codex-relay 1.0.1 → 1.0.2

package/dist/src2.js

@@ -1,2911 +0,0 @@
-import { C as WorkspaceGitActionResponseSchema, S as WorkspaceChangesResponseSchema, T as createOpenApiDocument, _ as StreamThreadRunEventSchema, a as CreateThreadRequestSchema, b as ThreadDetailResponseSchema, c as ListThreadsResponseSchema, d as PairResponseSchema, f as RateLimitsResponseSchema, g as StatusResponseSchema, h as RunThreadRequestSchema, i as ContextWindowUsageSchema, l as ListWorkspaceDirectoriesResponseSchema, m as ResolveApprovalResponseSchema, n as CheckoutWorkspaceBranchRequestSchema, o as EncryptedPayloadSchema, p as ResolveApprovalRequestSchema, r as CommitPushWorkspaceRequestSchema, s as ListModelsResponseSchema, t as ChatMessageSchema, u as PairRequestSchema, v as SubmitThreadInputResponseSchema, w as apiPaths, x as ThreadSummarySchema, y as ThreadContextWindowResponseSchema } from "./src.js";
-import qrcode from "qrcode-terminal";
-import { execFile, execFileSync, spawn } from "node:child_process";
-import fs from "node:fs";
-import { mkdir, readFile, readdir, stat, writeFile } from "node:fs/promises";
-import path, { dirname, resolve } from "node:path";
-import { z } from "zod";
-import { serve } from "@hono/node-server";
-import pc from "picocolors";
-import { createHash, randomBytes } from "node:crypto";
-import os, { hostname, networkInterfaces } from "node:os";
-import { openRepository } from "es-git";
-import { Hono } from "hono";
-import { cors } from "hono/cors";
-import { promisify } from "node:util";
-import { Codex } from "@openai/codex-sdk";
-import { createInterface } from "node:readline";
-import { gcm } from "@noble/ciphers/aes.js";
-import { randomBytes as randomBytes$1, utf8ToBytes } from "@noble/ciphers/utils.js";
-import { ed25519, x25519 } from "@noble/curves/ed25519.js";
-import { hkdf } from "@noble/hashes/hkdf.js";
-import { sha256 } from "@noble/hashes/sha2.js";
-import { fromByteArray, toByteArray } from "base64-js";
-import { connect } from "@tursodatabase/database";
-//#region src/codex.ts
-function createCodexClient() {
-	return new Codex();
-}
-function getThreadId(thread) {
-	return thread.id ?? thread.threadId ?? void 0;
-}
-function stringifyRunResult(result) {
-	if (typeof result === "string") return result;
-	if (result && typeof result === "object") {
-		const record = result;
-		const knownText = record.finalResponse ?? record.final_response ?? record.outputText ?? record.output_text ?? record.text;
-		if (typeof knownText === "string") return knownText;
-	}
-	return JSON.stringify(result, null, 2);
-}
-function extractStreamText(event) {
-	if (!event || typeof event !== "object") return;
-	const record = event;
-	const item = record.item && typeof record.item === "object" ? record.item : void 0;
-	const candidate = record.delta ?? record.text ?? record.message ?? item?.text ?? item?.aggregated_output ?? item?.command;
-	return typeof candidate === "string" && candidate.length > 0 ? candidate : void 0;
-}
-function classifyStreamEvent(event) {
-	if (!event || typeof event !== "object") return "status";
-	const record = event;
-	if (record.type === "error" || record.type === "turn.failed") return "error";
-	switch ((record.item && typeof record.item === "object" ? record.item : void 0)?.type) {
-		case "agent_message": return "assistant";
-		case "reasoning": return "reasoning";
-		case "command_execution":
-		case "file_change":
-		case "mcp_tool_call":
-		case "web_search": return "tool";
-		default: return "status";
-	}
-}
-//#endregion
-//#region src/app-server.ts
-var CodexAppServerClient = class {
-	child;
-	initialized;
-	notificationHandlers = /* @__PURE__ */ new Set();
-	nextId = 1;
-	pending = /* @__PURE__ */ new Map();
-	requestHandlers = /* @__PURE__ */ new Set();
-	readline;
-	async listThreads(limit = 80) {
-		return (await this.request("thread/list", {
-			limit,
-			sortKey: "updated_at",
-			sortDirection: "desc",
-			sourceKinds: [],
-			archived: false
-		})).data;
-	}
-	async readThread(threadId) {
-		return (await this.request("thread/read", {
-			threadId,
-			includeTurns: true
-		})).thread;
-	}
-	async listModels(limit = 80) {
-		return (await this.request("model/list", {
-			limit,
-			includeHidden: false
-		})).data;
-	}
-	async readRateLimits() {
-		return this.request("account/rateLimits/read", null);
-	}
-	async startThread(params) {
-		return (await this.request("thread/start", params)).thread;
-	}
-	async startTurn(params) {
-		return (await this.request("turn/start", params)).turn;
-	}
-	onNotification(handler) {
-		this.notificationHandlers.add(handler);
-		return () => this.notificationHandlers.delete(handler);
-	}
-	onRequest(handler) {
-		this.requestHandlers.add(handler);
-		return () => this.requestHandlers.delete(handler);
-	}
-	async respondToRequest(id, result) {
-		await this.writeJson({
-			id,
-			result
-		});
-	}
-	async rejectRequest(id, code, message) {
-		await this.writeJson({
-			id,
-			error: {
-				code,
-				message
-			}
-		});
-	}
-	close() {
-		for (const pending of this.pending.values()) pending.reject(/* @__PURE__ */ new Error("Codex app-server was closed."));
-		this.pending.clear();
-		this.readline?.close();
-		this.child?.kill();
-		this.readline = void 0;
-		this.child = void 0;
-		this.initialized = void 0;
-	}
-	async request(method, params) {
-		await this.ensureInitialized();
-		const id = this.nextId++;
-		return new Promise((resolve, reject) => {
-			this.pending.set(id, {
-				resolve: (value) => resolve(value),
-				reject
-			});
-			this.child.stdin.write(`${JSON.stringify({
-				id,
-				method,
-				params
-			})}\n`, (error) => {
-				if (error) {
-					this.pending.delete(id);
-					reject(error);
-				}
-			});
-		});
-	}
-	ensureInitialized() {
-		if (!this.initialized) this.initialized = this.start();
-		return this.initialized;
-	}
-	start() {
-		this.child = spawn(resolveCodexBinary(), [
-			"app-server",
-			"--listen",
-			"stdio://"
-		], { env: process.env });
-		this.readline = createInterface({
-			input: this.child.stdout,
-			crlfDelay: Infinity
-		});
-		this.readline.on("line", (line) => this.handleLine(line));
-		this.child.once("error", (error) => this.rejectAll(error));
-		this.child.once("exit", (code, signal) => {
-			this.rejectAll(/* @__PURE__ */ new Error(`Codex app-server exited with ${signal ?? code ?? 1}.`));
-			this.child = void 0;
-			this.initialized = void 0;
-		});
-		return this.requestRaw("initialize", {
-			clientInfo: {
-				name: "codex-relay",
-				title: "Codex Relay Mobile Server",
-				version: "0.1.0"
-			},
-			capabilities: { experimentalApi: true }
-		}).then(() => void 0);
-	}
-	requestRaw(method, params) {
-		const id = this.nextId++;
-		const request = JSON.stringify({
-			id,
-			method,
-			params
-		});
-		return new Promise((resolve, reject) => {
-			this.pending.set(id, {
-				resolve: (value) => resolve(value),
-				reject
-			});
-			this.child.stdin.write(`${request}\n`, (error) => {
-				if (error) {
-					this.pending.delete(id);
-					reject(error);
-				}
-			});
-		});
-	}
-	handleLine(line) {
-		let message;
-		try {
-			message = JSON.parse(line);
-		} catch {
-			return;
-		}
-		if (typeof message.method === "string" && typeof message.id === "number") {
-			const request = {
-				id: message.id,
-				method: message.method,
-				params: message.params
-			};
-			if (this.requestHandlers.size === 0) this.rejectRequest(request.id, -32601, `No handler for ${request.method}.`);
-			else for (const handler of this.requestHandlers) handler(request);
-			return;
-		}
-		if (typeof message.method === "string") {
-			const notification = {
-				method: message.method,
-				params: message.params
-			};
-			for (const handler of this.notificationHandlers) handler(notification);
-			return;
-		}
-		if (typeof message.id !== "number") return;
-		const pending = this.pending.get(message.id);
-		if (!pending) return;
-		this.pending.delete(message.id);
-		if (message.error) pending.reject(new Error(message.error.message));
-		else pending.resolve(message.result);
-	}
-	writeJson(payload) {
-		return new Promise((resolve, reject) => {
-			if (!this.child?.stdin) {
-				reject(/* @__PURE__ */ new Error("Codex app-server is not running."));
-				return;
-			}
-			this.child.stdin.write(`${JSON.stringify(payload)}\n`, (error) => {
-				if (error) reject(error);
-				else resolve();
-			});
-		});
-	}
-	rejectAll(error) {
-		for (const pending of this.pending.values()) pending.reject(error);
-		this.pending.clear();
-	}
-};
-function resolveCodexBinary() {
-	return process.env.CODEX_BIN ?? "codex";
-}
-//#endregion
-//#region src/context-window.ts
-const contextReadCandidateLimit = 128;
-const contextReadScanBytes = 512 * 1024;
-const threadLookupScanBytes = 512 * 1024;
-const turnLookupScanBytes = 16 * 1024;
-function readLatestContextWindowUsage({ threadId, turnId }) {
-	const rolloutPath = findRecentRolloutFileForContextRead(resolveSessionsRoot(), {
-		threadId,
-		turnId
-	});
-	if (!rolloutPath) return {
-		rolloutPath: null,
-		usage: null
-	};
-	const stat = fs.statSync(rolloutPath);
-	return {
-		rolloutPath,
-		usage: readRolloutUsageChunk({
-			endExclusive: stat.size,
-			filePath: rolloutPath,
-			start: Math.max(0, stat.size - contextReadScanBytes)
-		}).usage
-	};
-}
-function resolveSessionsRoot() {
-	const codexHome = process.env.CODEX_HOME || path.join(os.homedir(), ".codex");
-	return path.join(codexHome, "sessions");
-}
-function findRecentRolloutFileForContextRead(root, { threadId = "", turnId = "" }) {
-	const candidates = collectRecentRolloutFiles(root);
-	if (candidates.length === 0) return null;
-	if (turnId) {
-		for (const candidate of candidates) if (rolloutFileContainsTurnId(candidate.filePath, turnId)) return candidate.filePath;
-	}
-	if (threadId) {
-		const filenameMatch = candidates.find(({ filePath }) => path.basename(filePath).includes(threadId));
-		if (filenameMatch) return filenameMatch.filePath;
-		for (const candidate of candidates) if (rolloutFileContainsThreadId(candidate.filePath, threadId)) return candidate.filePath;
-	}
-	return null;
-}
-function collectRecentRolloutFiles(root) {
-	if (!fs.existsSync(root)) return [];
-	const stack = [root];
-	const candidates = [];
-	while (stack.length > 0) {
-		const current = stack.pop();
-		for (const entry of fs.readdirSync(current, { withFileTypes: true })) {
-			const fullPath = path.join(current, entry.name);
-			if (entry.isDirectory()) {
-				stack.push(fullPath);
-				continue;
-			}
-			if (entry.isFile() && entry.name.startsWith("rollout-") && entry.name.endsWith(".jsonl")) candidates.push({
-				filePath: fullPath,
-				mtimeMs: fs.statSync(fullPath).mtimeMs
-			});
-		}
-	}
-	return candidates.sort((left, right) => right.mtimeMs - left.mtimeMs).slice(0, contextReadCandidateLimit);
-}
-function rolloutFileContainsTurnId(filePath, turnId) {
-	const stat = fs.statSync(filePath);
-	const chunk = readFileSlice(filePath, 0, Math.min(stat.size, turnLookupScanBytes));
-	return chunk.includes(`"turn_id":"${turnId}"`) || chunk.includes(`"turnId":"${turnId}"`);
-}
-function rolloutFileContainsThreadId(filePath, threadId) {
-	const stat = fs.statSync(filePath);
-	const chunk = readFileSlice(filePath, Math.max(0, stat.size - Math.min(stat.size, threadLookupScanBytes)), stat.size);
-	return chunk.includes(`"thread_id":"${threadId}"`) || chunk.includes(`"threadId":"${threadId}"`) || chunk.includes(`"conversation_id":"${threadId}"`) || chunk.includes(`"conversationId":"${threadId}"`);
-}
-function readRolloutUsageChunk({ filePath, start, endExclusive }) {
-	const lines = readFileSlice(filePath, start, endExclusive).split("\n");
-	if (start > 0) lines.shift();
-	let latestUsage = null;
-	for (const line of lines) {
-		const usage = extractContextUsageFromRolloutLine(line);
-		if (usage) latestUsage = usage;
-	}
-	return { usage: latestUsage };
-}
-function readFileSlice(filePath, start, endExclusive) {
-	const length = Math.max(0, endExclusive - start);
-	if (length === 0) return "";
-	const fileHandle = fs.openSync(filePath, "r");
-	try {
-		const buffer = Buffer.alloc(length);
-		const bytesRead = fs.readSync(fileHandle, buffer, 0, length, start);
-		return buffer.toString("utf8", 0, bytesRead);
-	} finally {
-		fs.closeSync(fileHandle);
-	}
-}
-function extractContextUsageFromRolloutLine(rawLine) {
-	let parsed;
-	try {
-		parsed = JSON.parse(rawLine.trim());
-	} catch {
-		return null;
-	}
-	if (!parsed || typeof parsed !== "object") return null;
-	const record = parsed;
-	if (record.type !== "event_msg" || !record.payload || typeof record.payload !== "object") return null;
-	const payload = record.payload;
-	if (payload.type !== "token_count" || !payload.info || typeof payload.info !== "object") return null;
-	return contextUsageFromTokenCountInfo(payload.info);
-}
-function contextUsageFromTokenCountInfo(info) {
-	const usageRoot = objectValue(info.last_token_usage ?? info.lastTokenUsage ?? info.total_token_usage ?? info.totalTokenUsage);
-	const tokenLimit = positiveInteger(info.model_context_window ?? info.modelContextWindow ?? info.context_window ?? info.contextWindow);
-	if (!tokenLimit) return null;
-	const tokensUsed = positiveInteger(usageRoot?.total_tokens ?? usageRoot?.totalTokens) ?? sumPositiveIntegers([
-		usageRoot?.input_tokens ?? usageRoot?.inputTokens,
-		usageRoot?.output_tokens ?? usageRoot?.outputTokens,
-		usageRoot?.reasoning_output_tokens ?? usageRoot?.reasoningOutputTokens
-	]);
-	if (tokensUsed === null) return null;
-	return ContextWindowUsageSchema.parse({
-		tokenLimit,
-		tokensUsed: Math.min(tokensUsed, tokenLimit)
-	});
-}
-function objectValue(value) {
