@clawpilot-app/link 0.1.0

package/src/daemon.js

@@ -0,0 +1,1661 @@
+import crypto from "node:crypto";
+import http from "node:http";
+import net from "node:net";
+import os from "node:os";
+import path from "node:path";
+import { spawn } from "node:child_process";
+import { fileURLToPath } from "node:url";
+import WebSocket, { WebSocketServer } from "ws";
+import {
+  clearCredentials,
+  loadConfig,
+  loadCredentials,
+  loadState,
+  logger,
+  normalizeHttpsBaseUrl,
+  normalizeNonEmptyString,
+  parseTimestamp,
+  patchState,
+  runtimePaths,
+  saveCredentials,
+} from "./runtime.js";
+import {
+  buildLocalGatewayRequestHeaders,
+  detectOpenClawBackend,
+  installSkill,
+  writeBackendCache,
+} from "./openclaw.js";
+import { LINK_DIRECT_PORT } from "./network.js";
+import {
+  createAccessToken,
+  ServerApiError,
+  updateLinkStatus,
+} from "./server-api.js";
+import { createTranslator, resolveLanguage } from "./i18n.js";
+import { LINK_VERSION } from "./constants.js";
+
+const ACCESS_TOKEN_REFRESH_THRESHOLD_MS = 60_000;
+const BACKEND_PROBE_INTERVAL_MS = 30_000;
+const RELAY_RECONNECT_BASE_DELAY_MS = 3_000;
+const RELAY_RECONNECT_MAX_DELAY_MS = 60_000;
+const RELAY_PING_INTERVAL_MS = 25_000;
+const RELAY_PONG_TIMEOUT_MS = 20_000;
+const LOCAL_CONNECT_TIMEOUT_MS = 8_000;
+const LOCAL_APP_CONNECT_TIMEOUT_MS = 6_000;
+const GATEWAY_PROTOCOL_VERSION = 3;
+const LOCAL_GATEWAY_ROLE = "operator";
+const LOCAL_GATEWAY_SCOPES = [
+  "operator.read",
+  "operator.write",
+  "operator.admin",
+  "operator.approvals",
+  "operator.pairing",
+];
+const LOCAL_GATEWAY_CAPS = ["tool-events"];
+
+const daemonLogger = logger("daemon");
+
+const LINK_REFRESH_TOKEN_TERMINAL_ERROR_CODES = new Set([
+  "LINK_REFRESH_TOKEN_INVALID",
+  "LINK_REFRESH_TOKEN_REVOKED",
+  "LINK_REFRESH_TOKEN_EXPIRED",
+  "LINK_REVOKED",
+]);
+
+function buildRelayControlUrl(relayBaseUrl) {
+  const parsed = new URL(relayBaseUrl.replace(/\/+$/, ""));
+  parsed.protocol = "wss:";
+  parsed.pathname = "/link/connect";
+  parsed.search = "";
+  parsed.hash = "";
+  return parsed.toString();
+}
+
+function toBase64Url(buffer) {
+  return Buffer.from(buffer)
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/g, "");
+}
+
+function fromBase64Url(value) {
+  const normalized = String(value ?? "").replace(/-/g, "+").replace(/_/g, "/");
+  const remainder = normalized.length % 4;
+  return Buffer.from(normalized + (remainder === 0 ? "" : "=".repeat(4 - remainder)), "base64");
+}
+
+function safeJsonParse(raw) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+
+function buildFrame(type, payload = {}) {
+  return JSON.stringify({
+    v: 1,
+    type,
+    payload,
+  });
+}
+
+function createRequestId(prefix) {
+  return `${prefix}-${Date.now()}-${Math.random().toString(16).slice(2)}`;
+}
+
+function createNonce(byteLength = 16) {
+  return crypto.randomBytes(byteLength)
+    .toString("base64")
+    .replace(/\+/g, "-")
+    .replace(/\//g, "_")
+    .replace(/=+$/g, "");
+}
+
+function sanitizeCloseCode(code, fallback = 1011) {
+  if (typeof code !== "number" || !Number.isInteger(code)) {
+    return fallback;
+  }
+  if (code >= 1000 && code <= 4999) {
+    return code;
+  }
+  return fallback;
+}
+
+function normalizeNodeErrorCode(error) {
+  return error && typeof error === "object" && typeof error.code === "string"
+    ? error.code.trim()
+    : null;
+}
+
+function buildGatewayError(message, code = "gateway_error") {
+  return {
+    code,
+    message: normalizeNonEmptyString(message) ?? "Request failed",
+  };
+}
+
+function isTerminalLinkRefreshTokenError(error) {
+  return (
+    error instanceof ServerApiError &&
+    (error.status === 401 || error.status === 403 || error.status === 410) &&
+    LINK_REFRESH_TOKEN_TERMINAL_ERROR_CODES.has(error.errorCode ?? "")
+  );
+}
+
+function parseGatewayFrame(raw) {
+  const parsed = safeJsonParse(raw);
+  if (!parsed || typeof parsed !== "object") {
+    return null;
+  }
+  return parsed;
+}
+
+function normalizeRequestPath(rawUrl) {
+  if (typeof rawUrl !== "string" || !rawUrl.trim()) {
+    return "/";
+  }
+
+  try {
+    const parsed = new URL(rawUrl, "http://clawpilot-link.local");
+    const pathname = parsed.pathname || "/";
+    const search = parsed.search || "";
+    return `${pathname}${search}` || "/";
+  } catch {
+    return "/";
+  }
+}
+
+function collectIncomingRequestHeaders(headers) {
+  const result = {};
+  for (const [rawName, rawValue] of Object.entries(headers ?? {})) {
+    const name = String(rawName ?? "").trim().toLowerCase();
+    if (!name) {
+      continue;
+    }
+    if (
+      name === "host" ||
+      name === "connection" ||
+      name === "upgrade" ||
+      name === "authorization" ||
+      name === "content-length" ||
+      name === "transfer-encoding"
+    ) {
+      continue;
+    }
+
+    const value = Array.isArray(rawValue) ? rawValue.join(", ") : rawValue;
+    if (typeof value !== "string" || !value.trim()) {
+      continue;
+    }
+    result[name] = value;
+  }
+  return result;
+}
+
+function extractBearerToken(headerValue) {
+  if (typeof headerValue !== "string") {
+    return null;
+  }
+  const match = headerValue.match(/^Bearer\s+(.+)$/i);
+  return normalizeNonEmptyString(match?.[1]);
+}
+
+async function readIncomingRequestBody(request) {
+  const chunks = [];
+  for await (const chunk of request) {
+    if (typeof chunk === "string") {
+      chunks.push(Buffer.from(chunk, "utf8"));
+      continue;
+    }
+    chunks.push(Buffer.from(chunk));
+  }
+  return chunks.length > 0 ? Buffer.concat(chunks) : null;
