feat: support installing local artifacts over remote daemon transport

[thymikee]

When the CLI runs on a different machine than the daemon (via AGENT_DEVICE_DAEMON_BASE_URL), install/reinstall commands now transparently upload local app binaries (.apk/.ipa/.aab) and app bundles (.app dirs) to the daemon before installing. No new flags required — same CLI ergonomics.

• Add POST /upload endpoint to daemon HTTP server with auth and streaming file/tar reception
• Add client-side upload helper with timeout and tar packing for .app directories
• Intercept install/reinstall in sendToDaemon for remote daemons, upload artifact, rewrite positional path
• Clean up uploaded temp files after install completes (or fails) with 5-minute safety-net auto-cleanup for abandoned uploads
• Sanitize artifact filenames to prevent path traversal

[github-actions]

PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-03-09 15:10 UTC

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 60791544e9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Enforce size cap when extracting app-bundle uploads

receiveUpload applies MAX_UPLOAD_BYTES only in streamToFile, but the app-bundle path calls extractTar directly without any byte accounting, so authenticated clients can stream arbitrarily large tar payloads (or tar bombs) and force the daemon to consume unbounded disk space. This is a production DoS risk specific to directory-based installs (.app) and was introduced with the new /upload flow.

Useful? React with 👍 / 👎.