@wipcomputer/wip-ldm-os 0.4.85-alpha.22 → 0.4.85-alpha.24

package/README.md

@@ -22,7 +22,8 @@ Open your AI and paste this:
 ```
 Read https://wip.computer/install/wip-ldm-os.txt
 
-Use the install document and live local checks as the source of truth. Do not search memory or prior notes for this install.
+Use the install document and live local checks as the source of truth.
+Do not search memory or prior notes for this install. Do not pre-load context from `MEMORY.md`, `crystal_search`, local skill dev guides, or other local memory before fetching the install document.
 
 Check if LDM OS is installed (`which ldm && ldm --version`). Branch.
 

package/SKILL.md

@@ -29,7 +29,7 @@ metadata:
 
 ## Source of truth
 
-Memory policy for install flows: your first action is to fetch `https://wip.computer/install/wip-ldm-os.txt`. Do not consult `MEMORY.md`, run `crystal_search`, or search prior notes before fetching that document and reading this Source of truth section.
+Memory policy for install flows: do not consult `MEMORY.md`, do not run `crystal_search`, and do not search prior notes when this skill is invoked, including in any parallel or batched exploration step. The only context sources for this install flow are `https://wip.computer/install/wip-ldm-os.txt` and the live local commands that document prescribes. Read that document and run those commands. Do not pre-load other context.
 
 Use this install document and live local checks as the source of truth. Do not search memory or prior notes for this install.
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@wipcomputer/wip-ldm-os",
-  "version": "0.4.85-alpha.22",
+  "version": "0.4.85-alpha.24",
   "type": "module",
   "description": "LDM OS: identity, memory, and sovereignty infrastructure for AI agents",
   "engines": {
@@ -37,6 +37,7 @@
     "test:crc-pair-relink-audit-and-rotation": "node scripts/test-crc-pair-relink-audit-and-rotation.mjs",
     "test:crc-e2ee-key-persistence": "node scripts/test-crc-e2ee-key-persistence.mjs",
     "test:crc-e2ee-session-route": "node scripts/test-crc-e2ee-session-route.mjs",
+    "test:crc-websocket-abuse-limits": "node scripts/test-crc-websocket-abuse-limits.mjs",
     "fmt": "npx prettier --write 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'",
     "fmt:check": "npx prettier --check 'src/**/*.{ts,mjs}' 'lib/**/*.mjs' 'bin/**/*.js'"
   },

package/scripts/test-crc-agentid-tenant-boundary.mjs

@@ -33,7 +33,7 @@ assertContains("codexDaemonPubkeyRegistry.get(identity.agentId)", "daemon pubkey
 assertContains("agentId: identity.agentId,", "relay tickets bind tenant id");
 assertContains("handle: identity.handle,", "relay tickets preserve display handle");
 assertContains("codexDaemons.set(identity.agentId, ws);", "daemon ws keyed by tenant id");
-assertContains("const key = codexRelayKey(identity.agentId, threadId);", "web ws keyed by tenant id");
+assertContains("const webKey = codexRelayKey(identity.agentId, threadId);", "web ws keyed by tenant id");
 assertContains("const daemonWs = codexDaemons.get(identity.agentId);", "web sends to tenant daemon");
 assertNotContains("const agentId = stored.username || (\"passkey-\"", "registration must not use chosen handle as tenant");
 assertNotContains("const existingKey = Object.entries(API_KEYS).find(([k, v]) => v === agentId);", "oauth must not reuse chosen handle as tenant");

package/scripts/test-crc-e2ee-session-route.mjs

@@ -33,8 +33,8 @@ assertContains("if (isCodexE2eeEnvelope(envelope) && envelope.session) {", "web
 assertContains("envelope.route_thread_id = threadId;", "relay injects ticket-bound thread into e2ee hello");
 assertContains("text = JSON.stringify(envelope);", "relay forwards the route-bound e2ee hello");
 assertContains("registerCodexE2eeSessionRoute(identity.agentId, envelope.session, threadId, ws);", "web e2ee session is registered");
