(value), { message: `${label}必须是 ${options.join(" / ")} 秒之一。` });
+}
+var JsonMachineStore = class {
+	filePath;
+	constructor(filePath) {
+		this.filePath = filePath;
+	}
+	async list() {
+		return (await this.read()).machines;
+	}
+	async get(id) {
+		return (await this.list()).find((machine) => machine.id === id);
+	}
+	async add(input) {
+		const file = await this.read();
+		const machine = {
+			id: randomUUID(),
+			...input,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString()
+		};
+		await this.write({ machines: [...file.machines, machine] });
+		return machine;
+	}
+	async read() {
+		try {
+			const raw = await readFile(this.filePath, "utf8");
+			const parsed = JSON.parse(raw);
+			return { machines: Array.isArray(parsed.machines) ? parsed.machines : [] };
+		} catch (error) {
+			if (error instanceof Error && "code" in error && error.code === "ENOENT") return emptyMachineFile;
+			throw error;
+		}
+	}
+	async write(file) {
+		await mkdir(dirname(this.filePath), {
+			recursive: true,
+			mode: 448
+		});
+		await writeFile(this.filePath, `${JSON.stringify(file, null, 2)}\n`, {
+			encoding: "utf8",
+			mode: 384
+		});
+		await chmod(this.filePath, 384);
+	}
+};
+//#endregion
+//#region src/server/nginxExternalRoutes.ts
+function parseNginxExternalRoutes(config) {
+	return extractServerBlocks(stripComments(config)).flatMap((block) => {
+		const validNames = block.serverNames.filter(isDisplayableServerName);
+		return block.listens.flatMap((listen) => validNames.map((serverName) => ({
+			port: listen.port,
+			serverName,
+			source: "nginx",
+			url: routeUrl(serverName, listen)
+		})));
+	});
+}
+function attachExternalRoutes(ports, routes) {
+	const routesByPort = /* @__PURE__ */ new Map();
+	for (const route of routes) routesByPort.set(route.port, [...routesByPort.get(route.port) ?? [], route]);
+	return ports.map((port) => {
+		const externalRoutes = routesByPort.get(port.port);
+		if (!externalRoutes?.length) return port;
+		return {
+			...port,
+			externalRoutes
+		};
+	});
+}
+function stripComments(config) {
+	return config.split("\n").map((line) => line.replace(/(^|[^\\])#.*/, "$1")).join("\n");
+}
+function extractServerBlocks(config) {
+	const blocks = [];
+	const serverBlockPattern = /server\s*\{/g;
+	let match;
+	while (match = serverBlockPattern.exec(config)) {
+		const blockStart = match.index + match[0].length;
+		const blockEnd = findMatchingBrace(config, blockStart - 1);
+		if (blockEnd === -1) continue;
+		blocks.push(parseServerBlock(config.slice(blockStart, blockEnd)));
+		serverBlockPattern.lastIndex = blockEnd + 1;
+	}
+	return blocks;
+}
+function findMatchingBrace(config, openBraceIndex) {
+	let depth = 0;
+	for (let index = openBraceIndex; index < config.length; index += 1) {
+		if (config[index] === "{") depth += 1;
+		if (config[index] === "}") {
+			depth -= 1;
+			if (depth === 0) return index;
+		}
+	}
+	return -1;
+}
+function parseServerBlock(block) {
+	const directives = block.split(";").map((directive) => directive.trim()).filter(Boolean);
+	return {
+		listens: directives.filter((directive) => directive.startsWith("listen ")).flatMap(parseListenDirective),
+		serverNames: directives.filter((directive) => directive.startsWith("server_name ")).flatMap(parseServerNames)
+	};
+}
+function parseListenDirective(directive) {
+	const tokens = directive.split(/\s+/).slice(1);
+	const endpoint = tokens[0];
+	if (!endpoint) return [];
+	const port = parseListenPort(endpoint);
+	if (!port) return [];
+	return [{
+		port,
+		ssl: tokens.includes("ssl")
+	}];
+}
+function parseListenPort(endpoint) {
+	const normalized = endpoint.startsWith("[") ? endpoint.replace(/^\[[^\]]+\]:/, "") : endpoint;
+	const portValue = normalized.includes(":") ? normalized.slice(normalized.lastIndexOf(":") + 1) : normalized;
+	const port = Number(portValue);
+	if (!Number.isInteger(port) || port < 1 || port > 65535) return;
+	return port;
+}
+function parseServerNames(directive) {
+	return directive.split(/\s+/).slice(1);
