@boluo-ai/relay 0.1.0

package/dist/cli.js

@@ -0,0 +1,2035 @@
+#!/usr/bin/env node
+
+// src/ids.ts
+import { randomUUID } from "crypto";
+function mintId(prefix) {
+  return prefix + randomUUID().replace(/-/g, "").slice(0, 16);
+}
+function mintDeviceId() {
+  return mintId("dev_");
+}
+function mintUserId() {
+  return mintId("usr_");
+}
+
+// src/cli.ts
+import { existsSync, statSync, readFileSync } from "fs";
+import { extname, join, normalize, resolve as resolvePath } from "path";
+import { fileURLToPath } from "url";
+import { Command } from "commander";
+import { serve } from "@hono/node-server";
+
+// src/auth-apikey.ts
+import { Buffer } from "buffer";
+import { timingSafeEqual } from "crypto";
+
+// src/auth-deps.ts
+var RELAY_PROTOCOL_VERSION = 1;
+function authError(code, message) {
+  return { type: "auth_error", code, message };
+}
+
+// src/auth-apikey.ts
+function safeEqual(a, b) {
+  if (a.length !== b.length) return false;
+  const ab = Buffer.from(a);
+  const bb = Buffer.from(b);
+  return timingSafeEqual(ab, bb);
+}
+function createApiKeyProvider(opts) {
+  const apiKey = opts.apiKey;
+  return {
+    authenticate(msg, deps) {
+      if (apiKey === "") {
+        return {
+          ok: false,
+          result: authError("apikey_disabled", "apikey auth not configured")
+        };
+      }
+      if (!msg.device) {
+        return {
+          ok: false,
+          result: authError("missing_device", "apikey auth requires device payload")
+        };
+      }
+      const key = msg.auth.key ?? "";
+      if (!safeEqual(key, apiKey)) {
+        return {
+          ok: false,
+          result: authError("unauthorized", "invalid api key")
+        };
+      }
+      const user = deps.upsertUserFromProvider({
+        provider: "apikey",
+        login: "apikey-user",
+        email: ""
+      });
+      const deviceId = deps.newDeviceId();
+      deps.upsertDevice({
+        device_id: deviceId,
+        user_id: user.user_id,
+        device: msg.device
+      });
+      return {
+        ok: true,
+        result: {
+          type: "auth_ok",
+          deviceId,
+          userId: user.user_id,
+          user: {
+            id: user.user_id,
+            login: user.login,
+            email: user.email,
+            provider: user.provider
+          },
+          version: RELAY_PROTOCOL_VERSION
+        }
+      };
+    }
+  };
+}
+
+// src/challenge.ts
+import { Buffer as Buffer2 } from "buffer";
+import { randomBytes, randomUUID as randomUUID2, verify as cryptoVerify, constants } from "crypto";
+var DEFAULT_NONCE_BYTES = 32;
+var DEFAULT_PENDING_TTL_MS = 6e4;
+function spkiB64ToPem(b64) {
+  const chunks = [];
+  for (let i = 0; i < b64.length; i += 64) {
+    chunks.push(b64.slice(i, i + 64));
+  }
+  return `-----BEGIN PUBLIC KEY-----
+${chunks.join("\n")}
+-----END PUBLIC KEY-----`;
+}
+function createChallengeProvider(opts = {}) {
+  const nonceBytes = opts.nonceBytes ?? DEFAULT_NONCE_BYTES;
+  const ttl = opts.pendingTtlMs ?? DEFAULT_PENDING_TTL_MS;
+  const pending = /* @__PURE__ */ new Map();
+  return {
+    start(msg, deps) {
+      const deviceId = msg.auth.deviceId;
+      if (!deviceId) {
+        return { error: authError("invalid_request", "deviceId required") };
+      }
+      const row = deps.getDeviceById(deviceId);
+      if (!row) {
+        return { error: authError("unknown_device", "device not registered") };
+      }
+      const nonceB64 = randomBytes(nonceBytes).toString("base64");
+      const pendingKey = randomUUID2();
+      pending.set(pendingKey, {
+        nonceB64,
+        deviceId,
+        userId: row.user_id,
+        publicKey: row.public_key,
+        expiresAt: deps.now() + ttl
+      });
+      return { nonceB64, pendingKey, deviceId, userId: row.user_id };
+    },
+    verify(pendingKey, response, deps) {
+      const entry = pending.get(pendingKey);
+      if (!entry) {
+        return {
+          ok: false,
+          result: authError("unknown_challenge", "no pending challenge for key")
+        };
+      }
+      pending.delete(pendingKey);
+      if (entry.expiresAt <= deps.now()) {
+        return {
+          ok: false,
+          result: authError("challenge_expired", "challenge nonce expired")
+        };
+      }
+      let valid = false;
+      try {
+        valid = cryptoVerify(
+          "RSA-SHA256",
+          Buffer2.from(entry.nonceB64, "base64"),
+          {
+            key: spkiB64ToPem(entry.publicKey),
+            format: "pem",
+            padding: constants.RSA_PKCS1_PADDING
+          },
+          Buffer2.from(response.signature, "base64")
+        );
+      } catch {
+        valid = false;
+      }
+      if (!valid) {
+        return {
+          ok: false,
+          result: authError("bad_signature", "challenge signature invalid")
+        };
+      }
+      const user = deps.upsertUserFromProvider({
+        provider: "challenge",
+        login: entry.userId,
+        email: ""
+      });
+      return {
+        ok: true,
+        result: {
+          type: "auth_ok",
+          deviceId: entry.deviceId,
+          userId: entry.userId,
+          user: {
+            id: entry.userId,
+            login: user.login,
+            email: user.email,
+            provider: user.provider
+          },
+          version: RELAY_PROTOCOL_VERSION
+        }
+      };
+    }
+  };
+}
+
+// src/auth-github.ts
+function createGithubProvider(opts = {}) {
+  const fetchImpl = opts.fetchImpl ?? globalThis.fetch;
+  const oauthEnabled = () => !!(opts.clientId && opts.clientId !== "" && opts.clientSecret && opts.clientSecret !== "");
+  async function fetchGithubUser(token) {
+    const res = await fetchImpl("https://api.github.com/user", {
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/vnd.github+json",
+        "User-Agent": "boluo-relay"
+      }
+    });
+    if (!res.ok) {
+      const body = await safeText(res);
+      return { ok: false, status: res.status, body };
+    }
+    const user = await res.json();
+    return { ok: true, user };
+  }
+  function finalize(user, msg, deps) {
+    if (!msg.device) {
+      return {
+        ok: false,
+        result: authError("missing_device", "github auth requires device payload")
+      };
+    }
+    const login = (user.login ?? "").trim();
+    if (login === "") {
+      return {
+        ok: false,
+        result: authError("github_error", "github user payload missing login")
+      };
+    }
+    const stored = deps.upsertUserFromProvider({
+      provider: "github",
+      login,
+      email: user.email ?? ""
+    });
+    const deviceId = deps.newDeviceId();
+    deps.upsertDevice({
+      device_id: deviceId,
+      user_id: stored.user_id,
+      device: msg.device
+    });
+    return {
+      ok: true,
+      result: {
+        type: "auth_ok",
+        deviceId,
+        userId: stored.user_id,
+        user: {
+          id: stored.user_id,
+          login: stored.login,
+          email: stored.email,
+          provider: stored.provider
+        },
+        version: RELAY_PROTOCOL_VERSION
+      }
+    };
+  }
+  return {
+    oauthEnabled,
+    async authenticateOAuth(msg, deps) {
+      if (!oauthEnabled()) {
+        return {
+          ok: false,
+          result: authError("oauth_disabled", "github_oauth not configured")
+        };
+      }
+      if (!msg.device) {
+        return {
+          ok: false,
+          result: authError("missing_device", "github auth requires device payload")
+        };
+      }
+      try {
+        const tokenRes = await fetchImpl("https://github.com/login/oauth/access_token", {
+          method: "POST",
+          headers: {
+            "Content-Type": "application/json",
+            Accept: "application/json",
+            "User-Agent": "boluo-relay"
+          },
+          body: JSON.stringify({
+            client_id: opts.clientId,
+            client_secret: opts.clientSecret,
+            code: msg.auth.code,
+            state: msg.auth.state
+          })
+        });
+        if (!tokenRes.ok) {
+          return {
+            ok: false,
+            result: authError(
+              "github_error",
+              `oauth token exchange failed (status ${tokenRes.status})`
