durthang 0.1.0

A modern, terminal-based MUD client with TLS, GMCP, automap, aliases, triggers, and a sidebar panel system
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701

// Copyright (c) 2026 Raimo Geisel
// SPDX-License-Identifier: GPL-3.0-only
//
// Durthang is free software: you can redistribute it and/or modify it under
// the terms of the GNU General Public License as published by the Free
// Software Foundation, version 3.  See <https://www.gnu.org/licenses/gpl-3.0.html>.

//! Network layer — async TCP/Telnet connection to a MUD server.
//!
//! Architecture:
//!   - `Connection::spawn()` launches a Tokio task that owns the TCP socket.
//!   - The task sends decoded text lines to the UI via an `mpsc` channel
//!     (`net_tx` / `net_rx`).
//!   - The UI sends raw user input back to the task via a second `mpsc` channel
//!     (`input_tx` / `input_rx`).
//!   - Telnet IAC bytes are stripped / negotiated before forwarding to the UI.
//!   - NAWS: terminal size is sent on connect and whenever the UI notifies a
//!     resize via `Connection::send_naws()`.
//!   - TLS: when `tls = true` the plain TCP stream is wrapped with rustls after
//!     the TCP handshake completes. System root certificates are loaded via
//!     `rustls-native-certs`.
//!   - Auto-login: when `auto_login = Some((login, password))` is given the
//!     task sends the login on the first server prompt and the password on the
//!     second prompt.
//!   - The task gracefully shuts down when either the TCP stream closes or the
//!     UI drops its end of the channel.

use std::{
    sync::Arc,
    time::{Duration, Instant},
};

use bytes::BytesMut;
use tokio::{
    io::{AsyncReadExt, AsyncWriteExt},
    net::TcpStream,
    sync::mpsc,
    time::{MissedTickBehavior, interval, timeout},
};
use tokio_rustls::{
    TlsConnector,
    rustls::{self, ClientConfig, RootCertStore},
};
use tracing::{debug, error, info, warn};

// ---------------------------------------------------------------------------
// Telnet constants
// ---------------------------------------------------------------------------

const IAC: u8 = 0xFF;
const WILL: u8 = 0xFB;
const WONT: u8 = 0xFC;
const DO: u8 = 0xFD;
const DONT: u8 = 0xFE;
const SB: u8 = 0xFA;
const SE: u8 = 0xF0;
const AYT: u8 = 0xF6;

// Telnet option codes
const OPT_ECHO: u8 = 0x01;
const OPT_NAWS: u8 = 0x1F;
const OPT_GMCP: u8 = 0xC9;

/// Connect timeout.
const CONNECT_TIMEOUT: Duration = Duration::from_secs(15);
/// Periodic best-effort latency probe interval.
const LATENCY_PROBE_INTERVAL: Duration = Duration::from_secs(30);
/// Maximum age for a user-command latency sample.
const USER_LATENCY_MAX_AGE: Duration = Duration::from_secs(10);
/// Maximum age for a probe latency sample.
const PROBE_LATENCY_MAX_AGE: Duration = Duration::from_secs(3);

/// Classifies the source of a pending latency measurement.
///
/// This distinction is used to apply different staleness thresholds:
/// user-command samples remain valid for longer because the user may type
/// slowly, whereas probe samples expire quickly.
#[derive(Copy, Clone, Debug, Eq, PartialEq)]
enum LatencySource {
    UserCommand,
    Probe,
}

/// An in-flight latency measurement waiting for the server's first response.
#[derive(Copy, Clone, Debug)]
struct PendingLatency {
    started: Instant,
    source: LatencySource,
}

impl PendingLatency {
    /// Create a new sample stamped at `Instant::now()` with the given source.
    fn new(source: LatencySource) -> Self {
        Self {
            started: Instant::now(),
            source,
        }
    }

    /// Maximum age a measurement of this type is considered valid.
    fn max_age(self) -> Duration {
        match self.source {
            LatencySource::UserCommand => USER_LATENCY_MAX_AGE,
            LatencySource::Probe => PROBE_LATENCY_MAX_AGE,
        }
    }

