@wipcomputer/wip-ldm-os 0.4.82-alpha.1 → 0.4.84

package/src/hosted-mcp/app/codex-remote-control/index.html

@@ -0,0 +1,254 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+<title>Codex remote control</title>
+<style>
+  *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+  :root {
+    --bg: #FFFDF5;
+    --bg-event: #F5F3ED;
+    --bg-tool: #F0EDE6;
+    --text: #1a1a1a;
+    --text-muted: #8a8580;
+    --accent: #0033FF;
+    --danger: #b00020;
+    --border: #E0DDD6;
+    --user-bubble: #E8F0FE;
+    --font: -apple-system, BlinkMacSystemFont, "SF Pro Text", system-ui, sans-serif;
+    --mono: ui-monospace, "SF Mono", Menlo, monospace;
+  }
+  html, body { height: 100%; font-family: var(--font); background: var(--bg); color: var(--text); }
+  body { display: flex; flex-direction: column; }
+  header { padding: 12px 16px; padding-top: calc(12px + env(safe-area-inset-top, 0px)); border-bottom: 1px solid var(--border); display: flex; align-items: center; gap: 10px; }
+  header .id { flex: 1; font-size: 13px; color: var(--text-muted); font-family: var(--mono); overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+  header .dot { width: 8px; height: 8px; border-radius: 50%; background: var(--text-muted); }
+  header .dot.online { background: #2ea44f; }
+  header .dot.offline { background: var(--danger); }
+  main { flex: 1; overflow-y: auto; padding: 16px; padding-bottom: 0; -webkit-overflow-scrolling: touch; }
+  .event { margin-bottom: 12px; padding: 12px 14px; border-radius: 10px; background: var(--bg-event); font-size: 14px; line-height: 1.45; }
+  .event .meta { font-size: 11px; color: var(--text-muted); font-family: var(--mono); margin-bottom: 4px; text-transform: uppercase; letter-spacing: 0.05em; }
+  .event.user { background: var(--user-bubble); }
+  .event.agent_message { background: var(--bg); border: 1px solid var(--border); }
+  .event.command_execution { background: var(--bg-tool); font-family: var(--mono); white-space: pre-wrap; word-break: break-all; }
+  .event.command_execution.failed { border-left: 3px solid var(--danger); }
+  .event.error { background: #fff0f0; border: 1px solid #f0c0c0; color: var(--danger); }
+  .event.system { background: transparent; color: var(--text-muted); font-size: 12px; padding: 6px 0; text-align: center; }
+  .event pre { font-family: var(--mono); white-space: pre-wrap; word-break: break-word; font-size: 13px; }
+  footer { padding: 12px; padding-bottom: calc(12px + env(safe-area-inset-bottom, 0px)); border-top: 1px solid var(--border); background: var(--bg); }
+  .composer { display: flex; gap: 8px; align-items: flex-end; }
+  textarea {
+    flex: 1; min-height: 44px; max-height: 120px; padding: 12px;
+    border: 1px solid var(--border); border-radius: 10px;
+    background: var(--bg); color: var(--text); font-family: var(--font); font-size: 16px;
+    resize: none;
+  }
+  textarea:focus { outline: 2px solid var(--accent); outline-offset: -1px; }
+  button { padding: 12px 16px; border: none; border-radius: 10px; font-family: var(--font); font-size: 14px; font-weight: 600; cursor: pointer; -webkit-tap-highlight-color: transparent; }
+  button:active { transform: scale(0.97); }
+  button:disabled { opacity: 0.4; cursor: not-allowed; }
+  .btn-send { background: var(--accent); color: white; }
+  .btn-stop { background: var(--danger); color: white; }
+</style>
+</head>
+<body>
+<header>
+  <div class="dot" id="presence" title="connecting"></div>
+  <div class="id" id="threadId">...</div>
+  <button id="stopBtn" class="btn-stop" type="button" disabled>Stop</button>
+</header>
+<main id="log"></main>
+<footer>
+  <form class="composer" id="composer">
+    <textarea id="prompt" rows="1" placeholder="Tell Codex what to do..." autocomplete="off"></textarea>
+    <button type="submit" class="btn-send" id="sendBtn">Send</button>
+  </form>
+</footer>
+<script>
+function getApiKey() { return sessionStorage.getItem("wip_api_key"); }
+function getHandle() { return sessionStorage.getItem("wip_handle") || ""; }
+
+function ensureSignedIn() {
+  if (!getApiKey()) {
+    location.href = "/app/login.html?next=" + encodeURIComponent(location.pathname);
+    return false;
+  }
+  return true;
+}
+
+function parsePath() {
+  // /:handle/codex-remote-control/:threadId
+  const m = location.pathname.match(/^\/([^/]+)\/codex-remote-control\/([^/]+)\/?$/);
+  if (!m) return null;
+  return { handle: decodeURIComponent(m[1]), threadId: decodeURIComponent(m[2]) };
+}
+
+function setPresence(state) {
+  const dot = document.getElementById("presence");
+  dot.classList.remove("online", "offline");
+  if (state === "online") dot.classList.add("online");
+  if (state === "offline") dot.classList.add("offline");
+  dot.title = state;
+}
+
+function appendEvent(html, kind) {
+  const log = document.getElementById("log");
+  const div = document.createElement("div");
+  div.className = "event " + (kind || "");
+  div.innerHTML = html;
+  log.appendChild(div);
+  log.scrollTop = log.scrollHeight;
+  return div;
+}
+
+function escapeHtml(s) {
+  return String(s).replace(/[&<>"']/g, (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", "\"": "&quot;", "'": "&#39;" }[c]));
