@clawos-dev/clawd 0.2.27 → 0.2.28-beta.38.7eb315d

package/dist/cli.cjs

@@ -296,8 +296,8 @@ var require_req = __commonJS({
       if (req.originalUrl) {
         _req.url = req.originalUrl;
       } else {
-        const path20 = req.path;
-        _req.url = typeof path20 === "string" ? path20 : req.url ? req.url.path || req.url : void 0;
+        const path23 = req.path;
+        _req.url = typeof path23 === "string" ? path23 : req.url ? req.url.path || req.url : void 0;
       }
       if (req.query) {
         _req.query = req.query;
@@ -462,14 +462,14 @@ var require_redact = __commonJS({
       }
       return obj;
     }
-    function parsePath(path20) {
+    function parsePath(path23) {
       const parts = [];
       let current = "";
       let inBrackets = false;
       let inQuotes = false;
       let quoteChar = "";
-      for (let i = 0; i < path20.length; i++) {
-        const char = path20[i];
+      for (let i = 0; i < path23.length; i++) {
+        const char = path23[i];
         if (!inBrackets && char === ".") {
           if (current) {
             parts.push(current);
@@ -600,10 +600,10 @@ var require_redact = __commonJS({
       return current;
     }
     function redactPaths(obj, paths, censor, remove = false) {
-      for (const path20 of paths) {
-        const parts = parsePath(path20);
+      for (const path23 of paths) {
+        const parts = parsePath(path23);
         if (parts.includes("*")) {
-          redactWildcardPath(obj, parts, censor, path20, remove);
+          redactWildcardPath(obj, parts, censor, path23, remove);
         } else {
           if (remove) {
             removeKey(obj, parts);
@@ -688,8 +688,8 @@ var require_redact = __commonJS({
           }
         } else {
           if (afterWildcard.includes("*")) {
-            const wrappedCensor = typeof censor === "function" ? (value, path20) => {
-              const fullPath = [...pathArray.slice(0, pathLength), ...path20];
+            const wrappedCensor = typeof censor === "function" ? (value, path23) => {
+              const fullPath = [...pathArray.slice(0, pathLength), ...path23];
               return censor(value, fullPath);
             } : censor;
             redactWildcardPath(current, afterWildcard, wrappedCensor, originalPath, remove);
@@ -724,8 +724,8 @@ var require_redact = __commonJS({
         return null;
       }
       const pathStructure = /* @__PURE__ */ new Map();
-      for (const path20 of pathsToClone) {
-        const parts = parsePath(path20);
+      for (const path23 of pathsToClone) {
+        const parts = parsePath(path23);
         let current = pathStructure;
         for (let i = 0; i < parts.length; i++) {
           const part = parts[i];
@@ -777,24 +777,24 @@ var require_redact = __commonJS({
       }
       return cloneSelectively(obj, pathStructure);
     }
-    function validatePath(path20) {
-      if (typeof path20 !== "string") {
+    function validatePath(path23) {
+      if (typeof path23 !== "string") {
         throw new Error("Paths must be (non-empty) strings");
       }
-      if (path20 === "") {
+      if (path23 === "") {
         throw new Error("Invalid redaction path ()");
       }
-      if (path20.includes("..")) {
-        throw new Error(`Invalid redaction path (${path20})`);
+      if (path23.includes("..")) {
+        throw new Error(`Invalid redaction path (${path23})`);
       }
-      if (path20.includes(",")) {
-        throw new Error(`Invalid redaction path (${path20})`);
+      if (path23.includes(",")) {
+        throw new Error(`Invalid redaction path (${path23})`);
       }
       let bracketCount = 0;
       let inQuotes = false;
       let quoteChar = "";
-      for (let i = 0; i < path20.length; i++) {
-        const char = path20[i];
+      for (let i = 0; i < path23.length; i++) {
+        const char = path23[i];
         if ((char === '"' || char === "'") && bracketCount > 0) {
           if (!inQuotes) {
             inQuotes = true;
@@ -808,20 +808,20 @@ var require_redact = __commonJS({
         } else if (char === "]" && !inQuotes) {
           bracketCount--;
           if (bracketCount < 0) {
-            throw new Error(`Invalid redaction path (${path20})`);
+            throw new Error(`Invalid redaction path (${path23})`);
           }
         }
       }
       if (bracketCount !== 0) {
-        throw new Error(`Invalid redaction path (${path20})`);
+        throw new Error(`Invalid redaction path (${path23})`);
       }
     }
     function validatePaths(paths) {
       if (!Array.isArray(paths)) {
         throw new TypeError("paths must be an array");
       }
-      for (const path20 of paths) {
-        validatePath(path20);
+      for (const path23 of paths) {
+        validatePath(path23);
       }
     }
     function slowRedact(options = {}) {
@@ -989,8 +989,8 @@ var require_redaction = __commonJS({
         if (shape[k] === null) {
           o[k] = (value) => topCensor(value, [k]);
         } else {
-          const wrappedCensor = typeof censor === "function" ? (value, path20) => {
-            return censor(value, [k, ...path20]);
+          const wrappedCensor = typeof censor === "function" ? (value, path23) => {
+            return censor(value, [k, ...path23]);
           } : censor;
           o[k] = Redact({
             paths: shape[k],
@@ -1208,10 +1208,10 @@ var require_atomic_sleep = __commonJS({
 var require_sonic_boom = __commonJS({
   "../node_modules/.pnpm/sonic-boom@4.2.1/node_modules/sonic-boom/index.js"(exports2, module2) {
     "use strict";
-    var fs20 = require("fs");
+    var fs22 = require("fs");
     var EventEmitter = require("events");
     var inherits = require("util").inherits;
-    var path20 = require("path");
+    var path23 = require("path");
     var sleep = require_atomic_sleep();
     var assert = require("assert");
     var BUSY_WRITE_TIMEOUT = 100;
@@ -1265,20 +1265,20 @@ var require_sonic_boom = __commonJS({
       const mode = sonic.mode;
       if (sonic.sync) {
         try {
-          if (sonic.mkdir) fs20.mkdirSync(path20.dirname(file), { recursive: true });
-          const fd = fs20.openSync(file, flags, mode);
+          if (sonic.mkdir) fs22.mkdirSync(path23.dirname(file), { recursive: true });
+          const fd = fs22.openSync(file, flags, mode);
           fileOpened(null, fd);
         } catch (err) {
           fileOpened(err);
           throw err;
         }
       } else if (sonic.mkdir) {
-        fs20.mkdir(path20.dirname(file), { recursive: true }, (err) => {
+        fs22.mkdir(path23.dirname(file), { recursive: true }, (err) => {
           if (err) return fileOpened(err);
-          fs20.open(file, flags, mode, fileOpened);
+          fs22.open(file, flags, mode, fileOpened);
         });
       } else {
-        fs20.open(file, flags, mode, fileOpened);
+        fs22.open(file, flags, mode, fileOpened);
       }
     }
     function SonicBoom(opts) {
@@ -1319,8 +1319,8 @@ var require_sonic_boom = __commonJS({
         this.flush = flushBuffer;
         this.flushSync = flushBufferSync;
         this._actualWrite = actualWriteBuffer;
-        fsWriteSync = () => fs20.writeSync(this.fd, this._writingBuf);
-        fsWrite = () => fs20.write(this.fd, this._writingBuf, this.release);
+        fsWriteSync = () => fs22.writeSync(this.fd, this._writingBuf);
+        fsWrite = () => fs22.write(this.fd, this._writingBuf, this.release);
       } else if (contentMode === void 0 || contentMode === kContentModeUtf8) {
         this._writingBuf = "";
         this.write = write;
@@ -1329,15 +1329,15 @@ var require_sonic_boom = __commonJS({
         this._actualWrite = actualWrite;
         fsWriteSync = () => {
           if (Buffer.isBuffer(this._writingBuf)) {
-            return fs20.writeSync(this.fd, this._writingBuf);
+            return fs22.writeSync(this.fd, this._writingBuf);
           }
-          return fs20.writeSync(this.fd, this._writingBuf, "utf8");
+          return fs22.writeSync(this.fd, this._writingBuf, "utf8");
         };
         fsWrite = () => {
           if (Buffer.isBuffer(this._writingBuf)) {
-            return fs20.write(this.fd, this._writingBuf, this.release);
+            return fs22.write(this.fd, this._writingBuf, this.release);
           }
-          return fs20.write(this.fd, this._writingBuf, "utf8", this.release);
+          return fs22.write(this.fd, this._writingBuf, "utf8", this.release);
         };
       } else {
         throw new Error(`SonicBoom supports "${kContentModeUtf8}" and "${kContentModeBuffer}", but passed ${contentMode}`);
@@ -1394,7 +1394,7 @@ var require_sonic_boom = __commonJS({
           }
         }
         if (this._fsync) {
-          fs20.fsyncSync(this.fd);
+          fs22.fsyncSync(this.fd);
         }
         const len = this._len;
         if (this._reopening) {
@@ -1508,7 +1508,7 @@ var require_sonic_boom = __commonJS({
       const onDrain = () => {
         if (!this._fsync) {
           try {
-            fs20.fsync(this.fd, (err) => {
+            fs22.fsync(this.fd, (err) => {
               this._flushPending = false;
               cb(err);
             });
@@ -1610,7 +1610,7 @@ var require_sonic_boom = __commonJS({
       const fd = this.fd;
       this.once("ready", () => {
         if (fd !== this.fd) {
-          fs20.close(fd, (err) => {
+          fs22.close(fd, (err) => {
             if (err) {
               return this.emit("error", err);
             }
@@ -1659,7 +1659,7 @@ var require_sonic_boom = __commonJS({
           buf = this._bufs[0];
         }
         try {
-          const n = Buffer.isBuffer(buf) ? fs20.writeSync(this.fd, buf) : fs20.writeSync(this.fd, buf, "utf8");
+          const n = Buffer.isBuffer(buf) ? fs22.writeSync(this.fd, buf) : fs22.writeSync(this.fd, buf, "utf8");
           const releasedBufObj = releaseWritingBuf(buf, this._len, n);
           buf = releasedBufObj.writingBuf;
           this._len = releasedBufObj.len;
@@ -1675,7 +1675,7 @@ var require_sonic_boom = __commonJS({
         }
       }
       try {
-        fs20.fsyncSync(this.fd);
+        fs22.fsyncSync(this.fd);
       } catch {
       }
     }
@@ -1696,7 +1696,7 @@ var require_sonic_boom = __commonJS({
           buf = mergeBuf(this._bufs[0], this._lens[0]);
         }
         try {
-          const n = fs20.writeSync(this.fd, buf);
+          const n = fs22.writeSync(this.fd, buf);
           buf = buf.subarray(n);
           this._len = Math.max(this._len - n, 0);
           if (buf.length <= 0) {
@@ -1724,13 +1724,13 @@ var require_sonic_boom = __commonJS({
       this._writingBuf = this._writingBuf.length ? this._writingBuf : this._bufs.shift() || "";
       if (this.sync) {
         try {
-          const written = Buffer.isBuffer(this._writingBuf) ? fs20.writeSync(this.fd, this._writingBuf) : fs20.writeSync(this.fd, this._writingBuf, "utf8");
+          const written = Buffer.isBuffer(this._writingBuf) ? fs22.writeSync(this.fd, this._writingBuf) : fs22.writeSync(this.fd, this._writingBuf, "utf8");
           release(null, written);
         } catch (err) {
           release(err);
         }
       } else {
-        fs20.write(this.fd, this._writingBuf, release);
+        fs22.write(this.fd, this._writingBuf, release);
       }
     }
     function actualWriteBuffer() {
@@ -1739,7 +1739,7 @@ var require_sonic_boom = __commonJS({
       this._writingBuf = this._writingBuf.length ? this._writingBuf : mergeBuf(this._bufs.shift(), this._lens.shift());
       if (this.sync) {
         try {
-          const written = fs20.writeSync(this.fd, this._writingBuf);
+          const written = fs22.writeSync(this.fd, this._writingBuf);
           release(null, written);
         } catch (err) {
           release(err);
@@ -1748,7 +1748,7 @@ var require_sonic_boom = __commonJS({
         if (kCopyBuffer) {
           this._writingBuf = Buffer.from(this._writingBuf);
         }
-        fs20.write(this.fd, this._writingBuf, release);
+        fs22.write(this.fd, this._writingBuf, release);
       }
     }
     function actualClose(sonic) {
@@ -1764,12 +1764,12 @@ var require_sonic_boom = __commonJS({
       sonic._lens = [];
       assert(typeof sonic.fd === "number", `sonic.fd must be a number, got ${typeof sonic.fd}`);
       try {
-        fs20.fsync(sonic.fd, closeWrapped);
+        fs22.fsync(sonic.fd, closeWrapped);
       } catch {
       }
       function closeWrapped() {
         if (sonic.fd !== 1 && sonic.fd !== 2) {
-          fs20.close(sonic.fd, done);
+          fs22.close(sonic.fd, done);
         } else {
           done();
         }
@@ -4391,6 +4391,16 @@ var init_methods = __esm({
       "git:worktree:create",
       "git:worktree:remove",
       "capabilities:get",
+      // ---- persona:* (老板侧管理 + 插话；alice 走 persona-bound WS 简化协议，不在此白名单) ----
+      "persona:create",
+      "persona:list",
+      "persona:get",
+      "persona:update",
+      "persona:delete",
+      "persona:issueToken",
+      "persona:revokeToken",
+      "persona:listSubSessions",
+      "persona:appendOwnerMessage",
       "info",
       "ping"
     ];
@@ -4398,17 +4408,10 @@ var init_methods = __esm({
 });
 
 // ../protocol/src/events.ts
-var SESSION_STATUS_VALUES, HISTORY_USER_META_VALUES, ASK_USER_QUESTION_TOOL_NAME;
+var HISTORY_USER_META_VALUES, ASK_USER_QUESTION_TOOL_NAME;
 var init_events = __esm({
   "../protocol/src/events.ts"() {
     "use strict";
-    SESSION_STATUS_VALUES = [
-      "idle",
-      "running",
-      "stopped",
-      "error",
-      "observing"
-    ];
     HISTORY_USER_META_VALUES = [
       "task-notification",
       "slash-command",
@@ -4873,8 +4876,8 @@ var init_parseUtil = __esm({
     init_errors2();
     init_en();
     makeIssue = (params) => {
-      const { data, path: path20, errorMaps, issueData } = params;
-      const fullPath = [...path20, ...issueData.path || []];
+      const { data, path: path23, errorMaps, issueData } = params;
+      const fullPath = [...path23, ...issueData.path || []];
       const fullIssue = {
         ...issueData,
         path: fullPath
@@ -5185,11 +5188,11 @@ var init_types = __esm({
     init_parseUtil();
     init_util();
     ParseInputLazyPath = class {
-      constructor(parent, value, path20, key) {
+      constructor(parent, value, path23, key) {
         this._cachedPath = [];
         this.parent = parent;
         this.data = value;
-        this._path = path20;
+        this._path = path23;
         this._key = key;
       }
       get path() {
@@ -8572,14 +8575,136 @@ var init_zod = __esm({
   }
 });
 
