@wipcomputer/wip-ldm-os 0.4.85-alpha.15 → 0.4.85-alpha.17

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.85-alpha.15",
+  "version": "0.4.85-alpha.17",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {
@@ -32,6 +32,7 @@
     "test:crc-agentid-tenant-boundary": "node scripts/test-crc-agentid-tenant-boundary.mjs",
     "test:crc-pair-login-flow": "node scripts/test-crc-pair-login-flow.mjs",
     "test:crc-pair-status-poll-token": "node scripts/test-crc-pair-status-poll-token.mjs",
+    "test:crc-pair-relink-audit-and-rotation": "node scripts/test-crc-pair-relink-audit-and-rotation.mjs",
     "test:crc-e2ee-key-persistence": "node scripts/test-crc-e2ee-key-persistence.mjs",
     "test:crc-e2ee-session-route": "node scripts/test-crc-e2ee-session-route.mjs",
     "fmt": "npx prettier --write 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'",

package/scripts/test-crc-agentid-tenant-boundary.mjs

@@ -29,7 +29,7 @@ assertContains("await saveApiKey(apiKey, agentId, { handle: credentialLabel });"
 assertContains("p.handle = identity.handle;", "pair stores display handle separately");
 assertContains("handle: identity.handle,", "relay metadata returns display handle");
 assertContains("codexDaemons.has(identity.agentId)", "daemon presence uses tenant id");
-assertContains("codexDaemonPubkeys.get(identity.agentId)", "daemon pubkey uses tenant id");
+assertContains("codexDaemonPubkeyRegistry.get(identity.agentId)", "daemon pubkey uses tenant id");
 assertContains("agentId: identity.agentId,", "relay tickets bind tenant id");
 assertContains("handle: identity.handle,", "relay tickets preserve display handle");
 assertContains("codexDaemons.set(identity.agentId, ws);", "daemon ws keyed by tenant id");

package/scripts/test-crc-e2ee-key-persistence.mjs

@@ -41,6 +41,7 @@ function createFakePrisma() {
     rows,
     async $executeRawUnsafe(sql, tenantId, pubkey, cryptoVersionsJson) {
       if (/CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_keys/.test(sql)) return;
+      if (/CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_key_audit/.test(sql)) return;
       if (/INSERT INTO codex_daemon_e2ee_keys/.test(sql)) {
         rows.set(tenantId, {
           tenant_id: tenantId,
@@ -50,6 +51,7 @@ function createFakePrisma() {
         });
         return;
       }
+      if (/INSERT INTO codex_daemon_e2ee_key_audit/.test(sql)) return;
       throw new Error("unexpected fake prisma execute: " + sql);
     },
     async $queryRawUnsafe(sql) {

