npm - remote-codex - Versions diffs - 0.11.1 → 0.11.3 - Mend

remote-codex 0.11.1 → 0.11.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (336) hide show

package/apps/relay-server/dist/index.js ADDED Viewed

@@ -0,0 +1,1221 @@
+// src/index.ts
+import fs4 from "fs";
+import { ZodError } from "zod";
+// src/app.ts
+import websocket from "@fastify/websocket";
+import Fastify from "fastify";
+import fs2 from "fs";
+import fsp2 from "fs/promises";
+import path2 from "path";
+import { randomUUID } from "crypto";
+import { z } from "zod";
+// src/request-broker.ts
+var RelayRequestBroker = class {
+  constructor(timeoutMs) {
+    this.timeoutMs = timeoutMs;
+  }
+  timeoutMs;
+  pendingRequests = /* @__PURE__ */ new Map();
+  forward(socket, message) {
+    return new Promise((resolve, reject) => {
+      if (message.type !== "relay.request") {
+        reject(new Error("Only relay.request messages can be forwarded."));
+        return;
+      }
+      const timeout = setTimeout(() => {
+        this.pendingRequests.delete(message.requestId);
+        reject(new Error("Supervisor relay request timed out."));
+      }, this.timeoutMs);
+      this.pendingRequests.set(message.requestId, {
+        resolve,
+        reject,
+        timeout
+      });
+      socket.send(JSON.stringify(message));
+    });
+  }
+  accept(message) {
+    if (message.type !== "relay.response") {
+      return false;
+    }
+    const pending = this.pendingRequests.get(message.requestId);
+    if (!pending) {
+      return false;
+    }
+    clearTimeout(pending.timeout);
+    this.pendingRequests.delete(message.requestId);
+    pending.resolve(message.payload);
+    return true;
+  }
+  rejectAll(error) {
+    for (const [requestId, pending] of this.pendingRequests) {
+      clearTimeout(pending.timeout);
+      this.pendingRequests.delete(requestId);
+      pending.reject(error);
+    }
+  }
+};
+// src/relay-store.ts
+import crypto from "crypto";
+import fs from "fs";
+import fsp from "fs/promises";
+import path from "path";
+var SESSION_TTL_MS = 1e3 * 60 * 60 * 24 * 14;
+var RelayStore = class _RelayStore {
+  constructor(filePath, sessionSecret, registrationEnabled) {
+    this.filePath = filePath;
+    this.sessionSecret = sessionSecret;
+    this.data = this.readData(registrationEnabled);
+  }
+  filePath;
+  sessionSecret;
+  data;
+  static fromDataDir(dataDir, sessionSecret, registrationEnabled) {
+    return new _RelayStore(
+      path.join(path.resolve(dataDir), "relay-store.json"),
+      sessionSecret,
+      registrationEnabled
+    );
+  }
+  seedAdmin(input) {
+    const username = normalizeUsername(input.username);
+    const existing = this.data.users.find((user2) => user2.role === "admin");
+    if (existing) {
+      return this.publicUser(existing);
+    }
+    const user = this.createStoredUser({
+      email: input.email ?? `${username}@relay.local`,
+      username,
+      password: input.password,
+      role: "admin"
+    });
+    this.data.users.push(user);
+    void this.persist();
+    return this.publicUser(user);
+  }
+  register(input) {
+    if (!this.data.registrationEnabled) {
+      throw new RelayStoreError(403, "forbidden", "Registration is currently disabled.");
+    }
+    const user = this.createStoredUser({
+      email: input.email,
+      username: input.username,
+      password: input.password,
+      role: "user"
+    });
+    this.data.users.push(user);
+    void this.persist();
+    return this.createLoginResult(user);
+  }
+  login(input) {
+    const normalizedIdentifier = input.identifier.trim().toLowerCase();
+    const user = this.data.users.find(
+      (entry) => entry.email.toLowerCase() === normalizedIdentifier || entry.username.toLowerCase() === normalizedIdentifier
+    );
+    if (!user || !user.enabled) {
+      throw new RelayStoreError(401, "unauthorized", "Invalid username or password.");
+    }
+    if (!verifySecret(input.password, user.passwordSalt, user.passwordHash)) {
+      throw new RelayStoreError(401, "unauthorized", "Invalid username or password.");
+    }
+    return this.createLoginResult(user);
+  }
+  verifySession(token) {
+    if (!token) {
+      return this.emptySession();
+    }
+    const payload = this.verifyToken(token);
+    if (!payload) {
+      return this.emptySession();
+    }
+    const user = this.data.users.find((entry) => entry.id === payload.userId);
+    if (!user || !user.enabled) {
+      return this.emptySession();
+    }
+    return {
+      authenticated: true,
+      user: this.publicUser(user),
+      registrationEnabled: this.data.registrationEnabled
+    };
+  }
+  createDevice(ownerUserId, input) {
+    const user = this.requireUser(ownerUserId);
+    const token = `rcd_${crypto.randomBytes(24).toString("base64url")}`;
+    const device = {
+      id: crypto.randomUUID(),
+      ownerUserId: user.id,
+      name: input.name.trim() || "Remote Codex device",
+      tokenHash: sha256(token),
+      tokenPreview: previewToken(token),
+      createdAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    this.data.devices.push(device);
+    void this.persist();
+    return {
+      device: this.publicDevice(device, null),
+      token
+    };
+  }
+  deleteDevice(userId, deviceId) {
+    const index = this.data.devices.findIndex(
+      (device) => device.id === deviceId && device.ownerUserId === userId
+    );
+    if (index < 0) {
