pinggy 0.4.9 → 0.5.0

package/dist/chunk-FVLXFHBL.js

@@ -0,0 +1,2157 @@
+import {
+  IPCClient,
+  SessionMode
+} from "./chunk-BFARGPGP.js";
+import {
+  TunnelAlreadyRunningError,
+  TunnelManager,
+  errorMessage,
+  getLocalAddress,
+  getVersion,
+  isValidPort,
+  printer_default
+} from "./chunk-DLNUDW6G.js";
+import {
+  logger
+} from "./chunk-7G6SJEEA.js";
+import {
+  getDaemonInfoPath,
+  getDaemonLogPath
+} from "./chunk-GBYF2H4H.js";
+
+// src/types.ts
+var TunnelStateType = /* @__PURE__ */ ((TunnelStateType2) => {
+  TunnelStateType2["New"] = "idle";
+  TunnelStateType2["Starting"] = "starting";
+  TunnelStateType2["Running"] = "running";
+  TunnelStateType2["Live"] = "live";
+  TunnelStateType2["Closed"] = "closed";
+  TunnelStateType2["Exited"] = "exited";
+  return TunnelStateType2;
+})(TunnelStateType || {});
+var TunnelErrorCodeType = /* @__PURE__ */ ((TunnelErrorCodeType2) => {
+  TunnelErrorCodeType2["NonResponsive"] = "non_responsive";
+  TunnelErrorCodeType2["FailedToConnect"] = "failed_to_connect";
+  TunnelErrorCodeType2["ErrorInAdditionalForwarding"] = "additional_forwarding_error";
+  TunnelErrorCodeType2["WebdebuggerError"] = "webdebugger_error";
+  TunnelErrorCodeType2["NoError"] = "";
+  return TunnelErrorCodeType2;
+})(TunnelErrorCodeType || {});
+var TunnelWarningCode = /* @__PURE__ */ ((TunnelWarningCode2) => {
+  TunnelWarningCode2["InvalidTunnelServePath"] = "INVALID_TUNNEL_SERVE_PATH";
+  TunnelWarningCode2["UnknownWarning"] = "UNKNOWN_WARNING";
+  return TunnelWarningCode2;
+})(TunnelWarningCode || {});
+var ErrorCode = {
+  InvalidRequestMethodError: "INVALID_REQUEST_METHOD",
+  InvalidRequestBodyError: "COULD_NOT_READ_BODY",
+  InternalServerError: "INTERNAL_SERVER_ERROR",
+  InvalidBodyFormatError: "INVALID_DATA_FORMAT",
+  ErrorStartingTunnel: "ERROR_STARTING_TUNNEL",
+  TunnelNotFound: "TUNNEL_WITH_ID_OR_CONFIG_ID_NOT_FOUND",
+  TunnelAlreadyRunningError: "TUNNEL_WITH_ID_OR_CONFIG_ID_ALREADY_RUNNING",
+  WebsocketUpgradeFailError: "WEBSOCKET_UPGRADE_FAILED",
+  RemoteManagementAlreadyRunning: "REMOTE_MANAGEMENT_ALREADY_RUNNING",
+  RemoteManagementNotRunning: "REMOTE_MANAGEMENT_NOT_RUNNING",
+  RemoteManagementDeserializationFailed: "REMOTE_MANAGEMENT_DESERIALIZATION_FAILED"
+};
+function isErrorResponse(obj) {
+  return typeof obj === "object" && obj !== null && "code" in obj && "message" in obj && typeof obj.message === "string" && Object.values(ErrorCode).includes(obj.code);
+}
+function newErrorResponse(codeOrError, message) {
+  if (typeof codeOrError === "object") {
+    return codeOrError;
+  }
+  return {
+    code: codeOrError,
+    message
+  };
+}
+function NewResponseObject(data) {
+  const encoder = new TextEncoder();
+  const bytes = encoder.encode(JSON.stringify(data));
+  return {
+    response: bytes,
+    requestid: "",
+    command: "",
+    error: false,
+    errorresponse: {}
+  };
+}
+function NewErrorResponseObject(errorResponse) {
+  return {
+    response: new Uint8Array(),
+    requestid: "",
+    command: "",
+    error: true,
+    errorresponse: errorResponse
+  };
+}
+function newStatus(tunnelState, errorCode, errorMsg) {
+  let assignedState = tunnelState;
+  if (tunnelState === "live" /* Live */) {
+    assignedState = "running" /* Running */;
+  } else if (tunnelState === "idle" /* New */) {
+    assignedState = "idle" /* New */;
+  } else if (tunnelState === "closed" /* Closed */) {
+    assignedState = "exited" /* Exited */;
+  }
+  const now = (/* @__PURE__ */ new Date()).toISOString();
+  return {
+    state: assignedState,
+    errorcode: errorCode,
+    errormsg: errorMsg,
+    createdtimestamp: now,
+    starttimestamp: now,
+    endtimestamp: now,
+    warnings: []
+  };
+}
+function newStats() {
+  return {
+    numLiveConnections: 0,
+    numTotalConnections: 0,
+    numTotalReqBytes: 0,
+    numTotalResBytes: 0,
+    numTotalTxBytes: 0,
+    elapsedTime: 0
+  };
+}
+var RemoteManagementStatus = {
+  Connecting: "CONNECTING",
+  Disconnecting: "DISCONNECTING",
+  Reconnecting: "RECONNECTING",
+  Running: "RUNNING",
+  NotRunning: "NOT_RUNNING",
+  Error: "ERROR"
+};
+
+// src/remote_management/remote_schema.ts
+import { TunnelType } from "@pinggy/pinggy";
+import { z } from "zod";
+var HeaderModificationSchema = z.object({
+  key: z.string(),
+  value: z.array(z.string()).nullable().optional(),
+  type: z.enum(["add", "remove", "update"])
+});
+var AdditionalForwardingSchema = z.object({
+  remoteDomain: z.string().optional(),
+  remotePort: z.number().optional(),
+  localDomain: z.string(),
+  localPort: z.number()
+});
+var TunnelConfigSchema = z.object({
+  allowPreflight: z.boolean().optional(),
+  // primary key
+  allowpreflight: z.boolean().optional(),
+  // legacy key
+  autoreconnect: z.boolean(),
+  basicauth: z.array(z.object({ username: z.string(), password: z.string() })).nullable(),
+  bearerauth: z.array(z.string()).nullable(),
+  configid: z.string(),
+  configname: z.string(),
+  greetmsg: z.string().optional(),
+  force: z.boolean(),
+  forwardedhost: z.string(),
+  fullRequestUrl: z.boolean(),
+  headermodification: z.array(HeaderModificationSchema),
+  httpsOnly: z.boolean(),
+  internalwebdebuggerport: z.number(),
+  ipwhitelist: z.array(z.string()).nullable(),
+  localport: z.number(),
+  localsservertls: z.union([z.boolean(), z.string()]),
+  localservertlssni: z.string().nullable(),
+  regioncode: z.string(),
+  noReverseProxy: z.boolean(),
+  serveraddress: z.string(),
+  serverport: z.number(),
+  statusCheckInterval: z.number(),
+  token: z.string(),
+  tunnelTimeout: z.number(),
+  type: z.enum([
+    TunnelType.Http,
+    TunnelType.Tcp,
+    TunnelType.Udp,
+    TunnelType.Tls,
+    TunnelType.TlsTcp
+  ]),
+  webdebuggerport: z.number(),
+  xff: z.string(),
+  additionalForwarding: z.array(AdditionalForwardingSchema).optional(),
+  serve: z.string().optional()
+}).superRefine((data, ctx) => {
+  if (data.allowPreflight === void 0 && data.allowpreflight === void 0) {
+    ctx.addIssue({
+      code: "custom",
+      message: "Either allowPreflight or allowpreflight is required",
+      path: ["allowPreflight"]
+    });
+  }
+}).transform((data) => ({
+  ...data,
+  allowPreflight: data.allowPreflight ?? data.allowpreflight,
+  allowpreflight: data.allowPreflight ?? data.allowpreflight
+}));
+var StartSchema = z.object({
+  tunnelID: z.string().nullable().optional(),
+  tunnelConfig: TunnelConfigSchema
+});
+var StopSchema = z.object({
+  tunnelID: z.string().min(1)
+});
+var GetSchema = StopSchema;
+var RestartSchema = StopSchema;
+var UpdateConfigSchema = z.object({
+  tunnelConfig: TunnelConfigSchema
+});
+var ForwardingEntryV2Schema = z.object({
+  listenAddress: z.string().optional(),
+  address: z.string(),
+  type: z.enum([TunnelType.Http, TunnelType.Tcp, TunnelType.Udp, TunnelType.Tls, TunnelType.TlsTcp])
+});
+var TunnelConfigV1Schema = z.object({
+  // Meta Info
+  version: z.string(),
+  name: z.string(),
+  configId: z.string(),
+  // General tunnel configurations
+  serverAddress: z.string().optional(),
+  token: z.string().optional(),
+  autoReconnect: z.boolean().optional(),
+  reconnectInterval: z.number().optional(),
+  maxReconnectAttempts: z.number().optional(),
+  force: z.boolean(),
+  keepAliveInterval: z.number().optional(),
+  webDebugger: z.string(),
+  //Forwarding
+  // Either a URL string (e.g. "https://localhost:5555") or an array of forwarding entries.
