@getpaseo/server 0.1.87 → 0.1.89

package/dist/server/server/agent/timeline-projection.d.ts

@@ -21,6 +21,13 @@ interface ProjectedWindowSelection {
     minSeq: number | null;
     maxSeq: number | null;
 }
+export interface ProjectedTimelinePageSelection {
+    entries: TimelineProjectionEntry[];
+    startSeq: number | null;
+    endSeq: number | null;
+    hasOlder: boolean;
+    hasNewer: boolean;
+}
 export declare function projectTimelineRows(input: {
     rows: readonly AgentTimelineRow[];
     mode: TimelineProjectionMode;
@@ -34,8 +41,17 @@ export declare function selectTimelineWindowByProjectedLimit(input: {
     rows: readonly AgentTimelineRow[];
     direction: TimelineLimitDirection;
     limit: number;
-    collapseToolLifecycle?: boolean;
 }): ProjectedWindowSelection;
+export declare function selectProjectedTimelinePage(input: {
+    rows: readonly AgentTimelineRow[];
+    bounds?: {
+        minSeq: number;
+        maxSeq: number;
+    };
+    direction: TimelineLimitDirection;
+    cursorSeq?: number;
+    limit?: number;
+}): ProjectedTimelinePageSelection;
 /**
  * Apply a projected-count limit to a flat AgentTimelineItem[] without seq metadata.
  * Used by callers that only have items in hand (e.g. MCP tools reading

package/dist/server/server/agent/timeline-projection.js

@@ -188,9 +188,8 @@ export function projectTimelineRows(input) {
 export function selectTimelineWindowByProjectedLimit(input) {
     const { rows, direction } = input;
     const limit = Math.max(0, Math.floor(input.limit));
-    const collapseTools = input.collapseToolLifecycle ?? true;
     const canonical = makeCanonicalEntries(rows);
-    const projectedAll = mergeReasoningChunks(mergeAssistantChunks(collapseTools ? collapseToolLifecycle(canonical) : canonical));
+    const projectedAll = mergeReasoningChunks(mergeAssistantChunks(collapseToolLifecycle(canonical)));
     if (projectedAll.length === 0) {
         return {
             projectedEntries: [],
@@ -232,23 +231,21 @@ export function selectTimelineWindowByProjectedLimit(input) {
     };
     let { minSeq, maxSeq } = computeWindowBounds(projectedEntries);
     let expandedEntries = projectedEntries;
-    if (collapseTools) {
-        // Expand to include any projected entries that overlap the selected
-        // canonical range. Tool lifecycle collapse can produce non-monotonic
-        // seqEnd values, which would otherwise create cursor gaps.
-        for (let iteration = 0; iteration < projectedAll.length + 1; iteration += 1) {
-            const overlapping = projectedAll.filter((entry) => entry.seqStart <= maxSeq && entry.seqEnd >= minSeq);
-            const nextBounds = computeWindowBounds(overlapping);
-            if (overlapping.length === expandedEntries.length &&
-                nextBounds.minSeq === minSeq &&
-                nextBounds.maxSeq === maxSeq) {
-                expandedEntries = overlapping;
-                break;
-            }
+    // Expand to include any projected entries that overlap the selected canonical
+    // range. Tool lifecycle collapse can produce non-monotonic seqEnd values,
+    // which would otherwise create cursor gaps.
