@clawos-dev/clawd 0.2.64-beta.103.774930b → 0.2.64-beta.104.6f4b611

package/dist/cli.cjs

@@ -110,6 +110,22 @@ var init_methods = __esm({
       //   触发频率低（仅 window resize），response 也是 ack。
       "session:pty:input",
       "session:pty:resize",
+      // ---- attachment.* file-sharing（spec §5；详见 attachment-schemas.ts） ----
+      // 命名警告：这里的 `attachment.*` RPC 与 CC v2.x 上行 `type:"attachment"` 系统行
+      // （attachment-skills / attachment-deferred-tools / attachment_memories）是不同概念。
+      // 全部管理类 RPC handler 入口 requireOwner（personal token 调任意一个都 403）；
+      // 实际文件传输走 HTTP 路由（GET/POST，详见 spec §5），不在白名单内。
+      "attachment.outboxCreate",
+      "attachment.outboxRevoke",
+      "attachment.outboxList",
+      "attachment.mountAdd",
+      "attachment.mountRemove",
+      "attachment.mountList",
+      "attachment.groupAdd",
+      "attachment.groupRemove",
+      "attachment.groupList",
+      // v2：跨 session 聚合（本期 UI 不调，保留槽位用于 HTTP ACL 内部判定 / 未来 "All files" tab）
+      "attachment.groupListPersona",
       "info",
       "ping"
     ];
@@ -601,8 +617,8 @@ var init_parseUtil = __esm({
     init_errors2();
     init_en();
     makeIssue = (params) => {
-      const { data, path: path28, errorMaps, issueData } = params;
-      const fullPath = [...path28, ...issueData.path || []];
+      const { data, path: path34, errorMaps, issueData } = params;
+      const fullPath = [...path34, ...issueData.path || []];
       const fullIssue = {
         ...issueData,
         path: fullPath
@@ -913,11 +929,11 @@ var init_types = __esm({
     init_parseUtil();
     init_util();
     ParseInputLazyPath = class {
-      constructor(parent, value, path28, key) {
+      constructor(parent, value, path34, key) {
         this._cachedPath = [];
         this.parent = parent;
         this.data = value;
-        this._path = path28;
+        this._path = path34;
         this._key = key;
       }
       get path() {
@@ -4300,6 +4316,151 @@ var init_zod = __esm({
   }
 });
 
+// ../protocol/src/attachment-schemas.ts
+var TOKEN_ROLES, GROUP_FILE_SOURCES, MOUNT_MODES, GroupFileEntrySchema, MountEntrySchema, OutboxScopeSchema, OutboxCapEntrySchema, AttachmentOutboxCreateArgs, AttachmentOutboxCreateResponseSchema, AttachmentOutboxRevokeArgs, AttachmentOutboxRevokeResponseSchema, AttachmentOutboxListArgs, AttachmentOutboxListResponseSchema, AttachmentMountAddArgs, AttachmentMountAddResponseSchema, AttachmentMountRemoveArgs, AttachmentMountRemoveResponseSchema, AttachmentMountListArgs, AttachmentMountListResponseSchema, AttachmentGroupAddArgs, AttachmentGroupAddResponseSchema, AttachmentGroupRemoveArgs, AttachmentGroupRemoveResponseSchema, AttachmentGroupListArgs, AttachmentGroupListResponseSchema, AttachmentGroupListPersonaArgs, AttachmentGroupListPersonaResponseSchema;
+var init_attachment_schemas = __esm({
+  "../protocol/src/attachment-schemas.ts"() {
+    "use strict";
+    init_zod();
+    TOKEN_ROLES = ["owner", "personal"];
+    GROUP_FILE_SOURCES = ["agent", "user", "owner"];
+    MOUNT_MODES = ["link", "copy"];
+    GroupFileEntrySchema = external_exports.object({
+      /** daemon 派发的稳定 id（用于 RPC remove / UI key） */
+      id: external_exports.string().min(1),
+      /** 相对 personaDir / sessionCwd 的路径 */
+      relPath: external_exports.string().min(1),
+      from: external_exports.enum(GROUP_FILE_SOURCES),
+      /** user 上传时的客户端标识（personal label / hostname），from='user' 才有 */
+      addedBy: external_exports.string().optional(),
+      /** owner 手动加群时的可选备注 */
+      label: external_exports.string().optional(),
+      /** 文件字节数（stat 时拍） */
+      size: external_exports.number().int().nonnegative(),
+      mime: external_exports.string().min(1),
+      /** 入群时间戳（ms） */
+      addedAt: external_exports.number().int().nonnegative(),
+      /** 最近一次 agent Write/Edit 时间戳（agent 反复改同 path 时更新） */
+      lastEditedAt: external_exports.number().int().nonnegative().optional(),
+      /** agent rm / 文件不见了时打标；UI 灰显，不能再 share */
+      stale: external_exports.boolean().optional()
+    });
+    MountEntrySchema = external_exports.object({
+      /** personaDir 下的 basename（link 目标 / copy 目的名） */
+      basename: external_exports.string().min(1),
+      /** 原始绝对路径（link 模式下 realpath 后用于 sandbox.allowRead 派生） */
+      absPath: external_exports.string().min(1),
+      mode: external_exports.enum(MOUNT_MODES)
+    });
+    OutboxScopeSchema = external_exports.discriminatedUnion("kind", [
+      external_exports.object({ kind: external_exports.literal("public") }),
+      external_exports.object({ kind: external_exports.literal("personal"), personalId: external_exports.string().min(1) })
+    ]);
+    OutboxCapEntrySchema = external_exports.object({
+      capToken: external_exports.string().min(1),
+      /** 归属：persona 域 cap 带 personaId；direct 会话 cap 带 sessionId */
+      scopeRef: external_exports.union([
+        external_exports.object({ kind: external_exports.literal("persona"), personaId: external_exports.string().min(1) }),
+        external_exports.object({ kind: external_exports.literal("session"), sessionId: external_exports.string().min(1) })
+      ]),
+      absPath: external_exports.string().min(1),
+      /** display name（UI 列表显示 + Share dialog 标题），通常等于 basename */
+      name: external_exports.string().min(1),
+      expiresAt: external_exports.number().int().nonnegative().nullable(),
+      oneShot: external_exports.boolean(),
+      scope: OutboxScopeSchema,
+      hits: external_exports.number().int().nonnegative(),
+      revoked: external_exports.boolean().optional(),
+      createdAt: external_exports.number().int().nonnegative()
+    });
+    AttachmentOutboxCreateArgs = external_exports.object({
+      /** persona 域：传 personaId；direct 会话：传 sessionId（二选一） */
+      personaId: external_exports.string().min(1).optional(),
+      sessionId: external_exports.string().min(1).optional(),
+      absPath: external_exports.string().min(1),
+      /** TTL 秒数；缺省 24h；'never' 走 null */
+      ttlSeconds: external_exports.number().int().positive().nullable().optional(),
+      oneShot: external_exports.boolean().optional(),
+      scope: OutboxScopeSchema.optional()
+    });
+    AttachmentOutboxCreateResponseSchema = external_exports.object({
+      capToken: external_exports.string().min(1),
+      /** 完整 URL（含 httpBaseUrl 前缀），UI 直接复制到剪贴板 */
+      url: external_exports.string().min(1),
+      expiresAt: external_exports.number().int().nonnegative().nullable()
+    });
+    AttachmentOutboxRevokeArgs = external_exports.object({
+      capToken: external_exports.string().min(1)
+    });
+    AttachmentOutboxRevokeResponseSchema = external_exports.object({
+      revoked: external_exports.literal(true)
+    });
+    AttachmentOutboxListArgs = external_exports.object({
+      /** 缺省 = 全部（含 direct 会话）；传 personaId 过滤到该 persona */
+      personaId: external_exports.string().min(1).optional()
+    });
+    AttachmentOutboxListResponseSchema = external_exports.object({
+      entries: external_exports.array(OutboxCapEntrySchema)
+    });
+    AttachmentMountAddArgs = external_exports.object({
+      personaId: external_exports.string().min(1),
+      absPath: external_exports.string().min(1),
+      mode: external_exports.enum(MOUNT_MODES)
+    });
+    AttachmentMountAddResponseSchema = external_exports.object({
+      entry: MountEntrySchema,
+      /** sandbox.allowRead 派生后是否需要重启 session 才能让 CC 子进程跟 symlink */
+      sandboxRestartNeeded: external_exports.boolean()
+    });
+    AttachmentMountRemoveArgs = external_exports.object({
+      personaId: external_exports.string().min(1),
+      basename: external_exports.string().min(1)
+    });
+    AttachmentMountRemoveResponseSchema = external_exports.object({
+      removed: external_exports.literal(true)
+    });
+    AttachmentMountListArgs = external_exports.object({
+      personaId: external_exports.string().min(1)
+    });
+    AttachmentMountListResponseSchema = external_exports.object({
+      entries: external_exports.array(MountEntrySchema)
+    });
+    AttachmentGroupAddArgs = external_exports.object({
+      sessionId: external_exports.string().min(1),
+      relPath: external_exports.string().min(1),
+      /** owner 手动加群时可选备注；agent / inbox 自动入清单不走此 RPC */
+      label: external_exports.string().optional()
+    });
+    AttachmentGroupAddResponseSchema = external_exports.object({
+      entry: GroupFileEntrySchema
+    });
+    AttachmentGroupRemoveArgs = external_exports.object({
+      sessionId: external_exports.string().min(1),
+      relPath: external_exports.string().min(1)
+    });
+    AttachmentGroupRemoveResponseSchema = external_exports.object({
+      removed: external_exports.literal(true)
+    });
+    AttachmentGroupListArgs = external_exports.object({
+      sessionId: external_exports.string().min(1)
+    });
+    AttachmentGroupListResponseSchema = external_exports.object({
+      entries: external_exports.array(GroupFileEntrySchema)
+    });
+    AttachmentGroupListPersonaArgs = external_exports.object({
+      personaId: external_exports.string().min(1)
+    });
+    AttachmentGroupListPersonaResponseSchema = external_exports.object({
+      perSession: external_exports.array(
+        external_exports.object({
+          sessionId: external_exports.string().min(1),
+          entries: external_exports.array(GroupFileEntrySchema)
+        })
+      )
+    });
+  }
+});
+
 // ../protocol/src/persona-schemas.ts
 var PersonaTokenEntrySchema, PersonaFileSchema, PersonaSkillSummarySchema, PersonaSandboxSettingsSchema, PersonaInfoResponseSchema, PersonaCreateArgsSchema, PersonaIdArgsSchema, PersonaUpdateArgsSchema, PersonaIssueTokenArgsSchema, PersonaRevokeTokenArgsSchema, PersonaAppendOwnerMessageArgsSchema, FRAME_TYPE_CHAT_OPEN, FRAME_TYPE_CHAT_RENAME, FRAME_TYPE_CHAT_DELETE, FRAME_TYPE_CHAT_LIST, FRAME_TYPE_CHAT_CREATED, FRAME_TYPE_CHAT_RENAMED, FRAME_TYPE_CHAT_DELETED, FRAME_TYPE_PERSONA_LISTENER_CHAT_CREATED, FRAME_TYPE_PERSONA_LISTENER_CHAT_RENAMED, FRAME_TYPE_PERSONA_LISTENER_CHAT_DELETED, FRAME_TYPE_PERSONA_LISTENER_STATUS, ChatSummarySchema, ChatOpenRequestSchema, ChatRenameRequestSchema, ChatDeleteRequestSchema, ChatRenameResponseSchema, ChatDeleteResponseSchema, ChatListPushSchema, ChatCreatedFrameSchema, ChatRenamedFrameSchema, ChatDeletedFrameSchema, PersonaListenerChatCreatedFrameSchema, PersonaListenerChatRenamedFrameSchema, PersonaListenerChatDeletedFrameSchema, PersonaListenerStatusFrameSchema, PersonaListListenerChatsForTokenArgsSchema, PersonaListListenerChatsForTokenResponseSchema;
 var init_persona_schemas = __esm({
@@ -4505,6 +4666,7 @@ var init_schemas = __esm({
     "use strict";
     init_zod();
     init_events();
+    init_attachment_schemas();
     init_persona_schemas();
     SessionStatusSchema = external_exports.enum(SESSION_STATUS_VALUES);
     UsageSchema = external_exports.object({
@@ -5061,7 +5223,22 @@ var init_schemas = __esm({
       hostname: external_exports.string(),
       os: external_exports.string(),
       tools: external_exports.array(external_exports.object({ id: external_exports.string(), available: external_exports.boolean() })),
-      runningSessions: external_exports.array(InfoRunningSessionSchema)
+      runningSessions: external_exports.array(InfoRunningSessionSchema),
+      // ── file-sharing 会话身份回执（spec: superpowers/specs/2026-05-19-clawd-file-sharing-design.md §8） ──
+      // PR 1 阶段标 optional（daemon 还没下发，旧 daemon info 响应不带这五个字段）；
+      // PR 2 daemon 实现 single HTTP server + auth-context 后，daemon 必返这五个字段，
+      // 届时可考虑改成 required。spec §11 第 3 条："tokenRole 是协议字段，daemon 查 token
+      // 表后显式下发，UI 不自行推导"——所以 UI 一律读这里，禁止本地推导。
+      /** 'owner' = 拿到 owner-token 的连接（不限来源 IP）；'personal' = persona 派发的访客 token。来源 TOKEN_ROLES（spec §11 #1 中央真理源） */
+      tokenRole: external_exports.enum(TOKEN_ROLES).optional(),
+      /** tokenRole='personal' 时携带（绑定到具体 persona）；owner 不携带 */
+      tokenPersonaId: external_exports.string().min(1).optional(),
+      /** socket.remoteAddress 是否落在 127.0.0.1 / ::1；本期无 RPC 消费，保留协议槽位给未来 "Reveal in Finder" 等本机动作 */
+      isLoopback: external_exports.boolean().optional(),
+      /** UI 拼 file-sharing HTTP 路由的前缀（http(s)://host:port），不含尾斜杠；frpc 反代时返反代地址 */
+      httpBaseUrl: external_exports.string().optional(),
+      /** file-sharing HTTP 路由的 Authorization: Bearer token；与 WS token 解耦，HTTP 401 仅触发 ReAuth 不强踢 WS（spec §11 第 4 条） */
+      httpToken: external_exports.string().optional()
     });
   }
 });
@@ -5093,6 +5270,7 @@ var init_runtime = __esm({
     init_frames();
     init_persona_schemas();
     init_persona_mode();
+    init_attachment_schemas();
   }
 });
 
