codex-relay 1.0.4 → 1.0.6

package/dist/paths.js

@@ -1,5 +1,427 @@
-import { join, resolve } from "node:path";
-import { homedir, platform } from "node:os";
+import { execFileSync } from "node:child_process";
+import { mkdir } from "node:fs/promises";
+import { dirname, join, resolve } from "node:path";
+import { connect } from "@tursodatabase/database";
+import { fromByteArray, toByteArray } from "base64-js";
+import { homedir, networkInterfaces, platform } from "node:os";
+//#region src/pairing-store.ts
+async function createTursoPairingSessionStore(path) {
+	if (path !== ":memory:") await mkdir(dirname(path), { recursive: true });
+	const db = await connect(path);
+	await db.exec(`
+    CREATE TABLE IF NOT EXISTS pairing_sessions (
+      token_hash TEXT PRIMARY KEY,
+      client_session_id TEXT,
+      client_name TEXT,
+      expires_at INTEGER NOT NULL,
+      key_epoch INTEGER,
+      mobile_to_server_key TEXT,
+      server_to_mobile_key TEXT,
+      last_mobile_counter INTEGER,
+      next_server_counter INTEGER,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    );
+
+    CREATE TABLE IF NOT EXISTS pending_pairings (
+      approval_code TEXT PRIMARY KEY,
+      client_session_id TEXT,
+      client_name TEXT,
+      client_ephemeral_public_key TEXT NOT NULL,
+      client_nonce TEXT NOT NULL,
+      server_url TEXT NOT NULL,
+      approved INTEGER NOT NULL DEFAULT 0,
+      expires_at INTEGER NOT NULL,
+      created_at INTEGER NOT NULL,
+      updated_at INTEGER NOT NULL
+    );
+  `);
+	await ensurePairingSessionColumns();
+	async function countActive(now) {
+		const row = await db.prepare("SELECT COUNT(DISTINCT COALESCE(client_session_id, token_hash)) AS count FROM pairing_sessions WHERE expires_at > ?").get(now);
+		return Number(row?.count ?? 0);
+	}
+	async function deleteSession(tokenHash) {
+		await db.prepare("DELETE FROM pairing_sessions WHERE token_hash = ?").run(tokenHash);
+	}
+	async function deletePendingPairing(approvalCode) {
+		await db.prepare("DELETE FROM pending_pairings WHERE approval_code = ?").run(approvalCode);
+	}
+	async function getPendingPairing(approvalCode, now) {
+		const row = await db.prepare(`SELECT approval_code AS approvalCode,
+                client_session_id AS clientSessionId,
+                client_name AS clientName,
+                client_ephemeral_public_key AS clientEphemeralPublicKey,
+                client_nonce AS clientNonce,
+                server_url AS serverUrl,
+                approved,
+                expires_at AS expiresAt
+         FROM pending_pairings
+         WHERE approval_code = ?`).get(approvalCode);
+		if (!row) return;
+		const expiresAt = Number(row.expiresAt);
+		if (now > expiresAt) {
+			await deletePendingPairing(approvalCode);
+			return;
+		}
+		return {
+			approvalCode: String(row.approvalCode),
+			approved: Number(row.approved) === 1,
+			clientEphemeralPublicKey: String(row.clientEphemeralPublicKey),
+			clientSessionId: typeof row.clientSessionId === "string" ? row.clientSessionId : void 0,
+			clientName: typeof row.clientName === "string" ? row.clientName : void 0,
+			clientNonce: String(row.clientNonce),
+			expiresAt,
+			serverUrl: String(row.serverUrl)
+		};
+	}
+	return {
+		async approvePendingPairing(approvalCode, now) {
+			const pending = await getPendingPairing(approvalCode, now);
+			if (!pending) return;
+			await db.prepare("UPDATE pending_pairings SET approved = 1, updated_at = ? WHERE approval_code = ?").run(now, approvalCode);
+			return {
+				...pending,
+				approved: true
+			};
+		},
