happy-imou-cloud 2.0.12 → 2.0.13

package/scripts/e2e/local-server-session-roundtrip.mjs

@@ -1,1063 +1,1063 @@
-#!/usr/bin/env node
-
-import assert from 'node:assert/strict';
-import { spawn, spawnSync } from 'node:child_process';
-import {
-  createHash,
-  createHmac,
-  hkdfSync,
-  randomBytes,
-  randomUUID,
-} from 'node:crypto';
-import {
-  existsSync,
-  mkdirSync,
-  mkdtempSync,
-  readFileSync,
-  rmSync,
-  writeFileSync,
-} from 'node:fs';
-import { createServer } from 'node:net';
-import { setTimeout as delay } from 'node:timers/promises';
-import { dirname, join, resolve } from 'node:path';
-import { tmpdir } from 'node:os';
-import { fileURLToPath, pathToFileURL } from 'node:url';
-
-import { io } from 'socket.io-client';
-import tweetnacl from 'tweetnacl';
-
-const __dirname = dirname(fileURLToPath(import.meta.url));
-const packageRoot = resolve(__dirname, '..', '..');
-const workspaceRoot = resolve(packageRoot, '..', '..');
-const serverRoot = resolve(workspaceRoot, 'packages', 'happy-server');
-const cliBin = resolve(packageRoot, 'bin', 'happy-cloud.mjs');
-const demoProjectDir = resolve(packageRoot, 'demo-project');
-const fakeAcpAgentPath = resolve(packageRoot, 'scripts', 'e2e', 'fake-codex-acp-agent.mjs');
-const cliVersion = JSON.parse(readFileSync(resolve(packageRoot, 'package.json'), 'utf8')).version;
-
-const serverPort = process.env.HAPPY_CLI_E2E_SERVER_PORT || process.env.HAPPY_SERVER_TEST_PORT || '3005';
-const baseUrl = process.env.HAPPY_CLI_E2E_SERVER_URL || process.env.HAPPY_SERVER_BASE_URL || `http://127.0.0.1:${serverPort}`;
-const configuredDaemonPort = process.env.HAPPY_CLI_E2E_DAEMON_PORT || process.env.HAPPY_CLOUD_DAEMON_PORT || '';
-const fakeAcpReply = process.env.HAPPY_E2E_FAKE_ACP_RESPONSE || 'LOCAL_E2E_ACK';
-const skipServerBoot = process.env.HAPPY_CLI_E2E_SKIP_SERVER_BOOT === 'true' || process.env.HAPPY_SERVER_LIVE_SKIP_BOOT === 'true';
-
-function encodeBase64(data) {
-  return Buffer.from(data).toString('base64');
-}
-
-function decodeBase64(data) {
-  return new Uint8Array(Buffer.from(data, 'base64'));
-}
-
-function normalizePlatform(platform) {
-  switch (platform) {
-    case 'win32':
-      return 'windows';
-    case 'darwin':
-      return 'macos';
-    default:
-      return platform;
-  }
-}
-
-function buildClientHeaders(version = cliVersion) {
-  return {
-    'X-Client-Name': 'happy-cli',
-    'X-Client-Version': version,
-    'X-Platform': normalizePlatform(process.platform),
-  };
-}
-
-function canonicalizeQuery(url) {
-  const entries = [...url.searchParams.entries()].sort(([aKey, aValue], [bKey, bValue]) => {
-    if (aKey === bKey) {
-      return aValue.localeCompare(bValue);
-    }
-    return aKey.localeCompare(bKey);
-  });
-  return entries.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join('&');
-}
-
-function hashBody(body) {
-  if (body == null) {
-    return createHash('sha256').update('').digest('hex');
-  }
-
-  const serialized = typeof body === 'string' ? body : JSON.stringify(body);
-  return createHash('sha256').update(serialized).digest('hex');
-}
-
-function deriveSigningSecret(signing) {
-  return Buffer.from(
-    hkdfSync(
-      'sha256',
-      Buffer.from(signing.seed, 'base64'),
-      Buffer.alloc(0),
-      Buffer.from('request-sign-v1'),
-      32,
-    ),
-  );
-}
-
-function signCanonical(signing, canonical) {
-  return createHmac('sha256', deriveSigningSecret(signing)).update(canonical).digest('base64');
-}
-
-function buildHttpCanonicalString({ method, url, timestamp, nonce, bodySha256 }) {
-  const parsed = new URL(url);
-  return [
-    method.toUpperCase(),
-    parsed.pathname,
-    canonicalizeQuery(parsed),
-    timestamp,
-    nonce,
-    bodySha256,
-  ].join('\n');
-}
-
-function buildWebSocketCanonicalString({ clientType, sessionId, machineId, timestamp, nonce }) {
-  const params = new URLSearchParams();
-  params.set('clientType', clientType);
-  if (sessionId) {
-    params.set('sessionId', sessionId);
-  }
-  if (machineId) {
-    params.set('machineId', machineId);
-  }
-
-  const url = new URL('https://unused.local/v1/updates');
-  url.search = params.toString();
-
-  return [
-    'WS_CONNECT',
-    '/v1/updates',
-    canonicalizeQuery(url),
-    timestamp,
-    nonce,
-  ].join('\n');
-}
-
-function buildSignedHeaders({ token, signing, method, url, body }) {
-  const timestamp = String(Date.now());
-  const nonce = randomUUID();
-  const bodySha256 = hashBody(body);
-  const canonical = buildHttpCanonicalString({
-    method,
-    url,
-    timestamp,
-    nonce,
-    bodySha256,
-  });
-
-  return {
-    ...buildClientHeaders(),
-    Authorization: `Bearer ${token}`,
-    ...(body != null ? { 'Content-Type': 'application/json' } : {}),
-    'X-Sign-Version': String(signing.version),
-    'X-Key-Id': signing.keyId,
-    'X-Timestamp': timestamp,
-    'X-Nonce': nonce,
-    'X-Body-SHA256': bodySha256,
-    'X-Signature': signCanonical(signing, canonical),
-  };
-}
-
-function buildSocketAuth({ token, signing, clientType, sessionId, machineId }) {
-  const auth = {
-    token,
-    clientType,
-    clientName: 'happy-cli',
-    clientVersion: cliVersion,
-    ...(sessionId ? { sessionId } : {}),
-    ...(machineId ? { machineId } : {}),
-  };
-
-  if (!signing) {
-    return auth;
-  }
-
-  const timestamp = String(Date.now());
-  const nonce = randomUUID();
-  const canonical = buildWebSocketCanonicalString({
-    clientType,
-    sessionId,
-    machineId,
-    timestamp,
-    nonce,
-  });
-
-  return {
-    ...auth,
-    signVersion: signing.version,
-    timestamp,
-    nonce,
-    signature: signCanonical(signing, canonical),
-  };
-}
-
-function authChallenge(secret) {
-  const keypair = tweetnacl.sign.keyPair.fromSeed(secret);
-  const challenge = new Uint8Array(randomBytes(32));
-  const signature = tweetnacl.sign.detached(challenge, keypair.secretKey);
-
-  return {
-    challenge,
-    publicKey: keypair.publicKey,
-    signature,
-  };
-}
-
-function encryptLegacy(data, secret) {
-  const nonce = new Uint8Array(randomBytes(tweetnacl.secretbox.nonceLength));
-  const encrypted = tweetnacl.secretbox(
-    new TextEncoder().encode(JSON.stringify(data)),
-    nonce,
-    secret,
-  );
-  const result = new Uint8Array(nonce.length + encrypted.length);
-  result.set(nonce, 0);
-  result.set(encrypted, nonce.length);
-  return result;
-}
-
-function decryptLegacy(data, secret) {
-  const nonce = data.slice(0, tweetnacl.secretbox.nonceLength);
-  const encrypted = data.slice(tweetnacl.secretbox.nonceLength);
-  const decrypted = tweetnacl.secretbox.open(encrypted, nonce, secret);
-  if (!decrypted) {
-    return null;
-  }
-  return JSON.parse(new TextDecoder().decode(decrypted));
-}
-
-async function requestJson(url, init = {}) {
-  const response = await fetch(url, init);
-  const text = await response.text();
-
-  let json = null;
-  try {
-    json = text ? JSON.parse(text) : null;
-  } catch {
-    json = { raw: text };
