@mobvibe/cli 0.1.7 → 0.1.8

package/dist/index.js

@@ -1,47 +1,10 @@
+// @bun
+var __require = import.meta.require;
+
 // src/index.ts
+import { Database as Database3 } from "bun:sqlite";
 import { Command } from "commander";
 
-// src/auth/login.ts
-import * as readline from "readline/promises";
-
-// src/lib/logger.ts
-import pino from "pino";
-var LOG_LEVEL = process.env.LOG_LEVEL ?? "info";
-var isPretty = process.env.NODE_ENV !== "production";
-var redact = {
-  paths: [
-    "req.headers.authorization",
-    "req.headers.cookie",
-    "req.headers['x-api-key']",
-    "headers.authorization",
-    "headers.cookie",
-    "headers['x-api-key']",
-    "apiKey",
-    "token"
-  ],
-  censor: "[redacted]"
-};
-var transport = isPretty ? {
-  target: "pino-pretty",
-  options: {
-    colorize: true,
-    translateTime: "SYS:standard",
-    ignore: "pid,hostname"
-  }
-} : void 0;
-var logger = pino(
-  {
-    level: LOG_LEVEL,
-    redact,
-    base: { service: "mobvibe-cli" },
-    serializers: {
-      err: pino.stdSerializers.err,
-      error: pino.stdSerializers.err
-    }
-  },
-  transport ? pino.transport(transport) : void 0
-);
-
 // src/auth/credentials.ts
 import fs from "fs/promises";
 import os from "os";
@@ -55,7 +18,7 @@ async function loadCredentials() {
   try {
     const data = await fs.readFile(CREDENTIALS_FILE, "utf8");
     const credentials = JSON.parse(data);
-    if (!credentials.apiKey) {
+    if (!credentials.masterSecret) {
       return null;
     }
     return credentials;
@@ -65,25 +28,19 @@ async function loadCredentials() {
 }
 async function saveCredentials(credentials) {
   await ensureMobvibeDir();
-  await fs.writeFile(
-    CREDENTIALS_FILE,
-    JSON.stringify(credentials, null, 2),
-    { mode: 384 }
-    // Read/write only for owner
-  );
+  await fs.writeFile(CREDENTIALS_FILE, JSON.stringify(credentials, null, 2), { mode: 384 });
 }
 async function deleteCredentials() {
   try {
     await fs.unlink(CREDENTIALS_FILE);
-  } catch {
-  }
+  } catch {}
 }
-async function getApiKey() {
-  if (process.env.MOBVIBE_API_KEY) {
-    return process.env.MOBVIBE_API_KEY;
+async function getMasterSecret() {
+  if (process.env.MOBVIBE_MASTER_SECRET) {
+    return process.env.MOBVIBE_MASTER_SECRET;
   }
   const credentials = await loadCredentials();
-  return credentials?.apiKey;
+  return credentials?.masterSecret;
 }
 var DEFAULT_GATEWAY_URL = "https://mobvibe.zeabur.app";
 async function getGatewayUrl() {
@@ -98,37 +55,195 @@ async function getGatewayUrl() {
 }
 
 // src/auth/login.ts
+import os2 from "os";
+import * as readline from "readline/promises";
+import { Writable } from "stream";
+import {
+  deriveAuthKeyPair,
+  generateMasterSecret,
+  getSodium,
+  initCrypto
+} from "@mobvibe/shared";
+
+// src/lib/logger.ts
+import pino from "pino";
+var LOG_LEVEL = process.env.LOG_LEVEL ?? "info";
+var isPretty = true;
+var redact = {
+  paths: [
+    "req.headers.authorization",
+    "req.headers.cookie",
+    "req.headers['x-api-key']",
+    "headers.authorization",
+    "headers.cookie",
+    "headers['x-api-key']",
+    "apiKey",
+    "token"
+  ],
+  censor: "[redacted]"
+};
+var transport = isPretty ? {
+  target: "pino-pretty",
+  options: {
+    colorize: true,
+    translateTime: "SYS:standard",
+    ignore: "pid,hostname"
+  }
+} : undefined;
+var logger = pino({
+  level: LOG_LEVEL,
+  redact,
+  base: { service: "mobvibe-cli" },
+  serializers: {
+    err: pino.stdSerializers.err,
+    error: pino.stdSerializers.err
+  }
+}, transport ? pino.transport(transport) : undefined);
+
+// src/auth/login.ts
+function readPassword(prompt) {
+  return new Promise((resolve, reject) => {
+    process.stdout.write(prompt);
+    const chars = [];
+    if (!process.stdin.isTTY) {
+      const rl = readline.createInterface({
+        input: process.stdin,
+        output: new Writable({ write: (_c, _e, cb) => cb() })
+      });
+      rl.question("").then((answer) => {
+        rl.close();
+        process.stdout.write(`
+`);
+        resolve(answer);
+      }, reject);
+      return;
+    }
+    process.stdin.setRawMode(true);
+    process.stdin.resume();
+    process.stdin.setEncoding("utf8");
+    const onData = (key) => {
+      for (const ch of key) {
+        const code = ch.charCodeAt(0);
+        if (ch === "\r" || ch === `
+`) {
+          process.stdin.setRawMode(false);
+          process.stdin.pause();
+          process.stdin.removeListener("data", onData);
+          process.stdout.write(`
+`);
+          resolve(chars.join(""));
+          return;
+        }
+        if (code === 3) {
+          process.stdin.setRawMode(false);
+          process.stdin.pause();
+          process.stdin.removeListener("data", onData);
+          process.stdout.write(`
+`);
+          reject(new Error("User cancelled"));
+          return;
+        }
+        if (code === 127 || code === 8) {
+          if (chars.length > 0) {
+            chars.pop();
+            process.stdout.write("\b \b");
+          }
+        } else if (code >= 32) {
+          chars.push(ch);
+          process.stdout.write("*");
+        }
+      }
+    };
+    process.stdin.on("data", onData);
+  });
+}
 async function login() {
+  await initCrypto();
+  const sodium = getSodium();
   logger.info("login_prompt_start");
-  console.log("To get an API key:");
-  console.log("  1. Open the Mobvibe WebUI in your browser");
-  console.log("  2. Go to Settings (gear icon) -> API Keys");
-  console.log("  3. Click 'Create API Key' and copy it");
-  console.log("  4. Paste the API key below\n");
+  console.log(`Mobvibe E2EE Login
+`);
   const rl = readline.createInterface({
     input: process.stdin,
     output: process.stdout
   });
   try {
-    const apiKey = await rl.question("Paste your API key: ");
-    if (!apiKey.trim()) {
-      logger.warn("login_missing_api_key");
-      return { success: false, error: "No API key provided" };
+    const email = await rl.question("Email: ");
+    if (!email.trim()) {
+      return { success: false, error: "No email provided" };
+    }
+    rl.close();
+    const password = await readPassword("Password: ");
+    if (!password.trim()) {
+      return { success: false, error: "No password provided" };
+    }
+    const gatewayUrl = await getGatewayUrl();
+    console.log(`
+Signing in...`);
+    const signInResponse = await fetch(`${gatewayUrl}/api/auth/sign-in/email`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        email: email.trim(),
+        password: password.trim()
+      })
+    });
+    if (!signInResponse.ok) {
+      const body = await signInResponse.text();
+      logger.warn({ status: signInResponse.status, body }, "login_sign_in_failed");
+      return {
+        success: false,
+        error: `Sign-in failed (${signInResponse.status}): ${body}`
+      };
+    }
+    const setCookieHeaders = signInResponse.headers.getSetCookie?.() ?? [];
+    const cookieHeader = setCookieHeaders.map((c) => c.split(";")[0]).join("; ");
+    if (!cookieHeader) {
+      return {
+        success: false,
+        error: "No session cookie received from sign-in"
+      };
     }
-    if (!apiKey.trim().startsWith("mbk_")) {
-      logger.warn("login_invalid_api_key_format");
+    const masterSecret = generateMasterSecret();
+    const authKeyPair = deriveAuthKeyPair(masterSecret);
+    const publicKeyBase64 = sodium.to_base64(authKeyPair.publicKey, sodium.base64_variants.ORIGINAL);
+    console.log("Registering device...");
+    const registerResponse = await fetch(`${gatewayUrl}/auth/device/register`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Cookie: cookieHeader
+      },
+      body: JSON.stringify({
+        publicKey: publicKeyBase64,
+        deviceName: os2.hostname()
+      })
+    });
+    if (!registerResponse.ok) {
+      const body = await registerResponse.text();
+      logger.warn({ status: registerResponse.status, body }, "login_device_register_failed");
       return {
         success: false,
-        error: "Invalid API key format (should start with mbk_)"
+        error: `Device registration failed (${registerResponse.status}): ${body}`
       };
     }
+    const masterSecretBase64 = sodium.to_base64(masterSecret, sodium.base64_variants.ORIGINAL);
     const credentials = {
-      apiKey: apiKey.trim(),
+      masterSecret: masterSecretBase64,
       createdAt: Date.now()
     };
     await saveCredentials(credentials);
     logger.info("login_credentials_saved");
-    console.log("\nAPI key saved!");
+    console.log(`
+Login successful!`);
+    console.log(`
+WARNING: The master secret below will appear in your terminal history.`);
+    console.log("  Clear your terminal after copying it, or use 'mobvibe e2ee show' later.");
+    console.log(`
+Your master secret (for pairing WebUI/Tauri devices):`);
+    console.log(`  ${masterSecretBase64}`);
+    console.log(`
+Keep this secret safe. You can view it again with 'mobvibe e2ee show'.`);
     console.log("Run 'mobvibe start' to connect to the gateway.");
     return { success: true };
   } finally {
@@ -143,9 +258,14 @@ async function logout() {
 async function loginStatus() {
   const credentials = await loadCredentials();
   if (credentials) {
+    await initCrypto();
+    const sodium = getSodium();
+    const masterSecret = sodium.from_base64(credentials.masterSecret, sodium.base64_variants.ORIGINAL);
+    const authKeyPair = deriveAuthKeyPair(masterSecret);
+    const pubKeyBase64 = sodium.to_base64(authKeyPair.publicKey, sodium.base64_variants.ORIGINAL);
     logger.info("login_status_logged_in");
-    console.log("Status: Logged in");
-    console.log(`API key: ${credentials.apiKey.slice(0, 12)}...`);
+    console.log("Status: Logged in (E2EE)");
+    console.log(`Auth public key: ${pubKeyBase64.slice(0, 16)}...`);
     console.log(`Saved: ${new Date(credentials.createdAt).toLocaleString()}`);
   } else {
     logger.info("login_status_logged_out");
@@ -155,7 +275,7 @@ async function loginStatus() {
 }
 
 // src/config.ts
-import os2 from "os";
+import os3 from "os";
 import path3 from "path";
 
 // src/config-loader.ts
@@ -182,14 +302,14 @@ var validateAgentConfig = (agent, index) => {
     id: record.id.trim(),
     command: record.command.trim()
   };
-  if (record.label !== void 0) {
+  if (record.label !== undefined) {
     if (typeof record.label !== "string") {
       errors.push(`${prefix}.label: must be a string`);
     } else if (record.label.trim().length > 0) {
       validated.label = record.label.trim();
     }
   }
-  if (record.args !== void 0) {
+  if (record.args !== undefined) {
     if (!Array.isArray(record.args)) {
       errors.push(`${prefix}.args: must be an array of strings`);
     } else {
@@ -205,7 +325,7 @@ var validateAgentConfig = (agent, index) => {
       }
     }
   }
-  if (record.env !== void 0) {
+  if (record.env !== undefined) {
     if (typeof record.env !== "object" || record.env === null) {
       errors.push(`${prefix}.env: must be an object`);
     } else {
@@ -238,13 +358,13 @@ var validateUserConfig = (data) => {
   }
   const record = data;
   const config = {};
-  if (record.agents !== void 0) {
+  if (record.agents !== undefined) {
     if (!Array.isArray(record.agents)) {
       errors.push("agents: must be an array");
     } else {
       const validAgents = [];
-      const seenIds = /* @__PURE__ */ new Set();
-      for (let i = 0; i < record.agents.length; i++) {
+      const seenIds = new Set;
+      for (let i = 0;i < record.agents.length; i++) {
         const result = validateAgentConfig(record.agents[i], i);
         errors.push(...result.errors);
         if (result.valid) {
@@ -261,7 +381,7 @@ var validateUserConfig = (data) => {
       }
     }
   }
-  if (record.defaultAgentId !== void 0) {
+  if (record.defaultAgentId !== undefined) {
     if (typeof record.defaultAgentId !== "string") {
       errors.push("defaultAgentId: must be a string");
     } else if (record.defaultAgentId.trim().length > 0) {
@@ -309,6 +429,14 @@ var loadUserConfig = async (homePath) => {
 };
 
 // src/config.ts
+var DEFAULT_COMPACTION_CONFIG = {
+  enabled: false,
+  ackedEventRetentionDays: 7,
+  keepLatestRevisionsCount: 2,
+  runOnStartup: false,
+  runIntervalHours: 24,
+  minEventsToKeep: 1000
+};
 var DEFAULT_OPENCODE_BACKEND = {
   id: "opencode",
   label: "opencode",
@@ -316,10 +444,10 @@ var DEFAULT_OPENCODE_BACKEND = {
   args: ["acp"]
 };
 var generateMachineId = () => {
-  const hostname = os2.hostname();
-  const platform = os2.platform();
-  const arch = os2.arch();
-  const username = os2.userInfo().username;
+  const hostname = os3.hostname();
+  const platform = os3.platform();
+  const arch = os3.arch();
+  const username = os3.userInfo().username;
   return `${hostname}-${platform}-${arch}-${username}`;
 };
 var userAgentToBackendConfig = (agent) => ({
@@ -331,92 +459,786 @@ var userAgentToBackendConfig = (agent) => ({
 });
 var mergeBackends = (defaultBackend, userAgents) => {
   if (!userAgents || userAgents.length === 0) {
-    return { backends: [defaultBackend], defaultId: defaultBackend.id };
+    return [defaultBackend];
   }
   const userOpencode = userAgents.find((a) => a.id === "opencode");
   if (userOpencode) {
-    return {
-      backends: userAgents.map(userAgentToBackendConfig),
-      defaultId: userAgents[0].id
-    };
+    return userAgents.map(userAgentToBackendConfig);
   }
-  return {
-    backends: [defaultBackend, ...userAgents.map(userAgentToBackendConfig)],
-    defaultId: defaultBackend.id
-  };
+  return [defaultBackend, ...userAgents.map(userAgentToBackendConfig)];
 };
 var getCliConfig = async () => {
   const env = process.env;
-  const homePath = env.MOBVIBE_HOME ?? path3.join(os2.homedir(), ".mobvibe");
+  const homePath = env.MOBVIBE_HOME ?? path3.join(os3.homedir(), ".mobvibe");
   const userConfigResult = await loadUserConfig(homePath);
   if (userConfigResult.errors.length > 0) {
     for (const error of userConfigResult.errors) {
       logger.warn({ configPath: userConfigResult.path, error }, "config_error");
     }
   }
-  const { backends, defaultId } = mergeBackends(
-    DEFAULT_OPENCODE_BACKEND,
-    userConfigResult.config?.agents
-  );
-  const resolvedDefaultId = userConfigResult.config?.defaultAgentId && backends.some((b) => b.id === userConfigResult.config?.defaultAgentId) ? userConfigResult.config.defaultAgentId : defaultId;
+  const backends = mergeBackends(DEFAULT_OPENCODE_BACKEND, userConfigResult.config?.agents);
   const gatewayUrl = await getGatewayUrl();
   return {
     gatewayUrl,
     acpBackends: backends,
-    defaultAcpBackendId: resolvedDefaultId,
     clientName: env.MOBVIBE_ACP_CLIENT_NAME ?? "mobvibe-cli",
     clientVersion: env.MOBVIBE_ACP_CLIENT_VERSION ?? "0.0.0",
     homePath,
     logPath: path3.join(homePath, "logs"),
     pidFile: path3.join(homePath, "daemon.pid"),
+    walDbPath: path3.join(homePath, "events.db"),
     machineId: env.MOBVIBE_MACHINE_ID ?? generateMachineId(),
-    hostname: os2.hostname(),
-    platform: os2.platform(),
+    hostname: os3.hostname(),
+    platform: os3.platform(),
     userConfigPath: userConfigResult.path,
-    userConfigErrors: userConfigResult.errors.length > 0 ? userConfigResult.errors : void 0
+    userConfigErrors: userConfigResult.errors.length > 0 ? userConfigResult.errors : undefined,
+    compaction: {
+      ...DEFAULT_COMPACTION_CONFIG,
+      enabled: env.MOBVIBE_COMPACTION_ENABLED === "true"
+    }
   };
 };
 
 // src/daemon/daemon.ts
+import { Database as Database2 } from "bun:sqlite";
 import { spawn as spawn2 } from "child_process";
-import fs5 from "fs/promises";
-import path6 from "path";
+import fs6 from "fs/promises";
+import path7 from "path";
+import { getSodium as getSodium3, initCrypto as initCrypto2 } from "@mobvibe/shared";
 
 // src/acp/session-manager.ts
 import { randomUUID as randomUUID2 } from "crypto";
 import { EventEmitter as EventEmitter2 } from "events";
-import fs3 from "fs/promises";
+import fs4 from "fs/promises";
+import {
+  AppError,
+  createErrorDetail as createErrorDetail2
+} from "@mobvibe/shared";
 
