npm - @clawos-dev/clawd - Versions diffs - 0.2.70 → 0.2.71-beta.124.b09b0a0 - Mend

@clawos-dev/clawd 0.2.70 → 0.2.71-beta.124.b09b0a0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/cli.cjs +993 -280
package/package.json +1 -1

package/dist/cli.cjs CHANGED Viewed

@@ -114,6 +114,13 @@ var init_methods = __esm({
       "attachment.groupList",
       // v2：跨 session 聚合（本期 UI 不调，保留槽位用于 HTTP ACL 内部判定 / 未来 "All files" tab）
       "attachment.groupListPersona",
+      // ---- capability:* (capability platform 鉴权底座) ----
+      // owner 颁发 / 列出 / 撤销给 guest 的 capability。三者均需 admin 权限（METHOD_GRANT_MAP
+      // 在 daemon 端固定为 `{ resource: '*', action: 'admin' }`，owner 自动满足）。
+      // 颁发后 daemon 推 'capability:tokenIssued' 帧；撤销推 'capability:revoked' 帧。
+      "capability:issue",
+      "capability:list",
+      "capability:revoke",
       "info",
       "ping"
     ];
@@ -605,8 +612,8 @@ var init_parseUtil = __esm({
     init_errors2();
     init_en();
     makeIssue = (params) => {
-      const { data, path: path32, errorMaps, issueData } = params;
-      const fullPath = [...path32, ...issueData.path || []];
+      const { data, path: path35, errorMaps, issueData } = params;
+      const fullPath = [...path35, ...issueData.path || []];
       const fullIssue = {
         ...issueData,
         path: fullPath
@@ -917,11 +924,11 @@ var init_types = __esm({
     init_parseUtil();
     init_util();
     ParseInputLazyPath = class {
-      constructor(parent, value, path32, key) {
+      constructor(parent, value, path35, key) {
         this._cachedPath = [];
         this.parent = parent;
         this.data = value;
-        this._path = path32;
+        this._path = path35;
         this._key = key;
       }
       get path() {
@@ -4331,11 +4338,9 @@ var init_attachment_schemas = __esm({
       stale: external_exports.boolean().optional()
     });
     AttachmentSignUrlArgs = external_exports.object({
-      /** 群文件所属的 session */
-      sessionId: external_exports.string().min(1),
-      /** 相对 session.cwd 的路径；允许传绝对路径，daemon 端会归一化（必须在 cwd 内） */
-      relPath: external_exports.string().min(1),
-      /** TTL 秒数；缺省 24h；null 走永久 URL（不带 exp 字段） */
+      /** 要分享的绝对路径；签名只关心 absPath，不区分 persona/session */
+      absPath: external_exports.string().min(1),
+      /** TTL 秒数；缺省 24h；'never' 走 null 不带 exp 字段（永久有效） */
       ttlSeconds: external_exports.number().int().positive().nullable().optional()
     });
     AttachmentSignUrlResponseSchema = external_exports.object({
@@ -4470,7 +4475,7 @@ var init_persona_schemas = __esm({
 });
 // ../protocol/src/schemas.ts
-var SessionStatusSchema, UsageSchema, ContextUsageSchema, sessionMetaShape, SessionMetaSchema, ModelInfoSchema, ModeInfoSchema, ConfigFieldSchemaSchema, CapabilitiesGetArgs, CapabilitiesResponseSchema, AllowRuleSchema, SessionFileSchema, ParsedEventBase, HistoryUserMetaSchema, SubagentToolStatsSchema, StructuredPatchHunkSchema, ToolResultExtraSchema, MemoryEntrySchema, AskQuestionOptionSchema, AskQuestionItemSchema, ParsedEventSchema, SessionCreateArgs, SessionIdArgs, SessionUpdateArgs, SessionSendArgs, SessionRewindArgs, SessionRewindResponseSchema, SessionRewindDiffArgs, RewindDiffHunkSchema, RewindDiffFileSchema, SessionRewindDiffResponseSchema, SessionRewindableMessageIdsArgs, SessionRewindableMessageIdsResponseSchema, SessionResumeArgs, SessionForkArgs, SessionForkResponseSchema, SessionObserveArgs, SessionEventsArgs, PermissionRespondArgs, HistoryListArgs, HistoryReadArgs, HistorySubagentsArgs, HistorySubagentReadArgs, WorkspaceListArgs, WorkspaceReadArgs, SkillsListArgs, SkillEntrySchema, AgentEntrySchema, AgentsListArgs, AgentsListResponseSchema, SessionSubscribeArgs, SessionPinArgs, SessionReorderPinsArgs, GitRootArgs, GitRootResponseSchema, GitBranchArgs, GitBranchResponseSchema, GitBranchesArgs, GitBranchesResponseSchema, HistoryRecentDirsArgs, RecentDirEntrySchema, HistoryRecentDirsResponseSchema, SessionQuestionFrameSchema, SessionQuestionClearedFrameSchema, AnswerQuestionArgs, AnswerQuestionResponseSchema, CancelQuestionArgs, CancelQuestionResponseSchema, AuthRequestFrameSchema, AuthOkFrameSchema, TunnelExitedEventSchema, TunnelUnavailableEventSchema, InfoRunningSessionSchema, InfoResponseSchema;
+var SessionStatusSchema, UsageSchema, ContextUsageSchema, sessionMetaShape, SessionMetaSchema, ModelInfoSchema, ModeInfoSchema, ConfigFieldSchemaSchema, CapabilitiesGetArgs, CapabilitiesResponseSchema, AllowRuleSchema, SessionFileSchema, ParsedEventBase, HistoryUserMetaSchema, SubagentToolStatsSchema, StructuredPatchHunkSchema, ToolResultExtraSchema, MemoryEntrySchema, AskQuestionOptionSchema, AskQuestionItemSchema, ParsedEventSchema, SessionCreateArgs, SessionIdArgs, SessionUpdateArgs, SessionSendArgs, SessionRewindArgs, SessionRewindResponseSchema, SessionRewindDiffArgs, RewindDiffHunkSchema, RewindDiffFileSchema, SessionRewindDiffResponseSchema, SessionRewindableMessageIdsArgs, SessionRewindableMessageIdsResponseSchema, SessionResumeArgs, SessionForkArgs, SessionForkResponseSchema, SessionObserveArgs, SessionEventsArgs, PermissionRespondArgs, HistoryListArgs, HistoryReadArgs, HistorySubagentsArgs, HistorySubagentReadArgs, WorkspaceListArgs, WorkspaceReadArgs, SkillsListArgs, SkillEntrySchema, AgentEntrySchema, AgentsListArgs, AgentsListResponseSchema, SessionSubscribeArgs, SessionPinArgs, SessionReorderPinsArgs, GitRootArgs, GitRootResponseSchema, GitBranchArgs, GitBranchResponseSchema, GitBranchesArgs, GitBranchesResponseSchema, HistoryRecentDirsArgs, RecentDirEntrySchema, HistoryRecentDirsResponseSchema, SessionQuestionFrameSchema, SessionQuestionClearedFrameSchema, AnswerQuestionArgs, AnswerQuestionResponseSchema, CancelQuestionArgs, CancelQuestionResponseSchema, AuthRequestFrameSchema, AuthOkFrameSchema, TunnelExitedEventSchema, InfoRunningSessionSchema, InfoResponseSchema;
 var init_schemas = __esm({
   "../protocol/src/schemas.ts"() {
     "use strict";
@@ -4994,11 +4999,6 @@ var init_schemas = __esm({
       subdomain: external_exports.string().nullable(),
       url: external_exports.string().nullable()
     });
-    TunnelUnavailableEventSchema = external_exports.object({
-      type: external_exports.literal("tunnel:unavailable"),
-      reason: external_exports.string().min(1),
-      failedAt: external_exports.string().min(1)
-    });
     InfoRunningSessionSchema = external_exports.object({
       sessionId: external_exports.string().min(1),
       status: SessionStatusSchema,
@@ -5049,6 +5049,69 @@ var init_persona_mode = __esm({
   }
 });
+// ../protocol/src/principal.ts
+var PrincipalKindSchema, PrincipalSchema, OWNER_PRINCIPAL;
+var init_principal = __esm({
+  "../protocol/src/principal.ts"() {
+    "use strict";
+    init_zod();
+    PrincipalKindSchema = external_exports.enum(["owner", "guest"]);
+    PrincipalSchema = external_exports.object({
+      id: external_exports.string().min(1),
+      kind: PrincipalKindSchema,
+      displayName: external_exports.string()
+    }).strict();
+    OWNER_PRINCIPAL = {
+      id: "owner",
+      kind: "owner",
+      displayName: "owner"
+    };
+  }
+});
+// ../protocol/src/capability.ts
+function stripSecretHash(cap) {
+  const { secretHash: _hash, ...wire } = cap;
+  return wire;
+}
+var ResourceSchema, ActionSchema, GrantSchema, CapabilitySchema, CapabilityWireSchema, CapabilityErrorCodeSchema;
+var init_capability = __esm({
+  "../protocol/src/capability.ts"() {
+    "use strict";
+    init_zod();
+    ResourceSchema = external_exports.discriminatedUnion("type", [
+      external_exports.object({ type: external_exports.literal("persona"), id: external_exports.string().min(1) }).strict(),
+      external_exports.object({ type: external_exports.literal("chat"), id: external_exports.string().min(1) }).strict(),
+      external_exports.object({ type: external_exports.literal("*") }).strict()
+    ]);
+    ActionSchema = external_exports.enum(["read", "send", "admin"]);
+    GrantSchema = external_exports.object({
+      resource: ResourceSchema,
+      actions: external_exports.array(ActionSchema).min(1)
+    }).strict();
+    CapabilitySchema = external_exports.object({
+      id: external_exports.string().min(1),
+      // sha256(token) hex 64
+      secretHash: external_exports.string().regex(/^[a-f0-9]{64}$/),
+      displayName: external_exports.string(),
+      // 空数组合法 = 纯访客（只能 DM）
+      grants: external_exports.array(GrantSchema),
+      issuedAt: external_exports.number().int().nonnegative(),
+      expiresAt: external_exports.number().int().positive().optional(),
+      maxUses: external_exports.number().int().positive().optional(),
+      usedCount: external_exports.number().int().nonnegative(),
+      revokedAt: external_exports.number().int().positive().optional()
+    }).strict();
+    CapabilityWireSchema = CapabilitySchema.omit({ secretHash: true });
+    CapabilityErrorCodeSchema = external_exports.enum([
+      "TOKEN_INVALID",
+      "TOKEN_REVOKED",
+      "TOKEN_EXPIRED",
+      "TOKEN_EXHAUSTED"
+    ]);
+  }
+});
 // ../protocol/src/runtime.ts
 var init_runtime = __esm({
   "../protocol/src/runtime.ts"() {
@@ -5061,6 +5124,8 @@ var init_runtime = __esm({
     init_persona_schemas();
     init_persona_mode();
     init_attachment_schemas();
+    init_principal();
+    init_capability();
   }
 });
@@ -5335,8 +5400,8 @@ var require_req = __commonJS({
       if (req.originalUrl) {
         _req.url = req.originalUrl;
       } else {
-        const path32 = req.path;
-        _req.url = typeof path32 === "string" ? path32 : req.url ? req.url.path || req.url : void 0;
+        const path35 = req.path;
+        _req.url = typeof path35 === "string" ? path35 : req.url ? req.url.path || req.url : void 0;
       }
       if (req.query) {
         _req.query = req.query;
@@ -5501,14 +5566,14 @@ var require_redact = __commonJS({
       }
       return obj;
     }
-    function parsePath(path32) {
+    function parsePath(path35) {
       const parts = [];
       let current = "";
       let inBrackets = false;
       let inQuotes = false;
       let quoteChar = "";
-      for (let i = 0; i < path32.length; i++) {
-        const char = path32[i];
+      for (let i = 0; i < path35.length; i++) {
+        const char = path35[i];
         if (!inBrackets && char === ".") {
           if (current) {
             parts.push(current);
@@ -5639,10 +5704,10 @@ var require_redact = __commonJS({
       return current;
     }
     function redactPaths(obj, paths, censor, remove = false) {
-      for (const path32 of paths) {
-        const parts = parsePath(path32);
+      for (const path35 of paths) {
+        const parts = parsePath(path35);
         if (parts.includes("*")) {
-          redactWildcardPath(obj, parts, censor, path32, remove);
+          redactWildcardPath(obj, parts, censor, path35, remove);
         } else {
           if (remove) {
             removeKey(obj, parts);
@@ -5727,8 +5792,8 @@ var require_redact = __commonJS({
           }
         } else {
           if (afterWildcard.includes("*")) {
-            const wrappedCensor = typeof censor === "function" ? (value, path32) => {
-              const fullPath = [...pathArray.slice(0, pathLength), ...path32];
+            const wrappedCensor = typeof censor === "function" ? (value, path35) => {
+              const fullPath = [...pathArray.slice(0, pathLength), ...path35];
               return censor(value, fullPath);
             } : censor;
             redactWildcardPath(current, afterWildcard, wrappedCensor, originalPath, remove);
@@ -5763,8 +5828,8 @@ var require_redact = __commonJS({
