fix(t-1.0): fix broken import paths, wire upgrade.ts into legacy server

- Fixed import paths in legacy-server.ts: ./auth.js → ../auth.js etc.
  (broken by rename from server.ts → server/legacy-server.ts)
- Implemented upgrade.ts with extracted WS upgrade + auth logic
- Updated server/server.ts bootstrap docs
- All LEGACY tags verified across frozen files and route stubs

extensions/remote-control/server/legacy-server.ts

@@ -21,10 +21,10 @@ import {
   parseCookies,
   SESSION_COOKIE,
   validateToken,
-} from "./auth.js";
-import { parseBindAddress, readRemoteControlConfig } from "./config.js";
-import { buildHTML } from "./html.js";
-import { buildSyncMessage } from "./messages.js";
+} from "../auth.js";
+import { parseBindAddress, readRemoteControlConfig } from "../config.js";
+import { buildHTML } from "../html.js";
+import { buildSyncMessage } from "../messages.js";
 
 interface WsClient {
   readyState: number;
@@ -55,6 +55,8 @@ const wsModule = _require("ws") as {
 };
 const { WebSocketServer, OPEN } = wsModule;
 
+import { handleUpgrade } from "./upgrade.js";
+
 export interface RemoteServer {
   broadcast: (msg: object) => void;
   sync: (ctx: ExtensionContext) => void;
@@ -205,20 +207,7 @@ export async function startServer(
   httpServer.on(
     "upgrade",
     (request: IncomingMessage, socket: Socket, head: Buffer) => {
-      const url = new URL(request.url, "http://localhost");
-      if (url.pathname === "/ws") {
-        // Validate auth: session cookie or token query param
-        if (!isAuthenticated(request)) {
-          socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
-          socket.destroy();
-          return;
-        }
-        wss.handleUpgrade(request, socket, head, (ws: WsClient) => {
-          wss.emit("connection", ws, request);
-        });
-      } else {
-        socket.destroy();
-      }
+      handleUpgrade(httpServer, wss, request, socket, head, () => isAuthenticated(request));
     },
   );
 

extensions/remote-control/server/server.ts

@@ -3,6 +3,13 @@
  *
  * Creates the HTTP + WebSocket server and wires up legacy routes.
  * Route placeholders will be populated by T-1.5 / T-1.6 / T-1.7.
+ *
+ * Architecture:
+ *   server/server.ts   — this file: bootstrap, exports startServer()
+ *   server/upgrade.ts  — WebSocket upgrade routing (extracted from legacy)
+ *   server/legacy-server.ts — LEGACY: original server implementation,
+ *                              to be gradually carved into route modules
+ *   server/routes/     — stubs; T-1.5..T-1.7 will implement
  */
 import type {
   ExtensionAPI,
@@ -13,7 +20,12 @@ export type { RemoteServer } from "./legacy-server.js";
 
 /**
  * Start the remote-control server.
- * Currently delegates to the legacy server; route modules will be
- * wired in during T-1.5 – T-1.7.
+ *
+ * Currently delegates to the legacy server monolith; T-1.5–T-1.7 will
+ * incrementally replace legacy routes with the modular route handlers
+ * under server/routes/.
  */
-export { startLegacyServer as startServer };
+export const startServer: (
+  pi: ExtensionAPI,
+  ctx: ExtensionContext,
+) => Promise<import("./legacy-server.js").RemoteServer> = startLegacyServer;

extensions/remote-control/server/upgrade.ts

@@ -1,5 +1,12 @@
-// Legacy WebSocket upgrade routing — to be replaced in T-1.5/T-1.6.
+/**
+ * WebSocket upgrade routing — validates auth and dispatches to the
+ * appropriate handler.
+ *
+ * LEGACY: currently routes everything to a single /ws endpoint.
+ * T-1.5/T-1.6: dispatch to topic/session-specific handlers (stream, input, …).
+ */
 import type { IncomingMessage } from "node:http";
+import type { Server } from "node:http";
 import type { Socket } from "node:net";
 
 // Lightweight ws server interface (compatible with the ws package without types)
@@ -14,18 +21,36 @@ interface WsServer {
 }
 
 /**
- * Route WebSocket upgrade requests to the legacy server.
- * In Phase 2 this will dispatch to topic/session-specific handlers.
+ * Handle an HTTP upgrade request.
+ *
+ * @param _httpServer  The HTTP server (reserved for T-1.5/T-1.6 per-session dispatch).
+ * @param wss          The WebSocket server.
+ * @param request      Incoming upgrade request.
+ * @param socket       Raw socket.
+ * @param head         First packet bytes.
+ * @param isAuthed     Whether the request passed authentication.
  */
 export function handleUpgrade(
+  _httpServer: Server,
   wss: WsServer,
   request: IncomingMessage,
   socket: Socket,
   head: Buffer,
+  isAuthed: boolean,
 ): void {
-  // T-1.5/T-1.6: inspect URL to route to stream/input/session handlers.
-  // For now, delegate everything to the legacy WebSocket server.
-  wss.handleUpgrade(request, socket, head, (ws) => {
-    wss.emit("connection", ws, request);
-  });
+  const url = new URL(request.url ?? "/", "http://localhost");
+
+  // T-1.5/T-1.6: inspect url.pathname to dispatch to stream / input / session handlers.
+  if (url.pathname === "/ws") {
+    if (!isAuthed) {
+      socket.write("HTTP/1.1 403 Forbidden\r\n\r\n");
+      socket.destroy();
+      return;
+    }
+    wss.handleUpgrade(request, socket, head, (ws) => {
+      wss.emit("connection", ws, request);
+    });
+  } else {
+    socket.destroy();
+  }
 }