@camstack/system 1.0.2

package/dist/builtins/platform-probe/inference-config-resolver.d.ts

@@ -0,0 +1,29 @@
+import { PlatformScore, HardwareInfo, ModelRequirement, ResolvedInferenceConfig } from '@camstack/types';
+export declare class InferenceConfigResolver {
+    private readonly scores;
+    private readonly hardware;
+    constructor(scores: readonly PlatformScore[], hardware: HardwareInfo);
+    /**
+     * Compute accuracy/backend weights based on available system RAM.
+     * availableRAM_MB is now sourced from systeminformation (reliable cross-platform),
+     * not os.freemem() which is broken on macOS.
+     *
+     * - > 16 GB available: prefer larger, more accurate models (accuracy 0.6, backend 0.4)
+     * - > 8 GB available:  balanced (accuracy 0.5, backend 0.5)
+     * - <= 8 GB available: prefer speed (accuracy 0.4, backend 0.6)
+     */
+    private getWeights;
+    /**
+     * Given an addon's model requirements, pick the best model + runtime + backend.
+     *
+     * Algorithm:
+     * 1. Filter models by available RAM (minRAM_MB < 25% of available RAM)
+     * 2. For each remaining model, find the best platform score whose format
+     *    is available in the model's formats
+     * 3. Pick the model with the highest combined score using RAM-adaptive weights:
+     *    - High RAM (>16 GB): accuracy × 0.6 + backend × 0.4  (prefer accuracy)
+     *    - Mid RAM  (>8 GB):  accuracy × 0.5 + backend × 0.5  (balanced)
+     *    - Low RAM  (<=8 GB): accuracy × 0.4 + backend × 0.6  (prefer speed)
+     */
+    resolve(requirements: readonly ModelRequirement[]): ResolvedInferenceConfig;
+}

package/dist/builtins/platform-probe/intel-accelerators.d.ts

@@ -0,0 +1,11 @@
+import { GpuInfo, NpuInfo } from '@camstack/types';
+export interface AcceleratorFs {
+    listRenderNodes(): readonly string[];
+    readVendor(renderNode: string): string;
+    exists(path: string): boolean;
+}
+export interface IntelAccelerators {
+    gpu: GpuInfo | null;
+    npu: NpuInfo | null;
+}
+export declare function classifyIntelAccelerators(fsx: AcceleratorFs): IntelAccelerators;

package/dist/builtins/platform-probe/platform-scorer.d.ts

@@ -0,0 +1,30 @@
+import { HardwareInfo, PlatformCapabilities, IScopedLogger } from '@camstack/types';
+export declare class PlatformScorer {
+    private cached;
+    private readonly logger;
+    /**
+     * Path to the embedded portable Python (from `ctx.deps.ensurePython()`).
+     * The Docker hub ships NO system `python3` — inference runs on the
+     * downloaded portable build — so probing system `python3`/`python` would
+     * wrongly report "Python not found" and never surface coreml/openvino
+     * backends. When set, the Python module probes run against THIS binary;
+     * `null` falls back to a system `python3`/`python` lookup (dev / agent
+     * environments where Python is on PATH).
+     */
+    private readonly embeddedPythonPath;
+    constructor(logger?: IScopedLogger, embeddedPythonPath?: string | null);
+    /**
+     * Probe hardware + runtimes and score all backend combos.
+     *
+     * An optional `onPhase` callback is invoked at each step so consumers
+     * (e.g. the platform-probe addon) can emit live progress events on
+     * the event bus. The callback takes a phase id + a typed payload; all
+     * phases fire in strict order: `started` → `hardware` → `node-backends`
+     * → `python-backends` → `scored` → `done`. On failure, `error` fires
+     * once with the exception. Cached after first call.
+     */
+    probe(onPhase?: (phase: string, payload?: Record<string, unknown>) => void): Promise<PlatformCapabilities>;
+    probeHardware(): Promise<HardwareInfo>;
+    private probePythonBackends;
+    private scoreBackends;
+}

package/dist/builtins/platform-probe/runtime-packages.d.ts

@@ -0,0 +1,6 @@
+import { HardwareInfo } from '@camstack/types';
+export interface RuntimePackageSet {
+    requirementsFiles: string[];
+    backendIds: string[];
+}
+export declare function resolveRuntimePackages(hardware: HardwareInfo): RuntimePackageSet;

package/dist/builtins/remote-access-orchestrator/enabled-providers-reconcile.d.ts