package/scripts/test-crc-pair-relink-audit-and-rotation.mjs

@@ -0,0 +1,139 @@
+import { readFileSync } from "node:fs";
+import {
+  codexDaemonPubkeyFingerprint,
+  createCodexDaemonPubkeyRegistry,
+} from "../src/hosted-mcp/codex-relay-e2ee-registry.mjs";
+
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+const pairHtml = readFileSync("src/hosted-mcp/app/pair.html", "utf8");
+const loginHtml = readFileSync("src/hosted-mcp/app/kaleidoscope-login.html", "utf8");
+const registrySource = readFileSync("src/hosted-mcp/codex-relay-e2ee-registry.mjs", "utf8");
+const ticket = readFileSync("ai/product/bugs/codex-remote-control/2026-05-05--codex--remote-control-pair-relink-audit-and-rotation.md", "utf8");
+
+function assertContains(haystack, needle, label) {
+  if (!haystack.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+
+function assert(condition, label, detail = "") {
+  if (!condition) throw new Error(`${label}${detail ? ": " + detail : ""}`);
+}
+
+function createSilentLogger() {
+  return { log() {}, error() {} };
+}
+
+assertContains(server, "const CODEX_PAIR_PRESENCE_TTL_MS = 2 * 60 * 1000;", "short pair presence ttl");
+assertContains(server, "const codexPairPresenceTokens = new Map();", "pair presence token store");
+assertContains(server, "function generateCodexPairPresenceToken(agentId)", "pair presence token mint");
+assertContains(server, "function consumeCodexPairPresenceToken(token, agentId)", "pair presence token consume");
+assertContains(server, "codex_pair_presence_token: generateCodexPairPresenceToken(agentId)", "registration mints pair presence token");
+assertContains(server, "codex_pair_presence_token: generateCodexPairPresenceToken(entry.agentId)", "authentication mints pair presence token");
+assertContains(server, 'error: "fresh_presence_required"', "pair-complete fresh presence rejection");
+assertContains(server, "consumeCodexPairPresenceToken(pairPresenceToken, identity.agentId)", "pair-complete consumes pair presence token");
+assertContains(server, 'json(res, 404, { error: "invalid or already-used code" });', "pair code reuse rejection");
+assertContains(server, 'json(res, 410, { error: "code expired or already used" });', "pair code expiry rejection");
+assertContains(server, "invalidateCodexBrowserSessionsForAgent(identity.agentId, \"daemon key replaced\")", "daemon replacement invalidates stale browser sessions");
+assertContains(server, "p.replaced_daemon_key = !!daemonKeyResult?.replaced;", "pair state records replacement status");
+assertContains(server, "replaced_daemon_key: !!p.replaced_daemon_key", "pair-status exposes relink replacement status");
+assertContains(pairHtml, "codex_pair_presence_token: getPairPresenceToken()", "pair page sends pair presence token");
+assertContains(pairHtml, "fresh_presence_required", "pair page handles fresh presence error");
+assertContains(pairHtml, "Remote Control relinked this laptop.", "pair page gives relink message");
+assertContains(loginHtml, "wip_codex_pair_presence_token", "login carries pair presence token into pair page");
+assertContains(registrySource, "CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_key_audit", "pair audit table");
+assertContains(registrySource, "old_pubkey_fingerprint", "audit stores old key fingerprint");
+assertContains(registrySource, "new_pubkey_fingerprint", "audit stores new key fingerprint");
+assertContains(ticket, "status: done", "ticket marked done");
+
+const oldFingerprint = codexDaemonPubkeyFingerprint("old-spki-key");
+const newFingerprint = codexDaemonPubkeyFingerprint("new-spki-key");
+assert(oldFingerprint && oldFingerprint.startsWith("sha256:"), "fingerprint has sha256 prefix");
+assert(oldFingerprint !== newFingerprint, "fingerprint changes when daemon key changes");
+
+const registry = createCodexDaemonPubkeyRegistry({
+  usePrisma: false,
+  devMode: false,
+  logger: createSilentLogger(),
+});
+const first = await registry.register("acct:test-user-a", "old-spki-key", ["e2ee-v1"], "pair-complete");
+assert(first.registered === true, "first pair registers key");
+assert(first.replaced === false, "first pair is not replacement");
+const second = await registry.register("acct:test-user-a", "new-spki-key", ["e2ee-v1"], "pair-complete");
+assert(second.registered === true, "relink registers new key");
+assert(second.replaced === true, "relink replacement is detected");
+assert(second.old_fingerprint === oldFingerprint, "relink reports old fingerprint");
+assert(second.new_fingerprint === newFingerprint, "relink reports new fingerprint");
+assert(registry.auditLog.length === 2, "registry keeps audit entries");
+assert(registry.auditLog[1].replaced === true, "audit marks replacement");
+assert(registry.auditLog[1].old_pubkey_fingerprint === oldFingerprint, "audit stores old fingerprint");
+assert(registry.auditLog[1].new_pubkey_fingerprint === newFingerprint, "audit stores new fingerprint");
+
+const executeCalls = [];
+const persistedRegistry = createCodexDaemonPubkeyRegistry({
+  usePrisma: true,
+  devMode: false,
+  logger: createSilentLogger(),
+  prisma: {
+    async $executeRawUnsafe(sql, ...args) {
+      executeCalls.push({ sql, args });
+      return 1;
+    },
+  },
+});
+await persistedRegistry.register("acct:test-user-b", "persisted-spki-key", ["e2ee-v1"], "daemon-reconnect");
+const auditInsert = executeCalls.find((call) => call.sql.includes("INSERT INTO codex_daemon_e2ee_key_audit"));
+assert(auditInsert, "audit insert executes for persisted registry");
+assert(auditInsert.sql.includes("$7::timestamptz"), "audit insert casts registered_at parameter to timestamptz");
+assert(typeof auditInsert.args[6] === "string" && auditInsert.args[6].includes("T"), "audit insert passes ISO registered_at value");
+
+function pairCompleteModel({ hasDaemonPublicKey, pairPresenceOk, previousPubkey, nextPubkey }) {
+  if (hasDaemonPublicKey && !pairPresenceOk) return { code: 403, error: "fresh_presence_required" };
+  const replaced = !!(previousPubkey && nextPubkey && previousPubkey !== nextPubkey);
+  return { code: 200, replaced };
+}
+
+assert(
+  pairCompleteModel({
+    hasDaemonPublicKey: true,
+    pairPresenceOk: false,
+    previousPubkey: "old",
+    nextPubkey: "new",
+  }).code === 403,
+  "ck token alone cannot replace daemon key",
+);
+assert(
+  pairCompleteModel({
+    hasDaemonPublicKey: true,
+    pairPresenceOk: true,
+    previousPubkey: "old",
+    nextPubkey: "new",
+  }).replaced === true,
+  "fresh pair presence permits relink",
+);
+assert(
+  pairCompleteModel({
+    hasDaemonPublicKey: true,
+    pairPresenceOk: true,
+    previousPubkey: null,
+    nextPubkey: "new",
+  }).replaced === false,
+  "fresh pair presence permits first pair",
+);
+
+function pairCodeModel(pair, codeKnown, now) {
+  if (!codeKnown) return { code: 404, error: "invalid or already-used code" };
+  if (!pair || pair.status !== "pending" || now > pair.expires) {
+    return { code: 410, error: "code expired or already used" };
+  }
+  pair.status = "completed";
+  return { code: 200 };
+}
+
+const pair = { status: "pending", expires: 100 };
+assert(pairCodeModel(pair, true, 10).code === 200, "first pair-complete succeeds");
+assert(pairCodeModel(pair, true, 20).code === 410, "pair code reuse fails");
+assert(pairCodeModel({ status: "pending", expires: 100 }, true, 200).code === 410, "expired pair code fails");
+assert(pairCodeModel(null, false, 10).code === 404, "unknown pair code fails");
+
+console.log("crc pair relink audit and rotation checks passed");

