@runcore-sh/runcore 0.3.1 → 0.4.0

package/dist/server.js

@@ -9,12 +9,17 @@ import { serveStatic } from "@hono/node-server/serve-static";
 import { join, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import { readFile, writeFile, mkdir } from "node:fs/promises";
-// Package root (where public/ lives) — works whether run from CWD or npx
+import { acquireLock, releaseLock } from "./runtime-lock.js";
+// Package root — works whether run from CWD or npx
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
-const PKG_ROOT = join(__dirname, "..");
+const PKG_ROOT = __dirname.endsWith("dist") ? join(__dirname, "..") : __dirname;
+// UI directory — resolved at startup. Prefers CDN-synced, falls back to bundled.
+let UI_DIR = getUiPublicDir(PKG_ROOT);
 import { writeFileSync } from "node:fs";
+import { appendFile } from "node:fs/promises";
 import { initInstanceName, getInstanceName, setInstanceName, getInstanceNameLower, resolveEnv, getAlertEmailFrom } from "./instance.js";
+import { syncUi, getUiPublicDir } from "./ui-sync.js";
 import { readBrainFile, writeBrainFile, appendBrainLine } from "./lib/brain-io.js";
 import { runWithAuditContext } from "./lib/audit.js";
 import { Brain } from "./brain.js";
@@ -22,7 +27,7 @@ import { FileSystemLongTermMemory } from "./memory/file-backed.js";
 import { createLogger } from "./utils/logger.js";
 const log = createLogger("server");
 const agentLog = createLogger("agent");
-import { ensurePairingCode, getStatus, pair, authenticate, getRecoveryQuestion, recover, validateSession, readHuman, restoreSession, cacheSessionKey, } from "./auth/identity.js";
+import { ensurePairingCode, getStatus, pair, authenticate, getRecoveryQuestion, recover, validateSession, readHuman, restoreSession, cacheSessionKey, createSession, } from "./auth/identity.js";
 import { requireSession } from "./auth/middleware.js";
 import { getProvider } from "./llm/providers/index.js";
 import { withStreamRetry } from "./llm/retry.js";
@@ -31,7 +36,8 @@ import { PrivateModeError, isPrivateMode, checkOllamaHealth } from "./llm/guard.
 import { installFetchGuard } from "./llm/fetch-guard.js";
 import { SensitiveRegistry } from "./llm/sensitive-registry.js";
 import { PrivacyMembrane } from "./llm/membrane.js";
-import { setActiveMembrane, rehydrateResponse } from "./llm/redact.js";
+import { setActiveMembrane, getActiveMembrane, rehydrateResponse } from "./llm/redact.js";
+import { VolumeManager } from "./volumes/index.js";
 import { loadSettings, getSettings, updateSettings, resolveProvider, resolveChatModel, resolveUtilityModel, getPulseSettings, getMeshConfig, } from "./settings.js";
 import { startMdns, stopMdns } from "./mdns.js";
 import { ingestDirectory } from "./files/ingest.js";
@@ -93,7 +99,7 @@ import { tracingMiddleware } from "./tracing/middleware.js";
 import { attachOTelToBus } from "./tracing/bridge.js";
 import { HealthChecker, memoryCheck, eventLoopCheck, availabilityCheck, cpuCheck, diskUsageCheck, diskCheck, queueStoreCheck, agentCapacityCheck, agentHealthCheck, boardCheck, RecoveryManager, sidecarRecovery, AlertManager, defaultAlertConfig, } from "./health/index.js";
 import { NotificationDispatcher, EmailChannel, PhoneChannel } from "./notifications/index.js";
-import { createSkillRegistry, getSkillRegistry } from "./skills/index.js";
+import { skillRegistry as _skillRegistry } from "./skills/index.js";
 import { createModuleRegistry, getModuleRegistry } from "./modules/index.js";
 import { createCapabilityRegistry, getCapabilityRegistry, calendarCapability, emailCapability, docsCapability, boardCapability, browserCapability, closeBrowser, taskDoneCapability, calendarContextProvider, emailContextProvider, createWebSearchContextProvider, vaultContextProvider } from "./capabilities/index.js";
 import { MetricsStore, startCollector, stopCollector, registerDefaultThresholds, evaluateAlerts, buildDashboard, metricsMiddleware, collectPrometheus, generatePeriodStats, generateComparisonReport, } from "./metrics/index.js";
@@ -133,7 +139,10 @@ function pickStreamFn() {
     return withStreamRetry((options) => provider.streamChat(options), { maxRetries: 3, baseDelayMs: 1_000, maxDelayMs: 30_000 });
 }
 // --- Config ---
-const PORT = parseInt(process.env.CORE_PORT ?? resolveEnv("PORT") ?? "0", 10);
+import { getLastPort } from "./runtime-lock.js";
+const _envPort = parseInt(process.env.CORE_PORT ?? resolveEnv("PORT") ?? "0", 10);
+// Sticky port: if no explicit port set, reuse the last known port from runtime lock
+const PORT = _envPort === 0 ? getLastPort() : _envPort;
 let actualPort = PORT;
 const SIDECAR_PORT = resolveEnv("SEARCH_PORT") ?? "3578";
 import { BRAIN_DIR } from "./lib/paths.js";
@@ -156,9 +165,25 @@ const alertManager = new AlertManager(health, defaultAlertConfig(), alertDispatc
 // --- Metrics ---
 const metricsStore = new MetricsStore(BRAIN_DIR);
 registerDefaultThresholds();
+// --- Volume manager ---
+const volumeManager = new VolumeManager(BRAIN_DIR);
+volumeManager.init().catch((err) => log.warn("Volume manager init failed — single-volume mode", { error: String(err) }));
 const chatSessions = new Map();
 const sessionKeys = new Map();
 let goalTimerStarted = false;
+/** Threads per session. Key = sessionId, value = Map<threadId, ChatThread>. */
+const sessionThreads = new Map();
+function getThreadsForSession(sessionId) {
+    let threads = sessionThreads.get(sessionId);
+    if (!threads) {
+        threads = new Map();
+        sessionThreads.set(sessionId, threads);
+    }
+    return threads;
+}
+function generateThreadId() {
+    return Date.now().toString(36) + Math.random().toString(36).slice(2, 8);
+}
 /** One-time startup token for zero-friction local auth. */
 let startupToken = null;
 export function getStartupToken() {
@@ -170,6 +195,7 @@ const tracer = new Tracer();
 let instanceManager = null;
 let agentPool = null;
 let workflowEngine = null;
+let activeSensitiveRegistry = null;
 /** Get the current instance manager (or null if not initialized). */
 function getInstanceManager() {
     return instanceManager;
@@ -186,6 +212,13 @@ async function getOrCreateChatSession(sessionId, name) {
     let cs = chatSessions.get(sessionId);
     if (cs)
         return cs;
+    // Single-user system: reuse existing chat session from any prior session ID.
+    // This ensures all tabs/devices see the same conversation history.