@@ -0,0 +1,96 @@
+/**
+ * Pure reconciliation core for the remote-access orchestrator's durable
+ * `enabledProviders` set (D8 delivery-rule fix).
+ *
+ * Why this module exists
+ * ----------------------
+ * `enabledProviders: string[]` is the operator's "auto-start on boot"
+ * intent — a DURABLE setting. Historically it was written ONLY from two
+ * fire-and-forget bus events (`NetworkTunnelStarted` / `Stopped`). A
+ * dropped event (hub restart, addon crash-respawn, hub↔orchestrator
+ * partition) silently diverges the persisted set from reality:
+ *   - dropped `Started` → tunnel running, not recorded → no auto-start
+ *   - dropped `Stopped` → tunnel stopped, still recorded → boot restarts
+ *     an operator-stopped tunnel.
+ *
+ * A durable setting must not be written by a lossy event. The fix is an
+ * idempotent reconcile pass that pulls authoritative state via an
+ * ACKNOWLEDGED RPC (`network-access` cap `getStatus`) on every provider
+ * (re)connect — mirroring the kernel readiness-registry hydration via
+ * `$readiness.getSnapshot`. The lifecycle events stay (still fine for
+ * live UI dashboards); only the PERSISTENCE WRITE moves to the RPC pull.
+ *
+ * Reconcile semantics — ADD-ONLY (deliberately conservative)
+ * ----------------------------------------------------------
+ * `connected: true` from an acked RPC is UNAMBIGUOUS: the tunnel is up,
+ * so the operator must have started it → safe to ADD to `enabledProviders`
+ * (recovers a dropped `NetworkTunnelStarted` event).
+ *
+ * `connected: false` is AMBIGUOUS:
+ *   - Provider registered but not yet started (normal cold-boot state,
+ *     BEFORE `autoStartEnabledProviders` has called `start()`).
+ *   - Provider transiently down (network blip, restart in progress).
+ *   - Provider intentionally stopped by the operator.
+ * `getStatus()` reports connectivity, NOT operator intent. Acting on
+ * `connected: false` would wipe `enabledProviders` on every hub restart
+ * (providers re-register ~15-20 s before `start()` is called), defeating
+ * the purpose of the durable enabled-set. Therefore the reconcile pass
+ * NEVER removes on `connected: false`.
+ *
+ * Removal of operator intent stays event-driven (`NetworkTunnelStopped`
+ * → `markEnabled(id, false)`). That event is emitted synchronously by
+ * the provider's own `stop()` call — it is the reliable signal that the
+ * operator actually stopped the tunnel. A failed/absent RPC probe also
+ * leaves the provider untouched.
+ *
+ * // Follow-up: covering the dropped-`Stopped` direction (a `Stopped`
+ * // event lost → tunnel stopped but still in enabledProviders → boot
+ * // wrongly restarts it) would require a provider-side persisted
+ * // operator-intent flag that `getStatus()` surfaces. That is a larger
+ * // multi-addon change (the audit's "approach 2") and is OUT OF SCOPE
+ * // for this backstop. The current fix covers the higher-impact direction
+ * // (dropped `Started` → operator's running tunnel not auto-restarted).
+ *
+ * The function is pure: the addon owns the RPC fan-out + the persist
+ * call, so this core is unit-testable without a CapabilityRegistry.
+ */
+/**
+ * Outcome of one provider's `getStatus()` RPC probe.
+ *
+ * `ok: true`  → the RPC was acknowledged; `connected` is authoritative.
+ * `ok: false` → the RPC threw / timed out; state is unknown and the
+ *               provider's membership must be left as-is.
+ */
+export type ProviderProbeResult = {
+    readonly addonId: string;
+    readonly ok: true;
+    readonly connected: boolean;
+} | {
+    readonly addonId: string;
+    readonly ok: false;
+};
+export interface ReconcileResult {
+    /** The corrected enabled-set, sorted for stable persistence. */
+    readonly nextEnabled: readonly string[];
+    /** `true` when `nextEnabled` differs from the input — caller persists only then. */
+    readonly changed: boolean;
+    /** addonIds added because an acked RPC reported them connected. */
+    readonly added: readonly string[];
+    /**
+     * Always empty — reconcile is add-only. Removal of operator intent is
+     * event-driven (`NetworkTunnelStopped`). Kept in the type so callers
+     * that log `result.removed` continue to compile without changes.
+     */
+    readonly removed: readonly string[];
+}
+/**
+ * Reconcile the durable `enabledProviders` set against authoritative
+ * RPC probe results. Pure — no I/O. ADD-ONLY: only adds providers whose
+ * acked `getStatus()` reports `connected: true`. Never removes on
+ * `connected: false` — see module doc for the full rationale.
+ *
+ * @param currentEnabled - the persisted enabled-set before reconcile.
+ * @param probes - one entry per provider whose `getStatus()` RPC was
+ *   attempted this pass. Providers absent from this list are untouched.
+ */
+export declare function reconcileEnabledProviders(currentEnabled: readonly string[], probes: readonly ProviderProbeResult[]): ReconcileResult;