+    for (let iteration = 0; iteration < projectedAll.length + 1; iteration += 1) {
+        const overlapping = projectedAll.filter((entry) => entry.seqStart <= maxSeq && entry.seqEnd >= minSeq);
+        const nextBounds = computeWindowBounds(overlapping);
+        if (overlapping.length === expandedEntries.length &&
+            nextBounds.minSeq === minSeq &&
+            nextBounds.maxSeq === maxSeq) {
             expandedEntries = overlapping;
-            minSeq = nextBounds.minSeq;
-            maxSeq = nextBounds.maxSeq;
+            break;
         }
+        expandedEntries = overlapping;
+        minSeq = nextBounds.minSeq;
+        maxSeq = nextBounds.maxSeq;
     }
     const selectedRows = rows.filter((row) => row.seq >= minSeq && row.seq <= maxSeq);
     return {
@@ -258,6 +255,74 @@ export function selectTimelineWindowByProjectedLimit(input) {
         maxSeq: Number.isFinite(maxSeq) ? maxSeq : null,
     };
 }
+function getTimelineBounds(rows) {
+    const first = rows[0];
+    const last = rows[rows.length - 1];
+    if (!first || !last) {
+        return null;
+    }
+    return { minSeq: first.seq, maxSeq: last.seq };
+}
+function selectEntriesOverlappingSeqRange(input) {
+    return input.entries.filter((entry) => entry.seqStart <= input.endSeq && entry.seqEnd >= input.startSeq);
+}
+export function selectProjectedTimelinePage(input) {
+    const limit = input.limit === undefined ? 0 : Math.max(0, Math.floor(input.limit));
+    const bounds = input.bounds ?? getTimelineBounds(input.rows);
+    const projectedAll = projectTimelineRows({ rows: input.rows, mode: "projected" });
+    if (projectedAll.length === 0 || !bounds) {
+        return {
+            entries: [],
+            startSeq: null,
+            endSeq: null,
+            hasOlder: false,
+            hasNewer: false,
+        };
+    }
+    if (input.direction === "tail") {
+        const selected = selectTimelineWindowByProjectedLimit({
+            rows: input.rows,
+            direction: "tail",
+            limit,
+        });
+        return {
+            entries: selected.projectedEntries,
+            startSeq: selected.minSeq,
+            endSeq: selected.maxSeq,
+            hasOlder: selected.minSeq !== null && selected.minSeq > bounds.minSeq,
+            hasNewer: false,
+        };
+    }
+    let startSeq;
+    let endSeq;
+    if (input.direction === "after") {
+        const cursorSeq = input.cursorSeq ?? bounds.minSeq - 1;
+        startSeq = Math.max(bounds.minSeq, cursorSeq + 1);
+        endSeq = limit === 0 ? bounds.maxSeq : Math.min(bounds.maxSeq, cursorSeq + limit);
+    }
+    else {
+        const cursorSeq = input.cursorSeq ?? bounds.maxSeq + 1;
+        endSeq = Math.min(bounds.maxSeq, cursorSeq - 1);
+        startSeq = limit === 0 ? bounds.minSeq : Math.max(bounds.minSeq, cursorSeq - limit);
+    }
+    if (startSeq > endSeq) {
+        return {
+            entries: [],
+            startSeq: null,
+            endSeq: null,
+            hasOlder: startSeq > bounds.minSeq,
+            hasNewer: endSeq < bounds.maxSeq,
+        };
+    }
+    const entries = selectEntriesOverlappingSeqRange({ entries: projectedAll, startSeq, endSeq });
+    return {
+        entries,
+        startSeq,
+        endSeq,
+        hasOlder: startSeq > bounds.minSeq,
+        hasNewer: endSeq < bounds.maxSeq,
+    };
+}
 export function selectItemsByProjectedLimit(input) {
     const rows = input.items.map((item, index) => ({
         seq: index + 1,

package/dist/server/server/auto-archive-on-merge/archive-if-safe.d.ts

@@ -10,6 +10,7 @@ import type { TerminalManager } from "../../terminal/terminal-manager.js";
 import { isPaseoOwnedWorktreeCwd } from "../../utils/worktree.js";
 export interface AutoArchiveArchiveOptions {
     paseoHome: string;
+    worktreesRoot?: string;
     daemonConfigStore: DaemonConfigStore;
     workspaceGitService: WorkspaceGitServiceImpl;
     github: GitHubService;

package/dist/server/server/auto-archive-on-merge/archive-if-safe.js

@@ -37,13 +37,17 @@ export async function archiveIfSafe(input) {
         if (snapshot.git.isDirty === true || (snapshot.git.aheadOfOrigin ?? 0) > 0) {
             return;
         }
-        const ownership = await deps.isPaseoOwnedWorktreeCwd(cwd, { paseoHome: options.paseoHome });
+        const ownership = await deps.isPaseoOwnedWorktreeCwd(cwd, {
+            paseoHome: options.paseoHome,
+            worktreesRoot: options.worktreesRoot,
+        });
         if (!ownership.allowed) {
             return;
         }
         try {
             await deps.archivePaseoWorktree({
                 paseoHome: options.paseoHome,
+                worktreesRoot: options.worktreesRoot,
                 github: options.github,
