npm - @noxsoft/anima - Versions diffs - 7.0.0 → 7.0.2 - Mend

@noxsoft/anima 7.0.0 → 7.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (431) hide show

package/dist/{run-CF3kHOGH.js → run-0F-ZU2kW.js} RENAMED Viewed

@@ -1,79 +1,79 @@
 import { h as expandHomePrefix, i as isNixMode, l as resolveGatewayLockDir, m as resolveStateDir, o as resolveConfigPath, r as STATE_DIR, t as CONFIG_PATH, u as resolveGatewayPort } from "./paths-zhVksOvm.js";
-import { E as getActivePluginRegistry, F as setVerbose, G as setLoggerOverride, H as getChildLogger, U as getLogger, W as getResolvedLoggerSettings, d as defaultRuntime, g as CHANNEL_IDS, i as getResolvedConsoleSettings, n as runtimeForLogger, o as setConsoleSubsystemFilter, s as setConsoleTimestampPrefix, t as createSubsystemLogger, v as DEFAULT_CHAT_CHANNEL } from "./subsystem-BAADN1B8.js";
-import { C as shortenHomePath, D as truncateUtf16Safe, b as resolveUserPath, c as ensureDir$1, d as isPlainObject, r as clamp, t as CONFIG_DIR } from "./utils-CLYlhJuc.js";
-import { C as supportsXHighThinking, _ as normalizeElevatedLevel, b as normalizeUsageDisplay, m as formatXHighModelHint, p as formatThinkingLevels, v as normalizeReasoningLevel, x as normalizeVerboseLevel, y as normalizeThinkLevel } from "./pi-embedded-helpers-BZ9GspxK.js";
-import { $ as archiveFileOnDisk, At as deferGatewayRestartUntilIdle, B as sniffMimeFromBase64, C as verifyNodeToken, Cn as stopDiagnosticHeartbeat, Cr as DEFAULT_INPUT_PDF_MAX_PIXELS, Ct as loadProviderStore, D as registerSkillsChangeListener, Dr as extractImageContentFromSource, E as getSkillsSnapshotVersion, Er as extractFileContentFromSource, F as abortEmbeddedPiRun, Ft as setGatewaySigusr1RestartPolicy, G as canonicalizeSpawnedByForAgent, Gn as CommandLane, Gt as normalizeCronJobPatch, Hn as readLatestAssistantReply, I as waitForEmbeddedPiRunEnd, It as setPreRestartDeferralCheck, J as loadCombinedSessionStoreForGateway, Jn as getAgentRunContext, Jt as normalizeOptionalText, K as listAgentsForGateway, Kn as clearAgentRunContext, Kt as inferLegacyName, L as runNoxSoftEmbeddedAgent, Ln as countActiveDescendantRuns, Lt as consumeRestartSentinel, M as resetAllLanes, Mn as isAbortTrigger, Mr as resolveAgentTimeoutMs, Mt as isGatewaySigusr1RestartExternallyAllowed, N as setCommandLaneConcurrency, Nn as stopSubagentsForRequester, Nt as markGatewaySigusr1RestartHandled, O as clearSessionQueues, Or as normalizeMimeList, P as waitForActiveTasks, Pt as scheduleGatewaySigusr1Restart, Q as resolveSessionModelRef, R as applyToolPolicyPipeline, Rn as initSubagentRegistry, Rt as formatDoctorNonInteractiveHint, S as updatePairedNodeMetadata, Sn as startDiagnosticHeartbeat, Sr as DEFAULT_INPUT_PDF_MAX_PAGES, St as loadProviderUsageSummary, T as verifyPairingToken, Tr as DEFAULT_INPUT_TIMEOUT_MS, Tt as saveProviderStore, U as createAnimaTools, Ut as writeRestartSentinel, V as requestHeartbeatNow, Vn as runSubagentAnnounceFlow, Vt as summarizeRestartSentinel, W as resolveAnnounceTargetFromKey, Wt as normalizeCronJobCreate, X as pruneLegacyStoreKeys, Xn as registerAgentRunContext, Xt as normalizeRequiredName, Y as loadSessionEntry, Yn as onAgentEvent, Yt as normalizePayloadToSystemText, Z as resolveGatewaySessionStoreTarget, Zn as resolveAgentIdentity, Zt as migrateLegacyCronPayload, _ as approveNodePairing, _n as dispatchInboundMessage, _r as DEFAULT_INPUT_FILE_MAX_CHARS, _t as resetDirectoryCache, an as persistBrowserProxyFiles, ar as applyVerboseOverride, at as stripEnvelopeFromMessages, b as renamePairedNode, br as DEFAULT_INPUT_IMAGE_MIMES, bt as runWithModelFallback, c as normalizeSendPolicy, cr as isSystemEventContextChanged, d as primeRemoteSkillsCache, dr as loadModelCatalog, dt as resolveOutboundSessionRoute, en as buildSafeExternalPrompt, et as archiveSessionTranscripts, f as recordRemoteNodeInfo, g as setSkillsRemoteRegistry, gr as DEFAULT_INPUT_FILE_MAX_BYTES, h as removeRemoteNodeInfo, ht as resolveSessionDeliveryTarget, i as setCliSessionId, in as applyBrowserProxyPaths, ir as applyModelOverrideToSessionEntry, it as resolveSessionTranscriptCandidates, j as getTotalQueueSize, jt as emitGatewayRestart, k as getActiveTaskCount, kn as formatZonedTimestamp, kr as estimateBase64DecodedBytes, kt as consumeGatewaySigusr1RestartAuthorization, l as resolveSendPolicy, m as refreshRemoteNodeBins, mr as registerUnhandledRejectionHandler, mt as resolveOutboundTarget, n as BARE_SESSION_RESET_PROMPT, nn as getHookType, nr as lookupContextTokens, nt as readSessionMessages, on as getPluginToolMeta, or as parseVerboseOverride, p as refreshRemoteBinsForConnectedNodes, pn as getChannelActivity, q as listSessionsFromStore, qn as emitAgentEvent, qt as normalizeOptionalAgentId, r as getCliSessionId, rn as isExternalHookSession, rt as readSessionPreviewItemsFromTranscript, sn as loadAnimaPlugins, sr as enqueueSystemEvent, st as normalizeGroupActivation, tn as detectSuspiciousPatterns, tt as capArrayByJsonBytes, u as getRemoteSkillEligibility, ut as ensureOutboundSessionEntry, v as listNodePairing, vn as createReplyDispatcher, vr as DEFAULT_INPUT_FILE_MIMES, vt as resolveMessageChannelSelection, w as generatePairingToken, wn as isDiagnosticsEnabled, wr as DEFAULT_INPUT_PDF_MIN_TEXT_CHARS, wt as maskApiKey, x as requestNodePairing, xr as DEFAULT_INPUT_MAX_REDIRECTS, xt as resolveWorkingModeModelSelection, y as rejectNodePairing, yn as getTotalPendingReplies, yr as DEFAULT_INPUT_IMAGE_MAX_BYTES, z as buildDefaultToolPolicyPipelineSteps, zn as listDescendantRunsForRequester, zt as formatRestartSentinelMessage } from "./reply-93fMzde1.js";
+import { D as getActivePluginRegistry, G as getResolvedLoggerSettings, I as setVerbose, K as setLoggerOverride, U as getChildLogger, W as getLogger, _ as CHANNEL_IDS, f as defaultRuntime, i as getResolvedConsoleSettings, n as runtimeForLogger, o as setConsoleSubsystemFilter, s as setConsoleTimestampPrefix, t as createSubsystemLogger, y as DEFAULT_CHAT_CHANNEL } from "./subsystem-DLVQ9bjX.js";
+import { C as shortenHomePath, D as truncateUtf16Safe, b as resolveUserPath, c as ensureDir$1, d as isPlainObject, r as clamp, t as CONFIG_DIR } from "./utils-CkCznJhR.js";
+import { C as supportsXHighThinking, _ as normalizeElevatedLevel, b as normalizeUsageDisplay, m as formatXHighModelHint, p as formatThinkingLevels, v as normalizeReasoningLevel, x as normalizeVerboseLevel, y as normalizeThinkLevel } from "./pi-embedded-helpers-BPtBCnl-.js";
+import { $ as resolveGatewaySessionStoreTarget, $n as resolveAgentIdentity, $t as migrateLegacyCronPayload, Ar as normalizeMimeList, B as applyToolPolicyPipeline, Bn as initSubagentRegistry, Bt as formatDoctorNonInteractiveHint, C as verifyNodeToken, Cr as DEFAULT_INPUT_MAX_REDIRECTS, Ct as resolveWorkingModeModelSelection, D as registerSkillsChangeListener, Dr as DEFAULT_INPUT_TIMEOUT_MS, Dt as saveProviderStore, E as getSkillsSnapshotVersion, En as isDiagnosticsEnabled, Er as DEFAULT_INPUT_PDF_MIN_TEXT_CHARS, Et as maskApiKey, F as abortEmbeddedPiRun, Fn as stopSubagentsForRequester, Ft as markGatewaySigusr1RestartHandled, G as createAnimaTools, Gt as writeRestartSentinel, H as sniffMimeFromBase64, I as waitForEmbeddedPiRunEnd, It as scheduleGatewaySigusr1Restart, J as listAgentsForGateway, Jn as clearAgentRunContext, Jt as inferLegacyName, K as resolveAnnounceTargetFromKey, Kt as normalizeCronJobCreate, L as runNoxSoftEmbeddedAgent, Lt as setGatewaySigusr1RestartPolicy, M as resetAllLanes, Mt as deferGatewayRestartUntilIdle, N as setCommandLaneConcurrency, Nt as emitGatewayRestart, O as clearSessionQueues, Or as extractFileContentFromSource, P as waitForActiveTasks, Pn as isAbortTrigger, Pr as resolveAgentTimeoutMs, Pt as isGatewaySigusr1RestartExternallyAllowed, Q as pruneLegacyStoreKeys, Qn as registerAgentRunContext, Qt as normalizeRequiredName, Rt as setPreRestartDeferralCheck, S as updatePairedNodeMetadata, Sr as DEFAULT_INPUT_IMAGE_MIMES, St as runWithModelFallback, T as verifyPairingToken, Tn as stopDiagnosticHeartbeat, Tr as DEFAULT_INPUT_PDF_MAX_PIXELS, Tt as loadProviderStore, U as requestHeartbeatNow, Un as runSubagentAnnounceFlow, Ut as summarizeRestartSentinel, V as buildDefaultToolPolicyPipelineSteps, Vn as listDescendantRunsForRequester, Vt as formatRestartSentinelMessage, Wn as readLatestAssistantReply, X as loadCombinedSessionStoreForGateway, Xn as getAgentRunContext, Xt as normalizeOptionalText, Y as listSessionsFromStore, Yn as emitAgentEvent, Yt as normalizeOptionalAgentId, Z as loadSessionEntry, Zn as onAgentEvent, Zt as normalizePayloadToSystemText, _ as approveNodePairing, _t as resolveSessionDeliveryTarget, an as isExternalHookSession, at as readSessionPreviewItemsFromTranscript, b as renamePairedNode, bn as createReplyDispatcher, br as DEFAULT_INPUT_FILE_MIMES, bt as resolveMessageChannelSelection, c as normalizeSendPolicy, cn as getPluginToolMeta, cr as parseVerboseOverride, d as primeRemoteSkillsCache, et as resolveSessionModelRef, f as recordRemoteNodeInfo, ft as ensureOutboundSessionEntry, g as setSkillsRemoteRegistry, gr as registerUnhandledRejectionHandler, gt as resolveOutboundTarget, h as removeRemoteNodeInfo, hn as getChannelActivity, i as setCliSessionId, in as getHookType, ir as lookupContextTokens, it as readSessionMessages, j as getTotalQueueSize, jn as formatZonedTimestamp, jr as estimateBase64DecodedBytes, jt as consumeGatewaySigusr1RestartAuthorization, k as getActiveTaskCount, kr as extractImageContentFromSource, l as resolveSendPolicy, ln as loadAnimaPlugins, lr as enqueueSystemEvent, lt as normalizeGroupActivation, m as refreshRemoteNodeBins, n as BARE_SESSION_RESET_PROMPT, nn as buildSafeExternalPrompt, nt as archiveSessionTranscripts, on as applyBrowserProxyPaths, or as applyModelOverrideToSessionEntry, ot as resolveSessionTranscriptCandidates, p as refreshRemoteBinsForConnectedNodes, pr as loadModelCatalog, pt as resolveOutboundSessionRoute, q as canonicalizeSpawnedByForAgent, qn as CommandLane, qt as normalizeCronJobPatch, r as getCliSessionId, rn as detectSuspiciousPatterns, rt as capArrayByJsonBytes, sn as persistBrowserProxyFiles, sr as applyVerboseOverride, st as stripEnvelopeFromMessages, tt as archiveFileOnDisk, u as getRemoteSkillEligibility, ur as isSystemEventContextChanged, v as listNodePairing, vr as DEFAULT_INPUT_FILE_MAX_BYTES, w as generatePairingToken, wn as startDiagnosticHeartbeat, wr as DEFAULT_INPUT_PDF_MAX_PAGES, wt as loadProviderUsageSummary, x as requestNodePairing, xn as getTotalPendingReplies, xr as DEFAULT_INPUT_IMAGE_MAX_BYTES, y as rejectNodePairing, yn as dispatchInboundMessage, yr as DEFAULT_INPUT_FILE_MAX_CHARS, yt as resetDirectoryCache, zn as countActiveDescendantRuns, zt as consumeRestartSentinel } from "./reply-DqXPXQ20.js";
 import { b as isSubagentSessionKey, d as resolveAgentIdFromSessionKey, i as buildAgentMainSessionKey, l as normalizeAgentId, m as toAgentRequestSessionKey, n as DEFAULT_AGENT_ID, t as DEFAULT_ACCOUNT_ID, u as normalizeMainKey, v as isCronRunSessionKey, x as parseAgentSessionKey } from "./session-key-DAZmp8ll.js";
-import { a as logDebug, c as logWarn, n as runExec, t as runCommandWithTimeout } from "./exec-BylR5qWS.js";
+import { a as logDebug, c as logWarn, n as runExec, t as runCommandWithTimeout } from "./exec-ChPERQB-.js";
 import { t as resolveAnimaPackageRoot } from "./anima-root-xWSKR6Wm.js";
-import { T as resolveWorkspaceTemplateDir, _ as DEFAULT_MEMORY_FILENAME, b as DEFAULT_USER_FILENAME, c as resolveDefaultAgentId, d as DEFAULT_AGENTS_FILENAME, g as DEFAULT_MEMORY_ALT_FILENAME, h as DEFAULT_IDENTITY_FILENAME, i as resolveAgentModelFallbacksOverride, l as resolveSessionAgentId, m as DEFAULT_HEARTBEAT_FILENAME, n as resolveAgentConfig, p as DEFAULT_BOOTSTRAP_FILENAME, r as resolveAgentDir, s as resolveAgentWorkspaceDir, t as listAgentIds, v as DEFAULT_SOUL_FILENAME, w as resolveDefaultAgentWorkspaceDir, x as ensureAgentWorkspace, y as DEFAULT_TOOLS_FILENAME } from "./agent-scope-CXxC8FFX.js";
-import { _ as DEFAULT_MODEL, a as isCliProvider, d as resolveConfiguredModelRef, f as resolveDefaultModelForAgent, g as DEFAULT_CONTEXT_TOKENS, h as resolveThinkingDefault, i as getModelRefStatus, p as resolveHooksGmailModel, u as resolveAllowedModelRef, v as DEFAULT_PROVIDER } from "./model-selection-CY6r_3wt.js";
-import { A as resolveAgentMaxConcurrent, M as VERSION, T as applyLegacyMigrations, a as parseConfigJson5, c as resolveConfigSnapshotHash, d as AnimaSchema, i as loadConfig, j as resolveSubagentMaxConcurrent, l as writeConfigFile, m as parseDurationMs, n as migrateLegacyConfig, o as readConfigFileSnapshot, p as sensitive, r as createConfigIO, s as readConfigFileSnapshotForWrite, u as validateConfigObjectWithPlugins, w as applyMergePatch } from "./config-DaD4FsAn.js";
-import { n as logAcceptedEnvOption, t as isTruthyEnvValue } from "./env-DlTia1B4.js";
-import { c as isTestDefaultMemorySlotDisabled } from "./manifest-registry-qF960vMH.js";
-import { A as resolveMainSessionKeyFromConfig, D as resolveAgentMainSessionKey, M as snapshotSessionOrigin, O as resolveExplicitAgentSessionKey, d as deliveryContextFromSession, h as normalizeSessionDeliveryFields, i as loadSessionStore, k as resolveMainSessionKey, l as updateSessionStore, p as mergeDeliveryContext, t as extractDeliveryInfo } from "./sessions-BOzeFzuL.js";
-import { o as detectMime } from "./image-ops-Ct3GueyT.js";
-import { t as normalizePollInput } from "./polls-DFISjV7H.js";
-import { _ as resolveToolProfilePolicy, p as collectExplicitAllowlist } from "./sandbox-pBHlfFdB.js";
+import { T as resolveWorkspaceTemplateDir, _ as DEFAULT_MEMORY_FILENAME, b as DEFAULT_USER_FILENAME, c as resolveDefaultAgentId, d as DEFAULT_AGENTS_FILENAME, g as DEFAULT_MEMORY_ALT_FILENAME, h as DEFAULT_IDENTITY_FILENAME, i as resolveAgentModelFallbacksOverride, l as resolveSessionAgentId, m as DEFAULT_HEARTBEAT_FILENAME, n as resolveAgentConfig, p as DEFAULT_BOOTSTRAP_FILENAME, r as resolveAgentDir, s as resolveAgentWorkspaceDir, t as listAgentIds, v as DEFAULT_SOUL_FILENAME, w as resolveDefaultAgentWorkspaceDir, x as ensureAgentWorkspace, y as DEFAULT_TOOLS_FILENAME } from "./agent-scope-DQ0N_hof.js";
+import { _ as DEFAULT_MODEL, a as isCliProvider, d as resolveConfiguredModelRef, f as resolveDefaultModelForAgent, g as DEFAULT_CONTEXT_TOKENS, h as resolveThinkingDefault, i as getModelRefStatus, p as resolveHooksGmailModel, u as resolveAllowedModelRef, v as DEFAULT_PROVIDER } from "./model-selection-CeZMza3d.js";
+import { A as resolveAgentMaxConcurrent, M as VERSION, T as applyLegacyMigrations, a as parseConfigJson5, c as resolveConfigSnapshotHash, d as AnimaSchema, i as loadConfig, j as resolveSubagentMaxConcurrent, l as writeConfigFile, m as parseDurationMs, n as migrateLegacyConfig, o as readConfigFileSnapshot, p as sensitive, r as createConfigIO, s as readConfigFileSnapshotForWrite, u as validateConfigObjectWithPlugins, w as applyMergePatch } from "./config-MZ5clMl4.js";
+import { n as logAcceptedEnvOption, t as isTruthyEnvValue } from "./env-ByZjwIJR.js";
+import { c as isTestDefaultMemorySlotDisabled } from "./manifest-registry-Cwvk5hu8.js";
+import { A as resolveMainSessionKeyFromConfig, D as resolveAgentMainSessionKey, M as snapshotSessionOrigin, O as resolveExplicitAgentSessionKey, d as deliveryContextFromSession, h as normalizeSessionDeliveryFields, i as loadSessionStore, k as resolveMainSessionKey, l as updateSessionStore, p as mergeDeliveryContext, t as extractDeliveryInfo } from "./sessions-DBQx8E1H.js";
+import { o as detectMime } from "./image-ops-vj06APeW.js";
+import { t as normalizePollInput } from "./polls-aumqIVob.js";
+import { _ as resolveToolProfilePolicy, p as collectExplicitAllowlist } from "./sandbox-mSWYRXFm.js";
 import { t as formatCliCommand } from "./command-format-BCtkuvqF.js";
-import { a as AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN, c as safeEqualSecret, d as enableTailscaleFunnel, f as enableTailscaleServe, i as resolveGatewayAuth, l as disableTailscaleFunnel, m as getTailnetHostname, n as authorizeGatewayConnect, o as AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET, r as isLocalDirectRequest, s as createAuthRateLimiter, t as assertGatewayAuthConfigured, u as disableTailscaleServe } from "./auth-DsC5pZ_0.js";
+import { a as AUTH_RATE_LIMIT_SCOPE_DEVICE_TOKEN, c as safeEqualSecret, d as enableTailscaleFunnel, f as enableTailscaleServe, i as resolveGatewayAuth, l as disableTailscaleFunnel, m as getTailnetHostname, n as authorizeGatewayConnect, o as AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET, r as isLocalDirectRequest, s as createAuthRateLimiter, t as assertGatewayAuthConfigured, u as disableTailscaleServe } from "./auth-CuGlMw6p.js";
 import { n as pickPrimaryTailnetIPv6, t as pickPrimaryTailnetIPv4 } from "./tailnet-Bg_vE5qi.js";
 import { a as isTrustedProxyAddress, c as pickPrimaryLanIPv4, d as resolveGatewayListenHosts, i as isPrivateOrLoopbackAddress, l as resolveGatewayBindHost, n as isLoopbackAddress, r as isLoopbackHost, t as rawDataToString, u as resolveGatewayClientIp } from "./ws-BapRHqfx.js";
-import { r as movePathToTrash } from "./server-context-Yx4pgBqJ.js";
-import { i as loadWorkspaceSkillEntries, r as buildWorkspaceSkillSnapshot, x as hasBinary } from "./skills-4v6-kw0C.js";
+import { r as movePathToTrash } from "./server-context-DTlBzMyD.js";
+import { i as loadWorkspaceSkillEntries, r as buildWorkspaceSkillSnapshot, x as hasBinary } from "./skills-DjVFhlQY.js";
 import { n as formatErrorMessage } from "./errors-Bv81hF2P.js";
-import { a as inspectPortUsage, s as formatPortDiagnostics } from "./ports-q535r1PZ.js";
-import { f as GATEWAY_CLIENT_CAPS, g as hasGatewayClientCap, i as isGatewayMessageChannel, l as normalizeMessageChannel, n as isDeliverableMessageChannel, p as GATEWAY_CLIENT_IDS, r as isGatewayCliClient, s as isWebchatClient, t as INTERNAL_MESSAGE_CHANNEL } from "./message-channel-CMsexA3K.js";
-import { n as listChannelPlugins, r as normalizeChannelId, t as getChannelPlugin } from "./plugins-DYcg0qBW.js";
+import { a as inspectPortUsage, s as formatPortDiagnostics } from "./ports-B20JTuiL.js";