-	return value && typeof value === "object" ? value : void 0;
-}
-function positiveInteger(value) {
-	if (typeof value === "number" && Number.isFinite(value)) return Math.max(0, Math.trunc(value));
-	if (typeof value === "string") {
-		const parsed = Number.parseInt(value, 10);
-		return Number.isFinite(parsed) ? Math.max(0, parsed) : null;
-	}
-	return null;
-}
-function sumPositiveIntegers(values) {
-	let sum = 0;
-	let found = false;
-	for (const value of values) {
-		const parsed = positiveInteger(value);
-		if (parsed !== null) {
-			sum += parsed;
-			found = true;
-		}
-	}
-	return found ? sum : null;
-}
-const handshakeTag = "codex-relay-e2ee-v1";
-function createServerIdentity() {
-	const privateKey = ed25519.utils.randomSecretKey();
-	return {
-		privateKey,
-		publicKey: bytesToBase64(ed25519.getPublicKey(privateKey))
-	};
-}
-function createSecurePairing(input) {
-	const serverEphemeralPrivateKey = x25519.utils.randomSecretKey();
-	const serverEphemeralPublicKey = x25519.getPublicKey(serverEphemeralPrivateKey);
-	const serverNonce = randomBytes$1(32);
-	const transcript = pairingTranscript({
-		clientEphemeralPublicKey: input.clientEphemeralPublicKey,
-		clientNonce: input.clientNonce,
-		keyEpoch: input.keyEpoch,
-		approvalCode: input.approvalCode,
-		serverEphemeralPublicKey: bytesToBase64(serverEphemeralPublicKey),
-		serverIdentityPublicKey: input.serverIdentity.publicKey,
-		serverNonce: bytesToBase64(serverNonce),
-		serverUrl: input.serverUrl
-	});
-	const session = deriveSession(x25519.getSharedSecret(serverEphemeralPrivateKey, base64ToBytes(input.clientEphemeralPublicKey)), transcript, input.keyEpoch);
-	const encryptedPayload = encryptWithKey(session.serverToMobileKey, "server", input.keyEpoch, 0, JSON.stringify({
-		clientToken: input.clientToken,
-		clientTokenExpiresAt: input.clientTokenExpiresAt
-	}));
-	session.nextServerCounter = 1;
-	return {
-		response: {
-			encryptedPayload: encryptedPayload.ciphertext,
-			keyEpoch: input.keyEpoch,
-			protocolVersion: 1,
-			serverEphemeralPublicKey: bytesToBase64(serverEphemeralPublicKey),
-			serverNonce: bytesToBase64(serverNonce),
-			serverSignature: bytesToBase64(ed25519.sign(transcript, input.serverIdentity.privateKey))
-		},
-		session
-	};
-}
-function encryptForMobile(session, plaintext) {
-	const envelope = encryptWithKey(session.serverToMobileKey, "server", session.keyEpoch, session.nextServerCounter, plaintext);
-	session.nextServerCounter += 1;
-	return envelope;
-}
-function decryptFromMobile(session, envelope) {
-	if (!isEncryptedEnvelope(envelope) || envelope.sender !== "mobile") throw new Error("Expected encrypted mobile payload.");
-	if (envelope.keyEpoch !== session.keyEpoch || envelope.counter <= session.lastMobileCounter) throw new Error("Rejected stale encrypted mobile payload.");
-	const plaintext = decryptWithKey(session.mobileToServerKey, "mobile", envelope.counter, envelope.ciphertext);
-	session.lastMobileCounter = envelope.counter;
-	return plaintext;
-}
-function deriveSession(sharedSecret, transcript, keyEpoch) {
-	const salt = sha256(transcript);
-	const infoPrefix = `${handshakeTag}|${keyEpoch}|${bytesToBase64(sha256(transcript))}`;
-	return {
-		keyEpoch,
-		lastMobileCounter: -1,
-		mobileToServerKey: hkdf(sha256, sharedSecret, salt, utf8ToBytes(`${infoPrefix}|mobileToServer`), 32),
-		nextServerCounter: 0,
-		serverToMobileKey: hkdf(sha256, sharedSecret, salt, utf8ToBytes(`${infoPrefix}|serverToMobile`), 32)
-	};
-}
-function pairingTranscript(input) {
-	return new TextEncoder().encode(JSON.stringify({
-		tag: handshakeTag,
-		approvalCode: input.approvalCode,
-		clientEphemeralPublicKey: input.clientEphemeralPublicKey,
-		clientNonce: input.clientNonce,
-		keyEpoch: input.keyEpoch,
-		serverEphemeralPublicKey: input.serverEphemeralPublicKey,
-		serverIdentityPublicKey: input.serverIdentityPublicKey,
-		serverNonce: input.serverNonce,
-		serverUrl: input.serverUrl
-	}));
-}
-function encryptWithKey(key, sender, keyEpoch, counter, plaintext) {
-	return {
-		ciphertext: bytesToBase64(gcm(key, nonceFor(sender, counter)).encrypt(new TextEncoder().encode(plaintext))),
-		counter,
-		keyEpoch,
-		protocolVersion: 1,
-		sender
-	};
-}
-function decryptWithKey(key, sender, counter, ciphertext) {
-	const plaintext = gcm(key, nonceFor(sender, counter)).decrypt(base64ToBytes(ciphertext));
-	return new TextDecoder().decode(plaintext);
-}
-function nonceFor(sender, counter) {
-	const nonce = new Uint8Array(12);
-	nonce[0] = sender === "mobile" ? 1 : 2;
-	new DataView(nonce.buffer).setBigUint64(4, BigInt(counter), false);
-	return nonce;
-}
-function isEncryptedEnvelope(value) {
-	return value !== null && typeof value === "object" && "ciphertext" in value && "counter" in value && "keyEpoch" in value && "sender" in value && typeof value.ciphertext === "string" && typeof value.counter === "number" && typeof value.keyEpoch === "number" && (value.sender === "mobile" || value.sender === "server");
-}
-function bytesToBase64(bytes) {
-	return fromByteArray(bytes);
-}
-function base64ToBytes(value) {
-	return toByteArray(value);
-}
-//#endregion
-//#region src/app.ts
-const defaultWorkspacePath = process.cwd();
-const execFileAsync = promisify(execFile);
-const planModePromptPrefix = "Plan mode is active. Do not modify files or run implementation commands. Analyze the request, ask concise clarifying questions only if needed, and produce a concrete plan. Stop after the plan unless the user asks to execute.";
-const defaultWebPreviewPorts = [
-	3e3,
-	3001,
-	5173,
-	4173,
-	8080,
-	19006
-];
-const PairApproveRequestSchema = z.object({ approvalCode: z.string().trim().min(1) });
-function createApp(options = {}) {
-	const app = new Hono();
-	const appServer = options.appServer === void 0 ? process.env.VITEST ? null : new CodexAppServerClient() : options.appServer;
-	const codex = options.codex ?? createCodexClient();
-	const workspacePath = resolve(options.workspacePath ?? process.env.CODEX_RELAY_WORKSPACE_PATH ?? defaultWorkspacePath);
-	const threads = /* @__PURE__ */ new Map();
-	const messagesByThreadId = /* @__PURE__ */ new Map();
-	const liveThreads = /* @__PURE__ */ new Map();
-	const pendingApprovals = /* @__PURE__ */ new Map();
-	const queuedInputsByThreadId = /* @__PURE__ */ new Map();
-	const steeringThreads = /* @__PURE__ */ new Set();
-	const secureSessionsByTokenHash = /* @__PURE__ */ new Map();
-	const threadOptions = { workingDirectory: workspacePath };
-	app.use("*", cors());
-	app.use("*", async (c, next) => {
-		if (!options.pairing || c.req.method === "OPTIONS" || c.req.path.startsWith(apiPaths.pair)) {
-			await next();
-			return;
-		}
-		const token = parseBearerToken(c.req.header("authorization"));
-		const tokenHash = token ? options.pairing.hashClientToken(token) : void 0;
-		const validSession = tokenHash ? await options.pairing.sessions.getValidSession(tokenHash, Date.now()) : void 0;
-		if (!tokenHash || !validSession) return c.json(apiError("unauthorized", "Pair this device with the Codex Relay server."), 401);
-		if (options.pairing.serverIdentity && !secureSessionsByTokenHash.has(tokenHash)) return c.json(apiError("secure_session_required", "Secure session expired. Pair this device again."), 401);
-		await next();
-	});
-	app.post(apiPaths.pair, async (c) => {
-		if (!options.pairing) return c.json(apiError("pairing_disabled", "Pairing is not enabled on this server."), 404);
-		options.pairing.onPairAttempt?.({ remoteAddress: c.req.header("x-forwarded-for") ?? c.req.header("x-real-ip") ?? c.req.header("cf-connecting-ip") });
-		const parsed = await parsePlainJson(c.req.raw, PairRequestSchema);
-		if (!parsed.success) return c.json(validationError(parsed.error), 400);
-		if (!parsed.data.secure || !options.pairing.serverIdentity) return c.json(apiError("secure_pairing_required", "Pairing requires the secure QR approval flow."), 400);
-		await options.pairing.sessions.pruneExpired(Date.now());
-		const approvalCode = await createApprovalCode(options.pairing.sessions);
-		const expiresAt = Date.now() + (options.pairing.approvalTtlMs ?? 300 * 1e3);
-		await options.pairing.sessions.createPendingPairing({
-			approved: false,
-			approvalCode,
-			clientEphemeralPublicKey: parsed.data.secure.clientEphemeralPublicKey,
-			clientName: parsed.data.clientName,
-			clientNonce: parsed.data.secure.clientNonce,
-			expiresAt,
-			serverUrl: new URL(c.req.url).origin
-		});
-		options.pairing.onPairApprovalRequested?.({
-			approvalCode,
-			clientName: parsed.data.clientName
-		});
-		const response = PairResponseSchema.parse({
-			approvalCode,
-			approvalExpiresAt: new Date(expiresAt).toISOString()
-		});
-		return c.json(response, 202);
-	});
-	app.get("/v1/pair/:approvalCode", async (c) => {
-		if (!options.pairing?.serverIdentity) return c.json(apiError("pairing_disabled", "Pairing is not enabled on this server."), 404);
-		const approvalCode = normalizeApprovalCode(c.req.param("approvalCode"));
-		const pending = await options.pairing.sessions.getPendingPairing(approvalCode, Date.now());
-		if (!pending) return c.json(apiError("pairing_expired", "The pairing approval code has expired."), 410);
-		if (!pending.approved) return c.json(PairResponseSchema.parse({
-			approvalCode,
-			approvalExpiresAt: new Date(pending.expiresAt).toISOString()
-		}), 202);
-		await options.pairing.sessions.pruneExpired(Date.now());
-		const clientToken = options.pairing.createClientToken();
-		const expiresAt = Date.now() + options.pairing.tokenTtlMs;
-		const tokenHash = options.pairing.hashClientToken(clientToken);
-		const tokenCount = await options.pairing.sessions.createSession(tokenHash, {
-			clientName: pending.clientName,
-			expiresAt
-		});
-		await options.pairing.sessions.deletePendingPairing(approvalCode);
-		options.pairing.onPaired?.({
-			clientName: pending.clientName,
-			tokenCount
-		});
-		const clientTokenExpiresAt = new Date(expiresAt).toISOString();
-		const pairing = createSecurePairing({
-			approvalCode,
-			clientEphemeralPublicKey: pending.clientEphemeralPublicKey,
-			clientNonce: pending.clientNonce,
-			clientToken,
-			clientTokenExpiresAt,
-			keyEpoch: 1,
-			serverIdentity: options.pairing.serverIdentity,
-			serverUrl: pending.serverUrl
-		});
-		secureSessionsByTokenHash.set(tokenHash, pairing.session);
-		return c.json(PairResponseSchema.parse({ secure: pairing.response }), 201);
-	});
-	app.post(apiPaths.pairApprove, async (c) => {
-		if (!options.pairing) return c.json(apiError("pairing_disabled", "Pairing is not enabled on this server."), 404);
-		if (options.pairing.approvalSecret && c.req.header("x-codex-relay-approve-secret") !== options.pairing.approvalSecret) return c.json(apiError("unauthorized", "Pairing approval must come from this machine."), 401);
-		const parsed = await parsePlainJson(c.req.raw, PairApproveRequestSchema);
-		if (!parsed.success) return c.json(validationError(parsed.error), 400);
-		const approvalCode = normalizeApprovalCode(parsed.data.approvalCode);
-		const pending = await options.pairing.sessions.approvePendingPairing(approvalCode, Date.now());
-		if (!pending) return c.json(apiError("not_found", "No pending pairing request matches that code."), 404);
-		options.pairing.onPairApproved?.({
-			approvalCode,
-			clientName: pending.clientName
-		});
-		return c.json({ ok: true });
-	});
-	app.post(apiPaths.sessionRefresh, async (c) => {
-		if (!options.pairing) return c.json(apiError("pairing_disabled", "Pairing is not enabled on this server."), 404);
-		const oldToken = parseBearerToken(c.req.header("authorization"));
-		const oldSession = oldToken ? await getValidClientSession(options.pairing, oldToken) : void 0;
-		if (!oldToken || !oldSession) return c.json(apiError("unauthorized", "Pair this device with the Codex Relay server."), 401);
-		const clientToken = options.pairing.createClientToken();
-		const expiresAt = Date.now() + options.pairing.tokenTtlMs;
-		const oldTokenHash = options.pairing.hashClientToken(oldToken);
-		const newTokenHash = options.pairing.hashClientToken(clientToken);
-		const tokenCount = await options.pairing.sessions.rotateSession(oldTokenHash, newTokenHash, {
-			clientName: oldSession.clientName,
-			expiresAt
-		});
-		const secureSession = secureSessionsByTokenHash.get(oldTokenHash);
-		if (secureSession) {
-			secureSessionsByTokenHash.delete(oldTokenHash);
-			secureSessionsByTokenHash.set(newTokenHash, secureSession);
-		}
-		options.pairing.onTokenRefreshed?.({
-			clientName: oldSession.clientName,
-			tokenCount
-		});
-		const response = PairResponseSchema.parse({
-			clientToken,
-			clientTokenExpiresAt: new Date(expiresAt).toISOString()
-		});
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, response, 201);
-	});
-	app.get(apiPaths.status, (c) => {
-		const response = StatusResponseSchema.parse({
-			ok: true,
-			service: "codex-relay-server",
-			sdkAvailable: Boolean(codex),
-			machineName: hostname(),
-			workspacePath,
-			threadCount: threads.size,
-			appServerAvailable: Boolean(appServer)
-		});
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
-	});
-	app.get(apiPaths.workspaceDirectories, async (c) => {
-		const targetPath = resolve(c.req.query("path") ?? workspacePath);
-		try {
-			if (!(await stat(targetPath)).isDirectory()) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("invalid_workspace_path", "Workspace path must be a directory."), 400);
-			const directories = (await readdir(targetPath, { withFileTypes: true })).filter((entry) => entry.isDirectory() && !entry.name.startsWith(".")).map((entry) => ({
-				name: entry.name,
-				path: resolve(targetPath, entry.name)
-			})).sort((left, right) => left.name.localeCompare(right.name));