-// ../../packages/shared/dist/types/errors.js
-var createErrorDetail = (input) => ({
-  ...input
-});
-var isProtocolMismatch = (error) => {
-  if (error instanceof Error) {
-    return /protocol/i.test(error.message);
+// src/wal/compactor.ts
+class WalCompactor {
+  config;
+  db;
+  activeSessionIds = new Set;
+  stmtGetAllSessions;
+  stmtGetSessionRevisions;
+  stmtDeleteAckedEvents;
+  stmtDeleteOldRevisionEvents;
+  stmtCountEvents;
+  stmtLogCompaction;
+  constructor(_walStore, config, db) {
+    this.config = config;
+    this.db = db;
+    this.stmtGetAllSessions = this.db.query(`
+			SELECT DISTINCT session_id FROM sessions
+		`);
+    this.stmtGetSessionRevisions = this.db.query(`
+			SELECT DISTINCT revision FROM session_events
+			WHERE session_id = $sessionId
+			ORDER BY revision DESC
+		`);
+    this.stmtDeleteAckedEvents = this.db.query(`
+			DELETE FROM session_events
+			WHERE session_id = $sessionId
+			  AND revision = $revision
+			  AND acked_at IS NOT NULL
+			  AND acked_at < $olderThan
+			  AND id NOT IN (
+			    SELECT id FROM session_events
+			    WHERE session_id = $sessionId AND revision = $revision
+			    ORDER BY seq DESC
+			    LIMIT $minKeep
+			  )
+		`);
+    this.stmtDeleteOldRevisionEvents = this.db.query(`
+			DELETE FROM session_events
+			WHERE session_id = $sessionId
+			  AND revision = $revision
+		`);
+    this.stmtCountEvents = this.db.query(`
+			SELECT COUNT(*) as count FROM session_events
+			WHERE session_id = $sessionId AND revision = $revision
+		`);
+    this.stmtLogCompaction = this.db.query(`
+			INSERT INTO compaction_log (session_id, revision, operation, events_affected, started_at, completed_at)
+			VALUES ($sessionId, $revision, $operation, $eventsAffected, $startedAt, $completedAt)
+		`);
+  }
+  markSessionActive(sessionId) {
+    this.activeSessionIds.add(sessionId);
+  }
+  markSessionInactive(sessionId) {
+    this.activeSessionIds.delete(sessionId);
+  }
+  shouldSkipSession(sessionId) {
+    return this.activeSessionIds.has(sessionId);
+  }
+  async compactAll(options) {
+    const startTime = performance.now();
+    const stats = [];
+    const skipped = [];
+    const sessions = this.stmtGetAllSessions.all();
+    for (const { session_id: sessionId } of sessions) {
+      if (this.shouldSkipSession(sessionId)) {
+        skipped.push(sessionId);
+        continue;
+      }
+      try {
+        const sessionStats = await this.compactSession(sessionId, options);
+        stats.push(sessionStats);
+      } catch (error) {
+        logger.error({ err: error, sessionId }, "compaction_session_error");
+      }
+    }
+    const totalDurationMs = performance.now() - startTime;
+    const totalDeleted = stats.reduce((sum, s) => sum + s.ackedEventsDeleted + s.oldRevisionsDeleted, 0);
+    if (!options?.dryRun && totalDeleted > 0) {
+      try {
+        this.db.exec("VACUUM");
+        logger.info({ totalDeleted }, "compaction_vacuum_complete");
+      } catch (error) {
+        logger.error({ err: error }, "compaction_vacuum_error");
+      }
+    }
+    logger.info({
+      sessionsCompacted: stats.length,
+      sessionsSkipped: skipped.length,
+      totalDeleted,
+      totalDurationMs
+    }, "compaction_complete");
+    return { stats, totalDurationMs, skipped };
+  }
+  async compactSession(sessionId, options) {
+    const startTime = performance.now();
+    let ackedEventsDeleted = 0;
+    let oldRevisionsDeleted = 0;
+    const revisions = this.stmtGetSessionRevisions.all({
+      $sessionId: sessionId
+    });
+    if (revisions.length === 0) {
+      return {
+        sessionId,
+        ackedEventsDeleted: 0,
+        oldRevisionsDeleted: 0,
+        durationMs: performance.now() - startTime
+      };
+    }
+    const revisionsToKeep = revisions.slice(0, this.config.keepLatestRevisionsCount).map((r) => r.revision);
+    const ackedCutoff = new Date;
+    ackedCutoff.setDate(ackedCutoff.getDate() - this.config.ackedEventRetentionDays);
+    for (const { revision } of revisions) {
+      if (!revisionsToKeep.includes(revision)) {
+        const countResult = this.stmtCountEvents.get({
+          $sessionId: sessionId,
+          $revision: revision
+        });
+        if (!options?.dryRun) {
+          const result = this.stmtDeleteOldRevisionEvents.run({
+            $sessionId: sessionId,
+            $revision: revision
+          });
+          oldRevisionsDeleted += result.changes;
+          this.logCompaction(sessionId, revision, "delete_old_revision", result.changes);
+        } else {
+          oldRevisionsDeleted += countResult.count;
+        }
+        logger.debug({ sessionId, revision, count: countResult.count }, "compaction_delete_old_revision");
+        continue;
+      }
+      if (!options?.dryRun) {
+        const result = this.stmtDeleteAckedEvents.run({
+          $sessionId: sessionId,
+          $revision: revision,
+          $olderThan: ackedCutoff.toISOString(),
+          $minKeep: this.config.minEventsToKeep
+        });
+        ackedEventsDeleted += result.changes;
+        if (result.changes > 0) {
+          this.logCompaction(sessionId, revision, "delete_acked_events", result.changes);
+          logger.debug({ sessionId, revision, deleted: result.changes }, "compaction_delete_acked");
+        }
+      }
+    }
+    const durationMs = performance.now() - startTime;
+    if (ackedEventsDeleted > 0 || oldRevisionsDeleted > 0) {
+      logger.info({ sessionId, ackedEventsDeleted, oldRevisionsDeleted, durationMs }, "compaction_session_complete");
+    }
+    return {
+      sessionId,
+      ackedEventsDeleted,
+      oldRevisionsDeleted,
+      durationMs
+    };
   }
-  return false;
-};
-var AppError = class extends Error {
-  detail;
-  status;
-  constructor(detail, status = 500) {
-    super(detail.message);
-    this.detail = detail;
-    this.status = status;
+  logCompaction(sessionId, revision, operation, eventsAffected) {
+    const now = new Date().toISOString();
+    this.stmtLogCompaction.run({
+      $sessionId: sessionId,
+      $revision: revision,
+      $operation: operation,
+      $eventsAffected: eventsAffected,
+      $startedAt: now,
+      $completedAt: now
+    });
   }
-};
+}
+// src/wal/migrations.ts
+var MIGRATIONS = [
+  {
+    version: 1,
+    up: `
+      -- Sessions table to track session metadata and current revision
+      CREATE TABLE IF NOT EXISTS sessions (
+        session_id TEXT PRIMARY KEY,
+        machine_id TEXT NOT NULL,
+        backend_id TEXT NOT NULL,
+        current_revision INTEGER NOT NULL DEFAULT 1,
+        cwd TEXT,
+        title TEXT,
+        created_at TEXT NOT NULL,
+        updated_at TEXT NOT NULL
+      );
+
+      -- Session events WAL table
+      CREATE TABLE IF NOT EXISTS session_events (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        session_id TEXT NOT NULL,
+        revision INTEGER NOT NULL,
+        seq INTEGER NOT NULL,
+        kind TEXT NOT NULL,
+        payload TEXT NOT NULL,
+        created_at TEXT NOT NULL,
+        acked_at TEXT,
+        UNIQUE (session_id, revision, seq)
+      );
+
+      -- Index for querying events by session and revision
+      CREATE INDEX IF NOT EXISTS idx_session_events_session_revision
+        ON session_events (session_id, revision, seq);
+
+      -- Index for querying unacked events
+      CREATE INDEX IF NOT EXISTS idx_session_events_unacked
+        ON session_events (session_id, revision, acked_at)
+        WHERE acked_at IS NULL;
+
+      -- Schema version tracking
+      CREATE TABLE IF NOT EXISTS schema_version (
+        version INTEGER PRIMARY KEY
+      );
+    `
+  },
+  {
+    version: 2,
+    up: `
+      -- Discovered sessions table for persisting sessions found via discoverSessions()
+      CREATE TABLE IF NOT EXISTS discovered_sessions (
+        session_id TEXT PRIMARY KEY,
+        backend_id TEXT NOT NULL,
+        cwd TEXT,
+        title TEXT,
+        agent_updated_at TEXT,      -- agent-reported update time
+        discovered_at TEXT NOT NULL,
+        last_verified_at TEXT,      -- last time cwd was verified to exist
+        is_stale INTEGER DEFAULT 0  -- marked stale when cwd no longer exists
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_discovered_sessions_backend
+        ON discovered_sessions (backend_id);
+
+      -- Add agent_updated_at to sessions table
+      ALTER TABLE sessions ADD COLUMN agent_updated_at TEXT;
+    `
+  },
+  {
+    version: 3,
+    up: `
+      -- Compaction support
+      ALTER TABLE session_events ADD COLUMN compacted_at TEXT;
 
