codex-relay 1.0.0 → 1.0.1-beta.0

package/README.md

@@ -13,7 +13,7 @@ Codex Relay runs a local bridge server for the Codex Relay mobile app. Keep Code
 Run the server from the workspace you want Codex to use:
 
 ```sh
-npx codex-relay
+npx codex-relay@latest
 ```
 
 The CLI prints a QR code, a mobile URL, and a `codex-relay://pair...` pairing payload. Scan the QR code from the mobile app. If scanning is not available, paste the full pairing payload into the app.
@@ -21,7 +21,7 @@ The CLI prints a QR code, a mobile URL, and a `codex-relay://pair...` pairing pa
 When the app shows an approval code, approve it on the computer:
 
 ```sh
-npx codex-relay approve XXXX-XXXX
+npx codex-relay@latest approve XXXX-XXXX
 ```
 
 After approval, the phone can list Codex threads, start new work, stream messages, and handle approval prompts from the local Codex runtime.
@@ -31,7 +31,7 @@ After approval, the phone can list Codex threads, start new work, stream message
 To keep the relay running after the command returns:
 
 ```sh
-npx codex-relay --bg
+npx codex-relay@latest --bg
 ```
 
 Background mode writes runtime files under `.codex-relay/` in the current directory:
@@ -44,7 +44,7 @@ Background mode writes runtime files under `.codex-relay/` in the current direct
 Print the current pairing QR again:
 
 ```sh
-npx codex-relay qr
+npx codex-relay@latest qr
 ```
 
 Stop a background server with the printed process id:
@@ -56,25 +56,25 @@ kill -TERM <pid>
 ## Commands
 
 ```sh
-npx codex-relay
+npx codex-relay@latest
 ```
 
 Start the relay in the foreground.
 
 ```sh
-npx codex-relay --bg
+npx codex-relay@latest --bg
 ```
 
 Start the relay in the background.
 
 ```sh
-npx codex-relay qr
+npx codex-relay@latest qr
 ```
 
 Print the latest pairing QR for an already running relay.
 
 ```sh
-npx codex-relay approve XXXX-XXXX
+npx codex-relay@latest approve XXXX-XXXX
 ```
 
 Approve a pending mobile pairing request.
@@ -83,29 +83,29 @@ Approve a pending mobile pairing request.
 
 The relay listens on `0.0.0.0:8787` by default. Configure it with environment variables:
 
-| Variable                      | Purpose                                                                                     |
-| ----------------------------- | ------------------------------------------------------------------------------------------- |
-| `PORT`                        | Server port. Defaults to `8787`.                                                            |
-| `HOST`                        | Listen host. Defaults to `0.0.0.0`.                                                         |
-| `CODEX_RELAY_PUBLIC_URL`      | URL printed into the pairing QR, for example a Tailscale or tunnel URL.                     |
-| `CODEX_RELAY_WORKSPACE_PATH`  | Workspace path Codex should use. Defaults to the directory where you run `npx codex-relay`. |
-| `CODEX_RELAY_AUTH_DB_PATH`    | Pairing and session database path. Defaults to `.codex-relay/auth.db`.                      |
-| `CODEX_RELAY_APPROVAL_SECRET` | Secret used by the local approve command. Usually generated automatically.                  |
-| `CODEX_HOME`                  | Codex home directory, used when reading Codex session metadata.                             |
-| `CODEX_BIN`                   | Codex CLI executable path.                                                                  |
+| Variable                      | Purpose                                                                                            |
+| ----------------------------- | -------------------------------------------------------------------------------------------------- |
+| `PORT`                        | Server port. Defaults to `8787`.                                                                   |
+| `HOST`                        | Listen host. Defaults to `0.0.0.0`.                                                                |
+| `CODEX_RELAY_PUBLIC_URL`      | URL printed into the pairing QR, for example a Tailscale or tunnel URL.                            |
+| `CODEX_RELAY_WORKSPACE_PATH`  | Workspace path Codex should use. Defaults to the directory where you run `npx codex-relay@latest`. |
+| `CODEX_RELAY_AUTH_DB_PATH`    | Pairing and session database path. Defaults to `.codex-relay/auth.db`.                             |
+| `CODEX_RELAY_APPROVAL_SECRET` | Secret used by the local approve command. Usually generated automatically.                         |
+| `CODEX_HOME`                  | Codex home directory, used when reading Codex session metadata.                                    |
+| `CODEX_BIN`                   | Codex CLI executable path.                                                                         |
 
