@ait-co/devtools 0.1.109 → 0.1.111

package/dist/mcp/cli.js

@@ -24,6 +24,95 @@ import { Tunnel, bin, install } from "cloudflared";
 //#region \0rolldown/runtime.js
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 //#endregion
+//#region src/in-app/gate.ts
+/**
+* The host suffix the Toss app uses to serve dogfood / private mini-apps.
+*
+* A `intoss-private://` (dogfood) entry maps to a host such as
+* `aitc-sdk-example.private-apps.tossmini.com`. A production `intoss://`
+* entry is served from `*.apps.tossmini.com` — the `.private-apps.` segment
+* is absent. Confirmed live over CDP for mini-app 31146; the exact production
+* host is to be re-confirmed once 31146 passes review (spec open question 2).
+*/
+const PRIVATE_APPS_HOST_SUFFIX = ".private-apps.tossmini.com";
+/**
+* The host suffix Cloudflare quick-tunnels serve from — the env 2 (PWA) entry.
+* See {@link isTrycloudflareHost} for why this host kind bypasses Layer B1.
+*/
+const TRYCLOUDFLARE_HOST_SUFFIX = ".trycloudflare.com";
+/**
+* Returns whether `hostname` is a `*.private-apps.tossmini.com` subdomain —
+* the host the Toss app reserves for dogfood / private mini-app entries.
+*
+* The match is an exact suffix check, not a substring `.includes()`: a
+* substring test would also accept an attacker-controlled host like
+* `private-apps.tossmini.com.evil.example`, which ends in `.example`, not in
+* `.tossmini.com`. Requiring the string to END with the suffix closes that.
+* The leading `.` in the suffix also forces a real subdomain label, so a
+* bare `private-apps.tossmini.com` (no mini-app subdomain) does not match.
+*/
+function isPrivateAppsHost(hostname) {
+	return hostname.endsWith(PRIVATE_APPS_HOST_SUFFIX);
+}
+/**
+* The host suffix Cloudflare quick-tunnels use — the env 2 (PWA) entry.
+*
+* Env 2 serves the local Vite dev server through a `*.trycloudflare.com` quick
+* tunnel (`src/unplugin/tunnel.ts`). It has no Toss app, no `intoss-private://`
+* scheme, and — critically — no production runtime: the SDK is the devtools
+* mock, and the page is the developer's own dev build. The Layer B1 safety net
+* (which stops a dogfood build that lands on a Toss *production* host from
+* attaching) has nothing to protect against here, because env 2 has no
+* production host. So a trycloudflare host is allowed past B1 — but ONLY past
+* B1: the remaining layers (C1 opt-in, C2 relay, C3 TOTP) still apply, so a
+* leaked tunnel URL is still blocked by TOTP exactly as on the Toss path.
+*
+* The match is the same exact-suffix `endsWith` check as
+* {@link isPrivateAppsHost} — never a substring `.includes()`, which would
+* accept an attacker-controlled `evil.trycloudflare.com.example.com`. The
+* leading `.` forces a real subdomain label, so a bare `trycloudflare.com`
+* (no tunnel subdomain) does not match.
+*/
+function isTrycloudflareHost(hostname) {
+	return hostname.endsWith(TRYCLOUDFLARE_HOST_SUFFIX);
+}
+/**
+* Returns true when the hostname is a localhost/loopback address.
+* Allowed: `localhost`, `127.x.x.x` (full RFC 5735 loopback block), `[::1]`,
+* `0.0.0.0`, `*.localhost`.
+*
+* Security note: `hostname.startsWith('127.')` is intentionally NOT used —
+* that pattern would accept `127.evil.com`, which starts with "127." but is an
+* attacker-controlled hostname, not a loopback address. Instead, the 127/8
+* loopback block is matched with a strict numeric-quad regex so only valid
+* dotted-decimal IPv4 in the 127.x.x.x range pass (#665 작업 A fix).
+*/
+function isLocalhostHost(hostname) {
+	if (hostname === "localhost" || hostname === "0.0.0.0") return true;
+	if (hostname === "[::1]") return true;
+	if (/^127\.\d+\.\d+\.\d+$/.test(hostname)) return true;
+	if (hostname.endsWith(".localhost")) return true;
+	return false;
+}
+/**
+* Positive-allowlist kill-switch (#665): returns true when the hostname is a
+* known debug-allowed host. The debug surface is ONLY active on:
+*   - localhost / loopback (env 1 desktop dev)
+*   - *.trycloudflare.com (env 2 PWA tunnel)
+*   - *.private-apps.tossmini.com (env 3 dog-food)
+*
+* Any other host (including apps.tossmini.com — the former env 4 LIVE host)
+* is silently blocked. This is a positive allowlist — unlisted hosts never
+* had debug surface regardless, but this function makes it explicit and
+* auditable in a single place.
+*
+* SECRET-HANDLING: the hostname value MUST NOT be logged or included in any
+* error reason string — only benign labels ('host not in allowlist') are safe.
+*/
+function isDebugAllowedHost(hostname) {
+	return isLocalhostHost(hostname) || isTrycloudflareHost(hostname) || isPrivateAppsHost(hostname);
+}
+//#endregion
 //#region src/shared/parent-watcher.ts
 /**
 * Shared parent-PID watcher — used by both the MCP debug daemon and the
@@ -817,7 +906,7 @@ function logError(event, fields = {}) {
 * Attach reliability (#281):
 *   `refreshTargets()` emits an internal 'target:attached' event whenever a
 *   new target is added to the relay. `waitForFirstTarget()` awaits that event
-*   (with a polling-interval fallback) so `build_attach_url wait_for_attach`
+*   (with a polling-interval fallback) so `start_attach`'s attach wait
 *   resolves deterministically rather than racing between polling rounds.
 */
 /** Max events retained per domain ring buffer. */
@@ -1957,9 +2046,10 @@ function isCompatMode() {
 	return process.env.AIT_MCP_COMPAT === "chrome-devtools";
 }
 /**
-* Maps `McpEnvironment` to `EnvelopeEnv`. After #307 these are the same
-* union (`mock | relay-dev | relay-live`), so this is identity — kept as a
-* named export for surface stability if envelope env diverges in the future.
+* Maps `McpEnvironment` to `EnvelopeEnv`. These are now the same 3-value
+* union (`mock | relay-dev | relay-mobile`; `relay-live` removed in #665),
+* so this is identity — kept as a named export for surface stability if
+* envelope env diverges in the future.
 */
 function toEnvelopeEnv(env) {
 	return env;
@@ -1995,9 +2085,9 @@ function wrapEnvelope(data, ctx) {
 //#endregion
 //#region src/mcp/environment.ts
 /**
-* Returns `true` when the environment is any relay variant (`relay-dev`,
-* `relay-live`, or `relay-mobile`). Use this instead of `env === 'relay'` for
-* tier checks — every relay env surfaces the Tier B / relay-only tool set.
+* Returns `true` when the environment is any relay variant (`relay-dev` or
+* `relay-mobile`). Use this instead of `env === 'relay'` for tier checks —
+* every relay env surfaces the Tier B / relay-only tool set.
 *
 * Written as an exhaustive switch so a future `McpEnvironment` member that is
 * missing an arm is a TS compile error rather than a silent `false`.
@@ -2005,78 +2095,49 @@ function wrapEnvelope(data, ctx) {
 function isRelayEnv(env) {
 	switch (env) {
 		case "relay-dev":
-		case "relay-live":
 		case "relay-mobile": return true;
 		case "mock": return false;
 	}
 }
 /**
-* Returns `true` when the environment is the LIVE relay (`relay-live`).
-* This is the guard condition for side-effect tool protection. `relay-mobile`
-* is a dev-intent env (env 2 PWA) and is NOT live.
-*/
-function isLiveRelayEnv(env) {
-	return env === "relay-live";
-}
-/**
 * Maps the `McpEnvironment` union to the legacy two-value union
 * (`'mock' | 'relay'`) for backward-compatible fields in diagnostics output.
-* Every relay variant (incl. `relay-mobile`) collapses to `'relay'`.
+* Every relay variant (`relay-dev`, `relay-mobile`) collapses to `'relay'`.
+* Written as an exhaustive switch so a missing arm is a TS compile error.
 */
 function toLegacyEnv(env) {
-	if (env === "mock") return "mock";
-	return "relay";
+	switch (env) {
+		case "mock": return "mock";
+		case "relay-dev":
+		case "relay-mobile": return "relay";
+	}
 }
 /**
-* Reconstructs the four-value `McpEnvironment` output string from the
-* orthogonal signals (issues #348, #378):
+* Reconstructs the three-value `McpEnvironment` output string from the
+* orthogonal signals (issues #348, #378, #665):
 *
-*   - `kind === 'local'`                                          → `'mock'`
-*   - `kind === 'relay'` &&  liveIntent                           → `'relay-live'`
-*   - `kind === 'relay'` && !liveIntent && origin 'external-pwa'  → `'relay-mobile'`
-*   - `kind === 'relay'` && !liveIntent && origin intoss/undefined → `'relay-dev'`
+*   - `kind === 'local'`                                         → `'mock'`
+*   - `kind === 'relay'` && origin 'external-pwa'                → `'relay-mobile'`
+*   - `kind === 'relay'` && origin intoss/undefined              → `'relay-dev'`
 *
 * `relayOrigin` is the booted-family discriminator (NOT sniffed from the URL)
 * that distinguishes the env-2 external-PWA relay (`relay-mobile`) from the
 * intoss-private dog-food relay (`relay-dev`); both are `kind: 'relay'`.
 *
+* `relay-live` (env 4) has been removed (#665). `liveIntent` parameter is gone.
+*
 * Pure — used at every output boundary (envelope `meta.env`, `get_debug_status`,
 * `measure_safe_area` provenance) so the surface never sniffs a URL again.
 *
 * Written switch-style so a missing arm is a TS compile error (never falls
 * through to a default).
 */
-function deriveEnvironment(kind, liveIntent, relayOrigin) {
+function deriveEnvironment(kind, relayOrigin) {
 	switch (kind) {
 		case "local": return "mock";
-		case "relay":
-			if (liveIntent) return "relay-live";
-			return relayOrigin === "external-pwa" ? "relay-mobile" : "relay-dev";
+		case "relay": return relayOrigin === "external-pwa" ? "relay-mobile" : "relay-dev";
 	}
 }
-/**
-* Module-level `relay-dev` vs `relay-live` intent bit (issue #348).
-*
-* Armed by `start_debug({ mode: 'relay-live' })` (and seeded at boot by the
-* deprecated `MCP_ENV=relay-live` alias). Disarming is implicit: when the
-* active connection becomes local, the LIVE guard reads
-* `connection.kind === 'relay' && liveIntent`, so a stale `true` bit is inert.
-*
-* SECRET-HANDLING: this is a boolean — never a secret. Safe to read in logs.
-*/
-let liveIntent = false;
-/** Returns the current `liveIntent` bit. */
-function getLiveIntent() {
-	return liveIntent;
-}
-/**
-* Sets the `liveIntent` bit. Called by `start_debug` (true for `relay-live`,
-* false for every other mode) and once at boot by the `MCP_ENV=relay-live`
-* deprecated alias.
-*/
-function setLiveIntent(value) {
-	liveIntent = value;
-}
 //#endregion
 //#region src/mcp/errors.ts
 /**
@@ -2103,12 +2164,12 @@ function mcpError(message) {
 *                      (예: `derived:kind=relay,liveIntent=true`).
 */
 function tierRejectionError(toolName, requiredEnv, currentEnv, reason) {
-	return mcpError(`${`${toolName}은 ${requiredEnv === "relay" ? "relay (실기기 연결)" : "mock (로컬 브라우저)"} 환경에서만 사용할 수 있습니다. 현재 환경: ${currentEnv === "relay" ? "relay" : "mock"} (${reason}). ${requiredEnv === "relay" ? "relay로 전환하려면 MCP_ENV=relay 설정 후 서버를 재시작하고 build_attach_url → QR 스캔으로 실기기를 attach하세요." : "mock으로 전환하려면 MCP_ENV=mock 설정 후 서버를 재시작하세요."}`}\n\n${`tool ${toolName} is available only in ${requiredEnv}. Current environment is ${currentEnv} (${reason}).`}`);
+	return mcpError(`${`${toolName}은 ${requiredEnv === "relay" ? "relay (실기기 연결)" : "mock (로컬 브라우저)"} 환경에서만 사용할 수 있습니다. 현재 환경: ${currentEnv === "relay" ? "relay" : "mock"} (${reason}). ${requiredEnv === "relay" ? "relay로 전환하려면 MCP_ENV=relay 설정 후 서버를 재시작하고 start_attach → QR 스캔으로 실기기를 attach하세요." : "mock으로 전환하려면 MCP_ENV=mock 설정 후 서버를 재시작하세요."}`}\n\n${`tool ${toolName} is available only in ${requiredEnv}. Current environment is ${currentEnv} (${reason}).`}`);
 }
 /**
 * 상태 1: tunnel 미가동 — cloudflared 터널이 아직 뜨지 않았다.
 *
-* `build_attach_url` 호출 시 tunnel.up === false 인 경우.
+* `start_attach` 호출 시 tunnel.up === false 인 경우.
 */
 function tunnelDownError() {
 	return mcpError("cloudflared 터널이 안 떠 있습니다. MCP 서버를 재시작하거나 잠시 후 list_pages로 터널 상태를 다시 확인하세요.");
@@ -2119,7 +2180,7 @@ function tunnelDownError() {
 * enableDomains()가 "No mini-app page attached" 에러를 던질 때.
 */
 function pageMissingError(toolName) {
-	return mcpError(`${toolName ? `${toolName}: ` : ""}페이지가 attach 안 됨. dog-food 번들 배포 후 build_attach_url을 호출해 QR을 생성하세요: \`ait deploy --scheme-only\` → \`build_attach_url(scheme_url)\` → QR 스캔.`);
+	return mcpError(`${toolName ? `${toolName}: ` : ""}페이지가 attach 안 됨. dog-food 번들 배포 후 start_attach를 호출해 QR 생성 + attach까지 진행하세요: \`ait deploy --scheme-only\` → \`start_attach(scheme_url)\` → QR 스캔.`);
 }
 /**
 * 상태 3: page crash — 연결됐던 페이지가 crash/destroy됐다.
@@ -2128,7 +2189,7 @@ function pageMissingError(toolName) {
 * 던질 때 이 메시지를 사용한다.
 */
 function pageCrashError(toolName) {
-	return mcpError(`${toolName ? `${toolName}: ` : ""}페이지가 crash됐습니다. 토스 앱을 재실행한 뒤 build_attach_url → QR 스캔으로 재attach하세요.`);
+	return mcpError(`${toolName ? `${toolName}: ` : ""}페이지가 crash됐습니다. 토스 앱을 재실행한 뒤 start_attach → QR 스캔으로 재attach하세요.`);
 }
 /**
 * 상태 4: SDK 부재 — window.__sdkCall이 주입되지 않았다.
@@ -2150,23 +2211,6 @@ function sdkAbsentError(toolName, isLocal = false) {
 	return mcpError(`${prefix}window.__sdkCall이 주입되지 않았습니다 (dog-food 빌드가 아닙니다). dog-food 채널(intoss-private)로 재배포 후 QR을 다시 스캔하세요: \`ait build && aitcc app deploy\`.`);
 }
 /**
-* relay-live 환경에서 side-effect 도구(`call_sdk`, `evaluate`)를 `confirm: true`
-* 없이 호출했을 때 반환하는 거부 메시지.
-*
-* 다음 행동을 두 가지로 제시한다:
-*   1. 같은 호출에 `confirm: true` 인자를 추가해 재시도.
-*   2. 읽기 전용 환경(relay-dev, mock)으로 전환.
-*/
-function liveGuardError(toolName) {
-	return mcpError(`[LIVE relay guard] ${toolName}은 현재 relay-live(실 출시 런타임) 세션에서 side-effect 호출입니다. 실유저에게 영향을 줄 수 있어 명시적 동의가 필요합니다.
-
-다음 중 하나를 선택하세요:
-  1. \`confirm: true\` 인자를 추가해 재호출: ${toolName}(…, confirm: true)\n  2. 읽기 전용 도구(list_pages, list_console_messages, take_screenshot 등)를 사용하세요.
-  3. dog-food 빌드(relay-dev 환경)에서 먼저 검증 후 live에 적용하세요.
-
-live-guard: MCP_ENV=relay-live + confirm: true missing`);
-}
-/**
 * relay WebSocket 연결이 끊겼을 때 — 크래시가 아닌 네트워크/프로세스 종료.