+}
+function isDisplayableServerName(serverName) {
+	return Boolean(serverName) && serverName !== "_" && !serverName.includes("$") && /^[A-Za-z0-9.-]+$/.test(serverName);
+}
+function routeUrl(serverName, listen) {
+	if (listen.port === 443) return `https://${serverName}`;
+	return `http://${serverName}:${listen.port}`;
+}
+//#endregion
+//#region src/server/portInventory.ts
+function parseSsListeningPorts(output) {
+	return output.split("\n").map((line) => line.trim()).filter(Boolean).flatMap((line) => parseSsLine(line));
+}
+function parseSsLine(line) {
+	const columns = line.split(/\s+/);
+	const protocol = normalizeProtocol(columns[0]);
+	const state = columns[1];
+	const endpoint = parseEndpoint(columns[4]);
+	if (!protocol || !state || !endpoint) return [];
+	const rawProcess = columns.slice(6).join(" ") || void 0;
+	const process = rawProcess ? parseProcess(rawProcess) : {};
+	return [{
+		protocol,
+		state,
+		address: endpoint.address,
+		port: endpoint.port,
+		...process,
+		rawProcess
+	}];
+}
+function normalizeProtocol(value) {
+	if (!value) return;
+	if (value.startsWith("tcp")) return "tcp";
+	if (value.startsWith("udp")) return "udp";
+}
+function parseEndpoint(value) {
+	if (!value) return;
+	if (value.startsWith("[")) {
+		const closeBracketIndex = value.lastIndexOf("]:");
+		if (closeBracketIndex === -1) return;
+		return endpointFromParts(value.slice(1, closeBracketIndex), value.slice(closeBracketIndex + 2));
+	}
+	const portSeparatorIndex = value.lastIndexOf(":");
+	if (portSeparatorIndex === -1) return;
+	return endpointFromParts(value.slice(0, portSeparatorIndex), value.slice(portSeparatorIndex + 1));
+}
+function endpointFromParts(address, portValue) {
+	const port = Number(portValue);
+	if (!Number.isInteger(port) || port < 0 || port > 65535) return;
+	return {
+		address,
+		port
+	};
+}
+function parseProcess(value) {
+	const match = value.match(/\("([^"]+)",pid=(\d+)/);
+	if (!match) return {};
+	return {
+		processName: match[1],
+		pid: Number(match[2])
+	};
+}
+//#endregion
+//#region src/server/sshPortInventory.ts
+var SshCommandError = class extends Error {
+	stderr;
+	constructor(message, stderr) {
+		super(message);
+		this.stderr = stderr;
+		this.name = "SshCommandError";
+	}
+};
+var CONTROL_SOCKET_DIRECTORY = "/tmp/yaport-ssh";
+var NGINX_EXTERNAL_ROUTE_CACHE_MS = 300 * 1e3;
+var nginxExternalRouteCache = /* @__PURE__ */ new Map();
+async function collectPortInventory(machine, runner = runSsh, options = {}) {
+	const sshOptions = buildSshOptions(machine);
+	const sshArgsOptions = await buildSshArgsOptions(machine, options);
+	const { stdout } = await runner(buildSshArgs(machine, [
+		"ss",
+		"-H",
+		"-lntup"
+	], sshArgsOptions), sshOptions);
+	const ports = parseSsListeningPorts(stdout);
+	const [portsWithCommandsResult, externalRoutesResult] = await Promise.allSettled([attachProcessCommands(machine, ports, runner, sshOptions, sshArgsOptions), readCachedNginxExternalRoutes(machine, runner, sshOptions, sshArgsOptions)]);
+	return attachExternalRoutes(portsWithCommandsResult.status === "fulfilled" ? portsWithCommandsResult.value : ports, externalRoutesResult.status === "fulfilled" ? externalRoutesResult.value : []);
+}
+async function attachProcessCommands(machine, ports, runner, sshOptions, sshArgsOptions) {
+	const pids = [...new Set(ports.map((port) => port.pid).filter((pid) => typeof pid === "number"))];
+	if (pids.length === 0) return ports;
+	try {
+		const { stdout } = await runner(buildSshArgs(machine, [
+			"ps",
+			"-ww",
+			"-p",
+			pids.join(","),
+			"-o",
+			"pid=,args="
+		], sshArgsOptions), sshOptions);
+		const commands = parsePsCommands(stdout);
+		return ports.map((port) => {
+			const processCommand = port.pid ? commands.get(port.pid) : void 0;
+			return processCommand ? {
+				...port,
+				processCommand
+			} : port;
+		});
+	} catch {
+		return ports;
+	}
+}
+async function readCachedNginxExternalRoutes(machine, runner, sshOptions, sshArgsOptions) {
