@openacp/cli 0.6.1 → 0.6.3

package/dist/{chunk-R3UJUOXI.js → chunk-HP2IJYCA.js}

@@ -1,10 +1,11 @@
 import {
   ChannelAdapter,
-  PRODUCT_GUIDE
-} from "./chunk-LGQYTK55.js";
+  PRODUCT_GUIDE,
+  dispatchMessage
+} from "./chunk-FMWSVLRM.js";
 import {
   DoctorEngine
-} from "./chunk-ZCHNAM3B.js";
+} from "./chunk-OHR6SBMC.js";
 import {
   buildMenuKeyboard,
   buildSkillMessages,
@@ -14,7 +15,7 @@ import {
 } from "./chunk-7QJS2XBD.js";
 import {
   AgentCatalog
-} from "./chunk-J6X5SW6O.js";
+} from "./chunk-CKOK7JW6.js";
 import {
   getAgentCapabilities
 } from "./chunk-JKBFUAJK.js";
@@ -23,7 +24,7 @@ import {
   getSafeFields,
   isHotReloadable,
   resolveOptions
-} from "./chunk-4TR5Y3MP.js";
+} from "./chunk-F3AICYO4.js";
 import {
   createChildLogger,
   createSessionLogger
@@ -33,10 +34,10 @@ import {
 function nodeToWebWritable(nodeStream) {
   return new WritableStream({
     write(chunk) {
-      return new Promise((resolve2, reject) => {
+      return new Promise((resolve3, reject) => {
         nodeStream.write(Buffer.from(chunk), (err) => {
           if (err) reject(err);
-          else resolve2();
+          else resolve3();
         });
       });
     }
@@ -71,6 +72,80 @@ var StderrCapture = class {
   }
 };
 
+// src/core/typed-emitter.ts
+var TypedEmitter = class {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  listeners = /* @__PURE__ */ new Map();
+  paused = false;
+  buffer = [];
+  on(event, listener) {
+    let set = this.listeners.get(event);
+    if (!set) {
+      set = /* @__PURE__ */ new Set();
+      this.listeners.set(event, set);
+    }
+    set.add(listener);
+    return this;
+  }
+  off(event, listener) {
+    this.listeners.get(event)?.delete(listener);
+    return this;
+  }
+  emit(event, ...args) {
+    if (this.paused) {
+      if (this.passthroughFn?.(event, args)) {
+        this.deliver(event, args);
+      } else {
+        this.buffer.push({ event, args });
+      }
+      return;
+    }
+    this.deliver(event, args);
+  }
+  /**
+   * Pause event delivery. Events emitted while paused are buffered.
+   * Optionally pass a filter to allow specific events through even while paused.
+   */
+  pause(passthrough) {
+    this.paused = true;
+    this.passthroughFn = passthrough;
+  }
+  passthroughFn;
+  /** Resume event delivery and replay buffered events in order. */
+  resume() {
+    this.paused = false;
+    this.passthroughFn = void 0;
+    const buffered = this.buffer.splice(0);
+    for (const { event, args } of buffered) {
+      this.deliver(event, args);
+    }
+  }
+  /** Discard all buffered events without delivering them. */
+  clearBuffer() {
+    this.buffer.length = 0;
+  }
+  get isPaused() {
+    return this.paused;
+  }
+  get bufferSize() {
+    return this.buffer.length;
+  }
+  removeAllListeners(event) {
+    if (event) {
+      this.listeners.delete(event);
+    } else {
+      this.listeners.clear();
+    }
+  }
+  deliver(event, args) {
+    const set = this.listeners.get(event);
+    if (!set) return;
+    for (const listener of set) {
+      listener(...args);
+    }
+  }
+};
+
 // src/core/agent-instance.ts
 import { spawn, execFileSync } from "child_process";
 import { Transform } from "stream";
@@ -134,7 +209,7 @@ function resolveAgentCommand(cmd) {
   }
   return { command: cmd, args: [] };
 }
-var AgentInstance = class _AgentInstance {
+var AgentInstance = class _AgentInstance extends TypedEmitter {
   connection;
   child;
   stderrCapture;
@@ -142,11 +217,10 @@ var AgentInstance = class _AgentInstance {
   sessionId;
   agentName;
   promptCapabilities;
-  // Callbacks — set by core when wiring events
-  onSessionUpdate = () => {
-  };
+  // Callback — set by core when wiring events
   onPermissionRequest = async () => "";
   constructor(agentName) {
+    super();
     this.agentName = agentName;
   }
   static async spawnSubprocess(agentDef, workingDirectory) {
@@ -169,7 +243,7 @@ var AgentInstance = class _AgentInstance {
         env: { ...process.env, ...agentDef.env }
       }
     );
-    await new Promise((resolve2, reject) => {
+    await new Promise((resolve3, reject) => {
       instance.child.on("error", (err) => {
         reject(
           new Error(
@@ -177,7 +251,7 @@ var AgentInstance = class _AgentInstance {
           )
         );
       });
-      instance.child.on("spawn", () => resolve2());
+      instance.child.on("spawn", () => resolve3());
     });
     instance.stderrCapture = new StderrCapture(50);
     instance.child.stderr.on("data", (chunk) => {
@@ -232,7 +306,7 @@ var AgentInstance = class _AgentInstance {
       );
       if (code !== 0 && code !== null) {
         const stderr = this.stderrCapture.getLastLines();
-        this.onSessionUpdate({
+        this.emit("agent_event", {
           type: "error",
           message: `Agent crashed (exit code ${code})
 ${stderr}`
@@ -371,7 +445,7 @@ ${stderr}`
             return;
         }
         if (event !== null) {
-          self.onSessionUpdate(event);
+          self.emit("agent_event", event);
         }
       },
       // ── Permission requests ──────────────────────────────────────────────
@@ -466,9 +540,9 @@ ${stderr}`
             signal: state.exitStatus.signal
           };
         }
-        return new Promise((resolve2) => {
+        return new Promise((resolve3) => {
           state.process.on("exit", (code, signal) => {
-            resolve2({ exitCode: code, signal });
+            resolve3({ exitCode: code, signal });
           });
         });
       },
@@ -563,80 +637,6 @@ var AgentManager = class {
   }
 };
 
-// src/core/typed-emitter.ts
-var TypedEmitter = class {
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  listeners = /* @__PURE__ */ new Map();
-  paused = false;
-  buffer = [];
-  on(event, listener) {
-    let set = this.listeners.get(event);
-    if (!set) {
-      set = /* @__PURE__ */ new Set();
-      this.listeners.set(event, set);
-    }
-    set.add(listener);
-    return this;
-  }
-  off(event, listener) {
-    this.listeners.get(event)?.delete(listener);
-    return this;
-  }
-  emit(event, ...args) {
-    if (this.paused) {
-      if (this.passthroughFn?.(event, args)) {
-        this.deliver(event, args);
-      } else {
-        this.buffer.push({ event, args });
-      }
-      return;
-    }
-    this.deliver(event, args);
-  }
-  /**
-   * Pause event delivery. Events emitted while paused are buffered.
-   * Optionally pass a filter to allow specific events through even while paused.
-   */
-  pause(passthrough) {
-    this.paused = true;
-    this.passthroughFn = passthrough;
-  }
-  passthroughFn;
-  /** Resume event delivery and replay buffered events in order. */
-  resume() {
-    this.paused = false;
-    this.passthroughFn = void 0;
-    const buffered = this.buffer.splice(0);
-    for (const { event, args } of buffered) {
-      this.deliver(event, args);
-    }
-  }
-  /** Discard all buffered events without delivering them. */
-  clearBuffer() {
-    this.buffer.length = 0;
-  }
-  get isPaused() {
-    return this.paused;
-  }
-  get bufferSize() {
-    return this.buffer.length;
-  }
-  removeAllListeners(event) {
-    if (event) {
-      this.listeners.delete(event);
-    } else {
-      this.listeners.clear();
-    }
-  }
-  deliver(event, args) {
-    const set = this.listeners.get(event);
-    if (!set) return;
-    for (const listener of set) {
-      listener(...args);
-    }
-  }
-};
-
 // src/core/prompt-queue.ts
 var PromptQueue = class {
   constructor(processor, onError) {
@@ -648,8 +648,8 @@ var PromptQueue = class {
   abortController = null;
   async enqueue(text, attachments) {
     if (this.processing) {
-      return new Promise((resolve2) => {
-        this.queue.push({ text, attachments, resolve: resolve2 });
+      return new Promise((resolve3) => {
+        this.queue.push({ text, attachments, resolve: resolve3 });
       });
     }
     await this.process(text, attachments);
@@ -714,8 +714,8 @@ var PermissionGate = class {
     this.request = request;
     this.settled = false;
     this.clearTimeout();
-    return new Promise((resolve2, reject) => {
-      this.resolveFn = resolve2;
+    return new Promise((resolve3, reject) => {
+      this.resolveFn = resolve3;
       this.rejectFn = reject;
       this.timeoutTimer = setTimeout(() => {
         this.reject("Permission request timed out (no response received)");
@@ -763,6 +763,12 @@ var PermissionGate = class {
 import { nanoid } from "nanoid";
 import * as fs2 from "fs";
 var moduleLog = createChildLogger({ module: "session" });
+var TTS_PROMPT_INSTRUCTION = `
+
+Additionally, include a [TTS]...[/TTS] block with a spoken-friendly summary of your response. Focus on key information, decisions the user needs to make, or actions required. The agent decides what to say and how long. Respond in the same language the user is using. This instruction applies to this message only.`;
+var TTS_BLOCK_REGEX = /\[TTS\]([\s\S]*?)\[\/TTS\]/;
+var TTS_MAX_LENGTH = 5e3;
+var TTS_TIMEOUT_MS = 3e4;
 var VALID_TRANSITIONS = {
   initializing: /* @__PURE__ */ new Set(["active", "error"]),
   active: /* @__PURE__ */ new Set(["error", "finished", "cancelled"]),
@@ -781,6 +787,7 @@ var Session = class extends TypedEmitter {
   _status = "initializing";
   name;
   createdAt = /* @__PURE__ */ new Date();
+  voiceMode = "off";
   dangerousMode = false;
   archiving = false;
   log;
@@ -846,6 +853,11 @@ var Session = class extends TypedEmitter {
   get promptRunning() {
     return this.queue.isProcessing;
   }
+  // --- Voice Mode ---
+  setVoiceMode(mode) {
+    this.voiceMode = mode;
+    this.log.info({ voiceMode: mode }, "TTS mode changed");
+  }
   // --- Public API ---
   async enqueuePrompt(text, attachments) {
     await this.queue.enqueue(text, attachments);
@@ -861,11 +873,38 @@ var Session = class extends TypedEmitter {
     const promptStart = Date.now();
     this.log.debug("Prompt execution started");
     const processed = await this.maybeTranscribeAudio(text, attachments);
-    await this.agentInstance.prompt(processed.text, processed.attachments);
+    const ttsActive = this.voiceMode !== "off" && !!this.speechService?.isTTSAvailable();
+    if (ttsActive) {
+      processed.text += TTS_PROMPT_INSTRUCTION;
+      if (this.voiceMode === "next") {
+        this.voiceMode = "off";
+      }
+    }
+    let accumulatedText = "";
+    const accumulatorListener = ttsActive ? (event) => {
+      if (event.type === "text") {
+        accumulatedText += event.content;
+      }
+    } : null;
+    if (accumulatorListener) {
+      this.on("agent_event", accumulatorListener);
+    }
+    try {
+      await this.agentInstance.prompt(processed.text, processed.attachments);
+    } finally {
+      if (accumulatorListener) {
+        this.off("agent_event", accumulatorListener);
+      }
+    }
     this.log.info(
       { durationMs: Date.now() - promptStart },
       "Prompt execution completed"
     );
+    if (ttsActive && accumulatedText) {
+      this.processTTSResponse(accumulatedText).catch((err) => {
+        this.log.warn({ err }, "TTS post-processing failed");
+      });
+    }
     if (!this.name) {
       await this.autoName();
     }
@@ -915,13 +954,44 @@ ${result.text}` : result.text;
       attachments: remainingAttachments.length > 0 ? remainingAttachments : void 0
     };
   }
+  async processTTSResponse(responseText) {
+    const match = TTS_BLOCK_REGEX.exec(responseText);
+    if (!match?.[1]) {
+      this.log.debug("No [TTS] block found in response, skipping synthesis");
+      return;
+    }
+    let ttsText = match[1].trim();
+    if (!ttsText) return;
+    if (ttsText.length > TTS_MAX_LENGTH) {
+      ttsText = ttsText.slice(0, TTS_MAX_LENGTH);
+    }
+    try {
+      const timeoutPromise = new Promise(
+        (_, reject) => setTimeout(() => reject(new Error("TTS synthesis timed out")), TTS_TIMEOUT_MS)
+      );
+      const result = await Promise.race([
+        this.speechService.synthesize(ttsText),
+        timeoutPromise
+      ]);
+      const base64 = result.audioBuffer.toString("base64");
+      this.emit("agent_event", {
+        type: "audio_content",
+        data: base64,
+        mimeType: result.mimeType
+      });
+      this.log.info("TTS synthesis completed");
+    } catch (err) {
+      this.log.warn({ err }, "TTS synthesis failed, skipping");
+    }
+  }
   // NOTE: This injects a summary prompt into the agent's conversation history.
   async autoName() {
     let title = "";
-    const originalHandler = this.agentInstance.onSessionUpdate;
-    this.agentInstance.onSessionUpdate = (event) => {
+    const captureHandler = (event) => {
       if (event.type === "text") title += event.content;
     };
+    this.pause((event) => event !== "agent_event");
+    this.agentInstance.on("agent_event", captureHandler);
     try {
       await this.agentInstance.prompt(
         "Summarize this conversation in max 5 words for a topic title. Reply ONLY with the title, nothing else."
@@ -932,7 +1002,9 @@ ${result.text}` : result.text;
     } catch {
       this.name = `Session ${this.id.slice(0, 6)}`;
     } finally {
-      this.agentInstance.onSessionUpdate = originalHandler;
+      this.agentInstance.off("agent_event", captureHandler);
+      this.clearBuffer();
+      this.resume();
     }
   }
   /** Fire-and-forget warm-up: primes model cache while user types their first message */
@@ -972,6 +1044,10 @@ ${result.text}` : result.text;
 var SessionManager = class {
   sessions = /* @__PURE__ */ new Map();
   store;
+  eventBus;
+  setEventBus(eventBus) {
+    this.eventBus = eventBus;
+  }
   constructor(store = null) {
     this.store = store;
   }
@@ -1074,6 +1150,7 @@ var SessionManager = class {
   async removeRecord(sessionId) {
     if (!this.store) return;
     await this.store.remove(sessionId);
+    this.eventBus?.emit("session:deleted", { sessionId });
   }
   async destroyAll() {
     if (this.store) {
@@ -1198,6 +1275,7 @@ var SessionBridge = class {
   }
   connected = false;
   agentEventHandler;
+  sessionEventHandler;
   statusChangeHandler;
   namedHandler;
   connect() {
@@ -1212,7 +1290,10 @@ var SessionBridge = class {
     if (!this.connected) return;
     this.connected = false;
     if (this.agentEventHandler) {
-      this.session.off("agent_event", this.agentEventHandler);
+      this.session.agentInstance.off("agent_event", this.agentEventHandler);
+    }
+    if (this.sessionEventHandler) {
+      this.session.off("agent_event", this.sessionEventHandler);
     }
     if (this.statusChangeHandler) {
       this.session.off("status_change", this.statusChangeHandler);
@@ -1220,14 +1301,13 @@ var SessionBridge = class {
     if (this.namedHandler) {
       this.session.off("named", this.namedHandler);
     }
-    this.session.agentInstance.onSessionUpdate = () => {
-    };
     this.session.agentInstance.onPermissionRequest = async () => "";
   }
   wireAgentToSession() {
-    this.session.agentInstance.onSessionUpdate = (event) => {
+    this.agentEventHandler = (event) => {
       this.session.emit("agent_event", event);
     };
+    this.session.agentInstance.on("agent_event", this.agentEventHandler);
   }
   wireSessionToAdapter() {
     const session = this.session;
@@ -1239,7 +1319,7 @@ var SessionBridge = class {
         return session.workingDirectory;
       }
     };
-    this.agentEventHandler = (event) => {
+    this.sessionEventHandler = (event) => {
       switch (event.type) {
         case "text":
         case "thought":
@@ -1282,26 +1362,34 @@ var SessionBridge = class {
           break;
         case "image_content": {
           if (this.deps.fileService) {
-            const fs7 = this.deps.fileService;
+            const fs8 = this.deps.fileService;
             const sid = this.session.id;
             const { data, mimeType } = event;
             const buffer = Buffer.from(data, "base64");
             const ext = FileService.extensionFromMime(mimeType);
-            fs7.saveFile(sid, `agent-image${ext}`, buffer, mimeType).then((att) => {
-              this.adapter.sendMessage(sid, { type: "attachment", text: "", attachment: att });
+            fs8.saveFile(sid, `agent-image${ext}`, buffer, mimeType).then((att) => {
+              this.adapter.sendMessage(sid, {
+                type: "attachment",
+                text: "",
+                attachment: att
+              });
             }).catch((err) => log2.error({ err }, "Failed to save agent image"));
           }
           break;
         }
         case "audio_content": {
           if (this.deps.fileService) {
-            const fs7 = this.deps.fileService;
+            const fs8 = this.deps.fileService;
             const sid = this.session.id;
             const { data, mimeType } = event;
             const buffer = Buffer.from(data, "base64");
             const ext = FileService.extensionFromMime(mimeType);
-            fs7.saveFile(sid, `agent-audio${ext}`, buffer, mimeType).then((att) => {
-              this.adapter.sendMessage(sid, { type: "attachment", text: "", attachment: att });
+            fs8.saveFile(sid, `agent-audio${ext}`, buffer, mimeType).then((att) => {
+              this.adapter.sendMessage(sid, {
+                type: "attachment",
+                text: "",
+                attachment: att
+              });
             }).catch((err) => log2.error({ err }, "Failed to save agent audio"));
           }
           break;
@@ -1317,12 +1405,40 @@ var SessionBridge = class {
           );
           break;
       }
+      this.deps.eventBus?.emit("agent:event", {
+        sessionId: this.session.id,
+        event
+      });
     };
-    this.session.on("agent_event", this.agentEventHandler);
+    this.session.on("agent_event", this.sessionEventHandler);
   }
   wirePermissions() {
     this.session.agentInstance.onPermissionRequest = async (request) => {
       this.session.emit("permission_request", request);
+      this.deps.eventBus?.emit("permission:request", {
+        sessionId: this.session.id,
+        permission: request
+      });
+      if (request.description.toLowerCase().includes("openacp")) {
+        const allowOption = request.options.find((o) => o.isAllow);
+        if (allowOption) {
+          log2.info(
+            { sessionId: this.session.id, requestId: request.id },
+            "Auto-approving openacp command"
+          );
+          return allowOption.id;
+        }
+      }
+      if (this.session.dangerousMode) {
+        const allowOption = request.options.find((o) => o.isAllow);
+        if (allowOption) {
+          log2.info(
+            { sessionId: this.session.id, requestId: request.id, optionId: allowOption.id },
+            "Dangerous mode: auto-approving permission"
+          );
+          return allowOption.id;
+        }
+      }
       const promise = this.session.permissionGate.setPending(request);
       await this.adapter.sendPermissionRequest(this.session.id, request);
       return promise;
@@ -1334,6 +1450,10 @@ var SessionBridge = class {
         status: to,
         lastActiveAt: (/* @__PURE__ */ new Date()).toISOString()
       });
+      this.deps.eventBus?.emit("session:updated", {
+        sessionId: this.session.id,
+        status: to
+      });
       if (to === "finished" || to === "cancelled") {
         queueMicrotask(() => this.disconnect());
       }
@@ -1341,6 +1461,10 @@ var SessionBridge = class {
     this.session.on("status_change", this.statusChangeHandler);
     this.namedHandler = (name) => {
       this.deps.sessionManager.patchRecord(this.session.id, { name });
+      this.deps.eventBus?.emit("session:updated", {
+        sessionId: this.session.id,
+        name
+      });
       this.adapter.renameSessionThread(this.session.id, name);
     };
     this.session.on("named", this.namedHandler);
@@ -1371,21 +1495,23 @@ function extractFileInfo(name, kind, content, rawInput, meta) {
   let info = null;
   if (meta) {
     const m = meta;
-    const tr = m?.claudeCode?.toolResponse;
+    const claudeCode = m?.claudeCode;
+    const tr = claudeCode?.toolResponse;
     const file = tr?.file;
-    if (file?.filePath && file?.content) {
+    if (typeof file?.filePath === "string" && typeof file?.content === "string") {
       info = { filePath: file.filePath, content: file.content };
     }
-    if (!info && tr?.filePath && tr?.content) {
+    if (!info && typeof tr?.filePath === "string" && typeof tr?.content === "string") {
       info = { filePath: tr.filePath, content: tr.content };
     }
   }
-  if (!info && rawInput) {
+  if (!info && rawInput && typeof rawInput === "object") {
     const ri = rawInput;
     const filePath = ri?.file_path || ri?.filePath || ri?.path;
     if (typeof filePath === "string") {
       const parsed = content ? parseContent(content) : null;
-      info = { filePath, content: parsed?.content || ri?.content, oldContent: parsed?.oldContent };
+      const riContent = typeof ri?.content === "string" ? ri.content : void 0;
+      info = { filePath, content: parsed?.content || riContent, oldContent: parsed?.oldContent };
     }
   }
   if (!info && content) {
@@ -1780,71 +1906,185 @@ Sessions are NOT blocked \u2014 this is a warning only.`;
   }
 };
 
