@vibelet/cli 0.1.37 → 1.0.0

package/src/index.ts

@@ -1,781 +0,0 @@
-import { createServer, type IncomingMessage, type ServerResponse } from 'http';
-import { WebSocketServer, type WebSocket } from 'ws';
-import { mkdir, readFile, readdir, stat, writeFile } from 'fs/promises';
-import { randomBytes } from 'crypto';
-import { extname, join } from 'path';
-import { networkInterfaces } from 'os';
-import type { Socket } from 'net';
-import QRCode from 'qrcode';
-import type { DirEntry, PairingQrPayload } from '@vibelet/shared';
-import { config } from './config.js';
-import { SessionManager } from './session-manager.js';
-import { getExternalInventoryHealth } from './session-inventory.js';
-import { expandPath, resolveFileRequestPath } from './utils.js';
-import type { ClientMessage } from '@vibelet/shared';
-import { logger as rootLogger } from './logger.js';
-import { metrics } from './metrics.js';
-import { audit } from './audit.js';
-import { registerToken, sendPush, unregisterToken } from './push.js';
-import { handlePushProtocolMessage } from './push-protocol.js';
-import { collectPortOccupants } from './port-conflict.js';
-import { loadOrCreateDaemonIdentity } from './identity.js';
-import { PairingStore } from './pairing-store.js';
-import { isAuthorizedToken, isLegacyToken, isLoopbackAddress, resolveRequestToken } from './auth.js';
-import {
-  computeAdvertisedConnectionTarget,
-  computeAdvertisedHosts,
-  readConfiguredFallbackHosts,
-  readTailscaleHosts,
-} from './advertised-hosts.js';
-import { readRawDataAsText } from './ws-data.js';
-import { runStorageHousekeepingSync } from './storage-housekeeping.js';
-import { AUDIT_PATH, DAEMON_STDERR_LOG_PATH, DAEMON_STDOUT_LOG_PATH, PAIRING_QR_PNG_PATH, UPDATE_CHECK_PATH, VIBELET_DIR, VIBELET_UPLOADS_DIR } from './paths.js';
-import { CLI_VERSION } from './cli-version.js';
-import { CLAUDE_HOOK_SECRET_HEADER, type ClaudePermissionHookData, type ClaudeSessionHookData } from './claude-hooks.js';
-import { writeStdoutSafe } from './safe-stdio.js';
-
-const log = rootLogger.child({ module: 'daemon' });
-const wsLog = rootLogger.child({ module: 'ws' });
-
-function readLatestVersion(): string | undefined {
-  try {
-    const data = JSON.parse(require('fs').readFileSync(UPDATE_CHECK_PATH, 'utf8'));
-    return typeof data.latestVersion === 'string' ? data.latestVersion : undefined;
-  } catch {
-    return undefined;
-  }
-}
-
-const identity = loadOrCreateDaemonIdentity(config.port);
-const manager = new SessionManager((title, body, data) => sendPush(title, body, {
-  daemonId: identity.daemonId,
-  canonicalHost: getAdvertisedConnectionTarget().canonicalHost,
-  ...(data ?? {}),
-}));
-const pairingStore = new PairingStore();
-const sockets = new Set<Socket>();
-interface AuthenticatedClientContext {
-  authMode: 'query_token' | 'auth_hello';
-  deviceId?: string;
-}
-
-const authenticatedClients = new WeakMap<WebSocket, AuthenticatedClientContext>();
-let shuttingDown = false;
-const startTime = Date.now();
-let storageHousekeepingInterval: ReturnType<typeof setInterval> | null = null;
-let advertisedConnectionTargetCache:
-  | { value: { canonicalHost: string; fallbackHosts: string[]; port: number }; expiresAt: number }
-  | null = null;
-
-const ADVERTISED_CONNECTION_TARGET_CACHE_TTL_MS = 1_000;
-
-function getAdvertisedHosts(): { canonicalHost: string; fallbackHosts: string[] } {
-  const tailscaleHosts = readTailscaleHosts();
-  return computeAdvertisedHosts({
-    canonicalHost: identity.canonicalHost,
