@lifeaitools/clauth 1.5.78 → 1.5.81

package/cli/commands/serve.js

@@ -17,10 +17,10 @@ import ora from "ora";
 import { execSync as execSyncTop } from "child_process";
 import Conf from "conf";
 import { getConfOptions } from "../conf-path.js";
-import { readdir, readFile, writeFile, rm, mkdir, stat, rename } from "node:fs/promises";
-import fg from "fast-glob";
-import { rgPath } from "@vscode/ripgrep";
-import { createStudioDebugRuntime } from "../studio-debug.js";
+import { readdir, readFile, writeFile, rm, mkdir, stat, rename } from "node:fs/promises";
+import fg from "fast-glob";
+import { rgPath } from "@vscode/ripgrep";
+import { createStudioDebugRuntime } from "../studio-debug.js";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, "../../package.json"), "utf8"));
@@ -564,6 +564,9 @@ function dashboardHtml(port, whitelist, isStaged = false) {
   .tunnel-url{font-family:'Courier New',monospace;font-size:.78rem;color:#60a5fa;word-break:break-all}
   .tunnel-url a{color:#60a5fa;text-decoration:none}
   .tunnel-url a:hover{text-decoration:underline}
+  .btn-ccandme{background:linear-gradient(135deg,#1a1a2e,#16213e);color:#a78bfa;border:1px solid #4c1d95;padding:7px 16px;font-size:.85rem;border-radius:7px;cursor:pointer;font-weight:600;transition:all .15s;white-space:nowrap}
+  .btn-ccandme:hover{background:linear-gradient(135deg,#2d1b69,#1e1b4b);border-color:#7c3aed;color:#c4b5fd;transform:translateY(-1px)}
+  .btn-ccandme:disabled{opacity:.5;cursor:not-allowed;transform:none}
   .btn-claude{background:linear-gradient(135deg,#d97706,#f59e0b);color:#0a0f1a;padding:8px 18px;font-size:.85rem;border-radius:7px;border:none;cursor:pointer;font-weight:700;letter-spacing:.3px;transition:all .15s;white-space:nowrap}
   .btn-claude:hover{filter:brightness(1.1);transform:translateY(-1px)}
   .btn-claude:disabled{opacity:.4;cursor:not-allowed;transform:none;filter:none}
@@ -743,6 +746,7 @@ function dashboardHtml(port, whitelist, isStaged = false) {
     <button class="btn-refresh" onclick="loadServices()">↻ Refresh</button>
     <button class="btn-add" onclick="toggleAddService()">+ Add Service</button>
     <button class="btn-check" id="check-btn" onclick="checkAll()">⬤ Check All</button>
+    <button class="btn-ccandme" id="ccandme-btn" onclick="launchCCandMe()" title="Launch CCandMe — 4-pane WezTerm: Claude + Codex + Me">⚡ CCandMe</button>
     <button class="btn-lock" onclick="lockVault()">🔒 Lock</button>
     <button class="btn-stop" onclick="restartDaemon()" style="background:#1a2e1a;border:1px solid #166534;color:#86efac" title="Restart daemon — keeps vault unlocked">↺ Restart</button>
     <button class="btn-stop" onclick="stopDaemon()" style="background:#7f1d1d;border:1px solid #991b1b;color:#fca5a5" title="Stop daemon — password required on next start">⏹ Stop</button>
@@ -1115,6 +1119,24 @@ async function makeLive() {
   }
 }
 
+// ── Launch CCandMe (4-pane WezTerm: Claude + Codex + Me) ──
+async function launchCCandMe() {
+  const btn = document.getElementById("ccandme-btn");
+  if (btn) { btn.disabled = true; btn.textContent = "⚡ Launching…"; }
+  try {
+    const r = await fetch(BASE + "/launch-ccandme", { method: "POST" }).then(r => r.json()).catch(() => ({}));
+    if (r.ok) {
+      if (btn) { btn.textContent = "⚡ Launched!"; setTimeout(() => { btn.disabled = false; btn.textContent = "⚡ CCandMe"; }, 3000); }
+    } else {
+      alert("CCandMe launch failed: " + (r.error || "unknown error"));
+      if (btn) { btn.disabled = false; btn.textContent = "⚡ CCandMe"; }
+    }
+  } catch (err) {
+    alert("CCandMe launch failed: " + err.message);
+    if (btn) { btn.disabled = false; btn.textContent = "⚡ CCandMe"; }
+  }
+}
+
 // ── Restart daemon (keeps boot.key — vault stays unlocked) ──
 async function restartDaemon() {
   if (!confirm("Restart the daemon?\\n\\nThe vault will stay unlocked (boot.key kept).")) return;
@@ -2406,7 +2428,9 @@ function readBody(req) {
 }
 
