npm - codex-relay - Versions diffs - 1.0.4 → 1.0.6 - Mend

codex-relay 1.0.4 → 1.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/src.js CHANGED Viewed

@@ -1,22 +1,23 @@
-import { A as PairResponseSchema, C as ListQueuedThreadInputsResponseSchema, D as ListWorkspaceFilesResponseSchema, Dt as apiPaths, E as ListWorkspaceDirectoriesResponseSchema, G as ResolveApprovalRequestSchema, K as ResolveApprovalResponseSchema, Lt as stripPromptSkillMentions, Mt as promptMarkdownWithSkills, Ot as chatMessageDetailsFromPromptContext, Q as RuntimePreferencesSchema, S as ListModelsResponseSchema, St as WorkspaceGitActionResponseSchema, T as ListThreadsResponseSchema, U as RateLimitsResponseSchema, X as RuntimePreferencesByWorkspacePathSchema, Z as RuntimePreferencesResponseSchema, _ as EncryptedPayloadSchema, a as ArchiveThreadResponseSchema, at as ThreadContextWindowResponseSchema, b as InterruptThreadRunResponseSchema, bt as WorkspaceFileContentResponseSchema, ct as ThreadMessageDetailResponseSchema, d as CheckoutWorkspaceBranchRequestSchema, dt as ThreadSummarySchema, et as StatusResponseSchema, ft as UpdateRuntimePreferencesRequestSchema, h as CreateThreadRequestSchema, jt as normalizePromptContext, k as PairRequestSchema, kt as createOpenApiDocument, l as ChatMessageSchema, m as ContextWindowUsageSchema, mt as VersionResponseSchema, nt as StreamThreadRunRequestSchema, ot as ThreadDetailResponseSchema, p as CommitPushWorkspaceRequestSchema, pt as UpdateWorkspaceFileContentRequestSchema, q as RunThreadRequestSchema, rt as SubmitThreadInputResponseSchema, st as ThreadMessageDetailFieldSchema, tt as StreamThreadRunEventSchema, vt as WorkspaceChangesResponseSchema, w as ListSkillsResponseSchema, y as ImageAttachmentUploadResponseSchema, z as QueuedThreadInputActionResponseSchema } from "./api-schema2.js";
-import { r as legacyCodexRelayDataPath, t as codexRelayDataPath } from "./paths.js";
+import { A as PairResponseSchema, At as WorkspaceTerminalResizeRequestSchema, C as ListQueuedThreadInputsResponseSchema, D as ListWorkspaceFilesResponseSchema, Dt as WorkspaceTerminalInputRequestSchema, E as ListWorkspaceDirectoriesResponseSchema, Ft as createOpenApiDocument, G as ResolveApprovalRequestSchema, K as ResolveApprovalResponseSchema, Lt as normalizePromptContext, Mt as WorkspaceTerminalStartRequestSchema, Nt as apiPaths, Pt as chatMessageDetailsFromPromptContext, Q as RuntimePreferencesSchema, Rt as promptMarkdownWithSkills, S as ListModelsResponseSchema, St as WorkspaceGitActionResponseSchema, T as ListThreadsResponseSchema, U as RateLimitsResponseSchema, Ut as stripPromptSkillMentions, X as RuntimePreferencesByWorkspacePathSchema, Z as RuntimePreferencesResponseSchema, _ as EncryptedPayloadSchema, a as ArchiveThreadResponseSchema, at as ThreadContextWindowResponseSchema, b as InterruptThreadRunResponseSchema, bt as WorkspaceFileContentResponseSchema, ct as ThreadMessageDetailResponseSchema, d as CheckoutWorkspaceBranchRequestSchema, dt as ThreadSummarySchema, et as StatusResponseSchema, ft as UpdateRuntimePreferencesRequestSchema, h as CreateThreadRequestSchema, jt as WorkspaceTerminalSessionResponseSchema, k as PairRequestSchema, kt as WorkspaceTerminalOutputResponseSchema, l as ChatMessageSchema, m as ContextWindowUsageSchema, mt as VersionResponseSchema, nt as StreamThreadRunRequestSchema, ot as ThreadDetailResponseSchema, p as CommitPushWorkspaceRequestSchema, pt as UpdateWorkspaceFileContentRequestSchema, q as RunThreadRequestSchema, rt as SubmitThreadInputResponseSchema, st as ThreadMessageDetailFieldSchema, tt as StreamThreadRunEventSchema, vt as WorkspaceChangesResponseSchema, w as ListSkillsResponseSchema, y as ImageAttachmentUploadResponseSchema, z as QueuedThreadInputActionResponseSchema } from "./api-schema2.js";
+import { a as getConnectUrlCandidates, i as createPairingQrPayload, o as getConnectUrlGuidance, r as legacyCodexRelayDataPath, s as createTursoPairingSessionStore, t as codexRelayDataPath } from "./paths.js";
 import { createRequire } from "node:module";
 import qrcode from "qrcode-terminal";
-import { execFile, execFileSync, spawn } from "node:child_process";
+import { execFile, spawn } from "node:child_process";
 import fs, { existsSync, mkdirSync, readFileSync, readdirSync, statSync, writeFileSync } from "node:fs";
 import { access, appendFile, copyFile, mkdir, open, readFile, readdir, stat, writeFile } from "node:fs/promises";
 import path, { basename, dirname, extname, isAbsolute, join, relative, resolve } from "node:path";
 import { fileURLToPath } from "node:url";
 import { z } from "zod";
-import os, { homedir, hostname, networkInterfaces } from "node:os";
-import { serve } from "@hono/node-server";
 import { fromByteArray, toByteArray } from "base64-js";
+import os, { homedir, hostname } from "node:os";
+import { serve } from "@hono/node-server";
 import { createHash, randomBytes, randomUUID } from "node:crypto";
 import pc from "picocolors";
 import { openRepository } from "es-git";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { promisify } from "node:util";
+import * as pty from "@lydell/node-pty";
 import { createInterface } from "node:readline";
 import { Codex } from "@openai/codex-sdk";
 import { gcm } from "@noble/ciphers/aes.js";
@@ -24,7 +25,6 @@ import { randomBytes as randomBytes$1, utf8ToBytes } from "@noble/ciphers/utils.
