sema-cli 0.1.0

package/experiments/spike-shell-stream/relay-server/server.js

@@ -0,0 +1,1085 @@
+const crypto = require("node:crypto");
+const fs = require("node:fs");
+const http = require("node:http");
+const path = require("node:path");
+
+const PORT = Number(process.env.PORT || 8787);
+const HOST = process.env.HOST || "0.0.0.0";
+const HISTORY_LIMIT = 64 * 1024;
+const CODE_EXPIRE_MS = 10 * 60 * 1000; // 10 minutes
+const SESSION_GRACE_MS = 60 * 1000; // 60 seconds after all clients disconnect
+const CLEANUP_INTERVAL_MS = 60 * 1000; // 60 seconds
+const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 minute
+const RATE_LIMIT_MAX = 5; // 5 attempts per window per IP
+const WS_RATE_WINDOW_MS = 60 * 1000; // 1 minute
+const WS_RATE_MAX = 3; // 3 key_exchanges per window per device
+const CODE_CHARSET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"; // no 0/O/1/I/L
+// Env-configurable so production (Railway/Fly) can mount a persistent volume.
+// Local dev keeps the relative path (experiments/data/).
+const DATA_DIR = process.env.DATA_DIR || path.join(__dirname, "../../data");
+const EVENTS_FILE = path.join(DATA_DIR, "events.jsonl");
+const WAITLIST_FILE = path.join(DATA_DIR, "waitlist.jsonl");
+
+// Ensure data directory exists
+fs.mkdirSync(DATA_DIR, { recursive: true });
+
+// --- State ---
+
+const sessions = new Map();
+const pendingCodes = new Map(); // code → {sessionId, macToken, createdAt}
+const rateLimits = new Map(); // ip → {count, resetAt}
+const wsRateLimits = new Map(); // "sessionId:deviceId" → {count, resetAt}
+
+// --- Helpers ---
+
+function generateCode() {
+  const bytes = crypto.randomBytes(6);
+  let code = "";
+  for (let i = 0; i < 6; i++) {
+    code += CODE_CHARSET[bytes[i] % CODE_CHARSET.length];
+  }
+  // Format as XXX-XXX
+  return `${code.slice(0, 3)}-${code.slice(3)}`;
+}
+
+function generateToken() {
+  return crypto.randomBytes(32).toString("hex");
+}
+
+function generateSessionId() {
+  return crypto.randomBytes(16).toString("hex");
+}
+
+function getSession(sessionId) {
+  if (!sessions.has(sessionId)) {
+    sessions.set(sessionId, {
+      id: sessionId,
+      mac: null,
+      mobiles: new Set(),
+      history: "",
+      alertActive: false,
+      lastSmartAlert: null,
+      macToken: null,
+      mobileToken: null,
+      emptySince: null,
+      macPublicKey: null,
+      devices: new Map(),
+      mobileSockets: new Map(),
+      command: null,
+      createdAt: Date.now(),
+      pendingCode: null,
+    });
+  }
+  return sessions.get(sessionId);
+}
+
+function appendHistory(session, text) {
+  session.history += text;
+  if (session.history.length > HISTORY_LIMIT) {
+    session.history = session.history.slice(session.history.length - HISTORY_LIMIT);
+  }
+}
+
+function logEvent(type, data) {
+  try {
+    const event = { t: new Date().toISOString(), type, ...data };
+    fs.appendFileSync(EVENTS_FILE, JSON.stringify(event) + "\n");
+  } catch {
+    // Analytics failure should not crash the server
+  }
+}
+
+function checkRateLimit(ip) {
+  const now = Date.now();
+  let entry = rateLimits.get(ip);
+
+  if (!entry || now >= entry.resetAt) {
+    entry = { count: 0, resetAt: now + RATE_LIMIT_WINDOW_MS };
+    rateLimits.set(ip, entry);
+  }
+
+  entry.count++;
+  if (entry.count > RATE_LIMIT_MAX) {
+    const retryAfter = Math.ceil((entry.resetAt - now) / 1000);
+    return { allowed: false, retryAfter };
+  }
+
+  return { allowed: true };
+}
+
+function checkWsRateLimit(key) {
+  const now = Date.now();
+  let entry = wsRateLimits.get(key);
+  if (!entry || now >= entry.resetAt) {
+    entry = { count: 0, resetAt: now + WS_RATE_WINDOW_MS };
+    wsRateLimits.set(key, entry);
+  }
+  entry.count++;
+  if (entry.count > WS_RATE_MAX) {
+    const retryAfter = Math.ceil((entry.resetAt - now) / 1000);
+    return { allowed: false, retryAfter };
+  }
+  return { allowed: true };
+}
+
+function isPrivateIp(ip) {
+  const normalized = ip.replace(/^::ffff:/, "");
+  if (normalized === "127.0.0.1" || normalized === "::1" || normalized === "localhost") return true;