-  }
-
-  return {
-    status: response.status,
-    ok: response.ok,
-    json,
-  };
-}
-
-async function isServerHealthy(url) {
-  try {
-    const response = await fetch(`${url}/`);
-    return response.ok;
-  } catch {
-    return false;
-  }
-}
-
-async function waitForServer(url, timeoutMs = 30_000) {
-  const startedAt = Date.now();
-  while (Date.now() - startedAt < timeoutMs) {
-    if (await isServerHealthy(url)) {
-      return;
-    }
-    await delay(1_000);
-  }
-  throw new Error(`Server did not become ready within ${timeoutMs}ms`);
-}
-
-async function waitForCondition(fn, { timeoutMs = 15_000, intervalMs = 250, description = 'condition' } = {}) {
-  const startedAt = Date.now();
-  while (Date.now() - startedAt < timeoutMs) {
-    const result = await fn();
-    if (result) {
-      return result;
-    }
-    await delay(intervalMs);
-  }
-  throw new Error(`Timed out waiting for ${description} after ${timeoutMs}ms`);
-}
-
-async function resolveDaemonPort() {
-  if (configuredDaemonPort) {
-    return configuredDaemonPort;
-  }
-
-  const server = createServer();
-  try {
-    await new Promise((resolve, reject) => {
-      server.once('error', reject);
-      server.listen(0, '127.0.0.1', resolve);
-    });
-
-    const address = server.address();
-    if (!address || typeof address === 'string') {
-      throw new Error('Failed to resolve an available daemon port');
-    }
-
-    return String(address.port);
-  } finally {
-    await new Promise((resolve) => {
-      server.close(() => resolve());
-    }).catch(() => {});
-  }
-}
-
-function resolveTsxCli() {
-  const candidates = [
-    resolve(packageRoot, 'node_modules', 'tsx', 'dist', 'cli.mjs'),
-    resolve(workspaceRoot, 'node_modules', 'tsx', 'dist', 'cli.mjs'),
-  ];
-
-  for (const candidate of candidates) {
-    if (existsSync(candidate)) {
-      return candidate;
-    }
-  }
-
-  throw new Error('Could not resolve tsx CLI. Run yarn install first.');
-}
-
-function buildServerEnv() {
-  return {
-    ...process.env,
-    DATABASE_URL: process.env.DATABASE_URL || 'postgresql://postgres:postgres@localhost:5432/handy',
-    TEST_USERS: process.env.TEST_USERS || 'apple:apple123',
-    NODE_ENV: 'development',
-    PORT: serverPort,
-    ALLOW_LEGACY_UNSIGNED_REQUESTS: 'true',
-    REQUEST_SIGN_ENFORCE_MIN_APP_VERSION: '1.8.0',
-    LEGACY_SIGN_SUNSET_AT: '2026-12-31T00:00:00Z',
-  };
-}
-
-function writeCliState({ homeDir, token, signing, secret, machineId }) {
-  mkdirSync(homeDir, { recursive: true });
-
-  writeFileSync(
-    join(homeDir, 'access.key'),
-    JSON.stringify(
-      {
-        secret: encodeBase64(secret),
-        token,
-        signing,
-      },
-      null,
-      2,
-    ),
-    'utf8',
-  );
-
-  writeFileSync(
-    join(homeDir, 'settings.json'),
-    JSON.stringify(
-      {
-        schemaVersion: 2,
-        onboardingCompleted: true,
-        machineId,
-        machineIdConfirmedByServer: false,
-        profiles: [],
-        localEnvironmentVariables: {},
-      },
-      null,
-      2,
-    ),
-    'utf8',
-  );
-}
-
-async function waitForSocketConnect(socket, timeoutMs = 10_000) {
-  if (socket?.connected) {
-    return;
-  }
-
-  return new Promise((resolve, reject) => {
-    const timer = setTimeout(() => {
-      cleanup();
-      reject(new Error('Timed out waiting for socket connect'));
-    }, timeoutMs);
-
-    const cleanup = () => {
-      clearTimeout(timer);
-      socket.off('connect', onConnect);
-      socket.off('connect_error', onError);
-    };
-
-    const onConnect = () => {
-      cleanup();
-      resolve();
-    };
-
-    const onError = (error) => {
-      cleanup();
-      reject(error instanceof Error ? error : new Error(String(error)));
-    };
-
-    socket.on('connect', onConnect);
-    socket.on('connect_error', onError);
-  });
-}
-
-async function waitForObserverMessage({ socket, secret, predicate, timeoutMs = 15_000 }) {
-  return new Promise((resolve, reject) => {
-    const timer = setTimeout(() => {
-      cleanup();
-      reject(new Error('Timed out waiting for observer update'));
-    }, timeoutMs);
-
-    const cleanup = () => {
-      clearTimeout(timer);
-      socket.off('update', onUpdate);
-      socket.off('connect_error', onError);
-    };
-
-    const onError = (error) => {
-      cleanup();
-      reject(error instanceof Error ? error : new Error(String(error)));
-    };
-
-    const onUpdate = (update) => {
-      try {
-        if (!update?.body || update.body.t !== 'new-message') {
-          return;
-        }
-        const encrypted = update.body?.message?.content;
-        if (!encrypted || encrypted.t !== 'encrypted' || typeof encrypted.c !== 'string') {
-          return;
-        }
-
-        const body = decryptLegacy(decodeBase64(encrypted.c), secret);
-        if (!body) {
-          return;
-        }
-
-        if (predicate(body, update)) {
-          cleanup();
-          resolve({ body, update });
-        }
-      } catch (error) {
-        cleanup();
-        reject(error);
-      }
-    };
-
-    socket.on('update', onUpdate);
-    socket.on('connect_error', onError);
-  });
-}
-
-async function waitForClientMessage({ client, predicate, timeoutMs = 15_000 }) {
-  return new Promise((resolve, reject) => {
-    const timer = setTimeout(() => {
-      cleanup();
-      reject(new Error('Timed out waiting for client message'));
-    }, timeoutMs);
-
-    const cleanup = () => {
-      clearTimeout(timer);
-      client.off('message', onMessage);
-    };
-
-    const onMessage = (body) => {
-      try {
-        if (predicate(body)) {
-          cleanup();
-          resolve(body);
-        }
-      } catch (error) {
-        cleanup();
-        reject(error);
-      }
-    };
-
-    client.on('message', onMessage);
-  });
-}
-
-async function waitForChildExit(child, timeoutMs = 5_000) {
-  if (!child || child.exitCode !== null) {
-    return true;
-  }
-
-  return await new Promise((resolve) => {
-    const timer = setTimeout(() => {
-      cleanup();
-      resolve(child.exitCode !== null);
-    }, timeoutMs);
-
-    const cleanup = () => {
-      clearTimeout(timer);
-      child.off('exit', onExit);
-      child.off('error', onError);
-    };
-
-    const onExit = () => {
-      cleanup();
-      resolve(true);
-    };
-
-    const onError = () => {
-      cleanup();
-      resolve(child.exitCode !== null);
-    };
-
-    child.once('exit', onExit);
-    child.once('error', onError);
-  });
-}
-
-async function killProcessTree(child) {
-  if (!child?.pid) {
-    return;
-  }
-
-  if (process.platform === 'win32') {
-    await new Promise((resolve) => {
-      const killer = spawn('taskkill', ['/PID', String(child.pid), '/T', '/F'], { stdio: 'ignore' });
-      killer.once('exit', resolve);
-      killer.once('error', resolve);
-    });
-    return;
-  }
-
-  try {
-    process.kill(child.pid, 'SIGKILL');
-  } catch {
-    // Ignore if already exited.