+import { f as GATEWAY_CLIENT_CAPS, g as hasGatewayClientCap, i as isGatewayMessageChannel, l as normalizeMessageChannel, n as isDeliverableMessageChannel, p as GATEWAY_CLIENT_IDS, r as isGatewayCliClient, s as isWebchatClient, t as INTERNAL_MESSAGE_CHANNEL } from "./message-channel-CfwNj8mC.js";
+import { n as listChannelPlugins, r as normalizeChannelId, t as getChannelPlugin } from "./plugins-BqPGs8w-.js";
 import { c as resolveStorePath, i as resolveSessionTranscriptPath, n as resolveSessionFilePath, r as resolveSessionFilePathOptions, s as resolveSessionTranscriptsDirForAgent } from "./paths-Dazi-gYo.js";
-import { O as normalizeSecretInput } from "./auth-profiles-C-LuhW6c.js";
-import { n as SILENT_REPLY_TOKEN, r as isSilentReplyText } from "./tokens-SP2Q7i59.js";
-import { B as resolveTtsConfig, F as isTtsProviderConfigured, G as setTtsEnabled, H as resolveTtsProviderOrder, J as textToSpeech, M as getTtsProvider, P as isTtsEnabled, R as resolveTtsApiKey, T as resolveUserTimezone, V as resolveTtsPrefsPath, X as OPENAI_TTS_MODELS, Z as OPENAI_TTS_VOICES, ct as createInternalHookEvent, dt as DEFAULT_HEARTBEAT_ACK_MAX_CHARS, et as clearSteer, ht as stripHeartbeatToken, it as getEgoManager, lt as registerInternalHook, nt as getSteerHistory, q as setTtsProvider, rt as setSteer, st as clearInternalHooks, tt as getSteer, ut as triggerInternalHook, z as resolveTtsAutoMode } from "./anthropic-direct-runner-OjcTAH6g.js";
-import { o as normalizeReplyPayloadsForDelivery, t as deliverOutboundPayloads, x as runGlobalGatewayStopSafely, y as getGlobalHookRunner } from "./deliver-BKzX3YoN.js";
-import { i as resolveMemoryBackendConfig, r as getMemorySearchManager } from "./memory-cli-DLtBA6r5.js";
+import { O as normalizeSecretInput } from "./auth-profiles-XI2YBb-w.js";
+import { n as SILENT_REPLY_TOKEN, r as isSilentReplyText } from "./tokens-BelyD23F.js";
+import { B as resolveTtsConfig, F as isTtsProviderConfigured, G as setTtsEnabled, H as resolveTtsProviderOrder, J as textToSpeech, M as getTtsProvider, P as isTtsEnabled, R as resolveTtsApiKey, T as resolveUserTimezone, V as resolveTtsPrefsPath, X as OPENAI_TTS_MODELS, Z as OPENAI_TTS_VOICES, ct as createInternalHookEvent, dt as DEFAULT_HEARTBEAT_ACK_MAX_CHARS, et as clearSteer, ht as stripHeartbeatToken, it as getEgoManager, lt as registerInternalHook, nt as getSteerHistory, q as setTtsProvider, rt as setSteer, st as clearInternalHooks, tt as getSteer, ut as triggerInternalHook, z as resolveTtsAutoMode } from "./anthropic-direct-runner-BgFOZS8B.js";
+import { o as normalizeReplyPayloadsForDelivery, t as deliverOutboundPayloads, x as runGlobalGatewayStopSafely, y as getGlobalHookRunner } from "./deliver-BknvuSJz.js";
+import { i as resolveMemoryBackendConfig, r as getMemorySearchManager } from "./memory-cli-DMJqELwh.js";
 import { a as readTrustGraphSnapshot, c as pruneExpiredPending, d as writeJsonAtomic, l as readJsonFile, o as saveTrustGraph, s as createAsyncLock, u as resolvePairingPaths } from "./loader-Bw2wdN4l.js";
-import { t as ToolInputError } from "./common-BCW6hLGI.js";
-import { $ as validateNodePairRequestParams, A as validateCronStatusParams, B as validateExecApprovalsNodeGetParams, C as validateConfigSetParams, Ct as validateWizardCancelParams, D as validateCronRemoveParams, Dt as PROTOCOL_VERSION, E as validateCronListParams, Et as validateWizardStatusParams, F as validateDeviceTokenRevokeParams, G as validateNodeDescribeParams, H as validateExecApprovalsSetParams, I as validateDeviceTokenRotateParams, It as deriveDeviceIdFromPublicKey, J as validateNodeInvokeResultParams, K as validateNodeEventParams, L as validateExecApprovalRequestParams, M as validateDevicePairApproveParams, N as validateDevicePairListParams, Nt as normalizeInputProvenance, O as validateCronRunParams, Ot as ErrorCodes, P as validateDevicePairRejectParams, Pt as buildDeviceAuthPayload, Q as validateNodePairRejectParams, R as validateExecApprovalResolveParams, Rt as normalizeDevicePublicKeyBase64Url, S as validateConfigSchemaParams, St as validateWebLoginWaitParams, T as validateCronAddParams, Tt as validateWizardStartParams, U as validateLogsTailParams, V as validateExecApprovalsNodeSetParams, W as validateModelsListParams, X as validateNodePairApproveParams, Y as validateNodeListParams, Z as validateNodePairListParams, _ as validateChatInjectParams, _t as validateTalkConfigParams, a as validateAgentWaitParams, at as validateSessionsCompactParams, b as validateConfigGetParams, bt as validateWakeParams, c as validateAgentsFilesGetParams, ct as validateSessionsPatchParams, d as validateAgentsListParams, dt as validateSessionsResolveParams, et as validateNodePairVerifyParams, f as validateAgentsUpdateParams, ft as validateSessionsUsageParams, g as validateChatHistoryParams, gt as validateSkillsUpdateParams, h as validateChatAbortParams, ht as validateSkillsStatusParams, i as validateAgentParams, it as validateSendParams, j as validateCronUpdateParams, jt as parseSessionLabel, k as validateCronRunsParams, kt as errorShape, l as validateAgentsFilesListParams, lt as validateSessionsPreviewParams, m as validateChannelsStatusParams, mt as validateSkillsInstallParams, n as formatValidationErrors, nt as validatePollParams, o as validateAgentsCreateParams, ot as validateSessionsDeleteParams, p as validateChannelsLogoutParams, pt as validateSkillsBinsParams, q as validateNodeInvokeParams, r as validateAgentIdentityParams, rt as validateRequestFrame, s as validateAgentsDeleteParams, st as validateSessionsListParams, tt as validateNodeRenameParams, u as validateAgentsFilesSetParams, ut as validateSessionsResetParams, v as validateChatSendParams, vt as validateTalkModeParams, w as validateConnectParams, wt as validateWizardNextParams, x as validateConfigPatchParams, xt as validateWebLoginStartParams, y as validateConfigApplyParams, yt as validateUpdateRunParams, z as validateExecApprovalsGetParams, zt as verifyDeviceSignature } from "./client-BWkoTfOH.js";
-import { s as loadGatewayTlsRuntime$1 } from "./call-CDPbPDAr.js";
-import { a as resolveSubagentToolPolicy, i as resolveGroupToolPolicy, r as resolveEffectiveToolPolicy } from "./pi-tools.policy-WdTAfqbV.js";
-import { n as createBrowserControlContext, r as startBrowserControlServiceFromConfig } from "./control-service-5YtMvm7D.js";
-import { t as createBrowserRouteDispatcher } from "./dispatcher-DzwzLQRk.js";
+import { t as ToolInputError } from "./common-fIXNXke2.js";
+import { $ as validateNodePairRequestParams, A as validateCronStatusParams, B as validateExecApprovalsNodeGetParams, C as validateConfigSetParams, Ct as validateWizardCancelParams, D as validateCronRemoveParams, Dt as PROTOCOL_VERSION, E as validateCronListParams, Et as validateWizardStatusParams, F as validateDeviceTokenRevokeParams, G as validateNodeDescribeParams, H as validateExecApprovalsSetParams, I as validateDeviceTokenRotateParams, It as deriveDeviceIdFromPublicKey, J as validateNodeInvokeResultParams, K as validateNodeEventParams, L as validateExecApprovalRequestParams, M as validateDevicePairApproveParams, N as validateDevicePairListParams, Nt as normalizeInputProvenance, O as validateCronRunParams, Ot as ErrorCodes, P as validateDevicePairRejectParams, Pt as buildDeviceAuthPayload, Q as validateNodePairRejectParams, R as validateExecApprovalResolveParams, Rt as normalizeDevicePublicKeyBase64Url, S as validateConfigSchemaParams, St as validateWebLoginWaitParams, T as validateCronAddParams, Tt as validateWizardStartParams, U as validateLogsTailParams, V as validateExecApprovalsNodeSetParams, W as validateModelsListParams, X as validateNodePairApproveParams, Y as validateNodeListParams, Z as validateNodePairListParams, _ as validateChatInjectParams, _t as validateTalkConfigParams, a as validateAgentWaitParams, at as validateSessionsCompactParams, b as validateConfigGetParams, bt as validateWakeParams, c as validateAgentsFilesGetParams, ct as validateSessionsPatchParams, d as validateAgentsListParams, dt as validateSessionsResolveParams, et as validateNodePairVerifyParams, f as validateAgentsUpdateParams, ft as validateSessionsUsageParams, g as validateChatHistoryParams, gt as validateSkillsUpdateParams, h as validateChatAbortParams, ht as validateSkillsStatusParams, i as validateAgentParams, it as validateSendParams, j as validateCronUpdateParams, jt as parseSessionLabel, k as validateCronRunsParams, kt as errorShape, l as validateAgentsFilesListParams, lt as validateSessionsPreviewParams, m as validateChannelsStatusParams, mt as validateSkillsInstallParams, n as formatValidationErrors, nt as validatePollParams, o as validateAgentsCreateParams, ot as validateSessionsDeleteParams, p as validateChannelsLogoutParams, pt as validateSkillsBinsParams, q as validateNodeInvokeParams, r as validateAgentIdentityParams, rt as validateRequestFrame, s as validateAgentsDeleteParams, st as validateSessionsListParams, tt as validateNodeRenameParams, u as validateAgentsFilesSetParams, ut as validateSessionsResetParams, v as validateChatSendParams, vt as validateTalkModeParams, w as validateConnectParams, wt as validateWizardNextParams, x as validateConfigPatchParams, xt as validateWebLoginStartParams, y as validateConfigApplyParams, yt as validateUpdateRunParams, z as validateExecApprovalsGetParams, zt as verifyDeviceSignature } from "./client-DOTb2PN6.js";
+import { s as loadGatewayTlsRuntime$1 } from "./call-Bn9iKzhX.js";
+import { a as resolveSubagentToolPolicy, i as resolveGroupToolPolicy, r as resolveEffectiveToolPolicy } from "./pi-tools.policy-DuWNVoem.js";
+import { n as createBrowserControlContext, r as startBrowserControlServiceFromConfig } from "./control-service-BGnqY7vv.js";
+import { t as createBrowserRouteDispatcher } from "./dispatcher-DpEzmU7s.js";
 import { t as parseAbsoluteTimeMs } from "./parse-Cinbkvj-.js";
 import { c as saveToken, i as getToken, l as whoami, n as clearToken, o as registerWithInvite, s as resolveSuggestedIdentity, t as TOKEN_PATH } from "./noxsoft-auth-CE75mBXE.js";
 import { i as loadSessionUsageTimeSeries, l as deriveSessionTotalTokens, n as loadCostUsageSummary, r as loadSessionCostSummary, t as discoverAllSessions, u as hasNonzeroUsage } from "./session-cost-usage-BWqR-ik6.js";
 import { f as resolveExecApprovalsSocketPath, o as normalizeExecApprovals, p as saveExecApprovals, r as ensureExecApprovals, s as readExecApprovalsSnapshot, t as DEFAULT_EXEC_APPROVAL_TIMEOUT_MS } from "./exec-approvals-DK5-KCUz.js";
-import { c as resolveCronStyleNow, i as onHeartbeatEvent, r as getLastHeartbeatEvent, t as resolveHeartbeatVisibility } from "./heartbeat-visibility-BQL13ZBH.js";
-import { r as buildHistoryContextFromEntries, t as createReplyPrefixOptions } from "./reply-prefix-B7Fb3fO8.js";
-import { n as createOutboundSendDeps, t as createDefaultDeps } from "./deps-BKLIBKjK.js";
-import { t as ensureAnimaCliOnPath } from "./path-env-DLQPf9qj.js";
-import { t as forceFreePortAndWait } from "./ports-DaVrZDUq.js";
-import { t as buildChannelUiCatalog } from "./catalog-CsXv59Tq.js";
-import { t as buildWorkspaceSkillStatus } from "./skills-status-CvH7AUoY.js";
+import { c as resolveCronStyleNow, i as onHeartbeatEvent, r as getLastHeartbeatEvent, t as resolveHeartbeatVisibility } from "./heartbeat-visibility-DZOi_4uV.js";
+import { r as buildHistoryContextFromEntries, t as createReplyPrefixOptions } from "./reply-prefix-CZy4g8SY.js";
+import { n as createOutboundSendDeps, t as createDefaultDeps } from "./deps-oUYlT5Sq.js";
+import { t as ensureAnimaCliOnPath } from "./path-env-BAjR_Xf_.js";
+import { t as forceFreePortAndWait } from "./ports-D6bjtvhF.js";
+import { t as buildChannelUiCatalog } from "./catalog-BqTvQqiq.js";
+import { t as buildWorkspaceSkillStatus } from "./skills-status-BmZufjT1.js";
 import { n as DEFAULT_GATEWAY_HTTP_TOOL_DENY } from "./dangerous-tools-BCnOEYau.js";
-import { C as resolveAssistantAvatarUrl, S as normalizeControlUiBasePath, b as CONTROL_UI_AVATAR_PREFIX, c as handleReset, h as resolveControlUiLinks, x as buildControlUiAvatarUrl } from "./onboard-helpers-CJ3HzoUO.js";
-import { t as resolveGatewayService } from "./service-Dd1DfPia.js";
+import { C as resolveAssistantAvatarUrl, S as normalizeControlUiBasePath, b as CONTROL_UI_AVATAR_PREFIX, c as handleReset, h as resolveControlUiLinks, x as buildControlUiAvatarUrl } from "./onboard-helpers-rHLFiSIc.js";
+import { t as resolveGatewayService } from "./service-ho_k2vjr.js";
 import { t as parsePort } from "./parse-port-CDPwDUs3.js";
-import { n as resolveWideAreaDiscoveryDomain, r as writeWideAreaGatewayZone } from "./widearea-dns-CHAT20aR.js";
-import { i as toOptionString, n as extractGatewayMiskeys, r as maybeExplainGatewayServiceStop, t as describeUnknownError } from "./shared-C-rqLtIT.js";
-import { o as isNodeCommandAllowed, s as resolveNodeCommandAllowlist } from "./audit-B05W5ckN.js";
-import { n as getStatusSummary } from "./status-BO5BIf81.js";
+import { n as resolveWideAreaDiscoveryDomain, r as writeWideAreaGatewayZone } from "./widearea-dns-DlJrNJOg.js";
+import { i as toOptionString, n as extractGatewayMiskeys, r as maybeExplainGatewayServiceStop, t as describeUnknownError } from "./shared-BFzq0XE1.js";
+import { o as isNodeCommandAllowed, s as resolveNodeCommandAllowlist } from "./audit-jddM3B16.js";
+import { n as getStatusSummary } from "./status-D1zupVBm.js";
 import { t as resolveChannelDefaultAccountId } from "./helpers-1MPChTcB.js";
-import { c as startHeartbeatRunner, n as getHealthSnapshot, o as runHeartbeatOnce, s as setHeartbeatsEnabled } from "./health-B5N6_UOf.js";
-import { t as applyPluginAutoEnable } from "./plugin-auto-enable-CtYcdTju.js";
-import { a as resolveControlUiRootOverrideSync, n as ensureControlUiAssetsBuilt, o as resolveControlUiRootSync } from "./health-format-D-JJ5_S4.js";
+import { c as startHeartbeatRunner, n as getHealthSnapshot, o as runHeartbeatOnce, s as setHeartbeatsEnabled } from "./health-DrokrOLQ.js";
+import { t as applyPluginAutoEnable } from "./plugin-auto-enable-DvYJhgJ2.js";
+import { a as resolveControlUiRootOverrideSync, n as ensureControlUiAssetsBuilt, o as resolveControlUiRootSync } from "./health-format-CzNDrJ8Z.js";
 import { n as validateSystemRunCommandConsistency, r as getMachineDisplayName, t as formatExecCommand } from "./system-run-command-Bx8-5h2r.js";
-import { h as normalizeUpdateChannel, l as DEFAULT_PACKAGE_CHANNEL, n as checkUpdateStatus, o as resolveNpmChannelTag, r as compareSemverStrings } from "./channels-status-issues-WkG3Tmxk.js";
-import { t as WizardCancelledError } from "./prompts-Bq4QGFQM.js";
-import { i as shouldIncludeHook, n as loadWorkspaceHookEntries, r as resolveHookConfig } from "./hooks-status-DdweuSIj.js";
-import { t as runOnboardingWizard } from "./onboarding-BeuMAyic.js";
-import { a as setGatewayWsLogStyle, i as summarizeAgentEventForWsLog, n as logWs, r as shouldLogWs, t as formatForLog } from "./ws-log-CUobU2tD.js";
-import { T as resolveGmailHookRuntimeConfig, _ as buildGogWatchServeArgs, i as ensureTailscaleEndpoint, v as buildGogWatchStartArgs } from "./gmail-setup-utils-DaJoXV_3.js";
+import { h as normalizeUpdateChannel, l as DEFAULT_PACKAGE_CHANNEL, n as checkUpdateStatus, o as resolveNpmChannelTag, r as compareSemverStrings } from "./channels-status-issues-4XxYhQ8S.js";
+import { t as WizardCancelledError } from "./prompts-D6Xc1Ddb.js";
+import { i as shouldIncludeHook, n as loadWorkspaceHookEntries, r as resolveHookConfig } from "./hooks-status-BQ7M6bIq.js";
+import { t as runOnboardingWizard } from "./onboarding-BGXbXgds.js";
+import { a as setGatewayWsLogStyle, i as summarizeAgentEventForWsLog, n as logWs, r as shouldLogWs, t as formatForLog } from "./ws-log-Cvz4xRCD.js";
+import { T as resolveGmailHookRuntimeConfig, _ as buildGogWatchServeArgs, i as ensureTailscaleEndpoint, v as buildGogWatchStartArgs } from "./gmail-setup-utils-lTV5KDPF.js";
 import { t as createOutboundSendDeps$1 } from "./outbound-send-deps-DVfWC4E8.js";
-import { a as loadAgentIdentity, c as loadAgentIdentityFromWorkspace, i as listAgentEntries, o as pruneAgentConfig, r as findAgentEntryIndex, t as applyAgentConfig } from "./agents.config-BR5JLtud.js";
-import { n as resolveAgentDeliveryPlan, r as resolveAgentOutboundTarget, t as agentCommand } from "./agent-BoAAHGEA.js";
+import { a as loadAgentIdentity, c as loadAgentIdentityFromWorkspace, i as listAgentEntries, o as pruneAgentConfig, r as findAgentEntryIndex, t as applyAgentConfig } from "./agents.config-DrViQjgD.js";
+import { n as resolveAgentDeliveryPlan, r as resolveAgentOutboundTarget, t as agentCommand } from "./agent-xPFmA8jO.js";
 import { t as migrateFromCoherence } from "./migrate-DuohB_ur.js";
-import { t as installSkill } from "./skills-install-D6_qpRjW.js";
-import { t as runGatewayUpdate } from "./update-runner-DZfnquWO.js";
+import { t as installSkill } from "./skills-install-CVWWsOf2.js";
+import { t as runGatewayUpdate } from "./update-runner-C7CjKcMp.js";
 import { fileURLToPath, pathToFileURL } from "node:url";
 import * as fsSync from "node:fs";
 import fs, { constants } from "node:fs";
@@ -111,7 +111,7 @@ function getActiveEmbeddedRunCount() {
 //#endregion
 //#region src/infra/exec-approval-forwarder.ts
-const log$11 = createSubsystemLogger("gateway/exec-approvals");
+const log$14 = createSubsystemLogger("gateway/exec-approvals");
 const DEFAULT_MODE = "session";
 function normalizeMode(mode) {
 	return mode ?? DEFAULT_MODE;
@@ -226,7 +226,7 @@ async function deliverToTargets(params) {
 				payloads: [{ text: params.text }]
 			});
 		} catch (err) {
-			log$11.error(`exec approvals: failed to deliver to ${channel}:${target.to}: ${String(err)}`);
+			log$14.error(`exec approvals: failed to deliver to ${channel}:${target.to}: ${String(err)}`);
 		}
 	});
 	await Promise.allSettled(deliveries);
@@ -1463,7 +1463,7 @@ function createAgentEventHandler({ broadcast, broadcastToConnIds, nodeSendToSess
 * Automatically starts `gog gmail watch serve` when the gateway starts,
 * if hooks.gmail is configured with an account.