package/dist/builtins/remote-access-orchestrator/index.d.ts

@@ -0,0 +1 @@
+export { RemoteAccessOrchestratorAddon, default } from './remote-access-orchestrator.addon.js';

package/dist/builtins/remote-access-orchestrator/index.js

@@ -0,0 +1,8 @@
+Object.defineProperties(exports, {
+	__esModule: { value: true },
+	[Symbol.toStringTag]: { value: "Module" }
+});
+require("../../chunk-Cek0wNdY.js");
+const require_builtins_remote_access_orchestrator_remote_access_orchestrator_addon = require("./remote-access-orchestrator.addon.js");
+exports.RemoteAccessOrchestratorAddon = require_builtins_remote_access_orchestrator_remote_access_orchestrator_addon.RemoteAccessOrchestratorAddon;
+exports.default = require_builtins_remote_access_orchestrator_remote_access_orchestrator_addon.RemoteAccessOrchestratorAddon;

package/dist/builtins/remote-access-orchestrator/index.mjs

@@ -0,0 +1,2 @@
+import { RemoteAccessOrchestratorAddon } from "./remote-access-orchestrator.addon.mjs";
+export { RemoteAccessOrchestratorAddon, RemoteAccessOrchestratorAddon as default };

package/dist/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.d.ts

@@ -0,0 +1,40 @@
+import { BaseAddon, ProviderRegistration } from '@camstack/types';
+interface RemoteAccessOrchestratorConfig {
+    /**
+     * addonIds the operator has explicitly Started. Auto-respawned on
+     * boot so a tunnel set up once stays up across hub restarts.
+     */
+    readonly enabledProviders: readonly string[];
+}
+export declare class RemoteAccessOrchestratorAddon extends BaseAddon<RemoteAccessOrchestratorConfig> {
+    constructor();
+    protected onInitialize(): Promise<ProviderRegistration[]>;
+    /**
+     * Maintain the persisted `enabledProviders` set from a tunnel
+     * lifecycle event. `source.id` is `string | number`; `network-access`
+     * providers emit with `type: 'addon'` so it is always the addonId
+     * string. Non-string / non-addon sources are ignored defensively.
+     */
+    private onTunnelLifecycle;
+    /**
+     * Probe every locally-visible `network-access` provider's
+     * `getStatus()` over RPC and reconcile the durable `enabledProviders`
+     * set against the result. This is the D8 backstop for dropped
+     * `NetworkTunnelStarted` events: if `connected: true` is acked, the
+     * provider is added to `enabledProviders`. ADD-ONLY — never removes on
+     * `connected: false` (see enabled-providers-reconcile.ts for rationale).
+     *
+     * `getStatus()` is an acknowledged cap RPC — a transport blip surfaces
+     * as a rejected promise (recorded as `ok: false`, membership left
+     * untouched), never as a silent lossy write. Runs on every provider
+     * (re)connect via the `watchCapability` hooks, mirroring the kernel
+     * readiness-registry hydration on `$node.connected`. Safe to call
+     * before `autoStartEnabledProviders`: add-only semantics mean it cannot
+     * wipe the enabled-set even when providers are registered-not-yet-started.
+     */
+    private reconcileAndPersist;
+    private autoStartEnabledProviders;
+    private markEnabled;
+    private resolveImpl;
+}
+export default RemoteAccessOrchestratorAddon;