         return null;
       }
       const pathStructure = /* @__PURE__ */ new Map();
-      for (const path32 of pathsToClone) {
-        const parts = parsePath(path32);
+      for (const path35 of pathsToClone) {
+        const parts = parsePath(path35);
         let current = pathStructure;
         for (let i = 0; i < parts.length; i++) {
           const part = parts[i];
@@ -5816,24 +5881,24 @@ var require_redact = __commonJS({
       }
       return cloneSelectively(obj, pathStructure);
     }
-    function validatePath(path32) {
-      if (typeof path32 !== "string") {
+    function validatePath(path35) {
+      if (typeof path35 !== "string") {
         throw new Error("Paths must be (non-empty) strings");
       }
-      if (path32 === "") {
+      if (path35 === "") {
         throw new Error("Invalid redaction path ()");
       }
-      if (path32.includes("..")) {
-        throw new Error(`Invalid redaction path (${path32})`);
+      if (path35.includes("..")) {
+        throw new Error(`Invalid redaction path (${path35})`);
       }
-      if (path32.includes(",")) {
-        throw new Error(`Invalid redaction path (${path32})`);
+      if (path35.includes(",")) {
+        throw new Error(`Invalid redaction path (${path35})`);
       }
       let bracketCount = 0;
       let inQuotes = false;
       let quoteChar = "";
-      for (let i = 0; i < path32.length; i++) {
-        const char = path32[i];
+      for (let i = 0; i < path35.length; i++) {
+        const char = path35[i];
         if ((char === '"' || char === "'") && bracketCount > 0) {
           if (!inQuotes) {
             inQuotes = true;
@@ -5847,20 +5912,20 @@ var require_redact = __commonJS({
         } else if (char === "]" && !inQuotes) {
           bracketCount--;
           if (bracketCount < 0) {
-            throw new Error(`Invalid redaction path (${path32})`);
+            throw new Error(`Invalid redaction path (${path35})`);
           }
         }
       }
       if (bracketCount !== 0) {
-        throw new Error(`Invalid redaction path (${path32})`);
+        throw new Error(`Invalid redaction path (${path35})`);
       }
     }
     function validatePaths(paths) {
       if (!Array.isArray(paths)) {
         throw new TypeError("paths must be an array");
       }
-      for (const path32 of paths) {
-        validatePath(path32);
+      for (const path35 of paths) {
+        validatePath(path35);
       }
     }
     function slowRedact(options = {}) {
@@ -6028,8 +6093,8 @@ var require_redaction = __commonJS({
         if (shape[k2] === null) {
           o[k2] = (value) => topCensor(value, [k2]);
         } else {
-          const wrappedCensor = typeof censor === "function" ? (value, path32) => {
-            return censor(value, [k2, ...path32]);
+          const wrappedCensor = typeof censor === "function" ? (value, path35) => {
+            return censor(value, [k2, ...path35]);
           } : censor;
           o[k2] = Redact({
             paths: shape[k2],
@@ -6247,10 +6312,10 @@ var require_atomic_sleep = __commonJS({
 var require_sonic_boom = __commonJS({
   "../node_modules/.pnpm/sonic-boom@4.2.1/node_modules/sonic-boom/index.js"(exports2, module2) {
     "use strict";
-    var fs28 = require("fs");
+    var fs31 = require("fs");
     var EventEmitter2 = require("events");
     var inherits = require("util").inherits;
-    var path32 = require("path");
+    var path35 = require("path");
     var sleep = require_atomic_sleep();
     var assert = require("assert");
     var BUSY_WRITE_TIMEOUT = 100;
@@ -6304,20 +6369,20 @@ var require_sonic_boom = __commonJS({
       const mode = sonic.mode;
       if (sonic.sync) {
         try {
-          if (sonic.mkdir) fs28.mkdirSync(path32.dirname(file), { recursive: true });
-          const fd = fs28.openSync(file, flags, mode);
+          if (sonic.mkdir) fs31.mkdirSync(path35.dirname(file), { recursive: true });
+          const fd = fs31.openSync(file, flags, mode);
           fileOpened(null, fd);
         } catch (err) {
           fileOpened(err);
           throw err;
         }
       } else if (sonic.mkdir) {
-        fs28.mkdir(path32.dirname(file), { recursive: true }, (err) => {
+        fs31.mkdir(path35.dirname(file), { recursive: true }, (err) => {
           if (err) return fileOpened(err);
-          fs28.open(file, flags, mode, fileOpened);
+          fs31.open(file, flags, mode, fileOpened);
         });
       } else {
-        fs28.open(file, flags, mode, fileOpened);
+        fs31.open(file, flags, mode, fileOpened);
       }
     }
     function SonicBoom(opts) {
@@ -6358,8 +6423,8 @@ var require_sonic_boom = __commonJS({
         this.flush = flushBuffer;
         this.flushSync = flushBufferSync;
         this._actualWrite = actualWriteBuffer;
-        fsWriteSync = () => fs28.writeSync(this.fd, this._writingBuf);
-        fsWrite = () => fs28.write(this.fd, this._writingBuf, this.release);
+        fsWriteSync = () => fs31.writeSync(this.fd, this._writingBuf);
+        fsWrite = () => fs31.write(this.fd, this._writingBuf, this.release);
       } else if (contentMode === void 0 || contentMode === kContentModeUtf8) {
         this._writingBuf = "";
         this.write = write;
@@ -6368,15 +6433,15 @@ var require_sonic_boom = __commonJS({
         this._actualWrite = actualWrite;
         fsWriteSync = () => {
           if (Buffer.isBuffer(this._writingBuf)) {
-            return fs28.writeSync(this.fd, this._writingBuf);
+            return fs31.writeSync(this.fd, this._writingBuf);
           }
-          return fs28.writeSync(this.fd, this._writingBuf, "utf8");
+          return fs31.writeSync(this.fd, this._writingBuf, "utf8");
         };
         fsWrite = () => {
           if (Buffer.isBuffer(this._writingBuf)) {
-            return fs28.write(this.fd, this._writingBuf, this.release);
+            return fs31.write(this.fd, this._writingBuf, this.release);
           }
-          return fs28.write(this.fd, this._writingBuf, "utf8", this.release);
+          return fs31.write(this.fd, this._writingBuf, "utf8", this.release);
         };
       } else {
         throw new Error(`SonicBoom supports "${kContentModeUtf8}" and "${kContentModeBuffer}", but passed ${contentMode}`);
@@ -6433,7 +6498,7 @@ var require_sonic_boom = __commonJS({
           }
         }
         if (this._fsync) {
-          fs28.fsyncSync(this.fd);
+          fs31.fsyncSync(this.fd);
         }
         const len = this._len;
         if (this._reopening) {
@@ -6547,7 +6612,7 @@ var require_sonic_boom = __commonJS({
       const onDrain = () => {
         if (!this._fsync) {
           try {
-            fs28.fsync(this.fd, (err) => {
+            fs31.fsync(this.fd, (err) => {
               this._flushPending = false;
               cb(err);
             });
@@ -6649,7 +6714,7 @@ var require_sonic_boom = __commonJS({
       const fd = this.fd;
       this.once("ready", () => {
         if (fd !== this.fd) {
-          fs28.close(fd, (err) => {
+          fs31.close(fd, (err) => {
             if (err) {
               return this.emit("error", err);
             }
@@ -6698,7 +6763,7 @@ var require_sonic_boom = __commonJS({
           buf = this._bufs[0];
         }
         try {
-          const n = Buffer.isBuffer(buf) ? fs28.writeSync(this.fd, buf) : fs28.writeSync(this.fd, buf, "utf8");
+          const n = Buffer.isBuffer(buf) ? fs31.writeSync(this.fd, buf) : fs31.writeSync(this.fd, buf, "utf8");
           const releasedBufObj = releaseWritingBuf(buf, this._len, n);
           buf = releasedBufObj.writingBuf;
           this._len = releasedBufObj.len;
@@ -6714,7 +6779,7 @@ var require_sonic_boom = __commonJS({
         }
       }
       try {
-        fs28.fsyncSync(this.fd);
+        fs31.fsyncSync(this.fd);
       } catch {
       }
     }
@@ -6735,7 +6800,7 @@ var require_sonic_boom = __commonJS({
           buf = mergeBuf(this._bufs[0], this._lens[0]);
         }
         try {
-          const n = fs28.writeSync(this.fd, buf);
+          const n = fs31.writeSync(this.fd, buf);
           buf = buf.subarray(n);
           this._len = Math.max(this._len - n, 0);
           if (buf.length <= 0) {
@@ -6763,13 +6828,13 @@ var require_sonic_boom = __commonJS({
       this._writingBuf = this._writingBuf.length ? this._writingBuf : this._bufs.shift() || "";
       if (this.sync) {
         try {
-          const written = Buffer.isBuffer(this._writingBuf) ? fs28.writeSync(this.fd, this._writingBuf) : fs28.writeSync(this.fd, this._writingBuf, "utf8");
+          const written = Buffer.isBuffer(this._writingBuf) ? fs31.writeSync(this.fd, this._writingBuf) : fs31.writeSync(this.fd, this._writingBuf, "utf8");
           release(null, written);
         } catch (err) {
           release(err);
         }
       } else {
-        fs28.write(this.fd, this._writingBuf, release);
+        fs31.write(this.fd, this._writingBuf, release);
       }
     }
     function actualWriteBuffer() {
@@ -6778,7 +6843,7 @@ var require_sonic_boom = __commonJS({
       this._writingBuf = this._writingBuf.length ? this._writingBuf : mergeBuf(this._bufs.shift(), this._lens.shift());
       if (this.sync) {
         try {
-          const written = fs28.writeSync(this.fd, this._writingBuf);
+          const written = fs31.writeSync(this.fd, this._writingBuf);
           release(null, written);
         } catch (err) {
           release(err);
@@ -6787,7 +6852,7 @@ var require_sonic_boom = __commonJS({
         if (kCopyBuffer) {
           this._writingBuf = Buffer.from(this._writingBuf);
         }
-        fs28.write(this.fd, this._writingBuf, release);
+        fs31.write(this.fd, this._writingBuf, release);
       }
     }
     function actualClose(sonic) {
@@ -6803,12 +6868,12 @@ var require_sonic_boom = __commonJS({
       sonic._lens = [];
       assert(typeof sonic.fd === "number", `sonic.fd must be a number, got ${typeof sonic.fd}`);
       try {
-        fs28.fsync(sonic.fd, closeWrapped);
+        fs31.fsync(sonic.fd, closeWrapped);
       } catch {
       }
       function closeWrapped() {
         if (sonic.fd !== 1 && sonic.fd !== 2) {
-          fs28.close(sonic.fd, done);
+          fs31.close(sonic.fd, done);
         } else {
           done();
         }
@@ -7065,7 +7130,7 @@ var require_thread_stream = __commonJS({
     var { version: version2 } = require_package();
     var { EventEmitter: EventEmitter2 } = require("events");
     var { Worker } = require("worker_threads");
-    var { join: join4 } = require("path");
+    var { join: join8 } = require("path");
     var { pathToFileURL } = require("url");
     var { wait } = require_wait();
     var {
@@ -7101,7 +7166,7 @@ var require_thread_stream = __commonJS({
     function createWorker(stream, opts) {
       const { filename, workerData } = opts;
       const bundlerOverrides = "__bundlerPathsOverrides" in globalThis ? globalThis.__bundlerPathsOverrides : {};
-      const toExecute = bundlerOverrides["thread-stream-worker"] || join4(__dirname, "lib", "worker.js");
+      const toExecute = bundlerOverrides["thread-stream-worker"] || join8(__dirname, "lib", "worker.js");
       const worker = new Worker(toExecute, {
         ...opts.workerOpts,
         trackUnmanagedFds: false,
@@ -7487,7 +7552,7 @@ var require_transport = __commonJS({
     "use strict";
     var { createRequire } = require("module");
     var getCallers = require_caller();
-    var { join: join4, isAbsolute, sep } = require("path");
+    var { join: join8, isAbsolute, sep: sep2 } = require("path");
     var sleep = require_atomic_sleep();