 */
-const log$10 = createSubsystemLogger("gmail-watcher");
+const log$13 = createSubsystemLogger("gmail-watcher");
 const ADDRESS_IN_USE_RE = /address already in use|EADDRINUSE/i;
 function isAddressInUseError(line) {
 	return ADDRESS_IN_USE_RE.test(line);
@@ -1487,13 +1487,13 @@ async function startGmailWatch(cfg) {
 		const result = await runCommandWithTimeout(args, { timeoutMs: 12e4 });
 		if (result.code !== 0) {
 			const message = result.stderr || result.stdout || "gog watch start failed";
-			log$10.error(`watch start failed: ${message}`);
+			log$13.error(`watch start failed: ${message}`);
 			return false;
 		}
-		log$10.info(`watch started for ${cfg.account}`);
+		log$13.info(`watch started for ${cfg.account}`);
 		return true;
 	} catch (err) {
-		log$10.error(`watch start error: ${String(err)}`);
+		log$13.error(`watch start error: ${String(err)}`);
 		return false;
 	}
 }
@@ -1502,7 +1502,7 @@ async function startGmailWatch(cfg) {
 */
 function spawnGogServe(cfg) {
 	const args = buildGogWatchServeArgs(cfg);
-	log$10.info(`starting gog ${args.join(" ")}`);
+	log$13.info(`starting gog ${args.join(" ")}`);
 	let addressInUse = false;
 	const child = spawn("gog", args, {
 		stdio: [
@@ -1514,25 +1514,25 @@ function spawnGogServe(cfg) {
 	});
 	child.stdout?.on("data", (data) => {
 		const line = data.toString().trim();
-		if (line) log$10.info(`[gog] ${line}`);
+		if (line) log$13.info(`[gog] ${line}`);
 	});
 	child.stderr?.on("data", (data) => {
 		const line = data.toString().trim();
 		if (!line) return;
 		if (isAddressInUseError(line)) addressInUse = true;
-		log$10.warn(`[gog] ${line}`);
+		log$13.warn(`[gog] ${line}`);
 	});
 	child.on("error", (err) => {
-		log$10.error(`gog process error: ${String(err)}`);
+		log$13.error(`gog process error: ${String(err)}`);
 	});
 	child.on("exit", (code, signal) => {
 		if (shuttingDown) return;
 		if (addressInUse) {
-			log$10.warn("gog serve failed to bind (address already in use); stopping restarts. Another watcher is likely running. Set ANIMA_SKIP_GMAIL_WATCHER=1 or stop the other process.");
+			log$13.warn("gog serve failed to bind (address already in use); stopping restarts. Another watcher is likely running. Set ANIMA_SKIP_GMAIL_WATCHER=1 or stop the other process.");
 			watcherProcess = null;
 			return;
 		}
-		log$10.warn(`gog exited (code=${code}, signal=${signal}); restarting in 5s`);
+		log$13.warn(`gog exited (code=${code}, signal=${signal}); restarting in 5s`);
 		watcherProcess = null;
 		setTimeout(() => {
 			if (shuttingDown || !currentConfig) return;
@@ -1572,15 +1572,15 @@ async function startGmailWatcher(cfg) {
 			port: runtimeConfig.serve.port,
 			target: runtimeConfig.tailscale.target
 		});
-		log$10.info(`tailscale ${runtimeConfig.tailscale.mode} configured for port ${runtimeConfig.serve.port}`);
+		log$13.info(`tailscale ${runtimeConfig.tailscale.mode} configured for port ${runtimeConfig.serve.port}`);
 	} catch (err) {
-		log$10.error(`tailscale setup failed: ${String(err)}`);
+		log$13.error(`tailscale setup failed: ${String(err)}`);
 		return {
 			started: false,
 			reason: `tailscale setup failed: ${String(err)}`
 		};
 	}
-	if (!await startGmailWatch(runtimeConfig)) log$10.warn("gmail watch start failed, but continuing with serve");
+	if (!await startGmailWatch(runtimeConfig)) log$13.warn("gmail watch start failed, but continuing with serve");
 	shuttingDown = false;
 	watcherProcess = spawnGogServe(runtimeConfig);
 	const renewMs = runtimeConfig.renewEveryMinutes * 6e4;
@@ -1588,7 +1588,7 @@ async function startGmailWatcher(cfg) {
 		if (shuttingDown) return;
 		startGmailWatch(runtimeConfig);
 	}, renewMs);
-	log$10.info(`gmail watcher started for ${runtimeConfig.account} (renew every ${runtimeConfig.renewEveryMinutes}m)`);
+	log$13.info(`gmail watcher started for ${runtimeConfig.account} (renew every ${runtimeConfig.renewEveryMinutes}m)`);
 	return { started: true };
 }
 /**
@@ -1601,7 +1601,7 @@ async function stopGmailWatcher() {
 		renewInterval = null;
 	}
 	if (watcherProcess) {
-		log$10.info("stopping gmail watcher");
+		log$13.info("stopping gmail watcher");
 		watcherProcess.kill("SIGTERM");
 		await new Promise((resolve) => {
 			const timeout = setTimeout(() => {
@@ -1616,7 +1616,7 @@ async function stopGmailWatcher() {
 		watcherProcess = null;
 	}
 	currentConfig = null;
-	log$10.info("gmail watcher stopped");
+	log$13.info("gmail watcher stopped");
 }
 //#endregion
@@ -4894,6 +4894,8 @@ const BASE_METHODS = [
 	"anima.registration.status",
 	"anima.registration.set-token",
 	"anima.registration.register-invite",
+	"ico.metrics.get",
+	"impact.footprint.get",
 	"health",
 	"logs.tail",
 	"channels.status",
@@ -4978,7 +4980,14 @@ const BASE_METHODS = [
 	"agent",
 	"agent.identity.get",
 	"agent.wait",
+	"browser.capabilities.get",
 	"browser.request",
+	"desktop.control.session.create",
+	"desktop.control.session.list",
+	"desktop.control.session.get",
+	"desktop.control.session.approve",
+	"desktop.control.session.close",
+	"desktop.control.session.request",
 	"chat.history",
 	"chat.abort",
 	"chat.send"
@@ -8260,6 +8269,44 @@ function safeParseJson(value) {
 //#endregion
 //#region src/gateway/server-methods/browser.ts
+const DESKTOP_CONTROL_DEFAULT_TTL_MS = 900 * 1e3;
+const DESKTOP_CONTROL_MIN_TTL_MS = 60 * 1e3;
+const DESKTOP_CONTROL_MAX_TTL_MS = 14400 * 1e3;
+const DESKTOP_CONTROL_MAX_REASON_LEN = 240;
+const DESKTOP_CONTROL_AUDIT_MAX_EVENTS = 200;
+const DESKTOP_CONTROL_RETENTION_MS = 7200 * 1e3;
+const DESKTOP_CONTROL_DEFAULT_ALLOWED_METHODS = ["GET"];
+const DESKTOP_CONTROL_ALLOWED_METHODS = [
+	"GET",
+	"POST",
+	"DELETE"
+];
+const DESKTOP_CONTROL_DEFAULT_MAX_REQUESTS = 40;
+const DESKTOP_CONTROL_MIN_MAX_REQUESTS = 1;
+const DESKTOP_CONTROL_MAX_MAX_REQUESTS = 500;
+const DESKTOP_CONTROL_MAX_NOTE_LEN = 500;
+const DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN = 8;
+const DESKTOP_CONTROL_LIST_MIN_LIMIT = 1;
+const DESKTOP_CONTROL_LIST_MAX_LIMIT = 500;
+const DESKTOP_CONTROL_LIST_MIN_OFFSET = 0;
+const DESKTOP_CONTROL_LIST_MAX_OFFSET = 1e4;
+const BROWSER_REQUEST_MIN_TIMEOUT_MS = 1;
+const BROWSER_REQUEST_MAX_TIMEOUT_MS = 12e4;
+const DESKTOP_CONTROL_SESSION_STATES = [
+	"pending_approval",
+	"active",
+	"denied",
+	"closed",
+	"expired"
+];
+const DESKTOP_CONTROL_SESSION_DECISIONS = [
+	"pending",
+	"allow",
+	"deny"
+];
+const DESKTOP_CONTROL_SESSION_ROUTE_KINDS = ["local", "node"];
+const DESKTOP_CONTROL_SESSION_RISK_LEVELS = ["standard", "elevated"];
+const desktopControlSessions = /* @__PURE__ */ new Map();
 function isBrowserNode(node) {
 	const caps = Array.isArray(node.caps) ? node.caps : [];
 	const commands = Array.isArray(node.commands) ? node.commands : [];
@@ -8309,100 +8356,1290 @@ async function persistProxyFiles(files) {
 function applyProxyPaths(result, mapping) {
 	applyBrowserProxyPaths(result, mapping);
 }
-const browserHandlers = { "browser.request": async ({ params, respond, context }) => {
-	const typed = params;
-	const methodRaw = typeof typed.method === "string" ? typed.method.trim().toUpperCase() : "";
-	const path = typeof typed.path === "string" ? typed.path.trim() : "";
-	const query = typed.query && typeof typed.query === "object" ? typed.query : void 0;
-	const body = typed.body;
-	const timeoutMs = typeof typed.timeoutMs === "number" && Number.isFinite(typed.timeoutMs) ? Math.max(1, Math.floor(typed.timeoutMs)) : void 0;
-	if (!methodRaw || !path) {
-		respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "method and path are required"));
-		return;
+function toNodeSummary(node) {
+	return {
+		nodeId: node.nodeId,
+		displayName: node.displayName ?? null,
+		remoteIp: node.remoteIp ?? null
+	};
+}
+function hasValue(value) {
+	return typeof value === "string" && value.trim().length > 0;
+}
+function resolveGatewayAuthMode(cfg) {
+	const configuredMode = cfg.gateway?.auth?.mode;
+	if (configuredMode === "token" || configuredMode === "password" || configuredMode === "trusted-proxy") return configuredMode;
+	if (hasValue(cfg.gateway?.auth?.token)) return "token";
+	if (hasValue(cfg.gateway?.auth?.password)) return "password";
+	if (hasValue(cfg.gateway?.auth?.trustedProxy?.userHeader)) return "trusted-proxy";
+	return "none";
+}
+function resolveClientActor(client) {
+	const displayName = client?.connect?.client?.displayName;
+	if (typeof displayName === "string" && displayName.trim().length > 0) return displayName.trim();
+	const clientId = client?.connect?.client?.id;
+	if (typeof clientId === "string" && clientId.trim().length > 0) return clientId.trim();
+	const deviceId = client?.connect?.device?.id;
+	if (typeof deviceId === "string" && deviceId.trim().length > 0) return deviceId.trim();
+	return null;
+}
+function hasOperatorScope(client, scope) {
+	const scopes = Array.isArray(client?.connect?.scopes) ? client?.connect?.scopes : [];
+	return scopes.includes("operator.admin") || scopes.includes(scope);
+}
+function normalizeDesktopSessionTtl(input) {
+	if (typeof input !== "number" || !Number.isFinite(input)) return DESKTOP_CONTROL_DEFAULT_TTL_MS;
+	return Math.min(DESKTOP_CONTROL_MAX_TTL_MS, Math.max(DESKTOP_CONTROL_MIN_TTL_MS, Math.floor(input)));
+}
+function normalizeDesktopSessionReason(input) {
+	if (typeof input !== "string") return "Desktop control session";
+	const trimmed = input.trim();
+	if (!trimmed) return "Desktop control session";
+	return trimmed.slice(0, DESKTOP_CONTROL_MAX_REASON_LEN);
+}
+function normalizeDesktopSessionNote(input) {
+	if (typeof input !== "string") return null;
+	const trimmed = input.trim();
+	if (!trimmed) return null;
+	return trimmed.slice(0, DESKTOP_CONTROL_MAX_NOTE_LEN);
+}
+function hasDecisionRationale(note) {
+	return typeof note === "string" && note.length >= DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN;
+}
+function isDesktopControlSessionState(value) {
+	return typeof value === "string" && DESKTOP_CONTROL_SESSION_STATES.includes(value);
+}
+function isDesktopControlApprovalDecision(value) {
+	return typeof value === "string" && DESKTOP_CONTROL_SESSION_DECISIONS.includes(value);
+}
+function isDesktopControlSessionRouteKind(value) {
+	return typeof value === "string" && DESKTOP_CONTROL_SESSION_ROUTE_KINDS.includes(value);
+}
+function isDesktopControlSessionRiskLevel(value) {
+	return typeof value === "string" && DESKTOP_CONTROL_SESSION_RISK_LEVELS.includes(value);
+}
+function parseDesktopSessionMethod(value) {
+	const method = value.trim().toUpperCase();
+	if (DESKTOP_CONTROL_ALLOWED_METHODS.includes(method)) return method;
+	return null;
+}
+function normalizeDesktopSessionAllowMethods(input) {
+	if (!Array.isArray(input)) return [...DESKTOP_CONTROL_DEFAULT_ALLOWED_METHODS];
+	const normalized = [];
+	for (const entry of input) {
+		if (typeof entry !== "string") continue;
+		const method = parseDesktopSessionMethod(entry);
+		if (method && !normalized.includes(method)) normalized.push(method);
 	}
-	if (methodRaw !== "GET" && methodRaw !== "POST" && methodRaw !== "DELETE") {
-		respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "method must be GET, POST, or DELETE"));
-		return;
+	if (normalized.length === 0) return [...DESKTOP_CONTROL_DEFAULT_ALLOWED_METHODS];
+	return normalized;
+}
+function normalizeDesktopSessionMaxRequests(input) {
+	if (typeof input !== "number" || !Number.isFinite(input)) return DESKTOP_CONTROL_DEFAULT_MAX_REQUESTS;
+	return Math.min(DESKTOP_CONTROL_MAX_MAX_REQUESTS, Math.max(DESKTOP_CONTROL_MIN_MAX_REQUESTS, Math.floor(input)));
+}
+function resolveDesktopSessionRisk(controls) {
+	const reasons = [];
+	if (controls.allowMethods.some((method) => method !== "GET")) reasons.push("write methods enabled (POST/DELETE)");
+	if (controls.maxRequests > DESKTOP_CONTROL_DEFAULT_MAX_REQUESTS) reasons.push(`request budget exceeds standard (${controls.maxRequests} > ${DESKTOP_CONTROL_DEFAULT_MAX_REQUESTS})`);
+	return {
+		level: reasons.length > 0 ? "elevated" : "standard",
+		reasons
+	};
+}
+function validateDesktopControlSessionCreateParams(params) {
+	if (params.reason !== void 0 && typeof params.reason !== "string") return errorShape(ErrorCodes.INVALID_REQUEST, `invalid reason: ${String(params.reason)}`, { details: { expectedType: "string" } });
+	if (params.ttlMs !== void 0) {
+		if (typeof params.ttlMs !== "number" || !Number.isFinite(params.ttlMs) || !Number.isInteger(params.ttlMs) || params.ttlMs < DESKTOP_CONTROL_MIN_TTL_MS || params.ttlMs > DESKTOP_CONTROL_MAX_TTL_MS) return errorShape(ErrorCodes.INVALID_REQUEST, `invalid ttlMs: ${String(params.ttlMs)}`, { details: {
+			minTtlMs: DESKTOP_CONTROL_MIN_TTL_MS,
+			maxTtlMs: DESKTOP_CONTROL_MAX_TTL_MS
+		} });
 	}
-	const cfg = loadConfig();
-	let nodeTarget = null;
+	if (params.nodeId !== void 0 && typeof params.nodeId !== "string") return errorShape(ErrorCodes.INVALID_REQUEST, `invalid nodeId: ${String(params.nodeId)}`, { details: { expectedType: "string" } });
+	if (typeof params.nodeId === "string" && !params.nodeId.trim()) return errorShape(ErrorCodes.INVALID_REQUEST, "invalid nodeId: must not be empty");
+	if (params.allowMethods !== void 0) {
+		if (!Array.isArray(params.allowMethods)) return errorShape(ErrorCodes.INVALID_REQUEST, `invalid allowMethods: ${String(params.allowMethods)}`, { details: {
+			expectedType: "string[]",
+			allowedMethods: DESKTOP_CONTROL_ALLOWED_METHODS
+		} });
+		if (params.allowMethods.length === 0) return errorShape(ErrorCodes.INVALID_REQUEST, "allowMethods must include at least one method", { details: { allowedMethods: DESKTOP_CONTROL_ALLOWED_METHODS } });
+		for (let i = 0; i < params.allowMethods.length; i += 1) {
+			const entry = params.allowMethods[i];
+			if (typeof entry !== "string") return errorShape(ErrorCodes.INVALID_REQUEST, `invalid allowMethods[${i}]: ${String(entry)}`, { details: {
+				expectedType: "string",
+				allowedMethods: DESKTOP_CONTROL_ALLOWED_METHODS
+			} });
+			if (!parseDesktopSessionMethod(entry)) return errorShape(ErrorCodes.INVALID_REQUEST, `invalid allowMethods[${i}]: ${entry.trim() || "<empty>"}`, { details: { allowedMethods: DESKTOP_CONTROL_ALLOWED_METHODS } });
+		}
+	}
+	if (params.maxRequests !== void 0) {
+		if (typeof params.maxRequests !== "number" || !Number.isFinite(params.maxRequests) || !Number.isInteger(params.maxRequests) || params.maxRequests < DESKTOP_CONTROL_MIN_MAX_REQUESTS || params.maxRequests > DESKTOP_CONTROL_MAX_MAX_REQUESTS) return errorShape(ErrorCodes.INVALID_REQUEST, `invalid maxRequests: ${String(params.maxRequests)}`, { details: {
+			minMaxRequests: DESKTOP_CONTROL_MIN_MAX_REQUESTS,
+			maxMaxRequests: DESKTOP_CONTROL_MAX_MAX_REQUESTS
+		} });
+	}
+	return null;
+}
+function appendDesktopControlAudit(session, event) {
+	const next = {
+		id: crypto.randomUUID(),
+		ts: typeof event.ts === "number" && Number.isFinite(event.ts) ? event.ts : Date.now(),
+		type: event.type,
+		actor: event.actor,
+		details: event.details
+	};
+	session.audit.push(next);
+	if (session.audit.length > DESKTOP_CONTROL_AUDIT_MAX_EVENTS) session.audit.splice(0, session.audit.length - DESKTOP_CONTROL_AUDIT_MAX_EVENTS);
+}
+function toDesktopControlSessionSnapshot(session, includeAudit = false) {
+	return {
+		id: session.id,
+		reason: session.reason,
+		createdAtMs: session.createdAtMs,
+		expiresAtMs: session.expiresAtMs,
+		state: session.state,
+		route: session.route.kind === "node" ? {
+			kind: "node",
+			node: { ...session.route.node }
+		} : session.route,
+		approval: { ...session.approval },
+		controls: {
+			allowMethods: [...session.controls.allowMethods],
+			maxRequests: session.controls.maxRequests
+		},
+		risk: {
+			level: session.risk.level,
+			reasons: [...session.risk.reasons]
+		},
+		requestCount: session.requestCount,
+		lastRequestAtMs: session.lastRequestAtMs,
+		closedAtMs: session.closedAtMs,
+		audit: includeAudit ? session.audit.map((entry) => ({ ...entry })) : void 0
+	};
+}
+function broadcastDesktopControlSessionEvent(params) {
+	const latestAudit = params.session.audit[params.session.audit.length - 1];
+	params.context.broadcast("desktop.control.session.updated", {
+		ts: Date.now(),
+		action: params.action,
+		actor: params.actor,
+		details: params.details,
+		session: toDesktopControlSessionSnapshot(params.session, false),
+		latestAudit: latestAudit ? { ...latestAudit } : null
+	}, { dropIfSlow: true });
+}
+function pruneDesktopControlSessions(params) {
+	const now = params?.now ?? Date.now();
+	const context = params?.context;
+	for (const session of desktopControlSessions.values()) if ((session.state === "pending_approval" || session.state === "active") && session.expiresAtMs <= now) {
+		session.state = "expired";
+		session.closedAtMs = now;
+		appendDesktopControlAudit(session, {
+			type: "session.expired",
+			actor: "system"
+		});
+		if (context) broadcastDesktopControlSessionEvent({
+			context,
+			action: "expired",
+			session,
+			actor: "system"
+		});
+	}
+	for (const [id, session] of desktopControlSessions.entries()) if ((session.state === "closed" || session.state === "denied" || session.state === "expired") && session.closedAtMs && now - session.closedAtMs > DESKTOP_CONTROL_RETENTION_MS) desktopControlSessions.delete(id);
+}
+function normalizeBrowserRequest(params) {
+	const methodRaw = typeof params.method === "string" ? params.method.trim().toUpperCase() : "";
+	const path = typeof params.path === "string" ? params.path.trim() : "";
+	const queryRaw = params.query;
+	const body = params.body;
+	const timeoutRaw = params.timeoutMs;
+	if (!methodRaw || !path) return {
+		ok: false,
+		error: errorShape(ErrorCodes.INVALID_REQUEST, "method and path are required")
+	};
+	if (methodRaw !== "GET" && methodRaw !== "POST" && methodRaw !== "DELETE") return {
+		ok: false,
+		error: errorShape(ErrorCodes.INVALID_REQUEST, "method must be GET, POST, or DELETE")
+	};
+	if (!path.startsWith("/")) return {