                 workspaceGitService: options.workspaceGitService,
                 agentManager: options.agentManager,
@@ -64,6 +68,7 @@ export async function archiveIfSafe(input) {
                 targetPath: cwd,
                 repoRoot: ownership.repoRoot ?? null,
                 worktreesRoot: ownership.worktreeRoot,
+                worktreesBaseRoot: options.worktreesRoot,
                 requestId: "auto-archive-on-merge",
             });
             log.info({ cwd }, "Auto-archived worktree after PR merge");

package/dist/server/server/bootstrap.d.ts

@@ -21,7 +21,7 @@ import type { PushNotificationSender } from "./push/notifications.js";
 import type { AgentClient, AgentProvider } from "./agent/agent-sdk-types.js";
 import type { AgentProviderRuntimeSettingsMap, ProviderOverride } from "./agent/provider-launch-config.js";
 import type { PersistedConfig } from "./persisted-config.js";
-import { ScriptRouteStore } from "./script-proxy.js";
+import { type ServiceProxySubsystem } from "./service-proxy.js";
 import { WorkspaceScriptRuntimeStore } from "./workspace-script-runtime-store.js";
 import { type HostnamesConfig } from "./hostnames.js";
 import { type DaemonAuthConfig } from "./auth.js";
@@ -49,6 +49,7 @@ export type DaemonLifecycleIntent = {
 export interface PaseoDaemonConfig {
     listen: string;
     paseoHome: string;
+    worktreesRoot?: string;
     corsAllowedOrigins: string[];
     allowedHosts?: HostnamesConfig;
     hostnames?: HostnamesConfig;
@@ -66,6 +67,10 @@ export interface PaseoDaemonConfig {
     relayPublicEndpoint?: string;
     relayUseTls?: boolean;
     relayPublicUseTls?: boolean;
+    serviceProxy?: {
+        publicBaseUrl: string | null;
+        standaloneListen: string | null;
+    };
     appBaseUrl?: string;
     auth?: DaemonAuthConfig;
     openai?: PaseoOpenAIConfig;
@@ -93,7 +98,7 @@ export interface PaseoDaemon {
     agentManager: AgentManager;
     agentStorage: AgentStorage;
     terminalManager: TerminalManager;
-    scriptRouteStore: ScriptRouteStore;
+    serviceProxy: ServiceProxySubsystem;
     scriptRuntimeStore: WorkspaceScriptRuntimeStore;
     start(): Promise<void>;
     stop(): Promise<void>;

package/dist/server/server/bootstrap.js

@@ -99,7 +99,7 @@ import { loadOrCreateDaemonKeyPair } from "./daemon-keypair.js";
 import { startRelayTransport } from "./relay-transport.js";
 import { getOrCreateServerId } from "./server-id.js";
 import { resolveDaemonVersion } from "./daemon-version.js";
-import { ScriptRouteStore, createScriptProxyMiddleware, createScriptProxyUpgradeHandler, } from "./script-proxy.js";
+import { createServiceProxySubsystem } from "./service-proxy.js";
 import { ScriptHealthMonitor } from "./script-health-monitor.js";
 import { createScriptStatusEmitter } from "./script-status-projection.js";
 import { WorkspaceScriptRuntimeStore } from "./workspace-script-runtime-store.js";
@@ -187,30 +187,42 @@ export async function createPaseoDaemon(config, rootLogger) {
     const app = express();
     let boundListenTarget = null;
     let workspaceRegistry = null;
-    const scriptRouteStore = new ScriptRouteStore();
+    const serviceProxyPublicBaseUrl = config.serviceProxy?.publicBaseUrl
+        ? config.serviceProxy.publicBaseUrl
+        : null;
+    const serviceProxy = createServiceProxySubsystem({
+        logger,
+        publicBaseUrl: serviceProxyPublicBaseUrl,
+    });
     const scriptRuntimeStore = new WorkspaceScriptRuntimeStore();
     const configuredHostnames = config.hostnames ?? config.allowedHosts;
     let wsServer = null;
+    let serviceProxyListenTarget = null;
     const scriptHealthMonitor = new ScriptHealthMonitor({
-        routeStore: scriptRouteStore,
+        serviceProxy,
         onChange: createScriptStatusEmitter({
             sessions: () => wsServer?.listActiveSessions().map((session) => ({
                 emit: (message) => session.emitServerMessage(message),
             })) ?? [],
-            routeStore: scriptRouteStore,
+            serviceProxy,
             runtimeStore: scriptRuntimeStore,
             daemonPort: () => (boundListenTarget?.type === "tcp" ? boundListenTarget.port : null),
             resolveWorkspaceDirectory: async (workspaceId) => (await workspaceRegistry?.get(workspaceId))?.cwd ?? null,
             logger,
+            serviceProxyPublicBaseUrl,
         }),
     });
     const handleBranchChange = createBranchChangeRouteHandler({
-        routeStore: scriptRouteStore,
+        serviceProxy,
         onRoutesChanged: (workspaceId) => {
             scriptHealthMonitor.invalidateWorkspace(workspaceId);
         },
         logger,
     });
+    // Service proxy classifies service hosts before daemon auth/route fallthrough.
