@hydra-acp/cli 0.1.21 → 0.1.23

package/dist/index.js

@@ -1,5 +1,5 @@
 // src/daemon/server.ts
-import * as fs10 from "fs";
+import * as fs14 from "fs";
 import * as fsp4 from "fs/promises";
 import Fastify from "fastify";
 import websocketPlugin from "@fastify/websocket";
@@ -7,7 +7,7 @@ import pino from "pino";
 import createPinoRoll from "pino-roll";
 
 // src/core/config.ts
-import * as fs from "fs/promises";
+import * as fs2 from "fs/promises";
 import { homedir as homedir2 } from "os";
 import { z } from "zod";
 
@@ -62,6 +62,12 @@ var paths = {
   sessionDir: (id) => path.join(hydraHome(), "sessions", id),
   sessionFile: (id) => path.join(hydraHome(), "sessions", id, "meta.json"),
   historyFile: (id) => path.join(hydraHome(), "sessions", id, "history.jsonl"),
+  // Persisted prompt queue for a session. ndjson, one record per
+  // entry. Survives daemon restarts so queued prompts get a chance to
+  // run rather than being silently lost. Entries are removed BEFORE
+  // the agent invocation (see Session.drainQueue) so a crash mid-
+  // generation doesn't double-run on restart.
+  queueFile: (id) => path.join(hydraHome(), "sessions", id, "queue.ndjson"),
   extensionsDir: () => path.join(hydraHome(), "extensions"),
   extensionLogFile: (name) => path.join(hydraHome(), "extensions", `${name}.log`),
   extensionPidFile: (name) => path.join(hydraHome(), "extensions", `${name}.pid`),
@@ -69,16 +75,70 @@ var paths = {
   tuiLogFile: () => path.join(hydraHome(), "tui.log")
 };
 
+// src/core/service-token.ts
+import * as fs from "fs/promises";
+function generateServiceToken() {
+  const bytes = new Uint8Array(32);
+  crypto.getRandomValues(bytes);
+  let hex = "";
+  for (const b of bytes) {
+    hex += b.toString(16).padStart(2, "0");
+  }
+  return `hydra_token_${hex}`;
+}
+async function readServiceToken() {
+  try {
+    const text = await fs.readFile(paths.authToken(), "utf8");
+    const trimmed = text.trim();
+    return trimmed.length > 0 ? trimmed : void 0;
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") {
+      return void 0;
+    }
+    throw err;
+  }
+}
+async function loadServiceToken() {
+  const token = await readServiceToken();
+  if (!token) {
+    throw new Error(
+      `No service token found at ${paths.authToken()}. Run \`hydra-acp init\` to create one.`
+    );
+  }
+  return token;
+}
+async function writeServiceToken(token) {
+  await fs.mkdir(paths.home(), { recursive: true });
+  await fs.writeFile(paths.authToken(), token + "\n", {
+    encoding: "utf8",
+    mode: 384
+  });
+}
+async function ensureServiceToken() {
+  const existing = await readServiceToken();
+  if (existing) {
+    return existing;
+  }
+  const token = generateServiceToken();
+  await writeServiceToken(token);
+  process.stderr.write(
+    `hydra-acp: initialized ${paths.authToken()} with a fresh service token.
+`
+  );
+  return token;
+}
+
 // src/core/config.ts
 var REGISTRY_URL_DEFAULT = "https://cdn.agentclientprotocol.com/registry/v1/latest/registry.json";
 var TlsConfig = z.object({
   cert: z.string(),
   key: z.string()
 });
+var DEFAULT_DAEMON_PORT = 55514;
 var DaemonConfig = z.object({
   host: z.string().default("127.0.0.1"),
-  port: z.number().int().positive().default(8765),
-  authToken: z.string().min(16),
+  port: z.number().int().positive().default(DEFAULT_DAEMON_PORT),
   logLevel: z.enum(["debug", "info", "warn", "error"]).default("info"),
   tls: TlsConfig.optional(),
   sessionIdleTimeoutSeconds: z.number().int().nonnegative().default(3600),
@@ -139,7 +199,7 @@ var ExtensionBody = z.object({
   enabled: z.boolean().default(true)
 });
 var HydraConfig = z.object({
-  daemon: DaemonConfig,
+  daemon: DaemonConfig.default({}),
   registry: RegistryConfig.default({ url: REGISTRY_URL_DEFAULT, ttlHours: 24 }),
   defaultAgent: z.string().default("claude-acp"),
   // Optional per-agent default model id. When a brand-new agent process
@@ -159,6 +219,11 @@ var HydraConfig = z.object({
   // recency and truncated to this count. `--all` overrides in the CLI.
   sessionListColdLimit: z.number().int().nonnegative().default(20),
   extensions: z.record(ExtensionName, ExtensionBody).default({}),
+  // npm registry URL used when installing npm-distributed agents into
+  // ~/.hydra-acp/agents. Overrides the global ~/.npmrc registry so a
+  // corporate .npmrc pointing at an internal registry doesn't break
+  // public-package installs. Omit to let npm use its own defaults.
+  npmRegistry: z.string().url().optional(),
   tui: TuiConfig.default({
     repaintThrottleMs: 1e3,
     maxScrollbackLines: 1e4,
@@ -168,9 +233,6 @@ var HydraConfig = z.object({
     progressIndicator: true
   })
 });
-var HydraConfigReadOnly = HydraConfig.extend({
-  daemon: DaemonConfig.omit({ authToken: true }).default({})
-});
 function extensionList(config) {
   return Object.entries(config.extensions).map(([name, body]) => ({
     name,
@@ -180,7 +242,7 @@ function extensionList(config) {
 async function readConfigFile() {
   let raw;
   try {
-    raw = await fs.readFile(paths.config(), "utf8");
+    raw = await fs2.readFile(paths.config(), "utf8");
   } catch (err) {
     const e = err;
     if (e.code === "ENOENT") {
@@ -190,44 +252,34 @@ async function readConfigFile() {
   }
   return JSON.parse(raw);
 }
-async function loadAuthToken() {
-  let tokenFile;
+async function migrateLegacyAuthToken() {
+  const raw = await readConfigFile();
+  const daemon = raw.daemon;
+  const legacy = daemon && typeof daemon.authToken === "string" ? daemon.authToken : void 0;
+  if (!legacy) {
+    return;
+  }
+  let tokenFileExists = false;
   try {
-    const text = await fs.readFile(paths.authToken(), "utf8");
-    const trimmed = text.trim();
-    if (trimmed.length > 0) {
-      tokenFile = trimmed;
-    }
+    await fs2.access(paths.authToken());
+    tokenFileExists = true;
   } catch (err) {
     const e = err;
     if (e.code !== "ENOENT") {
       throw err;
     }
   }
-  const raw = await readConfigFile();
-  const daemon = raw.daemon;
-  const legacy = daemon && typeof daemon.authToken === "string" ? daemon.authToken : void 0;
-  if (tokenFile && legacy) {
+  if (tokenFileExists) {
     throw new Error(
       `Auth token present in both ${paths.authToken()} and ${paths.config()} (daemon.authToken). Remove daemon.authToken from config.json to resolve.`
     );
   }
-  if (tokenFile) {
-    return tokenFile;
-  }
-  if (legacy) {
-    await migrateLegacyAuthToken(raw, daemon, legacy);
-    return legacy;
-  }
-  return void 0;
-}
-async function migrateLegacyAuthToken(raw, daemon, token) {
-  await writeAuthToken(token);
+  await writeServiceToken(legacy);
   delete daemon.authToken;
   if (Object.keys(daemon).length === 0) {
     delete raw.daemon;
   }
-  await fs.writeFile(paths.config(), JSON.stringify(raw, null, 2) + "\n", {
+  await fs2.writeFile(paths.config(), JSON.stringify(raw, null, 2) + "\n", {
     encoding: "utf8",
     mode: 384
   });
@@ -236,61 +288,19 @@ async function migrateLegacyAuthToken(raw, daemon, token) {
 `
   );
 }
-async function writeAuthToken(token) {
-  await fs.mkdir(paths.home(), { recursive: true });
-  await fs.writeFile(paths.authToken(), token + "\n", {
-    encoding: "utf8",
-    mode: 384
-  });
-}
 async function loadConfig() {
-  const token = await loadAuthToken();
-  if (!token) {
-    throw new Error(
-      `No auth token found at ${paths.authToken()}. Run \`hydra-acp init\` to create one.`
-    );
-  }
-  const raw = await readConfigFile();
-  const daemon = raw.daemon ??= {};
-  daemon.authToken = token;
-  return HydraConfig.parse(raw);
-}
-async function ensureConfig() {
-  if (!await loadAuthToken()) {
-    const token = generateAuthToken();
-    await writeAuthToken(token);
-    process.stderr.write(
-      `hydra-acp: initialized ${paths.authToken()} with a fresh auth token.
-`
-    );
-  }
-  return loadConfig();
+  await migrateLegacyAuthToken();
+  return HydraConfig.parse(await readConfigFile());
 }
 async function writeConfig(config) {
-  await fs.mkdir(paths.home(), { recursive: true });
-  const { daemon, ...rest } = config;
-  const { authToken: _authToken, ...daemonRest } = daemon;
-  const onDisk = { ...rest, daemon: daemonRest };
-  await fs.writeFile(paths.config(), JSON.stringify(onDisk, null, 2) + "\n", {
+  await fs2.mkdir(paths.home(), { recursive: true });
+  await fs2.writeFile(paths.config(), JSON.stringify(config, null, 2) + "\n", {
     encoding: "utf8",
     mode: 384
   });
 }
-function generateAuthToken() {
-  const bytes = new Uint8Array(32);
-  crypto.getRandomValues(bytes);
-  let hex = "";
-  for (const b of bytes) {
-    hex += b.toString(16).padStart(2, "0");
-  }
-  return `hydra_token_${hex}`;
-}
 function defaultConfig() {
-  return HydraConfig.parse({
-    daemon: {
-      authToken: generateAuthToken()
-    }
-  });
+  return HydraConfig.parse({});
 }
 function expandHome(p) {
   if (p === "~" || p === "$HOME") {
@@ -306,11 +316,11 @@ function expandHome(p) {
 }
 
 // src/core/registry.ts
-import * as fs3 from "fs/promises";
+import * as fs4 from "fs/promises";
 import { z as z2 } from "zod";
 