     var onExit = require_on_exit_leak_free();
     var ThreadStream = require_thread_stream();
@@ -7550,7 +7615,7 @@ var require_transport = __commonJS({
         throw new Error("only one of target or targets can be specified");
       }
       if (targets) {
-        target = bundlerOverrides["pino-worker"] || join4(__dirname, "worker.js");
+        target = bundlerOverrides["pino-worker"] || join8(__dirname, "worker.js");
         options.targets = targets.filter((dest) => dest.target).map((dest) => {
           return {
             ...dest,
@@ -7568,7 +7633,7 @@ var require_transport = __commonJS({
           });
         });
       } else if (pipeline2) {
-        target = bundlerOverrides["pino-worker"] || join4(__dirname, "worker.js");
+        target = bundlerOverrides["pino-worker"] || join8(__dirname, "worker.js");
         options.pipelines = [pipeline2.map((dest) => {
           return {
             ...dest,
@@ -7590,12 +7655,12 @@ var require_transport = __commonJS({
           return origin;
         }
         if (origin === "pino/file") {
-          return join4(__dirname, "..", "file.js");
+          return join8(__dirname, "..", "file.js");
         }
         let fixTarget2;
         for (const filePath of callers) {
           try {
-            const context = filePath === "node:repl" ? process.cwd() + sep : filePath;
+            const context = filePath === "node:repl" ? process.cwd() + sep2 : filePath;
             fixTarget2 = createRequire(context).resolve(origin);
             break;
           } catch (err) {
@@ -8580,7 +8645,7 @@ var require_safe_stable_stringify = __commonJS({
               return circularValue;
             }
             let res = "";
-            let join4 = ",";
+            let join8 = ",";
             const originalIndentation = indentation;
             if (Array.isArray(value)) {
               if (value.length === 0) {
@@ -8594,7 +8659,7 @@ var require_safe_stable_stringify = __commonJS({
                 indentation += spacer;
                 res += `
 ${indentation}`;
-                join4 = `,
+                join8 = `,
 ${indentation}`;
               }
               const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -8602,13 +8667,13 @@ ${indentation}`;
               for (; i < maximumValuesToStringify - 1; i++) {
                 const tmp2 = stringifyFnReplacer(String(i), value, stack, replacer, spacer, indentation);
                 res += tmp2 !== void 0 ? tmp2 : "null";
-                res += join4;
+                res += join8;
               }
               const tmp = stringifyFnReplacer(String(i), value, stack, replacer, spacer, indentation);
               res += tmp !== void 0 ? tmp : "null";
               if (value.length - 1 > maximumBreadth) {
                 const removedKeys = value.length - maximumBreadth - 1;
-                res += `${join4}"... ${getItemCount(removedKeys)} not stringified"`;
+                res += `${join8}"... ${getItemCount(removedKeys)} not stringified"`;
               }
               if (spacer !== "") {
                 res += `
@@ -8629,7 +8694,7 @@ ${originalIndentation}`;
             let separator = "";
             if (spacer !== "") {
               indentation += spacer;
-              join4 = `,
+              join8 = `,
 ${indentation}`;
               whitespace = " ";
             }
@@ -8643,13 +8708,13 @@ ${indentation}`;
               const tmp = stringifyFnReplacer(key2, value, stack, replacer, spacer, indentation);
               if (tmp !== void 0) {
                 res += `${separator}${strEscape(key2)}:${whitespace}${tmp}`;
-                separator = join4;
+                separator = join8;
               }
             }
             if (keyLength > maximumBreadth) {
               const removedKeys = keyLength - maximumBreadth;
               res += `${separator}"...":${whitespace}"${getItemCount(removedKeys)} not stringified"`;
-              separator = join4;
+              separator = join8;
             }
             if (spacer !== "" && separator.length > 1) {
               res = `
@@ -8690,7 +8755,7 @@ ${originalIndentation}`;
             }
             const originalIndentation = indentation;
             let res = "";
-            let join4 = ",";
+            let join8 = ",";
             if (Array.isArray(value)) {
               if (value.length === 0) {
                 return "[]";
@@ -8703,7 +8768,7 @@ ${originalIndentation}`;
                 indentation += spacer;
                 res += `
 ${indentation}`;
-                join4 = `,
+                join8 = `,
 ${indentation}`;
               }
               const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
@@ -8711,13 +8776,13 @@ ${indentation}`;
               for (; i < maximumValuesToStringify - 1; i++) {
                 const tmp2 = stringifyArrayReplacer(String(i), value[i], stack, replacer, spacer, indentation);
                 res += tmp2 !== void 0 ? tmp2 : "null";
-                res += join4;
+                res += join8;
               }
               const tmp = stringifyArrayReplacer(String(i), value[i], stack, replacer, spacer, indentation);
               res += tmp !== void 0 ? tmp : "null";
               if (value.length - 1 > maximumBreadth) {
                 const removedKeys = value.length - maximumBreadth - 1;
-                res += `${join4}"... ${getItemCount(removedKeys)} not stringified"`;
+                res += `${join8}"... ${getItemCount(removedKeys)} not stringified"`;
               }
               if (spacer !== "") {
                 res += `
@@ -8730,7 +8795,7 @@ ${originalIndentation}`;
             let whitespace = "";
             if (spacer !== "") {
               indentation += spacer;
-              join4 = `,
+              join8 = `,
 ${indentation}`;
               whitespace = " ";
             }
@@ -8739,7 +8804,7 @@ ${indentation}`;
               const tmp = stringifyArrayReplacer(key2, value[key2], stack, replacer, spacer, indentation);
               if (tmp !== void 0) {
                 res += `${separator}${strEscape(key2)}:${whitespace}${tmp}`;
-                separator = join4;
+                separator = join8;
               }
             }
             if (spacer !== "" && separator.length > 1) {
@@ -8797,20 +8862,20 @@ ${originalIndentation}`;
               indentation += spacer;
               let res2 = `
 ${indentation}`;
-              const join5 = `,
+              const join9 = `,
 ${indentation}`;
               const maximumValuesToStringify = Math.min(value.length, maximumBreadth);
               let i = 0;
               for (; i < maximumValuesToStringify - 1; i++) {
                 const tmp2 = stringifyIndent(String(i), value[i], stack, spacer, indentation);
                 res2 += tmp2 !== void 0 ? tmp2 : "null";
-                res2 += join5;
+                res2 += join9;
               }
               const tmp = stringifyIndent(String(i), value[i], stack, spacer, indentation);
               res2 += tmp !== void 0 ? tmp : "null";
               if (value.length - 1 > maximumBreadth) {
                 const removedKeys = value.length - maximumBreadth - 1;
-                res2 += `${join5}"... ${getItemCount(removedKeys)} not stringified"`;
+                res2 += `${join9}"... ${getItemCount(removedKeys)} not stringified"`;
               }
               res2 += `
 ${originalIndentation}`;
@@ -8826,16 +8891,16 @@ ${originalIndentation}`;
               return '"[Object]"';
             }
             indentation += spacer;
-            const join4 = `,
+            const join8 = `,
 ${indentation}`;
             let res = "";
             let separator = "";
             let maximumPropertiesToStringify = Math.min(keyLength, maximumBreadth);
             if (isTypedArrayWithEntries(value)) {
-              res += stringifyTypedArray(value, join4, maximumBreadth);
+              res += stringifyTypedArray(value, join8, maximumBreadth);
               keys = keys.slice(value.length);
               maximumPropertiesToStringify -= value.length;
-              separator = join4;
+              separator = join8;
             }
             if (deterministic) {
               keys = sort(keys, comparator);
@@ -8846,13 +8911,13 @@ ${indentation}`;
               const tmp = stringifyIndent(key2, value[key2], stack, spacer, indentation);
               if (tmp !== void 0) {
                 res += `${separator}${strEscape(key2)}: ${tmp}`;
-                separator = join4;
+                separator = join8;
               }
             }
             if (keyLength > maximumBreadth) {
               const removedKeys = keyLength - maximumBreadth;
               res += `${separator}"...": "${getItemCount(removedKeys)} not stringified"`;
-              separator = join4;
+              separator = join8;
             }
             if (separator !== "") {
               res = `
@@ -9943,11 +10008,11 @@ var init_lib = __esm({
           }
         }
       },
-      addToPath: function addToPath(path32, added, removed, oldPosInc, options) {
-        var last = path32.lastComponent;
+      addToPath: function addToPath(path35, added, removed, oldPosInc, options) {
+        var last = path35.lastComponent;
         if (last && !options.oneChangePerToken && last.added === added && last.removed === removed) {
           return {
-            oldPos: path32.oldPos + oldPosInc,
+            oldPos: path35.oldPos + oldPosInc,
             lastComponent: {
               count: last.count + 1,
               added,
@@ -9957,7 +10022,7 @@ var init_lib = __esm({
           };
         } else {
           return {
-            oldPos: path32.oldPos + oldPosInc,
+            oldPos: path35.oldPos + oldPosInc,
             lastComponent: {
               count: 1,
               added,
@@ -10015,7 +10080,7 @@ var init_lib = __esm({
       tokenize: function tokenize(value) {
         return Array.from(value);
       },
-      join: function join3(chars) {
+      join: function join4(chars) {
         return chars.join("");
       },
       postProcess: function postProcess(changeObjects) {
@@ -10388,10 +10453,10 @@ function attachmentToHistoryMessage(o, ts) {
     const memories = raw.map((m2) => {
       if (!m2 || typeof m2 !== "object") return null;
       const rec = m2;
-      const path32 = typeof rec.path === "string" ? rec.path : null;
+      const path35 = typeof rec.path === "string" ? rec.path : null;
       const content = typeof rec.content === "string" ? rec.content : null;
-      if (!path32 || content == null) return null;
-      const entry = { path: path32, content };
+      if (!path35 || content == null) return null;
+      const entry = { path: path35, content };
       if (typeof rec.mtimeMs === "number") entry.mtimeMs = rec.mtimeMs;
       return entry;
     }).filter((m2) => m2 !== null);
@@ -10851,6 +10916,27 @@ var init_claude_history = __esm({
   }
 });
+// src/tools/sandbox.ts
+function shouldSandbox(cwd, personaRoot) {
+  if (!personaRoot) return false;
+  const sep2 = personaRoot.endsWith(path12.sep) ? "" : path12.sep;
+  return cwd.startsWith(personaRoot + sep2) && cwd !== personaRoot;
+}
+function inferSandboxSettingsPath(cwd, personaRoot) {
+  if (!shouldSandbox(cwd, personaRoot)) return null;
+  const rel = path12.relative(personaRoot, cwd);
+  const personaId = rel.split(path12.sep)[0];
+  if (!personaId) return null;
+  return path12.join(personaRoot, personaId, ".clawd", "sandbox-settings.json");
+}
+var path12;
+var init_sandbox = __esm({