+}
+
+function renderItem(item) {
+  if (item.type === "agent_message") {
+    return appendEvent('<div class="meta">codex</div>' + escapeHtml(item.text || "").replace(/\n/g, "<br>"), "agent_message");
+  }
+  if (item.type === "command_execution") {
+    const status = (item.status || "").toString();
+    const out = item.aggregated_output ? '\n\n' + item.aggregated_output : "";
+    return appendEvent(
+      '<div class="meta">$ ' + escapeHtml(status) + (item.exit_code != null ? " (exit " + item.exit_code + ")" : "") + '</div>' +
+      '<pre>' + escapeHtml(item.command || "") + escapeHtml(out) + '</pre>',
+      "command_execution" + (status === "failed" ? " failed" : ""),
+    );
+  }
+  if (item.type === "reasoning") {
+    return appendEvent('<div class="meta">reasoning</div>' + escapeHtml(item.text || ""), "reasoning");
+  }
+  return appendEvent('<div class="meta">' + escapeHtml(item.type || "item") + '</div><pre>' + escapeHtml(JSON.stringify(item, null, 2)) + '</pre>', "item");
+}
+
+let ws = null;
+let pendingId = 1;
+
+function send(req) {
+  if (!ws || ws.readyState !== WebSocket.OPEN) return;
+  ws.send(JSON.stringify(req));
+}
+
+function connect(threadId) {
+  const apiKey = getApiKey();
+  const proto = location.protocol === "https:" ? "wss:" : "ws:";
+  const url = proto + "//" + location.host + "/api/codex-relay/web/" + encodeURIComponent(threadId) + "?token=" + encodeURIComponent(apiKey);
+  ws = new WebSocket(url);
+
+  ws.addEventListener("open", () => {
+    setPresence("online");
+    appendEvent("connected. open this thread in Codex on your Mac if it's not already.", "system");
+  });
+
+  ws.addEventListener("close", (ev) => {
+    setPresence("offline");
+    appendEvent("disconnected (code " + ev.code + ")", "system");
+  });
+
+  ws.addEventListener("error", () => {
+    setPresence("offline");
+  });
+
+  ws.addEventListener("message", (ev) => {
+    let msg;
+    try { msg = JSON.parse(ev.data); } catch { return; }
+    if (msg.type === "session.started") {
+      // Daemon assigned a temp id; the real thread id will arrive in thread.started.
+      return;
+    }
+    if (msg.type === "session.event") {
+      const evt = msg.event || {};
+      if (evt.type === "thread.started") {
+        // ok
+        return;
+      }
+      if (evt.type === "turn.started") {
+        document.getElementById("stopBtn").disabled = false;
+        return;
+      }
+      if (evt.type === "item.completed" && evt.item) {
+        renderItem(evt.item);
+        return;
+      }
+      if (evt.type === "item.started") {
+        return; // skip; we render on completed for now
+      }
+      if (evt.type === "turn.completed") {
+        document.getElementById("stopBtn").disabled = true;
+        const u = evt.usage;
+        if (u) appendEvent("turn complete (" + (u.input_tokens || 0) + " in / " + (u.output_tokens || 0) + " out)", "system");
+        else appendEvent("turn complete", "system");
+        return;
+      }
+      if (evt.type === "turn.failed") {
+        document.getElementById("stopBtn").disabled = true;
+        appendEvent("turn failed: " + (evt.error && evt.error.message ? evt.error.message : "unknown"), "error");
+        return;
+      }
+      return;
+    }
+    if (msg.type === "ack") return;
+    if (msg.type === "error") {
+      appendEvent("error: " + (msg.message || ""), "error");
+      return;
+    }
+  });
+}
+
+function init() {
+  if (!ensureSignedIn()) return;
+  const parsed = parsePath();
+  if (!parsed) {
+    appendEvent("Invalid URL. Expected /<handle>/codex-remote-control/<thread-id>.", "error");
+    return;
+  }
+  document.getElementById("threadId").textContent = parsed.threadId;
+  connect(parsed.threadId);
+
+  // Open or attach to the session on the daemon. session.start returns a temp
+  // sessionId; the actual thread.id arrives via thread.started in the stream.
+  setTimeout(() => {
+    send({ type: "session.start", id: "open-" + (pendingId += 1) });
+  }, 250);
+
+  document.getElementById("composer").addEventListener("submit", (ev) => {
+    ev.preventDefault();
+    const input = document.getElementById("prompt");
+    const text = input.value.trim();
+    if (!text) return;
+    input.value = "";
+    appendEvent('<div class="meta">you</div>' + escapeHtml(text), "user");
+    send({
+      type: "session.send",
+      id: "send-" + (pendingId += 1),
+      sessionId: parsed.threadId,
+      prompt: text,
+    });
+  });
+
+  document.getElementById("stopBtn").addEventListener("click", () => {
+    send({ type: "session.interrupt", id: "stop-" + (pendingId += 1), sessionId: parsed.threadId });
+  });
+
+  // Submit on Cmd+Enter / Ctrl+Enter; auto-resize.
+  const ta = document.getElementById("prompt");
+  ta.addEventListener("input", () => {
+    ta.style.height = "auto";
+    ta.style.height = Math.min(120, ta.scrollHeight) + "px";
+  });
+  ta.addEventListener("keydown", (ev) => {
+    if ((ev.metaKey || ev.ctrlKey) && ev.key === "Enter") {
+      ev.preventDefault();
+      document.getElementById("composer").requestSubmit();
+    }
+  });
+}
+
+init();
+</script>
+</body>
+</html>