+}
+
+function collectResponseHeaders(headers) {
+  const result = {};
+  for (const [name, value] of headers.entries()) {
+    if (!name || !value) {
+      continue;
+    }
+    result[name] = value;
+  }
+  return result;
+}
+
+function sanitizeHelloPayload(payload) {
+  if (!payload || typeof payload !== "object") {
+    return {
+      type: "hello-ok",
+    };
+  }
+
+  const nextPayload = {
+    ...payload,
+  };
+  if (payload.auth && typeof payload.auth === "object") {
+    const nextAuth = {
+      ...payload.auth,
+    };
+    delete nextAuth.deviceToken;
+    delete nextAuth.deviceTokens;
+    nextPayload.auth = nextAuth;
+  }
+  return nextPayload;
+}
+
+export async function isDaemonRunning() {
+  try {
+    await sendIpcRequest("status.get", {});
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export function spawnBackgroundDaemon() {
+  const cliPath = fileURLToPath(new URL("./cli.js", import.meta.url));
+  const child = spawn(process.execPath, [cliPath, "daemon"], {
+    detached: true,
+    stdio: "ignore",
+    env: {
+      ...process.env,
+      CLAWLINK_DAEMON: "1",
+    },
+  });
+  child.unref();
+}
+
+export async function waitForDaemonReady(timeoutMs = 5_000) {
+  const startedAt = Date.now();
+  while (Date.now() - startedAt < timeoutMs) {
+    try {
+      await sendIpcRequest("status.get", {}, 500);
+      return true;
+    } catch {
+      await new Promise((resolve) => setTimeout(resolve, 150));
+    }
+  }
+  return false;
+}
+
+export async function sendIpcRequest(method, params = {}, timeoutMs = 4_000) {
+  return await new Promise((resolve, reject) => {
+    const socket = net.createConnection(runtimePaths.socketFile);
+    const requestId = `${Date.now()}-${Math.random().toString(16).slice(2)}`;
+    let settled = false;
+    let buffer = "";
+
+    const finish = (callback, value) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      clearTimeout(timeoutId);
+      socket.destroy();
+      callback(value);
+    };
+
+    const timeoutId = setTimeout(() => {
+      finish(reject, new Error("ipc_timeout"));
+    }, timeoutMs);
+
+    socket.on("connect", () => {
+      socket.write(`${JSON.stringify({ id: requestId, method, params })}\n`);
+    });
+
+    socket.on("data", (chunk) => {
+      buffer += chunk.toString("utf8");
+      let newlineIndex = buffer.indexOf("\n");
+      while (newlineIndex >= 0) {
+        const line = buffer.slice(0, newlineIndex).trim();
+        buffer = buffer.slice(newlineIndex + 1);
+        if (line) {
+          const parsed = safeJsonParse(line);
+          if (parsed?.id === requestId) {
+            if (parsed.ok) {
+              finish(resolve, parsed.result);
+            } else {
+              finish(reject, new Error(parsed.error?.message ?? "ipc_error"));
+            }
+            return;
+          }
+        }
+        newlineIndex = buffer.indexOf("\n");
+      }
+    });
+
+    socket.on("error", (error) => {
+      finish(reject, error);
+    });
+  });
+}
+
+export class LinkDaemon {
+  constructor(config, state, credentials) {
+    this.config = config;
+    this.state = state;
+    this.credentials = credentials;
+    this.language = resolveLanguage(config.language);
+    this.t = createTranslator(this.language);
+    this.server = null;
+    this.localGatewayServer = null;
+    this.localGatewayWsServer = null;
+    this.relaySocket = null;
+    this.relayConnected = false;
+    this.relayConnecting = false;
+    this.backendProbeTimer = null;
+    this.relayPingTimer = null;
+    this.relayPongTimeoutTimer = null;
+    this.relayAwaitingPong = false;
+    this.relayReconnectTimer = null;
+    this.relayReconnectAttempts = 0;
+    this.relayCredentialState = "ready";
+    this.stopped = false;
+    this.gatewaySessions = new Map();
+    this.localAppSockets = new Map();
+  }
+
+  async start() {
+    const relayBaseUrl = normalizeHttpsBaseUrl(this.config.relayBaseUrl);
+    if (!relayBaseUrl) {
+      throw new Error(this.t.t("relayConfigInsecure", {
+        configFile: runtimePaths.configFile,
+      }));
+    }
+    this.config = {
+      ...this.config,
+      relayBaseUrl,
+    };
+
+    await daemonLogger.info("daemon_starting", { pid: process.pid });
+    await patchState({
+      daemon: {
+        pid: process.pid,
+        startedAt: new Date().toISOString(),
+      },
+    });
+
+    await this.refreshBackendState();
+    await installSkill(this.language);
+    await this.openIpcServer();
+    await this.openLocalGatewayServer();
+    this.startBackendProbeLoop();
+    await this.ensureRelayConnection();
+  }
+
+  async stop() {
+    if (this.stopped) {
+      return;
+    }
+    this.stopped = true;
+    clearInterval(this.backendProbeTimer);
+    clearInterval(this.relayPingTimer);
+    clearTimeout(this.relayPongTimeoutTimer);
+    clearTimeout(this.relayReconnectTimer);
+
+    for (const appSocketState of this.localAppSockets.values()) {
+      clearTimeout(appSocketState.authTimer);
+      try {
+        appSocketState.socket.close();
+      } catch {
+        // Ignore close failures.
+      }
+    }
+    this.localAppSockets.clear();
+
+    for (const gatewaySession of this.gatewaySessions.values()) {
+      clearTimeout(gatewaySession.connectTimer);
+      try {
+        gatewaySession.socket.close();
+      } catch {
+        // Ignore local socket close failures.
+      }
+    }
+    this.gatewaySessions.clear();
+
+    if (this.relaySocket) {
+      try {
+        this.relaySocket.close();
+      } catch {
+        // Ignore close failures.
