codex-relay 1.0.1-beta.0 → 1.0.1

package/README.md

@@ -13,7 +13,7 @@ Codex Relay runs a local bridge server for the Codex Relay mobile app. Keep Code
 Run the server from the workspace you want Codex to use:
 
 ```sh
-npx codex-relay@latest
+npx codex-relay
 ```
 
 The CLI prints a QR code, a mobile URL, and a `codex-relay://pair...` pairing payload. Scan the QR code from the mobile app. If scanning is not available, paste the full pairing payload into the app.
@@ -21,7 +21,7 @@ The CLI prints a QR code, a mobile URL, and a `codex-relay://pair...` pairing pa
 When the app shows an approval code, approve it on the computer:
 
 ```sh
-npx codex-relay@latest approve XXXX-XXXX
+npx codex-relay approve XXXX-XXXX
 ```
 
 After approval, the phone can list Codex threads, start new work, stream messages, and handle approval prompts from the local Codex runtime.
@@ -31,7 +31,7 @@ After approval, the phone can list Codex threads, start new work, stream message
 To keep the relay running after the command returns:
 
 ```sh
-npx codex-relay@latest --bg
+npx codex-relay --bg
 ```
 
 Background mode writes runtime files under `.codex-relay/` in the current directory:
@@ -44,7 +44,7 @@ Background mode writes runtime files under `.codex-relay/` in the current direct
 Print the current pairing QR again:
 
 ```sh
-npx codex-relay@latest qr
+npx codex-relay qr
 ```
 
 Stop a background server with the printed process id:
@@ -56,25 +56,25 @@ kill -TERM <pid>
 ## Commands
 
 ```sh
-npx codex-relay@latest
+npx codex-relay
 ```
 
 Start the relay in the foreground.
 
 ```sh
-npx codex-relay@latest --bg
+npx codex-relay --bg
 ```
 
 Start the relay in the background.
 
 ```sh
-npx codex-relay@latest qr
+npx codex-relay qr
 ```
 
 Print the latest pairing QR for an already running relay.
 
 ```sh
-npx codex-relay@latest approve XXXX-XXXX
+npx codex-relay approve XXXX-XXXX
 ```
 
 Approve a pending mobile pairing request.
@@ -83,29 +83,29 @@ Approve a pending mobile pairing request.
 
 The relay listens on `0.0.0.0:8787` by default. Configure it with environment variables:
 
-| Variable                      | Purpose                                                                                            |
-| ----------------------------- | -------------------------------------------------------------------------------------------------- |
-| `PORT`                        | Server port. Defaults to `8787`.                                                                   |
-| `HOST`                        | Listen host. Defaults to `0.0.0.0`.                                                                |
-| `CODEX_RELAY_PUBLIC_URL`      | URL printed into the pairing QR, for example a Tailscale or tunnel URL.                            |
-| `CODEX_RELAY_WORKSPACE_PATH`  | Workspace path Codex should use. Defaults to the directory where you run `npx codex-relay@latest`. |
-| `CODEX_RELAY_AUTH_DB_PATH`    | Pairing and session database path. Defaults to `.codex-relay/auth.db`.                             |
-| `CODEX_RELAY_APPROVAL_SECRET` | Secret used by the local approve command. Usually generated automatically.                         |
-| `CODEX_HOME`                  | Codex home directory, used when reading Codex session metadata.                                    |
-| `CODEX_BIN`                   | Codex CLI executable path.                                                                         |
+| Variable                      | Purpose                                                                                     |
+| ----------------------------- | ------------------------------------------------------------------------------------------- |
+| `PORT`                        | Server port. Defaults to `8787`.                                                            |
+| `HOST`                        | Listen host. Defaults to `0.0.0.0`.                                                         |
+| `CODEX_RELAY_PUBLIC_URL`      | URL printed into the pairing QR, for example a Tailscale or tunnel URL.                     |
+| `CODEX_RELAY_WORKSPACE_PATH`  | Workspace path Codex should use. Defaults to the directory where you run `npx codex-relay`. |
+| `CODEX_RELAY_AUTH_DB_PATH`    | Pairing and session database path. Defaults to `.codex-relay/auth.db`.                      |
+| `CODEX_RELAY_APPROVAL_SECRET` | Secret used by the local approve command. Usually generated automatically.                  |
+| `CODEX_HOME`                  | Codex home directory, used when reading Codex session metadata.                             |
+| `CODEX_BIN`                   | Codex CLI executable path.                                                                  |
 
