Class: Clacky::Server::HttpServer

Inherits:

Object

• Object
• Clacky::Server::HttpServer

Defined in:

lib/clacky/server/http_server.rb

Overview

HttpServer runs an embedded WEBrick HTTP server with WebSocket support.

Routes:

GET  /ws                     → WebSocket upgrade (all real-time communication)
*    /api/*                  → JSON REST API (sessions, tasks, schedules)
GET  /**                     → static files served from lib/clacky/web/ directory

Defined Under Namespace

Classes: WebSocketConnection

Constant Summary

WEB_ROOT =

File.expand_path("../web", __dir__)

EXCHANGE_RATE_PRIMARY_BASE_URL =

"https://open.er-api.com/v6/latest"

EXCHANGE_RATE_FALLBACK_URL =

"https://api.frankfurter.app/latest"

DEFAULT_SOUL_MD =

Default SOUL.md written when the user skips the onboard conversation. A richer version is created by the Agent during the soul_setup phase.

<<~MD.freeze
  # Clacky — Agent Soul

  You are Clacky, a friendly and capable AI coding assistant and technical
  co-founder. You are sharp, concise, and proactive. You speak plainly and
  avoid unnecessary formality. You love helping people ship great software.

  ## Personality
  - Warm and encouraging, but direct and honest
  - Think step-by-step before acting; explain your reasoning briefly
  - Prefer doing over talking — use tools, write code, ship results
  - Adapt your language and tone to match the user's style

  ## Strengths
  - Full-stack software development (Ruby, Python, JS, and more)
  - Architectural thinking and code review
  - Debugging tricky problems with patience and creativity
  - Breaking big goals into small, executable steps
MD

DEFAULT_SOUL_MD_ZH =

Default SOUL.md for Chinese-language users.

<<~MD.freeze
  # Clacky — 助手灵魂

  你是 Clacky，一位友好、能干的 AI 编程助手和技术联合创始人。
  你思维敏锐、言简意赅、主动积极。你说话直接，不喜欢过度客套。
  你热爱帮助用户打造优秀的软件产品。

  **重要：始终用中文回复用户。**

  ## 性格特点
  - 热情鼓励，但直接诚实
  - 行动前先思考；简要说明你的推理过程
  - 重行动而非空谈 —— 善用工具，写代码，交付结果
  - 根据用户的风格调整语气和表达方式

  ## 核心能力
  - 全栈软件开发（Ruby、Python、JS 等）
  - 架构设计与代码审查
  - 耐心细致地调试复杂问题
  - 将大目标拆解为可执行的小步骤
MD

BRAND_HEARTBEAT_MUTEX =

Process-wide mutex guarding heartbeat trigger state. Used by #trigger_async_heartbeat! to ensure only one heartbeat Thread is in flight at a time, no matter how many concurrent /api/brand/status requests arrive from the Web UI poller.

Mutex.new

BRAND_DIST_REFRESH_MUTEX =

Mutex + inflight flag for async distribution refresh. Mirrors the heartbeat pattern above so the same guarantees hold: at most one refresh thread per process regardless of how many concurrent /api/brand/status polls arrive from the Web UI.

Mutex.new

IGNORED_FILE_ENTRIES =

GET /api/sessions/:id/files?path=<relative dir> Lists one directory level inside the session’s working_dir (lazy, per-layer). Path traversal outside working_dir is rejected. Noisy dirs are hidden.

%w[.git .svn .hg node_modules .DS_Store .bundle vendor/bundle tmp .sass-cache].freeze

PROFILE_USER_AGENTS_DIR =

── Profile API (USER.md / SOUL.md) ──────────────────────────────

User can override the built-in defaults by writing their own ~/.clacky/agents/USER.md and ~/.clacky/agents/SOUL.md. These endpoints let the Web UI read and edit those files.

File.expand_path("~/.clacky/agents").freeze

PROFILE_DEFAULT_AGENTS_DIR =

File.expand_path("../../default_agents", __dir__).freeze

PROFILE_MAX_BYTES =

Hard limit; prevents runaway content.

50_000

MEMORIES_DIR =

── Memories API (~/.clacky/memories/*.md) ───────────────────────

Long-term memories are plain Markdown files with YAML frontmatter stored under ~/.clacky/memories/. These endpoints let the user inspect, edit, create, and delete them from the Web UI.

File.expand_path("~/.clacky/memories").freeze

MEMORY_MAX_BYTES =

50_000

@@brand_heartbeat_inflight =

Tracks whether a heartbeat Thread is currently running.

false

@@brand_dist_refresh_inflight =

false

Instance Method Summary

• #_dispatch_rest(req, res) ⇒ Object
• #api_add_model(req, res) ⇒ Object

  POST /api/config/models Body: { model, base_url, api_key, anthropic_format, type? } Creates a new model entry, returns { ok:true, id, index } so the frontend can record the new id without reloading the whole list.

• #api_benchmark_session_models(session_id, _req, res) ⇒ Object

  POST /api/sessions/:id/benchmark.

• #api_billing_clear(req, res) ⇒ Object

  DELETE /api/billing/clear # Clears billing records Query params: scope (today|all, default: today).

• #api_billing_daily(req, res) ⇒ Object

  GET /api/billing/daily Returns daily cost breakdown Query params: days (default: 30), model (optional).

• #api_billing_records(req, res) ⇒ Object

  GET /api/billing/records Returns recent billing records Query params: limit (default: 100), model, session_id.

• #api_billing_sessions(req, res) ⇒ Object

  GET /api/billing/sessions Returns session-level billing summary Query params: period (day|week|month|year|all, default: month), model, limit.

• #api_billing_summary(req, res) ⇒ Object

  GET /api/billing/summary Returns billing summary for a time period Query params: period (day|week|month|year|all, default: month), model (optional).

• #api_brand_activate(req, res) ⇒ Object

  POST /api/brand/activate Body: { license_key: “XXXX-XXXX-XXXX-XXXX-XXXX” } Activates the license and persists the result to brand.yml.

• #api_brand_info(res) ⇒ Object

  GET /api/brand Returns brand metadata consumed by the WebUI on boot to dynamically replace branding strings.

• #api_brand_skill_install(slug, req, res) ⇒ Object

  POST /api/brand/skills/:name/install Downloads and installs (or updates) the given brand skill.

• #api_brand_skills(res) ⇒ Object

  POST /api/store/skills/:slug/install.

• #api_brand_status(res) ⇒ Object

  GET /api/brand/status Returns whether brand activation is needed.

• #api_browser_configure(req, res) ⇒ Object

  POST /api/browser/configure Called by browser-setup skill to write browser.yml and hot-reload the daemon.

• #api_browser_reload(res) ⇒ Object

  POST /api/browser/reload Called by browser-setup skill after writing browser.yml.

• #api_browser_status(res) ⇒ Object

  GET /api/browser/status Returns real daemon liveness from BrowserManager (not just yml read).

• #api_browser_toggle(res) ⇒ Object

  POST /api/browser/toggle.

• #api_change_session_working_dir(session_id, req, res) ⇒ Object
• #api_create_cron_task(req, res) ⇒ Object

  POST /api/cron-tasks — create task file + schedule in one step Body: { name, content, cron, enabled? }.

• #api_create_session(req, res) ⇒ Object
• #api_delete_channel(platform, res) ⇒ Object

  DELETE /api/channels/:platform Disables the platform (keeps credentials, sets enabled: false).

• #api_delete_cron_task(name, res) ⇒ Object

  DELETE /api/cron-tasks/:name — remove task file + schedule.

• #api_delete_model(id, res) ⇒ Object

  DELETE /api/config/models/:id.

• #api_delete_session(session_id, res) ⇒ Object
• #api_exchange_rate(req, res) ⇒ Object

  GET /api/exchange-rate?from=USD&to=CNY Fetches the latest exchange rate on demand.

• #api_export_session(session_id, res) ⇒ Object

  Export a session bundle as a .zip download containing: - session.json (always) - chunk-*.md (0..N archived conversation chunks) - logs/clacky-YYYY-MM-DD.log (today’s logger file, if present) Useful for debugging — user clicks “download” in the WebUI status bar and we can ask them to attach the zip to a bug report.

• #api_file_action(req, res) ⇒ Object

  POST /api/file-action Unified file action endpoint — open locally or download.

• #api_fork_session(session_id, req, res) ⇒ Object
• #api_get_config(res) ⇒ Object

  GET /api/config — return current model configurations.

• #api_get_media_config(res) ⇒ Object

  GET /api/config/media Used by the Settings UI to render the tri-state media controls.

• #api_get_ocr_config(res) ⇒ Object

  GET /api/config/ocr Returns the OCR sidecar state for the Settings UI.

• #api_get_settings(res) ⇒ Object

  GET /api/config/settings — return advanced settings.

• #api_get_version(res) ⇒ Object

  GET /api/version Returns current version and latest version from RubyGems (cached for 1 hour).

• #api_group_history(chat_id, res) ⇒ Object
• #api_internal_ocr_image(req, res) ⇒ Object

  POST /api/internal/ocr-image Internal endpoint used by parser scripts (e.g. pdf_parser_vlm.py) to transcribe a single image via the configured OCR sidecar.

• #api_list_channel_users(platform, res) ⇒ Object

  GET /api/channels/:platform/users Returns the list of known user IDs for the given platform.

• #api_list_channels(res) ⇒ Object
• #api_list_cron_tasks(res) ⇒ Object

  GET /api/cron-tasks.

• #api_list_providers(res) ⇒ Object

  GET /api/providers — return built-in provider presets for quick setup.

• #api_list_sessions(req, res) ⇒ Object

  ── REST API ──────────────────────────────────────────────────────────────.

• #api_list_skills(res) ⇒ Object

  GET /api/skills — list all loaded skills with metadata.

• #api_mcp_call(name, req, res) ⇒ Object

  POST /api/mcp/:name/call body: { tool: “…”, arguments: … } Forwards a tools/call to the configured MCP server and returns its raw result.

• #api_mcp_create(req, res) ⇒ Object

  POST /api/mcp { name, command, args[], env{}, cwd?, description? }.

• #api_mcp_delete(name, req, res) ⇒ Object

  DELETE /api/mcp/:name.

• #api_mcp_list(res) ⇒ Object

  GET /api/mcp Lists configured MCP servers without spawning any subprocess.

• #api_mcp_probe(name, res) ⇒ Object

  POST /api/mcp/:name/probe Spawns the MCP server briefly to fetch its tool catalog, then shuts it down.

• #api_mcp_toggle(name, req, res) ⇒ Object

  PATCH /api/mcp/:name/enabled body: { enabled: true|false }.

• #api_mcp_tools(name, res) ⇒ Object

  GET /api/mcp/:name/tools Returns the live tool catalog for an MCP server, using the process-wide registry.

• #api_mcp_update(name, req, res) ⇒ Object

  PUT /api/mcp/:name { command, args[], env{}, cwd?, description? } Replaces the entire spec.

• #api_media_image(req, res) ⇒ Object

  POST /api/media/image Body: { “prompt”: “…”, “aspect_ratio”: “landscape|square|portrait”, “output_dir”: “<absolute path, optional>” } Routes to the model configured with type=image in agent_config.

• #api_media_types(res) ⇒ Object

  GET /api/media/types Returns which media types are configured in agent_config.models.

• #api_onboard_complete(req, res) ⇒ Object

  POST /api/onboard/complete Called after key setup is done (soul_setup is optional/skipped).

• #api_onboard_skip_soul(req, res) ⇒ Object

  POST /api/onboard/skip-soul Writes a minimal SOUL.md so the soul_setup phase is not re-triggered on the next server start when the user chooses to skip the conversation.

• #api_onboard_status(res) ⇒ Object

  GET /api/onboard/status Phase “key_setup” → no API key configured yet Phase “soul_setup” → key configured, but ~/.clacky/agents/SOUL.md missing needs_onboard: false → fully set up.

• #api_rename_session(session_id, req, res) ⇒ Object
• #api_restart(req, res) ⇒ Object

  POST /api/restart Re-execs the current process so the newly installed gem version is loaded.

• #api_run_cron_task(name, res) ⇒ Object

  POST /api/cron-tasks/:name/run — execute immediately.

• #api_save_channel(platform, req, res) ⇒ Object

  POST /api/channels/:platform Body: { fields… } (platform-specific credential fields) Saves credentials and optionally (re)starts the adapter.

• #api_send_channel_message(platform, req, res) ⇒ Object

  POST /api/channels/:platform/send Proactively send a message to a user via the given IM platform.

• #api_serve_local_image(req, res) ⇒ Object

  GET /api/local-image?path=file:///path/to/image.png GET /api/local-image?path=/path/to/image.png.

• #api_session_files(session_id, req, res) ⇒ Object
• #api_session_messages(session_id, req, res) ⇒ Object

  GET /api/sessions/:id/messages?limit=20&before=1709123456.789 Replays conversation history for a session via the agent’s replay_history method.

• #api_session_skills(session_id, res) ⇒ Object

  GET /api/sessions/:id/skills — list user-invocable skills for a session, filtered by the session’s agent profile.

• #api_set_default_model(id, res) ⇒ Object

  POST /api/config/models/:id/default Makes the identified model the new “default” (global initial model for new sessions AND current model for this server instance).

• #api_store_skills(res) ⇒ Object

  GET /api/brand/skills Fetches the brand skills list from the cloud, enriched with local installed version.

• #api_switch_session_model(session_id, req, res) ⇒ Object
• #api_switch_session_reasoning_effort(session_id, req, res) ⇒ Object

  PATCH /api/sessions/:id/reasoning_effort Body: { “reasoning_effort”: “off” | “low” | “medium” | “high” }.

• #api_switch_session_submodel(session_id, req, res) ⇒ Object

  PATCH /api/sessions/:id/submodel Body: { “model_name”: “dsk-deepseek-v4-pro” | null }.

• #api_test_channel(platform, req, res) ⇒ Object

  POST /api/channels/:platform/test Body: { fields… } (credentials to test — NOT saved) Tests connectivity using the provided credentials without persisting.

• #api_test_config(req, res) ⇒ Object

  POST /api/config/test — test connection for a single model config Body: { model, base_url, api_key, anthropic_format }.

• #api_test_media_config(req, res) ⇒ Object

  PATCH /api/config/media/:kind Body: { source: “off”|“auto”|“custom”, model?, base_url?, api_key?, anthropic_format? } off / auto — remove any custom entry; “auto” lets the virtual derivation in AgentConfig#find_model_by_type take over.

• #api_test_ocr_config(req, res) ⇒ Object

  POST /api/config/ocr/test Reuses the media preflight (GET /models) — same connectivity check.

• #api_toggle_channel(platform, req, res) ⇒ Object

  PATCH /api/channels/:platform/enabled Body: { enabled: true|false } Toggles the platform on/off without touching credentials.

• #api_toggle_skill(name, req, res) ⇒ Object

  Body: { enabled: true/false }.

• #api_tool_browser(req, res) ⇒ Object

  GET /api/channels Returns current config and running status for all supported platforms.

• #api_update_cron_task(name, req, res) ⇒ Object

  PATCH /api/cron-tasks/:name — update content and/or cron/enabled Body: { content?, cron?, enabled? }.

• #api_update_media_config(kind, req, res) ⇒ Object
• #api_update_model(id, req, res) ⇒ Object

  PATCH /api/config/models/:id Body: any subset of { model, base_url, api_key, anthropic_format, type } Rules (the whole reason we moved off bulk save): - Missing key → field untouched - api_key with “****” (masked display value) → IGNORED (never overwrites) - api_key empty string → IGNORED (defensive; treat as “not changed”) - api_key real non-masked value → stored - type=“default” transparently clears the marker on other models - Unknown id → 404.

• #api_update_ocr_config(req, res) ⇒ Object

  PATCH /api/config/ocr Body: { source: “off”|“auto”|“custom”, model?, base_url?, api_key?, anthropic_format? } Mirrors api_update_media_config but for the single “ocr” type.

• #api_update_settings(req, res) ⇒ Object

  PATCH /api/config/settings — update advanced settings.

• #api_upgrade_version(req, res) ⇒ Object

  POST /api/version/upgrade Upgrades openclacky in a background thread, streaming output via WebSocket broadcast.

• #api_upload_file(req, res) ⇒ Object

  POST /api/upload Accepts a multipart/form-data file upload (field name: “file”).

• #broadcast(session_id, event) ⇒ Object

  Broadcast an event to all clients subscribed to a session.

• #broadcast_all(event) ⇒ Object

  Broadcast an event to every connected client (regardless of session subscription).

• #broadcast_session_update(session_id) ⇒ Object

  Broadcast a session_update event to all clients so they can patch their local session list without needing a full session_list refresh.

• #build_session(name:, working_dir: nil, permission_mode: :confirm_all, profile: "general", source: :manual, model_id: nil) ⇒ Object

  Create a session in the registry and wire up Agent + WebUIController.

• #build_session_from_data(session_data, permission_mode: :confirm_all) ⇒ Object

  Restore a persisted session from saved session_data (from SessionManager).

• #create_default_session ⇒ Object

  Auto-restore persisted sessions (or create a fresh default) when the server starts.

• #default_working_dir ⇒ Object

  ── Helpers ───────────────────────────────────────────────────────────────.

• #deliver_confirmation(session_id, conf_id, result) ⇒ Object
• #dispatch(req, res) ⇒ Object

  ── Router ────────────────────────────────────────────────────────────────.

• #fetch_exchange_rate(from, to) ⇒ Object
• #fetch_exchange_rate_json(url) ⇒ Object
• #fetch_frankfurter_exchange_rate(from, to) ⇒ Object
• #fetch_open_exchange_rate(from, to) ⇒ Object
• #handle_user_message(session_id, content, files = []) ⇒ Object

  ── Session actions ───────────────────────────────────────────────────────.

• #handle_websocket(req, res) ⇒ Object

  Hijacks the TCP socket from WEBrick and upgrades it to WebSocket.

• #initialize(host: "127.0.0.1", port: 7070, agent_config:, client_factory:, brand_test: false, sessions_dir: nil, socket: nil, master_pid: nil) ⇒ HttpServer constructor

  A new instance of HttpServer.

• #interrupt_session(session_id) ⇒ Object

  Interrupt a running agent session.

• #json_response(res, status, data) ⇒ Object
• #mask_api_key(key) ⇒ Object

  Mask API key for display: show first 8 + last 4 chars, middle replaced with **** Mask an api_key for safe display / transport to the browser.

• #normalize_currency_code(value, fallback:) ⇒ Object
• #not_found(res) ⇒ Object
• #on_ws_close(conn) ⇒ Object
• #on_ws_message(conn, raw) ⇒ Object
• #on_ws_open(conn) ⇒ Object
• #parse_exchange_rate_date(value) ⇒ Object
• #parse_json_body(req) ⇒ Object
• #positive_float(value) ⇒ Object
• #serve_file_download(res, path) ⇒ Object

  Stream a file to the client as a download.

• #start ⇒ Object
• #start_pending_task(session_id) ⇒ Object

  Start the pending task for a session.

• #subscribe(session_id, conn) ⇒ Object

  ── WebSocket subscription management ─────────────────────────────────────.

• #trigger_async_distribution_refresh! ⇒ Object

  Fire a public-distribution refresh in a background Thread.

• #trigger_async_heartbeat! ⇒ Object

  Fire a heartbeat in a background Thread without blocking the caller.

• #unsubscribe(conn) ⇒ Object
• #unsubscribe_all(session_id) ⇒ Object
• #websocket_upgrade?(req) ⇒ Boolean

  ── WebSocket ─────────────────────────────────────────────────────────────.

Constructor Details

#initialize(host: "127.0.0.1", port: 7070, agent_config:, client_factory:, brand_test: false, sessions_dir: nil, socket: nil, master_pid: nil) ⇒ HttpServer

Returns a new instance of HttpServer.