package/dist/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.js

@@ -0,0 +1,214 @@
+Object.defineProperties(exports, {
+	__esModule: { value: true },
+	[Symbol.toStringTag]: { value: "Module" }
+});
+require("../../chunk-Cek0wNdY.js");
+let _camstack_types = require("@camstack/types");
+//#region src/builtins/remote-access-orchestrator/enabled-providers-reconcile.ts
+/**
+* Reconcile the durable `enabledProviders` set against authoritative
+* RPC probe results. Pure — no I/O. ADD-ONLY: only adds providers whose
+* acked `getStatus()` reports `connected: true`. Never removes on
+* `connected: false` — see module doc for the full rationale.
+*
+* @param currentEnabled - the persisted enabled-set before reconcile.
+* @param probes - one entry per provider whose `getStatus()` RPC was
+*   attempted this pass. Providers absent from this list are untouched.
+*/
+function reconcileEnabledProviders(currentEnabled, probes) {
+	const next = new Set(currentEnabled);
+	const added = [];
+	for (const probe of probes) {
+		if (!probe.ok) continue;
+		if (probe.connected) {
+			if (!next.has(probe.addonId)) {
+				next.add(probe.addonId);
+				added.push(probe.addonId);
+			}
+		}
+	}
+	return {
+		nextEnabled: [...next].toSorted(),
+		changed: added.length > 0,
+		added,
+		removed: []
+	};
+}
+//#endregion
+//#region src/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.ts
+/**
+* Remote-access orchestrator — backend-only boot-autostart service for
+* the `network-access` collection (Cloudflare Tunnel, ngrok, Tailscale, …).
+*
+* Retired its `remote-access` facade cap (2026-05-15): the admin UI now
+* talks to the `network-access` collection cap directly via generic
+* per-`addonId` routing, so this addon registers NO capability.
+*
+* What it still owns — the load-bearing logic:
+*   The orchestrator owns the "operator wants this provider running"
+*   intent — an `enabledProviders: string[]` slice in its addon-store
+*   blob (BaseAddon.config). On boot we iterate the list and call
+*   `provider.start()` for each enabled entry, so a tunnel set up once
+*   stays up across hub restarts.
+*
+*   Since start/stop no longer flow through this addon, the enabled-set
+*   is kept in sync from two sources:
+*     1. `NetworkTunnelStarted` / `NetworkTunnelStopped` bus events —
+*        fast, but lossy (fire-and-forget broadcasts). They drive both
+*        the live UI and removal from the durable set (`Stopped` is the
+*        only reliable "operator stopped it" signal).
+*     2. An RPC-driven ADD-ONLY RECONCILE pass (`reconcileEnabledProviders`)
+*        that pulls authoritative `connected` state via the `network-access`
+*        cap's `getStatus()` on every provider (re)connect. THIS covers
+*        dropped `NetworkTunnelStarted` events — if `connected: true` is
+*        acked, the provider is added to `enabledProviders`. It NEVER