+  "src/tools/sandbox.ts"() {
+    "use strict";
+    path12 = __toESM(require("path"), 1);
+  }
+});
 // src/tools/claude.ts
 function macOSDesktopCandidates(home) {
   return [
@@ -10915,7 +11001,8 @@ function buildSpawnArgs(ctx) {
       throw new Error(`unexpected personaMode: ${String(_exhaustive)}`);
     }
   }
-  if (ctx.extraSettings) args.push("--settings", ctx.extraSettings);
+  const sandboxSettings = ctx.extraSettings ?? inferSandboxSettingsPath(ctx.cwd, ctx.personaRoot);
+  if (sandboxSettings) args.push("--settings", sandboxSettings);
   if (ctx.extraSystemPrompt) args.push("--append-system-prompt", ctx.extraSystemPrompt);
   if (ctx.effort) args.push("--effort", ctx.effort);
   if (ctx.toolSessionId) args.push("--resume", ctx.toolSessionId);
@@ -11195,10 +11282,10 @@ function parseAttachment(obj) {
     const memories = raw.map((m2) => {
       if (!m2 || typeof m2 !== "object") return null;
       const rec = m2;
-      const path32 = typeof rec.path === "string" ? rec.path : null;
+      const path35 = typeof rec.path === "string" ? rec.path : null;
       const content = typeof rec.content === "string" ? rec.content : null;
-      if (!path32 || content == null) return null;
-      const out = { path: path32, content };
+      if (!path35 || content == null) return null;
+      const out = { path: path35, content };
       if (typeof rec.mtimeMs === "number") out.mtimeMs = rec.mtimeMs;
       return out;
     }).filter((m2) => m2 !== null);
@@ -11314,6 +11401,7 @@ var init_claude = __esm({
     init_protocol();
     init_claude_history();
     init_tool_result_extra();
+    init_sandbox();
     ATTACHMENT_SILENT_SUBTYPES2 = /* @__PURE__ */ new Set([
       "hook_additional_context",
       "hook_success",
@@ -18696,7 +18784,7 @@ var require_websocket = __commonJS({
     var http2 = require("http");
     var net = require("net");
     var tls = require("tls");
-    var { randomBytes, createHash } = require("crypto");
+    var { randomBytes: randomBytes2, createHash: createHash3 } = require("crypto");
     var { Duplex, Readable: Readable3 } = require("stream");
     var { URL: URL2 } = require("url");
     var PerMessageDeflate2 = require_permessage_deflate();
@@ -19226,7 +19314,7 @@ var require_websocket = __commonJS({
         }
       }
       const defaultPort = isSecure ? 443 : 80;
-      const key = randomBytes(16).toString("base64");
+      const key = randomBytes2(16).toString("base64");
       const request = isSecure ? https.request : http2.request;
       const protocolSet = /* @__PURE__ */ new Set();
       let perMessageDeflate;
@@ -19356,7 +19444,7 @@ var require_websocket = __commonJS({
           abortHandshake(websocket, socket, "Invalid Upgrade header");
           return;
         }
-        const digest = createHash("sha1").update(key + GUID).digest("base64");
+        const digest = createHash3("sha1").update(key + GUID).digest("base64");
         if (res.headers["sec-websocket-accept"] !== digest) {
           abortHandshake(websocket, socket, "Invalid Sec-WebSocket-Accept header");
           return;
@@ -19723,7 +19811,7 @@ var require_websocket_server = __commonJS({
     var EventEmitter2 = require("events");
     var http2 = require("http");
     var { Duplex } = require("stream");
-    var { createHash } = require("crypto");
+    var { createHash: createHash3 } = require("crypto");
     var extension2 = require_extension();
     var PerMessageDeflate2 = require_permessage_deflate();
     var subprotocol2 = require_subprotocol();
@@ -20024,7 +20112,7 @@ var require_websocket_server = __commonJS({
           );
         }
         if (this._state > RUNNING) return abortHandshake(socket, 503);
-        const digest = createHash("sha1").update(key + GUID).digest("base64");
+        const digest = createHash3("sha1").update(key + GUID).digest("base64");
         const headers = [
           "HTTP/1.1 101 Switching Protocols",
           "Upgrade: websocket",
@@ -20112,7 +20200,7 @@ var require_websocket_server = __commonJS({
 // src/run-case/recorder.ts
 function startRunCaseRecorder(opts) {
   const now = opts.now ?? Date.now;
-  const dir = import_node_path28.default.dirname(opts.recordPath);
+  const dir = import_node_path27.default.dirname(opts.recordPath);
   let stream = null;
   let closing = false;
   let closedSettled = false;
@@ -20152,12 +20240,12 @@ function startRunCaseRecorder(opts) {
   };
   return { tap, close, closed };
 }
-var import_node_fs25, import_node_path28;
+var import_node_fs25, import_node_path27;
 var init_recorder = __esm({
   "src/run-case/recorder.ts"() {
     "use strict";
     import_node_fs25 = __toESM(require("fs"), 1);
-    import_node_path28 = __toESM(require("path"), 1);
+    import_node_path27 = __toESM(require("path"), 1);
   }
 });
@@ -20200,7 +20288,7 @@ var init_wire = __esm({
 // src/run-case/controller.ts
 async function runController(opts) {
   const now = opts.now ?? Date.now;
-  const cwd = opts.cwd ?? (0, import_node_fs26.mkdtempSync)(import_node_path29.default.join(import_node_os14.default.tmpdir(), "clawd-runcase-"));
+  const cwd = opts.cwd ?? (0, import_node_fs26.mkdtempSync)(import_node_path28.default.join(import_node_os14.default.tmpdir(), "clawd-runcase-"));
   const ownsCwd = opts.cwd === void 0;
   const recorder = startRunCaseRecorder({ recordPath: opts.record, now });
   const spawnCtx = { cwd };
@@ -20367,13 +20455,13 @@ async function runController(opts) {
   }
   return exitCode ?? 0;
 }
-var import_node_fs26, import_node_os14, import_node_path29;
+var import_node_fs26, import_node_os14, import_node_path28;
 var init_controller = __esm({
   "src/run-case/controller.ts"() {
     "use strict";
     import_node_fs26 = require("fs");
     import_node_os14 = __toESM(require("os"), 1);
-    import_node_path29 = __toESM(require("path"), 1);
+    import_node_path28 = __toESM(require("path"), 1);
     init_claude();
     init_stdout_splitter();
     init_permission_stdio();
@@ -20605,7 +20693,7 @@ Env (advanced):
 `;
 // src/index.ts
-var import_node_path27 = __toESM(require("path"), 1);
+var import_node_path26 = __toESM(require("path"), 1);
 var import_node_fs24 = __toESM(require("fs"), 1);
 // src/logger.ts
@@ -20643,6 +20731,9 @@ function createLogger(opts = {}) {
   return wrap(base);
 }
+// src/session/store-factory.ts
+var path5 = __toESM(require("path"), 1);
 // src/session/store.ts
 var import_node_fs3 = __toESM(require("fs"), 1);
 var import_node_path4 = __toESM(require("path"), 1);
@@ -20680,12 +20771,16 @@ function safeFileName(sessionId) {
 var SessionStore = class {
   root;
   constructor(opts) {
-    const scope = opts.scope ?? { kind: "default" };
-    this.root = import_node_path4.default.join(
-      opts.dataDir,
-      "sessions",
-      ...scopeSubPath(scope).map(safeFileName)
-    );
+    if ("root" in opts) {
+      this.root = opts.root;
+    } else {
+      const scope = opts.scope ?? { kind: "default" };
+      this.root = import_node_path4.default.join(
+        opts.dataDir,
+        "sessions",
+        ...scopeSubPath(scope).map(safeFileName)
+      );
+    }
   }
   filePath(sessionId) {
     return import_node_path4.default.join(this.root, `${safeFileName(sessionId)}.json`);
@@ -20750,6 +20845,66 @@ var SessionStore = class {
   }
 };
+// src/session/store-factory.ts
+var SessionStoreFactory = class {
+  dataDir;
+  bareStore = null;
+  vmOwnerStores = /* @__PURE__ */ new Map();
+  // vmGuest 索引 key = `${pid}::${capId}`
+  vmGuestStores = /* @__PURE__ */ new Map();
+  constructor(opts) {
+    this.dataDir = opts.dataDir;
+  }
+  // ---- root path 派生（暴露给 migration / revoke cascade 等外部消费方） ----
+  bareRoot() {
+    return path5.join(this.dataDir, "sessions");
+  }
+  vmOwnerRoot(personaId) {
+    return path5.join(
+      this.dataDir,
+      "personas",
+      safeFileName(personaId),
+      ".clawd",
+      "sessions",
+      "owner"
+    );
+  }
+  vmGuestRoot(personaId, capabilityId) {
+    return path5.join(
+      this.dataDir,
+      "personas",
+      safeFileName(personaId),
+      ".clawd",
+      "sessions",
+      "guests",
+      safeFileName(capabilityId)
+    );
+  }
+  // ---- SessionStore 工厂（缓存） ----
+  forBare() {
+    if (!this.bareStore) {
+      this.bareStore = new SessionStore({ root: this.bareRoot() });
+    }
+    return this.bareStore;
+  }
+  forVmOwner(personaId) {
+    const key = personaId;
+    const cached = this.vmOwnerStores.get(key);
+    if (cached) return cached;
+    const st = new SessionStore({ root: this.vmOwnerRoot(personaId) });
+    this.vmOwnerStores.set(key, st);
+    return st;
+  }
+  forVmGuest(personaId, capabilityId) {
+    const key = `${personaId}::${capabilityId}`;
+    const cached = this.vmGuestStores.get(key);
+    if (cached) return cached;
+    const st = new SessionStore({ root: this.vmGuestRoot(personaId, capabilityId) });
+    this.vmGuestStores.set(key, st);
+    return st;
+  }
+};
 // src/session/manager.ts
 var import_node_fs5 = __toESM(require("fs"), 1);
 var import_node_path6 = __toESM(require("path"), 1);
@@ -20909,7 +21064,10 @@ function buildSpawnContext(state, deps) {
     toolSessionId: file.toolSessionId,
     model: file.model,
     permissionMode: file.permissionMode,
-    effort: file.effort
+    effort: file.effort,
+    // Phase 2 capability platform (plan §3): personaRoot 透传给 buildSpawnArgs;
+    // 内部 shouldSandbox(cwd, personaRoot) 决定是否注入 --settings sandbox-settings.
+    personaRoot: deps.personaRoot
   };
   const meta = state.subSessionMeta;
   if (meta?.personaMode) {
@@ -21636,7 +21794,8 @@ var SessionRunner = class {
       now: this.hooks.now ?? Date.now,
       resolveContextWindow: this.hooks.resolveContextWindow,
       genUuid: this.hooks.genUuid ?? v4_default,
-      ownerDisplayName: this.hooks.ownerDisplayName
+      ownerDisplayName: this.hooks.ownerDisplayName,
+      personaRoot: this.hooks.personaRoot
     };
     const { state, effects } = reduceSession(this.state, inputMsg, deps);
     this.state = state;
@@ -22060,9 +22219,20 @@ var SessionManager = class {
   attachObserver(observer) {
     this.attachedObserver = observer;
   }
-  // 按 scope 拿对应的 SessionStore。default scope 复用 deps.store（保证与
-  // bootstrap 注入的 store 一致）；persona scope 第一次访问时按需创建并缓存。
+  // 按 scope 拿对应的 SessionStore.
+  // Phase 2 (capability platform plan §1) 路由切到 SessionStoreFactory:
+  //   default              → factory.forBare()        <dataDir>/sessions/
+  //   persona/<pid>/owner  → factory.forVmOwner(pid)  <dataDir>/personas/<pid>/.clawd/sessions/owner/
+  //   persona/<pid>/listener → throw (listener 角色 #698 已下线, schema 字段保留但运行时不该出现)
+  // 缺省 (无 factory 注入): 回退 dataDir+scope 老路径 (向后兼容旧 spec).
   storeFor(scope) {
+    if (this.deps.storeFactory) {
+      if (scope.kind === "default") return this.deps.storeFactory.forBare();
+      if (scope.mode === "owner") return this.deps.storeFactory.forVmOwner(scope.personaId);
+      throw new Error(
+        `SessionManager: listener scope is deprecated (#698); use forVmGuest in Phase 3+ instead`
+      );
+    }
     if (scope.kind === "default") return this.deps.store;
     const key = scopeKey(scope);
     const cached = this.storesByScope.get(key);
@@ -22090,11 +22260,13 @@ var SessionManager = class {
   scopeForFile(file) {
     return file.ownerPersonaId ? { kind: "persona", personaId: file.ownerPersonaId, mode: "owner" } : { kind: "default" };
   }
-  // 扫 <dataDir>/sessions/ 列出所有 persona 命名空间（不含 'default'）。
-  // 用于 findOwnedSession / listAllOwned 跨 scope 查询。
+  // 扫所有 persona 命名空间. 用于 findOwnedSession / listAllOwned 跨 scope 查询.
