npm - zoe-agent - Versions diffs - 0.3.1 - Mend

zoe-agent 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/CHANGELOG.md +154 -0
package/LICENSE +96 -0
package/README.md +568 -0
package/dist/adapters/cli/agent.d.ts +59 -0
package/dist/adapters/cli/agent.js +232 -0
package/dist/adapters/cli/bootstrap.d.ts +25 -0
package/dist/adapters/cli/bootstrap.js +204 -0
package/dist/adapters/cli/commands/build-registry.d.ts +14 -0
package/dist/adapters/cli/commands/build-registry.js +88 -0
package/dist/adapters/cli/commands/clear.d.ts +7 -0
package/dist/adapters/cli/commands/clear.js +10 -0
package/dist/adapters/cli/commands/compact.d.ts +13 -0
package/dist/adapters/cli/commands/compact.js +96 -0
package/dist/adapters/cli/commands/exit.d.ts +7 -0
package/dist/adapters/cli/commands/exit.js +9 -0
package/dist/adapters/cli/commands/gateway.d.ts +7 -0
package/dist/adapters/cli/commands/gateway.js +152 -0
package/dist/adapters/cli/commands/help.d.ts +9 -0
package/dist/adapters/cli/commands/help.js +12 -0
package/dist/adapters/cli/commands/models.d.ts +10 -0
package/dist/adapters/cli/commands/models.js +32 -0
package/dist/adapters/cli/commands/registry.d.ts +70 -0
package/dist/adapters/cli/commands/registry.js +111 -0
package/dist/adapters/cli/commands/settings-utils.d.ts +38 -0
package/dist/adapters/cli/commands/settings-utils.js +182 -0
package/dist/adapters/cli/commands/settings.d.ts +9 -0
package/dist/adapters/cli/commands/settings.js +395 -0
package/dist/adapters/cli/commands/skills.d.ts +7 -0
package/dist/adapters/cli/commands/skills.js +21 -0
package/dist/adapters/cli/config-loader.d.ts +27 -0
package/dist/adapters/cli/config-loader.js +48 -0
package/dist/adapters/cli/docker-utils.d.ts +37 -0
package/dist/adapters/cli/docker-utils.js +90 -0
package/dist/adapters/cli/index.d.ts +2 -0
package/dist/adapters/cli/index.js +88 -0
package/dist/adapters/cli/repl.d.ts +22 -0
package/dist/adapters/cli/repl.js +256 -0
package/dist/adapters/cli/setup.d.ts +19 -0
package/dist/adapters/cli/setup.js +613 -0
package/dist/adapters/cli/system-prompts.d.ts +56 -0
package/dist/adapters/cli/system-prompts.js +131 -0
package/dist/adapters/cli/tui/app.d.ts +58 -0
package/dist/adapters/cli/tui/app.js +314 -0
package/dist/adapters/cli/tui/components/assistant-message.d.ts +5 -0
package/dist/adapters/cli/tui/components/assistant-message.js +9 -0
package/dist/adapters/cli/tui/components/autocomplete.d.ts +19 -0
package/dist/adapters/cli/tui/components/autocomplete.js +75 -0
package/dist/adapters/cli/tui/components/command-palette.d.ts +15 -0
package/dist/adapters/cli/tui/components/command-palette.js +50 -0
package/dist/adapters/cli/tui/components/diff-viewer.d.ts +5 -0
package/dist/adapters/cli/tui/components/diff-viewer.js +109 -0
package/dist/adapters/cli/tui/components/error-message.d.ts +5 -0
package/dist/adapters/cli/tui/components/error-message.js +8 -0
package/dist/adapters/cli/tui/components/footer.d.ts +20 -0
package/dist/adapters/cli/tui/components/footer.js +19 -0
package/dist/adapters/cli/tui/components/goal-status.d.ts +12 -0
package/dist/adapters/cli/tui/components/goal-status.js +22 -0
package/dist/adapters/cli/tui/components/info-message.d.ts +5 -0
package/dist/adapters/cli/tui/components/info-message.js +8 -0
package/dist/adapters/cli/tui/components/logo-banner.d.ts +7 -0
package/dist/adapters/cli/tui/components/logo-banner.js +33 -0
package/dist/adapters/cli/tui/components/markdown.d.ts +9 -0
package/dist/adapters/cli/tui/components/markdown.js +92 -0
package/dist/adapters/cli/tui/components/message-area.d.ts +19 -0