 // src/core/binary-install.ts
-import * as fs2 from "fs";
+import * as fs3 from "fs";
 import * as fsp from "fs/promises";
 import * as path2 from "path";
 import { spawn } from "child_process";
@@ -415,7 +425,7 @@ async function downloadTo(args) {
     );
   }
   const total = Number(response.headers.get("content-length") ?? "0");
-  const out = fs2.createWriteStream(dest);
+  const out = fs3.createWriteStream(dest);
   const nodeStream = Readable.fromWeb(response.body);
   let received = 0;
   let lastEmit = Date.now();
@@ -541,7 +551,8 @@ async function ensureNpmPackage(args) {
   await installInto({
     agentId: args.agentId,
     packageSpec: args.packageSpec,
-    installDir
+    installDir,
+    registry: args.registry
   });
   if (!await fileExists2(binPath)) {
     throw new Error(
@@ -559,7 +570,8 @@ async function installInto(args) {
     );
     await runNpmInstall({
       packageSpec: args.packageSpec,
-      cwd: tempDir
+      cwd: tempDir,
+      registry: args.registry
     });
     try {
       await fsp2.rename(tempDir, args.installDir);
@@ -583,9 +595,10 @@ async function installInto(args) {
 }
 function runNpmInstall(args) {
   return new Promise((resolve3, reject) => {
+    const registryArgs = args.registry ? ["--registry", args.registry] : [];
     const child = spawn2(
       "npm",
-      ["install", "--no-audit", "--no-fund", "--silent", args.packageSpec],
+      ["install", "--no-audit", "--no-fund", "--silent", ...registryArgs, args.packageSpec],
       {
         cwd: args.cwd,
         stdio: ["ignore", "pipe", "pipe"]
@@ -738,7 +751,7 @@ var Registry = class {
   async readDiskCache() {
     let text;
     try {
-      text = await fs3.readFile(paths.registryCache(), "utf8");
+      text = await fs4.readFile(paths.registryCache(), "utf8");
     } catch (err) {
       const e = err;
       if (e.code === "ENOENT") {
@@ -764,7 +777,7 @@ var Registry = class {
   // without a lock file: the loser of the rename race just gets its
   // version replaced by the winner's.
   async writeDiskCache(cache) {
-    await fs3.mkdir(paths.home(), { recursive: true });
+    await fs4.mkdir(paths.home(), { recursive: true });
     const final = paths.registryCache();
     const tmp = `${final}.tmp-${process.pid}-${randSuffix()}`;
     const body = JSON.stringify(
@@ -773,10 +786,10 @@ var Registry = class {
       2
     ) + "\n";
     try {
-      await fs3.writeFile(tmp, body, "utf8");
-      await fs3.rename(tmp, final);
+      await fs4.writeFile(tmp, body, "utf8");
+      await fs4.rename(tmp, final);
     } catch (err) {
-      await fs3.unlink(tmp).catch(() => void 0);
+      await fs4.unlink(tmp).catch(() => void 0);
       throw err;
     }
   }
@@ -794,7 +807,7 @@ function npxPackageBasename(agent) {
   const atIdx = afterSlash.lastIndexOf("@");
   return atIdx <= 0 ? afterSlash : afterSlash.slice(0, atIdx);
 }
-async function planSpawn(agent, callerArgs = []) {
+async function planSpawn(agent, callerArgs = [], options = {}) {
   if (agent.distribution.npx) {
     const npx = agent.distribution.npx;
     const tail = callerArgs.length > 0 ? callerArgs : npx.args ?? [];
@@ -810,7 +823,8 @@ async function planSpawn(agent, callerArgs = []) {
       agentId: agent.id,
       version: agent.version ?? "current",
       packageSpec: npx.package,
-      bin
+      bin,
+      registry: options.npmRegistry
     });
     return {
       command: binPath,
@@ -995,6 +1009,58 @@ function extractHydraMeta(meta) {
       out.availableCommands = cmds;
     }
   }
+  if (typeof obj.promptQueueing === "boolean") {
+    out.promptQueueing = obj.promptQueueing;
+  }
+  if (Array.isArray(obj.queue)) {
+    const entries = [];
+    for (const raw of obj.queue) {
+      if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+        continue;
+      }
+      const r = raw;
+      const orig = r.originator;
+      if (typeof r.messageId !== "string" || !orig || typeof orig.clientId !== "string" || !Array.isArray(r.prompt) || typeof r.position !== "number" || typeof r.enqueuedAt !== "number") {
+        continue;
+      }
+      const originator = { clientId: orig.clientId };
+      if (typeof orig.name === "string") originator.name = orig.name;
+      if (typeof orig.version === "string") originator.version = orig.version;
+      entries.push({
+        messageId: r.messageId,
+        originator,
+        prompt: r.prompt,
+        position: r.position,
+        enqueuedAt: r.enqueuedAt
+      });
+    }
+    if (entries.length > 0) {
+      out.queue = entries;
+    }
+  }
+  if (Array.isArray(obj.availableModes)) {
+    const modes = [];
+    for (const raw of obj.availableModes) {
+      if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+        continue;
+      }
+      const m = raw;
+      if (typeof m.id !== "string") {
+        continue;
+      }
+      const mode = { id: m.id };
+      if (typeof m.name === "string") {
+        mode.name = m.name;
+      }
+      if (typeof m.description === "string") {
+        mode.description = m.description;
+      }
+      modes.push(mode);
+    }
+    if (modes.length > 0) {
+      out.availableModes = modes;
+    }
+  }
   return out;
 }
 function mergeMeta(passthrough, ours) {
@@ -1047,6 +1113,49 @@ var SessionPromptParams = z3.object({
 var SessionCancelParams = z3.object({
   sessionId: z3.string()
 });
+var PromptOriginatorSchema = z3.object({
+  clientId: z3.string(),
+  name: z3.string().optional(),
+  version: z3.string().optional()
+});
+var PromptQueueAddedParams = z3.object({
+  sessionId: z3.string(),
+  messageId: z3.string(),
+  originator: PromptOriginatorSchema,
+  prompt: z3.array(z3.unknown()),
+  // 0 = head (currently in-flight). At enqueue time the new entry's
+  // position equals the count of entries already ahead of it.
+  position: z3.number().int().nonnegative(),
+  queueDepth: z3.number().int().positive(),
+  enqueuedAt: z3.number()
+});
+var PromptQueueUpdatedParams = z3.object({
+  sessionId: z3.string(),
+  messageId: z3.string(),
+  prompt: z3.array(z3.unknown())
+});
+var PromptQueueRemovedParams = z3.object({
+  sessionId: z3.string(),
+  messageId: z3.string(),
+  reason: z3.enum(["started", "cancelled", "abandoned"])
+});
+var CancelPromptParams = z3.object({
+  sessionId: z3.string(),
+  messageId: z3.string()
+});
+var CancelPromptResult = z3.object({
+  cancelled: z3.boolean(),
+  reason: z3.enum(["ok", "not_found", "already_running"])
+});
+var UpdatePromptParams = z3.object({
+  sessionId: z3.string(),
+  messageId: z3.string(),
+  prompt: z3.array(z3.unknown())
+});
+var UpdatePromptResult = z3.object({
+  updated: z3.boolean(),
+  reason: z3.enum(["ok", "not_found", "already_running"])
+});
 var ProxyInitializeParams = z3.object({
   protocolVersion: z3.number().optional(),
   proxyInfo: z3.object({
@@ -1435,7 +1544,7 @@ stderr: ${tail}` : reason;
 };
 
 // src/core/session-manager.ts
-import * as fs8 from "fs/promises";
+import * as fs10 from "fs/promises";
 import * as os2 from "os";
 import { customAlphabet as customAlphabet3 } from "nanoid";
 
