rivet-design 0.7.0 → 0.8.0

package/dist/server.js

@@ -54,8 +54,18 @@ const proxy_config_1 = require("./proxy-middleware/proxy-config");
 const StaticFileService_1 = require("./services/StaticFileService");
 const static_1 = require("./routes/static");
 const ConfigManager_1 = require("./services/ConfigManager");
-const flags_1 = require("./config/flags");
+const evaluateFlags_1 = require("./config/evaluateFlags");
+const FeatureFlagService_1 = require("./services/FeatureFlagService");
 const mcp_1 = require("./routes/mcp");
+const demo_1 = require("./routes/demo");
+const HostedDemoSessionService_1 = require("./services/HostedDemoSessionService");
+const HostedDemoSessionStore_1 = require("./services/HostedDemoSessionStore");
+const http_proxy_middleware_1 = require("http-proxy-middleware");
+const HostedDemoAuthSessionService_1 = require("./services/HostedDemoAuthSessionService");
+const HostedDemoAuthSessionStore_1 = require("./services/HostedDemoAuthSessionStore");
+const shouldRecordHostedDemoSessionAction_1 = require("./utils/shouldRecordHostedDemoSessionAction");
+const hostedDemoSessionAuthRefresh_1 = require("./services/hostedDemoSessionAuthRefresh");
+const RequestAuthContext_1 = require("./services/RequestAuthContext");
 const log = (0, index_core_1.createLogger)('RivetServer');
 /**
  * Resolve UI dist path for both development and packaged (desktop app) environments
@@ -85,14 +95,17 @@ exports.DIST_UI_PATH = resolveUiPath();
 const startServer = async (options) => {
     const { userPort, userHost, telemetry, projectPath, framework, staticEntry, styleFramework, tailwindConfig, sessionBridge, mcpEditor, skipProcessHandlers, } = options;
     const userPortWithFallback = userPort ?? _1.DEFAULT_USER_PORT;
-    const userHostWithFallback = userHost ?? '127.0.0.1';
+    const userHostWithFallback = userHost ?? 'localhost';
+    const isDemoModeEnabled = options.demoMode?.enabled ?? false;
+    const requiresDemoAuth = options.demoMode?.requireSignedInUsers ?? true;
+    const isGitEnabled = options.isGitEnabled ?? !isDemoModeEnabled;
     if (process.env.SENTRY_DSN) {
         Sentry.init({
             dsn: process.env.SENTRY_DSN,
             environment: process.env.NODE_ENV ?? 'development',
         });
     }
-    const sessionService = new index_core_1.SessionService(projectPath, true);
+    const sessionService = new index_core_1.SessionService(projectPath, isGitEnabled);
     // Initialize git session
     try {
         await sessionService.initializeSession();
@@ -111,12 +124,14 @@ const startServer = async (options) => {
     if (!skipProcessHandlers) {
         const shutdownAndExit = async (code) => {
             log.info('Server shutting down, cleaning up...');
-            if (telemetry) {
-                try {
-                    await telemetry.shutdown();
-                }
-                catch (error) {
-                    log.error('Failed to cleanup telemetry:', error);
+            const results = await Promise.allSettled([
+                telemetry?.shutdown(),
+                (0, FeatureFlagService_1.getFeatureFlagService)().shutdown(),
+            ]);
+            const labels = ['telemetry', 'feature flags'];
+            for (let i = 0; i < results.length; i++) {
+                if (results[i].status === 'rejected') {
+                    log.error(`Failed to cleanup ${labels[i]}:`, results[i].reason);
                 }
             }
             process.exit(code);
@@ -136,24 +151,43 @@ const startServer = async (options) => {
     }
     const listenPort = options.rivetPort ?? _1.DEFAULT_PORT;
     const app = (0, express_1.default)();
+    const corsOrigins = new Set([
+        `http://localhost:${listenPort}`,
+        `http://127.0.0.1:${listenPort}`,
+    ]);
+    const rawCorsOrigins = process.env.RIVET_CORS_ORIGINS;
+    if (rawCorsOrigins) {
+        rawCorsOrigins
+            .split(',')
+            .map((origin) => origin.trim())
+            .filter((origin) => origin.length > 0)
+            .forEach((origin) => corsOrigins.add(origin));
+    }
+    if (isDemoModeEnabled) {
+        corsOrigins.add('https://rivet.design');