@@ -5367,8 +5545,8 @@ var require_req = __commonJS({
       if (req.originalUrl) {
         _req.url = req.originalUrl;
       } else {
-        const path28 = req.path;
-        _req.url = typeof path28 === "string" ? path28 : req.url ? req.url.path || req.url : void 0;
+        const path34 = req.path;
+        _req.url = typeof path34 === "string" ? path34 : req.url ? req.url.path || req.url : void 0;
       }
       if (req.query) {
         _req.query = req.query;
@@ -5533,14 +5711,14 @@ var require_redact = __commonJS({
       }
       return obj;
     }
-    function parsePath(path28) {
+    function parsePath(path34) {
       const parts = [];
       let current = "";
       let inBrackets = false;
       let inQuotes = false;
       let quoteChar = "";
-      for (let i = 0; i < path28.length; i++) {
-        const char = path28[i];
+      for (let i = 0; i < path34.length; i++) {
+        const char = path34[i];
         if (!inBrackets && char === ".") {
           if (current) {
             parts.push(current);
@@ -5671,10 +5849,10 @@ var require_redact = __commonJS({
       return current;
     }
     function redactPaths(obj, paths, censor, remove = false) {
-      for (const path28 of paths) {
-        const parts = parsePath(path28);
+      for (const path34 of paths) {
+        const parts = parsePath(path34);
         if (parts.includes("*")) {
-          redactWildcardPath(obj, parts, censor, path28, remove);
+          redactWildcardPath(obj, parts, censor, path34, remove);
         } else {
           if (remove) {
             removeKey(obj, parts);
@@ -5759,8 +5937,8 @@ var require_redact = __commonJS({
           }
         } else {
           if (afterWildcard.includes("*")) {
-            const wrappedCensor = typeof censor === "function" ? (value, path28) => {
-              const fullPath = [...pathArray.slice(0, pathLength), ...path28];
+            const wrappedCensor = typeof censor === "function" ? (value, path34) => {
+              const fullPath = [...pathArray.slice(0, pathLength), ...path34];
               return censor(value, fullPath);
             } : censor;
             redactWildcardPath(current, afterWildcard, wrappedCensor, originalPath, remove);
@@ -5795,8 +5973,8 @@ var require_redact = __commonJS({
         return null;
       }
       const pathStructure = /* @__PURE__ */ new Map();
-      for (const path28 of pathsToClone) {
-        const parts = parsePath(path28);
+      for (const path34 of pathsToClone) {
+        const parts = parsePath(path34);
         let current = pathStructure;
         for (let i = 0; i < parts.length; i++) {
           const part = parts[i];
@@ -5848,24 +6026,24 @@ var require_redact = __commonJS({
       }
       return cloneSelectively(obj, pathStructure);
     }
-    function validatePath(path28) {
-      if (typeof path28 !== "string") {
+    function validatePath(path34) {
+      if (typeof path34 !== "string") {
         throw new Error("Paths must be (non-empty) strings");
       }
-      if (path28 === "") {
+      if (path34 === "") {
         throw new Error("Invalid redaction path ()");
       }
-      if (path28.includes("..")) {
-        throw new Error(`Invalid redaction path (${path28})`);
+      if (path34.includes("..")) {
+        throw new Error(`Invalid redaction path (${path34})`);
       }
-      if (path28.includes(",")) {
-        throw new Error(`Invalid redaction path (${path28})`);
+      if (path34.includes(",")) {
+        throw new Error(`Invalid redaction path (${path34})`);
       }
       let bracketCount = 0;
       let inQuotes = false;
       let quoteChar = "";
-      for (let i = 0; i < path28.length; i++) {
-        const char = path28[i];
+      for (let i = 0; i < path34.length; i++) {
+        const char = path34[i];
         if ((char === '"' || char === "'") && bracketCount > 0) {
           if (!inQuotes) {
             inQuotes = true;
@@ -5879,20 +6057,20 @@ var require_redact = __commonJS({
         } else if (char === "]" && !inQuotes) {
           bracketCount--;
           if (bracketCount < 0) {
-            throw new Error(`Invalid redaction path (${path28})`);
+            throw new Error(`Invalid redaction path (${path34})`);
           }
         }
       }
       if (bracketCount !== 0) {
-        throw new Error(`Invalid redaction path (${path28})`);
+        throw new Error(`Invalid redaction path (${path34})`);
       }
     }
     function validatePaths(paths) {
       if (!Array.isArray(paths)) {
         throw new TypeError("paths must be an array");
       }
-      for (const path28 of paths) {
-        validatePath(path28);
+      for (const path34 of paths) {
+        validatePath(path34);
       }
     }
     function slowRedact(options = {}) {
@@ -6060,8 +6238,8 @@ var require_redaction = __commonJS({
         if (shape[k2] === null) {
           o[k2] = (value) => topCensor(value, [k2]);
         } else {
-          const wrappedCensor = typeof censor === "function" ? (value, path28) => {
-            return censor(value, [k2, ...path28]);
+          const wrappedCensor = typeof censor === "function" ? (value, path34) => {
+            return censor(value, [k2, ...path34]);
           } : censor;
           o[k2] = Redact({
             paths: shape[k2],
@@ -6279,10 +6457,10 @@ var require_atomic_sleep = __commonJS({
 var require_sonic_boom = __commonJS({
   "../node_modules/.pnpm/sonic-boom@4.2.1/node_modules/sonic-boom/index.js"(exports2, module2) {
     "use strict";
-    var fs26 = require("fs");
+    var fs31 = require("fs");
     var EventEmitter2 = require("events");
     var inherits = require("util").inherits;
-    var path28 = require("path");
+    var path34 = require("path");
     var sleep = require_atomic_sleep();
     var assert = require("assert");
     var BUSY_WRITE_TIMEOUT = 100;
@@ -6336,20 +6514,20 @@ var require_sonic_boom = __commonJS({
       const mode = sonic.mode;
       if (sonic.sync) {
         try {
-          if (sonic.mkdir) fs26.mkdirSync(path28.dirname(file), { recursive: true });
-          const fd = fs26.openSync(file, flags, mode);
+          if (sonic.mkdir) fs31.mkdirSync(path34.dirname(file), { recursive: true });
+          const fd = fs31.openSync(file, flags, mode);
           fileOpened(null, fd);
         } catch (err) {
           fileOpened(err);
           throw err;
         }
       } else if (sonic.mkdir) {
-        fs26.mkdir(path28.dirname(file), { recursive: true }, (err) => {
+        fs31.mkdir(path34.dirname(file), { recursive: true }, (err) => {
           if (err) return fileOpened(err);
-          fs26.open(file, flags, mode, fileOpened);
+          fs31.open(file, flags, mode, fileOpened);
         });
       } else {
-        fs26.open(file, flags, mode, fileOpened);
+        fs31.open(file, flags, mode, fileOpened);
       }
     }
     function SonicBoom(opts) {
@@ -6390,8 +6568,8 @@ var require_sonic_boom = __commonJS({
         this.flush = flushBuffer;
         this.flushSync = flushBufferSync;
         this._actualWrite = actualWriteBuffer;
-        fsWriteSync = () => fs26.writeSync(this.fd, this._writingBuf);
-        fsWrite = () => fs26.write(this.fd, this._writingBuf, this.release);
+        fsWriteSync = () => fs31.writeSync(this.fd, this._writingBuf);
+        fsWrite = () => fs31.write(this.fd, this._writingBuf, this.release);
       } else if (contentMode === void 0 || contentMode === kContentModeUtf8) {
         this._writingBuf = "";
         this.write = write;
@@ -6400,15 +6578,15 @@ var require_sonic_boom = __commonJS({
         this._actualWrite = actualWrite;
         fsWriteSync = () => {
           if (Buffer.isBuffer(this._writingBuf)) {
-            return fs26.writeSync(this.fd, this._writingBuf);
+            return fs31.writeSync(this.fd, this._writingBuf);
           }
-          return fs26.writeSync(this.fd, this._writingBuf, "utf8");
+          return fs31.writeSync(this.fd, this._writingBuf, "utf8");
         };
         fsWrite = () => {
           if (Buffer.isBuffer(this._writingBuf)) {
-            return fs26.write(this.fd, this._writingBuf, this.release);
+            return fs31.write(this.fd, this._writingBuf, this.release);
           }
-          return fs26.write(this.fd, this._writingBuf, "utf8", this.release);
+          return fs31.write(this.fd, this._writingBuf, "utf8", this.release);
         };
       } else {
         throw new Error(`SonicBoom supports "${kContentModeUtf8}" and "${kContentModeBuffer}", but passed ${contentMode}`);
@@ -6465,7 +6643,7 @@ var require_sonic_boom = __commonJS({
           }
         }
         if (this._fsync) {
-          fs26.fsyncSync(this.fd);
+          fs31.fsyncSync(this.fd);
         }
         const len = this._len;
         if (this._reopening) {
@@ -6579,7 +6757,7 @@ var require_sonic_boom = __commonJS({
       const onDrain = () => {
         if (!this._fsync) {
           try {
-            fs26.fsync(this.fd, (err) => {
+            fs31.fsync(this.fd, (err) => {
               this._flushPending = false;
               cb(err);
             });
@@ -6681,7 +6859,7 @@ var require_sonic_boom = __commonJS({
       const fd = this.fd;
       this.once("ready", () => {
         if (fd !== this.fd) {
-          fs26.close(fd, (err) => {
+          fs31.close(fd, (err) => {
             if (err) {
               return this.emit("error", err);
             }
@@ -6730,7 +6908,7 @@ var require_sonic_boom = __commonJS({
           buf = this._bufs[0];
         }
         try {
-          const n = Buffer.isBuffer(buf) ? fs26.writeSync(this.fd, buf) : fs26.writeSync(this.fd, buf, "utf8");
+          const n = Buffer.isBuffer(buf) ? fs31.writeSync(this.fd, buf) : fs31.writeSync(this.fd, buf, "utf8");
           const releasedBufObj = releaseWritingBuf(buf, this._len, n);
           buf = releasedBufObj.writingBuf;
           this._len = releasedBufObj.len;
@@ -6746,7 +6924,7 @@ var require_sonic_boom = __commonJS({
         }
       }
       try {
-        fs26.fsyncSync(this.fd);
+        fs31.fsyncSync(this.fd);
       } catch {
       }
     }
@@ -6767,7 +6945,7 @@ var require_sonic_boom = __commonJS({
           buf = mergeBuf(this._bufs[0], this._lens[0]);
         }
         try {
-          const n = fs26.writeSync(this.fd, buf);
+          const n = fs31.writeSync(this.fd, buf);
           buf = buf.subarray(n);
           this._len = Math.max(this._len - n, 0);
           if (buf.length <= 0) {
@@ -6795,13 +6973,13 @@ var require_sonic_boom = __commonJS({
       this._writingBuf = this._writingBuf.length ? this._writingBuf : this._bufs.shift() || "";
       if (this.sync) {
         try {
-          const written = Buffer.isBuffer(this._writingBuf) ? fs26.writeSync(this.fd, this._writingBuf) : fs26.writeSync(this.fd, this._writingBuf, "utf8");
+          const written = Buffer.isBuffer(this._writingBuf) ? fs31.writeSync(this.fd, this._writingBuf) : fs31.writeSync(this.fd, this._writingBuf, "utf8");
           release(null, written);
         } catch (err) {
           release(err);
         }
       } else {
-        fs26.write(this.fd, this._writingBuf, release);
+        fs31.write(this.fd, this._writingBuf, release);
       }
     }
     function actualWriteBuffer() {
@@ -6810,7 +6988,7 @@ var require_sonic_boom = __commonJS({
       this._writingBuf = this._writingBuf.length ? this._writingBuf : mergeBuf(this._bufs.shift(), this._lens.shift());
       if (this.sync) {
         try {
-          const written = fs26.writeSync(this.fd, this._writingBuf);
+          const written = fs31.writeSync(this.fd, this._writingBuf);
           release(null, written);
         } catch (err) {
           release(err);
@@ -6819,7 +6997,7 @@ var require_sonic_boom = __commonJS({
         if (kCopyBuffer) {
           this._writingBuf = Buffer.from(this._writingBuf);
         }
-        fs26.write(this.fd, this._writingBuf, release);
+        fs31.write(this.fd, this._writingBuf, release);
       }
     }
     function actualClose(sonic) {
@@ -6835,12 +7013,12 @@ var require_sonic_boom = __commonJS({
       sonic._lens = [];
       assert(typeof sonic.fd === "number", `sonic.fd must be a number, got ${typeof sonic.fd}`);
       try {
-        fs26.fsync(sonic.fd, closeWrapped);
+        fs31.fsync(sonic.fd, closeWrapped);
       } catch {
       }
       function closeWrapped() {
         if (sonic.fd !== 1 && sonic.fd !== 2) {
-          fs26.close(sonic.fd, done);
+          fs31.close(sonic.fd, done);
         } else {
           done();
         }
@@ -9975,11 +10153,11 @@ var init_lib = __esm({
           }
         }
       },
-      addToPath: function addToPath(path28, added, removed, oldPosInc, options) {
-        var last = path28.lastComponent;
+      addToPath: function addToPath(path34, added, removed, oldPosInc, options) {
+        var last = path34.lastComponent;
         if (last && !options.oneChangePerToken && last.added === added && last.removed === removed) {
           return {
-            oldPos: path28.oldPos + oldPosInc,
+            oldPos: path34.oldPos + oldPosInc,
             lastComponent: {
               count: last.count + 1,
               added,
@@ -9989,7 +10167,7 @@ var init_lib = __esm({
           };
         } else {
           return {
-            oldPos: path28.oldPos + oldPosInc,
+            oldPos: path34.oldPos + oldPosInc,
             lastComponent: {
               count: 1,
               added,
@@ -10420,10 +10598,10 @@ function attachmentToHistoryMessage(o, ts) {
     const memories = raw.map((m2) => {
       if (!m2 || typeof m2 !== "object") return null;
       const rec = m2;
-      const path28 = typeof rec.path === "string" ? rec.path : null;
+      const path34 = typeof rec.path === "string" ? rec.path : null;
       const content = typeof rec.content === "string" ? rec.content : null;
-      if (!path28 || content == null) return null;
-      const entry = { path: path28, content };
+      if (!path34 || content == null) return null;
+      const entry = { path: path34, content };
       if (typeof rec.mtimeMs === "number") entry.mtimeMs = rec.mtimeMs;
       return entry;
     }).filter((m2) => m2 !== null);
@@ -11227,10 +11405,10 @@ function parseAttachment(obj) {
     const memories = raw.map((m2) => {
       if (!m2 || typeof m2 !== "object") return null;
       const rec = m2;
-      const path28 = typeof rec.path === "string" ? rec.path : null;
+      const path34 = typeof rec.path === "string" ? rec.path : null;
       const content = typeof rec.content === "string" ? rec.content : null;
-      if (!path28 || content == null) return null;
-      const out = { path: path28, content };
+      if (!path34 || content == null) return null;
+      const out = { path: path34, content };
       if (typeof rec.mtimeMs === "number") out.mtimeMs = rec.mtimeMs;
       return out;
     }).filter((m2) => m2 !== null);
@@ -18725,7 +18903,7 @@ var require_websocket = __commonJS({
     "use strict";
     var EventEmitter2 = require("events");
     var https = require("https");
-    var http = require("http");
+    var http2 = require("http");
     var net = require("net");
     var tls = require("tls");
     var { randomBytes, createHash } = require("crypto");
@@ -19259,7 +19437,7 @@ var require_websocket = __commonJS({
       }
       const defaultPort = isSecure ? 443 : 80;
       const key = randomBytes(16).toString("base64");
-      const request = isSecure ? https.request : http.request;
+      const request = isSecure ? https.request : http2.request;
       const protocolSet = /* @__PURE__ */ new Set();
       let perMessageDeflate;
       opts.createConnection = opts.createConnection || (isSecure ? tlsConnect : netConnect);
@@ -19753,7 +19931,7 @@ var require_websocket_server = __commonJS({
   "../node_modules/.pnpm/ws@8.20.0/node_modules/ws/lib/websocket-server.js"(exports2, module2) {
     "use strict";
     var EventEmitter2 = require("events");
-    var http = require("http");
+    var http2 = require("http");
     var { Duplex } = require("stream");
     var { createHash } = require("crypto");
     var extension2 = require_extension();
@@ -19828,8 +20006,8 @@ var require_websocket_server = __commonJS({
           );
         }
         if (options.port != null) {
-          this._server = http.createServer((req, res) => {
-            const body = http.STATUS_CODES[426];
+          this._server = http2.createServer((req, res) => {
+            const body = http2.STATUS_CODES[426];
             res.writeHead(426, {
               "Content-Length": body.length,
               "Content-Type": "text/plain"
@@ -20116,7 +20294,7 @@ var require_websocket_server = __commonJS({
       this.destroy();
     }
     function abortHandshake(socket, code, message, headers) {
-      message = message || http.STATUS_CODES[code];
+      message = message || http2.STATUS_CODES[code];
       headers = {
         Connection: "close",
         "Content-Type": "text/html",
@@ -20125,7 +20303,7 @@ var require_websocket_server = __commonJS({
       };
       socket.once("finish", socket.destroy);
       socket.end(
-        `HTTP/1.1 ${code} ${http.STATUS_CODES[code]}\r
+        `HTTP/1.1 ${code} ${http2.STATUS_CODES[code]}\r
 ` + Object.keys(headers).map((h) => `${h}: ${headers[h]}`).join("\r\n") + "\r\n\r\n" + message
       );
     }
@@ -20144,7 +20322,7 @@ var require_websocket_server = __commonJS({
 // src/run-case/recorder.ts
 function startRunCaseRecorder(opts) {
   const now = opts.now ?? Date.now;
-  const dir = import_node_path24.default.dirname(opts.recordPath);
+  const dir = import_node_path30.default.dirname(opts.recordPath);
   let stream = null;
   let closing = false;
   let closedSettled = false;
@@ -20158,8 +20336,8 @@ function startRunCaseRecorder(opts) {
   });
   const ensureStream = () => {
     if (stream) return stream;
-    import_node_fs23.default.mkdirSync(dir, { recursive: true });
-    stream = import_node_fs23.default.createWriteStream(opts.recordPath, { flags: "a" });
+    import_node_fs28.default.mkdirSync(dir, { recursive: true });
+    stream = import_node_fs28.default.createWriteStream(opts.recordPath, { flags: "a" });
     stream.on("close", () => closedResolve());
     return stream;
   };
@@ -20184,12 +20362,12 @@ function startRunCaseRecorder(opts) {
   };
   return { tap, close, closed };
 }
-var import_node_fs23, import_node_path24;
+var import_node_fs28, import_node_path30;
 var init_recorder = __esm({
   "src/run-case/recorder.ts"() {
     "use strict";
-    import_node_fs23 = __toESM(require("fs"), 1);
-    import_node_path24 = __toESM(require("path"), 1);
+    import_node_fs28 = __toESM(require("fs"), 1);
+    import_node_path30 = __toESM(require("path"), 1);
   }
 });
 
