codex-blocker 0.1.1 → 0.1.3

package/dist/chunk-ZDUKZXM4.js

@@ -0,0 +1,1140 @@
+// src/server.ts
+import { createServer } from "http";
+import { WebSocketServer, WebSocket } from "ws";
+
+// src/types.ts
+var DEFAULT_PORT = 8765;
+var SESSION_TIMEOUT_MS = 5 * 60 * 1e3;
+var CODEX_SESSIONS_SCAN_INTERVAL_MS = 2e3;
+var MOBILE_PAIRING_TTL_MS = 2 * 60 * 1e3;
+var MOBILE_QR_PAIRING_TTL_MS = 60 * 1e3;
+
+// src/state.ts
+var SessionState = class {
+  sessions = /* @__PURE__ */ new Map();
+  listeners = /* @__PURE__ */ new Set();
+  cleanupInterval = null;
+  constructor() {
+    this.cleanupInterval = setInterval(() => {
+      this.cleanupStaleSessions();
+    }, 3e4);
+  }
+  subscribe(callback) {
+    this.listeners.add(callback);
+    callback(this.getStateMessage());
+    return () => this.listeners.delete(callback);
+  }
+  broadcast() {
+    const message = this.getStateMessage();
+    for (const listener of this.listeners) {
+      listener(message);
+    }
+  }
+  getStateMessage() {
+    const sessions = Array.from(this.sessions.values());
+    const working = sessions.filter((s) => s.status === "working").length;
+    const waitingForInput = sessions.filter(
+      (s) => s.status === "waiting_for_input"
+    ).length;
+    return {
+      type: "state",
+      blocked: waitingForInput > 0 || working === 0,
+      sessions: sessions.length,
+      working,
+      waitingForInput
+    };
+  }
+  handleCodexActivity(activity) {
+    this.ensureSession(activity.sessionId, activity.cwd);
+    const session = this.sessions.get(activity.sessionId);
+    const statusChanged = session.status !== "working";
+    session.status = "working";
+    session.waitingForInputSince = void 0;
+    session.lastActivity = /* @__PURE__ */ new Date();
+    session.lastSeen = /* @__PURE__ */ new Date();
+    session.idleTimeoutMs = activity.idleTimeoutMs;
+    if (statusChanged) {
+      this.broadcast();
+    }
+  }
+  setCodexIdle(sessionId, cwd) {
+    this.ensureSession(sessionId, cwd);
+    const session = this.sessions.get(sessionId);
+    if (session.status !== "idle") {
+      session.status = "idle";
+      session.waitingForInputSince = void 0;
+      session.lastActivity = /* @__PURE__ */ new Date();
+      this.broadcast();
+    }
+  }
+  setWaitingForInput(sessionId, cwd) {
+    this.ensureSession(sessionId, cwd);
+    const session = this.sessions.get(sessionId);
+    const statusChanged = session.status !== "waiting_for_input";
+    session.status = "waiting_for_input";
+    session.waitingForInputSince ??= /* @__PURE__ */ new Date();
+    session.lastActivity = /* @__PURE__ */ new Date();
+    session.lastSeen = /* @__PURE__ */ new Date();
+    if (statusChanged) {
+      this.broadcast();
+    }
+  }
+  markCodexSessionSeen(sessionId, cwd) {
+    const created = this.ensureSession(sessionId, cwd);
+    const session = this.sessions.get(sessionId);
+    session.lastSeen = /* @__PURE__ */ new Date();
+    if (created) {
+      this.broadcast();
+    }
+  }
+  removeSession(sessionId) {
+    if (this.sessions.delete(sessionId)) {
+      this.broadcast();
+    }
+  }
+  ensureSession(sessionId, cwd) {
+    if (!this.sessions.has(sessionId)) {
+      this.sessions.set(sessionId, {
+        id: sessionId,
+        status: "idle",
+        lastActivity: /* @__PURE__ */ new Date(),
+        lastSeen: /* @__PURE__ */ new Date(),
+        cwd
+      });
+      console.log("Codex session connected");
+      return true;
+    } else if (cwd) {
+      const session = this.sessions.get(sessionId);
+      session.cwd = cwd;
+    }
+    return false;
+  }
+  cleanupStaleSessions() {
+    const now = Date.now();
+    let removed = 0;
+    let changed = 0;
+    for (const [id, session] of this.sessions) {
+      if (now - session.lastSeen.getTime() > SESSION_TIMEOUT_MS) {
+        this.sessions.delete(id);
+        removed++;
+        continue;
+      }
+      if (session.status === "working" && session.idleTimeoutMs && now - session.lastActivity.getTime() > session.idleTimeoutMs) {
+        session.status = "idle";
+        session.waitingForInputSince = void 0;
+        changed++;
+      }
+    }
+    if (removed > 0 || changed > 0) {
+      this.broadcast();
+    }
+  }
+  getStatus() {
+    const sessions = Array.from(this.sessions.values());
+    const working = sessions.filter((s) => s.status === "working").length;
+    const waitingForInput = sessions.filter(
+      (s) => s.status === "waiting_for_input"
+    ).length;
+    return {
+      blocked: waitingForInput > 0 || working === 0,
+      sessions: sessions.length,
+      working,
+      waitingForInput
+    };
+  }
+  destroy() {
+    if (this.cleanupInterval) {
+      clearInterval(this.cleanupInterval);
+    }
+    this.sessions.clear();
+    this.listeners.clear();
+  }
+};
+var state = new SessionState();