+      -- Index for finding acked events eligible for cleanup
+      CREATE INDEX IF NOT EXISTS idx_session_events_acked_at
+        ON session_events (session_id, revision, acked_at)
+        WHERE acked_at IS NOT NULL;
+
+      -- Index for finding events by kind (for chunk consolidation)
+      CREATE INDEX IF NOT EXISTS idx_session_events_kind
+        ON session_events (session_id, revision, kind);
+
+      -- Compaction operation log
+      CREATE TABLE IF NOT EXISTS compaction_log (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        session_id TEXT NOT NULL,
+        revision INTEGER,
+        operation TEXT NOT NULL,
+        events_affected INTEGER NOT NULL,
+        started_at TEXT NOT NULL,
+        completed_at TEXT
+      );
+    `
+  },
+  {
+    version: 4,
+    up: `
+      -- Archived sessions table (local archive state)
+      CREATE TABLE IF NOT EXISTS archived_session_ids (
+        session_id TEXT PRIMARY KEY,
+        archived_at TEXT NOT NULL
+      );
+    `
+  }
+];
+function runMigrations(db) {
+  db.exec("PRAGMA journal_mode = WAL");
+  db.exec("PRAGMA synchronous = NORMAL");
+  let currentVersion = 0;
+  try {
+    const result = db.query("SELECT MAX(version) as version FROM schema_version").get();
+    currentVersion = result?.version ?? 0;
+  } catch {}
+  for (const migration of MIGRATIONS) {
+    if (migration.version > currentVersion) {
+      db.exec(migration.up);
+      db.exec(`INSERT INTO schema_version (version) VALUES (${migration.version})`);
+    }
+  }
+}
+// src/wal/seq-generator.ts
+class SeqGenerator {
+  sequences = new Map;
+  buildKey(sessionId, revision) {
+    return `${sessionId}:${revision}`;
+  }
+  initialize(sessionId, revision, lastSeq) {
+    const key = this.buildKey(sessionId, revision);
+    this.sequences.set(key, lastSeq);
+  }
+  next(sessionId, revision) {
+    const key = this.buildKey(sessionId, revision);
+    const current = this.sequences.get(key) ?? 0;
+    const next = current + 1;
+    this.sequences.set(key, next);
+    return next;
+  }
+  current(sessionId, revision) {
+    const key = this.buildKey(sessionId, revision);
+    return this.sequences.get(key) ?? 0;
+  }
+  reset(sessionId, revision) {
+    const key = this.buildKey(sessionId, revision);
+    this.sequences.set(key, 0);
+  }
+  clearSession(sessionId) {
+    for (const key of this.sequences.keys()) {
+      if (key.startsWith(`${sessionId}:`)) {
+        this.sequences.delete(key);
+      }
+    }
+  }
+}
+// src/wal/wal-store.ts
+import { Database } from "bun:sqlite";
+import fs3 from "fs";
+import path4 from "path";
+var DEFAULT_QUERY_LIMIT = 100;
+
+class WalStore {
+  db;
+  seqGenerator = new SeqGenerator;
+  stmtGetSession;
+  stmtInsertSession;
+  stmtUpdateSession;
+  stmtInsertEvent;
+  stmtQueryEvents;
+  stmtQueryUnackedEvents;
+  stmtAckEvents;
+  stmtIncrementRevision;
+  stmtGetMaxSeq;
+  stmtUpsertDiscoveredSession;
+  stmtGetDiscoveredSessions;
+  stmtGetDiscoveredSessionsByBackend;
+  stmtMarkDiscoveredSessionStale;
+  stmtDeleteStaleDiscoveredSessions;
+  stmtDeleteSessionEvents;
+  stmtDeleteSession;
+  stmtInsertArchivedSession;
+  stmtIsArchived;
+  stmtGetArchivedSessionIds;
+  constructor(dbPath) {
+    const dir = path4.dirname(dbPath);
+    if (!fs3.existsSync(dir)) {
+      fs3.mkdirSync(dir, { recursive: true });
+    }
+    this.db = new Database(dbPath);
+    runMigrations(this.db);
+    this.stmtGetSession = this.db.query(`
+      SELECT session_id, machine_id, backend_id, current_revision, cwd, title, created_at, updated_at
+      FROM sessions
+      WHERE session_id = $sessionId
+    `);
+    this.stmtInsertSession = this.db.query(`
+      INSERT INTO sessions (session_id, machine_id, backend_id, current_revision, cwd, title, created_at, updated_at)
+      VALUES ($sessionId, $machineId, $backendId, 1, $cwd, $title, $createdAt, $updatedAt)
+    `);
+    this.stmtUpdateSession = this.db.query(`
+      UPDATE sessions
+      SET cwd = COALESCE($cwd, cwd),
+          title = COALESCE($title, title),
+          updated_at = $updatedAt
+      WHERE session_id = $sessionId
+    `);
+    this.stmtInsertEvent = this.db.query(`
+      INSERT INTO session_events (session_id, revision, seq, kind, payload, created_at)
+      VALUES ($sessionId, $revision, $seq, $kind, $payload, $createdAt)
+    `);
+    this.stmtQueryEvents = this.db.query(`
+      SELECT id, session_id, revision, seq, kind, payload, created_at, acked_at
+      FROM session_events
+      WHERE session_id = $sessionId
+        AND revision = $revision
+        AND seq > $afterSeq
+      ORDER BY seq ASC
+      LIMIT $limit
+    `);
+    this.stmtQueryUnackedEvents = this.db.query(`
+      SELECT id, session_id, revision, seq, kind, payload, created_at, acked_at
+      FROM session_events
+      WHERE session_id = $sessionId
+        AND revision = $revision
+        AND acked_at IS NULL
+      ORDER BY seq ASC
+    `);
+    this.stmtAckEvents = this.db.query(`
+      UPDATE session_events
+      SET acked_at = $ackedAt
+      WHERE session_id = $sessionId
+        AND revision = $revision
+        AND seq <= $upToSeq
+        AND acked_at IS NULL
+    `);
+    this.stmtIncrementRevision = this.db.query(`
+      UPDATE sessions
+      SET current_revision = current_revision + 1,
+          updated_at = $updatedAt
+      WHERE session_id = $sessionId
+      RETURNING current_revision
+    `);
+    this.stmtGetMaxSeq = this.db.query(`
+      SELECT MAX(seq) as max_seq
+      FROM session_events
+      WHERE session_id = $sessionId AND revision = $revision
+    `);
+    this.stmtUpsertDiscoveredSession = this.db.query(`
+      INSERT INTO discovered_sessions (
+        session_id, backend_id, cwd, title, agent_updated_at,
+        discovered_at, last_verified_at, is_stale
+      ) VALUES (
+        $sessionId, $backendId, $cwd, $title, $agentUpdatedAt,
+        $discoveredAt, $lastVerifiedAt, 0
+      )
+      ON CONFLICT (session_id) DO UPDATE SET
+        backend_id = $backendId,
+        cwd = COALESCE($cwd, discovered_sessions.cwd),
+        title = COALESCE($title, discovered_sessions.title),
+        agent_updated_at = COALESCE($agentUpdatedAt, discovered_sessions.agent_updated_at),
+        last_verified_at = $lastVerifiedAt,
+        is_stale = 0
+    `);
+    this.stmtGetDiscoveredSessions = this.db.query(`
+      SELECT d.session_id, d.backend_id, d.cwd, d.title, d.agent_updated_at,
+             d.discovered_at, d.last_verified_at, d.is_stale
+      FROM discovered_sessions d
+      LEFT JOIN archived_session_ids a ON d.session_id = a.session_id
+      WHERE d.is_stale = 0 AND a.session_id IS NULL
+      ORDER BY d.discovered_at DESC
+    `);
+    this.stmtGetDiscoveredSessionsByBackend = this.db.query(`
+      SELECT d.session_id, d.backend_id, d.cwd, d.title, d.agent_updated_at,
+             d.discovered_at, d.last_verified_at, d.is_stale
+      FROM discovered_sessions d
+      LEFT JOIN archived_session_ids a ON d.session_id = a.session_id
+      WHERE d.backend_id = $backendId AND d.is_stale = 0 AND a.session_id IS NULL
+      ORDER BY d.discovered_at DESC
+    `);
+    this.stmtMarkDiscoveredSessionStale = this.db.query(`
+      UPDATE discovered_sessions
+      SET is_stale = 1
+      WHERE session_id = $sessionId
+    `);
+    this.stmtDeleteStaleDiscoveredSessions = this.db.query(`
+      DELETE FROM discovered_sessions
+      WHERE is_stale = 1 AND discovered_at < $olderThan
+    `);
+    this.stmtDeleteSessionEvents = this.db.query(`
+      DELETE FROM session_events WHERE session_id = $sessionId
+    `);
+    this.stmtDeleteSession = this.db.query(`
+      DELETE FROM sessions WHERE session_id = $sessionId
+    `);
+    this.stmtInsertArchivedSession = this.db.query(`
+      INSERT OR IGNORE INTO archived_session_ids (session_id, archived_at)
+      VALUES ($sessionId, $archivedAt)
+    `);
+    this.stmtIsArchived = this.db.query(`
+      SELECT 1 FROM archived_session_ids WHERE session_id = $sessionId
+    `);
+    this.stmtGetArchivedSessionIds = this.db.query(`
+      SELECT session_id FROM archived_session_ids
+    `);
+  }
+  ensureSession(params) {
+    const now = new Date().toISOString();
+    const existing = this.stmtGetSession.get({
+      $sessionId: params.sessionId
+    });
+    logger.debug({ sessionId: params.sessionId, exists: !!existing }, "wal_ensure_session");
+    if (existing) {
+      this.stmtUpdateSession.run({
+        $sessionId: params.sessionId,
+        $cwd: params.cwd ?? null,
+        $title: params.title ?? null,
+        $updatedAt: now
+      });
+      const maxSeq = this.getMaxSeq(params.sessionId, existing.current_revision);
+      this.seqGenerator.initialize(params.sessionId, existing.current_revision, maxSeq);
+      logger.debug({
+        sessionId: params.sessionId,
+        revision: existing.current_revision,
+        maxSeq
+      }, "wal_session_existing");
+      return { revision: existing.current_revision };
+    }
+    this.stmtInsertSession.run({
+      $sessionId: params.sessionId,
+      $machineId: params.machineId,
+      $backendId: params.backendId,
+      $cwd: params.cwd ?? null,
+      $title: params.title ?? null,
+      $createdAt: now,
+      $updatedAt: now
+    });
+    this.seqGenerator.initialize(params.sessionId, 1, 0);
+    logger.info({ sessionId: params.sessionId, revision: 1 }, "wal_session_created");
+    return { revision: 1 };
+  }
+  getSession(sessionId) {
+    const row = this.stmtGetSession.get({
+      $sessionId: sessionId
+    });
+    if (!row)
+      return null;
+    return this.rowToSession(row);
+  }
+  appendEvent(params) {
+    const seq = this.seqGenerator.next(params.sessionId, params.revision);
+    const now = new Date().toISOString();
+    logger.debug({
+      sessionId: params.sessionId,
+      revision: params.revision,
+      seq,
+      kind: params.kind
+    }, "wal_append_event");
+    this.stmtInsertEvent.run({
+      $sessionId: params.sessionId,
+      $revision: params.revision,
+      $seq: seq,
+      $kind: params.kind,
+      $payload: JSON.stringify(params.payload),
+      $createdAt: now
+    });
+    const lastId = this.db.query("SELECT last_insert_rowid() as id").get();
+    logger.info({
+      sessionId: params.sessionId,
+      revision: params.revision,
+      seq,
+      kind: params.kind,
+      eventId: lastId.id
+    }, "wal_event_appended");
+    return {
+      id: lastId.id,
+      sessionId: params.sessionId,
+      revision: params.revision,
+      seq,
+      kind: params.kind,
+      payload: params.payload,
+      createdAt: now
+    };
+  }
+  queryEvents(params) {
+    logger.debug({
+      sessionId: params.sessionId,
+      revision: params.revision,
+      afterSeq: params.afterSeq ?? 0,
+      limit: params.limit ?? DEFAULT_QUERY_LIMIT
+    }, "wal_query_events");
+    const rows = this.stmtQueryEvents.all({
+      $sessionId: params.sessionId,
+      $revision: params.revision,
+      $afterSeq: params.afterSeq ?? 0,
+      $limit: params.limit ?? DEFAULT_QUERY_LIMIT
+    });
+    logger.debug({
+      sessionId: params.sessionId,
+      revision: params.revision,
+      count: rows.length,
+      seqRange: rows.length > 0 ? `${rows[0].seq}-${rows[rows.length - 1].seq}` : "empty"
+    }, "wal_query_events_result");
+    return rows.map((row) => this.rowToEvent(row));
+  }
+  getUnackedEvents(sessionId, revision) {
+    const rows = this.stmtQueryUnackedEvents.all({
+      $sessionId: sessionId,
+      $revision: revision
+    });
+    return rows.map((row) => this.rowToEvent(row));
+  }
+  ackEvents(sessionId, revision, upToSeq) {
+    logger.debug({ sessionId, revision, upToSeq }, "wal_ack_events");
+    const result = this.stmtAckEvents.run({
+      $sessionId: sessionId,
+      $revision: revision,
+      $upToSeq: upToSeq,
+      $ackedAt: new Date().toISOString()
+    });
+    logger.debug({ sessionId, revision, upToSeq, changes: result.changes }, "wal_ack_events_result");
+  }
+  incrementRevision(sessionId) {
+    logger.info({ sessionId }, "wal_increment_revision");
+    const result = this.stmtIncrementRevision.get({
+      $sessionId: sessionId,
+      $updatedAt: new Date().toISOString()
+    });
+    if (!result) {
+      logger.error({ sessionId }, "wal_increment_revision_session_not_found");
+      throw new Error(`Session not found: ${sessionId}`);
+    }
+    this.seqGenerator.reset(sessionId, result.current_revision);
+    logger.info({ sessionId, newRevision: result.current_revision }, "wal_revision_incremented");
+    return result.current_revision;
+  }
+  getCurrentSeq(sessionId, revision) {
+    return this.seqGenerator.current(sessionId, revision);
+  }
+  saveDiscoveredSessions(sessions) {
+    const now = new Date().toISOString();
+    for (const session of sessions) {
+      this.stmtUpsertDiscoveredSession.run({
+        $sessionId: session.sessionId,
+        $backendId: session.backendId,
+        $cwd: session.cwd ?? null,
+        $title: session.title ?? null,
+        $agentUpdatedAt: session.agentUpdatedAt ?? null,
+        $discoveredAt: session.discoveredAt,
+        $lastVerifiedAt: now
+      });
+    }
+  }
+  getDiscoveredSessions(backendId) {
+    let rows;
+    if (backendId) {
+      rows = this.stmtGetDiscoveredSessionsByBackend.all({
+        $backendId: backendId
+      });
+    } else {
+      rows = this.stmtGetDiscoveredSessions.all();
+    }
+    return rows.map((row) => this.rowToDiscoveredSession(row));
+  }
+  markDiscoveredSessionStale(sessionId) {
+    this.stmtMarkDiscoveredSessionStale.run({
+      $sessionId: sessionId
+    });
+  }
+  deleteStaleDiscoveredSessions(olderThan) {
+    const result = this.stmtDeleteStaleDiscoveredSessions.run({
+      $olderThan: olderThan.toISOString()
+    });
+    return result.changes;
+  }
+  archiveSession(sessionId) {
+    this.stmtDeleteSessionEvents.run({ $sessionId: sessionId });
+    this.stmtDeleteSession.run({ $sessionId: sessionId });
+    this.stmtInsertArchivedSession.run({
+      $sessionId: sessionId,
+      $archivedAt: new Date().toISOString()
+    });
+  }
+  bulkArchiveSessions(sessionIds) {
+    let count = 0;
+    for (const sessionId of sessionIds) {
+      this.archiveSession(sessionId);
+      count++;
+    }
+    return count;
+  }
+  isArchived(sessionId) {
+    const row = this.stmtIsArchived.get({ $sessionId: sessionId });
+    return row !== null;
+  }
+  getArchivedSessionIds() {
+    const rows = this.stmtGetArchivedSessionIds.all();
+    return rows.map((r) => r.session_id);
+  }
+  close() {
+    this.db.close();
+  }
+  getMaxSeq(sessionId, revision) {
+    const result = this.stmtGetMaxSeq.get({
+      $sessionId: sessionId,
+      $revision: revision
+    });
+    return result?.max_seq ?? 0;
+  }
+  rowToSession(row) {
+    return {
+      sessionId: row.session_id,
+      machineId: row.machine_id,
+      backendId: row.backend_id,
+      currentRevision: row.current_revision,
+      cwd: row.cwd ?? undefined,
+      title: row.title ?? undefined,
+      createdAt: row.created_at,
+      updatedAt: row.updated_at
+    };
+  }
+  rowToEvent(row) {
+    return {
+      id: row.id,
+      sessionId: row.session_id,
+      revision: row.revision,
+      seq: row.seq,
+      kind: row.kind,
+      payload: JSON.parse(row.payload),
+      createdAt: row.created_at,
+      ackedAt: row.acked_at ?? undefined
+    };
+  }
+  rowToDiscoveredSession(row) {
+    return {
+      sessionId: row.session_id,
+      backendId: row.backend_id,
+      cwd: row.cwd ?? undefined,
+      title: row.title ?? undefined,
+      agentUpdatedAt: row.agent_updated_at ?? undefined,
+      discoveredAt: row.discovered_at,
+      lastVerifiedAt: row.last_verified_at ?? undefined,
+      isStale: row.is_stale === 1
+    };
+  }
+}
 // src/acp/acp-connection.ts
 import { spawn } from "child_process";
 import { randomUUID } from "crypto";
 import { EventEmitter } from "events";
-import { Readable, Writable } from "stream";
+import { Readable, Writable as Writable2 } from "stream";
 import {
   ClientSideConnection,
   ndJsonStream,
   PROTOCOL_VERSION
 } from "@agentclientprotocol/sdk";
+import {
+  createErrorDetail,
+  isProtocolMismatch
+} from "@mobvibe/shared";
 var getErrorMessage = (error) => {
   if (error instanceof Error) {
     return error.message;
@@ -520,10 +1342,9 @@ var sliceOutputToLimit = (value, limit) => {
   }
   return sliced.subarray(start).toString("utf8");
 };
-var AcpConnection = class {
-  constructor(options) {
-    this.options = options;
-  }
+
+class AcpConnection {
+  options;
   connection;
   process;
   closedPromise;
@@ -533,11 +1354,14 @@ var AcpConnection = class {
   sessionId;
   agentInfo;
   agentCapabilities;
-  sessionUpdateEmitter = new EventEmitter();
-  statusEmitter = new EventEmitter();
-  terminalOutputEmitter = new EventEmitter();
+  sessionUpdateEmitter = new EventEmitter;
+  statusEmitter = new EventEmitter;
+  terminalOutputEmitter = new EventEmitter;
   permissionHandler;
-  terminals = /* @__PURE__ */ new Map();
+  terminals = new Map;
+  constructor(options) {
+    this.options = options;
+  }
   getStatus() {
     return {
       backendId: this.options.backend.id,
@@ -554,52 +1378,32 @@ var AcpConnection = class {
   getAgentInfo() {
     return this.agentInfo;
   }
-  /**
-   * Get the agent's session capabilities.
-   */
   getSessionCapabilities() {
     return {
       list: this.agentCapabilities?.sessionCapabilities?.list != null,
       load: this.agentCapabilities?.loadSession === true
     };
   }
-  /**
-   * Check if the agent supports session/list.
-   */
   supportsSessionList() {
     return this.agentCapabilities?.sessionCapabilities?.list != null;
   }
-  /**
-   * Check if the agent supports session/load.
-   */
   supportsSessionLoad() {
     return this.agentCapabilities?.loadSession === true;
   }
-  /**
-   * List sessions from the agent (session/list).
-   * @param params Optional filter parameters
-   * @returns List of session info from the agent
-   */
   async listSessions(params) {
     if (!this.supportsSessionList()) {
       return { sessions: [] };
     }
     const connection = await this.ensureReady();
     const response = await connection.unstable_listSessions({
-      cursor: params?.cursor ?? void 0,
-      cwd: params?.cwd ?? void 0
+      cursor: params?.cursor ?? undefined,
+      cwd: params?.cwd ?? undefined
     });
     return {
       sessions: response.sessions,
-      nextCursor: response.nextCursor ?? void 0
+      nextCursor: response.nextCursor ?? undefined
     };
   }
-  /**
-   * Load a historical session with message history replay (session/load).
-   * @param sessionId The session ID to load
-   * @param cwd The working directory
-   * @returns Load session response with modes/models state
-   */
   async loadSession(sessionId, cwd) {
     if (!this.supportsSessionLoad()) {
       throw new Error("Agent does not support session/load capability");
@@ -644,35 +1448,28 @@ var AcpConnection = class {
       return;
     }
     this.updateStatus("connecting");
-    this.agentInfo = void 0;
+    this.agentInfo = undefined;
     try {
       const env = this.options.backend.envOverrides ? { ...process.env, ...this.options.backend.envOverrides } : process.env;
-      const child = spawn(
-        this.options.backend.command,
-        this.options.backend.args,
-        {
-          stdio: ["pipe", "pipe", "pipe"],
-          env
-        }
-      );
+      const child = spawn(this.options.backend.command, this.options.backend.args, {
+        stdio: ["pipe", "pipe", "pipe"],
+        env
+      });
       this.process = child;
-      this.sessionId = void 0;
+      this.sessionId = undefined;
       child.stderr.pipe(process.stderr);
-      const input = Writable.toWeb(child.stdin);
+      const input = Writable2.toWeb(child.stdin);
       const output = Readable.toWeb(child.stdout);
       const stream = ndJsonStream(input, output);
-      const connection = new ClientSideConnection(
-        () => buildClient({
-          onSessionUpdate: (notification) => this.emitSessionUpdate(notification),
-          onRequestPermission: (params) => this.handlePermissionRequest(params),
-          onCreateTerminal: (params) => this.createTerminal(params),
-          onTerminalOutput: (params) => this.getTerminalOutput(params),
-          onWaitForTerminalExit: (params) => this.waitForTerminalExit(params),
-          onKillTerminal: (params) => this.killTerminal(params),
-          onReleaseTerminal: (params) => this.releaseTerminal(params)
-        }),
-        stream
-      );
+      const connection = new ClientSideConnection(() => buildClient({
+        onSessionUpdate: (notification) => this.emitSessionUpdate(notification),
+        onRequestPermission: (params) => this.handlePermissionRequest(params),
+        onCreateTerminal: (params) => this.createTerminal(params),
+        onTerminalOutput: (params) => this.getTerminalOutput(params),
+        onWaitForTerminalExit: (params) => this.waitForTerminalExit(params),
+        onKillTerminal: (params) => this.killTerminal(params),
+        onReleaseTerminal: (params) => this.releaseTerminal(params)
+      }), stream);
       this.connection = connection;
       child.once("error", (error) => {
         if (this.state === "stopped") {
@@ -684,16 +1481,10 @@ var AcpConnection = class {
         if (this.state === "stopped") {
           return;
         }
-        this.updateStatus(
-          "error",
-          buildProcessExitError(formatExitMessage(code, signal))
-        );
+        this.updateStatus("error", buildProcessExitError(formatExitMessage(code, signal)));
       });
       this.closedPromise = connection.closed.catch((error) => {
-        this.updateStatus(
-          "error",
-          buildConnectionClosedError(getErrorMessage(error))
-        );
+        this.updateStatus("error", buildConnectionClosedError(getErrorMessage(error)));
       });
       const initializeResponse = await connection.initialize({
         protocolVersion: PROTOCOL_VERSION,
@@ -703,9 +1494,9 @@ var AcpConnection = class {
         },
         clientCapabilities: { terminal: true }
       });
-      this.agentInfo = initializeResponse.agentInfo ?? void 0;
-      this.agentCapabilities = initializeResponse.agentCapabilities ?? void 0;
-      this.connectedAt = /* @__PURE__ */ new Date();
+      this.agentInfo = initializeResponse.agentInfo ?? undefined;
+      this.agentCapabilities = initializeResponse.agentCapabilities ?? undefined;
+      this.connectedAt = new Date;
       this.updateStatus("ready");
     } catch (error) {
       this.updateStatus("error", buildConnectError(error));
@@ -715,10 +1506,7 @@ var AcpConnection = class {
   }
   async createSession(options) {
     const connection = await this.ensureReady();
-    const response = await this.createSessionInternal(
-      connection,
-      options?.cwd ?? process.cwd()
-    );
+    const response = await this.createSessionInternal(connection, options?.cwd ?? process.cwd());
     this.sessionId = response.sessionId;
     return response;
   }
@@ -740,9 +1528,7 @@ var AcpConnection = class {
   }
   async createTerminal(params) {
     const outputLimit = typeof params.outputByteLimit === "number" && params.outputByteLimit > 0 ? Math.floor(params.outputByteLimit) : 1024 * 1024;
-    const resolvedEnv = params.env ? Object.fromEntries(
-      params.env.map((envVar) => [envVar.name, envVar.value])
-    ) : void 0;
+    const resolvedEnv = params.env ? Object.fromEntries(params.env.map((envVar) => [envVar.name, envVar.value])) : undefined;
     const terminalId = randomUUID();
     const record = {
       sessionId: params.sessionId,
@@ -757,7 +1543,7 @@ var AcpConnection = class {
     };
     this.terminals.set(terminalId, record);
     const child = spawn(params.command, params.args ?? [], {
-      cwd: params.cwd ?? void 0,
+      cwd: params.cwd ?? undefined,
       env: resolvedEnv ? { ...process.env, ...resolvedEnv } : process.env
     });
     child.once("error", (error) => {
@@ -777,8 +1563,7 @@ var AcpConnection = class {
       });
     });
     record.process = child;
-    let resolveExit = () => {
-    };
+    let resolveExit = () => {};
     record.onExit = new Promise((resolve) => {
       resolveExit = resolve;
     });
@@ -789,20 +1574,14 @@ var AcpConnection = class {
         return;
       }
       const combinedOutput = record.output.output + delta;
-      record.output.truncated = isOutputOverLimit(
-        combinedOutput,
-        record.outputByteLimit
-      );
-      record.output.output = sliceOutputToLimit(
-        combinedOutput,
-        record.outputByteLimit
-      );
+      record.output.truncated = isOutputOverLimit(combinedOutput, record.outputByteLimit);
+      record.output.output = sliceOutputToLimit(combinedOutput, record.outputByteLimit);
       this.terminalOutputEmitter.emit("output", {
         sessionId: record.sessionId,
         terminalId,
         delta,
         truncated: record.output.truncated,
-        output: record.output.truncated ? record.output.output : void 0,
+        output: record.output.truncated ? record.output.output : undefined,
         exitStatus: record.output.exitStatus
       });
     };
@@ -863,11 +1642,11 @@ var AcpConnection = class {
       return;
     }
     this.updateStatus("stopped");
-    this.sessionId = void 0;
-    this.agentInfo = void 0;
+    this.sessionId = undefined;
+    this.agentInfo = undefined;
     await this.stopProcess();
     await this.closedPromise;
-    this.connection = void 0;
+    this.connection = undefined;
   }
   async ensureReady() {
     if (this.state !== "ready" || !this.connection) {
@@ -899,46 +1678,42 @@ var AcpConnection = class {
     if (!child) {
       return;
     }
-    this.process = void 0;
+    this.process = undefined;
     if (child.exitCode === null && !child.killed) {
       child.kill("SIGTERM");
     }
   }
-};
+}
 
