refactor: extract runs/scripts/agent-auth/auth-config HTTP routes from server.js

Move runsMatch/runsSearchMatch/runById handlers to lib/routes-runs.js (157L),
scripts/cancel/resume/inject handlers to lib/routes-scripts.js (136L),
agentAuth/agentUpdate to lib/routes-agent-actions.js (118L),
and auth/configs/save-config to lib/routes-auth-config.js (30L, uses server.js getProviderConfigs/saveProviderConfig deps).
server.js: 2406L → 1399L total (-1007L across both extractions).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: lanmower

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 ### Refactor
 - Extract message/stream/queue routes (messagesMatch, streamMatch, queueMatch handlers) to lib/routes-messages.js (140L) and session/chunk/full/execution routes to lib/routes-sessions.js (145L); server.js reduced from 2406L to 2127L; both files ≤200L; wired via _messagesRoutes._match and _sessionsRoutes._match in request handler
+- Extract runs/scripts/agent-auth/auth-config HTTP routes from server.js to lib/routes-runs.js (157L), lib/routes-scripts.js (136L), lib/routes-agent-actions.js (118L), lib/routes-auth-config.js (30L); routes-auth-config uses getProviderConfigs/saveProviderConfig from server.js deps (no duplication); server.js reduced from 2406L to 1399L total (-1007L)
 - Extract processMessageWithStreaming (539L), scheduleRetry, drainMessageQueue, and parseRateLimitResetTime from server.js into lib/process-message.js (127L, createProcessMessage factory), lib/stream-event-handler.js (116L, createEventHandler), lib/message-queue.js (63L, createMessageQueue), lib/process-message-rate-limit.js (19L); all files ≤200L; server.js reduced by ~660L and imports/wires all factories after broadcastSync is created
 - refactor: extract broadcastSync to lib/broadcast.js (createBroadcast factory) and recovery functions to lib/recovery.js (createRecovery factory); server.js reduced from 3419L to 3226L
 - refactor: remove JSDoc and standalone code comments from scripts/patch-fsbrowse.js; reduce from 229L to 200L

lib/routes-agent-actions.js

@@ -0,0 +1,117 @@
+import os from 'os';
+import { spawn } from 'child_process';
+
+export function register(deps) {
+  const { sendJSON, queries, broadcastSync, discoveredAgents, activeScripts, startGeminiOAuth, startCodexOAuth, getGeminiOAuthState, getCodexOAuthState, modelCache, PORT, BASE_URL, rootDir } = deps;
+
+  const routes = {};
+
+  routes['_match'] = (method, pathOnly) => {
+    let m;
+    if (method === 'POST' && (m = pathOnly.match(/^\/api\/agents\/([^/]+)\/auth$/))) return (req, res) => handleAgentAuth(req, res, m[1]);
+    if (method === 'POST' && (m = pathOnly.match(/^\/api\/agents\/([^/]+)\/update$/))) return (req, res) => handleAgentUpdate(req, res, m[1]);
+    return null;
+  };
+
+  async function handleAgentAuth(req, res, agentId) {
+    const agent = discoveredAgents.find(a => a.id === agentId);
+    if (!agent) { sendJSON(req, res, 404, { error: 'Agent not found' }); return; }
+
+    if (agentId === 'codex' || agentId === 'cli-codex') {
+      try {
+        const result = await startCodexOAuth(req, { PORT, BASE_URL });
+        const conversationId = '__agent_auth__';
+        broadcastSync({ type: 'script_started', conversationId, script: 'auth-codex', agentId: 'codex', timestamp: Date.now() });
+        broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening OpenAI OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
+        const pollId = setInterval(() => {
+          const state = getCodexOAuthState();
+          if (state.status === 'success') {
+            clearInterval(pollId);
+            const email = state.email || '';
+            broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
+            broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
+          } else if (state.status === 'error') {
+            clearInterval(pollId);
+            broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${state.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+            broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: state.error, timestamp: Date.now() });
