@linkshell/gateway 0.2.46 → 0.2.48

package/src/state-store.ts

@@ -1,28 +1,35 @@
-export interface StoredTokenRecord {
+export interface StoredAuthorizationRecord {
+  authorizationId: string;
   token: string;
-  sessionIds: string[];
+  hostDeviceId: string;
+  clientDeviceId?: string;
+  clientName?: string;
   createdAt: number;
   lastUsedAt: number;
 }
 
 export interface StoredPairingRecord {
-  sessionId: string;
+  hostDeviceId: string;
   pairingCode: string;
   expiresAt: number;
   claimed: boolean;
 }
 
 export interface GatewayStateStore {
-  loadTokens(): Promise<StoredTokenRecord[]>;
-  saveToken(record: StoredTokenRecord): Promise<void>;
-  deleteToken(token: string): Promise<void>;
+  loadAuthorizations(): Promise<StoredAuthorizationRecord[]>;
+  saveAuthorization(record: StoredAuthorizationRecord): Promise<void>;
+  deleteAuthorization(authorizationId: string): Promise<void>;
   loadPairings(): Promise<StoredPairingRecord[]>;
   savePairing(record: StoredPairingRecord): Promise<void>;
   deletePairing(pairingCode: string): Promise<void>;
 }
 
-const TOKEN_TABLE = process.env.SUPABASE_GATEWAY_TOKEN_TABLE ?? "linkshell_gateway_tokens";
-const PAIRING_TABLE = process.env.SUPABASE_GATEWAY_PAIRING_TABLE ?? "linkshell_gateway_pairings";
+const AUTHORIZATION_TABLE =
+  process.env.SUPABASE_GATEWAY_AUTHORIZATION_TABLE ??
+  "linkshell_gateway_device_authorizations";
+const PAIRING_TABLE =
+  process.env.SUPABASE_GATEWAY_PAIRING_TABLE ??
+  "linkshell_gateway_pairing_challenges";
 const STORE_TIMEOUT_MS = Number(process.env.SUPABASE_STATE_TIMEOUT_MS ?? 3_000);
 
 function msToIso(ms: number): string {
@@ -35,6 +42,10 @@ function isoToMs(value: unknown): number {
   return Number.isNaN(parsed) ? Date.now() : parsed;
 }
 
+function maybeString(value: unknown): string | undefined {
+  return typeof value === "string" && value.length > 0 ? value : undefined;
+}
+
 export function createSupabaseStateStore(): GatewayStateStore | undefined {
   const url = process.env.SUPABASE_URL?.replace(/\/+$/, "");
   const key = process.env.SUPABASE_SERVICE_ROLE_KEY || process.env.SUPABASE_ANON_KEY;
@@ -64,49 +75,54 @@ export function createSupabaseStateStore(): GatewayStateStore | undefined {
   }
 