package/src/hosted-mcp/app/kaleidoscope-login.html

@@ -415,6 +415,9 @@ async function followPairNextIfPresent(approveResponse, identity) {
   }
   sessionStorage.setItem('wip_api_key', identity.apiKey);
   if (identity.agentId) sessionStorage.setItem('wip_handle', identity.agentId);
+  if (PAIR_NEXT_REGEX.test(next) && identity.codex_pair_presence_token) {
+    sessionStorage.setItem('wip_codex_pair_presence_token', identity.codex_pair_presence_token);
+  }
   location.replace(next);
   return true;
 }

package/src/hosted-mcp/app/pair.html

@@ -74,7 +74,7 @@
     <!-- View 3: success -->
     <div id="success-view" style="display: none;">
       <h1>Paired.</h1>
-      <div class="sub">Your laptop will pick this up in a few seconds.</div>
+      <div id="success-sub" class="sub">Your laptop will pick this up in a few seconds.</div>
       <div class="footer">You can close this tab.</div>
     </div>
   </div>
@@ -86,6 +86,7 @@ var PAIR_CODE_REGEX = /^[ABCDEFGHJKLMNPQRSTUVWXYZ23456789]{6}$/;
 
 function getApiKey() { return sessionStorage.getItem('wip_api_key'); }
 function getHandle() { return sessionStorage.getItem('wip_handle') || '(unknown)'; }
+function getPairPresenceToken() { return sessionStorage.getItem('wip_codex_pair_presence_token'); }
 
 function setStatus(elId, msg, kind) {
   var el = document.getElementById(elId);
@@ -104,7 +105,9 @@ function readCodeFromPath() {
 }
 