 // ── Server logic (shared by foreground + daemon) ─────────────
-function createServer(initPassword, whitelist, port, tunnelHostnameInit = null, isStaged = false) {
+function createServer(initPassword, whitelist, port, tunnelHostnameInit = null, isStaged = false) {
+  mcpHttpBaseUrl = `http://127.0.0.1:${port}`;
+
   // tunnelHostname may be updated at runtime (fetched from DB after unlock)
   let tunnelHostname = tunnelHostnameInit;
 
@@ -2436,12 +2460,12 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
   // Rotation engine — starts after unlock
   const rotationEngine = createRotationEngine(initPassword, machineHash, LOG_FILE);
 
-  const CORS = {
+  const CORS = {
     "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
     "Access-Control-Allow-Headers": "Content-Type, Authorization, Mcp-Session-Id, mcp-protocol-version, mcp-session-id",
-  };
-  const studioDebugRuntime = createStudioDebugRuntime({ port, logFile: LOG_FILE });
+  };
+  const studioDebugRuntime = createStudioDebugRuntime({ port, logFile: LOG_FILE });
 
   // ── MCP SSE session tracking ──────────────────────────────
   const sseSessions = new Map(); // sessionId → { res, initialized }
@@ -2842,14 +2866,14 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return strike(res, 403, `Rejected non-local address: ${remote}`);
     }
 
-    // CORS preflight
-    if (req.method === "OPTIONS") {
-      res.writeHead(204, CORS);
-      return res.end();
-    }
-
-    const studioDebugHandled = await studioDebugRuntime.handle(req, res, url, CORS);
-    if (studioDebugHandled !== false) return;
+    // CORS preflight
+    if (req.method === "OPTIONS") {
+      res.writeHead(204, CORS);
+      return res.end();
+    }
+
+    const studioDebugHandled = await studioDebugRuntime.handle(req, res, url, CORS);
+    if (studioDebugHandled !== false) return;
 
     // ── Hosts that bypass OAuth (fresh domains for claude.ai compatibility) ──
     const NOAUTH_HOSTS = ["fs.regendevcorp.com", "clauth.regendevcorp.com", "chitchat.regendevcorp.com"];
@@ -3047,13 +3071,14 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
     }
 
     // ── MCP path helpers ──
-    const MCP_PATHS = ["/mcp", "/gws", "/clauth", "/fs", "/chitchat"];
+    const MCP_PATHS = ["/mcp", "/gws", "/clauth", "/fs", "/chitchat", "/codevelop"];
     const isMcpPath = MCP_PATHS.includes(reqPath);
     function toolsForPath(p) {
       if (p === "/gws")      return MCP_TOOLS.filter(t => t.name.startsWith("gws_"));
       if (p === "/clauth")   return MCP_TOOLS.filter(t => t.name.startsWith("clauth_") || t.name === "monkey_dispatch" || t.name.startsWith("terminal_") || t.name.startsWith("channel_"));
       if (p === "/fs")       return MCP_TOOLS.filter(t => t.name.startsWith("fs_"));
       if (p === "/chitchat") return MCP_TOOLS.filter(t => t.name.startsWith("chitchat_"));
+      if (p === "/codevelop") return MCP_TOOLS.filter(t => t.name.startsWith("codevelop_"));
       return MCP_TOOLS; // /mcp — all tools
     }
     function serverNameForPath(p) {
@@ -3061,6 +3086,7 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       if (p === "/clauth")   return "clauth";
       if (p === "/fs")       return "fs";
       if (p === "/chitchat") return "chitchat";
+      if (p === "/codevelop") return "codevelop";
       return "clauth";
     }
 
@@ -3325,6 +3351,122 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       });
     }
 
