agent-office-cli 0.1.6 → 0.1.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-office-cli",
-  "version": "0.1.6",
+  "version": "0.1.8",
   "description": "Run and manage AI agent sessions locally, with optional relay to agentoffice.top",
   "license": "MIT",
   "engines": {

package/src/index.js

@@ -202,6 +202,9 @@ async function main() {
       });
       console.log(`AgentOffice tunnel connecting to relay: ${hosted.relayUrl}`);
       console.log(`- hosted auth: key from ${hosted.keySource}, relay from ${hosted.relaySource}`);
+      if (tunnel.logPath) {
+        console.log(`- tunnel log: ${tunnel.logPath}`);
+      }
       tunnel.sendStatusSummary(store.listSessionSummaries());
 
       let statusDebounceTimer = null;

package/src/runtime/index.js

@@ -19,6 +19,7 @@ const {
 } = require("./session-registry");
 const { ensureNodePtySpawnHelper } = require("./ensure-node-pty");
 const { startSleepInhibitor } = require("./sleep-inhibitor");
+const { createTunnelLogger, TUNNEL_LOG_PATH, describeWebSocketClose } = require("./tunnel-log");
 const {
   applyClaudeHookConfig,
   claudeSettingsPath,
@@ -47,6 +48,9 @@ module.exports = {
   removeSessionRecord,
   ensureNodePtySpawnHelper,
   startSleepInhibitor,
+  createTunnelLogger,
+  TUNNEL_LOG_PATH,
+  describeWebSocketClose,
   applyClaudeHookConfig,
   claudeSettingsPath,
   commandExists,

package/src/runtime/tunnel-log.js

@@ -0,0 +1,56 @@
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+
+const TUNNEL_LOG_PATH = path.join(os.homedir(), ".agentoffice", "logs", "tunnel.log");
+
+function describeWebSocketClose({ code, reason }) {
+  const parts = [];
+
+  if (typeof code === "number") {
+    parts.push(`code=${code}`);
+  }
+
+  if (reason) {
+    parts.push(`reason=${reason}`);
+  }
+
+  return parts.length > 0 ? parts.join(" ") : "no close details";
+}
+
+function createTunnelLogger({
+  logPath = TUNNEL_LOG_PATH,
+  now = () => new Date().toISOString(),
+  mkdirSync = fs.mkdirSync,
+  appendFileSync = fs.appendFileSync,
+  consoleObj = console,
+} = {}) {
+  function write(level, message) {
+    const line = `[${now()}] [${level}] ${message}`;
+    const print = level === "error" ? consoleObj.error : consoleObj.log;
+    print.call(consoleObj, line);
+
+    try {
+      mkdirSync(path.dirname(logPath), { recursive: true });
+      appendFileSync(logPath, `${line}\n`, "utf8");
+    } catch {
+      // Logging should never crash the tunnel client.
+    }
+  }
+
+  return {
+    logPath,
+    info(message) {
+      write("info", message);
+    },
+    error(message) {
+      write("error", message);
+    },
+  };
+}
+
+module.exports = {
+  TUNNEL_LOG_PATH,
+  createTunnelLogger,
+  describeWebSocketClose,
+};

package/src/runtime/tunnel-log.test.js

@@ -0,0 +1,43 @@
+const test = require("node:test");
+const assert = require("node:assert/strict");
+
+const { createTunnelLogger, describeWebSocketClose } = require("./tunnel-log");
+
+test("describeWebSocketClose includes code and reason when present", () => {
+  assert.equal(
+    describeWebSocketClose({ code: 1006, reason: "network_reset" }),
+    "code=1006 reason=network_reset"
+  );
+});
+
+test("describeWebSocketClose falls back when no details are available", () => {
+  assert.equal(describeWebSocketClose({}), "no close details");
+});
+
+test("createTunnelLogger mirrors lines to console and appends a local tunnel log", () => {
+  const writes = [];
+  const consoleLines = [];
+
+  const logger = createTunnelLogger({
+    logPath: "/tmp/agentoffice-tunnel.log",
+    now: () => "2026-03-20T08:12:00.000Z",
+    mkdirSync: () => {},
+    appendFileSync: (_path, content) => writes.push(content),
+    consoleObj: {
+      log: (line) => consoleLines.push(["log", line]),
+      error: (line) => consoleLines.push(["error", line]),
+    },
+  });
+
+  logger.info("connected to relay");
+  logger.error("ws error: socket hang up");
+
+  assert.deepEqual(consoleLines, [
+    ["log", "[2026-03-20T08:12:00.000Z] [info] connected to relay"],
+    ["error", "[2026-03-20T08:12:00.000Z] [error] ws error: socket hang up"],
+  ]);
+  assert.deepEqual(writes, [
+    "[2026-03-20T08:12:00.000Z] [info] connected to relay\n",
+    "[2026-03-20T08:12:00.000Z] [error] ws error: socket hang up\n",
+  ]);
+});