 // src/acp/session-manager.ts
 var buildPermissionKey = (sessionId, requestId) => `${sessionId}:${requestId}`;
 var resolveModelState = (models) => {
   if (!models) {
     return {
-      modelId: void 0,
-      modelName: void 0,
-      availableModels: void 0
+      modelId: undefined,
+      modelName: undefined,
+      availableModels: undefined
     };
   }
   const availableModels = models.availableModels?.map((model) => ({
     id: model.modelId,
     name: model.name,
-    description: model.description ?? void 0
+    description: model.description ?? undefined
   }));
-  const modelId = models.currentModelId ?? void 0;
-  const modelName = availableModels?.find(
-    (model) => model.id === modelId
-  )?.name;
+  const modelId = models.currentModelId ?? undefined;
+  const modelName = availableModels?.find((model) => model.id === modelId)?.name;
   return { modelId, modelName, availableModels };
 };
 var resolveModeState = (modes) => {
   if (!modes) {
     return {
-      modeId: void 0,
-      modeName: void 0,
-      availableModes: void 0
+      modeId: undefined,
+      modeName: undefined,
+      availableModes: undefined
     };
   }
-  const modeId = modes.currentModeId ?? void 0;
-  const modeName = modes.availableModes?.find(
-    (mode) => mode.id === modeId
-  )?.name;
+  const modeId = modes.currentModeId ?? undefined;
+  const modeName = modes.availableModes?.find((mode) => mode.id === modeId)?.name;
   return {
     modeId,
     modeName,
@@ -948,63 +1723,87 @@ var resolveModeState = (modes) => {
     }))
   };
 };
-var createCapabilityNotSupportedError = (message) => new AppError(
-  createErrorDetail({
-    code: "CAPABILITY_NOT_SUPPORTED",
-    message,
-    retryable: false,
-    scope: "session"
-  }),
-  409
-);
+var createCapabilityNotSupportedError = (message) => new AppError(createErrorDetail2({
+  code: "CAPABILITY_NOT_SUPPORTED",
+  message,
+  retryable: false,
+  scope: "session"
+}), 409);
 var isValidWorkspacePath = async (cwd) => {
   try {
-    const stats = await fs3.stat(cwd);
+    const stats = await fs4.stat(cwd);
     return stats.isDirectory();
   } catch {
     return false;
   }
 };
-var SessionManager = class {
-  constructor(config) {
+
+class SessionManager {
+  config;
+  sessions = new Map;
+  discoveredSessions = new Map;
+  backendById;
+  permissionRequests = new Map;
+  permissionRequestEmitter = new EventEmitter2;
+  permissionResultEmitter = new EventEmitter2;
+  sessionsChangedEmitter = new EventEmitter2;
+  sessionAttachedEmitter = new EventEmitter2;
+  sessionDetachedEmitter = new EventEmitter2;
+  sessionEventEmitter = new EventEmitter2;
+  walStore;
+  cryptoService;
+  constructor(config, cryptoService) {
     this.config = config;
-    this.backendById = new Map(
-      config.acpBackends.map((backend) => [backend.id, backend])
-    );
-    this.defaultBackendId = config.defaultAcpBackendId;
+    this.backendById = new Map(config.acpBackends.map((backend) => [backend.id, backend]));
+    this.walStore = new WalStore(config.walDbPath);
+    this.cryptoService = cryptoService;
+  }
+  createConnection(backend) {
+    return new AcpConnection({
+      backend,
+      client: {
+        name: this.config.clientName,
+        version: this.config.clientVersion
+      }
+    });
   }
-  sessions = /* @__PURE__ */ new Map();
-  discoveredSessions = /* @__PURE__ */ new Map();
-  backendById;
-  defaultBackendId;
-  permissionRequests = /* @__PURE__ */ new Map();
-  sessionUpdateEmitter = new EventEmitter2();
-  sessionErrorEmitter = new EventEmitter2();
-  permissionRequestEmitter = new EventEmitter2();
-  permissionResultEmitter = new EventEmitter2();
-  terminalOutputEmitter = new EventEmitter2();
-  sessionsChangedEmitter = new EventEmitter2();
-  sessionAttachedEmitter = new EventEmitter2();
-  sessionDetachedEmitter = new EventEmitter2();
   listSessions() {
-    return Array.from(this.sessions.values()).map(
-      (record) => this.buildSummary(record)
-    );
+    return Array.from(this.sessions.values()).map((record) => this.buildSummary(record));
+  }
+  listAllSessions() {
+    const active = this.listSessions();
+    const merged = new Map(active.map((s) => [s.sessionId, s]));
+    for (const s of this.walStore.getDiscoveredSessions()) {
+      if (s.cwd === undefined)
+        continue;
+      const existing = merged.get(s.sessionId);
+      if (existing) {
+        const discoveredUpdatedAt = s.agentUpdatedAt ?? s.discoveredAt;
+        if (discoveredUpdatedAt > existing.updatedAt) {
+          merged.set(s.sessionId, {
+            ...existing,
+            updatedAt: discoveredUpdatedAt
+          });
+        }
+      } else {
+        merged.set(s.sessionId, {
+          sessionId: s.sessionId,
+          title: s.title ?? `Session ${s.sessionId.slice(0, 8)}`,
+          backendId: s.backendId,
+          backendLabel: s.backendId,
+          cwd: s.cwd,
+          createdAt: s.discoveredAt,
+          updatedAt: s.agentUpdatedAt ?? s.discoveredAt
+        });
+      }
+    }
+    return Array.from(merged.values());
   }
   getSession(sessionId) {
     return this.sessions.get(sessionId);
   }
-  onSessionUpdate(listener) {
-    this.sessionUpdateEmitter.on("update", listener);
-    return () => {
-      this.sessionUpdateEmitter.off("update", listener);
-    };
-  }
-  onSessionError(listener) {
-    this.sessionErrorEmitter.on("error", listener);
-    return () => {
-      this.sessionErrorEmitter.off("error", listener);
-    };
+  getSessionRevision(sessionId) {
+    return this.sessions.get(sessionId)?.revision;
   }
   onPermissionRequest(listener) {
     this.permissionRequestEmitter.on("request", listener);
@@ -1018,12 +1817,6 @@ var SessionManager = class {
       this.permissionResultEmitter.off("result", listener);
     };
   }
-  onTerminalOutput(listener) {
-    this.terminalOutputEmitter.on("output", listener);
-    return () => {
-      this.terminalOutputEmitter.off("output", listener);
-    };
-  }
   onSessionsChanged(listener) {
     this.sessionsChangedEmitter.on("changed", listener);
     return () => {
@@ -1042,6 +1835,117 @@ var SessionManager = class {
       this.sessionDetachedEmitter.off("detached", listener);
     };
   }
+  onSessionEvent(listener) {
+    this.sessionEventEmitter.on("event", listener);
+    return () => {
+      this.sessionEventEmitter.off("event", listener);
+    };
+  }
+  getSessionEvents(params) {
+    const record = this.sessions.get(params.sessionId);
+    let actualRevision;
+    if (record) {
+      actualRevision = record.revision;
+    } else {
+      const walSession = this.walStore.getSession(params.sessionId);
+      actualRevision = walSession?.currentRevision ?? params.revision;
+    }
+    if (!record && !this.walStore.getSession(params.sessionId)) {
+      return {
+        sessionId: params.sessionId,
+        machineId: this.config.machineId,
+        revision: actualRevision,
+        events: [],
+        hasMore: false
+      };
+    }
+    if (params.revision !== actualRevision) {
+      return {
+        sessionId: params.sessionId,
+        machineId: this.config.machineId,
+        revision: actualRevision,
+        events: [],
+        hasMore: false
+      };
+    }
+    const limit = params.limit ?? 100;
+    const events = this.walStore.queryEvents({
+      sessionId: params.sessionId,
+      revision: actualRevision,
+      afterSeq: params.afterSeq,
+      limit: limit + 1
+    });
+    const hasMore = events.length > limit;
+    const resultEvents = hasMore ? events.slice(0, limit) : events;
+    return {
+      sessionId: params.sessionId,
+      machineId: this.config.machineId,
+      revision: actualRevision,
+      events: resultEvents.map((e) => ({
+        sessionId: e.sessionId,
+        machineId: this.config.machineId,
+        revision: e.revision,
+        seq: e.seq,
+        kind: e.kind,
+        createdAt: e.createdAt,
+        payload: e.payload
+      })),
+      nextAfterSeq: resultEvents.length > 0 ? resultEvents[resultEvents.length - 1].seq : undefined,
+      hasMore
+    };
+  }
+  getUnackedEvents(sessionId, revision) {
+    const events = this.walStore.getUnackedEvents(sessionId, revision);
+    return events.map((e) => ({
+      sessionId: e.sessionId,
+      machineId: this.config.machineId,
+      revision: e.revision,
+      seq: e.seq,
+      kind: e.kind,
+      createdAt: e.createdAt,
+      payload: e.payload
+    }));
+  }
+  ackEvents(sessionId, revision, upToSeq) {
+    this.walStore.ackEvents(sessionId, revision, upToSeq);
+  }
+  recordTurnEnd(sessionId, stopReason) {
+    const record = this.sessions.get(sessionId);
+    if (!record) {
+      return;
+    }
+    record.updatedAt = new Date;
+    this.writeAndEmitEvent(sessionId, record.revision, "turn_end", {
+      stopReason
+    });
+  }
+  writeAndEmitEvent(sessionId, revision, kind, payload) {
+    logger.debug({ sessionId, revision, kind }, "session_write_and_emit_event_start");
+    const walEvent = this.walStore.appendEvent({
+      sessionId,
+      revision,
+      kind,
+      payload
+    });
+    const event = {
+      sessionId: walEvent.sessionId,
+      machineId: this.config.machineId,
+      revision: walEvent.revision,
+      seq: walEvent.seq,
+      kind: walEvent.kind,
+      createdAt: walEvent.createdAt,
+      payload: walEvent.payload
+    };
+    logger.info({
+      sessionId: event.sessionId,
+      revision: event.revision,
+      seq: event.seq,
+      kind: event.kind
+    }, "session_event_emitting");
+    this.sessionEventEmitter.emit("event", event);
+    logger.debug({ sessionId: event.sessionId, seq: event.seq }, "session_event_emitted");
+    return event;
+  }
   emitSessionsChanged(payload) {
     this.sessionsChangedEmitter.emit("changed", payload);
   }
@@ -1053,13 +1957,14 @@ var SessionManager = class {
     if (record.isAttached && !force) {
       return;
     }
-    const attachedAt = /* @__PURE__ */ new Date();
+    const attachedAt = new Date;
     record.isAttached = true;
     record.attachedAt = attachedAt;
     this.sessionAttachedEmitter.emit("attached", {
       sessionId,
       machineId: this.config.machineId,
-      attachedAt: attachedAt.toISOString()
+      attachedAt: attachedAt.toISOString(),
+      revision: record.revision
     });
   }
   emitSessionDetached(sessionId, reason) {
@@ -1074,7 +1979,7 @@ var SessionManager = class {
     this.sessionDetachedEmitter.emit("detached", {
       sessionId,
       machineId: this.config.machineId,
-      detachedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      detachedAt: new Date().toISOString(),
       reason
     });
   }
@@ -1083,69 +1988,72 @@ var SessionManager = class {
   }
   resolvePermissionRequest(sessionId, requestId, outcome) {
     const key = buildPermissionKey(sessionId, requestId);
-    const record = this.permissionRequests.get(key);
-    if (!record) {
-      throw new AppError(
-        createErrorDetail({
-          code: "REQUEST_VALIDATION_FAILED",
-          message: "Permission request not found",
-          retryable: false,
-          scope: "request"
-        }),
-        404
-      );
+    const permRecord = this.permissionRequests.get(key);
+    if (!permRecord) {
+      throw new AppError(createErrorDetail2({
+        code: "REQUEST_VALIDATION_FAILED",
+        message: "Permission request not found",
+        retryable: false,
+        scope: "request"
+      }), 404);
     }
     const response = { outcome };
-    record.resolve(response);
+    permRecord.resolve(response);
     this.permissionRequests.delete(key);
     const payload = {
       sessionId,
       requestId,
       outcome
     };
+    const sessionRecord = this.sessions.get(sessionId);
+    if (sessionRecord) {
+      this.writeAndEmitEvent(sessionId, sessionRecord.revision, "permission_result", payload);
+    }
     this.permissionResultEmitter.emit("result", payload);
     return payload;
   }
   resolveBackend(backendId) {
-    const normalized = backendId?.trim();
-    const resolvedId = normalized && normalized.length > 0 ? normalized : this.defaultBackendId;
-    const backend = this.backendById.get(resolvedId);
+    const normalized = backendId.trim();
+    if (!normalized) {
+      throw new AppError(createErrorDetail2({
+        code: "REQUEST_VALIDATION_FAILED",
+        message: "backendId is required",
+        retryable: false,
+        scope: "request"
+      }), 400);
+    }
+    const backend = this.backendById.get(normalized);
     if (!backend) {
-      throw new AppError(
-        createErrorDetail({
-          code: "REQUEST_VALIDATION_FAILED",
-          message: "Invalid backend ID",
-          retryable: false,
-          scope: "request"
-        }),
-        400
-      );
+      throw new AppError(createErrorDetail2({
+        code: "REQUEST_VALIDATION_FAILED",
+        message: "Invalid backend ID",
+        retryable: false,
+        scope: "request"
+      }), 400);
     }
     return backend;
   }
   async createSession(options) {
-    const backend = this.resolveBackend(options?.backendId);
-    const connection = new AcpConnection({
-      backend,
-      client: {
-        name: this.config.clientName,
-        version: this.config.clientVersion
-      }
-    });
+    const backend = this.resolveBackend(options.backendId);
+    const connection = this.createConnection(backend);
     try {
       await connection.connect();
       const session = await connection.createSession({ cwd: options?.cwd });
-      connection.setPermissionHandler(
-        (params) => this.handlePermissionRequest(session.sessionId, params)
-      );
-      const now = /* @__PURE__ */ new Date();
+      connection.setPermissionHandler((params) => this.handlePermissionRequest(session.sessionId, params));
+      const now = new Date;
       const agentInfo = connection.getAgentInfo();
-      const { modelId, modelName, availableModels } = resolveModelState(
-        session.models
-      );
-      const { modeId, modeName, availableModes } = resolveModeState(
-        session.modes
-      );
+      const { modelId, modelName, availableModels } = resolveModelState(session.models);
+      const { modeId, modeName, availableModes } = resolveModeState(session.modes);
+      const { revision } = this.walStore.ensureSession({
+        sessionId: session.sessionId,
+        machineId: this.config.machineId,
+        backendId: backend.id,
+        cwd: options?.cwd,
+        title: options?.title ?? `Session ${this.sessions.size + 1}`
+      });
+      if (this.cryptoService) {
+        this.cryptoService.initSessionDek(session.sessionId);
+      }
       const record = {
         sessionId: session.sessionId,
         title: options?.title ?? `Session ${this.sessions.size + 1}`,
@@ -1162,24 +2070,25 @@ var SessionManager = class {
         modeName,
         availableModes,
         availableModels,
-        availableCommands: void 0
+        availableCommands: undefined,
+        revision
       };
-      record.unsubscribe = connection.onSessionUpdate(
-        (notification) => {
-          record.updatedAt = /* @__PURE__ */ new Date();
-          this.sessionUpdateEmitter.emit("update", notification);
-          this.applySessionUpdateToRecord(record, notification);
-        }
-      );
+      record.unsubscribe = connection.onSessionUpdate((notification) => {
+        logger.debug({
+          sessionId: session.sessionId,
+          updateType: notification.update.sessionUpdate
+        }, "acp_session_update_received");
+        record.updatedAt = new Date;
+        this.writeSessionUpdateToWal(record, notification);
+        this.applySessionUpdateToRecord(record, notification);
+      });
       record.unsubscribeTerminal = connection.onTerminalOutput((event) => {
-        this.terminalOutputEmitter.emit("output", event);
+        logger.debug({ sessionId: record.sessionId }, "acp_terminal_output_received");
+        this.writeAndEmitEvent(record.sessionId, record.revision, "terminal_output", event);
       });
       connection.onStatusChange((status) => {
         if (status.error) {
-          this.sessionErrorEmitter.emit("error", {
-            sessionId: session.sessionId,
-            error: status.error
-          });
+          this.writeAndEmitEvent(record.sessionId, record.revision, "session_error", { error: status.error });
           this.emitSessionDetached(session.sessionId, "agent_exit");
         }
       });
@@ -1208,7 +2117,6 @@ var SessionManager = class {
       requestId: record.requestId,
       options: record.params.options.map((option) => ({
         optionId: option.optionId,
-        // SDK uses 'name', our shared type uses 'label'
         label: option.name,
         description: option._meta?.description ?? null
       })),
@@ -1228,23 +2136,24 @@ var SessionManager = class {
     if (existing) {
       return existing.promise;
     }
-    let resolver = () => {
-    };
+    let resolver = () => {};
     const promise = new Promise((resolve) => {
       resolver = resolve;
     });
-    const record = {
+    const permRecord = {
       sessionId,
       requestId,
       params,
       promise,
       resolve: resolver
     };
-    this.permissionRequests.set(key, record);
-    this.permissionRequestEmitter.emit(
-      "request",
-      this.buildPermissionRequestPayload(record)
-    );
+    this.permissionRequests.set(key, permRecord);
+    const payload = this.buildPermissionRequestPayload(permRecord);
+    const sessionRecord = this.sessions.get(sessionId);
+    if (sessionRecord) {
+      this.writeAndEmitEvent(sessionId, sessionRecord.revision, "permission_request", payload);
+    }
+    this.permissionRequestEmitter.emit("request", payload);
     return promise;
   }
   cancelPermissionRequests(sessionId) {
@@ -1267,18 +2176,15 @@ var SessionManager = class {
   updateTitle(sessionId, title) {
     const record = this.sessions.get(sessionId);
     if (!record) {
-      throw new AppError(
-        createErrorDetail({
-          code: "SESSION_NOT_FOUND",
-          message: "Session not found",
-          retryable: false,
-          scope: "session"
-        }),
-        404
-      );
+      throw new AppError(createErrorDetail2({
+        code: "SESSION_NOT_FOUND",
+        message: "Session not found",
+        retryable: false,
+        scope: "session"
+      }), 404);
     }
     record.title = title;
-    record.updatedAt = /* @__PURE__ */ new Date();
+    record.updatedAt = new Date;
     const summary = this.buildSummary(record);
     this.emitSessionsChanged({
       added: [],
@@ -1292,42 +2198,34 @@ var SessionManager = class {
     if (!record) {
       return;
     }
-    record.updatedAt = /* @__PURE__ */ new Date();
+    record.updatedAt = new Date;
   }
   async setSessionMode(sessionId, modeId) {
     const record = this.sessions.get(sessionId);
     if (!record) {
-      throw new AppError(
-        createErrorDetail({
-          code: "SESSION_NOT_FOUND",
-          message: "Session not found",
-          retryable: false,
-          scope: "session"
-        }),
-        404
-      );
+      throw new AppError(createErrorDetail2({
+        code: "SESSION_NOT_FOUND",
+        message: "Session not found",
+        retryable: false,
+        scope: "session"
+      }), 404);
     }
     if (!record.availableModes || record.availableModes.length === 0) {
-      throw createCapabilityNotSupportedError(
-        "Current agent does not support mode switching"
-      );
+      throw createCapabilityNotSupportedError("Current agent does not support mode switching");
     }
     const selected = record.availableModes.find((mode) => mode.id === modeId);
     if (!selected) {
-      throw new AppError(
-        createErrorDetail({
-          code: "REQUEST_VALIDATION_FAILED",
