@getpaseo/server 0.1.92 → 0.1.94

package/dist/server/server/auth.js

@@ -1,4 +1,5 @@
 import { compare, compareSync, hashSync } from "bcryptjs";
+import { timingSafeEqual } from "node:crypto";
 export const DAEMON_PASSWORD_BCRYPT_COST = 12;
 export function isBearerTokenValid(input) {
     return isBearerTokenValidSync(input);
@@ -98,6 +99,16 @@ const BEARER_AUTH_BYPASS_PATHS = new Set([
     // rejects requests without a valid token (400/403), so dropping the bearer
     // here does not make the route unauthenticated.
     "/api/files/download",
+    // The daemon injects its own agents' Paseo MCP connections at this endpoint
+    // (and connects its own per-client MCP client here). Those connections cannot
+    // carry the daemon password — it is only known in plaintext when set via env,
+    // never when set via the app — so the route authenticates them with a
+    // per-daemon-run capability token instead (see isAgentMcpRequestAuthorized).
+    // The token is injected only into local agent configs/sessions and never sent
+    // to remote clients, and the route still rejects callers presenting neither
+    // the token nor a valid daemon password, so dropping the global bearer here
+    // does not make the endpoint unauthenticated.
+    "/mcp/agents",
 ]);
 export function shouldBypassBearerAuth(method, path) {
     if (method === "OPTIONS") {
@@ -105,4 +116,28 @@ export function shouldBypassBearerAuth(method, path) {
     }
     return BEARER_AUTH_BYPASS_PATHS.has(path);
 }
+/**
+ * Authorizes a request to the Agent MCP endpoint (/mcp/agents), which is exempt
+ * from the global daemon-password middleware. Accepts either the per-daemon-run
+ * capability token the daemon injects into its own agents' configs and MCP
+ * client, or a valid daemon-password bearer (so existing password-authenticated
+ * callers keep working). When no daemon password is configured the endpoint is
+ * open, matching the global middleware's behavior.
+ */
+export async function isAgentMcpRequestAuthorized(input) {
+    if (!input.password) {
+        return true;
+    }
+    const token = extractHttpBearerToken(input.authorizationHeader);
+    if (input.capabilityToken !== null && token !== null) {
+        // Constant-time compare; length-guard first because timingSafeEqual throws
+        // on differing buffer lengths.
+        const provided = Buffer.from(token);
+        const expected = Buffer.from(input.capabilityToken);
+        if (provided.length === expected.length && timingSafeEqual(provided, expected)) {
+            return true;
+        }
+    }
+    return isBearerTokenValidAsync({ password: input.password, token });
+}
 //# sourceMappingURL=auth.js.map

package/dist/server/server/bootstrap.d.ts

@@ -19,6 +19,7 @@ import { AgentStorage } from "./agent/agent-storage.js";
 import type { TerminalManager } from "../terminal/terminal-manager.js";
 import type { PushNotificationSender } from "./push/notifications.js";
 import type { AgentClient, AgentProvider } from "./agent/agent-sdk-types.js";
+import type { TerminalProfile } from "@getpaseo/protocol/messages";
 import type { AgentProviderRuntimeSettingsMap, ProviderOverride } from "./agent/provider-launch-config.js";
 import type { PersistedConfig } from "./persisted-config.js";
 import { type ServiceProxySubsystem } from "./service-proxy.js";
@@ -57,6 +58,7 @@ export interface PaseoDaemonConfig {
     mcpInjectIntoAgents?: boolean;
     autoArchiveAfterMerge?: boolean;
     appendSystemPrompt?: string;
+    terminalProfiles?: TerminalProfile[];
     staticDir: string;
     mcpDebug: boolean;
     isDev?: boolean;