+            )
+          };
+        }
+        const tokenJson = await tokenRes.json();
+        if (!tokenJson.access_token) {
+          return {
+            ok: false,
+            result: authError(
+              "github_error",
+              tokenJson.error_description ?? tokenJson.error ?? "missing access_token"
+            )
+          };
+        }
+        const u = await fetchGithubUser(tokenJson.access_token);
+        if (!u.ok) {
+          return {
+            ok: false,
+            result: u.status === 401 ? authError("unauthorized", "github token rejected") : authError("github_error", `github /user ${u.status}: ${u.body}`)
+          };
+        }
+        return finalize(u.user, msg, deps);
+      } catch (err) {
+        return {
+          ok: false,
+          result: authError("github_error", `github oauth error: ${stringifyErr(err)}`)
+        };
+      }
+    },
+    async authenticatePAT(msg, deps) {
+      if (!msg.device) {
+        return {
+          ok: false,
+          result: authError("missing_device", "github auth requires device payload")
+        };
+      }
+      try {
+        const u = await fetchGithubUser(msg.auth.token);
+        if (!u.ok) {
+          return {
+            ok: false,
+            result: u.status === 401 ? authError("unauthorized", "github token rejected") : authError("github_error", `github /user ${u.status}: ${u.body}`)
+          };
+        }
+        return finalize(u.user, msg, deps);
+      } catch (err) {
+        return {
+          ok: false,
+          result: authError("github_error", `github pat error: ${stringifyErr(err)}`)
+        };
+      }
+    }
+  };
+}
+async function safeText(res) {
+  try {
+    return await res.text();
+  } catch {
+    return "";
+  }
+}
+function stringifyErr(err) {
+  if (err instanceof Error) return err.message;
+  return String(err);
+}
+
+// src/open-auth.ts
+import { Buffer as Buffer3 } from "buffer";
+import { timingSafeEqual as timingSafeEqual2 } from "crypto";
+function safeEqual2(a, b) {
+  if (a.length !== b.length) return false;
+  return timingSafeEqual2(Buffer3.from(a), Buffer3.from(b));
+}
+function createOpenProvider(opts = {}) {
+  const sharedKey = opts.sharedKey ?? "";
+  return {
+    authenticate(msg, deps) {
+      if (!msg.device) {
+        return {
+          ok: false,
+          result: authError("missing_device", "open auth requires device payload")
+        };
+      }
+      if (sharedKey !== "") {
+        const provided = msg.auth.sharedKey ?? "";
+        if (!safeEqual2(provided, sharedKey)) {
+          return {
+            ok: false,
+            result: authError("unauthorized", "shared key mismatch")
+          };
+        }
+      }
+      const user = deps.upsertUserFromProvider({
+        provider: "open",
+        login: "open-user",
+        email: ""
+      });
+      const deviceId = deps.newDeviceId();
+      deps.upsertDevice({
+        device_id: deviceId,
+        user_id: user.user_id,
+        device: msg.device
+      });
+      return {
+        ok: true,
+        result: {
+          type: "auth_ok",
+          deviceId,
+          userId: user.user_id,
+          user: {
+            id: user.user_id,
+            login: user.login,
+            email: user.email,
+            provider: user.provider
+          },
+          version: RELAY_PROTOCOL_VERSION
+        }
+      };
+    }
+  };
+}
+
+// src/pairing.ts
+import { randomBytes as randomBytes2 } from "crypto";
+var DEFAULT_TTL_MS = 5 * 60 * 1e3;
+var PairingTokenStore = class {
+  tokens = /* @__PURE__ */ new Map();
+  clock;
+  constructor(opts = {}) {
+    this.clock = opts.now ?? Date.now;
+  }
+  issue(userId, opts = {}) {
+    const ttl = opts.ttlMs ?? DEFAULT_TTL_MS;
+    const token = randomBytes2(24).toString("base64url");
+    const expiresAt = this.clock() + ttl;
+    this.tokens.set(token, {
+      userId,
+      expiresAt,
+      label: opts.label,
+      consumed: false
+    });
+    return { token, expiresAt };
+  }
+  consume(token) {
+    const entry = this.tokens.get(token);
+    if (!entry) return null;
+    if (entry.consumed) return null;
+    if (entry.expiresAt <= this.clock()) {
+      this.tokens.delete(token);
+      return null;
+    }
+    entry.consumed = true;
+    return { userId: entry.userId };
+  }
+  purgeExpired(now) {
+    let purged = 0;
+    for (const [token, entry] of this.tokens.entries()) {
+      if (entry.expiresAt <= now) {
+        this.tokens.delete(token);
+        purged += 1;
+      }
+    }
+    return purged;
+  }
+  /** Test helper. */
+  size() {
+    return this.tokens.size;
+  }
+};
+function createPairingProvider(store) {
+  return {
+    authenticate(msg, deps) {
+      if (!msg.device) {
+        return {
+          ok: false,
+          result: authError("missing_device", "pairing auth requires device payload")
+        };
+      }
+      const claim = store.consume(msg.auth.token ?? "");
+      if (!claim) {
+        return {
+          ok: false,
+          result: authError("invalid_token", "pairing token invalid or expired")
+        };
+      }
+      const deviceId = deps.newDeviceId();
+      deps.upsertDevice({
+        device_id: deviceId,
+        user_id: claim.userId,
+        device: msg.device
+      });
+      const user = deps.upsertUserFromProvider({
+        provider: "pairing",
+        login: claim.userId,
+        email: ""
+      });
+      return {
+        ok: true,
+        result: {
+          type: "auth_ok",
+          deviceId,
+          userId: claim.userId,
+          user: {
+            id: claim.userId,
+            login: user.login,
+            email: user.email,
+            provider: user.provider
+          },
+          version: RELAY_PROTOCOL_VERSION
+        }
+      };
+    }
+  };
+}
+
+// src/auth.ts
+function createAuthRegistry(opts) {
+  const enabled = new Set(opts.enabledMethods);
+  const apiKeyProvider = createApiKeyProvider({
+    apiKey: opts.apiKey ?? ""
+  });
+  const openProvider = createOpenProvider({
+    sharedKey: opts.openSharedKey
+  });
+  const pairingStore = new PairingTokenStore();
+  const pairingProvider = createPairingProvider(pairingStore);
+  const githubProvider = createGithubProvider({
+    clientId: opts.githubClientId,
+    clientSecret: opts.githubClientSecret,
+    fetchImpl: opts.fetchImpl
+  });
+  const challengeProvider = createChallengeProvider();
+  function methodDisabled(method) {
+    return {
+      ok: false,
+      result: authError("method_disabled", `auth method '${method}' not enabled on this relay`)
+    };
+  }
+  return {
+    info() {
+      const methods = Array.from(enabled);
+      const response = {
+        type: "auth_info_response",
+        methods
+      };
+      if (enabled.has("github_oauth") && opts.githubClientId) {
+        response.githubClientId = opts.githubClientId;
+      }
+      return response;
+    },
+    async dispatch(msg, deps) {
+      const method = msg.auth.method;
+      if (!enabled.has(method)) {
+        return methodDisabled(method);
+      }
+      switch (method) {
+        case "apikey":
+          return apiKeyProvider.authenticate(msg, deps);
+        case "open":
+          return openProvider.authenticate(msg, deps);
+        case "pairing":
+          return pairingProvider.authenticate(
+            msg,
+            deps
+          );
+        case "github_oauth":
+          return githubProvider.authenticateOAuth(
+            msg,
+            deps
+          );
+        case "github_token":
+          return githubProvider.authenticatePAT(
+            msg,
+            deps
+          );
+        case "challenge":
+          return {
+            ok: false,
+            result: authError(
+              "use_two_step_challenge",
+              "use startChallenge/verifyChallenge two-step API"
+            )
+          };
+        default: {
+          const _exhaustive = method;
+          void _exhaustive;
+          return {
+            ok: false,
+            result: authError("unknown_method", `unknown auth method`)
+          };
+        }
+      }
+    },
+    startChallenge(msg, deps) {