 import { ed25519, x25519 } from "@noble/curves/ed25519.js";
 import { hkdf } from "@noble/hashes/hkdf.js";
 import { sha256 } from "@noble/hashes/sha2.js";
-import { connect } from "@tursodatabase/database";
 //#region src/app-server.ts
 var CodexAppServerClient = class {
 	child;
@@ -823,6 +823,7 @@ const defaultWebPreviewPorts = [
 ];
 const PairApproveRequestSchema = z.object({ approvalCode: z.string().trim().min(1) });
 const maxResolvedApprovals = 100;
+const maxWorkspaceTerminalOutputChunks = 2e3;
 function createApp(options = {}) {
 	const app = new Hono();
 	const appServer = options.appServer === void 0 ? process.env.VITEST ? null : new CodexAppServerClient() : options.appServer;
@@ -835,10 +836,12 @@ function createApp(options = {}) {
 	const pendingApprovals = /* @__PURE__ */ new Map();
 	const resolvedApprovals = /* @__PURE__ */ new Map();
 	const queuedInputsByThreadId = /* @__PURE__ */ new Map();
+	const workspaceTerminalSessions = /* @__PURE__ */ new Map();
 	const activeAppServerTurnIdsByThreadId = /* @__PURE__ */ new Map();
 	const appServerHistoryLoadsByThreadId = /* @__PURE__ */ new Map();
 	const steeringThreads = /* @__PURE__ */ new Set();
 	const secureSessionsByTokenHash = /* @__PURE__ */ new Map();
+	const activeStreamControllers = /* @__PURE__ */ new Set();
 	const threadOptions = { workingDirectory: workspacePath };
 	const scheduleAppServerHistoryLoad = (threadId, cachedMessages) => {
 		if (!appServer || appServerHistoryLoadsByThreadId.has(threadId)) return;
@@ -870,7 +873,7 @@ function createApp(options = {}) {
 	};
 	app.use("*", cors());
 	app.use("*", async (c, next) => {
-		if (!options.pairing || c.req.method === "OPTIONS" || c.req.path === apiPaths.version || c.req.path.startsWith(`${apiPaths.imageAttachments}/`) || c.req.path.startsWith(apiPaths.pair)) {
+		if (!options.pairing || c.req.method === "OPTIONS" || c.req.path === apiPaths.version || c.req.path.startsWith(`${apiPaths.imageAttachments}/`) || c.req.path === apiPaths.sessionsClear || c.req.path.startsWith(apiPaths.pair)) {
 			await next();
 			return;
 		}
@@ -978,6 +981,18 @@ function createApp(options = {}) {
 		});
 		return c.json({ ok: true });
 	});
+	app.post(apiPaths.sessionsClear, async (c) => {
+		if (!options.pairing) return c.json(apiError("pairing_disabled", "Pairing is not enabled on this server."), 404);
+		if (options.pairing.approvalSecret && c.req.header("x-codex-relay-approve-secret") !== options.pairing.approvalSecret) return c.json(apiError("unauthorized", "Pairing clear must come from this machine."), 401);
+		const result = await options.pairing.sessions.clearAll();
+		secureSessionsByTokenHash.clear();
+		closeActiveStreamControllers(activeStreamControllers);
+		options.pairing.onPairingsCleared?.(result);
+		return c.json({
+			ok: true,
+			...result
+		});
+	});
 	app.post(apiPaths.sessionRefresh, async (c) => {
 		if (!options.pairing) return c.json(apiError("pairing_disabled", "Pairing is not enabled on this server."), 404);
 		const oldToken = parseBearerToken(c.req.header("authorization"));
@@ -1140,6 +1155,70 @@ function createApp(options = {}) {
 			return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_commit_push_failed", errorMessage(error)), 400);
 		}
 	});
+	app.post(apiPaths.workspaceTerminalSessions, async (c) => {
+		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, WorkspaceTerminalStartRequestSchema);
+		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
+		const selectedWorkspacePath = await validateThreadWorkspacePath(workspacePath, parsed.data.workspacePath);
+		if (!selectedWorkspacePath.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("invalid_workspace_path", selectedWorkspacePath.error), 400);
+		try {
+			const session = createWorkspaceTerminalSession({
+				cols: parsed.data.cols,
+				cwd: selectedWorkspacePath.path,
+				rows: parsed.data.rows
+			});
+			workspaceTerminalSessions.set(session.sessionId, session);
+			const response = WorkspaceTerminalSessionResponseSchema.parse({
+				cols: session.cols,
+				rows: session.rows,
+				sessionId: session.sessionId,
+				startedAt: session.startedAt,
+				workspacePath: session.workspacePath
+			});
+			return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
+		} catch (error) {
+			return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_terminal_start_failed", errorMessage(error)), 400);
+		}
+	});
+	app.get("/v1/workspace/terminal/sessions/:sessionId/output", async (c) => {
+		const session = workspaceTerminalSessions.get(c.req.param("sessionId"));
+		if (!session) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_terminal_not_found", "Terminal session was not found."), 404);
+		const since = Number(c.req.query("since") ?? "0");
+		const chunks = session.output.filter((chunk) => chunk.seq >= since);
+		const response = WorkspaceTerminalOutputResponseSchema.parse({
+			chunks,
+			exitCode: session.exitCode,
+			exitedAt: session.exitedAt,
+			nextSeq: session.seq