+
+// src/codex.ts
+import { existsSync, createReadStream, promises as fs } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+
+// src/codex-parse.ts
+import { basename, dirname } from "path";
+function isRolloutFile(filePath) {
+  const name = basename(filePath);
+  return name === "rollout.jsonl" || /^rollout-.+\.jsonl$/.test(name);
+}
+function sessionIdFromPath(filePath) {
+  const name = basename(filePath);
+  const match = name.match(/^rollout-(.+)\.jsonl$/);
+  if (match) return match[1];
+  if (name === "rollout.jsonl") {
+    const parent = basename(dirname(filePath));
+    if (parent !== "sessions") return parent;
+  }
+  return filePath;
+}
+function findFirstStringValue(obj, keys, maxDepth = 6) {
+  if (!obj || typeof obj !== "object") return void 0;
+  const queue = [{ value: obj, depth: 0 }];
+  while (queue.length) {
+    const current = queue.shift();
+    if (!current) break;
+    const { value, depth } = current;
+    if (!value || typeof value !== "object") continue;
+    const record = value;
+    for (const key of keys) {
+      const candidate = record[key];
+      if (typeof candidate === "string" && candidate.length > 0) {
+        return candidate;
+      }
+    }
+    if (depth >= maxDepth) continue;
+    for (const child of Object.values(record)) {
+      if (child && typeof child === "object") {
+        queue.push({ value: child, depth: depth + 1 });
+      }
+    }
+  }
+  return void 0;
+}
+function parseCodexLine(line, sessionId) {
+  let currentSessionId = sessionId;
+  let previousSessionId;
+  let cwd;
+  let markWorking = false;
+  let markActivity = false;
+  let markWaitingForInput = false;
+  let markIdle = false;
+  let markLegacyIdleCandidate = false;
+  let assistantMessagePhase;
+  try {
+    const payload = JSON.parse(line);
+    const entryType = typeof payload.type === "string" ? payload.type : void 0;
+    const innerPayload = payload.payload;
+    const innerType = innerPayload && typeof innerPayload === "object" ? innerPayload.type : void 0;
+    if (entryType === "session_meta") {
+      const metaId = innerPayload && typeof innerPayload === "object" ? innerPayload.id : void 0;
+      if (typeof metaId === "string" && metaId.length > 0 && metaId !== currentSessionId) {
+        previousSessionId = currentSessionId;
+        currentSessionId = metaId;
+      }
+    }
+    cwd = findFirstStringValue(innerPayload, ["cwd"]) ?? findFirstStringValue(payload, ["cwd"]);
+    const innerTypeString = typeof innerType === "string" ? innerType : void 0;
+    if (entryType === "event_msg" && innerTypeString === "user_message") {
+      markWorking = true;
+    }
+    if (entryType === "event_msg" && innerTypeString === "agent_message") {
+      markLegacyIdleCandidate = true;
+    }
+    if (entryType === "event_msg" && innerTypeString === "agent_reasoning") {
+      markActivity = true;
+    }
+    if (entryType === "event_msg" && innerTypeString === "item_completed") {
+      markIdle = true;
+    }
+    if (entryType === "response_item" && innerTypeString === "message") {
+      const role = innerPayload && typeof innerPayload === "object" ? innerPayload.role : void 0;
+      if (role === "user") {
+        const messageText = extractMessageText(innerPayload);
+        if (!messageText || !messageText.trim().startsWith("<environment_context>")) {
+          markWorking = true;
+        }
+      }
+      if (role === "assistant" && innerPayload && typeof innerPayload === "object") {
+        const phase = innerPayload.phase;
+        if (typeof phase === "string" && phase.length > 0) {
+          assistantMessagePhase = phase;
+          if (phase === "final_answer") {
+            markIdle = true;
+          } else if (phase === "commentary") {
+            markActivity = true;
+          }
+        }
+      }
+    }
+    if (entryType === "response_item" && innerTypeString === "function_call") {
+      const callName = innerPayload && typeof innerPayload === "object" ? innerPayload.name : void 0;
+      if (callName === "request_user_input") {
+        markWaitingForInput = true;
+      } else {
+        markActivity = true;
+      }
+    }
+    if (entryType === "response_item" && (innerTypeString === "reasoning" || innerTypeString === "function_call_output" || innerTypeString === "custom_tool_call" || innerTypeString === "custom_tool_call_output")) {
+      markActivity = true;
+    }
+  } catch {
+  }
+  return {
+    sessionId: currentSessionId,
+    previousSessionId,
+    cwd,
+    markWorking,
+    markActivity,
+    markWaitingForInput,
+    markIdle,
+    markLegacyIdleCandidate,
+    assistantMessagePhase
+  };
+}
+function extractMessageText(payload) {
+  if (!payload || typeof payload !== "object") return void 0;
+  const record = payload;
+  const content = record.content;