+      throw new RelayStoreError(404, "not_found", "Device was not found.");
+    }
+    this.data.devices.splice(index, 1);
+    this.data.shares = this.data.shares.filter((share) => share.deviceId !== deviceId);
+    void this.persist();
+  }
+  verifyDeviceToken(token) {
+    if (!token) {
+      return null;
+    }
+    const tokenHash = sha256(token);
+    return this.data.devices.find((device) => device.tokenHash === tokenHash) ?? null;
+  }
+  createShare(ownerUserId, input) {
+    const owner = this.requireUser(ownerUserId);
+    const device = this.data.devices.find(
+      (entry) => entry.id === input.deviceId && entry.ownerUserId === ownerUserId
+    );
+    if (!device) {
+      throw new RelayStoreError(404, "not_found", "Device was not found.");
+    }
+    const target = this.data.users.find(
+      (entry) => entry.username.toLowerCase() === input.targetUsername.trim().toLowerCase()
+    );
+    if (!target || !target.enabled) {
+      throw new RelayStoreError(404, "not_found", "Target user was not found.");
+    }
+    if (target.id === ownerUserId) {
+      throw new RelayStoreError(400, "bad_request", "You cannot share a session with yourself.");
+    }
+    const existing = this.data.shares.find(
+      (share2) => share2.ownerUserId === ownerUserId && share2.targetUserId === target.id && share2.deviceId === input.deviceId && share2.threadId === input.threadId && !share2.revokedAt
+    );
+    if (existing) {
+      return existing;
+    }
+    const share = {
+      id: crypto.randomUUID(),
+      ownerUserId,
+      ownerUsername: owner.username,
+      targetUserId: target.id,
+      targetUsername: target.username,
+      deviceId: input.deviceId,
+      deviceName: device.name,
+      threadId: input.threadId,
+      label: input.label?.trim() || null,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      revokedAt: null
+    };
+    this.data.shares.push(share);
+    void this.persist();
+    return share;
+  }
+  revokeShare(userId, shareId) {
+    const share = this.data.shares.find(
+      (entry) => entry.id === shareId && entry.ownerUserId === userId
+    );
+    if (!share) {
+      throw new RelayStoreError(404, "not_found", "Share was not found.");
+    }
+    share.revokedAt = (/* @__PURE__ */ new Date()).toISOString();
+    void this.persist();
+    return share;
+  }
+  canAccessDevice(userId, deviceId, threadId) {
+    const owned = this.data.devices.some(
+      (device) => device.id === deviceId && device.ownerUserId === userId
+    );
+    if (owned) {
+      return true;
+    }
+    if (!threadId) {
+      return false;
+    }
+    return this.data.shares.some(
+      (share) => share.targetUserId === userId && share.deviceId === deviceId && !share.revokedAt && share.threadId === threadId
+    );
+  }
+  portalSummary(userId, connectedDevices) {
+    const user = this.requireUser(userId);
+    return {
+      user: this.publicUser(user),
+      devices: this.data.devices.filter((device) => device.ownerUserId === userId).map((device) => this.publicDevice(device, connectedDevices.get(device.id) ?? null)),
+      sharedWithMe: this.data.shares.filter(
+        (share) => share.targetUserId === userId && !share.revokedAt
+      ).map((share) => this.publicShare(share)),
+      sharedByMe: this.data.shares.filter(
+        (share) => share.ownerUserId === userId && !share.revokedAt
+      ).map((share) => this.publicShare(share))
+    };
+  }
+  adminSummary(connectedDevices) {
+    return {
+      users: this.data.users.map((user) => this.publicUser(user)),
+      devices: this.data.devices.map(
+        (device) => this.publicDevice(device, connectedDevices.get(device.id) ?? null)
+      ),
+      registrationEnabled: this.data.registrationEnabled
+    };
+  }
+  setRegistrationEnabled(enabled) {
+    this.data.registrationEnabled = enabled;
+    void this.persist();
+    return enabled;
+  }
+  setUserEnabled(userId, enabled) {
+    const user = this.requireUser(userId);
+    if (user.role === "admin" && !enabled) {
+      throw new RelayStoreError(400, "bad_request", "The admin user cannot be disabled.");
+    }
+    user.enabled = enabled;
+    void this.persist();
+    return this.publicUser(user);
+  }
+  emptySession() {
+    return {
+      authenticated: false,
+      user: null,
+      registrationEnabled: this.data.registrationEnabled
+    };
+  }
+  publicDevice(device, status) {
+    return {
+      id: device.id,
+      ownerUserId: device.ownerUserId,
+      name: device.name,
+      tokenPreview: device.tokenPreview,
+      connected: Boolean(status?.connected),
+      connectedAt: status?.connectedAt ?? null,
+      lastHeartbeatAt: status?.lastHeartbeatAt ?? null,
+      createdAt: device.createdAt
+    };
+  }
+  publicShare(share) {
+    const owner = this.data.users.find((user) => user.id === share.ownerUserId);
+    const target = this.data.users.find((user) => user.id === share.targetUserId);
+    const device = this.data.devices.find((entry) => entry.id === share.deviceId);
+    return {
+      ...share,
+      ownerUsername: share.ownerUsername ?? owner?.username ?? "unknown",
+      targetUsername: share.targetUsername ?? target?.username ?? "unknown",
+      deviceName: share.deviceName ?? device?.name ?? "Remote Codex device"
+    };
+  }
+  createStoredUser(input) {
+    const email = input.email.trim().toLowerCase();
