@vellumai/assistant 0.3.3 → 0.3.5

package/src/daemon/server.ts

@@ -1,22 +1,17 @@
 import * as net from 'node:net';
 import * as tls from 'node:tls';
-import { randomBytes } from 'node:crypto';
-import { existsSync, chmodSync, readFileSync, writeFileSync, readdirSync, watch, type FSWatcher } from 'node:fs';
+import { chmodSync, statSync, readFileSync } from 'node:fs';
 import { join } from 'node:path';
-import { getSocketPath, getSessionTokenPath, getRootDir, getWorkspaceDir, getWorkspaceSkillsDir, getSandboxWorkingDir, removeSocketFile, getTCPPort, getTCPHost, isTCPEnabled, isIOSPairingEnabled } from '../util/platform.js';
+import { getSocketPath, getSandboxWorkingDir, removeSocketFile, getTCPPort, getTCPHost, isTCPEnabled, isIOSPairingEnabled } from '../util/platform.js';
 import { ensureTlsCert } from './tls-certs.js';
 import { getLocalIPv4 } from '../util/network-info.js';
-import { hasNoAuthOverride } from './connection-policy.js';
 import { getLogger } from '../util/logger.js';
 import { getFailoverProvider, initializeProviders } from '../providers/registry.js';
 import { RateLimitProvider } from '../providers/ratelimit.js';
-import { getConfig, invalidateConfigCache } from '../config/loader.js';
+import { getConfig } from '../config/loader.js';
 import { buildSystemPrompt } from '../config/system-prompt.js';
-import { clearCache as clearTrustCache } from '../permissions/trust-store.js';
-import { resetAllowlist, validateAllowlistFile } from '../security/secret-allowlist.js';
 import { checkIngressForSecrets } from '../security/secret-ingress.js';
 import { IngressBlockedError } from '../util/errors.js';
-import { clearEmbeddingBackendCache } from '../memory/embedding-backend.js';
 import * as conversationStore from '../memory/conversation-store.js';
 import * as attachmentsStore from '../memory/attachments-store.js';
 import { Session, DEFAULT_MEMORY_POLICY, type SessionMemoryPolicy } from './session.js';
@@ -26,7 +21,6 @@ import {
   serialize,
   createMessageParser,
   MAX_LINE_SIZE,
-  type ClientMessage,
   type ServerMessage,
   normalizeThreadType,
 } from './ipc-protocol.js';
@@ -35,15 +29,15 @@ import { handleMessage, type HandlerContext, type SessionCreateOptions } from '.
 import { RunOrchestrator } from '../runtime/run-orchestrator.js';
 import { ensureBlobDir, sweepStaleBlobs } from './ipc-blob-store.js';
 import { bootstrapHomeBaseAppLink } from '../home-base/bootstrap.js';
-import { assistantEventHub } from '../runtime/assistant-event-hub.js';
-import { buildAssistantEvent } from '../runtime/assistant-event.js';
 import { SessionEvictor } from './session-evictor.js';
 import { getSubagentManager } from '../subagent/index.js';
 import { tryRouteCallMessage } from '../calls/call-bridge.js';
 import { resolveSlash } from './session-slash.js';
 import { createUserMessage, createAssistantMessage } from '../agent/message-types.js';
 import { registerDaemonCallbacks } from '../work-items/work-item-runner.js';
-import { DebouncerMap } from '../util/debounce.js';
+import { AuthManager } from './auth-manager.js';
+import { ConfigWatcher } from './config-watcher.js';
+import { IpcSender } from './ipc-handler.js';
 
 const log = getLogger('server');
 
@@ -69,41 +63,25 @@ export class DaemonServer {
   private connectedSockets = new Set<net.Socket>();
   private socketSandboxOverride = new Map<net.Socket, boolean>();
   private cuObservationParseSequence = new Map<string, number>();
-  // Persisted session options (e.g. systemPromptOverride, maxResponseTokens)
-  // so that evicted sessions can be recreated with the same overrides.
   private sessionOptions = new Map<string, SessionCreateOptions>();
-  // Guards against duplicate session creation when multiple clients connect
-  // with the same conversation ID concurrently. The first caller creates the
-  // session; subsequent callers await the same promise.
   private sessionCreating = new Map<string, Promise<Session>>();
-  // Shared across all sessions so maxRequestsPerMinute is enforced globally.
   private sharedRequestTimestamps: number[] = [];
   private socketPath: string;
   private httpPort: number | undefined;
-  private watchers: FSWatcher[] = [];
-  private debounceTimers = new DebouncerMap({
-    defaultDelayMs: 200,
-    maxEntries: 1000,
-    protectedKeyPrefix: '__',
-  });
-  private suppressConfigReload = false;
-  private lastConfigFingerprint = '';
-  private lastConfigRefreshTime = 0;
   private blobSweepTimer: ReturnType<typeof setInterval> | null = null;
-  private static readonly CONFIG_REFRESH_INTERVAL_MS = 30_000;
   private static readonly MAX_CONNECTIONS = 50;
-  private static readonly AUTH_TIMEOUT_MS = 5_000;
-  private sessionToken = '';
-  private authenticatedSockets = new Set<net.Socket>();
-  private authTimeouts = new Map<net.Socket, ReturnType<typeof setTimeout>>();
   private evictor: SessionEvictor;
 