+  if (/^10\./.test(normalized)) return true;
+  if (/^172\.(1[6-9]|2\d|3[01])\./.test(normalized)) return true;
+  if (/^192\.168\./.test(normalized)) return true;
+  // Tailscale CGNAT (100.64.0.0/10)
+  if (/^100\.(6[4-9]|[7-9]\d|1([01]\d|2[0-7]))\./.test(normalized)) return true;
+  return false;
+}
+
+function cleanup() {
+  const now = Date.now();
+
+  // Expire unused codes
+  for (const [code, entry] of pendingCodes) {
+    if (now - entry.createdAt > CODE_EXPIRE_MS) {
+      console.log(`[relay] code expired: ${code}`);
+      pendingCodes.delete(code);
+      // Clear pendingCode on the session so inbox shows "code unavailable"
+      const session = sessions.get(entry.sessionId);
+      if (session && session.pendingCode === code) {
+        session.pendingCode = null;
+      }
+    }
+  }
+
+  // Clean up empty sessions (no clients for grace period)
+  for (const [id, session] of sessions) {
+    if (!session.mac && session.mobiles.size === 0) {
+      if (!session.emptySince) {
+        session.emptySince = now;
+      } else if (now - session.emptySince > SESSION_GRACE_MS) {
+        console.log(`[relay] session cleaned: ${id}`);
+        logEvent("session.cleaned", { sessionId: id, lifetimeMs: now - session.createdAt });
+        sessions.delete(id);
+      }
+    } else {
+      session.emptySince = null;
+    }
+  }
+
+  // Clean up expired rate limit entries
+  for (const [ip, entry] of rateLimits) {
+    if (now >= entry.resetAt) rateLimits.delete(ip);
+  }
+  for (const [key, entry] of wsRateLimits) {
+    if (now >= entry.resetAt) wsRateLimits.delete(key);
+  }
+}
+
+// --- WebSocket framing ---
+
+function sendFrame(socket, data) {
+  if (socket.destroyed) return;
+
+  const payload = Buffer.from(data);
+  let header;
+
+  if (payload.length < 126) {
+    header = Buffer.from([0x81, payload.length]);
+  } else if (payload.length < 65536) {
+    header = Buffer.alloc(4);
+    header[0] = 0x81;
+    header[1] = 126;
+    header.writeUInt16BE(payload.length, 2);
+  } else {
+    header = Buffer.alloc(10);
+    header[0] = 0x81;
+    header[1] = 127;
+    header.writeBigUInt64BE(BigInt(payload.length), 2);
+  }
+
+  socket.write(Buffer.concat([header, payload]));
+}
+
+function sendJson(client, message) {
+  sendFrame(client.socket, JSON.stringify(message));
+}
+
+function broadcastStatus(session) {
+  const message = {
+    type: "status",
+    sessionId: session.id,
+    macConnected: Boolean(session.mac),
+    mobileCount: session.mobiles.size,
+  };
+
+  if (session.mac) sendJson(session.mac, message);
+  for (const mobile of session.mobiles) sendJson(mobile, message);
+}
+
+function routeMessage(sender, message) {
+  const session = sessions.get(sender.sessionId);
+  if (!session) return;
+
+  // --- Key exchange: mobile sends public key → relay stores + forwards to mac ---
+  if (sender.role === "mobile" && message.type === "key_exchange") {
+    if (!session.mac) return;
+
+    if (!message.deviceId) {
+      console.error("[relay] key_exchange missing deviceId, rejected");
+      return;
+    }
+
+    // Rate limit key_exchange per session+device
+    const rlKey = `${sender.sessionId}:${message.deviceId}`;
+    const rl = checkWsRateLimit(rlKey);
+    if (!rl.allowed) {
+      console.warn(`[relay] key_exchange rate limited: ${rlKey}`);
+      sendJson(sender, {
+        type: "error",
+        sessionId: sender.sessionId,
+        message: `Too many key exchanges. Wait ${rl.retryAfter}s.`,
+      });
+      return;
+    }
+
+    const mobileId = message.deviceId;
+    sender.deviceId = mobileId;
+    session.devices.set(mobileId, {
+      publicKey: message.publicKey,
+      lastSeen: Date.now(),
+    });
+    session.mobileSockets.set(mobileId, sender);
+
+    console.log(`[relay] key_exchange session=${session.id} device=${mobileId}`);
+    logEvent("key_exchange.completed", { sessionId: session.id });
+    sendJson(session.mac, {
+      type: "key_exchange",
+      deviceId: mobileId,
+      publicKey: message.publicKey,
+    });