-  }
-}
-
-async function stopChildProcess(child) {
-  if (!child) {
-    return;
-  }
-
-  child.kill('SIGTERM');
-  const exited = await waitForChildExit(child, 2_000);
-  if (!exited) {
-    await killProcessTree(child);
-    await waitForChildExit(child, 2_000);
-  }
-}
-
-async function authenticateWithKey(secret) {
-  const { challenge, publicKey, signature } = authChallenge(secret);
-  const response = await requestJson(`${baseUrl}/v1/auth`, {
-    method: 'POST',
-    headers: {
-      ...buildClientHeaders(),
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify({
-      challenge: encodeBase64(challenge),
-      publicKey: encodeBase64(publicKey),
-      signature: encodeBase64(signature),
-    }),
-  });
-
-  assert.equal(response.status, 200, `auth failed: ${JSON.stringify(response.json)}`);
-  assert.equal(response.json?.success, true, `auth response invalid: ${JSON.stringify(response.json)}`);
-
-  return {
-    token: response.json.token,
-    signing: response.json.signing,
-  };
-}
-
-async function fetchMachine({ token, signing, machineId }) {
-  const url = `${baseUrl}/v1/machines/${machineId}`;
-  const response = await requestJson(url, {
-    method: 'GET',
-    headers: buildSignedHeaders({
-      token,
-      signing,
-      method: 'GET',
-      url,
-      body: null,
-    }),
-  });
-
-  if (response.status === 404) {
-    return null;
-  }
-
-  assert.equal(response.status, 200, `fetch machine failed: ${JSON.stringify(response.json)}`);
-  return response.json.machine;
-}
-
-async function listSessions({ token, signing }) {
-  const url = `${baseUrl}/v1/sessions`;
-  const response = await requestJson(url, {
-    method: 'GET',
-    headers: buildSignedHeaders({
-      token,
-      signing,
-      method: 'GET',
-      url,
-      body: null,
-    }),
-  });
-
-  assert.equal(response.status, 200, `list sessions failed: ${JSON.stringify(response.json)}`);
-  return response.json.sessions || [];
-}
-
-async function fetchMessages({ token, signing, sessionId }) {
-  const url = `${baseUrl}/v1/sessions/${sessionId}/messages`;
-  const response = await requestJson(url, {
-    method: 'GET',
-    headers: buildSignedHeaders({
-      token,
-      signing,
-      method: 'GET',
-      url,
-      body: null,
-    }),
-  });
-
-  assert.equal(response.status, 200, `fetch messages failed: ${JSON.stringify(response.json)}`);
-  return response.json.messages || [];
-}
-
-async function fetchSessionRecord({ token, signing, secret, sessionId }) {
-  const sessions = await listSessions({
-    token,
-    signing,
-  });
-
-  const match = sessions.find((candidate) => candidate.id === sessionId);
-  if (!match) {
-    return null;
-  }
-
-  return decryptSessionRecord(match, secret);
-}
-
-function decryptSessionRecord(record, secret) {
-  return {
-    ...record,
-    metadataDecoded: record.metadata ? decryptLegacy(decodeBase64(record.metadata), secret) : null,
-    agentStateDecoded: record.agentState ? decryptLegacy(decodeBase64(record.agentState), secret) : null,
-  };
-}
-
-function decodePersistedMessageContent(content, secret) {
-  const encoded = typeof content === 'string'
-    ? content
-    : (content && typeof content === 'object' && typeof content.c === 'string' ? content.c : null);
-
-  if (!encoded) {
-    return null;
-  }
-
-  return decryptLegacy(decodeBase64(encoded), secret);
-}
-
-async function stopDaemon(cliEnv) {
-  spawnSync(process.execPath, [cliBin, 'daemon', 'stop'], {
-    cwd: packageRoot,
-    env: cliEnv,
-    stdio: 'ignore',
-    timeout: 5_000,
-  });
-}
-
-async function sendUserMessageWithAck({ client, sessionId, secret, text, localId, timeoutMs = 10_000 }) {
-  const socket = client?.socket;
-  if (!socket?.connected) {
-    throw new Error('Sender socket is not connected');
-  }
-
-  const encrypted = encodeBase64(encryptLegacy({
-    role: 'user',
-    content: {
-      type: 'text',
-      text,
-    },
-    localKey: localId,
-    meta: {
-      sentFrom: 'cli',
-    },
-  }, secret));
-
-  const ack = await Promise.race([
-    socket.emitWithAck('message', {
-      sid: sessionId,
-      message: encrypted,
-      localId,
-    }),
-    delay(timeoutMs).then(() => {
-      throw new Error('Timed out waiting for sender ack');
-    }),
-  ]);
-
-  assert.equal(ack?.ok, true, `sender ack failed: ${JSON.stringify(ack)}`);
-  assert.equal(ack?.sessionId, sessionId, `sender ack session mismatch: ${JSON.stringify(ack)}`);
-  assert.equal(ack?.status, 'accepted', `sender ack status unexpected: ${JSON.stringify(ack)}`);
-  return ack;
-}
-
-async function main() {
-  const tempRoot = mkdtempSync(join(tmpdir(), 'happy-cli-local-e2e-'));
-  const cliHomeDir = join(tempRoot, '.happy-cloud-e2e');
-  const fakeAcpLogPath = join(tempRoot, 'fake-codex-acp.log');
-  const daemonPort = await resolveDaemonPort();
-  const machineId = randomUUID();
-  const secret = new Uint8Array(randomBytes(32));
-  const userPrompt = `Please reply with ${fakeAcpReply} only.`;
-  const userLocalId = `e2e-user-${randomUUID()}`;
-
-  let server = null;
-  let serverOwnedByScript = false;
-  let cli = null;
-  let observerClient = null;
-  let senderClient = null;
-  let cliStdout = '';
-  let cliStderr = '';
-  let serverStdout = '';
-  let serverStderr = '';
-
-  const cliEnv = {
-    ...process.env,
-    HAPPY_SERVER_URL: baseUrl,
-    HAPPY_CLOUD_SERVER_URL: baseUrl,
-    HAPPY_HOME_DIR: cliHomeDir,
-    HAPPY_CLOUD_HOME_DIR: cliHomeDir,
-    HAPPY_CLOUD_DAEMON_PORT: daemonPort,
-    HAPPY_CODEX_ACP_COMMAND: process.execPath,
-    HAPPY_DISABLE_CAFFEINATE: 'true',
-    HAPPY_E2E_FAKE_ACP_RESPONSE: fakeAcpReply,
-    HAPPY_E2E_FAKE_ACP_LOG: fakeAcpLogPath,
-    NO_COLOR: '1',
-  };
-
-  try {
-    if (await isServerHealthy(baseUrl)) {
-      serverOwnedByScript = false;
-    } else {
-      if (skipServerBoot) {
-        throw new Error(`Local server is not reachable at ${baseUrl}, and boot was skipped.`);
-      }
-
-      serverOwnedByScript = true;
-      server = spawn(process.execPath, [
-        resolveTsxCli(),
-        '--env-file=.env',
-        '--env-file=.env.dev',
-        './sources/main.ts',
-      ], {
-        cwd: serverRoot,
-        env: buildServerEnv(),
-        stdio: ['ignore', 'pipe', 'pipe'],
-      });
-
-      server.stdout?.on('data', (chunk) => {
-        serverStdout += chunk.toString();
-      });
-      server.stderr?.on('data', (chunk) => {
-        serverStderr += chunk.toString();
-      });
-    }
-
-    await waitForServer(baseUrl);
-
-    const auth = await authenticateWithKey(secret);
-    writeCliState({
-      homeDir: cliHomeDir,
-      token: auth.token,
-      signing: auth.signing,
-      secret,
-      machineId,
-    });
-
-    cli = spawn(process.execPath, [
-      cliBin,
-      'codex',
-      fakeAcpAgentPath,
-      '--happy-starting-mode',
-      'remote',
-      '--started-by',
-      'daemon',
-    ], {
-      cwd: demoProjectDir,
-      env: cliEnv,
-      stdio: ['ignore', 'pipe', 'pipe'],
-    });
-
-    cli.stdout?.on('data', (chunk) => {
-      cliStdout += chunk.toString();
-    });
-    cli.stderr?.on('data', (chunk) => {
-      cliStderr += chunk.toString();
-    });
-
-    const daemonState = await waitForCondition(
-      async () => {
-        const statePath = join(cliHomeDir, 'daemon.state.json');
-        if (!existsSync(statePath)) {
-          return null;