+		});
+		return secureJson(c, options.pairing, secureSessionsByTokenHash, response);
+	});
+	app.post("/v1/workspace/terminal/sessions/:sessionId/input", async (c) => {
+		const session = workspaceTerminalSessions.get(c.req.param("sessionId"));
+		if (!session) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_terminal_not_found", "Terminal session was not found."), 404);
+		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, WorkspaceTerminalInputRequestSchema);
+		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
+		if (session.exitedAt) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_terminal_closed", "Terminal session is closed."), 409);
+		session.child.write(parsed.data.data);
+		return secureJson(c, options.pairing, secureSessionsByTokenHash, { ok: true });
+	});
+	app.post("/v1/workspace/terminal/sessions/:sessionId/resize", async (c) => {
+		const session = workspaceTerminalSessions.get(c.req.param("sessionId"));
+		if (!session) return secureJson(c, options.pairing, secureSessionsByTokenHash, apiError("workspace_terminal_not_found", "Terminal session was not found."), 404);
+		const parsed = await parseRequestJson(c, options.pairing, secureSessionsByTokenHash, WorkspaceTerminalResizeRequestSchema);
+		if (!parsed.success) return secureJson(c, options.pairing, secureSessionsByTokenHash, validationError(parsed.error), 400);
+		session.cols = parsed.data.cols;
+		session.rows = parsed.data.rows;
+		if (!session.exitedAt) session.child.resize(parsed.data.cols, parsed.data.rows);
+		return secureJson(c, options.pairing, secureSessionsByTokenHash, { ok: true });
+	});
+	app.delete("/v1/workspace/terminal/sessions/:sessionId", async (c) => {
+		const session = workspaceTerminalSessions.get(c.req.param("sessionId"));
+		if (session) {
+			closeWorkspaceTerminalSession(session);
+			workspaceTerminalSessions.delete(session.sessionId);
+		}
+		return secureJson(c, options.pairing, secureSessionsByTokenHash, { ok: true });
+	});
 	app.get(apiPaths.models, async (c) => {
 		try {
 			const models = appServer ? await appServer.listModels() : fallbackModels();
@@ -1748,9 +1827,12 @@ function createApp(options = {}) {
 		});
 		const encoder = new TextEncoder();
 		const secureSession = getSecureSessionForRequest(c, options.pairing, secureSessionsByTokenHash);
+		let streamController;
 		let streamSettled = false;
 		const stream = new ReadableStream({
 			start(controller) {
+				streamController = controller;
+				activeStreamControllers.add(controller);
 				relayDebugLog("thread.stream.started", {
 					mode: !runOptions.prompt && appServer ? "attach" : "run",
 					threadId
@@ -1781,6 +1863,7 @@ function createApp(options = {}) {
 							mode: "attach",
 							threadId
 						});
+						activeStreamControllers.delete(controller);
 						stopPreviewMonitor();
 					});
 					return;
@@ -1798,6 +1881,7 @@ function createApp(options = {}) {
 						mode: "unsupported",
 						threadId
 					});
+					activeStreamControllers.delete(controller);
 					stopPreviewMonitor();
 					return;
 				}
@@ -1830,10 +1914,12 @@ function createApp(options = {}) {
 						mode: "run",
 						threadId
 					});
+					activeStreamControllers.delete(controller);
 					stopPreviewMonitor();
 				});
 			},
 			cancel(reason) {
+				if (streamController) activeStreamControllers.delete(streamController);
 				relayDebugLog("thread.stream.cancelled_by_client", {
 					reason: debugReason(reason),
 					settled: streamSettled,
@@ -3476,10 +3562,32 @@ function updateThread(threads, messagesByThreadId, threadId, update) {
 }
 function sendSse(controller, encoder, secureSession, event) {
 	const parsed = StreamThreadRunEventSchema.parse(event);
+	const threadId = threadIdFromStreamEvent(parsed);
+	relayDebugLog("thread.stream.sse", {
+		direction: "server_to_mobile",
+		eventType: parsed.type,
+		threadId,
+		payload: parsed
+	});
 	const data = secureSession ? EncryptedPayloadSchema.parse(encryptForMobile(secureSession.session, JSON.stringify(parsed))) : parsed;
 	if (secureSession) secureSession.persist().catch(() => void 0);
-	if (!enqueueSseChunk(controller, encoder.encode(`event: ${parsed.type}\n`))) return;
-	enqueueSseChunk(controller, encoder.encode(`data: ${JSON.stringify(data)}\n\n`));
+	if (!enqueueSseChunk(controller, encoder.encode(`event: ${parsed.type}\n`))) {
+		relayDebugLog("thread.stream.sse.enqueue_failed", {
+			eventType: parsed.type,
+			stage: "event",
+			threadId
+		});
+		return;
+	}
+	if (!enqueueSseChunk(controller, encoder.encode(`data: ${JSON.stringify(data)}\n\n`))) relayDebugLog("thread.stream.sse.enqueue_failed", {
+		eventType: parsed.type,
+		stage: "data",
+		threadId
+	});
+}
+function threadIdFromStreamEvent(event) {
+	if ("threadId" in event && typeof event.threadId === "string") return event.threadId;
+	if ("thread" in event && event.thread) return event.thread.id;
 }
 function enqueueSseChunk(controller, chunk) {
 	try {
@@ -3499,6 +3607,10 @@ function closeSseController(controller) {