-			const response = ListWorkspaceDirectoriesResponseSchema.parse({
-				rootPath: workspacePath,
-				path: targetPath,
-				parentPath: dirname(targetPath) === targetPath ? null : dirname(targetPath),
-				directories
-			});
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
-		} catch (error) {
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_unavailable", errorMessage(error)), 400);
-		}
-	});
-	app.get(apiPaths.workspaceChanges, async (c) => {
-		try {
-			const selectedWorkspacePath = await validateThreadWorkspacePath(workspacePath, c.req.query("workspacePath"));
-			if (!selectedWorkspacePath.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("invalid_workspace_path", selectedWorkspacePath.error), 400);
-			const changes = await readWorkspaceChanges(selectedWorkspacePath.path);
-			const response = WorkspaceChangesResponseSchema.parse({
-				workspacePath: selectedWorkspacePath.path,
-				...changes
-			});
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
-		} catch (error) {
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_changes_unavailable", errorMessage(error)), 400);
-		}
-	});
-	app.post(apiPaths.workspaceCheckout, async (c) => {
-		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, CheckoutWorkspaceBranchRequestSchema);
-		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
-		try {
-			const selectedWorkspacePath = await validateThreadWorkspacePath(workspacePath, parsed.data.workspacePath);
-			if (!selectedWorkspacePath.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("invalid_workspace_path", selectedWorkspacePath.error), 400);
-			const output = await git(selectedWorkspacePath.path, ["checkout", parsed.data.branch]);
-			const response = WorkspaceGitActionResponseSchema.parse({
-				branch: await currentGitBranch(selectedWorkspacePath.path),
-				message: `Checked out ${parsed.data.branch}.`,
-				output
-			});
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
-		} catch (error) {
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_checkout_failed", errorMessage(error)), 400);
-		}
-	});
-	app.post(apiPaths.workspaceCommitPush, async (c) => {
-		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, CommitPushWorkspaceRequestSchema);
-		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
-		try {
-			const selectedWorkspacePath = await validateThreadWorkspacePath(workspacePath, parsed.data.workspacePath);
-			if (!selectedWorkspacePath.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("invalid_workspace_path", selectedWorkspacePath.error), 400);
-			await git(selectedWorkspacePath.path, ["add", "--all"]);
-			const commitOutput = await git(selectedWorkspacePath.path, [
-				"commit",
-				"-m",
-				parsed.data.message
-			]);
-			const branch = await currentGitBranch(selectedWorkspacePath.path);
-			const pushOutput = await git(selectedWorkspacePath.path, [
-				"rev-parse",
-				"--abbrev-ref",
-				"@{upstream}"
-			]).catch(() => null) ? await git(selectedWorkspacePath.path, ["push"]) : branch ? await git(selectedWorkspacePath.path, [
-				"push",
-				"-u",
-				"origin",
-				branch
-			]) : await git(selectedWorkspacePath.path, ["push"]);
-			const response = WorkspaceGitActionResponseSchema.parse({
-				branch,
-				message: "Committed and pushed workspace changes.",
-				output: [commitOutput, pushOutput].filter(Boolean).join("\n")
-			});
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
-		} catch (error) {
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_commit_push_failed", errorMessage(error)), 400);
-		}
-	});
-	app.get(apiPaths.models, async (c) => {
-		try {
-			const models = appServer ? await appServer.listModels() : fallbackModels();
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, ListModelsResponseSchema.parse({ models: models.map(mapAppServerModel) }));
-		} catch {
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, ListModelsResponseSchema.parse({ models: fallbackModels().map(mapAppServerModel) }));
-		}
-	});
-	app.get(apiPaths.rateLimits, async (c) => {
-		if (!appServer) return secureJson(c, options.pairing, secureSessionsByTokenHash, RateLimitsResponseSchema.parse({ buckets: [] }));
-		try {
-			const rateLimits = await appServer.readRateLimits();
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, RateLimitsResponseSchema.parse({ buckets: normalizeRateLimitBuckets(rateLimits) }));
-		} catch (error) {
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("rate_limits_unavailable", errorMessage(error)), 502);
-		}
-	});
-	app.get(apiPaths.threads, async (c) => {
-		if (appServer) try {
-			const appServerThreads = await appServer.listThreads();
-			const response = ListThreadsResponseSchema.parse({
-				threads: appServerThreads.map(mapAppServerThread),
-				source: "app-server"
-			});
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
-		} catch {}
-		const response = ListThreadsResponseSchema.parse({
-			threads: sortedThreads(threads),
-			source: "memory"
-		});
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
-	});
-	app.get("/v1/threads/:threadId", async (c) => {
-		const threadId = c.req.param("threadId");
-		if (appServer) try {
-			const thread = await appServer.readThread(threadId);
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, ThreadDetailResponseSchema.parse({
-				thread: mapAppServerThread(thread),
-				messages: mapAppServerMessages(thread)
-			}));
-		} catch {}
-		const thread = threads.get(threadId);
-		if (!thread) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("not_found", `Thread ${threadId} is not known to this server.`), 404);
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, ThreadDetailResponseSchema.parse({
-			thread,
-			messages: messagesByThreadId.get(threadId) ?? []
-		}));
-	});
-	app.get("/v1/threads/:threadId/context-window", async (c) => {
-		const threadId = c.req.param("threadId");
-		const result = readLatestContextWindowUsage({ threadId });
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, ThreadContextWindowResponseSchema.parse({
-			rolloutPath: result.rolloutPath,
-			threadId,
-			usage: result.usage
-		}));
-	});
-	app.get("/openapi.json", (c) => secureJson(c, options.pairing, secureSessionsByTokenHash, createOpenApiDocument()));
-	app.post("/v1/approvals/:approvalId", async (c) => {
-		const approvalId = c.req.param("approvalId");
-		const pending = pendingApprovals.get(approvalId);
-		if (!pending) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("not_found", "This approval request is no longer pending."), 404);
-		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, ResolveApprovalRequestSchema);
-		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
-		pendingApprovals.delete(approvalId);
-		await resolveAppServerRequest(pending, parsed.data.decision, parsed.data.answers ?? []);
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, ResolveApprovalResponseSchema.parse({ ok: true }));
-	});
-	app.post(apiPaths.threads, async (c) => {
-		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, CreateThreadRequestSchema);
-		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
-		const selectedWorkspacePath = await validateThreadWorkspacePath(workspacePath, parsed.data.workspacePath);
-		if (!selectedWorkspacePath.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("invalid_workspace_path", selectedWorkspacePath.error), 400);
-		const { threadId } = appServer ? await createAppServerThreadRecord({
-			appServer,
-			messagesByThreadId,
-			options: parsed.data,
-			threads,
-			title: parsed.data.title,
-			workspacePath: selectedWorkspacePath.path
-		}) : createThreadRecord({
-			codex,
-			liveThreads,
-			messagesByThreadId,
-			threads,
-			title: parsed.data.title,
-			prompt: parsed.data.prompt,
-			threadOptions: buildThreadOptions({
-				...threadOptions,
-				workingDirectory: selectedWorkspacePath.path
-			}, parsed.data)
-		});
-		if (!parsed.data.prompt) {
-			const response = {
-				thread: threads.get(threadId),
-				messages: messagesByThreadId.get(threadId) ?? []
-			};
-			return secureJson(c, options.pairing, secureSessionsByTokenHash, response, 201);
-		}
-		const response = await runPromptBuffered({
-			codex,
-			liveThreads,
-			messagesByThreadId,
-			prompt: parsed.data.prompt,
-			attachments: parsed.data.attachments ?? [],
-			threadId,
-			threadOptions: {
-				...threadOptions,
-				workingDirectory: selectedWorkspacePath.path
-			},
-			runOptions: parsed.data,
-			threads
-		});
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, response.body, response.status);
-	});
-	app.post("/v1/threads/:threadId/runs", async (c) => {
-		const threadId = c.req.param("threadId");
-		const knownThread = await ensureKnownThread({
-			appServer,
-			threadId,
-			messagesByThreadId,
-			threads
-		});
-		if (!knownThread) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("not_found", `Thread ${threadId} is not known to this server.`), 404);
-		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, RunThreadRequestSchema);
-		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
-		const response = await runPromptBuffered({
-			codex,
-			liveThreads,
-			messagesByThreadId,
-			prompt: parsed.data.prompt,
-			attachments: parsed.data.attachments ?? [],
-			threadId,
-			threadOptions: {
-				...threadOptions,
-				workingDirectory: knownThread.cwd ?? workspacePath
-			},
-			runOptions: parsed.data,
-			threads
-		});
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, response.body, response.status);
-	});
-	app.post("/v1/threads/:threadId/input", async (c) => {
-		const threadId = c.req.param("threadId");
-		const knownThread = await ensureKnownThread({
-			appServer,
-			threadId,
-			messagesByThreadId,
-			threads
-		});
-		if (!knownThread) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("not_found", `Thread ${threadId} is not known to this server.`), 404);
-		if (!appServer) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("unsupported", "Running-thread input requires the Codex app-server."), 409);
-		if (knownThread.state !== "running") return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("thread_not_running", `Thread ${threadId} is not currently running.`), 409);
-		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, RunThreadRequestSchema);
-		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
-		const queuedInputs = queuedInputsByThreadId.get(threadId) ?? [];
-		const queuedInput = {
-			attachments: parsed.data.attachments ?? [],
-			prompt: parsed.data.prompt,
-			runOptions: parsed.data,
-			workspacePath: knownThread.cwd ?? workspacePath
-		};
-		const shouldQueue = steeringThreads.has(threadId) || queuedInputs.length > 0;
-		if (shouldQueue) {
-			queuedInputs.push(queuedInput);
-			queuedInputsByThreadId.set(threadId, queuedInputs);
-		} else {
-			steeringThreads.add(threadId);
-			await startAppServerTurn(appServer, threadId, queuedInput);
-		}
-		const thread = updateThread(threads, messagesByThreadId, threadId, {
-			state: "running",
-			lastPrompt: promptWithAttachments(parsed.data.prompt, parsed.data.attachments ?? []),
-			lastError: void 0
-		});
-		const response = SubmitThreadInputResponseSchema.parse({
-			acceptedAs: shouldQueue ? "queued" : "steering",
-			queueLength: queuedInputsByThreadId.get(threadId)?.length ?? 0,
-			thread
-		});
-		return secureJson(c, options.pairing, secureSessionsByTokenHash, response, 202);
-	});
-	app.post("/v1/threads/:threadId/runs/stream", async (c) => {
-		const threadId = c.req.param("threadId");
-		const knownThread = await ensureKnownThread({
-			appServer,
-			threadId,
-			messagesByThreadId,
-			threads
-		});
-		if (!knownThread) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("not_found", `Thread ${threadId} is not known to this server.`), 404);
-		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, RunThreadRequestSchema);
-		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
-		const encoder = new TextEncoder();
-		const secureSession = getSecureSessionForRequest(c, options.pairing, secureSessionsByTokenHash);
-		const stream = new ReadableStream({ start(controller) {
-			const stopPreviewMonitor = startWebPreviewTargetMonitor({
-				bridgeUrl: c.req.url,
-				send(target) {
-					sendSse(controller, encoder, secureSession, {
-						type: "thread.preview_target.detected",
-						threadId,
-						target
-					});
-				}
-			});
-			runPromptStreamed({
-				appServer,
-				controller,
-				codex,
-				encoder,
-				liveThreads,
-				messagesByThreadId,
-				pendingApprovals,
-				queuedInputsByThreadId,
-				prompt: parsed.data.prompt,
-				attachments: parsed.data.attachments ?? [],
-				secureSession,
-				steeringThreads,
-				threadId,
-				threadOptions: {
-					...threadOptions,
-					workingDirectory: knownThread.cwd ?? workspacePath
-				},
-				runOptions: parsed.data,
-				threads
-			}).finally(stopPreviewMonitor);
-		} });
-		return new Response(stream, { headers: {
-			"cache-control": "no-cache",
-			connection: "keep-alive",
-			"content-type": "text/event-stream; charset=utf-8"
-		} });
-	});
-	return app;
-}
-function parseBearerToken(value) {
-	return (value?.match(/^Bearer\s+(.+)$/i))?.[1];
-}
-function normalizeApprovalCode(value) {
-	const normalized = value.toUpperCase().replace(/[^A-Z0-9]/g, "").replaceAll("O", "0").replaceAll("I", "1");
-	return normalized.length === 8 ? `${normalized.slice(0, 4)}-${normalized.slice(4)}` : normalized;
-}
-async function validateThreadWorkspacePath(rootPath, requestedPath) {
-	const resolved = resolve(requestedPath ?? rootPath);
-	try {
-		if (!(await stat(resolved)).isDirectory()) return {
-			success: false,
-			error: "New chat workspace must be a directory."