+    // ── Co-development transport — peer-aware Claude/Codex sessions ─────
+    // This is intentionally separate from /chitchat so existing relay behavior
+    // cannot leak into terminal peer routing.
+    if (method === "POST" && reqPath === "/codevelop/start") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON" }));
+      }
+      const result = startCodevelopSession(body || {});
+      return ok(res, result);
+    }
+
+    if (method === "POST" && reqPath === "/codevelop/join") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON" }));
+      }
+      const result = joinCodevelopSession(body || {});
+      if (result.error) {
+        res.writeHead(result.error === "not_found" ? 404 : 400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify(result));
+      }
+      return ok(res, result);
+    }
+
+    if (method === "POST" && reqPath === "/codevelop/send") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON" }));
+      }
+      const result = sendCodevelopMessage(body || {});
+      if (result.error) {
+        res.writeHead(result.error === "not_found" ? 404 : 400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify(result));
+      }
+      return ok(res, result);
+    }
+
+    if (method === "POST" && reqPath === "/codevelop/poll") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON" }));
+      }
+      const result = pollCodevelopMessages(body || {});
+      if (result.error) {
+        res.writeHead(result.error === "not_found" ? 404 : 400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify(result));
+      }
+      return ok(res, result);
+    }
+
+    if (method === "GET" && reqPath === "/codevelop") {
+      return ok(res, listCodevelopSessions());
+    }
+
+    const codevelopStatusMatch = reqPath.match(/^\/codevelop\/([^/]+)\/status$/);
+    if (method === "GET" && codevelopStatusMatch) {
+      const result = statusCodevelopSession(codevelopStatusMatch[1]);
+      if (result.error) {
+        res.writeHead(404, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify(result));
+      }
+      return ok(res, result);
+    }
+
+    const codevelopStreamMatch = reqPath.match(/^\/codevelop\/([^/]+)\/([^/]+)\/stream$/);
+    if (method === "GET" && codevelopStreamMatch) {
+      const session_id = decodeURIComponent(codevelopStreamMatch[1]);
+      const peer_id = decodeURIComponent(codevelopStreamMatch[2]);
+      const result = attachCodevelopStream(session_id, peer_id, res);
+      if (result.error) {
+        res.writeHead(result.error === "not_found" ? 404 : 400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify(result));
+      }
+
+      res.writeHead(200, {
+        "Content-Type": "text/event-stream",
+        "Cache-Control": "no-cache",
+        "Connection": "keep-alive",
+        ...CORS,
+      });
+
+      for (const entry of result.queued) {
+        res.write(`event: message\ndata: ${JSON.stringify(entry)}\n\n`);
+      }
+
+      const keepalive = setInterval(() => {
+        try { res.write(": keepalive\n\n"); } catch {}
+      }, 15_000);
+
+      req.on("close", () => {
+        clearInterval(keepalive);
+        detachCodevelopStream(session_id, peer_id, res);
+      });
+
+      return;
+    }
+
+    if (method === "POST" && reqPath === "/codevelop/stop") {
+      let body;
+      try { body = await readBody(req); } catch {
+        res.writeHead(400, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: "Invalid JSON" }));
+      }
+      const result = stopCodevelopSession(body?.session_id);
+      if (result.error) {
+        res.writeHead(404, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify(result));
+      }
+      return ok(res, result);
+    }
+
     // GET /chitchat/<session_id>/stream — SSE push stream for Claude Code (inbox events)
     // Claude Code connects once; daemon pushes an event on every chitchat_send call
     const inboxStreamMatch = reqPath.match(/^\/chitchat\/([^/]+)\/stream$/);
@@ -3545,6 +3687,52 @@ function createServer(initPassword, whitelist, port, tunnelHostnameInit = null,
       return ok(res, { status: tunnelStatus });
     }
 