package/dist/server/server/bootstrap.js

@@ -104,7 +104,7 @@ import { ScriptHealthMonitor } from "./script-health-monitor.js";
 import { createScriptStatusEmitter } from "./script-status-projection.js";
 import { WorkspaceScriptRuntimeStore } from "./workspace-script-runtime-store.js";
 import { isHostnameAllowed } from "./hostnames.js";
-import { createRequireBearerMiddleware } from "./auth.js";
+import { createRequireBearerMiddleware, isAgentMcpRequestAuthorized, } from "./auth.js";
 const MAX_MCP_DEBUG_BATCH_ITEMS = 10;
 const REDACTED_LOG_VALUE = "[redacted]";
 const DOWNLOAD_OPEN_FLAGS = process.platform === "win32" ? constants.O_RDONLY : constants.O_RDONLY | constants.O_NOFOLLOW;
@@ -174,6 +174,9 @@ export async function createPaseoDaemon(config, rootLogger) {
         },
         autoArchiveAfterMerge: config.autoArchiveAfterMerge ?? false,
         appendSystemPrompt: config.appendSystemPrompt ?? "",
+        ...(config.terminalProfiles !== undefined
+            ? { terminalProfiles: config.terminalProfiles }
+            : {}),
     }, logger);
     const serverId = getOrCreateServerId(config.paseoHome, { logger });
     const daemonKeyPair = await loadOrCreateDaemonKeyPair(config.paseoHome, logger);
@@ -183,6 +186,14 @@ export async function createPaseoDaemon(config, rootLogger) {
     const downloadTokenStore = new DownloadTokenStore({
         ttlMs: downloadTokenTtlMs,
     });
+    // Capability token authenticating the daemon's own agents to the loopback
+    // Agent MCP endpoint (/mcp/agents). Random per daemon run, injected only into
+    // local agent configs and the daemon's own MCP client — never sent to remote
+    // clients — so it cannot be replayed off-box. This lets the injected MCP
+    // authenticate even when the daemon password is set via the app (hash only,
+    // no plaintext available). Mirrors the /api/files/download capability-token
+    // pattern.
+    const agentMcpAuthToken = randomUUID();
     const listenTarget = parseListenString(config.listen);
     const app = express();
     let boundListenTarget = null;
@@ -375,6 +386,10 @@ export async function createPaseoDaemon(config, rootLogger) {
         providerDefinitions: initialAgentManagerState.providerDefinitions,
         registry: agentStorage,
         appendSystemPrompt: config.appendSystemPrompt,
+        onWorkspaceStateMayHaveChanged: ({ cwd }) => {
+            workspaceGitService.onWorkspaceStateMayHaveChanged(cwd);
+        },
+        mcpAuthToken: agentMcpAuthToken,
         logger,
     });
     const detachAgentStoragePersistence = attachAgentStoragePersistence(logger, agentManager, agentStorage);
@@ -586,6 +601,18 @@ export async function createPaseoDaemon(config, rootLogger) {
             return transport;
         };
         const runAgentMcpRequest = async (req, res) => {
+            // This route is exempt from the global daemon-password middleware, so it
+            // authenticates here using the injected capability token (or a valid
+            // daemon password). Without this, a password-protected daemon would be
+            // wide open on its agent control plane.
+            if (!(await isAgentMcpRequestAuthorized({
+                password: config.auth?.password,
+                capabilityToken: agentMcpAuthToken,
+                authorizationHeader: req.header("authorization"),
+            }))) {
+                res.status(401).json({ error: "Unauthorized" });
+                return;
+            }
             if (config.mcpDebug) {
                 logger.debug({
                     method: req.method,