+      if (!enabled.has("challenge")) {
+        return { error: authError("method_disabled", "challenge auth not enabled on this relay") };
+      }
+      const r = challengeProvider.start(msg, deps);
+      if ("error" in r) return { error: r.error };
+      return r;
+    },
+    verifyChallenge(pendingKey, response, deps) {
+      if (!enabled.has("challenge")) {
+        return {
+          ok: false,
+          result: authError("method_disabled", "challenge auth not enabled on this relay")
+        };
+      }
+      return challengeProvider.verify(pendingKey, response, deps);
+    },
+    pairing: pairingStore
+  };
+}
+
+// src/http.ts
+import { Hono } from "hono";
+function createHttpApp(deps) {
+  const app = new Hono();
+  app.get("/health", (c) => {
+    const m = deps.metrics();
+    return c.json({
+      status: "ok",
+      uptime: process.uptime(),
+      devicesOnline: m.devicesOnline,
+      users: m.users
+    });
+  });
+  app.get("/oauth/github/callback", (c) => {
+    const code = c.req.query("code") ?? "";
+    const state = c.req.query("state") ?? "";
+    const error = c.req.query("error") ?? "";
+    deps.logger.info("github oauth callback", { hasCode: code !== "", error });
+    const payload = JSON.stringify({ source: "boluo-oauth", code, state, error });
+    const html = `<!doctype html>
+<html><head><meta charset="utf-8"><title>Boluo OAuth</title></head>
+<body>
+<script>
+(function () {
+  var payload = ${payload};
+  try {
+    if (typeof BroadcastChannel === 'function') {
+      var bc = new BroadcastChannel('boluo-oauth');
+      bc.postMessage(payload);
+      bc.close();
+    }
+  } catch (e) {}
+  try {
+    if (window.opener) {
+      window.opener.postMessage(payload, '*');
+    }
+  } catch (e) {}
+  document.body.textContent = 'You can close this window.';
+  setTimeout(function () { try { window.close(); } catch (e) {} }, 100);
+})();
+</script>
+<p>You can close this window.</p>
+</body></html>`;
+    return c.html(html);
+  });
+  return app;
+}
+
+// src/logger.ts
+var LEVEL_ORDER = {
+  debug: 10,
+  info: 20,
+  warn: 30,
+  error: 40
+};
+function createLogger(opts = {}) {
+  const threshold = LEVEL_ORDER[opts.level ?? "info"];
+  function emit(level, sink, msg, fields) {
+    if (LEVEL_ORDER[level] < threshold) return;
+    if (fields && Object.keys(fields).length > 0) {
+      sink(`[${level}] ${msg}`, fields);
+    } else {
+      sink(`[${level}] ${msg}`);
+    }
+  }
+  return {
+    debug: (msg, fields) => emit("debug", console.debug.bind(console), msg, fields),
+    info: (msg, fields) => emit("info", console.log.bind(console), msg, fields),
+    warn: (msg, fields) => emit("warn", console.warn.bind(console), msg, fields),
+    error: (msg, fields) => emit("error", console.error.bind(console), msg, fields)
+  };
+}
+var NOOP_LOGGER = {
+  debug: () => {
+  },
+  info: () => {
+  },
+  warn: () => {
+  },
+  error: () => {
+  }
+};
+
+// src/server.ts
+import { WebSocket, WebSocketServer } from "ws";
+var DEFAULT_PING_INTERVAL_MS = 3e4;
+var DEFAULT_STALE_THRESHOLD_MS = 6e4;
+var DEFAULT_STALE_CHECK_INTERVAL_MS = 1e4;
+var DEFAULT_MAX_PAYLOAD = 10 * 1024 * 1024;
+function createRelayServer(opts) {
+  const log = opts.logger ?? NOOP_LOGGER;
+  const pingIntervalMs = opts.pingIntervalMs ?? DEFAULT_PING_INTERVAL_MS;
+  const staleThresholdMs = opts.staleThresholdMs ?? DEFAULT_STALE_THRESHOLD_MS;
+  const staleCheckIntervalMs = opts.staleCheckIntervalMs ?? DEFAULT_STALE_CHECK_INTERVAL_MS;
+  const maxPayload = opts.maxPayload ?? DEFAULT_MAX_PAYLOAD;
+  const { storage, auth } = opts;
+  const wss = new WebSocketServer({ noServer: true, maxPayload });
+  const byConn = /* @__PURE__ */ new Map();
+  const byDeviceId = /* @__PURE__ */ new Map();
+  const byUserId = /* @__PURE__ */ new Map();
+  let pingTimer = null;
+  let staleTimer = null;
+  let closed = false;
+  function makeDeps() {
+    return {
+      upsertUserFromProvider({ provider, login, email }) {
+        const existing = storage.getUserByLogin(login);
+        if (existing && existing.provider === provider) {
+          storage.touchUser(existing.user_id, Date.now());
+          return {
+            user_id: existing.user_id,
+            login: existing.login,
+            email: existing.email,
+            provider: existing.provider
+          };
+        }
+        const row = storage.upsertUser({
+          user_id: existing?.user_id ?? newUserId(),
+          login,
+          provider,
+          email
+        });
+        return {
+          user_id: row.user_id,
+          login: row.login,
+          email: row.email,
+          provider: row.provider
+        };
+      },
+      upsertDevice({ device_id, user_id, device }) {
+        storage.upsertDevice({
+          device_id,
+          user_id,
+          name: device.name,
+          role: device.role,
+          kind: device.kind,
+          public_key: device.publicKey,
+          encryption_key: device.encryptionKey
+        });
+      },
+      getDeviceById(device_id) {
+        const d = storage.getDevice(device_id);
+        return d ? {
+          user_id: d.user_id,
+          public_key: d.public_key,
+          encryption_key: d.encryption_key
+        } : null;
+      },
+      newDeviceId,
+      newUserId,
+      now: () => Date.now()
+    };
+  }
+  function sendFrame(ws, frame) {
+    if (ws.readyState !== WebSocket.OPEN) return;
+    try {
+      ws.send(JSON.stringify(frame));
+    } catch (err) {
+      log.warn("send failed", { error: String(err) });
+    }
+  }
+  function sendServerError(ws, code, message, ref) {
+    const frame = { type: "server_error", code, message };
+    if (ref !== void 0) frame.ref = ref;
+    sendFrame(ws, frame);
+  }
+  function summarizeDevice(row, online) {
+    return {
+      deviceId: row.device_id,
+      userId: row.user_id,
+      name: row.name,
+      role: row.role,
+      kind: row.kind,
+      online,
+      lastSeen: row.last_seen,
+      encryptionKey: row.encryption_key
+    };
+  }
+  function userPeers(userId, exceptDeviceId) {
+    const ids = byUserId.get(userId);
+    if (!ids) return [];
+    const out = [];
+    for (const id of ids) {
+      if (id === exceptDeviceId) continue;
+      const c = byDeviceId.get(id);
+      if (c && c.ws.readyState === WebSocket.OPEN) out.push(c);
+    }
+    return out;
+  }
+  function registerConn(state) {
+    if (!state.deviceId || !state.userId) return;
+    byDeviceId.set(state.deviceId, state);
+    let set = byUserId.get(state.userId);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      byUserId.set(state.userId, set);
+    }
+    set.add(state.deviceId);
+  }
+  function unregisterConn(state) {
+    if (!state.deviceId) return;
+    const cur = byDeviceId.get(state.deviceId);
+    if (cur === state) byDeviceId.delete(state.deviceId);
+    if (state.userId) {
+      const set = byUserId.get(state.userId);
+      if (set && cur === state) {
+        set.delete(state.deviceId);
+        if (set.size === 0) byUserId.delete(state.userId);
+      }
+    }
+  }
+  function broadcastDeviceLifecycle(userId, exceptDeviceId, frame) {
+    for (const peer of userPeers(userId, exceptDeviceId)) {
+      sendFrame(peer.ws, frame);
+    }
+  }
+  function drainPending(state) {
+    if (!state.deviceId) return;
+    storage.expirePending(Date.now());
+    const rows = storage.drainPending(state.deviceId);
+    for (const row of rows) {
+      try {
+        const envelope = JSON.parse(row.envelope);
+        sendFrame(state.ws, envelope);
+      } catch (err) {
+        log.warn("dropping malformed pending envelope", {
+          deviceId: state.deviceId,
+          error: String(err)
+        });
+      }
+    }
+  }
+  function announceJoined(state) {
+    if (!state.userId || !state.deviceId) return;
+    const row = storage.getDevice(state.deviceId);
+    if (!row) return;
+    const frame = {
+      type: "device_joined",
+      device: summarizeDevice(row, true)
+    };
+    broadcastDeviceLifecycle(state.userId, state.deviceId, frame);
+  }
+  function sendDeviceListSnapshot(state) {
+    if (!state.userId || !state.deviceId) return;
+    const rows = storage.listDevicesByUser(state.userId);