-        }
-
-        try {
-          return JSON.parse(readFileSync(statePath, 'utf8'));
-        } catch {
-          return null;
-        }
-      },
-      {
-        timeoutMs: 20_000,
-        description: 'daemon state file',
-      },
-    );
-
-    const machine = await waitForCondition(
-      async () => {
-        const result = await fetchMachine({
-          token: auth.token,
-          signing: auth.signing,
-          machineId,
-        });
-        if (!result) {
-          return null;
-        }
-
-        const metadata = result.metadata ? decryptLegacy(decodeBase64(result.metadata), secret) : null;
-        return {
-          ...result,
-          metadataDecoded: metadata,
-        };
-      },
-      {
-        timeoutMs: 20_000,
-        description: 'machine registration',
-      },
-    );
-
-    let session = await waitForCondition(
-      async () => {
-        const sessions = await listSessions({
-          token: auth.token,
-          signing: auth.signing,
-        });
-
-        for (const rawSession of sessions) {
-          const decodedSession = decryptSessionRecord(rawSession, secret);
-          if (
-            decodedSession.metadataDecoded?.path === demoProjectDir &&
-            decodedSession.metadataDecoded?.machineId === machineId
-          ) {
-            return decodedSession;
-          }
-        }
-
-        return null;
-      },
-      {
-        timeoutMs: 20_000,
-        description: 'CLI session registration',
-      },
-    );
-
-    session = await waitForCondition(
-      async () => {
-        const latest = await fetchSessionRecord({
-          token: auth.token,
-          signing: auth.signing,
-          secret,
-          sessionId: session.id,
-        });
-
-        if (!latest) {
-          return null;
-        }
-
-        if (latest.agentStateDecoded?.controlledByUser === false) {
-          return latest;
-        }
-
-        return null;
-      },
-      {
-        timeoutMs: 20_000,
-        description: 'CLI session ready state',
-      },
-    );
-
-    process.env.HAPPY_SERVER_URL = baseUrl;
-    process.env.HAPPY_CLOUD_SERVER_URL = baseUrl;
-    process.env.HAPPY_HOME_DIR = cliHomeDir;
-    process.env.HAPPY_CLOUD_HOME_DIR = cliHomeDir;
-
-    const { ApiSessionClient } = await import(pathToFileURL(resolve(packageRoot, 'dist', 'lib.mjs')).href);
-    const sessionDescriptor = {
-      id: session.id,
-      seq: session.seq,
-      metadata: session.metadataDecoded,
-      metadataVersion: session.metadataVersion,
-      agentState: session.agentStateDecoded,
-      agentStateVersion: session.agentStateVersion,
-      encryptionKey: secret,
-      encryptionVariant: 'legacy',
-    };
-    const credentialsDescriptor = {
-      token: auth.token,
-      signing: auth.signing,
-      encryption: {
-        type: 'legacy',
-        secret,
-      },
-    };
-
-    observerClient = new ApiSessionClient(credentialsDescriptor, sessionDescriptor);
-    senderClient = new ApiSessionClient(credentialsDescriptor, sessionDescriptor);
-
-    await waitForSocketConnect(observerClient.socket);
-    await waitForSocketConnect(senderClient.socket);
-
-    const senderAck = await sendUserMessageWithAck({
-      client: senderClient,
-      sessionId: session.id,
-      secret,
-      text: userPrompt,
-      localId: userLocalId,
-    });
-
-    const agentReplyPromise = waitForClientMessage({
-      client: observerClient,
-      predicate: (body) =>
-        body?.role === 'agent'
-        && body?.content?.type === 'codex'
-        && body?.content?.data?.type === 'message'
-        && typeof body?.content?.data?.message === 'string'
-        && body.content.data.message.includes(fakeAcpReply),
-      timeoutMs: 20_000,
-    });
-
-    let agentReply;
-    try {
-      agentReply = await agentReplyPromise;
-    } catch (error) {
-      const persistedMessagesOnFailure = await fetchMessages({
-        token: auth.token,
-        signing: auth.signing,
-        sessionId: session.id,
-      }).catch(() => []);
-      const decodedMessagesOnFailure = persistedMessagesOnFailure.map((message) => ({
-        id: message.id,
-        seq: message.seq,
-        decodedContent: decodePersistedMessageContent(message.content, secret),
-      }));
-      const fakeAcpLog = existsSync(fakeAcpLogPath) ? readFileSync(fakeAcpLogPath, 'utf8') : null;
-      throw new Error([
-        error instanceof Error ? error.message : String(error),
-        `senderAck=${JSON.stringify(senderAck)}`,
-        `decodedMessages=${JSON.stringify(decodedMessagesOnFailure, null, 2)}`,
-        `fakeAcpLog=${JSON.stringify(fakeAcpLog)}`,
-      ].join('\n'));
-    }
-
-    await delay(500);
-
-    const persistedMessages = await fetchMessages({
-      token: auth.token,
-      signing: auth.signing,
-      sessionId: session.id,
-    });
-
-    const decodedMessages = persistedMessages.map((message) => ({
-      ...message,
-      decodedContent: decodePersistedMessageContent(message.content, secret),
-    }));
-
-    const persistedUserMessage = decodedMessages.find(
-      (message) =>
-        message.decodedContent?.role === 'user'
-        && message.decodedContent?.content?.type === 'text'
-        && message.decodedContent?.content?.text === userPrompt,
-    );
-    const persistedAgentMessage = decodedMessages.find(
-      (message) =>
-        message.decodedContent?.role === 'agent'
-        && message.decodedContent?.content?.type === 'codex'
-        && message.decodedContent?.content?.data?.type === 'message'
-        && typeof message.decodedContent?.content?.data?.message === 'string'
-        && message.decodedContent.content.data.message.includes(fakeAcpReply),
-    );
-
-    assert.ok(persistedUserMessage, 'persisted user message not found');
-    assert.ok(persistedAgentMessage, 'persisted agent message not found');
-
-    console.log(JSON.stringify({
-      ok: true,
-      baseUrl,
-      demoProjectDir,
-      machineId,
-      daemonPort,
-      daemonPid: daemonState.pid,
-      sessionId: session.id,
-      verified: [
-        'local_server_ready',
-        'legacy_key_auth_bootstrap',
-        'daemon_state_written',
-        'machine_registered',
-        'demo_cli_session_registered',
-        'cli_session_ready_state_observed',
-        'session_scoped_socket_connected',
-        'user_message_sender_acknowledged',
-        'user_message_sent_via_api_client',
-        'codex_agent_reply_received',
-        'user_message_persisted',
-        'agent_message_persisted',
-      ],
-      agentReply: agentReply?.content?.data?.message ?? null,
-      persistedMessageCount: decodedMessages.length,
-      machineMetadata: machine.metadataDecoded,
-      sessionMetadata: session.metadataDecoded,
-    }, null, 2));
-  } finally {
-    await observerClient?.close?.().catch(() => {});
-    await senderClient?.close?.().catch(() => {});
-
-    await stopDaemon(cliEnv).catch(() => {});
-    await stopChildProcess(cli).catch(() => {});
-
-    if (serverOwnedByScript) {
-      await stopChildProcess(server).catch(() => {});
-    }
-
-    const shouldKeepArtifacts = process.env.DEBUG === '1' || process.env.HAPPY_CLI_E2E_KEEP_ARTIFACTS === 'true';
-    if (!shouldKeepArtifacts) {
-      try {
-        rmSync(tempRoot, { recursive: true, force: true });
-      } catch {
-        // Ignore cleanup errors.