package/dist/adapters/cli/tui/components/message-area.js +55 -0
package/dist/adapters/cli/tui/components/permission-prompt.d.ts +13 -0
package/dist/adapters/cli/tui/components/permission-prompt.js +32 -0
package/dist/adapters/cli/tui/components/prompt-area.d.ts +22 -0
package/dist/adapters/cli/tui/components/prompt-area.js +68 -0
package/dist/adapters/cli/tui/components/text-input.d.ts +27 -0
package/dist/adapters/cli/tui/components/text-input.js +142 -0
package/dist/adapters/cli/tui/components/tool-call-block.d.ts +11 -0
package/dist/adapters/cli/tui/components/tool-call-block.js +68 -0
package/dist/adapters/cli/tui/components/user-message.d.ts +5 -0
package/dist/adapters/cli/tui/components/user-message.js +8 -0
package/dist/adapters/cli/tui/diff/file-write-meta.d.ts +11 -0
package/dist/adapters/cli/tui/diff/file-write-meta.js +11 -0
package/dist/adapters/cli/tui/diff/line-diff.d.ts +17 -0
package/dist/adapters/cli/tui/diff/line-diff.js +44 -0
package/dist/adapters/cli/tui/feed-serializer.d.ts +29 -0
package/dist/adapters/cli/tui/feed-serializer.js +70 -0
package/dist/adapters/cli/tui/file-index.d.ts +8 -0
package/dist/adapters/cli/tui/file-index.js +41 -0
package/dist/adapters/cli/tui/hooks/use-agent.d.ts +54 -0
package/dist/adapters/cli/tui/hooks/use-agent.js +177 -0
package/dist/adapters/cli/tui/hooks/use-feed.d.ts +16 -0
package/dist/adapters/cli/tui/hooks/use-feed.js +25 -0
package/dist/adapters/cli/tui/hooks/use-file-watcher.d.ts +10 -0
package/dist/adapters/cli/tui/hooks/use-file-watcher.js +43 -0
package/dist/adapters/cli/tui/hooks/use-keybindings.d.ts +16 -0
package/dist/adapters/cli/tui/hooks/use-keybindings.js +25 -0
package/dist/adapters/cli/tui/hooks/use-theme.d.ts +8 -0
package/dist/adapters/cli/tui/hooks/use-theme.js +12 -0
package/dist/adapters/cli/tui/index.d.ts +19 -0
package/dist/adapters/cli/tui/index.js +206 -0
package/dist/adapters/cli/tui/ink-reset.d.ts +29 -0
package/dist/adapters/cli/tui/ink-reset.js +57 -0
package/dist/adapters/cli/tui/layout.d.ts +15 -0
package/dist/adapters/cli/tui/layout.js +15 -0
package/dist/adapters/cli/tui/logo/gradient.d.ts +11 -0
package/dist/adapters/cli/tui/logo/gradient.js +31 -0
package/dist/adapters/cli/tui/overlays/help-dialog.d.ts +4 -0
package/dist/adapters/cli/tui/overlays/help-dialog.js +26 -0
package/dist/adapters/cli/tui/overlays/model-selector.d.ts +14 -0
package/dist/adapters/cli/tui/overlays/model-selector.js +43 -0
package/dist/adapters/cli/tui/overlays/session-selector.d.ts +35 -0
package/dist/adapters/cli/tui/overlays/session-selector.js +162 -0
package/dist/adapters/cli/tui/overlays/settings-overlay.d.ts +24 -0
package/dist/adapters/cli/tui/overlays/settings-overlay.js +126 -0
package/dist/adapters/cli/tui/session-export.d.ts +21 -0
package/dist/adapters/cli/tui/session-export.js +63 -0
package/dist/adapters/cli/tui/theme.d.ts +23 -0
package/dist/adapters/cli/tui/theme.js +22 -0
package/dist/adapters/cli/tui/types.d.ts +52 -0
package/dist/adapters/cli/tui/types.js +12 -0
package/dist/adapters/sdk/agent.d.ts +20 -0
package/dist/adapters/sdk/agent.js +356 -0
package/dist/adapters/sdk/http.d.ts +43 -0
package/dist/adapters/sdk/http.js +61 -0
package/dist/adapters/sdk/index.d.ts +58 -0
package/dist/adapters/sdk/index.js +209 -0
package/dist/adapters/sdk/settings.d.ts +18 -0
package/dist/adapters/sdk/settings.js +57 -0
package/dist/adapters/sdk/tools.d.ts +7 -0
package/dist/adapters/sdk/tools.js +13 -0
package/dist/adapters/server/auth.d.ts +53 -0
package/dist/adapters/server/auth.js +168 -0
