refactor: use phpdotenv for wechat config

@@ -28,3 +28,7 @@ REDIS_PREFIX=ai_
 # 心跳配置
 # HEARTBEAT_INTERVAL=30
 # HEARTBEAT_CHECK_INTERVAL=10
+
+# 微信小程序配置
+WECHAT_APP_ID=wx6daaa8a7e2889a50
+WECHAT_APP_SECRET=d394d5f0f82b328a2754d53027370282

@@ -7,8 +7,8 @@
 return [
     // 微信小程序配置
     'wechat' => [
-        'app_id' => getenv('WECHAT_APP_ID') ?: 'wx6daaa8a7e2889a50',
-        'app_secret' => getenv('WECHAT_APP_SECRET') ?: 'd394d5f0f82b328a2754d53027370282',
+        'app_id' => getenv('WECHAT_APP_ID') ?: '',
+        'app_secret' => getenv('WECHAT_APP_SECRET') ?: '',
     ],
 
     // Session 配置

-<?php
-use Workerman\Worker;
-use Workerman\Timer;
-use Tos\TosClient;
-use Tos\Exception\TosClientException;
-use Tos\Exception\TosServerException;
-use Tos\Model\PutObjectInput;
-
-require_once __DIR__ . '/vendor/autoload.php';
-require_once __DIR__ . '/auth.php';
-require_once __DIR__ . '/device.php';
-
-// 加载配置文件
-$config = require __DIR__ . '/config.php';
-
-// Define Heartbeat Interval
-define('HEARTBEAT_TIME', $config['heartbeat']['interval']);
-
-// Database Connection
-$pdo = null;
-try {
-    $db_config = $config['database'];
-    $dsn = "mysql:host={$db_config['host']};port={$db_config['port']};dbname={$db_config['database']};charset=utf8mb4";
-    $pdo = new PDO($dsn, $db_config['username'], $db_config['password'], [
-        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
-        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
-    ]);
-    echo "✅ Connected to MySQL at {$db_config['host']}:{$db_config['port']}\n";
-} catch (Exception $e) {
-    echo "⚠️ MySQL Connection Failed: " . $e->getMessage() . "\n";
-}
-
-// Redis Connection
-$redis = null;
-try {
-    $redis_config = $config['redis'];
-
-    $params = [
-        'scheme' => 'tcp',
-        'host' => $redis_config['host'],
-        'port' => $redis_config['port'],
-    ];
-
-    if (!empty($redis_config['password'])) {
-        $params['password'] = $redis_config['password'];
-    }
-
-    // Predis Client
-    $redis = new Predis\Client($params, ['prefix' => $redis_config['prefix']]);
-    $redis->connect();
-    echo "✅ Connected to Redis at {$redis_config['host']}:{$redis_config['port']} ({$redis_config['prefix']})\n";
-} catch (Exception $e) {
-    echo "⚠️ Redis Connection Failed: " . $e->getMessage() . "\n";
-}
-
-// Initialize Services
-$authService = $pdo ? new AuthService($pdo, $config, $redis) : null;
-$deviceService = $pdo ? new DeviceService($pdo, $config) : null;
-
-// Create a WebSocket worker
-$ws_host = $config['server']['websocket_host'];
-$ws_port = $config['server']['websocket_port'];
-$ws_worker = new Worker("websocket://{$ws_host}:{$ws_port}");
-
-// Store connections (Memory for now, can move to Redis later)
-$clients = []; // ClientID -> Connection
-$devices = []; // DeviceID -> Connection
-
-$ws_worker->onWorkerStart = function ($worker) use ($config) {
-    $ws_host = $config['server']['websocket_host'];
-    $ws_port = $config['server']['websocket_port'];
-    echo "Relay Server Started on {$ws_host}:{$ws_port}\n";
-
-    // Heartbeat check
-    $check_interval = $config['heartbeat']['check_interval'];
-    Timer::add($check_interval, function () use ($worker) {
-        $time_now = time();
-        foreach ($worker->connections as $connection) {
-            // Check if connection is alive possibly? 