 */
 function relayDisconnectError(toolName) {
@@ -2676,7 +2720,7 @@ const en = {
 	"dashboard.tunnel.up": "Connected",
 	"dashboard.tunnel.down": "Disconnected",
 	"dashboard.attach.section": "Attach QR",
-	"dashboard.attach.hint": "Call the build_attach_url MCP tool to show the QR here.",
+	"dashboard.attach.hint": "Call the start_attach MCP tool to show the QR here.",
 	"dashboard.attach.tunnelDown": "Relay disconnected — this QR is no longer valid. Restart the relay, then regenerate the QR.",
 	"dashboard.pages.section": "Connected Pages",
 	"dashboard.pages.empty": "No attached pages",
@@ -2694,7 +2738,6 @@ const en = {
 	"attach.url.section": "URL (fallback)",
 	"attach.mode.sandbox": "env 2 — AITC Sandbox App (PWA)",
 	"attach.mode.intossDev": "env 3 — intoss-private relay dev",
-	"attach.mode.intossLive": "env 4 — intoss live relay debug",
 	"attach.sandbox.step1": "Launch the launcher PWA icon on your home screen (if the Safari address bar is visible, it is not standalone).",
 	"attach.sandbox.step2": "Scan this QR code with <strong>\"Scan QR with camera\"</strong> inside the launcher.",
 	"attach.sandbox.step3": "The mini-app opens fullscreen and the debug session attaches automatically.",
@@ -2710,7 +2753,6 @@ const en = {
 	"attach.intoss.faq.prepare": "<strong>Mini-app stuck in PREPARE state</strong> — verify the deep-link has a <code>_deploymentId</code> parameter",
 	"attach.intoss.faq.chii": "<strong>Chii injection failure / console is empty</strong> — verify the mini-app bundle has an <code>in-app</code> debug import",
 	"attach.intoss.faq.totp": "<strong>TOTP gate Layer C is inactive</strong> — check that <code>AIT_DEBUG_TOTP_SECRET</code> is set on the relay server",
-	"attach.intoss.faq.liveReadOnly": "<strong>LIVE session is read-only</strong> — <code>call_sdk</code>/<code>evaluate</code> require an explicit <code>confirm</code>",
 	"launcher.title": "AITC DevTools Launcher",
 	"launcher.description": "Scan the terminal QR code or paste the tunnel URL.",
 	"launcher.installCta": "Install launcher to your phone",
@@ -2913,7 +2955,7 @@ const tables = {
 		"dashboard.tunnel.up": "연결됨",
 		"dashboard.tunnel.down": "끊어짐",
 		"dashboard.attach.section": "Attach QR",
-		"dashboard.attach.hint": "build_attach_url MCP tool을 호출하면 QR이 여기에 표시됩니다.",
+		"dashboard.attach.hint": "start_attach MCP tool을 호출하면 QR이 여기에 표시됩니다.",
 		"dashboard.attach.tunnelDown": "relay 연결이 끊겼습니다 — 이 QR은 더 이상 유효하지 않습니다. relay를 재시작한 뒤 QR을 다시 생성하세요.",
 		"dashboard.pages.section": "연결된 Pages",
 		"dashboard.pages.empty": "attach된 페이지 없음",
@@ -2931,7 +2973,6 @@ const tables = {
 		"attach.url.section": "URL (fallback)",
 		"attach.mode.sandbox": "환경 2 — AITC Sandbox App (PWA)",
 		"attach.mode.intossDev": "환경 3 — intoss-private relay dev",
-		"attach.mode.intossLive": "환경 4 — intoss live relay debug",
 		"attach.sandbox.step1": "홈 화면의 launcher PWA 아이콘으로 실행하세요 (Safari 주소창이 보이면 standalone이 아닙니다).",
 		"attach.sandbox.step2": "launcher 안의 <strong>\"QR 카메라로 스캔\"</strong>으로 이 QR 코드를 스캔하세요.",
 		"attach.sandbox.step3": "미니앱이 풀스크린으로 열리고 디버그 세션이 자동으로 attach됩니다.",
@@ -2947,7 +2988,6 @@ const tables = {
 		"attach.intoss.faq.prepare": "<strong>미니앱이 PREPARE 상태에서 멈추는 경우</strong> — deep-link에 <code>_deploymentId</code> 파라미터가 있는지 확인",
 		"attach.intoss.faq.chii": "<strong>Chii 주입 실패 / 콘솔이 비어 있는 경우</strong> — 미니앱 번들에 <code>in-app</code> debug import가 있는지 확인",
 		"attach.intoss.faq.totp": "<strong>TOTP gate Layer C가 비활성인 경우</strong> — relay 서버에 <code>AIT_DEBUG_TOTP_SECRET</code>이 설정돼 있는지 확인",
-		"attach.intoss.faq.liveReadOnly": "<strong>LIVE 세션은 read-only입니다</strong> — <code>call_sdk</code>/<code>evaluate</code> 실행에는 명시적 <code>confirm</code>이 필요합니다",
 		"launcher.title": "AITC DevTools Launcher",
 		"launcher.description": "터미널 QR을 스캔하거나 URL을 입력하세요.",
 		"launcher.installCta": "폰에 런처 설치하기",
@@ -3206,7 +3246,7 @@ hr { border: none; border-top: 1px solid #21262d; width: 100%; margin: 0.5rem 0;
 }
 .inspector-link:hover { background: #388bfd; }
 .inspector-hint { display: inline-block; margin-top: 0.5rem; font-size: 0.8rem; opacity: 0.45; }
-</style></head><body><h1>AIT 디버그 세션 — QR 스캔</h1>__MODE_LABEL____LANG_SWITCHER__<p class="label">deployment: __SAFE_LABEL__</p><div id="attach-section"><img class="qr" src="__QR_DATA_URL__" alt="attach QR"/></div><section><h2>스캔 절차</h2><ol><li>토스 앱을 실행하세요.</li><li>폰 카메라 앱으로 QR 코드를 스캔하세요.</li><li>팝업이 뜨면 <strong>"토스로 열기"</strong>를 탭하세요.</li><li>미니앱이 열리고 디버그 세션이 자동으로 attach됩니다.</li></ol></section><hr/><section><h2>진단 체크리스트</h2><ul><li><strong>토스 앱이 안 열리는 경우</strong> — 앱 버전 확인, 카메라 앱으로 스캔 (토스 앱 내 QR 리더 X)</li><li><strong>미니앱이 PREPARE 상태에서 멈추는 경우</strong> — deep-link에 <code>_deploymentId</code> 파라미터가 있는지 확인</li><li><strong>Chii 주입 실패 / 콘솔이 비어 있는 경우</strong> — 미니앱 번들에 <code>in-app</code> debug import가 있는지 확인</li><li><strong>TOTP gate Layer C가 비활성인 경우</strong> — relay 서버에 <code>AIT_DEBUG_TOTP_SECRET</code>이 설정돼 있는지 확인</li>__LIVE_FAQ__</ul></section><hr/><section id="url-section"><h2>URL (fallback)</h2><div class="url-row"><p class="url-box" id="url-box">__SAFE_ATTACH_URL__</p><button class="copy-btn" id="copy-btn" type="button" aria-label="복사">복사</button></div></section><hr/><section id="inspector-section"><h2>인스펙터</h2>__INSPECTOR_SECTION__</section></body></html>`;
+</style></head><body><h1>AIT 디버그 세션 — QR 스캔</h1>__MODE_LABEL____LANG_SWITCHER__<p class="label">deployment: __SAFE_LABEL__</p><div id="attach-section"><img class="qr" src="__QR_DATA_URL__" alt="attach QR"/></div><section><h2>스캔 절차</h2><ol><li>토스 앱을 실행하세요.</li><li>폰 카메라 앱으로 QR 코드를 스캔하세요.</li><li>팝업이 뜨면 <strong>"토스로 열기"</strong>를 탭하세요.</li><li>미니앱이 열리고 디버그 세션이 자동으로 attach됩니다.</li></ol></section><hr/><section><h2>진단 체크리스트</h2><ul><li><strong>토스 앱이 안 열리는 경우</strong> — 앱 버전 확인, 카메라 앱으로 스캔 (토스 앱 내 QR 리더 X)</li><li><strong>미니앱이 PREPARE 상태에서 멈추는 경우</strong> — deep-link에 <code>_deploymentId</code> 파라미터가 있는지 확인</li><li><strong>Chii 주입 실패 / 콘솔이 비어 있는 경우</strong> — 미니앱 번들에 <code>in-app</code> debug import가 있는지 확인</li><li><strong>TOTP gate Layer C가 비활성인 경우</strong> — relay 서버에 <code>AIT_DEBUG_TOTP_SECRET</code>이 설정돼 있는지 확인</li></ul></section><hr/><section id="url-section"><h2>URL (fallback)</h2><div class="url-row"><p class="url-box" id="url-box">__SAFE_ATTACH_URL__</p><button class="copy-btn" id="copy-btn" type="button" aria-label="복사">복사</button></div></section><hr/><section id="inspector-section"><h2>인스펙터</h2>__INSPECTOR_SECTION__</section></body></html>`;
 const dashboardChromeHtmlEn = `<!DOCTYPE html>
 <html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><title>AIT Debug Dashboard</title><style>
 *, *::before, *::after { box-sizing: border-box; }
@@ -3387,7 +3427,7 @@ hr { border: none; border-top: 1px solid #21262d; width: 100%; margin: 0.5rem 0;
 }
 .inspector-link:hover { background: #388bfd; }
 .inspector-hint { display: inline-block; margin-top: 0.5rem; font-size: 0.8rem; opacity: 0.45; }
-</style></head><body><h1>AIT Debug Session — QR Scan</h1>__MODE_LABEL____LANG_SWITCHER__<p class="label">deployment: __SAFE_LABEL__</p><div id="attach-section"><img class="qr" src="__QR_DATA_URL__" alt="attach QR"/></div><section><h2>How to scan</h2><ol><li>Open the Toss app.</li><li>Scan the QR code with your phone camera app.</li><li>Tap <strong>"Open in Toss"</strong> when the popup appears.</li><li>The mini-app opens and the debug session attaches automatically.</li></ol></section><hr/><section><h2>Troubleshooting checklist</h2><ul><li><strong>Toss app does not open</strong> — check app version; scan with the system camera app (not the Toss in-app QR reader)</li><li><strong>Mini-app stuck in PREPARE state</strong> — verify the deep-link has a <code>_deploymentId</code> parameter</li><li><strong>Chii injection failure / console is empty</strong> — verify the mini-app bundle has an <code>in-app</code> debug import</li><li><strong>TOTP gate Layer C is inactive</strong> — check that <code>AIT_DEBUG_TOTP_SECRET</code> is set on the relay server</li>__LIVE_FAQ__</ul></section><hr/><section id="url-section"><h2>URL (fallback)</h2><div class="url-row"><p class="url-box" id="url-box">__SAFE_ATTACH_URL__</p><button class="copy-btn" id="copy-btn" type="button" aria-label="Copy">Copy</button></div></section><hr/><section id="inspector-section"><h2>Inspector</h2>__INSPECTOR_SECTION__</section></body></html>`;
+</style></head><body><h1>AIT Debug Session — QR Scan</h1>__MODE_LABEL____LANG_SWITCHER__<p class="label">deployment: __SAFE_LABEL__</p><div id="attach-section"><img class="qr" src="__QR_DATA_URL__" alt="attach QR"/></div><section><h2>How to scan</h2><ol><li>Open the Toss app.</li><li>Scan the QR code with your phone camera app.</li><li>Tap <strong>"Open in Toss"</strong> when the popup appears.</li><li>The mini-app opens and the debug session attaches automatically.</li></ol></section><hr/><section><h2>Troubleshooting checklist</h2><ul><li><strong>Toss app does not open</strong> — check app version; scan with the system camera app (not the Toss in-app QR reader)</li><li><strong>Mini-app stuck in PREPARE state</strong> — verify the deep-link has a <code>_deploymentId</code> parameter</li><li><strong>Chii injection failure / console is empty</strong> — verify the mini-app bundle has an <code>in-app</code> debug import</li><li><strong>TOTP gate Layer C is inactive</strong> — check that <code>AIT_DEBUG_TOTP_SECRET</code> is set on the relay server</li></ul></section><hr/><section id="url-section"><h2>URL (fallback)</h2><div class="url-row"><p class="url-box" id="url-box">__SAFE_ATTACH_URL__</p><button class="copy-btn" id="copy-btn" type="button" aria-label="Copy">Copy</button></div></section><hr/><section id="inspector-section"><h2>Inspector</h2>__INSPECTOR_SECTION__</section></body></html>`;
 /** Map from Locale to the precompiled dashboard chrome string. */
 const dashboardChromeByLocale = {
 	ko: dashboardChromeHtmlKo,
@@ -3424,9 +3464,6 @@ function buildModeLabel(mode, s) {
 		case "relay-dev":
 			label = s("attach.mode.intossDev");
 			break;
-		case "relay-live":
-			label = s("attach.mode.intossLive");
-			break;
 		case "mock":
 		case void 0: return "";
 	}
@@ -3700,12 +3737,11 @@ function buildSseScript(strings) {
 *   - __SAFE_LABEL__        : HTML-escaped deploymentId label (intoss family에만 존재)
 *   - __SAFE_ATTACH_URL__   : HTML-escaped attach URL (TOTP at= 코드 포함 — 의도된 전달)
 *   - __MODE_LABEL__        : 환경 배지 (`<p class="mode-label">…</p>` 또는 빈 문자열, #468)
-*   - __LIVE_FAQ__          : 환경 4 LIVE read-only `<li>` 또는 빈 문자열 (intoss family에만 존재)
 *   - __INSPECTOR_SECTION__ : "디버그 툴 열기" 버튼 또는 대기 힌트 (#544)
 *
 * mode-aware 분기 (#468): mode가 `relay-mobile`이면 sandbox family chrome(launcher
-* PWA 절차), 그 외는 intoss family chrome(토스 앱 절차)을 선택한다. `relay-live`는
-* intoss chrome에 LIVE read-only 라인을 추가한다.
+* PWA 절차), 그 외는 intoss family chrome(토스 앱 절차)을 선택한다.
+* relay-live (env 4) 제거 (#665) — positive-allowlist kill-switch.
 *
 * SSE 스크립트도 주입 — `#attach-section` hook이 있으면 `/events` push 때 QR이
 * `/qr.png?u=<fresh attachUrl>`로 자동 갱신된다. `#inspector-link`도 SSE push로
@@ -3718,11 +3754,10 @@ function buildAttachHtml(qrDataUrl, safeLabel, safeAttachUrl, locale, path = "/a
 	const s = resolveLocaleStrings(locale);
 	const langSwitcher = buildLangSwitcher(path, params, locale, s);
 	const family = attachFamilyForMode(mode);
-	const liveFaq = mode === "relay-live" ? `<li>${s("attach.intoss.faq.liveReadOnly")}</li>` : "";
 	let inspectorSection;
 	if (pagesAttached && inspectorStableUrl) inspectorSection = `<a class="inspector-link" id="inspector-link" href="${escapeHtml(inspectorStableUrl)}" target="_blank" rel="noopener noreferrer">${escapeHtml(s("dashboard.inspector.open"))}</a>`;
 	else inspectorSection = `<span class="inspector-hint" id="inspector-link">${escapeHtml(s("dashboard.inspector.waiting"))}</span>`;
-	const filled = attachChromeByLocale[locale][family].replaceAll("__LANG_SWITCHER__", langSwitcher).replaceAll("__MODE_LABEL__", buildModeLabel(mode, s)).replaceAll("__LIVE_FAQ__", liveFaq).replaceAll("__QR_DATA_URL__", qrDataUrl).replaceAll("__SAFE_LABEL__", safeLabel).replaceAll("__SAFE_ATTACH_URL__", safeAttachUrl).replaceAll("__INSPECTOR_SECTION__", inspectorSection);
+	const filled = attachChromeByLocale[locale][family].replaceAll("__LANG_SWITCHER__", langSwitcher).replaceAll("__MODE_LABEL__", buildModeLabel(mode, s)).replaceAll("__QR_DATA_URL__", qrDataUrl).replaceAll("__SAFE_LABEL__", safeLabel).replaceAll("__SAFE_ATTACH_URL__", safeAttachUrl).replaceAll("__INSPECTOR_SECTION__", inspectorSection);
 	const sseScript = buildSseScript({
 		tunnelUp: JSON.stringify(s("dashboard.tunnel.up")),
 		tunnelDown: JSON.stringify(s("dashboard.tunnel.down")),
@@ -4349,22 +4384,27 @@ const DEBUG_TOOL_DEFINITIONS = [
 		availableIn: "both"
 	},
 	{
-		name: "build_attach_url",
-		description: "The tool result already shows the QR to the user directly (Claude Code renders MCP tool output to the user's screen; they press Ctrl+O to expand if it's collapsed). Do NOT re-print or re-render the QR in your reply — that just wastes output tokens. Simply tell the user to scan the QR shown in this tool's output with their phone camera. Builds a self-attaching deep-link for the active relay environment and returns a QR code. Scan the QR with the phone camera to open the mini-app and attach it to this debug session (QR is the single entry path — no USB cable or platform CLI needed). Call list_pages first to confirm the relay/tunnel is up. If the tunnel is not up, restart: `npx @ait-co/devtools devtools-mcp`.\n\nEnvironment-specific behaviour:\n  • env 3 / relay-staging (start_debug mode=\"relay-staging\"): requires scheme_url — the intoss-private://…?_deploymentId=<uuid> URL from `ait deploy --scheme-only`. Splices debug=1 + relay URL into the scheme URL to produce a self-attach deep-link.\n  • env 2 / relay-sandbox (start_debug mode=\"relay-sandbox\"): scheme_url is NOT used. Instead, reads AIT_TUNNEL_BASE_URL (the https://*.trycloudflare.com app tunnel from `tunnel:{cdp:true}`) and builds a launcher PWA deep-link (https://devtools.aitc.dev/launcher/?url=…&debug=1&relay=…). When projectRoot is given, the app name from <projectRoot>/package.json is automatically added as name= so the launcher partner bar shows it. Scan the QR with the phone to open the launcher, which frames the tunnel URL and attaches CDP.\n\nSet wait_for_attach=true to block until a page attaches (default 60 s, adjustable via wait_timeout_seconds). On timeout, call build_attach_url again to resume polling. The server automatically opens the QR dashboard in the OS default browser when running on a local GUI machine — headless/remote environments fall back to the text QR in the tool output.\n\nTOTP auth: when AIT_DEBUG_TOTP_SECRET is set on the MCP server, the returned attachUrl automatically includes the current one-time code (at=<code>). The code is valid for ~3 minutes (the relay gate accepts ±6 TOTP steps = 180–210 s of backwards acceptance). The response includes a `totp` field with `expiresAt` (ISO timestamp, ~3 min from issuance). If the phone scan happens after expiresAt, the relay will reject the code — just call build_attach_url again to get a fresh URL. Without AIT_DEBUG_TOTP_SECRET, the attachUrl has no expiry.\n\nselfdebug (env 2 / relay-sandbox only): pass selfdebug=true to add &selfdebug=1 to the launcher deep-link. The launcher PWA then registers its own document as the CDP target instead of the framed mini-app. SINGLE-ATTACH MODEL: attaching the launcher self-target evicts any currently-attached mini-app target — use this mode exclusively for diagnosing the launcher document itself (DOM, safe-area, console). Not applicable in env 3/4 (relay-staging/relay-live) — passing selfdebug=true there returns an error.",
+		name: "start_attach",
+		description: "The tool result already shows the QR to the user directly (Claude Code renders MCP tool output to the user's screen; they press Ctrl+O to expand if it's collapsed). Do NOT re-print or re-render the QR in your reply — that just wastes output tokens. Simply tell the user to scan the QR shown in this tool's output with their phone camera. Single entry point to attach a real device: switches the debug mode (if `mode` is given), builds the self-attaching deep-link QR for the active relay environment, and waits for the phone to attach — all in one call (replaces the old attach-URL + start_debug two-step). Scan the QR with the phone camera to open the mini-app and attach it to this debug session (QR is the single entry path — no USB cable or platform CLI needed).\n\nmode (optional): pass \"relay-sandbox\" (env 2) or \"relay-staging\" (env 3) to switch the active environment first. When omitted, the current relay environment is used as-is (no switch). Passing \"local-browser\" returns an error — start_attach is relay-only (env 2/3). When the session is already in the requested mode, the switch is skipped.\n\nEnvironment-specific behaviour:\n  • env 3 / relay-staging: requires scheme_url — the intoss-private://…?_deploymentId=<uuid> URL from `ait deploy --scheme-only`. Splices debug=1 + relay URL into the scheme URL.\n  • env 2 / relay-sandbox: scheme_url is NOT used. Instead, reads AIT_TUNNEL_BASE_URL (the https://*.trycloudflare.com app tunnel from `tunnel:{cdp:true}`) and builds a launcher PWA deep-link (https://devtools.aitc.dev/launcher/?url=…&debug=1&relay=…). When projectRoot is given, the app name from <projectRoot>/package.json is added as name= so the launcher partner bar shows it.\n\nWaits for a page to attach by default (up to wait_timeout_seconds, default 60 s). The server automatically opens the QR dashboard in the OS default browser when running on a local GUI machine — headless/remote environments fall back to the text QR in the tool output.\n\nTOTP auto re-mint: when AIT_DEBUG_TOTP_SECRET is set on the MCP server, the attachUrl carries a one-time code (at=<code>) valid for ~3 minutes (the relay gate accepts ±6 TOTP steps). While waiting, start_attach AUTOMATICALLY re-mints a fresh code before the current one expires and refreshes the dashboard QR in place (no browser re-open). You do NOT need to re-call start_attach every time the code would expire — a single call covers the whole wait window. The response includes a `totp` field with `expiresAt` and a `reminted` count of how many fresh codes were issued during the wait. Without AIT_DEBUG_TOTP_SECRET, the attachUrl has no expiry.\n\nselfdebug (env 2 / relay-sandbox only): pass selfdebug=true to add &selfdebug=1 to the launcher deep-link. The launcher PWA then registers its own document as the CDP target instead of the framed mini-app. SINGLE-ATTACH MODEL: attaching the launcher self-target evicts any currently-attached mini-app target — use this mode exclusively for diagnosing the launcher document itself (DOM, safe-area, console). Not applicable in env 3 (relay-staging) — passing selfdebug=true there returns an error.",
 		inputSchema: {
 			type: "object",
 			properties: {
+				mode: {
+					type: "string",
+					enum: [
+						"local-browser",
+						"relay-sandbox",
+						"relay-staging"
+					],
+					description: "Optional debug mode to switch into before attaching. \"relay-sandbox\" = env 2 (launcher PWA), \"relay-staging\" = env 3 (intoss-private dog-food). \"local-browser\" returns an error (start_attach is relay-only). Omit to keep the current relay environment."
