@vibelet/cli 0.1.35 → 0.1.37

package/src/index.ts

@@ -0,0 +1,781 @@
+import { createServer, type IncomingMessage, type ServerResponse } from 'http';
+import { WebSocketServer, type WebSocket } from 'ws';
+import { mkdir, readFile, readdir, stat, writeFile } from 'fs/promises';
+import { randomBytes } from 'crypto';
+import { extname, join } from 'path';
+import { networkInterfaces } from 'os';
+import type { Socket } from 'net';
+import QRCode from 'qrcode';
+import type { DirEntry, PairingQrPayload } from '@vibelet/shared';
+import { config } from './config.js';
+import { SessionManager } from './session-manager.js';
+import { getExternalInventoryHealth } from './session-inventory.js';
+import { expandPath, resolveFileRequestPath } from './utils.js';
+import type { ClientMessage } from '@vibelet/shared';
+import { logger as rootLogger } from './logger.js';
+import { metrics } from './metrics.js';
+import { audit } from './audit.js';
+import { registerToken, sendPush, unregisterToken } from './push.js';
+import { handlePushProtocolMessage } from './push-protocol.js';
+import { collectPortOccupants } from './port-conflict.js';
+import { loadOrCreateDaemonIdentity } from './identity.js';
+import { PairingStore } from './pairing-store.js';
+import { isAuthorizedToken, isLegacyToken, isLoopbackAddress, resolveRequestToken } from './auth.js';
+import {
+  computeAdvertisedConnectionTarget,
+  computeAdvertisedHosts,
+  readConfiguredFallbackHosts,
+  readTailscaleHosts,
+} from './advertised-hosts.js';
+import { readRawDataAsText } from './ws-data.js';
+import { runStorageHousekeepingSync } from './storage-housekeeping.js';
+import { AUDIT_PATH, DAEMON_STDERR_LOG_PATH, DAEMON_STDOUT_LOG_PATH, PAIRING_QR_PNG_PATH, UPDATE_CHECK_PATH, VIBELET_DIR, VIBELET_UPLOADS_DIR } from './paths.js';
+import { CLI_VERSION } from './cli-version.js';
+import { CLAUDE_HOOK_SECRET_HEADER, type ClaudePermissionHookData, type ClaudeSessionHookData } from './claude-hooks.js';
+import { writeStdoutSafe } from './safe-stdio.js';
+
+const log = rootLogger.child({ module: 'daemon' });
+const wsLog = rootLogger.child({ module: 'ws' });
+
+function readLatestVersion(): string | undefined {
+  try {
+    const data = JSON.parse(require('fs').readFileSync(UPDATE_CHECK_PATH, 'utf8'));
+    return typeof data.latestVersion === 'string' ? data.latestVersion : undefined;
+  } catch {
+    return undefined;
+  }
+}
+
+const identity = loadOrCreateDaemonIdentity(config.port);
+const manager = new SessionManager((title, body, data) => sendPush(title, body, {
+  daemonId: identity.daemonId,
+  canonicalHost: getAdvertisedConnectionTarget().canonicalHost,
+  ...(data ?? {}),
+}));
+const pairingStore = new PairingStore();
+const sockets = new Set<Socket>();
+interface AuthenticatedClientContext {
+  authMode: 'query_token' | 'auth_hello';
+  deviceId?: string;
+}
+
+const authenticatedClients = new WeakMap<WebSocket, AuthenticatedClientContext>();
+let shuttingDown = false;
+const startTime = Date.now();
+let storageHousekeepingInterval: ReturnType<typeof setInterval> | null = null;
+let advertisedConnectionTargetCache:
+  | { value: { canonicalHost: string; fallbackHosts: string[]; port: number }; expiresAt: number }
+  | null = null;
+
+const ADVERTISED_CONNECTION_TARGET_CACHE_TTL_MS = 1_000;
+
+function getAdvertisedHosts(): { canonicalHost: string; fallbackHosts: string[] } {
+  const tailscaleHosts = readTailscaleHosts();
+  return computeAdvertisedHosts({
+    canonicalHost: identity.canonicalHost,