 Examples:
 
 ```sh
-PORT=8788 npx codex-relay@latest
+PORT=8788 npx codex-relay
 ```
 
 ```sh
-CODEX_RELAY_PUBLIC_URL=http://100.64.0.10:8787 npx codex-relay@latest
+CODEX_RELAY_PUBLIC_URL=http://100.64.0.10:8787 npx codex-relay
 ```
 
 ```sh
-CODEX_RELAY_WORKSPACE_PATH=/path/to/project npx codex-relay@latest
+CODEX_RELAY_WORKSPACE_PATH=/path/to/project npx codex-relay
 ```
 
 ## Network Notes
@@ -118,16 +118,16 @@ The phone must be able to reach the URL printed as `Mobile:` by the relay.
 
 ## Troubleshooting
 
-If `npx codex-relay@latest qr` cannot find a server, start one first:
+If `npx codex-relay qr` cannot find a server, start one first:
 
 ```sh
-npx codex-relay@latest
+npx codex-relay
 ```
 
 If the relay says another process is using the local pairing database, use the existing server:
 
 ```sh
-npx codex-relay@latest qr
+npx codex-relay qr
 ```
 
 Or stop the background process shown by the CLI:

package/dist/cli.js

@@ -31,7 +31,7 @@ async function startBackgroundServer() {
 	if (existingPid) {
 		console.log(`codex-relay is already running in the background (pid ${existingPid}).`);
 		console.log(`Logs: ${logPath}`);
-		console.log("Print the current pairing QR with: npx codex-relay@latest qr");
+		console.log("Print the current pairing QR with: npx codex-relay qr");
 		return;
 	}
 	await unlink(pidPath).catch(() => void 0);
@@ -66,7 +66,7 @@ async function startBackgroundServer() {
 	}
 	console.log(`Started codex-relay in the background (pid ${startedPid}).`);
 	console.log(`Logs: ${logPath}`);
-	console.log("Print the pairing QR later with: npx codex-relay@latest qr");
+	console.log("Print the pairing QR later with: npx codex-relay qr");
 }
 async function readRunningPid(pidPath) {
 	const value = await readFile(pidPath, "utf8").catch(() => void 0);
@@ -126,8 +126,8 @@ async function printPairingQr() {
 	const state = storedState?.pairingPayload ? storedState : await readServerLogState();
 	if (!state?.pairingPayload) {
 		console.error("No running Codex Relay server state was found.");
-		console.error("Start the server first with: npx codex-relay@latest");
-		console.error("Or run it in the background with: npx codex-relay@latest --bg");
+		console.error("Start the server first with: npx codex-relay");
+		console.error("Or run it in the background with: npx codex-relay --bg");
 		process.exitCode = 1;
 		return;
 	}
@@ -152,7 +152,7 @@ async function handleServerStartError(error) {
 	if (existingPid) {
 		console.error(`A background server appears to be running (pid ${existingPid}).`);
 		console.error("Use the existing server instead of starting a second one:");
-		console.error("  npx codex-relay@latest qr");
+		console.error("  npx codex-relay qr");
 		console.error("");
 		console.error("To stop the background server:");
 		console.error(`  kill -TERM ${existingPid}`);
@@ -162,7 +162,7 @@ async function handleServerStartError(error) {
 		console.error("Another Codex Relay process is already running or exited without cleanup.");
 		if (state?.pairingPayload) {
 			console.error("Use the existing server instead of starting a second one:");
-			console.error("  npx codex-relay@latest qr");
+			console.error("  npx codex-relay qr");
 			console.error("");
 		}
 		console.error("Find it with:");
@@ -174,7 +174,7 @@ async function handleServerStartError(error) {
 	}
 	console.error("");
 	console.error("If you wanted a persistent server, start it once with:");
-	console.error("  npx codex-relay@latest --bg");
+	console.error("  npx codex-relay --bg");
 	process.exitCode = 1;
 }
 async function readApprovalSecret() {