+  // Composed subsystems
+  private auth = new AuthManager();
+  private configWatcher = new ConfigWatcher();
+  private ipc = new IpcSender();
+
   /**
-   * Derive a SessionMemoryPolicy from the conversation's thread type and
-   * memory scope. Private conversations get an isolated scope with strict
-   * side-effect controls and default-fallback recall; standard conversations
-   * use the shared default scope with no restrictions.
+   * Logical assistant identifier used when publishing to the assistant-events hub.
    */
+  assistantId: string = 'default';
+
   private deriveMemoryPolicy(conversationId: string): SessionMemoryPolicy {
     const threadType = conversationStore.getConversationThreadType(conversationId);
     if (threadType === 'private') {
@@ -119,35 +97,20 @@ export class DaemonServer {
   private applyTransportMetadata(_session: Session, options: SessionCreateOptions | undefined): void {
     const transport = options?.transport;
     if (!transport) return;
-
-    // Transport metadata is available for future use but onboarding context
-    // is now handled via BOOTSTRAP.md in the system prompt.
     log.debug({ channelId: transport.channelId }, 'Transport metadata received');
   }
 
-  /**
-   * Logical assistant identifier used when publishing to the assistant-events hub.
-   * Defaults to 'default' for the IPC daemon runtime; override in tests or
-   * multi-tenant deployments where the daemon is scoped to a specific assistant.
-   */
-  assistantId: string = 'default';
-
   constructor() {
     this.socketPath = getSocketPath();
     this.evictor = new SessionEvictor(this.sessions);
-    // Share the global rate-limit timestamps with the subagent manager.
     getSubagentManager().sharedRequestTimestamps = this.sharedRequestTimestamps;
-    // Abort subagents when their parent session is evicted.
     this.evictor.onEvict = (sessionId: string) => {
       getSubagentManager().abortAllForParent(sessionId);
     };
-    // Protect parent sessions that have active subagents from eviction.
     this.evictor.shouldProtect = (sessionId: string) => {
       const children = getSubagentManager().getChildrenOf(sessionId);
       return children.some((c) => c.status === 'running' || c.status === 'pending');
     };
-    // When a subagent finishes, inject the result into the parent session
-    // so the LLM automatically informs the user.
     getSubagentManager().onSubagentFinished = (parentSessionId, message, sendToClient, notification) => {
       const parentSession = this.sessions.get(parentSessionId);
       if (!parentSession) {
@@ -155,7 +118,6 @@ export class DaemonServer {
         return;
       }
       const requestId = `subagent-notify-${Date.now()}`;
-      // Store structured notification data in the DB for history reconstruction
       const metadata = { subagentNotification: notification };
       const enqueueResult = parentSession.enqueueMessage(message, [], sendToClient, requestId, undefined, undefined, metadata);
       if (enqueueResult.rejected) {
@@ -163,26 +125,38 @@ export class DaemonServer {
         return;
       }
       if (!enqueueResult.queued) {
-        // Parent is idle — send directly.
         const messageId = parentSession.persistUserMessage(message, [], undefined, metadata);
         parentSession.runAgentLoop(message, messageId, sendToClient).catch((err) => {
           log.error({ parentSessionId, err }, 'Failed to process subagent notification in parent');
         });
       }
-      // If queued, it will be processed when the parent finishes its current turn.
     };
   }
 
+  // ── Send / Broadcast wrappers ───────────────────────────────────────
+
+  private send(socket: net.Socket, msg: ServerMessage): void {
+    this.ipc.send(socket, msg, this.socketToSession, this.assistantId);
+  }
+
+  broadcast(msg: ServerMessage, excludeSocket?: net.Socket): void {
+    this.ipc.broadcast(
+      this.auth.getAuthenticatedSockets(),
+      msg,
+      this.socketToSession,
+      this.assistantId,
+      excludeSocket,
+    );
+  }
+
+  // ── Server lifecycle ────────────────────────────────────────────────
+
   async start(): Promise<void> {
-    // Clean up stale socket (only if it's actually a Unix socket)
     removeSocketFile(this.socketPath);
 
-    // Initialize providers from config so they're available before any
-    // session is created. Without this, getProvider() throws because the
-    // registry is empty until a config file change triggers a reload.
     const config = getConfig();
     initializeProviders(config);
-    this.lastConfigFingerprint = this.configFingerprint(config);
+    this.configWatcher.initFingerprint(config);
 
     try {
       bootstrapHomeBaseAppLink();
@@ -192,7 +166,6 @@ export class DaemonServer {
 
     this.evictor.start();
 
-    // Register daemon callbacks so tools can trigger work item execution
     registerDaemonCallbacks({
       getOrCreateSession: (conversationId) => this.getOrCreateSession(conversationId),
       broadcast: (msg) => this.broadcast(msg),
@@ -205,30 +178,9 @@ export class DaemonServer {
       });
     }, 5 * 60 * 1000);
 
-    this.startFileWatchers();
-
-    // Reuse existing session token from disk if present, so pairing
-    // (e.g. iOS QR code) survives daemon restarts. Only generate a
-    // new token when none exists on disk.
-    const tokenPath = getSessionTokenPath();
-    let existingToken: string | null = null;
-    try {
-      const raw = readFileSync(tokenPath, 'utf-8').trim();
-      if (raw.length >= 32) existingToken = raw;
-    } catch { /* file doesn't exist yet */ }
+    this.configWatcher.start(() => this.evictSessionsForReload());
+    this.auth.initToken();
 