+        corsOrigins.add('https://demo.rivet.design');
+    }
     // CORS configuration for local development
     app.use((0, cors_1.default)({
-        origin: [
-            `http://localhost:${listenPort}`,
-            `http://127.0.0.1:${listenPort}`,
-        ],
+        origin: [...corsOrigins],
         credentials: true,
         methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
         allowedHeaders: ['Content-Type', 'Authorization'],
     }));
-    app.use(express_1.default.json({ limit: '50mb' }));
+    const jsonBodyParser = express_1.default.json({ limit: '50mb' });
+    app.use((req, res, next) => {
+        if (req.originalUrl.startsWith('/try/')) {
+            next();
+            return;
+        }
+        jsonBodyParser(req, res, next);
+    });
     // Request logging middleware
     app.use((req, res, next) => {
         log.debug(`${req.method} ${req.originalUrl}`);
         next();
     });
-    // Serve Rivet UI at /rivet
-    app.use('/rivet', express_1.default.static(exports.DIST_UI_PATH, {
+    const uiStaticOptions = {
         setHeaders: (res) => {
             // Prevent aggressive caching of the UI bundle during development
             if (process.env.NODE_ENV !== 'production') {
@@ -162,21 +196,376 @@ const startServer = async (options) => {
                 res.setHeader('Expires', '0');
             }
         },
-    }));
+    };
+    // Serve hashed UI assets from root so both / and /rivet entrypoints can load them.
+    app.use('/assets', express_1.default.static(path_1.default.join(exports.DIST_UI_PATH, 'assets'), uiStaticOptions));
+    // Serve public font files used by auth and hosted demo UI.
+    app.use('/fonts', express_1.default.static(path_1.default.join(exports.DIST_UI_PATH, 'fonts'), uiStaticOptions));
+    // Serve favicon at root for hosted/static deployments.
+    app.get('/favicon.ico', (_req, res) => {
+        res.sendFile('favicon.ico', { root: exports.DIST_UI_PATH });
+    });
+    // Serve Rivet UI at /rivet for non-static modes.
+    if (framework !== 'static') {
+        app.use('/rivet', express_1.default.static(exports.DIST_UI_PATH, uiStaticOptions));
+    }
     log.info(`Serving UI assets from: ${exports.DIST_UI_PATH}`);
-    // Static mode - redirect root to /rivet (no dev server to proxy to)
+    // Static mode - use root entrypoint for Rivet UI (no dev server to proxy to)
     if (framework === 'static') {
         app.get('/', (req, res) => {
-            log.debug(`${framework} mode - redirecting to /rivet`);
-            res.redirect('/rivet');
+            log.debug(`${framework} mode - serving Rivet at root`);
+            res.sendFile('index.html', { root: exports.DIST_UI_PATH });
         });
     }
     // For web frameworks, root route falls through to catch-all proxy (no special handling needed)
+    const getBearerTokenFromHeader = (authorizationHeader) => {
+        if (typeof authorizationHeader !== 'string') {
+            return undefined;
+        }
+        if (!authorizationHeader.startsWith('Bearer ')) {
+            return undefined;
+        }
+        const token = authorizationHeader.slice('Bearer '.length).trim();
+        return token.length > 0 ? token : undefined;
+    };
+    /**
+     * @effect Hydrates request auth context from Authorization header for all modes.
+     * @deps Runs per request and reads req.headers.authorization.
+     */
+    app.use((req, _res, next) => {
+        const headerToken = getBearerTokenFromHeader(req.headers.authorization);
+        if (!headerToken) {
+            next();
+            return;
+        }
+        (0, RequestAuthContext_1.runWithRequestAuthContext)({ token: headerToken }, () => {
+            next();
+        });
+    });
+    const demoAuthSessionService = isDemoModeEnabled
+        ? new HostedDemoAuthSessionService_1.HostedDemoAuthSessionService({
+            store: options.demoMode?.authRedisUrl
+                ? new HostedDemoAuthSessionStore_1.RedisHostedDemoAuthSessionStore({
+                    redisUrl: options.demoMode.authRedisUrl,
+                    keyPrefix: options.demoMode.authRedisKeyPrefix ??