+    const username = normalizeUsername(input.username);
+    if (!email.includes("@")) {
+      throw new RelayStoreError(400, "bad_request", "A valid email address is required.");
+    }
+    if (username.length < 3) {
+      throw new RelayStoreError(400, "bad_request", "Username must be at least 3 characters.");
+    }
+    if (input.password.length < 8) {
+      throw new RelayStoreError(400, "bad_request", "Password must be at least 8 characters.");
+    }
+    if (this.data.users.some(
+      (user) => user.email.toLowerCase() === email || user.username.toLowerCase() === username
+    )) {
+      throw new RelayStoreError(409, "conflict", "A user with that email or username already exists.");
+    }
+    const passwordSalt = crypto.randomBytes(16).toString("base64url");
+    return {
+      id: crypto.randomUUID(),
+      email,
+      username,
+      role: input.role,
+      enabled: true,
+      createdAt: (/* @__PURE__ */ new Date()).toISOString(),
+      passwordSalt,
+      passwordHash: hashSecret(input.password, passwordSalt)
+    };
+  }
+  createLoginResult(user) {
+    const token = this.signSession(user.id);
+    return {
+      token,
+      session: {
+        authenticated: true,
+        user: this.publicUser(user),
+        registrationEnabled: this.data.registrationEnabled
+      }
+    };
+  }
+  signSession(userId) {
+    const payload = {
+      userId,
+      expiresAt: Date.now() + SESSION_TTL_MS,
+      nonce: crypto.randomBytes(16).toString("base64url")
+    };
+    const payloadText = Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
+    const signature = crypto.createHmac("sha256", this.sessionSecret).update(payloadText).digest("base64url");
+    return `${payloadText}.${signature}`;
+  }
+  verifyToken(token) {
+    const [payloadText, signature, extra] = token.split(".");
+    if (!payloadText || !signature || extra !== void 0) {
+      return null;
+    }
+    const expected = crypto.createHmac("sha256", this.sessionSecret).update(payloadText).digest("base64url");
+    if (!safeEqual(signature, expected)) {
+      return null;
+    }
+    try {
+      const payload = JSON.parse(Buffer.from(payloadText, "base64url").toString("utf8"));
+      if (typeof payload?.userId !== "string" || typeof payload?.expiresAt !== "number" || typeof payload?.nonce !== "string" || payload.expiresAt <= Date.now()) {
+        return null;
+      }
+      return payload;
+    } catch {
+      return null;
+    }
+  }
+  requireUser(userId) {
+    const user = this.data.users.find((entry) => entry.id === userId);
+    if (!user) {
+      throw new RelayStoreError(404, "not_found", "User was not found.");
+    }
+    return user;
+  }
+  publicUser(user) {
+    return {
+      id: user.id,
+      email: user.email,
+      username: user.username,
+      role: user.role,
+      enabled: user.enabled,
+      createdAt: user.createdAt
+    };
+  }
+  readData(registrationEnabled) {
+    try {
+      const parsed = JSON.parse(fs.readFileSync(this.filePath, "utf8"));
+      return {
+        registrationEnabled: typeof parsed.registrationEnabled === "boolean" ? parsed.registrationEnabled : registrationEnabled,
+        users: Array.isArray(parsed.users) ? parsed.users : [],
+        devices: Array.isArray(parsed.devices) ? parsed.devices : [],
+        shares: Array.isArray(parsed.shares) ? parsed.shares : []
+      };
+    } catch {
+      return {
+        registrationEnabled,
+        users: [],
+        devices: [],
+        shares: []
+      };
+    }
+  }
+  async persist() {
+    await fsp.mkdir(path.dirname(this.filePath), { recursive: true });
+    await fsp.writeFile(this.filePath, `${JSON.stringify(this.data, null, 2)}
+`, "utf8");
+  }
+};
+var RelayStoreError = class extends Error {
+  constructor(statusCode, code, message) {
+    super(message);
+    this.statusCode = statusCode;
+    this.code = code;
+  }
+  statusCode;
+  code;
+};
+function normalizeUsername(value) {
+  return value.trim().toLowerCase().replace(/[^a-z0-9_-]/g, "");
+}
+function hashSecret(secret, salt) {
+  return crypto.scryptSync(secret, salt, 32).toString("base64url");
+}
+function verifySecret(secret, salt, hash) {
+  return safeEqual(hashSecret(secret, salt), hash);
+}
+function sha256(value) {
+  return crypto.createHash("sha256").update(value).digest("base64url");
+}
+function previewToken(token) {
+  return `${token.slice(0, 7)}...${token.slice(-4)}`;
+}
+function safeEqual(left, right) {
+  const leftBuffer = Buffer.from(left);
+  const rightBuffer = Buffer.from(right);
+  if (leftBuffer.length !== rightBuffer.length) {
+    return false;
+  }
+  return crypto.timingSafeEqual(leftBuffer, rightBuffer);
+}
+// src/app.ts
+var RELAY_REQUEST_TIMEOUT_MS = 3e4;
+var WEBSOCKET_OPEN = 1;
+var RELAY_COOKIE_NAME = "remote_codex_relay_session";
+var THREAD_SHARED_HTTP_METHODS = /* @__PURE__ */ new Set(["GET", "POST", "PATCH"]);
+var loginSchema = z.object({
+  identifier: z.string().trim().min(1),
+  password: z.string().min(1)
+});
+var registerSchema = z.object({
+  email: z.string().trim().email(),
+  username: z.string().trim().min(3),
+  password: z.string().min(8)
+});
+var createDeviceSchema = z.object({
+  name: z.string().trim().min(1).max(120)
+});
+var createShareSchema = z.object({
+  targetUsername: z.string().trim().min(3),
+  deviceId: z.string().uuid(),
+  threadId: z.string().trim().min(1),
+  label: z.string().trim().min(1).max(160).optional()