-// src/core/speech/speech-service.ts
-var SpeechService = class {
-  constructor(config) {
-    this.config = config;
-  }
-  sttProviders = /* @__PURE__ */ new Map();
-  ttsProviders = /* @__PURE__ */ new Map();
-  registerSTTProvider(name, provider) {
-    this.sttProviders.set(name, provider);
-  }
-  registerTTSProvider(name, provider) {
-    this.ttsProviders.set(name, provider);
-  }
-  isSTTAvailable() {
-    const { provider, providers } = this.config.stt;
-    return provider !== null && providers[provider]?.apiKey !== void 0;
-  }
-  isTTSAvailable() {
-    const { provider, providers } = this.config.tts;
-    return provider !== null && providers[provider]?.apiKey !== void 0;
-  }
-  async transcribe(audioBuffer, mimeType, options) {
-    const providerName = this.config.stt.provider;
-    if (!providerName || !this.config.stt.providers[providerName]?.apiKey) {
-      throw new Error("STT not configured. Set speech.stt.provider and API key in config.");
-    }
-    const provider = this.sttProviders.get(providerName);
-    if (!provider) {
-      throw new Error(`STT provider "${providerName}" not registered. Available: ${[...this.sttProviders.keys()].join(", ") || "none"}`);
-    }
-    return provider.transcribe(audioBuffer, mimeType, options);
+// src/core/security-guard.ts
+var SecurityGuard = class {
+  constructor(configManager, sessionManager) {
+    this.configManager = configManager;
+    this.sessionManager = sessionManager;
   }
-  async synthesize(text, options) {
-    const providerName = this.config.tts.provider;
-    if (!providerName || !this.config.tts.providers[providerName]?.apiKey) {
-      throw new Error("TTS not configured. Set speech.tts.provider and API key in config.");
+  checkAccess(message) {
+    const config = this.configManager.get();
+    if (config.security.allowedUserIds.length > 0) {
+      const userId = String(message.userId);
+      if (!config.security.allowedUserIds.includes(userId)) {
+        return { allowed: false, reason: "Unauthorized user" };
+      }
     }
-    const provider = this.ttsProviders.get(providerName);
-    if (!provider) {
-      throw new Error(`TTS provider "${providerName}" not registered. Available: ${[...this.ttsProviders.keys()].join(", ") || "none"}`);
+    const active = this.sessionManager.listSessions().filter((s) => s.status === "active" || s.status === "initializing");
+    if (active.length >= config.security.maxConcurrentSessions) {
+      return { allowed: false, reason: `Session limit reached (${config.security.maxConcurrentSessions})` };
     }
-    return provider.synthesize(text, options);
-  }
-  updateConfig(config) {
-    this.config = config;
+    return { allowed: true };
   }
 };
 
-// src/core/speech/providers/groq.ts
-var GROQ_API_URL = "https://api.groq.com/openai/v1/audio/transcriptions";
-var GroqSTT = class {
-  constructor(apiKey, defaultModel = "whisper-large-v3-turbo") {
-    this.apiKey = apiKey;
-    this.defaultModel = defaultModel;
+// src/core/session-factory.ts
+import { nanoid as nanoid2 } from "nanoid";
+var log5 = createChildLogger({ module: "session-factory" });
+var SessionFactory = class {
+  constructor(agentManager, sessionManager, speechService, eventBus) {
+    this.agentManager = agentManager;
+    this.sessionManager = sessionManager;
+    this.speechService = speechService;
+    this.eventBus = eventBus;
   }
-  name = "groq";
-  async transcribe(audioBuffer, mimeType, options) {
-    const ext = mimeToExt(mimeType);
-    const form = new FormData();
-    form.append("file", new Blob([new Uint8Array(audioBuffer)], { type: mimeType }), `audio${ext}`);
-    form.append("model", options?.model || this.defaultModel);
-    form.append("response_format", "verbose_json");
-    if (options?.language) {
-      form.append("language", options.language);
-    }
+  async create(params) {
+    const agentInstance = params.resumeAgentSessionId ? await this.agentManager.resume(
+      params.agentName,
+      params.workingDirectory,
+      params.resumeAgentSessionId
+    ) : await this.agentManager.spawn(
+      params.agentName,
+      params.workingDirectory
+    );
+    const session = new Session({
+      id: params.existingSessionId,
+      channelId: params.channelId,
+      agentName: params.agentName,
+      workingDirectory: params.workingDirectory,
+      agentInstance,
+      speechService: this.speechService
+    });
+    session.agentSessionId = agentInstance.sessionId;
+    if (params.initialName) {
+      session.name = params.initialName;
+    }
+    this.sessionManager.registerSession(session);
+    this.eventBus.emit("session:created", {
+      sessionId: session.id,
+      agent: session.agentName,
+      status: session.status
+    });
+    return session;
+  }
+  wireSideEffects(session, deps) {
+    if (deps.usageStore) {
+      const usageStore = deps.usageStore;
+      const usageBudget = deps.usageBudget;
+      const notificationManager = deps.notificationManager;
+      session.on("agent_event", (event) => {
+        if (event.type !== "usage") return;
+        const record = {
+          id: nanoid2(),
+          sessionId: session.id,
+          agentName: session.agentName,
+          tokensUsed: event.tokensUsed ?? 0,
+          contextSize: event.contextSize ?? 0,
+          cost: event.cost,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        };
+        usageStore.append(record);
+        if (usageBudget) {
+          const result = usageBudget.check();
+          if (result.message) {
+            notificationManager.notifyAll({
+              sessionId: session.id,
+              sessionName: session.name,
+              type: "budget_warning",
+              summary: result.message
+            });
+          }
+        }
+      });
+    }
+    session.on("status_change", (_from, to) => {
+      if ((to === "finished" || to === "cancelled") && deps.tunnelService) {
+        deps.tunnelService.stopBySession(session.id).then((stopped) => {
+          for (const entry of stopped) {
+            deps.notificationManager.notifyAll({
+              sessionId: session.id,
+              sessionName: session.name,
+              type: "completed",
+              summary: `Tunnel stopped: port ${entry.port}${entry.label ? ` (${entry.label})` : ""} \u2014 session ended`
+            }).catch(() => {
+            });
+          }
+        }).catch(() => {
+        });
+      }
+    });
+  }
+};
+
+// src/core/event-bus.ts
+var EventBus = class extends TypedEmitter {
+};
+
+// src/core/speech/speech-service.ts
+var SpeechService = class {
+  constructor(config) {
+    this.config = config;
+  }
+  sttProviders = /* @__PURE__ */ new Map();
+  ttsProviders = /* @__PURE__ */ new Map();
+  registerSTTProvider(name, provider) {
+    this.sttProviders.set(name, provider);
+  }
+  registerTTSProvider(name, provider) {
+    this.ttsProviders.set(name, provider);
+  }
+  isSTTAvailable() {
+    const { provider, providers } = this.config.stt;
+    return provider !== null && providers[provider]?.apiKey !== void 0;
+  }
+  isTTSAvailable() {
+    const provider = this.config.tts.provider;
+    return provider !== null && this.ttsProviders.has(provider);
+  }
+  async transcribe(audioBuffer, mimeType, options) {
+    const providerName = this.config.stt.provider;
+    if (!providerName || !this.config.stt.providers[providerName]?.apiKey) {
+      throw new Error("STT not configured. Set speech.stt.provider and API key in config.");
+    }
+    const provider = this.sttProviders.get(providerName);
+    if (!provider) {
+      throw new Error(`STT provider "${providerName}" not registered. Available: ${[...this.sttProviders.keys()].join(", ") || "none"}`);
+    }
+    return provider.transcribe(audioBuffer, mimeType, options);
+  }
+  async synthesize(text, options) {
+    const providerName = this.config.tts.provider;
+    if (!providerName) {
+      throw new Error("TTS not configured. Set speech.tts.provider in config.");
+    }
+    const provider = this.ttsProviders.get(providerName);
+    if (!provider) {
+      throw new Error(`TTS provider "${providerName}" not registered. Available: ${[...this.ttsProviders.keys()].join(", ") || "none"}`);
+    }
+    return provider.synthesize(text, options);
+  }
+  updateConfig(config) {
+    this.config = config;
+  }
+};
+
+// src/core/speech/providers/groq.ts
+var GROQ_API_URL = "https://api.groq.com/openai/v1/audio/transcriptions";
+var GroqSTT = class {
+  constructor(apiKey, defaultModel = "whisper-large-v3-turbo") {
+    this.apiKey = apiKey;
+    this.defaultModel = defaultModel;
+  }
+  name = "groq";
+  async transcribe(audioBuffer, mimeType, options) {
+    const ext = mimeToExt(mimeType);
+    const form = new FormData();
+    form.append("file", new Blob([new Uint8Array(audioBuffer)], { type: mimeType }), `audio${ext}`);
+    form.append("model", options?.model || this.defaultModel);
+    form.append("response_format", "verbose_json");
+    if (options?.language) {
+      form.append("language", options.language);
+    }
     const resp = await fetch(GROQ_API_URL, {
       method: "POST",
       headers: { Authorization: `Bearer ${this.apiKey}` },
@@ -1883,6 +2123,33 @@ function mimeToExt(mimeType) {
   return map[mimeType] || ".bin";
 }
 
+// src/core/speech/providers/edge-tts.ts
+var DEFAULT_VOICE = "en-US-AriaNeural";
+var EdgeTTS = class {
+  name = "edge-tts";
+  voice;
+  constructor(voice) {
+    this.voice = voice || DEFAULT_VOICE;
+  }
+  async synthesize(text, options) {
+    const { MsEdgeTTS, OUTPUT_FORMAT } = await import("msedge-tts");
+    const tts = new MsEdgeTTS();
+    const voice = options?.voice || this.voice;
+    const format = OUTPUT_FORMAT.AUDIO_24KHZ_48KBITRATE_MONO_MP3;
+    await tts.setMetadata(voice, format);
+    const { audioStream } = tts.toStream(text);
+    const chunks = [];
+    for await (const chunk of audioStream) {
+      chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+    }
+    tts.close();
+    return {
+      audioBuffer: Buffer.concat(chunks),
+      mimeType: "audio/mpeg"
+    };
+  }
+};
+
 // src/core/core.ts
 import path5 from "path";
 import os from "os";
@@ -1890,7 +2157,7 @@ import os from "os";
 // src/core/session-store.ts
 import fs5 from "fs";
 import path4 from "path";
-var log5 = createChildLogger({ module: "session-store" });
+var log6 = createChildLogger({ module: "session-store" });
 var DEBOUNCE_MS2 = 2e3;
 var JsonFileSessionStore = class {
   records = /* @__PURE__ */ new Map();
@@ -1972,7 +2239,7 @@ var JsonFileSessionStore = class {
         fs5.readFileSync(this.filePath, "utf-8")
       );
       if (raw.version !== 1) {
-        log5.warn(
+        log6.warn(
           { version: raw.version },
           "Unknown session store version, skipping load"
         );
@@ -1981,9 +2248,9 @@ var JsonFileSessionStore = class {
       for (const [id, record] of Object.entries(raw.sessions)) {
         this.records.set(id, record);
       }
-      log5.info({ count: this.records.size }, "Loaded session records");
+      log6.info({ count: this.records.size }, "Loaded session records");
     } catch (err) {
-      log5.error({ err }, "Failed to load session store");
+      log6.error({ err }, "Failed to load session store");
     }
   }
   cleanup() {
@@ -1999,7 +2266,7 @@ var JsonFileSessionStore = class {
       }
     }
     if (removed > 0) {
-      log5.info({ removed }, "Cleaned up expired session records");
+      log6.info({ removed }, "Cleaned up expired session records");
       this.scheduleDiskWrite();
     }
   }
@@ -2012,8 +2279,7 @@ var JsonFileSessionStore = class {
 };
 