package/src/tunnel.js

@@ -1,8 +1,12 @@
 const { WebSocket } = require("ws");
 const { toSessionSummary } = require("./core");
+const { createTunnelLogger, describeWebSocketClose } = require("./runtime/tunnel-log");
 
 const RECONNECT_BASE_MS = 1000;
 const RECONNECT_MAX_MS = 30000;
+const AUTH_RESPONSE_TIMEOUT_MS = 15000;
+const STALE_UPSTREAM_TIMEOUT_MS = 70000;
+const WATCHDOG_INTERVAL_MS = 5000;
 const LOCAL_PROXY_STRIP_HEADERS = new Set([
   "accept-encoding",
   "connection",
@@ -40,12 +44,49 @@ function buildLocalRequestHeaders(headers, localServerUrl) {
   return nextHeaders;
 }
 
-function createTunnelClient({ key, relayUrl, localServerUrl }) {
+const TERMINAL_AUTH_REASONS = new Set([
+  "invalid_key",
+  "key_revoked"
+]);
+
+function isTerminalAuthFailure({ code, reason, error }) {
+  if (error) {
+    return TERMINAL_AUTH_REASONS.has(error);
+  }
+  if (code !== 4401) {
+    return false;
+  }
+  return TERMINAL_AUTH_REASONS.has(reason);
+}
+
+function closeSocket(socket) {
+  if (!socket) {
+    return;
+  }
+  if (typeof socket.terminate === "function") {
+    socket.terminate();
+    return;
+  }
+  socket.close();
+}
+
+function createTunnelClient({
+  key,
+  relayUrl,
+  localServerUrl,
+  logger = createTunnelLogger(),
+  reconnectBaseMs = RECONNECT_BASE_MS,
+  reconnectMaxMs = RECONNECT_MAX_MS,
+  authResponseTimeoutMs = AUTH_RESPONSE_TIMEOUT_MS,
+  staleUpstreamTimeoutMs = STALE_UPSTREAM_TIMEOUT_MS,
+  watchdogIntervalMs = WATCHDOG_INTERVAL_MS
+}) {
   let ws = null;
-  let reconnectDelay = RECONNECT_BASE_MS;
+  let reconnectDelay = reconnectBaseMs;
   let stopped = false;
   let authenticated = false;
   let pendingStatusSummary = [];
+  let reconnectTimer = null;
 
   function flushStatusSummary() {
     if (!authenticated || !ws || ws.readyState !== WebSocket.OPEN) {
@@ -57,6 +98,20 @@ function createTunnelClient({ key, relayUrl, localServerUrl }) {
     }));
   }
 
+  function scheduleReconnect() {
+    if (stopped || reconnectTimer) {
+      return;
+    }
+
+    const delay = reconnectDelay;
+    reconnectTimer = setTimeout(() => {
+      reconnectTimer = null;
+      reconnectDelay = Math.min(reconnectDelay * 2, reconnectMaxMs);
+      connect();
+    }, delay);
+    reconnectTimer.unref?.();
+  }
+
   function connect() {
     if (stopped) {
       return;
@@ -64,16 +119,56 @@ function createTunnelClient({ key, relayUrl, localServerUrl }) {
 
     authenticated = false;
     const url = `${relayUrl.replace(/^http/, "ws")}/upstream`;
-    ws = new WebSocket(url);
+    const socket = new WebSocket(url);
+    let socketAuthenticated = false;
+    let lastActivityAt = Date.now();
 
-    ws.on("open", () => {
-      reconnectDelay = RECONNECT_BASE_MS;
-      console.log("[tunnel] connected to relay, authenticating...");
-      ws.send(JSON.stringify({ type: "auth", key }));
+    function markActivity() {
+      lastActivityAt = Date.now();
+    }
+
+    const watchdogTimer = setInterval(() => {
+      if (stopped || ws !== socket) {
+        return;
+      }
+
+      const idleForMs = Date.now() - lastActivityAt;
+      if (!socketAuthenticated) {
+        if (idleForMs < authResponseTimeoutMs) {
+          return;
+        }
+        logger.error(`[tunnel] auth response timeout after ${idleForMs}ms. Terminating socket and retrying.`);
+        closeSocket(socket);
+        return;
+      }
+
+      if (idleForMs < staleUpstreamTimeoutMs) {
+        return;
+      }
+
+      logger.error(`[tunnel] upstream stale for ${idleForMs}ms. Terminating socket and reconnecting.`);
+      closeSocket(socket);
+    }, watchdogIntervalMs);
+    watchdogTimer.unref?.();
+
+    ws = socket;
+
+    socket.on("open", () => {
+      markActivity();
+      logger.info("[tunnel] connected to relay, authenticating...");
+      socket.send(JSON.stringify({ type: "auth", key }));
     });
 