@@ -20232,7 +20410,7 @@ var init_wire = __esm({
 // src/run-case/controller.ts
 async function runController(opts) {
   const now = opts.now ?? Date.now;
-  const cwd = opts.cwd ?? (0, import_node_fs24.mkdtempSync)(import_node_path25.default.join(import_node_os15.default.tmpdir(), "clawd-runcase-"));
+  const cwd = opts.cwd ?? (0, import_node_fs29.mkdtempSync)(import_node_path31.default.join(import_node_os15.default.tmpdir(), "clawd-runcase-"));
   const ownsCwd = opts.cwd === void 0;
   const recorder = startRunCaseRecorder({ recordPath: opts.record, now });
   const spawnCtx = { cwd };
@@ -20393,19 +20571,19 @@ async function runController(opts) {
   if (sigintHandler) process.off("SIGINT", sigintHandler);
   if (ownsCwd) {
     try {
-      (0, import_node_fs24.rmSync)(cwd, { recursive: true, force: true });
+      (0, import_node_fs29.rmSync)(cwd, { recursive: true, force: true });
     } catch {
     }
   }
   return exitCode ?? 0;
 }
-var import_node_fs24, import_node_os15, import_node_path25;
+var import_node_fs29, import_node_os15, import_node_path31;
 var init_controller = __esm({
   "src/run-case/controller.ts"() {
     "use strict";
-    import_node_fs24 = require("fs");
+    import_node_fs29 = require("fs");
     import_node_os15 = __toESM(require("os"), 1);
-    import_node_path25 = __toESM(require("path"), 1);
+    import_node_path31 = __toESM(require("path"), 1);
     init_claude();
     init_stdout_splitter();
     init_permission_stdio();
@@ -20637,8 +20815,8 @@ Env (advanced):
 `;
 
 // src/index.ts
-var import_node_path23 = __toESM(require("path"), 1);
-var import_node_fs22 = __toESM(require("fs"), 1);
+var import_node_path29 = __toESM(require("path"), 1);
+var import_node_fs27 = __toESM(require("fs"), 1);
 
 // src/logger.ts
 var import_node_fs2 = __toESM(require("fs"), 1);
@@ -21630,6 +21808,11 @@ var SessionRunner = class {
   // sub-session idle-kill timer ref；key = sessionId（实际同一 runner 只对应一个 session，
   // 但 reducer Effect schema 带 sessionId 作为唯一键，对齐 schedule/cancel 配对）
   idleKillTimers = /* @__PURE__ */ new Map();
+  // file-sharing 待配对的 file-edit tool_use（spec §6 PR 3）：在同一 session 流里
+  // tool_use（kind='tool_call'）与 tool_result 通过 toolUseId 配对。tool_use 提前到，
+  // 等 tool_result 来时反查 path 调 onFileEdit。条目 in-flight 期间很少（个位数），
+  // 不需要 LRU；session 退出时整个 runner 销毁自然清理。
+  pendingFileEdits = /* @__PURE__ */ new Map();
   getState() {
     return this.state;
   }
@@ -21638,7 +21821,13 @@ var SessionRunner = class {
     const personaStore = this.hooks.personaStore;
     const adapter = this.hooks.adapter;
     const deps = {
-      parseLine: (l) => adapter.parseLine(l),
+      // file-sharing (spec §6 PR 3)：在 stdout-line 解析时同步观察 file-edit 工具事件，
+      // 配对 tool_use ↔ tool_result 调 onFileEdit。原 reducer 路径不变。
+      parseLine: (l) => {
+        const events = adapter.parseLine(l);
+        if (this.hooks.onFileEdit) this.observeForFileEdit(events);
+        return events;
+      },
       // persona mention injection 在 deps 装配处包一层，对 reducer 完全透明。
       // 命中 mention 时拆成两条 stdin 帧（先 system-reminder 块、后 user 原文）：
       //   - CC stream-json 按行处理，落盘是两条独立 user message；
@@ -21706,8 +21895,54 @@ var SessionRunner = class {
   // reducer 的 batch dedup 按 events[0].uuid 整组处理，避免跨路径重复。
   feedObserverEvents(events) {
     if (events.length === 0) return;
+    if (this.hooks.onFileEdit) this.observeForFileEdit(events);
     this.input({ kind: "inject-events", events });
   }
+  /**
+   * file-sharing tool_use ↔ tool_result 配对（spec §6 PR 3）。
+   *
+   * 1) tool_call kind + tool ∈ FILE_EDIT_TOOLS → cache toolUseId → { tool, relPath }
+   *    relPath 从 input 里取（Write/Edit/MultiEdit 是 file_path，NotebookEdit 是 notebook_path）。
+   * 2) tool_result kind + cache 命中 + 非 error → 调 onFileEdit + 删 cache
+   * 3) tool_result kind + cache 命中 + 是 error → 删 cache，不调（spec 只要"成功"才入清单）
+   * 4) tool_call 但 input 没有 path → 不 cache（防御）
+   *
+   * 不破坏 reducer 路径——纯只读扫描 events 数组。
+   */
+  observeForFileEdit(events) {
+    const cb = this.hooks.onFileEdit;
+    if (!cb) return;
+    for (const ev of events) {
+      if (ev.kind === "tool_call") {
+        const tool = ev.tool;
+        if (!isFileEditTool(tool)) continue;
+        const relPath = extractEditPath(ev.input);
+        if (!relPath) continue;
+        this.pendingFileEdits.set(ev.toolUseId, {
+          tool,
+          relPath
+        });
+      } else if (ev.kind === "tool_result") {
+        const pending = this.pendingFileEdits.get(ev.toolUseId);
+        if (!pending) continue;
+        this.pendingFileEdits.delete(ev.toolUseId);
+        if (ev.error != null) continue;
+        try {
+          cb({
+            toolUseId: ev.toolUseId,
+            tool: pending.tool,
+            relPath: pending.relPath,
+            cwd: this.state.file.cwd
+          });
+        } catch (err) {
+          this.hooks.logger?.warn("onFileEdit hook threw", {
+            err: err.message,
+            sessionId: this.state.file.sessionId
+          });
+        }
+      }
+    }
+  }
   // 向子进程 stdin 写一条 CC IPC `control_request` 并返回 Promise<response>
   // —— CC 侧会异步回写匹配 request_id 的 `control_response` 帧，
   // 在 stdout 行处理入口被 tryHandleControlResponse 拦截并 resolve pending
@@ -21897,6 +22132,15 @@ var SessionRunner = class {
     }
   }
 };
+function isFileEditTool(name) {
+  return name === "Write" || name === "Edit" || name === "MultiEdit" || name === "NotebookEdit";
+}
+function extractEditPath(input) {
+  if (!input || typeof input !== "object") return null;
+  const o = input;
+  const candidate = typeof o.file_path === "string" && o.file_path || typeof o.notebook_path === "string" && o.notebook_path || typeof o.path === "string" && o.path || null;
+  return candidate || null;
+}
 
 // src/session/manager.ts
 function compressFrameForWire(frame) {
@@ -21953,16 +22197,6 @@ function nowIso2(deps) {
 function newSessionId() {
   return v4_default().replace(/-/g, "").slice(0, 16);
 }
-function derivePersonaSpawnCwd(file, personaRoot) {
-  const personaId = file.ownerPersonaId;
-  if (!personaId) return file.cwd;
-  if (!personaRoot) {
-    throw new Error(
-      `derivePersonaSpawnCwd: personaRoot missing for owner session ${file.sessionId} (ownerPersonaId=${personaId})`
-    );
-  }
-  return import_node_path6.default.join(personaRoot, safeFileName(personaId));
-}
 function makeInitialState(file, subSessionMeta) {
   return {
     file,
@@ -22121,24 +22355,7 @@ var SessionManager = class {
     const adapter = this.deps.getAdapter(file.tool ?? "claude");
     const store = this.storeFor(scope);
     const subSessionMeta = metaFromScope(scope, this.deps.personaRoot ?? "");
-    const correctedCwd = derivePersonaSpawnCwd(file, this.deps.personaRoot);
-    if (correctedCwd !== file.cwd) {
-      this.deps.logger?.warn("owner session cwd drifted from persona dir; auto-correcting", {
-        sessionId: file.sessionId,
-        ownerPersonaId: file.ownerPersonaId,
-        stale: file.cwd,
-        corrected: correctedCwd
-      });
-      file = { ...file, cwd: correctedCwd, updatedAt: nowIso2(this.deps) };
-      try {
-        store.write(file);
-      } catch (err) {
-        this.deps.logger?.warn("failed to persist auto-corrected owner cwd", {
-          sessionId: file.sessionId,
-          error: err.message
-        });
-      }
-    }
+    const attachmentGroup = this.deps.attachmentGroup;
     const runner = new SessionRunner(makeInitialState(file, subSessionMeta), {
       broadcastFrame: (frame, target) => this.routeFromRunner(frame, target),
       store,
@@ -22151,7 +22368,15 @@ var SessionManager = class {
       resolveContextWindow: (tool, modelId) => this.deps.getAdapter(tool).resolveContextWindow(modelId),
       dataDir: this.deps.dataDir,
       personaStore: this.deps.personaStore,
-      ownerDisplayName: this.deps.ownerDisplayName
+      ownerDisplayName: this.deps.ownerDisplayName,
+      // file-sharing (spec §6 PR 3)：闭包 scope + sessionId，runner 只暴露 tool/relPath/cwd
+      onFileEdit: attachmentGroup ? (input) => attachmentGroup.onFileEdit({
+        scope,
+        sessionId: file.sessionId,
+        tool: input.tool,
+        relPath: input.relPath,
+        cwd: input.cwd
+      }) : void 0
     });
     if (this.deps.mode === "tui" && !file.toolSessionId) {
       const newTsid = v4_default();
@@ -22239,22 +22464,14 @@ var SessionManager = class {
   }
   // ---- 命令方法：均返回 { response, broadcast[] }，由 dispatcher 聚合 ----
   create(args) {
-    let cwd;
-    if (args.ownerPersonaId) {
-      cwd = derivePersonaSpawnCwd(
-        {
-          sessionId: "",
-          cwd: args.cwd ?? "",
-          tool: "claude",
-          ownerPersonaId: args.ownerPersonaId,
-          createdAt: "",
-          updatedAt: ""
-        },
-        this.deps.personaRoot
-      );
-    } else if (args.cwd) {
-      cwd = args.cwd;
-    } else {
+    let cwd = args.cwd;
+    if (args.ownerPersonaId && !cwd) {
+      if (!this.deps.personaRoot) {
+        throw new Error("personaRoot required to derive cwd from ownerPersonaId");
+      }
+      cwd = import_node_path6.default.join(this.deps.personaRoot, safeFileName(args.ownerPersonaId));
+    }
+    if (!cwd) {
       throw new ClawdError(ERROR_CODES.INVALID_CWD, "cwd required when ownerPersonaId is absent");
     }
     try {
@@ -23310,6 +23527,21 @@ var PersonaRegistry = class {
     if (entry.revoked) return { ok: false, code: "TOKEN_REVOKED" };
     return { ok: true, label: entry.label };
   }
+  /**
+   * file-sharing HTTP auth-context 用的逆向查表：只有 Bearer token，没有 personaId。
+   * 线性扫所有 persona.tokenMap 找到第一条 ok 命中的；revoked / non-public persona 跳过。
+   * persona 数量通常 < 100，性能可忽略。
+   */
+  findByToken(token) {
+    if (!token) return null;
+    for (const persona of this.cache.values()) {
+      if (!persona.public) continue;
+      const entry = persona.tokenMap[token];
+      if (!entry || entry.revoked) continue;
+      return { personaId: persona.personaId, label: entry.label };
+    }
+    return null;
+  }
 };
 
 // src/persona/manager.ts
@@ -25251,6 +25483,7 @@ var import_websocket = __toESM(require_websocket(), 1);
 var import_websocket_server = __toESM(require_websocket_server(), 1);
 
 // src/transport/local-ws-server.ts
+var import_node_http = __toESM(require("http"), 1);
 var PERSONA_PATH_RE = /^\/personas\/([a-zA-Z0-9._-]+)$/;
 var LocalWsServer = class {
   constructor(opts) {
@@ -25260,6 +25493,7 @@ var LocalWsServer = class {
   }
   opts;
   wss = null;
+  httpServer = null;
   frameHandler = null;
   clients = /* @__PURE__ */ new Map();
   logger;
@@ -25267,25 +25501,28 @@ var LocalWsServer = class {
   async start() {
     const host = this.opts.host ?? "127.0.0.1";
     await new Promise((resolve2, reject) => {
-      const wss = new import_websocket_server.default({
-        host,
-        port: this.opts.port,
-        clientTracking: true
+      const httpServer = import_node_http.default.createServer((req, res) => this.handleHttpRequest(req, res));
+      const wss = new import_websocket_server.default({ noServer: true, clientTracking: true });
+      httpServer.on("upgrade", (req, socket, head) => {
+        wss.handleUpgrade(req, socket, head, (ws) => {
+          this.routeConnection(ws, req);
+        });
       });
-      wss.on("listening", () => {
+      httpServer.on("listening", () => {
         this.logger?.info("ws listening", { host, port: this.opts.port });
         resolve2();
       });
-      wss.on("error", (err) => {
+      httpServer.on("error", (err) => {
         this.logger?.error("ws server error", { err: err.message });
         reject(err);
       });
-      wss.on("connection", (socket, req) => this.routeConnection(socket, req));
+      httpServer.listen(this.opts.port, host);
+      this.httpServer = httpServer;
       this.wss = wss;
     });
   }
   async stop() {
-    if (!this.wss) return;
+    if (!this.httpServer) return;
     for (const c of this.clients.values()) {
       try {
         c.ws.close(1001, "shutdown");
@@ -25297,7 +25534,32 @@ var LocalWsServer = class {
     await new Promise((resolve2) => {
       this.wss?.close(() => resolve2());
     });
+    await new Promise((resolve2) => {
+      this.httpServer?.close(() => resolve2());
+    });
     this.wss = null;
+    this.httpServer = null;
+  }
+  /** http.createServer 'request' 入口：file-sharing 路由优先，未命中走 404 */
+  async handleHttpRequest(req, res) {
+    const handler = this.opts.httpRequestHandler;
+    if (handler) {
+      try {
+        const handled = await handler(req, res);
+        if (handled) return;
+      } catch (err) {
+        this.logger?.warn("http handler threw", { err: err.message });
+        if (!res.headersSent) {
+          res.writeHead(500, { "Content-Type": "application/json; charset=utf-8" });
+          res.end(JSON.stringify({ code: "INTERNAL", message: "http handler error" }));
+        }
+        return;
+      }
+    }
+    if (!res.headersSent) {
+      res.writeHead(404, { "Content-Type": "application/json; charset=utf-8" });
+      res.end(JSON.stringify({ code: "NOT_FOUND", message: "no route" }));
+    }
   }
   onFrame(handler) {
     this.frameHandler = handler;
@@ -25399,7 +25661,7 @@ var LocalWsServer = class {
     }
     try {
       if (authed) {
-        const readyFrame = this.opts.readyFrameBuilder();
+        const readyFrame = this.opts.readyFrameBuilder({ remoteAddress });
         this.safeSend(socket, { type: "ready", ...readyFrame });
       } else {
         this.safeSend(socket, { type: "ready", protocolVersion: this.opts.protocolVersion });
@@ -25436,7 +25698,7 @@ var LocalWsServer = class {
       if (verdict !== "pass") {
         if (!wasAuthed && authGate.isAuthed(client.id)) {
           try {
-            const full = this.opts.readyFrameBuilder();
+            const full = this.opts.readyFrameBuilder({ remoteAddress });
             this.safeSend(this.clients.get(client.id).ws, { type: "ready", ...full });
           } catch (err) {
             this.logger?.warn("post-auth ready frame build failed", { err: err.message });
@@ -26033,128 +26295,1049 @@ function isLocalhost(addr) {
   return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
 }
 