+          }
+        }, 1000);
+        setTimeout(() => clearInterval(pollId), 5 * 60 * 1000);
+        sendJSON(req, res, 200, { ok: true, agentId, authUrl: result.authUrl, mode: result.mode });
+      } catch (e) {
+        console.error('[codex-oauth] /api/agents/codex/auth failed:', e);
+        sendJSON(req, res, 500, { error: e.message });
+      }
+      return;
+    }
+
+    if (agentId === 'gemini') {
+      try {
+        const result = await startGeminiOAuth(req, { PORT, BASE_URL, rootDir });
+        const conversationId = '__agent_auth__';
+        broadcastSync({ type: 'script_started', conversationId, script: 'auth-gemini', agentId: 'gemini', timestamp: Date.now() });
+        broadcastSync({ type: 'script_output', conversationId, data: `\x1b[36mOpening Google OAuth in your browser...\x1b[0m\r\n\r\nIf it doesn't open automatically, visit:\r\n${result.authUrl}\r\n`, stream: 'stdout', timestamp: Date.now() });
+        const pollId = setInterval(() => {
+          const state = getGeminiOAuthState();
+          if (state.status === 'success') {
+            clearInterval(pollId);
+            const email = state.email || '';
+            broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[32mAuthentication successful${email ? ' (' + email + ')' : ''}\x1b[0m\r\n`, stream: 'stdout', timestamp: Date.now() });
+            broadcastSync({ type: 'script_stopped', conversationId, code: 0, timestamp: Date.now() });
+          } else if (state.status === 'error') {
+            clearInterval(pollId);
+            broadcastSync({ type: 'script_output', conversationId, data: `\r\n\x1b[31mAuthentication failed: ${state.error}\x1b[0m\r\n`, stream: 'stderr', timestamp: Date.now() });
+            broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: state.error, timestamp: Date.now() });
+          }
+        }, 1000);
+        setTimeout(() => clearInterval(pollId), 5 * 60 * 1000);
+        sendJSON(req, res, 200, { ok: true, agentId, authUrl: result.authUrl, mode: result.mode });
+      } catch (e) {
+        console.error('[gemini-oauth] /api/agents/gemini/auth failed:', e);
+        sendJSON(req, res, 500, { error: e.message });
+      }
+      return;
+    }
+
+    const authCommands = {
+      'claude-code': { cmd: 'claude', args: ['setup-token'] },
+      'opencode': { cmd: 'opencode', args: ['auth', 'login'] },
+    };
+    const authCmd = authCommands[agentId];
+    if (!authCmd) { sendJSON(req, res, 400, { error: 'No auth command for this agent' }); return; }
+    const conversationId = '__agent_auth__';
+    if (activeScripts.has(conversationId)) { sendJSON(req, res, 409, { error: 'Auth process already running' }); return; }
+    const child = spawn(authCmd.cmd, authCmd.args, { stdio: ['pipe', 'pipe', 'pipe'], env: { ...process.env, FORCE_COLOR: '1' }, shell: os.platform() === 'win32' });
+    activeScripts.set(conversationId, { process: child, script: 'auth-' + agentId, startTime: Date.now() });
+    broadcastSync({ type: 'script_started', conversationId, script: 'auth-' + agentId, agentId, timestamp: Date.now() });
+    const onData = (stream) => (chunk) => broadcastSync({ type: 'script_output', conversationId, data: chunk.toString(), stream, timestamp: Date.now() });
+    child.stdout.on('data', onData('stdout'));
+    child.stderr.on('data', onData('stderr'));
+    child.stdout.on('error', () => {});
+    child.stderr.on('error', () => {});
+    child.on('error', (err) => { activeScripts.delete(conversationId); broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: err.message, timestamp: Date.now() }); });
+    child.on('close', (code) => { activeScripts.delete(conversationId); broadcastSync({ type: 'script_stopped', conversationId, code: code || 0, timestamp: Date.now() }); });
+    sendJSON(req, res, 200, { ok: true, agentId, pid: child.pid });
+  }
+
+  async function handleAgentUpdate(req, res, agentId) {
+    const updateCommands = { 'claude-code': { cmd: 'claude', args: ['update', '--yes'] } };