+    configuredCanonicalHost: config.canonicalHost,
+    configuredFallbackHosts: readConfiguredFallbackHosts(config.fallbackHosts),
+    tailscaleCanonicalHost: tailscaleHosts.canonicalHost,
+    tailscaleFallbackHosts: tailscaleHosts.fallbackHosts,
+    interfaces: networkInterfaces(),
+  });
+}
+
+function getAdvertisedConnectionTarget(): { canonicalHost: string; fallbackHosts: string[]; port: number } {
+  const now = Date.now();
+  if (advertisedConnectionTargetCache && advertisedConnectionTargetCache.expiresAt > now) {
+    return advertisedConnectionTargetCache.value;
+  }
+
+  const advertisedHosts = getAdvertisedHosts();
+  const connectionTarget = computeAdvertisedConnectionTarget({
+    canonicalHost: advertisedHosts.canonicalHost,
+    fallbackHosts: advertisedHosts.fallbackHosts,
+    port: identity.port,
+    relayUrl: config.relayUrl,
+  });
+
+  // Tailscale probing is synchronous and can take a few seconds when the socket
+  // is unavailable. Cache the computed target briefly so startup logging, health
+  // checks, and immediate pairing calls do not repeatedly block the event loop.
+  advertisedConnectionTargetCache = {
+    value: connectionTarget,
+    expiresAt: now + ADVERTISED_CONNECTION_TARGET_CACHE_TTL_MS,
+  };
+
+  return connectionTarget;
+}
+
+function createCompactPairingPayload(pairingPayload: PairingQrPayload): Record<string, unknown> {
+  const compactPayload: Record<string, unknown> = {
+    t: 'vp',
+    d: pairingPayload.daemonId,
+    n: pairingPayload.displayName,
+    h: pairingPayload.canonicalHost,
+    p: pairingPayload.port,
+    c: pairingPayload.pairNonce,
+    e: pairingPayload.expiresAt,
+  };
+  if (pairingPayload.fallbackHosts) compactPayload.f = pairingPayload.fallbackHosts;
+  return compactPayload;
+}
+
+async function writeStartupPairingQr(pairingPayload: PairingQrPayload): Promise<void> {
+  const payload = JSON.stringify(createCompactPairingPayload(pairingPayload));
+  await mkdir(VIBELET_DIR, { recursive: true });
+  await QRCode.toFile(PAIRING_QR_PNG_PATH, payload, {
+    type: 'png',
+    errorCorrectionLevel: 'M',
+    margin: 1,
+    scale: 8,
+  });
+  const qr = await QRCode.toString(payload, {
+    type: 'terminal',
+    small: true,
+    errorCorrectionLevel: 'M',
+  });
+  writeStdoutSafe(`\nScan this QR code with Vibelet app:\n\n${qr}\n`);
+  writeStdoutSafe(`If Vibelet app can't scan the terminal QR, open this PNG instead:\n${PAIRING_QR_PNG_PATH}\n`);
+}
+
+async function readJsonBody<T>(req: IncomingMessage): Promise<T> {
+  const chunks: Buffer[] = [];
+  for await (const chunk of req) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+  }
+  const raw = Buffer.concat(chunks).toString('utf8');
+  return raw ? JSON.parse(raw) as T : {} as T;
+}
+
+function sendJson(res: ServerResponse, statusCode: number, body: unknown): void {
+  res.writeHead(statusCode, { 'Content-Type': 'application/json' });
+  res.end(JSON.stringify(body, null, 2));
+}
+
+function getFileContentType(filePath: string): string {
+  const ext = extname(filePath).toLowerCase();
+  const mimeTypes: Record<string, string> = {
+    '.png': 'image/png',
+    '.jpg': 'image/jpeg',
+    '.jpeg': 'image/jpeg',
+    '.gif': 'image/gif',
+    '.svg': 'image/svg+xml',
+    '.webp': 'image/webp',
+    '.heic': 'image/heic',
+    '.heif': 'image/heif',
+    '.pdf': 'application/pdf',
+    '.md': 'text/markdown; charset=utf-8',
+    '.markdown': 'text/markdown; charset=utf-8',
+    '.txt': 'text/plain; charset=utf-8',