-// src/discovery/state-file.ts
-var import_node_fs13 = __toESM(require("fs"), 1);
-var import_node_path14 = __toESM(require("path"), 1);
-function defaultStateFilePath(dataDir) {
-  return import_node_path14.default.join(dataDir, "state.json");
-}
-function isPidAlive(pid) {
-  if (!Number.isFinite(pid) || pid <= 0) return false;
-  try {
-    process.kill(pid, 0);
-    return true;
-  } catch (err) {
-    const code = err.code;
-    return code === "EPERM";
+// src/transport/auth-context.ts
+var AuthContextResolver = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  opts;
+  /**
+   * 从 `Authorization` 头解析。null = 无凭证 / 不识别 / revoked，调用方一律 401。
+   * remoteAddress 用于 isLoopback 判定（loopback = 127.0.0.1 / ::1 / ::ffff:127.0.0.1）。
+   */
+  resolveFromHeader(authHeader, remoteAddress) {
+    const token = parseBearer(authHeader);
+    if (!token) return null;
+    const isLoopback = isLoopbackAddr(remoteAddress);
+    if (this.opts.ownerToken && constantTimeEqual2(token, this.opts.ownerToken)) {
+      return { role: "owner", isLoopback };
+    }
+    const personalHit = this.opts.personaRegistry.findByToken(token);
+    if (personalHit) {
+      return {
+        role: "personal",
+        personaId: personalHit.personaId,
+        label: personalHit.label,
+        isLoopback
+      };
+    }
+    return null;
   }
+};
+function parseBearer(header) {
+  if (!header) return null;
+  const raw = Array.isArray(header) ? header[0] : header;
+  if (typeof raw !== "string") return null;
+  const m2 = /^Bearer\s+(\S+)$/i.exec(raw.trim());
+  return m2 ? m2[1] : null;
 }
-var StateFileManager = class {
-  file;
+function isLoopbackAddr(addr) {
+  if (!addr) return false;
+  return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
+}
+function constantTimeEqual2(a, b2) {
+  if (a.length !== b2.length) return false;
+  let diff2 = 0;
+  for (let i = 0; i < a.length; i++) diff2 |= a.charCodeAt(i) ^ b2.charCodeAt(i);
+  return diff2 === 0;
+}
+
+// src/transport/http-router.ts
+var import_node_fs15 = __toESM(require("fs"), 1);
+var import_node_path17 = __toESM(require("path"), 1);
+
+// src/attachment/group.ts
+var import_node_fs13 = __toESM(require("fs"), 1);
+var import_node_path14 = __toESM(require("path"), 1);
+var import_node_crypto4 = __toESM(require("crypto"), 1);
+init_protocol();
+var GroupFileStore = class {
+  dataDir;
+  logger;
+  cache = /* @__PURE__ */ new Map();
   constructor(opts) {
-    this.file = defaultStateFilePath(opts.dataDir);
+    this.dataDir = opts.dataDir;
+    this.logger = opts.logger;
   }
-  filePath() {
-    return this.file;
+  rootForScope(scope) {
+    return import_node_path14.default.join(this.dataDir, "sessions", ...scopeSubPath(scope).map(safeFileName));
   }
-  read() {
+  /** 与 SessionStore.filePath 平级，扩展名 .group-files.json */
+  filePath(scope, sessionId) {
+    return import_node_path14.default.join(this.rootForScope(scope), `${safeFileName(sessionId)}.group-files.json`);
+  }
+  cacheKey(scope, sessionId) {
+    return scope.kind === "default" ? `default::${sessionId}` : `persona:${scope.personaId}:${scope.mode}::${sessionId}`;
+  }
+  /** 从磁盘读一份；不存在 → 空数组；schema 不匹配的条目 → 跳过（防腐） */
+  readFile(scope, sessionId) {
+    const file = this.filePath(scope, sessionId);
     try {
-      const raw = import_node_fs13.default.readFileSync(this.file, "utf8");
+      const raw = import_node_fs13.default.readFileSync(file, "utf8");
       const parsed = JSON.parse(raw);
-      return parsed;
-    } catch {
-      return null;
+      if (!Array.isArray(parsed)) {
+        this.logger?.warn("GroupFileStore.readFile: not an array; resetting session entries", {
+          file
+        });
+        return [];
+      }
+      const out = [];
+      for (const entry of parsed) {
+        const r = GroupFileEntrySchema.safeParse(entry);
+        if (r.success) out.push(r.data);
+      }
+      return out;
+    } catch (err) {
+      const code = err?.code;
+      if (code === "ENOENT") return [];
+      this.logger?.warn("GroupFileStore.readFile failed", {
+        file,
+        err: err.message
+      });
+      return [];
     }
   }
-  preflight() {
-    const existing = this.read();
-    if (!existing) return { status: "ok" };
-    if (isPidAlive(existing.pid)) return { status: "active", existing };
-    return { status: "stale", existing };
+  writeFile(scope, sessionId, entries) {
+    const file = this.filePath(scope, sessionId);
+    import_node_fs13.default.mkdirSync(import_node_path14.default.dirname(file), { recursive: true });
+    const tmp = `${file}.tmp-${process.pid}-${Date.now()}`;
+    import_node_fs13.default.writeFileSync(tmp, JSON.stringify(entries, null, 2), { mode: 384 });
+    import_node_fs13.default.renameSync(tmp, file);
   }
-  write(state) {
-    import_node_fs13.default.mkdirSync(import_node_path14.default.dirname(this.file), { recursive: true });
-    const tmp = `${this.file}.tmp.${process.pid}.${Date.now()}`;
-    import_node_fs13.default.writeFileSync(tmp, JSON.stringify(state, null, 2), { mode: 384 });
-    import_node_fs13.default.renameSync(tmp, this.file);
-    if (process.platform !== "win32") {
-      try {
-        import_node_fs13.default.chmodSync(this.file, 384);
-      } catch {
-      }
-    }
+  /** 拉一份当前 session 的清单。读盘 → cache；之后调用复用 cache */
+  list(scope, sessionId) {
+    const key = this.cacheKey(scope, sessionId);
+    const cached = this.cache.get(key);
+    if (cached) return cached.entries;
+    const entries = this.readFile(scope, sessionId);
+    this.cache.set(key, { entries, scope });
+    return entries;
   }
-  delete() {
-    try {
-      import_node_fs13.default.unlinkSync(this.file);
-    } catch {
+  /**
+   * upsert：
+   *   - 同 relPath 已存在 → 更新 lastEditedAt + clear stale；不动 from / addedAt / id
+   *     （保留首次入群人 / 入群时刻）
+   *   - 不存在 → append，id 派生稳定 uuid，addedAt = now
+   *
+   * 返回最新 entry（caller 可用来 broadcast 通知）。
+   */
+  upsert(scope, sessionId, input, now = Date.now()) {
+    const entries = this.list(scope, sessionId).slice();
+    const idx = entries.findIndex((e) => e.relPath === input.relPath);
+    let next;
+    if (idx >= 0) {
+      const prev = entries[idx];
+      next = {
+        ...prev,
+        size: input.size,
+        mime: input.mime,
+        lastEditedAt: now,
+        stale: false
+        // addedBy / label 不在 upsert 路径覆盖（owner +Add 走另一条路径）
+      };
+      entries[idx] = next;
+    } else {
+      next = {
+        id: `gf-${import_node_crypto4.default.randomBytes(6).toString("base64url")}`,
+        relPath: input.relPath,
+        from: input.from,
+        addedBy: input.addedBy,
+        label: input.label,
+        size: input.size,
+        mime: input.mime,
+        addedAt: now
+        // agent / inbox 第一次 upsert 时不写 lastEditedAt（语义上 = 首次"编辑" = addedAt）
+      };
+      entries.push(next);
     }
+    this.writeFile(scope, sessionId, entries);
+    this.cache.set(this.cacheKey(scope, sessionId), { entries, scope });
+    return next;
   }
-};
-
-// src/tunnel/tunnel-manager.ts
-var import_node_fs17 = __toESM(require("fs"), 1);
-var import_node_path18 = __toESM(require("path"), 1);
-var import_node_crypto4 = __toESM(require("crypto"), 1);
-var import_node_child_process5 = require("child_process");
-
-// src/tunnel/tunnel-store.ts
-var import_node_fs14 = __toESM(require("fs"), 1);
-var import_node_path15 = __toESM(require("path"), 1);
-var TunnelStore = class {
-  constructor(filePath) {
-    this.filePath = filePath;
+  /**
+   * 标记一个 relPath stale（agent rm / mv 后文件不在）。
+   * - 命中 → stale=true，UI 灰显
+   * - 未命中 → noop（不需要为不在群里的文件创建 stale 条目）
+   *
+   * 注：spec §6 "Bash 命令是 rm 形态"启发式不强求 — runner 暂不调，留给后续优化
+   */
+  markStale(scope, sessionId, relPath) {
+    const entries = this.list(scope, sessionId).slice();
+    const idx = entries.findIndex((e) => e.relPath === relPath);
+    if (idx < 0) return;
+    if (entries[idx].stale) return;
+    entries[idx] = { ...entries[idx], stale: true };
+    this.writeFile(scope, sessionId, entries);
+    this.cache.set(this.cacheKey(scope, sessionId), { entries, scope });
   }
-  filePath;
-  async get() {
-    try {
-      const raw = await import_node_fs14.default.promises.readFile(this.filePath, "utf8");
-      const obj = JSON.parse(raw);
-      if (!isPersistedTunnel(obj)) return null;
-      return obj;
-    } catch (err) {
-      const code = err?.code;
-      if (code === "ENOENT") return null;
-      return null;
-    }
+  /**
+   * 真删一条群文件条目（用于 owner 撤销自己 +Add 的入群操作）。
+   * agent / inbox 自动入群的不应走这条 —— 用 markStale 表达"文件不在了"语义；
+   * owner 手动加错了，应该能彻底从列表移除而不是留个 stale 占位。
+   *
+   * 返回值：true=命中并删除；false=relPath 不在群里。
+   */
+  remove(scope, sessionId, relPath) {
+    const entries = this.list(scope, sessionId).slice();
+    const idx = entries.findIndex((e) => e.relPath === relPath);
+    if (idx < 0) return false;
+    entries.splice(idx, 1);
+    this.writeFile(scope, sessionId, entries);
+    this.cache.set(this.cacheKey(scope, sessionId), { entries, scope });
+    return true;
   }
-  async set(v2) {
-    const dir = import_node_path15.default.dirname(this.filePath);
-    await import_node_fs14.default.promises.mkdir(dir, { recursive: true });
-    const data = JSON.stringify(v2, null, 2);
-    const tmp = `${this.filePath}.tmp.${process.pid}.${Date.now()}`;
-    await import_node_fs14.default.promises.writeFile(tmp, data, { mode: 384 });
-    if (process.platform !== "win32") {
+  /**
+   * 跨 session 聚合查询（spec §4 HTTP ACL：personal 视野并集）。
+   *
+   * 扫 <dataDir>/sessions/<personaId>/owner/*.group-files.json 和
+   * <dataDir>/sessions/<personaId>/listener/*.group-files.json，每文件读一份。
+   *
+   * 复杂度 O(N sessions × N entries)，N 通常 < 100，可接受。
+   */
+  listByPersona(personaId) {
+    const out = [];
+    for (const mode of ["owner", "listener"]) {
+      const scope = { kind: "persona", personaId, mode };
+      const root = this.rootForScope(scope);
+      let names;
       try {
-        await import_node_fs14.default.promises.chmod(tmp, 384);
-      } catch {
+        names = import_node_fs13.default.readdirSync(root);
+      } catch (err) {
+        const code = err?.code;
+        if (code === "ENOENT") continue;
+        continue;
+      }
+      for (const name of names) {
+        if (!name.endsWith(".group-files.json")) continue;
+        const sessionId = name.slice(0, -".group-files.json".length);
+        if (!sessionId) continue;
+        const entries = this.list(scope, sessionId);
+        out.push({ sessionId, entries });
       }
     }
-    await import_node_fs14.default.promises.rename(tmp, this.filePath);
+    return out;
   }
-  async clear() {
-    try {
-      await import_node_fs14.default.promises.unlink(this.filePath);
-    } catch (err) {
-      const code = err?.code;
-      if (code !== "ENOENT") throw err;
+};
+function personalViewable(groupStore, personaDir, personaId, absPath) {
+  const realTarget = safeRealpath(absPath);
+  if (!realTarget) {
+    return false;
+  }
+  const personasUnion = groupStore.listByPersona(personaId);
+  for (const { entries } of personasUnion) {
+    for (const e of entries) {
+      if (e.stale) continue;
+      const realEntry = safeRealpath(import_node_path14.default.join(personaDir, e.relPath));
+      if (realEntry && realEntry === realTarget) return true;
     }
   }
-};
-function isPersistedTunnel(o) {
-  if (!o || typeof o !== "object") return false;
-  const r = o;
-  return typeof r.subdomain === "string" && typeof r.frpsHost === "string" && typeof r.frpsPort === "number" && typeof r.frpsToken === "string" && typeof r.url === "string" && typeof r.registeredAt === "string";
+  return false;
 }
-
-// src/tunnel/register-client.ts
-var TunnelRegisterError = class extends Error {
-  constructor(message, cause) {
-    super(message);
-    this.cause = cause;
-    this.name = "TunnelRegisterError";
+function safeRealpath(p2) {
+  try {
+    return import_node_fs13.default.realpathSync(p2);
+  } catch {
+    return null;
   }
-  cause;
+}
+
+// src/attachment/mime.ts
+var import_node_path15 = __toESM(require("path"), 1);
+var EXT_TO_MIME = {
+  ".md": "text/markdown",
+  ".markdown": "text/markdown",
+  ".txt": "text/plain",
+  ".log": "text/plain",
+  ".json": "application/json",
+  ".html": "text/html",
+  ".htm": "text/html",
+  ".css": "text/css",
+  ".js": "application/javascript",
+  ".ts": "application/typescript",
+  ".tsx": "application/typescript",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".jpeg": "image/jpeg",
+  ".gif": "image/gif",
+  ".webp": "image/webp",
+  ".svg": "image/svg+xml",
+  ".pdf": "application/pdf",
+  ".mp4": "video/mp4",
+  ".webm": "video/webm",
+  ".mp3": "audio/mpeg",
+  ".wav": "audio/wav",
+  ".zip": "application/zip",
+  ".gz": "application/gzip",
+  ".tar": "application/x-tar",
+  ".csv": "text/csv",
+  ".xml": "application/xml",
+  ".yaml": "application/yaml",
+  ".yml": "application/yaml"
+};
+function lookupMime(filePathOrName) {
+  const ext = import_node_path15.default.extname(filePathOrName).toLowerCase();
+  return EXT_TO_MIME[ext] ?? "application/octet-stream";
+}
+
+// src/attachment/inbox.ts
+var import_node_fs14 = __toESM(require("fs"), 1);
+var import_node_path16 = __toESM(require("path"), 1);
+var import_node_crypto5 = __toESM(require("crypto"), 1);
+var DEFAULT_MAX_BYTES = 10 * 1024 * 1024;
+async function handlePersonaInbox(req, args, deps) {
+  const filename = readFilenameFromUrl(req.url);
+  if (!filename) throw httpErr(400, "INVALID_PARAM", "missing ?name= query");
+  const safeName = sanitizeFilename(filename);
+  const mime = lookupMime(safeName);
+  if (deps.isAllowedMime && !deps.isAllowedMime(mime)) {
+    throw httpErr(415, "UNSUPPORTED_MEDIA", `mime ${mime} not allowed`);
+  }
+  const inboxDir = import_node_path16.default.join(args.personaDir, "_inbox");
+  import_node_fs14.default.mkdirSync(inboxDir, { recursive: true });
+  const sha = import_node_crypto5.default.randomBytes(6).toString("hex");
+  const fileName = `${sha}-${safeName}`;
+  const absPath = import_node_path16.default.join(inboxDir, fileName);
+  const size = await streamBodyToFile(req, absPath, deps.maxBytes ?? DEFAULT_MAX_BYTES);
+  const relPath = `_inbox/${fileName}`;
+  deps.groupFileStore.upsert(args.scope, args.sessionId, {
+    relPath,
+    from: args.from,
+    addedBy: args.addedBy,
+    size,
+    mime
+  });
+  return { relPath, size, mime };
+}
+async function handleSessionInbox(req, args, deps) {
+  const filename = readFilenameFromUrl(req.url);
+  if (!filename) throw httpErr(400, "INVALID_PARAM", "missing ?name= query");
+  const safeName = sanitizeFilename(filename);
+  const mime = lookupMime(safeName);
+  if (deps.isAllowedMime && !deps.isAllowedMime(mime)) {
+    throw httpErr(415, "UNSUPPORTED_MEDIA", `mime ${mime} not allowed`);
+  }
+  const inboxDir = import_node_path16.default.join(args.sessionCwd, "_inbox");
+  import_node_fs14.default.mkdirSync(inboxDir, { recursive: true });
+  const sha = import_node_crypto5.default.randomBytes(6).toString("hex");
+  const fileName = `${sha}-${safeName}`;
+  const absPath = import_node_path16.default.join(inboxDir, fileName);
+  const size = await streamBodyToFile(req, absPath, deps.maxBytes ?? DEFAULT_MAX_BYTES);
+  const relPath = `_inbox/${fileName}`;
+  deps.groupFileStore.upsert(args.scope, args.sessionId, {
+    relPath,
+    from: "owner",
+    size,
+    mime
+  });
+  return { relPath, size, mime };
+}
+function streamBodyToFile(req, absPath, maxBytes) {
+  return new Promise((resolve2, reject) => {
+    let received = 0;
+    const tmp = `${absPath}.tmp-${process.pid}-${Date.now()}`;
+    const stream = import_node_fs14.default.createWriteStream(tmp, { mode: 384 });
+    req.on("data", (chunk) => {
+      received += chunk.length;
+      if (received > maxBytes) {
+        stream.destroy();
+        try {
+          import_node_fs14.default.unlinkSync(tmp);
+        } catch {
+        }
+        reject(httpErr(413, "TOO_LARGE", `upload exceeds ${maxBytes} bytes`));
+        req.destroy();
+        return;
+      }
+      stream.write(chunk);
+    });
+    req.on("end", () => {
+      stream.end();
+      stream.on("finish", () => {
+        try {
+          import_node_fs14.default.renameSync(tmp, absPath);
+          resolve2(received);
+        } catch (err) {
+          reject(err);
+        }
+      });
+    });
+    req.on("error", reject);
+    stream.on("error", reject);
+  });
+}
+function readFilenameFromUrl(rawUrl) {
+  if (!rawUrl) return null;
+  try {
+    const u = new URL(rawUrl, "http://placeholder");
+    return u.searchParams.get("name");
+  } catch {
+    return null;
+  }
+}
+function sanitizeFilename(name) {
+  const trimmed = name.replace(/[\x00-\x1f]/g, "").replace(/\//g, "_").replace(/\\/g, "_");
+  const dotsOnly = trimmed.replace(/^\.+/, (m2) => "_".repeat(m2.length));
+  if (!dotsOnly) return "unnamed";
+  return dotsOnly.slice(0, 200);
+}
+function httpErr(status, code, message) {
+  const err = new Error(message);
+  err.httpStatus = status;
+  err.code = code;
+  return err;
+}
+function isHttpError(err) {
+  return err instanceof Error && typeof err.httpStatus === "number" && typeof err.code === "string";
+}
+async function handleInboxRequest(req, res, ctxRouter, deps) {
+  const personaMatch = ctxRouter.pathname.match(/^\/persona\/([^/]+)\/inbox$/);
+  if (personaMatch && req.method === "POST") {
+    if (!deps.getPersonaDir || !deps.getPersonaScope) {
+      sendJson(res, 501, { code: "NOT_IMPLEMENTED", message: "inbox not wired" });
+      return true;
+    }
+    const pid = personaMatch[1];
+    const personaDir = deps.getPersonaDir(pid);
+    if (!personaDir) {
+      sendJson(res, 404, { code: "NOT_FOUND", message: `persona ${pid} not found` });
+      return true;
+    }
+    const sessionId = new URL(req.url ?? "", "http://placeholder").searchParams.get("session") || pid;
+    try {
+      const result = await handlePersonaInbox(
+        req,
+        {
+          personaId: pid,
+          personaDir,
+          sessionId,
+          scope: deps.getPersonaScope(pid),
+          addedBy: deps.addedBy,
+          from: ctxRouter.isOwner ? "owner" : "user"
+        },
+        deps.inboxOpts ?? { groupFileStore: deps.groupFileStore }
+      );
+      sendJson(res, 200, result);
+    } catch (err) {
+      handleInboxError(err, res);
+    }
+    return true;
+  }
+  const sessionMatch = ctxRouter.pathname.match(/^\/session\/([^/]+)\/inbox$/);
+  if (sessionMatch && req.method === "POST") {
+    if (!ctxRouter.isOwner) {
+      sendJson(res, 403, { code: "FORBIDDEN", message: "direct session inbox is owner-only" });
+      return true;
+    }
+    if (!deps.getSessionCwd) {
+      sendJson(res, 501, { code: "NOT_IMPLEMENTED", message: "inbox not wired" });
+      return true;
+    }
+    const sid = sessionMatch[1];
+    const sessionCwd = deps.getSessionCwd(sid);
+    if (!sessionCwd) {
+      sendJson(res, 404, { code: "NOT_FOUND", message: `session ${sid} not found` });
+      return true;
+    }
+    try {
+      const result = await handleSessionInbox(
+        req,
+        {
+          sessionId: sid,
+          sessionCwd: sessionCwd.cwd,
+          scope: sessionCwd.scope,
+          from: "owner"
+        },
+        deps.inboxOpts ?? { groupFileStore: deps.groupFileStore }
+      );
+      sendJson(res, 200, result);
+    } catch (err) {
+      handleInboxError(err, res);
+    }
+    return true;
+  }
+  return false;
+}
+function handleInboxError(err, res) {
+  if (isHttpError(err)) {
+    sendJson(res, err.httpStatus, { code: err.code, message: err.message });
+    return;
+  }
+  sendJson(res, 500, { code: "INTERNAL", message: err.message });
+}
+function sendJson(res, status, body) {
+  if (res.headersSent) return;
+  res.writeHead(status, { "Content-Type": "application/json; charset=utf-8" });
+  res.end(JSON.stringify(body));
+}
+
+// src/transport/http-router.ts
+function createHttpRouter(deps) {
+  return async (req, res) => {
+    const url = parseUrl(req.url);
+    if (!url) {
+      sendJson2(res, 400, { code: "INVALID_URL", message: "malformed request URL" });
+      return true;
+    }
+    if (url.pathname === "/healthz" && req.method === "GET") {
+      sendJson2(res, 200, { ok: true, version: deps.daemonVersion });
+      return true;
+    }
+    if (!url.pathname.startsWith("/persona/") && !url.pathname.startsWith("/session/") && url.pathname !== "/outbox" && !url.pathname.startsWith("/outbox/")) {
+      return false;
+    }
+    {
+      const directMatch = url.pathname.match(/^\/outbox\/([^/]+)$/);
+      const personaMatch = url.pathname.match(/^\/persona\/([^/]+)\/outbox\/([^/]+)$/);
+      if (directMatch || personaMatch) {
+        if (!deps.outboxStore) {
+          sendJson2(res, 501, { code: "NOT_IMPLEMENTED", message: "outbox store not wired" });
+          return true;
+        }
+        const capToken = directMatch ? directMatch[1] : personaMatch[2];
+        const lookup = deps.outboxStore.lookup(capToken);
+        if (!lookup.ok) {
+          const statusByCode = {
+            NOT_FOUND: 404,
+            EXPIRED: 410,
+            REVOKED: 410
+          };
+          sendJson2(res, statusByCode[lookup.code], { code: lookup.code, message: "outbox cap not usable" });
+          return true;
+        }
+        const { entry } = lookup;
+        if (entry.scope.kind === "personal") {
+          const ctx2 = deps.authResolver.resolveFromHeader(
+            req.headers.authorization,
+            req.socket.remoteAddress ?? void 0
+          );
+          if (!ctx2 || ctx2.role !== "personal" || ctx2.personaId !== entry.scope.personalId) {
+            sendJson2(res, 403, { code: "FORBIDDEN", message: "personal-scoped cap requires matching token" });
+            return true;
+          }
+        }
+        const outboxStore = deps.outboxStore;
+        streamFile(res, entry.absPath, deps.logger, () => outboxStore.consume(capToken));
+        return true;
+      }
+    }
+    const ctx = deps.authResolver.resolveFromHeader(
+      req.headers.authorization,
+      req.socket.remoteAddress ?? void 0
+    );
+    if (!ctx) {
+      sendJson2(res, 401, { code: "UNAUTHORIZED", message: "missing or invalid bearer token" });
+      return true;
+    }
+    const personaFilesMatch = url.pathname.match(/^\/persona\/([^/]+)\/files$/);
+    if (personaFilesMatch && req.method === "GET") {
+      const pid = personaFilesMatch[1];
+      const pathParam = url.searchParams.get("path");
+      if (!pathParam) {
+        sendJson2(res, 400, { code: "INVALID_PARAM", message: "missing `path` query" });
+        return true;
+      }
+      if (!deps.personaStore || !deps.groupFileStore) {
+        sendJson2(res, 501, withCtx(ctx, { code: "NOT_IMPLEMENTED", message: "files endpoint not wired" }));
+        return true;
+      }
+      const personaDir = deps.personaStore.personaDirPath(pid);
+      const absPath = import_node_path17.default.isAbsolute(pathParam) ? pathParam : import_node_path17.default.join(personaDir, pathParam);
+      if (!import_node_path17.default.isAbsolute(pathParam) && !isContainedIn(absPath, personaDir)) {
+        sendJson2(res, 400, { code: "PATH_TRAVERSAL", message: "rel path escapes personaDir" });
+        return true;
+      }
+      if (ctx.role === "personal") {
+        if (ctx.personaId !== pid) {
+          sendJson2(res, 403, { code: "FORBIDDEN", message: "personal token bound to other persona" });
+          return true;
+        }
+        if (!personalViewable(deps.groupFileStore, personaDir, pid, absPath)) {
+          sendJson2(res, 403, { code: "FORBIDDEN", message: "path not in personal viewable scope" });
+          return true;
+        }
+      }
+      streamFile(res, absPath, deps.logger);
+      return true;
+    }
+    const sessionFilesMatch = url.pathname.match(/^\/session\/([^/]+)\/files$/);
+    if (sessionFilesMatch && req.method === "GET") {
+      if (ctx.role !== "owner") {
+        sendJson2(res, 403, { code: "FORBIDDEN", message: "direct session files are owner-only" });
+        return true;
+      }
+      const sid = sessionFilesMatch[1];
+      const pathParam = url.searchParams.get("path");
+      if (!pathParam) {
+        sendJson2(res, 400, { code: "INVALID_PARAM", message: "missing `path` query" });
+        return true;
+      }
+      let absPath;
+      if (import_node_path17.default.isAbsolute(pathParam)) {
+        absPath = pathParam;
+      } else if (deps.sessionStore) {
+        const file = deps.sessionStore.read(sid);
+        if (!file) {
+          sendJson2(res, 404, { code: "NOT_FOUND", message: `session ${sid} not found` });
+          return true;
+        }
+        absPath = import_node_path17.default.join(file.cwd, pathParam);
+      } else {
+        sendJson2(res, 501, withCtx(ctx, { code: "NOT_IMPLEMENTED", message: "sessionStore not wired" }));
+        return true;
+      }
+      streamFile(res, absPath, deps.logger);
+      return true;
+    }
+    if (/^\/persona\/[^/]+\/inbox$/.test(url.pathname) && req.method === "POST") {
+      if (!deps.groupFileStore || !deps.personaStore) {
+        sendJson2(res, 501, withCtx(ctx, { code: "NOT_IMPLEMENTED", message: "inbox not wired" }));
+        return true;
+      }
+      const handled = await handleInboxRequest(
+        req,
+        res,
+        {
+          pathname: url.pathname,
+          isOwner: ctx.role === "owner",
+          personaId: ctx.personaId
+        },
+        {
+          groupFileStore: deps.groupFileStore,
+          getPersonaDir: (pid) => deps.personaStore.personaDirPath(pid),
+          // PR 7：persona inbox 默认走 owner-mode scope；UI 端如果用 personal listener
+          // 也归到 owner scope（session 维度）—— PR 9 完善时再走 listener scope。
+          getPersonaScope: (pid) => ({
+            kind: "persona",
+            personaId: pid,
+            mode: "owner"
+          }),
+          addedBy: ctx.label ?? (ctx.role === "owner" ? "owner" : "unknown")
+        }
+      );
+      if (handled) return true;
+    }
+    if (/^\/session\/[^/]+\/inbox$/.test(url.pathname) && req.method === "POST") {
+      if (!deps.groupFileStore || !deps.sessionStore) {
+        sendJson2(res, 501, withCtx(ctx, { code: "NOT_IMPLEMENTED", message: "inbox not wired" }));
+        return true;
+      }
+      const handled = await handleInboxRequest(
+        req,
+        res,
+        {
+          pathname: url.pathname,
+          isOwner: ctx.role === "owner"
+        },
+        {
+          groupFileStore: deps.groupFileStore,
+          getSessionCwd: (sid) => {
+            const f = deps.sessionStore.read(sid);
+            if (!f) return null;
+            const scope = f.ownerPersonaId ? { kind: "persona", personaId: f.ownerPersonaId, mode: "owner" } : { kind: "default" };
+            return { cwd: f.cwd, scope };
+          },
+          addedBy: ctx.role === "owner" ? "owner" : "unknown"
+        }
+      );
+      if (handled) return true;
+    }
+    if (/^\/persona\/[^/]+\/attachment-meta$/.test(url.pathname) && req.method === "GET") {
+      sendJson2(res, 501, withCtx(ctx, { code: "NOT_IMPLEMENTED", message: "attachment-meta \u2014 PR 6" }));
+      return true;
+    }
+    sendJson2(res, 404, { code: "NOT_FOUND", message: `no route for ${req.method} ${url.pathname}` });
+    return true;
+  };
+}
+function parseUrl(rawUrl) {
+  if (!rawUrl) return null;
+  try {
+    return new URL(rawUrl, "http://placeholder");
+  } catch {
+    return null;
+  }
+}
+function sendJson2(res, status, body) {
+  res.writeHead(status, { "Content-Type": "application/json; charset=utf-8" });
+  res.end(JSON.stringify(body));
+}
+function withCtx(ctx, body) {
+  return { ...body, role: ctx.role, personaId: ctx.personaId };
+}
+function isContainedIn(abs, root) {
+  const normalized = import_node_path17.default.resolve(abs);
+  const normalizedRoot = import_node_path17.default.resolve(root);
+  if (normalized === normalizedRoot) return true;
+  return normalized.startsWith(normalizedRoot + import_node_path17.default.sep);
+}
+function streamFile(res, absPath, logger, onComplete) {
+  let stat;
+  try {
+    stat = import_node_fs15.default.statSync(absPath);
+  } catch (err) {
+    const code = err?.code;
+    if (code === "ENOENT") {
+      sendJson2(res, 404, { code: "NOT_FOUND", message: "file not found" });
+    } else {
+      sendJson2(res, 500, { code: "STAT_FAILED", message: err.message });
+    }
+    return;
+  }
+  if (!stat.isFile()) {
+    sendJson2(res, 400, { code: "NOT_A_FILE", message: "path is not a regular file" });
+    return;
+  }
+  const mime = lookupMime(absPath);
+  res.writeHead(200, {
+    "Content-Type": mime,
+    "Content-Length": String(stat.size),
+    // 防止浏览器把任意 mime 当 html 渲染（spec §11 #8 安全心智）
+    "X-Content-Type-Options": "nosniff"
+  });
+  const stream = import_node_fs15.default.createReadStream(absPath);
+  stream.on("error", (err) => {
+    logger?.warn("streamFile read error", { absPath, err: err.message });
+    res.destroy();
+  });
+  if (onComplete) {
+    res.once("finish", onComplete);
+  }
+  stream.pipe(res);
+}
+
+// src/attachment/outbox.ts
+var import_node_fs16 = __toESM(require("fs"), 1);
+var import_node_path18 = __toESM(require("path"), 1);
+var import_node_crypto6 = __toESM(require("crypto"), 1);
+init_protocol();
+var FILE_NAME = "outbox-caps.json";
+var OutboxStore = class {
+  file;
+  now;
+  logger;
+  cache = [];
+  constructor(opts) {
+    this.file = import_node_path18.default.join(opts.dataDir, FILE_NAME);
+    this.now = opts.now ?? Date.now;
+    this.logger = opts.logger;
+    this.reload();
+  }
+  reload() {
+    try {
+      const raw = import_node_fs16.default.readFileSync(this.file, "utf8");
+      const parsed = JSON.parse(raw);
+      if (!Array.isArray(parsed)) {
+        this.logger?.warn("OutboxStore.reload: outbox-caps.json is not an array; resetting", {
+          file: this.file
+        });
+        this.cache = [];
+        return;
+      }
+      const out = [];
+      for (const item of parsed) {
+        const r = OutboxCapEntrySchema.safeParse(item);
+        if (r.success) out.push(r.data);
+      }
+      this.cache = out;
+    } catch (err) {
+      const code = err?.code;
+      if (code !== "ENOENT") {
+        this.logger?.warn("OutboxStore.reload failed; outbox-caps.json may be corrupt", {
+          file: this.file,
+          err: err.message
+        });
+      }
+      this.cache = [];
+    }
+  }
+  persist() {
+    import_node_fs16.default.mkdirSync(import_node_path18.default.dirname(this.file), { recursive: true });
+    const tmp = `${this.file}.tmp-${process.pid}-${Date.now()}`;
+    import_node_fs16.default.writeFileSync(tmp, JSON.stringify(this.cache, null, 2), { mode: 384 });
+    import_node_fs16.default.renameSync(tmp, this.file);
+  }
+  /** 列出当前缓存（含 revoked / 过期，UI Drawer 显灰；过滤靠调用方） */
+  list() {
+    return this.cache.slice();
+  }
+  /** 按 personaId / sessionId 过滤；为 outbox Drawer 服务 */
+  listByPersona(personaId) {
+    return this.cache.filter(
+      (c) => c.scopeRef.kind === "persona" && c.scopeRef.personaId === personaId
+    );
+  }
+  /**
+   * Mint a new cap. capToken = 32B 随机 base64url（256-bit entropy），spec §11 #8 防剪贴板/微信
+   * 截图泄露通过短码的暴力面。返回完整 entry 让 caller 拼 URL。
+   *
+   * @param ttlSeconds null = 永久；undefined = 默认 24h（spec §12）
+   */
+  mint(input) {
+    const ts = this.now();
+    const ttl = input.ttlSeconds === null ? null : input.ttlSeconds ?? 24 * 3600;
+    const entry = {
+      capToken: import_node_crypto6.default.randomBytes(32).toString("base64url"),
+      scopeRef: input.scopeRef,
+      absPath: input.absPath,
+      name: input.name,
+      expiresAt: ttl === null ? null : ts + ttl * 1e3,
+      oneShot: input.oneShot ?? false,
+      scope: input.scope ?? { kind: "public" },
+      hits: 0,
+      createdAt: ts
+    };
+    this.cache.push(entry);
+    this.persist();
+    return entry;
+  }
+  /** Mark revoked；不删除条目（便于审计），上层 lookup 后返回 410 */
+  revoke(capToken) {
+    const idx = this.cache.findIndex((c) => c.capToken === capToken);
+    if (idx < 0) return false;
+    if (this.cache[idx].revoked) return false;
+    this.cache[idx] = { ...this.cache[idx], revoked: true };
+    this.persist();
+    return true;
+  }
+  /**
+   * HTTP 层用：根据 capToken 找到 entry 并判定能不能用。
+   * 三种结果：
+   *   - { ok: true, entry }                可用，调用方流文件
+   *   - { ok: false, code: 'EXPIRED' | 'REVOKED' | 'NOT_FOUND' }
+   *
+   * 命中 + oneShot=true 时由调用方调 consume() 把 cache 中 hits 自增并立即 revoke
+   * （consume 应当在 response 'finish' 后才触发，避免中途断流误算消费）。
+   */
+  lookup(capToken) {
+    const entry = this.cache.find((c) => c.capToken === capToken);
+    if (!entry) return { ok: false, code: "NOT_FOUND" };
+    if (entry.revoked) return { ok: false, code: "REVOKED" };
+    if (entry.expiresAt !== null && this.now() > entry.expiresAt) {
+      return { ok: false, code: "EXPIRED" };
+    }
+    return { ok: true, entry };
+  }
+  /** 命中后真正"消费"一次：hits++ + oneShot 时 revoke。daemon HTTP 层 stream 成功后再调 */
+  consume(capToken) {
+    const idx = this.cache.findIndex((c) => c.capToken === capToken);
+    if (idx < 0) return;
+    const prev = this.cache[idx];
+    this.cache[idx] = {
+      ...prev,
+      hits: prev.hits + 1,
+      revoked: prev.oneShot ? true : prev.revoked
+    };
+    this.persist();
+  }
+};
+
+// src/attachment/mount.ts
+var import_node_fs17 = __toESM(require("fs"), 1);
+var import_node_path19 = __toESM(require("path"), 1);
+init_protocol();
+var MountStore = class {
+  constructor(opts) {
+    this.opts = opts;
+  }
+  opts;
+  filePath(personaId) {
+    return import_node_path19.default.join(this.opts.personaDirPath(personaId), ".clawd", "shared-files.json");
+  }
+  list(personaId) {
+    try {
+      const raw = import_node_fs17.default.readFileSync(this.filePath(personaId), "utf8");
+      const parsed = JSON.parse(raw);
+      if (!Array.isArray(parsed)) return [];
+      const out = [];
+      for (const item of parsed) {
+        const r = MountEntrySchema.safeParse(item);
+        if (r.success) out.push(r.data);
+      }
+      return out;
+    } catch {
+      return [];
+    }
+  }
+  /**
+   * Add a mount。在 personaDir 创建 link/copy + 写 manifest。冲突 basename 抛错（caller
+   * 决定是覆盖还是改名）。
+   */
+  add(personaId, input) {
+    const personaDir = this.opts.personaDirPath(personaId);
+    if (!import_node_fs17.default.existsSync(personaDir)) {
+      throw new Error(`personaDir not found: ${personaDir}`);
+    }
+    const source = import_node_path19.default.resolve(input.absPath);
+    if (!import_node_fs17.default.existsSync(source)) {
+      throw new Error(`source path not found: ${source}`);
+    }
+    const basename = import_node_path19.default.basename(source);
+    const dest = import_node_path19.default.join(personaDir, basename);
+    if (import_node_fs17.default.existsSync(dest)) {
+      throw new Error(`destination already exists: ${dest}`);
+    }
+    if (input.mode === "link") {
+      import_node_fs17.default.symlinkSync(source, dest);
+    } else {
+      import_node_fs17.default.copyFileSync(source, dest);
+    }
+    const entry = {
+      basename,
+      absPath: source,
+      mode: input.mode
+    };
+    const next = this.list(personaId).concat([entry]);
+    this.writeManifest(personaId, next);
+    return entry;
+  }
+  remove(personaId, basename) {
+    const entries = this.list(personaId);
+    const idx = entries.findIndex((e) => e.basename === basename);
+    if (idx < 0) return false;
+    const entry = entries[idx];
+    const personaDir = this.opts.personaDirPath(personaId);
+    const dest = import_node_path19.default.join(personaDir, basename);
+    try {
+      import_node_fs17.default.unlinkSync(dest);
+    } catch {
+    }
+    const next = entries.slice();
+    next.splice(idx, 1);
+    this.writeManifest(personaId, next);
+    void entry;
+    return true;
+  }
+  writeManifest(personaId, entries) {
+    const file = this.filePath(personaId);
+    import_node_fs17.default.mkdirSync(import_node_path19.default.dirname(file), { recursive: true });
+    const tmp = `${file}.tmp-${process.pid}-${Date.now()}`;
+    import_node_fs17.default.writeFileSync(tmp, JSON.stringify(entries, null, 2), { mode: 384 });
+    import_node_fs17.default.renameSync(tmp, file);
+  }
+};
+
+// src/discovery/state-file.ts
+var import_node_fs18 = __toESM(require("fs"), 1);
+var import_node_path20 = __toESM(require("path"), 1);
+function defaultStateFilePath(dataDir) {
+  return import_node_path20.default.join(dataDir, "state.json");
+}
+function isPidAlive(pid) {
+  if (!Number.isFinite(pid) || pid <= 0) return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    const code = err.code;
+    return code === "EPERM";
+  }
+}
+var StateFileManager = class {
+  file;
+  constructor(opts) {
+    this.file = defaultStateFilePath(opts.dataDir);
+  }
+  filePath() {
+    return this.file;
+  }
+  read() {
+    try {
+      const raw = import_node_fs18.default.readFileSync(this.file, "utf8");
+      const parsed = JSON.parse(raw);
+      return parsed;
+    } catch {
+      return null;
+    }
+  }
+  preflight() {
+    const existing = this.read();
+    if (!existing) return { status: "ok" };
+    if (isPidAlive(existing.pid)) return { status: "active", existing };
+    return { status: "stale", existing };
+  }
+  write(state) {
+    import_node_fs18.default.mkdirSync(import_node_path20.default.dirname(this.file), { recursive: true });
+    const tmp = `${this.file}.tmp.${process.pid}.${Date.now()}`;
+    import_node_fs18.default.writeFileSync(tmp, JSON.stringify(state, null, 2), { mode: 384 });
+    import_node_fs18.default.renameSync(tmp, this.file);
+    if (process.platform !== "win32") {
+      try {
+        import_node_fs18.default.chmodSync(this.file, 384);
+      } catch {
+      }
+    }
+  }
+  delete() {
+    try {
+      import_node_fs18.default.unlinkSync(this.file);
+    } catch {
+    }
+  }
+};
+
+// src/tunnel/tunnel-manager.ts
+var import_node_fs22 = __toESM(require("fs"), 1);
+var import_node_path24 = __toESM(require("path"), 1);
+var import_node_crypto7 = __toESM(require("crypto"), 1);
+var import_node_child_process5 = require("child_process");
+
+// src/tunnel/tunnel-store.ts
+var import_node_fs19 = __toESM(require("fs"), 1);
+var import_node_path21 = __toESM(require("path"), 1);
+var TunnelStore = class {
+  constructor(filePath) {
+    this.filePath = filePath;
+  }
+  filePath;
+  async get() {
+    try {
+      const raw = await import_node_fs19.default.promises.readFile(this.filePath, "utf8");
+      const obj = JSON.parse(raw);
+      if (!isPersistedTunnel(obj)) return null;
+      return obj;
+    } catch (err) {
+      const code = err?.code;
+      if (code === "ENOENT") return null;
+      return null;
+    }
+  }
+  async set(v2) {
+    const dir = import_node_path21.default.dirname(this.filePath);
+    await import_node_fs19.default.promises.mkdir(dir, { recursive: true });
+    const data = JSON.stringify(v2, null, 2);
+    const tmp = `${this.filePath}.tmp.${process.pid}.${Date.now()}`;
+    await import_node_fs19.default.promises.writeFile(tmp, data, { mode: 384 });
+    if (process.platform !== "win32") {
+      try {
+        await import_node_fs19.default.promises.chmod(tmp, 384);
+      } catch {
+      }
+    }
+    await import_node_fs19.default.promises.rename(tmp, this.filePath);
+  }
+  async clear() {
+    try {
+      await import_node_fs19.default.promises.unlink(this.filePath);
+    } catch (err) {
+      const code = err?.code;
+      if (code !== "ENOENT") throw err;
+    }
+  }
+};
+function isPersistedTunnel(o) {
+  if (!o || typeof o !== "object") return false;
+  const r = o;
+  return typeof r.subdomain === "string" && typeof r.frpsHost === "string" && typeof r.frpsPort === "number" && typeof r.frpsToken === "string" && typeof r.url === "string" && typeof r.registeredAt === "string";
+}
+
+// src/tunnel/register-client.ts
+var TunnelRegisterError = class extends Error {
+  constructor(message, cause) {
+    super(message);
+    this.cause = cause;
+    this.name = "TunnelRegisterError";
+  }
+  cause;
 };
 async function registerTunnel(opts) {
   const f = opts.fetchImpl ?? globalThis.fetch;
@@ -26229,9 +27412,9 @@ function escape(v2) {
 }
 