+  forwarding: z.union([
+    z.string(),
+    z.array(ForwardingEntryV2Schema)
+  ]),
+  // IP whitelist 
+  ipWhitelist: z.array(z.string()).optional(),
+  basicAuth: z.array(z.object({ username: z.string(), password: z.string() })).optional(),
+  bearerTokenAuth: z.array(z.string()).optional(),
+  headerModification: z.array(HeaderModificationSchema).optional(),
+  reverseProxy: z.boolean().optional(),
+  xForwardedFor: z.boolean().optional(),
+  httpsOnly: z.boolean().optional(),
+  originalRequestUrl: z.boolean().optional(),
+  allowPreflight: z.boolean().optional(),
+  serve: z.string().optional(),
+  optional: z.record(z.string(), z.unknown()).optional()
+});
+var StartV2Schema = z.object({
+  tunnelID: z.string().nullable().optional(),
+  tunnelConfig: TunnelConfigV1Schema
+});
+var UpdateConfigV2Schema = z.object({
+  tunnelConfig: TunnelConfigV1Schema
+});
+function pinggyOptionsToTunnelConfigV1(opts, configStoredInCli) {
+  const parsedTokens = opts.bearerTokenAuth ? Array.isArray(opts.bearerTokenAuth) ? opts.bearerTokenAuth : JSON.parse(opts.bearerTokenAuth) : [];
+  return {
+    version: configStoredInCli.version || "1.0",
+    name: configStoredInCli.name || "",
+    configId: configStoredInCli.configId || "",
+    serverAddress: opts.serverAddress || "a.pinggy.io:443",
+    token: opts.token || "",
+    autoReconnect: opts.autoReconnect ?? true,
+    force: opts.force ?? false,
+    webDebugger: opts.webDebugger || "",
+    forwarding: opts.forwarding ? opts.forwarding : "",
+    ipWhitelist: opts.ipWhitelist ? Array.isArray(opts.ipWhitelist) ? opts.ipWhitelist : JSON.parse(opts.ipWhitelist) : [],
+    basicAuth: opts.basicAuth && Object.keys(opts.basicAuth).length ? opts.basicAuth : void 0,
+    bearerTokenAuth: parsedTokens.length ? parsedTokens : void 0,
+    headerModification: opts.headerModification || [],
+    reverseProxy: opts.reverseProxy ?? false,
+    xForwardedFor: !!opts.xForwardedFor,
+    httpsOnly: opts.httpsOnly ?? false,
+    originalRequestUrl: opts.originalRequestUrl ?? false,
+    allowPreflight: opts.allowPreflight ?? false,
+    optional: opts.optional || {}
+  };
+}
+function tunnelConfigToPinggyOptions(config) {
+  const forwardingData = [];
+  forwardingData.push({
+    address: `${config.forwardedhost}:${config.localport}`,
+    type: config.type || TunnelType.Http
+    // Default to HTTP for the primary forwarding entry
+  });
+  if (config.additionalForwarding && Array.isArray(config.additionalForwarding)) {
+    config.additionalForwarding.forEach((entry) => {
+      if (entry.localDomain && entry.localPort && entry.remoteDomain) {
+        const listenAddress = entry.remotePort && isValidPort(entry.remotePort) ? `${entry.remoteDomain}:${entry.remotePort}` : entry.remoteDomain;
+        forwardingData.push({
+          address: `${entry.localDomain}:${entry.localPort}`,
+          listenAddress,
+          type: TunnelType.Http
+        });
+      }
+    });
+  }
+  return {
+    token: config.token || "",
+    serverAddress: config.serveraddress || "free.pinggy.io",
+    forwarding: forwardingData,
+    webDebugger: config.webdebuggerport ? `localhost:${config.webdebuggerport}` : "",
+    ipWhitelist: config.ipwhitelist || [],
+    basicAuth: config.basicauth ? config.basicauth : [],
+    bearerTokenAuth: config.bearerauth || [],
+    headerModification: config.headermodification,
+    xForwardedFor: !!config.xff,
+    httpsOnly: config.httpsOnly,
+    originalRequestUrl: config.fullRequestUrl,
+    allowPreflight: config.allowPreflight,
+    reverseProxy: config.noReverseProxy,
+    force: config.force,
+    autoReconnect: config.autoreconnect,
+    optional: {
+      sniServerName: config.localservertlssni || ""
+    }
+  };
+}
+function pinggyOptionsToTunnelConfig(opts, configid, configName, localserverTls, greetMsg, serve) {
+  let primaryEntry;
+  let additionalEntries = [];
+  if (Array.isArray(opts.forwarding)) {
+    primaryEntry = opts.forwarding.find((e) => !e.listenAddress) ?? opts.forwarding[0];
+    additionalEntries = opts.forwarding.filter(
+      (e) => e !== primaryEntry && Boolean(e.listenAddress)
+    );
+  }
+  const forwarding = primaryEntry ? String(primaryEntry.address) : String(opts.forwarding);
+  const [parsedForwardedHost, portStr] = forwarding.split(":");
+  const parsedLocalPort = parseInt(portStr, 10);
+  const tunnelType = primaryEntry?.type ?? TunnelType.Http;
+  const additionalForwarding = additionalEntries.map((e) => {
+    const [localDomain, localPortStr] = String(e.address).split(":");
+    const [remoteDomain, remotePortStr] = String(e.listenAddress).split(":");
+    const localPort = parseInt(localPortStr, 10);
+    const remotePort = parseInt(remotePortStr, 10);
+    return {
+      localDomain,
+      localPort: isNaN(localPort) ? 0 : localPort,
+      remoteDomain,
+      remotePort: isNaN(remotePort) ? 0 : remotePort
+    };
+  });
+  const parsedTokens = opts.bearerTokenAuth ? Array.isArray(opts.bearerTokenAuth) ? opts.bearerTokenAuth : JSON.parse(opts.bearerTokenAuth) : [];
+  return {
+    allowPreflight: opts.allowPreflight ?? false,
+    allowpreflight: opts.allowPreflight ?? false,
+    autoreconnect: opts.autoReconnect ?? false,
+    basicauth: opts.basicAuth && Object.keys(opts.basicAuth).length ? opts.basicAuth : null,
+    bearerauth: parsedTokens.length ? [parsedTokens.join(",")] : null,
+    configid,
+    configname: configName,
+    greetmsg: greetMsg || "",
+    force: opts.force ?? false,
+    forwardedhost: parsedForwardedHost || "localhost",
+    fullRequestUrl: opts.originalRequestUrl ?? false,
+    headermodification: opts.headerModification || [],
+    //structured list
+    httpsOnly: opts.httpsOnly ?? false,
+    internalwebdebuggerport: 0,
+    ipwhitelist: opts.ipWhitelist ? Array.isArray(opts.ipWhitelist) ? opts.ipWhitelist : JSON.parse(opts.ipWhitelist) : null,
+    localport: parsedLocalPort || 0,
+    localservertlssni: null,
+    regioncode: "",
+    noReverseProxy: opts.reverseProxy ?? false,
+    serveraddress: opts.serverAddress || "free.pinggy.io",
+    serverport: 0,
+    statusCheckInterval: 0,
+    token: opts.token || "",
+    tunnelTimeout: 0,
+    type: tunnelType,
+    webdebuggerport: Number(opts.webDebugger?.split(":")[0]) || 0,
+    xff: opts.xForwardedFor ? "1" : "",
+    localsservertls: localserverTls || false,
+    additionalForwarding: additionalForwarding || [],
+    serve: serve || ""
+  };
+}
+
+// src/remote_management/handler.ts
+var TunnelOperations = class {
+  constructor() {
+    this.tunnelManager = TunnelManager.getInstance();
+  }
+  buildStatus(tunnelId, state, errorCode) {
+    const status = newStatus(state, errorCode, "");
+    try {
+      const managed = this.tunnelManager.getManagedTunnel("", tunnelId);
+      if (managed) {
+        status.createdtimestamp = managed.createdAt || "";
+        status.starttimestamp = managed.startedAt || "";
+        status.endtimestamp = managed.stoppedAt || "";
+      }
+      if (managed?.lastError) {
+        status.lastError = managed.lastError;
+      }
+    } catch (e) {
+    }
+    return status;
+  }
+  // --- Placeholder response ---
+  buildPendingTunnelResponse(tunnelid, tunnelConfig, configid, tunnelName, serve) {
+    return {
+      tunnelid,
+      remoteurls: [],
+      tunnelconfig: pinggyOptionsToTunnelConfig(tunnelConfig, configid, tunnelName, false, void 0, serve),
+      status: this.buildStatus(tunnelid, "starting" /* Starting */, "" /* NoError */),
+      stats: newStats()
+    };
+  }
+  buildPendingTunnelResponseV2(tunnelid, tunnelConfig, configFromCli, configid, tunnelName, serve) {
+    return {
+      tunnelid,
+      remoteurls: [],
+      tunnelconfig: pinggyOptionsToTunnelConfigV1(tunnelConfig, configFromCli),
+      status: this.buildStatus(tunnelid, "starting" /* Starting */, "" /* NoError */),
+      stats: newStats(),
+      greetmsg: ""
+    };
+  }
+  // --- Helper to construct TunnelResponse ---
+  async buildTunnelResponse(tunnelid, tunnelConfig, configid, tunnelName, serve) {
+    const stats = this.tunnelManager.getLatestTunnelStats(tunnelid) || newStats();
+    const [status, tlsInfo, greetMsg, remoteurls] = await Promise.all([
+      this.tunnelManager.getTunnelStatus(tunnelid),
+      this.tunnelManager.getLocalserverTlsInfo(tunnelid),
+      this.tunnelManager.getTunnelGreetMessage(tunnelid),
+      this.tunnelManager.getTunnelUrls(tunnelid)
+    ]);
+    return {
+      tunnelid,
+      remoteurls,
+      tunnelconfig: pinggyOptionsToTunnelConfig(tunnelConfig, configid, tunnelName, tlsInfo, greetMsg),
+      status: this.buildStatus(tunnelid, status, "" /* NoError */),
+      stats
+    };
+  }
+  async buildTunnelResponseV2(tunnelid, tunnelConfig, configFromCli, configid, tunnelName, serve) {
+    const stats = this.tunnelManager.getLatestTunnelStats(tunnelid) || newStats();
+    const [status, greetMsg, remoteurls] = await Promise.all([
+      this.tunnelManager.getTunnelStatus(tunnelid),
+      this.tunnelManager.getTunnelGreetMessage(tunnelid),
+      this.tunnelManager.getTunnelUrls(tunnelid)
+    ]);
+    return {
+      tunnelid,
+      remoteurls,
+      tunnelconfig: pinggyOptionsToTunnelConfigV1(tunnelConfig, configFromCli),
+      status: this.buildStatus(tunnelid, status, "" /* NoError */),
+      stats,
+      greetmsg: greetMsg
+    };
+  }
+  error(code, err, fallback) {
+    return newErrorResponse({
+      code,
+      message: err instanceof Error ? err.message : fallback
+    });
+  }
+  // --- Operations ---
+  async handleStart(config, noWait = false, origin = "cli") {
+    try {
+      const opts = tunnelConfigToPinggyOptions(config);
+      const managed = await this.tunnelManager.createTunnel({
+        ...opts,
+        configId: config.configid,
+        name: config.configname,
+        optional: {
+          serve: config.serve
+        }
+      }, origin);
+      const { tunnelid, tunnelName, serve, tunnelConfig } = managed;