package/src/hosted-mcp/app/login.html

@@ -0,0 +1,176 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+<title>Sign in ... wip.computer</title>
+<style>
+  *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+  :root {
+    --bg: #FFFDF5;
+    --text: #1a1a1a;
+    --text-muted: #8a8580;
+    --accent: #0033FF;
+    --input-border: #E0DDD6;
+    --card-bg: #FFFFFF;
+    --font: -apple-system, BlinkMacSystemFont, "SF Pro Text", system-ui, sans-serif;
+  }
+  html, body { height: 100%; font-family: var(--font); background: var(--bg); color: var(--text); }
+  .page { display: flex; flex-direction: column; align-items: center; justify-content: center; min-height: 100vh; padding: 24px; }
+  .card { max-width: 380px; width: 100%; text-align: center; }
+  h1 { font-size: 26px; font-weight: 600; letter-spacing: -0.02em; margin-bottom: 8px; }
+  .sub { font-size: 16px; color: var(--text-muted); margin-bottom: 24px; }
+  .btn {
+    display: block; width: 100%; padding: 18px;
+    border: none; border-radius: 12px;
+    font-size: 18px; font-weight: 600; font-family: var(--font);
+    cursor: pointer; transition: background 0.15s, transform 0.1s;
+    -webkit-tap-highlight-color: transparent;
+  }
+  .btn:active { transform: scale(0.98); }
+  .btn-primary { background: var(--accent); color: white; }
+  .btn-secondary { background: var(--card-bg); color: var(--text); border: 1px solid var(--input-border); }
+  .btn:disabled { opacity: 0.5; cursor: not-allowed; }
+  .status { margin-top: 16px; font-size: 14px; min-height: 1.4em; color: var(--text-muted); }
+  .status.error { color: #b00020; }
+  .status.success { color: #007e33; }
+  .footer { margin-top: 24px; font-size: 13px; color: var(--text-muted); }
+
+  .qr-wrap {
+    margin: 12px auto;
+    padding: 16px; background: var(--card-bg);
+    border: 1px solid var(--input-border); border-radius: 16px;
+    width: 280px; height: 280px;
+    display: flex; align-items: center; justify-content: center;
+  }
+  .qr-wrap img { width: 100%; height: 100%; image-rendering: pixelated; }
+
+  /* Mobile: hide QR, passkey is the only path. */
+  @media (max-width: 700px) {
+    #qr-section { display: none; }
+  }
+  /* Desktop: passkey is the secondary action. */
+  @media (min-width: 701px) {
+    #passkey-section { margin-top: 20px; }
+    #passkey-section .or { font-size: 13px; color: var(--text-muted); margin-bottom: 10px; }
+  }
+</style>
+</head>
+<body>
+<div class="page">
+  <div class="card">
+    <h1 id="title">Open on your phone</h1>
+    <div class="sub" id="subtitle">Scan with your phone to drive this session from your phone.</div>
+
+    <div id="qr-section">
+      <div class="qr-wrap"><img id="qrImg" alt="QR code"></div>
+    </div>
+
+    <div id="passkey-section">
+      <div class="or">or sign in on this device</div>
+      <button id="passkeyBtn" class="btn btn-secondary" type="button">Continue with passkey</button>
+      <div id="status" class="status"></div>
+    </div>
+
+    <div class="footer">No account? <a href="/signup">Create one</a></div>
+  </div>
+</div>
+<script>
+function b64urlToBytes(b64url) {
+  const pad = "=".repeat((4 - (b64url.length % 4)) % 4);
+  const b64 = (b64url + pad).replace(/-/g, "+").replace(/_/g, "/");
+  const bin = atob(b64);
+  const out = new Uint8Array(bin.length);