+	const cacheKey = machineConnectionCacheKey(machine);
+	const cached = nginxExternalRouteCache.get(cacheKey);
+	if (cached && cached.expiresAt > Date.now()) return cached.routes;
+	try {
+		const routes = parseNginxExternalRoutes((await runner(buildSshArgs(machine, ["nginx", "-T"], sshArgsOptions), sshOptions)).stdout);
+		nginxExternalRouteCache.set(cacheKey, {
+			expiresAt: Date.now() + NGINX_EXTERNAL_ROUTE_CACHE_MS,
+			routes
+		});
+		return routes;
+	} catch {
+		nginxExternalRouteCache.set(cacheKey, {
+			expiresAt: Date.now() + NGINX_EXTERNAL_ROUTE_CACHE_MS,
+			routes: []
+		});
+		return [];
+	}
+}
+function buildSshOptions(machine) {
+	const entries = buildAskPassEntries(machine);
+	const connectTimeoutSeconds = machine.connectTimeoutSeconds ?? 15;
+	return {
+		timeoutMs: (machine.commandTimeoutSeconds ?? defaultCommandTimeoutSeconds(connectTimeoutSeconds)) * 1e3,
+		...entries.length ? { askPass: { entries } } : {}
+	};
+}
+function parsePsCommands(output) {
+	const commands = /* @__PURE__ */ new Map();
+	for (const line of output.split("\n")) {
+		const match = line.trim().match(/^(\d+)\s+(.+)$/);
+		if (!match) continue;
+		commands.set(Number(match[1]), match[2]);
+	}
+	return commands;
+}
+async function buildSshArgsOptions(machine, options) {
+	if (!options.reuseConnection) return {};
+	await mkdir(CONTROL_SOCKET_DIRECTORY, {
+		recursive: true,
+		mode: 448
+	});
+	return { controlPath: join(CONTROL_SOCKET_DIRECTORY, machineConnectionHash(machine).slice(0, 40)) };
+}
+function buildSshArgs(machine, command, options = {}) {
+	const hasPasswords = buildAskPassEntries(machine).length > 0;
+	const args = ["-o", hasPasswords ? "BatchMode=no" : "BatchMode=yes"];
+	if (hasPasswords) args.push("-o", "PasswordAuthentication=yes", "-o", "KbdInteractiveAuthentication=yes", "-o", "NumberOfPasswordPrompts=1");
+	args.push("-o", `ConnectTimeout=${machine.connectTimeoutSeconds ?? 15}`);
+	if (options.controlPath) args.push("-o", "ControlMaster=auto", "-o", "ControlPersist=5m", "-o", `ControlPath=${options.controlPath}`);
+	if (machine.jumpHosts?.length) args.push("-J", machine.jumpHosts.map(formatJumpHost).join(","));
+	if (machine.port) args.push("-p", String(machine.port));
+	return [
+		...args,
+		formatSshTarget(machine),
+		...command
+	];
+}
+function machineConnectionCacheKey(machine) {
+	return `${machine.id}:${machineConnectionHash(machine)}`;
+}
+function machineConnectionHash(machine) {
+	return createHash("sha256").update(JSON.stringify(machineConnectionIdentity(machine))).digest("hex");
+}
+function machineConnectionIdentity(machine) {
+	return {
+		host: machine.host,
+		port: machine.port,
+		user: machine.user,
+		jumpHosts: machine.jumpHosts?.map((jumpHost) => ({
+			host: jumpHost.host,
+			port: jumpHost.port,
+			user: jumpHost.user
+		}))
+	};
+}
+function buildAskPassEntries(machine) {
+	return [...machine.jumpHosts ?? [], machine].flatMap((endpoint) => endpoint.password ? [{
+		password: endpoint.password,
+		promptKeys: buildPromptKeys(endpoint)
+	}] : []);
+}
+function buildPromptKeys(endpoint) {
+	return [...endpoint.user ? [`${endpoint.user}@${endpoint.host}`] : [], endpoint.host];
+}
+function formatJumpHost(jumpHost) {
+	const target = formatSshTarget(jumpHost);
+	return jumpHost.port ? `${target}:${jumpHost.port}` : target;
+}
+function formatSshTarget(target) {
+	return target.user ? `${target.user}@${target.host}` : target.host;
+}
+async function runSsh(args, options) {
+	const askPass = options.askPass ? await createAskPass(options.askPass) : void 0;
+	const controller = new AbortController();
+	const timeout = setTimeout(() => controller.abort(), options.timeoutMs);
+	try {
+		return await new Promise((resolve, reject) => {
+			const child = spawn("ssh", args, {
+				env: {
+					...process.env,
+					...askPass?.env ?? {}
+				},
+				stdio: [
+					"ignore",
+					"pipe",
+					"pipe"
+				],
+				signal: controller.signal
+			});
+			let stdout = "";
+			let stderr = "";