+      const startPromise = this.tunnelManager.startTunnel(tunnelid);
+      if (noWait) {
+        startPromise.catch((err) => {
+          logger.error("No-wait startTunnel failed", { tunnelid, err: String(err) });
+        });
+        return this.buildPendingTunnelResponse(tunnelid, tunnelConfig, config.configid, tunnelName, serve);
+      }
+      await startPromise;
+      const tunnelPconfig = await this.tunnelManager.getTunnelConfig("", tunnelid);
+      return this.buildTunnelResponse(tunnelid, tunnelPconfig, config.configid, tunnelName, serve);
+    } catch (err) {
+      return this.error(ErrorCode.ErrorStartingTunnel, err, "Unknown error occurred while starting tunnel");
+    }
+  }
+  async handleStartV2(config, noWait = false, origin = "cli") {
+    try {
+      const managed = await this.tunnelManager.createTunnel(config, origin);
+      const { tunnelid, tunnelConfig } = managed;
+      const startPromise = this.tunnelManager.startTunnel(tunnelid);
+      if (noWait) {
+        startPromise.catch((err) => {
+          logger.error("No-wait startTunnel failed", { tunnelid, err: String(err) });
+        });
+        return this.buildPendingTunnelResponseV2(tunnelid, tunnelConfig, config, config.configId, config.name, config.serve);
+      }
+      await startPromise;
+      const tunnelPconfig = await this.tunnelManager.getTunnelConfig("", tunnelid);
+      return this.buildTunnelResponseV2(tunnelid, tunnelPconfig, config, config.configId, config.name, config.serve);
+    } catch (err) {
+      if (err instanceof TunnelAlreadyRunningError) {
+        return this.error(ErrorCode.TunnelAlreadyRunningError, err, err.message);
+      }
+      return this.error(ErrorCode.ErrorStartingTunnel, err, "Unknown error occurred while starting tunnel");
+    }
+  }
+  async handleUpdateConfig(config, noWait = false) {
+    try {
+      const opts = tunnelConfigToPinggyOptions(config);
+      const updateOpts = {
+        ...opts,
+        configId: config.configid,
+        name: config.configname,
+        optional: {
+          serve: config.serve
+        }
+      };
+      if (noWait) {
+        const existing = this.tunnelManager.getManagedTunnel(config.configid);
+        if (!existing.tunnelConfig) throw new Error("Invalid tunnel state before configuration update");
+        this.tunnelManager.updateConfig(updateOpts).catch((err) => {
+          logger.error("No-wait updateConfig failed", { configid: config.configid, err: String(err) });
+        });
+        return this.buildPendingTunnelResponse(existing.tunnelid, existing.tunnelConfig, config.configid, existing.tunnelName, existing.serve);
+      }
+      const tunnel = await this.tunnelManager.updateConfig(updateOpts);
+      if (!tunnel.instance || !tunnel.tunnelConfig)
+        throw new Error("Invalid tunnel state after configuration update");
+      return this.buildTunnelResponse(tunnel.tunnelid, tunnel.tunnelConfig, config.configid, tunnel.tunnelName, tunnel.serve);
+    } catch (err) {
+      return this.error(ErrorCode.InternalServerError, err, "Failed to update tunnel configuration");
+    }
+  }
+  async handleUpdateConfigV2(config, noWait = false) {
+    try {
+      if (noWait) {
+        const existing = this.tunnelManager.getManagedTunnel(config.configId);
+        if (!existing.tunnelConfig) throw new Error("Invalid tunnel state before configuration update");
+        this.tunnelManager.updateConfig(config).catch((err) => {
+          logger.error("No-wait updateConfigV2 failed", { configId: config.configId, err: String(err) });
+        });
+        return this.buildPendingTunnelResponseV2(existing.tunnelid, existing.tunnelConfig, config, config.configId, existing.tunnelName, existing.serve);
+      }
+      const tunnel = await this.tunnelManager.updateConfig(config);
+      if (!tunnel.instance || !tunnel.tunnelConfig)
+        throw new Error("Invalid tunnel state after configuration update");
+      return this.buildTunnelResponseV2(tunnel.tunnelid, tunnel.tunnelConfig, config, config.configId, tunnel.tunnelName, tunnel.serve);
+    } catch (err) {
+      return this.error(ErrorCode.InternalServerError, err, "Failed to update tunnel configuration");
+    }
+  }
+  async handleListV2() {
+    try {
+      const tunnels = await this.tunnelManager.getAllTunnels();
+      if (tunnels.length === 0) {
+        return [];
+      }
+      return Promise.all(
+        tunnels.map(async (t) => {
+          const rawStats = this.tunnelManager.getLatestTunnelStats(t.tunnelid) || newStats();
+          const [status, tlsInfo, greetMsg] = await Promise.all([
+            this.tunnelManager.getTunnelStatus(t.tunnelid),
+            this.tunnelManager.getLocalserverTlsInfo(t.tunnelid),
+            this.tunnelManager.getTunnelGreetMessage(t.tunnelid)
+          ]);
+          const tunnelConfguration = status !== "closed" /* Closed */ && status !== "exited" /* Exited */ ? await this.tunnelManager.getTunnelConfig("", t.tunnelid) : t.tunnelConfig;
+          const tunnelConfig = pinggyOptionsToTunnelConfigV1(tunnelConfguration, t.tunnelConfig);
+          return {
+            tunnelid: t.tunnelid,
+            remoteurls: t.remoteurls,
+            status: this.buildStatus(t.tunnelid, status, "" /* NoError */),
+            stats: rawStats,
+            tunnelconfig: tunnelConfig,
+            greetmsg: greetMsg
+          };
+        })
+      );
+    } catch (err) {
+      return this.error(ErrorCode.InternalServerError, err, "Failed to list tunnels");
+    }
+  }
+  async handleList() {
+    try {
+      const tunnels = await this.tunnelManager.getAllTunnels();
+      if (tunnels.length === 0) {
+        return [];
+      }
+      return Promise.all(
+        tunnels.map(async (t) => {
+          const rawStats = this.tunnelManager.getLatestTunnelStats(t.tunnelid) || newStats();
+          const [status, tlsInfo, greetMsg] = await Promise.all([
+            this.tunnelManager.getTunnelStatus(t.tunnelid),
+            this.tunnelManager.getLocalserverTlsInfo(t.tunnelid),
+            this.tunnelManager.getTunnelGreetMessage(t.tunnelid)
+          ]);
+          const pinggyOptions = status !== "closed" /* Closed */ && status !== "exited" /* Exited */ ? await this.tunnelManager.getTunnelConfig("", t.tunnelid) : t.tunnelConfig;
+          const tunnelConfig = pinggyOptionsToTunnelConfig(pinggyOptions, t.configId, t.tunnelName, tlsInfo, greetMsg, t.serve);
+          return {
+            tunnelid: t.tunnelid,
+            remoteurls: t.remoteurls,
+            status: this.buildStatus(t.tunnelid, status, "" /* NoError */),
+            stats: rawStats,
+            tunnelconfig: tunnelConfig
+          };
+        })
+      );
+    } catch (err) {
+      return this.error(ErrorCode.InternalServerError, err, "Failed to list tunnels");
+    }
+  }
+  async handleStop(tunnelid) {
+    try {
+      const { configId } = this.tunnelManager.stopTunnel(tunnelid);
+      const managed = this.tunnelManager.getManagedTunnel("", tunnelid);
+      if (!managed?.tunnelConfig) throw new Error(`Tunnel config for ID "${tunnelid}" not found`);
+      return this.buildTunnelResponse(tunnelid, managed.tunnelConfig, configId, managed.tunnelName, managed.serve);
+    } catch (err) {
+      return this.error(ErrorCode.TunnelNotFound, err, "Failed to stop tunnel");
+    }
+  }
+  async handleGet(tunnelid) {
+    try {
+      const managed = this.tunnelManager.getManagedTunnel("", tunnelid);
+      if (!managed?.tunnelConfig) throw new Error(`Tunnel config for ID "${tunnelid}" not found`);
+      return this.buildTunnelResponse(tunnelid, managed.tunnelConfig, managed.configId, managed.tunnelName, managed.serve);
+    } catch (err) {
+      return this.error(ErrorCode.TunnelNotFound, err, "Failed to get tunnel information");
+    }
+  }
+  async handleRestart(tunnelid, noWait = false) {
+    try {
+      if (noWait) {
+        const managed2 = this.tunnelManager.getManagedTunnel("", tunnelid);
+        if (!managed2?.tunnelConfig) throw new Error(`Tunnel config for ID "${tunnelid}" not found`);
+        this.tunnelManager.restartTunnel(tunnelid).catch((err) => {
+          logger.error("No-wait restartTunnel failed", { tunnelid, err: String(err) });
+        });
+        return this.buildPendingTunnelResponse(tunnelid, managed2.tunnelConfig, managed2.configId, managed2.tunnelName, managed2.serve);
+      }
+      await this.tunnelManager.restartTunnel(tunnelid);
+      const managed = this.tunnelManager.getManagedTunnel("", tunnelid);
+      if (!managed?.tunnelConfig) throw new Error(`Tunnel config for ID "${tunnelid}" not found`);
+      return this.buildTunnelResponse(tunnelid, managed.tunnelConfig, managed.configId, managed.tunnelName, managed.serve);
+    } catch (err) {
+      return this.error(ErrorCode.TunnelNotFound, err, "Failed to restart tunnel");
+    }
+  }
+  handleRegisterStatsListener(tunnelid, listener) {
+    void this.tunnelManager.registerStatsListener(tunnelid, listener);
+  }
+  handleUnregisterStatsListener(tunnelid, listnerId) {
+    this.tunnelManager.deregisterStatsListener(tunnelid, listnerId);
+  }
+  handleGetTunnelStats(tunnelid) {
+    try {
+      const stats = this.tunnelManager.getTunnelStats(tunnelid);
+      if (!stats) {
+        return Promise.resolve([newStats()]);
+      }
+      return Promise.resolve(stats);
+    } catch (err) {
+      return Promise.resolve(this.error(ErrorCode.TunnelNotFound, err, "Failed to get tunnel stats"));
+    }
+  }
+  handleRegisterDisconnectListener(tunnelid, listener) {
+    void this.tunnelManager.registerDisconnectListener(tunnelid, listener);
+  }
+  handleRemoveStoppedTunnelByConfigId(configId) {
+    try {
+      return this.tunnelManager.removeStoppedTunnelByConfigId(configId);
+    } catch (err) {
+      return this.error(ErrorCode.InternalServerError, err, "Failed to remove stopped tunnel by configId");
+    }
+  }
+  handleRemoveStoppedTunnelByTunnelId(tunnelId) {
+    try {