+      }
+      this.relaySocket = null;
+    }
+
+    if (this.server) {
+      await new Promise((resolve) => this.server.close(() => resolve()));
+      this.server = null;
+    }
+
+    if (this.localGatewayWsServer) {
+      await new Promise((resolve) => this.localGatewayWsServer.close(() => resolve()));
+      this.localGatewayWsServer = null;
+    }
+
+    if (this.localGatewayServer) {
+      await new Promise((resolve) => this.localGatewayServer.close(() => resolve()));
+      this.localGatewayServer = null;
+    }
+
+    if (process.platform !== "win32") {
+      try {
+        await import("node:fs/promises").then(({ unlink }) => unlink(runtimePaths.socketFile));
+      } catch {
+        // Ignore stale socket cleanup failures.
+      }
+    }
+
+    const nextStatus = this.credentials.linkId ? "paired" : "new";
+    this.state = await patchState({
+      connectionStatus: nextStatus,
+      daemon: {
+        pid: null,
+      },
+    });
+
+    process.exit(0);
+  }
+
+  startBackendProbeLoop() {
+    this.backendProbeTimer = setInterval(() => {
+      void this.refreshBackendState().then(async () => {
+        await this.openLocalGatewayServer();
+        await this.ensureRelayConnection();
+      });
+    }, BACKEND_PROBE_INTERVAL_MS);
+  }
+
+  async refreshBackendState() {
+    const backend = await detectOpenClawBackend();
+    await writeBackendCache(backend);
+    this.state = await patchState((current) => ({
+      backend,
+      connectionStatus: this.resolveConnectionStatus({
+        relayConnected: this.relayConnected,
+        relayConnecting: this.relayConnecting,
+        backend,
+      }),
+      lastErrorMessage: backend.detected ? backend.message : current.lastErrorMessage,
+    }));
+    await daemonLogger.info("backend_probe", {
+      detected: backend.detected,
+      healthy: backend.healthy,
+      supported: backend.supported,
+      message: backend.message,
+      port: backend.port,
+    });
+  }
+
+  resolveConnectionStatus(params = {}) {
+    const backend = params.backend ?? this.state.backend;
+    if (params.forceRevoked || this.relayCredentialState === "revoked") {
+      return "revoked";
+    }
+    if (!this.credentials.linkId) {
+      return this.state.pairingSession ? "pairing" : "new";
+    }
+    if (!backend.detected) {
+      return "backend_missing";
+    }
+    if (!backend.supported || !backend.healthy) {
+      return "degraded";
+    }
+    if (params.relayConnected || this.relayConnected) {
+      return "connected";
+    }
+    if (params.relayConnecting || this.relayConnecting) {
+      return "connecting";
+    }
+    return "paired";
+  }
+
+  async ensureAccessToken(force = false) {
+    if (this.relayCredentialState === "revoked") {
+      return null;
+    }
+
+    if (!normalizeNonEmptyString(this.credentials.refreshToken)) {
+      return null;
+    }
+
+    const expiresAtMs = parseTimestamp(this.credentials.accessTokenExpiresAt);
+    if (!force && normalizeNonEmptyString(this.credentials.accessToken) && expiresAtMs - Date.now() > ACCESS_TOKEN_REFRESH_THRESHOLD_MS) {
+      return this.credentials.accessToken;
+    }
+
+    try {
+      const response = await createAccessToken({
+        apiBaseUrl: this.config.apiBaseUrl,
+        refreshToken: this.credentials.refreshToken,
+      });
+      this.relayCredentialState = "ready";
+      this.credentials = {
+        ...this.credentials,
+        linkId: response.link?.linkId ?? this.credentials.linkId,
+        accessToken: response.accessToken?.token ?? null,
+        accessTokenExpiresAt: response.accessToken?.expiresAt ?? null,
+      };
+      await saveCredentials(this.credentials);
+      this.state = await patchState({
+        linkId: this.credentials.linkId,
+      });
+      return this.credentials.accessToken;
+    } catch (error) {
+      if (isTerminalLinkRefreshTokenError(error)) {
+        const terminalMessage =
+          error.errorCode === "LINK_REVOKED"
+            ? this.t.t("linkRevoked")
+            : this.t.t("linkCredentialsExpired");
+        await this.handleRevokedCredentials(terminalMessage, error);
+      }
+      throw error;
+    }
+  }
+
+  async handleRevokedCredentials(message, error = null) {
+    this.relayCredentialState = "revoked";
+    clearInterval(this.relayPingTimer);
+    this.relayPingTimer = null;
+    clearTimeout(this.relayPongTimeoutTimer);
+    this.relayPongTimeoutTimer = null;
+    this.relayAwaitingPong = false;
+    clearTimeout(this.relayReconnectTimer);
+    this.relayReconnectTimer = null;
+    this.relayConnected = false;
+    this.relayConnecting = false;
+    this.relayReconnectAttempts = 0;
+
+    if (this.relaySocket) {
+      try {
+        this.relaySocket.close();
+      } catch {
+        // Ignore close failures.
+      }
+      this.relaySocket = null;
+    }
+
+    await this.closeGatewaySessionsByRouteKind("relay", "Relay credentials revoked");
+
+    this.credentials = {
+      ...this.credentials,
+      accessToken: null,
+      accessTokenExpiresAt: null,
+      refreshToken: null,
+      refreshTokenExpiresAt: null,
+    };
+    await saveCredentials(this.credentials);
+    this.state = await patchState({
+      connectionStatus: "revoked",
+      lastErrorMessage: message,
+      daemon: {
+        connectedAt: null,
+      },
+    });
+    await daemonLogger.warn("relay_credentials_revoked", {
+      errorCode: error instanceof ServerApiError ? error.errorCode ?? null : null,
+      message,
+    });
+  }
+
+  async reportStatus(connectionStatus, lastErrorMessage = null) {
+    const now = new Date().toISOString();
+    this.state = await patchState((current) => ({
+      connectionStatus,
+      lastErrorMessage,
+      daemon: {
+        connectedAt: connectionStatus === "connected" ? now : current.daemon.connectedAt,
+        lastHeartbeatAt: now,
+      },
+    }));
+
+    if (this.relayCredentialState === "revoked") {
+      return;
+    }
+
+    try {
+      const accessToken = await this.ensureAccessToken();
+      if (!normalizeNonEmptyString(accessToken)) {
+        return;
+      }
+      await updateLinkStatus({
+        apiBaseUrl: this.config.apiBaseUrl,
+        accessToken,
+        connectionStatus,
+        backendUrl: this.state.backend.httpBaseUrl,
+        lastErrorMessage,
+      });
+    } catch (error) {
+      await daemonLogger.warn("status_report_failed", {
+        message: error instanceof Error ? error.message : String(error),
+      });
+    }
+  }
+
+  async ensureRelayConnection(forceReconnect = false) {
+    if (this.stopped || !this.credentials.linkId || this.relayCredentialState === "revoked") {
+      return;
+    }
+
+    const backend = this.state.backend;
+    if (!backend.supported || !backend.wsEndpoint || !backend.httpBaseUrl) {
+      if (this.relaySocket) {
+        try {
+          this.relaySocket.close();
+        } catch {
+          // Ignore close failures.