+			child.stdout.setEncoding("utf8");
+			child.stderr.setEncoding("utf8");
+			child.stdout.on("data", (chunk) => {
+				stdout += chunk;
+			});
+			child.stderr.on("data", (chunk) => {
+				stderr += chunk;
+			});
+			child.on("error", (error) => {
+				clearTimeout(timeout);
+				reject(new SshCommandError(error.message, stderr));
+			});
+			child.on("close", (code) => {
+				clearTimeout(timeout);
+				if (controller.signal.aborted) {
+					reject(new SshCommandError("SSH command timed out.", stderr));
+					return;
+				}
+				if (code !== 0) {
+					reject(new SshCommandError(`SSH command failed with exit code ${code}.`, stderr));
+					return;
+				}
+				resolve({
+					stdout,
+					stderr
+				});
+			});
+		});
+	} finally {
+		await askPass?.cleanup();
+	}
+}
+async function createAskPass(config) {
+	const directory = await mkdtemp(join(tmpdir(), "yaport-askpass-"));
+	const scriptPath = join(directory, "askpass.cjs");
+	await writeFile(scriptPath, buildAskPassScript(config), {
+		encoding: "utf8",
+		mode: 448
+	});
+	return {
+		cleanup: async () => {
+			await rm(directory, {
+				force: true,
+				recursive: true
+			});
+		},
+		env: {
+			DISPLAY: process.env.DISPLAY || "yaport",
+			SSH_ASKPASS: scriptPath,
+			SSH_ASKPASS_REQUIRE: "force"
+		}
+	};
+}
+function buildAskPassScript(config) {
+	return `#!/usr/bin/env node
+const entries = ${JSON.stringify(config.entries)};
+const prompt = process.argv.slice(2).join(" ").toLowerCase();
+const rankedEntries = entries
+  .map((entry) => ({
+    ...entry,
+    promptKeys: [...entry.promptKeys].sort((left, right) => right.length - left.length)
+  }))
+  .sort((left, right) => (right.promptKeys[0]?.length ?? 0) - (left.promptKeys[0]?.length ?? 0));
+
+for (const entry of rankedEntries) {
+  if (entry.promptKeys.some((key) => key && prompt.includes(String(key).toLowerCase()))) {
+    process.stdout.write(entry.password);
+    process.exit(0);
+  }
+}
+
+if (rankedEntries.length === 1) {
+  process.stdout.write(rankedEntries[0].password);
+  process.exit(0);
+}
+
+process.exit(1);
+`;
+}
+//#endregion
+//#region src/server/app.ts
+function createApp(dependencies) {
+	const app = express();
+	app.use(express.json());
+	app.get("/api/health", (_request, response) => {
+		response.json({ ok: true });
+	});
+	app.get("/api/machines", asyncHandler(async (_request, response) => {
+		const machines = await dependencies.machineStore.list();
+		response.json({ machines: machines.map(stripMachineSecrets$1) });
+	}));
+	app.post("/api/machines", asyncHandler(async (request, response) => {
+		const input = machineInputSchema.parse(request.body);
+		const machine = await dependencies.machineStore.add(input);
+		response.status(201).json({ machine: stripMachineSecrets$1(machine) });
+	}));
+	app.get("/api/machines/:id/ports", asyncHandler(async (request, response) => {
+		const machineId = String(request.params.id);
+		const machine = await dependencies.machineStore.get(machineId);
+		if (!machine) {
+			response.status(404).json({ error: "Remote machine not found." });
+			return;
+		}
+		const ports = await dependencies.collectPortInventory(machine, { reuseConnection: request.get("X-Yaport-Reuse-Connection") === "1" });
+		response.json({
+			machineId: machine.id,
+			collectedAt: (/* @__PURE__ */ new Date()).toISOString(),
+			ports
+		});
+	}));
+	app.use((error, _request, response, _next) => {
+		if (error instanceof ZodError) {
+			response.status(400).json({
+				error: "Invalid remote machine.",
+				issues: error.issues.map((issue) => ({
+					path: issue.path.join("."),
+					message: issue.message
+				}))
+			});
+			return;
+		}
+		if (error instanceof SshCommandError) {
+			response.status(502).json({
+				error: "SSH query failed.",
+				message: formatSshErrorMessage(error),
+				stderr: sanitizeSshStderr(error.stderr)
+			});
+			return;
+		}
+		response.status(500).json({ error: "Unexpected server error." });
+	});
+	return app;
+}
+function asyncHandler(handler) {