+    const onlineIds = byUserId.get(state.userId) ?? /* @__PURE__ */ new Set();
+    const devices = rows.map(
+      (r) => summarizeDevice(
+        r,
+        r.device_id === state.deviceId || onlineIds.has(r.device_id)
+      )
+    );
+    sendFrame(state.ws, { type: "device_list", devices });
+  }
+  function announceLeft(state) {
+    if (!state.userId || !state.deviceId) return;
+    storage.touchDevice(state.deviceId, Date.now());
+    const frame = {
+      type: "device_left",
+      deviceId: state.deviceId
+    };
+    broadcastDeviceLifecycle(state.userId, state.deviceId, frame);
+  }
+  async function handleAuthMessage(state, msg) {
+    const deps = makeDeps();
+    if (msg.auth.method === "challenge") {
+      const r = auth.startChallenge(msg, deps);
+      if ("error" in r) {
+        sendAuthError(state, r.error);
+        return;
+      }
+      state.pendingChallenge = r;
+      const frame = { type: "auth_challenge", nonce: r.nonceB64 };
+      sendFrame(state.ws, frame);
+      return;
+    }
+    const outcome = await auth.dispatch(msg, deps);
+    if (!outcome.ok) {
+      sendAuthError(state, outcome.result);
+      return;
+    }
+    await completeAuth(state, outcome.result);
+  }
+  async function handleAuthResponse(state, msg) {
+    const pending = state.pendingChallenge;
+    state.pendingChallenge = void 0;
+    if (!pending) {
+      sendAuthError(state, {
+        type: "auth_error",
+        code: "no_pending_challenge",
+        message: "no pending challenge"
+      });
+      return;
+    }
+    const outcome = auth.verifyChallenge(pending.pendingKey, msg, makeDeps());
+    if (!outcome.ok) {
+      sendAuthError(state, outcome.result);
+      return;
+    }
+    await completeAuth(state, outcome.result);
+  }
+  function sendAuthError(state, err) {
+    sendFrame(state.ws, err);
+    try {
+      state.ws.close(1008, err.code);
+    } catch {
+    }
+  }
+  async function completeAuth(state, ok) {
+    state.deviceId = ok.deviceId;
+    state.userId = ok.userId;
+    state.lastSeen = Date.now();
+    registerConn(state);
+    storage.touchDevice(ok.deviceId, state.lastSeen);
+    sendFrame(state.ws, ok);
+    sendDeviceListSnapshot(state);
+    drainPending(state);
+    announceJoined(state);
+  }
+  function handlePostAuthFrame(state, frame) {
+    state.lastSeen = Date.now();
+    state.isAlive = true;
+    const t = frame.type;
+    switch (t) {
+      case "ping": {
+        const p = frame;
+        const pong = { type: "pong" };
+        if (p.id !== void 0) pong.id = p.id;
+        sendFrame(state.ws, pong);
+        return;
+      }
+      case "pong": {
+        return;
+      }
+      case "create_pairing_token":
+      case "request_pairing_token": {
+        if (!state.userId) {
+          sendServerError(state.ws, "not_authenticated", "auth required");
+          return;
+        }
+        const labeled = frame;
+        const label = labeled.type === "create_pairing_token" ? labeled.label : void 0;
+        const issued = auth.pairing.issue(state.userId, {
+          ttlMs: 5 * 6e4,
+          label
+        });
+        const out = {
+          type: "pairing_token_created",
+          token: issued.token,
+          expiresAt: issued.expiresAt
+        };
+        sendFrame(state.ws, out);
+        return;
+      }
+      case "update_preferences": {
+        if (!state.userId || !state.deviceId) {
+          sendServerError(state.ws, "not_authenticated", "auth required");
+          return;
+        }
+        const u = frame;
+        if (!u.preferences || typeof u.preferences !== "object") {
+          sendServerError(state.ws, "invalid_request", "preferences required");
+          return;
+        }
+        storage.setUserPreferences(state.userId, u.preferences);
+        const out = {
+          type: "preferences_updated",
+          preferences: u.preferences
+        };
+        for (const peer of userPeers(state.userId, state.deviceId)) {
+          sendFrame(peer.ws, out);
+        }
+        return;
+      }
+      case "remove_device": {
+        if (!state.userId || !state.deviceId) {
+          sendServerError(state.ws, "not_authenticated", "auth required");
+          return;
+        }
+        const rd = frame;
+        if (typeof rd.deviceId !== "string" || rd.deviceId === "") {
+          sendServerError(state.ws, "invalid_request", "missing deviceId");
+          return;
+        }
+        if (rd.deviceId === state.deviceId) {
+          sendServerError(state.ws, "invalid_request", "cannot remove self");
+          return;
+        }
+        const target = storage.getDevice(rd.deviceId);
+        if (!target) {
+          sendServerError(state.ws, "unknown_device", "target not found");
+          return;
+        }
+        if (target.user_id !== state.userId) {
+          sendServerError(state.ws, "forbidden", "cross-user");
+          return;
+        }
+        const live = byDeviceId.get(rd.deviceId);
+        if (live) {
+          unregisterConn(live);
+          try {
+            live.ws.close(1e3, "device-removed");
+          } catch {
+          }
+        }
+        if (!storage.removeDevice(rd.deviceId)) {
+          sendServerError(state.ws, "unknown_device", "target not found");
+          return;
+        }
+        const out = {
+          type: "device_removed",
+          deviceId: rd.deviceId
+        };
+        for (const peer of userPeers(state.userId)) {
+          sendFrame(peer.ws, out);
+        }
+        return;
+      }
+      case "unicast":
+        handleUnicast(state, frame);
+        return;
+      case "broadcast":
+        handleBroadcast(state, frame);
+        return;
+      case "auth":
+      case "auth_info":
+      case "auth_response":
+        sendServerError(state.ws, "already_authenticated", "already authed");
+        return;
+      default:
+        sendServerError(state.ws, "unknown_frame", `unknown type: ${String(t)}`);
+        return;
+    }
+  }
+  function handleUnicast(state, env) {
+    if (!state.userId || !state.deviceId) {
+      sendServerError(state.ws, "not_authenticated", "auth required", env.ref);
+      return;
+    }
+    if (typeof env.to !== "string" || env.to === "") {
+      sendServerError(state.ws, "invalid_request", "missing 'to'", env.ref);
+      return;
+    }
+    const target = storage.getDevice(env.to);
+    if (!target) {
+      sendServerError(state.ws, "unknown_device", "target not found", env.ref);
+      return;
+    }
+    if (target.user_id !== state.userId) {
+      sendServerError(state.ws, "forbidden", "cross-user", env.ref);
+      return;
+    }
+    const live = byDeviceId.get(env.to);
+    if (live && live.ws.readyState === WebSocket.OPEN) {
+      sendFrame(live.ws, env);
+      return;
+    }
+    try {
+      storage.queuePending({
+        target_device_id: env.to,
+        user_id: state.userId,
+        envelope: JSON.stringify(env),
+        now: Date.now()
+      });
+    } catch (err) {
+      log.warn("queuePending failed", { error: String(err) });
+      sendServerError(state.ws, "queue_failed", "could not queue", env.ref);
+    }
+  }
+  function handleBroadcast(state, env) {
+    if (!state.userId || !state.deviceId) {
+      sendServerError(state.ws, "not_authenticated", "auth required");
+      return;
+    }
+    for (const peer of userPeers(state.userId, state.deviceId)) {
+      sendFrame(peer.ws, env);
+    }
+  }
+  function onConnection(ws) {
+    const state = {
+      ws,
+      isAlive: true,
+      lastSeen: Date.now()
+    };
+    byConn.set(ws, state);
+    ws.on("pong", () => {
+      state.isAlive = true;
+      state.lastSeen = Date.now();
+    });
+    ws.on("message", (data) => {
+      onMessage(state, data).catch((err) => {
+        log.error("message handler crashed", { error: String(err) });
+        try {
+          ws.close(1011, "internal-error");
+        } catch {
+        }
+      });
+    });
+    ws.on("close", () => onClose(state));
+    ws.on("error", (err) => {
+      log.debug("ws error", { error: String(err) });
+    });
+  }
+  async function onMessage(state, data) {
+    state.isAlive = true;
+    state.lastSeen = Date.now();
+    let frame;
+    try {