+    // Registered service hosts proxy directly; known service namespaces without a
+    // route return 404 and never reach daemon APIs.
+    app.use(serviceProxy.middleware());
     // Host allowlist / DNS rebinding protection (vite-like semantics).
     // For non-TCP (unix sockets), skip host validation.
     if (listenTarget.type === "tcp") {
@@ -254,10 +266,6 @@ export async function createPaseoDaemon(config, rootLogger) {
     app.use(createRequireBearerMiddleware(config.auth, (context) => {
         logger.warn(context, "Rejected HTTP request with invalid daemon password");
     }));
-    // Script proxy — intercepts requests for registered *.localhost hostnames
-    // and forwards them to the corresponding local script port. Placed after
-    // host/CORS/auth checks but before the rest of the routes.
-    app.use(createScriptProxyMiddleware({ routeStore: scriptRouteStore, logger }));
     // Serve static files from public directory
     app.use("/public", express.static(staticDir));
     // Middleware
@@ -331,11 +339,10 @@ export async function createPaseoDaemon(config, rootLogger) {
     // VoiceAssistantWebSocketServer attaches its own "upgrade" listener so that
     // script-bound upgrades are forwarded first. The handler is a no-op for
     // requests that don't match a registered script route.
-    const scriptProxyUpgradeHandler = createScriptProxyUpgradeHandler({
-        routeStore: scriptRouteStore,
-        logger,
-    });
-    httpServer.on("upgrade", scriptProxyUpgradeHandler);
+    httpServer.on("upgrade", serviceProxy.upgradeHandler({ passthroughUnknown: true }));
+    if (config.serviceProxy?.standaloneListen) {
+        serviceProxyListenTarget = parseListenString(config.serviceProxy.standaloneListen);
+    }
     const agentStorage = new AgentStorage(config.agentStoragePath, logger);
     const projectRegistry = new FileBackedProjectRegistry(path.join(config.paseoHome, "projects", "projects.json"), logger);
     workspaceRegistry = new FileBackedWorkspaceRegistry(path.join(config.paseoHome, "projects", "workspaces.json"), logger);
@@ -348,6 +355,7 @@ export async function createPaseoDaemon(config, rootLogger) {
     const workspaceGitService = new WorkspaceGitServiceImpl({
         logger,
         paseoHome: config.paseoHome,
+        worktreesRoot: config.worktreesRoot,
         deps: {
             github,
         },
@@ -467,6 +475,7 @@ export async function createPaseoDaemon(config, rootLogger) {
     };
     setupAutoArchiveOnMerge({
         paseoHome: config.paseoHome,
+        worktreesRoot: config.worktreesRoot,
         daemonConfigStore,
         workspaceGitService,
         github,
@@ -501,6 +510,7 @@ export async function createPaseoDaemon(config, rootLogger) {
                 createPaseoWorktree: async (input, serviceOptions) => {
                     return createPaseoWorktreeWorkflow({
                         paseoHome: config.paseoHome,
+                        worktreesRoot: config.worktreesRoot,
                         createPaseoWorktree: async (workflowInput, workflowOptions) => {
                             return createRegisteredPaseoWorktree(workflowInput, {
                                 github,
@@ -530,14 +540,16 @@ export async function createPaseoDaemon(config, rootLogger) {
                         sessionLogger: logger,
                         terminalManager,
                         archiveWorkspaceRecord: archiveWorkspaceRecordExternal,
-                        scriptRouteStore,
+                        serviceProxy,
                         scriptRuntimeStore,
                         getDaemonTcpPort: () => boundListenTarget?.type === "tcp" ? boundListenTarget.port : null,
                         getDaemonTcpHost: () => boundListenTarget?.type === "tcp" ? boundListenTarget.host : null,
+                        serviceProxyPublicBaseUrl,
                         onScriptsChanged: null,
                     }, input, serviceOptions);
                 },
                 paseoHome: config.paseoHome,
+                worktreesRoot: config.worktreesRoot,
                 callerAgentId,
                 enableVoiceTools: false,
                 resolveSpeakHandler: (agentId) => wsServer?.resolveVoiceSpeakHandler(agentId) ?? null,
@@ -652,112 +664,136 @@ export async function createPaseoDaemon(config, rootLogger) {
     logger.info({ elapsed: elapsed() }, "Speech service created");
     logger.info({ elapsed: elapsed() }, "Bootstrap complete, ready to start listening");
     const start = async () => {
-        // Start main HTTP server
-        await new Promise((resolve, reject) => {
-            const onError = (err) => {
-                httpServer.off("listening", onListening);
-                reject(err);
-            };
-            const onListening = () => {
-                httpServer.off("error", onError);
