agent-relay 2.0.22 → 2.0.24

package/packages/cloud/dist/server.js

@@ -1,2034 +0,0 @@
-/**
- * Agent Relay Cloud - Express Server
- */
-import express from 'express';
-import session from 'express-session';
-import cors from 'cors';
-import helmet from 'helmet';
-import crypto from 'crypto';
-import path from 'node:path';
-import http from 'node:http';
-import fs from 'node:fs';
-import { fileURLToPath } from 'node:url';
-import { createClient } from 'redis';
-import { RedisStore } from 'connect-redis';
-import { WebSocketServer, WebSocket } from 'ws';
-import { getConfig } from './config.js';
-import { runMigrations } from './db/index.js';
-import { getScalingOrchestrator, getComputeEnforcementService, getIntroExpirationService, getWorkspaceKeepaliveService } from './services/index.js';
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-// API routers
-import { authRouter, requireAuth } from './api/auth.js';
-import { providersRouter } from './api/providers.js';
-import { workspacesRouter } from './api/workspaces.js';
-import { reposRouter } from './api/repos.js';
-import { onboardingRouter } from './api/onboarding.js';
-import { teamsRouter } from './api/teams.js';
-import { billingRouter } from './api/billing.js';
-import { usageRouter } from './api/usage.js';
-import { coordinatorsRouter } from './api/coordinators.js';
-import { daemonsRouter } from './api/daemons.js';
-import { monitoringRouter } from './api/monitoring.js';
-import { testHelpersRouter } from './api/test-helpers.js';
-import { webhooksRouter } from './api/webhooks.js';
-import { githubAppRouter } from './api/github-app.js';
-import { nangoAuthRouter } from './api/nango-auth.js';
-import { emailAuthRouter } from './api/email-auth.js';
-import { gitRouter } from './api/git.js';
-import { sessionsRouter } from './api/sessions.js';
-import { codexAuthHelperRouter } from './api/codex-auth-helper.js';
-import { adminRouter } from './api/admin.js';
-import { consensusRouter } from './api/consensus.js';
-import { db } from './db/index.js';
-import { validateSshSecurityConfig } from './services/ssh-security.js';
-import { registerUserPresence, unregisterUserPresence, updateUserLastSeen } from './services/presence-registry.js';
-import { cloudMessageBus } from './services/cloud-message-bus.js';
-/**
- * Proxy a request to the user's primary running workspace
- */
-async function proxyToUserWorkspace(req, res, path, options) {
-    const userId = req.session.userId;
-    if (!userId) {
-        res.status(401).json({ error: 'Unauthorized' });
-        return;
-    }
-    try {
-        // Find user's running workspace
-        const workspaces = await db.workspaces.findByUserId(userId);
-        const runningWorkspace = workspaces.find(w => w.status === 'running' && w.publicUrl);
-        if (!runningWorkspace || !runningWorkspace.publicUrl) {
-            res.status(404).json({ error: 'No running workspace found', success: false });
-            return;
-        }
-        // Proxy to workspace
-        const targetUrl = `${runningWorkspace.publicUrl}${path}`;
-        console.log(`[workspace-proxy] ${options?.method || 'GET'} ${targetUrl}`);
-        const fetchOptions = {
-            method: options?.method || 'GET',
-            headers: { 'Content-Type': 'application/json' },
-        };
-        if (options?.body) {
-            fetchOptions.body = JSON.stringify(options.body);
-        }
-        const proxyRes = await fetch(targetUrl, fetchOptions);
-        const contentType = proxyRes.headers.get('content-type') || '';
-        console.log(`[workspace-proxy] Response: ${proxyRes.status} ${proxyRes.statusText}, content-type: ${contentType}`);
-        // Check if response is JSON
-        if (!contentType.includes('application/json')) {
-            const text = await proxyRes.text();
-            console.error(`[workspace-proxy] Non-JSON response: ${text.substring(0, 200)}`);
-            res.status(502).json({ error: 'Workspace returned non-JSON response', success: false });
-            return;
-        }
-        const data = await proxyRes.json();
-        res.status(proxyRes.status).json(data);
-    }
-    catch (error) {
-        console.error('[workspace-proxy] Error:', error);
-        res.status(500).json({ error: 'Failed to proxy request to workspace', success: false });
-    }
-}
-export async function createServer() {
-    const config = getConfig();
-    // Validate security configuration at startup
-    validateSshSecurityConfig();
-    const app = express();
-    app.set('trust proxy', 1);
-    // Redis client for sessions
-    const redisClient = createClient({ url: config.redisUrl });
-    redisClient.on('error', (err) => {
-        console.error('[redis] error', err);
-    });
-    redisClient.on('reconnecting', () => {
-        console.warn('[redis] reconnecting...');
-    });
-    await redisClient.connect();
-    // Middleware
-    // Configure helmet to allow Next.js inline scripts and Nango Connect UI
-    app.use(helmet({
-        contentSecurityPolicy: {
-            directives: {
-                defaultSrc: ["'self'"],
-                scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'", "https://connect.nango.dev"],
-                styleSrc: ["'self'", "'unsafe-inline'", "https://fonts.googleapis.com", "https://connect.nango.dev"],
-                fontSrc: ["'self'", "https://fonts.gstatic.com", "data:"],
-                imgSrc: ["'self'", "data:", "https:", "blob:"],
-                connectSrc: ["'self'", "wss:", "ws:", "https:", "https://api.nango.dev", "https://connect.nango.dev"],
-                frameSrc: ["'self'", "https://connect.nango.dev", "https://github.com"],
-                childSrc: ["'self'", "https://connect.nango.dev", "blob:"],
-                workerSrc: ["'self'", "blob:"],
-            },
-        },
-    }));
-    app.use(cors({
-        origin: config.publicUrl,
-        credentials: true,
-    }));
-    // Custom JSON parser that preserves raw body for webhook signature verification
-    // Increase limit to 10mb for base64 image uploads (screenshots)
-    app.use(express.json({
-        limit: '10mb',
-        verify: (req, _res, buf) => {
-            // Store raw body for webhook signature verification
-            req.rawBody = buf.toString();
-        },
-    }));
-    // Session middleware
-    app.use(session({
-        store: new RedisStore({ client: redisClient }),
-        secret: config.sessionSecret,
-        resave: false,
-        saveUninitialized: false,
-        cookie: {
-            secure: config.publicUrl.startsWith('https'),
-            httpOnly: true,
-            sameSite: 'lax',
-            maxAge: 7 * 24 * 60 * 60 * 1000, // 7 days
-        },
-    }));
-    // Basic audit log (request/response)
-    app.use((req, res, next) => {
-        const started = Date.now();
-        res.on('finish', () => {
-            const duration = Date.now() - started;
-            const user = req.session?.userId ?? 'anon';
-            console.log(`[audit] ${req.method} ${req.originalUrl} ${res.statusCode} user=${user} ip=${req.ip} ${duration}ms`);
-        });
-        next();
-    });
-    // Simple in-memory rate limiting per IP
-    const RATE_LIMIT_WINDOW_MS = 60_000;
-    // Higher limit in development mode
-    const RATE_LIMIT_MAX = process.env.NODE_ENV === 'development' ? 1000 : 300;
-    const rateLimits = new Map();
-    // Track channel WebSocket clients by workspaceId for broadcasting channel events
-    const channelClientsByWorkspace = new Map();
-    /**
-     * Broadcast a channel event to all connected clients in a workspace.
-     * Used for notifying clients about channel creation, archiving, etc.
-     */
-    const broadcastToWorkspaceChannelClients = (workspaceId, message) => {
-        const clients = channelClientsByWorkspace.get(workspaceId);
-        if (!clients || clients.size === 0) {
-            console.log(`[ws/channels] No clients connected for workspace ${workspaceId}, skipping broadcast`);
-            return;
-        }
-        const payload = JSON.stringify(message);
-        let sentCount = 0;
-        for (const client of clients) {
-            if (client.readyState === WebSocket.OPEN) {
-                client.send(payload);
-                sentCount++;
-            }
-        }
-        console.log(`[ws/channels] Broadcast to ${sentCount}/${clients.size} clients in workspace ${workspaceId}`);
-    };
-    app.use((req, res, next) => {
-        // Skip rate limiting for localhost in development
-        if (process.env.NODE_ENV === 'development') {
-            const ip = req.ip || '';
-            if (ip === '127.0.0.1' || ip === '::1' || ip === '::ffff:127.0.0.1') {
-                return next();
-            }
-        }
-        const now = Date.now();
-        const key = req.ip || 'unknown';
-        const entry = rateLimits.get(key);
-        if (!entry || entry.resetAt <= now) {
-            rateLimits.set(key, { count: 1, resetAt: now + RATE_LIMIT_WINDOW_MS });
-        }
-        else {
-            entry.count += 1;
-        }
-        const current = rateLimits.get(key);
-        res.setHeader('X-RateLimit-Limit', RATE_LIMIT_MAX.toString());
-        res.setHeader('X-RateLimit-Remaining', Math.max(RATE_LIMIT_MAX - current.count, 0).toString());
-        res.setHeader('X-RateLimit-Reset', Math.floor(current.resetAt / 1000).toString());
-        if (current.count > RATE_LIMIT_MAX) {
-            return res.status(429).json({ error: 'Too many requests' });
-        }
-        // Opportunistic cleanup
-        if (rateLimits.size > 5000) {
-            for (const [ip, data] of rateLimits) {
-                if (data.resetAt <= now) {
-                    rateLimits.delete(ip);
-                }
-            }
-        }
-        next();
-    });
-    // Lightweight CSRF protection using session token
-    const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);
-    // Paths exempt from CSRF (webhooks from external services, workspace proxy, local auth callbacks, admin API)
-    const CSRF_EXEMPT_PATHS = [
-        '/api/webhooks/',
-        '/api/auth/nango/webhook',
-        '/api/auth/codex-helper/callback',
-        '/api/admin/', // Admin API uses X-Admin-Secret header auth
-        '/api/channels/', // Channels API routes to local daemon, not cloud
-    ];
-    // Additional pattern for workspace proxy routes (contains /proxy/)
-    const isWorkspaceProxyRoute = (path) => /^\/api\/workspaces\/[^/]+\/proxy\//.test(path);
-    app.use((req, res, next) => {
-        // Skip CSRF for webhook endpoints and workspace proxy routes
-        const isExemptPath = CSRF_EXEMPT_PATHS.some(exemptPath => req.path.startsWith(exemptPath));
-        if (isExemptPath || isWorkspaceProxyRoute(req.path)) {
-            return next();
-        }
-        if (!req.session)
-            return res.status(500).json({ error: 'Session unavailable' });
-        // Generate CSRF token if not present
-        // Use session.save() to ensure the session is persisted even for unauthenticated users
-        // This is necessary because saveUninitialized: false won't auto-save new sessions
-        if (!req.session.csrfToken) {
-            req.session.csrfToken = crypto.randomBytes(32).toString('hex');
-            // Explicitly save session to persist the CSRF token
-            req.session.save((err) => {
-                if (err) {
-                    console.error('[csrf] Failed to save session:', err);
-                }
-            });
-        }
-        res.setHeader('X-CSRF-Token', req.session.csrfToken);
-        if (SAFE_METHODS.has(req.method.toUpperCase())) {
-            return next();
-        }
-        // Skip CSRF for Bearer-authenticated endpoints (daemon API, test helpers)
-        const authHeader = req.get('authorization');
-        if (authHeader?.startsWith('Bearer ')) {
-            return next();
-        }
-        // Skip CSRF for admin API key authenticated requests
-        const adminSecret = req.get('x-admin-secret');
-        if (adminSecret) {
-            return next();
-        }
-        // Skip CSRF for test endpoints in non-production
-        if (process.env.NODE_ENV !== 'production' && req.path.startsWith('/api/test/')) {
-            return next();
-        }
-        const token = req.get('x-csrf-token');
-        if (!token || token !== req.session.csrfToken) {
-            console.log(`[csrf] Token mismatch: received=${token?.substring(0, 8)}... expected=${req.session.csrfToken?.substring(0, 8)}...`);
-            return res.status(403).json({
-                error: 'CSRF token invalid or missing',
-                code: 'CSRF_MISMATCH',
-            });
-        }
-        return next();
-    });
-    // Health check
-    app.get('/health', (req, res) => {
-        res.json({ status: 'ok', timestamp: new Date().toISOString() });
-    });
-    // API routes
-    //
-    // IMPORTANT: Route order matters! Routes with non-session auth (webhooks, API keys, tokens)
-    // must be mounted BEFORE teamsRouter, which catches all /api/* with requireAuth.
