@dmsdc-ai/aigentry-telepty 0.3.3 → 0.3.5

package/AGENTS.md

@@ -72,3 +72,26 @@ telepty inject --ref --from aigentry-telepty-{cli} aigentry-orchestrator-claude
 - **Evidence-Based**: 추측 금지. 데이터/로그/테스트 결과 기반 판단.
 - **Fail Fast**: 에러 즉시 보고. 숨기지 않음.
 - **Constitution**: ~/projects/aigentry/docs/CONSTITUTION.md 준수.
+
+## Legacy exception — `skill-installer.js`
+
+`skill-installer.js` is a **named legacy exception** grandfathered by
+**ADR 2026-05-05-telepty-devkit-boundary §6.2.1**. It is the single
+exception to the telepty/devkit boundary rule and is NOT precedent for
+new placements.
+
+- **Scope**: bugfixes, security patches, dependency upgrades only.
+- **No new feature expansion**: net-new functionality (new CLI detection,
+  new skill types, new install paths, new flags) MUST land in
+  `@dmsdc-ai/aigentry-devkit`. At migration time devkit will introduce
+  `aigentry scaffold install-skills`.
+- **Reviewer enforcement**: PR reviewers cite ADR 2026-05-05 §6.2.1 when
+  rejecting feature-expansion PRs against `skill-installer.js`.
+- **Migration triggers** (per ADR §6.2.1): ≥2 PRs in 60 days attempting
+  net-new features; devkit feature requires functionality only in
+  `skill-installer.js`; breaking change to its interface.
+
+Per-CLI hook installation, `CLAUDE.md`/`AGENTS.md`/`GEMINI.md` scaffolding,
+project-file generation, and cross-cutting installable skills are
+**devkit-owned** per ADR 2026-05-05 §3.3 — not telepty's responsibility.
+See `@dmsdc-ai/aigentry-devkit` (`aigentry scaffold …`).

package/CHANGELOG.md

@@ -2,6 +2,116 @@
 
 All notable changes to `@dmsdc-ai/aigentry-telepty` are documented here.
 
+## [0.3.5] — 2026-05-05
+
+### Added — `telepty init --print-snippet` (Issue #8)
+
+New subcommand that emits the canonical telepty-baseline snippet to stdout for
+graceful integration into per-CLI agent files. **Mechanism only** — telepty
+emits the versioned snippet text; downstream tooling (`aigentry-devkit
+scaffold --integrate-telepty`) owns idempotent insertion into
+`~/CLAUDE.md` / `~/AGENTS.md` / `~/GEMINI.md`. Boundary contract per ADR
+`2026-05-05-telepty-devkit-boundary` (commit `e4b072b`).
+
+```
+telepty init --print-snippet [--target {claude|agents|gemini|all}] [--format {markdown|json}]
+```
+
+- **argv-only**: never consumes stdin (safe in scripted pipelines).
+- **zero file I/O**: pure stdout emission; nothing read from or written to disk.
+- **deterministic**: byte-identical output for a given (target, format) pair —
+  fixtures can be hashed for verification.
+- **LF-only bodies**: no CRLF leakage on cross-platform consumers.
+- **stderr clean**: success path emits no warnings.
+
+Spec: `docs/specs/2026-05-05-issue-8-telepty-init.md` (commit `8d2dc94`).
+Implementation: `f5c6bad`. Protocol SSOT: `aigentry-ssot/contracts/telepty-snippet-v1.md`
+(commit `f4ff0cd`). 15 conformance fixtures shipped at `tests/snippet-protocol/v1/`
+covering markdown envelopes (claude, agents, gemini, all), JSON records,
+shell-hazard guards, deterministic LF output, default targeting, unsupported-target
+rejection, internal-failure exit codes, stdin-pipe ignore, devkit-free invocation,
+and the snippet golden fixtures themselves.
+
+### Docs — G7/G8/G9 M0 audit gate closure (commit `d7b8b21`)
+
+Per ADR `2026-05-05-telepty-devkit-boundary` §3.1.2 (devkit owns content
+placement; telepty owns mechanism), three gates closed:
+
+- **G7 — `README.md`**: removed reference to the rejected `telepty install
+  hooks` subcommand. Per ADR §3.1.2, that responsibility lives in devkit.