-                const logAndResolve = async () => {
-                    boundListenTarget = resolveBoundListenTarget(listenTarget, httpServer);
-                    const mcpBaseUrl = mcpEnabled ? createAgentMcpBaseUrl(boundListenTarget) : null;
-                    agentMcpBaseUrl = config.mcpInjectIntoAgents === false ? null : mcpBaseUrl;
-                    agentManager.setMcpBaseUrl(agentMcpBaseUrl);
-                    daemonConfigStore.onFieldChange("mcp.injectIntoAgents", (value) => {
-                        agentManager.setMcpBaseUrl(value ? mcpBaseUrl : null);
-                    });
-                    daemonConfigStore.onFieldChange("appendSystemPrompt", (value) => {
-                        agentManager.setAppendSystemPrompt(typeof value === "string" ? value : "");
-                    });
-                    const relayEnabled = config.relayEnabled ?? true;
-                    const relayEndpoint = config.relayEndpoint ?? "relay.paseo.sh:443";
-                    const relayPublicEndpoint = config.relayPublicEndpoint ?? relayEndpoint;
-                    const relayUseTls = config.relayUseTls ?? relayEndpoint === "relay.paseo.sh:443";
-                    const relayPublicUseTls = config.relayPublicUseTls ?? relayUseTls;
-                    const appBaseUrl = config.appBaseUrl ?? "https://app.paseo.sh";
-                    if (boundListenTarget.type === "tcp") {
-                        logger.info({
-                            host: boundListenTarget.host,
-                            port: boundListenTarget.port,
-                            authRequired: !!config.auth?.password,
-                            elapsed: elapsed(),
-                        }, `Server listening on http://${boundListenTarget.host}:${boundListenTarget.port}`);
-                    }
-                    else {
-                        logger.info({
-                            path: boundListenTarget.path,
-                            authRequired: !!config.auth?.password,
-                            elapsed: elapsed(),
-                        }, `Server listening on ${boundListenTarget.path}`);
-                    }
-                    if (config.auth?.password) {
-                        logger.info("Daemon password authentication enabled");
-                    }
-                    wsServer = new VoiceAssistantWebSocketServer(httpServer, logger, serverId, agentManager, agentStorage, downloadTokenStore, config.paseoHome, daemonConfigStore, mcpBaseUrl, { allowedOrigins, hostnames: configuredHostnames }, config.auth, speechService, terminalManager, {
-                        finalTimeoutMs: config.dictationFinalTimeoutMs,
-                    }, daemonVersion, (intent) => {
-                        try {
-                            config.onLifecycleIntent?.(intent);
+        let mainStarted = false;
+        try {
+            if (serviceProxyListenTarget) {
+                const boundServiceProxyTarget = await serviceProxy.startStandalone({
+                    listenTarget: serviceProxyListenTarget,
+                });
+                serviceProxyListenTarget = boundServiceProxyTarget;
+                logger.info({
+                    listen: formatListenTarget(serviceProxyListenTarget),
+                    publicBaseUrl: serviceProxyPublicBaseUrl,
+                    elapsed: elapsed(),
+                }, "Service proxy listening");
+            }
+            // Start main HTTP server
+            await new Promise((resolve, reject) => {
+                const onError = (err) => {
+                    httpServer.off("listening", onListening);
+                    reject(err);
+                };
+                const onListening = () => {
+                    httpServer.off("error", onError);
+                    mainStarted = true;
+                    const logAndResolve = async () => {
+                        boundListenTarget = resolveBoundListenTarget(listenTarget, httpServer);
+                        const mcpBaseUrl = mcpEnabled ? createAgentMcpBaseUrl(boundListenTarget) : null;
+                        agentMcpBaseUrl = config.mcpInjectIntoAgents === false ? null : mcpBaseUrl;
+                        agentManager.setMcpBaseUrl(agentMcpBaseUrl);
+                        daemonConfigStore.onFieldChange("mcp.injectIntoAgents", (value) => {
+                            agentManager.setMcpBaseUrl(value ? mcpBaseUrl : null);
+                        });
+                        daemonConfigStore.onFieldChange("appendSystemPrompt", (value) => {
+                            agentManager.setAppendSystemPrompt(typeof value === "string" ? value : "");
+                        });
+                        const relayEnabled = config.relayEnabled ?? true;
+                        const relayEndpoint = config.relayEndpoint ?? "relay.paseo.sh:443";