+  // Phase 2 capability platform: 新布局下 persona 资产在 <dataDir>/personas/<pid>/,
+  // 直接 readdir 这个目录拿所有 personaId. 老布局 (无 storeFactory) fallback 扫
+  // <dataDir>/sessions/ 列子目录 (排除 'default').
   listPersonaIdsOnDisk() {
     if (!this.deps.dataDir) return [];
-    const root = import_node_path6.default.join(this.deps.dataDir, "sessions");
+    const root = this.deps.storeFactory ? import_node_path6.default.join(this.deps.dataDir, "personas") : import_node_path6.default.join(this.deps.dataDir, "sessions");
     let entries;
     try {
       entries = import_node_fs5.default.readdirSync(root, { withFileTypes: true });
@@ -22106,19 +22278,9 @@ var SessionManager = class {
     return entries.filter((e) => e.isDirectory() && e.name !== "default").map((e) => e.name);
   }
   // owner / default 两个分类下按 sessionId 找文件——前端只传 sessionId 不带 scope，
-  // SessionManager 在这里定位。三层快慢路径：
-  //   1) active runner（用户当前在用的 session）：runner.state.file 是 SessionFile 内存权威副本，
-  //      直接返回，零磁盘 I/O。覆盖 attachment / file-sharing 等"用户操作 → 紧接着 RPC"的
-  //      绝大多数场景
-  //   2) default scope 磁盘：inactive default session 命中
-  //   3) 所有 persona owner 目录扫盘：inactive persona owner session 命中
+  // SessionManager 在这里扫盘定位（default 直接试，未命中再轮询所有 persona owner 目录）。
   // listener sub-session 不走这条——transport 始终明确传 (personaId, sessionId)。
-  //
-  // 公开方法：attachment / file-sharing handler 通过 deps 闭包消费，不应直接持 SessionStore
-  // （持 default-only store 是 file-sharing v1 的预存 bug 根因——见 fix #703）
   findOwnedSession(sessionId) {
-    const runner = this.runners.get(sessionId);
-    if (runner) return runner.getState().file;
     const dflt = this.deps.store.read(sessionId);
     if (dflt) return dflt;
     for (const personaId of this.listPersonaIdsOnDisk()) {
@@ -22128,13 +22290,6 @@ var SessionManager = class {
     }
     return null;
   }
-  // findOwnedSession + scopeForFile 收口。把"sessionId → SessionScope"的派生
-  // 集中到 manager（scope 单一来源），调用方拿 scope 不再自己拼 object 也不依赖
-  // ownerPersonaId 字段语义。给 attachment handler 通过 deps.getSessionScope 闭包消费。
-  findOwnedSessionScope(sessionId) {
-    const file = this.findOwnedSession(sessionId);
-    return file ? this.scopeForFile(file) : null;
-  }
   // 合并 default + 所有 persona owner 的 SessionFile —— 桌面 App 主 session 列表入口。
   // 同样不含 listener sub-session（listener 走 persona:listSubSessions RPC 单独入口）。
   listAllOwned() {
@@ -22186,6 +22341,9 @@ var SessionManager = class {
       dataDir: this.deps.dataDir,
       personaStore: this.deps.personaStore,
       ownerDisplayName: this.deps.ownerDisplayName,
+      // Phase 2 capability platform (plan §3): 透传 personaRoot, buildSpawnArgs 据
+      // cwd 是否在 personaRoot 下自动决定是否注入 --settings sandbox-settings.json.
+      personaRoot: this.deps.personaRoot,
       // file-sharing (spec §6 PR 3)：闭包 scope + sessionId，runner 只暴露 tool/relPath/cwd
       onFileEdit: attachmentGroup ? (input) => attachmentGroup.onFileEdit({
         scope,
@@ -23198,7 +23356,7 @@ var SessionManager = class {
 // src/persona/store.ts
 var fs6 = __toESM(require("fs"), 1);
-var path7 = __toESM(require("path"), 1);
+var path8 = __toESM(require("path"), 1);
 init_protocol();
 var DEFAULT_SETTINGS = {
   permissions: {
@@ -23227,13 +23385,13 @@ var PersonaStore = class {
   }
   root;
   personaDir(personaId) {
-    return path7.join(this.root, safeFileName(personaId));
+    return path8.join(this.root, safeFileName(personaId));
   }
   metaPath(personaId) {
-    return path7.join(this.personaDir(personaId), ".clawd", "persona.json");
+    return path8.join(this.personaDir(personaId), ".clawd", "persona.json");
   }
   claudeMdPath(personaId) {
-    return path7.join(this.personaDir(personaId), "CLAUDE.md");
+    return path8.join(this.personaDir(personaId), "CLAUDE.md");
   }
   /**
    * Sandbox settings 落盘路径 —— 故意放在 `.clawd/` 而不是 `.claude/`，让 CC 的
@@ -23243,11 +23401,11 @@ var PersonaStore = class {
    * 加载 persona 人格，只有 listener 多一层 OS sandbox。
    */
   sandboxSettingsPath(personaId) {
-    return path7.join(this.personaDir(personaId), ".clawd", "sandbox-settings.json");
+    return path8.join(this.personaDir(personaId), ".clawd", "sandbox-settings.json");
   }
   write(persona, personality) {
     const dir = this.personaDir(persona.personaId);
-    fs6.mkdirSync(path7.join(dir, ".clawd"), { recursive: true });
+    fs6.mkdirSync(path8.join(dir, ".clawd"), { recursive: true });
     this.atomicWrite(this.claudeMdPath(persona.personaId), personality);
     this.atomicWrite(
       this.sandboxSettingsPath(persona.personaId),
@@ -23290,12 +23448,12 @@ var PersonaStore = class {
   }
   /** Persona 私有 skills 目录路径：<personaDir>/.claude/skills */
   skillsDir(personaId) {
-    return path7.join(this.personaDir(personaId), ".claude", "skills");
+    return path8.join(this.personaDir(personaId), ".claude", "skills");
   }
   list() {
     if (!fs6.existsSync(this.root)) return [];
     return fs6.readdirSync(this.root).filter((name) => {
-      return fs6.existsSync(path7.join(this.root, name, ".clawd", "persona.json"));
+      return fs6.existsSync(path8.join(this.root, name, ".clawd", "persona.json"));
     });
   }
   remove(personaId) {
@@ -23694,7 +23852,17 @@ var PersonaManager = class {
   }
   /**
    * 删除 persona。
-   * PersonaStore.remove(personaId) 已级联删除整个 <personaRoot>/<personaId>/ 目录。
+   * PersonaStore.remove(personaId) 已级联删除整个 <personaRoot>/<personaId>/ 目录,
+   * Phase 2 capability platform 新布局下含 .clawd/sessions/owner/ +
+   * .clawd/sessions/guests/<capId>/, rmSync recursive force 一锅清.
+   *
+   * ⚠️ TODO (Phase 3+ design gap, reviewer P1 flagged):
+   * ~/.clawd/capabilities.json 里若有 cap.grants 含本 personaId, grant 会变成
+   * 悬空引用 (guest 仍能持 token 接入, 但调依赖该 persona 的 RPC 会 fail).
+   * 选项: (A) 这里扫所有 cap 过滤掉该 personaId 的 grant; (B) revoke 所有 grant
+   * 含该 personaId 的 cap. 当前因 cleanupGuestSessionsForCapability 用 rmSync
+   * force=true 吞 ENOENT 不会 crash, 但 UI CapabilityManagerDrawer 会展示
+   * "无效的 persona" grant. Phase 3 加 cross-reference 矩阵后正式实现.
    */
   delete(personaId) {
     this.deps.store.remove(personaId);
@@ -23759,7 +23927,7 @@ var PersonaManager = class {
 // src/persona/seed.ts
 var fs8 = __toESM(require("fs"), 1);
-var path9 = __toESM(require("path"), 1);
+var path10 = __toESM(require("path"), 1);
 var import_node_url = require("url");
 var import_meta = {};
 var DEFAULT_PERSONAS = [
@@ -23795,14 +23963,14 @@ var DEFAULT_PERSONAS = [
 function findDefaultsRoot() {
   const candidates = [];
   try {
-    const here = path9.dirname((0, import_node_url.fileURLToPath)(import_meta.url));
-    candidates.push(path9.resolve(here, "defaults"));
-    candidates.push(path9.resolve(here, "persona-defaults"));
+    const here = path10.dirname((0, import_node_url.fileURLToPath)(import_meta.url));
+    candidates.push(path10.resolve(here, "defaults"));
+    candidates.push(path10.resolve(here, "persona-defaults"));
   } catch {
   }
   if (process.argv[1]) {
-    const argvDir = path9.dirname(process.argv[1]);
-    candidates.push(path9.resolve(argvDir, "persona-defaults"));
+    const argvDir = path10.dirname(process.argv[1]);
+    candidates.push(path10.resolve(argvDir, "persona-defaults"));
   }
   for (const c of candidates) {
     try {
@@ -23819,7 +23987,7 @@ function seedDefaultPersonas(args) {
       args.logger.info("persona.seed.skip", { personaId: entry.personaId, reason: "exists" });
       continue;
     }
-    const bundleDir = path9.join(args.defaultsRoot, entry.personaId);
+    const bundleDir = path10.join(args.defaultsRoot, entry.personaId);
     if (!fs8.existsSync(bundleDir)) {
       args.logger.warn("persona.seed.skip", {
         personaId: entry.personaId,
@@ -23828,7 +23996,7 @@ function seedDefaultPersonas(args) {
       });
       continue;
     }
-    const claudeMdPath = path9.join(bundleDir, "CLAUDE.md");
+    const claudeMdPath = path10.join(bundleDir, "CLAUDE.md");
     if (!fs8.existsSync(claudeMdPath)) {
       args.logger.warn("persona.seed.skip", {
         personaId: entry.personaId,
@@ -23857,8 +24025,8 @@ function seedDefaultPersonas(args) {
 function copyBundleExtras(srcDir, dstDir) {
   for (const entry of fs8.readdirSync(srcDir, { withFileTypes: true })) {
     if (entry.name === "CLAUDE.md" || entry.name === ".clawd") continue;
-    const srcPath = path9.join(srcDir, entry.name);
-    const dstPath = path9.join(dstDir, entry.name);
+    const srcPath = path10.join(srcDir, entry.name);
+    const dstPath = path10.join(dstDir, entry.name);
     if (entry.isDirectory()) {
       fs8.cpSync(srcPath, dstPath, { recursive: true, dereference: true });
     } else if (entry.isFile()) {
@@ -25240,6 +25408,9 @@ var LocalWsServer = class {
   httpServer = null;
   frameHandler = null;
   clients = /* @__PURE__ */ new Map();
+  // Task 1.7 capability platform：capId → Set<clientId>，撤销时 O(1) 找到该 cap 的
+  // 所有活跃连接做关闭级联（Task 1.10）。同一 cap 可能多端同时连（多设备 / 多 tab）。
+  capabilityIdToClients = /* @__PURE__ */ new Map();
   logger;
   pingIntervalMs;
   async start() {
@@ -25330,6 +25501,17 @@ var LocalWsServer = class {
       this.safeSend(c.ws, frame);
     }
   }
+  // Task 1.9 capability platform：仅广播给 owner 连接（跳过 guest ws）。
+  // 用于 capability:tokenIssued / capability:revoked 等 owner-only push frame——
+  // guest 没必要也无法消费这类管理帧。noAuth localhost ws 没有 ctx, 视作 owner.
