feat(cloud): Add managed relay tunnels and APN service

[juliusmarminge]

Stack

• Extract collection performance refactors from mobile stack #2854 codex/collection-performance-refactors -> main (merged)
• T3 Code Mobile [WIP] #2013 t3code/mobile-remote-connect -> main
• This PR codex/relay-managed-tunnels-auth-infra -> t3code/mobile-remote-connect

Summary

This stacked draft PR adds the relay-managed tunnel and cloud authentication work on top of the mobile remote-runtime PR. General collection/performance rewrites from #2854 and the TypeScript/Effect tooling base are now on main.

• add the relay worker/infrastructure package, persistence, APNs delivery, managed endpoint provisioning, observability, migrations, and tests
• add standards-oriented relay authentication: DPoP proof handling, JWT/JWS signing and verification, OAuth-style token exchange/scopes, replay protections, and environment proof flows
• add shared client-runtime/contracts/shared modules for managed relay operation across web and Expo mobile clients
• add web, desktop, and mobile cloud linking and managed-environment flows, including mobile agent-awareness/live-activity registration
• route relay-specific hashing and randomness through effect/Crypto while retaining Expo-compatible implementations

Validation

• bun fmt
• bun lint (passes with 8 existing web warnings)
• bun lint:mobile
• bun typecheck
• cd infra/relay && bun run test (103 passed, 5 skipped)
• cd apps/mobile && bun run test (135 passed)
• cd apps/web && bun run test (1005 passed)
• cd apps/server && bun run test (1075 passed, 4 skipped)

Rebase Note

General collection/performance rewrites from #2854 are now merged into main; mobile command metadata, pairing-URL redaction, and shared-runtime Crypto cleanup remain in #2013. This PR retains the managed-relay changes to the mobile connection contract and runtime above those inherited lower-layer changes.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 4e659b36-5b70-44b0-9c1e-72381b45c0d1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch codex/relay-managed-tunnels-auth-infra

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[macroscopeapp]

🟡 Medium

t3code/apps/desktop/scripts/electron-launcher.mjs

Line 277 in d52d11e

const expectedMetadata = {

The cache invalidation logic at line 290 only checks expectedMetadata, which omits the environment variables embedded by writeDevelopmentLauncherScript. When the metadata matches, the function returns early at line 293 without regenerating the launcher script, even if VITE_DEV_SERVER_URL or T3CODE_PORT has changed. This causes the app to use stale environment variables from a previous run — for example, attempting to connect to a Vite dev server port that is no longer running.

🚀 Reply "fix it for me" or copy this AI Prompt for your agent:

In file apps/desktop/scripts/electron-launcher.mjs around line 277:

The cache invalidation logic at line 290 only checks `expectedMetadata`, which omits the environment variables embedded by `writeDevelopmentLauncherScript`. When the metadata matches, the function returns early at line 293 without regenerating the launcher script, even if `VITE_DEV_SERVER_URL` or `T3CODE_PORT` has changed. This causes the app to use stale environment variables from a previous run — for example, attempting to connect to a Vite dev server port that is no longer running.

Evidence trail:
apps/desktop/scripts/electron-launcher.mjs lines 277-294 (expectedMetadata definition and early return), lines 97-130 (writeDevelopmentLauncherScript embedding env vars into the launcher script), lines 300-302 (writeDevelopmentLauncherScript only called when cache is invalidated)

[macroscopeapp]

🟠 High environments/ManagedEndpointProvider.ts:254

The URL at line 255 uses double quotes with ${cf.zoneId}, so the literal string /zones/${cf.zoneId}/dns_records is sent to the API instead of the actual zone ID. Line 269-270 correctly use backticks for template literals. Consider changing to backticks to interpolate the zone ID.

-      const existingDnsRecordId = yield* HttpClientRequest.make("GET")(
-        "/zones/${cf.zoneId}/dns_records",
+      const existingDnsRecordId = yield* HttpClientRequest.make("GET")(
+        `/zones/${cf.zoneId}/dns_records`,

🚀 Reply "fix it for me" or copy this AI Prompt for your agent:

In file infra/relay/src/environments/ManagedEndpointProvider.ts around lines 254-256:

The URL at line 255 uses double quotes with `${cf.zoneId}`, so the literal string `/zones/${cf.zoneId}/dns_records` is sent to the API instead of the actual zone ID. Line 269-270 correctly use backticks for template literals. Consider changing to backticks to interpolate the zone ID.