 Examples:
 
 ```sh
-PORT=8788 npx codex-relay
+PORT=8788 npx codex-relay@latest
 ```
 
 ```sh
-CODEX_RELAY_PUBLIC_URL=http://100.64.0.10:8787 npx codex-relay
+CODEX_RELAY_PUBLIC_URL=http://100.64.0.10:8787 npx codex-relay@latest
 ```
 
 ```sh
-CODEX_RELAY_WORKSPACE_PATH=/path/to/project npx codex-relay
+CODEX_RELAY_WORKSPACE_PATH=/path/to/project npx codex-relay@latest
 ```
 
 ## Network Notes
@@ -118,16 +118,16 @@ The phone must be able to reach the URL printed as `Mobile:` by the relay.
 
 ## Troubleshooting
 
-If `npx codex-relay qr` cannot find a server, start one first:
+If `npx codex-relay@latest qr` cannot find a server, start one first:
 
 ```sh
-npx codex-relay
+npx codex-relay@latest
 ```
 
 If the relay says another process is using the local pairing database, use the existing server:
 
 ```sh
-npx codex-relay qr
+npx codex-relay@latest qr
 ```
 
 Or stop the background process shown by the CLI:

package/dist/cli.js

@@ -31,7 +31,7 @@ async function startBackgroundServer() {
 	if (existingPid) {
 		console.log(`codex-relay is already running in the background (pid ${existingPid}).`);
 		console.log(`Logs: ${logPath}`);
-		console.log("Print the current pairing QR with: npx codex-relay qr");
+		console.log("Print the current pairing QR with: npx codex-relay@latest qr");
 		return;
 	}
 	await unlink(pidPath).catch(() => void 0);
@@ -66,7 +66,7 @@ async function startBackgroundServer() {
 	}
 	console.log(`Started codex-relay in the background (pid ${startedPid}).`);
 	console.log(`Logs: ${logPath}`);
-	console.log("Print the pairing QR later with: npx codex-relay qr");
+	console.log("Print the pairing QR later with: npx codex-relay@latest qr");
 }
 async function readRunningPid(pidPath) {
 	const value = await readFile(pidPath, "utf8").catch(() => void 0);
@@ -126,8 +126,8 @@ async function printPairingQr() {
 	const state = storedState?.pairingPayload ? storedState : await readServerLogState();
 	if (!state?.pairingPayload) {
 		console.error("No running Codex Relay server state was found.");
-		console.error("Start the server first with: npx codex-relay");
-		console.error("Or run it in the background with: npx codex-relay --bg");
+		console.error("Start the server first with: npx codex-relay@latest");
+		console.error("Or run it in the background with: npx codex-relay@latest --bg");
 		process.exitCode = 1;
 		return;
 	}
@@ -152,7 +152,7 @@ async function handleServerStartError(error) {
 	if (existingPid) {
 		console.error(`A background server appears to be running (pid ${existingPid}).`);
 		console.error("Use the existing server instead of starting a second one:");
-		console.error("  npx codex-relay qr");
+		console.error("  npx codex-relay@latest qr");
 		console.error("");
 		console.error("To stop the background server:");
 		console.error(`  kill -TERM ${existingPid}`);
@@ -162,7 +162,7 @@ async function handleServerStartError(error) {
 		console.error("Another Codex Relay process is already running or exited without cleanup.");
 		if (state?.pairingPayload) {
 			console.error("Use the existing server instead of starting a second one:");
-			console.error("  npx codex-relay qr");
+			console.error("  npx codex-relay@latest qr");
 			console.error("");
 		}
 		console.error("Find it with:");
@@ -174,7 +174,7 @@ async function handleServerStartError(error) {
 	}
 	console.error("");
 	console.error("If you wanted a persistent server, start it once with:");
-	console.error("  npx codex-relay --bg");
+	console.error("  npx codex-relay@latest --bg");
 	process.exitCode = 1;
 }
 async function readApprovalSecret() {