+    '.log': 'text/plain; charset=utf-8',
+    '.json': 'application/json; charset=utf-8',
+    '.js': 'text/plain; charset=utf-8',
+    '.jsx': 'text/plain; charset=utf-8',
+    '.ts': 'text/plain; charset=utf-8',
+    '.tsx': 'text/plain; charset=utf-8',
+    '.mjs': 'text/plain; charset=utf-8',
+    '.cjs': 'text/plain; charset=utf-8',
+    '.css': 'text/plain; charset=utf-8',
+    '.html': 'text/plain; charset=utf-8',
+    '.yml': 'text/plain; charset=utf-8',
+    '.yaml': 'text/plain; charset=utf-8',
+  };
+  return mimeTypes[ext] || 'application/octet-stream';
+}
+
+function buildPairingPayload(): PairingQrPayload {
+  const window = pairingStore.openWindow();
+  const connectionTarget = getAdvertisedConnectionTarget();
+
+  return {
+    type: 'vibelet-pair',
+    daemonId: identity.daemonId,
+    displayName: identity.displayName,
+    canonicalHost: connectionTarget.canonicalHost,
+    fallbackHosts: connectionTarget.fallbackHosts.length > 0 ? connectionTarget.fallbackHosts : undefined,
+    port: connectionTarget.port,
+    pairNonce: window.pairNonce,
+    expiresAt: window.expiresAt,
+  };
+}
+
+async function listDirs(path: string, cwd?: string): Promise<{ entries: DirEntry[] }> {
+  const resolvedPath = resolveFileRequestPath(path, cwd);
+  const entries = await readdir(resolvedPath);
+  const results: DirEntry[] = [];
+  for (const name of entries) {
+    if (name.startsWith('.')) continue;
+    const s = await stat(join(resolvedPath, name)).catch(() => null);
+    if (s) results.push({ name, isDirectory: s.isDirectory() });
+  }
+  // Sort: dirs first, then files
+  results.sort((a, b) => {
+    if (a.isDirectory !== b.isDirectory) return a.isDirectory ? -1 : 1;
+    return a.name.localeCompare(b.name);
+  });
+  return { entries: results };
+}
+
+// HTTP server for file serving (images) + WebSocket upgrade + health endpoint
+const httpServer = createServer(async (req, res) => {
+  const url = new URL(req.url ?? '/', `http://localhost:${config.port}`);
+
+  // Health endpoint — no token required for basic health check
+  if (url.pathname === '/health') {
+    const connectionTarget = getAdvertisedConnectionTarget();
+    const health: Record<string, unknown> = {
+      status: 'ok',
+      version: CLI_VERSION,
+      daemonId: identity.daemonId,
+      displayName: identity.displayName,
+      canonicalHost: connectionTarget.canonicalHost,
+      uptimeSeconds: Math.round((Date.now() - startTime) / 1000),
+      activeSessions: manager.getActiveSessionCount(),
+      pairedDevices: pairingStore.pairedCount(),
+      wsClients: wss.clients.size,
+      drivers: manager.getDriverCounts(),
+      sessionInventory: getExternalInventoryHealth(),
+      metrics: metrics.snapshot(),
+    };
+    if (config.relayUrl) {
+      health.relayUrl = config.relayUrl;
+    }
+    const latestVersion = readLatestVersion();
+    if (latestVersion) {
+      health.latestVersion = latestVersion;
+    }
+    sendJson(res, 200, health);
+    return;
+  }
+
+  if (req.method === 'POST' && url.pathname === '/pair/open') {
+    if (!isLoopbackAddress(req.socket.remoteAddress)) {
+      sendJson(res, 403, { error: 'forbidden' });
+      return;
+    }
+    sendJson(res, 200, buildPairingPayload());
+    return;
+  }
+
+  if (req.method === 'POST' && url.pathname === '/pair/reset') {
+    if (!isLoopbackAddress(req.socket.remoteAddress)) {
+      sendJson(res, 403, { error: 'forbidden' });
+      return;
+    }
+    pairingStore.reset();