    /// Return `true` if the sample has exceeded its maximum age and should
    /// be discarded.
    fn is_stale(self) -> bool {
        self.started.elapsed() > self.max_age()
    }
}

// ---------------------------------------------------------------------------
// Message types
// ---------------------------------------------------------------------------

/// Messages from the network task to the UI.
#[derive(Debug)]
pub enum NetEvent {
    /// A decoded line of text from the server (may contain ANSI escape codes).
    Line(String),
    /// A partial line that ended without `\n` (e.g. a prompt).
    Prompt(String),
    /// The connection was established.
    Connected,
    /// The connection was lost or refused.
    Disconnected(String),
    /// A raw GMCP message payload (for example: `Room.Info {...}`).
    Gmcp(String),
    /// A latency sample in milliseconds.
    Latency(u64),
}

/// Messages from the UI to the network task.
#[derive(Debug)]
pub enum UiEvent {
    /// Send a line to the server (newline will be appended).
    SendLine(String),
    /// Update NAWS with the new terminal size.
    Resize { cols: u16, rows: u16 },
    /// Close the connection.
    Disconnect,
}

// ---------------------------------------------------------------------------
// Connection handle
// ---------------------------------------------------------------------------

/// Handle returned to the UI after spawning the network task.
pub struct Connection {
    /// Receive net events (lines, connect/disconnect notification, …).
    pub rx: mpsc::Receiver<NetEvent>,
    /// Send user input and control messages to the network task.
    pub tx: mpsc::Sender<UiEvent>,
}

impl Connection {
    /// Spawn the network task and return a `Connection` handle.
    ///
    /// - `tls`: wrap the TCP stream with TLS (rustls + system root certs).
    /// - `auto_login`: when `Some((login, opt_password))`, the task automatically
    ///   sends `login` on the first server output and `password` (if `Some`) on
    ///   the first prompt that follows.
    pub fn spawn(
        host: String,
        port: u16,
        tls: bool,
        auto_login: Option<(String, Option<String>)>,
        initial_size: (u16, u16),
    ) -> Self {
        let (net_tx, net_rx) = mpsc::channel::<NetEvent>(256);
        let (ui_tx, ui_rx) = mpsc::channel::<UiEvent>(64);

        tokio::spawn(async move {
            run_connection(host, port, tls, auto_login, initial_size, net_tx, ui_rx).await;
        });

        Connection {
            rx: net_rx,
            tx: ui_tx,
        }
    }

    /// Convenience: send a `Resize` event.
    pub async fn send_naws(&self, cols: u16, rows: u16) {
        let _ = self.tx.send(UiEvent::Resize { cols, rows }).await;
    }

    /// Convenience: send a line of user input.
    pub async fn send_line(&self, line: String) {
        let _ = self.tx.send(UiEvent::SendLine(line)).await;
    }

    /// Convenience: request a graceful disconnect.
    pub async fn disconnect(&self) {
        let _ = self.tx.send(UiEvent::Disconnect).await;
    }
}

// ---------------------------------------------------------------------------
// Telnet option negotiation
// ---------------------------------------------------------------------------

/// Build a WILL / WONT / DO / DONT response for a single option byte.
/// Translate a Telnet negotiation verb into its refusal counterpart.
///
/// `DO` → `WONT`, `WILL` → `DONT`, anything else → `WONT`.
fn refuse(verb: u8) -> u8 {
    match verb {
        DO => WONT,
        WILL => DONT,
        _ => WONT,
    }
}

/// Build a 3-byte IAC negotiation response.
/// Construct a 3-byte Telnet IAC option negotiation sequence `[IAC, verb, opt]`.
fn iac_response(verb: u8, opt: u8) -> [u8; 3] {
    [IAC, verb, opt]
}

/// Build a NAWS sub-negotiation packet for the given terminal size.
/// Construct a NAWS (Negotiate About Window Size) sub-negotiation packet.
///
/// The packet carries the terminal dimensions as two big-endian 16-bit
/// integers.  Any `0xFF` byte in the data is doubled (escaped) as required
/// by RFC 855.
fn naws_packet(cols: u16, rows: u16) -> Vec<u8> {
    let mut buf = Vec::with_capacity(9);
    buf.extend_from_slice(&[IAC, SB, OPT_NAWS]);
    // NAWS values must have 0xFF doubled if they appear in the data.
    for byte in cols.to_be_bytes().iter().chain(rows.to_be_bytes().iter()) {
        if *byte == IAC {
            buf.push(IAC);
        }
        buf.push(*byte);
    }
    buf.extend_from_slice(&[IAC, SE]);
    buf
}