package/dist/src.js

@@ -181,8 +181,9 @@ const WorkspaceChangesResponseSchema = z.object({
 		worktreeStatus: z.string().nullable()
 	})).default([])
 });
-const CheckoutWorkspaceBranchRequestSchema = z.object({ branch: z.string().trim().min(1).refine((branch) => !branch.startsWith("-"), "Branch name cannot start with '-'.") });
-const CommitPushWorkspaceRequestSchema = z.object({ message: z.string().trim().min(1).max(240) });
+const WorkspaceSelectionRequestSchema = z.object({ workspacePath: z.string().trim().min(1).optional() });
+const CheckoutWorkspaceBranchRequestSchema = WorkspaceSelectionRequestSchema.extend({ branch: z.string().trim().min(1).refine((branch) => !branch.startsWith("-"), "Branch name cannot start with '-'.") });
+const CommitPushWorkspaceRequestSchema = WorkspaceSelectionRequestSchema.extend({ message: z.string().trim().min(1).max(240) });
 const WorkspaceGitActionResponseSchema = z.object({
 	branch: z.string().nullable(),
 	message: z.string().min(1),
@@ -206,6 +207,7 @@ const WebPreviewTargetSchema = z.object({
 	detectedAt: IsoDateTimeSchema
 });
 const PairRequestSchema = z.object({
+	clientSessionId: z.string().trim().min(1).max(120).optional(),
 	clientName: z.string().trim().min(1).max(80).optional(),
 	secure: z.object({
 		clientEphemeralPublicKey: z.string().min(1),