+  if (typeof content === "string") return content;
+  if (!Array.isArray(content)) return void 0;
+  const parts = [];
+  for (const item of content) {
+    if (!item || typeof item !== "object") continue;
+    const text = item.text;
+    if (typeof text === "string") parts.push(text);
+  }
+  return parts.length > 0 ? parts.join("\n") : void 0;
+}
+
+// src/codex.ts
+var DEFAULT_CODEX_HOME = join(homedir(), ".codex");
+var LEGACY_AGENT_MESSAGE_IDLE_GRACE_MS = 4e3;
+async function listRolloutFiles(root) {
+  const files = [];
+  const entries = await fs.readdir(root, { withFileTypes: true });
+  for (const entry of entries) {
+    const fullPath = join(root, entry.name);
+    if (entry.isDirectory()) {
+      files.push(...await listRolloutFiles(fullPath));
+    } else if (entry.isFile() && isRolloutFile(fullPath)) {
+      files.push(fullPath);
+    }
+  }
+  return files;
+}
+async function readNewLines(filePath, fileState) {
+  const stat = await fs.stat(filePath);
+  if (stat.size < fileState.position) {
+    fileState.position = 0;
+    fileState.remainder = "";
+  }
+  if (stat.size === fileState.position) return [];
+  const start = fileState.position;
+  const end = Math.max(stat.size - 1, start);
+  const chunks = [];
+  await new Promise((resolve, reject) => {
+    const stream = createReadStream(filePath, { start, end });
+    stream.on("data", (chunk) => chunks.push(Buffer.from(chunk)));
+    stream.on("error", reject);
+    stream.on("end", resolve);
+  });
+  fileState.position = stat.size;
+  const content = fileState.remainder + Buffer.concat(chunks).toString("utf-8");
+  const lines = content.split("\n");
+  fileState.remainder = content.endsWith("\n") ? "" : lines.pop() ?? "";
+  return lines.filter((line) => line.trim().length > 0);
+}
+var CodexSessionWatcher = class {
+  fileStates = /* @__PURE__ */ new Map();
+  scanTimer = null;
+  warnedMissing = false;
+  sessionsDir;
+  state;
+  constructor(state2, options) {
+    this.state = state2;
+    const base = process.env.CODEX_HOME ?? DEFAULT_CODEX_HOME;
+    this.sessionsDir = options?.sessionsDir ?? join(base, "sessions");
+  }
+  start() {
+    this.scan();
+    this.scanTimer = setInterval(() => {
+      this.scan();
+    }, CODEX_SESSIONS_SCAN_INTERVAL_MS);
+  }
+  stop() {
+    if (this.scanTimer) {
+      clearInterval(this.scanTimer);
+      this.scanTimer = null;
+    }
+  }
+  async scan() {
+    if (!existsSync(this.sessionsDir)) {
+      if (!this.warnedMissing) {
+        console.log(`Waiting for Codex sessions at ${this.sessionsDir}`);
+        this.warnedMissing = true;
+      }
+      return;
+    }
+    this.warnedMissing = false;
+    let files = [];
+    try {
+      files = await listRolloutFiles(this.sessionsDir);
+    } catch {
+      return;
+    }
+    for (const filePath of files) {
+      const fileState = this.fileStates.get(filePath) ?? {
+        position: 0,
+        remainder: "",
+        sessionId: sessionIdFromPath(filePath),
+        hasAssistantPhaseSignals: false
+      };
+      if (!this.fileStates.has(filePath)) {
+        this.fileStates.set(filePath, fileState);
+        try {
+          const stat = await fs.stat(filePath);
+          fileState.position = stat.size;
+        } catch {
+          continue;
+        }
+        continue;
+      }
+      let newLines = [];
+      try {
+        newLines = await readNewLines(filePath, fileState);
+      } catch {
+        continue;
+      }
+      if (newLines.length === 0) {
+        this.maybeFlushLegacyIdle(fileState);
+        continue;
+      }
+      for (const line of newLines) {
+        const parsed = parseCodexLine(line, fileState.sessionId);
+        fileState.sessionId = parsed.sessionId;
+        if (parsed.previousSessionId) {
+          this.state.removeSession(parsed.previousSessionId);
+          fileState.hasAssistantPhaseSignals = false;
+          fileState.pendingLegacyIdleAt = void 0;
+        }
+        if (parsed.assistantMessagePhase) {
+          fileState.hasAssistantPhaseSignals = true;
+          fileState.pendingLegacyIdleAt = void 0;
+        }
+        this.state.markCodexSessionSeen(parsed.sessionId, parsed.cwd);
+        if (parsed.markWorking || parsed.markActivity) {
+          fileState.pendingLegacyIdleAt = void 0;
+          this.state.handleCodexActivity({
+            sessionId: parsed.sessionId,
+            cwd: parsed.cwd
+          });
+        }
+        if (parsed.markWaitingForInput) {
+          fileState.pendingLegacyIdleAt = void 0;
+          this.state.setWaitingForInput(parsed.sessionId, parsed.cwd);
+        }
+        if (parsed.markIdle) {
+          fileState.pendingLegacyIdleAt = void 0;
+          this.state.setCodexIdle(parsed.sessionId, parsed.cwd);
+        }
+        if (parsed.markLegacyIdleCandidate && !fileState.hasAssistantPhaseSignals) {