 // src/tunnel/frpc-binary.ts
-var import_node_fs15 = __toESM(require("fs"), 1);
+var import_node_fs20 = __toESM(require("fs"), 1);
 var import_node_os9 = __toESM(require("os"), 1);
-var import_node_path16 = __toESM(require("path"), 1);
+var import_node_path22 = __toESM(require("path"), 1);
 var import_node_child_process3 = require("child_process");
 var import_node_stream2 = require("stream");
 var import_promises = require("stream/promises");
@@ -26263,20 +27446,20 @@ function frpcDownloadUrl(version2, p2) {
 }
 async function ensureFrpcBinary(opts) {
   if (opts.override) {
-    if (!import_node_fs15.default.existsSync(opts.override)) {
+    if (!import_node_fs20.default.existsSync(opts.override)) {
       throw new Error(`frpc binary not found at override path: ${opts.override}`);
     }
     return opts.override;
   }
   const version2 = opts.version ?? FRPC_VERSION;
   const platform = opts.platform ?? detectPlatform();
-  const binDir = import_node_path16.default.join(opts.dataDir, "bin");
-  import_node_fs15.default.mkdirSync(binDir, { recursive: true });
+  const binDir = import_node_path22.default.join(opts.dataDir, "bin");
+  import_node_fs20.default.mkdirSync(binDir, { recursive: true });
   cleanupStaleArtifacts(binDir);
-  const stableBin = import_node_path16.default.join(binDir, "frpc");
-  if (import_node_fs15.default.existsSync(stableBin)) return stableBin;
+  const stableBin = import_node_path22.default.join(binDir, "frpc");
+  if (import_node_fs20.default.existsSync(stableBin)) return stableBin;
   const partialBin = `${stableBin}.partial`;
-  const tarballPath = import_node_path16.default.join(binDir, `frp_${version2}_${platform.os}_${platform.arch}.tar.gz.partial`);
+  const tarballPath = import_node_path22.default.join(binDir, `frp_${version2}_${platform.os}_${platform.arch}.tar.gz.partial`);
   try {
     const url = frpcDownloadUrl(version2, platform);
     await downloadToFile(url, tarballPath, opts.fetchImpl);
@@ -26285,8 +27468,8 @@ async function ensureFrpcBinary(opts) {
     } else {
       await extractFrpcFromTarball(tarballPath, binDir, version2, platform, partialBin);
     }
-    import_node_fs15.default.chmodSync(partialBin, 493);
-    import_node_fs15.default.renameSync(partialBin, stableBin);
+    import_node_fs20.default.chmodSync(partialBin, 493);
+    import_node_fs20.default.renameSync(partialBin, stableBin);
   } finally {
     safeUnlink(tarballPath);
     safeUnlink(partialBin);
@@ -26296,15 +27479,15 @@ async function ensureFrpcBinary(opts) {
 function cleanupStaleArtifacts(binDir) {
   let entries;
   try {
-    entries = import_node_fs15.default.readdirSync(binDir);
+    entries = import_node_fs20.default.readdirSync(binDir);
   } catch {
     return;
   }
   for (const name of entries) {
     if (name.endsWith(".partial") || name.startsWith("extract-")) {
-      const full = import_node_path16.default.join(binDir, name);
+      const full = import_node_path22.default.join(binDir, name);
       try {
-        import_node_fs15.default.rmSync(full, { recursive: true, force: true });
+        import_node_fs20.default.rmSync(full, { recursive: true, force: true });
       } catch {
       }
     }
@@ -26312,7 +27495,7 @@ function cleanupStaleArtifacts(binDir) {
 }
 function safeUnlink(p2) {
   try {
-    import_node_fs15.default.unlinkSync(p2);
+    import_node_fs20.default.unlinkSync(p2);
   } catch {
   }
 }
@@ -26323,13 +27506,13 @@ async function downloadToFile(url, dest, fetchImpl) {
   if (!res.ok || !res.body) {
     throw new Error(`download failed: ${res.status} ${res.statusText}`);
   }
-  const out = import_node_fs15.default.createWriteStream(dest);
+  const out = import_node_fs20.default.createWriteStream(dest);
   const nodeStream = import_node_stream2.Readable.fromWeb(res.body);
   await (0, import_promises.pipeline)(nodeStream, out);
 }
 async function extractFrpcFromTarball(tarball, binDir, version2, platform, destBin) {
-  const work = import_node_path16.default.join(binDir, `extract-${process.pid}-${Date.now()}`);
-  import_node_fs15.default.mkdirSync(work, { recursive: true });
+  const work = import_node_path22.default.join(binDir, `extract-${process.pid}-${Date.now()}`);
+  import_node_fs20.default.mkdirSync(work, { recursive: true });
   try {
     await new Promise((resolve2, reject) => {
       const proc = (0, import_node_child_process3.spawn)("tar", ["xzf", tarball, "-C", work], { stdio: "pipe" });
@@ -26337,32 +27520,32 @@ async function extractFrpcFromTarball(tarball, binDir, version2, platform, destB
       proc.on("exit", (code) => code === 0 ? resolve2() : reject(new Error(`tar exited ${code}`)));
     });
     const dirName = `frp_${version2}_${platform.os}_${platform.arch}`;
-    const src = import_node_path16.default.join(work, dirName, "frpc");
-    if (!import_node_fs15.default.existsSync(src)) {
+    const src = import_node_path22.default.join(work, dirName, "frpc");
+    if (!import_node_fs20.default.existsSync(src)) {
       throw new Error(`frpc not found inside tarball at ${src}`);
     }
-    import_node_fs15.default.copyFileSync(src, destBin);
+    import_node_fs20.default.copyFileSync(src, destBin);
   } finally {
-    import_node_fs15.default.rmSync(work, { recursive: true, force: true });
+    import_node_fs20.default.rmSync(work, { recursive: true, force: true });
   }
 }
 