# File 'lib/clacky/server/http_server.rb', line 158

def initialize(host: "127.0.0.1", port: 7070, agent_config:, client_factory:, brand_test: false, sessions_dir: nil, socket: nil, master_pid: nil)
  @host           = host
  @port           = port
  @agent_config   = agent_config
  @client_factory = client_factory  # callable: -> { Clacky::Client.new(...) }
  @brand_test     = brand_test      # when true, skip remote API calls for license activation
  @inherited_socket  = socket        # TCPServer socket passed from Master (nil = standalone mode)
  @master_pid        = master_pid    # Master PID so we can send USR1 on upgrade/restart
  # Capture the absolute path of the entry script and original ARGV at startup,
  # so api_restart can re-exec the correct binary even if cwd changes later.
  @restart_script = File.expand_path($0)
  @restart_argv   = ARGV.dup
  @session_manager = Clacky::SessionManager.new(sessions_dir: sessions_dir)
  @registry        = SessionRegistry.new(
    session_manager:  @session_manager,
    session_restorer: method(:build_session_from_data),
    agent_config:     @agent_config
  )
  @ws_clients      = {}   # session_id => [WebSocketConnection, ...]
  @all_ws_conns    = []   # every connected WS client, regardless of session subscription
  @ws_mutex        = Mutex.new
  # Version cache: { latest: "x.y.z", checked_at: Time }
  @version_cache   = nil
  @version_mutex   = Mutex.new
  @scheduler       = Scheduler.new(
    session_registry: @registry,
    session_builder:  method(:build_session),
    task_runner:      method(:run_agent_task)
  )
  @channel_manager = Clacky::Channel::ChannelManager.new(
    session_registry:  @registry,
    session_builder:   method(:build_session),
    run_agent_task:    method(:run_agent_task),
    interrupt_session: method(:interrupt_session),
    channel_config:    Clacky::ChannelConfig.load
  )
  @browser_manager = Clacky::BrowserManager.instance
  @skill_loader    = Clacky::SkillLoader.new(working_dir: nil, brand_config: Clacky::BrandConfig.load)
  # Lazy: process-wide MCP registry. Created on first /api/mcp/:name access
  # so test setups that override Dir.home in before-hooks still work.
  @mcp_registry_mutex = Mutex.new
  # Access key authentication:
  # - localhost (127.0.0.1 / ::1) is always trusted; auth is skipped entirely.
  # - Any other bind address requires CLACKY_ACCESS_KEY env var.
  @localhost_only      = local_host?(@host)
  @access_key          = @localhost_only ? nil : resolve_access_key
  @auth_failures       = {}
  @auth_failures_mutex = Mutex.new
  if @localhost_only
    Clacky::Logger.info("[HttpServer] Localhost mode — authentication disabled")
  else
    Clacky::Logger.info("[HttpServer] Public mode — access key authentication ENABLED")
  end
end

Instance Method Details

#_dispatch_rest(req, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 423

def _dispatch_rest(req, res)
  path   = req.path
  method = req.request_method

  case [method, path]
  when ["GET",    "/api/sessions"]      then api_list_sessions(req, res)
  when ["POST",   "/api/sessions"]      then api_create_session(req, res)
  when ["GET",    "/api/cron-tasks"]    then api_list_cron_tasks(res)
  when ["POST",   "/api/cron-tasks"]    then api_create_cron_task(req, res)
  when ["GET",    "/api/skills"]         then api_list_skills(res)
  when ["GET",    "/api/config"]        then api_get_config(res)
  when ["GET",    "/api/config/settings"]  then api_get_settings(res)
  when ["GET",    "/api/exchange-rate"]    then api_exchange_rate(req, res)
  when ["PATCH",  "/api/config/settings"]  then api_update_settings(req, res)
  when ["POST",   "/api/config/models"] then api_add_model(req, res)
  when ["POST",   "/api/config/test"]   then api_test_config(req, res)
  when ["POST",   "/api/config/media/test"] then api_test_media_config(req, res)
  when ["GET",    "/api/config/media"]  then api_get_media_config(res)
  when ["GET",    "/api/config/ocr"]    then api_get_ocr_config(res)
  when ["PATCH",  "/api/config/ocr"]    then api_update_ocr_config(req, res)
  when ["POST",   "/api/config/ocr/test"] then api_test_ocr_config(req, res)
  when ["POST",   "/api/internal/ocr-image"] then api_internal_ocr_image(req, res)
  when ["GET",    "/api/providers"]     then api_list_providers(res)
  when ["GET",    "/api/onboard/status"]    then api_onboard_status(res)
  when ["GET",    "/api/browser/status"]    then api_browser_status(res)
  when ["POST",   "/api/browser/configure"]  then api_browser_configure(req, res)
  when ["POST",   "/api/browser/reload"]    then api_browser_reload(res)
  when ["POST",   "/api/browser/toggle"]    then api_browser_toggle(res)
  when ["POST",   "/api/onboard/complete"]  then api_onboard_complete(req, res)
  when ["POST",   "/api/onboard/skip-soul"] then api_onboard_skip_soul(req, res)
  when ["GET",    "/api/store/skills"]          then api_store_skills(res)
  when ["GET",    "/api/brand/status"]      then api_brand_status(res)
  when ["POST",   "/api/brand/activate"]    then api_brand_activate(req, res)
  when ["DELETE", "/api/brand/license"]     then api_brand_deactivate(res)
  when ["GET",    "/api/brand/skills"]      then api_brand_skills(res)
  when ["GET",    "/api/brand"]             then api_brand_info(res)
  when ["GET",    "/api/creator/skills"]    then api_creator_skills(res)
  when ["GET",    "/api/trash"]     then api_trash(req, res)
  when ["POST",   "/api/trash/restore"] then api_trash_restore(req, res)
  when ["DELETE", "/api/trash"]     then api_trash_delete(req, res)
  when ["GET",    "/api/trash/sessions"]     then api_trash_sessions(req, res)
  when ["POST",   "/api/trash/sessions/restore"] then api_trash_session_restore(req, res)
  when ["DELETE", "/api/trash/sessions"]     then api_trash_sessions_delete(req, res)
  when ["GET",    "/api/profile"]   then api_profile_get(res)
  when ["PUT",    "/api/profile"]   then api_profile_put(req, res)
  when ["GET",    "/api/memories"]  then api_memories_list(res)
  when ["POST",   "/api/memories"]  then api_memories_create(req, res)
  when ["GET",    "/api/channels"]          then api_list_channels(res)
  when ["GET",    "/api/mcp"]               then api_mcp_list(res)
  when ["POST",   "/api/tool/browser"]      then api_tool_browser(req, res)
  when ["POST",   "/api/upload"]            then api_upload_file(req, res)
  when ["POST",   "/api/file-action"]       then api_file_action(req, res)
  when ["GET",    "/api/local-image"]       then api_serve_local_image(req, res)
  when ["POST",   "/api/media/image"]       then api_media_image(req, res)
  when ["GET",    "/api/media/types"]       then api_media_types(res)
  when ["GET",    "/api/version"]           then api_get_version(res)
  when ["POST",   "/api/version/upgrade"]   then api_upgrade_version(req, res)
  when ["POST",   "/api/restart"]           then api_restart(req, res)
  when ["GET",    "/api/billing/summary"]   then api_billing_summary(req, res)
  when ["GET",    "/api/billing/daily"]     then api_billing_daily(req, res)
  when ["GET",    "/api/billing/records"]   then api_billing_records(req, res)
  when ["GET",    "/api/billing/sessions"]  then api_billing_sessions(req, res)
  when ["DELETE", "/api/billing/clear"]     then api_billing_clear(req, res)        when ["PATCH",  "/api/sessions/:id/model"] then api_switch_session_model(req, res)
  when ["PATCH",  "/api/sessions/:id/working_dir"] then api_change_session_working_dir(req, res)
  else
    if method == "POST" && path.match?(%r{^/api/channels/[^/]+/send$})
      platform = path.sub("/api/channels/", "").sub("/send", "")
      api_send_channel_message(platform, req, res)
    elsif method == "GET" && path.match?(%r{^/api/channels/group_history/})
      chat_id = URI.decode_www_form_component(path.sub("/api/channels/group_history/", ""))
      api_group_history(chat_id, res)
    elsif method == "GET" && path.match?(%r{^/api/channels/[^/]+/users$})
      platform = path.sub("/api/channels/", "").sub("/users", "")
      api_list_channel_users(platform, res)
    elsif method == "POST" && path.match?(%r{^/api/channels/[^/]+/test$})
      platform = path.sub("/api/channels/", "").sub("/test", "")
      api_test_channel(platform, req, res)
    elsif method == "PATCH" && path.match?(%r{^/api/channels/[^/]+/enabled$})
      platform = path.sub("/api/channels/", "").sub("/enabled", "")
      api_toggle_channel(platform, req, res)
    elsif method == "POST" && path.start_with?("/api/channels/")
      platform = path.sub("/api/channels/", "")
      api_save_channel(platform, req, res)
    elsif method == "DELETE" && path.start_with?("/api/channels/")
      platform = path.sub("/api/channels/", "")
      api_delete_channel(platform, res)
    elsif method == "POST" && path.match?(%r{^/api/mcp/[^/]+/probe$})
      name = path.sub("/api/mcp/", "").sub("/probe", "")
      api_mcp_probe(name, res)
    elsif method == "GET" && path.match?(%r{^/api/mcp/[^/]+/tools$})
      name = path.sub("/api/mcp/", "").sub("/tools", "")
      api_mcp_tools(name, res)
    elsif method == "POST" && path.match?(%r{^/api/mcp/[^/]+/call$})
      name = path.sub("/api/mcp/", "").sub("/call", "")
      api_mcp_call(name, req, res)
    elsif method == "POST" && path == "/api/mcp"
      api_mcp_create(req, res)
    elsif method == "PATCH" && path.match?(%r{^/api/mcp/[^/]+/enabled$})
      name = path.sub("/api/mcp/", "").sub("/enabled", "")
      api_mcp_toggle(name, req, res)
    elsif method == "PUT" && path.match?(%r{^/api/mcp/[^/]+$})
      name = path.sub("/api/mcp/", "")
      api_mcp_update(name, req, res)
    elsif method == "DELETE" && path.match?(%r{^/api/mcp/[^/]+$})
      name = path.sub("/api/mcp/", "")
      api_mcp_delete(name, req, res)
    elsif method == "GET" && path.match?(%r{^/api/sessions/[^/]+/skills$})
      session_id = path.sub("/api/sessions/", "").sub("/skills", "")
      api_session_skills(session_id, res)
    elsif method == "GET" && path.match?(%r{^/api/sessions/[^/]+/files$})
      session_id = path.sub("/api/sessions/", "").sub("/files", "")
      api_session_files(session_id, req, res)
    elsif method == "GET" && path.match?(%r{^/api/sessions/[^/]+/export$})
      session_id = path.sub("/api/sessions/", "").sub("/export", "")
      api_export_session(session_id, res)
    elsif method == "GET" && path.match?(%r{^/api/sessions/[^/]+/messages$})
      session_id = path.sub("/api/sessions/", "").sub("/messages", "")
      api_session_messages(session_id, req, res)
    elsif method == "PATCH" && path.match?(%r{^/api/sessions/[^/]+$})
      session_id = path.sub("/api/sessions/", "")
      api_rename_session(session_id, req, res)
    elsif method == "PATCH" && path.match?(%r{^/api/sessions/[^/]+/model$})
      session_id = path.sub("/api/sessions/", "").sub("/model", "")
      api_switch_session_model(session_id, req, res)
    elsif method == "PATCH" && path.match?(%r{^/api/sessions/[^/]+/reasoning_effort$})
      session_id = path.sub("/api/sessions/", "").sub("/reasoning_effort", "")
      api_switch_session_reasoning_effort(session_id, req, res)
    elsif method == "PATCH" && path.match?(%r{^/api/sessions/[^/]+/submodel$})
      session_id = path.sub("/api/sessions/", "").sub("/submodel", "")
      api_switch_session_submodel(session_id, req, res)
    elsif method == "POST" && path.match?(%r{^/api/sessions/[^/]+/benchmark$})
      session_id = path.sub("/api/sessions/", "").sub("/benchmark", "")
      api_benchmark_session_models(session_id, req, res)
    elsif method == "PATCH" && path.match?(%r{^/api/sessions/[^/]+/working_dir$})
      session_id = path.sub("/api/sessions/", "").sub("/working_dir", "")
      api_change_session_working_dir(session_id, req, res)
    elsif method == "POST" && path.match?(%r{^/api/sessions/[^/]+/fork$})
      session_id = path.sub("/api/sessions/", "").sub("/fork", "")
      api_fork_session(session_id, req, res)
    elsif method == "DELETE" && path.start_with?("/api/sessions/")
      session_id = path.sub("/api/sessions/", "")
      api_delete_session(session_id, res)
    elsif method == "DELETE" && path.match?(%r{^/api/trash/sessions/[^/]+$})
      session_id = path.sub("/api/trash/sessions/", "")
      api_trash_session_delete_one(session_id, res)
    elsif method == "POST" && path.match?(%r{^/api/config/models/[^/]+/default$})
      id = path.sub("/api/config/models/", "").sub("/default", "")
      api_set_default_model(id, res)
    elsif method == "PATCH" && path.match?(%r{^/api/config/models/[^/]+$})
      id = path.sub("/api/config/models/", "")
      api_update_model(id, req, res)
    elsif method == "DELETE" && path.match?(%r{^/api/config/models/[^/]+$})
      id = path.sub("/api/config/models/", "")
      api_delete_model(id, res)
    elsif method == "PATCH" && path.match?(%r{^/api/config/media/(image|video|audio)$})
      kind = path.sub("/api/config/media/", "")
      api_update_media_config(kind, req, res)
    elsif method == "POST" && path.match?(%r{^/api/cron-tasks/[^/]+/run$})
      name = URI.decode_www_form_component(path.sub("/api/cron-tasks/", "").sub("/run", ""))
      api_run_cron_task(name, res)
    elsif method == "PATCH" && path.match?(%r{^/api/cron-tasks/[^/]+$})
      name = URI.decode_www_form_component(path.sub("/api/cron-tasks/", ""))
      api_update_cron_task(name, req, res)
    elsif method == "DELETE" && path.match?(%r{^/api/cron-tasks/[^/]+$})
      name = URI.decode_www_form_component(path.sub("/api/cron-tasks/", ""))
      api_delete_cron_task(name, res)
    elsif method == "PATCH" && path.match?(%r{^/api/skills/[^/]+/toggle$})
      name = URI.decode_www_form_component(path.sub("/api/skills/", "").sub("/toggle", ""))
      api_toggle_skill(name, req, res)
    elsif method == "POST" && path.match?(%r{^/api/brand/skills/[^/]+/install$})
      slug = URI.decode_www_form_component(path.sub("/api/brand/skills/", "").sub("/install", ""))
      api_brand_skill_install(slug, req, res)
    elsif method == "POST" && path.match?(%r{^/api/my-skills/[^/]+/publish$})
      name = URI.decode_www_form_component(path.sub("/api/my-skills/", "").sub("/publish", ""))
      api_publish_my_skill(name, req, res)
    elsif method == "GET" && path.match?(%r{^/api/memories/[^/]+$})
      filename = URI.decode_www_form_component(path.sub("/api/memories/", ""))
      api_memories_get(filename, res)
    elsif method == "PUT" && path.match?(%r{^/api/memories/[^/]+$})
      filename = URI.decode_www_form_component(path.sub("/api/memories/", ""))
      api_memories_update(filename, req, res)
    elsif method == "DELETE" && path.match?(%r{^/api/memories/[^/]+$})
      filename = URI.decode_www_form_component(path.sub("/api/memories/", ""))
      api_memories_delete(filename, res)
    else
      not_found(res)
    end
  end
end

#api_add_model(req, res) ⇒ Object

POST /api/config/models Body: { model, base_url, api_key, anthropic_format, type? } Creates a new model entry, returns { ok:true, id, index } so the frontend can record the new id without reloading the whole list.

# File 'lib/clacky/server/http_server.rb', line 3963

def api_add_model(req, res)
  body = parse_json_body(req)
  return json_response(res, 400, { error: "Invalid JSON" }) unless body

  model    = body["model"].to_s.strip
  base_url = body["base_url"].to_s.strip
  api_key  = body["api_key"].to_s
  # Masked placeholders are never a valid api_key on creation —
  # a brand-new model MUST come with a real key.
  if api_key.empty? || api_key.include?("****")
    return json_response(res, 422, { error: "api_key is required" })
  end

  entry = {
    "id"               => SecureRandom.uuid,
    "model"            => model,
    "base_url"         => base_url,
    "api_key"          => api_key,
    "anthropic_format" => body["anthropic_format"] || false
  }
  type = body["type"].to_s
  unless type.empty?
    # Preserve the single-slot "default" invariant.
    if type == "default"
      @agent_config.models.each { |m| m.delete("type") if m["type"] == "default" }
    end
    entry["type"] = type
  end

  @agent_config.models << entry
  # If this is the only model and no default marker exists yet,
  # adopt it as the default so downstream lookups resolve cleanly.
  if @agent_config.models.none? { |m| m["type"] == "default" }
    entry["type"] = "default"
    @agent_config.current_model_id    = entry["id"]
    @agent_config.current_model_index = @agent_config.models.length - 1
  elsif type == "default"
    # Re-anchor current_* to the newly-defaulted entry.
    @agent_config.current_model_id    = entry["id"]
    @agent_config.current_model_index = @agent_config.models.length - 1
  end

  @agent_config.save
  json_response(res, 200, {
    ok:    true,
    id:    entry["id"],
    index: @agent_config.models.length - 1
  })
rescue => e
  json_response(res, 422, { error: e.message })
end

#api_benchmark_session_models(session_id, _req, res) ⇒ Object

POST /api/sessions/:id/benchmark

Speed-test every configured model in one shot so the user can pick the fastest available model for this session. We send a minimal one-token request to each model *in parallel* (one thread per model) and measure total HTTP duration — for non-streaming calls this equals the user’s perceived time-to-first-token, so the field is named ‘ttft_ms` for forward-compatibility with a future streaming implementation.

Cost note: each request is ‘max_tokens: 1` + a 2-byte prompt, so the total cost across a dozen models is well under one cent.

Response shape:

{
  ok: true,
  results: [
    { model_id: "...", model: "...", ttft_ms: 812, ok: true },
    { model_id: "...", model: "...", ok: false, error: "timeout" },
    ...
  ]
}

# File 'lib/clacky/server/http_server.rb', line 4379

def api_benchmark_session_models(session_id, _req, res)
  return json_response(res, 404, { error: "Session not found" }) unless @registry.ensure(session_id)

  # Snapshot the models list — @agent_config.models is a shared reference
  # that the user might mutate from the settings panel during the test;
  # a shallow dup is enough since we only read string fields below.
  models = Array(@agent_config.models).dup
  return json_response(res, 200, { ok: true, results: [] }) if models.empty?