@@ -1469,6 +1578,47 @@ function hydraCommandsAsAdvertised() {
   }));
 }
 
+// src/core/queue-store.ts
+import * as fs5 from "fs/promises";
+async function rewriteQueue(sessionId, entries) {
+  const file = paths.queueFile(sessionId);
+  if (entries.length === 0) {
+    await fs5.unlink(file).catch(() => void 0);
+    return;
+  }
+  await fs5.mkdir(paths.sessionDir(sessionId), { recursive: true });
+  const body = entries.map((e) => JSON.stringify(e)).join("\n") + "\n";
+  await fs5.writeFile(file, body, "utf8");
+}
+async function loadQueue(sessionId) {
+  const file = paths.queueFile(sessionId);
+  let text;
+  try {
+    text = await fs5.readFile(file, "utf8");
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      return [];
+    }
+    throw err;
+  }
+  const out = [];
+  for (const line of text.split("\n")) {
+    if (!line.trim()) continue;
+    try {
+      const parsed = JSON.parse(line);
+      if (parsed && typeof parsed.messageId === "string" && Array.isArray(parsed.prompt) && typeof parsed.enqueuedAt === "number") {
+        out.push(parsed);
+      }
+    } catch {
+    }
+  }
+  return out;
+}
+async function deleteQueue(sessionId) {
+  const file = paths.queueFile(sessionId);
+  await fs5.unlink(file).catch(() => void 0);
+}
+
 // src/core/session.ts
 var HYDRA_ID_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 var generateHydraId = customAlphabet(HYDRA_ID_ALPHABET, 16);
@@ -1504,7 +1654,18 @@ var Session = class {
   clients = /* @__PURE__ */ new Map();
   historyStore;
   promptQueue = [];
+  // The entry that drainQueue is currently awaiting. Distinct from
+  // promptQueue[0] (which is the *next* one to dequeue): once shifted
+  // off, the entry lives here for the duration of its task() so
+  // cancelQueuedPrompt can distinguish "still in line" from "running"
+  // and return already_running for the latter.
+  currentEntry;
   promptInFlight = false;
+  // Serialize disk writes to the persisted queue file. Without this
+  // chain, fire-and-forget appends/rewrites can interleave (e.g.
+  // drainQueue's rewrite-to-empty races a sibling's append-on-
+  // enqueue) and leave the file out of sync with in-memory state.
+  queueWriteChain = Promise.resolve();
   closed = false;
   closeHandlers = [];
   titleHandlers = [];
@@ -1557,10 +1718,14 @@ var Session = class {
   // can deliver the merged list via _meta without depending on history
   // replay.
   agentAdvertisedCommands = [];
+  // Last available_modes_update we observed from the agent. Same
+  // pattern as commands: cache, persist, broadcast on change.
+  agentAdvertisedModes = [];
   // Persist hooks for snapshot-shaped state. SessionManager hooks these
   // to mirror changes into meta.json so cold-resurrect attaches can
   // surface the latest snapshot via the attach response _meta.
   agentCommandsHandlers = [];
+  agentModesHandlers = [];
   modelHandlers = [];
   modeHandlers = [];
   usageHandlers = [];
@@ -1579,6 +1744,9 @@ var Session = class {
     if (init.agentCommands && init.agentCommands.length > 0) {
       this.agentAdvertisedCommands = [...init.agentCommands];
     }
+    if (init.agentModes && init.agentModes.length > 0) {
+      this.agentAdvertisedModes = [...init.agentModes];
+    }
     this.idleTimeoutMs = init.idleTimeoutMs ?? 0;
     this.spawnReplacementAgent = init.spawnReplacementAgent;
     this.logger = init.logger;
@@ -1607,6 +1775,15 @@ var Session = class {
       }
     });
   }
+  broadcastAvailableModes() {
+    this.recordAndBroadcast("session/update", {
+      sessionId: this.upstreamSessionId,
+      update: {
+        sessionUpdate: "available_modes_update",
+        availableModes: this.agentAdvertisedModes
+      }
+    });
+  }
   // Register session/update, session/request_permission, and onExit
   // handlers on an agent connection. Re-run on every /hydra agent so
   // the new agent is plumbed identically. The exit handler's identity
@@ -1624,6 +1801,11 @@ var Session = class {
         this.setAgentAdvertisedCommands(agentCmds);
         return;
       }
+      const agentModes = extractAdvertisedModes(params);
+      if (agentModes !== null) {
+        this.setAgentAdvertisedModes(agentModes);
+        return;
+      }
       if (this.maybeApplyAgentModel(params)) {
         this.recordAndBroadcast("session/update", params);
         return;
@@ -1800,7 +1982,7 @@ var Session = class {
           sessionId,
           update: {
             sessionUpdate: "current_mode_update",
-            currentMode: this.currentMode
+            currentModeId: this.currentMode
           }
         },
         recordedAt
@@ -1820,6 +2002,19 @@ var Session = class {
         recordedAt
       });
     }
+    if (this.agentAdvertisedModes.length > 0) {
+      out.push({
+        method: "session/update",
+        params: {
+          sessionId,
+          update: {
+            sessionUpdate: "available_modes_update",
+            availableModes: [...this.agentAdvertisedModes]
+          }
+        },
+        recordedAt
+      });
+    }
     if (this.currentUsage !== void 0) {
       const u = this.currentUsage;
       const update = {
@@ -1910,34 +2105,28 @@ var Session = class {
     if (promptText.startsWith("/hydra")) {
       return this.handleSlashCommand(promptText);
     }
-    this.broadcastPromptReceived(client, params);
+    const messageId = generateMessageId();
     this.maybeSeedTitleFromPrompt(params);
-    return this.enqueuePrompt(async () => {
-      let response;
-      try {
-        response = await this.agent.connection.request(
-          "session/prompt",
-          {
-            ...params,
-            sessionId: this.upstreamSessionId
-          }
-        );
-      } catch (err) {
-        this.broadcastTurnComplete(client.clientId, { stopReason: "error" });
-        throw err;
-      }
-      this.broadcastTurnComplete(client.clientId, response);
-      return response;
-    });
-  }
-  broadcastPromptReceived(client, params) {
-    const promptParams = params ?? {};
-    const sentBy = { clientId: client.clientId };
-    if (client.clientInfo?.name) {
-      sentBy.name = client.clientInfo.name;
-    }
-    if (client.clientInfo?.version) {
-      sentBy.version = client.clientInfo.version;
+    return this.enqueueUserPrompt(client, params, messageId);
+  }
+  // DEVIATION FROM RFD #533: this broadcast is deliberately deferred
+  // until the prompt actually becomes the active turn (i.e. drainQueue
+  // is about to forward it to the agent), NOT when hydra first accepts
+  // the request. The literal RFD doesn't pin the timing — it just says
+  // peers should learn about the turn — but it was authored before
+  // prompt queueing existed, so accept-time and start-time were the
+  // same moment. With hydra's per-session FIFO, deferring gives
+  // prompt_received a single, useful meaning ("the agent is now taking
+  // a turn on this prompt"), which is how attached clients (notably
+  // agent-shell) consume it. The accept-time signal that peers can use
+  // for queue chip rendering is hydra-acp/prompt_queue_added instead.
+  broadcastPromptReceived(entry) {
+    const sentBy = { clientId: entry.originator.clientId };
+    if (entry.originator.name) {
+      sentBy.name = entry.originator.name;
+    }
+    if (entry.originator.version) {
+      sentBy.version = entry.originator.version;
     }
     this.promptStartedAt = Date.now();
     this.recordAndBroadcast(
@@ -1946,14 +2135,14 @@ var Session = class {
         sessionId: this.sessionId,
         update: {
           sessionUpdate: "prompt_received",
-          messageId: generateMessageId(),
-          prompt: promptParams.prompt,
+          messageId: entry.messageId,
+          prompt: entry.prompt,
           sentBy
         }
       },
-      client.clientId
+      entry.clientId
     );
-    const text = extractPromptText(promptParams.prompt);
+    const text = extractPromptText(entry.prompt);
     if (text.length > 0) {
       this.recordAndBroadcast(
         "session/update",
@@ -1965,7 +2154,7 @@ var Session = class {
             _meta: { "hydra-acp": { compatFor: "prompt_received" } }
           }
         },
-        client.clientId
+        entry.clientId
       );
     }
   }
@@ -1988,6 +2177,172 @@ var Session = class {
       originatorClientId
     );
   }
+  // Total visible-or-running entries: the in-flight head (if any) plus
+  // the queue's user-visible waiting entries. Internal entries don't
+  // count — they're an implementation detail and the wire never
+  // surfaces them.
+  visibleQueueDepth() {
+    let count = this.currentEntry?.kind === "user" && !this.currentEntry.cancelled ? 1 : 0;
+    for (const entry of this.promptQueue) {
+      if (entry.kind === "user" && !entry.cancelled) count += 1;
+    }
+    return count;
+  }
+  broadcastQueueAdded(entry) {
+    const depth = this.visibleQueueDepth();
+    const position = Math.max(0, depth - 1);
+    const params = {
+      sessionId: this.sessionId,
+      messageId: entry.messageId,
+      originator: entry.originator,
+      prompt: entry.prompt,
+      position,
+      queueDepth: depth,
+      enqueuedAt: entry.enqueuedAt
+    };
+    this.broadcastQueueNotification("hydra-acp/prompt_queue_added", params);
+  }
+  broadcastQueueUpdated(messageId, prompt) {
+    this.broadcastQueueNotification("hydra-acp/prompt_queue_updated", {
+      sessionId: this.sessionId,
+      messageId,
+      prompt
+    });
+  }
+  broadcastQueueRemoved(messageId, reason) {
+    this.broadcastQueueNotification("hydra-acp/prompt_queue_removed", {
+      sessionId: this.sessionId,
+      messageId,
+      reason
+    });
+  }
+  // Fan-out for queue lifecycle notifications. Ephemeral by design —
+  // these signals describe transient daemon state, not conversation
+  // content, so we deliberately bypass recordAndBroadcast (no history,
+  // no idle-timer arm, no rewrite-for-client since we already emit the
+  // hydra sessionId).
+  broadcastQueueNotification(method, params) {
+    for (const client of this.clients.values()) {
+      void client.connection.notify(method, params).catch(() => void 0);
+    }
+  }
+  // Snapshot of user-visible queue state at this moment. Surfaced to
+  // late-attaching clients via the session/attach response _meta so
+  // they boot with the same chip list as their peers without waiting
+  // for new prompt_queue_added notifications. Internal entries are
+  // omitted (they're not surfaced on the wire at all).
+  queueSnapshot() {
+    const out = [];
+    let position = 0;
+    if (this.currentEntry?.kind === "user" && !this.currentEntry.cancelled) {
+      out.push({
+        messageId: this.currentEntry.messageId,
+        originator: this.currentEntry.originator,
+        prompt: this.currentEntry.prompt,
+        position: position++,
+        enqueuedAt: this.currentEntry.enqueuedAt
+      });
+    }
+    for (const entry of this.promptQueue) {
+      if (entry.kind !== "user" || entry.cancelled) continue;
+      out.push({
+        messageId: entry.messageId,
+        originator: entry.originator,
+        prompt: entry.prompt,
+        position: position++,
+        enqueuedAt: entry.enqueuedAt
+      });
+    }
+    return out;
+  }
+  // Wait for any pending queue-file writes to settle. Test hook so
+  // assertions about on-disk state don't race with fire-and-forget
+  // rewrites. Production code doesn't need this — the chain
+  // self-serializes.
+  async flushPersistWrites() {
+    await this.queueWriteChain.catch(() => void 0);
+  }
+  // Push pre-existing queue entries back through the daemon-side
+  // pipeline on startup. Called by SessionManager after resurrecting
+  // a session that had a non-empty queue.ndjson on disk. Each entry
+  // gets a synthetic UserPromptQueueEntry with no real caller
+  // (resolve/reject are no-ops since the original WS is long gone),
+  // then drainQueue picks it up like any other entry. Late-attaching
+  // clients see the entries via prompt_queue_added broadcasts and the
+  // attach-response snapshot.
+  replayPersistedQueue(entries) {
+    for (const persisted of entries) {
+      const originator = {
+        clientId: `hydra-resurrected_${persisted.messageId}`
+      };
+      if (persisted.originator.clientInfo.name !== void 0) {
+        originator.name = persisted.originator.clientInfo.name;
+      }
+      if (persisted.originator.clientInfo.version !== void 0) {
+        originator.version = persisted.originator.clientInfo.version;
+      }
+      const entry = {
+        kind: "user",
+        messageId: persisted.messageId,
+        originator,
+        // Synthetic clientId. broadcastTurnComplete uses this as
+        // excludeClientId for the peer-only broadcast; with a synthetic
+        // id no real attached client matches the exclude, so everyone
+        // sees turn_complete — which is what we want, since none of
+        // them originated this restart-replayed prompt.
+        clientId: originator.clientId,
+        prompt: persisted.prompt,
+        enqueuedAt: persisted.enqueuedAt,
+        cancelled: false,
+        resolve: () => void 0,
+        reject: () => void 0
+      };
+      this.promptQueue.push(entry);
+      this.broadcastQueueAdded(entry);
+    }
+    void this.drainQueue();
+  }
+  // Drop a queued prompt by messageId. Returns already_running when
+  // the messageId names the in-flight entry — callers should fall back
+  // to session/cancel for that case. Originator-agnostic: any attached
+  // client may cancel any queued prompt (matches the existing slack
+  // :stop_sign: reaction UX and the TUI's queue-edit dispatcher).
+  cancelQueuedPrompt(messageId) {
+    if (this.currentEntry?.messageId === messageId) {
+      return { cancelled: false, reason: "already_running" };
+    }
+    const idx = this.promptQueue.findIndex((e) => e.messageId === messageId);
+    if (idx < 0) {
+      return { cancelled: false, reason: "not_found" };
+    }
+    const entry = this.promptQueue[idx];
+    entry.cancelled = true;
+    this.promptQueue.splice(idx, 1);
+    if (entry.kind === "user") {
+      this.broadcastQueueRemoved(messageId, "cancelled");
+      this.persistRewrite();
+    }
+    entry.resolve({ stopReason: "cancelled" });
+    return { cancelled: true, reason: "ok" };
+  }
+  // Replace the prompt payload of a queued (not-yet-running) entry.
+  // Returns already_running for the in-flight head; not_found for
+  // unknown messageIds or for internal queue entries (internal tasks
+  // don't expose a mutable prompt). Broadcasts prompt_queue_updated on
+  // success so every attached client refreshes its chip.
+  updateQueuedPrompt(messageId, prompt) {
+    if (this.currentEntry?.messageId === messageId) {
+      return { updated: false, reason: "already_running" };
+    }
+    const entry = this.promptQueue.find((e) => e.messageId === messageId);
+    if (!entry || entry.kind !== "user") {
+      return { updated: false, reason: "not_found" };
+    }
+    entry.prompt = prompt;
+    this.broadcastQueueUpdated(messageId, prompt);
+    this.persistRewrite();
+    return { updated: true, reason: "ok" };
+  }
   async cancel(clientId) {
     const client = this.clients.get(clientId);
     if (!client) {
@@ -2114,7 +2469,7 @@ var Session = class {
     if (update.sessionUpdate !== "current_mode_update") {
       return false;
     }
-    const raw = typeof update.currentMode === "string" ? update.currentMode : typeof update.mode === "string" ? update.mode : void 0;
+    const raw = typeof update.currentModeId === "string" ? update.currentModeId : typeof update.currentMode === "string" ? update.currentMode : typeof update.mode === "string" ? update.mode : void 0;
     if (raw === void 0) {
       return true;
     }
@@ -2192,12 +2547,29 @@ var Session = class {
     }
     this.broadcastMergedCommands();
   }
+  setAgentAdvertisedModes(modes) {
+    if (sameAdvertisedModes(this.agentAdvertisedModes, modes)) {
+      this.broadcastAvailableModes();
+      return;
+    }
+    this.agentAdvertisedModes = modes;
+    for (const handler of this.agentModesHandlers) {
+      try {
+        handler(modes);
+      } catch {
+      }
+    }
+    this.broadcastAvailableModes();
+  }
   // Subscribe to snapshot-state updates. SessionManager wires these to
   // persist the new value into meta.json so cold resurrect can restore
   // them via the attach response _meta.
   onAgentCommandsChange(handler) {
     this.agentCommandsHandlers.push(handler);
   }
+  onAgentModesChange(handler) {
+    this.agentModesHandlers.push(handler);
+  }
   onModelChange(handler) {
     this.modelHandlers.push(handler);
   }
@@ -2219,6 +2591,10 @@ var Session = class {
   agentOnlyAdvertisedCommands() {
     return [...this.agentAdvertisedCommands];
   }
+  // The agent's advertised modes list, for callers that need a snapshot.
+  availableModes() {
+    return [...this.agentAdvertisedModes];
+  }
   // Pick up an agent-emitted session_info_update and store its title
   // as our canonical record. The notification is also forwarded to
   // clients via the surrounding recordAndBroadcast call. Authoritative
@@ -2531,6 +2907,20 @@ _(switched from \`${oldAgentId}\` to \`${newAgentId}\`)_
     }
     this.closed = true;
     this.cancelIdleTimer();
+    const stranded = this.promptQueue;
+    this.promptQueue = [];
+    for (const entry of stranded) {
+      entry.cancelled = true;
+      if (entry.kind === "user") {
+        this.broadcastQueueRemoved(entry.messageId, "abandoned");
+      }
+      try {
+        entry.resolve({ stopReason: "cancelled" });
+      } catch {
+      }
+    }
+    const sessionId = this.sessionId;
+    this.queueWriteChain = this.queueWriteChain.catch(() => void 0).then(() => deleteQueue(sessionId).catch(() => void 0));
     for (const client of this.clients.values()) {
       void client.connection.notify("hydra-acp/session_closed", { sessionId: this.sessionId }).catch(() => void 0);
     }
@@ -2576,7 +2966,7 @@ _(switched from \`${oldAgentId}\` to \`${newAgentId}\`)_
     if (this.closed || this.idleTimeoutMs <= 0) {
       return;
     }
-    if (this.turnStartedAt !== void 0 || this.inFlightPermissions.size > 0) {
+    if (this.turnStartedAt !== void 0 || this.inFlightPermissions.size > 0 || this.promptQueue.length > 0) {
       this.armIdleTimer(this.idleTimeoutMs);
       return;
     }
@@ -2705,20 +3095,88 @@ _(switched from \`${oldAgentId}\` to \`${newAgentId}\`)_
       }
     });
   }
+  // Schedule an internal task (title regen, agent swap transcript
+  // injection, import seed). Serializes behind any user prompts already
+  // in flight, but doesn't emit prompt_queue_* broadcasts — clients
+  // shouldn't see hydra's housekeeping in their chip list.
   async enqueuePrompt(task) {
     return new Promise((resolve3, reject) => {
-      const run2 = async () => {
-        try {
-          const result = await task();
-          resolve3(result);
-        } catch (err) {
-          reject(err);
-        }
+      const entry = {
+        kind: "internal",
+        messageId: generateMessageId(),
+        enqueuedAt: Date.now(),
+        cancelled: false,
+        task,
+        resolve: resolve3,
+        reject
+      };
+      this.promptQueue.push(entry);
+      void this.drainQueue();
+    });
+  }
+  // Schedule a user-originated session/prompt. Emits prompt_queue_added
+  // immediately on enqueue (so peer clients can render the queued chip)
+  // and prompt_queue_removed when the entry leaves the queue. The
+  // returned promise resolves with the upstream agent's session/prompt
+  // result, or { stopReason: "cancelled" } if the entry is dropped via
+  // cancelQueuedPrompt before reaching the head.
+  async enqueueUserPrompt(client, params, messageId) {
+    const promptArray = (params ?? {}).prompt ?? [];
+    const originator = { clientId: client.clientId };
+    if (client.clientInfo?.name) originator.name = client.clientInfo.name;
+    if (client.clientInfo?.version)
+      originator.version = client.clientInfo.version;
+    return new Promise((resolve3, reject) => {
+      const entry = {
+        kind: "user",
+        messageId,
+        originator,
+        clientId: client.clientId,
+        prompt: promptArray,
+        enqueuedAt: Date.now(),
+        cancelled: false,
+        resolve: resolve3,
+        reject
       };
-      this.promptQueue.push(run2);
+      this.promptQueue.push(entry);
+      this.persistRewrite();
+      this.broadcastQueueAdded(entry);
       void this.drainQueue();
     });
   }
+  // Rewrite the on-disk queue to reflect the current set of WAITING
+  // entries (excluding currentEntry, the in-flight head). Excluding
+  // the head is the key idempotency choice: once drainQueue shifts an
+  // entry off and calls persistRewrite, a daemon crash mid-generation
+  // will NOT re-run it on restart. Partial output (if any streamed
+  // before the crash) stays in history; the prompt itself is lost
+  // and the user can re-submit if they care.
+  //
+  // Snapshots in-memory state synchronously (so subsequent mutations
+  // can't perturb what we're about to write) and chains the write
+  // onto queueWriteChain so all persists are serialized.
+  persistRewrite() {
+    const entries = [];
+    for (const entry of this.promptQueue) {
+      if (entry.kind !== "user" || entry.cancelled) continue;
+      entries.push(this.persistedFromEntry(entry));
+    }
+    const sessionId = this.sessionId;
+    this.queueWriteChain = this.queueWriteChain.catch(() => void 0).then(() => rewriteQueue(sessionId, entries).catch(() => void 0));
+  }
+  persistedFromEntry(entry) {
+    return {
+      messageId: entry.messageId,
+      originator: {
+        clientInfo: {
+          ...entry.originator.name !== void 0 ? { name: entry.originator.name } : {},
+          ...entry.originator.version !== void 0 ? { version: entry.originator.version } : {}
+        }
+      },
+      prompt: entry.prompt,
+      enqueuedAt: entry.enqueuedAt
+    };
+  }
   async drainQueue() {
     if (this.promptInFlight) {
       return;
@@ -2727,14 +3185,64 @@ _(switched from \`${oldAgentId}\` to \`${newAgentId}\`)_
     try {
       while (this.promptQueue.length > 0) {
         const next = this.promptQueue.shift();
-        if (next) {
-          await next();
+        if (!next) {
+          break;
+        }
+        if (next.cancelled) {
+          continue;
+        }
+        this.currentEntry = next;
+        if (next.kind === "user") {
+          this.persistRewrite();
+        }
+        if (next.kind === "user") {
+          this.broadcastQueueRemoved(next.messageId, "started");
+        }
+        try {
+          const result = await this.runQueueEntry(next);
+          next.resolve(result);
+        } catch (err) {
+          next.reject(err);
+        } finally {
+          this.currentEntry = void 0;
         }
       }
     } finally {
       this.promptInFlight = false;
     }
   }
+  // Execute a queue entry. User-prompt entries forward to the upstream
+  // agent and pair with broadcastTurnComplete; internal entries run
+  // their captured task closure. Reads entry.prompt at dispatch time
+  // so updateQueuedPrompt's mutations are honoured.
+  //
+  // For user entries, broadcastPromptReceived fires HERE — not in
+  // Session.prompt — so peer clients see prompt_received only when the
+  // turn actually starts (a deliberate deviation from a naive reading
+  // of RFD #533; see the comment on broadcastPromptReceived). Order on
+  // the wire: prompt_queue_removed{started} (already emitted by
+  // drainQueue) → prompt_received → upstream session/prompt.
+  async runQueueEntry(entry) {
+    if (entry.kind === "internal") {
+      return entry.task();
+    }
+    this.broadcastPromptReceived(entry);
+    let response;
+    try {
+      response = await this.agent.connection.request(
+        "session/prompt",
+        {
+          sessionId: this.upstreamSessionId,
+          prompt: entry.prompt
+        }
+      );
+    } catch (err) {
+      this.broadcastTurnComplete(entry.clientId, { stopReason: "error" });
+      throw err;
+    }
+    this.broadcastTurnComplete(entry.clientId, response);
+    return response;
+  }
 };
 function withCode(err, code) {
   err.code = code;
@@ -2745,6 +3253,7 @@ var STATE_UPDATE_KINDS = /* @__PURE__ */ new Set([
   "current_model_update",
   "current_mode_update",
   "available_commands_update",
+  "available_modes_update",
   "usage_update"
 ]);
 function isStateUpdate(method, params) {
@@ -2766,10 +3275,51 @@ function sameAdvertisedCommands(a, b) {
   }
   return true;
 }
-function captureInternalChunk(capture, params) {
-  const obj = params ?? {};
-  const update = obj.update ?? {};
-  if (update.sessionUpdate !== "agent_message_chunk") {
+function sameAdvertisedModes(a, b) {
+  if (a.length !== b.length) {
+    return false;
+  }
+  for (let i = 0; i < a.length; i++) {
+    if (a[i]?.id !== b[i]?.id || a[i]?.name !== b[i]?.name || a[i]?.description !== b[i]?.description) {
+      return false;
+    }
+  }
+  return true;
+}
+function extractAdvertisedModes(params) {
+  const obj = params ?? {};
+  const update = obj.update ?? {};
+  if (update.sessionUpdate !== "available_modes_update") {
+    return null;
+  }
+  const list = update.availableModes;
+  if (!Array.isArray(list)) {
+    return [];
+  }
+  const out = [];
+  for (const raw of list) {
+    if (!raw || typeof raw !== "object") {
+      continue;
+    }
+    const m = raw;
+    if (typeof m.id !== "string" || m.id.length === 0) {
+      continue;
+    }
+    const mode = { id: m.id };
+    if (typeof m.name === "string") {
+      mode.name = m.name;
+    }
+    if (typeof m.description === "string") {
+      mode.description = m.description;
+    }
+    out.push(mode);
+  }
+  return out;
+}
+function captureInternalChunk(capture, params) {
+  const obj = params ?? {};
+  const update = obj.update ?? {};
+  if (update.sessionUpdate !== "agent_message_chunk") {
     return;
   }
   const content = update.content ?? {};
@@ -2921,7 +3471,7 @@ function firstLine(text, max) {
 }
 