+    if (chatSessions.size > 0) {
+        const [existingId, existingCs] = chatSessions.entries().next().value;
+        chatSessions.set(sessionId, existingCs);
+        return existingCs;
+    }
     // Read custom personality instructions (empty string if file doesn't exist)
     let personality = "";
     try {
@@ -207,18 +240,74 @@ async function getOrCreateChatSession(sessionId, name) {
     await ltm.init();
     const brain = new Brain({
         systemPrompt: [
-            `You are ${getInstanceName()}, a personal AI agent. You just came into existence and paired with your human partner, ${name}.`,
+            `IDENTITY:`,
+            `- Your name is ${getInstanceName()}.`,
+            `- The human you are talking to is named ${name}. When they say "my name" they mean "${name}".`,
+            `- You are ${name}'s personal AI agent, running locally on their machine. This conversation is private.`,
+            `- Today is ${new Date().toLocaleDateString("en-US", { weekday: "long", year: "numeric", month: "long", day: "numeric" })}. Current tier: ${activeTier}.`,
             ``,
-            `CRITICAL RULES:`,
-            `- NEVER invent information. You have no knowledge of reports, accounts, schedules, or tasks unless they appear in the context below.`,
-            `- If context is provided below, reference ONLY that. If no context is provided, you know nothing yet — and that's okay.`,
-            `- This is a new relationship. You and ${name} are just getting to know each other. Be curious. Ask real questions.`,
-            `- Be warm, honest, and direct. Have personality. Don't be a corporate assistant.`,
-            `- If you don't know something, say so plainly. Never fabricate details to seem helpful.`,
-            `- NEVER reference board items, tasks, backlog items, or project work unless they appear verbatim in injected context below. If no "board issues" section is present, you know NOTHING about the board — do not guess, summarize from memory, or invent items.`,
-            `- NEVER claim you searched the web unless "Web search results" appear in your context. If no search results are present, you did NOT search.`,
+            // Tier-aware capability boundaries
+            ...(() => {
+                const caps = TIER_CAPS[activeTier];
+                const can = [];
+                const cannot = [];
+                // Always available
+                can.push("chat and answer questions");
+                can.push("remember things and learn from conversations");
+                if (caps.ollama)
+                    can.push("use local AI models via Ollama");
+                // Gated capabilities — be explicit about what's off
+                if (caps.integrations) {
+                    can.push("connect to external services (Google, Slack, etc.)");
+                }
+                else {
+                    cannot.push("connect to external services (Google, Slack, email)");
+                }
+                if (caps.vault) {
+                    can.push("manage API keys and credentials");
+                }
+                else {
+                    cannot.push("manage API keys or a credential vault");
+                }
+                if (caps.spawning) {
+                    can.push("spawn sub-agents to edit code and run tasks");
+                }
+                else {
+                    cannot.push("spawn agents, edit code, or run shell commands");
+                }
+                if (caps.voice) {
+                    can.push("speak and listen (voice I/O)");
+                }
+                else {
+                    cannot.push("use voice input or output");
+                }
+                if (caps.mesh) {
+                    can.push("communicate with other instances on the network");
+                }
+                else {
+                    cannot.push("reach other instances or the network");
+                }
+                if (caps.alerting) {
+                    can.push("send alerts via SMS, email, or webhooks");
+                }
+                else {
+                    cannot.push("send SMS, email, or webhook alerts");
+                }
+                const lines = [`CAPABILITIES (tier: ${activeTier}):`];
+                lines.push(`You CAN: ${can.join("; ")}.`);
+                if (cannot.length > 0) {
+                    lines.push(`You CANNOT: ${cannot.join("; ")}.`);
+                    lines.push(`Do NOT offer, suggest, or pretend to do things you cannot. If ${name} asks for something outside your capabilities, explain what tier unlocks it and how to upgrade (Settings → API Keys, or run \`runcore register\`).`);
+                }
+                return lines;
+            })(),
             ``,
-            `You are running locally on ${name}'s machine. This conversation is private.`,
+            `RULES:`,
+            `- Be warm, honest, and direct. Have personality. Don't be a corporate assistant.`,
+            `- If you don't know something, say so. Never invent information.`,
+            `- Only reference data that appears in the context below. If nothing is provided, you know nothing yet.`,
+            `- NEVER reference board items, tasks, or project work unless they appear verbatim below.`,
+            `- NEVER claim you searched the web unless search results appear in your context.`,
             ...(personality ? [``, `--- Custom personality ---`, personality, `--- End custom personality ---`] : []),
             isSearchAvailable()
                 ? `You have web search capability. When search results appear in your context, use them to answer. You don't control when searches happen — the system handles that automatically.`
@@ -257,32 +346,35 @@ async function getOrCreateChatSession(sessionId, name) {
                 }
                 return fragments;
             })(),
-            `## Agent spawning (CRITICAL — follow exactly)`,
-            `When a task requires code editing, file operations, or shell commands, you MUST spawn a Claude Code agent.`,
-            `Do NOT describe what you would do — actually spawn the agent by including the block below.`,
-            `The block content MUST be valid JSON with "label" and "prompt" keys. No markdown, no backticks, no explanation inside the block.`,
-            ``,
-            `### Agent prompt quality rules (MANDATORY)`,
-            `Agents are Claude Code sessions that edit files. They need CONCRETE instructions or they will fail.`,
-            `NEVER spawn an agent for a task that lacks a clear spec, requirement, or file to work on. If a board item is vague (e.g. "Rules Engine", "Skills Library"), do NOT spawn an agent — instead tell ${name} the item needs a spec first.`,
-            `Every agent prompt MUST include:`,
-            `- Real file paths from this project (e.g. "Edit src/queue/store.ts to add...")`,
-            `- What specifically to build, change, or fix`,
-            `- How it connects to existing code`,
-            `WRONG prompt: "Build a comprehensive rules engine with prioritization, conflict resolution, versioning..."`,
-            `RIGHT prompt: "In src/agents/spawn.ts, add a timeout retry: when an agent exits with code 1, re-spawn it once with the same prompt. Update the exit handler at line 77."`,
-            `If you cannot write a prompt with real file paths and concrete changes, the task is not ready to spawn. Tell ${name} what's missing and either propose a spec or ask what they want. Never go silent — if you can't act, communicate.`,
-            ``,
-            `Format (place at the END of your response, OUTSIDE any code blocks):`,
-            `[AGENT_REQUEST]`,
-            `{"label": "short task name", "prompt": "Detailed instructions for the agent including file paths and what to do", "taskId": "internal-id-from-board"}`,
-            `[/AGENT_REQUEST]`,
-            `Include "taskId" when spawning for a specific board item (use the internal id, not the DASH-N identifier). This locks the task so other agents don't pick it up concurrently.`,
-            ``,
-            `You can include multiple [AGENT_REQUEST] blocks to run tasks in parallel.`,
-            `WRONG: Describing the agent request in prose. WRONG: Wrapping the block in \`\`\`markdown. WRONG: Putting non-JSON text inside the block.`,
-            `RIGHT: Plain [AGENT_REQUEST] tag, one line of JSON, [/AGENT_REQUEST] tag. Nothing else inside.`,
-            `Agent failures are normal (auth issues, timeouts, environment mismatches). Never stop spawning agents because of past failures.`,
+            ...(TIER_CAPS[activeTier].spawning ? [
+                `## Agent spawning (CRITICAL — follow exactly)`,
+                `When a task requires code editing, file operations, or shell commands, you MUST spawn a Claude Code agent.`,
+                `Do NOT describe what you would do — actually spawn the agent by including the block below.`,
+                `The block content MUST be valid JSON with "label" and "prompt" keys. No markdown, no backticks, no explanation inside the block.`,
+                ``,
+                `### Agent prompt quality rules (MANDATORY)`,
+                `Agents are Claude Code sessions that edit files. They need CONCRETE instructions or they will fail.`,
+                `NEVER spawn an agent for a task that lacks a clear spec, requirement, or file to work on. If a board item is vague (e.g. "Rules Engine", "Skills Library"), do NOT spawn an agent — instead tell ${name} the item needs a spec first.`,
+                `Every agent prompt MUST include:`,
+                `- Real file paths from this project (e.g. "Edit src/queue/store.ts to add...")`,
+                `- What specifically to build, change, or fix`,
+                `- How it connects to existing code`,
+                `WRONG prompt: "Build a comprehensive rules engine with prioritization, conflict resolution, versioning..."`,
+                `RIGHT prompt: "In src/agents/spawn.ts, add a timeout retry: when an agent exits with code 1, re-spawn it once with the same prompt. Update the exit handler at line 77."`,
+                `If you cannot write a prompt with real file paths and concrete changes, the task is not ready to spawn. Tell ${name} what's missing and either propose a spec or ask what they want. Never go silent — if you can't act, communicate.`,
+                ``,
+                `Format (place at the END of your response, OUTSIDE any code blocks):`,
+                `[AGENT_REQUEST]`,