-            // Workerman handles basic disconnects, but we can enforce ping logic here if needed
-        }
-    });
-};
-
-$ws_worker->onConnect = function ($connection) {
-    echo "New connection: " . $connection->id . "\n";
-    $connection->authVerified = false;
-};
-
-$ws_worker->onMessage = function ($connection, $data) use (&$clients, &$devices, $authService, $deviceService) {
-    $msg = json_decode($data, true);
-    if (!$msg || !isset($msg['type'])) {
-        return;
-    }
-
-    // 1. Authenticate / Register
-    if ($msg['type'] === 'register') {
-        if ($msg['role'] === 'device') {
-            // Device 注册 - 验证密钥
-            $deviceId = $msg['id'] ?? null;
-            $secret = $msg['secret'] ?? null;
-
-            if (!$deviceId) {
-                $connection->send(json_encode(['type' => 'error', 'msg' => 'Device ID required']));
-                return;
-            }
-
-            // 验证设备（如果有 deviceService）
-            if ($deviceService && $secret) {
-                if (!$deviceService->verifyDevice($deviceId, $secret)) {
-                    $connection->send(json_encode(['type' => 'error', 'msg' => 'Invalid device credentials']));
-                    $connection->close();
-                    return;
-                }
-                // 更新设备状态为在线
-                $deviceService->updateDeviceStatus($deviceId, 'online');
-            }
-
-            $devices[$deviceId] = $connection;
-            $connection->deviceId = $deviceId;
-            $connection->role = 'device';
-            $connection->authVerified = true;
-            $connection->send(json_encode(['type' => 'ack', 'status' => 'registered']));
-            echo "Device Registered: $deviceId\n";
-
-        } elseif ($msg['role'] === 'client') {
-            // Mini Program 注册 - 验证 Token
-            $clientId = $msg['id'] ?? null;
-            $token = $msg['token'] ?? null;
-
-            if (!$clientId) {
-                $connection->send(json_encode(['type' => 'error', 'msg' => 'Client ID required']));
-                return;
-            }
-
-            // 验证 Token（如果有 authService 和 token）
-            $user = null;
-            if ($authService && $token) {
-                $user = $authService->verifyToken($token);
-                if (!$user) {
-                    $connection->send(json_encode(['type' => 'error', 'msg' => 'Invalid or expired token']));
-                    $connection->close();
-                    return;
-                }
-                $connection->userId = $user['id'];
-                $connection->userPhone = $user['phone'];
-            }
-
-            $clients[$clientId] = $connection;
-            $connection->clientId = $clientId;
-            $connection->role = 'client';
-            $connection->authVerified = true;
-            $connection->send(json_encode([
-                'type' => 'ack',
-                'status' => 'connected',
-                'user' => $user
-            ]));
-            echo "Client Connected: $clientId" . ($user ? " (User: {$user['phone']})" : "") . "\n";
-        }
-        return;
-    }
-
-    if (!$connection->authVerified) {
-        $connection->close();
-        return;
-    }
-
-    // 2. Proxy Logic
-
-    // Client -> Device
-    if ($msg['type'] === 'proxy' && $connection->role === 'client') {
-        $targetDeviceId = $msg['targetDeviceId'] ?? null;
-
-        // 验证用户是否有权限访问该设备
-        if ($deviceService && isset($connection->userId)) {
-            if (!$deviceService->canAccessDevice($connection->userId, $targetDeviceId)) {
-                $connection->send(json_encode(['type' => 'error', 'msg' => 'No permission to access this device']));
-                return;
-            }
-        }
-
-        if ($targetDeviceId && isset($devices[$targetDeviceId])) {
-            $payload = $msg['payload'];
-            // Wrap it so device knows who sent it
-            $forwardMsg = [
-                'type' => 'cmd:execute',
-                'fromClientId' => $connection->clientId,
-                'fromUserId' => $connection->userId ?? null,
-                'payload' => $payload
-            ];
-            $devices[$targetDeviceId]->send(json_encode($forwardMsg));
-            echo "Forwarded msg from Client {$connection->clientId} to Device {$targetDeviceId}\n";
-        } else {
-            $connection->send(json_encode(['type' => 'error', 'msg' => 'Device offline or not found']));
-        }
-    }
-
-    // Device -> Client
-    if ($msg['type'] === 'proxy_response' && $connection->role === 'device') {
-        $targetClientId = $msg['targetClientId'] ?? null;
-        if ($targetClientId && isset($clients[$targetClientId])) {
-            $payload = $msg['payload'];
-            $forwardMsg = [
-                'type' => 'response',
-                'fromDeviceId' => $connection->deviceId,
-                'payload' => $payload
-            ];
-            $clients[$targetClientId]->send(json_encode($forwardMsg));
-            echo "Forwarded response from Device {$connection->deviceId} to Client {$targetClientId}\n";
-        }
-    }
-};
-
-$ws_worker->onClose = function ($connection) use (&$clients, &$devices, $deviceService) {
-    if (isset($connection->role)) {
-        if ($connection->role === 'device' && isset($connection->deviceId)) {
-            unset($devices[$connection->deviceId]);
-            // 更新设备状态为离线
-            if ($deviceService) {
-                $deviceService->updateDeviceStatus($connection->deviceId, 'offline');
-            }
-            echo "Device disconnected: {$connection->deviceId}\n";
-        } elseif ($connection->role === 'client' && isset($connection->clientId)) {
-            unset($clients[$connection->clientId]);
-            echo "Client disconnected: {$connection->clientId}\n";
-        }
-    }
-};
-
-// ---------------------------------------------------------
-// [New] HTTP Server for file uploads and static serving
-// ---------------------------------------------------------