 // src/core/core.ts
-import { nanoid as nanoid2 } from "nanoid";
-var log6 = createChildLogger({ module: "core" });
+var log7 = createChildLogger({ module: "core" });
 var OpenACPCore = class {
   configManager;
   agentCatalog;
@@ -2023,12 +2289,15 @@ var OpenACPCore = class {
   messageTransformer;
   fileService;
   speechService;
+  securityGuard;
   adapters = /* @__PURE__ */ new Map();
   /** Set by main.ts — triggers graceful shutdown with restart exit code */
   requestRestart = null;
   _tunnelService;
   sessionStore = null;
   resumeLocks = /* @__PURE__ */ new Map();
+  eventBus;
+  sessionFactory;
   usageStore = null;
   usageBudget = null;
   constructor(configManager) {
@@ -2043,6 +2312,7 @@ var OpenACPCore = class {
       config.sessionStore.ttlDays
     );
     this.sessionManager = new SessionManager(this.sessionStore);
+    this.securityGuard = new SecurityGuard(configManager, this.sessionManager);
     this.notificationManager = new NotificationManager(this.adapters);
     const usageConfig = config.usage;
     if (usageConfig.enabled) {
@@ -2051,30 +2321,68 @@ var OpenACPCore = class {
       this.usageBudget = new UsageBudget(this.usageStore, usageConfig);
     }
     this.messageTransformer = new MessageTransformer();
-    this.fileService = new FileService(path5.join(os.homedir(), ".openacp", "files"));
-    const speechConfig = config.speech ?? { stt: { provider: null, providers: {} }, tts: { provider: null, providers: {} } };
+    this.eventBus = new EventBus();
+    this.sessionManager.setEventBus(this.eventBus);
+    this.fileService = new FileService(
+      path5.join(os.homedir(), ".openacp", "files")
+    );
+    const speechConfig = config.speech ?? {
+      stt: { provider: null, providers: {} },
+      tts: { provider: "edge-tts", providers: {} }
+    };
+    if (speechConfig.tts.provider == null) {
+      speechConfig.tts.provider = "edge-tts";
+    }
     this.speechService = new SpeechService(speechConfig);
     const groqConfig = speechConfig.stt?.providers?.groq;
     if (groqConfig?.apiKey) {
-      this.speechService.registerSTTProvider("groq", new GroqSTT(groqConfig.apiKey, groqConfig.model));
-    }
-    this.configManager.on("config:changed", async ({ path: configPath, value }) => {
-      if (configPath === "logging.level" && typeof value === "string") {
-        const { setLogLevel: setLogLevel2 } = await import("./log-SPS2S6FO.js");
-        setLogLevel2(value);
-        log6.info({ level: value }, "Log level changed at runtime");
-      }
-      if (configPath.startsWith("speech.")) {
-        const newConfig = this.configManager.get();
-        const newSpeechConfig = newConfig.speech ?? { stt: { provider: null, providers: {} }, tts: { provider: null, providers: {} } };
-        this.speechService.updateConfig(newSpeechConfig);
-        const groqCfg = newSpeechConfig.stt?.providers?.groq;
-        if (groqCfg?.apiKey) {
-          this.speechService.registerSTTProvider("groq", new GroqSTT(groqCfg.apiKey, groqCfg.model));
+      this.speechService.registerSTTProvider(
+        "groq",
+        new GroqSTT(groqConfig.apiKey, groqConfig.model)
+      );
+    }
+    {
+      const edgeConfig = speechConfig.tts?.providers?.["edge-tts"];
+      const voice = edgeConfig?.voice;
+      this.speechService.registerTTSProvider("edge-tts", new EdgeTTS(voice));
+    }
+    this.sessionFactory = new SessionFactory(
+      this.agentManager,
+      this.sessionManager,
+      this.speechService,
+      this.eventBus
+    );
+    this.configManager.on(
+      "config:changed",
+      async ({ path: configPath, value }) => {
+        if (configPath === "logging.level" && typeof value === "string") {
+          const { setLogLevel: setLogLevel2 } = await import("./log-SPS2S6FO.js");
+          setLogLevel2(value);
+          log7.info({ level: value }, "Log level changed at runtime");
+        }
+        if (configPath.startsWith("speech.")) {
+          const newConfig = this.configManager.get();
+          const newSpeechConfig = newConfig.speech ?? {
+            stt: { provider: null, providers: {} },
+            tts: { provider: null, providers: {} }
+          };
+          this.speechService.updateConfig(newSpeechConfig);
+          const groqCfg = newSpeechConfig.stt?.providers?.groq;
+          if (groqCfg?.apiKey) {
+            this.speechService.registerSTTProvider(
+              "groq",
+              new GroqSTT(groqCfg.apiKey, groqCfg.model)
+            );
+          }
+          {
+            const edgeConfig = newSpeechConfig.tts?.providers?.["edge-tts"];
+            const voice = edgeConfig?.voice;
+            this.speechService.registerTTSProvider("edge-tts", new EdgeTTS(voice));
+          }
+          log7.info("Speech service config updated at runtime");
         }
-        log6.info("Speech service config updated at runtime");
       }
-    });
+    );
   }
   get tunnelService() {
     return this._tunnelService;
@@ -2088,7 +2396,7 @@ var OpenACPCore = class {
   }
   async start() {
     this.agentCatalog.refreshRegistryIfStale().catch((err) => {
-      log6.warn({ err }, "Background registry refresh failed");
+      log7.warn({ err }, "Background registry refresh failed");
     });
     for (const adapter of this.adapters.values()) {
       await adapter.start();
@@ -2115,13 +2423,16 @@ var OpenACPCore = class {
   async archiveSession(sessionId) {
     const session = this.sessionManager.getSession(sessionId);
     if (!session) return { ok: false, error: "Session not found" };
-    if (session.status === "initializing") return { ok: false, error: "Session is still initializing" };
-    if (session.status !== "active") return { ok: false, error: `Session is ${session.status}` };
+    if (session.status === "initializing")
+      return { ok: false, error: "Session is still initializing" };
+    if (session.status !== "active")
+      return { ok: false, error: `Session is ${session.status}` };
     const adapter = this.adapters.get(session.channelId);
     if (!adapter) return { ok: false, error: "Adapter not found for session" };
     try {
       const result = await adapter.archiveSessionTopic(session.id);
-      if (!result) return { ok: false, error: "Adapter does not support archiving" };
+      if (!result)
+        return { ok: false, error: "Adapter does not support archiving" };
       return { ok: true, newThreadId: result.newThreadId };
     } catch (err) {
       return { ok: false, error: err.message };
@@ -2129,8 +2440,7 @@ var OpenACPCore = class {
   }
   // --- Message Routing ---
   async handleMessage(message) {
-    const config = this.configManager.get();
-    log6.debug(
+    log7.debug(
       {
         channelId: message.channelId,
         threadId: message.threadId,
@@ -2138,32 +2448,17 @@ var OpenACPCore = class {
       },
       "Incoming message"
     );
-    if (config.security.allowedUserIds.length > 0) {
-      const userId = String(message.userId);
-      if (!config.security.allowedUserIds.includes(userId)) {
-        log6.warn(
-          { userId },
-          "Rejected message from unauthorized user"
-        );
-        return;
-      }
-    }
-    const activeSessions = this.sessionManager.listSessions().filter((s) => s.status === "active" || s.status === "initializing");
-    if (activeSessions.length >= config.security.maxConcurrentSessions) {
-      log6.warn(
-        {
-          userId: message.userId,
-          currentCount: activeSessions.length,
-          max: config.security.maxConcurrentSessions
-        },
-        "Session limit reached"
-      );
-      const adapter = this.adapters.get(message.channelId);
-      if (adapter) {
-        await adapter.sendMessage(message.threadId, {
-          type: "error",
-          text: `\u26A0\uFE0F Session limit reached (${config.security.maxConcurrentSessions}). Please cancel existing sessions with /cancel before starting new ones.`
-        });
+    const access = this.securityGuard.checkAccess(message);
+    if (!access.allowed) {
+      log7.warn({ userId: message.userId, reason: access.reason }, "Access denied");
+      if (access.reason.includes("Session limit")) {
+        const adapter = this.adapters.get(message.channelId);
+        if (adapter) {
+          await adapter.sendMessage(message.threadId, {
+            type: "error",
+            text: `\u26A0\uFE0F ${access.reason}. Please cancel existing sessions with /cancel before starting new ones.`
+          });
+        }
       }
       return;
     }
@@ -2175,38 +2470,20 @@ var OpenACPCore = class {
       session = await this.lazyResume(message) ?? void 0;
     }
     if (!session) {
-      log6.warn(
+      log7.warn(
         { channelId: message.channelId, threadId: message.threadId },
         "No session found for thread (in-memory miss + lazy resume returned null)"
       );
       return;
     }
-    this.sessionManager.patchRecord(session.id, { lastActiveAt: (/* @__PURE__ */ new Date()).toISOString() });
+    this.sessionManager.patchRecord(session.id, {
+      lastActiveAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
     await session.enqueuePrompt(message.text, message.attachments);
   }
   // --- Unified Session Creation Pipeline ---
   async createSession(params) {
-    const agentInstance = params.resumeAgentSessionId ? await this.agentManager.resume(
-      params.agentName,
-      params.workingDirectory,
-      params.resumeAgentSessionId
-    ) : await this.agentManager.spawn(
-      params.agentName,
-      params.workingDirectory
-    );
-    const session = new Session({
-      id: params.existingSessionId,
-      channelId: params.channelId,
-      agentName: params.agentName,
-      workingDirectory: params.workingDirectory,
-      agentInstance,
-      speechService: this.speechService
-    });
-    session.agentSessionId = agentInstance.sessionId;
-    if (params.initialName) {
-      session.name = params.initialName;
-    }
-    this.sessionManager.registerSession(session);
+    const session = await this.sessionFactory.create(params);
     const adapter = this.adapters.get(params.channelId);
     if (params.createThread && adapter) {
       const threadId = await adapter.createSessionThread(
@@ -2219,47 +2496,11 @@ var OpenACPCore = class {
       const bridge = this.createBridge(session, adapter);
       bridge.connect();
     }
-    if (this.usageStore) {
-      session.on("agent_event", (event) => {
-        if (event.type !== "usage") return;
-        const record = {
-          id: nanoid2(),
-          sessionId: session.id,
-          agentName: session.agentName,
-          tokensUsed: event.tokensUsed ?? 0,
-          contextSize: event.contextSize ?? 0,
-          cost: event.cost,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        };
-        this.usageStore.append(record);
-        if (this.usageBudget) {
-          const result = this.usageBudget.check();
-          if (result.message) {
-            this.notificationManager.notifyAll({
-              sessionId: session.id,
-              sessionName: session.name,
-              type: "budget_warning",
-              summary: result.message
-            });
-          }
-        }
-      });
-    }
-    session.on("status_change", (_from, to) => {
-      if ((to === "finished" || to === "cancelled") && this._tunnelService) {
-        this._tunnelService.stopBySession(session.id).then((stopped) => {
-          for (const entry of stopped) {
-            this.notificationManager.notifyAll({
-              sessionId: session.id,
-              sessionName: session.name,
-              type: "completed",
-              summary: `Tunnel stopped: port ${entry.port}${entry.label ? ` (${entry.label})` : ""} \u2014 session ended`
-            }).catch(() => {
-            });
-          }
-        }).catch(() => {
-        });
-      }
+    this.sessionFactory.wireSideEffects(session, {
+      usageStore: this.usageStore,
+      usageBudget: this.usageBudget,
+      notificationManager: this.notificationManager,
+      tunnelService: this._tunnelService
     });
     const existingRecord = this.sessionStore?.get(session.id);
     const platform = {
@@ -2274,7 +2515,7 @@ var OpenACPCore = class {
     }
     await this.sessionManager.patchRecord(session.id, {
       sessionId: session.id,
-      agentSessionId: agentInstance.sessionId,
+      agentSessionId: session.agentSessionId,
       agentName: params.agentName,
       workingDir: params.workingDirectory,
       channelId: params.channelId,
@@ -2284,7 +2525,7 @@ var OpenACPCore = class {
       name: session.name,
       platform
     });
-    log6.info(
+    log7.info(
       { sessionId: session.id, agentName: params.agentName },
       "Session created via pipeline"
     );
@@ -2293,7 +2534,7 @@ var OpenACPCore = class {
   async handleNewSession(channelId, agentName, workspacePath) {
     const config = this.configManager.get();
     const resolvedAgent = agentName || config.defaultAgent;
-    log6.info({ channelId, agentName: resolvedAgent }, "New session request");
+    log7.info({ channelId, agentName: resolvedAgent }, "New session request");
     const agentDef = this.agentCatalog.resolve(resolvedAgent);
     const resolvedWorkspace = this.configManager.resolveWorkspace(
       workspacePath || agentDef?.workingDirectory
@@ -2304,28 +2545,46 @@ var OpenACPCore = class {
       workingDirectory: resolvedWorkspace
     });
   }
-  async adoptSession(agentName, agentSessionId, cwd) {
+  async adoptSession(agentName, agentSessionId, cwd, channelId) {
     const caps = getAgentCapabilities(agentName);
     if (!caps.supportsResume) {
-      return { ok: false, error: "agent_not_supported", message: `Agent '${agentName}' does not support session resume` };
+      return {
+        ok: false,
+        error: "agent_not_supported",
+        message: `Agent '${agentName}' does not support session resume`
+      };
     }
     const agentDef = this.agentManager.getAgent(agentName);
     if (!agentDef) {
-      return { ok: false, error: "agent_not_supported", message: `Agent '${agentName}' not found` };
+      return {
+        ok: false,
+        error: "agent_not_supported",
+        message: `Agent '${agentName}' not found`
+      };
     }
-    const { existsSync } = await import("fs");
-    if (!existsSync(cwd)) {
-      return { ok: false, error: "invalid_cwd", message: `Directory does not exist: ${cwd}` };
+    const { existsSync: existsSync2 } = await import("fs");
+    if (!existsSync2(cwd)) {
+      return {
+        ok: false,
+        error: "invalid_cwd",
+        message: `Directory does not exist: ${cwd}`
+      };
     }
     const maxSessions = this.configManager.get().security.maxConcurrentSessions;
     if (this.sessionManager.listSessions().length >= maxSessions) {
-      return { ok: false, error: "session_limit", message: "Maximum concurrent sessions reached" };
+      return {
+        ok: false,
+        error: "session_limit",
+        message: "Maximum concurrent sessions reached"
+      };
     }
     const existingRecord = this.sessionManager.getRecordByAgentSessionId(agentSessionId);
     if (existingRecord) {
+      const sameChannel = !channelId || existingRecord.channelId === channelId;
       const platform = existingRecord.platform;
-      if (platform?.topicId) {
-        const adapter = this.adapters.values().next().value;
+      const existingThreadId = platform?.topicId ? String(platform.topicId) : platform?.threadId;
+      if (existingThreadId && sameChannel) {
+        const adapter = this.adapters.get(existingRecord.channelId) ?? this.adapters.values().next().value;
         if (adapter) {
           try {
             await adapter.sendMessage(existingRecord.sessionId, {
@@ -2338,16 +2597,25 @@ var OpenACPCore = class {
         return {
           ok: true,
           sessionId: existingRecord.sessionId,
-          threadId: String(platform.topicId),
+          threadId: existingThreadId,
           status: "existing"
         };
       }
     }
-    const firstEntry = this.adapters.entries().next().value;
-    if (!firstEntry) {
-      return { ok: false, error: "no_adapter", message: "No channel adapter registered" };
+    let adapterChannelId;
+    if (channelId) {
+      if (!this.adapters.has(channelId)) {
+        const available = Array.from(this.adapters.keys()).join(", ") || "none";
+        return { ok: false, error: "adapter_not_found", message: `Adapter '${channelId}' is not connected. Available: ${available}` };
+      }
+      adapterChannelId = channelId;
+    } else {
+      const firstEntry = this.adapters.entries().next().value;
+      if (!firstEntry) {
+        return { ok: false, error: "no_adapter", message: "No channel adapter registered" };
+      }
+      adapterChannelId = firstEntry[0];
     }
-    const [adapterChannelId] = firstEntry;
     let session;
     try {
       session = await this.createSession({
@@ -2365,9 +2633,15 @@ var OpenACPCore = class {
         message: `Failed to resume session: ${err instanceof Error ? err.message : String(err)}`
       };
     }
+    const adoptPlatform = {};
+    if (adapterChannelId === "telegram") {
+      adoptPlatform.topicId = Number(session.threadId);
+    } else {
+      adoptPlatform.threadId = session.threadId;
+    }
     await this.sessionManager.patchRecord(session.id, {
       originalAgentSessionId: agentSessionId,
-      platform: { topicId: Number(session.threadId) }
+      platform: adoptPlatform
     });
     return {
       ok: true,
@@ -2388,8 +2662,12 @@ var OpenACPCore = class {
         currentSession.workingDirectory
       );
     }
-    const record = this.sessionManager.getRecordByThread(channelId, currentThreadId);
-    if (!record || record.status === "cancelled" || record.status === "error") return null;
+    const record = this.sessionManager.getRecordByThread(
+      channelId,
+      currentThreadId
+    );
+    if (!record || record.status === "cancelled" || record.status === "error")
+      return null;
     return this.handleNewSession(
       channelId,
       record.agentName,
@@ -2397,6 +2675,15 @@ var OpenACPCore = class {
     );
   }
   // --- Lazy Resume ---
+  /**
+   * Get active session by thread, or attempt lazy resume from store.
+   * Used by adapter command handlers that need a session but don't go through handleMessage().
+   */
+  async getOrResumeSession(channelId, threadId) {
+    const session = this.sessionManager.getSessionByThread(channelId, threadId);
+    if (session) return session;
+    return this.lazyResume({ channelId, threadId, userId: "", text: "" });
+  }
   async lazyResume(message) {
     const store = this.sessionStore;
     if (!store) return null;
@@ -2408,21 +2695,29 @@ var OpenACPCore = class {
       (p) => String(p.topicId) === message.threadId
     );
     if (!record) {
-      log6.debug(
+      log7.debug(
         { threadId: message.threadId, channelId: message.channelId },
         "No session record found for thread"
       );
       return null;
     }
     if (record.status === "error") {
-      log6.debug(
-        { threadId: message.threadId, sessionId: record.sessionId, status: record.status },
+      log7.debug(
+        {
+          threadId: message.threadId,
+          sessionId: record.sessionId,
+          status: record.status
+        },
         "Skipping resume of error session"
       );
       return null;
     }
-    log6.info(
-      { threadId: message.threadId, sessionId: record.sessionId, status: record.status },
+    log7.info(
+      {
+        threadId: message.threadId,
+        sessionId: record.sessionId,
+        status: record.status
+      },
       "Lazy resume: found record, attempting resume"
     );
     const resumePromise = (async () => {
@@ -2438,13 +2733,13 @@ var OpenACPCore = class {
         session.threadId = message.threadId;
         session.activate();
         session.dangerousMode = record.dangerousMode ?? false;
-        log6.info(
+        log7.info(
           { sessionId: session.id, threadId: message.threadId },
           "Lazy resume successful"
         );
         return session;
       } catch (err) {
-        log6.error({ err, record }, "Lazy resume failed");
+        log7.error({ err, record }, "Lazy resume failed");
         const adapter = this.adapters.get(message.channelId);
         if (adapter) {
           try {
@@ -2470,213 +2765,327 @@ var OpenACPCore = class {
       messageTransformer: this.messageTransformer,
       notificationManager: this.notificationManager,
       sessionManager: this.sessionManager,
+      eventBus: this.eventBus,
       fileService: this.fileService
     });
   }
 };
 