Evidence trail:
infra/relay/src/environments/ManagedEndpointProvider.ts lines 254-270 at REVIEWED_COMMIT: line 255 uses double quotes ("/zones/${cf.zoneId}/dns_records") while lines 269-270 use backticks (`/zones/${cf.zoneId}/dns_records/${id}` and `/zones/${cf.zoneId}/dns_records`).

[macroscopeapp]

🟡 Medium src/worker.ts:249

The queue message handler and cron handler create spans using Stream.withSpan and Effect.withSpan, but they only provide runtimeLayer which does not include the tracer. This means spans from background jobs are silently dropped instead of being exported to Axiom, despite the explicit instrumentation. Consider providing relayTraceLayer to these handlers, similar to the HTTP fetch handler at line 270.

        Effect.provide(runtimeLayer),
+        Effect.provide(relayTraceLayer),

🚀 Reply "fix it for me" or copy this AI Prompt for your agent:

In file infra/relay/src/worker.ts around lines 249-250:

The queue message handler and cron handler create spans using `Stream.withSpan` and `Effect.withSpan`, but they only provide `runtimeLayer` which does not include the tracer. This means spans from background jobs are silently dropped instead of being exported to Axiom, despite the explicit instrumentation. Consider providing `relayTraceLayer` to these handlers, similar to the HTTP fetch handler at line 270.

Evidence trail:
infra/relay/src/worker.ts lines 170-176 (relayTraceLayer definition with OtlpTracer), lines 178-213 (runtimeLayer definition without tracer), line 242 (Stream.withSpan in queue handler), line 246 (Effect.withSpan in queue handler), line 249 (Effect.provide(runtimeLayer) - no tracer), line 256 (Effect.withSpan in cron handler), line 257 (Effect.provide(runtimeLayer) - no tracer), line 270 (HTTP handler uses relayTraceLayer). infra/relay/src/observability.ts lines 53-72 (makeRelayTraceLayer creates OtlpTracer.layer for Axiom export).

[macroscopeapp]

🟠 High src/worker.ts:162

Both managedEndpointBaseDomain and cloudflareZoneId are set to managedEndpointZoneId (the zone ID), but managedEndpointBaseDomain semantically requires the domain name (e.g., "ineededadomain.com"). The ManagedEndpointZone provides zoneName which contains the correct value, but it is never extracted or used. This will cause managed endpoint domain construction to use an invalid zone ID string instead of the actual domain name.

-        managedEndpointBaseDomain: yield* managedEndpointZoneId,
+        managedEndpointBaseDomain: yield* managedEndpointZone.zoneName,

🚀 Reply "fix it for me" or copy this AI Prompt for your agent:

In file infra/relay/src/worker.ts around lines 162-163:

Both `managedEndpointBaseDomain` and `cloudflareZoneId` are set to `managedEndpointZoneId` (the zone ID), but `managedEndpointBaseDomain` semantically requires the domain name (e.g., "ineededadomain.com"). The `ManagedEndpointZone` provides `zoneName` which contains the correct value, but it is never extracted or used. This will cause managed endpoint domain construction to use an invalid zone ID string instead of the actual domain name.

Evidence trail:
infra/relay/src/managedEndpointStack.ts:9-29 (ManagedEndpointZone returns zoneId, zoneName, dnsToken; zoneName = zone.name = 'ineededadomain.com')
infra/relay/src/worker.ts:140 (only zoneId extracted, zoneName ignored)
infra/relay/src/worker.ts:162-163 (both managedEndpointBaseDomain and cloudflareZoneId assigned from managedEndpointZoneId)
infra/relay/src/environments/ManagedEndpointProvider.ts:131 (baseDomain: settings.managedEndpointBaseDomain)
infra/relay/src/environments/ManagedEndpointProvider.ts:149 (baseDomain used in hostname construction: `...${baseDomain}`)