-$http_host = $config['server']['http_host'];
-$http_port = $config['server']['http_port'];
-$http_worker = new Worker("http://{$http_host}:{$http_port}");
-$http_worker->count = $config['server']['worker_count'];
-$http_worker->onMessage = function ($connection, $request) use ($config, $authService, $deviceService) {
-    $path = $request->path();
-    $method = $request->method();
-
-    // Helper: JSON Response
-    $jsonResponse = function ($data, $status = 200) use ($connection) {
-        $connection->send(new \Workerman\Protocols\Http\Response(
-            $status,
-            ['Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*'],
-            json_encode($data)
-        ));
-    };
-
-    // CORS Preflight
-    if ($method === 'OPTIONS') {
-        $connection->send(new \Workerman\Protocols\Http\Response(200, [
-            'Access-Control-Allow-Origin' => '*',
-            'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS',
-            'Access-Control-Allow-Headers' => 'Content-Type, Authorization',
-        ], ''));
-        return;
-    }
-
-    // ==================== Auth API ====================
-
-    // POST /api/auth/login - 微信登录
-    if ($path === '/api/auth/login' && $method === 'POST') {
-        if (!$authService) {
-            $jsonResponse(['ok' => false, 'error' => 'Auth service unavailable'], 500);
-            return;
-        }
-
-        $body = json_decode($request->rawBody(), true) ?: [];
-        $code = $body['code'] ?? null;
-        $phone = $body['phone'] ?? null;
-        $phoneCode = $body['phoneCode'] ?? null;
-
-        if (!$code) {
-            $jsonResponse(['ok' => false, 'error' => 'code is required'], 400);
-            return;
-        }
-
-        $result = $authService->wechatLogin($code, $phone, $phoneCode);
-        $jsonResponse($result, $result['ok'] ? 200 : 400);
-        return;
-    }
-
-    // POST /api/auth/verify - 验证 Token
-    if ($path === '/api/auth/verify' && $method === 'POST') {
-        if (!$authService) {
-            $jsonResponse(['ok' => false, 'error' => 'Auth service unavailable'], 500);
-            return;
-        }
-
-        $body = json_decode($request->rawBody(), true) ?: [];
-        $token = $body['token'] ?? null;
-
-        if (!$token) {
-            $jsonResponse(['ok' => false, 'error' => 'token is required'], 400);
-            return;
-        }
-
-        $user = $authService->verifyToken($token);
-        if ($user) {
-            $jsonResponse(['ok' => true, 'user' => $user]);
-        } else {
-            $jsonResponse(['ok' => false, 'error' => 'Invalid or expired token'], 401);
-        }
-        return;
-    }
-
-    // POST /api/auth/logout - 注销
-    if ($path === '/api/auth/logout' && $method === 'POST') {
-        if (!$authService) {
-            $jsonResponse(['ok' => false, 'error' => 'Auth service unavailable'], 500);
-            return;
-        }
-
-        $body = json_decode($request->rawBody(), true) ?: [];
-        $token = $body['token'] ?? null;
-
-        if ($token) {
-            $authService->logout($token);
-        }
-        $jsonResponse(['ok' => true]);
-        return;
-    }
-
-    // ==================== Device API ====================
-
-    // Helper: Get user from token
-    $getUser = function () use ($request, $authService) {
-        $authHeader = $request->header('Authorization');
-        if (!$authHeader || !str_starts_with($authHeader, 'Bearer ')) {
-            return null;
-        }
-        $token = substr($authHeader, 7);
-        return $authService ? $authService->verifyToken($token) : null;
-    };
-
-    // POST /api/device/bind - 绑定设备
-    if ($path === '/api/device/bind' && $method === 'POST') {
-        if (!$deviceService) {
-            $jsonResponse(['ok' => false, 'error' => 'Device service unavailable'], 500);
-            return;
-        }
-
-        $user = $getUser();
-        if (!$user) {
-            $jsonResponse(['ok' => false, 'error' => 'Unauthorized'], 401);
-            return;
-        }
-
-        $body = json_decode($request->rawBody(), true) ?: [];
-        $deviceId = $body['deviceId'] ?? null;
-        $deviceSecret = $body['deviceSecret'] ?? null;
-
-        if (!$deviceId) {
-            $jsonResponse(['ok' => false, 'error' => 'deviceId is required'], 400);
-            return;
-        }
-
-        $result = $deviceService->bindDevice($user['id'], $deviceId, $deviceSecret);
-        $jsonResponse($result, $result['ok'] ? 200 : 400);
-        return;
-    }
-
-    // POST /api/device/unbind - 解绑设备
-    if ($path === '/api/device/unbind' && $method === 'POST') {
-        if (!$deviceService) {
-            $jsonResponse(['ok' => false, 'error' => 'Device service unavailable'], 500);
-            return;
-        }
-
-        $user = $getUser();
-        if (!$user) {
-            $jsonResponse(['ok' => false, 'error' => 'Unauthorized'], 401);
-            return;
-        }
-
-        $body = json_decode($request->rawBody(), true) ?: [];
-        $deviceId = $body['deviceId'] ?? null;
-
-        if (!$deviceId) {
-            $jsonResponse(['ok' => false, 'error' => 'deviceId is required'], 400);
-            return;
-        }
-
-        $result = $deviceService->unbindDevice($user['id'], $deviceId);
-        $jsonResponse($result, $result['ok'] ? 200 : 400);
-        return;
-    }
-
-    // GET /api/device/list - 获取绑定的设备列表
-    if ($path === '/api/device/list' && $method === 'GET') {
-        if (!$deviceService) {
-            $jsonResponse(['ok' => false, 'error' => 'Device service unavailable'], 500);
-            return;
-        }
-
-        $user = $getUser();
-        if (!$user) {
-            $jsonResponse(['ok' => false, 'error' => 'Unauthorized'], 401);
-            return;
-        }
-
-        $devices = $deviceService->getUserDevices($user['id']);
-        $jsonResponse(['ok' => true, 'devices' => $devices]);
-        return;
-    }
-
-    // POST /api/device/primary - 设置主设备