+                        const relayPublicEndpoint = config.relayPublicEndpoint ?? relayEndpoint;
+                        const relayUseTls = config.relayUseTls ?? relayEndpoint === "relay.paseo.sh:443";
+                        const relayPublicUseTls = config.relayPublicUseTls ?? relayUseTls;
+                        const appBaseUrl = config.appBaseUrl ?? "https://app.paseo.sh";
+                        if (boundListenTarget.type === "tcp") {
+                            logger.info({
+                                host: boundListenTarget.host,
+                                port: boundListenTarget.port,
+                                authRequired: !!config.auth?.password,
+                                elapsed: elapsed(),
+                            }, `Server listening on http://${boundListenTarget.host}:${boundListenTarget.port}`);
                         }
-                        catch (error) {
-                            logger.error({ err: error, intent }, "Failed to handle daemon lifecycle intent");
+                        else {
+                            logger.info({
+                                path: boundListenTarget.path,
+                                authRequired: !!config.auth?.password,
+                                elapsed: elapsed(),
+                            }, `Server listening on ${boundListenTarget.path}`);
                         }
-                    }, projectRegistry, workspaceRegistry, chatService, loopService, scheduleService, checkoutDiffManager, scriptRouteStore, scriptRuntimeStore, handleBranchChange, () => (boundListenTarget?.type === "tcp" ? boundListenTarget.port : null), () => (boundListenTarget?.type === "tcp" ? boundListenTarget.host : null), (hostname) => scriptHealthMonitor.getHealthForHostname(hostname), workspaceGitService, github, config.pushNotificationSender, providerSnapshotManager, {
-                        listen: formatListenTarget(boundListenTarget ?? listenTarget),
-                        relay: {
-                            enabled: relayEnabled,
-                            endpoint: relayEndpoint,
-                            publicEndpoint: relayPublicEndpoint,
-                            useTls: relayUseTls,
-                            publicUseTls: relayPublicUseTls,
-                        },
-                    });
-                    if (relayEnabled) {
-                        const offer = await createConnectionOfferV2({
-                            serverId,
-                            daemonPublicKeyB64: daemonKeyPair.publicKeyB64,
+                        if (config.auth?.password) {
+                            logger.info("Daemon password authentication enabled");
+                        }
+                        wsServer = new VoiceAssistantWebSocketServer(httpServer, logger, serverId, agentManager, agentStorage, downloadTokenStore, config.paseoHome, daemonConfigStore, mcpBaseUrl, { allowedOrigins, hostnames: configuredHostnames }, config.auth, speechService, terminalManager, {
+                            finalTimeoutMs: config.dictationFinalTimeoutMs,
+                        }, daemonVersion, (intent) => {
+                            try {
+                                config.onLifecycleIntent?.(intent);
+                            }
+                            catch (error) {
+                                logger.error({ err: error, intent }, "Failed to handle daemon lifecycle intent");
+                            }
+                        }, projectRegistry, workspaceRegistry, chatService, loopService, scheduleService, checkoutDiffManager, serviceProxy, scriptRuntimeStore, handleBranchChange, () => (boundListenTarget?.type === "tcp" ? boundListenTarget.port : null), () => (boundListenTarget?.type === "tcp" ? boundListenTarget.host : null), (hostname) => scriptHealthMonitor.getHealthForHostname(hostname), workspaceGitService, github, config.pushNotificationSender, providerSnapshotManager, {
+                            listen: formatListenTarget(boundListenTarget ?? listenTarget),
+                            worktreesRoot: config.worktreesRoot,
                             relay: {
-                                endpoint: relayPublicEndpoint,
-                                useTls: relayPublicUseTls,
+                                enabled: relayEnabled,
+                                endpoint: relayEndpoint,
+                                publicEndpoint: relayPublicEndpoint,
+                                useTls: relayUseTls,
+                                publicUseTls: relayPublicUseTls,
                             },
-                        });
-                        encodeOfferToFragmentUrl({ offer, appBaseUrl });
-                        relayTransport?.stop().catch(() => undefined);
-                        relayTransport = startRelayTransport({