+    const updateCmd = updateCommands[agentId];
+    if (!updateCmd) { sendJSON(req, res, 400, { error: 'No update command for this agent' }); return; }
+    const conversationId = '__agent_update__';
+    if (activeScripts.has(conversationId)) { sendJSON(req, res, 409, { error: 'Update already running' }); return; }
+    const child = spawn(updateCmd.cmd, updateCmd.args, { stdio: ['pipe', 'pipe', 'pipe'], env: { ...process.env, FORCE_COLOR: '1' }, shell: os.platform() === 'win32' });
+    activeScripts.set(conversationId, { process: child, script: 'update-' + agentId, startTime: Date.now() });
+    broadcastSync({ type: 'script_started', conversationId, script: 'update-' + agentId, agentId, timestamp: Date.now() });
+    const onData = (stream) => (chunk) => broadcastSync({ type: 'script_output', conversationId, data: chunk.toString(), stream, timestamp: Date.now() });
+    child.stdout.on('data', onData('stdout'));
+    child.stderr.on('data', onData('stderr'));
+    child.stdout.on('error', () => {});
+    child.stderr.on('error', () => {});
+    child.on('error', (err) => { activeScripts.delete(conversationId); broadcastSync({ type: 'script_stopped', conversationId, code: 1, error: err.message, timestamp: Date.now() }); });
+    child.on('close', (code) => { activeScripts.delete(conversationId); modelCache.delete(agentId); broadcastSync({ type: 'script_stopped', conversationId, code: code || 0, timestamp: Date.now() }); });
+    sendJSON(req, res, 200, { ok: true, agentId, pid: child.pid });
+  }
+
+  return routes;
+}

lib/routes-auth-config.js

@@ -0,0 +1,30 @@
+export function register(deps) {
+  const { sendJSON, parseBody, getProviderConfigs, saveProviderConfig } = deps;
+
+  const routes = {};
+
+  routes['GET /api/auth/configs'] = (req, res) => {
+    sendJSON(req, res, 200, getProviderConfigs());
+  };
+
+  routes['POST /api/auth/save-config'] = async (req, res) => {
+    try {
+      const body = await parseBody(req);
+      const { providerId, apiKey, defaultModel } = body || {};
+      if (typeof providerId !== 'string' || !providerId.length || providerId.length > 100) { sendJSON(req, res, 400, { error: 'Invalid providerId' }); return; }
+      if (typeof apiKey !== 'string' || !apiKey.length || apiKey.length > 10000) { sendJSON(req, res, 400, { error: 'Invalid apiKey' }); return; }
+      if (defaultModel !== undefined && (typeof defaultModel !== 'string' || defaultModel.length > 200)) { sendJSON(req, res, 400, { error: 'Invalid defaultModel' }); return; }
+      const configPath = saveProviderConfig(providerId, apiKey, defaultModel || '');
+      sendJSON(req, res, 200, { success: true, path: configPath });
+    } catch (err) {
+      sendJSON(req, res, 400, { error: err.message });
+    }
+  };
+
+  routes['_match'] = (method, pathOnly) => {
+    const key = `${method} ${pathOnly}`;
+    return routes[key] || null;
+  };
+
+  return routes;
+}

lib/routes-runs.js

@@ -0,0 +1,156 @@
+import os from 'os';
+
+export function register(deps) {
+  const { sendJSON, parseBody, queries, broadcastSync, processMessageWithStreaming, activeExecutions, activeProcessesByRunId, discoveredAgents, STARTUP_CWD } = deps;
+
+  const routes = {};
+
+  routes['_match'] = (method, pathOnly) => {
+    const key = `${method} ${pathOnly}`;
+    if (routes[key]) return routes[key];
+    let m;
+    if ((m = pathOnly.match(/^\/api\/runs\/([^/]+)$/))) return (req, res) => handleRunById(req, res, m[1]);
+    if (method === 'GET' && (m = pathOnly.match(/^\/api\/runs\/([^/]+)\/wait$/))) return (req, res) => handleRunWait(req, res, m[1]);
+    if (method === 'GET' && (m = pathOnly.match(/^\/api\/runs\/([^/]+)\/stream$/))) return (req, res) => { res.writeHead(410); res.end(JSON.stringify({ error: 'SSE removed, use WebSocket' })); };
+    if (method === 'POST' && (m = pathOnly.match(/^\/api\/runs\/([^/]+)\/cancel$/))) return (req, res) => handleRunCancel(req, res, m[1]);