+      return this.tunnelManager.removeStoppedTunnelByTunnelId(tunnelId);
+    } catch (err) {
+      return this.error(ErrorCode.InternalServerError, err, "Failed to remove stopped tunnel by tunnelId");
+    }
+  }
+};
+
+// src/remote_management/remoteManagement.ts
+import WebSocket from "ws";
+
+// src/remote_management/websocket_printer.ts
+import pico from "picocolors";
+var PENDING_START_TIMEOUT_MS = 5 * 60 * 1e3;
+var RemoteManagementWebSocketPrinter = class {
+  constructor() {
+    this.pendingStarts = /* @__PURE__ */ new Map();
+  }
+  setTunnelHandler(tunnelHandler) {
+    this.tunnelHandler = tunnelHandler;
+  }
+  queueStart(config) {
+    this.cleanupExpiredPendingStarts();
+    const entry = {
+      configId: this.getConfigIdFromRequest(config),
+      configName: this.getConfigNameFromRequest(config),
+      queuedAt: Date.now()
+    };
+    this.latestPendingConfigId = entry.configId;
+    this.pendingStarts.set(entry.configId, entry);
+    printer_default.startSpinner("Starting tunnel with config name: " + entry.configName);
+  }
+  failQueuedStart(config, reason) {
+    const configId = this.getConfigIdFromRequest(config);
+    const pending = this.pendingStarts.get(configId);
+    const configName = pending?.configName || this.getConfigNameFromRequest(config);
+    this.pendingStarts.delete(configId);
+    if (this.latestPendingConfigId === configId) {
+      this.latestPendingConfigId = void 0;
+      printer_default.stopSpinnerFail(`Failed to start tunnel with config name: ${configName}. ${reason}`);
+    }
+  }
+  handleStartResult(config, result) {
+    this.cleanupExpiredPendingStarts();
+    const requestedConfigId = this.getConfigIdFromRequest(config);
+    if (this.latestPendingConfigId && requestedConfigId !== this.latestPendingConfigId) {
+      this.pendingStarts.delete(requestedConfigId);
+      return;
+    }
+    if (isErrorResponse(result)) {
+      this.failQueuedStart(config, result.message);
+      return;
+    }
+    const configId = this.getConfigIdFromTunnel(result);
+    const pending = this.pendingStarts.get(requestedConfigId) || {
+      configId: requestedConfigId,
+      configName: this.getConfigNameFromRequest(config),
+      queuedAt: Date.now()
+    };
+    pending.tunnelId = result.tunnelid;
+    this.pendingStarts.set(requestedConfigId, pending);
+    if (result.remoteurls.length > 0) {
+      this.completePendingStart(pending, result.remoteurls);
+    }
+  }
+  printStopRequested(tunnelId) {
+    const details = this.resolveTunnelDetails(tunnelId);
+    printer_default.startSpinner("Stopping tunnel with config name: " + details.configName);
+  }
+  handleStopResult(tunnelId, result) {
+    const details = this.resolveTunnelDetails(tunnelId, result);
+    if (isErrorResponse(result)) {
+      printer_default.stopSpinnerFail("Failed to stop tunnel with config name: " + details.configName);
+      return;
+    }
+    this.pendingStarts.delete(details.configId);
+    printer_default.stopSpinnerSuccess("Stopped tunnel with config name: " + details.configName);
+  }
+  printRestartRequested(tunnelId) {
+    const details = this.resolveTunnelDetails(tunnelId);
+    printer_default.startSpinner("Restarting tunnel with config name: " + details.configName);
+  }
+  handleRestartResult(tunnelId, result) {
+    const details = this.resolveTunnelDetails(tunnelId, result);
+    if (isErrorResponse(result)) {
+      printer_default.warn(`Failed to restart tunnel with config name: ${details.configName}. ${result.message}`);
+      printer_default.stopSpinnerFail("Failed to restart tunnel with config name: " + details.configName);
+      return;
+    }
+    printer_default.stopSpinnerSuccess("Restarted tunnel with config name: " + details.configName);
+    if (result.remoteurls?.length > 0) {
+      printer_default.info(pico.cyanBright("Remote URLs:"));
+      (result.remoteurls ?? []).forEach(
+        (url) => printer_default.print("  " + pico.magentaBright(url))
+      );
+    }
+  }
+  monitorList(result) {
+    this.cleanupExpiredPendingStarts();
+    if (!Array.isArray(result) || this.pendingStarts.size === 0 || !this.latestPendingConfigId) {
+      return;
+    }
+    for (const tunnel of result) {
+      const pending = this.findPendingStart(tunnel);
+      if (!pending) {
+        continue;
+      }
+      if (pending.configId !== this.latestPendingConfigId) {
+        continue;
+      }
+      pending.tunnelId = tunnel.tunnelid;
+      this.pendingStarts.set(pending.configId, pending);
+      if (tunnel.remoteurls.length > 0) {
+        this.completePendingStart(pending, tunnel.remoteurls);
+        continue;
+      }
+      if (tunnel.status.state === "exited" /* Exited */) {
+        const reason = tunnel.status.errormsg || "Tunnel exited before a public URL was assigned";
+        this.pendingStarts.delete(pending.configId);
+        this.latestPendingConfigId = void 0;
+        printer_default.stopSpinnerFail(`Tunnel start did not complete for config name: ${pending.configName}. ${reason}`);
+      }
+    }
+  }
+  completePendingStart(entry, urls) {
+    if (this.latestPendingConfigId && entry.configId !== this.latestPendingConfigId) {
+      this.pendingStarts.delete(entry.configId);
+      return;
+    }
+    this.pendingStarts.delete(entry.configId);
+    this.latestPendingConfigId = void 0;
+    printer_default.stopSpinnerSuccess(`Tunnel started with config name: ${entry.configName}.`);
+    printer_default.info(pico.cyanBright("Remote URLs:"));
+    (urls ?? []).forEach(
+      (url) => printer_default.print("  " + pico.magentaBright(url))
+    );
+  }
+  cleanupExpiredPendingStarts() {
+    const now = Date.now();
+    for (const [configId, entry] of this.pendingStarts.entries()) {
+      if (now - entry.queuedAt <= PENDING_START_TIMEOUT_MS) {
+        continue;
+      }
+      this.pendingStarts.delete(configId);
+      printer_default.warn(`Timed out while waiting for tunnel URL for config name: ${entry.configName}`);
+      logger.warn("Pending websocket start entry expired", { configId, tunnelId: entry.tunnelId });
+    }
+  }
+  findPendingStart(tunnel) {
+    const configId = this.getConfigIdFromTunnel(tunnel);
+    const byConfigId = this.pendingStarts.get(configId);
+    if (byConfigId) {
+      return byConfigId;
+    }
+    for (const entry of this.pendingStarts.values()) {
+      if (entry.tunnelId === tunnel.tunnelid) {
+        return entry;
+      }
+    }
+    return void 0;
+  }
+  resolveTunnelDetails(tunnelId, result) {
+    if (result && !isErrorResponse(result)) {
+      return {
+        configId: this.getConfigIdFromTunnel(result),
+        configName: this.getConfigNameFromTunnel(result)
+      };
+    }
+    return {
+      configId: tunnelId,
+      configName: tunnelId
+    };
+  }
+  getConfigIdFromRequest(config) {
+    return "configid" in config ? config.configid : config.configId;
+  }
+  getConfigNameFromRequest(config) {
+    return "configname" in config ? config.configname : config.name;
+  }
+  getConfigIdFromTunnel(tunnel) {
+    return "configid" in tunnel.tunnelconfig ? tunnel.tunnelconfig.configid : tunnel.tunnelconfig.configId;
+  }
+  getConfigNameFromTunnel(tunnel) {
+    return "configname" in tunnel.tunnelconfig ? tunnel.tunnelconfig.configname : tunnel.tunnelconfig.name;
+  }
+};
+var remoteManagementWebSocketPrinter = new RemoteManagementWebSocketPrinter();
+
+// src/remote_management/websocket_handlers.ts
+import z2 from "zod";
+var WsCommand = {
+  Start: "start",
+  StartV2: "start-v2",
+  Stop: "stop",
+  Get: "get",
+  Restart: "restart",
+  UpdateConfig: "updateconfig",
+  UpdateConfigV2: "update-config-v2",
+  List: "list",
+  ListV2: "list-v2",
+  GetVersion: "get-version"
+};
+var WebSocketCommandHandler = class {
+  constructor(handler) {
+    this.tunnelHandler = handler ?? new TunnelOperations();
+    remoteManagementWebSocketPrinter.setTunnelHandler(this.tunnelHandler);
+  }
+  safeParse(text) {
+    if (!text) return void 0;
+    try {
+      return JSON.parse(text);
+    } catch (e) {
+      logger.warn("Invalid JSON payload", { error: String(e), text });
+      return void 0;
+    }
+  }
+  sendResponse(ws, resp) {
+    const payload = {
+      ...resp,
+      response: Buffer.from(resp.response || []).toString("base64")
+    };
+    ws.send(JSON.stringify(payload));
+  }
+  sendError(ws, req, message, code = ErrorCode.InternalServerError) {
+    const resp = NewErrorResponseObject({ code, message });
+    resp.command = req.command || "";
+    resp.requestid = req.requestid || "";
+    this.sendResponse(ws, resp);
+  }
+  async handleStartReq(req, raw) {
+    let queuedConfig;
+    try {
+      const dc = StartSchema.parse(raw);
+      queuedConfig = dc.tunnelConfig;
+      remoteManagementWebSocketPrinter.queueStart(dc.tunnelConfig);
+      const result = await this.tunnelHandler.handleStart(dc.tunnelConfig, true);
+      remoteManagementWebSocketPrinter.handleStartResult(dc.tunnelConfig, result);
+      return this.wrapResponse(result, req);
+    } catch (e) {
+      if (queuedConfig) {
+        remoteManagementWebSocketPrinter.failQueuedStart(queuedConfig, String(e));
+      }
+      if (e instanceof z2.ZodError) {
+        printer_default.warn("Validation failed for start request");
+        return NewErrorResponseObject({ code: ErrorCode.InvalidBodyFormatError, message: "Validation failed" });
+      }
+      printer_default.warn(`Error in handleStartReq error: ${String(e)}`);
+      return NewErrorResponseObject({ code: ErrorCode.InternalServerError, message: String(e) });
+    }
+  }
+  async handleStartV2Req(req, raw) {
+    let queuedConfig;
+    try {
+      const dc = StartV2Schema.parse(raw);
+      queuedConfig = dc.tunnelConfig;
+      remoteManagementWebSocketPrinter.queueStart(dc.tunnelConfig);
+      const result = await this.tunnelHandler.handleStartV2(dc.tunnelConfig, true);
+      remoteManagementWebSocketPrinter.handleStartResult(dc.tunnelConfig, result);