-		};
-	} catch (error) {
-		return {
-			success: false,
-			error: errorMessage(error)
-		};
-	}
-	return {
-		success: true,
-		path: resolved
-	};
-}
-async function createApprovalCode(sessions) {
-	for (let attempt = 0; attempt < 8; attempt += 1) {
-		const code = normalizeApprovalCode(crypto.randomUUID().replace(/-/g, "").slice(0, 8));
-		if (!await sessions.getPendingPairing(code, Date.now())) return code;
-	}
-	throw new Error("Unable to allocate a pairing approval code.");
-}
-async function getValidClientSession(pairing, token) {
-	return pairing.sessions.getValidSession(pairing.hashClientToken(token), Date.now());
-}
-function createThreadRecord(input) {
-	const now = (/* @__PURE__ */ new Date()).toISOString();
-	const thread = input.codex.startThread(input.threadOptions);
-	const threadId = getThreadId(thread) ?? `local-${crypto.randomUUID()}`;
-	const metadata = ThreadSummarySchema.parse({
-		id: threadId,
-		title: input.title ?? titleFromPrompt(input.prompt) ?? "New Codex thread",
-		createdAt: now,
-		updatedAt: now,
-		state: "idle",
-		cwd: input.threadOptions?.workingDirectory,
-		messageCount: 0
-	});
-	input.threads.set(threadId, metadata);
-	input.messagesByThreadId.set(threadId, []);
-	input.liveThreads.set(threadId, thread);
-	return { threadId };
-}
-async function createAppServerThreadRecord(input) {
-	const runtime = resolveAppServerRuntime(input.options.runtimeMode, input.workspacePath);
-	const thread = await input.appServer.startThread({
-		approvalPolicy: runtime.approvalPolicy,
-		cwd: input.workspacePath,
-		experimentalRawEvents: false,
-		model: input.options.model ?? null,
-		persistExtendedHistory: true,
-		sandbox: runtime.sandbox
-	});
-	const metadata = mapAppServerThread({
-		...thread,
-		name: input.title ?? thread.name,
-		preview: input.title ?? thread.preview
-	});
-	input.threads.set(thread.id, metadata);
-	input.messagesByThreadId.set(thread.id, []);
-	return { threadId: thread.id };
-}
-async function runPromptBuffered(input) {
-	const displayPrompt = promptWithAttachments(input.prompt, input.attachments);
-	const runPrompt = promptWithAttachments(promptForCollaborationMode(input.prompt, input.runOptions.collaborationMode), input.attachments);
-	const userMessage = appendMessage(input.messagesByThreadId, input.threadId, {
-		role: "user",
-		content: displayPrompt,
-		details: attachmentDetails(input.attachments)
-	});
-	updateThread(input.threads, input.messagesByThreadId, input.threadId, {
-		state: "running",
-		lastPrompt: displayPrompt,
-		lastError: void 0,
-		title: maybeReplaceDefaultTitle(input.threads.get(input.threadId)?.title, displayPrompt)
-	});
-	try {
-		const options = buildThreadOptions(input.threadOptions, input.runOptions);
-		const thread = hasExplicitRunOptions(input.runOptions) ? input.codex.resumeThread(input.threadId, options) : input.liveThreads.get(input.threadId) ?? input.codex.resumeThread(input.threadId, options);
-		input.liveThreads.set(input.threadId, thread);
-		const result = stringifyRunResult(await thread.run(runPrompt));
-		const actualThreadId = replaceLocalThreadId(input.threads, input.messagesByThreadId, input.liveThreads, input.threadId, getThreadId(thread));
-		const assistantMessage = appendMessage(input.messagesByThreadId, actualThreadId, {
-			role: "assistant",
-			content: result,
-			state: "completed"
-		});
-		return {
-			status: 200,
-			body: {
-				thread: updateThread(input.threads, input.messagesByThreadId, actualThreadId, {
-					state: "completed",
-					lastResult: result,
-					lastError: void 0
-				}),
-				messages: [userMessage, assistantMessage],
-				result
-			}
-		};
-	} catch (error) {
-		const failed = updateThread(input.threads, input.messagesByThreadId, input.threadId, {
-			state: "failed",
-			lastError: errorMessage(error)
-		});
-		appendMessage(input.messagesByThreadId, input.threadId, {
-			role: "error",
-			content: failed.lastError ?? "Codex run failed.",
-			state: "failed"
-		});
-		return {
-			status: 500,
-			body: apiError("codex_run_failed", failed.lastError ?? "Codex run failed.")
-		};
-	}
-}
-async function runPromptStreamed(input) {
-	if (input.appServer) {
-		await runAppServerPromptStreamed({
-			appServer: input.appServer,
-			attachments: input.attachments,
-			controller: input.controller,
-			encoder: input.encoder,
-			messagesByThreadId: input.messagesByThreadId,
-			pendingApprovals: input.pendingApprovals,
-			queuedInputsByThreadId: input.queuedInputsByThreadId,
-			prompt: input.prompt,
-			runOptions: input.runOptions,
-			secureSession: input.secureSession,
-			steeringThreads: input.steeringThreads,
-			threadId: input.threadId,
-			threads: input.threads,
-			workspacePath: input.threadOptions?.workingDirectory ?? defaultWorkspacePath
-		});
-		return;
-	}
-	let activeThreadId = input.threadId;
-	let assistantMessage;
-	try {
-		const displayPrompt = promptWithAttachments(input.prompt, input.attachments);
-		const runPrompt = promptWithAttachments(promptForCollaborationMode(input.prompt, input.runOptions.collaborationMode), input.attachments);
-		const userMessage = appendMessage(input.messagesByThreadId, activeThreadId, {
-			role: "user",
-			content: displayPrompt,
-			details: attachmentDetails(input.attachments)
-		});
-		let threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-			state: "running",
-			lastPrompt: displayPrompt,
-			lastError: void 0,
-			title: maybeReplaceDefaultTitle(input.threads.get(activeThreadId)?.title, displayPrompt)
-		});
-		sendSse(input.controller, input.encoder, input.secureSession, {
-			type: "thread.message.created",
-			thread: threadSummary,
-			message: userMessage
-		});
-		sendSse(input.controller, input.encoder, input.secureSession, {
-			type: "thread.state.changed",
-			thread: threadSummary
-		});
-		const options = buildThreadOptions(input.threadOptions, input.runOptions);
-		const thread = hasExplicitRunOptions(input.runOptions) ? input.codex.resumeThread(activeThreadId, options) : input.liveThreads.get(activeThreadId) ?? input.codex.resumeThread(activeThreadId, options);
-		input.liveThreads.set(activeThreadId, thread);
-		if (!thread.runStreamed) {
-			const result = stringifyRunResult(await thread.run(runPrompt));
-			activeThreadId = replaceLocalThreadId(input.threads, input.messagesByThreadId, input.liveThreads, activeThreadId, getThreadId(thread));
-			assistantMessage = appendMessage(input.messagesByThreadId, activeThreadId, {
-				role: "assistant",
-				content: result,
-				state: "completed"
-			});
-			threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-				state: "completed",
-				lastResult: result
-			});
-			sendSse(input.controller, input.encoder, input.secureSession, {
-				type: "thread.message.completed",
-				thread: threadSummary,
-				message: assistantMessage
-			});
-			sendSse(input.controller, input.encoder, input.secureSession, {
-				type: "thread.state.changed",
-				thread: threadSummary
-			});
-			return;
-		}
-		const streamed = await thread.runStreamed(runPrompt);
-		activeThreadId = replaceLocalThreadId(input.threads, input.messagesByThreadId, input.liveThreads, activeThreadId, getThreadId(thread));
-		assistantMessage = appendMessage(input.messagesByThreadId, activeThreadId, {
-			role: "assistant",
-			content: "",
-			state: "streaming"
-		});
-		threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, { state: "running" });
-		sendSse(input.controller, input.encoder, input.secureSession, {
-			type: "thread.message.created",
-			thread: threadSummary,
-			message: assistantMessage
-		});
-		for await (const event of streamed.events) {
-			const kind = classifyStreamEvent(event);
-			const text = extractStreamText(event);
-			if (kind === "error") throw new Error(text ?? "Codex run failed.");
-			if (!text) continue;
-			if (kind === "assistant") {
-				assistantMessage = appendMessageDelta(input.messagesByThreadId, activeThreadId, assistantMessage.id, text);
-				updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-					state: "running",
-					lastResult: assistantMessage.content
-				});
-				sendSse(input.controller, input.encoder, input.secureSession, {
-					type: "thread.message.delta",
-					threadId: activeThreadId,
-					messageId: assistantMessage.id,
-					delta: text
-				});
-			} else {
-				const structured = structuredStreamMessage(kind, event, text);
-				const statusMessage = appendMessage(input.messagesByThreadId, activeThreadId, {
-					role: kind,
-					kind: structured.kind,
-					content: structured.content,
-					details: structured.details,
-					state: "completed"
-				});
-				threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, { state: "running" });
-				sendSse(input.controller, input.encoder, input.secureSession, {
-					type: "thread.message.created",
-					thread: threadSummary,
-					message: statusMessage
-				});
-			}
-		}
-		assistantMessage = updateMessage(input.messagesByThreadId, activeThreadId, assistantMessage.id, { state: "completed" });
-		threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-			state: "completed",
-			lastResult: assistantMessage.content,
-			lastError: void 0
-		});
-		sendSse(input.controller, input.encoder, input.secureSession, {
-			type: "thread.message.completed",
-			thread: threadSummary,
-			message: assistantMessage
-		});
-		sendSse(input.controller, input.encoder, input.secureSession, {
-			type: "thread.state.changed",
-			thread: threadSummary
-		});
-	} catch (error) {
-		input.steeringThreads.delete(activeThreadId);
-		const threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-			state: "failed",
-			lastError: errorMessage(error)
-		});
-		const errorBody = apiError("codex_run_failed", threadSummary.lastError ?? "Codex run failed.");
-		appendMessage(input.messagesByThreadId, activeThreadId, {
-			role: "error",
-			content: errorBody.error.message,
-			state: "failed"
-		});
-		sendSse(input.controller, input.encoder, input.secureSession, {
-			type: "thread.error",
-			thread: threadSummary,
-			error: errorBody.error
-		});
-	} finally {
-		input.controller.close();
-	}
-}
-async function startAppServerTurn(appServer, threadId, input) {
-	const runtime = resolveAppServerRuntime(input.runOptions.runtimeMode, input.workspacePath);
-	return appServer.startTurn({
-		approvalPolicy: runtime.approvalPolicy,
-		collaborationMode: appServerCollaborationMode(input.runOptions),
-		cwd: input.workspacePath,
-		effort: input.runOptions.reasoningEffort ?? null,
-		input: [{
-			type: "text",
-			text: input.prompt,
-			text_elements: []
-		}, ...input.attachments.map((attachment) => ({
-			type: "image",
-			url: attachment.dataUri
-		}))],
-		model: input.runOptions.model ?? null,
-		sandboxPolicy: runtime.sandboxPolicy,
-		threadId
-	});
-}
-function shiftQueuedInput(queuedInputsByThreadId, threadId) {
-	const queuedInputs = queuedInputsByThreadId.get(threadId);
-	const nextInput = queuedInputs?.shift();
-	if (!queuedInputs || queuedInputs.length === 0) queuedInputsByThreadId.delete(threadId);
-	return nextInput;
-}
-async function runAppServerPromptStreamed(input) {
-	let activeThreadId = input.threadId;
-	let activeTurnId;
-	let assistantMessageId;
-	const prompt = promptWithAttachments(input.prompt, input.attachments);
-	const userMessage = appendMessage(input.messagesByThreadId, activeThreadId, {
-		role: "user",
-		content: prompt,
-		details: attachmentDetails(input.attachments)
-	});
-	let threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-		state: "running",
-		lastPrompt: prompt,
-		lastError: void 0,
-		title: maybeReplaceDefaultTitle(input.threads.get(activeThreadId)?.title, prompt)
-	});
-	sendSse(input.controller, input.encoder, input.secureSession, {
-		type: "thread.message.created",
-		thread: threadSummary,
-		message: userMessage
-	});
-	sendSse(input.controller, input.encoder, input.secureSession, {
-		type: "thread.state.changed",
-		thread: threadSummary
-	});
-	const cleanupRequestHandler = input.appServer.onRequest((request) => {
-		if (!isApprovalServerRequest(request.method)) {
-			input.appServer.rejectRequest(request.id, -32601, `${request.method} is not supported by Codex Relay mobile yet.`);
-			return;
-		}
-		const approval = approvalMessageFromRequest(request);
-		if (!approval || approval.threadId !== activeThreadId) {
-			input.appServer.rejectRequest(request.id, -32602, "Approval request is malformed.");
-			return;
-		}
-		input.pendingApprovals.set(approval.approvalId, {
-			appServer: input.appServer,
-			kind: approval.kind,
-			method: request.method,
-			requestId: request.id,
-			threadId: activeThreadId
-		});
-		const message = appendMessage(input.messagesByThreadId, activeThreadId, {
-			role: "status",
-			kind: approval.kind === "structuredUserInput" ? "structuredUserInput" : "approvalRequest",
-			content: approval.content,
-			details: approval.details,
-			state: "completed",
-			turnId: approval.turnId
-		});
-		threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, { state: "running" });
-		sendSse(input.controller, input.encoder, input.secureSession, {
-			type: "thread.message.created",
-			thread: threadSummary,
-			message
-		});
-	});
-	const completed = new Promise((resolve, reject) => {
-		const cleanupNotificationHandler = input.appServer.onNotification((notification) => {
-			const params = recordParams(notification);
-			const threadId = firstString(params, ["threadId"]);
-			if (threadId && threadId !== activeThreadId) return;
-			try {
-				switch (notification.method) {
-					case "thread/status/changed": {