+// ../protocol/src/persona-schemas.ts
+var ALLOWED_PERSONA_TOOLS, PersonaTokenEntrySchema, PersonaFileSchema, PersonaHelloFrameSchema, PersonaSendFrameSchema, PersonaResetFrameSchema, PersonaPingFrameSchema, PersonaReadyFrameSchema, PersonaHistoryEventFrameSchema, PersonaHistoryDoneFrameSchema, PersonaEventFrameSchema, PersonaErrorFrameSchema, PersonaPongFrameSchema, PersonaClientFrameSchema, PersonaServerFrameSchema, PersonaCreateArgs, PersonaIdArgs, PersonaUpdateArgs, PersonaIssueTokenArgs, PersonaRevokeTokenArgs, PersonaAppendOwnerMessageArgs;
+var init_persona_schemas = __esm({
+  "../protocol/src/persona-schemas.ts"() {
+    "use strict";
+    init_zod();
+    ALLOWED_PERSONA_TOOLS = ["Read", "Grep", "Glob"];
+    PersonaTokenEntrySchema = external_exports.object({
+      label: external_exports.string().min(1),
+      issuedAt: external_exports.string(),
+      revoked: external_exports.boolean().optional()
+    });
+    PersonaFileSchema = external_exports.object({
+      personaId: external_exports.string().min(1),
+      label: external_exports.string().min(1),
+      // cwd 必须是绝对路径；老板侧创建时 daemon 校验
+      cwd: external_exports.string().refine((p) => p.startsWith("/"), { message: "cwd must be absolute" }),
+      model: external_exports.string().optional(),
+      systemPromptAppend: external_exports.string().optional(),
+      // L1 锁死：permissionMode 只能是 'plan'，toolAllowlist 只能是 ALLOWED_PERSONA_TOOLS 子集
+      permissionMode: external_exports.literal("plan"),
+      toolAllowlist: external_exports.array(external_exports.enum(ALLOWED_PERSONA_TOOLS)),
+      public: external_exports.boolean(),
+      tokenMap: external_exports.record(external_exports.string(), PersonaTokenEntrySchema),
+      createdAt: external_exports.string(),
+      updatedAt: external_exports.string()
+    });
+    PersonaHelloFrameSchema = external_exports.object({
+      kind: external_exports.literal("persona-hello"),
+      token: external_exports.string().min(1)
+    });
+    PersonaSendFrameSchema = external_exports.object({
+      kind: external_exports.literal("send"),
+      text: external_exports.string()
+    });
+    PersonaResetFrameSchema = external_exports.object({
+      kind: external_exports.literal("reset")
+    });
+    PersonaPingFrameSchema = external_exports.object({
+      kind: external_exports.literal("ping")
+    });
+    PersonaReadyFrameSchema = external_exports.object({
+      kind: external_exports.literal("persona-ready"),
+      subSessionId: external_exports.string(),
+      personaLabel: external_exports.string(),
+      cwd: external_exports.string(),
+      model: external_exports.string().optional()
+    });
+    PersonaHistoryEventFrameSchema = external_exports.object({
+      kind: external_exports.literal("history-event"),
+      event: external_exports.unknown()
+    });
+    PersonaHistoryDoneFrameSchema = external_exports.object({
+      kind: external_exports.literal("history-done")
+    });
+    PersonaEventFrameSchema = external_exports.object({
+      kind: external_exports.literal("event"),
+      event: external_exports.unknown()
+    });
+    PersonaErrorFrameSchema = external_exports.object({
+      kind: external_exports.literal("error"),
+      code: external_exports.enum([
+        "TOKEN_INVALID",
+        "TOKEN_REVOKED",
+        "PERSONA_DELETED",
+        "PERSONA_NOT_PUBLIC",
+        "INTERNAL"
+      ]),
+      message: external_exports.string()
+    });
+    PersonaPongFrameSchema = external_exports.object({
+      kind: external_exports.literal("pong")
+    });
+    PersonaClientFrameSchema = external_exports.discriminatedUnion("kind", [
+      PersonaHelloFrameSchema,
+      PersonaSendFrameSchema,
+      PersonaResetFrameSchema,
+      PersonaPingFrameSchema
+    ]);
+    PersonaServerFrameSchema = external_exports.discriminatedUnion("kind", [
+      PersonaReadyFrameSchema,
+      PersonaHistoryEventFrameSchema,
+      PersonaHistoryDoneFrameSchema,
+      PersonaEventFrameSchema,
+      PersonaErrorFrameSchema,
+      PersonaPongFrameSchema
+    ]);
+    PersonaCreateArgs = external_exports.object({
+      label: external_exports.string().min(1),
+      cwd: external_exports.string().min(1),
+      model: external_exports.string().optional(),
+      systemPromptAppend: external_exports.string().optional()
+    });
+    PersonaIdArgs = external_exports.object({
+      personaId: external_exports.string().min(1)
+    });
+    PersonaUpdateArgs = external_exports.object({
+      personaId: external_exports.string().min(1),
+      patch: external_exports.object({
+        label: external_exports.string().min(1).optional(),
+        cwd: external_exports.string().min(1).optional(),
+        model: external_exports.string().optional(),
+        systemPromptAppend: external_exports.string().optional(),
+        public: external_exports.boolean().optional()
+      }).strict()
+    });
+    PersonaIssueTokenArgs = external_exports.object({
+      personaId: external_exports.string().min(1),
+      label: external_exports.string().min(1)
+    });
+    PersonaRevokeTokenArgs = external_exports.object({
+      personaId: external_exports.string().min(1),
+      token: external_exports.string().min(1)
+    });
+    PersonaAppendOwnerMessageArgs = external_exports.object({
+      personaId: external_exports.string().min(1),
+      subSessionId: external_exports.string().min(1),
+      text: external_exports.string().min(1)
+    });
+  }
+});
+
 // ../protocol/src/schemas.ts
-var SessionStatusSchema, UsageSchema, ContextUsageSchema, sessionMetaShape, SessionMetaSchema, ModelInfoSchema, ModeInfoSchema, ConfigFieldSchemaSchema, CapabilitiesGetArgs, CapabilitiesResponseSchema, AllowRuleSchema, SessionFileSchema, ParsedEventBase, HistoryUserMetaSchema, SubagentToolStatsSchema, StructuredPatchHunkSchema, ToolResultExtraSchema, MemoryEntrySchema, AskQuestionOptionSchema, AskQuestionItemSchema, ParsedEventSchema, SessionCreateArgs, SessionIdArgs, SessionUpdateArgs, SessionSendArgs, SessionRewindArgs, SessionRewindResponseSchema, SessionRewindDiffArgs, RewindDiffHunkSchema, RewindDiffFileSchema, SessionRewindDiffResponseSchema, SessionRewindableMessageIdsArgs, SessionRewindableMessageIdsResponseSchema, SessionResumeArgs, SessionForkArgs, SessionForkResponseSchema, SessionObserveArgs, SessionEventsArgs, PermissionRespondArgs, HistoryListArgs, HistoryReadArgs, HistorySubagentsArgs, HistorySubagentReadArgs, WorkspaceListArgs, WorkspaceReadArgs, SkillsListArgs, SessionSubscribeArgs, SessionPinArgs, SessionReorderPinsArgs, GitRootArgs, GitRootResponseSchema, GitBranchArgs, GitBranchResponseSchema, GitBranchesArgs, GitBranchesResponseSchema, GitWorktreePrefixArgs, GitWorktreePrefixResponseSchema, GitWorktreeCreateArgs, GitWorktreeCreateResponseSchema, GitWorktreeRemoveArgs, GitWorktreeRemoveResponseSchema, HistoryRecentDirsArgs, RecentDirEntrySchema, HistoryRecentDirsResponseSchema, SessionQuestionFrameSchema, SessionQuestionClearedFrameSchema, AnswerQuestionArgs, AnswerQuestionResponseSchema, AuthRequestFrameSchema, AuthOkFrameSchema, TunnelExitedEventSchema, InfoRunningSessionSchema, InfoResponseSchema;
+var UsageSchema, ContextUsageSchema, sessionMetaShape, SessionMetaSchema, ModelInfoSchema, ModeInfoSchema, ConfigFieldSchemaSchema, CapabilitiesGetArgs, CapabilitiesResponseSchema, AllowRuleSchema, SessionFileSchema, ParsedEventBase, HistoryUserMetaSchema, SubagentToolStatsSchema, StructuredPatchHunkSchema, ToolResultExtraSchema, MemoryEntrySchema, AskQuestionOptionSchema, AskQuestionItemSchema, ParsedEventSchema, SessionCreateArgs, SessionIdArgs, SessionUpdateArgs, SessionSendArgs, SessionRewindArgs, SessionRewindResponseSchema, SessionRewindDiffArgs, RewindDiffHunkSchema, RewindDiffFileSchema, SessionRewindDiffResponseSchema, SessionRewindableMessageIdsArgs, SessionRewindableMessageIdsResponseSchema, SessionResumeArgs, SessionForkArgs, SessionForkResponseSchema, SessionObserveArgs, SessionEventsArgs, PermissionRespondArgs, HistoryListArgs, HistoryReadArgs, HistorySubagentsArgs, HistorySubagentReadArgs, WorkspaceListArgs, WorkspaceReadArgs, SkillsListArgs, SessionSubscribeArgs, SessionPinArgs, SessionReorderPinsArgs, GitRootArgs, GitRootResponseSchema, GitBranchArgs, GitBranchResponseSchema, GitBranchesArgs, GitBranchesResponseSchema, GitWorktreePrefixArgs, GitWorktreePrefixResponseSchema, GitWorktreeCreateArgs, GitWorktreeCreateResponseSchema, GitWorktreeRemoveArgs, GitWorktreeRemoveResponseSchema, HistoryRecentDirsArgs, RecentDirEntrySchema, HistoryRecentDirsResponseSchema, SessionQuestionFrameSchema, AnswerQuestionArgs, AnswerQuestionResponseSchema, AuthRequestFrameSchema, AuthOkFrameSchema, TunnelExitedEventSchema;
 var init_schemas = __esm({
   "../protocol/src/schemas.ts"() {
     "use strict";
     init_zod();
     init_events();
-    SessionStatusSchema = external_exports.enum(SESSION_STATUS_VALUES);
+    init_persona_schemas();
     UsageSchema = external_exports.object({
       input_tokens: external_exports.number().int().nonnegative().optional(),
       cache_read_input_tokens: external_exports.number().int().nonnegative().optional(),
@@ -8853,6 +8978,16 @@ var init_schemas = __esm({
         ...ParsedEventBase,
         kind: external_exports.literal("meta_update"),
         patch: SessionMetaSchema
+      }),
+      // 系统消息（CC 自家系统提示 / 老板插话补充）；persona 场景下区分两类：
+      //   metaSource='cc'    → CC 注入的系统消息（默认低视觉权重渲染）
+      //   metaSource='owner' → 老板通过 persona:appendOwnerMessage 插入的话（蓝色气泡）
+      // 缺省视为 'cc'；现有非 persona 场景保持兼容（不需要 owner 时不下发该字段）
+      external_exports.object({
+        ...ParsedEventBase,
+        kind: external_exports.literal("meta-text"),
+        text: external_exports.string(),
+        metaSource: external_exports.enum(["cc", "owner"]).optional()
       })
     ]);
     SessionCreateArgs = external_exports.object({
@@ -9042,13 +9177,6 @@ var init_schemas = __esm({
       // UI 单卡承载多 question；空数组语义无效，schema 必拒
       questions: external_exports.array(AskQuestionItemSchema).min(1)
     });
-    SessionQuestionClearedFrameSchema = external_exports.object({
-      type: external_exports.literal("session:question:cleared"),
-      sessionId: external_exports.string().min(1),
-      toolUseId: external_exports.string().min(1),
-      // record<string,string>：与 AnswerQuestionArgs.answers 同形状（question text → label）
-      answers: external_exports.record(external_exports.string(), external_exports.string()).optional()
-    });
     AnswerQuestionArgs = external_exports.object({
       sessionId: external_exports.string().min(1),
       toolUseId: external_exports.string().min(1),
@@ -9071,22 +9199,6 @@ var init_schemas = __esm({
       subdomain: external_exports.string().nullable(),
       url: external_exports.string().nullable()
     });
-    InfoRunningSessionSchema = external_exports.object({
-      sessionId: external_exports.string().min(1),
-      status: SessionStatusSchema,
-      freshSpawn: external_exports.boolean(),
-      pendingPermissionsCount: external_exports.number().int().nonnegative(),
-      pendingQuestionsCount: external_exports.number().int().nonnegative()
-    });
-    InfoResponseSchema = external_exports.object({
-      type: external_exports.literal("info"),
-      version: external_exports.string(),
-      protocolVersion: external_exports.number(),
-      hostname: external_exports.string(),
-      os: external_exports.string(),
-      tools: external_exports.array(external_exports.object({ id: external_exports.string(), available: external_exports.boolean() })),
-      runningSessions: external_exports.array(InfoRunningSessionSchema)
-    });
   }
 });
 
@@ -9108,6 +9220,7 @@ var init_runtime = __esm({
     init_errors();
     init_schemas();
     init_frames();
+    init_persona_schemas();
   }
 });
 