+  for (let i = 0; i < bin.length; i += 1) out[i] = bin.charCodeAt(i);
+  return out.buffer;
+}
+function bytesToB64url(buf) {
+  const bytes = new Uint8Array(buf);
+  let s = "";
+  for (let i = 0; i < bytes.length; i += 1) s += String.fromCharCode(bytes[i]);
+  return btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+
+const params = new URLSearchParams(location.search);
+const NEXT = (() => {
+  const n = params.get("next");
+  return n && n.startsWith("/") ? n : "/pair";
+})();
+
+function setStatus(msg, kind) {
+  const el = document.getElementById("status");
+  el.textContent = msg;
+  el.className = "status" + (kind ? " " + kind : "");
+}
+
+// Already signed in? Skip the page entirely.
+if (sessionStorage.getItem("wip_api_key")) {
+  location.replace(NEXT);
+}
+
+// QR encodes the absolute next URL. Phone scans, phone visits next URL.
+// If phone has no api_key yet, the next page redirects back here on the
+// phone, where the user signs in with passkey on the phone.
+(function renderQr() {
+  const absoluteNext = location.origin + NEXT;
+  document.getElementById("qrImg").src = "/api/qr?url=" + encodeURIComponent(absoluteNext);
+})();
+
+async function signIn() {
+  const btn = document.getElementById("passkeyBtn");
+  btn.disabled = true;
+  setStatus("Waiting for biometric...");
+  try {
+    const optRes = await fetch("/webauthn/auth-options", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: "{}",
+    });
+    const { challengeId, options } = await optRes.json();
+    if (!options) throw new Error("Server returned no auth options");
+    options.challenge = b64urlToBytes(options.challenge);
+    if (options.allowCredentials) {
+      options.allowCredentials = options.allowCredentials.map(c => ({ ...c, id: b64urlToBytes(c.id) }));
+    }
+    const credential = await navigator.credentials.get({ publicKey: options });
+    setStatus("Verifying...");
+    const verifyRes = await fetch("/webauthn/auth-verify", {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        challengeId,
+        credential: {
+          id: credential.id,
+          rawId: bytesToB64url(credential.rawId),
+          type: credential.type,
+          response: {
+            clientDataJSON: bytesToB64url(credential.response.clientDataJSON),
+            authenticatorData: bytesToB64url(credential.response.authenticatorData),
+            signature: bytesToB64url(credential.response.signature),
+            userHandle: credential.response.userHandle ? bytesToB64url(credential.response.userHandle) : null,
+          },
+        },
+      }),
+    });
+    const data = await verifyRes.json();
+    if (!verifyRes.ok || !data.success) throw new Error(data.error || "Sign-in failed");
+    sessionStorage.setItem("wip_api_key", data.apiKey);
+    sessionStorage.setItem("wip_handle", data.agentId);
+    setStatus("Signed in.", "success");
+    location.replace(NEXT);
+  } catch (err) {
+    setStatus(err.message || String(err), "error");
+    btn.disabled = false;
+  }
+}
+
+document.getElementById("passkeyBtn").addEventListener("click", signIn);
+
+// Tighten copy on phone-sized viewports.
+if (window.matchMedia("(max-width: 700px)").matches) {
+  document.getElementById("title").textContent = "Sign in";
+  document.getElementById("subtitle").textContent = "Use the passkey on this device.";
+}
+</script>
+</body>
+</html>