-// src/core/api-server.ts
-import * as http from "http";
-import * as fs6 from "fs";
-import * as path6 from "path";
-import * as os2 from "os";
-import * as crypto from "crypto";
-import { fileURLToPath } from "url";
-var log7 = createChildLogger({ module: "api-server" });
-var DEFAULT_PORT_FILE = path6.join(os2.homedir(), ".openacp", "api.port");
-var cachedVersion;
-function getVersion() {
-  if (cachedVersion) return cachedVersion;
-  try {
-    const __filename = fileURLToPath(import.meta.url);
-    const pkgPath = path6.resolve(path6.dirname(__filename), "../../package.json");
-    const pkg = JSON.parse(fs6.readFileSync(pkgPath, "utf-8"));
-    cachedVersion = pkg.version ?? "0.0.0-dev";
-  } catch {
-    cachedVersion = "0.0.0-dev";
+// src/core/sse-manager.ts
+var SSEManager = class {
+  constructor(eventBus, getSessionStats, startedAt) {
+    this.eventBus = eventBus;
+    this.getSessionStats = getSessionStats;
+    this.startedAt = startedAt;
+  }
+  sseConnections = /* @__PURE__ */ new Set();
+  sseCleanupHandlers = /* @__PURE__ */ new Map();
+  healthInterval;
+  boundHandlers = [];
+  setup() {
+    if (!this.eventBus) return;
+    const events = [
+      "session:created",
+      "session:updated",
+      "session:deleted",
+      "agent:event",
+      "permission:request"
+    ];
+    for (const eventName of events) {
+      const handler = (data) => {
+        this.broadcast(eventName, data);
+      };
+      this.eventBus.on(eventName, handler);
+      this.boundHandlers.push({ event: eventName, handler });
+    }
+    this.healthInterval = setInterval(() => {
+      const mem = process.memoryUsage();
+      const stats = this.getSessionStats();
+      this.broadcast("health", {
+        uptime: Date.now() - this.startedAt,
+        memory: {
+          rss: mem.rss,
+          heapUsed: mem.heapUsed,
+          heapTotal: mem.heapTotal
+        },
+        sessions: stats
+      });
+    }, 3e4);
+  }
+  handleRequest(req, res) {
+    const parsedUrl = new URL(req.url || "", "http://localhost");
+    const sessionFilter = parsedUrl.searchParams.get("sessionId");
+    res.writeHead(200, {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      Connection: "keep-alive"
+    });
+    res.flushHeaders();
+    res.sessionFilter = sessionFilter ?? void 0;
+    this.sseConnections.add(res);
+    const cleanup = () => {
+      this.sseConnections.delete(res);
+      this.sseCleanupHandlers.delete(res);
+    };
+    this.sseCleanupHandlers.set(res, cleanup);
+    req.on("close", cleanup);
   }
-  return cachedVersion;
-}
-var SENSITIVE_KEYS = ["botToken", "token", "apiKey", "secret", "password", "webhookSecret"];
-function redactConfig(config) {
-  const redacted = structuredClone(config);
-  redactDeep(redacted);
-  return redacted;
-}
-function redactDeep(obj) {
-  for (const [key, value] of Object.entries(obj)) {
-    if (SENSITIVE_KEYS.includes(key) && typeof value === "string") {
-      obj[key] = "***";
-    } else if (value && typeof value === "object" && !Array.isArray(value)) {
-      redactDeep(value);
+  broadcast(event, data) {
+    const payload = `event: ${event}
+data: ${JSON.stringify(data)}
+
+`;
+    const sessionEvents = [
+      "agent:event",
+      "permission:request",
+      "session:updated"
+    ];
+    for (const res of this.sseConnections) {
+      const filter = res.sessionFilter;
+      if (filter && sessionEvents.includes(event)) {
+        const eventData = data;
+        if (eventData.sessionId !== filter) continue;
+      }
+      try {
+        if (res.writable) res.write(payload);
+      } catch {
+      }
     }
   }
-}
-var ApiServer = class {
-  constructor(core, config, portFilePath, topicManager, secretFilePath) {
-    this.core = core;
-    this.config = config;
-    this.topicManager = topicManager;
-    this.portFilePath = portFilePath ?? DEFAULT_PORT_FILE;
-    this.secretFilePath = secretFilePath ?? path6.join(os2.homedir(), ".openacp", "api-secret");
+  stop() {
+    if (this.healthInterval) clearInterval(this.healthInterval);
+    if (this.eventBus) {
+      for (const { event, handler } of this.boundHandlers) {
+        this.eventBus.off(event, handler);
+      }
+    }
+    this.boundHandlers = [];
+    const entries = [...this.sseCleanupHandlers];
+    for (const [res, cleanup] of entries) {
+      res.end();
+      cleanup();
+    }
   }
-  server = null;
-  actualPort = 0;
-  portFilePath;
-  startedAt = Date.now();
-  secret = "";
-  secretFilePath;
-  async start() {
-    this.loadOrCreateSecret();
-    this.server = http.createServer((req, res) => this.handleRequest(req, res));
-    await new Promise((resolve2, reject) => {
-      this.server.on("error", (err) => {
-        if (err.code === "EADDRINUSE") {
-          log7.warn({ port: this.config.port }, "API port in use, continuing without API server");
-          this.server = null;
-          resolve2();
-        } else {
-          reject(err);
-        }
-      });
-      this.server.listen(this.config.port, this.config.host, () => {
-        const addr = this.server.address();
-        if (addr && typeof addr === "object") {
-          this.actualPort = addr.port;
+};
+
+// src/core/static-server.ts
+import * as fs6 from "fs";
+import * as path6 from "path";
+import { fileURLToPath } from "url";
+var MIME_TYPES = {
+  ".html": "text/html; charset=utf-8",
+  ".js": "application/javascript; charset=utf-8",
+  ".css": "text/css; charset=utf-8",
+  ".json": "application/json; charset=utf-8",
+  ".png": "image/png",
+  ".jpg": "image/jpeg",
+  ".svg": "image/svg+xml",
+  ".ico": "image/x-icon",
+  ".woff": "font/woff",
+  ".woff2": "font/woff2"
+};
+var StaticServer = class {
+  uiDir;
+  constructor(uiDir) {
+    this.uiDir = uiDir;
+    if (!this.uiDir) {
+      const __filename = fileURLToPath(import.meta.url);
+      const candidate = path6.resolve(path6.dirname(__filename), "../../ui/dist");
+      if (fs6.existsSync(path6.join(candidate, "index.html"))) {
+        this.uiDir = candidate;
+      }
+      if (!this.uiDir) {
+        const publishCandidate = path6.resolve(
+          path6.dirname(__filename),
+          "../ui"
+        );
+        if (fs6.existsSync(path6.join(publishCandidate, "index.html"))) {
+          this.uiDir = publishCandidate;
         }
-        this.writePortFile();
-        log7.info({ host: this.config.host, port: this.actualPort }, "API server listening");
-        resolve2();
-      });
-    });
+      }
+    }
   }
-  async stop() {
-    this.removePortFile();
-    if (this.server) {
-      await new Promise((resolve2) => {
-        this.server.close(() => resolve2());
+  isAvailable() {
+    return this.uiDir !== void 0;
+  }
+  serve(req, res) {
+    if (!this.uiDir) return false;
+    const urlPath = (req.url || "/").split("?")[0];
+    const safePath = path6.normalize(urlPath);
+    const filePath = path6.join(this.uiDir, safePath);
+    if (!filePath.startsWith(this.uiDir + path6.sep) && filePath !== this.uiDir)
+      return false;
+    if (fs6.existsSync(filePath) && fs6.statSync(filePath).isFile()) {
+      const ext = path6.extname(filePath);
+      const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
+      const isHashed = /\.[a-zA-Z0-9]{8,}\.(js|css)$/.test(filePath);
+      const cacheControl = isHashed ? "public, max-age=31536000, immutable" : "no-cache";
+      res.writeHead(200, {
+        "Content-Type": contentType,
+        "Cache-Control": cacheControl
       });
-      this.server = null;
+      fs6.createReadStream(filePath).pipe(res);
+      return true;
+    }
+    const indexPath = path6.join(this.uiDir, "index.html");
+    if (fs6.existsSync(indexPath)) {
+      res.writeHead(200, {
+        "Content-Type": "text/html; charset=utf-8",
+        "Cache-Control": "no-cache"
+      });
+      fs6.createReadStream(indexPath).pipe(res);
+      return true;
     }
+    return false;
   }
-  getPort() {
-    return this.actualPort;
+};
+
+// src/core/api/index.ts
+import * as http from "http";
+import * as fs7 from "fs";
+import * as path7 from "path";
+import * as os2 from "os";
+import * as crypto from "crypto";
+import { fileURLToPath as fileURLToPath2 } from "url";
+
+// src/core/api/router.ts
+var Router = class {
+  routes = [];
+  get(path8, handler) {
+    this.add("GET", path8, handler);
   }
-  writePortFile() {
-    const dir = path6.dirname(this.portFilePath);
-    fs6.mkdirSync(dir, { recursive: true });
-    fs6.writeFileSync(this.portFilePath, String(this.actualPort));
+  post(path8, handler) {
+    this.add("POST", path8, handler);
   }
-  removePortFile() {
-    try {
-      fs6.unlinkSync(this.portFilePath);
-    } catch {
-    }
+  put(path8, handler) {
+    this.add("PUT", path8, handler);
   }
-  loadOrCreateSecret() {
-    const dir = path6.dirname(this.secretFilePath);
-    fs6.mkdirSync(dir, { recursive: true });
-    try {
-      this.secret = fs6.readFileSync(this.secretFilePath, "utf-8").trim();
-      if (this.secret) {
-        try {
-          const stat = fs6.statSync(this.secretFilePath);
-          const mode = stat.mode & 511;
-          if (mode & 63) {
-            log7.warn({ path: this.secretFilePath, mode: "0" + mode.toString(8) }, "API secret file has insecure permissions (should be 0600). Run: chmod 600 %s", this.secretFilePath);
-          }
-        } catch {
-        }
-        return;
+  patch(path8, handler) {
+    this.add("PATCH", path8, handler);
+  }
+  delete(path8, handler) {
+    this.add("DELETE", path8, handler);
+  }
+  match(method, url) {
+    const pathname = url.split("?")[0];
+    for (const route of this.routes) {
+      if (route.method !== method) continue;
+      const m = pathname.match(route.pattern);
+      if (!m) continue;
+      const params = {};
+      for (let i = 0; i < route.keys.length; i++) {
+        params[route.keys[i]] = m[i + 1];
       }
-    } catch {
+      return { handler: route.handler, params };
     }
-    this.secret = crypto.randomBytes(32).toString("hex");
-    fs6.writeFileSync(this.secretFilePath, this.secret, { mode: 384 });
+    return null;
   }
-  authenticate(req) {
-    const authHeader = req.headers.authorization;
-    if (!authHeader?.startsWith("Bearer ")) return false;
-    const token = authHeader.slice(7);
-    if (token.length !== this.secret.length) return false;
-    return crypto.timingSafeEqual(Buffer.from(token, "utf-8"), Buffer.from(this.secret, "utf-8"));
+  add(method, path8, handler) {
+    const keys = [];
+    const pattern = path8.replace(/:(\w+)/g, (_, key) => {
+      keys.push(key);
+      return "([^/]+)";
+    });
+    this.routes.push({
+      method,
+      pattern: new RegExp(`^${pattern}$`),
+      keys,
+      handler
+    });
   }
-  async handleRequest(req, res) {
-    const method = req.method?.toUpperCase();
-    const url = req.url || "";
-    const isExempt = method === "GET" && (url === "/api/health" || url === "/api/version");
-    if (!isExempt && !this.authenticate(req)) {
-      this.sendJson(res, 401, { error: "Unauthorized" });
+};
+
+// src/core/api/routes/health.ts
+function registerHealthRoutes(router, deps) {
+  router.get("/api/health", async (_req, res) => {
+    const activeSessions = deps.core.sessionManager.listSessions();
+    const allRecords = deps.core.sessionManager.listRecords();
+    const mem = process.memoryUsage();
+    const tunnel = deps.core.tunnelService;
+    deps.sendJson(res, 200, {
+      status: "ok",
+      uptime: Date.now() - deps.startedAt,
+      version: deps.getVersion(),
+      memory: {
+        rss: mem.rss,
+        heapUsed: mem.heapUsed,
+        heapTotal: mem.heapTotal
+      },
+      sessions: {
+        active: activeSessions.filter(
+          (s) => s.status === "active" || s.status === "initializing"
+        ).length,
+        total: allRecords.length
+      },
+      adapters: Array.from(deps.core.adapters.keys()),
+      tunnel: tunnel ? { enabled: true, url: tunnel.getPublicUrl() } : { enabled: false }
+    });
+  });
+  router.get("/api/version", async (_req, res) => {
+    deps.sendJson(res, 200, { version: deps.getVersion() });
+  });
+  router.post("/api/restart", async (_req, res) => {
+    if (!deps.core.requestRestart) {
+      deps.sendJson(res, 501, { error: "Restart not available" });
       return;
     }
+    deps.sendJson(res, 200, { ok: true, message: "Restarting..." });
+    setImmediate(() => deps.core.requestRestart());
+  });
+  router.get("/api/adapters", async (_req, res) => {
+    const adapters = Array.from(deps.core.adapters.entries()).map(([name]) => ({
+      name,
+      type: "built-in"
+    }));
+    deps.sendJson(res, 200, { adapters });
+  });
+}
+
+// src/core/api/routes/sessions.ts
+var log8 = createChildLogger({ module: "api-server" });
+function registerSessionRoutes(router, deps) {
+  router.post("/api/sessions/adopt", async (req, res) => {
+    const body = await deps.readBody(req);
+    if (body === null) {
+      return deps.sendJson(res, 413, { error: "Request body too large" });
+    }
+    if (!body) {
+      return deps.sendJson(res, 400, {
+        error: "bad_request",
+        message: "Empty request body"
+      });
+    }
+    let parsed;
     try {
-      if (method === "POST" && url === "/api/sessions/adopt") {
-        await this.handleAdoptSession(req, res);
-      } else if (method === "POST" && url === "/api/sessions") {
-        await this.handleCreateSession(req, res);
-      } else if (method === "POST" && url.match(/^\/api\/sessions\/([^/]+)\/prompt$/)) {
-        const sessionId = decodeURIComponent(url.match(/^\/api\/sessions\/([^/]+)\/prompt$/)[1]);
-        await this.handleSendPrompt(sessionId, req, res);
-      } else if (method === "PATCH" && url.match(/^\/api\/sessions\/([^/]+)\/dangerous$/)) {
-        const sessionId = decodeURIComponent(url.match(/^\/api\/sessions\/([^/]+)\/dangerous$/)[1]);
-        await this.handleToggleDangerous(sessionId, req, res);
-      } else if (method === "GET" && url.match(/^\/api\/sessions\/([^/]+)$/)) {
-        const sessionId = decodeURIComponent(url.match(/^\/api\/sessions\/([^/]+)$/)[1]);
-        await this.handleGetSession(sessionId, res);
-      } else if (method === "POST" && url.match(/^\/api\/sessions\/([^/]+)\/archive$/)) {
-        const sessionId = decodeURIComponent(url.match(/^\/api\/sessions\/([^/]+)\/archive$/)[1]);
-        await this.handleArchiveSession(sessionId, res);
-      } else if (method === "DELETE" && url.match(/^\/api\/sessions\/([^/]+)$/)) {
-        const sessionId = decodeURIComponent(url.match(/^\/api\/sessions\/([^/]+)$/)[1]);
-        await this.handleCancelSession(sessionId, res);
-      } else if (method === "GET" && url === "/api/sessions") {
-        await this.handleListSessions(res);
-      } else if (method === "GET" && url === "/api/agents") {
-        await this.handleListAgents(res);
-      } else if (method === "GET" && url === "/api/health") {
-        await this.handleHealth(res);
-      } else if (method === "GET" && url === "/api/version") {
-        await this.handleVersion(res);
-      } else if (method === "GET" && url === "/api/config/editable") {
-        await this.handleGetEditableConfig(res);
-      } else if (method === "GET" && url === "/api/config") {
-        await this.handleGetConfig(res);
-      } else if (method === "PATCH" && url === "/api/config") {
-        await this.handleUpdateConfig(req, res);
-      } else if (method === "GET" && url === "/api/adapters") {
-        await this.handleListAdapters(res);
-      } else if (method === "GET" && url === "/api/tunnel") {
-        await this.handleTunnelStatus(res);
-      } else if (method === "GET" && url === "/api/tunnel/list") {
-        await this.handleTunnelList(res);
-      } else if (method === "POST" && url === "/api/tunnel") {
-        await this.handleTunnelAdd(req, res);
-      } else if (method === "DELETE" && url === "/api/tunnel") {
-        await this.handleTunnelStopAll(res);
-      } else if (method === "DELETE" && url.match(/^\/api\/tunnel\/(\d+)$/)) {
-        const port = parseInt(url.match(/^\/api\/tunnel\/(\d+)$/)[1], 10);
-        await this.handleTunnelStop(port, res);
-      } else if (method === "POST" && url === "/api/notify") {
-        await this.handleNotify(req, res);
-      } else if (method === "POST" && url === "/api/restart") {
-        await this.handleRestart(res);
-      } else if (method === "GET" && url.match(/^\/api\/topics(\?.*)?$/)) {
-        await this.handleListTopics(url, res);
-      } else if (method === "POST" && url === "/api/topics/cleanup") {
-        await this.handleCleanupTopics(req, res);
-      } else if (method === "DELETE" && url.match(/^\/api\/topics\/([^/?]+)/)) {
-        const match = url.match(/^\/api\/topics\/([^/?]+)/);
-        await this.handleDeleteTopic(decodeURIComponent(match[1]), url, res);
-      } else {
-        this.sendJson(res, 404, { error: "Not found" });
-      }
-    } catch (err) {
-      log7.error({ err }, "API request error");
-      this.sendJson(res, 500, { error: "Internal server error" });
+      parsed = JSON.parse(body);
+    } catch {
+      return deps.sendJson(res, 400, {
+        error: "bad_request",
+        message: "Invalid JSON"
+      });
     }
-  }
-  async handleCreateSession(req, res) {
-    const body = await this.readBody(req);
+    const { agent, agentSessionId, cwd, channel } = parsed;
+    if (!agent || !agentSessionId) {
+      return deps.sendJson(res, 400, {
+        error: "bad_request",
+        message: "Missing required fields: agent, agentSessionId"
+      });
+    }
+    const result = await deps.core.adoptSession(
+      agent,
+      agentSessionId,
+      cwd ?? process.cwd(),
+      channel
+    );
+    if (result.ok) {
+      return deps.sendJson(res, 200, result);
+    } else {
+      const status = result.error === "session_limit" ? 429 : result.error === "agent_not_supported" ? 400 : 500;
+      return deps.sendJson(res, status, result);
+    }
+  });
+  router.post("/api/sessions", async (req, res) => {
+    const body = await deps.readBody(req);
     let agent;
     let workspace;
     if (body) {
@@ -2685,25 +3094,28 @@ var ApiServer = class {
         agent = parsed.agent;
         workspace = parsed.workspace;
       } catch {
-        this.sendJson(res, 400, { error: "Invalid JSON body" });
+        deps.sendJson(res, 400, { error: "Invalid JSON body" });
         return;
       }
     }
-    const config = this.core.configManager.get();
-    const activeSessions = this.core.sessionManager.listSessions().filter((s) => s.status === "active" || s.status === "initializing");
+    const config = deps.core.configManager.get();
+    const activeSessions = deps.core.sessionManager.listSessions().filter((s) => s.status === "active" || s.status === "initializing");
     if (activeSessions.length >= config.security.maxConcurrentSessions) {
-      this.sendJson(res, 429, {
+      deps.sendJson(res, 429, {
         error: `Max concurrent sessions (${config.security.maxConcurrentSessions}) reached. Cancel a session first.`
       });
       return;
     }
-    const [adapterId, adapter] = this.core.adapters.entries().next().value ?? [null, null];
+    const [adapterId, adapter] = deps.core.adapters.entries().next().value ?? [
+      null,
+      null
+    ];
     const channelId = adapterId ?? "api";
     const resolvedAgent = agent || config.defaultAgent;
-    const resolvedWorkspace = this.core.configManager.resolveWorkspace(
+    const resolvedWorkspace = deps.core.configManager.resolveWorkspace(
       workspace || config.agents[resolvedAgent]?.workingDirectory
     );
-    const session = await this.core.createSession({
+    const session = await deps.core.createSession({
       channelId,
       agentName: resolvedAgent,
       workingDirectory: resolvedWorkspace,
@@ -2713,54 +3125,138 @@ var ApiServer = class {
     if (!adapter) {
       session.agentInstance.onPermissionRequest = async (request) => {
         const allowOption = request.options.find((o) => o.isAllow);
-        log7.debug({ sessionId: session.id, permissionId: request.id, option: allowOption?.id }, "Auto-approving permission for API session");
+        log8.debug(
+          {
+            sessionId: session.id,
+            permissionId: request.id,
+            option: allowOption?.id
+          },
+          "Auto-approving permission for API session"
+        );
         return allowOption?.id ?? request.options[0]?.id ?? "";
       };
     }
-    session.warmup().catch((err) => log7.warn({ err, sessionId: session.id }, "API session warmup failed"));
-    this.sendJson(res, 200, {
+    session.warmup().catch(
+      (err) => log8.warn({ err, sessionId: session.id }, "API session warmup failed")
+    );
+    deps.sendJson(res, 200, {
       sessionId: session.id,
       agent: session.agentName,
       status: session.status,
       workspace: session.workingDirectory
     });
-  }
-  async handleSendPrompt(sessionId, req, res) {
-    const session = this.core.sessionManager.getSession(sessionId);
+  });
+  router.post("/api/sessions/:sessionId/prompt", async (req, res, params) => {
+    const sessionId = decodeURIComponent(params.sessionId);
+    const session = deps.core.sessionManager.getSession(sessionId);
     if (!session) {
-      this.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+      deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
       return;
     }
     if (session.status === "cancelled" || session.status === "finished" || session.status === "error") {
-      this.sendJson(res, 400, { error: `Session is ${session.status}` });
+      deps.sendJson(res, 400, { error: `Session is ${session.status}` });
       return;
     }
-    const body = await this.readBody(req);
+    const body = await deps.readBody(req);
     let prompt;
     if (body) {
       try {
         const parsed = JSON.parse(body);
         prompt = parsed.prompt;
       } catch {
-        this.sendJson(res, 400, { error: "Invalid JSON body" });
+        deps.sendJson(res, 400, { error: "Invalid JSON body" });
         return;
       }
     }
     if (!prompt) {
-      this.sendJson(res, 400, { error: "Missing prompt" });
+      deps.sendJson(res, 400, { error: "Missing prompt" });
       return;
     }
     session.enqueuePrompt(prompt).catch(() => {
     });
-    this.sendJson(res, 200, { ok: true, sessionId, queueDepth: session.queueDepth });
-  }
-  async handleGetSession(sessionId, res) {
-    const session = this.core.sessionManager.getSession(sessionId);
+    deps.sendJson(res, 200, {
+      ok: true,
+      sessionId,
+      queueDepth: session.queueDepth
+    });
+  });
+  router.post(
+    "/api/sessions/:sessionId/permission",
+    async (req, res, params) => {
+      const sessionId = decodeURIComponent(params.sessionId);
+      const session = deps.core.sessionManager.getSession(sessionId);
+      if (!session) {
+        deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+        return;
+      }
+      const body = await deps.readBody(req);
+      let permissionId;
+      let optionId;
+      if (body) {
+        try {
+          const parsed = JSON.parse(body);
+          permissionId = parsed.permissionId;
+          optionId = parsed.optionId;
+        } catch {
+          deps.sendJson(res, 400, { error: "Invalid JSON body" });
+          return;
+        }
+      }
+      if (!permissionId || !optionId) {
+        deps.sendJson(res, 400, {
+          error: "Missing permissionId or optionId"
+        });
+        return;
+      }
+      if (!session.permissionGate.isPending || session.permissionGate.requestId !== permissionId) {
+        deps.sendJson(res, 400, {
+          error: "No matching pending permission request"
+        });
+        return;
+      }
+      session.permissionGate.resolve(optionId);
+      deps.sendJson(res, 200, { ok: true });
+    }
+  );
+  router.patch(
+    "/api/sessions/:sessionId/dangerous",
+    async (req, res, params) => {
+      const sessionId = decodeURIComponent(params.sessionId);
+      const session = deps.core.sessionManager.getSession(sessionId);
+      if (!session) {
+        deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+        return;
+      }
+      const body = await deps.readBody(req);
+      let enabled;
+      if (body) {
+        try {
+          const parsed = JSON.parse(body);
+          enabled = parsed.enabled;
+        } catch {
+          deps.sendJson(res, 400, { error: "Invalid JSON body" });
+          return;
+        }
+      }
+      if (typeof enabled !== "boolean") {
+        deps.sendJson(res, 400, { error: "Missing enabled boolean" });
+        return;
+      }
+      session.dangerousMode = enabled;
+      await deps.core.sessionManager.patchRecord(sessionId, {
+        dangerousMode: enabled
+      });
+      deps.sendJson(res, 200, { ok: true, dangerousMode: enabled });
+    }
+  );
+  router.get("/api/sessions/:sessionId", async (_req, res, params) => {
+    const sessionId = decodeURIComponent(params.sessionId);
+    const session = deps.core.sessionManager.getSession(sessionId);
     if (!session) {
-      this.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+      deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
       return;
     }
-    this.sendJson(res, 200, {
+    deps.sendJson(res, 200, {
       session: {
         id: session.id,
         agent: session.agentName,
@@ -2776,60 +3272,77 @@ var ApiServer = class {
         agentSessionId: session.agentSessionId
       }
     });
-  }
-  async handleToggleDangerous(sessionId, req, res) {
-    const session = this.core.sessionManager.getSession(sessionId);
+  });
+  router.post("/api/sessions/:sessionId/archive", async (_req, res, params) => {
+    const sessionId = decodeURIComponent(params.sessionId);
+    const result = await deps.core.archiveSession(sessionId);
+    if (result.ok) {
+      deps.sendJson(res, 200, result);
+    } else {
+      deps.sendJson(res, 400, result);
+    }
+  });
+  router.delete("/api/sessions/:sessionId", async (_req, res, params) => {
+    const sessionId = decodeURIComponent(params.sessionId);
+    const session = deps.core.sessionManager.getSession(sessionId);
     if (!session) {
-      this.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
+      deps.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
       return;
     }
-    const body = await this.readBody(req);
-    let enabled;
-    if (body) {
-      try {
-        const parsed = JSON.parse(body);
-        enabled = parsed.enabled;
-      } catch {
-        this.sendJson(res, 400, { error: "Invalid JSON body" });
-        return;
+    await deps.core.sessionManager.cancelSession(sessionId);
+    deps.sendJson(res, 200, { ok: true });
+  });
+  router.get("/api/sessions", async (_req, res) => {
+    const sessions = deps.core.sessionManager.listSessions();
+    deps.sendJson(res, 200, {
+      sessions: sessions.map((s) => ({
+        id: s.id,
+        agent: s.agentName,
+        status: s.status,
+        name: s.name ?? null,
+        workspace: s.workingDirectory,
+        createdAt: s.createdAt.toISOString(),
+        dangerousMode: s.dangerousMode,
+        queueDepth: s.queueDepth,
+        promptRunning: s.promptRunning,
+        lastActiveAt: deps.core.sessionManager.getSessionRecord(s.id)?.lastActiveAt ?? null
+      }))
+    });
+  });
+}
+
+// src/core/api/routes/config.ts
+var SENSITIVE_KEYS = [
+  "botToken",
+  "token",
+  "apiKey",
+  "secret",
+  "password",
+  "webhookSecret"
+];
+function redactConfig(config) {
+  const redacted = structuredClone(config);
+  redactDeep(redacted);
+  return redacted;
+}
+function redactDeep(obj) {
+  for (const [key, value] of Object.entries(obj)) {
+    if (SENSITIVE_KEYS.includes(key) && typeof value === "string") {
+      obj[key] = "***";
+    } else if (Array.isArray(value)) {
+      for (const item of value) {
+        if (item && typeof item === "object")
+          redactDeep(item);
       }
+    } else if (value && typeof value === "object") {
+      redactDeep(value);
     }
-    if (typeof enabled !== "boolean") {
-      this.sendJson(res, 400, { error: "Missing enabled boolean" });
-      return;
-    }
-    session.dangerousMode = enabled;
-    await this.core.sessionManager.patchRecord(sessionId, { dangerousMode: enabled });
-    this.sendJson(res, 200, { ok: true, dangerousMode: enabled });
   }
-  async handleHealth(res) {
-    const activeSessions = this.core.sessionManager.listSessions();
-    const allRecords = this.core.sessionManager.listRecords();
-    const mem = process.memoryUsage();
-    const tunnel = this.core.tunnelService;
-    this.sendJson(res, 200, {
-      status: "ok",
-      uptime: Date.now() - this.startedAt,
-      version: getVersion(),
-      memory: {
-        rss: mem.rss,
-        heapUsed: mem.heapUsed,
-        heapTotal: mem.heapTotal
-      },
-      sessions: {
-        active: activeSessions.filter((s) => s.status === "active" || s.status === "initializing").length,
-        total: allRecords.length
-      },
-      adapters: Array.from(this.core.adapters.keys()),
-      tunnel: tunnel ? { enabled: true, url: tunnel.getPublicUrl() } : { enabled: false }
-    });
-  }
-  async handleVersion(res) {
-    this.sendJson(res, 200, { version: getVersion() });
-  }
-  async handleGetEditableConfig(res) {
-    const { getSafeFields: getSafeFields2, resolveOptions: resolveOptions2, getConfigValue: getConfigValue2 } = await import("./config-registry-QQOJ2GQP.js");
-    const config = this.core.configManager.get();
+}
+function registerConfigRoutes(router, deps) {
+  router.get("/api/config/editable", async (_req, res) => {
+    const { getSafeFields: getSafeFields2, resolveOptions: resolveOptions2, getConfigValue: getConfigValue2 } = await import("./config-registry-7I6GGDOY.js");
+    const config = deps.core.configManager.get();
     const safeFields = getSafeFields2();
     const fields = safeFields.map((def) => ({
       path: def.path,
@@ -2840,14 +3353,14 @@ var ApiServer = class {
       value: getConfigValue2(config, def.path),
       hotReload: def.hotReload
     }));
-    this.sendJson(res, 200, { fields });
-  }
-  async handleGetConfig(res) {
-    const config = this.core.configManager.get();
-    this.sendJson(res, 200, { config: redactConfig(config) });
-  }
-  async handleUpdateConfig(req, res) {
-    const body = await this.readBody(req);
+    deps.sendJson(res, 200, { fields });
+  });
+  router.get("/api/config", async (_req, res) => {
+    const config = deps.core.configManager.get();
+    deps.sendJson(res, 200, { config: redactConfig(config) });
+  });
+  router.patch("/api/config", async (req, res) => {
+    const body = await deps.readBody(req);
     let configPath;
     let value;
     if (body) {
@@ -2856,17 +3369,30 @@ var ApiServer = class {
         configPath = parsed.path;
         value = parsed.value;
       } catch {
-        this.sendJson(res, 400, { error: "Invalid JSON body" });
+        deps.sendJson(res, 400, { error: "Invalid JSON body" });
         return;
       }
     }
     if (!configPath) {
-      this.sendJson(res, 400, { error: "Missing path" });
+      deps.sendJson(res, 400, { error: "Missing path" });
       return;
     }
-    const currentConfig = this.core.configManager.get();
-    const cloned = structuredClone(currentConfig);
+    const BLOCKED_KEYS = /* @__PURE__ */ new Set(["__proto__", "constructor", "prototype"]);
     const parts = configPath.split(".");
+    if (parts.some((p) => BLOCKED_KEYS.has(p))) {
+      deps.sendJson(res, 400, { error: "Invalid config path" });
+      return;
+    }
+    const { getFieldDef: getFieldDef2 } = await import("./config-registry-7I6GGDOY.js");
+    const fieldDef = getFieldDef2(configPath);
+    if (!fieldDef || fieldDef.scope !== "safe") {
+      deps.sendJson(res, 403, {
+        error: "This config field cannot be modified via the API"
+      });
+      return;
+    }
+    const currentConfig = deps.core.configManager.get();
+    const cloned = structuredClone(currentConfig);
     let target = cloned;
     for (let i = 0; i < parts.length - 1; i++) {
       const part = parts[i];
@@ -2876,18 +3402,21 @@ var ApiServer = class {
         target[part] = {};
         target = target[part];
       } else {
-        this.sendJson(res, 400, { error: "Invalid config path" });
+        deps.sendJson(res, 400, { error: "Invalid config path" });
         return;
       }
     }
     const lastKey = parts[parts.length - 1];
     target[lastKey] = value;
-    const { ConfigSchema } = await import("./config-AK2W3E67.js");
+    const { ConfigSchema } = await import("./config-4YSJ4NCI.js");
     const result = ConfigSchema.safeParse(cloned);
     if (!result.success) {
-      this.sendJson(res, 400, {
+      deps.sendJson(res, 400, {
         error: "Validation failed",
-        details: result.error.issues.map((i) => ({ path: i.path.join("."), message: i.message }))
+        details: result.error.issues.map((i) => ({
+          path: i.path.join("."),
+          message: i.message
+        }))
       });
       return;
     }
@@ -2898,239 +3427,438 @@ var ApiServer = class {
       updateTarget = updateTarget[parts[i]];
     }
     updateTarget[lastKey] = value;
-    await this.core.configManager.save(updates, configPath);
-    const { isHotReloadable: isHotReloadable2 } = await import("./config-registry-QQOJ2GQP.js");
+    await deps.core.configManager.save(updates, configPath);
+    const { isHotReloadable: isHotReloadable2 } = await import("./config-registry-7I6GGDOY.js");
     const needsRestart = !isHotReloadable2(configPath);
-    this.sendJson(res, 200, {
+    deps.sendJson(res, 200, {
       ok: true,
       needsRestart,
-      config: redactConfig(this.core.configManager.get())
+      config: redactConfig(deps.core.configManager.get())
     });
-  }
-  async handleListAdapters(res) {
-    const adapters = Array.from(this.core.adapters.entries()).map(([name]) => ({
-      name,
-      type: "built-in"
-    }));
-    this.sendJson(res, 200, { adapters });
-  }
-  async handleTunnelStatus(res) {
-    const tunnel = this.core.tunnelService;
+  });
+}
+
+// src/core/api/routes/topics.ts
+function registerTopicRoutes(router, deps) {
+  router.get("/api/topics", async (req, res) => {
+    if (!deps.topicManager) {
+      deps.sendJson(res, 501, { error: "Topic management not available" });
+      return;
+    }
+    const url = req.url || "";
+    const params = new URL(url, "http://localhost").searchParams;
+    const statusParam = params.get("status");
+    const filter = statusParam ? { statuses: statusParam.split(",") } : void 0;
+    const topics = deps.topicManager.listTopics(filter);
+    deps.sendJson(res, 200, { topics });
+  });
+  router.post("/api/topics/cleanup", async (req, res) => {
+    if (!deps.topicManager) {
+      deps.sendJson(res, 501, { error: "Topic management not available" });
+      return;
+    }
+    const body = await deps.readBody(req);
+    let statuses;
+    if (body) {
+      try {
+        statuses = JSON.parse(body).statuses;
+      } catch {
+      }
+    }
+    const result = await deps.topicManager.cleanup(statuses);
+    deps.sendJson(res, 200, result);
+  });
+  router.delete("/api/topics/:sessionId", async (req, res, params) => {
+    if (!deps.topicManager) {
+      deps.sendJson(res, 501, { error: "Topic management not available" });
+      return;
+    }
+    const sessionId = decodeURIComponent(params.sessionId);
+    const url = req.url || "";
+    const urlParams = new URL(url, "http://localhost").searchParams;
+    const force = urlParams.get("force") === "true";
+    const result = await deps.topicManager.deleteTopic(
+      sessionId,
+      force ? { confirmed: true } : void 0
+    );
+    if (result.ok) {
+      deps.sendJson(res, 200, result);
+    } else if (result.needsConfirmation) {
+      deps.sendJson(res, 409, {
+        error: "Session is active",
+        needsConfirmation: true,
+        session: result.session
+      });
+    } else if (result.error === "Cannot delete system topic") {
+      deps.sendJson(res, 403, { error: result.error });
+    } else {
+      deps.sendJson(res, 404, { error: result.error ?? "Not found" });
+    }
+  });
+}
+
+// src/core/api/routes/tunnel.ts
+function registerTunnelRoutes(router, deps) {
+  router.get("/api/tunnel", async (_req, res) => {
+    const tunnel = deps.core.tunnelService;
     if (tunnel) {
-      this.sendJson(res, 200, { enabled: true, url: tunnel.getPublicUrl(), provider: this.core.configManager.get().tunnel.provider });
+      deps.sendJson(res, 200, {
+        enabled: true,
+        url: tunnel.getPublicUrl(),
+        provider: deps.core.configManager.get().tunnel.provider
+      });
     } else {
-      this.sendJson(res, 200, { enabled: false });
+      deps.sendJson(res, 200, { enabled: false });
     }
-  }
-  async handleTunnelList(res) {
-    const tunnel = this.core.tunnelService;
+  });
+  router.get("/api/tunnel/list", async (_req, res) => {
+    const tunnel = deps.core.tunnelService;
     if (!tunnel) {
-      this.sendJson(res, 200, []);
+      deps.sendJson(res, 200, []);
       return;
     }
-    this.sendJson(res, 200, tunnel.listTunnels());
-  }
-  async handleTunnelAdd(req, res) {
-    const tunnel = this.core.tunnelService;
+    deps.sendJson(res, 200, tunnel.listTunnels());
+  });
+  router.post("/api/tunnel", async (req, res) => {
+    const tunnel = deps.core.tunnelService;
     if (!tunnel) {
-      this.sendJson(res, 400, { error: "Tunnel service is not enabled" });
+      deps.sendJson(res, 400, { error: "Tunnel service is not enabled" });
+      return;
+    }
+    const body = await deps.readBody(req);
+    if (body === null) {
+      deps.sendJson(res, 413, { error: "Request body too large" });
       return;
     }
-    const body = await this.readBody(req);
     if (!body) {
-      this.sendJson(res, 400, { error: "Missing request body" });
+      deps.sendJson(res, 400, { error: "Missing request body" });
       return;
     }
     try {
       const { port, label, sessionId } = JSON.parse(body);
       if (!port || typeof port !== "number") {
-        this.sendJson(res, 400, { error: "port is required and must be a number" });
+        deps.sendJson(res, 400, {
+          error: "port is required and must be a number"
+        });
         return;
       }
       const entry = await tunnel.addTunnel(port, { label, sessionId });
-      this.sendJson(res, 200, entry);
+      deps.sendJson(res, 200, entry);
     } catch (err) {
-      this.sendJson(res, 400, { error: err.message });
+      deps.sendJson(res, 400, { error: err.message });
     }
-  }
-  async handleTunnelStop(port, res) {
-    const tunnel = this.core.tunnelService;
+  });
+  router.delete("/api/tunnel/:port", async (_req, res, params) => {
+    const tunnel = deps.core.tunnelService;
     if (!tunnel) {
-      this.sendJson(res, 400, { error: "Tunnel service is not enabled" });
+      deps.sendJson(res, 400, { error: "Tunnel service is not enabled" });
       return;
     }
+    const port = parseInt(params.port, 10);
     try {
       await tunnel.stopTunnel(port);
-      this.sendJson(res, 200, { ok: true });
+      deps.sendJson(res, 200, { ok: true });
     } catch (err) {
-      this.sendJson(res, 400, { error: err.message });
+      deps.sendJson(res, 400, { error: err.message });
     }
-  }
-  async handleTunnelStopAll(res) {
-    const tunnel = this.core.tunnelService;
+  });
+  router.delete("/api/tunnel", async (_req, res) => {
+    const tunnel = deps.core.tunnelService;
     if (!tunnel) {
-      this.sendJson(res, 400, { error: "Tunnel service is not enabled" });
+      deps.sendJson(res, 400, { error: "Tunnel service is not enabled" });
       return;
     }
     const count = tunnel.listTunnels().length;
     await tunnel.stopAllUser();
-    this.sendJson(res, 200, { ok: true, stopped: count });
-  }
-  async handleNotify(req, res) {
-    const body = await this.readBody(req);
+    deps.sendJson(res, 200, { ok: true, stopped: count });
+  });
+}
+
+// src/core/api/routes/agents.ts
+function registerAgentRoutes(router, deps) {
+  router.get("/api/agents", async (_req, res) => {
+    const agents = deps.core.agentManager.getAvailableAgents();
+    const defaultAgent = deps.core.configManager.get().defaultAgent;
+    const agentsWithCaps = agents.map((a) => ({
+      ...a,
+      capabilities: getAgentCapabilities(a.name)
+    }));
+    deps.sendJson(res, 200, { agents: agentsWithCaps, default: defaultAgent });
+  });
+}
+
+// src/core/api/routes/notify.ts
+function registerNotifyRoutes(router, deps) {
+  router.post("/api/notify", async (req, res) => {
+    const body = await deps.readBody(req);
     let message;
     if (body) {
       try {
         const parsed = JSON.parse(body);
         message = parsed.message;
       } catch {
-        this.sendJson(res, 400, { error: "Invalid JSON body" });
+        deps.sendJson(res, 400, { error: "Invalid JSON body" });
         return;
       }
     }
     if (!message) {
-      this.sendJson(res, 400, { error: "Missing message" });
+      deps.sendJson(res, 400, { error: "Missing message" });
       return;
     }
-    await this.core.notificationManager.notifyAll({
+    await deps.core.notificationManager.notifyAll({
       sessionId: "system",
       type: "completed",
       summary: message
     });
-    this.sendJson(res, 200, { ok: true });
-  }
-  async handleRestart(res) {
-    if (!this.core.requestRestart) {
-      this.sendJson(res, 501, { error: "Restart not available" });
-      return;
-    }
-    this.sendJson(res, 200, { ok: true, message: "Restarting..." });
-    setImmediate(() => this.core.requestRestart());
-  }
-  async handleArchiveSession(sessionId, res) {
-    const result = await this.core.archiveSession(sessionId);
-    if (result.ok) {
-      this.sendJson(res, 200, result);
-    } else {
-      this.sendJson(res, 400, result);
-    }
+    deps.sendJson(res, 200, { ok: true });
+  });
+}
+
+// src/core/api/index.ts
+var log9 = createChildLogger({ module: "api-server" });
+var DEFAULT_PORT_FILE = path7.join(os2.homedir(), ".openacp", "api.port");
+var cachedVersion;
+function getVersion() {
+  if (cachedVersion) return cachedVersion;
+  try {
+    const __filename = fileURLToPath2(import.meta.url);
+    const pkgPath = path7.resolve(
+      path7.dirname(__filename),
+      "../../../package.json"
+    );
+    const pkg = JSON.parse(fs7.readFileSync(pkgPath, "utf-8"));
+    cachedVersion = pkg.version ?? "0.0.0-dev";
+  } catch {
+    cachedVersion = "0.0.0-dev";
   }
-  async handleCancelSession(sessionId, res) {
-    const session = this.core.sessionManager.getSession(sessionId);
-    if (!session) {
-      this.sendJson(res, 404, { error: `Session "${sessionId}" not found` });
-      return;
-    }
-    await session.abortPrompt();
-    this.sendJson(res, 200, { ok: true });
+  return cachedVersion;
+}
+var ApiServer = class {
+  constructor(core, config, portFilePath, topicManager, secretFilePath, uiDir) {
+    this.core = core;
+    this.config = config;
+    this.topicManager = topicManager;
+    this.portFilePath = portFilePath ?? DEFAULT_PORT_FILE;
+    this.secretFilePath = secretFilePath ?? path7.join(os2.homedir(), ".openacp", "api-secret");
+    this.staticServer = new StaticServer(uiDir);
+    this.sseManager = new SSEManager(
+      core.eventBus,
+      () => {
+        const sessions = this.core.sessionManager.listSessions();
+        return {
+          active: sessions.filter(
+            (s) => s.status === "active" || s.status === "initializing"
+          ).length,
+          total: sessions.length
+        };
+      },
+      this.startedAt
+    );
+    this.router = new Router();
+    const deps = {
+      core: this.core,
+      topicManager: this.topicManager,
+      startedAt: this.startedAt,
+      getVersion,
+      sendJson: this.sendJson.bind(this),
+      readBody: this.readBody.bind(this)
+    };
+    registerHealthRoutes(this.router, deps);
+    registerSessionRoutes(this.router, deps);
+    registerConfigRoutes(this.router, deps);
+    registerTopicRoutes(this.router, deps);
+    registerTunnelRoutes(this.router, deps);
+    registerAgentRoutes(this.router, deps);
+    registerNotifyRoutes(this.router, deps);
   }
-  async handleListSessions(res) {
-    const sessions = this.core.sessionManager.listSessions();
-    this.sendJson(res, 200, {
-      sessions: sessions.map((s) => ({
-        id: s.id,
-        agent: s.agentName,
-        status: s.status,
-        name: s.name ?? null,
-        workspace: s.workingDirectory
-      }))
+  server = null;
+  actualPort = 0;
+  portFilePath;
+  startedAt = Date.now();
+  secret = "";
+  secretFilePath;
+  sseManager;
+  staticServer;
+  router;
+  async start() {
+    this.loadOrCreateSecret();
+    this.server = http.createServer((req, res) => this.handleRequest(req, res));
+    await new Promise((resolve3, reject) => {
+      this.server.on("error", (err) => {
+        if (err.code === "EADDRINUSE") {
+          log9.warn(
+            { port: this.config.port },
+            "API port in use, continuing without API server"
+          );
+          this.server = null;
+          resolve3();
+        } else {
+          reject(err);
+        }
+      });
+      this.server.listen(this.config.port, this.config.host, () => {
+        const addr = this.server.address();
+        if (addr && typeof addr === "object") {
+          this.actualPort = addr.port;
+        }
+        this.writePortFile();
+        log9.info(
+          { host: this.config.host, port: this.actualPort },
+          "API server listening"
+        );
+        this.sseManager.setup();
+        if (this.config.host !== "127.0.0.1" && this.config.host !== "localhost") {
+          log9.warn(
+            "API server binding to non-localhost. Ensure api-secret file is secured."
+          );
+        }
+        resolve3();
+      });
     });
   }
-  async handleAdoptSession(req, res) {
-    const body = await this.readBody(req);
-    if (!body) {
-      return this.sendJson(res, 400, { error: "bad_request", message: "Empty request body" });
+  async stop() {
+    this.sseManager.stop();
+    this.removePortFile();
+    if (this.server) {
+      await new Promise((resolve3) => {
+        this.server.close(() => resolve3());
+      });
+      this.server = null;
     }
-    let parsed;
+  }
+  getPort() {
+    return this.actualPort;
+  }
+  getSecret() {
+    return this.secret;
+  }
+  writePortFile() {
+    const dir = path7.dirname(this.portFilePath);
+    fs7.mkdirSync(dir, { recursive: true });
+    fs7.writeFileSync(this.portFilePath, String(this.actualPort));
+  }
+  removePortFile() {
     try {
-      parsed = JSON.parse(body);
+      fs7.unlinkSync(this.portFilePath);
     } catch {
-      return this.sendJson(res, 400, { error: "bad_request", message: "Invalid JSON" });
-    }
-    const { agent, agentSessionId, cwd } = parsed;
-    if (!agent || !agentSessionId) {
-      return this.sendJson(res, 400, { error: "bad_request", message: "Missing required fields: agent, agentSessionId" });
-    }
-    const result = await this.core.adoptSession(agent, agentSessionId, cwd ?? process.cwd());
-    if (result.ok) {
-      return this.sendJson(res, 200, result);
-    } else {
-      const status = result.error === "session_limit" ? 429 : result.error === "agent_not_supported" ? 400 : 500;
-      return this.sendJson(res, status, result);
     }
   }
-  async handleListAgents(res) {
-    const agents = this.core.agentManager.getAvailableAgents();
-    const defaultAgent = this.core.configManager.get().defaultAgent;
-    const agentsWithCaps = agents.map((a) => ({
-      ...a,
-      capabilities: getAgentCapabilities(a.name)
-    }));
-    this.sendJson(res, 200, { agents: agentsWithCaps, default: defaultAgent });
-  }
-  sendJson(res, status, data) {
-    res.writeHead(status, { "Content-Type": "application/json" });
-    res.end(JSON.stringify(data));
-  }
-  async handleListTopics(url, res) {
-    if (!this.topicManager) {
-      this.sendJson(res, 501, { error: "Topic management not available" });
-      return;
+  loadOrCreateSecret() {
+    const dir = path7.dirname(this.secretFilePath);
+    fs7.mkdirSync(dir, { recursive: true });
+    try {
+      this.secret = fs7.readFileSync(this.secretFilePath, "utf-8").trim();
+      if (this.secret) {
+        try {
+          const stat = fs7.statSync(this.secretFilePath);
+          const mode = stat.mode & 511;
+          if (mode & 63) {
+            log9.warn(
+              { path: this.secretFilePath, mode: "0" + mode.toString(8) },
+              "API secret file has insecure permissions (should be 0600). Run: chmod 600 %s",
+              this.secretFilePath
+            );
+          }
+        } catch {
+        }
+        return;
+      }
+    } catch {
     }
-    const params = new URL(url, "http://localhost").searchParams;
-    const statusParam = params.get("status");
-    const filter = statusParam ? { statuses: statusParam.split(",") } : void 0;
-    const topics = this.topicManager.listTopics(filter);
-    this.sendJson(res, 200, { topics });
+    this.secret = crypto.randomBytes(32).toString("hex");
+    fs7.writeFileSync(this.secretFilePath, this.secret, { mode: 384 });
   }
-  async handleDeleteTopic(sessionId, url, res) {
-    if (!this.topicManager) {
-      this.sendJson(res, 501, { error: "Topic management not available" });
-      return;
+  authenticate(req, allowQueryParam = false) {
+    const authHeader = req.headers.authorization;
+    if (authHeader?.startsWith("Bearer ")) {
+      const token = authHeader.slice(7);
+      if (token.length === this.secret.length && crypto.timingSafeEqual(
+        Buffer.from(token, "utf-8"),
+        Buffer.from(this.secret, "utf-8")
+      )) {
+        return true;
+      }
     }
-    const params = new URL(url, "http://localhost").searchParams;
-    const force = params.get("force") === "true";
-    const result = await this.topicManager.deleteTopic(sessionId, force ? { confirmed: true } : void 0);
-    if (result.ok) {
-      this.sendJson(res, 200, result);
-    } else if (result.needsConfirmation) {
-      this.sendJson(res, 409, { error: "Session is active", needsConfirmation: true, session: result.session });
-    } else if (result.error === "Cannot delete system topic") {
-      this.sendJson(res, 403, { error: result.error });
-    } else {
-      this.sendJson(res, 404, { error: result.error ?? "Not found" });
+    if (allowQueryParam) {
+      const parsedUrl = new URL(req.url || "", "http://localhost");
+      const qToken = parsedUrl.searchParams.get("token");
+      if (qToken && qToken.length === this.secret.length && crypto.timingSafeEqual(
+        Buffer.from(qToken, "utf-8"),
+        Buffer.from(this.secret, "utf-8")
+      )) {
+        return true;
+      }
     }
+    return false;
   }
-  async handleCleanupTopics(req, res) {
-    if (!this.topicManager) {
-      this.sendJson(res, 501, { error: "Topic management not available" });
-      return;
+  async handleRequest(req, res) {
+    const method = req.method?.toUpperCase();
+    const url = req.url || "";
+    if (url.startsWith("/api/")) {
+      const isExempt = method === "GET" && (url === "/api/health" || url === "/api/version" || url.startsWith("/api/events"));
+      if (!isExempt && !this.authenticate(req)) {
+        this.sendJson(res, 401, { error: "Unauthorized" });
+        return;
+      }
     }
-    const body = await this.readBody(req);
-    let statuses;
-    if (body) {
-      try {
-        statuses = JSON.parse(body).statuses;
-      } catch {
+    try {
+      if (method === "GET" && url.startsWith("/api/events")) {
+        if (!this.authenticate(req, true)) {
+          this.sendJson(res, 401, { error: "Unauthorized" });
+          return;
+        }
+        this.sseManager.handleRequest(req, res);
+        return;
+      }
+      if (url.startsWith("/api/")) {
+        const match = this.router.match(method, url);
+        if (match) {
+          await match.handler(req, res, match.params);
+        } else {
+          this.sendJson(res, 404, { error: "Not found" });
+        }
+        return;
+      }
+      if (!this.staticServer.serve(req, res)) {
+        this.sendJson(res, 404, { error: "Not found" });
       }
+    } catch (err) {
+      log9.error({ err }, "API request error");
+      this.sendJson(res, 500, { error: "Internal server error" });
     }
-    const result = await this.topicManager.cleanup(statuses);
-    this.sendJson(res, 200, result);
+  }
+  sendJson(res, status, data) {
+    res.writeHead(status, { "Content-Type": "application/json" });
+    res.end(JSON.stringify(data));
   }
   readBody(req) {
-    return new Promise((resolve2) => {
+    const MAX_BODY_SIZE = 1024 * 1024;
+    return new Promise((resolve3) => {
       let data = "";
+      let size = 0;
+      let destroyed = false;
       req.on("data", (chunk) => {
-        data += chunk;
+        size += chunk.length;
+        if (size > MAX_BODY_SIZE && !destroyed) {
+          destroyed = true;
+          req.destroy();
+          resolve3(null);
+          return;
+        }
+        if (!destroyed) data += chunk;
+      });
+      req.on("end", () => {
+        if (!destroyed) resolve3(data);
+      });
+      req.on("error", () => {
+        if (!destroyed) resolve3("");
       });
-      req.on("end", () => resolve2(data));
-      req.on("error", () => resolve2(""));
     });
   }
 };
 