-						const status = params?.status;
-						threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, { state: mapAppServerThreadState(status) });
-						sendSse(input.controller, input.encoder, input.secureSession, {
-							type: "thread.state.changed",
-							thread: threadSummary
-						});
-						return;
-					}
-					case "turn/started":
-						activeTurnId = firstString(params, ["turnId"]) ?? turnIdFromParams(params);
-						return;
-					case "item/started":
-					case "item/completed": {
-						const item = params?.item;
-						if (!item || typeof item !== "object") return;
-						const turnId = firstString(params, ["turnId"]) ?? activeTurnId;
-						const message = upsertAppServerItemMessage(input.messagesByThreadId, activeThreadId, turnId, item);
-						if (!message) return;
-						if (message.role === "assistant") assistantMessageId = message.id;
-						threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-							state: "running",
-							lastResult: message.role === "assistant" ? message.content : void 0
-						});
-						sendSse(input.controller, input.encoder, input.secureSession, {
-							type: notification.method === "item/completed" && message.role === "assistant" ? "thread.message.completed" : "thread.message.created",
-							thread: threadSummary,
-							message
-						});
-						return;
-					}
-					case "item/agentMessage/delta": {
-						const itemId = firstString(params, ["itemId"]);
-						const delta = firstString(params, ["delta"]);
-						if (!itemId || !delta) return;
-						if (!input.messagesByThreadId.get(activeThreadId)?.some((item) => item.id === itemId)) appendMessageWithId(input.messagesByThreadId, activeThreadId, itemId, {
-							role: "assistant",
-							content: "",
-							state: "streaming",
-							turnId: firstString(params, ["turnId"]) ?? activeTurnId
-						});
-						assistantMessageId = itemId;
-						const message = appendMessageDelta(input.messagesByThreadId, activeThreadId, itemId, delta);
-						updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-							state: "running",
-							lastResult: message.content
-						});
-						sendSse(input.controller, input.encoder, input.secureSession, {
-							type: "thread.message.delta",
-							threadId: activeThreadId,
-							messageId: itemId,
-							delta
-						});
-						return;
-					}
-					case "turn/plan/updated": {
-						const explanation = firstString(params, ["explanation"]);
-						const plan = Array.isArray(params?.plan) ? params.plan : [];
-						const content = [explanation, ...plan.map((step) => planStepText(step))].filter(Boolean).join("\n");
-						const message = appendMessage(input.messagesByThreadId, activeThreadId, {
-							role: "status",
-							kind: "plan",
-							content: content || "Plan updated",
-							details: {
-								explanation,
-								plan
-							},
-							state: "completed",
-							turnId: firstString(params, ["turnId"]) ?? activeTurnId
-						});
-						threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, { state: "running" });
-						sendSse(input.controller, input.encoder, input.secureSession, {
-							type: "thread.message.created",
-							thread: threadSummary,
-							message
-						});
-						return;
-					}
-					case "turn/completed": {
-						const state = turnStatus(params) === "failed" ? "failed" : "completed";
-						if (assistantMessageId) {
-							const completedMessage = updateMessage(input.messagesByThreadId, activeThreadId, assistantMessageId, { state: "completed" });
-							sendSse(input.controller, input.encoder, input.secureSession, {
-								type: "thread.message.completed",
-								thread: threadSummary,
-								message: completedMessage
-							});
-						}
-						const nextQueuedInput = state === "completed" ? shiftQueuedInput(input.queuedInputsByThreadId, activeThreadId) : void 0;
-						threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-							state,
-							lastError: state === "failed" ? turnErrorMessage(params) : void 0
-						});
-						sendSse(input.controller, input.encoder, input.secureSession, {
-							type: "thread.state.changed",
-							thread: threadSummary
-						});
-						if (nextQueuedInput) {
-							assistantMessageId = void 0;
-							input.steeringThreads.add(activeThreadId);
-							threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-								state: "running",
-								lastPrompt: promptWithAttachments(nextQueuedInput.prompt, nextQueuedInput.attachments),
-								lastError: void 0
-							});
-							sendSse(input.controller, input.encoder, input.secureSession, {
-								type: "thread.state.changed",
-								thread: threadSummary
-							});
-							startAppServerTurn(input.appServer, activeThreadId, nextQueuedInput).then((turn) => {
-								activeTurnId = turn.id;
-							}).catch((error) => {
-								cleanupNotificationHandler();
-								reject(error);
-							});
-							return;
-						}
-						input.steeringThreads.delete(activeThreadId);
-						cleanupNotificationHandler();
-						resolve();
-						return;
-					}
-				}
-			} catch (error) {
-				cleanupNotificationHandler();
-				reject(error);
-			}
-		});
-	});
-	try {
-		activeTurnId = (await startAppServerTurn(input.appServer, activeThreadId, {
-			attachments: input.attachments,
-			prompt,
-			runOptions: input.runOptions,
-			workspacePath: input.workspacePath
-		})).id;
-		await completed;
-	} catch (error) {
-		const threadSummary = updateThread(input.threads, input.messagesByThreadId, activeThreadId, {
-			state: "failed",
-			lastError: errorMessage(error)
-		});
-		const errorBody = apiError("codex_run_failed", threadSummary.lastError ?? "Codex run failed.");
-		appendMessage(input.messagesByThreadId, activeThreadId, {
-			role: "error",
-			content: errorBody.error.message,
-			state: "failed"
-		});
-		sendSse(input.controller, input.encoder, input.secureSession, {
-			type: "thread.error",
-			thread: threadSummary,
-			error: errorBody.error
-		});
-	} finally {
-		cleanupRequestHandler();
-		input.controller.close();
-	}
-}
-async function parseRequestJson(c, pairing, secureSessionsByTokenHash, schema) {
-	let payload;
-	try {
-		payload = await c.req.raw.json();
-	} catch {
-		payload = {};
-	}
-	const secureSession = getSecureSessionForRequest(c, pairing, secureSessionsByTokenHash);
-	if (secureSession) {
-		const envelope = EncryptedPayloadSchema.safeParse(payload);
-		if (!envelope.success) return schema.safeParse({ __invalidEncryptedPayload: true });
-		try {
-			payload = JSON.parse(decryptFromMobile(secureSession, envelope.data));
-		} catch {
-			payload = { __invalidEncryptedPayload: true };
-		}
-	}
-	return schema.safeParse(payload);
-}
-async function parsePlainJson(request, schema) {
-	let payload;
-	try {
-		payload = await request.json();
-	} catch {
-		payload = {};
-	}
-	return schema.safeParse(payload);
-}
-function secureJson(c, pairing, secureSessionsByTokenHash, payload, status) {
-	const secureSession = getSecureSessionForRequest(c, pairing, secureSessionsByTokenHash);
-	if (!secureSession) return c.json(payload, status);
-	const encrypted = EncryptedPayloadSchema.parse(encryptForMobile(secureSession, JSON.stringify(payload)));
-	return c.json(encrypted, status);
-}
-function getSecureSessionForRequest(c, pairing, secureSessionsByTokenHash) {
-	const token = parseBearerToken(c.req.header("authorization"));
-	return token && pairing ? secureSessionsByTokenHash.get(pairing.hashClientToken(token)) : void 0;
-}
-function sortedThreads(threads) {
-	return [...threads.values()].sort((a, b) => b.updatedAt.localeCompare(a.updatedAt));
-}
-async function ensureKnownThread(input) {
-	const knownThread = input.threads.get(input.threadId);
-	if (knownThread) return knownThread;
-	if (!input.appServer) return;
-	try {
-		const appServerThread = await input.appServer.readThread(input.threadId);
-		const thread = mapAppServerThread(appServerThread);
-		input.threads.set(input.threadId, thread);
-		input.messagesByThreadId.set(input.threadId, mapAppServerMessages(appServerThread));
-		return thread;
-	} catch {
-		return;
-	}
-}
-function appendMessage(messagesByThreadId, threadId, input) {
-	const now = (/* @__PURE__ */ new Date()).toISOString();
-	const message = ChatMessageSchema.parse({
-		id: `msg-${crypto.randomUUID()}`,
-		threadId,
-		role: input.role,
-		kind: input.kind,
-		content: input.content,
-		details: input.details,
-		createdAt: now,
-		updatedAt: now,
-		state: input.state,
-		turnId: input.turnId
-	});
-	const messages = messagesByThreadId.get(threadId) ?? [];
-	messages.push(message);
-	messagesByThreadId.set(threadId, messages);
-	return message;
-}
-function appendMessageWithId(messagesByThreadId, threadId, id, input) {
-	const now = (/* @__PURE__ */ new Date()).toISOString();
-	const message = ChatMessageSchema.parse({
-		id,
-		threadId,
-		role: input.role,
-		kind: input.kind,
-		content: input.content,
-		details: input.details,
-		createdAt: now,
-		updatedAt: now,
-		state: input.state,
-		turnId: input.turnId
-	});
-	const messages = messagesByThreadId.get(threadId) ?? [];
-	messages.push(message);
-	messagesByThreadId.set(threadId, messages);
-	return message;
-}
-function upsertAppServerItemMessage(messagesByThreadId, threadId, turnId, item) {
-	const message = mapAppServerItem(threadId, appServerTurnShell(turnId), item);
-	if (!message) return;
-	if (messagesByThreadId.get(threadId)?.some((candidate) => candidate.id === item.id)) return updateMessage(messagesByThreadId, threadId, item.id, message);
-	return appendMessageWithId(messagesByThreadId, threadId, item.id, {
-		role: message.role,
-		kind: message.kind,
-		content: message.content,
-		details: message.details,
-		state: message.state,
-		turnId: message.turnId
-	});
-}
-function appendMessageDelta(messagesByThreadId, threadId, messageId, delta) {
-	const existing = messagesByThreadId.get(threadId)?.find((message) => message.id === messageId);
-	return updateMessage(messagesByThreadId, threadId, messageId, {
-		content: `${existing?.content ?? ""}${delta}`,
-		state: "streaming"
-	});
-}
-function updateMessage(messagesByThreadId, threadId, messageId, update) {
-	const messages = messagesByThreadId.get(threadId) ?? [];
-	const index = messages.findIndex((message) => message.id === messageId);
-	if (index === -1) throw new Error(`Unknown message: ${messageId}`);
-	const next = ChatMessageSchema.parse({
-		...messages[index],
-		...update,
-		updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-	});
-	messages[index] = next;
-	return next;
-}
-function replaceLocalThreadId(threads, messagesByThreadId, liveThreads, currentThreadId, sdkThreadId) {
-	if (!sdkThreadId || sdkThreadId === currentThreadId) return currentThreadId;
-	const metadata = threads.get(currentThreadId);
-	const thread = liveThreads.get(currentThreadId);
-	const messages = messagesByThreadId.get(currentThreadId) ?? [];
-	if (!metadata) return sdkThreadId;
-	threads.delete(currentThreadId);
-	liveThreads.delete(currentThreadId);
-	messagesByThreadId.delete(currentThreadId);
-	threads.set(sdkThreadId, {
-		...metadata,
-		id: sdkThreadId
-	});
-	messagesByThreadId.set(sdkThreadId, messages.map((message) => ({
-		...message,
-		threadId: sdkThreadId
-	})));
-	if (thread) liveThreads.set(sdkThreadId, thread);
-	return sdkThreadId;
-}
-function updateThread(threads, messagesByThreadId, threadId, update) {
-	const existing = threads.get(threadId);
-	if (!existing) throw new Error(`Unknown thread: ${threadId}`);
-	const messages = messagesByThreadId.get(threadId) ?? [];
-	const lastMessage = [...messages].reverse().find((message) => message.role !== "status");
-	const next = ThreadSummarySchema.parse({
-		...existing,
-		...update,
-		messageCount: messages.length,
-		lastMessagePreview: lastMessage?.content ? preview(lastMessage.content) : existing.lastMessagePreview,
-		lastActivityAt: lastMessage?.updatedAt ?? lastMessage?.createdAt ?? existing.lastActivityAt,
-		updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-	});
-	threads.set(threadId, next);
-	return next;
-}
-function sendSse(controller, encoder, secureSession, event) {
-	const parsed = StreamThreadRunEventSchema.parse(event);
-	const data = secureSession ? EncryptedPayloadSchema.parse(encryptForMobile(secureSession, JSON.stringify(parsed))) : parsed;
-	controller.enqueue(encoder.encode(`event: ${parsed.type}\n`));
-	controller.enqueue(encoder.encode(`data: ${JSON.stringify(data)}\n\n`));
-}
-function startWebPreviewTargetMonitor({ bridgeUrl, send }) {
-	const urls = webPreviewCandidateUrls(bridgeUrl);
-	const seenUrls = /* @__PURE__ */ new Set();
-	let stopped = false;
-	async function scan() {
-		if (stopped) return;
-		const targets = await detectWebPreviewTargets(urls);
-		for (const target of targets) {
-			if (stopped || seenUrls.has(target.url)) continue;
-			seenUrls.add(target.url);
-			try {
-				send(target);
-			} catch {
-				stopped = true;
-				return;
-			}
-		}
-	}
-	scan();
-	const interval = setInterval(() => void scan(), 1500);
-	return () => {
-		stopped = true;
-		clearInterval(interval);
-	};
-}
-function webPreviewCandidateUrls(bridgeUrl) {
-	const bridge = new URL(bridgeUrl);
-	const bridgePort = Number(bridge.port);
-	return webPreviewCandidatePorts().filter((port) => port !== bridgePort).map((port) => {
-		const url = new URL(bridge.toString());
-		url.port = String(port);
-		url.pathname = "/";
-		url.search = "";
-		url.hash = "";
-		return url.toString().replace(/\/$/, "");
-	});
-}
-function webPreviewCandidatePorts() {
-	const configured = process.env.CODEX_RELAY_WEB_PREVIEW_PORTS;