-    //
-    // --- Routes with alternative auth (must be before teamsRouter) ---
-    app.use('/api/auth', authRouter); // Login endpoints (public)
-    app.use('/api/auth/email', emailAuthRouter); // Email/password authentication
-    app.use('/api/auth/nango', nangoAuthRouter); // Nango webhook (signature verification)
-    app.use('/api/auth/codex-helper', codexAuthHelperRouter);
-    app.use('/api/git', gitRouter); // Workspace token auth
-    app.use('/api/sessions', sessionsRouter); // Workspace token auth (agent session persistence)
-    app.use('/api/webhooks', webhooksRouter); // GitHub webhooks (signature verification)
-    app.use('/api/monitoring', monitoringRouter); // Daemon API key auth endpoints
-    app.use('/api/daemons', daemonsRouter); // Daemon API key auth endpoints
-    app.use('/api/admin', adminRouter); // Admin API secret auth
-    // --- Routes with session auth ---
-    app.use('/api/providers', providersRouter);
-    app.use('/api/workspaces', workspacesRouter);
-    app.use('/api', consensusRouter); // Consensus API (nested under /api/workspaces/:id/consensus)
-    app.use('/api/repos', reposRouter);
-    app.use('/api/onboarding', onboardingRouter);
-    app.use('/api/billing', billingRouter);
-    app.use('/api/usage', usageRouter);
-    app.use('/api/project-groups', coordinatorsRouter);
-    app.use('/api/github-app', githubAppRouter);
-    // Trajectory proxy routes - auto-detect user's workspace and forward
-    // These are convenience routes so the dashboard doesn't need to know the workspace ID
-    // MUST be before teamsRouter to avoid being caught by its catch-all
-    app.get('/api/trajectory', requireAuth, async (req, res) => {
-        await proxyToUserWorkspace(req, res, '/api/trajectory');
-    });
-    app.get('/api/trajectory/steps', requireAuth, async (req, res) => {
-        const queryString = req.query.trajectoryId
-            ? `?trajectoryId=${encodeURIComponent(req.query.trajectoryId)}`
-            : '';
-        await proxyToUserWorkspace(req, res, `/api/trajectory/steps${queryString}`);
-    });
-    app.get('/api/trajectory/history', requireAuth, async (req, res) => {
-        await proxyToUserWorkspace(req, res, '/api/trajectory/history');
-    });
-    // Channel proxy routes - forward to local dashboard-server (not workspace)
-    // Channels talk to the local daemon, so they need the local dashboard-server
-    // MUST be before teamsRouter to avoid being caught by its catch-all
-    // Auto-detect local dashboard URL if not configured
-    let localDashboardUrl = config.localDashboardUrl;
-    const defaultPorts = [3889, 3888, 3890]; // 3889 first (common alternate port)
-    async function detectLocalDashboard() {
-        console.log('[channel-proxy] Auto-detecting local dashboard...');
-        for (const port of defaultPorts) {
-            try {
-                const controller = new AbortController();
-                const timeout = setTimeout(() => controller.abort(), 2000);
-                const res = await fetch(`http://localhost:${port}/health`, {
-                    method: 'GET',
-                    signal: controller.signal,
-                });
-                clearTimeout(timeout);
-                if (res.ok) {
-                    console.log(`[channel-proxy] Detected local dashboard at http://localhost:${port}`);
-                    return `http://localhost:${port}`;
-                }
-                console.log(`[channel-proxy] Port ${port}: responded but not OK (${res.status})`);
-            }
-            catch (err) {
-                const msg = err instanceof Error ? err.message : String(err);
-                console.log(`[channel-proxy] Port ${port}: ${msg}`);
-            }
-        }
-        console.log('[channel-proxy] No local dashboard detected, using fallback');
-        return null;
-    }
-    // Detect at startup if not configured - use a promise to ensure detection completes before first use
-    let detectionPromise = null;
-    if (localDashboardUrl) {
-        console.log(`[channel-proxy] Using configured dashboard URL: ${localDashboardUrl}`);
-    }
-    else {
-        // Start detection immediately
-        detectionPromise = detectLocalDashboard().then((detected) => {
-            if (detected) {
-                localDashboardUrl = detected;
-            }
-            else {
-                localDashboardUrl = 'http://localhost:3889';
-                console.log(`[channel-proxy] Falling back to ${localDashboardUrl}`);
-            }
-        });
-    }
-    async function getLocalDashboardUrl() {
-        // Wait for detection to complete if it's in progress
-        if (detectionPromise) {
-            await detectionPromise;
-            detectionPromise = null;
-        }
-        // If still not set (shouldn't happen), detect now
-        if (!localDashboardUrl) {
-            const detected = await detectLocalDashboard();
-            localDashboardUrl = detected || 'http://localhost:3889';
-        }
-        return localDashboardUrl;
-    }
-    async function proxyToLocalDashboard(req, res, path, options) {
-        try {
-            const dashboardUrl = await getLocalDashboardUrl();
-            const targetUrl = `${dashboardUrl}${path}`;
-            console.log(`[channel-proxy] ${options?.method || 'GET'} ${targetUrl}`);
-            const fetchOptions = {
-                method: options?.method || 'GET',
-                headers: { 'Content-Type': 'application/json' },
-            };
-            if (options?.body) {
-                fetchOptions.body = JSON.stringify(options.body);
-            }
-            const proxyRes = await fetch(targetUrl, fetchOptions);
-            const contentType = proxyRes.headers.get('content-type') || '';
-            if (!contentType.includes('application/json')) {
-                const text = await proxyRes.text();
-                console.error(`[channel-proxy] Non-JSON response from ${targetUrl}: ${text.substring(0, 100)}`);
-                res.status(502).json({
-                    error: 'Local dashboard not available or returned non-JSON response',
-                    hint: 'Make sure the dashboard-server is running (agent-relay start)',
-                });
-                return;
-            }
-            const data = await proxyRes.json();
-            res.status(proxyRes.status).json(data);
-        }
-        catch (error) {
-            console.error('[channel-proxy] Error:', error);
-            res.status(502).json({
-                error: 'Failed to connect to local dashboard',
-                hint: 'Make sure the dashboard-server is running (agent-relay start)',
-            });
-        }
-    }
-    // =========================================================================
-    // Channel metadata endpoints (stored in cloud PostgreSQL)
-    // =========================================================================
-    /**
-     * GET /api/channels - List channels for a workspace
-     * Channels are workspace-scoped, not user-scoped
-     */
-    app.get('/api/channels', requireAuth, async (req, res) => {
-        try {
-            const workspaceId = req.query.workspaceId;
-            if (!workspaceId) {
-                return res.status(400).json({ error: 'workspaceId query param required' });
-            }
-            // Verify user has access to this workspace
-            const userId = req.session.userId;
-            const workspace = await db.workspaces.findById(workspaceId);
-            if (!workspace) {
-                return res.status(404).json({ error: 'Workspace not found' });
-            }
-            if (workspace.userId !== userId) {
-                const membership = await db.workspaceMembers.findMembership(workspaceId, userId);
-                if (!membership || !membership.acceptedAt) {
-                    return res.status(403).json({ error: 'Access denied' });
-                }
-            }
-            const allChannels = await db.channels.findByWorkspaceId(workspaceId);
-            const activeChannels = allChannels.filter(c => c.status === 'active');
-            const archivedChannels = allChannels.filter(c => c.status === 'archived');
-            // Get member counts for all channels in one query
-            const channelUuids = allChannels.map(c => c.id);
-            const memberCounts = await db.channelMembers.countByChannelIds(channelUuids);
-            // Transform to API response format
-            // IMPORTANT: Channel IDs must include # prefix to match daemon convention
-            // The daemon uses "#channelName" format for CHANNEL_MESSAGE routing
-            const mapChannel = (c) => ({
-                id: c.channelId.startsWith('#') ? c.channelId : `#${c.channelId}`,
-                name: c.name,
-                description: c.description,
-                visibility: c.visibility,
-                status: c.status,
-                createdAt: c.createdAt.toISOString(),
-                createdBy: c.createdBy || '__system__',
-                lastActivityAt: c.lastActivityAt?.toISOString(),
-                memberCount: memberCounts.get(c.id) ?? 0,
-                unreadCount: 0,
-                hasMentions: false,
-                isDm: c.channelId.startsWith('dm:'),
-            });
-            res.json({
-                channels: activeChannels.map(mapChannel),
-                archivedChannels: archivedChannels.map(mapChannel),
-            });
-        }
-        catch (error) {
-            console.error('[channels] Error listing channels:', error);
-            res.status(500).json({ error: 'Failed to list channels' });
-        }
-    });
-    /**
-     * POST /api/channels - Create a new channel
-     */
-    app.post('/api/channels', requireAuth, express.json(), async (req, res) => {
-        try {
-            const { name, description, isPrivate, workspaceId, invites } = req.body;
-            if (!name || !workspaceId) {
-                return res.status(400).json({ error: 'name and workspaceId are required' });
-            }
-            // Verify user has access to this workspace
-            const userId = req.session.userId;
-            const workspace = await db.workspaces.findById(workspaceId);
-            if (!workspace) {
-                return res.status(404).json({ error: 'Workspace not found' });
-            }
-            if (workspace.userId !== userId) {
-                const membership = await db.workspaceMembers.findMembership(workspaceId, userId);
-                if (!membership || !membership.acceptedAt) {
-                    return res.status(403).json({ error: 'Access denied' });
-                }
-            }
-            // Get creator username from session
-            const user = await db.users.findById(userId);
-            const createdBy = user?.githubUsername || 'unknown';
-            // Normalize channel name (remove # prefix if present)
-            const channelId = name.startsWith('#') ? name.slice(1) : name;
-            const displayName = channelId;
-            // Check if channel already exists
-            const existing = await db.channels.findByWorkspaceAndChannelId(workspaceId, channelId);
-            if (existing) {
-                return res.status(409).json({ error: 'Channel already exists' });
-            }
-            // Create the channel
-            console.log('[channels] Creating channel:', { workspaceId, channelId, displayName, createdBy });
-            let channel;
-            try {
-                channel = await db.channels.create({
-                    workspaceId,
-                    channelId,
-                    name: displayName,
-                    description,
-                    visibility: isPrivate ? 'private' : 'public',
-                    status: 'active',
-                    createdBy,
-                });
-                console.log('[channels] Channel created:', channel.id);
-            }
-            catch (createError) {
-                const err = createError;
-                console.error('[channels] Failed to create channel in database:', {
-                    message: err.message,
-                    stack: err.stack,
-                });
-                throw createError;
-            }
-            // Add creator as owner
-            try {
-                await db.channelMembers.addMember({
-                    channelId: channel.id,
-                    memberId: createdBy,
-                    memberType: 'user',
-                    role: 'owner',
-                });
-                console.log('[channels] Added creator as owner:', createdBy);
-            }
-            catch (memberError) {