package/dist/adapters/server/index.d.ts +40 -0
package/dist/adapters/server/index.js +255 -0
package/dist/adapters/server/rest-gateway.d.ts +13 -0
package/dist/adapters/server/rest-gateway.js +218 -0
package/dist/adapters/server/rest.d.ts +37 -0
package/dist/adapters/server/rest.js +341 -0
package/dist/adapters/server/server-core.d.ts +55 -0
package/dist/adapters/server/server-core.js +121 -0
package/dist/adapters/server/session-store.d.ts +81 -0
package/dist/adapters/server/session-store.js +272 -0
package/dist/adapters/server/settings-handlers.d.ts +24 -0
package/dist/adapters/server/settings-handlers.js +360 -0
package/dist/adapters/server/standalone.d.ts +19 -0
package/dist/adapters/server/standalone.js +113 -0
package/dist/adapters/server/websocket.d.ts +26 -0
package/dist/adapters/server/websocket.js +68 -0
package/dist/adapters/server/ws-handlers.d.ts +32 -0
package/dist/adapters/server/ws-handlers.js +523 -0
package/dist/adapters/server/ws-types.d.ts +304 -0
package/dist/adapters/server/ws-types.js +7 -0
package/dist/core/agent-loop.d.ts +68 -0
package/dist/core/agent-loop.js +423 -0
package/dist/core/config.d.ts +115 -0
package/dist/core/config.js +189 -0
package/dist/core/errors.d.ts +58 -0
package/dist/core/errors.js +88 -0
package/dist/core/hooks.d.ts +35 -0
package/dist/core/hooks.js +49 -0
package/dist/core/index.d.ts +23 -0
package/dist/core/index.js +29 -0
package/dist/core/message-convert.d.ts +41 -0
package/dist/core/message-convert.js +94 -0
package/dist/core/middleware/auth.d.ts +24 -0
package/dist/core/middleware/auth.js +28 -0
package/dist/core/middleware/logging.d.ts +23 -0
package/dist/core/middleware/logging.js +28 -0
package/dist/core/middleware/rate-limit.d.ts +27 -0
package/dist/core/middleware/rate-limit.js +38 -0
package/dist/core/middleware/semantic-tools.d.ts +10 -0
package/dist/core/middleware/semantic-tools.js +43 -0
package/dist/core/middleware.d.ts +48 -0
package/dist/core/middleware.js +38 -0
package/dist/core/permission.d.ts +25 -0
package/dist/core/permission.js +50 -0
package/dist/core/provider-config.d.ts +129 -0
package/dist/core/provider-config.js +273 -0
package/dist/core/provider-env.d.ts +39 -0
package/dist/core/provider-env.js +142 -0
package/dist/core/provider-resolver.d.ts +12 -0
package/dist/core/provider-resolver.js +12 -0
package/dist/core/session-store.d.ts +75 -0
package/dist/core/session-store.js +245 -0
package/dist/core/settings-manager.d.ts +57 -0
package/dist/core/settings-manager.js +359 -0
package/dist/core/settings-schema.d.ts +38 -0
package/dist/core/settings-schema.js +171 -0
package/dist/core/skill-catalog.d.ts +6 -0
package/dist/core/skill-catalog.js +17 -0
package/dist/core/skill-invoker.d.ts +127 -0
package/dist/core/skill-invoker.js +182 -0
package/dist/core/stream-accumulator.d.ts +21 -0
package/dist/core/stream-accumulator.js +51 -0
package/dist/core/stream-manager.d.ts +58 -0
package/dist/core/stream-manager.js +212 -0
package/dist/core/tool-executor.d.ts +84 -0
package/dist/core/tool-executor.js +256 -0
package/dist/core/types.d.ts +259 -0
package/dist/core/types.js +11 -0
package/dist/gateway/gateway.d.ts +52 -0
package/dist/gateway/gateway.js +537 -0
package/dist/gateway/index.d.ts +21 -0
package/dist/gateway/index.js +31 -0
package/dist/gateway/openapi-importer.d.ts +15 -0
package/dist/gateway/openapi-importer.js +66 -0
package/dist/gateway/semantic-scorer.d.ts +7 -0
package/dist/gateway/semantic-scorer.js +24 -0
package/dist/gateway/settings-adapter.d.ts +49 -0
package/dist/gateway/settings-adapter.js +137 -0