-    ws.on("message", async (raw) => {
+    socket.on("ping", markActivity);
+    socket.on("pong", markActivity);
+
+    socket.on("message", async (raw) => {
       try {
+        if (ws !== socket) {
+          return;
+        }
+
+        markActivity();
         const str = String(raw);
 
         // Fast path: WS data forwarding uses "W:${connId}:${data}" prefix (no JSON parse)
@@ -90,15 +185,19 @@ function createTunnelClient({ key, relayUrl, localServerUrl }) {
         const msg = JSON.parse(str);
 
         if (msg.type === "auth:ok") {
+          socketAuthenticated = true;
           authenticated = true;
-          console.log(`[tunnel] authenticated with relay: ${relayUrl} (userId=${msg.userId})`);
+          reconnectDelay = reconnectBaseMs;
+          logger.info(`[tunnel] authenticated with relay: ${relayUrl} (userId=${msg.userId})`);
           flushStatusSummary();
           return;
         }
         if (msg.type === "auth:error") {
-          console.error(`[tunnel] authentication failed: ${msg.error || "invalid key"}`);
-          stopped = true;
-          ws.close();
+          logger.error(`[tunnel] authentication failed: ${msg.error || "invalid key"}`);
+          if (isTerminalAuthFailure({ error: msg.error })) {
+            stopped = true;
+          }
+          socket.close();
           return;
         }
 
@@ -108,28 +207,32 @@ function createTunnelClient({ key, relayUrl, localServerUrl }) {
 
         await handleRelayMessage(msg);
       } catch (err) {
-        console.error(`[tunnel] message error: ${err.message}`);
+        logger.error(`[tunnel] message error: ${err.message}`);
       }
     });
 
-    ws.on("close", (code) => {
+    socket.on("close", (code, reasonBuffer) => {
+      clearInterval(watchdogTimer);
+      if (ws === socket) {
+        ws = null;
+      }
+      const reason = Buffer.isBuffer(reasonBuffer) ? reasonBuffer.toString("utf8") : String(reasonBuffer || "");
+      const closeDetails = describeWebSocketClose({ code, reason });
       if (stopped) {
+        logger.info(`[tunnel] stopped with close ${closeDetails}`);
         return;
       }
-      if (code === 4401) {
-        console.error("[tunnel] authentication rejected by relay. Not reconnecting.");
+      if (isTerminalAuthFailure({ code, reason })) {
+        logger.error(`[tunnel] authentication rejected by relay (${closeDetails}). Not reconnecting.`);
         stopped = true;
         return;
       }
-      console.log(`[tunnel] disconnected (${code}). Reconnecting in ${reconnectDelay}ms...`);
-      setTimeout(() => {
-        reconnectDelay = Math.min(reconnectDelay * 2, RECONNECT_MAX_MS);
-        connect();
-      }, reconnectDelay);
+      logger.info(`[tunnel] disconnected (${closeDetails}). Reconnecting in ${reconnectDelay}ms...`);
+      scheduleReconnect();
     });
 
-    ws.on("error", (err) => {
-      console.error(`[tunnel] ws error: ${err.message}`);
+    socket.on("error", (err) => {
+      logger.error(`[tunnel] ws error: ${err.message}`);
     });
   }
 
@@ -238,6 +341,10 @@ function createTunnelClient({ key, relayUrl, localServerUrl }) {
 
   function stop() {
     stopped = true;
+    if (reconnectTimer) {
+      clearTimeout(reconnectTimer);
+      reconnectTimer = null;
+    }
     for (const localWs of localWsConnections.values()) {
       localWs.close();
     }
@@ -250,6 +357,7 @@ function createTunnelClient({ key, relayUrl, localServerUrl }) {
   connect();
 
   return {
+    logPath: logger.logPath,
     sendStatusSummary,
     stop
   };

package/src/tunnel.test.js

@@ -1,7 +1,10 @@
 const test = require("node:test");
 const assert = require("node:assert/strict");
+const { once } = require("node:events");
+const { createServer } = require("node:http");
+const { WebSocketServer } = require("ws");
 