-    configuredCanonicalHost: config.canonicalHost,
-    configuredFallbackHosts: readConfiguredFallbackHosts(config.fallbackHosts),
-    tailscaleCanonicalHost: tailscaleHosts.canonicalHost,
-    tailscaleFallbackHosts: tailscaleHosts.fallbackHosts,
-    interfaces: networkInterfaces(),
-  });
-}
-
-function getAdvertisedConnectionTarget(): { canonicalHost: string; fallbackHosts: string[]; port: number } {
-  const now = Date.now();
-  if (advertisedConnectionTargetCache && advertisedConnectionTargetCache.expiresAt > now) {
-    return advertisedConnectionTargetCache.value;
-  }
-
-  const advertisedHosts = getAdvertisedHosts();
-  const connectionTarget = computeAdvertisedConnectionTarget({
-    canonicalHost: advertisedHosts.canonicalHost,
-    fallbackHosts: advertisedHosts.fallbackHosts,
-    port: identity.port,
-    relayUrl: config.relayUrl,
-  });
-
-  // Tailscale probing is synchronous and can take a few seconds when the socket
-  // is unavailable. Cache the computed target briefly so startup logging, health
-  // checks, and immediate pairing calls do not repeatedly block the event loop.
-  advertisedConnectionTargetCache = {
-    value: connectionTarget,
-    expiresAt: now + ADVERTISED_CONNECTION_TARGET_CACHE_TTL_MS,
-  };
-
-  return connectionTarget;
-}
-
-function createCompactPairingPayload(pairingPayload: PairingQrPayload): Record<string, unknown> {
-  const compactPayload: Record<string, unknown> = {
-    t: 'vp',
-    d: pairingPayload.daemonId,
-    n: pairingPayload.displayName,
-    h: pairingPayload.canonicalHost,
-    p: pairingPayload.port,
-    c: pairingPayload.pairNonce,
-    e: pairingPayload.expiresAt,
-  };
-  if (pairingPayload.fallbackHosts) compactPayload.f = pairingPayload.fallbackHosts;
-  return compactPayload;
-}
-
-async function writeStartupPairingQr(pairingPayload: PairingQrPayload): Promise<void> {
-  const payload = JSON.stringify(createCompactPairingPayload(pairingPayload));
-  await mkdir(VIBELET_DIR, { recursive: true });
-  await QRCode.toFile(PAIRING_QR_PNG_PATH, payload, {
-    type: 'png',
-    errorCorrectionLevel: 'M',
-    margin: 1,
-    scale: 8,
-  });
-  const qr = await QRCode.toString(payload, {
-    type: 'terminal',
-    small: true,
-    errorCorrectionLevel: 'M',
-  });
-  writeStdoutSafe(`\nScan this QR code with Vibelet app:\n\n${qr}\n`);
-  writeStdoutSafe(`If Vibelet app can't scan the terminal QR, open this PNG instead:\n${PAIRING_QR_PNG_PATH}\n`);
-}
-
-async function readJsonBody<T>(req: IncomingMessage): Promise<T> {
-  const chunks: Buffer[] = [];
-  for await (const chunk of req) {
-    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
-  }
-  const raw = Buffer.concat(chunks).toString('utf8');
-  return raw ? JSON.parse(raw) as T : {} as T;
-}
-
-function sendJson(res: ServerResponse, statusCode: number, body: unknown): void {
-  res.writeHead(statusCode, { 'Content-Type': 'application/json' });
-  res.end(JSON.stringify(body, null, 2));
-}
-
-function getFileContentType(filePath: string): string {
-  const ext = extname(filePath).toLowerCase();
-  const mimeTypes: Record<string, string> = {
-    '.png': 'image/png',
-    '.jpg': 'image/jpeg',
-    '.jpeg': 'image/jpeg',
-    '.gif': 'image/gif',
-    '.svg': 'image/svg+xml',
-    '.webp': 'image/webp',
-    '.heic': 'image/heic',
-    '.heif': 'image/heif',
-    '.pdf': 'application/pdf',
-    '.md': 'text/markdown; charset=utf-8',
-    '.markdown': 'text/markdown; charset=utf-8',
-    '.txt': 'text/plain; charset=utf-8',
