@openacp/cli 2026.403.3 → 2026.403.5

package/dist/index.js

@@ -462,22 +462,22 @@ __export(config_registry_exports, {
 });
 import * as fs4 from "fs";
 import * as path4 from "path";
-function getFieldDef(path33) {
-  return CONFIG_REGISTRY.find((f) => f.path === path33);
+function getFieldDef(path35) {
+  return CONFIG_REGISTRY.find((f) => f.path === path35);
 }
 function getSafeFields() {
   return CONFIG_REGISTRY.filter((f) => f.scope === "safe");
 }
-function isHotReloadable(path33) {
-  const def = getFieldDef(path33);
+function isHotReloadable(path35) {
+  const def = getFieldDef(path35);
   return def?.hotReload ?? false;
 }
 function resolveOptions(def, config) {
   if (!def.options) return void 0;
   return typeof def.options === "function" ? def.options(config) : def.options;
 }
-function getConfigValue(config, path33) {
-  const parts = path33.split(".");
+function getConfigValue(config, path35) {
+  const parts = path35.split(".");
   let current = config;
   for (const part of parts) {
     if (current && typeof current === "object" && part in current) {
@@ -745,7 +745,11 @@ var init_config = __esm({
       agents: z.record(z.string(), AgentSchema).optional().default({}),
       defaultAgent: z.string(),
       workspace: z.object({
-        baseDir: z.string().default("~/openacp-workspace")
+        baseDir: z.string().default("~/openacp-workspace"),
+        security: z.object({
+          allowedPaths: z.array(z.string()).default([]),
+          envWhitelist: z.array(z.string()).default([])
+        }).default({})
       }).default({}),
       security: z.object({
         allowedUserIds: z.array(z.string()).default([]),
@@ -906,11 +910,25 @@ var init_config = __esm({
         }
         if (input2.startsWith("/") || input2.startsWith("~")) {
           const resolved2 = expandHome3(input2);
-          fs5.mkdirSync(resolved2, { recursive: true });
-          return resolved2;
+          const base = expandHome3(this.config.workspace.baseDir);
+          if (resolved2 === base || resolved2.startsWith(base + path5.sep)) {
+            fs5.mkdirSync(resolved2, { recursive: true });
+            return resolved2;
+          }
+          throw new Error(
+            `Workspace path "${input2}" is outside base directory "${this.config.workspace.baseDir}".`
+          );
+        }
+        const name = input2.replace(/[^a-zA-Z0-9_-]/g, "");
+        if (name !== input2) {
+          throw new Error(
+            `Invalid workspace name: "${input2}". Only alphanumeric characters, hyphens, and underscores are allowed.`
+          );
         }
-        const name = input2.toLowerCase();
-        const resolved = path5.join(expandHome3(this.config.workspace.baseDir), name);
+        const resolved = path5.join(
+          expandHome3(this.config.workspace.baseDir),
+          name.toLowerCase()
+        );
         fs5.mkdirSync(resolved, { recursive: true });
         return resolved;
       }
@@ -1036,9 +1054,9 @@ var read_text_file_exports = {};
 __export(read_text_file_exports, {
   readTextFileWithRange: () => readTextFileWithRange
 });
-import fs6 from "fs";
+import fs7 from "fs";
 async function readTextFileWithRange(filePath, options) {
-  const content = await fs6.promises.readFile(filePath, "utf-8");
+  const content = await fs7.promises.readFile(filePath, "utf-8");
   if (!options?.line && !options?.limit) return content;
   const lines = content.split("\n");
   const start = Math.max(0, (options.line ?? 1) - 1);
@@ -1078,8 +1096,8 @@ __export(agent_dependencies_exports, {
   listAgentsWithIntegration: () => listAgentsWithIntegration
 });
 import { execFileSync as execFileSync2 } from "child_process";
-import * as fs11 from "fs";
-import * as path9 from "path";
+import * as fs12 from "fs";
+import * as path11 from "path";
 function getAgentSetup(registryId) {
   return AGENT_SETUP[registryId];
 }
@@ -1103,9 +1121,9 @@ function commandExists(cmd) {
   }
   let dir = process.cwd();
   while (true) {
-    const binPath = path9.join(dir, "node_modules", ".bin", cmd);
-    if (fs11.existsSync(binPath)) return true;
-    const parent = path9.dirname(dir);
+    const binPath = path11.join(dir, "node_modules", ".bin", cmd);
+    if (fs12.existsSync(binPath)) return true;
+    const parent = path11.dirname(dir);
     if (parent === dir) break;
     dir = parent;
   }
@@ -1360,8 +1378,270 @@ var init_agent_registry = __esm({
   }
 });
 
+// src/core/agents/agent-installer.ts
+import * as fs14 from "fs";
+import * as path13 from "path";
+import * as os5 from "os";
+import crypto from "crypto";
+function validateTarContents(entries, destDir) {
+  for (const entry of entries) {
+    const segments = entry.split("/");
+    if (segments.includes("..")) {
+      throw new Error(`Archive contains unsafe path traversal: ${entry}`);
+    }
+    if (entry.startsWith("/")) {
+      throw new Error(`Archive contains unsafe absolute path: ${entry}`);
+    }
+  }
+}
+function validateUninstallPath(binaryPath, agentsDir) {
+  const realPath = path13.resolve(binaryPath);
+  const realAgentsDir = path13.resolve(agentsDir);
+  if (!realPath.startsWith(realAgentsDir + path13.sep) && realPath !== realAgentsDir) {
+    throw new Error(`Refusing to delete path outside agents directory: ${realPath}`);
+  }
+}
+function getPlatformKey() {
+  const platform2 = PLATFORM_MAP[process.platform] ?? process.platform;
+  const arch = ARCH_MAP[process.arch] ?? process.arch;
+  return `${platform2}-${arch}`;
+}
+function resolveDistribution(agent) {
+  const dist = agent.distribution;
+  if (dist.npx) {
+    return { type: "npx", package: dist.npx.package, args: dist.npx.args ?? [], env: dist.npx.env };
+  }
+  if (dist.uvx) {
+    return { type: "uvx", package: dist.uvx.package, args: dist.uvx.args ?? [], env: dist.uvx.env };
+  }
+  if (dist.binary) {
+    const platformKey = getPlatformKey();
+    const target = dist.binary[platformKey];
+    if (!target) return null;
+    return { type: "binary", archive: target.archive, cmd: target.cmd, args: target.args ?? [], env: target.env };
+  }
+  return null;
+}
+function buildInstalledAgent(registryId, name, version, dist, binaryPath) {
+  if (dist.type === "npx") {
+    const npxPackage = stripPackageVersion(dist.package);
+    return {
+      registryId,
+      name,
+      version,
+      distribution: "npx",
+      command: "npx",
+      args: [npxPackage, ...dist.args],
+      env: dist.env ?? {},
+      installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      binaryPath: null
+    };
+  }
+  if (dist.type === "uvx") {
+    const uvxPackage = stripPythonPackageVersion(dist.package);
+    return {
+      registryId,
+      name,
+      version,
+      distribution: "uvx",
+      command: "uvx",
+      args: [uvxPackage, ...dist.args],
+      env: dist.env ?? {},
+      installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      binaryPath: null
+    };
+  }
+  const absCmd = path13.resolve(binaryPath, dist.cmd);
+  return {
+    registryId,
+    name,
+    version,
+    distribution: "binary",
+    command: absCmd,
+    args: dist.args,
+    env: dist.env ?? {},
+    installedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    binaryPath
+  };
+}
+function stripPackageVersion(pkg) {
+  if (pkg.startsWith("@")) {
+    const afterScope = pkg.indexOf("/");
+    if (afterScope === -1) return pkg;
+    const versionAt = pkg.indexOf("@", afterScope + 1);
+    return versionAt === -1 ? pkg : pkg.slice(0, versionAt);
+  }
+  const at = pkg.indexOf("@");
+  return at === -1 ? pkg : pkg.slice(0, at);
+}
+function stripPythonPackageVersion(pkg) {
+  const pyMatch = pkg.match(/^([^=@><!]+)/);
+  if (pyMatch && pkg.includes("==")) return pyMatch[1];
+  const at = pkg.indexOf("@");
+  return at === -1 ? pkg : pkg.slice(0, at);
+}
+async function installAgent(agent, store, progress, agentsDir) {
+  const agentKey = getAgentAlias(agent.id);
+  await progress?.onStart(agent.id, agent.name);
+  await progress?.onStep("Checking requirements...");
+  const depResult = checkDependencies(agent.id);
+  if (!depResult.available) {
+    const hints = depResult.missing.map((m) => `  ${m.label}: ${m.installHint}`).join("\n");
+    const msg = `${agent.name} needs some tools installed first:
+${hints}`;
+    await progress?.onError(msg);
+    return { ok: false, agentKey, error: msg };
+  }
+  const dist = resolveDistribution(agent);
+  if (!dist) {
+    const platformKey = getPlatformKey();
+    const msg = `${agent.name} is not available for your system (${platformKey}). Check their website for other install options.`;
+    await progress?.onError(msg);
+    return { ok: false, agentKey, error: msg };
+  }
+  if (dist.type === "uvx" && !checkRuntimeAvailable("uvx")) {
+    const msg = `${agent.name} requires Python's uvx tool.
+Install it with: pip install uv`;
+    await progress?.onError(msg, "pip install uv");
+    return { ok: false, agentKey, error: msg, hint: "pip install uv" };
+  }
+  let binaryPath;
+  if (dist.type === "binary") {
+    try {
+      binaryPath = await downloadAndExtract(agent.id, dist.archive, progress, agentsDir);
+    } catch (err) {
+      const msg = `Failed to download ${agent.name}. Please try again or install manually.`;
+      await progress?.onError(msg);
+      return { ok: false, agentKey, error: msg };
+    }
+  } else {
+    await progress?.onStep("Setting up... (will download on first use)");
+  }
+  const installed = buildInstalledAgent(agent.id, agent.name, agent.version, dist, binaryPath);
+  store.addAgent(agentKey, installed);
+  const setup = getAgentSetup(agent.id);
+  await progress?.onSuccess(agent.name);
+  return { ok: true, agentKey, setupSteps: setup?.setupSteps };
+}
+async function downloadAndExtract(agentId, archiveUrl, progress, agentsDir) {
+  const destDir = path13.join(agentsDir ?? DEFAULT_AGENTS_DIR, agentId);
+  fs14.mkdirSync(destDir, { recursive: true });
+  await progress?.onStep("Downloading...");
+  log11.info({ agentId, url: archiveUrl }, "Downloading agent binary");
+  const response = await fetch(archiveUrl);
+  if (!response.ok) {
+    throw new Error(`Download failed: ${response.status} ${response.statusText}`);
+  }
+  const contentLength = Number(response.headers.get("content-length") || 0);
+  const buffer = await readResponseWithProgress(response, contentLength, progress);
+  await progress?.onStep("Extracting...");
+  if (archiveUrl.endsWith(".zip")) {
+    await extractZip(buffer, destDir);
+  } else {
+    await extractTarGz(buffer, destDir);
+  }
+  await progress?.onStep("Ready!");
+  return destDir;
+}
+async function readResponseWithProgress(response, contentLength, progress) {
+  if (!response.body) {
+    const arrayBuffer = await response.arrayBuffer();
+    return Buffer.from(arrayBuffer);
+  }
+  const reader = response.body.getReader();
+  const chunks = [];
+  let received = 0;
+  while (true) {
+    const { done, value } = await reader.read();
+    if (done) break;
+    chunks.push(value);
+    received += value.length;
+    if (received > MAX_DOWNLOAD_SIZE) {
+      throw new Error(`Download exceeds size limit of ${MAX_DOWNLOAD_SIZE} bytes`);
+    }
+    if (contentLength > 0) {
+      await progress?.onDownloadProgress(Math.round(received / contentLength * 100));
+    }
+  }
+  return Buffer.concat(chunks);
+}
+function validateExtractedPaths(destDir) {
+  const realDest = fs14.realpathSync(destDir);
+  const entries = fs14.readdirSync(destDir, { recursive: true, withFileTypes: true });
+  for (const entry of entries) {
+    const dirent = entry;
+    const parentPath = dirent.parentPath ?? dirent.path ?? destDir;
+    const fullPath = path13.join(parentPath, entry.name);
+    let realPath;
+    try {
+      realPath = fs14.realpathSync(fullPath);
+    } catch {
+      const linkTarget = fs14.readlinkSync(fullPath);
+      realPath = path13.resolve(path13.dirname(fullPath), linkTarget);
+    }
+    if (!realPath.startsWith(realDest + path13.sep) && realPath !== realDest) {
+      fs14.rmSync(destDir, { recursive: true, force: true });
+      throw new Error(`Archive contains unsafe path: ${entry.name}`);
+    }
+  }
+}
+async function extractTarGz(buffer, destDir) {
+  const { execFileSync: execFileSync7 } = await import("child_process");
+  const tmpFile = path13.join(destDir, "_archive.tar.gz");
+  fs14.writeFileSync(tmpFile, buffer);
+  try {
+    const listing = execFileSync7("tar", ["tf", tmpFile], { stdio: "pipe" }).toString().trim().split("\n").filter(Boolean);
+    validateTarContents(listing, destDir);
+    execFileSync7("tar", ["xzf", tmpFile, "-C", destDir], { stdio: "pipe" });
+  } finally {
+    fs14.unlinkSync(tmpFile);
+  }
+  validateExtractedPaths(destDir);
+}
+async function extractZip(buffer, destDir) {
+  const { execFileSync: execFileSync7 } = await import("child_process");
+  const tmpFile = path13.join(destDir, "_archive.zip");
+  fs14.writeFileSync(tmpFile, buffer);
+  try {
+    execFileSync7("unzip", ["-o", tmpFile, "-d", destDir], { stdio: "pipe" });
+  } finally {
+    fs14.unlinkSync(tmpFile);
+  }
+  validateExtractedPaths(destDir);
+}
+async function uninstallAgent(agentKey, store, agentsDir) {
+  const agent = store.getAgent(agentKey);
+  if (!agent) return;
+  if (agent.binaryPath && fs14.existsSync(agent.binaryPath)) {
+    validateUninstallPath(agent.binaryPath, agentsDir ?? DEFAULT_AGENTS_DIR);
+    fs14.rmSync(agent.binaryPath, { recursive: true, force: true });
+    log11.info({ agentKey, binaryPath: agent.binaryPath }, "Deleted agent binary");
+  }
+  store.removeAgent(agentKey);
+}
+var log11, DEFAULT_AGENTS_DIR, MAX_DOWNLOAD_SIZE, ARCH_MAP, PLATFORM_MAP;
+var init_agent_installer = __esm({
+  "src/core/agents/agent-installer.ts"() {
+    "use strict";
+    init_log();
+    init_agent_dependencies();
+    log11 = createChildLogger({ module: "agent-installer" });
+    DEFAULT_AGENTS_DIR = path13.join(os5.homedir(), ".openacp", "agents");
+    MAX_DOWNLOAD_SIZE = 500 * 1024 * 1024;
+    ARCH_MAP = {
+      arm64: "aarch64",
+      x64: "x86_64"
+    };
+    PLATFORM_MAP = {
+      darwin: "darwin",
+      linux: "linux",
+      win32: "windows"
+    };
+  }
+});
+
 // src/core/doctor/checks/config.ts
-import * as fs16 from "fs";
+import * as fs17 from "fs";
 var configCheck;
 var init_config2 = __esm({
   "src/core/doctor/checks/config.ts"() {
@@ -1373,14 +1653,14 @@ var init_config2 = __esm({
       order: 1,
       async run(ctx) {
         const results = [];
-        if (!fs16.existsSync(ctx.configPath)) {
+        if (!fs17.existsSync(ctx.configPath)) {
           results.push({ status: "fail", message: "Config file not found" });
           return results;
         }
         results.push({ status: "pass", message: "Config file exists" });
         let raw;
         try {
-          raw = JSON.parse(fs16.readFileSync(ctx.configPath, "utf-8"));
+          raw = JSON.parse(fs17.readFileSync(ctx.configPath, "utf-8"));
         } catch (err) {
           results.push({
             status: "fail",
@@ -1399,7 +1679,7 @@ var init_config2 = __esm({
             fixRisk: "safe",
             fix: async () => {
               applyMigrations(raw);
-              fs16.writeFileSync(ctx.configPath, JSON.stringify(raw, null, 2));
+              fs17.writeFileSync(ctx.configPath, JSON.stringify(raw, null, 2));
               return { success: true, message: "applied migrations" };
             }
           });
@@ -1423,8 +1703,8 @@ var init_config2 = __esm({
 