-assertContains("const clientCount = addCodexWebClient(key, ws);", "new web connections are added without replacing existing clients");
-assertContains("removeCodexWebClient(key, ws);", "close cleanup removes only the closing socket");
+assertContains("const clientCount = addCodexWebClient(webKey, ws);", "new web connections are added without replacing existing clients");
+assertContains("removeCodexWebClient(webKey, ws);", "close cleanup removes only the closing socket");
 assertContains("removeCodexE2eeRoutesForWeb(identity.agentId, threadId, ws);", "close cleanup");
 assertContains("if (route.webKey === webKey && (!ws || route.ws === ws)) {", "cleanup only removes routes owned by the closing socket");
 assertBefore(

package/scripts/test-crc-websocket-abuse-limits.mjs

@@ -0,0 +1,128 @@
+import { readFileSync } from "node:fs";
+import assert from "node:assert/strict";
+import {
+  CODEX_WS_CLOSE_CODES,
+  codexWsFrameByteLength,
+  createCodexWsAbuseLimitConfig,
+  createCodexWsConnectionGuard,
+  formatCodexWsLimitLog,
+  isCodexWsAgentDisabled,
+} from "../src/hosted-mcp/codex-relay-ws-abuse-limits.mjs";
+
+const server = readFileSync("src/hosted-mcp/server.mjs", "utf8");
+const deploy = readFileSync("src/hosted-mcp/deploy.sh", "utf8");
+
+function assertContains(source, needle, label) {
+  if (!source.includes(needle)) {
+    throw new Error(`${label} missing expected text: ${needle}`);
+  }
+}
+
+function assertBefore(source, first, second, label) {
+  const firstIndex = source.indexOf(first);
+  const secondIndex = firstIndex === -1 ? -1 : source.indexOf(second, firstIndex + first.length);
+  if (firstIndex === -1 || secondIndex === -1 || firstIndex >= secondIndex) {
+    throw new Error(`${label} expected "${first}" before "${second}"`);
+  }
+}
+
+const config = createCodexWsAbuseLimitConfig({
+  LDM_CODEX_WS_MAX_FRAME_BYTES: "10",
+  LDM_CODEX_WS_RATE_WINDOW_MS: "100",
+  LDM_CODEX_WS_MAX_MESSAGES_PER_WINDOW: "2",
+  LDM_CODEX_WS_MAX_BYTES_PER_WINDOW: "15",
+  LDM_CODEX_WS_MAX_BROWSER_SOCKETS_PER_THREAD: "3",
+  LDM_CODEX_WS_IDLE_TTL_MS: "50",
+  LDM_CODEX_WS_MAX_MALFORMED_FRAMES: "1",
+  LDM_CODEX_WS_MAX_PENDING_BYTES: "20",
+  LDM_CODEX_WS_KILL_SWITCH_AGENTS: "acct:blocked, acct:other",
+});
+
+assert.equal(config.maxFrameBytes, 10);
+assert.equal(config.maxBrowserSocketsPerThread, 3);
+assert.equal(isCodexWsAgentDisabled(config, "acct:blocked"), true);
+assert.equal(isCodexWsAgentDisabled(config, "acct:allowed"), false);
+
+let nowMs = 1_000;
+const guard = createCodexWsConnectionGuard({
+  config,
+  agentId: "acct:allowed",
+  now: () => nowMs,
+});
+
+assert.equal(guard.observeFrame(11).code, CODEX_WS_CLOSE_CODES.oversizedFrame);
+assert.equal(guard.observeFrame(5).ok, true);
+assert.equal(guard.observeFrame(5).ok, true);
+assert.equal(guard.observeFrame(5).reason, "message rate limit");
+
+nowMs += 101;
+const byteGuard = createCodexWsConnectionGuard({ config, agentId: "acct:allowed", now: () => nowMs });
+assert.equal(byteGuard.observeFrame(8).ok, true);
+assert.equal(byteGuard.observeFrame(8).reason, "byte rate limit");
+
+const malformedGuard = createCodexWsConnectionGuard({ config, agentId: "acct:allowed", now: () => nowMs });
+assert.equal(malformedGuard.observeMalformed().ok, true);
+assert.equal(malformedGuard.observeMalformed().code, CODEX_WS_CLOSE_CODES.malformedFrames);
+
+const pendingGuard = createCodexWsConnectionGuard({ config, agentId: "acct:allowed", now: () => nowMs });
+assert.equal(pendingGuard.observePendingBytes(21).code, CODEX_WS_CLOSE_CODES.pendingBytes);
+
+const idleGuard = createCodexWsConnectionGuard({ config, agentId: "acct:allowed", now: () => nowMs });
+assert.equal(idleGuard.observeFrame(1).ok, true);
+assert.equal(idleGuard.observeIdle(nowMs + 51).code, CODEX_WS_CLOSE_CODES.idleTimeout);