+                        'rivet:hosted-demo:auth-session',
+                })
+                : undefined,
+        })
+        : null;
+    if (demoAuthSessionService) {
+        await demoAuthSessionService.initialize();
+    }
+    if (demoAuthSessionService) {
+        app.use(async (req, res, next) => {
+            try {
+                const sessionId = demoAuthSessionService.getOrCreateSessionId(req, res);
+                const auth = await (0, hostedDemoSessionAuthRefresh_1.resolveHostedDemoSessionAuthWithRefresh)({
+                    demoAuthSessionService,
+                    sessionId,
+                    res,
+                    getProxyUrl: () => (0, ConfigManager_1.getConfigManager)().getProxyUrl(),
+                });
+                const headerToken = getBearerTokenFromHeader(req.headers.authorization);
+                res.locals.demoAuthSessionId = sessionId;
+                (0, RequestAuthContext_1.runWithRequestAuthContext)({
+                    token: auth?.token ?? headerToken,
+                    refreshToken: auth?.refreshToken,
+                    email: auth?.email,
+                }, () => {
+                    next();
+                });
+            }
+            catch (error) {
+                next(error);
+            }
+        });
+    }
+    const isDemoRequestAuthenticated = (req) => {
+        if (!isDemoModeEnabled || !requiresDemoAuth) {
+            return true;
+        }
+        return Boolean(demoAuthSessionService?.getAuthForRequest(req));
+    };
+    const getDemoRequestOwnerUserId = (req) => {
+        if (!requiresDemoAuth) {
+            return null;
+        }
+        const cookieAuthEmail = demoAuthSessionService
+            ?.getAuthForRequest(req)
+            ?.email?.trim()
+            .toLowerCase();
+        if (cookieAuthEmail) {
+            return cookieAuthEmail;
+        }
+        const email = (0, ConfigManager_1.getConfigManager)().getEmail();
+        if (!email) {
+            return null;
+        }
+        return email.trim().toLowerCase();
+    };
+    const isDemoAuthExemptApiPath = (pathName) => {
+        if (pathName === '/config' || pathName === '/health' || pathName === '/auth/store') {
+            return true;
+        }
+        if (pathName === '/demo/session' || pathName.startsWith('/demo/session/')) {
+            return true;
+        }
+        return false;
+    };
+    const isHostedRootApiPath = (pathName) => {
+        if (pathName === '/config' ||
+            pathName === '/health' ||
+            pathName === '/auth/store' ||
+            pathName === '/support') {
+            return true;
+        }
+        if (pathName === '/demo/session' || pathName.startsWith('/demo/session/')) {
+            return true;
+        }
+        return false;
+    };
+    let demoSessionService = null;
+    if (isDemoModeEnabled && options.demoMode?.allowSessionProvisioning !== false) {
+        const sessionMetadataRedisUrl = options.demoMode?.sessionMetadataRedisUrl ??
+            options.demoMode?.authRedisUrl;
+        const sessionMetadataStore = sessionMetadataRedisUrl
+            ? new HostedDemoSessionStore_1.RedisHostedDemoSessionStore({
+                redisUrl: sessionMetadataRedisUrl,
+                keyPrefix: options.demoMode?.sessionMetadataRedisKeyPrefix ??