// ---------------------------------------------------------------------------
// Telnet stream parser
// ---------------------------------------------------------------------------

/// Accumulated output of a single call to [`parse_telnet`].
struct TelnetParseResult {
    /// Printable text with all Telnet control sequences removed.
    text: String,
    /// Zero or more extracted GMCP sub-negotiation payloads.
    gmcp: Vec<String>,
}

/// Parse `buf` in-place:
/// - Strips IAC sequences and negotiates options by appending responses to
///   `responses`.
/// - Returns printable text and extracted GMCP payloads.
/// Parse a raw byte buffer received from the server and strip Telnet protocol
/// bytes.
///
/// IAC sequences are processed in-place:
/// * Three-byte option negotiations (`WILL / WONT / DO / DONT`) are responded
///   to immediately by appending to `responses`.
/// * Sub-negotiations (`SB … SE`) for GMCP are extracted into the returned
///   [`TelnetParseResult::gmcp`] list; all others are silently discarded.
/// * The literal escape `IAC IAC` is decoded to a single `0xFF` byte.
/// * All remaining bytes are treated as UTF-8 text and returned in
///   [`TelnetParseResult::text`].
fn parse_telnet(buf: &[u8], responses: &mut Vec<u8>) -> TelnetParseResult {
    let mut out = Vec::with_capacity(buf.len());
    let mut gmcp = Vec::new();
    let mut i = 0;
    while i < buf.len() {
        if buf[i] != IAC {
            out.push(buf[i]);
            i += 1;
            continue;
        }
        // IAC
        i += 1;
        if i >= buf.len() {
            break;
        }
        match buf[i] {
            IAC => {
                // Escaped 0xFF literal
                out.push(IAC);
                i += 1;
            }
            SB => {
                // Sub-negotiation: read until IAC SE.
                i += 1;
                if i >= buf.len() {
                    break;
                }
                let opt = buf[i];
                i += 1;
                let mut payload = Vec::new();
                while i < buf.len() {
                    if i + 1 < buf.len() && buf[i] == IAC && buf[i + 1] == IAC {
                        payload.push(IAC);
                        i += 2;
                        continue;
                    }
                    if i + 1 < buf.len() && buf[i] == IAC && buf[i + 1] == SE {
                        i += 2;
                        break;
                    }
                    payload.push(buf[i]);
                    i += 1;
                }
                if opt == OPT_GMCP {
                    let msg = String::from_utf8_lossy(&payload).trim().to_string();
                    if !msg.is_empty() {
                        gmcp.push(msg);
                    }
                }
            }
            WILL | WONT | DO | DONT => {
                let verb = buf[i];
                i += 1;
                if i >= buf.len() {
                    break;
                }
                let opt = buf[i];
                i += 1;
                match (verb, opt) {
                    // Accept DO NAWS — we WILL send NAWS.
                    (DO, OPT_NAWS) => {
                        responses.extend_from_slice(&iac_response(WILL, OPT_NAWS));
                        debug!("Telnet: accepted DO NAWS");
                    }
                    // Accept WILL ECHO — server echoes back what we send.
                    (WILL, OPT_ECHO) => {
                        responses.extend_from_slice(&iac_response(DO, OPT_ECHO));
                        debug!("Telnet: accepted WILL ECHO");
                    }
                    // Accept WILL GMCP — acknowledge with DO GMCP.
                    (WILL, OPT_GMCP) => {
                        responses.extend_from_slice(&iac_response(DO, OPT_GMCP));
                        debug!("Telnet: accepted WILL GMCP");
                    }
                    // Refuse everything else.
                    _ => {
                        responses.extend_from_slice(&iac_response(refuse(verb), opt));
                        debug!("Telnet: refused verb={verb:#x} opt={opt:#x}");
                    }
                }
            }
            _ => {
                // Unknown command byte — skip.
                i += 1;
            }
        }
    }
    TelnetParseResult {
        text: String::from_utf8_lossy(&out).into_owned(),
        gmcp,
    }
}