package/src/hosted-mcp/app/pair.html

@@ -0,0 +1,118 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
+<title>Pair codex-daemon ... wip.computer</title>
+<style>
+  *, *::before, *::after { margin: 0; padding: 0; box-sizing: border-box; }
+  :root {
+    --bg: #FFFDF5;
+    --text: #1a1a1a;
+    --text-muted: #8a8580;
+    --accent: #0033FF;
+    --input-bg: #F5F3ED;
+    --input-border: #E0DDD6;
+    --font: -apple-system, BlinkMacSystemFont, "SF Pro Text", system-ui, sans-serif;
+  }
+  html, body { height: 100%; font-family: var(--font); background: var(--bg); color: var(--text); }
+  .page { display: flex; flex-direction: column; align-items: center; justify-content: center; min-height: 100vh; padding: 24px; }
+  .card { max-width: 420px; width: 100%; text-align: center; }
+  h1 { font-size: 26px; font-weight: 600; letter-spacing: -0.02em; margin-bottom: 8px; }
+  .sub { font-size: 16px; color: var(--text-muted); margin-bottom: 32px; }
+  input[type="text"] {
+    width: 100%; padding: 18px; font-size: 22px; font-weight: 600;
+    text-align: center; letter-spacing: 0.4em;
+    border: 2px solid var(--input-border); border-radius: 12px;
+    background: var(--input-bg); color: var(--text);
+    text-transform: uppercase; font-family: ui-monospace, "SF Mono", monospace;
+  }
+  input[type="text"]:focus { border-color: var(--accent); outline: none; }
+  .btn { display: block; width: 100%; padding: 18px; border: none; border-radius: 12px; font-size: 18px; font-weight: 600; font-family: var(--font); cursor: pointer; margin-top: 16px; }
+  .btn:active { transform: scale(0.98); }
+  .btn-primary { background: var(--accent); color: white; }
+  .btn:disabled { opacity: 0.5; cursor: not-allowed; }
+  .status { margin-top: 18px; font-size: 14px; min-height: 1.4em; color: var(--text-muted); }
+  .status.error { color: #b00020; }
+  .status.success { color: #007e33; }
+  .footer { margin-top: 32px; font-size: 13px; color: var(--text-muted); }
+</style>
+</head>
+<body>
+<div class="page">
+  <div class="card">
+    <h1>Pair your Mac</h1>
+    <div class="sub">Type the code printed by <code>codex-daemon link</code></div>
+    <input id="codeInput" type="text" maxlength="6" autocomplete="off" autocapitalize="characters" inputmode="text" placeholder="ABC123">
+    <button id="pairBtn" class="btn btn-primary" type="button">Pair</button>
+    <div id="status" class="status"></div>
+    <div class="footer">Signed in as <span id="handle">...</span> ... <a href="#" id="signout">sign out</a></div>
+  </div>
+</div>
+<script>
+function getApiKey() {
+  return sessionStorage.getItem("wip_api_key");
+}
+function getHandle() {
+  return sessionStorage.getItem("wip_handle") || "(unknown)";
+}
+function setStatus(msg, kind) {
+  const el = document.getElementById("status");
+  el.textContent = msg;
+  el.className = "status" + (kind ? " " + kind : "");
+}
+function ensureSignedIn() {
+  if (!getApiKey()) {
+    location.href = "/app/login.html?next=" + encodeURIComponent("/pair");
+    return false;
+  }
+  document.getElementById("handle").textContent = getHandle();
+  return true;
+}
+
+document.getElementById("signout").addEventListener("click", (ev) => {
+  ev.preventDefault();
+  sessionStorage.removeItem("wip_api_key");
+  sessionStorage.removeItem("wip_handle");
+  location.href = "/app/login.html?next=" + encodeURIComponent("/pair");
+});
+
+async function pair() {
+  const input = document.getElementById("codeInput");
+  const code = input.value.trim().toUpperCase();
+  if (code.length !== 6) {
+    setStatus("Enter the 6-character code shown on your Mac.", "error");
+    return;
+  }
+  const btn = document.getElementById("pairBtn");
+  btn.disabled = true;
+  setStatus("Pairing...");
+  try {
+    const res = await fetch("/api/codex-relay/pair-complete", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Authorization": "Bearer " + getApiKey(),
+      },
+      body: JSON.stringify({ code }),
+    });
+    const data = await res.json();
+    if (!res.ok) throw new Error(data.error || "Pairing failed");
+    setStatus("Paired. Your Mac will pick this up in a few seconds.", "success");
+    btn.textContent = "Done";
+  } catch (err) {
+    setStatus(err.message || String(err), "error");
+    btn.disabled = false;
+  }
+}
+
+if (ensureSignedIn()) {
+  document.getElementById("pairBtn").addEventListener("click", pair);
+  document.getElementById("codeInput").addEventListener("keydown", (ev) => {
+    if (ev.key === "Enter") pair();
+  });
+  document.getElementById("codeInput").focus();
+}
+</script>
+</body>
+</html>