 // src/core/doctor/checks/agents.ts
 import { execFileSync as execFileSync3 } from "child_process";
-import * as fs17 from "fs";
-import * as path16 from "path";
+import * as fs18 from "fs";
+import * as path18 from "path";
 function commandExists2(cmd) {
   try {
     execFileSync3("which", [cmd], { stdio: "pipe" });
@@ -1433,9 +1713,9 @@ function commandExists2(cmd) {
   }
   let dir = process.cwd();
   while (true) {
-    const binPath = path16.join(dir, "node_modules", ".bin", cmd);
-    if (fs17.existsSync(binPath)) return true;
-    const parent = path16.dirname(dir);
+    const binPath = path18.join(dir, "node_modules", ".bin", cmd);
+    if (fs18.existsSync(binPath)) return true;
+    const parent = path18.dirname(dir);
     if (parent === dir) break;
     dir = parent;
   }
@@ -1487,8 +1767,8 @@ var settings_manager_exports = {};
 __export(settings_manager_exports, {
   SettingsManager: () => SettingsManager
 });
-import fs18 from "fs";
-import path17 from "path";
+import fs19 from "fs";
+import path19 from "path";
 var SettingsManager, SettingsAPIImpl;
 var init_settings_manager = __esm({
   "src/core/plugin/settings-manager.ts"() {
@@ -1507,7 +1787,7 @@ var init_settings_manager = __esm({
       async loadSettings(pluginName) {
         const settingsPath = this.getSettingsPath(pluginName);
         try {
-          const content = fs18.readFileSync(settingsPath, "utf-8");
+          const content = fs19.readFileSync(settingsPath, "utf-8");
           return JSON.parse(content);
         } catch {
           return {};
@@ -1525,7 +1805,7 @@ var init_settings_manager = __esm({
         };
       }
       getSettingsPath(pluginName) {
-        return path17.join(this.basePath, pluginName, "settings.json");
+        return path19.join(this.basePath, pluginName, "settings.json");
       }
       async getPluginSettings(pluginName) {
         return this.loadSettings(pluginName);
@@ -1544,7 +1824,7 @@ var init_settings_manager = __esm({
       readFile() {
         if (this.cache !== null) return this.cache;
         try {
-          const content = fs18.readFileSync(this.settingsPath, "utf-8");
+          const content = fs19.readFileSync(this.settingsPath, "utf-8");
           this.cache = JSON.parse(content);
           return this.cache;
         } catch {
@@ -1553,9 +1833,9 @@ var init_settings_manager = __esm({
         }
       }
       writeFile(data) {
-        const dir = path17.dirname(this.settingsPath);
-        fs18.mkdirSync(dir, { recursive: true });
-        fs18.writeFileSync(this.settingsPath, JSON.stringify(data, null, 2));
+        const dir = path19.dirname(this.settingsPath);
+        fs19.mkdirSync(dir, { recursive: true });
+        fs19.writeFileSync(this.settingsPath, JSON.stringify(data, null, 2));
         this.cache = data;
       }
       async get(key) {
@@ -1590,7 +1870,7 @@ var init_settings_manager = __esm({
 });
 
 // src/core/doctor/checks/telegram.ts
-import * as path18 from "path";
+import * as path20 from "path";
 var BOT_TOKEN_REGEX, telegramCheck;
 var init_telegram = __esm({
   "src/core/doctor/checks/telegram.ts"() {
@@ -1606,7 +1886,7 @@ var init_telegram = __esm({
           return results;
         }
         const { SettingsManager: SettingsManager2 } = await Promise.resolve().then(() => (init_settings_manager(), settings_manager_exports));
-        const sm = new SettingsManager2(path18.join(ctx.pluginsDir, "data"));
+        const sm = new SettingsManager2(path20.join(ctx.pluginsDir, "data"));
         const ps = await sm.loadSettings("@openacp/telegram");
         const legacyCh = ctx.config.channels.telegram;
         const botToken = ps.botToken ?? legacyCh?.botToken;
@@ -1690,7 +1970,7 @@ var init_telegram = __esm({
 });
 
 // src/core/doctor/checks/storage.ts
-import * as fs19 from "fs";
+import * as fs20 from "fs";
 var storageCheck;
 var init_storage = __esm({
   "src/core/doctor/checks/storage.ts"() {
@@ -1700,28 +1980,28 @@ var init_storage = __esm({
       order: 4,
       async run(ctx) {
         const results = [];
-        if (!fs19.existsSync(ctx.dataDir)) {
+        if (!fs20.existsSync(ctx.dataDir)) {
           results.push({
             status: "fail",
             message: "Data directory ~/.openacp does not exist",
             fixable: true,
             fixRisk: "safe",
             fix: async () => {
-              fs19.mkdirSync(ctx.dataDir, { recursive: true });
+              fs20.mkdirSync(ctx.dataDir, { recursive: true });
               return { success: true, message: "created directory" };
             }
           });
         } else {
           try {
-            fs19.accessSync(ctx.dataDir, fs19.constants.W_OK);
+            fs20.accessSync(ctx.dataDir, fs20.constants.W_OK);
             results.push({ status: "pass", message: "Data directory exists and writable" });
           } catch {
             results.push({ status: "fail", message: "Data directory not writable" });
           }
         }
-        if (fs19.existsSync(ctx.sessionsPath)) {
+        if (fs20.existsSync(ctx.sessionsPath)) {
           try {
-            const content = fs19.readFileSync(ctx.sessionsPath, "utf-8");
+            const content = fs20.readFileSync(ctx.sessionsPath, "utf-8");
             const data = JSON.parse(content);
             if (typeof data === "object" && data !== null && "sessions" in data) {
               results.push({ status: "pass", message: "Sessions file valid" });
@@ -1732,7 +2012,7 @@ var init_storage = __esm({
                 fixable: true,
                 fixRisk: "risky",
                 fix: async () => {
-                  fs19.writeFileSync(ctx.sessionsPath, JSON.stringify({ version: 1, sessions: {} }, null, 2));
+                  fs20.writeFileSync(ctx.sessionsPath, JSON.stringify({ version: 1, sessions: {} }, null, 2));
                   return { success: true, message: "reset sessions file" };
                 }
               });
@@ -1744,7 +2024,7 @@ var init_storage = __esm({
               fixable: true,
               fixRisk: "risky",
               fix: async () => {
-                fs19.writeFileSync(ctx.sessionsPath, JSON.stringify({ version: 1, sessions: {} }, null, 2));
+                fs20.writeFileSync(ctx.sessionsPath, JSON.stringify({ version: 1, sessions: {} }, null, 2));
                 return { success: true, message: "reset sessions file" };
               }
             });
@@ -1752,20 +2032,20 @@ var init_storage = __esm({
         } else {
           results.push({ status: "pass", message: "Sessions file not present yet (created on first session)" });
         }
-        if (!fs19.existsSync(ctx.logsDir)) {
+        if (!fs20.existsSync(ctx.logsDir)) {
           results.push({
             status: "warn",
             message: "Log directory does not exist",
             fixable: true,
             fixRisk: "safe",
             fix: async () => {
-              fs19.mkdirSync(ctx.logsDir, { recursive: true });
+              fs20.mkdirSync(ctx.logsDir, { recursive: true });
               return { success: true, message: "created log directory" };
             }
           });
         } else {
           try {
-            fs19.accessSync(ctx.logsDir, fs19.constants.W_OK);
+            fs20.accessSync(ctx.logsDir, fs20.constants.W_OK);
             results.push({ status: "pass", message: "Log directory exists and writable" });
           } catch {
             results.push({ status: "fail", message: "Log directory not writable" });
@@ -1778,7 +2058,7 @@ var init_storage = __esm({
 });
 
 // src/core/doctor/checks/workspace.ts
-import * as fs20 from "fs";
+import * as fs21 from "fs";
 var workspaceCheck;
 var init_workspace = __esm({
   "src/core/doctor/checks/workspace.ts"() {
@@ -1794,20 +2074,20 @@ var init_workspace = __esm({
           return results;
         }
         const baseDir = expandHome3(ctx.config.workspace.baseDir);
-        if (!fs20.existsSync(baseDir)) {
+        if (!fs21.existsSync(baseDir)) {
           results.push({
             status: "warn",
             message: `Workspace directory does not exist: ${baseDir}`,
             fixable: true,
             fixRisk: "safe",
             fix: async () => {
-              fs20.mkdirSync(baseDir, { recursive: true });
+              fs21.mkdirSync(baseDir, { recursive: true });
               return { success: true, message: "created directory" };
             }
           });
         } else {
           try {
-            fs20.accessSync(baseDir, fs20.constants.W_OK);
+            fs21.accessSync(baseDir, fs21.constants.W_OK);
             results.push({ status: "pass", message: `Workspace directory exists: ${baseDir}` });
           } catch {
             results.push({ status: "fail", message: `Workspace directory not writable: ${baseDir}` });
@@ -1820,8 +2100,8 @@ var init_workspace = __esm({
 });
 
 // src/core/doctor/checks/plugins.ts
-import * as fs21 from "fs";
-import * as path19 from "path";
+import * as fs22 from "fs";
+import * as path21 from "path";
 var pluginsCheck;
 var init_plugins = __esm({
   "src/core/doctor/checks/plugins.ts"() {
@@ -1831,16 +2111,16 @@ var init_plugins = __esm({
       order: 6,
       async run(ctx) {
         const results = [];
-        if (!fs21.existsSync(ctx.pluginsDir)) {
+        if (!fs22.existsSync(ctx.pluginsDir)) {
           results.push({
             status: "warn",
             message: "Plugins directory does not exist",
             fixable: true,
             fixRisk: "safe",
             fix: async () => {
-              fs21.mkdirSync(ctx.pluginsDir, { recursive: true });
-              fs21.writeFileSync(
-                path19.join(ctx.pluginsDir, "package.json"),
+              fs22.mkdirSync(ctx.pluginsDir, { recursive: true });
+              fs22.writeFileSync(
+                path21.join(ctx.pluginsDir, "package.json"),
                 JSON.stringify({ name: "openacp-plugins", private: true, dependencies: {} }, null, 2)
               );
               return { success: true, message: "initialized plugins directory" };
@@ -1849,15 +2129,15 @@ var init_plugins = __esm({
           return results;
         }
         results.push({ status: "pass", message: "Plugins directory exists" });
-        const pkgPath = path19.join(ctx.pluginsDir, "package.json");
-        if (!fs21.existsSync(pkgPath)) {
+        const pkgPath = path21.join(ctx.pluginsDir, "package.json");
+        if (!fs22.existsSync(pkgPath)) {
           results.push({
             status: "warn",
             message: "Plugins package.json missing",
             fixable: true,
             fixRisk: "safe",
             fix: async () => {
-              fs21.writeFileSync(
+              fs22.writeFileSync(
                 pkgPath,
                 JSON.stringify({ name: "openacp-plugins", private: true, dependencies: {} }, null, 2)
               );
@@ -1867,7 +2147,7 @@ var init_plugins = __esm({
           return results;
         }
         try {
-          const pkg = JSON.parse(fs21.readFileSync(pkgPath, "utf-8"));
+          const pkg = JSON.parse(fs22.readFileSync(pkgPath, "utf-8"));
           const deps = pkg.dependencies || {};
           const count = Object.keys(deps).length;
           results.push({ status: "pass", message: `Plugins package.json valid (${count} plugins)` });
@@ -1878,7 +2158,7 @@ var init_plugins = __esm({
             fixable: true,
             fixRisk: "risky",
             fix: async () => {
-              fs21.writeFileSync(
+              fs22.writeFileSync(
                 pkgPath,
                 JSON.stringify({ name: "openacp-plugins", private: true, dependencies: {} }, null, 2)
               );
@@ -1893,7 +2173,7 @@ var init_plugins = __esm({
 });
 
 // src/core/doctor/checks/daemon.ts
-import * as fs22 from "fs";
+import * as fs23 from "fs";
 import * as net from "net";
 function isProcessAlive(pid) {
   try {
@@ -1923,8 +2203,8 @@ var init_daemon = __esm({
       order: 7,
       async run(ctx) {
         const results = [];
-        if (fs22.existsSync(ctx.pidPath)) {
-          const content = fs22.readFileSync(ctx.pidPath, "utf-8").trim();
+        if (fs23.existsSync(ctx.pidPath)) {
+          const content = fs23.readFileSync(ctx.pidPath, "utf-8").trim();
           const pid = parseInt(content, 10);
           if (isNaN(pid)) {
             results.push({
@@ -1933,7 +2213,7 @@ var init_daemon = __esm({
               fixable: true,
               fixRisk: "safe",
               fix: async () => {
-                fs22.unlinkSync(ctx.pidPath);
+                fs23.unlinkSync(ctx.pidPath);
                 return { success: true, message: "removed invalid PID file" };
               }
             });
@@ -1944,7 +2224,7 @@ var init_daemon = __esm({
               fixable: true,
               fixRisk: "safe",
               fix: async () => {
-                fs22.unlinkSync(ctx.pidPath);
+                fs23.unlinkSync(ctx.pidPath);
                 return { success: true, message: "removed stale PID file" };
               }
             });
@@ -1952,8 +2232,8 @@ var init_daemon = __esm({
             results.push({ status: "pass", message: `Daemon running (PID ${pid})` });
           }
         }
-        if (fs22.existsSync(ctx.portFilePath)) {
-          const content = fs22.readFileSync(ctx.portFilePath, "utf-8").trim();
+        if (fs23.existsSync(ctx.portFilePath)) {
+          const content = fs23.readFileSync(ctx.portFilePath, "utf-8").trim();
           const port = parseInt(content, 10);
           if (isNaN(port)) {
             results.push({
@@ -1962,7 +2242,7 @@ var init_daemon = __esm({
               fixable: true,
               fixRisk: "safe",
               fix: async () => {
-                fs22.unlinkSync(ctx.portFilePath);
+                fs23.unlinkSync(ctx.portFilePath);
                 return { success: true, message: "removed invalid port file" };
               }
             });
@@ -1974,8 +2254,8 @@ var init_daemon = __esm({
           const apiPort = ctx.config.api.port;
           const inUse = await checkPortInUse(apiPort);
           if (inUse) {
-            if (fs22.existsSync(ctx.pidPath)) {
-              const pid = parseInt(fs22.readFileSync(ctx.pidPath, "utf-8").trim(), 10);
+            if (fs23.existsSync(ctx.pidPath)) {
+              const pid = parseInt(fs23.readFileSync(ctx.pidPath, "utf-8").trim(), 10);
               if (!isNaN(pid) && isProcessAlive(pid)) {
                 results.push({ status: "pass", message: `API port ${apiPort} in use by OpenACP daemon` });
               } else {
@@ -1995,17 +2275,17 @@ var init_daemon = __esm({
 });
 
 // src/core/utils/install-binary.ts
-import fs23 from "fs";
-import path20 from "path";
+import fs24 from "fs";
+import path22 from "path";
 import https from "https";
 import os9 from "os";
 import { execSync } from "child_process";
 function downloadFile(url, dest) {
   return new Promise((resolve6, reject) => {
-    const file = fs23.createWriteStream(dest);
+    const file = fs24.createWriteStream(dest);
     const cleanup = () => {
       try {
-        if (fs23.existsSync(dest)) fs23.unlinkSync(dest);
+        if (fs24.existsSync(dest)) fs24.unlinkSync(dest);
       } catch {
       }
     };
@@ -2024,6 +2304,18 @@ function downloadFile(url, dest) {
         });
         return;
       }
+      let totalBytes = 0;
+      const request = response;
+      response.on("data", (chunk) => {
+        totalBytes += chunk.length;
+        if (totalBytes > MAX_DOWNLOAD_SIZE) {
+          request.destroy();
+          file.close(() => {
+            cleanup();
+            reject(new Error(`Download exceeds size limit of ${MAX_DOWNLOAD_SIZE} bytes`));
+          });
+        }
+      });
       response.pipe(file);
       file.on("finish", () => file.close(() => resolve6(dest)));
       file.on("error", (err) => {
@@ -2052,34 +2344,36 @@ function getDownloadUrl(spec) {
 async function ensureBinary(spec, binDir) {
   const resolvedBinDir = binDir ?? DEFAULT_BIN_DIR;
   const binName = IS_WINDOWS ? `${spec.name}.exe` : spec.name;
-  const binPath = path20.join(resolvedBinDir, binName);
+  const binPath = path22.join(resolvedBinDir, binName);
   if (commandExists(spec.name)) {
     log17.debug({ name: spec.name }, "Found in PATH");
     return spec.name;
   }
-  if (fs23.existsSync(binPath)) {
-    if (!IS_WINDOWS) fs23.chmodSync(binPath, "755");
+  if (fs24.existsSync(binPath)) {
+    if (!IS_WINDOWS) fs24.chmodSync(binPath, "755");
     log17.debug({ name: spec.name, path: binPath }, "Found in ~/.openacp/bin");
     return binPath;
   }
   log17.info({ name: spec.name }, "Not found, downloading from GitHub...");
-  fs23.mkdirSync(resolvedBinDir, { recursive: true });
+  fs24.mkdirSync(resolvedBinDir, { recursive: true });
   const url = getDownloadUrl(spec);
   const isArchive = spec.isArchive?.(url) ?? false;
-  const downloadDest = isArchive ? path20.join(resolvedBinDir, `${spec.name}.tgz`) : binPath;
+  const downloadDest = isArchive ? path22.join(resolvedBinDir, `${spec.name}.tgz`) : binPath;
   await downloadFile(url, downloadDest);
   if (isArchive) {
+    const listing = execSync(`tar -tf "${downloadDest}"`, { stdio: "pipe" }).toString().trim().split("\n").filter(Boolean);
+    validateTarContents(listing, resolvedBinDir);
     execSync(`tar -xzf "${downloadDest}" -C "${resolvedBinDir}"`, { stdio: "pipe" });
     try {
-      fs23.unlinkSync(downloadDest);
+      fs24.unlinkSync(downloadDest);
     } catch {
     }
   }
-  if (!fs23.existsSync(binPath)) {
+  if (!fs24.existsSync(binPath)) {
     throw new Error(`${spec.name}: binary not found at ${binPath} after download/extraction. The archive structure may have changed.`);
   }
   if (!IS_WINDOWS) {
-    fs23.chmodSync(binPath, "755");
+    fs24.chmodSync(binPath, "755");
   }
   log17.info({ name: spec.name, path: binPath }, "Installed successfully");
   return binPath;
@@ -2090,8 +2384,9 @@ var init_install_binary = __esm({
     "use strict";
     init_log();
     init_agent_dependencies();
+    init_agent_installer();
     log17 = createChildLogger({ module: "binary-installer" });
-    DEFAULT_BIN_DIR = path20.join(os9.homedir(), ".openacp", "bin");
+    DEFAULT_BIN_DIR = path22.join(os9.homedir(), ".openacp", "bin");
     IS_WINDOWS = os9.platform() === "win32";
   }
 });
@@ -2132,8 +2427,8 @@ var init_install_cloudflared = __esm({
 });
 