+    sendJson(res, 200, { ok: true });
+    return;
+  }
+
+  if (req.method === 'POST' && url.pathname === '/shutdown') {
+    if (!isLoopbackAddress(req.socket.remoteAddress)) {
+      sendJson(res, 403, { error: 'forbidden' });
+      return;
+    }
+    sendJson(res, 200, { status: 'stopping' });
+    setTimeout(() => shutdown('HTTP /shutdown request'), 50);
+    return;
+  }
+
+  if (req.method === 'POST' && url.pathname === '/hook/claude/session-start') {
+    if (!isLoopbackAddress(req.socket.remoteAddress)) {
+      sendJson(res, 403, { error: 'forbidden' });
+      return;
+    }
+    try {
+      const body = await readJsonBody<ClaudeSessionHookData>(req);
+      const secretHeader = req.headers[CLAUDE_HOOK_SECRET_HEADER];
+      const secret = Array.isArray(secretHeader) ? secretHeader[0] : secretHeader;
+      manager.handleClaudeSessionStartHook(secret, body);
+      sendJson(res, 200, { ok: true });
+    } catch (error) {
+      sendJson(res, 400, { error: String(error) });
+    }
+    return;
+  }
+
+  if (req.method === 'POST' && url.pathname === '/hook/claude/permission-request') {
+    if (!isLoopbackAddress(req.socket.remoteAddress)) {
+      sendJson(res, 403, { error: 'forbidden' });
+      return;
+    }
+    try {
+      const body = await readJsonBody<ClaudePermissionHookData>(req);
+      const secretHeader = req.headers[CLAUDE_HOOK_SECRET_HEADER];
+      const secret = Array.isArray(secretHeader) ? secretHeader[0] : secretHeader;
+      const response = await manager.handleClaudePermissionHook(secret, body);
+      sendJson(res, 200, response);
+    } catch (error) {
+      sendJson(res, 400, { error: String(error) });
+    }
+    return;
+  }
+
+  if (req.method === 'POST' && url.pathname === '/pair/create') {
+    try {
+      const body = await readJsonBody<{
+        daemonId?: string;
+        pairNonce?: string;
+        deviceId?: string;
+        deviceName?: string;
+      }>(req);
+      if (
+        body.daemonId !== identity.daemonId ||
+        typeof body.pairNonce !== 'string' ||
+        typeof body.deviceId !== 'string' ||
+        typeof body.deviceName !== 'string'
+      ) {
+        sendJson(res, 400, { error: 'invalid_pair_request' });
+        return;
+      }
+      const window = pairingStore.consumeWindow(body.pairNonce);
+      if (!window) {
+        sendJson(res, 401, { error: 'pair_window_expired' });
+        return;
+      }
+      const pairToken = pairingStore.issuePairToken(body.deviceId, body.deviceName);
+      const connectionTarget = getAdvertisedConnectionTarget();
+      sendJson(res, 200, {
+        daemonId: identity.daemonId,
+        displayName: identity.displayName,
+        canonicalHost: connectionTarget.canonicalHost,
+        fallbackHosts: connectionTarget.fallbackHosts,
+        port: connectionTarget.port,
+        deviceId: body.deviceId,
+        pairToken,
+      });
+    } catch (error) {
+      sendJson(res, 400, { error: String(error) });
+    }
+    return;
+  }
+
+  const token = resolveRequestToken(req.headers.authorization, url.searchParams.get('token'));
+  if (!isAuthorizedToken(token, config.legacyToken, (value, touch) => pairingStore.validateAnyPairToken(value, touch), false)) {
+    res.writeHead(401);
+    res.end('Unauthorized');
+    return;
+  }
+
+  // Upload image: POST /upload (raw binary body, Content-Type = image/*)
+  if (req.method === 'POST' && url.pathname === '/upload') {
+    const UPLOAD_MIME_TO_EXT: Record<string, string> = {
+      'image/png': '.png',