// ---------------------------------------------------------------------------
// TLS helper
// ---------------------------------------------------------------------------

/// Perform a TLS handshake over an existing TCP stream.
/// Wrap an existing TCP stream with a TLS layer using system root certificates.
///
/// `host` must be a valid DNS name that matches the server's certificate
/// subject, as it is passed to rustls as the SNI host name.
///
/// # Errors
///
/// Returns an error if the certificate store cannot be loaded, if SNI name
/// parsing fails, or if the TLS handshake is rejected by the server.
async fn connect_tls(
    stream: TcpStream,
    host: &str,
) -> Result<tokio_rustls::client::TlsStream<TcpStream>, Box<dyn std::error::Error + Send + Sync>> {
    let mut root_store = RootCertStore::empty();
    let certs = rustls_native_certs::load_native_certs();
    for cert in certs.certs {
        // Ignore errors from individual untrusted/malformed system certs.
        let _ = root_store.add(cert);
    }
    let config = ClientConfig::builder()
        .with_root_certificates(root_store)
        .with_no_client_auth();
    let connector = TlsConnector::from(Arc::new(config));
    let domain = rustls::pki_types::ServerName::try_from(host.to_string())?;
    Ok(connector.connect(domain, stream).await?)
}

// ---------------------------------------------------------------------------
// Connection task
// ---------------------------------------------------------------------------

async fn run_connection(
    host: String,
    port: u16,
    tls: bool,
    auto_login: Option<(String, Option<String>)>,
    initial_size: (u16, u16),
    tx: mpsc::Sender<NetEvent>,
    ui_rx: mpsc::Receiver<UiEvent>,
) {
    let addr = format!("{host}:{port}");
    info!("Connecting to {addr} (tls={tls})");

    let stream = match timeout(CONNECT_TIMEOUT, TcpStream::connect(&addr)).await {
        Ok(Ok(s)) => s,
        Ok(Err(e)) => {
            error!("TCP connect failed: {e}");
            let _ = tx.send(NetEvent::Disconnected(e.to_string())).await;
            return;
        }
        Err(_) => {
            error!("TCP connect timed out");
            let _ = tx
                .send(NetEvent::Disconnected("Connection timed out".into()))
                .await;
            return;
        }
    };

    info!("TCP connected to {addr}");

    if tls {
        match connect_tls(stream, &host).await {
            Ok(tls_stream) => {
                info!("TLS handshake successful for {host}");
                let (r, w) = tokio::io::split(tls_stream);
                connection_loop(
                    Box::new(r) as _,
                    Box::new(w) as _,
                    initial_size,
                    tx,
                    ui_rx,
                    auto_login,
                )
                .await;
            }
            Err(e) => {
                error!("TLS handshake failed: {e}");
                let _ = tx
                    .send(NetEvent::Disconnected(format!("TLS error: {e}")))
                    .await;
            }
        }
    } else {
        let (r, w) = stream.into_split();
        connection_loop(
            Box::new(r) as _,
            Box::new(w) as _,
            initial_size,
            tx,
            ui_rx,
            auto_login,
        )
        .await;
    }
}

/// Check whether the escape sequence starting at `seq[0]` (which must be ESC)
/// is fully terminated within `seq`.
fn is_complete_escape(seq: &[u8]) -> bool {
    if seq.len() < 2 || seq[0] != 0x1b {
        return false;
    }
    match seq[1] {
        b'[' => {
            // CSI: terminated by a byte in 0x40..=0x7E
            seq[2..].iter().any(|&b| (0x40..=0x7E).contains(&b))
        }
        b']' | b'P' | b'^' | b'_' | b'X' => {
            // OSC / DCS / PM / APC / SOS: terminated by BEL or ST (ESC \)
            seq[2..].iter().any(|&b| b == 0x07) || seq[2..].windows(2).any(|w| w == [0x1b, b'\\'])
        }
        b'(' | b')' | b'*' | b'+' => {
            // Charset designation: ESC + designator + one charset byte = 3 bytes
            seq.len() >= 3
        }
        _ => true, // Fe / single-byte: ESC + one byte is always complete
    }
}