+});
+var setEnabledSchema = z.object({
+  enabled: z.boolean()
+});
+function buildRelayServer(config2) {
+  const app2 = Fastify({ logger: false });
+  const store = RelayStore.fromDataDir(
+    config2.dataDir,
+    config2.sessionSecret,
+    config2.registrationEnabled
+  );
+  store.seedAdmin({
+    username: config2.adminUsername,
+    email: config2.adminEmail,
+    password: config2.adminPassword
+  });
+  const state = {
+    supervisors: /* @__PURE__ */ new Map()
+  };
+  app2.get("/healthz", async () => {
+    const primary = [...state.supervisors.values()][0] ?? null;
+    return {
+      status: "ok",
+      supervisorConnected: state.supervisors.size > 0,
+      supervisorConnectedAt: primary?.connectedAt ?? null,
+      lastSupervisorHeartbeatAt: primary?.lastHeartbeatAt ?? null,
+      supervisorCount: state.supervisors.size
+    };
+  });
+  app2.get("/relay/auth/session", async (request) => {
+    return store.verifySession(readRelaySessionToken(request));
+  });
+  app2.post("/relay/auth/register", async (request, reply) => {
+    const body = registerSchema.parse(request.body ?? {});
+    const result = store.register(body);
+    attachRelayCookie(reply, result.token);
+    return result;
+  });
+  app2.post("/relay/auth/login", async (request, reply) => {
+    const body = loginSchema.parse(request.body ?? {});
+    const result = store.login(body);
+    attachRelayCookie(reply, result.token);
+    return result;
+  });
+  app2.post("/relay/auth/logout", async (_request, reply) => {
+    clearRelayCookie(reply);
+    return store.emptySession();
+  });
+  app2.get("/relay/portal", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store);
+    if (!user) {
+      return;
+    }
+    return store.portalSummary(user.id, connectionStatus(state));
+  });
+  app2.post("/relay/devices", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store);
+    if (!user) {
+      return;
+    }
+    const body = createDeviceSchema.parse(request.body ?? {});
+    return store.createDevice(user.id, body);
+  });
+  app2.delete("/relay/devices/:deviceId", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store);
+    if (!user) {
+      return;
+    }
+    const { deviceId } = z.object({ deviceId: z.string().uuid() }).parse(request.params);
+    store.deleteDevice(user.id, deviceId);
+    return { id: deviceId };
+  });
+  app2.post("/relay/shares", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store);
+    if (!user) {
+      return;
+    }
+    const body = createShareSchema.parse(request.body ?? {});
+    return store.createShare(user.id, {
+      targetUsername: body.targetUsername,
+      deviceId: body.deviceId,
+      threadId: body.threadId,
+      label: body.label ?? null
+    });
+  });
+  app2.delete("/relay/shares/:shareId", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store);
+    if (!user) {
+      return;
+    }
+    const { shareId } = z.object({ shareId: z.string().uuid() }).parse(request.params);
+    return store.revokeShare(user.id, shareId);
+  });
+  app2.get("/relay/admin", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store, { admin: true });
+    if (!user) {
+      return;
+    }
+    return store.adminSummary(connectionStatus(state));
+  });
+  app2.patch("/relay/admin/settings/registration", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store, { admin: true });
+    if (!user) {
+      return;
+    }
+    const body = setEnabledSchema.parse(request.body ?? {});
+    return { registrationEnabled: store.setRegistrationEnabled(body.enabled) };
+  });
+  app2.patch("/relay/admin/users/:userId", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store, { admin: true });
+    if (!user) {
+      return;
+    }
+    const { userId } = z.object({ userId: z.string().uuid() }).parse(request.params);
+    const body = setEnabledSchema.parse(request.body ?? {});
+    return store.setUserEnabled(userId, body.enabled);
+  });
+  app2.all("/relay/devices/:deviceId/api/*", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store);
+    if (!user) {
+      return;
+    }
+    const { deviceId } = z.object({ deviceId: z.string().uuid() }).parse(request.params);
+    const targetPath = request.url.replace(/^\/relay\/devices\/[^/]+/, "") || "/";
+    await forwardRelayHttp({
+      request,
+      reply,
+      state,
+      store,
+      user,
+      deviceId,
+      targetPath
+    });
+  });
+  app2.all("/relay/api/*", async (request, reply) => {
+    const user = requireRelayUser(request, reply, store);
+    if (!user) {
+      return;
+    }
+    const deviceId = firstAccessibleConnectedDevice(state, store, user.id);
+    if (!deviceId) {
+      reply.status(503).send({
+        code: "service_unavailable",
+        message: "No accessible supervisor is connected to this relay."
+      });
+      return;
+    }
+    const targetPath = request.url.slice("/relay".length) || "/";
+    await forwardRelayHttp({
+      request,
+      reply,
+      state,
+      store,
+      user,
+      deviceId,
+      targetPath
+    });
+  });
+  app2.register(async (realtimeApp) => {
+    await realtimeApp.register(websocket);
+    realtimeApp.route({
+      method: "GET",
+      url: "/supervisor/tunnel",
+      handler: (_request, reply) => {
+        reply.status(426).send({
+          code: "bad_request",
+          message: "Upgrade to websocket is required."