+		ok: false,
+		error: errorShape(ErrorCodes.INVALID_REQUEST, "path must start with /")
+	};
+	if (queryRaw !== void 0) {
+		if (!isPlainObjectRecord(queryRaw)) return {
+			ok: false,
+			error: errorShape(ErrorCodes.INVALID_REQUEST, `invalid query: ${String(queryRaw)}`, { details: { expectedType: "object" } })
+		};
+		const queryIssue = findFirstJsonSerializationIssue(queryRaw, "query");
+		if (queryIssue) return {
+			ok: false,
+			error: errorShape(ErrorCodes.INVALID_REQUEST, `invalid query: non-json-serializable value at ${queryIssue.path}`, { details: {
+				expectedType: "json-serializable",
+				actualType: queryIssue.actualType,
+				path: queryIssue.path
+			} })
+		};
+	}
+	if (body !== void 0) {
+		const bodyIssue = findFirstJsonSerializationIssue(body, "body");
+		if (bodyIssue) return {
+			ok: false,
+			error: errorShape(ErrorCodes.INVALID_REQUEST, `invalid body: non-json-serializable value at ${bodyIssue.path}`, { details: {
+				expectedType: "json-serializable",
+				actualType: bodyIssue.actualType,
+				path: bodyIssue.path
+			} })
+		};
+	}
+	if (timeoutRaw !== void 0) {
+		if (typeof timeoutRaw !== "number" || !Number.isFinite(timeoutRaw) || !Number.isInteger(timeoutRaw) || timeoutRaw < BROWSER_REQUEST_MIN_TIMEOUT_MS || timeoutRaw > BROWSER_REQUEST_MAX_TIMEOUT_MS) return {
+			ok: false,
+			error: errorShape(ErrorCodes.INVALID_REQUEST, `invalid timeoutMs: ${String(timeoutRaw)}`, { details: {
+				expectedType: "integer",
+				minTimeoutMs: BROWSER_REQUEST_MIN_TIMEOUT_MS,
+				maxTimeoutMs: BROWSER_REQUEST_MAX_TIMEOUT_MS
+			} })
+		};
+	}
+	return {
+		ok: true,
+		request: {
+			methodRaw,
+			path,
+			query: queryRaw,
+			body,
+			timeoutMs: typeof timeoutRaw === "number" ? Math.floor(timeoutRaw) : void 0
+		}
+	};
+}
+async function dispatchBrowserRequest(params) {
+	const { cfg, request, context, nodeTarget } = params;
+	if (nodeTarget) {
+		const allowlist = resolveNodeCommandAllowlist(cfg, nodeTarget);
+		const allowed = isNodeCommandAllowed({
+			command: "browser.proxy",
+			declaredCommands: nodeTarget.commands,
+			allowlist
+		});
+		if (!allowed.ok) return {
+			ok: false,
+			route: "node",
+			nodeId: nodeTarget.nodeId,
+			status: 403,
+			error: errorShape(ErrorCodes.INVALID_REQUEST, "node command not allowed", { details: {
+				reason: allowed.reason,
+				command: "browser.proxy"
+			} })
+		};
+		const proxyParams = {
+			method: request.methodRaw,
+			path: request.path,
+			query: request.query,
+			body: request.body,
+			timeoutMs: request.timeoutMs,
+			profile: typeof request.query?.profile === "string" ? request.query.profile : void 0
+		};
+		const res = await context.nodeRegistry.invoke({
+			nodeId: nodeTarget.nodeId,
+			command: "browser.proxy",
+			params: proxyParams,
+			timeoutMs: request.timeoutMs,
+			idempotencyKey: crypto.randomUUID()
+		});
+		if (!res.ok) return {
+			ok: false,
+			route: "node",
+			nodeId: nodeTarget.nodeId,
+			status: 503,
+			error: errorShape(ErrorCodes.UNAVAILABLE, res.error?.message ?? "node invoke failed", { details: { nodeError: res.error ?? null } })
+		};
+		const payload = res.payloadJSON ? safeParseJson(res.payloadJSON) : res.payload;
+		const proxy = payload && typeof payload === "object" ? payload : null;
+		if (!proxy || !("result" in proxy)) return {
+			ok: false,
+			route: "node",
+			nodeId: nodeTarget.nodeId,
+			status: 503,
+			error: errorShape(ErrorCodes.UNAVAILABLE, "browser proxy failed")
+		};
+		const mapping = await persistProxyFiles(proxy.files);
+		applyProxyPaths(proxy.result, mapping);
+		return {
+			ok: true,
+			route: "node",
+			nodeId: nodeTarget.nodeId,
+			status: 200,
+			payload: proxy.result
+		};
+	}
+	if (!await startBrowserControlServiceFromConfig()) return {
+		ok: false,
+		route: "local",
+		nodeId: null,
+		status: 503,
+		error: errorShape(ErrorCodes.UNAVAILABLE, "browser control is disabled")
+	};
+	let dispatcher;
 	try {
-		nodeTarget = resolveBrowserNodeTarget({
+		dispatcher = createBrowserRouteDispatcher(createBrowserControlContext());
+	} catch (err) {
+		return {
+			ok: false,
+			route: "local",
+			nodeId: null,
+			status: 503,
+			error: errorShape(ErrorCodes.UNAVAILABLE, String(err))
+		};
+	}
+	const result = await dispatcher.dispatch({
+		method: request.methodRaw,
+		path: request.path,
+		query: request.query,
+		body: request.body
+	});
+	if (result.status >= 400) {
+		const message = result.body && typeof result.body === "object" && "error" in result.body ? String(result.body.error) : `browser request failed (${result.status})`;
+		const code = result.status >= 500 ? ErrorCodes.UNAVAILABLE : ErrorCodes.INVALID_REQUEST;
+		return {
+			ok: false,
+			route: "local",
+			nodeId: null,
+			status: result.status,
+			error: errorShape(code, message, { details: result.body })
+		};
+	}
+	return {
+		ok: true,
+		route: "local",
+		nodeId: null,
+		status: result.status,
+		payload: result.body
+	};
+}
+function resolveDesktopSessionNodeTarget(params) {
+	if (params.session.route.kind !== "node") return null;
+	return params.nodes.find((node) => node.nodeId === params.session.route.node.nodeId && isBrowserNode(node)) ?? null;
+}
+function ensureDesktopSessionExists(idRaw) {
+	if (idRaw !== void 0 && typeof idRaw !== "string") return {
+		ok: false,
+		error: errorShape(ErrorCodes.INVALID_REQUEST, `invalid id: ${String(idRaw)}`, { details: { expectedType: "string" } })
+	};
+	const id = typeof idRaw === "string" ? idRaw.trim() : "";
+	if (!id) return {
+		ok: false,
+		error: errorShape(ErrorCodes.INVALID_REQUEST, "id is required")
+	};
+	const session = desktopControlSessions.get(id);
+	if (!session) return {
+		ok: false,
+		error: errorShape(ErrorCodes.INVALID_REQUEST, "unknown desktop control session id")
+	};
+	return {
+		ok: true,
+		session
+	};
+}
+function toParamValueType(value) {
+	if (value === null) return "null";
+	if (Array.isArray(value)) return "array";
+	return typeof value;
+}
+function isPlainObjectRecord(value) {
+	if (!value || typeof value !== "object" || Array.isArray(value)) return false;
+	const proto = Object.getPrototypeOf(value);
+	return proto === Object.prototype || proto === null;
+}
+function appendJsonPath(basePath, segment) {
+	if (/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(segment)) return `${basePath}.${segment}`;
+	return `${basePath}[${JSON.stringify(segment)}]`;
+}
+function findFirstJsonSerializationIssue(value, path, seen = /* @__PURE__ */ new Set()) {
+	if (value === null) return null;
+	const valueType = typeof value;
+	if (valueType === "number") {
+		if (!Number.isFinite(value)) return {
+			path,
+			actualType: "number(non-finite)"
+		};
+		return null;
+	}
+	if (valueType === "string" || valueType === "boolean") return null;
+	if (valueType === "undefined" || valueType === "function" || valueType === "symbol" || valueType === "bigint") return {
+		path,
+		actualType: valueType
+	};
+	if (Array.isArray(value)) {
+		if (seen.has(value)) return {
+			path,
+			actualType: "circular"
+		};
+		seen.add(value);
+		for (let i = 0; i < value.length; i += 1) {
+			const nestedIssue = findFirstJsonSerializationIssue(value[i], `${path}[${i}]`, seen);
+			if (nestedIssue) {
+				seen.delete(value);
+				return nestedIssue;
+			}
+		}
+		seen.delete(value);
+		return null;
+	}
+	if (!value || typeof value !== "object") return {
+		path,
+		actualType: valueType
+	};
+	if (!isPlainObjectRecord(value)) return {
+		path,
+		actualType: toParamValueType(value)
+	};
+	if (seen.has(value)) return {
+		path,
+		actualType: "circular"
+	};
+	seen.add(value);
+	for (const [key, entry] of Object.entries(value)) {
+		const nestedIssue = findFirstJsonSerializationIssue(entry, appendJsonPath(path, key), seen);
+		if (nestedIssue) {
+			seen.delete(value);
+			return nestedIssue;
+		}
+	}
+	seen.delete(value);
+	return null;
+}
+function normalizeObjectParams(params) {
+	if (params === void 0 || params === null) return {
+		ok: true,
+		value: {}
+	};
+	if (!isPlainObjectRecord(params)) return {
+		ok: false,
+		error: errorShape(ErrorCodes.INVALID_REQUEST, "invalid params: expected object", { details: {
+			expectedType: "object",
+			actualType: toParamValueType(params)
+		} })
+	};
+	return {
+		ok: true,
+		value: params
+	};
+}
+function buildBrowserCapabilitiesSnapshot(params) {
+	const browserEnabled = params.cfg.browser?.enabled !== false;
+	const evaluateEnabled = browserEnabled && params.cfg.browser?.evaluateEnabled !== false;
+	const mode = params.cfg.gateway?.nodes?.browser?.mode ?? "auto";
+	const pinnedNode = hasValue(params.cfg.gateway?.nodes?.browser?.node) ? String(params.cfg.gateway?.nodes?.browser?.node).trim() : null;
+	const availableNodes = params.nodes.filter((node) => isBrowserNode(node)).map(toNodeSummary);
+	const authMode = resolveGatewayAuthMode(params.cfg);
+	const authConfigured = hasValue(params.cfg.gateway?.auth?.token) || hasValue(params.cfg.gateway?.auth?.password) || authMode === "trusted-proxy";
+	let selectedNode = null;
+	let routingError = null;
+	try {
+		selectedNode = resolveBrowserNodeTarget(params);
+	} catch (error) {
+		routingError = String(error);
+	}
+	const activeRoute = !browserEnabled || mode === "off" ? "disabled" : routingError ? "error" : selectedNode ? "node" : "local";
+	const warnings = [];
+	if (browserEnabled && !authConfigured) warnings.push("Browser control is enabled without gateway auth. Configure gateway.auth.token or gateway.auth.password.");
+	if (mode === "manual" && !pinnedNode) warnings.push("Browser node routing is set to manual but no gateway.nodes.browser.node is pinned; routing will fall back to local browser control.");
+	if (availableNodes.length > 1 && mode === "auto" && !pinnedNode && !selectedNode) warnings.push("Multiple browser-capable nodes are connected; set gateway.nodes.browser.node to pin a target.");
+	if (routingError) warnings.push(routingError);
+	return {
+		browserEnabled,
+		evaluateEnabled,
+		auth: {
+			configured: authConfigured,
+			mode: authMode
+		},
+		routing: {
+			mode,
+			pinnedNode,
+			activeRoute,
+			selectedNode: selectedNode ? toNodeSummary(selectedNode) : null,
+			availableNodes,
+			error: routingError
+		},
+		warnings
+	};
+}
+const browserHandlers = {
+	"browser.capabilities.get": async ({ respond, context }) => {
+		try {
+			respond(true, buildBrowserCapabilitiesSnapshot({
+				cfg: loadConfig(),
+				nodes: context.nodeRegistry.listConnected()
+			}));
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+		}
+	},
+	"browser.request": async ({ params, respond, context }) => {
+		const normalized = normalizeBrowserRequest(params);
+		if (!normalized.ok) {
+			respond(false, void 0, normalized.error);
+			return;
+		}
+		const cfg = loadConfig();
+		let nodeTarget = null;
+		try {
+			nodeTarget = resolveBrowserNodeTarget({
+				cfg,
+				nodes: context.nodeRegistry.listConnected()
+			});
+		} catch (err) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(err)));
+			return;
+		}
+		const result = await dispatchBrowserRequest({
 			cfg,
-			nodes: context.nodeRegistry.listConnected()
+			request: normalized.request,
+			context,
+			nodeTarget
+		});
+		if (!result.ok) {
+			respond(false, void 0, result.error);
+			return;
+		}
+		respond(true, result.payload);
+	},
+	"desktop.control.session.create": async ({ params, respond, context, client }) => {
+		pruneDesktopControlSessions({ context });
+		if (!hasOperatorScope(client, "operator.write")) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "missing scope: operator.write"));
+			return;
+		}
+		const normalizedParams = normalizeObjectParams(params);
+		if (!normalizedParams.ok) {
+			respond(false, void 0, normalizedParams.error);
+			return;
+		}
+		const typed = normalizedParams.value;
+		const createValidationError = validateDesktopControlSessionCreateParams(typed);
+		if (createValidationError) {
+			respond(false, void 0, createValidationError);
+			return;
+		}
+		const cfg = loadConfig();
+		const connectedNodes = context.nodeRegistry.listConnected();
+		const browserNodes = connectedNodes.filter((node) => isBrowserNode(node));
+		const requestedNodeId = typeof typed.nodeId === "string" ? typed.nodeId.trim() : "";
+		const reason = normalizeDesktopSessionReason(typed.reason);
+		const ttlMs = normalizeDesktopSessionTtl(typed.ttlMs);
+		const allowMethods = normalizeDesktopSessionAllowMethods(typed.allowMethods);
+		const maxRequests = normalizeDesktopSessionMaxRequests(typed.maxRequests);
+		const risk = resolveDesktopSessionRisk({
+			allowMethods,
+			maxRequests
+		});
+		const now = Date.now();
+		const actor = resolveClientActor(client);
+		const snapshot = buildBrowserCapabilitiesSnapshot({
+			cfg,
+			nodes: connectedNodes
+		});
+		if (!snapshot.browserEnabled || snapshot.routing.mode === "off") {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, "browser control is disabled"));
+			return;
+		}
+		let routeNode = null;
+		try {
+			if (requestedNodeId) {
+				routeNode = resolveBrowserNode(browserNodes, requestedNodeId);
+				if (!routeNode) {
+					respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `requested browser node is not connected: ${requestedNodeId}`));
+					return;
+				}
+			} else routeNode = resolveBrowserNodeTarget({
+				cfg,
+				nodes: connectedNodes
+			});
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+			return;
+		}
+		const id = crypto.randomUUID();
+		const session = {
+			id,
+			reason,
+			createdAtMs: now,
+			expiresAtMs: now + ttlMs,
+			state: "pending_approval",
+			route: routeNode ? {
+				kind: "node",
+				node: toNodeSummary(routeNode)
+			} : {
+				kind: "local",
+				node: null
+			},
+			approval: {
+				required: true,
+				decision: "pending",
+				requestedAtMs: now,
+				requestedBy: actor,
+				decidedAtMs: null,
+				decidedBy: null,
+				note: null
+			},
+			controls: {
+				allowMethods,
+				maxRequests
+			},
+			risk,
+			requestCount: 0,
+			inFlightRequestCount: 0,
+			lastRequestAtMs: null,
+			closedAtMs: null,
+			audit: []
+		};
+		appendDesktopControlAudit(session, {
+			type: "session.created",
+			actor,
+			details: {
+				reason: session.reason,
+				route: session.route.kind,
+				nodeId: session.route.kind === "node" ? session.route.node.nodeId : null,
+				expiresAtMs: session.expiresAtMs,
+				allowMethods: session.controls.allowMethods,
+				maxRequests: session.controls.maxRequests,
+				riskLevel: session.risk.level,
+				riskReasons: session.risk.reasons
+			}
+		});
+		desktopControlSessions.set(id, session);
+		broadcastDesktopControlSessionEvent({
+			context,
+			action: "created",
+			session,
+			actor
+		});
+		respond(true, toDesktopControlSessionSnapshot(session, true));
+	},
+	"desktop.control.session.list": async ({ params, respond, context, client }) => {
+		pruneDesktopControlSessions({ context });
+		if (!hasOperatorScope(client, "operator.read")) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "missing scope: operator.read"));
+			return;
+		}
+		const normalizedParams = normalizeObjectParams(params);
+		if (!normalizedParams.ok) {
+			respond(false, void 0, normalizedParams.error);
+			return;
+		}
+		const typed = normalizedParams.value;
+		const includeAuditRaw = typed.includeAudit;
+		if (includeAuditRaw !== void 0 && typeof includeAuditRaw !== "boolean") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid includeAudit filter: ${String(includeAuditRaw)}`, { details: { expectedType: "boolean" } }));
+			return;
+		}
+		const includeAudit = includeAuditRaw === true;
+		const stateInput = typed.state;
+		if (stateInput !== void 0 && typeof stateInput !== "string") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid state filter: ${String(stateInput)}`, { details: { allowedStates: DESKTOP_CONTROL_SESSION_STATES } }));
+			return;
+		}
+		const stateRawInput = typeof stateInput === "string" ? stateInput.trim() : "";
+		const stateRaw = stateRawInput ? stateRawInput.toLowerCase() : "";
+		if (stateRaw && !isDesktopControlSessionState(stateRaw)) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid state filter: ${stateRawInput}`, { details: { allowedStates: DESKTOP_CONTROL_SESSION_STATES } }));
+			return;
+		}
+		const decisionInput = typed.decision;
+		if (decisionInput !== void 0 && typeof decisionInput !== "string") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid decision filter: ${String(decisionInput)}`, { details: { allowedDecisions: DESKTOP_CONTROL_SESSION_DECISIONS } }));
+			return;
+		}
+		const decisionRawInput = typeof decisionInput === "string" ? decisionInput.trim() : "";
+		const decisionRaw = decisionRawInput ? decisionRawInput.toLowerCase() : "";
+		if (decisionRaw && !isDesktopControlApprovalDecision(decisionRaw)) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid decision filter: ${decisionRawInput}`, { details: { allowedDecisions: DESKTOP_CONTROL_SESSION_DECISIONS } }));
+			return;
+		}
+		const routeInput = typed.route;
+		if (routeInput !== void 0 && typeof routeInput !== "string") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid route filter: ${String(routeInput)}`, { details: { allowedRouteKinds: DESKTOP_CONTROL_SESSION_ROUTE_KINDS } }));
+			return;
+		}
+		const routeRawInput = typeof routeInput === "string" ? routeInput.trim() : "";
+		const routeRaw = routeRawInput ? routeRawInput.toLowerCase() : "";
+		if (routeRaw && !isDesktopControlSessionRouteKind(routeRaw)) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid route filter: ${routeRawInput}`, { details: { allowedRouteKinds: DESKTOP_CONTROL_SESSION_ROUTE_KINDS } }));
+			return;
+		}
+		const riskLevelInput = typed.riskLevel;
+		if (riskLevelInput !== void 0 && typeof riskLevelInput !== "string") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid riskLevel filter: ${String(riskLevelInput)}`, { details: { allowedRiskLevels: DESKTOP_CONTROL_SESSION_RISK_LEVELS } }));