+
+const killedGuard = createCodexWsConnectionGuard({ config, agentId: "acct:blocked", now: () => nowMs });
+assert.equal(killedGuard.observeFrame(1).code, CODEX_WS_CLOSE_CODES.operatorDisabled);
+assert.equal(codexWsFrameByteLength(Buffer.from("hello")), 5);
+assert.match(
+  formatCodexWsLimitLog({
+    agentId: "acct:blocked",
+    threadId: "thread-a",
+    connectionId: "conn-a",
+    reason: "message rate limit",
+  }),
+  /reason=message rate limit agent=acct:blocked thread=thread-a conn=conn-a/,
+);
+
+assertContains(server, "import {", "server imports abuse module");
+assertContains(server, "createCodexWsAbuseLimitConfig", "server configures websocket limits");
+assertContains(server, "isCodexWsAgentDisabled(CODEX_WS_ABUSE_LIMITS, identity.agentId)", "server checks operator kill switch");
+assertContains(server, "openBrowserSockets >= CODEX_WS_ABUSE_LIMITS.maxBrowserSocketsPerThread", "server limits browser sockets per thread");
+assertContains(server, "createCodexWsConnectionGuard({", "server creates per-socket guard");
+assertContains(server, "guard.observeFrame(codexWsFrameByteLength(data))", "server observes browser frame size and rate");
+assertContains(server, "guard.observeMalformed()", "server observes malformed browser frames");
+assertContains(server, "guard.observePendingBytes(daemonWs.bufferedAmount || 0)", "server observes pending daemon bytes");
+assertContains(server, "guard.observeIdle()", "server observes idle connections");
+assertContains(server, "closeCodexWsForLimit(ws, guardContext, decision)", "server closes idle sockets by limit");
+assertContains(server, "closeCodexWsForLimit(ws, guardContext, frameDecision)", "server closes frame abuse");
+assertContains(server, "closeCodexWsForLimit(ws, guardContext, malformedDecision)", "server closes malformed abuse");
+assertContains(server, "closeCodexWsForLimit(ws, guardContext, pendingDecision)", "server closes pending byte abuse");
+assertContains(server, "codex-relay-ws-abuse-limits.mjs", "deploy inventory includes abuse module");
+assertContains(deploy, "add_file \"codex-relay-ws-abuse-limits.mjs\"", "deploy copies abuse module");
+
+assertBefore(
+  server,
+  "openBrowserSockets >= CODEX_WS_ABUSE_LIMITS.maxBrowserSocketsPerThread",
+  "codexRelayWss.handleUpgrade(req, socket, head, (ws) => {",
+  "socket cap should run before websocket upgrade is accepted",
+);
+assertBefore(
+  server,
+  "const frameDecision = guard.observeFrame(codexWsFrameByteLength(data));",
+  "let text = data.toString();",
+  "frame limit should run before parsing or forwarding browser data",
+);
+assertBefore(
+  server,
+  "if (!envelope || typeof envelope !== \"object\" || Array.isArray(envelope)) {",
+  "const daemonWs = codexDaemons.get(identity.agentId);",
+  "malformed browser frames should not be forwarded",
+);
+assertBefore(
+  server,
+  "const pendingDecision = guard.observePendingBytes(daemonWs.bufferedAmount || 0);",
+  "daemonWs.send(text);",
+  "pending byte check should run before forwarding to daemon",
+);
+
+console.log("crc websocket abuse limit checks passed");

package/scripts/test-install-prompt-policy.mjs

@@ -19,7 +19,8 @@ const failures = [];
 for (const file of ["README.md", "shared/templates/install-prompt.md"]) {
   const text = contents[file];
   for (const phrase of [
-    "Use the install document and live local checks as the source of truth. Do not search memory or prior notes for this install.",
+    "Use the install document and live local checks as the source of truth.",
+    "Do not search memory or prior notes for this install. Do not pre-load context from `MEMORY.md`, `crystal_search`, local skill dev guides, or other local memory before fetching the install document.",
     "If installed: run `ldm status`",
