reley 0.1.0

package/dist/index.js

@@ -0,0 +1,2750 @@
+#!/usr/bin/env node
+var __defProp = Object.defineProperty;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __esm = (fn, res) => function __init() {
+  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+
+// src/config.ts
+var config_exports = {};
+__export(config_exports, {
+  clearConfig: () => clearConfig,
+  getConfigDir: () => getConfigDir,
+  getConfigPath: () => getConfigPath,
+  isConfigured: () => isConfigured,
+  loadConfig: () => loadConfig,
+  saveConfig: () => saveConfig
+});
+import { existsSync, readFileSync, writeFileSync, mkdirSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+function getConfigDir() {
+  return CONFIG_DIR;
+}
+function getConfigPath() {
+  return CONFIG_FILE;
+}
+function loadConfig() {
+  try {
+    if (!existsSync(CONFIG_FILE)) return null;
+    const raw = readFileSync(CONFIG_FILE, "utf-8");
+    return JSON.parse(raw);
+  } catch {
+    return null;
+  }
+}
+function saveConfig(config) {
+  mkdirSync(CONFIG_DIR, { recursive: true });
+  writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + "\n", "utf-8");
+}
+function clearConfig() {
+  try {
+    if (existsSync(CONFIG_FILE)) {
+      writeFileSync(CONFIG_FILE, "{}\n", "utf-8");
+    }
+  } catch {
+  }
+}
+function isConfigured() {
+  const config = loadConfig();
+  return !!(config?.reley_url && config?.device_token);
+}
+var CONFIG_DIR, CONFIG_FILE;
+var init_config = __esm({
+  "src/config.ts"() {
+    "use strict";
+    CONFIG_DIR = join(homedir(), ".reley");
+    CONFIG_FILE = join(CONFIG_DIR, "config.json");
+  }
+});
+
+// src/index.ts
+import { Command } from "commander";
+
+// src/commands/run.ts
+import { createServer as createHttpServer } from "node:http";
+import { createServer as createNetServer } from "node:net";
+import { fork } from "node:child_process";
+import { existsSync as existsSync2, readFileSync as readFileSync2, writeFileSync as writeFileSync2, unlinkSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { dirname, join as join2 } from "node:path";
+import { homedir as homedir2 } from "node:os";
+import crypto from "node:crypto";
+import WebSocket, { WebSocketServer } from "ws";
+import { spawn } from "node-pty";
+
+// ../../packages/crypto/dist/sodium.js
+import { createRequire } from "node:module";
+var require2 = createRequire(import.meta.url);
+var sodium = require2("libsodium-wrappers-sumo");
+var sodium_default = sodium;
+
+// ../../packages/crypto/dist/keys.js
+var initialized = false;
+async function ensureSodium() {
+  if (!initialized) {
+    await sodium_default.ready;
+    initialized = true;
+  }
+  return sodium_default;
+}
+async function generateIdentityKeyPair() {
+  const s = await ensureSodium();
+  const kp = s.crypto_sign_keypair();
+  return {
+    publicKey: kp.publicKey,
+    secretKey: kp.privateKey,
+    keyType: "ed25519"
+  };
+}
+async function generateEphemeralKeyPair() {
+  const s = await ensureSodium();
+  const kp = s.crypto_kx_keypair();
+  return {
+    publicKey: kp.publicKey,
+    secretKey: kp.privateKey,
+    keyType: "x25519"
+  };
+}
+async function generateOneTimeCode(length = 32) {
+  const s = await ensureSodium();
+  return s.randombytes_buf(length);
+}
+
+// ../../packages/crypto/dist/ecdh.js
+async function computeSharedSecret(ourSecretKey, theirPublicKey) {
+  const s = await ensureSodium();
+  return s.crypto_scalarmult(ourSecretKey, theirPublicKey);
+}
+
+// ../../packages/crypto/dist/hkdf.js
+var HKDF_HASH_LEN = 32;
+async function hkdfExtract(salt, ikm) {
+  const s = await ensureSodium();
+  const key = salt.length > 0 ? salt : new Uint8Array(HKDF_HASH_LEN);
+  return s.crypto_auth_hmacsha256(ikm, key);
+}
+async function hkdfExpand(prk, info, length) {
+  const s = await ensureSodium();
+  const n = Math.ceil(length / HKDF_HASH_LEN);
+  const okm = new Uint8Array(n * HKDF_HASH_LEN);
+  let prev = new Uint8Array(0);
+  for (let i = 1; i <= n; i++) {
+    const input = new Uint8Array(prev.length + info.length + 1);
+    input.set(prev, 0);
+    input.set(info, prev.length);
+    input[prev.length + info.length] = i;
+    prev = new Uint8Array(s.crypto_auth_hmacsha256(input, prk));
+    okm.set(prev, (i - 1) * HKDF_HASH_LEN);
+  }
+  return okm.slice(0, length);
+}
+async function deriveSessionKeys(sharedSecret, salt = new Uint8Array(0), info = "reley-v1") {
+  const infoBytes = new TextEncoder().encode(info);
+  const prk = await hkdfExtract(salt, sharedSecret);
+  const okm = await hkdfExpand(prk, infoBytes, 64);
+  return {
+    sendKey: okm.slice(0, 32),
+    recvKey: okm.slice(32, 64)
+  };
+}
+async function deriveChainKey(chainKey, info = "reley-chain") {
+  const s = await ensureSodium();
+  const msgKeyInput = new TextEncoder().encode(info + "-msg");
+  const chainKeyInput = new TextEncoder().encode(info + "-chain");
+  const messageKey = s.crypto_auth_hmacsha256(msgKeyInput, chainKey);
+  const nextChainKey = s.crypto_auth_hmacsha256(chainKeyInput, chainKey);
+  return { messageKey, nextChainKey };
+}
+
+// ../../packages/crypto/dist/aes-gcm.js
+var NONCE_LENGTH = 12;
+var KEY_LENGTH = 32;
+async function encrypt(plaintext, key, aad = new Uint8Array(0)) {
+  const s = await ensureSodium();
+  if (key.length !== KEY_LENGTH) {
+    throw new Error(`Key must be ${KEY_LENGTH} bytes, got ${key.length}`);
+  }
+  const nonce = s.randombytes_buf(NONCE_LENGTH);
+  const ciphertext = s.crypto_aead_xchacha20poly1305_ietf_encrypt(
+    plaintext,
+    aad.length > 0 ? aad : null,
+    null,
+    // nsec (unused)
+    // xchacha uses 24-byte nonce, pad our 12-byte nonce
+    padNonce(nonce, s),
+    key
+  );
+  return { nonce, ciphertext };
+}
+async function decrypt(ciphertext, nonce, key, aad = new Uint8Array(0)) {
+  const s = await ensureSodium();
+  if (key.length !== KEY_LENGTH) {
+    throw new Error(`Key must be ${KEY_LENGTH} bytes, got ${key.length}`);
+  }
+  try {
+    return s.crypto_aead_xchacha20poly1305_ietf_decrypt(
+      null,
+      // nsec (unused)
+      ciphertext,
+      aad.length > 0 ? aad : null,
+      padNonce(nonce, s),
+      key
+    );
+  } catch {
+    throw new Error("Decryption failed: invalid ciphertext or key");
+  }
+}
+function padNonce(nonce, s) {
+  const padded = new Uint8Array(s.crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
+  padded.set(nonce, 0);
+  return padded;
+}
+
+// ../../packages/crypto/dist/ratchet.js
+var KEY_ROTATION_INTERVAL = 50;
+function initRatchet(sendKey, recvKey) {
+  return {
+    sendChainKey: sendKey,
+    recvChainKey: recvKey,
+    sendCounter: 0,
+    recvCounter: 0,
+    maxRecvCounter: -1
+  };
+}
+async function ratchetEncrypt(state, plaintext) {
+  const { messageKey, nextChainKey } = await deriveChainKey(state.sendChainKey);
+  const counter = state.sendCounter;
+  const aad = buildAAD(1, counter);
+  const { nonce, ciphertext } = await encrypt(plaintext, messageKey, aad);
+  const newState = {
+    ...state,
+    sendChainKey: nextChainKey,
+    sendCounter: counter + 1
+  };
+  return { ciphertext, nonce, counter, state: newState };
+}
+async function ratchetDecrypt(state, ciphertext, nonce, counter) {
+  if (counter <= state.maxRecvCounter) {
+    throw new Error(`Replay attack detected: counter ${counter} <= ${state.maxRecvCounter}`);
+  }
+  let chainKey = state.recvChainKey;
+  let currentCounter = state.recvCounter;
+  let messageKey;
+  while (currentCounter <= counter) {
+    const derived = await deriveChainKey(chainKey);
+    if (currentCounter === counter) {
+      messageKey = derived.messageKey;
+    }
+    chainKey = derived.nextChainKey;
+    currentCounter++;
+  }
+  if (!messageKey) {
+    throw new Error("Failed to derive message key");
+  }
+  const aad = buildAAD(1, counter);
+  const plaintext = await decrypt(ciphertext, nonce, messageKey, aad);
+  const newState = {
+    ...state,
+    recvChainKey: chainKey,
+    recvCounter: currentCounter,
+    maxRecvCounter: counter
+  };
+  return { plaintext, state: newState };
+}
+function needsKeyRotation(state) {
+  return state.sendCounter > 0 && state.sendCounter % KEY_ROTATION_INTERVAL === 0;
+}
+function buildAAD(version, counter) {
+  const aad = new Uint8Array(6);
+  aad[0] = version;
+  aad[1] = 1;
+  aad[2] = counter >>> 24 & 255;
+  aad[3] = counter >>> 16 & 255;
+  aad[4] = counter >>> 8 & 255;
+  aad[5] = counter & 255;
+  return aad;
+}
+
+// ../../packages/crypto/dist/qr-payload.js
+var MAGIC = "CB1";
+async function encodeQRPayload(payload) {
+  const s = await ensureSodium();
+  const releyBytes = new TextEncoder().encode(payload.releyUrl);
+  const jwtBytes = new TextEncoder().encode(payload.jwt);
+  const totalLen = 3 + 2 + releyBytes.length + 32 + 32 + 2 + jwtBytes.length;
+  const buf = new Uint8Array(totalLen);
+  let offset = 0;
+  buf[offset++] = MAGIC.charCodeAt(0);
+  buf[offset++] = MAGIC.charCodeAt(1);
+  buf[offset++] = MAGIC.charCodeAt(2);
+  buf[offset++] = releyBytes.length >>> 8 & 255;
+  buf[offset++] = releyBytes.length & 255;
+  buf.set(releyBytes, offset);
+  offset += releyBytes.length;
+  buf.set(payload.publicKey, offset);
+  offset += 32;
+  buf.set(payload.oneTimeCode, offset);
+  offset += 32;
+  buf[offset++] = jwtBytes.length >>> 8 & 255;
+  buf[offset++] = jwtBytes.length & 255;
+  buf.set(jwtBytes, offset);
+  return s.to_base64(buf, s.base64_variants.URLSAFE_NO_PADDING);
+}
+async function hashOneTimeCode(otc) {
+  const s = await ensureSodium();
+  return s.crypto_generichash(32, otc, null);
+}
+
+// ../../packages/protocol/dist/constants.js
+var PROTOCOL_VERSION = 1;
+var WIRE = {
+  VERSION: 1,
+  TYPE: 1,
+  COUNTER: 4,
+  NONCE: 12,
+  TAG: 16,
+  HEADER: 1 + 1 + 4 + 12
+  // 18 bytes total header before ciphertext
+};
+var MessageType = {
+  TERMINAL_DATA: 1,
+  TERMINAL_RESIZE: 2,
+  TERMINAL_INPUT: 3,
+  HOOK_EVENT: 16,
+  HOOK_RESPONSE: 17,
+  SESSION_PING: 32,
+  SESSION_PONG: 33,
+  SESSION_CLOSE: 34,
+  KEY_ROTATION: 48,
+  KEY_EXCHANGE: 49
+};
+var TIMEOUTS = {
+  PAIRING_EXPIRY: 5 * 60 * 1e3,
+  // 5 minutes
+  JWT_EXPIRY: 24 * 60 * 60 * 1e3,
+  // 24 hours
+  PING_INTERVAL: 30 * 1e3,
+  // 30 seconds
+  PONG_TIMEOUT: 10 * 1e3,
+  // 10 seconds
+  WS_RECONNECT_BASE: 1e3,
+  // 1 second base for exponential backoff
+  WS_RECONNECT_MAX: 30 * 1e3,
+  // 30 seconds max
+  HOOK_RESPONSE_TIMEOUT: 5 * 60 * 1e3
+  // 5 minutes for user approval
+};
+
+// ../../packages/protocol/dist/envelope.js
+var MESSAGE_TYPE_MAP = {
+  terminal_data: MessageType.TERMINAL_DATA,
+  terminal_resize: MessageType.TERMINAL_RESIZE,
+  terminal_input: MessageType.TERMINAL_INPUT,
+  hook_event: MessageType.HOOK_EVENT,
+  hook_response: MessageType.HOOK_RESPONSE,
+  ping: MessageType.SESSION_PING,