package/dist/src.js

@@ -207,7 +207,6 @@ const WebPreviewTargetSchema = z.object({
 	detectedAt: IsoDateTimeSchema
 });
 const PairRequestSchema = z.object({
-	clientSessionId: z.string().trim().min(1).max(120).optional(),
 	clientName: z.string().trim().min(1).max(80).optional(),
 	secure: z.object({
 		clientEphemeralPublicKey: z.string().min(1),

package/dist/src2.js

@@ -540,8 +540,7 @@ function createApp(options = {}) {
 		const tokenHash = token ? options.pairing.hashClientToken(token) : void 0;
 		const validSession = tokenHash ? await options.pairing.sessions.getValidSession(tokenHash, Date.now()) : void 0;
 		if (!tokenHash || !validSession) return c.json(apiError("unauthorized", "Pair this device with the Codex Relay server."), 401);
-		if (options.pairing.serverIdentity && !secureSessionsByTokenHash.has(tokenHash)) if (validSession.secureSession) secureSessionsByTokenHash.set(tokenHash, validSession.secureSession);
-		else return c.json(apiError("secure_session_required", "Secure session expired. Pair this device again."), 401);
+		if (options.pairing.serverIdentity && !secureSessionsByTokenHash.has(tokenHash)) return c.json(apiError("secure_session_required", "Secure session expired. Pair this device again."), 401);
 		await next();
 	});
 	app.post(apiPaths.pair, async (c) => {
@@ -557,7 +556,6 @@ function createApp(options = {}) {
 			approved: false,
 			approvalCode,
 			clientEphemeralPublicKey: parsed.data.secure.clientEphemeralPublicKey,
-			clientSessionId: parsed.data.clientSessionId,
 			clientName: parsed.data.clientName,
 			clientNonce: parsed.data.secure.clientNonce,
 			expiresAt,
@@ -586,6 +584,15 @@ function createApp(options = {}) {
 		const clientToken = options.pairing.createClientToken();
 		const expiresAt = Date.now() + options.pairing.tokenTtlMs;
 		const tokenHash = options.pairing.hashClientToken(clientToken);
+		const tokenCount = await options.pairing.sessions.createSession(tokenHash, {
+			clientName: pending.clientName,
+			expiresAt
+		});
+		await options.pairing.sessions.deletePendingPairing(approvalCode);
+		options.pairing.onPaired?.({
+			clientName: pending.clientName,
+			tokenCount
+		});
 		const clientTokenExpiresAt = new Date(expiresAt).toISOString();
 		const pairing = createSecurePairing({
 			approvalCode,
@@ -597,17 +604,6 @@ function createApp(options = {}) {
 			serverIdentity: options.pairing.serverIdentity,
 			serverUrl: pending.serverUrl
 		});
-		const tokenCount = await options.pairing.sessions.createSession(tokenHash, {
-			clientSessionId: pending.clientSessionId,
-			clientName: pending.clientName,
-			expiresAt,
-			secureSession: pairing.session
-		});
-		await options.pairing.sessions.deletePendingPairing(approvalCode);
-		options.pairing.onPaired?.({
-			clientName: pending.clientName,
-			tokenCount
-		});
 		secureSessionsByTokenHash.set(tokenHash, pairing.session);
 		return c.json(PairResponseSchema.parse({ secure: pairing.response }), 201);
 	});
@@ -634,15 +630,15 @@ function createApp(options = {}) {
 		const expiresAt = Date.now() + options.pairing.tokenTtlMs;
 		const oldTokenHash = options.pairing.hashClientToken(oldToken);
 		const newTokenHash = options.pairing.hashClientToken(clientToken);
-		const clientSessionId = normalizeClientSessionId(c.req.header("x-codex-relay-client-session-id")) ?? oldSession.clientSessionId;
 		const tokenCount = await options.pairing.sessions.rotateSession(oldTokenHash, newTokenHash, {