+- **G8 — `AGENTS.md`**: added Legacy exception subsection documenting the
+  remaining devkit-shaped legacy surface.
+- **G9 — `skill-installer.js`**: top-of-file LEGACY header per ADR §6.2.1
+  marking the module as legacy-track (devkit migration pending).
+
+### Internal
+
+- Cross-LLM review pattern applied: Codex implemented the `init` subcommand
+  + fixtures; Claude reviewed and ACCEPTed (commit `d06e1e9`).
+- `test/enforce-report.test.js` version assertion bumped to track release
+  (commit `d0f4495`).
+
+### Tests
+
+- `test/init.test.js` — full coverage of the new subcommand (snippet
+  emission, target/format permutations, stdin-ignore, error exits, devkit-free
+  invocation).
+- `tests/snippet-protocol/v1/` — golden fixtures for protocol conformance;
+  `npm test` runs `git diff --exit-code` against them so any drift fails CI.
+
+### Invariants preserved
+
+- Daemon code unchanged. No new dependencies. No `bin` field changes.
+- Existing CLI subcommands (`allow`, `inject`, `list`, `tui`, `daemon`, …)
+  unchanged.
+- Cross-host inject path (0.3.4) unchanged.
+
+## [0.3.4] — 2026-05-05
+
+### Added — Cross-host inject (`<id>@<host>` syntax)
+
+Enables `telepty inject <id>@<host> "msg"` to deliver to a remote daemon
+without SSH wrapping, by resolving `<host>` against the peer registry and
+issuing direct HTTP `POST /api/sessions/<id>/inject`. Closes the gap that
+forced operators to either pre-shell into the host or pipe through SSH.
+
+- **`connect-http` peer mode** (commit `a92cacc`) — new HTTP-only peer
+  registration path that does not require a reverse PTY tunnel; suitable
+  for daemons reachable via Tailscale / private DNS.
+- **`TELEPTY_HOST` env parser fix** (commit `a92cacc`) — `<id>@<host>` now
+  parses correctly when the host segment contains a port or non-default
+  scheme; prior parser dropped the host portion silently.
+- **Peer registry HTTP-only mode** — registry entries can be marked
+  HTTP-only so the daemon does not attempt PTY fan-out for them.
+
+### Added — Skill installer auto-detect (`486bc1e`)
+
+`telepty install` now auto-detects which AI CLIs are present
+(`claude`, `codex`, `gemini`) and only installs the corresponding skill
+files. Reduces noisy "skipped" log lines and prevents stub installs
+on machines that don't have the target CLI yet.
+
+### Fixed — Node 18 ESM regression (`fc7ff9a`)
+
+Pinned `uuid@9` (was floating to v10, which is ESM-only and caused
+`ERR_REQUIRE_ESM` under Node 18 CommonJS consumers).
+
+### Docs
+
+- Cross-host inject `<id>@<host>` syntax documented (commit `c8b9bbb`).
+- `[context-ref]` inject protocol standardized across docs (commit `8986a96`).
+- REPORT pattern + orchestrator-id runtime resolution documented in skills
+  (commit `658f712`).
+- Korean trigger keywords added to skill `SKILL.md` descriptions for
+  cross-locale activation (commit `57f46e1`).
+
+### Note — never published to npm
+
+`0.3.4` was version-bumped locally but never reached the registry; this
+entry is added retrospectively alongside the `0.3.5` publish so the
+changelog history matches the git log. Registry consumers go directly
+from `0.3.3` → `0.3.5`.
+
 ## [0.3.3] — 2026-05-02
 
 ### Added — `inject --submit-force` + idempotent client retry (spec: `docs/superpowers/specs/2026-05-02-submit-force-and-retry.md`)

package/README.md

@@ -72,13 +72,31 @@ telepty broadcast "status report"
 
 telepty auto-discovers sessions across your Tailnet. All commands (`list`, `attach`, `inject`, `rename`, `multicast`, `broadcast`) work seamlessly across machines.