+      'image/jpeg': '.jpg',
+      'image/gif': '.gif',
+      'image/webp': '.webp',
+      'image/heic': '.heic',
+      'image/heif': '.heif',
+    };
+    const contentType = (req.headers['content-type'] ?? '').split(';')[0].trim();
+    const ext = UPLOAD_MIME_TO_EXT[contentType];
+    if (!ext) {
+      sendJson(res, 400, { error: 'Unsupported content type' });
+      return;
+    }
+
+    const MAX_UPLOAD_SIZE = 10 * 1024 * 1024; // 10MB
+    const chunks: Buffer[] = [];
+    let totalSize = 0;
+    for await (const chunk of req) {
+      const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+      totalSize += buf.length;
+      if (totalSize > MAX_UPLOAD_SIZE) {
+        res.writeHead(413);
+        res.end('File too large');
+        return;
+      }
+      chunks.push(buf);
+    }
+
+    try {
+      await mkdir(VIBELET_UPLOADS_DIR, { recursive: true });
+      const filename = `${Date.now()}_${randomBytes(8).toString('hex')}${ext}`;
+      const filePath = join(VIBELET_UPLOADS_DIR, filename);
+      await writeFile(filePath, Buffer.concat(chunks));
+      log.info({ filePath, size: totalSize }, 'file uploaded');
+      sendJson(res, 200, { path: filePath });
+    } catch (e) {
+      log.error({ error: String(e) }, 'upload failed');
+      sendJson(res, 500, { error: 'Upload failed' });
+    }
+    return;
+  }
+
+  // Serve files: GET /file?path=/path/to/file&cwd=/repo&token=xxx
+  if (url.pathname === '/file') {
+    const filePath = url.searchParams.get('path');
+    const cwd = url.searchParams.get('cwd') || undefined;
+    if (!filePath) {
+      res.writeHead(400);
+      res.end('Missing path parameter');
+      return;
+    }
+
+    try {
+      const resolvedPath = resolveFileRequestPath(filePath, cwd);
+      const fileStat = await stat(resolvedPath);
+      if (!fileStat.isFile()) {
+        res.writeHead(404);
+        res.end('Not a file');
+        return;
+      }
+
+      const contentType = getFileContentType(resolvedPath);
+      const data = await readFile(resolvedPath);
+      res.writeHead(200, { 'Content-Type': contentType, 'Content-Length': data.length });
+      res.end(data);
+    } catch (e) {
+      res.writeHead(404);
+      res.end('File not found');
+    }
+    return;
+  }
+
+  res.writeHead(200);
+  res.end(`Vibelet Daemon v${CLI_VERSION}`);
+});
+
+const wss = new WebSocketServer({ server: httpServer });
+
+httpServer.on('connection', (socket) => {
+  sockets.add(socket);
+  socket.on('close', () => {
+    sockets.delete(socket);
+  });
+});
+
+wss.on('connection', (ws, req) => {
+  const url = new URL(req.url ?? '/', `http://localhost:${config.port}`);
+  const token = url.searchParams.get('token');
+  if (token && isLegacyToken(token, config.legacyToken)) {
+    authenticatedClients.set(ws, { authMode: 'query_token' });
+    metrics.increment('ws.auth.success', { mode: 'query_token' });
+    manager.addGlobalClient(ws);
+    manager.prewarmCaches();
+  } else if (token) {
+    const pairingRecord = pairingStore.validateAnyPairToken(token);
+    if (pairingRecord) {
+      authenticatedClients.set(ws, {
+        authMode: 'query_token',
+        deviceId: pairingRecord.deviceId,
+      });
+      metrics.increment('ws.auth.success', { mode: 'query_token' });
+      manager.addGlobalClient(ws);
+      manager.prewarmCaches();
+    } else {
+      metrics.increment('ws.auth.failure', { mode: 'query_token' });
+      ws.close(4001, 'Unauthorized');
+      return;
+    }
+  }
+