-    if (existingToken) {
-      this.sessionToken = existingToken;
-      log.info({ tokenPath }, 'Reusing existing session token');
-    } else {
-      this.sessionToken = randomBytes(32).toString('hex');
-      writeFileSync(tokenPath, this.sessionToken, { mode: 0o600 });
-      chmodSync(tokenPath, 0o600);
-      log.info({ tokenPath }, 'New session token generated');
-    }
-
-    // Generate TLS certificate before starting listeners so it's
-    // available synchronously in the listen callback.
     let tlsCreds: { cert: string; key: string; fingerprint: string } | null = null;
     if (isTCPEnabled()) {
       try {
@@ -253,15 +205,23 @@ export class DaemonServer {
 
       this.server.listen(this.socketPath, () => {
         process.umask(oldUmask);
-        // Replace the one-shot startup handler with a permanent one
         this.server!.removeAllListeners('error');
         this.server!.on('error', (err) => {
           log.error({ err, socketPath: this.socketPath }, 'Server socket error while running');
         });
         chmodSync(this.socketPath, 0o600);
+        // Validate the chmod actually took effect — some filesystems
+        // (e.g. FAT32 mounts, container overlays) silently ignore chmod.
+        const socketStat = statSync(this.socketPath);
+        if ((socketStat.mode & 0o077) !== 0) {
+          const actual = '0o' + (socketStat.mode & 0o777).toString(8);
+          log.error(
+            { socketPath: this.socketPath, mode: actual },
+            'IPC socket is accessible by other users (expected 0600) — filesystem may not support Unix permissions',
+          );
+        }
         log.info({ socketPath: this.socketPath }, 'Daemon server listening');
 
-        // Start TLS-encrypted TCP listener for iOS clients (alongside the Unix socket)
         if (tlsCreds) {
           const tcpPort = getTCPPort();
           const tcpHost = getTCPHost();
@@ -301,22 +261,9 @@ export class DaemonServer {
       clearInterval(this.blobSweepTimer);
       this.blobSweepTimer = null;
     }
-    this.stopFileWatchers();
-
-    // Session token is intentionally kept on disk so pairing
-    // (e.g. iOS QR code) survives daemon restarts. To regenerate,
-    // delete ~/.vellum/session-token and restart the daemon.
+    this.configWatcher.stop();
+    this.auth.cleanupAll();
 
-    for (const timer of this.authTimeouts.values()) {
-      clearTimeout(timer);
-    }
-    this.authTimeouts.clear();
-    this.authenticatedSockets.clear();
-
-    // 1. Stop accepting new connections first. server.close() prevents new
-    //    connections from arriving, so the cleanup below won't race with
-    //    handleConnection() adding sockets that never get destroyed.
-    //    Its callback fires once all existing connections have ended.
     const serverClosed = new Promise<void>((resolve) => {
       if (this.server) {
         this.server.close(() => {
@@ -341,8 +288,6 @@ export class DaemonServer {
       }
     });
 
-    // 2. Now dispose sessions and destroy sockets. This lets server.close()
-    //    finish promptly since all connections will be ended.
     for (const session of this.sessions.values()) {
       session.dispose();
     }
@@ -366,247 +311,7 @@ export class DaemonServer {
     log.info('Daemon server stopped');
   }
 