+        }
+      }
+      return;
+    }
+
+    if (this.relaySocket && this.relaySocket.readyState === WebSocket.OPEN && !forceReconnect) {
+      return;
+    }
+
+    if (this.relayConnecting && !forceReconnect) {
+      return;
+    }
+
+    if (forceReconnect && this.relaySocket) {
+      try {
+        this.relaySocket.close();
+      } catch {
+        // Ignore close failures.
+      }
+      this.relaySocket = null;
+    }
+
+    clearTimeout(this.relayReconnectTimer);
+    this.relayReconnectTimer = null;
+    this.relayConnecting = true;
+    await this.reportStatus("connecting", null);
+
+    let accessToken;
+    try {
+      accessToken = await this.ensureAccessToken(forceReconnect);
+    } catch (error) {
+      this.relayConnecting = false;
+      if (this.relayCredentialState === "revoked") {
+        return;
+      }
+      await this.reportStatus("degraded", error instanceof Error ? error.message : String(error));
+      this.scheduleRelayReconnect();
+      return;
+    }
+
+    if (!normalizeNonEmptyString(accessToken)) {
+      this.relayConnecting = false;
+      if (this.relayCredentialState !== "revoked") {
+        await this.reportStatus("degraded", this.t.t("linkCredentialsMissing"));
+        this.scheduleRelayReconnect();
+      }
+      return;
+    }
+
+    const relayUrl = buildRelayControlUrl(this.config.relayBaseUrl);
+    const relaySocket = new WebSocket(relayUrl, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    });
+    this.relaySocket = relaySocket;
+
+    relaySocket.on("open", () => {
+      if (this.relaySocket !== relaySocket || this.stopped) {
+        return;
+      }
+      this.relayConnecting = false;
+      relaySocket.send(buildFrame("hello", {
+        linkId: this.credentials.linkId,
+        installId: this.config.installId,
+        hostname: os.hostname(),
+        platform: process.platform,
+        version: LINK_VERSION,
+        capabilities: {
+          gatewayWs: true,
+          gatewayHttp: true,
+          skill: true,
+        },
+      }));
+      this.relayAwaitingPong = false;
+      this.startRelayPingLoop();
+      void daemonLogger.info("relay_connected", {
+        relayUrl,
+      });
+    });
+
+    relaySocket.on("message", (rawData) => {
+      if (this.relaySocket !== relaySocket || this.stopped) {
+        return;
+      }
+      const raw = typeof rawData === "string" ? rawData : rawData.toString("utf8");
+      void this.handleRelayMessage(raw);
+    });
+
+    relaySocket.on("pong", () => {
+      if (this.relaySocket !== relaySocket || this.stopped) {
+        return;
+      }
+      this.relayAwaitingPong = false;
+      clearTimeout(this.relayPongTimeoutTimer);
+      this.relayPongTimeoutTimer = null;
+    });
+
+    relaySocket.on("close", () => {
+      if (this.relaySocket !== relaySocket && this.relaySocket !== null) {
+        return;
+      }
+      void this.handleRelayDisconnect("Relay connection closed");
+    });
+
+    relaySocket.on("error", (error) => {
+      if (this.relaySocket !== relaySocket || this.stopped) {
+        return;
+      }
+      void daemonLogger.warn("relay_socket_error", {
+        message: error instanceof Error ? error.message : String(error),
+      });
+    });
+  }
+
+  startRelayPingLoop() {
+    clearInterval(this.relayPingTimer);
+    this.relayPingTimer = setInterval(() => {
+      if (!this.relaySocket || this.relaySocket.readyState !== WebSocket.OPEN) {
+        return;
+      }
+      if (this.relayAwaitingPong) {
+        try {
+          this.relaySocket.terminate();
+        } catch {
+          // Ignore terminate failures.
+        }
+        return;
+      }
+
+      this.relayAwaitingPong = true;
+      clearTimeout(this.relayPongTimeoutTimer);
+      this.relayPongTimeoutTimer = setTimeout(() => {
+        if (!this.relaySocket || this.relaySocket.readyState !== WebSocket.OPEN) {
+          return;
+        }
+        try {
+          this.relaySocket.terminate();
+        } catch {
+          // Ignore terminate failures.
+        }
+      }, RELAY_PONG_TIMEOUT_MS);
+
+      try {
+        this.relaySocket.ping();
+      } catch {
+        try {
+          this.relaySocket.terminate();
+        } catch {
+          // Ignore terminate failures.