+    return;
+  }
+
+  // --- Device revoked: relay tells mac to drop key for a device ---
+  if (sender.role === "mac" && message.type === "device_revoked") {
+    console.log(`[relay] device_revoked session=${session.id} device=${message.deviceId}`);
+    return;
+  }
+
+  if (sender.role === "mac" && message.type === "output") {
+    // Clear stale alert state — CLI has continued past the prompt
+    if (session.alertActive) {
+      session.alertActive = false;
+      session.lastSmartAlert = null;
+    }
+    appendHistory(session, JSON.stringify(message));
+    console.log(`[relay] output session=${session.id} bytes=${Buffer.byteLength(JSON.stringify(message))}`);
+
+    // E2E: route to specific device if deviceId present
+    if (message.deviceId) {
+      const target = session.mobileSockets.get(message.deviceId);
+      if (target) sendJson(target, message);
+      return;
+    }
+
+    // Plaintext fallback: broadcast to all mobiles
+    for (const mobile of session.mobiles) {
+      sendJson(mobile, {
+        type: "output",
+        sessionId: session.id,
+        data: message.data || "",
+      });
+    }
+    return;
+  }
+
+  if (sender.role === "mac" && message.type === "key_ack") {
+    // Route key_ack to specific device
+    if (message.deviceId) {
+      const target = session.mobileSockets.get(message.deviceId);
+      if (target) sendJson(target, message);
+    }
+    return;
+  }
+
+  // key_rotation: mac → relay → specific mobile device
+  if (sender.role === "mac" && message.type === "key_rotation") {
+    if (message.deviceId) {
+      const target = session.mobileSockets.get(message.deviceId);
+      if (target) sendJson(target, message);
+    }
+    return;
+  }
+
+  // key_rot_ack: mobile → relay → mac
+  if (sender.role === "mobile" && message.type === "key_rot_ack") {
+    if (session.mac) sendJson(session.mac, message);
+    return;
+  }
+
+  if (sender.role === "mac" && message.type === "alert") {
+    session.alertActive = true;
+    console.log(`[relay] alert session=${session.id} reason=${message.reason || "idle"}`);
+    logEvent("alert.sent", { sessionId: session.id, kind: "alert" });
+    for (const mobile of session.mobiles) {
+      sendJson(mobile, {
+        type: "alert",
+        sessionId: session.id,
+        reason: message.reason || "idle",
+      });
+    }
+    return;
+  }
+
+  if (sender.role === "mac" && message.type === "smart_alert") {
+    session.alertActive = true;
+    session.lastSmartAlert = message;
+    console.log(`[relay] smart_alert session=${session.id} kind=${message.kind || "encrypted"}`);
+    logEvent("alert.sent", { sessionId: session.id, kind: "smart_alert" });
+
+    // E2E: route to specific device
+    if (message.deviceId) {
+      const target = session.mobileSockets.get(message.deviceId);
+      if (target) sendJson(target, message);
+      return;
+    }
+
+    // Plaintext fallback
+    for (const mobile of session.mobiles) {
+      sendJson(mobile, session.lastSmartAlert);
+    }
+    return;
+  }
+
+  if (sender.role === "mobile" && (message.type === "input" || message.type === "resize")) {
+    if (message.type === "input" && session.alertActive) {
+      session.alertActive = false;
+    }
+    console.log(`[relay] ${message.type} session=${session.id} bytes=${Buffer.byteLength(JSON.stringify(message))}`);
+    if (!session.mac) {
+      sendJson(sender, {
+        type: "error",
+        sessionId: session.id,
+        message: "Mac Agent is not connected.",
+      });
+      return;
+    }
+
+    sendJson(session.mac, message);
+    console.log(`[relay] ${message.type} forwarded session=${session.id}`);
+    return;
+  }
+}
+
+function parseFrames(client, chunk) {
+  client.buffer = Buffer.concat([client.buffer, chunk]);
+
+  while (client.buffer.length >= 2) {
+    const firstByte = client.buffer[0];
+    const secondByte = client.buffer[1];
+    const opcode = firstByte & 0x0f;
+    const masked = Boolean(secondByte & 0x80);
+    let payloadLength = secondByte & 0x7f;
+    let offset = 2;
+