-  private startFileWatchers(): void {
-    const rootDir = getRootDir();
-    const workspaceDir = getWorkspaceDir();
-    const protectedDir = join(rootDir, 'protected');
-
-    // Watch workspace directory for config + prompt files
-    const workspaceHandlers: Record<string, () => void> = {
-      'config.json': () => {
-        if (this.suppressConfigReload) return;
-        try {
-          this.refreshConfigFromSources();
-        } catch (err) {
-          log.error({ err, configPath: join(workspaceDir, 'config.json') }, 'Failed to reload config after file change. Previous config remains active.');
-          return;
-        }
-      },
-      'SOUL.md': () => this.evictSessionsForReload(),
-      'IDENTITY.md': () => this.evictSessionsForReload(),
-      'USER.md': () => this.evictSessionsForReload(),
-      'LOOKS.md': () => this.evictSessionsForReload(),
-    };
-
-    // Watch protected/ for trust rules and secret allowlist
-    const protectedHandlers: Record<string, () => void> = {
-      'trust.json': () => {
-        clearTrustCache();
-      },
-      'secret-allowlist.json': () => {
-        resetAllowlist();
-        try {
-          const errors = validateAllowlistFile();
-          if (errors && errors.length > 0) {
-            for (const e of errors) {
-              log.warn({ index: e.index, pattern: e.pattern }, `Invalid regex in secret-allowlist.json: ${e.message}`);
-            }
-          }
-        } catch (err) {
-          log.warn({ err }, 'Failed to validate secret-allowlist.json');
-        }
-      },
-    };
-
-    const watchDir = (dir: string, handlers: Record<string, () => void>, label: string): void => {
-      try {
-        const watcher = watch(dir, (_eventType, filename) => {
-          if (!filename) return;
-          const file = String(filename);
-          if (!handlers[file]) return;
-          this.debounceTimers.schedule(`file:${file}`, () => {
-            log.info({ file }, 'File changed, reloading');
-            handlers[file]();
-          });
-        });
-        this.watchers.push(watcher);
-        log.info({ dir }, `Watching ${label}`);
-      } catch (err) {
-        log.warn({ err, dir }, `Failed to watch ${label}. Hot-reload will be unavailable.`);
-      }
-    };
-
-    watchDir(workspaceDir, workspaceHandlers, 'workspace directory for config/prompt changes');
-    if (existsSync(protectedDir)) {
-      watchDir(protectedDir, protectedHandlers, 'protected directory for trust/allowlist changes');
-    }
-
-    this.startSkillsWatchers(() => this.evictSessionsForReload());
-  }
-
-  private configFingerprint(config: ReturnType<typeof getConfig>): string {
-    return JSON.stringify(config);
-  }
-
-  /**
-   * Record the runtime HTTP server port and broadcast it to all
-   * connected clients so they can enable the share UI immediately.
-   */
-  setHttpPort(port: number): void {
-    this.httpPort = port;
-    // Clients that connected before the HTTP server started received
-    // daemon_status with no httpPort. Broadcast the updated port so
-    // they can enable the share UI without reconnecting.
-    this.broadcast({
-      type: 'daemon_status',
-      httpPort: port,
-      version: daemonVersion,
-    });
-  }
-
-  /**
-   * Dispose and remove all in-memory sessions unconditionally.
-   * Called after `sessions clear` wipes the database so that stale
-   * sessions don't reference deleted conversation rows.
-   */
-  clearAllSessions(): number {
-    const count = this.sessions.size;
-    const subagentManager = getSubagentManager();
-    for (const id of this.sessions.keys()) {
-      this.evictor.remove(id);
-      subagentManager.abortAllForParent(id);
-    }
-    for (const session of this.sessions.values()) {
-      session.dispose();
-    }
-    this.sessions.clear();
-    this.sessionOptions.clear();
-    return count;
-  }
-
-  private evictSessionsForReload(): void {
-    const subagentManager = getSubagentManager();
-    for (const [id, session] of this.sessions) {
-      if (!session.isProcessing()) {
-        subagentManager.abortAllForParent(id);
-        session.dispose();
-        this.sessions.delete(id);
-        this.evictor.remove(id);
-      } else {
-        session.markStale();
-      }
-    }
-  }
-
-  /**
-   * Reload config from disk + secure storage, and refresh providers only
-   * when effective config values (including API keys) have changed.
-   */
-  private refreshConfigFromSources(): boolean {
-    invalidateConfigCache();
-    const config = getConfig();
-    const fingerprint = this.configFingerprint(config);
-    if (fingerprint === this.lastConfigFingerprint) {
-      return false;
-    }
-    // Default trust rules depend on config (e.g. skills.load.extraDirs),
-    // so clear the trust cache so rules are regenerated from fresh config.
-    clearTrustCache();
-    clearEmbeddingBackendCache();
-    const isFirstInit = this.lastConfigFingerprint === '';
-    initializeProviders(config);
-    this.lastConfigFingerprint = fingerprint;
-    if (!isFirstInit) {
-      this.evictSessionsForReload();
-    }
-    return true;
-  }
-
-  private stopFileWatchers(): void {
-    this.debounceTimers.cancelAll();
-    for (const watcher of this.watchers) {
-      watcher.close();
-    }
-    this.watchers = [];
-  }
-
-  private startSkillsWatchers(evictSessions: () => void): void {
-    const skillsDir = getWorkspaceSkillsDir();
-    if (!existsSync(skillsDir)) return;
-
-    const scheduleSkillsReload = (file: string): void => {
-      this.debounceTimers.schedule(`skills:${file}`, () => {
-        log.info({ file }, 'Skill file changed, reloading');
-        evictSessions();
-      });
-    };
-
-    try {
-      const recursiveWatcher = watch(skillsDir, { recursive: true }, (_eventType, filename) => {
-        scheduleSkillsReload(filename ? String(filename) : '(unknown)');
-      });
-      this.watchers.push(recursiveWatcher);
-      log.info({ dir: skillsDir }, 'Watching skills directory recursively');
-      return;
-    } catch (err) {
-      log.info({ err, dir: skillsDir }, 'Recursive skills watch unavailable; using per-directory watchers');
-    }
-
-    const childWatchers = new Map<string, FSWatcher>();
-
-    const watchDir = (dirPath: string, onChange: (filename: string) => void): FSWatcher | null => {
-      try {
-        const watcher = watch(dirPath, (_eventType, filename) => {
-          onChange(filename ? String(filename) : '(unknown)');
-        });
-        this.watchers.push(watcher);
-        return watcher;
-      } catch (err) {
-        log.warn({ err, dirPath }, 'Failed to watch skills directory');
-        return null;
-      }
-    };
-
-    const removeWatcher = (watcher: FSWatcher): void => {
-      const idx = this.watchers.indexOf(watcher);
-      if (idx !== -1) {
-        this.watchers.splice(idx, 1);
-      }
-    };
-
-    const refreshChildWatchers = (): void => {
-      const nextChildDirs = new Set<string>();
-
-      try {
-        const entries = readdirSync(skillsDir, { withFileTypes: true });
-        for (const entry of entries) {
-          if (!entry.isDirectory()) continue;
-          const childDir = join(skillsDir, entry.name);
-          nextChildDirs.add(childDir);
-
-          if (childWatchers.has(childDir)) continue;
-
-          const watcher = watchDir(childDir, (filename) => {
-            const label = filename === '(unknown)' ? entry.name : `${entry.name}/${filename}`;
-            scheduleSkillsReload(label);
-          });
-          if (watcher) {
-            childWatchers.set(childDir, watcher);
-          }
-        }
-      } catch (err) {
-        log.warn({ err, skillsDir }, 'Failed to enumerate skill directories');
-        return;
-      }
-
-      for (const [childDir, watcher] of childWatchers.entries()) {
-        if (nextChildDirs.has(childDir)) continue;
-        watcher.close();
-        childWatchers.delete(childDir);
-        removeWatcher(watcher);
-      }
-    };
-
-    const rootWatcher = watchDir(skillsDir, (filename) => {
-      scheduleSkillsReload(filename);
-      refreshChildWatchers();
-    });
-
-    if (!rootWatcher) return;
-
-    refreshChildWatchers();
-    log.info({ dir: skillsDir }, 'Watching skills directory with non-recursive fallback');
-  }
+  // ── Connection handling ─────────────────────────────────────────────
 