 // src/core/session-store.ts
-import * as fs4 from "fs/promises";
+import * as fs6 from "fs/promises";
 import * as path4 from "path";
 import { customAlphabet as customAlphabet2 } from "nanoid";
 import { z as z4 } from "zod";
@@ -2935,6 +3485,11 @@ var PersistedAgentCommand = z4.object({
   name: z4.string(),
   description: z4.string().optional()
 });
+var PersistedAgentMode = z4.object({
+  id: z4.string(),
+  name: z4.string().optional(),
+  description: z4.string().optional()
+});
 var PersistedUsage = z4.object({
   used: z4.number().optional(),
   size: z4.number().optional(),
@@ -2980,6 +3535,7 @@ var SessionRecord = z4.object({
   currentMode: z4.string().optional(),
   currentUsage: PersistedUsage.optional(),
   agentCommands: z4.array(PersistedAgentCommand).optional(),
+  agentModes: z4.array(PersistedAgentMode).optional(),
   createdAt: z4.string(),
   updatedAt: z4.string()
 });
@@ -2992,9 +3548,9 @@ function assertSafeId(id) {
 var SessionStore = class {
   async write(record) {
     assertSafeId(record.sessionId);
-    await fs4.mkdir(paths.sessionDir(record.sessionId), { recursive: true });
+    await fs6.mkdir(paths.sessionDir(record.sessionId), { recursive: true });
     const full = { version: 1, ...record };
-    await fs4.writeFile(
+    await fs6.writeFile(
       paths.sessionFile(record.sessionId),
       JSON.stringify(full, null, 2) + "\n",
       { encoding: "utf8", mode: 384 }
@@ -3006,7 +3562,7 @@ var SessionStore = class {
     }
     let raw;
     try {
-      raw = await fs4.readFile(paths.sessionFile(sessionId), "utf8");
+      raw = await fs6.readFile(paths.sessionFile(sessionId), "utf8");
     } catch (err) {
       const e = err;
       if (e.code === "ENOENT") {
@@ -3025,7 +3581,7 @@ var SessionStore = class {
       return;
     }
     try {
-      await fs4.unlink(paths.sessionFile(sessionId));
+      await fs6.unlink(paths.sessionFile(sessionId));
     } catch (err) {
       const e = err;
       if (e.code !== "ENOENT") {
@@ -3033,7 +3589,7 @@ var SessionStore = class {
       }
     }
     try {
-      await fs4.rmdir(paths.sessionDir(sessionId));
+      await fs6.rmdir(paths.sessionDir(sessionId));
     } catch (err) {
       const e = err;
       if (e.code !== "ENOENT" && e.code !== "ENOTEMPTY") {
@@ -3063,7 +3619,7 @@ var SessionStore = class {
   async list() {
     let entries;
     try {
-      entries = await fs4.readdir(paths.sessionsDir());
+      entries = await fs6.readdir(paths.sessionsDir());
     } catch (err) {
       const e = err;
       if (e.code === "ENOENT") {
@@ -3098,13 +3654,14 @@ function recordFromMemorySession(args) {
     currentMode: args.currentMode,
     currentUsage: args.currentUsage,
     agentCommands: args.agentCommands,
+    agentModes: args.agentModes,
     createdAt: args.createdAt ?? now,
     updatedAt: args.updatedAt ?? now
   };
 }
 