+    // POST /launch-ccandme — open a new CCandMe WezTerm window without killing existing sessions
+    if (method === "POST" && reqPath === "/launch-ccandme") {
+      if (lockedGuard(res)) return;
+      try {
+        const { spawn } = await import("child_process");
+        const { existsSync, readFileSync, writeFileSync } = await import("fs");
+
+        // Locate WezTerm
+        const wezCandidates = [
+          "C:/Program Files/WezTerm/wezterm.exe",
+          "C:/Program Files (x86)/WezTerm/wezterm.exe",
+          process.env.WEZTERM_EXE,
+        ].filter(Boolean);
+        const wezExe = wezCandidates.find(existsSync) || "wezterm";
+
+        // Render the lua config from the CCandMe template (skip the kill-existing step)
+        const CCANDME_DIR = "C:/Dev/CCandMe";
+        const WORK_DIR = "C:/Dev/regen-root";
+        const templatePath = path.join(CCANDME_DIR, "templates", "wezterm.lua");
+        const luaOutPath  = path.join(CCANDME_DIR, ".ccandme-wezterm.lua");
+
+        if (existsSync(templatePath)) {
+          const lua = readFileSync(templatePath, "utf8")
+            .replaceAll("__SUPERVISOR_DIR__", CCANDME_DIR.replace(/\//g, "\\\\"))
+            .replaceAll("__WORK_DIR__",       WORK_DIR.replace(/\//g, "\\\\"))
+            .replaceAll("__WORKSPACE__",      "ccandme")
+            .replaceAll("__CLAUDE_CMD__",     "claude")
+            .replaceAll("__CODEX_CMD__",      "codex")
+            .replaceAll("__PACKAGE_ROOT__",   CCANDME_DIR.replace(/\//g, "\\\\"));
+          writeFileSync(luaOutPath, lua, "utf8");
+        }
+
+        // Launch WezTerm with the CCandMe config — no kill of existing sessions
+        const luaArg = existsSync(luaOutPath) ? luaOutPath : path.join(CCANDME_DIR, ".ccandme-wezterm.lua");
+        const child = spawn(wezExe, ["--config-file", luaArg, "start"], {
+          detached: true,
+          stdio: "ignore",
+        });
+        child.unref();
+        return ok(res, { ok: true, message: "CCandMe launched" });
+      } catch (err) {
+        res.writeHead(500, { "Content-Type": "application/json", ...CORS });
+        return res.end(JSON.stringify({ error: err.message }));
+      }
+    }
+
     // POST /restart — spawn fresh process then exit (keeps boot.key, vault stays unlocked)
     if (method === "POST" && reqPath === "/restart") {
       ok(res, { ok: true, message: "restarting" });
@@ -4970,6 +5158,10 @@ async function verifyAuth(password) {
 }
 
 async function actionStart(opts) {
+  if (opts.isolated) {
+    return actionForeground(opts);
+  }
+
   const isStaged = !!opts.staged || process.env.__CLAUTH_STAGED === "1";
   const port     = isStaged ? STAGED_PORT : parseInt(opts.port || String(LIVE_PORT), 10);
   let password = opts.pw || null;
@@ -5220,12 +5412,18 @@ async function actionRestart(opts) {
 
 async function actionForeground(opts) {
   const port      = parseInt(opts.port || "52437", 10);
-  const password  = opts.pw || null;
+  const isolated  = !!opts.isolated;
+  const password  = isolated ? null : (opts.pw || null);
   const tunnelHostname = opts.tunnel || null;
   const whitelist = opts.services
     ? opts.services.split(",").map(s => s.trim().toLowerCase())
     : null;
 
+  if (isolated && (port === LIVE_PORT || port === STAGED_PORT)) {
+    console.log(chalk.red(`\n  Refusing isolated mode on reserved port ${port}. Use a separate port such as 53137.\n`));
+    process.exit(1);
+  }
+
   if (password) {
     console.log(chalk.gray("\n  Verifying vault credentials..."));
     try {
@@ -5235,6 +5433,8 @@ async function actionForeground(opts) {
       process.exit(1);
     }
     console.log(chalk.green("  ✓ Vault auth verified"));
+  } else if (isolated) {
+    console.log(chalk.yellow("\n  Starting isolated passwordless server — credential routes remain locked"));
   } else {
     console.log(chalk.yellow("\n  Starting in locked state — open browser to unlock"));
   }
@@ -5245,7 +5445,7 @@ async function actionForeground(opts) {
 
   const server = createServer(password, whitelist, port, tunnelHostname);
   server.listen(port, "127.0.0.1", () => {
-    writePid(process.pid, port);
+    if (!isolated) writePid(process.pid, port);
     console.log(chalk.green(`  clauth serve → http://127.0.0.1:${port}`));
     if (tunnelHostname) {
       console.log(chalk.cyan(`  Tunnel:   https://${tunnelHostname}/sse`));
@@ -5256,10 +5456,9 @@ async function actionForeground(opts) {
       console.log(chalk.white(`  Client Secret:  ${server.__oauthClientSecret}`));
       console.log(chalk.gray("  (paste these into Advanced Settings when adding the connector)"));
     }
-    if (!password) console.log(chalk.cyan(`  👉 Open http://127.0.0.1:${port} to unlock`));
+    if (!password && !isolated) console.log(chalk.cyan(`  👉 Open http://127.0.0.1:${port} to unlock`));
     console.log(chalk.gray("  Ctrl+C to stop\n"));
-    // Auto-open browser
-    openBrowser(`http://127.0.0.1:${port}`);
+    if (!isolated) openBrowser(`http://127.0.0.1:${port}`);
   });
 