 // src/tunnel/frpc-process.ts
-var import_node_fs16 = __toESM(require("fs"), 1);
-var import_node_path17 = __toESM(require("path"), 1);
+var import_node_fs21 = __toESM(require("fs"), 1);
+var import_node_path23 = __toESM(require("path"), 1);
 var import_node_child_process4 = require("child_process");
 function frpcPidFilePath(dataDir) {
-  return import_node_path17.default.join(dataDir, "frpc.pid");
+  return import_node_path23.default.join(dataDir, "frpc.pid");
 }
 function writeFrpcPid(dataDir, pid) {
   try {
-    import_node_fs16.default.writeFileSync(frpcPidFilePath(dataDir), String(pid), { mode: 384 });
+    import_node_fs21.default.writeFileSync(frpcPidFilePath(dataDir), String(pid), { mode: 384 });
   } catch {
   }
 }
 function clearFrpcPid(dataDir) {
   try {
-    import_node_fs16.default.unlinkSync(frpcPidFilePath(dataDir));
+    import_node_fs21.default.unlinkSync(frpcPidFilePath(dataDir));
   } catch {
   }
 }
@@ -26378,7 +27561,7 @@ function defaultIsPidAlive(pid) {
 }
 function defaultReadPidFile(file) {
   try {
-    return import_node_fs16.default.readFileSync(file, "utf8");
+    return import_node_fs21.default.readFileSync(file, "utf8");
   } catch {
     return null;
   }
@@ -26394,7 +27577,7 @@ function defaultSleep(ms) {
 }
 async function killStaleFrpc(deps) {
   const pidFile = frpcPidFilePath(deps.dataDir);
-  const tomlPath = import_node_path17.default.join(deps.dataDir, "frpc.toml");
+  const tomlPath = import_node_path23.default.join(deps.dataDir, "frpc.toml");
   const readPidFile = deps.readPidFileImpl ?? defaultReadPidFile;
   const isAlive = deps.isPidAliveImpl ?? defaultIsPidAlive;
   const killPid = deps.killPidImpl ?? defaultKillPid;
@@ -26418,7 +27601,7 @@ async function killStaleFrpc(deps) {
   }
   if (victims.size === 0) {
     try {
-      import_node_fs16.default.unlinkSync(pidFile);
+      import_node_fs21.default.unlinkSync(pidFile);
     } catch {
     }
     return;
@@ -26429,7 +27612,7 @@ async function killStaleFrpc(deps) {
   }
   await sleep(deps.reapWaitMs ?? 300);
   try {
-    import_node_fs16.default.unlinkSync(pidFile);
+    import_node_fs21.default.unlinkSync(pidFile);
   } catch {
   }
 }
@@ -26466,7 +27649,7 @@ var DEFAULT_TUNNEL_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
 var TunnelManager = class {
   constructor(deps) {
     this.deps = deps;
-    this.store = deps.store ?? new TunnelStore(import_node_path18.default.join(deps.dataDir, "tunnel.json"));
+    this.store = deps.store ?? new TunnelStore(import_node_path24.default.join(deps.dataDir, "tunnel.json"));
     this.ttlMs = deps.ttlMs ?? DEFAULT_TUNNEL_TTL_MS;
     this.startupTimeoutMs = deps.startupTimeoutMs ?? 15e3;
   }
@@ -26593,8 +27776,8 @@ var TunnelManager = class {
         dataDir: this.deps.dataDir,
         override: this.deps.frpcBinaryOverride ?? void 0
       });
-      const tomlPath = import_node_path18.default.join(this.deps.dataDir, "frpc.toml");
-      const proxyName = `clawd-${t.subdomain}-${localPort}-${import_node_crypto4.default.randomBytes(3).toString("hex")}`;
+      const tomlPath = import_node_path24.default.join(this.deps.dataDir, "frpc.toml");
+      const proxyName = `clawd-${t.subdomain}-${localPort}-${import_node_crypto7.default.randomBytes(3).toString("hex")}`;
       const toml = buildFrpcToml({
         serverAddr: t.frpsHost,
         serverPort: t.frpsPort,
@@ -26604,12 +27787,12 @@ var TunnelManager = class {
         localPort,
         logLevel: "info"
       });
-      await import_node_fs17.default.promises.writeFile(tomlPath, toml, { mode: 384 });
+      await import_node_fs22.default.promises.writeFile(tomlPath, toml, { mode: 384 });
       const proc = (this.deps.spawnImpl ?? import_node_child_process5.spawn)(frpcBin, ["-c", tomlPath], {
         stdio: ["ignore", "pipe", "pipe"]
       });
-      const logFilePath = import_node_path18.default.join(this.deps.dataDir, "frpc.log");
-      const logStream = import_node_fs17.default.createWriteStream(logFilePath, { flags: "a", mode: 384 });
+      const logFilePath = import_node_path24.default.join(this.deps.dataDir, "frpc.log");
+      const logStream = import_node_fs22.default.createWriteStream(logFilePath, { flags: "a", mode: 384 });
       logStream.on("error", () => {
       });
       const tee = (chunk) => {
@@ -26692,22 +27875,22 @@ async function waitForFrpcReady(proc, timeoutMs) {
 