+                    'rivet:hosted-demo:demo-session',
+            })
+            : undefined;
+        demoSessionService = new HostedDemoSessionService_1.HostedDemoSessionService({
+            repoPath: projectPath,
+            telemetry,
+            templateProjectPath: options.demoMode?.templateProjectPath ?? 'examples/microsoft-paint',
+            worktreesRootPath: options.demoMode?.worktreesRootPath,
+            sessionTtlMs: options.demoMode?.sessionTtlMs,
+            sessionIdleTtlMs: options.demoMode?.sessionIdleTtlMs,
+            maxActiveSessions: options.demoMode?.maxActiveSessions,
+            baseRivetPort: options.demoMode?.baseRivetPort,
+            publicBaseUrl: options.demoMode?.publicBaseUrl,
+            sessionMetadataStore,
+        });
+        await demoSessionService.initialize();
+    }
+    if (isDemoModeEnabled && requiresDemoAuth) {
+        app.use('/api', (req, res, next) => {
+            if (isDemoAuthExemptApiPath(req.path)) {
+                next();
+                return;
+            }
+            if (!isDemoRequestAuthenticated(req)) {
+                res.status(401).json({ error: 'Authentication required' });
+                return;
+            }
+            next();
+        });
+    }
+    if (demoSessionService) {
+        const activeSessionApiProxy = (0, http_proxy_middleware_1.createProxyMiddleware)({
+            changeOrigin: true,
+            pathRewrite: (pathName) => `/api${pathName}`,
+            on: {
+                proxyReq: (proxyReq, req) => {
+                    (0, http_proxy_middleware_1.fixRequestBody)(proxyReq, req);
+                },
+            },
+            router: (req) => {
+                const activeDemoSessionId = demoAuthSessionService?.getActiveDemoSessionIdForRequest(req) ?? null;
+                if (!activeDemoSessionId) {
+                    return undefined;
+                }
+                return demoSessionService.getSessionProxyTarget(activeDemoSessionId) ?? undefined;
+            },
+        });
+        app.use('/api', (req, res, next) => {
+            if (isHostedRootApiPath(req.path)) {
+                next();
+                return;
+            }
+            const activeDemoSessionId = demoAuthSessionService?.getActiveDemoSessionIdForRequest(req) ?? null;
+            if (!activeDemoSessionId) {
+                res.status(409).json({
+                    error: 'No active demo session. Call /api/demo/session first.',
+                });
+                return;
+            }
+            const sessionOwnerUserId = demoSessionService.getSessionOwnerUserId(activeDemoSessionId);
+            const requestOwnerUserId = getDemoRequestOwnerUserId(req);
+            if (requiresDemoAuth &&
+                sessionOwnerUserId &&
+                requestOwnerUserId &&
+                sessionOwnerUserId !== requestOwnerUserId) {
+                res.status(403).json({ error: 'Session access denied' });
+                return;
+            }
+            const auth = demoAuthSessionService?.getAuthForRequest(req);
+            if (auth?.token) {
+                req.headers.authorization = `Bearer ${auth.token}`;
+            }
+            void (async () => {
+                try {
+                    await demoSessionService.ensureRuntimeReady(activeDemoSessionId);
+                }
+                catch (error) {
+                    const message = error instanceof Error ? error.message : '';
+                    if (message === 'Session not found') {
+                        demoAuthSessionService?.clearActiveDemoSessionIdForRequest(req, res);
+                        if (!res.headersSent) {
+                            res.status(409).json({
+                                error: 'No active demo session. Call /api/demo/session first.',
+                            });
+                        }
+                        return;
+                    }
+                    log.warn('Hosted demo runtime rehydration failed for active session API', error);
+                    if (!res.headersSent) {
+                        res.status(503).json({
+                            error: 'Demo session runtime unavailable',
+                        });
+                    }
+                    return;
+                }
+                const target = demoSessionService.getSessionProxyTarget(activeDemoSessionId);
+                if (!target) {
+                    demoAuthSessionService?.clearActiveDemoSessionIdForRequest(req, res);