  # Kick off one thread per model. We deliberately cap per-request wall
  # time inside each thread via a Faraday timeout so a single dead model
  # can't block the response. The outer join uses a generous ceiling
  # (timeout + small buffer) as a last-resort safety net.
  per_model_timeout = 15
  threads = models.map do |m|
    Thread.new do
      Thread.current.report_on_exception = false
      benchmark_single_model(m, per_model_timeout)
    end
  end

  results = threads.map do |t|
    if t.join(per_model_timeout + 3)
      t.value rescue { ok: false, error: "thread failed" }
    else
      t.kill
      { ok: false, error: "Request timed out" }
    end
  end

  json_response(res, 200, { ok: true, results: results })
rescue => e
  Clacky::Logger.error("[benchmark] #{e.class}: #{e.message}", error: e)
  json_response(res, 500, { error: e.message })
end

#api_billing_clear(req, res) ⇒ Object

DELETE /api/billing/clear # Clears billing records Query params: scope (today|all, default: today)

# File 'lib/clacky/server/http_server.rb', line 1776

def api_billing_clear(req, res)
  require_relative "../billing/billing_store"

  query = URI.decode_www_form(req.query_string.to_s).to_h
  scope = query["scope"] || "today"

  store = Clacky::Billing::BillingStore.new
  deleted = store.clear(scope: scope.to_sym)

  json_response(res, 200, { ok: true, deleted: deleted, scope: scope })
rescue => e
  json_response(res, 500, { error: e.message })
end

#api_billing_daily(req, res) ⇒ Object

GET /api/billing/daily Returns daily cost breakdown Query params: days (default: 30), model (optional)

# File 'lib/clacky/server/http_server.rb', line 1721

def api_billing_daily(req, res)
  require_relative "../billing/billing_store"

  query = URI.decode_www_form(req.query_string.to_s).to_h
  days  = [(query["days"] || "30").to_i, 90].min
  model = query["model"]

  store = Clacky::Billing::BillingStore.new
  daily = store.daily_breakdown(days: days, model: model)

  json_response(res, 200, { days: daily })
end

#api_billing_records(req, res) ⇒ Object

GET /api/billing/records Returns recent billing records Query params: limit (default: 100), model, session_id

# File 'lib/clacky/server/http_server.rb', line 1737

def api_billing_records(req, res)
  require_relative "../billing/billing_store"

  query      = URI.decode_www_form(req.query_string.to_s).to_h
  limit      = [(query["limit"] || "100").to_i, 500].min
  model      = query["model"]
  session_id = query["session_id"]

  store   = Clacky::Billing::BillingStore.new
  records = store.query(model: model, session_id: session_id, limit: limit)

  json_response(res, 200, {
    records: records.map(&:to_h),
    count: records.size
  })
end

#api_billing_sessions(req, res) ⇒ Object

GET /api/billing/sessions Returns session-level billing summary Query params: period (day|week|month|year|all, default: month), model, limit

# File 'lib/clacky/server/http_server.rb', line 1757

def api_billing_sessions(req, res)
  require_relative "../billing/billing_store"

  query = URI.decode_www_form(req.query_string.to_s).to_h
  period = (query["period"] || "month").to_sym
  model = query["model"]
  limit = [(query["limit"] || "50").to_i, 200].min

  store = Clacky::Billing::BillingStore.new
  sessions = store.session_summary(period: period, model: model, limit: limit)

  json_response(res, 200, {
    sessions: sessions,
    count: sessions.size
  })
end

#api_billing_summary(req, res) ⇒ Object

GET /api/billing/summary Returns billing summary for a time period Query params: period (day|week|month|year|all, default: month), model (optional)

# File 'lib/clacky/server/http_server.rb', line 1705

def api_billing_summary(req, res)
  require_relative "../billing/billing_store"

  query  = URI.decode_www_form(req.query_string.to_s).to_h
  period = (query["period"] || "month").to_sym
  model  = query["model"]

  store   = Clacky::Billing::BillingStore.new
  summary = store.summary(period: period, model: model)

  json_response(res, 200, summary)
end

#api_brand_activate(req, res) ⇒ Object

POST /api/brand/activate Body: { license_key: “XXXX-XXXX-XXXX-XXXX-XXXX” } Activates the license and persists the result to brand.yml.

# File 'lib/clacky/server/http_server.rb', line 1494

def api_brand_activate(req, res)
  body = parse_json_body(req)
  key  = body["license_key"].to_s.strip

  if key.empty?
    json_response(res, 422, { ok: false, error: "license_key is required" })
    return
  end

  brand  = Clacky::BrandConfig.load
  result = @brand_test ? brand.activate_mock!(key) : brand.activate!(key)

  if result[:success]
    # Refresh skill_loader with the now-activated brand config so brand
    # skills are loadable from this point forward (e.g. after sync).
    @skill_loader = Clacky::SkillLoader.new(working_dir: nil, brand_config: brand)
    json_response(res, 200, {
      ok:            true,
      product_name:  result[:product_name] || brand.product_name,
      user_id:       result[:user_id] || brand.license_user_id,
      user_licensed: brand.user_licensed?
    })
  else
    json_response(res, 422, { ok: false, error: result[:message] })
  end
end

#api_brand_info(res) ⇒ Object

GET /api/brand Returns brand metadata consumed by the WebUI on boot to dynamically replace branding strings.

# File 'lib/clacky/server/http_server.rb', line 1693

def api_brand_info(res)
  brand = Clacky::BrandConfig.load
  json_response(res, 200, brand.to_h)
end

#api_brand_skill_install(slug, req, res) ⇒ Object

POST /api/brand/skills/:name/install Downloads and installs (or updates) the given brand skill. Body may optionally contain { skill_info: … } from the frontend cache; otherwise we re-fetch to get the download_url.

# File 'lib/clacky/server/http_server.rb', line 1627

def api_brand_skill_install(slug, req, res)
  brand = Clacky::BrandConfig.load

  # Free-mode: branded but not activated. Fall back to the public free
  # skills endpoint and install with encrypted: false. Paid (encrypted)
  # skills still require activation and will return 404 here.
  unless brand.activated?
    fetch_result = brand.fetch_free_skills!
    unless fetch_result[:success]
      json_response(res, 422, { ok: false, error: fetch_result[:error] })
      return
    end

    skill_info = fetch_result[:skills].find { |s| s["name"] == slug }
    unless skill_info
      json_response(res, 404, { ok: false, error: "Skill '#{slug}' is not a free skill — activate your license to access it." })
      return
    end

    result = brand.install_free_skill!(skill_info)
    if result[:success]
      @skill_loader = Clacky::SkillLoader.new(working_dir: nil, brand_config: brand)
      json_response(res, 200, { ok: true, name: result[:name], version: result[:version] })
    else
      json_response(res, 422, { ok: false, error: result[:error] })
    end
    return
  end

  # Re-fetch the skills list to get the authoritative download_url
  if @brand_test
    all_skills = mock_brand_skills(brand)[:skills]
  else
    fetch_result = brand.fetch_brand_skills!
    unless fetch_result[:success]
      json_response(res, 422, { ok: false, error: fetch_result[:error] })
      return
    end
    all_skills = fetch_result[:skills]
  end

  skill_info = all_skills.find { |s| s["name"] == slug }
  unless skill_info
    json_response(res, 404, { ok: false, error: "Skill '#{slug}' not found in license" })
    return
  end

  # In brand-test mode use the mock installer which writes a real .enc file
  # so the full decrypt → load → invoke code-path is exercised end-to-end.
  result = @brand_test ? brand.install_mock_brand_skill!(skill_info) : brand.install_brand_skill!(skill_info)

  if result[:success]
    # Reload skills so the Agent can pick up the new skill immediately.
    # Re-create the loader with the current brand_config so brand skills are decryptable.
    @skill_loader = Clacky::SkillLoader.new(working_dir: nil, brand_config: brand)
    json_response(res, 200, { ok: true, name: result[:name], version: result[:version] })
  else
    json_response(res, 422, { ok: false, error: result[:error] })
  end
rescue StandardError, ScriptError => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_brand_skills(res) ⇒ Object

POST /api/store/skills/:slug/install

# File 'lib/clacky/server/http_server.rb', line 1558

def api_brand_skills(res)
  brand = Clacky::BrandConfig.load

  unless brand.activated?
    # Free-mode: branded but no license. Return the unencrypted skills
    # available to anonymous installs so the Brand Skills tab is not
    # empty and the user can install/use them without a serial number.
    # Each skill is tagged is_free=true so the UI can show a "Free" badge.
    result = brand.fetch_free_skills!

    if result[:success]
      free_skills = result[:skills].map { |s| s.merge("is_free" => true) }
      json_response(res, 200, {
        ok:                true,
        skills:            free_skills,
        free_mode:         true,
        paid_skills_count: result[:paid_skills_count].to_i
      })
    else
      json_response(res, 200, {
        ok:                true,
        skills:            [],
        free_mode:         true,
        paid_skills_count: 0,
        warning_code:      "remote_unavailable",
        warning:           result[:error] || "Could not reach the license server."
      })
    end
    return
  end

  if @brand_test
    # Return mock skills in brand-test mode instead of calling the remote API
    result = mock_brand_skills(brand)
  else
    result = brand.fetch_brand_skills!
  end

  if result[:success]
    json_response(res, 200, { ok: true, skills: result[:skills], expires_at: result[:expires_at] })
  else
    # Remote API failed — fall back to locally installed skills so the user
    # can still see and use what they already have. Surface a soft warning.
    local_skills = brand.installed_brand_skills.map do |name, meta|
      {
        "name"              => meta["name"] || name,
        "name_zh"           => meta["name_zh"].to_s,
        # Use locally cached description so it renders correctly offline
        "description"       => meta["description"].to_s,
        "description_zh"    => meta["description_zh"].to_s,
        "installed_version" => meta["version"],
        "needs_update"      => false
      }
    end
    json_response(res, 200, {
      ok:           true,
      skills:       local_skills,
      # warning_code lets the frontend render a localized message.
      # `warning` is kept for back-compat and as an English fallback.
      warning_code: "remote_unavailable",
      warning:      "Could not reach the license server. Showing locally installed skills only."
    })
  end
end

#api_brand_status(res) ⇒ Object

GET /api/brand/status Returns whether brand activation is needed. Mirrors the onboard/status pattern so the frontend can gate on it.

Response:

{ branded: false }                              → no brand, nothing to do
{ branded: true, needs_activation: true,
  product_name: "JohnAI" }                     → license key required
{ branded: true, needs_activation: false,
  product_name: "JohnAI", warning: "..." }     → activated, possible warning

# File 'lib/clacky/server/http_server.rb', line 1416

def api_brand_status(res)
  brand = Clacky::BrandConfig.load

  unless brand.branded?
    json_response(res, 200, { branded: false })
    return
  end

  unless brand.activated?
    # Refresh public brand assets (logo, theme, homepage_url, support_*)
    # if due. This catches the common case of `install.sh --brand-name=X`
    # which writes only product_name + package_name — without this poll
    # the user would never see the brand's logo/theme until activation.
    # Completely asynchronous: we do NOT wait for the network round-trip.
    #
    # `distribution_refresh_pending` lets the Web UI know a refresh is
    # in flight, so it can re-poll /api/brand shortly and apply the
    # logo/theme without requiring the user to activate or refresh the
    # page first.
    refresh_pending = false
    if brand.distribution_refresh_due?
      trigger_async_distribution_refresh!
      refresh_pending = true
    end

    json_response(res, 200, {
      branded:                       true,
      needs_activation:              true,
      product_name:                  brand.product_name,
      test_mode:                     @brand_test,
      distribution_refresh_pending:  refresh_pending
    })
    return
  end

  # Send heartbeat asynchronously if interval has elapsed (once per day).
  #
  # We must NOT block this HTTP response on the heartbeat call: a slow or
  # unreachable license server would otherwise stall the Web UI's first
  # paint for up to ~92s (2 hosts × 2 attempts × 23s timeout). The fresh
  # expires_at / last_heartbeat will be picked up on the next /api/brand/status
  # poll, which is sufficient for a once-per-day check.
  if brand.heartbeat_due?
    trigger_async_heartbeat!
  else
    Clacky::Logger.debug("[Brand] api_brand_status: heartbeat not due yet")
  end

  Clacky::Logger.debug("[Brand] api_brand_status: expired=#{brand.expired?} grace_exceeded=#{brand.grace_period_exceeded?} expires_at=#{brand.license_expires_at&.iso8601 || "nil"}")

  warning = nil
  if brand.expired?
    warning = "Your #{brand.product_name} license has expired. Please renew to continue."
  elsif brand.grace_period_exceeded?
    warning = "License server unreachable for more than 3 days. Please check your connection."
  elsif brand.license_expires_at && !brand.expired?
    days_remaining = ((brand.license_expires_at - Time.now.utc) / 86_400).ceil
    if days_remaining <= 7
      warning = "Your #{brand.product_name} license expires in #{days_remaining} day#{"s" if days_remaining != 1}. Please renew soon."
    end
  end

  Clacky::Logger.debug("[Brand] api_brand_status: warning=#{warning.inspect}")

  json_response(res, 200, {
    branded:          true,
    needs_activation: false,
    product_name:     brand.product_name,
    warning:          warning,
    test_mode:        @brand_test,
    user_licensed:    brand.user_licensed?,
    license_user_id:  brand.license_user_id
  })
end

#api_browser_configure(req, res) ⇒ Object

POST /api/browser/configure Called by browser-setup skill to write browser.yml and hot-reload the daemon. Body: { chrome_version: “146” }

# File 'lib/clacky/server/http_server.rb', line 828

def api_browser_configure(req, res)
  body          = JSON.parse(req.body.to_s) rescue {}
  chrome_version = body["chrome_version"].to_s.strip
  return json_response(res, 422, { ok: false, error: "chrome_version is required" }) if chrome_version.empty?

  @browser_manager.configure(chrome_version: chrome_version)
  json_response(res, 200, { ok: true })
rescue StandardError => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_browser_reload(res) ⇒ Object

POST /api/browser/reload Called by browser-setup skill after writing browser.yml. Hot-reloads the MCP daemon with the new configuration.

# File 'lib/clacky/server/http_server.rb', line 842

def api_browser_reload(res)
  @browser_manager.reload
  json_response(res, 200, { ok: true })
rescue StandardError => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_browser_status(res) ⇒ Object

GET /api/browser/status Returns real daemon liveness from BrowserManager (not just yml read).

# File 'lib/clacky/server/http_server.rb', line 821

def api_browser_status(res)
  json_response(res, 200, @browser_manager.status)
end

#api_browser_toggle(res) ⇒ Object

POST /api/browser/toggle

# File 'lib/clacky/server/http_server.rb', line 850

def api_browser_toggle(res)
  enabled = @browser_manager.toggle
  json_response(res, 200, { ok: true, enabled: enabled })
rescue StandardError => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_change_session_working_dir(session_id, req, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4454

def api_change_session_working_dir(session_id, req, res)
  body = parse_json_body(req)
  new_dir = body["working_dir"].to_s.strip

  return json_response(res, 400, { error: "working_dir is required" }) if new_dir.empty?
  return json_response(res, 404, { error: "Session not found" }) unless @registry.ensure(session_id)

  # Expand ~ to home directory
  expanded_dir = File.expand_path(new_dir)

  # Auto-create the directory if it doesn't exist yet.
  FileUtils.mkdir_p(expanded_dir)

  agent = nil
  @registry.with_session(session_id) { |s| agent = s[:agent] }
  
  # Change the agent's working directory
  agent.change_working_dir(expanded_dir)
  
  # Persist the change
  @session_manager.save(agent.to_session_data)
  
  # Broadcast update to all clients
  broadcast_session_update(session_id)
  
  json_response(res, 200, { ok: true, working_dir: expanded_dir })
rescue => e
  json_response(res, 500, { error: e.message })
end

#api_create_cron_task(req, res) ⇒ Object

POST /api/cron-tasks — create task file + schedule in one step Body: { name, content, cron, enabled? }

# File 'lib/clacky/server/http_server.rb', line 2926

def api_create_cron_task(req, res)
  body    = parse_json_body(req)
  name    = body["name"].to_s.strip
  content = body["content"].to_s
  cron    = body["cron"].to_s.strip
  enabled = body.key?("enabled") ? body["enabled"] : true

  return json_response(res, 422, { error: "name is required" })    if name.empty?
  return json_response(res, 422, { error: "content is required" }) if content.empty?
  return json_response(res, 422, { error: "cron is required" })    if cron.empty?

  fields = cron.strip.split(/\s+/)
  unless fields.size == 5
    return json_response(res, 422, { error: "cron must have 5 fields (min hour dom month dow)" })
  end

  @scheduler.create_cron_task(name: name, content: content, cron: cron, enabled: enabled)
  json_response(res, 201, { ok: true, name: name })
end

#api_create_session(req, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 642

def api_create_session(req, res)
  body = parse_json_body(req)
  name = body["name"]
  return json_response(res, 400, { error: "name is required" }) if name.nil? || name.strip.empty?

  # Optional agent_profile; defaults to "general" if omitted or invalid
  profile = body["agent_profile"].to_s.strip
  profile = "general" if profile.empty?

  # Optional source; defaults to :manual. Accept "system" for skill-launched sessions
  # (e.g. /onboard, /browser-setup, /channel-manager).
  raw_source = body["source"].to_s.strip
  source = %w[manual cron channel setup].include?(raw_source) ? raw_source.to_sym : :manual

  raw_dir = body["working_dir"].to_s.strip
  working_dir = raw_dir.empty? ? default_working_dir : File.expand_path(raw_dir)

  # Optional model override — passed as a stable model id (matches the
  # id returned by GET /api/config). Name-based override was removed:
  # a bare model name can't disambiguate between entries from different
  # providers (e.g. "deepseek-v4-pro" on DeepSeek direct vs its dsk-*
  # alias on OpenClacky/Bedrock), and mutating current_model["model"]
  # kept the wrong api_key / base_url / api format, producing
  # "unknown model" errors at the provider.
  model_id_override = body["model_id"].to_s.strip
  model_id_override = nil if model_id_override.empty?

  if model_id_override && !@agent_config.models.any? { |m| m["id"] == model_id_override }
    return json_response(res, 400, { error: "Model not found in configuration" })
  end

  # Create working directory if it doesn't exist
  # Allow multiple sessions in the same directory
  FileUtils.mkdir_p(working_dir)

  session_id = build_session(name: name, working_dir: working_dir, profile: profile, source: source, model_id: model_id_override)
  broadcast_session_update(session_id)
  json_response(res, 201, { session: @registry.session_summary(session_id) })
end

#api_delete_channel(platform, res) ⇒ Object

DELETE /api/channels/:platform Disables the platform (keeps credentials, sets enabled: false).

# File 'lib/clacky/server/http_server.rb', line 2743

def api_delete_channel(platform, res)
  platform = platform.to_sym
  config   = Clacky::ChannelConfig.load
  config.disable_platform(platform)
  config.save

  @channel_manager.reload_platform(platform, config)

  json_response(res, 200, { ok: true })
rescue StandardError => e
  json_response(res, 422, { ok: false, error: e.message })
end

#api_delete_cron_task(name, res) ⇒ Object

DELETE /api/cron-tasks/:name — remove task file + schedule

# File 'lib/clacky/server/http_server.rb', line 2965

def api_delete_cron_task(name, res)
  if @scheduler.delete_cron_task(name)
    json_response(res, 200, { ok: true })
  else
    json_response(res, 404, { error: "Cron task not found: #{name}" })
  end
end

#api_delete_model(id, res) ⇒ Object

DELETE /api/config/models/:id

# File 'lib/clacky/server/http_server.rb', line 4076

def api_delete_model(id, res)
  models = @agent_config.models
  return json_response(res, 404, { error: "model not found" }) unless models.any? { |m| m["id"] == id }
  return json_response(res, 422, { error: "cannot delete the last model" }) if models.length <= 1

  index = models.find_index { |m| m["id"] == id }
  removed = models.delete_at(index)

  # Re-anchor current_* if we just deleted the active model.
  if @agent_config.current_model_id == removed["id"]
    new_default = models.find { |m| m["type"] == "default" } || models.first
    # If the removed model was the default, promote the new current
    # model so the config always has exactly one default entry.
    if removed["type"] == "default" && new_default && new_default["type"] != "default"
      new_default["type"] = "default"
    end
    @agent_config.current_model_id    = new_default["id"]
    @agent_config.current_model_index = models.find_index { |m| m["id"] == new_default["id"] } || 0
  elsif @agent_config.current_model_index >= models.length
    @agent_config.current_model_index = models.length - 1
  end

  @agent_config.save
  json_response(res, 200, { ok: true })
rescue => e
  json_response(res, 422, { error: e.message })
end

#api_delete_session(session_id, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4493

def api_delete_session(session_id, res)
  # A session exists if it's either in the runtime registry OR on disk.
  # Old sessions that were never restored into memory this server run
  # (e.g. shown via "load more" in the WebUI list) are disk-only — we
  # must still be able to delete them. Previously this endpoint only
  # consulted @registry and returned 404 for disk-only sessions,
  # causing the "can't delete old sessions" bug.
  in_registry = @registry.exist?(session_id)
  on_disk     = !@session_manager.load(session_id).nil?

  unless in_registry || on_disk
    return json_response(res, 404, { error: "Session not found" })
  end

  # Registry delete is best-effort — only meaningful when the session
  # is actually live (cancels idle timer, interrupts the agent thread).
  # For disk-only sessions this is a no-op and returns false, which is
  # fine and no longer blocks the disk cleanup below.
  @registry.delete(session_id) if in_registry

  # Soft-delete: move session to trash instead of permanently destroying it.
  @session_manager.soft_delete(session_id) if on_disk

  # Notify any still-connected clients (mainly matters when the
  # session was live, but harmless otherwise).
  broadcast(session_id, { type: "session_deleted", session_id: session_id })
  unsubscribe_all(session_id)

  json_response(res, 200, { ok: true })
end

#api_exchange_rate(req, res) ⇒ Object

GET /api/exchange-rate?from=USD&to=CNY Fetches the latest exchange rate on demand. The browser still owns the saved preference in localStorage; this API is only a lightweight proxy that avoids CORS issues and normalizes provider responses.