   server.on("error", err => {
@@ -5273,7 +5472,7 @@ async function actionForeground(opts) {
 
   process.on("SIGINT", () => {
     console.log(chalk.yellow("\n  Stopping clauth serve...\n"));
-    removePid();
+    if (!isolated) removePid();
     server.close(() => process.exit(0));
   });
 }
@@ -5344,6 +5543,7 @@ function spawnClaudeTask(prompt, jobId, cwd) {
 // /terminal/send spawns a fresh claude -p with [context + message],
 // captures stdout, stores result back in session context.
 const terminalSessions = new Map(); // session_id → SessionState
+let mcpHttpBaseUrl = "http://127.0.0.1:52437";
 
 // ── Channel webhook event queue ───────────────────────────────────────────────
 const channelEvents = [];   // { id, event, resource, status, url, repository, created_at }
@@ -5643,6 +5843,249 @@ function stopChitchatSession(session_id) {
   return { stopped: true, session_id };
 }
 
+// ── Co-development — peer-aware Claude/Codex terminal relay ───────────────
+//
+// This route is intentionally not a chitchat migration path. It is a separate
+// transport with addressed peer inboxes and a stable JSON envelope.
+
+function normalizePeerId(peer) {
+  return String(peer || "").trim().toLowerCase();
+}
+
+function serializeCodevelopSession(session) {
+  const peers = {};
+  for (const [peer_id, peer] of Object.entries(session.peers || {})) {
+    peers[peer_id] = {
+      peer_id,
+      role: peer.role,
+      target_peer: peer.target_peer || null,
+      joined_at: peer.joined_at,
+      last_seen_at: peer.last_seen_at,
+      queued: peer.inbox.length,
+      streams: peer.streams.length,
+    };
+  }
+  return {
+    session_id: session.session_id,
+    name: session.name,
+    repo: session.repo,
+    status: session.status,
+    started_at: session.started_at,
+    stopped_at: session.stopped_at || null,
+    turn: session.turn || 0,
+    peers,
+  };
+}
+
+function startCodevelopSession({ name, repo, metadata } = {}) {
+  const session_id = generateSessionId();
+  const session = {
+    session_id,
+    name: name || `codevelop-${session_id.slice(0, 8)}`,
+    repo: repo || null,
+    status: "active",
+    started_at: new Date().toISOString(),
+    is_codevelop: true,
+    turn: 0,
+    peers: {},
+    history: [],
+    metadata: metadata && typeof metadata === "object" ? metadata : {},
+  };
+  terminalSessions.set(session_id, session);
+  console.log(`[codevelop] started session ${session_id} name=${session.name}`);
+  return serializeCodevelopSession(session);
+}
+
+function joinCodevelopSession({ session_id, peer_id, role, target_peer, metadata } = {}) {
+  const session = terminalSessions.get(session_id);
+  if (!session || !session.is_codevelop) return { error: "not_found", message: `Codevelop session ${session_id} not found` };
+  if (session.status === "stopped") return { error: "stopped", message: "Session is stopped" };
+
+  const normalizedPeer = normalizePeerId(peer_id);
+  if (!normalizedPeer) return { error: "invalid_peer", message: "peer_id is required" };
+
+  const now = new Date().toISOString();
+  const existing = session.peers[normalizedPeer];
+  session.peers[normalizedPeer] = {
+    peer_id: normalizedPeer,
+    role: role || existing?.role || "participant",
+    target_peer: target_peer ? normalizePeerId(target_peer) : existing?.target_peer || null,
+    joined_at: existing?.joined_at || now,
+    last_seen_at: now,
+    inbox: existing?.inbox || [],
+    streams: existing?.streams || [],
+    metadata: metadata && typeof metadata === "object" ? metadata : existing?.metadata || {},
+  };
+
+  console.log(`[codevelop] session ${session_id} peer=${normalizedPeer} joined role=${session.peers[normalizedPeer].role}`);
+  return serializeCodevelopSession(session);
+}
+
+function buildCodevelopEnvelope(session, payload) {
+  const from = normalizePeerId(payload.from);
+  const to = normalizePeerId(payload.to);
+  if (!from || !to) return { error: "invalid_route", message: "from and to are required" };
+
+  session.turn = (session.turn || 0) + 1;
+  const turn_id = payload.turn_id || `turn-${String(session.turn).padStart(4, "0")}`;
+  return {
+    session_id: session.session_id,
+    turn_id,
+    from,
+    to,
+    type: payload.type || "message",
+    role: payload.role || null,
+    skill: payload.skill || null,
+    task: payload.task || payload.message || "",
+    message: payload.message || null,
+    context: payload.context && typeof payload.context === "object" ? payload.context : {},
+    expect: payload.expect && typeof payload.expect === "object" ? payload.expect : {},
+    verdict: payload.verdict || null,
+    summary: payload.summary || null,
+    evidence: Array.isArray(payload.evidence) ? payload.evidence : [],
+    files_changed: Array.isArray(payload.files_changed) ? payload.files_changed : [],
+    commits: Array.isArray(payload.commits) ? payload.commits : [],
+    blockers: Array.isArray(payload.blockers) ? payload.blockers : [],
+    next: Array.isArray(payload.next) ? payload.next : (payload.next_action ? [String(payload.next_action)] : []),
+    sent_at: new Date().toISOString(),
+  };
+}
+
+function sendCodevelopMessage(payload = {}) {
+  const session = terminalSessions.get(payload.session_id);