+        });
+      },
+      wsHandler: (socket, request) => {
+        const legacyToken = bearerToken(request.headers.authorization) ?? queryToken(request.query);
+        const deviceToken = queryToken(request.query, "deviceToken") ?? legacyToken;
+        const device = store.verifyDeviceToken(deviceToken);
+        const deviceId = device?.id ?? (config2.supervisorToken && legacyToken === config2.supervisorToken ? "legacy-default" : null);
+        if (!deviceId) {
+          socket.close(1008, "Supervisor relay token is invalid.");
+          return;
+        }
+        const connectedAt = (/* @__PURE__ */ new Date()).toISOString();
+        const existing = state.supervisors.get(deviceId);
+        existing?.socket.send(JSON.stringify({
+          type: "relay.connected",
+          timestamp: connectedAt,
+          deviceId
+        }));
+        existing?.clientSockets.forEach((clientConnection) => clientConnection.socket.close());
+        const connection = {
+          deviceId,
+          socket,
+          requestBroker: new RelayRequestBroker(RELAY_REQUEST_TIMEOUT_MS),
+          clientSockets: /* @__PURE__ */ new Map(),
+          connected: true,
+          connectedAt,
+          lastHeartbeatAt: connectedAt
+        };
+        state.supervisors.set(deviceId, connection);
+        socket.send(
+          JSON.stringify({
+            type: "relay.connected",
+            timestamp: connectedAt,
+            deviceId
+          })
+        );
+        socket.on("message", (rawMessage) => {
+          let parsed;
+          try {
+            parsed = JSON.parse(rawMessage.toString());
+          } catch {
+            return;
+          }
+          if (parsed.type === "relay.heartbeat") {
+            connection.lastHeartbeatAt = parsed.timestamp;
+            return;
+          }
+          if (parsed.type === "relay.server.message") {
+            const clientConnection = connection.clientSockets.get(parsed.clientId);
+            if (clientConnection && clientConnection.socket.readyState === WEBSOCKET_OPEN && shouldForwardSocketEvent(parsed.payload, clientConnection.threadId)) {
+              clientConnection.socket.send(JSON.stringify(parsed.payload));
+            }
+            return;
+          }
+          connection.requestBroker.accept(parsed);
+        });
+        socket.on("close", () => {
+          if (state.supervisors.get(deviceId)?.socket === socket) {
+            state.supervisors.delete(deviceId);
+          }
+          connection.requestBroker.rejectAll(new Error("Supervisor tunnel closed."));
+          for (const [clientId, clientConnection] of connection.clientSockets) {
+            connection.clientSockets.delete(clientId);
+            clientConnection.socket.close();
+          }
+        });
+      }
+    });
+    realtimeApp.route({
+      method: "GET",
+      url: "/relay/devices/:deviceId/ws",
+      handler: (_request, reply) => {
+        reply.status(426).send({
+          code: "bad_request",
+          message: "Upgrade to websocket is required."
+        });
+      },
+      wsHandler: (socket, request) => {
+        const session = store.verifySession(readRelaySessionToken(request));
+        const deviceId = pathParam(request.params, "deviceId");
+        const threadId = queryString(request.query, "threadId");
+        if (!session.authenticated || !session.user || !deviceId) {
+          socket.close(1008, "Relay login is required.");
+          return;
+        }
+        if (!store.canAccessDevice(session.user.id, deviceId, threadId)) {
+          socket.close(1008, "Device access is not allowed.");
+          return;
+        }
+        const supervisor = state.supervisors.get(deviceId);
+        if (!supervisor || supervisor.socket.readyState !== WEBSOCKET_OPEN) {
+          socket.close(1013, "No supervisor is connected for this device.");
+          return;
+        }
+        connectRelayWebsocket(supervisor, socket, threadId);
+      }
+    });
+    realtimeApp.route({
+      method: "GET",
+      url: "/relay/ws",
+      handler: (_request, reply) => {
+        reply.status(426).send({
+          code: "bad_request",
+          message: "Upgrade to websocket is required."
+        });
+      },
+      wsHandler: (socket, request) => {
+        const session = store.verifySession(readRelaySessionToken(request));
+        if (!session.authenticated || !session.user) {
+          socket.close(1008, "Relay login is required.");
+          return;
+        }
+        const threadId = queryString(request.query, "threadId");
+        const deviceId = firstAccessibleConnectedDevice(state, store, session.user.id, threadId);
+        const supervisor = deviceId ? state.supervisors.get(deviceId) : null;
+        if (!deviceId || !supervisor || supervisor.socket.readyState !== WEBSOCKET_OPEN) {
+          socket.close(1013, "No accessible supervisor is connected to this relay.");
+          return;
+        }
+        connectRelayWebsocket(supervisor, socket, threadId);
+      }
+    });
+  });
+  if (config2.webDistDir) {
+    registerRelayWebApp(app2, config2.webDistDir);
+  }
+  app2.setErrorHandler((error, _request, reply) => {
+    if (error instanceof RelayStoreError) {
+      reply.status(error.statusCode).send({
+        code: error.code,
+        message: error.message
+      });
+      return;
+    }
+    if (error instanceof z.ZodError) {
+      reply.status(400).send({
+        code: "bad_request",
+        message: "The request payload is invalid.",
+        details: {
+          issues: error.issues
+        }
+      });
+      return;
+    }
+    reply.status(500).send({
+      code: "internal_error",
+      message: "An unexpected relay server error occurred."