+    if (payloadLength === 126) {
+      if (client.buffer.length < offset + 2) return;
+      payloadLength = client.buffer.readUInt16BE(offset);
+      offset += 2;
+    } else if (payloadLength === 127) {
+      if (client.buffer.length < offset + 8) return;
+      const bigLength = client.buffer.readBigUInt64BE(offset);
+      if (bigLength > BigInt(Number.MAX_SAFE_INTEGER)) {
+        client.socket.destroy();
+        return;
+      }
+      payloadLength = Number(bigLength);
+      offset += 8;
+    }
+
+    const maskLength = masked ? 4 : 0;
+    const frameLength = offset + maskLength + payloadLength;
+    if (client.buffer.length < frameLength) return;
+
+    let payload = client.buffer.slice(offset + maskLength, frameLength);
+
+    if (masked) {
+      const mask = client.buffer.slice(offset, offset + 4);
+      payload = Buffer.from(payload.map((byte, index) => byte ^ mask[index % 4]));
+    }
+
+    client.buffer = client.buffer.slice(frameLength);
+
+    if (opcode === 0x8) {
+      client.socket.end();
+      return;
+    }
+
+    if (opcode === 0x9) {
+      sendFrame(client.socket, "");
+      continue;
+    }
+
+    if (opcode !== 0x1) continue;
+
+    try {
+      routeMessage(client, JSON.parse(payload.toString("utf8")));
+    } catch (error) {
+      sendJson(client, {
+        type: "error",
+        sessionId: client.sessionId,
+        message: "Invalid JSON message.",
+      });
+    }
+  }
+}
+
+// --- Client registration (WebSocket) ---
+
+function registerClient(socket, request) {
+  const url = new URL(request.url, `http://${request.headers.host}`);
+  const role = url.searchParams.get("role");
+  const sessionId = url.searchParams.get("sessionId");
+  const sessionToken = url.searchParams.get("sessionToken");
+
+  if (!["mac", "mobile"].includes(role)) {
+    socket.destroy();
+    return;
+  }
+
+  if (!sessionId || !sessionToken) {
+    // Send close frame with error message before destroying
+    sendFrame(socket, JSON.stringify({
+      type: "error",
+      message: "Missing sessionId or sessionToken. Use /pair to connect.",
+    }));
+    setTimeout(() => socket.destroy(), 100);
+    return;
+  }
+
+  const session = sessions.get(sessionId);
+  if (!session) {
+    sendFrame(socket, JSON.stringify({
+      type: "error",
+      message: "Session expired. Please re-pair.",
+    }));
+    setTimeout(() => socket.destroy(), 100);
+    return;
+  }
+
+  // Validate token based on role
+  if (role === "mac" && session.macToken !== sessionToken) {
+    sendFrame(socket, JSON.stringify({
+      type: "error",
+      sessionId,
+      message: "Invalid session token.",
+    }));
+    setTimeout(() => socket.destroy(), 100);
+    return;
+  }
+
+  if (role === "mobile" && session.mobileToken !== sessionToken) {
+    sendFrame(socket, JSON.stringify({
+      type: "error",
+      sessionId,
+      message: "Invalid session token.",
+    }));
+    setTimeout(() => socket.destroy(), 100);
+    return;
+  }
+
+  const client = {
+    socket,
+    role,
+    sessionId,
+    buffer: Buffer.alloc(0),
+    connectedAt: Date.now(),
+  };
+
+  if (role === "mac") {
+    if (session.mac) session.mac.socket.destroy();
+    session.mac = client;
+    session.emptySince = null;
+  } else {
+    session.mobiles.add(client);
+    session.emptySince = null;
+    // Skip history replay when E2E is enabled (history contains ciphertext that new key can't decrypt)
+    if (session.history && !session.macPublicKey) {
+      sendJson(client, {
+        type: "output",
+        sessionId,
+        data: session.history,
+        replay: true,
+      });
+    }
+    // Skip lastSmartAlert replay when E2E is enabled (it's encrypted)
+    if (session.alertActive && session.lastSmartAlert && !session.macPublicKey) {
+      sendJson(client, session.lastSmartAlert);
+    }
+  }
+
+  console.log(`[relay] ${role} connected session=${sessionId}`);
+  logEvent("ws.connected", { role, sessionId });
+  broadcastStatus(session);
+
+  socket.on("data", (chunk) => parseFrames(client, chunk));