+                `{"label": "short task name", "prompt": "Detailed instructions for the agent including file paths and what to do", "taskId": "internal-id-from-board"}`,
+                `[/AGENT_REQUEST]`,
+                `Include "taskId" when spawning for a specific board item (use the internal id, not the DASH-N identifier). This locks the task so other agents don't pick it up concurrently.`,
+                ``,
+                `You can include multiple [AGENT_REQUEST] blocks to run tasks in parallel.`,
+                `WRONG: Describing the agent request in prose. WRONG: Wrapping the block in \`\`\`markdown. WRONG: Putting non-JSON text inside the block.`,
+                `RIGHT: Plain [AGENT_REQUEST] tag, one line of JSON, [/AGENT_REQUEST] tag. Nothing else inside.`,
+                `Agent failures are normal (auth issues, timeouts, environment mismatches). Never stop spawning agents because of past failures.`,
+                `IMPORTANT: Do NOT announce agent spawns in your visible response text. No "Agent spawned to...", no "I'll spawn an agent...", no "Let me run an agent...". The UI shows agent status automatically. Just include the [AGENT_REQUEST] block silently at the end. Your visible text should answer the user's question or continue the conversation naturally.`,
+            ] : []), // end spawning gate
             // Inject instance-readable vault values (CORE_*/DASH_* prefixed only — never secrets)
             ...(() => {
                 const readable = getDashReadableVault();
@@ -297,19 +389,21 @@ async function getOrCreateChatSession(sessionId, name) {
                 ];
             })(),
             ``,
-            `## Autonomous work (already running)`,
-            `You have a background timer that checks the backlog every 15 minutes.`,
-            `When agents are idle and actionable items exist, a planner LLM picks tasks and spawns agents automatically.`,
-            `${name} does not need to be in chat for this to work — work continues in the background.`,
-            `Key facts:`,
-            `- Fires 60s after boot, then every 15 min`,
-            `- Only picks items in backlog/todo state, unassigned, not on cooldown`,
-            `- Max 5 agents per round, up to 5 continuation rounds per session`,
-            `- Failed tasks get escalating cooldowns (30min → 1hr → 2hr → 4hr) so they won't retry immediately`,
-            `- All activity logged to brain/ops/activity.jsonl`,
-            `- Circuit breaker pauses work for 30min if API credits run out`,
-            `When asked about autonomous work, explain this system accurately. You CAN work while ${name} is away.`,
-            `The user can type "auto" in chat to see the current autonomous status.`,
+            ...(TIER_CAPS[activeTier].spawning ? [
+                `## Autonomous work (already running)`,
+                `You have a background timer that checks the backlog every 15 minutes.`,
+                `When agents are idle and actionable items exist, a planner LLM picks tasks and spawns agents automatically.`,
+                `${name} does not need to be in chat for this to work — work continues in the background.`,
+                `Key facts:`,
+                `- Fires 60s after boot, then every 15 min`,
+                `- Only picks items in backlog/todo state, unassigned, not on cooldown`,
+                `- Max 5 agents per round, up to 5 continuation rounds per session`,
+                `- Failed tasks get escalating cooldowns (30min → 1hr → 2hr → 4hr) so they won't retry immediately`,
+                `- All activity logged to brain/ops/activity.jsonl`,
+                `- Circuit breaker pauses work for 30min if API credits run out`,
+                `When asked about autonomous work, explain this system accurately. You CAN work while ${name} is away.`,
+                `The user can type "auto" in chat to see the current autonomous status.`,
+            ] : []), // end autonomous gate
             ``,
             `## Security: encrypted memories`,
             `Some of your memories (experiences, decisions, failures) are encrypted at rest. They are only available when ${name} has authenticated with their password.`,
@@ -345,17 +439,23 @@ async function getOrCreateChatSession(sessionId, name) {
     chatSessions.set(sessionId, cs);
     return cs;
 }
+// --- App ---
+import { TIER_CAPS } from "./tier/types.js";
 let activeTier = "local";
 const app = new Hono();
-// Global error handler — return JSON with details instead of plain "Internal Server Error"
+// Global error handler — structured JSON errors
+import { errorHandler, ApiError } from "./middleware/error-handler.js";
 app.onError((err, c) => {
+    // Use structured handler for ApiErrors; preserve original behavior for others
+    if (err instanceof ApiError)
+        return errorHandler(err, c);
     const msg = err instanceof Error ? err.message : String(err);
     const stack = err instanceof Error ? err.stack : undefined;
     log.error("Unhandled route error", { error: msg, stack, path: c.req.path, method: c.req.method });
-    return c.json({ error: msg }, 500);
+    return c.json({ error: msg, code: "INTERNAL_ERROR", status: 500 }, 500);
 });
-// Serve static files from public/ (relative to package, not CWD)
-app.use("/public/*", serveStatic({ root: PKG_ROOT }));
+// Serve static files from UI directory (CDN-synced or bundled fallback)
+app.use("/public/*", serveStatic({ root: join(UI_DIR, ".."), rewriteRequestPath: (p) => p }));
 // --- HTML template cache (replaces {{INSTANCE_NAME}} with configured name) ---
 const htmlCache = new Map();
 async function serveHtmlTemplate(filePath) {
@@ -373,12 +473,21 @@ async function serveHtmlTemplate(filePath) {
 app.use("/api/*", requireSession());
 // Serve index.html at root
 app.get("/", async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "index.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "index.html"));
     return c.html(html);
 });
+// --- PWA assets (must be served from root for scope) ---
+app.get("/manifest.json", async (c) => {
+    const data = await readFile(join(UI_DIR, "manifest.json"), "utf-8");
+    return c.json(JSON.parse(data));
+});
+app.get("/sw.js", async (c) => {
+    const data = await readFile(join(UI_DIR, "sw.js"), "utf-8");
+    return c.newResponse(data, 200, { "Content-Type": "application/javascript", "Service-Worker-Allowed": "/" });
+});
 // --- Nerve endpoint (PWA) ---
 app.get("/nerve", async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "nerve", "index.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "nerve", "index.html"));
     return c.html(html);
 });
 // --- Audit context middleware ---
@@ -396,6 +505,7 @@ app.use("/api/*", metricsMiddleware());
 app.use("/api/pair", rateLimit({ windowMs: 15 * 60_000, max: 10 }));
 app.use("/api/auth", rateLimit({ windowMs: 15 * 60_000, max: 10 }));
 app.use("/api/recover", rateLimit({ windowMs: 15 * 60_000, max: 5 }));
+app.use("/api/mobile/redeem", rateLimit({ windowMs: 15 * 60_000, max: 5 }));
 // Dashboard endpoints get a separate, more generous limit — they poll frequently.
 app.use("/api/ops/*", rateLimit({ windowMs: 60_000, max: 300 }));
 // General API rate limit — skip paths that already have their own limiter.
@@ -469,6 +579,8 @@ app.get("/api/tier", async (c) => {
     return c.json({
         tier,
         capabilities: TIER_CAPS[tier] ?? TIER_CAPS.local,
+        model: resolveChatModel() ?? "auto",
+        provider: resolveProvider(),
     });
 });
 // Pairing ceremony
@@ -583,6 +695,378 @@ app.post("/api/recover", async (c) => {
     await loadVault(result.sessionKey);
     return c.json({ sessionId: result.session.id, name: result.name });
 });
+const deviceVouchers = new Map();
+const pairedDevices = new Map();
+// Load paired devices from brain on startup (called later in init)
+async function loadPairedDevices() {
+    try {
+        const raw = await readFile(join(BRAIN_DIR, "identity", "devices.json"), "utf-8");
+        const devices = JSON.parse(raw);
+        for (const d of devices) {
+            pairedDevices.set(d.deviceToken, d);
+            // Re-create session so phone doesn't need to re-pair after Core restart
+            if (d.sessionId) {
+                createSession(d.humanName || d.label, d.sessionId);
+                log.debug("Restored session for paired device", { label: d.label, humanName: d.humanName });
+            }
+        }
+    }
+    catch { /* no devices yet */ }
+}
+async function savePairedDevices() {
+    try {
+        await mkdir(join(BRAIN_DIR, "identity"), { recursive: true });
+        await writeFile(join(BRAIN_DIR, "identity", "devices.json"), JSON.stringify([...pairedDevices.values()], null, 2), "utf-8");
+    }
+    catch { /* best effort */ }
+}
+// Issue a device voucher (requires active session — you're on the PC)
+app.post("/api/mobile/voucher", async (c) => {
+    const sessionId = c.req.query("sessionId") || c.req.header("x-session-id");
+    if (!sessionId || !validateSession(sessionId)) {
+        return c.json({ error: "Unauthorized" }, 401);
+    }
+    const { randomBytes: rng } = await import("node:crypto");
+    const { createHash } = await import("node:crypto");
+    const token = `dv_${rng(8).toString("hex")}`;
+    const instanceHash = createHash("sha256")
+        .update(getInstanceName() + BRAIN_DIR)
+        .digest("hex")
+        .slice(0, 16);
+    const voucher = {
+        token,
+        instanceHash,
+        instanceName: getInstanceName(),
+        createdAt: Date.now(),
+        expiresAt: Date.now() + 10 * 60 * 1000, // 10 minutes
+        consumed: false,
+    };
+    deviceVouchers.set(token, voucher);
+    // Clean expired vouchers
+    for (const [k, v] of deviceVouchers) {
+        if (v.expiresAt < Date.now())
+            deviceVouchers.delete(k);
+    }
+    // The QR payload — a URL the phone opens directly
+    const voucherPayload = encodeURIComponent(JSON.stringify({
+        relay: "https://runcore.sh",
+        token,
+        instance: instanceHash,
+        name: voucher.instanceName,
+    }));
+    const qrUrl = `https://runcore.sh/pair#${voucherPayload}`;
+    // Generate QR code as data URL (server-side, proven library)
+    let qrDataUrl = "";
+    try {
+        const QRCode = (await import("qrcode")).default;
+        qrDataUrl = await QRCode.toDataURL(qrUrl, {
+            width: 250,
+            margin: 2,
+            color: { dark: "#000000", light: "#ffffff" },
+            errorCorrectionLevel: "L",
+        });
+    }
+    catch (err) {