+				},
 				scheme_url: {
 					type: "string",
 					description: "The intoss-private:// scheme URL from `ait deploy --scheme-only` (must carry _deploymentId). Required for env 3/relay-staging mode. Not used in env 2/relay-sandbox mode (use AIT_TUNNEL_BASE_URL instead). The authority (host) must be the app name (e.g. intoss-private://aitc-sdk-example?_deploymentId=…). Generic values like \"web\" or an empty host indicate a malformed URL."
 				},
-				wait_for_attach: {
-					type: "boolean",
-					description: "If true, block after returning the QR until a page attaches to the relay (polls listTargets ~1 s interval, default 60 s). On attach, the response includes the attached page list. On timeout, call build_attach_url again to resume polling."
-				},
 				wait_timeout_seconds: {
 					type: "number",
-					description: "Maximum seconds to wait when wait_for_attach=true (default 60, range 1–600). Values outside the range or invalid inputs (0, negative, NaN) fall back to the default silently. Only meaningful when wait_for_attach=true."
+					description: "Maximum seconds to wait for a page to attach (default 60, range 1–600). Values outside the range or invalid inputs (0, negative, NaN) fall back to the default silently. During the wait the TOTP code is auto re-minted as needed, so a single call covers the whole window."
 				},
 				projectRoot: {
 					type: "string",
@@ -4372,7 +4412,7 @@ const DEBUG_TOOL_DEFINITIONS = [
 				},
 				selfdebug: {
 					type: "boolean",
-					description: "Env 2 / relay-sandbox only. When true, adds &selfdebug=1 to the launcher deep-link so the launcher PWA registers its own document as the CDP target (launcher diagnostics mode). SINGLE-ATTACH MODEL: self-target attach evicts any currently-attached mini-app target. Use only when you need to inspect the launcher itself (DOM, safe-area, console). Passing selfdebug=true in env 3/4 (relay-staging/relay-live) returns an error. Default: false (omitted — output is byte-identical to previous behaviour)."
+					description: "Env 2 / relay-sandbox only. When true, adds &selfdebug=1 to the launcher deep-link so the launcher PWA registers its own document as the CDP target (launcher diagnostics mode). SINGLE-ATTACH MODEL: self-target attach evicts any currently-attached mini-app target. Use only when you need to inspect the launcher itself (DOM, safe-area, console). Passing selfdebug=true in env 3 (relay-staging) returns an error. Default: false (omitted)."
 				}
 			},
 			required: []
@@ -4411,7 +4451,7 @@ const DEBUG_TOOL_DEFINITIONS = [
 	},
 	{
 		name: "measure_safe_area",
-		description: "Runs a safe-area probe on the attached mini-app page via Runtime.evaluate and returns normalized safe-area insets, viewport geometry, device pixel ratio, and User-Agent. Read-only — does not modify page state. Tier C per RFC #277: the same Runtime.evaluate probe runs in both `mock` (devtools panel page with window.__ait state) and `relay` (real-device WebView with window.__sdk). The result includes a `source: \"mock\" | \"relay-dev\" | \"relay-live\" | \"relay-mobile\"` field so consumers can identify provenance without inspecting payload values. (`relay-mobile` = env 2 real-device PWA over an external relay; `relay-dev` = env 3 dog-food WebView; `relay-live` = env 4 production WebView.) Use in a relay session (phone attached) to get ground-truth values for upgrading a viewport preset from extrapolated/placeholder to measured. Requires a page to be attached — call list_pages first.",
+		description: "Runs a safe-area probe on the attached mini-app page via Runtime.evaluate and returns normalized safe-area insets, viewport geometry, device pixel ratio, and User-Agent. Read-only — does not modify page state. Tier C per RFC #277: the same Runtime.evaluate probe runs in both `mock` (devtools panel page with window.__ait state) and `relay` (real-device WebView with window.__sdk). The result includes a `source: \"mock\" | \"relay-dev\" | \"relay-mobile\"` field so consumers can identify provenance without inspecting payload values. (`relay-mobile` = env 2 real-device PWA over an external relay; `relay-dev` = env 3 dog-food WebView; relay-live/env 4 removed #665.) Use in a relay session (phone attached) to get ground-truth values for upgrading a viewport preset from extrapolated/placeholder to measured. Requires a page to be attached — call list_pages first.",
 		inputSchema: {
 			type: "object",
 			properties: {},
@@ -4421,19 +4461,13 @@ const DEBUG_TOOL_DEFINITIONS = [
 	},
 	{
 		name: "evaluate",
-		description: "Evaluates an arbitrary JavaScript expression on the attached mini-app page via CDP Runtime.evaluate (returnByValue: true) and returns the result. NOT read-only — the expression can have side effects (DOM mutations, SDK calls, state changes). Requires the relay to be attached — call list_pages first. Throws if the evaluation throws an exception on the page.\n\nSECURITY: expression and result are not redacted — never include secrets or auth tokens in the expression.\n\nLIVE guard: when running against a live/production relay (relay-live env, MCP_ENV=relay-live), this tool requires `confirm: true` to acknowledge that the expression may affect real users. Without it the call is rejected with a structured error. mock and relay-dev sessions are unaffected.",
+		description: "Evaluates an arbitrary JavaScript expression on the attached mini-app page via CDP Runtime.evaluate (returnByValue: true) and returns the result. NOT read-only — the expression can have side effects (DOM mutations, SDK calls, state changes). Requires the relay to be attached — call list_pages first. Throws if the evaluation throws an exception on the page.\n\nSECURITY: expression and result are not redacted — never include secrets or auth tokens in the expression.\n\nPositive-allowlist kill-switch (#665): this tool is blocked when the attached page is on a non-debug host (apps.tossmini.com / env 4). Only localhost, *.trycloudflare.com, and *.private-apps.tossmini.com are allowed. relay-live (env 4) and the LIVE confirm guard are removed.",
 		inputSchema: {
 			type: "object",
-			properties: {
-				expression: {
-					type: "string",
-					description: "JavaScript expression to evaluate in the page context."
-				},
-				confirm: {
-					type: "boolean",
-					description: "Required when MCP_ENV=relay-live. Set to `true` to explicitly acknowledge that this expression may have side effects on real/live users. Omitting this in a relay-live session results in a structured rejection error. Has no effect in mock or relay-dev sessions."
-				}
-			},
+			properties: { expression: {
+				type: "string",
+				description: "JavaScript expression to evaluate in the page context."
+			} },
 			required: ["expression"]
 		},
 		availableIn: "both"
@@ -4453,7 +4487,7 @@ const DEBUG_TOOL_DEFINITIONS = [
 	},
 	{
 		name: "call_sdk",
-		description: "Calls a dog-food SDK method via the window.__sdkCall bridge (exported by @apps-in-toss/web-framework only in __DEBUG_BUILD__ bundles). NOT read-only — SDK calls have side effects (navigation, payments, permissions, etc.). On env 3/4 (real device relay) this hits the real SDK; on env 1 (local mock) and env 2 (PWA relay — real WebKit, mock SDK) it hits the mock SDK. Requires the relay to be attached — call list_pages first. Returns {ok: true, value} on success or {ok: false, error} on failure. If a Runtime.exceptionThrown event was observed within [callStart-50ms, callEnd+200ms], the result also includes `recentException` for crash triage. Returns a clear error if window.__sdkCall is not available — on relay (env 3/4) that means a non-dog-food bundle (redeploy via `ait build && aitcc app deploy`); on local (--target=local, env 1) it means the dev bridge is not installed (start the dev server with `pnpm dev`).\n\nSECURITY: method name, args, and result value are not redacted — never include secrets.\n\nLIVE guard: when running against a live/production relay (relay-live env, MCP_ENV=relay-live), this tool requires `confirm: true` to acknowledge that the SDK call may affect real users. Without it the call is rejected with a structured error. mock and relay-dev sessions are unaffected.\n\nIMPORTANT — 인자 시그니처 (잘못된 인자로 호출하면 토스 앱 crash 위험):\n  setDeviceOrientation:        call_sdk(\"setDeviceOrientation\", [{ type: \"landscape\" }])  // NOT \"landscape\"\n  setIosSwipeGestureEnabled:   call_sdk(\"setIosSwipeGestureEnabled\", [{ isEnabled: false }])\n  setSecureScreen:             call_sdk(\"setSecureScreen\", [{ enabled: true }])\n  setScreenAwakeMode:          call_sdk(\"setScreenAwakeMode\", [{ enabled: true }])\n  getOperationalEnvironment:   call_sdk(\"getOperationalEnvironment\", [])\n  getPlatformOS:               call_sdk(\"getPlatformOS\", [])\n  getDeviceId:                 call_sdk(\"getDeviceId\", [])\n  getLocale:                   call_sdk(\"getLocale\", [])\n  getNetworkStatus:            call_sdk(\"getNetworkStatus\", [])\n  getSchemeUri:                call_sdk(\"getSchemeUri\", [])\n  requestReview:               call_sdk(\"requestReview\", [])\n  closeView:                   call_sdk(\"closeView\", [])",
+		description: "Calls a dog-food SDK method via the window.__sdkCall bridge (exported by @apps-in-toss/web-framework only in __DEBUG_BUILD__ bundles). NOT read-only — SDK calls have side effects (navigation, payments, permissions, etc.). On env 3/4 (real device relay) this hits the real SDK; on env 1 (local mock) and env 2 (PWA relay — real WebKit, mock SDK) it hits the mock SDK. Requires the relay to be attached — call list_pages first. Returns {ok: true, value} on success or {ok: false, error} on failure. If a Runtime.exceptionThrown event was observed within [callStart-50ms, callEnd+200ms], the result also includes `recentException` for crash triage. Returns a clear error if window.__sdkCall is not available — on relay (env 3/4) that means a non-dog-food bundle (redeploy via `ait build && aitcc app deploy`); on local (--target=local, env 1) it means the dev bridge is not installed (start the dev server with `pnpm dev`).\n\nSECURITY: method name, args, and result value are not redacted — never include secrets.\n\nPositive-allowlist kill-switch (#665): blocked when the attached page is on a non-debug host (apps.tossmini.com / env 4). relay-live and the LIVE guard removed.\n\nIMPORTANT — 인자 시그니처 (잘못된 인자로 호출하면 토스 앱 crash 위험):\n  setDeviceOrientation:        call_sdk(\"setDeviceOrientation\", [{ type: \"landscape\" }])  // NOT \"landscape\"\n  setIosSwipeGestureEnabled:   call_sdk(\"setIosSwipeGestureEnabled\", [{ isEnabled: false }])\n  setSecureScreen:             call_sdk(\"setSecureScreen\", [{ enabled: true }])\n  setScreenAwakeMode:          call_sdk(\"setScreenAwakeMode\", [{ enabled: true }])\n  getOperationalEnvironment:   call_sdk(\"getOperationalEnvironment\", [])\n  getPlatformOS:               call_sdk(\"getPlatformOS\", [])\n  getDeviceId:                 call_sdk(\"getDeviceId\", [])\n  getLocale:                   call_sdk(\"getLocale\", [])\n  getNetworkStatus:            call_sdk(\"getNetworkStatus\", [])\n  getSchemeUri:                call_sdk(\"getSchemeUri\", [])\n  requestReview:               call_sdk(\"requestReview\", [])\n  closeView:                   call_sdk(\"closeView\", [])",
 		inputSchema: {
 			type: "object",
 			properties: {
@@ -4465,10 +4499,6 @@ const DEBUG_TOOL_DEFINITIONS = [
 					type: "array",
 					description: "Arguments to pass to the SDK method (optional, default []).",
 					items: {}
-				},
-				confirm: {
-					type: "boolean",
-					description: "Required when MCP_ENV=relay-live. Set to `true` to explicitly acknowledge that this SDK call may have side effects on real/live users. Omitting this in a relay-live session results in a structured rejection error. Has no effect in mock or relay-dev sessions."
 				}
 			},
 			required: ["name"]
@@ -4507,7 +4537,7 @@ const DEBUG_TOOL_DEFINITIONS = [
 	},
 	{
 		name: "start_debug",
-		description: "Switches the active debug environment in-place (issue #348) — no Claude Code restart and no MCP re-handshake. One daemon holds both a local (env 1, mock SDK in a Chromium) and a relay (env 3/4, real-device Toss WebView over the Chii relay + cloudflared tunnel) connection at once; this tool flips which one every other tool reads from, lazily booting the requested family's infra on first use and keeping the inactive one warm so an existing attach survives the switch. After switching it emits notifications/tools/list_changed — call tools/list again to see the updated tool surface for the new environment.\n\nmodes:\n  local-browser — env 1: desktop Chromium with the mock SDK and a local CDP attach. Side-effect tools (call_sdk/evaluate) run unguarded against the mock; nothing touches a real device or real users. No prerequisites — the default, always-available environment for state/contract and visual-layout work.\n  relay-sandbox — env 2: a real-device PWA (real WebKit engine, mock SDK) over an external Chii relay. CDP covers real-device WebKit DOM, console, exceptions, and safe-area observation; call_sdk still hits the mock (SDK fidelity needs relay-staging). liveIntent off — dev-intent, LIVE guard inactive, side-effect tools run unguarded against the mock. Only the dual-connection daemon can enter relay-sandbox in-place; a single-connection session rejects it with \"동적 전환할 수 없습니다 … relay-sandbox 모드로 재시작하세요\" — follow that hint and restart the MCP server in relay-sandbox mode rather than retrying. Prerequisites: both AIT_RELAY_BASE_URL (the relay base the unplugin emits when started with tunnel:{cdp:true}, used for the CDP attach) and AIT_TUNNEL_BASE_URL (the dev-server tunnel host, required by build_attach_url to render the launcher QR) must be set before the MCP server starts — the unplugin does not auto-forward either; set them explicitly. Both carry relay/tunnel hosts (secret-class) — keep them out of logs.\n  relay-staging — env 3: a real-device Toss WebView dog-food build with the REAL SDK over the intoss-private relay. The first environment where call_sdk exercises the genuine native bridge. Side-effect tools run unguarded (dog-food, not released to real users). Prerequisite: a dog-food candidate bundle built with `RELEASE_CHANNEL=dogfood ait build`, then uploaded with `ait deploy` (add `--scheme-only` to print the resulting intoss-private://…?_deploymentId=… deep-link); open that deep-link/QR on the device to cold-load the bundle with the relay injected. Unlike env 2, env 3 is NOT a dev-server tunnel — it is a deployed bundle reached via the intoss-private scheme, so `pnpm dev` plays no part here.\n  relay-live — env 4: the REVIEW-PASSED, released production runtime with the REAL SDK over the intoss relay — real end users are on the other side. Read-only debugging is the intent: the LIVE guard is armed, so call_sdk/evaluate require confirm:true per call, and ENTERING relay-live ALSO requires confirm:true on this call. Use it only to observe a shipped regression; verify fixes in relay-staging first.\n\nSwitching back to local-browser automatically disarms the LIVE guard.\n\nFor a relay mode (relay-sandbox/relay-staging/relay-live), also pass projectRoot — the absolute mini-app project root — so the daemon can read the relay auth secret from <projectRoot>/.ait_relay (read-only; the daemon never mints it). Omit it for local-browser.",
+		description: "Switches the active debug environment in-place (issue #348) — no Claude Code restart and no MCP re-handshake. One daemon holds both a local (env 1, mock SDK in a Chromium) and a relay (env 2/3, real-device over the Chii relay + cloudflared tunnel) connection at once; this tool flips which one every other tool reads from, lazily booting the requested family's infra on first use and keeping the inactive one warm so an existing attach survives the switch. After switching it emits notifications/tools/list_changed — call tools/list again to see the updated tool surface for the new environment.\n\nPositive-allowlist kill-switch (#665): relay sessions on apps.tossmini.com (env 4, released production) are silently blocked at both the in-app gate and this MCP layer — relay-live and the LIVE guard have been removed. Only localhost/loopback (env 1), *.trycloudflare.com (env 2), and *.private-apps.tossmini.com (env 3) are allowed.\n\nmodes:\n  local-browser — env 1: desktop Chromium with the mock SDK and a local CDP attach. Side-effect tools (call_sdk/evaluate) run unguarded against the mock; nothing touches a real device or real users. No prerequisites — the default, always-available environment for state/contract and visual-layout work.\n  relay-sandbox — env 2: a real-device PWA (real WebKit engine, mock SDK) over an external Chii relay. CDP covers real-device WebKit DOM, console, exceptions, and safe-area observation; call_sdk still hits the mock (SDK fidelity needs relay-staging). Side-effect tools run unguarded against the mock. Only the dual-connection daemon can enter relay-sandbox in-place; a single-connection session rejects it with \"동적 전환할 수 없습니다 … relay-sandbox 모드로 재시작하세요\" — follow that hint and restart the MCP server in relay-sandbox mode rather than retrying. Prerequisites: both AIT_RELAY_BASE_URL (the relay base the unplugin emits when started with tunnel:{cdp:true}, used for the CDP attach) and AIT_TUNNEL_BASE_URL (the dev-server tunnel host, required by start_attach to render the launcher QR) must be set before the MCP server starts — the unplugin does not auto-forward either; set them explicitly. Both carry relay/tunnel hosts (secret-class) — keep them out of logs.\n  relay-staging — env 3: a real-device Toss WebView dog-food build with the REAL SDK over the intoss-private relay. The first environment where call_sdk exercises the genuine native bridge. Side-effect tools run unguarded (dog-food, not released to real users). Prerequisite: a dog-food candidate bundle built with `RELEASE_CHANNEL=dogfood ait build`, then uploaded with `ait deploy` (add `--scheme-only` to print the resulting intoss-private://…?_deploymentId=… deep-link); open that deep-link/QR on the device to cold-load the bundle with the relay injected. Unlike env 2, env 3 is NOT a dev-server tunnel — it is a deployed bundle reached via the intoss-private scheme, so `pnpm dev` plays no part here.\n\nFor a relay mode (relay-sandbox/relay-staging), also pass projectRoot — the absolute mini-app project root — so the daemon can read the relay auth secret from <projectRoot>/.ait_relay (read-only; the daemon never mints it). Omit it for local-browser.",
 		inputSchema: {
 			type: "object",
 			properties: {
@@ -4516,18 +4546,13 @@ const DEBUG_TOOL_DEFINITIONS = [
 					enum: [
 						"local-browser",
 						"relay-sandbox",
-						"relay-staging",
-						"relay-live"
+						"relay-staging"
 					],
-					description: "Target environment to switch to. mode=relay-live additionally requires confirm: true (and arms the read-only LIVE guard)."