 // POST the code to /api/codex-relay/pair-complete using the api_key
-// from sessionStorage as Bearer token. On success, show the success view.
+// from sessionStorage as Bearer token. Daemon key pairing also sends the
+// short-lived token minted by the passkey verify step, so a stale ck- token
+// alone cannot replace a daemon. On success, show the success view.
 async function submitPair(code, statusElId) {
   if (!PAIR_CODE_REGEX.test(code)) {
     setStatus(statusElId, 'That does not look like a valid code.', 'error');
@@ -118,7 +121,10 @@ async function submitPair(code, statusElId) {
         'Content-Type': 'application/json',
         'Authorization': 'Bearer ' + getApiKey(),
       },
-      body: JSON.stringify({ code: code }),
+      body: JSON.stringify({
+        code: code,
+        codex_pair_presence_token: getPairPresenceToken(),
+      }),
     });
     var data = await res.json();
     if (!res.ok) {
@@ -127,9 +133,21 @@ async function submitPair(code, statusElId) {
       if (res.status === 410 || res.status === 404) {
         msg += ' Run codex-daemon link again on your laptop to get a fresh code.';
       }
+      if (res.status === 403 && data && data.error === 'fresh_presence_required') {
+        msg = 'Sign in again with your passkey to relink this daemon.';
+        sessionStorage.removeItem('wip_api_key');
+        sessionStorage.removeItem('wip_codex_pair_presence_token');
+        setTimeout(function() {
+          location.replace('/login?next=' + encodeURIComponent('/pair/' + code));
+        }, 1200);
+      }
       setStatus(statusElId, msg, 'error');
       return false;
     }
+    sessionStorage.removeItem('wip_codex_pair_presence_token');
+    document.getElementById('success-sub').textContent = data.replaced_daemon_key
+      ? 'Remote Control relinked this laptop. Existing browser control tabs need to reconnect.'
+      : 'Your laptop will pick this up in a few seconds.';
     document.getElementById('confirm-view').style.display = 'none';
     document.getElementById('manual-view').style.display = 'none';
     document.getElementById('success-view').style.display = 'block';

package/src/hosted-mcp/codex-relay-e2ee-registry.mjs

@@ -1,3 +1,5 @@
+import { createHash, randomUUID } from "node:crypto";
+
 export function normalizeCodexCryptoVersions(versions) {
   const out = Array.isArray(versions)
     ? versions.filter((v) => typeof v === "string" && v.length > 0 && v.length <= 32).slice(0, 8)
@@ -5,6 +7,11 @@ export function normalizeCodexCryptoVersions(versions) {
   return out.length ? out : ["e2ee-v1"];
 }
 
+export function codexDaemonPubkeyFingerprint(pubkey) {
+  if (typeof pubkey !== "string" || !pubkey) return null;
+  return "sha256:" + createHash("sha256").update(pubkey).digest("base64url").slice(0, 16);
+}
+
 export function buildCodexBootstrapPayload({ identity, threadId, daemonOnline, daemonKey }) {
   return {
     handle: identity.handle,
@@ -24,6 +31,7 @@ export function createCodexDaemonPubkeyRegistry({
   logger = console,
 } = {}) {
   const pubkeys = new Map();
+  const auditLog = [];
 
   async function ensureStore() {
     if (!usePrisma) return;
@@ -37,6 +45,21 @@ export function createCodexDaemonPubkeyRegistry({
     `);
   }
 