+          fileState.pendingLegacyIdleAt ??= Date.now();
+        }
+      }
+      this.maybeFlushLegacyIdle(fileState);
+    }
+  }
+  maybeFlushLegacyIdle(fileState) {
+    if (!fileState.pendingLegacyIdleAt) return;
+    if (Date.now() - fileState.pendingLegacyIdleAt < LEGACY_AGENT_MESSAGE_IDLE_GRACE_MS) {
+      return;
+    }
+    this.state.setCodexIdle(fileState.sessionId);
+    fileState.pendingLegacyIdleAt = void 0;
+  }
+};
+
+// src/mobile.ts
+import { randomBytes, randomInt } from "crypto";
+var ExtensionPairingManager = class {
+  constructor(now = () => Date.now()) {
+    this.now = now;
+  }
+  pairing = null;
+  startPairing(regenerateCode = false) {
+    this.expireIfNeeded();
+    if (this.pairing && !regenerateCode) {
+      return { ...this.pairing };
+    }
+    const next = {
+      code: randomInt(0, 1e6).toString().padStart(6, "0"),
+      expiresAt: this.now() + MOBILE_PAIRING_TTL_MS
+    };
+    this.pairing = next;
+    return { ...next };
+  }
+  getStatus() {
+    this.expireIfNeeded();
+    return {
+      active: this.pairing !== null,
+      expiresAt: this.pairing?.expiresAt ?? null
+    };
+  }
+  confirmPairingCode(code) {
+    this.expireIfNeeded();
+    if (!this.pairing) return false;
+    if (code.trim() !== this.pairing.code) return false;
+    this.pairing = null;
+    return true;
+  }
+  expireIfNeeded() {
+    if (!this.pairing) return;
+    if (this.now() >= this.pairing.expiresAt) {
+      this.pairing = null;
+    }
+  }
+};
+var MobileQrPairingManager = class {
+  constructor(now = () => Date.now()) {
+    this.now = now;
+  }
+  pairing = null;
+  startPairing(refreshQr = false) {
+    this.expireIfNeeded();
+    if (this.pairing && !refreshQr) {
+      return { ...this.pairing };
+    }
+    if (this.pairing && refreshQr) {
+      const nextQrExpiry = this.now() + MOBILE_QR_PAIRING_TTL_MS;
+      const refreshed = {
+        ...this.pairing,
+        qrNonce: randomBytes(16).toString("hex"),
+        qrExpiresAt: Math.max(nextQrExpiry, this.pairing.qrExpiresAt + 1)
+      };
+      this.pairing = refreshed;
+      return { ...refreshed };
+    }
+    const next = {
+      expiresAt: this.now() + MOBILE_PAIRING_TTL_MS,
+      qrNonce: randomBytes(16).toString("hex"),
+      qrExpiresAt: this.now() + MOBILE_QR_PAIRING_TTL_MS
+    };
+    this.pairing = next;
+    return { ...next };
+  }
+  getStatus() {
+    this.expireIfNeeded();
+    return {
+      active: this.pairing !== null,
+      expiresAt: this.pairing?.expiresAt ?? null
+    };
+  }
+  confirmPairingQrNonce(qrNonce) {
+    this.expireIfNeeded();
+    if (!this.pairing) return false;
+    if (this.now() >= this.pairing.qrExpiresAt) return false;
+    if (qrNonce.trim() !== this.pairing.qrNonce) return false;
+    this.pairing = null;
+    return true;
+  }
+  expireIfNeeded() {
+    if (!this.pairing) return;
+    if (this.now() >= this.pairing.expiresAt) {
+      this.pairing = null;
+    }
+  }
+};
+function createServerInstanceId() {
+  return randomBytes(8).toString("hex");
+}
+
+// src/mdns.ts
+import { Bonjour } from "bonjour-service";
+function publishMobileService({
+  name,
+  type,
+  port,
+  instanceId
+}) {
+  const bonjour = new Bonjour();
+  const service = bonjour.publish({
+    name,
+    type,
+    port,
+    txt: {
+      instanceId,
+      version: "1"
+    }
+  });
+  return {
+    stop: () => new Promise((resolve) => {
+      const maybeService = service;
+      if (!maybeService || typeof maybeService.stop !== "function") {
+        bonjour.destroy();
+        resolve();
+        return;
+      }
+      maybeService.stop(() => {
+        bonjour.destroy();
+        resolve();
+      });
+    })
+  };
+}
+
+// src/auth-token.ts
+import { randomBytes as randomBytes2 } from "crypto";
+import { homedir as homedir2 } from "os";
+import { dirname as dirname2, join as join2 } from "path";
+var DEFAULT_TOKEN_DIR = join2(homedir2(), ".codex-blocker");
+var DEFAULT_TOKEN_PATH = join2(DEFAULT_TOKEN_DIR, "token");
+function createAuthToken() {
+  return randomBytes2(32).toString("hex");
+}
+
+// src/pairing-qr.ts
+import QRCode from "qrcode";
+var PAIRING_QR_FORMAT = "cbm-v1";
+var PAIRING_QR_PREFIX = "CBM1";
+function encodePairingQrPayload(input) {
+  const host = encodeURIComponent(input.host);
+  const instanceId = encodeURIComponent(input.instanceId);
+  const qrNonce = encodeURIComponent(input.qrNonce);
+  return `${PAIRING_QR_PREFIX};h=${host};p=${input.port};i=${instanceId};n=${qrNonce};e=${input.expiresAt}`;
+}
+async function renderPairingQr(payload) {
+  return QRCode.toString(payload, { type: "terminal", small: true });
+}
+
+// src/server.ts
+var RATE_WINDOW_MS = 6e4;
+var RATE_LIMIT = 60;
+var MAX_WS_CONNECTIONS_PER_IP = 3;
+var MOBILE_SERVICE_TYPE = "codex-blocker";