+      frame = JSON.parse(data.toString());
+    } catch {
+      sendServerError(state.ws, "invalid_json", "could not parse frame");
+      try {
+        state.ws.close(1003, "invalid-json");
+      } catch {
+      }
+      return;
+    }
+    if (!state.deviceId) {
+      if (frame.type === "auth_info") {
+        const info = auth.info();
+        sendFrame(state.ws, info);
+        return;
+      }
+      if (frame.type === "auth") {
+        await handleAuthMessage(state, frame);
+        return;
+      }
+      if (frame.type === "auth_response") {
+        await handleAuthResponse(state, frame);
+        return;
+      }
+      sendAuthError(state, {
+        type: "auth_error",
+        code: "not_authenticated",
+        message: "auth required"
+      });
+      return;
+    }
+    handlePostAuthFrame(state, frame);
+  }
+  function onClose(state) {
+    byConn.delete(state.ws);
+    const wasRegistered = state.deviceId ? byDeviceId.get(state.deviceId) === state : false;
+    if (wasRegistered) announceLeft(state);
+    unregisterConn(state);
+  }
+  function startTimers() {
+    pingTimer = setInterval(() => {
+      for (const state of byConn.values()) {
+        if (!state.isAlive) {
+          try {
+            state.ws.terminate();
+          } catch {
+          }
+          continue;
+        }
+        state.isAlive = false;
+        try {
+          state.ws.ping();
+        } catch {
+        }
+      }
+    }, pingIntervalMs);
+    if (pingTimer && typeof pingTimer.unref === "function") {
+      pingTimer.unref();
+    }
+    staleTimer = setInterval(() => {
+      const now = Date.now();
+      for (const state of byConn.values()) {
+        if (now - state.lastSeen > staleThresholdMs) {
+          try {
+            state.ws.terminate();
+          } catch {
+          }
+        }
+      }
+    }, staleCheckIntervalMs);
+    if (staleTimer && typeof staleTimer.unref === "function") {
+      staleTimer.unref();
+    }
+  }
+  function stopTimers() {
+    if (pingTimer) clearInterval(pingTimer);
+    if (staleTimer) clearInterval(staleTimer);
+    pingTimer = null;
+    staleTimer = null;
+  }
+  startTimers();
+  return {
+    attach(httpServer) {
+      httpServer.on("upgrade", (req, socket, head) => {
+        const url = req.url ?? "";
+        if (!url.startsWith("/ws")) {
+          socket.destroy();
+          return;
+        }
+        wss.handleUpgrade(req, socket, head, (ws) => {
+          wss.emit("connection", ws, req);
+        });
+      });
+      wss.on("connection", (ws) => onConnection(ws));
+    },
+    metrics() {
+      return { devicesOnline: byDeviceId.size, users: byUserId.size };
+    },
+    async close() {
+      if (closed) return;
+      closed = true;
+      stopTimers();
+      for (const state of byConn.values()) {
+        try {
+          state.ws.close(1001, "shutdown");
+        } catch {
+        }
+      }
+      byConn.clear();
+      byDeviceId.clear();
+      byUserId.clear();
+      await new Promise((resolve) => {
+        wss.close(() => resolve());
+      });
+    }
+  };
+}
+function newDeviceId() {
+  return mintDeviceId();
+}
+function newUserId() {
+  return mintUserId();
+}
+
+// src/storage.ts
+import Database from "better-sqlite3";
+
+// ../shared/src/relay/devices.ts
+var DEVICE_ROLES = ["server", "app"];
+var DEVICE_KINDS = [
+  "desktop",
+  "server",
+  "vm",
+  "web",
+  "ios",
+  "android"
+];
+function isDeviceRole(v) {
+  return typeof v === "string" && DEVICE_ROLES.includes(v);
+}
+function isDeviceKind(v) {
+  return typeof v === "string" && DEVICE_KINDS.includes(v);
+}
+
+// ../shared/src/relay/auth.ts
+var AUTH_METHODS = [
+  "github_oauth",
+  "github_token",
+  "pairing",
+  "challenge",
+  "apikey",
+  "open"
+];
+function isAuthMethod(v) {
+  return typeof v === "string" && AUTH_METHODS.includes(v);
+}
+
+// ../shared/src/relay/inner-message.ts
+var PRODUCER_TYPE_LIST = [
+  "user_message",
+  "agent_message",
+  "agent_message_delta",
+  "tool_start",
+  "tool_complete",
+  "permission_request",
+  "permission_resolved",
+  "question_request",
+  "question_resolved",
+  "session_created",
+  "session_ended",
+  "session_deleted",
+  "session_mode_set",
+  "session_model_set",
+  "session_pinned",
+  "session_read",
+  "session_title_updated",
+  "session_list",
+  "session_replay_batch",
+  "session_state_snapshot",
+  "idle",
+  "active",
+  "session_usage_update",
+  "error",
+  "device_greeting",
+  "workspace_list_update",
+  "workspace_created",
+  "workspace_updated",
+  "workspace_deleted",
+  "workspace_check_result",
+  "directory_listing",
+  "claude_sessions_listing",
+  "task_list_update",
+  "task_created",
+  "task_updated",
+  "task_deleted",
+  "agent_availability_update",
+  "available_commands_update",
+  "current_mode_update"
+];
+var CONSUMER_TYPE_LIST = [
+  "send_input",
+  "approve",
+  "deny",
+  "always_allow",
+  "answer",
+  "kill_session",
+  "abort_session",
+  "delete_session",
+  "set_session_mode",
+  "set_session_model",
+  "rename_session",
+  "pin_session",
+  "mark_read",
+  "mark_unread",
+  "request_session_replay",
+  "create_workspace",
+  "check_workspace_path",
+  "list_directory",
+  "list_claude_sessions",
+  "update_workspace",
+  "delete_workspace",
+  "request_workspace_list",
+  "create_task",
+  "update_task",
+  "delete_task",
+  "request_task_list",
+  "reconnect_task_session",
+  "request_agent_recheck"
+];
+var PRODUCER_TYPES = new Set(PRODUCER_TYPE_LIST);
+var CONSUMER_TYPES = new Set(CONSUMER_TYPE_LIST);
+
+// src/storage.ts
+var DEFAULT_PENDING_TTL_MS2 = 30 * 24 * 60 * 60 * 1e3;
+var DEFAULT_PENDING_CAP = 200;
+var SCHEMA_VERSION = 1;
+var MIGRATIONS = [
+  // v1 — initial relay schema.
+  (db) => {
+    db.exec(`
+      CREATE TABLE IF NOT EXISTS users (
+        user_id        TEXT    PRIMARY KEY,
+        login          TEXT    NOT NULL DEFAULT '',
+        provider       TEXT    NOT NULL DEFAULT '',
+        email          TEXT    NOT NULL DEFAULT '',
+        preferences    TEXT    NOT NULL DEFAULT '{}',
+        created_at     INTEGER NOT NULL DEFAULT 0,
+        last_seen      INTEGER NOT NULL DEFAULT 0
+      );
+
+      CREATE TABLE IF NOT EXISTS devices (
+        device_id       TEXT    PRIMARY KEY,
+        user_id         TEXT    NOT NULL DEFAULT '',
+        name            TEXT    NOT NULL DEFAULT '',
+        role            TEXT    NOT NULL DEFAULT '',
+        kind            TEXT    NOT NULL DEFAULT '',
+        public_key      TEXT    NOT NULL DEFAULT '',
+        encryption_key  TEXT    NOT NULL DEFAULT '',
+        last_seen       INTEGER NOT NULL DEFAULT 0,
+        created_at      INTEGER NOT NULL DEFAULT 0
+      );
+      CREATE INDEX IF NOT EXISTS idx_devices_user ON devices(user_id, last_seen);
+
+      CREATE TABLE IF NOT EXISTS pending_messages (
+        id               INTEGER PRIMARY KEY AUTOINCREMENT,
+        target_device_id TEXT    NOT NULL DEFAULT '',
+        user_id          TEXT    NOT NULL DEFAULT '',
+        envelope         TEXT    NOT NULL DEFAULT '',
+        created_at       INTEGER NOT NULL DEFAULT 0,
+        expires_at       INTEGER NOT NULL DEFAULT 0
+      );
+      CREATE INDEX IF NOT EXISTS idx_pending_target
+        ON pending_messages(target_device_id, created_at);
+    `);
+  }
+];
+function applyMigrations(db) {
+  const row = db.pragma("user_version", { simple: true });
+  let current = typeof row === "number" ? row : 0;
+  for (let v = current; v < MIGRATIONS.length; v++) {
+    const migrate = MIGRATIONS[v];
+    const tx = db.transaction(() => {
+      migrate(db);
+      db.pragma(`user_version = ${v + 1}`);
+    });
+    tx();
+    current = v + 1;
+  }
+  if (current !== SCHEMA_VERSION) {
+    throw new Error(
+      `relay storage schema version drift: applied=${current} expected=${SCHEMA_VERSION}`
+    );
+  }
+}
+function openRelayStorage(opts) {
+  const db = new Database(opts.file);
+  db.pragma("journal_mode = WAL");
+  applyMigrations(db);
+  const pendingTtlMs = opts.pendingTtlMs ?? DEFAULT_PENDING_TTL_MS2;
+  const pendingCap = opts.pendingCap ?? DEFAULT_PENDING_CAP;
+  const stUserGet = db.prepare(
+    "SELECT * FROM users WHERE user_id = ?"