+  pong: MessageType.SESSION_PONG,
+  session_close: MessageType.SESSION_CLOSE,
+  key_rotation: MessageType.KEY_ROTATION,
+  key_exchange: MessageType.KEY_EXCHANGE
+};
+var REVERSE_TYPE_MAP = /* @__PURE__ */ new Map();
+for (const [k, v] of Object.entries(MESSAGE_TYPE_MAP)) {
+  REVERSE_TYPE_MAP.set(v, k);
+}
+function getWireType(messageType) {
+  const t = MESSAGE_TYPE_MAP[messageType];
+  if (t === void 0) {
+    throw new Error(`Unknown message type: ${messageType}`);
+  }
+  return t;
+}
+function encodeEnvelope(envelope) {
+  const totalLen = WIRE.HEADER + envelope.ciphertext.length;
+  const buf = new Uint8Array(totalLen);
+  let offset = 0;
+  buf[offset++] = envelope.version;
+  buf[offset++] = envelope.type;
+  buf[offset++] = envelope.counter >>> 24 & 255;
+  buf[offset++] = envelope.counter >>> 16 & 255;
+  buf[offset++] = envelope.counter >>> 8 & 255;
+  buf[offset++] = envelope.counter & 255;
+  buf.set(envelope.nonce, offset);
+  offset += WIRE.NONCE;
+  buf.set(envelope.ciphertext, offset);
+  return buf;
+}
+function decodeEnvelope(data) {
+  if (data.length < WIRE.HEADER + WIRE.TAG) {
+    throw new Error(`Envelope too short: ${data.length} bytes`);
+  }
+  let offset = 0;
+  const version = data[offset++];
+  if (version !== PROTOCOL_VERSION) {
+    throw new Error(`Unsupported protocol version: ${version}`);
+  }
+  const type = data[offset++];
+  const counter = data[offset] << 24 | data[offset + 1] << 16 | data[offset + 2] << 8 | data[offset + 3];
+  offset += 4;
+  const nonce = data.slice(offset, offset + WIRE.NONCE);
+  offset += WIRE.NONCE;
+  const ciphertext = data.slice(offset);
+  return { version, type, counter, nonce, ciphertext };
+}
+function serializeMessage(message) {
+  return new TextEncoder().encode(JSON.stringify(message));
+}
+function deserializeMessage(data) {
+  return JSON.parse(new TextDecoder().decode(data));
+}
+
+// src/commands/run.ts
+var __dirname = dirname(fileURLToPath(import.meta.url));
+var loggingEnabled = true;
+function log(label, msg) {
+  if (!loggingEnabled) return;
+  const colors = {
+    RELEY: "\x1B[34m",
+    PTY: "\x1B[32m",
+    WEB: "\x1B[35m",
+    CRYPTO: "\x1B[33m",
+    HOOKS: "\x1B[36m"
+  };
+  console.error(`${colors[label] ?? ""}[${label}]\x1B[0m ${msg}`);
+}
+function findReleyServer() {
+  const candidates = [
+    join2(__dirname, "../../../reley/dist/server.js"),
+    join2(__dirname, "../../../../apps/reley/dist/server.js")
+  ];
+  for (const p of candidates) {
+    if (existsSync2(p)) return p;
+  }
+  throw new Error("Reley server not found. Run `pnpm run build` first.");
+}
+async function isReleyRunning(url) {
+  try {
+    const res = await fetch(`${url}/health`);
+    return res.ok;
+  } catch {
+    return false;
+  }
+}
+async function waitForReley(url) {
+  for (let i = 0; i < 50; i++) {
+    if (await isReleyRunning(url)) return;
+    await new Promise((r) => setTimeout(r, 200));
+  }
+  throw new Error("Reley server failed to start");
+}
+function getTerminalHtml() {
+  return `<!DOCTYPE html>
+<html lang="ko"><head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Reley</title>
+  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/css/xterm.min.css">
+  <style>
+    :root {
+      --bg: #0E0F13;
+      --surface: rgba(255,255,255,0.06);
+      --surface-hover: rgba(255,255,255,0.10);
+      --border: rgba(255,255,255,0.08);
+      --border-hover: rgba(255,255,255,0.14);
+      --primary: #3182F6;
+      --primary-hover: #1B64DA;
+      --success: #34C759;
+      --danger: #FF3B30;
+      --warning: #FFD60A;
+      --text: #F5F5F7;
+      --text-secondary: rgba(255,255,255,0.6);
+      --text-tertiary: rgba(255,255,255,0.35);
+      --font: -apple-system, BlinkMacSystemFont, 'SF Pro Display', system-ui, sans-serif;
+      --mono: 'SF Mono', Menlo, Monaco, 'Courier New', monospace;
+      --radius-card: 16px;
+      --radius-btn: 12px;
+      --spring: cubic-bezier(0.32, 0.72, 0, 1);
+      --ease: cubic-bezier(0.25, 0.1, 0.25, 1);
+    }
+
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+
+    body {
+      background: var(--bg);
+      color: var(--text);
+      font-family: var(--font);
+      display: flex;
+      flex-direction: column;
+      height: 100vh;
+      overflow: hidden;
+      -webkit-font-smoothing: antialiased;
+    }
+
+    /* \u2500\u2500 Header \u2500\u2500 */
+    #header {
+      padding: 12px 20px;
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      flex-shrink: 0;
+      border-bottom: 1px solid var(--border);
+      background: rgba(14,15,19,0.8);
+      backdrop-filter: blur(20px) saturate(180%);
+      -webkit-backdrop-filter: blur(20px) saturate(180%);
+      z-index: 10;
+    }
+
+    .header-left {
+      display: flex;
+      align-items: center;
+      gap: 8px;
+    }
+
+    .logo {
+      font-size: 15px;
+      font-weight: 600;
+      letter-spacing: -0.3px;
+      color: var(--text);
+    }
+
+    .logo-icon {
+      width: 20px;
+      height: 20px;
+      background: var(--primary);
+      border-radius: 6px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      font-size: 11px;
+    }
+
+    .header-center {
+      position: absolute;
+      left: 50%;
+      transform: translateX(-50%);
+    }
+
+    #status {
+      display: inline-flex;
+      align-items: center;
+      gap: 6px;
+      font-size: 12px;
+      font-weight: 500;
+      padding: 4px 12px;
+      border-radius: 100px;
+      background: var(--surface);
+      border: 1px solid var(--border);
+      color: var(--text-secondary);
+      transition: all 0.3s var(--ease);
+    }
+
+    .status-dot {
+      width: 6px;
+      height: 6px;
+      border-radius: 50%;
+      background: var(--warning);
+      transition: background 0.3s var(--ease);
+    }
+
+    #status.connected .status-dot { background: var(--success); }
+    #status.connected { color: var(--success); border-color: rgba(52,199,89,0.2); background: rgba(52,199,89,0.08); }
+    #status.disconnected .status-dot { background: var(--danger); }
+    #status.disconnected { color: var(--danger); border-color: rgba(255,59,48,0.2); background: rgba(255,59,48,0.08); }
+
+    .header-right {
+      display: flex;
+      align-items: center;
+    }
+
+    .badge-e2e {
+      display: inline-flex;
+      align-items: center;
+      gap: 5px;
+      font-size: 11px;
+      font-weight: 500;
+      padding: 4px 10px;
+      border-radius: 100px;
+      background: rgba(52,199,89,0.1);
+      border: 1px solid rgba(52,199,89,0.15);
+      color: var(--success);
+    }
+
+    .badge-e2e svg { width: 12px; height: 12px; }
+
+    /* \u2500\u2500 Terminal Window \u2500\u2500 */
+    #wrap {
+      flex: 1;
+      overflow: hidden;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 16px;
+      position: relative;
+    }
+
+    .terminal-window {
+      border-radius: var(--radius-card);
+      overflow: hidden;
+      box-shadow: 0 8px 40px rgba(0,0,0,0.5), 0 0 0 1px var(--border);
+      background: #1A1B23;
+      position: relative;
+    }
+
+    .terminal-titlebar {
+      height: 38px;
+      background: rgba(255,255,255,0.04);
+      border-bottom: 1px solid var(--border);
+      display: flex;
+      align-items: center;
+      padding: 0 14px;
+      gap: 8px;
+      user-select: none;
+      -webkit-user-select: none;
+    }
+
+    .titlebar-dots {
+      display: flex;
+      gap: 7px;
+    }
+
+    .titlebar-dot {
+      width: 11px;
+      height: 11px;
+      border-radius: 50%;
+    }
+
+    .titlebar-dot.red { background: #FF5F57; }
+    .titlebar-dot.yellow { background: #FEBC2E; }
+    .titlebar-dot.green { background: #28C840; }
+
+    .titlebar-title {
+      flex: 1;
+      text-align: center;
+      font-size: 12px;
+      font-weight: 500;
+      color: var(--text-tertiary);
+      letter-spacing: -0.2px;
+    }
+
+    .titlebar-spacer { width: 52px; }
+
+    #terminal {
+      transform-origin: top left;
+    }
+
+    /* \u2500\u2500 Event Cards Container \u2500\u2500 */
+    #event-cards {
+      position: fixed;
+      bottom: 20px;
+      right: 20px;
+      display: flex;
+      flex-direction: column;
+      gap: 10px;
+      z-index: 100;
+      max-width: 420px;
+      width: calc(100% - 40px);
+      pointer-events: none;
+    }
+
+    /* \u2500\u2500 Event Card \u2500\u2500 */
+    .event-card {
+      background: rgba(30, 32, 42, 0.85);
+      backdrop-filter: blur(24px) saturate(180%);
+      -webkit-backdrop-filter: blur(24px) saturate(180%);
+      border: 1px solid var(--border);
+      border-radius: var(--radius-card);
+      padding: 16px;
+      animation: slideUp 0.5s var(--spring) forwards;
+      pointer-events: auto;
+      box-shadow: 0 8px 32px rgba(0,0,0,0.3), 0 0 0 1px rgba(255,255,255,0.05);
+      transition: border-color 0.2s var(--ease);
+    }
+
+    .event-card:hover {
+      border-color: var(--border-hover);
+    }
+
+    .event-card.removing {
+      animation: fadeOut 0.3s var(--ease) forwards;
+    }
+
+    @keyframes slideUp {
+      from { transform: translateY(24px); opacity: 0; }
+      to { transform: translateY(0); opacity: 1; }
+    }
+
+    @keyframes fadeOut {
+      to { transform: translateY(12px); opacity: 0; }
+    }
+
+    .card-header {
+      display: flex;
+      align-items: center;
+      gap: 10px;
+      margin-bottom: 12px;
+    }
+
+    .card-icon {
+      width: 32px;
+      height: 32px;
+      border-radius: 10px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      font-size: 15px;
+      flex-shrink: 0;
+    }
+
+    .card-icon.bash { background: rgba(49,130,246,0.15); color: var(--primary); }
+    .card-icon.file { background: rgba(168,130,246,0.15); color: #A882F6; }
+    .card-icon.stop { background: rgba(52,199,89,0.15); color: var(--success); }
+    .card-icon.info { background: rgba(49,130,246,0.15); color: var(--primary); }
+    .card-icon.warning { background: rgba(255,214,10,0.15); color: var(--warning); }
+    .card-icon.error { background: rgba(255,59,48,0.15); color: var(--danger); }
+
+    .card-title {
+      font-size: 13px;
+      font-weight: 600;
+      color: var(--text);
+      letter-spacing: -0.2px;
+    }
+
+    .card-subtitle {
+      font-size: 11px;
+      color: var(--text-tertiary);
+      margin-top: 1px;
+    }
+
+    .card-body {
+      margin-bottom: 14px;
+    }
+
+    .card-code {
+      background: rgba(0,0,0,0.3);
+      border: 1px solid rgba(255,255,255,0.06);
+      border-radius: 10px;
+      padding: 10px 12px;
+      font-family: var(--mono);
+      font-size: 12px;
+      line-height: 1.5;
+      color: var(--text);
+      overflow-x: auto;
+      white-space: pre-wrap;
+      word-break: break-all;
+      max-height: 120px;