 // src/core/doctor/checks/tunnel.ts
-import * as fs24 from "fs";
-import * as path21 from "path";
+import * as fs25 from "fs";
+import * as path23 from "path";
 import * as os10 from "os";
 import { execFileSync as execFileSync4 } from "child_process";
 var tunnelCheck;
@@ -2157,9 +2452,9 @@ var init_tunnel = __esm({
         results.push({ status: "pass", message: `Tunnel provider: ${provider}` });
         if (provider === "cloudflare") {
           const binName = os10.platform() === "win32" ? "cloudflared.exe" : "cloudflared";
-          const binPath = path21.join(ctx.dataDir, "bin", binName);
+          const binPath = path23.join(ctx.dataDir, "bin", binName);
           let found = false;
-          if (fs24.existsSync(binPath)) {
+          if (fs25.existsSync(binPath)) {
             found = true;
           } else {
             try {
@@ -2201,8 +2496,8 @@ var init_tunnel = __esm({
 });
 
 // src/core/doctor/index.ts
-import * as fs25 from "fs";
-import * as path22 from "path";
+import * as fs26 from "fs";
+import * as path24 from "path";
 var ALL_CHECKS, CHECK_TIMEOUT_MS, DoctorEngine;
 var init_doctor = __esm({
   "src/core/doctor/index.ts"() {
@@ -2284,27 +2579,27 @@ var init_doctor = __esm({
       }
       async buildContext() {
         const dataDir = this.dataDir;
-        const configPath = process.env.OPENACP_CONFIG_PATH || path22.join(dataDir, "config.json");
+        const configPath = process.env.OPENACP_CONFIG_PATH || path24.join(dataDir, "config.json");
         let config = null;
         let rawConfig = null;
         try {
-          const content = fs25.readFileSync(configPath, "utf-8");
+          const content = fs26.readFileSync(configPath, "utf-8");
           rawConfig = JSON.parse(content);
           const cm = new ConfigManager(configPath);
           await cm.load();
           config = cm.get();
         } catch {
         }
-        const logsDir = config ? expandHome3(config.logging.logDir) : path22.join(dataDir, "logs");
+        const logsDir = config ? expandHome3(config.logging.logDir) : path24.join(dataDir, "logs");
         return {
           config,
           rawConfig,
           configPath,
           dataDir,
-          sessionsPath: path22.join(dataDir, "sessions.json"),
-          pidPath: path22.join(dataDir, "openacp.pid"),
-          portFilePath: path22.join(dataDir, "api.port"),
-          pluginsDir: path22.join(dataDir, "plugins"),
+          sessionsPath: path24.join(dataDir, "sessions.json"),
+          pidPath: path24.join(dataDir, "openacp.pid"),
+          portFilePath: path24.join(dataDir, "api.port"),
+          pluginsDir: path24.join(dataDir, "plugins"),
           logsDir
         };
       }
@@ -2409,16 +2704,16 @@ __export(plugin_installer_exports, {
 });
 import { exec } from "child_process";
 import { promisify } from "util";
-import * as fs27 from "fs/promises";
+import * as fs28 from "fs/promises";
 import * as os12 from "os";
-import * as path24 from "path";
+import * as path26 from "path";
 import { pathToFileURL } from "url";
 async function importFromDir(packageName, dir) {
-  const pkgDir = path24.join(dir, "node_modules", ...packageName.split("/"));
-  const pkgJsonPath = path24.join(pkgDir, "package.json");
+  const pkgDir = path26.join(dir, "node_modules", ...packageName.split("/"));
+  const pkgJsonPath = path26.join(pkgDir, "package.json");
   let pkgJson;
   try {
-    pkgJson = JSON.parse(await fs27.readFile(pkgJsonPath, "utf-8"));
+    pkgJson = JSON.parse(await fs28.readFile(pkgJsonPath, "utf-8"));
   } catch (err) {
     throw new Error(`Cannot read package.json for "${packageName}" at ${pkgJsonPath}: ${err.message}`);
   }
@@ -2431,9 +2726,9 @@ async function importFromDir(packageName, dir) {
   } else {
     entry = pkgJson.main ?? "index.js";
   }
-  const entryPath = path24.join(pkgDir, entry);
+  const entryPath = path26.join(pkgDir, entry);
   try {
-    await fs27.access(entryPath);
+    await fs28.access(entryPath);
   } catch {
     throw new Error(`Entry point "${entry}" not found for "${packageName}" at ${entryPath}`);
   }
@@ -2443,12 +2738,12 @@ async function installNpmPlugin(packageName, pluginsDir) {
   if (!VALID_NPM_NAME.test(packageName)) {
     throw new Error(`Invalid package name: "${packageName}". Must be a valid npm package name.`);
   }
-  const dir = pluginsDir ?? path24.join(os12.homedir(), ".openacp", "plugins");
+  const dir = pluginsDir ?? path26.join(os12.homedir(), ".openacp", "plugins");
   try {
     return await importFromDir(packageName, dir);
   } catch {
   }
-  await execAsync(`npm install ${packageName} --prefix "${dir}" --save`, {
+  await execAsync(`npm install ${packageName} --prefix "${dir}" --save --ignore-scripts`, {
     timeout: 6e4
   });
   return await importFromDir(packageName, dir);
@@ -2525,10 +2820,10 @@ var install_context_exports = {};
 __export(install_context_exports, {
   createInstallContext: () => createInstallContext
 });
-import path25 from "path";
+import path27 from "path";
 function createInstallContext(opts) {
   const { pluginName, settingsManager, basePath, legacyConfig, instanceRoot } = opts;
-  const dataDir = path25.join(basePath, pluginName, "data");
+  const dataDir = path27.join(basePath, pluginName, "data");
   return {
     pluginName,
     terminal: createTerminalIO(),
@@ -2555,19 +2850,19 @@ __export(api_client_exports, {
   readApiSecret: () => readApiSecret,
   removeStalePortFile: () => removeStalePortFile
 });
-import * as fs28 from "fs";
-import * as path26 from "path";
+import * as fs29 from "fs";
+import * as path28 from "path";
 import * as os13 from "os";
 function defaultPortFile(root) {
-  return path26.join(root ?? DEFAULT_ROOT, "api.port");
+  return path28.join(root ?? DEFAULT_ROOT, "api.port");
 }
 function defaultSecretFile(root) {
-  return path26.join(root ?? DEFAULT_ROOT, "api-secret");
+  return path28.join(root ?? DEFAULT_ROOT, "api-secret");
 }
 function readApiPort(portFilePath, instanceRoot) {
   const filePath = portFilePath ?? defaultPortFile(instanceRoot);
   try {
-    const content = fs28.readFileSync(filePath, "utf-8").trim();
+    const content = fs29.readFileSync(filePath, "utf-8").trim();
     const port = parseInt(content, 10);
     return isNaN(port) ? null : port;
   } catch {
@@ -2577,7 +2872,7 @@ function readApiPort(portFilePath, instanceRoot) {
 function readApiSecret(secretFilePath, instanceRoot) {
   const filePath = secretFilePath ?? defaultSecretFile(instanceRoot);
   try {
-    const content = fs28.readFileSync(filePath, "utf-8").trim();
+    const content = fs29.readFileSync(filePath, "utf-8").trim();
     return content || null;
   } catch {
     return null;
@@ -2586,7 +2881,7 @@ function readApiSecret(secretFilePath, instanceRoot) {
 function removeStalePortFile(portFilePath, instanceRoot) {
   const filePath = portFilePath ?? defaultPortFile(instanceRoot);
   try {
-    fs28.unlinkSync(filePath);
+    fs29.unlinkSync(filePath);
   } catch {
   }
 }
@@ -2602,7 +2897,7 @@ var DEFAULT_ROOT;
 var init_api_client = __esm({
   "src/cli/api-client.ts"() {
     "use strict";
-    DEFAULT_ROOT = path26.join(os13.homedir(), ".openacp");
+    DEFAULT_ROOT = path28.join(os13.homedir(), ".openacp");
   }
 });
 
@@ -2636,8 +2931,8 @@ var init_notification = __esm({
 });
 
 // src/plugins/file-service/file-service.ts
-import fs30 from "fs";
-import path29 from "path";
+import fs31 from "fs";
+import path31 from "path";
 import { OggOpusDecoder } from "ogg-opus-decoder";
 import wav from "node-wav";
 function classifyMime(mimeType) {
@@ -2693,14 +2988,14 @@ var init_file_service = __esm({
         const cutoff = Date.now() - maxAgeDays * 24 * 60 * 60 * 1e3;
         let removed = 0;
         try {
-          const entries = await fs30.promises.readdir(this.baseDir, { withFileTypes: true });
+          const entries = await fs31.promises.readdir(this.baseDir, { withFileTypes: true });
           for (const entry of entries) {
             if (!entry.isDirectory()) continue;
-            const dirPath = path29.join(this.baseDir, entry.name);
+            const dirPath = path31.join(this.baseDir, entry.name);
             try {
-              const stat = await fs30.promises.stat(dirPath);
+              const stat = await fs31.promises.stat(dirPath);
               if (stat.mtimeMs < cutoff) {
-                await fs30.promises.rm(dirPath, { recursive: true, force: true });
+                await fs31.promises.rm(dirPath, { recursive: true, force: true });
                 removed++;
               }
             } catch {
@@ -2711,11 +3006,11 @@ var init_file_service = __esm({
         return removed;
       }
       async saveFile(sessionId, fileName, data, mimeType) {
-        const sessionDir = path29.join(this.baseDir, sessionId);
-        await fs30.promises.mkdir(sessionDir, { recursive: true });
+        const sessionDir = path31.join(this.baseDir, sessionId);
+        await fs31.promises.mkdir(sessionDir, { recursive: true });
         const safeName = `${Date.now()}-${fileName.replace(/[^a-zA-Z0-9._-]/g, "_")}`;
-        const filePath = path29.join(sessionDir, safeName);
-        await fs30.promises.writeFile(filePath, data);
+        const filePath = path31.join(sessionDir, safeName);
+        await fs31.promises.writeFile(filePath, data);
         return {
           type: classifyMime(mimeType),
           filePath,
@@ -2726,14 +3021,14 @@ var init_file_service = __esm({
       }
       async resolveFile(filePath) {
         try {
-          const stat = await fs30.promises.stat(filePath);
+          const stat = await fs31.promises.stat(filePath);
           if (!stat.isFile()) return null;
-          const ext = path29.extname(filePath).toLowerCase();
+          const ext = path31.extname(filePath).toLowerCase();
           const mimeType = EXT_TO_MIME[ext] || "application/octet-stream";
           return {
             type: classifyMime(mimeType),
             filePath,
-            fileName: path29.basename(filePath),
+            fileName: path31.basename(filePath),
             mimeType,
             size: stat.size
           };
@@ -2966,6 +3261,12 @@ function createAuthPreHandler(getSecret, getJwtSecret, tokenStore) {
     const authHeader = request.headers.authorization;
     const queryToken = request.query?.token;
     const token = authHeader?.startsWith("Bearer ") ? authHeader.slice(7) : queryToken;
+    if (queryToken && !authHeader) {
+      log20.warn(
+        { url: request.url.replace(/([?&]token=)[^&]+/, "$1[REDACTED]") },
+        "Token passed via URL query param \u2014 use Authorization: Bearer header to avoid token leakage in tunnel/proxy logs"
+      );
+    }
     if (!token) {
       throw new AuthError("UNAUTHORIZED", "Missing authentication token");
     }
@@ -3015,12 +3316,15 @@ function requireRole(role) {
     }
   };
 }
+var log20;
 var init_auth = __esm({
   "src/plugins/api-server/middleware/auth.ts"() {
     "use strict";
     init_error_handler();
     init_jwt();
     init_roles();
+    init_log();
+    log20 = createChildLogger({ module: "api-auth" });
   }
 });
 
@@ -3038,7 +3342,6 @@ async function createApiServer(options) {
     const origin = request.headers.origin;
     if (origin) {
       reply.header("Access-Control-Allow-Origin", origin);
-      reply.header("Access-Control-Allow-Credentials", "true");
     }
     if (request.method === "OPTIONS") {
       reply.header("Access-Control-Allow-Methods", "GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS");
@@ -3046,7 +3349,25 @@ async function createApiServer(options) {
       reply.status(204).send();
     }
   });
-  await app.register(fastifyRateLimit, { max: 100, timeWindow: "1 minute" });
+  await app.register(fastifyRateLimit, {
+    max: 100,
+    timeWindow: "1 minute",
+    // When the server is reachable through a tunnel (Cloudflare, ngrok, etc.) all
+    // requests arrive from the same tunnel-proxy IP address.  Use the real client IP
+    // from well-known forwarded headers so rate limits are enforced per-caller, not
+    // per-tunnel.  Only the first value in X-Forwarded-For is taken (the client); the
+    // rest may be added by intermediate proxies and must not be trusted for limiting.
+    keyGenerator: (request) => {
+      const cfIp = request.headers["cf-connecting-ip"];
+      if (cfIp && typeof cfIp === "string") return cfIp;
+      const xff = request.headers["x-forwarded-for"];
+      if (xff) {
+        const first = (Array.isArray(xff) ? xff[0] : xff).split(",")[0]?.trim();
+        if (first) return first;
+      }
+      return request.ip;
+    }
+  });
   await app.register(fastifySwagger, {
     openapi: {
       info: { title: "OpenACP API", version: "1.0.0" },
@@ -3131,10 +3452,11 @@ var init_service = __esm({
 });
 
 // src/plugins/api-server/sse-manager.ts
-var SSEManager;
+var MAX_SSE_CONNECTIONS, SSEManager;
 var init_sse_manager = __esm({
   "src/plugins/api-server/sse-manager.ts"() {
     "use strict";
+    MAX_SSE_CONNECTIONS = 50;
     SSEManager = class {
       constructor(eventBus, getSessionStats, startedAt) {
         this.eventBus = eventBus;
@@ -3176,6 +3498,11 @@ var init_sse_manager = __esm({
         }, 15e3);
       }
       handleRequest(req, res) {
+        if (this.sseConnections.size >= MAX_SSE_CONNECTIONS) {
+          res.writeHead(503, { "Content-Type": "application/json" });
+          res.end(JSON.stringify({ error: "Too many SSE connections" }));
+          return;
+        }
         const parsedUrl = new URL(req.url || "", "http://localhost");
         const sessionFilter = parsedUrl.searchParams.get("sessionId");
         console.log(`[sse] +connection total=${this.sseConnections.size + 1}`);
@@ -3189,7 +3516,6 @@ var init_sse_manager = __esm({
         };
         if (origin) {
           corsHeaders["Access-Control-Allow-Origin"] = origin;
-          corsHeaders["Access-Control-Allow-Credentials"] = "true";
         }
         res.socket?.setNoDelay(true);
         res.writeHead(200, corsHeaders);
@@ -3256,8 +3582,8 @@ data: ${JSON.stringify(data)}
 });
 
 // src/plugins/api-server/static-server.ts
-import * as fs31 from "fs";
-import * as path30 from "path";
+import * as fs32 from "fs";
+import * as path32 from "path";
 import { fileURLToPath } from "url";
 var MIME_TYPES, StaticServer;
 var init_static_server = __esm({
@@ -3281,16 +3607,16 @@ var init_static_server = __esm({
         this.uiDir = uiDir;
         if (!this.uiDir) {
           const __filename = fileURLToPath(import.meta.url);
-          const candidate = path30.resolve(path30.dirname(__filename), "../../ui/dist");
-          if (fs31.existsSync(path30.join(candidate, "index.html"))) {
+          const candidate = path32.resolve(path32.dirname(__filename), "../../ui/dist");
+          if (fs32.existsSync(path32.join(candidate, "index.html"))) {
             this.uiDir = candidate;
           }
           if (!this.uiDir) {
-            const publishCandidate = path30.resolve(
-              path30.dirname(__filename),
+            const publishCandidate = path32.resolve(
+              path32.dirname(__filename),
               "../ui"
             );
-            if (fs31.existsSync(path30.join(publishCandidate, "index.html"))) {
+            if (fs32.existsSync(path32.join(publishCandidate, "index.html"))) {
               this.uiDir = publishCandidate;
             }
           }
@@ -3302,12 +3628,23 @@ var init_static_server = __esm({
       serve(req, res) {
         if (!this.uiDir) return false;
         const urlPath = (req.url || "/").split("?")[0];
-        const safePath = path30.normalize(urlPath);
-        const filePath = path30.join(this.uiDir, safePath);
-        if (!filePath.startsWith(this.uiDir + path30.sep) && filePath !== this.uiDir)
+        const safePath = path32.normalize(urlPath);
+        const filePath = path32.join(this.uiDir, safePath);
+        if (!filePath.startsWith(this.uiDir + path32.sep) && filePath !== this.uiDir)
           return false;
-        if (fs31.existsSync(filePath) && fs31.statSync(filePath).isFile()) {
-          const ext = path30.extname(filePath);
+        let realFilePath;
+        try {
+          realFilePath = fs32.realpathSync(filePath);
+        } catch {
+          realFilePath = null;
+        }
+        if (realFilePath !== null) {
+          const realUiDir = fs32.realpathSync(this.uiDir);
+          if (!realFilePath.startsWith(realUiDir + path32.sep) && realFilePath !== realUiDir)
+            return false;
+        }
+        if (realFilePath !== null && fs32.existsSync(realFilePath) && fs32.statSync(realFilePath).isFile()) {
+          const ext = path32.extname(filePath);
           const contentType = MIME_TYPES[ext] ?? "application/octet-stream";
           const isHashed = /\.[a-zA-Z0-9]{8,}\.(js|css)$/.test(filePath);
           const cacheControl = isHashed ? "public, max-age=31536000, immutable" : "no-cache";
@@ -3315,16 +3652,16 @@ var init_static_server = __esm({
             "Content-Type": contentType,
             "Cache-Control": cacheControl
           });
-          fs31.createReadStream(filePath).pipe(res);
+          fs32.createReadStream(realFilePath).pipe(res);
           return true;
         }
-        const indexPath = path30.join(this.uiDir, "index.html");
-        if (fs31.existsSync(indexPath)) {
+        const indexPath = path32.join(this.uiDir, "index.html");
+        if (fs32.existsSync(indexPath)) {
           res.writeHead(200, {
             "Content-Type": "text/html; charset=utf-8",
             "Cache-Control": "no-cache"
           });
-          fs31.createReadStream(indexPath).pipe(res);
+          fs32.createReadStream(indexPath).pipe(res);
           return true;
         }
         return false;
@@ -3479,9 +3816,9 @@ var init_exports = __esm({
 });
 