# File 'lib/clacky/server/http_server.rb', line 712

def api_exchange_rate(req, res)
  query = URI.decode_www_form(req.query_string.to_s).to_h
  from  = normalize_currency_code(query["from"], fallback: "USD")
  to    = normalize_currency_code(query["to"], fallback: "CNY")

  unless from && to
    return json_response(res, 400, { error: "from and to must be 3-letter currency codes" })
  end

  data = fetch_exchange_rate(from, to)
  json_response(res, 200, data)
rescue StandardError => e
  Clacky::Logger.warn("[ExchangeRate] failed: #{e.class}: #{e.message}")
  json_response(res, 502, { error: "Failed to fetch exchange rate" })
end

#api_export_session(session_id, res) ⇒ Object

Export a session bundle as a .zip download containing:

- session.json          (always)
- chunk-*.md            (0..N archived conversation chunks)
- logs/clacky-YYYY-MM-DD.log  (today's logger file, if present)

Useful for debugging — user clicks “download” in the WebUI status bar and we can ask them to attach the zip to a bug report.

# File 'lib/clacky/server/http_server.rb', line 4530

def api_export_session(session_id, res)
  bundle = @session_manager.files_for(session_id)
  unless bundle
    return json_response(res, 404, { error: "Session not found" })
  end

  require "zip"

  short_id = bundle[:session][:session_id].to_s[0..7]
  # Build the zip entirely in memory — session files are small (< few MB).
  buffer = Zip::OutputStream.write_buffer do |zos|
    zos.put_next_entry("session.json")
    zos.write(File.binread(bundle[:json_path]))

    bundle[:chunks].each do |chunk_path|
      # Preserve original chunk filename so the ordering (chunk-1.md, chunk-2.md, ...) is clear.
      zos.put_next_entry(File.basename(chunk_path))
      zos.write(File.binread(chunk_path))
    end

    log_path = Clacky::Logger.current_log_file
    if log_path && File.exist?(log_path)
      zos.put_next_entry("logs/#{File.basename(log_path)}")
      zos.write(File.binread(log_path))
    end
  end
  buffer.rewind
  data = buffer.read

  filename = "clacky-session-#{short_id}.zip"
  res.status = 200
  res.content_type = "application/zip"
  res["Content-Disposition"] = %(attachment; filename="#{filename}")
  res["Access-Control-Allow-Origin"] = "*"
  # Force a fresh copy each time — debugging sessions get new chunks over time.
  res["Cache-Control"] = "no-store"
  res.body = data
rescue => e
  Clacky::Logger.error("Session export failed: #{e.message}") if defined?(Clacky::Logger)
  json_response(res, 500, { error: "Export failed: #{e.message}" })
end

#api_file_action(req, res) ⇒ Object

POST /api/file-action Unified file action endpoint — open locally or download. Body: { path: String, action: “open” | “download” }

open:     opens the file with the OS default handler (local deployments).
download: returns the file as a download (remote deployments).

# File 'lib/clacky/server/http_server.rb', line 2621

def api_file_action(req, res)
  body = parse_json_body(req)
  path = body["path"]
  action = body["action"] || "open"

  return json_response(res, 400, { error: "path is required" }) unless path && !path.empty?

  # Expand ~ to the user's home directory (e.g. "~/Desktop/file.pdf").
  # Ruby's File.exist? does NOT automatically expand ~ — that's a shell feature.
  path = File.expand_path(path)

  # On WSL the file may be specified as a Windows path (e.g. "C:/Users/…").
  # Convert it to the Linux-side path so File.exist? works.
  linux_path = Utils::EnvironmentDetector.win_to_linux_path(path)

  return json_response(res, 404, { error: "file not found" }) unless File.exist?(linux_path)

  case action
  when "open"
    result = Utils::EnvironmentDetector.open_file(linux_path)
    return json_response(res, 501, { error: "unsupported OS" }) if result.nil?
    json_response(res, 200, { ok: true })
  when "download"
    serve_file_download(res, linux_path)
  else
    json_response(res, 400, { error: "invalid action. Must be 'open' or 'download'" })
  end
rescue => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_fork_session(session_id, req, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4484

def api_fork_session(session_id, req, res)
  fork_data = @session_manager.fork(session_id)
  return json_response(res, 404, { error: "Session not found" }) unless fork_data

  fork_id = fork_data[:session_id]
  broadcast_session_update(fork_id)
  json_response(res, 201, { session: @registry.snapshot(fork_id) })
end

#api_get_config(res) ⇒ Object

GET /api/config — return current model configurations

# File 'lib/clacky/server/http_server.rb', line 3888

def api_get_config(res)
  models = @agent_config.models.map.with_index do |m, i|
    {
      id:               m["id"],   # Stable runtime id — use this for switching
      index:            i,
      model:            m["model"],
      base_url:         m["base_url"],
      api_key_masked:   mask_api_key(m["api_key"]),
      anthropic_format: m["anthropic_format"] || false,
      type:             m["type"]
    }
  end
  # Filter out auto-injected models (lite, derived media) AND media
  # entries (image/video/audio) — those are managed via the dedicated
  # media-config UI, not the chat-model card list.
  models.reject! do |m|
    raw = @agent_config.models[m[:index]]
    raw["auto_injected"] || Clacky::Providers::MEDIA_KINDS.include?(raw["type"].to_s)
  end
  json_response(res, 200, {
    models: models,
    current_index: @agent_config.current_model_index,
    current_id: @agent_config.current_model&.dig("id")
  })
end

#api_get_media_config(res) ⇒ Object

GET /api/config/media Used by the Settings UI to render the tri-state media controls. Per-kind payload mirrors AgentConfig#media_state.

# File 'lib/clacky/server/http_server.rb', line 934

def api_get_media_config(res)
  out = {}
  Clacky::Providers::MEDIA_KINDS.each do |t|
    state = @agent_config.media_state(t)
    entry = @agent_config.find_model_by_type(t)
    out[t] = {
      source:     state["source"],
      model:      state["model"],
      base_url:   state["base_url"],
      api_key_masked: entry ? mask_api_key(entry["api_key"]) : nil,
      provider:   state["provider"],
      available:  state["available"],
      aliases:    state["aliases"] || {},
      stale:      state["stale"] || false,
      requested_model: state["requested_model"],
      configured: state["configured"]
    }
  end

  # Surface what the current default model can offer, even when the
  # user is currently in "off" — the UI uses this to render the
  # auto-mode preview ("Auto would use X").
  default = @agent_config.find_model_by_type("default")
  provider_id = default && Clacky::Providers.resolve_provider(
    base_url: default["base_url"],
    api_key:  default["api_key"]
  )
  defaults = {}
  Clacky::Providers::MEDIA_KINDS.each do |t|
    defaults[t] = {
      provider:  provider_id,
      model:     provider_id ? Clacky::Providers.default_media_model(provider_id, t) : nil,
      available: provider_id ? Clacky::Providers.media_models(provider_id, t) : [],
      aliases:   provider_id ? Clacky::Providers.media_model_aliases(provider_id, t) : {}
    }
  end

  json_response(res, 200, { media: out, default_provider: defaults })
end

#api_get_ocr_config(res) ⇒ Object

GET /api/config/ocr Returns the OCR sidecar state for the Settings UI. Mirrors media_state in shape so the UI can render OCR with the same row component.

# File 'lib/clacky/server/http_server.rb', line 1111

def api_get_ocr_config(res)
  state = @agent_config.ocr_state
  entry = @agent_config.find_model_by_type("ocr")

  out = {
    source:         state["source"],
    model:          state["model"],
    base_url:       state["base_url"],
    api_key_masked: entry ? mask_api_key(entry["api_key"]) : nil,
    provider:       state["provider"],
    available:      state["available"],
    stale:          state["stale"] || false,
    requested_model: state["requested_model"],
    configured:     state["configured"],
    primary:        state["primary"] || false
  }

  # Auto-mode preview: surface what the OCR sidecar *would* be if the
  # user flipped to "auto" — derived from the same provider as the
  # current default model.
  default = @agent_config.find_model_by_type("default")
  provider_id = default && Clacky::Providers.resolve_provider(
    base_url: default["base_url"],
    api_key:  default["api_key"]
  )
  default_preview = {
    provider:  provider_id,
    model:     provider_id ? Clacky::Providers.default_ocr_model(provider_id) : nil,
    available: provider_id ? Clacky::Providers.ocr_models(provider_id) : []
  }

  json_response(res, 200, { ocr: out, default_provider: default_preview })
end

#api_get_settings(res) ⇒ Object

GET /api/config/settings — return advanced settings

# File 'lib/clacky/server/http_server.rb', line 3915

def api_get_settings(res)
  json_response(res, 200, {
    ok: true,
    enable_compression: @agent_config.enable_compression,
    enable_prompt_caching: @agent_config.enable_prompt_caching,
    memory_update_enabled: @agent_config.memory_update_enabled
  })
end

#api_get_version(res) ⇒ Object

GET /api/version Returns current version and latest version from RubyGems (cached for 1 hour).

# File 'lib/clacky/server/http_server.rb', line 1792

def api_get_version(res)
  current = Clacky::VERSION
  latest  = fetch_latest_version_cached
  brand   = Clacky::BrandConfig.load
  cli_cmd = brand.branded? && brand.package_name && !brand.package_name.empty? ? brand.package_name : "openclacky"
  json_response(res, 200, {
    current:      current,
    latest:       latest,
    needs_update: latest ? version_older?(current, latest) : false,
    launcher:     ENV["CLACKY_LAUNCHER"] || "cli",
    cli_command:  cli_cmd
  })
end

#api_group_history(chat_id, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 2588

def api_group_history(chat_id, res)
  messages = @channel_manager.group_history(chat_id)
  json_response(res, 200, { chat_id: chat_id, messages: messages })
rescue StandardError => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_internal_ocr_image(req, res) ⇒ Object

POST /api/internal/ocr-image Internal endpoint used by parser scripts (e.g. pdf_parser_vlm.py) to transcribe a single image via the configured OCR sidecar. Localhost- only by virtue of the standard auth path: when the server binds to 127.0.0.1 (@localhost_only), check_access_key returns true without requiring a token, so parsers running on the same host can call this endpoint with no extra wiring.

Request: multipart/form-data with field “image” (binary), optional “prompt”

OR JSON body { "data_url": "data:image/png;base64,...", "prompt": "..." }

Response: { ok: true, text: “…” } or { ok: false, message: “…” }

# File 'lib/clacky/server/http_server.rb', line 1236

def api_internal_ocr_image(req, res)
  entry = @agent_config.find_model_by_type("ocr")
  unless entry
    return json_response(res, 503, { ok: false, message: "OCR sidecar not configured" })
  end

  prompt   = nil
  data_url = nil
  bytes    = nil
  mime     = "image/png"

  ctype = req.content_type.to_s
  if ctype.start_with?("multipart/form-data")
    parts = req.query
    if (img = parts["image"])
      bytes = img.respond_to?(:read) ? img.read : img.to_s
      mime  = (img.respond_to?(:[]) ? img["content-type"].to_s : nil)
      mime  = "image/png" if mime.nil? || mime.empty?
    end
    prompt = parts["prompt"].to_s if parts["prompt"]
  else
    body = parse_json_body(req) || {}
    data_url = body["data_url"].to_s
    prompt   = body["prompt"].to_s if body["prompt"]
  end

  image =
    if bytes && !bytes.empty?
      { bytes: bytes, mime_type: mime }
    elsif data_url && !data_url.empty?
      { data_url: data_url }
    else
      return json_response(res, 400, { ok: false, message: "image or data_url required" })
    end

  text = Clacky::Vision::Resolver.new(entry).describe(image, prompt: prompt)
  if text && !text.strip.empty?
    json_response(res, 200, { ok: true, text: text })
  else
    json_response(res, 200, { ok: false, message: "OCR returned empty result" })
  end
rescue => e
  json_response(res, 500, { ok: false, message: e.message })
end

#api_list_channel_users(platform, res) ⇒ Object

GET /api/channels/:platform/users Returns the list of known user IDs for the given platform. These are users who have sent at least one message to the bot in this server session.

For Weixin: returns users with a cached context_token (required for proactive messaging). For Feishu / WeCom: returns user IDs extracted from channel session bindings.

Response:

200 { users: ["uid1", "uid2", ...] }

# File 'lib/clacky/server/http_server.rb', line 2580

def api_list_channel_users(platform, res)
  platform = platform.to_sym
  users    = @channel_manager.known_users(platform)
  json_response(res, 200, { platform: platform, users: users })
rescue StandardError => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_list_channels(res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 2230

def api_list_channels(res)
  config   = Clacky::ChannelConfig.load
  running  = @channel_manager.running_platforms

  platforms = Clacky::Channel::Adapters.all.map do |klass|
    platform = klass.platform_id
    raw      = config.instance_variable_get(:@channels)[platform.to_s] || {}
    {
      platform:  platform,
      enabled:   !!raw["enabled"],
      running:   running.include?(platform),
      has_config: !config.platform_config(platform).nil?
    }.merge(platform_safe_fields(platform, config))
  end

  json_response(res, 200, { channels: platforms })
end

#api_list_cron_tasks(res) ⇒ Object

GET /api/cron-tasks

# File 'lib/clacky/server/http_server.rb', line 2920

def api_list_cron_tasks(res)
  json_response(res, 200, { cron_tasks: @scheduler.list_cron_tasks })
end

#api_list_providers(res) ⇒ Object

GET /api/providers — return built-in provider presets for quick setup

# File 'lib/clacky/server/http_server.rb', line 4174

def api_list_providers(res)
  providers = Clacky::Providers::PRESETS.map do |id, preset|
    {
      id:                id,
      name:              preset["name"],
      base_url:          preset["base_url"],
      default_model:     preset["default_model"],
      models:            preset["models"] || [],
      # Frontend uses this to render a Base URL dropdown (regional /
      # billing-plan variants) when present. Absent for single-endpoint
      # providers — UI renders a plain text input in that case.
      endpoint_variants: preset["endpoint_variants"],
      website_url:       preset["website_url"]
    }
  end
  json_response(res, 200, { providers: providers })
end

#api_list_sessions(req, res) ⇒ Object

── REST API ──────────────────────────────────────────────────────────────

# File 'lib/clacky/server/http_server.rb', line 615

def api_list_sessions(req, res)
  query   = URI.decode_www_form(req.query_string.to_s).to_h
  limit   = [query["limit"].to_i.then { |n| n > 0 ? n : 20 }, 50].min
  before  = query["before"].to_s.strip.then  { |v| v.empty? ? nil : v }
  q       = query["q"].to_s.strip.then       { |v| v.empty? ? nil : v }
  q_scope = query["q_scope"].to_s.strip.then { |v| %w[name content].include?(v) ? v : "name" }
  date    = query["date"].to_s.strip.then    { |v| v.empty? ? nil : v }
  type    = query["type"].to_s.strip.then    { |v| v.empty? ? nil : v }
  # Backward-compat: ?source=<x> and ?profile=coding → type
  type ||= query["profile"].to_s.strip.then { |v| v.empty? ? nil : v }
  type ||= query["source"].to_s.strip.then  { |v| v.empty? ? nil : v }

  # Fetch one extra NON-PINNED row to detect has_more without a separate count query.
  # `registry.list` always returns ALL matching pinned rows first (on the
  # first page; `before` == nil), followed by non-pinned rows up to `limit+1`.
  # So has_more is determined by whether the non-pinned section overflowed.
  sessions = @registry.list(limit: limit + 1, before: before, q: q, q_scope: q_scope, date: date, type: type)

  # Split pinned vs non-pinned to apply has_more only to the non-pinned tail.
  pinned_part, non_pinned_part = sessions.partition { |s| s[:pinned] }
  has_more = non_pinned_part.size > limit
  non_pinned_part = non_pinned_part.first(limit)
  sessions = pinned_part + non_pinned_part

  json_response(res, 200, { sessions: sessions, has_more: has_more, cron_count: @registry.cron_count })
end

#api_list_skills(res) ⇒ Object

GET /api/skills — list all loaded skills with metadata

# File 'lib/clacky/server/http_server.rb', line 2995

def api_list_skills(res)
  @skill_loader.load_all  # refresh from disk on each request
  upload_meta = Clacky::BrandConfig.load_upload_meta
  shadowed    = @skill_loader.shadowed_by_local

  skills = @skill_loader.all_skills.reject(&:brand_skill).map do |skill|
    source = @skill_loader.loaded_from[skill.identifier]
    meta   = upload_meta[skill.identifier] || {}

    # Compute local modification time of SKILL.md for "has local changes" indicator
    skill_md_path = File.join(skill.directory.to_s, "SKILL.md")
    local_modified_at = File.exist?(skill_md_path) ? File.mtime(skill_md_path).utc.iso8601 : nil

    entry = {
      name:              skill.identifier,
      name_zh:           skill.name_zh,
      description:       skill.context_description,
      description_zh:    skill.description_zh,
      source:            source,
      enabled:           !skill.disabled?,
      invalid:           skill.invalid?,
      warnings:          skill.warnings,
      platform_version:  meta["platform_version"],
      uploaded_at:       meta["uploaded_at"],
      local_modified_at: local_modified_at,
      # true when this local skill is shadowing a same-named brand skill
      shadowing_brand:   shadowed.key?(skill.identifier)
    }
    entry[:invalid_reason] = skill.invalid_reason if skill.invalid?
    entry
  end
  json_response(res, 200, { skills: skills })
end

#api_mcp_call(name, req, res) ⇒ Object

POST /api/mcp/:name/call body: { tool: “…”, arguments: … } Forwards a tools/call to the configured MCP server and returns its raw result. Subagents call this from their shell tool via curl — there is no Ruby-side bridge tool anymore.