+  if (!session || !session.is_codevelop) return { error: "not_found", message: `Codevelop session ${payload.session_id} not found` };
+  if (session.status === "stopped") return { error: "stopped", message: "Session is stopped" };
+
+  const envelope = buildCodevelopEnvelope(session, payload);
+  if (envelope.error) return envelope;
+
+  if (!session.peers[envelope.from]) {
+    session.peers[envelope.from] = {
+      peer_id: envelope.from,
+      role: "participant",
+      target_peer: envelope.to,
+      joined_at: envelope.sent_at,
+      last_seen_at: envelope.sent_at,
+      inbox: [],
+      streams: [],
+      metadata: {},
+    };
+  }
+  if (!session.peers[envelope.to]) {
+    session.peers[envelope.to] = {
+      peer_id: envelope.to,
+      role: "participant",
+      target_peer: envelope.from,
+      joined_at: envelope.sent_at,
+      last_seen_at: envelope.sent_at,
+      inbox: [],
+      streams: [],
+      metadata: {},
+    };
+  }
+
+  const target = session.peers[envelope.to];
+  target.inbox.push(envelope);
+  session.history.push(envelope);
+  if (session.history.length > 200) session.history = session.history.slice(-200);
+
+  const event = `event: message\ndata: ${JSON.stringify(envelope)}\n\n`;
+  target.streams = target.streams.filter(res => {
+    try { res.write(event); return true; } catch { return false; }
+  });
+
+  console.log(`[codevelop] session ${session.session_id} ${envelope.from}->${envelope.to} ${envelope.turn_id} queued`);
+  return { queued: true, session_id: session.session_id, turn_id: envelope.turn_id, to: envelope.to };
+}
+
+function pollCodevelopMessages({ session_id, peer_id } = {}) {
+  const session = terminalSessions.get(session_id);
+  if (!session || !session.is_codevelop) return { error: "not_found", message: `Codevelop session ${session_id} not found` };
+
+  const normalizedPeer = normalizePeerId(peer_id);
+  if (!normalizedPeer) return { error: "invalid_peer", message: "peer_id is required" };
+  const peer = session.peers[normalizedPeer];
+  if (!peer) return { error: "not_joined", message: `Peer ${normalizedPeer} has not joined session ${session_id}` };
+
+  peer.last_seen_at = new Date().toISOString();
+  const messages = peer.inbox.splice(0);
+  return {
+    session_id,
+    peer_id: normalizedPeer,
+    status: messages.length ? "ready" : "idle",
+    count: messages.length,
+    messages,
+  };
+}
+
+function attachCodevelopStream(session_id, peer_id, res) {
+  const session = terminalSessions.get(session_id);
+  if (!session || !session.is_codevelop) return { error: "not_found", message: `Codevelop session ${session_id} not found` };
+
+  const normalizedPeer = normalizePeerId(peer_id);
+  const peer = session.peers[normalizedPeer];
+  if (!peer) return { error: "not_joined", message: `Peer ${normalizedPeer} has not joined session ${session_id}` };
+
+  peer.last_seen_at = new Date().toISOString();
+  peer.streams.push(res);
+  console.log(`[codevelop] session ${session_id} peer=${normalizedPeer} stream connected (${peer.streams.length} total)`);
+  return { queued: peer.inbox.slice() };
+}
+
+function detachCodevelopStream(session_id, peer_id, res) {
+  const session = terminalSessions.get(session_id);
+  if (!session || !session.is_codevelop) return;
+  const normalizedPeer = normalizePeerId(peer_id);
+  const peer = session.peers[normalizedPeer];
+  if (!peer) return;
+  peer.streams = peer.streams.filter(r => r !== res);
+  console.log(`[codevelop] session ${session_id} peer=${normalizedPeer} stream disconnected`);
+}
+
+function statusCodevelopSession(session_id) {
+  const session = terminalSessions.get(session_id);
+  if (!session || !session.is_codevelop) return { error: "not_found", message: `Codevelop session ${session_id} not found` };
+  return serializeCodevelopSession(session);
+}
+
+function listCodevelopSessions() {
+  const sessions = [];
+  for (const [, s] of terminalSessions) {
+    if (s.is_codevelop) sessions.push(serializeCodevelopSession(s));
+  }
+  return { sessions, count: sessions.length };
+}
+
+function stopCodevelopSession(session_id) {
+  const session = terminalSessions.get(session_id);
+  if (!session || !session.is_codevelop) return { error: "not_found", message: `Codevelop session ${session_id} not found` };
+  session.status = "stopped";
+  session.stopped_at = new Date().toISOString();
+
+  for (const peer of Object.values(session.peers)) {
+    const entry = {
+      session_id,
+      turn_id: `stop-${Date.now()}`,
+      from: "system",
+      to: peer.peer_id,
+      type: "stop",
+      task: "Session stopped.",
+      context: {},
+      expect: {},
+      sent_at: session.stopped_at,
+    };
+    peer.inbox.push(entry);
+    const event = `event: stop\ndata: ${JSON.stringify(entry)}\n\n`;
+    peer.streams = peer.streams.filter(res => {
+      try { res.write(event); return true; } catch { return false; }
+    });
+  }
+
+  terminalSessions.delete(session_id);
+  console.log(`[codevelop] stopped session ${session_id}`);
+  return { stopped: true, session_id };
+}
+
 const ENV_MAP = {
   "github":           "GITHUB_TOKEN",
   "supabase-anon":    "NEXT_PUBLIC_SUPABASE_ANON_KEY",
@@ -5998,6 +6441,116 @@ const MCP_TOOLS = [
     },
   },
 