 // src/plugins/context/context-cache.ts
-import * as fs32 from "fs";
-import * as path31 from "path";
-import * as crypto from "crypto";
+import * as fs33 from "fs";
+import * as path33 from "path";
+import * as crypto2 from "crypto";
 var DEFAULT_TTL_MS, ContextCache;
 var init_context_cache = __esm({
   "src/plugins/context/context-cache.ts"() {
@@ -3491,29 +3828,29 @@ var init_context_cache = __esm({
       constructor(cacheDir, ttlMs = DEFAULT_TTL_MS) {
         this.cacheDir = cacheDir;
         this.ttlMs = ttlMs;
-        fs32.mkdirSync(cacheDir, { recursive: true });
+        fs33.mkdirSync(cacheDir, { recursive: true });
       }
       keyHash(repoPath, queryKey) {
-        return crypto.createHash("sha256").update(`${repoPath}:${queryKey}`).digest("hex").slice(0, 16);
+        return crypto2.createHash("sha256").update(`${repoPath}:${queryKey}`).digest("hex").slice(0, 16);
       }
       filePath(repoPath, queryKey) {
-        return path31.join(this.cacheDir, `${this.keyHash(repoPath, queryKey)}.json`);
+        return path33.join(this.cacheDir, `${this.keyHash(repoPath, queryKey)}.json`);
       }
       get(repoPath, queryKey) {
         const fp = this.filePath(repoPath, queryKey);
         try {
-          const stat = fs32.statSync(fp);
+          const stat = fs33.statSync(fp);
           if (Date.now() - stat.mtimeMs > this.ttlMs) {
-            fs32.unlinkSync(fp);
+            fs33.unlinkSync(fp);
             return null;
           }
-          return JSON.parse(fs32.readFileSync(fp, "utf-8"));
+          return JSON.parse(fs33.readFileSync(fp, "utf-8"));
         } catch {
           return null;
         }
       }
       set(repoPath, queryKey, result) {
-        fs32.writeFileSync(this.filePath(repoPath, queryKey), JSON.stringify(result));
+        fs33.writeFileSync(this.filePath(repoPath, queryKey), JSON.stringify(result));
       }
     };
   }
@@ -3521,7 +3858,7 @@ var init_context_cache = __esm({
 
 // src/plugins/context/context-manager.ts
 import * as os15 from "os";
-import * as path32 from "path";
+import * as path34 from "path";
 var ContextManager;
 var init_context_manager = __esm({
   "src/plugins/context/context-manager.ts"() {
@@ -3532,7 +3869,7 @@ var init_context_manager = __esm({
       cache;
       historyStore;
       constructor(cachePath) {
-        this.cache = new ContextCache(cachePath ?? path32.join(os15.homedir(), ".openacp", "cache", "entire"));
+        this.cache = new ContextCache(cachePath ?? path34.join(os15.homedir(), ".openacp", "cache", "entire"));
       }
       setHistoryStore(store) {
         this.historyStore = store;
@@ -4433,8 +4770,8 @@ function formatToolSummary(name, rawInput, displaySummary) {
   }
   if (lowerName === "grep") {
     const pattern = args.pattern ?? "";
-    const path33 = args.path ?? "";
-    return pattern ? `\u{1F50D} Grep "${pattern}"${path33 ? ` in ${path33}` : ""}` : `\u{1F527} ${name}`;
+    const path35 = args.path ?? "";
+    return pattern ? `\u{1F50D} Grep "${pattern}"${path35 ? ` in ${path35}` : ""}` : `\u{1F527} ${name}`;
   }
   if (lowerName === "glob") {
     const pattern = args.pattern ?? "";
@@ -4470,8 +4807,8 @@ function formatToolTitle(name, rawInput, displayTitle) {
   }
   if (lowerName === "grep") {
     const pattern = args.pattern ?? "";
-    const path33 = args.path ?? "";
-    return pattern ? `"${pattern}"${path33 ? ` in ${path33}` : ""}` : name;
+    const path35 = args.path ?? "";
+    return pattern ? `"${pattern}"${path35 ? ` in ${path35}` : ""}` : name;
   }
   if (lowerName === "glob") {
     return String(args.pattern ?? name);
@@ -5735,7 +6072,7 @@ function setupDangerousModeCallbacks(bot, core) {
         }).catch(() => {
         });
       }
-      log21.info({ sessionId, wantOn }, "Bypass permissions toggled via button");
+      log22.info({ sessionId, wantOn }, "Bypass permissions toggled via button");
       try {
         await ctx.editMessageText(buildSessionStatusText(session), {
           parse_mode: "HTML",
@@ -5758,7 +6095,7 @@ function setupDangerousModeCallbacks(bot, core) {
     const newDangerousMode = !(record.clientOverrides?.bypassPermissions ?? record.dangerousMode ?? false);
     core.sessionManager.patchRecord(sessionId, { clientOverrides: { bypassPermissions: newDangerousMode } }).catch(() => {
     });
-    log21.info(
+    log22.info(
       { sessionId, dangerousMode: newDangerousMode },
       "Bypass permissions toggled via button (store-only, session not in memory)"
     );
@@ -5943,14 +6280,14 @@ async function handleRestart(ctx, core) {
   await new Promise((r) => setTimeout(r, 500));
   await core.requestRestart();
 }
-var log21, OUTPUT_MODE_LABELS;
+var log22, OUTPUT_MODE_LABELS;
 var init_admin = __esm({
   "src/plugins/telegram/commands/admin.ts"() {
     "use strict";
     init_bypass_detection();
     init_formatting();
     init_log();
-    log21 = createChildLogger({ module: "telegram-cmd-admin" });
+    log22 = createChildLogger({ module: "telegram-cmd-admin" });
     OUTPUT_MODE_LABELS = {
       low: "\u{1F507} Low",
       medium: "\u{1F4CA} Medium",
@@ -5965,7 +6302,7 @@ function botFromCtx(ctx) {
   return { api: ctx.api };
 }
 async function createSessionDirect(ctx, core, chatId, agentName, workspace, onControlMessage) {
-  log22.info({ userId: ctx.from?.id, agentName, workspace }, "New session command (direct)");
+  log23.info({ userId: ctx.from?.id, agentName, workspace }, "New session command (direct)");
   let threadId;
   try {
     const topicName = `\u{1F504} New Session`;
@@ -5994,7 +6331,7 @@ async function createSessionDirect(ctx, core, chatId, agentName, workspace, onCo
     onControlMessage?.(session.id, controlMsg.message_id);
     return threadId ?? null;
   } catch (err) {
-    log22.error({ err }, "Session creation failed");
+    log23.error({ err }, "Session creation failed");
     if (threadId) {
       try {
         await ctx.api.deleteForumTopic(chatId, threadId);
@@ -6184,7 +6521,7 @@ Agent: <code>${escapeHtml(agentKey)}</code>
     }
   });
 }
-var log22, WS_CACHE_MAX, workspaceCache, nextWsId;
+var log23, WS_CACHE_MAX, workspaceCache, nextWsId;
 var init_new_session = __esm({
   "src/plugins/telegram/commands/new-session.ts"() {
     "use strict";
@@ -6192,7 +6529,7 @@ var init_new_session = __esm({
     init_topics();
     init_log();
     init_admin();
-    log22 = createChildLogger({ module: "telegram-cmd-new-session" });
+    log23 = createChildLogger({ module: "telegram-cmd-new-session" });
     WS_CACHE_MAX = 50;
     workspaceCache = /* @__PURE__ */ new Map();
     nextWsId = 0;
@@ -6256,7 +6593,7 @@ ${lines.join("\n")}${truncated}`,
       { parse_mode: "HTML", reply_markup: keyboard }
     );
   } catch (err) {
-    log23.error({ err }, "handleTopics error");
+    log24.error({ err }, "handleTopics error");
     await ctx.reply("\u274C Failed to list sessions.", { parse_mode: "HTML" }).catch(() => {
     });
   }
@@ -6277,13 +6614,13 @@ async function handleCleanup(ctx, core, chatId, statuses) {
         try {
           await ctx.api.deleteForumTopic(chatId, topicId);
         } catch (err) {
-          log23.warn({ err, sessionId: record.sessionId, topicId }, "Failed to delete forum topic during cleanup");
+          log24.warn({ err, sessionId: record.sessionId, topicId }, "Failed to delete forum topic during cleanup");
         }
       }
       await core.sessionManager.removeRecord(record.sessionId);
       deleted++;
     } catch (err) {
-      log23.error({ err, sessionId: record.sessionId }, "Failed to cleanup session");
+      log24.error({ err, sessionId: record.sessionId }, "Failed to cleanup session");
       failed++;
     }
   }
@@ -6354,7 +6691,7 @@ async function handleCleanupEverythingConfirmed(ctx, core, chatId, systemTopicId
         try {
           await core.sessionManager.cancelSession(record.sessionId);
         } catch (err) {
-          log23.warn({ err, sessionId: record.sessionId }, "Failed to cancel session during cleanup");
+          log24.warn({ err, sessionId: record.sessionId }, "Failed to cancel session during cleanup");
         }
       }
       const topicId = record.platform?.topicId;
@@ -6362,13 +6699,13 @@ async function handleCleanupEverythingConfirmed(ctx, core, chatId, systemTopicId
         try {
           await ctx.api.deleteForumTopic(chatId, topicId);
         } catch (err) {
-          log23.warn({ err, sessionId: record.sessionId, topicId }, "Failed to delete forum topic during cleanup");
+          log24.warn({ err, sessionId: record.sessionId, topicId }, "Failed to delete forum topic during cleanup");
         }
       }
       await core.sessionManager.removeRecord(record.sessionId);
       deleted++;
     } catch (err) {
-      log23.error({ err, sessionId: record.sessionId }, "Failed to cleanup session");
+      log24.error({ err, sessionId: record.sessionId }, "Failed to cleanup session");
       failed++;
     }
   }
@@ -6436,13 +6773,13 @@ async function handleArchiveConfirm(ctx, core, chatId) {
     }
   }
 }
-var log23;
+var log24;
 var init_session = __esm({
   "src/plugins/telegram/commands/session.ts"() {
     "use strict";
     init_formatting();
     init_log();
-    log23 = createChildLogger({ module: "telegram-cmd-session" });
+    log24 = createChildLogger({ module: "telegram-cmd-session" });
   }
 });
 
@@ -7085,7 +7422,7 @@ var init_agents2 = __esm({
 // src/plugins/telegram/commands/resume.ts
 function setupResumeCallbacks(_bot, _core, _chatId, _onControlMessage) {
 }
-var log24;
+var log25;
 var init_resume = __esm({
   "src/plugins/telegram/commands/resume.ts"() {
     "use strict";
@@ -7095,7 +7432,7 @@ var init_resume = __esm({
     init_topics();
     init_admin();
     init_log();
-    log24 = createChildLogger({ module: "telegram-cmd-resume" });
+    log25 = createChildLogger({ module: "telegram-cmd-resume" });
   }
 });
 
@@ -7280,7 +7617,7 @@ function setupSettingsCallbacks(bot, core, getAssistantSession) {
       } catch {
       }
     } catch (err) {
-      log25.error({ err, fieldPath }, "Failed to toggle config");
+      log26.error({ err, fieldPath }, "Failed to toggle config");
       try {
         await ctx.answerCallbackQuery({ text: "\u274C Failed to update" });
       } catch {
@@ -7363,7 +7700,7 @@ Tap to change:`, {
       } catch {
       }
     } catch (err) {
-      log25.error({ err, fieldPath }, "Failed to set config");
+      log26.error({ err, fieldPath }, "Failed to set config");
       try {
         await ctx.answerCallbackQuery({ text: "\u274C Failed to update" });
       } catch {
@@ -7421,13 +7758,13 @@ Tap to change:`, {
     }
   });
 }
-var log25;
+var log26;
 var init_settings = __esm({
   "src/plugins/telegram/commands/settings.ts"() {
     "use strict";
     init_config_registry();
     init_log();
-    log25 = createChildLogger({ module: "telegram-settings" });
+    log26 = createChildLogger({ module: "telegram-settings" });
   }
 });
 
@@ -7474,7 +7811,7 @@ async function handleDoctor(ctx) {
       reply_markup: keyboard
     });
   } catch (err) {
-    log26.error({ err }, "Doctor command failed");
+    log27.error({ err }, "Doctor command failed");
     await ctx.api.editMessageText(
       ctx.chat.id,
       statusMsg.message_id,
@@ -7523,7 +7860,7 @@ function setupDoctorCallbacks(bot) {
         }
       }
     } catch (err) {
-      log26.error({ err, index }, "Doctor fix callback failed");
+      log27.error({ err, index }, "Doctor fix callback failed");
     }
   });
   bot.callbackQuery("m:doctor", async (ctx) => {
@@ -7534,13 +7871,13 @@ function setupDoctorCallbacks(bot) {
     await handleDoctor(ctx);
   });
 }
-var log26, pendingFixesStore;
+var log27, pendingFixesStore;
 var init_doctor2 = __esm({
   "src/plugins/telegram/commands/doctor.ts"() {
     "use strict";
     init_doctor();
     init_log();
-    log26 = createChildLogger({ module: "telegram-cmd-doctor" });
+    log27 = createChildLogger({ module: "telegram-cmd-doctor" });
     pendingFixesStore = /* @__PURE__ */ new Map();
   }
 });
@@ -7599,13 +7936,13 @@ function setupTunnelCallbacks(bot, core) {
     }
   });
 }
-var log27;
+var log28;
 var init_tunnel2 = __esm({
   "src/plugins/telegram/commands/tunnel.ts"() {
     "use strict";
     init_formatting();
     init_log();
-    log27 = createChildLogger({ module: "telegram-cmd-tunnel" });
+    log28 = createChildLogger({ module: "telegram-cmd-tunnel" });
   }
 });
 
@@ -7619,10 +7956,10 @@ async function executeSwitchAgent(ctx, core, sessionId, agentName) {
       `Switched to <b>${escapeHtml(agentName)}</b> (${status})`,
       { parse_mode: "HTML" }
     );
-    log28.info({ sessionId, agentName, resumed }, "Agent switched via /switch");
+    log29.info({ sessionId, agentName, resumed }, "Agent switched via /switch");
   } catch (err) {
     await ctx.reply(`Failed to switch agent: ${escapeHtml(String(err.message || err))}`);
-    log28.warn({ sessionId, agentName, err: err.message }, "Agent switch failed");
+    log29.warn({ sessionId, agentName, err: err.message }, "Agent switch failed");
   }
 }
 function setupSwitchCallbacks(bot, core) {
@@ -7667,13 +8004,13 @@ Switch to <b>${escapeHtml(agentName)}</b> anyway?`,
     await executeSwitchAgent(ctx, core, session.id, data);
   });
 }
-var log28;
+var log29;
 var init_switch = __esm({
   "src/plugins/telegram/commands/switch.ts"() {
     "use strict";
     init_formatting();
     init_log();
-    log28 = createChildLogger({ module: "telegram-cmd-switch" });
+    log29 = createChildLogger({ module: "telegram-cmd-switch" });
   }
 });
 
@@ -8028,14 +8365,14 @@ var init_commands = __esm({
 // src/plugins/telegram/permissions.ts
 import { InlineKeyboard as InlineKeyboard11 } from "grammy";
 import { nanoid as nanoid2 } from "nanoid";
-var log29, PermissionHandler;
+var log30, PermissionHandler;
 var init_permissions = __esm({
   "src/plugins/telegram/permissions.ts"() {
     "use strict";
     init_formatting();
     init_topics();
     init_log();
-    log29 = createChildLogger({ module: "telegram-permissions" });
+    log30 = createChildLogger({ module: "telegram-permissions" });
     PermissionHandler = class {
       constructor(bot, chatId, getSession, sendNotification) {
         this.bot = bot;
@@ -8095,7 +8432,7 @@ ${escapeHtml(request.description)}`,
           }
           const session = this.getSession(pending.sessionId);
           const isAllow = pending.options.find((o) => o.id === optionId)?.isAllow ?? false;
-          log29.info({ requestId: pending.requestId, optionId, isAllow }, "Permission responded");
+          log30.info({ requestId: pending.requestId, optionId, isAllow }, "Permission responded");
           if (session?.permissionGate.requestId === pending.requestId) {
             session.permissionGate.resolve(optionId);
           }
@@ -8115,7 +8452,7 @@ ${escapeHtml(request.description)}`,
 });
 