-	if (!configured) return defaultWebPreviewPorts;
-	const ports = configured.split(",").map((value) => Number(value.trim())).filter((port) => Number.isInteger(port) && port > 0 && port < 65536);
-	return ports.length > 0 ? ports : defaultWebPreviewPorts;
-}
-async function detectWebPreviewTargets(urls) {
-	return (await Promise.all(urls.map((url) => probeWebPreviewTarget(url)))).filter((target) => Boolean(target));
-}
-async function probeWebPreviewTarget(url) {
-	const controller = new AbortController();
-	const timeout = setTimeout(() => controller.abort(), 700);
-	try {
-		const response = await fetch(url, { signal: controller.signal });
-		if (!response.ok) return;
-		const contentType = response.headers.get("content-type") ?? "";
-		const text = await response.text();
-		if (!contentType.includes("text/html") && !looksLikeHtml(text)) return;
-		return {
-			kind: "web",
-			url,
-			port: Number(new URL(url).port),
-			label: webPreviewLabel(text),
-			source: "detected-port",
-			confidence: "high",
-			detectedAt: (/* @__PURE__ */ new Date()).toISOString()
-		};
-	} catch {
-		return;
-	} finally {
-		clearTimeout(timeout);
-	}
-}
-function looksLikeHtml(value) {
-	return /^\s*(<!doctype html|<html[\s>])/i.test(value);
-}
-function webPreviewLabel(html) {
-	if (html.includes("/@vite/client")) return "Vite";
-	if (html.includes("__next")) return "Next.js";
-	if (html.includes("expo-router") || html.includes("Expo")) return "Expo";
-	return "Web preview";
-}
-function titleFromPrompt(prompt) {
-	if (!prompt) return;
-	const firstLine = prompt.trim().split(/\r?\n/, 1)[0];
-	return firstLine.length > 80 ? `${firstLine.slice(0, 77)}...` : firstLine;
-}
-function maybeReplaceDefaultTitle(currentTitle, prompt) {
-	return !currentTitle || currentTitle === "New Codex thread" ? titleFromPrompt(prompt) : currentTitle;
-}
-function promptWithAttachments(prompt, attachments) {
-	if (attachments.length === 0) return prompt;
-	return `${prompt}\n\n${attachments.map((attachment, index) => {
-		const name = attachment.name ? ` (${attachment.name})` : "";
-		return `Attached image ${index + 1}${name}:\n${attachment.dataUri}`;
-	}).join("\n\n")}`;
-}
-function promptForCollaborationMode(prompt, collaborationMode) {
-	if (collaborationMode !== "plan") return prompt;
-	return `${planModePromptPrefix}\n\nUser request:\n${prompt}`;
-}
-function appServerCollaborationMode(options) {
-	if (options.collaborationMode !== "plan" || !options.model) return null;
-	return {
-		mode: "plan",
-		settings: {
-			developer_instructions: null,
-			model: options.model,
-			reasoning_effort: options.reasoningEffort ?? null
-		}
-	};
-}
-function attachmentDetails(attachments) {
-	if (attachments.length === 0) return;
-	return { attachments: attachments.map((attachment) => ({
-		mimeType: attachment.mimeType,
-		name: attachment.name,
-		type: attachment.type
-	})) };
-}
-function buildThreadOptions(base, options) {
-	const runtime = resolveRuntimeOptions(options.runtimeMode);
-	return {
-		...base,
-		...runtime,
-		...options.model ? { model: options.model } : {},
-		...options.reasoningEffort ? { modelReasoningEffort: options.reasoningEffort } : {},
-		...options.approvalPolicy ? { approvalPolicy: options.approvalPolicy } : {},
-		...options.sandboxMode ? { sandboxMode: options.sandboxMode } : {}
-	};
-}
-function resolveRuntimeOptions(runtimeMode) {
-	switch (runtimeMode) {
-		case "auto": return {
-			approvalPolicy: "on-failure",
-			sandboxMode: "workspace-write"
-		};
-		case "full-access": return {
-			approvalPolicy: "never",
-			sandboxMode: "danger-full-access"
-		};
-		default: return {
-			approvalPolicy: "on-request",
-			sandboxMode: "workspace-write"
-		};
-	}
-}
-function resolveAppServerRuntime(runtimeMode, workspacePath) {
-	const runtime = resolveRuntimeOptions(runtimeMode) ?? {};
-	const sandbox = runtime.sandboxMode ?? "workspace-write";
-	return {
-		approvalPolicy: runtime.approvalPolicy ?? "on-request",
-		sandbox,
-		sandboxPolicy: sandboxPolicyForMode(sandbox, workspacePath)
-	};
-}
-function sandboxPolicyForMode(sandboxMode, workspacePath) {
-	if (sandboxMode === "danger-full-access") return { type: "dangerFullAccess" };
-	if (sandboxMode === "read-only") return {
-		type: "readOnly",
-		access: { type: "fullAccess" },
-		networkAccess: false
-	};
-	return {
-		type: "workspaceWrite",
-		writableRoots: [workspacePath],
-		readOnlyAccess: { type: "fullAccess" },
-		networkAccess: false,
-		excludeTmpdirEnvVar: false,
-		excludeSlashTmp: false
-	};
-}
-function hasExplicitRunOptions(options) {
-	return Boolean(options.model || options.reasoningEffort || options.approvalPolicy || options.sandboxMode || options.collaborationMode === "plan" || options.runtimeMode);
-}
-function mapAppServerThread(thread) {
-	const createdAt = fromUnixSeconds(thread.createdAt);
-	const updatedAt = fromUnixSeconds(thread.updatedAt);
-	return ThreadSummarySchema.parse({
-		id: thread.id,
-		title: thread.name ?? preview(thread.preview || "Untitled thread"),
-		createdAt,
-		updatedAt,
-		state: mapAppServerThreadState(thread.status),
-		model: thread.modelProvider,
-		cwd: String(thread.cwd),
-		source: thread.source,
-		messageCount: countThreadMessages(thread),
-		lastMessagePreview: thread.preview ? preview(thread.preview) : void 0,
-		lastActivityAt: updatedAt
-	});
-}
-function mapAppServerMessages(thread) {
-	const messages = [];
-	for (const turn of thread.turns ?? []) for (const item of turn.items ?? []) {
-		const message = mapAppServerItem(thread.id, turn, item);
-		if (message) messages.push(message);
-	}
-	return messages;
-}
-function mapAppServerItem(threadId, turn, item) {
-	const timestamp = fromUnixSeconds(turn.startedAt ?? turn.completedAt ?? Date.now() / 1e3);
-	const base = {
-		id: item.id,
-		threadId,
-		createdAt: timestamp,
-		updatedAt: turn.completedAt ? fromUnixSeconds(turn.completedAt) : timestamp,
-		turnId: turn.id,
-		state: "completed"
-	};
-	switch (item.type) {
-		case "userMessage": {
-			const userItem = item;
-			return ChatMessageSchema.parse({
-				...base,
-				role: "user",
-				content: userItem.content.map((content) => content.text ?? content.path ?? content.url ?? "").filter(Boolean).join("\n\n")
-			});
-		}
-		case "agentMessage": {
-			const agentItem = item;
-			return ChatMessageSchema.parse({
-				...base,
-				role: "assistant",
-				content: agentItem.text
-			});
-		}
-		case "reasoning": {
-			const reasoningItem = item;
-			const summary = compactStringList(reasoningItem.summary);
-			const content = compactStringList(reasoningItem.content);
-			const text = [...summary, ...content].join("\n\n") || "Reasoning";
-			return ChatMessageSchema.parse({
-				...base,
-				role: "reasoning",
-				kind: "thinking",
-				content: text,
-				details: {
-					summary,
-					content
-				}
-			});
-		}
-		case "commandExecution": {
-			const commandItem = item;
-			return ChatMessageSchema.parse({
-				...base,
-				role: "tool",
-				kind: "commandExecution",
-				content: commandItem.command,
-				details: {
-					command: commandItem.command,
-					cwd: commandItem.cwd ?? void 0,
-					exitCode: commandItem.exitCode ?? void 0,
-					output: commandItem.aggregatedOutput ?? void 0,
-					status: commandItem.status ?? void 0
-				}
-			});
-		}
-		case "fileChange": {
-			const fileItem = item;
-			const changes = fileItem.changes ?? [];
-			return ChatMessageSchema.parse({
-				...base,
-				role: "tool",
-				kind: "fileChange",
-				content: summarizeFileChanges(changes),
-				details: {
-					changes,
-					patch: fileItem.patch ?? void 0
-				}
-			});
-		}
-		case "mcpToolCall": {
-			const toolItem = item;
-			return ChatMessageSchema.parse({
-				...base,
-				role: "tool",
-				kind: "toolActivity",
-				content: `${toolItem.server}.${toolItem.tool}`,
-				details: {
-					server: toolItem.server,
-					status: toolItem.status ?? void 0,
-					tool: toolItem.tool
-				}
-			});
-		}
-		case "webSearch": {
-			const searchItem = item;
-			return ChatMessageSchema.parse({
-				...base,
-				role: "tool",
-				kind: "webSearch",
-				content: searchItem.query,
-				details: {
-					query: searchItem.query,
-					status: searchItem.status ?? void 0
-				}
-			});
-		}
-		default: return mapUnknownAppServerItem(threadId, turn, item);
-	}
-}
-function mapUnknownAppServerItem(threadId, turn, item) {
-	const timestamp = fromUnixSeconds(turn.startedAt ?? turn.completedAt ?? Date.now() / 1e3);
-	const type = "type" in item ? String(item.type) : "unknown";
-	const kind = kindFromProtocolType(type) ?? "unknown";
-	return ChatMessageSchema.parse({
-		id: item.id,
-		threadId,
-		role: "status",
-		kind,
-		content: type,
-		createdAt: timestamp,
-		updatedAt: turn.completedAt ? fromUnixSeconds(turn.completedAt) : timestamp,
-		turnId: turn.id,
-		state: "completed",
-		details: { type }
-	});
-}
-function appServerTurnShell(turnId) {
-	return {
-		id: turnId ?? "turn-live",
-		items: [],
-		status: "running",
-		startedAt: Date.now() / 1e3,
-		completedAt: null
-	};
-}
-function mapAppServerModel(model) {
-	return {
-		id: model.id,
-		model: model.model,
-		displayName: model.displayName,
-		description: model.description,
-		isDefault: Boolean(model.isDefault),
-		defaultReasoningEffort: model.defaultReasoningEffort,
-		supportedReasoningEfforts: model.supportedReasoningEfforts?.map((effort) => effort.reasoningEffort) ?? []
-	};
-}
-function normalizeRateLimitBuckets(rateLimits) {
-	const keyed = objectRecord(rateLimits.rateLimitsByLimitId);
-	if (keyed) return Object.values(keyed).flatMap((value) => {
-		const bucket = normalizeRateLimitBucket(value);
-		return bucket ? [bucket] : [];
-	});
-	const bucket = normalizeRateLimitBucket(rateLimits.rateLimits);
-	return bucket ? [bucket] : [];
-}
-function normalizeRateLimitBucket(value) {
-	const record = objectRecord(value);
-	if (!record) return;
-	const limitId = firstString(record, [
-		"limitId",
-		"limit_id",
-		"id"
-	]);
-	if (!limitId) return;
-	return {
-		limitId,
-		limitName: firstString(record, [
-			"limitName",
-			"limit_name",
-			"name"
-		]) ?? null,
-		planType: firstString(record, ["planType", "plan_type"]) ?? null,
-		primary: normalizeRateLimitWindow(record.primary),
-		secondary: normalizeRateLimitWindow(record.secondary),
-		rateLimitReachedType: firstString(record, ["rateLimitReachedType", "rate_limit_reached_type"]) ?? null
-	};
-}
-function normalizeRateLimitWindow(value) {
-	const record = objectRecord(value);
-	if (!record) return null;
-	const usedPercent = firstNumber(record, ["usedPercent", "used_percent"]);
-	if (usedPercent === void 0) return null;
-	return {
-		usedPercent: Math.max(0, Math.min(100, Math.round(usedPercent))),
-		windowDurationMins: firstNumber(record, ["windowDurationMins", "window_duration_mins"]) ?? null,
-		resetsAt: firstNumber(record, ["resetsAt", "resets_at"]) ?? null
-	};
-}
-function objectRecord(value) {
-	return value && typeof value === "object" ? value : void 0;
-}
-function fallbackModels() {
-	return [{
-		id: "gpt-5.5",
-		model: "gpt-5.5",
-		displayName: "GPT-5.5",
-		description: "Default Codex model",
-		isDefault: true,
-		defaultReasoningEffort: "medium",
-		supportedReasoningEfforts: [
-			{ reasoningEffort: "low" },
-			{ reasoningEffort: "medium" },
-			{ reasoningEffort: "high" },
-			{ reasoningEffort: "xhigh" }
-		]
-	}];
-}
-function mapAppServerThreadState(status) {
-	if (typeof status === "string") {
-		if (status === "running" || status === "active") return "running";
-		if (status === "failed" || status === "systemError") return "failed";
-		if (status === "completed") return "completed";
-	}
-	if (status && typeof status === "object" && "type" in status) {
-		const type = String(status.type);
-		if (type === "active") return "running";
-		if (type === "systemError") return "failed";
-	}
-	return "idle";
-}
-function countThreadMessages(thread) {
-	return thread.turns?.reduce((count, turn) => count + turn.items.filter((item) => item.type === "userMessage" || item.type === "agentMessage").length, 0) ?? 0;
-}
-function fromUnixSeconds(value) {
-	return (/* @__PURE__ */ new Date(value * 1e3)).toISOString();
-}
-function preview(content) {
-	const normalized = content.replace(/\s+/g, " ").trim();
-	return normalized.length > 140 ? `${normalized.slice(0, 137)}...` : normalized;
-}
-function compactStringList(value) {
-	return value?.map((item) => item.trim()).filter(Boolean) ?? [];
-}
-function summarizeFileChanges(changes) {
-	if (changes.length === 0) return "Files changed";
-	const paths = changes.map((change) => change.path).filter(Boolean);
-	const shown = paths.slice(0, 3).join(", ");
-	const suffix = paths.length > 3 ? ` and ${paths.length - 3} more` : "";
-	return `${changes.length} file${changes.length === 1 ? "" : "s"} changed: ${shown}${suffix}`;
-}
-function structuredStreamMessage(role, event, fallbackContent) {
-	const item = eventItem(event);
-	const type = item?.type ? String(item.type) : void 0;
-	if (role === "reasoning") {
-		const summary = stringArray(item?.summary);
-		const content = stringArray(item?.content);
-		return {
-			kind: "thinking",
-			content: [...summary, ...content].join("\n\n") || fallbackContent,
-			details: {
-				content,
-				summary,
-				type
-			}
-		};
-	}
-	switch (type) {
-		case "command_execution": {
-			const command = firstString(item, ["command", "cmd"]) ?? fallbackContent;
-			return {
-				kind: "commandExecution",
-				content: command,
-				details: {
-					command,
-					cwd: firstString(item, ["cwd", "working_directory"]),