   return {
-    async loadTokens() {
+    async loadAuthorizations() {
       const rows = await request<Array<Record<string, unknown>>>(
-        `${TOKEN_TABLE}?select=token,session_ids,created_at,last_used_at`,
+        `${AUTHORIZATION_TABLE}?select=authorization_id,token,host_device_id,client_device_id,client_name,created_at,last_used_at`,
       );
       return rows.map((row) => ({
+        authorizationId: String(row.authorization_id ?? ""),
         token: String(row.token ?? ""),
-        sessionIds: Array.isArray(row.session_ids)
-          ? row.session_ids.map(String)
-          : [],
+        hostDeviceId: String(row.host_device_id ?? ""),
+        clientDeviceId: maybeString(row.client_device_id),
+        clientName: maybeString(row.client_name),
         createdAt: isoToMs(row.created_at),
         lastUsedAt: isoToMs(row.last_used_at),
-      })).filter((record) => record.token);
+      })).filter((record) => record.authorizationId && record.token && record.hostDeviceId);
     },
-    async saveToken(record) {
+    async saveAuthorization(record) {
       await request(
-        `${TOKEN_TABLE}?on_conflict=token`,
+        `${AUTHORIZATION_TABLE}?on_conflict=authorization_id`,
         {
           method: "POST",
           headers: { Prefer: "resolution=merge-duplicates" },
           body: JSON.stringify({
+            authorization_id: record.authorizationId,
             token: record.token,
-            session_ids: record.sessionIds,
+            host_device_id: record.hostDeviceId,
+            client_device_id: record.clientDeviceId ?? null,
+            client_name: record.clientName ?? null,
             created_at: msToIso(record.createdAt),
             last_used_at: msToIso(record.lastUsedAt),
           }),
         },
       );
     },
-    async deleteToken(token) {
-      await request(`${TOKEN_TABLE}?token=eq.${encodeURIComponent(token)}`, {
-        method: "DELETE",
-      });
+    async deleteAuthorization(authorizationId) {
+      await request(
+        `${AUTHORIZATION_TABLE}?authorization_id=eq.${encodeURIComponent(authorizationId)}`,
+        { method: "DELETE" },
+      );
     },
     async loadPairings() {
       const rows = await request<Array<Record<string, unknown>>>(
-        `${PAIRING_TABLE}?select=pairing_code,session_id,expires_at,claimed`,
+        `${PAIRING_TABLE}?select=pairing_code,host_device_id,expires_at,claimed`,
       );
       return rows.map((row) => ({
         pairingCode: String(row.pairing_code ?? ""),
-        sessionId: String(row.session_id ?? ""),
+        hostDeviceId: String(row.host_device_id ?? ""),
         expiresAt: isoToMs(row.expires_at),
         claimed: row.claimed === true,
-      })).filter((record) => record.pairingCode && record.sessionId);
+      })).filter((record) => record.pairingCode && record.hostDeviceId);
     },
     async savePairing(record) {
       await request(
@@ -116,7 +132,7 @@ export function createSupabaseStateStore(): GatewayStateStore | undefined {
           headers: { Prefer: "resolution=merge-duplicates" },
           body: JSON.stringify({
             pairing_code: record.pairingCode,
-            session_id: record.sessionId,
+            host_device_id: record.hostDeviceId,
             expires_at: msToIso(record.expiresAt),
             claimed: record.claimed,
           }),

package/src/tokens.ts

@@ -1,47 +1,45 @@
 import { randomUUID } from "node:crypto";
 import type { GatewayStateStore } from "./state-store.js";
 
-const CLEANUP_INTERVAL = 5 * 60_000;
-const SESSION_TTL = 7 * 24 * 60 * 60_000; // 7 days — prune stale bindings
+interface DeviceAuthorization {
+  authorizationId: string;
+  hostDeviceId: string;
+  clientDeviceId: string | undefined;
+  clientName: string | undefined;
+  createdAt: number;
+  lastUsedAt: number;
+}
 
 interface TokenRecord {
   token: string;
-  sessionIds: Set<string>;
+  authorizations: Map<string, DeviceAuthorization>;
   createdAt: number;
   lastUsedAt: number;
 }
 
-export class TokenManager {
+export class AuthorizationManager {
   private tokens = new Map<string, TokenRecord>();
-  private sessionToToken = new Map<string, string>();
-  private cleanupTimer: ReturnType<typeof setInterval>;
+  private hostDeviceToTokens = new Map<string, Set<string>>();
 
-  constructor(private readonly store?: GatewayStateStore) {
-    this.cleanupTimer = setInterval(() => this.cleanup(), CLEANUP_INTERVAL);
-  }
+  constructor(private readonly store?: GatewayStateStore) {}
 
   async hydrate(): Promise<void> {
     if (!this.store) return;
     try {
-      const records = await this.store.loadTokens();
-      const now = Date.now();
+      const records = await this.store.loadAuthorizations();
       for (const record of records) {
-        if (now - record.lastUsedAt > SESSION_TTL) {
-          void this.store.deleteToken(record.token).catch(() => {});
-          continue;
-        }
-        this.tokens.set(record.token, {
-          token: record.token,
-          sessionIds: new Set(record.sessionIds),
+        const token = this.register(record.token);
+        this.authorize(token, record.hostDeviceId, {
+          authorizationId: record.authorizationId,
+          clientDeviceId: record.clientDeviceId,
+          clientName: record.clientName,
           createdAt: record.createdAt,
           lastUsedAt: record.lastUsedAt,
+          persist: false,
         });
-        for (const sessionId of record.sessionIds) {
-          this.sessionToToken.set(sessionId, record.token);
-        }
       }
     } catch (err) {
-      process.stderr.write(`[gateway] token store hydrate failed, using memory only: ${err}\n`);
+      process.stderr.write(`[gateway] authorization store hydrate failed, using memory only: ${err}\n`);
     }
   }
 