 
-When the same session ID exists on multiple hosts, disambiguate with `session_id@host`:
+### `<id>@<host>` syntax
+
+To target a specific host (when the same session ID exists on multiple hosts,
+or when there is no Tailnet auto-discovery), append `@<host>` to the session
+ID. `<host>` can be a hostname, LAN IP, or Tailnet name.
 
 ```bash
+# Hostname / Tailnet name
 telepty inject my-session@macbook "hello"
 telepty attach worker@server-01
+
+# LAN IP — useful when no Tailnet is configured
+telepty inject orchestrator-claude@172.28.4.165 "ping"
+telepty read-screen build-runner@10.0.0.42 --lines 50
 ```
 
+**Requirements**:
+- The remote daemon must be reachable on port **3848** from the calling host
+  (LAN routing, firewall rules, or Tailscale).
+- No SSH or `sshd` is required on either side — the call hits the remote
+  daemon's HTTP API directly. This is the recommended path for laptop
+  daemons that don't run sshd.
+- The `@<host>` qualifier works for `inject`, `attach`, `read-screen`,
+  `enter`, `multicast`, and `rename`.
+
 ## How It Works
 
 ```
@@ -92,6 +110,54 @@ CLI (telepty) ──> HTTP/WS ──> Daemon (:3848)
 - **`inject`** delivers text via the fastest available path: kitty terminal API, WebSocket, or UDS (Unix Domain Socket for embedded integrations)
 - **`submit`** is handled separately from text injection for reliability across all AI CLIs
 
+## `[context-ref]` Protocol — long payloads via shared file
+
+When a sender uses `telepty inject --ref <file> <target> "<message>"`, telepty
+stores the payload in a shared file under `~/.telepty/shared/<sha256>.md` and
+injects only a short pointer prompt of the form:
+
+```
+[context-ref] Read ~/.telepty/shared/<sha256>.md and use it as the source of truth for this task.
+<inline message>
+```
+
+This avoids prompt rot in the receiving session (and in the orchestrator's
+window when the reply is small).
+
+### Receiver contract
+
+The receiving AI session is expected to:
+1. Detect the `[context-ref]` prefix on the first line.
+2. Read the file at the absolute path.
+3. Treat the file contents as the **authoritative payload** for the task — the
+   inline message is supplementary (topic / hint), not the source of truth.
+
+### Storage location
+
+- File path: `~/.telepty/shared/<sha256>.md` (sha256 of payload body)
+- Created with mode `0600`; readable only by the local user
+- Persists across sessions; not garbage-collected automatically (run
+  `telepty clean --shared` to prune)
+
+### When to use `--ref`
+
+- Payload exceeds ~1KB or contains structured content (code, logs, tables).
+- You want the receiver to load the payload deterministically rather than
+  paraphrase it from the inject prompt.
+- You're orchestrating a multi-hop conversation where the orchestrator should
+  not see the full payload in its own context window.
+
+### Integration scope
+
+Per-agent receiver integrations (auto-loading the file via Claude Code
+`UserPromptSubmit` hooks, Codex `AGENTS.md` directives, etc.) are **out of
+scope for telepty core** — they live in the agent's own configuration.
+Per-CLI hook installation lives in devkit: run `aigentry scaffold
+install-hooks {claude|codex|gemini}` after installing
+`@dmsdc-ai/aigentry-devkit`. (Older drafts proposed a receiver-side
+`telepty install` subcommand for this; that direction is rejected per ADR
+2026-05-05-telepty-devkit-boundary §3.1.2 / §3.4 row 2.)