-					exitCode: firstNumber(item, ["exit_code", "exitCode"]),
-					output: firstString(item, [
-						"aggregated_output",
-						"aggregatedOutput",
-						"output"
-					]),
-					status: firstString(item, ["status"]),
-					type
-				}
-			};
-		}
-		case "file_change": {
-			const changes = Array.isArray(item?.changes) ? item.changes : [];
-			return {
-				kind: "fileChange",
-				content: summarizeFileChanges(normalizeFileChanges(changes)),
-				details: {
-					changes,
-					patch: firstString(item, ["patch"]),
-					type
-				}
-			};
-		}
-		case "mcp_tool_call": return {
-			kind: "toolActivity",
-			content: [firstString(item, ["server"]), firstString(item, ["tool", "name"])].filter(Boolean).join(".") || fallbackContent,
-			details: {
-				server: firstString(item, ["server"]),
-				status: firstString(item, ["status"]),
-				tool: firstString(item, ["tool", "name"]),
-				type
-			}
-		};
-		case "web_search": return {
-			kind: "webSearch",
-			content: firstString(item, ["query"]) ?? fallbackContent,
-			details: {
-				query: firstString(item, ["query"]),
-				status: firstString(item, ["status"]),
-				type
-			}
-		};
-		default: return {
-			kind: kindFromProtocolType(type) ?? (role === "tool" ? "toolActivity" : "unknown"),
-			content: fallbackContent,
-			details: { type }
-		};
-	}
-}
-function isApprovalServerRequest(method) {
-	return method === "item/commandExecution/requestApproval" || method === "item/fileChange/requestApproval" || method === "item/permissions/requestApproval" || method === "item/tool/requestUserInput" || method === "mcpServer/elicitation/request" || method === "execCommandApproval" || method === "applyPatchApproval";
-}
-function approvalMessageFromRequest(request) {
-	const params = recordParams(request);
-	const threadId = firstString(params, ["threadId", "conversationId"]);
-	const turnId = firstString(params, ["turnId"]) ?? void 0;
-	if (!threadId) return;
-	const approvalId = `approval-${request.id}`;
-	switch (request.method) {
-		case "item/commandExecution/requestApproval": {
-			const command = firstString(params, ["command"]) ?? "Command execution";
-			return {
-				approvalId,
-				content: command,
-				details: {
-					approvalId,
-					approvalKind: "commandExecution",
-					command,
-					cwd: firstString(params, ["cwd"]),
-					reason: firstString(params, ["reason"]),
-					availableDecisions: Array.isArray(params?.availableDecisions) ? params.availableDecisions : void 0
-				},
-				kind: "commandExecution",
-				threadId,
-				turnId
-			};
-		}
-		case "execCommandApproval": {
-			const command = stringArray(params?.command).join(" ") || "Command execution";
-			return {
-				approvalId,
-				content: command,
-				details: {
-					approvalId,
-					approvalKind: "commandExecution",
-					command,
-					cwd: firstString(params, ["cwd"]),
-					reason: firstString(params, ["reason"])
-				},
-				kind: "commandExecution",
-				threadId,
-				turnId
-			};
-		}
-		case "item/fileChange/requestApproval": return {
-			approvalId,
-			content: firstString(params, ["reason"]) ?? "Approve file changes",
-			details: {
-				approvalId,
-				approvalKind: "fileChange",
-				grantRoot: firstString(params, ["grantRoot"]),
-				reason: firstString(params, ["reason"])
-			},
-			kind: "fileChange",
-			threadId,
-			turnId
-		};
-		case "applyPatchApproval": return {
-			approvalId,
-			content: firstString(params, ["reason"]) ?? "Approve file changes",
-			details: {
-				approvalId,
-				approvalKind: "fileChange",
-				changes: params?.fileChanges,
-				reason: firstString(params, ["reason"])
-			},
-			kind: "fileChange",
-			threadId,
-			turnId
-		};
-		case "item/permissions/requestApproval": return {
-			approvalId,
-			content: firstString(params, ["reason"]) ?? "Approve additional permissions",
-			details: {
-				approvalId,
-				approvalKind: "permissions",
-				cwd: firstString(params, ["cwd"]),
-				permissions: params?.permissions,
-				reason: firstString(params, ["reason"])
-			},
-			kind: "permissions",
-			threadId,
-			turnId
-		};
-		case "item/tool/requestUserInput": return {
-			approvalId,
-			content: "Input requested",
-			details: {
-				approvalId,
-				approvalKind: "structuredUserInput",
-				questions: Array.isArray(params?.questions) ? params.questions : []
-			},
-			kind: "structuredUserInput",
-			threadId,
-			turnId
-		};
-		case "mcpServer/elicitation/request": return {
-			approvalId,
-			content: firstString(params, ["message"]) ?? "MCP input requested",
-			details: {
-				approvalId,
-				approvalKind: "mcpElicitation",
-				message: firstString(params, ["message"]),
-				mode: firstString(params, ["mode"]),
-				serverName: firstString(params, ["serverName"]),
-				url: firstString(params, ["url"])
-			},
-			kind: "mcpElicitation",
-			threadId,
-			turnId
-		};
-		default: return;
-	}
-}
-async function resolveAppServerRequest(pending, decision, answers) {
-	switch (pending.kind) {
-		case "commandExecution":
-			await pending.appServer.respondToRequest(pending.requestId, { decision: pending.method === "execCommandApproval" ? legacyApprovalDecision(decision) : commandApprovalDecision(decision) });
-			return;
-		case "fileChange":
-			await pending.appServer.respondToRequest(pending.requestId, { decision: pending.method === "applyPatchApproval" ? legacyApprovalDecision(decision) : fileChangeApprovalDecision(decision) });
-			return;
-		case "permissions":
-			await pending.appServer.respondToRequest(pending.requestId, {
-				permissions: decision === "approve" || decision === "approve-for-session" ? {} : {},
-				scope: decision === "approve-for-session" ? "session" : "turn",
-				strictAutoReview: decision === "deny" || decision === "cancel"
-			});
-			return;
-		case "structuredUserInput":
-			await pending.appServer.respondToRequest(pending.requestId, { answers });
-			return;
-		case "mcpElicitation":
-			await pending.appServer.respondToRequest(pending.requestId, {
-				action: decision === "approve" || decision === "approve-for-session" ? "accept" : "decline",
-				content: answers.length > 0 ? { answers } : null,
-				_meta: null
-			});
-			return;
-	}
-}
-function legacyApprovalDecision(decision) {
-	switch (decision) {
-		case "approve": return "approved";
-		case "approve-for-session": return "approved_for_session";
-		case "cancel": return "abort";
-		default: return "denied";
-	}
-}
-function commandApprovalDecision(decision) {
-	switch (decision) {
-		case "approve": return "accept";
-		case "approve-for-session": return "acceptForSession";
-		case "cancel": return "cancel";
-		default: return "decline";
-	}
-}
-function fileChangeApprovalDecision(decision) {
-	switch (decision) {
-		case "approve": return "accept";
-		case "approve-for-session": return "acceptForSession";
-		case "cancel": return "cancel";
-		default: return "decline";
-	}
-}
-function kindFromProtocolType(type) {
-	switch (type) {
-		case "plan":
-		case "turn_plan_updated":
-		case "turn/plan/updated": return "plan";
-		case "request_user_input":
-		case "structured_user_input":
-		case "structuredUserInput": return "structuredUserInput";
-		case "approval_request":
-		case "approvalRequest": return "approvalRequest";
-		case "subagent_action":
-		case "subagentAction": return "subagentAction";
-		default: return;
-	}
-}
-function eventItem(event) {
-	if (!event || typeof event !== "object") return;
-	const record = event;
-	return record.item && typeof record.item === "object" ? record.item : record;
-}
-function recordParams(message) {
-	return message.params && typeof message.params === "object" ? message.params : void 0;
-}
-function turnIdFromParams(params) {
-	const turn = params?.turn;
-	return turn && typeof turn === "object" ? firstString(turn, ["id"]) : void 0;
-}
-function turnStatus(params) {
-	const turn = params?.turn;
-	if (turn && typeof turn === "object") {
-		const status = turn.status;
-		return typeof status === "string" ? status : void 0;
-	}
-}
-function turnErrorMessage(params) {
-	const turn = params?.turn;
-	if (!turn || typeof turn !== "object") return;
-	const error = turn.error;
-	return error && typeof error === "object" ? firstString(error, ["message"]) : void 0;
-}
-function planStepText(step) {
-	if (!step || typeof step !== "object") return;
-	const record = step;
-	const text = firstString(record, ["text", "step"]);
-	const status = firstString(record, ["status"]);
-	return text ? `${status ? `${status}: ` : ""}${text}` : void 0;
-}
-function firstString(record, keys) {
-	for (const key of keys) {
-		const value = record?.[key];
-		if (typeof value === "string" && value.trim()) return value;
-	}
-}
-function firstNumber(record, keys) {
-	for (const key of keys) {
-		const value = record?.[key];
-		if (typeof value === "number") return value;
-	}
-}
-function stringArray(value) {
-	if (!Array.isArray(value)) return [];
-	return value.filter((item) => typeof item === "string" && item.trim().length > 0);
-}
-function normalizeFileChanges(value) {
-	return value.flatMap((item) => {
-		if (!item || typeof item !== "object") return [];
-		const record = item;
-		const path = firstString(record, ["path"]);
-		const kind = firstString(record, ["kind", "type"]) ?? "modified";
-		return path ? [{
-			path,
-			kind
-		}] : [];
-	});
-}
-async function readWorkspaceChanges(workspacePath) {
-	const repo = await openRepository(workspacePath);
-	const [currentBranch, branches] = await Promise.all([currentGitBranch(workspacePath), listGitBranches(workspacePath)]);
-	const statusEntries = collectIterator(repo.statuses().iter());
-	const statusByPath = new Map(statusEntries.map((entry) => [entry.path(), entry]));
-	const status = statusEntries.map((entry) => formatStatusLine(entry.path(), entry.status())).join("\n");
-	const structuredDiff = createWorkspaceDiff(repo);
-	const diff = await git(workspacePath, [
-		"diff",
-		"--no-ext-diff",
-		"--no-color",
-		"HEAD",
-		"--"
-	]).catch(() => structuredDiff.print());
-	const patchesByPath = splitDiffByPath(diff);
-	structuredDiff.findSimilar({ renames: true });
-	const stats = structuredDiff.stats();
-	const filesByPath = /* @__PURE__ */ new Map();
-	for (const delta of collectIterator(structuredDiff.deltas())) {
-		const path = delta.newFile().path() ?? delta.oldFile().path();
-		if (!path) continue;
-		const patch = patchesByPath.get(path) ?? patchesByPath.get(delta.oldFile().path() ?? "") ?? "";
-		const lineStats = countPatchLines(patch);
-		const statusEntry = statusByPath.get(path) ?? statusByPath.get(delta.oldFile().path() ?? "");
-		filesByPath.set(path, {
-			additions: lineStats.additions,
-			deletions: lineStats.deletions,
-			isBinary: delta.newFile().isBinary() || delta.oldFile().isBinary(),
-			oldPath: delta.oldFile().path(),
-			path,
-			patch,
-			stagedStatus: statusEntry?.headToIndex()?.status() ?? null,
-			status: delta.status(),
-			worktreeStatus: statusEntry?.indexToWorkdir()?.status() ?? null
-		});
-	}
-	for (const entry of statusEntries) {
-		if (filesByPath.has(entry.path())) continue;
-		filesByPath.set(entry.path(), {
-			additions: 0,
-			deletions: 0,
-			isBinary: false,
-			oldPath: null,
-			path: entry.path(),
-			patch: "",
-			stagedStatus: entry.headToIndex()?.status() ?? null,
-			status: statusNameFromStatus(entry.status()),
-			worktreeStatus: entry.indexToWorkdir()?.status() ?? null
-		});
-	}
-	const files = [...filesByPath.values()].sort((left, right) => left.path.localeCompare(right.path));
-	return {
-		branches,
-		currentBranch,
-		diff,
-		files,
-		hasChanges: files.length > 0 || Boolean(status.trim() || diff.trim()),
-		status,
-		stats: {
-			additions: Number(stats.insertions),
-			deletions: Number(stats.deletions),
-			filesChanged: files.length || Number(stats.filesChanged)
-		}
-	};
-}
-async function currentGitBranch(workspacePath) {
-	return (await git(workspacePath, ["branch", "--show-current"]).catch(() => "")).trim() || null;
-}
-async function listGitBranches(workspacePath) {
-	return (await git(workspacePath, [
-		"branch",
-		"--format=%(HEAD)%09%(refname:short)",
-		"--sort=refname"
-	]).catch(() => "")).split("\n").map((line) => {
-		const [headMarker, name] = line.split("	");
-		return {
-			current: headMarker === "*",
-			name: name?.trim() ?? ""
-		};
-	}).filter((branch) => branch.name.length > 0);
-}
-function createWorkspaceDiff(repo) {
-	const options = {
-		includeUntracked: true,
-		recurseUntrackedDirs: true,
-		showUntrackedContent: true
-	};
-	try {
-		return repo.diffTreeToWorkdirWithIndex(repo.head().peelToTree(), options);
-	} catch {
-		return repo.diffIndexToWorkdir(void 0, options);
-	}
-}
-function collectIterator(iterator) {
-	const items = [];
-	for (let result = iterator.next(); !result.done; result = iterator.next()) items.push(result.value);
-	return items;
-}
-function splitDiffByPath(diff) {
-	const patches = /* @__PURE__ */ new Map();
-	const sections = diff.split(/(?=^diff --git )/m).filter(Boolean);
-	for (const section of sections) {
-		const header = section.match(/^diff --git a\/(.+) b\/(.+)$/m);
-		if (!header) continue;
-		const oldPath = header[1];
-		const newPath = header[2];
-		patches.set(newPath, section.trimEnd());
-		patches.set(oldPath, section.trimEnd());
-	}
-	return patches;
-}
-function countPatchLines(patch) {
-	let additions = 0;
-	let deletions = 0;
-	for (const line of patch.split("\n")) {
-		if (line.startsWith("+++") || line.startsWith("---")) continue;
-		if (line.startsWith("+")) additions += 1;
-		else if (line.startsWith("-")) deletions += 1;
-	}
-	return {
-		additions,
-		deletions
-	};
-}