package/dist/gateway/tool-factory.d.ts +9 -0
package/dist/gateway/tool-factory.js +414 -0
package/dist/gateway/types.d.ts +68 -0
package/dist/gateway/types.js +7 -0
package/dist/models-catalog.js +46 -0
package/dist/providers/anthropic.d.ts +22 -0
package/dist/providers/anthropic.js +148 -0
package/dist/providers/factory.d.ts +10 -0
package/dist/providers/factory.js +25 -0
package/dist/providers/openai.d.ts +15 -0
package/dist/providers/openai.js +71 -0
package/dist/providers/types.d.ts +48 -0
package/dist/providers/types.js +1 -0
package/dist/skills/args.d.ts +37 -0
package/dist/skills/args.js +99 -0
package/dist/skills/index.d.ts +11 -0
package/dist/skills/index.js +23 -0
package/dist/skills/loader.d.ts +3 -0
package/dist/skills/loader.js +59 -0
package/dist/skills/parser.d.ts +7 -0
package/dist/skills/parser.js +152 -0
package/dist/skills/registry.d.ts +13 -0
package/dist/skills/registry.js +74 -0
package/dist/skills/resolver.d.ts +19 -0
package/dist/skills/resolver.js +116 -0
package/dist/skills/types.d.ts +74 -0
package/dist/skills/types.js +50 -0
package/dist/tools/browser.d.ts +2 -0
package/dist/tools/browser.js +68 -0
package/dist/tools/core.d.ts +20 -0
package/dist/tools/core.js +244 -0
package/dist/tools/email.d.ts +2 -0
package/dist/tools/email.js +61 -0
package/dist/tools/image.d.ts +2 -0
package/dist/tools/image.js +257 -0
package/dist/tools/index.d.ts +2 -0
package/dist/tools/index.js +88 -0
package/dist/tools/interface.d.ts +22 -0
package/dist/tools/interface.js +1 -0
package/dist/tools/notify.d.ts +2 -0
package/dist/tools/notify.js +100 -0
package/dist/tools/prompt-optimizer.d.ts +2 -0
package/dist/tools/prompt-optimizer.js +65 -0
package/dist/tools/screenshot.d.ts +2 -0
package/dist/tools/screenshot.js +184 -0
package/dist/tools/search.d.ts +2 -0
package/dist/tools/search.js +78 -0
package/dist/tools/todos.d.ts +10 -0
package/dist/tools/todos.js +50 -0
package/package.json +119 -0
package/skills/docker-ops/SKILL.md +329 -0
package/skills/k8s-deploy/SKILL.md +397 -0
package/skills/log-analyzer/SKILL.md +331 -0
package/skills/speckit-analyze/SKILL.md +260 -0
package/skills/speckit-checklist/SKILL.md +374 -0
package/skills/speckit-clarify/SKILL.md +286 -0
package/skills/speckit-constitution/SKILL.md +157 -0
package/skills/speckit-implement/SKILL.md +224 -0
package/skills/speckit-plan/SKILL.md +171 -0
package/skills/speckit-specify/SKILL.md +346 -0
package/skills/speckit-tasks/SKILL.md +215 -0
package/skills/speckit-taskstoissues/SKILL.md +107 -0

package/dist/adapters/server/ws-handlers.js ADDED Viewed

@@ -0,0 +1,523 @@
+/**
+ * Zoe Server — WebSocket Protocol Handlers
+ *
+ * All handler functions, safeSend helper, and active connections registry.
+ * Extracted from websocket.ts for single-responsibility.
+ */
+import * as crypto from "crypto";
+import { authMiddleware, hasScope } from "./auth.js";
+import { hashKey } from "./session-store.js";
+import { handleWsGetSettings, handleWsUpdateSettings } from "./settings-handlers.js";
+// ── Active connections registry ──────────────────────────────────────
+const activeConnections = new Map();
+// ── Pending tool approvals ───────────────────────────────────────────
+const pendingApprovals = new Map();
+/**
+ * Get the number of currently active WebSocket connections.
+ */
+export function getActiveConnectionCount() {
+    return activeConnections.size;
+}
+/**
+ * Get all connected WS clients (excluding the given one).
+ * Used by settings broadcast to notify other connections of changes.