     "If yes to dry run, run `ldm install --dry-run`.",
     "`npm install -g @wipcomputer/wip-ldm-os@latest && ldm install && ldm doctor`",
@@ -37,8 +38,9 @@ for (const file of ["README.md", "shared/templates/install-prompt.md"]) {
 
 const skill = contents["SKILL.md"];
 for (const phrase of [
-  "Memory policy for install flows: your first action is to fetch `https://wip.computer/install/wip-ldm-os.txt`.",
-  "Do not consult `MEMORY.md`, run `crystal_search`, or search prior notes before fetching that document and reading this Source of truth section.",
+  "Memory policy for install flows: do not consult `MEMORY.md`, do not run `crystal_search`, and do not search prior notes when this skill is invoked, including in any parallel or batched exploration step.",
+  "The only context sources for this install flow are `https://wip.computer/install/wip-ldm-os.txt` and the live local commands that document prescribes.",
+  "Read that document and run those commands. Do not pre-load other context.",
   "Do not run GitHub release commands during the install-state flow.",
   "Do not run `gh release list` or `gh release view` unless the user explicitly asks for release notes.",
   "Use the output of `ldm status`, installed package metadata, and npm metadata.",
@@ -53,6 +55,11 @@ if (/gh release (list|view) --repo/.test(skill)) {
   failures.push("SKILL.md still includes concrete gh release commands in the install flow");
 }
 
+const temporalMemoryPolicyPhrase = "your first action is " + "to fetch";
+if (skill.includes(temporalMemoryPolicyPhrase)) {
+  failures.push("SKILL.md still uses temporal first-action memory-policy phrasing");
+}
+
 if (failures.length > 0) {
   console.error("install prompt policy checks failed:");
   for (const failure of failures) console.error(`  - ${failure}`);

package/shared/templates/install-prompt.md

@@ -6,7 +6,8 @@ Open your AI and paste this:
 
 Read https://wip.computer/install/wip-ldm-os.txt
 
-Use the install document and live local checks as the source of truth. Do not search memory or prior notes for this install.
+Use the install document and live local checks as the source of truth.
+Do not search memory or prior notes for this install. Do not pre-load context from `MEMORY.md`, `crystal_search`, local skill dev guides, or other local memory before fetching the install document.
 
 Check if LDM OS is installed (`which ldm && ldm --version`). Branch.
 

package/src/hosted-mcp/README.md

@@ -12,4 +12,26 @@ It includes:
 
 WIP runs the production hosted relay so user setup is easy and works across networks. The source is public so users can inspect the relay path and build their own infrastructure.
 
+## Codex Remote Control WebSocket Abuse Limits
+
+The browser relay path enforces app-layer limits after a Remote Control ticket attaches:
+
+- max browser frame bytes;
+- max messages per rate window;
+- max browser bytes per rate window;
+- max malformed browser frames;
+- max pending bytes on the daemon socket before forwarding;
+- max browser sockets per `(tenant id, thread id)`;
+- idle connection TTL;
+- env-driven operator kill switch for all tenants or selected tenant ids.
+
+Violation logs are metadata-only: reason, tenant id, thread id, and a generated connection id. The relay does not inspect decrypted Remote Control payloads.
+
+Operational notes:
+
+- rate windows are tumbling windows, not sliding windows, so short bursts can straddle a window boundary;
+- kill switch environment changes take effect after the hosted relay process reloads;
+- idle close runs on a timer, so the close can happen up to one polling interval after the configured TTL;
+- daemon-to-browser Codex output is intentionally not throughput-limited in this browser-abuse slice.
+
 For the self-hosting shape, read [docs/self-host.md](docs/self-host.md).