-    if ($path === '/api/device/primary' && $method === 'POST') {
-        if (!$deviceService) {
-            $jsonResponse(['ok' => false, 'error' => 'Device service unavailable'], 500);
-            return;
-        }
-
-        $user = $getUser();
-        if (!$user) {
-            $jsonResponse(['ok' => false, 'error' => 'Unauthorized'], 401);
-            return;
-        }
-
-        $body = json_decode($request->rawBody(), true) ?: [];
-        $deviceId = $body['deviceId'] ?? null;
-
-        if (!$deviceId) {
-            $jsonResponse(['ok' => false, 'error' => 'deviceId is required'], 400);
-            return;
-        }
-
-        $result = $deviceService->setPrimaryDevice($user['id'], $deviceId);
-        $jsonResponse($result, $result['ok'] ? 200 : 400);
-        return;
-    }
-
-    // ==================== File API ====================
-
-    // 1. Static File Serving (Simple implementation)
-    if (strpos($path, '/uploads/') === 0) {
-        $file = __DIR__ . $path;
-        if (is_file($file)) {
-            $connection->send(new \Workerman\Protocols\Http\Response(
-                200,
-                ['Content-Type' => mime_content_type($file)],
-                file_get_contents($file)
-            ));
-            return;
-        }
-    }
-
-    // 2. Upload Handler
-    if ($path === '/upload') {
-        $files = $request->file();
-
-        if (empty($files['file'])) {
-            $connection->send(new \Workerman\Protocols\Http\Response(400, [], json_encode(['ok' => false, 'error' => 'No file'])));
-            return;
-        }
-
-        $file = $files['file'];
-
-        // Validate Size
-        $max_size = $config['upload']['max_size'];
-        if ($file['size'] > $max_size) {
-            $max_mb = round($max_size / 1024 / 1024);
-            $connection->send(new \Workerman\Protocols\Http\Response(400, [], json_encode(['ok' => false, 'error' => "File too large (Max {$max_mb}MB)"])));
-            return;
-        }
-
-        // Validate Extension
-        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
-        $allowed = $config['upload']['allowed_extensions'];
-        if (!in_array($ext, $allowed)) {
-            $connection->send(new \Workerman\Protocols\Http\Response(400, [], json_encode(['ok' => false, 'error' => 'File type not allowed'])));
-            return;
-        }
-
-        // TOS Configuration
-        $tos_config = $config['tos'];
-
-        try {
-            $client = new TosClient([
-                'region' => $tos_config['region'],
-                'endpoint' => $tos_config['endpoint'],
-                'ak' => $tos_config['ak'],
-                'sk' => $tos_config['sk'],
-            ]);
-
-            // Generate Key
-            $uuid = bin2hex(random_bytes(8));
-            $userPhone = $config['upload']['default_user'];
-            $objectKey = "clawdbot/{$userPhone}/{$uuid}.{$ext}";
-            $bucket = $tos_config['bucket'];
-
-            // Read file content
-            $contentFn = fopen($file['tmp_name'], 'r');
-
-            // Upload using Object Input
-            $input = new PutObjectInput($bucket, $objectKey, $contentFn);
-            $input->setACL('public-read');
-
-            $client->putObject($input);
-
-            if (is_resource($contentFn)) {
-                fclose($contentFn);
-            }
-
-            // Generate URL
-            $url = "https://{$bucket}.{$tos_config['endpoint']}/{$objectKey}";
-
-            $connection->send(json_encode([
-                'ok' => true,
-                'url' => $url
-            ]));
-
-        } catch (Exception $e) {
-            $connection->send(new \Workerman\Protocols\Http\Response(500, [], json_encode(['ok' => false, 'error' => 'Upload failed: ' . $e->getMessage()])));
-        }
-        return;
-    }
-
-    // 3. Generate Pre-Signed URL for Direct Upload
-    if (strpos($path, '/tos/sign') === 0) {
-        $query = $request->get();
-        $filename = $query['filename'] ?? 'file_' . time();
-        $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
-
-        // Validation
-        $allowed = $config['upload']['allowed_extensions'];
-        if (!in_array($ext, $allowed) && $ext !== '') {
-            // If no extension providing, we might just allow it or fail. 
-            // Ideally client should provide full filename with extension.
-        }
-
-        // TOS Configuration
-        $tos_config = $config['tos'];
-
-        try {
-            $client = new TosClient([
-                'region' => $tos_config['region'],
-                'endpoint' => $tos_config['endpoint'],
-                'ak' => $tos_config['ak'],
-                'sk' => $tos_config['sk'],
-            ]);
-
-            $uuid = bin2hex(random_bytes(8));
-            $userPhone = $config['upload']['default_user'];
-            // Ensure filename is safe
-            $safeName = preg_replace('/[^a-zA-Z0-9._-]/', '', $filename);
-            if (!$safeName)
-                $safeName = 'unnamed';
-
-            $objectKey = "clawdbot/{$userPhone}/direct_{$uuid}_{$safeName}";
-            $bucket = $tos_config['bucket'];
-
-            // Generate Pre-Signed PUT URL (Valid for 15 mins)
-            // Note: The SDK method name might vary slightly based on version, 
-            // but `preSignedURL` is standard for TOS PHP SDK v2.
-            $input = new \Tos\Model\PreSignedURLInput(
-                'PUT',
-                $tos_config['bucket'],
-                $objectKey,
-                300 // 5 minutes validity
-            );
-
-            // Add content-type if known? client will send it. 
-            // For simple PUT, we just sign the method and resource.
-
-            $output = $client->preSignedURL($input);
-            $signedUrl = $output->getSignedUrl();
-
-            // Public Access URL (Assuming bucket is public-read or we use signed Get URL)
-            // For this project, we used public-read ACL in previous code, so we assume public access.