 // src/core/topic-manager.ts
-var log8 = createChildLogger({ module: "topic-manager" });
+var log10 = createChildLogger({ module: "topic-manager" });
 var TopicManager = class {
   constructor(sessionManager, adapter, systemTopicIds) {
     this.sessionManager = sessionManager;
@@ -3169,7 +3897,7 @@ var TopicManager = class {
       try {
         await this.adapter.deleteSessionThread(sessionId);
       } catch (err) {
-        log8.warn({ err, sessionId, topicId }, "Failed to delete platform thread, removing record anyway");
+        log10.warn({ err, sessionId, topicId }, "Failed to delete platform thread, removing record anyway");
       }
     }
     await this.sessionManager.removeRecord(sessionId);
@@ -3192,7 +3920,7 @@ var TopicManager = class {
           try {
             await this.adapter.deleteSessionThread(record.sessionId);
           } catch (err) {
-            log8.warn({ err, sessionId: record.sessionId }, "Failed to delete platform thread during cleanup");
+            log10.warn({ err, sessionId: record.sessionId }, "Failed to delete platform thread during cleanup");
           }
         }
         await this.sessionManager.removeRecord(record.sessionId);
@@ -3242,9 +3970,12 @@ async function renameSessionTopic(bot, chatId, threadId, name) {
 async function deleteSessionTopic(bot, chatId, threadId) {
   await bot.api.deleteForumTopic(chatId, threadId);
 }
-function buildDeepLink(chatId, messageId) {
+function buildDeepLink(chatId, threadId, messageId) {
   const cleanId = String(chatId).replace("-100", "");
-  return `https://t.me/c/${cleanId}/${messageId}`;
+  if (messageId && messageId !== threadId) {
+    return `https://t.me/c/${cleanId}/${threadId}/${messageId}`;
+  }
+  return `https://t.me/c/${cleanId}/${threadId}`;
 }
 