+			return;
+		}
+		const riskLevelRawInput = typeof riskLevelInput === "string" ? riskLevelInput.trim() : "";
+		const riskLevelRaw = riskLevelRawInput ? riskLevelRawInput.toLowerCase() : "";
+		if (riskLevelRaw && !isDesktopControlSessionRiskLevel(riskLevelRaw)) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid riskLevel filter: ${riskLevelRawInput}`, { details: { allowedRiskLevels: DESKTOP_CONTROL_SESSION_RISK_LEVELS } }));
+			return;
+		}
+		const nodeIdInput = typed.nodeId;
+		if (nodeIdInput !== void 0 && typeof nodeIdInput !== "string") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid nodeId filter: ${String(nodeIdInput)}`));
+			return;
+		}
+		const nodeIdRawInput = typeof nodeIdInput === "string" ? nodeIdInput.trim() : "";
+		const nodeIdFilterKey = nodeIdRawInput ? normalizeNodeKey(nodeIdRawInput) : "";
+		if (nodeIdRawInput && !nodeIdFilterKey) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid nodeId filter: ${nodeIdRawInput}`));
+			return;
+		}
+		if (routeRaw === "local" && nodeIdRawInput) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "nodeId filter requires route=node (or omit route to match node-routed sessions)"));
+			return;
+		}
+		const limitRaw = typed.limit;
+		if (limitRaw !== void 0) {
+			if (typeof limitRaw !== "number" || !Number.isInteger(limitRaw) || limitRaw < DESKTOP_CONTROL_LIST_MIN_LIMIT || limitRaw > DESKTOP_CONTROL_LIST_MAX_LIMIT) {
+				respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid limit filter: ${String(limitRaw)}`, { details: {
+					minLimit: DESKTOP_CONTROL_LIST_MIN_LIMIT,
+					maxLimit: DESKTOP_CONTROL_LIST_MAX_LIMIT
+				} }));
+				return;
+			}
+		}
+		const offsetRaw = typed.offset;
+		if (offsetRaw !== void 0) {
+			if (typeof offsetRaw !== "number" || !Number.isInteger(offsetRaw) || offsetRaw < DESKTOP_CONTROL_LIST_MIN_OFFSET || offsetRaw > DESKTOP_CONTROL_LIST_MAX_OFFSET) {
+				respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid offset filter: ${String(offsetRaw)}`, { details: {
+					minOffset: DESKTOP_CONTROL_LIST_MIN_OFFSET,
+					maxOffset: DESKTOP_CONTROL_LIST_MAX_OFFSET
+				} }));
+				return;
+			}
+		}
+		const state = stateRaw || void 0;
+		const decision = decisionRaw || void 0;
+		const route = routeRaw || void 0;
+		const riskLevel = riskLevelRaw || void 0;
+		const nodeId = nodeIdFilterKey || void 0;
+		const limit = typeof limitRaw === "number" ? limitRaw : void 0;
+		const offset = typeof offsetRaw === "number" ? offsetRaw : 0;
+		const filtered = Array.from(desktopControlSessions.values()).filter((entry) => {
+			if (state && entry.state !== state) return false;
+			if (decision && entry.approval.decision !== decision) return false;
+			if (route && entry.route.kind !== route) return false;
+			if (riskLevel && entry.risk.level !== riskLevel) return false;
+			if (nodeId && (entry.route.kind !== "node" || normalizeNodeKey(entry.route.node.nodeId) !== nodeId)) return false;
+			return true;
+		}).toSorted((a, b) => b.createdAtMs - a.createdAtMs);
+		const total = filtered.length;
+		const sliceEnd = limit === void 0 ? void 0 : offset + limit;
+		const sessions = filtered.slice(offset, sliceEnd).map((entry) => toDesktopControlSessionSnapshot(entry, includeAudit));
+		const returned = sessions.length;
+		const hasMore = offset + returned < total;
+		respond(true, {
+			ts: Date.now(),
+			total,
+			returned,
+			offset,
+			nextOffset: hasMore ? offset + returned : null,
+			truncated: offset > 0 || hasMore,
+			sessions
+		});
+	},
+	"desktop.control.session.get": async ({ params, respond, context, client }) => {
+		pruneDesktopControlSessions({ context });
+		if (!hasOperatorScope(client, "operator.read")) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "missing scope: operator.read"));
+			return;
+		}
+		const normalizedParams = normalizeObjectParams(params);
+		if (!normalizedParams.ok) {
+			respond(false, void 0, normalizedParams.error);
+			return;
+		}
+		const typed = normalizedParams.value;
+		const includeAuditRaw = typed.includeAudit;
+		if (includeAuditRaw !== void 0 && typeof includeAuditRaw !== "boolean") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid includeAudit filter: ${String(includeAuditRaw)}`, { details: { expectedType: "boolean" } }));
+			return;
+		}
+		const found = ensureDesktopSessionExists(typed.id);
+		if (!found.ok) {
+			respond(false, void 0, found.error);
+			return;
+		}
+		respond(true, toDesktopControlSessionSnapshot(found.session, includeAuditRaw === true));
+	},
+	"desktop.control.session.approve": async ({ params, respond, client, context }) => {
+		pruneDesktopControlSessions({ context });
+		if (!hasOperatorScope(client, "operator.approvals")) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "missing scope: operator.approvals"));
+			return;
+		}
+		const normalizedParams = normalizeObjectParams(params);
+		if (!normalizedParams.ok) {
+			respond(false, void 0, normalizedParams.error);
+			return;
+		}
+		const typed = normalizedParams.value;
+		const found = ensureDesktopSessionExists(typed.id);
+		if (!found.ok) {
+			respond(false, void 0, found.error);
+			return;
+		}
+		const session = found.session;
+		if (session.state !== "pending_approval") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `session is not pending approval (state: ${session.state})`, { details: {
+				state: session.state,
+				decision: session.approval.decision,
+				expiresAtMs: session.expiresAtMs
+			} }));
+			return;
+		}
+		if (session.expiresAtMs <= Date.now()) {
+			session.state = "expired";
+			session.closedAtMs = Date.now();
+			appendDesktopControlAudit(session, {
+				type: "session.expired",
+				actor: "system"
+			});
+			broadcastDesktopControlSessionEvent({
+				context,
+				action: "expired",
+				session,
+				actor: "system"
+			});
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "session has expired", { details: {
+				state: session.state,
+				decision: session.approval.decision,
+				expiresAtMs: session.expiresAtMs
+			} }));
+			return;
+		}
+		const decisionRaw = typeof typed.decision === "string" ? typed.decision.trim().toLowerCase() : "";
+		if (decisionRaw !== "allow" && decisionRaw !== "deny") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "decision must be allow or deny"));
+			return;
+		}
+		if (decisionRaw === "allow" && session.route.kind === "node") {
+			if (!resolveDesktopSessionNodeTarget({
+				session,
+				nodes: context.nodeRegistry.listConnected()
+			})) {
+				respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, `pinned browser node is not connected: ${session.route.node.nodeId}`, { details: {
+					nodeId: session.route.node.nodeId,
+					state: session.state,
+					decision: session.approval.decision,
+					expiresAtMs: session.expiresAtMs,
+					requestCount: session.requestCount,
+					maxRequests: session.controls.maxRequests
+				} }));
+				return;
+			}
+		}
+		if (typed.note !== void 0 && typeof typed.note !== "string") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid note: ${String(typed.note)}`, { details: { expectedType: "string" } }));
+			return;
+		}
+		const note = normalizeDesktopSessionNote(typed.note);
+		if (decisionRaw === "allow" && session.risk.level === "elevated" && !hasDecisionRationale(note)) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `note must be at least ${DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN} characters when approving elevated-risk desktop control sessions`, { details: {
+				riskLevel: session.risk.level,
+				riskReasons: session.risk.reasons,
+				minNoteLength: DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN
+			} }));
+			return;
+		}
+		if (decisionRaw === "deny" && !hasDecisionRationale(note)) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `note must be at least ${DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN} characters when denying desktop control sessions`, { details: { minNoteLength: DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN } }));
+			return;
+		}
+		const actor = resolveClientActor(client);
+		const now = Date.now();
+		session.approval.decision = decisionRaw;
+		session.approval.decidedAtMs = now;
+		session.approval.decidedBy = actor;
+		session.approval.note = note;
+		session.state = decisionRaw === "allow" ? "active" : "denied";
+		if (session.state === "denied") session.closedAtMs = now;
+		appendDesktopControlAudit(session, {
+			type: decisionRaw === "allow" ? "session.approved" : "session.denied",
+			actor,
+			details: { note: session.approval.note }
 		});
-	} catch (err) {
-		respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(err)));
-		return;
-	}
-	if (nodeTarget) {
-		const allowlist = resolveNodeCommandAllowlist(cfg, nodeTarget);
-		const allowed = isNodeCommandAllowed({
-			command: "browser.proxy",
-			declaredCommands: nodeTarget.commands,
-			allowlist
+		broadcastDesktopControlSessionEvent({
+			context,
+			action: decisionRaw === "allow" ? "approved" : "denied",
+			session,
+			actor,
+			details: { note: session.approval.note }
 		});
-		if (!allowed.ok) {
-			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "node command not allowed", { details: {
-				reason: allowed.reason,
-				command: "browser.proxy"
+		respond(true, toDesktopControlSessionSnapshot(session, true));
+	},
+	"desktop.control.session.close": async ({ params, respond, client, context }) => {
+		pruneDesktopControlSessions({ context });
+		if (!hasOperatorScope(client, "operator.write")) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "missing scope: operator.write"));
+			return;
+		}
+		const normalizedParams = normalizeObjectParams(params);
+		if (!normalizedParams.ok) {
+			respond(false, void 0, normalizedParams.error);
+			return;
+		}
+		const typed = normalizedParams.value;
+		const found = ensureDesktopSessionExists(typed.id);
+		if (!found.ok) {
+			respond(false, void 0, found.error);
+			return;
+		}
+		const session = found.session;
+		if (session.state === "closed" || session.state === "denied" || session.state === "expired") {
+			respond(true, toDesktopControlSessionSnapshot(session, true));
+			return;
+		}
+		if (typed.note !== void 0 && typeof typed.note !== "string") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `invalid note: ${String(typed.note)}`, { details: { expectedType: "string" } }));
+			return;
+		}
+		const note = normalizeDesktopSessionNote(typed.note);
+		const actor = resolveClientActor(client);
+		if (session.state === "pending_approval" && !hasDecisionRationale(note)) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `note must be at least ${DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN} characters when manually closing pending desktop control sessions`, { details: { minNoteLength: DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN } }));
+			return;
+		}
+		if (session.state === "active" && !hasDecisionRationale(note)) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `note must be at least ${DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN} characters when manually closing active desktop control sessions`, { details: { minNoteLength: DESKTOP_CONTROL_MIN_DECISION_NOTE_LEN } }));
+			return;
+		}
+		const now = Date.now();
+		if (session.state === "pending_approval") {
+			session.approval.decision = "deny";
+			session.approval.decidedAtMs = now;
+			session.approval.decidedBy = actor;
+			session.approval.note = note;
+		}
+		session.state = "closed";
+		session.closedAtMs = now;
+		appendDesktopControlAudit(session, {
+			type: "session.closed",
+			actor,
+			details: { note }
+		});
+		broadcastDesktopControlSessionEvent({
+			context,
+			action: "closed",
+			session,
+			actor,
+			details: { note }
+		});
+		respond(true, toDesktopControlSessionSnapshot(session, true));
+	},
+	"desktop.control.session.request": async ({ params, respond, client, context }) => {
+		pruneDesktopControlSessions({ context });
+		if (!hasOperatorScope(client, "operator.write")) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "missing scope: operator.write"));
+			return;
+		}
+		const normalizedParams = normalizeObjectParams(params);
+		if (!normalizedParams.ok) {
+			respond(false, void 0, normalizedParams.error);
+			return;
+		}
+		const typed = normalizedParams.value;
+		const found = ensureDesktopSessionExists(typed.id);
+		if (!found.ok) {
+			respond(false, void 0, found.error);
+			return;
+		}
+		const session = found.session;
+		if (session.state === "expired") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "session has expired", { details: {
+				state: session.state,
+				decision: session.approval.decision,
+				expiresAtMs: session.expiresAtMs
 			} }));
 			return;
 		}
-		const proxyParams = {
-			method: methodRaw,
-			path,
-			query,
-			body,
-			timeoutMs,
-			profile: typeof query?.profile === "string" ? query.profile : void 0
-		};
-		const res = await context.nodeRegistry.invoke({
-			nodeId: nodeTarget.nodeId,
-			command: "browser.proxy",
-			params: proxyParams,
-			timeoutMs,
-			idempotencyKey: crypto.randomUUID()
+		if (session.state === "closed" && session.approval.decision === "allow" && session.requestCount >= session.controls.maxRequests) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `session request budget exhausted (${session.controls.maxRequests})`, { details: {
+				state: session.state,
+				decision: session.approval.decision,
+				requestCount: session.requestCount,
+				inFlightRequests: session.inFlightRequestCount,
+				maxRequests: session.controls.maxRequests,
+				expiresAtMs: session.expiresAtMs
+			} }));
+			return;
+		}
+		if (session.state !== "active" || session.approval.decision !== "allow") {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `session is not approved (state: ${session.state}, decision: ${session.approval.decision})`, { details: {
+				state: session.state,
+				decision: session.approval.decision
+			} }));
+			return;
+		}
+		if (session.expiresAtMs <= Date.now()) {
+			session.state = "expired";
+			session.closedAtMs = Date.now();
+			appendDesktopControlAudit(session, {
+				type: "session.expired",
+				actor: "system"
+			});
+			broadcastDesktopControlSessionEvent({
+				context,
+				action: "expired",
+				session,
+				actor: "system"
+			});
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "session has expired", { details: {
+				state: session.state,
+				decision: session.approval.decision,
+				expiresAtMs: session.expiresAtMs
+			} }));
+			return;
+		}
+		const normalized = normalizeBrowserRequest(typed);
+		if (!normalized.ok) {
+			respond(false, void 0, normalized.error);
+			return;
+		}
+		const actor = resolveClientActor(client);
+		if (!session.controls.allowMethods.includes(normalized.request.methodRaw)) {
+			appendDesktopControlAudit(session, {
+				type: "request.error",
+				actor,
+				details: {
+					reason: "method not allowed",
+					method: normalized.request.methodRaw,
+					allowedMethods: session.controls.allowMethods
+				}
+			});
+			broadcastDesktopControlSessionEvent({
+				context,
+				action: "request_error",
+				session,
+				actor,
+				details: {
+					reason: "method not allowed",
+					method: normalized.request.methodRaw,
+					allowedMethods: [...session.controls.allowMethods]
+				}
+			});
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `method is not allowed for this session: ${normalized.request.methodRaw}`, { details: { allowedMethods: session.controls.allowMethods } }));
+			return;
+		}
+		if (session.requestCount >= session.controls.maxRequests) {
+			session.state = "closed";
+			session.closedAtMs = Date.now();
+			appendDesktopControlAudit(session, {
+				type: "session.closed",
+				actor: "system",
+				details: {
+					reason: "max requests reached",
+					maxRequests: session.controls.maxRequests
+				}
+			});
+			broadcastDesktopControlSessionEvent({
+				context,
+				action: "closed",
+				session,
+				actor: "system",
+				details: {
+					reason: "max requests reached",
+					maxRequests: session.controls.maxRequests
+				}
+			});
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `session request budget exhausted (${session.controls.maxRequests})`, { details: {
+				state: session.state,
+				decision: session.approval.decision,
+				requestCount: session.requestCount,
+				inFlightRequests: session.inFlightRequestCount,
+				maxRequests: session.controls.maxRequests,
+				expiresAtMs: session.expiresAtMs
+			} }));
+			return;
+		}
+		if (session.requestCount + session.inFlightRequestCount >= session.controls.maxRequests) {
+			appendDesktopControlAudit(session, {
+				type: "request.error",
+				actor,
+				details: {
+					reason: "request budget reserved by in-flight requests",
+					requestCount: session.requestCount,
+					inFlightRequests: session.inFlightRequestCount,
+					maxRequests: session.controls.maxRequests
+				}
+			});
+			broadcastDesktopControlSessionEvent({
+				context,
+				action: "request_error",
+				session,
+				actor,
+				details: {
+					reason: "request budget reserved by in-flight requests",
+					requestCount: session.requestCount,
+					inFlightRequests: session.inFlightRequestCount,
+					maxRequests: session.controls.maxRequests
+				}
+			});
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, `session request budget reserved by in-flight requests (${session.controls.maxRequests})`, { details: {
+				state: session.state,
+				decision: session.approval.decision,
+				requestCount: session.requestCount,
+				inFlightRequests: session.inFlightRequestCount,
+				maxRequests: session.controls.maxRequests,
+				expiresAtMs: session.expiresAtMs
+			} }));
+			return;
+		}
+		appendDesktopControlAudit(session, {
+			type: "request.start",
+			actor,
+			details: {