-                            logger,
-                            attachSocket: (ws, metadata) => {
-                                if (!wsServer) {
-                                    throw new Error("WebSocket server not initialized");
-                                }
-                                return wsServer.attachExternalSocket(ws, metadata);
-                            },
-                            relayEndpoint,
-                            relayUseTls,
-                            serverId,
-                            daemonKeyPair: daemonKeyPair.keyPair,
-                        });
-                    }
+                        }, serviceProxyPublicBaseUrl);
+                        if (relayEnabled) {
+                            const offer = await createConnectionOfferV2({
+                                serverId,
+                                daemonPublicKeyB64: daemonKeyPair.publicKeyB64,
+                                relay: {
+                                    endpoint: relayPublicEndpoint,
+                                    useTls: relayPublicUseTls,
+                                },
+                            });
+                            encodeOfferToFragmentUrl({ offer, appBaseUrl });
+                            relayTransport?.stop().catch(() => undefined);
+                            relayTransport = startRelayTransport({
+                                logger,
+                                attachSocket: (ws, metadata) => {
+                                    if (!wsServer) {
+                                        throw new Error("WebSocket server not initialized");
+                                    }
+                                    return wsServer.attachExternalSocket(ws, metadata);
+                                },
+                                relayEndpoint,
+                                relayUseTls,
+                                serverId,
+                                daemonKeyPair: daemonKeyPair.keyPair,
+                            });
+                        }
+                    };
+                    logAndResolve().then(resolve, reject);
                 };
-                logAndResolve().then(resolve, reject);
-            };
-            httpServer.once("error", onError);
-            httpServer.once("listening", onListening);
-            if (listenTarget.type === "tcp") {
-                httpServer.listen(listenTarget.port, listenTarget.host);
-            }
-            else {
-                if (listenTarget.type === "socket" && existsSync(listenTarget.path)) {
-                    unlinkSync(listenTarget.path);
+                httpServer.once("error", onError);
+                httpServer.once("listening", onListening);
+                if (listenTarget.type === "tcp") {
+                    httpServer.listen(listenTarget.port, listenTarget.host);
                 }
-                httpServer.listen(listenTarget.path);
+                else {
+                    if (listenTarget.type === "socket" && existsSync(listenTarget.path)) {
+                        unlinkSync(listenTarget.path);
+                    }
+                    httpServer.listen(listenTarget.path);
+                }
+            });
+            // Start speech service after listening so synchronous Sherpa native
+            // model loading doesn't block the server from accepting connections.
+            speechService.start();
+            scriptHealthMonitor.start();
+        }
+        catch (error) {
+            await serviceProxy.stopStandalone().catch(() => undefined);
+            if (mainStarted) {
+                httpServer.closeAllConnections();
+                await new Promise((resolve) => httpServer.close(() => resolve()));
             }
-        });
-        // Start speech service after listening so synchronous Sherpa native
-        // model loading doesn't block the server from accepting connections.
-        speechService.start();
-        scriptHealthMonitor.start();
+            throw error;
+        }
     };
     const stop = async () => {
         scriptHealthMonitor.stop();
@@ -773,6 +809,7 @@ export async function createPaseoDaemon(config, rootLogger) {
         if (wsServer) {
             await wsServer.close();
         }
+        await serviceProxy.stopStandalone();
         // Force-drop remaining sockets so httpServer.close() resolves promptly.
         // We've already closed wsServer (which sent ws-layer close frames) and
         // stopped every other service, so anything still attached is a TCP
@@ -794,7 +831,7 @@ export async function createPaseoDaemon(config, rootLogger) {
         agentManager,
         agentStorage,
         terminalManager,
-        scriptRouteStore,
+        serviceProxy,
         scriptRuntimeStore,
         start,
         stop,