+ */
+export function getOtherClients(excludeWs) {
+    const clients = [];
+    for (const [ws, state] of activeConnections) {
+        if (ws !== excludeWs) {
+            clients.push({ ws, state });
+        }
+    }
+    return clients;
+}
+// ── Send helper ──────────────────────────────────────────────────────
+export function safeSend(ws, message) {
+    try {
+        if (ws.readyState === 1 /* OPEN */) {
+            ws.send(JSON.stringify(message));
+        }
+    }
+    catch {
+        // Connection may have closed
+    }
+}
+// ── Protocol handler ─────────────────────────────────────────────────
+export function handleConnection(ws, req, ctx) {
+    // Auth check — the token should have been validated during upgrade,
+    // but verify again for safety
+    const key = authMiddleware(req);
+    if (!key) {
+        safeSend(ws, {
+            type: "error",
+            code: "UNAUTHORIZED",
+            retryable: false,
+            message: "Authentication required",
+        });
+        ws.close(4001, "Unauthorized");
+        return;
+    }
+    const state = {
+        sessionId: null,
+        currentAbortController: null,
+        activeProvider: null,
+        activeModel: null,
+        maxPermissionLevel: ctx.maxPermissionLevel,
+        apiKeyHash: hashKey(key.key),
+        apiKey: key,
+    };
+    activeConnections.set(ws, state);
+    // ── Message dispatch ───────────────────────────────────────────────
+    ws.on("message", (data) => {
+        let msg;
+        try {
+            msg = JSON.parse(data.toString("utf-8"));
+        }
+        catch {
+            safeSend(ws, {
+                type: "error",
+                code: "INVALID_MESSAGE",
+                retryable: false,
+                message: "Invalid JSON message",
+            });
+            return;
+        }
+        switch (msg.type) {
+            case "chat":
+                handleChat(ws, msg, state, ctx);
+                break;
+            case "abort":
+                handleAbort(ws, msg, state);
+                break;
+            case "tool_approval_response":
+                handleToolApprovalResponse(ws, msg);
+                break;
+            case "resume":
+                void handleResume(ws, msg, state, ctx);
+                break;
+            case "reconnect":
+                void handleReconnect(ws, msg, state, ctx);
+                break;
+            case "switch_provider":
+                handleSwitchProvider(ws, msg, state);
+                break;
+            case "list_models":
+                handleListModels(ws, ctx);
+                break;
+            case "list_skills":
+                handleListSkills(ws, ctx);
+                break;
+            case "ping":
+                safeSend(ws, {
+                    type: "pong",
+                    serverTime: new Date().toISOString(),
+                });
+                break;
+            case "get_settings":
+                handleWsSettingsMessage(ws, msg, state, ctx, (sCtx) => handleWsGetSettings(msg, ws, state, sCtx));
+                break;
+            case "update_settings":
+                handleWsSettingsMessage(ws, msg, state, ctx, (sCtx) => void handleWsUpdateSettings(msg, ws, state, sCtx));
+                break;
+            case "list_providers":
+                handleWsSettingsMessage(ws, msg, state, ctx, (sCtx) => handleWsListProviders(msg, ws, state, sCtx));
+                break;
+            case "set_provider":
+                handleWsSettingsMessage(ws, msg, state, ctx, (sCtx) => void handleWsSetProvider(msg, ws, state, sCtx));
+                break;
+            case "remove_provider":
+                handleWsSettingsMessage(ws, msg, state, ctx, (sCtx) => void handleWsRemoveProvider(msg, ws, state, sCtx));
+                break;
+            default:
+                safeSend(ws, {
+                    type: "error",
+                    code: "UNKNOWN_MESSAGE_TYPE",
+                    retryable: false,
+                    message: `Unknown message type: ${msg.type}`,
+                });
+        }
+    });
+    // ── Close ──────────────────────────────────────────────────────────
+    ws.on("close", () => {
+        // Abort any in-flight stream
+        if (state.currentAbortController) {
+            state.currentAbortController.abort();
+            state.currentAbortController = null;
+        }
+        activeConnections.delete(ws);
+    });
+    // ── Error ──────────────────────────────────────────────────────────
+    ws.on("error", (err) => {
+        console.error("[ws] Connection error:", err.message);
+        if (state.currentAbortController) {
+            state.currentAbortController.abort();
+            state.currentAbortController = null;
+        }
+        activeConnections.delete(ws);
+    });
+}
+// ── Chat handler ─────────────────────────────────────────────────────
+function handleChat(ws, msg, state, ctx) {
+    const serverMsgId = crypto.randomUUID();
+    // Acknowledge