-				},
-				confirm: {
-					type: "boolean",
-					description: "Required when mode=relay-live — set true to acknowledge entering LIVE (env 4) debugging that can affect real users. Ignored for the other modes."
+					description: "Target environment to switch to. relay-live (env 4) has been removed (#665) — use relay-staging (env 3) for dog-food debugging."
 				},
 				projectRoot: {
 					type: "string",
-					description: "Absolute path to the mini-app project root (the directory containing its package.json and .ait_relay). The daemon reads the relay auth secret from <projectRoot>/.ait_relay (read-only) when switching to a relay environment (relay-staging/relay-live/relay-sandbox). Pass this because the daemon's own cwd is fixed at launch and may not be the project being debugged. Omit for mode=local-browser (no secret needed)."
+					description: "Absolute path to the mini-app project root (the directory containing its package.json and .ait_relay). The daemon reads the relay auth secret from <projectRoot>/.ait_relay (read-only) when switching to a relay environment (relay-staging/relay-sandbox). Pass this because the daemon's own cwd is fixed at launch and may not be the project being debugged. Omit for mode=local-browser (no secret needed)."
 				}
 			},
 			required: ["mode"]
@@ -4536,7 +4561,7 @@ const DEBUG_TOOL_DEFINITIONS = [
 	},
 	{
 		name: "get_debug_status",
-		description: "Reports the current debug session state — which environment/mode is active, whether a page is attached, and a full diagnostic snapshot — in one call. Use this any time to answer \"what mode am I in right now?\" or \"why is this not working?\" without chaining tools. Fields: mcpVersion (MCP SDK version), devtoolsVersion (@ait-co/devtools package version), tunnel (up/wssUrl/pid/startedAt), pages (list_pages result + lastSeenAt stats), lastAttachAt, lastDetachAt, recentErrors (last N server-side errors, PII/secret redacted), authRejects ({count, lastAt} — relay TOTP 401 rejections, secret-free; count > 0 with empty pages means the phone reached the relay but its code was rejected), environment (kind: mock|relay-dev|relay-live|relay-mobile, env: mock|relay backward-compat, reason, liveGuardActive: true when relay-live LIVE guard is active; start_debug mode→kind mapping: relay-sandbox→relay-mobile, relay-staging→relay-dev, relay-live→relay-live, local-browser→mock), serverLockHolder (pid + startedAt from the lock file, or null), nextRecommendedAction ({tool, reason} or null — the single next tool to call; in local-target mode tunnel.up=false is normal so \"restart\" is never recommended). All fields are nullable — missing data is null, not an error. debug-mode only — dev-mode (--mode=dev) does not support relay diagnostics. Tier C (both mock and relay).",
+		description: "Reports the current debug session state — which environment/mode is active, whether a page is attached, and a full diagnostic snapshot — in one call. Use this any time to answer \"what mode am I in right now?\" or \"why is this not working?\" without chaining tools. Fields: mcpVersion (MCP SDK version), devtoolsVersion (@ait-co/devtools package version), tunnel (up/wssUrl/pid/startedAt), pages (list_pages result + lastSeenAt stats), lastAttachAt, lastDetachAt, recentErrors (last N server-side errors, PII/secret redacted), authRejects ({count, lastAt} — relay TOTP 401 rejections, secret-free; count > 0 with empty pages means the phone reached the relay but its code was rejected), environment (kind: mock|relay-dev|relay-mobile, env: mock|relay backward-compat, reason, liveGuardActive: always false — relay-live and LIVE guard removed (#665); start_debug mode→kind mapping: relay-sandbox→relay-mobile, relay-staging→relay-dev, local-browser→mock), serverLockHolder (pid + startedAt from the lock file, or null), nextRecommendedAction ({tool, reason} or null — the single next tool to call; in local-target mode tunnel.up=false is normal so \"restart\" is never recommended). All fields are nullable — missing data is null, not an error. debug-mode only — dev-mode (--mode=dev) does not support relay diagnostics. Tier C (both mock and relay).",
 		inputSchema: {
 			type: "object",
 			properties: { recent_errors_limit: {
@@ -4549,7 +4574,7 @@ const DEBUG_TOOL_DEFINITIONS = [
 	},
 	{
 		name: "run_tests",
-		description: "Runs mini-app test files on the attached page over CDP (Runtime.evaluate). Each matched file is bundled with esbuild (SDK imports redirected to the live mock/SDK), injected into the attached WebView, and executed; returns per-file results plus flattened totals (passed/failed/skipped/total). Requires an attached page — call list_pages first to confirm one is attached. Files run SEQUENTIALLY (single-attach model: the relay/local target serves one page), and one run_tests call runs at a time (a concurrent call is rejected). Test verification (assert/snapshot) is delegated to the in-page Vitest runtime; this tool is the transport + report. The per-file results array is the progress record — on partial failure you see exactly which files passed/failed/timed-out. In a relay-live session this is a state-mutating injection and is blocked unless confirm=true (confirm is ignored in every non-live session: mock/local, relay-dev, relay-mobile). debug-mode only — dev-mode (--mode=dev) has no CDP. Tier C (both mock/local and relay). The devtools-test CLI shares this run core and file discovery, but its standalone relay attach is not wired yet — run via this tool for now.",
+		description: "Runs mini-app test files on the attached page over CDP (Runtime.evaluate). Each matched file is bundled with esbuild (SDK imports redirected to the live mock/SDK), injected into the attached WebView, and executed; returns per-file results plus flattened totals (passed/failed/skipped/total). Requires an attached page — call list_pages first to confirm one is attached. Files run SEQUENTIALLY (single-attach model: the relay/local target serves one page), and one run_tests call runs at a time (a concurrent call is rejected). Test verification (assert/snapshot) is delegated to the in-page Vitest runtime; this tool is the transport + report. The per-file results array is the progress record — on partial failure you see exactly which files passed/failed/timed-out. Positive-allowlist kill-switch (#665): blocked when the attached page is on a non-debug host. debug-mode only — dev-mode (--mode=dev) has no CDP. Tier C (both mock/local and relay). The devtools-test CLI shares this run core and file discovery, but its standalone relay attach is not wired yet — run via this tool for now.",
 		inputSchema: {
 			type: "object",
 			properties: {
@@ -4565,10 +4590,6 @@ const DEBUG_TOOL_DEFINITIONS = [
 				timeout_ms: {
 					type: "number",
 					description: "Per-file evaluate timeout in ms (default 30000, range 1000–600000). Out-of-range/invalid values fall back to the default."
-				},
-				confirm: {
-					type: "boolean",
-					description: "Required (true) to run in a relay-live session — test injection mutates page state. Ignored in every non-live session (mock/local, relay-dev, relay-mobile)."
 				}
 			},
 			required: ["files"]
@@ -4594,8 +4615,9 @@ function getToolAvailability(name) {
 * Unknown tools return `false` — callers should reject them as unknown rather
 * than as env-mismatched.
 *
-* Relay variants (`relay-dev`, `relay-live`, `relay-mobile`) all satisfy the
+* Relay variants (`relay-dev`, `relay-mobile`) all satisfy the
 * `'relay'` availability tier — `isRelayEnv()` is used for the check.
+* (`relay-live` removed #665.)
 */
 function isToolAvailableIn(name, env) {
 	const availability = getToolAvailability(name);
@@ -4609,8 +4631,8 @@ function isToolAvailableIn(name, env) {
 * matches the given env. Pure — preserves order; both Tier C ("both") and the
 * matching single-env tier pass through.
 *
-* Relay variants (`relay-dev`, `relay-live`, `relay-mobile`) all satisfy the
-* `'relay'` tier.
+* Relay variants (`relay-dev`, `relay-mobile`) all satisfy the
+* `'relay'` tier. (`relay-live` removed #665.)
 */
 function filterToolsByEnvironment(tools, env) {
 	return tools.filter((t) => t.availableIn === "both" || t.availableIn === "relay" && isRelayEnv(env) || t.availableIn === env);
@@ -4618,14 +4640,14 @@ function filterToolsByEnvironment(tools, env) {
 /**
 * Tool names that are available before any page attaches (bootstrap tier).
 *
-* `build_attach_url` — pure URL synthesis, no attach needed.
-* `list_pages`       — reports tunnel status + empty pages even pre-attach.
+* `start_attach` — mode switch + QR synthesis + attach wait, no prior attach needed.
+* `list_pages`   — reports tunnel status + empty pages even pre-attach.
 *
 * All other tools require an attached page (`enableDomains` must succeed) and
 * are only advertised in `tools/list` once a target appears.
 */
 const BOOTSTRAP_TOOL_NAMES = new Set([
-	"build_attach_url",
+	"start_attach",
 	"get_debug_status",
 	"list_pages",
 	"start_debug"
@@ -4714,7 +4736,7 @@ function listPages(connection, tunnel) {
 		return {
 			id: t.id,
 			title: t.title,
-			url: t.url,
+			url: redactAtParam(t.url),
 			lastSeenAt: lastSeenMs !== null ? new Date(lastSeenMs).toISOString() : null
 		};
 	});
@@ -4729,57 +4751,6 @@ function listPages(connection, tunnel) {
 	};
 }
 /**
-* Builds a self-attaching dog-food deep-link from an `ait deploy --scheme-only`
-* URL plus this session's live relay. Throws if the tunnel is not up yet (no
-* relay URL to splice in) — the caller surfaces that as a tool error.
-*
-* When `AIT_DEBUG_TOTP_SECRET` is set, generates the current TOTP code and
-* splices it as `at=<code>` into the attach URL. The code is valid for ~3
-* minutes (the relay gate uses {@link RELAY_VERIFY_SKEW_STEPS}=6, accepting
-* past 6 steps = 180–210 s backwards from issuance). If the scan happens after
-* `totp.expiresAt`, call `build_attach_url` again to get a fresh code (#490).
-*
-* Also validates the scheme URL's authority. A suspicious authority (empty,
-* "web", "localhost", etc.) is surfaced as a non-fatal `authorityWarning` on
-* the result so the caller can show a helpful hint without blocking the link
-* generation (the warning is consistent with how other validation in
-* `buildDeepLinkAttachUrl` works — hard errors for relay, soft warning for
-* the scheme authority which is in the caller's input, not ours to own).
-*
-* SECRET-HANDLING: `totpSecret` (if provided) is used only to compute a code
-* and must never appear in any log, error message, or output outside of the
-* spliced `at=` param in `attachUrl`.
-*
-* @param schemeUrl - The `intoss-private://…?_deploymentId=<uuid>` URL.
-* @param tunnel - Current tunnel status from the running debug server.
-* @param totpSecret - Optional hex-encoded TOTP secret (from
-*   `AIT_DEBUG_TOTP_SECRET`). When provided, the current code is spliced into
-*   the attach URL as `at=<code>`.
-*/
-function buildAttachUrl(schemeUrl, tunnel, totpSecret) {
-	if (!tunnel.up || tunnel.wssUrl === null) throw new Error("tunnel-down: cloudflared 터널이 안 떠 있습니다. MCP 서버를 재시작하거나 잠시 후 list_pages로 터널 상태를 다시 확인하세요.");
-	const authorityWarning = validateSchemeAuthority(schemeUrl) ?? void 0;
-	let totpCode;
-	let totpMeta;
-	if (totpSecret !== void 0 && totpSecret !== "") {
-		const now = Date.now();
-		totpCode = generateTotp(totpSecret, now);
-		const STEP_SECONDS = 30;
-		const expiresAtMs = now + 6 * STEP_SECONDS * 1e3;
-		totpMeta = {
-			enabled: true,
-			ttlSeconds: 6 * STEP_SECONDS,
-			expiresAt: new Date(expiresAtMs).toISOString()
-		};
-	}
-	return {
-		attachUrl: buildDeepLinkAttachUrl(schemeUrl, tunnel.wssUrl, totpCode),
-		relayUrl: tunnel.wssUrl,
-		...authorityWarning !== void 0 ? { authorityWarning } : {},
-		...totpMeta !== void 0 ? { totp: totpMeta } : {}
-	};
-}
-/**
 * Heuristic: can this process open a GUI browser?
 *
 * Returns `true` when we think a GUI is available:
@@ -4867,9 +4838,17 @@ function getBrowserCandidates(httpUrl) {
 		}
 	];
 }
+/**
+* Redacts ONLY the `at=<value>` (TOTP) query param to `at=<redacted>`, leaving
+* every other query param (_deploymentId, debug, relay) intact. SECRET-HANDLING:
+* the TOTP code is the single short-lived secret carried in a CDP page url.
+*/
+function redactAtParam(text) {
+	return text.replace(/\bat=([^&\s"']+)/g, "at=<redacted>");
+}
 /** stderr에서 at= TOTP 코드 값을 redact한다. */
 function redactSecrets(text) {
-	return text.replace(/\bat=([^&\s"']+)/g, "at=<redacted>");
+	return redactAtParam(text);
 }
 /** spawnSync exit 0이어도 stderr에 launch 실패 시그널이 있으면 실패로 판단한다. */
 const LAUNCH_FAILURE_PATTERNS = [
@@ -5396,7 +5375,7 @@ async function readMcpSdkVersion() {
 * some test environments that skip the build step).
 */
 function readDevtoolsVersion() {
-	return "0.1.109";
+	return "0.1.111";
 }
 /**
 * Derives the next recommended action from a completed diagnostics snapshot.
@@ -5405,10 +5384,10 @@ function readDevtoolsVersion() {
 *   0. tunnel.droppedAt non-null                  → restart (permanent tunnel drop — highest priority)
 *   1. tunnel.up === false AND env is relay       → restart (relay needs a live tunnel)
 *   1b. tunnel.up === false AND env is mock       → wait_for_page (local target: tunnel-less is normal)
-*   2a. authRejects.count > 0 AND pages empty     → build_attach_url (relay TOTP 거부 관측 — QR 재스캔
+*   2a. authRejects.count > 0 AND pages empty     → start_attach (relay TOTP 거부 관측 — QR 재스캔
 *       또는 target-side `at` 전달 확인. 일반 rule 2보다 구체적이므로 먼저 평가 — issue #467)
-*   2. tunnel.up, pages empty, env === relay      → build_attach_url (start attach)
-*   3. pages has entry + crashDetectedAt non-null → build_attach_url (re-attach after crash)
+*   2. tunnel.up, pages empty, env === relay      → start_attach (start attach)
+*   3. pages has entry + crashDetectedAt non-null → start_attach (re-attach after crash)
 *   4. otherwise                                  → null (session looks healthy)
 *
 * Pure — does not throw; receives the final assembled snapshot fields.