package/dist/server/server/config.js

@@ -192,6 +192,7 @@ function resolveStaticLoadConfigSettings(env, cli, persisted) {
         mcpInjectIntoAgents: cli?.mcpInjectIntoAgents ?? persisted.daemon?.mcp?.injectIntoAgents ?? false,
         autoArchiveAfterMerge: persisted.daemon?.autoArchiveAfterMerge ?? false,
         appendSystemPrompt: resolveAppendSystemPrompt(persisted),
+        terminalProfiles: persisted.daemon?.terminalProfiles,
         hostnames: mergeHostnames([
             persisted.daemon?.hostnames,
             parseHostnamesEnv(env.PASEO_HOSTNAMES ?? env.PASEO_ALLOWED_HOSTS),
@@ -204,7 +205,7 @@ export function loadConfig(paseoHome, options) {
     const env = options?.env ?? process.env;
     const persisted = loadPersistedConfig(paseoHome);
     const listen = resolveListenAddress(env, options?.cli, persisted);
-    const { mcpEnabled, mcpInjectIntoAgents, autoArchiveAfterMerge, appendSystemPrompt, hostnames, appBaseUrl, } = resolveStaticLoadConfigSettings(env, options?.cli, persisted);
+    const { mcpEnabled, mcpInjectIntoAgents, autoArchiveAfterMerge, appendSystemPrompt, terminalProfiles, hostnames, appBaseUrl, } = resolveStaticLoadConfigSettings(env, options?.cli, persisted);
     const relay = resolveRelayConfig({
         env,
         persisted,
@@ -229,6 +230,7 @@ export function loadConfig(paseoHome, options) {
         mcpInjectIntoAgents,
         autoArchiveAfterMerge,
         appendSystemPrompt,
+        terminalProfiles,
         mcpDebug: env.MCP_DEBUG === "1",
         isDev: resolvePaseoNodeEnv(env) === "development",
         agentStoragePath: path.join(paseoHome, "agents"),

package/dist/server/server/daemon-config-store.js

@@ -147,6 +147,9 @@ function mergeMutableConfigIntoPersistedConfig(params) {
             },
             autoArchiveAfterMerge: mutable.autoArchiveAfterMerge,
             appendSystemPrompt: mutable.appendSystemPrompt,
+            ...(mutable.terminalProfiles !== undefined
+                ? { terminalProfiles: mutable.terminalProfiles }
+                : {}),
         },
         agents: nextAgents,
     };

package/dist/server/server/loop-service.d.ts

@@ -15,14 +15,14 @@ declare const LoopLogEntrySchema: z.ZodObject<{
     level: "error" | "info";
     seq: number;
     timestamp: string;
-    source: "worker" | "loop" | "verifier" | "verify-check";
+    source: "loop" | "worker" | "verifier" | "verify-check";
     iteration: number | null;
 }, {
     text: string;
     level: "error" | "info";
     seq: number;
     timestamp: string;
-    source: "worker" | "loop" | "verifier" | "verify-check";
+    source: "loop" | "worker" | "verifier" | "verify-check";
     iteration: number | null;
 }>;
 declare const LoopVerifyCheckResultSchema: z.ZodObject<{
@@ -314,14 +314,14 @@ declare const LoopRecordSchema: z.ZodObject<{
         level: "error" | "info";
         seq: number;
         timestamp: string;
-        source: "worker" | "loop" | "verifier" | "verify-check";
+        source: "loop" | "worker" | "verifier" | "verify-check";
         iteration: number | null;
     }, {
         text: string;
         level: "error" | "info";
         seq: number;
         timestamp: string;
-        source: "worker" | "loop" | "verifier" | "verify-check";
+        source: "loop" | "worker" | "verifier" | "verify-check";
         iteration: number | null;
     }>, "many">;
     nextLogSeq: z.ZodNumber;
@@ -384,7 +384,7 @@ declare const LoopRecordSchema: z.ZodObject<{
         level: "error" | "info";
         seq: number;
         timestamp: string;
-        source: "worker" | "loop" | "verifier" | "verify-check";
+        source: "loop" | "worker" | "verifier" | "verify-check";
         iteration: number | null;
     }[];
     nextLogSeq: number;
@@ -445,7 +445,7 @@ declare const LoopRecordSchema: z.ZodObject<{
         level: "error" | "info";
         seq: number;
         timestamp: string;
-        source: "worker" | "loop" | "verifier" | "verify-check";
+        source: "loop" | "worker" | "verifier" | "verify-check";
         iteration: number | null;
     }[];
     nextLogSeq: number;