+    safeSend(ws, {
+        type: "ack",
+        clientMsgId: msg.id,
+        serverMsgId,
+        timestamp: new Date().toISOString(),
+    });
+    // Create session if needed
+    if (!state.sessionId && msg.sessionId) {
+        state.sessionId = msg.sessionId;
+    }
+    // Set up abort controller
+    const abortController = new AbortController();
+    state.currentAbortController = abortController;
+    // Resolve options with connection-level overrides
+    const provider = msg.options?.provider ?? state.activeProvider ?? undefined;
+    const model = msg.options?.model ?? state.activeModel ?? undefined;
+    // Resolve permission level with server ceiling
+    let effectivePermissionLevel = msg.options?.permissionLevel ?? state.permissionLevel;
+    if (effectivePermissionLevel && state.maxPermissionLevel) {
+        const levels = ["strict", "moderate", "permissive"];
+        const maxIdx = levels.indexOf(state.maxPermissionLevel);
+        const reqIdx = levels.indexOf(effectivePermissionLevel);
+        // QA-009: Unknown levels (-1) are capped to the server ceiling
+        if (reqIdx === -1 || reqIdx > maxIdx) {
+            effectivePermissionLevel = state.maxPermissionLevel;
+        }
+    }
+    // Stream text
+    try {
+        ctx.streamText({
+            message: msg.message,
+            model,
+            provider,
+            tools: msg.options?.tools,
+            maxSteps: msg.options?.maxSteps ?? 10,
+            skills: msg.options?.skills,
+            sessionId: state.sessionId ?? undefined,
+            permissionLevel: effectivePermissionLevel,
+            approveTool: createServerApproveTool(ws),
+            signal: abortController.signal,
+            onText: (delta) => {
+                safeSend(ws, {
+                    type: "text",
+                    delta,
+                    serverMsgId,
+                });
+            },
+            onToolCall: (info) => {
+                safeSend(ws, {
+                    type: "tool_call",
+                    callId: info.callId,
+                    name: info.name,
+                    args: info.args,
+                });
+            },
+            onToolResult: (info) => {
+                safeSend(ws, {
+                    type: "tool_result",
+                    callId: info.callId,
+                    output: info.output,
+                    success: info.success,
+                });
+            },
+            onStep: (step) => {
+                // Estimate progress — we don't know totalSteps ahead of time
+                safeSend(ws, {
+                    type: "progress",
+                    step: 0,
+                    totalSteps: 0,
+                    percentage: 0,
+                    activity: step.content ?? step.type,
+                });
+            },
+            onError: (error) => {
+                safeSend(ws, {
+                    type: "error",
+                    code: error.code || "STREAM_ERROR",
+                    retryable: error.code === "PROVIDER_ERROR",
+                    message: error.message,
+                    provider: error.provider,
+                    tool: error.tool,
+                });
+            },
+            onDone: (result) => {
+                safeSend(ws, {
+                    type: "done",
+                    serverMsgId,
+                    usage: result.usage,
+                    finishReason: result.finishReason,
+                });
+                // Add assistant message to session
+                if (state.sessionId) {
+                    const assistantMsg = {
+                        id: serverMsgId,
+                        role: "assistant",
+                        content: result.text,
+                        timestamp: Date.now(),
+                    };
+                    ctx.sessionManager.addMessage(state.sessionId, assistantMsg);
+                }
+                state.currentAbortController = null;
+            },
+        });
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : "Stream failed";
+        safeSend(ws, {
+            type: "error",
+            code: "STREAM_ERROR",
+            retryable: false,
+            message,
+        });
+        state.currentAbortController = null;
+    }
+}
+// ── Abort handler ────────────────────────────────────────────────────
+function handleAbort(ws, _msg, state) {
+    if (state.currentAbortController) {
+        state.currentAbortController.abort();
+        state.currentAbortController = null;
+        safeSend(ws, {
+            type: "error",
+            code: "ABORTED",
+            retryable: false,
+            message: "Request aborted by client",
+        });
+    }
+}
+// ── Tool approval handler ────────────────────────────────────────────
+const APPROVAL_TIMEOUT_MS = 30_000; // 30 seconds
+/**
+ * Create an `approveTool` callback for the server adapter.
+ * Sends a `tool_approval_request` to the client and waits for a
+ * `tool_approval_response`. Falls back to auto-deny on timeout.