-    '.log': 'text/plain; charset=utf-8',
-    '.json': 'application/json; charset=utf-8',
-    '.js': 'text/plain; charset=utf-8',
-    '.jsx': 'text/plain; charset=utf-8',
-    '.ts': 'text/plain; charset=utf-8',
-    '.tsx': 'text/plain; charset=utf-8',
-    '.mjs': 'text/plain; charset=utf-8',
-    '.cjs': 'text/plain; charset=utf-8',
-    '.css': 'text/plain; charset=utf-8',
-    '.html': 'text/plain; charset=utf-8',
-    '.yml': 'text/plain; charset=utf-8',
-    '.yaml': 'text/plain; charset=utf-8',
-  };
-  return mimeTypes[ext] || 'application/octet-stream';
-}
-
-function buildPairingPayload(): PairingQrPayload {
-  const window = pairingStore.openWindow();
-  const connectionTarget = getAdvertisedConnectionTarget();
-
-  return {
-    type: 'vibelet-pair',
-    daemonId: identity.daemonId,
-    displayName: identity.displayName,
-    canonicalHost: connectionTarget.canonicalHost,
-    fallbackHosts: connectionTarget.fallbackHosts.length > 0 ? connectionTarget.fallbackHosts : undefined,
-    port: connectionTarget.port,
-    pairNonce: window.pairNonce,
-    expiresAt: window.expiresAt,
-  };
-}
-
-async function listDirs(path: string, cwd?: string): Promise<{ entries: DirEntry[] }> {
-  const resolvedPath = resolveFileRequestPath(path, cwd);
-  const entries = await readdir(resolvedPath);
-  const results: DirEntry[] = [];
-  for (const name of entries) {
-    if (name.startsWith('.')) continue;
-    const s = await stat(join(resolvedPath, name)).catch(() => null);
-    if (s) results.push({ name, isDirectory: s.isDirectory() });
-  }
-  // Sort: dirs first, then files
-  results.sort((a, b) => {
-    if (a.isDirectory !== b.isDirectory) return a.isDirectory ? -1 : 1;
-    return a.name.localeCompare(b.name);
-  });
-  return { entries: results };
-}
-
-// HTTP server for file serving (images) + WebSocket upgrade + health endpoint
-const httpServer = createServer(async (req, res) => {
-  const url = new URL(req.url ?? '/', `http://localhost:${config.port}`);
-
-  // Health endpoint — no token required for basic health check
-  if (url.pathname === '/health') {
-    const connectionTarget = getAdvertisedConnectionTarget();
-    const health: Record<string, unknown> = {
-      status: 'ok',
-      version: CLI_VERSION,
-      daemonId: identity.daemonId,
-      displayName: identity.displayName,
-      canonicalHost: connectionTarget.canonicalHost,
-      uptimeSeconds: Math.round((Date.now() - startTime) / 1000),
-      activeSessions: manager.getActiveSessionCount(),
-      pairedDevices: pairingStore.pairedCount(),
-      wsClients: wss.clients.size,
-      drivers: manager.getDriverCounts(),
-      sessionInventory: getExternalInventoryHealth(),
-      metrics: metrics.snapshot(),
-    };
-    if (config.relayUrl) {
-      health.relayUrl = config.relayUrl;
-    }
-    const latestVersion = readLatestVersion();
-    if (latestVersion) {
-      health.latestVersion = latestVersion;
-    }
-    sendJson(res, 200, health);
-    return;
-  }
-
-  if (req.method === 'POST' && url.pathname === '/pair/open') {
-    if (!isLoopbackAddress(req.socket.remoteAddress)) {
-      sendJson(res, 403, { error: 'forbidden' });
-      return;
-    }
-    sendJson(res, 200, buildPairingPayload());
-    return;
-  }
-
-  if (req.method === 'POST' && url.pathname === '/pair/reset') {
-    if (!isLoopbackAddress(req.socket.remoteAddress)) {
-      sendJson(res, 403, { error: 'forbidden' });
-      return;
-    }
-    pairingStore.reset();