+	return (request, response, next) => {
+		handler(request, response).catch(next);
+	};
+}
+function stripMachineSecrets$1(machine) {
+	const { password: _password, jumpHosts, ...publicMachine } = machine;
+	return {
+		...publicMachine,
+		...jumpHosts ? { jumpHosts: jumpHosts.map(stripJumpHostSecrets$1) } : {}
+	};
+}
+function stripJumpHostSecrets$1(jumpHost) {
+	const { password: _password, ...publicJumpHost } = jumpHost;
+	return publicJumpHost;
+}
+function formatSshErrorMessage(error) {
+	const stderr = sanitizeSshStderr(error.stderr);
+	const reason = sshFailureReason(stderr.toLowerCase(), error.message);
+	if (!stderr) return reason;
+	return `${reason}\nOpenSSH 输出：${stderr}`;
+}
+function sshFailureReason(normalizedStderr, fallbackMessage) {
+	if (normalizedStderr.includes("timed out during banner exchange")) return "SSH 连接建立超时。通常是跳板链路或目标机器握手太慢，可以把连接超时调到 30 或 60 秒，命令超时调到 90 秒。";
+	if (normalizedStderr.includes("connection timed out")) return "SSH 连接超时。请检查目标机器、跳板机链路和连接超时设置。";
+	if (normalizedStderr.includes("permission denied")) return "SSH 认证失败。请检查用户名、密码、SSH key 或跳板机账号。";
+	if (normalizedStderr.includes("could not resolve hostname") || normalizedStderr.includes("name or service not known")) return "SSH 主机解析失败。请检查 Host、OpenSSH alias 或 DNS。";
+	if (normalizedStderr.includes("no route to host")) return "SSH 网络不可达。请检查本机到目标机器或跳板机的网络路径。";
+	if (normalizedStderr.includes("connection refused")) return "SSH 连接被拒绝。请检查目标机器 SSH 服务是否启动、端口是否正确。";
+	if (normalizedStderr.includes("host key verification failed")) return "SSH 主机校验失败。请在本机终端先执行一次 ssh 并确认 host key。";
+	if (normalizedStderr.includes("too many authentication failures")) return "SSH 认证尝试次数过多。请检查本机 ssh-agent 里的 key，或改用明确的 OpenSSH alias 配置。";
+	return `SSH 查询失败：${fallbackMessage}`;
+}
+function sanitizeSshStderr(stderr) {
+	return stderr.replace(/\u001b\[[0-9;]*m/g, "").replace(/\r\n/g, "\n").replace(/\r/g, "\n").split("\n").map((line) => line.trim()).filter(Boolean).join("\n").slice(0, 1200);
+}
+//#endregion
+//#region src/server/runtime.ts
+var DEFAULT_HOST = "127.0.0.1";
+var DEFAULT_PORT = 5173;
+function defaultDataFile(cwd = process.cwd(), home = homedir()) {
+	const cwdConfigDirectory = resolve(cwd, ".yaport");
+	const homeConfigDirectory = resolve(home, ".yaport");
+	if (directoryExists(cwdConfigDirectory)) return join(cwdConfigDirectory, "machines.json");
+	if (directoryExists(homeConfigDirectory)) return join(homeConfigDirectory, "machines.json");
+	return join(cwdConfigDirectory, "machines.json");
+}
+function directoryExists(path) {
+	try {
+		return statSync(path).isDirectory();
+	} catch {
+		return false;
+	}
+}
+function browserOpenCommand(url, platform = process.platform) {
+	if (platform === "darwin") return {
+		command: "open",
+		args: [url]
+	};
+	if (platform === "win32") return {
+		command: "cmd",
+		args: [
+			"/c",
+			"start",
+			"",
+			url
+		]
+	};
+	return {
+		command: "xdg-open",
+		args: [url]
+	};
+}
+function listenUrl(host, port) {
+	return `http://${formatUrlHost(host)}:${port}`;
+}
+function localBrowserUrl(host, port) {
+	if (host === "0.0.0.0" || host === "::") return listenUrl("127.0.0.1", port);
+	return listenUrl(host, port);
+}
+function openBrowser(url) {
+	const { command, args } = browserOpenCommand(url);
+	const child = spawn(command, args, {
+		detached: true,
+		stdio: "ignore"
+	});
+	child.on("error", () => {});
+	child.unref();
+}
+async function createYaportHttpApp(mode, dataFile) {
+	const app = createApp({
+		machineStore: new JsonMachineStore(dataFile),
+		collectPortInventory: (machine, options) => collectPortInventory(machine, void 0, options)
+	});
+	if (mode === "production") {
+		const clientDirectory = resolve(dirname(fileURLToPath(import.meta.url)), "../client");
+		app.use(express.static(clientDirectory));
+		app.use(async (request, response, next) => {
+			if (request.path.startsWith("/api/")) {
+				next();
+				return;
+			}
+			response.type("html").send(await readFile(join(clientDirectory, "index.html"), "utf8"));
+		});