-                const err = memberError;
-                console.error('[channels] Failed to add channel member:', {
-                    message: err.message,
-                    stack: err.stack,
-                    channelId: channel.id,
-                    memberId: createdBy,
-                });
-                throw memberError;
-            }
-            // Handle invites if provided
-            // Supports: comma-separated string, array of strings, or array of {id, type} objects
-            const addedMembers = [
-                { id: createdBy, type: 'user', role: 'owner' },
-            ];
-            const memberWarnings = [];
-            if (invites) {
-                let inviteList = [];
-                if (typeof invites === 'string') {
-                    // Comma-separated string: "alice,bob" -> all as users
-                    inviteList = invites.split(',')
-                        .map((s) => s.trim())
-                        .filter(Boolean)
-                        .map(id => ({ id, type: 'user' }));
-                }
-                else if (Array.isArray(invites)) {
-                    // Array of strings or objects
-                    inviteList = invites.map((inv) => {
-                        if (typeof inv === 'string') {
-                            return { id: inv, type: 'user' };
-                        }
-                        return {
-                            id: inv.id,
-                            type: (inv.type === 'agent' ? 'agent' : 'user'),
-                        };
-                    });
-                }
-                for (const invitee of inviteList) {
-                    await db.channelMembers.addMember({
-                        channelId: channel.id,
-                        memberId: invitee.id,
-                        memberType: invitee.type,
-                        role: 'member',
-                        invitedBy: createdBy,
-                    });
-                    addedMembers.push({ id: invitee.id, type: invitee.type, role: 'member' });
-                    // For agent members, sync to workspace daemon's in-memory channel membership
-                    // IMPORTANT: Must use workspace.publicUrl where agents are connected
-                    if (invitee.type === 'agent') {
-                        try {
-                            const channelName = channelId.startsWith('#') ? channelId : `#${channelId}`;
-                            // Route to workspace's dashboard where agents are connected
-                            const dashboardUrl = workspace.publicUrl || await getLocalDashboardUrl();
-                            const joinResponse = await fetch(`${dashboardUrl}/api/channels/admin-join`, {
-                                method: 'POST',
-                                headers: { 'Content-Type': 'application/json' },
-                                body: JSON.stringify({ channel: channelName, member: invitee.id, workspaceId }),
-                            });
-                            const joinResult = await joinResponse.json();
-                            console.log(`[channels] Synced agent ${invitee.id} to channel ${channelName} via workspace daemon`);
-                            // Check for warning about unconnected agent
-                            if (joinResult.warning) {
-                                memberWarnings.push({ member: invitee.id, warning: joinResult.warning });
-                                console.log(`[channels] Warning for ${invitee.id}: ${joinResult.warning}`);
-                            }
-                        }
-                        catch (err) {
-                            // Non-fatal - daemon sync is best-effort
-                            console.warn(`[channels] Failed to sync agent ${invitee.id} to daemon:`, err);
-                        }
-                    }
-                }
-            }
-            // Subscribe the channel creator to the daemon for real-time messages
-            // Use # prefix for channel ID to match daemon convention
-            const normalizedChannelId = channel.channelId.startsWith('#') ? channel.channelId : `#${channel.channelId}`;
-            try {
-                const workspace = await db.workspaces.findById(workspaceId);
-                const dashboardUrl = workspace?.publicUrl || await getLocalDashboardUrl();
-                await fetch(`${dashboardUrl}/api/channels/subscribe`, {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json' },
-                    body: JSON.stringify({
-                        username: createdBy,
-                        channels: [normalizedChannelId],
-                        workspaceId,
-                    }),
-                });
-                console.log(`[channels] Subscribed creator ${createdBy} to ${normalizedChannelId} on workspace daemon`);
-            }
-            catch (err) {
-                // Non-fatal - daemon sync is best-effort
-                console.warn(`[channels] Failed to sync creator to daemon:`, err);
-            }
-            // Broadcast channel creation to all connected clients in this workspace
-            const channelData = {
-                id: normalizedChannelId,
-                name: channel.name,
-                description: channel.description,
-                visibility: channel.visibility,
-                status: channel.status,
-                createdAt: channel.createdAt.toISOString(),
-                createdBy: channel.createdBy,
-                memberCount: addedMembers.length,
-                unreadCount: 0,
-                hasMentions: false,
-                isDm: false,
-            };
-            broadcastToWorkspaceChannelClients(workspaceId, {
-                type: 'channel_created',
-                channel: channelData,
-            });
-            console.log(`[channels] Broadcast channel_created event for ${channelId} to workspace ${workspaceId}`);
-            res.status(201).json({
-                success: true,
-                channel: {
-                    id: normalizedChannelId,
-                    name: channel.name,
-                    description: channel.description,
-                    visibility: channel.visibility,
-                    status: channel.status,
-                    createdAt: channel.createdAt.toISOString(),
-                    createdBy: channel.createdBy,
-                    members: addedMembers,
-                },
-                warnings: memberWarnings.length > 0 ? memberWarnings : undefined,
-            });
-        }
-        catch (error) {
-            const err = error;
-            console.error('[channels] Error creating channel:', {
-                message: err.message,
-                stack: err.stack,
-                name: err.name,
-                workspaceId: req.body.workspaceId,
-                channelName: req.body.name,
-            });
-            // Include error message for debugging (safe since this is authenticated)
-            res.status(500).json({
-                error: 'Failed to create channel',
-                message: err.message,
-            });
-        }
-    });
-    /**
-     * POST /api/channels/join - Join a channel
-     */
-    app.post('/api/channels/join', requireAuth, express.json(), async (req, res) => {
-        try {
-            const { channel: rawChannelId, workspaceId, username } = req.body;
-            if (!rawChannelId || !workspaceId) {
-                return res.status(400).json({ error: 'channel and workspaceId are required' });
-            }
-            // Normalize channel ID (remove # prefix if present)
-            const channelId = rawChannelId.startsWith('#') ? rawChannelId.slice(1) : rawChannelId;
-            const userId = req.session.userId;
-            const user = await db.users.findById(userId);
-            const memberId = username || user?.githubUsername || 'unknown';
-            // Find the channel
-            const channel = await db.channels.findByWorkspaceAndChannelId(workspaceId, channelId);
-            if (!channel) {
-                return res.status(404).json({ error: 'Channel not found' });
-            }
-            // Check if already a member
-            const existing = await db.channelMembers.findMembership(channel.id, memberId);
-            if (!existing) {
-                await db.channelMembers.addMember({
-                    channelId: channel.id,
-                    memberId,
-                    memberType: 'user',
-                    role: 'member',
-                });
-            }
-            // Also subscribe the user on the daemon side for real-time messages
-            // IMPORTANT: Must use workspace.publicUrl where agents are connected
-            try {
-                const workspace = await db.workspaces.findById(workspaceId);
-                const dashboardUrl = workspace?.publicUrl || await getLocalDashboardUrl();
-                const channelWithHash = rawChannelId.startsWith('#') ? rawChannelId : `#${rawChannelId}`;
-                await fetch(`${dashboardUrl}/api/channels/subscribe`, {
-                    method: 'POST',
-                    headers: { 'Content-Type': 'application/json' },
-                    body: JSON.stringify({
-                        username: memberId,
-                        channels: [channelWithHash],
-                        workspaceId,
-                    }),
-                });
-                console.log(`[cloud] Subscribed ${memberId} to ${channelWithHash} on workspace daemon`);
-            }
-            catch (err) {
-                // Non-fatal - daemon sync is best-effort
-                console.warn(`[cloud] Failed to sync join to daemon:`, err);
-            }
-            res.json({ success: true, channel: channelId });
-        }
-        catch (error) {
-            console.error('[channels] Error joining channel:', error);
-            res.status(500).json({ error: 'Failed to join channel' });
-        }
-    });
-    /**
-     * POST /api/channels/leave - Leave a channel
-     */
-    app.post('/api/channels/leave', requireAuth, express.json(), async (req, res) => {
-        try {
-            const { channel: rawChannelId, workspaceId, username } = req.body;
-            if (!rawChannelId || !workspaceId) {
-                return res.status(400).json({ error: 'channel and workspaceId are required' });
-            }
-            // Normalize channel ID (remove # prefix if present)
-            const channelId = rawChannelId.startsWith('#') ? rawChannelId.slice(1) : rawChannelId;
-            const userId = req.session.userId;
-            const user = await db.users.findById(userId);
-            const memberId = username || user?.githubUsername || 'unknown';
-            const channel = await db.channels.findByWorkspaceAndChannelId(workspaceId, channelId);
-            if (!channel) {
-                return res.status(404).json({ error: 'Channel not found' });
-            }
-            await db.channelMembers.removeMember(channel.id, memberId);
-            res.json({ success: true, channel: channelId });
-        }
-        catch (error) {
-            console.error('[channels] Error leaving channel:', error);
-            res.status(500).json({ error: 'Failed to leave channel' });
-        }
-    });
-    /**
-     * POST /api/channels/invite - Invite users or agents to a channel
-     * Invites can be:
-     * - Array of strings (usernames, assumed to be users)
-     * - Comma-separated string of usernames
-     * - Array of objects with { id: string, type: 'user' | 'agent' }
-     */
-    app.post('/api/channels/invite', requireAuth, express.json(), async (req, res) => {
-        try {
-            const { channel: rawChannelId, workspaceId, invites, invitedBy } = req.body;
-            if (!rawChannelId || !workspaceId || !invites) {
-                return res.status(400).json({ error: 'channel, workspaceId, and invites are required' });
-            }
-            // Normalize channel ID (remove # prefix if present)
-            const channelId = rawChannelId.startsWith('#') ? rawChannelId.slice(1) : rawChannelId;
-            const channel = await db.channels.findByWorkspaceAndChannelId(workspaceId, channelId);
-            if (!channel) {
-                return res.status(404).json({ error: 'Channel not found' });
-            }
-            // Get workspace for daemon sync
-            const workspace = await db.workspaces.findById(workspaceId);
-            let inviteList;
-            if (typeof invites === 'string') {
-                // Comma-separated string - assume users