   private handleConnection(socket: net.Socket): void {
     if (this.connectedSockets.size >= DaemonServer.MAX_CONNECTIONS) {
@@ -623,14 +328,8 @@ export class DaemonServer {
     this.connectedSockets.add(socket);
     const parser = createMessageParser({ maxLineSize: MAX_LINE_SIZE });
 
-    // When the operator explicitly opts into unauthenticated connections
-    // (VELLUM_DAEMON_NOAUTH=1), auto-authenticate so clients that can't
-    // read the local session token file (e.g. SSH-forwarded sockets)
-    // aren't disconnected by the auth timeout. This is intentionally
-    // gated on a separate flag — a custom socket path alone (via
-    // VELLUM_DAEMON_SOCKET) no longer bypasses token auth.
-    if (hasNoAuthOverride()) {
-      this.authenticatedSockets.add(socket);
+    if (this.auth.shouldAutoAuth()) {
+      this.auth.markAuthenticated(socket);
       log.warn('Auto-authenticated client (VELLUM_DAEMON_NOAUTH is set — token auth bypassed)');
       this.send(socket, { type: 'auth_result', success: true });
       this.sendInitialSession(socket).catch((err) => {
@@ -638,17 +337,10 @@ export class DaemonServer {
       });
     }
 
-    // Require authentication before sending session info or accepting
-    // commands. Clients must send { type: 'auth', token } as their
-    // first message within AUTH_TIMEOUT_MS.
-    const authTimer = setTimeout(() => {
-      if (!this.authenticatedSockets.has(socket)) {
-        log.warn('Client failed to authenticate within timeout, disconnecting');
-        this.send(socket, { type: 'error', message: 'Authentication timeout' });
-        socket.destroy();
-      }
-    }, DaemonServer.AUTH_TIMEOUT_MS);
-    this.authTimeouts.set(socket, authTimer);
+    this.auth.startTimeout(socket, () => {
+      this.send(socket, { type: 'error', message: 'Authentication timeout' });
+      socket.destroy();
+    });
 
     socket.on('data', (data) => {
       const chunkReceivedAtMs = Date.now();
@@ -689,40 +381,31 @@ export class DaemonServer {
           return;
         }
 
-        // Auth gate: first message must be 'auth' with a valid token.
-        if (!this.authenticatedSockets.has(socket)) {
-          const pendingTimer = this.authTimeouts.get(socket);
-          if (pendingTimer) {
-            clearTimeout(pendingTimer);
-            this.authTimeouts.delete(socket);
-          }
+        // Auth gate
+        if (!this.auth.isAuthenticated(socket)) {
+          this.auth.clearTimeout(socket);
 
           if (result.message.type === 'auth') {
             const authMsg = result.message as { type: 'auth'; token: string };
-            if (authMsg.token === this.sessionToken) {
-              this.authenticatedSockets.add(socket);
+            if (this.auth.authenticate(socket, authMsg.token)) {
               this.send(socket, { type: 'auth_result', success: true });
               this.sendInitialSession(socket).catch((err) => {
                 log.error({ err }, 'Failed to send initial session info after auth');
               });
             } else {
-              log.warn('Client provided invalid auth token');
               this.send(socket, { type: 'auth_result', success: false, message: 'Invalid token' });
               socket.destroy();
             }
             continue;
           }
 
-          // Non-auth message from unauthenticated socket
           log.warn({ type: result.message.type }, 'Unauthenticated client sent non-auth message, disconnecting');
           this.send(socket, { type: 'error', message: 'Authentication required' });
           socket.destroy();
           return;
         }
 
-        // If an already-authenticated socket sends an auth message (e.g.
-        // auto-auth'd client that also has a local token), respond with
-        // auth_result so the client doesn't hang waiting for the handshake.
+        // Already-authenticated socket sending auth (e.g. auto-auth'd + local token)
         if (result.message.type === 'auth') {
           this.send(socket, { type: 'auth_result', success: true });
           continue;
@@ -733,12 +416,7 @@ export class DaemonServer {
     });
 
     socket.on('close', () => {
-      const pendingAuthTimer = this.authTimeouts.get(socket);
-      if (pendingAuthTimer) {
-        clearTimeout(pendingAuthTimer);
-        this.authTimeouts.delete(socket);
-      }
-      this.authenticatedSockets.delete(socket);
+      this.auth.cleanupSocket(socket);
       this.connectedSockets.delete(socket);
       this.socketSandboxOverride.delete(socket);
       const sessionId = this.socketToSession.get(socket);
@@ -770,63 +448,47 @@ export class DaemonServer {
     });
   }
 
-  /** Low-level wire write — does not publish to the assistant-events hub. */
-  private writeToSocket(socket: net.Socket, msg: ServerMessage): void {
-    if (!socket.destroyed && socket.writable) {
-      socket.write(serialize(msg));
-    }
-  }
+  // ── Session management ──────────────────────────────────────────────
 