@@ -9684,11 +9797,11 @@ var init_lib = __esm({
           }
         }
       },
-      addToPath: function addToPath(path20, added, removed, oldPosInc, options) {
-        var last = path20.lastComponent;
+      addToPath: function addToPath(path23, added, removed, oldPosInc, options) {
+        var last = path23.lastComponent;
         if (last && !options.oneChangePerToken && last.added === added && last.removed === removed) {
           return {
-            oldPos: path20.oldPos + oldPosInc,
+            oldPos: path23.oldPos + oldPosInc,
             lastComponent: {
               count: last.count + 1,
               added,
@@ -9698,7 +9811,7 @@ var init_lib = __esm({
           };
         } else {
           return {
-            oldPos: path20.oldPos + oldPosInc,
+            oldPos: path23.oldPos + oldPosInc,
             lastComponent: {
               count: 1,
               added,
@@ -9944,7 +10057,7 @@ function hashDirToCwd(hash) {
 }
 function safeStatMtime(p) {
   try {
-    return import_node_fs6.default.statSync(p).mtimeMs;
+    return import_node_fs8.default.statSync(p).mtimeMs;
   } catch {
     return 0;
   }
@@ -9952,7 +10065,7 @@ function safeStatMtime(p) {
 function readJsonlLines(file) {
   let raw;
   try {
-    raw = import_node_fs6.default.readFileSync(file, "utf8");
+    raw = import_node_fs8.default.readFileSync(file, "utf8");
   } catch (err) {
     if (err.code === "ENOENT") return [];
     throw err;
@@ -10129,10 +10242,10 @@ function attachmentToHistoryMessage(o, ts) {
     const memories = raw.map((m) => {
       if (!m || typeof m !== "object") return null;
       const rec = m;
-      const path20 = typeof rec.path === "string" ? rec.path : null;
+      const path23 = typeof rec.path === "string" ? rec.path : null;
       const content = typeof rec.content === "string" ? rec.content : null;
-      if (!path20 || content == null) return null;
-      const entry = { path: path20, content };
+      if (!path23 || content == null) return null;
+      const entry = { path: path23, content };
       if (typeof rec.mtimeMs === "number") entry.mtimeMs = rec.mtimeMs;
       return entry;
     }).filter((m) => m !== null);
@@ -10168,8 +10281,8 @@ function attachmentDeferredToolsText(a) {
 function readBackupContent(fileHistoryRoot, toolSessionId, backupFileName) {
   if (backupFileName === null) return null;
   try {
-    return import_node_fs6.default.readFileSync(
-      import_node_path5.default.join(fileHistoryRoot, toolSessionId, backupFileName),
+    return import_node_fs8.default.readFileSync(
+      import_node_path8.default.join(fileHistoryRoot, toolSessionId, backupFileName),
       "utf8"
     );
   } catch {
@@ -10178,19 +10291,19 @@ function readBackupContent(fileHistoryRoot, toolSessionId, backupFileName) {
 }
 function readCurrentContent(filePath) {
   try {
-    return import_node_fs6.default.readFileSync(filePath, "utf8");
+    return import_node_fs8.default.readFileSync(filePath, "utf8");
   } catch (err) {
     if (err.code === "ENOENT") return null;
     return null;
   }
 }
-var import_node_fs6, import_node_os2, import_node_path5, TASK_NOTIFICATION_RE, TASK_ID_RE, TOOL_USE_ID_RE, SLASH_COMMAND_RE, LOCAL_COMMAND_RE, SYSTEM_REMINDER_RE, OPENSPEC_BLOCK_RE, SKILL_HINT_RE, ATTACHMENT_SILENT_SUBTYPES, ClaudeHistoryReader;
+var import_node_fs8, import_node_os2, import_node_path8, TASK_NOTIFICATION_RE, TASK_ID_RE, TOOL_USE_ID_RE, SLASH_COMMAND_RE, LOCAL_COMMAND_RE, SYSTEM_REMINDER_RE, OPENSPEC_BLOCK_RE, SKILL_HINT_RE, ATTACHMENT_SILENT_SUBTYPES, ClaudeHistoryReader;
 var init_claude_history = __esm({
   "src/tools/claude-history.ts"() {
     "use strict";
-    import_node_fs6 = __toESM(require("fs"), 1);
+    import_node_fs8 = __toESM(require("fs"), 1);
     import_node_os2 = __toESM(require("os"), 1);
-    import_node_path5 = __toESM(require("path"), 1);
+    import_node_path8 = __toESM(require("path"), 1);
     init_lib();
     init_tool_result_extra();
     TASK_NOTIFICATION_RE = /<task-notification\b[\s\S]*?<\/task-notification>/i;
@@ -10214,14 +10327,14 @@ var init_claude_history = __esm({
       // 每次 user 提交前 trackEdit 拷一份，作为 rewind 回退目标
       fileHistoryRoot;
       constructor(opts = {}) {
-        const base = opts.baseDir ?? import_node_path5.default.join(import_node_os2.default.homedir(), ".claude");
-        this.projectsRoot = import_node_path5.default.join(base, "projects");
-        this.fileHistoryRoot = import_node_path5.default.join(base, "file-history");
+        const base = opts.baseDir ?? import_node_path8.default.join(import_node_os2.default.homedir(), ".claude");
+        this.projectsRoot = import_node_path8.default.join(base, "projects");
+        this.fileHistoryRoot = import_node_path8.default.join(base, "file-history");
       }
       async listProjects() {
         let entries;
         try {
-          entries = import_node_fs6.default.readdirSync(this.projectsRoot, { withFileTypes: true });
+          entries = import_node_fs8.default.readdirSync(this.projectsRoot, { withFileTypes: true });
         } catch (err) {
           if (err.code === "ENOENT") return [];
           throw err;
@@ -10229,9 +10342,9 @@ var init_claude_history = __esm({
         const out = [];
         for (const ent of entries) {
           if (!ent.isDirectory()) continue;
-          const dir = import_node_path5.default.join(this.projectsRoot, ent.name);
-          const files = import_node_fs6.default.readdirSync(dir).filter((f) => f.endsWith(".jsonl"));
-          const updatedAtMs = files.reduce((m, f) => Math.max(m, safeStatMtime(import_node_path5.default.join(dir, f))), 0);
+          const dir = import_node_path8.default.join(this.projectsRoot, ent.name);
+          const files = import_node_fs8.default.readdirSync(dir).filter((f) => f.endsWith(".jsonl"));
+          const updatedAtMs = files.reduce((m, f) => Math.max(m, safeStatMtime(import_node_path8.default.join(dir, f))), 0);
           out.push({
             projectPath: hashDirToCwd(ent.name),
             hashDir: ent.name,
@@ -10243,17 +10356,17 @@ var init_claude_history = __esm({
         return out;
       }
       async listSessions(args) {
-        const dir = import_node_path5.default.join(this.projectsRoot, cwdToHashDir(args.projectPath));
+        const dir = import_node_path8.default.join(this.projectsRoot, cwdToHashDir(args.projectPath));
         let files;
         try {
-          files = import_node_fs6.default.readdirSync(dir).filter((f) => f.endsWith(".jsonl"));
+          files = import_node_fs8.default.readdirSync(dir).filter((f) => f.endsWith(".jsonl"));
         } catch (err) {
           if (err.code === "ENOENT") return [];
           throw err;
         }
         const out = [];
         for (const f of files) {
-          const full = import_node_path5.default.join(dir, f);
+          const full = import_node_path8.default.join(dir, f);
           const toolSessionId = f.slice(0, -".jsonl".length);
           const lines = readJsonlLines(full);
           let summary = "";
@@ -10308,7 +10421,7 @@ var init_claude_history = __esm({
         return out;
       }
       async read(args) {
-        const file = import_node_path5.default.join(
+        const file = import_node_path8.default.join(
           this.projectsRoot,
           cwdToHashDir(args.cwd),
           `${args.toolSessionId}.jsonl`
@@ -10341,7 +10454,7 @@ var init_claude_history = __esm({
       // 独立目录路径：<projectsRoot>/<cwdHash>/<toolSessionId>/subagents/*.jsonl
       // 返回 null 表示目录不存在（调用方回退旧实现）；返回空数组表示目录存在但无 jsonl
       listSubagentsFromDirectory(cwd, toolSessionId) {
-        const dir = import_node_path5.default.join(
+        const dir = import_node_path8.default.join(
           this.projectsRoot,
           cwdToHashDir(cwd),
           toolSessionId,
@@ -10349,7 +10462,7 @@ var init_claude_history = __esm({
         );
         let entries;
         try {
-          entries = import_node_fs6.default.readdirSync(dir, { withFileTypes: true });
+          entries = import_node_fs8.default.readdirSync(dir, { withFileTypes: true });
         } catch (err) {
           if (err.code === "ENOENT") return null;
           return null;
@@ -10359,7 +10472,7 @@ var init_claude_history = __esm({
           if (!e.isFile()) continue;
           if (!e.name.startsWith("agent-") || !e.name.endsWith(".jsonl")) continue;
           const subagentId = e.name.slice("agent-".length, -".jsonl".length);
-          const filePath = import_node_path5.default.join(dir, e.name);
+          const filePath = import_node_path8.default.join(dir, e.name);
           const lines = readJsonlLines(filePath);
           let firstText = "";
           let messageCount = 0;
@@ -10376,7 +10489,7 @@ var init_claude_history = __esm({
         return out;
       }
       listSubagentsFromMainJsonl(cwd, toolSessionId) {
-        const file = import_node_path5.default.join(
+        const file = import_node_path8.default.join(
           this.projectsRoot,
           cwdToHashDir(cwd),
           `${toolSessionId}.jsonl`
@@ -10411,7 +10524,7 @@ var init_claude_history = __esm({
       }
       // 独立文件路径：agent-<subagentId>.jsonl；文件不存在返回 null 让调用方回退旧实现
       readSubagentFromFile(cwd, toolSessionId, subagentId) {
-        const file = import_node_path5.default.join(
+        const file = import_node_path8.default.join(
           this.projectsRoot,
           cwdToHashDir(cwd),
           toolSessionId,
@@ -10420,7 +10533,7 @@ var init_claude_history = __esm({
         );
         let exists = false;
         try {
-          exists = import_node_fs6.default.statSync(file).isFile();
+          exists = import_node_fs8.default.statSync(file).isFile();
         } catch {
           return null;
         }
@@ -10439,7 +10552,7 @@ var init_claude_history = __esm({
        * "那一刻每个 tracked 文件对应的 backup 文件名"
        */
       readFileHistorySnapshots(args) {
-        const file = import_node_path5.default.join(
+        const file = import_node_path8.default.join(
           this.projectsRoot,
           cwdToHashDir(args.cwd),
           `${args.toolSessionId}.jsonl`
@@ -10484,7 +10597,7 @@ var init_claude_history = __esm({
         for (const [anchorId, target] of snapshots) {
           let hasAny = false;
           for (const [rawPath, backup] of Object.entries(target)) {
-            const absPath = import_node_path5.default.isAbsolute(rawPath) ? rawPath : import_node_path5.default.join(args.cwd, rawPath);
+            const absPath = import_node_path8.default.isAbsolute(rawPath) ? rawPath : import_node_path8.default.join(args.cwd, rawPath);
             const backupContent = readBackupContent(
               this.fileHistoryRoot,
               args.toolSessionId,
@@ -10524,7 +10637,7 @@ var init_claude_history = __esm({
         let totalInsertions = 0;
         let totalDeletions = 0;
         for (const [rawPath, backup] of Object.entries(target)) {
-          const absPath = import_node_path5.default.isAbsolute(rawPath) ? rawPath : import_node_path5.default.join(args.cwd, rawPath);
+          const absPath = import_node_path8.default.isAbsolute(rawPath) ? rawPath : import_node_path8.default.join(args.cwd, rawPath);
           const backupContent = readBackupContent(
             this.fileHistoryRoot,
             args.toolSessionId,
@@ -10571,7 +10684,7 @@ var init_claude_history = __esm({
         };
       }
       readSubagentFromMainJsonl(cwd, toolSessionId, subagentId) {
-        const file = import_node_path5.default.join(
+        const file = import_node_path8.default.join(
           this.projectsRoot,
           cwdToHashDir(cwd),
           `${toolSessionId}.jsonl`
@@ -10595,27 +10708,27 @@ var init_claude_history = __esm({
 // src/tools/claude.ts
 function macOSDesktopCandidates(home) {
   return [
-    import_node_path6.default.join(home, "Applications", "Claude.app", "Contents", "Resources", "app.asar.unpacked", "node_modules", "@anthropic-ai", "claude-code", "cli.js"),
+    import_node_path9.default.join(home, "Applications", "Claude.app", "Contents", "Resources", "app.asar.unpacked", "node_modules", "@anthropic-ai", "claude-code", "cli.js"),
     "/Applications/Claude.app/Contents/Resources/app.asar.unpacked/node_modules/@anthropic-ai/claude-code/cli.js"
   ];
 }
 function probeViaWhich() {
   try {
     const out = (0, import_node_child_process2.execFileSync)("which", ["claude"], { encoding: "utf8" }).trim();
-    if (out && import_node_fs7.default.existsSync(out)) return out;
+    if (out && import_node_fs9.default.existsSync(out)) return out;
   } catch {
   }
   return null;
 }
 async function probeClaude(env = process.env, home = import_node_os3.default.homedir()) {
-  if (env.CLAUDE_BIN && import_node_fs7.default.existsSync(env.CLAUDE_BIN)) {
+  if (env.CLAUDE_BIN && import_node_fs9.default.existsSync(env.CLAUDE_BIN)) {
     return { available: true, path: env.CLAUDE_BIN };
   }
   const w = probeViaWhich();
   if (w) return { available: true, path: w };
   if (process.platform === "darwin") {
     for (const candidate of macOSDesktopCandidates(home)) {
-      if (import_node_fs7.default.existsSync(candidate)) {
+      if (import_node_fs9.default.existsSync(candidate)) {
         return { available: true, path: candidate };
       }
     }
@@ -10640,7 +10753,14 @@ function buildSpawnArgs(ctx) {
     "--verbose"
   ];
   if (ctx.model) args.push("--model", ctx.model);
-  if (ctx.permissionMode) args.push("--permission-mode", ctx.permissionMode);
+  const hardcoded = ctx.hardcodedToolAllowlist && ctx.hardcodedToolAllowlist.length > 0;
+  if (hardcoded) {
+    args.push("--permission-mode", ctx.hardcodedPermissionMode ?? "plan");
+    args.push("--add-dir", ctx.cwd);
+    args.push("--disallowed-tools", HARDCODED_DISALLOWED_TOOLS.join(" "));
+  } else if (ctx.permissionMode) {
+    args.push("--permission-mode", ctx.permissionMode);
+  }
   if (ctx.effort) args.push("--effort", ctx.effort);
   if (ctx.toolSessionId) args.push("--resume", ctx.toolSessionId);
   return args;
@@ -10919,10 +11039,10 @@ function parseAttachment(obj) {
     const memories = raw.map((m) => {
       if (!m || typeof m !== "object") return null;
       const rec = m;
-      const path20 = typeof rec.path === "string" ? rec.path : null;
+      const path23 = typeof rec.path === "string" ? rec.path : null;
       const content = typeof rec.content === "string" ? rec.content : null;
-      if (!path20 || content == null) return null;
-      const out = { path: path20, content };
+      if (!path23 || content == null) return null;
+      const out = { path: path23, content };
       if (typeof rec.mtimeMs === "number") out.mtimeMs = rec.mtimeMs;
       return out;
     }).filter((m) => m !== null);
@@ -11026,18 +11146,19 @@ function encodeClaudeStdin(text) {
   };
   return JSON.stringify(frame) + "\n";
 }
-var import_node_child_process, import_node_child_process2, import_node_fs7, import_node_os3, import_node_path6, ATTACHMENT_SILENT_SUBTYPES2, unknownTypeHandler, ATTACHMENT_RE, IMAGE_EXT_MIME, CLAUDE_MODELS, CLAUDE_PERMISSION_MODES, CLAUDE_CAPABILITIES, ClaudeAdapter;
+var import_node_child_process, import_node_child_process2, import_node_fs9, import_node_os3, import_node_path9, HARDCODED_DISALLOWED_TOOLS, ATTACHMENT_SILENT_SUBTYPES2, unknownTypeHandler, ATTACHMENT_RE, IMAGE_EXT_MIME, CLAUDE_MODELS, CLAUDE_PERMISSION_MODES, CLAUDE_CAPABILITIES, ClaudeAdapter;
 var init_claude = __esm({
   "src/tools/claude.ts"() {
     "use strict";
     import_node_child_process = require("child_process");
     import_node_child_process2 = require("child_process");
-    import_node_fs7 = __toESM(require("fs"), 1);
+    import_node_fs9 = __toESM(require("fs"), 1);
     import_node_os3 = __toESM(require("os"), 1);
-    import_node_path6 = __toESM(require("path"), 1);
+    import_node_path9 = __toESM(require("path"), 1);
     init_protocol();
     init_claude_history();
     init_tool_result_extra();
+    HARDCODED_DISALLOWED_TOOLS = ["Bash", "Edit", "Write", "WebFetch", "WebSearch", "Task"];
     ATTACHMENT_SILENT_SUBTYPES2 = /* @__PURE__ */ new Set([
       "hook_additional_context",
       "hook_success",
@@ -14789,7 +14910,7 @@ var require_websocket_server = __commonJS({
 // src/run-case/recorder.ts
 function startRunCaseRecorder(opts) {
   const now = opts.now ?? Date.now;
-  const dir = import_node_path18.default.dirname(opts.recordPath);
+  const dir = import_node_path21.default.dirname(opts.recordPath);
   let stream = null;
   let closing = false;
   let closedSettled = false;
@@ -14803,8 +14924,8 @@ function startRunCaseRecorder(opts) {
   });
   const ensureStream = () => {
     if (stream) return stream;
-    import_node_fs19.default.mkdirSync(dir, { recursive: true });
-    stream = import_node_fs19.default.createWriteStream(opts.recordPath, { flags: "a" });
+    import_node_fs21.default.mkdirSync(dir, { recursive: true });
+    stream = import_node_fs21.default.createWriteStream(opts.recordPath, { flags: "a" });
     stream.on("close", () => closedResolve());
     return stream;
   };
@@ -14829,12 +14950,12 @@ function startRunCaseRecorder(opts) {
   };
   return { tap, close, closed };
 }
-var import_node_fs19, import_node_path18;
+var import_node_fs21, import_node_path21;
 var init_recorder = __esm({
   "src/run-case/recorder.ts"() {
     "use strict";
-    import_node_fs19 = __toESM(require("fs"), 1);
-    import_node_path18 = __toESM(require("path"), 1);
+    import_node_fs21 = __toESM(require("fs"), 1);
+    import_node_path21 = __toESM(require("path"), 1);
   }
 });
 
@@ -14877,7 +14998,7 @@ var init_wire = __esm({
 // src/run-case/controller.ts
 async function runController(opts) {
   const now = opts.now ?? Date.now;
-  const cwd = opts.cwd ?? (0, import_node_fs20.mkdtempSync)(import_node_path19.default.join(import_node_os12.default.tmpdir(), "clawd-runcase-"));
+  const cwd = opts.cwd ?? (0, import_node_fs22.mkdtempSync)(import_node_path22.default.join(import_node_os12.default.tmpdir(), "clawd-runcase-"));
   const ownsCwd = opts.cwd === void 0;
   const recorder = startRunCaseRecorder({ recordPath: opts.record, now });
   const spawnCtx = { cwd };
@@ -15038,19 +15159,19 @@ async function runController(opts) {
   if (sigintHandler) process.off("SIGINT", sigintHandler);
   if (ownsCwd) {
     try {
-      (0, import_node_fs20.rmSync)(cwd, { recursive: true, force: true });
+      (0, import_node_fs22.rmSync)(cwd, { recursive: true, force: true });
     } catch {
     }
   }
   return exitCode ?? 0;
 }
-var import_node_fs20, import_node_os12, import_node_path19;
+var import_node_fs22, import_node_os12, import_node_path22;
 var init_controller = __esm({
   "src/run-case/controller.ts"() {
     "use strict";
-    import_node_fs20 = require("fs");
+    import_node_fs22 = require("fs");
     import_node_os12 = __toESM(require("os"), 1);
-    import_node_path19 = __toESM(require("path"), 1);
+    import_node_path22 = __toESM(require("path"), 1);
     init_claude();
     init_stdout_splitter();
     init_permission_stdio();
@@ -15275,8 +15396,8 @@ Env (advanced):
 `;
 
 // src/index.ts
-var import_node_path17 = __toESM(require("path"), 1);
-var import_node_fs18 = __toESM(require("fs"), 1);
+var import_node_path20 = __toESM(require("path"), 1);
+var import_node_fs20 = __toESM(require("fs"), 1);
 
 // src/logger.ts
 var import_node_fs2 = __toESM(require("fs"), 1);
@@ -15495,9 +15616,11 @@ function cloneState(s) {
     pendingQuestions: s.pendingQuestions,
     freshSpawn: s.freshSpawn,
     procAlive: s.procAlive,
-    seenUuids: s.seenUuids
+    seenUuids: s.seenUuids,
+    subSessionMeta: s.subSessionMeta
   };
 }
+var IDLE_KILL_DELAY_MS = 5e3;
 var SEEN_UUID_CAP = 2e3;
 function applyEventBatch(state, events, deps) {
   if (events.length === 0) return { state, effects: [] };
@@ -15530,14 +15653,21 @@ function emitSessionEvent(sessionId, event, target) {
   };
   return target ? { kind: "emit-frame", frame, target } : { kind: "emit-frame", frame };
 }
-function buildSpawnContext(file) {
-  return {
+function buildSpawnContext(state) {
+  const file = state.file;
+  const ctx = {
     cwd: file.cwd,
     toolSessionId: file.toolSessionId,
     model: file.model,
     permissionMode: file.permissionMode,
     effort: file.effort
   };
+  const meta = state.subSessionMeta;
+  if (meta?.toolAllowlist && meta.toolAllowlist.length > 0) {
+    ctx.hardcodedToolAllowlist = meta.toolAllowlist;
+    ctx.hardcodedPermissionMode = meta.permissionMode ?? "plan";
+  }
+  return ctx;
 }
 function sessionInfoFrame(file) {
   const frame = { type: "session:info", ...file };
@@ -15672,10 +15802,16 @@ function pushEventToBuffer(state, event, deps) {
     next.bufferStartSeq = trimmed[0]?.seq ?? seq;
   }
   if (next.freshSpawn) next.freshSpawn = false;
-  return {
-    state: next,
-    effects: [emitSessionEvent(next.file.sessionId, withSeq)]
-  };
+  const effects = [emitSessionEvent(next.file.sessionId, withSeq)];
+  if (isTurnEnd && next.subSessionMeta?.idleKillEnabled && next.procAlive && (next.status === "running" || next.status === "spawning")) {
+    next.status = "running-idle";
+    effects.push({
+      kind: "schedule-idle-kill",
+      sessionId: next.file.sessionId,
+      ms: IDLE_KILL_DELAY_MS
+    });
+  }
+  return { state: next, effects };
 }
 var RUNTIME_PATCH_KEYS = [
   "model",
@@ -15689,6 +15825,10 @@ function applyCommand(state, command, deps) {
   const sessionId = next.file.sessionId;
   switch (command.kind) {
     case "send": {
+      if (next.status === "running-idle") {
+        effects.push({ kind: "cancel-idle-kill", sessionId });
+        next.status = next.procAlive ? "running" : "idle";
+      }
       if (!next.procAlive) {
         next.procAlive = true;
         next.freshSpawn = true;
@@ -15697,7 +15837,7 @@ function applyCommand(state, command, deps) {
         next.nextSeq = 0;
         next.turnOpen = false;
         next.status = "running";
-        effects.push({ kind: "spawn", ctx: buildSpawnContext(next.file) });
+        effects.push({ kind: "spawn", ctx: buildSpawnContext(next) });
         effects.push({
           kind: "emit-frame",
           frame: {
@@ -15720,16 +15860,6 @@ function applyCommand(state, command, deps) {
       return { state: nextState, effects };
     }
     case "stop": {
-      for (const toolUseId of Object.keys(state.pendingQuestions ?? {})) {
-        effects.push({
-          kind: "emit-frame",
-          frame: {
-            type: "session:question:cleared",
-            sessionId,
-            toolUseId
-          }
-        });
-      }
       next.pendingPermissions = {};
       next.pendingQuestions = {};
       if (next.procAlive) {
@@ -15749,7 +15879,7 @@ function applyCommand(state, command, deps) {
       next.nextSeq = 0;
       next.turnOpen = false;
       next.status = "running";
-      effects.push({ kind: "spawn", ctx: buildSpawnContext(next.file) });
+      effects.push({ kind: "spawn", ctx: buildSpawnContext(next) });
       effects.push({
         kind: "emit-frame",
         frame: { type: "session:status", sessionId, status: "running" }
@@ -15757,16 +15887,6 @@ function applyCommand(state, command, deps) {
       return { state: next, effects };
     }
     case "delete": {
-      for (const toolUseId of Object.keys(state.pendingQuestions ?? {})) {
-        effects.push({
-          kind: "emit-frame",
-          frame: {
-            type: "session:question:cleared",
-            sessionId,
-            toolUseId
-          }
-        });
-      }
       next.pendingPermissions = {};
       next.pendingQuestions = {};
       if (next.procAlive) {
@@ -15878,17 +15998,6 @@ function reduceSession(state, input, deps) {
       const next = cloneState(state);
       next.procAlive = false;
       next.status = "stopped";
-      const sessionId = next.file.sessionId;
-      const clearedEffects = Object.keys(state.pendingQuestions ?? {}).map(
-        (toolUseId) => ({
-          kind: "emit-frame",
-          frame: {
-            type: "session:question:cleared",
-            sessionId,
-            toolUseId
-          }
-        })
-      );
       next.pendingQuestions = {};
       return {
         state: next,
@@ -15897,12 +16006,11 @@ function reduceSession(state, input, deps) {
             kind: "emit-frame",
             frame: {
               type: "session:status",
-              sessionId,
+              sessionId: next.file.sessionId,
               status: next.status,
               exitCode: input.code
             }
-          },
-          ...clearedEffects
+          }
         ]
       };
     }
@@ -15976,7 +16084,6 @@ function reduceSession(state, input, deps) {
         ...baseInput,
         answers: input.answers
       };
-      const sessionId = next.file.sessionId;
       return {
         state: next,
         effects: [
@@ -15984,21 +16091,29 @@ function reduceSession(state, input, deps) {
             kind: "send-control-response-allow-with-input",
             requestId: pending.requestId,
             updatedInput
-          },
-          // cleared(with answers) broadcast：UI dispatch session:question:submitted，
-          //   pendingQuestions[toolUseId] 转 submitted 只读态。target 缺省=broadcast。
-          {
-            kind: "emit-frame",
-            frame: {
-              type: "session:question:cleared",
-              sessionId,
-              toolUseId: input.toolUseId,
-              answers: input.answers
-            }
           }
         ]
       };
     }
+    case "idle-kill-fired": {
+      if (state.status !== "running-idle") {
+        return { state, effects: [] };
+      }
+      const next = cloneState(state);
+      next.status = "stopping";
+      return {
+        state: next,
+        effects: [{ kind: "kill", signal: "SIGKILL" }]
+      };
+    }
+    case "inject-owner-text": {
+      const ownerEvent = {
+        kind: "meta-text",
+        text: input.text,
+        metaSource: "owner"
+      };
+      return pushEventToBuffer(state, ownerEvent, deps);
+    }
     case "tick": {
       const staleMs = 10 * 60 * 1e3;
       const now = input.nowMs;
@@ -16076,6 +16191,19 @@ function startRecorder(opts) {
   };
 }
 