 // src/plugins/telegram/activity.ts
-var log30, THINKING_REFRESH_MS, THINKING_MAX_MS, ThinkingIndicator, ToolCard, ActivityTracker2;
+var log31, THINKING_REFRESH_MS, THINKING_MAX_MS, ThinkingIndicator, ToolCard, ActivityTracker2;
 var init_activity = __esm({
   "src/plugins/telegram/activity.ts"() {
     "use strict";
@@ -8125,7 +8462,7 @@ var init_activity = __esm({
     init_stream_accumulator();
     init_stream_accumulator();
     init_display_spec_builder();
-    log30 = createChildLogger({ module: "telegram:activity" });
+    log31 = createChildLogger({ module: "telegram:activity" });
     THINKING_REFRESH_MS = 15e3;
     THINKING_MAX_MS = 3 * 60 * 1e3;
     ThinkingIndicator = class {
@@ -8166,7 +8503,7 @@ var init_activity = __esm({
             }
           }
         } catch (err) {
-          log30.warn({ err }, "ThinkingIndicator.show() failed");
+          log31.warn({ err }, "ThinkingIndicator.show() failed");
         } finally {
           this.sending = false;
         }
@@ -8334,7 +8671,7 @@ var init_activity = __esm({
             this.tracer?.log("telegram", { action: "telegram:delete:overflow", sessionId: this.sessionId, msgId: staleId });
           }
         } catch (err) {
-          log30.warn({ err }, "[ToolCard] send/edit failed");
+          log31.warn({ err }, "[ToolCard] send/edit failed");
         }
       }
     };
@@ -8438,7 +8775,7 @@ var init_activity = __esm({
         const entry = this.toolStateMap.merge(id, status, rawInput, content, viewerLinks, diffStats);
         if (!existed || !entry) return;
         if (viewerLinks || entry.viewerLinks) {
-          log30.debug({ toolId: id, status, hasIncomingLinks: !!viewerLinks, hasEntryLinks: !!entry.viewerLinks, entryLinks: entry.viewerLinks }, "toolUpdate: viewer links trace");
+          log31.debug({ toolId: id, status, hasIncomingLinks: !!viewerLinks, hasEntryLinks: !!entry.viewerLinks, entryLinks: entry.viewerLinks }, "toolUpdate: viewer links trace");
         }
         const spec = this.specBuilder.buildToolSpec(entry, this._outputMode, this.sessionContext);
         this.toolCard.updateFromSpec(spec);
@@ -8757,13 +9094,13 @@ var init_draft_manager = __esm({
 });
 
 // src/plugins/telegram/skill-command-manager.ts
-var log31, SkillCommandManager;
+var log32, SkillCommandManager;
 var init_skill_command_manager = __esm({
   "src/plugins/telegram/skill-command-manager.ts"() {
     "use strict";
     init_commands();
     init_log();
-    log31 = createChildLogger({ module: "skill-commands" });
+    log32 = createChildLogger({ module: "skill-commands" });
     SkillCommandManager = class {
       // sessionId → pinned msgId
       constructor(bot, chatId, sendQueue, sessionManager) {
@@ -8829,7 +9166,7 @@ var init_skill_command_manager = __esm({
             disable_notification: true
           });
         } catch (err) {
-          log31.error({ err, sessionId }, "Failed to send skill commands");
+          log32.error({ err, sessionId }, "Failed to send skill commands");
         }
       }
       async cleanup(sessionId) {
@@ -8950,7 +9287,7 @@ function patchedFetch(input2, init) {
   }
   return fetch(input2, init);
 }
-var log32, TelegramAdapter;
+var log33, TelegramAdapter;
 var init_adapter = __esm({
   "src/plugins/telegram/adapter.ts"() {
     "use strict";
@@ -8969,7 +9306,7 @@ var init_adapter = __esm({
     init_messaging_adapter();
     init_renderer2();
     init_output_mode_resolver();
-    log32 = createChildLogger({ module: "telegram" });
+    log33 = createChildLogger({ module: "telegram" });
     TelegramAdapter = class extends MessagingAdapter {
       name = "telegram";
       renderer = new TelegramRenderer();
@@ -9002,6 +9339,8 @@ var init_adapter = __esm({
       _pendingSkillCommands = /* @__PURE__ */ new Map();
       /** Control message IDs per session (for updating status text/buttons) */
       controlMsgIds = /* @__PURE__ */ new Map();
+      _threadReadyHandler;
+      _configChangedHandler;
       /** Store control message ID in memory + persist to session record */
       storeControlMsgId(sessionId, msgId) {
         this.controlMsgIds.set(sessionId, msgId);
@@ -9088,7 +9427,7 @@ var init_adapter = __esm({
         );
         this.bot.catch((err) => {
           const rootCause = err.error instanceof Error ? err.error : err;
-          log32.error({ err: rootCause }, "Telegram bot error");
+          log33.error({ err: rootCause }, "Telegram bot error");
         });
         this.bot.api.config.use(async (prev, method, payload, signal) => {
           const maxRetries = 3;
@@ -9106,7 +9445,7 @@ var init_adapter = __esm({
             if (rateLimitedMethods.includes(method)) {
               this.sendQueue.onRateLimited();
             }
-            log32.warn(
+            log33.warn(
               { method, retryAfter, attempt: attempt + 1 },
               "Rate limited by Telegram, retrying"
             );
@@ -9301,7 +9640,7 @@ ${p}` : p;
           }
         );
         this.permissionHandler.setupCallbackHandler();
-        this.core.eventBus.on("session:threadReady", ({ sessionId, channelId, threadId }) => {
+        this._threadReadyHandler = ({ sessionId, channelId, threadId }) => {
           if (channelId !== "telegram") return;
           const session = this.core.sessionManager.getSession(sessionId);
           if (!session) return;
@@ -9328,17 +9667,19 @@ ${p}` : p;
           ).then((msg) => {
             if (msg) this.storeControlMsgId(sessionId, msg.message_id);
           }).catch((err) => {
-            log32.warn({ err, sessionId }, "Failed to send initial messages for new session");
+            log33.warn({ err, sessionId }, "Failed to send initial messages for new session");
           });
-        });
-        this.core.eventBus.on("session:configChanged", ({ sessionId }) => {
+        };
+        this.core.eventBus.on("session:threadReady", this._threadReadyHandler);
+        this._configChangedHandler = ({ sessionId }) => {
           this.updateControlMessage(sessionId).catch(() => {
           });
-        });
+        };
+        this.core.eventBus.on("session:configChanged", this._configChangedHandler);
         this.setupRoutes();
         this.bot.start({
           allowed_updates: ["message", "callback_query"],
-          onStart: () => log32.info(
+          onStart: () => log33.info(
             { chatId: this.telegramConfig.chatId },
             "Telegram bot started"
           )
@@ -9365,12 +9706,12 @@ ${p}` : p;
             )
           });
         } catch (err) {
-          log32.warn({ err }, "Failed to send welcome message");
+          log33.warn({ err }, "Failed to send welcome message");
         }
         try {
           await this.core.assistantManager.spawn("telegram", String(this.assistantTopicId));
         } catch (err) {
-          log32.error({ err }, "Failed to spawn assistant");
+          log33.error({ err }, "Failed to spawn assistant");
         }
       }
       /**
@@ -9384,7 +9725,7 @@ ${p}` : p;
           } catch (err) {
             if (attempt === maxRetries) throw err;
             const delay = baseDelayMs * Math.pow(2, attempt - 1);
-            log32.warn(
+            log33.warn(
               { err, attempt, maxRetries, delayMs: delay, operation: label },
               `${label} failed, retrying in ${delay}ms`
             );
@@ -9404,7 +9745,7 @@ ${p}` : p;
           }),
           "setMyCommands"
         ).catch((err) => {
-          log32.warn({ err }, "Failed to register Telegram commands after retries (non-critical)");
+          log33.warn({ err }, "Failed to register Telegram commands after retries (non-critical)");
         });
       }
       async stop() {
@@ -9412,9 +9753,17 @@ ${p}` : p;
           tracker.destroy();
         }
         this.sessionTrackers.clear();
+        if (this._threadReadyHandler) {
+          this.core.eventBus.off("session:threadReady", this._threadReadyHandler);
+          this._threadReadyHandler = void 0;
+        }
+        if (this._configChangedHandler) {
+          this.core.eventBus.off("session:configChanged", this._configChangedHandler);
+          this._configChangedHandler = void 0;
+        }
         this.sendQueue.clear();
         await this.bot.stop();
-        log32.info("Telegram bot stopped");
+        log33.info("Telegram bot stopped");
       }
       // --- CommandRegistry response rendering ---
       async renderCommandResponse(response, chatId, topicId) {
@@ -9531,7 +9880,7 @@ ${lines.join("\n")}`;
             threadId: String(threadId),
             userId: String(ctx.from.id),
             text: forwardText
-          }).catch((err) => log32.error({ err }, "handleMessage error"));
+          }).catch((err) => log33.error({ err }, "handleMessage error"));
         });
         this.bot.on("message:photo", async (ctx) => {
           const threadId = ctx.message.message_thread_id;
@@ -9620,7 +9969,7 @@ ${lines.join("\n")}`;
         if (session.archiving) return;
         const threadId = Number(session.threadId);
         if (!threadId || isNaN(threadId)) {
-          log32.warn(
+          log33.warn(
             { sessionId, threadId: session.threadId },
             "Session has no valid threadId, skipping message"
           );
@@ -9636,7 +9985,7 @@ ${lines.join("\n")}`;
             this._sessionThreadIds.delete(sessionId);
           }
         }).catch((err) => {
-          log32.warn({ err, sessionId }, "Dispatch queue error");
+          log33.warn({ err, sessionId }, "Dispatch queue error");
         });
         this._dispatchQueues.set(sessionId, next);
         await next;
@@ -9758,7 +10107,7 @@ ${lines.join("\n")}`;
           );
           usageMsgId = result?.message_id;
         } catch (err) {
-          log32.warn({ err, sessionId }, "Failed to send usage message");
+          log33.warn({ err, sessionId }, "Failed to send usage message");
         }
         if (this.notificationTopicId && sessionId !== this.core.assistantManager?.get("telegram")?.id) {
           const sess = this.core.sessionManager.getSession(sessionId);
@@ -9786,7 +10135,7 @@ Task completed.
         if (!content.attachment) return;
         const { attachment } = content;
         if (attachment.size > 50 * 1024 * 1024) {
-          log32.warn(
+          log33.warn(
             {
               sessionId,
               fileName: attachment.fileName,
@@ -9830,7 +10179,7 @@ Task completed.
             );
           }
         } catch (err) {
-          log32.error(
+          log33.error(
             { err, sessionId, fileName: attachment.fileName },
             "Failed to send attachment"
           );
@@ -9929,7 +10278,7 @@ Task completed.
       }
       async sendPermissionRequest(sessionId, request) {
         this.getTracer(sessionId)?.log("telegram", { action: "permission:send", sessionId, requestId: request.id, description: request.description });
-        log32.info({ sessionId, requestId: request.id }, "Permission request sent");
+        log33.info({ sessionId, requestId: request.id }, "Permission request sent");
         const session = this.core.sessionManager.getSession(sessionId);
         if (!session) return;
         await this.sendQueue.enqueue(
@@ -9939,7 +10288,7 @@ Task completed.
       async sendNotification(notification) {
         this.getTracer(notification.sessionId)?.log("telegram", { action: "notification:send", sessionId: notification.sessionId, type: notification.type });
         if (notification.sessionId === this.core.assistantManager?.get("telegram")?.id) return;
-        log32.info(
+        log33.info(
           { sessionId: notification.sessionId, type: notification.type },
           "Notification sent"
         );
@@ -9978,7 +10327,7 @@ Task completed.
       }
       async createSessionThread(sessionId, name) {
         this.getTracer(sessionId)?.log("telegram", { action: "thread:create", sessionId, name });
-        log32.info({ sessionId, name }, "Session topic created");
+        log33.info({ sessionId, name }, "Session topic created");
         return String(
           await createSessionTopic(this.bot, this.telegramConfig.chatId, name)
         );
@@ -9989,7 +10338,7 @@ Task completed.
         if (!session) return;
         const threadId = Number(session.threadId);
         if (!threadId) {
-          log32.debug({ sessionId, newName }, "Cannot rename thread \u2014 threadId not set yet");
+          log33.debug({ sessionId, newName }, "Cannot rename thread \u2014 threadId not set yet");
           return;
         }
         await renameSessionTopic(
@@ -10008,7 +10357,7 @@ Task completed.
         try {
           await this.bot.api.deleteForumTopic(this.telegramConfig.chatId, topicId);
         } catch (err) {
-          log32.warn(
+          log33.warn(
             { err, sessionId, topicId },
             "Failed to delete forum topic (may already be deleted)"
           );
@@ -10052,7 +10401,7 @@ Task completed.
           const buffer = Buffer.from(await response.arrayBuffer());
           return { buffer, filePath: file.file_path };
         } catch (err) {
-          log32.error({ err }, "Failed to download file from Telegram");
+          log33.error({ err }, "Failed to download file from Telegram");
           return null;
         }
       }
@@ -10073,7 +10422,7 @@ Task completed.
           try {
             buffer = await this.fileService.convertOggToWav(buffer);
           } catch (err) {
-            log32.warn({ err }, "OGG\u2192WAV conversion failed, saving original OGG");
+            log33.warn({ err }, "OGG\u2192WAV conversion failed, saving original OGG");
             fileName = "voice.ogg";
             mimeType = "audio/ogg";
             originalFilePath = void 0;
@@ -10105,7 +10454,7 @@ Task completed.
           userId: String(userId),
           text: text3,
           attachments: [att]
-        }).catch((err) => log32.error({ err }, "handleMessage error"));
+        }).catch((err) => log33.error({ err }, "handleMessage error"));
       }
       async cleanupSkillCommands(sessionId) {
         this._pendingSkillCommands.delete(sessionId);
@@ -10230,12 +10579,150 @@ var StderrCapture = class {
 // src/core/index.ts
 init_config();
 
-// src/core/agents/agent-instance.ts
-import { spawn as spawn2, execFileSync } from "child_process";
-import { Transform } from "stream";
-import fs8 from "fs";
-import path7 from "path";
-import { ClientSideConnection, ndJsonStream } from "@agentclientprotocol/sdk";
+// src/core/agents/agent-instance.ts
+import { spawn as spawn2, execFileSync } from "child_process";
+import { Transform } from "stream";
+import fs9 from "fs";
+import path8 from "path";
+import { ClientSideConnection, ndJsonStream } from "@agentclientprotocol/sdk";
+
+// src/core/security/path-guard.ts
+import fs6 from "fs";
+import path6 from "path";
+import ignore from "ignore";
+var DEFAULT_DENY_PATTERNS = [
+  ".env",
+  ".env.*",
+  "*.key",
+  "*.pem",
+  ".ssh/",
+  ".aws/",
+  ".openacp/",
+  "**/credentials*",
+  "**/secrets*",
+  "**/*.secret"
+];
+var PathGuard = class {
+  cwd;
+  allowedPaths;
+  ig;
+  constructor(options) {
+    try {
+      this.cwd = fs6.realpathSync(path6.resolve(options.cwd));
+    } catch {
+      this.cwd = path6.resolve(options.cwd);
+    }
+    this.allowedPaths = options.allowedPaths.map((p) => {
+      try {
+        return fs6.realpathSync(path6.resolve(p));
+      } catch {
+        return path6.resolve(p);
+      }
+    });
+    this.ig = ignore();
+    this.ig.add(DEFAULT_DENY_PATTERNS);
+    if (options.ignorePatterns.length > 0) {
+      this.ig.add(options.ignorePatterns);
+    }
+  }
+  validatePath(targetPath, operation) {
+    const resolved = path6.resolve(targetPath);
+    let realPath;
+    try {
+      realPath = fs6.realpathSync(resolved);
+    } catch {
+      realPath = resolved;
+    }
+    if (operation === "write" && path6.basename(realPath) === ".openacpignore") {
+      return { allowed: false, reason: "Cannot write to .openacpignore" };
+    }
+    const isWithinCwd = realPath === this.cwd || realPath.startsWith(this.cwd + path6.sep);
+    const isWithinAllowed = this.allowedPaths.some(
+      (ap) => realPath === ap || realPath.startsWith(ap + path6.sep)
+    );
+    if (!isWithinCwd && !isWithinAllowed) {
+      return {
+        allowed: false,
+        reason: `Path is outside workspace boundary: ${realPath}`
+      };
+    }
+    if (isWithinCwd) {
+      const relativePath = path6.relative(this.cwd, realPath);
+      if (relativePath === ".openacpignore") {
+        return { allowed: true, reason: "" };
+      }
+      if (relativePath && this.ig.ignores(relativePath)) {
+        return {
+          allowed: false,
+          reason: `Path matches ignore pattern: ${relativePath}`
+        };
+      }
+    }
+    return { allowed: true, reason: "" };
+  }
+  addAllowedPath(p) {
+    try {
+      this.allowedPaths.push(fs6.realpathSync(path6.resolve(p)));
+    } catch {
+      this.allowedPaths.push(path6.resolve(p));
+    }
+  }
+  static loadIgnoreFile(cwd) {
+    const ignorePath = path6.join(cwd, ".openacpignore");
+    try {
+      const content = fs6.readFileSync(ignorePath, "utf-8");
+      return content.split("\n").map((l) => l.trim()).filter((l) => l && !l.startsWith("#"));
+    } catch {
+      return [];
+    }
+  }
+};
+
+// src/core/security/env-filter.ts
+var DEFAULT_ENV_WHITELIST = [
+  "PATH",
+  "HOME",
+  "SHELL",
+  "LANG",
+  "LC_*",
+  "TERM",
+  "USER",
+  "LOGNAME",
+  "TMPDIR",
+  "XDG_*",
+  "NODE_ENV",
+  "EDITOR",
+  // Git
+  "GIT_*",
+  "SSH_AUTH_SOCK",
+  "SSH_AGENT_PID",
+  // Terminal rendering
+  "COLORTERM",
+  "FORCE_COLOR",
+  "NO_COLOR",
+  "TERM_PROGRAM",
+  "HOSTNAME"
+];
+function matchesPattern(key, pattern) {
+  if (pattern.endsWith("*")) {
+    return key.startsWith(pattern.slice(0, -1));
+  }
+  return key === pattern;
+}
+function filterEnv(processEnv, agentEnv, whitelist) {
+  const patterns = whitelist ?? DEFAULT_ENV_WHITELIST;
+  const result = {};
+  for (const [key, value] of Object.entries(processEnv)) {
+    if (value === void 0) continue;
+    if (patterns.some((p) => matchesPattern(key, p))) {
+      result[key] = value;
+    }
+  }
+  if (agentEnv) {
+    Object.assign(result, agentEnv);
+  }
+  return result;
+}
 