-			clientSessionId,
 			clientName: oldSession.clientName,
-			expiresAt,
-			secureSession: secureSessionsByTokenHash.get(oldTokenHash) ?? oldSession.secureSession
+			expiresAt
 		});
-		const secureSession = secureSessionsByTokenHash.get(oldTokenHash) ?? oldSession.secureSession;
-		if (secureSession) secureSessionsByTokenHash.set(oldTokenHash, secureSession);
+		const secureSession = secureSessionsByTokenHash.get(oldTokenHash);
+		if (secureSession) {
+			secureSessionsByTokenHash.delete(oldTokenHash);
+			secureSessionsByTokenHash.set(newTokenHash, secureSession);
+		}
 		options.pairing.onTokenRefreshed?.({
 			clientName: oldSession.clientName,
 			tokenCount
@@ -651,13 +647,7 @@ function createApp(options = {}) {
 			clientToken,
 			clientTokenExpiresAt: new Date(expiresAt).toISOString()
 		});
-		const jsonResponse = await secureJson(c, options.pairing, secureSessionsByTokenHash, response, 201);
-		if (secureSession) {
-			secureSessionsByTokenHash.delete(oldTokenHash);
-			secureSessionsByTokenHash.set(newTokenHash, secureSession);
-			await options.pairing.sessions.updateSecureSession(newTokenHash, secureSession);
-		}
-		return jsonResponse;
+		return secureJson(c, options.pairing, secureSessionsByTokenHash, response, 201);
 	});
 	app.get(apiPaths.status, (c) => {
 		const response = StatusResponseSchema.parse({
@@ -997,10 +987,6 @@ function normalizeApprovalCode(value) {
 	const normalized = value.toUpperCase().replace(/[^A-Z0-9]/g, "").replaceAll("O", "0").replaceAll("I", "1");
 	return normalized.length === 8 ? `${normalized.slice(0, 4)}-${normalized.slice(4)}` : normalized;
 }
-function normalizeClientSessionId(value) {
-	const trimmed = value?.trim();
-	return trimmed ? trimmed.slice(0, 120) : void 0;
-}
 async function validateThreadWorkspacePath(rootPath, requestedPath) {
 	const resolved = resolve(requestedPath ?? rootPath);
 	try {
@@ -1533,8 +1519,7 @@ async function parseRequestJson(c, pairing, secureSessionsByTokenHash, schema) {
 		const envelope = EncryptedPayloadSchema.safeParse(payload);
 		if (!envelope.success) return schema.safeParse({ __invalidEncryptedPayload: true });
 		try {
-			payload = JSON.parse(decryptFromMobile(secureSession.session, envelope.data));
-			await secureSession.persist();
+			payload = JSON.parse(decryptFromMobile(secureSession, envelope.data));
 		} catch {
 			payload = { __invalidEncryptedPayload: true };
 		}
@@ -1550,30 +1535,15 @@ async function parsePlainJson(request, schema) {
 	}
 	return schema.safeParse(payload);
 }
-async function secureJson(c, pairing, secureSessionsByTokenHash, payload, status) {
+function secureJson(c, pairing, secureSessionsByTokenHash, payload, status) {
 	const secureSession = getSecureSessionForRequest(c, pairing, secureSessionsByTokenHash);
 	if (!secureSession) return c.json(payload, status);
-	const encrypted = EncryptedPayloadSchema.parse(encryptForMobile(secureSession.session, JSON.stringify(payload)));
-	await secureSession.persist();
+	const encrypted = EncryptedPayloadSchema.parse(encryptForMobile(secureSession, JSON.stringify(payload)));
 	return c.json(encrypted, status);
 }
 function getSecureSessionForRequest(c, pairing, secureSessionsByTokenHash) {
 	const token = parseBearerToken(c.req.header("authorization"));
-	if (!token || !pairing) return;
-	const tokenHash = pairing.hashClientToken(token);
-	const session = secureSessionsByTokenHash.get(tokenHash);