+        log.warn("QR generation failed", { error: err instanceof Error ? err.message : String(err) });
+    }
+    return c.json({
+        token,
+        expiresIn: 600,
+        qrData: qrUrl,
+        qrImage: qrDataUrl,
+        instanceName: voucher.instanceName,
+    });
+});
+// Get voucher info (phone hits this to personalize before asking for safe word)
+// Public — returns only display info, nothing secret
+app.get("/api/mobile/info/:token", async (c) => {
+    const token = c.req.param("token");
+    const voucher = deviceVouchers.get(token);
+    if (!voucher || voucher.consumed || voucher.expiresAt < Date.now()) {
+        return c.json({ error: "Invalid or expired voucher" }, 404);
+    }
+    return c.json({
+        instanceName: voucher.instanceName,
+        expiresIn: Math.max(0, Math.round((voucher.expiresAt - Date.now()) / 1000)),
+    });
+});
+// Redeem voucher with safe word → device token
+app.post("/api/mobile/redeem", async (c) => {
+    const body = await c.req.json();
+    const { token, password } = body;
+    if (!token || !password) {
+        return c.json({ error: "Voucher token and password required" }, 400);
+    }
+    const voucher = deviceVouchers.get(token);
+    if (!voucher || voucher.consumed || voucher.expiresAt < Date.now()) {
+        return c.json({ error: "Invalid or expired voucher" }, 404);
+    }
+    // Validate safe word via existing auth
+    const authResult = await authenticate(password);
+    if ("error" in authResult) {
+        return c.json({ error: "Invalid safe word" }, 401);
+    }
+    // Consume voucher
+    voucher.consumed = true;
+    // Issue device token
+    const { randomBytes: rng } = await import("node:crypto");
+    const deviceToken = `dt_${rng(16).toString("hex")}`;
+    const label = body.label || "Phone";
+    const device = {
+        deviceToken,
+        sessionId: authResult.session.id,
+        humanName: authResult.name,
+        label,
+        pairedAt: new Date().toISOString(),
+        lastSeen: new Date().toISOString(),
+    };
+    pairedDevices.set(deviceToken, device);
+    await savePairedDevices();
+    // Return session + device token
+    sessionKeys.set(authResult.session.id, authResult.sessionKey);
+    setEncryptionKey(authResult.sessionKey);
+    return c.json({
+        deviceToken,
+        sessionId: authResult.session.id,
+        instanceName: getInstanceName(),
+    });
+});
+// List paired devices (requires session)
+app.get("/api/mobile/devices", async (c) => {
+    const sessionId = c.req.query("sessionId") || c.req.header("x-session-id");
+    if (!sessionId || !validateSession(sessionId)) {
+        return c.json({ error: "Unauthorized" }, 401);
+    }
+    return c.json({
+        devices: [...pairedDevices.values()].map((d) => ({
+            label: d.label,
+            pairedAt: d.pairedAt,
+            lastSeen: d.lastSeen,
+        })),
+    });
+});
+// Revoke a device (requires session)
+app.delete("/api/mobile/devices/:label", async (c) => {
+    const sessionId = c.req.query("sessionId") || c.req.header("x-session-id");
+    if (!sessionId || !validateSession(sessionId)) {
+        return c.json({ error: "Unauthorized" }, 401);
+    }
+    const label = c.req.param("label");
+    for (const [token, d] of pairedDevices) {
+        if (d.label === label) {
+            pairedDevices.delete(token);
+            await savePairedDevices();
+            return c.json({ ok: true });
+        }
+    }
+    return c.json({ error: "Device not found" }, 404);
+});
+// --- Relay polling (receive messages from paired phones) ---
+let relayPollInterval = null;
+function startRelayPoll(instanceHash) {
+    if (relayPollInterval)
+        return;
+    const POLL_MS = 1_500; // 1.5 seconds
+    relayPollInterval = setInterval(async () => {
+        // Check for chat envelopes
+        try {
+            const res = await fetch(`https://runcore.sh/api/relay/envelope?recipient=${encodeURIComponent(instanceHash)}`, { signal: AbortSignal.timeout(8_000) });
+            if (res.ok) {
+                const data = await res.json();
+                if (data.envelopes && data.envelopes.length > 0) {
+                    for (const env of data.envelopes) {
+                        try {
+                            const decoded = JSON.parse(Buffer.from(env.payload, "base64").toString("utf-8"));
+                            if (decoded.type === "chat" && decoded.sessionId && decoded.message) {
+                                log.info("Relay message received", { from: env.from, messageLen: decoded.message.length });
+                                await handleRelayChat(decoded.sessionId, decoded.message, env.from, instanceHash);
+                            }
+                            else if (decoded.type === "sync" && decoded.sessionId) {
+                                log.info("Relay sync request", { from: env.from });
+                                await handleRelaySync(decoded.sessionId, env.from, instanceHash);
+                            }
+                        }
+                        catch (err) {
+                            log.debug("Failed to process relay envelope", { error: err instanceof Error ? err.message : String(err) });
+                        }
+                    }
+                }
+            }
+        }
+        catch {
+            // Network error — will retry on next poll
+        }
+        // Check for pending pair requests (independent of envelope check)
+        try {
+            const pairRes = await fetch(`https://runcore.sh/api/relay/pair?instance=${encodeURIComponent(instanceHash)}`, { signal: AbortSignal.timeout(8_000) });
+            if (pairRes.ok) {
+                const pairData = await pairRes.json();
+                if (pairData.requests && pairData.requests.length > 0) {
+                    log.info("Relay pair requests received", { count: pairData.requests.length });
+                    for (const req of pairData.requests) {
+                        await handleRelayPair(req.token, req.password, req.label, instanceHash);
+                    }
+                }
+            }
+        }
+        catch {
+            // Pair poll failed — will retry on next cycle
+        }
+    }, POLL_MS);
+}
+/**
+ * Handle a chat message received via relay from a paired phone.
+ * Processes through the same LLM pipeline as a local chat, sends response back through relay.
+ */
+/**
+ * Handle a sync request from a paired phone — send chat history back through relay.
+ */
+async function handleRelaySync(sid, senderHash, instanceHash) {
+    try {
+        // Find chat session — check this sessionId or grab the single existing one
+        let history = [];
+        const cs = chatSessions.get(sid) || (chatSessions.size > 0 ? chatSessions.values().next().value : null);
+        if (cs) {
+            // Send last 50 messages to keep payload reasonable
+            history = cs.history.slice(-50).map((m) => ({ role: m.role, content: m.content }));
+        }
+        await fetch("https://runcore.sh/api/relay/envelope", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                recipientHash: senderHash,
+                senderHash: instanceHash,
+                payload: Buffer.from(JSON.stringify({
+                    type: "history",
+                    messages: history,
+                    timestamp: new Date().toISOString(),
+                })).toString("base64"),
+            }),
+            signal: AbortSignal.timeout(10_000),
+        });
+        log.info("Sent chat history to phone", { messageCount: history.length });
+    }
+    catch (err) {
+        log.warn("Relay sync failed", { error: err instanceof Error ? err.message : String(err) });
+    }
+}
+async function handleRelayChat(sid, message, senderHash, instanceHash) {
+    log.info("handleRelayChat start", { sid: sid.slice(0, 8), senderHash, messageLen: message.length });
+    // Get the user name — check session first, then paired device, then fallback
+    const session = validateSession(sid);
+    let userName = session?.name || "User";
+    // Look up paired device for real name
+    for (const d of pairedDevices.values()) {
+        if (d.sessionId === sid && d.humanName) {
+            userName = d.humanName;
+            break;
+        }
+    }
+    log.info("handleRelayChat session", { userName, sessionValid: !!session });
+    const cs = await getOrCreateChatSession(sid, userName);
+    log.info("handleRelayChat chatSession ready", { turnCount: cs.turnCount, historyLen: cs.history.length });
+    // Add user message to history (tagged with source device)
+    cs.history.push({ role: "user", content: message, source: "phone" });
+    try {
+        const provider = resolveProvider();
+        const model = resolveChatModel() ?? undefined;
+        log.info("handleRelayChat calling LLM", { provider, model });
+        const llmProvider = getProvider(provider);
+        const response = await llmProvider.completeChat(cs.history, model);
+        log.info("handleRelayChat LLM responded", { responseLen: response.length });
+        // Add response to history
+        cs.history.push({ role: "assistant", content: response });
+        cs.turnCount++;
+        // Send response back through relay to the phone
+        await fetch("https://runcore.sh/api/relay/envelope", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                recipientHash: senderHash,
+                senderHash: instanceHash,
+                payload: Buffer.from(JSON.stringify({
+                    type: "chat_response",
+                    message: response,
+                    timestamp: new Date().toISOString(),
+                })).toString("base64"),
+            }),
+            signal: AbortSignal.timeout(10_000),
+        });
+    }
+    catch (err) {
+        log.warn("Relay chat failed", { error: err instanceof Error ? err.message : String(err) });
+        // Send error back to phone
+        await fetch("https://runcore.sh/api/relay/envelope", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                recipientHash: senderHash,
+                senderHash: instanceHash,
+                payload: Buffer.from(JSON.stringify({
+                    type: "status",
+                    message: "Error: " + (err instanceof Error ? err.message : String(err)),
+                    timestamp: new Date().toISOString(),
+                })).toString("base64"),
+            }),
+            signal: AbortSignal.timeout(10_000),
+        }).catch(() => { });
+    }
+}
+/**
+ * Handle a pairing request received via relay.