+
 ## Inject Delivery Paths
 
 | Priority | Method | When |

package/cli.js

@@ -18,6 +18,7 @@ const { formatHostLabel, groupSessionsByHost, pickSessionTarget } = require('./s
 const { buildSharedContextPrompt, createSharedContextDescriptor, ensureSharedContextFile } = require('./shared-context');
 const { runInteractiveSkillInstaller } = require('./skill-installer');
 const crossMachine = require('./cross-machine');
+const { parseHostSpec, buildDaemonUrl, buildDaemonWsUrl } = require('./host-spec');
 const { FileMailbox } = require('./src/mailbox/index');
 const args = process.argv.slice(2);
 let pendingTerminalInputError = null;
@@ -118,23 +119,43 @@ if (!process.env.NO_UPDATE_NOTIFIER && !process.env.TELEPTY_DISABLE_UPDATE_NOTIF
   updateNotifier({pkg}).notify({ isGlobal: true });
 }
 
-// Support remote host via environment variable or default to localhost
-let REMOTE_HOST = process.env.TELEPTY_HOST || '127.0.0.1';
-const PORT = Number(process.env.TELEPTY_PORT || 3848);
-let DAEMON_URL = `http://${REMOTE_HOST}:${PORT}`;
-let WS_URL = `ws://${REMOTE_HOST}:${PORT}`;
+// Support remote host via environment variable or default to localhost.
+// TELEPTY_HOST accepts: `host`, `host:port`, or `http://host:port`. Embedded
+// port from TELEPTY_HOST is used unless TELEPTY_PORT is set explicitly.
+const _explicitPort = process.env.TELEPTY_PORT ? Number(process.env.TELEPTY_PORT) : null;
+const _hostSpec = parseHostSpec(process.env.TELEPTY_HOST, _explicitPort || 3848);
+let REMOTE_HOST = _hostSpec.host;
+const PORT = _explicitPort != null ? _explicitPort : _hostSpec.port;
+let DAEMON_URL = buildDaemonUrl(REMOTE_HOST, PORT);
+let WS_URL = buildDaemonWsUrl(REMOTE_HOST, PORT);
+
+function daemonUrl(host) {
+  if (host == null || host === '') return DAEMON_URL;
+  return buildDaemonUrl(host, PORT);
+}
+
+function daemonWsUrl(host) {
+  if (host == null || host === '') return WS_URL;
+  return buildDaemonWsUrl(host, PORT);
+}
 
-const config = getConfig();
-const TOKEN = config.authToken;
+let cachedAuthToken = null;
+
+function getAuthToken() {
+  if (cachedAuthToken == null) {
+    cachedAuthToken = getConfig().authToken;
+  }
+  return cachedAuthToken;
+}
 
 const fetchWithAuth = (url, options = {}) => {
-  const headers = { ...options.headers, 'x-telepty-token': TOKEN };
+  const headers = { ...options.headers, 'x-telepty-token': getAuthToken() };
   return fetch(url, { ...options, headers });
 };
 
 async function getDaemonMeta(host = REMOTE_HOST) {
   try {
-    const res = await fetchWithAuth(`http://${host}:${PORT}/api/meta`, {
+    const res = await fetchWithAuth(`${daemonUrl(host)}/api/meta`, {
       signal: AbortSignal.timeout(1500)
     });
     if (!res.ok) {
@@ -487,7 +508,7 @@ async function discoverSessions(options = {}) {
 
   // Local daemon sessions
   try {
-    const res = await fetchWithAuth(`http://127.0.0.1:${PORT}/api/sessions`, {
+    const res = await fetchWithAuth(`${daemonUrl('127.0.0.1')}/api/sessions`, {
       signal: AbortSignal.timeout(1500)
     });
     if (res.ok) {
@@ -502,6 +523,14 @@ async function discoverSessions(options = {}) {
   const remoteSessions = crossMachine.discoverAllRemoteSessions();
   allSessions.push(...remoteSessions);
 
+  // Remote peer sessions via HTTP (no SSH)
+  try {
+    const httpSessions = await crossMachine.discoverHttpRemoteSessions();
+    allSessions.push(...httpSessions);
+  } catch {
+    // HTTP peer discovery is best-effort.