-          message: "Invalid mode ID",
-          retryable: false,
-          scope: "request"
-        }),
-        400
-      );
+      throw new AppError(createErrorDetail2({
+        code: "REQUEST_VALIDATION_FAILED",
+        message: "Invalid mode ID",
+        retryable: false,
+        scope: "request"
+      }), 400);
     }
     await record.connection.setSessionMode(sessionId, modeId);
     record.modeId = selected.id;
     record.modeName = selected.name;
-    record.updatedAt = /* @__PURE__ */ new Date();
+    record.updatedAt = new Date;
     const summary = this.buildSummary(record);
     this.emitSessionsChanged({
       added: [],
@@ -1339,39 +2237,29 @@ var SessionManager = class {
   async setSessionModel(sessionId, modelId) {
     const record = this.sessions.get(sessionId);
     if (!record) {
-      throw new AppError(
-        createErrorDetail({
-          code: "SESSION_NOT_FOUND",
-          message: "Session not found",
-          retryable: false,
-          scope: "session"
-        }),
-        404
-      );
+      throw new AppError(createErrorDetail2({
+        code: "SESSION_NOT_FOUND",
+        message: "Session not found",
+        retryable: false,
+        scope: "session"
+      }), 404);
     }
     if (!record.availableModels || record.availableModels.length === 0) {
-      throw createCapabilityNotSupportedError(
-        "Current agent does not support model switching"
-      );
+      throw createCapabilityNotSupportedError("Current agent does not support model switching");
     }
-    const selected = record.availableModels.find(
-      (model) => model.id === modelId
-    );
+    const selected = record.availableModels.find((model) => model.id === modelId);
     if (!selected) {
-      throw new AppError(
-        createErrorDetail({
-          code: "REQUEST_VALIDATION_FAILED",
-          message: "Invalid model ID",
-          retryable: false,
-          scope: "request"
-        }),
-        400
-      );
+      throw new AppError(createErrorDetail2({
+        code: "REQUEST_VALIDATION_FAILED",
+        message: "Invalid model ID",
+        retryable: false,
+        scope: "request"
+      }), 400);
     }
     await record.connection.setSessionModel(sessionId, modelId);
     record.modelId = selected.id;
     record.modelName = selected.name;
-    record.updatedAt = /* @__PURE__ */ new Date();
+    record.updatedAt = new Date;
     const summary = this.buildSummary(record);
     this.emitSessionsChanged({
       added: [],
@@ -1418,25 +2306,38 @@ var SessionManager = class {
   }
   async closeAll() {
     const sessionIds = Array.from(this.sessions.keys());
-    await Promise.all(
-      sessionIds.map((sessionId) => this.closeSession(sessionId))
-    );
-  }
-  /**
-   * Discover sessions persisted by the ACP agent.
-   * Creates a temporary connection to query sessions.
-   * @param options Optional parameters for discovery
-   * @returns List of discovered sessions and agent capabilities
-   */
+    await Promise.all(sessionIds.map((sessionId) => this.closeSession(sessionId)));
+  }
+  async archiveSession(sessionId) {
+    if (this.sessions.has(sessionId)) {
+      await this.closeSession(sessionId);
+    }
+    this.walStore.archiveSession(sessionId);
+    this.discoveredSessions.delete(sessionId);
+  }
+  async bulkArchiveSessions(sessionIds) {
+    await Promise.allSettled(sessionIds.filter((id) => this.sessions.has(id)).map((id) => this.closeSession(id)));
+    const archivedCount = this.walStore.bulkArchiveSessions(sessionIds);
+    for (const id of sessionIds) {
+      this.discoveredSessions.delete(id);
+    }
+    return { archivedCount };
+  }
+  async shutdown() {
+    await this.closeAll();
+    this.walStore.close();
+  }
+  getPersistedDiscoveredSessions(backendId) {
+    return this.walStore.getDiscoveredSessions(backendId).filter((s) => !this.sessions.has(s.sessionId) && s.cwd !== undefined).map((s) => ({
+      sessionId: s.sessionId,
+      cwd: s.cwd,
+      title: s.title,
+      updatedAt: s.agentUpdatedAt
+    }));
+  }
   async discoverSessions(options) {
-    const backend = this.resolveBackend(options?.backendId);
-    const connection = new AcpConnection({
-      backend,
-      client: {
-        name: this.config.clientName,
-        version: this.config.clientVersion
-      }
-    });
+    const backend = this.resolveBackend(options.backendId);
+    const connection = this.createConnection(backend);
     try {
       await connection.connect();
       const capabilities = connection.getSessionCapabilities();
@@ -1448,98 +2349,123 @@ var SessionManager = class {
           cursor: options?.cursor
         });
         nextCursor = response.nextCursor;
-        const validity = await Promise.all(
-          response.sessions.map(async (session) => ({
-            session,
-            isValid: session.cwd ? await isValidWorkspacePath(session.cwd) : false
-          }))
-        );
+        const archivedIds = new Set(this.walStore.getArchivedSessionIds());
+        const validity = await Promise.all(response.sessions.map(async (session) => ({
+          session,
+          isValid: session.cwd ? await isValidWorkspacePath(session.cwd) : false
+        })));
+        const now = new Date().toISOString();
+        const discoveredRecords = [];
         for (const { session, isValid } of validity) {
           if (!isValid) {
             this.discoveredSessions.delete(session.sessionId);
+            this.walStore.markDiscoveredSessionStale(session.sessionId);
+            continue;
+          }
+          if (archivedIds.has(session.sessionId)) {
             continue;
           }
           this.discoveredSessions.set(session.sessionId, {
             sessionId: session.sessionId,
             cwd: session.cwd,
-            title: session.title ?? void 0,
-            updatedAt: session.updatedAt ?? void 0
+            title: session.title ?? undefined,
+            updatedAt: session.updatedAt ?? undefined
           });
           sessions.push({
             sessionId: session.sessionId,
             cwd: session.cwd,
-            title: session.title ?? void 0,
-            updatedAt: session.updatedAt ?? void 0
+            title: session.title ?? undefined,
+            updatedAt: session.updatedAt ?? undefined
+          });
+          discoveredRecords.push({
+            sessionId: session.sessionId,
+            backendId: backend.id,
+            cwd: session.cwd,
+            title: session.title ?? undefined,
+            agentUpdatedAt: session.updatedAt ?? undefined,
+            discoveredAt: now,
+            isStale: false
           });
         }
+        if (discoveredRecords.length > 0) {
+          this.walStore.saveDiscoveredSessions(discoveredRecords);
+        }
       }
-      logger.info(
-        {
-          backendId: backend.id,
-          sessionCount: sessions.length,
-          capabilities
-        },
-        "sessions_discovered"
-      );
+      logger.info({
+        backendId: backend.id,
+        sessionCount: sessions.length,
+        capabilities
+      }, "sessions_discovered");
       return { sessions, capabilities, nextCursor };
     } finally {
       await connection.disconnect();
     }
   }
-  /**
-   * Load a historical session from the ACP agent.
-   * This will replay the session's message history.
-   * @param sessionId The session ID to load
-   * @param cwd The working directory
-   * @param backendId Optional backend ID
-   * @returns The loaded session summary
-   */
   async loadSession(sessionId, cwd, backendId) {
+    logger.info({ sessionId, cwd, backendId }, "load_session_start");
     const existing = this.sessions.get(sessionId);
     if (existing) {
+      logger.debug({ sessionId }, "load_session_already_loaded");
       this.emitSessionAttached(sessionId, true);
       return this.buildSummary(existing);
     }
     const backend = this.resolveBackend(backendId);
-    const connection = new AcpConnection({
-      backend,
-      client: {
-        name: this.config.clientName,
-        version: this.config.clientVersion
-      }
-    });
+    const connection = this.createConnection(backend);
     try {
       await connection.connect();
       if (!connection.supportsSessionLoad()) {
-        throw createCapabilityNotSupportedError(
-          "Agent does not support session loading"
-        );
+        throw createCapabilityNotSupportedError("Agent does not support session loading");
+      }
+      const existingWalSession = this.walStore.getSession(sessionId);
+      const hasExistingHistory = existingWalSession !== null && this.walStore.queryEvents({
+        sessionId,
+        revision: existingWalSession.currentRevision,
+        afterSeq: 0,
+        limit: 1
+      }).length > 0;
+      let revision;
+      if (hasExistingHistory) {
+        revision = this.walStore.incrementRevision(sessionId);
+        logger.debug({ sessionId, revision }, "load_session_bump_revision");
+      } else {
+        const result = this.walStore.ensureSession({
+          sessionId,
+          machineId: this.config.machineId,
+          backendId: backend.id,
+          cwd
+        });
+        revision = result.revision;
       }
       const bufferedUpdates = [];
       let recordRef;
-      const unsubscribe = connection.onSessionUpdate(
-        (notification) => {
-          this.sessionUpdateEmitter.emit("update", notification);
-          if (recordRef) {
-            recordRef.updatedAt = /* @__PURE__ */ new Date();
-            this.applySessionUpdateToRecord(recordRef, notification);
-          } else {
-            bufferedUpdates.push(notification);
-          }
+      const unsubscribe = connection.onSessionUpdate((notification) => {
+        logger.debug({
+          sessionId,
+          updateType: notification.update.sessionUpdate,
+          hasRecordRef: !!recordRef
+        }, "load_session_update_received");
+        if (recordRef) {
+          this.writeSessionUpdateToWal(recordRef, notification);
+          recordRef.updatedAt = new Date;
+          this.applySessionUpdateToRecord(recordRef, notification);
+        } else {
+          bufferedUpdates.push(notification);
+          logger.debug({ sessionId, bufferedCount: bufferedUpdates.length }, "load_session_buffered");
         }
-      );
+      });
+      logger.debug({ sessionId }, "load_session_calling_acp");
       const response = await connection.loadSession(sessionId, cwd);
-      connection.setPermissionHandler(
-        (params) => this.handlePermissionRequest(sessionId, params)
-      );
-      const now = /* @__PURE__ */ new Date();
+      logger.debug({
+        sessionId,
+        bufferedCount: bufferedUpdates.length,
+        hasModels: !!response.models,
+        hasModes: !!response.modes
+      }, "load_session_acp_returned");
+      connection.setPermissionHandler((params) => this.handlePermissionRequest(sessionId, params));
+      const now = new Date;
       const agentInfo = connection.getAgentInfo();
-      const { modelId, modelName, availableModels } = resolveModelState(
-        response.models
-      );
-      const { modeId, modeName, availableModes } = resolveModeState(
-        response.modes
-      );
+      const { modelId, modelName, availableModels } = resolveModelState(response.models);
+      const { modeId, modeName, availableModes } = resolveModeState(response.modes);
       const discovered = this.discoveredSessions.get(sessionId);
       const record = {
         sessionId,
@@ -1557,11 +2483,18 @@ var SessionManager = class {
         modeName,
         availableModes,
         availableModels,
-        availableCommands: void 0
+        availableCommands: undefined,
+        revision
       };
       recordRef = record;
       record.unsubscribe = unsubscribe;
+      if (this.cryptoService) {
+        this.cryptoService.initSessionDek(sessionId);
+      }
+      logger.debug({ sessionId, bufferedCount: bufferedUpdates.length }, "load_session_writing_buffered");
       for (const notification of bufferedUpdates) {
+        logger.debug({ sessionId, updateType: notification.update.sessionUpdate }, "load_session_writing_buffered_event");
+        this.writeSessionUpdateToWal(record, notification);
         this.applySessionUpdateToRecord(record, notification);
       }
       this.setupSessionSubscriptions(record, { skipSessionUpdates: true });
@@ -1573,34 +2506,26 @@ var SessionManager = class {
         removed: []
       });
       this.emitSessionAttached(sessionId);
-      logger.info({ sessionId, backendId: backend.id }, "session_loaded");
+      logger.info({ sessionId, backendId: backend.id, revision: record.revision }, "load_session_complete");
       return summary;
     } catch (error) {
       await connection.disconnect();
       throw error;
     }
   }
-  /**
-   * Reload a historical session from the ACP agent.
-   * Replays session history even if the session is already loaded.
-   */
   async reloadSession(sessionId, cwd, backendId) {
     const existing = this.sessions.get(sessionId);
     if (!existing) {
       return this.loadSession(sessionId, cwd, backendId);
     }
     if (!existing.connection.supportsSessionLoad()) {
-      throw createCapabilityNotSupportedError(
-        "Agent does not support session loading"
-      );
+      throw createCapabilityNotSupportedError("Agent does not support session loading");
     }
+    const newRevision = this.walStore.incrementRevision(sessionId);
+    existing.revision = newRevision;
     const response = await existing.connection.loadSession(sessionId, cwd);
-    const { modelId, modelName, availableModels } = resolveModelState(
-      response.models
-    );
-    const { modeId, modeName, availableModes } = resolveModeState(
-      response.modes
-    );
+    const { modelId, modelName, availableModels } = resolveModelState(response.models);
+    const { modeId, modeName, availableModes } = resolveModeState(response.modes);
     const agentInfo = existing.connection.getAgentInfo();
     existing.cwd = cwd;
     existing.agentName = agentInfo?.title ?? agentInfo?.name ?? existing.agentName;
@@ -1610,7 +2535,7 @@ var SessionManager = class {
     existing.modeId = modeId;
     existing.modeName = modeName;
     existing.availableModes = availableModes;
-    existing.updatedAt = /* @__PURE__ */ new Date();
+    existing.updatedAt = new Date;
     const summary = this.buildSummary(existing);
     this.emitSessionsChanged({
       added: [],
@@ -1618,7 +2543,7 @@ var SessionManager = class {
       removed: []
     });
     this.emitSessionAttached(sessionId, true);
-    logger.info({ sessionId, backendId }, "session_reloaded");
+    logger.info({ sessionId, backendId, revision: newRevision }, "session_reloaded");
     return summary;
   }
   applySessionUpdateToRecord(record, notification) {
@@ -1642,27 +2567,69 @@ var SessionManager = class {
       }
     }
   }
-  /**
-   * Set up event subscriptions for a session record.
-   */
+  writeSessionUpdateToWal(record, notification) {
+    const update = notification.update;
+    let kind;
+    logger.debug({
+      sessionId: record.sessionId,
+      revision: record.revision,
+      updateType: update.sessionUpdate
+    }, "write_session_update_to_wal_start");
+    switch (update.sessionUpdate) {
+      case "user_message_chunk":
+        kind = "user_message";
+        break;
+      case "agent_message_chunk":
+        kind = "agent_message_chunk";
+        break;
+      case "agent_thought_chunk":
+        kind = "agent_thought_chunk";
+        break;
+      case "tool_call":
+        kind = "tool_call";
+        break;
+      case "tool_call_update":
+        kind = "tool_call_update";
+        break;
+      case "session_info_update":
+      case "current_mode_update":
+      case "available_commands_update":
+        kind = "session_info_update";
+        break;
+      default:
+        logger.warn({ sessionId: record.sessionId, updateType: update.sessionUpdate }, "unknown_session_update_type_skipped");
+        return;
+    }
+    logger.info({
+      sessionId: record.sessionId,
+      revision: record.revision,
+      updateType: update.sessionUpdate,
+      kind
+    }, "write_session_update_to_wal_mapped");
+    this.writeAndEmitEvent(record.sessionId, record.revision, kind, notification);
+  }
   setupSessionSubscriptions(record, options) {
     const { sessionId, connection } = record;
+    logger.debug({ sessionId, skipSessionUpdates: options?.skipSessionUpdates }, "setup_session_subscriptions");
     if (!options?.skipSessionUpdates) {
-      record.unsubscribe = connection.onSessionUpdate(
-        (notification) => {
-          record.updatedAt = /* @__PURE__ */ new Date();
-          this.sessionUpdateEmitter.emit("update", notification);
-          this.applySessionUpdateToRecord(record, notification);
-        }
-      );
+      record.unsubscribe = connection.onSessionUpdate((notification) => {
+        logger.debug({
+          sessionId,
+          updateType: notification.update.sessionUpdate
+        }, "acp_session_update_received_via_setup");
+        record.updatedAt = new Date;
+        this.writeSessionUpdateToWal(record, notification);
+        this.applySessionUpdateToRecord(record, notification);
+      });
     }
     record.unsubscribeTerminal = connection.onTerminalOutput((event) => {
-      this.terminalOutputEmitter.emit("output", event);
+      logger.debug({ sessionId }, "acp_terminal_output_received_via_setup");
+      this.writeAndEmitEvent(sessionId, record.revision, "terminal_output", event);
     });
     connection.onStatusChange((status) => {
+      logger.debug({ sessionId, hasError: !!status.error }, "acp_status_change");
       if (status.error) {
-        this.sessionErrorEmitter.emit("error", {
-          sessionId,
+        this.writeAndEmitEvent(sessionId, record.revision, "session_error", {
           error: status.error
         });
         this.emitSessionDetached(sessionId, "agent_exit");
@@ -1688,28 +2655,81 @@ var SessionManager = class {
       modeName: record.modeName,
       availableModes: record.availableModes,
       availableModels: record.availableModels,
-      availableCommands: record.availableCommands
+      availableCommands: record.availableCommands,
+      revision: record.revision,
+      wrappedDek: this.cryptoService?.getWrappedDek(record.sessionId) ?? undefined
     };
   }
-};
+}
+
+// src/e2ee/crypto-service.ts
+import {
+  deriveAuthKeyPair as deriveAuthKeyPair2,
+  deriveContentKeyPair,
+  encryptPayload,
+  generateDEK,
+  getSodium as getSodium2,
+  wrapDEK
+} from "@mobvibe/shared";
+
+class CliCryptoService {
+  authKeyPair;
+  contentKeyPair;
+  sessionDeks = new Map;
+  wrappedDekCache = new Map;
+  constructor(masterSecret) {
+    this.authKeyPair = deriveAuthKeyPair2(masterSecret);
+    this.contentKeyPair = deriveContentKeyPair(masterSecret);
+  }
+  initSessionDek(sessionId) {
+    const dek = generateDEK();
+    const wrappedDek = wrapDEK(dek, this.contentKeyPair.publicKey);
+    this.sessionDeks.set(sessionId, dek);
+    this.wrappedDekCache.set(sessionId, wrappedDek);
+    return { dek, wrappedDek };
+  }
+  setSessionDek(sessionId, dek) {
+    this.sessionDeks.set(sessionId, dek);
+    this.wrappedDekCache.set(sessionId, wrapDEK(dek, this.contentKeyPair.publicKey));
+  }
+  encryptEvent(event) {
+    const dek = this.sessionDeks.get(event.sessionId);
+    if (!dek) {
+      return event;
+    }
+    return {
+      ...event,
+      payload: encryptPayload(event.payload, dek)
+    };
+  }
+  getWrappedDek(sessionId) {
+    return this.wrappedDekCache.get(sessionId) ?? null;
+  }
+  getAuthPublicKeyBase64() {
+    const sodium = getSodium2();
+    return sodium.to_base64(this.authKeyPair.publicKey, sodium.base64_variants.ORIGINAL);
+  }
+}
 