-	return session ? createSecureSessionHandle(pairing, tokenHash, session) : void 0;
-}
-function createSecureSessionHandle(pairing, tokenHash, session) {
-	let pendingPersist = Promise.resolve();
-	return {
-		persist: () => {
-			pendingPersist = pendingPersist.catch(() => void 0).then(() => pairing.sessions.updateSecureSession(tokenHash, session));
-			return pendingPersist;
-		},
-		session,
-		tokenHash
-	};
+	return token && pairing ? secureSessionsByTokenHash.get(pairing.hashClientToken(token)) : void 0;
 }
 function sortedThreads(threads) {
 	return [...threads.values()].sort((a, b) => b.updatedAt.localeCompare(a.updatedAt));
@@ -1700,8 +1670,7 @@ function updateThread(threads, messagesByThreadId, threadId, update) {
 }
 function sendSse(controller, encoder, secureSession, event) {
 	const parsed = StreamThreadRunEventSchema.parse(event);
-	const data = secureSession ? EncryptedPayloadSchema.parse(encryptForMobile(secureSession.session, JSON.stringify(parsed))) : parsed;
-	if (secureSession) secureSession.persist().catch(() => void 0);
+	const data = secureSession ? EncryptedPayloadSchema.parse(encryptForMobile(secureSession, JSON.stringify(parsed))) : parsed;
 	controller.enqueue(encoder.encode(`event: ${parsed.type}\n`));
 	controller.enqueue(encoder.encode(`data: ${JSON.stringify(data)}\n\n`));
 }
@@ -2454,7 +2423,7 @@ function normalizeFileChanges(value) {
 async function readWorkspaceChanges(workspacePath) {
 	const repo = await openRepository(workspacePath);
 	const [currentBranch, branches] = await Promise.all([currentGitBranch(workspacePath), listGitBranches(workspacePath)]);
-	const statusEntries = collectIterator(repo.statuses().iter()).filter((entry) => !entry.status().ignored);
+	const statusEntries = collectIterator(repo.statuses().iter());
 	const statusByPath = new Map(statusEntries.map((entry) => [entry.path(), entry]));
 	const status = statusEntries.map((entry) => formatStatusLine(entry.path(), entry.status())).join("\n");
 	const structuredDiff = createWorkspaceDiff(repo);
@@ -2502,11 +2471,6 @@ async function readWorkspaceChanges(workspacePath) {
 		});
 	}
 	const files = [...filesByPath.values()].sort((left, right) => left.path.localeCompare(right.path));
-	const fileStats = {
-		additions: files.reduce((total, file) => total + file.additions, 0),
-		deletions: files.reduce((total, file) => total + file.deletions, 0),
-		filesChanged: files.length
-	};
 	return {
 		branches,
 		currentBranch,
@@ -2514,10 +2478,10 @@ async function readWorkspaceChanges(workspacePath) {
 		files,
 		hasChanges: files.length > 0 || Boolean(status.trim() || diff.trim()),
 		status,
-		stats: files.length > 0 ? fileStats : {
+		stats: {
 			additions: Number(stats.insertions),
 			deletions: Number(stats.deletions),
-			filesChanged: Number(stats.filesChanged)
+			filesChanged: files.length || Number(stats.filesChanged)
 		}
 	};
 }
@@ -2638,21 +2602,14 @@ async function createTursoPairingSessionStore(path) {
 	await db.exec(`
     CREATE TABLE IF NOT EXISTS pairing_sessions (
       token_hash TEXT PRIMARY KEY,
-      client_session_id TEXT,
       client_name TEXT,
       expires_at INTEGER NOT NULL,
-      key_epoch INTEGER,
-      mobile_to_server_key TEXT,
-      server_to_mobile_key TEXT,
-      last_mobile_counter INTEGER,
-      next_server_counter INTEGER,
       created_at INTEGER NOT NULL,
       updated_at INTEGER NOT NULL
     );
 