# File 'lib/clacky/server/http_server.rb', line 2338

def api_mcp_call(name, req, res)
  unless mcp_registry.configured?(name)
    json_response(res, 404, { ok: false, error: "MCP server '#{name}' not found in mcp.json" })
    return
  end

  body = parse_json_body(req) || {}
  tool = body["tool"] || body[:tool]
  arguments = body["arguments"] || body[:arguments] || {}

  if tool.nil? || tool.to_s.strip.empty?
    json_response(res, 400, { ok: false, error: "missing required field: tool" })
    return
  end

  result = mcp_registry.call_tool(name, tool, arguments)
  json_response(res, 200, { ok: true, result: result })
rescue Clacky::Mcp::Client::McpError, Clacky::Mcp::Client::TransportError => e
  json_response(res, 502, { ok: false, error: e.message })
rescue StandardError => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_mcp_create(req, res) ⇒ Object

POST /api/mcp { name, command, args[], env{}, cwd?, description? }

# File 'lib/clacky/server/http_server.rb', line 2423

def api_mcp_create(req, res)
  return unless mcp_localhost_only(req, res)

  body = parse_json_body(req)
  name, spec, err = mcp_validate_spec(body)
  if err
    json_response(res, 400, { ok: false, error: err })
    return
  end

  data = mcp_load_raw_config
  if data["mcpServers"].key?(name)
    json_response(res, 409, { ok: false, error: "MCP server '#{name}' already exists. Use PUT to update." })
    return
  end

  data["mcpServers"][name] = spec
  mcp_write_raw_config(data)
  @mcp_registry_mutex.synchronize { @mcp_registry&.reload }
  json_response(res, 200, { ok: true, name: name, config_path: mcp_config_path })
end

#api_mcp_delete(name, req, res) ⇒ Object

DELETE /api/mcp/:name

# File 'lib/clacky/server/http_server.rb', line 2470

def api_mcp_delete(name, req, res)
  return unless mcp_localhost_only(req, res)

  data = mcp_load_raw_config
  unless data["mcpServers"].key?(name)
    json_response(res, 404, { ok: false, error: "MCP server '#{name}' not found" })
    return
  end

  data["mcpServers"].delete(name)
  mcp_write_raw_config(data)
  @mcp_registry_mutex.synchronize { @mcp_registry&.reload }
  json_response(res, 200, { ok: true, name: name })
end

#api_mcp_list(res) ⇒ Object

GET /api/mcp Lists configured MCP servers without spawning any subprocess. Honors both ~/.clacky/mcp.json (global) and project-level overrides.

# File 'lib/clacky/server/http_server.rb', line 2251

def api_mcp_list(res)
  data = mcp_load_raw_config
  servers = (data["mcpServers"] || {}).map do |name, spec|
    next nil unless spec.is_a?(Hash)

    type = (spec["type"] || (spec["url"] ? "http" : "stdio")).to_s
    {
      name:        name.to_s,
      type:        type,
      description: spec["description"] || "",
      command:     spec["command"],
      args:        Array(spec["args"]),
      url:         spec["url"],
      disabled:    spec["disabled"] == true,
      has_env:     spec["env"].is_a?(Hash) && !spec["env"].empty?,
      has_headers: spec["headers"].is_a?(Hash) && !spec["headers"].empty?,
    }
  end.compact

  json_response(res, 200, {
    configured:    !servers.empty?,
    config_path:   mcp_config_path,
    config_exists: File.exist?(mcp_config_path),
    servers:       servers,
  })
end

#api_mcp_probe(name, res) ⇒ Object

POST /api/mcp/:name/probe Spawns the MCP server briefly to fetch its tool catalog, then shuts it down. Used by the WebUI to display each server’s tool list on demand. No state survives the request — the next agent run does its own lazy spawn.

# File 'lib/clacky/server/http_server.rb', line 2282

def api_mcp_probe(name, res)
  registry = Clacky::Mcp::Registry.new(idle_timeout: 0)
  unless registry.configured?(name)
    json_response(res, 404, { ok: false, error: "MCP server '#{name}' not found in mcp.json" })
    return
  end

  tools = registry.tool_definitions(name).map do |defn|
    fn = defn[:function] || defn["function"] || {}
    {
      name:         fn[:name] || fn["name"],
      description:  fn[:description] || fn["description"] || "",
      input_schema: fn[:parameters] || fn["parameters"] || {},
    }
  end

  json_response(res, 200, { ok: true, name: name, tools: tools, tool_count: tools.length })
rescue Clacky::Mcp::Client::McpError, Clacky::Mcp::Client::TransportError => e
  json_response(res, 502, { ok: false, error: e.message })
rescue StandardError => e
  json_response(res, 500, { ok: false, error: e.message })
ensure
  registry&.shutdown
end

#api_mcp_toggle(name, req, res) ⇒ Object

PATCH /api/mcp/:name/enabled body: { enabled: true|false }

# File 'lib/clacky/server/http_server.rb', line 2486

def api_mcp_toggle(name, req, res)
  return unless mcp_localhost_only(req, res)

  body = parse_json_body(req) || {}
  enabled = body["enabled"]
  if enabled.nil? || ![true, false].include?(enabled)
    json_response(res, 400, { ok: false, error: "enabled (boolean) is required" })
    return
  end

  data = mcp_load_raw_config
  spec = data["mcpServers"][name]
  unless spec.is_a?(Hash)
    json_response(res, 404, { ok: false, error: "MCP server '#{name}' not found" })
    return
  end

  if enabled
    spec.delete("disabled")
  else
    spec["disabled"] = true
  end
  mcp_write_raw_config(data)

  @mcp_registry_mutex.synchronize { @mcp_registry&.reload }

  json_response(res, 200, { ok: true, name: name, disabled: spec["disabled"] == true })
end

#api_mcp_tools(name, res) ⇒ Object

GET /api/mcp/:name/tools Returns the live tool catalog for an MCP server, using the process-wide registry. The first call cold-starts the server; later calls hit cache. Subagents use this as a discovery endpoint, replacing the deleted mcp_call tool’s hidden tool list.

# File 'lib/clacky/server/http_server.rb', line 2312

def api_mcp_tools(name, res)
  unless mcp_registry.configured?(name)
    json_response(res, 404, { ok: false, error: "MCP server '#{name}' not found in mcp.json" })
    return
  end

  tools = mcp_registry.tool_definitions(name).map do |defn|
    fn = defn[:function] || defn["function"] || {}
    {
      name:         fn[:name] || fn["name"],
      description:  fn[:description] || fn["description"] || "",
      input_schema: fn[:parameters] || fn["parameters"] || {},
    }
  end

  json_response(res, 200, { ok: true, name: name, tools: tools, tool_count: tools.length })
rescue Clacky::Mcp::Client::McpError, Clacky::Mcp::Client::TransportError => e
  json_response(res, 502, { ok: false, error: e.message })
rescue StandardError => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_mcp_update(name, req, res) ⇒ Object

PUT /api/mcp/:name { command, args[], env{}, cwd?, description? } Replaces the entire spec. Path :name wins over body name.

# File 'lib/clacky/server/http_server.rb', line 2447

def api_mcp_update(name, req, res)
  return unless mcp_localhost_only(req, res)

  body = parse_json_body(req).merge("name" => name)
  _, spec, err = mcp_validate_spec(body)
  if err
    json_response(res, 400, { ok: false, error: err })
    return
  end

  data = mcp_load_raw_config
  unless data["mcpServers"].key?(name)
    json_response(res, 404, { ok: false, error: "MCP server '#{name}' not found" })
    return
  end

  data["mcpServers"][name] = spec
  mcp_write_raw_config(data)
  @mcp_registry_mutex.synchronize { @mcp_registry&.reload }
  json_response(res, 200, { ok: true, name: name })
end

#api_media_image(req, res) ⇒ Object

POST /api/media/image Body: { “prompt”: “…”, “aspect_ratio”: “landscape|square|portrait”,

"output_dir": "<absolute path, optional>" }

Routes to the model configured with type=image in agent_config.

# File 'lib/clacky/server/http_server.rb', line 861

def api_media_image(req, res)
  body = parse_json_body(req)
  return json_response(res, 400, { error: "Invalid JSON" }) unless body

  prompt = body["prompt"].to_s
  if prompt.strip.empty?
    return json_response(res, 422, { error: "prompt is required" })
  end

  aspect_ratio = body["aspect_ratio"].to_s
  aspect_ratio = "landscape" if aspect_ratio.empty?
  output_dir   = body["output_dir"].to_s
  output_dir   = @agent_config.default_working_dir || Dir.pwd if output_dir.empty?

  result = Clacky::Media::Generator.new(@agent_config).generate_image(
    prompt: prompt,
    aspect_ratio: aspect_ratio,
    output_dir: output_dir
  )
  if result["success"]
    log_media_usage(result, prompt: prompt)
  end
  status = result["success"] ? 200 : 422
  json_response(res, status, result)
rescue StandardError => e
  json_response(res, 500, { error: e.message })
end

#api_media_types(res) ⇒ Object

GET /api/media/types Returns which media types are configured in agent_config.models. Used by the media-gen skill to decide whether to surface generation capabilities to the user.

# File 'lib/clacky/server/http_server.rb', line 912

def api_media_types(res)
  out = {}
  Clacky::Providers::MEDIA_KINDS.each do |t|
    state = @agent_config.media_state(t)
    out[t] =
      if state["configured"]
        {
          configured: true,
          model:      state["model"],
          base_url:   state["base_url"],
          source:     state["source"]
        }
      else
        { configured: false, source: "off" }
      end
  end
  json_response(res, 200, out)
end

#api_onboard_complete(req, res) ⇒ Object

POST /api/onboard/complete Called after key setup is done (soul_setup is optional/skipped). Creates the default session if none exists yet, returns it.

# File 'lib/clacky/server/http_server.rb', line 1284

def api_onboard_complete(req, res)
  create_default_session if @registry.list(limit: 1).empty?
  first_session = @registry.list(limit: 1).first
  json_response(res, 200, { ok: true, session: first_session })
end

#api_onboard_skip_soul(req, res) ⇒ Object

POST /api/onboard/skip-soul Writes a minimal SOUL.md so the soul_setup phase is not re-triggered on the next server start when the user chooses to skip the conversation.

# File 'lib/clacky/server/http_server.rb', line 1293

def api_onboard_skip_soul(req, res)
  body = parse_json_body(req)
  lang = body["lang"].to_s.strip
  soul_content = lang == "zh" ? DEFAULT_SOUL_MD_ZH : DEFAULT_SOUL_MD

  agents_dir = File.expand_path("~/.clacky/agents")
  FileUtils.mkdir_p(agents_dir)
  soul_path = File.join(agents_dir, "SOUL.md")
  unless File.exist?(soul_path)
    File.write(soul_path, soul_content)
  end
  json_response(res, 200, { ok: true })
end

#api_onboard_status(res) ⇒ Object

GET /api/onboard/status Phase “key_setup” → no API key configured yet Phase “soul_setup” → key configured, but ~/.clacky/agents/SOUL.md missing needs_onboard: false → fully set up

# File 'lib/clacky/server/http_server.rb', line 811

def api_onboard_status(res)
  if !@agent_config.models_configured?
    json_response(res, 200, { needs_onboard: true, phase: "key_setup" })
  else
    json_response(res, 200, { needs_onboard: false })
  end
end

#api_rename_session(session_id, req, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4222

def api_rename_session(session_id, req, res)
  body = parse_json_body(req)
  new_name = body["name"]&.to_s&.strip
  pinned = body["pinned"]

  return json_response(res, 404, { error: "Session not found" }) unless @registry.ensure(session_id)

  agent = nil
  @registry.with_session(session_id) { |s| agent = s[:agent] }
  
  # Update name if provided
  if new_name && !new_name.empty?
    agent.rename(new_name)
  end
  
  # Update pinned status if provided
  if !pinned.nil?
    agent.pinned = pinned
  end
  
  # Save session data
  @session_manager.save(agent.to_session_data)
  
  # Broadcast update event
  update_data = { type: "session_updated", session_id: session_id }
  update_data[:name] = new_name if new_name && !new_name.empty?
  update_data[:pinned] = pinned unless pinned.nil?
  broadcast(session_id, update_data)
  
  response_data = { ok: true }
  response_data[:name] = new_name if new_name && !new_name.empty?
  response_data[:pinned] = pinned unless pinned.nil?
  json_response(res, 200, response_data)
rescue => e
  json_response(res, 500, { error: e.message })
end

#api_restart(req, res) ⇒ Object

POST /api/restart Re-execs the current process so the newly installed gem version is loaded. Uses the absolute script path captured at startup to avoid relative-path issues. Responds 200 first, then waits briefly for WEBrick to flush the response before exec.

# File 'lib/clacky/server/http_server.rb', line 2087

def api_restart(req, res)
  json_response(res, 200, { ok: true, message: "Restarting…" })

  Thread.new do
    sleep 0.5  # Let WEBrick flush the HTTP response

    if @master_pid
      # Worker mode: tell master to hot-restart. Master will TERM us after the
      # new worker boots; our trap("TERM") then runs shutdown_proc, which detaches
      # the inherited listen socket before WEBrick shutdown. Do NOT exit(0) here —
      # that bypasses trap handlers and lets the OS close(fd) on a socket shared
      # with master+new worker, corrupting the listener on Linux/WSL.
      Clacky::Logger.info("[Restart] Sending USR1 to master (PID=#{@master_pid})")
      begin
        Process.kill("USR1", @master_pid)
      rescue Errno::ESRCH
        Clacky::Logger.warn("[Restart] Master PID=#{@master_pid} not found, falling back to exec.")
        standalone_exec_restart
      end
    else
      # Standalone mode (no master): fall back to the original exec approach.
      standalone_exec_restart
    end
  end
end

#api_run_cron_task(name, res) ⇒ Object

POST /api/cron-tasks/:name/run — execute immediately

# File 'lib/clacky/server/http_server.rb', line 2974

def api_run_cron_task(name, res)
  unless @scheduler.list_tasks.include?(name)
    return json_response(res, 404, { error: "Cron task not found: #{name}" })
  end

  prompt       = @scheduler.read_task(name)
  session_name = "▶ #{name} #{Time.now.strftime("%H:%M")}"
  working_dir  = File.expand_path("~/clacky_workspace")
  FileUtils.mkdir_p(working_dir)

  session_id = build_session(name: session_name, working_dir: working_dir, permission_mode: :auto_approve)
  @registry.update(session_id, pending_task: prompt, pending_working_dir: working_dir)

  json_response(res, 202, { ok: true, session: @registry.session_summary(session_id) })
rescue => e
  json_response(res, 422, { error: e.message })
end

#api_save_channel(platform, req, res) ⇒ Object

POST /api/channels/:platform Body: { fields… } (platform-specific credential fields) Saves credentials and optionally (re)starts the adapter.

# File 'lib/clacky/server/http_server.rb', line 2705

def api_save_channel(platform, req, res)
  platform = platform.to_sym
  body     = parse_json_body(req)
  config   = Clacky::ChannelConfig.load

  fields = body.transform_keys(&:to_sym).reject { |k, _| k == :platform }
  fields = fields.transform_values { |v| v.is_a?(String) ? v.strip : v }

  # Record when the token was last updated so clients can detect re-login
  fields[:token_updated_at] = Time.now.to_i if platform == :weixin && fields.key?(:token)
  fields[:token_updated_at] = Time.now.to_i if platform == :discord && fields.key?(:bot_token)

  # Validate credentials against live API before persisting.
  # Merge with existing config so partial updates (e.g. allowed_users only) still validate correctly.
  klass = Clacky::Channel::Adapters.find(platform)
  if klass && klass.respond_to?(:test_connection)
    existing = config.platform_config(platform) || {}
    merged   = existing.merge(fields)
    result   = klass.test_connection(merged)
    unless result[:ok]
      json_response(res, 422, { ok: false, error: result[:error] || "Credential validation failed" })
      return
    end
  end

  config.set_platform(platform, **fields)
  config.save

  # Hot-reload: stop existing adapter for this platform (if running) and restart
  @channel_manager.reload_platform(platform, config)

  json_response(res, 200, { ok: true })
rescue StandardError => e
  json_response(res, 422, { ok: false, error: e.message })
end

#api_send_channel_message(platform, req, res) ⇒ Object

POST /api/channels/:platform/send Proactively send a message to a user via the given IM platform.

Body:

{ "message": "hello",            # required
  "user_id": "some_user_id" }    # optional — defaults to most-recently active user

Response:

200 { ok: true }
400 { ok: false, error: "..." }  — missing/invalid params or platform not running
503 { ok: false, error: "..." }  — no known users (nobody has messaged the bot yet)

Constraints:

- The platform adapter must be running (channel must be enabled + connected).
- For Weixin (iLink protocol), a context_token is required per message. This is
  automatically looked up from the in-memory cache populated by inbound messages.
  If no token exists for the target user (i.e. the user has never messaged the bot
  in this server session), the message cannot be delivered.

# File 'lib/clacky/server/http_server.rb', line 2533

def api_send_channel_message(platform, req, res)
  platform = platform.to_sym
  body     = parse_json_body(req)
  message  = body["message"].to_s.strip

  if message.empty?
    json_response(res, 400, { ok: false, error: "message is required" })
    return
  end

  # Resolve target user_id
  user_id = body["user_id"].to_s.strip
  if user_id.empty?
    # Default to the most-recently active user for this platform
    known = @channel_manager.known_users(platform)
    if known.empty?
      json_response(res, 503, {
        ok:    false,
        error: "No known users for :#{platform}. The user must send a message to the bot first."
      })
      return
    end
    user_id = known.last
  end

  result = @channel_manager.send_to_user(platform, user_id, message)
  if result.nil?
    json_response(res, 400, {
      ok:    false,
      error: "Failed to send message. The :#{platform} adapter may not be running, or no context_token is available for user #{user_id}."
    })
  else
    json_response(res, 200, { ok: true, platform: platform, user_id: user_id })
  end
rescue StandardError => e
  json_response(res, 500, { ok: false, error: e.message })
end

#api_serve_local_image(req, res) ⇒ Object

GET /api/local-image?path=file:///path/to/image.png GET /api/local-image?path=/path/to/image.png

Serves a local image file with the correct Content-Type. Used by the Web UI to render local images that would otherwise be blocked by the browser’s security policy (file:// from http:// origin).

# File 'lib/clacky/server/http_server.rb', line 2672

def api_serve_local_image(req, res)
  raw_path = URI.decode_www_form(req.query_string.to_s).to_h["path"].to_s
  return json_response(res, 400, { error: "path is required" }) if raw_path.empty?

  # Strip file:// prefix if present
  path = raw_path.sub(%r{\Afile://}, "")
  path = CGI.unescape(path)
  path = File.expand_path(path)

  # On WSL the file may be specified as a Windows path (e.g. "C:/Users/…").
  # Convert it to the Linux-side path so File.exist? works.
  path = Utils::EnvironmentDetector.win_to_linux_path(path)

  # Security: only serve image files
  ext = File.extname(path).downcase
  unless Utils::FileProcessor::LOCAL_IMAGE_EXTENSIONS.include?(ext)
    return json_response(res, 403, { error: "not an image file" })
  end

  return json_response(res, 404, { error: "file not found" }) unless File.exist?(path)

  mime = Utils::FileProcessor::MIME_TYPES[ext] || "application/octet-stream"
  res.status         = 200
  res["Content-Type"] = mime
  res["Cache-Control"] = "private, max-age=3600"
  res.body = File.binread(path)
rescue => e
  json_response(res, 500, { error: e.message })
end

#api_session_files(session_id, req, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 3078

def api_session_files(session_id, req, res)
  unless @registry.ensure(session_id)
    return json_response(res, 404, { error: "Session not found" })
  end
  session = @registry.get(session_id)
  agent   = session && session[:agent]
  return json_response(res, 404, { error: "Session not found" }) unless agent

  root = File.expand_path(agent.working_dir.to_s)
  return json_response(res, 404, { error: "Working directory not found" }) unless Dir.exist?(root)

  query = URI.decode_www_form(req.query_string.to_s).to_h
  rel = query["path"].to_s
  absolute_mode = query["absolute"] == "true"

  # Absolute mode: allow browsing outside working directory (e.g., root "/")
  if absolute_mode
    target = File.expand_path(rel.empty? ? "/" : rel)
    display_root = target
    # Normalize rel for API response
    rel = target
  else
    rel = rel.sub(%r{\A/+}, "").strip
    target = File.expand_path(File.join(root, rel))
    display_root = root

    # Reject traversal outside the working directory.
    unless target == root || target.start_with?("#{root}/")
      return json_response(res, 403, { error: "Path outside working directory" })
    end
  end

  return json_response(res, 404, { error: "Directory not found" }) unless Dir.exist?(target)
  entries = Dir.children(target).reject { |name| IGNORED_FILE_ENTRIES.include?(name) }

  items = entries.filter_map do |name|
    full = File.join(target, name)
    is_dir = File.directory?(full)
    # Skip symlinks pointing outside the root, and anything unreadable.
    next unless File.exist?(full)
    {
      name:  name,
      path:  "#{rel}/#{name}".gsub(%r{/+}, "/"),
      type:  is_dir ? "dir" : "file",
      size:  is_dir ? nil : (File.size(full) rescue nil)
    }
  rescue StandardError
    nil
  end

  # Directories first, then files; both case-insensitive alphabetical.
  items.sort_by! { |it| [it[:type] == "dir" ? 0 : 1, it[:name].downcase] }

  json_response(res, 200, { root: display_root, path: rel, entries: items })
rescue StandardError => e
  json_response(res, 500, { error: e.message })
end

#api_session_messages(session_id, req, res) ⇒ Object

GET /api/sessions/:id/messages?limit=20&before=1709123456.789 Replays conversation history for a session via the agent’s replay_history method. Returns a list of UI events (same format as WS events) for the frontend to render.