+  async function ensureAuditStore() {
+    if (!usePrisma) return;
+    await prisma.$executeRawUnsafe(`
+      CREATE TABLE IF NOT EXISTS codex_daemon_e2ee_key_audit (
+        id TEXT PRIMARY KEY,
+        tenant_id TEXT NOT NULL,
+        source TEXT NOT NULL,
+        old_pubkey_fingerprint TEXT,
+        new_pubkey_fingerprint TEXT,
+        replaced BOOLEAN NOT NULL,
+        registered_at TIMESTAMPTZ NOT NULL DEFAULT now()
+      )
+    `);
+  }
+
   async function loadFromDb() {
     if (!usePrisma) return;
     try {
@@ -79,9 +102,39 @@ export function createCodexDaemonPubkeyRegistry({
     );
   }
 
+  async function recordAudit(agentId, previousPubkey, nextPubkey, source, registeredAt) {
+    const oldFingerprint = codexDaemonPubkeyFingerprint(previousPubkey);
+    const newFingerprint = codexDaemonPubkeyFingerprint(nextPubkey);
+    const replaced = !!(previousPubkey && previousPubkey !== nextPubkey);
+    const entry = {
+      tenant_id: agentId,
+      source,
+      old_pubkey_fingerprint: oldFingerprint,
+      new_pubkey_fingerprint: newFingerprint,
+      replaced,
+      registered_at: registeredAt,
+    };
+    auditLog.push(entry);
+    if (!usePrisma) return;
+    await ensureAuditStore();
+    await prisma.$executeRawUnsafe(
+      `INSERT INTO codex_daemon_e2ee_key_audit
+        (id, tenant_id, source, old_pubkey_fingerprint, new_pubkey_fingerprint, replaced, registered_at)
+       VALUES ($1, $2, $3, $4, $5, $6, $7::timestamptz)`,
+      randomUUID(),
+      agentId,
+      source,
+      oldFingerprint,
+      newFingerprint,
+      replaced,
+      registeredAt,
+    );
+  }
+
   function register(agentId, pubkey, cryptoVersions, source) {
     if (typeof agentId !== "string" || !agentId) return Promise.resolve(false);
     if (typeof pubkey !== "string" || !pubkey || pubkey.length > 1024) return Promise.resolve(false);
+    const previous = pubkeys.get(agentId) || null;
     const normalizedVersions = normalizeCodexCryptoVersions(cryptoVersions);
     const registeredAt = new Date().toISOString();
     pubkeys.set(agentId, {
@@ -91,7 +144,13 @@ export function createCodexDaemonPubkeyRegistry({
     });
     logger.log("codex-relay: registered E2EE pubkey for " + agentId + " via " + source);
     return persist(agentId, pubkey, normalizedVersions)
-      .then(() => true)
+      .then(() => recordAudit(agentId, previous?.pubkey || null, pubkey, source, registeredAt))
+      .then(() => ({
+        registered: true,
+        replaced: !!(previous?.pubkey && previous.pubkey !== pubkey),
+        old_fingerprint: codexDaemonPubkeyFingerprint(previous?.pubkey || null),
+        new_fingerprint: codexDaemonPubkeyFingerprint(pubkey),
+      }))
       .catch((err) => {
         logger.error("codex-relay: failed to persist E2EE pubkey for " + agentId + ":", err.message);
         if (!devMode) throw err;
@@ -101,7 +160,9 @@ export function createCodexDaemonPubkeyRegistry({
 
   return {
     pubkeys,
+    auditLog,
     ensureStore,
+    ensureAuditStore,
     loadFromDb,
     register,
     get(agentId) {

package/src/hosted-mcp/server.mjs

@@ -775,7 +775,14 @@ async function handleRegisterVerify(req, res) {
 
   console.log("WebAuthn: registered passkey for tenant '" + agentId + "' handle '" + credentialLabel + "' (credId: " + cred.id.slice(0, 16) + "...)");
 