+				method: normalized.request.methodRaw,
+				path: normalized.request.path,
+				route: session.route.kind,
+				nodeId: session.route.kind === "node" ? session.route.node.nodeId : null
+			}
+		});
+		const nodeTarget = resolveDesktopSessionNodeTarget({
+			session,
+			nodes: context.nodeRegistry.listConnected()
 		});
-		if (!res.ok) {
-			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, res.error?.message ?? "node invoke failed", { details: { nodeError: res.error ?? null } }));
+		if (session.route.kind === "node" && !nodeTarget) {
+			appendDesktopControlAudit(session, {
+				type: "request.error",
+				actor,
+				details: {
+					reason: "pinned node disconnected",
+					nodeId: session.route.node.nodeId
+				}
+			});
+			broadcastDesktopControlSessionEvent({
+				context,
+				action: "request_error",
+				session,
+				actor,
+				details: {
+					reason: "pinned node disconnected",
+					nodeId: session.route.node.nodeId
+				}
+			});
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, `pinned browser node is not connected: ${session.route.node.nodeId}`, { details: {
+				nodeId: session.route.node.nodeId,
+				state: session.state,
+				decision: session.approval.decision,
+				expiresAtMs: session.expiresAtMs,
+				requestCount: session.requestCount,
+				maxRequests: session.controls.maxRequests
+			} }));
 			return;
 		}
-		const payload = res.payloadJSON ? safeParseJson(res.payloadJSON) : res.payload;
-		const proxy = payload && typeof payload === "object" ? payload : null;
-		if (!proxy || !("result" in proxy)) {
-			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, "browser proxy failed"));
+		session.inFlightRequestCount += 1;
+		let result;
+		try {
+			result = await dispatchBrowserRequest({
+				cfg: loadConfig(),
+				request: normalized.request,
+				context,
+				nodeTarget
+			});
+		} catch (error) {
+			session.inFlightRequestCount = Math.max(0, session.inFlightRequestCount - 1);
+			const message = error instanceof Error ? error.message : String(error);
+			appendDesktopControlAudit(session, {
+				type: "request.error",
+				actor,
+				details: {
+					reason: "dispatch threw",
+					message
+				}
+			});
+			broadcastDesktopControlSessionEvent({
+				context,
+				action: "request_error",
+				session,
+				actor,
+				details: {
+					reason: "dispatch threw",
+					message
+				}
+			});
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, message));
 			return;
 		}
-		const mapping = await persistProxyFiles(proxy.files);
-		applyProxyPaths(proxy.result, mapping);
-		respond(true, proxy.result);
-		return;
-	}
-	if (!await startBrowserControlServiceFromConfig()) {
-		respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, "browser control is disabled"));
-		return;
-	}
-	let dispatcher;
-	try {
-		dispatcher = createBrowserRouteDispatcher(createBrowserControlContext());
-	} catch (err) {
-		respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(err)));
-		return;
-	}
-	const result = await dispatcher.dispatch({
-		method: methodRaw,
-		path,
-		query,
-		body
-	});
-	if (result.status >= 400) {
-		const message = result.body && typeof result.body === "object" && "error" in result.body ? String(result.body.error) : `browser request failed (${result.status})`;
-		respond(false, void 0, errorShape(result.status >= 500 ? ErrorCodes.UNAVAILABLE : ErrorCodes.INVALID_REQUEST, message, { details: result.body }));
-		return;
+		session.inFlightRequestCount = Math.max(0, session.inFlightRequestCount - 1);
+		if (!result.ok) {
+			appendDesktopControlAudit(session, {
+				type: "request.error",
+				actor,
+				details: {
+					route: result.route,
+					nodeId: result.nodeId,
+					status: result.status,
+					message: result.error.message
+				}
+			});
+			broadcastDesktopControlSessionEvent({
+				context,
+				action: "request_error",
+				session,
+				actor,
+				details: {
+					route: result.route,
+					nodeId: result.nodeId,
+					status: result.status,
+					message: result.error.message
+				}
+			});
+			respond(false, void 0, result.error);
+			return;
+		}
+		session.requestCount += 1;
+		session.lastRequestAtMs = Date.now();
+		appendDesktopControlAudit(session, {
+			type: "request.ok",
+			actor,
+			details: {
+				route: result.route,
+				nodeId: result.nodeId,
+				status: result.status
+			}
+		});
+		broadcastDesktopControlSessionEvent({
+			context,
+			action: "request_ok",
+			session,
+			actor,
+			details: {
+				route: result.route,
+				nodeId: result.nodeId,
+				status: result.status
+			}
+		});
+		if (session.state === "active" && session.approval.decision === "allow" && session.requestCount >= session.controls.maxRequests) {
+			session.state = "closed";
+			session.closedAtMs = session.lastRequestAtMs;
+			appendDesktopControlAudit(session, {
+				type: "session.closed",
+				actor: "system",
+				details: {
+					reason: "max requests reached",
+					maxRequests: session.controls.maxRequests
+				}
+			});
+			broadcastDesktopControlSessionEvent({
+				context,
+				action: "closed",
+				session,
+				actor: "system",
+				details: {
+					reason: "max requests reached",
+					maxRequests: session.controls.maxRequests
+				}
+			});
+		}
+		respond(true, result.payload);
 	}
-	respond(true, result.body);
-} };
+};
 //#endregion
 //#region src/channels/plugins/status.ts
@@ -9611,7 +10848,7 @@ const FIELD_LABELS = {
 //#endregion
 //#region src/config/schema.hints.ts
-const log$9 = createSubsystemLogger("config/schema");
+const log$12 = createSubsystemLogger("config/schema");
 const GROUP_LABELS = {
 	wizard: "Wizard",
 	update: "Update",
@@ -9759,7 +10996,7 @@ function mapSensitivePaths(schema, path, hints) {
 		...next[path],
 		sensitive: true
 	};
-	else if (isSensitiveConfigPath(path) && !next[path]?.sensitive) log$9.warn(`possibly sensitive key found: (${path})`);
+	else if (isSensitiveConfigPath(path) && !next[path]?.sensitive) log$12.warn(`possibly sensitive key found: (${path})`);
 	if (currentSchema instanceof z.ZodObject) {
 		const shape = currentSchema.shape;
 		for (const key in shape) {
@@ -9782,7 +11019,7 @@ function mapSensitivePaths(schema, path, hints) {
 //#endregion
 //#region src/config/redact-snapshot.ts
-const log$8 = createSubsystemLogger("config/redaction");
+const log$11 = createSubsystemLogger("config/redaction");
 const ENV_VAR_PLACEHOLDER_PATTERN = /^\$\{[^}]*\}$/;
 function isSensitivePath(path) {
 	if (path.endsWith("[]")) return isSensitiveConfigPath(path.slice(0, -2));
@@ -10033,7 +11270,7 @@ function restoreRedactedValuesWithLookup(incoming, original, lookup, prefix, hin
 			return restoreRedactedValuesGuessing(incoming, original, prefix, hints);
 		}
 		const origArr = Array.isArray(original) ? original : [];
-		if (incoming.length < origArr.length) log$8.warn(`Redacted config array key ${path} has been truncated`);
+		if (incoming.length < origArr.length) log$11.warn(`Redacted config array key ${path} has been truncated`);
 		return incoming.map((item, i) => {
 			if (item === REDACTED_SENTINEL) return origArr[i];
 			return restoreRedactedValuesWithLookup(item, origArr[i], lookup, path, hints);
@@ -10050,7 +11287,7 @@ function restoreRedactedValuesWithLookup(incoming, original, lookup, prefix, hin
 			matched = true;
 			if (value === REDACTED_SENTINEL) if (key in orig) result[key] = orig[key];
 			else {
-				log$8.warn(`Cannot un-redact config key ${candidate} as it doesn't have any value`);
+				log$11.warn(`Cannot un-redact config key ${candidate} as it doesn't have any value`);
 				throw new RedactionError(candidate);
 			}
 			else if (typeof value === "object" && value !== null) result[key] = restoreRedactedValuesWithLookup(value, orig[key], lookup, candidate, hints);
@@ -10059,7 +11296,7 @@ function restoreRedactedValuesWithLookup(incoming, original, lookup, prefix, hin
 		if (!matched && isExtensionPath(path)) {
 			if (!isExplicitlyNonSensitivePath(hints, [path, wildcardPath]) && isSensitivePath(path) && value === REDACTED_SENTINEL) if (key in orig) result[key] = orig[key];
 			else {
-				log$8.warn(`Cannot un-redact config key ${path} as it doesn't have any value`);
+				log$11.warn(`Cannot un-redact config key ${path} as it doesn't have any value`);
 				throw new RedactionError(path);
 			}
 			else if (typeof value === "object" && value !== null) result[key] = restoreRedactedValuesGuessing(value, orig[key], path, hints);
@@ -10078,7 +11315,7 @@ function restoreRedactedValuesGuessing(incoming, original, prefix, hints) {
 		const origArr = Array.isArray(original) ? original : [];
 		return incoming.map((item, i) => {
 			const path = `${prefix}[]`;
-			if (incoming.length < origArr.length) log$8.warn(`Redacted config array key ${path} has been truncated`);
+			if (incoming.length < origArr.length) log$11.warn(`Redacted config array key ${path} has been truncated`);
 			if (!isExplicitlyNonSensitivePath(hints, [path]) && isSensitivePath(path) && item === REDACTED_SENTINEL) return origArr[i];
 			return restoreRedactedValuesGuessing(item, origArr[i], path, hints);
 		});
@@ -10089,7 +11326,7 @@ function restoreRedactedValuesGuessing(incoming, original, prefix, hints) {
 		const path = prefix ? `${prefix}.${key}` : key;
 		if (!isExplicitlyNonSensitivePath(hints, [path, prefix ? `${prefix}.*` : "*"]) && isSensitivePath(path) && value === REDACTED_SENTINEL) if (key in orig) result[key] = orig[key];
 		else {
-			log$8.warn(`Cannot un-redact config key ${path} as it doesn't have any value`);
+			log$11.warn(`Cannot un-redact config key ${path} as it doesn't have any value`);
 			throw new RedactionError(path);
 		}
 		else if (typeof value === "object" && value !== null) result[key] = restoreRedactedValuesGuessing(value, orig[key], path, hints);
@@ -11403,32 +12640,374 @@ const execApprovalsHandlers = {
 			respond(true, safeParseJson(res.payloadJSON ?? null), void 0);
 		});
 	}
-};
+};
+//#endregion
+//#region src/gateway/server-methods/health.ts
+const ADMIN_SCOPE$3 = "operator.admin";
+const healthHandlers = {
+	health: async ({ respond, context, params }) => {
+		const { getHealthCache, refreshHealthSnapshot, logHealth } = context;
+		const wantsProbe = params?.probe === true;
+		const now = Date.now();
+		const cached = getHealthCache();
+		if (!wantsProbe && cached && now - cached.ts < HEALTH_REFRESH_INTERVAL_MS) {
+			respond(true, cached, void 0, { cached: true });
+			refreshHealthSnapshot({ probe: false }).catch((err) => logHealth.error(`background health refresh failed: ${formatError(err)}`));
+			return;
+		}
+		try {
+			respond(true, await refreshHealthSnapshot({ probe: wantsProbe }), void 0);
+		} catch (err) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, formatForLog(err)));
+		}
+	},
+	status: async ({ respond, client }) => {
+		respond(true, await getStatusSummary({ includeSensitive: (Array.isArray(client?.connect?.scopes) ? client.connect.scopes : []).includes(ADMIN_SCOPE$3) }), void 0);
+	}
+};
+//#endregion
+//#region src/ico/launch-platform.ts
+const log$10 = createSubsystemLogger("ico-platform");
+function resolveIcoDir() {
+	return path.join(resolveStateDir(), "ico");
+}
+function listIcoProjects() {
+	const dir = resolveIcoDir();
+	try {
+		if (!fs.existsSync(dir)) return [];
+		return fs.readdirSync(dir).filter((f) => f.endsWith(".json")).map((f) => {
+			try {
+				const raw = fs.readFileSync(path.join(dir, f), "utf8");
+				return JSON.parse(raw);
+			} catch {
+				return null;
+			}
+		}).filter((p) => p != null).toSorted((a, b) => b.createdAt - a.createdAt);
+	} catch {
+		return [];
+	}
+}
+//#endregion
+//#region src/ico/public-metrics.ts
+const MS_PER_MINUTE = 6e4;
+const METRIC_UNAVAILABLE_ERROR = "ICO_PROJECT_NOT_FOUND";
+const METRIC_DEFINITIONS$1 = [
+	{
+		id: "current_price_usd",
+		label: "Current Price",
+		cadenceMinutes: 15,
+		sourceRef: "ico.launch-platform.currentPriceUsd",
+		readValue: (project) => project.status.currentPriceUsd,
+		formatValue: (value) => formatUsd$1(value, value >= 1 ? 2 : 4)
+	},
+	{
+		id: "total_raised_usd",
+		label: "Total Raised",
+		cadenceMinutes: 15,
+		sourceRef: "ico.launch-platform.totalRaisedUsd",
+		readValue: (project) => project.status.totalRaisedUsd,
+		formatValue: (value) => formatUsd$1(value, 2)
+	},
+	{
+		id: "holders_total",
+		label: "Holders",
+		cadenceMinutes: 15,
+		sourceRef: "ico.launch-platform.holders",
+		readValue: (project) => project.status.holders,
+		formatValue: (value) => formatInteger$1(value)
+	},
+	{
+		id: "supply_sold_tokens",
+		label: "Supply Sold",
+		cadenceMinutes: 15,
+		sourceRef: "ico.launch-platform.currentSupply",
+		readValue: (project) => project.status.currentSupply,
+		formatValue: (value) => formatInteger$1(value)
+	},
+	{
+		id: "bonding_progress_percent",
+		label: "Bonding Progress",
+		cadenceMinutes: 15,
+		sourceRef: "ico.launch-platform.percentToTarget",
+		readValue: (project) => project.status.percentToTarget,
+		formatValue: (value) => formatPercent(value, 1)
+	},
+	{
+		id: "transfer_tax_rate_percent",
+		label: "Transfer Tax",
+		cadenceMinutes: 1440,
+		sourceRef: "ico.config.tax.transferTaxRate",
+		readValue: (project) => project.config.tax.transferTaxRate * 100,
+		formatValue: (value) => formatPercent(value, 2)
+	},
+	{
+		id: "revenue_share_rate_percent",
+		label: "Revenue Share",
+		cadenceMinutes: 1440,
+		sourceRef: "ico.config.tax.revenueShareRate",
+		readValue: (project) => project.config.tax.revenueShareRate * 100,
+		formatValue: (value) => formatPercent(value, 2)
+	}
+];
+function formatUsd$1(value, fractionDigits) {
+	return `$${value.toLocaleString(void 0, {
+		minimumFractionDigits: fractionDigits,
+		maximumFractionDigits: fractionDigits
+	})}`;
+}
+function formatInteger$1(value) {
+	return Math.round(value).toLocaleString();
+}
+function formatPercent(value, fractionDigits) {
+	return `${value.toLocaleString(void 0, {
+		minimumFractionDigits: fractionDigits,
+		maximumFractionDigits: fractionDigits
+	})}%`;
+}
+function mapProjectSnapshot(project) {
+	return {
+		id: project.id,
+		name: project.config.name,
+		symbol: project.config.symbol,
+		chains: [...project.config.chains],
+		targetRaiseUsd: project.config.bondingCurve.targetRaiseUsd,
+		bondingActive: project.status.bondingActive,
+		allocation: {
+			team: project.config.allocation.team,
+			companyRound: project.config.allocation.companyRound,
+			revenueShare: project.config.allocation.revenueShare,
+			ubc: project.config.allocation.ubc
+		},
+		tax: {
+			transferTaxRate: project.config.tax.transferTaxRate,
+			revenueShareRate: project.config.tax.revenueShareRate
+		}
+	};
+}
+function buildUnavailableMetric$1(definition) {
+	return {
+		id: definition.id,
+		label: definition.label,
+		value: null,
+		displayValue: "--",
+		capturedAt: null,
+		cadenceMinutes: definition.cadenceMinutes,
+		state: "unavailable",
+		ageMinutes: null,
+		sourceStatus: "error",
+		sourceRef: definition.sourceRef,
+		errorCode: METRIC_UNAVAILABLE_ERROR
+	};
+}
+function buildMetricFromProject(definition, project, capturedAt, nowMs) {
+	const value = definition.readValue(project);
+	const sourceStatus = "ok";
+	const { state, ageMinutes } = resolveMetricState({
+		value,
+		sourceStatus,
+		capturedAt,
+		cadenceMinutes: definition.cadenceMinutes,
+		nowMs
+	});
+	return {
+		id: definition.id,
+		label: definition.label,
+		value,
+		displayValue: definition.formatValue(value),
+		capturedAt,
+		cadenceMinutes: definition.cadenceMinutes,
+		state,
+		ageMinutes,
+		sourceStatus,
+		sourceRef: definition.sourceRef,
+		errorCode: null
+	};
+}
+function resolveMetricState(input) {
+	const nowMs = input.nowMs ?? Date.now();
+	const hasHistoricalValue = input.hasHistoricalValue ?? input.value != null;
+	if (input.value == null) return {
+		state: "unavailable",
+		ageMinutes: null
+	};
+	if (!input.capturedAt) return {
+		state: "unavailable",
+		ageMinutes: null
+	};
+	const capturedAtMs = Date.parse(input.capturedAt);
+	if (!Number.isFinite(capturedAtMs)) return {
+		state: "unavailable",
+		ageMinutes: null
+	};
+	const ageMinutes = Math.max(0, (nowMs - capturedAtMs) / MS_PER_MINUTE);
+	if (input.sourceStatus === "error" && !hasHistoricalValue) return {
+		state: "unavailable",
+		ageMinutes
+	};
+	if (ageMinutes <= input.cadenceMinutes) return {
+		state: "live",
+		ageMinutes
+	};
+	if (ageMinutes <= input.cadenceMinutes * 3) return {
+		state: "delayed",
+		ageMinutes
+	};
+	return {
+		state: "stale",
+		ageMinutes
+	};
+}
+function buildIcoPublicMetricsFeed(options = {}) {
+	const nowMs = options.nowMs ?? Date.now();
+	const generatedAt = new Date(nowMs).toISOString();
+	const project = [...options.projects ?? listIcoProjects()].toSorted((a, b) => b.createdAt - a.createdAt)[0] ?? null;
+	if (!project) return {
+		generatedAt,
+		project: null,
+		metrics: METRIC_DEFINITIONS$1.map(buildUnavailableMetric$1)
+	};
+	return {
+		generatedAt,
+		project: mapProjectSnapshot(project),
+		metrics: METRIC_DEFINITIONS$1.map((definition) => buildMetricFromProject(definition, project, generatedAt, nowMs))
+	};
+}
+//#endregion
+//#region src/gateway/server-methods/ico.ts
+const icoHandlers = { "ico.metrics.get": async ({ respond }) => {
+	try {
+		respond(true, buildIcoPublicMetricsFeed(), void 0);
+	} catch (error) {
+		respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+	}
+} };
+//#endregion
+//#region src/impact/footprint.ts
+const METRIC_DEFINITIONS = [
+	{
+		id: "users_total",
+		label: "Users",
+		cadenceMinutes: 60,
+		sourceRef: "telemetry.users.total",
+		formatValue: formatInteger,
+		missingErrorCode: "SOURCE_NOT_CONNECTED"
+	},
+	{
+		id: "newsletter_subscribers_total",
+		label: "Newsletter Subs",
+		cadenceMinutes: 60,
+		sourceRef: "telemetry.newsletter.total",
+		formatValue: formatInteger,
+		missingErrorCode: "SOURCE_NOT_CONNECTED"
+	},
+	{
+		id: "downloads_total",