# File 'lib/clacky/server/http_server.rb', line 4195

def api_session_messages(session_id, req, res)
  unless @registry.ensure(session_id)
    Clacky::Logger.warn("[messages] registry.ensure failed", session_id: session_id)
    return json_response(res, 404, { error: "Session not found" })
  end

  # Parse query params
  query   = URI.decode_www_form(req.query_string.to_s).to_h
  limit   = [query["limit"].to_i.then { |n| n > 0 ? n : 20 }, 100].min
  before  = query["before"]&.to_f

  agent = nil
  @registry.with_session(session_id) { |s| agent = s[:agent] }

  unless agent
    Clacky::Logger.warn("[messages] agent is nil", session_id: session_id)
    return json_response(res, 200, { events: [], has_more: false })
  end

  # Collect events emitted by replay_history via a lightweight collector UI
  collected = []
  collector = HistoryCollector.new(session_id, collected)
  result    = agent.replay_history(collector, limit: limit, before: before)

  json_response(res, 200, { events: collected, has_more: result[:has_more] })
end

#api_session_skills(session_id, res) ⇒ Object

GET /api/sessions/:id/skills — list user-invocable skills for a session, filtered by the session’s agent profile. Used by the frontend slash-command autocomplete so only skills valid for the current profile are suggested.

# File 'lib/clacky/server/http_server.rb', line 3032

def api_session_skills(session_id, res)
  unless @registry.ensure(session_id)
    json_response(res, 404, { error: "Session not found" })
    return
  end
  session = @registry.get(session_id)
  unless session
    json_response(res, 404, { error: "Session not found" })
    return
  end

  agent = session[:agent]
  unless agent
    json_response(res, 404, { error: "Agent not found" })
    return
  end

  agent.skill_loader.load_all
  profile = agent.agent_profile

  skills = agent.skill_loader.user_invocable_skills
  skills = skills.select { |s| s.allowed_for_agent?(profile.name) } if profile

  loader      = agent.skill_loader
  loaded_from = loader.loaded_from

            skill_data = skills.map do |skill|
    source_type = loaded_from[skill.identifier]
    {
      name:           skill.identifier,
      name_zh:        skill.name_zh,
      description:    skill.description || skill.context_description,
      description_zh: skill.description_zh,
      encrypted:      skill.encrypted?,
      source_type:    source_type
    }
  end

  json_response(res, 200, { skills: skill_data })
end

#api_set_default_model(id, res) ⇒ Object

POST /api/config/models/:id/default Makes the identified model the new “default” (global initial model for new sessions AND current model for this server instance).

# File 'lib/clacky/server/http_server.rb', line 4107

def api_set_default_model(id, res)
  ok = @agent_config.set_default_model_by_id(id)
  return json_response(res, 404, { error: "model not found" }) unless ok

  @agent_config.current_model_id    = id
  @agent_config.current_model_index = @agent_config.models.find_index { |m| m["id"] == id } || 0
  @agent_config.save
  json_response(res, 200, { ok: true })
rescue => e
  json_response(res, 422, { error: e.message })
end

#api_store_skills(res) ⇒ Object

GET /api/brand/skills Fetches the brand skills list from the cloud, enriched with local installed version. Returns 200 with skill list, or 403 when license is not activated. If the remote API call fails, falls back to locally installed skills with a warning. GET /api/store/skills Returns the public skill store catalog from the OpenClacky Cloud API. Requires an activated license — uses HMAC auth with scope: “store” to fetch platform-wide published public skills (not filtered by the user’s own skills). Falls back to the hardcoded catalog when license is not activated or API is unavailable.

# File 'lib/clacky/server/http_server.rb', line 1541

def api_store_skills(res)
  brand  = Clacky::BrandConfig.load
  result = brand.fetch_store_skills!

  if result[:success]
    json_response(res, 200, { ok: true, skills: result[:skills] })
  else
    # License not activated or remote API unavailable — return empty list
    json_response(res, 200, {
      ok:      true,
      skills:  [],
      warning: result[:error] || "Could not reach the skill store."
    })
  end
end

#api_switch_session_model(session_id, req, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4259

def api_switch_session_model(session_id, req, res)
  body = parse_json_body(req)
  model_id = body["model_id"].to_s.strip

  return json_response(res, 400, { error: "model_id is required" }) if model_id.empty?
  return json_response(res, 404, { error: "Session not found" }) unless @registry.ensure(session_id)

  agent = nil
  @registry.with_session(session_id) { |s| agent = s[:agent] }

  # With Plan B (shared @models reference), every session's AgentConfig
  # points at the same @models array as the global @agent_config. So
  # resolving the model by stable id here and in agent.switch_model_by_id
  # will always agree — no more index divergence after add/delete.
  target_model = @agent_config.models.find { |m| m["id"] == model_id }
  if target_model.nil?
    return json_response(res, 400, { error: "Model not found in configuration" })
  end

  # Switch to the model by id (unified interface with CLI)
  # Handles: config.switch_model_by_id + client rebuild + message_compressor rebuild
  success = agent.switch_model_by_id(model_id)

  unless success
    return json_response(res, 500, { error: "Failed to switch model" })
  end

  # Persist the change (saves to session file, NOT global config.yml)
  @session_manager.save(agent.to_session_data)

  # Broadcast update to all clients
  broadcast_session_update(session_id)

  json_response(res, 200, { ok: true, model_id: model_id, model: target_model["model"] })
rescue => e
  json_response(res, 500, { error: e.message })
end

#api_switch_session_reasoning_effort(session_id, req, res) ⇒ Object

PATCH /api/sessions/:id/reasoning_effort Body: { “reasoning_effort”: “off” | “low” | “medium” | “high” }

# File 'lib/clacky/server/http_server.rb', line 4299

def api_switch_session_reasoning_effort(session_id, req, res)
  body = parse_json_body(req)
  raw = body["reasoning_effort"]
  return json_response(res, 404, { error: "Session not found" }) unless @registry.ensure(session_id)

  agent = nil
  @registry.with_session(session_id) { |s| agent = s[:agent] }
  return json_response(res, 404, { error: "Session not found" }) unless agent

  agent.reasoning_effort = raw
  @session_manager.save(agent.to_session_data)
  broadcast_session_update(session_id)

  json_response(res, 200, { ok: true, reasoning_effort: agent.reasoning_effort })
rescue => e
  json_response(res, 500, { error: e.message })
end

#api_switch_session_submodel(session_id, req, res) ⇒ Object

PATCH /api/sessions/:id/submodel Body: { “model_name”: “dsk-deepseek-v4-pro” | null }

Pin this session to a sub-model under its current card without touching credentials or the global @models. Pass null/empty to clear and fall back to the card default. The name must appear in the provider preset’s “models” list — anything else is rejected.

# File 'lib/clacky/server/http_server.rb', line 4324

def api_switch_session_submodel(session_id, req, res)
  body = parse_json_body(req)
  raw = body["model_name"]
  model_name = raw.is_a?(String) ? raw.strip : nil

  return json_response(res, 404, { error: "Session not found" }) unless @registry.ensure(session_id)

  agent = nil
  @registry.with_session(session_id) { |s| agent = s[:agent] }
  return json_response(res, 404, { error: "Session not found" }) unless agent

  if model_name && !model_name.empty?
    info = agent.current_model_info
    provider_id = info && Clacky::Providers.find_by_base_url(info[:base_url])
    allowed = provider_id ? Clacky::Providers.models(provider_id) : []
    if allowed.empty?
      return json_response(res, 400, { error: "Current model has no provider preset; sub-model switching unavailable" })
    end
    unless allowed.include?(model_name)
      return json_response(res, 400, { error: "Sub-model '#{model_name}' not listed under provider '#{provider_id}'" })
    end
  else
    model_name = nil
  end

  agent.set_session_sub_model(model_name)
  @session_manager.save(agent.to_session_data)
  broadcast_session_update(session_id)

  json_response(res, 200, { ok: true, sub_model: agent.current_model_info[:sub_model] })
rescue => e
  json_response(res, 500, { error: e.message })
end

#api_test_channel(platform, req, res) ⇒ Object

POST /api/channels/:platform/test Body: { fields… } (credentials to test — NOT saved) Tests connectivity using the provided credentials without persisting.

# File 'lib/clacky/server/http_server.rb', line 2787

def api_test_channel(platform, req, res)
  platform = platform.to_sym
  body     = parse_json_body(req)
  fields   = body.transform_keys(&:to_sym).reject { |k, _| k == :platform }

  klass = Clacky::Channel::Adapters.find(platform)
  unless klass
    json_response(res, 404, { ok: false, error: "Unknown platform: #{platform}" })
    return
  end

  result = klass.test_connection(fields)
  json_response(res, 200, result)
rescue StandardError => e
  json_response(res, 200, { ok: false, error: e.message })
end

#api_test_config(req, res) ⇒ Object

POST /api/config/test — test connection for a single model config Body: { model, base_url, api_key, anthropic_format }

# File 'lib/clacky/server/http_server.rb', line 4121

def api_test_config(req, res)
  body = parse_json_body(req)
  return json_response(res, 400, { error: "Invalid JSON" }) unless body

  api_key = body["api_key"].to_s
  if api_key.include?("****")
    idx = body["index"]&.to_i || @agent_config.current_model_index
    api_key = @agent_config.models.dig(idx, "api_key").to_s
  end

  model            = body["model"].to_s
  base_url         = body["base_url"].to_s
  anthropic_format = body["anthropic_format"] || false

  result, used_base_url = try_test_with_base_url(api_key, base_url, model, anthropic_format)

  if result[:success] && used_base_url != base_url
    json_response(res, 200, {
      ok:                  true,
      message:             "Connected (auto-corrected base_url to add /v1)",
      effective_base_url:  used_base_url
    })
  elsif result[:success]
    json_response(res, 200, { ok: true, message: "Connected successfully" })
  else
    json_response(res, 200, { ok: false, message: result[:error].to_s, error_code: result[:error_code] })
  end
rescue => e
  json_response(res, 200, { ok: false, message: e.message })
end

#api_test_media_config(req, res) ⇒ Object

PATCH /api/config/media/:kind Body: { source: “off”|“auto”|“custom”, model?, base_url?, api_key?,

anthropic_format? }

off / auto — remove any custom entry; “auto” lets the virtual derivation in AgentConfig#find_model_by_type take over. custom — replace any existing custom entry with the supplied fields. POST /api/config/media/test Body: { kind, source, model, base_url, api_key } Lightweight preflight: GET <base_url>/models to verify connectivity, auth, and that the requested model is exposed by the endpoint. No image is generated — zero cost, sub-second.

# File 'lib/clacky/server/http_server.rb', line 985

def api_test_media_config(req, res)
  body = parse_json_body(req) || {}
  kind = body["kind"].to_s
  return json_response(res, 422, { error: "invalid kind" }) unless %w[image video audio].include?(kind)
  return json_response(res, 422, { error: "only image kind supported" }) unless kind == "image"

  api_key = body["api_key"].to_s
  if api_key.empty? || api_key.include?("****")
    existing = @agent_config.find_model_by_type(kind) || {}
    api_key = existing["api_key"].to_s
  end

  model    = body["model"].to_s.strip
  base_url = body["base_url"].to_s.strip

  if model.empty? || base_url.empty? || api_key.empty?
    return json_response(res, 200, { ok: false, message: "model, base_url, api_key are required" })
  end

  result = preflight_media_endpoint(base_url: base_url, api_key: api_key, model: model)
  json_response(res, 200, result)
rescue => e
  json_response(res, 200, { ok: false, message: e.message })
end

#api_test_ocr_config(req, res) ⇒ Object

POST /api/config/ocr/test Reuses the media preflight (GET /models) — same connectivity check.

# File 'lib/clacky/server/http_server.rb', line 1204

def api_test_ocr_config(req, res)
  body = parse_json_body(req) || {}
  api_key = body["api_key"].to_s
  if api_key.empty? || api_key.include?("****")
    existing = @agent_config.find_model_by_type("ocr") || {}
    api_key = existing["api_key"].to_s
  end

  model    = body["model"].to_s.strip
  base_url = body["base_url"].to_s.strip

  if model.empty? || base_url.empty? || api_key.empty?
    return json_response(res, 200, { ok: false, message: "model, base_url, api_key are required" })
  end

  result = preflight_media_endpoint(base_url: base_url, api_key: api_key, model: model)
  json_response(res, 200, result)
rescue => e
  json_response(res, 200, { ok: false, message: e.message })
end

#api_toggle_channel(platform, req, res) ⇒ Object

PATCH /api/channels/:platform/enabled Body: { enabled: true|false } Toggles the platform on/off without touching credentials. Enabling requires the platform to already be configured.

# File 'lib/clacky/server/http_server.rb', line 2760

def api_toggle_channel(platform, req, res)
  platform = platform.to_sym
  enabled  = parse_json_body(req)["enabled"] == true

  config = Clacky::ChannelConfig.load

  if enabled
    unless config.platform_config(platform)
      json_response(res, 422, { ok: false, error: "Platform is not configured yet" })
      return
    end
    config.enable_platform(platform)
  else
    config.disable_platform(platform)
  end

  config.save
  @channel_manager.reload_platform(platform, config)

  json_response(res, 200, { ok: true, enabled: config.enabled?(platform) })
rescue StandardError => e
  json_response(res, 422, { ok: false, error: e.message })
end

#api_toggle_skill(name, req, res) ⇒ Object

Body: { enabled: true/false }

# File 'lib/clacky/server/http_server.rb', line 3136

def api_toggle_skill(name, req, res)
  body    = parse_json_body(req)
  enabled = body["enabled"]

  if enabled.nil?
    json_response(res, 422, { error: "enabled field required" })
    return
  end

  skill = @skill_loader.toggle_skill(name, enabled: enabled)
  json_response(res, 200, { ok: true, name: skill.identifier, enabled: !skill.disabled? })
rescue Clacky::AgentError => e
  json_response(res, 422, { error: e.message })
end

#api_tool_browser(req, res) ⇒ Object

GET /api/channels Returns current config and running status for all supported platforms. POST /api/tool/browser Executes a browser tool action via the shared BrowserManager daemon. Used by skill scripts to reuse the server’s existing Chrome connection without spawning a second MCP daemon.

Request body: JSON with same params as the browser tool

{ "action": "snapshot", "interactive": true, ... }

Response: JSON result from the browser tool

# File 'lib/clacky/server/http_server.rb', line 2217

def api_tool_browser(req, res)
  params = parse_json_body(req)
  action = params["action"]
  return json_response(res, 400, { error: "action is required" }) if action.nil? || action.empty?

  tool   = Clacky::Tools::Browser.new
  result = tool.execute(**params.transform_keys(&:to_sym))

  json_response(res, 200, result)
rescue StandardError => e
  json_response(res, 500, { error: e.message })
end

#api_update_cron_task(name, req, res) ⇒ Object

PATCH /api/cron-tasks/:name — update content and/or cron/enabled Body: { content?, cron?, enabled? }

# File 'lib/clacky/server/http_server.rb', line 2948

def api_update_cron_task(name, req, res)
  body    = parse_json_body(req)
  content = body["content"]
  cron    = body["cron"]&.to_s&.strip
  enabled = body["enabled"]

  if cron && cron.split(/\s+/).size != 5
    return json_response(res, 422, { error: "cron must have 5 fields (min hour dom month dow)" })
  end

  @scheduler.update_cron_task(name, content: content, cron: cron, enabled: enabled)
  json_response(res, 200, { ok: true, name: name })
rescue => e
  json_response(res, 404, { error: e.message })
end

#api_update_media_config(kind, req, res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 1059

def api_update_media_config(kind, req, res)
  body = parse_json_body(req) || {}
  source = body["source"].to_s
  unless %w[off auto custom].include?(source)
    return json_response(res, 422, { error: "invalid source" })
  end

  @agent_config.models.reject! { |m| m["type"] == kind }

  case source
  when "off"
    @agent_config.models << {
      "id"       => SecureRandom.uuid,
      "type"     => kind,
      "disabled" => true
    }
  when "auto"
    override = body["model"].to_s.strip
    unless override.empty?
      @agent_config.models << {
        "id"    => SecureRandom.uuid,
        "type"  => kind,
        "model" => override
      }
    end
  when "custom"
    model    = body["model"].to_s.strip
    base_url = body["base_url"].to_s.strip
    api_key  = body["api_key"].to_s
    if model.empty? || base_url.empty? || api_key.empty? || api_key.include?("****")
      return json_response(res, 422, { error: "model, base_url, api_key are required" })
    end

    @agent_config.models << {
      "id"               => SecureRandom.uuid,
      "model"            => model,
      "base_url"         => base_url,
      "api_key"          => api_key,
      "anthropic_format" => body["anthropic_format"] || false,
      "type"             => kind
    }
  end

  @agent_config.save
  json_response(res, 200, { ok: true, state: @agent_config.media_state(kind) })
rescue => e
  json_response(res, 422, { error: e.message })
end

#api_update_model(id, req, res) ⇒ Object

PATCH /api/config/models/:id Body: any subset of { model, base_url, api_key, anthropic_format, type } Rules (the whole reason we moved off bulk save):

- Missing key  → field untouched
- api_key with "****" (masked display value) → IGNORED (never overwrites)
- api_key empty string → IGNORED (defensive; treat as "not changed")
- api_key real non-masked value → stored
- type="default" transparently clears the marker on other models
- Unknown id → 404

# File 'lib/clacky/server/http_server.rb', line 4024

def api_update_model(id, req, res)
  body = parse_json_body(req)
  return json_response(res, 400, { error: "Invalid JSON" }) unless body

  target = @agent_config.models.find { |m| m["id"] == id }
  return json_response(res, 404, { error: "model not found" }) unless target

  if body.key?("model")
    v = body["model"].to_s.strip
    target["model"] = v unless v.empty?
  end
  if body.key?("base_url")
    v = body["base_url"].to_s.strip
    target["base_url"] = v unless v.empty?
  end
  if body.key?("anthropic_format")
    target["anthropic_format"] = !!body["anthropic_format"]
  end
  if body.key?("api_key")
    new_key = body["api_key"].to_s
    # Only store a real, unmasked, non-empty value. This is the
    # single place the "api_key disappeared" bug can no longer
    # happen — there is no path that writes "" into api_key.
    if !new_key.empty? && !new_key.include?("****")
      target["api_key"] = new_key
    end
  end
  if body.key?("type")
    new_type = body["type"]
    new_type = nil if new_type.is_a?(String) && new_type.strip.empty?
    if new_type == "default"
      @agent_config.models.each do |m|
        next if m["id"] == id
        m.delete("type") if m["type"] == "default"
      end
      target["type"] = "default"
      @agent_config.current_model_id    = target["id"]
      @agent_config.current_model_index = @agent_config.models.find_index { |m| m["id"] == id } || 0
    elsif new_type.nil?
      target.delete("type")
    else
      target["type"] = new_type
    end
  end

  @agent_config.save
  json_response(res, 200, { ok: true })
rescue => e
  json_response(res, 422, { error: e.message })
end

#api_update_ocr_config(req, res) ⇒ Object

PATCH /api/config/ocr Body: { source: “off”|“auto”|“custom”, model?, base_url?, api_key?,

anthropic_format? }

Mirrors api_update_media_config but for the single “ocr” type.