package/dist/server/server/persisted-config.d.ts

@@ -21,6 +21,25 @@ export declare const PersistedConfigSchema: z.ZodObject<{
         }, z.ZodTypeAny, "passthrough">>>;
         autoArchiveAfterMerge: z.ZodOptional<z.ZodBoolean>;
         appendSystemPrompt: z.ZodOptional<z.ZodString>;
+        terminalProfiles: z.ZodOptional<z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            name: z.ZodString;
+            command: z.ZodString;
+            args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            icon: z.ZodOptional<z.ZodString>;
+        }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+            id: z.ZodString;
+            name: z.ZodString;
+            command: z.ZodString;
+            args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            icon: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+            id: z.ZodString;
+            name: z.ZodString;
+            command: z.ZodString;
+            args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            icon: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">>, "many">>;
         cors: z.ZodOptional<z.ZodObject<{
             allowedOrigins: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
         }, "strict", z.ZodTypeAny, {
@@ -80,6 +99,13 @@ export declare const PersistedConfigSchema: z.ZodObject<{
         allowedHosts?: true | string[] | undefined;
         autoArchiveAfterMerge?: boolean | undefined;
         appendSystemPrompt?: string | undefined;
+        terminalProfiles?: z.objectOutputType<{
+            id: z.ZodString;
+            name: z.ZodString;
+            command: z.ZodString;
+            args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            icon: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">[] | undefined;
         cors?: {
             allowedOrigins?: string[] | undefined;
         } | undefined;
@@ -108,6 +134,13 @@ export declare const PersistedConfigSchema: z.ZodObject<{
         allowedHosts?: true | string[] | undefined;
         autoArchiveAfterMerge?: boolean | undefined;
         appendSystemPrompt?: string | undefined;
+        terminalProfiles?: z.objectInputType<{
+            id: z.ZodString;
+            name: z.ZodString;
+            command: z.ZodString;
+            args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            icon: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">[] | undefined;
         cors?: {
             allowedOrigins?: string[] | undefined;
         } | undefined;
@@ -135,6 +168,13 @@ export declare const PersistedConfigSchema: z.ZodObject<{
         hostnames?: true | string[] | undefined;
         autoArchiveAfterMerge?: boolean | undefined;
         appendSystemPrompt?: string | undefined;
+        terminalProfiles?: z.objectOutputType<{
+            id: z.ZodString;
+            name: z.ZodString;
+            command: z.ZodString;
+            args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            icon: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">[] | undefined;
         cors?: {
             allowedOrigins?: string[] | undefined;
         } | undefined;
@@ -163,6 +203,13 @@ export declare const PersistedConfigSchema: z.ZodObject<{
         allowedHosts?: true | string[] | undefined;
         autoArchiveAfterMerge?: boolean | undefined;
         appendSystemPrompt?: string | undefined;
+        terminalProfiles?: z.objectInputType<{
+            id: z.ZodString;
+            name: z.ZodString;
+            command: z.ZodString;
+            args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            icon: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">[] | undefined;
         cors?: {
             allowedOrigins?: string[] | undefined;
         } | undefined;
@@ -853,6 +900,13 @@ export declare const PersistedConfigSchema: z.ZodObject<{
         hostnames?: true | string[] | undefined;
         autoArchiveAfterMerge?: boolean | undefined;
         appendSystemPrompt?: string | undefined;
+        terminalProfiles?: z.objectOutputType<{
+            id: z.ZodString;
+            name: z.ZodString;
+            command: z.ZodString;
+            args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            icon: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">[] | undefined;
         cors?: {
             allowedOrigins?: string[] | undefined;
         } | undefined;
@@ -992,6 +1046,13 @@ export declare const PersistedConfigSchema: z.ZodObject<{
         allowedHosts?: true | string[] | undefined;
         autoArchiveAfterMerge?: boolean | undefined;
         appendSystemPrompt?: string | undefined;
+        terminalProfiles?: z.objectInputType<{
+            id: z.ZodString;
+            name: z.ZodString;
+            command: z.ZodString;
+            args: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+            icon: z.ZodOptional<z.ZodString>;
+        }, z.ZodTypeAny, "passthrough">[] | undefined;
         cors?: {
             allowedOrigins?: string[] | undefined;
         } | undefined;