+        }
+      }
+    }, RELAY_PING_INTERVAL_MS);
+  }
+
+  scheduleRelayReconnect() {
+    if (this.relayReconnectTimer || this.stopped || this.relayCredentialState === "revoked") {
+      return;
+    }
+    const attempt = this.relayReconnectAttempts;
+    const baseDelayMs = Math.min(
+      RELAY_RECONNECT_BASE_DELAY_MS * 2 ** attempt,
+      RELAY_RECONNECT_MAX_DELAY_MS,
+    );
+    const jitterMs = Math.floor(baseDelayMs * 0.2 * Math.random());
+    const delayMs = baseDelayMs + jitterMs;
+    this.relayReconnectAttempts = Math.min(attempt + 1, 12);
+    this.relayReconnectTimer = setTimeout(() => {
+      this.relayReconnectTimer = null;
+      void this.ensureRelayConnection();
+    }, delayMs);
+  }
+
+  async handleRelayDisconnect(message) {
+    clearInterval(this.relayPingTimer);
+    this.relayPingTimer = null;
+    clearTimeout(this.relayPongTimeoutTimer);
+    this.relayPongTimeoutTimer = null;
+    this.relayAwaitingPong = false;
+    const previousSocket = this.relaySocket;
+    this.relaySocket = null;
+    this.relayConnected = false;
+    this.relayConnecting = false;
+    await this.closeGatewaySessionsByRouteKind("relay", "Relay connection lost");
+
+    if (this.relayCredentialState === "revoked") {
+      return;
+    }
+
+    await this.reportStatus(
+      this.resolveConnectionStatus({ relayConnected: false, relayConnecting: false }),
+      message,
+    );
+    if (previousSocket || this.credentials.linkId) {
+      this.scheduleRelayReconnect();
+    }
+  }
+
+  async handleRelayMessage(raw) {
+    const frame = safeJsonParse(raw);
+    if (!frame || typeof frame.type !== "string") {
+      return;
+    }
+
+    const payload = frame.payload && typeof frame.payload === "object" ? frame.payload : {};
+    switch (frame.type) {
+      case "auth.ok":
+        this.relayConnected = true;
+        this.relayReconnectAttempts = 0;
+        await this.reportStatus("connected", null);
+        return;
+      case "ping":
+        this.sendRelayFrame("pong", { ts: Date.now() });
+        return;
+      case "pong":
+        return;
+      case "app.ws.connect":
+        await this.openGatewaySession(
+          normalizeNonEmptyString(payload.appConnId),
+          this.buildRelayGatewaySessionHandlers(normalizeNonEmptyString(payload.appConnId)),
+          {
+            routeKind: "relay",
+          },
+        );
+        return;
+      case "app.ws.message":
+        await this.forwardRelayAppWsMessage(payload);
+        return;
+      case "app.ws.close":
+        await this.closeGatewaySession(normalizeNonEmptyString(payload.appConnId));
+        return;
+      case "http.request":
+        await this.handleRelayHttpRequest(payload);
+        return;
+      default:
+        return;
+    }
+  }
+
+  sendRelayFrame(type, payload = {}) {
+    if (!this.relaySocket || this.relaySocket.readyState !== WebSocket.OPEN) {
+      return;
+    }
+    this.relaySocket.send(buildFrame(type, payload));
+  }
+
+  buildRelayGatewaySessionHandlers(appConnId) {
+    if (!appConnId) {
+      return null;
+    }
+
+    return {
+      onConnected: (hello) => {
+        this.sendRelayFrame("app.ws.connected", {
+          appConnId,
+          hello,
+        });
+      },
+      onMessage: (raw) => {
+        this.sendRelayFrame("app.ws.message", {
+          appConnId,
+          data: raw,
+        });
+      },
+      onConnectError: (error) => {
+        this.sendRelayFrame("app.ws.connect_error", {
+          appConnId,
+          error,
+        });
+      },
+      onClose: ({ code, reason }) => {
+        this.sendRelayFrame("app.ws.close", {
+          appConnId,
+          code,
+          reason,
+        });
+      },
+    };
+  }
+
+  async openGatewaySession(sessionId, handlers, options = {}) {
+    if (!sessionId || !handlers || this.gatewaySessions.has(sessionId) || !this.state.backend.wsEndpoint) {
+      return;
+    }
+
+    const backend = this.state.backend;
+    const socket = new WebSocket(backend.wsEndpoint);
+    const gatewaySession = {
+      socket,
+      queue: [],
+      ready: false,
+      connectRequestId: null,
+      connectSent: false,
+      connectFailed: false,
+      suppressCloseFrame: false,
+      connectTimer: setTimeout(() => {
+        if (
+          gatewaySession.ready ||
+          gatewaySession.connectFailed ||
+          gatewaySession.suppressCloseFrame
+        ) {
+          return;
+        }
+        gatewaySession.connectFailed = true;
+        handlers.onConnectError(buildGatewayError("Local OpenClaw connect timed out"));
+        void this.closeGatewaySession(sessionId);
+      }, LOCAL_CONNECT_TIMEOUT_MS),
+      handlers,
+      routeKind: options.routeKind === "lan" ? "lan" : "relay",
+    };
+    this.gatewaySessions.set(sessionId, gatewaySession);
+
+    socket.on("message", (rawData) => {
+      const raw = typeof rawData === "string" ? rawData : rawData.toString("utf8");
+      void this.handleGatewaySessionBackendMessage(sessionId, raw);
+    });
+
+    socket.on("close", (code, reason) => {
+      clearTimeout(gatewaySession.connectTimer);
+      this.gatewaySessions.delete(sessionId);
+      if (gatewaySession.suppressCloseFrame) {
+        return;
+      }
+      if (!gatewaySession.ready) {
+        if (gatewaySession.connectFailed) {
+          return;
+        }
+        handlers.onConnectError(
+          buildGatewayError(
+            typeof reason === "string"
+              ? reason
+              : reason?.toString("utf8") ?? "Local OpenClaw socket closed",
+          ),
+        );
+        return;
+      }
+      handlers.onClose({
+        code: sanitizeCloseCode(code, 1000),
+        reason:
+          typeof reason === "string"
+            ? reason
+            : reason?.toString("utf8") ?? "Local socket closed",
+      });
+    });
+
+    socket.on("error", (error) => {
+      void daemonLogger.warn("local_socket_error", {
+        sessionId,
+        message: error instanceof Error ? error.message : String(error),
+      });
+    });
+  }
+
+  async closeGatewaySession(sessionId) {
+    if (!sessionId) {
+      return;
+    }
+    const gatewaySession = this.gatewaySessions.get(sessionId);
+    if (!gatewaySession) {
+      return;
+    }
+    this.gatewaySessions.delete(sessionId);
+    clearTimeout(gatewaySession.connectTimer);
+    gatewaySession.suppressCloseFrame = true;
+    try {
+      gatewaySession.socket.close();
+    } catch {
+      // Ignore close failures.
+    }
+  }
+
+  async closeGatewaySessionsByRouteKind(routeKind, reason = "Connection closed") {
+    const matchingSessionIds = [];
+    for (const [sessionId, gatewaySession] of this.gatewaySessions.entries()) {
+      if (gatewaySession.routeKind === routeKind) {
+        matchingSessionIds.push(sessionId);
+      }
+    }
+
+    for (const sessionId of matchingSessionIds) {
+      const gatewaySession = this.gatewaySessions.get(sessionId);
+      if (!gatewaySession) {
+        continue;
+      }
+      this.gatewaySessions.delete(sessionId);
+      clearTimeout(gatewaySession.connectTimer);
+      gatewaySession.suppressCloseFrame = true;
+      try {
+        gatewaySession.socket.close(1001, reason.slice(0, 120));
+      } catch {
+        // Ignore close failures.