+*        removes on `connected: false` because that signal is ambiguous
+*        (registered-not-yet-started vs transiently-down vs intentionally
+*        stopped). Running before `autoStartEnabledProviders` is safe:
+*        it can only add already-connected providers, never evict.
+*/
+var RemoteAccessOrchestratorAddon = class extends _camstack_types.BaseAddon {
+	constructor() {
+		super({ enabledProviders: [] });
+	}
+	async onInitialize() {
+		this.ctx.logger.info("Remote-access orchestrator initialized (backend-only)", { meta: { enabledCount: this.config.enabledProviders.length } });
+		this.ctx.eventBus?.subscribe({ category: _camstack_types.EventCategory.NetworkTunnelStarted }, (event) => {
+			this.onTunnelLifecycle(event.source, true);
+		});
+		this.ctx.eventBus?.subscribe({ category: _camstack_types.EventCategory.NetworkTunnelStopped }, (event) => {
+			this.onTunnelLifecycle(event.source, false);
+		});
+		setImmediate(() => {
+			this.autoStartEnabledProviders();
+		});
+		this.watchCapability("network-access", { onReady: () => {
+			this.autoStartEnabledProviders();
+		} });
+		this.watchCapability("mesh-network", { onReady: () => {
+			this.autoStartEnabledProviders();
+		} });
+		return [];
+	}
+	/**
+	* Maintain the persisted `enabledProviders` set from a tunnel
+	* lifecycle event. `source.id` is `string | number`; `network-access`
+	* providers emit with `type: 'addon'` so it is always the addonId
+	* string. Non-string / non-addon sources are ignored defensively.
+	*/
+	async onTunnelLifecycle(source, started) {
+		if (source.type !== "addon" || typeof source.id !== "string") {
+			this.ctx.logger.warn("tunnel lifecycle event with non-addon source — ignoring", { meta: {
+				sourceType: source.type,
+				sourceId: source.id,
+				started
+			} });
+			return;
+		}
+		await this.markEnabled(source.id, started);
+	}
+	/**
+	* Probe every locally-visible `network-access` provider's
+	* `getStatus()` over RPC and reconcile the durable `enabledProviders`
+	* set against the result. This is the D8 backstop for dropped
+	* `NetworkTunnelStarted` events: if `connected: true` is acked, the
+	* provider is added to `enabledProviders`. ADD-ONLY — never removes on
+	* `connected: false` (see enabled-providers-reconcile.ts for rationale).
+	*
+	* `getStatus()` is an acknowledged cap RPC — a transport blip surfaces
+	* as a rejected promise (recorded as `ok: false`, membership left
+	* untouched), never as a silent lossy write. Runs on every provider
+	* (re)connect via the `watchCapability` hooks, mirroring the kernel
+	* readiness-registry hydration on `$node.connected`. Safe to call
+	* before `autoStartEnabledProviders`: add-only semantics mean it cannot
+	* wipe the enabled-set even when providers are registered-not-yet-started.
+	*/
+	async reconcileAndPersist() {