+      return this.wrapResponse(result, req);
+    } catch (e) {
+      if (queuedConfig) {
+        remoteManagementWebSocketPrinter.failQueuedStart(queuedConfig, String(e));
+      }
+      if (e instanceof z2.ZodError) {
+        printer_default.warn("Validation failed for start-v2 request");
+        return NewErrorResponseObject({ code: ErrorCode.InvalidBodyFormatError, message: "Validation failed" });
+      }
+      printer_default.warn(`Error in handleStartV2Req error: ${String(e)}`);
+      return NewErrorResponseObject({ code: ErrorCode.InternalServerError, message: String(e) });
+    }
+  }
+  async handleStopReq(req, raw) {
+    try {
+      const dc = StopSchema.parse(raw);
+      remoteManagementWebSocketPrinter.printStopRequested(dc.tunnelID);
+      const result = await this.tunnelHandler.handleStop(dc.tunnelID);
+      remoteManagementWebSocketPrinter.handleStopResult(dc.tunnelID, result);
+      return this.wrapResponse(result, req);
+    } catch (e) {
+      if (e instanceof z2.ZodError) {
+        printer_default.warn("Validation failed for stop request");
+        return NewErrorResponseObject({ code: ErrorCode.InvalidBodyFormatError, message: "Validation failed" });
+      }
+      printer_default.warn(`Error in handleStopReq error: ${String(e)}`);
+      return NewErrorResponseObject({ code: ErrorCode.InternalServerError, message: String(e) });
+    }
+  }
+  async handleGetReq(req, raw) {
+    try {
+      const dc = GetSchema.parse(raw);
+      const result = await this.tunnelHandler.handleGet(dc.tunnelID);
+      return this.wrapResponse(result, req);
+    } catch (e) {
+      if (e instanceof z2.ZodError) {
+        printer_default.warn("Validation failed for get request");
+        return NewErrorResponseObject({ code: ErrorCode.InvalidBodyFormatError, message: "Validation failed" });
+      }
+      printer_default.warn(`Error in handleGetReq error: ${String(e)}`);
+      return NewErrorResponseObject({ code: ErrorCode.InternalServerError, message: String(e) });
+    }
+  }
+  async handleRestartReq(req, raw) {
+    try {
+      const dc = RestartSchema.parse(raw);
+      remoteManagementWebSocketPrinter.printRestartRequested(dc.tunnelID);
+      const result = await this.tunnelHandler.handleRestart(dc.tunnelID, true);
+      remoteManagementWebSocketPrinter.handleRestartResult(dc.tunnelID, result);
+      return this.wrapResponse(result, req);
+    } catch (e) {
+      if (e instanceof z2.ZodError) {
+        printer_default.warn("Validation failed for restart request");
+        return NewErrorResponseObject({ code: ErrorCode.InvalidBodyFormatError, message: "Validation failed" });
+      }
+      printer_default.warn(`Error in handleRestartReq error: ${String(e)}`);
+      return NewErrorResponseObject({ code: ErrorCode.InternalServerError, message: String(e) });
+    }
+  }
+  async handleUpdateConfigReq(req, raw) {
+    try {
+      const dc = UpdateConfigSchema.parse(raw);
+      const result = await this.tunnelHandler.handleUpdateConfig(dc.tunnelConfig, true);
+      return this.wrapResponse(result, req);
+    } catch (e) {
+      if (e instanceof z2.ZodError) {
+        printer_default.warn("Validation failed for updateconfig request");
+        return NewErrorResponseObject({ code: ErrorCode.InvalidBodyFormatError, message: "Validation failed" });
+      }
+      printer_default.warn(`Error in handleUpdateConfigReq error: ${String(e)}`);
+      return NewErrorResponseObject({ code: ErrorCode.InternalServerError, message: String(e) });
+    }
+  }
+  async handleUpdateConfigV2Req(req, raw) {
+    try {
+      const dc = UpdateConfigV2Schema.parse(raw);
+      const result = await this.tunnelHandler.handleUpdateConfigV2(dc.tunnelConfig, true);
+      return this.wrapResponse(result, req);
+    } catch (e) {
+      if (e instanceof z2.ZodError) {
+        printer_default.warn("Validation failed for update-config-v2 request");
+        return NewErrorResponseObject({ code: ErrorCode.InvalidBodyFormatError, message: "Validation failed" });
+      }
+      printer_default.warn(`Error in handleUpdateConfigV2Req error: ${String(e)}`);
+      return NewErrorResponseObject({ code: ErrorCode.InternalServerError, message: String(e) });
+    }
+  }
+  async handleListReq(req) {
+    try {
+      const result = await this.tunnelHandler.handleList();
+      remoteManagementWebSocketPrinter.monitorList(result);
+      return this.wrapResponse(result, req);
+    } catch (e) {
+      printer_default.warn(`Error in handleListReq error: ${String(e)}`);
+      return NewErrorResponseObject({ code: ErrorCode.InternalServerError, message: String(e) });
+    }
+  }
+  async handleListV2Req(req) {
+    try {
+      const result = await this.tunnelHandler.handleListV2();
+      remoteManagementWebSocketPrinter.monitorList(result);
+      return this.wrapResponse(result, req);
+    } catch (e) {
+      printer_default.warn(`Error in handleListV2Req error: ${String(e)}`);
+      return NewErrorResponseObject({ code: ErrorCode.InternalServerError, message: String(e) });
+    }
+  }
+  handleGetVersionReq(ws, req) {
+    try {
+      const versionResponse = {
+        cli_version: getVersion()
+      };
+      const payload = {
+        command: req.command,
+        requestid: req.requestid,
+        response: JSON.stringify(versionResponse),
+        error: false
+      };
+      ws.send(JSON.stringify(payload));
+    } catch (e) {
+      printer_default.warn(`Error in handleGetVersionReq error: ${String(e)}`);
+      this.sendError(ws, req, String(e));
+    }
+  }
+  wrapResponse(result, req) {
+    if (isErrorResponse(result)) {
+      const errResp = NewErrorResponseObject(result);
+      errResp.command = req.command;
+      errResp.requestid = req.requestid;
+      return errResp;
+    }
+    const finalResult = JSON.parse(JSON.stringify(result));
+    if (Array.isArray(finalResult)) {
+      finalResult.forEach((item) => {
+        if (item?.tunnelconfig) {
+          delete item.tunnelconfig.allowPreflight;
+        }
+      });
+    } else if (finalResult?.tunnelconfig) {
+      delete finalResult.tunnelconfig.allowPreflight;
+    }
+    const respObj = NewResponseObject(finalResult);
+    respObj.command = req.command;
+    respObj.requestid = req.requestid;
+    return respObj;
+  }
+  async handle(ws, req) {
+    const cmd = (req.command || "").toLowerCase();
+    const raw = this.safeParse(req.data);
+    try {
+      let response;
+      switch (cmd) {
+        case WsCommand.Start: {
+          response = await this.handleStartReq(req, raw);
+          break;
+        }
+        case WsCommand.StartV2: {
+          response = await this.handleStartV2Req(req, raw);
+          break;
+        }
+        case WsCommand.Stop: {
+          response = await this.handleStopReq(req, raw);
+          break;
+        }
+        case WsCommand.Get: {
+          response = await this.handleGetReq(req, raw);
+          break;
+        }
+        case WsCommand.Restart: {
+          response = await this.handleRestartReq(req, raw);
+          break;
+        }
+        case WsCommand.UpdateConfig: {
+          response = await this.handleUpdateConfigReq(req, raw);
+          break;
+        }
+        case WsCommand.UpdateConfigV2: {
+          response = await this.handleUpdateConfigV2Req(req, raw);
+          break;
+        }
+        case WsCommand.List: {
+          response = await this.handleListReq(req);
+          break;
+        }
+        case WsCommand.ListV2: {
+          response = await this.handleListV2Req(req);
+          break;
+        }
+        case WsCommand.GetVersion: {
+          this.handleGetVersionReq(ws, req);
+          return;
+        }
+        default:
+          if (typeof req.command === "string") {
+            logger.warn("Unknown command", { command: req.command });
+          }
+          return this.sendError(ws, req, "Invalid command");
+      }
+      logger.debug("Sending response", { command: response.command, requestid: response.requestid });
+      this.sendResponse(ws, response);
+    } catch (e) {
+      if (e instanceof z2.ZodError) {
+        logger.warn("Validation failed", { cmd, issues: e.issues });
+        return this.sendError(ws, req, "Invalid request data", ErrorCode.InvalidBodyFormatError);
+      }
+      logger.error("Error handling command", { cmd, error: errorMessage(e) });
+      return this.sendError(ws, req, errorMessage(e) || "Internal error");
+    }
+  }
+};
+function sendVersionResponse(ws) {
+  const versionResponse = {
+    cli_version: getVersion()
+  };
+  const payload = {
+    command: WsCommand.GetVersion,
+    requestid: "0",
+    response: JSON.stringify(versionResponse),
+    error: false
+  };
+  ws.send(JSON.stringify(payload));
+}
+function handleConnectionStatusMessage(firstMessage) {
+  try {
+    const text = typeof firstMessage === "string" ? firstMessage : firstMessage.toString();
+    const cs = JSON.parse(text);
+    if (!cs.success) {
+      const msg = cs.error_msg || "Connection failed";
+      printer_default.warn(`Connection failed: ${msg}`);
+      logger.warn("Remote management connection failed", { error_code: cs.error_code, error_msg: msg });
+      return false;
+    }
+    return true;
+  } catch (e) {
+    logger.warn("Failed to parse connection status message", { error: String(e) });
+    return true;
+  }
+}
+
+// src/remote_management/remoteManagement.ts
+var RECONNECT_SLEEP_MS = 5e3;
+var PING_INTERVAL_MS = 3e4;
+var RemoteManagementUnauthorizedError = class extends Error {
+  constructor() {
+    super("Unauthorized. Please enter a valid token.");
+    this.name = "RemoteManagementUnauthorizedError";
+  }
+};
+var _remoteManagementState = {
+  status: "NOT_RUNNING",
+  errorMessage: ""
+};
+var _stopRequested = false;
+var currentWs = null;
+function buildRemoteManagementWsUrl(manage) {
+  let baseUrl = (manage || "dashboard.pinggy.io").trim();
+  if (!(baseUrl.startsWith("ws://") || baseUrl.startsWith("wss://"))) {