package/dist/server/server/persisted-config.js

@@ -3,6 +3,7 @@ import path from "node:path";
 import { z } from "zod";
 import { AgentProviderRuntimeSettingsMapSchema, migrateProviderSettings, ProviderOverridesSchema, } from "./agent/provider-launch-config.js";
 import { ensurePrivateFile, writePrivateFileAtomicSync } from "./private-files.js";
+import { TerminalProfileSchema } from "@getpaseo/protocol/messages";
 export const LogLevelSchema = z.enum(["trace", "debug", "info", "warn", "error", "fatal"]);
 export const LogFormatSchema = z.enum(["pretty", "json"]);
 const LogConfigSchema = z
@@ -187,6 +188,7 @@ export const PersistedConfigSchema = z
             .optional(),
         autoArchiveAfterMerge: z.boolean().optional(),
         appendSystemPrompt: z.string().optional(),
+        terminalProfiles: z.array(TerminalProfileSchema).optional(),
         cors: z
             .object({
             allowedOrigins: z.array(z.string()).optional(),

package/dist/server/server/session.d.ts

@@ -415,6 +415,7 @@ export declare class Session {
     private resolveCurrentPullRequest;
     private handleCheckoutPrStatusRequest;
     private handlePullRequestTimelineRequest;
+    private handleCheckoutGithubGetCheckDetailsRequest;
     private handlePaseoWorktreeListRequest;
     private handlePaseoWorktreeArchiveRequest;
     /**

package/dist/server/server/session.js

@@ -356,6 +356,12 @@ export class Session {
             hasBinaryChannel: () => this.onBinaryMessage !== null,
             isPathWithinRoot: (rootPath, candidatePath) => this.isPathWithinRoot(rootPath, candidatePath),
             sessionLogger: this.sessionLogger,
+            listTerminalWorkspaceRoots: async () => {
+                const workspaces = await this.workspaceRegistry.list();
+                return workspaces
+                    .filter((workspace) => !workspace.archivedAt)
+                    .map((workspace) => workspace.cwd);
+            },
             clientSupportsWrapReflow: () => this.clientCapabilities.has(CLIENT_CAPS.terminalReflowableSnapshot),
         });
         this.createAgentLifecycleDispatch = new CreateAgentLifecycleDispatch({
@@ -586,7 +592,10 @@ export class Session {
                 this.sessionLogger.info("Skipping Agent MCP initialization because no MCP base URL is configured");
                 return;
             }
-            const transport = new StreamableHTTPClientTransport(new URL(this.mcpBaseUrl));
+            const authToken = this.agentManager.getMcpAuthToken();
+            const transport = new StreamableHTTPClientTransport(new URL(this.mcpBaseUrl), authToken
+                ? { requestInit: { headers: { Authorization: `Bearer ${authToken}` } } }
+                : undefined);
             this.agentMcpClient = await experimental_createMCPClient({
                 transport,
             });
@@ -1279,6 +1288,8 @@ export class Session {
                 return this.handleCheckoutPrMergeRequest(msg);
             case "checkout.github.set_auto_merge.request":
                 return this.handleCheckoutGithubSetAutoMergeRequest(msg);
+            case "checkout.github.get_check_details.request":
+                return this.handleCheckoutGithubGetCheckDetailsRequest(msg);
             case "checkout_pr_status_request":
                 return this.handleCheckoutPrStatusRequest(msg);
             case "pull_request_timeline_request":
@@ -4276,6 +4287,43 @@ export class Session {
             });
         }
     }
+    async handleCheckoutGithubGetCheckDetailsRequest(msg) {
+        const { cwd, repoOwner, repoName, checkRunId, workflowRunId, requestId } = msg;
+        try {
+            const details = await this.github.getGitHubCheckDetails({
+                cwd,
+                repoOwner,
+                repoName,
+                checkRunId,
+                workflowRunId,
+            });
+            this.emit({
+                type: "checkout.github.get_check_details.response",
+                payload: {
+                    cwd,
+                    success: true,
+                    details,
+                    error: null,
+                    requestId,
+                },
+            });
+        }
+        catch (error) {
+            this.emit({
+                type: "checkout.github.get_check_details.response",
+                payload: {
+                    cwd,
+                    success: false,
+                    details: null,
+                    error: {
+                        code: "UNKNOWN",
+                        message: error instanceof Error ? error.message : String(error),
+                    },
+                    requestId,
+                },
+            });
+        }
+    }
     async handlePaseoWorktreeListRequest(msg) {
         return handleWorktreeListRequest({
             emit: (message) => this.emit(message),
@@ -7135,7 +7183,6 @@ function isValidGitHubRepoSegment(value) {
     return /^[A-Za-z0-9._-]+$/.test(value);
 }
 function toPullRequestTimelinePayloadItem(item) {
-    const { authorUrl: _authorUrl, ...payload } = item;
-    return payload;
+    return item;
 }
 //# sourceMappingURL=session.js.map