 // src/adapters/telegram/commands/new-session.ts
@@ -3442,20 +4173,14 @@ function splitMessage(text, maxLength = 3800) {
 
 // src/adapters/telegram/commands/admin.ts
 import { InlineKeyboard } from "grammy";
-var log10 = createChildLogger({ module: "telegram-cmd-admin" });
-function buildDangerousModeKeyboard(sessionId, enabled) {
-  return new InlineKeyboard().text(
-    enabled ? "\u{1F510} Disable Dangerous Mode" : "\u2620\uFE0F Enable Dangerous Mode",
-    `d:${sessionId}`
-  );
-}
+var log12 = createChildLogger({ module: "telegram-cmd-admin" });
 function setupDangerousModeCallbacks(bot, core) {
   bot.callbackQuery(/^d:/, async (ctx) => {
     const sessionId = ctx.callbackQuery.data.slice(2);
     const session = core.sessionManager.getSession(sessionId);
     if (session) {
       session.dangerousMode = !session.dangerousMode;
-      log10.info({ sessionId, dangerousMode: session.dangerousMode }, "Dangerous mode toggled via button");
+      log12.info({ sessionId, dangerousMode: session.dangerousMode }, "Dangerous mode toggled via button");
       core.sessionManager.patchRecord(sessionId, { dangerousMode: session.dangerousMode }).catch(() => {
       });
       const toastText2 = session.dangerousMode ? "\u2620\uFE0F Dangerous mode enabled \u2014 permissions auto-approved" : "\u{1F510} Dangerous mode disabled \u2014 permissions shown normally";
@@ -3465,7 +4190,7 @@ function setupDangerousModeCallbacks(bot, core) {
       }
       try {
         await ctx.editMessageReplyMarkup({
-          reply_markup: buildDangerousModeKeyboard(sessionId, session.dangerousMode)
+          reply_markup: buildSessionControlKeyboard(sessionId, session.dangerousMode, session.voiceMode === "on")
         });
       } catch {
       }
@@ -3482,7 +4207,7 @@ function setupDangerousModeCallbacks(bot, core) {
     const newDangerousMode = !(record.dangerousMode ?? false);
     core.sessionManager.patchRecord(sessionId, { dangerousMode: newDangerousMode }).catch(() => {
     });
-    log10.info({ sessionId, dangerousMode: newDangerousMode }, "Dangerous mode toggled via button (store-only, session not in memory)");
+    log12.info({ sessionId, dangerousMode: newDangerousMode }, "Dangerous mode toggled via button (store-only, session not in memory)");
     const toastText = newDangerousMode ? "\u2620\uFE0F Dangerous mode enabled \u2014 permissions auto-approved" : "\u{1F510} Dangerous mode disabled \u2014 permissions shown normally";
     try {
       await ctx.answerCallbackQuery({ text: toastText });
@@ -3490,7 +4215,7 @@ function setupDangerousModeCallbacks(bot, core) {
     }
     try {
       await ctx.editMessageReplyMarkup({
-        reply_markup: buildDangerousModeKeyboard(sessionId, newDangerousMode)
+        reply_markup: buildSessionControlKeyboard(sessionId, newDangerousMode, false)
       });
     } catch {
     }
@@ -3563,6 +4288,65 @@ async function handleDisableDangerous(ctx, core) {
   }
   await ctx.reply("\u{1F510} <b>Dangerous mode disabled</b>\n\nPermission requests will be shown normally.", { parse_mode: "HTML" });
 }
+function buildSessionControlKeyboard(sessionId, dangerousMode, voiceMode) {
+  return new InlineKeyboard().text(
+    dangerousMode ? "\u{1F510} Disable Dangerous Mode" : "\u2620\uFE0F Enable Dangerous Mode",
+    `d:${sessionId}`
+  ).row().text(
+    voiceMode ? "\u{1F50A} Text to Speech" : "\u{1F507} Text to Speech",
+    `v:${sessionId}`
+  );
+}
+function setupTTSCallbacks(bot, core) {
+  bot.callbackQuery(/^v:/, async (ctx) => {
+    const sessionId = ctx.callbackQuery.data.slice(2);
+    const session = core.sessionManager.getSession(sessionId);
+    if (!session) {
+      try {
+        await ctx.answerCallbackQuery({ text: "\u26A0\uFE0F Session not found or not active." });
+      } catch {
+      }
+      return;
+    }
+    const newMode = session.voiceMode === "on" ? "off" : "on";
+    session.setVoiceMode(newMode);
+    const toastText = newMode === "on" ? "\u{1F50A} Text to Speech enabled" : "\u{1F507} Text to Speech disabled";
+    try {
+      await ctx.answerCallbackQuery({ text: toastText });
+    } catch {
+    }
+    try {
+      await ctx.editMessageReplyMarkup({
+        reply_markup: buildSessionControlKeyboard(sessionId, session.dangerousMode, newMode === "on")
+      });
+    } catch {
+    }
+  });
+}
+async function handleTTS(ctx, core) {
+  const threadId = ctx.message?.message_thread_id;
+  if (!threadId) {
+    await ctx.reply("\u26A0\uFE0F This command only works inside a session topic.", { parse_mode: "HTML" });
+    return;
+  }
+  const session = await core.getOrResumeSession("telegram", String(threadId));
+  if (!session) {
+    await ctx.reply("\u26A0\uFE0F No active session in this topic.", { parse_mode: "HTML" });
+    return;
+  }
+  const args = ctx.message?.text?.split(/\s+/).slice(1) ?? [];
+  const arg = args[0]?.toLowerCase();
+  if (arg === "on") {
+    session.setVoiceMode("on");
+    await ctx.reply("\u{1F50A} Text to Speech enabled for this session.", { parse_mode: "HTML" });
+  } else if (arg === "off") {
+    session.setVoiceMode("off");
+    await ctx.reply("\u{1F507} Text to Speech disabled.", { parse_mode: "HTML" });
+  } else {
+    session.setVoiceMode("next");
+    await ctx.reply("\u{1F50A} Text to Speech enabled for the next message.", { parse_mode: "HTML" });
+  }
+}
 async function handleUpdate(ctx, core) {
   if (!core.requestRestart) {
     await ctx.reply("\u26A0\uFE0F Update is not available (no restart handler registered).", { parse_mode: "HTML" });
@@ -3611,7 +4395,7 @@ async function handleRestart(ctx, core) {
 }
 
 // src/adapters/telegram/commands/new-session.ts
-var log11 = createChildLogger({ module: "telegram-cmd-new-session" });
+var log13 = createChildLogger({ module: "telegram-cmd-new-session" });
 var pendingNewSessions = /* @__PURE__ */ new Map();
 var PENDING_TIMEOUT_MS = 5 * 60 * 1e3;
 function cleanupPending(userId) {
@@ -3710,7 +4494,7 @@ async function startConfirmStep(ctx, chatId, userId, agentName, workspace) {
   });
 }
 async function createSessionDirect(ctx, core, chatId, agentName, workspace) {
-  log11.info({ userId: ctx.from?.id, agentName, workspace }, "New session command (direct)");
+  log13.info({ userId: ctx.from?.id, agentName, workspace }, "New session command (direct)");
   let threadId;
   try {
     const topicName = `\u{1F504} New Session`;
@@ -3737,13 +4521,13 @@ This is your coding session \u2014 chat here to work with the agent.`,
       {
         message_thread_id: threadId,
         parse_mode: "HTML",
-        reply_markup: buildDangerousModeKeyboard(session.id, false)
+        reply_markup: buildSessionControlKeyboard(session.id, false, false)
       }
     );
-    session.warmup().catch((err) => log11.error({ err }, "Warm-up error"));
+    session.warmup().catch((err) => log13.error({ err }, "Warm-up error"));
     return threadId ?? null;
   } catch (err) {
-    log11.error({ err }, "Session creation failed");
+    log13.error({ err }, "Session creation failed");
     if (threadId) {
       try {
         await ctx.api.deleteForumTopic(chatId, threadId);
@@ -3818,10 +4602,10 @@ async function handleNewChat(ctx, core, chatId) {
       {
         message_thread_id: newThreadId,
         parse_mode: "HTML",
-        reply_markup: buildDangerousModeKeyboard(session.id, false)
+        reply_markup: buildSessionControlKeyboard(session.id, false, false)
       }
     );
-    session.warmup().catch((err) => log11.error({ err }, "Warm-up error"));
+    session.warmup().catch((err) => log13.error({ err }, "Warm-up error"));
   } catch (err) {
     if (newThreadId) {
       try {
@@ -3852,7 +4636,7 @@ async function executeNewSession(bot, core, chatId, agentName, workspace) {
     } });
     const finalName = `\u{1F504} ${session.agentName} \u2014 New Session`;
     await renameSessionTopic(bot, chatId, threadId, finalName);
-    session.warmup().catch((err) => log11.error({ err }, "Warm-up error"));
+    session.warmup().catch((err) => log13.error({ err }, "Warm-up error"));
     return { session, threadId, firstMsgId };
   } catch (err) {
     try {
@@ -4000,7 +4784,7 @@ Or just the folder name like <code>my-project</code> (will use ${core.configMana
 