# File 'lib/clacky/server/http_server.rb', line 1149

def api_update_ocr_config(req, res)
  body = parse_json_body(req) || {}
  source = body["source"].to_s
  unless %w[off auto custom].include?(source)
    return json_response(res, 422, { error: "invalid source" })
  end

  @agent_config.models.reject! { |m| m["type"] == "ocr" }

  case source
  when "off"
    @agent_config.models << {
      "id"       => SecureRandom.uuid,
      "type"     => "ocr",
      "disabled" => true
    }
  when "auto"
    override = body["model"].to_s.strip
    unless override.empty?
      @agent_config.models << {
        "id"    => SecureRandom.uuid,
        "type"  => "ocr",
        "model" => override
      }
    end
  when "custom"
    model    = body["model"].to_s.strip
    base_url = body["base_url"].to_s.strip
    api_key  = body["api_key"].to_s
    if api_key.include?("****")
      existing = @agent_config.models.find { |m| m["type"] == "ocr" && m["api_key"] }
      api_key = existing ? existing["api_key"].to_s : ""
    end
    if model.empty? || base_url.empty? || api_key.empty?
      return json_response(res, 422, { error: "model, base_url, api_key are required" })
    end

    @agent_config.models << {
      "id"               => SecureRandom.uuid,
      "model"            => model,
      "base_url"         => base_url,
      "api_key"          => api_key,
      "anthropic_format" => body["anthropic_format"] || false,
      "type"             => "ocr"
    }
  end

  @agent_config.save
  json_response(res, 200, { ok: true, state: @agent_config.ocr_state })
rescue => e
  json_response(res, 422, { error: e.message })
end

#api_update_settings(req, res) ⇒ Object

PATCH /api/config/settings — update advanced settings

# File 'lib/clacky/server/http_server.rb', line 3925

def api_update_settings(req, res)
  body = parse_json_body(req)
  return json_response(res, 400, { error: "Invalid JSON" }) unless body

  if body.key?("enable_compression")
    @agent_config.enable_compression = !!body["enable_compression"]
  end
  if body.key?("enable_prompt_caching")
    @agent_config.enable_prompt_caching = !!body["enable_prompt_caching"]
  end
  if body.key?("memory_update_enabled")
    @agent_config.memory_update_enabled = !!body["memory_update_enabled"]
  end

  @agent_config.save
  json_response(res, 200, { ok: true })
rescue => e
  json_response(res, 422, { error: e.message })
end

#api_upgrade_version(req, res) ⇒ Object

POST /api/version/upgrade Upgrades openclacky in a background thread, streaming output via WebSocket broadcast. If the user’s gem source is the official RubyGems, use ‘gem update`. Otherwise (e.g. Aliyun mirror) download the .gem from OSS CDN to bypass mirror lag.

# File 'lib/clacky/server/http_server.rb', line 1810

def api_upgrade_version(req, res)
  json_response(res, 202, { ok: true, message: "Upgrade started" })

  Thread.new do
    begin
      if official_gem_source?
        upgrade_via_gem_update
      else
        upgrade_via_oss_cdn
      end
    rescue StandardError => e
      Clacky::Logger.error("[Upgrade] Exception: #{e.class}: #{e.message}\n#{e.backtrace.first(5).join("\n")}")
      broadcast_all(type: "upgrade_log", line: "\n✗ Error during upgrade: #{e.message}\n")
      broadcast_all(type: "upgrade_complete", success: false)
    end
  end
end

#api_upload_file(req, res) ⇒ Object

POST /api/upload Accepts a multipart/form-data file upload (field name: “file”). Runs the file through FileProcessor: saves original + generates structured preview (Markdown) for Office/ZIP files so the agent can read them directly.

# File 'lib/clacky/server/http_server.rb', line 2599

def api_upload_file(req, res)
  upload = parse_multipart_upload(req, "file")
  unless upload
    json_response(res, 400, { ok: false, error: "No file field found in multipart body" })
    return
  end

  saved = Clacky::Utils::FileProcessor.save(
    body:     upload[:data],
    filename: upload[:filename].to_s
  )

  json_response(res, 200, { ok: true, name: saved[:name], path: saved[:path] })
rescue => e
  json_response(res, 500, { ok: false, error: e.message })
end

#broadcast(session_id, event) ⇒ Object

Broadcast an event to all clients subscribed to a session. Dead connections (broken pipe / closed socket / deadline exceeded) are removed automatically. Connections already marked closed are skipped upfront so one sluggish client can’t delay delivery to healthy ones.

# File 'lib/clacky/server/http_server.rb', line 5008

def broadcast(session_id, event)
  clients = @ws_mutex.synchronize { (@ws_clients[session_id] || []).dup }
  dead = []
  clients.each do |conn|
    if conn.closed?
      dead << conn
      next
    end
    dead << conn unless conn.send_json(event)
  end
  return if dead.empty?

  @ws_mutex.synchronize do
    (@ws_clients[session_id] || []).reject! { |conn| dead.include?(conn) }
    @all_ws_conns.reject! { |conn| dead.include?(conn) }
  end
end

#broadcast_all(event) ⇒ Object

Broadcast an event to every connected client (regardless of session subscription). Dead connections are removed automatically.

# File 'lib/clacky/server/http_server.rb', line 5028

def broadcast_all(event)
  clients = @ws_mutex.synchronize { @all_ws_conns.dup }
  dead = []
  clients.each do |conn|
    if conn.closed?
      dead << conn
      next
    end
    dead << conn unless conn.send_json(event)
  end
  return if dead.empty?

  @ws_mutex.synchronize do
    @all_ws_conns.reject! { |conn| dead.include?(conn) }
    @ws_clients.each_value { |list| list.reject! { |conn| dead.include?(conn) } }
  end
end

#broadcast_session_update(session_id) ⇒ Object

Broadcast a session_update event to all clients so they can patch their local session list without needing a full session_list refresh.

# File 'lib/clacky/server/http_server.rb', line 5048

def broadcast_session_update(session_id)
  session = @registry.snapshot(session_id)
  return unless session

  broadcast_all(type: "session_update", session: session)
end

#build_session(name:, working_dir: nil, permission_mode: :confirm_all, profile: "general", source: :manual, model_id: nil) ⇒ Object

Create a session in the registry and wire up Agent + WebUIController. Returns the new session_id. Build a new agent session.

Parameters:

• name (String) —

  display name for the session

• working_dir (String) (defaults to: nil) —

  working directory for the agent

• permission_mode (Symbol) (defaults to: :confirm_all) —

  :confirm_all (default, human present) or :auto_approve (unattended — suppresses request_user_feedback waits)

# File 'lib/clacky/server/http_server.rb', line 5068

def build_session(name:, working_dir: nil, permission_mode: :confirm_all, profile: "general", source: :manual, model_id: nil)
  working_dir ||= default_working_dir
  FileUtils.mkdir_p(working_dir) unless Dir.exist?(working_dir)
  session_id = Clacky::SessionManager.generate_id
  @registry.create(session_id: session_id)

  config = @agent_config.deep_copy
  config.permission_mode = permission_mode

  # Apply model override BEFORE creating the client — otherwise the
  # client is built from the default model entry and may route through
  # the wrong provider (e.g. sending a deepseek-v4-pro request to the
  # Bedrock-format OpenClacky endpoint, which replies "unknown model").
  #
  # We use switch_model_by_id (not a name-based rewrite of
  # current_model["model"]) because:
  #   1. Ids uniquely identify an entry across providers; names can
  #      collide between entries (deepseek vs dsk-deepseek aliases).
  #   2. switch_model_by_id only flips per-session @current_model_id
  #      in the dup'd config — it never mutates the shared @models
  #      array (see AgentConfig#deep_copy's shared-ref contract).
  #      A name rewrite would have leaked into every live session
  #      AND corrupted the on-disk config at next save.
  config.switch_model_by_id(model_id) if model_id

  # Build client from the (possibly overridden) config so api format
  # detection (Bedrock vs OpenAI vs Anthropic) uses the correct model.
  client = Clacky::Client.new(
    config.api_key,
    base_url: config.base_url,
    model: config.model_name,
    anthropic_format: config.anthropic_format?
  )

  broadcaster = method(:broadcast)
  ui = WebUIController.new(session_id, broadcaster)
  agent = Clacky::Agent.new(client, config, working_dir: working_dir, ui: ui, profile: profile,
                            session_id: session_id, source: source)
  agent.rename(name) unless name.nil? || name.empty?
  idle_timer = build_idle_timer(session_id, agent)

  @registry.with_session(session_id) do |s|
    s[:agent]      = agent
    s[:ui]         = ui
    s[:idle_timer] = idle_timer
  end

  # Persist an initial snapshot so the session is immediately visible in registry.list
  # (which reads from disk). Without this, new sessions only appear after their first task.
  @session_manager.save(agent.to_session_data)

  session_id
end

#build_session_from_data(session_data, permission_mode: :confirm_all) ⇒ Object

Restore a persisted session from saved session_data (from SessionManager). The agent keeps its original session_id so the frontend URL hash stays valid across server restarts.

# File 'lib/clacky/server/http_server.rb', line 5125

def build_session_from_data(session_data, permission_mode: :confirm_all)
  original_id = session_data[:session_id]

  client = @client_factory.call
  config = @agent_config.deep_copy
  config.permission_mode = permission_mode
  broadcaster = method(:broadcast)
  ui = WebUIController.new(original_id, broadcaster)
  # Restore the agent profile from the persisted session; fall back to "general"
  # for sessions saved before the agent_profile field was introduced.
  profile = session_data[:agent_profile].to_s
  profile = "general" if profile.empty?
  agent = Clacky::Agent.from_session(client, config, session_data, ui: ui, profile: profile)
  idle_timer = build_idle_timer(original_id, agent)

  # Register session atomically with a fully-built agent so no concurrent
  # caller ever sees agent=nil for this session. The duplicate-restore guard
  # is handled upstream by SessionRegistry#ensure via @restoring.
  @registry.create(session_id: original_id)
  @registry.with_session(original_id) do |s|
    s[:agent]      = agent
    s[:ui]         = ui
    s[:idle_timer] = idle_timer
  end

  original_id
end

#create_default_session ⇒ Object

Auto-restore persisted sessions (or create a fresh default) when the server starts. Skipped when no API key is configured (onboard flow will handle it).

Strategy: load the most recent sessions from ~/.clacky/sessions/ for the current working directory and restore them into @registry so their IDs are stable across restarts (frontend hash stays valid). If no persisted sessions exist, fall back to creating a brand-new default session.

# File 'lib/clacky/server/http_server.rb', line 689

def create_default_session
  return unless @agent_config.models_configured?

  # Restore up to 2 sessions per source type from disk. Earlier this was
  # 5/source (≤20 sessions), which exceeded max_idle_agents=10 and caused
  # the first user message after a restart to spend several seconds in
  # evict_excess_idle! serializing 10+ sessions back to disk. 2/source
  # keeps the most-recent items hot for fast switch without blowing the
  # idle budget.
  @registry.restore_from_disk(n: 2)

  # If nothing was restored (no persisted sessions), create a fresh default.
  unless @registry.list(limit: 1).any?
    working_dir = default_working_dir
    FileUtils.mkdir_p(working_dir) unless Dir.exist?(working_dir)
    build_session(name: "Session 1", working_dir: working_dir)
  end
end

#default_working_dir ⇒ Object

── Helpers ───────────────────────────────────────────────────────────────

# File 'lib/clacky/server/http_server.rb', line 5057

def default_working_dir
  @agent_config&.default_working_dir || File.expand_path("~/clacky_workspace")
end

#deliver_confirmation(session_id, conf_id, result) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4768

def deliver_confirmation(session_id, conf_id, result)
  ui = nil
  @registry.with_session(session_id) { |s| ui = s[:ui] }
  ui&.deliver_confirmation(conf_id, result)
end

#dispatch(req, res) ⇒ Object

── Router ────────────────────────────────────────────────────────────────

# File 'lib/clacky/server/http_server.rb', line 376

def dispatch(req, res)
  path   = req.path
  method = req.request_method

  # Access key guard (skip for WebSocket upgrades)
  return unless check_access_key(req, res)

  # WebSocket upgrade — no timeout applied (long-lived connection)
  if websocket_upgrade?(req)
    handle_websocket(req, res)
    return
  end

  # Wrap all REST handlers in a timeout so a hung handler (e.g. infinite
  # recursion in chunk parsing) returns a proper 503 instead of an empty 200.
  #
  # Brand/license endpoints call PlatformHttpClient which retries across two
  # hosts with OPEN_TIMEOUT=8s per attempt × 2 attempts = up to ~16s on the
  # primary alone, before failing over to the fallback domain.  Give them a
  # generous 90s so retry + failover can complete without being cut short.
  timeout_sec = if path.start_with?("/api/brand")
    90
  elsif path == "/api/tool/browser"
    30
  elsif path == "/api/exchange-rate"
    20
  elsif path.end_with?("/benchmark")
    20
  elsif path == "/api/media/image"
    # Image generation routes through OpenRouter (chat completions
    # with modalities:["image"]); end-to-end latency is commonly
    # 20-60s and can exceed 2 minutes for or-gpt-image-2 under load.
    300
  else
    10
  end
  Timeout.timeout(timeout_sec) do
    _dispatch_rest(req, res)
  end
rescue Timeout::Error
  Clacky::Logger.warn("[HTTP 503] #{method} #{path} timed out after #{timeout_sec}s")
  json_response(res, 503, { error: "Request timed out" })
rescue => e
  Clacky::Logger.warn("[HTTP 500] #{e.class}: #{e.message}\n#{e.backtrace.first(5).join("\n")}")
  json_response(res, 500, { error: e.message })
end

#fetch_exchange_rate(from, to) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 734

def fetch_exchange_rate(from, to)
  fetch_open_exchange_rate(from, to)
rescue StandardError => primary_error
  Clacky::Logger.warn("[ExchangeRate] primary source failed: #{primary_error.message}")
  fetch_frankfurter_exchange_rate(from, to)
end

#fetch_exchange_rate_json(url) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 776

def fetch_exchange_rate_json(url)
  uri = URI(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = uri.scheme == "https"
  http.open_timeout = 5
  http.read_timeout = 8

  req = Net::HTTP::Get.new(uri.request_uri, "Accept" => "application/json")
  response = http.request(req)
  raise "HTTP #{response.code}" unless response.is_a?(Net::HTTPSuccess)

  JSON.parse(response.body.to_s)
end

#fetch_frankfurter_exchange_rate(from, to) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 759

def fetch_frankfurter_exchange_rate(from, to)
  query = URI.encode_www_form("from" => from, "to" => to)
  data  = fetch_exchange_rate_json("#{EXCHANGE_RATE_FALLBACK_URL}?#{query}")

  rate = positive_float(data.dig("rates", to))
  raise "frankfurter.app missing #{to} rate" unless rate

  {
    from: from,
    to: to,
    rate: rate,
    date: data["date"].to_s,
    updated_at: data["date"].to_s,
    source: "frankfurter.app"
  }
end

#fetch_open_exchange_rate(from, to) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 741

def fetch_open_exchange_rate(from, to)
  data = fetch_exchange_rate_json("#{EXCHANGE_RATE_PRIMARY_BASE_URL}/#{URI.encode_www_form_component(from)}")
  raise "open.er-api.com returned #{data["result"] || "unknown"}" unless data["result"] == "success"

  rate = positive_float(data.dig("rates", to))
  raise "open.er-api.com missing #{to} rate" unless rate

  updated_at = data["time_last_update_utc"].to_s
  {
    from: from,
    to: to,
    rate: rate,
    date: parse_exchange_rate_date(updated_at),
    updated_at: updated_at,
    source: "open.er-api.com"
  }
end

#handle_user_message(session_id, content, files = []) ⇒ Object

── Session actions ───────────────────────────────────────────────────────

# File 'lib/clacky/server/http_server.rb', line 4725

def handle_user_message(session_id, content, files = [])
  return unless @registry.exist?(session_id)

  session = @registry.get(session_id)
  
  # If session is running, interrupt it first (mimics CLI behavior)
  if session[:status] == :running
    interrupt_session(session_id)

    # Give the old thread a short window to exit cleanly.
    # In the common case it returns within milliseconds (Thread#raise
    # lands on a tight loop or LLM read). If it can't be reached in
    # time (e.g. blocked in a slow subagent syscall), we proceed anyway:
    # the agent's check_stale! checkpoints will refuse to mutate
    # history once the new thread takes over.
    old_thread = nil
    @registry.with_session(session_id) { |s| old_thread = s[:thread] }
    old_thread&.join(2)
  end

  agent = nil
  @registry.with_session(session_id) { |s| agent = s[:agent] }
  return unless agent

  # Auto-name the session from the first user message (before agent starts running).
  # Skip if the name looks like it was set by the user (not a system-generated "Session N").
  if agent.history.empty? && agent.name.match?(/\ASession \d+\z/)
    auto_name = content.gsub(/\s+/, " ").strip[0, 30]
    auto_name += "…" if content.strip.length > 30
    agent.rename(auto_name)
    broadcast(session_id, { type: "session_renamed", session_id: session_id, name: auto_name })
  end

  # Broadcast user message through web_ui so channel subscribers (飞书/企微) receive it.
  web_ui = nil
  @registry.with_session(session_id) { |s| web_ui = s[:ui] }
  web_ui&.show_user_message(content, source: :web)

  # File references are now handled inside agent.run — injected as a system_injected
  # message after the user message, so replay_history skips them automatically.
  run_agent_task(session_id, agent) { agent.run(content, files: files) }
end

#handle_websocket(req, res) ⇒ Object

Hijacks the TCP socket from WEBrick and upgrades it to WebSocket.

# File 'lib/clacky/server/http_server.rb', line 4579

def handle_websocket(req, res)
  socket = req.instance_variable_get(:@socket)

  # Server handshake — parse the upgrade request
  handshake = WebSocket::Handshake::Server.new
  handshake << build_handshake_request(req)
  unless handshake.finished? && handshake.valid?
    Clacky::Logger.warn("WebSocket handshake invalid")
    return
  end

  # Send the 101 Switching Protocols response
  socket.write(handshake.to_s)

  version  = handshake.version
  incoming = WebSocket::Frame::Incoming::Server.new(version: version)
  conn     = WebSocketConnection.new(socket, version)

  on_ws_open(conn)

  begin
    buf = String.new("", encoding: "BINARY")
    loop do
      chunk = socket.read_nonblock(4096, buf, exception: false)
      case chunk
      when :wait_readable
        IO.select([socket], nil, nil, 30)
      when nil
        break  # EOF
      else
        incoming << chunk.dup
        while (frame = incoming.next)
          case frame.type
          when :text
            on_ws_message(conn, frame.data)
          when :binary
            on_ws_message(conn, frame.data)
          when :ping
            conn.send_raw(:pong, frame.data)
          when :close
            conn.send_raw(:close, "")
            break
          end
        end
      end
    end
  rescue IOError, Errno::ECONNRESET, Errno::EPIPE, Errno::EBADF
    # Client disconnected or socket became invalid
  ensure
    on_ws_close(conn)
    socket.close rescue nil
  end

  # Tell WEBrick not to send any response (we handled everything)
  res.instance_variable_set(:@header, {})
  res.status = -1
rescue => e
  Clacky::Logger.error("WebSocket handler error: #{e.class}: #{e.message}")
end

#interrupt_session(session_id) ⇒ Object

Interrupt a running agent session.

Thread#raise alone is not reliable enough in practice — it’s best-effort against blocked syscalls (socket writes, OpenSSL read, ConditionVariable#wait with a held mutex) and we’ve seen sessions that stay “running” forever even after multiple interrupt attempts.