+  wsLog.info({ clients: wss.clients.size }, 'client connected');
+  metrics.increment('ws.connect');
+  metrics.gauge('ws.clients', wss.clients.size);
+  audit.emit('ws.connect', {
+    clients: wss.clients.size,
+    authMode: authenticatedClients.get(ws)?.authMode ?? 'pending',
+    deviceId: authenticatedClients.get(ws)?.deviceId,
+  });
+
+  ws.on('message', async (data) => {
+    try {
+      const parsed = JSON.parse(readRawDataAsText(data));
+
+      // Basic validation: action must exist and be a string
+      if (!parsed || typeof parsed.action !== 'string') {
+        ws.send(JSON.stringify({ type: 'error', sessionId: '', message: 'Invalid message: missing or non-string "action" field' }));
+        return;
+      }
+
+      // Respond to heartbeat pings before auth check (harmless, keeps connection alive)
+      if (parsed.action === 'ping') {
+        ws.send(JSON.stringify({ type: 'pong' }));
+        return;
+      }
+
+      const msg = parsed as ClientMessage;
+
+      if (!authenticatedClients.has(ws)) {
+        if (
+          msg.action === 'auth.hello' &&
+          msg.daemonId === identity.daemonId &&
+          pairingStore.validatePairToken(msg.deviceId, msg.pairToken)
+        ) {
+          authenticatedClients.set(ws, {
+            authMode: 'auth_hello',
+            deviceId: msg.deviceId,
+          });
+          metrics.increment('ws.auth.success', { mode: 'auth_hello' });
+          manager.addGlobalClient(ws);
+          manager.prewarmCaches();
+          ws.send(JSON.stringify({
+            type: 'response',
+            id: msg.id,
+            ok: true,
+            data: {
+              daemonId: identity.daemonId,
+              displayName: identity.displayName,
+            },
+          }));
+          return;
+        }
+
+        if (msg.action === 'auth.hello') {
+          metrics.increment('ws.auth.failure', { mode: 'auth_hello' });
+          ws.send(JSON.stringify({ type: 'response', id: msg.id, ok: false, error: 'auth_failed' }));
+          ws.close(4001, 'Unauthorized');
+          return;
+        }
+
+        metrics.increment('ws.auth.failure', { mode: 'missing' });
+        ws.send(JSON.stringify({ type: 'error', sessionId: '', message: 'Authentication required' }));
+        ws.close(4001, 'Unauthorized');
+        return;
+      }
+
+      // Handle log.report: app sends client-side logs to daemon audit trail
+      if (msg.action === 'log.report') {
+        for (const entry of msg.entries) {
+          audit.emitApp(entry.event, entry.level, entry.data ?? {}, entry.ts);
+          // Also log to daemon stdout for debugging
+          const logFn = entry.level === 'error' ? log.error : entry.level === 'warn' ? log.warn : log.info;
+          logFn.call(log, { event: entry.event, ...entry.data }, `[app] ${entry.event}`);
+        }
+        ws.send(JSON.stringify({ type: 'response', id: msg.id, ok: true }));
+        return;
+      }
+
+      // Handle dirs.list directly in index.ts
+      if (msg.action === 'dirs.list') {
+        try {
+          const result = await listDirs(msg.path, msg.cwd);
+          ws.send(JSON.stringify({ type: 'response', id: msg.id, ok: true, data: result }));
+        } catch (e) {
+          ws.send(JSON.stringify({ type: 'response', id: msg.id, ok: false, error: String(e) }));
+        }
+        return;
+      }
+
+      if (parsed.action === 'push.register') {
+        const context = authenticatedClients.get(ws);
+        handlePushProtocolMessage(parsed, {
+          deviceId: context?.deviceId,