+      }
+    }
+  }
+
+  buildLocalConnectFrame(connectRequestId) {
+    const auth =
+      this.state.backend.authType === "password"
+        ? { password: this.state.backend.secret }
+        : { token: this.state.backend.secret };
+
+    return JSON.stringify({
+      type: "req",
+      id: connectRequestId,
+      method: "connect",
+      params: {
+        minProtocol: GATEWAY_PROTOCOL_VERSION,
+        maxProtocol: GATEWAY_PROTOCOL_VERSION,
+        client: {
+          id: "clawpilot-link",
+          displayName: this.config.displayName || "ClawPilot Link",
+          version: LINK_VERSION,
+          platform: process.platform,
+          mode: "backend",
+          instanceId: this.config.installId,
+        },
+        caps: [...LOCAL_GATEWAY_CAPS],
+        role: LOCAL_GATEWAY_ROLE,
+        scopes: [...LOCAL_GATEWAY_SCOPES],
+        auth,
+      },
+    });
+  }
+
+  async handleGatewaySessionBackendMessage(sessionId, raw) {
+    const gatewaySession = this.gatewaySessions.get(sessionId);
+    if (!gatewaySession || !raw) {
+      return;
+    }
+
+    const parsed = parseGatewayFrame(raw);
+    if (!gatewaySession.ready) {
+      if (
+        parsed &&
+        parsed.type === "event" &&
+        parsed.event === "connect.challenge" &&
+        !gatewaySession.connectSent
+      ) {
+        gatewaySession.connectSent = true;
+        gatewaySession.connectRequestId = createRequestId("link-connect");
+        gatewaySession.socket.send(
+          this.buildLocalConnectFrame(gatewaySession.connectRequestId),
+        );
+        return;
+      }
+
+      if (
+        parsed &&
+        parsed.type === "res" &&
+        typeof parsed.id === "string" &&
+        parsed.id === gatewaySession.connectRequestId
+      ) {
+        if (parsed.ok) {
+          clearTimeout(gatewaySession.connectTimer);
+          gatewaySession.ready = true;
+          gatewaySession.handlers.onConnected(sanitizeHelloPayload(parsed.payload));
+          const pendingMessages = [...gatewaySession.queue];
+          gatewaySession.queue.length = 0;
+          for (const pendingRaw of pendingMessages) {
+            gatewaySession.socket.send(pendingRaw);
+          }
+          return;
+        }
+
+        clearTimeout(gatewaySession.connectTimer);
+        gatewaySession.connectFailed = true;
+        gatewaySession.handlers.onConnectError(
+          parsed.error && typeof parsed.error === "object"
+            ? parsed.error
+            : buildGatewayError("Local OpenClaw connect failed"),
+        );
+        await this.closeGatewaySession(sessionId);
+        return;
+      }
+
+      return;
+    }
+
+    gatewaySession.handlers.onMessage(raw);
+  }
+
+  async sendGatewaySessionMessage(sessionId, raw) {
+    if (!sessionId || !raw) {
+      return;
+    }
+
+    const gatewaySession = this.gatewaySessions.get(sessionId);
+    if (!gatewaySession) {
+      return;
+    }
+
+    if (gatewaySession.ready && gatewaySession.socket.readyState === WebSocket.OPEN) {
+      gatewaySession.socket.send(raw);
+      return;
+    }
+
+    gatewaySession.queue.push(raw);
+  }
+
+  async forwardRelayAppWsMessage(payload) {
+    const appConnId = normalizeNonEmptyString(payload.appConnId);
+    const raw = typeof payload.data === "string" ? payload.data : null;
+    if (!appConnId || !raw) {
+      return;
+    }
+
+    if (!this.gatewaySessions.has(appConnId)) {
+      await this.openGatewaySession(
+        appConnId,
+        this.buildRelayGatewaySessionHandlers(appConnId),
+        {
+          routeKind: "relay",
+        },
+      );
+    }
+
+    await this.sendGatewaySessionMessage(appConnId, raw);
+  }
+
+  async proxyBackendHttpRequest(params) {
+    if (!this.state.backend.supported || !this.state.backend.httpBaseUrl) {
+      throw new Error(
+        this.state.backend.message ?? "Current OpenClaw setup is not supported yet.",
+      );
+    }
+
+    const requestUrl = `${this.state.backend.httpBaseUrl}${params.requestPath}`;
+    const requestHeaders = {
+      ...(params.headers ?? {}),
+      ...buildLocalGatewayRequestHeaders(this.state.backend),
+    };
+
+    return await fetch(requestUrl, {
+      method: normalizeNonEmptyString(params.method) ?? "GET",
+      headers: requestHeaders,
+      body: params.body ?? undefined,
+    });
+  }
+
+  async handleRelayHttpRequest(payload) {
+    const requestId = normalizeNonEmptyString(payload.requestId);
+    const requestPath = normalizeNonEmptyString(payload.path);
+    if (!requestId || !requestPath || !this.state.backend.httpBaseUrl) {
+      return;
+    }
+
+    try {
+      const response = await this.proxyBackendHttpRequest({
+        method: payload.method,
+        requestPath,
+        headers:
+          payload.headers && typeof payload.headers === "object" ? payload.headers : {},
+        body: payload.body ? fromBase64Url(payload.body) : undefined,
+      });
+
+      this.sendRelayFrame("http.response.start", {
+        requestId,
+        status: response.status,
+        headers: collectResponseHeaders(response.headers),
+      });
+
+      if (response.body) {
+        const reader = response.body.getReader();
+        while (true) {
+          const { value, done } = await reader.read();
+          if (done) {
+            break;
+          }
+          if (value && value.byteLength > 0) {
+            this.sendRelayFrame("http.response.chunk", {
+              requestId,
+              chunk: toBase64Url(value),
+            });
+          }
+        }
+      }
+
+      this.sendRelayFrame("http.response.end", {
+        requestId,
+      });
+    } catch (error) {
+      this.sendRelayFrame("http.response.error", {
+        requestId,
+        message: error instanceof Error ? error.message : String(error),
+      });
+    }
+  }
+
+  isLocalDirectAccessKeyValid(token) {
+    const expected = normalizeNonEmptyString(this.config.directAccessKey);
+    const actual = normalizeNonEmptyString(token);
+    return Boolean(expected && actual && expected === actual);
+  }
+
+  describeDirectAccessListenFailure(error) {
+    const code = normalizeNodeErrorCode(error);
+    if (code === "EADDRINUSE") {
+      return {
+        reason: "port_in_use",
+        message: this.t.t("localAccessPortInUse", {
+          port: LINK_DIRECT_PORT,
+        }),
+      };
+    }
+    if (code === "EACCES" || code === "EPERM") {
+      return {
+        reason: "permission_denied",
+        message: this.t.t("localAccessPermissionDenied", {
+          port: LINK_DIRECT_PORT,
+        }),
+      };
+    }
+    return {
+      reason: "listen_failed",
+      message: error instanceof Error ? error.message : this.t.t("localAccessUnavailable"),
+    };
+  }
+
+  async openLocalGatewayServer() {
+    if (this.localGatewayServer) {
+      return;
+    }
+
+    const wsServer = new WebSocketServer({ noServer: true });
+    wsServer.on("connection", (socket) => {
+      const sessionId = createRequestId("lan");
+      const appSocketState = {
+        socket,
+        sessionId,
+        authenticated: false,
+        connectRequestId: null,
+        authTimer: setTimeout(() => {
+          if (appSocketState.authenticated) {
+            return;
+          }
+          try {
+            socket.close(1008, "Link connect timed out");
+          } catch {
+            // Ignore close failures.