+		async clearAll() {
+			return await db.transaction(async () => {
+				const sessionRow = await db.prepare("SELECT COUNT(*) AS count FROM pairing_sessions").get();
+				const pendingRow = await db.prepare("SELECT COUNT(*) AS count FROM pending_pairings").get();
+				await db.prepare("DELETE FROM pairing_sessions").run();
+				await db.prepare("DELETE FROM pending_pairings").run();
+				return {
+					pendingPairingsCleared: Number(pendingRow?.count ?? 0),
+					sessionsCleared: Number(sessionRow?.count ?? 0)
+				};
+			})();
+		},
+		countActive,
+		async createPendingPairing(pairing) {
+			const now = Date.now();
+			await db.prepare(`INSERT INTO pending_pairings (
+             approval_code,
+             client_session_id,
+             client_name,
+             client_ephemeral_public_key,
+             client_nonce,
+             server_url,
+             approved,
+             expires_at,
+             created_at,
+             updated_at
+           )
+           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(pairing.approvalCode, pairing.clientSessionId ?? null, pairing.clientName ?? null, pairing.clientEphemeralPublicKey, pairing.clientNonce, pairing.serverUrl, pairing.approved ? 1 : 0, pairing.expiresAt, now, now);
+		},
+		async createSession(tokenHash, session) {
+			const now = Date.now();
+			const secure = encodeSecureSession(session.secureSession);
+			if (session.clientSessionId) {
+				await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id = ?").run(session.clientSessionId);
+				if (session.clientName) await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id IS NULL AND client_name = ?").run(session.clientName);
+			}
+			await db.prepare(`INSERT INTO pairing_sessions (
+             token_hash,
+             client_session_id,
+             client_name,
+             expires_at,
+             key_epoch,
+             mobile_to_server_key,
+             server_to_mobile_key,
+             last_mobile_counter,
+             next_server_counter,
+             created_at,
+             updated_at
+           )
+           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(tokenHash, session.clientSessionId ?? null, session.clientName ?? null, session.expiresAt, secure?.keyEpoch ?? null, secure?.mobileToServerKey ?? null, secure?.serverToMobileKey ?? null, secure?.lastMobileCounter ?? null, secure?.nextServerCounter ?? null, now, now);
+			return countActive(now);
+		},
+		deleteSession,
+		deletePendingPairing,
+		getPendingPairing,
+		async getValidSession(tokenHash, now) {
+			const row = await db.prepare(`SELECT client_name AS clientName,
+                  client_session_id AS clientSessionId,
+                  expires_at AS expiresAt,
+                  key_epoch AS keyEpoch,
+                  mobile_to_server_key AS mobileToServerKey,
+                  server_to_mobile_key AS serverToMobileKey,
+                  last_mobile_counter AS lastMobileCounter,
+                  next_server_counter AS nextServerCounter
+           FROM pairing_sessions
+           WHERE token_hash = ?`).get(tokenHash);
+			if (!row) return;
+			const expiresAt = Number(row.expiresAt);
+			if (now > expiresAt) {
+				await deleteSession(tokenHash);
+				return;
+			}
+			return {
+				clientSessionId: typeof row.clientSessionId === "string" ? row.clientSessionId : void 0,
+				clientName: typeof row.clientName === "string" ? row.clientName : void 0,
+				expiresAt,
+				secureSession: decodeSecureSession(row)
+			};
+		},
+		async pruneExpired(now) {