+  socket.on("close", () => {
+    if (role === "mac" && session.mac === client) session.mac = null;
+    if (role === "mobile") {
+      session.mobiles.delete(client);
+      if (client.deviceId) {
+        session.mobileSockets.delete(client.deviceId);
+      }
+    }
+    if (!session.mac && session.mobiles.size === 0) {
+      session.emptySince = Date.now();
+    }
+    console.log(`[relay] ${role} disconnected session=${sessionId}`);
+    logEvent("ws.disconnected", { role, sessionId, durationMs: Date.now() - client.connectedAt });
+    broadcastStatus(session);
+  });
+  socket.on("error", () => socket.destroy());
+}
+
+function upgradeToWebSocket(request, socket) {
+  const key = request.headers["sec-websocket-key"];
+  if (!key) {
+    socket.destroy();
+    return;
+  }
+
+  const accept = crypto
+    .createHash("sha1")
+    .update(`${key}258EAFA5-E914-47DA-95CA-C5AB0DC85B11`)
+    .digest("base64");
+
+  socket.write(
+    [
+      "HTTP/1.1 101 Switching Protocols",
+      "Upgrade: websocket",
+      "Connection: Upgrade",
+      `Sec-WebSocket-Accept: ${accept}`,
+      "",
+      "",
+    ].join("\r\n"),
+  );
+
+  registerClient(socket, request);
+}
+
+// --- HTTP API ---
+
+function readBody(request) {
+  return new Promise((resolve, reject) => {
+    const chunks = [];
+    let size = 0;
+    const MAX_BODY = 4096;
+
+    request.on("data", (chunk) => {
+      size += chunk.length;
+      if (size > MAX_BODY) {
+        request.destroy();
+        reject(new Error("Body too large"));
+        return;
+      }
+      chunks.push(chunk);
+    });
+    request.on("end", () => resolve(Buffer.concat(chunks).toString("utf8")));
+    request.on("error", reject);
+  });
+}
+
+function sendJsonResponse(response, status, body) {
+  const json = JSON.stringify(body);
+  response.writeHead(status, {
+    "content-type": "application/json",
+    "access-control-allow-origin": "*",
+    "access-control-allow-methods": "GET, POST, OPTIONS",
+    "access-control-allow-headers": "content-type",
+  });
+  response.end(json);
+}
+
+function getClientIp(request) {
+  // Check X-Forwarded-For first (for future reverse proxy use)
+  const forwarded = request.headers["x-forwarded-for"];
+  if (forwarded) return forwarded.split(",")[0].trim();
+  return request.socket.remoteAddress || "unknown";
+}
+
+async function handleApiSessions(request, response) {
+  if (request.method === "OPTIONS") {
+    sendJsonResponse(response, 204, {});
+    return;
+  }
+
+  if (request.method !== "POST") {
+    sendJsonResponse(response, 405, { error: "Method not allowed" });
+    return;
+  }
+
+  let body = {};
+  try {
+    const raw = await readBody(request);
+    if (raw) body = JSON.parse(raw);
+  } catch {
+    sendJsonResponse(response, 400, { error: "Invalid JSON" });
+    return;
+  }
+
+  const sessionId = generateSessionId();
+  const macToken = generateToken();
+  const session = getSession(sessionId);
+  session.macToken = macToken;
+  session.macPublicKey = body.macPublicKey || null;
+  session.command = body.command || null;
+  session.createdAt = Date.now();
+
+  // Generate a unique code
+  let code;
+  do {
+    code = generateCode();
+  } while (pendingCodes.has(code));
+
+  session.pendingCode = code;
+
+  pendingCodes.set(code, {
+    sessionId,
+    macToken,
+    createdAt: Date.now(),
+  });
+
+  console.log(`[relay] session created: ${sessionId} code: ${code}`);
+  logEvent("session.created", { sessionId, command: session.command });
+
+  sendJsonResponse(response, 201, {
+    sessionId,
+    code,
+    macToken,
+    pairUrl: `/pair?code=${code}`,
+  });
+}
+
+async function handleApiPair(request, response) {
+  if (request.method === "OPTIONS") {
+    sendJsonResponse(response, 204, {});
+    return;
+  }
+
+  if (request.method !== "POST") {
+    sendJsonResponse(response, 405, { error: "Method not allowed" });
+    return;
+  }
+
+  // Rate limiting
+  const ip = getClientIp(request);
+  const rateCheck = checkRateLimit(ip);
+  if (!rateCheck.allowed) {
+    response.writeHead(429, {