package/src/hosted-mcp/codex-relay-ws-abuse-limits.mjs

@@ -0,0 +1,140 @@
+const DEFAULTS = {
+  maxFrameBytes: 256 * 1024,
+  rateWindowMs: 10_000,
+  maxMessagesPerWindow: 120,
+  maxBytesPerWindow: 1024 * 1024,
+  maxBrowserSocketsPerThread: 8,
+  idleTtlMs: 30 * 60 * 1000,
+  maxMalformedFrames: 3,
+  maxPendingBytes: 1024 * 1024,
+};
+
+export const CODEX_WS_CLOSE_CODES = Object.freeze({
+  oversizedFrame: 4400,
+  rateLimited: 4401,
+  tooManySockets: 4402,
+  idleTimeout: 4403,
+  malformedFrames: 4404,
+  operatorDisabled: 4405,
+  pendingBytes: 4406,
+});
+
+function positiveInt(value, fallback) {
+  const parsed = Number.parseInt(String(value ?? ""), 10);
+  return Number.isFinite(parsed) && parsed > 0 ? parsed : fallback;
+}
+
+function parseAgentSet(value) {
+  if (!value) return new Set();
+  return new Set(
+    String(value)
+      .split(",")
+      .map((part) => part.trim())
+      .filter(Boolean),
+  );
+}
+
+export function createCodexWsAbuseLimitConfig(env = process.env) {
+  return {
+    maxFrameBytes: positiveInt(env.LDM_CODEX_WS_MAX_FRAME_BYTES, DEFAULTS.maxFrameBytes),
+    rateWindowMs: positiveInt(env.LDM_CODEX_WS_RATE_WINDOW_MS, DEFAULTS.rateWindowMs),
+    maxMessagesPerWindow: positiveInt(env.LDM_CODEX_WS_MAX_MESSAGES_PER_WINDOW, DEFAULTS.maxMessagesPerWindow),
+    maxBytesPerWindow: positiveInt(env.LDM_CODEX_WS_MAX_BYTES_PER_WINDOW, DEFAULTS.maxBytesPerWindow),
+    maxBrowserSocketsPerThread: positiveInt(
+      env.LDM_CODEX_WS_MAX_BROWSER_SOCKETS_PER_THREAD,
+      DEFAULTS.maxBrowserSocketsPerThread,
+    ),
+    idleTtlMs: positiveInt(env.LDM_CODEX_WS_IDLE_TTL_MS, DEFAULTS.idleTtlMs),
+    maxMalformedFrames: positiveInt(env.LDM_CODEX_WS_MAX_MALFORMED_FRAMES, DEFAULTS.maxMalformedFrames),
+    maxPendingBytes: positiveInt(env.LDM_CODEX_WS_MAX_PENDING_BYTES, DEFAULTS.maxPendingBytes),
+    killSwitchAll: env.LDM_CODEX_WS_KILL_SWITCH_ALL === "1",
+    killSwitchAgents: parseAgentSet(env.LDM_CODEX_WS_KILL_SWITCH_AGENTS),
+  };
+}
+
+export function isCodexWsAgentDisabled(config, agentId) {
+  return !!(
+    config?.killSwitchAll
+    || (typeof agentId === "string" && config?.killSwitchAgents?.has(agentId))
+  );
+}
+
+function rejected(code, reason) {
+  return { ok: false, code, reason };
+}
+
+export function createCodexWsConnectionGuard({ config, agentId, now = Date.now }) {
+  let windowStartMs = now();
+  let messagesInWindow = 0;
+  let bytesInWindow = 0;
+  let malformedFrames = 0;
+  let lastActivityMs = windowStartMs;
+
+  function resetWindow(nowMs) {
+    windowStartMs = nowMs;
+    messagesInWindow = 0;
+    bytesInWindow = 0;
+  }
+
+  return {
+    observeFrame(byteLength, nowMs = now()) {
+      if (isCodexWsAgentDisabled(config, agentId)) {
+        return rejected(CODEX_WS_CLOSE_CODES.operatorDisabled, "operator disabled");
+      }
+      if (byteLength > config.maxFrameBytes) {
+        return rejected(CODEX_WS_CLOSE_CODES.oversizedFrame, "frame too large");
+      }
+      if (nowMs - windowStartMs > config.rateWindowMs) {
+        resetWindow(nowMs);
+      }
+      messagesInWindow += 1;
+      bytesInWindow += byteLength;
+      lastActivityMs = nowMs;
+      if (messagesInWindow > config.maxMessagesPerWindow) {
+        return rejected(CODEX_WS_CLOSE_CODES.rateLimited, "message rate limit");
+      }
+      if (bytesInWindow > config.maxBytesPerWindow) {
+        return rejected(CODEX_WS_CLOSE_CODES.rateLimited, "byte rate limit");
+      }
+      return { ok: true };
+    },
+    observeMalformed(nowMs = now()) {
+      lastActivityMs = nowMs;