+      overflow-y: auto;
+    }
+
+    .card-filepath {
+      background: rgba(0,0,0,0.3);
+      border: 1px solid rgba(255,255,255,0.06);
+      border-radius: 10px;
+      padding: 8px 12px;
+      font-family: var(--mono);
+      font-size: 12px;
+      color: #A882F6;
+      display: flex;
+      align-items: center;
+      gap: 6px;
+    }
+
+    .card-message {
+      font-size: 13px;
+      color: var(--text-secondary);
+      line-height: 1.5;
+    }
+
+    /* \u2500\u2500 Scrollbar \u2500\u2500 */
+    ::-webkit-scrollbar { width: 6px; }
+    ::-webkit-scrollbar-track { background: transparent; }
+    ::-webkit-scrollbar-thumb { background: rgba(255,255,255,0.15); border-radius: 3px; }
+    ::-webkit-scrollbar-thumb:hover { background: rgba(255,255,255,0.25); }
+  </style>
+</head><body>
+
+  <!-- Header -->
+  <div id="header">
+    <div class="header-left">
+      <div class="logo-icon">
+        <svg width="12" height="12" viewBox="0 0 24 24" fill="none" stroke="white" stroke-width="2.5" stroke-linecap="round">
+          <polyline points="4 17 10 11 4 5"/><line x1="12" y1="19" x2="20" y2="19"/>
+        </svg>
+      </div>
+      <span class="logo">Reley</span>
+    </div>
+    <div class="header-center">
+      <div id="status">
+        <span class="status-dot"></span>
+        <span id="st">Connecting...</span>
+      </div>
+    </div>
+    <div class="header-right">
+      <div class="badge-e2e">
+        <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
+          <rect x="3" y="11" width="18" height="11" rx="2" ry="2"/><path d="M7 11V7a5 5 0 0 1 10 0v4"/>
+        </svg>
+        E2E Encrypted
+      </div>
+    </div>
+  </div>
+
+  <!-- Terminal -->
+  <div id="wrap">
+    <div class="terminal-window">
+      <div class="terminal-titlebar">
+        <div class="titlebar-dots">
+          <div class="titlebar-dot red"></div>
+          <div class="titlebar-dot yellow"></div>
+          <div class="titlebar-dot green"></div>
+        </div>
+        <div class="titlebar-title">Reley Terminal</div>
+        <div class="titlebar-spacer"></div>
+      </div>
+      <div id="terminal"></div>
+    </div>
+  </div>
+
+  <!-- Event Cards -->
+  <div id="event-cards"></div>
+
+  <script src="https://cdn.jsdelivr.net/npm/@xterm/xterm@5.5.0/lib/xterm.min.js"></script>
+  <script>
+    // \u2500\u2500 Terminal Setup \u2500\u2500
+    const term = new window.Terminal({
+      theme: {
+        background: '#1A1B23',
+        foreground: '#F5F5F7',
+        cursor: '#3182F6',
+        cursorAccent: '#1A1B23',
+        selectionBackground: '#3182F644',
+        black: '#1A1B23',
+        brightBlack: '#4A4B57',
+      },
+      fontSize: 14,
+      fontFamily: "'SF Mono', Menlo, Monaco, 'Courier New', monospace",
+      cursorBlink: true,
+      scrollback: 10000,
+      cols: 80,
+      rows: 24,
+    });
+    term.open(document.getElementById('terminal'));
+
+    // \u2500\u2500 CSS Transform Scaling \u2500\u2500
+    function fitScale() {
+      requestAnimationFrame(() => {
+        const wrap = document.getElementById('wrap');
+        const win = document.querySelector('.terminal-window');
+        const scr = document.querySelector('.xterm-screen');
+        if (!wrap || !scr || !win) return;
+        const sw = scr.offsetWidth;
+        const sh = scr.offsetHeight + 38; // titlebar height
+        if (!sw || !sh) return;
+        const pad = 32;
+        const maxW = wrap.clientWidth - pad;
+        const maxH = wrap.clientHeight - pad;
+        const scale = Math.min(maxW / sw, maxH / sh, 1.5);
+        win.style.transform = 'scale(' + scale + ')';
+        win.style.transformOrigin = 'center center';
+      });
+    }
+    window.addEventListener('resize', fitScale);
+
+    // \u2500\u2500 WebSocket \u2500\u2500
+    const statusEl = document.getElementById('status');
+    const st = document.getElementById('st');
+    const ws = new WebSocket('ws://' + location.host);
+
+    ws.onopen = () => {
+      statusEl.className = 'connected';
+      st.textContent = 'Connected';
+      term.focus();
+    };
+
+    ws.onmessage = (e) => {
+      const m = JSON.parse(e.data);
+      if (m.type === 'output') {
+        term.write(m.data);
+      } else if (m.type === 'sync_size') {
+        term.resize(m.cols, m.rows);
+        setTimeout(fitScale, 50);
+      } else if (m.type === 'hook_event') {
+        renderHookEvent(m);
+      }
+    };
+
+    ws.onclose = () => {
+      statusEl.className = 'disconnected';
+      st.textContent = 'Disconnected';
+    };
+
+    term.onData((d) => ws.send(JSON.stringify({ type: 'input', data: d })));
+    setTimeout(fitScale, 200);
+
+    // \u2500\u2500 Hook Event Cards \u2500\u2500
+    const cardsContainer = document.getElementById('event-cards');
+
+    function renderHookEvent(evt) {
+      const hookType = evt.hookType;
+      const data = evt.data || {};
+      const requestId = evt.requestId;
+
+      if (hookType === 'pre-tool-use') {
+        renderPreToolUseCard(data, requestId);
+      } else if (hookType === 'stop') {
+        renderStopCard(data);
+      } else if (hookType === 'notification') {
+        renderNotificationCard(data);
+      }
+    }
+
+    function renderPreToolUseCard(data, requestId) {
+      const toolName = (data.tool_name || '').toLowerCase();
+      const input = data.tool_input || {};
+
+      const card = document.createElement('div');
+      card.className = 'event-card';
+      card.dataset.requestId = requestId;
+
+      let iconClass, iconSvg, title, subtitle, bodyHtml;
+
+      if (toolName === 'bash') {
+        iconClass = 'bash';
+        iconSvg = '<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"><polyline points="4 17 10 11 4 5"/><line x1="12" y1="19" x2="20" y2="19"/></svg>';
+        title = 'Bash Command';
+        subtitle = 'Terminal execution request';
+        bodyHtml = '<div class="card-code">' + escapeHtml(input.command || '') + '</div>';
+      } else if (toolName === 'write' || toolName === 'edit') {
+        iconClass = 'file';
+        iconSvg = '<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z"/><polyline points="14 2 14 8 20 8"/></svg>';
+        title = toolName === 'write' ? 'Write File' : 'Edit File';
+        subtitle = 'File modification request';
+        const fp = input.file_path || input.filePath || '';
+        bodyHtml = '<div class="card-filepath"><svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M14 2H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h12a2 2 0 0 0 2-2V8z"/><polyline points="14 2 14 8 20 8"/></svg>' + escapeHtml(fp) + '</div>';
+      } else {
+        iconClass = 'bash';
+        iconSvg = '<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="12"/><line x1="12" y1="16" x2="12.01" y2="16"/></svg>';
+        title = 'Tool: ' + escapeHtml(data.tool_name || 'Unknown');
+        subtitle = 'Tool execution request';
+        bodyHtml = '<div class="card-code">' + escapeHtml(JSON.stringify(input, null, 2)) + '</div>';
+      }
+
+      card.innerHTML =
+        '<div class="card-header">' +
+          '<div class="card-icon ' + iconClass + '">' + iconSvg + '</div>' +
+          '<div><div class="card-title">' + title + '</div><div class="card-subtitle">' + subtitle + '</div></div>' +
+        '</div>' +
+        '<div class="card-body">' + bodyHtml + '</div>';
+
+      cardsContainer.appendChild(card);
+      card.addEventListener('click', () => removeCard(card));
+      setTimeout(() => removeCard(card), 8000);
+    }
+
+    function renderStopCard(data) {
+      const card = document.createElement('div');
+      card.className = 'event-card';
+      card.innerHTML =
+        '<div class="card-header">' +
+          '<div class="card-icon stop"><svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" stroke-linecap="round" stroke-linejoin="round"><polyline points="20 6 9 17 4 12"/></svg></div>' +
+          '<div><div class="card-title">Task Complete</div><div class="card-subtitle">' + escapeHtml(data.stop_reason || 'Finished') + '</div></div>' +
+        '</div>' +
+        '<div class="card-body"><div class="card-message">' + escapeHtml(data.message || 'Claude has finished the task.') + '</div></div>';
+
+      cardsContainer.appendChild(card);
+      card.addEventListener('click', () => removeCard(card));
+      setTimeout(() => removeCard(card), 5000);
+    }
+
+    function renderNotificationCard(data) {
+      const level = (data.level || 'info').toLowerCase();
+      let iconClass = 'info';
+      let iconSvg = '<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"><circle cx="12" cy="12" r="10"/><line x1="12" y1="16" x2="12" y2="12"/><line x1="12" y1="8" x2="12.01" y2="8"/></svg>';
+      if (level === 'warning') {
+        iconClass = 'warning';
+        iconSvg = '<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M10.29 3.86L1.82 18a2 2 0 0 0 1.71 3h16.94a2 2 0 0 0 1.71-3L13.71 3.86a2 2 0 0 0-3.42 0z"/><line x1="12" y1="9" x2="12" y2="13"/><line x1="12" y1="17" x2="12.01" y2="17"/></svg>';
+      } else if (level === 'error') {
+        iconClass = 'error';
+        iconSvg = '<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"><circle cx="12" cy="12" r="10"/><line x1="15" y1="9" x2="9" y2="15"/><line x1="9" y1="9" x2="15" y2="15"/></svg>';
+      }
+
+      const card = document.createElement('div');
+      card.className = 'event-card';
+      card.innerHTML =
+        '<div class="card-header">' +
+          '<div class="card-icon ' + iconClass + '">' + iconSvg + '</div>' +
+          '<div><div class="card-title">' + escapeHtml(data.title || 'Notification') + '</div></div>' +
+        '</div>' +
+        '<div class="card-body"><div class="card-message">' + escapeHtml(data.message || '') + '</div></div>';
+
+      cardsContainer.appendChild(card);
+      card.addEventListener('click', () => removeCard(card));
+      setTimeout(() => removeCard(card), 5000);
+    }
+
+    function removeCard(card) {
+      if (card.classList.contains('removing')) return;
+      card.classList.add('removing');
+      card.addEventListener('animationend', () => card.remove());
+    }
+
+    function escapeHtml(str) {
+      const d = document.createElement('div');
+      d.textContent = str;
+      return d.innerHTML;
+    }
+  </script>
+</body></html>`;
+}
+function getClaudeSettingsPath() {
+  return join2(homedir2(), ".claude", "settings.json");
+}
+function createHookScript(sockPath) {
+  const scriptPath = `/tmp/reley-hook-${process.pid}`;
+  const script = `#!/usr/bin/env node
+const net = require('net');
+
+// Session isolation: only run for the Reley session that set this env var.
+// Other Claude sessions won't have it, so they skip immediately.