package/dist/server/server/websocket-server.js

@@ -85,6 +85,7 @@ function createFallbackWorkspaceGitService() {
             unsubscribe: () => { },
         }),
         scheduleRefreshForCwd: () => { },
+        onWorkspaceStateMayHaveChanged: () => { },
         dispose: () => { },
     };
 }
@@ -719,6 +720,7 @@ export class VoiceAssistantWebSocketServer {
                 providersSnapshot: true,
                 // COMPAT(checkoutGithubSetAutoMerge): added in v0.1.75, remove gate after 2026-11-13.
                 checkoutGithubSetAutoMerge: true,
+                githubCheckDetails: true,
                 // COMPAT(daemonStatusRpc): added in v0.1.76, remove gate after 2026-11-18.
                 daemonStatusRpc: true,
                 // COMPAT(terminalRestoreModes): added in v0.1.81, remove gate after 2026-11-23.

package/dist/server/server/workspace-git-service.d.ts

@@ -89,6 +89,7 @@ export interface WorkspaceGitService {
         unsubscribe: () => void;
     }>;
     scheduleRefreshForCwd(cwd: string): void;
+    onWorkspaceStateMayHaveChanged(cwd: string): void;
     dispose(): void;
 }
 export type WorkspaceGitListener = (snapshot: WorkspaceGitRuntimeSnapshot) => void;
@@ -201,6 +202,7 @@ export declare class WorkspaceGitServiceImpl implements WorkspaceGitService {
         unsubscribe: () => void;
     }>;
     scheduleRefreshForCwd(cwd: string): void;
+    onWorkspaceStateMayHaveChanged(cwd: string): void;
     dispose(): void;
     private ensureWorkspaceTarget;
     private readAuxiliaryCache;
@@ -233,7 +235,8 @@ export declare class WorkspaceGitServiceImpl implements WorkspaceGitService {
     private normalizeRefreshRequest;
     private resolveGitHubRemoteForTarget;
     private shouldThrottleNonForcedRefresh;
-    private mergeQueuedRefresh;
+    private buildScheduledRefreshRequest;
+    private mergeRefreshRequests;
     private runWorkspaceRefreshLoop;
     private refreshSnapshot;
     private refreshGitSnapshot;