+  // ── Co-development — peer-aware Claude/Codex terminal sessions ─────────
+  {
+    name: "codevelop_start",
+    description: "Start a peer-aware co-development session. Separate from chitchat; routes messages by session_id/from/to.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        name: { type: "string", description: "Human-readable session name" },
+        repo: { type: "string", description: "Repository path or slug for the session" },
+        metadata: { type: "object", description: "Optional session metadata" },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "codevelop_join",
+    description: "Join a co-development session as a stable peer such as claude or codex.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        session_id: { type: "string", description: "Session ID from codevelop_start" },
+        peer_id: { type: "string", description: "Stable peer ID, e.g. claude or codex" },
+        role: { type: "string", description: "Session role, e.g. supervisor or implementation_partner" },
+        target_peer: { type: "string", description: "Default partner peer ID" },
+        metadata: { type: "object", description: "Optional peer metadata" },
+      },
+      required: ["session_id", "peer_id"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "codevelop_send",
+    description: "Send a structured addressed turn to a peer in a co-development session.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        session_id: { type: "string" },
+        turn_id: { type: "string" },
+        from: { type: "string" },
+        to: { type: "string" },
+        type: { type: "string", description: "Message type, e.g. audit_request, reply, blocker" },
+        role: { type: "string", description: "Temporary requested turn role" },
+        skill: { type: "string", description: "Optional requested skill, e.g. rdc:review" },
+        task: { type: "string", description: "Task or request body" },
+        message: { type: "string", description: "Plain fallback message" },
+        context: { type: "object", description: "Repo/work item/branch/files metadata" },
+        expect: { type: "object", description: "Expected response format and evidence requirements" },
+        verdict: { type: "string", description: "Reply verdict, e.g. pass, fail, blocked" },
+        summary: { type: "string", description: "Concise reply summary" },
+        evidence: { type: "array", items: { type: "string" }, description: "Evidence strings or checked commands/files" },
+        files_changed: { type: "array", items: { type: "string" }, description: "Files changed by the sender" },
+        commits: { type: "array", items: { type: "string" }, description: "Commit hashes or messages, if any" },
+        blockers: { type: "array", items: { type: "string" }, description: "Blocking issues, if any" },
+        next: { type: "array", items: { type: "string" }, description: "Next recommended actions" },
+        next_action: { type: "string", description: "Single next action shorthand" },
+      },
+      required: ["session_id", "from", "to"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "codevelop_poll",
+    description: "Poll and drain all pending messages for one peer.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        session_id: { type: "string" },
+        peer_id: { type: "string" },
+      },
+      required: ["session_id", "peer_id"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "codevelop_stream",
+    description: "Return the local SSE stream URL for a peer. Use HTTP GET on that URL to receive events.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        session_id: { type: "string" },
+        peer_id: { type: "string" },
+      },
+      required: ["session_id", "peer_id"],
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "codevelop_status",
+    description: "Return status, peers, queue counts, and stream counts for a co-development session.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        session_id: { type: "string", description: "Optional session ID. Omit to list all codevelop sessions." },
+      },
+      additionalProperties: false,
+    },
+  },
+  {
+    name: "codevelop_stop",
+    description: "Stop a co-development session and notify joined peers.",
+    inputSchema: {
+      type: "object",
+      properties: {
+        session_id: { type: "string" },
+      },
+      required: ["session_id"],
+      additionalProperties: false,
+    },
+  },
+
   // ── Google Workspace (gws CLI) ──────────────────────────────────────────
   {
     name: "gws_run",
@@ -6838,6 +7391,54 @@ async function handleMcpTool(vault, name, args) {
       return mcpResult(JSON.stringify(result));
     }
 