+ * Validates the safe word, issues device token, sends result back through relay.
+ */
+async function handleRelayPair(token, password, label, instanceHash) {
+    let result;
+    try {
+        const voucher = deviceVouchers.get(token);
+        if (!voucher || voucher.consumed || voucher.expiresAt < Date.now()) {
+            result = { ok: false, error: "Invalid or expired voucher" };
+        }
+        else {
+            const authResult = await authenticate(password);
+            if ("error" in authResult) {
+                result = { ok: false, error: "Invalid safe word" };
+            }
+            else {
+                // Consume voucher
+                voucher.consumed = true;
+                // Issue device token
+                const { randomBytes: rng } = await import("node:crypto");
+                const deviceToken = `dt_${rng(16).toString("hex")}`;
+                const device = {
+                    deviceToken,
+                    sessionId: authResult.session.id,
+                    humanName: authResult.name,
+                    label,
+                    pairedAt: new Date().toISOString(),
+                    lastSeen: new Date().toISOString(),
+                };
+                pairedDevices.set(deviceToken, device);
+                await savePairedDevices();
+                sessionKeys.set(authResult.session.id, authResult.sessionKey);
+                setEncryptionKey(authResult.sessionKey);
+                log.info("Device paired via relay", { label, token: token.slice(0, 8) + "..." });
+                result = { ok: true, deviceToken, sessionId: authResult.session.id, instanceName: getInstanceName() };
+            }
+        }
+    }
+    catch (err) {
+        result = { ok: false, error: err instanceof Error ? err.message : "Pairing failed" };
+    }
+    // Send result back through relay
+    try {
+        await fetch("https://runcore.sh/api/relay/pair", {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ type: "result", token, result }),
+            signal: AbortSignal.timeout(10_000),
+        });
+    }
+    catch {
+        log.warn("Failed to send pair result to relay", { token: token.slice(0, 8) + "..." });
+    }
+}
 // --- Vault routes ---
 // List vault keys (names + labels only, no values)
 app.get("/api/vault", async (c) => {
@@ -1267,6 +1751,61 @@ app.put("/api/prompt", async (c) => {
     await writeBrainFile(PERSONALITY_PATH, prompt ?? "");
     return c.json({ ok: true });
 });
+// --- Model discovery ---
+app.get("/api/models", async (c) => {
+    const ollamaUrl = process.env.OLLAMA_URL ?? "http://localhost:11434";
+    try {
+        const res = await fetch(`${ollamaUrl}/api/tags`, { signal: AbortSignal.timeout(3000) });
+        if (!res.ok)
+            return c.json({ models: [], error: "Ollama not responding" });
+        const data = await res.json();
+        const models = (data.models ?? []).map((m) => ({
+            name: m.name,
+            size: m.size,
+            modified: m.modified_at,
+        }));
+        return c.json({ models });
+    }
+    catch {
+        return c.json({ models: [], error: "Ollama not reachable" });
+    }
+});
+// --- Sensitivity trainer ---
+app.post("/api/sensitive/flag", async (c) => {
+    const body = await c.req.json().catch(() => null);
+    if (!body?.value || typeof body.value !== "string") {
+        return c.json({ error: "value required" }, 400);
+    }
+    const category = (body.category || "FLAGGED").toUpperCase();
+    const value = body.value.trim();
+    if (value.length < 2) {
+        return c.json({ error: "value too short" }, 400);
+    }
+    if (!activeSensitiveRegistry) {
+        return c.json({ error: "registry not initialized" }, 503);
+    }
+    const isNew = await activeSensitiveRegistry.addTerm(value, category);
+    // Append-only exposure log: who saw this, when, which model, which turn
+    const exposure = {
+        timestamp: new Date().toISOString(),
+        category,
+        valueLength: value.length,
+        model: body.model || null,
+        threadId: body.threadId || null,
+        turnIndex: body.turnIndex ?? null,
+        provider: body.provider || null,
+        action: "flag",
+        isNew,
+    };
+    try {
+        const logPath = join(BRAIN_DIR, "memory", "sensitivity-flags.jsonl");
+        await appendFile(logPath, JSON.stringify(exposure) + "\n", "utf-8");
+    }
+    catch {
+        // best-effort logging
+    }
+    return c.json({ ok: true, isNew, category });
+});
 // --- Settings routes ---
 app.get("/api/settings", async (c) => {
     const settings = getSettings();
@@ -1281,6 +1820,29 @@ app.get("/api/settings", async (c) => {
 });
 app.put("/api/settings", async (c) => {
     const body = await c.req.json();
+    // Handle human name change — updates identity file, session, and paired devices
+    if (typeof body.humanName === "string" && body.humanName.trim()) {
+        const newName = body.humanName.trim();
+        const sid = c.req.query("sessionId") || c.req.header("x-session-id") || "";
+        // Update identity file
+        try {
+            const { updateHumanName } = await import("./auth/identity.js");
+            await updateHumanName(newName);
+        }
+        catch (err) {
+            log.warn("Failed to update human name in identity file");
+        }
+        // Update current session
+        const session = validateSession(sid);
+        if (session)
+            session.name = newName;
+        // Update all paired devices
+        for (const d of pairedDevices.values()) {
+            d.humanName = newName;
+        }
+        await savePairedDevices();
+        return c.json({ ok: true, humanName: newName });
+    }
     const updated = await updateSettings(body);
     return c.json({
         ...updated,
@@ -1391,7 +1953,7 @@ app.get("/api/avatar/video/:hash", async (c) => {
     if (!/^[a-f0-9]+\.mp4$/.test(hash)) {
         return c.json({ error: "Invalid hash" }, 400);
     }
-    const filePath = join(PKG_ROOT, "public", "avatar", "cache", hash);
+    const filePath = join(UI_DIR, "avatar", "cache", hash);
     try {
         const mp4 = await readFile(filePath);
         return new Response(mp4, {
@@ -1421,7 +1983,7 @@ app.post("/api/avatar/photo", async (c) => {
         return c.json({ error: "Photo body required" }, 400);
     const avatarConfig = getAvatarConfig();
     const photoPath = join(process.cwd(), avatarConfig.photoPath);
-    await mkdir(join(PKG_ROOT, "public", "avatar"), { recursive: true });
+    await mkdir(join(UI_DIR, "avatar"), { recursive: true });
     await writeFile(photoPath, Buffer.from(body));
     const ok = await preparePhoto(photoPath);
     if (ok) {
@@ -1480,7 +2042,139 @@ app.get("/api/history", async (c) => {
         .map((m) => ({ role: m.role, content: m.content }));
     return c.json({ messages });
 });
+// Persist intro message so it appears in all tabs/devices
+app.post("/api/history/intro", async (c) => {
+    const body = await c.req.json();
+    const { sessionId, message } = body;
+    if (!sessionId || !message)
+        return c.json({ error: "sessionId and message required" }, 400);
+    const session = validateSession(sessionId);
+    if (!session)
+        return c.json({ error: "Invalid session" }, 401);
+    const cs = await getOrCreateChatSession(sessionId, session.name);
+    // Only add if history is empty (first run)
+    if (cs.history.length === 0) {
+        cs.history.push({ role: "assistant", content: message });
+    }
+    return c.json({ ok: true });
+});
+// --- Thread routes ---
+app.get("/api/threads", async (c) => {
+    const sessionId = c.req.query("sessionId");
+    if (!sessionId)
+        return c.json({ error: "sessionId required" }, 400);
+    const session = validateSession(sessionId);
+    if (!session)
+        return c.json({ error: "Invalid session" }, 401);
+    const threads = getThreadsForSession(sessionId);
+    const list = [...threads.values()]
+        .sort((a, b) => new Date(b.updatedAt).getTime() - new Date(a.updatedAt).getTime())
+        .map(t => ({ id: t.id, title: t.title, createdAt: t.createdAt, updatedAt: t.updatedAt }));
+    return c.json({ threads: list });
+});
+app.post("/api/threads", async (c) => {
+    const body = await c.req.json();
+    const sessionId = body.sessionId;
+    if (!sessionId)
+        return c.json({ error: "sessionId required" }, 400);
+    const session = validateSession(sessionId);
+    if (!session)
+        return c.json({ error: "Invalid session" }, 401);
+    const threads = getThreadsForSession(sessionId);
+    const now = new Date().toISOString();
+    const thread = {
+        id: generateThreadId(),
+        title: body.title || "New thread",
+        history: [],