 		throw error;
 	}
 }
+function closeActiveStreamControllers(controllers) {
+	for (const controller of controllers) closeSseController(controller);
+	controllers.clear();
+}
 function isClosedStreamControllerError(error) {
 	return error instanceof TypeError && error.code === "ERR_INVALID_STATE" && error.message.includes("Controller is already closed");
 }
@@ -5168,10 +5280,57 @@ async function git(cwd, args) {
 	});
 	return stdout.trimEnd();
 }
+function createWorkspaceTerminalSession(input) {
+	const sessionId = randomUUID();
+	const startedAt = (/* @__PURE__ */ new Date()).toISOString();
+	const shell = process.env.SHELL || "/bin/sh";
+	const child = pty.spawn(shell, ["-l"], {
+		cols: input.cols,
+		cwd: input.cwd,
+		env: {
+			...process.env,
+			COLORTERM: process.env.COLORTERM ?? "truecolor",
+			TERM: process.env.TERM && process.env.TERM !== "dumb" ? process.env.TERM : "xterm-256color"
+		},
+		name: "xterm-256color",
+		rows: input.rows
+	});
+	const session = {
+		child,
+		cols: input.cols,
+		output: [],
+		rows: input.rows,
+		seq: 0,
+		sessionId,
+		startedAt,
+		workspacePath: input.cwd
+	};
+	const appendOutput = (data) => {
+		session.output.push({
+			data,
+			seq: session.seq
+		});
+		session.seq += 1;
+		if (session.output.length > maxWorkspaceTerminalOutputChunks) session.output.splice(0, session.output.length - maxWorkspaceTerminalOutputChunks);
+	};
+	child.onData(appendOutput);
+	child.onExit(({ exitCode }) => {
+		session.exitCode = exitCode;
+		session.exitedAt = (/* @__PURE__ */ new Date()).toISOString();
+	});
+	return session;
+}
+function closeWorkspaceTerminalSession(session) {
+	if (session.exitedAt) return;
+	session.child.kill();
+}
 async function listWorkspaceFiles(workspacePath, query, directory) {
 	const normalizedQuery = query.toLowerCase();
-	const filePaths = await workspaceFilePaths(workspacePath);
+	const isIgnored = await workspaceIgnoreMatcher(workspacePath);
+	if (directory && isWorkspacePathIgnored(directory, isIgnored)) return [];
+	const filePaths = await workspaceFilePaths(workspacePath, isIgnored);
 	const entriesByPath = /* @__PURE__ */ new Map();
+	for (const entry of await workspaceDirectoryEntries(workspacePath, directory, isIgnored)) entriesByPath.set(entry.path, entry);
 	for (const path of filePaths) {
 		if (!path || path.startsWith("../") || path.includes("/.git/")) continue;
 		if (!directory && normalizedQuery) {
@@ -5184,6 +5343,7 @@ async function listWorkspaceFiles(workspacePath, query, directory) {
 			const parts = path.split("/");
 			for (let index = 1; index < parts.length; index += 1) {
 				const directoryPath = parts.slice(0, index).join("/");
+				if (isWorkspacePathIgnored(directoryPath, isIgnored)) continue;
 				entriesByPath.set(directoryPath, {
 					directory: dirname(directoryPath) === "." ? "" : dirname(directoryPath),
 					kind: "directory",
@@ -5205,6 +5365,7 @@ async function listWorkspaceFiles(workspacePath, query, directory) {
 		});
 		else {
 			const directoryPath = [...directory ? directory.split("/") : [], childParts[0]].join("/");
+			if (isWorkspacePathIgnored(directoryPath, isIgnored)) continue;
 			entriesByPath.set(directoryPath, {
 				directory,
 				kind: "directory",
@@ -5383,19 +5544,32 @@ function languageFromWorkspaceFile(path) {
 		yml: "yaml"
 	}[extension] ?? extension;
 }
-async function workspaceFilePaths(workspacePath) {
-	const isIgnored = await workspaceIgnoreMatcher(workspacePath);
+async function workspaceFilePaths(workspacePath, isIgnored) {
 	try {
 		return (await git(workspacePath, [
 			"ls-files",
 			"--cached",
 			"--others",
 			"--exclude-standard"
-		])).split("\n").filter(Boolean).filter((path) => !isIgnored(path));
+		])).split("\n").filter(Boolean).filter((path) => !isWorkspacePathIgnored(path, isIgnored));
 	} catch {
 		return recursiveWorkspaceFilePaths(workspacePath, isIgnored);
 	}
 }
+async function workspaceDirectoryEntries(workspacePath, directory, isIgnored) {
+	const rootPath = resolve(workspacePath);
+	const absoluteDirectory = resolve(rootPath, directory);
+	if (absoluteDirectory !== rootPath && !isPathInside(rootPath, absoluteDirectory)) return [];
+	return (await readdir(absoluteDirectory, { withFileTypes: true })).filter((entry) => entry.isDirectory() && entry.name !== ".git").map((entry) => {
+		const path = [...directory ? directory.split("/") : [], entry.name].join("/");
+		return {
+			directory,
+			kind: "directory",
+			name: entry.name,
+			path
+		};
+	}).filter((entry) => !isWorkspacePathIgnored(entry.path, isIgnored));
+}
 async function recursiveWorkspaceFilePaths(rootPath, isIgnored) {
 	const ignoredDirectories = new Set([
 		".git",
@@ -5411,7 +5585,7 @@ async function recursiveWorkspaceFilePaths(rootPath, isIgnored) {
 			if (entry.name.startsWith(".") && entry.name !== ".github") continue;
 			const absolutePath = resolve(directory, entry.name);
 			const relativePath = relative(rootPath, absolutePath).split("\\").join("/");