+      "content-type": "application/json",
+      "retry-after": String(rateCheck.retryAfter),
+      "access-control-allow-origin": "*",
+    });
+    response.end(JSON.stringify({
+      error: "Too many attempts. Please wait a moment.",
+      retryAfter: rateCheck.retryAfter,
+    }));
+    return;
+  }
+
+  let body;
+  try {
+    const raw = await readBody(request);
+    body = JSON.parse(raw);
+  } catch {
+    sendJsonResponse(response, 400, { error: "Invalid JSON" });
+    return;
+  }
+
+  const code = String(body.code || "").toUpperCase().trim();
+  if (!code) {
+    sendJsonResponse(response, 400, { error: "Code is required." });
+    return;
+  }
+
+  const pending = pendingCodes.get(code);
+  if (!pending) {
+    logEvent("pair.failed", { reason: "invalid" });
+    sendJsonResponse(response, 404, { error: "Invalid or expired code." });
+    return;
+  }
+
+  // Check expiration
+  if (Date.now() - pending.createdAt > CODE_EXPIRE_MS) {
+    pendingCodes.delete(code);
+    logEvent("pair.failed", { reason: "expired" });
+    sendJsonResponse(response, 410, { error: "Code expired. Please generate a new code on your Mac." });
+    return;
+  }
+
+  // Consume the code (one-time use)
+  pendingCodes.delete(code);
+
+  // Generate mobile token and attach to session
+  const mobileToken = generateToken();
+  const session = sessions.get(pending.sessionId);
+  if (!session) {
+    sendJsonResponse(response, 410, { error: "Session expired. Please re-pair." });
+    return;
+  }
+  session.mobileToken = mobileToken;
+  session.pendingCode = null;  // Mark pairing code as consumed
+
+  console.log(`[relay] paired: code=${code} session=${pending.sessionId}`);
+  logEvent("pair.completed", { sessionId: pending.sessionId });
+
+  sendJsonResponse(response, 200, {
+    sessionId: pending.sessionId,
+    mobileToken,
+    macPublicKey: session.macPublicKey,
+    command: session.command,
+  });
+}
+
+// --- Session list API ---
+
+function handleApiSessionsList(response) {
+  // No auth — returns non-sensitive metadata only.
+  // Tokens and keys are protected by their own auth mechanisms.
+  // ⚠️ Local network only. Sprint 9+ may add IP allowlist.
+  const list = [];
+  for (const [id, s] of sessions) {
+    list.push({
+      id,
+      command: s.command,
+      createdAt: s.createdAt,
+      pendingCode: s.pendingCode,
+      deviceCount: s.devices.size,
+      hasMac: !!s.mac,
+      hasMobiles: s.mobiles.size > 0,
+      hasE2E: !!s.macPublicKey,
+    });
+  }
+  sendJsonResponse(response, 200, { sessions: list });
+}
+
+// --- Device management API ---
+
+async function handleApiDevices(request, response, sessionId, deviceId, url) {
+  // Authenticate with macToken
+  const token = url.searchParams.get("token") || request.headers.authorization?.replace("Bearer ", "");
+  const session = sessions.get(sessionId);
+
+  if (!session || session.macToken !== token) {
+    sendJsonResponse(response, 401, { error: "Unauthorized" });
+    return;
+  }
+
+  // GET: list devices
+  if (request.method === "GET" && !deviceId) {
+    const devices = [];
+    for (const [id, info] of session.devices) {
+      devices.push({
+        deviceId: id,
+        lastSeen: info.lastSeen,
+        connected: session.mobileSockets.has(id),
+      });
+    }
+    sendJsonResponse(response, 200, { devices });
+    return;
+  }
+
+  // DELETE: revoke device
+  if (request.method === "DELETE" && deviceId) {
+    if (!session.devices.has(deviceId)) {
+      sendJsonResponse(response, 404, { error: "Device not found" });
+      return;
+    }
+
+    session.devices.delete(deviceId);
+
+    // Notify mac to drop key
+    if (session.mac) {
+      sendJson(session.mac, { type: "device_revoked", deviceId });
+    }
+
+    // Disconnect the device's WebSocket
+    const mobileClient = session.mobileSockets.get(deviceId);
+    if (mobileClient) {
+      mobileClient.socket.destroy();
+      session.mobileSockets.delete(deviceId);
+    }
+
+    console.log(`[relay] device revoked: session=${sessionId} device=${deviceId}`);