-function formatStatusLine(path, status) {
-	if (status.ignored) return `!! ${path}`;
-	if (status.wtNew && !status.indexNew) return `?? ${path}`;
-	return `${statusIndexCode(status)}${statusWorktreeCode(status)} ${path}`;
-}
-function statusIndexCode(status) {
-	if (status.conflicted) return "U";
-	if (status.indexRenamed) return "R";
-	if (status.indexNew) return "A";
-	if (status.indexDeleted) return "D";
-	if (status.indexTypechange) return "T";
-	return status.indexModified ? "M" : " ";
-}
-function statusWorktreeCode(status) {
-	if (status.conflicted) return "U";
-	if (status.wtRenamed) return "R";
-	if (status.wtDeleted) return "D";
-	if (status.wtTypechange) return "T";
-	if (status.wtUnreadable) return "?";
-	return status.wtModified ? "M" : " ";
-}
-function statusNameFromStatus(status) {
-	if (status.conflicted) return "Conflicted";
-	if (status.indexNew || status.wtNew) return "Added";
-	if (status.indexDeleted || status.wtDeleted) return "Deleted";
-	if (status.indexRenamed || status.wtRenamed) return "Renamed";
-	if (status.indexTypechange || status.wtTypechange) return "Typechange";
-	if (status.ignored) return "Ignored";
-	return status.current ? "Unmodified" : "Modified";
-}
-async function git(cwd, args) {
-	const { stdout } = await execFileAsync("git", args, {
-		cwd,
-		maxBuffer: 16 * 1024 * 1024
-	});
-	return stdout.trimEnd();
-}
-function validationError(error) {
-	return apiError("invalid_request", "Request body did not match the Codex Relay API schema.", error.issues.map((issue) => `${issue.path.join(".") || "body"}: ${issue.message}`));
-}
-function apiError(code, message, issues) {
-	return { error: {
-		code,
-		message,
-		issues
-	} };
-}
-function errorMessage(error) {
-	return error instanceof Error ? error.message : "Codex run failed.";
-}
-//#endregion
-//#region src/pairing-store.ts
-async function createTursoPairingSessionStore(path) {
-	if (path !== ":memory:") await mkdir(dirname(path), { recursive: true });
-	const db = await connect(path);
-	await db.exec(`
-    CREATE TABLE IF NOT EXISTS pairing_sessions (
-      token_hash TEXT PRIMARY KEY,
-      client_name TEXT,
-      expires_at INTEGER NOT NULL,
-      created_at INTEGER NOT NULL,
-      updated_at INTEGER NOT NULL
-    );
-
-    CREATE TABLE IF NOT EXISTS pending_pairings (
-      approval_code TEXT PRIMARY KEY,
-      client_name TEXT,
-      client_ephemeral_public_key TEXT NOT NULL,
-      client_nonce TEXT NOT NULL,
-      server_url TEXT NOT NULL,
-      approved INTEGER NOT NULL DEFAULT 0,
-      expires_at INTEGER NOT NULL,
-      created_at INTEGER NOT NULL,
-      updated_at INTEGER NOT NULL
-    );
-  `);
-	async function countActive(now) {
-		const row = await db.prepare("SELECT COUNT(*) AS count FROM pairing_sessions WHERE expires_at > ?").get(now);
-		return Number(row?.count ?? 0);
-	}
-	async function deleteSession(tokenHash) {
-		await db.prepare("DELETE FROM pairing_sessions WHERE token_hash = ?").run(tokenHash);
-	}
-	async function deletePendingPairing(approvalCode) {
-		await db.prepare("DELETE FROM pending_pairings WHERE approval_code = ?").run(approvalCode);
-	}
-	async function getPendingPairing(approvalCode, now) {
-		const row = await db.prepare(`SELECT approval_code AS approvalCode,
-                client_name AS clientName,
-                client_ephemeral_public_key AS clientEphemeralPublicKey,
-                client_nonce AS clientNonce,
-                server_url AS serverUrl,
-                approved,
-                expires_at AS expiresAt
-         FROM pending_pairings
-         WHERE approval_code = ?`).get(approvalCode);
-		if (!row) return;
-		const expiresAt = Number(row.expiresAt);
-		if (now > expiresAt) {
-			await deletePendingPairing(approvalCode);
-			return;
-		}
-		return {
-			approvalCode: String(row.approvalCode),
-			approved: Number(row.approved) === 1,
-			clientEphemeralPublicKey: String(row.clientEphemeralPublicKey),
-			clientName: typeof row.clientName === "string" ? row.clientName : void 0,
-			clientNonce: String(row.clientNonce),
-			expiresAt,
-			serverUrl: String(row.serverUrl)
-		};
-	}
-	return {
-		async approvePendingPairing(approvalCode, now) {
-			const pending = await getPendingPairing(approvalCode, now);
-			if (!pending) return;
-			await db.prepare("UPDATE pending_pairings SET approved = 1, updated_at = ? WHERE approval_code = ?").run(now, approvalCode);
-			return {
-				...pending,
-				approved: true
-			};
-		},
-		countActive,
-		async createPendingPairing(pairing) {
-			const now = Date.now();
-			await db.prepare(`INSERT INTO pending_pairings (
-             approval_code,
-             client_name,
-             client_ephemeral_public_key,
-             client_nonce,
-             server_url,
-             approved,
-             expires_at,
-             created_at,
-             updated_at
-           )
-           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(pairing.approvalCode, pairing.clientName ?? null, pairing.clientEphemeralPublicKey, pairing.clientNonce, pairing.serverUrl, pairing.approved ? 1 : 0, pairing.expiresAt, now, now);
-		},
-		async createSession(tokenHash, session) {
-			const now = Date.now();
-			await db.prepare(`INSERT INTO pairing_sessions (token_hash, client_name, expires_at, created_at, updated_at)
-           VALUES (?, ?, ?, ?, ?)`).run(tokenHash, session.clientName ?? null, session.expiresAt, now, now);
-			return countActive(now);
-		},
-		deleteSession,
-		deletePendingPairing,
-		getPendingPairing,
-		async getValidSession(tokenHash, now) {
-			const row = await db.prepare("SELECT client_name AS clientName, expires_at AS expiresAt FROM pairing_sessions WHERE token_hash = ?").get(tokenHash);
-			if (!row) return;
-			const expiresAt = Number(row.expiresAt);
-			if (now > expiresAt) {
-				await deleteSession(tokenHash);
-				return;
-			}
-			return {
-				clientName: typeof row.clientName === "string" ? row.clientName : void 0,
-				expiresAt
-			};
-		},
-		async pruneExpired(now) {
-			await db.prepare("DELETE FROM pairing_sessions WHERE expires_at <= ?").run(now);
-			await db.prepare("DELETE FROM pending_pairings WHERE expires_at <= ?").run(now);
-		},
-		async rotateSession(oldTokenHash, newTokenHash, session) {
-			const now = Date.now();
-			await db.transaction(async () => {
-				await db.prepare("DELETE FROM pairing_sessions WHERE token_hash = ?").run(oldTokenHash);
-				await db.prepare(`INSERT INTO pairing_sessions (token_hash, client_name, expires_at, created_at, updated_at)
-             VALUES (?, ?, ?, ?, ?)`).run(newTokenHash, session.clientName ?? null, session.expiresAt, now, now);
-			})();
-			return countActive(now);
-		}
-	};
-}
-//#endregion
-//#region src/index.ts
-const port = Number(process.env.PORT ?? 8787);
-const hostname$1 = process.env.HOST ?? "0.0.0.0";
-const clientTokenTtlMs = 10080 * 60 * 1e3;
-const serverIdentity = createServerIdentity();
-const approvalSecret = await getApprovalSecret();
-const colors = pc.createColors(!process.env.NO_COLOR && process.env.TERM !== "dumb");
-const color = {
-	brand: colors.cyan,
-	code: colors.yellow,
-	command: colors.green,
-	event: colors.magenta,
-	muted: colors.gray,
-	prompt: colors.cyan,
-	url: colors.blue
-};
-serve({
-	fetch: createApp({ pairing: {
-		approvalSecret,
-		serverIdentity,
-		createClientToken: () => randomBytes(32).toString("base64url"),
-		hashClientToken,
-		sessions: await createTursoPairingSessionStore(process.env.CODEX_RELAY_AUTH_DB_PATH ?? resolve(process.cwd(), ".codex-relay/auth.db")),
-		tokenTtlMs: clientTokenTtlMs,
-		onPaired: ({ clientName, tokenCount }) => {
-			logRuntimeEvent("Paired", `Mobile client connected${clientName ? ` from ${clientName}` : ""}; ${formatClientCount(tokenCount)} active.`);
-		},
-		onPairAttempt: ({ remoteAddress }) => {
-			logRuntimeEvent("Pairing", `Handshake received${remoteAddress ? ` from ${remoteAddress}` : ""}.`);
-		},
-		onPairApprovalRequested: ({ clientName }) => {
-			logRuntimeEvent("Approval", `Pairing approval requested${clientName ? ` from ${clientName}` : ""}. Use the code shown in the mobile app to approve locally.`);
-		},
-		onPairApproved: ({ clientName }) => {
-			logRuntimeEvent("Approved", `Pairing request approved${clientName ? ` for ${clientName}` : ""}. Waiting for secure session pickup.`);
-		},
-		onTokenRefreshed: ({ clientName, tokenCount }) => {
-			logRuntimeEvent("Refreshed", `Mobile session rotated${clientName ? ` for ${clientName}` : ""}; ${formatClientCount(tokenCount)} active.`);
-		}
-	} }).fetch,
-	hostname: hostname$1,
-	port
-}, (info) => {
-	const listenUrl = `http://${info.address}:${info.port}`;
-	const connectUrl = getConfiguredConnectUrl() ?? getTailscaleConnectUrl(info.port) ?? getLocalNetworkConnectUrl(info.port) ?? listenUrl;
-	const pairingPayload = createPairingQrPayload(connectUrl);
-	writeServerState({
-		connectUrl,
-		host: hostname$1,
-		listenUrl,
-		pairingPayload,
-		port: info.port
-	});
-	writeBackgroundPid();
-	console.log("");
-	qrcode.generate(pairingPayload, { small: true });
-	console.log(formatStartupInstructions({
-		connectUrl,
-		listenUrl,
-		pairingPayload,
-		port: info.port
-	}));
-});
-function formatStartupInstructions(details) {
-	return [
-		"",
-		...[
-			`${color.prompt("›")} Scan the QR code above to pair ${color.brand("Codex Relay mobile")}.`,
-			"",
-			`${color.prompt("›")} Mobile: ${color.url(details.connectUrl)}`,
-			`${color.prompt("›")} Server: ${color.muted(details.listenUrl)}`,
-			"",
-			`${color.prompt("›")} Pairing: ${color.url(details.pairingPayload)}`,
-			"",
-			`${color.prompt("›")} Waiting for pairing requests`,
-			`${color.prompt("›")} Approve a device with ${color.command(formatApprovalCommand("<code>", details.port))}`
-		],
-		""
-	].join("\n");
-}
-function logRuntimeEvent(label, message) {
-	console.log(`${color.prompt("›")} ${color.event(label.padEnd(8))} ${message}`);
-}
-function formatClientCount(tokenCount) {
-	return `${tokenCount} client${tokenCount === 1 ? "" : "s"}`;
-}
-function createPairingQrPayload(serverUrl) {
-	const url = new URL("codex-relay://pair");
-	url.searchParams.set("serverUrl", serverUrl);
-	url.searchParams.set("serverPublicKey", serverIdentity.publicKey);
-	return url.toString();
-}
-function hashClientToken(token) {
-	return createHash("sha256").update(token).digest("base64url");
-}
-function getConfiguredConnectUrl() {
-	const configuredUrl = normalizeUrl(process.env.CODEX_RELAY_PUBLIC_URL);
-	if (configuredUrl) return configuredUrl;
-}
-function getTailscaleConnectUrl(port) {
-	const status = getTailscaleStatus();
-	const tailscaleIp = status?.Self?.TailscaleIPs?.find((ip) => ip.startsWith("100.") && ip.includes("."));
-	if (tailscaleIp) return `http://${tailscaleIp}:${port}`;
-	const dnsName = status?.Self?.DNSName?.replace(/\.$/, "");
-	if (dnsName) return getTailscaleServeHttpsUrl(dnsName, port) ?? `http://${dnsName}:${port}`;
-	const tailscaleHost = status?.Self?.TailscaleIPs?.find((ip) => ip.includes("."));
-	return tailscaleHost ? `http://${tailscaleHost}:${port}` : void 0;
-}
-async function getApprovalSecret() {
-	if (process.env.CODEX_RELAY_APPROVAL_SECRET) return process.env.CODEX_RELAY_APPROVAL_SECRET;
-	const path = resolve(process.cwd(), ".codex-relay/approval-secret");
-	try {
-		return (await readFile(path, "utf8")).trim();
-	} catch {
-		const secret = randomBytes(32).toString("base64url");
-		await mkdir(dirname(path), { recursive: true });
-		await writeFile(path, `${secret}\n`, { mode: 384 });
-		return secret;
-	}
-}
-async function writeServerState(details) {
-	const path = resolve(process.cwd(), ".codex-relay/server-state.json");
-	await mkdir(dirname(path), { recursive: true });
-	await writeFile(path, `${JSON.stringify(details)}\n`, { mode: 384 });
-}
-async function writeBackgroundPid() {
-	const path = process.env.CODEX_RELAY_PID_PATH;
-	if (!path) return;
-	await mkdir(dirname(path), { recursive: true });
-	await writeFile(path, `${process.pid}\n`, { mode: 384 });
-}
-function formatApprovalCommand(approvalCode, activePort) {
-	return activePort === 8787 ? `npx codex-relay approve ${approvalCode}` : `PORT=${activePort} npx codex-relay approve ${approvalCode}`;
-}
-function getLocalNetworkConnectUrl(port) {
-	for (const addresses of Object.values(networkInterfaces())) for (const address of addresses ?? []) if (address.family === "IPv4" && !address.internal) return `http://${address.address}:${port}`;
-}
-function normalizeUrl(value) {
-	if (!value) return;
-	const trimmed = value.trim().replace(/\/$/, "");
-	if (!trimmed) return;
-	try {
-		const url = new URL(trimmed);
-		return url.protocol === "http:" || url.protocol === "https:" ? url.toString().replace(/\/$/, "") : void 0;
-	} catch {
-		return;
-	}
-}
-function getTailscaleStatus() {
-	try {
-		const output = execFileSync("tailscale", ["status", "--json"], {
-			encoding: "utf8",
-			stdio: [
-				"ignore",
-				"pipe",
-				"ignore"
-			],
-			timeout: 1500
-		});
-		return JSON.parse(output);
-	} catch {
-		return;
-	}
-}
-function getTailscaleServeHttpsUrl(dnsName, port) {
-	try {
-		const output = execFileSync("tailscale", [
-			"serve",
-			"status",
-			"--json"
-		], {
-			encoding: "utf8",
-			stdio: [
-				"ignore",
-				"pipe",
-				"ignore"
-			],
-			timeout: 1500
-		});
-		const serveStatus = JSON.parse(output);
-		const portKey = String(port);
-		const hostPort = `${dnsName}:${portKey}`;
-		return serveStatus.TCP?.[portKey]?.HTTPS && serveStatus.Web?.[hostPort] ? `https://${hostPort}` : void 0;
-	} catch {
-		return;
-	}
-}
-//#endregion
-export {};