+  }
+
   return allSessions;
 }
 
@@ -550,7 +579,7 @@ async function ensureDaemonRunning(options = {}) {
 }
 
 async function manageInteractiveAttach(sessionId, targetHost) {
-  const wsUrl = `ws://${targetHost}:${PORT}/api/sessions/${encodeURIComponent(sessionId)}?token=${encodeURIComponent(TOKEN)}`;
+  const wsUrl = `${daemonWsUrl(targetHost)}/api/sessions/${encodeURIComponent(sessionId)}?token=${encodeURIComponent(getAuthToken())}`;
   const ws = new WebSocket(wsUrl);
   let cleanupTerminal = null;
   return new Promise((resolve) => {
@@ -576,7 +605,7 @@ async function manageInteractiveAttach(sessionId, targetHost) {
 
       // Check if other clients are still attached before destroying
       try {
-        const res = await fetchWithAuth(`http://${targetHost}:${PORT}/api/sessions`);
+        const res = await fetchWithAuth(`${daemonUrl(targetHost)}/api/sessions`);
         if (res.ok) {
           const sessions = await res.json();
           const session = sessions.find(s => s.id === sessionId);
@@ -584,7 +613,7 @@ async function manageInteractiveAttach(sessionId, targetHost) {
             console.log(`\n\x1b[33mLeft room '${sessionId}'. Other clients still attached — session kept alive.\x1b[0m\n`);
           } else {
             console.log(`\n\x1b[33mLeft room '${sessionId}'. No other clients — destroying session.\x1b[0m\n`);
-            await fetchWithAuth(`http://${targetHost}:${PORT}/api/sessions/${encodeURIComponent(sessionId)}`, { method: 'DELETE' });
+            await fetchWithAuth(`${daemonUrl(targetHost)}/api/sessions/${encodeURIComponent(sessionId)}`, { method: 'DELETE' });
           }
         }
       } catch(e) {
@@ -787,7 +816,7 @@ async function manageInteractive() {
         const { promptText } = injectPromptResponse;
         if (!promptText) continue;
         try {
-          const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}/inject`, {
+          const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}/inject`, {
             method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ prompt: promptText })
           });
           const data = await res.json();
@@ -812,6 +841,15 @@ async function main() {
     return;
   }
 
+  if (cmd === 'init') {
+    const { main: runInit } = require('./src/init/print-snippet');
+    const exitCode = runInit(args.slice(1));
+    if (exitCode) {
+      process.exitCode = exitCode;
+    }
+    return;
+  }
+
   if (cmd === 'update') {
     console.log('\x1b[36m🔄 Updating telepty to the latest version...\x1b[0m');
     try {
@@ -1140,7 +1178,7 @@ async function main() {
     // Connect to daemon WebSocket with auto-reconnect
     // owner=1 tells daemon this is the allow bridge (owner), not an attach viewer.
     // Daemon uses this to reclaim ownership even if a stale ownerWs is still registered.
-    const wsUrl = `ws://${REMOTE_HOST}:${PORT}/api/sessions/${encodeURIComponent(sessionId)}?token=${encodeURIComponent(TOKEN)}&owner=1`;
+    const wsUrl = `${daemonWsUrl(REMOTE_HOST)}/api/sessions/${encodeURIComponent(sessionId)}?token=${encodeURIComponent(getAuthToken())}&owner=1`;
     let daemonWs = null;
     let wsReady = false;
     let reconnectAttempts = 0;
@@ -1448,7 +1486,7 @@ async function main() {
       }
     }
 
-    const wsUrl = `ws://${targetHost}:${PORT}/api/sessions/${encodeURIComponent(sessionId)}?token=${encodeURIComponent(TOKEN)}`;
+    const wsUrl = `${daemonWsUrl(targetHost)}/api/sessions/${encodeURIComponent(sessionId)}?token=${encodeURIComponent(getAuthToken())}`;
     const ws = new WebSocket(wsUrl);
     let cleanupTerminal = null;
 
@@ -1486,7 +1524,7 @@ async function main() {
 
       // Check if other clients are still attached before destroying
       try {
-        const res = await fetchWithAuth(`http://${targetHost}:${PORT}/api/sessions`);
+        const res = await fetchWithAuth(`${daemonUrl(targetHost)}/api/sessions`);
         if (res.ok) {
           const allSessions = await res.json();
           const session = allSessions.find(s => s.id === sessionId);
@@ -1494,7 +1532,7 @@ async function main() {
             console.log(`\n\x1b[33mLeft room '${sessionId}'. Other clients still attached — session kept alive.\x1b[0m`);