+    sendJsonResponse(response, 200, { ok: true });
+    return;
+  }
+
+  sendJsonResponse(response, 405, { error: "Method not allowed" });
+}
+
+// --- Waitlist API ---
+
+const WAITLIST_RATE_WINDOW_MS = 60 * 1000;
+const WAITLIST_RATE_MAX = 1;
+const waitlistRateLimits = new Map();
+
+async function handleApiWaitlist(request, response) {
+  if (request.method === "OPTIONS") {
+    sendJsonResponse(response, 204, {});
+    return;
+  }
+
+  if (request.method !== "POST") {
+    sendJsonResponse(response, 405, { error: "Method not allowed" });
+    return;
+  }
+
+  // Rate limit per IP
+  const ip = getClientIp(request);
+  const now = Date.now();
+  let rl = waitlistRateLimits.get(ip);
+  if (!rl || now >= rl.resetAt) {
+    rl = { count: 0, resetAt: now + WAITLIST_RATE_WINDOW_MS };
+    waitlistRateLimits.set(ip, rl);
+  }
+  rl.count++;
+  if (rl.count > WAITLIST_RATE_MAX) {
+    sendJsonResponse(response, 429, { error: "Too many submissions. Please wait." });
+    return;
+  }
+
+  let body;
+  try {
+    const raw = await readBody(request);
+    body = JSON.parse(raw);
+  } catch {
+    sendJsonResponse(response, 400, { error: "Invalid JSON" });
+    return;
+  }
+
+  const email = String(body.email || "").trim();
+  if (!email || !email.includes("@")) {
+    sendJsonResponse(response, 400, { error: "Valid email is required." });
+    return;
+  }
+
+  const pricing = String(body.pricing || "").trim();
+  const entry = {
+    email,
+    pricing: pricing || null,
+    ip,
+    t: new Date().toISOString(),
+  };
+
+  try {
+    fs.appendFileSync(WAITLIST_FILE, JSON.stringify(entry) + "\n");
+  } catch {
+    sendJsonResponse(response, 500, { error: "Failed to save" });
+    return;
+  }
+
+  logEvent("waitlist.signup", { pricing });
+  sendJsonResponse(response, 201, { ok: true });
+}
+
+// --- Stats API ---
+
+function handleApiStats(response) {
+  let events = [];
+  try {
+    const raw = fs.readFileSync(EVENTS_FILE, "utf8").trim();
+    if (raw) events = raw.split("\n").map(line => JSON.parse(line));
+  } catch {
+    // File doesn't exist yet
+  }
+
+  let waitlist = [];
+  try {
+    const raw = fs.readFileSync(WAITLIST_FILE, "utf8").trim();
+    if (raw) waitlist = raw.split("\n").map(line => JSON.parse(line));
+  } catch {
+    // File doesn't exist yet
+  }
+
+  const stats = {
+    period: {
+      from: events.length ? events[0].t : null,
+      to: events.length ? events[events.length - 1].t : null,
+      totalEvents: events.length,
+    },
+    sessions: {
+      created: events.filter(e => e.type === "session.created").length,
+      cleaned: events.filter(e => e.type === "session.cleaned"),
+      active: sessions.size,
+    },
+    pairs: {
+      completed: events.filter(e => e.type === "pair.completed").length,
+      failed: events.filter(e => e.type === "pair.failed").length,
+    },
+    alerts: {
+      total: events.filter(e => e.type === "alert.sent").length,
+      smart: events.filter(e => e.type === "alert.sent" && e.kind === "smart_alert").length,
+    },
+    connections: {
+      mac: events.filter(e => e.type === "ws.connected" && e.role === "mac").length,
+      mobile: events.filter(e => e.type === "ws.connected" && e.role === "mobile").length,
+    },
+    keyExchanges: events.filter(e => e.type === "key_exchange.completed").length,
+    waitlist: waitlist.length,
+  };
+
+  // Calculate average connection duration
+  const disconnections = events.filter(e => e.type === "ws.disconnected" && e.durationMs);
+  if (disconnections.length) {
+    const totalMs = disconnections.reduce((sum, e) => sum + e.durationMs, 0);
+    stats.connections.avgDurationMs = Math.round(totalMs / disconnections.length);
+    stats.connections.avgDurationMin = Math.round(totalMs / disconnections.length / 60000);
+  }
+
+  // Calculate average session lifetime
+  const cleaned = events.filter(e => e.type === "session.cleaned" && e.lifetimeMs);
+  if (cleaned.length) {
+    const totalMs = cleaned.reduce((sum, e) => sum + e.lifetimeMs, 0);
+    stats.sessions.avgLifetimeMs = Math.round(totalMs / cleaned.length);