-                inviteList = invites.split(',').map((s) => s.trim()).filter(Boolean)
-                    .map(id => ({ id, type: 'user' }));
-            }
-            else if (Array.isArray(invites)) {
-                // Array - could be strings or objects
-                inviteList = invites.map(item => {
-                    if (typeof item === 'string') {
-                        return { id: item, type: 'user' };
-                    }
-                    return { id: item.id, type: item.type || 'user' };
-                });
-            }
-            else {
-                return res.status(400).json({ error: 'invites must be a string or array' });
-            }
-            const results = [];
-            const agentWarnings = [];
-            for (const invitee of inviteList) {
-                const existing = await db.channelMembers.findMembership(channel.id, invitee.id);
-                if (!existing) {
-                    await db.channelMembers.addMember({
-                        channelId: channel.id,
-                        memberId: invitee.id,
-                        memberType: invitee.type,
-                        role: 'member',
-                        invitedBy,
-                    });
-                    // For agents, sync to workspace daemon's in-memory channel membership
-                    if (invitee.type === 'agent' && workspace) {
-                        try {
-                            const channelName = `#${channelId}`;
-                            const dashboardUrl = workspace.publicUrl || await getLocalDashboardUrl();
-                            const joinResponse = await fetch(`${dashboardUrl}/api/channels/admin-join`, {
-                                method: 'POST',
-                                headers: { 'Content-Type': 'application/json' },
-                                body: JSON.stringify({ channel: channelName, member: invitee.id, workspaceId }),
-                            });
-                            const joinResult = await joinResponse.json();
-                            console.log(`[channels] Synced agent ${invitee.id} to channel ${channelName} via workspace daemon`);
-                            if (joinResult.warning) {
-                                agentWarnings.push({ member: invitee.id, warning: joinResult.warning });
-                            }
-                        }
-                        catch (err) {
-                            console.warn(`[channels] Failed to sync agent ${invitee.id} to daemon:`, err);
-                        }
-                    }
-                    results.push({ id: invitee.id, type: invitee.type, success: true });
-                }
-                else {
-                    results.push({ id: invitee.id, type: invitee.type, success: true, reason: 'already_member' });
-                }
-            }
-            res.json({ channel: channelId, invited: results, warnings: agentWarnings.length > 0 ? agentWarnings : undefined });
-        }
-        catch (error) {
-            console.error('[channels] Error inviting to channel:', error);
-            res.status(500).json({ error: 'Failed to invite to channel' });
-        }
-    });
-    /**
-     * POST /api/channels/archive - Archive a channel
-     */
-    app.post('/api/channels/archive', requireAuth, express.json(), async (req, res) => {
-        try {
-            const { channel: rawChannelId, workspaceId } = req.body;
-            if (!rawChannelId || !workspaceId) {
-                return res.status(400).json({ error: 'channel and workspaceId are required' });
-            }
-            // Normalize channel ID (remove # prefix if present)
-            const channelId = rawChannelId.startsWith('#') ? rawChannelId.slice(1) : rawChannelId;
-            const channel = await db.channels.findByWorkspaceAndChannelId(workspaceId, channelId);
-            if (!channel) {
-                return res.status(404).json({ error: 'Channel not found' });
-            }
-            await db.channels.archive(channel.id);
-            res.json({ success: true, channel: channelId, status: 'archived' });
-        }
-        catch (error) {
-            console.error('[channels] Error archiving channel:', error);
-            res.status(500).json({ error: 'Failed to archive channel' });
-        }
-    });
-    /**
-     * POST /api/channels/unarchive - Unarchive a channel
-     */
-    app.post('/api/channels/unarchive', requireAuth, express.json(), async (req, res) => {
-        try {
-            const { channel: rawChannelId, workspaceId } = req.body;
-            if (!rawChannelId || !workspaceId) {
-                return res.status(400).json({ error: 'channel and workspaceId are required' });
-            }
-            // Normalize channel ID (remove # prefix if present)
-            const channelId = rawChannelId.startsWith('#') ? rawChannelId.slice(1) : rawChannelId;
-            const channel = await db.channels.findByWorkspaceAndChannelId(workspaceId, channelId);
-            if (!channel) {
-                return res.status(404).json({ error: 'Channel not found' });
-            }
-            await db.channels.unarchive(channel.id);
-            res.json({ success: true, channel: channelId, status: 'active' });
-        }
-        catch (error) {
-            console.error('[channels] Error unarchiving channel:', error);
-            res.status(500).json({ error: 'Failed to unarchive channel' });
-        }
-    });
-    // =========================================================================
-    // Channel message endpoints (proxied to workspace container)
-    // Messages are stored in the daemon's SQLite for real-time performance
-    // =========================================================================
-    app.post('/api/channels/message', requireAuth, express.json(), async (req, res) => {
-        // Route to the workspace's dashboard where the daemon and agents run
-        // IMPORTANT: Must use workspace.publicUrl (not getLocalDashboardUrl) because
-        // agents are connected to the workspace's daemon, so messages must route there
-        const { workspaceId } = req.body;
-        let dashboardUrl = await getLocalDashboardUrl(); // Default for local mode
-        if (workspaceId) {
-            try {
-                const workspace = await db.workspaces.findById(workspaceId);
-                if (workspace?.publicUrl) {
-                    dashboardUrl = workspace.publicUrl;
-                }
-            }
-            catch (err) {
-                console.warn(`[channel-message] Failed to lookup workspace ${workspaceId}:`, err);
-            }
-        }
-        const targetUrl = `${dashboardUrl}/api/channels/message`;
-        console.log(`[channel-message] POST ${targetUrl}`);
-        try {
-            const proxyRes = await fetch(targetUrl, {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify(req.body),
-            });
-            const data = await proxyRes.json();
-            res.status(proxyRes.status).json(data);
-        }
-        catch (error) {
-            console.error('[channel-message] Error:', error);
-            res.status(502).json({ error: 'Failed to send message to workspace' });
-        }
-    });
-    app.get('/api/channels/:channel/messages', requireAuth, async (req, res) => {
-        // Route to the workspace's dashboard where the daemon stores messages
-        // IMPORTANT: Must use workspace.publicUrl (not getLocalDashboardUrl) because
-        // messages are stored in the workspace's daemon SQLite, not the cloud server's
-        const workspaceId = req.query.workspaceId;
-        let dashboardUrl = await getLocalDashboardUrl(); // Default for local mode
-        if (workspaceId) {
-            try {
-                const workspace = await db.workspaces.findById(workspaceId);
-                if (workspace?.publicUrl) {
-                    dashboardUrl = workspace.publicUrl;
-                }
-            }
-            catch (err) {
-                console.warn(`[channel-messages] Failed to lookup workspace ${workspaceId}:`, err);
-            }
-        }
-        const channel = encodeURIComponent(String(req.params.channel));
-        const params = new URLSearchParams();
-        const limit = Array.isArray(req.query.limit) ? req.query.limit[0] : req.query.limit;
-        const before = Array.isArray(req.query.before) ? req.query.before[0] : req.query.before;
-        if (limit)
-            params.set('limit', String(limit));
-        if (before)
-            params.set('before', String(before));
-        if (workspaceId)
-            params.set('workspaceId', workspaceId);
-        const queryString = params.toString() ? `?${params.toString()}` : '';
-        const targetUrl = `${dashboardUrl}/api/channels/${channel}/messages${queryString}`;
-        console.log(`[channel-messages] GET ${targetUrl}`);
-        try {
-            const proxyRes = await fetch(targetUrl, {
-                method: 'GET',
-                headers: { 'Content-Type': 'application/json' },
-            });
-            const contentType = proxyRes.headers.get('content-type') || '';
-            if (!contentType.includes('application/json')) {
-                const text = await proxyRes.text();
-                console.error(`[channel-messages] Non-JSON response from ${targetUrl}: ${text.substring(0, 100)}`);
-                res.status(502).json({
-                    error: 'Workspace dashboard not available or returned non-JSON response',
-                    hint: 'Make sure the workspace daemon is running',
-                });
-                return;
-            }
-            const data = await proxyRes.json();
-            res.status(proxyRes.status).json(data);
-        }
-        catch (error) {
-            console.error('[channel-messages] Error:', error);
-            res.status(502).json({ error: 'Failed to fetch messages from workspace' });
-        }
-    });
-    /**
-     * GET /api/channels/:channel/members - Get members of a channel
-     * Cloud mode: Query database for channel members instead of proxying to local dashboard
-     */
-    app.get('/api/channels/:channel/members', requireAuth, async (req, res) => {
-        const channelParam = req.params.channel;
-        const workspaceId = req.query.workspaceId;
-        const userId = req.session.userId;
-        try {
-            // Find the channel in the database
-            // Channel ID can be passed as "random" or "#random" - normalize to find in DB
-            const channelName = channelParam.replace(/^#/, '');
-            // Get workspace ID - either from query param or user's default workspace
-            let targetWorkspaceId = workspaceId;
-            if (!targetWorkspaceId) {
-                const memberships = await db.workspaceMembers.findByUserId(userId);
-                if (memberships.length > 0) {
-                    targetWorkspaceId = memberships[0].workspaceId;
-                }
-            }
-            if (!targetWorkspaceId) {
-                return res.json({ members: [] });
-            }
-            // Verify user has access to this workspace
-            const canView = await db.workspaceMembers.canView(targetWorkspaceId, userId);
-            if (!canView) {
-                const workspace = await db.workspaces.findById(targetWorkspaceId);
-                if (!workspace || workspace.userId !== userId) {
-                    return res.status(403).json({ error: 'Access denied' });
-                }
-            }
-            // Find the channel by name and workspace
-            const channels = await db.channels.findByWorkspaceId(targetWorkspaceId);
-            const channel = channels.find(c => c.channelId === channelName ||
-                c.channelId === `#${channelName}` ||
-                c.name === channelName);
-            if (!channel) {
-                // Channel not found in database - return empty or fallback to dashboard proxy
-                console.log(`[channels] Channel ${channelParam} not found in database, proxying to dashboard`);
-                const encodedChannel = encodeURIComponent(channelParam);
-                return proxyToLocalDashboard(req, res, `/api/channels/${encodedChannel}/members`);
-            }
-            // Get all members of this channel from the database
-            const channelMembers = await db.channelMembers.findByChannelId(channel.id);
-            // Build response with entity type info and user details
-            const members = await Promise.all(channelMembers.map(async (member) => {
-                let displayName = member.memberId;
-                let avatarUrl;