@@ -49,83 +47,131 @@ export class TokenManager {
     if (deviceToken && this.tokens.has(deviceToken)) {
       const record = this.tokens.get(deviceToken)!;
       record.lastUsedAt = Date.now();
-      this.persist(record);
       return deviceToken;
     }
     const token = deviceToken || randomUUID();
     this.tokens.set(token, {
       token,
-      sessionIds: new Set(),
+      authorizations: new Map(),
       createdAt: Date.now(),
       lastUsedAt: Date.now(),
     });
-    this.persist(this.tokens.get(token)!);
     return token;
   }
 
-  bind(token: string, sessionId: string): boolean {
+  authorize(
+    token: string,
+    hostDeviceId: string,
+    input: {
+      authorizationId?: string;
+      clientDeviceId?: string;
+      clientName?: string;
+      createdAt?: number;
+      lastUsedAt?: number;
+      persist?: boolean;
+    } = {},
+  ): DeviceAuthorization | undefined {
     const record = this.tokens.get(token);
-    if (!record) return false;
-    record.sessionIds.add(sessionId);
-    record.lastUsedAt = Date.now();
-    this.sessionToToken.set(sessionId, token);
-    this.persist(record);
-    return true;
+    if (!record) return undefined;
+    const existing = record.authorizations.get(hostDeviceId);
+    const now = Date.now();
+    const authorization: DeviceAuthorization = {
+      authorizationId: input.authorizationId ?? existing?.authorizationId ?? randomUUID(),
+      hostDeviceId,
+      clientDeviceId: input.clientDeviceId ?? existing?.clientDeviceId,
+      clientName: input.clientName ?? existing?.clientName,
+      createdAt: input.createdAt ?? existing?.createdAt ?? now,
+      lastUsedAt: input.lastUsedAt ?? now,
+    };
+    record.authorizations.set(hostDeviceId, authorization);
+    record.lastUsedAt = now;
+    let tokens = this.hostDeviceToTokens.get(hostDeviceId);
+    if (!tokens) {
+      tokens = new Set();
+      this.hostDeviceToTokens.set(hostDeviceId, tokens);
+    }
+    tokens.add(token);
+    if (input.persist !== false) {
+      this.persist(token, authorization);
+    }
+    return authorization;
   }
 
   validate(token: string): boolean {
     const record = this.tokens.get(token);
     if (!record) return false;
     record.lastUsedAt = Date.now();
-    this.persist(record);
     return true;
   }
 
-  owns(token: string, sessionId: string): boolean {
+  owns(token: string, hostDeviceId: string): boolean {
     const record = this.tokens.get(token);
     if (!record) return false;
-    record.lastUsedAt = Date.now();
-    this.persist(record);
-    return record.sessionIds.has(sessionId);
+    const authorization = record.authorizations.get(hostDeviceId);
+    if (!authorization) return false;
+    const now = Date.now();
+    record.lastUsedAt = now;
+    authorization.lastUsedAt = now;
+    this.persist(token, authorization);
+    return true;
   }
 
-  getSessionIds(token: string): Set<string> {
+  revoke(token: string, hostDeviceId: string, authorizationId: string): boolean {
+    const record = this.tokens.get(token);
+    const authorization = record?.authorizations.get(hostDeviceId);
+    if (!record || !authorization || authorization.authorizationId !== authorizationId) {
+      return false;
+    }
+    record.authorizations.delete(hostDeviceId);
+    const tokens = this.hostDeviceToTokens.get(hostDeviceId);
+    tokens?.delete(token);
+    if (tokens && tokens.size === 0) {
+      this.hostDeviceToTokens.delete(hostDeviceId);
+    }
+    void this.store?.deleteAuthorization(authorizationId).catch((err) => {
+      process.stderr.write(`[gateway] authorization store delete failed: ${err}\n`);
+    });
+    return true;
+  }
+
+  getHostDeviceIds(token: string): Set<string> {
     const record = this.tokens.get(token);
     if (!record) return new Set();
     record.lastUsedAt = Date.now();
-    this.persist(record);
-    return record.sessionIds;
+    return new Set(record.authorizations.keys());
   }
 
-  getTokenForSession(sessionId: string): string | undefined {
-    return this.sessionToToken.get(sessionId);
+  getSessionIds(token: string): Set<string> {
+    return this.getHostDeviceIds(token);
   }
 