+  broadcastToOwners(frame) {
+    const gate = this.opts.authGate;
+    for (const c of this.clients.values()) {
+      if (gate && !gate.isAuthed(c.handle.id)) continue;
+      if (c.ctx && c.ctx.principal.kind !== "owner") continue;
+      this.safeSend(c.ws, frame);
+    }
+  }
   firstSubscriber(sessionId) {
     for (const c of this.clients.values()) {
       if (c.handle.subscribedSessions.has(sessionId)) return c.handle;
@@ -25351,6 +25533,40 @@ var LocalWsServer = class {
     if (!c) return;
     this.safeSend(c.ws, frame);
   }
+  // Task 1.7 capability platform：AuthGate.onAuthed 回调里调本方法，把 ConnectionContext
+  // 绑到 client；guest 连接同时进 capId 索引（Task 1.10 撤销级联用）。
+  attachClientContext(clientId, ctx) {
+    const c = this.clients.get(clientId);
+    if (!c) return;
+    c.ctx = ctx;
+    if (ctx.capabilityId) {
+      let set = this.capabilityIdToClients.get(ctx.capabilityId);
+      if (!set) {
+        set = /* @__PURE__ */ new Set();
+        this.capabilityIdToClients.set(ctx.capabilityId, set);
+      }
+      set.add(clientId);
+    }
+  }
+  // 测试 / Task 1.8 dispatcher 用：拿 client 当前 ConnectionContext（null = 未鉴权 / noAuth）
+  getClientContext(clientId) {
+    return this.clients.get(clientId)?.ctx ?? null;
+  }
+  // Task 1.10 撤销级联：关闭某 capability 的所有活跃 ws 连接。close code 4401
+  // 让客户端识别 'capability revoked' 而非普通断连。
+  closeConnectionsByCapability(capabilityId, code = 4401, reason = "TOKEN_REVOKED") {
+    const set = this.capabilityIdToClients.get(capabilityId);
+    if (!set) return;
+    const ids = [...set];
+    for (const id of ids) {
+      const c = this.clients.get(id);
+      if (!c) continue;
+      try {
+        c.ws.close(code, reason);
+      } catch {
+      }
+    }
+  }
   // URL path 路由：'/' → 主连接路径；其他 → close 4404
   routeConnection(socket, req) {
     const remoteAddress = req?.socket?.remoteAddress;
@@ -25385,7 +25601,7 @@ var LocalWsServer = class {
       } catch {
       }
     }, this.pingIntervalMs);
-    this.clients.set(id, { handle, ws: socket, pingTimer });
+    this.clients.set(id, { handle, ws: socket, pingTimer, ctx: null });
     this.logger?.info("client connected", { clientId: id, total: this.clients.size, remoteAddress });
     const authGate = this.opts.authGate;
     let authed = true;
@@ -25409,6 +25625,12 @@ var LocalWsServer = class {
     socket.on("close", () => {
       const c = this.clients.get(id);
       if (c?.pingTimer) clearInterval(c.pingTimer);
+      const capId = c?.ctx?.capabilityId;
+      if (capId) {
+        const set = this.capabilityIdToClients.get(capId);
+        set?.delete(id);
+        if (set && set.size === 0) this.capabilityIdToClients.delete(capId);
+      }
       this.clients.delete(id);
       authGate?.unregister(id);
       this.logger?.info("client disconnected", { clientId: id, remaining: this.clients.size });
@@ -25557,15 +25779,27 @@ var AuthGate = class {
       this.markFailed(handle.id);
       return frame.type === "auth" ? "consumed" : "reject";
     }
-    if (!this.opts.expectedToken) {
-      this.opts.closeConnection(handle, 1008, "auth not configured");
-      this.markFailed(handle.id);
-      return "consumed";
-    }
-    if (!constantTimeEqual(parsed.data.token, this.opts.expectedToken)) {
-      this.opts.closeConnection(handle, 1008, "auth failed");
-      this.markFailed(handle.id);
-      return "consumed";
+    let ctx = null;
+    if (this.opts.authenticate) {
+      const r = this.opts.authenticate(parsed.data.token);
+      if (!r.ok) {
+        this.opts.closeConnection(handle, 4401, r.code);
+        this.markFailed(handle.id);
+        return "consumed";
+      }
+      ctx = r.context;
+    } else {
+      if (!this.opts.expectedToken) {
+        this.opts.closeConnection(handle, 1008, "auth not configured");
+        this.markFailed(handle.id);
+        return "consumed";
+      }
+      if (!constantTimeEqual(parsed.data.token, this.opts.expectedToken)) {
+        this.opts.closeConnection(handle, 1008, "auth failed");
+        this.markFailed(handle.id);
+        return "consumed";
+      }
+      ctx = this.opts.buildOwnerContext?.() ?? null;
     }
     if (st.timer != null) {
       const clear = this.opts.clearTimer ?? ((h) => clearTimeout(h));
@@ -25573,6 +25807,7 @@ var AuthGate = class {
     }
     st.authed = true;
     st.timer = null;
+    if (ctx && this.opts.onAuthed) this.opts.onAuthed(handle, ctx);
     this.opts.sendOk(handle, { type: "auth:ok" });
     return "consumed";
   }
@@ -25648,6 +25883,328 @@ function constantTimeEqual2(a, b2) {
   return diff2 === 0;
 }
+// ../protocol/src/index.ts
+init_runtime();
+// src/transport/connection-context.ts
+function ownerContext() {
+  return {
+    principal: OWNER_PRINCIPAL,
+    grants: [{ resource: { type: "*" }, actions: ["admin"] }]
+  };
+}
+function guestContext(cap) {
+  return {
+    principal: { id: cap.id, kind: "guest", displayName: cap.displayName },
+    grants: cap.grants,
+    capabilityId: cap.id
+  };
+}
+function authenticate(token, deps) {
+  if (!token) return { ok: false, code: "NO_TOKEN" };
+  if (deps.isOwnerToken(token)) return { ok: true, context: ownerContext() };
+  if (!deps.capabilityRegistry) return { ok: false, code: "BAD_TOKEN" };
+  const v2 = deps.capabilityRegistry.verifyToken(token);
+  if (v2.ok) return { ok: true, context: guestContext(v2.capability) };
+  if (v2.code === "TOKEN_INVALID") return { ok: false, code: "BAD_TOKEN" };
+  return { ok: false, code: v2.code };
+}
+// src/permission/capability-store.ts
+var fs15 = __toESM(require("fs"), 1);
+var path18 = __toESM(require("path"), 1);
+var CAPABILITIES_FILE_NAME = "capabilities.json";
+var FILE_VERSION = 1;
+var CapabilityStore = class {
+  constructor(dataDir) {
+    this.dataDir = dataDir;
+    fs15.mkdirSync(dataDir, { recursive: true });
+    this.cache = this.readFromDisk();
+  }
+  dataDir;
+  cache;
+  list() {
+    return [...this.cache];
+  }
+  upsert(cap) {
+    const idx = this.cache.findIndex((c) => c.id === cap.id);
+    if (idx >= 0) {
+      this.cache[idx] = cap;
+    } else {
+      this.cache.push(cap);
+    }
+    this.flush();
+  }
+  remove(id) {
+    const next = this.cache.filter((c) => c.id !== id);
+    if (next.length === this.cache.length) return;
+    this.cache = next;
+    this.flush();
+  }
+  filePath() {
+    return path18.join(this.dataDir, CAPABILITIES_FILE_NAME);
+  }
+  readFromDisk() {
+    const file = this.filePath();
+    let raw;
+    try {
+      raw = fs15.readFileSync(file, "utf8");
+    } catch (err) {
+      if (err?.code === "ENOENT") return [];
+      return [];
+    }
+    if (!raw.trim()) return [];
+    let parsed;
+    try {
+      parsed = JSON.parse(raw);
+    } catch {
+      return [];
+    }
+    if (!parsed || typeof parsed !== "object") return [];
+    const arr = parsed.capabilities;
+    if (!Array.isArray(arr)) return [];
+    const out = [];
+    for (const item of arr) {
+      const r = CapabilitySchema.safeParse(item);
+      if (r.success) out.push(r.data);
+    }
+    return out;
+  }
+  flush() {
+    const content = { version: FILE_VERSION, capabilities: this.cache };
+    this.atomicWrite(this.filePath(), JSON.stringify(content, null, 2));
+  }
+  atomicWrite(file, content) {
+    const tmp = `${file}.tmp-${process.pid}-${Date.now()}-${Math.random().toString(36).slice(2)}`;
+    fs15.writeFileSync(tmp, content, { mode: 384 });
+    fs15.renameSync(tmp, file);
+    try {
+      fs15.chmodSync(file, 384);
+    } catch {
+    }
+  }
+};
+// src/permission/capability-registry.ts
+var crypto4 = __toESM(require("crypto"), 1);
+var CapabilityRegistry = class {
+  constructor(store, now = () => Date.now()) {
+    this.store = store;
+    this.now = now;
+    for (const cap of store.list()) {
+      this.bySecretHash.set(cap.secretHash, cap);
+    }
+  }
+  store;
+  now;
+  // sha256(token) → Capability
+  bySecretHash = /* @__PURE__ */ new Map();
+  list() {
+    return this.store.list();
+  }
+  verifyToken(token) {
+    if (!token) return { ok: false, code: "TOKEN_INVALID" };
+    const hash = sha256Hex(token);
+    const cap = this.bySecretHash.get(hash);
+    if (!cap) return { ok: false, code: "TOKEN_INVALID" };
+    if (cap.revokedAt) return { ok: false, code: "TOKEN_REVOKED" };
+    if (cap.expiresAt && this.now() >= cap.expiresAt) {
+      return { ok: false, code: "TOKEN_EXPIRED" };
+    }
+    if (cap.maxUses && cap.usedCount >= cap.maxUses) {
+      return { ok: false, code: "TOKEN_EXHAUSTED" };
+    }
+    const updated = { ...cap, usedCount: cap.usedCount + 1 };
+    this.bySecretHash.set(hash, updated);
+    this.store.upsert(updated);
+    return { ok: true, capability: updated };
+  }
+  upsertCapability(cap) {
+    this.bySecretHash.set(cap.secretHash, cap);
+    this.store.upsert(cap);
+  }
+  markRevoked(id, revokedAt) {
+    const current = this.store.list().find((c) => c.id === id);
+    if (!current) return null;
+    if (current.revokedAt) return current;
+    const updated = { ...current, revokedAt };
+    this.bySecretHash.set(updated.secretHash, updated);
+    this.store.upsert(updated);
+    return updated;
+  }
+  findById(id) {
+    return this.store.list().find((c) => c.id === id) ?? null;
+  }
+};
+function sha256Hex(s) {
+  return crypto4.createHash("sha256").update(s).digest("hex");
+}
+// src/permission/capability-manager.ts
+var crypto5 = __toESM(require("crypto"), 1);
+var CapabilityManager = class {
+  constructor(registry2, hooks = {}) {
+    this.registry = registry2;
+    this.hooks = hooks;
+  }
+  registry;
+  hooks;
+  list() {
+    return this.registry.list();
+  }
+  issue(args) {
+    if (!args.displayName.trim()) {
+      throw new Error("CapabilityManager.issue: displayName must be non-empty");
+    }
+    const token = (this.hooks.generateToken ?? defaultGenerateToken)();
+    const id = (this.hooks.generateId ?? defaultGenerateId)();
+    const now = (this.hooks.now ?? Date.now)();
+    const cap = {
+      id,
+      secretHash: sha256Hex2(token),
+      displayName: args.displayName,
+      grants: args.grants,
+      issuedAt: now,
+      usedCount: 0,
+      ...args.expiresAt !== void 0 ? { expiresAt: args.expiresAt } : {},
+      ...args.maxUses !== void 0 ? { maxUses: args.maxUses } : {}
+    };
+    this.registry.upsertCapability(cap);
+    this.hooks.onIssued?.(cap, token);
+    return { token, capability: cap };
+  }
+  revoke(id) {
+    const existing = this.registry.findById(id);
+    if (!existing) return null;
+    const now = (this.hooks.now ?? Date.now)();
+    if (existing.revokedAt) {
+      return { revokedAt: existing.revokedAt, capability: existing };
+    }
+    const updated = this.registry.markRevoked(id, now);
+    if (!updated) return null;
+    this.hooks.onRevoked?.(updated);
+    return { revokedAt: now, capability: updated };
+  }
+};
+function defaultGenerateToken() {
+  return crypto5.randomBytes(24).toString("base64url");
+}
+function defaultGenerateId() {
+  return "cap_" + crypto5.randomBytes(6).toString("base64url");
+}
+function sha256Hex2(s) {
+  return crypto5.createHash("sha256").update(s).digest("hex");
+}
+// src/permission/cleanup.ts
+var fs16 = __toESM(require("fs"), 1);
+function cleanupGuestSessionsForCapability(cap, factory) {
+  const removed = [];
+  for (const g2 of cap.grants) {
+    if (g2.resource.type !== "persona") continue;
+    const dir = factory.vmGuestRoot(g2.resource.id, cap.id);
+    try {
+      fs16.rmSync(dir, { recursive: true, force: true });
+      removed.push(dir);
+    } catch {
+    }
+  }
+  return { removed };
+}
+// src/migrations/2026-05-20-flatten-sessions.ts
+var fs17 = __toESM(require("fs"), 1);
+var path19 = __toESM(require("path"), 1);
+var MIGRATION_FLAG_NAME = ".migration.v1.done";
+function migrateFlattenSessions(opts) {
+  const dataDir = opts.dataDir;
+  const now = opts.now ?? Date.now;
+  const sessionsDir = path19.join(dataDir, "sessions");
+  const flagPath = path19.join(sessionsDir, MIGRATION_FLAG_NAME);
+  if (existsSync3(flagPath)) {
+    return { skipped: true, flagWritten: false, movedBare: 0, movedVmOwner: 0, archivedListener: 0 };
+  }
+  let movedBare = 0;
+  let movedVmOwner = 0;
+  let archivedListener = 0;
+  const defaultDir = path19.join(sessionsDir, "default");
+  if (existsSync3(defaultDir)) {
+    for (const entry of readdirSafe(defaultDir)) {
+      if (!entry.endsWith(".json")) continue;
+      const src = path19.join(defaultDir, entry);
+      const dst = path19.join(sessionsDir, entry);
+      fs17.renameSync(src, dst);
+      movedBare += 1;
+    }
+    rmdirIfEmpty(defaultDir);
+  }
+  for (const pid of readdirSafe(sessionsDir)) {
+    const personaDir = path19.join(sessionsDir, pid);
+    if (!isDir(personaDir)) continue;
+    if (pid === "default") continue;
+    const ownerSrc = path19.join(personaDir, "owner");
+    if (existsSync3(ownerSrc) && isDir(ownerSrc)) {
+      const ownerDst = path19.join(dataDir, "personas", pid, ".clawd", "sessions", "owner");
+      fs17.mkdirSync(ownerDst, { recursive: true });
+      for (const file of readdirSafe(ownerSrc)) {
+        if (!file.endsWith(".json")) continue;
+        fs17.renameSync(path19.join(ownerSrc, file), path19.join(ownerDst, file));
+        movedVmOwner += 1;
+      }
+      rmdirIfEmpty(ownerSrc);
+    }
+    const listenerSrc = path19.join(personaDir, "listener");