-  private send(socket: net.Socket, msg: ServerMessage): void {
-    this.writeToSocket(socket, msg);
-    // Best-effort sessionId: prefer message field, fall back to socket binding.
-    const msgRecord = msg as unknown as Record<string, unknown>;
-    const sessionId =
-      ('sessionId' in msg && typeof msgRecord.sessionId === 'string'
-        ? msgRecord.sessionId as string
-        : undefined) ?? this.socketToSession.get(socket);
-    this.publishAssistantEvent(msg, sessionId, this.assistantId);
+  setHttpPort(port: number): void {
+    this.httpPort = port;
+    this.broadcast({
+      type: 'daemon_status',
+      httpPort: port,
+      version: daemonVersion,
+    });
   }
 
-  broadcast(msg: ServerMessage, excludeSocket?: net.Socket): void {
-    for (const socket of this.authenticatedSockets) {
-      if (socket === excludeSocket) continue;
-      this.writeToSocket(socket, msg);  // bypass per-socket hub publish
+  clearAllSessions(): number {
+    const count = this.sessions.size;
+    const subagentManager = getSubagentManager();
+    for (const id of this.sessions.keys()) {
+      this.evictor.remove(id);
+      subagentManager.abortAllForParent(id);
+    }
+    for (const session of this.sessions.values()) {
+      session.dispose();
     }
-    // Publish once for the broadcast. Prefer message-level sessionId; fall back
-    // to excludeSocket's session binding so session-scoped events (e.g.
-    // assistant_text_delta emitted without a sessionId field) are correctly tagged.
-    const msgRecord = msg as unknown as Record<string, unknown>;
-    const sessionId =
-      ('sessionId' in msg && typeof msgRecord.sessionId === 'string'
-        ? msgRecord.sessionId as string
-        : undefined) ?? (excludeSocket ? this.socketToSession.get(excludeSocket) : undefined);
-    this.publishAssistantEvent(msg, sessionId, this.assistantId);
+    this.sessions.clear();
+    this.sessionOptions.clear();
+    return count;
   }
 
-  /**
-   * Publish `msg` as an `AssistantEvent` to the process-level hub.
-   * Publishes are serialized via a promise chain so that subscribers always
-   * observe events in the order they were sent (e.g. text deltas before
-   * message_complete), even when subscriber callbacks are async.
-   */
-  private _hubChain: Promise<void> = Promise.resolve();
-
-  private publishAssistantEvent(msg: ServerMessage, sessionId?: string, assistantId?: string): void {
-    const event = buildAssistantEvent(assistantId ?? this.assistantId, msg, sessionId);
-    this._hubChain = this._hubChain
-      .then(() => assistantEventHub.publish(event))
-      .catch((err: unknown) => {
-        log.warn({ err }, 'assistant-events hub subscriber threw during IPC send');
-      });
+  private evictSessionsForReload(): void {
+    const subagentManager = getSubagentManager();
+    for (const [id, session] of this.sessions) {
+      if (!session.isProcessing()) {
+        subagentManager.abortAllForParent(id);
+        session.dispose();
+        this.sessions.delete(id);
+        this.evictor.remove(id);
+      } else {
+        session.markStale();
+      }
+    }
   }
 
   private async sendInitialSession(socket: net.Socket): Promise<void> {
-    // Only send session info for an existing conversation. Don't create one —
-    // the client will create its own session via session_create when the user
-    // sends a message. Creating one here would produce an orphaned session
-    // that the macOS client rejects (correlation ID mismatch) but that still
-    // appears in session_list on subsequent launches.
     const conversation = conversationStore.getLatestConversation();
     if (!conversation) {
       this.send(socket, {
@@ -837,8 +499,6 @@ export class DaemonServer {
       return;
     }
 
-    // Warm session state for commands like undo/usage after reconnect without
-    // rebinding the active IPC output client to this passive socket.
     await this.getOrCreateSession(conversation.id, undefined, false);
 
     this.send(socket, {
@@ -869,12 +529,9 @@ export class DaemonServer {
       if (!rebindClient || !socket) return;
       target.updateClient(sendToClient);
       target.setSandboxOverride(this.socketSandboxOverride.get(socket));
-      // Update the sender for any active child subagents so they route
-      // through the new socket instead of the stale one from spawn time.
       getSubagentManager().updateParentSender(conversationId, sendToClient);
     };
 
-    // Persist session options so they survive eviction/recreation.
     if (options && Object.values(options).some(v => v !== undefined)) {
       this.sessionOptions.set(conversationId, {
         ...this.sessionOptions.get(conversationId),
@@ -883,16 +540,11 @@ export class DaemonServer {
     }
 
     if (!session || (session.isStale() && !session.isProcessing())) {
-      // Dispose the outgoing stale session before replacing it.
       if (session) {
         getSubagentManager().abortAllForParent(conversationId);
         session.dispose();
       }
 
-      // Check if another caller is already creating this session.
-      // Without this guard, two concurrent getOrCreateSession calls for the
-      // same conversationId would both pass the null/stale check, both create
-      // a Session + loadFromDb(), and the second set() would orphan the first.
       const pending = this.sessionCreating.get(conversationId);
       if (pending) {
         session = await pending;
@@ -900,7 +552,6 @@ export class DaemonServer {
         return session;
       }
 