+var PAIR_CONFIRM_WINDOW_MS = 6e4;
+var PAIR_CONFIRM_MAX_FAILURES = 6;
+var PAIR_CONFIRM_LOCKOUT_MS = 2 * 6e4;
+var WS_TOKEN_PROTOCOL_PREFIX = "codex-blocker-token.";
+var INVALID_JSON_SENTINEL = /* @__PURE__ */ Symbol("invalid-json");
+var rateByIp = /* @__PURE__ */ new Map();
+var wsConnectionsByIp = /* @__PURE__ */ new Map();
+var extensionPairConfirmByIp = /* @__PURE__ */ new Map();
+var mobilePairConfirmByIp = /* @__PURE__ */ new Map();
+var CHROME_EXTENSION_ID_PATTERN = /^[a-p]{32}$/;
+function isTrustedChromeExtensionOrigin(origin) {
+  if (!origin) return false;
+  try {
+    const parsed = new URL(origin);
+    return parsed.protocol === "chrome-extension:" && CHROME_EXTENSION_ID_PATTERN.test(parsed.hostname);
+  } catch {
+    return false;
+  }
+}
+function canBootstrapExtensionToken(providedToken, allowExtensionOrigin) {
+  return Boolean(providedToken && allowExtensionOrigin);
+}
+function isLoopbackClientIp(clientIp) {
+  if (!clientIp) return false;
+  const normalized = clientIp.startsWith("::ffff:") ? clientIp.slice(7) : clientIp;
+  return normalized === "127.0.0.1" || normalized === "::1";
+}
+function getClientIp(req) {
+  return req.socket.remoteAddress ?? "unknown";
+}
+function checkRateLimit(ip) {
+  const now = Date.now();
+  const state2 = rateByIp.get(ip);
+  if (!state2 || state2.resetAt <= now) {
+    rateByIp.set(ip, { count: 1, resetAt: now + RATE_WINDOW_MS });
+    return true;
+  }
+  if (state2.count >= RATE_LIMIT) return false;
+  state2.count += 1;
+  return true;
+}
+function getPairConfirmState(lockoutStore, ip) {
+  const now = Date.now();
+  const current = lockoutStore.get(ip);
+  if (!current || current.resetAt <= now) {
+    const next = {
+      failures: 0,
+      resetAt: now + PAIR_CONFIRM_WINDOW_MS,
+      lockoutUntil: 0
+    };
+    lockoutStore.set(ip, next);
+    return next;
+  }
+  return current;
+}
+function canAttemptPairConfirm(lockoutStore, ip) {
+  const state2 = getPairConfirmState(lockoutStore, ip);
+  return state2.lockoutUntil <= Date.now();
+}
+function getPairConfirmRetryAfterMs(lockoutStore, ip) {
+  const state2 = getPairConfirmState(lockoutStore, ip);
+  const remaining = state2.lockoutUntil - Date.now();
+  return remaining > 0 ? remaining : 0;
+}
+function recordPairConfirmFailure(lockoutStore, ip) {
+  const state2 = getPairConfirmState(lockoutStore, ip);
+  state2.failures += 1;
+  if (state2.failures >= PAIR_CONFIRM_MAX_FAILURES) {
+    state2.failures = 0;
+    state2.lockoutUntil = Date.now() + PAIR_CONFIRM_LOCKOUT_MS;
+  }
+}
+function clearPairConfirmFailures(lockoutStore, ip) {
+  lockoutStore.delete(ip);
+}
+function readAuthToken(req, url) {
+  const header = req.headers.authorization;
+  if (header && header.startsWith("Bearer ")) {
+    return header.slice("Bearer ".length).trim();
+  }
+  const query = url.searchParams.get("token");
+  if (query) return query;
+  const alt = req.headers["x-codex-blocker-token"];
+  if (typeof alt === "string" && alt.length > 0) return alt;
+  return null;
+}
+function parseWebSocketProtocols(protocolsHeader) {
+  const raw = Array.isArray(protocolsHeader) ? protocolsHeader.join(",") : protocolsHeader ?? "";
+  return raw.split(",").map((value) => value.trim()).filter((value) => value.length > 0);
+}
+function readTokenFromWebSocketProtocols(protocolsHeader) {
+  const protocols = parseWebSocketProtocols(protocolsHeader);
+  for (const protocol of protocols) {
+    if (protocol.startsWith(WS_TOKEN_PROTOCOL_PREFIX)) {
+      const token = protocol.slice(WS_TOKEN_PROTOCOL_PREFIX.length).trim();
+      if (token.length > 0) return token;
+    }
+  }
+  return null;
+}
+function readWebSocketAuthToken(req, url) {
+  const protocolToken = readTokenFromWebSocketProtocols(
+    req.headers["sec-websocket-protocol"]
+  );
+  if (protocolToken) return protocolToken;
+  return readAuthToken(req, url);
+}
+function decrementWsConnectionCount(clientIp) {
+  const next = (wsConnectionsByIp.get(clientIp) ?? 1) - 1;
+  if (next <= 0) {
+    wsConnectionsByIp.delete(clientIp);
+    return;
+  }
+  wsConnectionsByIp.set(clientIp, next);
+}
+function sendJson(res, data, status = 200) {
+  res.writeHead(status, { "Content-Type": "application/json" });
+  res.end(JSON.stringify(data));
+}
+function normalizeListenHost(bindHost) {
+  if (bindHost === "0.0.0.0") {
+    return "127.0.0.1";
+  }
+  return bindHost;
+}
+async function readJsonBody(req, maxBytes = 8192) {
+  const chunks = [];
+  let totalBytes = 0;
+  for await (const chunk of req) {
+    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    totalBytes += buffer.byteLength;
+    if (totalBytes > maxBytes) {
+      return INVALID_JSON_SENTINEL;
+    }
+    chunks.push(buffer);
+  }
+  if (chunks.length === 0) {
+    return {};
+  }
+  try {
+    const parsed = JSON.parse(Buffer.concat(chunks).toString("utf-8"));