-            $publicUrl = "https://{$tos_config['bucket']}.{$tos_config['endpoint']}/{$objectKey}";
-
-            $connection->send(json_encode([
-                'ok' => true,
-                'uploadUrl' => $signedUrl,
-                'publicUrl' => $publicUrl,
-                'key' => $objectKey
-            ]));
-
-        } catch (Exception $e) {
-            $connection->send(new \Workerman\Protocols\Http\Response(500, [], json_encode(['ok' => false, 'error' => $e->getMessage()])));
-        }
-        return;
-    }
-
-    $connection->send("Moltbot Relay HTTP Server");
-};
-
-Worker::runAll();
+<?php
+use Workerman\Worker;
+use Workerman\Timer;
+use Tos\TosClient;
+use Tos\Exception\TosClientException;
+use Tos\Exception\TosServerException;
+use Tos\Model\PutObjectInput;
+
+require_once __DIR__ . '/vendor/autoload.php';
+require_once __DIR__ . '/auth.php';
+require_once __DIR__ . '/device.php';
+
+// Load .env
+if (class_exists('Dotenv\Dotenv') && file_exists(__DIR__ . '/.env')) {
+    $dotenv = Dotenv\Dotenv::createImmutable(__DIR__);
+    $dotenv->load();
+}
+
+// 加载配置文件
+$config = require __DIR__ . '/config.php';
+
+// Define Heartbeat Interval
+define('HEARTBEAT_TIME', $config['heartbeat']['interval']);
+
+// Database Connection
+$pdo = null;
+try {
+    $db_config = $config['database'];
+    $dsn = "mysql:host={$db_config['host']};port={$db_config['port']};dbname={$db_config['database']};charset=utf8mb4";
+    $pdo = new PDO($dsn, $db_config['username'], $db_config['password'], [
+        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
+        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC
+    ]);
+    echo "✅ Connected to MySQL at {$db_config['host']}:{$db_config['port']}\n";
+} catch (Exception $e) {
+    echo "⚠️ MySQL Connection Failed: " . $e->getMessage() . "\n";
+}
+
+// Redis Connection
+$redis = null;
+try {
+    $redis_config = $config['redis'];
+
+    $params = [
+        'scheme' => 'tcp',
+        'host' => $redis_config['host'],
+        'port' => $redis_config['port'],
+    ];
+
+    if (!empty($redis_config['password'])) {
+        $params['password'] = $redis_config['password'];
+    }
+
+    // Predis Client
+    $redis = new Predis\Client($params, ['prefix' => $redis_config['prefix']]);
+    $redis->connect();
+    echo "✅ Connected to Redis at {$redis_config['host']}:{$redis_config['port']} ({$redis_config['prefix']})\n";
+} catch (Exception $e) {
+    echo "⚠️ Redis Connection Failed: " . $e->getMessage() . "\n";
+}
+
+// Initialize Services
+$authService = $pdo ? new AuthService($pdo, $config, $redis) : null;
+$deviceService = $pdo ? new DeviceService($pdo, $config) : null;
+
+// Create a WebSocket worker
+$ws_host = $config['server']['websocket_host'];
+$ws_port = $config['server']['websocket_port'];
+$ws_worker = new Worker("websocket://{$ws_host}:{$ws_port}");
+
+// Store connections (Memory for now, can move to Redis later)
+$clients = []; // ClientID -> Connection
+$devices = []; // DeviceID -> Connection
+
+$ws_worker->onWorkerStart = function ($worker) use ($config) {
+    $ws_host = $config['server']['websocket_host'];
+    $ws_port = $config['server']['websocket_port'];
+    echo "Relay Server Started on {$ws_host}:{$ws_port}\n";
+
+    // Heartbeat check
+    $check_interval = $config['heartbeat']['check_interval'];
+    Timer::add($check_interval, function () use ($worker) {
+        $time_now = time();
+        foreach ($worker->connections as $connection) {
+            // Check if connection is alive possibly? 
+            // Workerman handles basic disconnects, but we can enforce ping logic here if needed
+        }
+    });
+};
+
+$ws_worker->onConnect = function ($connection) {
+    echo "New connection: " . $connection->id . "\n";
+    $connection->authVerified = false;
+};
+
+$ws_worker->onMessage = function ($connection, $data) use (&$clients, &$devices, $authService, $deviceService) {
+    $msg = json_decode($data, true);
+    if (!$msg || !isset($msg['type'])) {
+        return;
+    }
+
+    // 1. Authenticate / Register
+    if ($msg['type'] === 'register') {
+        if ($msg['role'] === 'device') {
+            // Device 注册 - 验证密钥
+            $deviceId = $msg['id'] ?? null;
+            $secret = $msg['secret'] ?? null;
+
+            if (!$deviceId) {
+                $connection->send(json_encode(['type' => 'error', 'msg' => 'Device ID required']));
+                return;
+            }
+
+            // 验证设备（如果有 deviceService）
+            if ($deviceService && $secret) {
+                if (!$deviceService->verifyDevice($deviceId, $secret)) {
+                    $connection->send(json_encode(['type' => 'error', 'msg' => 'Invalid device credentials']));
+                    $connection->close();
+                    return;
+                }
+                // 更新设备状态为在线
+                $deviceService->updateDeviceStatus($deviceId, 'online');
+            }
+
+            $devices[$deviceId] = $connection;
+            $connection->deviceId = $deviceId;
+            $connection->role = 'device';
+            $connection->authVerified = true;
+            $connection->send(json_encode(['type' => 'ack', 'status' => 'registered']));
+            echo "Device Registered: $deviceId\n";
+
+        } elseif ($msg['role'] === 'client') {
+            // Mini Program 注册 - 验证 Token
+            $clientId = $msg['id'] ?? null;
+            $token = $msg['token'] ?? null;
+
+            if (!$clientId) {
+                $connection->send(json_encode(['type' => 'error', 'msg' => 'Client ID required']));