package/dist/src2.js

@@ -540,7 +540,8 @@ function createApp(options = {}) {
 		const tokenHash = token ? options.pairing.hashClientToken(token) : void 0;
 		const validSession = tokenHash ? await options.pairing.sessions.getValidSession(tokenHash, Date.now()) : void 0;
 		if (!tokenHash || !validSession) return c.json(apiError("unauthorized", "Pair this device with the Codex Relay server."), 401);
-		if (options.pairing.serverIdentity && !secureSessionsByTokenHash.has(tokenHash)) return c.json(apiError("secure_session_required", "Secure session expired. Pair this device again."), 401);
+		if (options.pairing.serverIdentity && !secureSessionsByTokenHash.has(tokenHash)) if (validSession.secureSession) secureSessionsByTokenHash.set(tokenHash, validSession.secureSession);
+		else return c.json(apiError("secure_session_required", "Secure session expired. Pair this device again."), 401);
 		await next();
 	});
 	app.post(apiPaths.pair, async (c) => {
@@ -556,6 +557,7 @@ function createApp(options = {}) {
 			approved: false,
 			approvalCode,
 			clientEphemeralPublicKey: parsed.data.secure.clientEphemeralPublicKey,
+			clientSessionId: parsed.data.clientSessionId,
 			clientName: parsed.data.clientName,
 			clientNonce: parsed.data.secure.clientNonce,
 			expiresAt,
@@ -584,15 +586,6 @@ function createApp(options = {}) {
 		const clientToken = options.pairing.createClientToken();
 		const expiresAt = Date.now() + options.pairing.tokenTtlMs;
 		const tokenHash = options.pairing.hashClientToken(clientToken);
-		const tokenCount = await options.pairing.sessions.createSession(tokenHash, {
-			clientName: pending.clientName,
-			expiresAt
-		});
-		await options.pairing.sessions.deletePendingPairing(approvalCode);
-		options.pairing.onPaired?.({
-			clientName: pending.clientName,
-			tokenCount
-		});
 		const clientTokenExpiresAt = new Date(expiresAt).toISOString();
 		const pairing = createSecurePairing({
 			approvalCode,
@@ -604,6 +597,17 @@ function createApp(options = {}) {
 			serverIdentity: options.pairing.serverIdentity,
 			serverUrl: pending.serverUrl
 		});
+		const tokenCount = await options.pairing.sessions.createSession(tokenHash, {
+			clientSessionId: pending.clientSessionId,
+			clientName: pending.clientName,
+			expiresAt,
+			secureSession: pairing.session
+		});
+		await options.pairing.sessions.deletePendingPairing(approvalCode);
+		options.pairing.onPaired?.({
+			clientName: pending.clientName,
+			tokenCount
+		});
 		secureSessionsByTokenHash.set(tokenHash, pairing.session);
 		return c.json(PairResponseSchema.parse({ secure: pairing.response }), 201);
 	});
@@ -630,15 +634,15 @@ function createApp(options = {}) {
 		const expiresAt = Date.now() + options.pairing.tokenTtlMs;
 		const oldTokenHash = options.pairing.hashClientToken(oldToken);
 		const newTokenHash = options.pairing.hashClientToken(clientToken);
+		const clientSessionId = normalizeClientSessionId(c.req.header("x-codex-relay-client-session-id")) ?? oldSession.clientSessionId;
 		const tokenCount = await options.pairing.sessions.rotateSession(oldTokenHash, newTokenHash, {
+			clientSessionId,
 			clientName: oldSession.clientName,
-			expiresAt
+			expiresAt,
+			secureSession: secureSessionsByTokenHash.get(oldTokenHash) ?? oldSession.secureSession
 		});
-		const secureSession = secureSessionsByTokenHash.get(oldTokenHash);
-		if (secureSession) {
-			secureSessionsByTokenHash.delete(oldTokenHash);
-			secureSessionsByTokenHash.set(newTokenHash, secureSession);
-		}
+		const secureSession = secureSessionsByTokenHash.get(oldTokenHash) ?? oldSession.secureSession;
+		if (secureSession) secureSessionsByTokenHash.set(oldTokenHash, secureSession);
 		options.pairing.onTokenRefreshed?.({
 			clientName: oldSession.clientName,
 			tokenCount
@@ -647,7 +651,13 @@ function createApp(options = {}) {
 			clientToken,
 			clientTokenExpiresAt: new Date(expiresAt).toISOString()
 		});
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, response, 201);
+		const jsonResponse = await secureJson(c, options.pairing, secureSessionsByTokenHash, response, 201);
+		if (secureSession) {
+			secureSessionsByTokenHash.delete(oldTokenHash);
+			secureSessionsByTokenHash.set(newTokenHash, secureSession);
+			await options.pairing.sessions.updateSecureSession(newTokenHash, secureSession);
+		}
+		return jsonResponse;
 	});
 	app.get(apiPaths.status, (c) => {