+    case "codevelop_start": {
+      return mcpResult(JSON.stringify(startCodevelopSession(args || {})));
+    }
+
+    case "codevelop_join": {
+      const result = joinCodevelopSession(args || {});
+      if (result.error) return mcpError(`${result.error}: ${result.message}`);
+      return mcpResult(JSON.stringify(result));
+    }
+
+    case "codevelop_send": {
+      const result = sendCodevelopMessage(args || {});
+      if (result.error) return mcpError(`${result.error}: ${result.message}`);
+      return mcpResult(JSON.stringify(result));
+    }
+
+    case "codevelop_poll": {
+      const result = pollCodevelopMessages(args || {});
+      if (result.error) return mcpError(`${result.error}: ${result.message}`);
+      return mcpResult(JSON.stringify(result));
+    }
+
+    case "codevelop_stream": {
+      const { session_id, peer_id } = args || {};
+      if (!session_id || !peer_id) return mcpError("session_id and peer_id required");
+      const session = terminalSessions.get(session_id);
+      if (!session || !session.is_codevelop) return mcpError(`not_found: Codevelop session ${session_id} not found`);
+      const peer = session.peers[normalizePeerId(peer_id)];
+      if (!peer) return mcpError(`not_joined: Peer ${peer_id} has not joined session ${session_id}`);
+      const stream_url = `${mcpHttpBaseUrl}/codevelop/${encodeURIComponent(session_id)}/${encodeURIComponent(normalizePeerId(peer_id))}/stream`;
+      return mcpResult(JSON.stringify({ session_id, peer_id: normalizePeerId(peer_id), stream_url }));
+    }
+
+    case "codevelop_status": {
+      const { session_id } = args || {};
+      const result = session_id ? statusCodevelopSession(session_id) : listCodevelopSessions();
+      if (result.error) return mcpError(`${result.error}: ${result.message}`);
+      return mcpResult(JSON.stringify(result));
+    }
+
+    case "codevelop_stop": {
+      const { session_id } = args || {};
+      if (!session_id) return mcpError("session_id required");
+      const result = stopCodevelopSession(session_id);
+      if (result.error) return mcpError(`${result.error}: ${result.message}`);
+      return mcpResult(JSON.stringify(result));
+    }
+
     default:
       return mcpError(`Unknown tool: ${name}`);
   }