+		return app;
+	}
+	const devServer = await (await import("vite")).createServer({
+		server: { middlewareMode: true },
+		appType: "spa"
+	});
+	app.use(devServer.middlewares);
+	return app;
+}
+async function startYaportServer(options) {
+	const host = options.host ?? "127.0.0.1";
+	const url = listenUrl(host, options.port);
+	const browserUrl = localBrowserUrl(host, options.port);
+	(await createYaportHttpApp(options.mode, options.dataFile)).listen(options.port, host, () => {
+		console.log(`丫口 listening on ${url}`);
+		console.log(`Remote machines are stored at ${options.dataFile}`);
+		if (options.open) {
+			openBrowser(browserUrl);
+			console.log(`Opened ${browserUrl}`);
+		}
+	});
+}
+function formatUrlHost(host) {
+	if (host.includes(":") && !host.startsWith("[")) return `[${host}]`;
+	return host;
+}
+//#endregion
+//#region src/server/cli.ts
+var usage = `Usage: yaport [serve options]
+Usage: yaport serve [options]
+Usage: yaport add-machine --name <name> --host <host> [connection options]
+
+Start the 丫口 local web UI.
+
+Commands:
+  serve                 Start the local web UI. This is the default command.
+  add-machine           Add a remote machine to the local 丫口 data file.
+
+Serve options:
+  --host <host>          Host to bind. Default: ${DEFAULT_HOST}
+  --port <port>          Port to listen on. Default: ${DEFAULT_PORT}
+  --data-file <path>     Remote machine config file. Default lookup: ./.yaport, then ~/.yaport.
+  --no-open              Do not open the web UI after the server starts.
+  -h, --help             Print this help message
+
+add-machine required options:
+  --name <name>          Display name in the UI.
+  --host <host>          SSH host, IP, or OpenSSH alias. For "ssh erya", use --host erya.
+
+add-machine connection options:
+  --user <user>          SSH user. Omit for OpenSSH aliases that already define User.
+  --port <port>          SSH port. Omit for OpenSSH aliases that already define Port.
+  --password <value>     SSH password for the target machine. Prefer --password-env.
+  --password-env <env>   Read the target machine SSH password from an environment variable.
+  --connect-timeout <seconds>
+                         SSH connection timeout. Choices: ${CONNECT_TIMEOUT_SECONDS_OPTIONS.join(", ")}. Default: 15.
+  --command-timeout <seconds>
+                         Local command timeout. Choices: ${COMMAND_TIMEOUT_SECONDS_OPTIONS.join(", ")}. Default: 45.
+
+add-machine jump host options:
+  --jump1-host <host>          First jump host. Order matches OpenSSH ProxyJump.
+  --jump1-user <user>          First jump host SSH user.
+  --jump1-port <port>          First jump host SSH port.
+  --jump1-password <value>     First jump host SSH password. Prefer --jump1-password-env.
+  --jump1-password-env <env>   Read first jump host password from an environment variable.
+  --jump2-host <host>          Second jump host.
+  --jump2-user <user>          Second jump host SSH user.
+  --jump2-port <port>          Second jump host SSH port.
+  --jump2-password <value>     Second jump host SSH password. Prefer --jump2-password-env.
+  --jump2-password-env <env>   Read second jump host password from an environment variable.
+
+add-machine output options:
+  --json                 Print deterministic JSON. Passwords are never printed.
+  --data-file <path>     Remote machine config file. Default lookup: ./.yaport, then ~/.yaport.
+
+Examples:
+  yaport add-machine --name Erya --host erya --json
+  TARGET_PASSWORD='[redacted-target-password]' yaport add-machine --name Prod --host 10.0.0.5 --user root --password-env TARGET_PASSWORD --json
+  JUMP_PASSWORD='[redacted-jump-password]' TARGET_PASSWORD='[redacted-target-password]' yaport add-machine --name Prod --host prod.internal --user app --password-env TARGET_PASSWORD --connect-timeout 30 --command-timeout 90 --jump1-host jump.internal --jump1-user ops --jump1-password-env JUMP_PASSWORD --json
+
+Agent notes:
+  - Prefer --json for machine-readable output.