-      }
-    }
-
-    if (process.env.DEBUG && cliStdout.trim()) {
-      process.stdout.write(cliStdout);
-    }
-    if (process.env.DEBUG && cliStderr.trim()) {
-      process.stderr.write(cliStderr);
-    }
-    if (process.env.DEBUG && serverStdout.trim()) {
-      process.stdout.write(serverStdout);
-    }
-    if (process.env.DEBUG && serverStderr.trim()) {
-      process.stderr.write(serverStderr);
-    }
-    if (process.env.DEBUG && existsSync(fakeAcpLogPath)) {
-      process.stdout.write(readFileSync(fakeAcpLogPath, 'utf8'));
-    }
-    if (shouldKeepArtifacts) {
-      process.stderr.write(`[e2e] artifacts kept at ${tempRoot}\n`);
-    }
-  }
-}
-
-main().catch((error) => {
-  console.error(error instanceof Error ? error.stack || error.message : String(error));
-  process.exitCode = 1;
-});
+#!/usr/bin/env node
+
+import assert from 'node:assert/strict';
+import { spawn, spawnSync } from 'node:child_process';
+import {
+  createHash,
+  createHmac,
+  hkdfSync,
+  randomBytes,
+  randomUUID,
+} from 'node:crypto';
+import {
+  existsSync,
+  mkdirSync,
+  mkdtempSync,
+  readFileSync,
+  rmSync,
+  writeFileSync,
+} from 'node:fs';
+import { createServer } from 'node:net';
+import { setTimeout as delay } from 'node:timers/promises';
+import { dirname, join, resolve } from 'node:path';
+import { tmpdir } from 'node:os';
+import { fileURLToPath, pathToFileURL } from 'node:url';
+
+import { io } from 'socket.io-client';
+import tweetnacl from 'tweetnacl';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const packageRoot = resolve(__dirname, '..', '..');
+const workspaceRoot = resolve(packageRoot, '..', '..');
+const serverRoot = resolve(workspaceRoot, 'packages', 'happy-server');
+const cliBin = resolve(packageRoot, 'bin', 'happy-cloud.mjs');
+const demoProjectDir = resolve(packageRoot, 'demo-project');
+const fakeAcpAgentPath = resolve(packageRoot, 'scripts', 'e2e', 'fake-codex-acp-agent.mjs');
+const cliVersion = JSON.parse(readFileSync(resolve(packageRoot, 'package.json'), 'utf8')).version;
+
+const serverPort = process.env.HAPPY_CLI_E2E_SERVER_PORT || process.env.HAPPY_SERVER_TEST_PORT || '3005';
+const baseUrl = process.env.HAPPY_CLI_E2E_SERVER_URL || process.env.HAPPY_SERVER_BASE_URL || `http://127.0.0.1:${serverPort}`;
+const configuredDaemonPort = process.env.HAPPY_CLI_E2E_DAEMON_PORT || process.env.HAPPY_CLOUD_DAEMON_PORT || '';
+const fakeAcpReply = process.env.HAPPY_E2E_FAKE_ACP_RESPONSE || 'LOCAL_E2E_ACK';
+const skipServerBoot = process.env.HAPPY_CLI_E2E_SKIP_SERVER_BOOT === 'true' || process.env.HAPPY_SERVER_LIVE_SKIP_BOOT === 'true';
+
+function encodeBase64(data) {
+  return Buffer.from(data).toString('base64');
+}
+
+function decodeBase64(data) {
+  return new Uint8Array(Buffer.from(data, 'base64'));
+}
+
+function normalizePlatform(platform) {
+  switch (platform) {
+    case 'win32':
+      return 'windows';
+    case 'darwin':
+      return 'macos';
+    default:
+      return platform;
+  }
+}
+
+function buildClientHeaders(version = cliVersion) {
+  return {
+    'X-Client-Name': 'happy-cli',
+    'X-Client-Version': version,
+    'X-Platform': normalizePlatform(process.platform),
+  };
+}
+
+function canonicalizeQuery(url) {
+  const entries = [...url.searchParams.entries()].sort(([aKey, aValue], [bKey, bValue]) => {
+    if (aKey === bKey) {
+      return aValue.localeCompare(bValue);
+    }
+    return aKey.localeCompare(bKey);
+  });
+  return entries.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`).join('&');
+}
+
+function hashBody(body) {
+  if (body == null) {
+    return createHash('sha256').update('').digest('hex');
+  }
+
+  const serialized = typeof body === 'string' ? body : JSON.stringify(body);
+  return createHash('sha256').update(serialized).digest('hex');
+}
+
+function deriveSigningSecret(signing) {
+  return Buffer.from(
+    hkdfSync(
+      'sha256',
+      Buffer.from(signing.seed, 'base64'),
+      Buffer.alloc(0),
+      Buffer.from('request-sign-v1'),
+      32,
+    ),
+  );
+}
+
+function signCanonical(signing, canonical) {
+  return createHmac('sha256', deriveSigningSecret(signing)).update(canonical).digest('base64');
+}
+
+function buildHttpCanonicalString({ method, url, timestamp, nonce, bodySha256 }) {
+  const parsed = new URL(url);
+  return [
+    method.toUpperCase(),
+    parsed.pathname,
+    canonicalizeQuery(parsed),
+    timestamp,
+    nonce,
+    bodySha256,
+  ].join('\n');
+}
+
+function buildWebSocketCanonicalString({ clientType, sessionId, machineId, timestamp, nonce }) {
+  const params = new URLSearchParams();
+  params.set('clientType', clientType);
+  if (sessionId) {
+    params.set('sessionId', sessionId);
+  }
+  if (machineId) {
+    params.set('machineId', machineId);
+  }
+
+  const url = new URL('https://unused.local/v1/updates');
+  url.search = params.toString();
+
+  return [
+    'WS_CONNECT',
+    '/v1/updates',
+    canonicalizeQuery(url),
+    timestamp,
+    nonce,
+  ].join('\n');
+}
+
+function buildSignedHeaders({ token, signing, method, url, body }) {
+  const timestamp = String(Date.now());
+  const nonce = randomUUID();
+  const bodySha256 = hashBody(body);
+  const canonical = buildHttpCanonicalString({
+    method,
+    url,
+    timestamp,
+    nonce,
+    bodySha256,
+  });
+
+  return {
+    ...buildClientHeaders(),
+    Authorization: `Bearer ${token}`,
+    ...(body != null ? { 'Content-Type': 'application/json' } : {}),
+    'X-Sign-Version': String(signing.version),
+    'X-Key-Id': signing.keyId,
+    'X-Timestamp': timestamp,
+    'X-Nonce': nonce,
+    'X-Body-SHA256': bodySha256,
+    'X-Signature': signCanonical(signing, canonical),
+  };
+}
+
+function buildSocketAuth({ token, signing, clientType, sessionId, machineId }) {
+  const auth = {
+    token,
+    clientType,
+    clientName: 'happy-cli',
+    clientVersion: cliVersion,
+    ...(sessionId ? { sessionId } : {}),
+    ...(machineId ? { machineId } : {}),
+  };
+
+  if (!signing) {
+    return auth;
+  }
+
+  const timestamp = String(Date.now());
+  const nonce = randomUUID();
+  const canonical = buildWebSocketCanonicalString({
+    clientType,
+    sessionId,
+    machineId,
+    timestamp,
+    nonce,
+  });
+
+  return {
+    ...auth,
+    signVersion: signing.version,
+    timestamp,
+    nonce,
+    signature: signCanonical(signing, canonical),
+  };
+}
+
+function authChallenge(secret) {
+  const keypair = tweetnacl.sign.keyPair.fromSeed(secret);
+  const challenge = new Uint8Array(randomBytes(32));
+  const signature = tweetnacl.sign.detached(challenge, keypair.secretKey);
+
+  return {
+    challenge,
+    publicKey: keypair.publicKey,
+    signature,
+  };
+}
+
+function encryptLegacy(data, secret) {
+  const nonce = new Uint8Array(randomBytes(tweetnacl.secretbox.nonceLength));
+  const encrypted = tweetnacl.secretbox(
+    new TextEncoder().encode(JSON.stringify(data)),
+    nonce,
+    secret,
+  );
+  const result = new Uint8Array(nonce.length + encrypted.length);
+  result.set(nonce, 0);
+  result.set(encrypted, nonce.length);
+  return result;
+}
+
+function decryptLegacy(data, secret) {
+  const nonce = data.slice(0, tweetnacl.secretbox.nonceLength);
+  const encrypted = data.slice(tweetnacl.secretbox.nonceLength);