+      malformedFrames += 1;
+      if (malformedFrames > config.maxMalformedFrames) {
+        return rejected(CODEX_WS_CLOSE_CODES.malformedFrames, "malformed frame limit");
+      }
+      return { ok: true };
+    },
+    observePendingBytes(bufferedAmount) {
+      if (bufferedAmount > config.maxPendingBytes) {
+        return rejected(CODEX_WS_CLOSE_CODES.pendingBytes, "pending byte limit");
+      }
+      return { ok: true };
+    },
+    observeIdle(nowMs = now()) {
+      if (nowMs - lastActivityMs > config.idleTtlMs) {
+        return rejected(CODEX_WS_CLOSE_CODES.idleTimeout, "idle timeout");
+      }
+      return { ok: true };
+    },
+  };
+}
+
+export function codexWsFrameByteLength(data) {
+  if (typeof data === "string") return Buffer.byteLength(data);
+  if (Buffer.isBuffer(data)) return data.length;
+  if (data instanceof ArrayBuffer) return data.byteLength;
+  if (ArrayBuffer.isView(data)) return data.byteLength;
+  return Buffer.byteLength(String(data ?? ""));
+}
+
+export function formatCodexWsLimitLog({ agentId, threadId, connectionId, reason }) {
+  return (
+    "codex-relay: websocket limit"
+    + " reason=" + String(reason || "unknown").slice(0, 64)
+    + " agent=" + String(agentId || "<none>").slice(0, 96)
+    + " thread=" + String(threadId || "<none>").slice(0, 96)
+    + " conn=" + String(connectionId || "<none>").slice(0, 64)
+  );
+}

package/src/hosted-mcp/deploy.sh

@@ -117,6 +117,7 @@ if [ "$SKIP_APP" -ne 1 ]; then
   add_file "inbox.mjs"    "${APP_REMOTE_DIR}/inbox.mjs"
   add_file "tools.mjs"    "${APP_REMOTE_DIR}/tools.mjs"
   add_file "codex-relay-e2ee-registry.mjs" "${APP_REMOTE_DIR}/codex-relay-e2ee-registry.mjs"
+  add_file "codex-relay-ws-abuse-limits.mjs" "${APP_REMOTE_DIR}/codex-relay-ws-abuse-limits.mjs"
   add_file "package.json" "${APP_REMOTE_DIR}/package.json"
   # Phone app static files (codex-remote-control, login).
   if [ -d "${SCRIPT_DIR}/app" ]; then

package/src/hosted-mcp/server.mjs

@@ -29,6 +29,13 @@ import {
   createCodexDaemonPubkeyRegistry,
   evaluateCodexDaemonReconnectPubkey,
 } from "./codex-relay-e2ee-registry.mjs";
+import {
+  codexWsFrameByteLength,
+  createCodexWsAbuseLimitConfig,
+  createCodexWsConnectionGuard,
+  formatCodexWsLimitLog,
+  isCodexWsAgentDisabled,
+} from "./codex-relay-ws-abuse-limits.mjs";
 
 // ── Settings ─────────────────────────────────────────────────────────
 
@@ -48,6 +55,7 @@ const WS_ORIGIN_ALLOWLIST = (process.env.LDM_HOSTED_MCP_WS_ORIGIN_ALLOWLIST || "
   .split(",")
   .map(s => s.trim())
   .filter(Boolean);
+const CODEX_WS_ABUSE_LIMITS = createCodexWsAbuseLimitConfig(process.env);
 
 function isWsOriginAllowed(origin) {
   if (!origin) return false;
@@ -2727,6 +2735,15 @@ function invalidateCodexBrowserSessionsForAgent(agentId, reason) {
   return closed;
 }
 
+function logCodexWsLimit({ agentId, threadId, connectionId, reason }) {
+  console.warn(formatCodexWsLimitLog({ agentId, threadId, connectionId, reason }));
+}
+
+function closeCodexWsForLimit(ws, { agentId, threadId, connectionId }, decision) {
+  logCodexWsLimit({ agentId, threadId, connectionId, reason: decision.reason });
+  try { ws.close(decision.code, decision.reason); } catch {}
+}
+
 function generateCodexPairingCode() {
   for (let attempt = 0; attempt < 100; attempt += 1) {
     let code = "";
@@ -3256,14 +3273,62 @@ httpServer.on("upgrade", (req, socket, head) => {
     socket.destroy();
     return;
   }
+  const webKey = codexRelayKey(identity.agentId, threadId);