 		const response = StatusResponseSchema.parse({
@@ -682,9 +692,11 @@ function createApp(options = {}) {
 	});
 	app.get(apiPaths.workspaceChanges, async (c) => {
 		try {
-			const changes = await readWorkspaceChanges(workspacePath);
+			const selectedWorkspacePath = await validateThreadWorkspacePath(workspacePath, c.req.query("workspacePath"));
+			if (!selectedWorkspacePath.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("invalid_workspace_path", selectedWorkspacePath.error), 400);
+			const changes = await readWorkspaceChanges(selectedWorkspacePath.path);
 			const response = WorkspaceChangesResponseSchema.parse({
-				workspacePath,
+				workspacePath: selectedWorkspacePath.path,
 				...changes
 			});
 			return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
@@ -696,9 +708,11 @@ function createApp(options = {}) {
 		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, CheckoutWorkspaceBranchRequestSchema);
 		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
 		try {
-			const output = await git(workspacePath, ["checkout", parsed.data.branch]);
+			const selectedWorkspacePath = await validateThreadWorkspacePath(workspacePath, parsed.data.workspacePath);
+			if (!selectedWorkspacePath.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("invalid_workspace_path", selectedWorkspacePath.error), 400);
+			const output = await git(selectedWorkspacePath.path, ["checkout", parsed.data.branch]);
 			const response = WorkspaceGitActionResponseSchema.parse({
-				branch: await currentGitBranch(workspacePath),
+				branch: await currentGitBranch(selectedWorkspacePath.path),
 				message: `Checked out ${parsed.data.branch}.`,
 				output
 			});
@@ -711,23 +725,25 @@ function createApp(options = {}) {
 		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, CommitPushWorkspaceRequestSchema);
 		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
 		try {
-			await git(workspacePath, ["add", "--all"]);
-			const commitOutput = await git(workspacePath, [
+			const selectedWorkspacePath = await validateThreadWorkspacePath(workspacePath, parsed.data.workspacePath);
+			if (!selectedWorkspacePath.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("invalid_workspace_path", selectedWorkspacePath.error), 400);
+			await git(selectedWorkspacePath.path, ["add", "--all"]);
+			const commitOutput = await git(selectedWorkspacePath.path, [
 				"commit",
 				"-m",
 				parsed.data.message
 			]);
-			const branch = await currentGitBranch(workspacePath);
-			const pushOutput = await git(workspacePath, [
+			const branch = await currentGitBranch(selectedWorkspacePath.path);
+			const pushOutput = await git(selectedWorkspacePath.path, [
 				"rev-parse",
 				"--abbrev-ref",
 				"@{upstream}"
-			]).catch(() => null) ? await git(workspacePath, ["push"]) : branch ? await git(workspacePath, [
+			]).catch(() => null) ? await git(selectedWorkspacePath.path, ["push"]) : branch ? await git(selectedWorkspacePath.path, [
 				"push",
 				"-u",
 				"origin",
 				branch
-			]) : await git(workspacePath, ["push"]);
+			]) : await git(selectedWorkspacePath.path, ["push"]);
 			const response = WorkspaceGitActionResponseSchema.parse({
 				branch,
 				message: "Committed and pushed workspace changes.",
@@ -981,6 +997,10 @@ function normalizeApprovalCode(value) {
 	const normalized = value.toUpperCase().replace(/[^A-Z0-9]/g, "").replaceAll("O", "0").replaceAll("I", "1");
 	return normalized.length === 8 ? `${normalized.slice(0, 4)}-${normalized.slice(4)}` : normalized;
 }
+function normalizeClientSessionId(value) {
+	const trimmed = value?.trim();
+	return trimmed ? trimmed.slice(0, 120) : void 0;
+}
 async function validateThreadWorkspacePath(rootPath, requestedPath) {
 	const resolved = resolve(requestedPath ?? rootPath);
 	try {
@@ -1513,7 +1533,8 @@ async function parseRequestJson(c, pairing, secureSessionsByTokenHash, schema) {
 		const envelope = EncryptedPayloadSchema.safeParse(payload);
 		if (!envelope.success) return schema.safeParse({ __invalidEncryptedPayload: true });
 		try {
-			payload = JSON.parse(decryptFromMobile(secureSession, envelope.data));
+			payload = JSON.parse(decryptFromMobile(secureSession.session, envelope.data));
+			await secureSession.persist();
 		} catch {
 			payload = { __invalidEncryptedPayload: true };
 		}
@@ -1529,15 +1550,30 @@ async function parsePlainJson(request, schema) {