+  const decrypted = tweetnacl.secretbox.open(encrypted, nonce, secret);
+  if (!decrypted) {
+    return null;
+  }
+  return JSON.parse(new TextDecoder().decode(decrypted));
+}
+
+async function requestJson(url, init = {}) {
+  const response = await fetch(url, init);
+  const text = await response.text();
+
+  let json = null;
+  try {
+    json = text ? JSON.parse(text) : null;
+  } catch {
+    json = { raw: text };
+  }
+
+  return {
+    status: response.status,
+    ok: response.ok,
+    json,
+  };
+}
+
+async function isServerHealthy(url) {
+  try {
+    const response = await fetch(`${url}/`);
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+
+async function waitForServer(url, timeoutMs = 30_000) {
+  const startedAt = Date.now();
+  while (Date.now() - startedAt < timeoutMs) {
+    if (await isServerHealthy(url)) {
+      return;
+    }
+    await delay(1_000);
+  }
+  throw new Error(`Server did not become ready within ${timeoutMs}ms`);
+}
+
+async function waitForCondition(fn, { timeoutMs = 15_000, intervalMs = 250, description = 'condition' } = {}) {
+  const startedAt = Date.now();
+  while (Date.now() - startedAt < timeoutMs) {
+    const result = await fn();
+    if (result) {
+      return result;
+    }
+    await delay(intervalMs);
+  }
+  throw new Error(`Timed out waiting for ${description} after ${timeoutMs}ms`);
+}
+
+async function resolveDaemonPort() {
+  if (configuredDaemonPort) {
+    return configuredDaemonPort;
+  }
+
+  const server = createServer();
+  try {
+    await new Promise((resolve, reject) => {
+      server.once('error', reject);
+      server.listen(0, '127.0.0.1', resolve);
+    });
+
+    const address = server.address();
+    if (!address || typeof address === 'string') {
+      throw new Error('Failed to resolve an available daemon port');
+    }
+
+    return String(address.port);
+  } finally {
+    await new Promise((resolve) => {
+      server.close(() => resolve());
+    }).catch(() => {});
+  }
+}
+
+function resolveTsxCli() {
+  const candidates = [
+    resolve(packageRoot, 'node_modules', 'tsx', 'dist', 'cli.mjs'),
+    resolve(workspaceRoot, 'node_modules', 'tsx', 'dist', 'cli.mjs'),
+  ];
+
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) {
+      return candidate;
+    }
+  }
+
+  throw new Error('Could not resolve tsx CLI. Run yarn install first.');
+}
+
+function buildServerEnv() {
+  return {
+    ...process.env,
+    DATABASE_URL: process.env.DATABASE_URL || 'postgresql://postgres:postgres@localhost:5432/handy',
+    TEST_USERS: process.env.TEST_USERS || 'apple:apple123',
+    NODE_ENV: 'development',
+    PORT: serverPort,
+    ALLOW_LEGACY_UNSIGNED_REQUESTS: 'true',
+    REQUEST_SIGN_ENFORCE_MIN_APP_VERSION: '1.8.0',
+    LEGACY_SIGN_SUNSET_AT: '2026-12-31T00:00:00Z',
+  };
+}
+
+function writeCliState({ homeDir, token, signing, secret, machineId }) {
+  mkdirSync(homeDir, { recursive: true });
+
+  writeFileSync(
+    join(homeDir, 'access.key'),
+    JSON.stringify(
+      {
+        secret: encodeBase64(secret),
+        token,
+        signing,
+      },
+      null,
+      2,
+    ),
+    'utf8',
+  );
+
+  writeFileSync(
+    join(homeDir, 'settings.json'),
+    JSON.stringify(
+      {
+        schemaVersion: 2,
+        onboardingCompleted: true,
+        machineId,
+        machineIdConfirmedByServer: false,
+        profiles: [],
+        localEnvironmentVariables: {},
+      },
+      null,
+      2,
+    ),
+    'utf8',
+  );
+}
+
+async function waitForSocketConnect(socket, timeoutMs = 10_000) {
+  if (socket?.connected) {
+    return;
+  }
+
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      cleanup();
+      reject(new Error('Timed out waiting for socket connect'));
+    }, timeoutMs);
+
+    const cleanup = () => {
+      clearTimeout(timer);
+      socket.off('connect', onConnect);
+      socket.off('connect_error', onError);
+    };
+
+    const onConnect = () => {
+      cleanup();
+      resolve();
+    };
+
+    const onError = (error) => {
+      cleanup();
+      reject(error instanceof Error ? error : new Error(String(error)));
+    };
+
+    socket.on('connect', onConnect);
+    socket.on('connect_error', onError);
+  });
+}
+
+async function waitForObserverMessage({ socket, secret, predicate, timeoutMs = 15_000 }) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      cleanup();
+      reject(new Error('Timed out waiting for observer update'));
+    }, timeoutMs);
+
+    const cleanup = () => {
+      clearTimeout(timer);
+      socket.off('update', onUpdate);
+      socket.off('connect_error', onError);
+    };
+
+    const onError = (error) => {
+      cleanup();
+      reject(error instanceof Error ? error : new Error(String(error)));
+    };
+
+    const onUpdate = (update) => {
+      try {
+        if (!update?.body || update.body.t !== 'new-message') {
+          return;
+        }
+        const encrypted = update.body?.message?.content;
+        if (!encrypted || encrypted.t !== 'encrypted' || typeof encrypted.c !== 'string') {
+          return;
+        }
+
+        const body = decryptLegacy(decodeBase64(encrypted.c), secret);
+        if (!body) {
+          return;
+        }
+
+        if (predicate(body, update)) {
+          cleanup();
+          resolve({ body, update });
+        }
+      } catch (error) {
+        cleanup();
+        reject(error);
+      }
+    };
+
+    socket.on('update', onUpdate);
+    socket.on('connect_error', onError);
+  });
+}
+
+async function waitForClientMessage({ client, predicate, timeoutMs = 15_000 }) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => {
+      cleanup();
+      reject(new Error('Timed out waiting for client message'));
+    }, timeoutMs);
+
+    const cleanup = () => {
+      clearTimeout(timer);
+      client.off('message', onMessage);
+    };
+
+    const onMessage = (body) => {
+      try {
+        if (predicate(body)) {
+          cleanup();
+          resolve(body);
+        }
+      } catch (error) {
+        cleanup();
+        reject(error);
+      }
+    };
+
+    client.on('message', onMessage);
+  });
+}
+
+async function waitForChildExit(child, timeoutMs = 5_000) {
+  if (!child || child.exitCode !== null) {
+    return true;
+  }
+
+  return await new Promise((resolve) => {
+    const timer = setTimeout(() => {
+      cleanup();
+      resolve(child.exitCode !== null);
+    }, timeoutMs);
+
+    const cleanup = () => {
+      clearTimeout(timer);
+      child.off('exit', onExit);
+      child.off('error', onError);
+    };
+
+    const onExit = () => {
+      cleanup();
+      resolve(true);
+    };
+
+    const onError = () => {
+      cleanup();
+      resolve(child.exitCode !== null);
+    };
+
+    child.once('exit', onExit);
+    child.once('error', onError);
+  });
+}
+
+async function killProcessTree(child) {
+  if (!child?.pid) {
+    return;
+  }
+
+  if (process.platform === 'win32') {
+    await new Promise((resolve) => {
+      const killer = spawn('taskkill', ['/PID', String(child.pid), '/T', '/F'], { stdio: 'ignore' });
+      killer.once('exit', resolve);
+      killer.once('error', resolve);
+    });
+    return;
+  }
+
+  try {
+    process.kill(child.pid, 'SIGKILL');
+  } catch {
+    // Ignore if already exited.