+  );
+  const stUserByLogin = db.prepare(
+    "SELECT * FROM users WHERE login = ?"
+  );
+  const stUserInsert = db.prepare(
+    `INSERT INTO users (user_id, login, provider, email, preferences, created_at, last_seen)
+     VALUES (?, ?, ?, ?, '{}', ?, ?)`
+  );
+  const stUserUpdate = db.prepare(
+    `UPDATE users SET login = ?, provider = ?, email = ?, last_seen = ? WHERE user_id = ?`
+  );
+  const stUserPrefs = db.prepare(
+    "UPDATE users SET preferences = ? WHERE user_id = ?"
+  );
+  const stUserTouch = db.prepare(
+    "UPDATE users SET last_seen = ? WHERE user_id = ?"
+  );
+  const stDeviceGet = db.prepare(
+    "SELECT * FROM devices WHERE device_id = ?"
+  );
+  const stDeviceListByUser = db.prepare(
+    "SELECT * FROM devices WHERE user_id = ? ORDER BY last_seen DESC, created_at DESC"
+  );
+  const stDeviceInsert = db.prepare(
+    `INSERT INTO devices
+       (device_id, user_id, name, role, kind, public_key, encryption_key, last_seen, created_at)
+     VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`
+  );
+  const stDeviceUpdate = db.prepare(
+    `UPDATE devices
+       SET name = ?, role = ?, kind = ?, public_key = ?, encryption_key = ?, last_seen = ?
+     WHERE device_id = ?`
+  );
+  const stDeviceTouch = db.prepare(
+    "UPDATE devices SET last_seen = ? WHERE device_id = ?"
+  );
+  const stDeviceDelete = db.prepare("DELETE FROM devices WHERE device_id = ?");
+  const stPendingInsert = db.prepare(
+    `INSERT INTO pending_messages
+       (target_device_id, user_id, envelope, created_at, expires_at)
+     VALUES (?, ?, ?, ?, ?)`
+  );
+  const stPendingGet = db.prepare(
+    "SELECT * FROM pending_messages WHERE id = ?"
+  );
+  const stPendingForDevice = db.prepare(
+    "SELECT * FROM pending_messages WHERE target_device_id = ? ORDER BY created_at ASC, id ASC"
+  );
+  const stPendingDeleteForDevice = db.prepare(
+    "DELETE FROM pending_messages WHERE target_device_id = ?"
+  );
+  const stPendingExpire = db.prepare(
+    "DELETE FROM pending_messages WHERE expires_at > 0 AND expires_at <= ?"
+  );
+  const stPendingCount = db.prepare(
+    "SELECT COUNT(*) AS c FROM pending_messages WHERE target_device_id = ?"
+  );
+  const stPendingOldest = db.prepare(
+    `SELECT id FROM pending_messages
+      WHERE target_device_id = ?
+      ORDER BY created_at ASC, id ASC
+      LIMIT ?`
+  );
+  const stPendingDeleteById = db.prepare(
+    "DELETE FROM pending_messages WHERE id = ?"
+  );
+  function enforceFifoCap(target_device_id) {
+    const row = stPendingCount.get(target_device_id);
+    const count = row?.c ?? 0;
+    if (count <= pendingCap) return 0;
+    const over = count - pendingCap;
+    const victims = stPendingOldest.all(target_device_id, over);
+    let deleted = 0;
+    const tx = db.transaction(() => {
+      for (const v of victims) {
+        const r = stPendingDeleteById.run(v.id);
+        deleted += r.changes;
+      }
+    });
+    tx();
+    return deleted;
+  }
+  return {
+    // users
+    upsertUser({ user_id, login, provider, email }) {
+      const now = Date.now();
+      const existing = stUserGet.get(user_id);
+      if (existing) {
+        stUserUpdate.run(login, provider, email, now, user_id);
+      } else {
+        stUserInsert.run(user_id, login, provider, email, now, now);
+      }
+      const row = stUserGet.get(user_id);
+      if (!row) throw new Error(`upsertUser failed for ${user_id}`);
+      return row;
+    },
+    getUser: (user_id) => stUserGet.get(user_id) ?? null,
+    getUserByLogin: (login) => stUserByLogin.get(login) ?? null,
+    setUserPreferences: (user_id, prefs) => {
+      stUserPrefs.run(JSON.stringify(prefs), user_id);
+    },
+    touchUser: (user_id, now) => {
+      stUserTouch.run(now, user_id);
+    },
+    // devices
+    upsertDevice({
+      device_id,
+      user_id,
+      name,
+      role,
+      kind,
+      public_key,
+      encryption_key
+    }) {
+      if (!isDeviceRole(role)) {
+        throw new Error(`invalid device role: ${String(role)}`);
+      }
+      if (!isDeviceKind(kind)) {
+        throw new Error(`invalid device kind: ${String(kind)}`);
+      }
+      const now = Date.now();
+      const existing = stDeviceGet.get(device_id);
+      if (existing) {
+        stDeviceUpdate.run(
+          name,
+          role,
+          kind,
+          public_key,
+          encryption_key,
+          now,
+          device_id
+        );
+      } else {
+        stDeviceInsert.run(
+          device_id,
+          user_id,
+          name,
+          role,
+          kind,
+          public_key,
+          encryption_key,
+          now,
+          now
+        );
+      }
+      const row = stDeviceGet.get(device_id);
+      if (!row) throw new Error(`upsertDevice failed for ${device_id}`);
+      return row;
+    },
+    getDevice: (device_id) => stDeviceGet.get(device_id) ?? null,
+    listDevicesByUser: (user_id) => stDeviceListByUser.all(user_id),
+    touchDevice: (device_id, now) => {
+      stDeviceTouch.run(now, device_id);
+    },
+    removeDevice: (device_id) => stDeviceDelete.run(device_id).changes > 0,
+    // pending
+    queuePending({ target_device_id, user_id, envelope, now, ttlMs }) {
+      const ttl = ttlMs ?? pendingTtlMs;
+      const expires_at = now + ttl;
+      const info = stPendingInsert.run(
+        target_device_id,
+        user_id,
+        envelope,
+        now,
+        expires_at
+      );
+      enforceFifoCap(target_device_id);
+      const id = Number(info.lastInsertRowid);
+      const row = stPendingGet.get(id);
+      if (!row) {
+        return {
+          id,
+          target_device_id,
+          user_id,
+          envelope,
+          created_at: now,
+          expires_at
+        };
+      }
+      return row;
+    },
+    drainPending(target_device_id) {
+      const tx = db.transaction((tid) => {
+        const rows = stPendingForDevice.all(tid);
+        stPendingDeleteForDevice.run(tid);
+        return rows;
+      });
+      return tx(target_device_id);
+    },
+    expirePending: (now) => stPendingExpire.run(now).changes,
+    enforceFifoCap,
+    countPending: (target_device_id) => stPendingCount.get(target_device_id)?.c ?? 0,
+    close: () => db.close()
+  };
+}
+
+// src/config.ts
+var DEFAULTS = {
+  port: 7900,
+  host: "0.0.0.0",
+  authMethods: ["pairing", "challenge"],
+  logLevel: "info"
+};
+var DEFAULT_DB_FILE = "./boluo-relay.db";
+var VALID_LOG_LEVELS = /* @__PURE__ */ new Set([
+  "debug",
+  "info",
+  "warn",
+  "error"
+]);
+function parseAuthList(raw, onWarn) {
+  const out = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const tok of raw.split(",")) {
+    const t = tok.trim().toLowerCase();
+    if (t === "") continue;
+    if (seen.has(t)) continue;
+    seen.add(t);
+    if (isAuthMethod(t)) {
+      out.push(t);
+    } else {
+      onWarn(
+        `unknown auth method '${t}' (valid: ${AUTH_METHODS.join(",")}) \u2014 ignored`
+      );
+    }
+  }
+  return out;
+}
+function parsePort(raw, onWarn) {
+  if (raw === void 0 || raw === "") return void 0;
+  const n = Number(raw);
+  if (!Number.isFinite(n) || n < 0 || n > 65535 || !Number.isInteger(n)) {