/// Find the byte offset up to which `buf` can safely be sent as prompt text
/// without splitting an in-progress ANSI escape sequence.
/// Any trailing incomplete sequence is excluded from the returned range.
fn safe_prompt_end(buf: &[u8]) -> usize {
    let len = buf.len();
    if len == 0 {
        return 0;
    }
    // Scan backwards (up to 32 bytes) for the last ESC byte.
    let mut j = len;
    while j > 0 {
        j -= 1;
        if buf[j] == 0x1b {
            if is_complete_escape(&buf[j..]) {
                return len; // Last ESC starts a complete sequence → all safe.
            } else {
                return j; // Incomplete → cut before this ESC.
            }
        }
        if len - j > 32 {
            break;
        }
    }
    len // No ESC found in trailing region → all safe.
}

/// Core read/write loop — shared between plain-TCP and TLS connections.
///
/// Auto-login:
///   Step 0 → fires on the FIRST server output (any line or prompt) → sends login.
///   Step 1 → fires on the next PROMPT (partial line, no \n) → sends password if stored.
/// Using "first output" for login covers both MUDs that send a prompt without \n
/// and those that send the login line with \n.
async fn connection_loop(
    mut reader: Box<dyn tokio::io::AsyncRead + Unpin + Send>,
    mut writer: Box<dyn tokio::io::AsyncWrite + Unpin + Send>,
    initial_size: (u16, u16),
    tx: mpsc::Sender<NetEvent>,
    mut ui_rx: mpsc::Receiver<UiEvent>,
    auto_login: Option<(String, Option<String>)>,
) {
    let _ = tx.send(NetEvent::Connected).await;

    // Send initial NAWS.
    let naws = naws_packet(initial_size.0, initial_size.1);
    if let Err(e) = writer.write_all(&naws).await {
        warn!("Failed to send initial NAWS: {e}");
    }

    let mut read_buf = BytesMut::with_capacity(4096);
    let mut line_buf = String::new();
    // 0 = send login on first server output (line or prompt)
    // 1 = send password on next PROMPT
    // 2 = done
    let mut auto_login_step: u8 = if auto_login.is_some() { 0 } else { 2 };
    // Approximate round-trip latency: timestamp an outstanding user command
    // (or periodic probe) and sample when the next server output arrives.
    // Stale timestamps are dropped so unrelated output does not create spikes.
    let mut pending_latency: Option<PendingLatency> = None;
    let mut latency_probe = interval(LATENCY_PROBE_INTERVAL);
    latency_probe.set_missed_tick_behavior(MissedTickBehavior::Delay);

    loop {
        tokio::select! {
            // Server → UI
            result = reader.read_buf(&mut read_buf) => {
                match result {
                    Ok(0) => {
                        info!("Server closed connection");
                        let _ = tx.send(NetEvent::Disconnected("Server closed the connection".into())).await;
                        break;
                    }
                    Ok(_) => {
                        let mut responses = Vec::new();
                        let raw = read_buf.split().freeze();
                        let parsed = parse_telnet(&raw, &mut responses);

                        for gmcp in parsed.gmcp {
                            let _ = tx.send(NetEvent::Gmcp(gmcp)).await;
                        }

                        // Send negotiation responses immediately.
                        if !responses.is_empty() {
                            if let Err(e) = writer.write_all(&responses).await {
                                warn!("Failed to write telnet responses: {e}");
                            }
                        }

                        // Split into lines; partial trailing content → Prompt.
                        line_buf.push_str(&parsed.text);
                        let mut had_complete_lines = false;
                        while let Some(pos) = line_buf.find('\n') {
                            had_complete_lines = true;
                            let line: String = line_buf.drain(..=pos).collect();
                            let line = line.trim_end_matches('\n').trim_end_matches('\r').to_string();
                            let _ = tx.send(NetEvent::Line(line)).await;
                        }
                        let had_prompt = !line_buf.is_empty();