-  private cleanup(): void {
-    const now = Date.now();
-    for (const [token, record] of this.tokens) {
-      if (now - record.lastUsedAt > SESSION_TTL) {
-        for (const sid of record.sessionIds) {
-          this.sessionToToken.delete(sid);
-        }
-        this.tokens.delete(token);
-        void this.store?.deleteToken(token).catch(() => {});
-      }
-    }
+  getAuthorizationId(token: string, hostDeviceId: string): string | undefined {
+    return this.tokens.get(token)?.authorizations.get(hostDeviceId)?.authorizationId;
+  }
+
+  getTokenForSession(hostDeviceId: string): string | undefined {
+    return this.hostDeviceToTokens.get(hostDeviceId)?.values().next().value;
+  }
+
+  bind(token: string, hostDeviceId: string): boolean {
+    return !!this.authorize(token, hostDeviceId);
   }
 
-  private persist(record: TokenRecord): void {
-    void this.store?.saveToken({
-      token: record.token,
-      sessionIds: [...record.sessionIds],
-      createdAt: record.createdAt,
-      lastUsedAt: record.lastUsedAt,
+  private persist(token: string, authorization: DeviceAuthorization): void {
+    void this.store?.saveAuthorization({
+      token,
+      authorizationId: authorization.authorizationId,
+      hostDeviceId: authorization.hostDeviceId,
+      clientDeviceId: authorization.clientDeviceId,
+      clientName: authorization.clientName,
+      createdAt: authorization.createdAt,
+      lastUsedAt: authorization.lastUsedAt,
     }).catch((err) => {
-      process.stderr.write(`[gateway] token store save failed: ${err}\n`);
+      process.stderr.write(`[gateway] authorization store save failed: ${err}\n`);
     });
   }
 
-  destroy(): void {
-    clearInterval(this.cleanupTimer);
-  }
+  destroy(): void {}
 }
+
+export class TokenManager extends AuthorizationManager {}

package/src/tunnel.ts

@@ -26,23 +26,23 @@ export interface PendingTunnelWs {
 const pendingRequests = new Map<string, PendingTunnelRequest>();
 const pendingWsSockets = new Map<string, PendingTunnelWs>();
 
-// Track requestIds per session for cleanup on host disconnect
-const sessionRequests = new Map<string, Set<string>>();
+// Track requestIds per host device for cleanup on host disconnect
+const deviceRequests = new Map<string, Set<string>>();
 
-function trackRequest(sessionId: string, requestId: string): void {
-  let set = sessionRequests.get(sessionId);
+function trackRequest(hostDeviceId: string, requestId: string): void {
+  let set = deviceRequests.get(hostDeviceId);
   if (!set) {
     set = new Set();
-    sessionRequests.set(sessionId, set);
+    deviceRequests.set(hostDeviceId, set);
   }
   set.add(requestId);
 }
 
-function untrackRequest(sessionId: string, requestId: string): void {
-  const set = sessionRequests.get(sessionId);
+function untrackRequest(hostDeviceId: string, requestId: string): void {
+  const set = deviceRequests.get(hostDeviceId);
   if (set) {
     set.delete(requestId);
-    if (set.size === 0) sessionRequests.delete(sessionId);
+    if (set.size === 0) deviceRequests.delete(hostDeviceId);
   }
 }
 
@@ -65,19 +65,19 @@ function extractToken(req: IncomingMessage, url: URL): string | null {
   return null;
 }
 
-/** Parse lsh_tunnel cookie: "sessionId:port:token" */
-export function parseTunnelCookie(req: IncomingMessage): { sessionId: string; port: number; token: string } | null {
+/** Parse lsh_tunnel cookie: "hostDeviceId:port:token" */
+export function parseTunnelCookie(req: IncomingMessage): { hostDeviceId: string; sessionId: string; port: number; token: string } | null {
   const cookie = req.headers.cookie;
   if (!cookie) return null;
   const match = cookie.match(/lsh_tunnel=([^;]+)/);
   if (!match?.[1]) return null;
   const parts = decodeURIComponent(match[1]).split(":");
   if (parts.length < 3) return null;
-  const sessionId = parts[0]!;
+  const hostDeviceId = parts[0]!;
   const port = Number(parts[1]);
   const token = parts.slice(2).join(":"); // token may contain colons
-  if (!sessionId || isNaN(port) || port < 1 || port > 65535 || !token) return null;
-  return { sessionId, port, token };
+  if (!hostDeviceId || isNaN(port) || port < 1 || port > 65535 || !token) return null;
+  return { hostDeviceId, sessionId: hostDeviceId, port, token };
 }
 
 function errorResponse(res: ServerResponse, status: number, message: string): void {
@@ -89,32 +89,45 @@ function errorResponse(res: ServerResponse, status: number, message: string): vo
   res.end(message);
 }
 