 // src/core/utils/typed-emitter.ts
 var TypedEmitter = class {
@@ -10357,7 +10844,7 @@ var TerminalManager = class {
     }
     const childProcess = spawn(termCommand, args, {
       cwd: termCwd,
-      env: { ...process.env, ...env },
+      env: filterEnv(process.env, env),
       shell: false
     });
     const state = {
@@ -10466,24 +10953,24 @@ var McpManager = class {
 };
 
 // src/core/utils/debug-tracer.ts
-import fs7 from "fs";
-import path6 from "path";
+import fs8 from "fs";
+import path7 from "path";
 var DEBUG_ENABLED = process.env.OPENACP_DEBUG === "true" || process.env.OPENACP_DEBUG === "1";
 var DebugTracer = class {
   constructor(sessionId, workingDirectory) {
     this.sessionId = sessionId;
     this.workingDirectory = workingDirectory;
-    this.logDir = path6.join(workingDirectory, ".log");
+    this.logDir = path7.join(workingDirectory, ".log");
   }
   dirCreated = false;
   logDir;
   log(layer, data) {
     try {
       if (!this.dirCreated) {
-        fs7.mkdirSync(this.logDir, { recursive: true });
+        fs8.mkdirSync(this.logDir, { recursive: true });
         this.dirCreated = true;
       }
-      const filePath = path6.join(this.logDir, `${this.sessionId}_${layer}.jsonl`);
+      const filePath = path7.join(this.logDir, `${this.sessionId}_${layer}.jsonl`);
       const seen = /* @__PURE__ */ new WeakSet();
       const line = JSON.stringify({ ts: Date.now(), ...data }, (_key, value) => {
         if (typeof value === "object" && value !== null) {
@@ -10492,7 +10979,7 @@ var DebugTracer = class {
         }
         return value;
       }) + "\n";
-      fs7.appendFileSync(filePath, line);
+      fs8.appendFileSync(filePath, line);
     } catch {
     }
   }
@@ -10510,11 +10997,11 @@ init_log();
 var log4 = createChildLogger({ module: "agent-instance" });
 function findPackageRoot(startDir) {
   let dir = startDir;
-  while (dir !== path7.dirname(dir)) {
-    if (fs8.existsSync(path7.join(dir, "package.json"))) {
+  while (dir !== path8.dirname(dir)) {
+    if (fs9.existsSync(path8.join(dir, "package.json"))) {
       return dir;
     }
-    dir = path7.dirname(dir);
+    dir = path8.dirname(dir);
   }
   return startDir;
 }
@@ -10526,26 +11013,26 @@ function resolveAgentCommand(cmd) {
   }
   for (const root of searchRoots) {
     const packageDirs = [
-      path7.resolve(root, "node_modules", "@zed-industries", cmd, "dist", "index.js"),
-      path7.resolve(root, "node_modules", cmd, "dist", "index.js")
+      path8.resolve(root, "node_modules", "@zed-industries", cmd, "dist", "index.js"),
+      path8.resolve(root, "node_modules", cmd, "dist", "index.js")
     ];
     for (const jsPath of packageDirs) {
-      if (fs8.existsSync(jsPath)) {
+      if (fs9.existsSync(jsPath)) {
         return { command: process.execPath, args: [jsPath] };
       }
     }
   }
   for (const root of searchRoots) {
-    const localBin = path7.resolve(root, "node_modules", ".bin", cmd);
-    if (fs8.existsSync(localBin)) {
-      const content = fs8.readFileSync(localBin, "utf-8");
+    const localBin = path8.resolve(root, "node_modules", ".bin", cmd);
+    if (fs9.existsSync(localBin)) {
+      const content = fs9.readFileSync(localBin, "utf-8");
       if (content.startsWith("#!/usr/bin/env node")) {
         return { command: process.execPath, args: [localBin] };
       }
       const match = content.match(/"([^"]+\.js)"/);
       if (match) {
-        const target = path7.resolve(path7.dirname(localBin), match[1]);
-        if (fs8.existsSync(target)) {
+        const target = path8.resolve(path8.dirname(localBin), match[1]);
+        if (fs9.existsSync(target)) {
           return { command: process.execPath, args: [target] };
         }
       }
@@ -10554,7 +11041,7 @@ function resolveAgentCommand(cmd) {
   try {
     const fullPath = execFileSync("which", [cmd], { encoding: "utf-8" }).trim();
     if (fullPath) {
-      const content = fs8.readFileSync(fullPath, "utf-8");
+      const content = fs9.readFileSync(fullPath, "utf-8");
       if (content.startsWith("#!/usr/bin/env node")) {
         return { command: process.execPath, args: [fullPath] };
       }
@@ -10570,6 +11057,7 @@ var AgentInstance = class _AgentInstance extends TypedEmitter {
   terminalManager = new TerminalManager();
   static mcpManager = new McpManager();
   _destroying = false;
+  pathGuard;
   sessionId;
   agentName;
   promptCapabilities;
@@ -10578,6 +11066,10 @@ var AgentInstance = class _AgentInstance extends TypedEmitter {
   initialSessionResponse;
   middlewareChain;
   debugTracer = null;
+  /** Allow external callers (e.g. SessionFactory) to whitelist additional read paths */
+  addAllowedPath(p) {
+    this.pathGuard.addAllowedPath(p);
+  }
   // Callback — set by core when wiring events
   onPermissionRequest = async () => "";
   constructor(agentName) {
@@ -10595,13 +11087,24 @@ var AgentInstance = class _AgentInstance extends TypedEmitter {
       },
       "Resolved agent command"
     );
+    const ignorePatterns = PathGuard.loadIgnoreFile(workingDirectory);
+    instance.pathGuard = new PathGuard({
+      cwd: workingDirectory,
+      // allowedPaths is wired from workspace.security.allowedPaths config;
+      // spawnSubprocess would need to receive a SecurityConfig param to use it.
+      // Tracked as follow-up: pass workspace security config through spawn/resume call chain.
+      allowedPaths: [],
+      ignorePatterns
+    });
     instance.child = spawn2(
       resolved.command,
       [...resolved.args, ...agentDef.args],
       {
         stdio: ["pipe", "pipe", "pipe"],
         cwd: workingDirectory,
-        env: { ...process.env, ...agentDef.env }
+        // envWhitelist from workspace.security.envWhitelist config would extend DEFAULT_ENV_WHITELIST.
+        // Tracked as follow-up: pass workspace security config through spawn/resume call chain.
+        env: filterEnv(process.env, agentDef.env)
       }
     );
     await new Promise((resolve6, reject) => {
@@ -10912,6 +11415,10 @@ ${stderr}`
       // ── File operations ──────────────────────────────────────────────────
       async readTextFile(params) {
         const p = params;
+        const pathCheck = self.pathGuard.validatePath(p.path, "read");
+        if (!pathCheck.allowed) {
+          throw new Error(`[Access denied] ${pathCheck.reason}`);
+        }
         if (self.middlewareChain) {
           const result = await self.middlewareChain.execute("fs:beforeRead", { sessionId: self.sessionId, path: p.path, line: p.line, limit: p.limit }, async (r) => r);
           if (!result) return { content: "" };
@@ -10926,14 +11433,18 @@ ${stderr}`
       async writeTextFile(params) {
         let writePath = params.path;
         let writeContent = params.content;
+        const pathCheck = self.pathGuard.validatePath(writePath, "write");
+        if (!pathCheck.allowed) {
+          throw new Error(`[Access denied] ${pathCheck.reason}`);
+        }
         if (self.middlewareChain) {
           const result = await self.middlewareChain.execute("fs:beforeWrite", { sessionId: self.sessionId, path: writePath, content: writeContent }, async (r) => r);
           if (!result) return {};
           writePath = result.path;
           writeContent = result.content;
         }
-        await fs8.promises.mkdir(path7.dirname(writePath), { recursive: true });
-        await fs8.promises.writeFile(writePath, writeContent, "utf-8");
+        await fs9.promises.mkdir(path8.dirname(writePath), { recursive: true });
+        await fs9.promises.writeFile(writePath, writeContent, "utf-8");
         return {};
       },
       // ── Terminal operations (delegated to TerminalManager) ─────────────
@@ -11008,10 +11519,24 @@ ${stderr}`
     for (const att of attachments ?? []) {
       const tooLarge = att.size > 10 * 1024 * 1024;
       if (att.type === "image" && this.promptCapabilities?.image && !tooLarge && SUPPORTED_IMAGE_MIMES.has(att.mimeType)) {
-        const data = await fs8.promises.readFile(att.filePath);
+        const attCheck = this.pathGuard.validatePath(att.filePath, "read");
+        if (!attCheck.allowed) {
+          contentBlocks[0].text += `
+
+[Attachment access denied: ${attCheck.reason}]`;
+          continue;
+        }
+        const data = await fs9.promises.readFile(att.filePath);
         contentBlocks.push({ type: "image", data: data.toString("base64"), mimeType: att.mimeType });
       } else if (att.type === "audio" && this.promptCapabilities?.audio && !tooLarge) {
-        const data = await fs8.promises.readFile(att.filePath);
+        const attCheck = this.pathGuard.validatePath(att.filePath, "read");
+        if (!attCheck.allowed) {
+          contentBlocks[0].text += `
+
+[Attachment access denied: ${attCheck.reason}]`;
+          continue;
+        }
+        const data = await fs9.promises.readFile(att.filePath);
         contentBlocks.push({ type: "audio", data: data.toString("base64"), mimeType: att.mimeType });
       } else {
         if ((att.type === "image" || att.type === "audio") && !tooLarge) {
@@ -11217,7 +11742,7 @@ var PermissionGate = class {
 
 // src/core/sessions/session.ts
 init_log();
-import * as fs9 from "fs";
+import * as fs10 from "fs";
 var moduleLog = createChildLogger({ module: "session" });
 var TTS_PROMPT_INSTRUCTION = `
 
@@ -11440,7 +11965,7 @@ ${text3}`;
       try {
         const audioPath = att.originalFilePath || att.filePath;
         const audioMime = att.originalFilePath ? "audio/ogg" : att.mimeType;
-        const audioBuffer = await fs9.promises.readFile(audioPath);
+        const audioBuffer = await fs10.promises.readFile(audioPath);
         const result = await this.speechService.transcribe(audioBuffer, audioMime);
         this.log.info({ provider: "stt", duration: result.duration }, "Voice transcribed");
         this.emit("agent_event", {
@@ -11627,6 +12152,9 @@ ${result.text}` : result.text;
   }
 };
 
+// src/core/message-transformer.ts
+import * as path9 from "path";
+
 // src/core/utils/extract-file-info.ts
 function extractFileInfo(name, kind, content, rawInput, meta) {
   if (kind && !["read", "edit", "write"].includes(kind)) return null;
@@ -11752,6 +12280,41 @@ function parseContent(content) {
 // src/core/message-transformer.ts
 init_log();
 var log5 = createChildLogger({ module: "message-transformer" });
+var BINARY_VIEWER_EXTENSIONS = /* @__PURE__ */ new Set([
+  ".wav",
+  ".ogg",
+  ".mp3",
+  ".m4a",
+  ".aac",
+  ".flac",
+  ".opus",
+  ".weba",
+  ".mp4",
+  ".avi",
+  ".mov",
+  ".webm",
+  ".mkv",
+  ".jpg",
+  ".jpeg",
+  ".png",
+  ".gif",
+  ".webp",
+  ".bmp",
+  ".ico",
+  ".svg",
+  ".pdf",
+  ".zip",
+  ".gz",
+  ".tar",
+  ".7z",
+  ".rar",
+  ".bin",
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".wasm"
+]);
 function computeLineDiff(oldStr, newStr) {
   const oldLines = oldStr ? oldStr.split("\n") : [];
   const newLines = newStr ? newStr.split("\n") : [];
@@ -11948,6 +12511,11 @@ var MessageTransformer = class {
       );
       return;
     }
+    const fileExt = path9.extname(fileInfo.filePath).toLowerCase();
+    if (BINARY_VIEWER_EXTENSIONS.has(fileExt)) {
+      log5.debug({ kind, filePath: fileInfo.filePath }, "enrichWithViewerLinks: skipping binary file");
+      return;
+    }
     const publicUrl = this.tunnelService.getPublicUrl();
     if (publicUrl.startsWith("http://localhost") || publicUrl.startsWith("http://127.0.0.1")) {
       log5.debug({ kind, filePath: fileInfo.filePath }, "enrichWithViewerLinks: skipping (no public tunnel URL)");
@@ -12336,12 +12904,12 @@ var SessionBridge = class {
         break;
       case "image_content": {
         if (this.deps.fileService) {
-          const fs33 = this.deps.fileService;
+          const fs34 = this.deps.fileService;
           const sid = this.session.id;
           const { data, mimeType } = event;
           const buffer = Buffer.from(data, "base64");
-          const ext = fs33.extensionFromMime(mimeType);
-          fs33.saveFile(sid, `agent-image${ext}`, buffer, mimeType).then((att) => {
+          const ext = fs34.extensionFromMime(mimeType);
+          fs34.saveFile(sid, `agent-image${ext}`, buffer, mimeType).then((att) => {
             this.sendMessage(sid, {
               type: "attachment",
               text: "",
@@ -12353,12 +12921,12 @@ var SessionBridge = class {
       }
       case "audio_content": {
         if (this.deps.fileService) {
-          const fs33 = this.deps.fileService;
+          const fs34 = this.deps.fileService;
           const sid = this.session.id;
           const { data, mimeType } = event;
           const buffer = Buffer.from(data, "base64");
-          const ext = fs33.extensionFromMime(mimeType);
-          fs33.saveFile(sid, `agent-audio${ext}`, buffer, mimeType).then((att) => {
+          const ext = fs34.extensionFromMime(mimeType);
+          fs34.saveFile(sid, `agent-audio${ext}`, buffer, mimeType).then((att) => {
             this.sendMessage(sid, {
               type: "attachment",
               text: "",
@@ -12445,18 +13013,8 @@ var SessionBridge = class {
     this.emitAfterResolve(mw, permReq.id, optionId, "user", startTime);
     return optionId;
   }
-  /** Check if a permission request should be auto-approved (openacp commands or bypass mode) */
+  /** Check if a permission request should be auto-approved (bypass mode only) */
   checkAutoApprove(request) {
-    if (request.description.toLowerCase().includes("openacp")) {
-      const allowOption = request.options.find((o) => o.isAllow);
-      if (allowOption) {
-        log6.info(
-          { sessionId: this.session.id, requestId: request.id },
-          "Auto-approving openacp command"
-        );
-        return allowOption.id;
-      }
-    }
     const modeOption = this.session.getConfigByCategory("mode");
     const isAgentBypass = modeOption && isPermissionBypass(
       typeof modeOption.currentValue === "string" ? modeOption.currentValue : ""
@@ -12514,6 +13072,10 @@ var SessionFactory = class {
   agentCatalog;
   /** Injected by Core — needed for context-aware session creation */
   getContextManager;
+  /** Injected by Core — returns extra filesystem paths the agent is allowed to read.
+   *  Used to whitelist the file-service upload directory so agents can read attachments
+   *  saved outside the workspace (e.g. ~/.openacp/instances/main/files/). */
+  getAgentAllowedPaths;
   get speechService() {
     return typeof this.speechServiceAccessor === "function" ? this.speechServiceAccessor() : this.speechServiceAccessor;
   }
@@ -12605,6 +13167,10 @@ var SessionFactory = class {
       });
       throw err;
     }
+    const extraPaths = this.getAgentAllowedPaths?.() ?? [];
+    for (const p of extraPaths) {
+      agentInstance.addAllowedPath(p);
+    }
     agentInstance.middlewareChain = this.middlewareChain;
     const session = new Session({
       id: createParams.existingSessionId,
@@ -12821,13 +13387,13 @@ var SessionFactory = class {
 };
 
 // src/core/core.ts
-import path15 from "path";
+import path17 from "path";
 import os8 from "os";
 