     CREATE TABLE IF NOT EXISTS pending_pairings (
       approval_code TEXT PRIMARY KEY,
-      client_session_id TEXT,
       client_name TEXT,
       client_ephemeral_public_key TEXT NOT NULL,
       client_nonce TEXT NOT NULL,
@@ -2663,9 +2620,8 @@ async function createTursoPairingSessionStore(path) {
       updated_at INTEGER NOT NULL
     );
   `);
-	await ensurePairingSessionColumns();
 	async function countActive(now) {
-		const row = await db.prepare("SELECT COUNT(DISTINCT COALESCE(client_session_id, token_hash)) AS count FROM pairing_sessions WHERE expires_at > ?").get(now);
+		const row = await db.prepare("SELECT COUNT(*) AS count FROM pairing_sessions WHERE expires_at > ?").get(now);
 		return Number(row?.count ?? 0);
 	}
 	async function deleteSession(tokenHash) {
@@ -2676,7 +2632,6 @@ async function createTursoPairingSessionStore(path) {
 	}
 	async function getPendingPairing(approvalCode, now) {
 		const row = await db.prepare(`SELECT approval_code AS approvalCode,
-                client_session_id AS clientSessionId,
                 client_name AS clientName,
                 client_ephemeral_public_key AS clientEphemeralPublicKey,
                 client_nonce AS clientNonce,
@@ -2695,7 +2650,6 @@ async function createTursoPairingSessionStore(path) {
 			approvalCode: String(row.approvalCode),
 			approved: Number(row.approved) === 1,
 			clientEphemeralPublicKey: String(row.clientEphemeralPublicKey),
-			clientSessionId: typeof row.clientSessionId === "string" ? row.clientSessionId : void 0,
 			clientName: typeof row.clientName === "string" ? row.clientName : void 0,
 			clientNonce: String(row.clientNonce),
 			expiresAt,
@@ -2717,7 +2671,6 @@ async function createTursoPairingSessionStore(path) {
 			const now = Date.now();
 			await db.prepare(`INSERT INTO pending_pairings (
              approval_code,
-             client_session_id,
              client_name,
              client_ephemeral_public_key,
              client_nonce,
@@ -2727,45 +2680,19 @@ async function createTursoPairingSessionStore(path) {
              created_at,
              updated_at
            )
-           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(pairing.approvalCode, pairing.clientSessionId ?? null, pairing.clientName ?? null, pairing.clientEphemeralPublicKey, pairing.clientNonce, pairing.serverUrl, pairing.approved ? 1 : 0, pairing.expiresAt, now, now);
+           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(pairing.approvalCode, pairing.clientName ?? null, pairing.clientEphemeralPublicKey, pairing.clientNonce, pairing.serverUrl, pairing.approved ? 1 : 0, pairing.expiresAt, now, now);
 		},
 		async createSession(tokenHash, session) {
 			const now = Date.now();
-			const secure = encodeSecureSession(session.secureSession);
-			if (session.clientSessionId) {
-				await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id = ?").run(session.clientSessionId);
-				if (session.clientName) await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id IS NULL AND client_name = ?").run(session.clientName);
-			}
-			await db.prepare(`INSERT INTO pairing_sessions (
-             token_hash,
-             client_session_id,
-             client_name,
-             expires_at,
-             key_epoch,
-             mobile_to_server_key,
-             server_to_mobile_key,
-             last_mobile_counter,
-             next_server_counter,
-             created_at,
-             updated_at
-           )