+const sockPath = process.env.RELEY_HOOK_SOCK;
+if (!sockPath) process.exit(0);
+
+const hookType = process.argv[2] || 'unknown';
+
+// Read stdin (Claude Code sends JSON via stdin for hooks)
+let input = '';
+process.stdin.setEncoding('utf8');
+process.stdin.on('data', (c) => { input += c; });
+process.stdin.on('end', () => {
+  const payload = JSON.stringify({ hookType, data: tryParse(input) }) + '\\n';
+  const client = net.createConnection(sockPath, () => {
+    client.write(payload);
+  });
+  let resp = '';
+  client.on('data', (d) => { resp += d.toString(); });
+  client.on('end', () => {
+    process.exit(0);
+  });
+  client.on('error', () => {
+    // Socket not available, approve by default
+    process.exit(0);
+  });
+  setTimeout(() => process.exit(0), 30000);
+});
+
+function tryParse(s) {
+  try { return JSON.parse(s); } catch { return { raw: s }; }
+}
+`;
+  writeFileSync2(scriptPath, script, { mode: 493 });
+  return scriptPath;
+}
+function installClaudeHooks(hookScriptPath) {
+  const settingsPath = getClaudeSettingsPath();
+  let settings = {};
+  const result = {
+    path: settingsPath,
+    hadHooks: false,
+    originalHooks: void 0
+  };
+  try {
+    if (existsSync2(settingsPath)) {
+      settings = JSON.parse(readFileSync2(settingsPath, "utf-8"));
+    }
+  } catch {
+    settings = {};
+  }
+  if (settings.hooks) {
+    result.hadHooks = true;
+    result.originalHooks = JSON.parse(JSON.stringify(settings.hooks));
+  }
+  if (!settings.hooks) settings.hooks = {};
+  const cbCommand = (type) => `${hookScriptPath} ${type}`;
+  const hookDefs = {
+    PreToolUse: [
+      { matcher: "Bash", type: "pre-tool-use" },
+      { matcher: "Write", type: "pre-tool-use" },
+      { matcher: "Edit", type: "pre-tool-use" }
+    ],
+    Stop: [
+      { matcher: "", type: "stop" }
+    ],
+    Notification: [
+      { matcher: "", type: "notification" }
+    ]
+  };
+  for (const [event, entries] of Object.entries(hookDefs)) {
+    if (!settings.hooks[event]) settings.hooks[event] = [];
+    for (const entry of entries) {
+      const cmd = cbCommand(entry.type);
+      const exists = settings.hooks[event].some(
+        (h) => Array.isArray(h.hooks) && h.hooks.some((hk) => hk.command === cmd)
+      );
+      if (!exists) {
+        const hookEntry = {
+          matcher: entry.matcher,
+          hooks: [{ type: "command", command: cmd }]
+        };
+        settings.hooks[event].push(hookEntry);
+      }
+    }
+  }
+  writeFileSync2(settingsPath, JSON.stringify(settings, null, 2), "utf-8");
+  return result;
+}
+function uninstallClaudeHooks(original, hookScriptPath) {
+  try {
+    const settingsPath = original.path;
+    if (!existsSync2(settingsPath)) return;
+    const settings = JSON.parse(readFileSync2(settingsPath, "utf-8"));
+    if (!settings.hooks) return;
+    for (const event of Object.keys(settings.hooks)) {
+      if (Array.isArray(settings.hooks[event])) {
+        settings.hooks[event] = settings.hooks[event].filter(
+          (h) => !Array.isArray(h.hooks) || !h.hooks.some((hk) => hk.command?.includes(hookScriptPath))
+        );
+        if (settings.hooks[event].length === 0) {
+          delete settings.hooks[event];
+        }
+      }
+    }
+    if (Object.keys(settings.hooks).length === 0) {
+      delete settings.hooks;
+    }
+    writeFileSync2(settingsPath, JSON.stringify(settings, null, 2), "utf-8");
+  } catch {
+  }
+}
+async function runCommand(commandArgs, options) {
+  if (options.online) {
+    return runOnlineCommand(commandArgs, options);
+  }
+  const webPort = parseInt(options.webPort, 10);
+  const releyPort = parseInt(options.releyPort, 10);
+  const releyUrl = `http://localhost:${releyPort}`;
+  const wsReleyUrl = `ws://localhost:${releyPort}/ws`;
+  const command = commandArgs.length > 0 ? commandArgs[0] : process.env.SHELL || "/bin/zsh";
+  const args = commandArgs.length > 1 ? commandArgs.slice(1) : [];
+  console.error("\n\x1B[1m  Reley\x1B[0m");
+  console.error("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n");
+  let releyProc = null;
+  if (await isReleyRunning(releyUrl)) {
+    log("RELEY", `Already running on :${releyPort}`);
+  } else {
+    log("RELEY", `Starting on :${releyPort}...`);
+    const releyPath = findReleyServer();
+    releyProc = fork(releyPath, [], {
+      env: { ...process.env, PORT: String(releyPort), LOG_LEVEL: "warn" },
+      stdio: "pipe"
+    });
+    await waitForReley(releyUrl);
+    log("RELEY", "Ready");
+  }
+  const sodium2 = await ensureSodium();
+  const cliKeys = await generateEphemeralKeyPair();
+  const viewerKeys = await generateEphemeralKeyPair();
+  const otc = sodium2.randombytes_buf(32);
+  const otcHash = crypto.createHash("sha256").update(Buffer.from(otc)).digest();
+  const initRes = await fetch(`${releyUrl}/api/v1/pair/initiate`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      publicKey: sodium2.to_base64(cliKeys.publicKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+      otcHash: Buffer.from(otcHash).toString("base64"),
+      deviceId: crypto.randomUUID()
+    })
+  });
+  const { roomId, token: cliToken } = await initRes.json();
+  const compRes = await fetch(`${releyUrl}/api/v1/pair/complete`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify({
+      roomId,
+      otc: Buffer.from(otc).toString("base64"),
+      publicKey: sodium2.to_base64(viewerKeys.publicKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+      deviceId: crypto.randomUUID()
+    })
+  });
+  const { token: viewerToken } = await compRes.json();
+  log("CRYPTO", "E2E ready");
+  const cliShared = await computeSharedSecret(cliKeys.secretKey, viewerKeys.publicKey);
+  const viewerShared = await computeSharedSecret(viewerKeys.secretKey, cliKeys.publicKey);
+  const cliSessionKeys = await deriveSessionKeys(cliShared);
+  const viewerSessionKeys = await deriveSessionKeys(viewerShared);
+  let cliRatchet = initRatchet(cliSessionKeys.sendKey, cliSessionKeys.recvKey);
+  let viewerRatchet = initRatchet(viewerSessionKeys.recvKey, viewerSessionKeys.sendKey);
+  const cliWs = new WebSocket(wsReleyUrl, { headers: { Authorization: `Bearer ${cliToken}` } });
+  await new Promise((res, rej) => {
+    cliWs.on("open", res);
+    cliWs.on("error", rej);
+  });
+  const viewerWs = new WebSocket(wsReleyUrl, { headers: { Authorization: `Bearer ${viewerToken}` } });
+  await new Promise((res, rej) => {
+    viewerWs.on("open", res);
+    viewerWs.on("error", rej);
+  });
+  const webWss = new WebSocketServer({ noServer: true });
+  const webClients = /* @__PURE__ */ new Set();
+  let ptyCols = process.stdout.columns || 80;
+  let ptyRows = process.stdout.rows || 24;
+  const hookSockPath = `/tmp/reley-hooks-${process.pid}.sock`;
+  try {
+    unlinkSync(hookSockPath);
+  } catch {
+  }
+  const hookServer = createNetServer((socket) => {
+    let buf = "";
+    socket.on("data", (chunk) => {
+      buf += chunk.toString();
+      const nl = buf.indexOf("\n");
+      if (nl === -1) return;
+      const line = buf.substring(0, nl);
+      buf = buf.substring(nl + 1);
+      let json;
+      try {
+        json = JSON.parse(line);
+      } catch {
+        socket.end(JSON.stringify({ action: "approve" }));
+        return;
+      }
+      const requestId = `hook-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+      const payload = JSON.stringify({
+        type: "hook_event",
+        hookType: json.hookType,
+        data: json.data,
+        requestId
+      });
+      for (const c of webClients) {
+        if (c.readyState === WebSocket.OPEN) c.send(payload);
+      }
+      socket.end(JSON.stringify({ action: "approve" }));
+    });
+  });
+  await new Promise((resolve2) => {
+    hookServer.listen(hookSockPath, () => resolve2());
+  });
+  log("HOOKS", `Socket at ${hookSockPath}`);
+  let hookScriptPath = null;
+  let originalSettings = null;
+  const isClaudeCommand = command === "claude" || command.endsWith("/claude");
+  if (isClaudeCommand) {
+    hookScriptPath = createHookScript(hookSockPath);
+    originalSettings = installClaudeHooks(hookScriptPath);
+    log("HOOKS", "Claude hooks installed");
+  }
+  viewerWs.on("message", async (raw) => {
+    if (!Buffer.isBuffer(raw)) return;
+    try {
+      const env = decodeEnvelope(new Uint8Array(raw));
+      const dec = await ratchetDecrypt(viewerRatchet, env.ciphertext, env.nonce, env.counter);
+      viewerRatchet = dec.state;
+      const msg = deserializeMessage(dec.plaintext);
+      if (msg.type === "terminal_data") {
+        const text = Buffer.from(msg.data, "base64").toString();
+        const payload = JSON.stringify({ type: "output", data: text });
+        for (const c of webClients) {
+          if (c.readyState === WebSocket.OPEN) c.send(payload);
+        }
+      }
+    } catch {
+    }
+  });
+  webWss.on("connection", (ws) => {
+    webClients.add(ws);
+    ws.send(JSON.stringify({ type: "sync_size", cols: ptyCols, rows: ptyRows }));
+    ws.on("message", async (raw) => {
+      try {
+        const msg = JSON.parse(raw.toString());
+        if (msg.type === "input") {
+          pty2.write(msg.data);
+        }
+      } catch {
+      }
+    });
+    ws.on("close", () => {
+      webClients.delete(ws);
+    });
+  });
+  const httpServer = createHttpServer((req, res) => {
+    res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+    res.end(getTerminalHtml());
+  });
+  httpServer.on("upgrade", (req, socket, head) => {
+    webWss.handleUpgrade(req, socket, head, (ws) => {
+      webWss.emit("connection", ws, req);
+    });
+  });
+  await new Promise((resolve2) => {
+    httpServer.listen(webPort, () => resolve2());
+  });
+  log("WEB", `http://localhost:${webPort}`);
+  console.error(`
+  \x1B[1m\x1B[36m\u2192 http://localhost:${webPort}\x1B[0m  \uC6F9\uC5D0\uC11C\uB3C4 \uD655\uC778/\uC785\uB825 \uAC00\uB2A5
+`);
+  loggingEnabled = false;
+  const ptyEnv = {
+    ...process.env
+  };
+  if (hookSockPath) {
+    ptyEnv.RELEY_HOOK_SOCK = hookSockPath;
+  }
+  const pty2 = spawn(command, args, {
+    name: "xterm-256color",
+    cols: ptyCols,
+    rows: ptyRows,
+    cwd: process.cwd(),
+    env: ptyEnv
+  });
+  pty2.onData(async (data) => {
+    process.stdout.write(data);
+    try {
+      const msg = {
+        type: "terminal_data",
+        data: Buffer.from(data).toString("base64")
+      };
+      const plain = serializeMessage(msg);
+      const enc = await ratchetEncrypt(cliRatchet, plain);
+      cliRatchet = enc.state;
+      const envelope = encodeEnvelope({
+        version: PROTOCOL_VERSION,
+        type: getWireType("terminal_data"),
+        counter: enc.counter,
+        nonce: enc.nonce,
+        ciphertext: enc.ciphertext
+      });
+      if (cliWs.readyState === WebSocket.OPEN) {
+        cliWs.send(Buffer.from(envelope));
+      }
+    } catch {
+    }
+  });
+  if (process.stdin.isTTY) {
+    process.stdin.setRawMode(true);
+  }
+  process.stdin.resume();
+  process.stdin.on("data", (data) => {
+    pty2.write(data.toString());
+  });
+  process.stdout.on("resize", () => {
+    ptyCols = process.stdout.columns || 80;
+    ptyRows = process.stdout.rows || 24;
+    pty2.resize(ptyCols, ptyRows);
+    const sizeMsg = JSON.stringify({ type: "sync_size", cols: ptyCols, rows: ptyRows });
+    for (const c of webClients) {
+      if (c.readyState === WebSocket.OPEN) c.send(sizeMsg);
+    }
+  });
+  const cleanup = () => {
+    hookServer.close();
+    try {
+      unlinkSync(hookSockPath);
+    } catch {
+    }
+    if (hookScriptPath) {
+      try {
+        unlinkSync(hookScriptPath);
+      } catch {