+  - Prefer --password-env and --jumpN-password-env to avoid putting passwords in process arguments.
+  - Omit --user and --port when --host is an OpenSSH alias such as "erya".
+  - The command is non-interactive. Missing required flags fail fast with a non-zero exit code.
+`;
+function parseCliOptions(argv, env = process.env) {
+	if (argv[0] === "add-machine") return parseAddMachineOptions(argv.slice(1), env);
+	if (argv[0] === "serve") return parseServeOptions(argv.slice(1), env);
+	return parseServeOptions(argv, env);
+}
+function parseServeOptions(argv, env) {
+	const options = {
+		command: "serve",
+		help: false,
+		host: env.HOST ?? "127.0.0.1",
+		open: true,
+		port: Number(env.PORT ?? 5173),
+		dataFile: env.YAPORT_DATA_FILE ?? defaultDataFile()
+	};
+	for (let index = 0; index < argv.length; index += 1) {
+		const arg = argv[index];
+		if (arg === "-h" || arg === "--help") {
+			options.help = true;
+			continue;
+		}
+		if (arg === "--host") {
+			options.host = readValue(argv, index, arg);
+			index += 1;
+			continue;
+		}
+		if (arg === "--port") {
+			options.port = Number(readValue(argv, index, arg));
+			index += 1;
+			continue;
+		}
+		if (arg === "--data-file") {
+			options.dataFile = readValue(argv, index, arg);
+			index += 1;
+			continue;
+		}
+		if (arg === "--no-open") {
+			options.open = false;
+			continue;
+		}
+		throw new Error(`Unknown option: ${arg}`);
+	}
+	if (!Number.isInteger(options.port) || options.port < 1 || options.port > 65535) throw new Error("Port must be an integer between 1 and 65535.");
+	return options;
+}
+function parseAddMachineOptions(argv, env) {
+	const machine = {};
+	const jumps = [{}, {}];
+	const options = {
+		command: "add-machine",
+		dataFile: env.YAPORT_DATA_FILE ?? defaultDataFile(),
+		help: false,
+		json: false
+	};
+	for (let index = 0; index < argv.length; index += 1) {
+		const arg = argv[index];
+		if (arg === "-h" || arg === "--help") {
+			options.help = true;
+			continue;
+		}
+		if (arg === "--json") {
+			options.json = true;
+			continue;
+		}
+		if (arg === "--data-file") {
+			options.dataFile = readValue(argv, index, arg);
+			index += 1;
+			continue;
+		}
+		if (arg === "--name") {
+			machine.name = readValue(argv, index, arg);
+			index += 1;
+			continue;
+		}
+		if (arg === "--host") {
+			machine.host = readValue(argv, index, arg);
+			index += 1;
+			continue;
+		}
+		if (arg === "--user") {
+			machine.user = readValue(argv, index, arg);
+			index += 1;
+			continue;
+		}
+		if (arg === "--port") {
+			machine.port = parsePortValue(readValue(argv, index, arg), arg);
+			index += 1;
+			continue;
+		}
+		if (arg === "--password") {
+			machine.password = readValue(argv, index, arg);
+			index += 1;
+			continue;
+		}
+		if (arg === "--password-env") {
+			machine.passwordEnv = readValue(argv, index, arg);
+			index += 1;
+			continue;
+		}
+		if (arg === "--connect-timeout") {
+			machine.connectTimeoutSeconds = parseTimeoutValue(readValue(argv, index, arg), arg, CONNECT_TIMEOUT_SECONDS_OPTIONS);
+			index += 1;
+			continue;
+		}
+		if (arg === "--command-timeout") {
+			machine.commandTimeoutSeconds = parseTimeoutValue(readValue(argv, index, arg), arg, COMMAND_TIMEOUT_SECONDS_OPTIONS);
+			index += 1;
+			continue;
+		}
+		const jumpMatch = arg.match(/^--jump([12])-(host|password|password-env|port|user)$/);
+		if (jumpMatch) {
+			const jump = jumps[Number(jumpMatch[1]) - 1];
+			const field = jumpMatch[2];
+			const value = readValue(argv, index, arg);
+			if (field === "host") jump.host = value;
+			else if (field === "password") jump.password = value;
+			else if (field === "password-env") jump.passwordEnv = value;
+			else if (field === "port") jump.port = parsePortValue(value, arg);
+			else jump.user = value;
+			index += 1;
+			continue;
+		}
+		throw new Error(`Unknown option: ${arg}`);
+	}
+	if (options.help) return options;
+	const input = machineInputSchema.parse({