 // src/core/sessions/session-store.ts
 init_log();
-import fs10 from "fs";
-import path8 from "path";
+import fs11 from "fs";
+import path10 from "path";
 var log8 = createChildLogger({ module: "session-store" });
 var DEBOUNCE_MS = 2e3;
 var JsonFileSessionStore = class {
@@ -12898,9 +13464,9 @@ var JsonFileSessionStore = class {
       version: 1,
       sessions: Object.fromEntries(this.records)
     };
-    const dir = path8.dirname(this.filePath);
-    if (!fs10.existsSync(dir)) fs10.mkdirSync(dir, { recursive: true });
-    fs10.writeFileSync(this.filePath, JSON.stringify(data, null, 2));
+    const dir = path10.dirname(this.filePath);
+    if (!fs11.existsSync(dir)) fs11.mkdirSync(dir, { recursive: true });
+    fs11.writeFileSync(this.filePath, JSON.stringify(data, null, 2));
   }
   destroy() {
     if (this.debounceTimer) clearTimeout(this.debounceTimer);
@@ -12913,10 +13479,10 @@ var JsonFileSessionStore = class {
     }
   }
   load() {
-    if (!fs10.existsSync(this.filePath)) return;
+    if (!fs11.existsSync(this.filePath)) return;
     try {
       const raw = JSON.parse(
-        fs10.readFileSync(this.filePath, "utf-8")
+        fs11.readFileSync(this.filePath, "utf-8")
       );
       if (raw.version !== 1) {
         log8.warn(
@@ -12932,7 +13498,7 @@ var JsonFileSessionStore = class {
     } catch (err) {
       log8.error({ err }, "Failed to load session store, backing up corrupt file");
       try {
-        fs10.renameSync(this.filePath, `${this.filePath}.bak`);
+        fs11.renameSync(this.filePath, `${this.filePath}.bak`);
       } catch {
       }
     }
@@ -13025,12 +13591,16 @@ var AgentSwitchHandler = class {
       await switchAdapter.cleanupSessionState(session.id);
     }
     const fromAgentSessionId = session.agentSessionId;
+    const fileService = this.deps.getService("file-service");
     try {
       await session.switchAgent(toAgent, async () => {
         if (canResume) {
-          return agentManager.resume(toAgent, session.workingDirectory, lastEntry.agentSessionId);
+          const instance = await agentManager.resume(toAgent, session.workingDirectory, lastEntry.agentSessionId);
+          if (fileService) instance.addAllowedPath(fileService.baseDir);
+          return instance;
         } else {
           const instance = await agentManager.spawn(toAgent, session.workingDirectory);
+          if (fileService) instance.addAllowedPath(fileService.baseDir);
           try {
             const contextService = this.deps.getService("context");
             if (contextService) {
@@ -13125,14 +13695,14 @@ var AgentSwitchHandler = class {
 };
 
 // src/core/agents/agent-catalog.ts
-import * as fs14 from "fs";
-import * as path12 from "path";
+import * as fs15 from "fs";
+import * as path14 from "path";
 import * as os6 from "os";
 
 // src/core/agents/agent-store.ts
 init_log();
-import * as fs12 from "fs";
-import * as path10 from "path";
+import * as fs13 from "fs";
+import * as path12 from "path";
 import * as os4 from "os";
 import { z as z2 } from "zod";
 var log10 = createChildLogger({ module: "agent-store" });
@@ -13156,15 +13726,15 @@ var AgentStore = class {
   data = { version: 1, installed: {} };
   filePath;
   constructor(filePath) {
-    this.filePath = filePath ?? path10.join(os4.homedir(), ".openacp", "agents.json");
+    this.filePath = filePath ?? path12.join(os4.homedir(), ".openacp", "agents.json");
   }
   load() {
-    if (!fs12.existsSync(this.filePath)) {
+    if (!fs13.existsSync(this.filePath)) {
       this.data = { version: 1, installed: {} };
       return;
     }
     try {
-      const raw = JSON.parse(fs12.readFileSync(this.filePath, "utf-8"));
+      const raw = JSON.parse(fs13.readFileSync(this.filePath, "utf-8"));
       const result = AgentStoreSchema.safeParse(raw);
       if (result.success) {
         this.data = result.data;
@@ -13178,7 +13748,7 @@ var AgentStore = class {
     }
   }
   exists() {
-    return fs12.existsSync(this.filePath);
+    return fs13.existsSync(this.filePath);
   }
   getInstalled() {
     return this.data.installed;
@@ -13198,244 +13768,15 @@ var AgentStore = class {
     return key in this.data.installed;
   }
   save() {
-    fs12.mkdirSync(path10.dirname(this.filePath), { recursive: true });
+    fs13.mkdirSync(path12.dirname(this.filePath), { recursive: true });
     const tmpPath = this.filePath + ".tmp";
-    fs12.writeFileSync(tmpPath, JSON.stringify(this.data, null, 2));
-    fs12.renameSync(tmpPath, this.filePath);
+    fs13.writeFileSync(tmpPath, JSON.stringify(this.data, null, 2), { mode: 384 });
+    fs13.renameSync(tmpPath, this.filePath);
   }
 };
 
-// src/core/agents/agent-installer.ts
-init_log();
-init_agent_dependencies();
-import * as fs13 from "fs";
-import * as path11 from "path";
-import * as os5 from "os";
-var log11 = createChildLogger({ module: "agent-installer" });
-var DEFAULT_AGENTS_DIR = path11.join(os5.homedir(), ".openacp", "agents");
-var ARCH_MAP = {
-  arm64: "aarch64",
-  x64: "x86_64"
-};
-var PLATFORM_MAP = {
-  darwin: "darwin",
-  linux: "linux",
-  win32: "windows"
-};
-function getPlatformKey() {
-  const platform2 = PLATFORM_MAP[process.platform] ?? process.platform;
-  const arch = ARCH_MAP[process.arch] ?? process.arch;
-  return `${platform2}-${arch}`;
-}
-function resolveDistribution(agent) {
-  const dist = agent.distribution;
-  if (dist.npx) {
-    return { type: "npx", package: dist.npx.package, args: dist.npx.args ?? [], env: dist.npx.env };
-  }
-  if (dist.uvx) {
-    return { type: "uvx", package: dist.uvx.package, args: dist.uvx.args ?? [], env: dist.uvx.env };
-  }
-  if (dist.binary) {
-    const platformKey = getPlatformKey();
-    const target = dist.binary[platformKey];
-    if (!target) return null;
-    return { type: "binary", archive: target.archive, cmd: target.cmd, args: target.args ?? [], env: target.env };
-  }
-  return null;
-}
-function buildInstalledAgent(registryId, name, version, dist, binaryPath) {
-  if (dist.type === "npx") {
-    const npxPackage = stripPackageVersion(dist.package);
-    return {
-      registryId,
-      name,
-      version,
-      distribution: "npx",
-      command: "npx",
-      args: [npxPackage, ...dist.args],
-      env: dist.env ?? {},
-      installedAt: (/* @__PURE__ */ new Date()).toISOString(),
-      binaryPath: null
-    };
-  }
-  if (dist.type === "uvx") {
-    const uvxPackage = stripPythonPackageVersion(dist.package);
-    return {
-      registryId,
-      name,
-      version,
-      distribution: "uvx",
-      command: "uvx",
-      args: [uvxPackage, ...dist.args],
-      env: dist.env ?? {},
-      installedAt: (/* @__PURE__ */ new Date()).toISOString(),
-      binaryPath: null
-    };
-  }
-  const absCmd = path11.resolve(binaryPath, dist.cmd);
-  return {
-    registryId,
-    name,
-    version,
-    distribution: "binary",
-    command: absCmd,
-    args: dist.args,
-    env: dist.env ?? {},
-    installedAt: (/* @__PURE__ */ new Date()).toISOString(),
-    binaryPath
-  };
-}
-function stripPackageVersion(pkg) {
-  if (pkg.startsWith("@")) {
-    const afterScope = pkg.indexOf("/");
-    if (afterScope === -1) return pkg;
-    const versionAt = pkg.indexOf("@", afterScope + 1);
-    return versionAt === -1 ? pkg : pkg.slice(0, versionAt);
-  }
-  const at = pkg.indexOf("@");
-  return at === -1 ? pkg : pkg.slice(0, at);
-}
-function stripPythonPackageVersion(pkg) {
-  const pyMatch = pkg.match(/^([^=@><!]+)/);
-  if (pyMatch && pkg.includes("==")) return pyMatch[1];
-  const at = pkg.indexOf("@");
-  return at === -1 ? pkg : pkg.slice(0, at);
-}
-async function installAgent(agent, store, progress, agentsDir) {
-  const agentKey = getAgentAlias(agent.id);
-  await progress?.onStart(agent.id, agent.name);
-  await progress?.onStep("Checking requirements...");
-  const depResult = checkDependencies(agent.id);
-  if (!depResult.available) {
-    const hints = depResult.missing.map((m) => `  ${m.label}: ${m.installHint}`).join("\n");
-    const msg = `${agent.name} needs some tools installed first:
-${hints}`;
-    await progress?.onError(msg);
-    return { ok: false, agentKey, error: msg };
-  }
-  const dist = resolveDistribution(agent);
-  if (!dist) {
-    const platformKey = getPlatformKey();
-    const msg = `${agent.name} is not available for your system (${platformKey}). Check their website for other install options.`;
-    await progress?.onError(msg);
-    return { ok: false, agentKey, error: msg };
-  }
-  if (dist.type === "uvx" && !checkRuntimeAvailable("uvx")) {
-    const msg = `${agent.name} requires Python's uvx tool.
-Install it with: pip install uv`;
-    await progress?.onError(msg, "pip install uv");
-    return { ok: false, agentKey, error: msg, hint: "pip install uv" };
-  }
-  let binaryPath;
-  if (dist.type === "binary") {
-    try {
-      binaryPath = await downloadAndExtract(agent.id, dist.archive, progress, agentsDir);
-    } catch (err) {
-      const msg = `Failed to download ${agent.name}. Please try again or install manually.`;
-      await progress?.onError(msg);
-      return { ok: false, agentKey, error: msg };
-    }
-  } else {
-    await progress?.onStep("Setting up... (will download on first use)");
-  }
-  const installed = buildInstalledAgent(agent.id, agent.name, agent.version, dist, binaryPath);
-  store.addAgent(agentKey, installed);
-  const setup = getAgentSetup(agent.id);
-  await progress?.onSuccess(agent.name);
-  return { ok: true, agentKey, setupSteps: setup?.setupSteps };
-}
-async function downloadAndExtract(agentId, archiveUrl, progress, agentsDir) {
-  const destDir = path11.join(agentsDir ?? DEFAULT_AGENTS_DIR, agentId);
-  fs13.mkdirSync(destDir, { recursive: true });
-  await progress?.onStep("Downloading...");
-  log11.info({ agentId, url: archiveUrl }, "Downloading agent binary");
-  const response = await fetch(archiveUrl);
-  if (!response.ok) {
-    throw new Error(`Download failed: ${response.status} ${response.statusText}`);
-  }
-  const contentLength = Number(response.headers.get("content-length") || 0);
-  const buffer = await readResponseWithProgress(response, contentLength, progress);
-  await progress?.onStep("Extracting...");
-  if (archiveUrl.endsWith(".zip")) {
-    await extractZip(buffer, destDir);
-  } else {
-    await extractTarGz(buffer, destDir);
-  }
-  await progress?.onStep("Ready!");
-  return destDir;
-}
-async function readResponseWithProgress(response, contentLength, progress) {
-  if (!response.body || contentLength === 0) {
-    const arrayBuffer = await response.arrayBuffer();
-    return Buffer.from(arrayBuffer);
-  }
-  const reader = response.body.getReader();
-  const chunks = [];
-  let received = 0;
-  while (true) {
-    const { done, value } = await reader.read();
-    if (done) break;
-    chunks.push(value);
-    received += value.length;
-    if (contentLength > 0) {
-      await progress?.onDownloadProgress(Math.round(received / contentLength * 100));
-    }
-  }
-  return Buffer.concat(chunks);
-}
-function validateExtractedPaths(destDir) {
-  const realDest = fs13.realpathSync(destDir);
-  const entries = fs13.readdirSync(destDir, { recursive: true, withFileTypes: true });
-  for (const entry of entries) {
-    const dirent = entry;
-    const parentPath = dirent.parentPath ?? dirent.path ?? destDir;
-    const fullPath = path11.join(parentPath, entry.name);
-    let realPath;
-    try {
-      realPath = fs13.realpathSync(fullPath);
-    } catch {
-      const linkTarget = fs13.readlinkSync(fullPath);
-      realPath = path11.resolve(path11.dirname(fullPath), linkTarget);
-    }
-    if (!realPath.startsWith(realDest + path11.sep) && realPath !== realDest) {
-      fs13.rmSync(destDir, { recursive: true, force: true });
-      throw new Error(`Archive contains unsafe path: ${entry.name}`);
-    }
-  }
-}
-async function extractTarGz(buffer, destDir) {
-  const { execFileSync: execFileSync7 } = await import("child_process");
-  const tmpFile = path11.join(destDir, "_archive.tar.gz");
-  fs13.writeFileSync(tmpFile, buffer);
-  try {
-    execFileSync7("tar", ["xzf", tmpFile, "-C", destDir], { stdio: "pipe" });
-  } finally {
-    fs13.unlinkSync(tmpFile);
-  }
-  validateExtractedPaths(destDir);
-}
-async function extractZip(buffer, destDir) {
-  const { execFileSync: execFileSync7 } = await import("child_process");
-  const tmpFile = path11.join(destDir, "_archive.zip");
-  fs13.writeFileSync(tmpFile, buffer);
-  try {
-    execFileSync7("unzip", ["-o", tmpFile, "-d", destDir], { stdio: "pipe" });
-  } finally {
-    fs13.unlinkSync(tmpFile);
-  }
-  validateExtractedPaths(destDir);
-}
-async function uninstallAgent(agentKey, store) {
-  const agent = store.getAgent(agentKey);
-  if (!agent) return;
-  if (agent.binaryPath && fs13.existsSync(agent.binaryPath)) {
-    fs13.rmSync(agent.binaryPath, { recursive: true, force: true });
-    log11.info({ agentKey, binaryPath: agent.binaryPath }, "Deleted agent binary");
-  }
-  store.removeAgent(agentKey);
-}
-
 // src/core/agents/agent-catalog.ts
+init_agent_installer();
 init_agent_dependencies();
 init_log();
 var log12 = createChildLogger({ module: "agent-catalog" });
@@ -13448,7 +13789,7 @@ var AgentCatalog = class {
   agentsDir;
   constructor(store, cachePath, agentsDir) {
     this.store = store ?? new AgentStore();
-    this.cachePath = cachePath ?? path12.join(os6.homedir(), ".openacp", "registry-cache.json");
+    this.cachePath = cachePath ?? path14.join(os6.homedir(), ".openacp", "registry-cache.json");
     this.agentsDir = agentsDir;
   }
   load() {
@@ -13469,8 +13810,8 @@ var AgentCatalog = class {
         ttlHours: DEFAULT_TTL_HOURS,
         data
       };
-      fs14.mkdirSync(path12.dirname(this.cachePath), { recursive: true });
-      fs14.writeFileSync(this.cachePath, JSON.stringify(cache, null, 2));
+      fs15.mkdirSync(path14.dirname(this.cachePath), { recursive: true });
+      fs15.writeFileSync(this.cachePath, JSON.stringify(cache, null, 2), { mode: 384 });
       log12.info({ count: this.registryAgents.length }, "Registry updated");
     } catch (err) {
       log12.warn({ err }, "Failed to fetch registry, using cached data");
@@ -13569,6 +13910,14 @@ var AgentCatalog = class {
     }
     return installAgent(agent, this.store, progress, this.agentsDir);
   }
+  /**
+   * Register an agent directly into the catalog store without going through
+   * the registry installer. Used to pre-register bundled agents (e.g. Claude)
+   * when their CLI dependency is not yet installed.
+   */
+  registerFallbackAgent(key, data) {
+    this.store.addAgent(key, data);
+  }
   async uninstall(key) {
     if (!this.store.hasAgent(key)) {
       return { ok: false, error: `"${key}" is not installed.` };
@@ -13630,9 +13979,9 @@ var AgentCatalog = class {
     }
   }
   isCacheStale() {
-    if (!fs14.existsSync(this.cachePath)) return true;
+    if (!fs15.existsSync(this.cachePath)) return true;
     try {
-      const raw = JSON.parse(fs14.readFileSync(this.cachePath, "utf-8"));
+      const raw = JSON.parse(fs15.readFileSync(this.cachePath, "utf-8"));
       const fetchedAt = new Date(raw.fetchedAt).getTime();
       const ttlMs = (raw.ttlHours ?? DEFAULT_TTL_HOURS) * 60 * 60 * 1e3;
       return Date.now() - fetchedAt > ttlMs;
@@ -13641,9 +13990,9 @@ var AgentCatalog = class {
     }
   }
   loadRegistryFromCacheOrSnapshot() {
-    if (fs14.existsSync(this.cachePath)) {
+    if (fs15.existsSync(this.cachePath)) {
       try {
-        const raw = JSON.parse(fs14.readFileSync(this.cachePath, "utf-8"));
+        const raw = JSON.parse(fs15.readFileSync(this.cachePath, "utf-8"));
         if (raw.data?.agents) {
           this.registryAgents = raw.data.agents;
           log12.debug({ count: this.registryAgents.length }, "Loaded registry from cache");
@@ -13655,13 +14004,13 @@ var AgentCatalog = class {
     }
     try {
       const candidates = [
-        path12.join(import.meta.dirname, "data", "registry-snapshot.json"),
-        path12.join(import.meta.dirname, "..", "data", "registry-snapshot.json"),
-        path12.join(import.meta.dirname, "..", "..", "data", "registry-snapshot.json")
+        path14.join(import.meta.dirname, "data", "registry-snapshot.json"),
+        path14.join(import.meta.dirname, "..", "data", "registry-snapshot.json"),
+        path14.join(import.meta.dirname, "..", "..", "data", "registry-snapshot.json")
       ];
       for (const candidate of candidates) {
-        if (fs14.existsSync(candidate)) {
-          const raw = JSON.parse(fs14.readFileSync(candidate, "utf-8"));
+        if (fs15.existsSync(candidate)) {
+          const raw = JSON.parse(fs15.readFileSync(candidate, "utf-8"));
           this.registryAgents = raw.agents ?? [];
           log12.debug({ count: this.registryAgents.length }, "Loaded registry from bundled snapshot");
           return;
@@ -13922,31 +14271,31 @@ var ErrorTracker = class {
 };
 