+      }
+    }
+    if (originalSettings && hookScriptPath) {
+      uninstallClaudeHooks(originalSettings, hookScriptPath);
+    }
+    cliWs.close();
+    viewerWs.close();
+    httpServer.close();
+    if (releyProc) releyProc.kill();
+  };
+  pty2.onExit(() => {
+    cleanup();
+    process.exit(0);
+  });
+  process.on("SIGINT", () => pty2.kill());
+  process.on("SIGTERM", () => pty2.kill());
+}
+async function runOnlineCommand(commandArgs, options) {
+  const { loadConfig: loadConfig2 } = await Promise.resolve().then(() => (init_config(), config_exports));
+  const config = loadConfig2();
+  if (!config?.device_token || !config?.reley_url) {
+    console.error("\x1B[31mError:\x1B[0m Not logged in. Run `reley login` first.");
+    process.exit(1);
+  }
+  const command = commandArgs.length > 0 ? commandArgs[0] : process.env.SHELL || "/bin/zsh";
+  const args = commandArgs.length > 1 ? commandArgs.slice(1) : [];
+  console.error("\n\x1B[1m  Reley\x1B[0m \x1B[36m(online)\x1B[0m");
+  console.error("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\n");
+  console.error(`  \x1B[2mUser: ${config.user_email}\x1B[0m`);
+  console.error(`  \x1B[2mServer: ${config.reley_url}\x1B[0m
+`);
+  const sodium2 = await ensureSodium();
+  const cliKeys = await generateEphemeralKeyPair();
+  const cliPkB64 = sodium2.to_base64(cliKeys.publicKey, sodium2.base64_variants.URLSAFE_NO_PADDING);
+  log("RELEY", "Creating session...");
+  const sessionName = commandArgs.length > 0 ? commandArgs.join(" ") : "Terminal session";
+  const res = await fetch(`${config.reley_url}/api/v1/sessions`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${config.device_token}`
+    },
+    body: JSON.stringify({ name: sessionName, publicKey: cliPkB64 })
+  });
+  if (!res.ok) {
+    const body = await res.json().catch(() => ({}));
+    console.error(`\x1B[31mError:\x1B[0m Failed to create session: ${body.error || res.statusText}`);
+    process.exit(1);
+  }
+  const { roomId, cliToken, sessionId } = await res.json();
+  log("RELEY", `Session: ${sessionId}`);
+  log("RELEY", `Room: ${roomId}`);
+  const wsProtocol = config.reley_url.startsWith("https") ? "wss" : "ws";
+  const wsHost = config.reley_url.replace(/^https?:\/\//, "");
+  const wsUrl = `${wsProtocol}://${wsHost}/ws`;
+  const cliWs = new WebSocket(wsUrl, { headers: { Authorization: `Bearer ${cliToken}` } });
+  await new Promise((resolve2, reject) => {
+    cliWs.on("open", resolve2);
+    cliWs.on("error", reject);
+  });
+  log("RELEY", "WebSocket connected");
+  let ratchetState = null;
+  let e2eReady = false;
+  const pendingData = [];
+  let ratchetQueue = Promise.resolve();
+  function withRatchet(fn) {
+    const p = ratchetQueue.then(fn, () => fn());
+    ratchetQueue = p.then(() => {
+    }, () => {
+    });
+    return p;
+  }
+  const SCROLLBACK_MAX = 100 * 1024;
+  let scrollbackBuf = Buffer.alloc(0);
+  function appendScrollback(data) {
+    scrollbackBuf = Buffer.concat([scrollbackBuf, data]);
+    if (scrollbackBuf.length > SCROLLBACK_MAX) {
+      scrollbackBuf = scrollbackBuf.slice(scrollbackBuf.length - SCROLLBACK_MAX);
+    }
+  }
+  async function initE2E(viewerPkB64) {
+    const viewerPk = sodium2.from_base64(viewerPkB64, sodium2.base64_variants.URLSAFE_NO_PADDING);
+    const shared = await computeSharedSecret(cliKeys.secretKey, viewerPk);
+    const sessionKeys = await deriveSessionKeys(shared);
+    ratchetState = initRatchet(sessionKeys.sendKey, sessionKeys.recvKey);
+    const fp = computeFingerprint(sodium2, cliKeys.publicKey, viewerPk);
+    console.error(`  \x1B[33m\u{1F510} E2E Fingerprint: ${fp}\x1B[0m`);
+    sodium2.memzero(shared);
+    if (cliWs.readyState === WebSocket.OPEN) {
+      cliWs.send(JSON.stringify({
+        type: "key_exchange",
+        publicKey: cliPkB64,
+        role: "cli"
+      }));
+    }
+    await withRatchet(async () => {
+      if (!ratchetState) return;
+      if (scrollbackBuf.length > 0) {
+        const msg = {
+          type: "terminal_data",
+          data: scrollbackBuf.toString("base64")
+        };
+        const plain = serializeMessage(msg);
+        const enc = await ratchetEncrypt(ratchetState, plain);
+        ratchetState = enc.state;
+        const envelope = encodeEnvelope({
+          version: PROTOCOL_VERSION,
+          type: getWireType("terminal_data"),
+          counter: enc.counter,
+          nonce: enc.nonce,
+          ciphertext: enc.ciphertext
+        });
+        if (cliWs.readyState === WebSocket.OPEN) {
+          cliWs.send(Buffer.from(envelope));
+        }
+      }
+    });
+    e2eReady = true;
+    pendingData.length = 0;
+  }
+  function sendEncrypted(data) {
+    if (!ratchetState || !e2eReady) {
+      pendingData.push(data);
+      return;
+    }
+    withRatchet(async () => {
+      if (!ratchetState || cliWs.readyState !== WebSocket.OPEN) return;
+      try {
+        const msg = {
+          type: "terminal_data",
+          data: data.toString("base64")
+        };
+        const plain = serializeMessage(msg);
+        const enc = await ratchetEncrypt(ratchetState, plain);
+        ratchetState = enc.state;
+        const envelope = encodeEnvelope({
+          version: PROTOCOL_VERSION,
+          type: getWireType("terminal_data"),
+          counter: enc.counter,
+          nonce: enc.nonce,
+          ciphertext: enc.ciphertext
+        });
+        cliWs.send(Buffer.from(envelope));
+      } catch {
+      }
+    });
+  }
+  const hookSockPath = `/tmp/reley-hooks-${process.pid}.sock`;
+  try {
+    unlinkSync(hookSockPath);
+  } catch {
+  }
+  const hookServer = createNetServer((socket) => {
+    let buf = "";
+    socket.on("data", (chunk) => {
+      buf += chunk.toString();
+      const nl = buf.indexOf("\n");
+      if (nl === -1) return;
+      const line = buf.substring(0, nl);
+      buf = buf.substring(nl + 1);
+      let json;
+      try {
+        json = JSON.parse(line);
+      } catch {
+        socket.end(JSON.stringify({ action: "approve" }));
+        return;
+      }
+      if (e2eReady && ratchetState && cliWs.readyState === WebSocket.OPEN) {
+        withRatchet(async () => {
+          if (!ratchetState || cliWs.readyState !== WebSocket.OPEN) return;
+          const hookMsg = {
+            type: "hook_event",
+            hookType: json.hookType === "pre-tool-use" ? "pre_tool_use" : json.hookType,
+            sessionId,
+            payload: json.data ?? { kind: json.hookType, raw: true }
+          };
+          const plain = serializeMessage(hookMsg);
+          const enc = await ratchetEncrypt(ratchetState, plain);
+          ratchetState = enc.state;
+          const envelope = encodeEnvelope({
+            version: PROTOCOL_VERSION,
+            type: getWireType("hook_event"),
+            counter: enc.counter,
+            nonce: enc.nonce,
+            ciphertext: enc.ciphertext
+          });
+          cliWs.send(Buffer.from(envelope));
+        });
+      } else if (cliWs.readyState === WebSocket.OPEN) {
+        cliWs.send(JSON.stringify({
+          type: "hook_event",
+          hookType: json.hookType,
+          data: json.data
+        }));
+      }
+      socket.end(JSON.stringify({ action: "approve" }));
+    });
+  });
+  await new Promise((resolve2) => {
+    hookServer.listen(hookSockPath, () => resolve2());
+  });
+  log("HOOKS", `Socket at ${hookSockPath}`);
+  let hookScriptPath = null;
+  let originalSettings = null;
+  const isClaudeCommand = command === "claude" || command.endsWith("/claude");
+  if (isClaudeCommand) {
+    hookScriptPath = createHookScript(hookSockPath);
+    originalSettings = installClaudeHooks(hookScriptPath);
+    log("HOOKS", "Claude hooks installed");
+  }
+  let ptyCols = process.stdout.columns || 80;
+  let ptyRows = process.stdout.rows || 24;
+  console.error(`
+  \x1B[1m\x1B[36m\u2192 View in web dashboard\x1B[0m
+`);
+  loggingEnabled = false;
+  const ptyEnv = {
+    ...process.env
+  };
+  if (hookSockPath) {
+    ptyEnv.RELEY_HOOK_SOCK = hookSockPath;
+  }
+  const pty2 = spawn(command, args, {
+    name: "xterm-256color",
+    cols: ptyCols,
+    rows: ptyRows,
+    cwd: process.cwd(),
+    env: ptyEnv
+  });
+  pty2.onData((data) => {
+    process.stdout.write(data);
+    const buf = Buffer.from(data);
+    appendScrollback(buf);
+    sendEncrypted(buf);
+  });
+  cliWs.on("message", async (raw, isBinary) => {
+    if (!isBinary) {
+      try {
+        const msg = JSON.parse(raw.toString());
+        if (msg.type === "key_exchange" && msg.publicKey && msg.role === "viewer") {
+          await initE2E(msg.publicKey);
+          log("CRYPTO", "E2E established with viewer");
+        } else if (msg.type === "peer_joined") {
+          e2eReady = false;
+          ratchetState = null;
+        }
+      } catch {
+      }
+      return;
+    }
+    if (!e2eReady || !ratchetState) return;
+    withRatchet(async () => {
+      if (!ratchetState) return;
+      try {
+        const env = decodeEnvelope(new Uint8Array(raw));
+        const dec = await ratchetDecrypt(ratchetState, env.ciphertext, env.nonce, env.counter);
+        ratchetState = dec.state;
+        const msg = deserializeMessage(dec.plaintext);
+        if (msg.type === "terminal_input") {
+          const input = Buffer.from(msg.data, "base64").toString();
+          pty2.write(input);
+        } else if (msg.type === "terminal_resize") {
+          const { cols, rows } = msg;
+          if (cols && rows) {
+            ptyCols = cols;
+            ptyRows = rows;
+            pty2.resize(cols, rows);
+          }
+        }
+      } catch {
+      }
+    });
+  });
+  if (process.stdin.isTTY) {
+    process.stdin.setRawMode(true);
+  }
+  process.stdin.resume();
+  process.stdin.on("data", (data) => {
+    pty2.write(data.toString());
+  });
+  process.stdout.on("resize", () => {
+    ptyCols = process.stdout.columns || 80;
+    ptyRows = process.stdout.rows || 24;
+    pty2.resize(ptyCols, ptyRows);
+  });
+  const cleanup = () => {
+    hookServer.close();
+    try {
+      unlinkSync(hookSockPath);
+    } catch {
+    }
+    if (hookScriptPath) {
+      try {
+        unlinkSync(hookScriptPath);
+      } catch {
+      }
+    }
+    if (originalSettings && hookScriptPath) {
+      uninstallClaudeHooks(originalSettings, hookScriptPath);
+    }
+    cliWs.close();
+    fetch(`${config.reley_url}/api/v1/sessions/${sessionId}`, {
+      method: "PATCH",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${config.device_token}`
+      },
+      body: JSON.stringify({ status: "closed" })
+    }).catch(() => {
+    });
+  };
+  pty2.onExit(() => {
+    cleanup();
+    process.exit(0);
+  });
+  process.on("SIGINT", () => pty2.kill());
+  process.on("SIGTERM", () => pty2.kill());
+}
+function computeFingerprint(sodium2, pk1, pk2) {
+  const sorted = [pk1, pk2].sort((a, b) => {
+    for (let i = 0; i < a.length; i++) {
+      if (a[i] !== b[i]) return a[i] - b[i];
+    }
+    return 0;
+  });
+  const combined = new Uint8Array(sorted[0].length + sorted[1].length);
+  combined.set(sorted[0], 0);
+  combined.set(sorted[1], sorted[0].length);
+  const hash = sodium2.crypto_generichash(16, combined, null);
+  const hex = sodium2.to_hex(hash).toUpperCase();
+  return hex.match(/.{4}/g).join("-");
+}
+
+// src/commands/pair.ts
+import * as fs from "node:fs/promises";
+import * as path from "node:path";
+import * as crypto2 from "node:crypto";
+import qrcode from "qrcode-terminal";
+async function pairCommand(options) {
+  const { releyUrl, configDir } = options;
+  const sodium2 = await ensureSodium();