+          registerToken,
+          unregisterToken,
+          respond: (response) => ws.send(JSON.stringify(response)),
+        });
+        return;
+      }
+
+      if (parsed.action === 'push.unregister') {
+        const context = authenticatedClients.get(ws);
+        handlePushProtocolMessage(parsed, {
+          deviceId: context?.deviceId,
+          registerToken,
+          unregisterToken,
+          respond: (response) => ws.send(JSON.stringify(response)),
+        });
+        return;
+      }
+
+      await manager.handle(ws, msg);
+    } catch (e) {
+      wsLog.error({ error: String(e) }, 'message handling error');
+      ws.send(JSON.stringify({ type: 'error', sessionId: '', message: String(e) }));
+    }
+  });
+
+  ws.on('close', (code) => {
+    wsLog.info({ clients: wss.clients.size, code }, 'client disconnected');
+    metrics.increment('ws.disconnect');
+    metrics.increment('ws.disconnect.code', { code: String(code) });
+    metrics.gauge('ws.clients', wss.clients.size);
+    audit.emit('ws.disconnect', { clients: wss.clients.size, code });
+    manager.removeClient(ws);
+  });
+
+  ws.on('error', (err) => {
+    wsLog.error({ error: err.message }, 'websocket error');
+  });
+});
+
+function destroyAllSockets(): void {
+  for (const socket of sockets) {
+    try {
+      socket.destroy();
+    } catch {}
+  }
+  sockets.clear();
+}
+
+function runStorageHousekeeping(): void {
+  const summary = runStorageHousekeepingSync({
+    auditPath: AUDIT_PATH,
+    stdoutLogPath: DAEMON_STDOUT_LOG_PATH,
+    stderrLogPath: DAEMON_STDERR_LOG_PATH,
+    auditMaxBytes: config.auditMaxBytes,
+    logMaxBytes: config.daemonLogMaxBytes,
+  });
+  if (summary.trimmedFiles > 0) {
+    log.info({
+      trimmedFiles: summary.trimmedFiles,
+      reclaimedBytes: summary.reclaimedBytes,
+      files: summary.files
+        .filter(file => file.trimmed)
+        .map(file => ({
+          path: file.path,
+          beforeBytes: file.beforeBytes,
+          afterBytes: file.afterBytes,
+        })),
+    }, 'trimmed vibelet storage');
+  }
+}
+
+function startStorageHousekeeping(): void {
+  if (storageHousekeepingInterval) return;
+  storageHousekeepingInterval = setInterval(runStorageHousekeeping, config.storageHousekeepingIntervalMs);
+  storageHousekeepingInterval.unref();
+}
+
+function stopStorageHousekeeping(): void {
+  if (!storageHousekeepingInterval) return;
+  clearInterval(storageHousekeepingInterval);
+  storageHousekeepingInterval = null;
+}
+
+function shutdown(reason: string, exitCode = 0): void {
+  if (shuttingDown) return;
+  shuttingDown = true;
+  log.info({ reason, exitCode }, 'shutting down');
+  audit.emit('daemon.shutdown', { reason, exitCode, uptimeSeconds: Math.round((Date.now() - startTime) / 1000) });
+  metrics.stopPeriodicLog();
+  stopStorageHousekeeping();
+
+  manager.shutdown();
+
+  for (const client of wss.clients) {
+    try {
+      client.close(1001, 'Server shutting down');
+      client.terminate();
+    } catch {}
+  }
+
+  wss.close((err) => {
+    if (err) log.error({ error: String(err) }, 'websocket close error');
+  });
+
+  httpServer.close((err) => {
+    if (err) {
+      log.error({ error: String(err) }, 'http close error');
+      destroyAllSockets();
+      process.exit(1);
+      return;
+    }
+    destroyAllSockets();
+    process.exit(exitCode);
+  });
+
+  setTimeout(() => {
+    log.error('force exiting after shutdown timeout');
+    destroyAllSockets();
