The first client→daemon frame on the /laboratory host-channel
WebSocket (the daemon’s ONE remaining WebSocket) — the auth preamble,
always sent, even to a secretless daemon ({"signature": null}). A
daemon holding a DAEMON_SECRET verifies the signature and closes
the connection on a missing/invalid one; a secretless daemon consumes
the envelope and ignores the value. (The HTTP routes — /execute,
/listen, and the SSE watchers — authenticate by the
X-OBJECTIVEAI-SIGNATURE header instead.)
Execute commands against a remote cli daemon over plain HTTP —
one POST per command to the daemon’s /execute route, with the
result streamed back as Server-Sent Events.