+                return;
+            }
+
+            // 验证 Token（如果有 authService 和 token）
+            $user = null;
+            if ($authService && $token) {
+                $user = $authService->verifyToken($token);
+                if (!$user) {
+                    $connection->send(json_encode(['type' => 'error', 'msg' => 'Invalid or expired token']));
+                    $connection->close();
+                    return;
+                }
+                $connection->userId = $user['id'];
+                $connection->userPhone = $user['phone'];
+            }
+
+            $clients[$clientId] = $connection;
+            $connection->clientId = $clientId;
+            $connection->role = 'client';
+            $connection->authVerified = true;
+            $connection->send(json_encode([
+                'type' => 'ack',
+                'status' => 'connected',
+                'user' => $user
+            ]));
+            echo "Client Connected: $clientId" . ($user ? " (User: {$user['phone']})" : "") . "\n";
+        }
+        return;
+    }
+
+    if (!$connection->authVerified) {
+        $connection->close();
+        return;
+    }
+
+    // 2. Proxy Logic
+
+    // Client -> Device
+    if ($msg['type'] === 'proxy' && $connection->role === 'client') {
+        $targetDeviceId = $msg['targetDeviceId'] ?? null;
+
+        // 验证用户是否有权限访问该设备
+        if ($deviceService && isset($connection->userId)) {
+            if (!$deviceService->canAccessDevice($connection->userId, $targetDeviceId)) {
+                $connection->send(json_encode(['type' => 'error', 'msg' => 'No permission to access this device']));
+                return;
+            }
+        }
+
+        if ($targetDeviceId && isset($devices[$targetDeviceId])) {
+            $payload = $msg['payload'];
+            // Wrap it so device knows who sent it
+            $forwardMsg = [
+                'type' => 'cmd:execute',
+                'fromClientId' => $connection->clientId,
+                'fromUserId' => $connection->userId ?? null,
+                'payload' => $payload
+            ];
+            $devices[$targetDeviceId]->send(json_encode($forwardMsg));
+            echo "Forwarded msg from Client {$connection->clientId} to Device {$targetDeviceId}\n";
+        } else {
+            $connection->send(json_encode(['type' => 'error', 'msg' => 'Device offline or not found']));
+        }
+    }
+
+    // Device -> Client
+    if ($msg['type'] === 'proxy_response' && $connection->role === 'device') {
+        $targetClientId = $msg['targetClientId'] ?? null;
+        if ($targetClientId && isset($clients[$targetClientId])) {
+            $payload = $msg['payload'];
+            $forwardMsg = [
+                'type' => 'response',
+                'fromDeviceId' => $connection->deviceId,
+                'payload' => $payload
+            ];
+            $clients[$targetClientId]->send(json_encode($forwardMsg));
+            echo "Forwarded response from Device {$connection->deviceId} to Client {$targetClientId}\n";
+        }
+    }
+};
+
+$ws_worker->onClose = function ($connection) use (&$clients, &$devices, $deviceService) {
+    if (isset($connection->role)) {
+        if ($connection->role === 'device' && isset($connection->deviceId)) {
+            unset($devices[$connection->deviceId]);
+            // 更新设备状态为离线
+            if ($deviceService) {
+                $deviceService->updateDeviceStatus($connection->deviceId, 'offline');
+            }
+            echo "Device disconnected: {$connection->deviceId}\n";
+        } elseif ($connection->role === 'client' && isset($connection->clientId)) {
+            unset($clients[$connection->clientId]);
+            echo "Client disconnected: {$connection->clientId}\n";
+        }
+    }
+};
+
+// ---------------------------------------------------------
+// [New] HTTP Server for file uploads and static serving
+// ---------------------------------------------------------
+$http_host = $config['server']['http_host'];
+$http_port = $config['server']['http_port'];
+$http_worker = new Worker("http://{$http_host}:{$http_port}");
+$http_worker->count = $config['server']['worker_count'];
+$http_worker->onMessage = function ($connection, $request) use ($config, $authService, $deviceService) {
+    $path = $request->path();
+    $method = $request->method();
+
+    // Helper: JSON Response
+    $jsonResponse = function ($data, $status = 200) use ($connection) {
+        $connection->send(new \Workerman\Protocols\Http\Response(
+            $status,
+            ['Content-Type' => 'application/json', 'Access-Control-Allow-Origin' => '*'],
+            json_encode($data)
+        ));
+    };
+
+    // CORS Preflight
+    if ($method === 'OPTIONS') {
+        $connection->send(new \Workerman\Protocols\Http\Response(200, [
+            'Access-Control-Allow-Origin' => '*',
+            'Access-Control-Allow-Methods' => 'GET, POST, PUT, DELETE, OPTIONS',
+            'Access-Control-Allow-Headers' => 'Content-Type, Authorization',
+        ], ''));
+        return;
+    }
+
+    // ==================== Auth API ====================
+
+    // POST /api/auth/login - 微信登录
+    if ($path === '/api/auth/login' && $method === 'POST') {
+        if (!$authService) {
+            $jsonResponse(['ok' => false, 'error' => 'Auth service unavailable'], 500);
+            return;
+        }
+
+        $body = json_decode($request->rawBody(), true) ?: [];
+        $code = $body['code'] ?? null;