 // src/core/history-store.ts
-import * as fs5 from "fs/promises";
+import * as fs7 from "fs/promises";
 var SESSION_ID_PATTERN2 = /^[A-Za-z0-9_-]+$/;
 var DEFAULT_MAX_ENTRIES = 1e3;
 var HistoryStore = class {
@@ -3121,9 +3678,9 @@ var HistoryStore = class {
       return;
     }
     return this.enqueue(sessionId, async () => {
-      await fs5.mkdir(paths.sessionDir(sessionId), { recursive: true });
+      await fs7.mkdir(paths.sessionDir(sessionId), { recursive: true });
       const line = JSON.stringify(entry) + "\n";
-      await fs5.appendFile(paths.historyFile(sessionId), line, {
+      await fs7.appendFile(paths.historyFile(sessionId), line, {
         encoding: "utf8",
         mode: 384
       });
@@ -3134,9 +3691,9 @@ var HistoryStore = class {
       return;
     }
     return this.enqueue(sessionId, async () => {
-      await fs5.mkdir(paths.sessionDir(sessionId), { recursive: true });
+      await fs7.mkdir(paths.sessionDir(sessionId), { recursive: true });
       const body = entries.length === 0 ? "" : entries.map((e) => JSON.stringify(e)).join("\n") + "\n";
-      await fs5.writeFile(paths.historyFile(sessionId), body, {
+      await fs7.writeFile(paths.historyFile(sessionId), body, {
         encoding: "utf8",
         mode: 384
       });
@@ -3153,7 +3710,7 @@ var HistoryStore = class {
     return this.enqueue(sessionId, async () => {
       let raw;
       try {
-        raw = await fs5.readFile(paths.historyFile(sessionId), "utf8");
+        raw = await fs7.readFile(paths.historyFile(sessionId), "utf8");
       } catch (err) {
         const e = err;
         if (e.code === "ENOENT") {
@@ -3166,7 +3723,7 @@ var HistoryStore = class {
         return;
       }
       const trimmed = lines.slice(-maxEntries);
-      await fs5.writeFile(paths.historyFile(sessionId), trimmed.join("\n") + "\n", {
+      await fs7.writeFile(paths.historyFile(sessionId), trimmed.join("\n") + "\n", {
         encoding: "utf8",
         mode: 384
       });
@@ -3182,7 +3739,7 @@ var HistoryStore = class {
     }
     let raw;
     try {
-      raw = await fs5.readFile(paths.historyFile(sessionId), "utf8");
+      raw = await fs7.readFile(paths.historyFile(sessionId), "utf8");
     } catch (err) {
       const e = err;
       if (e.code === "ENOENT") {
@@ -3228,7 +3785,7 @@ var HistoryStore = class {
     }
     return this.enqueue(sessionId, async () => {
       try {
-        await fs5.unlink(paths.historyFile(sessionId));
+        await fs7.unlink(paths.historyFile(sessionId));
       } catch (err) {
         const e = err;
         if (e.code !== "ENOENT") {
@@ -3236,7 +3793,7 @@ var HistoryStore = class {
         }
       }
       try {
-        await fs5.rmdir(paths.sessionDir(sessionId));
+        await fs7.rmdir(paths.sessionDir(sessionId));
       } catch (err) {
         const e = err;
         if (e.code !== "ENOENT" && e.code !== "ENOTEMPTY") {
@@ -3260,25 +3817,25 @@ var HistoryStore = class {
 };
 
 // src/tui/history.ts
-import { promises as fs6 } from "fs";
+import { promises as fs8 } from "fs";
 import * as path5 from "path";
 async function saveHistory(file, history) {
-  await fs6.mkdir(path5.dirname(file), { recursive: true });
+  await fs8.mkdir(path5.dirname(file), { recursive: true });
   const lines = history.map((entry) => JSON.stringify(entry));
-  await fs6.writeFile(file, lines.length > 0 ? lines.join("\n") + "\n" : "");
+  await fs8.writeFile(file, lines.length > 0 ? lines.join("\n") + "\n" : "");
 }
 
 // src/core/hydra-version.ts
 import { fileURLToPath } from "url";
 import * as path6 from "path";
-import * as fs7 from "fs";
+import * as fs9 from "fs";
 function resolveVersion() {
   try {
     let dir = path6.dirname(fileURLToPath(import.meta.url));
     for (let i = 0; i < 8; i += 1) {
       const candidate = path6.join(dir, "package.json");
-      if (fs7.existsSync(candidate)) {
-        const pkg = JSON.parse(fs7.readFileSync(candidate, "utf8"));
+      if (fs9.existsSync(candidate)) {
+        const pkg = JSON.parse(fs9.readFileSync(candidate, "utf8"));
         if (typeof pkg.version === "string" && pkg.version.length > 0 && (typeof pkg.name !== "string" || pkg.name.includes("hydra-acp"))) {
           return pkg.version;
         }
@@ -3296,6 +3853,7 @@ function resolveVersion() {
 var HYDRA_VERSION = resolveVersion();
 