 // src/daemon/socket-client.ts
 import { EventEmitter as EventEmitter3 } from "events";
-import fs4 from "fs/promises";
+import fs5 from "fs/promises";
 import { homedir } from "os";
-import path5 from "path";
+import path6 from "path";
+import { createSignedToken } from "@mobvibe/shared";
 import ignore from "ignore";
 import { io } from "socket.io-client";
 
 // src/lib/git-utils.ts
-import { exec } from "child_process";
-import path4 from "path";
+import { execFile } from "child_process";
+import { readFile } from "fs/promises";
+import path5 from "path";
 import { promisify } from "util";
-var execAsync = promisify(exec);
+var execFileAsync = promisify(execFile);
 var MAX_BUFFER = 10 * 1024 * 1024;
 async function isGitRepo(cwd) {
   try {
-    await execAsync("git rev-parse --is-inside-work-tree", {
+    await execFileAsync("git", ["rev-parse", "--is-inside-work-tree"], {
       cwd,
       maxBuffer: MAX_BUFFER
     });
@@ -1720,7 +2740,7 @@ async function isGitRepo(cwd) {
 }
 async function getGitBranch(cwd) {
   try {
-    const { stdout } = await execAsync("git branch --show-current", {
+    const { stdout } = await execFileAsync("git", ["branch", "--show-current"], {
       cwd,
       maxBuffer: MAX_BUFFER
     });
@@ -1728,18 +2748,16 @@ async function getGitBranch(cwd) {
     if (branch) {
       return branch;
     }
-    const { stdout: hashOut } = await execAsync("git rev-parse --short HEAD", {
-      cwd,
-      maxBuffer: MAX_BUFFER
-    });
-    return hashOut.trim() || void 0;
+    const { stdout: hashOut } = await execFileAsync("git", ["rev-parse", "--short", "HEAD"], { cwd, maxBuffer: MAX_BUFFER });
+    return hashOut.trim() || undefined;
   } catch {
-    return void 0;
+    return;
   }
 }
 function parseGitStatus(output) {
   const files = [];
-  const lines = output.split("\n").filter((line) => line.length > 0);
+  const lines = output.split(`
+`).filter((line) => line.length > 0);
   for (const line of lines) {
     const indexStatus = line[0];
     const workTreeStatus = line[1];
@@ -1773,10 +2791,7 @@ function parseGitStatus(output) {
 }
 async function getGitStatus(cwd) {
   try {
-    const { stdout } = await execAsync("git status --porcelain=v1", {
-      cwd,
-      maxBuffer: MAX_BUFFER
-    });
+    const { stdout } = await execFileAsync("git", ["status", "--porcelain=v1"], { cwd, maxBuffer: MAX_BUFFER });
     return parseGitStatus(stdout);
   } catch {
     return [];
@@ -1797,7 +2812,7 @@ function aggregateDirStatus(files) {
   for (const file of files) {
     const parts = file.path.split("/");
     let currentPath = "";
-    for (let i = 0; i < parts.length - 1; i++) {
+    for (let i = 0;i < parts.length - 1; i++) {
       currentPath = currentPath ? `${currentPath}/${parts[i]}` : parts[i];
       const existing = dirStatus[currentPath];
       if (!existing || statusPriority[file.status] > statusPriority[existing]) {
@@ -1811,7 +2826,8 @@ function parseDiffOutput(diffOutput) {
   const addedLines = [];
   const modifiedLines = [];
   const deletedLines = [];
-  const lines = diffOutput.split("\n");
+  const lines = diffOutput.split(`
+`);
   let currentLine = 0;
   let inHunk = false;
   let pendingDeletionLine = 0;
@@ -1847,22 +2863,15 @@ function parseDiffOutput(diffOutput) {
 }
 async function getFileDiff(cwd, filePath) {
   try {
-    const relativePath = path4.isAbsolute(filePath) ? path4.relative(cwd, filePath) : filePath;
-    const { stdout } = await execAsync(`git diff HEAD -- "${relativePath}"`, {
-      cwd,
-      maxBuffer: MAX_BUFFER
-    });
+    const relativePath = path5.isAbsolute(filePath) ? path5.relative(cwd, filePath) : filePath;
+    const { stdout } = await execFileAsync("git", ["diff", "HEAD", "--", relativePath], { cwd, maxBuffer: MAX_BUFFER });
     if (!stdout.trim()) {
-      const { stdout: statusOut } = await execAsync(
-        `git status --porcelain=v1 -- "${relativePath}"`,
-        { cwd, maxBuffer: MAX_BUFFER }
-      );
+      const { stdout: statusOut } = await execFileAsync("git", ["status", "--porcelain=v1", "--", relativePath], { cwd, maxBuffer: MAX_BUFFER });
       if (statusOut.startsWith("?") || statusOut.startsWith("A")) {
-        const { stdout: wcOut } = await execAsync(`wc -l < "${relativePath}"`, {
-          cwd,
-          maxBuffer: MAX_BUFFER
-        });
-        const lineCount = Number.parseInt(wcOut.trim(), 10) || 0;
+        const absPath = path5.isAbsolute(filePath) ? filePath : path5.resolve(cwd, relativePath);
+        const content = await readFile(absPath, "utf-8");
+        const lineCount = content.split(`
+`).filter((l) => l.length > 0).length;
         return {
           addedLines: Array.from({ length: lineCount }, (_, i) => i + 1),
           modifiedLines: [],
@@ -1879,7 +2888,7 @@ async function getFileDiff(cwd, filePath) {
 