-                // If it's a user, look up their details (stored by GitHub username)
-                if (member.memberType === 'user') {
-                    const user = await db.users.findByGithubUsername(member.memberId);
-                    if (user) {
-                        displayName = user.githubUsername || member.memberId;
-                        avatarUrl = user.avatarUrl || undefined;
-                    }
-                }
-                return {
-                    id: member.memberId,
-                    displayName,
-                    avatarUrl,
-                    entityType: member.memberType,
-                    role: member.role || 'member',
-                    status: 'offline', // TODO: Get actual online status from daemon
-                    joinedAt: member.joinedAt.toISOString(),
-                };
-            }));
-            return res.json({ members });
-        }
-        catch (error) {
-            console.error('[channels] Error getting channel members:', error);
-            return res.status(500).json({ error: 'Failed to get channel members' });
-        }
-    });
-    /**
-     * GET /api/channels/available-members - Get available members for channel invites
-     * Returns workspace members (humans) and agents from linked daemons
-     */
-    app.get('/api/channels/available-members', requireAuth, async (req, res) => {
-        try {
-            const userId = req.session.userId;
-            const workspaceId = req.query.workspaceId;
-            // Get workspace ID - either from query param or user's default workspace
-            let targetWorkspaceId = workspaceId;
-            if (!targetWorkspaceId) {
-                // Find user's default or first workspace
-                const memberships = await db.workspaceMembers.findByUserId(userId);
-                if (memberships.length > 0) {
-                    targetWorkspaceId = memberships[0].workspaceId;
-                }
-            }
-            if (!targetWorkspaceId) {
-                return res.json({ members: [], agents: [] });
-            }
-            // Verify user has access to this workspace
-            const canView = await db.workspaceMembers.canView(targetWorkspaceId, userId);
-            if (!canView) {
-                const workspace = await db.workspaces.findById(targetWorkspaceId);
-                if (!workspace || workspace.userId !== userId) {
-                    return res.status(403).json({ error: 'Access denied' });
-                }
-            }
-            // Get workspace members (humans)
-            const workspaceMembers = await db.workspaceMembers.findByWorkspaceId(targetWorkspaceId);
-            const members = await Promise.all(workspaceMembers.map(async (m) => {
-                const user = await db.users.findById(m.userId);
-                return {
-                    id: user?.githubUsername || m.userId,
-                    displayName: user?.githubUsername || 'Unknown',
-                    type: 'user',
-                    avatarUrl: user?.avatarUrl ?? undefined,
-                };
-            }));
-            // Get agents from linked daemons for this workspace
-            const daemons = await db.linkedDaemons.findByWorkspaceId(targetWorkspaceId);
-            const agents = [];
-            for (const daemon of daemons) {
-                const metadata = daemon.metadata;
-                const daemonAgents = metadata?.agents || [];
-                for (const agent of daemonAgents) {
-                    // Skip human users from daemon agent list (they're in workspace members)
-                    if (agent.isHuman)
-                        continue;
-                    // Avoid duplicates
-                    if (!agents.some((a) => a.id === agent.name)) {
-                        agents.push({
-                            id: agent.name,
-                            displayName: agent.name,
-                            type: 'agent',
-                            status: agent.status,
-                        });
-                    }
-                }
-            }
-            res.json({ members, agents });
-        }
-        catch (error) {
-            console.error('[channels] Error getting available members:', error);
-            res.status(500).json({ error: 'Failed to get available members' });
-        }
-    });
-    app.get('/api/channels/users', requireAuth, async (req, res) => {
-        await proxyToLocalDashboard(req, res, '/api/channels/users');
-    });
-    /**
-     * POST /api/channels/admin-remove - Remove a member from a channel (admin operation)
-     * Proxies to workspace dashboard where the daemon maintains channel membership
-     */
-    app.post('/api/channels/admin-remove', requireAuth, express.json(), async (req, res) => {
-        await proxyToLocalDashboard(req, res, '/api/channels/admin-remove');
-    });
-    // Bridge API - returns empty state in cloud mode
-    // Bridge is for local multi-project coordination; cloud workspaces are already separate
-    // MUST be before teamsRouter to avoid auth interception
-    app.get('/api/bridge', requireAuth, (_req, res) => {
-        res.json({ projects: [], messages: [], connected: false });
-    });
-    // Test helper routes (only available in non-production)
-    // MUST be before teamsRouter to avoid auth interception
-    if (process.env.NODE_ENV !== 'production') {
-        app.use('/api/test', testHelpersRouter);
-        console.log('[cloud] Test helper routes enabled (non-production mode)');
-    }
-    // Teams router - MUST BE LAST among /api routes
-    // Handles /workspaces/:id/members and /invites with requireAuth on all routes
-    app.use('/api', teamsRouter);
-    // Serve static dashboard files (Next.js static export)
-    // Path: packages/cloud/dist/server.js -> ../../dashboard/ui/out
-    // In Docker: /app/packages/cloud/dist -> /app/packages/dashboard/ui/out
-    const dashboardPath = path.join(__dirname, '../../dashboard/ui/out');
-    // Serve static files (JS, CSS, images, etc.)
-    app.use(express.static(dashboardPath));
-    // Handle clean URLs for Next.js static export
-    // When a directory exists (e.g., /app/), express.static won't serve app.html
-    // So we need to explicitly check for .html files
-    app.get('/{*splat}', (req, res, next) => {
-        // Don't handle API routes
-        if (req.path.startsWith('/api/')) {
-            return next();
-        }
-        // Clean the path (remove trailing slash)
-        const cleanPath = req.path.replace(/\/$/, '') || '/';
-        // Try to serve the corresponding .html file
-        const htmlFile = cleanPath === '/' ? 'index.html' : `${cleanPath}.html`;
-        const htmlPath = path.join(dashboardPath, htmlFile);
-        // Check if the HTML file exists
-        if (fs.existsSync(htmlPath)) {
-            res.sendFile(htmlPath);
-        }
-        else {
-            // Fallback to index.html for SPA-style routing
-            res.sendFile(path.join(dashboardPath, 'index.html'));
-        }
-    });
-    // Error handler
-    app.use((err, req, res, _next) => {
-        console.error('Error:', err);
-        res.status(500).json({
-            error: 'Internal server error',
-            message: process.env.NODE_ENV === 'development' ? err.message : undefined,
-        });
-    });
-    // Server lifecycle
-    let server = null;
-    let scalingOrchestrator = null;
-    let computeEnforcement = null;
-    let introExpiration = null;
-    let workspaceKeepalive = null;
-    let daemonStaleCheckInterval = null;
-    // Create HTTP server for WebSocket upgrade handling
-    const httpServer = http.createServer(app);
-    // ===== Presence WebSocket =====
-    const wssPresence = new WebSocketServer({
-        noServer: true,
-        perMessageDeflate: false,
-        maxPayload: 1024 * 1024, // 1MB - presence messages are small
-    });
-    const onlineUsers = new Map();
-    // Track workspace per WebSocket connection for filtering
-    const connectionWorkspace = new Map();
-    // Validation helpers
-    const isValidUsername = (username) => {
-        if (typeof username !== 'string')
-            return false;
-        // Username can be:
-        // - GitHub-style: alphanumeric with hyphens (e.g., "khaliqgant")
-        // - Display name style: allows spaces for email users (e.g., "Khaliq Gant")
-        // Max 50 chars, must start/end with alphanumeric, no consecutive spaces
-        if (username.length === 0 || username.length > 50)
-            return false;
-        // Must start and end with alphanumeric
-        if (!/^[a-zA-Z0-9]/.test(username) || !/[a-zA-Z0-9]$/.test(username))
-            return false;
-        // Only allow alphanumeric, spaces, hyphens, underscores, and periods
-        if (!/^[a-zA-Z0-9][a-zA-Z0-9 _.-]*[a-zA-Z0-9]$/.test(username) && username.length > 1)
-            return false;
-        // Single character usernames must be alphanumeric
-        if (username.length === 1 && !/^[a-zA-Z0-9]$/.test(username))
-            return false;
-        // No consecutive spaces
-        if (/  /.test(username))
-            return false;
-        return true;
-    };
-    const isValidAvatarUrl = (url) => {
-        if (url === undefined || url === null)
-            return true;
-        if (typeof url !== 'string')
-            return false;
-        // Must be a valid HTTPS URL from known avatar providers
-        try {
-            const parsed = new URL(url);
-            if (parsed.protocol !== 'https:')
-                return false;
-            // Allow GitHub avatars
-            if (parsed.hostname === 'avatars.githubusercontent.com' ||
-                parsed.hostname === 'github.com' ||
-                parsed.hostname.endsWith('.githubusercontent.com'))
-                return true;
-            // Allow Gravatar for email-based avatars
-            if (parsed.hostname === 'www.gravatar.com' ||
-                parsed.hostname === 'gravatar.com' ||
-                parsed.hostname === 'secure.gravatar.com')
-                return true;
-            // Allow UI Avatars (placeholder service)
-            if (parsed.hostname === 'ui-avatars.com')
-                return true;
-            return false;
-        }
-        catch {
-            return false;
-        }
-    };
-    // WebSocket server for agent logs (proxied to workspace daemon)
-    const wssLogs = new WebSocketServer({ noServer: true, perMessageDeflate: false });
-    // WebSocket server for channel messages (proxied to workspace daemon)
-    const wssChannels = new WebSocketServer({ noServer: true, perMessageDeflate: false });
-    // Handle agent logs WebSocket connections
-    wssLogs.on('connection', async (clientWs, workspaceId, agentName) => {
-        console.log(`[ws/logs] Client connected for workspace=${workspaceId} agent=${agentName}`);
-        let daemonWs = null;
-        try {
-            // Find the workspace (needed to verify it exists and get its URL)
-            const workspace = await db.workspaces.findById(workspaceId);
-            if (!workspace) {
-                clientWs.send(JSON.stringify({ type: 'error', message: 'Workspace not found' }));
-                clientWs.close();
-                return;
-            }
-            // Connect to the workspace's dashboard where the agent was spawned
-            // IMPORTANT: Must use workspace.publicUrl (not getLocalDashboardUrl) because
-            // agents are spawned on the workspace server, so logs must connect there too
-            const dashboardUrl = workspace.publicUrl || await getLocalDashboardUrl();
-            const baseUrl = dashboardUrl.replace(/^http/, 'ws').replace(/\/$/, '');
-            const daemonWsUrl = `${baseUrl}/ws/logs/${encodeURIComponent(agentName)}`;
-            console.log(`[ws/logs] Connecting to daemon: ${daemonWsUrl}`);
-            daemonWs = new WebSocket(daemonWsUrl, { perMessageDeflate: false });
-            daemonWs.on('open', () => {
-                console.log(`[ws/logs] Connected to daemon for ${agentName}`);
-                // Note: No need to send subscribe message - the agent name in the URL path
-                // triggers auto-subscription in the dashboard server
-            });
-            daemonWs.on('message', (data) => {
-                // Forward daemon messages to client
-                if (clientWs.readyState === WebSocket.OPEN) {
-                    clientWs.send(data.toString());
-                }
-            });
-            daemonWs.on('close', () => {
-                console.log(`[ws/logs] Daemon connection closed for ${agentName}`);