+    baseUrl = "wss://" + baseUrl;
+  }
+  const trimmed = baseUrl.replace(/\/$/, "");
+  return `${trimmed}/backend/api/v1/remote-management/connect`;
+}
+function extractHostname(u) {
+  try {
+    const url = new URL(u);
+    return url.host;
+  } catch {
+    return u;
+  }
+}
+function sleep(ms) {
+  return new Promise((res) => setTimeout(res, ms));
+}
+async function initiateRemoteManagement(remoteManagementConfig, tunnelHandler) {
+  if (!remoteManagementConfig.apiKey || remoteManagementConfig.apiKey.trim().length === 0) {
+    throw new Error("Remote management token is required (use --remote-management <TOKEN>)");
+  }
+  const wsUrl = remoteManagementConfig.serverUrl;
+  const wsHost = extractHostname(wsUrl);
+  logger.info("Remote management mode enabled.");
+  _stopRequested = false;
+  const sigintHandler = () => {
+    _stopRequested = true;
+  };
+  process.once("SIGINT", sigintHandler);
+  const logConnecting = () => {
+    printer_default.print(`Connecting to ${wsHost}`);
+    logger.info("Connecting to remote management", { wsUrl });
+  };
+  while (!_stopRequested) {
+    logConnecting();
+    setRemoteManagementState({ status: RemoteManagementStatus.Connecting, errorMessage: "" });
+    try {
+      await handleWebSocketConnection(wsUrl, wsHost, remoteManagementConfig.apiKey, void 0, tunnelHandler);
+    } catch (error) {
+      if (error instanceof RemoteManagementUnauthorizedError) {
+        throw error;
+      }
+      logger.warn("Remote management connection error", { error: String(error) });
+    }
+    if (_stopRequested) {
+      break;
+    }
+    printer_default.warn(`Remote management disconnected. Reconnecting in ${RECONNECT_SLEEP_MS / 1e3} seconds...`);
+    logger.info("Reconnecting to remote management after disconnect");
+    await sleep(RECONNECT_SLEEP_MS);
+  }
+  process.removeListener("SIGINT", sigintHandler);
+  logger.info("Remote management stopped.");
+  return getRemoteManagementState();
+}
+async function handleWebSocketConnection(wsUrl, wsHost, token, onOpenCallback, tunnelHandler) {
+  return new Promise((resolve, reject) => {
+    const ws = new WebSocket(wsUrl, {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    currentWs = ws;
+    let heartbeat = null;
+    let firstMessage = true;
+    let settled = false;
+    const cleanup = (err) => {
+      if (settled) {
+        return;
+      }
+      settled = true;
+      if (heartbeat) {
+        clearInterval(heartbeat);
+      }
+      currentWs = null;
+      if (err) {
+        reject(err);
+      } else {
+        resolve();
+      }
+    };
+    ws.once("open", () => {
+      printer_default.success(`Connected to ${wsHost}`);
+      setRemoteManagementState({ status: RemoteManagementStatus.Running, errorMessage: "" });
+      onOpenCallback?.();
+      heartbeat = setInterval(() => {
+        if (ws.readyState === WebSocket.OPEN) ws.ping();
+      }, PING_INTERVAL_MS);
+    });
+    ws.on("ping", () => ws.pong());
+    ws.on("message", async (data) => {
+      try {
+        if (firstMessage) {
+          firstMessage = false;
+          const ok = handleConnectionStatusMessage(data);
+          if (!ok) {
+            ws.close();
+            return;
+          }
+          sendVersionResponse(ws);
+          return;
+        }
+        setRemoteManagementState({ status: RemoteManagementStatus.Running, errorMessage: "" });
+        const req = JSON.parse(data.toString("utf8"));
+        await new WebSocketCommandHandler(tunnelHandler).handle(ws, req);
+      } catch (e) {
+        logger.warn("Failed handling websocket message", { error: String(e) });
+      }
+    });
+    ws.on("unexpected-response", (_, res) => {
+      if (res.statusCode === 401) {
+        setRemoteManagementState({ status: RemoteManagementStatus.NotRunning, errorMessage: `HTTP ${res.statusCode}` });
+        logger.error("Unauthorized (401) on remote management connect");
+        cleanup(new RemoteManagementUnauthorizedError());
+        ws.close();
+      } else {
+        logger.warn("Unexpected HTTP response ", { statusCode: res.statusCode });
+        printer_default.warn(`Unexpected HTTP ${res.statusCode}. Retrying...`);
+        cleanup();
+        ws.close();
+      }
+    });
+    ws.on("close", (code, reason) => {
+      setRemoteManagementState({ status: RemoteManagementStatus.NotRunning, errorMessage: "" });
+      logger.info("WebSocket closed", { code, reason: reason.toString() });
+      printer_default.warn(`Disconnected (code: ${code}). Retrying in ${RECONNECT_SLEEP_MS / 1e3}s...`);
+      cleanup();
+    });
+    ws.on("error", (err) => {
+      setRemoteManagementState({ status: RemoteManagementStatus.Error, errorMessage: err.message });
+      logger.warn("WebSocket error", { error: err.message });
+      printer_default.warn(err.message);
+      cleanup();
+    });
+  });
+}
+async function closeRemoteManagement(timeoutMs = 1e4) {
+  _stopRequested = true;
+  try {
+    if (currentWs) {
+      try {
+        setRemoteManagementState({ status: RemoteManagementStatus.Disconnecting, errorMessage: "" });
+        currentWs.close();
+      } catch (e) {
+        logger.warn("Error while closing current remote management websocket", { error: String(e) });
+      }
+    }
+    const start = Date.now();
+    while (_remoteManagementState.status === "RUNNING") {
+      if (Date.now() - start > timeoutMs) {
+        logger.warn("Timed out waiting for remote management to stop");
+        break;
+      }
+      await sleep(200);
+    }
+  } finally {
+    currentWs = null;
+    setRemoteManagementState({ status: RemoteManagementStatus.NotRunning, errorMessage: "" });
+    return getRemoteManagementState();
+  }
+}
+function startRemoteManagement(remoteManagementConfig, tunnelHandler) {
+  if (!remoteManagementConfig.apiKey || remoteManagementConfig.apiKey.trim().length === 0) {
+    return Promise.reject(new Error("Remote management token is required"));
+  }
+  const wsUrl = remoteManagementConfig.serverUrl;
+  const wsHost = extractHostname(wsUrl);
+  logger.info("Remote management mode enabled.");
+  _stopRequested = false;
+  return new Promise((resolve, reject) => {
+    let firstSettled = false;
+    const settleOnce = (err) => {
+      if (firstSettled) {
+        return;
+      }
+      firstSettled = true;
+      if (err) {
+        reject(err);
+      } else {
+        resolve(getRemoteManagementState());
+      }
+    };
+    const runLoop = async () => {
+      const sigintHandler = () => {
+        _stopRequested = true;
+      };
+      process.once("SIGINT", sigintHandler);
+      while (!_stopRequested) {
+        logger.info("Connecting to remote management", { wsUrl });
+        setRemoteManagementState({ status: RemoteManagementStatus.Connecting, errorMessage: "" });
+        try {
+          await handleWebSocketConnection(wsUrl, wsHost, remoteManagementConfig.apiKey, () => settleOnce(), tunnelHandler);
+        } catch (error) {
+          if (error instanceof RemoteManagementUnauthorizedError) {
+            settleOnce(error);
+            process.removeListener("SIGINT", sigintHandler);
+            return;
+          }
+          settleOnce();
+          logger.warn("Remote management connection error", { error: String(error) });
+        }
+        if (_stopRequested) {
+          break;
+        }
+        logger.info("Reconnecting to remote management after disconnect");
+        await sleep(RECONNECT_SLEEP_MS);
+      }
+      process.removeListener("SIGINT", sigintHandler);
+      logger.info("Remote management stopped.");
+    };
+    runLoop().catch((err) => settleOnce(err instanceof Error ? err : new Error(String(err))));
+  });
+}
+function getRemoteManagementState() {
+  return _remoteManagementState;
+}
+function setRemoteManagementState(state, errorMessage2) {
+  _remoteManagementState = {
+    status: state.status,
+    errorMessage: errorMessage2 || ""
+  };
+}
+
+// src/daemon/lifecycle/daemonManager.ts
+import os from "os";
+import fs from "fs";
+import { spawn } from "child_process";
+var inProcessHandle = null;
+var DAEMON_SPAWN_TIMEOUT_MS = 8e3;
+var DAEMON_POLL_INTERVAL_MS = 200;
+function isProcessAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function getDaemonInfo() {
+  const infoPath = getDaemonInfoPath();
+  if (!fs.existsSync(infoPath)) return null;
+  try {
+    const data = JSON.parse(fs.readFileSync(infoPath, "utf-8"));
+    if (!data.pid || !data.port) return null;
+    if (!isProcessAlive(data.pid)) {
+      logger.info("Stale daemon.json found, cleaning up", { stalePid: data.pid });
+      try {
+        fs.unlinkSync(infoPath);
+      } catch {
+      }
+      return null;
+    }
+    return data;
+  } catch {
+    return null;
+  }
+}
+function isDaemonRunning() {
+  return getDaemonInfo() !== null;
+}
+function getDaemonSpawnArgs() {
+  return {
+    command: process.execPath,
+    args: [process.argv[1], "--_daemon-child"],
+    env: { ...process.env }
+  };
+}
+async function startDaemon() {
+  const existing = getDaemonInfo();
+  if (existing) {
+    return existing;
+  }
+  const { command, args, env } = getDaemonSpawnArgs();
+  logger.info("Spawning daemon child", { command, args });
+  let stderrOutput = "";
+  let exited = false;
+  let exitCode = null;
+  const child = spawn(command, args, {
+    detached: true,
+    stdio: ["ignore", "ignore", "pipe"],
+    env,
+    ...os.platform() === "win32" ? { windowsHide: true } : {}
+  });
+  child.stderr?.on("data", (chunk) => {
+    stderrOutput += chunk.toString("utf-8");
+  });
+  child.on("exit", (code) => {
+    exited = true;
+    exitCode = code;
+  });
+  child.unref();
+  const info = await pollForDaemonInfo(DAEMON_SPAWN_TIMEOUT_MS, () => exited);
+  if (!info) {
+    const logPath = getDaemonLogPath();
+    if (exited) {
+      const detail = stderrOutput.trim() || `Check ${logPath} for details.`;
+      throw new Error(`Daemon child exited with code ${exitCode}. ${detail}`);