+        $phone = $body['phone'] ?? null;
+        $phoneCode = $body['phoneCode'] ?? null;
+
+        if (!$code) {
+            $jsonResponse(['ok' => false, 'error' => 'code is required'], 400);
+            return;
+        }
+
+        $result = $authService->wechatLogin($code, $phone, $phoneCode);
+        $jsonResponse($result, $result['ok'] ? 200 : 400);
+        return;
+    }
+
+    // POST /api/auth/verify - 验证 Token
+    if ($path === '/api/auth/verify' && $method === 'POST') {
+        if (!$authService) {
+            $jsonResponse(['ok' => false, 'error' => 'Auth service unavailable'], 500);
+            return;
+        }
+
+        $body = json_decode($request->rawBody(), true) ?: [];
+        $token = $body['token'] ?? null;
+
+        if (!$token) {
+            $jsonResponse(['ok' => false, 'error' => 'token is required'], 400);
+            return;
+        }
+
+        $user = $authService->verifyToken($token);
+        if ($user) {
+            $jsonResponse(['ok' => true, 'user' => $user]);
+        } else {
+            $jsonResponse(['ok' => false, 'error' => 'Invalid or expired token'], 401);
+        }
+        return;
+    }
+
+    // POST /api/auth/logout - 注销
+    if ($path === '/api/auth/logout' && $method === 'POST') {
+        if (!$authService) {
+            $jsonResponse(['ok' => false, 'error' => 'Auth service unavailable'], 500);
+            return;
+        }
+
+        $body = json_decode($request->rawBody(), true) ?: [];
+        $token = $body['token'] ?? null;
+
+        if ($token) {
+            $authService->logout($token);
+        }
+        $jsonResponse(['ok' => true]);
+        return;
+    }
+
+    // ==================== Device API ====================
+
+    // Helper: Get user from token
+    $getUser = function () use ($request, $authService) {
+        $authHeader = $request->header('Authorization');
+        if (!$authHeader || !str_starts_with($authHeader, 'Bearer ')) {
+            return null;
+        }
+        $token = substr($authHeader, 7);
+        return $authService ? $authService->verifyToken($token) : null;
+    };
+
+    // POST /api/device/bind - 绑定设备
+    if ($path === '/api/device/bind' && $method === 'POST') {
+        if (!$deviceService) {
+            $jsonResponse(['ok' => false, 'error' => 'Device service unavailable'], 500);
+            return;
+        }
+
+        $user = $getUser();
+        if (!$user) {
+            $jsonResponse(['ok' => false, 'error' => 'Unauthorized'], 401);
+            return;
+        }
+
+        $body = json_decode($request->rawBody(), true) ?: [];
+        $deviceId = $body['deviceId'] ?? null;
+        $deviceSecret = $body['deviceSecret'] ?? null;
+
+        if (!$deviceId) {
+            $jsonResponse(['ok' => false, 'error' => 'deviceId is required'], 400);
+            return;
+        }
+
+        $result = $deviceService->bindDevice($user['id'], $deviceId, $deviceSecret);
+        $jsonResponse($result, $result['ok'] ? 200 : 400);
+        return;
+    }
+
+    // POST /api/device/unbind - 解绑设备
+    if ($path === '/api/device/unbind' && $method === 'POST') {
+        if (!$deviceService) {
+            $jsonResponse(['ok' => false, 'error' => 'Device service unavailable'], 500);
+            return;
+        }
+
+        $user = $getUser();
+        if (!$user) {
+            $jsonResponse(['ok' => false, 'error' => 'Unauthorized'], 401);
+            return;
+        }
+
+        $body = json_decode($request->rawBody(), true) ?: [];
+        $deviceId = $body['deviceId'] ?? null;
+
+        if (!$deviceId) {
+            $jsonResponse(['ok' => false, 'error' => 'deviceId is required'], 400);
+            return;
+        }
+
+        $result = $deviceService->unbindDevice($user['id'], $deviceId);
+        $jsonResponse($result, $result['ok'] ? 200 : 400);
+        return;
+    }
+
+    // GET /api/device/list - 获取绑定的设备列表
+    if ($path === '/api/device/list' && $method === 'GET') {
+        if (!$deviceService) {
+            $jsonResponse(['ok' => false, 'error' => 'Device service unavailable'], 500);
+            return;
+        }
+
+        $user = $getUser();
+        if (!$user) {
+            $jsonResponse(['ok' => false, 'error' => 'Unauthorized'], 401);
+            return;
+        }
+
+        $devices = $deviceService->getUserDevices($user['id']);
+        $jsonResponse(['ok' => true, 'devices' => $devices]);
+        return;
+    }
+
+    // POST /api/device/primary - 设置主设备
+    if ($path === '/api/device/primary' && $method === 'POST') {
+        if (!$deviceService) {
+            $jsonResponse(['ok' => false, 'error' => 'Device service unavailable'], 500);
+            return;
+        }
+
+        $user = $getUser();
+        if (!$user) {
+            $jsonResponse(['ok' => false, 'error' => 'Unauthorized'], 401);
+            return;
+        }
+
+        $body = json_decode($request->rawBody(), true) ?: [];
+        $deviceId = $body['deviceId'] ?? null;
+
+        if (!$deviceId) {
+            $jsonResponse(['ok' => false, 'error' => 'deviceId is required'], 400);
+            return;
+        }
+
+        $result = $deviceService->setPrimaryDevice($user['id'], $deviceId);
+        $jsonResponse($result, $result['ok'] ? 200 : 400);
+        return;
+    }
+
+    // ==================== File API ====================
+
+    // 1. Static File Serving (Simple implementation)
+    if (strpos($path, '/uploads/') === 0) {
+        $file = __DIR__ . $path;
+        if (is_file($file)) {
+            $connection->send(new \Workerman\Protocols\Http\Response(