+  }
+}
+
+async function stopChildProcess(child) {
+  if (!child) {
+    return;
+  }
+
+  child.kill('SIGTERM');
+  const exited = await waitForChildExit(child, 2_000);
+  if (!exited) {
+    await killProcessTree(child);
+    await waitForChildExit(child, 2_000);
+  }
+}
+
+async function authenticateWithKey(secret) {
+  const { challenge, publicKey, signature } = authChallenge(secret);
+  const response = await requestJson(`${baseUrl}/v1/auth`, {
+    method: 'POST',
+    headers: {
+      ...buildClientHeaders(),
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify({
+      challenge: encodeBase64(challenge),
+      publicKey: encodeBase64(publicKey),
+      signature: encodeBase64(signature),
+    }),
+  });
+
+  assert.equal(response.status, 200, `auth failed: ${JSON.stringify(response.json)}`);
+  assert.equal(response.json?.success, true, `auth response invalid: ${JSON.stringify(response.json)}`);
+
+  return {
+    token: response.json.token,
+    signing: response.json.signing,
+  };
+}
+
+async function fetchMachine({ token, signing, machineId }) {
+  const url = `${baseUrl}/v1/machines/${machineId}`;
+  const response = await requestJson(url, {
+    method: 'GET',
+    headers: buildSignedHeaders({
+      token,
+      signing,
+      method: 'GET',
+      url,
+      body: null,
+    }),
+  });
+
+  if (response.status === 404) {
+    return null;
+  }
+
+  assert.equal(response.status, 200, `fetch machine failed: ${JSON.stringify(response.json)}`);
+  return response.json.machine;
+}
+
+async function listSessions({ token, signing }) {
+  const url = `${baseUrl}/v1/sessions`;
+  const response = await requestJson(url, {
+    method: 'GET',
+    headers: buildSignedHeaders({
+      token,
+      signing,
+      method: 'GET',
+      url,
+      body: null,
+    }),
+  });
+
+  assert.equal(response.status, 200, `list sessions failed: ${JSON.stringify(response.json)}`);
+  return response.json.sessions || [];
+}
+
+async function fetchMessages({ token, signing, sessionId }) {
+  const url = `${baseUrl}/v1/sessions/${sessionId}/messages`;
+  const response = await requestJson(url, {
+    method: 'GET',
+    headers: buildSignedHeaders({
+      token,
+      signing,
+      method: 'GET',
+      url,
+      body: null,
+    }),
+  });
+
+  assert.equal(response.status, 200, `fetch messages failed: ${JSON.stringify(response.json)}`);
+  return response.json.messages || [];
+}
+
+async function fetchSessionRecord({ token, signing, secret, sessionId }) {
+  const sessions = await listSessions({
+    token,
+    signing,
+  });
+
+  const match = sessions.find((candidate) => candidate.id === sessionId);
+  if (!match) {
+    return null;
+  }
+
+  return decryptSessionRecord(match, secret);
+}
+
+function decryptSessionRecord(record, secret) {
+  return {
+    ...record,
+    metadataDecoded: record.metadata ? decryptLegacy(decodeBase64(record.metadata), secret) : null,
+    agentStateDecoded: record.agentState ? decryptLegacy(decodeBase64(record.agentState), secret) : null,
+  };
+}
+
+function decodePersistedMessageContent(content, secret) {
+  const encoded = typeof content === 'string'
+    ? content
+    : (content && typeof content === 'object' && typeof content.c === 'string' ? content.c : null);
+
+  if (!encoded) {
+    return null;
+  }
+
+  return decryptLegacy(decodeBase64(encoded), secret);
+}
+
+async function stopDaemon(cliEnv) {
+  spawnSync(process.execPath, [cliBin, 'daemon', 'stop'], {
+    cwd: packageRoot,
+    env: cliEnv,
+    stdio: 'ignore',
+    timeout: 5_000,
+  });
+}
+
+async function sendUserMessageWithAck({ client, sessionId, secret, text, localId, timeoutMs = 10_000 }) {
+  const socket = client?.socket;
+  if (!socket?.connected) {
+    throw new Error('Sender socket is not connected');
+  }
+
+  const encrypted = encodeBase64(encryptLegacy({
+    role: 'user',
+    content: {
+      type: 'text',
+      text,
+    },
+    localKey: localId,
+    meta: {
+      sentFrom: 'cli',
+    },
+  }, secret));
+
+  const ack = await Promise.race([
+    socket.emitWithAck('message', {
+      sid: sessionId,
+      message: encrypted,
+      localId,
+    }),
+    delay(timeoutMs).then(() => {
+      throw new Error('Timed out waiting for sender ack');
+    }),
+  ]);
+
+  assert.equal(ack?.ok, true, `sender ack failed: ${JSON.stringify(ack)}`);
+  assert.equal(ack?.sessionId, sessionId, `sender ack session mismatch: ${JSON.stringify(ack)}`);
+  assert.equal(ack?.status, 'accepted', `sender ack status unexpected: ${JSON.stringify(ack)}`);
+  return ack;
+}
+
+async function main() {
+  const tempRoot = mkdtempSync(join(tmpdir(), 'happy-cli-local-e2e-'));
+  const cliHomeDir = join(tempRoot, '.happy-cloud-e2e');
+  const fakeAcpLogPath = join(tempRoot, 'fake-codex-acp.log');
+  const daemonPort = await resolveDaemonPort();
+  const machineId = randomUUID();
+  const secret = new Uint8Array(randomBytes(32));
+  const userPrompt = `Please reply with ${fakeAcpReply} only.`;
+  const userLocalId = `e2e-user-${randomUUID()}`;
+
+  let server = null;
+  let serverOwnedByScript = false;
+  let cli = null;
+  let observerClient = null;
+  let senderClient = null;
+  let cliStdout = '';
+  let cliStderr = '';
+  let serverStdout = '';
+  let serverStderr = '';
+
+  const cliEnv = {
+    ...process.env,
+    HAPPY_SERVER_URL: baseUrl,
+    HAPPY_CLOUD_SERVER_URL: baseUrl,
+    HAPPY_HOME_DIR: cliHomeDir,
+    HAPPY_CLOUD_HOME_DIR: cliHomeDir,
+    HAPPY_CLOUD_DAEMON_PORT: daemonPort,
+    HAPPY_CODEX_ACP_COMMAND: process.execPath,
+    HAPPY_DISABLE_CAFFEINATE: 'true',
+    HAPPY_E2E_FAKE_ACP_RESPONSE: fakeAcpReply,
+    HAPPY_E2E_FAKE_ACP_LOG: fakeAcpLogPath,
+    NO_COLOR: '1',
+  };
+
+  try {
+    if (await isServerHealthy(baseUrl)) {
+      serverOwnedByScript = false;
+    } else {
+      if (skipServerBoot) {
+        throw new Error(`Local server is not reachable at ${baseUrl}, and boot was skipped.`);
+      }
+
+      serverOwnedByScript = true;
+      server = spawn(process.execPath, [
+        resolveTsxCli(),
+        '--env-file=.env',
+        '--env-file=.env.dev',
+        './sources/main.ts',
+      ], {
+        cwd: serverRoot,
+        env: buildServerEnv(),
+        stdio: ['ignore', 'pipe', 'pipe'],
+      });
+
+      server.stdout?.on('data', (chunk) => {
+        serverStdout += chunk.toString();
+      });
+      server.stderr?.on('data', (chunk) => {
+        serverStderr += chunk.toString();
+      });
+    }
+
+    await waitForServer(baseUrl);
+
+    const auth = await authenticateWithKey(secret);
+    writeCliState({
+      homeDir: cliHomeDir,
+      token: auth.token,
+      signing: auth.signing,
+      secret,
+      machineId,
+    });
+
+    cli = spawn(process.execPath, [
+      cliBin,
+      'codex',
+      fakeAcpAgentPath,
+      '--happy-starting-mode',
+      'remote',
+      '--started-by',
+      'daemon',
+    ], {
+      cwd: demoProjectDir,
+      env: cliEnv,
+      stdio: ['ignore', 'pipe', 'pipe'],
+    });
+
+    cli.stdout?.on('data', (chunk) => {
+      cliStdout += chunk.toString();
+    });
+    cli.stderr?.on('data', (chunk) => {
+      cliStderr += chunk.toString();
+    });
+
+    const daemonState = await waitForCondition(
+      async () => {
+        const statePath = join(cliHomeDir, 'daemon.state.json');
+        if (!existsSync(statePath)) {
+          return null;
+        }
+
+        try {
+          return JSON.parse(readFileSync(statePath, 'utf8'));
+        } catch {
+          return null;
+        }
+      },
+      {
+        timeoutMs: 20_000,
+        description: 'daemon state file',
+      },
+    );
+
+    const machine = await waitForCondition(
+      async () => {
+        const result = await fetchMachine({
+          token: auth.token,