+    onWarn(`invalid port '${raw}' \u2014 ignored`);
+    return void 0;
+  }
+  return n;
+}
+function parseLogLevel(raw, onWarn) {
+  if (raw === void 0 || raw === "") return void 0;
+  const v = raw.toLowerCase();
+  if (VALID_LOG_LEVELS.has(v)) {
+    return v;
+  }
+  onWarn(`invalid log level '${raw}' \u2014 ignored`);
+  return void 0;
+}
+function resolveConfig(input = {}) {
+  const flags = input.flags ?? {};
+  const env = input.env ?? {};
+  const onWarn = input.onWarn ?? (() => {
+  });
+  const port = flags.port ?? parsePort(env.BOLUO_RELAY_PORT, onWarn) ?? DEFAULTS.port;
+  const host = flags.host ?? env.BOLUO_RELAY_HOST ?? DEFAULTS.host;
+  const dbFile = flags.db ?? env.BOLUO_RELAY_DB ?? DEFAULT_DB_FILE;
+  const apiKey = env.BOLUO_API_KEY ?? "";
+  const userExplicitAuth = flags.auth !== void 0 && flags.auth !== "";
+  let authMethods;
+  if (userExplicitAuth) {
+    authMethods = parseAuthList(flags.auth, onWarn);
+    if (authMethods.length === 0) {
+      onWarn("no valid auth methods after --auth parsing; falling back to defaults");
+      authMethods = [...DEFAULTS.authMethods];
+    }
+  } else if (env.BOLUO_RELAY_AUTH !== void 0 && env.BOLUO_RELAY_AUTH !== "") {
+    authMethods = parseAuthList(env.BOLUO_RELAY_AUTH, onWarn);
+    if (authMethods.length === 0) {
+      onWarn("no valid auth methods after BOLUO_RELAY_AUTH parsing; falling back to defaults");
+      authMethods = [...DEFAULTS.authMethods];
+    }
+    if (apiKey !== "" && !authMethods.includes("apikey")) {
+      authMethods.push("apikey");
+    }
+  } else {
+    authMethods = [...DEFAULTS.authMethods];
+    if (apiKey !== "" && !authMethods.includes("apikey")) {
+      authMethods.push("apikey");
+    }
+  }
+  if (!authMethods.includes("challenge")) {
+    onWarn(
+      "auth method 'challenge' is disabled \u2014 clients will not be able to reauth on an existing deviceId"
+    );
+  }
+  const githubClientId = flags.githubClientId ?? env.GITHUB_CLIENT_ID ?? "";
+  const githubClientSecret = flags.githubClientSecret ?? env.GITHUB_CLIENT_SECRET ?? "";
+  const openSharedKey = flags.openSharedKey ?? env.BOLUO_OPEN_SHARED_KEY ?? "";
+  const staticDir = flags.serveWeb ?? env.BOLUO_RELAY_STATIC_DIR ?? "";
+  const logLevel = parseLogLevel(flags.logLevel, onWarn) ?? parseLogLevel(env.BOLUO_LOG_LEVEL, onWarn) ?? DEFAULTS.logLevel;
+  return {
+    port,
+    host,
+    dbFile,
+    authMethods,
+    apiKey,
+    githubClientId,
+    githubClientSecret,
+    openSharedKey,
+    staticDir,
+    logLevel
+  };
+}
+function redactConfig(cfg) {
+  return {
+    ...cfg,
+    apiKey: cfg.apiKey ? "<set>" : "",
+    githubClientSecret: cfg.githubClientSecret ? "<set>" : "",
+    openSharedKey: cfg.openSharedKey ? "<set>" : ""
+  };
+}
+
+// src/cli.ts
+async function startRelay(cfg, deps = {}) {
+  const logger = deps.logger ?? createLogger({ level: cfg.logLevel });
+  const stdout = deps.stdout ?? ((m) => console.log(m));
+  const storage = openRelayStorage({ file: cfg.dbFile });
+  const auth = createAuthRegistry({
+    enabledMethods: cfg.authMethods,
+    apiKey: cfg.apiKey,
+    githubClientId: cfg.githubClientId,
+    githubClientSecret: cfg.githubClientSecret,
+    openSharedKey: cfg.openSharedKey
+  });
+  const relay = createRelayServer({ storage, auth, logger });
+  const app = createHttpApp({
+    metrics: () => relay.metrics(),
+    logger
+  });
+  if (cfg.staticDir !== "") {
+    mountStatic(app, cfg.staticDir, logger);
+  }
+  const { server, port } = await new Promise((resolveListen, rejectListen) => {
+    let settled = false;
+    let raw;
+    try {
+      const s = serve(
+        { fetch: app.fetch, port: cfg.port, hostname: cfg.host },
+        (info) => {
+          if (settled) return;
+          settled = true;
+          resolveListen({
+            server: raw,
+            port: info.port
+          });
+        }
+      );
+      raw = s;
+    } catch (err) {
+      if (!settled) {
+        settled = true;
+        rejectListen(err instanceof Error ? err : new Error(String(err)));
+      }
+    }
+  });
+  relay.attach(server);
+  stdout(
+    `boluo-relay listening on http://${cfg.host}:${port} (ws://${cfg.host}:${port}/ws, health: /health)`
+  );
+  let closing = false;
+  const close = async () => {
+    if (closing) return;
+    closing = true;
+    try {
+      await relay.close();
+    } catch {
+    }
+    if (typeof server.closeAllConnections === "function") {
+      try {
+        server.closeAllConnections();
+      } catch {
+      }
+    }
+    await new Promise((res) => {
+      server.close(() => res());
+    });
+    try {
+      storage.close();
+    } catch {
+    }
+  };
+  return { config: cfg, storage, auth, relay, http: app, server, port, close };
+}
+function mountStatic(app, dir, logger) {
+  const root = resolvePath(dir);
+  if (!existsSync(root) || !statSync(root).isDirectory()) {
+    logger.warn("static dir does not exist; skipping", { dir: root });
+    return;
+  }
+  app.use("*", async (c, next) => {
+    await next();
+    if (c.res.status !== 404) return;
+    const url = new URL(c.req.url);
+    let pathname = decodeURIComponent(url.pathname);
+    if (pathname === "/" || pathname === "") pathname = "/index.html";
+    const candidate = normalize(join(root, pathname));
+    if (!candidate.startsWith(root)) return;
+    if (!existsSync(candidate)) return;
+    const stat = statSync(candidate);
+    if (stat.isDirectory()) {
+      const indexFile = join(candidate, "index.html");
+      if (!existsSync(indexFile)) return;
+      const body2 = readFileSync(indexFile);
+      c.res = new Response(body2, {
+        status: 200,
+        headers: { "content-type": "text/html; charset=utf-8" }
+      });
+      return;
+    }
+    const body = readFileSync(candidate);
+    c.res = new Response(body, {
+      status: 200,
+      headers: { "content-type": contentTypeFor(candidate) }
+    });
+  });
+}
+function contentTypeFor(file) {
+  switch (extname(file).toLowerCase()) {
+    case ".html":
+      return "text/html; charset=utf-8";
+    case ".js":
+    case ".mjs":
+      return "application/javascript; charset=utf-8";
+    case ".css":
+      return "text/css; charset=utf-8";
+    case ".json":
+      return "application/json; charset=utf-8";
+    case ".svg":
+      return "image/svg+xml";
+    case ".png":
+      return "image/png";
+    case ".jpg":
+    case ".jpeg":
+      return "image/jpeg";
+    case ".webp":
+      return "image/webp";
+    case ".ico":
+      return "image/x-icon";
+    case ".txt":
+      return "text/plain; charset=utf-8";
+    default:
+      return "application/octet-stream";
+  }
+}
+function newUserId2() {
+  return mintUserId();
+}
+function defaultBundledWebDir() {
+  try {
+    const dir = fileURLToPath(new URL("../web-dist/", import.meta.url));
+    if (existsSync(dir) && statSync(dir).isDirectory()) return dir;
+  } catch {
+  }
+  return "";
+}
+async function runCli(opts) {
+  const env = opts.env ?? {};
+  const stdout = opts.stdout ?? ((m) => console.log(m));
+  const stderr = opts.stderr ?? ((m) => console.error(m));