-           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(tokenHash, session.clientSessionId ?? null, session.clientName ?? null, session.expiresAt, secure?.keyEpoch ?? null, secure?.mobileToServerKey ?? null, secure?.serverToMobileKey ?? null, secure?.lastMobileCounter ?? null, secure?.nextServerCounter ?? null, now, now);
+			await db.prepare(`INSERT INTO pairing_sessions (token_hash, client_name, expires_at, created_at, updated_at)
+           VALUES (?, ?, ?, ?, ?)`).run(tokenHash, session.clientName ?? null, session.expiresAt, now, now);
 			return countActive(now);
 		},
 		deleteSession,
 		deletePendingPairing,
 		getPendingPairing,
 		async getValidSession(tokenHash, now) {
-			const row = await db.prepare(`SELECT client_name AS clientName,
-                  client_session_id AS clientSessionId,
-                  expires_at AS expiresAt,
-                  key_epoch AS keyEpoch,
-                  mobile_to_server_key AS mobileToServerKey,
-                  server_to_mobile_key AS serverToMobileKey,
-                  last_mobile_counter AS lastMobileCounter,
-                  next_server_counter AS nextServerCounter
-           FROM pairing_sessions
-           WHERE token_hash = ?`).get(tokenHash);
+			const row = await db.prepare("SELECT client_name AS clientName, expires_at AS expiresAt FROM pairing_sessions WHERE token_hash = ?").get(tokenHash);
 			if (!row) return;
 			const expiresAt = Number(row.expiresAt);
 			if (now > expiresAt) {
@@ -2773,10 +2700,8 @@ async function createTursoPairingSessionStore(path) {
 				return;
 			}
 			return {
-				clientSessionId: typeof row.clientSessionId === "string" ? row.clientSessionId : void 0,
 				clientName: typeof row.clientName === "string" ? row.clientName : void 0,
-				expiresAt,
-				secureSession: decodeSecureSession(row)
+				expiresAt
 			};
 		},
 		async pruneExpired(now) {
@@ -2785,82 +2710,14 @@ async function createTursoPairingSessionStore(path) {
 		},
 		async rotateSession(oldTokenHash, newTokenHash, session) {
 			const now = Date.now();
-			const secure = encodeSecureSession(session.secureSession);
 			await db.transaction(async () => {
 				await db.prepare("DELETE FROM pairing_sessions WHERE token_hash = ?").run(oldTokenHash);
-				if (session.clientSessionId) {
-					await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id = ?").run(session.clientSessionId);
-					if (session.clientName) await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id IS NULL AND client_name = ?").run(session.clientName);
-				}
-				await db.prepare(`INSERT INTO pairing_sessions (
-               token_hash,
-               client_session_id,
-               client_name,
-               expires_at,
-               key_epoch,
-               mobile_to_server_key,
-               server_to_mobile_key,
-               last_mobile_counter,
-               next_server_counter,
-               created_at,
-               updated_at
-             )
-             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(newTokenHash, session.clientSessionId ?? null, session.clientName ?? null, session.expiresAt, secure?.keyEpoch ?? null, secure?.mobileToServerKey ?? null, secure?.serverToMobileKey ?? null, secure?.lastMobileCounter ?? null, secure?.nextServerCounter ?? null, now, now);
+				await db.prepare(`INSERT INTO pairing_sessions (token_hash, client_name, expires_at, created_at, updated_at)
+             VALUES (?, ?, ?, ?, ?)`).run(newTokenHash, session.clientName ?? null, session.expiresAt, now, now);
 			})();
 			return countActive(now);
-		},
-		async updateSecureSession(tokenHash, secureSession) {
-			const secure = encodeSecureSession(secureSession);
-			const now = Date.now();