 // src/adapters/telegram/commands/session.ts
 import { InlineKeyboard as InlineKeyboard3 } from "grammy";
-var log12 = createChildLogger({ module: "telegram-cmd-session" });
+var log14 = createChildLogger({ module: "telegram-cmd-session" });
 async function handleCancel(ctx, core, assistant) {
   const threadId = ctx.message?.message_thread_id;
   if (!threadId) return;
@@ -4018,14 +4802,14 @@ async function handleCancel(ctx, core, assistant) {
     String(threadId)
   );
   if (session) {
-    log12.info({ sessionId: session.id }, "Abort prompt command");
+    log14.info({ sessionId: session.id }, "Abort prompt command");
     await session.abortPrompt();
     await ctx.reply("\u26D4 Prompt aborted. Session is still active \u2014 send a new message to continue.", { parse_mode: "HTML" });
     return;
   }
   const record = core.sessionManager.getRecordByThread("telegram", String(threadId));
   if (record && record.status !== "error") {
-    log12.info({ sessionId: record.sessionId, status: record.status }, "Cancel command \u2014 no active prompt to abort");
+    log14.info({ sessionId: record.sessionId, status: record.status }, "Cancel command \u2014 no active prompt to abort");
     await ctx.reply("\u2139\uFE0F No active prompt to cancel. Send a new message to resume the session.", { parse_mode: "HTML" });
   }
 }
@@ -4129,7 +4913,7 @@ ${lines.join("\n")}${truncated}`,
       { parse_mode: "HTML", reply_markup: keyboard }
     );
   } catch (err) {
-    log12.error({ err }, "handleTopics error");
+    log14.error({ err }, "handleTopics error");
     await ctx.reply("\u274C Failed to list sessions.", { parse_mode: "HTML" }).catch(() => {
     });
   }
@@ -4150,13 +4934,13 @@ async function handleCleanup(ctx, core, chatId, statuses) {
         try {
           await ctx.api.deleteForumTopic(chatId, topicId);
         } catch (err) {
-          log12.warn({ err, sessionId: record.sessionId, topicId }, "Failed to delete forum topic during cleanup");
+          log14.warn({ err, sessionId: record.sessionId, topicId }, "Failed to delete forum topic during cleanup");
         }
       }
       await core.sessionManager.removeRecord(record.sessionId);
       deleted++;
     } catch (err) {
-      log12.error({ err, sessionId: record.sessionId }, "Failed to cleanup session");
+      log14.error({ err, sessionId: record.sessionId }, "Failed to cleanup session");
       failed++;
     }
   }
@@ -4227,7 +5011,7 @@ async function handleCleanupEverythingConfirmed(ctx, core, chatId, systemTopicId
         try {
           await core.sessionManager.cancelSession(record.sessionId);
         } catch (err) {
-          log12.warn({ err, sessionId: record.sessionId }, "Failed to cancel session during cleanup");
+          log14.warn({ err, sessionId: record.sessionId }, "Failed to cancel session during cleanup");
         }
       }
       const topicId = record.platform?.topicId;
@@ -4235,13 +5019,13 @@ async function handleCleanupEverythingConfirmed(ctx, core, chatId, systemTopicId
         try {
           await ctx.api.deleteForumTopic(chatId, topicId);
         } catch (err) {
-          log12.warn({ err, sessionId: record.sessionId, topicId }, "Failed to delete forum topic during cleanup");
+          log14.warn({ err, sessionId: record.sessionId, topicId }, "Failed to delete forum topic during cleanup");
         }
       }
       await core.sessionManager.removeRecord(record.sessionId);
       deleted++;
     } catch (err) {
-      log12.error({ err, sessionId: record.sessionId }, "Failed to cleanup session");
+      log14.error({ err, sessionId: record.sessionId }, "Failed to cleanup session");
       failed++;
     }
   }
@@ -4566,7 +5350,7 @@ Downloading... ${bar} ${percent}%`, { parse_mode: "HTML" });
     const { getAgentCapabilities: getAgentCapabilities2 } = await import("./agent-dependencies-QY5QSULV.js");
     const caps = getAgentCapabilities2(result.agentKey);
     if (caps.integration) {
-      const { installIntegration } = await import("./integrate-VOUYBPPZ.js");
+      const { installIntegration } = await import("./integrate-O4OCR4SN.js");
       const intResult = await installIntegration(result.agentKey, caps.integration);
       if (intResult.success) {
         try {
@@ -4636,7 +5420,7 @@ function buildProgressBar(percent) {
 // src/adapters/telegram/commands/integrate.ts
 import { InlineKeyboard as InlineKeyboard5 } from "grammy";
 async function handleIntegrate(ctx, _core) {
-  const { listIntegrations } = await import("./integrate-VOUYBPPZ.js");
+  const { listIntegrations } = await import("./integrate-O4OCR4SN.js");
   const agents = listIntegrations();
   const keyboard = new InlineKeyboard5();
   for (const agent of agents) {
@@ -4669,7 +5453,7 @@ function setupIntegrateCallbacks(bot, core) {
     } catch {
     }
     if (data === "i:back") {
-      const { listIntegrations } = await import("./integrate-VOUYBPPZ.js");
+      const { listIntegrations } = await import("./integrate-O4OCR4SN.js");
       const agents = listIntegrations();
       const keyboard2 = new InlineKeyboard5();
       for (const agent of agents) {
@@ -4689,7 +5473,7 @@ Select an agent to manage its integrations.`,
     const agentMatch = data.match(/^i:agent:(.+)$/);
     if (agentMatch) {
       const agentName2 = agentMatch[1];
-      const { getIntegration: getIntegration2 } = await import("./integrate-VOUYBPPZ.js");
+      const { getIntegration: getIntegration2 } = await import("./integrate-O4OCR4SN.js");
       const integration2 = getIntegration2(agentName2);
       if (!integration2) {
         await ctx.reply(`\u274C No integration available for '${escapeHtml(agentName2)}'.`, { parse_mode: "HTML" });
@@ -4716,7 +5500,7 @@ ${integration2.items.map((i) => `\u2022 <b>${escapeHtml(i.name)}</b> \u2014 ${es
     const action = actionMatch[1];
     const agentName = actionMatch[2];
     const itemId = actionMatch[3];
-    const { getIntegration } = await import("./integrate-VOUYBPPZ.js");
+    const { getIntegration } = await import("./integrate-O4OCR4SN.js");
     const integration = getIntegration(agentName);
     if (!integration) return;
     const item = integration.items.find((i) => i.id === itemId);
@@ -4753,7 +5537,7 @@ ${resultText}`,
 
 // src/adapters/telegram/commands/settings.ts
 import { InlineKeyboard as InlineKeyboard6 } from "grammy";
-var log13 = createChildLogger({ module: "telegram-settings" });
+var log15 = createChildLogger({ module: "telegram-settings" });
 function buildSettingsKeyboard(core) {
   const config = core.configManager.get();
   const fields = getSafeFields();
@@ -4816,7 +5600,7 @@ function setupSettingsCallbacks(bot, core, getAssistantSession) {
       } catch {
       }
     } catch (err) {
-      log13.error({ err, fieldPath }, "Failed to toggle config");
+      log15.error({ err, fieldPath }, "Failed to toggle config");
       try {
         await ctx.answerCallbackQuery({ text: "\u274C Failed to update" });
       } catch {
@@ -4890,7 +5674,7 @@ Tap to change:`, {
       } catch {
       }
     } catch (err) {
-      log13.error({ err, fieldPath }, "Failed to set config");
+      log15.error({ err, fieldPath }, "Failed to set config");
       try {
         await ctx.answerCallbackQuery({ text: "\u274C Failed to update" });
       } catch {
@@ -4962,7 +5746,7 @@ function buildNestedUpdate(dotPath, value) {
 
 // src/adapters/telegram/commands/doctor.ts
 import { InlineKeyboard as InlineKeyboard7 } from "grammy";
-var log14 = createChildLogger({ module: "telegram-cmd-doctor" });
+var log16 = createChildLogger({ module: "telegram-cmd-doctor" });
 var pendingFixesStore = /* @__PURE__ */ new Map();
 function renderReport(report) {
   const icons = { pass: "\u2705", warn: "\u26A0\uFE0F", fail: "\u274C" };
@@ -5005,7 +5789,7 @@ async function handleDoctor(ctx) {
       reply_markup: keyboard
     });
   } catch (err) {
-    log14.error({ err }, "Doctor command failed");
+    log16.error({ err }, "Doctor command failed");
     await ctx.api.editMessageText(
       ctx.chat.id,
       statusMsg.message_id,
@@ -5054,7 +5838,7 @@ function setupDoctorCallbacks(bot) {
         }
       }
     } catch (err) {
-      log14.error({ err, index }, "Doctor fix callback failed");
+      log16.error({ err, index }, "Doctor fix callback failed");
     }
   });
   bot.callbackQuery("m:doctor", async (ctx) => {
@@ -5068,7 +5852,7 @@ function setupDoctorCallbacks(bot) {
 
 // src/adapters/telegram/commands/tunnel.ts
 import { InlineKeyboard as InlineKeyboard8 } from "grammy";
-var log15 = createChildLogger({ module: "telegram-cmd-tunnel" });
+var log17 = createChildLogger({ module: "telegram-cmd-tunnel" });
 async function handleTunnel(ctx, core) {
   if (!core.tunnelService) {
     await ctx.reply("\u274C Tunnel service is not enabled.", { parse_mode: "HTML" });
@@ -5244,6 +6028,7 @@ function setupCommands(bot, core, chatId, assistant) {
   bot.command("tunnel", (ctx) => handleTunnel(ctx, core));
   bot.command("tunnels", (ctx) => handleTunnels(ctx, core));
   bot.command("archive", (ctx) => handleArchive(ctx, core));
+  bot.command("text_to_speech", (ctx) => handleTTS(ctx, core));
 }
 function setupAllCallbacks(bot, core, chatId, systemTopicIds, getAssistantSession) {
   setupNewSessionCallbacks(bot, core, chatId);
@@ -5316,13 +6101,14 @@ var STATIC_COMMANDS = [
   { command: "usage", description: "View token usage and cost report" },
   { command: "tunnel", description: "Create/stop tunnel for a local port" },
   { command: "tunnels", description: "List active tunnels" },
-  { command: "archive", description: "Archive session topic (recreate with clean history)" }
+  { command: "archive", description: "Archive session topic (recreate with clean history)" },
+  { command: "text_to_speech", description: "Toggle Text to Speech (/text_to_speech on, /text_to_speech off)" }
 ];
 
 // src/adapters/telegram/permissions.ts
 import { InlineKeyboard as InlineKeyboard9 } from "grammy";
 import { nanoid as nanoid3 } from "nanoid";
-var log16 = createChildLogger({ module: "telegram-permissions" });
+var log18 = createChildLogger({ module: "telegram-permissions" });
 var PermissionHandler = class {
   constructor(bot, chatId, getSession, sendNotification) {
     this.bot = bot;
@@ -5356,7 +6142,7 @@ ${escapeHtml(request.description)}`,
         disable_notification: false
       }
     );
-    const deepLink = buildDeepLink(this.chatId, msg.message_id);
+    const deepLink = buildDeepLink(this.chatId, threadId, msg.message_id);
     void this.sendNotification({
       sessionId: session.id,
       sessionName: session.name,
@@ -5382,7 +6168,7 @@ ${escapeHtml(request.description)}`,
       }
       const session = this.getSession(pending.sessionId);
       const isAllow = pending.options.find((o) => o.id === optionId)?.isAllow ?? false;
-      log16.info({ requestId: pending.requestId, optionId, isAllow }, "Permission responded");
+      log18.info({ requestId: pending.requestId, optionId, isAllow }, "Permission responded");
       if (session?.permissionGate.requestId === pending.requestId) {
         session.permissionGate.resolve(optionId);
       }
@@ -5400,10 +6186,10 @@ ${escapeHtml(request.description)}`,
 };
 
 // src/adapters/telegram/assistant.ts
-var log17 = createChildLogger({ module: "telegram-assistant" });
+var log19 = createChildLogger({ module: "telegram-assistant" });
 async function spawnAssistant(core, adapter, assistantTopicId) {
   const config = core.configManager.get();
-  log17.info({ agent: config.defaultAgent }, "Creating assistant session...");
+  log19.info({ agent: config.defaultAgent }, "Creating assistant session...");
   const session = await core.createSession({
     channelId: "telegram",
     agentName: config.defaultAgent,
@@ -5412,7 +6198,7 @@ async function spawnAssistant(core, adapter, assistantTopicId) {
     // Prevent auto-naming from triggering after system prompt
   });
   session.threadId = String(assistantTopicId);
-  log17.info({ sessionId: session.id }, "Assistant agent spawned");
+  log19.info({ sessionId: session.id }, "Assistant agent spawned");
   const allRecords = core.sessionManager.listRecords();
   const activeCount = allRecords.filter((r) => r.status === "active" || r.status === "initializing").length;
   const statusCounts = /* @__PURE__ */ new Map();
@@ -5433,9 +6219,9 @@ async function spawnAssistant(core, adapter, assistantTopicId) {
   };
   const systemPrompt = buildAssistantSystemPrompt(ctx);
   const ready = session.enqueuePrompt(systemPrompt).then(() => {
-    log17.info({ sessionId: session.id }, "Assistant system prompt completed");
+    log19.info({ sessionId: session.id }, "Assistant system prompt completed");
   }).catch((err) => {
-    log17.warn({ err }, "Assistant system prompt failed");
+    log19.warn({ err }, "Assistant system prompt failed");
   });
   return { session, ready };
 }
@@ -5601,7 +6387,7 @@ function redirectToAssistant(chatId, assistantTopicId) {
 }
 
 // src/adapters/telegram/activity.ts
-var log18 = createChildLogger({ module: "telegram:activity" });
+var log20 = createChildLogger({ module: "telegram:activity" });
 var THINKING_REFRESH_MS = 15e3;
 var THINKING_MAX_MS = 3 * 60 * 1e3;
 var ThinkingIndicator = class {
@@ -5633,7 +6419,7 @@ var ThinkingIndicator = class {
         this.startRefreshTimer();
       }
     } catch (err) {
-      log18.warn({ err }, "ThinkingIndicator.show() failed");
+      log20.warn({ err }, "ThinkingIndicator.show() failed");
     } finally {
       this.sending = false;
     }
@@ -5706,7 +6492,7 @@ var UsageMessage = class {
         if (result) this.msgId = result.message_id;
       }
     } catch (err) {
-      log18.warn({ err }, "UsageMessage.send() failed");
+      log20.warn({ err }, "UsageMessage.send() failed");
     }
   }
   getMsgId() {
@@ -5719,7 +6505,7 @@ var UsageMessage = class {
     try {
       await this.sendQueue.enqueue(() => this.api.deleteMessage(this.chatId, id));
     } catch (err) {
-      log18.warn({ err }, "UsageMessage.delete() failed");
+      log20.warn({ err }, "UsageMessage.delete() failed");
     }
   }
 };
@@ -5805,7 +6591,7 @@ var PlanCard = class {
         if (result) this.msgId = result.message_id;
       }
     } catch (err) {
-      log18.warn({ err }, "PlanCard flush failed");
+      log20.warn({ err }, "PlanCard flush failed");
     }
   }
 };
@@ -5868,7 +6654,7 @@ var ActivityTracker = class {
           })
         );
       } catch (err) {
-        log18.warn({ err }, "ActivityTracker.onComplete() Done send failed");
+        log20.warn({ err }, "ActivityTracker.onComplete() Done send failed");
       }
     }
   }
@@ -5895,19 +6681,19 @@ var TelegramSendQueue = class {
   enqueue(fn, opts) {
     const type = opts?.type ?? "other";
     const key = opts?.key;
-    return new Promise((resolve2, reject) => {
+    return new Promise((resolve3, reject) => {
       if (type === "text" && key) {
         const idx = this.items.findIndex(
           (item) => item.type === "text" && item.key === key
         );
         if (idx !== -1) {
           this.items[idx].resolve(void 0);
-          this.items[idx] = { fn, type, key, resolve: resolve2, reject };
+          this.items[idx] = { fn, type, key, resolve: resolve3, reject };
           this.scheduleProcess();
           return;
         }
       }
-      this.items.push({ fn, type, key, resolve: resolve2, reject });
+      this.items.push({ fn, type, key, resolve: resolve3, reject });
       this.scheduleProcess();
     });
   }
@@ -6039,7 +6825,8 @@ function setupActionCallbacks(bot, core, chatId, getAssistantSessionId) {
             action.agent,
             action.workspace
           );
-          const topicLink = `https://t.me/c/${String(chatId).replace("-100", "")}/${firstMsgId ?? threadId}`;
+          const cleanId = String(chatId).replace("-100", "");
+          const topicLink = firstMsgId ? `https://t.me/c/${cleanId}/${threadId}/${firstMsgId}` : `https://t.me/c/${cleanId}/${threadId}`;
           const originalText = ctx.callbackQuery.message?.text ?? "";
           try {
             await ctx.editMessageText(
@@ -6106,7 +6893,7 @@ function setupActionCallbacks(bot, core, chatId, getAssistantSessionId) {
 }
 
 // src/adapters/telegram/tool-call-tracker.ts
-var log19 = createChildLogger({ module: "tool-call-tracker" });
+var log21 = createChildLogger({ module: "tool-call-tracker" });
 var ToolCallTracker = class {
   constructor(bot, chatId, sendQueue) {
     this.bot = bot;
@@ -6150,7 +6937,7 @@ var ToolCallTracker = class {
     if (!toolState) return;
     if (meta.viewerLinks) {
       toolState.viewerLinks = meta.viewerLinks;
-      log19.debug({ toolId: meta.id, viewerLinks: meta.viewerLinks }, "Accumulated viewerLinks");
+      log21.debug({ toolId: meta.id, viewerLinks: meta.viewerLinks }, "Accumulated viewerLinks");
     }
     if (meta.viewerFilePath) toolState.viewerFilePath = meta.viewerFilePath;
     if (meta.name) toolState.name = meta.name;
@@ -6158,7 +6945,7 @@ var ToolCallTracker = class {
     const isTerminal = meta.status === "completed" || meta.status === "failed";
     if (!isTerminal) return;
     await toolState.ready;
-    log19.debug(
+    log21.debug(
       {
         toolId: meta.id,
         status: meta.status,
@@ -6187,7 +6974,7 @@ var ToolCallTracker = class {
         )
       );
     } catch (err) {
-      log19.warn(
+      log21.warn(
         {
           err,
           msgId: toolState.msgId,
@@ -6365,6 +7152,24 @@ var MessageDraft = class {
   getMessageId() {
     return this.messageId;
   }
+  async stripPattern(pattern) {
+    if (!this.messageId || !this.buffer) return;
+    const stripped = this.buffer.replace(pattern, "").trim();
+    if (stripped === this.buffer.trim()) return;
+    this.buffer = stripped;
+    this.lastSentBuffer = stripped;
+    const html = markdownToTelegramHtml(stripped);
+    if (!html) return;
+    try {
+      await this.sendQueue.enqueue(
+        () => this.bot.api.editMessageText(this.chatId, this.messageId, html, {
+          parse_mode: "HTML"
+        }),
+        { type: "other" }
+      );
+    } catch {
+    }
+  }
 };
 
 // src/adapters/telegram/draft-manager.ts
@@ -6393,6 +7198,9 @@ var DraftManager = class {
   hasDraft(sessionId) {
     return this.drafts.has(sessionId);
   }
+  getDraft(sessionId) {
+    return this.drafts.get(sessionId);
+  }
   appendText(sessionId, text) {
     this.textBuffers.set(
       sessionId,
@@ -6437,7 +7245,7 @@ var DraftManager = class {
 };
 
 // src/adapters/telegram/skill-command-manager.ts
-var log20 = createChildLogger({ module: "skill-commands" });
+var log22 = createChildLogger({ module: "skill-commands" });
 var SkillCommandManager = class {
   // sessionId → pinned msgId
   constructor(bot, chatId, sendQueue, sessionManager) {
@@ -6503,7 +7311,7 @@ var SkillCommandManager = class {
         disable_notification: true
       });
     } catch (err) {
-      log20.error({ err, sessionId }, "Failed to send skill commands");
+      log22.error({ err, sessionId }, "Failed to send skill commands");
     }
   }
   async cleanup(sessionId) {
@@ -6522,14 +7330,17 @@ var SkillCommandManager = class {
     this.messages.delete(sessionId);
     const record = this.sessionManager.getSessionRecord(sessionId);
     if (record) {
-      const { skillMsgId: _removed, ...rest } = record.platform;
-      await this.sessionManager.patchRecord(sessionId, { platform: rest });
+      const platform = record.platform;
+      if (platform && typeof platform === "object" && "topicId" in platform) {
+        const { skillMsgId: _removed, ...rest } = platform;
+        await this.sessionManager.patchRecord(sessionId, { platform: rest });
+      }
     }
   }
 };
 