@@ -5431,16 +5410,16 @@ function computeNextRecommendedAction(tunnel, pages, env, authRejects = null) {
 		reason: "tunnel not up — run `npx @ait-co/devtools devtools-mcp` to restart"
 	};
 	if (authRejects !== null && authRejects.count > 0 && pages !== null && pages.pages.length === 0) return {
-		tool: "build_attach_url",
+		tool: "start_attach",
 		reason: `relay 인증(TOTP) 거부 ${authRejects.count}건 발생 (last ${authRejects.lastAt ?? "unknown"}) — QR을 다시 스캔해 새 코드로 attach하세요(코드는 ~3분마다 만료). 반복되면 폰 페이지 URL에 at 파라미터가 전달되는지(target-side TOTP 전달 경로)를 확인하세요`
 	};
 	if (isRelayEnv(env) && pages !== null && pages.pages.length === 0 && !pages.crashDetectedAt) return {
-		tool: "build_attach_url",
-		reason: "tunnel ready, no pages attached — call build_attach_url to generate the attach QR"
+		tool: "start_attach",
+		reason: "tunnel ready, no pages attached — call start_attach to generate the attach QR"
 	};
 	if (pages !== null && pages.crashDetectedAt !== null) return {
-		tool: "build_attach_url",
-		reason: `page crashed at ${pages.crashDetectedAt} — call build_attach_url to re-attach`
+		tool: "start_attach",
+		reason: `page crashed at ${pages.crashDetectedAt} — call start_attach to re-attach`
 	};
 	return null;
 }
@@ -5505,7 +5484,7 @@ async function getDiagnostics(input) {
 			kind: env,
 			env: toLegacyEnv(env),
 			reason: envReason,
-			liveGuardActive: isLiveRelayEnv(env)
+			liveGuardActive: false
 		},
 		serverLockHolder,
 		process: {
@@ -5618,7 +5597,7 @@ async function startQuickTunnel(localPort) {
 * every surface (terminal, VS Code, JetBrains, web) and can be scanned by a
 * phone camera when shown verbatim in an agent response.
 *
-* Shared by `renderAttachBanner` (relay wssUrl QR) and the `build_attach_url`
+* Shared by `renderAttachBanner` (relay wssUrl QR) and the `start_attach`
 * MCP tool response (attach deep-link QR).
 */
 async function renderQr(text) {
@@ -5649,7 +5628,7 @@ async function renderQr(text) {
 * The QR is produced by `renderQr` (a half-block matrix, not the
 * `qrcode-terminal` ASCII art used by the unplugin banner) and encodes the
 * base `wssUrl` only. When `totpEnabled` is true, a note
-* is added that attach URLs generated by `build_attach_url` will include a
+* is added that attach URLs generated by `start_attach` will include a
 * live TOTP code (`at=`) appended at call time.
 *
 * SECRET-HANDLING: no secret value, TOTP code, or intermediate value is
@@ -5665,9 +5644,9 @@ async function renderAttachBanner(input) {
 		`  relay (wss):   ${input.wssUrl}`,
 		authNote,
 		"",
-		"  Use build_attach_url to generate a deep link with the current TOTP code.",
+		"  Use start_attach to generate a deep link with the current TOTP code.",
 		"  Scan the QR to locate the relay (open the dog-food URL separately with",
-		"  ?debug=1&relay=<wss>&at=<code> or use the build_attach_url tool):",
+		"  ?debug=1&relay=<wss>&at=<code> or use the start_attach tool):",
 		"",
 		qr
 	].join("\n");
@@ -5841,7 +5820,7 @@ function makeTunnelStatus(up, wssUrl, droppedAt = null, reissueAttempts = 0) {
 * Dynamic tool registration (issue #208):
 * The server advertises `listChanged: true` so MCP clients can subscribe to
 * `notifications/tools/list_changed`. Before any page attaches, only bootstrap
-* tools (`build_attach_url`, `list_pages`) are listed. Once a target appears,
+* tools (`start_attach`, `list_pages`) are listed. Once a target appears,
 * the full attach-dependent tool set is added and a `list_changed` notification
 * is sent — without requiring a session restart. `runDebugServer` and
 * `runLocalDebugServer` start a polling watcher that detects the 0→N target
@@ -5854,7 +5833,7 @@ function makeTunnelStatus(up, wssUrl, droppedAt = null, reissueAttempts = 0) {
 */
 /**
 * Maximum age (ms) of a page's `lastSeenAt` before it is treated as a ghost
-* and excluded from the `wait_for_attach` short-circuit in `build_attach_url`
+* and excluded from the `wait_for_attach` short-circuit in `start_attach`
 * (issue #610).
 *
 * Rationale: the env-2 relay is owned by the dev server (unplugin), so every
@@ -5869,7 +5848,15 @@ function makeTunnelStatus(up, wssUrl, droppedAt = null, reissueAttempts = 0) {
 */
 const RELAY_SANDBOX_STALE_PAGE_MS = 300 * 1e3;
 /**
-* Predicate used by `build_attach_url`'s `wait_for_attach` loop to decide
+* Segment length (ms) of the `start_attach` wait loop (issue #626 — TOTP in-call
+* re-mint). The single-shot `wait_for_attach` of the old attach tool could
+* not re-mint a TOTP code mid-wait; `start_attach` decomposes the wait into
+* SEGMENT_MS slices so it can detect an aging code between slices and re-mint a
+* fresh one without the agent re-calling the tool. 30 s = one TOTP step.
+*/
+const START_ATTACH_SEGMENT_MS = 3e4;
+/**
+* Predicate used by `start_attach`'s `wait_for_attach` loop to decide
 * whether the relay-sandbox connection has a genuinely fresh page attached.
 *
 * Stale-ghost gating (issue #610): when the dev server restarts with a new
@@ -5919,13 +5906,28 @@ function extractDeploymentId(schemeUrl) {
 	}
 }
 /**
-* Returns `true` when the mode routes to a relay connection (`relay-sandbox`,
-* `relay-staging`, or `relay-live`). `relay-sandbox` is an external-PWA relay;
-* `relay-staging`/`relay-live` are intoss-private relays — but all three surface
-* the Tier B / relay-only tool set.
+* Returns `true` when the mode routes to a relay connection (`relay-sandbox` or
+* `relay-staging`). Both surface the Tier B / relay-only tool set.
 */
 function isRelayMode(mode) {
-	return mode === "relay-sandbox" || mode === "relay-staging" || mode === "relay-live";
+	return mode === "relay-sandbox" || mode === "relay-staging";
+}
+/**
+* Maps a `StartDebugMode` to the `McpEnvironment` it routes to (issue #626).
+* Used by `start_attach`'s mode prologue to decide whether a `switchMode` is
+* needed: when the active env already equals `envForMode(mode)`, the switch is
+* skipped (no `tools/list_changed` churn).
+*
+*   - `local-browser`  → `mock`
+*   - `relay-sandbox`  → `relay-mobile` (env 2 external-PWA relay)
+*   - `relay-staging`  → `relay-dev`    (env 3 intoss-private relay)
+*/
+function envForMode(mode) {
+	switch (mode) {
+		case "local-browser": return "mock";
+		case "relay-sandbox": return "relay-mobile";
+		case "relay-staging": return "relay-dev";
+	}
 }
 /**
 * Single-attach guard for `run_tests` (#646). Two concurrent runs injecting
@@ -5948,7 +5950,7 @@ let runTestsInFlight = false;
 * to resolve before the relay had observed the first inbound CDP message from
 * the phone.
 *
-* Timeout note: callers (e.g. the `build_attach_url` path) always pass an
+* Timeout note: callers (e.g. the `start_attach` path) always pass an
 * explicit `timeoutMs`, sourced from the factory's `waitForAttachTimeoutMs`
 * (default 60 000). That value is forwarded to `waitForFirstTarget`, so it
 * overrides that method's own 90 000 signature default — the effective
@@ -5990,7 +5992,7 @@ function waitForAttachWithEvents(connection, filterFn, timeoutMs, pollIntervalMs
 * tunnel, which is what makes the tool surface unit-testable.
 *
 * `tools/list` is two-tiered (issue #208):
-*   - bootstrap (always): `build_attach_url`, `list_pages`
+*   - bootstrap (always): `start_attach`, `list_pages`
 *   - attach-dependent (after `connection.listTargets().length > 0`): all others
 *
 * `CallTool` is NOT tiered — hidden tools still execute (attach errors surface
@@ -6001,12 +6003,299 @@ function createDebugServer(deps) {
 	const getTotpSecret = deps.getTotpSecret ?? (() => totpSecret);
 	const readLockFn = readLockDep ?? readServerLock;
 	const router = routerDep ?? makeSingleConnectionRouter(connection);
-	const resolveEnvironment = getEnvDep ?? (() => deriveEnvironment(router.active.kind, getLiveIntent(), router.activeRelayOrigin));
-	const resolveEnvironmentReason = getEnvReasonDep ?? (() => `derived:kind=${router.active.kind},liveIntent=${getLiveIntent()}`);
+	const resolveEnvironment = getEnvDep ?? (() => deriveEnvironment(router.active.kind, router.activeRelayOrigin));
+	const resolveEnvironmentReason = getEnvReasonDep ?? (() => `derived:kind=${router.active.kind},relayOrigin=${router.activeRelayOrigin ?? "none"}`);
 	const collector = collectorDep ?? new InMemoryDiagnosticsCollector();
+	/**
+	* Synthesizes an attach URL from stored components with a FRESHLY-minted TOTP
+	* code (issue #626 §3/§4 — the single mint point). Reads the late-bound secret
+	* via `getTotpSecret()` so the project-local `.ait_relay` secret loaded by
+	* `switchMode` is visible. SECRET-HANDLING: the minted code rides inside the
+	* URL's `at=` param only — never logged or returned separately.
+	*/
+	function mintAttachUrl(parts) {
+		const secret = getTotpSecret();
+		const code = secret ? generateTotp(secret) : void 0;
+		return parts.kind === "launcher" ? buildLauncherAttachUrl(parts.tunnelHttpUrl, parts.wssUrl, code, {
+			name: parts.appName,
+			...parts.selfdebug ? { selfdebug: true } : {}
+		}) : buildDeepLinkAttachUrl(parts.schemeUrl, parts.wssUrl, code);
+	}
+	/** Builds the fresh TOTP metadata (expiresAt window) for a tool result. */
+	function buildTotpMeta() {
+		const secret = getTotpSecret();
+		if (secret === void 0 || secret === "") return void 0;
+		const STEP_SECONDS = 30;
+		const expiresAtMs = nowMs() + 6 * STEP_SECONDS * 1e3;
+		return {
+			enabled: true,
+			ttlSeconds: 6 * STEP_SECONDS,
+			expiresAt: new Date(expiresAtMs).toISOString()
+		};
+	}
+	/**
+	* Env-specific validation + component bundle for `start_attach` (issue #626).
+	* Branches on `env`: `relay-mobile` reads AIT_TUNNEL_BASE_URL + builds launcher
+	* parts; `relay-dev` requires scheme_url + builds scheme parts. Returns
+	* `{ ok: false, error }` with a ready McpResult on any failure.
+	*/
+	async function prepareAttach(env, args, conn) {
+		const selfdebug = args?.selfdebug === true;
+		if (selfdebug && env !== "relay-mobile") return {
+			ok: false,
+			error: mcpError("start_attach: selfdebug=true는 env 2 / relay-sandbox 전용 기능입니다. 현재 환경(env 3)에서는 launcher가 없어 self-target 모드를 지원하지 않습니다. launcher self-target이 필요하다면 relay-sandbox 모드로 전환하세요.")
+		};
+		if (env === "relay-mobile") {
+			const rawProjectRoot = args?.projectRoot;
+			const buildProjectRoot = typeof rawProjectRoot === "string" ? rawProjectRoot : void 0;
+			let tunnelHttpUrl = process.env.AIT_TUNNEL_BASE_URL?.trim() ?? "";
+			if (tunnelHttpUrl === "" && buildProjectRoot !== void 0) {
+				const { readRelayUrls } = await import("../relay-url-store-CwKT7i04.js");
+				tunnelHttpUrl = (await readRelayUrls({ projectRoot: buildProjectRoot }))?.tunnelBaseUrl ?? "";
+			}
+			if (tunnelHttpUrl === "") return {
+				ok: false,
+				error: mcpError("start_attach(mobile): AIT_TUNNEL_BASE_URL이 설정되지 않았습니다. dev 서버가 tunnel:{cdp:true}로 기동 중이면 .ait_urls 파일이 자동 생성돼 있어야 합니다. 자동 발견이 되지 않을 경우 앱 HTTP 터널 URL을 AIT_TUNNEL_BASE_URL 환경변수로 직접 전달하세요.")
+			};
+			const tunnelStatus = getTunnelStatus();
+			if (!tunnelStatus.up || tunnelStatus.wssUrl === null) return {
+				ok: false,
+				error: mcpError("start_attach(mobile): relay wssUrl이 아직 설정되지 않았습니다. unplugin tunnel:{cdp:true}가 relay를 완전히 기동할 때까지 잠시 후 다시 시도하세요.")
+			};
+			const secret = getTotpSecret();
+			if (secret === void 0 || secret === "") return {
+				ok: false,
+				error: mcpError("start_attach(relay): TOTP secret(AIT_DEBUG_TOTP_SECRET)이 설정되지 않았습니다. relay 환경은 TOTP 인증이 필수입니다 — relay를 secret과 함께 재기동하세요.")
+			};
+			let launcherAppName;
+			if (buildProjectRoot !== void 0) try {
+				const { readFileSync } = await import("node:fs");
+				const pkgRaw = readFileSync(`${buildProjectRoot}/package.json`, "utf8");
+				const pkg = JSON.parse(pkgRaw);
+				const rawName = typeof pkg.name === "string" ? pkg.name : "";
+				launcherAppName = (rawName.includes("/") ? rawName.slice(rawName.indexOf("/") + 1) : rawName).trim() || void 0;
+			} catch {}
+			const parts = {
+				kind: "launcher",
+				tunnelHttpUrl,
+				wssUrl: tunnelStatus.wssUrl,
+				appName: launcherAppName,
+				...selfdebug ? { selfdebug: true } : {}
+			};
+			const connAsAny = conn;
+			const getLastSeenAt = typeof connAsAny.getTargetLastSeenAt === "function" ? (id) => connAsAny.getTargetLastSeenAt(id) : null;
+			const callNow = nowMs();
+			const isMatchingPage = (pages) => isSandboxPageFresh(pages, getLastSeenAt, callNow, stalePageThresholdMs);
+			const buildTimeoutError = (baseText, timeoutSec, observed) => {
+				const observedUrls = observed.slice(0, 3).map((p) => p.url.slice(0, 80)).join(", ");
+				return `${baseText}\n\nNo page attached within ${timeoutSec}s${observed.length > 0 ? ` — previously attached pages: [${observedUrls}]` : ""} — launcher QR을 폰 카메라로 스캔한 뒤 call list_pages를 다시 호출하세요.`;
+			};
+			return {
+				ok: true,
+				parts,
+				isMatchingPage,
+				buildTimeoutError,
+				authorityWarning: void 0,
+				totpMeta: buildTotpMeta()
+			};
+		}
+		const schemeUrl = args?.scheme_url;
+		if (typeof schemeUrl !== "string" || schemeUrl === "") return {
+			ok: false,
+			error: mcpError("start_attach: scheme_url이 비어 있습니다. `ait deploy --scheme-only`가 출력하는 intoss-private:// URL을 인자로 전달하세요. 환경 2(mobile)라면 scheme_url 대신 AIT_TUNNEL_BASE_URL을 설정하세요.")
+		};
+		{
+			const relaySecret = getTotpSecret();
+			if (relaySecret === void 0 || relaySecret === "") return {
+				ok: false,
+				error: mcpError("start_attach(relay): TOTP secret(AIT_DEBUG_TOTP_SECRET)이 설정되지 않았습니다. relay 환경은 TOTP 인증이 필수입니다 — relay를 secret과 함께 재기동하세요.")
+			};
+		}
+		const tunnelForBuild = getTunnelStatus();
+		if (!tunnelForBuild.up || tunnelForBuild.wssUrl === null) return {
+			ok: false,
+			error: classifyToolError(/* @__PURE__ */ new Error("tunnel-down:"), "start_attach")
+		};
+		const authorityWarning = validateSchemeAuthority(schemeUrl) ?? void 0;
+		const parts = {
+			kind: "scheme",
+			schemeUrl,
+			wssUrl: tunnelForBuild.wssUrl
+		};
+		const deploymentId = extractDeploymentId(schemeUrl);
+		if (!deploymentId) logInfo("tool.call", {
+			tool: "start_attach",
+			msg: "no _deploymentId in scheme_url; matching on presence only"
+		});
+		const isMatchingPage = (pages) => {
+			if (pages.length === 0) return false;
+			if (deploymentId === null) return true;
+			return pages.some((p) => p.url.includes(deploymentId));
+		};
+		const buildTimeoutError = (baseText, timeoutSec, observed) => {
+			const observedUrls = observed.slice(0, 3).map((p) => p.url.slice(0, 80)).join(", ");
+			const observedNote = observed.length > 0 ? ` — previously attached pages: [${observedUrls}]` : "";
+			return `${baseText}\n\nNo page${deploymentId ? ` matching deploymentId=${deploymentId}` : ""} attached within ${timeoutSec}s${observedNote} — call list_pages to retry.`;
+		};
+		return {
+			ok: true,
+			parts,
+			isMatchingPage,
+			buildTimeoutError,
+			authorityWarning,
+			totpMeta: buildTotpMeta()
+		};
+	}
+	/**
+	* QR render + browser open + segmented attach wait with in-call TOTP re-mint
+	* (issue #626 §3). Shared by env-2 and env-3 (4 render paths:
+	* headless / browser-opened / browser-open-failed / no-http-server).
+	*
+	* The wait is decomposed into `START_ATTACH_SEGMENT_MS` slices. Between slices,
+	* if the current TOTP code has aged past `START_ATTACH_REMINT_THRESHOLD_MS`,
+	* a fresh URL is minted via `mintAttachUrl` and pushed to the dashboard via
+	* `onAttachUrlBuilt` (SSE refresh — NO browser re-open). The `reminted` count
+	* rides in the success/timeout result.
+	*
+	* SECRET-HANDLING: attachUrl encodes tunnel/scheme host + the TOTP `at=` code
+	* in the QR payload only. The browser is opened on a 127.0.0.1 URL only. The
+	* tool result carries `totp.expiresAt` + `reminted` count — never the code.