 	}
 	return schema.safeParse(payload);
 }
-function secureJson(c, pairing, secureSessionsByTokenHash, payload, status) {
+async function secureJson(c, pairing, secureSessionsByTokenHash, payload, status) {
 	const secureSession = getSecureSessionForRequest(c, pairing, secureSessionsByTokenHash);
 	if (!secureSession) return c.json(payload, status);
-	const encrypted = EncryptedPayloadSchema.parse(encryptForMobile(secureSession, JSON.stringify(payload)));
+	const encrypted = EncryptedPayloadSchema.parse(encryptForMobile(secureSession.session, JSON.stringify(payload)));
+	await secureSession.persist();
 	return c.json(encrypted, status);
 }
 function getSecureSessionForRequest(c, pairing, secureSessionsByTokenHash) {
 	const token = parseBearerToken(c.req.header("authorization"));
-	return token && pairing ? secureSessionsByTokenHash.get(pairing.hashClientToken(token)) : void 0;
+	if (!token || !pairing) return;
+	const tokenHash = pairing.hashClientToken(token);
+	const session = secureSessionsByTokenHash.get(tokenHash);
+	return session ? createSecureSessionHandle(pairing, tokenHash, session) : void 0;
+}
+function createSecureSessionHandle(pairing, tokenHash, session) {
+	let pendingPersist = Promise.resolve();
+	return {
+		persist: () => {
+			pendingPersist = pendingPersist.catch(() => void 0).then(() => pairing.sessions.updateSecureSession(tokenHash, session));
+			return pendingPersist;
+		},
+		session,
+		tokenHash
+	};
 }
 function sortedThreads(threads) {
 	return [...threads.values()].sort((a, b) => b.updatedAt.localeCompare(a.updatedAt));
@@ -1664,7 +1700,8 @@ function updateThread(threads, messagesByThreadId, threadId, update) {
 }
 function sendSse(controller, encoder, secureSession, event) {
 	const parsed = StreamThreadRunEventSchema.parse(event);
-	const data = secureSession ? EncryptedPayloadSchema.parse(encryptForMobile(secureSession, JSON.stringify(parsed))) : parsed;
+	const data = secureSession ? EncryptedPayloadSchema.parse(encryptForMobile(secureSession.session, JSON.stringify(parsed))) : parsed;
+	if (secureSession) secureSession.persist().catch(() => void 0);
 	controller.enqueue(encoder.encode(`event: ${parsed.type}\n`));
 	controller.enqueue(encoder.encode(`data: ${JSON.stringify(data)}\n\n`));
 }
@@ -2417,7 +2454,7 @@ function normalizeFileChanges(value) {
 async function readWorkspaceChanges(workspacePath) {
 	const repo = await openRepository(workspacePath);
 	const [currentBranch, branches] = await Promise.all([currentGitBranch(workspacePath), listGitBranches(workspacePath)]);
-	const statusEntries = collectIterator(repo.statuses().iter());
+	const statusEntries = collectIterator(repo.statuses().iter()).filter((entry) => !entry.status().ignored);
 	const statusByPath = new Map(statusEntries.map((entry) => [entry.path(), entry]));
 	const status = statusEntries.map((entry) => formatStatusLine(entry.path(), entry.status())).join("\n");
 	const structuredDiff = createWorkspaceDiff(repo);
@@ -2465,6 +2502,11 @@ async function readWorkspaceChanges(workspacePath) {
 		});
 	}
 	const files = [...filesByPath.values()].sort((left, right) => left.path.localeCompare(right.path));
+	const fileStats = {
+		additions: files.reduce((total, file) => total + file.additions, 0),
+		deletions: files.reduce((total, file) => total + file.deletions, 0),
+		filesChanged: files.length
+	};
 	return {
 		branches,
 		currentBranch,
@@ -2472,10 +2514,10 @@ async function readWorkspaceChanges(workspacePath) {
 		files,
 		hasChanges: files.length > 0 || Boolean(status.trim() || diff.trim()),
 		status,
-		stats: {
+		stats: files.length > 0 ? fileStats : {
 			additions: Number(stats.insertions),
 			deletions: Number(stats.deletions),
-			filesChanged: files.length || Number(stats.filesChanged)
+			filesChanged: Number(stats.filesChanged)
 		}
 	};
 }
@@ -2596,14 +2638,21 @@ async function createTursoPairingSessionStore(path) {
 	await db.exec(`
     CREATE TABLE IF NOT EXISTS pairing_sessions (
       token_hash TEXT PRIMARY KEY,
+      client_session_id TEXT,
       client_name TEXT,
       expires_at INTEGER NOT NULL,
+      key_epoch INTEGER,
+      mobile_to_server_key TEXT,
+      server_to_mobile_key TEXT,
+      last_mobile_counter INTEGER,
+      next_server_counter INTEGER,
       created_at INTEGER NOT NULL,
       updated_at INTEGER NOT NULL
     );
 