 // src/tunnel/device-key.ts
 var import_node_os10 = __toESM(require("os"), 1);
-var import_node_crypto5 = __toESM(require("crypto"), 1);
+var import_node_crypto8 = __toESM(require("crypto"), 1);
 var DERIVE_SALT = "clawd-tunnel-device-v1";
 function deriveStableDeviceKey(opts = {}) {
   const hostname = opts.hostname ?? import_node_os10.default.hostname();
   const uid = opts.uid ?? (typeof import_node_os10.default.userInfo === "function" ? import_node_os10.default.userInfo().uid : 0);
   const input = `${hostname}::${uid}`;
-  return import_node_crypto5.default.createHmac("sha256", DERIVE_SALT).update(input).digest("hex").slice(0, 32);
+  return import_node_crypto8.default.createHmac("sha256", DERIVE_SALT).update(input).digest("hex").slice(0, 32);
 }
 
 // src/auth-store.ts
-var import_node_fs18 = __toESM(require("fs"), 1);
-var import_node_path19 = __toESM(require("path"), 1);
-var import_node_crypto6 = __toESM(require("crypto"), 1);
+var import_node_fs23 = __toESM(require("fs"), 1);
+var import_node_path25 = __toESM(require("path"), 1);
+var import_node_crypto9 = __toESM(require("crypto"), 1);
 var AUTH_FILE_NAME = "auth.json";
 function authFilePath(dataDir) {
-  return import_node_path19.default.join(dataDir, AUTH_FILE_NAME);
+  return import_node_path25.default.join(dataDir, AUTH_FILE_NAME);
 }
 function loadOrCreateAuthToken(opts) {
   const file = authFilePath(opts.dataDir);
@@ -26719,11 +27902,11 @@ function loadOrCreateAuthToken(opts) {
   return token;
 }
 function defaultGenerate() {
-  return import_node_crypto6.default.randomBytes(32).toString("base64url");
+  return import_node_crypto9.default.randomBytes(32).toString("base64url");
 }
 function readAuthFile(file) {
   try {
-    const raw = import_node_fs18.default.readFileSync(file, "utf8");
+    const raw = import_node_fs23.default.readFileSync(file, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed?.token === "string" && parsed.token.length > 0) {
       return {
@@ -26739,25 +27922,25 @@ function readAuthFile(file) {
   }
 }
 function writeAuthFile(file, content) {
-  import_node_fs18.default.mkdirSync(import_node_path19.default.dirname(file), { recursive: true });
-  import_node_fs18.default.writeFileSync(file, JSON.stringify(content, null, 2), { mode: 384 });
+  import_node_fs23.default.mkdirSync(import_node_path25.default.dirname(file), { recursive: true });
+  import_node_fs23.default.writeFileSync(file, JSON.stringify(content, null, 2), { mode: 384 });
   try {
-    import_node_fs18.default.chmodSync(file, 384);
+    import_node_fs23.default.chmodSync(file, 384);
   } catch {
   }
 }
 
 // src/owner-profile.ts
-var import_node_fs19 = __toESM(require("fs"), 1);
+var import_node_fs24 = __toESM(require("fs"), 1);
 var import_node_os11 = __toESM(require("os"), 1);
-var import_node_path20 = __toESM(require("path"), 1);
+var import_node_path26 = __toESM(require("path"), 1);
 var PROFILE_FILENAME = "profile.json";
 function loadOwnerDisplayName(dataDir) {
   const fallback = import_node_os11.default.userInfo().username;
-  const profilePath = import_node_path20.default.join(dataDir, PROFILE_FILENAME);
+  const profilePath = import_node_path26.default.join(dataDir, PROFILE_FILENAME);
   let raw;
   try {
-    raw = import_node_fs19.default.readFileSync(profilePath, "utf8");
+    raw = import_node_fs24.default.readFileSync(profilePath, "utf8");
   } catch {
     return fallback;
   }
@@ -26786,12 +27969,12 @@ init_protocol();
 init_protocol();
 
 // src/session/fork.ts
-var import_node_fs20 = __toESM(require("fs"), 1);
+var import_node_fs25 = __toESM(require("fs"), 1);
 var import_node_os12 = __toESM(require("os"), 1);
-var import_node_path21 = __toESM(require("path"), 1);
+var import_node_path27 = __toESM(require("path"), 1);
 init_claude_history();
 function readJsonlEntries(file) {
-  const raw = import_node_fs20.default.readFileSync(file, "utf8");
+  const raw = import_node_fs25.default.readFileSync(file, "utf8");
   const out = [];
   for (const line of raw.split("\n")) {
     const t = line.trim();
@@ -26804,10 +27987,10 @@ function readJsonlEntries(file) {
   return out;
 }
 function forkSession(input) {
-  const baseDir = input.baseDir ?? import_node_path21.default.join(import_node_os12.default.homedir(), ".claude");
-  const projectDir = import_node_path21.default.join(baseDir, "projects", cwdToHashDir(input.cwd));
-  const sourceFile = import_node_path21.default.join(projectDir, `${input.toolSessionId}.jsonl`);
-  if (!import_node_fs20.default.existsSync(sourceFile)) {
+  const baseDir = input.baseDir ?? import_node_path27.default.join(import_node_os12.default.homedir(), ".claude");
+  const projectDir = import_node_path27.default.join(baseDir, "projects", cwdToHashDir(input.cwd));
+  const sourceFile = import_node_path27.default.join(projectDir, `${input.toolSessionId}.jsonl`);
+  if (!import_node_fs25.default.existsSync(sourceFile)) {
     throw new Error(`fork: source transcript not found: ${sourceFile}`);
   }
   const entries = readJsonlEntries(sourceFile);
@@ -26837,9 +28020,9 @@ function forkSession(input) {
     }
     forkedLines.push(JSON.stringify(forked));
   }
-  const forkedFilePath = import_node_path21.default.join(projectDir, `${forkedToolSessionId}.jsonl`);
-  import_node_fs20.default.mkdirSync(projectDir, { recursive: true });
-  import_node_fs20.default.writeFileSync(forkedFilePath, forkedLines.join("\n") + "\n", { mode: 384 });
+  const forkedFilePath = import_node_path27.default.join(projectDir, `${forkedToolSessionId}.jsonl`);
+  import_node_fs25.default.mkdirSync(projectDir, { recursive: true });
+  import_node_fs25.default.writeFileSync(forkedFilePath, forkedLines.join("\n") + "\n", { mode: 384 });
   return { forkedToolSessionId, forkedFilePath };
 }
 
@@ -27160,9 +28343,9 @@ init_protocol();
 
 // src/workspace/git.ts
 var import_node_child_process6 = require("child_process");
-var import_node_fs21 = __toESM(require("fs"), 1);
+var import_node_fs26 = __toESM(require("fs"), 1);
 var import_node_os13 = __toESM(require("os"), 1);
-var import_node_path22 = __toESM(require("path"), 1);
+var import_node_path28 = __toESM(require("path"), 1);
 var import_node_util = require("util");
 var pexec = (0, import_node_util.promisify)(import_node_child_process6.execFile);
 function formatChildProcessError(err) {
@@ -27177,9 +28360,9 @@ function formatChildProcessError(err) {
   return e.message ?? "unknown error";
 }
 function normalizePath(p2) {
-  const resolved = import_node_path22.default.resolve(p2);
+  const resolved = import_node_path28.default.resolve(p2);
   try {
-    return import_node_fs21.default.realpathSync(resolved);
+    return import_node_fs26.default.realpathSync(resolved);
   } catch {
     return resolved;
   }
@@ -27280,13 +28463,13 @@ function flattenToDirName(branch) {
 }
 function encodeClaudeProjectDir(absPath) {
   if (!absPath || typeof absPath !== "string") return "";
-  let canonical = import_node_path22.default.resolve(absPath);
+  let canonical = import_node_path28.default.resolve(absPath);
   try {
-    canonical = import_node_fs21.default.realpathSync(canonical);
+    canonical = import_node_fs26.default.realpathSync(canonical);
   } catch {
     try {
-      const parent = import_node_fs21.default.realpathSync(import_node_path22.default.dirname(canonical));
-      canonical = import_node_path22.default.join(parent, import_node_path22.default.basename(canonical));
+      const parent = import_node_fs26.default.realpathSync(import_node_path28.default.dirname(canonical));
+      canonical = import_node_path28.default.join(parent, import_node_path28.default.basename(canonical));
     } catch {
     }
   }
@@ -27310,11 +28493,11 @@ async function createWorktree(input) {
   if (!isGitRoot) {
     throw new Error(`\u76EE\u5F55 ${cwd} \u4E0D\u662F git repo \u6839`);
   }
-  const parent = import_node_path22.default.dirname(import_node_path22.default.resolve(cwd));
-  if (parent === "/" || parent === import_node_path22.default.resolve(cwd)) {
+  const parent = import_node_path28.default.dirname(import_node_path28.default.resolve(cwd));
+  if (parent === "/" || parent === import_node_path28.default.resolve(cwd)) {
     throw new Error("repo \u5728\u78C1\u76D8\u6839\u76EE\u5F55\uFF0C\u65E0\u6CD5\u5728\u540C\u7EA7\u521B\u5EFA worktree");
   }
-  const worktreeRoot = import_node_path22.default.join(parent, dirName);
+  const worktreeRoot = import_node_path28.default.join(parent, dirName);
   try {
     await pexec("git", ["-C", cwd, "fetch", "origin", baseBranch, "--no-tags"], {
       timeout: 3e4
@@ -27333,7 +28516,7 @@ async function createWorktree(input) {
     const msg = err.message;
     if (msg.startsWith("\u5206\u652F ")) throw err;
   }
-  if (import_node_fs21.default.existsSync(worktreeRoot)) {
+  if (import_node_fs26.default.existsSync(worktreeRoot)) {
     throw new Error(`\u76EE\u5F55 ${worktreeRoot} \u5DF2\u5B58\u5728\uFF0C\u8BF7\u6362\u4E00\u4E2A label \u6216\u6E05\u7406\u540E\u91CD\u8BD5`);
   }
   try {
@@ -27361,8 +28544,8 @@ async function removeWorktree(input) {
     );
     const gitCommonDir = stdout.trim();
     if (!gitCommonDir) throw new Error("empty git-common-dir");
-    const absGitCommon = import_node_path22.default.isAbsolute(gitCommonDir) ? gitCommonDir : import_node_path22.default.resolve(worktreeRoot, gitCommonDir);
-    repoRoot = import_node_path22.default.dirname(absGitCommon);
+    const absGitCommon = import_node_path28.default.isAbsolute(gitCommonDir) ? gitCommonDir : import_node_path28.default.resolve(worktreeRoot, gitCommonDir);
+    repoRoot = import_node_path28.default.dirname(absGitCommon);
   } catch {
     repoRoot = null;
   }
@@ -27374,7 +28557,7 @@ async function removeWorktree(input) {
     } catch (err) {
       const stderr = err.stderr ?? "";
       const lower = stderr.toLowerCase();
-      const vanished = lower.includes("not a working tree") || lower.includes("is not a working tree") || !import_node_fs21.default.existsSync(worktreeRoot);
+      const vanished = lower.includes("not a working tree") || lower.includes("is not a working tree") || !import_node_fs26.default.existsSync(worktreeRoot);
       if (!vanished) {
         throw new Error(`\u6E05\u7406 worktree \u5931\u8D25\uFF1A${formatChildProcessError(err)}`);
       }
@@ -27393,10 +28576,10 @@ async function removeWorktree(input) {
   try {
     const encoded = encodeClaudeProjectDir(worktreeRoot);
     if (encoded) {
-      const projectsRoot = import_node_path22.default.join(import_node_os13.default.homedir(), ".claude", "projects");
-      const target = import_node_path22.default.resolve(projectsRoot, encoded);
-      if (target.startsWith(projectsRoot + import_node_path22.default.sep) && target !== projectsRoot) {
-        import_node_fs21.default.rmSync(target, { recursive: true, force: true });
+      const projectsRoot = import_node_path28.default.join(import_node_os13.default.homedir(), ".claude", "projects");
+      const target = import_node_path28.default.resolve(projectsRoot, encoded);
+      if (target.startsWith(projectsRoot + import_node_path28.default.sep) && target !== projectsRoot) {
+        import_node_fs26.default.rmSync(target, { recursive: true, force: true });
       }
     }
   } catch {
@@ -27475,7 +28658,7 @@ init_protocol();
 var version = "0.2.6".length > 0 ? "0.2.6" : "dev";
 
 // src/handlers/meta.ts
-function buildReadyFrame(deps) {
+function buildReadyFrame(deps, client) {
   const info = deps.manager.info();
   const tools = [];
   for (const id of listRegistered()) {
@@ -27487,6 +28670,14 @@ function buildReadyFrame(deps) {
     }
   }
   const tunnelUrl = deps.getTunnelUrl ? deps.getTunnelUrl() : null;
+  const fileSharing = {};
+  const httpBaseUrl = deps.getHttpBaseUrl ? deps.getHttpBaseUrl() : null;
+  if (httpBaseUrl) {
+    fileSharing.tokenRole = "owner";
+    fileSharing.isLoopback = isLoopbackAddr(client?.remoteAddress);
+    fileSharing.httpBaseUrl = httpBaseUrl;
+    if (deps.httpToken) fileSharing.httpToken = deps.httpToken;
+  }
   return {
     version,
     protocolVersion: PROTOCOL_VERSION,
@@ -27495,7 +28686,8 @@ function buildReadyFrame(deps) {
     tools,
     runningSessions: info.runningSessions,
     tunnelUrl,
-    mode: deps.mode
+    mode: deps.mode,
+    ...fileSharing
   };
 }
 function buildMetaHandlers(deps) {
@@ -27606,6 +28798,200 @@ function buildPersonaHandlers(deps) {
   };
 }
 