package/dist/server/server/workspace-git-service.js

@@ -12,7 +12,7 @@ import { listPaseoWorktrees } from "../utils/worktree.js";
 import { READ_ONLY_GIT_ENV } from "./checkout-git-utils.js";
 import { buildWorkspaceGitMetadataFromSnapshot, } from "./workspace-git-metadata.js";
 import { checkoutLiteFromGitSnapshot, normalizeWorkspaceId } from "./workspace-registry-model.js";
-const WORKSPACE_GIT_WATCH_DEBOUNCE_MS = 500;
+const WORKSPACE_GIT_WATCH_DEBOUNCE_MS = 1000;
 const BACKGROUND_GIT_FETCH_INTERVAL_MS = 180000;
 export const WORKSPACE_GIT_SELF_HEAL_INTERVAL_MS = 60000;
 const WORKING_TREE_WATCH_FALLBACK_REFRESH_MS = 5000;
@@ -295,6 +295,19 @@ export class WorkspaceGitServiceImpl {
             this.scheduleWorkspaceRefresh(target);
         }
     }
+    onWorkspaceStateMayHaveChanged(cwd) {
+        const normalizedCwd = normalizeWorkspaceId(cwd);
+        const target = this.workspaceTargets.get(normalizedCwd);
+        if (!target || target.closed) {
+            return;
+        }
+        this.deps.github.invalidate({ cwd: normalizedCwd });
+        this.scheduleWorkspaceRefresh(target, {
+            force: true,
+            includeGitHub: true,
+            reason: "external-state-change",
+        });
+    }
     dispose() {
         for (const target of this.workspaceTargets.values()) {
             this.closeWorkspaceTarget(target);
@@ -384,6 +397,7 @@ export class WorkspaceGitServiceImpl {
             listeners: new Set(),
             watchers: [],
             debounceTimer: null,
+            pendingDebounceRequest: null,
             selfHealTimer: null,
             githubPollSubscription: null,
             githubPollKey: null,
@@ -640,6 +654,8 @@ export class WorkspaceGitServiceImpl {
         if (!target || target.closed || this.workspaceTargets.get(target.cwd) !== target) {
             return;
         }
+        const request = this.buildScheduledRefreshRequest(options);
+        target.pendingDebounceRequest = this.mergeRefreshRequests(target.pendingDebounceRequest, request);
         if (target.debounceTimer) {
             clearTimeout(target.debounceTimer);
         }
@@ -648,12 +664,11 @@ export class WorkspaceGitServiceImpl {
                 return;
             }
             target.debounceTimer = null;
-            void this.refreshWorkspaceTarget(target, {
-                force: options?.force === true,
-                includeGitHub: false,
-                reason: options?.reason ?? "watch",
-                notify: true,
-            });
+            const merged = target.pendingDebounceRequest;
+            target.pendingDebounceRequest = null;
+            if (merged) {
+                void this.refreshWorkspaceTarget(target, merged);
+            }
         }, WORKSPACE_GIT_WATCH_DEBOUNCE_MS);
     }
     startWorkspaceSubscriptionTimers(target) {
@@ -923,7 +938,7 @@ export class WorkspaceGitServiceImpl {
             const needsForcedRefresh = request.force && !target.refreshState.force;
             const needsGitHubRefresh = request.force && request.includeGitHub && !target.refreshState.includeGitHub;
             if (needsForcedRefresh || needsGitHubRefresh) {
-                target.refreshState.queued = this.mergeQueuedRefresh(target.refreshState.queued, request);
+                target.refreshState.queued = this.mergeRefreshRequests(target.refreshState.queued, request);
             }
             return target.refreshState.promise;
         }
@@ -975,23 +990,26 @@ export class WorkspaceGitServiceImpl {
         }
         return this.deps.now().getTime() - target.lastShellOutAtMs < WORKSPACE_GIT_INTERNAL_MIN_GAP_MS;
     }
-    mergeQueuedRefresh(queued, request) {
-        if (!queued) {
-            return {
-                force: request.force,
-                includeGitHub: request.includeGitHub,
-                reason: request.reason,
-                notify: request.notify,
-            };
+    buildScheduledRefreshRequest(options) {
+        return {
+            force: options?.force === true,
+            includeGitHub: options?.includeGitHub ?? false,
+            reason: options?.reason ?? "watch",
+            notify: true,
+        };
+    }
+    mergeRefreshRequests(pending, request) {
+        if (!pending) {
+            return request;
         }
-        const force = queued.force || request.force;
-        const upgradesForce = request.force && !queued.force;
-        const upgradesGitHub = request.includeGitHub && !queued.includeGitHub;
+        const force = pending.force || request.force;
+        const upgradesForce = request.force && !pending.force;
+        const upgradesGitHub = request.includeGitHub && !pending.includeGitHub;
         return {
             force,
-            includeGitHub: queued.includeGitHub || request.includeGitHub,
-            reason: upgradesForce || upgradesGitHub ? request.reason : queued.reason,
-            notify: queued.notify || request.notify,
+            includeGitHub: pending.includeGitHub || request.includeGitHub,
+            reason: upgradesForce || upgradesGitHub ? request.reason : pending.reason,
+            notify: pending.notify || request.notify,
         };
     }
     async runWorkspaceRefreshLoop(target, initialRequest) {