+			await db.prepare("DELETE FROM pairing_sessions WHERE expires_at <= ?").run(now);
+			await db.prepare("DELETE FROM pending_pairings WHERE expires_at <= ?").run(now);
+		},
+		async rotateSession(oldTokenHash, newTokenHash, session) {
+			const now = Date.now();
+			const secure = encodeSecureSession(session.secureSession);
+			await db.transaction(async () => {
+				await db.prepare("DELETE FROM pairing_sessions WHERE token_hash = ?").run(oldTokenHash);
+				if (session.clientSessionId) {
+					await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id = ?").run(session.clientSessionId);
+					if (session.clientName) await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id IS NULL AND client_name = ?").run(session.clientName);
+				}
+				await db.prepare(`INSERT INTO pairing_sessions (
+               token_hash,
+               client_session_id,
+               client_name,
+               expires_at,
+               key_epoch,
+               mobile_to_server_key,
+               server_to_mobile_key,
+               last_mobile_counter,
+               next_server_counter,
+               created_at,
+               updated_at
+             )
+             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(newTokenHash, session.clientSessionId ?? null, session.clientName ?? null, session.expiresAt, secure?.keyEpoch ?? null, secure?.mobileToServerKey ?? null, secure?.serverToMobileKey ?? null, secure?.lastMobileCounter ?? null, secure?.nextServerCounter ?? null, now, now);
+			})();
+			return countActive(now);
+		},
+		async updateSecureSession(tokenHash, secureSession) {
+			const secure = encodeSecureSession(secureSession);
+			const now = Date.now();
+			await db.prepare(`UPDATE pairing_sessions
+           SET key_epoch = ?,
+               mobile_to_server_key = ?,
+               server_to_mobile_key = ?,
+               last_mobile_counter = ?,
+               next_server_counter = ?,
+               updated_at = ?
+           WHERE token_hash = ?`).run(secure.keyEpoch, secure.mobileToServerKey, secure.serverToMobileKey, secure.lastMobileCounter, secure.nextServerCounter, now, tokenHash);
+		}
+	};
+	async function ensurePairingSessionColumns() {
+		const rows = await db.prepare("PRAGMA table_info(pairing_sessions)").all();
+		const columns = new Set(resultRows(rows).map((row) => String(row.name)));
+		for (const [column, sql] of [
+			["client_session_id", "ALTER TABLE pairing_sessions ADD COLUMN client_session_id TEXT"],
+			["key_epoch", "ALTER TABLE pairing_sessions ADD COLUMN key_epoch INTEGER"],
+			["mobile_to_server_key", "ALTER TABLE pairing_sessions ADD COLUMN mobile_to_server_key TEXT"],
+			["server_to_mobile_key", "ALTER TABLE pairing_sessions ADD COLUMN server_to_mobile_key TEXT"],
+			["last_mobile_counter", "ALTER TABLE pairing_sessions ADD COLUMN last_mobile_counter INTEGER"],
+			["next_server_counter", "ALTER TABLE pairing_sessions ADD COLUMN next_server_counter INTEGER"]
+		]) if (!columns.has(column)) await db.exec(sql);
+		const pendingRows = await db.prepare("PRAGMA table_info(pending_pairings)").all();
+		if (!new Set(resultRows(pendingRows).map((row) => String(row.name))).has("client_session_id")) await db.exec("ALTER TABLE pending_pairings ADD COLUMN client_session_id TEXT");
+	}
+}
+function encodeSecureSession(session) {
+	if (!session) return;
+	return {
+		keyEpoch: session.keyEpoch,
+		lastMobileCounter: session.lastMobileCounter,
+		mobileToServerKey: fromByteArray(session.mobileToServerKey),
+		nextServerCounter: session.nextServerCounter,
+		serverToMobileKey: fromByteArray(session.serverToMobileKey)