+// src/tools/cwd-boundary.ts
+var import_node_path5 = __toESM(require("path"), 1);
+function isPathInsideCwd(cwd, target) {
+  if (!import_node_path5.default.isAbsolute(target)) return false;
+  const cwdNorm = import_node_path5.default.resolve(cwd);
+  const targetNorm = import_node_path5.default.resolve(target);
+  if (cwdNorm === targetNorm) return true;
+  const rel = import_node_path5.default.relative(cwdNorm, targetNorm);
+  if (rel.startsWith("..")) return false;
+  if (import_node_path5.default.isAbsolute(rel)) return false;
+  return true;
+}
+
 // src/session/runner.ts
 var DEFAULT_CONTROL_REQUEST_TIMEOUT_MS = 1e4;
 function encodeAllowWithInputControlResponse(requestId, updatedInput) {
@@ -16093,6 +16221,15 @@ function encodeAllowWithInputControlResponse(requestId, updatedInput) {
   return JSON.stringify(payload) + "\n";
 }
 var DEFAULT_WAIT_STOP_TIMEOUT_MS = 3e3;
+function extractToolPath(ev) {
+  const input = ev.input;
+  if (!input || typeof input !== "object") return void 0;
+  const inp = input;
+  if (ev.tool === "Read" && typeof inp.file_path === "string") return inp.file_path;
+  if (ev.tool === "Grep" && typeof inp.path === "string") return inp.path;
+  if (ev.tool === "Glob" && typeof inp.path === "string") return inp.path;
+  return void 0;
+}
 var SessionRunner = class {
   constructor(initial, hooks) {
     this.hooks = hooks;
@@ -16108,6 +16245,9 @@ var SessionRunner = class {
   stopWaiters = [];
   // IPC recorder（CLAWD_RECORD_IPC=1 时启用）；null 表示当前 spawn 未启用 / 已退出
   recorder = null;
+  // sub-session idle-kill timer ref；key = sessionId（实际同一 runner 只对应一个 session，
+  // 但 reducer Effect schema 带 sessionId 作为唯一键，对齐 schedule/cancel 配对）
+  idleKillTimers = /* @__PURE__ */ new Map();
   getState() {
     return this.state;
   }
@@ -16205,6 +16345,62 @@ var SessionRunner = class {
       }
     });
   }
+  // L1 锁定（task 14）拦截：仅 sub-session（state.subSessionMeta.toolAllowlist 非空）启用。
+  //   1. 解析 line 为 ParsedEvent[]，扫 'tool_call' kind
+  //   2. tool 名不在白名单 → emit session:event(kind='error') + SIGKILL，丢弃本行
+  //   3. tool input 里带 path 字段（Read.file_path / Grep.path / Glob.path）越出 cwd 子树 → 同上处理
+  // 命中返回 true，调用方不再喂 reducer；命中即 SIGKILL，CC 进程会触发 proc.on('exit')
+  // 走正常的 stop / proc-exit 流程。本拦截层与 buildSpawnArgs 的 --disallowed-tools / --add-dir
+  // 共同构成 L1 第二 / 第三层防御（schema 层 + manager 层 + claude CLI 层 + runner 拦截层）
+  tryInterceptL1Violation(line) {
+    const meta = this.state.subSessionMeta;
+    if (!meta?.toolAllowlist || meta.toolAllowlist.length === 0) return false;
+    const allowed = new Set(meta.toolAllowlist);
+    let events;
+    try {
+      events = this.hooks.adapter.parseLine(line);
+    } catch {
+      return false;
+    }
+    if (events.length === 0) return false;
+    const cwd = this.state.file.cwd;
+    for (const ev of events) {
+      if (ev.kind !== "tool_call") continue;
+      if (typeof ev.tool === "string" && ev.tool && !allowed.has(ev.tool)) {
+        this.emitL1Error(`tool ${ev.tool} blocked by L1 lockdown`, "TOOL_NOT_ALLOWED");
+        this.doKill("SIGKILL");
+        return true;
+      }
+      const argPath = extractToolPath(ev);
+      if (argPath && !isPathInsideCwd(cwd, argPath)) {
+        this.emitL1Error(
+          `path ${argPath} outside cwd ${cwd}`,
+          "PATH_OUT_OF_BOUND"
+        );
+        this.doKill("SIGKILL");
+        return true;
+      }
+    }
+    return false;
+  }
+  // L1 违规错误帧：走 session:event 通道，code 编码进 ParsedEvent.error message。
+  // 不引入新的 wire 帧 type（避免 protocol 改动），现有 error kind 已经走 broadcast 路径
+  emitL1Error(message, code) {
+    const errEvent = {
+      kind: "error",
+      message: `[${code}] ${message}`
+    };
+    const frame = {
+      type: "session:event",
+      sessionId: this.state.file.sessionId,
+      event: errEvent
+    };
+    try {
+      this.hooks.broadcastFrame(frame, "broadcast");
+    } catch {
+    }
+    this.hooks.logger?.warn("clawd-l1-violation", { code, message, sessionId: this.state.file.sessionId });
+  }
   // 尝试把一行 stdout 解析成 `type:"control_response"` 帧并 resolve 匹配的 pending。
   // 命中返回 true —— 调用方不再把该行喂给 reducer（control_response 不是会话事件）。
   tryHandleControlResponse(line) {
@@ -16283,8 +16479,33 @@ var SessionRunner = class {
         setTimeout(() => this.input({ kind: "tick", nowMs: now() }), effect.delayMs).unref();
         break;
       }
+      case "schedule-idle-kill": {
+        const existing = this.idleKillTimers.get(effect.sessionId);
+        if (existing) clearTimeout(existing);
+        const timer = setTimeout(() => {
+          this.idleKillTimers.delete(effect.sessionId);
+          this.input({ kind: "idle-kill-fired" });
+        }, effect.ms);
+        timer.unref?.();
+        this.idleKillTimers.set(effect.sessionId, timer);
+        break;
+      }
+      case "cancel-idle-kill": {
+        const timer = this.idleKillTimers.get(effect.sessionId);
+        if (timer) {
+          clearTimeout(timer);
+          this.idleKillTimers.delete(effect.sessionId);
+        }
+        break;
+      }
     }
   }
+  // 清空所有 idle-kill timer（runner dispose / proc 永久退出时调用）。
+  // 不喂 idle-kill-fired —— dispose 路径不再翻 reducer 状态
+  clearIdleKillTimers() {
+    for (const t of this.idleKillTimers.values()) clearTimeout(t);
+    this.idleKillTimers.clear();
+  }
   // 启动子进程，绑定 stdout line buffer → 回灌 reducer
   doSpawn(ctx) {
     const proc = this.hooks.spawnOverride ? this.hooks.spawnOverride(ctx) : this.hooks.adapter.spawn(ctx);
@@ -16302,6 +16523,7 @@ var SessionRunner = class {
       this.stdoutBuf = newBuf;
       for (const line of lines) {
         if (this.tryHandleControlResponse(line)) continue;
+        if (this.tryInterceptL1Violation(line)) continue;
         this.input({ kind: "stdout-line", line });
       }
     });
@@ -16313,6 +16535,7 @@ var SessionRunner = class {
       this.proc = null;
       this.recorder = null;
       this.rejectAllPending(new Error("session gone"));
+      this.clearIdleKillTimers();
       this.input({ kind: "proc-exit", code });
     });
     proc.on("error", (err) => {
@@ -16341,6 +16564,8 @@ function compressFrameForWire(frame) {
   switch (status) {
     case "spawning":
     case "running":
+    // sub-session（persona）专属内部状态：进程仍活着等 idle-kill；wire 协议看到的是 'running'
+    case "running-idle":
       compressed = "running";
       break;
     case "stopping":
@@ -16367,6 +16592,7 @@ function compressStatus(status) {
   switch (status) {
     case "spawning":
     case "running":
+    case "running-idle":
       return "running";
     case "stopping":
     case "stopped":
@@ -16384,7 +16610,7 @@ function nowIso2(deps) {
 function newSessionId() {
   return v4_default().replace(/-/g, "").slice(0, 16);
 }
-function makeInitialState(file) {
+function makeInitialState(file, subSessionMeta) {
   return {
     file,
     status: "idle",
@@ -16396,12 +16622,14 @@ function makeInitialState(file) {
     pendingQuestions: {},
     freshSpawn: false,
     procAlive: false,
-    seenUuids: []
+    seenUuids: [],
+    subSessionMeta
   };
 }
 var SessionManager = class {
   constructor(deps) {
     this.deps = deps;
+    this.storesByAgent.set(DEFAULT_AGENT_ID, deps.store);
   }
   deps;
   // sessionId → SessionRunner；在 send / ensureSession 时按需创建
@@ -16417,6 +16645,28 @@ var SessionManager = class {
   // 由 observer 监听 jsonl user 行后调 recordRealUserUuid 建立映射；rewind 系列 RPC 在
   // 入参 / 出参做转译，保证 UI 看到的 uuid 始终是 events 流里的 synth uuid
   realUuidBySynth = /* @__PURE__ */ new Map();
+  // persona sub-session 路径：按 agentId 派生 SessionStore（root = dataDir/sessions/<agentId>/）。
+  // 'default' 直接复用 deps.store；其它 agentId 第一次访问时按需创建并缓存
+  storesByAgent = /* @__PURE__ */ new Map();
+  // sub-session 创建时记录的 subSessionMeta；ensureSession / runner 创建时塞入 reducer state。
+  // 不进 SessionFile schema（避免破坏现有 zod parse），仅运行时缓存
+  subSessionMetaBySid = /* @__PURE__ */ new Map();
+  // persona-bound transport 订阅器：sessionId → Set<listener>。
+  // 仅推 reducer 产出的 'session:event' 帧里的 ParsedEvent，其他帧（status / info / cleared）
+  // 由调用方按需自行处理（persona-bound 简化协议只暴露 event 流，不需要这些）
+  eventSubscribers = /* @__PURE__ */ new Map();
+  // 按 agentId 拿对应的 SessionStore；persona sub-session 走这条路径写到
+  // sessions/<personaId>/<sessionId>.json。需要 deps.dataDir 同源，否则脑裂
+  storeFor(agentId) {
+    const cached = this.storesByAgent.get(agentId);
+    if (cached) return cached;
+    if (!this.deps.dataDir) {
+      throw new Error(`SessionManager: dataDir required to route agentId='${agentId}'`);
+    }
+    const st = new SessionStore({ dataDir: this.deps.dataDir, agentId });
+    this.storesByAgent.set(agentId, st);
+    return st;
+  }
   async getCapabilities(tool) {
     const cached = this.capabilitiesCache.get(tool);
     if (cached) return cached;
@@ -16427,11 +16677,14 @@ var SessionManager = class {
   }
   // 创建 runner 时包一层 broadcast hook：所有外出 frame 统一走 routeFromRunner，
   // 经过 compressFrameForWire 后决定是 push collector 还是走 deps.broadcastFrame
-  newRunner(file) {
+  // store：默认 deps.store；persona sub-session 路径下传该 personaId 对应的 SessionStore
+  // subSessionMeta：persona 路径传 { idleKillEnabled: true }，其它路径不传
+  newRunner(file, opts = {}) {
     const adapter = this.deps.getAdapter(file.tool ?? "claude");
-    const runner = new SessionRunner(makeInitialState(file), {
+    const store = opts.store ?? this.deps.store;
+    const runner = new SessionRunner(makeInitialState(file, opts.subSessionMeta), {
       broadcastFrame: (frame, target) => this.routeFromRunner(frame, target),
-      store: this.deps.store,
+      store,
       adapter,
       logger: this.deps.logger,
       spawnOverride: this.deps.spawnOverride,
@@ -16449,6 +16702,21 @@ var SessionManager = class {
   routeFromRunner(frame, target) {
     const compressed = compressFrameForWire(frame);
     if (!compressed) return;
+    if (compressed.type === "session:event") {
+      const sid = compressed.sessionId;
+      const ev = compressed.event;
+      if (sid && ev) {
+        const subs = this.eventSubscribers.get(sid);
+        if (subs && subs.size > 0) {
+          for (const fn of subs) {
+            try {
+              fn(ev);
+            } catch {
+            }
+          }
+        }
+      }
+    }
     if (this.currentCollector) {
       this.currentCollector.push({ frame: compressed, target });
       return;
@@ -16870,10 +17138,7 @@ var SessionManager = class {
       running.push({
         sessionId: sid,
         status: compressStatus(st.status),
-        freshSpawn: st.freshSpawn,
-        // sidebar awaiting-user baseline：UI 端据此填 anonymous slot 直到 push 帧带真实 toolUseId
-        pendingPermissionsCount: Object.keys(st.pendingPermissions).length,
-        pendingQuestionsCount: Object.keys(st.pendingQuestions).length
+        freshSpawn: st.freshSpawn
       });
     }
     return { runningSessions: running };
@@ -16891,10 +17156,189 @@ var SessionManager = class {
   ensureSession(file) {
     let r = this.runners.get(file.sessionId);
     if (r) return r;
-    r = this.newRunner(file);
+    const subSessionMeta = this.subSessionMetaBySid.get(file.sessionId);
+    r = this.newRunner(file, { subSessionMeta });
     this.runners.set(file.sessionId, r);
     return r;
   }
+  // ---------------- persona / sub-session 专用 API ----------------
+  //
+  // PersonaManager 是 SessionManager 之上的薄编排层，sub-session 的持久化（SessionFile）
+  // 仍由 SessionManager 持有。区别于普通 session：
+  //   - SessionFile 落到 sessions/<personaId>/ 而非 sessions/default/
+  //   - reducer state.subSessionMeta.idleKillEnabled = true（turn_end 自动 idle-kill）
+  //   - sessionId 由 PersonaManager 派生（personaId-<tokenHash>），不走自动 newSessionId
+  /** 按 agentId 读取 SessionFile；不存在返回 null */
+  readForAgent(sessionId, agentId) {
+    return this.storeFor(agentId).read(sessionId);
+  }
+  /**
+   * 按 agentId 列出该命名空间下所有 SessionFile（persona:listSubSessions 入口）。
+   * agentId 还未访问过 → storeFor 第一次创建对应 SessionStore（root 不存在则 list 返回 []）
+   */
+  listForAgent(agentId) {
+    return this.storeFor(agentId).list();
+  }
+  /**
+   * 创建 sub-session 的 SessionFile + 准备 runner（不 spawn）。
+   * subSessionMeta 不进 SessionFile schema，仅缓存进 runner state。
+   * 同一 sessionId 重复调用：抛错（PersonaManager 应先调 readForAgent 命中复用）
+   */
+  createForAgent(args) {
+    try {
+      const stat = import_node_fs5.default.statSync(args.cwd);
+      if (!stat.isDirectory()) throw new Error("not dir");
+    } catch {
+      throw new ClawdError(ERROR_CODES.INVALID_CWD, `cwd not a directory: ${args.cwd}`);
+    }
+    const tool = args.tool ?? "claude";
+    this.deps.getAdapter(tool);
+    const store = this.storeFor(args.agentId);
+    if (store.read(args.sessionId)) {
+      throw new Error(`session already exists for agent ${args.agentId}: ${args.sessionId}`);
+    }
+    const iso = nowIso2(this.deps);
+    const file = {
+      sessionId: args.sessionId,
+      cwd: args.cwd,
+      tool,
+      label: args.label,
+      model: args.model,
+      permissionMode: args.permissionMode,
+      createdAt: iso,
+      updatedAt: iso
+    };
+    const written = store.write(file);
+    if (args.subSessionMeta || args.hardcodedToolAllowlist) {
+      const meta = {
+        idleKillEnabled: args.subSessionMeta?.idleKillEnabled ?? false,
+        ...args.hardcodedToolAllowlist && args.hardcodedToolAllowlist.length > 0 ? {
+          toolAllowlist: args.hardcodedToolAllowlist,
+          permissionMode: args.permissionMode
+        } : {}
+      };
+      this.subSessionMetaBySid.set(args.sessionId, meta);
+    }
+    return written;
+  }
+  /**
+   * persona-bound transport 用：读取 sub-session 的历史 ParsedEvent[]。
+   * 实现策略：保证 runner 存在（buffer 是 reducer 唯一权威源），返回 buffer 里所有事件。
+   * - 第一次访问：lazy ensureSession，buffer 为空 → 返回 []。
+   * - 之前 send 过 / observer 喂过：buffer 已经有累积事件，直接返回。
+   *
+   * 不读 jsonl：
+   *   1. observer 路径在 spawn 后会自动接管 jsonl 回灌，进 reducer buffer。
+   *   2. 第一次握手时 sub-session 还没 spawn → toolSessionId 为空 → jsonl 不存在。
+   * sessionFile 不存在抛 SESSION_NOT_FOUND；上层应先调 createForAgent。
+   */
+  readHistoryEvents(sessionId, agentId) {
+    const store = this.storeFor(agentId);
+    const file = store.read(sessionId);
+    if (!file) {
+      throw new ClawdError(
+        ERROR_CODES.SESSION_NOT_FOUND,
+        `sub-session not found: ${agentId}/${sessionId}`
+      );
+    }
+    const runner = this.ensureRunnerFor(file, agentId);
+    return runner.getState().buffer.map((e) => e.event);
+  }
+  /**
+   * persona-bound transport 用：订阅 sub-session 实时 ParsedEvent。
+   * 返回 unsubscribe；不破坏现有 wire 广播路径——routeFromRunner 同时 fan-out 到
+   * eventSubscribers 和 deps.broadcastFrame
+   */
+  subscribe(_sessionId, _agentId, listener) {
+    const sid = _sessionId;
+    let subs = this.eventSubscribers.get(sid);
+    if (!subs) {
+      subs = /* @__PURE__ */ new Set();
+      this.eventSubscribers.set(sid, subs);
+    }
+    subs.add(listener);
+    return () => {
+      const cur = this.eventSubscribers.get(sid);
+      if (!cur) return;
+      cur.delete(listener);
+      if (cur.size === 0) this.eventSubscribers.delete(sid);
+    };
+  }
+  /**
+   * persona-bound transport 用：sub-session 路径的 send（按 agentId 路由 SessionStore）。
+   * 现状 send(args.sessionId, args.text) 默认 'default' agent；这里按 agentId 拿对应 store
+   * + ensureRunnerFor 保证 runner 用同一个 store 写盘
+   */
+  sendForAgent(args) {
+    const store = this.storeFor(args.agentId);
+    const file = store.read(args.sessionId);
+    if (!file) {
+      throw new ClawdError(
+        ERROR_CODES.SESSION_NOT_FOUND,
+        `sub-session not found: ${args.agentId}/${args.sessionId}`
+      );
+    }
+    const runner = this.ensureRunnerFor(file, args.agentId);
+    const { broadcast } = this.withCollector(() => {
+      runner.input({ kind: "command", command: { kind: "send", text: args.text } });
+    });
+    return { response: { ok: true }, broadcast };
+  }
+  /**
+   * persona-bound transport 用：sub-session reset。
+   * 复用 reducer 'new' 命令：清 toolSessionId / buffer / nextSeq / pending* + kill proc + emit
+   * session:cleared。语义上等价 alice 端"清空当前会话上下文"。
+   * 归档已写盘的 jsonl 不在本路径处理（CC 后续 spawn 会写新的 toolSessionId.jsonl，旧的留盘）；
+   * 物理归档可在后续单独 task 加（spec § 6 待 plan 决定项）。
+   */
+  resetForAgent(args) {
+    const store = this.storeFor(args.agentId);
+    const file = store.read(args.sessionId);
+    if (!file) {
+      throw new ClawdError(
+        ERROR_CODES.SESSION_NOT_FOUND,
+        `sub-session not found: ${args.agentId}/${args.sessionId}`
+      );
+    }
+    const runner = this.ensureRunnerFor(file, args.agentId);
+    const { broadcast } = this.withCollector(() => {
+      runner.input({ kind: "command", command: { kind: "new" } });
+    });
+    return { response: { ok: true }, broadcast };
+  }
+  /** ensureSession 的 agentId-aware 版本：复用现有 runner 或按 agentId 派生 store 创建 */
+  ensureRunnerFor(file, agentId) {
+    const existing = this.runners.get(file.sessionId);
+    if (existing) return existing;
+    const store = this.storeFor(agentId);
+    const subSessionMeta = this.subSessionMetaBySid.get(file.sessionId);
+    const runner = this.newRunner(file, { store, subSessionMeta });
+    this.runners.set(file.sessionId, runner);
+    return runner;
+  }
+  /**
+   * 老板插话：把 'inject-owner-text' input 喂给对应 runner，
+   * runner 不存在时按 ensureSession 路径懒创建（以 subSessionMeta 缓存为准）。
+   * frames 走异步路径（broadcastFrame）：调用方一般在 PersonaManager.appendOwnerMessage
+   * 内部走 RPC 处理流，没有同步 collector 上下文
+   */
+  injectOwnerMessage(args) {
+    const store = this.storeFor(args.agentId);
+    const file = store.read(args.sessionId);
+    if (!file) {
+      throw new ClawdError(
+        ERROR_CODES.SESSION_NOT_FOUND,
+        `sub-session not found: ${args.agentId}/${args.sessionId}`
+      );
+    }
+    let runner = this.runners.get(args.sessionId);
+    if (!runner) {
+      const subSessionMeta = this.subSessionMetaBySid.get(args.sessionId);
+      runner = this.newRunner(file, { store, subSessionMeta });
+      this.runners.set(args.sessionId, runner);
+    }
+    runner.input({ kind: "inject-owner-text", text: args.text });
+  }
   // observer 把 stdout line 转发到指定 runner；单一 reducer 入口保证 seq 分配统一
   feedObserverLine(sessionId, line) {
     const runner = this.runners.get(sessionId);
@@ -16959,28 +17403,268 @@ var SessionManager = class {
   }
 };
 