 // src/core/session-manager.ts
+var QUEUE_REPLAY_TTL_MS = 15 * 60 * 1e3;
 var HYDRA_ID_ALPHABET3 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
 var generateRawSessionId = customAlphabet3(HYDRA_ID_ALPHABET3, 16);
 var SessionManager = class {
@@ -3308,6 +3866,7 @@ var SessionManager = class {
     this.idleTimeoutMs = options.idleTimeoutMs ?? 0;
     this.defaultModels = options.defaultModels ?? {};
     this.logger = options.logger;
+    this.npmRegistry = options.npmRegistry;
   }
   registry;
   sessions = /* @__PURE__ */ new Map();
@@ -3323,6 +3882,7 @@ var SessionManager = class {
   // back-to-back) don't lose writes via interleaved reads.
   metaWriteQueues = /* @__PURE__ */ new Map();
   logger;
+  npmRegistry;
   async create(params) {
     const fresh = await this.bootstrapAgent({
       agentId: params.agentId,
@@ -3344,7 +3904,9 @@ var SessionManager = class {
       spawnReplacementAgent: (p) => this.bootstrapAgent({ ...p, mcpServers: [] }),
       historyStore: this.histories,
       historyMaxEntries: this.sessionHistoryMaxEntries,
-      currentModel: fresh.initialModel
+      currentModel: fresh.initialModel,
+      currentMode: fresh.initialMode,
+      agentModes: fresh.initialModes
     });
     await this.attachManagerHooks(session);
     return session;
@@ -3389,7 +3951,7 @@ var SessionManager = class {
     if (params.upstreamSessionId === "") {
       return this.doResurrectFromImport(params);
     }
-    const plan = await planSpawn(agentDef, params.agentArgs ?? []);
+    const plan = await planSpawn(agentDef, params.agentArgs ?? [], { npmRegistry: this.npmRegistry });
     const agent = this.spawner({
       agentId: params.agentId,
       cwd: params.cwd,
@@ -3443,9 +4005,10 @@ var SessionManager = class {
       // this fix), fall back to the model the agent ships in its
       // session/load response body.
       currentModel: params.currentModel ?? extractInitialModel(loadResult ?? {}),
-      currentMode: params.currentMode,
+      currentMode: params.currentMode ?? extractInitialCurrentMode(loadResult ?? {}),
       currentUsage: params.currentUsage,
       agentCommands: params.agentCommands,
+      agentModes: params.agentModes ?? nonEmptyOrUndefined(extractInitialModes(loadResult ?? {})),
       // Only gate the first-prompt title heuristic when we actually have
       // a title to preserve. A title-less session (lost to a write race
       // or never seeded) should re-derive from the next prompt rather
@@ -3488,9 +4051,10 @@ var SessionManager = class {
       // Prefer the stored value (set by a previous current_model_update);
       // fall back to whatever the agent ships in its session/new response.
       currentModel: params.currentModel ?? fresh.initialModel,
-      currentMode: params.currentMode,
+      currentMode: params.currentMode ?? fresh.initialMode,
       currentUsage: params.currentUsage,
       agentCommands: params.agentCommands,
+      agentModes: params.agentModes ?? fresh.initialModes,
       firstPromptSeeded: !!params.title,
       createdAt: params.createdAt ? new Date(params.createdAt).getTime() : void 0
     });
@@ -3500,7 +4064,7 @@ var SessionManager = class {
   }
   async resolveImportCwd(cwd) {
     try {
-      const stat2 = await fs8.stat(cwd);
+      const stat2 = await fs10.stat(cwd);
       if (stat2.isDirectory()) {
         return cwd;
       }
@@ -3520,7 +4084,7 @@ var SessionManager = class {
       err.code = JsonRpcErrorCodes.AgentNotInstalled;
       throw err;
     }
-    const plan = await planSpawn(agentDef, params.agentArgs ?? []);
+    const plan = await planSpawn(agentDef, params.agentArgs ?? [], { npmRegistry: this.npmRegistry });
     const agent = this.spawner({
       agentId: params.agentId,
       cwd: params.cwd,
@@ -3557,11 +4121,15 @@ var SessionManager = class {
         } catch {
         }
       }
+      const initialModes = extractInitialModes(newResult);
+      const initialMode = extractInitialCurrentMode(newResult);
       return {
         agent,
         upstreamSessionId: sessionIdRaw,
         agentMeta: newResult._meta,
-        initialModel
+        initialModel,
+        initialModes: initialModes.length > 0 ? initialModes : void 0,
+        initialMode
       };
     } catch (err) {
       await agent.kill().catch(() => void 0);
@@ -3613,6 +4181,15 @@ var SessionManager = class {
         }))
       }).catch(() => void 0);
     });
+    session.onAgentModesChange((modes) => {
+      void this.persistSnapshot(session.sessionId, {
+        agentModes: modes.map((m) => ({
+          id: m.id,
+          ...m.name !== void 0 ? { name: m.name } : {},
+          ...m.description !== void 0 ? { description: m.description } : {}
+        }))
+      }).catch(() => void 0);
+    });
     this.sessions.set(session.sessionId, session);
     await this.enqueueMetaWrite(session.sessionId, async () => {
       const existing = await this.store.read(session.sessionId);
@@ -3655,6 +4232,7 @@ var SessionManager = class {
       currentMode: record.currentMode,
       currentUsage: persistedUsageToSnapshot(record.currentUsage),
       agentCommands: record.agentCommands,
+      agentModes: record.agentModes,
       createdAt: record.createdAt
     };
   }
@@ -3932,6 +4510,7 @@ var SessionManager = class {
         ...update.currentMode !== void 0 ? { currentMode: update.currentMode } : {},
         ...update.currentUsage !== void 0 ? { currentUsage: update.currentUsage } : {},
         ...update.agentCommands !== void 0 ? { agentCommands: update.agentCommands } : {},
+        ...update.agentModes !== void 0 ? { agentModes: update.agentModes } : {},
         updatedAt: (/* @__PURE__ */ new Date()).toISOString()
       });
     });
@@ -3965,6 +4544,53 @@ var SessionManager = class {
     }
     await Promise.allSettled(pending);
   }
+  // Startup hook: scan persisted sessions for non-empty queue files,
+  // apply the TTL, resurrect anything with surviving entries, and
+  // replay them through the normal queue path. Called from the daemon
+  // boot sequence; failures per session are logged and don't block
+  // the boot.
+  //
+  // Concurrency is deliberately sequential — resurrect each session
+  // one at a time so a runaway daemon with 100 queued sessions
+  // doesn't burst-spawn 100 agents on startup. Inside a single
+  // session, the queue still drains in parallel-friendly fashion via
+  // drainQueue once resurrect() completes.
+  async resurrectPendingQueues() {
+    const records = await this.store.list().catch(() => []);
+    for (const rec of records) {
+      const queue = await loadQueue(rec.sessionId).catch(() => []);
+      if (queue.length === 0) continue;
+      const now = Date.now();
+      const fresh = queue.filter((e) => now - e.enqueuedAt < QUEUE_REPLAY_TTL_MS);
+      const dropped = queue.length - fresh.length;
+      if (dropped > 0) {
+        this.logger?.info(
+          `queue replay: dropping ${dropped} stale prompt(s) for ${rec.sessionId} (TTL ${QUEUE_REPLAY_TTL_MS / 1e3}s)`
+        );
+        await rewriteQueue(rec.sessionId, fresh).catch(() => void 0);
+      }
+      if (fresh.length === 0) continue;
+      const fromDisk = await this.loadFromDisk(rec.sessionId).catch(() => void 0);
+      if (!fromDisk) {
+        this.logger?.warn(
+          `queue replay: no meta for ${rec.sessionId}; discarding ${fresh.length} entr${fresh.length === 1 ? "y" : "ies"}`
+        );
+        await rewriteQueue(rec.sessionId, []).catch(() => void 0);
+        continue;
+      }
+      try {
+        const session = await this.resurrect(fromDisk);
+        this.logger?.info(
+          `queue replay: resurrected ${rec.sessionId} and replaying ${fresh.length} prompt(s)`
+        );
+        session.replayPersistedQueue(fresh);
+      } catch (err) {
+        this.logger?.warn(
+          `queue replay: failed to resurrect ${rec.sessionId}: ${err.message}`
+        );
+      }
+    }
+  }
 };
 function mergeForPersistence(session, existing) {
   const persistedCommands = session.mergedAvailableCommands().length > 0 ? session.agentOnlyAdvertisedCommands().map((c) => {
@@ -3974,6 +4600,18 @@ function mergeForPersistence(session, existing) {
     return { name: c.name };
   }) : void 0;
   const agentCommands = persistedCommands ?? existing?.agentCommands;
+  const sessionModes = session.availableModes();
+  const persistedModes = sessionModes.length > 0 ? sessionModes.map((m) => {
+    const out = { id: m.id };
+    if (m.name !== void 0) {
+      out.name = m.name;
+    }
+    if (m.description !== void 0) {
+      out.description = m.description;
+    }
+    return out;
+  }) : void 0;
+  const agentModes = persistedModes ?? existing?.agentModes;
   return recordFromMemorySession({
     sessionId: session.sessionId,
     lineageId: existing?.lineageId ?? generateLineageId(),
@@ -3989,6 +4627,7 @@ function mergeForPersistence(session, existing) {
     currentMode: session.currentMode ?? existing?.currentMode,
     currentUsage: usageSnapshotToPersisted(session.currentUsage) ?? existing?.currentUsage,
     agentCommands,
+    agentModes,
     createdAt: existing?.createdAt ?? new Date(session.createdAt).toISOString()
   });
 }
@@ -4051,9 +4690,103 @@ function asString(value) {
   const trimmed = value.trim();
   return trimmed.length > 0 ? trimmed : void 0;
 }
+function nonEmptyOrUndefined(arr) {
+  return arr.length > 0 ? arr : void 0;
+}
+function extractInitialModes(result) {
+  const direct = parseModesList(result.availableModes);
+  if (direct.length > 0) {
+    return direct;
+  }
+  const modes = result.modes;
+  if (modes && typeof modes === "object" && !Array.isArray(modes)) {
+    const fromModesObj = parseModesList(
+      modes.availableModes
+    );
+    if (fromModesObj.length > 0) {
+      return fromModesObj;
+    }
+  }
+  const meta = result._meta;
+  if (meta && typeof meta === "object" && !Array.isArray(meta)) {
+    for (const [key, value] of Object.entries(
+      meta
+    )) {
+      if (key === "hydra-acp") {
+        continue;
+      }
+      if (value && typeof value === "object" && !Array.isArray(value)) {
+        const fromMeta = parseModesList(
+          value.availableModes
+        );
+        if (fromMeta.length > 0) {
+          return fromMeta;
+        }
+      }
+    }
+  }
+  return [];
+}
+function extractInitialCurrentMode(result) {
+  const direct = asString(result.currentModeId) ?? asString(result.currentMode) ?? asString(result.modeId) ?? asString(result.mode);
+  if (direct) {
+    return direct;
+  }
+  const modes = result.modes;
+  if (modes && typeof modes === "object" && !Array.isArray(modes)) {
+    const m = asString(modes.currentModeId) ?? asString(modes.currentMode);
+    if (m) {
+      return m;
+    }
+  }
+  const meta = result._meta;
+  if (meta && typeof meta === "object" && !Array.isArray(meta)) {
+    for (const [key, value] of Object.entries(
+      meta
+    )) {
+      if (key === "hydra-acp") {
+        continue;
+      }
+      if (value && typeof value === "object" && !Array.isArray(value)) {
+        const m = asString(value.currentModeId) ?? asString(value.currentMode) ?? asString(value.modeId);
+        if (m) {
+          return m;
+        }
+      }
+    }
+  }
+  return void 0;
+}
+function parseModesList(list) {
+  if (!Array.isArray(list)) {
+    return [];
+  }
+  const out = [];
+  for (const raw of list) {
+    if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
+      continue;
+    }
+    const r = raw;
+    const id = asString(r.id) ?? asString(r.modeId);
+    if (!id) {
+      continue;
+    }
+    const mode = { id };
+    const name = asString(r.name);
+    if (name) {
+      mode.name = name;
+    }
+    const description = asString(r.description);
+    if (description) {
+      mode.description = description;
+    }
+    out.push(mode);
+  }
+  return out;
+}
 async function loadPromptHistorySafely(sessionId) {
   try {
-    const raw = await fs8.readFile(paths.tuiHistoryFile(sessionId), "utf8");
+    const raw = await fs10.readFile(paths.tuiHistoryFile(sessionId), "utf8");
     const out = [];
     for (const line of raw.split("\n")) {
       if (line.length === 0) {
@@ -4074,7 +4807,7 @@ async function loadPromptHistorySafely(sessionId) {
 }
 async function historyMtimeIso(sessionId) {
   try {
-    const st = await fs8.stat(paths.historyFile(sessionId));
+    const st = await fs10.stat(paths.historyFile(sessionId));
     return new Date(st.mtimeMs).toISOString();
   } catch {
     return void 0;
@@ -4083,7 +4816,7 @@ async function historyMtimeIso(sessionId) {
 
 // src/core/extensions.ts
 import { spawn as spawn4 } from "child_process";
-import * as fs9 from "fs";
+import * as fs11 from "fs";
 import * as fsp3 from "fs/promises";
 import * as path7 from "path";
 var RESTART_BASE_MS = 1e3;
@@ -4366,7 +5099,7 @@ var ExtensionManager = class {
     }
     const ext = entry.config;
     const command = ext.command.length > 0 ? ext.command : [ext.name];
-    const logStream = fs9.createWriteStream(paths.extensionLogFile(ext.name), {
+    const logStream = fs11.createWriteStream(paths.extensionLogFile(ext.name), {
       flags: "a"
     });
     logStream.write(
@@ -4378,7 +5111,7 @@ var ExtensionManager = class {
       HYDRA_ACP_DAEMON_URL: ctx.daemonUrl,
       HYDRA_ACP_DAEMON_HOST: ctx.daemonHost,
       HYDRA_ACP_DAEMON_PORT: String(ctx.daemonPort),
-      HYDRA_ACP_TOKEN: ctx.daemonToken,
+      HYDRA_ACP_TOKEN: ctx.serviceToken,
       HYDRA_ACP_WS_URL: ctx.daemonWsUrl,
       HYDRA_ACP_HOME: ctx.hydraHome,
       HYDRA_ACP_EXTENSION_NAME: ext.name,
@@ -4416,7 +5149,7 @@ var ExtensionManager = class {
     }
     if (typeof child.pid === "number") {
       try {
-        fs9.writeFileSync(paths.extensionPidFile(ext.name), `${child.pid}
+        fs11.writeFileSync(paths.extensionPidFile(ext.name), `${child.pid}
 `, {
           encoding: "utf8",
           mode: 384
@@ -4441,7 +5174,7 @@ var ExtensionManager = class {
     });
     child.on("exit", (code, signal) => {
       try {
-        fs9.unlinkSync(paths.extensionPidFile(ext.name));
+        fs11.unlinkSync(paths.extensionPidFile(ext.name));
       } catch {
       }
       logStream.write(
@@ -4497,8 +5230,227 @@ function withCode2(err, code) {
   return err;
 }
 