-    sendJson(res, 200, { ok: true });
-    return;
-  }
-
-  if (req.method === 'POST' && url.pathname === '/shutdown') {
-    if (!isLoopbackAddress(req.socket.remoteAddress)) {
-      sendJson(res, 403, { error: 'forbidden' });
-      return;
-    }
-    sendJson(res, 200, { status: 'stopping' });
-    setTimeout(() => shutdown('HTTP /shutdown request'), 50);
-    return;
-  }
-
-  if (req.method === 'POST' && url.pathname === '/hook/claude/session-start') {
-    if (!isLoopbackAddress(req.socket.remoteAddress)) {
-      sendJson(res, 403, { error: 'forbidden' });
-      return;
-    }
-    try {
-      const body = await readJsonBody<ClaudeSessionHookData>(req);
-      const secretHeader = req.headers[CLAUDE_HOOK_SECRET_HEADER];
-      const secret = Array.isArray(secretHeader) ? secretHeader[0] : secretHeader;
-      manager.handleClaudeSessionStartHook(secret, body);
-      sendJson(res, 200, { ok: true });
-    } catch (error) {
-      sendJson(res, 400, { error: String(error) });
-    }
-    return;
-  }
-
-  if (req.method === 'POST' && url.pathname === '/hook/claude/permission-request') {
-    if (!isLoopbackAddress(req.socket.remoteAddress)) {
-      sendJson(res, 403, { error: 'forbidden' });
-      return;
-    }
-    try {
-      const body = await readJsonBody<ClaudePermissionHookData>(req);
-      const secretHeader = req.headers[CLAUDE_HOOK_SECRET_HEADER];
-      const secret = Array.isArray(secretHeader) ? secretHeader[0] : secretHeader;
-      const response = await manager.handleClaudePermissionHook(secret, body);
-      sendJson(res, 200, response);
-    } catch (error) {
-      sendJson(res, 400, { error: String(error) });
-    }
-    return;
-  }
-
-  if (req.method === 'POST' && url.pathname === '/pair/create') {
-    try {
-      const body = await readJsonBody<{
-        daemonId?: string;
-        pairNonce?: string;
-        deviceId?: string;
-        deviceName?: string;
-      }>(req);
-      if (
-        body.daemonId !== identity.daemonId ||
-        typeof body.pairNonce !== 'string' ||
-        typeof body.deviceId !== 'string' ||
-        typeof body.deviceName !== 'string'
-      ) {
-        sendJson(res, 400, { error: 'invalid_pair_request' });
-        return;
-      }
-      const window = pairingStore.consumeWindow(body.pairNonce);
-      if (!window) {
-        sendJson(res, 401, { error: 'pair_window_expired' });
-        return;
-      }
-      const pairToken = pairingStore.issuePairToken(body.deviceId, body.deviceName);
-      const connectionTarget = getAdvertisedConnectionTarget();
-      sendJson(res, 200, {
-        daemonId: identity.daemonId,
-        displayName: identity.displayName,
-        canonicalHost: connectionTarget.canonicalHost,
-        fallbackHosts: connectionTarget.fallbackHosts,
-        port: connectionTarget.port,
-        deviceId: body.deviceId,
-        pairToken,
-      });
-    } catch (error) {
-      sendJson(res, 400, { error: String(error) });
-    }
-    return;
-  }
-
-  const token = resolveRequestToken(req.headers.authorization, url.searchParams.get('token'));
-  if (!isAuthorizedToken(token, config.legacyToken, (value, touch) => pairingStore.validateAnyPairToken(value, touch), false)) {
-    res.writeHead(401);
-    res.end('Unauthorized');
-    return;
-  }
-
-  // Upload image: POST /upload (raw binary body, Content-Type = image/*)
-  if (req.method === 'POST' && url.pathname === '/upload') {
-    const UPLOAD_MIME_TO_EXT: Record<string, string> = {
-      'image/png': '.png',