+                    if (!res.headersSent) {
+                        res.status(409).json({
+                            error: 'No active demo session. Call /api/demo/session first.',
+                        });
+                    }
+                    return;
+                }
+                if ((0, shouldRecordHostedDemoSessionAction_1.shouldRecordHostedDemoSessionAction)(req)) {
+                    try {
+                        await demoSessionService.recordSessionAction(activeDemoSessionId);
+                    }
+                    catch (error) {
+                        log.warn('Failed to persist hosted demo session action timestamp', error);
+                    }
+                }
+                activeSessionApiProxy(req, res, next);
+            })();
+        });
+    }
     // API routes for Rivet functionality
     app.use('/api', (0, components_1.createComponentRouter)(projectPath, telemetry));
     app.use('/api', (0, modifications_1.createModificationRouter)(projectPath, telemetry));
     app.use('/api', (0, design_1.createDesignRouter)(projectPath));
-    app.use('/api', (0, git_1.createGitRouter)(sessionService, projectPath));
+    if (!isGitEnabled) {
+        log.info('Git routes disabled for this server instance');
+    }
+    app.use('/api', (0, git_1.createGitRouter)(sessionService, projectPath, { isGitEnabled }));
+    let trySessionProxy = null;
+    if (demoSessionService) {
+        app.use('/api', (0, demo_1.createDemoRouter)(demoSessionService, {
+            requireSignedInUsers: requiresDemoAuth,
+            getActiveDemoSessionIdForRequest: demoAuthSessionService
+                ? (req) => demoAuthSessionService.getActiveDemoSessionIdForRequest(req)
+                : undefined,
+            storeActiveDemoSessionIdForRequest: demoAuthSessionService
+                ? (req, res, demoSessionId) => demoAuthSessionService.storeActiveDemoSessionIdForRequest(req, res, demoSessionId)
+                : undefined,
+            clearActiveDemoSessionIdForRequest: demoAuthSessionService
+                ? (req, res) => demoAuthSessionService.clearActiveDemoSessionIdForRequest(req, res)
+                : undefined,
+            telemetry,
+            deploymentEnv: process.env.NODE_ENV ?? 'development',
+        }));
+        const mountedTrySessionProxy = (0, http_proxy_middleware_1.createProxyMiddleware)({
+            changeOrigin: true,
+            ws: true,
+            router: (req) => {
+                const sessionIdParam = req.params.sessionId;
+                const sessionId = Array.isArray(sessionIdParam)
+                    ? sessionIdParam[0]
+                    : sessionIdParam;
+                return demoSessionService.getSessionProxyTarget(sessionId) ?? undefined;
+            },
+        });
+        trySessionProxy = mountedTrySessionProxy;
+        // Browsers resolve default favicon relative to the document URL under /try/:id/,
+        // so requests hit this path instead of /. Serve the Rivet UI favicon here too.
+        app.get('/try/:sessionId/favicon.ico', (_req, res) => {
+            res.sendFile('favicon.ico', { root: exports.DIST_UI_PATH });
+        });
+        app.use('/try/:sessionId', (req, res, next) => {
+            if (!isDemoRequestAuthenticated(req)) {
+                if (req.accepts('html')) {
+                    res.redirect('/');
+                    return;
+                }
+                res.status(401).json({ error: 'Authentication required' });
+                return;
+            }
+            const sessionIdParam = req.params.sessionId;
+            const sessionId = Array.isArray(sessionIdParam)
+                ? sessionIdParam[0]
+                : sessionIdParam;
+            const sessionOwnerUserId = demoSessionService.getSessionOwnerUserId(sessionId);
+            const requestOwnerUserId = getDemoRequestOwnerUserId(req);
+            if (requiresDemoAuth &&
+                sessionOwnerUserId &&
+                requestOwnerUserId &&
+                sessionOwnerUserId !== requestOwnerUserId) {
+                res.status(403).json({ error: 'Session access denied' });
+                return;
+            }
+            const auth = demoAuthSessionService?.getAuthForRequest(req);
+            if (auth?.token) {
+                req.headers.authorization = `Bearer ${auth.token}`;
+            }
+            void (async () => {
+                try {
+                    await demoSessionService.ensureRuntimeReady(sessionId);