-  json(res, 200, { success: true, agentId: credentialLabel, tenantId: agentId, apiKey, credentialLabel });
+  json(res, 200, {
+    success: true,
+    agentId: credentialLabel,
+    tenantId: agentId,
+    apiKey,
+    credentialLabel,
+    codex_pair_presence_token: generateCodexPairPresenceToken(agentId),
+  });
 }
 
 // POST /webauthn/auth-options
@@ -907,7 +914,14 @@ async function handleAuthVerify(req, res) {
 
   console.log("WebAuthn: authenticated tenant '" + entry.agentId + "' handle '" + credentialLabel + "'");
 
-  json(res, 200, { success: true, agentId: credentialLabel, tenantId: entry.agentId, apiKey: entry.apiKey, credentialLabel });
+  json(res, 200, {
+    success: true,
+    agentId: credentialLabel,
+    tenantId: entry.agentId,
+    apiKey: entry.apiKey,
+    credentialLabel,
+    codex_pair_presence_token: generateCodexPairPresenceToken(entry.agentId),
+  });
 }
 
 // ---------- Page handlers ----------
@@ -2597,14 +2611,17 @@ const httpServer = createServer(async (req, res) => {
 //
 // In-memory state. Pairing codes: 6-char, 5-min TTL. Daemons indexed by
 // immutable tenant id (one daemon per tenant; new daemon kicks the old one). Web clients
-// indexed by `tenantId:threadId`. Server is a transparent passthrough between
-// the daemon and the matching web client(s); thread routing is enforced
-// purely client-side via session.send/sessionId payloads.
+// indexed by `tenantId:threadId`. The server is a transport relay between
+// the daemon and matching web client(s). The relay injects the route thread
+// into the E2EE handshake, and the daemon enforces that bound route after
+// decrypting session commands.
 
 const CODEX_PAIR_EXPIRY_MS = 5 * 60 * 1000;
+const CODEX_PAIR_PRESENCE_TTL_MS = 2 * 60 * 1000;
 const CODEX_PAIR_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789";
 const codexPairings = {};       // pairing_id -> { code, status, expires, poll_token, poll_token_used?, daemon_info, apiKey?, agentId?, handle?, daemon_public_key?, crypto_versions? }
 const codexPairingByCode = {};  // code -> pairing_id (only while pending)
+const codexPairPresenceTokens = new Map(); // token -> { agentId, expires, used }
 const codexDaemons = new Map(); // agentId -> ws
 const codexWebClients = new Map(); // `${agentId}:${threadId}` -> Set<ws>
 const codexE2eeSessionRoutes = new Map(); // `${agentId}:${e2eeSession}` -> { threadId, webKey, ws }
@@ -2689,6 +2706,25 @@ function removeCodexE2eeRoutesForWeb(agentId, threadId, ws) {
   }
 }
 
+function invalidateCodexBrowserSessionsForAgent(agentId, reason) {
+  const prefix = agentId + ":";
+  let closed = 0;
+  for (const routeKey of [...codexE2eeSessionRoutes.keys()]) {
+    if (routeKey.startsWith(prefix)) codexE2eeSessionRoutes.delete(routeKey);
+  }
+  for (const [webKey, clients] of [...codexWebClients]) {
+    if (!webKey.startsWith(prefix)) continue;
+    for (const webWs of clients) {
+      if (webWs.readyState === webWs.OPEN) {
+        closed += 1;
+        try { webWs.close(4001, reason); } catch {}
+      }
+    }
+    codexWebClients.delete(webKey);
+  }
+  return closed;
+}
+
 function generateCodexPairingCode() {
   for (let attempt = 0; attempt < 100; attempt += 1) {
     let code = "";
@@ -2705,6 +2741,34 @@ function generateCodexPairPollToken() {
   return "ppt_" + randomBytes(32).toString("base64url");
 }
 