+ */
+export function createServerApproveTool(ws) {
+    return async (call) => {
+        const callId = crypto.randomUUID();
+        safeSend(ws, {
+            type: "tool_approval_request",
+            callId,
+            name: call.name,
+            args: call.args,
+        });
+        return new Promise((resolve) => {
+            const timer = setTimeout(() => {
+                pendingApprovals.delete(callId);
+                resolve(false); // Timeout → deny
+            }, APPROVAL_TIMEOUT_MS);
+            pendingApprovals.set(callId, { resolve, timer, ws, toolName: call.name, createdAt: Date.now() });
+        });
+    };
+}
+function handleToolApprovalResponse(ws, msg) {
+    const pending = pendingApprovals.get(msg.callId);
+    if (!pending)
+        return;
+    // QA-001: Only the originating connection may resolve the approval
+    if (pending.ws !== ws)
+        return;
+    // Defense-in-depth: verify the tool name matches the pending request
+    if (msg.name !== pending.toolName)
+        return;
+    // Reject expired approvals (defense-in-depth, timer should have fired)
+    if (Date.now() - pending.createdAt > APPROVAL_TIMEOUT_MS) {
+        clearTimeout(pending.timer);
+        pendingApprovals.delete(msg.callId);
+        pending.resolve(false);
+        return;
+    }
+    clearTimeout(pending.timer);
+    pendingApprovals.delete(msg.callId);
+    pending.resolve(msg.approved);
+}
+// ── Resume handler ───────────────────────────────────────────────────
+async function handleResume(ws, msg, state, ctx) {
+    const session = await ctx.sessionManager.getSession(msg.sessionId, state.apiKeyHash);
+    if (!session) {
+        safeSend(ws, {
+            type: "error",
+            code: "SESSION_NOT_FOUND",
+            retryable: false,
+            message: `Session ${msg.sessionId} not found or expired`,
+        });
+        return;
+    }
+    state.sessionId = msg.sessionId;
+    safeSend(ws, {
+        type: "session_resumed",
+        sessionId: msg.sessionId,
+        messages: session.messages,
+    });
+}
+// ── Reconnect handler ────────────────────────────────────────────────
+async function handleReconnect(ws, msg, state, ctx) {
+    const session = await ctx.sessionManager.getSession(msg.sessionId, state.apiKeyHash);
+    if (!session) {
+        safeSend(ws, {
+            type: "error",
+            code: "SESSION_NOT_FOUND",
+            retryable: false,
+            message: `Session ${msg.sessionId} not found or expired`,
+        });
+        return;
+    }
+    state.sessionId = msg.sessionId;
+    // Replay messages — optionally only those after lastSeenId
+    let messages = session.messages;
+    if (msg.lastSeenId) {
+        const lastIndex = messages.findIndex((m) => m.id === msg.lastSeenId);
+        if (lastIndex !== -1) {
+            messages = messages.slice(lastIndex + 1);
+        }
+    }
+    safeSend(ws, {
+        type: "replay",
+        messages,
+        currentStatus: "ready",
+    });
+}
+// ── Switch provider handler ──────────────────────────────────────────
+function handleSwitchProvider(ws, msg, state) {
+    state.activeProvider = msg.provider;
+    if (msg.model) {
+        state.activeModel = msg.model;
+    }
+    safeSend(ws, {
+        type: "ack",
+        clientMsgId: "",
+        serverMsgId: crypto.randomUUID(),
+        timestamp: new Date().toISOString(),
+    });
+}
+// ── List models handler ──────────────────────────────────────────────
+function handleListModels(ws, ctx) {
+    safeSend(ws, {
+        type: "models_list",
+        models: ctx.listModels(),
+    });
+}
+// ── List skills handler ──────────────────────────────────────────────
+function handleListSkills(ws, ctx) {
+    safeSend(ws, {
+        type: "skills_list",
+        skills: ctx.listSkills(),
+    });
+}
+// ── Settings dispatch helper ────────────────────────────────────────────
+function handleWsSettingsMessage(ws, _msg, _state, ctx, fn) {
+    const sCtx = ctx.settingsHandlerContext;
+    if (!sCtx) {
+        safeSend(ws, {
+            type: "error",
+            code: "SERVICE_UNAVAILABLE",
+            retryable: false,
+            message: "Settings not configured",
+        });
+        return;
+    }
+    fn(sCtx);
+}
+// ── WS scope helper ─────────────────────────────────────────────────────
+function requireWsScope(state, scope) {
+    return !!state.apiKey && hasScope(state.apiKey, scope);
+}
+// ── WS Settings: list providers ─────────────────────────────────────────