+// src/handlers/attachment.ts
+init_protocol();
+init_protocol();
+function buildAttachmentHandlers(deps) {
+  const outboxCreate = async (frame) => {
+    const parsed = AttachmentOutboxCreateArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const args = parsed.data;
+    if (args.personaId && args.sessionId || !args.personaId && !args.sessionId) {
+      throw new ClawdError(
+        ERROR_CODES.VALIDATION_ERROR,
+        "outboxCreate requires exactly one of personaId / sessionId"
+      );
+    }
+    const scopeRef = deps.getPersonaScopeForRequest(args);
+    if (!scopeRef) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, "invalid scope");
+    }
+    const name = args.absPath.split("/").pop() || args.absPath;
+    const entry = deps.outboxStore.mint({
+      scopeRef,
+      absPath: args.absPath,
+      name,
+      ttlSeconds: args.ttlSeconds,
+      oneShot: args.oneShot,
+      scope: args.scope
+    });
+    const httpBaseUrl = deps.getHttpBaseUrl();
+    const urlPath = scopeRef.kind === "persona" ? `/persona/${encodeURIComponent(scopeRef.personaId)}/outbox/${entry.capToken}` : `/outbox/${entry.capToken}`;
+    const url = httpBaseUrl ? `${httpBaseUrl}${urlPath}` : urlPath;
+    return {
+      response: {
+        type: "attachment.outboxCreate",
+        capToken: entry.capToken,
+        url,
+        expiresAt: entry.expiresAt
+      }
+    };
+  };
+  const outboxRevoke = async (frame) => {
+    const parsed = AttachmentOutboxRevokeArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const ok = deps.outboxStore.revoke(parsed.data.capToken);
+    if (!ok) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, `capToken not found / already revoked`);
+    }
+    return { response: { type: "attachment.outboxRevoke", revoked: true } };
+  };
+  const outboxList = async (frame) => {
+    const parsed = AttachmentOutboxListArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const entries = parsed.data.personaId ? deps.outboxStore.listByPersona(parsed.data.personaId) : deps.outboxStore.list();
+    return {
+      response: { type: "attachment.outboxList", entries }
+    };
+  };
+  const mountAdd = async (frame) => {
+    if (!deps.mountStore) {
+      throw new ClawdError(ERROR_CODES.METHOD_NOT_IMPLEMENTED, "mountStore not wired");
+    }
+    const parsed = AttachmentMountAddArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const args = parsed.data;
+    try {
+      const entry = deps.mountStore.add(args.personaId, {
+        absPath: args.absPath,
+        mode: args.mode
+      });
+      return {
+        response: {
+          type: "attachment.mountAdd",
+          entry,
+          sandboxRestartNeeded: true
+        }
+      };
+    } catch (err) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, err.message);
+    }
+  };
+  const mountRemove = async (frame) => {
+    if (!deps.mountStore) {
+      throw new ClawdError(ERROR_CODES.METHOD_NOT_IMPLEMENTED, "mountStore not wired");
+    }
+    const parsed = AttachmentMountRemoveArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const ok = deps.mountStore.remove(parsed.data.personaId, parsed.data.basename);
+    if (!ok) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, "mount not found");
+    }
+    return { response: { type: "attachment.mountRemove", removed: true } };
+  };
+  const mountList = async (frame) => {
+    if (!deps.mountStore) {
+      throw new ClawdError(ERROR_CODES.METHOD_NOT_IMPLEMENTED, "mountStore not wired");
+    }
+    const parsed = AttachmentMountListArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const entries = deps.mountStore.list(parsed.data.personaId);
+    return { response: { type: "attachment.mountList", entries } };
+  };
+  const groupAdd = async (frame) => {
+    if (!deps.groupFileStore || !deps.getSessionScope) {
+      throw new ClawdError(ERROR_CODES.METHOD_NOT_IMPLEMENTED, "groupFileStore not wired");
+    }
+    const parsed = AttachmentGroupAddArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const args = parsed.data;
+    const scope = deps.getSessionScope(args.sessionId);
+    if (!scope) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, `session ${args.sessionId} not found`);
+    }
+    const size = 0;
+    const entry = deps.groupFileStore.upsert(scope, args.sessionId, {
+      relPath: args.relPath,
+      from: "owner",
+      label: args.label,
+      size,
+      mime: lookupMime(args.relPath)
+    });
+    return { response: { type: "attachment.groupAdd", entry } };
+  };
+  const groupRemove = async (frame) => {
+    if (!deps.groupFileStore || !deps.getSessionScope) {
+      throw new ClawdError(ERROR_CODES.METHOD_NOT_IMPLEMENTED, "groupFileStore not wired");
+    }
+    const parsed = AttachmentGroupRemoveArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const scope = deps.getSessionScope(parsed.data.sessionId);
+    if (!scope) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, "session not found");
+    }
+    const entries = deps.groupFileStore.list(scope, parsed.data.sessionId);
+    const target = entries.find((e) => e.relPath === parsed.data.relPath);
+    if (target?.from === "owner") {
+      deps.groupFileStore.remove(scope, parsed.data.sessionId, parsed.data.relPath);
+    } else {
+      deps.groupFileStore.markStale(scope, parsed.data.sessionId, parsed.data.relPath);
+    }
+    return { response: { type: "attachment.groupRemove", removed: true } };
+  };
+  const groupList = async (frame) => {
+    if (!deps.groupFileStore || !deps.getSessionScope) {
+      throw new ClawdError(ERROR_CODES.METHOD_NOT_IMPLEMENTED, "groupFileStore not wired");
+    }
+    const parsed = AttachmentGroupListArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const scope = deps.getSessionScope(parsed.data.sessionId);
+    if (!scope) return { response: { type: "attachment.groupList", entries: [] } };
+    const entries = deps.groupFileStore.list(scope, parsed.data.sessionId);
+    return { response: { type: "attachment.groupList", entries } };
+  };
+  const groupListPersona = async (frame) => {
+    if (!deps.groupFileStore) {
+      throw new ClawdError(ERROR_CODES.METHOD_NOT_IMPLEMENTED, "groupFileStore not wired");
+    }
+    const parsed = AttachmentGroupListPersonaArgs.safeParse(frame);
+    if (!parsed.success) {
+      throw new ClawdError(ERROR_CODES.VALIDATION_ERROR, parsed.error.message);
+    }
+    const perSession = deps.groupFileStore.listByPersona(parsed.data.personaId);
+    return { response: { type: "attachment.groupListPersona", perSession } };
+  };
+  return {
+    "attachment.outboxCreate": outboxCreate,
+    "attachment.outboxRevoke": outboxRevoke,
+    "attachment.outboxList": outboxList,
+    "attachment.mountAdd": mountAdd,
+    "attachment.mountRemove": mountRemove,
+    "attachment.mountList": mountList,
+    "attachment.groupAdd": groupAdd,
+    "attachment.groupRemove": groupRemove,
+    "attachment.groupList": groupList,
+    "attachment.groupListPersona": groupListPersona
+  };
+}
+
 // src/handlers/index.ts
 function buildMethodHandlers(deps) {
   return {
@@ -27621,7 +29007,8 @@ function buildMethodHandlers(deps) {
       personaRegistry: deps.personaRegistry,
       sessionManager: deps.manager,
       personaBoundHandler: deps.personaBoundHandler
-    })
+    }),
+    ...deps.attachment ? buildAttachmentHandlers(deps.attachment) : {}
   };
 }
 
@@ -27629,7 +29016,7 @@ function buildMethodHandlers(deps) {
 async function startDaemon(config) {
   const logger = createLogger({
     level: config.logLevel,
-    file: import_node_path23.default.join(config.dataDir, "clawd.log")
+    file: import_node_path29.default.join(config.dataDir, "clawd.log")
   });
   logger.info("starting clawd", { version, config: { port: config.port, host: config.host, dataDir: config.dataDir } });
   const stateMgr = new StateFileManager({ dataDir: config.dataDir });
@@ -27661,7 +29048,7 @@ async function startDaemon(config) {
   const agents = new AgentsScanner();
   const history = new ClaudeHistoryReader();
   let transport = null;
-  const personaStore = new PersonaStore(import_node_path23.default.join(config.dataDir, "personas"));
+  const personaStore = new PersonaStore(import_node_path29.default.join(config.dataDir, "personas"));
   const defaultsRoot = findDefaultsRoot();
   if (defaultsRoot) {
     seedDefaultPersonas({ store: personaStore, defaultsRoot, logger });
@@ -27669,13 +29056,18 @@ async function startDaemon(config) {
     logger.warn("persona.seed.skip", { reason: "defaults-root-not-found" });
   }
   const ownerDisplayName = loadOwnerDisplayName(config.dataDir);
+  const groupFileStore = new GroupFileStore({ dataDir: config.dataDir, logger });
+  const outboxStore = new OutboxStore({ dataDir: config.dataDir, logger });
+  const mountStore = new MountStore({
+    personaDirPath: (pid) => personaStore.personaDirPath(pid)
+  });
   const manager = new SessionManager({
     store,
     logger,
     getAdapter,
     historyReader: history,
     dataDir: config.dataDir,
-    personaRoot: import_node_path23.default.join(config.dataDir, "personas"),
+    personaRoot: import_node_path29.default.join(config.dataDir, "personas"),
     personaStore,
     ownerDisplayName,
     mode: config.mode,
@@ -27692,6 +29084,38 @@ async function startDaemon(config) {
         return;
       }
       transport?.broadcastToSession(sid, frame);
+    },
+    // file-sharing (spec §6 PR 3)：runner 检测到成功 file-edit tool_result 时，
+    // 闭包 stat + mime 写入群清单。stat 失败不阻塞主流程（log warn + 跳过本条），
+    // 文件可能 agent 写完又被自己删（罕见），用 size=0 / fallback mime 兜底。
+    attachmentGroup: {
+      onFileEdit: (input) => {
+        const absPath = import_node_path29.default.isAbsolute(input.relPath) ? input.relPath : import_node_path29.default.join(input.cwd, input.relPath);
+        let size = 0;
+        try {
+          size = import_node_fs27.default.statSync(absPath).size;
+        } catch (err) {
+          logger.warn("attachment.onFileEdit stat failed", {
+            sessionId: input.sessionId,
+            absPath,
+            err: err.message
+          });
+        }
+        try {
+          groupFileStore.upsert(input.scope, input.sessionId, {
+            relPath: input.relPath,
+            from: "agent",
+            size,
+            mime: lookupMime(input.relPath)
+          });
+        } catch (err) {
+          logger.warn("attachment.onFileEdit upsert failed", {
+            sessionId: input.sessionId,
+            relPath: input.relPath,
+            err: err.message
+          });
+        }
+      }
     }
   });
   const observer = new SessionObserver({
@@ -27737,6 +29161,12 @@ async function startDaemon(config) {
     sessionManager: manager
   });
   let currentTunnelUrl = null;
+  const getHttpBaseUrl = () => {
+    if (currentTunnelUrl) {
+      return currentTunnelUrl.replace(/^wss:/i, "https:").replace(/^ws:/i, "http:");
+    }
+    return `http://${config.host}:${config.port}`;
+  };
   const personaBoundHandler = new PersonaBoundHandler({
     registry: personaRegistry,
     personaManager,
@@ -27762,22 +29192,73 @@ async function startDaemon(config) {
     getTunnelUrl: () => currentTunnelUrl,
     // ready / info 帧的 mode = daemon CC spawn 模式（'sdk' | 'tui'）。UI 据此挂 XtermPanel +
     // 订阅 session:pty / session:control；业务帧名两种 mode 完全一致，UI 业务订阅代码不变
-    mode: config.mode
+    mode: config.mode,
+    // file-sharing (spec §8)：ready / info 帧把 httpBaseUrl + httpToken 下发给 UI。
+    // PR 2 阶段 httpToken 复用 owner WS token；noAuth 模式下为 null（UI 看到无 httpToken
+    // 时禁用文件 GET/POST，保持 1.0 行为兼容）。
+    getHttpBaseUrl,
+    httpToken: resolvedAuthToken,
+    // file-sharing attachment.* RPC（spec §5 PR 6+）。getPersonaScopeForRequest 把 RPC
+    // args 里的 personaId/sessionId 翻译成 scopeRef 给 OutboxStore；mountAdd/groupAdd
+    // 后续 PR 复用同一份装配。
+    attachment: {
+      outboxStore,
+      mountStore,
+      groupFileStore,
+      personaDirPath: (pid) => personaStore.personaDirPath(pid),
+      getHttpBaseUrl,
+      getPersonaScopeForRequest: (args) => {
+        if (args.personaId) return { kind: "persona", personaId: args.personaId };
+        if (args.sessionId) return { kind: "session", sessionId: args.sessionId };
+        return null;
+      },
+      // group RPC：根据 sessionId 反查 scope；owner-mode persona session 走
+      // 'persona/<pid>/owner'，default 走 'default'。PR 9 UI Drawer 用。
+      getSessionScope: (sessionId) => {
+        const file = store.read(sessionId);
+        if (!file) return null;
+        if (file.ownerPersonaId) {
+          return { kind: "persona", personaId: file.ownerPersonaId, mode: "owner" };
+        }
+        return { kind: "default" };
+      }
+    }
+  });
+  const authResolver = new AuthContextResolver({
+    ownerToken: resolvedAuthToken,
+    personaRegistry
+  });
+  const httpRouter = createHttpRouter({
+    authResolver,
+    daemonVersion: version,
+    logger,
+    personaStore,
+    groupFileStore,
+    sessionStore: store,
+    outboxStore
   });
   wsServer = new LocalWsServer({
     host: config.host,
     port: config.port,
     logger,
-    readyFrameBuilder: () => buildReadyFrame({
-      manager,
-      getAdapter,
-      getTunnelUrl: () => currentTunnelUrl,
-      // ready 帧 mode = daemon CC spawn 模式（'sdk' | 'tui'）；UI 用它挂 XtermPanel
-      mode: config.mode
-    }),
+    readyFrameBuilder: (ctx) => buildReadyFrame(
+      {
+        manager,
+        getAdapter,
+        getTunnelUrl: () => currentTunnelUrl,
+        // ready 帧 mode = daemon CC spawn 模式（'sdk' | 'tui'）；UI 用它挂 XtermPanel
+        mode: config.mode,
+        // file-sharing 字段：httpBaseUrl 跟 tunnel 状态走；httpToken 复用 owner WS token
+        getHttpBaseUrl,
+        httpToken: resolvedAuthToken
+      },
+      ctx
+    ),
     protocolVersion: PROTOCOL_VERSION,
     authGate: authGate ?? void 0,
     personaBoundHandler,
+    // file-sharing HTTP 路由复用 daemon 同端口（spec §5 第 3 条）；router 自己处理 auth + 404
+    httpRequestHandler: httpRouter,
     // 订阅成功后给该 client 重放 in-flight pendingQuestions（plan: clawd-question-server-truth）。
     // daemon 是 pendingQuestions 的唯一 source of truth；新 client 接入 / 刷新页面时
     // 把当前所有未决 question 以 session:question 帧定向回放，让 UI 不再误显示 Ended。
@@ -27893,8 +29374,8 @@ async function startDaemon(config) {
       const lines = [
         `Tunnel:      ${r.url}`,
         ...resolvedAuthToken ? [`Connect:     ${connectUrl}`] : [],
-        `Frpc config: ${import_node_path23.default.join(config.dataDir, "frpc.toml")}`,
-        `Frpc log:    ${import_node_path23.default.join(config.dataDir, "frpc.log")}`
+        `Frpc config: ${import_node_path29.default.join(config.dataDir, "frpc.toml")}`,
+        `Frpc log:    ${import_node_path29.default.join(config.dataDir, "frpc.log")}`
       ];
       const width = Math.max(...lines.map((l) => l.length));
       const bar = "\u2550".repeat(width + 4);
@@ -27907,8 +29388,8 @@ ${bar}
 
 `);
       try {
-        const connectPath = import_node_path23.default.join(config.dataDir, "connect.txt");
-        import_node_fs22.default.writeFileSync(connectPath, lines.join("\n") + "\n", { mode: 384 });
+        const connectPath = import_node_path29.default.join(config.dataDir, "connect.txt");
+        import_node_fs27.default.writeFileSync(connectPath, lines.join("\n") + "\n", { mode: 384 });
       } catch {
       }
     } catch (err) {