+    if (existsSync3(listenerSrc) && isDir(listenerSrc)) {
+      const archiveDst = path19.join(dataDir, ".legacy", `listener-${pid}`);
+      fs17.mkdirSync(archiveDst, { recursive: true });
+      for (const file of readdirSafe(listenerSrc)) {
+        if (!file.endsWith(".json")) continue;
+        fs17.renameSync(path19.join(listenerSrc, file), path19.join(archiveDst, file));
+        archivedListener += 1;
+      }
+      rmdirIfEmpty(listenerSrc);
+    }
+    rmdirIfEmpty(personaDir);
+  }
+  fs17.mkdirSync(sessionsDir, { recursive: true });
+  fs17.writeFileSync(flagPath, JSON.stringify({ migratedAt: now() }, null, 2));
+  return {
+    skipped: false,
+    flagWritten: true,
+    movedBare,
+    movedVmOwner,
+    archivedListener
+  };
+}
+function existsSync3(p2) {
+  try {
+    fs17.statSync(p2);
+    return true;
+  } catch {
+    return false;
+  }
+}
+function isDir(p2) {
+  try {
+    return fs17.statSync(p2).isDirectory();
+  } catch {
+    return false;
+  }
+}
+function readdirSafe(p2) {
+  try {
+    return fs17.readdirSync(p2);
+  } catch {
+    return [];
+  }
+}
+function rmdirIfEmpty(p2) {
+  try {
+    fs17.rmdirSync(p2);
+  } catch {
+  }
+}
 // src/transport/http-router.ts
 var import_node_fs14 = __toESM(require("fs"), 1);
 var import_node_path16 = __toESM(require("path"), 1);
@@ -26869,24 +27426,14 @@ var AUTH_FILE_NAME = "auth.json";
 function authFilePath(dataDir) {
   return import_node_path22.default.join(dataDir, AUTH_FILE_NAME);
 }
-function loadOrCreateAuthFile(opts) {
+function loadOrCreateAuthToken(opts) {
   const file = authFilePath(opts.dataDir);
-  const generate = opts.generate ?? defaultGenerate;
-  const now = opts.now ?? (() => /* @__PURE__ */ new Date());
   const existing = readAuthFile(file);
-  if (existing && existing.token && existing.signSecret) {
-    return {
-      token: existing.token,
-      signSecret: existing.signSecret,
-      createdAt: existing.createdAt ?? (/* @__PURE__ */ new Date(0)).toISOString()
-    };
-  }
-  const token = existing?.token || generate();
-  const signSecret = existing?.signSecret || generate();
-  const createdAt = existing?.createdAt || now().toISOString();
-  const next = { token, signSecret, createdAt };
-  writeAuthFile(file, next);
-  return next;
+  if (existing && existing.token) return existing.token;
+  const token = (opts.generate ?? defaultGenerate)();
+  const now = (opts.now ?? (() => /* @__PURE__ */ new Date()))();
+  writeAuthFile(file, { token, createdAt: now.toISOString() });
+  return token;
 }
 function defaultGenerate() {
   return import_node_crypto8.default.randomBytes(32).toString("base64url");
@@ -26895,14 +27442,13 @@ function readAuthFile(file) {
   try {
     const raw = import_node_fs20.default.readFileSync(file, "utf8");
     const parsed = JSON.parse(raw);
-    if (typeof parsed?.token !== "string" || parsed.token.length === 0) {
-      return null;
+    if (typeof parsed?.token === "string" && parsed.token.length > 0) {
+      return {
+        token: parsed.token,
+        createdAt: typeof parsed.createdAt === "string" ? parsed.createdAt : (/* @__PURE__ */ new Date(0)).toISOString()
+      };
     }
-    return {
-      token: parsed.token,
-      signSecret: typeof parsed.signSecret === "string" && parsed.signSecret.length > 0 ? parsed.signSecret : void 0,
-      createdAt: typeof parsed.createdAt === "string" ? parsed.createdAt : void 0
-    };
+    return null;
   } catch (err) {
     const code = err?.code;
     if (code === "ENOENT") return null;
@@ -27446,6 +27992,65 @@ function buildCapabilitiesHandlers(deps) {
   };
 }
+// src/handlers/capability.ts
+init_zod();
+init_protocol();
+var IssueArgsSchema = external_exports.object({
+  displayName: external_exports.string().min(1),
+  grants: external_exports.array(GrantSchema),
+  expiresAt: external_exports.number().int().positive().optional(),
+  maxUses: external_exports.number().int().positive().optional()
+}).strict();
+var RevokeArgsSchema = external_exports.object({
+  capabilityId: external_exports.string().min(1)
+}).strict();
+function buildCapabilityHandlers(deps) {
+  const { manager } = deps;
+  const issue = async (frame) => {
+    const { type: _type, requestId: _requestId, ...rest } = frame;
+    const args = IssueArgsSchema.parse(rest);
+    const { token, capability } = manager.issue(args);
+    return {
+      response: {
+        type: "capability:issued",
+        token,
+        capability: stripSecretHash(capability)
+      }
+    };
+  };
+  const list = async () => {
+    return {
+      response: {
+        type: "capability:list",
+        capabilities: manager.list().map(stripSecretHash)
+      }
+    };
+  };
+  const revoke = async (frame) => {
+    const { type: _type, requestId: _requestId, ...rest } = frame;
+    const args = RevokeArgsSchema.parse(rest);
+    const result = manager.revoke(args.capabilityId);
+    if (!result) {
+      throw new ClawdError(
+        ERROR_CODES.VALIDATION_ERROR,
+        `capability not found: ${args.capabilityId}`
+      );
+    }
+    return {
+      response: {
+        type: "capability:revoked",
+        capabilityId: args.capabilityId,
+        revokedAt: result.revokedAt
+      }
+    };
+  };
+  return {
+    "capability:issue": issue,
+    "capability:list": list,
+    "capability:revoke": revoke
+  };
+}
 // src/handlers/meta.ts
 var import_node_os13 = __toESM(require("os"), 1);
 init_protocol();
@@ -27571,7 +28176,6 @@ function buildPersonaHandlers(deps) {
 }
 // src/handlers/attachment.ts
-var import_node_path26 = __toESM(require("path"), 1);
 init_protocol();
 init_protocol();
 var DEFAULT_TTL_SECONDS = 24 * 3600;
@@ -27596,41 +28200,8 @@ function buildAttachmentHandlers(deps) {
         "httpBaseUrl unavailable (daemon HTTP not ready)"
       );
     }
-    if (!deps.sessionStore || !deps.getSessionScope || !deps.groupFileStore) {
-      throw new ClawdError(
-        ERROR_CODES.METHOD_NOT_IMPLEMENTED,
-        "signUrl requires session/group stores"
-      );
-    }
-    const sessionFile = deps.sessionStore.read(args.sessionId);
-    if (!sessionFile) {
-      throw new ClawdError(
-        ERROR_CODES.VALIDATION_ERROR,
-        `session ${args.sessionId} not found`
-      );
-    }
-    const scope = deps.getSessionScope(args.sessionId);
-    if (!scope) {
-      throw new ClawdError(
-        ERROR_CODES.VALIDATION_ERROR,
-        `session ${args.sessionId} scope unresolved`
-      );
-    }
-    const cwdAbs = import_node_path26.default.resolve(sessionFile.cwd);
-    const candidateAbs = import_node_path26.default.isAbsolute(args.relPath) ? import_node_path26.default.resolve(args.relPath) : import_node_path26.default.resolve(cwdAbs, args.relPath);
-    const entries = deps.groupFileStore.list(scope, args.sessionId);
-    const entry = entries.find((e) => {
-      const storedAbs = import_node_path26.default.isAbsolute(e.relPath) ? import_node_path26.default.resolve(e.relPath) : import_node_path26.default.resolve(cwdAbs, e.relPath);
-      return storedAbs === candidateAbs && !e.stale;
-    });
-    if (!entry) {
-      throw new ClawdError(
-        ERROR_CODES.VALIDATION_ERROR,
-        `relPath not in session group files or stale: ${args.relPath}`
-      );
-    }
     const ttl = args.ttlSeconds === null ? null : args.ttlSeconds ?? DEFAULT_TTL_SECONDS;
-    const parts = signUrlParts(secret, candidateAbs, ttl);
+    const parts = signUrlParts(secret, args.absPath, ttl);
     const url = buildSignedFileUrl(httpBaseUrl, parts);
     return {
       response: {
@@ -27731,15 +28302,112 @@ function buildMethodHandlers(deps) {
       personaManager: deps.personaManager,
       personaRegistry: deps.personaRegistry
     }),
+    ...buildCapabilityHandlers({ manager: deps.capabilityManager }),
     ...deps.attachment ? buildAttachmentHandlers(deps.attachment) : {}
   };
 }
+// src/handlers/method-grants.ts
+var ADMIN_ANY = {
+  kind: "fixed",
+  resource: { type: "*" },
+  action: "admin"
+};
+var METHOD_GRANT_MAP = {
+  // ---- public（meta-only，guest 也能调） ----
+  "info": { kind: "public" },
+  "ping": { kind: "public" },
+  // ---- capability platform（admin-only，本 PR 新增） ----
+  "capability:issue": ADMIN_ANY,
+  "capability:list": ADMIN_ANY,
+  "capability:revoke": ADMIN_ANY,
+  // ---- 业务方法：Phase 1 全 admin-only（owner 自动通过；guest 无法调用） ----
+  "session:create": ADMIN_ANY,
+  "session:list": ADMIN_ANY,
+  "session:get": ADMIN_ANY,
+  "session:update": ADMIN_ANY,
+  "session:delete": ADMIN_ANY,
+  "session:send": ADMIN_ANY,
+  "session:stop": ADMIN_ANY,
+  "session:interrupt": ADMIN_ANY,
+  "session:rewind": ADMIN_ANY,
+  "session:rewind-diff": ADMIN_ANY,
+  "session:rewindable-message-ids": ADMIN_ANY,
+  "session:fork": ADMIN_ANY,
+  "session:new": ADMIN_ANY,
+  "session:resume": ADMIN_ANY,
+  "session:observe": ADMIN_ANY,
+  "session:events": ADMIN_ANY,
+  "session:subscribe": ADMIN_ANY,
+  "session:unsubscribe": ADMIN_ANY,
+  "session:pin": ADMIN_ANY,
+  "session:reorderPins": ADMIN_ANY,
+  "permission:respond": ADMIN_ANY,
+  "session:answerQuestion": ADMIN_ANY,
+  "session:cancelQuestion": ADMIN_ANY,
+  "history:projects": ADMIN_ANY,
+  "history:list": ADMIN_ANY,
+  "history:read": ADMIN_ANY,
+  "history:subagents": ADMIN_ANY,
+  "history:subagent-read": ADMIN_ANY,
+  "history:recentDirs": ADMIN_ANY,
+  "workspace:list": ADMIN_ANY,
+  "workspace:read": ADMIN_ANY,
+  "skills:list": ADMIN_ANY,
+  "agents:list": ADMIN_ANY,
+  "git:root": ADMIN_ANY,
+  "git:branch": ADMIN_ANY,
+  "git:branches": ADMIN_ANY,
+  "capabilities:get": ADMIN_ANY,
+  "persona:create": ADMIN_ANY,
+  "persona:list": ADMIN_ANY,
+  "persona:get": ADMIN_ANY,
+  "persona:update": ADMIN_ANY,
+  "persona:delete": ADMIN_ANY,
+  "persona:issueToken": ADMIN_ANY,
+  "persona:revokeToken": ADMIN_ANY,
+  "session:pty:input": ADMIN_ANY,
+  "session:pty:resize": ADMIN_ANY,
+  // file-sharing attachment.*：handler 内部已有 requireOwner（HTTP 路径同），dispatcher 这里
+  // 用 admin-only 兜底（双保险，wire-level 也拦）
+  "attachment.signUrl": ADMIN_ANY,
+  "attachment.groupAdd": ADMIN_ANY,
+  "attachment.groupRemove": ADMIN_ANY,
+  "attachment.groupList": ADMIN_ANY,
+  "attachment.groupListPersona": ADMIN_ANY
+};
+function computeGrantForFrame(method, frame) {
+  const rule = METHOD_GRANT_MAP[method];
+  if (!rule) return { kind: "public" };
+  if (rule.kind === "public") return { kind: "public" };
+  if (rule.kind === "fixed") {
+    return { kind: "check", resource: rule.resource, action: rule.action };
+  }
+  const picked = rule.pick(frame);
+  if (!picked) return { kind: "public" };
+  return { kind: "check", resource: picked.resource, action: picked.action };
+}
+// src/permission/capability.ts
+function matchResource(grant, target) {
+  if (grant.type === "*") return true;
+  if (grant.type !== target.type) return false;
+  return grant.id === target.id;
+}
+function assertGrant(grants, resource, action) {
+  for (const g2 of grants) {
+    if (!matchResource(g2.resource, resource)) continue;
+    if (g2.actions.includes(action)) return true;
+    if (g2.actions.includes("admin")) return true;
+  }
+  return false;
+}
 // src/index.ts
 async function startDaemon(config) {
   const logger = createLogger({
     level: config.logLevel,
-    file: import_node_path27.default.join(config.dataDir, "clawd.log")
+    file: import_node_path26.default.join(config.dataDir, "clawd.log")
   });
   logger.info("starting clawd", { version, config: { port: config.port, host: config.host, dataDir: config.dataDir } });
   const stateMgr = new StateFileManager({ dataDir: config.dataDir });
@@ -27751,29 +28419,70 @@ async function startDaemon(config) {
     logger.warn("stale state file detected, overwriting", { pid: pre.existing.pid });
   }
   let resolvedAuthToken = null;
-  let authFile = null;
   if (config.authToken && config.authToken.trim()) {
     resolvedAuthToken = config.authToken.trim();
   } else if (config.tunnel) {
-    authFile = loadOrCreateAuthFile({ dataDir: config.dataDir });
-    resolvedAuthToken = authFile.token;
+    resolvedAuthToken = loadOrCreateAuthToken({ dataDir: config.dataDir });
   }
   const authMode = resolvedAuthToken == null ? "none" : "first-message";
+  const capabilityStore = new CapabilityStore(config.dataDir);
+  const capabilityRegistry = new CapabilityRegistry(capabilityStore);
+  const capabilityManager = new CapabilityManager(capabilityRegistry, {
+    onIssued: (cap, token) => {
+      wsServer?.broadcastToOwners({
+        type: "capability:tokenIssued",
+        capability: stripSecretHash(cap),
+        token
+      });
+    },
+    onRevoked: (cap) => {
+      wsServer?.broadcastToOwners({
+        type: "capability:tokenRevoked",
+        capabilityId: cap.id,
+        revokedAt: cap.revokedAt
+      });
+      wsServer?.closeConnectionsByCapability(cap.id);
+      const cleanup = cleanupGuestSessionsForCapability(cap, sessionStoreFactory);
+      if (cleanup.removed.length > 0) {
+        logger.info("capability revoke cascade: guest sessions removed", {
+          capabilityId: cap.id,
+          removedDirs: cleanup.removed
+        });
+      }
+    }
+  });
   let wsServer = null;
   const authGate = authMode === "first-message" ? new AuthGate({
     shouldEnforce: buildShouldEnforce({ tunnel: config.tunnel }),
+    // Task 1.7：authenticate 注入路径替代 expectedToken 单 token 比对。
+    // owner 路径 constantTimeEqual 防侧信道；guest 路径走 capabilityRegistry.