+          }
+        }, LOCAL_APP_CONNECT_TIMEOUT_MS),
+      };
+      this.localAppSockets.set(sessionId, appSocketState);
+
+      socket.on("message", (rawData) => {
+        void this.handleLocalGatewayWebSocketMessage(sessionId, rawData);
+      });
+
+      socket.on("close", () => {
+        clearTimeout(appSocketState.authTimer);
+        this.localAppSockets.delete(sessionId);
+        void this.closeGatewaySession(sessionId);
+      });
+
+      socket.on("error", (error) => {
+        void daemonLogger.warn("local_app_socket_error", {
+          sessionId,
+          message: error instanceof Error ? error.message : String(error),
+        });
+      });
+
+      socket.send(JSON.stringify({
+        type: "event",
+        event: "connect.challenge",
+        payload: {
+          nonce: createNonce(),
+        },
+      }));
+    });
+
+    const server = http.createServer((request, response) => {
+      void this.handleLocalGatewayHttpRequest(request, response);
+    });
+
+    server.on("upgrade", (request, socket, head) => {
+      const requestPath = normalizeRequestPath(request.url);
+      if (requestPath !== "/" && requestPath !== "/ws") {
+        socket.destroy();
+        return;
+      }
+
+      wsServer.handleUpgrade(request, socket, head, (upgradedSocket) => {
+        wsServer.emit("connection", upgradedSocket, request);
+      });
+    });
+
+    try {
+      await new Promise((resolve, reject) => {
+        server.once("error", reject);
+        server.listen(LINK_DIRECT_PORT, "0.0.0.0", () => {
+          server.off("error", reject);
+          resolve();
+        });
+      });
+      this.localGatewayServer = server;
+      this.localGatewayWsServer = wsServer;
+      this.state = await patchState({
+        directAccess: {
+          status: "listening",
+          port: LINK_DIRECT_PORT,
+          reason: null,
+          message: this.t.t("localAccessReadyOnPort", {
+            port: LINK_DIRECT_PORT,
+          }),
+          checkedAt: new Date().toISOString(),
+        },
+      });
+      await daemonLogger.info("local_gateway_server_listening", {
+        port: LINK_DIRECT_PORT,
+      });
+    } catch (error) {
+      this.localGatewayServer = null;
+      this.localGatewayWsServer = null;
+      wsServer.close();
+      server.close();
+      const directAccessFailure = this.describeDirectAccessListenFailure(error);
+      const shouldReportUnavailableState =
+        this.state.directAccess?.status !== "unavailable" ||
+        this.state.directAccess?.reason !== directAccessFailure.reason;
+      if (shouldReportUnavailableState) {
+        this.state = await patchState({
+          directAccess: {
+            status: "unavailable",
+            port: LINK_DIRECT_PORT,
+            reason: directAccessFailure.reason,
+            message: directAccessFailure.message,
+            checkedAt: new Date().toISOString(),
+          },
+        });
+        await daemonLogger.warn("local_gateway_server_unavailable", {
+          port: LINK_DIRECT_PORT,
+          reason: directAccessFailure.reason,
+          message: error instanceof Error ? error.message : String(error),
+        });
+      }
+    }
+  }
+
+  writeLocalGatewayJson(response, statusCode, payload) {
+    const body = Buffer.from(`${JSON.stringify(payload)}\n`, "utf8");
+    response.writeHead(statusCode, {
+      "content-type": "application/json; charset=utf-8",
+      "content-length": String(body.byteLength),
+      "cache-control": "no-store",
+    });
+    response.end(body);
+  }
+
+  async handleLocalGatewayHttpRequest(request, response) {
+    const requestPath = normalizeRequestPath(request.url);
+    const bearerToken = extractBearerToken(request.headers.authorization);
+
+    if (!this.isLocalDirectAccessKeyValid(bearerToken)) {
+      this.writeLocalGatewayJson(response, 401, {
+        error: {
+          message: "Scan the ClawPilot Link QR code again to refresh local access.",
+        },
+      });
+      return;
+    }
+
+    if (requestPath === "/healthz") {
+      const statusCode = this.state.backend.supported ? 200 : 503;
+      this.writeLocalGatewayJson(response, statusCode, {
+        ok: this.state.backend.supported,
+        connectionStatus: this.state.connectionStatus,
+        linkId: this.credentials.linkId,
+        backend: {
+          detected: this.state.backend.detected,
+          supported: this.state.backend.supported,
+          message: this.state.backend.message,
+        },
+      });
+      return;
+    }
+
+    try {
+      const body = await readIncomingRequestBody(request);
+      const proxyResponse = await this.proxyBackendHttpRequest({
+        method: request.method,
+        requestPath,
+        headers: collectIncomingRequestHeaders(request.headers),
+        body,
+      });
+
+      response.writeHead(proxyResponse.status, collectResponseHeaders(proxyResponse.headers));
+      if (!proxyResponse.body) {
+        response.end();
+        return;
+      }
+
+      const reader = proxyResponse.body.getReader();
+      while (true) {
+        const { value, done } = await reader.read();
+        if (done) {
+          break;
+        }
+        if (value && value.byteLength > 0) {
+          response.write(Buffer.from(value));
+        }
+      }
+      response.end();
+    } catch (error) {
+      this.writeLocalGatewayJson(response, 502, {
+        error: {
+          message: error instanceof Error ? error.message : String(error),
+        },
+      });
+    }
+  }
+
+  async handleLocalGatewayWebSocketMessage(sessionId, rawData) {
+    const appSocketState = this.localAppSockets.get(sessionId);
+    if (!appSocketState) {
+      return;
+    }
+
+    const raw = typeof rawData === "string" ? rawData : rawData.toString("utf8");
+    if (!raw) {
+      return;
+    }
+
+    if (!appSocketState.authenticated) {
+      const parsed = parseGatewayFrame(raw);
+      if (
+        !parsed ||
+        parsed.type !== "req" ||
+        parsed.method !== "connect" ||
+        typeof parsed.id !== "string"
+      ) {
+        try {
+          appSocketState.socket.close(1008, "Link connect is required first");
+        } catch {
+          // Ignore close failures.