+    }
+    throw new Error(`Daemon failed to start within timeout. Check ${logPath} for details.`);
+  }
+  child.stderr?.removeAllListeners();
+  child.stderr?.destroy();
+  return info;
+}
+async function ensureDaemonRunning() {
+  const existing = getDaemonInfo();
+  if (existing) return existing;
+  if (process.versions.electron) {
+    const { runDaemonChild } = await import("./daemonChild-E2CORSSB.js");
+    const handle = await runDaemonChild({
+      installSignalHandlers: false,
+      exitOnFailure: false
+    });
+    inProcessHandle = handle;
+    return getDaemonInfo() ?? {
+      pid: handle.pid,
+      port: handle.port,
+      startedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+  }
+  return startDaemon();
+}
+function getInProcessDaemonHandle() {
+  return inProcessHandle;
+}
+async function getActiveTunnelSummaries(origin = "app") {
+  const info = getDaemonInfo();
+  if (!info) return [];
+  const { IPCClient: IPCClient2 } = await import("./ipcClient-LZQCCNMR.js");
+  const client = new IPCClient2(info.port, origin);
+  let tunnels;
+  try {
+    tunnels = await client.listTunnels();
+  } catch (err) {
+    logger.warn("Failed to list tunnels from daemon", { error: errorMessage(err) });
+    return [];
+  }
+  if (!Array.isArray(tunnels)) return [];
+  return tunnels.filter((t) => {
+    const state = t?.status?.state;
+    return state !== "closed" /* Closed */ && state !== "exited" /* Exited */;
+  }).map((t) => ({
+    tunnelId: t.tunnelid,
+    name: t.tunnelconfig?.name || t.tunnelid.slice(0, 8),
+    localAddress: getLocalAddress(t.tunnelconfig),
+    urls: t.remoteurls ?? []
+  }));
+}
+function pollForDaemonInfo(timeoutMs, hasExited) {
+  return new Promise((resolve) => {
+    const start = Date.now();
+    const check = () => {
+      const info = getDaemonInfo();
+      if (info) {
+        resolve(info);
+        return;
+      }
+      if (hasExited?.()) {
+        resolve(null);
+        return;
+      }
+      if (Date.now() - start > timeoutMs) {
+        resolve(null);
+        return;
+      }
+      setTimeout(check, DAEMON_POLL_INTERVAL_MS);
+    };
+    check();
+  });
+}
+async function stopDaemon() {
+  const info = getDaemonInfo();
+  if (!info) return { ok: false, error: "No daemon is running." };
+  let daemonErrors = [];
+  try {
+    const { IPCClient: IPCClient2 } = await import("./ipcClient-LZQCCNMR.js");
+    const client = new IPCClient2(info.port);
+    const result = await client.shutdown();
+    logger.debug("Sent shutdown command to daemon", { result });
+    if (Array.isArray(result?.errors)) daemonErrors = result.errors;
+  } catch (e) {
+    return { ok: false, error: `Failed to reach daemon: ${errorMessage(e)}` };
+  }
+  const exited = await waitForExit(info.pid, 5e3);
+  if (!exited) {
+    const detail = daemonErrors.length > 0 ? ` Daemon reported: ${daemonErrors.join("; ")}` : "";
+    return { ok: false, error: `Daemon PID ${info.pid} did not exit within 5s.${detail}` };
+  }
+  if (daemonErrors.length > 0) {
+    return { ok: false, error: `Daemon exited but reported errors: ${daemonErrors.join("; ")}` };
+  }
+  return { ok: true };
+}
+async function waitForExit(pid, timeoutMs) {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    if (!isProcessAlive(pid)) return true;
+    await new Promise((r) => setTimeout(r, 100));
+  }
+  return !isProcessAlive(pid);
+}
+
+// src/daemon/ws/wsStream.ts
+import { WebSocket as WebSocket2 } from "ws";
+var WS_NORMAL_CLOSE = 1e3;
+var WsStream = class {
+  constructor(getWsUrl) {
+    this.getWsUrl = getWsUrl;
+    this.ws = null;
+    this.wsReady = null;
+    this.wsResolve = null;
+    this.subscribedTunnels = /* @__PURE__ */ new Map();
+    this.callbacks = {
+      stats: [],
+      disconnect: [],
+      reconnecting: [],
+      reconnected: [],
+      reconnection_failed: [],
+      error: [],
+      url_ready: [],
+      worker_error: [],
+      will_reconnect: [],
+      stopped: []
+    };
+    this.openListeners = [];
+    this.closeListeners = [];
+  }
+  // Lifecycle
+  async ensureOpen() {
+    if (this.ws && this.ws.readyState === WebSocket2.OPEN) return;
+    this.wsReady = new Promise((resolve) => {
+      this.wsResolve = resolve;
+    });
+    this.ws = new WebSocket2(this.getWsUrl());
+    this.ws.on("open", () => {
+      if (this.wsResolve) {
+        this.wsResolve();
+        this.wsResolve = null;
+      }
+      for (const cb of this.openListeners) {
+        try {
+          cb();
+        } catch (err) {
+          logger.debug("WsStream open listener threw", { error: errorMessage(err) });
+        }
+      }
+    });
+    this.ws.on("message", (data) => this.handleMessage(data.toString()));
+    this.ws.on("close", (code) => {
+      this.ws = null;
+      this.wsReady = null;
+      this.wsResolve = null;
+      for (const cb of this.closeListeners) {
+        try {
+          cb(code);
+        } catch (err) {
+          logger.debug("WsStream close listener threw", { error: errorMessage(err) });
+        }
+      }
+    });
+    this.ws.on("error", (err) => {
+      logger.debug("WsStream WS error", { error: errorMessage(err) });
+    });
+    await this.wsReady;
+  }
+  /** Send a normal close (1000). Use for user-initiated shutdown. */
+  closeNormally() {
+    if (!this.ws) return;
+    try {
+      this.ws.close(WS_NORMAL_CLOSE, "Client closing");
+    } catch {
+    }
+    this.ws = null;
+    this.wsReady = null;
+    this.wsResolve = null;
+    this.subscribedTunnels.clear();
+  }
+  /** Hard kill the socket. Use when daemon is known dead. */
+  terminate() {
+    if (!this.ws) return;
+    try {
+      this.ws.terminate();
+    } catch {
+    }
+    this.ws = null;
+    this.wsReady = null;
+    this.wsResolve = null;
+    this.subscribedTunnels.clear();
+  }
+  isOpen() {
+    return !!this.ws && this.ws.readyState === WebSocket2.OPEN;
+  }
+  // Subscriptions
+  async subscribe(tunnelId, mode = SessionMode.Foreground) {
+    await this.ensureOpen();
+    if (this.subscribedTunnels.has(tunnelId)) return;
+    const msg = { type: "subscribe", tunnelId, mode };
+    this.ws.send(JSON.stringify(msg));
+    this.subscribedTunnels.set(tunnelId, { mode });
+  }
+  /**
+   * Remove the local subscription. Sends an unsubscribe frame if the socket
+   * is still open; if not, the daemon cleans up server-side when the session
+   * closes. Returns true if the caller had this subscription.
+   */
+  unsubscribe(tunnelId) {
+    const wasSubscribed = this.subscribedTunnels.delete(tunnelId);
+    if (!wasSubscribed) return false;
+    if (this.ws && this.ws.readyState === WebSocket2.OPEN) {
+      try {
+        const msg = { type: "unsubscribe", tunnelId };
+        this.ws.send(JSON.stringify(msg));
+      } catch {
+      }
+    }
+    return true;
+  }
+  hasSubscriptions() {
+    return this.subscribedTunnels.size > 0;
+  }
+  subscriptionCount() {
+    return this.subscribedTunnels.size;
+  }
+  /** Snapshot of current subscriptions, for the reconnect path to replay. */
+  snapshotSubscriptions() {
+    return Array.from(this.subscribedTunnels.entries());
+  }
+  /**
+   * Re-open the WS (fresh socket) and re-subscribe a previously captured set.
+   * Clears existing state first so ensureOpen builds a new connection.
+   */
+  async restoreSubscriptions(snapshot) {
+    this.subscribedTunnels.clear();
+    this.ws = null;
+    this.wsReady = null;
+    this.wsResolve = null;
+    await this.ensureOpen();
+    for (const [tunnelId, info] of snapshot) {
+      const msg = { type: "subscribe", tunnelId, mode: info.mode };
+      this.ws.send(JSON.stringify(msg));
+      this.subscribedTunnels.set(tunnelId, info);
+    }
+  }
+  // Event registration
+  onOpen(cb) {
+    this.openListeners.push(cb);
+  }
+  onClose(cb) {
+    this.closeListeners.push(cb);
+  }
+  onStats(cb) {
+    this.callbacks.stats.push(cb);
+  }
+  onDisconnect(cb) {
+    this.callbacks.disconnect.push(cb);
+  }
+  onReconnecting(cb) {
+    this.callbacks.reconnecting.push(cb);
+  }
+  onReconnected(cb) {
+    this.callbacks.reconnected.push(cb);
+  }
+  onReconnectionFailed(cb) {
+    this.callbacks.reconnection_failed.push(cb);
+  }
+  onError(cb) {
+    this.callbacks.error.push(cb);
+  }
+  onUrlReady(cb) {
+    this.callbacks.url_ready.push(cb);
+  }
+  onWorkerError(cb) {
+    this.callbacks.worker_error.push(cb);
+  }
+  onWillReconnect(cb) {
+    this.callbacks.will_reconnect.push(cb);
+  }
+  onStopped(cb) {
+    this.callbacks.stopped.push(cb);
+  }
+  // Private
+  handleMessage(raw) {
+    let msg;
+    try {
+      msg = JSON.parse(raw);
+    } catch {
+      return;
+    }
+    if (msg.type !== "tunnel_event") return;
+    const { tunnelId, event, payload } = msg;
+    switch (event) {
+      case "stats":
+        for (const cb of this.callbacks.stats) cb(tunnelId, payload.stats);
+        break;
+      case "disconnect": {
+        const p = payload;
+        for (const cb of this.callbacks.disconnect) cb(tunnelId, p.error, p.messages);
+        break;
+      }
+      case "reconnecting":
+        for (const cb of this.callbacks.reconnecting) cb(tunnelId, payload.retryCnt);
+        break;
+      case "reconnected":
+        for (const cb of this.callbacks.reconnected) cb(tunnelId, payload.urls);
+        break;
+      case "reconnection_failed":
+        for (const cb of this.callbacks.reconnection_failed) cb(tunnelId, payload.retryCnt);
+        break;
+      case "error": {
+        const p = payload;
+        for (const cb of this.callbacks.error) cb(tunnelId, p.message, p.isFatal);
+        break;
+      }
+      case "url_ready":
+        for (const cb of this.callbacks.url_ready) cb(tunnelId, payload.urls);
+        break;
+      case "worker_error":
+        for (const cb of this.callbacks.worker_error) cb(tunnelId, payload.message);
+        break;
+      case "will_reconnect": {
+        const p = payload;
+        for (const cb of this.callbacks.will_reconnect) cb(tunnelId, p.error, p.messages);