     expectedToken: resolvedAuthToken,
+    authenticate: (t) => authenticate(t, {
+      isOwnerToken: (x) => resolvedAuthToken != null && constantTimeEqual(x, resolvedAuthToken),
+      capabilityRegistry
+    }),
+    onAuthed: (h, ctx) => wsServer?.attachClientContext(h.id, ctx),
+    buildOwnerContext: ownerContext,
     closeConnection: (h, code, reason) => wsServer?.closeClient(h.id, code, reason),
     sendOk: (h, payload) => wsServer?.sendToClient(h.id, payload)
   }) : null;
   resetRegistry();
-  const store = new SessionStore({ dataDir: config.dataDir });
+  const migrateResult = migrateFlattenSessions({ dataDir: config.dataDir });
+  if (!migrateResult.skipped && (migrateResult.movedBare || migrateResult.movedVmOwner || migrateResult.archivedListener)) {
+    logger.info("sessions migration applied", {
+      movedBare: migrateResult.movedBare,
+      movedVmOwner: migrateResult.movedVmOwner,
+      archivedListener: migrateResult.archivedListener
+    });
+  }
+  const sessionStoreFactory = new SessionStoreFactory({ dataDir: config.dataDir });
+  const store = sessionStoreFactory.forBare();
   const workspace = new WorkspaceBrowser();
   const skills = new SkillsScanner();
   const agents = new AgentsScanner();
   const history = new ClaudeHistoryReader();
   let transport = null;
-  const personaStore = new PersonaStore(import_node_path27.default.join(config.dataDir, "personas"));
+  const personaStore = new PersonaStore(import_node_path26.default.join(config.dataDir, "personas"));
   const defaultsRoot = findDefaultsRoot();
   if (defaultsRoot) {
     seedDefaultPersonas({ store: personaStore, defaultsRoot, logger });
@@ -27784,11 +28493,14 @@ async function startDaemon(config) {
   const groupFileStore = new GroupFileStore({ dataDir: config.dataDir, logger });
   const manager = new SessionManager({
     store,
+    // Phase 2 (capability platform plan §1): factory 注入后 manager.storeFor 走
+    // 新布局派生 (sessions/* + personas/<pid>/.clawd/sessions/owner/*)
+    storeFactory: sessionStoreFactory,
     logger,
     getAdapter,
     historyReader: history,
     dataDir: config.dataDir,
-    personaRoot: import_node_path27.default.join(config.dataDir, "personas"),
+    personaRoot: import_node_path26.default.join(config.dataDir, "personas"),
     personaStore,
     ownerDisplayName,
     mode: config.mode,
@@ -27811,7 +28523,7 @@ async function startDaemon(config) {
     // 文件可能 agent 写完又被自己删（罕见），用 size=0 / fallback mime 兜底。
     attachmentGroup: {
       onFileEdit: (input) => {
-        const absPath = import_node_path27.default.isAbsolute(input.relPath) ? input.relPath : import_node_path27.default.join(input.cwd, input.relPath);
+        const absPath = import_node_path26.default.isAbsolute(input.relPath) ? input.relPath : import_node_path26.default.join(input.cwd, input.relPath);
         let size = 0;
         try {
           size = import_node_fs24.default.statSync(absPath).size;
@@ -27910,23 +28622,25 @@ async function startDaemon(config) {
     httpToken: resolvedAuthToken,
     // file-sharing attachment.* RPC。signUrl 用 owner token 做 HMAC secret；group RPC
     // 根据 sessionId 反查 scope 写盘。
-    //
-    // sessionStore / getSessionScope 都走 manager 的跨 scope 公开 API（findOwnedSession /
-    // findOwnedSessionScope）—— 否则 default-only SessionStore 找不到 persona owner-mode
-    // session，attachment 整套 RPC 对 persona session 都会报 "session not found"。
-    // 详见 fix(daemon) #703：file-sharing v1 预存 wiring bug，#701 把 desktop 默认 --tunnel
-    // 后首次让 desktop 用户用上 file-sharing 才被暴露。
     attachment: {
       groupFileStore,
-      sessionStore: { read: (sid) => manager.findOwnedSession(sid) },
       getHttpBaseUrl,
-      // HMAC sign secret：~/.clawd/auth.json signSecret 字段（与 WS Bearer token 独立）。
-      // --auth-token CLI 模式 / noAuth 模式 authFile 为 null → handler 自己返 NOT_IMPLEMENTED。
-      getSignSecret: () => authFile?.signSecret ?? "",
-      // group RPC + sign 都用：根据 sessionId 反查 scope。owner-mode persona session 走
+      // HMAC sign secret：复用 ~/.clawd/auth.json owner token（持久跨重启）。
+      // noAuth 模式 resolvedAuthToken 为 null → handler 自己返 NOT_IMPLEMENTED。
+      getSignSecret: () => resolvedAuthToken ?? "",
+      // group RPC：根据 sessionId 反查 scope；owner-mode persona session 走
       // 'persona/<pid>/owner'，default 走 'default'。
-      getSessionScope: (sid) => manager.findOwnedSessionScope(sid)
-    }
+      getSessionScope: (sessionId) => {
+        const file = store.read(sessionId);
+        if (!file) return null;
+        if (file.ownerPersonaId) {
+          return { kind: "persona", personaId: file.ownerPersonaId, mode: "owner" };
+        }
+        return { kind: "default" };
+      }
+    },
+    // Task 1.9: capability:issue/list/revoke handler 依赖
+    capabilityManager
   });
   const authResolver = new AuthContextResolver({
     ownerToken: resolvedAuthToken,
@@ -27939,9 +28653,8 @@ async function startDaemon(config) {
     personaStore,
     groupFileStore,
     sessionStore: store,
-    // /files HMAC verify 用 auth.json 的 signSecret 字段（与 attachment.signUrl 同源）。
-    // --auth-token CLI 模式没 signSecret → 路由返 501，sign URL 功能整体禁用。
-    getSignSecret: () => authFile?.signSecret ?? null
+    // /files HMAC verify 用同一份 owner token 做 secret（与 attachment.signUrl 同源）
+    getSignSecret: () => resolvedAuthToken ?? null
   });
   wsServer = new LocalWsServer({
     host: config.host,
@@ -28014,7 +28727,18 @@ async function startDaemon(config) {
     const requestId = typeof frame.requestId === "string" ? frame.requestId : void 0;
     const handler = handlers[type];
     if (!handler) throw new ClawdError(ERROR_CODES.METHOD_NOT_IMPLEMENTED, `not implemented: ${type}`);
-    const result = await handler(frame, client);
+    const ctx = wsServer.getClientContext(client.id) ?? ownerContext();
+    const verdict = computeGrantForFrame(type, frame);
+    if (verdict.kind === "check") {
+      const ok = assertGrant(ctx.grants, verdict.resource, verdict.action);
+      if (!ok) {
+        throw new ClawdError(
+          ERROR_CODES.UNAUTHORIZED,
+          `principal ${ctx.principal.kind}:${ctx.principal.id} cannot ${verdict.action} on ${verdict.resource.type}${"id" in verdict.resource ? ":" + verdict.resource.id : ""}`
+        );
+      }
+    }
+    const result = await handler(frame, client, ctx);
     if (requestId && result.response) {
       client.send({ ...result.response, requestId });
     }
@@ -28072,15 +28796,15 @@ async function startDaemon(config) {
     });
     try {
       const r = await tunnelMgr.start({ localPort: config.port });
-      stateSnapshot = { ...stateSnapshot, tunnelUrl: r.url, tunnelError: void 0 };
+      stateSnapshot = { ...stateSnapshot, tunnelUrl: r.url };
       stateMgr.write(stateSnapshot);
       currentTunnelUrl = r.url;
       const connectUrl = resolvedAuthToken ? `${r.url}#token=${resolvedAuthToken}` : r.url;
       const lines = [
         `Tunnel:      ${r.url}`,
         ...resolvedAuthToken ? [`Connect:     ${connectUrl}`] : [],
-        `Frpc config: ${import_node_path27.default.join(config.dataDir, "frpc.toml")}`,
-        `Frpc log:    ${import_node_path27.default.join(config.dataDir, "frpc.log")}`
+        `Frpc config: ${import_node_path26.default.join(config.dataDir, "frpc.toml")}`,
+        `Frpc log:    ${import_node_path26.default.join(config.dataDir, "frpc.log")}`
       ];
       const width = Math.max(...lines.map((l) => l.length));
       const bar = "\u2550".repeat(width + 4);
@@ -28093,30 +28817,19 @@ ${bar}
 `);
       try {
-        const connectPath = import_node_path27.default.join(config.dataDir, "connect.txt");
+        const connectPath = import_node_path26.default.join(config.dataDir, "connect.txt");
         import_node_fs24.default.writeFileSync(connectPath, lines.join("\n") + "\n", { mode: 384 });
       } catch {
       }
     } catch (err) {
-      const tunnelError = err?.message ?? String(err);
       try {
         await tunnelMgr.stop();
       } catch {
       }
       tunnelMgr = null;
-      stateSnapshot = { ...stateSnapshot, tunnelUrl: void 0, tunnelError };
-      try {
-        stateMgr.write(stateSnapshot);
-      } catch {
-      }
-      wss.broadcastAll({
-        type: "tunnel:unavailable",
-        reason: tunnelError,
-        failedAt: (/* @__PURE__ */ new Date()).toISOString()
-      });
-      process.stdout.write(`Tunnel:      unavailable (local mode) \u2014 ${tunnelError}
-`);
-      logger.warn("tunnel unavailable, degraded to local mode", { reason: tunnelError });
+      stateMgr.delete();
+      await wss.stop();
+      throw err;
     }
   }
   const shutdown = async () => {