-export function parseTunnelPath(pathname: string): { sessionId: string; port: number; path: string } | null {
+export function parseTunnelPath(pathname: string): { hostDeviceId: string; sessionId: string; port: number; path: string } | null {
   const match = pathname.match(/^\/tunnel\/([^/]+)\/(\d+)(\/.*)?$/);
   if (!match) return null;
   const port = Number(match[2]);
   if (port < 1 || port > 65535) return null;
   return {
+    hostDeviceId: match[1]!,
     sessionId: match[1]!,
     port,
     path: match[3] || "/",
   };
 }
 
+type ParsedTunnelTarget = {
+  hostDeviceId?: string;
+  sessionId?: string;
+  port: number;
+  path: string;
+};
+
 export async function handleTunnelRequest(
   req: IncomingMessage,
   res: ServerResponse,
   sessions: SessionManager,
   tokens: TokenManager,
-  parsed: { sessionId: string; port: number; path: string },
+  parsed: ParsedTunnelTarget,
   url: URL,
   preAuthToken?: string,
 ): Promise<void> {
-  const { sessionId, port, path } = parsed;
+  const hostDeviceId = parsed.hostDeviceId ?? parsed.sessionId;
+  const { port, path } = parsed;
+  if (!hostDeviceId) {
+    errorResponse(res, 400, "Missing host device id");
+    return;
+  }
 
   // Auth: device token OR Supabase JWT (userId owns session)
   const token = preAuthToken || extractToken(req, url);
-  const tokenOwns = token && tokens.owns(token, sessionId);
+  const tokenOwns = token && tokens.owns(token, hostDeviceId);
   let authOwns = false;
   let authJwt: string | null = null;
   if (!tokenOwns && AUTH_REQUIRED) {
@@ -135,7 +148,7 @@ export async function handleTunnelRequest(
           });
           if (userRes.ok) {
             const user = (await userRes.json()) as { id: string };
-            const session = sessions.get(sessionId);
+            const session = sessions.get(hostDeviceId);
             if (user.id && session?.userId && user.id === session.userId) {
               authOwns = true;
               authJwt = jwtCandidate;
@@ -153,12 +166,12 @@ export async function handleTunnelRequest(
   // Set auth cookie for subsequent sub-resource requests
   const cookieToken = tokenOwns ? token : authJwt;
   if (cookieToken) {
-    const cookieVal = encodeURIComponent(`${sessionId}:${port}:${cookieToken}`);
+    const cookieVal = encodeURIComponent(`${hostDeviceId}:${port}:${cookieToken}`);
     res.setHeader("Set-Cookie", `lsh_tunnel=${cookieVal}; Path=/; HttpOnly; SameSite=Lax`);
   }
 
   // Validate session & host
-  const session = sessions.get(sessionId);
+  const session = sessions.get(hostDeviceId);
   if (!session || !session.host || session.host.socket.readyState !== session.host.socket.OPEN) {
     errorResponse(res, 502, "Host not connected");
     return;
@@ -204,17 +217,17 @@ export async function handleTunnelRequest(
     headersSent: false,
     timeout: setTimeout(() => {
       pendingRequests.delete(requestId);
-      untrackRequest(sessionId, requestId);
+      untrackRequest(hostDeviceId, requestId);
       errorResponse(res, 504, "Tunnel request timed out");
     }, TUNNEL_TIMEOUT),
   };
   pendingRequests.set(requestId, pending);
-  trackRequest(sessionId, requestId);
+  trackRequest(hostDeviceId, requestId);
 
   // Send tunnel.request to host
   const envelope = createEnvelope({
     type: "tunnel.request",
-    sessionId,
+    hostDeviceId,
     payload: {
       requestId,
       method,
@@ -232,7 +245,7 @@ export async function handleTunnelRequest(
     if (p) {
       clearTimeout(p.timeout);
       pendingRequests.delete(requestId);
-      untrackRequest(sessionId, requestId);
+      untrackRequest(hostDeviceId, requestId);
     }
   });
 }
@@ -306,8 +319,8 @@ export function removeTunnelWs(requestId: string): void {
   pendingWsSockets.delete(requestId);
 }
 