+                }
+                catch (error) {
+                    const message = error instanceof Error ? error.message : '';
+                    if (message === 'Session not found') {
+                        demoAuthSessionService?.clearActiveDemoSessionIdForRequest(req, res);
+                        telemetry?.trackTryoutProxySessionMissing({
+                            demoSessionId: sessionId,
+                            deploymentEnv: process.env.NODE_ENV ?? 'development',
+                        });
+                        if (!res.headersSent) {
+                            res.status(404).json({ error: 'Session not found' });
+                        }
+                        return;
+                    }
+                    log.warn('Hosted demo runtime rehydration failed for try session', error);
+                    if (!res.headersSent) {
+                        res.status(503).json({
+                            error: 'Demo session runtime unavailable',
+                        });
+                    }
+                    return;
+                }
+                const target = demoSessionService.getSessionProxyTarget(sessionId);
+                if (!target) {
+                    demoAuthSessionService?.clearActiveDemoSessionIdForRequest(req, res);
+                    telemetry?.trackTryoutProxySessionMissing({
+                        demoSessionId: sessionId,
+                        deploymentEnv: process.env.NODE_ENV ?? 'development',
+                    });
+                    if (!res.headersSent) {
+                        res.status(404).json({ error: 'Session not found' });
+                    }
+                    return;
+                }
+                if ((0, shouldRecordHostedDemoSessionAction_1.shouldRecordHostedDemoSessionAction)(req)) {
+                    try {
+                        await demoSessionService.recordSessionAction(sessionId);
+                    }
+                    catch (error) {
+                        log.warn('Failed to persist hosted demo session action timestamp', error);
+                    }
+                }
+                mountedTrySessionProxy(req, res, next);
+            })();
+        });
+    }
     app.use('/api', (0, tokens_1.createTokenRouter)(projectPath, styleFramework, tailwindConfig));
     app.use('/api', (0, support_1.createSupportRouter)(telemetry));
     // Static routes (only for static projects)
@@ -197,28 +586,80 @@ const startServer = async (options) => {
         });
     });
     // Config endpoint
-    app.get('/api/config', (req, res) => {
+    app.get('/api/config', async (req, res) => {
         const configManager = (0, ConfigManager_1.getConfigManager)();
+        const demoSessionId = res.locals.demoAuthSessionId;
+        const demoAuth = demoAuthSessionService?.getAuthForSessionId(demoSessionId ?? '');
+        const isAuthenticatedInDemoMode = Boolean(demoAuth?.token);
+        const isAuthenticated = demoAuthSessionService
+            ? isAuthenticatedInDemoMode
+            : configManager.isAuthenticated();
+        const email = demoAuthSessionService ? demoAuth?.email : configManager.getEmail();
+        const activeDemoSessionId = demoAuth?.activeDemoSessionId ?? null;
+        const activeSession = activeDemoSessionId
+            ? demoSessionService?.getSession(activeDemoSessionId)
+            : null;
+        const featureFlags = await (0, evaluateFlags_1.getFeatureFlags)();
         res.json({
-            agentModeAvailable: configManager.isAuthenticated(),
-            email: configManager.getEmail(),
+            agentModeAvailable: isAuthenticated,
+            email,
+            activeDemoSessionId,
             isMCPSession: sessionBridge?.isActive() ?? false,
             mcpEditor: mcpEditor ?? null,
-            featureFlags: (0, flags_1.getFeatureFlags)(),
-            projectPath,
+            featureFlags,
+            projectPath: activeSession?.projectPath ?? projectPath,
+            demoMode: isDemoModeEnabled,
         });
     });
-    // Store auth credentials locally after browser-based OAuth completion.
-    // The OAuth callback in the UI sends tokens to the proxy for validation,
-    // but the local ConfigManager also needs the email and tokens so that
-    // /api/config returns the email on subsequent page loads.
+    // Store auth credentials after browser-based OAuth completion.
+    // Hosted demo mode stores auth by browser session; non-demo keeps local config behavior.