package/src/hosted-mcp/nginx/wip.computer.conf

@@ -16,6 +16,94 @@ server {
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
 
+    # ── Codex Remote Control relay ──
+    # The Node app at 127.0.0.1:18800 (wip-mcp/server.mjs) owns these.
+    # Without these blocks, nginx falls back to /index.html and the
+    # phone-side bootstrap + ws-ticket calls receive HTML, which breaks
+    # E2EE handshake and relay attach. See:
+    # wip-ldm-os-private/ai/product/plans-prds/codex-remote-control/
+
+    # HTTP routes: bootstrap (GET), ws-ticket (POST), state (GET),
+    # pair-init (POST), pair-status (GET), pair-complete (POST).
+    location /api/codex-relay/bootstrap/ {
+        proxy_pass http://127.0.0.1:18800;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/codex-relay/ws-ticket {
+        proxy_pass http://127.0.0.1:18800;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/codex-relay/state {
+        proxy_pass http://127.0.0.1:18800;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/codex-relay/pair-init {
+        proxy_pass http://127.0.0.1:18800;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/codex-relay/pair-status/ {
+        proxy_pass http://127.0.0.1:18800;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+    location /api/codex-relay/pair-complete {
+        proxy_pass http://127.0.0.1:18800;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    # WebSocket routes: phone (web) and daemon long-lived sockets.
+    # Upgrade headers are the standard WebSocket-via-nginx pattern.
+    # Long read timeout because daemon sockets stay open indefinitely.
+    location /api/codex-relay/web/ {
+        proxy_pass http://127.0.0.1:18800;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 86400;
+        proxy_send_timeout 86400;
+        proxy_buffering off;
+    }
+    location /api/codex-relay/daemon {
+        proxy_pass http://127.0.0.1:18800;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 86400;
+        proxy_send_timeout 86400;
+        proxy_buffering off;
+    }
+
     location ~ /\. {
         deny all;
     }

package/src/hosted-mcp/package-lock.json

@@ -13,6 +13,7 @@
         "@simplewebauthn/server": "^13.3.0",
         "prisma": "^6.19.3",
         "qrcode": "^1.5.4",
+        "ws": "^8.18.0",
         "zod": "^3.25.0"
       },
       "engines": {
@@ -2029,6 +2030,27 @@
       "integrity": "sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==",
       "license": "ISC"
     },
+    "node_modules/ws": {
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/ws/-/ws-8.20.0.tgz",
+      "integrity": "sha512-sAt8BhgNbzCtgGbt2OxmpuryO63ZoDk/sqaB/znQm94T4fCEsy/yV+7CdC1kJhOU9lboAEU7R3kquuycDoibVA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.0.0"
+      },
+      "peerDependencies": {
+        "bufferutil": "^4.0.1",
+        "utf-8-validate": ">=5.0.2"
+      },
+      "peerDependenciesMeta": {
+        "bufferutil": {
+          "optional": true
+        },
+        "utf-8-validate": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/y18n": {
       "version": "4.0.3",
       "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.3.tgz",