-const { buildLocalRequestHeaders } = require("./tunnel");
+const { buildLocalRequestHeaders, createTunnelClient } = require("./tunnel");
 
 test("buildLocalRequestHeaders strips browser-only proxy headers and rewrites host", () => {
   const next = buildLocalRequestHeaders(
@@ -29,3 +32,167 @@ test("buildLocalRequestHeaders strips browser-only proxy headers and rewrites ho
     host: "127.0.0.1:8765"
   });
 });
+
+async function withRelaySocketServer(run) {
+  const server = createServer();
+  const wss = new WebSocketServer({ server });
+
+  server.listen(0, "127.0.0.1");
+  await once(server, "listening");
+
+  const address = server.address();
+  const relayUrl = `http://127.0.0.1:${address.port}`;
+
+  try {
+    await run({ relayUrl, wss });
+  } finally {
+    await new Promise((resolve) => wss.close(resolve));
+    await new Promise((resolve, reject) => {
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
+        }
+        resolve();
+      });
+    });
+  }
+}
+
+function createNoopLogger() {
+  return {
+    info() {},
+    error() {}
+  };
+}
+
+async function waitFor(predicate, timeoutMs = 500) {
+  const startedAt = Date.now();
+  while (!predicate()) {
+    if (Date.now() - startedAt > timeoutMs) {
+      return false;
+    }
+    await new Promise((resolve) => setTimeout(resolve, 10));
+  }
+  return true;
+}
+
+test("createTunnelClient reconnects when auth never completes", async () => {
+  await withRelaySocketServer(async ({ relayUrl, wss }) => {
+    const connections = [];
+    wss.on("connection", (socket) => {
+      connections.push(socket);
+      socket.on("message", () => {
+        // Intentionally ignore auth messages to simulate a stalled handshake.
+      });
+    });
+
+    const tunnel = createTunnelClient({
+      key: "test-key",
+      relayUrl,
+      localServerUrl: "http://127.0.0.1:8765",
+      logger: createNoopLogger(),
+      reconnectBaseMs: 20,
+      reconnectMaxMs: 40,
+      authResponseTimeoutMs: 50,
+      watchdogIntervalMs: 10
+    });
+
+    try {
+      const reconnected = await waitFor(() => connections.length >= 2);
+      assert.ok(reconnected, `expected reconnect after stalled auth, saw ${connections.length} connection(s)`);
+    } finally {
+      tunnel.stop();
+    }
+  });
+});
+
+test("createTunnelClient reconnects when an authenticated tunnel goes silent", async () => {
+  await withRelaySocketServer(async ({ relayUrl, wss }) => {
+    const connections = [];
+    wss.on("connection", (socket) => {
+      connections.push(socket);
+      socket.once("message", () => {
+        socket.send(JSON.stringify({ type: "auth:ok", userId: "user_test" }));
+        // Intentionally stay silent after auth: no ping, no messages.
+      });
+    });
+
+    const tunnel = createTunnelClient({
+      key: "test-key",
+      relayUrl,
+      localServerUrl: "http://127.0.0.1:8765",
+      logger: createNoopLogger(),
+      reconnectBaseMs: 20,
+      reconnectMaxMs: 40,
+      staleUpstreamTimeoutMs: 60,
+      watchdogIntervalMs: 10
+    });
+
+    try {
+      const reconnected = await waitFor(() => connections.length >= 2);
+      assert.ok(reconnected, `expected reconnect after stale upstream, saw ${connections.length} connection(s)`);
+    } finally {
+      tunnel.stop();
+    }
+  });
+});
+
+test("createTunnelClient retries after relay auth timeout closes the socket", async () => {
+  await withRelaySocketServer(async ({ relayUrl, wss }) => {
+    const connections = [];
+    wss.on("connection", (socket) => {
+      connections.push(socket);
+      socket.once("message", () => {
+        socket.close(4401, "auth_timeout");
+      });
+    });
+
+    const tunnel = createTunnelClient({
+      key: "test-key",
+      relayUrl,
+      localServerUrl: "http://127.0.0.1:8765",
+      logger: createNoopLogger(),
+      reconnectBaseMs: 20,
+      reconnectMaxMs: 40,
+      watchdogIntervalMs: 10
+    });
+
+    try {
+      const reconnected = await waitFor(() => connections.length >= 2);
+      assert.ok(reconnected, `expected reconnect after auth_timeout, saw ${connections.length} connection(s)`);
+    } finally {
+      tunnel.stop();
+    }
+  });
+});
+
+test("createTunnelClient stops retrying after invalid key is rejected", async () => {
+  await withRelaySocketServer(async ({ relayUrl, wss }) => {
+    const connections = [];
+    wss.on("connection", (socket) => {
+      connections.push(socket);
+      socket.once("message", () => {
+        socket.send(JSON.stringify({ type: "auth:error", error: "invalid_key" }));
+        socket.close(4401, "invalid_key");
+      });
+    });
+
+    const tunnel = createTunnelClient({
+      key: "test-key",
+      relayUrl,
+      localServerUrl: "http://127.0.0.1:8765",
+      logger: createNoopLogger(),
+      reconnectBaseMs: 20,
+      reconnectMaxMs: 40,
+      watchdogIntervalMs: 10
+    });
+
+    try {
+      await new Promise((resolve) => setTimeout(resolve, 120));
+      assert.equal(connections.length, 1);
+    } finally {
+      tunnel.stop();
+    }
+  });
+});