           } else {
             console.log(`\n\x1b[33mLeft room '${sessionId}'. No other clients — destroying session.\x1b[0m`);
-            await fetchWithAuth(`http://${targetHost}:${PORT}/api/sessions/${encodeURIComponent(sessionId)}`, { method: 'DELETE' });
+            await fetchWithAuth(`${daemonUrl(targetHost)}/api/sessions/${encodeURIComponent(sessionId)}`, { method: 'DELETE' });
           }
         }
       } catch(e) {}
@@ -1524,7 +1562,7 @@ async function main() {
         process.exit(1);
       }
 
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}/screen?lines=${lines}${raw ? '&raw=1' : ''}`);
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}/screen?lines=${lines}${raw ? '&raw=1' : ''}`);
       const data = await res.json();
       if (!res.ok) { console.error(`❌ Error: ${data.error}`); process.exit(1); }
 
@@ -1656,7 +1694,7 @@ async function main() {
         noEnter: useSubmit
       });
 
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}/inject`, {
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}/inject`, {
         method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body)
       });
       const data = await res.json();
@@ -1699,7 +1737,7 @@ async function main() {
           }
           attemptsMade = attempt + 1;
           try {
-            submitRes = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}/submit`, {
+            submitRes = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}/submit`, {
               method: 'POST',
               headers: { 'Content-Type': 'application/json' },
               body: JSON.stringify(submitBody),
@@ -1776,7 +1814,7 @@ async function main() {
         return;
       }
 
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}/inject`, {
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}/inject`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify(buildInjectRequestBody('', {}))
@@ -1808,7 +1846,7 @@ async function main() {
 
       // send-key is a manual override — bypass the render gate via force=true.
       // See: docs/superpowers/specs/2026-04-26-submit-gate-fixes-v2.md §3.1
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}/submit`, {
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}/submit`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({ force: true }),
@@ -1836,7 +1874,7 @@ async function main() {
       const target = await resolveSessionTarget(replyTo);
       if (!target) { console.error(`❌ Session '${replyTo}' was not found on any discovered host.`); process.exit(1); }
       const body = { prompt: replyText, from: mySessionId, reply_to: mySessionId };
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}/inject`, {
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}/inject`, {
         method: 'POST', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body)
       });
       const data = await res.json();
@@ -1860,7 +1898,7 @@ async function main() {
         process.exit(1);
       }
 
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}/state`);
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}/state`);
       const data = await res.json();
       if (!res.ok) {
         console.error(`❌ ${formatApiError(data)}`);
@@ -1977,7 +2015,7 @@ async function main() {
         process.exit(1);
       }
 
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}/state`, {
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}/state`, {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify(buildSessionStateReportBody({
@@ -2022,7 +2060,7 @@ async function main() {
 
       const aggregate = { successful: [], failed: [] };
       for (const [host, ids] of groupedTargets.entries()) {
-        const res = await fetchWithAuth(`http://${host}:${PORT}/api/sessions/multicast/inject`, {
+        const res = await fetchWithAuth(`${daemonUrl(host)}/api/sessions/multicast/inject`, {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
           body: JSON.stringify({ session_ids: ids, prompt })
@@ -2065,7 +2103,7 @@ async function main() {
         }
 
         for (const host of groupSessionsByHost(local).keys()) {
-          const res = await fetchWithAuth(`http://${host}:${PORT}/api/sessions/broadcast/inject`, {