+function handleWsListProviders(msg, ws, state, ctx) {
+    if (!requireWsScope(state, "agent:read")) {
+        safeSend(ws, { type: "providers_list", id: msg.id, providers: {}, error: { code: "FORBIDDEN", message: "Requires agent:read scope" } });
+        return;
+    }
+    const providers = {};
+    for (const pType of ["openai", "anthropic", "glm", "openai-compatible"]) {
+        const prefix = `providers.${pType === "openai-compatible" ? "openai-compat" : pType}`;
+        const apiKeyVal = ctx.settingsManager.get(`${prefix}.apiKey`).value;
+        if (apiKeyVal != null) {
+            providers[pType] = { type: pType };
+            const model = ctx.settingsManager.get(`${prefix}.model`).value;
+            if (model)
+                providers[pType].model = model;
+            if (pType === "openai-compatible") {
+                const baseUrl = ctx.settingsManager.get(`${prefix}.baseUrl`).value;
+                if (baseUrl)
+                    providers[pType].baseUrl = baseUrl;
+            }
+        }
+    }
+    safeSend(ws, { type: "providers_list", id: msg.id, providers });
+}
+// ── WS Settings: set provider ───────────────────────────────────────────
+async function handleWsSetProvider(msg, ws, state, ctx) {
+    if (!requireWsScope(state, "admin")) {
+        safeSend(ws, { type: "settings_updated", id: msg.id, error: { code: "FORBIDDEN", message: "Requires admin scope" } });
+        return;
+    }
+    const { type: providerType, apiKey, baseUrl, model } = msg.provider;
+    const VALID_PROVIDER_TYPES = new Set(["openai", "anthropic", "glm", "openai-compatible"]);
+    if (!providerType || !VALID_PROVIDER_TYPES.has(providerType)) {
+        safeSend(ws, { type: "settings_updated", id: msg.id, error: { code: "VALIDATION_ERROR", message: "Invalid provider type" } });
+        return;
+    }
+    const prefix = `providers.${providerType === "openai-compatible" ? "openai-compat" : providerType}`;
+    try {
+        if (apiKey)
+            await ctx.settingsManager.set(`${prefix}.apiKey`, apiKey);
+        if (model)
+            await ctx.settingsManager.set(`${prefix}.model`, model);
+        if (baseUrl && providerType === "openai-compatible")
+            await ctx.settingsManager.set(`${prefix}.baseUrl`, baseUrl);
+    }
+    catch (e) {
+        safeSend(ws, { type: "settings_updated", id: msg.id, error: { code: "SET_ERROR", message: e.message } });
+        return;
+    }
+    safeSend(ws, { type: "settings_updated", id: msg.id, applied: { [providerType]: true }, requiresRestart: false, restartAffected: [] });
+}
+// ── WS Settings: remove provider ────────────────────────────────────────
+async function handleWsRemoveProvider(msg, ws, state, ctx) {
+    if (!requireWsScope(state, "admin")) {
+        safeSend(ws, { type: "settings_updated", id: msg.id, error: { code: "FORBIDDEN", message: "Requires admin scope" } });
+        return;
+    }
+    const VALID_PROVIDER_TYPES = new Set(["openai", "anthropic", "glm", "openai-compatible"]);
+    if (!msg.providerType || !VALID_PROVIDER_TYPES.has(msg.providerType)) {
+        safeSend(ws, { type: "settings_updated", id: msg.id, error: { code: "VALIDATION_ERROR", message: "Invalid provider type" } });
+        return;
+    }
+    const prefix = `providers.${msg.providerType === "openai-compatible" ? "openai-compat" : msg.providerType}`;
+    try {
+        await ctx.settingsManager.reset(`${prefix}.apiKey`);
+        try {
+            await ctx.settingsManager.reset(`${prefix}.model`);
+        }
+        catch { /* may not exist */ }
+        try {
+            await ctx.settingsManager.reset(`${prefix}.baseUrl`);
+        }
+        catch { /* may not exist */ }
+    }
+    catch (e) {
+        safeSend(ws, { type: "settings_updated", id: msg.id, error: { code: "RESET_ERROR", message: e.message } });
+        return;
+    }
+    safeSend(ws, { type: "settings_updated", id: msg.id, applied: { removed: msg.providerType }, requiresRestart: false, restartAffected: [] });
+}
+// ── Active connections accessor (for closeWebSocket) ──────────────────
+/**
+ * Close all active connections and clear the registry.
+ * Used by closeWebSocket() during shutdown.
+ */
+export function closeAllConnections() {
+    for (const [ws] of activeConnections) {
+        try {
+            ws.close(1001, "Server shutting down");
+        }
+        catch {
+            // Ignore errors during shutdown
+        }
+    }
+    activeConnections.clear();
+}