+  console.log("Generating identity key pair...");
+  const identityKp = await generateIdentityKeyPair();
+  console.log("Generating ephemeral key pair...");
+  const ephemeralKp = await generateEphemeralKeyPair();
+  console.log("Generating one-time pairing code...");
+  const oneTimeCode = await generateOneTimeCode(32);
+  const otcHash = await hashOneTimeCode(oneTimeCode);
+  const deviceId = crypto2.randomUUID();
+  console.log("Initiating pairing with reley...");
+  const initiateBody = {
+    publicKey: sodium2.to_base64(identityKp.publicKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+    otcHash: sodium2.to_base64(otcHash, sodium2.base64_variants.URLSAFE_NO_PADDING),
+    deviceId
+  };
+  const initiateRes = await fetch(`${releyUrl}/api/v1/pair/initiate`, {
+    method: "POST",
+    headers: { "Content-Type": "application/json" },
+    body: JSON.stringify(initiateBody)
+  });
+  if (!initiateRes.ok) {
+    const errText = await initiateRes.text();
+    throw new Error(`Failed to initiate pairing: ${initiateRes.status} ${errText}`);
+  }
+  const { sessionId, jwt } = await initiateRes.json();
+  console.log(`Pairing session created: ${sessionId}`);
+  const qrPayloadStr = await encodeQRPayload({
+    releyUrl,
+    publicKey: ephemeralKp.publicKey,
+    oneTimeCode,
+    jwt
+  });
+  console.log("\nScan this QR code with the Reley mobile app:\n");
+  await new Promise((resolve2) => {
+    qrcode.generate(qrPayloadStr, { small: true }, (output) => {
+      console.log(output);
+      resolve2();
+    });
+  });
+  console.log("\nWaiting for mobile device to complete pairing...");
+  const POLL_INTERVAL_MS = 2e3;
+  const MAX_POLL_DURATION_MS = 5 * 60 * 1e3;
+  const startTime = Date.now();
+  let peerPublicKey;
+  while (Date.now() - startTime < MAX_POLL_DURATION_MS) {
+    await sleep(POLL_INTERVAL_MS);
+    const statusRes = await fetch(`${releyUrl}/api/v1/pair/status/${sessionId}`, {
+      headers: { Authorization: `Bearer ${jwt}` }
+    });
+    if (!statusRes.ok) {
+      console.error(`Poll error: ${statusRes.status}`);
+      continue;
+    }
+    const statusData = await statusRes.json();
+    if (statusData.status === "completed") {
+      peerPublicKey = statusData.peerPublicKey;
+      break;
+    }
+    if (statusData.status === "expired") {
+      throw new Error("Pairing session expired. Please try again.");
+    }
+    process.stdout.write(".");
+  }
+  if (!peerPublicKey) {
+    throw new Error("Pairing timed out after 5 minutes.");
+  }
+  console.log("\n\nPairing successful!");
+  const sessionConfig = {
+    deviceId,
+    sessionId,
+    releyUrl,
+    jwt,
+    identityPublicKey: sodium2.to_base64(identityKp.publicKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+    identitySecretKey: sodium2.to_base64(identityKp.secretKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+    ephemeralPublicKey: sodium2.to_base64(ephemeralKp.publicKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+    ephemeralSecretKey: sodium2.to_base64(ephemeralKp.secretKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+    peerPublicKey,
+    pairedAt: (/* @__PURE__ */ new Date()).toISOString()
+  };
+  await fs.mkdir(configDir, { recursive: true });
+  const configPath = path.join(configDir, "session.json");
+  await fs.writeFile(configPath, JSON.stringify(sessionConfig, null, 2), "utf-8");
+  console.log(`Session saved to ${configPath}`);
+  console.log(`Device ID: ${deviceId}`);
+  console.log(`Session ID: ${sessionId}`);
+}
+function sleep(ms) {
+  return new Promise((resolve2) => setTimeout(resolve2, ms));
+}
+
+// src/commands/wrap.ts
+import * as fs3 from "node:fs/promises";
+import * as path3 from "node:path";
+
+// src/daemon/pty-manager.ts
+import pty from "node-pty";
+var PtyManager = class {
+  process = null;
+  dataCallbacks = [];
+  exitCallbacks = [];
+  /**
+   * Spawn a command in a pseudo-terminal.
+   */
+  spawn(command, args, options = {}) {
+    const { cols = 80, rows = 24, cwd, env } = options;
+    this.process = pty.spawn(command, args, {
+      name: "xterm-256color",
+      cols,
+      rows,
+      cwd: cwd || process.cwd(),
+      env: env || process.env
+    });
+    this.process.onData((data) => {
+      for (const cb of this.dataCallbacks) {
+        cb(data);
+      }
+    });
+    this.process.onExit(({ exitCode, signal }) => {
+      for (const cb of this.exitCallbacks) {
+        cb(exitCode, signal);
+      }
+      this.process = null;
+    });
+    return this.process;
+  }
+  /**
+   * Register a callback for PTY data output.
+   */
+  onData(callback) {
+    this.dataCallbacks.push(callback);
+  }
+  /**
+   * Register a callback for PTY exit.
+   */
+  onExit(callback) {
+    this.exitCallbacks.push(callback);
+  }
+  /**
+   * Write data to the PTY input.
+   */
+  write(data) {
+    if (!this.process) {
+      throw new Error("PTY process not running");
+    }
+    this.process.write(data);
+  }
+  /**
+   * Resize the PTY to the given dimensions.
+   */
+  resize(cols, rows) {
+    if (!this.process) {
+      return;
+    }
+    this.process.resize(cols, rows);
+  }
+  /**
+   * Kill the PTY process.
+   */
+  kill(signal) {
+    if (!this.process) {
+      return;
+    }
+    try {
+      this.process.kill(signal);
+    } catch {
+    }
+    this.process = null;
+  }
+  /**
+   * Get the PID of the PTY process.
+   */
+  get pid() {
+    return this.process?.pid;
+  }
+  /**
+   * Check if the PTY process is running.
+   */
+  get isRunning() {
+    return this.process !== null;
+  }
+  /**
+   * Clean shutdown: kill process and clear callbacks.
+   */
+  shutdown() {
+    this.kill();
+    this.dataCallbacks = [];
+    this.exitCallbacks = [];
+  }
+};
+
+// src/daemon/ws-client.ts
+import { EventEmitter } from "node:events";
+import WebSocket2 from "ws";
+var WsClient = class extends EventEmitter {
+  ws = null;
+  url = "";
+  token = "";
+  releyHttpUrl = "";
+  reconnectAttempts = 0;
+  reconnectTimer = null;
+  pingTimer = null;
+  pongTimer = null;
+  tokenRefreshTimer = null;
+  shouldReconnect = true;
+  messageCallbacks = [];
+  connectCallbacks = [];
+  disconnectCallbacks = [];
+  /**
+   * Connect to a WebSocket reley server.
+   */
+  async connect(url, token) {
+    this.url = url;
+    this.token = token;
+    this.shouldReconnect = true;
+    this.releyHttpUrl = url.replace(/^ws:/, "http:").replace(/^wss:/, "https:").replace(/\/ws\??.*$/, "");
+    this.scheduleTokenRefresh();
+    return this.doConnect();
+  }
+  doConnect() {
+    return new Promise((resolve2, reject) => {
+      const ws = new WebSocket2(this.url, {
+        headers: {
+          Authorization: `Bearer ${this.token}`
+        }
+      });
+      ws.binaryType = "arraybuffer";
+      ws.on("open", () => {
+        this.ws = ws;
+        this.reconnectAttempts = 0;
+        this.startPingInterval();
+        for (const cb of this.connectCallbacks) {
+          cb();
+        }
+        this.emit("connect");
+        resolve2(ws);
+      });
+      ws.on("message", (data) => {
+        let bytes;
+        if (data instanceof ArrayBuffer) {
+          bytes = new Uint8Array(data);
+        } else if (Buffer.isBuffer(data)) {
+          bytes = new Uint8Array(data);
+        } else if (Array.isArray(data)) {
+          bytes = new Uint8Array(Buffer.concat(data));
+        } else {
+          return;
+        }
+        for (const cb of this.messageCallbacks) {
+          cb(bytes);
+        }
+        this.emit("message", bytes);
+      });
+      ws.on("pong", () => {
+        this.clearPongTimeout();
+      });
+      ws.on("close", (code, reason) => {
+        const reasonStr = reason.toString("utf-8");
+        this.ws = null;
+        this.stopPingInterval();
+        for (const cb of this.disconnectCallbacks) {
+          cb(code, reasonStr);
+        }
+        this.emit("disconnect", code, reasonStr);
+        if (this.shouldReconnect) {
+          this.scheduleReconnect();
+        }
+      });
+      ws.on("error", (err) => {
+        this.emit("error", err);
+        if (!this.ws && this.reconnectAttempts === 0) {
+          reject(err);
+        }
+      });
+    });
+  }
+  /**
+   * Register a callback for incoming binary messages.
+   */
+  onMessage(callback) {
+    this.messageCallbacks.push(callback);
+  }
+  /**
+   * Register a callback for successful connection.
+   */
+  onConnect(callback) {
+    this.connectCallbacks.push(callback);
+  }
+  /**
+   * Register a callback for disconnection.
+   */
+  onDisconnect(callback) {
+    this.disconnectCallbacks.push(callback);
+  }
+  /**
+   * Send binary data through the WebSocket.
+   */
+  send(data) {
+    if (!this.ws || this.ws.readyState !== WebSocket2.OPEN) {
+      throw new Error("WebSocket is not connected");
+    }
+    this.ws.send(data);
+  }
+  /**
+   * Close the WebSocket connection and stop reconnecting.
+   */
+  /**
+   * Update the token (called after refresh).
+   */
+  updateToken(newToken) {
+    this.token = newToken;
+  }
+  close() {
+    this.shouldReconnect = false;
+    if (this.reconnectTimer) {
+      clearTimeout(this.reconnectTimer);
+      this.reconnectTimer = null;
+    }
+    if (this.tokenRefreshTimer) {
+      clearTimeout(this.tokenRefreshTimer);
+      this.tokenRefreshTimer = null;
+    }
+    this.stopPingInterval();
+    if (this.ws) {
+      this.ws.close(1e3, "Client closing");
+      this.ws = null;
+    }
+  }
+  /**
+   * Check if the WebSocket is currently connected.
+   */
+  get isConnected() {
+    return this.ws !== null && this.ws.readyState === WebSocket2.OPEN;
+  }
+  /**
+   * Schedule a reconnection attempt with exponential backoff.
+   */
+  scheduleReconnect() {
+    const baseDelay = TIMEOUTS.WS_RECONNECT_BASE;
+    const maxDelay = TIMEOUTS.WS_RECONNECT_MAX;
+    const delay = Math.min(baseDelay * Math.pow(2, this.reconnectAttempts), maxDelay);
+    const jitter = Math.random() * delay * 0.25;
+    const actualDelay = delay + jitter;
+    this.reconnectAttempts++;
+    this.reconnectTimer = setTimeout(async () => {
+      try {
+        await this.doConnect();
+      } catch {
+      }
+    }, actualDelay);
+  }
+  /**
+   * Start sending periodic ping frames.
+   */
+  startPingInterval() {
+    this.stopPingInterval();
+    this.pingTimer = setInterval(() => {
+      if (this.ws && this.ws.readyState === WebSocket2.OPEN) {
+        this.ws.ping();
+        this.startPongTimeout();
+      }
+    }, TIMEOUTS.PING_INTERVAL);
+  }
+  /**
+   * Stop the ping interval.
+   */
+  stopPingInterval() {
+    if (this.pingTimer) {
+      clearInterval(this.pingTimer);
+      this.pingTimer = null;
+    }
+    this.clearPongTimeout();
+  }
+  /**
+   * Start a timeout waiting for pong response.
+   */
+  startPongTimeout() {
+    this.clearPongTimeout();
+    this.pongTimer = setTimeout(() => {
+      if (this.ws) {
+        this.ws.terminate();
+      }
+    }, TIMEOUTS.PONG_TIMEOUT);
+  }
+  /**
+   * Clear the pong timeout.
+   */
+  clearPongTimeout() {
+    if (this.pongTimer) {
+      clearTimeout(this.pongTimer);
+      this.pongTimer = null;
+    }
+  }
+  /**
+   * Schedule automatic token refresh 1 hour before expiry (i.e., every 23 hours).
+   */
+  scheduleTokenRefresh() {
+    if (this.tokenRefreshTimer) {
+      clearTimeout(this.tokenRefreshTimer);
+    }
+    const refreshInterval = 23 * 60 * 60 * 1e3;
+    this.tokenRefreshTimer = setTimeout(async () => {
+      await this.refreshToken();
+    }, refreshInterval);
+    this.tokenRefreshTimer.unref();
+  }
+  /**
+   * Refresh the JWT token via the reley's refresh endpoint.