-export function cleanupSessionTunnels(sessionId: string): void {
-  const requestIds = sessionRequests.get(sessionId);
+export function cleanupSessionTunnels(hostDeviceId: string): void {
+  const requestIds = deviceRequests.get(hostDeviceId);
   if (!requestIds) return;
   for (const rid of requestIds) {
     const pending = pendingRequests.get(rid);
@@ -322,21 +335,26 @@ export function cleanupSessionTunnels(sessionId: string): void {
       pendingWsSockets.delete(rid);
     }
   }
-  sessionRequests.delete(sessionId);
+  deviceRequests.delete(hostDeviceId);
 }
 
 export async function handleTunnelWsUpgrade(
   ws: WebSocket,
-  parsed: { sessionId: string; port: number; path: string },
+  parsed: ParsedTunnelTarget,
   url: URL,
   sessions: SessionManager,
   tokens: TokenManager,
 ): Promise<void> {
-  const { sessionId, port, path } = parsed;
+  const hostDeviceId = parsed.hostDeviceId ?? parsed.sessionId;
+  const { port, path } = parsed;
+  if (!hostDeviceId) {
+    ws.close(1008, "Missing host device id");
+    return;
+  }
 
   // Auth: device token OR Supabase JWT (userId owns session)
   const token = url.searchParams.get("token");
-  const tokenOwns = token && tokens.owns(token, sessionId);
+  const tokenOwns = token && tokens.owns(token, hostDeviceId);
   let authOwns = false;
   if (!tokenOwns && AUTH_REQUIRED) {
     // Try auth_token param first, then fall back to token param (cookie fallback stores JWT there)
@@ -352,7 +370,7 @@ export async function handleTunnelWsUpgrade(
           });
           if (userRes.ok) {
             const user = (await userRes.json()) as { id: string };
-            const session = sessions.get(sessionId);
+            const session = sessions.get(hostDeviceId);
             if (user.id && session?.userId && user.id === session.userId) {
               authOwns = true;
             }
@@ -366,7 +384,7 @@ export async function handleTunnelWsUpgrade(
     return;
   }
 
-  const session = sessions.get(sessionId);
+  const session = sessions.get(hostDeviceId);
   if (!session || !session.host || session.host.socket.readyState !== session.host.socket.OPEN) {
     ws.close(4002, "Host not connected");
     return;
@@ -377,12 +395,12 @@ export async function handleTunnelWsUpgrade(
 
   // Register this WS so host responses route here
   registerTunnelWs(requestId, ws);
-  trackRequest(sessionId, requestId);
+  trackRequest(hostDeviceId, requestId);
 
   // Send tunnel.request with upgrade header to host
   const envelope = createEnvelope({
     type: "tunnel.request",
-    sessionId,
+    hostDeviceId,
     payload: {
       requestId,
       method: "GET",
@@ -397,13 +415,13 @@ export async function handleTunnelWsUpgrade(
   // Forward data from browser WS to host
   ws.on("message", (data: Buffer | string) => {
     try {
-      const s = sessions.get(sessionId);
+      const s = sessions.get(hostDeviceId);
       if (!s?.host || s.host.socket.readyState !== s.host.socket.OPEN) return;
       const isBinary = typeof data !== "string";
       const buf = typeof data === "string" ? Buffer.from(data) : data;
       const fwd = createEnvelope({
         type: "tunnel.ws.data",
-        sessionId,
+        hostDeviceId,
         payload: {
           requestId,
           data: buf.toString("base64"),
@@ -417,13 +435,13 @@ export async function handleTunnelWsUpgrade(
   ws.on("close", (code, reason) => {
     try {
       removeTunnelWs(requestId);
-      untrackRequest(sessionId, requestId);
-      const s = sessions.get(sessionId);
+      untrackRequest(hostDeviceId, requestId);
+      const s = sessions.get(hostDeviceId);
       if (!s?.host || s.host.socket.readyState !== s.host.socket.OPEN) return;
       const safeCode = typeof code === "number" && code >= 1000 && code <= 4999 ? code : 1000;
       const fwd = createEnvelope({
         type: "tunnel.ws.close",
-        sessionId,
+        hostDeviceId,
         payload: {
           requestId,
           code: safeCode,