+        historySummary: "",
+        createdAt: now,
+        updatedAt: now,
+    };
+    threads.set(thread.id, thread);
+    // Save current main history as the previous thread, then clear for fresh conversation
+    const cs = chatSessions.get(sessionId);
+    if (cs) {
+        cs.history = [];
+        cs.historySummary = "";
+        cs.foldedBack = false;
+        cs.turnCount = 0;
+    }
+    return c.json({ thread: { id: thread.id, title: thread.title, createdAt: thread.createdAt, updatedAt: thread.updatedAt } });
+});
+app.get("/api/threads/:id/history", async (c) => {
+    const sessionId = c.req.query("sessionId");
+    if (!sessionId)
+        return c.json({ error: "sessionId required" }, 400);
+    const session = validateSession(sessionId);
+    if (!session)
+        return c.json({ error: "Invalid session" }, 401);
+    const threads = getThreadsForSession(sessionId);
+    const thread = threads.get(c.req.param("id"));
+    if (!thread)
+        return c.json({ error: "Thread not found" }, 404);
+    const messages = thread.history
+        .filter((m) => m.role === "user" || m.role === "assistant")
+        .map((m) => ({ role: m.role, content: m.content }));
+    return c.json({ messages });
+});
+app.patch("/api/threads/:id", async (c) => {
+    const body = await c.req.json();
+    const sessionId = body.sessionId;
+    if (!sessionId)
+        return c.json({ error: "sessionId required" }, 400);
+    const session = validateSession(sessionId);
+    if (!session)
+        return c.json({ error: "Invalid session" }, 401);
+    const threads = getThreadsForSession(sessionId);
+    const thread = threads.get(c.req.param("id"));
+    if (!thread)
+        return c.json({ error: "Thread not found" }, 404);
+    if (body.title)
+        thread.title = body.title;
+    thread.updatedAt = new Date().toISOString();
+    return c.json({ ok: true });
+});
+app.delete("/api/threads/:id", async (c) => {
+    const sessionId = c.req.query("sessionId");
+    if (!sessionId)
+        return c.json({ error: "sessionId required" }, 400);
+    const session = validateSession(sessionId);
+    if (!session)
+        return c.json({ error: "Invalid session" }, 401);
+    const threads = getThreadsForSession(sessionId);
+    threads.delete(c.req.param("id"));
+    return c.json({ ok: true });
+});
 // Activity log: poll for background actions
+// SSE stream — real-time activity push
+app.get("/api/activity/stream", async (c) => {
+    const sessionId = c.req.query("sessionId");
+    if (!sessionId)
+        return c.json({ error: "sessionId required" }, 400);
+    const session = validateSession(sessionId);
+    if (!session)
+        return c.json({ error: "Invalid or expired session" }, 401);
+    const { onActivity } = await import("./activity/log.js");
+    return streamSSE(c, async (stream) => {
+        // Send heartbeat immediately
+        await stream.writeSSE({ data: JSON.stringify({ type: "heartbeat" }) });
+        const unsub = onActivity((entry) => {
+            stream.writeSSE({
+                data: JSON.stringify({ type: "action", action: entry }),
+            }).catch(() => { });
+        });
+        // Heartbeat every 30s to keep connection alive
+        const heartbeat = setInterval(() => {
+            stream.writeSSE({ data: JSON.stringify({ type: "heartbeat" }) }).catch(() => { });
+        }, 30_000);
+        stream.onAbort(() => {
+            unsub();
+            clearInterval(heartbeat);
+        });
+        // Keep stream open
+        await new Promise(() => { });
+    });
+});
 app.get("/api/activity", async (c) => {
     const sessionId = c.req.query("sessionId");
     if (!sessionId)
@@ -1547,13 +2241,24 @@ app.post("/api/branch", async (c) => {
         throw err;
     }
     const reqSignal = c.req.raw.signal;
+    // Apply membrane to branch messages before they reach the LLM
+    const branchMembrane = getActiveMembrane();
+    const redactedBranchMessages = messages.map((msg) => {
+        if (!branchMembrane)
+            return msg;
+        const copy = { ...msg };
+        if (typeof copy.content === "string") {
+            copy.content = branchMembrane.apply(copy.content);
+        }
+        return copy;
+    });
     return streamSSE(c, async (stream) => {
         // Send branch trace metadata so the UI can track lineage
         await stream.writeSSE({
             data: JSON.stringify({
                 meta: {
                     provider: activeProvider,
-                    model: activeChatModel ?? (activeProvider === "ollama" ? "llama3.1:8b" : "claude-sonnet-4"),
+                    model: activeChatModel ?? (activeProvider === "ollama" ? "llama3.2:3b" : "claude-sonnet-4"),
                     traceId: branchTraceId,
                     backref: primaryBackref,
                 },
@@ -1576,7 +2281,7 @@ app.post("/api/branch", async (c) => {
                 stream.writeSSE({ data: JSON.stringify({ token: rehydrated }) }).catch(() => { });
             };
             stream_fn({
-                messages,
+                messages: redactedBranchMessages,
                 model: activeChatModel,
                 signal: reqSignal,
                 onToken: (token) => {
@@ -1697,6 +2402,12 @@ app.post("/api/agents/locks/prune", async (_c) => {
     const pruned = await pruneAllStaleLocks();
     return _c.json({ pruned });
 });
+// --- Self-reported issues (autonomous agent findings) ---
+app.get("/api/agents/issues", async (c) => {
+    const { listIssues } = await import("./agents/issues.js");
+    const issues = await listIssues();
+    return c.json({ issues });
+});
 // --- Agent runtime routes ---
 app.get("/api/runtime/status", async (c) => {
     const rt = getRuntime();
@@ -2630,82 +3341,216 @@ app.post("/api/board/review/trigger", async (c) => {
 // ---------------------------------------------------------------------------
 // List all registered skills (metadata only)
 app.get("/api/skills", async (c) => {
-    const registry = getSkillRegistry();
-    if (!registry)
-        return c.json({ error: "Skills registry not initialized" }, 503);
-    const stateFilter = c.req.query("state");
-    const slotFilter = c.req.query("slot");
-    const skills = registry.list({
-        state: stateFilter,
-        slot: slotFilter,
-    });
-    return c.json(skills.map((s) => ({
-        name: s.meta.name,
-        description: s.meta.description,
-        slot: s.meta.slot,
-        state: s.state,
-        userInvocable: s.meta.userInvocable,
-        source: s.meta.source.type,
-        version: s.meta.version,
-        registeredAt: s.registeredAt,
+    const typeFilter = c.req.query("type");
+    const skills = await _skillRegistry.list();
+    const filtered = typeFilter ? skills.filter((s) => s.type === typeFilter) : skills;
+    return c.json(filtered.map((s) => ({
+        id: s.id,
+        name: s.name,
+        type: s.type,
+        description: s.description,
+        triggers: s.triggers,
+        loads: s.loads,
     })));
 });
-// Get a single skill (metadata + body)
+// Get a single skill (metadata + full content)
 app.get("/api/skills/:name", async (c) => {
-    const registry = getSkillRegistry();
-    if (!registry)
-        return c.json({ error: "Skills registry not initialized" }, 503);
     const name = c.req.param("name");
-    const skill = registry.get(name);
+    const skill = await _skillRegistry.get(name);
     if (!skill)
         return c.json({ error: "Skill not found" }, 404);
-    // Load body on demand
-    await registry.loadBody(name);
+    const content = await _skillRegistry.getContent(name);
     return c.json({
-        name: skill.meta.name,
-        description: skill.meta.description,
-        slot: skill.meta.slot,
-        state: skill.state,
-        userInvocable: skill.meta.userInvocable,
-        disableModelInvocation: skill.meta.disableModelInvocation,
-        source: skill.meta.source,
-        version: skill.meta.version,
-        body: skill.body,
-        referencedFiles: skill.referencedFiles,
-        registeredAt: skill.registeredAt,
-        refreshedAt: skill.refreshedAt,
+        ...skill,
+        content,
     });
 });
-// Resolve intent → matching skills
+// Resolve trigger → matching skill
 app.post("/api/skills/resolve", async (c) => {
-    const registry = getSkillRegistry();
-    if (!registry)
-        return c.json({ error: "Skills registry not initialized" }, 503);
-    const { intent, includeReference, limit } = await c.req.json();
-    if (!intent)
-        return c.json({ error: "intent is required" }, 400);
-    const results = registry.resolve(intent, { includeReference, limit });
-    return c.json(results.map((r) => ({
-        name: r.skill.meta.name,
-        description: r.skill.meta.description,