                        // Auto-login state machine.
                        // Step 0: fire on ANY first server output (line or prompt).
                        if auto_login_step == 0 && (had_complete_lines || had_prompt) {
                            if let Some((ref login, _)) = auto_login {
                                info!("Auto-login: sending login name");
                                auto_login_step = 1;
                                let mut data = login.as_bytes().to_vec();
                                data.extend_from_slice(b"\r\n");
                                if let Err(e) = writer.write_all(&data).await {
                                    error!("Auto-login write error: {e}");
                                    let _ = tx.send(NetEvent::Disconnected(e.to_string())).await;
                                    break;
                                }
                            }
                        // Step 1: fire only on a PROMPT – wait for the actual password prompt.
                        } else if auto_login_step == 1 && had_prompt {
                            if let Some((_, Some(ref password))) = auto_login {
                                info!("Auto-login: sending password");
                                auto_login_step = 2;
                                let mut data = password.as_bytes().to_vec();
                                data.extend_from_slice(b"\r\n");
                                if let Err(e) = writer.write_all(&data).await {
                                    error!("Auto-login password write error: {e}");
                                    let _ = tx.send(NetEvent::Disconnected(e.to_string())).await;
                                    break;
                                }
                            } else {
                                // No stored password – user will type it manually.
                                auto_login_step = 2;
                            }
                        }

                        if had_prompt {
                            // Don't send a prompt if `line_buf` ends with an
                            // incomplete ANSI escape sequence — keep the fragment
                            // for the next read so it can be reassembled.
                            let safe = safe_prompt_end(line_buf.as_bytes());
                            if safe > 0 {
                                let prompt_text: String = line_buf[..safe].chars()
                                    .filter(|&c| c != '\r')
                                    .collect();
                                let _ = tx.send(NetEvent::Prompt(prompt_text)).await;
                            }
                            // Keep the incomplete tail (if any) for the next read.
                            let tail = line_buf[safe..].to_string();
                            line_buf.clear();
                            line_buf.push_str(&tail);
                        }

                        if had_complete_lines || had_prompt {
                            if let Some(pending) = pending_latency.take() {
                                if !pending.is_stale() {
                                    let elapsed = pending.started.elapsed().as_millis();
                                    let latency_ms = u64::try_from(elapsed).unwrap_or(u64::MAX);
                                    let _ = tx.send(NetEvent::Latency(latency_ms)).await;
                                }
                            }
                        }
                    }
                    Err(e) => {
                        error!("Read error: {e}");
                        let _ = tx.send(NetEvent::Disconnected(e.to_string())).await;
                        break;
                    }
                }
            }

            // UI → Server
            msg = ui_rx.recv() => {
                match msg {
                    None | Some(UiEvent::Disconnect) => {
                        info!("Disconnecting on UI request");
                        let _ = tx.send(NetEvent::Disconnected("Disconnected".into())).await;
                        break;
                    }
                    Some(UiEvent::SendLine(line)) => {
                        let mut data = line.into_bytes();
                        data.extend_from_slice(b"\r\n");
                        if let Err(e) = writer.write_all(&data).await {
                            error!("Write error: {e}");
                            let _ = tx.send(NetEvent::Disconnected(e.to_string())).await;
                            break;
                        }
                        if !matches!(pending_latency, Some(PendingLatency { source: LatencySource::UserCommand, .. })) {
                            // A real user command takes precedence over any probe sample.
                            pending_latency = Some(PendingLatency::new(LatencySource::UserCommand));
                        }
                    }
                    Some(UiEvent::Resize { cols, rows }) => {
                        let naws = naws_packet(cols, rows);
                        if let Err(e) = writer.write_all(&naws).await {
                            warn!("Failed to send NAWS on resize: {e}");
                        }
                    }
                }
            }

            _ = latency_probe.tick() => {
                if pending_latency.map(|p| p.is_stale()).unwrap_or(false) {
                    pending_latency = None;
                }
                if pending_latency.is_some() {
                    continue;
                }
                let probe = [IAC, AYT];
                if let Err(e) = writer.write_all(&probe).await {
                    warn!("Failed to send latency probe: {e}");
                } else {
                    pending_latency = Some(PendingLatency::new(LatencySource::Probe));
                }
            }
        }
    }
}