 // src/core/plugin/plugin-context.ts
-import path14 from "path";
+import path16 from "path";
 import os7 from "os";
 
 // src/core/plugin/plugin-storage.ts
-import fs15 from "fs";
-import path13 from "path";
+import fs16 from "fs";
+import path15 from "path";
 var PluginStorageImpl = class {
   kvPath;
   dataDir;
   writeChain = Promise.resolve();
   constructor(baseDir) {
-    this.dataDir = path13.join(baseDir, "data");
-    this.kvPath = path13.join(baseDir, "kv.json");
-    fs15.mkdirSync(baseDir, { recursive: true });
+    this.dataDir = path15.join(baseDir, "data");
+    this.kvPath = path15.join(baseDir, "kv.json");
+    fs16.mkdirSync(baseDir, { recursive: true });
   }
   readKv() {
     try {
-      const raw = fs15.readFileSync(this.kvPath, "utf-8");
+      const raw = fs16.readFileSync(this.kvPath, "utf-8");
       return JSON.parse(raw);
     } catch {
       return {};
     }
   }
   writeKv(data) {
-    fs15.writeFileSync(this.kvPath, JSON.stringify(data), "utf-8");
+    fs16.writeFileSync(this.kvPath, JSON.stringify(data), "utf-8");
   }
   async get(key) {
     const data = this.readKv();
@@ -13972,7 +14321,7 @@ var PluginStorageImpl = class {
     return Object.keys(this.readKv());
   }
   getDataDir() {
-    fs15.mkdirSync(this.dataDir, { recursive: true });
+    fs16.mkdirSync(this.dataDir, { recursive: true });
     return this.dataDir;
   }
 };
@@ -13996,7 +14345,7 @@ function createPluginContext(opts) {
     config,
     core
   } = opts;
-  const instanceRoot = opts.instanceRoot ?? path14.join(os7.homedir(), ".openacp");
+  const instanceRoot = opts.instanceRoot ?? path16.join(os7.homedir(), ".openacp");
   const registeredListeners = [];
   const registeredCommands = [];
   const noopLog = {
@@ -14017,7 +14366,7 @@ function createPluginContext(opts) {
     }
   };
   const baseLog = opts.log ?? noopLog;
-  const log33 = typeof baseLog.child === "function" ? baseLog.child({ plugin: pluginName }) : baseLog;
+  const log34 = typeof baseLog.child === "function" ? baseLog.child({ plugin: pluginName }) : baseLog;
   const storageImpl = new PluginStorageImpl(storagePath);
   const storage = {
     async get(key) {
@@ -14044,7 +14393,7 @@ function createPluginContext(opts) {
   const ctx = {
     pluginName,
     pluginConfig,
-    log: log33,
+    log: log34,
     storage,
     on(event, handler) {
       requirePermission(permissions, "events:read", "on()");
@@ -14079,7 +14428,7 @@ function createPluginContext(opts) {
       const registry = serviceRegistry.get("command-registry");
       if (registry && typeof registry.register === "function") {
         registry.register(def, pluginName);
-        log33.debug(`Command '/${def.name}' registered`);
+        log34.debug(`Command '/${def.name}' registered`);
       }
     },
     async sendMessage(_sessionId, _content) {
@@ -14826,7 +15175,7 @@ var OpenACPCore = class {
     );
     this.agentCatalog.load();
     this.agentManager = new AgentManager(this.agentCatalog);
-    const storePath = ctx?.paths.sessions ?? path15.join(os8.homedir(), ".openacp", "sessions.json");
+    const storePath = ctx?.paths.sessions ?? path17.join(os8.homedir(), ".openacp", "sessions.json");
     this.sessionStore = new JsonFileSessionStore(
       storePath,
       config.sessionStore.ttlDays
@@ -14850,7 +15199,7 @@ var OpenACPCore = class {
       sessions: this.sessionManager,
       config: this.configManager,
       core: this,
-      storagePath: ctx?.paths.pluginsData ?? path15.join(os8.homedir(), ".openacp", "plugins", "data"),
+      storagePath: ctx?.paths.pluginsData ?? path17.join(os8.homedir(), ".openacp", "plugins", "data"),
       instanceRoot: ctx?.root,
       log: createChildLogger({ module: "plugin" })
     });
@@ -14862,6 +15211,10 @@ var OpenACPCore = class {
     this.sessionFactory.configManager = this.configManager;
     this.sessionFactory.agentCatalog = this.agentCatalog;
     this.sessionFactory.getContextManager = () => this.lifecycleManager.serviceRegistry.get("context");
+    this.sessionFactory.getAgentAllowedPaths = () => {
+      const fileService = this.lifecycleManager.serviceRegistry.get("file-service");
+      return fileService ? [fileService.baseDir] : [];
+    };
     this.agentSwitchHandler = new AgentSwitchHandler({
       sessionManager: this.sessionManager,
       agentManager: this.agentManager,
@@ -14911,7 +15264,7 @@ var OpenACPCore = class {
     );
     registerCoreMenuItems(this.menuRegistry);
     if (ctx?.root) {
-      this.assistantRegistry.setInstanceRoot(path15.dirname(ctx.root));
+      this.assistantRegistry.setInstanceRoot(path17.dirname(ctx.root));
     }
     this.assistantRegistry.register(createSessionsSection(this));
     this.assistantRegistry.register(createAgentsSection(this));
@@ -15413,19 +15766,19 @@ init_doctor();
 init_config_registry();
 
 // src/core/config/config-editor.ts
-import * as path27 from "path";
+import * as path29 from "path";
 import * as clack2 from "@clack/prompts";
 
 // src/cli/autostart.ts
 init_log();
 import { execFileSync as execFileSync5 } from "child_process";
-import * as fs26 from "fs";
-import * as path23 from "path";
+import * as fs27 from "fs";
+import * as path25 from "path";
 import * as os11 from "os";
 var log18 = createChildLogger({ module: "autostart" });
 var LAUNCHD_LABEL = "com.openacp.daemon";
-var LAUNCHD_PLIST_PATH = path23.join(os11.homedir(), "Library", "LaunchAgents", `${LAUNCHD_LABEL}.plist`);
-var SYSTEMD_SERVICE_PATH = path23.join(os11.homedir(), ".config", "systemd", "user", "openacp.service");
+var LAUNCHD_PLIST_PATH = path25.join(os11.homedir(), "Library", "LaunchAgents", `${LAUNCHD_LABEL}.plist`);
+var SYSTEMD_SERVICE_PATH = path25.join(os11.homedir(), ".config", "systemd", "user", "openacp.service");
 function isAutoStartSupported() {
   return process.platform === "darwin" || process.platform === "linux";
 }
@@ -15437,7 +15790,7 @@ function escapeSystemdValue(str) {
   return `"${escaped}"`;
 }
 function generateLaunchdPlist(nodePath, cliPath, logDir2) {
-  const logFile = path23.join(logDir2, "openacp.log");
+  const logFile = path25.join(logDir2, "openacp.log");
   return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -15482,23 +15835,23 @@ function installAutoStart(logDir2) {
     return { success: false, error: "Auto-start not supported on this platform" };
   }
   const nodePath = process.execPath;
-  const cliPath = path23.resolve(process.argv[1]);
-  const resolvedLogDir = logDir2.startsWith("~") ? path23.join(os11.homedir(), logDir2.slice(1)) : logDir2;
+  const cliPath = path25.resolve(process.argv[1]);
+  const resolvedLogDir = logDir2.startsWith("~") ? path25.join(os11.homedir(), logDir2.slice(1)) : logDir2;
   try {
     if (process.platform === "darwin") {
       const plist = generateLaunchdPlist(nodePath, cliPath, resolvedLogDir);
-      const dir = path23.dirname(LAUNCHD_PLIST_PATH);
-      fs26.mkdirSync(dir, { recursive: true });
-      fs26.writeFileSync(LAUNCHD_PLIST_PATH, plist);
+      const dir = path25.dirname(LAUNCHD_PLIST_PATH);
+      fs27.mkdirSync(dir, { recursive: true });
+      fs27.writeFileSync(LAUNCHD_PLIST_PATH, plist);
       execFileSync5("launchctl", ["load", LAUNCHD_PLIST_PATH], { stdio: "pipe" });
       log18.info("LaunchAgent installed");
       return { success: true };
     }
     if (process.platform === "linux") {
       const unit = generateSystemdUnit(nodePath, cliPath);
-      const dir = path23.dirname(SYSTEMD_SERVICE_PATH);
-      fs26.mkdirSync(dir, { recursive: true });
-      fs26.writeFileSync(SYSTEMD_SERVICE_PATH, unit);
+      const dir = path25.dirname(SYSTEMD_SERVICE_PATH);
+      fs27.mkdirSync(dir, { recursive: true });
+      fs27.writeFileSync(SYSTEMD_SERVICE_PATH, unit);
       execFileSync5("systemctl", ["--user", "daemon-reload"], { stdio: "pipe" });
       execFileSync5("systemctl", ["--user", "enable", "openacp"], { stdio: "pipe" });
       log18.info("systemd user service installed");
@@ -15517,23 +15870,23 @@ function uninstallAutoStart() {
   }
   try {
     if (process.platform === "darwin") {
-      if (fs26.existsSync(LAUNCHD_PLIST_PATH)) {
+      if (fs27.existsSync(LAUNCHD_PLIST_PATH)) {
         try {
           execFileSync5("launchctl", ["unload", LAUNCHD_PLIST_PATH], { stdio: "pipe" });
         } catch {
         }
-        fs26.unlinkSync(LAUNCHD_PLIST_PATH);
+        fs27.unlinkSync(LAUNCHD_PLIST_PATH);
         log18.info("LaunchAgent removed");
       }
       return { success: true };
     }
     if (process.platform === "linux") {
-      if (fs26.existsSync(SYSTEMD_SERVICE_PATH)) {
+      if (fs27.existsSync(SYSTEMD_SERVICE_PATH)) {
         try {
           execFileSync5("systemctl", ["--user", "disable", "openacp"], { stdio: "pipe" });
         } catch {
         }
-        fs26.unlinkSync(SYSTEMD_SERVICE_PATH);
+        fs27.unlinkSync(SYSTEMD_SERVICE_PATH);
         execFileSync5("systemctl", ["--user", "daemon-reload"], { stdio: "pipe" });
         log18.info("systemd user service removed");
       }
@@ -15548,10 +15901,10 @@ function uninstallAutoStart() {
 }
 function isAutoStartInstalled() {
   if (process.platform === "darwin") {
-    return fs26.existsSync(LAUNCHD_PLIST_PATH);
+    return fs27.existsSync(LAUNCHD_PLIST_PATH);
   }
   if (process.platform === "linux") {
-    return fs26.existsSync(SYSTEMD_SERVICE_PATH);
+    return fs27.existsSync(SYSTEMD_SERVICE_PATH);
   }
   return false;
 }
@@ -15756,7 +16109,7 @@ async function editDiscord(_config, _updates) {
     const { createInstallContext: createInstallContext2 } = await Promise.resolve().then(() => (init_install_context(), install_context_exports));
     const { getGlobalRoot: getGlobalRoot2 } = await Promise.resolve().then(() => (init_instance_context(), instance_context_exports));
     const root = getGlobalRoot2();
-    const basePath = path27.join(root, "plugins", "data");
+    const basePath = path29.join(root, "plugins", "data");
     const settingsManager = new SettingsManager2(basePath);
     const ctx = createInstallContext2({
       pluginName: plugin.name,
@@ -16277,17 +16630,17 @@ ${c.cyan}${c.bold}OpenACP Config Editor${c.reset}`);
 async function sendConfigViaApi(port, updates) {
   const { apiCall: call } = await Promise.resolve().then(() => (init_api_client(), api_client_exports));
   const paths = flattenToPaths(updates);
-  for (const { path: path33, value } of paths) {
+  for (const { path: path35, value } of paths) {
     const res = await call(port, "/api/config", {
       method: "PATCH",
       headers: { "Content-Type": "application/json" },
-      body: JSON.stringify({ path: path33, value })
+      body: JSON.stringify({ path: path35, value })
     });
     const data = await res.json();
     if (!res.ok) {
-      console.log(warn(`Failed to update ${path33}: ${data.error}`));
+      console.log(warn(`Failed to update ${path35}: ${data.error}`));
     } else if (data.needsRestart) {
-      console.log(warn(`${path33} updated \u2014 restart required`));
+      console.log(warn(`${path35} updated \u2014 restart required`));
     }
   }
 }
@@ -16307,30 +16660,30 @@ function flattenToPaths(obj, prefix = "") {
 // src/cli/daemon.ts
 init_config();
 import { spawn as spawn3 } from "child_process";
-import * as fs29 from "fs";
-import * as path28 from "path";
+import * as fs30 from "fs";
+import * as path30 from "path";
 import * as os14 from "os";
-var DEFAULT_ROOT2 = path28.join(os14.homedir(), ".openacp");
+var DEFAULT_ROOT2 = path30.join(os14.homedir(), ".openacp");
 function getPidPath(root) {
   const base = root ?? DEFAULT_ROOT2;
-  return path28.join(base, "openacp.pid");
+  return path30.join(base, "openacp.pid");
 }
 function getLogDir(root) {
   const base = root ?? DEFAULT_ROOT2;
-  return path28.join(base, "logs");
+  return path30.join(base, "logs");
 }
 function getRunningMarker(root) {
   const base = root ?? DEFAULT_ROOT2;
-  return path28.join(base, "running");
+  return path30.join(base, "running");
 }
 function writePidFile(pidPath, pid) {
-  const dir = path28.dirname(pidPath);
-  fs29.mkdirSync(dir, { recursive: true });
-  fs29.writeFileSync(pidPath, String(pid));
+  const dir = path30.dirname(pidPath);
+  fs30.mkdirSync(dir, { recursive: true });
+  fs30.writeFileSync(pidPath, String(pid));
 }
 function readPidFile(pidPath) {
   try {
-    const content = fs29.readFileSync(pidPath, "utf-8").trim();
+    const content = fs30.readFileSync(pidPath, "utf-8").trim();
     const pid = parseInt(content, 10);
     return isNaN(pid) ? null : pid;
   } catch {
@@ -16339,7 +16692,7 @@ function readPidFile(pidPath) {
 }
 function removePidFile(pidPath) {
   try {
-    fs29.unlinkSync(pidPath);
+    fs30.unlinkSync(pidPath);
   } catch {
   }
 }
@@ -16372,12 +16725,12 @@ function startDaemon(pidPath = getPidPath(), logDir2, instanceRoot) {
     return { error: `Already running (PID ${pid})` };
   }
   const resolvedLogDir = logDir2 ? expandHome3(logDir2) : getLogDir(instanceRoot);
-  fs29.mkdirSync(resolvedLogDir, { recursive: true });
-  const logFile = path28.join(resolvedLogDir, "openacp.log");
-  const cliPath = path28.resolve(process.argv[1]);
+  fs30.mkdirSync(resolvedLogDir, { recursive: true });
+  const logFile = path30.join(resolvedLogDir, "openacp.log");
+  const cliPath = path30.resolve(process.argv[1]);
   const nodePath = process.execPath;
-  const out = fs29.openSync(logFile, "a");
-  const err = fs29.openSync(logFile, "a");
+  const out = fs30.openSync(logFile, "a");
+  const err = fs30.openSync(logFile, "a");
   const child = spawn3(nodePath, [cliPath, "--daemon-child"], {
     detached: true,
     stdio: ["ignore", out, err],
@@ -16386,8 +16739,8 @@ function startDaemon(pidPath = getPidPath(), logDir2, instanceRoot) {
       ...instanceRoot ? { OPENACP_INSTANCE_ROOT: instanceRoot } : {}
     }
   });
-  fs29.closeSync(out);
-  fs29.closeSync(err);
+  fs30.closeSync(out);
+  fs30.closeSync(err);
   if (!child.pid) {
     return { error: "Failed to spawn daemon process" };
   }
@@ -16458,12 +16811,12 @@ async function stopDaemon(pidPath = getPidPath(), instanceRoot) {
 }
 function markRunning(root) {
   const marker = getRunningMarker(root);
-  fs29.mkdirSync(path28.dirname(marker), { recursive: true });
-  fs29.writeFileSync(marker, "");
+  fs30.mkdirSync(path30.dirname(marker), { recursive: true });
+  fs30.writeFileSync(marker, "");
 }
 function clearRunning(root) {
   try {
-    fs29.unlinkSync(getRunningMarker(root));
+    fs30.unlinkSync(getRunningMarker(root));
   } catch {
   }
 }
@@ -16479,7 +16832,7 @@ init_static_server();
 
 // src/plugins/telegram/topic-manager.ts
 init_log();
-var log20 = createChildLogger({ module: "topic-manager" });
+var log21 = createChildLogger({ module: "topic-manager" });
 var TopicManager = class {
   constructor(sessionManager, adapter, systemTopicIds) {
     this.sessionManager = sessionManager;
@@ -16518,7 +16871,7 @@ var TopicManager = class {
       try {
         await this.adapter.deleteSessionThread?.(sessionId);
       } catch (err) {
-        log20.warn({ err, sessionId, topicId }, "Failed to delete platform thread, removing record anyway");
+        log21.warn({ err, sessionId, topicId }, "Failed to delete platform thread, removing record anyway");
       }
     }
     await this.sessionManager.removeRecord(sessionId);
@@ -16541,7 +16894,7 @@ var TopicManager = class {
           try {
             await this.adapter.deleteSessionThread?.(record.sessionId);
           } catch (err) {
-            log20.warn({ err, sessionId: record.sessionId }, "Failed to delete platform thread during cleanup");
+            log21.warn({ err, sessionId: record.sessionId }, "Failed to delete platform thread during cleanup");
           }
         }
         await this.sessionManager.removeRecord(record.sessionId);