+// src/persona/store.ts
+var import_node_fs6 = __toESM(require("fs"), 1);
+var import_node_path6 = __toESM(require("path"), 1);
+init_protocol();
+var PersonaStore = class {
+  root;
+  constructor(opts) {
+    this.root = import_node_path6.default.join(opts.dataDir, "personas");
+  }
+  filePath(personaId) {
+    return import_node_path6.default.join(this.root, `${safeFileName(personaId)}.json`);
+  }
+  ensureDir() {
+    import_node_fs6.default.mkdirSync(this.root, { recursive: true });
+  }
+  read(personaId) {
+    try {
+      const raw = import_node_fs6.default.readFileSync(this.filePath(personaId), "utf8");
+      return PersonaFileSchema.parse(JSON.parse(raw));
+    } catch (err) {
+      const code = err?.code;
+      if (code === "ENOENT") return null;
+      return null;
+    }
+  }
+  write(file) {
+    const validated = PersonaFileSchema.parse(file);
+    this.ensureDir();
+    const target = this.filePath(validated.personaId);
+    const tmp = `${target}.tmp-${process.pid}-${Date.now()}`;
+    import_node_fs6.default.writeFileSync(tmp, JSON.stringify(validated, null, 2), { encoding: "utf8", mode: 384 });
+    import_node_fs6.default.renameSync(tmp, target);
+    return validated;
+  }
+  delete(personaId) {
+    try {
+      import_node_fs6.default.unlinkSync(this.filePath(personaId));
+    } catch (err) {
+      const code = err?.code;
+      if (code !== "ENOENT") throw err;
+    }
+  }
+  list() {
+    if (!import_node_fs6.default.existsSync(this.root)) return [];
+    const files = import_node_fs6.default.readdirSync(this.root).filter((f) => f.endsWith(".json") && !f.includes(".tmp"));
+    const items = [];
+    for (const f of files) {
+      try {
+        const raw = import_node_fs6.default.readFileSync(import_node_path6.default.join(this.root, f), "utf8");
+        items.push(PersonaFileSchema.parse(JSON.parse(raw)));
+      } catch {
+      }
+    }
+    return items.sort((a, b) => b.updatedAt.localeCompare(a.updatedAt));
+  }
+};
+
+// src/persona/registry.ts
+var PersonaRegistry = class {
+  constructor(store) {
+    this.store = store;
+    this.reload();
+  }
+  store;
+  cache = /* @__PURE__ */ new Map();
+  /** 从 store 全量重建缓存（boot 时 + 测试 setup 时） */
+  reload() {
+    this.cache.clear();
+    for (const p of this.store.list()) this.cache.set(p.personaId, p);
+  }
+  get(personaId) {
+    return this.cache.get(personaId);
+  }
+  /** PersonaManager 写盘后同步 cache；不主动写盘 */
+  set(file) {
+    this.cache.set(file.personaId, file);
+  }
+  remove(personaId) {
+    this.cache.delete(personaId);
+  }
+  list() {
+    return Array.from(this.cache.values());
+  }
+  verifyToken(personaId, token) {
+    const persona = this.cache.get(personaId);
+    if (!persona) return { ok: false, code: "PERSONA_DELETED" };
+    if (!persona.public) return { ok: false, code: "PERSONA_NOT_PUBLIC" };
+    const entry = persona.tokenMap[token];
+    if (!entry) return { ok: false, code: "TOKEN_INVALID" };
+    if (entry.revoked) return { ok: false, code: "TOKEN_REVOKED" };
+    return { ok: true, label: entry.label };
+  }
+};
+
+// src/persona/manager.ts
+var import_node_crypto3 = __toESM(require("crypto"), 1);
+var import_node_fs7 = __toESM(require("fs"), 1);
+var import_node_path7 = __toESM(require("path"), 1);
+var PersonaManager = class {
+  constructor(deps) {
+    this.deps = deps;
+  }
+  deps;
+  create(args) {
+    const personaId = this.generatePersonaId(args.label);
+    const iso = this.deps.now().toISOString();
+    const file = {
+      personaId,
+      label: args.label,
+      cwd: args.cwd,
+      model: args.model,
+      systemPromptAppend: args.systemPromptAppend,
+      // L1 锁死：plan 模式 + 只读三件套
+      permissionMode: "plan",
+      toolAllowlist: ["Read", "Grep", "Glob"],
+      public: true,
+      tokenMap: {},
+      createdAt: iso,
+      updatedAt: iso
+    };
+    const written = this.deps.store.write(file);
+    this.deps.registry.set(written);
+    return written;
+  }
+  update(personaId, patch) {
+    const existing = this.deps.registry.get(personaId);
+    if (!existing) throw new Error(`persona not found: ${personaId}`);
+    const updated = {
+      ...existing,
+      ...patch,
+      updatedAt: this.deps.now().toISOString()
+    };
+    const written = this.deps.store.write(updated);
+    this.deps.registry.set(written);
+    return written;
+  }
+  /** 删除 persona + 级联清掉 sessions/<personaId>/ 目录 */
+  delete(personaId) {
+    this.deps.store.delete(personaId);
+    this.deps.registry.remove(personaId);
+    const dir = import_node_path7.default.join(this.deps.dataDir, "sessions", personaId);
+    try {
+      import_node_fs7.default.rmSync(dir, { recursive: true, force: true });
+    } catch (err) {
+      this.deps.logger.warn(`PersonaManager.delete: cleanup ${dir} failed`, {
+        err: err.message
+      });
+    }
+  }
+  /** 生成 32-char base64url token（24 bytes 随机），label 必填 */
+  issueToken(personaId, label) {
+    const existing = this.deps.registry.get(personaId);
+    if (!existing) throw new Error(`persona not found: ${personaId}`);
+    const token = import_node_crypto3.default.randomBytes(24).toString("base64url");
+    const entry = {
+      label,
+      issuedAt: this.deps.now().toISOString()
+    };
+    const updated = {
+      ...existing,
+      tokenMap: { ...existing.tokenMap, [token]: entry },
+      updatedAt: this.deps.now().toISOString()
+    };
+    const written = this.deps.store.write(updated);
+    this.deps.registry.set(written);
+    return { token, persona: written };
+  }
+  revokeToken(personaId, token) {
+    const existing = this.deps.registry.get(personaId);
+    if (!existing) throw new Error(`persona not found: ${personaId}`);
+    const tokenEntry = existing.tokenMap[token];
+    if (!tokenEntry) throw new Error(`token not found in persona ${personaId}`);
+    const updated = {
+      ...existing,
+      tokenMap: {
+        ...existing.tokenMap,
+        [token]: { ...tokenEntry, revoked: true }
+      },
+      updatedAt: this.deps.now().toISOString()
+    };
+    const written = this.deps.store.write(updated);
+    this.deps.registry.set(written);
+    return written;
+  }
+  /**
+   * 拿到（或按需创建）该 token 对应的 sub-session。subSessionId 由 personaId + token 哈希派生
+   * 保证 idempotent：同一 token 永远复用同一个 sub-session。
+   * 创建路径：开启 idleKillEnabled，cwd / model / tool 等字段从 PersonaFile 模板复制
+   */
+  getOrCreateSubSession(personaId, token) {
+    const persona = this.deps.registry.get(personaId);
+    if (!persona) throw new Error(`persona not found: ${personaId}`);
+    const subSessionId = this.deriveSubSessionId(personaId, token);
+    const existing = this.deps.sessionManager.readForAgent(subSessionId, personaId);
+    if (existing) {
+      return { sessionFile: existing, isNew: false };
+    }
+    const tokenEntry = persona.tokenMap[token];
+    const subLabel = tokenEntry?.label ?? "unknown";
+    const sessionFile = this.deps.sessionManager.createForAgent({
+      sessionId: subSessionId,
+      agentId: personaId,
+      cwd: persona.cwd,
+      tool: "claude",
+      label: subLabel,
+      model: persona.model,
+      permissionMode: "plan",
+      // L1 锁定（task 14）：把 PersonaFile.toolAllowlist 透传到 SessionManager，
+      // 最终在 buildSpawnArgs 拼成 --add-dir + --disallowed-tools，runner stdout 拦截层
+      // 也读 SubSessionMeta.toolAllowlist 做工具名 / cwd 越界拦截
+      hardcodedToolAllowlist: persona.toolAllowlist,
+      subSessionMeta: { idleKillEnabled: true }
+    });
+    return { sessionFile, isNew: true };
+  }
+  /**
+   * 老板插话：把"老板的话"作为 meta-text + metaSource='owner' 推到 sub-session 的事件流。
+   * 委托 SessionManager.injectOwnerMessage 路由到 reducer 'inject-owner-text' input
+   */
+  appendOwnerMessage(personaId, subSessionId, text) {
+    this.deps.sessionManager.injectOwnerMessage({
+      sessionId: subSessionId,
+      agentId: personaId,
+      text
+    });
+  }
+  // ---------------- 内部 ----------------
+  /** label 转 4-16 char slug + 4 char base64url 后缀，避免冲突且文件名安全 */
+  generatePersonaId(label) {
+    const slug = label.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "").slice(0, 16) || "persona";
+    const rand = import_node_crypto3.default.randomBytes(3).toString("base64url").slice(0, 4);
+    return `persona-${slug}-${rand}`;
+  }
+  /** subSessionId = persona-<short>-<tokenHash12>；同 token 始终复用同一 sub-session */
+  deriveSubSessionId(personaId, token) {
+    const tokenHash = import_node_crypto3.default.createHash("sha256").update(token).digest("hex").slice(0, 12);
+    return `${personaId}-${tokenHash}`;
+  }
+};
+
 // src/index.ts
 init_claude();
 init_claude_history();
 