+		const entries = this.capabilities?.getCollectionEntries("network-access") ?? [];
+		if (entries.length === 0) return;
+		const probes = await Promise.all(entries.map(async ([addonId, impl]) => {
+			if (!impl.getStatus) return {
+				addonId,
+				ok: false
+			};
+			try {
+				return {
+					addonId,
+					ok: true,
+					connected: (await impl.getStatus()).connected
+				};
+			} catch (err) {
+				this.ctx.logger.warn("reconcile: getStatus RPC failed — leaving membership as-is", { meta: {
+					addonId,
+					error: err instanceof Error ? err.message : String(err)
+				} });
+				return {
+					addonId,
+					ok: false
+				};
+			}
+		}));
+		const result = reconcileEnabledProviders(this.config.enabledProviders, probes);
+		if (!result.changed) return;
+		this.ctx.logger.info("reconcile: corrected enabledProviders from RPC-pulled state", { meta: {
+			added: result.added,
+			removed: result.removed
+		} });
+		await this.updateGlobalSettings({ enabledProviders: result.nextEnabled });
+	}
+	async autoStartEnabledProviders() {
+		await this.reconcileAndPersist();
+		const ids = this.config.enabledProviders;
+		if (ids.length === 0) return;
+		this.ctx.logger.info("Auto-starting enabled remote-access providers", { meta: { addonIds: [...ids] } });
+		for (const addonId of ids) try {
+			const impl = this.resolveImpl(addonId);
+			if (!impl?.start) {
+				this.ctx.logger.warn("autostart: provider not ready or unsupported", { meta: {
+					addonId,
+					hasImpl: !!impl,
+					hasStart: !!impl?.start
+				} });
+				continue;
+			}
+			if (impl.getStatus) {
+				const status = await impl.getStatus().catch(() => null);
+				if (status?.connected) {
+					this.ctx.logger.info("autostart: provider already connected — skipping", { meta: {
+						addonId,
+						url: status.endpoint?.url
+					} });
+					continue;
+				}
+			}
+			const endpoint = await impl.start();
+			this.ctx.logger.info("autostart: provider started", { meta: {
+				addonId,
+				url: endpoint.url
+			} });
+		} catch (err) {
+			this.ctx.logger.error("autostart: provider start failed", { meta: {
+				addonId,
+				error: err instanceof Error ? err.message : String(err)
+			} });
+		}
+	}
+	async markEnabled(addonId, enabled) {
+		const current = new Set(this.config.enabledProviders);
+		const wasEnabled = current.has(addonId);
+		if (enabled) current.add(addonId);
+		else current.delete(addonId);
+		if (wasEnabled === enabled) return;
+		this.ctx.logger.info("remote-access intent updated", { meta: {
+			addonId,
+			enabled
+		} });
+		await this.updateGlobalSettings({ enabledProviders: [...current] });
+	}
+	resolveImpl(addonId) {
+		return (this.capabilities?.getCollectionEntries("network-access") ?? []).find(([id]) => id === addonId)?.[1] ?? null;
+	}
+};
+//#endregion
+exports.RemoteAccessOrchestratorAddon = RemoteAccessOrchestratorAddon;
+exports.default = RemoteAccessOrchestratorAddon;