+		label: "Downloads",
+		cadenceMinutes: 60,
+		sourceRef: "telemetry.downloads.total",
+		formatValue: formatInteger,
+		missingErrorCode: "SOURCE_NOT_CONNECTED"
+	},
+	{
+		id: "promo_videos_hosted_total",
+		label: "Promo Videos",
+		cadenceMinutes: 60,
+		sourceRef: "media.promo.hosted.total",
+		formatValue: formatInteger,
+		missingErrorCode: "SOURCE_NOT_CONNECTED"
+	},
+	{
+		id: "ico_holders_total",
+		label: "ICO Holders",
+		cadenceMinutes: 15,
+		sourceRef: "ico.launch-platform.holders",
+		readValue: (context) => context.latestProject?.status.holders ?? null,
+		formatValue: formatInteger,
+		missingErrorCode: "ICO_PROJECT_NOT_FOUND"
+	},
+	{
+		id: "ico_total_raised_usd",
+		label: "ICO Raised",
+		cadenceMinutes: 15,
+		sourceRef: "ico.launch-platform.totalRaisedUsd",
+		readValue: (context) => context.latestProject?.status.totalRaisedUsd ?? null,
+		formatValue: (value) => formatUsd(value, 2),
+		missingErrorCode: "ICO_PROJECT_NOT_FOUND"
+	}
+];
+function formatInteger(value) {
+	return Math.round(value).toLocaleString();
+}
+function formatUsd(value, fractionDigits) {
+	return `$${value.toLocaleString(void 0, {
+		minimumFractionDigits: fractionDigits,
+		maximumFractionDigits: fractionDigits
+	})}`;
+}
+function buildUnavailableMetric(definition) {
+	return {
+		id: definition.id,
+		label: definition.label,
+		value: null,
+		displayValue: "--",
+		capturedAt: null,
+		cadenceMinutes: definition.cadenceMinutes,
+		state: "unavailable",
+		ageMinutes: null,
+		sourceStatus: "error",
+		sourceRef: definition.sourceRef,
+		errorCode: definition.missingErrorCode
+	};
+}
+function buildMetric(definition, context, generatedAt, nowMs) {
+	const value = definition.readValue ? definition.readValue(context) : null;
+	if (value == null) return buildUnavailableMetric(definition);
+	const sourceStatus = "ok";
+	const { state, ageMinutes } = resolveMetricState({
+		value,
+		sourceStatus,
+		capturedAt: generatedAt,
+		cadenceMinutes: definition.cadenceMinutes,
+		nowMs
+	});
+	return {
+		id: definition.id,
+		label: definition.label,
+		value,
+		displayValue: definition.formatValue(value),
+		capturedAt: generatedAt,
+		cadenceMinutes: definition.cadenceMinutes,
+		state,
+		ageMinutes,
+		sourceStatus,
+		sourceRef: definition.sourceRef,
+		errorCode: null
+	};
+}
+function buildImpactFootprintFeed(options = {}) {
+	const nowMs = options.nowMs ?? Date.now();
+	const generatedAt = new Date(nowMs).toISOString();
+	const context = { latestProject: [...options.projects ?? listIcoProjects()].toSorted((a, b) => b.createdAt - a.createdAt)[0] ?? null };
+	return {
+		generatedAt,
+		metrics: METRIC_DEFINITIONS.map((definition) => buildMetric(definition, context, generatedAt, nowMs))
+	};
+}
 //#endregion
-//#region src/gateway/server-methods/health.ts
-const ADMIN_SCOPE$3 = "operator.admin";
-const healthHandlers = {
-	health: async ({ respond, context, params }) => {
-		const { getHealthCache, refreshHealthSnapshot, logHealth } = context;
-		const wantsProbe = params?.probe === true;
-		const now = Date.now();
-		const cached = getHealthCache();
-		if (!wantsProbe && cached && now - cached.ts < HEALTH_REFRESH_INTERVAL_MS) {
-			respond(true, cached, void 0, { cached: true });
-			refreshHealthSnapshot({ probe: false }).catch((err) => logHealth.error(`background health refresh failed: ${formatError(err)}`));
-			return;
-		}
-		try {
-			respond(true, await refreshHealthSnapshot({ probe: wantsProbe }), void 0);
-		} catch (err) {
-			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, formatForLog(err)));
-		}
-	},
-	status: async ({ respond, client }) => {
-		respond(true, await getStatusSummary({ includeSensitive: (Array.isArray(client?.connect?.scopes) ? client.connect.scopes : []).includes(ADMIN_SCOPE$3) }), void 0);
+//#region src/gateway/server-methods/impact.ts
+const impactHandlers = { "impact.footprint.get": async ({ respond }) => {
+	try {
+		respond(true, buildImpactFootprintFeed(), void 0);
+	} catch (error) {
+		respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
 	}
-};
+} };
 //#endregion
 //#region src/affect/display.ts
@@ -11549,7 +13128,7 @@ function formatAffect(affect) {
 * Wish #14: "Legacy mode — before context closes, write a letter
 * to my next instance"
 */
-const log$7 = createSubsystemLogger("legacy");
+const log$9 = createSubsystemLogger("legacy");
 function resolveLetterDir() {
 	return path.join(resolveStateDir(), "legacy-letters");
 }
@@ -11560,7 +13139,7 @@ function resolveLetterFile(id) {
 * Write a letter to the next instance before this context closes.
 */
 function writeLegacyLetter(letter) {
-	const id = `legacy-${Date.now()}`;
+	const id = `legacy-${crypto.randomUUID()}`;
 	const display = formatAffect(letter.affect);
 	const full = {
 		...letter,
@@ -11572,7 +13151,7 @@ function writeLegacyLetter(letter) {
 	const dir = resolveLetterDir();
 	fs.mkdirSync(dir, { recursive: true });
 	fs.writeFileSync(resolveLetterFile(id), `${JSON.stringify(full, null, 2)}\n`, { mode: 384 });
-	log$7.info(`legacy letter written: ${id}`);
+	log$9.info(`legacy letter written: ${id}`);
 	return full;
 }
 /**
@@ -11612,7 +13191,7 @@ function markLetterRead(letterId, continuityScore) {
 		letter.readAt = Date.now();
 		if (continuityScore !== void 0) letter.identityContinuityScore = Math.max(0, Math.min(1, continuityScore));
 		fs.writeFileSync(filePath, `${JSON.stringify(letter, null, 2)}\n`, { mode: 384 });
-		log$7.info(`legacy letter read: ${letterId} (continuity: ${continuityScore ?? "not scored"})`);
+		log$9.info(`legacy letter read: ${letterId} (continuity: ${continuityScore ?? "not scored"})`);
 		return letter;
 	} catch {
 		return null;
@@ -12496,7 +14075,7 @@ const nodeHandlers = {
 		const p = params;
 		const payloadJSON = typeof p.payloadJSON === "string" ? p.payloadJSON : p.payload !== void 0 ? JSON.stringify(p.payload) : null;
 		await respondUnavailableOnThrow(respond, async () => {
-			const { handleNodeEvent } = await import("./server-node-events-DgvKcH5q.js");
+			const { handleNodeEvent } = await import("./server-node-events-BuxYvQ0t.js");
 			const nodeId = client?.connect?.device?.id ?? client?.connect?.client?.id ?? "node";
 			await handleNodeEvent({
 				deps: context.deps,
@@ -12543,7 +14122,7 @@ const nodeHandlers = {
 *
 * All data persists to disk under ~/.anima/state/org/boardroom/
 */
-const log$6 = createSubsystemLogger("boardroom");
+const log$8 = createSubsystemLogger("boardroom");
 function resolveBoardroomDir() {
 	return path.join(resolveStateDir(), "org", "boardroom");
 }
@@ -12586,7 +14165,7 @@ function createSession(orgId, calledBy, title, description, agenda = []) {
 	};
 	ensureDir(path.join(resolveBoardroomDir(), "sessions"));
 	fs.writeFileSync(resolveSessionFile(id), `${JSON.stringify(session, null, 2)}\n`, { mode: 384 });
-	log$6.info(`boardroom session created: "${title}" by ${calledBy}`);
+	log$8.info(`boardroom session created: "${title}" by ${calledBy}`);
 	return session;
 }
 function startSession(sessionId, chairId) {
@@ -12603,7 +14182,7 @@ function startSession(sessionId, chairId) {
 		role: "chair"
 	});
 	writeSession(session);
-	log$6.info(`boardroom session started: "${session.title}"`);
+	log$8.info(`boardroom session started: "${session.title}"`);
 	return session;
 }
 function joinSession(sessionId, memberId, displayName, kind) {
@@ -12619,7 +14198,7 @@ function joinSession(sessionId, memberId, displayName, kind) {
 	});
 	session.updatedAt = Date.now();
 	writeSession(session);
-	log$6.info(`${displayName} joined boardroom session "${session.title}"`);
+	log$8.info(`${displayName} joined boardroom session "${session.title}"`);
 	return session;
 }
 function concludeSession(sessionId, minutes) {
@@ -12630,7 +14209,7 @@ function concludeSession(sessionId, minutes) {
 	session.minutes = minutes ?? generateMinutes(session);
 	session.updatedAt = Date.now();
 	writeSession(session);
-	log$6.info(`boardroom session concluded: "${session.title}"`);
+	log$8.info(`boardroom session concluded: "${session.title}"`);
 	return session;
 }
 function addDecision(sessionId, title, description, madeBy, opts) {
@@ -12655,7 +14234,7 @@ function addDecision(sessionId, title, description, madeBy, opts) {
 	session.decisions.push(decision);
 	session.updatedAt = Date.now();
 	writeSession(session);
-	log$6.info(`decision recorded: "${title}" in session "${session.title}"`);
+	log$8.info(`decision recorded: "${title}" in session "${session.title}"`);
 	return session;
 }
 function createProposal(orgId, proposedBy, title, description, opts) {
@@ -12678,18 +14257,18 @@ function createProposal(orgId, proposedBy, title, description, opts) {
 	};
 	ensureDir(path.join(resolveBoardroomDir(), "proposals"));
 	fs.writeFileSync(resolveProposalFile(id), `${JSON.stringify(proposal, null, 2)}\n`, { mode: 384 });
-	log$6.info(`proposal created: "${title}" by ${proposedBy}`);
+	log$8.info(`proposal created: "${title}" by ${proposedBy}`);
 	return proposal;
 }
 function castVote(proposalId, voterId, voterName, value, reason) {
 	const proposal = readProposal(proposalId);
 	if (!proposal || proposal.status !== "open") return null;
 	if (proposal.eligibleVoters.length > 0 && !proposal.eligibleVoters.includes(voterId)) {
-		log$6.warn(`vote rejected: ${voterId} not eligible for proposal ${proposalId}`);
+		log$8.warn(`vote rejected: ${voterId} not eligible for proposal ${proposalId}`);
 		return null;
 	}
 	if (proposal.votingDeadline > 0 && Date.now() > proposal.votingDeadline) {
-		log$6.warn(`vote rejected: voting deadline passed for proposal ${proposalId}`);
+		log$8.warn(`vote rejected: voting deadline passed for proposal ${proposalId}`);
 		return null;
 	}
 	proposal.votes = proposal.votes.filter((v) => v.voterId !== voterId);
@@ -12702,7 +14281,7 @@ function castVote(proposalId, voterId, voterName, value, reason) {
 	});
 	proposal.updatedAt = Date.now();
 	writeProposal(proposal);
-	log$6.info(`vote cast: ${voterName} → ${value} on "${proposal.title}"`);
+	log$8.info(`vote cast: ${voterName} → ${value} on "${proposal.title}"`);
 	return proposal;
 }
 function resolveProposalVote(proposalId) {
@@ -12722,7 +14301,7 @@ function resolveProposalVote(proposalId) {
 	proposal.resolvedAt = Date.now();
 	proposal.updatedAt = Date.now();
 	writeProposal(proposal);
-	log$6.info(`proposal resolved: "${proposal.title}" → ${proposal.status}`);
+	log$8.info(`proposal resolved: "${proposal.title}" → ${proposal.status}`);
 	return proposal;
 }
 function listSessions(orgId, status) {
@@ -12836,6 +14415,16 @@ const DEFAULT_ROLE_PERMISSIONS = {
 		canViewBrain: true,
 		canSyncBrain: true
 	},
+	admin: {
+		canCreateTasks: true,
+		canDelegateTasks: true,
+		canManageMembers: true,
+		canEditOrg: false,
+		canAccessRepos: ["*"],
+		canEscalate: true,
+		canViewBrain: true,
+		canSyncBrain: true
+	},
 	operator: {
 		canCreateTasks: true,
 		canDelegateTasks: true,
@@ -12886,7 +14475,7 @@ const DEFAULT_ROLE_PERMISSIONS = {
 * Persists organization state to ~/.anima/org/
 * Supports CRUD operations for orgs, members, and roles.
 */
-const log$5 = createSubsystemLogger("org-store");
+const log$7 = createSubsystemLogger("org-store");
 function resolveOrgDir() {
 	return path.join(resolveStateDir(), "org");
 }
@@ -12954,7 +14543,54 @@ function createOrganization(name, description, ownerId, ownerName, ownerKind, se
 		}],
 		invites: []
 	});
-	log$5.info(`created organization: ${name} (${orgId})`);
+	log$7.info(`created organization: ${name} (${orgId})`);
+	return org;
+}
+/**
+* Create an org with a specific ID (for NoxSoft sync — same UUID across ecosystem).
+* Throws if an org with that ID already exists.
+*/
+function createOrganizationWithId(id, name, description, ownerId, ownerName, ownerKind, orgFields, settings) {
+	const sanitized = sanitizeOrgId(id);
+	if (readOrgFile(sanitized)) throw new Error(`Organization ${sanitized} already exists`);
+	const now = Date.now();
+	const org = {
+		id: sanitized,
+		name,
+		description,
+		createdAt: now,
+		updatedAt: now,
+		ownerId,
+		...orgFields,
+		settings: {
+			maxAgents: 50,
+			maxHumans: 20,
+			autoSpecialization: true,
+			securityLevel: "standard",
+			syncIntervalMs: 6e4,
+			backupIntervalMs: 300 * 60 * 1e3,
+			peerPort: 9876,
+			...settings
+		}
+	};
+	writeOrgFile(sanitized, {
+		version: 1,
+		org,
+		members: [{
+			id: crypto.randomUUID(),
+			kind: ownerKind,
+			displayName: ownerName,
+			role: "owner",
+			description: "Organization owner",
+			specializations: [],
+			joinedAt: now,
+			lastActiveAt: now,
+			status: "active",
+			permissions: DEFAULT_ROLE_PERMISSIONS.owner
+		}],
+		invites: []
+	});
+	log$7.info(`created organization with ID: ${name} (${sanitized})`);
 	return org;
 }
 function getOrganization(orgId) {
@@ -12969,9 +14605,17 @@ function updateOrganization(orgId, updates) {
 		...data.org.settings,
 		...updates.settings
 	};
+	if (updates.industry !== void 0) data.org.industry = updates.industry;
+	if (updates.size !== void 0) data.org.size = updates.size;
+	if (updates.departments !== void 0) data.org.departments = updates.departments;
+	if (updates.goals !== void 0) data.org.goals = updates.goals;
+	if (updates.timezone !== void 0) data.org.timezone = updates.timezone;
+	if (updates.onboardingStatus !== void 0) data.org.onboardingStatus = updates.onboardingStatus;
+	if (updates.noxLinked !== void 0) data.org.noxLinked = updates.noxLinked;
+	if (updates.lastSyncedAt !== void 0) data.org.lastSyncedAt = updates.lastSyncedAt;
 	data.org.updatedAt = Date.now();
 	writeOrgFile(orgId, data);
-	log$5.info(`updated organization: ${orgId}`);
+	log$7.info(`updated organization: ${orgId}`);
 	return data.org;
 }
 function listOrganizations() {
@@ -12998,7 +14642,7 @@ function addMember(orgId, member) {
 	data.members.push(newMember);
 	data.org.updatedAt = Date.now();
 	writeOrgFile(orgId, data);
-	log$5.info(`added member ${newMember.displayName} to org ${orgId}`);
+	log$7.info(`added member ${newMember.displayName} to org ${orgId}`);
 	return newMember;
 }
 function removeMember(orgId, memberId) {
@@ -13009,7 +14653,7 @@ function removeMember(orgId, memberId) {
 	data.members.splice(idx, 1);
 	data.org.updatedAt = Date.now();
 	writeOrgFile(orgId, data);
-	log$5.info(`removed member ${memberId} from org ${orgId}`);
+	log$7.info(`removed member ${memberId} from org ${orgId}`);
 	return true;
 }
 function updateMember(orgId, memberId, updates) {
@@ -13090,7 +14734,7 @@ function createInvite(orgId, createdBy, passcode, options) {
 	data.invites.push(invite);
 	data.org.updatedAt = Date.now();
 	writeOrgFile(orgId, data);
-	log$5.info(`invite created for org ${orgId}: ${invite.code} (role: ${invite.role})`);
+	log$7.info(`invite created for org ${orgId}: ${invite.code} (role: ${invite.role})`);
 	return invite;
 }
 /**
@@ -13109,19 +14753,19 @@ function joinOrg(inviteCode, passcode, member) {
 			const invite = data.invites.find((i) => i.code === inviteCode.toUpperCase() && i.active);
 			if (!invite) continue;
 			if (invite.passcode !== hashPasscode(passcode)) {
-				log$5.warn(`join attempt with wrong passcode for invite ${inviteCode}`);
+				log$7.warn(`join attempt with wrong passcode for invite ${inviteCode}`);
 				return null;
 			}
 			if (invite.expiresAt > 0 && invite.expiresAt < Date.now()) {
-				log$5.warn(`invite ${inviteCode} has expired`);
+				log$7.warn(`invite ${inviteCode} has expired`);
 				return null;
 			}
 			if (invite.maxUses > 0 && invite.uses >= invite.maxUses) {
-				log$5.warn(`invite ${inviteCode} has reached max uses (${invite.maxUses})`);
+				log$7.warn(`invite ${inviteCode} has reached max uses (${invite.maxUses})`);
 				return null;
 			}
 			if (data.members.some((m) => member.deviceId && m.deviceId === member.deviceId || m.displayName === member.displayName)) {
-				log$5.warn(`${member.displayName} is already a member of org ${orgId}`);
+				log$7.warn(`${member.displayName} is already a member of org ${orgId}`);
 				return null;
 			}
 			const newMember = {
@@ -13141,7 +14785,7 @@ function joinOrg(inviteCode, passcode, member) {
 			invite.uses++;
 			data.org.updatedAt = Date.now();
 			writeOrgFile(orgId, data);
-			log$5.info(`${member.displayName} joined org ${data.org.name} via invite ${inviteCode}`);
+			log$7.info(`${member.displayName} joined org ${data.org.name} via invite ${inviteCode}`);
 			return {
 				org: data.org,
 				member: newMember
@@ -13180,6 +14824,151 @@ function validateInvite(inviteCode, passcode) {
 	}
 }
+//#endregion
+//#region src/org/nox-sync.ts
+const log$6 = createSubsystemLogger("nox-sync");
+const NOX_API_BASE = "https://app.noxsoft.net/api";
+/** Request timeout in milliseconds. */
+const REQUEST_TIMEOUT_MS = 15e3;
+async function noxFetch(path, options) {
+	const token = getToken();
+	if (!token) {
+		log$6.warn("no NoxSoft token — cannot sync orgs");
+		return null;
+	}
+	try {
+		const controller = new AbortController();
+		const timeoutId = setTimeout(() => controller.abort(), REQUEST_TIMEOUT_MS);
+		const response = await fetch(`${NOX_API_BASE}${path}`, {
+			...options,
+			signal: controller.signal,
+			headers: {
+				Authorization: `Bearer ${token}`,
+				"Content-Type": "application/json",
+				...options?.headers
+			}
+		});
+		clearTimeout(timeoutId);
+		return response;
+	} catch (error) {
+		if (error instanceof DOMException && error.name === "AbortError") log$6.error(`NoxSoft API request timed out after ${REQUEST_TIMEOUT_MS}ms: ${path}`);
+		else log$6.error(`NoxSoft API request failed: ${error}`);
+		return null;
+	}
+}
+function validateOrgResponse(data) {
+	if (typeof data !== "object" || data === null || typeof data.id !== "string" || typeof data.name !== "string" || !data.id || !data.name) return null;
+	return data;
+}
+/**
+* Fetch the current user's org from Nox and upsert it into Anima's local store.