+	};
+}
+function decodeSecureSession(row) {
+	if (typeof row.mobileToServerKey !== "string" || typeof row.serverToMobileKey !== "string" || row.keyEpoch === null || row.lastMobileCounter === null || row.nextServerCounter === null) return;
+	return {
+		keyEpoch: Number(row.keyEpoch),
+		lastMobileCounter: Number(row.lastMobileCounter),
+		mobileToServerKey: toByteArray(row.mobileToServerKey),
+		nextServerCounter: Number(row.nextServerCounter),
+		serverToMobileKey: toByteArray(row.serverToMobileKey)
+	};
+}
+function resultRows(result) {
+	if (Array.isArray(result)) return result;
+	if (result && typeof result === "object" && Array.isArray(result.rows)) return result.rows;
+	return [];
+}
+//#endregion
+//#region src/pairing-url-candidates.ts
+function getConnectUrlGuidance(url) {
+	const host = parseUrlHost(url);
+	if (!host) return;
+	if (isLocalhost(host) || isUnspecifiedHost(host)) return "This address is only reachable from this computer. Use a same-Wi-Fi address, Tailscale, or CODEX_RELAY_PUBLIC_URL for mobile pairing.";
+	if (isTailscaleHost(host)) return "Using Tailscale. Keep Tailscale connected on both this computer and the phone.";
+	if (isPrivateIPv4Host(host) || isLocalIPv6Host(host)) return "Using a local Wi-Fi/LAN address. Keep the phone and computer on the same network; if pairing is flaky, try Tailscale.";
+	return "Using a configured or public address. Make sure the phone can reach it before pairing.";
+}
+function createPairingQrPayload(details) {
+	const primaryServerUrl = details.serverUrls[0];
+	if (!primaryServerUrl) throw new Error("Pairing QR requires at least one server URL.");
+	const url = new URL("codex-relay://pair");
+	url.searchParams.set("serverUrl", primaryServerUrl);
+	url.searchParams.set("serverPublicKey", details.serverPublicKey);
+	const hosts = compactCandidateHosts(primaryServerUrl, details.serverUrls);
+	if (hosts.length > 0) url.searchParams.set("h", hosts.join(","));
+	return url.toString();
+}
+function getConnectUrlCandidates(details) {
+	return dedupeCandidates([
+		...configuredConnectUrlCandidates(),
+		...tailscaleConnectUrlCandidates(details.port),
+		...localNetworkConnectUrlCandidates(details.port),
+		{
+			label: "Server",
+			url: details.listenUrl
+		}
+	]);
+}
+function normalizeUrl(value) {
+	if (!value) return;
+	const trimmed = value.trim().replace(/\/$/, "");
+	if (!trimmed) return;
+	try {
+		const url = new URL(trimmed);
+		return url.protocol === "http:" || url.protocol === "https:" ? url.toString().replace(/\/$/, "") : void 0;
+	} catch {
+		return;
+	}
+}
+function configuredConnectUrlCandidates() {
+	const configuredUrl = normalizeUrl(process.env.CODEX_RELAY_PUBLIC_URL);
+	return configuredUrl ? [{
+		label: "Configured",
+		url: configuredUrl
+	}] : [];
+}
+function tailscaleConnectUrlCandidates(port) {
+	const status = getTailscaleStatus();
+	const candidates = [];
+	for (const ip of status?.Self?.TailscaleIPs ?? []) if (ip.startsWith("100.") && ip.includes(".")) candidates.push({
+		label: "Tailscale",
+		url: `http://${ip}:${port}`
+	});
+	const dnsName = status?.Self?.DNSName?.replace(/\.$/, "");
+	if (dnsName) {
+		const servedUrl = getTailscaleServeHttpsUrl(dnsName, port);
+		candidates.push({
+			label: servedUrl ? "Tailscale Serve" : "Tailscale DNS",
+			url: servedUrl ?? `http://${dnsName}:${port}`
+		});
+	}
+	for (const ip of status?.Self?.TailscaleIPs ?? []) if (ip.includes(".")) candidates.push({
+		label: "Tailscale",
+		url: `http://${ip}:${port}`
+	});
+	return candidates;
+}
+function localNetworkConnectUrlCandidates(port) {