package/dist/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.mjs

@@ -0,0 +1,208 @@
+import { BaseAddon, EventCategory } from "@camstack/types";
+//#region src/builtins/remote-access-orchestrator/enabled-providers-reconcile.ts
+/**
+* Reconcile the durable `enabledProviders` set against authoritative
+* RPC probe results. Pure — no I/O. ADD-ONLY: only adds providers whose
+* acked `getStatus()` reports `connected: true`. Never removes on
+* `connected: false` — see module doc for the full rationale.
+*
+* @param currentEnabled - the persisted enabled-set before reconcile.
+* @param probes - one entry per provider whose `getStatus()` RPC was
+*   attempted this pass. Providers absent from this list are untouched.
+*/
+function reconcileEnabledProviders(currentEnabled, probes) {
+	const next = new Set(currentEnabled);
+	const added = [];
+	for (const probe of probes) {
+		if (!probe.ok) continue;
+		if (probe.connected) {
+			if (!next.has(probe.addonId)) {
+				next.add(probe.addonId);
+				added.push(probe.addonId);
+			}
+		}
+	}
+	return {
+		nextEnabled: [...next].toSorted(),
+		changed: added.length > 0,
+		added,
+		removed: []
+	};
+}
+//#endregion
+//#region src/builtins/remote-access-orchestrator/remote-access-orchestrator.addon.ts
+/**
+* Remote-access orchestrator — backend-only boot-autostart service for
+* the `network-access` collection (Cloudflare Tunnel, ngrok, Tailscale, …).
+*
+* Retired its `remote-access` facade cap (2026-05-15): the admin UI now
+* talks to the `network-access` collection cap directly via generic
+* per-`addonId` routing, so this addon registers NO capability.
+*
+* What it still owns — the load-bearing logic:
+*   The orchestrator owns the "operator wants this provider running"
+*   intent — an `enabledProviders: string[]` slice in its addon-store
+*   blob (BaseAddon.config). On boot we iterate the list and call
+*   `provider.start()` for each enabled entry, so a tunnel set up once
+*   stays up across hub restarts.
+*
+*   Since start/stop no longer flow through this addon, the enabled-set
+*   is kept in sync from two sources:
+*     1. `NetworkTunnelStarted` / `NetworkTunnelStopped` bus events —
+*        fast, but lossy (fire-and-forget broadcasts). They drive both
+*        the live UI and removal from the durable set (`Stopped` is the
+*        only reliable "operator stopped it" signal).
+*     2. An RPC-driven ADD-ONLY RECONCILE pass (`reconcileEnabledProviders`)
+*        that pulls authoritative `connected` state via the `network-access`
+*        cap's `getStatus()` on every provider (re)connect. THIS covers
+*        dropped `NetworkTunnelStarted` events — if `connected: true` is
+*        acked, the provider is added to `enabledProviders`. It NEVER
+*        removes on `connected: false` because that signal is ambiguous
+*        (registered-not-yet-started vs transiently-down vs intentionally
+*        stopped). Running before `autoStartEnabledProviders` is safe:
+*        it can only add already-connected providers, never evict.
+*/
+var RemoteAccessOrchestratorAddon = class extends BaseAddon {
+	constructor() {
+		super({ enabledProviders: [] });
+	}
+	async onInitialize() {
+		this.ctx.logger.info("Remote-access orchestrator initialized (backend-only)", { meta: { enabledCount: this.config.enabledProviders.length } });
+		this.ctx.eventBus?.subscribe({ category: EventCategory.NetworkTunnelStarted }, (event) => {
+			this.onTunnelLifecycle(event.source, true);
+		});
+		this.ctx.eventBus?.subscribe({ category: EventCategory.NetworkTunnelStopped }, (event) => {
+			this.onTunnelLifecycle(event.source, false);
+		});
+		setImmediate(() => {
+			this.autoStartEnabledProviders();
+		});
+		this.watchCapability("network-access", { onReady: () => {
+			this.autoStartEnabledProviders();
+		} });
+		this.watchCapability("mesh-network", { onReady: () => {
+			this.autoStartEnabledProviders();
+		} });
+		return [];
+	}
+	/**
+	* Maintain the persisted `enabledProviders` set from a tunnel
+	* lifecycle event. `source.id` is `string | number`; `network-access`
+	* providers emit with `type: 'addon'` so it is always the addonId
+	* string. Non-string / non-addon sources are ignored defensively.