     CREATE TABLE IF NOT EXISTS pending_pairings (
       approval_code TEXT PRIMARY KEY,
+      client_session_id TEXT,
       client_name TEXT,
       client_ephemeral_public_key TEXT NOT NULL,
       client_nonce TEXT NOT NULL,
@@ -2614,8 +2663,9 @@ async function createTursoPairingSessionStore(path) {
       updated_at INTEGER NOT NULL
     );
   `);
+	await ensurePairingSessionColumns();
 	async function countActive(now) {
-		const row = await db.prepare("SELECT COUNT(*) AS count FROM pairing_sessions WHERE expires_at > ?").get(now);
+		const row = await db.prepare("SELECT COUNT(DISTINCT COALESCE(client_session_id, token_hash)) AS count FROM pairing_sessions WHERE expires_at > ?").get(now);
 		return Number(row?.count ?? 0);
 	}
 	async function deleteSession(tokenHash) {
@@ -2626,6 +2676,7 @@ async function createTursoPairingSessionStore(path) {
 	}
 	async function getPendingPairing(approvalCode, now) {
 		const row = await db.prepare(`SELECT approval_code AS approvalCode,
+                client_session_id AS clientSessionId,
                 client_name AS clientName,
                 client_ephemeral_public_key AS clientEphemeralPublicKey,
                 client_nonce AS clientNonce,
@@ -2644,6 +2695,7 @@ async function createTursoPairingSessionStore(path) {
 			approvalCode: String(row.approvalCode),
 			approved: Number(row.approved) === 1,
 			clientEphemeralPublicKey: String(row.clientEphemeralPublicKey),
+			clientSessionId: typeof row.clientSessionId === "string" ? row.clientSessionId : void 0,
 			clientName: typeof row.clientName === "string" ? row.clientName : void 0,
 			clientNonce: String(row.clientNonce),
 			expiresAt,
@@ -2665,6 +2717,7 @@ async function createTursoPairingSessionStore(path) {
 			const now = Date.now();
 			await db.prepare(`INSERT INTO pending_pairings (
              approval_code,
+             client_session_id,
              client_name,
              client_ephemeral_public_key,
              client_nonce,
@@ -2674,19 +2727,45 @@ async function createTursoPairingSessionStore(path) {
              created_at,
              updated_at
            )
-           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(pairing.approvalCode, pairing.clientName ?? null, pairing.clientEphemeralPublicKey, pairing.clientNonce, pairing.serverUrl, pairing.approved ? 1 : 0, pairing.expiresAt, now, now);
+           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(pairing.approvalCode, pairing.clientSessionId ?? null, pairing.clientName ?? null, pairing.clientEphemeralPublicKey, pairing.clientNonce, pairing.serverUrl, pairing.approved ? 1 : 0, pairing.expiresAt, now, now);
 		},
 		async createSession(tokenHash, session) {
 			const now = Date.now();
-			await db.prepare(`INSERT INTO pairing_sessions (token_hash, client_name, expires_at, created_at, updated_at)
-           VALUES (?, ?, ?, ?, ?)`).run(tokenHash, session.clientName ?? null, session.expiresAt, now, now);
+			const secure = encodeSecureSession(session.secureSession);
+			if (session.clientSessionId) {
+				await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id = ?").run(session.clientSessionId);
+				if (session.clientName) await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id IS NULL AND client_name = ?").run(session.clientName);
+			}
+			await db.prepare(`INSERT INTO pairing_sessions (
+             token_hash,
+             client_session_id,
+             client_name,
+             expires_at,
+             key_epoch,
+             mobile_to_server_key,
+             server_to_mobile_key,
+             last_mobile_counter,
+             next_server_counter,
+             created_at,
+             updated_at
+           )
+           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(tokenHash, session.clientSessionId ?? null, session.clientName ?? null, session.expiresAt, secure?.keyEpoch ?? null, secure?.mobileToServerKey ?? null, secure?.serverToMobileKey ?? null, secure?.lastMobileCounter ?? null, secure?.nextServerCounter ?? null, now, now);
 			return countActive(now);
 		},
 		deleteSession,
 		deletePendingPairing,
 		getPendingPairing,
 		async getValidSession(tokenHash, now) {
-			const row = await db.prepare("SELECT client_name AS clientName, expires_at AS expiresAt FROM pairing_sessions WHERE token_hash = ?").get(tokenHash);
+			const row = await db.prepare(`SELECT client_name AS clientName,
+                  client_session_id AS clientSessionId,
+                  expires_at AS expiresAt,
+                  key_epoch AS keyEpoch,
+                  mobile_to_server_key AS mobileToServerKey,
+                  server_to_mobile_key AS serverToMobileKey,
+                  last_mobile_counter AS lastMobileCounter,
+                  next_server_counter AS nextServerCounter
+           FROM pairing_sessions
+           WHERE token_hash = ?`).get(tokenHash);
 			if (!row) return;
 			const expiresAt = Number(row.expiresAt);
 			if (now > expiresAt) {
@@ -2694,8 +2773,10 @@ async function createTursoPairingSessionStore(path) {
 				return;
 			}
 			return {
+				clientSessionId: typeof row.clientSessionId === "string" ? row.clientSessionId : void 0,
 				clientName: typeof row.clientName === "string" ? row.clientName : void 0,
-				expiresAt
+				expiresAt,
+				secureSession: decodeSecureSession(row)
 			};
 		},
 		async pruneExpired(now) {
@@ -2704,14 +2785,82 @@ async function createTursoPairingSessionStore(path) {
 		},
 		async rotateSession(oldTokenHash, newTokenHash, session) {