+        }
+        return;
+      }
+
+      appSocketState.connectRequestId = parsed.id;
+      const token = normalizeNonEmptyString(parsed.params?.auth?.token);
+      if (!this.isLocalDirectAccessKeyValid(token)) {
+        appSocketState.socket.send(JSON.stringify({
+          type: "res",
+          id: parsed.id,
+          ok: false,
+          error: buildGatewayError(
+            "This local Link code is no longer valid. Scan the QR code again.",
+            "unauthorized",
+          ),
+        }));
+        try {
+          appSocketState.socket.close(1008, "Local Link auth failed");
+        } catch {
+          // Ignore close failures.
+        }
+        return;
+      }
+
+      if (!this.state.backend.supported) {
+        appSocketState.socket.send(JSON.stringify({
+          type: "res",
+          id: parsed.id,
+          ok: false,
+          error: buildGatewayError(
+            this.state.backend.message ?? "OpenClaw is not available on this computer.",
+          ),
+        }));
+        try {
+          appSocketState.socket.close(1011, "OpenClaw unavailable");
+        } catch {
+          // Ignore close failures.
+        }
+        return;
+      }
+
+      await this.openGatewaySession(
+        sessionId,
+        {
+          onConnected: (hello) => {
+            appSocketState.authenticated = true;
+            clearTimeout(appSocketState.authTimer);
+            appSocketState.socket.send(JSON.stringify({
+              type: "res",
+              id: parsed.id,
+              ok: true,
+              payload: hello,
+            }));
+          },
+          onMessage: (message) => {
+            appSocketState.socket.send(message);
+          },
+          onConnectError: (error) => {
+            appSocketState.socket.send(JSON.stringify({
+              type: "res",
+              id: parsed.id,
+              ok: false,
+              error,
+            }));
+            try {
+              appSocketState.socket.close(1011, normalizeNonEmptyString(error?.message) ?? "Connect failed");
+            } catch {
+              // Ignore close failures.
+            }
+          },
+          onClose: ({ code, reason }) => {
+            try {
+              appSocketState.socket.close(sanitizeCloseCode(code), reason || "Gateway closed");
+            } catch {
+              // Ignore close failures.
+            }
+          },
+        },
+        {
+          routeKind: "lan",
+        },
+      );
+      return;
+    }
+
+    await this.sendGatewaySessionMessage(sessionId, raw);
+  }
+
+  async openIpcServer() {
+    if (process.platform !== "win32") {
+      try {
+        await import("node:fs/promises").then(({ unlink }) => unlink(runtimePaths.socketFile));
+      } catch {
+        // Ignore stale socket cleanup failures.
+      }
+    }
+
+    this.server = net.createServer((socket) => {
+      let buffer = "";
+      socket.on("data", (chunk) => {
+        buffer += chunk.toString("utf8");
+        let newlineIndex = buffer.indexOf("\n");
+        while (newlineIndex >= 0) {
+          const line = buffer.slice(0, newlineIndex).trim();
+          buffer = buffer.slice(newlineIndex + 1);
+          if (line) {
+            void this.handleIpcLine(socket, line);
+          }
+          newlineIndex = buffer.indexOf("\n");
+        }
+      });
+    });
+
+    await new Promise((resolve, reject) => {
+      this.server.once("error", reject);
+      this.server.listen(runtimePaths.socketFile, () => {
+        this.server.off("error", reject);
+        resolve();
+      });
+    });
+  }
+
+  async handleIpcLine(socket, line) {
+    const message = safeJsonParse(line);
+    if (!message?.id || typeof message.method !== "string") {
+      socket.write(`${JSON.stringify({
+        id: message?.id ?? null,
+        ok: false,
+        error: { message: "invalid_ipc_message" },
+      })}\n`);
+      return;
+    }
+
+    try {
+      const result = await this.handleIpcRequest(message.method, message.params ?? {});
+      socket.write(`${JSON.stringify({
+        id: message.id,
+        ok: true,
+        result,
+      })}\n`);
+    } catch (error) {
+      socket.write(`${JSON.stringify({
+        id: message.id,
+        ok: false,
+        error: {
+          message: error instanceof Error ? error.message : String(error),
+        },
+      })}\n`);
+    }
+  }
+
+  async handleIpcRequest(method) {
+    switch (method) {
+      case "status.get":
+        return {
+          config: this.config,
+          state: this.state,
+          credentials: {
+            linkId: this.credentials.linkId,
+            refreshTokenExpiresAt: this.credentials.refreshTokenExpiresAt,
+            accessTokenExpiresAt: this.credentials.accessTokenExpiresAt,
+          },
+          relayConnected: this.relayConnected,
+        };
+      case "daemon.reconnect":
+        await this.ensureRelayConnection(true);
+        return { ok: true };
+      case "daemon.shutdown":
+        await this.stop();
+        return { ok: true };
+      case "daemon.clearCredentials":
+        await clearCredentials();
+        this.credentials = await loadCredentials();
+        return { ok: true };
+      default:
+        throw new Error("unknown_ipc_method");
+    }
+  }
+}