-			if (isIgnored(relativePath)) continue;
+			if (isWorkspacePathIgnored(relativePath, isIgnored)) continue;
 			if (entry.isDirectory()) {
 				if (ignoredDirectories.has(entry.name)) continue;
 				await visit(absolutePath);
@@ -5427,6 +5601,17 @@ async function workspaceIgnoreMatcher(workspacePath) {
 	const matchers = (await readFile(join(workspacePath, ".gitignore"), "utf8").catch(() => "")).split(/\r?\n/).map((line) => gitignorePatternMatcher(line)).filter((matcher) => Boolean(matcher));
 	return (path) => matchers.some((matcher) => matcher(path.split("\\").join("/")));
 }
+function isWorkspacePathIgnored(path, isIgnored) {
+	const normalizedPath = path.replace(/^\/+/, "").replaceAll("\\", "/").replace(/\/+$/, "");
+	if (!normalizedPath) return false;
+	if (isIgnored(normalizedPath) || isIgnored(`${normalizedPath}/`)) return true;
+	const parts = normalizedPath.split("/");
+	for (let index = 1; index < parts.length; index += 1) {
+		const ancestorPath = parts.slice(0, index).join("/");
+		if (isIgnored(ancestorPath) || isIgnored(`${ancestorPath}/`)) return true;
+	}
+	return false;
+}
 function gitignorePatternMatcher(line) {
 	const trimmed = line.trim();
 	if (!trimmed || trimmed.startsWith("#") || trimmed.startsWith("!")) return;
@@ -5439,7 +5624,7 @@ function gitignorePatternMatcher(line) {
 	return (path) => {
 		const normalizedPath = path.replace(/^\/+/, "");
 		return (anchored || hasSlash ? [normalizedPath] : normalizedPath.split("/")).some((candidate) => {
-			if (directoryOnly) return matcher(candidate) || normalizedPath.startsWith(`${candidate}/`);
+			if (directoryOnly) return matcher(candidate);
 			return matcher(candidate);
 		});
 	};
@@ -5473,238 +5658,6 @@ function errorMessage(error) {
 	return error instanceof Error ? error.message : "Codex run failed.";
 }
 //#endregion
-//#region src/pairing-store.ts
-async function createTursoPairingSessionStore(path) {
-	if (path !== ":memory:") await mkdir(dirname(path), { recursive: true });
-	const db = await connect(path);
-	await db.exec(`
-    CREATE TABLE IF NOT EXISTS pairing_sessions (
-      token_hash TEXT PRIMARY KEY,
-      client_session_id TEXT,
-      client_name TEXT,
-      expires_at INTEGER NOT NULL,
-      key_epoch INTEGER,
-      mobile_to_server_key TEXT,
-      server_to_mobile_key TEXT,
-      last_mobile_counter INTEGER,
-      next_server_counter INTEGER,
-      created_at INTEGER NOT NULL,
-      updated_at INTEGER NOT NULL
-    );
-    CREATE TABLE IF NOT EXISTS pending_pairings (
-      approval_code TEXT PRIMARY KEY,
-      client_session_id TEXT,
-      client_name TEXT,
-      client_ephemeral_public_key TEXT NOT NULL,
-      client_nonce TEXT NOT NULL,
-      server_url TEXT NOT NULL,
-      approved INTEGER NOT NULL DEFAULT 0,
-      expires_at INTEGER NOT NULL,
-      created_at INTEGER NOT NULL,
-      updated_at INTEGER NOT NULL
-    );
-  `);
-	await ensurePairingSessionColumns();
-	async function countActive(now) {
-		const row = await db.prepare("SELECT COUNT(DISTINCT COALESCE(client_session_id, token_hash)) AS count FROM pairing_sessions WHERE expires_at > ?").get(now);
-		return Number(row?.count ?? 0);
-	}
-	async function deleteSession(tokenHash) {
-		await db.prepare("DELETE FROM pairing_sessions WHERE token_hash = ?").run(tokenHash);
-	}
-	async function deletePendingPairing(approvalCode) {
-		await db.prepare("DELETE FROM pending_pairings WHERE approval_code = ?").run(approvalCode);
-	}
-	async function getPendingPairing(approvalCode, now) {
-		const row = await db.prepare(`SELECT approval_code AS approvalCode,
-                client_session_id AS clientSessionId,
-                client_name AS clientName,
-                client_ephemeral_public_key AS clientEphemeralPublicKey,
-                client_nonce AS clientNonce,
-                server_url AS serverUrl,
-                approved,
-                expires_at AS expiresAt
-         FROM pending_pairings
-         WHERE approval_code = ?`).get(approvalCode);
-		if (!row) return;
-		const expiresAt = Number(row.expiresAt);
-		if (now > expiresAt) {
-			await deletePendingPairing(approvalCode);
-			return;
-		}
-		return {
-			approvalCode: String(row.approvalCode),
-			approved: Number(row.approved) === 1,
-			clientEphemeralPublicKey: String(row.clientEphemeralPublicKey),
-			clientSessionId: typeof row.clientSessionId === "string" ? row.clientSessionId : void 0,
-			clientName: typeof row.clientName === "string" ? row.clientName : void 0,
-			clientNonce: String(row.clientNonce),
-			expiresAt,
-			serverUrl: String(row.serverUrl)
-		};
-	}
-	return {
-		async approvePendingPairing(approvalCode, now) {
-			const pending = await getPendingPairing(approvalCode, now);
-			if (!pending) return;
-			await db.prepare("UPDATE pending_pairings SET approved = 1, updated_at = ? WHERE approval_code = ?").run(now, approvalCode);
-			return {
-				...pending,
-				approved: true
-			};
-		},
-		countActive,