 			const now = Date.now();
+			const secure = encodeSecureSession(session.secureSession);
 			await db.transaction(async () => {
 				await db.prepare("DELETE FROM pairing_sessions WHERE token_hash = ?").run(oldTokenHash);
-				await db.prepare(`INSERT INTO pairing_sessions (token_hash, client_name, expires_at, created_at, updated_at)
-             VALUES (?, ?, ?, ?, ?)`).run(newTokenHash, session.clientName ?? null, session.expiresAt, now, now);
+				if (session.clientSessionId) {
+					await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id = ?").run(session.clientSessionId);
+					if (session.clientName) await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id IS NULL AND client_name = ?").run(session.clientName);
+				}
+				await db.prepare(`INSERT INTO pairing_sessions (
+               token_hash,
+               client_session_id,
+               client_name,
+               expires_at,
+               key_epoch,
+               mobile_to_server_key,
+               server_to_mobile_key,
+               last_mobile_counter,
+               next_server_counter,
+               created_at,
+               updated_at
+             )
+             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(newTokenHash, session.clientSessionId ?? null, session.clientName ?? null, session.expiresAt, secure?.keyEpoch ?? null, secure?.mobileToServerKey ?? null, secure?.serverToMobileKey ?? null, secure?.lastMobileCounter ?? null, secure?.nextServerCounter ?? null, now, now);
 			})();
 			return countActive(now);
+		},
+		async updateSecureSession(tokenHash, secureSession) {
+			const secure = encodeSecureSession(secureSession);
+			const now = Date.now();
+			await db.prepare(`UPDATE pairing_sessions
+           SET key_epoch = ?,
+               mobile_to_server_key = ?,
+               server_to_mobile_key = ?,
+               last_mobile_counter = ?,
+               next_server_counter = ?,
+               updated_at = ?
+           WHERE token_hash = ?`).run(secure.keyEpoch, secure.mobileToServerKey, secure.serverToMobileKey, secure.lastMobileCounter, secure.nextServerCounter, now, tokenHash);
 		}
 	};
+	async function ensurePairingSessionColumns() {
+		const rows = await db.prepare("PRAGMA table_info(pairing_sessions)").all();
+		const columns = new Set(resultRows(rows).map((row) => String(row.name)));
+		for (const [column, sql] of [
+			["client_session_id", "ALTER TABLE pairing_sessions ADD COLUMN client_session_id TEXT"],
+			["key_epoch", "ALTER TABLE pairing_sessions ADD COLUMN key_epoch INTEGER"],
+			["mobile_to_server_key", "ALTER TABLE pairing_sessions ADD COLUMN mobile_to_server_key TEXT"],
+			["server_to_mobile_key", "ALTER TABLE pairing_sessions ADD COLUMN server_to_mobile_key TEXT"],
+			["last_mobile_counter", "ALTER TABLE pairing_sessions ADD COLUMN last_mobile_counter INTEGER"],
+			["next_server_counter", "ALTER TABLE pairing_sessions ADD COLUMN next_server_counter INTEGER"]
+		]) if (!columns.has(column)) await db.exec(sql);
+		const pendingRows = await db.prepare("PRAGMA table_info(pending_pairings)").all();
+		if (!new Set(resultRows(pendingRows).map((row) => String(row.name))).has("client_session_id")) await db.exec("ALTER TABLE pending_pairings ADD COLUMN client_session_id TEXT");
+	}
+}
+function encodeSecureSession(session) {
+	if (!session) return;
+	return {
+		keyEpoch: session.keyEpoch,
+		lastMobileCounter: session.lastMobileCounter,
+		mobileToServerKey: fromByteArray(session.mobileToServerKey),
+		nextServerCounter: session.nextServerCounter,
+		serverToMobileKey: fromByteArray(session.serverToMobileKey)
+	};
+}
+function decodeSecureSession(row) {
+	if (typeof row.mobileToServerKey !== "string" || typeof row.serverToMobileKey !== "string" || row.keyEpoch === null || row.lastMobileCounter === null || row.nextServerCounter === null) return;
+	return {
+		keyEpoch: Number(row.keyEpoch),
+		lastMobileCounter: Number(row.lastMobileCounter),
+		mobileToServerKey: toByteArray(row.mobileToServerKey),
+		nextServerCounter: Number(row.nextServerCounter),
+		serverToMobileKey: toByteArray(row.serverToMobileKey)
+	};
+}
+function resultRows(result) {
+	if (Array.isArray(result)) return result;
+	if (result && typeof result === "object" && Array.isArray(result.rows)) return result.rows;
+	return [];
 }
 //#endregion
 //#region src/index.ts
@@ -2846,7 +2995,7 @@ async function writeBackgroundPid() {
 	await writeFile(path, `${process.pid}\n`, { mode: 384 });
 }
 function formatApprovalCommand(approvalCode, activePort) {
-	return activePort === 8787 ? `npx codex-relay approve ${approvalCode}` : `PORT=${activePort} npx codex-relay approve ${approvalCode}`;
+	return activePort === 8787 ? `npx codex-relay@latest approve ${approvalCode}` : `PORT=${activePort} npx codex-relay@latest approve ${approvalCode}`;
 }
 function getLocalNetworkConnectUrl(port) {
 	for (const addresses of Object.values(networkInterfaces())) for (const address of addresses ?? []) if (address.family === "IPv4" && !address.internal) return `http://${address.address}:${port}`;

package/package.json

@@ -1,10 +1,10 @@
 {
   "name": "codex-relay",
-  "version": "1.0.0",
+  "version": "1.0.1-beta.0",
   "description": "Local Codex Relay CLI bridge for the Codex Relay mobile app.",
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/gronxb/hot-codex.git",
+    "url": "git+https://github.com/gronxb/codex-relay.git",
     "directory": "apps/server"
   },
   "bin": {