+function cleanupCodexPairPresenceTokens() {
+  const now = Date.now();
+  for (const [token, entry] of codexPairPresenceTokens) {
+    if (!entry || entry.used || now > entry.expires) codexPairPresenceTokens.delete(token);
+  }
+}
+
+function generateCodexPairPresenceToken(agentId) {
+  cleanupCodexPairPresenceTokens();
+  if (typeof agentId !== "string" || !agentId) return null;
+  const token = "cpt_" + randomBytes(32).toString("base64url");
+  codexPairPresenceTokens.set(token, {
+    agentId,
+    expires: Date.now() + CODEX_PAIR_PRESENCE_TTL_MS,
+    used: false,
+  });
+  return token;
+}
+
+function consumeCodexPairPresenceToken(token, agentId) {
+  cleanupCodexPairPresenceTokens();
+  const entry = codexPairPresenceTokens.get(token);
+  if (!entry || entry.used || entry.agentId !== agentId || Date.now() > entry.expires) return false;
+  entry.used = true;
+  codexPairPresenceTokens.delete(token);
+  return true;
+}
+
 function getBearerToken(req) {
   const auth = req.headers["authorization"];
   if (typeof auth !== "string" || !auth.startsWith("Bearer ")) return null;
@@ -2769,7 +2833,12 @@ function handleCodexPairStatus(req, res, pairingId) {
   }
   if (p.status === "completed") {
     p.poll_token_used = true;
-    json(res, 200, { status: "completed", api_key: p.apiKey, handle: p.handle || p.agentId });
+    json(res, 200, {
+      status: "completed",
+      api_key: p.apiKey,
+      handle: p.handle || p.agentId,
+      replaced_daemon_key: !!p.replaced_daemon_key,
+    });
   } else {
     json(res, 200, { status: p.status });
   }
@@ -2797,19 +2866,44 @@ async function handleCodexPairComplete(req, res) {
     json(res, 410, { error: "code expired or already used" });
     return;
   }
-  p.status = "completed";
-  p.apiKey = identity.apiKey;
-  p.agentId = identity.agentId;
-  p.handle = identity.handle;
+  const pairPresenceToken = body && typeof body.codex_pair_presence_token === "string"
+    ? body.codex_pair_presence_token
+    : "";
+  if (p.daemon_public_key && !consumeCodexPairPresenceToken(pairPresenceToken, identity.agentId)) {
+    json(res, 403, {
+      error: "fresh_presence_required",
+      error_description: "Pairing this daemon requires a fresh passkey confirmation. Sign in again from the pair page.",
+    });
+    return;
+  }
   // Phase 2.5: register the daemon's E2EE public key against the
   // authenticated immutable tenant id. The display handle is returned
   // as metadata only.
+  let daemonKeyResult = null;
   if (p.daemon_public_key) {
-    await codexDaemonPubkeyRegistry.register(identity.agentId, p.daemon_public_key, p.crypto_versions, "pair-complete");
+    daemonKeyResult = await codexDaemonPubkeyRegistry.register(identity.agentId, p.daemon_public_key, p.crypto_versions, "pair-complete");
+    if (daemonKeyResult?.replaced) {
+      const closed = invalidateCodexBrowserSessionsForAgent(identity.agentId, "daemon key replaced");
+      console.log(
+        "codex-relay: replaced daemon E2EE key for tenant " + identity.agentId
+        + " old=" + daemonKeyResult.old_fingerprint
+        + " new=" + daemonKeyResult.new_fingerprint
+        + " closed_browser_sessions=" + closed
+      );
+    }
   }
+  p.status = "completed";
+  p.apiKey = identity.apiKey;
+  p.agentId = identity.agentId;
+  p.handle = identity.handle;
+  p.replaced_daemon_key = !!daemonKeyResult?.replaced;
   delete codexPairingByCode[code];
   console.log("codex-relay: paired daemon for tenant " + identity.agentId + " handle " + identity.handle);
-  json(res, 200, { ok: true, handle: identity.handle });
+  json(res, 200, {
+    ok: true,
+    handle: identity.handle,
+    replaced_daemon_key: !!daemonKeyResult?.replaced,
+  });
 }
 
 function handleCodexRelayState(req, res) {