 // src/daemon/socket-client.ts
 var SESSION_ROOT_NAME = "Working Directory";
-var MAX_RESOURCE_FILES = 2e3;
+var MAX_RESOURCE_FILES = 2000;
 var DEFAULT_IGNORES = [
   "node_modules",
   ".git",
@@ -1897,15 +2906,14 @@ var DEFAULT_IGNORES = [
 var loadGitignore = async (rootPath) => {
   const ig = ignore().add(DEFAULT_IGNORES);
   try {
-    const gitignorePath = path5.join(rootPath, ".gitignore");
-    const content = await fs4.readFile(gitignorePath, "utf8");
+    const gitignorePath = path6.join(rootPath, ".gitignore");
+    const content = await fs5.readFile(gitignorePath, "utf8");
     ig.add(content);
-  } catch {
-  }
+  } catch {}
   return ig;
 };
 var resolveImageMimeType = (filePath) => {
-  const extension = path5.extname(filePath).toLowerCase();
+  const extension = path6.extname(filePath).toLowerCase();
   switch (extension) {
     case ".apng":
       return "image/apng";
@@ -1924,31 +2932,28 @@ var resolveImageMimeType = (filePath) => {
     case ".webp":
       return "image/webp";
     default:
-      return void 0;
+      return;
   }
 };
 var readDirectoryEntries = async (dirPath) => {
-  const entries = await fs4.readdir(dirPath, { withFileTypes: true });
-  const resolvedEntries = await Promise.all(
-    entries.map(async (entry) => {
-      const entryPath = path5.join(dirPath, entry.name);
-      let isDirectory = entry.isDirectory();
-      if (!isDirectory && entry.isSymbolicLink()) {
-        try {
-          const stats = await fs4.stat(entryPath);
-          isDirectory = stats.isDirectory();
-        } catch {
-        }
-      }
-      const entryType = isDirectory ? "directory" : "file";
-      return {
-        name: entry.name,
-        path: entryPath,
-        type: entryType,
-        hidden: entry.name.startsWith(".")
-      };
-    })
-  );
+  const entries = await fs5.readdir(dirPath, { withFileTypes: true });
+  const resolvedEntries = await Promise.all(entries.map(async (entry) => {
+    const entryPath = path6.join(dirPath, entry.name);
+    let isDirectory = entry.isDirectory();
+    if (!isDirectory && entry.isSymbolicLink()) {
+      try {
+        const stats = await fs5.stat(entryPath);
+        isDirectory = stats.isDirectory();
+      } catch {}
+    }
+    const entryType = isDirectory ? "directory" : "file";
+    return {
+      name: entry.name,
+      path: entryPath,
+      type: entryType,
+      hidden: entry.name.startsWith(".")
+    };
+  }));
   return resolvedEntries.sort((left, right) => {
     if (left.type !== right.type) {
       return left.type === "directory" ? -1 : 1;
@@ -1957,6 +2962,16 @@ var readDirectoryEntries = async (dirPath) => {
   });
 };
 var filterVisibleEntries = (entries) => entries.filter((entry) => !entry.hidden);
+var resolveWithinCwd = (cwd, requestPath) => {
+  if (path6.isAbsolute(requestPath)) {
+    throw new Error("Absolute paths are not allowed");
+  }
+  const resolved = path6.resolve(cwd, requestPath);
+  if (resolved !== cwd && !resolved.startsWith(`${cwd}/`)) {
+    throw new Error("Path escapes working directory");
+  }
+  return resolved;
+};
 var buildHostFsRoots = async () => {
   const homePath = homedir();
   return {
@@ -1964,41 +2979,46 @@ var buildHostFsRoots = async () => {
     roots: [{ name: "Home", path: homePath }]
   };
 };
-var SocketClient = class extends EventEmitter3 {
+
+class SocketClient extends EventEmitter3 {
+  options;
+  socket;
+  connected = false;
+  reconnectAttempts = 0;
+  heartbeatInterval;
   constructor(options) {
     super();
     this.options = options;
+    const { cryptoService } = options;
     this.socket = io(`${options.config.gatewayUrl}/cli`, {
       path: "/socket.io",
       reconnection: true,
       reconnectionAttempts: Number.POSITIVE_INFINITY,
-      reconnectionDelay: 1e3,
-      reconnectionDelayMax: 3e4,
+      reconnectionDelay: 1000,
+      reconnectionDelayMax: 30000,
       transports: ["websocket"],
       autoConnect: false,
-      extraHeaders: {
-        "x-api-key": options.apiKey
-      }
+      auth: (cb) => cb(createSignedToken(cryptoService.authKeyPair))
     });
     this.setupEventHandlers();
     this.setupRpcHandlers();
     this.setupSessionManagerListeners();
   }
-  socket;
-  connected = false;
-  reconnectAttempts = 0;
-  heartbeatInterval;
   setupEventHandlers() {
     this.socket.on("connect", () => {
-      logger.info(
-        { gatewayUrl: this.options.config.gatewayUrl },
-        "gateway_connected"
-      );
+      const wasReconnect = this.reconnectAttempts > 0;
+      logger.info({
+        gatewayUrl: this.options.config.gatewayUrl,
+        wasReconnect
+      }, "gateway_connected");
       this.connected = true;
       this.reconnectAttempts = 0;
       logger.info("gateway_register_start");
       this.register();
       this.startHeartbeat();
+      if (wasReconnect) {
+        this.replayUnackedEvents();
+      }
       this.emit("connected");
     });
     this.socket.on("disconnect", (reason) => {
@@ -2010,41 +3030,55 @@ var SocketClient = class extends EventEmitter3 {
     this.socket.on("connect_error", (error) => {
       this.reconnectAttempts++;
       if (this.reconnectAttempts <= 3 || this.reconnectAttempts % 10 === 0) {
-        logger.error(
-          { attempt: this.reconnectAttempts, err: error },
-          "gateway_connect_error"
-        );
+        logger.error({ attempt: this.reconnectAttempts, err: error }, "gateway_connect_error");
       }
     });
     this.socket.on("cli:registered", async (info) => {
       logger.info({ machineId: info.machineId }, "gateway_registered");
-      try {
-        let cursor;
-        let page = 0;
-        do {
-          const { sessions, capabilities, nextCursor } = await this.options.sessionManager.discoverSessions({ cursor });
-          cursor = nextCursor;
-          if (sessions.length > 0) {
-            this.socket.emit("sessions:discovered", {
-              sessions,
-              capabilities,
-              nextCursor
+      for (const backend of this.options.config.acpBackends) {
+        try {
+          let cursor;
+          let page = 0;
+          do {
+            const { sessions, capabilities, nextCursor } = await this.options.sessionManager.discoverSessions({
+              backendId: backend.id,
+              cursor
             });
-            logger.info(
-              { count: sessions.length, capabilities, page },
-              "historical_sessions_discovered"
-            );
-          }
-          page += 1;
-        } while (cursor);
-      } catch (error) {
-        logger.warn({ err: error }, "session_discovery_failed");
+            cursor = nextCursor;
+            if (sessions.length > 0) {
+              this.socket.emit("sessions:discovered", {
+                sessions,
+                capabilities,
+                nextCursor,
+                backendId: backend.id,
+                backendLabel: backend.label
+              });
+              logger.info({
+                count: sessions.length,
+                capabilities,
+                page,
+                backendId: backend.id
+              }, "historical_sessions_discovered");
+            }
+            page += 1;
+          } while (cursor);
+        } catch (error) {
+          logger.warn({ err: error, backendId: backend.id }, "session_discovery_failed");
+        }
       }
     });
     this.socket.on("cli:error", (error) => {
       logger.error({ err: error }, "gateway_auth_error");
       this.emit("auth_error", error);
     });
+    this.socket.on("events:ack", (payload) => {
+      logger.debug({
+        sessionId: payload.sessionId,
+        revision: payload.revision,
+        upToSeq: payload.upToSeq
+      }, "events_acked");
+      this.options.sessionManager.ackEvents(payload.sessionId, payload.revision, payload.upToSeq);
+    });
   }
   setupRpcHandlers() {
     const { sessionManager } = this.options;
@@ -2054,106 +3088,73 @@ var SocketClient = class extends EventEmitter3 {
         const session = await sessionManager.createSession(request.params);
         this.sendRpcResponse(request.requestId, session);
       } catch (error) {
-        logger.error(
-          { err: error, requestId: request.requestId },
-          "rpc_session_create_error"
-        );
+        logger.error({ err: error, requestId: request.requestId }, "rpc_session_create_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:session:close", async (request) => {
       try {
-        logger.info(
-          { requestId: request.requestId, sessionId: request.params.sessionId },
-          "rpc_session_close"
-        );
+        logger.info({ requestId: request.requestId, sessionId: request.params.sessionId }, "rpc_session_close");
         await sessionManager.closeSession(request.params.sessionId);
         this.sendRpcResponse(request.requestId, { ok: true });
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_session_close_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_session_close_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:session:cancel", async (request) => {
       try {
-        logger.info(
-          { requestId: request.requestId, sessionId: request.params.sessionId },
-          "rpc_session_cancel"
-        );
+        logger.info({ requestId: request.requestId, sessionId: request.params.sessionId }, "rpc_session_cancel");
         await sessionManager.cancelSession(request.params.sessionId);
         this.sendRpcResponse(request.requestId, { ok: true });
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_session_cancel_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_session_cancel_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:session:mode", async (request) => {
       try {
-        logger.info(
-          {
-            requestId: request.requestId,
-            sessionId: request.params.sessionId,
-            modeId: request.params.modeId
-          },
-          "rpc_session_mode"
-        );
-        const session = await sessionManager.setSessionMode(
-          request.params.sessionId,
-          request.params.modeId
-        );
+        logger.info({
+          requestId: request.requestId,
+          sessionId: request.params.sessionId,
+          modeId: request.params.modeId
+        }, "rpc_session_mode");
+        const session = await sessionManager.setSessionMode(request.params.sessionId, request.params.modeId);
         this.sendRpcResponse(request.requestId, session);
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId,
-            modeId: request.params.modeId
-          },
-          "rpc_session_mode_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId,
+          modeId: request.params.modeId
+        }, "rpc_session_mode_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:session:model", async (request) => {
       try {
-        logger.info(
-          {
-            requestId: request.requestId,
-            sessionId: request.params.sessionId,
-            modelId: request.params.modelId
-          },
-          "rpc_session_model"
-        );
-        const session = await sessionManager.setSessionModel(
-          request.params.sessionId,
-          request.params.modelId
-        );
+        logger.info({
+          requestId: request.requestId,
+          sessionId: request.params.sessionId,
+          modelId: request.params.modelId
+        }, "rpc_session_model");
+        const session = await sessionManager.setSessionModel(request.params.sessionId, request.params.modelId);
         this.sendRpcResponse(request.requestId, session);
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId,
-            modelId: request.params.modelId
-          },
-          "rpc_session_model_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId,
+          modelId: request.params.modelId
+        }, "rpc_session_model_error");
         this.sendRpcError(request.requestId, error);
       }
     });
@@ -2161,97 +3162,71 @@ var SocketClient = class extends EventEmitter3 {
       const requestStart = process.hrtime.bigint();
       try {
         const { sessionId, prompt } = request.params;
-        logger.info(
-          {
-            requestId: request.requestId,
-            sessionId,
-            promptBlocks: prompt.length
-          },
-          "rpc_message_send"
-        );
-        logger.debug(
-          {
-            requestId: request.requestId,
-            sessionId,
-            promptBlocks: prompt.length
-          },
-          "rpc_message_send_start"
-        );
+        logger.info({
+          requestId: request.requestId,
+          sessionId,
+          promptBlocks: prompt.length
+        }, "rpc_message_send");
+        logger.debug({
+          requestId: request.requestId,
+          sessionId,
+          promptBlocks: prompt.length
+        }, "rpc_message_send_start");
         const record = sessionManager.getSession(sessionId);
         if (!record) {
           throw new Error("Session not found");
         }
         sessionManager.touchSession(sessionId);
-        const result = await record.connection.prompt(
-          sessionId,
-          prompt
-        );
+        const result = await record.connection.prompt(sessionId, prompt);
         sessionManager.touchSession(sessionId);
+        sessionManager.recordTurnEnd(sessionId, result.stopReason);
         this.sendRpcResponse(request.requestId, {
           stopReason: result.stopReason
         });
         const durationMs = Number(process.hrtime.bigint() - requestStart) / 1e6;
-        logger.info(
-          {
-            requestId: request.requestId,
-            sessionId,
-            stopReason: result.stopReason,
-            durationMs
-          },
-          "rpc_message_send_complete"
-        );
-        logger.debug(
-          {
-            requestId: request.requestId,
-            sessionId,
-            durationMs
-          },
-          "rpc_message_send_finish"
-        );
+        logger.info({
+          requestId: request.requestId,
+          sessionId,
+          stopReason: result.stopReason,
+          durationMs
+        }, "rpc_message_send_complete");
+        logger.debug({
+          requestId: request.requestId,
+          sessionId,
+          durationMs
+        }, "rpc_message_send_finish");
       } catch (error) {
         const durationMs = Number(process.hrtime.bigint() - requestStart) / 1e6;
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId,
-            promptBlocks: request.params.prompt.length,
-            durationMs
-          },
-          "rpc_message_send_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId,
+          promptBlocks: request.params.prompt.length,
+          durationMs
+        }, "rpc_message_send_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:permission:decision", async (request) => {
       try {
         const { sessionId, requestId, outcome } = request.params;
-        logger.info(
-          { requestId: request.requestId, sessionId, outcome },
-          "rpc_permission_decision"
-        );
+        logger.info({ requestId: request.requestId, sessionId, outcome }, "rpc_permission_decision");
         sessionManager.resolvePermissionRequest(sessionId, requestId, outcome);
         this.sendRpcResponse(request.requestId, { ok: true });
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId,
-            permissionRequestId: request.params.requestId,
-            outcome: request.params.outcome
-          },
-          "rpc_permission_decision_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId,
+          permissionRequestId: request.params.requestId,
+          outcome: request.params.outcome
+        }, "rpc_permission_decision_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:fs:roots", async (request) => {
       try {
-        logger.debug(
-          { requestId: request.requestId, sessionId: request.params.sessionId },
-          "rpc_fs_roots"
-        );
+        logger.debug({ requestId: request.requestId, sessionId: request.params.sessionId }, "rpc_fs_roots");
         const record = sessionManager.getSession(request.params.sessionId);
         if (!record || !record.cwd) {
           throw new Error("Session not found or no working directory");
@@ -2262,105 +3237,81 @@ var SocketClient = class extends EventEmitter3 {
         };
         this.sendRpcResponse(request.requestId, { root });
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_fs_roots_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_fs_roots_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:hostfs:roots", async (request) => {
       try {
-        logger.debug(
-          {
-            requestId: request.requestId,
-            machineId: request.params.machineId
-          },
-          "rpc_hostfs_roots"
-        );
+        logger.debug({
+          requestId: request.requestId,
+          machineId: request.params.machineId
+        }, "rpc_hostfs_roots");
         const result = await buildHostFsRoots();
         this.sendRpcResponse(request.requestId, result);
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            machineId: request.params.machineId
-          },
-          "rpc_hostfs_roots_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          machineId: request.params.machineId
+        }, "rpc_hostfs_roots_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:hostfs:entries", async (request) => {
       try {
         const { path: requestPath, machineId } = request.params;
-        logger.debug(
-          { requestId: request.requestId, machineId, path: requestPath },
-          "rpc_hostfs_entries"
-        );
+        logger.debug({ requestId: request.requestId, machineId, path: requestPath }, "rpc_hostfs_entries");
         const entries = await readDirectoryEntries(requestPath);
         this.sendRpcResponse(request.requestId, {
           path: requestPath,
           entries: filterVisibleEntries(entries)
         });
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            machineId: request.params.machineId
-          },
-          "rpc_hostfs_entries_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          machineId: request.params.machineId
+        }, "rpc_hostfs_entries_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:fs:entries", async (request) => {
       try {
         const { sessionId, path: requestPath } = request.params;
-        logger.debug(
-          { requestId: request.requestId, sessionId, path: requestPath },
-          "rpc_fs_entries"
-        );
+        logger.debug({ requestId: request.requestId, sessionId, path: requestPath }, "rpc_fs_entries");
         const record = sessionManager.getSession(sessionId);
         if (!record || !record.cwd) {
           throw new Error("Session not found or no working directory");
         }
-        const resolved = requestPath ? path5.isAbsolute(requestPath) ? requestPath : path5.join(record.cwd, requestPath) : record.cwd;
+        const resolved = requestPath ? resolveWithinCwd(record.cwd, requestPath) : record.cwd;
         const entries = await readDirectoryEntries(resolved);
         this.sendRpcResponse(request.requestId, { path: resolved, entries });
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_fs_entries_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_fs_entries_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:fs:file", async (request) => {
       try {
         const { sessionId, path: requestPath } = request.params;
-        logger.debug(
-          { requestId: request.requestId, sessionId, path: requestPath },
-          "rpc_fs_file"
-        );
+        logger.debug({ requestId: request.requestId, sessionId, path: requestPath }, "rpc_fs_file");
         const record = sessionManager.getSession(sessionId);
         if (!record || !record.cwd) {
           throw new Error("Session not found or no working directory");
         }
-        const resolved = path5.isAbsolute(requestPath) ? requestPath : path5.join(record.cwd, requestPath);
+        const resolved = resolveWithinCwd(record.cwd, requestPath);
         const mimeType = resolveImageMimeType(resolved);
         if (mimeType) {
-          const buffer = await fs4.readFile(resolved);
+          const buffer = await fs5.readFile(resolved);
           const preview2 = {
             path: resolved,
             previewType: "image",
@@ -2370,7 +3321,7 @@ var SocketClient = class extends EventEmitter3 {
           this.sendRpcResponse(request.requestId, preview2);
           return;
         }
-        const content = await fs4.readFile(resolved, "utf8");
+        const content = await fs5.readFile(resolved, "utf8");
         const preview = {
           path: resolved,
           previewType: "code",
@@ -2378,24 +3329,18 @@ var SocketClient = class extends EventEmitter3 {
         };
         this.sendRpcResponse(request.requestId, preview);
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_fs_file_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_fs_file_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:fs:resources", async (request) => {
       try {
         const { sessionId } = request.params;
-        logger.debug(
-          { requestId: request.requestId, sessionId },
-          "rpc_fs_resources"
-        );
+        logger.debug({ requestId: request.requestId, sessionId }, "rpc_fs_resources");
         const record = sessionManager.getSession(sessionId);
         if (!record || !record.cwd) {
           throw new Error("Session not found or no working directory");
@@ -2406,24 +3351,18 @@ var SocketClient = class extends EventEmitter3 {
           entries
         });
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_fs_resources_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_fs_resources_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:sessions:discover", async (request) => {
       try {
         const { cwd, backendId, cursor } = request.params;
-        logger.info(
-          { requestId: request.requestId, cwd, backendId, cursor },
-          "rpc_sessions_discover"
-        );
+        logger.info({ requestId: request.requestId, cwd, backendId, cursor }, "rpc_sessions_discover");
         const result = await sessionManager.discoverSessions({
           cwd,
           backendId,
@@ -2431,65 +3370,47 @@ var SocketClient = class extends EventEmitter3 {
         });
         this.sendRpcResponse(request.requestId, result);
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId
-          },
-          "rpc_sessions_discover_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId
+        }, "rpc_sessions_discover_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:session:load", async (request) => {
       try {
-        const { sessionId, cwd } = request.params;
-        logger.info(
-          { requestId: request.requestId, sessionId, cwd },
-          "rpc_session_load"
-        );
-        const session = await sessionManager.loadSession(sessionId, cwd);
+        const { sessionId, cwd, backendId } = request.params;
+        logger.info({ requestId: request.requestId, sessionId, cwd, backendId }, "rpc_session_load");
+        const session = await sessionManager.loadSession(sessionId, cwd, backendId);
         this.sendRpcResponse(request.requestId, session);
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_session_load_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_session_load_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:session:reload", async (request) => {
       try {
-        const { sessionId, cwd } = request.params;
-        logger.info(
-          { requestId: request.requestId, sessionId, cwd },
-          "rpc_session_reload"
-        );
-        const session = await sessionManager.reloadSession(sessionId, cwd);
+        const { sessionId, cwd, backendId } = request.params;
+        logger.info({ requestId: request.requestId, sessionId, cwd, backendId }, "rpc_session_reload");
+        const session = await sessionManager.reloadSession(sessionId, cwd, backendId);
         this.sendRpcResponse(request.requestId, session);
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_session_reload_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_session_reload_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:git:status", async (request) => {
       try {
         const { sessionId } = request.params;
-        logger.debug(
-          { requestId: request.requestId, sessionId },
-          "rpc_git_status"
-        );
+        logger.debug({ requestId: request.requestId, sessionId }, "rpc_git_status");
         const record = sessionManager.getSession(sessionId);
         if (!record || !record.cwd) {
           throw new Error("Session not found or no working directory");
@@ -2515,28 +3436,23 @@ var SocketClient = class extends EventEmitter3 {
           dirStatus
         });
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_git_status_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_git_status_error");
         this.sendRpcError(request.requestId, error);
       }
     });
     this.socket.on("rpc:git:fileDiff", async (request) => {
       try {
         const { sessionId, path: filePath } = request.params;
-        logger.debug(
-          { requestId: request.requestId, sessionId, path: filePath },
-          "rpc_git_file_diff"
-        );
+        logger.debug({ requestId: request.requestId, sessionId, path: filePath }, "rpc_git_file_diff");
         const record = sessionManager.getSession(sessionId);
         if (!record || !record.cwd) {
           throw new Error("Session not found or no working directory");
         }
+        resolveWithinCwd(record.cwd, filePath);
         const isRepo = await isGitRepo(record.cwd);
         if (!isRepo) {
           this.sendRpcResponse(request.requestId, {
@@ -2547,10 +3463,7 @@ var SocketClient = class extends EventEmitter3 {
           });
           return;
         }
-        const { addedLines, modifiedLines } = await getFileDiff(
-          record.cwd,
-          filePath
-        );
+        const { addedLines, modifiedLines } = await getFileDiff(record.cwd, filePath);
         this.sendRpcResponse(request.requestId, {
           isGitRepo: true,
           path: filePath,
@@ -2558,33 +3471,76 @@ var SocketClient = class extends EventEmitter3 {
           modifiedLines
         });
       } catch (error) {
-        logger.error(
-          {
-            err: error,
-            requestId: request.requestId,
-            sessionId: request.params.sessionId
-          },
-          "rpc_git_file_diff_error"
-        );
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_git_file_diff_error");
         this.sendRpcError(request.requestId, error);
       }
     });
-  }
-  setupSessionManagerListeners() {
-    const { sessionManager } = this.options;
-    sessionManager.onSessionUpdate((notification) => {
-      if (this.connected) {
-        this.socket.emit(
-          "session:update",
-          notification
-        );
+    this.socket.on("rpc:session:archive", async (request) => {
+      try {
+        const { sessionId } = request.params;
+        logger.info({ requestId: request.requestId, sessionId }, "rpc_session_archive");
+        await sessionManager.archiveSession(sessionId);
+        this.sendRpcResponse(request.requestId, { ok: true });
+      } catch (error) {
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_session_archive_error");
+        this.sendRpcError(request.requestId, error);
       }
     });
-    sessionManager.onSessionError((payload) => {
-      if (this.connected) {
-        this.socket.emit("session:error", payload);
+    this.socket.on("rpc:session:archive-all", async (request) => {
+      try {
+        const { sessionIds } = request.params;
+        logger.info({
+          requestId: request.requestId,
+          count: sessionIds.length
+        }, "rpc_session_archive_all");
+        const result = await sessionManager.bulkArchiveSessions(sessionIds);
+        this.sendRpcResponse(request.requestId, result);
+      } catch (error) {
+        logger.error({
+          err: error,
+          requestId: request.requestId
+        }, "rpc_session_archive_all_error");
+        this.sendRpcError(request.requestId, error);
+      }
+    });
+    this.socket.on("rpc:session:events", (request) => {
+      try {
+        const { sessionId, revision, afterSeq, limit } = request.params;
+        logger.debug({
+          requestId: request.requestId,
+          sessionId,
+          revision,
+          afterSeq,
+          limit
+        }, "rpc_session_events");
+        const result = sessionManager.getSessionEvents({
+          sessionId,
+          revision,
+          afterSeq,
+          limit
+        });
+        result.events = result.events.map((e) => this.options.cryptoService.encryptEvent(e));
+        this.sendRpcResponse(request.requestId, result);
+      } catch (error) {
+        logger.error({
+          err: error,
+          requestId: request.requestId,
+          sessionId: request.params.sessionId
+        }, "rpc_session_events_error");
+        this.sendRpcError(request.requestId, error);
       }
     });
+  }
+  setupSessionManagerListeners() {
+    const { sessionManager } = this.options;
     sessionManager.onPermissionRequest((payload) => {
       if (this.connected) {
         this.socket.emit("permission:request", payload);
@@ -2595,21 +3551,13 @@ var SocketClient = class extends EventEmitter3 {
         this.socket.emit("permission:result", payload);
       }
     });
-    sessionManager.onTerminalOutput((event) => {
-      if (this.connected) {
-        this.socket.emit("terminal:output", event);
-      }
-    });
     sessionManager.onSessionsChanged((payload) => {
       if (this.connected) {
-        logger.info(
-          {
-            added: payload.added.length,
-            updated: payload.updated.length,
-            removed: payload.removed.length
-          },
-          "sessions_changed_emit"
-        );
+        logger.info({
+          added: payload.added.length,
+          updated: payload.updated.length,
+          removed: payload.removed.length
+        }, "sessions_changed_emit");
         this.socket.emit("sessions:changed", payload);
       }
     });
@@ -2623,13 +3571,42 @@ var SocketClient = class extends EventEmitter3 {
         this.socket.emit("session:detached", payload);
       }
     });
+    sessionManager.onSessionEvent((event) => {
+      logger.info({
+        sessionId: event.sessionId,
+        revision: event.revision,
+        seq: event.seq,
+        kind: event.kind,
+        connected: this.connected
+      }, "session_event_received_from_manager");
+      if (this.connected) {
+        const encrypted = this.options.cryptoService.encryptEvent(event);
+        logger.debug({
+          sessionId: event.sessionId,
+          revision: event.revision,
+          seq: event.seq,
+          kind: event.kind
+        }, "session_event_emitting_to_gateway");
+        this.socket.emit("session:event", encrypted);
+        logger.debug({
+          sessionId: event.sessionId,
+          seq: event.seq
+        }, "session_event_emitted_to_gateway");
+      } else {
+        logger.warn({
+          sessionId: event.sessionId,
+          seq: event.seq,
+          kind: event.kind
+        }, "session_event_dropped_not_connected");
+      }
+    });
   }
   async listSessionResources(rootPath) {
     const ig = await loadGitignore(rootPath);
     const allFiles = await this.listAllFiles(rootPath, ig, rootPath, []);
     return allFiles.map((filePath) => ({
-      name: path5.basename(filePath),
-      relativePath: path5.relative(rootPath, filePath),
+      name: path6.basename(filePath),
+      relativePath: path6.relative(rootPath, filePath),
       path: filePath
     }));
   }
@@ -2637,13 +3614,13 @@ var SocketClient = class extends EventEmitter3 {
     if (collected.length >= MAX_RESOURCE_FILES) {
       return collected;
     }
-    const entries = await fs4.readdir(rootPath, { withFileTypes: true });
+    const entries = await fs5.readdir(rootPath, { withFileTypes: true });
     for (const entry of entries) {
       if (collected.length >= MAX_RESOURCE_FILES) {
         break;
       }
-      const entryPath = path5.join(rootPath, entry.name);
-      const relativePath = path5.relative(baseDir, entryPath);
+      const entryPath = path6.join(rootPath, entry.name);
+      const relativePath = path6.relative(baseDir, entryPath);
       const checkPath = entry.isDirectory() ? `${relativePath}/` : relativePath;
       if (ig.ignores(checkPath)) {
         continue;
@@ -2663,16 +3640,13 @@ var SocketClient = class extends EventEmitter3 {
   }
   sendRpcError(requestId, error) {
     const message = error instanceof Error ? error.message : "Unknown error";
-    const detail = error instanceof Error ? error.stack : void 0;
-    logger.error(
-      {
-        requestId,
-        err: error,
-        message,
-        detail
-      },
-      "rpc_response_error_sent"
-    );
+    const detail = error instanceof Error ? error.stack : undefined;
+    logger.error({
+      requestId,
+      err: error,
+      message,
+      detail
+    }, "rpc_response_error_sent");
     const response = {
       requestId,
       error: {
@@ -2695,28 +3669,45 @@ var SocketClient = class extends EventEmitter3 {
       backends: config.acpBackends.map((backend) => ({
         backendId: backend.id,
         backendLabel: backend.label
-      })),
-      defaultBackendId: config.defaultAcpBackendId
+      }))
     });
     logger.info({ machineId: config.machineId }, "cli_register_sessions_list");
-    this.socket.emit("sessions:list", sessionManager.listSessions());
+    this.socket.emit("sessions:list", sessionManager.listAllSessions());
   }
   startHeartbeat() {
     this.stopHeartbeat();
     this.heartbeatInterval = setInterval(() => {
       if (this.connected) {
         this.socket.emit("cli:heartbeat");
-        this.socket.emit(
-          "sessions:list",
-          this.options.sessionManager.listSessions()
-        );
+        this.socket.emit("sessions:list", this.options.sessionManager.listAllSessions());
       }
-    }, 3e4);
+    }, 30000);
   }
   stopHeartbeat() {
     if (this.heartbeatInterval) {
       clearInterval(this.heartbeatInterval);
-      this.heartbeatInterval = void 0;
+      this.heartbeatInterval = undefined;
+    }
+  }
+  replayUnackedEvents() {
+    const { sessionManager } = this.options;
+    const sessions = sessionManager.listSessions();
+    for (const session of sessions) {
+      const revision = sessionManager.getSessionRevision(session.sessionId);
+      if (revision === undefined)
+        continue;
+      const unackedEvents = sessionManager.getUnackedEvents(session.sessionId, revision);
+      if (unackedEvents.length > 0) {
+        logger.info({
+          sessionId: session.sessionId,
+          revision,
+          count: unackedEvents.length
+        }, "replaying_unacked_events");
+        for (const event of unackedEvents) {
+          const encrypted = this.options.cryptoService.encryptEvent(event);
+          this.socket.emit("session:event", encrypted);
+        }
+      }
     }
   }
   connect() {
@@ -2729,20 +3720,21 @@ var SocketClient = class extends EventEmitter3 {
   isConnected() {
     return this.connected;
   }
-};
+}
 