+    });
+  });
+  return app2;
+}
+async function forwardRelayHttp(input) {
+  const threadId = threadIdFromPath(input.targetPath);
+  if (!input.store.canAccessDevice(input.user.id, input.deviceId, threadId)) {
+    input.reply.status(403).send({
+      code: "forbidden",
+      message: "Device access is not allowed."
+    });
+    return;
+  }
+  if (!isAllowedForRelayUser(input.store, input.user.id, input.deviceId, input.request.method, input.targetPath)) {
+    input.reply.status(403).send({
+      code: "forbidden",
+      message: "This shared session does not allow that operation."
+    });
+    return;
+  }
+  const supervisor = input.state.supervisors.get(input.deviceId);
+  if (!supervisor || supervisor.socket.readyState !== WEBSOCKET_OPEN) {
+    input.reply.status(503).send({
+      code: "service_unavailable",
+      message: "No supervisor is connected for this device."
+    });
+    return;
+  }
+  if (!isAllowedRelayTarget(input.targetPath)) {
+    input.reply.status(403).send({
+      code: "forbidden",
+      message: "This relay path is not allowed."
+    });
+    return;
+  }
+  try {
+    const requestId = randomUUID();
+    const response = await supervisor.requestBroker.forward(supervisor.socket, {
+      type: "relay.request",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      requestId,
+      deviceId: input.deviceId,
+      payload: {
+        method: input.request.method,
+        path: input.targetPath,
+        headers: relayRequestHeaders(input.request.headers),
+        body: relayRequestBody(input.request.body)
+      }
+    });
+    for (const [name, value] of Object.entries(response.headers)) {
+      if (canForwardResponseHeader(name)) {
+        input.reply.header(name, value);
+      }
+    }
+    input.reply.status(response.statusCode).send(response.body);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : "Relay request failed.";
+    input.reply.status(message.includes("timed out") ? 504 : 503).send({
+      code: "service_unavailable",
+      message
+    });
+  }
+}
+function connectRelayWebsocket(supervisor, socket, threadId) {
+  const clientId = randomUUID();
+  supervisor.clientSockets.set(clientId, { socket, threadId });
+  sendToSupervisor(supervisor, {
+    type: "relay.client.connected",
+    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+    clientId
+  });
+  socket.on("message", (rawMessage) => {
+    let payload;
+    try {
+      payload = JSON.parse(rawMessage.toString());
+    } catch {
+      return;
+    }
+    sendToSupervisor(supervisor, {
+      type: "relay.client.message",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      clientId,
+      payload
+    });
+  });
+  socket.on("close", () => {
+    supervisor.clientSockets.delete(clientId);
+    sendToSupervisor(supervisor, {
+      type: "relay.client.disconnected",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      clientId
+    });
+  });
+}
+function sendToSupervisor(supervisor, message) {
+  if (supervisor.socket.readyState === WEBSOCKET_OPEN) {
+    supervisor.socket.send(JSON.stringify(message));
+  }
+}
+function registerRelayWebApp(app2, distDirInput) {
+  const distDir = path2.resolve(distDirInput);
+  const indexFile = path2.join(distDir, "index.html");
+  const mimeTypes = /* @__PURE__ */ new Map([
+    [".css", "text/css; charset=utf-8"],
+    [".html", "text/html; charset=utf-8"],
+    [".js", "text/javascript; charset=utf-8"],
+    [".json", "application/json; charset=utf-8"],
+    [".png", "image/png"],
+    [".svg", "image/svg+xml"],
+    [".webp", "image/webp"],
+    [".woff", "font/woff"],
+    [".woff2", "font/woff2"]
+  ]);
+  app2.get("/*", async (request, reply) => {
+    if (!fs2.existsSync(indexFile)) {
+      reply.status(503).type("text/plain; charset=utf-8").send("Relay web frontend is not built.");
+      return;
+    }
+    const pathname = new URL(request.url, "http://relay.local").pathname;
+    if (pathname.startsWith("/relay/") || pathname === "/healthz" || pathname === "/supervisor/tunnel") {
+      reply.status(404).send({
+        code: "not_found",
+        message: "The requested relay endpoint was not found."
+      });
+      return;
+    }
+    const assetPath = await resolveAssetPath(distDir, indexFile, pathname);
+    if (!assetPath) {
+      reply.status(404).type("text/plain; charset=utf-8").send("Not Found");
+      return;
+    }
+    if (assetPath === indexFile) {
+      const html = await fsp2.readFile(indexFile, "utf8");
+      const payload = injectRelayBootstrap(html);
+      reply.header("cache-control", "no-cache").header("content-length", Buffer.byteLength(payload)).type("text/html; charset=utf-8");
+      return reply.send(payload);
+    }
+    const stat = await fsp2.stat(assetPath);
+    reply.header("cache-control", "public, max-age=31536000, immutable").header("content-length", stat.size).type(mimeTypes.get(path2.extname(assetPath).toLowerCase()) ?? "application/octet-stream");
+    return reply.send(fs2.createReadStream(assetPath));
+  });
+}
+function injectRelayBootstrap(html) {
+  const script = `<script>window.__REMOTE_CODEX_BOOTSTRAP__=${JSON.stringify({
+    mode: "relay",
+    relayApiBase: "/relay"
+  })};</script>`;
+  if (html.includes("</head>")) {
+    return html.replace("</head>", `${script}</head>`);
+  }
+  return `${script}${html}`;
+}
+async function resolveAssetPath(distDir, indexFile, pathname) {
+  let decodedPath;
+  try {
+    decodedPath = decodeURIComponent(pathname);
+  } catch {
+    return null;
+  }
+  const relativePath = decodedPath === "/" ? "index.html" : decodedPath.replace(/^\/+/, "");
+  const candidate = path2.resolve(distDir, relativePath);
+  if (candidate !== distDir && !candidate.startsWith(`${distDir}${path2.sep}`)) {
+    return null;
+  }
+  const stat = await safeStat(candidate);
+  if (stat?.isFile()) {
+    return candidate;
+  }
+  if (path2.posix.extname(decodedPath)) {
+    return null;
+  }
+  return indexFile;
+}
+function requireRelayUser(request, reply, store, options = {}) {
+  const session = store.verifySession(readRelaySessionToken(request));
+  if (!session.authenticated || !session.user) {
+    reply.status(401).send({
+      code: "unauthorized",
+      message: "Relay login is required."