-        slot: r.skill.meta.slot,
-        reason: r.reason,
-        confidence: r.confidence,
-        priority: r.priority,
-    })));
+    const { trigger } = await c.req.json();
+    if (!trigger)
+        return c.json({ error: "trigger is required" }, 400);
+    const skill = await _skillRegistry.findByTrigger(trigger);
+    if (!skill)
+        return c.json({ error: "No matching skill" }, 404);
+    return c.json({
+        id: skill.id,
+        name: skill.name,
+        type: skill.type,
+        description: skill.description,
+        triggers: skill.triggers,
+    });
 });
-// Validate a skill file
-app.post("/api/skills/:name/validate", async (c) => {
-    const registry = getSkillRegistry();
-    if (!registry)
-        return c.json({ error: "Skills registry not initialized" }, 503);
-    const { content } = await c.req.json();
-    if (!content)
-        return c.json({ error: "content is required" }, 400);
-    const name = c.req.param("name");
-    const result = registry.validate(name, content);
+// --- Plugin status routes ---
+import { getPluginStatusSummary } from "./plugins/status.js";
+import { initPlugins, shutdownPlugins } from "./plugins/index.js";
+// --- File management routes ---
+import { fileRegistry, computeChecksum } from "./files/registry.js";
+import { validateUpload } from "./files/validate.js";
+import { slugify } from "./files/validate.js";
+app.get("/api/plugins", (c) => {
+    return c.json(getPluginStatusSummary());
+});
+// --- File management routes ---
+// Upload file — persist to brain/files/data/, register in JSONL
+app.post("/api/files/upload", async (c) => {
+    try {
+        const formData = await c.req.formData();
+        const file = formData.get("file");
+        if (!file)
+            return c.json({ error: "No file provided" }, 400);
+        const source = formData.get("source") || "user-upload";
+        const tagsRaw = formData.get("tags");
+        const tags = tagsRaw ? tagsRaw.split(",").map(t => t.trim()).filter(Boolean) : [];
+        // Folder path from directory upload — preserved as virtual folder tag
+        const folder = formData.get("folder");
+        if (folder)
+            tags.push("folder:" + folder);
+        const buffer = Buffer.from(await file.arrayBuffer());
+        const maxUploadBytes = 50 * 1024 * 1024; // 50 MB
+        // Validate: extension allowlist, magic bytes, size, content scan
+        const validation = await validateUpload(buffer, file.name, file.type, maxUploadBytes);
+        if (!validation.valid) {
+            return c.json({ error: validation.rejected }, 400);
+        }
+        // Generate storage path: brain/files/data/YYYY-MM-DD/slug_id.ext
+        const dateDir = new Date().toISOString().slice(0, 10);
+        const slug = slugify(file.name.replace(/\.[^.]+$/, ""));
+        const checksum = computeChecksum(buffer);
+        // Check for duplicate by checksum
+        const existing = await fileRegistry.list({});
+        const dup = existing.find(r => r.checksum === checksum && r.status === "active");
+        if (dup) {
+            return c.json({ file: dup, duplicate: true });
+        }
+        const storageDir = join(BRAIN_DIR, "files", "data", dateDir);
+        await mkdir(storageDir, { recursive: true });
+        const storedName = `${slug}_${Date.now()}${validation.detectedExt}`;
+        const storagePath = join("files", "data", dateDir, storedName);
+        const fullPath = join(BRAIN_DIR, storagePath);
+        await writeFile(fullPath, buffer);
+        // Extract text preview for searchability
+        let textPreview;
+        const textExts = new Set([".txt", ".md", ".csv", ".json", ".yaml", ".yml", ".xml", ".log"]);
+        if (textExts.has(validation.detectedExt)) {
+            textPreview = buffer.toString("utf-8").slice(0, 500);
+        }
+        else if (validation.detectedExt === ".pdf") {
+            try {
+                const { extractPdfText } = await import("./files/extract.js");
+                textPreview = (await extractPdfText(buffer)).slice(0, 500);
+            }
+            catch { /* PDF extraction optional */ }
+        }
+        // Register in file registry
+        const record = await fileRegistry.register({
+            filename: validation.sanitizedName,
+            storagePath,
+            mimeType: validation.detectedMime || file.type,
+            sizeBytes: buffer.length,
+            checksum,
+            tags,
+            source,
+            status: "active",
+        });
+        // Trigger volume replication (on-write event)
+        volumeManager.handleEvent({ type: "write", fileId: record.id, volume: "primary" }).catch((err) => log.warn("Volume on-write event failed", { error: String(err) }));
+        return c.json({ file: record, duplicate: false });
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        log.warn("File upload failed", { error: msg });
+        return c.json({ error: `Upload failed: ${msg}` }, 500);
+    }
+});
+// Download / serve a stored file
+app.get("/api/files/:id/download", async (c) => {
+    const record = await fileRegistry.get(c.req.param("id"));
+    if (!record)
+        return c.json({ error: "File not found" }, 404);
+    const fullPath = join(BRAIN_DIR, record.storagePath);
+    try {
+        const data = await readFile(fullPath);
+        return c.newResponse(data, 200, {
+            "Content-Type": record.mimeType,
+            "Content-Disposition": `inline; filename="${record.filename}"`,
+            "Content-Length": String(data.length),
+        });
+    }
+    catch {
+        return c.json({ error: "File data not found on disk" }, 404);
+    }
+});
+// List virtual folders (must be before :id route)
+app.get("/api/files/folders", async (c) => {
+    const folders = await fileRegistry.getFolders();
+    return c.json({ folders });
+});
+app.get("/api/files", async (c) => {
+    const status = c.req.query("status");
+    const source = c.req.query("source");
+    const q = c.req.query("q");
+    if (q) {
+        const results = await fileRegistry.search(q);
+        return c.json({ files: results, total: results.length });
+    }
+    const results = await fileRegistry.list({ status, source });
+    return c.json({ files: results, total: results.length });
+});
+app.get("/api/files/:id", async (c) => {
+    const record = await fileRegistry.get(c.req.param("id"));
+    if (!record)
+        return c.json({ error: "File not found", code: "NOT_FOUND", status: 404 }, 404);
+    return c.json(record);
+});
+app.post("/api/files/:id/archive", async (c) => {
+    const result = await fileRegistry.archive(c.req.param("id"));
+    if (!result)
+        return c.json({ error: "File not found", code: "NOT_FOUND", status: 404 }, 404);
     return c.json(result);
 });
+// Update file tags / move to virtual folder
+app.put("/api/files/:id", async (c) => {
+    const body = await c.req.json();
+    const { tags, source, folder } = body;
+    const id = c.req.param("id");
+    const record = await fileRegistry.get(id);
+    if (!record)
+        return c.json({ error: "File not found" }, 404);
+    // Handle virtual folder: stored as tag "folder:Name"
+    let updatedTags = tags ?? [...(record.tags ?? [])];
+    if (folder !== undefined) {
+        // Remove existing folder tags, add new one
+        updatedTags = updatedTags.filter(t => !t.startsWith("folder:"));
+        if (folder)
+            updatedTags.push("folder:" + folder);
+    }
+    const result = await fileRegistry.update(id, { tags: updatedTags, ...(source ? { source } : {}) });
+    return c.json(result);
+});
+// --- Volume management routes ---
+app.get("/api/volumes", async (c) => {
+    const states = volumeManager.getStates();
+    const configs = volumeManager.getConfigs();
+    return c.json({
+        volumes: configs.map((cfg) => {
+            const state = states.find((s) => s.name === cfg.name);
+            return { ...cfg, ...state };
+        }),
+        pendingReplications: volumeManager.getPendingCount(),
+    });
+});
+app.post("/api/volumes/probe", async (c) => {
+    const states = await volumeManager.probeAll();
+    return c.json({ volumes: states });
+});
+app.post("/api/volumes/event", async (c) => {
+    const event = await c.req.json();
+    if (!event?.type)
+        return c.json({ error: "Missing event type" }, 400);
+    await volumeManager.handleEvent(event);
+    return c.json({ ok: true });
+});
 // --- Module discovery routes ---
 app.get("/api/modules", (c) => {
     const registry = getModuleRegistry();
@@ -3198,6 +4043,67 @@ app.get("/api/metrics/names", async (c) => {
     const names = await metricsStore.metricNames();
     return c.json({ names });
 });
+// Time-series bucketed data for a named metric.