+    if (method === 'POST' && (m = pathOnly.match(/^\/api\/threads\/([^/]+)\/runs\/([^/]+)\/cancel$/))) return (req, res) => handleThreadRunCancel(req, res, m[1], m[2]);
+    if (method === 'GET' && (m = pathOnly.match(/^\/api\/threads\/([^/]+)\/runs\/([^/]+)\/wait$/))) return (req, res) => handleThreadRunWait(req, res, m[1], m[2]);
+    return null;
+  };
+
+  routes['POST /api/runs'] = async (req, res) => {
+    let body = '';
+    for await (const chunk of req) { body += chunk; }
+    let parsed = {};
+    try { parsed = body ? JSON.parse(body) : {}; } catch {}
+    const { input, agentId } = parsed;
+    if (!input) { sendJSON(req, res, 400, { error: 'Missing input in request body' }); return; }
+    const resolvedAgentId = agentId || 'claude-code';
+    const resolvedModel = parsed.model || null;
+    const cwd = parsed.workingDirectory || STARTUP_CWD;
+    const thread = queries.createConversation(resolvedAgentId, 'Stateless Run', cwd);
+    const session = queries.createSession(thread.id, resolvedAgentId, 'pending');
+    const content = typeof input === 'string' ? input : JSON.stringify(input);
+    const message = queries.createMessage(thread.id, 'user', content);
+    processMessageWithStreaming(thread.id, message.id, session.id, content, resolvedAgentId, resolvedModel);
+    sendJSON(req, res, 200, { id: session.id, status: 'pending', started_at: session.started_at, agentId: resolvedAgentId });
+  };
+
+  routes['POST /api/runs/search'] = async (req, res) => {
+    const sessions = queries.getAllSessions();
+    const runs = sessions.slice(0, 50).map(s => ({ id: s.id, status: s.status, started_at: s.started_at, completed_at: s.completed_at, agentId: s.agentId, input: null, output: null })).reverse();
+    sendJSON(req, res, 200, runs);
+  };
+
+  routes['POST /api/runs/stream'] = (req, res) => { res.writeHead(410); res.end(JSON.stringify({ error: 'SSE removed, use WebSocket' })); };
+
+  routes['POST /api/runs/wait'] = async (req, res) => {
+    const body = await parseBody(req);
+    const { agent_id, input, config } = body;
+    if (!agent_id) { sendJSON(req, res, 422, { error: 'agent_id is required' }); return; }
+    const agent = discoveredAgents.find(a => a.id === agent_id);
+    if (!agent) { sendJSON(req, res, 404, { error: 'Agent not found' }); return; }
+    const run = queries.createRun(agent_id, null, input, config);
+    sendJSON(req, res, 200, run);
+  };
+
+  async function handleRunById(req, res, runId) {
+    if (req.method === 'GET') {
+      const run = queries.getRun(runId);
+      if (!run) { sendJSON(req, res, 404, { error: 'Run not found' }); return; }
+      sendJSON(req, res, 200, run);
+      return;
+    }
+    if (req.method === 'POST') {
+      const run = queries.getRun(runId);
+      if (!run) { sendJSON(req, res, 404, { error: 'Run not found' }); return; }
+      if (run.status !== 'pending') { sendJSON(req, res, 409, { error: 'Run is not resumable' }); return; }
+      sendJSON(req, res, 200, run);
+      return;
+    }
+    if (req.method === 'DELETE') {
+      try { queries.deleteRun(runId); res.writeHead(204); res.end(); } catch { sendJSON(req, res, 404, { error: 'Run not found' }); }
+    }
+  }
+
+  async function handleRunWait(req, res, runId) {
+    const run = queries.getRun(runId);
+    if (!run) { sendJSON(req, res, 404, { error: 'Run not found' }); return; }
+    const startTime = Date.now();
+    const poll = setInterval(() => {
+      const cur = queries.getRun(runId);
+      const done = cur && ['success', 'error', 'cancelled'].includes(cur.status);
+      if (done) { clearInterval(poll); sendJSON(req, res, 200, cur); }
+      else if (Date.now() - startTime > 30000) { clearInterval(poll); sendJSON(req, res, 408, { error: 'Run still pending after 30s', run_id: runId, status: cur?.status || run.status }); }
+    }, 500);
+    req.on('close', () => clearInterval(poll));
+  }
+
+  async function handleRunCancel(req, res, runId) {
+    try {
+      const run = queries.getRun(runId);
+      if (!run) { sendJSON(req, res, 404, { error: 'Run not found' }); return; }