+          signing: auth.signing,
+          machineId,
+        });
+        if (!result) {
+          return null;
+        }
+
+        const metadata = result.metadata ? decryptLegacy(decodeBase64(result.metadata), secret) : null;
+        return {
+          ...result,
+          metadataDecoded: metadata,
+        };
+      },
+      {
+        timeoutMs: 20_000,
+        description: 'machine registration',
+      },
+    );
+
+    let session = await waitForCondition(
+      async () => {
+        const sessions = await listSessions({
+          token: auth.token,
+          signing: auth.signing,
+        });
+
+        for (const rawSession of sessions) {
+          const decodedSession = decryptSessionRecord(rawSession, secret);
+          if (
+            decodedSession.metadataDecoded?.path === demoProjectDir &&
+            decodedSession.metadataDecoded?.machineId === machineId
+          ) {
+            return decodedSession;
+          }
+        }
+
+        return null;
+      },
+      {
+        timeoutMs: 20_000,
+        description: 'CLI session registration',
+      },
+    );
+
+    session = await waitForCondition(
+      async () => {
+        const latest = await fetchSessionRecord({
+          token: auth.token,
+          signing: auth.signing,
+          secret,
+          sessionId: session.id,
+        });
+
+        if (!latest) {
+          return null;
+        }
+
+        if (latest.agentStateDecoded?.controlledByUser === false) {
+          return latest;
+        }
+
+        return null;
+      },
+      {
+        timeoutMs: 20_000,
+        description: 'CLI session ready state',
+      },
+    );
+
+    process.env.HAPPY_SERVER_URL = baseUrl;
+    process.env.HAPPY_CLOUD_SERVER_URL = baseUrl;
+    process.env.HAPPY_HOME_DIR = cliHomeDir;
+    process.env.HAPPY_CLOUD_HOME_DIR = cliHomeDir;
+
+    const { ApiSessionClient } = await import(pathToFileURL(resolve(packageRoot, 'dist', 'lib.mjs')).href);
+    const sessionDescriptor = {
+      id: session.id,
+      seq: session.seq,
+      metadata: session.metadataDecoded,
+      metadataVersion: session.metadataVersion,
+      agentState: session.agentStateDecoded,
+      agentStateVersion: session.agentStateVersion,
+      encryptionKey: secret,
+      encryptionVariant: 'legacy',
+    };
+    const credentialsDescriptor = {
+      token: auth.token,
+      signing: auth.signing,
+      encryption: {
+        type: 'legacy',
+        secret,
+      },
+    };
+
+    observerClient = new ApiSessionClient(credentialsDescriptor, sessionDescriptor);
+    senderClient = new ApiSessionClient(credentialsDescriptor, sessionDescriptor);
+
+    await waitForSocketConnect(observerClient.socket);
+    await waitForSocketConnect(senderClient.socket);
+
+    const senderAck = await sendUserMessageWithAck({
+      client: senderClient,
+      sessionId: session.id,
+      secret,
+      text: userPrompt,
+      localId: userLocalId,
+    });
+
+    const agentReplyPromise = waitForClientMessage({
+      client: observerClient,
+      predicate: (body) =>
+        body?.role === 'agent'
+        && body?.content?.type === 'codex'
+        && body?.content?.data?.type === 'message'
+        && typeof body?.content?.data?.message === 'string'
+        && body.content.data.message.includes(fakeAcpReply),
+      timeoutMs: 20_000,
+    });
+
+    let agentReply;
+    try {
+      agentReply = await agentReplyPromise;
+    } catch (error) {
+      const persistedMessagesOnFailure = await fetchMessages({
+        token: auth.token,
+        signing: auth.signing,
+        sessionId: session.id,
+      }).catch(() => []);
+      const decodedMessagesOnFailure = persistedMessagesOnFailure.map((message) => ({
+        id: message.id,
+        seq: message.seq,
+        decodedContent: decodePersistedMessageContent(message.content, secret),
+      }));
+      const fakeAcpLog = existsSync(fakeAcpLogPath) ? readFileSync(fakeAcpLogPath, 'utf8') : null;
+      throw new Error([
+        error instanceof Error ? error.message : String(error),
+        `senderAck=${JSON.stringify(senderAck)}`,
+        `decodedMessages=${JSON.stringify(decodedMessagesOnFailure, null, 2)}`,
+        `fakeAcpLog=${JSON.stringify(fakeAcpLog)}`,
+      ].join('\n'));
+    }
+
+    await delay(500);
+
+    const persistedMessages = await fetchMessages({
+      token: auth.token,
+      signing: auth.signing,
+      sessionId: session.id,
+    });
+
+    const decodedMessages = persistedMessages.map((message) => ({
+      ...message,
+      decodedContent: decodePersistedMessageContent(message.content, secret),
+    }));
+
+    const persistedUserMessage = decodedMessages.find(
+      (message) =>
+        message.decodedContent?.role === 'user'
+        && message.decodedContent?.content?.type === 'text'
+        && message.decodedContent?.content?.text === userPrompt,
+    );
+    const persistedAgentMessage = decodedMessages.find(
+      (message) =>
+        message.decodedContent?.role === 'agent'
+        && message.decodedContent?.content?.type === 'codex'
+        && message.decodedContent?.content?.data?.type === 'message'
+        && typeof message.decodedContent?.content?.data?.message === 'string'
+        && message.decodedContent.content.data.message.includes(fakeAcpReply),
+    );
+
+    assert.ok(persistedUserMessage, 'persisted user message not found');
+    assert.ok(persistedAgentMessage, 'persisted agent message not found');
+
+    console.log(JSON.stringify({
+      ok: true,
+      baseUrl,
+      demoProjectDir,
+      machineId,
+      daemonPort,
+      daemonPid: daemonState.pid,
+      sessionId: session.id,
+      verified: [
+        'local_server_ready',
+        'legacy_key_auth_bootstrap',
+        'daemon_state_written',
+        'machine_registered',
+        'demo_cli_session_registered',
+        'cli_session_ready_state_observed',
+        'session_scoped_socket_connected',
+        'user_message_sender_acknowledged',
+        'user_message_sent_via_api_client',
+        'codex_agent_reply_received',
+        'user_message_persisted',
+        'agent_message_persisted',
+      ],
+      agentReply: agentReply?.content?.data?.message ?? null,
+      persistedMessageCount: decodedMessages.length,
+      machineMetadata: machine.metadataDecoded,
+      sessionMetadata: session.metadataDecoded,
+    }, null, 2));
+  } finally {
+    await observerClient?.close?.().catch(() => {});
+    await senderClient?.close?.().catch(() => {});
+
+    await stopDaemon(cliEnv).catch(() => {});
+    await stopChildProcess(cli).catch(() => {});
+
+    if (serverOwnedByScript) {
+      await stopChildProcess(server).catch(() => {});
+    }
+
+    const shouldKeepArtifacts = process.env.DEBUG === '1' || process.env.HAPPY_CLI_E2E_KEEP_ARTIFACTS === 'true';
+    if (!shouldKeepArtifacts) {
+      try {
+        rmSync(tempRoot, { recursive: true, force: true });
+      } catch {
+        // Ignore cleanup errors.
+      }
+    }
+
+    if (process.env.DEBUG && cliStdout.trim()) {
+      process.stdout.write(cliStdout);
+    }
+    if (process.env.DEBUG && cliStderr.trim()) {
+      process.stderr.write(cliStderr);
+    }
+    if (process.env.DEBUG && serverStdout.trim()) {
+      process.stdout.write(serverStdout);
+    }
+    if (process.env.DEBUG && serverStderr.trim()) {
+      process.stderr.write(serverStderr);
+    }
+    if (process.env.DEBUG && existsSync(fakeAcpLogPath)) {
+      process.stdout.write(readFileSync(fakeAcpLogPath, 'utf8'));
+    }
+    if (shouldKeepArtifacts) {
+      process.stderr.write(`[e2e] artifacts kept at ${tempRoot}\n`);
+    }
+  }
+}
+
+main().catch((error) => {
+  console.error(error instanceof Error ? error.stack || error.message : String(error));
+  process.exitCode = 1;
+});