-                if (clientWs.readyState === WebSocket.OPEN) {
-                    clientWs.close();
-                }
-            });
-            daemonWs.on('error', (err) => {
-                console.error(`[ws/logs] Daemon WebSocket error:`, err);
-                if (clientWs.readyState === WebSocket.OPEN) {
-                    clientWs.send(JSON.stringify({ type: 'error', message: 'Daemon connection error' }));
-                    clientWs.close();
-                }
-            });
-            // Forward client messages to daemon (for user input)
-            clientWs.on('message', (data) => {
-                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
-                    daemonWs.send(data.toString());
-                }
-            });
-            clientWs.on('close', () => {
-                console.log(`[ws/logs] Client disconnected for ${agentName}`);
-                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
-                    daemonWs.close();
-                }
-            });
-            clientWs.on('error', (err) => {
-                console.error(`[ws/logs] Client WebSocket error:`, err);
-                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
-                    daemonWs.close();
-                }
-            });
-        }
-        catch (err) {
-            console.error(`[ws/logs] Setup error:`, err);
-            if (clientWs.readyState === WebSocket.OPEN) {
-                clientWs.send(JSON.stringify({ type: 'error', message: 'Failed to connect to workspace' }));
-                clientWs.close();
-            }
-        }
-    });
-    // Handle channel WebSocket connections (proxied to workspace daemon)
-    // This allows cloud users to receive real-time channel messages
-    wssChannels.on('connection', async (clientWs, workspaceId, username) => {
-        console.log(`[ws/channels] Client connected for workspace=${workspaceId} user=${username}`);
-        // Track client for broadcasting channel events
-        if (!channelClientsByWorkspace.has(workspaceId)) {
-            channelClientsByWorkspace.set(workspaceId, new Set());
-        }
-        channelClientsByWorkspace.get(workspaceId).add(clientWs);
-        console.log(`[ws/channels] Now tracking ${channelClientsByWorkspace.get(workspaceId).size} clients for workspace ${workspaceId}`);
-        let daemonWs = null;
-        try {
-            // Find the workspace (needed to verify it exists)
-            const workspace = await db.workspaces.findById(workspaceId);
-            if (!workspace) {
-                clientWs.send(JSON.stringify({ type: 'error', message: 'Workspace not found' }));
-                clientWs.close();
-                return;
-            }
-            // Connect to the workspace's dashboard where the daemon and agents run
-            // IMPORTANT: Must use workspace.publicUrl (not getLocalDashboardUrl) because
-            // agents are connected to the workspace's daemon, so channels must connect there too
-            const dashboardUrl = workspace.publicUrl || await getLocalDashboardUrl();
-            const baseUrl = dashboardUrl.replace(/^http/, 'ws').replace(/\/$/, '');
-            const daemonWsUrl = `${baseUrl}/ws/presence`;
-            console.log(`[ws/channels] Connecting to workspace daemon: ${daemonWsUrl}`);
-            daemonWs = new WebSocket(daemonWsUrl, { perMessageDeflate: false });
-            daemonWs.on('open', () => {
-                console.log(`[ws/channels] Connected to daemon for ${username}`);
-                // Register with the daemon's presence system
-                daemonWs.send(JSON.stringify({
-                    type: 'presence',
-                    action: 'join',
-                    user: { username },
-                }));
-            });
-            daemonWs.on('message', (data) => {
-                // Forward daemon messages to client
-                // Forward channel_message, direct_message, and presence updates for this user
-                try {
-                    const msg = JSON.parse(data.toString());
-                    if (msg.type === 'channel_message') {
-                        // Channel messages are sent to all members - the user's connection
-                        // to the daemon via UserBridge ensures they only receive messages
-                        // for channels they've joined
-                        console.log(`[ws/channels] Forwarding channel message to ${username}: ${msg.from} -> ${msg.channel}`);
-                        clientWs.send(data.toString());
-                    }
-                    // Forward direct messages from agents to this cloud user
-                    if (msg.type === 'direct_message') {
-                        console.log(`[ws/channels] Forwarding direct message to ${username}: ${msg.from}`);
-                        clientWs.send(data.toString());
-                    }
-                    // Also forward presence updates so client stays in sync
-                    if (msg.type === 'presence_join' || msg.type === 'presence_leave' || msg.type === 'presence_list') {
-                        clientWs.send(data.toString());
-                    }
-                }
-                catch {
-                    // Non-JSON message, skip
-                }
-            });
-            daemonWs.on('close', () => {
-                console.log(`[ws/channels] Daemon connection closed for ${username}`);
-                if (clientWs.readyState === WebSocket.OPEN) {
-                    clientWs.close();
-                }
-            });
-            daemonWs.on('error', (err) => {
-                console.error(`[ws/channels] Daemon WebSocket error:`, err);
-                if (clientWs.readyState === WebSocket.OPEN) {
-                    clientWs.send(JSON.stringify({ type: 'error', message: 'Daemon connection error' }));
-                    clientWs.close();
-                }
-            });
-            // Forward client messages to daemon (for sending channel messages)
-            clientWs.on('message', (data) => {
-                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
-                    daemonWs.send(data.toString());
-                }
-            });
-            clientWs.on('close', () => {
-                console.log(`[ws/channels] Client disconnected for ${username}`);
-                // Remove from tracking
-                const clients = channelClientsByWorkspace.get(workspaceId);
-                if (clients) {
-                    clients.delete(clientWs);
-                    if (clients.size === 0) {
-                        channelClientsByWorkspace.delete(workspaceId);
-                    }
-                }
-                // Send leave message to daemon
-                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
-                    daemonWs.send(JSON.stringify({
-                        type: 'presence',
-                        action: 'leave',
-                        username,
-                    }));
-                    daemonWs.close();
-                }
-            });
-            clientWs.on('error', (err) => {
-                console.error(`[ws/channels] Client WebSocket error:`, err);
-                // Remove from tracking
-                const clients = channelClientsByWorkspace.get(workspaceId);
-                if (clients) {
-                    clients.delete(clientWs);
-                    if (clients.size === 0) {
-                        channelClientsByWorkspace.delete(workspaceId);
-                    }
-                }
-                if (daemonWs && daemonWs.readyState === WebSocket.OPEN) {
-                    daemonWs.close();
-                }
-            });
-        }
-        catch (err) {
-            console.error(`[ws/channels] Setup error:`, err);
-            if (clientWs.readyState === WebSocket.OPEN) {
-                clientWs.send(JSON.stringify({ type: 'error', message: 'Failed to connect to workspace' }));
-                clientWs.close();
-            }
-        }
-    });
-    // Handle HTTP upgrade for WebSocket
-    httpServer.on('upgrade', (request, socket, head) => {
-        const pathname = new URL(request.url || '', `http://${request.headers.host}`).pathname;
-        if (pathname === '/ws/presence') {
-            wssPresence.handleUpgrade(request, socket, head, (ws) => {
-                wssPresence.emit('connection', ws, request);
-            });
-        }
-        else if (pathname.startsWith('/ws/logs/')) {
-            // Parse /ws/logs/:workspaceId/:agentName
-            const parts = pathname.split('/').filter(Boolean);
-            if (parts.length >= 4) {
-                const workspaceId = decodeURIComponent(parts[2]);
-                const agentName = decodeURIComponent(parts[3]);
-                wssLogs.handleUpgrade(request, socket, head, (ws) => {
-                    wssLogs.emit('connection', ws, workspaceId, agentName);
-                });
-            }
-            else {
-                socket.destroy();
-            }
-        }
-        else if (pathname.startsWith('/ws/channels/')) {
-            // Parse /ws/channels/:workspaceId/:username
-            const parts = pathname.split('/').filter(Boolean);
-            if (parts.length >= 4) {
-                const workspaceId = decodeURIComponent(parts[2]);
-                const username = decodeURIComponent(parts[3]);
-                wssChannels.handleUpgrade(request, socket, head, (ws) => {
-                    wssChannels.emit('connection', ws, workspaceId, username);
-                });
-            }
-            else {
-                socket.destroy();
-            }
-        }
-        else {
-            // Unknown WebSocket path - destroy socket
-            socket.destroy();
-        }
-    });
-    // Broadcast to all presence clients
-    const broadcastPresence = (message, exclude) => {
-        const payload = JSON.stringify(message);
-        wssPresence.clients.forEach((client) => {
-            if (client !== exclude && client.readyState === WebSocket.OPEN) {
-                client.send(payload);
-            }
-        });
-    };
-    // Get online users list, optionally filtered by workspace
-    const getOnlineUsersList = (workspaceId) => {
-        if (!workspaceId) {
-            // No workspace filter - return all (for backwards compat)
-            return Array.from(onlineUsers.values()).map((state) => state.info);
-        }
-        // Filter to only users in this workspace
-        return Array.from(onlineUsers.values())
-            .filter((state) => state.workspaceIds.has(workspaceId))
-            .map((state) => state.info);
-    };
-    // Heartbeat interval to detect dead connections (30 seconds)
-    const PRESENCE_HEARTBEAT_INTERVAL = 30000;
-    const _PRESENCE_HEARTBEAT_TIMEOUT = 35000; // Allow 5s grace period (reserved for future use)
-    // Track connection health for heartbeat
-    const connectionHealth = new WeakMap();
-    // Heartbeat interval to clean up dead connections
-    const presenceHeartbeat = setInterval(() => {
-        const now = Date.now();
-        wssPresence.clients.forEach((ws) => {
-            const health = connectionHealth.get(ws);
-            if (!health) {
-                // New connection without health tracking - initialize it
-                connectionHealth.set(ws, { isAlive: true, lastPing: now });
-                return;
-            }
-            if (!health.isAlive) {
-                // Connection didn't respond to last ping - terminate it
-                ws.terminate();
-                return;
-            }
-            // Mark as not alive until we get a pong
-            health.isAlive = false;
-            health.lastPing = now;
-            ws.ping();
-        });
-    }, PRESENCE_HEARTBEAT_INTERVAL);
-    // Clean up interval on server close
-    wssPresence.on('close', () => {
-        clearInterval(presenceHeartbeat);
-    });
-    // Track daemon proxy connections for channel message forwarding
-    const daemonProxies = new Map(); // clientWs -> workspaceId -> daemonWs
-    // Set up daemon proxy for channel messages
-    async function setupDaemonChannelProxy(clientWs, workspaceId, username) {
-        // Check if already have a proxy for this workspace
-        const clientProxies = daemonProxies.get(clientWs) || new Map();
-        if (clientProxies.has(workspaceId)) {
-            return; // Already connected
-        }
-        try {
-            const workspace = await db.workspaces.findById(workspaceId);
-            if (!workspace) {
-                console.log(`[cloud] Workspace ${workspaceId} not found`);