+    process.exit(exitCode || 1);
+  }, 3000).unref();
+}
+
+wss.on('error', (err: Error) => {
+  wsLog.error({ error: err.message }, 'wss error');
+});
+
+httpServer.on('error', (err: NodeJS.ErrnoException) => {
+  if (err.code === 'EADDRINUSE') {
+    const occupants = collectPortOccupants(config.port).filter((occupant) => occupant.pid !== process.pid);
+    log.error(
+      { port: config.port, occupants },
+      'port is already in use. Stop the existing process or use VIBE_PORT=<port> to specify another port',
+    );
+  } else {
+    log.error({ error: String(err) }, 'server error');
+  }
+  shutdown(`httpServer error: ${err.code ?? err.message}`, 1);
+});
+
+process.once('SIGINT', () => shutdown('SIGINT'));
+process.once('SIGTERM', () => shutdown('SIGTERM'));
+process.once('SIGHUP', () => shutdown('SIGHUP'));
+process.once('SIGTTIN', () => shutdown('SIGTTIN'));
+process.once('SIGTSTP', () => shutdown('SIGTSTP'));
+
+process.on('uncaughtException', (err) => {
+  log.error({ error: String(err), stack: err.stack }, 'uncaughtException');
+  audit.emit('daemon.error', { type: 'uncaughtException', error: String(err) });
+});
+
+process.on('unhandledRejection', (reason) => {
+  log.error({ reason: String(reason) }, 'unhandledRejection');
+  audit.emit('daemon.error', { type: 'unhandledRejection', reason: String(reason) });
+});
+
+httpServer.listen(config.port, async () => {
+  runStorageHousekeeping();
+  audit.emit('daemon.start', { port: config.port });
+  metrics.startPeriodicLog();
+  startStorageHousekeeping();
+  const startupConnectionTarget = getAdvertisedConnectionTarget();
+
+  log.info(
+    {
+      port: config.port,
+      pairingPort: startupConnectionTarget.port,
+      daemonId: identity.daemonId,
+      displayName: identity.displayName,
+      canonicalHost: startupConnectionTarget.canonicalHost,
+      fallbackHosts: startupConnectionTarget.fallbackHosts,
+      claudePath: config.claudePath,
+      codexPath: config.codexPath,
+      auditMaxBytes: config.auditMaxBytes,
+      daemonLogMaxBytes: config.daemonLogMaxBytes,
+      storageHousekeepingIntervalMs: config.storageHousekeepingIntervalMs,
+      turnStallTimeoutMs: config.turnStallTimeoutMs,
+    },
+    'daemon started',
+  );
+
+  const window = pairingStore.openWindow();
+  const qrPayload: PairingQrPayload = {
+    type: 'vibelet-pair',
+    daemonId: identity.daemonId,
+    displayName: identity.displayName,
+    canonicalHost: startupConnectionTarget.canonicalHost,
+    fallbackHosts: startupConnectionTarget.fallbackHosts.length > 0 ? startupConnectionTarget.fallbackHosts : undefined,
+    port: startupConnectionTarget.port,
+    pairNonce: window.pairNonce,
+    expiresAt: window.expiresAt,
+  };
+
+  // Keep the human-friendly banner on stdout for interactive use
+  writeStdoutSafe(`
+╔══════════════════════════════════════╗
+║       Vibelet Daemon v${CLI_VERSION}         ║
+╠══════════════════════════════════════╣
+║  Port:  ${String(qrPayload.port).padEnd(28)}║
+║  ID:    ${identity.daemonId.slice(0, 28).padEnd(28)}║
+║  Host:  ${qrPayload.canonicalHost.slice(0, 28).padEnd(28)}║
+╚══════════════════════════════════════╝
+
+Pair with: npx @vibelet/cli or npx vibelet
+Host: ${qrPayload.canonicalHost}
+Fallbacks: ${qrPayload.fallbackHosts?.join(', ') || '(none)'}
+
+Claude: ${config.claudePath}
+Codex:  ${config.codexPath}
+`);
+
+  // Print QR code for app to scan
+  try {
+    await writeStartupPairingQr(qrPayload);
+  } catch {
+    // QR generation is best-effort
+  }
+});