+          const res = await fetchWithAuth(`${daemonUrl(host)}/api/sessions/broadcast/inject`, {
             method: 'POST',
             headers: { 'Content-Type': 'application/json' },
             body: JSON.stringify({ prompt: localPrompt })
@@ -2112,7 +2150,7 @@ async function main() {
     try {
       const target = await resolveSessionTarget(sessionRef);
       if (!target) { console.error(`❌ Session '${sessionRef}' not found.`); process.exit(1); }
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}`, { method: 'DELETE' });
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}`, { method: 'DELETE' });
       const data = await res.json();
       if (!res.ok) { console.error(`❌ Error: ${data.error}`); return; }
       console.log(`✅ Session '\x1b[36m${target.id}\x1b[0m' deleted.`);
@@ -2129,7 +2167,7 @@ async function main() {
         if (s.healthStatus === 'STALE' || s.healthStatus === 'DISCONNECTED') {
           try {
             const host = s.host || '127.0.0.1';
-            const res = await fetchWithAuth(`http://${host}:${PORT}/api/sessions/${encodeURIComponent(s.id)}`, { method: 'DELETE' });
+            const res = await fetchWithAuth(`${daemonUrl(host)}/api/sessions/${encodeURIComponent(s.id)}`, { method: 'DELETE' });
             if (res.ok) { console.log(`  🗑  Removed ghost: \x1b[36m${s.id}\x1b[0m (${s.healthStatus})`); cleaned++; }
           } catch (_) {}
         }
@@ -2149,7 +2187,7 @@ async function main() {
         process.exit(1);
       }
 
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}`, {
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}`, {
         method: 'PATCH', headers: { 'Content-Type': 'application/json' }, body: JSON.stringify({ new_id: newId })
       });
       const data = await res.json();
@@ -2181,7 +2219,7 @@ async function main() {
           return;
         }
 
-        const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}`);
+        const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}`);
         const data = await res.json();
         if (!res.ok) {
           console.error(`❌ Error: ${data.error}`);
@@ -2196,7 +2234,7 @@ async function main() {
         return;
       }
 
-      const res = await fetchWithAuth(`http://${target.host}:${PORT}/api/sessions/${encodeURIComponent(target.id)}`);
+      const res = await fetchWithAuth(`${daemonUrl(target.host)}/api/sessions/${encodeURIComponent(target.id)}`);
       const data = await res.json();
       if (!res.ok) {
         console.error(`❌ Error: ${data.error}`);
@@ -2649,7 +2687,7 @@ Discuss the following topic from your project's perspective. Engage with other s
           reply_to: orchestratorId,
           thread_id: threadId
         };
-        const resp = await fetchWithAuth(`http://${host}:${PORT}/api/sessions/${encodeURIComponent(session.id)}/inject`, {
+        const resp = await fetchWithAuth(`${daemonUrl(host)}/api/sessions/${encodeURIComponent(session.id)}/inject`, {
           method: 'POST',
           headers: { 'Content-Type': 'application/json' },
           body: JSON.stringify(body)
@@ -2658,7 +2696,7 @@ Discuss the following topic from your project's perspective. Engage with other s
           // Submit after text injection (300ms delay handled by daemon)
           setTimeout(async () => {
             try {
-              await fetchWithAuth(`http://${host}:${PORT}/api/sessions/${encodeURIComponent(session.id)}/submit`, { method: 'POST' });
+              await fetchWithAuth(`${daemonUrl(host)}/api/sessions/${encodeURIComponent(session.id)}/submit`, { method: 'POST' });
             } catch {}
           }, 500);
           console.log(`  ✅ Injected to ${session.id}`);
@@ -2908,6 +2946,43 @@ Discuss the following topic from your project's perspective. Engage with other s
     return;
   }
 
+  // telepty connect-http <host>[:port] [--name <name>] [--token <token>]
+  // HTTP-only remote daemon registration (no SSH/sshd required).
+  // Records peer in ~/.telepty/peers.json with transport='http' so subsequent
+  // `telepty list`/`inject`/etc. discover sessions on the remote daemon via
+  // its HTTP API. Designed for laptop daemons where running sshd is not
+  // viable. See GitHub issue #13.