-		async createPendingPairing(pairing) {
-			const now = Date.now();
-			await db.prepare(`INSERT INTO pending_pairings (
-             approval_code,
-             client_session_id,
-             client_name,
-             client_ephemeral_public_key,
-             client_nonce,
-             server_url,
-             approved,
-             expires_at,
-             created_at,
-             updated_at
-           )
-           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(pairing.approvalCode, pairing.clientSessionId ?? null, pairing.clientName ?? null, pairing.clientEphemeralPublicKey, pairing.clientNonce, pairing.serverUrl, pairing.approved ? 1 : 0, pairing.expiresAt, now, now);
-		},
-		async createSession(tokenHash, session) {
-			const now = Date.now();
-			const secure = encodeSecureSession(session.secureSession);
-			if (session.clientSessionId) {
-				await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id = ?").run(session.clientSessionId);
-				if (session.clientName) await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id IS NULL AND client_name = ?").run(session.clientName);
-			}
-			await db.prepare(`INSERT INTO pairing_sessions (
-             token_hash,
-             client_session_id,
-             client_name,
-             expires_at,
-             key_epoch,
-             mobile_to_server_key,
-             server_to_mobile_key,
-             last_mobile_counter,
-             next_server_counter,
-             created_at,
-             updated_at
-           )
-           VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(tokenHash, session.clientSessionId ?? null, session.clientName ?? null, session.expiresAt, secure?.keyEpoch ?? null, secure?.mobileToServerKey ?? null, secure?.serverToMobileKey ?? null, secure?.lastMobileCounter ?? null, secure?.nextServerCounter ?? null, now, now);
-			return countActive(now);
-		},
-		deleteSession,
-		deletePendingPairing,
-		getPendingPairing,
-		async getValidSession(tokenHash, now) {
-			const row = await db.prepare(`SELECT client_name AS clientName,
-                  client_session_id AS clientSessionId,
-                  expires_at AS expiresAt,
-                  key_epoch AS keyEpoch,
-                  mobile_to_server_key AS mobileToServerKey,
-                  server_to_mobile_key AS serverToMobileKey,
-                  last_mobile_counter AS lastMobileCounter,
-                  next_server_counter AS nextServerCounter
-           FROM pairing_sessions
-           WHERE token_hash = ?`).get(tokenHash);
-			if (!row) return;
-			const expiresAt = Number(row.expiresAt);
-			if (now > expiresAt) {
-				await deleteSession(tokenHash);
-				return;
-			}
-			return {
-				clientSessionId: typeof row.clientSessionId === "string" ? row.clientSessionId : void 0,
-				clientName: typeof row.clientName === "string" ? row.clientName : void 0,
-				expiresAt,
-				secureSession: decodeSecureSession(row)
-			};
-		},
-		async pruneExpired(now) {
-			await db.prepare("DELETE FROM pairing_sessions WHERE expires_at <= ?").run(now);
-			await db.prepare("DELETE FROM pending_pairings WHERE expires_at <= ?").run(now);
-		},
-		async rotateSession(oldTokenHash, newTokenHash, session) {
-			const now = Date.now();
-			const secure = encodeSecureSession(session.secureSession);
-			await db.transaction(async () => {
-				await db.prepare("DELETE FROM pairing_sessions WHERE token_hash = ?").run(oldTokenHash);
-				if (session.clientSessionId) {
-					await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id = ?").run(session.clientSessionId);
-					if (session.clientName) await db.prepare("DELETE FROM pairing_sessions WHERE client_session_id IS NULL AND client_name = ?").run(session.clientName);
-				}
-				await db.prepare(`INSERT INTO pairing_sessions (
-               token_hash,
-               client_session_id,
-               client_name,
-               expires_at,
-               key_epoch,
-               mobile_to_server_key,
-               server_to_mobile_key,
-               last_mobile_counter,
-               next_server_counter,
-               created_at,
-               updated_at
-             )
-             VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`).run(newTokenHash, session.clientSessionId ?? null, session.clientName ?? null, session.expiresAt, secure?.keyEpoch ?? null, secure?.mobileToServerKey ?? null, secure?.serverToMobileKey ?? null, secure?.lastMobileCounter ?? null, secure?.nextServerCounter ?? null, now, now);
-			})();
-			return countActive(now);
-		},
-		async updateSecureSession(tokenHash, secureSession) {
-			const secure = encodeSecureSession(secureSession);
-			const now = Date.now();
-			await db.prepare(`UPDATE pairing_sessions
-           SET key_epoch = ?,
-               mobile_to_server_key = ?,
-               server_to_mobile_key = ?,
-               last_mobile_counter = ?,
-               next_server_counter = ?,
-               updated_at = ?