+        break;
+      }
+      case "stopped":
+        for (const cb of this.callbacks.stopped) cb(tunnelId);
+        break;
+    }
+  }
+};
+
+// src/daemon/daemonHealth.ts
+var RECONNECT_ATTEMPTS = 3;
+var RECONNECT_INTERVAL_MS = 1e3;
+var HEARTBEAT_INTERVAL_MS = 5e3;
+var HEARTBEAT_TIMEOUT_MS = 2e3;
+var HEARTBEAT_FAILURE_THRESHOLD = 2;
+var sleep2 = (ms) => new Promise((r) => setTimeout(r, ms));
+var DaemonHealth = class {
+  constructor(getIpc, stream) {
+    this.getIpc = getIpc;
+    this.stream = stream;
+    this.originalPid = null;
+    this.lost = false;
+    this.reconnecting = false;
+    this.heartbeatTimer = null;
+    this.lostCallbacks = [];
+    this.reconnectingCallbacks = [];
+    this.reconnectedCallbacks = [];
+    this.stream.onOpen(() => this.startHeartbeat());
+    this.stream.onClose((code) => {
+      this.stopHeartbeat();
+      if (code === WS_NORMAL_CLOSE) return;
+      if (this.lost || this.reconnecting) return;
+      if (!this.stream.hasSubscriptions()) return;
+      this.reconnecting = true;
+      this.attemptReconnect().catch((err) => logger.debug("Reconnect loop threw", { error: err?.message })).finally(() => {
+        this.reconnecting = false;
+      });
+    });
+  }
+  bindPid(pid) {
+    this.originalPid = pid;
+  }
+  isLost() {
+    return this.lost;
+  }
+  onLost(cb) {
+    this.lostCallbacks.push(cb);
+  }
+  onReconnecting(cb) {
+    this.reconnectingCallbacks.push(cb);
+  }
+  onReconnected(cb) {
+    this.reconnectedCallbacks.push(cb);
+  }
+  startHeartbeat() {
+    this.stopHeartbeat();
+    let consecutiveFailures = 0;
+    this.heartbeatTimer = setInterval(async () => {
+      if (this.lost || this.reconnecting) return;
+      const ipc = this.getIpc();
+      if (!ipc) return;
+      try {
+        await ipc.ping(HEARTBEAT_TIMEOUT_MS);
+        consecutiveFailures = 0;
+      } catch (err) {
+        consecutiveFailures += 1;
+        if (consecutiveFailures >= HEARTBEAT_FAILURE_THRESHOLD) {
+          this.triggerLost("heartbeat", errorMessage(err));
+        }
+      }
+    }, HEARTBEAT_INTERVAL_MS);
+  }
+  stopHeartbeat() {
+    if (this.heartbeatTimer) {
+      clearInterval(this.heartbeatTimer);
+      this.heartbeatTimer = null;
+    }
+  }
+  async attemptReconnect() {
+    const snapshot = this.stream.snapshotSubscriptions();
+    for (let attempt = 1; attempt <= RECONNECT_ATTEMPTS; attempt++) {
+      for (const cb of this.reconnectingCallbacks) {
+        try {
+          cb(attempt, RECONNECT_ATTEMPTS);
+        } catch {
+        }
+      }
+      await sleep2(RECONNECT_INTERVAL_MS);
+      if (this.lost) return;
+      const info = getDaemonInfo();
+      if (!info) {
+        this.triggerLost("dead");
+        return;
+      }
+      if (info.pid !== this.originalPid) {
+        this.triggerLost("respawned", `was pid ${this.originalPid}, now pid ${info.pid}`);
+        return;
+      }
+      try {
+        const ipc = this.getIpc();
+        if (!ipc) throw new Error("IPC client missing");
+        await ipc.ping(HEARTBEAT_TIMEOUT_MS);
+        await this.stream.restoreSubscriptions(snapshot);
+        for (const cb of this.reconnectedCallbacks) {
+          try {
+            cb();
+          } catch {
+          }
+        }
+        return;
+      } catch (err) {
+        logger.debug("Reconnect attempt failed", { attempt, error: errorMessage(err) });
+      }
+    }
+    this.triggerLost("hung");
+  }
+  triggerLost(reason, detail) {
+    if (this.lost) return;
+    this.lost = true;
+    this.stopHeartbeat();
+    this.stream.terminate();
+    for (const cb of this.lostCallbacks) {
+      try {
+        cb(reason, detail);
+      } catch (err) {
+        logger.debug("daemon-lost callback threw", { error: errorMessage(err) });
+      }
+    }
+  }
+};
+
+// src/daemon/tunnelClient.ts
+var TunnelClient = class _TunnelClient {
+  constructor(options = {}) {
+    this.ipc = null;
+    this.origin = options.origin ?? "cli";
+    this.stream = new WsStream(() => {
+      if (!this.ipc) throw new Error("TunnelClient not initialized. Call ensureDaemon() first.");
+      return this.ipc.getWsUrl();
+    });
+    this.health = new DaemonHealth(() => this.ipc, this.stream);
+  }
+  async ensureDaemon() {
+    const info = await ensureDaemonRunning();
+    this.ipc = new IPCClient(info.port, this.origin);
+    this.health.bindPid(info.pid);
+  }
+  static async forRemoteManagement() {
+    const client = new _TunnelClient({ origin: "remote" });
+    await client.ensureDaemon();
+    client.health.startHeartbeat();
+    return client;
+  }
+  /**
+   * Close the WebSocket connection and cleanup.
+   */
+  close() {
+    this.health.stopHeartbeat();
+    this.stream.closeNormally();
+  }
+  async ping() {
+    this.assertClient();
+    return this.ipc.ping();
+  }
+  // Tunnel Operations (HTTP)
+  // Callers construct config from SDK shapes (FinalConfig) that are
+  // structurally compatible with the zod-derived wire type but not nominally
+  // identical. Accept the SDK shape and cast at the IPC boundary.
+  async handleStartV2(config, noWait, mode) {
+    this.assertClient();
+    return this.ipc.startTunnelWithConfig(config, mode ?? SessionMode.Detached, noWait);
+  }
+  async handleStart(config, noWait, mode) {
+    this.assertClient();
+    return this.ipc.startTunnelV1(config, mode ?? SessionMode.Detached, noWait);
+  }
+  async handleUpdateConfig(config, noWait) {
+    this.assertClient();
+    return this.ipc.updateConfig(config, noWait);
+  }
+  async handleUpdateConfigV2(config, noWait) {
+    this.assertClient();
+    return this.ipc.updateConfigV2(config, noWait);
+  }
+  async handleStop(tunnelId) {
+    this.assertClient();
+    return this.ipc.stopTunnel(tunnelId);
+  }
+  async handleListV2() {
+    this.assertClient();
+    return this.ipc.listTunnels();
+  }
+  async handleList() {
+    this.assertClient();
+    return this.ipc.listTunnelsV1();
+  }
+  handleRemoveStoppedTunnelByTunnelId(tunnelId) {
+    this.assertClient();
+    void this.ipc.removeStoppedTunnel({ tunnelid: tunnelId });
+    return true;
+  }
+  handleRemoveStoppedTunnelByConfigId(configId) {
+    this.assertClient();
+    void this.ipc.removeStoppedTunnel({ configId });
+    return true;
+  }
+  async handleGet(tunnelId) {
+    this.assertClient();
+    return this.ipc.getTunnel(tunnelId);
+  }
+  async handleRestart(tunnelId) {
+    this.assertClient();
+    return this.ipc.restartTunnel(tunnelId);
+  }
+  async shutdown() {
+    this.assertClient();
+    await this.ipc.shutdown();
+    this.close();
+  }
+  async getLogLevel() {
+    this.assertClient();
+    const res = await this.ipc.getLogLevel();
+    return res.level;
+  }
+  async setLogLevel(level) {
+    this.assertClient();
+    await this.ipc.setLogLevel(level);
+  }
+  async getTunnelLogging() {
+    this.assertClient();
+    const res = await this.ipc.getTunnelLogging();
+    return res.enabled;
+  }
+  async setTunnelLogging(enabled) {
+    this.assertClient();
+    await this.ipc.setTunnelLogging(enabled);
+  }
+  async getLogPaths() {
+    this.assertClient();
+    return await this.ipc.getLogPaths();
+  }
+  async resolveLogPath(q) {
+    this.assertClient();
+    return await this.ipc.resolveLogPath(q);
+  }
+  async restart(tunnelId) {
+    this.assertClient();
+    await this.ipc.restartTunnel(tunnelId);
+  }
+  // Streaming — delegate to WsStream, guarded by daemon-lost
+  async attach(tunnelId, mode = SessionMode.Foreground) {
+    if (this.health.isLost()) return;
+    await this.stream.subscribe(tunnelId, mode);
+  }
+  detach(tunnelId) {
+    const wasSubscribed = this.stream.unsubscribe(tunnelId);
+    if (!wasSubscribed) return;
+    if (!this.stream.hasSubscriptions()) this.close();
+  }
+  // Event registration — delegate to WsStream
+  onStats(cb) {
+    this.stream.onStats(cb);
+  }
+  onDisconnect(cb) {
+    this.stream.onDisconnect(cb);
+  }
+  onReconnecting(cb) {
+    this.stream.onReconnecting(cb);
+  }
+  onReconnected(cb) {
+    this.stream.onReconnected(cb);
+  }
+  onReconnectionFailed(cb) {
+    this.stream.onReconnectionFailed(cb);
+  }
+  onError(cb) {
+    this.stream.onError(cb);
+  }
+  onUrlReady(cb) {
+    this.stream.onUrlReady(cb);
+  }
+  onWorkerError(cb) {
+    this.stream.onWorkerError(cb);
+  }
+  onWillReconnect(cb) {
+    this.stream.onWillReconnect(cb);
+  }
+  onStopped(cb) {
+    this.stream.onStopped(cb);
+  }
+  // Daemon-loss events — delegate to DaemonHealth
+  onDaemonLost(cb) {
+    this.health.onLost(cb);
+  }
+  onDaemonReconnecting(cb) {
+    this.health.onReconnecting(cb);
+  }
+  onDaemonReconnected(cb) {
+    this.health.onReconnected(cb);
+  }
+  isDaemonLost() {
+    return this.health.isLost();
+  }
+  // App-compat shims (register listener + auto-attach in detached mode)
+  handleRegisterStatsListener(tunnelId, listener) {
+    this.onStats(listener);
+    this.attach(tunnelId, "detached").catch(() => {
+    });
+  }
+  handleRegisterDisconnectListener(tunnelId, listener) {
+    this.onDisconnect(listener);
+    this.attach(tunnelId, "detached").catch(() => {
+    });
+  }
+  handleUnregisterStatsListener(_tunnelId, _listenerId) {
+  }
+  async handleGetTunnelStats(tunnelId) {
+    this.assertClient();
+    return this.ipc.getTunnelStats(tunnelId);
+  }
+  // Private
+  assertClient() {
+    if (!this.ipc) {
+      throw new Error("TunnelClient not initialized. Call ensureDaemon() first.");
+    }
+  }
+};
+
+export {
+  TunnelStateType,
+  TunnelErrorCodeType,
+  TunnelWarningCode,
+  ErrorCode,
+  isErrorResponse,
+  TunnelOperations,
+  RemoteManagementUnauthorizedError,
+  buildRemoteManagementWsUrl,
+  initiateRemoteManagement,
+  closeRemoteManagement,
+  startRemoteManagement,
+  getRemoteManagementState,
+  getDaemonInfo,
+  isDaemonRunning,
+  startDaemon,
+  ensureDaemonRunning,
+  getInProcessDaemonHandle,
+  getActiveTunnelSummaries,
+  stopDaemon,
+  TunnelClient
+};