-                return;
-            }
-            // Use workspace's public URL where the daemon actually runs
-            // IMPORTANT: Must use workspace.publicUrl (not getLocalDashboardUrl) because
-            // the daemon and userBridge are on the workspace server, not the cloud server
-            const dashboardUrl = workspace.publicUrl || await getLocalDashboardUrl();
-            const daemonWsUrl = dashboardUrl.replace(/^http/, 'ws').replace(/\/$/, '') + '/ws/presence';
-            console.log(`[cloud] Connecting channel proxy to daemon: ${daemonWsUrl} for ${username}`);
-            const daemonWs = new WebSocket(daemonWsUrl, { perMessageDeflate: false });
-            daemonWs.on('open', async () => {
-                console.log(`[cloud] Channel proxy connected for ${username} in workspace ${workspaceId}`);
-                // Send presence join to register with userBridge on dashboard-server
-                // This creates a relay client for the user so they can receive channel messages
-                daemonWs.send(JSON.stringify({
-                    type: 'presence',
-                    action: 'join',
-                    user: { username },
-                }));
-                console.log(`[cloud] Sent presence join for ${username} to register with userBridge`);
-                // Wait briefly for userBridge registration to complete, then subscribe to channels
-                // This ensures the user is registered before we try to join channels via userBridge
-                await new Promise(resolve => setTimeout(resolve, 200));
-                try {
-                    // Get all channels the user is a member of
-                    const memberships = await db.channelMembers.findByMemberId(username);
-                    const userChannels = ['#general']; // Always include #general
-                    // Look up channel details to get the channelId string (like '#foobar')
-                    for (const membership of memberships) {
-                        const channel = await db.channels.findById(membership.channelId);
-                        if (channel && channel.workspaceId === workspaceId) {
-                            // Normalize channel ID with # prefix
-                            const channelIdStr = channel.channelId.startsWith('#')
-                                ? channel.channelId
-                                : `#${channel.channelId}`;
-                            if (!userChannels.includes(channelIdStr)) {
-                                userChannels.push(channelIdStr);
-                            }
-                        }
-                    }
-                    console.log(`[cloud] Subscribing ${username} to ${userChannels.length} channels: ${userChannels.join(', ')}`);
-                    const subscribeRes = await fetch(`${dashboardUrl}/api/channels/subscribe`, {
-                        method: 'POST',
-                        headers: { 'Content-Type': 'application/json' },
-                        body: JSON.stringify({
-                            username,
-                            channels: userChannels,
-                            workspaceId,
-                        }),
-                    });
-                    if (subscribeRes.ok) {
-                        const result = (await subscribeRes.json());
-                        console.log(`[cloud] Subscribed ${username} to channels: ${result.channels?.join(', ')}`);
-                    }
-                    else {
-                        console.warn(`[cloud] Failed to subscribe ${username} to channels: ${subscribeRes.status}`);
-                    }
-                }
-                catch (err) {
-                    console.warn(`[cloud] Error subscribing ${username} to channels:`, err);
-                }
-            });
-            daemonWs.on('message', (data) => {
-                try {
-                    const msg = JSON.parse(data.toString());
-                    // Forward channel messages to this user
-                    // userBridge sends messages directly to registered users (no targetUser filter needed)
-                    // getRelayClient fallback broadcasts with targetUser field
-                    if (msg.type === 'channel_message') {
-                        // Either the message is for this user specifically (targetUser match)
-                        // or it's a direct send from userBridge (no targetUser, meaning it's for us)
-                        if (!msg.targetUser || msg.targetUser === username) {
-                            console.log(`[cloud] Forwarding channel message to ${username}: ${msg.from} -> ${msg.channel}`);
-                            if (clientWs.readyState === WebSocket.OPEN) {
-                                clientWs.send(data.toString());
-                            }
-                        }
-                    }
-                }
-                catch {
-                    // Non-JSON, ignore
-                }
-            });
-            daemonWs.on('close', () => {
-                console.log(`[cloud] Channel proxy closed for ${username} in workspace ${workspaceId}`);
-                clientProxies.delete(workspaceId);
-            });
-            daemonWs.on('error', (err) => {
-                console.error(`[cloud] Channel proxy error for ${username}:`, err);
-                clientProxies.delete(workspaceId);
-            });
-            clientProxies.set(workspaceId, daemonWs);
-            daemonProxies.set(clientWs, clientProxies);
-        }
-        catch (err) {
-            console.error(`[cloud] Failed to setup channel proxy for ${username}:`, err);
-        }
-    }
-    // Clean up daemon proxies for a client
-    function cleanupDaemonProxies(clientWs) {
-        const clientProxies = daemonProxies.get(clientWs);
-        if (clientProxies) {
-            for (const [workspaceId, daemonWs] of clientProxies) {
-                console.log(`[cloud] Cleaning up channel proxy for workspace ${workspaceId}`);
-                if (daemonWs.readyState === WebSocket.OPEN) {
-                    daemonWs.close();
-                }
-            }
-            daemonProxies.delete(clientWs);
-        }
-    }
-    // Handle presence connections
-    wssPresence.on('connection', (ws) => {
-        // Initialize health tracking (no log - too noisy)
-        connectionHealth.set(ws, { isAlive: true, lastPing: Date.now() });
-        // Handle pong responses (heartbeat)
-        ws.on('pong', () => {
-            const health = connectionHealth.get(ws);
-            if (health) {
-                health.isAlive = true;
-            }
-        });
-        let clientUsername;
-        ws.on('message', (data) => {
-            try {
-                const msg = JSON.parse(data.toString());
-                if (msg.type === 'presence') {
-                    if (msg.action === 'join' && msg.user?.username) {
-                        const username = msg.user.username;
-                        const avatarUrl = msg.user.avatarUrl;
-                        if (!isValidUsername(username)) {
-                            console.warn(`[cloud] Invalid username rejected: ${username}`);
-                            return;
-                        }
-                        if (!isValidAvatarUrl(avatarUrl)) {
-                            console.warn(`[cloud] Invalid avatar URL rejected for user ${username}`);
-                            return;
-                        }
-                        clientUsername = username;
-                        const now = new Date().toISOString();
-                        const existing = onlineUsers.get(username);
-                        if (existing) {
-                            existing.connections.add(ws);
-                            existing.info.lastSeen = now;
-                            // Update last seen in shared presence registry
-                            updateUserLastSeen(username);
-                            // Only log at milestones to reduce noise
-                            const count = existing.connections.size;
-                            if (count === 2 || count === 5 || count === 10 || count % 50 === 0) {
-                                console.log(`[cloud] User ${username} has ${count} connections`);
-                            }
-                        }
-                        else {
-                            onlineUsers.set(username, {
-                                info: { username, avatarUrl, connectedAt: now, lastSeen: now },
-                                connections: new Set([ws]),
-                                workspaceIds: new Set(), // Workspace set when subscribe_channels is called
-                            });
-                            // Register with shared presence registry for cross-module access
-                            registerUserPresence({ username, avatarUrl, connectedAt: now, lastSeen: now });
-                            console.log(`[cloud] User ${username} came online`);
-                            // Don't broadcast globally - wait until we know which workspace they're in
-                        }
-                        // Send empty presence list initially - real list sent when workspace is known
-                        ws.send(JSON.stringify({
-                            type: 'presence_list',
-                            users: [],
-                        }));
-                    }
-                    else if (msg.action === 'leave') {
-                        if (!clientUsername || msg.username !== clientUsername)
-                            return;
-                        const userState = onlineUsers.get(clientUsername);
-                        const leavingWorkspace = connectionWorkspace.get(ws);
-                        connectionWorkspace.delete(ws);
-                        if (userState) {
-                            userState.connections.delete(ws);
-                            // Remove workspace from user's set if no more connections to it
-                            if (leavingWorkspace) {
-                                const stillHasWorkspaceConnection = Array.from(userState.connections).some((conn) => connectionWorkspace.get(conn) === leavingWorkspace);
-                                if (!stillHasWorkspaceConnection) {
-                                    userState.workspaceIds.delete(leavingWorkspace);
-                                    // Broadcast leave to users in that workspace
-                                    wssPresence.clients.forEach((client) => {
-                                        if (client.readyState === WebSocket.OPEN && connectionWorkspace.get(client) === leavingWorkspace) {
-                                            client.send(JSON.stringify({ type: 'presence_leave', username: clientUsername }));
-                                        }
-                                    });
-                                }
-                            }
-                            if (userState.connections.size === 0) {
-                                onlineUsers.delete(clientUsername);
-                                // Unregister from shared presence registry
-                                unregisterUserPresence(clientUsername);
-                                console.log(`[cloud] User ${clientUsername} went offline`);
-                            }
-                        }
-                    }
-                }
-                else if (msg.type === 'typing') {
-                    if (!clientUsername || msg.username !== clientUsername)
-                        return;
-                    const userState = onlineUsers.get(clientUsername);
-                    if (userState) {
-                        userState.info.lastSeen = new Date().toISOString();
-                        // Update last seen in shared presence registry
-                        updateUserLastSeen(clientUsername);
-                    }
-                    // Only broadcast typing to users in the same workspace
-                    const typingWorkspace = connectionWorkspace.get(ws);
-                    if (typingWorkspace) {
-                        wssPresence.clients.forEach((client) => {
-                            if (client !== ws && client.readyState === WebSocket.OPEN && connectionWorkspace.get(client) === typingWorkspace) {
-                                client.send(JSON.stringify({
-                                    type: 'typing',
-                                    username: clientUsername,
-                                    avatarUrl: userState?.info.avatarUrl,