-      // Recover stored options for this conversation (survives eviction).
       const storedOptions = this.sessionOptions.get(conversationId);
 
       const createPromise = (async () => {
@@ -926,9 +577,6 @@ export class DaemonServer {
           (msg) => this.broadcast(msg, socket),
           memoryPolicy,
         );
-        // When created without a socket (HTTP path), mark the session
-        // so interactive prompts (e.g. host attachment reads) can fail
-        // fast instead of waiting for a timeout with no client to respond.
         if (!socket) {
           newSession.updateClient(sendToClient, true);
         }
@@ -949,7 +597,6 @@ export class DaemonServer {
       }
       this.evictor.touch(conversationId);
     } else {
-      // Rebind to the new socket so IPC goes to the current client.
       maybeBindClient(session);
       this.applyTransportMetadata(session, options);
       this.evictor.touch(conversationId);
@@ -957,6 +604,8 @@ export class DaemonServer {
     return session;
   }
 
+  // ── Message dispatch ────────────────────────────────────────────────
+
   private handlerContext(): HandlerContext {
     return {
       sessions: this.sessions,
@@ -966,12 +615,11 @@ export class DaemonServer {
       cuObservationParseSequence: this.cuObservationParseSequence,
       socketSandboxOverride: this.socketSandboxOverride,
       sharedRequestTimestamps: this.sharedRequestTimestamps,
-      debounceTimers: this.debounceTimers,
-      suppressConfigReload: this.suppressConfigReload,
-      setSuppressConfigReload: (value: boolean) => { this.suppressConfigReload = value; },
+      debounceTimers: this.configWatcher.timers,
+      suppressConfigReload: this.configWatcher.suppressConfigReload,
+      setSuppressConfigReload: (value: boolean) => { this.configWatcher.suppressConfigReload = value; },
       updateConfigFingerprint: () => {
-        this.lastConfigFingerprint = this.configFingerprint(getConfig());
-        this.lastConfigRefreshTime = Date.now();
+        this.configWatcher.updateFingerprint();
       },
       send: (socket, msg) => this.send(socket, msg),
       broadcast: (msg) => this.broadcast(msg),
@@ -982,13 +630,14 @@ export class DaemonServer {
     };
   }
 
-  private dispatchMessage(msg: ClientMessage, socket: net.Socket): void {
+  private dispatchMessage(msg: Parameters<typeof handleMessage>[0], socket: net.Socket): void {
     if (msg.type !== 'ping') {
       const now = Date.now();
-      if (now - this.lastConfigRefreshTime >= DaemonServer.CONFIG_REFRESH_INTERVAL_MS) {
+      if (now - this.configWatcher.lastConfigRefreshTime >= ConfigWatcher.REFRESH_INTERVAL_MS) {
         try {
-          this.refreshConfigFromSources();
-          this.lastConfigRefreshTime = now;
+          const changed = this.configWatcher.refreshConfigFromSources();
+          if (changed) this.evictSessionsForReload();
+          this.configWatcher.lastConfigRefreshTime = now;
         } catch (err) {
           log.warn({ err }, 'Failed to refresh config from secure sources before handling IPC message');
         }
@@ -997,12 +646,8 @@ export class DaemonServer {
     handleMessage(msg, socket, this.handlerContext());
   }
 
-  /**
-   * Persist a user message and start the agent loop in the background.
-   * Returns the messageId immediately without waiting for the agent loop
-   * to complete. Used by the HTTP sendMessage endpoint so the response
-   * is not blocked for the duration of the agent loop.
-   */
+  // ── HTTP message processing ─────────────────────────────────────────
+
   async persistAndProcessMessage(
     conversationId: string,
     content: string,
@@ -1010,7 +655,6 @@ export class DaemonServer {
     options?: SessionCreateOptions,
     sourceChannel?: string,
   ): Promise<{ messageId: string }> {
-    // Block inbound content that contains secrets — mirrors the IPC check in sessions.ts
     const ingressCheck = checkIngressForSecrets(content);
     if (ingressCheck.blocked) {
       throw new IngressBlockedError(ingressCheck.userNotice!, ingressCheck.detectedTypes);
@@ -1018,15 +662,14 @@ export class DaemonServer {
 
     const session = await this.getOrCreateSession(conversationId, undefined, true, options);
 
-    // Reject concurrent requests upfront. The HTTP path should never use
-    // the message queue — it returns 409 to the caller instead.
     if (session.isProcessing()) {
       throw new Error('Session is already processing a message');
     }
 
+    session.setAssistantId(options?.assistantId ?? 'self');
+    session.setGuardianContext(options?.guardianContext ?? null);
     session.setChannelCapabilities(resolveChannelCapabilities(sourceChannel));
 
-    // Resolve attachment IDs to full attachment data for the session
     const attachments = attachmentIds
       ? attachmentsStore.getAttachmentsByIds(attachmentIds).map((a) => ({
           id: a.id,
@@ -1036,15 +679,9 @@ export class DaemonServer {
         }))
       : [];
 
-    // Persist the user message immediately after the isProcessing() guard.
-    // This synchronously sets session.processing = true, closing the race
-    // window that previously existed between the guard and the async bridge
-    // check (two concurrent requests could both pass isProcessing() and
-    // race into message handling).
     const requestId = crypto.randomUUID();
     const messageId = session.persistUserMessage(content, attachments, requestId);
 