+    });
+    return null;
+  }
+  if (options.admin && session.user.role !== "admin") {
+    reply.status(403).send({
+      code: "forbidden",
+      message: "Admin access is required."
+    });
+    return null;
+  }
+  request.relayUser = session.user;
+  return session.user;
+}
+function readRelaySessionToken(request) {
+  return bearerToken(request.headers.authorization) ?? queryToken(request.query, "relaySession") ?? readCookie(request.headers.cookie, RELAY_COOKIE_NAME);
+}
+function attachRelayCookie(reply, token) {
+  reply.header(
+    "set-cookie",
+    `${RELAY_COOKIE_NAME}=${encodeURIComponent(token)}; HttpOnly; SameSite=Lax; Path=/; Max-Age=${60 * 60 * 24 * 14}`
+  );
+}
+function clearRelayCookie(reply) {
+  reply.header(
+    "set-cookie",
+    `${RELAY_COOKIE_NAME}=; HttpOnly; SameSite=Lax; Path=/; Max-Age=0`
+  );
+}
+function connectionStatus(state) {
+  const statuses = /* @__PURE__ */ new Map();
+  for (const [deviceId, supervisor] of state.supervisors) {
+    statuses.set(deviceId, {
+      connected: true,
+      connectedAt: supervisor.connectedAt,
+      lastHeartbeatAt: supervisor.lastHeartbeatAt
+    });
+  }
+  return statuses;
+}
+function firstAccessibleConnectedDevice(state, store, userId, threadId) {
+  for (const deviceId of state.supervisors.keys()) {
+    if (store.canAccessDevice(userId, deviceId, threadId)) {
+      return deviceId;
+    }
+  }
+  return null;
+}
+function isAllowedRelayTarget(pathValue) {
+  const pathname = new URL(pathValue, "http://relay.local").pathname;
+  return pathname === "/healthz" || pathname.startsWith("/api/");
+}
+function threadIdFromPath(pathValue) {
+  const pathname = new URL(pathValue, "http://relay.local").pathname;
+  const match = /^\/api\/threads\/([^/?#]+)/.exec(pathname);
+  return match ? decodeURIComponent(match[1]) : null;
+}
+function isAllowedForRelayUser(store, userId, deviceId, method, pathValue) {
+  if (store.canAccessDevice(userId, deviceId, null)) {
+    return true;
+  }
+  const pathname = new URL(pathValue, "http://relay.local").pathname;
+  const threadId = threadIdFromPath(pathValue);
+  if (!threadId || !store.canAccessDevice(userId, deviceId, threadId)) {
+    return false;
+  }
+  if (!THREAD_SHARED_HTTP_METHODS.has(method.toUpperCase())) {
+    return false;
+  }
+  const escapedThreadId = escapeRegExp(encodeURIComponent(threadId));
+  const allowed = [
+    new RegExp(`^/api/threads/${escapedThreadId}$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/items/[^/]+/detail$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/export-turns$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/goal$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/skills$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/mcp-servers$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/hooks$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/resume$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/prompt$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/interrupt$`),
+    new RegExp(`^/api/threads/${escapedThreadId}/requests/[^/]+/respond$`)
+  ];
+  return allowed.some((pattern) => pattern.test(pathname));
+}
+function shouldForwardSocketEvent(event, threadId) {
+  if (!threadId) {
+    return true;
+  }
+  if (event.type === "supervisor.connected" || event.type === "supervisor.pong") {
+    return true;
+  }
+  return "threadId" in event && event.threadId === threadId;
+}
+function relayRequestBody(body) {
+  if (body === void 0 || body === null) {
+    return null;
+  }
+  if (typeof body === "string") {
+    return body;
+  }
+  if (Buffer.isBuffer(body)) {
+    return body.toString("utf8");
+  }
+  return JSON.stringify(body);
+}
+function relayRequestHeaders(headers) {
+  const output = {};
+  for (const [name, value] of Object.entries(headers)) {
+    if (name.toLowerCase() === "authorization") {
+      continue;
+    }
+    if (Array.isArray(value)) {
+      output[name] = value.join(", ");
+    } else if (value !== void 0) {
+      output[name] = value;
+    }
+  }
+  return output;
+}
+function canForwardResponseHeader(name) {
+  const lower = name.toLowerCase();
+  return lower !== "content-length" && lower !== "transfer-encoding";
+}
+function bearerToken(value) {
+  const match = /^Bearer\s+(.+)$/i.exec(value ?? "");
+  return match?.[1]?.trim() ?? null;
+}
+function queryToken(query, name = "token") {
+  if (!query || typeof query !== "object" || !(name in query)) {