-      'image/jpeg': '.jpg',
-      'image/gif': '.gif',
-      'image/webp': '.webp',
-      'image/heic': '.heic',
-      'image/heif': '.heif',
-    };
-    const contentType = (req.headers['content-type'] ?? '').split(';')[0].trim();
-    const ext = UPLOAD_MIME_TO_EXT[contentType];
-    if (!ext) {
-      sendJson(res, 400, { error: 'Unsupported content type' });
-      return;
-    }
-
-    const MAX_UPLOAD_SIZE = 10 * 1024 * 1024; // 10MB
-    const chunks: Buffer[] = [];
-    let totalSize = 0;
-    for await (const chunk of req) {
-      const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
-      totalSize += buf.length;
-      if (totalSize > MAX_UPLOAD_SIZE) {
-        res.writeHead(413);
-        res.end('File too large');
-        return;
-      }
-      chunks.push(buf);
-    }
-
-    try {
-      await mkdir(VIBELET_UPLOADS_DIR, { recursive: true });
-      const filename = `${Date.now()}_${randomBytes(8).toString('hex')}${ext}`;
-      const filePath = join(VIBELET_UPLOADS_DIR, filename);
-      await writeFile(filePath, Buffer.concat(chunks));
-      log.info({ filePath, size: totalSize }, 'file uploaded');
-      sendJson(res, 200, { path: filePath });
-    } catch (e) {
-      log.error({ error: String(e) }, 'upload failed');
-      sendJson(res, 500, { error: 'Upload failed' });
-    }
-    return;
-  }
-
-  // Serve files: GET /file?path=/path/to/file&cwd=/repo&token=xxx
-  if (url.pathname === '/file') {
-    const filePath = url.searchParams.get('path');
-    const cwd = url.searchParams.get('cwd') || undefined;
-    if (!filePath) {
-      res.writeHead(400);
-      res.end('Missing path parameter');
-      return;
-    }
-
-    try {
-      const resolvedPath = resolveFileRequestPath(filePath, cwd);
-      const fileStat = await stat(resolvedPath);
-      if (!fileStat.isFile()) {
-        res.writeHead(404);
-        res.end('Not a file');
-        return;
-      }
-
-      const contentType = getFileContentType(resolvedPath);
-      const data = await readFile(resolvedPath);
-      res.writeHead(200, { 'Content-Type': contentType, 'Content-Length': data.length });
-      res.end(data);
-    } catch (e) {
-      res.writeHead(404);
-      res.end('File not found');
-    }
-    return;
-  }
-
-  res.writeHead(200);
-  res.end(`Vibelet Daemon v${CLI_VERSION}`);
-});
-
-const wss = new WebSocketServer({ server: httpServer });
-
-httpServer.on('connection', (socket) => {
-  sockets.add(socket);
-  socket.on('close', () => {
-    sockets.delete(socket);
-  });
-});
-
-wss.on('connection', (ws, req) => {
-  const url = new URL(req.url ?? '/', `http://localhost:${config.port}`);
-  const token = url.searchParams.get('token');
-  if (token && isLegacyToken(token, config.legacyToken)) {
-    authenticatedClients.set(ws, { authMode: 'query_token' });
-    metrics.increment('ws.auth.success', { mode: 'query_token' });
-    manager.addGlobalClient(ws);
-    manager.prewarmCaches();
-  } else if (token) {
-    const pairingRecord = pairingStore.validateAnyPairToken(token);
-    if (pairingRecord) {
-      authenticatedClients.set(ws, {
-        authMode: 'query_token',
-        deviceId: pairingRecord.deviceId,
-      });
-      metrics.increment('ws.auth.success', { mode: 'query_token' });
-      manager.addGlobalClient(ws);
-      manager.prewarmCaches();
-    } else {
-      metrics.increment('ws.auth.failure', { mode: 'query_token' });
-      ws.close(4001, 'Unauthorized');
-      return;
-    }
-  }
-