+// src/core/session-tokens.ts
+import * as fs12 from "fs/promises";
+import * as path8 from "path";
+import { createHash, randomBytes, timingSafeEqual } from "crypto";
+var TOKEN_PREFIX = "hydra_session_";
+var DEFAULT_TTL_SEC = 60 * 60 * 24 * 30;
+var ID_LENGTH = 12;
+var TOKEN_BYTES = 32;
+var WRITE_DEBOUNCE_MS = 50;
+function tokensFilePath() {
+  return path8.join(paths.home(), "session-tokens.json");
+}
+function sha256Hex(input) {
+  return createHash("sha256").update(input).digest("hex");
+}
+function randomHex(bytes) {
+  return randomBytes(bytes).toString("hex");
+}
+function generateId() {
+  return randomHex(ID_LENGTH).slice(0, ID_LENGTH * 2);
+}
+function generateToken() {
+  return `${TOKEN_PREFIX}${randomHex(TOKEN_BYTES)}`;
+}
+var SessionTokenStore = class _SessionTokenStore {
+  records = /* @__PURE__ */ new Map();
+  // keyed by hash
+  writeTimer = null;
+  writeInflight = null;
+  constructor(records) {
+    for (const r of records) {
+      this.records.set(r.hash, r);
+    }
+  }
+  static async load() {
+    let records = [];
+    try {
+      const raw = await fs12.readFile(tokensFilePath(), "utf8");
+      const parsed = JSON.parse(raw);
+      if (parsed && Array.isArray(parsed.records)) {
+        records = parsed.records.filter(isRecord);
+      }
+    } catch (err) {
+      const e = err;
+      if (e.code !== "ENOENT") {
+        throw err;
+      }
+    }
+    const store = new _SessionTokenStore(records);
+    const removed = store.sweepExpired(/* @__PURE__ */ new Date());
+    if (removed > 0) {
+      await store.flush();
+    }
+    return store;
+  }
+  async issue(opts = {}) {
+    const token = generateToken();
+    const hash = sha256Hex(token);
+    const id = generateId();
+    const now = /* @__PURE__ */ new Date();
+    const ttlSec = opts.ttlSec && opts.ttlSec > 0 ? opts.ttlSec : DEFAULT_TTL_SEC;
+    const expiresAt = new Date(now.getTime() + ttlSec * 1e3);
+    const record = {
+      id,
+      hash,
+      label: opts.label,
+      createdAt: now.toISOString(),
+      expiresAt: expiresAt.toISOString(),
+      lastUsedAt: now.toISOString()
+    };
+    this.records.set(hash, record);
+    this.scheduleWrite();
+    return { id, token, expiresAt: record.expiresAt };
+  }
+  // Verifies a presented token. Returns the matching record id (so the
+  // caller can revoke it on logout) and bumps lastUsedAt; returns
+  // undefined when no record matches or when the matched record has
+  // expired.
+  async verify(token) {
+    if (typeof token !== "string" || !token.startsWith(TOKEN_PREFIX)) {
+      return void 0;
+    }
+    const hash = sha256Hex(token);
+    const record = this.records.get(hash);
+    if (!record) {
+      return void 0;
+    }
+    const expected = Buffer.from(record.hash, "hex");
+    const actual = Buffer.from(hash, "hex");
+    if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
+      return void 0;
+    }
+    const now = /* @__PURE__ */ new Date();
+    if (new Date(record.expiresAt).getTime() <= now.getTime()) {
+      this.records.delete(hash);
+      this.scheduleWrite();
+      return void 0;
+    }
+    record.lastUsedAt = now.toISOString();
+    this.scheduleWrite();
+    return record.id;
+  }
+  async revoke(id) {
+    for (const [hash, r] of this.records) {
+      if (r.id === id) {
+        this.records.delete(hash);
+        this.scheduleWrite();
+        return true;
+      }
+    }
+    return false;
+  }
+  async revokeAll() {
+    const n = this.records.size;
+    this.records.clear();
+    this.scheduleWrite();
+    return n;
+  }
+  list() {
+    return Array.from(this.records.values()).map(({ id, label, createdAt, expiresAt, lastUsedAt }) => ({
+      id,
+      label,
+      createdAt,
+      expiresAt,
+      lastUsedAt
+    })).sort((a, b) => b.createdAt.localeCompare(a.createdAt));
+  }
+  sweepExpired(now = /* @__PURE__ */ new Date()) {
+    let removed = 0;
+    for (const [hash, r] of this.records) {
+      if (new Date(r.expiresAt).getTime() <= now.getTime()) {
+        this.records.delete(hash);
+        removed += 1;
+      }
+    }
+    if (removed > 0) {
+      this.scheduleWrite();
+    }
+    return removed;
+  }
+  // Force any pending write to complete. Useful in tests and at shutdown.
+  async flush() {
+    if (this.writeTimer) {
+      clearTimeout(this.writeTimer);
+      this.writeTimer = null;
+    }
+    await this.persist();
+  }
+  scheduleWrite() {
+    if (this.writeTimer) {
+      return;
+    }
+    this.writeTimer = setTimeout(() => {
+      this.writeTimer = null;
+      this.persist().catch(() => {
+      });
+    }, WRITE_DEBOUNCE_MS);
+  }
+  async persist() {
+    if (this.writeInflight) {
+      await this.writeInflight;
+    }
+    const records = Array.from(this.records.values());
+    const payload = JSON.stringify({ records }, null, 2) + "\n";
+    this.writeInflight = (async () => {
+      await fs12.mkdir(paths.home(), { recursive: true });
+      await fs12.writeFile(tokensFilePath(), payload, {
+        encoding: "utf8",
+        mode: 384
+      });
+    })();
+    try {
+      await this.writeInflight;
+    } finally {
+      this.writeInflight = null;
+    }
+  }
+};
+function isRecord(value) {
+  if (!value || typeof value !== "object") {
+    return false;
+  }
+  const v = value;
+  return typeof v.id === "string" && typeof v.hash === "string" && typeof v.createdAt === "string" && typeof v.expiresAt === "string" && typeof v.lastUsedAt === "string" && (v.label === void 0 || typeof v.label === "string");
+}
+
 // src/daemon/auth.ts
 var BEARER_PREFIX = "Bearer ";
+var StaticTokenValidator = class {
+  constructor(token) {
+    this.token = token;
+  }
+  token;
+  async validate(token) {
+    return constantTimeEqual(token, this.token) ? "service" : void 0;
+  }
+};
+var SessionTokenValidator = class {
+  constructor(store) {
+    this.store = store;
+  }
+  store;
+  async validate(token) {
+    return this.store.verify(token);
+  }
+};
+var CompositeTokenValidator = class {
+  constructor(validators) {
+    this.validators = validators;
+  }
+  validators;
+  async validate(token) {
+    for (const v of this.validators) {
+      const id = await v.validate(token);
+      if (id !== void 0) {
+        return id;
+      }
+    }
+    return void 0;
+  }
+};
 function bearerAuth(opts) {
   return async function authMiddleware(request, reply) {
     const header = request.headers.authorization;
@@ -4507,10 +5459,12 @@ function bearerAuth(opts) {
       return;
     }
     const token = header.slice(BEARER_PREFIX.length).trim();
-    if (!constantTimeEqual(token, opts.config.daemon.authToken)) {
+    const identity = await opts.validator.validate(token);
+    if (!identity) {
       reply.code(403).send({ error: "Invalid token" });
       return;
     }
+    request.authIdentity = identity;
   };
 }
 function tokenFromUpgradeRequest(req) {
@@ -4549,6 +5503,40 @@ function constantTimeEqual(a, b) {
   return mismatch === 0;
 }
 
+// src/daemon/rate-limit.ts
+var AuthRateLimiter = class {
+  entries = /* @__PURE__ */ new Map();
+  maxFails;
+  windowMs;
+  constructor(maxFails = 10, windowMs = 15 * 60 * 1e3) {
+    this.maxFails = maxFails;
+    this.windowMs = windowMs;
+  }
+  isBlocked(ip) {
+    const e = this.entries.get(ip);
+    if (!e) {
+      return false;
+    }
+    if (Date.now() - e.windowStart > this.windowMs) {
+      this.entries.delete(ip);
+      return false;
+    }
+    return e.fails >= this.maxFails;
+  }
+  recordFailure(ip) {
+    const now = Date.now();
+    const e = this.entries.get(ip);
+    if (!e || now - e.windowStart > this.windowMs) {
+      this.entries.set(ip, { fails: 1, windowStart: now });
+      return;
+    }
+    e.fails += 1;
+  }
+  recordSuccess(ip) {
+    this.entries.delete(ip);
+  }
+};
+
 // src/daemon/routes/sessions.ts
 import * as os3 from "os";
 
@@ -4579,6 +5567,7 @@ var BundleSession = z5.object({
   currentMode: z5.string().optional(),
   currentUsage: PersistedUsage.optional(),
   agentCommands: z5.array(PersistedAgentCommand).optional(),
+  agentModes: z5.array(PersistedAgentMode).optional(),
   createdAt: z5.string(),
   updatedAt: z5.string()
 });
@@ -4612,6 +5601,7 @@ function encodeBundle(params) {
       ...params.record.currentMode !== void 0 ? { currentMode: params.record.currentMode } : {},
       ...params.record.currentUsage !== void 0 ? { currentUsage: params.record.currentUsage } : {},
       ...params.record.agentCommands !== void 0 ? { agentCommands: params.record.agentCommands } : {},
+      ...params.record.agentModes !== void 0 ? { agentModes: params.record.agentModes } : {},
       createdAt: params.record.createdAt,
       updatedAt: params.record.updatedAt
     },
@@ -4670,6 +5660,8 @@ function mapUpdate(update) {
       return mapUsage(u);
     case "available_commands_update":
       return mapAvailableCommands(u);
+    case "available_modes_update":
+      return mapAvailableModes(u);
     case "session_info_update":
       return mapSessionInfo(u);
     default:
@@ -4731,6 +5723,31 @@ function mapAvailableCommands(u) {
   }
   return { kind: "available-commands", commands: normalizeAdvertisedCommands(list) };
 }
+function mapAvailableModes(u) {
+  const list = u.availableModes;
+  if (!Array.isArray(list)) {
+    return null;
+  }
+  const modes = [];
+  for (const raw of list) {
+    if (!raw || typeof raw !== "object") {
+      continue;
+    }
+    const m = raw;
+    if (typeof m.id !== "string" || m.id.length === 0) {
+      continue;
+    }
+    const mode = { id: sanitizeSingleLine(m.id) };
+    if (typeof m.name === "string") {
+      mode.name = sanitizeSingleLine(m.name);
+    }
+    if (typeof m.description === "string") {
+      mode.description = sanitizeSingleLine(m.description);
+    }
+    modes.push(mode);
+  }
+  return { kind: "available-modes", modes };
+}
 function mapUsage(u) {
   const event = { kind: "usage-update" };
   if (typeof u.used === "number") {
@@ -4851,7 +5868,7 @@ function mapPlan(u) {
   return { kind: "plan", entries: normalized };
 }
 function mapMode(u) {
-  const mode = readString(u, "currentMode") ?? readString(u, "mode");
+  const mode = readString(u, "currentModeId") ?? readString(u, "currentMode") ?? readString(u, "mode");
   if (!mode) {
     return null;
   }
@@ -5514,6 +6531,157 @@ function registerConfigRoutes(app, defaults) {
   });
 }
 
+// src/daemon/routes/auth.ts
+import { z as z6 } from "zod";
+
+// src/core/password.ts
+import * as fs13 from "fs/promises";
+import * as path9 from "path";
+import { randomBytes as randomBytes2, scrypt, timingSafeEqual as timingSafeEqual2 } from "crypto";
+import { promisify } from "util";
+var scryptAsync = promisify(scrypt);
+function passwordHashPath() {
+  return path9.join(paths.home(), "password-hash");
+}
+var DEFAULT_N = 1 << 15;
+var MAX_MEM = 128 * 1024 * 1024;
+async function hasPassword() {
+  try {
+    const text = await fs13.readFile(passwordHashPath(), "utf8");
+    return text.trim().length > 0;
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") {
+      return false;
+    }
+    throw err;
+  }
+}
+async function verifyPassword(plaintext) {
+  if (typeof plaintext !== "string" || plaintext.length === 0) {
+    return false;
+  }
+  let line;
+  try {
+    line = (await fs13.readFile(passwordHashPath(), "utf8")).trim();
+  } catch (err) {
+    const e = err;
+    if (e.code === "ENOENT") {
+      return false;
+    }
+    throw err;
+  }
+  const parts = line.split("$");
+  if (parts.length !== 6 || parts[0] !== "scrypt") {
+    return false;
+  }
+  const N = parseInt(parts[1], 10);
+  const r = parseInt(parts[2], 10);
+  const p = parseInt(parts[3], 10);
+  if (!Number.isFinite(N) || !Number.isFinite(r) || !Number.isFinite(p)) {
+    return false;
+  }
+  const salt = Buffer.from(parts[4], "hex");
+  const expected = Buffer.from(parts[5], "hex");
+  if (salt.length === 0 || expected.length === 0) {
+    return false;
+  }
+  const actual = await scryptAsync(plaintext, salt, expected.length, {
+    N,
+    r,
+    p,
+    maxmem: MAX_MEM
+  });
+  if (actual.length !== expected.length) {
+    return false;
+  }
+  return timingSafeEqual2(actual, expected);
+}
+
+// src/daemon/routes/auth.ts
+var LoginBody = z6.object({
+  password: z6.string().min(1),
+  label: z6.string().min(1).max(256).optional(),
+  ttlSec: z6.number().int().positive().optional()
+});
+var LogoutBody = z6.object({
+  id: z6.string().optional()
+}).optional();
+function registerAuthRoutes(app, deps) {
+  app.post(
+    "/v1/auth/login",
+    { config: { skipAuth: true } },
+    async (request, reply) => {
+      const ip = remoteIp(request);
+      if (deps.rateLimiter.isBlocked(ip)) {
+        return reply.code(429).send({
+          error: "Too many failed attempts; try again later."
+        });
+      }
+      let body;
+      try {
+        body = LoginBody.parse(request.body);
+      } catch {
+        return reply.code(400).send({ error: "Invalid request body" });
+      }
+      if (!await hasPassword()) {
+        return reply.code(403).send({
+          error: "No password configured. Run `hydra-acp auth password` on the daemon host."
+        });
+      }
+      const ok = await verifyPassword(body.password);
+      if (!ok) {
+        deps.rateLimiter.recordFailure(ip);
+        return reply.code(401).send({ error: "Invalid password" });
+      }
+      deps.rateLimiter.recordSuccess(ip);
+      const issued = await deps.store.issue({
+        label: body.label,
+        ttlSec: body.ttlSec
+      });
+      return reply.code(200).send({
+        session_token: issued.token,
+        id: issued.id,
+        expires_at: issued.expiresAt
+      });
+    }
+  );
+  app.post("/v1/auth/logout", async (request, reply) => {
+    let body = void 0;
+    try {
+      body = LogoutBody.parse(request.body ?? void 0);
+    } catch {
+      return reply.code(400).send({ error: "Invalid request body" });
+    }
+    const id = body?.id ?? request.authIdentity;
+    if (!id || id === "service") {
+      return reply.code(200).send({ revoked: false });
+    }
+    const revoked = await deps.store.revoke(id);
+    return reply.code(200).send({ revoked });
+  });
+  app.get("/v1/auth/verify", async (_request, reply) => {
+    return reply.code(200).send({ ok: true });
+  });
+  app.get("/v1/auth/sessions", async (_request, reply) => {
+    return reply.code(200).send({ sessions: deps.store.list() });
+  });
+  app.delete(
+    "/v1/auth/sessions/:id",
+    async (request, reply) => {
+      const id = request.params.id;
+      const revoked = await deps.store.revoke(id);
+      if (!revoked) {
+        return reply.code(404).send({ error: "Not found" });
+      }
+      return reply.code(204).send();
+    }
+  );
+}
+function remoteIp(request) {
+  return request.ip || "unknown";
+}
+
 // src/daemon/acp-ws.ts
 import { nanoid as nanoid2 } from "nanoid";
 