+	*/
+	async function renderAndMaybeWait(prep, waitForAttach, callTimeoutMs, conn) {
+		const { parts, isMatchingPage, buildTimeoutError, authorityWarning, totpMeta } = prep;
+		let attachUrl = mintAttachUrl(parts);
+		onAttachUrlBuilt?.(parts);
+		let totpIssuedAt = nowMs();
+		let reminted = 0;
+		const relayUrl = parts.wssUrl;
+		const header = "This tool result is shown to the user directly — do NOT re-print the QR below in your reply (it wastes output tokens). Just tell the user to scan the QR in this output (Ctrl+O to expand if collapsed).";
+		const warningPrefix = authorityWarning ? `⚠️  scheme_url 경고: ${authorityWarning}\n\n` : "";
+		const guiAvailable = canOpenBrowser();
+		/** Builds the totp object surfaced in results (fresh expiresAt + reminted). */
+		const totpResult = () => {
+			if (!totpMeta) return void 0;
+			const expiresAtMs = totpIssuedAt + 180 * 1e3;
+			return {
+				enabled: true,
+				ttlSeconds: totpMeta.ttlSeconds,
+				expiresAt: new Date(expiresAtMs).toISOString(),
+				...reminted > 0 ? { reminted } : {}
+			};
+		};
+		/**
+		* Segmented wait with TOTP re-mint (issue #626 §3). Resolves with the
+		* attached page list, or rejects on timeout. Between SEGMENT_MS slices it
+		* re-mints when the code has aged past the threshold (max ~4 re-mints over
+		* 600 s). Returns immediately once a matching page attaches (no re-mint).
+		*/
+		async function waitWithRemint() {
+			const deadline = nowMs() + callTimeoutMs;
+			if (isMatchingPage(conn.listTargets())) return conn.listTargets();
+			for (;;) {
+				const remaining = deadline - nowMs();
+				if (remaining <= 0) throw new Error(`start_attach: 타임아웃 (${callTimeoutMs}ms)`);
+				const segmentMs = Math.min(START_ATTACH_SEGMENT_MS, remaining);
+				try {
+					return await waitForAttachWithEvents(conn, isMatchingPage, segmentMs);
+				} catch {
+					if (totpMeta && nowMs() - totpIssuedAt >= 15e4) {
+						attachUrl = mintAttachUrl(parts);
+						onAttachUrlBuilt?.(parts);
+						totpIssuedAt = nowMs();
+						reminted += 1;
+					}
+				}
+			}
+		}
+		/**
+		* Assembles the success result after a page attaches. `baseText` carries the
+		* QR + pre-wait JSON block (the QR the user already scanned). The attach
+		* itself ends the wait, so the QR is moot — what matters now is the final
+		* TOTP state. If the segmented wait re-minted (issue #626 §3), surface the
+		* post-wait `totp` block (fresh `expiresAt` + `reminted` count) so the result
+		* reflects how many times the code rotated during the wait. SECRET-HANDLING:
+		* the totp block carries expiresAt + reminted only — never the code value.
+		*/
+		const successResult = (baseText) => {
+			const pagesResult = listPages(conn, getTunnelStatus());
+			const finalTotp = totpResult();
+			const remintNote = finalTotp && reminted > 0 ? `\n\n${JSON.stringify({ totp: finalTotp }, null, 2)}` : "";
+			return { content: [{
+				type: "text",
+				text: `${baseText}\n\n${JSON.stringify(pagesResult, null, 2)}${remintNote}`
+			}] };
+		};
+		/** Runs the wait (when requested) and returns success/timeout result. */
+		const runWait = async (baseText) => {
+			if (!waitForAttach) return { content: [{
+				type: "text",
+				text: baseText
+			}] };
+			try {
+				await waitWithRemint();
+			} catch {
+				const observed = conn.listTargets();
+				return {
+					content: [{
+						type: "text",
+						text: buildTimeoutError(baseText, callTimeoutMs / 1e3, observed)
+					}],
+					isError: true
+				};
+			}
+			return successResult(baseText);
+		};
+		if (!guiAvailable) {
+			const headlessNote = "GUI 환경이 감지되지 않았습니다 (headless/remote 환경). 텍스트 QR을 폰 카메라로 스캔하거나, 로컬 GUI 환경에서 실행하세요.\n\n";
+			const qr = await renderQr(attachUrl);
+			return runWait(`${warningPrefix}${headlessNote}${header}\n${JSON.stringify({
+				attachUrl,
+				relayUrl,
+				...totpResult() ? { totp: totpResult() } : {}
+			}, null, 2)}\n\n${qr}`);
+		}
+		if (guiAvailable && qrHttpServer) {
+			const browserResult = await openQrInBrowser(qrHttpServer.buildAttachPageUrl(attachUrl), `http://127.0.0.1:${qrHttpServer.port}/qr.png?u=${encodeURIComponent(attachUrl)}`);
+			if (browserResult.opened) {
+				const retriedNote = browserResult.retried ? " (1회 retry 후 성공)" : "";
+				const openResult = {
+					attempted: true,
+					succeeded: true,
+					...browserResult.retried ? { retried: true } : {}
+				};
+				return runWait(`${warningPrefix}${header}\n${JSON.stringify({
+					relayUrl,
+					openResult,
+					...totpResult() ? { totp: totpResult() } : {}
+				}, null, 2)}\n\n브라우저에서 QR을 열었습니다${retriedNote}. 폰 카메라로 스캔하세요.\nURL: ${browserResult.httpUrl}`);
+			}
+			const openResult = {
+				attempted: true,
+				succeeded: false,
+				failureReason: browserResult.error ?? "브라우저 실행 후보 모두 실패",
+				pngUrl: browserResult.pngUrl,
+				...browserResult.stderrSummary ? { stderrSummary: browserResult.stderrSummary } : {}
+			};
+			const stderrNote = browserResult.stderrSummary ? `\nstderr: ${browserResult.stderrSummary}` : "";
+			const fallbackNote = `브라우저 자동 열기에 실패했습니다. 다음 URL을 직접 브라우저에서 여세요:\n${browserResult.httpUrl}\n또는 PNG로 받기: ${browserResult.pngUrl}` + stderrNote + "\n\n";
+			const qr = await renderQr(attachUrl);
+			return runWait(`${warningPrefix}${fallbackNote}${header}\n${JSON.stringify({
+				attachUrl,
+				relayUrl,
+				openResult,
+				...totpResult() ? { totp: totpResult() } : {}
+			}, null, 2)}\n\n${qr}`);
+		}
+		const qr = await renderQr(attachUrl);
+		return runWait(`${warningPrefix}${header}\n${JSON.stringify({
+			attachUrl,
+			relayUrl,
+			...totpResult() ? { totp: totpResult() } : {}
+		}, null, 2)}\n\n${qr}`);
+	}
 	const server = new Server({
 		name: "ait-debug",
-		version: "0.1.109"
+		version: "0.1.111"
 	}, { capabilities: { tools: { listChanged: true } } });
 	server.setRequestHandler(ListToolsRequestSchema, () => {
 		const conn = router.active;
@@ -6028,12 +6317,47 @@ function createDebugServer(deps) {
 		if (name === "start_debug") {
 			const rawMode = request.params.arguments?.mode;
 			const mode = normalizeStartDebugMode(rawMode);
-			if (mode === null) return mcpError("start_debug: mode가 올바르지 않습니다. 'local-browser' | 'relay-sandbox' | 'relay-staging' | 'relay-live' 중 하나를 전달하세요.");
-			const confirm = request.params.arguments?.confirm === true;
+			if (mode === null) return mcpError("start_debug: mode가 올바르지 않습니다. 'local-browser' | 'relay-sandbox' | 'relay-staging' 중 하나를 전달하세요. (relay-live / env 4는 #665에서 제거됐습니다.)");
 			const rawProjectRoot = request.params.arguments?.projectRoot;
 			const projectRoot = typeof rawProjectRoot === "string" ? rawProjectRoot : void 0;
 			try {
-				return jsonResult$1(await router.switchMode(mode, confirm, projectRoot));
+				return jsonResult$1(await router.switchMode(mode, projectRoot));
+			} catch (err) {
+				return errorResult(err, name);
+			}
+		}
+		if (name === "start_attach") {
+			const args = request.params.arguments;
+			let attachConn = conn;
+			const rawMode = args?.mode;
+			if (rawMode !== void 0) {
+				const mode = normalizeStartDebugMode(rawMode);
+				if (mode === null || mode === "local-browser") return mcpError("start_attach: mode가 올바르지 않습니다. 'relay-sandbox' | 'relay-staging' 중 하나를 전달하세요 (local-browser는 QR attach가 없어 start_attach에서 지원하지 않습니다).");
+				const targetEnv = envForMode(mode);
+				if (resolveEnvironment() !== targetEnv) {
+					const rawProjectRoot = args?.projectRoot;
+					const projectRoot = typeof rawProjectRoot === "string" ? rawProjectRoot : void 0;
+					try {
+						await router.switchMode(mode, projectRoot);
+					} catch (err) {
+						return errorResult(err, name);
+					}
+					attachConn = router.active;
+				}
+			}
+			const attachEnv = resolveEnvironment();
+			if (!isRelayEnv(attachEnv)) return mcpError("start_attach: relay 전용 tool입니다 (env 2 / relay-sandbox 또는 env 3 / relay-staging). 현재 환경은 'local-browser'(mock)입니다 — mode 인자로 'relay-sandbox' 또는 'relay-staging'을 전달하거나, 먼저 relay 모드로 전환하세요.");
+			const waitForAttach = true;
+			const rawWaitTimeout = args?.wait_timeout_seconds;
+			const callTimeoutMs = (() => {
+				if (typeof rawWaitTimeout !== "number" || !Number.isFinite(rawWaitTimeout)) return waitForAttachTimeoutMs;
+				if (rawWaitTimeout <= 0) return waitForAttachTimeoutMs;
+				return Math.round(Math.max(1, Math.min(600, rawWaitTimeout))) * 1e3;
+			})();
+			try {
+				const prep = await prepareAttach(attachEnv, args, attachConn);
+				if (!prep.ok) return prep.error;
+				return await renderAndMaybeWait(prep, waitForAttach, callTimeoutMs, attachConn);
 			} catch (err) {
 				return errorResult(err, name);
 			}
@@ -6078,386 +6402,6 @@ function createDebugServer(deps) {
 		} catch (err) {
 			return errorResult(err, name);
 		}
-		if (name === "build_attach_url") {
-			const waitForAttach = request.params.arguments?.wait_for_attach === true;
-			const selfdebug = request.params.arguments?.selfdebug === true;
-			const rawWaitTimeout = request.params.arguments?.wait_timeout_seconds;
-			const callTimeoutMs = (() => {
-				if (typeof rawWaitTimeout !== "number" || !Number.isFinite(rawWaitTimeout)) return waitForAttachTimeoutMs;
-				const clamped = Math.max(1, Math.min(600, rawWaitTimeout));
-				if (rawWaitTimeout <= 0) return waitForAttachTimeoutMs;
-				return Math.round(clamped) * 1e3;
-			})();
-			if (selfdebug && env !== "relay-mobile") return mcpError("build_attach_url: selfdebug=true는 env 2 / relay-sandbox 전용 기능입니다. 현재 환경(env 3/4)에서는 launcher가 없어 self-target 모드를 지원하지 않습니다. launcher self-target이 필요하다면 relay-sandbox 모드로 재시작하세요.");
-			if (env === "relay-mobile") {
-				const rawBuildProjectRoot = request.params.arguments?.projectRoot;
-				const buildProjectRoot = typeof rawBuildProjectRoot === "string" ? rawBuildProjectRoot : void 0;
-				let tunnelHttpUrl = process.env.AIT_TUNNEL_BASE_URL?.trim() ?? "";
-				if (tunnelHttpUrl === "" && buildProjectRoot !== void 0) {
-					const { readRelayUrls } = await import("../relay-url-store-CwKT7i04.js");
-					tunnelHttpUrl = (await readRelayUrls({ projectRoot: buildProjectRoot }))?.tunnelBaseUrl ?? "";
-				}
-				if (tunnelHttpUrl === "") return mcpError("build_attach_url(mobile): AIT_TUNNEL_BASE_URL이 설정되지 않았습니다. dev 서버가 tunnel:{cdp:true}로 기동 중이면 .ait_urls 파일이 자동 생성돼 있어야 합니다. 자동 발견이 되지 않을 경우 앱 HTTP 터널 URL을 AIT_TUNNEL_BASE_URL 환경변수로 직접 전달하세요.");
-				const tunnelStatus = getTunnelStatus();
-				if (!tunnelStatus.up || tunnelStatus.wssUrl === null) return mcpError("build_attach_url(mobile): relay wssUrl이 아직 설정되지 않았습니다. unplugin tunnel:{cdp:true}가 relay를 완전히 기동할 때까지 잠시 후 다시 시도하세요.");
-				const secret = getTotpSecret();
-				if (secret === void 0 || secret === "") return mcpError("build_attach_url(relay): TOTP secret(AIT_DEBUG_TOTP_SECRET)이 설정되지 않았습니다. relay 환경은 TOTP 인증이 필수입니다 — relay를 secret과 함께 재기동하세요.");
-				let totpCode;
-				let totpMeta;
-				{
-					const now = Date.now();
-					totpCode = generateTotp(secret, now);
-					const STEP_SECONDS = 30;
-					const expiresAtMs = now + 6 * STEP_SECONDS * 1e3;
-					totpMeta = {
-						enabled: true,
-						ttlSeconds: 6 * STEP_SECONDS,
-						expiresAt: new Date(expiresAtMs).toISOString()
-					};
-				}
-				let launcherAppName;
-				if (buildProjectRoot !== void 0) try {
-					const { readFileSync } = await import("node:fs");
-					const pkgRaw = readFileSync(`${buildProjectRoot}/package.json`, "utf8");
-					const pkg = JSON.parse(pkgRaw);
-					const rawName = typeof pkg.name === "string" ? pkg.name : "";
-					launcherAppName = (rawName.includes("/") ? rawName.slice(rawName.indexOf("/") + 1) : rawName).trim() || void 0;
-				} catch {}
-				const attachUrl = buildLauncherAttachUrl(tunnelHttpUrl, tunnelStatus.wssUrl, totpCode, {
-					name: launcherAppName,
-					...selfdebug ? { selfdebug: true } : {}
-				});
-				onAttachUrlBuilt?.({
-					kind: "launcher",
-					tunnelHttpUrl,
-					wssUrl: tunnelStatus.wssUrl,
-					appName: launcherAppName
-				});
-				const relayUrl = tunnelStatus.wssUrl;
-				const totp = totpMeta;
-				const connAsAny = conn;
-				const getLastSeenAt = typeof connAsAny.getTargetLastSeenAt === "function" ? (id) => connAsAny.getTargetLastSeenAt(id) : null;
-				const callNow = nowMs();
-				const isMatchingPage = (pages) => isSandboxPageFresh(pages, getLastSeenAt, callNow, stalePageThresholdMs);
-				const buildTimeoutError = (baseText, timeoutSec, observed) => {
-					const observedUrls = observed.slice(0, 3).map((p) => p.url.slice(0, 80)).join(", ");
-					return `${baseText}\n\nNo page attached within ${timeoutSec}s${observed.length > 0 ? ` — previously attached pages: [${observedUrls}]` : ""} — launcher QR을 폰 카메라로 스캔한 뒤 call list_pages를 다시 호출하세요.`;
-				};
-				return await (async () => {
-					const header = "This tool result is shown to the user directly — do NOT re-print the QR below in your reply (it wastes output tokens). Just tell the user to scan the QR in this output (Ctrl+O to expand if collapsed).";
-					const warningPrefix = "";
-					const guiAvailable = canOpenBrowser();
-					if (!guiAvailable) {
-						const headlessNote = "GUI 환경이 감지되지 않았습니다 (headless/remote 환경). 텍스트 QR을 폰 카메라로 스캔하거나, 로컬 GUI 환경에서 실행하세요.\n\n";
-						const qrHeadless = await renderQr(attachUrl);
-						const headlessText = `${warningPrefix}${headlessNote}${header}\n${JSON.stringify({
-							attachUrl,
-							relayUrl,
-							...totp ? { totp } : {}
-						}, null, 2)}\n\n${qrHeadless}`;
-						if (!waitForAttach) return { content: [{
-							type: "text",
-							text: headlessText
-						}] };
-						let attachedPagesHl = [];
-						try {
-							attachedPagesHl = await waitForAttachWithEvents(conn, isMatchingPage, callTimeoutMs);
-						} catch {
-							attachedPagesHl = conn.listTargets();
-							return {
-								content: [{
-									type: "text",
-									text: buildTimeoutError(headlessText, callTimeoutMs / 1e3, attachedPagesHl)
-								}],
-								isError: true
-							};
-						}
-						const pagesResultHl = listPages(conn, getTunnelStatus());
-						return { content: [{
-							type: "text",
-							text: `${headlessText}\n\n${JSON.stringify(pagesResultHl, null, 2)}`
-						}] };
-					}
-					if (guiAvailable && qrHttpServer) {
-						const browserResult = await openQrInBrowser(qrHttpServer.buildAttachPageUrl(attachUrl), `http://127.0.0.1:${qrHttpServer.port}/qr.png?u=${encodeURIComponent(attachUrl)}`);
-						if (browserResult.opened) {
-							const retriedNote = browserResult.retried ? " (1회 retry 후 성공)" : "";
-							const openResult = {
-								attempted: true,
-								succeeded: true,
-								...browserResult.retried ? { retried: true } : {}
-							};
-							const shortText = `${warningPrefix}${header}\n${JSON.stringify({
-								relayUrl,
-								openResult,
-								...totp ? { totp } : {}
-							}, null, 2)}\n\n브라우저에서 QR을 열었습니다${retriedNote}. 폰 카메라로 스캔하세요.\nURL: ${browserResult.httpUrl}`;
-							if (!waitForAttach) return { content: [{
-								type: "text",
-								text: shortText
-							}] };
-							let attachedPages = [];
-							try {
-								attachedPages = await waitForAttachWithEvents(conn, isMatchingPage, callTimeoutMs);
-							} catch {
-								attachedPages = conn.listTargets();
-								return {
-									content: [{
-										type: "text",
-										text: buildTimeoutError(shortText, callTimeoutMs / 1e3, attachedPages)
-									}],
-									isError: true
-								};
-							}
-							const pagesResult = listPages(conn, getTunnelStatus());
-							return { content: [{
-								type: "text",
-								text: `${shortText}\n\n${JSON.stringify(pagesResult, null, 2)}`
-							}] };
-						}
-						const openResult = {
-							attempted: true,
-							succeeded: false,
-							failureReason: browserResult.error ?? "브라우저 실행 후보 모두 실패",
-							pngUrl: browserResult.pngUrl,
-							...browserResult.stderrSummary ? { stderrSummary: browserResult.stderrSummary } : {}
-						};
-						const stderrNote = browserResult.stderrSummary ? `\nstderr: ${browserResult.stderrSummary}` : "";