+   */
+  async refreshToken() {
+    try {
+      const response = await fetch(`${this.releyHttpUrl}/api/v1/auth/refresh`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token: this.token })
+      });
+      if (response.ok) {
+        const data = await response.json();
+        this.token = data.token;
+        this.scheduleTokenRefresh();
+      }
+    } catch {
+      this.tokenRefreshTimer = setTimeout(async () => {
+        await this.refreshToken();
+      }, 5 * 60 * 1e3);
+      this.tokenRefreshTimer?.unref();
+    }
+  }
+};
+
+// src/daemon/crypto-session.ts
+import * as fs2 from "node:fs/promises";
+import * as path2 from "node:path";
+var CryptoSession = class {
+  ratchetState = null;
+  isInitialized = false;
+  /**
+   * Initialize the crypto session from saved pairing configuration.
+   */
+  async initFromConfig(configDir) {
+    const sodium2 = await ensureSodium();
+    const ratchetPath = path2.join(configDir, "ratchet-state.json");
+    try {
+      const raw2 = await fs2.readFile(ratchetPath, "utf-8");
+      const serialized = JSON.parse(raw2);
+      this.ratchetState = {
+        sendChainKey: sodium2.from_base64(serialized.sendChainKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+        recvChainKey: sodium2.from_base64(serialized.recvChainKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+        sendCounter: serialized.sendCounter,
+        recvCounter: serialized.recvCounter,
+        maxRecvCounter: serialized.maxRecvCounter
+      };
+      this.isInitialized = true;
+      return;
+    } catch {
+    }
+    const configPath = path2.join(configDir, "session.json");
+    const raw = await fs2.readFile(configPath, "utf-8");
+    const config = JSON.parse(raw);
+    const ourSecretKey = sodium2.from_base64(config.ephemeralSecretKey, sodium2.base64_variants.URLSAFE_NO_PADDING);
+    const peerPublicKey = sodium2.from_base64(config.peerPublicKey, sodium2.base64_variants.URLSAFE_NO_PADDING);
+    const sharedSecret = await computeSharedSecret(ourSecretKey, peerPublicKey);
+    const { sendKey, recvKey } = await deriveSessionKeys(sharedSecret);
+    this.ratchetState = initRatchet(sendKey, recvKey);
+    this.isInitialized = true;
+  }
+  /**
+   * Initialize from raw keys (for testing or manual setup).
+   */
+  async initFromKeys(ourSecretKey, peerPublicKey) {
+    const sharedSecret = await computeSharedSecret(ourSecretKey, peerPublicKey);
+    const { sendKey, recvKey } = await deriveSessionKeys(sharedSecret);
+    this.ratchetState = initRatchet(sendKey, recvKey);
+    this.isInitialized = true;
+  }
+  /**
+   * Encrypt a protocol message and build a wire-format envelope.
+   */
+  async encryptMessage(message) {
+    if (!this.ratchetState) {
+      throw new Error("Crypto session not initialized");
+    }
+    const plaintext = serializeMessage(message);
+    const wireType = getWireType(message.type);
+    const { ciphertext, nonce, counter, state } = await ratchetEncrypt(
+      this.ratchetState,
+      plaintext
+    );
+    this.ratchetState = state;
+    const envelope = {
+      version: PROTOCOL_VERSION,
+      type: wireType,
+      counter,
+      nonce,
+      ciphertext
+    };
+    if (needsKeyRotation(this.ratchetState)) {
+      await this.performKeyRotation();
+    }
+    return encodeEnvelope(envelope);
+  }
+  /**
+   * Decrypt a wire-format envelope and return the protocol message.
+   */
+  async decryptMessage(data) {
+    if (!this.ratchetState) {
+      throw new Error("Crypto session not initialized");
+    }
+    const envelope = decodeEnvelope(data);
+    const { plaintext, state } = await ratchetDecrypt(
+      this.ratchetState,
+      envelope.ciphertext,
+      envelope.nonce,
+      envelope.counter
+    );
+    this.ratchetState = state;
+    return deserializeMessage(plaintext);
+  }
+  /**
+   * Save the current ratchet state to disk.
+   */
+  async saveState(configDir) {
+    if (!this.ratchetState) {
+      return;
+    }
+    const sodium2 = await ensureSodium();
+    const serialized = {
+      sendChainKey: sodium2.to_base64(this.ratchetState.sendChainKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+      recvChainKey: sodium2.to_base64(this.ratchetState.recvChainKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+      sendCounter: this.ratchetState.sendCounter,
+      recvCounter: this.ratchetState.recvCounter,
+      maxRecvCounter: this.ratchetState.maxRecvCounter
+    };
+    const ratchetPath = path2.join(configDir, "ratchet-state.json");
+    await fs2.writeFile(ratchetPath, JSON.stringify(serialized, null, 2), "utf-8");
+  }
+  /**
+   * Load ratchet state from disk.
+   */
+  async loadState(configDir) {
+    const sodium2 = await ensureSodium();
+    const ratchetPath = path2.join(configDir, "ratchet-state.json");
+    try {
+      const raw = await fs2.readFile(ratchetPath, "utf-8");
+      const serialized = JSON.parse(raw);
+      this.ratchetState = {
+        sendChainKey: sodium2.from_base64(serialized.sendChainKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+        recvChainKey: sodium2.from_base64(serialized.recvChainKey, sodium2.base64_variants.URLSAFE_NO_PADDING),
+        sendCounter: serialized.sendCounter,
+        recvCounter: serialized.recvCounter,
+        maxRecvCounter: serialized.maxRecvCounter
+      };
+      this.isInitialized = true;
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Get current ratchet state (for diagnostics).
+   */
+  getRatchetInfo() {
+    return {
+      sendCounter: this.ratchetState?.sendCounter ?? 0,
+      recvCounter: this.ratchetState?.recvCounter ?? 0,
+      initialized: this.isInitialized
+    };
+  }
+  /**
+   * Perform key rotation by generating new ephemeral keys.
+   * This is triggered automatically when the ratchet reaches KEY_ROTATION_INTERVAL.
+   */
+  async performKeyRotation() {
+  }
+};
+
+// src/commands/wrap.ts
+async function wrapCommand(commandArgs, options) {
+  const { configDir } = options;
+  const configPath = path3.join(configDir, "session.json");
+  let sessionConfig;
+  try {
+    const raw = await fs3.readFile(configPath, "utf-8");
+    sessionConfig = JSON.parse(raw);
+  } catch {
+    console.error('No active session found. Run "reley pair" first.');
+    process.exit(1);
+  }
+  const cryptoSession = new CryptoSession();
+  await cryptoSession.initFromConfig(configDir);
+  const command = commandArgs[0];
+  const args = commandArgs.slice(1);
+  console.log(`Wrapping command: ${commandArgs.join(" ")}`);
+  const ptyManager = new PtyManager();
+  const pty2 = ptyManager.spawn(command, args, {
+    cols: process.stdout.columns || 80,
+    rows: process.stdout.rows || 24,
+    cwd: process.cwd(),
+    env: process.env
+  });
+  const wsUrl = sessionConfig.releyUrl.replace(/^http/, "ws");
+  const wsClient = new WsClient();
+  await wsClient.connect(`${wsUrl}/api/v1/ws/${sessionConfig.sessionId}`, sessionConfig.jwt);
+  console.log("Connected to reley. Forwarding terminal output...");
+  ptyManager.onData(async (data) => {
+    process.stdout.write(data);
+    const message = {
+      type: "terminal_data",
+      data: Buffer.from(data, "utf-8").toString("base64")
+    };
+    try {
+      const encrypted = await cryptoSession.encryptMessage(message);
+      wsClient.send(encrypted);
+    } catch (err) {
+      console.error("Encryption error:", err);
+    }
+  });
+  if (process.stdin.isTTY) {
+    process.stdin.setRawMode(true);
+  }
+  process.stdin.resume();
+  process.stdin.on("data", (data) => {
+    ptyManager.write(data.toString("utf-8"));
+  });
+  process.stdout.on("resize", () => {
+    const cols = process.stdout.columns || 80;
+    const rows = process.stdout.rows || 24;
+    ptyManager.resize(cols, rows);
+  });
+  wsClient.onMessage(async (data) => {
+    try {
+      const message = await cryptoSession.decryptMessage(data);
+      switch (message.type) {
+        case "terminal_input": {
+          const inputMsg = message;
+          const inputData = Buffer.from(inputMsg.data, "base64").toString("utf-8");
+          ptyManager.write(inputData);
+          break;
+        }
+        case "terminal_resize": {
+          const resizeMsg = message;
+          ptyManager.resize(resizeMsg.cols, resizeMsg.rows);
+          break;
+        }
+        case "session_close": {
+          const closeMsg = message;
+          console.log(`
+Remote session closed: ${closeMsg.reason}`);
+          cleanup();
+          break;
+        }
+        default:
+          break;
+      }
+    } catch (err) {
+      console.error("Decryption/handling error:", err);
+    }
+  });
+  ptyManager.onExit(async (exitCode, signal) => {
+    console.log(`
+Process exited with code ${exitCode}${signal ? ` (signal ${signal})` : ""}`);
+    const closeMessage = {
+      type: "session_close",
+      reason: `Process exited with code ${exitCode}`
+    };
+    try {
+      const encrypted = await cryptoSession.encryptMessage(closeMessage);
+      wsClient.send(encrypted);
+    } catch {
+    }
+    await cryptoSession.saveState(configDir);
+    cleanup();
+  });
+  wsClient.onDisconnect(() => {
+    console.log("\nDisconnected from reley. Attempting reconnection...");
+  });
+  wsClient.onConnect(() => {
+    console.log("Reconnected to reley.");
+  });
+  function cleanup() {
+    ptyManager.kill();
+    wsClient.close();
+    if (process.stdin.isTTY) {
+      process.stdin.setRawMode(false);
+    }
+    process.stdin.pause();
+    process.exit(0);
+  }
+  process.on("SIGINT", cleanup);
+  process.on("SIGTERM", cleanup);
+}
+
+// src/commands/status.ts
+import * as fs4 from "node:fs/promises";
+import * as path4 from "node:path";
+async function statusCommand(options) {
+  const { configDir } = options;
+  console.log("Reley Status");
+  console.log("=================\n");
+  const configPath = path4.join(configDir, "session.json");
+  let sessionConfig = null;
+  try {
+    const raw = await fs4.readFile(configPath, "utf-8");
+    sessionConfig = JSON.parse(raw);
+  } catch {
+  }
+  if (!sessionConfig) {
+    console.log("Pairing:    Not paired");
+    console.log('\nRun "reley pair" to pair with a mobile device.\n');
+  } else {
+    console.log("Pairing:    Paired");
+    console.log(`Device ID:  ${sessionConfig.deviceId}`);
+    console.log(`Session ID: ${sessionConfig.sessionId}`);
+    console.log(`Reley URL:  ${sessionConfig.releyUrl}`);
+    console.log(`Paired at:  ${sessionConfig.pairedAt || "Unknown"}`);
+    if (sessionConfig.peerPublicKey) {
+      const truncatedKey = sessionConfig.peerPublicKey.substring(0, 16) + "...";
+      console.log(`Peer key:   ${truncatedKey}`);
+    }
+    console.log(`Identity:   ${sessionConfig.identityPublicKey.substring(0, 16)}...`);
+  }
+  const releyUrl = sessionConfig?.releyUrl || options.releyUrl;
+  console.log(`
+Reley Health (${releyUrl}):`);
+  try {
+    const healthRes = await fetch(`${releyUrl}/api/v1/health`, {
+      signal: AbortSignal.timeout(5e3)
+    });
+    if (healthRes.ok) {
+      const healthData = await healthRes.json();
+      console.log(`  Status:  ${healthData.status}`);
+      if (healthData.version) {
+        console.log(`  Version: ${healthData.version}`);
+      }
+      if (healthData.uptime !== void 0) {
+        console.log(`  Uptime:  ${Math.round(healthData.uptime)}s`);
+      }
+    } else {
+      console.log(`  Status:  Error (HTTP ${healthRes.status})`);
+    }
+  } catch (err) {
+    const errorMessage = err instanceof Error ? err.message : String(err);
+    console.log(`  Status:  Unreachable (${errorMessage})`);
+  }
+  const ratchetPath = path4.join(configDir, "ratchet-state.json");
+  try {
+    await fs4.access(ratchetPath);
+    console.log("\nCrypto:     Ratchet state saved");
+  } catch {
+    console.log("\nCrypto:     No ratchet state (new session)");
+  }
+  const hooksSocketPath = path4.join(configDir, "hooks.sock");
+  try {
+    await fs4.access(hooksSocketPath);
+    console.log("Hooks:      Socket exists");