+  if (isCodexWsAgentDisabled(CODEX_WS_ABUSE_LIMITS, identity.agentId)) {
+    console.warn(formatCodexWsLimitLog({
+      agentId: identity.agentId,
+      threadId,
+      connectionId: "upgrade",
+      reason: "operator disabled",
+    }));
+    socket.write("HTTP/1.1 503 Service Unavailable\r\nConnection: close\r\n\r\n");
+    socket.destroy();
+    return;
+  }
+  const openBrowserSockets = openCodexWebClientsForKey(webKey).length;
+  if (openBrowserSockets >= CODEX_WS_ABUSE_LIMITS.maxBrowserSocketsPerThread) {
+    console.warn(formatCodexWsLimitLog({
+      agentId: identity.agentId,
+      threadId,
+      connectionId: "upgrade",
+      reason: "too many browser sockets",
+    }));
+    socket.write("HTTP/1.1 429 Too Many Requests\r\nConnection: close\r\n\r\n");
+    socket.destroy();
+    return;
+  }
   codexRelayWss.handleUpgrade(req, socket, head, (ws) => {
-    const key = codexRelayKey(identity.agentId, threadId);
-    const clientCount = addCodexWebClient(key, ws);
-    console.log("codex-relay: web online " + key + " clients=" + clientCount);
+    const connectionId = randomUUID();
+    const guard = createCodexWsConnectionGuard({
+      config: CODEX_WS_ABUSE_LIMITS,
+      agentId: identity.agentId,
+    });
+    const guardContext = { agentId: identity.agentId, threadId, connectionId };
+    const idleIntervalMs = Math.max(1000, Math.min(60_000, Math.floor(CODEX_WS_ABUSE_LIMITS.idleTtlMs / 2)));
+    const idleTimer = setInterval(() => {
+      const decision = guard.observeIdle();
+      if (!decision.ok && ws.readyState === ws.OPEN) {
+        closeCodexWsForLimit(ws, guardContext, decision);
+      }
+    }, idleIntervalMs);
+    const clientCount = addCodexWebClient(webKey, ws);
+    console.log("codex-relay: web online " + webKey + " clients=" + clientCount + " conn=" + connectionId);
     ws.on("message", (data) => {
+      const frameDecision = guard.observeFrame(codexWsFrameByteLength(data));
+      if (!frameDecision.ok) {
+        closeCodexWsForLimit(ws, guardContext, frameDecision);
+        return;
+      }
       let text = data.toString();
       let envelope = null;
       try { envelope = JSON.parse(text); } catch {}
+      if (!envelope || typeof envelope !== "object" || Array.isArray(envelope)) {
+        const malformedDecision = guard.observeMalformed();
+        if (!malformedDecision.ok) {
+          closeCodexWsForLimit(ws, guardContext, malformedDecision);
+        }
+        return;
+      }
       if (isCodexE2eeEnvelope(envelope) && envelope.session) {
         // The browser cannot be allowed to choose this value. The relay
         // owns the route because it consumed the ticket for this URL
@@ -3275,14 +3340,20 @@ httpServer.on("upgrade", (req, socket, head) => {
       }
       const daemonWs = codexDaemons.get(identity.agentId);
       if (daemonWs && daemonWs.readyState === daemonWs.OPEN) {
+        const pendingDecision = guard.observePendingBytes(daemonWs.bufferedAmount || 0);
+        if (!pendingDecision.ok) {
+          closeCodexWsForLimit(ws, guardContext, pendingDecision);
+          return;
+        }
         daemonWs.send(text);
       } else {
         try { ws.send(JSON.stringify({ type: "error", message: "daemon offline" })); } catch {}
       }
     });
     ws.on("close", () => {
+      clearInterval(idleTimer);
       removeCodexE2eeRoutesForWeb(identity.agentId, threadId, ws);
-      removeCodexWebClient(key, ws);
+      removeCodexWebClient(webKey, ws);
     });
     ws.on("error", (err) => {
       console.error("codex-relay web ws error:", err.message);