+	const candidates = [];
+	for (const [name, addresses] of Object.entries(networkInterfaces())) for (const address of addresses ?? []) if (address.family === "IPv4" && !address.internal) candidates.push({
+		label: name,
+		url: `http://${address.address}:${port}`
+	});
+	return candidates;
+}
+function dedupeCandidates(candidates) {
+	const deduped = /* @__PURE__ */ new Map();
+	for (const candidate of candidates) {
+		const url = normalizeUrl(candidate.url);
+		if (url && !deduped.has(url)) deduped.set(url, {
+			...candidate,
+			url
+		});
+	}
+	return [...deduped.values()];
+}
+function compactCandidateHosts(primaryServerUrl, serverUrls) {
+	const primary = parseUrl(primaryServerUrl);
+	if (!primary) return [];
+	const hosts = [];
+	for (const serverUrl of serverUrls.slice(1)) {
+		const candidate = parseUrl(serverUrl);
+		if (candidate && candidate.protocol === primary.protocol && candidate.port === primary.port && !hosts.includes(candidate.hostname)) hosts.push(candidate.hostname);
+	}
+	return hosts;
+}
+function parseUrl(url) {
+	try {
+		return new URL(url);
+	} catch {
+		return;
+	}
+}
+function parseUrlHost(url) {
+	try {
+		return new URL(url).hostname.toLowerCase();
+	} catch {
+		return;
+	}
+}
+function isLocalhost(host) {
+	return host === "localhost" || host === "127.0.0.1" || host === "::1";
+}
+function isUnspecifiedHost(host) {
+	return host === "0.0.0.0" || host === "::";
+}
+function isTailscaleHost(host) {
+	return host.endsWith(".ts.net") || host.endsWith(".beta.tailscale.net") || isTailscaleIPv4Host(host);
+}
+function isPrivateIPv4Host(host) {
+	const octets = host.split(".").map(Number);
+	if (octets.length !== 4 || octets.some((octet) => !Number.isInteger(octet))) return false;
+	return octets[0] === 10 || octets[0] === 172 && octets[1] >= 16 && octets[1] <= 31 || octets[0] === 192 && octets[1] === 168 || octets[0] === 169 && octets[1] === 254;
+}
+function isTailscaleIPv4Host(host) {
+	const octets = host.split(".").map(Number);
+	return octets.length === 4 && octets[0] === 100 && octets[1] >= 64 && octets[1] <= 127;
+}
+function isLocalIPv6Host(host) {
+	const normalized = host.replace(/^\[/, "").replace(/\]$/, "");
+	return normalized.startsWith("fe80:") || normalized.startsWith("fc") || normalized.startsWith("fd");
+}
+function getTailscaleStatus() {
+	try {
+		const output = execFileSync("tailscale", ["status", "--json"], {
+			encoding: "utf8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			],
+			timeout: 1500
+		});
+		return JSON.parse(output);
+	} catch {
+		return;
+	}
+}
+function getTailscaleServeHttpsUrl(dnsName, port) {
+	try {
+		const output = execFileSync("tailscale", [
+			"serve",
+			"status",
+			"--json"
+		], {
+			encoding: "utf8",
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			],
+			timeout: 1500
+		});
+		const serveStatus = JSON.parse(output);
+		const portKey = String(port);
+		const hostPort = `${dnsName}:${portKey}`;
+		return serveStatus.TCP?.[portKey]?.HTTPS && serveStatus.Web?.[hostPort] ? `https://${hostPort}` : void 0;
+	} catch {
+		return;
+	}
+}
+//#endregion
 //#region src/paths.ts
 const appDataDirectoryName = "codex-relay";
 function codexRelayHome() {
@@ -22,4 +444,4 @@ function defaultCodexRelayHome() {
 	}
 }
 //#endregion
-export { codexRelayHome as n, legacyCodexRelayDataPath as r, codexRelayDataPath as t };
+export { getConnectUrlCandidates as a, createPairingQrPayload as i, codexRelayHome as n, getConnectUrlGuidance as o, legacyCodexRelayDataPath as r, createTursoPairingSessionStore as s, codexRelayDataPath as t };