+  if (cmd === 'connect-http') {
+    const target = args[1];
+    if (!target) {
+      console.error('❌ Usage: telepty connect-http <host>[:port] [--name <name>] [--token <token>]');
+      process.exit(1);
+    }
+    const nameFlag = args.indexOf('--name');
+    const tokenFlag = args.indexOf('--token');
+    const options = {};
+    if (nameFlag !== -1 && args[nameFlag + 1]) options.name = args[nameFlag + 1];
+    if (tokenFlag !== -1 && args[tokenFlag + 1]) options.token = args[tokenFlag + 1];
+
+    process.stdout.write(`\x1b[36m🔗 Connecting to ${target} via HTTP...\x1b[0m\n`);
+    try {
+      const result = await crossMachine.connectHttp(target, options);
+      if (result.success) {
+        console.log(`\x1b[32m✅ Connected to ${result.name}\x1b[0m`);
+        console.log(`   Host: ${result.host}:${result.port}`);
+        console.log(`   Machine ID: ${result.machineId}`);
+        console.log(`\nSessions on ${result.name} are now discoverable via \x1b[36mtelepty list\x1b[0m`);
+      } else {
+        console.error(`\x1b[31m❌ ${result.error}\x1b[0m`);
+        process.exit(1);
+      }
+    } catch (err) {
+      console.error(`\x1b[31m❌ ${err.message}\x1b[0m`);
+      process.exit(1);
+    }
+    return;
+  }
+
   // telepty disconnect [<name> | --all]
   if (cmd === 'disconnect') {
     if (args[1] === '--all') {
@@ -2937,8 +3012,9 @@ Discuss the following topic from your project's perspective. Engage with other s
 
     const active = crossMachine.listActivePeers();
     const known = crossMachine.listKnownPeers();
+    const httpPeers = crossMachine.listHttpPeers();
 
-    console.log('\x1b[1mConnected Peers:\x1b[0m');
+    console.log('\x1b[1mConnected Peers (SSH ControlMaster):\x1b[0m');
     if (active.length === 0) {
       console.log('  (none)');
     } else {
@@ -2948,7 +3024,8 @@ Discuss the following topic from your project's perspective. Engage with other s
     }
 
     const knownNames = Object.keys(known);
-    const disconnected = knownNames.filter(n => !active.find(a => a.name === n));
+    const httpNames = new Set(httpPeers.map((p) => p.name));
+    const disconnected = knownNames.filter(n => !active.find(a => a.name === n) && !httpNames.has(n));
     if (disconnected.length > 0) {
       console.log('\n\x1b[1mKnown Peers (disconnected):\x1b[0m');
       for (const name of disconnected) {
@@ -2956,6 +3033,14 @@ Discuss the following topic from your project's perspective. Engage with other s
         console.log(`  \x1b[90m○\x1b[0m ${name} (${p.target}) — last: ${p.lastConnected || 'never'}`);
       }
     }
+
+    if (httpPeers.length > 0) {
+      console.log('\n\x1b[1mHTTP Peers (no SSH):\x1b[0m');
+      for (const peer of httpPeers) {
+        const tokenNote = peer.hasToken ? ' [token]' : '';
+        console.log(`  \x1b[36m◆\x1b[0m ${peer.name} (${peer.host}:${peer.port}) [${peer.machineId}]${tokenNote}`);
+      }
+    }
     return;
   }
 
@@ -2973,7 +3058,7 @@ Discuss the following topic from your project's perspective. Engage with other s
     let connectedHosts = 0;
 
     hosts.forEach((host) => {
-      const wsUrl = `ws://${host}:${PORT}/api/bus?token=${encodeURIComponent(TOKEN)}`;
+      const wsUrl = `${daemonWsUrl(host)}/api/bus?token=${encodeURIComponent(getAuthToken())}`;
       const ws = new WebSocket(wsUrl);
 
       ws.on('open', () => {
@@ -3051,7 +3136,8 @@ Discuss the following topic from your project's perspective. Engage with other s
   telepty read-screen <id[@host]> [--lines N]    Read session screen buffer
 
 \x1b[1mCross-Machine:\x1b[0m
-  telepty connect <user@host> [--name N] [--port P]  SSH tunnel to remote host
+  telepty connect <user@host> [--name N] [--port P]      SSH tunnel to remote host
+  telepty connect-http <host>[:port] [--name N] [--token T]  Register remote daemon via HTTP (no SSH)
   telepty disconnect <name> | --all              Disconnect remote host
   telepty peers [--remove <name>]                List connected peers