-						const fallbackNote = `브라우저 자동 열기에 실패했습니다. 다음 URL을 직접 브라우저에서 여세요:\n${browserResult.httpUrl}\n또는 PNG로 받기: ${browserResult.pngUrl}` + stderrNote + "\n\n";
-						const qr = await renderQr(attachUrl);
-						const baseText = `${warningPrefix}${fallbackNote}${header}\n${JSON.stringify({
-							attachUrl,
-							relayUrl,
-							openResult,
-							...totp ? { totp } : {}
-						}, null, 2)}\n\n${qr}`;
-						if (!waitForAttach) return { content: [{
-							type: "text",
-							text: baseText
-						}] };
-						let attachedPagesFb = [];
-						try {
-							attachedPagesFb = await waitForAttachWithEvents(conn, isMatchingPage, callTimeoutMs);
-						} catch {
-							attachedPagesFb = conn.listTargets();
-							return {
-								content: [{
-									type: "text",
-									text: buildTimeoutError(baseText, callTimeoutMs / 1e3, attachedPagesFb)
-								}],
-								isError: true
-							};
-						}
-						const pagesResultFb = listPages(conn, getTunnelStatus());
-						return { content: [{
-							type: "text",
-							text: `${baseText}\n\n${JSON.stringify(pagesResultFb, null, 2)}`
-						}] };
-					}
-					const qr = await renderQr(attachUrl);
-					const baseText = `${warningPrefix}${header}\n${JSON.stringify({
-						attachUrl,
-						relayUrl,
-						...totp ? { totp } : {}
-					}, null, 2)}\n\n${qr}`;
-					if (!waitForAttach) return { content: [{
-						type: "text",
-						text: baseText
-					}] };
-					let attachedPages = [];
-					try {
-						attachedPages = await waitForAttachWithEvents(conn, isMatchingPage, callTimeoutMs);
-					} catch {
-						attachedPages = conn.listTargets();
-						return {
-							content: [{
-								type: "text",
-								text: buildTimeoutError(baseText, callTimeoutMs / 1e3, attachedPages)
-							}],
-							isError: true
-						};
-					}
-					const pagesResult = listPages(conn, getTunnelStatus());
-					return { content: [{
-						type: "text",
-						text: `${baseText}\n\n${JSON.stringify(pagesResult, null, 2)}`
-					}] };
-				})();
-			}
-			const schemeUrl = request.params.arguments?.scheme_url;
-			if (typeof schemeUrl !== "string" || schemeUrl === "") return mcpError("build_attach_url: scheme_url이 비어 있습니다. `ait deploy --scheme-only`가 출력하는 intoss-private:// URL을 인자로 전달하세요. 환경 2(mobile)라면 scheme_url 대신 AIT_TUNNEL_BASE_URL을 설정하세요.");
-			const deploymentId = extractDeploymentId(schemeUrl);
-			if (!deploymentId) logInfo("tool.call", {
-				tool: "build_attach_url",
-				msg: "no _deploymentId in scheme_url; matching on presence only"
-			});
-			/** Returns true when the page list satisfies the attach condition. */
-			const isMatchingPage = (pages) => {
-				if (pages.length === 0) return false;
-				if (deploymentId === null) return true;
-				return pages.some((p) => p.url.includes(deploymentId));
-			};
-			/** Builds a timeout error message with diagnostic context. */
-			const buildTimeoutError = (baseText, timeoutSec, observed) => {
-				const observedUrls = observed.slice(0, 3).map((p) => p.url.slice(0, 80)).join(", ");
-				const observedNote = observed.length > 0 ? ` — previously attached pages: [${observedUrls}]` : "";
-				return `${baseText}\n\nNo page${deploymentId ? ` matching deploymentId=${deploymentId}` : ""} attached within ${timeoutSec}s${observedNote} — call list_pages to retry.`;
-			};
-			{
-				const relaySecret = getTotpSecret();
-				if (relaySecret === void 0 || relaySecret === "") return mcpError("build_attach_url(relay): TOTP secret(AIT_DEBUG_TOTP_SECRET)이 설정되지 않았습니다. relay 환경은 TOTP 인증이 필수입니다 — relay를 secret과 함께 재기동하세요.");
-			}
-			try {
-				const tunnelForBuild = getTunnelStatus();
-				const { attachUrl, relayUrl, authorityWarning, totp } = buildAttachUrl(schemeUrl, tunnelForBuild, getTotpSecret());
-				if (tunnelForBuild.wssUrl !== null) onAttachUrlBuilt?.({
-					kind: "scheme",
-					schemeUrl,
-					wssUrl: tunnelForBuild.wssUrl
-				});
-				const warningPrefix = authorityWarning ? `⚠️  scheme_url 경고: ${authorityWarning}\n\n` : "";
-				const header = "This tool result is shown to the user directly — do NOT re-print the QR below in your reply (it wastes output tokens). Just tell the user to scan the QR in this output (Ctrl+O to expand if collapsed).";
-				const guiAvailable = canOpenBrowser();
-				if (!guiAvailable) {
-					const headlessNote = "GUI 환경이 감지되지 않았습니다 (headless/remote 환경). 텍스트 QR을 폰 카메라로 스캔하거나, 로컬 GUI 환경에서 실행하세요.\n\n";
-					const qrHeadless = await renderQr(attachUrl);
-					const headlessText = `${warningPrefix}${headlessNote}${header}\n${JSON.stringify({
-						attachUrl,
-						relayUrl,
-						...totp ? { totp } : {}
-					}, null, 2)}\n\n${qrHeadless}`;
-					if (!waitForAttach) return { content: [{
-						type: "text",
-						text: headlessText
-					}] };
-					let attachedPagesHl = [];
-					try {
-						attachedPagesHl = await waitForAttachWithEvents(conn, isMatchingPage, callTimeoutMs);
-					} catch {
-						attachedPagesHl = conn.listTargets();
-						return {
-							content: [{
-								type: "text",
-								text: buildTimeoutError(headlessText, callTimeoutMs / 1e3, attachedPagesHl)
-							}],
-							isError: true
-						};
-					}
-					const pagesResultHl = listPages(conn, getTunnelStatus());
-					return { content: [{
-						type: "text",
-						text: `${headlessText}\n\n${JSON.stringify(pagesResultHl, null, 2)}`
-					}] };
-				}
-				if (guiAvailable && qrHttpServer) {
-					const browserResult = await openQrInBrowser(qrHttpServer.buildAttachPageUrl(attachUrl), `http://127.0.0.1:${qrHttpServer.port}/qr.png?u=${encodeURIComponent(attachUrl)}`);
-					if (browserResult.opened) {
-						const retriedNote = browserResult.retried ? " (1회 retry 후 성공)" : "";
-						const openResult = {
-							attempted: true,
-							succeeded: true,
-							...browserResult.retried ? { retried: true } : {}
-						};
-						const shortText = `${warningPrefix}${header}\n${JSON.stringify({
-							relayUrl,
-							openResult,
-							...totp ? { totp } : {}
-						}, null, 2)}\n\n브라우저에서 QR을 열었습니다${retriedNote}. 폰 카메라로 스캔하세요.\nURL: ${browserResult.httpUrl}`;
-						if (!waitForAttach) return { content: [{
-							type: "text",
-							text: shortText
-						}] };
-						let attachedPages = [];
-						try {
-							attachedPages = await waitForAttachWithEvents(conn, isMatchingPage, callTimeoutMs);
-						} catch {
-							attachedPages = conn.listTargets();
-							return {
-								content: [{
-									type: "text",
-									text: buildTimeoutError(shortText, callTimeoutMs / 1e3, attachedPages)
-								}],
-								isError: true
-							};
-						}
-						const pagesResult = listPages(conn, getTunnelStatus());
-						return { content: [{
-							type: "text",
-							text: `${shortText}\n\n${JSON.stringify(pagesResult, null, 2)}`
-						}] };
-					}
-					const openResult = {
-						attempted: true,
-						succeeded: false,
-						failureReason: browserResult.error ?? "브라우저 실행 후보 모두 실패",
-						pngUrl: browserResult.pngUrl,
-						...browserResult.stderrSummary ? { stderrSummary: browserResult.stderrSummary } : {}
-					};
-					const stderrNote = browserResult.stderrSummary ? `\nstderr: ${browserResult.stderrSummary}` : "";
-					const fallbackNote = `브라우저 자동 열기에 실패했습니다. 다음 URL을 직접 브라우저에서 여세요:
-${browserResult.httpUrl}\n또는 PNG로 받기: ${browserResult.pngUrl}` + stderrNote + "\n\n";
-					const qr = await renderQr(attachUrl);
-					const baseText = `${warningPrefix}${fallbackNote}${header}\n${JSON.stringify({
-						attachUrl,
-						relayUrl,
-						openResult,
-						...totp ? { totp } : {}
-					}, null, 2)}\n\n${qr}`;
-					if (!waitForAttach) return { content: [{
-						type: "text",
-						text: baseText
-					}] };
-					let attachedPagesFb = [];
-					try {
-						attachedPagesFb = await waitForAttachWithEvents(conn, isMatchingPage, callTimeoutMs);
-					} catch {
-						attachedPagesFb = conn.listTargets();
-						return {
-							content: [{
-								type: "text",
-								text: buildTimeoutError(baseText, callTimeoutMs / 1e3, attachedPagesFb)
-							}],
-							isError: true
-						};
-					}
-					const pagesResultFb = listPages(conn, getTunnelStatus());
-					return { content: [{
-						type: "text",
-						text: `${baseText}\n\n${JSON.stringify(pagesResultFb, null, 2)}`
-					}] };
-				}
-				const qr = await renderQr(attachUrl);
-				const baseText = `${warningPrefix}${header}\n${JSON.stringify({
-					attachUrl,
-					relayUrl,
-					...totp ? { totp } : {}
-				}, null, 2)}\n\n${qr}`;
-				if (!waitForAttach) return { content: [{
-					type: "text",
-					text: baseText
-				}] };
-				let attachedPages = [];
-				try {
-					attachedPages = await waitForAttachWithEvents(conn, isMatchingPage, callTimeoutMs);
-				} catch {
-					attachedPages = conn.listTargets();
-					return {
-						content: [{
-							type: "text",
-							text: buildTimeoutError(baseText, callTimeoutMs / 1e3, attachedPages)
-						}],
-						isError: true
-					};
-				}
-				const pagesResult = listPages(conn, getTunnelStatus());
-				return { content: [{
-					type: "text",
-					text: `${baseText}\n\n${JSON.stringify(pagesResult, null, 2)}`
-				}] };
-			} catch (err) {
-				return errorResult(err, name);
-			}
-		}
 		try {
 			await conn.enableDomains();
 		} catch (err) {
@@ -6496,7 +6440,7 @@ ${browserResult.httpUrl}\n또는 PNG로 받기: ${browserResult.pngUrl}` + stder
 				case "evaluate": {
 					const expression = request.params.arguments?.expression;
 					if (typeof expression !== "string" || expression === "") return mcpError("evaluate: expression 인자가 비어 있습니다. 평가할 JavaScript 표현식을 전달하세요.");
-					if (conn.kind === "relay" && getLiveIntent() && request.params.arguments?.confirm !== true) return liveGuardError("evaluate");
+					if (!connectionHostsAllowed(conn)) return mcpError("evaluate: 현재 연결된 페이지는 debug 허용 호스트가 아닙니다 (#665). 허용 호스트: localhost, *.trycloudflare.com, *.private-apps.tossmini.com.");
 					return jsonResult$1(await evaluate(conn, expression));
 				}
 				case "call_sdk": {
@@ -6504,7 +6448,7 @@ ${browserResult.httpUrl}\n또는 PNG로 받기: ${browserResult.pngUrl}` + stder
 					if (typeof sdkName !== "string" || sdkName === "") return mcpError("call_sdk: name 인자가 비어 있습니다. 호출할 SDK 메서드 이름을 전달하세요.");
 					const rawArgs = request.params.arguments?.args;
 					const sdkArgs = Array.isArray(rawArgs) ? rawArgs : [];
-					if (conn.kind === "relay" && getLiveIntent() && request.params.arguments?.confirm !== true) return liveGuardError("call_sdk");
+					if (!connectionHostsAllowed(conn)) return mcpError("call_sdk: 현재 연결된 페이지는 debug 허용 호스트가 아닙니다 (#665). 허용 호스트: localhost, *.trycloudflare.com, *.private-apps.tossmini.com.");
 					const sdkResult = await callSdk(conn, sdkName, sdkArgs);
 					if (!sdkResult.ok && typeof sdkResult.error === "string" && sdkResult.error.startsWith("sdk-absent:")) return sdkAbsentError("call_sdk", conn.kind === "local");
 					return envelopeResult$1(sdkResult, name, env, conn.listTargets().length > 0);
@@ -6518,7 +6462,7 @@ ${browserResult.httpUrl}\n또는 PNG로 받기: ${browserResult.pngUrl}` + stder
 					const projectRoot = typeof rawRoot === "string" ? rawRoot : process.cwd();
 					const rawTimeout = request.params.arguments?.timeout_ms;
 					const timeoutMs = typeof rawTimeout === "number" && rawTimeout >= 1e3 && rawTimeout <= 6e5 ? rawTimeout : void 0;
-					if (conn.kind === "relay" && getLiveIntent() && request.params.arguments?.confirm !== true) return liveGuardError("run_tests");
+					if (!connectionHostsAllowed(conn)) return mcpError("run_tests: 현재 연결된 페이지는 debug 허용 호스트가 아닙니다 (#665). 허용 호스트: localhost, *.trycloudflare.com, *.private-apps.tossmini.com.");
 					if (runTestsInFlight) return mcpError("run_tests: 이미 다른 테스트 실행이 진행 중입니다 (single-attach 모델: 페이지는 한 번에 하나의 실행만 처리). 완료 후 다시 시도하세요.");
 					runTestsInFlight = true;
 					try {
@@ -6548,24 +6492,52 @@ ${browserResult.httpUrl}\n또는 PNG로 받기: ${browserResult.pngUrl}` + stder
 }
 /**
 * Normalizes a raw `start_debug` `mode` argument to a `StartDebugMode`, or
-* `null` when the value is not one of the four accepted modes:
-*   'local-browser' | 'relay-sandbox' | 'relay-staging' | 'relay-live'
+* `null` when the value is not one of the three accepted modes:
+*   'local-browser' | 'relay-sandbox' | 'relay-staging'
 *
 * Hard rename (issue #398): the older `local`/`mobile`/`staging`/`live` names
 * and their aliases are no longer accepted — pre-1.0, no back-compat.
+* `relay-live` (env 4) removed in #665.
 */
 function normalizeStartDebugMode(raw) {
-	if (raw === "local-browser" || raw === "relay-sandbox" || raw === "relay-staging" || raw === "relay-live") return raw;
+	if (raw === "local-browser" || raw === "relay-sandbox" || raw === "relay-staging") return raw;
 	return null;
 }
 /**
+* Positive-allowlist kill-switch for side-effect MCP tools (#665).
+*
+* Returns `true` when the connection's attached targets are all on allowed
+* debug hosts (localhost / trycloudflare / private-apps). Returns `false` when
+* any target's page URL is on a non-allowed host (e.g. `apps.tossmini.com`).
+*
+* For local connections this always returns `true` — the local Chromium is
+* always on localhost. For relay connections without any pages it returns
+* `true` (no pages = nothing to block; the caller's page-missing guard fires
+* first).
+*
+* SECRET-HANDLING: hostnames are NEVER logged here — only the boolean result
+* is returned to the caller.
+*/
+function connectionHostsAllowed(conn) {
+	if (conn.kind === "local") return true;
+	const pages = conn.listTargets();
+	if (pages.length === 0) return true;
+	return pages.every((p) => {
+		try {
+			return isDebugAllowedHost(new URL(p.url ?? "").hostname);
+		} catch {
+			return false;
+		}
+	});
+}
+/**
 * Builds a trivial `ConnectionRouter` pinned to a single connection (issue
 * #348). Used by `createDebugServer` when no real dual router is injected —
 * every existing single-connection test and the `local`-only / `relay`-only
 * boot path. `switchMode` here cannot lazily boot another family, so it only
-* honors a request that matches the connection's own kind (and arms/disarms
-* `liveIntent` accordingly for relay-live); any cross-family request is
-* rejected with a clear "dynamic switch unavailable in this session" error.
+* honors a request that matches the connection's own kind; any cross-family
+* request is rejected with a clear "dynamic switch unavailable in this session"
+* error. `confirm` parameter and `relay-live` gate removed (#665).
 */
 function makeSingleConnectionRouter(connection) {
 	return {
@@ -6573,18 +6545,15 @@ function makeSingleConnectionRouter(connection) {
 			return connection;
 		},
 		activeRelayOrigin: void 0,
-		switchMode(mode, confirm, _projectRoot) {
+		switchMode(mode, _projectRoot) {
 			if (mode === "relay-sandbox") return Promise.reject(/* @__PURE__ */ new Error("start_debug: 이 세션은 단일 연결만 보유합니다 — 'relay-sandbox'(환경 2 PWA, 외부 relay)로 동적 전환할 수 없습니다 (dual-connection 데몬에서만 지원). MCP 서버를 relay-sandbox 모드로 재시작하세요."));
 			if (isRelayMode(mode) !== (connection.kind === "relay")) return Promise.reject(/* @__PURE__ */ new Error(`start_debug: 이 세션은 단일 ${connection.kind} 연결만 보유합니다 — '${mode}'로 동적 전환할 수 없습니다 (dual-connection 데몬에서만 지원). MCP 서버를 원하는 모드로 재시작하세요.`));
-			if (mode === "relay-live" && !confirm) return Promise.reject(/* @__PURE__ */ new Error("start_debug: relay-live(실서비스 LIVE)는 confirm: true가 필요합니다 — 실유저에게 영향이 갈 수 있는 LIVE 디버깅 진입을 명시적으로 승인하세요."));
-			setLiveIntent(mode === "relay-live");
-			const environment = deriveEnvironment(connection.kind, getLiveIntent());
+			const environment = deriveEnvironment(connection.kind);
 			return Promise.resolve({
 				mode,
 				environment,
 				kind: connection.kind,
-				liveGuardActive: connection.kind === "relay" && getLiveIntent(),
-				nextStep: connection.kind === "relay" ? "build_attach_url로 attach QR을 생성하세요." : "list_pages로 로컬 페이지 attach를 확인하세요."