-  wsLog.info({ clients: wss.clients.size }, 'client connected');
-  metrics.increment('ws.connect');
-  metrics.gauge('ws.clients', wss.clients.size);
-  audit.emit('ws.connect', {
-    clients: wss.clients.size,
-    authMode: authenticatedClients.get(ws)?.authMode ?? 'pending',
-    deviceId: authenticatedClients.get(ws)?.deviceId,
-  });
-
-  ws.on('message', async (data) => {
-    try {
-      const parsed = JSON.parse(readRawDataAsText(data));
-
-      // Basic validation: action must exist and be a string
-      if (!parsed || typeof parsed.action !== 'string') {
-        ws.send(JSON.stringify({ type: 'error', sessionId: '', message: 'Invalid message: missing or non-string "action" field' }));
-        return;
-      }
-
-      // Respond to heartbeat pings before auth check (harmless, keeps connection alive)
-      if (parsed.action === 'ping') {
-        ws.send(JSON.stringify({ type: 'pong' }));
-        return;
-      }
-
-      const msg = parsed as ClientMessage;
-
-      if (!authenticatedClients.has(ws)) {
-        if (
-          msg.action === 'auth.hello' &&
-          msg.daemonId === identity.daemonId &&
-          pairingStore.validatePairToken(msg.deviceId, msg.pairToken)
-        ) {
-          authenticatedClients.set(ws, {
-            authMode: 'auth_hello',
-            deviceId: msg.deviceId,
-          });
-          metrics.increment('ws.auth.success', { mode: 'auth_hello' });
-          manager.addGlobalClient(ws);
-          manager.prewarmCaches();
-          ws.send(JSON.stringify({
-            type: 'response',
-            id: msg.id,
-            ok: true,
-            data: {
-              daemonId: identity.daemonId,
-              displayName: identity.displayName,
-            },
-          }));
-          return;
-        }
-
-        if (msg.action === 'auth.hello') {
-          metrics.increment('ws.auth.failure', { mode: 'auth_hello' });
-          ws.send(JSON.stringify({ type: 'response', id: msg.id, ok: false, error: 'auth_failed' }));
-          ws.close(4001, 'Unauthorized');
-          return;
-        }
-
-        metrics.increment('ws.auth.failure', { mode: 'missing' });
-        ws.send(JSON.stringify({ type: 'error', sessionId: '', message: 'Authentication required' }));
-        ws.close(4001, 'Unauthorized');
-        return;
-      }
-
-      // Handle log.report: app sends client-side logs to daemon audit trail
-      if (msg.action === 'log.report') {
-        for (const entry of msg.entries) {
-          audit.emitApp(entry.event, entry.level, entry.data ?? {}, entry.ts);
-          // Also log to daemon stdout for debugging
-          const logFn = entry.level === 'error' ? log.error : entry.level === 'warn' ? log.warn : log.info;
-          logFn.call(log, { event: entry.event, ...entry.data }, `[app] ${entry.event}`);
-        }
-        ws.send(JSON.stringify({ type: 'response', id: msg.id, ok: true }));
-        return;
-      }
-
-      // Handle dirs.list directly in index.ts
-      if (msg.action === 'dirs.list') {
-        try {
-          const result = await listDirs(msg.path, msg.cwd);
-          ws.send(JSON.stringify({ type: 'response', id: msg.id, ok: true, data: result }));
-        } catch (e) {
-          ws.send(JSON.stringify({ type: 'response', id: msg.id, ok: false, error: String(e) }));
-        }
-        return;
-      }
-
-      if (parsed.action === 'push.register') {
-        const context = authenticatedClients.get(ws);
-        handlePushProtocolMessage(parsed, {
-          deviceId: context?.deviceId,