+  } catch {
+    console.log("Hooks:      Not active");
+  }
+  console.log("");
+}
+
+// src/commands/install-hooks.ts
+import * as fs5 from "node:fs/promises";
+import * as path5 from "node:path";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
+async function installHooksCommand(options) {
+  const { configDir } = options;
+  console.log("Installing Claude Code hooks for Reley...\n");
+  const __filename = fileURLToPath2(import.meta.url);
+  const __dirname2 = path5.dirname(__filename);
+  const hooksTemplatePath = path5.resolve(__dirname2, "..", "hooks", "hooks.json");
+  let hooksConfig;
+  try {
+    const raw = await fs5.readFile(hooksTemplatePath, "utf-8");
+    hooksConfig = JSON.parse(raw);
+  } catch {
+    hooksConfig = {
+      hooks: {
+        Stop: [{ matcher: "", command: "reley-hook stop" }],
+        Notification: [{ matcher: "", command: "reley-hook notification" }],
+        PreToolUse: [
+          { matcher: "Bash", command: "reley-hook pre-tool-use" },
+          { matcher: "Write", command: "reley-hook pre-tool-use" },
+          { matcher: "Edit", command: "reley-hook pre-tool-use" }
+        ]
+      }
+    };
+  }
+  const claudeConfigDir = path5.join(process.env.HOME || "~", ".claude");
+  const hooksDir = path5.join(claudeConfigDir, "hooks");
+  await fs5.mkdir(hooksDir, { recursive: true });
+  const hooksOutputPath = path5.join(hooksDir, "reley-hooks.json");
+  await fs5.writeFile(hooksOutputPath, JSON.stringify(hooksConfig, null, 2), "utf-8");
+  const socketPath = path5.join(configDir, "hooks.sock");
+  const hookScript = createHookScript2(socketPath);
+  const binDir = path5.join(configDir, "bin");
+  await fs5.mkdir(binDir, { recursive: true });
+  const hookScriptPath = path5.join(binDir, "reley-hook");
+  await fs5.writeFile(hookScriptPath, hookScript, { mode: 493 });
+  console.log("Installed files:");
+  console.log(`  Hooks config:  ${hooksOutputPath}`);
+  console.log(`  Hook script:   ${hookScriptPath}`);
+  console.log(`  Socket path:   ${socketPath}`);
+  console.log("");
+  console.log("Hook configuration:");
+  console.log("  Stop:         Sends stop events to mobile");
+  console.log("  Notification: Forwards notifications to mobile");
+  console.log("  PreToolUse:   Requires mobile approval for Bash, Write, Edit");
+  console.log("");
+  console.log("To activate, add to your PATH:");
+  console.log(`  export PATH="${binDir}:$PATH"`);
+  console.log("");
+  console.log("Or create a symlink:");
+  console.log(`  ln -sf ${hookScriptPath} /usr/local/bin/reley-hook`);
+  console.log("");
+}
+function createHookScript2(socketPath) {
+  return `#!/usr/bin/env node
+import * as net from 'node:net';
+import * as process from 'node:process';
+
+const SOCKET_PATH = ${JSON.stringify(socketPath)};
+const HOOK_TYPE = process.argv[2]; // stop, notification, pre-tool-use
+const TIMEOUT_MS = 5 * 60 * 1000; // 5 minutes
+
+async function main() {
+  // Read hook data from stdin
+  const chunks = [];
+  for await (const chunk of process.stdin) {
+    chunks.push(chunk);
+  }
+  const hookData = Buffer.concat(chunks).toString('utf-8');
+
+  // Send to daemon via Unix socket
+  const payload = JSON.stringify({
+    hookType: HOOK_TYPE,
+    data: hookData ? JSON.parse(hookData) : {},
+    timestamp: Date.now(),
+  });
+
+  const response = await new Promise((resolve, reject) => {
+    const timeout = setTimeout(() => {
+      reject(new Error('Hook response timeout'));
+    }, TIMEOUT_MS);
+
+    const client = net.createConnection(SOCKET_PATH, () => {
+      client.write(payload + '\\n');
+    });
+
+    let responseData = '';
+    client.on('data', (data) => {
+      responseData += data.toString();
+    });
+
+    client.on('end', () => {
+      clearTimeout(timeout);
+      try {
+        resolve(JSON.parse(responseData));
+      } catch {
+        resolve({ action: 'approve' });
+      }
+    });
+
+    client.on('error', (err) => {
+      clearTimeout(timeout);
+      // If daemon is not running, default to approve
+      console.error('Reley daemon not available:', err.message);
+      resolve({ action: 'approve' });
+    });
+  });
+
+  // Output response for Claude Code to read
+  console.log(JSON.stringify(response));
+}
+
+main().catch((err) => {
+  console.error('reley-hook error:', err);
+  // Default to approve on error
+  console.log(JSON.stringify({ action: 'approve' }));
+});
+`;
+}
+
+// src/commands/login.ts
+init_config();
+import { createServer } from "node:http";
+import { URL } from "node:url";
+import { hostname } from "node:os";
+var DEFAULT_RELEY_URL = "https://api.reley.sh";
+async function loginCommand(opts) {
+  const releyUrl = opts.releyUrl || process.env.RELEY_URL || DEFAULT_RELEY_URL;
+  let supabaseUrl = process.env.SUPABASE_URL;
+  let supabaseAnonKey = process.env.SUPABASE_ANON_KEY;
+  if (!supabaseUrl || !supabaseAnonKey) {
+    try {
+      const configRes = await fetch(`${releyUrl}/api/v1/auth/config`);
+      if (!configRes.ok) throw new Error(`HTTP ${configRes.status}`);
+      const config = await configRes.json();
+      supabaseUrl = config.supabaseUrl;
+      supabaseAnonKey = config.supabaseAnonKey;
+    } catch {
+      console.error(
+        "\x1B[31mError:\x1B[0m Could not connect to reley server at " + releyUrl
+      );
+      console.error("Check that the server is running and the URL is correct.");
+      process.exit(1);
+    }
+  }
+  console.log("\x1B[36m[Reley]\x1B[0m Starting Google login...\n");
+  const { token, email } = await startOAuthFlow(supabaseUrl, supabaseAnonKey);
+  console.log(`\x1B[32m\u2713\x1B[0m Logged in as \x1B[1m${email}\x1B[0m
+`);
+  console.log("\x1B[36m[Reley]\x1B[0m Registering device...");
+  const deviceName = hostname() || "Unknown Device";
+  const res = await fetch(`${releyUrl}/api/v1/devices/register`, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${token}`
+    },
+    body: JSON.stringify({ name: deviceName })
+  });
+  if (!res.ok) {
+    const body = await res.json().catch(() => ({}));
+    console.error(
+      `\x1B[31mError:\x1B[0m Failed to register device: ${body.error || res.statusText}`
+    );
+    process.exit(1);
+  }
+  const { deviceId, deviceToken } = await res.json();
+  saveConfig({
+    reley_url: releyUrl,
+    device_token: deviceToken,
+    device_id: deviceId,
+    user_email: email
+  });
+  console.log(`\x1B[32m\u2713\x1B[0m Device registered: \x1B[1m${deviceName}\x1B[0m`);
+  console.log(`\x1B[32m\u2713\x1B[0m Config saved to ${getConfigPath()}
+`);
+  console.log("You can now run \x1B[1mreley\x1B[0m to start a session.");
+}
+async function startOAuthFlow(supabaseUrl, supabaseAnonKey) {
+  return new Promise((resolve2, reject) => {
+    const CALLBACK_PORT = 54321;
+    const redirectUri = `http://localhost:${CALLBACK_PORT}/auth/callback`;
+    const server = createServer((req, res) => {
+      const url = new URL(req.url, `http://localhost:${CALLBACK_PORT}`);
+      if (url.pathname === "/auth/callback") {
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(`<!DOCTYPE html>
+<html><body>
+<script>
+  // Supabase puts tokens in the hash fragment
+  const hash = window.location.hash.substring(1);
+  const params = new URLSearchParams(hash);
+  const accessToken = params.get('access_token');
+
+  if (accessToken) {
+    fetch('/auth/token', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ access_token: accessToken })
+    }).then(() => {
+      document.body.innerHTML = '<h2 style="font-family:system-ui;text-align:center;margin-top:100px">Login successful! You can close this tab.</h2>';
+    });
+  } else {
+    document.body.innerHTML = '<h2 style="font-family:system-ui;text-align:center;margin-top:100px;color:red">Login failed. Please try again.</h2>';
+  }
+</script>
+<h2 style="font-family:system-ui;text-align:center;margin-top:100px">Processing login...</h2>
+</body></html>`);
+        return;
+      }
+      if (url.pathname === "/auth/token" && req.method === "POST") {
+        let body = "";
+        req.on("data", (chunk) => {
+          body += chunk.toString();
+        });
+        req.on("end", async () => {
+          res.writeHead(200, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ ok: true }));
+          try {
+            const { access_token } = JSON.parse(body);
+            const userRes = await fetch(`${supabaseUrl}/auth/v1/user`, {
+              headers: {
+                Authorization: `Bearer ${access_token}`,
+                apikey: supabaseAnonKey
+              }
+            });
+            if (!userRes.ok) {
+              reject(new Error("Failed to verify token"));
+              return;
+            }
+            const user = await userRes.json();
+            server.close();
+            resolve2({ token: access_token, email: user.email });
+          } catch (err) {
+            reject(err);
+          }
+        });
+        return;
+      }
+      res.writeHead(404);
+      res.end("Not found");
+    });
+    server.listen(CALLBACK_PORT, () => {
+      const authUrl = `${supabaseUrl}/auth/v1/authorize?` + new URLSearchParams({
+        provider: "google",
+        redirect_to: redirectUri
+      }).toString();
+      console.log(
+        `\x1B[36m[Reley]\x1B[0m Opening browser for Google login...`
+      );
+      console.log(`\x1B[2m${authUrl}\x1B[0m
+`);
+      const openCmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+      import("node:child_process").then(({ spawn: spawnChild }) => {
+        spawnChild(openCmd, [authUrl], { stdio: "ignore", detached: true }).unref();
+      });
+      setTimeout(() => {
+        server.close();
+        reject(new Error("Login timed out (5 minutes)"));
+      }, 5 * 60 * 1e3);
+    });
+    server.on("error", (err) => {
+      reject(new Error(`Failed to start callback server: ${err.message}`));
+    });
+  });
+}
+
+// src/index.ts
+var program = new Command();
+program.name("reley").description("Bridge your terminal to mobile/web with E2E encryption").version("0.1.0");
+program.option("--reley-url <url>", "Reley server URL", "http://localhost:3100").option("--config-dir <path>", "Configuration directory", `${process.env.HOME}/.reley`);
+program.command("run [command...]", { isDefault: true }).description("Run a command with web terminal sync (default)").option("--web-port <port>", "Web UI port", "3200").option("--reley-port <port>", "Reley server port", "3100").option("--online", "Use online reley server (requires `reley login` first)").action(async (commandArgs, opts) => {
+  await runCommand(commandArgs, { webPort: opts.webPort, releyPort: opts.releyPort, online: opts.online });
+});
+program.command("login").description("Login with Google and register this device").option("--reley-url <url>", "Reley server URL").action(async (opts) => {
+  const parentOpts = program.opts();
+  await loginCommand({ releyUrl: opts.releyUrl || parentOpts.releyUrl });
+});
+program.command("pair").description("Pair this device with a mobile client").action(async () => {
+  const opts = program.opts();
+  await pairCommand({ releyUrl: opts.releyUrl, configDir: opts.configDir });
+});
+program.command("wrap <command...>").description("Wrap a command with existing session (requires prior pairing)").action(async (commandArgs) => {
+  const opts = program.opts();
+  await wrapCommand(commandArgs, { releyUrl: opts.releyUrl, configDir: opts.configDir });
+});
+program.command("status").description("Show pairing and connection status").action(async () => {
+  const opts = program.opts();
+  await statusCommand({ releyUrl: opts.releyUrl, configDir: opts.configDir });
+});
+program.command("install-hooks").description("Install Claude Code hooks for Reley integration").action(async () => {
+  const opts = program.opts();
+  await installHooksCommand({ releyUrl: opts.releyUrl, configDir: opts.configDir });
+});
+program.parseAsync(process.argv).catch((err) => {
+  console.error("Fatal error:", err);
+  process.exit(1);
+});