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      return INVALID_JSON_SENTINEL;
+    }
+    return parsed;
+  } catch {
+    return INVALID_JSON_SENTINEL;
+  }
+}
+function getResponseHost(req, bindHost, port) {
+  if (req.headers.host) {
+    return req.headers.host;
+  }
+  return `${normalizeListenHost(bindHost)}:${port}`;
+}
+function splitHostAndPort(rawHost, fallbackPort) {
+  try {
+    const parsed = new URL(`http://${rawHost}`);
+    const parsedPort = parsed.port ? Number.parseInt(parsed.port, 10) : fallbackPort;
+    return {
+      host: parsed.hostname,
+      port: Number.isInteger(parsedPort) && parsedPort > 0 && parsedPort < 65536 ? parsedPort : fallbackPort
+    };
+  } catch {
+    return { host: rawHost, port: fallbackPort };
+  }
+}
+function startServer(port = DEFAULT_PORT, options) {
+  const stateInstance = options?.state ?? state;
+  const startWatcher = options?.startWatcher ?? true;
+  const logBanner = options?.log ?? true;
+  const mobileEnabled = options?.mobile ?? true;
+  const bindHost = options?.bindHost ?? (mobileEnabled ? "0.0.0.0" : "127.0.0.1");
+  const mobileServiceName = options?.mobileServiceName ?? "Codex Blocker";
+  const publishMdns = options?.publishMdns ?? mobileEnabled;
+  const mobileQrOutput = options?.mobileQrOutput ?? true;
+  const autoStartMobilePairing = options?.autoStartMobilePairing ?? true;
+  const mobileInstanceId = createServerInstanceId();
+  let authToken = null;
+  let activePort = port;
+  let mdnsService = null;
+  const extensionPairing = mobileEnabled ? options?.extensionPairingManager ?? new ExtensionPairingManager() : null;
+  const mobileQrPairing = mobileEnabled ? options?.mobileQrPairingManager ?? new MobileQrPairingManager() : null;
+  const printExtensionPairingCode = (code) => {
+    if (!logBanner) return;
+    console.log(
+      `
+[Codex Blocker] Extension pairing code (6-digit, extension only): ${code} (expires in 2 minutes)
+`
+    );
+  };
+  const printPairingQr = (host, portToUse, qrNonce, qrExpiresAt) => {
+    if (!logBanner || !mobileQrOutput) return;
+    const payload = encodePairingQrPayload({
+      host,
+      port: portToUse,
+      instanceId: mobileInstanceId,
+      qrNonce,
+      expiresAt: qrExpiresAt
+    });
+    void renderPairingQr(payload).then((terminalQr) => {
+      console.log(
+        `[Codex Blocker] Mobile app pairing QR (QR-only, expires in 60 seconds):
+${terminalQr}
+`
+      );
+    }).catch((error) => {
+      console.warn(
+        `[Codex Blocker] Failed to render pairing QR: ${error instanceof Error ? error.message : String(error)}`
+      );
+    });
+  };
+  const sendPairingToken = (req, res) => {
+    if (!authToken) {
+      authToken = createAuthToken();
+    }
+    const host = getResponseHost(req, bindHost, activePort);
+    const payload = {
+      token: authToken,
+      statusUrl: `http://${host}/status`,
+      wsUrl: `ws://${host}/ws`
+    };
+    sendJson(res, payload);
+  };
+  const server = createServer(async (req, res) => {
+    const clientIp = getClientIp(req);
+    if (!checkRateLimit(clientIp)) {
+      sendJson(res, { error: "Too Many Requests" }, 429);
+      return;
+    }
+    const url = new URL(req.url || "/", `http://localhost:${activePort}`);
+    const origin = req.headers.origin;
+    const allowExtensionOrigin = isTrustedChromeExtensionOrigin(origin);
+    if (allowExtensionOrigin && origin) {
+      res.setHeader("Access-Control-Allow-Origin", origin);
+      res.setHeader("Vary", "Origin");
+      res.setHeader("Access-Control-Allow-Methods", "GET, POST, OPTIONS");
+      res.setHeader(
+        "Access-Control-Allow-Headers",
+        "Content-Type, Authorization, X-Codex-Blocker-Token"
+      );
+    }
+    if (req.method === "OPTIONS") {
+      res.writeHead(allowExtensionOrigin ? 204 : 403);
+      res.end();
+      return;
+    }
+    if (extensionPairing && mobileQrPairing) {
+      if (req.method === "GET" && url.pathname === "/mobile/discovery") {
+        const pairingStatus = mobileQrPairing.getStatus();
+        const payload = {
+          name: mobileServiceName,
+          instanceId: mobileInstanceId,
+          port: activePort,
+          pairingRequired: !authToken,
+          pairingExpiresAt: pairingStatus.expiresAt
+        };
+        sendJson(res, payload);
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/extension/pair/start") {
+        const body = await readJsonBody(req);
+        if (body === INVALID_JSON_SENTINEL) {
+          sendJson(res, { error: "Invalid JSON" }, 400);
+          return;
+        }
+        const startBody = body;
+        const regenerateCode = startBody.regenerateCode === true;
+        const pairingWasActive = extensionPairing.getStatus().active;
+        const pairingCode = extensionPairing.startPairing(regenerateCode);