-           WHERE token_hash = ?`).run(secure.keyEpoch, secure.mobileToServerKey, secure.serverToMobileKey, secure.lastMobileCounter, secure.nextServerCounter, now, tokenHash);
-		}
-	};
-	async function ensurePairingSessionColumns() {
-		const rows = await db.prepare("PRAGMA table_info(pairing_sessions)").all();
-		const columns = new Set(resultRows(rows).map((row) => String(row.name)));
-		for (const [column, sql] of [
-			["client_session_id", "ALTER TABLE pairing_sessions ADD COLUMN client_session_id TEXT"],
-			["key_epoch", "ALTER TABLE pairing_sessions ADD COLUMN key_epoch INTEGER"],
-			["mobile_to_server_key", "ALTER TABLE pairing_sessions ADD COLUMN mobile_to_server_key TEXT"],
-			["server_to_mobile_key", "ALTER TABLE pairing_sessions ADD COLUMN server_to_mobile_key TEXT"],
-			["last_mobile_counter", "ALTER TABLE pairing_sessions ADD COLUMN last_mobile_counter INTEGER"],
-			["next_server_counter", "ALTER TABLE pairing_sessions ADD COLUMN next_server_counter INTEGER"]
-		]) if (!columns.has(column)) await db.exec(sql);
-		const pendingRows = await db.prepare("PRAGMA table_info(pending_pairings)").all();
-		if (!new Set(resultRows(pendingRows).map((row) => String(row.name))).has("client_session_id")) await db.exec("ALTER TABLE pending_pairings ADD COLUMN client_session_id TEXT");
-	}
-}
-function encodeSecureSession(session) {
-	if (!session) return;
-	return {
-		keyEpoch: session.keyEpoch,
-		lastMobileCounter: session.lastMobileCounter,
-		mobileToServerKey: fromByteArray(session.mobileToServerKey),
-		nextServerCounter: session.nextServerCounter,
-		serverToMobileKey: fromByteArray(session.serverToMobileKey)
-	};
-}
-function decodeSecureSession(row) {
-	if (typeof row.mobileToServerKey !== "string" || typeof row.serverToMobileKey !== "string" || row.keyEpoch === null || row.lastMobileCounter === null || row.nextServerCounter === null) return;
-	return {
-		keyEpoch: Number(row.keyEpoch),
-		lastMobileCounter: Number(row.lastMobileCounter),
-		mobileToServerKey: toByteArray(row.mobileToServerKey),
-		nextServerCounter: Number(row.nextServerCounter),
-		serverToMobileKey: toByteArray(row.serverToMobileKey)
-	};
-}
-function resultRows(result) {
-	if (Array.isArray(result)) return result;
-	if (result && typeof result === "object" && Array.isArray(result.rows)) return result.rows;
-	return [];
-}
-//#endregion
 //#region src/index.ts
 const port = Number(process.env.PORT ?? 8787);
 const hostname$1 = process.env.HOST ?? "0.0.0.0";
@@ -5755,6 +5708,9 @@ serve({
 			onPairApproved: ({ clientName }) => {
 				logRuntimeEvent("Approved", `Pairing request approved${clientName ? ` for ${clientName}` : ""}. Waiting for secure session pickup.`);
 			},
+			onPairingsCleared: ({ pendingPairingsCleared, sessionsCleared }) => {
+				logRuntimeEvent("Cleared", `Signed out ${sessionsCleared} mobile session${sessionsCleared === 1 ? "" : "s"} and removed ${pendingPairingsCleared} pending pairing request${pendingPairingsCleared === 1 ? "" : "s"}.`);
+			},
 			onTokenRefreshed: ({ clientName, tokenCount }) => {
 				logRuntimeEvent("Refreshed", `Mobile session rotated${clientName ? ` for ${clientName}` : ""}; ${formatClientCount(tokenCount)} active.`);
 			}
@@ -5765,10 +5721,19 @@ serve({
 	port
 }, (info) => {
 	const listenUrl = `http://${info.address}:${info.port}`;
-	const connectUrl = getConfiguredConnectUrl() ?? getTailscaleConnectUrl(info.port) ?? getLocalNetworkConnectUrl(info.port) ?? listenUrl;
-	const pairingPayload = createPairingQrPayload(connectUrl);
+	const connectUrlCandidates = getConnectUrlCandidates({
+		listenUrl,
+		port: info.port
+	});
+	const connectUrl = connectUrlCandidates[0]?.url ?? listenUrl;
+	const connectUrls = connectUrlCandidates.map((candidate) => candidate.url);
+	const pairingPayload = createPairingQrPayload({
+		serverPublicKey: serverIdentity.publicKey,
+		serverUrls: connectUrls.length > 0 ? connectUrls : [connectUrl]
+	});
 	writeServerState({
 		connectUrl,
+		connectUrlCandidates,
 		host: hostname$1,
 		listenUrl,
 		pairingPayload,
@@ -5779,6 +5744,7 @@ serve({
 		logRuntimeEvent("Debug", `Writing diagnostics to ${debugLogPath}`);
 		relayDebugLog("relay.started", {
 			connectUrl,
+			connectUrlCandidates,
 			listenUrl,
 			port: info.port,
 			workspacePath: process.env.CODEX_RELAY_WORKSPACE_PATH ?? process.cwd()
@@ -5788,6 +5754,7 @@ serve({
 	qrcode.generate(pairingPayload, { small: true });