@@ -5590,12 +6758,12 @@ function wsToMessageStream(ws) {
 
 // src/daemon/acp-ws.ts
 function registerAcpWsEndpoint(app, deps) {
-  app.get("/acp", { websocket: true }, (socket, request) => {
+  app.get("/acp", { websocket: true }, async (socket, request) => {
     const token = tokenFromUpgradeRequest({
       headers: request.headers,
       url: request.url
     });
-    if (!token || !constantTimeEqual(token, deps.config.daemon.authToken)) {
+    if (!token || !await deps.validator.validate(token)) {
       socket.close(4401, "Unauthorized");
       return;
     }
@@ -5646,8 +6814,15 @@ function registerAcpWsEndpoint(app, deps) {
           }
         })();
       });
+      const modesPayload = buildModesPayload(session);
       return {
         sessionId: session.sessionId,
+        // session/new is implicitly an attach; mirror session/attach's
+        // shape by including the clientId so deferred-echo clients
+        // (TUI's queue work) can recognize their own prompt_queue_added
+        // events without an extra round-trip.
+        clientId: client.clientId,
+        ...modesPayload ? { modes: modesPayload } : {},
         _meta: buildResponseMeta(session)
       };
     });
@@ -5708,6 +6883,7 @@ function registerAcpWsEndpoint(app, deps) {
         await connection.notify(note.method, note.params);
       }
       session.replayPendingPermissions(client);
+      const modesPayload = buildModesPayload(session);
       return {
         sessionId: session.sessionId,
         clientId: client.clientId,
@@ -5718,6 +6894,7 @@ function registerAcpWsEndpoint(app, deps) {
         // ran, not what was asked for.
         historyPolicy: appliedPolicy,
         replayed: replay.length,
+        ...modesPayload ? { modes: modesPayload } : {},
         _meta: buildResponseMeta(session)
       };
     });
@@ -5751,7 +6928,29 @@ function registerAcpWsEndpoint(app, deps) {
         err.code = JsonRpcErrorCodes.SessionNotFound;
         throw err;
       }
-      const session = deps.manager.require(params.sessionId);
+      let session = deps.manager.get(params.sessionId);
+      if (!session) {
+        const fromDisk = await deps.manager.loadFromDisk(params.sessionId);
+        if (!fromDisk) {
+          const err = new Error(
+            `session ${params.sessionId} not found`
+          );
+          err.code = JsonRpcErrorCodes.SessionNotFound;
+          throw err;
+        }
+        app.log.info(
+          `session/prompt auto-resurrecting cold sessionId=${params.sessionId}`
+        );
+        session = await deps.manager.resurrect(fromDisk);
+        const client = bindClientToSession(
+          connection,
+          session,
+          state,
+          void 0,
+          att.clientId
+        );
+        await session.attach(client, "none");
+      }
       return session.prompt(att.clientId, params);
     });
     const handleCancelParams = (raw) => {
@@ -5783,6 +6982,26 @@ function registerAcpWsEndpoint(app, deps) {
       handleCancelParams(raw);
       return null;
     });
+    connection.onRequest("hydra-acp/cancel_prompt", async (raw) => {
+      const params = CancelPromptParams.parse(raw);
+      const session = deps.manager.get(params.sessionId);
+      if (!session) {
+        const err = new Error(`session ${params.sessionId} not found`);
+        err.code = JsonRpcErrorCodes.SessionNotFound;
+        throw err;
+      }
+      return session.cancelQueuedPrompt(params.messageId);
+    });
+    connection.onRequest("hydra-acp/update_prompt", async (raw) => {
+      const params = UpdatePromptParams.parse(raw);
+      const session = deps.manager.get(params.sessionId);
+      if (!session) {
+        const err = new Error(`session ${params.sessionId} not found`);
+        err.code = JsonRpcErrorCodes.SessionNotFound;
+        throw err;
+      }
+      return session.updateQueuedPrompt(params.messageId, params.prompt);
+    });
     connection.onRequest("session/load", async (raw) => {
       const rawObj = raw ?? {};
       const rawSessionId = typeof rawObj.sessionId === "string" ? rawObj.sessionId : void 0;
@@ -5814,8 +7033,13 @@ function registerAcpWsEndpoint(app, deps) {
         await connection.notify(note.method, note.params);
       }
       session.replayPendingPermissions(client);
+      const modesPayload = buildModesPayload(session);
       return {
         sessionId: session.sessionId,
+        // Same as session/new: include clientId so the deferred-echo
+        // path in queue-aware clients can recognize own broadcasts.
+        clientId: client.clientId,
+        ...modesPayload ? { modes: modesPayload } : {},
         _meta: buildResponseMeta(session)
       };
     });
@@ -5841,6 +7065,26 @@ function registerAcpWsEndpoint(app, deps) {
     });
   });
 }
+function buildModesPayload(session) {
+  const modes = session.availableModes();
+  if (modes.length === 0) {
+    return void 0;
+  }
+  const availableModes = modes.map((m) => {
+    const out = {
+      id: m.id,
+      // ACP spec requires `name` — fall back to id when the agent didn't
+      // supply one so we never emit an invalid SessionMode.
+      name: m.name ?? m.id
+    };
+    if (m.description !== void 0) {
+      out.description = m.description;
+    }
+    return out;
+  });
+  const currentModeId = session.currentMode ?? modes[0].id;
+  return { currentModeId, availableModes };
+}
 function buildResponseMeta(session) {
   const ours = {
     upstreamSessionId: session.upstreamSessionId,
@@ -5866,9 +7110,17 @@ function buildResponseMeta(session) {
   if (commands.length > 0) {
     ours.availableCommands = commands;
   }
+  const modes = session.availableModes();
+  if (modes.length > 0) {
+    ours.availableModes = modes;
+  }
   if (session.turnStartedAt !== void 0) {
     ours.turnStartedAt = session.turnStartedAt;
   }
+  const queue = session.queueSnapshot();
+  if (queue.length > 0) {
+    ours.queue = queue;
+  }
   return mergeMeta(session.agentMeta, ours);
 }
 function buildInitializeResult() {
@@ -5899,7 +7151,13 @@ function buildInitializeResult() {
         id: "bearer-token",
         description: "Bearer token presented at WS upgrade"
       }
-    ]
+    ],
+    // Advertise hydra-only capabilities via _meta["hydra-acp"]. Generic
+    // ACP clients ignore the field; capability-aware clients learn here
+    // that hydra accepts concurrent session/prompt requests and emits
+    // prompt_queue_* notifications so they can stop running their own
+    // local queue.
+    _meta: mergeMeta(void 0, { promptQueueing: true })
   };
 }
 function bindClientToSession(connection, session, state, clientInfo, callerClientId) {
@@ -5913,7 +7171,7 @@ function bindClientToSession(connection, session, state, clientInfo, callerClien
 }
 
 // src/daemon/server.ts
-async function startDaemon(config) {
+async function startDaemon(config, serviceToken) {
   ensureLoopbackOrTls(config);
   const httpsOptions = config.daemon.tls ? {
     key: await fsp4.readFile(config.daemon.tls.key),
@@ -5940,7 +7198,13 @@ async function startDaemon(config) {
   setNpmInstallLogger((msg) => {
     app.log.info(msg);
   });
-  const auth = bearerAuth({ config });
+  const sessionTokenStore = await SessionTokenStore.load();
+  const authRateLimiter = new AuthRateLimiter();
+  const validator = new CompositeTokenValidator([
+    new StaticTokenValidator(serviceToken),
+    new SessionTokenValidator(sessionTokenStore)
+  ]);
+  const auth = bearerAuth({ validator });
   app.addHook("onRequest", async (request, reply) => {
     if (request.routeOptions.config?.skipAuth) {
       return;
@@ -5950,6 +7214,13 @@ async function startDaemon(config) {
     }
     await auth(request, reply);
   });
+  const sweepInterval = setInterval(
+    () => {
+      sessionTokenStore.sweepExpired();
+    },
+    5 * 60 * 1e3
+  );
+  sweepInterval.unref();
   const registry = new Registry(config);
   const agentLogger = {
     info: (msg) => app.log.info(msg),
@@ -5964,7 +7235,8 @@ async function startDaemon(config) {
     idleTimeoutMs: config.daemon.sessionIdleTimeoutSeconds * 1e3,
     defaultModels: config.defaultModels,
     sessionHistoryMaxEntries: config.daemon.sessionHistoryMaxEntries,
-    logger: agentLogger
+    logger: agentLogger,
+    npmRegistry: config.npmRegistry
   });
   const extensions = new ExtensionManager(extensionList(config));
   registerHealthRoutes(app, HYDRA_VERSION);
@@ -5978,8 +7250,12 @@ async function startDaemon(config) {
     defaultAgent: config.defaultAgent,
     defaultCwd: config.defaultCwd
   });
+  registerAuthRoutes(app, {
+    store: sessionTokenStore,
+    rateLimiter: authRateLimiter
+  });
   registerAcpWsEndpoint(app, {
-    config,
+    validator,
     manager,
     defaultAgent: config.defaultAgent
   });
@@ -6003,12 +7279,19 @@ async function startDaemon(config) {
     daemonUrl: `${scheme}://${config.daemon.host}:${boundPort}`,
     daemonHost: config.daemon.host,
     daemonPort: boundPort,
-    daemonToken: config.daemon.authToken,
+    serviceToken,
     daemonWsUrl: `${wsScheme}://${config.daemon.host}:${boundPort}/acp`,
     hydraHome: paths.home()
   });
   await extensions.start();
+  void manager.resurrectPendingQueues().catch((err) => {
+    app.log.warn(
+      `queue replay scan failed: ${err.message}`
+    );
+  });
   const shutdown = async () => {
+    clearInterval(sweepInterval);
+    await sessionTokenStore.flush();
     await extensions.stop();
     await manager.closeAll();
     await manager.flushMetaWrites();
@@ -6016,7 +7299,7 @@ async function startDaemon(config) {
     setNpmInstallLogger(null);
     await app.close();
     try {
-      fs10.unlinkSync(paths.pidFile());
+      fs14.unlinkSync(paths.pidFile());
     } catch {
     }
     try {
@@ -6057,9 +7340,10 @@ export {
   Session,
   SessionManager,
   defaultConfig,
-  ensureConfig,
-  generateAuthToken,
+  ensureServiceToken,
+  generateServiceToken,
   loadConfig,
+  loadServiceToken,
   ndjsonStreamFromStdio,
   paths,
   planSpawn,