+  const startImpl = opts.startImpl ?? startRelay;
+  let exitCode = 0;
+  let handle;
+  const program = new Command();
+  program.name("boluo-relay").description("Boluo encrypted relay server").exitOverride();
+  program.configureOutput({
+    writeOut: (s) => stdout(s.replace(/\n$/, "")),
+    writeErr: (s) => stderr(s.replace(/\n$/, ""))
+  });
+  const startCmd = program.command("start", { isDefault: true }).description("Start the relay server (default)").option("--port <n>", "TCP port", (v) => Number(v)).option("--host <addr>", "bind address").option("--db <path>", "SQLite db file (':memory:' for tests)").option(
+    "--auth <list>",
+    "comma-separated auth methods (e.g. pairing,challenge,apikey)"
+  ).option("--github-client-id <id>", "GitHub OAuth client id").option("--github-client-secret <secret>", "GitHub OAuth client secret").option("--open-shared-key <key>", "shared key for 'open' auth method").option("--serve-web <dir>", "serve static files from this directory").option("--log-level <level>", "debug|info|warn|error").action(async (flagsRaw) => {
+    const flags = {
+      port: typeof flagsRaw.port === "number" ? flagsRaw.port : void 0,
+      host: typeof flagsRaw.host === "string" ? flagsRaw.host : void 0,
+      db: typeof flagsRaw.db === "string" ? flagsRaw.db : void 0,
+      auth: typeof flagsRaw.auth === "string" ? flagsRaw.auth : void 0,
+      githubClientId: typeof flagsRaw.githubClientId === "string" ? flagsRaw.githubClientId : void 0,
+      githubClientSecret: typeof flagsRaw.githubClientSecret === "string" ? flagsRaw.githubClientSecret : void 0,
+      openSharedKey: typeof flagsRaw.openSharedKey === "string" ? flagsRaw.openSharedKey : void 0,
+      serveWeb: typeof flagsRaw.serveWeb === "string" ? flagsRaw.serveWeb : void 0,
+      logLevel: typeof flagsRaw.logLevel === "string" ? flagsRaw.logLevel : void 0
+    };
+    const cfg = resolveConfig({
+      flags,
+      env,
+      onWarn: (m) => stderr(`warn: ${m}`)
+    });
+    const effective = cfg.staticDir === "" ? { ...cfg, staticDir: defaultBundledWebDir() } : cfg;
+    handle = await startImpl(effective, { stdout });
+    if (!opts.exitAfterStart) {
+      await installShutdownHandlers(handle, stdout);
+    }
+  });
+  const admin = program.command("admin").description("Admin subcommands");
+  admin.command("create-user").description("Create a user record").requiredOption("--login <name>", "login (unique handle)").option("--provider <s>", "auth provider (e.g. github, local)", "local").option("--email <s>", "email address", "").action((flagsRaw) => {
+    const cfg = resolveConfig({ env, onWarn: (m) => stderr(`warn: ${m}`) });
+    const storage = openRelayStorage({ file: cfg.dbFile });
+    try {
+      const existing = storage.getUserByLogin(flagsRaw.login);
+      const userId = existing?.user_id ?? newUserId2();
+      const row = storage.upsertUser({
+        user_id: userId,
+        login: flagsRaw.login,
+        provider: flagsRaw.provider,
+        email: flagsRaw.email
+      });
+      stdout(`user_id=${row.user_id} login=${row.login} provider=${row.provider}`);
+    } finally {
+      storage.close();
+    }
+  });
+  admin.command("issue-pairing").description(
+    "Issue a pairing token (NOT supported standalone \u2014 tokens live in relay process memory; use a connected client's create_pairing_token control frame)"
+  ).requiredOption("--user <login>", "user login").action(() => {
+    stderr(
+      "issue-pairing is not supported from the standalone CLI: pairing tokens live in the running relay's memory. Use a connected client to send `create_pairing_token`."
+    );
+    exitCode = 2;
+  });
+  admin.command("list-devices").description("List devices for a user (or all users)").option("--user <login>", "filter by user login").action((flagsRaw) => {
+    const cfg = resolveConfig({ env, onWarn: (m) => stderr(`warn: ${m}`) });
+    const storage = openRelayStorage({ file: cfg.dbFile });
+    try {
+      if (flagsRaw.user) {
+        const u = storage.getUserByLogin(flagsRaw.user);
+        if (!u) {
+          stdout(`no user with login=${flagsRaw.user}`);
+          exitCode = 1;
+          return;
+        }
+        const rows = storage.listDevicesByUser(u.user_id);
+        stdout(`devices for ${u.login} (${u.user_id}): ${rows.length}`);
+        for (const r of rows) {
+          stdout(
+            `  ${r.device_id}  role=${r.role}  kind=${r.kind}  name=${r.name}  last_seen=${r.last_seen}`
+          );
+        }
+      } else {
+        stdout("no --user provided; listing devices per user not supported");
+        exitCode = 1;
+      }
+    } finally {
+      storage.close();
+    }
+  });
+  admin.command("remove-device").description("Remove a device by id").requiredOption("--device-id <id>", "device id").action((flagsRaw) => {
+    const cfg = resolveConfig({ env, onWarn: (m) => stderr(`warn: ${m}`) });
+    const storage = openRelayStorage({ file: cfg.dbFile });
+    try {
+      const removed = storage.removeDevice(flagsRaw.deviceId);
+      if (removed) {
+        stdout(`removed device ${flagsRaw.deviceId}`);
+      } else {
+        stdout(`no rows removed for device_id=${flagsRaw.deviceId}`);
+        exitCode = 1;
+      }
+    } finally {
+      storage.close();
+    }
+  });
+  admin.command("show-config").description("Print resolved config (secrets redacted)").action(() => {
+    const cfg = resolveConfig({ env, onWarn: (m) => stderr(`warn: ${m}`) });
+    stdout(JSON.stringify(redactConfig(cfg), null, 2));
+  });
+  try {
+    await program.parseAsync(opts.argv, { from: "user" });
+  } catch (err) {
+    const errObj = err;
+    if (errObj && typeof errObj.exitCode === "number") {
+      if (errObj.code === "commander.helpDisplayed" || errObj.code === "commander.version") {
+        return { exitCode: 0 };
+      }
+      if (errObj.code === "commander.help") {
+        return { exitCode: 0 };
+      }
+      if (errObj.message) stderr(errObj.message);
+      return { exitCode: errObj.exitCode };
+    }
+    stderr(`error: ${err instanceof Error ? err.message : String(err)}`);
+    return { exitCode: 1 };
+  }
+  if (opts.exitAfterStart && handle !== void 0) {
+    return { exitCode, handle };
+  }
+  return { exitCode };
+}
+async function installShutdownHandlers(handle, stdout) {
+  const onSignal = async (sig) => {
+    stdout(`received ${sig}, shutting down\u2026`);
+    try {
+      await handle.close();
+    } finally {
+      process.exit(0);
+    }
+  };
+  process.once("SIGINT", () => {
+    void onSignal("SIGINT");
+  });
+  process.once("SIGTERM", () => {
+    void onSignal("SIGTERM");
+  });
+  await new Promise(() => {
+  });
+}
+var isDirect = (() => {
+  try {
+    const entry = process.argv[1] ?? "";
+    const url = new URL(`file://${entry}`).href;
+    return import.meta.url === url;
+  } catch {
+    return false;
+  }
+})();
+if (isDirect) {
+  runCli({ argv: process.argv.slice(2), env: process.env }).then(
+    (r) => {
+      if (r.exitCode !== 0) process.exit(r.exitCode);
+    },
+    (err) => {
+      console.error("fatal:", err);
+      process.exit(1);
+    }
+  );
+}
+export {
+  runCli,
+  startRelay
+};