+				nextStep: connection.kind === "relay" ? "start_attach로 attach QR 생성 + 폰 attach까지 한 번에 진행하세요." : "list_pages로 로컬 페이지 attach를 확인하세요."
 			});
 		}
 	};
@@ -6599,7 +6568,10 @@ function makeSingleConnectionRouter(connection) {
 function rebuildAttachUrl(parts) {
 	const secret = process.env.AIT_DEBUG_TOTP_SECRET;
 	const code = secret ? generateTotp(secret) : void 0;
-	return parts.kind === "launcher" ? buildLauncherAttachUrl(parts.tunnelHttpUrl, parts.wssUrl, code, { name: parts.appName }) : buildDeepLinkAttachUrl(parts.schemeUrl, parts.wssUrl, code);
+	return parts.kind === "launcher" ? buildLauncherAttachUrl(parts.tunnelHttpUrl, parts.wssUrl, code, {
+		name: parts.appName,
+		...parts.selfdebug ? { selfdebug: true } : {}
+	}) : buildDeepLinkAttachUrl(parts.schemeUrl, parts.wssUrl, code);
 }
 function jsonResult$1(value) {
 	return { content: [{
@@ -6792,8 +6764,9 @@ async function bootLocalFamily() {
 *
 * Booted lazily via the dual router's `bootLazyFor('relay-intoss')` callback
 * (symmetry with {@link bootLocalFamily}), at most once on the first
-* `start_debug({ mode: 'relay-staging' | 'relay-live' })` (all-lazy, #396 — every
-* relay boot now flows through `switchMode` after the project-local secret load).
+* `start_debug({ mode: 'relay-staging' })` (all-lazy, #396 — every relay boot now
+* flows through `switchMode` after the project-local secret load). `relay-live`
+* removed (#665).
 *
 * The relay base URL is only known after `startChiiRelay()` resolves, so the
 * `ChiiCdpConnection` (via {@link createRelayConnection}) is constructed inside
@@ -6880,7 +6853,7 @@ async function bootRelayFamily(options = {}) {
 * we did not start.
 *
 * `getTunnelStatus()` reports `up: true` with a `wssUrl` derived from
-* `relayBaseUrl` (http→ws, https→wss) so the `build_attach_url` gate
+* `relayBaseUrl` (http→ws, https→wss) so the `start_attach` gate
 * (`up: true && wssUrl !== null`) is satisfied even though we never opened a
 * cloudflared tunnel ourselves.
 *
@@ -6925,14 +6898,14 @@ async function bootExternalRelayFamily(relayBaseUrl, relayLocalUrl) {
 /**
 * Maps a `StartDebugMode` to the {@link FamilyKey} that serves it (issue #378).
 *   local-browser → 'local-browser'; relay-sandbox → 'relay-sandbox';
-*   relay-staging/relay-live → 'relay-intoss' (the shared physical slot).
+*   relay-staging → 'relay-intoss' (the intoss-private relay slot).
+*   `relay-live` removed (#665).
 */
 function familyKeyForMode(mode) {
 	switch (mode) {
 		case "local-browser": return "local-browser";
 		case "relay-sandbox": return "relay-sandbox";
-		case "relay-staging":
-		case "relay-live": return "relay-intoss";
+		case "relay-staging": return "relay-intoss";
 	}
 }
 /** The error thrown / surfaced when entering `mobile` without AIT_RELAY_BASE_URL. */
@@ -6991,12 +6964,11 @@ const NULL_CDP_CONNECTION = {
 * restarting the MCP server.
 *
 * Why a KEYED map and not a single lazy slot (#378): `relay-sandbox` (env-2
-* external relay) and `relay-staging`/`relay-live` (intoss relay) are BOTH
-* `kind: 'relay'`. A single "opposite-kind" slot could not warm-keep both at
-* once — they would collide. The three `FamilyKey`s
-* (`local-browser` / `relay-intoss` / `relay-sandbox`) give each its own warm
-* slot — `relay-staging` and `relay-live` deliberately share the one
-* `relay-intoss` slot (wire-identical, distinguished only by `liveIntent`).
+* external relay) and `relay-staging` (intoss relay) are BOTH `kind: 'relay'`.
+* A single "opposite-kind" slot could not warm-keep both at once — they would
+* collide. The three `FamilyKey`s (`local-browser` / `relay-intoss` /
+* `relay-sandbox`) give each its own warm slot. `relay-live` (env 4) removed
+* (#665) — `relay-intoss` slot now maps only to `relay-staging`.
 *
 * Why all-lazy (#396): the relay TOTP secret now lives in a project-local
 * `.ait_relay` file loaded read-only by `switchMode` BEFORE a relay family boots.
@@ -7006,15 +6978,14 @@ const NULL_CDP_CONNECTION = {
 * `buildRelayVerifyAuth()` run at the boot site.
 *
 * `switchMode`:
-*   1. rejects re-entrant swaps (`swapInFlight`) and an unconfirmed `relay-live`;
+*   1. rejects re-entrant swaps (`swapInFlight`);
 *   2. resolves the requested mode's `FamilyKey`:
 *      `lazyFamilies.get(key) ?? (boot via bootLazyFor(key), store)`;
 *   3. flips `active` (the MCP `Server` never re-handshakes — it reads through
 *      `active` per request);
-*   4. sets `liveIntent` (true only for `relay-live`; `relay-sandbox` is dev-intent → false);
-*   5. stops the old attach watcher and re-arms one on the new connection
+*   4. stops the old attach watcher and re-arms one on the new connection
 *      (the watcher self-clears, so re-arm is mandatory);
-*   6. emits `tools/list_changed`.
+*   5. emits `tools/list_changed`.
 *
 * Inactive infra is left WARM — teardown happens only at process exit (the
 * unified shutdown in the run functions), which is what keeps a phone attach
@@ -7060,10 +7031,10 @@ var DualConnectionRouter = class {
 	/**
 	* Live tunnel status of the active relay family (issues #356, #378). Reads
 	* the ACTIVE family's tunnel when it has one (so `relay-sandbox` surfaces the
-	* external relay wss and `relay-staging`/`relay-live` the intoss relay wss); otherwise
+	* external relay wss and `relay-staging` the intoss relay wss); otherwise
 	* falls back to the first booted family that has a tunnel. Returns "down"
 	* until any relay family is booted (any session before the first relay
-	* start_debug) — the correct signal for `build_attach_url` (no tunnel yet).
+	* start_debug) — the correct signal for `start_attach` (no tunnel yet).
 	*/
 	relayTunnelStatus() {
 		if (this.activeFamily?.getTunnelStatus) return this.activeFamily.getTunnelStatus();
@@ -7098,7 +7069,7 @@ var DualConnectionRouter = class {
 			this.deps.onPageAttach?.();
 			if (activeFamily.connection.kind === "relay") {
 				const firstTarget = activeFamily.connection.listTargets()[0];
-				const env = deriveEnvironment(activeFamily.connection.kind, getLiveIntent(), activeFamily.relayOrigin);
+				const env = deriveEnvironment(activeFamily.connection.kind, activeFamily.relayOrigin);
 				const inspectorStableUrl = this.deps.getInspectorStableUrl?.() ?? null;
 				this.deps.devtoolsOpener.open({
 					inspectorStableUrl,
@@ -7156,25 +7127,22 @@ var DualConnectionRouter = class {
 		this.lazyFamilies.set(key, booted);
 		return booted;
 	}
-	async switchMode(mode, confirm, projectRoot) {
+	async switchMode(mode, projectRoot) {
 		if (this.swapInFlight) throw new Error("start_debug: 이전 전환이 아직 진행 중입니다 — 잠시 후 다시 호출하세요.");
-		if (mode === "relay-live" && !confirm) throw new Error("start_debug: relay-live(실서비스 LIVE)는 confirm: true가 필요합니다 — 실유저에게 영향이 갈 수 있는 LIVE 디버깅 진입을 명시적으로 승인하세요.");
 		this.swapInFlight = true;
 		try {
 			if (isRelayMode(mode)) await loadRelaySecretReadOnly({ projectRoot });
 			const target = await this.familyFor(familyKeyForMode(mode), projectRoot);
 			this.activeFamily = target;
-			setLiveIntent(mode === "relay-live");
 			this.stopWatcher();
 			this.armWatcher();
 			this.server?.sendToolListChanged();
 			const wantRelay = isRelayMode(mode);
 			return {
 				mode,
-				environment: deriveEnvironment(target.connection.kind, getLiveIntent(), target.relayOrigin),
+				environment: deriveEnvironment(target.connection.kind, target.relayOrigin),
 				kind: target.connection.kind,
-				liveGuardActive: target.connection.kind === "relay" && getLiveIntent(),
-				nextStep: wantRelay ? "build_attach_url로 attach QR을 생성하세요 (relay 세션)." : "list_pages로 로컬 Chromium 페이지 attach를 확인하세요."
+				nextStep: wantRelay ? "start_attach로 attach QR 생성 + 폰 attach까지 한 번에 진행하세요 (relay 세션)." : "list_pages로 로컬 Chromium 페이지 attach를 확인하세요."
 			};
 		} finally {
 			this.swapInFlight = false;
@@ -7233,7 +7201,7 @@ async function runDebugServer(options = {}) {
 			})),
 			attachUrl: lastAttachParts ? rebuildAttachUrl(lastAttachParts) : null,
 			inspectorUrl,
-			mode: deriveEnvironment(router.active.kind, getLiveIntent(), router.activeRelayOrigin)
+			mode: deriveEnvironment(router.active.kind, router.activeRelayOrigin)
 		};
 	};
 	const getDirectInspectorUrl = () => {
@@ -7365,7 +7333,7 @@ async function runDebugServer(options = {}) {
 *   1. `start_debug({ mode: 'local-browser' })` launches a local Chromium with
 *      `--remote-debugging-port=<port>` and attaches a `LocalCdpConnection`;
 *   2. the intoss/external relay families lazy-boot on the first
-*      `start_debug({ mode: 'relay-staging' | 'relay-live' | 'relay-sandbox' })`;
+*      `start_debug({ mode: 'relay-staging' | 'relay-sandbox' })` (#665: relay-live removed);
 *   3. all of this runs through the SAME direction-neutral
 *      `DualConnectionRouter` that `runDebugServer` uses (issue #356).
 *
@@ -7377,7 +7345,7 @@ async function runDebugServer(options = {}) {
 * env 1 (local), then env 3 (intoss-private) in ONE session, no restart" — now
 * works from either entry point.
 *
-* `build_attach_url` (relay-specific) stays effectively hidden / non-applicable
+* `start_attach` (relay-specific) stays effectively hidden / non-applicable
 * until the relay family is booted: before the first relay switch the env
 * derives to `mock` and `relayTunnelStatus()` reports "down", so the tool fails
 * with a clear "tunnel not up" message. After a relay switch the relay tunnel
@@ -7588,10 +7556,9 @@ async function runLocalDebugServer(options = {}) {
 * Symmetry with `runDebugServer` / `runLocalDebugServer` (#356, #378, #396): all
 * three families are lazy-booted — the env-2 external relay on the first
 * `start_debug({ mode: 'relay-sandbox' })`, the local family on `local-browser`,
-* the intoss relay on `relay-staging`/`relay-live` — so a `--target=mobile`
-* session can hot-switch
-* without a restart. The active env derives to `relay-mobile` (external-PWA
-* origin, liveIntent off).
+* the intoss relay on `relay-staging` (#665: relay-live removed) — so a
+* `--target=mobile` session can hot-switch without a restart. The active env
+* derives to `relay-mobile` (external-PWA origin).
 *
 * SECRET-HANDLING: `AIT_RELAY_BASE_URL` is read once here via
 * {@link readMobileRelayBaseUrl}; when unset it throws
@@ -7972,25 +7939,30 @@ const DEV_TOOL_DEFINITIONS = [
 		availableIn: "both"
 	},
 	{
-		name: "build_attach_url",
-		description: "Turns an `ait deploy --scheme-only` URL into a self-attaching deep link for a real device. NOT available in dev-mode — requires a live cloudflared relay (Tier B, relay-only). To use this tool: restart the MCP server with `--mode=debug` (or omit --mode) and set MCP_ENV=relay, then call build_attach_url to generate the QR for phone scanning. See: https://docs.aitc.dev/guides/debug-relay",
+		name: "start_attach",
+		description: "Switches into a relay mode (if given), builds a self-attaching deep-link QR for a real device, and waits for the phone to attach — all in one call. NOT available in dev-mode — requires a live cloudflared relay (Tier B, relay-only). To use this tool: restart the MCP server with `--mode=debug` (or omit --mode) and set MCP_ENV=relay, then call start_attach to generate the QR for phone scanning. See: https://docs.aitc.dev/guides/debug-relay",
 		inputSchema: {
 			type: "object",
 			properties: {
-				scheme_url: {
+				mode: {
 					type: "string",
-					description: "The intoss-private:// URL from `ait deploy --scheme-only`."
+					enum: [
+						"local-browser",
+						"relay-sandbox",
+						"relay-staging"
+					],
+					description: "Optional relay mode to switch into before attaching."
 				},
-				wait_for_attach: {
-					type: "boolean",
-					description: "If true, block until a page attaches (default 60 s)."
+				scheme_url: {
+					type: "string",
+					description: "The intoss-private:// URL from `ait deploy --scheme-only` (env 3/relay-staging)."
 				},
 				wait_timeout_seconds: {
 					type: "number",
-					description: "Maximum seconds to wait when wait_for_attach=true (default 60, range 1–600). Invalid inputs fall back to default."
+					description: "Maximum seconds to wait for a page to attach (default 60, range 1–600). Invalid inputs fall back to default."
 				}
 			},
-			required: ["scheme_url"]
+			required: []
 		},
 		availableIn: "relay"
 	},
@@ -8088,10 +8060,6 @@ const DEV_TOOL_DEFINITIONS = [
 				timeout_ms: {
 					type: "number",
 					description: "Per-file evaluate timeout in ms."
-				},
-				confirm: {
-					type: "boolean",
-					description: "Required in relay-live sessions."
 				}
 			},
 			required: ["files"]
@@ -8117,7 +8085,7 @@ const CDP_ONLY_TOOL_NAMES = new Set([
 * Listed in dev-mode tool surface (issue #323) so agents get a hand-off hint
 * toward `--mode=debug` instead of "Unknown tool".
 */
-const TIER_B_TOOL_NAMES = new Set(["build_attach_url"]);
+const TIER_B_TOOL_NAMES = new Set(["start_attach"]);
 /**
 * Builds the `list_pages` dev-mode shim response.
 * Returns the Vite dev URL as a single-entry page list with `devMode: true`.
@@ -8227,7 +8195,7 @@ function createDevServer(deps = {}) {
 	const aitSource = deps.aitSource ?? new HttpAitSource({ stateEndpoint });
 	const server = new Server({
 		name: "ait-devtools",
-		version: "0.1.109"
+		version: "0.1.111"
 	}, { capabilities: { tools: {} } });
 	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: DEV_TOOL_DEFINITIONS.map((tool) => ({ ...tool })) }));
 	server.setRequestHandler(CallToolRequestSchema, async (request) => {
@@ -8302,7 +8270,7 @@ async function runDevServer() {
 *
 *   --mode=debug (default)
 *     --target=relay (default) — CDP/Chii relay + cloudflared quick tunnel.
-*       Attach a running mini-app (real Toss WebView, env 3/4) and read its
+*       Attach a running mini-app (real Toss WebView, env 3) and read its
 *       console + network over CDP without a human watching a phone.
 *     --target=local — CDP direct-attach to a local Chromium launched by the
 *       MCP server (env 1). No relay or tunnel; the browser is launched
@@ -8318,26 +8286,12 @@ async function runDevServer() {
 * Back-compat (issue #348): the legacy `--mode`/`--target` flags and `MCP_ENV`
 * still work. `--target=relay`/`local` select the initial active connection;
 * the in-session `start_debug(mode)` MCP tool can then flip between them with no
-* restart. `MCP_ENV=relay-live` seeds LIVE intent at boot (deprecated alias);
-* `MCP_ENV=mock|relay|relay-dev` are accepted and ignored for env derivation
-* (the active connection's `kind` is authoritative).
+* restart. `MCP_ENV` values are accepted and ignored (the active connection's
+* `kind` is authoritative; `relay-live` and `liveIntent` are removed, #665).
 *
 * Node-only stdio process.
 */
 /**
-* Seeds the module-level `liveIntent` bit from the deprecated `MCP_ENV` alias
-* (issue #348). `MCP_ENV=relay-live` is the only value that matters now — it
-* arms LIVE intent at boot so a session launched straight into env 4 has the
-* guard active without a `start_debug({ mode: 'relay-live' })` round-trip. All
-* other `MCP_ENV` values (`mock`, `relay`, `relay-dev`) are accepted-and-ignored
-* for env derivation — the active connection's `kind` is authoritative.
-*
-* SECRET-HANDLING: reads only the env-var string; never logs a secret.
-*/
-function seedLiveIntentFromEnv(env = process.env) {
-	if (env.MCP_ENV === "relay-live") setLiveIntent(true);
-}
-/**
 * Returns `true` when `--force` or `--takeover` is present in argv.
 *
 * Both flags are accepted as aliases — `--force` is the short form listed in
@@ -8394,7 +8348,6 @@ function normalizeTarget(value) {
 }
 async function main() {
 	const args = process.argv.slice(2);
-	seedLiveIntentFromEnv();
 	if (parseMode(args) === "dev") await runDevServer();
 	else {
 		const target = parseTarget(args);
@@ -8429,6 +8382,6 @@ if (isEntrypoint()) main().catch((err) => {
 	process.exitCode = 1;
 });
 //#endregion
-export { parseForce, parseMode, parseTarget, seedLiveIntentFromEnv };
+export { parseForce, parseMode, parseTarget };
 
 //# sourceMappingURL=cli.js.map