+        if (!pairingWasActive || regenerateCode) {
+          printExtensionPairingCode(pairingCode.code);
+        }
+        const payload = {
+          expiresAt: pairingCode.expiresAt
+        };
+        sendJson(res, payload);
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/extension/pair/confirm") {
+        if (!canAttemptPairConfirm(extensionPairConfirmByIp, clientIp)) {
+          const retryAfterMs = getPairConfirmRetryAfterMs(extensionPairConfirmByIp, clientIp);
+          if (retryAfterMs > 0) {
+            res.setHeader("Retry-After", String(Math.ceil(retryAfterMs / 1e3)));
+          }
+          sendJson(
+            res,
+            {
+              error: "Too Many Requests",
+              code: "pair_confirm_locked",
+              retryAfterMs
+            },
+            429
+          );
+          return;
+        }
+        const body = await readJsonBody(req);
+        if (body === INVALID_JSON_SENTINEL) {
+          sendJson(res, { error: "Invalid JSON" }, 400);
+          return;
+        }
+        const confirmBody = body;
+        const code = typeof confirmBody.code === "string" ? confirmBody.code.trim() : "";
+        if (code.length === 0) {
+          sendJson(res, { error: "Provide extension pairing code" }, 400);
+          return;
+        }
+        const confirmed = extensionPairing.confirmPairingCode(code);
+        if (!confirmed) {
+          recordPairConfirmFailure(extensionPairConfirmByIp, clientIp);
+          sendJson(res, { error: "Invalid or expired extension pairing code" }, 401);
+          return;
+        }
+        clearPairConfirmFailures(extensionPairConfirmByIp, clientIp);
+        sendPairingToken(req, res);
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/mobile/pair/start") {
+        const body = await readJsonBody(req);
+        if (body === INVALID_JSON_SENTINEL) {
+          sendJson(res, { error: "Invalid JSON" }, 400);
+          return;
+        }
+        const startBody = body;
+        const refreshQr = startBody.refreshQr === true;
+        const pairingWasActive = mobileQrPairing.getStatus().active;
+        const pairingCode = mobileQrPairing.startPairing(refreshQr);
+        if (!pairingWasActive || refreshQr) {
+          const rawHost = getResponseHost(req, bindHost, activePort);
+          const hostInfo = splitHostAndPort(rawHost, activePort);
+          printPairingQr(
+            hostInfo.host,
+            hostInfo.port,
+            pairingCode.qrNonce,
+            pairingCode.qrExpiresAt
+          );
+        }
+        const payload = {
+          expiresAt: pairingCode.expiresAt,
+          qrExpiresAt: pairingCode.qrExpiresAt,
+          qrFormat: PAIRING_QR_FORMAT
+        };
+        sendJson(res, payload);
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/mobile/pair/confirm") {
+        if (!canAttemptPairConfirm(mobilePairConfirmByIp, clientIp)) {
+          const retryAfterMs = getPairConfirmRetryAfterMs(mobilePairConfirmByIp, clientIp);
+          if (retryAfterMs > 0) {
+            res.setHeader("Retry-After", String(Math.ceil(retryAfterMs / 1e3)));
+          }
+          sendJson(
+            res,
+            {
+              error: "Too Many Requests",
+              code: "pair_confirm_locked",
+              retryAfterMs
+            },
+            429
+          );
+          return;
+        }
+        const body = await readJsonBody(req);
+        if (body === INVALID_JSON_SENTINEL) {
+          sendJson(res, { error: "Invalid JSON" }, 400);
+          return;
+        }
+        const confirmBody = body;
+        const qrNonce = typeof confirmBody.qrNonce === "string" ? confirmBody.qrNonce.trim() : "";
+        if (qrNonce.length === 0) {
+          sendJson(res, { error: "Provide mobile QR nonce" }, 400);
+          return;
+        }
+        const confirmed = mobileQrPairing.confirmPairingQrNonce(qrNonce);
+        if (!confirmed) {
+          recordPairConfirmFailure(mobilePairConfirmByIp, clientIp);
+          sendJson(res, { error: "Invalid or expired QR nonce" }, 401);
+          return;
+        }
+        clearPairConfirmFailures(mobilePairConfirmByIp, clientIp);
+        sendPairingToken(req, res);
+        return;
+      }
+    }
+    const providedToken = readAuthToken(req, url);
+    if (authToken) {
+      if (!providedToken || providedToken !== authToken) {
+        sendJson(res, { error: "Unauthorized" }, 401);
+        return;
+      }
+    } else {
+      sendJson(res, { error: "Unauthorized" }, 401);
+      return;
+    }
+    if (req.method === "GET" && url.pathname === "/status") {
+      sendJson(res, stateInstance.getStatus());
+      return;
+    }
+    sendJson(res, { error: "Not found" }, 404);
+  });
+  const wss = new WebSocketServer({ server, path: "/ws" });