+    return null;
+  }
+  const token = query[name];
+  return typeof token === "string" && token.trim() ? token.trim() : null;
+}
+function readCookie(cookie, name) {
+  if (!cookie) {
+    return null;
+  }
+  for (const entry of cookie.split(";")) {
+    const [entryName, ...valueParts] = entry.trim().split("=");
+    if (entryName === name) {
+      return decodeURIComponent(valueParts.join("="));
+    }
+  }
+  return null;
+}
+function pathParam(params, name) {
+  if (!params || typeof params !== "object" || !(name in params)) {
+    return null;
+  }
+  const value = params[name];
+  return typeof value === "string" ? value : null;
+}
+function queryString(query, name) {
+  if (!query || typeof query !== "object" || !(name in query)) {
+    return null;
+  }
+  const value = query[name];
+  if (typeof value !== "string") {
+    return null;
+  }
+  const trimmed = value.trim();
+  return trimmed ? trimmed : null;
+}
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+async function safeStat(filePath) {
+  try {
+    return await fsp2.stat(filePath);
+  } catch {
+    return null;
+  }
+}
+// src/config.ts
+import fs3 from "fs";
+import path3 from "path";
+import { fileURLToPath } from "url";
+import { z as z2 } from "zod";
+var envSchema = z2.object({
+  HOST: z2.string().min(1).optional(),
+  PORT: z2.coerce.number().int().positive().optional(),
+  REMOTE_CODEX_RELAY_SUPERVISOR_TOKEN: z2.string().min(1).optional(),
+  REMOTE_CODEX_RELAY_CLIENT_TOKEN: z2.string().min(1).optional(),
+  REMOTE_CODEX_ADMIN_USERNAME: z2.string().min(3),
+  REMOTE_CODEX_ADMIN_PASSWORD: z2.string().min(8),
+  REMOTE_CODEX_ADMIN_EMAIL: z2.string().email().optional(),
+  REMOTE_CODEX_RELAY_DATA_DIR: z2.string().min(1).optional(),
+  REMOTE_CODEX_RELAY_SESSION_SECRET: z2.string().min(16).optional(),
+  REMOTE_CODEX_RELAY_REGISTRATION_ENABLED: z2.string().optional(),
+  REMOTE_CODEX_RELAY_WEB_DIST_DIR: z2.string().min(1).optional()
+});
+function loadRelayServerConfig(env = process.env) {
+  const parsed = envSchema.parse(env);
+  return {
+    host: parsed.HOST ?? "0.0.0.0",
+    port: parsed.PORT ?? 8788,
+    supervisorToken: parsed.REMOTE_CODEX_RELAY_SUPERVISOR_TOKEN ?? null,
+    clientToken: parsed.REMOTE_CODEX_RELAY_CLIENT_TOKEN ?? null,
+    adminUsername: parsed.REMOTE_CODEX_ADMIN_USERNAME,
+    adminEmail: parsed.REMOTE_CODEX_ADMIN_EMAIL ?? `${parsed.REMOTE_CODEX_ADMIN_USERNAME}@relay.local`,
+    adminPassword: parsed.REMOTE_CODEX_ADMIN_PASSWORD,
+    dataDir: parsed.REMOTE_CODEX_RELAY_DATA_DIR ?? ".local/relay-server",
+    sessionSecret: parsed.REMOTE_CODEX_RELAY_SESSION_SECRET ?? parsed.REMOTE_CODEX_ADMIN_PASSWORD,
+    registrationEnabled: parsed.REMOTE_CODEX_RELAY_REGISTRATION_ENABLED === void 0 ? true : ["1", "true", "yes", "on"].includes(
+      parsed.REMOTE_CODEX_RELAY_REGISTRATION_ENABLED.toLowerCase()
+    ),
+    webDistDir: parsed.REMOTE_CODEX_RELAY_WEB_DIST_DIR ?? defaultRelayWebDistDir()
+  };
+}
+function defaultRelayWebDistDir() {
+  const moduleDir = path3.dirname(fileURLToPath(import.meta.url));
+  const candidates = [
+    path3.resolve("apps/supervisor-web/dist"),
+    path3.resolve(moduleDir, "../../supervisor-web/dist")
+  ];
+  for (const candidate of candidates) {
+    if (fs3.existsSync(path3.join(candidate, "index.html"))) {
+      return candidate;
+    }
+  }
+  return null;
+}
+// src/index.ts
+if (fs4.existsSync(".env")) {
+  process.loadEnvFile?.(".env");
+}
+var config;
+try {
+  config = loadRelayServerConfig();
+} catch (error) {
+  if (error instanceof ZodError) {
+    console.error("Remote Codex relay configuration is invalid.");
+    for (const issue of error.issues) {
+      const name = issue.path.join(".") || "environment";
+      console.error(`- ${name}: ${issue.message}`);
+    }
+    console.error("");
+    console.error("Required: REMOTE_CODEX_ADMIN_USERNAME, REMOTE_CODEX_ADMIN_PASSWORD");
+    console.error("Optional: REMOTE_CODEX_ADMIN_EMAIL, REMOTE_CODEX_RELAY_SUPERVISOR_TOKEN, REMOTE_CODEX_RELAY_CLIENT_TOKEN, REMOTE_CODEX_RELAY_SESSION_SECRET, REMOTE_CODEX_RELAY_DATA_DIR, REMOTE_CODEX_RELAY_WEB_DIST_DIR, HOST, PORT");
+    process.exit(1);
+  }
+  throw error;
+}
+var app = buildRelayServer(config);
+app.listen({ host: config.host, port: config.port }).then(() => {
+  app.log.info(`Remote Codex relay listening on http://${config.host}:${config.port}`);
+}).catch((error) => {
+  app.log.error(error);
+  process.exit(1);
+});