+    stats.sessions.avgLifetimeMin = Math.round(totalMs / cleaned.length / 60000);
+  }
+
+  // Pricing distribution from waitlist
+  if (waitlist.length) {
+    const pricingDist = {};
+    for (const w of waitlist) {
+      const p = w.pricing || "unspecified";
+      pricingDist[p] = (pricingDist[p] || 0) + 1;
+    }
+    stats.waitlistPricing = pricingDist;
+  }
+
+  sendJsonResponse(response, 200, stats);
+}
+
+// --- HTTP server ---
+
+const server = http.createServer(async (request, response) => {
+  const url = new URL(request.url, `http://${request.headers.host}`);
+
+  // CORS preflight
+  if (request.method === "OPTIONS") {
+    sendJsonResponse(response, 204, {});
+    return;
+  }
+
+  if (url.pathname === "/health") {
+    sendJsonResponse(response, 200, { ok: true });
+    return;
+  }
+
+  // GET /api/sessions — list all active sessions (must come before POST /api/sessions)
+  if (url.pathname === "/api/sessions" && request.method === "GET") {
+    const ip = getClientIp(request);
+    if (!isPrivateIp(ip)) {
+      sendJsonResponse(response, 403, { error: "Forbidden" });
+      return;
+    }
+    handleApiSessionsList(response);
+    return;
+  }
+
+  // GET /api/stats — aggregated usage analytics (private IP only)
+  if (url.pathname === "/api/stats" && request.method === "GET") {
+    const ip = getClientIp(request);
+    if (!isPrivateIp(ip)) {
+      sendJsonResponse(response, 403, { error: "Forbidden" });
+      return;
+    }
+    handleApiStats(response);
+    return;
+  }
+
+  // POST /api/waitlist — email signup (public, rate-limited)
+  if (url.pathname === "/api/waitlist") {
+    await handleApiWaitlist(request, response);
+    return;
+  }
+
+  // / → landing page (public), /app → inbox (app entry)
+  if ((url.pathname === "/" || url.pathname === "")
+      && !url.searchParams.has("sessionId")
+      && request.method === "GET") {
+    response.writeHead(302, { Location: "/landing.html" });
+    response.end();
+    return;
+  }
+
+  if (url.pathname === "/app") {
+    response.writeHead(302, { Location: "/inbox.html" });
+    response.end();
+    return;
+  }
+
+  if (url.pathname === "/api/sessions") {
+    await handleApiSessions(request, response);
+    return;
+  }
+
+  if (url.pathname === "/api/pair") {
+    await handleApiPair(request, response);
+    return;
+  }
+
+  // Device management: GET /api/sessions/:id/devices, DELETE /api/sessions/:id/devices/:deviceId
+  const devicesMatch = url.pathname.match(/^\/api\/sessions\/([^/]+)\/devices(?:\/([^/]+))?$/);
+  if (devicesMatch) {
+    await handleApiDevices(request, response, devicesMatch[1], devicesMatch[2], url);
+    return;
+  }
+
+  // Static files (mobile-web)
+  const staticMap = {
+    "/": "index.html",
+    "/pair": "pair.html",
+  };
+  const fileName = staticMap[url.pathname] || url.pathname;
+  const filePath = path.join(__dirname, "../mobile-web", fileName);
+
+  fs.readFile(filePath, (error, content) => {
+    if (error) {
+      response.writeHead(404, { "content-type": "text/plain" });
+      response.end("Not found");
+      return;
+    }
+
+    const ext = path.extname(filePath);
+    const contentTypes = {
+      ".html": "text/html",
+      ".css": "text/css",
+      ".js": "application/javascript",
+      ".json": "application/json",
+      ".png": "image/png",
+      ".svg": "image/svg+xml",
+    };
+    response.writeHead(200, {
+      "content-type": contentTypes[ext] || "text/plain",
+    });
+    response.end(content);
+  });
+});
+
+server.on("upgrade", (request, socket) => {
+  if (!request.url.startsWith("/ws")) {
+    socket.destroy();
+    return;
+  }
+  upgradeToWebSocket(request, socket);
+});
+
+// --- Cleanup timer ---
+
+setInterval(cleanup, CLEANUP_INTERVAL_MS);
+
+// --- Start ---
+
+server.listen(PORT, HOST, () => {
+  console.log(`[relay] listening on http://${HOST}:${PORT}`);
+  if (HOST === "0.0.0.0") {
+    console.log(`\x1b[33m⚠  Listening on 0.0.0.0 — accessible on LAN. Use HOST=127.0.0.1 for local only.\x1b[0m`);
+  }
+});