 // src/daemon/daemon.ts
-var DaemonManager = class {
+class DaemonManager {
+  config;
   constructor(config) {
     this.config = config;
   }
   async ensureHomeDirectory() {
-    await fs5.mkdir(this.config.homePath, { recursive: true });
-    await fs5.mkdir(this.config.logPath, { recursive: true });
+    await fs6.mkdir(this.config.homePath, { recursive: true });
+    await fs6.mkdir(this.config.logPath, { recursive: true });
   }
   async getPid() {
     try {
-      const content = await fs5.readFile(this.config.pidFile, "utf8");
+      const content = await fs6.readFile(this.config.pidFile, "utf8");
       const pid = Number.parseInt(content.trim(), 10);
       if (Number.isNaN(pid)) {
         return null;
@@ -2759,13 +3751,12 @@ var DaemonManager = class {
     }
   }
   async writePidFile(pid) {
-    await fs5.writeFile(this.config.pidFile, String(pid), "utf8");
+    await fs6.writeFile(this.config.pidFile, String(pid), "utf8");
   }
   async removePidFile() {
     try {
-      await fs5.unlink(this.config.pidFile);
-    } catch {
-    }
+      await fs6.unlink(this.config.pidFile);
+    } catch {}
   }
   async status() {
     const pid = await this.getPid();
@@ -2804,7 +3795,7 @@ var DaemonManager = class {
       logger.info({ pid }, "daemon_stop_sigterm");
       process.kill(pid, "SIGTERM");
       const startTime = Date.now();
-      const timeout = 5e3;
+      const timeout = 5000;
       while (Date.now() - startTime < timeout) {
         await new Promise((resolve) => setTimeout(resolve, 100));
         try {
@@ -2830,10 +3821,7 @@ var DaemonManager = class {
     }
   }
   async spawnBackground() {
-    const logFile = path6.join(
-      this.config.logPath,
-      `${(/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-")}-daemon.log`
-    );
+    const logFile = path7.join(this.config.logPath, `${new Date().toISOString().replace(/[:.]/g, "-")}-daemon.log`);
     const args = process.argv.slice(1).filter((arg) => arg !== "--foreground" && arg !== "-f");
     args.push("--foreground");
     const child = spawn2(process.argv[0], args, {
@@ -2848,22 +3836,18 @@ var DaemonManager = class {
       logger.error("daemon_spawn_failed");
       throw new Error("Failed to spawn daemon process");
     }
-    const logStream = await fs5.open(logFile, "a");
+    const logStream = await fs6.open(logFile, "a");
     const fileHandle = logStream;
     child.stdout?.on("data", (data) => {
-      fileHandle.write(`[stdout] ${data.toString()}`).catch(() => {
-      });
+      fileHandle.write(`[stdout] ${data.toString()}`).catch(() => {});
     });
     child.stderr?.on("data", (data) => {
-      fileHandle.write(`[stderr] ${data.toString()}`).catch(() => {
-      });
+      fileHandle.write(`[stderr] ${data.toString()}`).catch(() => {});
     });
     child.on("exit", (code, signal) => {
       fileHandle.write(`[exit] Process exited with code ${code}, signal ${signal}
-`).catch(() => {
-      });
-      fileHandle.close().catch(() => {
-      });
+`).catch(() => {});
+      fileHandle.close().catch(() => {});
     });
     child.unref();
     logger.info({ pid: child.pid }, "daemon_started");
@@ -2876,22 +3860,47 @@ var DaemonManager = class {
     logger.info({ pid }, "daemon_starting");
     logger.info({ gatewayUrl: this.config.gatewayUrl }, "daemon_gateway_url");
     logger.info({ machineId: this.config.machineId }, "daemon_machine_id");
-    const apiKey = await getApiKey();
-    if (!apiKey) {
-      logger.error("daemon_api_key_missing");
-      console.error(
-        `[mobvibe-cli] No API key found. Run 'mobvibe login' to authenticate.`
-      );
-      logger.warn("daemon_exit_missing_api_key");
+    await initCrypto2();
+    const masterSecretBase64 = await getMasterSecret();
+    if (!masterSecretBase64) {
+      logger.error("daemon_master_secret_missing");
+      console.error(`[mobvibe-cli] No credentials found. Run 'mobvibe login' to authenticate.`);
+      logger.warn("daemon_exit_missing_master_secret");
       process.exit(1);
     }
-    logger.info("daemon_api_key_loaded");
-    const sessionManager = new SessionManager(this.config);
+    const sodium = getSodium3();
+    const masterSecret = sodium.from_base64(masterSecretBase64, sodium.base64_variants.ORIGINAL);
+    const cryptoService = new CliCryptoService(masterSecret);
+    logger.info("daemon_crypto_initialized");
+    const sessionManager = new SessionManager(this.config, cryptoService);
     const socketClient = new SocketClient({
       config: this.config,
       sessionManager,
-      apiKey
+      cryptoService
     });
+    let compactor;
+    let compactionInterval;
+    let compactorWalStore;
+    let compactorDb;
+    if (this.config.compaction.enabled) {
+      compactorWalStore = new WalStore(this.config.walDbPath);
+      compactorDb = new Database2(this.config.walDbPath);
+      compactor = new WalCompactor(compactorWalStore, this.config.compaction, compactorDb);
+      if (this.config.compaction.runOnStartup) {
+        logger.info("compaction_startup_start");
+        compactor.compactAll().catch((error) => {
+          logger.error({ err: error }, "compaction_startup_error");
+        });
+      }
+      const intervalMs = this.config.compaction.runIntervalHours * 60 * 60 * 1000;
+      compactionInterval = setInterval(() => {
+        logger.info("compaction_scheduled_start");
+        compactor?.compactAll().catch((error) => {
+          logger.error({ err: error }, "compaction_scheduled_error");
+        });
+      }, intervalMs);
+      logger.info({ intervalHours: this.config.compaction.runIntervalHours }, "compaction_scheduled");
+    }
     let shuttingDown = false;
     const shutdown = async (signal) => {
       if (shuttingDown) {
@@ -2901,8 +3910,17 @@ var DaemonManager = class {
       shuttingDown = true;
       logger.info({ signal }, "daemon_shutdown_start");
       try {
+        if (compactionInterval) {
+          clearInterval(compactionInterval);
+        }
+        if (compactorWalStore) {
+          compactorWalStore.close();
+        }
+        if (compactorDb) {
+          compactorDb.close();
+        }
         socketClient.disconnect();
-        await sessionManager.closeAll();
+        await sessionManager.shutdown();
         await this.removePidFile();
         logger.info({ signal }, "daemon_shutdown_complete");
       } catch (error) {
@@ -2920,18 +3938,17 @@ var DaemonManager = class {
       });
     });
     socketClient.connect();
-    await new Promise(() => {
-    });
+    await new Promise(() => {});
   }
   async logs(options) {
-    const files = await fs5.readdir(this.config.logPath);
+    const files = await fs6.readdir(this.config.logPath);
     const logFiles = files.filter((f) => f.endsWith("-daemon.log")).sort().reverse();
     if (logFiles.length === 0) {
       logger.warn("daemon_logs_empty");
       console.log("No log files found");
       return;
     }
-    const latestLog = path6.join(this.config.logPath, logFiles[0]);
+    const latestLog = path7.join(this.config.logPath, logFiles[0]);
     logger.info({ logFile: latestLog }, "daemon_logs_latest");
     console.log(`Log file: ${latestLog}
 `);
@@ -2943,16 +3960,18 @@ var DaemonManager = class {
         tail.on("close", () => resolve());
       });
     } else {
-      const content = await fs5.readFile(latestLog, "utf8");
-      const lines = content.split("\n");
+      const content = await fs6.readFile(latestLog, "utf8");
+      const lines = content.split(`
+`);
       const count = options?.lines ?? 50;
-      console.log(lines.slice(-count).join("\n"));
+      console.log(lines.slice(-count).join(`
+`));
     }
   }
-};
+}
 
 // src/index.ts
-var program = new Command();
+var program = new Command;
 program.name("mobvibe").description("Mobvibe CLI - Connect local ACP backends to the gateway").version("0.0.0");
 program.command("start").description("Start the mobvibe daemon").option("--gateway <url>", "Gateway URL", process.env.MOBVIBE_GATEWAY_URL).option("--foreground", "Run in foreground instead of detaching").action(async (options) => {
   if (options.gateway) {
@@ -2974,10 +3993,10 @@ program.command("status").description("Show daemon status").action(async () => {
   if (status.running) {
     logger.info({ pid: status.pid }, "daemon_status_running");
     console.log(`Daemon is running (PID ${status.pid})`);
-    if (status.connected !== void 0) {
+    if (status.connected !== undefined) {
       console.log(`Connected to gateway: ${status.connected ? "yes" : "no"}`);
     }
-    if (status.sessionCount !== void 0) {
+    if (status.sessionCount !== undefined) {
       console.log(`Active sessions: ${status.sessionCount}`);
     }
   } else {
@@ -3007,6 +4026,97 @@ program.command("logout").description("Remove stored credentials").action(async
 program.command("auth-status").description("Show authentication status").action(async () => {
   await loginStatus();
 });
+var e2eeCmd = program.command("e2ee").description("E2EE key management");
+e2eeCmd.command("show").description("Display the master secret for pairing other devices").action(async () => {
+  const credentials = await loadCredentials();
+  if (!credentials) {
+    console.error("Not logged in. Run 'mobvibe login' first.");
+    process.exit(1);
+  }
+  const base64url = credentials.masterSecret.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+  const pairingUrl = `mobvibe://pair?secret=${base64url}`;
+  const QRCode = await import("qrcode");
+  const qrText = await QRCode.toString(pairingUrl, {
+    type: "terminal",
+    small: true
+  });
+  console.log(qrText);
+  console.log("Master secret (for pairing WebUI/Tauri devices):");
+  console.log(`  ${credentials.masterSecret}`);
+  console.log(`
+Scan the QR code with your phone, or paste the secret into WebUI Settings > E2EE > Pair.`);
+});
+e2eeCmd.command("status").description("Show E2EE key status").action(async () => {
+  const { initCrypto: initCrypto3, deriveAuthKeyPair: deriveAuthKeyPair3, deriveContentKeyPair: deriveContentKeyPair2, getSodium: getSodium4 } = await import("@mobvibe/shared");
+  const credentials = await loadCredentials();
+  if (!credentials) {
+    console.log("Status: Not logged in");
+    console.log("Run 'mobvibe login' to authenticate.");
+    return;
+  }
+  await initCrypto3();
+  const sodium = getSodium4();
+  const masterSecret = sodium.from_base64(credentials.masterSecret, sodium.base64_variants.ORIGINAL);
+  const authKp = deriveAuthKeyPair3(masterSecret);
+  const contentKp = deriveContentKeyPair2(masterSecret);
+  const authPub = sodium.to_base64(authKp.publicKey, sodium.base64_variants.ORIGINAL);
+  const contentPub = sodium.to_base64(contentKp.publicKey, sodium.base64_variants.ORIGINAL);
+  console.log("Status: E2EE enabled");
+  console.log(`Auth public key:    ${authPub.slice(0, 16)}...`);
+  console.log(`Content public key: ${contentPub.slice(0, 16)}...`);
+  console.log(`Saved: ${new Date(credentials.createdAt).toLocaleString()}`);
+});
+program.command("compact").description("Compact the WAL database to reclaim space").option("--session <id>", "Compact a specific session only").option("--dry-run", "Show what would be deleted without actually deleting").option("-v, --verbose", "Show detailed output").action(async (options) => {
+  const config = await getCliConfig();
+  if (!config.compaction.enabled && !options.dryRun) {
+    console.log("Compaction is disabled in configuration.");
+    console.log("Set MOBVIBE_COMPACTION_ENABLED=true to enable.");
+    return;
+  }
+  const walStore = new WalStore(config.walDbPath);
+  const db = new Database3(config.walDbPath);
+  const compactor = new WalCompactor(walStore, config.compaction, db);
+  console.log(options.dryRun ? "Dry run - no changes will be made" : "Starting compaction...");
+  try {
+    if (options.session) {
+      const stats = await compactor.compactSession(options.session, {
+        dryRun: options.dryRun
+      });
+      console.log(`Session ${options.session}:`);
+      console.log(`  Acked events deleted: ${stats.ackedEventsDeleted}`);
+      console.log(`  Old revisions deleted: ${stats.oldRevisionsDeleted}`);
+      console.log(`  Duration: ${stats.durationMs.toFixed(2)}ms`);
+    } else {
+      const result = await compactor.compactAll({
+        dryRun: options.dryRun
+      });
+      if (options.verbose) {
+        for (const stats of result.stats) {
+          if (stats.ackedEventsDeleted > 0 || stats.oldRevisionsDeleted > 0) {
+            console.log(`
+Session ${stats.sessionId}:`);
+            console.log(`  Acked events deleted: ${stats.ackedEventsDeleted}`);
+            console.log(`  Old revisions deleted: ${stats.oldRevisionsDeleted}`);
+          }
+        }
+        if (result.skipped.length > 0) {
+          console.log(`
+Skipped (active sessions): ${result.skipped.join(", ")}`);
+        }
+      }
+      const totalDeleted = result.stats.reduce((sum, s) => sum + s.ackedEventsDeleted + s.oldRevisionsDeleted, 0);
+      console.log(`
+Summary:`);
+      console.log(`  Sessions processed: ${result.stats.length}`);
+      console.log(`  Sessions skipped: ${result.skipped.length}`);
+      console.log(`  Total events ${options.dryRun ? "to delete" : "deleted"}: ${totalDeleted}`);
+      console.log(`  Duration: ${result.totalDurationMs.toFixed(2)}ms`);
+    }
+  } finally {
+    walStore.close();
+    db.close();
+  }
+});
 async function run() {
   await program.parseAsync(process.argv);
 }
@@ -3018,4 +4128,5 @@ run().catch((error) => {
 export {
   run
 };
-//# sourceMappingURL=index.js.map
+
+//# debugId=3BEAA052FAC1A9B764756E2164756E21