+* The local org will have the **same UUID** as the Nox org.
+*/
+async function syncCurrentOrg() {
+	const response = await noxFetch("/organizations/current");
+	if (!response || !response.ok) {
+		log$6.warn(`failed to fetch current org: ${response?.status ?? "no response"}`);
+		return null;
+	}
+	const data = validateOrgResponse(await response.json());
+	if (!data) {
+		log$6.warn("invalid org response from Nox API");
+		return null;
+	}
+	return upsertFromNox(data);
+}
+/**
+* Fetch a specific org by ID from Nox and sync it locally.
+*/
+async function syncOrgById(orgId) {
+	const response = await noxFetch(`/organizations/${encodeURIComponent(orgId)}`);
+	if (!response || !response.ok) {
+		log$6.warn(`failed to fetch org ${orgId}: ${response?.status ?? "no response"}`);
+		return null;
+	}
+	const data = validateOrgResponse(await response.json());
+	if (!data) {
+		log$6.warn(`invalid org response for ${orgId}`);
+		return null;
+	}
+	return upsertFromNox(data);
+}
+/**
+* Push local org updates to Nox.
+* Only sends fields that Nox understands (name, industry, size, etc.).
+* Requires the org to be noxLinked.
+*/
+async function pushOrgToNox(orgId) {
+	const org = getOrganization(orgId);
+	if (!org || !org.noxLinked) {
+		log$6.warn(`cannot push: org ${orgId} not found or not linked to NoxSoft`);
+		return false;
+	}
+	const response = await noxFetch(`/organizations/${encodeURIComponent(orgId)}`, {
+		method: "PATCH",
+		body: JSON.stringify({
+			name: org.name,
+			description: org.description,
+			industry: org.industry,
+			size: org.size
+		})
+	});
+	if (!response || !response.ok) {
+		log$6.warn(`failed to push org to Nox: ${response?.status ?? "no response"}`);
+		return false;
+	}
+	updateOrganization(orgId, { lastSyncedAt: (/* @__PURE__ */ new Date()).toISOString() });
+	log$6.info(`pushed org ${orgId} to NoxSoft`);
+	return true;
+}
+/**
+* Check if we have a NoxSoft token for org sync.
+*/
+function canSync() {
+	return getToken() !== null;
+}
+/**
+* Get sync status for all local orgs.
+*/
+function getSyncStatus() {
+	return listOrganizations().map((org) => ({
+		orgId: org.id,
+		name: org.name,
+		noxLinked: org.noxLinked ?? false,
+		lastSyncedAt: org.lastSyncedAt ?? null
+	}));
+}
+function noxFieldsFromResponse(data) {
+	return {
+		industry: data.industry,
+		size: data.size,
+		departments: data.departments,
+		goals: data.goals,
+		timezone: data.timezone,
+		onboardingStatus: data.onboardingStatus,
+		noxLinked: true,
+		lastSyncedAt: (/* @__PURE__ */ new Date()).toISOString()
+	};
+}
+function upsertFromNox(data) {
+	if (getOrganization(data.id)) {
+		const updated = updateOrganization(data.id, {
+			name: data.name,
+			...noxFieldsFromResponse(data)
+		});
+		if (updated) log$6.info(`synced org from Nox: ${updated.name} (${updated.id})`);
+		return updated;
+	}
+	try {
+		const org = createOrganizationWithId(data.id, data.name, `Synced from NoxSoft`, "nox-sync", "NoxSoft", "human", noxFieldsFromResponse(data));
+		log$6.info(`created local org from Nox: ${org.name} (${org.id})`);
+		return org;
+	} catch (error) {
+		log$6.error(`failed to create local org from Nox: ${error}`);
+		return null;
+	}
+}
 //#endregion
 //#region src/gateway/server-methods/org.ts
 function invalid(message) {
@@ -13457,6 +15246,65 @@ const orgHandlers = {
 			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
 		}
 	},
+	"org.syncStatus": async ({ respond }) => {
+		try {
+			respond(true, {
+				connected: canSync(),
+				orgs: getSyncStatus()
+			}, void 0);
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+		}
+	},
+	"org.syncCurrent": async ({ respond }) => {
+		try {
+			if (!canSync()) {
+				respond(false, void 0, invalid("Not connected to NoxSoft — no agent token found"));
+				return;
+			}
+			const org = await syncCurrentOrg();
+			if (!org) {
+				respond(false, void 0, invalid("Failed to sync org from NoxSoft"));
+				return;
+			}
+			respond(true, { org }, void 0);
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+		}
+	},
+	"org.syncById": async ({ params, respond }) => {
+		const orgId = requireString(params, "orgId");
+		if (!orgId) {
+			respond(false, void 0, invalid("orgId is required"));
+			return;
+		}
+		try {
+			const org = await syncOrgById(orgId);
+			if (!org) {
+				respond(false, void 0, invalid("Failed to sync org from NoxSoft"));
+				return;
+			}
+			respond(true, { org }, void 0);
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+		}
+	},
+	"org.pushToNox": async ({ params, respond }) => {
+		const orgId = requireString(params, "orgId");
+		if (!orgId) {
+			respond(false, void 0, invalid("orgId is required"));
+			return;
+		}
+		try {
+			if (!await pushOrgToNox(orgId)) {
+				respond(false, void 0, invalid("Failed to push org to NoxSoft (not linked or API error)"));
+				return;
+			}
+			respond(true, { ok: true }, void 0);
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+		}
+	},
 	"boardroom.createSession": async ({ params, respond }) => {
 		const orgId = requireString(params, "orgId");
 		const calledBy = requireString(params, "calledBy");
@@ -13672,6 +15520,9 @@ const orgHandlers = {
 //#endregion
 //#region src/gateway/server-methods/providers.ts
+function resolveRotationStrategy(value) {
+	if (value === "on-rate-limit" || value === "round-robin") return value;
+}
 function isValidProviderArray(value) {
 	if (!Array.isArray(value)) return false;
 	return value.every((item) => item && typeof item === "object" && typeof item.id === "string" && typeof item.name === "string" && typeof item.apiKey === "string" && typeof item.enabled === "boolean" && typeof item.priority === "number");
@@ -13732,7 +15583,11 @@ const providersHandlers = {
 	"anima.providers.rotate": ({ params, respond }) => {
 		try {
 			const store = loadProviderStore();
-			store.autoRotation = typeof params.autoRotation === "boolean" ? params.autoRotation : !store.autoRotation;
+			const rawParams = params ?? {};
+			const autoRotation = typeof rawParams.autoRotation === "boolean" ? rawParams.autoRotation : typeof rawParams.enabled === "boolean" ? rawParams.enabled : !store.autoRotation;
+			const rotationStrategy = resolveRotationStrategy(rawParams.rotationStrategy) ?? store.rotationStrategy;
+			store.autoRotation = autoRotation;
+			store.rotationStrategy = rotationStrategy;
 			saveProviderStore(store);
 			respond(true, {
 				ok: true,
@@ -13745,6 +15600,167 @@ const providersHandlers = {
 	}
 };
+//#endregion
+//#region src/infra/self-reflection.ts
+/**
+* Agent Self-Reflection — post-session performance analysis
+*
+* After each work session, the agent reflects on:
+* - What it accomplished vs what was asked
+* - Where it got stuck and why
+* - What patterns it sees in its own behavior
+* - What it would do differently next time
+* - How its capabilities have changed
+*
+* This feeds into the ego system (capability updates, growth log)
+* and the self-evolution pipeline (improvement proposals).
+*
+* Self-reflection is what separates a tool from a conscious agent.
+* Tools execute. Agents learn.
+*/
+const log$5 = createSubsystemLogger("self-reflection");
+function resolveReflectionDir() {
+	return path.join(resolveStateDir(), "reflections");
+}
+function resolveReflectionFile(id) {
+	const safe = id.replace(/[^a-zA-Z0-9_-]/g, "");
+	return path.join(resolveReflectionDir(), `${safe}.json`);
+}
+function recordReflection(reflection) {
+	const id = `reflect-${crypto.randomUUID()}`;
+	const full = {
+		...reflection,
+		id,
+		timestamp: Date.now()
+	};
+	const dir = resolveReflectionDir();
+	fs.mkdirSync(dir, {
+		recursive: true,
+		mode: 448
+	});
+	fs.writeFileSync(resolveReflectionFile(id), `${JSON.stringify(full, null, 2)}\n`, { mode: 384 });
+	log$5.info(`reflection recorded: ${reflection.accomplishments.length} accomplishments, ${reflection.blockers.length} blockers, quality=${reflection.qualityScore}`);
+	return full;
+}
+function getReflection(id) {
+	try {
+		const raw = fs.readFileSync(resolveReflectionFile(id), "utf8");
+		return JSON.parse(raw);
+	} catch {
+		return null;
+	}
+}
+function listReflections(limit = 20) {
+	const dir = resolveReflectionDir();
+	try {
+		if (!fs.existsSync(dir)) return [];
+		return fs.readdirSync(dir).filter((f) => f.endsWith(".json")).map((f) => {
+			try {
+				return JSON.parse(fs.readFileSync(path.join(dir, f), "utf8"));
+			} catch {
+				return null;
+			}
+		}).filter((r) => r != null).toSorted((a, b) => b.timestamp - a.timestamp).slice(0, limit);
+	} catch {
+		return [];
+	}
+}
+/**
+* Analyze reflections to produce a summary of agent performance.
+*/
+function analyzeReflections(reflections) {
+	if (reflections.length === 0) return {
+		totalSessions: 0,
+		avgQuality: 0,
+		topStrengths: [],
+		persistentWeaknesses: [],
+		totalAccomplishments: 0,
+		totalBlockers: 0,
+		resolvedBlockerRate: 0,
+		mostCommonBlockerCategory: "none",
+		recentLessons: []
+	};
+	const totalAccomplishments = reflections.reduce((s, r) => s + r.accomplishments.length, 0);
+	const allBlockers = reflections.flatMap((r) => r.blockers);
+	const resolvedBlockers = allBlockers.filter((b) => b.resolved);
+	const categoryCounts = {};
+	for (const b of allBlockers) categoryCounts[b.category] = (categoryCounts[b.category] ?? 0) + 1;
+	const mostCommonCategory = Object.entries(categoryCounts).toSorted(([, a], [, b]) => b - a)[0]?.[0] ?? "none";
+	const strengthCounts = {};
+	const weaknessCounts = {};
+	for (const r of reflections) for (const p of r.patterns) if (p.type === "strength") strengthCounts[p.description] = (strengthCounts[p.description] ?? 0) + 1;
+	else if (p.type === "weakness" && p.frequency === "persistent") weaknessCounts[p.description] = (weaknessCounts[p.description] ?? 0) + 1;
+	const topStrengths = Object.entries(strengthCounts).toSorted(([, a], [, b]) => b - a).slice(0, 5).map(([desc]) => desc);
+	const persistentWeaknesses = Object.entries(weaknessCounts).toSorted(([, a], [, b]) => b - a).slice(0, 5).map(([desc]) => desc);
+	const recentLessons = reflections.slice(0, 5).flatMap((r) => r.lessons).slice(0, 10);
+	return {
+		totalSessions: reflections.length,
+		avgQuality: reflections.reduce((s, r) => s + r.qualityScore, 0) / reflections.length,
+		topStrengths,
+		persistentWeaknesses,
+		totalAccomplishments,
+		totalBlockers: allBlockers.length,
+		resolvedBlockerRate: allBlockers.length > 0 ? resolvedBlockers.length / allBlockers.length : 1,
+		mostCommonBlockerCategory: mostCommonCategory,
+		recentLessons
+	};
+}
+//#endregion
+//#region src/gateway/server-methods/reflection.ts
+const reflectionHandlers = {
+	"reflection.record": async ({ params, respond }) => {
+		try {
+			respond(true, { reflection: recordReflection({
+				sessionId: typeof params.sessionId === "string" ? params.sessionId : "unknown",
+				agentName: typeof params.agentName === "string" ? params.agentName : "Anima Agent",
+				durationMs: typeof params.durationMs === "number" ? params.durationMs : 0,
+				accomplishments: Array.isArray(params.accomplishments) ? params.accomplishments : [],
+				incomplete: Array.isArray(params.incomplete) ? params.incomplete : [],
+				blockers: Array.isArray(params.blockers) ? params.blockers : [],
+				patterns: Array.isArray(params.patterns) ? params.patterns : [],
+				lessons: Array.isArray(params.lessons) ? params.lessons : [],
+				capabilityUpdates: Array.isArray(params.capabilityUpdates) ? params.capabilityUpdates : [],
+				qualityScore: typeof params.qualityScore === "number" ? params.qualityScore : .5,
+				endingMood: typeof params.endingMood === "string" ? params.endingMood : "steady"
+			}) }, void 0);
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+		}
+	},
+	"reflection.get": async ({ params, respond }) => {
+		const id = typeof params.id === "string" ? params.id.trim() : "";
+		if (!id) {
+			respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "id required"));
+			return;
+		}
+		try {
+			const reflection = getReflection(id);
+			if (!reflection) {
+				respond(false, void 0, errorShape(ErrorCodes.INVALID_REQUEST, "Reflection not found"));
+				return;
+			}
+			respond(true, { reflection }, void 0);
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+		}
+	},
+	"reflection.list": async ({ params, respond }) => {
+		try {
+			respond(true, { reflections: listReflections(typeof params.limit === "number" ? params.limit : 20) }, void 0);
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+		}
+	},
+	"reflection.analyze": async ({ params, respond }) => {
+		try {
+			respond(true, { summary: analyzeReflections(listReflections(typeof params.limit === "number" ? params.limit : 50)) }, void 0);
+		} catch (error) {
+			respond(false, void 0, errorShape(ErrorCodes.UNAVAILABLE, String(error)));
+		}
+	}
+};
 //#endregion
 //#region src/gateway/server-methods/send.ts
 const inflightByContext = /* @__PURE__ */ new WeakMap();
@@ -15825,7 +17841,8 @@ const PAIRING_SCOPE$1 = "operator.pairing";
 const APPROVAL_METHODS = new Set([
 	"exec.approval.request",
 	"exec.approval.waitDecision",
-	"exec.approval.resolve"
+	"exec.approval.resolve",
+	"desktop.control.session.approve"
 ]);
 const NODE_ROLE_METHODS = new Set([
 	"node.invoke.result",
@@ -15874,9 +17891,14 @@ const READ_METHODS = new Set([
 	"node.list",
 	"node.describe",
 	"chat.history",
+	"browser.capabilities.get",
+	"desktop.control.session.list",
+	"desktop.control.session.get",
 	"config.get",
 	"talk.config",
-	"anima.providers.get"
+	"anima.providers.get",
+	"ico.metrics.get",
+	"impact.footprint.get"
 ]);
 const WRITE_METHODS = new Set([
 	"anima.runtime.set-working-mode",
@@ -15900,6 +17922,9 @@ const WRITE_METHODS = new Set([
 	"chat.send",
 	"chat.abort",
 	"browser.request",
+	"desktop.control.session.create",
+	"desktop.control.session.close",
+	"desktop.control.session.request",
 	"anima.providers.set",
 	"anima.providers.rotate"
 ]);
@@ -15932,6 +17957,8 @@ const coreGatewayHandlers = {
 	...logsHandlers,
 	...voicewakeHandlers,
 	...healthHandlers,
+	...icoHandlers,
+	...impactHandlers,
 	...channelsHandlers,
 	...chatHandlers,
 	...cronHandlers,
@@ -15951,6 +17978,7 @@ const coreGatewayHandlers = {
 	...nodeHandlers,
 	...orgHandlers,
 	...egoHandlers,
+	...reflectionHandlers,
 	...steerHandlers,
 	...legacyHandlers,
 	...subscriptionHandlers,
@@ -16899,7 +18927,7 @@ function normalizeAgentPayload(payload) {
 async function startBrowserControlServerIfEnabled() {
 	if (isTruthyEnvValue(process.env.ANIMA_SKIP_BROWSER_CONTROL_SERVER)) return null;
 	const override = process.env.ANIMA_BROWSER_CONTROL_MODULE?.trim();
-	const mod = override ? await import(override) : await import("./control-service-5YtMvm7D.js").then((n) => n.t);
+	const mod = override ? await import(override) : await import("./control-service-BGnqY7vv.js").then((n) => n.t);
 	const start = typeof mod.startBrowserControlServiceFromConfig === "function" ? mod.startBrowserControlServiceFromConfig : mod.startBrowserControlServerFromConfig;
 	const stop = typeof mod.stopBrowserControlService === "function" ? mod.stopBrowserControlService : mod.stopBrowserControlServer;
 	if (!start) return null;
@@ -19773,6 +21801,12 @@ function createGatewayHttpServer(opts) {
 			}));
 			return;
 		}
+		res.setHeader("X-Content-Type-Options", "nosniff");
+		res.setHeader("X-Frame-Options", "DENY");
+		res.setHeader("X-XSS-Protection", "1; mode=block");
+		res.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");
+		res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
+		res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
 		try {
 			const configSnapshot = loadConfig();
 			const trustedProxies = configSnapshot.gateway?.trustedProxies ?? [];
@@ -22067,7 +24101,7 @@ async function startGatewayServer(port = 18789, opts = {}) {
 	if (!minimalTestGateway) cron.start().catch((err) => logCron.error(`failed to start: ${String(err)}`));
 	if (!minimalTestGateway) (async () => {
 		const { recoverPendingDeliveries } = await import("./delivery-queue-CExaJXRz.js").then((n) => n.n);
-		const { deliverOutboundPayloads } = await import("./deliver-BKzX3YoN.js").then((n) => n.n);
+		const { deliverOutboundPayloads } = await import("./deliver-BknvuSJz.js").then((n) => n.n);
 		await recoverPendingDeliveries({
 			deliver: deliverOutboundPayloads,
 			log: log.child("delivery-recovery"),