feat: WebSocket transport for VPN-free remote daemon access

[hard2forgetme]

Summary

Adds WebSocket as an alternative transport alongside TCP for the remote daemon protocol. The daemon auto-detects WebSocket (HTTP Upgrade) vs raw TCP on the same listen port by peeking at the first bytes of each connection — no config changes, no extra ports.

This unlocks remote access through any HTTP reverse proxy (Cloudflare Tunnel, nginx, Caddy, etc.), removing the need for Tailscale/VPN for cross-network iOS connectivity.

What changed

Daemon (server-side):

• New ws_transport.rs — handles WebSocket connections using tokio-tungstenite (already a dependency)
• Accept loop peeks first 3 bytes: GET → WebSocket upgrade, otherwise → raw TCP
• Same auth, same RPC dispatch, same event forwarding — just different framing

Client (app-side):

• New ws_transport.rs implementing RemoteTransport trait
• resolve_transport_config auto-detects ws:///wss:// URLs
• Added WebSocket variant to RemoteBackendProvider and RemoteTransportConfig

Settings UI:

• New "Cloudflare Tunnel" helper section alongside the existing Tailscale helper
• Shows the cloudflared tunnel command and wss:// usage instructions

Scripts:

• scripts/codexmonitor-tunnel.sh — manages daemon lifecycle + Cloudflare Quick Tunnel with auto-generated auth tokens

How it works

The JSON-RPC protocol is completely unchanged — each WebSocket text message = one JSON-RPC line. Auth works identically. The only difference is framing: WebSocket messages instead of newline-delimited TCP.

iPhone → wss://abc.trycloudflare.com → Cloudflare Edge → localhost:4732 → daemon (auto-detects WS)

No new dependencies

tokio-tungstenite and futures-util were already in Cargo.toml. Zero new crates.

Test plan

• cargo check passes (verified)
• tsc --noEmit passes (verified)
• Daemon starts and accepts TCP connections (backward compat)
• Daemon accepts WebSocket connections on same port
• cloudflared tunnel --url http://127.0.0.1:4732 proxies WebSocket correctly
• iOS app connects via wss:// URL through Cloudflare Tunnel
• Settings UI shows Cloudflare Tunnel helper section on desktop
• Auth token validation works over WebSocket
• Events (app-server-event, terminal-output) stream correctly over WebSocket

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b0b502ad11

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Accept WebSocket URLs before prepending wss:// here

This button turns a Cloudflare hostname into wss://…, but validateRemoteHost() in src/features/settings/hooks/useSettingsServerSection.ts:118-126 still only accepts bare host:port values. As soon as the field blurs, onCommitRemoteHost() rejects the new value, so the Settings UI cannot actually save the WebSocket endpoint that this feature needs (desktop remote mode and the mobile connect test are both blocked unless the user edits settings outside the UI).

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Print the tunnel host as a WebSocket URL, not raw host:443

When a tunnel is active, these instructions tell users to enter <trycloudflare-host>:443. In src-tauri/src/remote_backend/mod.rs:243-266, that value is still resolved as the TCP transport because only ws:///wss:// hosts (or the explicit provider) select WebSocket mode. Since this script created the tunnel with cloudflared tunnel --url http://127.0.0.1:4732, following the printed steps will try raw TCP against an HTTP/WebSocket endpoint and fail to connect.

Useful? React with 👍 / 👎.