-          registerToken,
-          unregisterToken,
-          respond: (response) => ws.send(JSON.stringify(response)),
-        });
-        return;
-      }
-
-      if (parsed.action === 'push.unregister') {
-        const context = authenticatedClients.get(ws);
-        handlePushProtocolMessage(parsed, {
-          deviceId: context?.deviceId,
-          registerToken,
-          unregisterToken,
-          respond: (response) => ws.send(JSON.stringify(response)),
-        });
-        return;
-      }
-
-      await manager.handle(ws, msg);
-    } catch (e) {
-      wsLog.error({ error: String(e) }, 'message handling error');
-      ws.send(JSON.stringify({ type: 'error', sessionId: '', message: String(e) }));
-    }
-  });
-
-  ws.on('close', (code) => {
-    wsLog.info({ clients: wss.clients.size, code }, 'client disconnected');
-    metrics.increment('ws.disconnect');
-    metrics.increment('ws.disconnect.code', { code: String(code) });
-    metrics.gauge('ws.clients', wss.clients.size);
-    audit.emit('ws.disconnect', { clients: wss.clients.size, code });
-    manager.removeClient(ws);
-  });
-
-  ws.on('error', (err) => {
-    wsLog.error({ error: err.message }, 'websocket error');
-  });
-});
-
-function destroyAllSockets(): void {
-  for (const socket of sockets) {
-    try {
-      socket.destroy();
-    } catch {}
-  }
-  sockets.clear();
-}
-
-function runStorageHousekeeping(): void {
-  const summary = runStorageHousekeepingSync({
-    auditPath: AUDIT_PATH,
-    stdoutLogPath: DAEMON_STDOUT_LOG_PATH,
-    stderrLogPath: DAEMON_STDERR_LOG_PATH,
-    auditMaxBytes: config.auditMaxBytes,
-    logMaxBytes: config.daemonLogMaxBytes,
-  });
-  if (summary.trimmedFiles > 0) {
-    log.info({
-      trimmedFiles: summary.trimmedFiles,
-      reclaimedBytes: summary.reclaimedBytes,
-      files: summary.files
-        .filter(file => file.trimmed)
-        .map(file => ({
-          path: file.path,
-          beforeBytes: file.beforeBytes,
-          afterBytes: file.afterBytes,
-        })),
-    }, 'trimmed vibelet storage');
-  }
-}
-
-function startStorageHousekeeping(): void {
-  if (storageHousekeepingInterval) return;
-  storageHousekeepingInterval = setInterval(runStorageHousekeeping, config.storageHousekeepingIntervalMs);
-  storageHousekeepingInterval.unref();
-}
-
-function stopStorageHousekeeping(): void {
-  if (!storageHousekeepingInterval) return;
-  clearInterval(storageHousekeepingInterval);
-  storageHousekeepingInterval = null;
-}
-
-function shutdown(reason: string, exitCode = 0): void {
-  if (shuttingDown) return;
-  shuttingDown = true;
-  log.info({ reason, exitCode }, 'shutting down');
-  audit.emit('daemon.shutdown', { reason, exitCode, uptimeSeconds: Math.round((Date.now() - startTime) / 1000) });
-  metrics.stopPeriodicLog();
-  stopStorageHousekeeping();
-
-  manager.shutdown();
-
-  for (const client of wss.clients) {
-    try {
-      client.close(1001, 'Server shutting down');
-      client.terminate();
-    } catch {}
-  }
-
-  wss.close((err) => {
-    if (err) log.error({ error: String(err) }, 'websocket close error');
-  });
-
-  httpServer.close((err) => {
-    if (err) {
-      log.error({ error: String(err) }, 'http close error');
-      destroyAllSockets();
-      process.exit(1);
-      return;
-    }
-    destroyAllSockets();
-    process.exit(exitCode);
-  });
-
-  setTimeout(() => {
-    log.error('force exiting after shutdown timeout');
-    destroyAllSockets();