+		name: requiredValue(machine.name, "--name"),
+		host: requiredValue(machine.host, "--host"),
+		...machine.connectTimeoutSeconds ? { connectTimeoutSeconds: machine.connectTimeoutSeconds } : {},
+		...machine.commandTimeoutSeconds ? { commandTimeoutSeconds: machine.commandTimeoutSeconds } : {},
+		...connectionFields(machine, "target machine", env),
+		jumpHosts: compactJumpHosts(jumps, env)
+	});
+	return {
+		...options,
+		input
+	};
+}
+function readValue(argv, optionIndex, optionName) {
+	const value = argv[optionIndex + 1];
+	if (!value || value.startsWith("-")) throw new Error(`${optionName} requires a value.`);
+	return value;
+}
+function parsePortValue(value, optionName) {
+	const port = Number(value);
+	if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error(`${optionName} must be an integer between 1 and 65535.`);
+	return port;
+}
+function parseTimeoutValue(value, optionName, choices) {
+	const timeout = Number(value);
+	if (!Number.isInteger(timeout) || !choices.includes(timeout)) throw new Error(`${optionName} must be one of: ${choices.join(", ")}.`);
+	return timeout;
+}
+function requiredValue(value, optionName) {
+	if (!value) throw new Error(`${optionName} is required.`);
+	return value;
+}
+function compactJumpHosts(jumps, env) {
+	const compacted = jumps.flatMap((jump, index) => {
+		if (!Boolean(jump.host || jump.password || jump.passwordEnv || jump.port || jump.user)) return [];
+		if (!jump.host) throw new Error(`--jump${index + 1}-host is required when any jump${index + 1} option is used.`);
+		return [{
+			host: jump.host,
+			...connectionFields(jump, `jump${index + 1}`, env)
+		}];
+	});
+	return compacted.length ? compacted : void 0;
+}
+function connectionFields(endpoint, label, env) {
+	if (endpoint.password && endpoint.passwordEnv) throw new Error(`${label} cannot use both password and password-env.`);
+	const password = endpoint.passwordEnv ? readPasswordFromEnv(endpoint.passwordEnv, env) : endpoint.password;
+	return {
+		...password ? { password } : {},
+		...endpoint.port ? { port: endpoint.port } : {},
+		...endpoint.user ? { user: endpoint.user } : {}
+	};
+}
+function readPasswordFromEnv(name, env) {
+	const password = env[name];
+	if (!password) throw new Error(`Environment variable ${name} is not set or is empty.`);
+	return password;
+}
+async function main() {
+	let options;
+	try {
+		options = parseCliOptions(process.argv.slice(2));
+	} catch (error) {
+		console.error(error instanceof Error ? error.message : "Invalid CLI options.");
+		console.error("");
+		console.error(usage);
+		process.exitCode = 1;
+		return;
+	}
+	if (options.help) {
+		console.log(usage);
+		return;
+	}
+	if (options.command === "add-machine") {
+		await addMachine(options);
+		return;
+	}
+	await startYaportServer({
+		host: options.host,
+		port: options.port,
+		dataFile: options.dataFile,
+		mode: "production",
+		open: options.open
+	});
+}
+async function addMachine(options) {
+	if (!options.input) throw new Error("Missing add-machine input.");
+	const publicMachine = stripMachineSecrets(await new JsonMachineStore(options.dataFile).add(options.input));
+	if (options.json) {
+		console.log(JSON.stringify({
+			dataFile: options.dataFile,
+			machine: publicMachine
+		}, null, 2));
+		return;
+	}
+	console.log(`Added remote machine ${publicMachine.name} (${publicMachine.id})`);
+	console.log(`Host: ${publicMachine.host}`);
+	console.log(`Remote machines are stored at ${options.dataFile}`);
+}
+function stripMachineSecrets(machine) {
+	const { password: _password, jumpHosts, ...publicMachine } = machine;
+	return {
+		...publicMachine,
+		...jumpHosts ? { jumpHosts: jumpHosts.map(stripJumpHostSecrets) } : {}
+	};
+}
+function stripJumpHostSecrets(jumpHost) {
+	const { password: _password, ...publicJumpHost } = jumpHost;
+	return publicJumpHost;
+}
+if (import.meta.url === `file://${process.argv[1]}`) main();
+//#endregion
+export { main, parseCliOptions };