 	console.log(formatStartupInstructions({
 		connectUrl,
+		connectUrlCandidates,
 		dangerouslyAutoApprove,
 		listenUrl,
 		pairingPayload,
@@ -5801,6 +5768,8 @@ function formatStartupInstructions(details) {
 			`${color.prompt("›")} Scan the QR code above to pair ${color.brand("Codex Relay mobile")}.`,
 			"",
 			`${color.prompt("›")} Mobile: ${color.url(details.connectUrl)}`,
+			...formatConnectUrlGuidance(details.connectUrl),
+			...formatConnectUrlCandidates(details.connectUrlCandidates),
 			`${color.prompt("›")} Server: ${color.muted(details.listenUrl)}`,
 			"",
 			`${color.prompt("›")} Pairing: ${color.url(details.pairingPayload)}`,
@@ -5817,34 +5786,23 @@ function formatStartupInstructions(details) {
 		""
 	].join("\n");
 }
+function formatConnectUrlGuidance(connectUrl) {
+	const guidance = getConnectUrlGuidance(connectUrl);
+	return guidance ? [`${color.prompt("›")} Network: ${guidance}`] : [];
+}
+function formatConnectUrlCandidates(candidates) {
+	if (candidates.length <= 1) return [];
+	return [`${color.prompt("›")} QR includes ${candidates.length} candidate addresses; the app will use the first reachable one.`, ...candidates.slice(1).map((candidate) => `  ${color.muted(candidate.label)} ${color.url(candidate.url)}`)];
+}
 function logRuntimeEvent(label, message) {
 	console.log(`${color.prompt("›")} ${color.event(label.padEnd(8))} ${message}`);
 }
 function formatClientCount(tokenCount) {
 	return `${tokenCount} client${tokenCount === 1 ? "" : "s"}`;
 }
-function createPairingQrPayload(serverUrl) {
-	const url = new URL("codex-relay://pair");
-	url.searchParams.set("serverUrl", serverUrl);
-	url.searchParams.set("serverPublicKey", serverIdentity.publicKey);
-	return url.toString();
-}
 function hashClientToken(token) {
 	return createHash("sha256").update(token).digest("base64url");
 }
-function getConfiguredConnectUrl() {
-	const configuredUrl = normalizeUrl(process.env.CODEX_RELAY_PUBLIC_URL);
-	if (configuredUrl) return configuredUrl;
-}
-function getTailscaleConnectUrl(port) {
-	const status = getTailscaleStatus();
-	const tailscaleIp = status?.Self?.TailscaleIPs?.find((ip) => ip.startsWith("100.") && ip.includes("."));
-	if (tailscaleIp) return `http://${tailscaleIp}:${port}`;
-	const dnsName = status?.Self?.DNSName?.replace(/\.$/, "");
-	if (dnsName) return getTailscaleServeHttpsUrl(dnsName, port) ?? `http://${dnsName}:${port}`;
-	const tailscaleHost = status?.Self?.TailscaleIPs?.find((ip) => ip.includes("."));
-	return tailscaleHost ? `http://${tailscaleHost}:${port}` : void 0;
-}
 async function getApprovalSecret() {
 	if (process.env.CODEX_RELAY_APPROVAL_SECRET) return process.env.CODEX_RELAY_APPROVAL_SECRET;
 	const path = await prepareCodexRelayDataPath("approval-secret");
@@ -5897,58 +5855,5 @@ async function writeBackgroundPid() {
 function formatApprovalCommand(approvalCode, activePort) {
 	return activePort === 8787 ? `${npxCommand} approve ${approvalCode}` : `PORT=${activePort} ${npxCommand} approve ${approvalCode}`;
 }
-function getLocalNetworkConnectUrl(port) {
-	for (const addresses of Object.values(networkInterfaces())) for (const address of addresses ?? []) if (address.family === "IPv4" && !address.internal) return `http://${address.address}:${port}`;
-}
-function normalizeUrl(value) {
-	if (!value) return;
-	const trimmed = value.trim().replace(/\/$/, "");
-	if (!trimmed) return;
-	try {
-		const url = new URL(trimmed);
-		return url.protocol === "http:" || url.protocol === "https:" ? url.toString().replace(/\/$/, "") : void 0;
-	} catch {
-		return;
-	}
-}
-function getTailscaleStatus() {
-	try {
-		const output = execFileSync("tailscale", ["status", "--json"], {
-			encoding: "utf8",
-			stdio: [
-				"ignore",
-				"pipe",
-				"ignore"
-			],
-			timeout: 1500
-		});
-		return JSON.parse(output);
-	} catch {
-		return;
-	}
-}
-function getTailscaleServeHttpsUrl(dnsName, port) {
-	try {
-		const output = execFileSync("tailscale", [
-			"serve",
-			"status",
-			"--json"
-		], {
-			encoding: "utf8",
-			stdio: [
-				"ignore",
-				"pipe",
-				"ignore"
-			],
-			timeout: 1500
-		});
-		const serveStatus = JSON.parse(output);
-		const portKey = String(port);
-		const hostPort = `${dnsName}:${portKey}`;
-		return serveStatus.TCP?.[portKey]?.HTTPS && serveStatus.Web?.[hostPort] ? `https://${hostPort}` : void 0;
-	} catch {
-		return;
-	}
-}
 //#endregion
 export {};