-    process.exit(exitCode || 1);
-  }, 3000).unref();
-}
-
-wss.on('error', (err: Error) => {
-  wsLog.error({ error: err.message }, 'wss error');
-});
-
-httpServer.on('error', (err: NodeJS.ErrnoException) => {
-  if (err.code === 'EADDRINUSE') {
-    const occupants = collectPortOccupants(config.port).filter((occupant) => occupant.pid !== process.pid);
-    log.error(
-      { port: config.port, occupants },
-      'port is already in use. Stop the existing process or use VIBE_PORT=<port> to specify another port',
-    );
-  } else {
-    log.error({ error: String(err) }, 'server error');
-  }
-  shutdown(`httpServer error: ${err.code ?? err.message}`, 1);
-});
-
-process.once('SIGINT', () => shutdown('SIGINT'));
-process.once('SIGTERM', () => shutdown('SIGTERM'));
-process.once('SIGHUP', () => shutdown('SIGHUP'));
-process.once('SIGTTIN', () => shutdown('SIGTTIN'));
-process.once('SIGTSTP', () => shutdown('SIGTSTP'));
-
-process.on('uncaughtException', (err) => {
-  log.error({ error: String(err), stack: err.stack }, 'uncaughtException');
-  audit.emit('daemon.error', { type: 'uncaughtException', error: String(err) });
-});
-
-process.on('unhandledRejection', (reason) => {
-  log.error({ reason: String(reason) }, 'unhandledRejection');
-  audit.emit('daemon.error', { type: 'unhandledRejection', reason: String(reason) });
-});
-
-httpServer.listen(config.port, async () => {
-  runStorageHousekeeping();
-  audit.emit('daemon.start', { port: config.port });
-  metrics.startPeriodicLog();
-  startStorageHousekeeping();
-  const startupConnectionTarget = getAdvertisedConnectionTarget();
-
-  log.info(
-    {
-      port: config.port,
-      pairingPort: startupConnectionTarget.port,
-      daemonId: identity.daemonId,
-      displayName: identity.displayName,
-      canonicalHost: startupConnectionTarget.canonicalHost,
-      fallbackHosts: startupConnectionTarget.fallbackHosts,
-      claudePath: config.claudePath,
-      codexPath: config.codexPath,
-      auditMaxBytes: config.auditMaxBytes,
-      daemonLogMaxBytes: config.daemonLogMaxBytes,
-      storageHousekeepingIntervalMs: config.storageHousekeepingIntervalMs,
-      turnStallTimeoutMs: config.turnStallTimeoutMs,
-    },
-    'daemon started',
-  );
-
-  const window = pairingStore.openWindow();
-  const qrPayload: PairingQrPayload = {
-    type: 'vibelet-pair',
-    daemonId: identity.daemonId,
-    displayName: identity.displayName,
-    canonicalHost: startupConnectionTarget.canonicalHost,
-    fallbackHosts: startupConnectionTarget.fallbackHosts.length > 0 ? startupConnectionTarget.fallbackHosts : undefined,
-    port: startupConnectionTarget.port,
-    pairNonce: window.pairNonce,
-    expiresAt: window.expiresAt,
-  };
-
-  // Keep the human-friendly banner on stdout for interactive use
-  writeStdoutSafe(`
-╔══════════════════════════════════════╗
-║       Vibelet Daemon v${CLI_VERSION}         ║
-╠══════════════════════════════════════╣
-║  Port:  ${String(qrPayload.port).padEnd(28)}║
-║  ID:    ${identity.daemonId.slice(0, 28).padEnd(28)}║
-║  Host:  ${qrPayload.canonicalHost.slice(0, 28).padEnd(28)}║
-╚══════════════════════════════════════╝
-
-Pair with: npx @vibelet/cli or npx vibelet
-Host: ${qrPayload.canonicalHost}
-Fallbacks: ${qrPayload.fallbackHosts?.join(', ') || '(none)'}
-
-Claude: ${config.claudePath}
-Codex:  ${config.codexPath}
-`);
-
-  // Print QR code for app to scan
-  try {
-    await writeStartupPairingQr(qrPayload);
-  } catch {
-    // QR generation is best-effort
-  }
-});