-			await db.prepare(`UPDATE pairing_sessions
-           SET key_epoch = ?,
-               mobile_to_server_key = ?,
-               server_to_mobile_key = ?,
-               last_mobile_counter = ?,
-               next_server_counter = ?,
-               updated_at = ?
-           WHERE token_hash = ?`).run(secure.keyEpoch, secure.mobileToServerKey, secure.serverToMobileKey, secure.lastMobileCounter, secure.nextServerCounter, now, tokenHash);
 		}
 	};
-	async function ensurePairingSessionColumns() {
-		const rows = await db.prepare("PRAGMA table_info(pairing_sessions)").all();
-		const columns = new Set(resultRows(rows).map((row) => String(row.name)));
-		for (const [column, sql] of [
-			["client_session_id", "ALTER TABLE pairing_sessions ADD COLUMN client_session_id TEXT"],
-			["key_epoch", "ALTER TABLE pairing_sessions ADD COLUMN key_epoch INTEGER"],
-			["mobile_to_server_key", "ALTER TABLE pairing_sessions ADD COLUMN mobile_to_server_key TEXT"],
-			["server_to_mobile_key", "ALTER TABLE pairing_sessions ADD COLUMN server_to_mobile_key TEXT"],
-			["last_mobile_counter", "ALTER TABLE pairing_sessions ADD COLUMN last_mobile_counter INTEGER"],
-			["next_server_counter", "ALTER TABLE pairing_sessions ADD COLUMN next_server_counter INTEGER"]
-		]) if (!columns.has(column)) await db.exec(sql);
-		const pendingRows = await db.prepare("PRAGMA table_info(pending_pairings)").all();
-		if (!new Set(resultRows(pendingRows).map((row) => String(row.name))).has("client_session_id")) await db.exec("ALTER TABLE pending_pairings ADD COLUMN client_session_id TEXT");
-	}
-}
-function encodeSecureSession(session) {
-	if (!session) return;
-	return {
-		keyEpoch: session.keyEpoch,
-		lastMobileCounter: session.lastMobileCounter,
-		mobileToServerKey: fromByteArray(session.mobileToServerKey),
-		nextServerCounter: session.nextServerCounter,
-		serverToMobileKey: fromByteArray(session.serverToMobileKey)
-	};
-}
-function decodeSecureSession(row) {
-	if (typeof row.mobileToServerKey !== "string" || typeof row.serverToMobileKey !== "string" || row.keyEpoch === null || row.lastMobileCounter === null || row.nextServerCounter === null) return;
-	return {
-		keyEpoch: Number(row.keyEpoch),
-		lastMobileCounter: Number(row.lastMobileCounter),
-		mobileToServerKey: toByteArray(row.mobileToServerKey),
-		nextServerCounter: Number(row.nextServerCounter),
-		serverToMobileKey: toByteArray(row.serverToMobileKey)
-	};
-}
-function resultRows(result) {
-	if (Array.isArray(result)) return result;
-	if (result && typeof result === "object" && Array.isArray(result.rows)) return result.rows;
-	return [];
 }
 //#endregion
 //#region src/index.ts
@@ -2995,7 +2852,7 @@ async function writeBackgroundPid() {
 	await writeFile(path, `${process.pid}\n`, { mode: 384 });
 }
 function formatApprovalCommand(approvalCode, activePort) {
-	return activePort === 8787 ? `npx codex-relay@latest approve ${approvalCode}` : `PORT=${activePort} npx codex-relay@latest approve ${approvalCode}`;
+	return activePort === 8787 ? `npx codex-relay approve ${approvalCode}` : `PORT=${activePort} npx codex-relay approve ${approvalCode}`;
 }
 function getLocalNetworkConnectUrl(port) {
 	for (const addresses of Object.values(networkInterfaces())) for (const address of addresses ?? []) if (address.family === "IPv4" && !address.internal) return `http://${address.address}:${port}`;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codex-relay",
-  "version": "1.0.1-beta.0",
+  "version": "1.0.1",
   "description": "Local Codex Relay CLI bridge for the Codex Relay mobile app.",
   "repository": {
     "type": "git",