-    // Now that the processing lock is held, check the call-answer bridge.
     let bridgeHandled = false;
     try {
       const bridgeResult = await tryRouteCallMessage(conversationId, content, messageId);
@@ -1054,16 +691,12 @@ export class DaemonServer {
     }
 
     if (bridgeHandled) {
-      // The message was consumed by the call system. Release the session.
       resetSessionProcessingState(session);
-      // Drain any queued messages that arrived while processing was true.
       session.drainQueue('loop_complete');
       log.info({ conversationId, messageId }, 'User message consumed by call bridge, skipping agent loop');
       return { messageId };
     }
 
-    // Fire-and-forget the agent loop. Errors are logged but do not
-    // affect the HTTP response (the client polls GET /messages).
     session.runAgentLoop(content, messageId, () => {}).catch((err) => {
       log.error({ err, conversationId }, 'Background agent loop failed');
     });
@@ -1071,11 +704,6 @@ export class DaemonServer {
     return { messageId };
   }
 
-  /**
-   * Process a message from the HTTP runtime API (blocking).
-   * Gets or creates a session and runs the full agent loop before returning.
-   * Used by the channel inbound endpoint which needs the assistant reply.
-   */
   async processMessage(
     conversationId: string,
     content: string,
@@ -1083,7 +711,6 @@ export class DaemonServer {
     options?: SessionCreateOptions,
     sourceChannel?: string,
   ): Promise<{ messageId: string }> {
-    // Block inbound content that contains secrets — mirrors the IPC check in sessions.ts
     const ingressCheck = checkIngressForSecrets(content);
     if (ingressCheck.blocked) {
       throw new IngressBlockedError(ingressCheck.userNotice!, ingressCheck.detectedTypes);
@@ -1095,9 +722,10 @@ export class DaemonServer {
       throw new Error('Session is already processing a message');
     }
 
+    session.setAssistantId(options?.assistantId ?? 'self');
+    session.setGuardianContext(options?.guardianContext ?? null);
     session.setChannelCapabilities(resolveChannelCapabilities(sourceChannel));
 
-    // Resolve attachment IDs to full attachment data for the session
     const attachments = attachmentIds
       ? attachmentsStore.getAttachmentsByIds(attachmentIds).map((a) => ({
           id: a.id,
@@ -1107,12 +735,8 @@ export class DaemonServer {
         }))
       : [];
 
-    // Resolve slash commands before persistence (synchronous — no race window).
     const slashResult = resolveSlash(content);
 
-    // Unknown slash command — persist the exchange (user + assistant) and
-    // return immediately. This path doesn't set processing=true since no
-    // agent loop runs, so there is no race concern.
     if (slashResult.kind === 'unknown') {
       const userMsg = createUserMessage(content, attachments);
       const persisted = conversationStore.addMessage(
@@ -1134,26 +758,19 @@ export class DaemonServer {
 
     const resolvedContent = slashResult.content;
 
-    // Preactivate skill tools when slash resolution identifies a known skill
     if (slashResult.kind === 'rewritten') {
       (session as unknown as { preactivatedSkillIds?: string[] }).preactivatedSkillIds = [slashResult.skillId];
     }
 
-    // Persist the user message immediately after the isProcessing() guard.
-    // This synchronously sets session.processing = true, closing the race
-    // window that previously existed between the guard and the async bridge
-    // check.
     const requestId = crypto.randomUUID();
     let messageId: string;
     try {
       messageId = session.persistUserMessage(resolvedContent, attachments, requestId);
     } catch (err) {
-      // runAgentLoop never ran, so its finally block won't clear this
       (session as unknown as { preactivatedSkillIds?: string[] }).preactivatedSkillIds = undefined;
       throw err;
     }
 
-    // Now that the processing lock is held, check the call-answer bridge.
     let bridgeHandled = false;
     try {
       const bridgeResult = await tryRouteCallMessage(conversationId, resolvedContent, messageId);
@@ -1163,28 +780,22 @@ export class DaemonServer {
     }
 
     if (bridgeHandled) {
-      // The message was consumed by the call system. Release the session.
       (session as unknown as { preactivatedSkillIds?: string[] }).preactivatedSkillIds = undefined;
       resetSessionProcessingState(session);
-      // Drain any queued messages that arrived while processing was true.
       session.drainQueue('loop_complete');
       log.info({ conversationId, messageId }, 'User message consumed by call bridge, skipping agent loop');
       return { messageId };
     }
 
-    // Run the agent loop (blocking — the channel inbound endpoint needs the reply).
     await session.runAgentLoop(resolvedContent, messageId, () => {});
 
     return { messageId };
   }
 
-  /**
-   * Create a RunOrchestrator wired to this server's session management.
-   */
   createRunOrchestrator(): RunOrchestrator {
     return new RunOrchestrator({
-      getOrCreateSession: (conversationId) =>
-        this.getOrCreateSession(conversationId),
+      getOrCreateSession: (conversationId, transport) =>
+        this.getOrCreateSession(conversationId, undefined, true, transport ? { transport } : undefined),
       resolveAttachments: (attachmentIds) =>
         attachmentsStore.getAttachmentsByIds(attachmentIds).map((a) => ({
           id: a.id,
@@ -1199,10 +810,6 @@ export class DaemonServer {
 
 }
 
-/**
- * Reset the processing state set by `persistUserMessage` when the agent loop
- * is intentionally skipped (e.g. call-answer bridge consumed the message).
- */
 function resetSessionProcessingState(session: Session): void {
   const s = session as unknown as {
     processing: boolean;