 // src/workspace/browser.ts
-var import_node_fs8 = __toESM(require("fs"), 1);
+var import_node_fs10 = __toESM(require("fs"), 1);
 var import_node_os4 = __toESM(require("os"), 1);
-var import_node_path7 = __toESM(require("path"), 1);
+var import_node_path10 = __toESM(require("path"), 1);
 init_protocol();
 var MAX_FILE_BYTES = 2 * 1024 * 1024;
 function resolveInsideCwd(cwd, subpath) {
-  const absCwd = import_node_path7.default.resolve(cwd);
-  const joined = import_node_path7.default.resolve(absCwd, subpath ?? ".");
-  const rel = import_node_path7.default.relative(absCwd, joined);
-  if (rel.startsWith("..") || import_node_path7.default.isAbsolute(rel)) {
+  const absCwd = import_node_path10.default.resolve(cwd);
+  const joined = import_node_path10.default.resolve(absCwd, subpath ?? ".");
+  const rel = import_node_path10.default.relative(absCwd, joined);
+  if (rel.startsWith("..") || import_node_path10.default.isAbsolute(rel)) {
     throw new ClawdError(ERROR_CODES.INVALID_PATH, `path escapes cwd: ${subpath}`);
   }
   return joined;
 }
 function ensureCwd(cwd) {
   try {
-    const stat = import_node_fs8.default.statSync(cwd);
+    const stat = import_node_fs10.default.statSync(cwd);
     if (!stat.isDirectory()) {
       throw new ClawdError(ERROR_CODES.INVALID_CWD, `not a directory: ${cwd}`);
     }
@@ -16994,7 +17678,7 @@ var WorkspaceBrowser = class {
     const cwd = args.cwd && args.cwd.length > 0 ? args.cwd : import_node_os4.default.homedir();
     ensureCwd(cwd);
     const full = resolveInsideCwd(cwd, args.path);
-    const dirents = import_node_fs8.default.readdirSync(full, { withFileTypes: true });
+    const dirents = import_node_fs10.default.readdirSync(full, { withFileTypes: true });
     const entries = [];
     for (const d of dirents) {
       if (!args.showHidden && d.name.startsWith(".")) continue;
@@ -17004,7 +17688,7 @@ var WorkspaceBrowser = class {
         mtime: ""
       };
       try {
-        const st = import_node_fs8.default.statSync(import_node_path7.default.join(full, d.name));
+        const st = import_node_fs10.default.statSync(import_node_path10.default.join(full, d.name));
         entry.mtime = new Date(st.mtimeMs).toISOString();
         if (d.isFile()) entry.size = st.size;
       } catch {
@@ -17020,14 +17704,14 @@ var WorkspaceBrowser = class {
   read(args) {
     ensureCwd(args.cwd);
     const full = resolveInsideCwd(args.cwd, args.path);
-    const st = import_node_fs8.default.statSync(full);
+    const st = import_node_fs10.default.statSync(full);
     if (!st.isFile()) {
       throw new ClawdError(ERROR_CODES.INVALID_PATH, `not a file: ${args.path}`);
     }
     if (st.size > MAX_FILE_BYTES) {
       throw new ClawdError(ERROR_CODES.FILE_TOO_LARGE, `file > ${MAX_FILE_BYTES} bytes`);
     }
-    const buf = import_node_fs8.default.readFileSync(full);
+    const buf = import_node_fs10.default.readFileSync(full);
     const isBinary = buf.includes(0);
     if (isBinary) {
       return {
@@ -17049,9 +17733,9 @@ var WorkspaceBrowser = class {
 };
 
 // src/skills/scanner.ts
-var import_node_fs9 = __toESM(require("fs"), 1);
+var import_node_fs11 = __toESM(require("fs"), 1);
 var import_node_os5 = __toESM(require("os"), 1);
-var import_node_path8 = __toESM(require("path"), 1);
+var import_node_path11 = __toESM(require("path"), 1);
 function parseFrontmatter(content) {
   if (!content.startsWith("---")) return { name: "", description: "" };
   const end = content.indexOf("---", 3);
@@ -17087,7 +17771,7 @@ function parseFrontmatter(content) {
 }
 function isDirLikeSync(p) {
   try {
-    return import_node_fs9.default.statSync(p).isDirectory();
+    return import_node_fs11.default.statSync(p).isDirectory();
   } catch {
     return false;
   }
@@ -17095,19 +17779,19 @@ function isDirLikeSync(p) {
 function scanSkillDir(dir, source, seen, out, pluginName) {
   let entries;
   try {
-    entries = import_node_fs9.default.readdirSync(dir, { withFileTypes: true });
+    entries = import_node_fs11.default.readdirSync(dir, { withFileTypes: true });
   } catch {
     return;
   }
   for (const ent of entries) {
-    const entryPath = import_node_path8.default.join(dir, ent.name);
+    const entryPath = import_node_path11.default.join(dir, ent.name);
     if (!ent.isDirectory() && !(ent.isSymbolicLink() && isDirLikeSync(entryPath))) continue;
     let content;
     try {
-      content = import_node_fs9.default.readFileSync(import_node_path8.default.join(entryPath, "SKILL.md"), "utf8");
+      content = import_node_fs11.default.readFileSync(import_node_path11.default.join(entryPath, "SKILL.md"), "utf8");
     } catch {
       try {
-        content = import_node_fs9.default.readFileSync(import_node_path8.default.join(entryPath, "skill.md"), "utf8");
+        content = import_node_fs11.default.readFileSync(import_node_path11.default.join(entryPath, "skill.md"), "utf8");
       } catch {
         continue;
       }
@@ -17125,26 +17809,26 @@ function scanSkillDir(dir, source, seen, out, pluginName) {
 function scanCommandDir(dir, source, seen, out, pluginName) {
   let entries;
   try {
-    entries = import_node_fs9.default.readdirSync(dir, { withFileTypes: true });
+    entries = import_node_fs11.default.readdirSync(dir, { withFileTypes: true });
   } catch {
     return;
   }
   for (const ent of entries) {
-    const entryPath = import_node_path8.default.join(dir, ent.name);
+    const entryPath = import_node_path11.default.join(dir, ent.name);
     if (ent.isDirectory() || ent.isSymbolicLink() && isDirLikeSync(entryPath)) {
       const ns = ent.name;
       let subEntries;
       try {
-        subEntries = import_node_fs9.default.readdirSync(entryPath, { withFileTypes: true });
+        subEntries = import_node_fs11.default.readdirSync(entryPath, { withFileTypes: true });
       } catch {
         continue;
       }
       for (const se of subEntries) {
         if (!se.name.endsWith(".md")) continue;
-        const sePath = import_node_path8.default.join(entryPath, se.name);
+        const sePath = import_node_path11.default.join(entryPath, se.name);
         let content;
         try {
-          content = import_node_fs9.default.readFileSync(sePath, "utf8");
+          content = import_node_fs11.default.readFileSync(sePath, "utf8");
         } catch {
           continue;
         }
@@ -17161,7 +17845,7 @@ function scanCommandDir(dir, source, seen, out, pluginName) {
     } else if (ent.name.endsWith(".md")) {
       let content;
       try {
-        content = import_node_fs9.default.readFileSync(entryPath, "utf8");
+        content = import_node_fs11.default.readFileSync(entryPath, "utf8");
       } catch {
         continue;
       }
@@ -17177,10 +17861,10 @@ function scanCommandDir(dir, source, seen, out, pluginName) {
   }
 }
 function readInstalledPlugins(home) {
-  const file = import_node_path8.default.join(home, ".claude", "plugins", "installed_plugins.json");
+  const file = import_node_path11.default.join(home, ".claude", "plugins", "installed_plugins.json");
   let raw;
   try {
-    raw = import_node_fs9.default.readFileSync(file, "utf8");
+    raw = import_node_fs11.default.readFileSync(file, "utf8");
   } catch {
     return [];
   }
@@ -17218,14 +17902,14 @@ var SkillsScanner = class {
   list(args) {
     const seen = /* @__PURE__ */ new Set();
     const out = [];
-    scanSkillDir(import_node_path8.default.join(this.home, ".claude", "skills"), "global", seen, out);
-    scanCommandDir(import_node_path8.default.join(this.home, ".claude", "commands"), "global", seen, out);
-    scanSkillDir(import_node_path8.default.join(args.cwd, ".claude", "skills"), "project", seen, out);
-    scanCommandDir(import_node_path8.default.join(args.cwd, ".claude", "commands"), "project", seen, out);
+    scanSkillDir(import_node_path11.default.join(this.home, ".claude", "skills"), "global", seen, out);
+    scanCommandDir(import_node_path11.default.join(this.home, ".claude", "commands"), "global", seen, out);
+    scanSkillDir(import_node_path11.default.join(args.cwd, ".claude", "skills"), "project", seen, out);
+    scanCommandDir(import_node_path11.default.join(args.cwd, ".claude", "commands"), "project", seen, out);
     const plugins = [...readInstalledPlugins(this.home), ...this.extraPluginRoots];
     for (const { name, root } of plugins) {
-      scanSkillDir(import_node_path8.default.join(root, "skills"), "plugin", seen, out, name);
-      scanCommandDir(import_node_path8.default.join(root, "commands"), "plugin", seen, out, name);
+      scanSkillDir(import_node_path11.default.join(root, "skills"), "plugin", seen, out, name);
+      scanCommandDir(import_node_path11.default.join(root, "commands"), "plugin", seen, out, name);
     }
     out.sort((a, b) => a.name < b.name ? -1 : a.name > b.name ? 1 : 0);
     return out;
@@ -17233,9 +17917,9 @@ var SkillsScanner = class {
 };
 
 // src/observer/session-observer.ts
-var import_node_fs10 = __toESM(require("fs"), 1);
+var import_node_fs12 = __toESM(require("fs"), 1);
 var import_node_os6 = __toESM(require("os"), 1);
-var import_node_path9 = __toESM(require("path"), 1);
+var import_node_path12 = __toESM(require("path"), 1);
 init_claude_history();
 var SessionObserver = class {
   constructor(opts) {
@@ -17247,14 +17931,14 @@ var SessionObserver = class {
   watches = /* @__PURE__ */ new Map();
   resolveJsonlPath(cwd, toolSessionId, override) {
     if (override) return override;
-    return import_node_path9.default.join(this.home, ".claude", "projects", cwdToHashDir(cwd), `${toolSessionId}.jsonl`);
+    return import_node_path12.default.join(this.home, ".claude", "projects", cwdToHashDir(cwd), `${toolSessionId}.jsonl`);
   }
   start(args) {
     this.stop(args.sessionId);
     const filePath = this.resolveJsonlPath(args.cwd, args.toolSessionId, args.jsonlPath);
     let size = 0;
     try {
-      size = import_node_fs10.default.statSync(filePath).size;
+      size = import_node_fs12.default.statSync(filePath).size;
     } catch {
     }
     const w = {
@@ -17267,10 +17951,10 @@ var SessionObserver = class {
       adapter: args.adapter
     };
     try {
-      import_node_fs10.default.mkdirSync(import_node_path9.default.dirname(filePath), { recursive: true });
+      import_node_fs12.default.mkdirSync(import_node_path12.default.dirname(filePath), { recursive: true });
     } catch {
     }
-    w.watcher = import_node_fs10.default.watch(import_node_path9.default.dirname(filePath), { persistent: false }, (_event, changedName) => {
+    w.watcher = import_node_fs12.default.watch(import_node_path12.default.dirname(filePath), { persistent: false }, (_event, changedName) => {
       if (!changedName || !filePath.endsWith(changedName)) return;
       this.poll(w);
     });
@@ -17285,7 +17969,7 @@ var SessionObserver = class {
   // reducer.shallowEqMeta diff 让重复 patch 静默吞掉；异常静默吞，不阻塞 watcher 启动
   hydrateMetaTail(w, maxLines = 200) {
     try {
-      const raw = import_node_fs10.default.readFileSync(w.filePath, "utf8");
+      const raw = import_node_fs12.default.readFileSync(w.filePath, "utf8");
       if (!raw) return;
       const allLines = raw.split("\n").filter((l) => l.trim().length > 0);
       if (allLines.length === 0) return;
@@ -17306,7 +17990,7 @@ var SessionObserver = class {
   poll(w) {
     let size = 0;
     try {
-      size = import_node_fs10.default.statSync(w.filePath).size;
+      size = import_node_fs12.default.statSync(w.filePath).size;
     } catch {
       return;
     }
@@ -17315,11 +17999,11 @@ var SessionObserver = class {
       w.buf = "";
     }
     if (size === w.lastSize) return;
-    const fd = import_node_fs10.default.openSync(w.filePath, "r");
+    const fd = import_node_fs12.default.openSync(w.filePath, "r");
     try {
       const len = size - w.lastSize;
       const buf = Buffer.alloc(len);
-      import_node_fs10.default.readSync(fd, buf, 0, len, w.lastSize);
+      import_node_fs12.default.readSync(fd, buf, 0, len, w.lastSize);
       w.lastSize = size;
       w.buf += buf.toString("utf8");
       let newlineIndex;
@@ -17333,7 +18017,7 @@ var SessionObserver = class {
         this.maybeReportUserMessage(w.sessionId, line);
       }
     } finally {
-      import_node_fs10.default.closeSync(fd);
+      import_node_fs12.default.closeSync(fd);
     }
   }
   // 解析 JSONL 单行：仅当是主链 user 文本行（非 sidechain / 非 sub-agent / message.role='user'
@@ -17431,6 +18115,7 @@ var import_websocket = __toESM(require_websocket(), 1);
 var import_websocket_server = __toESM(require_websocket_server(), 1);
 
 // src/transport/local-ws-server.ts
+var PERSONA_PATH_RE = /^\/personas\/([a-zA-Z0-9._-]+)$/;
 var LocalWsServer = class {
   constructor(opts) {
     this.opts = opts;
@@ -17459,7 +18144,7 @@ var LocalWsServer = class {
         this.logger?.error("ws server error", { err: err.message });
         reject(err);
       });
-      wss.on("connection", (socket, req) => this.onConnection(socket, req?.socket?.remoteAddress));
+      wss.on("connection", (socket, req) => this.routeConnection(socket, req));
       this.wss = wss;
     });
   }
@@ -17524,6 +18209,35 @@ var LocalWsServer = class {
     if (!c) return;
     this.safeSend(c.ws, frame);
   }
+  // URL path 路由：'/' → owner mode（first-message authToken gate 走 onConnection），
+  // '/personas/<id>' → personaBoundHandler，其它 → close 4404
+  routeConnection(socket, req) {
+    const remoteAddress = req?.socket?.remoteAddress;
+    const urlPath = (() => {
+      try {
+        return new URL(req.url ?? "/", "http://localhost").pathname;
+      } catch {
+        return "/";
+      }
+    })();
+    if (urlPath === "/") {
+      this.onConnection(socket, remoteAddress);
+      return;
+    }
+    const personaMatch = urlPath.match(PERSONA_PATH_RE);
+    if (personaMatch && this.opts.personaBoundHandler) {
+      this.logger?.info("persona ws connected", {
+        personaId: personaMatch[1],
+        remoteAddress
+      });
+      this.opts.personaBoundHandler.handle(socket, personaMatch[1]);
+      return;
+    }
+    try {
+      socket.close(4404, "unknown path");
+    } catch {
+    }
+  }
   onConnection(socket, remoteAddress) {
     const id = v4_default();
     const subscribedSessions = /* @__PURE__ */ new Map();
@@ -17603,15 +18317,9 @@ var LocalWsServer = class {
       return;
     }
     if (frame.type === "session:subscribe" && typeof frame.sessionId === "string") {
-      const sessionId = frame.sessionId;
-      addSubscription(client, sessionId);
+      addSubscription(client, frame.sessionId);
       if (typeof frame.requestId === "string") {
-        this.safeSend(this.clients.get(client.id).ws, { type: "subscribed", requestId: frame.requestId, sessionId });
-      }
-      try {
-        this.opts.onSubscribe?.(client, sessionId);
-      } catch (err) {
-        this.logger?.warn("onSubscribe hook threw", { err: err.message });
+        this.safeSend(this.clients.get(client.id).ws, { type: "subscribed", requestId: frame.requestId, sessionId: frame.sessionId });
       }
       return;
     }
@@ -17661,6 +18369,141 @@ function removeSubscription(client, sessionId) {
   else client.subscribedSessions.set(sessionId, next);
 }
 