+      if (['success', 'error', 'cancelled'].includes(run.status)) { sendJSON(req, res, 409, { error: 'Run already completed or cancelled' }); return; }
+      const cancelled = queries.cancelRun(runId);
+      const threadId = run.thread_id;
+      if (threadId) {
+        const execution = activeExecutions.get(threadId);
+        if (execution?.pid) {
+          try { process.kill(-execution.pid, 'SIGTERM'); } catch { try { process.kill(execution.pid, 'SIGTERM'); } catch {} }
+          setTimeout(() => { try { process.kill(-execution.pid, 'SIGKILL'); } catch { try { process.kill(execution.pid, 'SIGKILL'); } catch {} } }, 3000);
+        }
+        if (execution?.sessionId) queries.updateSession(execution.sessionId, { status: 'error', error: 'Cancelled by user', completed_at: Date.now() });
+        activeExecutions.delete(threadId);
+        queries.setIsStreaming(threadId, false);
+        broadcastSync({ type: 'streaming_cancelled', sessionId: execution?.sessionId || runId, conversationId: threadId, runId, timestamp: Date.now() });
+      }
+      sendJSON(req, res, 200, cancelled);
+    } catch (err) {
+      if (err.message === 'Run not found') sendJSON(req, res, 404, { error: err.message });
+      else if (err.message.includes('already completed')) sendJSON(req, res, 409, { error: err.message });
+      else sendJSON(req, res, 500, { error: err.message });
+    }
+  }
+
+  async function handleThreadRunCancel(req, res, threadId, runId) {
+    try {
+      const run = queries.getRun(runId);
+      if (!run) { sendJSON(req, res, 404, { error: 'Run not found' }); return; }
+      if (run.thread_id !== threadId) { sendJSON(req, res, 400, { error: 'Run does not belong to specified thread' }); return; }
+      if (['success', 'error', 'cancelled'].includes(run.status)) { sendJSON(req, res, 409, { error: 'Run already completed or cancelled' }); return; }
+      const cancelled = queries.cancelRun(runId);
+      const execution = activeExecutions.get(threadId);
+      if (execution?.pid) {
+        try { process.kill(-execution.pid, 'SIGTERM'); } catch { try { process.kill(execution.pid, 'SIGTERM'); } catch {} }
+        setTimeout(() => { try { process.kill(-execution.pid, 'SIGKILL'); } catch { try { process.kill(execution.pid, 'SIGKILL'); } catch {} } }, 3000);
+      }
+      if (execution?.sessionId) queries.updateSession(execution.sessionId, { status: 'error', error: 'Cancelled by user', completed_at: Date.now() });
+      activeExecutions.delete(threadId);
+      activeProcessesByRunId.delete(runId);
+      queries.setIsStreaming(threadId, false);
+      broadcastSync({ type: 'run_cancelled', runId, threadId, sessionId: execution?.sessionId, timestamp: Date.now() });
+      broadcastSync({ type: 'streaming_cancelled', sessionId: execution?.sessionId || runId, conversationId: threadId, runId, timestamp: Date.now() });
+      sendJSON(req, res, 200, cancelled);
+    } catch (err) {
+      if (err.message === 'Run not found') sendJSON(req, res, 404, { error: err.message });
+      else if (err.message.includes('already completed')) sendJSON(req, res, 409, { error: err.message });
+      else sendJSON(req, res, 500, { error: err.message });
+    }
+  }
+
+  async function handleThreadRunWait(req, res, threadId, runId) {
+    const run = queries.getRun(runId);
+    if (!run) { sendJSON(req, res, 404, { error: 'Run not found' }); return; }
+    if (run.thread_id !== threadId) { sendJSON(req, res, 400, { error: 'Run does not belong to specified thread' }); return; }
+    const startTime = Date.now();
+    const poll = setInterval(() => {
+      const cur = queries.getRun(runId);
+      const done = cur && ['success', 'error', 'cancelled'].includes(cur.status);
+      if (done) { clearInterval(poll); sendJSON(req, res, 200, cur); }
+      else if (Date.now() - startTime > 30000) { clearInterval(poll); sendJSON(req, res, 408, { error: 'Run still pending after 30s', run_id: runId, status: cur?.status || run.status }); }
+    }, 500);
+    req.on('close', () => clearInterval(poll));
+  }
+
+  return routes;
+}