+	*/
+	async onTunnelLifecycle(source, started) {
+		if (source.type !== "addon" || typeof source.id !== "string") {
+			this.ctx.logger.warn("tunnel lifecycle event with non-addon source — ignoring", { meta: {
+				sourceType: source.type,
+				sourceId: source.id,
+				started
+			} });
+			return;
+		}
+		await this.markEnabled(source.id, started);
+	}
+	/**
+	* Probe every locally-visible `network-access` provider's
+	* `getStatus()` over RPC and reconcile the durable `enabledProviders`
+	* set against the result. This is the D8 backstop for dropped
+	* `NetworkTunnelStarted` events: if `connected: true` is acked, the
+	* provider is added to `enabledProviders`. ADD-ONLY — never removes on
+	* `connected: false` (see enabled-providers-reconcile.ts for rationale).
+	*
+	* `getStatus()` is an acknowledged cap RPC — a transport blip surfaces
+	* as a rejected promise (recorded as `ok: false`, membership left
+	* untouched), never as a silent lossy write. Runs on every provider
+	* (re)connect via the `watchCapability` hooks, mirroring the kernel
+	* readiness-registry hydration on `$node.connected`. Safe to call
+	* before `autoStartEnabledProviders`: add-only semantics mean it cannot
+	* wipe the enabled-set even when providers are registered-not-yet-started.
+	*/
+	async reconcileAndPersist() {
+		const entries = this.capabilities?.getCollectionEntries("network-access") ?? [];
+		if (entries.length === 0) return;
+		const probes = await Promise.all(entries.map(async ([addonId, impl]) => {
+			if (!impl.getStatus) return {
+				addonId,
+				ok: false
+			};
+			try {
+				return {
+					addonId,
+					ok: true,
+					connected: (await impl.getStatus()).connected
+				};
+			} catch (err) {
+				this.ctx.logger.warn("reconcile: getStatus RPC failed — leaving membership as-is", { meta: {
+					addonId,
+					error: err instanceof Error ? err.message : String(err)
+				} });
+				return {
+					addonId,
+					ok: false
+				};
+			}
+		}));
+		const result = reconcileEnabledProviders(this.config.enabledProviders, probes);
+		if (!result.changed) return;
+		this.ctx.logger.info("reconcile: corrected enabledProviders from RPC-pulled state", { meta: {
+			added: result.added,
+			removed: result.removed
+		} });
+		await this.updateGlobalSettings({ enabledProviders: result.nextEnabled });
+	}
+	async autoStartEnabledProviders() {
+		await this.reconcileAndPersist();
+		const ids = this.config.enabledProviders;
+		if (ids.length === 0) return;
+		this.ctx.logger.info("Auto-starting enabled remote-access providers", { meta: { addonIds: [...ids] } });
+		for (const addonId of ids) try {
+			const impl = this.resolveImpl(addonId);
+			if (!impl?.start) {
+				this.ctx.logger.warn("autostart: provider not ready or unsupported", { meta: {
+					addonId,
+					hasImpl: !!impl,
+					hasStart: !!impl?.start
+				} });
+				continue;
+			}
+			if (impl.getStatus) {
+				const status = await impl.getStatus().catch(() => null);
+				if (status?.connected) {
+					this.ctx.logger.info("autostart: provider already connected — skipping", { meta: {
+						addonId,
+						url: status.endpoint?.url
+					} });
+					continue;
+				}
+			}
+			const endpoint = await impl.start();
+			this.ctx.logger.info("autostart: provider started", { meta: {
+				addonId,
+				url: endpoint.url
+			} });
+		} catch (err) {
+			this.ctx.logger.error("autostart: provider start failed", { meta: {
+				addonId,
+				error: err instanceof Error ? err.message : String(err)
+			} });
+		}
+	}
+	async markEnabled(addonId, enabled) {
+		const current = new Set(this.config.enabledProviders);
+		const wasEnabled = current.has(addonId);
+		if (enabled) current.add(addonId);
+		else current.delete(addonId);
+		if (wasEnabled === enabled) return;
+		this.ctx.logger.info("remote-access intent updated", { meta: {
+			addonId,
+			enabled
+		} });
+		await this.updateGlobalSettings({ enabledProviders: [...current] });
+	}
+	resolveImpl(addonId) {
+		return (this.capabilities?.getCollectionEntries("network-access") ?? []).find(([id]) => id === addonId)?.[1] ?? null;
+	}
+};
+//#endregion
+export { RemoteAccessOrchestratorAddon, RemoteAccessOrchestratorAddon as default };