-                                    isTyping: msg.isTyping,
-                                }));
-                            }
-                        });
-                    }
-                }
-                else if (msg.type === 'subscribe_channels') {
-                    // Subscribe to channel messages for a specific workspace
-                    if (!clientUsername) {
-                        console.warn(`[cloud] subscribe_channels from unauthenticated client`);
-                        return;
-                    }
-                    if (!msg.workspaceId || typeof msg.workspaceId !== 'string') {
-                        console.warn(`[cloud] subscribe_channels missing workspaceId`);
-                        return;
-                    }
-                    const workspaceId = msg.workspaceId;
-                    console.log(`[cloud] User ${clientUsername} subscribing to channels in workspace ${workspaceId}`);
-                    // Track which workspace this connection is in
-                    connectionWorkspace.set(ws, workspaceId);
-                    // Add workspace to user's workspace set
-                    const userState = onlineUsers.get(clientUsername);
-                    if (userState) {
-                        const isNewToWorkspace = !userState.workspaceIds.has(workspaceId);
-                        userState.workspaceIds.add(workspaceId);
-                        // If user is new to this workspace, broadcast presence_join to others in workspace
-                        if (isNewToWorkspace) {
-                            const { info } = userState;
-                            // Broadcast to all users in this workspace
-                            wssPresence.clients.forEach((client) => {
-                                if (client !== ws && client.readyState === WebSocket.OPEN) {
-                                    const clientWsId = connectionWorkspace.get(client);
-                                    if (clientWsId === workspaceId) {
-                                        client.send(JSON.stringify({
-                                            type: 'presence_join',
-                                            user: info,
-                                        }));
-                                    }
-                                }
-                            });
-                        }
-                        // Send updated presence list filtered by this workspace
-                        ws.send(JSON.stringify({
-                            type: 'presence_list',
-                            users: getOnlineUsersList(workspaceId),
-                        }));
-                    }
-                    setupDaemonChannelProxy(ws, workspaceId, clientUsername).catch((err) => {
-                        console.error(`[cloud] Failed to setup channel subscription:`, err);
-                    });
-                }
-                else if (msg.type === 'channel_message') {
-                    // Proxy channel message to daemon via HTTP API
-                    if (!clientUsername) {
-                        console.warn(`[cloud] channel_message from unauthenticated client`);
-                        return;
-                    }
-                    if (!msg.channel || !msg.body) {
-                        console.warn(`[cloud] channel_message missing channel or body`);
-                        return;
-                    }
-                    // Note: This should be handled by the HTTP API, but support WebSocket too
-                    console.log(`[cloud] Channel message via WebSocket from ${clientUsername} to ${msg.channel}`);
-                    // The HTTP proxy will handle actual sending - just log for now
-                }
-            }
-            catch (err) {
-                console.error('[cloud] Invalid presence message:', err);
-            }
-        });
-        ws.on('close', () => {
-            // Clean up daemon proxies
-            cleanupDaemonProxies(ws);
-            const closingWorkspace = connectionWorkspace.get(ws);
-            connectionWorkspace.delete(ws);
-            if (clientUsername) {
-                const userState = onlineUsers.get(clientUsername);
-                if (userState) {
-                    userState.connections.delete(ws);
-                    // Remove workspace from user's set if no more connections to it
-                    if (closingWorkspace) {
-                        const stillHasWorkspaceConnection = Array.from(userState.connections).some((conn) => connectionWorkspace.get(conn) === closingWorkspace);
-                        if (!stillHasWorkspaceConnection) {
-                            userState.workspaceIds.delete(closingWorkspace);
-                            // Broadcast leave to users in that workspace
-                            wssPresence.clients.forEach((client) => {
-                                if (client.readyState === WebSocket.OPEN && connectionWorkspace.get(client) === closingWorkspace) {
-                                    client.send(JSON.stringify({ type: 'presence_leave', username: clientUsername }));
-                                }
-                            });
-                        }
-                    }
-                    if (userState.connections.size === 0) {
-                        onlineUsers.delete(clientUsername);
-                        // Unregister from shared presence registry
-                        unregisterUserPresence(clientUsername);
-                        console.log(`[cloud] User ${clientUsername} disconnected`);
-                    }
-                }
-            }
-        });
-        ws.on('error', (err) => {
-            console.error('[cloud] Presence WebSocket error:', err);
-        });
-    });
-    wssPresence.on('error', (err) => {
-        console.error('[cloud] Presence WebSocket server error:', err);
-    });
-    // Subscribe to cloud message bus for delivering messages to cloud users
-    cloudMessageBus.on('user-message', ({ username, message }) => {
-        const userState = onlineUsers.get(username);
-        if (!userState) {
-            console.warn(`[cloud] Cannot deliver message to ${username}: user not online`);
-            return;
-        }
-        // Deliver to all of the user's WebSocket connections
-        const payload = JSON.stringify({
-            type: 'direct_message',
-            from: message.from.agent,
-            body: message.body,
-            timestamp: message.timestamp,
-            metadata: {
-                ...message.metadata,
-                daemonId: message.from.daemonId,
-                daemonName: message.from.daemonName,
-            },
-        });
-        let delivered = 0;
-        userState.connections.forEach((ws) => {
-            if (ws.readyState === WebSocket.OPEN) {
-                ws.send(payload);
-                delivered++;
-            }
-        });
-        console.log(`[cloud] Delivered message to ${username} (${delivered} connections)`);
-    });
-    return {
-        app,
-        async start() {
-            // Run database migrations before accepting connections
-            console.log('[cloud] Running database migrations...');
-            await runMigrations();
-            // Initialize scaling orchestrator for auto-scaling
-            if (process.env.RELAY_CLOUD_ENABLED === 'true') {
-                try {
-                    scalingOrchestrator = getScalingOrchestrator();
-                    await scalingOrchestrator.initialize(config.redisUrl);
-                    console.log('[cloud] Scaling orchestrator initialized');
-                    // Log scaling events
-                    scalingOrchestrator.on('scaling_started', (op) => {
-                        console.log(`[scaling] Started: ${op.action} for user ${op.userId}`);
-                    });
-                    scalingOrchestrator.on('scaling_completed', (op) => {
-                        console.log(`[scaling] Completed: ${op.action} for user ${op.userId}`);
-                    });
-                    scalingOrchestrator.on('scaling_error', ({ operation, error }) => {
-                        console.error(`[scaling] Error: ${operation.action} for ${operation.userId}:`, error);
-                    });
-                    scalingOrchestrator.on('workspace_provisioned', (data) => {
-                        console.log(`[scaling] Provisioned workspace ${data.workspaceId} for user ${data.userId}`);
-                    });
-                }
-                catch (error) {
-                    console.warn('[cloud] Failed to initialize scaling orchestrator:', error);
-                    // Non-fatal - server can run without auto-scaling
-                }
-                // Start compute enforcement service (checks every 15 min)
-                try {
-                    computeEnforcement = getComputeEnforcementService();
-                    computeEnforcement.start();
-                    console.log('[cloud] Compute enforcement service started');
-                }
-                catch (error) {
-                    console.warn('[cloud] Failed to start compute enforcement:', error);
-                }
-                // Start intro expiration service (checks every hour for expired intro periods)
-                try {
-                    introExpiration = getIntroExpirationService();
-                    introExpiration.start();
-                    console.log('[cloud] Intro expiration service started');
-                }
-                catch (error) {
-                    console.warn('[cloud] Failed to start intro expiration:', error);
-                }
-                // Start workspace keepalive service (pings workspaces with active agents)
-                // This prevents Fly.io from idling machines that have running Claude agents
-                try {
-                    workspaceKeepalive = getWorkspaceKeepaliveService();
-                    workspaceKeepalive.start();
-                    console.log('[cloud] Workspace keepalive service started');
-                }
-                catch (error) {
-                    console.warn('[cloud] Failed to start workspace keepalive:', error);
-                }
-            }
-            // Start daemon stale check (mark daemons offline if no heartbeat for 2+ minutes)
-            // Runs every 60 seconds regardless of RELAY_CLOUD_ENABLED
-            daemonStaleCheckInterval = setInterval(async () => {
-                try {
-                    const count = await db.linkedDaemons.markStale();
-                    if (count > 0) {
-                        console.log(`[cloud] Marked ${count} daemon(s) as offline (stale)`);
-                    }
-                }
-                catch (error) {
-                    console.error('[cloud] Failed to mark stale daemons:', error);
-                }
-            }, 60_000); // Every 60 seconds
-            console.log('[cloud] Daemon stale check started (60s interval)');
-            return new Promise((resolve) => {
-                server = httpServer.listen(config.port, () => {
-                    console.log(`Agent Relay Cloud running on port ${config.port}`);
-                    console.log(`Public URL: ${config.publicUrl}`);
-                    console.log(`WebSocket: ws://localhost:${config.port}/ws/presence`);
-                    resolve();
-                });
-            });
-        },
-        async stop() {
-            // Shutdown scaling orchestrator
-            if (scalingOrchestrator) {
-                await scalingOrchestrator.shutdown();
-            }
-            // Stop compute enforcement service
-            if (computeEnforcement) {
-                computeEnforcement.stop();
-            }
-            // Stop intro expiration service
-            if (introExpiration) {
-                introExpiration.stop();
-            }
-            // Stop workspace keepalive service
-            if (workspaceKeepalive) {
-                workspaceKeepalive.stop();
-            }
-            // Stop daemon stale check
-            if (daemonStaleCheckInterval) {
-                clearInterval(daemonStaleCheckInterval);
-                daemonStaleCheckInterval = null;
-            }
-            // Close WebSocket server
-            wssPresence.close();
-            if (server) {
-                await new Promise((resolve) => server.close(() => resolve()));
-            }
-            // Only quit Redis if client is still open
-            if (redisClient.isOpen) {
-                await redisClient.quit();
-            }
-        },
-    };
-}
-//# sourceMappingURL=server.js.map