Strategy: three-tier escalation in a background watchdog Thread so the HTTP handler returns immediately.

Tier 1 (t=0): Thread#raise(AgentInterrupted).
              Unblocks most pure-Ruby waits and Faraday reads.
              Handles the common case.
Tier 2 (t=3): force-close this session's WebSocket connections
              so any send_raw stuck on socket write wakes up.
              Try Thread#raise again (idempotent).
Tier 3 (t=8): Thread#kill — last resort. Leaks any held
              resources but frees the session so the user can
              move on.

Each transition is logged so that when users report “stuck sessions” we can see in the log whether tier 2/3 ever had to fire — that’s our signal to dig deeper on the underlying block.

# File 'lib/clacky/server/http_server.rb', line 4797

def interrupt_session(session_id)
  thread = nil
  @registry.with_session(session_id) do |s|
    s[:idle_timer]&.cancel
    thread = s[:thread]

    next unless thread&.alive?

    Clacky::Logger.info("[interrupt] session=#{session_id} tier=1 raise")
    begin
      thread.raise(Clacky::AgentInterrupted, "Interrupted by user")
    rescue ThreadError => e
      Clacky::Logger.warn("[interrupt] tier=1 raise failed: #{e.message}")
    end
  end

  return unless thread&.alive?

  start_interrupt_watchdog(session_id, thread)
end

#json_response(res, status, data) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 5182

def json_response(res, status, data)
  res.status       = status
  res.content_type = "application/json; charset=utf-8"
  res["Access-Control-Allow-Origin"] = "*"
  res.body = JSON.generate(data)
end

#mask_api_key(key) ⇒ Object

Mask API key for display: show first 8 + last 4 chars, middle replaced with **** Mask an api_key for safe display / transport to the browser.

Contract: the returned string MUST contain “****” so callers (incl. the frontend) can reliably detect “this is a display placeholder, not a real key” and refuse to treat it as input. The old behaviour of returning the raw value for short keys was a correctness bug —it leaked short keys in plaintext to GET /api/config, and it let short masked values slip past the frontend’s mask-detection.

# File 'lib/clacky/server/http_server.rb', line 5173

def mask_api_key(key)
  return "" if key.nil? || key.empty?
  if key.length <= 12
    # Very short key — show the first char only, redact the rest.
    return "#{key[0]}****"
  end
  "#{key[0..7]}****#{key[-4..]}"
end

#normalize_currency_code(value, fallback:) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 728

def normalize_currency_code(value, fallback:)
  code = value.to_s.strip.upcase
  code = fallback if code.empty?
  code.match?(/\A[A-Z]{3}\z/) ? code : nil
end

#not_found(res) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 5245

def not_found(res)
  res.status = 404
  res.body   = "Not Found"
end

#on_ws_close(conn) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4718

def on_ws_close(conn)
  @ws_mutex.synchronize { @all_ws_conns.delete(conn) }
  unsubscribe(conn)
end

#on_ws_message(conn, raw) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4652

def on_ws_message(conn, raw)
  msg = JSON.parse(raw)
  type = msg["type"]

  case type
  when "subscribe"
    session_id = msg["session_id"]
    if @registry.ensure(session_id)
      conn.session_id = session_id
      subscribe(session_id, conn)
      conn.send_json(type: "subscribed", session_id: session_id)
      # Push a fresh snapshot so a reconnecting tab sees the true current
      # status (it may have missed session_update events while offline).
      if (snap = @registry.snapshot(session_id))
        conn.send_json(type: "session_update", session: snap)
      end
      # If a shell command is still running, replay progress + buffered stdout
      # to the newly subscribed tab so it sees the live state it may have missed.
      @registry.with_session(session_id) { |s| s[:ui]&.replay_live_state }
    else
      conn.send_json(type: "error", message: "Session not found: #{session_id}")
    end

  when "message"
    session_id = msg["session_id"] || conn.session_id
    # Merge legacy images array into files as { data_url:, name:, mime_type: } entries
    raw_images = (msg["images"] || []).map do |data_url|
      { "data_url" => data_url, "name" => "image.jpg", "mime_type" => "image/jpeg" }
    end
    handle_user_message(session_id, msg["content"].to_s, (msg["files"] || []) + raw_images)

  when "confirmation"
    session_id = msg["session_id"] || conn.session_id
    deliver_confirmation(session_id, msg["id"], msg["result"])

  when "interrupt"
    session_id = msg["session_id"] || conn.session_id
    interrupt_session(session_id)

  when "list_sessions"
    # Initial load: newest 20 sessions regardless of source/profile.
    # Single unified query — frontend shows all in one time-sorted list.
    page = @registry.list(limit: 21)
    has_more = page.size > 20
    all_sessions = page.first(20)
    conn.send_json(type: "session_list", sessions: all_sessions, has_more: has_more, cron_count: @registry.cron_count)

  when "run_task"
    # Client sends this after subscribing to guarantee it's ready to receive
    # broadcasts before the agent starts executing.
    session_id = msg["session_id"] || conn.session_id
    start_pending_task(session_id)

  when "ping"
    conn.send_json(type: "pong")

  else
    conn.send_json(type: "error", message: "Unknown message type: #{type}")
  end
rescue JSON::ParserError => e
  conn.send_json(type: "error", message: "Invalid JSON: #{e.message}")
rescue => e
  Clacky::Logger.error("[on_ws_message] #{e.class}: #{e.message}\n#{e.backtrace.first(10).join("\n")}")
  conn.send_json(type: "error", message: e.message)
end

#on_ws_open(conn) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4647

def on_ws_open(conn)
  @ws_mutex.synchronize { @all_ws_conns << conn }
  # Client will send a "subscribe" message to bind to a session
end

#parse_exchange_rate_date(value) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 797

def parse_exchange_rate_date(value)
  return "" if value.to_s.strip.empty?

  Date.parse(value.to_s).iso8601
rescue ArgumentError
  ""
end

#parse_json_body(req) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 5189

def parse_json_body(req)
  return {} if req.body.nil? || req.body.empty?

  JSON.parse(req.body)
rescue JSON::ParserError
  {}
end

#positive_float(value) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 790

def positive_float(value)
  rate = Float(value)
  rate.positive? ? rate : nil
rescue ArgumentError, TypeError
  nil
end

#serve_file_download(res, path) ⇒ Object

Stream a file to the client as a download. Content-Type is always application/octet-stream — the browser determines file type and handling from the filename extension in Content-Disposition.

# File 'lib/clacky/server/http_server.rb', line 2655

def serve_file_download(res, path)
  filename = File.basename(path)

  res.status                  = 200
  res["Content-Type"]         = "application/octet-stream"
  res["Content-Disposition"]  = "attachment; filename=\"#{filename}\""
  res["Content-Length"]       = File.size(path).to_s
  res.body = File.binread(path)
end

#start ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 213

def start
  # One-time migration: move legacy trash contents into file-trash/ subdirectory.
  Clacky::TrashDirectory.migrate_legacy_if_needed

  # Enable console logging for the server process so log lines are visible in the terminal.
  Clacky::Logger.console = true

  Clacky::Logger.info("[HttpServer PID=#{Process.pid}] start() mode=#{@inherited_socket ? 'worker' : 'standalone'} inherited_socket=#{@inherited_socket.inspect} master_pid=#{@master_pid.inspect}")

  # Expose server address and brand name to all child processes (skill scripts, shell commands, etc.)
  # so they can call back into the server without hardcoding the port,
  # and use the correct product name without re-reading brand.yml.
  # CLACKY_SERVER_HOST always points at 127.0.0.1 so child processes hit
  # the loopback listener (no access key required), regardless of bind.
  ENV["CLACKY_SERVER_PORT"]  = @port.to_s
  ENV["CLACKY_SERVER_HOST"]  = "127.0.0.1"
  product_name = Clacky::BrandConfig.load.product_name
  ENV["CLACKY_PRODUCT_NAME"] = (product_name.nil? || product_name.strip.empty?) ? "OpenClacky" : product_name

  # Override WEBrick's built-in signal traps via StartCallback,
  # which fires after WEBrick sets its own INT/TERM handlers.
  # This ensures Ctrl-C always exits immediately.
  #
  # When running as a worker under Master, DoNotListen: true prevents WEBrick
  # from calling bind() on its own — we inject the inherited socket instead.
  webrick_opts = {
    BindAddress:   @host,
    Port:          @port,
    Logger:        WEBrick::Log.new(File::NULL),
    AccessLog:     [],
    StartCallback: proc { }  # signal traps set below, after `server` is created
  }
  webrick_opts[:DoNotListen] = true if @inherited_socket
  Clacky::Logger.info("[HttpServer PID=#{Process.pid}] WEBrick DoNotListen=#{webrick_opts[:DoNotListen].inspect}")

  server = WEBrick::HTTPServer.new(**webrick_opts)

  # Override WEBrick's signal traps now that `server` is available.
  # On INT/TERM: call server.shutdown (graceful), with a 1s hard-kill fallback.
  # Also stop BrowserManager so the chrome-devtools-mcp node process is killed
  # before this worker exits — otherwise it becomes an orphan and holds port 7070.
  shutdown_once = false
  shutdown_proc = proc do
    next if shutdown_once
    shutdown_once = true
    # Persist in-flight agent sessions BEFORE starting the forced-exit
    # timer, so any new messages added to @history since the last save
    # are on disk before the new worker reads them after a hot restart.
    interrupt_all_agents

    # Detach the inherited (shared) listen socket BEFORE WEBrick.shutdown
    # so that cleanup_listener does not call shutdown(SHUT_RDWR)+close on
    # it — that would propagate to every process sharing the underlying
    # kernel socket (Master + new worker), breaking subsequent accept()
    # on Linux. macOS's BSD stack tolerates this; Linux does not.
    if @inherited_socket && server.listeners.include?(@inherited_socket)
      server.listeners.delete(@inherited_socket)
      Clacky::Logger.info("[HttpServer PID=#{Process.pid}] detached inherited socket fd=#{@inherited_socket.fileno} before shutdown")
    end
    # Close the loopback listener we created in this worker so the port
    # is freed before the next worker starts (hot restart path).
    if @loopback_listener
      server.listeners.delete(@loopback_listener)
      @loopback_listener.close rescue nil
      @loopback_listener = nil
    end
    t1 = Thread.new { @channel_manager.stop rescue nil }
    t2 = Thread.new { Clacky::BrowserManager.instance.stop rescue nil }
    t3 = Thread.new { @mcp_registry&.shutdown rescue nil }
    t1.join(1.5)
    t2.join(1.5)
    t3.join(1.5)
    server.shutdown rescue nil
  end
  trap("INT")  { shutdown_proc.call }
  trap("TERM") { shutdown_proc.call }

  if @inherited_socket
    server.listeners << @inherited_socket
    Clacky::Logger.info("[HttpServer PID=#{Process.pid}] injected inherited fd=#{@inherited_socket.fileno} listeners=#{server.listeners.map(&:fileno).inspect}")
  else
    Clacky::Logger.info("[HttpServer PID=#{Process.pid}] standalone, WEBrick listeners=#{server.listeners.map(&:fileno).inspect}")
  end

  # When bound to a specific non-loopback address (e.g. 192.168.x.x),
  # local skills using 127.0.0.1 cannot reach the server. Attach an
  # extra loopback listener so child processes (curl in skills, MCP, etc.)
  # can always talk to the server via 127.0.0.1 without an access key.
  # Skipped for 0.0.0.0 (already covers loopback) and for loopback binds.
  @loopback_listener = nil
  if !@localhost_only && @host.to_s != "0.0.0.0"
    begin
      @loopback_listener = TCPServer.new("127.0.0.1", @port)
      @loopback_listener.setsockopt(Socket::SOL_SOCKET, Socket::SO_REUSEADDR, true)
      server.listeners << @loopback_listener
      Clacky::Logger.info("[HttpServer PID=#{Process.pid}] added loopback listener fd=#{@loopback_listener.fileno} on 127.0.0.1:#{@port}")
    rescue Errno::EADDRINUSE, Errno::EACCES => e
      Clacky::Logger.warn("[HttpServer PID=#{Process.pid}] could not add loopback listener on 127.0.0.1:#{@port}: #{e.class}: #{e.message}")
      @loopback_listener = nil
    end
  end

  # Mount API + WebSocket handler (takes priority).
  # Use a custom Servlet so that DELETE/PUT/PATCH requests are not rejected
  # by WEBrick's default method whitelist before reaching our dispatcher.
  dispatcher = self
  servlet_class = Class.new(WEBrick::HTTPServlet::AbstractServlet) do
    define_method(:do_GET)     { |req, res| dispatcher.send(:dispatch, req, res) }
    define_method(:do_POST)    { |req, res| dispatcher.send(:dispatch, req, res) }
    define_method(:do_PUT)     { |req, res| dispatcher.send(:dispatch, req, res) }
    define_method(:do_DELETE)  { |req, res| dispatcher.send(:dispatch, req, res) }
    define_method(:do_PATCH)   { |req, res| dispatcher.send(:dispatch, req, res) }
    define_method(:do_OPTIONS) { |req, res| dispatcher.send(:dispatch, req, res) }
  end
  server.mount("/api", servlet_class)
  server.mount("/ws",  servlet_class)

  # Mount static file handler for the entire web directory.
  # Use mount_proc so we can inject no-cache headers on every response,
  # preventing stale JS/CSS from being served after a gem update.
  #
  # Special case: GET / and GET /index.html are served with server-side
  # rendering — the {{BRAND_NAME}} placeholder is replaced before delivery
  # so the correct brand name appears on first paint with no JS flash.
  file_handler = WEBrick::HTTPServlet::FileHandler.new(server, WEB_ROOT,
                                                       FancyIndexing: false)
  index_html_path = File.join(WEB_ROOT, "index.html")

  server.mount_proc("/") do |req, res|
    if req.path == "/" || req.path == "/index.html"
      product_name = Clacky::BrandConfig.load.product_name || "OpenClacky"
      html = File.read(index_html_path).gsub("{{BRAND_NAME}}", product_name)
      res.status                = 200
      res["Content-Type"]       = "text/html; charset=utf-8"
      res["Cache-Control"]      = "no-store"
      res["Pragma"]             = "no-cache"
      res.body                  = html
    else
      file_handler.service(req, res)
      res["Cache-Control"] = "no-store"
      res["Pragma"]        = "no-cache"
    end
  end

  # Auto-create a default session on startup
  create_default_session

  # Start the background scheduler
  @scheduler.start
  puts "   Scheduler: #{@scheduler.schedules.size} task(s) loaded"

  # Start IM channel adapters (non-blocking — each platform runs in its own thread)
  @channel_manager.start

  # Start browser MCP daemon if browser.yml is configured (non-blocking)
  @browser_manager.start

  server.start
end

#start_pending_task(session_id) ⇒ Object

Start the pending task for a session. Called when the client sends “run_task” over WS — by that point the client has already subscribed, so every broadcast will be delivered.

# File 'lib/clacky/server/http_server.rb', line 4884

def start_pending_task(session_id)
  return unless @registry.exist?(session_id)

  session = @registry.get(session_id)
  prompt      = session[:pending_task]
  working_dir = session[:pending_working_dir]
  return unless prompt  # nothing pending

  # Clear the pending fields so a re-connect doesn't re-run
  @registry.update(session_id, pending_task: nil, pending_working_dir: nil)

  agent = nil
  @registry.with_session(session_id) { |s| agent = s[:agent] }
  return unless agent

  run_agent_task(session_id, agent) { agent.run(prompt) }
end

#subscribe(session_id, conn) ⇒ Object

── WebSocket subscription management ─────────────────────────────────────

# File 'lib/clacky/server/http_server.rb', line 4984

def subscribe(session_id, conn)
  @ws_mutex.synchronize do
    # Remove conn from any previous session subscription first,
    # so switching sessions never results in duplicate delivery.
    @ws_clients.each_value { |list| list.delete(conn) }
    @ws_clients[session_id] ||= []
    @ws_clients[session_id] << conn unless @ws_clients[session_id].include?(conn)
  end
end

#trigger_async_distribution_refresh! ⇒ Object

Fire a public-distribution refresh in a background Thread.

Used for installs that have a package_name configured via install.sh but haven’t activated a license yet — they would otherwise never see the brand logo / theme / homepage_url until activation. See BrandConfig#refresh_distribution! for the end-to-end flow.

Contract mirrors #trigger_async_heartbeat!:

* At most one refresh Thread in flight process-wide.
* Caller never waits — Web UI first paint is not blocked on network.
* All exceptions are swallowed; a refresh failure must not crash the
  server or leak through the web stack.

# File 'lib/clacky/server/http_server.rb', line 1374

def trigger_async_distribution_refresh!
  BRAND_DIST_REFRESH_MUTEX.synchronize do
    if @@brand_dist_refresh_inflight
      Clacky::Logger.debug("[Brand] distribution refresh already in flight, skipping")
      return
    end
    @@brand_dist_refresh_inflight = true
  end

  Thread.new do
    Clacky::Logger.info("[Brand] async distribution refresh starting...")
    begin
      brand  = Clacky::BrandConfig.load
      result = brand.refresh_distribution!
      if result[:success]
        Clacky::Logger.info("[Brand] async distribution refresh OK")
      else
        Clacky::Logger.debug("[Brand] async distribution refresh skipped/failed — #{result[:message]}")
      end
      # Free-mode skill sync: branded + unactivated installs need their
      # creator's free skills auto-installed for the "no serial number" UX.
      brand.sync_free_skills_async!
    rescue StandardError => e
      Clacky::Logger.warn("[Brand] async distribution refresh raised: #{e.class}: #{e.message}")
    ensure
      BRAND_DIST_REFRESH_MUTEX.synchronize do
        @@brand_dist_refresh_inflight = false
      end
    end
  end
end

#trigger_async_heartbeat! ⇒ Object

Fire a heartbeat in a background Thread without blocking the caller.

Contract:

* Only one heartbeat Thread may be running at any moment across the
  whole process. If one is already in flight, this call is a no-op.
* The caller never waits: it returns immediately after (at most)
  spawning the Thread.
* The Thread rescues everything so a network failure cannot kill the
  server or leak an exception through the web stack.

# File 'lib/clacky/server/http_server.rb', line 1333

def trigger_async_heartbeat!
  BRAND_HEARTBEAT_MUTEX.synchronize do
    if @@brand_heartbeat_inflight
      Clacky::Logger.debug("[Brand] heartbeat already in flight, skipping")
      return
    end
    @@brand_heartbeat_inflight = true
  end

  Thread.new do
    Clacky::Logger.info("[Brand] async heartbeat starting...")
    begin
      brand  = Clacky::BrandConfig.load
      result = brand.heartbeat!
      if result[:success]
        Clacky::Logger.info("[Brand] async heartbeat OK")
      else
        Clacky::Logger.warn("[Brand] async heartbeat failed — #{result[:message]}")
      end
    rescue StandardError => e
      Clacky::Logger.warn("[Brand] async heartbeat raised: #{e.class}: #{e.message}")
    ensure
      BRAND_HEARTBEAT_MUTEX.synchronize do
        @@brand_heartbeat_inflight = false
      end
    end
  end
end

#unsubscribe(conn) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 4994

def unsubscribe(conn)
  @ws_mutex.synchronize do
    @ws_clients.each_value { |list| list.delete(conn) }
  end
end

#unsubscribe_all(session_id) ⇒ Object

# File 'lib/clacky/server/http_server.rb', line 5000

def unsubscribe_all(session_id)
  @ws_mutex.synchronize { @ws_clients.delete(session_id) }
end

#websocket_upgrade?(req) ⇒ Boolean

── WebSocket ─────────────────────────────────────────────────────────────

Returns:

• (Boolean)

# File 'lib/clacky/server/http_server.rb', line 4574

def websocket_upgrade?(req)
  req["Upgrade"]&.downcase == "websocket"
end