+  wss.on("connection", (ws, req) => {
+    const wsUrl = new URL(req.url || "", `http://localhost:${activePort}`);
+    const providedToken = readWebSocketAuthToken(req, wsUrl);
+    const clientIp = getClientIp(req);
+    const allowExtensionOrigin = isTrustedChromeExtensionOrigin(req.headers.origin);
+    const currentConnections = wsConnectionsByIp.get(clientIp) ?? 0;
+    if (currentConnections >= MAX_WS_CONNECTIONS_PER_IP) {
+      ws.close(1013, "Too many connections");
+      return;
+    }
+    if (authToken) {
+      if (!providedToken || providedToken !== authToken) {
+        ws.close(1008, "Unauthorized");
+        return;
+      }
+    } else if (canBootstrapExtensionToken(providedToken, allowExtensionOrigin)) {
+      authToken = providedToken;
+    } else {
+      ws.close(1008, "Unauthorized");
+      return;
+    }
+    wsConnectionsByIp.set(clientIp, currentConnections + 1);
+    const unsubscribe = stateInstance.subscribe((message) => {
+      if (ws.readyState === WebSocket.OPEN) {
+        ws.send(JSON.stringify(message));
+      }
+    });
+    ws.on("message", (data) => {
+      try {
+        const message = JSON.parse(data.toString());
+        if (message.type === "ping") {
+          ws.send(JSON.stringify({ type: "pong" }));
+        }
+      } catch {
+      }
+    });
+    ws.on("close", () => {
+      unsubscribe();
+      decrementWsConnectionCount(clientIp);
+    });
+    ws.on("error", () => {
+      unsubscribe();
+      decrementWsConnectionCount(clientIp);
+    });
+  });
+  const codexWatcher = new CodexSessionWatcher(stateInstance, {
+    sessionsDir: options?.sessionsDir
+  });
+  if (startWatcher) {
+    codexWatcher.start();
+  }
+  let resolveReady = () => {
+  };
+  const ready = new Promise((resolve) => {
+    resolveReady = resolve;
+  });
+  const handle = {
+    port,
+    ready,
+    close: async () => {
+      stateInstance.destroy();
+      codexWatcher.stop();
+      if (mdnsService) {
+        await mdnsService.stop();
+        mdnsService = null;
+      }
+      await new Promise((resolve) => wss.close(() => resolve()));
+      await new Promise((resolve) => server.close(() => resolve()));
+    }
+  };
+  server.listen(port, bindHost, () => {
+    const address = server.address();
+    const actualPort = typeof address === "object" && address ? address.port : port;
+    handle.port = actualPort;
+    activePort = actualPort;
+    resolveReady(actualPort);
+    if (extensionPairing && mobileQrPairing && autoStartMobilePairing) {
+      if (logBanner) {
+        const pairingSummary = mobileQrOutput ? "extension uses 6-digit code only; mobile app uses QR only." : "extension uses 6-digit code only.";
+        console.log(`[Codex Blocker] Pairing paths: ${pairingSummary}`);
+      }
+      const extensionPairingCode = extensionPairing.startPairing();
+      printExtensionPairingCode(extensionPairingCode.code);
+      const mobilePairingCode = mobileQrPairing.startPairing();
+      printPairingQr(
+        "codex-blocker.local",
+        actualPort,
+        mobilePairingCode.qrNonce,
+        mobilePairingCode.qrExpiresAt
+      );
+      if (publishMdns) {
+        try {
+          mdnsService = publishMobileService({
+            name: mobileServiceName,
+            type: MOBILE_SERVICE_TYPE,
+            port: actualPort,
+            instanceId: mobileInstanceId
+          });
+        } catch (error) {
+          if (logBanner) {
+            console.warn(
+              `[Codex Blocker] Failed to publish mDNS service: ${error instanceof Error ? error.message : String(error)}`
+            );
+          }
+        }
+      }
+    }
+    if (!logBanner) return;
+    const displayHost = bindHost === "0.0.0.0" ? "localhost" : bindHost;
+    const mobileLine = !mobileEnabled ? "" : mobileQrOutput ? `
+\u2502   Mobile:    enabled (${mobileServiceName})  \u2502` : "\n\u2502   Mobile:    extension-only              \u2502";
+    console.log(`
+\u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510
+\u2502                                     \u2502
+\u2502   Codex Blocker Server              \u2502
+\u2502                                     \u2502
+\u2502   HTTP:      http://${displayHost}:${actualPort}  \u2502
+\u2502   WebSocket: ws://${displayHost}:${actualPort}/ws \u2502${mobileLine}
+\u2502                                     \u2502
+\u2502   Watching Codex sessions...        \u2502
+\u2502                                     \u2502
+\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518
+`);
+  });
+  process.once("SIGINT", () => {
+    if (logBanner) {
+      console.log("\nShutting down...");
+    }
+    void handle.close().then(() => process.exit(0));
+  });
+  return handle;
+}
+
+export {
+  DEFAULT_PORT,
+  isTrustedChromeExtensionOrigin,
+  isLoopbackClientIp,
+  startServer
+};