+                200,
+                ['Content-Type' => mime_content_type($file)],
+                file_get_contents($file)
+            ));
+            return;
+        }
+    }
+
+    // 2. Upload Handler
+    if ($path === '/upload') {
+        $files = $request->file();
+
+        if (empty($files['file'])) {
+            $connection->send(new \Workerman\Protocols\Http\Response(400, [], json_encode(['ok' => false, 'error' => 'No file'])));
+            return;
+        }
+
+        $file = $files['file'];
+
+        // Validate Size
+        $max_size = $config['upload']['max_size'];
+        if ($file['size'] > $max_size) {
+            $max_mb = round($max_size / 1024 / 1024);
+            $connection->send(new \Workerman\Protocols\Http\Response(400, [], json_encode(['ok' => false, 'error' => "File too large (Max {$max_mb}MB)"])));
+            return;
+        }
+
+        // Validate Extension
+        $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
+        $allowed = $config['upload']['allowed_extensions'];
+        if (!in_array($ext, $allowed)) {
+            $connection->send(new \Workerman\Protocols\Http\Response(400, [], json_encode(['ok' => false, 'error' => 'File type not allowed'])));
+            return;
+        }
+
+        // TOS Configuration
+        $tos_config = $config['tos'];
+
+        try {
+            $client = new TosClient([
+                'region' => $tos_config['region'],
+                'endpoint' => $tos_config['endpoint'],
+                'ak' => $tos_config['ak'],
+                'sk' => $tos_config['sk'],
+            ]);
+
+            // Generate Key
+            $uuid = bin2hex(random_bytes(8));
+            $userPhone = $config['upload']['default_user'];
+            $objectKey = "clawdbot/{$userPhone}/{$uuid}.{$ext}";
+            $bucket = $tos_config['bucket'];
+
+            // Read file content
+            $contentFn = fopen($file['tmp_name'], 'r');
+
+            // Upload using Object Input
+            $input = new PutObjectInput($bucket, $objectKey, $contentFn);
+            $input->setACL('public-read');
+
+            $client->putObject($input);
+
+            if (is_resource($contentFn)) {
+                fclose($contentFn);
+            }
+
+            // Generate URL
+            $url = "https://{$bucket}.{$tos_config['endpoint']}/{$objectKey}";
+
+            $connection->send(json_encode([
+                'ok' => true,
+                'url' => $url
+            ]));
+
+        } catch (Exception $e) {
+            $connection->send(new \Workerman\Protocols\Http\Response(500, [], json_encode(['ok' => false, 'error' => 'Upload failed: ' . $e->getMessage()])));
+        }
+        return;
+    }
+
+    // 3. Generate Pre-Signed URL for Direct Upload
+    if (strpos($path, '/tos/sign') === 0) {
+        $query = $request->get();
+        $filename = $query['filename'] ?? 'file_' . time();
+        $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
+
+        // Validation
+        $allowed = $config['upload']['allowed_extensions'];
+        if (!in_array($ext, $allowed) && $ext !== '') {
+            // If no extension providing, we might just allow it or fail. 
+            // Ideally client should provide full filename with extension.
+        }
+
+        // TOS Configuration
+        $tos_config = $config['tos'];
+
+        try {
+            $client = new TosClient([
+                'region' => $tos_config['region'],
+                'endpoint' => $tos_config['endpoint'],
+                'ak' => $tos_config['ak'],
+                'sk' => $tos_config['sk'],
+            ]);
+
+            $uuid = bin2hex(random_bytes(8));
+            $userPhone = $config['upload']['default_user'];
+            // Ensure filename is safe
+            $safeName = preg_replace('/[^a-zA-Z0-9._-]/', '', $filename);
+            if (!$safeName)
+                $safeName = 'unnamed';
+
+            $objectKey = "clawdbot/{$userPhone}/direct_{$uuid}_{$safeName}";
+            $bucket = $tos_config['bucket'];
+
+            // Generate Pre-Signed PUT URL (Valid for 15 mins)
+            // Note: The SDK method name might vary slightly based on version, 
+            // but `preSignedURL` is standard for TOS PHP SDK v2.
+            $input = new \Tos\Model\PreSignedURLInput(
+                'PUT',
+                $tos_config['bucket'],
+                $objectKey,
+                300 // 5 minutes validity
+            );
+
+            // Add content-type if known? client will send it. 
+            // For simple PUT, we just sign the method and resource.
+
+            $output = $client->preSignedURL($input);
+            $signedUrl = $output->getSignedUrl();
+
+            // Public Access URL (Assuming bucket is public-read or we use signed Get URL)
+            // For this project, we used public-read ACL in previous code, so we assume public access.
+            $publicUrl = "https://{$tos_config['bucket']}.{$tos_config['endpoint']}/{$objectKey}";
+
+            $connection->send(json_encode([
+                'ok' => true,
+                'uploadUrl' => $signedUrl,
+                'publicUrl' => $publicUrl,
+                'key' => $objectKey
+            ]));
+
+        } catch (Exception $e) {
+            $connection->send(new \Workerman\Protocols\Http\Response(500, [], json_encode(['ok' => false, 'error' => $e->getMessage()])));
+        }
+        return;
+    }
+
+    $connection->send("Moltbot Relay HTTP Server");
+};
+
+Worker::runAll();