     app.post('/api/auth/store', (req, res) => {
         const { email, token, refreshToken } = req.body ?? {};
         if (!email || !token) {
+            if (demoAuthSessionService) {
+                telemetry?.trackTryoutAuthStoreFailed({
+                    reason: 'missing_email_or_token',
+                    statusCode: 400,
+                    deploymentEnv: process.env.NODE_ENV ?? 'development',
+                });
+            }
             return res.status(400).json({ error: 'Missing email or token' });
         }
-        const configManager = (0, ConfigManager_1.getConfigManager)();
-        configManager.setAuth(token, email, refreshToken);
+        try {
+            if (demoAuthSessionService) {
+                const sessionId = res.locals.demoAuthSessionId;
+                const demoSessionId = sessionId
+                    ? demoAuthSessionService.storeAuthForSessionId(sessionId, res, {
+                        token,
+                        email,
+                        refreshToken,
+                    })
+                    : demoAuthSessionService.storeAuthForRequest(req, res, {
+                        token,
+                        email,
+                        refreshToken,
+                    });
+                telemetry?.trackTryoutAuthStoreCompleted({
+                    demoSessionId,
+                    hasRefreshToken: Boolean(refreshToken),
+                    deploymentEnv: process.env.NODE_ENV ?? 'development',
+                });
+            }
+            else {
+                const configManager = (0, ConfigManager_1.getConfigManager)();
+                configManager.setAuth(token, email, refreshToken);
+            }
+        }
+        catch (error) {
+            if (demoAuthSessionService) {
+                telemetry?.trackTryoutAuthStoreFailed({
+                    reason: error instanceof Error ? error.message : 'auth_store_failed',
+                    statusCode: 500,
+                    deploymentEnv: process.env.NODE_ENV ?? 'development',
+                });
+            }
+            return res.status(500).json({ error: 'Failed to store auth credentials' });
+        }
         telemetry?.identifyUser();
         log.info(`Stored auth for ${email} via browser OAuth`);
         res.json({ success: true });
@@ -253,6 +694,12 @@ const startServer = async (options) => {
     }
     // Global error handler — catches errors passed via next(err) in route handlers
     app.use((err, req, res, _next) => {
+        const requestAborted = err.code === 'ECONNABORTED' ||
+            err.type === 'request.aborted';
+        if (requestAborted) {
+            log.debug('Request aborted by client');
+            return;
+        }
         log.error('Unhandled route error:', err);
         telemetry?.captureException(err, 'express_error_handler');
         if (!res.headersSent) {
@@ -279,8 +726,46 @@ const startServer = async (options) => {
         });
         // Handle WebSocket upgrade requests
         server.on('upgrade', (req, socket, head) => {
-            const pathname = req.url;
+            const pathname = req.url?.split('?')[0] ?? '';
             log.debug(`WebSocket upgrade request for: ${pathname}`);
+            const trySessionMatch = /^\/try\/([^/]+)/.exec(pathname);
+            if (trySessionMatch && trySessionProxy?.upgrade && demoSessionService) {
+                const sessionId = trySessionMatch[1];
+                void (async () => {
+                    try {
+                        await demoSessionService.ensureRuntimeReady(sessionId);
+                    }
+                    catch {
+                        socket.destroy();
+                        return;
+                    }
+                    const target = demoSessionService.getSessionProxyTarget(sessionId);
+                    if (!target) {
+                        socket.destroy();
+                        return;
+                    }
+                    if (requiresDemoAuth) {
+                        const auth = demoAuthSessionService?.getAuthForRequest(req);
+                        if (!auth?.token) {
+                            log.debug('Rejecting unauthenticated hosted demo upgrade request');
+                            socket.destroy();
+                            return;
+                        }
+                        const sessionOwnerUserId = demoSessionService.getSessionOwnerUserId(sessionId);
+                        const requestOwnerUserId = auth.email?.trim().toLowerCase() ?? null;
+                        if (sessionOwnerUserId &&
+                            requestOwnerUserId &&
+                            sessionOwnerUserId !== requestOwnerUserId) {
+                            log.debug('Rejecting non-owner hosted demo upgrade request');
+                            socket.destroy();
+                            return;
+                        }
+                    }
+                    log.debug('Proxying upgrade to hosted demo session for HMR');
+                    trySessionProxy.upgrade(req, socket, head);
+                })();
+                return;
+            }
             // Proxy to user's dev server for HMR
             if (framework !== 'static' && userDevProxy?.upgrade) {
                 log.debug('Proxying upgrade to user dev server for HMR');
@@ -295,10 +780,20 @@ const startServer = async (options) => {
     return {
         close: () => new Promise((resolve, reject) => {
             httpServer.close((err) => {
-                if (err)
+                if (err) {
                     reject(err);
-                else
+                    return;
+                }
+                void (async () => {
+                    if (demoSessionService) {
+                        await demoSessionService.shutdown();
+                    }
+                    demoAuthSessionService?.shutdown();
+                    if (telemetry) {
+                        await telemetry.shutdown();
+                    }
                     resolve();
+                })();
             });
             // Destroy all active connections so close() resolves immediately
             for (const socket of activeSockets) {