+// src/transport/persona-bound-handler.ts
+init_protocol();
+var PersonaBoundHandler = class {
+  constructor(deps) {
+    this.deps = deps;
+  }
+  deps;
+  handle(ws, personaId) {
+    let scope = null;
+    let unsubscribe = null;
+    const send = (frame) => {
+      try {
+        ws.send(JSON.stringify(frame));
+      } catch (err) {
+        this.deps.logger.warn(`persona ws send failed: ${err.message}`);
+      }
+    };
+    ws.on("message", (raw) => {
+      let parsedRaw;
+      try {
+        parsedRaw = JSON.parse(raw.toString());
+      } catch {
+        ws.close(4400, "PROTOCOL_VIOLATION");
+        return;
+      }
+      const parseResult = PersonaClientFrameSchema.safeParse(parsedRaw);
+      if (!parseResult.success) {
+        ws.close(4400, "PROTOCOL_VIOLATION");
+        return;
+      }
+      const frame = parseResult.data;
+      if (!scope) {
+        if (frame.kind !== "persona-hello") {
+          ws.close(4400, "PROTOCOL_VIOLATION");
+          return;
+        }
+        const verify = this.deps.registry.verifyToken(personaId, frame.token);
+        if (!verify.ok) {
+          const code = verify.code === "PERSONA_DELETED" ? 4404 : verify.code === "PERSONA_NOT_PUBLIC" ? 4403 : 4401;
+          ws.close(code, verify.code);
+          return;
+        }
+        const persona = this.deps.registry.get(personaId);
+        if (!persona) {
+          ws.close(4404, "PERSONA_DELETED");
+          return;
+        }
+        let subSessionFile;
+        try {
+          const { sessionFile } = this.deps.personaManager.getOrCreateSubSession(
+            personaId,
+            frame.token
+          );
+          subSessionFile = sessionFile;
+        } catch (err) {
+          this.deps.logger.warn(
+            `persona getOrCreateSubSession failed: ${err.message}`
+          );
+          ws.close(1011, "INTERNAL");
+          return;
+        }
+        scope = { personaId, subSessionId: subSessionFile.sessionId };
+        send({
+          kind: "persona-ready",
+          subSessionId: subSessionFile.sessionId,
+          personaLabel: persona.label,
+          cwd: persona.cwd,
+          model: persona.model
+        });
+        unsubscribe = this.deps.sessionManager.subscribe(
+          subSessionFile.sessionId,
+          personaId,
+          (event) => {
+            send({ kind: "event", event });
+          }
+        );
+        try {
+          const history = this.deps.sessionManager.readHistoryEvents(
+            subSessionFile.sessionId,
+            personaId
+          );
+          for (const event of history) {
+            send({ kind: "history-event", event });
+          }
+        } catch (err) {
+          this.deps.logger.warn(
+            `persona history read failed: ${err.message}`
+          );
+        }
+        send({ kind: "history-done" });
+        return;
+      }
+      switch (frame.kind) {
+        case "persona-hello":
+          ws.close(4400, "PROTOCOL_VIOLATION");
+          return;
+        case "send": {
+          try {
+            this.deps.sessionManager.sendForAgent({
+              sessionId: scope.subSessionId,
+              agentId: scope.personaId,
+              text: frame.text
+            });
+          } catch (err) {
+            this.deps.logger.warn(
+              `persona sendForAgent failed: ${err.message}`
+            );
+          }
+          return;
+        }
+        case "reset": {
+          try {
+            this.deps.sessionManager.resetForAgent({
+              sessionId: scope.subSessionId,
+              agentId: scope.personaId
+            });
+          } catch (err) {
+            this.deps.logger.warn(
+              `persona resetForAgent failed: ${err.message}`
+            );
+          }
+          return;
+        }
+        case "ping":
+          send({ kind: "pong" });
+          return;
+      }
+    });
+    ws.on("close", () => {
+      unsubscribe?.();
+      unsubscribe = null;
+    });
+  }
+};
+
 // src/transport/auth.ts
 init_protocol();
 var AuthGate = class {
@@ -17756,10 +18599,10 @@ function isLocalhost(addr) {
 }
 
 // src/discovery/state-file.ts
-var import_node_fs11 = __toESM(require("fs"), 1);
-var import_node_path10 = __toESM(require("path"), 1);
+var import_node_fs13 = __toESM(require("fs"), 1);
+var import_node_path13 = __toESM(require("path"), 1);
 function defaultStateFilePath(dataDir) {
-  return import_node_path10.default.join(dataDir, "state.json");
+  return import_node_path13.default.join(dataDir, "state.json");
 }
 function isPidAlive(pid) {
   if (!Number.isFinite(pid) || pid <= 0) return false;
@@ -17781,7 +18624,7 @@ var StateFileManager = class {
   }
   read() {
     try {
-      const raw = import_node_fs11.default.readFileSync(this.file, "utf8");
+      const raw = import_node_fs13.default.readFileSync(this.file, "utf8");
       const parsed = JSON.parse(raw);
       return parsed;
     } catch {
@@ -17795,34 +18638,34 @@ var StateFileManager = class {
     return { status: "stale", existing };
   }
   write(state) {
-    import_node_fs11.default.mkdirSync(import_node_path10.default.dirname(this.file), { recursive: true });
+    import_node_fs13.default.mkdirSync(import_node_path13.default.dirname(this.file), { recursive: true });
     const tmp = `${this.file}.tmp.${process.pid}.${Date.now()}`;
-    import_node_fs11.default.writeFileSync(tmp, JSON.stringify(state, null, 2), { mode: 384 });
-    import_node_fs11.default.renameSync(tmp, this.file);
+    import_node_fs13.default.writeFileSync(tmp, JSON.stringify(state, null, 2), { mode: 384 });
+    import_node_fs13.default.renameSync(tmp, this.file);
     if (process.platform !== "win32") {
       try {
-        import_node_fs11.default.chmodSync(this.file, 384);
+        import_node_fs13.default.chmodSync(this.file, 384);
       } catch {
       }
     }
   }
   delete() {
     try {
-      import_node_fs11.default.unlinkSync(this.file);
+      import_node_fs13.default.unlinkSync(this.file);
     } catch {
     }
   }
 };
 
 // src/tunnel/tunnel-manager.ts
-var import_node_fs14 = __toESM(require("fs"), 1);
-var import_node_path13 = __toESM(require("path"), 1);
-var import_node_crypto3 = __toESM(require("crypto"), 1);
+var import_node_fs16 = __toESM(require("fs"), 1);
+var import_node_path16 = __toESM(require("path"), 1);
+var import_node_crypto4 = __toESM(require("crypto"), 1);
 var import_node_child_process4 = require("child_process");
 
 // src/tunnel/tunnel-store.ts
-var import_node_fs12 = __toESM(require("fs"), 1);
-var import_node_path11 = __toESM(require("path"), 1);
+var import_node_fs14 = __toESM(require("fs"), 1);
+var import_node_path14 = __toESM(require("path"), 1);
 var TunnelStore = class {
   constructor(filePath) {
     this.filePath = filePath;
@@ -17830,7 +18673,7 @@ var TunnelStore = class {
   filePath;
   async get() {
     try {
-      const raw = await import_node_fs12.default.promises.readFile(this.filePath, "utf8");
+      const raw = await import_node_fs14.default.promises.readFile(this.filePath, "utf8");
       const obj = JSON.parse(raw);
       if (!isPersistedTunnel(obj)) return null;
       return obj;
@@ -17841,22 +18684,22 @@ var TunnelStore = class {
     }
   }
   async set(v) {
-    const dir = import_node_path11.default.dirname(this.filePath);
-    await import_node_fs12.default.promises.mkdir(dir, { recursive: true });
+    const dir = import_node_path14.default.dirname(this.filePath);
+    await import_node_fs14.default.promises.mkdir(dir, { recursive: true });
     const data = JSON.stringify(v, null, 2);
     const tmp = `${this.filePath}.tmp.${process.pid}.${Date.now()}`;
-    await import_node_fs12.default.promises.writeFile(tmp, data, { mode: 384 });
+    await import_node_fs14.default.promises.writeFile(tmp, data, { mode: 384 });
     if (process.platform !== "win32") {
       try {
-        await import_node_fs12.default.promises.chmod(tmp, 384);
+        await import_node_fs14.default.promises.chmod(tmp, 384);
       } catch {
       }
     }
-    await import_node_fs12.default.promises.rename(tmp, this.filePath);
+    await import_node_fs14.default.promises.rename(tmp, this.filePath);
   }
   async clear() {
     try {
-      await import_node_fs12.default.promises.unlink(this.filePath);
+      await import_node_fs14.default.promises.unlink(this.filePath);
     } catch (err) {
       const code = err?.code;
       if (code !== "ENOENT") throw err;
@@ -17951,9 +18794,9 @@ function escape(v) {
 }
 
 // src/tunnel/frpc-binary.ts
-var import_node_fs13 = __toESM(require("fs"), 1);
+var import_node_fs15 = __toESM(require("fs"), 1);
 var import_node_os7 = __toESM(require("os"), 1);
-var import_node_path12 = __toESM(require("path"), 1);
+var import_node_path15 = __toESM(require("path"), 1);
 var import_node_child_process3 = require("child_process");
 var import_node_stream = require("stream");
 var import_promises = require("stream/promises");
@@ -17985,20 +18828,20 @@ function frpcDownloadUrl(version2, p) {
 }
 async function ensureFrpcBinary(opts) {
   if (opts.override) {
-    if (!import_node_fs13.default.existsSync(opts.override)) {
+    if (!import_node_fs15.default.existsSync(opts.override)) {
       throw new Error(`frpc binary not found at override path: ${opts.override}`);
     }
     return opts.override;
   }
   const version2 = opts.version ?? FRPC_VERSION;
   const platform = opts.platform ?? detectPlatform();
-  const binDir = import_node_path12.default.join(opts.dataDir, "bin");
-  import_node_fs13.default.mkdirSync(binDir, { recursive: true });
+  const binDir = import_node_path15.default.join(opts.dataDir, "bin");
+  import_node_fs15.default.mkdirSync(binDir, { recursive: true });
   cleanupStaleArtifacts(binDir);
-  const stableBin = import_node_path12.default.join(binDir, "frpc");
-  if (import_node_fs13.default.existsSync(stableBin)) return stableBin;
+  const stableBin = import_node_path15.default.join(binDir, "frpc");
+  if (import_node_fs15.default.existsSync(stableBin)) return stableBin;
   const partialBin = `${stableBin}.partial`;
-  const tarballPath = import_node_path12.default.join(binDir, `frp_${version2}_${platform.os}_${platform.arch}.tar.gz.partial`);
+  const tarballPath = import_node_path15.default.join(binDir, `frp_${version2}_${platform.os}_${platform.arch}.tar.gz.partial`);
   try {
     const url = frpcDownloadUrl(version2, platform);
     await downloadToFile(url, tarballPath, opts.fetchImpl);
@@ -18007,8 +18850,8 @@ async function ensureFrpcBinary(opts) {
     } else {
       await extractFrpcFromTarball(tarballPath, binDir, version2, platform, partialBin);
     }
-    import_node_fs13.default.chmodSync(partialBin, 493);
-    import_node_fs13.default.renameSync(partialBin, stableBin);
+    import_node_fs15.default.chmodSync(partialBin, 493);
+    import_node_fs15.default.renameSync(partialBin, stableBin);
   } finally {
     safeUnlink(tarballPath);
     safeUnlink(partialBin);
@@ -18018,15 +18861,15 @@ async function ensureFrpcBinary(opts) {
 function cleanupStaleArtifacts(binDir) {
   let entries;
   try {
-    entries = import_node_fs13.default.readdirSync(binDir);
+    entries = import_node_fs15.default.readdirSync(binDir);
   } catch {
     return;
   }
   for (const name of entries) {
     if (name.endsWith(".partial") || name.startsWith("extract-")) {
-      const full = import_node_path12.default.join(binDir, name);
+      const full = import_node_path15.default.join(binDir, name);
       try {
-        import_node_fs13.default.rmSync(full, { recursive: true, force: true });
+        import_node_fs15.default.rmSync(full, { recursive: true, force: true });
       } catch {
       }
     }
@@ -18034,7 +18877,7 @@ function cleanupStaleArtifacts(binDir) {
 }
 function safeUnlink(p) {
   try {
-    import_node_fs13.default.unlinkSync(p);
+    import_node_fs15.default.unlinkSync(p);
   } catch {
   }
 }
@@ -18045,13 +18888,13 @@ async function downloadToFile(url, dest, fetchImpl) {
   if (!res.ok || !res.body) {
     throw new Error(`download failed: ${res.status} ${res.statusText}`);
   }
-  const out = import_node_fs13.default.createWriteStream(dest);
+  const out = import_node_fs15.default.createWriteStream(dest);
   const nodeStream = import_node_stream.Readable.fromWeb(res.body);
   await (0, import_promises.pipeline)(nodeStream, out);
 }
 async function extractFrpcFromTarball(tarball, binDir, version2, platform, destBin) {
-  const work = import_node_path12.default.join(binDir, `extract-${process.pid}-${Date.now()}`);
-  import_node_fs13.default.mkdirSync(work, { recursive: true });
+  const work = import_node_path15.default.join(binDir, `extract-${process.pid}-${Date.now()}`);
+  import_node_fs15.default.mkdirSync(work, { recursive: true });
   try {
     await new Promise((resolve, reject) => {
       const proc = (0, import_node_child_process3.spawn)("tar", ["xzf", tarball, "-C", work], { stdio: "pipe" });
@@ -18059,13 +18902,13 @@ async function extractFrpcFromTarball(tarball, binDir, version2, platform, destB
       proc.on("exit", (code) => code === 0 ? resolve() : reject(new Error(`tar exited ${code}`)));
     });
     const dirName = `frp_${version2}_${platform.os}_${platform.arch}`;
-    const src = import_node_path12.default.join(work, dirName, "frpc");
-    if (!import_node_fs13.default.existsSync(src)) {
+    const src = import_node_path15.default.join(work, dirName, "frpc");
+    if (!import_node_fs15.default.existsSync(src)) {
       throw new Error(`frpc not found inside tarball at ${src}`);
     }
-    import_node_fs13.default.copyFileSync(src, destBin);
+    import_node_fs15.default.copyFileSync(src, destBin);
   } finally {
-    import_node_fs13.default.rmSync(work, { recursive: true, force: true });
+    import_node_fs15.default.rmSync(work, { recursive: true, force: true });
   }
 }
 
@@ -18074,7 +18917,7 @@ var DEFAULT_TUNNEL_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
 var TunnelManager = class {
   constructor(deps) {
     this.deps = deps;
-    this.store = deps.store ?? new TunnelStore(import_node_path13.default.join(deps.dataDir, "tunnel.json"));
+    this.store = deps.store ?? new TunnelStore(import_node_path16.default.join(deps.dataDir, "tunnel.json"));
     this.ttlMs = deps.ttlMs ?? DEFAULT_TUNNEL_TTL_MS;
     this.startupTimeoutMs = deps.startupTimeoutMs ?? 15e3;
   }
@@ -18191,8 +19034,8 @@ var TunnelManager = class {
         dataDir: this.deps.dataDir,
         override: this.deps.frpcBinaryOverride ?? void 0
       });
-      const tomlPath = import_node_path13.default.join(this.deps.dataDir, "frpc.toml");
-      const proxyName = `clawd-${t.subdomain}-${localPort}-${import_node_crypto3.default.randomBytes(3).toString("hex")}`;
+      const tomlPath = import_node_path16.default.join(this.deps.dataDir, "frpc.toml");
+      const proxyName = `clawd-${t.subdomain}-${localPort}-${import_node_crypto4.default.randomBytes(3).toString("hex")}`;
       const toml = buildFrpcToml({
         serverAddr: t.frpsHost,
         serverPort: t.frpsPort,
@@ -18202,12 +19045,12 @@ var TunnelManager = class {
         localPort,
         logLevel: "info"
       });
-      await import_node_fs14.default.promises.writeFile(tomlPath, toml, { mode: 384 });
+      await import_node_fs16.default.promises.writeFile(tomlPath, toml, { mode: 384 });
       const proc = (this.deps.spawnImpl ?? import_node_child_process4.spawn)(frpcBin, ["-c", tomlPath], {
         stdio: ["ignore", "pipe", "pipe"]
       });
-      const logFilePath = import_node_path13.default.join(this.deps.dataDir, "frpc.log");
-      const logStream = import_node_fs14.default.createWriteStream(logFilePath, { flags: "a", mode: 384 });
+      const logFilePath = import_node_path16.default.join(this.deps.dataDir, "frpc.log");
+      const logStream = import_node_fs16.default.createWriteStream(logFilePath, { flags: "a", mode: 384 });
       logStream.on("error", () => {
       });
       const tee = (chunk) => {
@@ -18289,22 +19132,22 @@ async function waitForFrpcReady(proc, timeoutMs) {
 
 // src/tunnel/device-key.ts
 var import_node_os8 = __toESM(require("os"), 1);
-var import_node_crypto4 = __toESM(require("crypto"), 1);
+var import_node_crypto5 = __toESM(require("crypto"), 1);
 var DERIVE_SALT = "clawd-tunnel-device-v1";
 function deriveStableDeviceKey(opts = {}) {
   const hostname = opts.hostname ?? import_node_os8.default.hostname();
   const uid = opts.uid ?? (typeof import_node_os8.default.userInfo === "function" ? import_node_os8.default.userInfo().uid : 0);
   const input = `${hostname}::${uid}`;
-  return import_node_crypto4.default.createHmac("sha256", DERIVE_SALT).update(input).digest("hex").slice(0, 32);
+  return import_node_crypto5.default.createHmac("sha256", DERIVE_SALT).update(input).digest("hex").slice(0, 32);
 }
 
 // src/auth-store.ts
-var import_node_fs15 = __toESM(require("fs"), 1);
-var import_node_path14 = __toESM(require("path"), 1);
-var import_node_crypto5 = __toESM(require("crypto"), 1);
+var import_node_fs17 = __toESM(require("fs"), 1);
+var import_node_path17 = __toESM(require("path"), 1);
+var import_node_crypto6 = __toESM(require("crypto"), 1);
 var AUTH_FILE_NAME = "auth.json";
 function authFilePath(dataDir) {
-  return import_node_path14.default.join(dataDir, AUTH_FILE_NAME);
+  return import_node_path17.default.join(dataDir, AUTH_FILE_NAME);
 }
 function loadOrCreateAuthToken(opts) {
   const file = authFilePath(opts.dataDir);
@@ -18316,11 +19159,11 @@ function loadOrCreateAuthToken(opts) {
   return token;
 }
 function defaultGenerate() {
-  return import_node_crypto5.default.randomBytes(32).toString("base64url");
+  return import_node_crypto6.default.randomBytes(32).toString("base64url");
 }
 function readAuthFile(file) {
   try {
-    const raw = import_node_fs15.default.readFileSync(file, "utf8");
+    const raw = import_node_fs17.default.readFileSync(file, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed?.token === "string" && parsed.token.length > 0) {
       return {
@@ -18336,10 +19179,10 @@ function readAuthFile(file) {
   }
 }
 function writeAuthFile(file, content) {
-  import_node_fs15.default.mkdirSync(import_node_path14.default.dirname(file), { recursive: true });
-  import_node_fs15.default.writeFileSync(file, JSON.stringify(content, null, 2), { mode: 384 });
+  import_node_fs17.default.mkdirSync(import_node_path17.default.dirname(file), { recursive: true });
+  import_node_fs17.default.writeFileSync(file, JSON.stringify(content, null, 2), { mode: 384 });
   try {
-    import_node_fs15.default.chmodSync(file, 384);
+    import_node_fs17.default.chmodSync(file, 384);
   } catch {
   }
 }
@@ -18351,12 +19194,12 @@ init_protocol();
 init_protocol();
 