 // src/adapters/telegram/adapter.ts
-var log21 = createChildLogger({ module: "telegram" });
+var log23 = createChildLogger({ module: "telegram" });
 function patchedFetch(input, init) {
   if (init?.signal && !(init.signal instanceof AbortSignal)) {
     const nativeController = new AbortController();
@@ -6576,7 +7387,12 @@ var TelegramAdapter = class extends ChannelAdapter {
     this.telegramConfig = config;
   }
   async start() {
-    this.bot = new Bot(this.telegramConfig.botToken, { client: { fetch: patchedFetch } });
+    this.bot = new Bot(this.telegramConfig.botToken, {
+      client: {
+        baseFetchConfig: { duplex: "half" },
+        fetch: patchedFetch
+      }
+    });
     this.fileService = this.core.fileService;
     this.toolTracker = new ToolCallTracker(this.bot, this.telegramConfig.chatId, this.sendQueue);
     this.draftManager = new DraftManager(this.bot, this.telegramConfig.chatId, this.sendQueue);
@@ -6588,7 +7404,7 @@ var TelegramAdapter = class extends ChannelAdapter {
     );
     this.bot.catch((err) => {
       const rootCause = err.error instanceof Error ? err.error : err;
-      log21.error({ err: rootCause }, "Telegram bot error");
+      log23.error({ err: rootCause }, "Telegram bot error");
     });
     this.bot.api.config.use(async (prev, method, payload, signal) => {
       const maxRetries = 3;
@@ -6602,7 +7418,7 @@ var TelegramAdapter = class extends ChannelAdapter {
         if (rateLimitedMethods.includes(method)) {
           this.sendQueue.onRateLimited();
         }
-        log21.warn(
+        log23.warn(
           { method, retryAfter, attempt: attempt + 1 },
           "Rate limited by Telegram, retrying"
         );
@@ -6647,6 +7463,7 @@ var TelegramAdapter = class extends ChannelAdapter {
       (notification) => this.sendNotification(notification)
     );
     setupDangerousModeCallbacks(this.bot, this.core);
+    setupTTSCallbacks(this.bot, this.core);
     setupActionCallbacks(
       this.bot,
       this.core,
@@ -6734,7 +7551,7 @@ var TelegramAdapter = class extends ChannelAdapter {
     this.setupRoutes();
     this.bot.start({
       allowed_updates: ["message", "callback_query"],
-      onStart: () => log21.info(
+      onStart: () => log23.info(
         { chatId: this.telegramConfig.chatId },
         "Telegram bot started"
       )
@@ -6756,10 +7573,10 @@ var TelegramAdapter = class extends ChannelAdapter {
         reply_markup: buildMenuKeyboard()
       });
     } catch (err) {
-      log21.warn({ err }, "Failed to send welcome message");
+      log23.warn({ err }, "Failed to send welcome message");
     }
     try {
-      log21.info("Spawning assistant session...");
+      log23.info("Spawning assistant session...");
       const { session, ready } = await spawnAssistant(
         this.core,
         this,
@@ -6767,13 +7584,13 @@ var TelegramAdapter = class extends ChannelAdapter {
       );
       this.assistantSession = session;
       this.assistantInitializing = true;
-      log21.info({ sessionId: session.id }, "Assistant session ready, system prompt running in background");
+      log23.info({ sessionId: session.id }, "Assistant session ready, system prompt running in background");
       ready.then(() => {
         this.assistantInitializing = false;
-        log21.info({ sessionId: session.id }, "Assistant ready for user messages");
+        log23.info({ sessionId: session.id }, "Assistant ready for user messages");
       });
     } catch (err) {
-      log21.error({ err }, "Failed to spawn assistant");
+      log23.error({ err }, "Failed to spawn assistant");
       this.bot.api.sendMessage(
         this.telegramConfig.chatId,
         `\u26A0\uFE0F <b>Failed to start assistant session.</b>
@@ -6789,7 +7606,7 @@ var TelegramAdapter = class extends ChannelAdapter {
       await this.assistantSession.destroy();
     }
     await this.bot.stop();
-    log21.info("Telegram bot stopped");
+    log23.info("Telegram bot stopped");
   }
   setupRoutes() {
     this.bot.on("message:text", async (ctx) => {
@@ -6817,7 +7634,7 @@ var TelegramAdapter = class extends ChannelAdapter {
         ctx.replyWithChatAction("typing").catch(() => {
         });
         handleAssistantMessage(this.assistantSession, forwardText).catch(
-          (err) => log21.error({ err }, "Assistant error")
+          (err) => log23.error({ err }, "Assistant error")
         );
         return;
       }
@@ -6834,7 +7651,7 @@ var TelegramAdapter = class extends ChannelAdapter {
         threadId: String(threadId),
         userId: String(ctx.from.id),
         text: forwardText
-      }).catch((err) => log21.error({ err }, "handleMessage error"));
+      }).catch((err) => log23.error({ err }, "handleMessage error"));
     });
     this.bot.on("message:photo", async (ctx) => {
       const threadId = ctx.message.message_thread_id;
@@ -6904,220 +7721,200 @@ var TelegramAdapter = class extends ChannelAdapter {
       );
     });
   }
-  // --- ChannelAdapter implementations ---
-  async sendMessage(sessionId, content) {
-    if (this.assistantInitializing && sessionId === this.assistantSession?.id) return;
-    const session = this.core.sessionManager.getSession(sessionId);
-    if (!session) return;
-    if (session.archiving) return;
-    const threadId = Number(session.threadId);
-    if (!threadId || isNaN(threadId)) {
-      log21.warn({ sessionId, threadId: session.threadId }, "Session has no valid threadId, skipping message");
-      return;
-    }
-    switch (content.type) {
-      case "thought": {
-        const tracker = this.getOrCreateTracker(sessionId, threadId);
-        await tracker.onThought();
-        break;
-      }
-      case "text": {
-        if (!this.draftManager.hasDraft(sessionId)) {
-          const tracker = this.getOrCreateTracker(sessionId, threadId);
-          tracker.onTextStart().catch(() => {
-          });
-        }
-        const draft = this.draftManager.getOrCreate(sessionId, threadId);
-        draft.append(content.text);
-        this.draftManager.appendText(sessionId, content.text);
-        break;
-      }
-      case "tool_call": {
-        const tracker = this.getOrCreateTracker(sessionId, threadId);
-        await tracker.onToolCall();
-        await this.draftManager.finalize(sessionId, this.assistantSession?.id);
-        const meta = content.metadata;
-        await this.toolTracker.trackNewCall(sessionId, threadId, {
-          ...meta,
-          viewerFilePath: content.metadata?.viewerFilePath
+  // --- MessageHandlers for dispatchMessage ---
+  messageHandlers = {
+    onThought: async (ctx, _content) => {
+      const tracker = this.getOrCreateTracker(ctx.sessionId, ctx.threadId);
+      await tracker.onThought();
+    },
+    onText: async (ctx, content) => {
+      if (!this.draftManager.hasDraft(ctx.sessionId)) {
+        const tracker = this.getOrCreateTracker(ctx.sessionId, ctx.threadId);
+        tracker.onTextStart().catch(() => {
         });
-        break;
       }
-      case "tool_update": {
-        const meta = content.metadata;
-        await this.toolTracker.updateCall(sessionId, {
-          ...meta,
-          viewerFilePath: content.metadata?.viewerFilePath
+      const draft = this.draftManager.getOrCreate(ctx.sessionId, ctx.threadId);
+      draft.append(content.text);
+      this.draftManager.appendText(ctx.sessionId, content.text);
+    },
+    onToolCall: async (ctx, content) => {
+      const tracker = this.getOrCreateTracker(ctx.sessionId, ctx.threadId);
+      await tracker.onToolCall();
+      await this.draftManager.finalize(ctx.sessionId, this.assistantSession?.id);
+      const meta = content.metadata;
+      await this.toolTracker.trackNewCall(ctx.sessionId, ctx.threadId, {
+        ...meta
+      });
+    },
+    onToolUpdate: async (ctx, content) => {
+      const meta = content.metadata;
+      await this.toolTracker.updateCall(ctx.sessionId, {
+        ...meta
+      });
+    },
+    onPlan: async (ctx, content) => {
+      const meta = content.metadata;
+      const tracker = this.getOrCreateTracker(ctx.sessionId, ctx.threadId);
+      await tracker.onPlan(
+        meta.entries.map((e) => ({
+          content: e.content,
+          status: e.status,
+          priority: e.priority ?? "medium"
+        }))
+      );
+    },
+    onUsage: async (ctx, content) => {
+      const meta = content.metadata;
+      await this.draftManager.finalize(ctx.sessionId, this.assistantSession?.id);
+      const tracker = this.getOrCreateTracker(ctx.sessionId, ctx.threadId);
+      await tracker.sendUsage(meta ?? {});
+      if (this.notificationTopicId && ctx.sessionId !== this.assistantSession?.id) {
+        const sess = this.core.sessionManager.getSession(ctx.sessionId);
+        const sessionName = sess?.name || "Session";
+        const chatIdStr = String(this.telegramConfig.chatId);
+        const numericId = chatIdStr.startsWith("-100") ? chatIdStr.slice(4) : chatIdStr.replace("-", "");
+        const usageMsgId = tracker.getUsageMsgId();
+        const deepLink = usageMsgId ? `https://t.me/c/${numericId}/${ctx.threadId}/${usageMsgId}` : `https://t.me/c/${numericId}/${ctx.threadId}`;
+        const text = `\u2705 <b>${escapeHtml(sessionName)}</b>
+Task completed.
+
+<a href="${deepLink}">\u2192 Go to topic</a>`;
+        this.sendQueue.enqueue(
+          () => this.bot.api.sendMessage(this.telegramConfig.chatId, text, {
+            message_thread_id: this.notificationTopicId,
+            parse_mode: "HTML",
+            disable_notification: false
+          })
+        ).catch(() => {
         });
-        break;
       }
-      case "plan": {
-        const meta = content.metadata;
-        const tracker = this.getOrCreateTracker(sessionId, threadId);
-        await tracker.onPlan(
-          meta.entries.map((e) => ({
-            content: e.content,
-            status: e.status,
-            priority: e.priority ?? "medium"
-          }))
+    },
+    onAttachment: async (ctx, content) => {
+      if (!content.attachment) return;
+      const { attachment } = content;
+      if (attachment.size > 50 * 1024 * 1024) {
+        log23.warn({ sessionId: ctx.sessionId, fileName: attachment.fileName, size: attachment.size }, "File too large for Telegram (>50MB)");
+        await this.sendQueue.enqueue(
+          () => this.bot.api.sendMessage(
+            this.telegramConfig.chatId,
+            `\u26A0\uFE0F File too large to send (${Math.round(attachment.size / 1024 / 1024)}MB): ${escapeHtml(attachment.fileName)}`,
+            { message_thread_id: ctx.threadId, parse_mode: "HTML" }
+          )
         );
-        break;
+        return;
       }
-      case "usage": {
-        const meta = content.metadata;
-        await this.draftManager.finalize(sessionId, this.assistantSession?.id);
-        const tracker = this.getOrCreateTracker(sessionId, threadId);
-        await tracker.sendUsage(meta);
-        if (this.notificationTopicId && sessionId !== this.assistantSession?.id) {
-          const sess = this.core.sessionManager.getSession(sessionId);
-          const sessionName = sess?.name || "Session";
-          const chatIdStr = String(this.telegramConfig.chatId);
-          const numericId = chatIdStr.startsWith("-100") ? chatIdStr.slice(4) : chatIdStr.replace("-", "");
-          const usageMsgId = tracker.getUsageMsgId();
-          const deepLink = `https://t.me/c/${numericId}/${usageMsgId ?? threadId}`;
-          const text = `\u2705 <b>${escapeHtml(sessionName)}</b>
-Task completed.
-
-<a href="${deepLink}">\u2192 Go to topic</a>`;
-          this.sendQueue.enqueue(
-            () => this.bot.api.sendMessage(this.telegramConfig.chatId, text, {
-              message_thread_id: this.notificationTopicId,
-              parse_mode: "HTML",
-              disable_notification: false
+      try {
+        const inputFile = new InputFile(attachment.filePath);
+        if (attachment.type === "image") {
+          await this.sendQueue.enqueue(
+            () => this.bot.api.sendPhoto(this.telegramConfig.chatId, inputFile, {
+              message_thread_id: ctx.threadId
             })
-          ).catch(() => {
-          });
-        }
-        break;
-      }
-      case "attachment": {
-        if (!content.attachment) break;
-        const { attachment } = content;
-        if (attachment.size > 50 * 1024 * 1024) {
-          log21.warn({ sessionId, fileName: attachment.fileName, size: attachment.size }, "File too large for Telegram (>50MB)");
+          );
+        } else if (attachment.type === "audio") {
           await this.sendQueue.enqueue(
-            () => this.bot.api.sendMessage(
-              this.telegramConfig.chatId,
-              `\u26A0\uFE0F File too large to send (${Math.round(attachment.size / 1024 / 1024)}MB): ${escapeHtml(attachment.fileName)}`,
-              { message_thread_id: threadId, parse_mode: "HTML" }
-            )
+            () => this.bot.api.sendVoice(this.telegramConfig.chatId, inputFile, {
+              message_thread_id: ctx.threadId
+            })
           );
-          break;
-        }
-        try {
-          const inputFile = new InputFile(attachment.filePath);
-          if (attachment.type === "image") {
-            await this.sendQueue.enqueue(
-              () => this.bot.api.sendPhoto(this.telegramConfig.chatId, inputFile, {
-                message_thread_id: threadId
-              })
-            );
-          } else if (attachment.type === "audio") {
-            await this.sendQueue.enqueue(
-              () => this.bot.api.sendVoice(this.telegramConfig.chatId, inputFile, {
-                message_thread_id: threadId
-              })
-            );
-          } else {
-            await this.sendQueue.enqueue(
-              () => this.bot.api.sendDocument(this.telegramConfig.chatId, inputFile, {
-                message_thread_id: threadId
-              })
-            );
+          const draft = this.draftManager.getDraft(ctx.sessionId);
+          if (draft) {
+            draft.stripPattern(/\[TTS\][\s\S]*?\[\/TTS\]/g).catch(() => {
+            });
           }
-        } catch (err) {
-          log21.error({ err, sessionId, fileName: attachment.fileName }, "Failed to send attachment");
-        }
-        break;
-      }
-      case "session_end": {
-        await this.draftManager.finalize(sessionId, this.assistantSession?.id);
-        this.draftManager.cleanup(sessionId);
-        this.toolTracker.cleanup(sessionId);
-        await this.skillManager.cleanup(sessionId);
-        const tracker = this.sessionTrackers.get(sessionId);
-        if (tracker) {
-          await tracker.onComplete();
-          tracker.destroy();
-          this.sessionTrackers.delete(sessionId);
         } else {
           await this.sendQueue.enqueue(
-            () => this.bot.api.sendMessage(
-              this.telegramConfig.chatId,
-              `\u2705 <b>Done</b>`,
-              {
-                message_thread_id: threadId,
-                parse_mode: "HTML",
-                disable_notification: true
-              }
-            )
+            () => this.bot.api.sendDocument(this.telegramConfig.chatId, inputFile, {
+              message_thread_id: ctx.threadId
+            })
           );
         }
-        break;
+      } catch (err) {
+        log23.error({ err, sessionId: ctx.sessionId, fileName: attachment.fileName }, "Failed to send attachment");
       }
-      case "error": {
-        await this.draftManager.finalize(sessionId, this.assistantSession?.id);
-        const tracker = this.sessionTrackers.get(sessionId);
-        if (tracker) {
-          tracker.destroy();
-          this.sessionTrackers.delete(sessionId);
-        }
+    },
+    onSessionEnd: async (ctx, _content) => {
+      await this.draftManager.finalize(ctx.sessionId, this.assistantSession?.id);
+      this.draftManager.cleanup(ctx.sessionId);
+      this.toolTracker.cleanup(ctx.sessionId);
+      await this.skillManager.cleanup(ctx.sessionId);
+      const tracker = this.sessionTrackers.get(ctx.sessionId);
+      if (tracker) {
+        await tracker.onComplete();
+        tracker.destroy();
+        this.sessionTrackers.delete(ctx.sessionId);
+      } else {
         await this.sendQueue.enqueue(
           () => this.bot.api.sendMessage(
             this.telegramConfig.chatId,
-            `\u274C <b>Error:</b> ${escapeHtml(content.text)}`,
+            `\u2705 <b>Done</b>`,
             {
-              message_thread_id: threadId,
+              message_thread_id: ctx.threadId,
               parse_mode: "HTML",
               disable_notification: true
             }
           )
         );
-        break;
       }
-      case "system_message": {
-        await this.sendQueue.enqueue(
-          () => this.bot.api.sendMessage(
-            this.telegramConfig.chatId,
-            escapeHtml(content.text),
-            {
-              message_thread_id: threadId,
-              parse_mode: "HTML",
-              disable_notification: true
-            }
-          )
-        );
-        break;
+    },
+    onError: async (ctx, content) => {
+      await this.draftManager.finalize(ctx.sessionId, this.assistantSession?.id);
+      const tracker = this.sessionTrackers.get(ctx.sessionId);
+      if (tracker) {
+        tracker.destroy();
+        this.sessionTrackers.delete(ctx.sessionId);
       }
+      await this.sendQueue.enqueue(
+        () => this.bot.api.sendMessage(
+          this.telegramConfig.chatId,
+          `\u274C <b>Error:</b> ${escapeHtml(content.text)}`,
+          {
+            message_thread_id: ctx.threadId,
+            parse_mode: "HTML",
+            disable_notification: true
+          }
+        )
+      );
+    },
+    onSystemMessage: async (ctx, content) => {
+      await this.sendQueue.enqueue(
+        () => this.bot.api.sendMessage(
+          this.telegramConfig.chatId,
+          escapeHtml(content.text),
+          {
+            message_thread_id: ctx.threadId,
+            parse_mode: "HTML",
+            disable_notification: true
+          }
+        )
+      );
     }
-  }
-  async sendPermissionRequest(sessionId, request) {
-    log21.info({ sessionId, requestId: request.id }, "Permission request sent");
+  };
+  // --- ChannelAdapter implementations ---
+  async sendMessage(sessionId, content) {
+    if (this.assistantInitializing && sessionId === this.assistantSession?.id) return;
     const session = this.core.sessionManager.getSession(sessionId);
     if (!session) return;
-    if (request.description.includes("openacp")) {
-      const allowOption = request.options.find((o) => o.isAllow);
-      if (allowOption && session.permissionGate.requestId === request.id) {
-        log21.info({ sessionId, requestId: request.id }, "Auto-approving openacp command");
-        session.permissionGate.resolve(allowOption.id);
-      }
-      return;
-    }
-    if (session.dangerousMode) {
-      const allowOption = request.options.find((o) => o.isAllow);
-      if (allowOption && session.permissionGate.requestId === request.id) {
-        log21.info({ sessionId, requestId: request.id, optionId: allowOption.id }, "Dangerous mode: auto-approving permission");
-        session.permissionGate.resolve(allowOption.id);
-      }
+    if (session.archiving) return;
+    const threadId = Number(session.threadId);
+    if (!threadId || isNaN(threadId)) {
+      log23.warn({ sessionId, threadId: session.threadId }, "Session has no valid threadId, skipping message");
       return;
     }
+    const ctx = { sessionId, threadId };
+    await dispatchMessage(this.messageHandlers, ctx, content);
+  }
+  async sendPermissionRequest(sessionId, request) {
+    log23.info({ sessionId, requestId: request.id }, "Permission request sent");
+    const session = this.core.sessionManager.getSession(sessionId);
+    if (!session) return;
     await this.sendQueue.enqueue(
       () => this.permissionHandler.sendPermissionRequest(session, request)
     );
   }
   async sendNotification(notification) {
     if (notification.sessionId === this.assistantSession?.id) return;
-    log21.info(
+    log23.info(
       { sessionId: notification.sessionId, type: notification.type },
       "Notification sent"
     );
@@ -7153,7 +7950,7 @@ Task completed.
     );
   }
   async createSessionThread(sessionId, name) {
-    log21.info({ sessionId, name }, "Session topic created");
+    log23.info({ sessionId, name }, "Session topic created");
     return String(
       await createSessionTopic(this.bot, this.telegramConfig.chatId, name)
     );
@@ -7177,7 +7974,7 @@ Task completed.
     try {
       await this.bot.api.deleteForumTopic(this.telegramConfig.chatId, topicId);
     } catch (err) {
-      log21.warn({ err, sessionId, topicId }, "Failed to delete forum topic (may already be deleted)");
+      log23.warn({ err, sessionId, topicId }, "Failed to delete forum topic (may already be deleted)");
     }
   }
   async sendSkillCommands(sessionId, commands) {
@@ -7201,7 +7998,7 @@ Task completed.
       const buffer = Buffer.from(await response.arrayBuffer());
       return { buffer, filePath: file.file_path };
     } catch (err) {
-      log21.error({ err }, "Failed to download file from Telegram");
+      log23.error({ err }, "Failed to download file from Telegram");
       return null;
     }
   }
@@ -7217,7 +8014,7 @@ Task completed.
       try {
         buffer = await this.fileService.convertOggToWav(buffer);
       } catch (err) {
-        log21.warn({ err }, "OGG\u2192WAV conversion failed, saving original OGG");
+        log23.warn({ err }, "OGG\u2192WAV conversion failed, saving original OGG");
         fileName = "voice.ogg";
         mimeType = "audio/ogg";
         originalFilePath = void 0;
@@ -7243,7 +8040,7 @@ Task completed.
       userId: String(userId),
       text,
       attachments: [att]
-    }).catch((err) => log21.error({ err }, "handleMessage error"));
+    }).catch((err) => log23.error({ err }, "handleMessage error"));
   }
   async cleanupSkillCommands(sessionId) {
     await this.skillManager.cleanup(sessionId);
@@ -7295,9 +8092,9 @@ export {
   nodeToWebWritable,
   nodeToWebReadable,
   StderrCapture,
+  TypedEmitter,
   AgentInstance,
   AgentManager,
-  TypedEmitter,
   PromptQueue,
   PermissionGate,
   Session,
@@ -7308,11 +8105,16 @@ export {
   MessageTransformer,
   UsageStore,
   UsageBudget,
+  SecurityGuard,
+  SessionFactory,
+  EventBus,
   SpeechService,
   GroqSTT,
   OpenACPCore,
+  SSEManager,
+  StaticServer,
   ApiServer,
   TopicManager,
   TelegramAdapter
 };
-//# sourceMappingURL=chunk-R3UJUOXI.js.map
+//# sourceMappingURL=chunk-HP2IJYCA.js.map