 // src/session/fork.ts
-var import_node_fs16 = __toESM(require("fs"), 1);
+var import_node_fs18 = __toESM(require("fs"), 1);
 var import_node_os9 = __toESM(require("os"), 1);
-var import_node_path15 = __toESM(require("path"), 1);
+var import_node_path18 = __toESM(require("path"), 1);
 init_claude_history();
 function readJsonlEntries(file) {
-  const raw = import_node_fs16.default.readFileSync(file, "utf8");
+  const raw = import_node_fs18.default.readFileSync(file, "utf8");
   const out = [];
   for (const line of raw.split("\n")) {
     const t = line.trim();
@@ -18369,10 +19212,10 @@ function readJsonlEntries(file) {
   return out;
 }
 function forkSession(input) {
-  const baseDir = input.baseDir ?? import_node_path15.default.join(import_node_os9.default.homedir(), ".claude");
-  const projectDir = import_node_path15.default.join(baseDir, "projects", cwdToHashDir(input.cwd));
-  const sourceFile = import_node_path15.default.join(projectDir, `${input.toolSessionId}.jsonl`);
-  if (!import_node_fs16.default.existsSync(sourceFile)) {
+  const baseDir = input.baseDir ?? import_node_path18.default.join(import_node_os9.default.homedir(), ".claude");
+  const projectDir = import_node_path18.default.join(baseDir, "projects", cwdToHashDir(input.cwd));
+  const sourceFile = import_node_path18.default.join(projectDir, `${input.toolSessionId}.jsonl`);
+  if (!import_node_fs18.default.existsSync(sourceFile)) {
     throw new Error(`fork: source transcript not found: ${sourceFile}`);
   }
   const entries = readJsonlEntries(sourceFile);
@@ -18402,9 +19245,9 @@ function forkSession(input) {
     }
     forkedLines.push(JSON.stringify(forked));
   }
-  const forkedFilePath = import_node_path15.default.join(projectDir, `${forkedToolSessionId}.jsonl`);
-  import_node_fs16.default.mkdirSync(projectDir, { recursive: true });
-  import_node_fs16.default.writeFileSync(forkedFilePath, forkedLines.join("\n") + "\n", { mode: 384 });
+  const forkedFilePath = import_node_path18.default.join(projectDir, `${forkedToolSessionId}.jsonl`);
+  import_node_fs18.default.mkdirSync(projectDir, { recursive: true });
+  import_node_fs18.default.writeFileSync(forkedFilePath, forkedLines.join("\n") + "\n", { mode: 384 });
   return { forkedToolSessionId, forkedFilePath };
 }
 
@@ -18674,9 +19517,9 @@ init_protocol();
 
 // src/workspace/git.ts
 var import_node_child_process5 = require("child_process");
-var import_node_fs17 = __toESM(require("fs"), 1);
+var import_node_fs19 = __toESM(require("fs"), 1);
 var import_node_os10 = __toESM(require("os"), 1);
-var import_node_path16 = __toESM(require("path"), 1);
+var import_node_path19 = __toESM(require("path"), 1);
 var import_node_util = require("util");
 var pexec = (0, import_node_util.promisify)(import_node_child_process5.execFile);
 function formatChildProcessError(err) {
@@ -18691,9 +19534,9 @@ function formatChildProcessError(err) {
   return e.message ?? "unknown error";
 }
 function normalizePath(p) {
-  const resolved = import_node_path16.default.resolve(p);
+  const resolved = import_node_path19.default.resolve(p);
   try {
-    return import_node_fs17.default.realpathSync(resolved);
+    return import_node_fs19.default.realpathSync(resolved);
   } catch {
     return resolved;
   }
@@ -18794,13 +19637,13 @@ function flattenToDirName(branch) {
 }
 function encodeClaudeProjectDir(absPath) {
   if (!absPath || typeof absPath !== "string") return "";
-  let canonical = import_node_path16.default.resolve(absPath);
+  let canonical = import_node_path19.default.resolve(absPath);
   try {
-    canonical = import_node_fs17.default.realpathSync(canonical);
+    canonical = import_node_fs19.default.realpathSync(canonical);
   } catch {
     try {
-      const parent = import_node_fs17.default.realpathSync(import_node_path16.default.dirname(canonical));
-      canonical = import_node_path16.default.join(parent, import_node_path16.default.basename(canonical));
+      const parent = import_node_fs19.default.realpathSync(import_node_path19.default.dirname(canonical));
+      canonical = import_node_path19.default.join(parent, import_node_path19.default.basename(canonical));
     } catch {
     }
   }
@@ -18824,11 +19667,11 @@ async function createWorktree(input) {
   if (!isGitRoot) {
     throw new Error(`\u76EE\u5F55 ${cwd} \u4E0D\u662F git repo \u6839`);
   }
-  const parent = import_node_path16.default.dirname(import_node_path16.default.resolve(cwd));
-  if (parent === "/" || parent === import_node_path16.default.resolve(cwd)) {
+  const parent = import_node_path19.default.dirname(import_node_path19.default.resolve(cwd));
+  if (parent === "/" || parent === import_node_path19.default.resolve(cwd)) {
     throw new Error("repo \u5728\u78C1\u76D8\u6839\u76EE\u5F55\uFF0C\u65E0\u6CD5\u5728\u540C\u7EA7\u521B\u5EFA worktree");
   }
-  const worktreeRoot = import_node_path16.default.join(parent, dirName);
+  const worktreeRoot = import_node_path19.default.join(parent, dirName);
   try {
     await pexec("git", ["-C", cwd, "rev-parse", "--verify", `refs/heads/${baseBranch}`], {
       timeout: 3e3
@@ -18845,7 +19688,7 @@ async function createWorktree(input) {
     const msg = err.message;
     if (msg.startsWith("\u5206\u652F ")) throw err;
   }
-  if (import_node_fs17.default.existsSync(worktreeRoot)) {
+  if (import_node_fs19.default.existsSync(worktreeRoot)) {
     throw new Error(`\u76EE\u5F55 ${worktreeRoot} \u5DF2\u5B58\u5728\uFF0C\u8BF7\u6362\u4E00\u4E2A label \u6216\u6E05\u7406\u540E\u91CD\u8BD5`);
   }
   try {
@@ -18873,8 +19716,8 @@ async function removeWorktree(input) {
     );
     const gitCommonDir = stdout.trim();
     if (!gitCommonDir) throw new Error("empty git-common-dir");
-    const absGitCommon = import_node_path16.default.isAbsolute(gitCommonDir) ? gitCommonDir : import_node_path16.default.resolve(worktreeRoot, gitCommonDir);
-    repoRoot = import_node_path16.default.dirname(absGitCommon);
+    const absGitCommon = import_node_path19.default.isAbsolute(gitCommonDir) ? gitCommonDir : import_node_path19.default.resolve(worktreeRoot, gitCommonDir);
+    repoRoot = import_node_path19.default.dirname(absGitCommon);
   } catch {
     repoRoot = null;
   }
@@ -18886,7 +19729,7 @@ async function removeWorktree(input) {
     } catch (err) {
       const stderr = err.stderr ?? "";
       const lower = stderr.toLowerCase();
-      const vanished = lower.includes("not a working tree") || lower.includes("is not a working tree") || !import_node_fs17.default.existsSync(worktreeRoot);
+      const vanished = lower.includes("not a working tree") || lower.includes("is not a working tree") || !import_node_fs19.default.existsSync(worktreeRoot);
       if (!vanished) {
         throw new Error(`\u6E05\u7406 worktree \u5931\u8D25\uFF1A${formatChildProcessError(err)}`);
       }
@@ -18905,10 +19748,10 @@ async function removeWorktree(input) {
   try {
     const encoded = encodeClaudeProjectDir(worktreeRoot);
     if (encoded) {
-      const projectsRoot = import_node_path16.default.join(import_node_os10.default.homedir(), ".claude", "projects");
-      const target = import_node_path16.default.resolve(projectsRoot, encoded);
-      if (target.startsWith(projectsRoot + import_node_path16.default.sep) && target !== projectsRoot) {
-        import_node_fs17.default.rmSync(target, { recursive: true, force: true });
+      const projectsRoot = import_node_path19.default.join(import_node_os10.default.homedir(), ".claude", "projects");
+      const target = import_node_path19.default.resolve(projectsRoot, encoded);
+      if (target.startsWith(projectsRoot + import_node_path19.default.sep) && target !== projectsRoot) {
+        import_node_fs19.default.rmSync(target, { recursive: true, force: true });
       }
     }
   } catch {
@@ -18998,13 +19841,15 @@ function buildReadyFrame(deps) {
       tools.push({ id, available: false });
     }
   }
+  const tunnelUrl = deps.getTunnelUrl ? deps.getTunnelUrl() : null;
   return {
     version,
     protocolVersion: PROTOCOL_VERSION,
     hostname: import_node_os11.default.hostname(),
     os: process.platform,
     tools,
-    runningSessions: info.runningSessions
+    runningSessions: info.runningSessions,
+    tunnelUrl
   };
 }
 function buildMetaHandlers(deps) {
@@ -19020,6 +19865,79 @@ function buildMetaHandlers(deps) {
   };
 }
 
+// src/handlers/persona.ts
+init_protocol();
+function buildPersonaHandlers(deps) {
+  const { personaManager, personaRegistry, sessionManager } = deps;
+  const create = async (frame) => {
+    const args = PersonaCreateArgs.parse(frame);
+    const persona = personaManager.create(args);
+    return { response: { type: "persona:info", ...persona } };
+  };
+  const list = async () => {
+    return {
+      response: { type: "persona:list", personas: personaRegistry.list() }
+    };
+  };
+  const get = async (frame) => {
+    const args = PersonaIdArgs.parse(frame);
+    const persona = personaRegistry.get(args.personaId) ?? null;
+    if (!persona) {
+      return { response: { type: "persona:info", persona: null } };
+    }
+    return { response: { type: "persona:info", ...persona } };
+  };
+  const update = async (frame) => {
+    const args = PersonaUpdateArgs.parse(frame);
+    const persona = personaManager.update(args.personaId, args.patch);
+    return { response: { type: "persona:info", ...persona } };
+  };
+  const del = async (frame) => {
+    const args = PersonaIdArgs.parse(frame);
+    personaManager.delete(args.personaId);
+    return {
+      response: { type: "persona:deleted", personaId: args.personaId }
+    };
+  };
+  const issueToken = async (frame) => {
+    const args = PersonaIssueTokenArgs.parse(frame);
+    const { token, persona } = personaManager.issueToken(args.personaId, args.label);
+    return {
+      response: { type: "persona:tokenIssued", token, persona }
+    };
+  };
+  const revokeToken = async (frame) => {
+    const args = PersonaRevokeTokenArgs.parse(frame);
+    const persona = personaManager.revokeToken(args.personaId, args.token);
+    return { response: { type: "persona:info", ...persona } };
+  };
+  const listSubSessions = async (frame) => {
+    const args = PersonaIdArgs.parse(frame);
+    const sessions = sessionManager.listForAgent(args.personaId);
+    return {
+      response: { type: "persona:subSessions", sessions }
+    };
+  };
+  const appendOwnerMessage = async (frame) => {
+    const args = PersonaAppendOwnerMessageArgs.parse(frame);
+    personaManager.appendOwnerMessage(args.personaId, args.subSessionId, args.text);
+    return {
+      response: { type: "persona:appendOwnerMessage", ok: true }
+    };
+  };
+  return {
+    "persona:create": create,
+    "persona:list": list,
+    "persona:get": get,
+    "persona:update": update,
+    "persona:delete": del,
+    "persona:issueToken": issueToken,
+    "persona:revokeToken": revokeToken,
+    "persona:listSubSessions": listSubSessions,
+    "persona:appendOwnerMessage": appendOwnerMessage
+  };
+}
+
 // src/handlers/index.ts
 function buildMethodHandlers(deps) {
   return {
@@ -19029,7 +19947,12 @@ function buildMethodHandlers(deps) {
     ...buildWorkspaceHandlers(deps),
     ...buildGitHandlers(),
     ...buildCapabilitiesHandlers(deps),
-    ...buildMetaHandlers(deps)
+    ...buildMetaHandlers(deps),
+    ...buildPersonaHandlers({
+      personaManager: deps.personaManager,
+      personaRegistry: deps.personaRegistry,
+      sessionManager: deps.manager
+    })
   };
 }
 
@@ -19037,7 +19960,7 @@ function buildMethodHandlers(deps) {
 async function startDaemon(config) {
   const logger = createLogger({
     level: config.logLevel,
-    file: import_node_path17.default.join(config.dataDir, "clawd.log")
+    file: import_node_path20.default.join(config.dataDir, "clawd.log")
   });
   logger.info("starting clawd", { version, config: { port: config.port, host: config.host, dataDir: config.dataDir } });
   const stateMgr = new StateFileManager({ dataDir: config.dataDir });
@@ -19117,35 +20040,43 @@ async function startDaemon(config) {
       manager.recordRealUserUuid({ sessionId, realUuid, text });
     }
   });
-  const handlers = buildMethodHandlers({ manager, workspace, skills, history, observer, getAdapter, store });
+  const personaStore = new PersonaStore({ dataDir: config.dataDir });
+  const personaRegistry = new PersonaRegistry(personaStore);
+  const personaManager = new PersonaManager({
+    store: personaStore,
+    registry: personaRegistry,
+    sessionManager: manager,
+    dataDir: config.dataDir,
+    now: () => /* @__PURE__ */ new Date(),
+    logger
+  });
+  let currentTunnelUrl = null;
+  const handlers = buildMethodHandlers({
+    manager,
+    workspace,
+    skills,
+    history,
+    observer,
+    getAdapter,
+    store,
+    personaManager,
+    personaRegistry,
+    getTunnelUrl: () => currentTunnelUrl
+  });
+  const personaBoundHandler = new PersonaBoundHandler({
+    registry: personaRegistry,
+    personaManager,
+    sessionManager: manager,
+    logger
+  });
   wsServer = new LocalWsServer({
     host: config.host,
     port: config.port,
     logger,
-    readyFrameBuilder: () => buildReadyFrame({ manager, getAdapter }),
+    readyFrameBuilder: () => buildReadyFrame({ manager, getAdapter, getTunnelUrl: () => currentTunnelUrl }),
     protocolVersion: PROTOCOL_VERSION,
     authGate: authGate ?? void 0,
-    // 订阅成功后给该 client 重放 in-flight pendingQuestions（plan: clawd-question-server-truth）。
-    // daemon 是 pendingQuestions 的唯一 source of truth；新 client 接入 / 刷新页面时
-    // 把当前所有未决 question 以 session:question 帧定向回放，让 UI 不再误显示 Ended。
-    // 形状与 reducer permission_request 分支构造的 session:question 帧一致；UI 不区分
-    // 首播 vs 重放（last-write-wins，详见 protocol/events.ts JSDoc）。
-    onSubscribe: (client, sessionId) => {
-      const runner = manager.getActive(sessionId);
-      if (!runner) return;
-      const pendingQuestions = runner.getState().pendingQuestions ?? {};
-      for (const [toolUseId, entry] of Object.entries(pendingQuestions)) {
-        const rawInput = entry.input;
-        const questions = rawInput && typeof rawInput === "object" && "questions" in rawInput ? rawInput.questions : void 0;
-        client.send({
-          type: "session:question",
-          sessionId,
-          toolUseId,
-          requestId: entry.requestId,
-          questions: Array.isArray(questions) ? questions : []
-        });
-      }
-    }
+    personaBoundHandler
   });
   transport = wsServer;
   const wss = wsServer;
@@ -19217,12 +20148,13 @@ async function startDaemon(config) {
       const r = await tunnelMgr.start({ localPort: config.port });
       stateSnapshot = { ...stateSnapshot, tunnelUrl: r.url };
       stateMgr.write(stateSnapshot);
+      currentTunnelUrl = r.url;
       const connectUrl = resolvedAuthToken ? `${r.url}#token=${resolvedAuthToken}` : r.url;
       const lines = [
         `Tunnel:      ${r.url}`,
         ...resolvedAuthToken ? [`Connect:     ${connectUrl}`] : [],
-        `Frpc config: ${import_node_path17.default.join(config.dataDir, "frpc.toml")}`,
-        `Frpc log:    ${import_node_path17.default.join(config.dataDir, "frpc.log")}`
+        `Frpc config: ${import_node_path20.default.join(config.dataDir, "frpc.toml")}`,
+        `Frpc log:    ${import_node_path20.default.join(config.dataDir, "frpc.log")}`
       ];
       const width = Math.max(...lines.map((l) => l.length));
       const bar = "\u2550".repeat(width + 4);
@@ -19235,8 +20167,8 @@ ${bar}
 
 `);
       try {
-        const connectPath = import_node_path17.default.join(config.dataDir, "connect.txt");
-        import_node_fs18.default.writeFileSync(connectPath, lines.join("\n") + "\n", { mode: 384 });
+        const connectPath = import_node_path20.default.join(config.dataDir, "connect.txt");
+        import_node_fs20.default.writeFileSync(connectPath, lines.join("\n") + "\n", { mode: 384 });
       } catch {
       }
     } catch (err) {
@@ -19264,8 +20196,7 @@ ${bar}
     stop: shutdown,
     url,
     tunnelUrl: stateSnapshot.tunnelUrl ?? null,
-    authToken: resolvedAuthToken,
-    manager
+    authToken: resolvedAuthToken
   };
 }