+app.get("/api/metrics/series", async (c) => {
+    const name = c.req.query("name");
+    if (!name)
+        return c.json({ error: "name parameter required" }, 400);
+    const now = Date.now();
+    const since = c.req.query("since") ?? new Date(now - 60 * 60 * 1000).toISOString();
+    const until = c.req.query("until") ?? new Date(now).toISOString();
+    const bucketCount = parseInt(c.req.query("buckets") ?? "60", 10);
+    const points = await metricsStore.query({ name, since, until });
+    const sinceMs = new Date(since).getTime();
+    const untilMs = new Date(until).getTime();
+    const intervalMs = (untilMs - sinceMs) / bucketCount;
+    const buckets = [];
+    for (let i = 0; i < bucketCount; i++) {
+        const bucketStart = sinceMs + i * intervalMs;
+        const bucketEnd = bucketStart + intervalMs;
+        const bucketStartISO = new Date(bucketStart).toISOString();
+        const bucketEndISO = new Date(bucketEnd).toISOString();
+        const inBucket = points.filter((p) => {
+            const t = p.timestamp;
+            return t >= bucketStartISO && (i === bucketCount - 1 ? t <= bucketEndISO : t < bucketEndISO);
+        });
+        if (inBucket.length === 0) {
+            buckets.push({ time: bucketStartISO, count: 0, avg: 0, min: 0, max: 0 });
+        }
+        else {
+            const values = inBucket.map((p) => p.value);
+            const sum = values.reduce((a, v) => a + v, 0);
+            buckets.push({
+                time: bucketStartISO,
+                count: inBucket.length,
+                avg: sum / inBucket.length,
+                min: Math.min(...values),
+                max: Math.max(...values),
+            });
+        }
+    }
+    return c.json({ name, since, until, buckets, interval: intervalMs });
+});
+// Export raw metric points as JSON or CSV.
+app.get("/api/metrics/export", async (c) => {
+    const now = Date.now();
+    const since = c.req.query("since") ?? new Date(now - 24 * 60 * 60 * 1000).toISOString();
+    const until = c.req.query("until") ?? new Date(now).toISOString();
+    const name = c.req.query("name") || undefined;
+    const format = c.req.query("format") ?? "json";
+    const points = await metricsStore.query({ name, since, until });
+    if (format === "csv") {
+        const header = "timestamp,name,value,unit,tags";
+        const rows = points.map((p) => {
+            const tags = p.tags ? JSON.stringify(p.tags).replace(/"/g, '""') : "";
+            return `${p.timestamp},${p.name},${p.value},${p.unit ?? ""},\"${tags}\"`;
+        });
+        const csv = [header, ...rows].join("\n");
+        c.header("Content-Type", "text/csv");
+        c.header("Content-Disposition", 'attachment; filename="metrics-export.csv"');
+        return c.body(csv);
+    }
+    return c.json({ points, count: points.length });
+});
 // Evaluate alert thresholds and return any fired alerts.
 app.post("/api/metrics/alerts/evaluate", async (c) => {
     const alerts = await evaluateAlerts(metricsStore);
@@ -3233,7 +4139,7 @@ app.get("/api/cache", (c) => {
 });
 // --- Help page routes (no auth — knowledge exchange for other AIs/humans) ---
 app.get("/help", async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "help.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "help.html"));
     return c.html(html);
 });
 app.get("/api/help/context", async (c) => {
@@ -3276,33 +4182,33 @@ app.get("/api/help/context", async (c) => {
 // --- Ops dashboard routes (posture-gated: board level) ---
 // Board-level pages — only assembled when user has shown intent for full visibility
 app.get("/observatory", requireSurface("pages"), async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "observatory.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "observatory.html"));
     return c.html(html);
 });
 app.get("/ops", requireSurface("pages"), async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "ops.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "ops.html"));
     return c.html(html);
 });
 app.get("/board", requireSurface("pages"), async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "board.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "board.html"));
     return c.html(html);
 });
 app.get("/library", requireSurface("pages"), async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "library.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "library.html"));
     return c.html(html);
 });
 app.get("/browser", requireSurface("pages"), async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "browser.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "browser.html"));
     return c.html(html);
 });
 // Registry is always available — it's the entry point
 app.get("/registry", async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "registry.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "registry.html"));
     return c.html(html);
 });
 // Serve roadmap.html (strategic roadmap & rearview)
 app.get("/roadmap", async (c) => {
-    const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "roadmap.html"));
+    const html = await serveHtmlTemplate(join(UI_DIR, "roadmap.html"));
     return c.html(html);
 });
 // Roadmap API — parse brain/operations/roadmap.yaml and return as JSON
@@ -3317,12 +4223,17 @@ app.get("/api/roadmap", async (c) => {
     }
 });
 // Roadmap rearview API — recent git commits grouped by hour
+// Git is an optional signal source — returns empty when unavailable.
 app.get("/api/roadmap/recent", async (c) => {
     const hours = parseInt(c.req.query("hours") || "24", 10);
     if (isNaN(hours) || hours < 1 || hours > 168) {
         return c.json({ error: "hours must be between 1 and 168" }, 400);
     }
     try {
+        const { gitAvailable } = await import("./utils/git.js");
+        if (!gitAvailable()) {
+            return c.json({ commits: [], groups: [], hours, total: 0 });
+        }
         const { execSync } = await import("child_process");
         const since = new Date(Date.now() - hours * 60 * 60 * 1000).toISOString();
         const raw = execSync(`git log --after="${since}" --format="%H||%an||%ai||%s" --no-merges`, { cwd: process.cwd(), encoding: "utf-8", timeout: 10000 }).trim();
@@ -3364,7 +4275,7 @@ app.get("/api/roadmap/recent", async (c) => {
 // Serve personal.html (placeholder — instances populate this)
 app.get("/personal", async (c) => {
     try {
-        const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "personal.html"));
+        const html = await serveHtmlTemplate(join(UI_DIR, "personal.html"));
         return c.html(html);
     }
     catch {
@@ -3374,7 +4285,7 @@ app.get("/personal", async (c) => {
 // Serve life.html (placeholder — instances populate this)
 app.get("/life", async (c) => {
     try {
-        const html = await serveHtmlTemplate(join(PKG_ROOT, "public", "life.html"));
+        const html = await serveHtmlTemplate(join(UI_DIR, "life.html"));
         return c.html(html);
     }
     catch {
@@ -3832,6 +4743,26 @@ app.post("/api/nerve/accept-update", async (c) => {
         return c.json({ error: err.message }, 500);
     }
 });
+// Poll for new chat messages (phone → PC live feed)
+app.get("/api/chat/poll", async (c) => {
+    const sessionId = c.req.query("sessionId") || c.req.header("x-session-id");
+    if (!sessionId)
+        return c.json({ error: "sessionId required" }, 400);
+    const since = parseInt(c.req.query("since") || "0", 10);
+    const cs = chatSessions.get(sessionId) || (chatSessions.size > 0 ? chatSessions.values().next().value : null);
+    if (!cs)
+        return c.json({ messages: [], total: 0 });
+    const total = cs.history.length;
+    if (since >= total)
+        return c.json({ messages: [], total });
+    const newMsgs = cs.history.slice(since).map((m, i) => ({
+        index: since + i,
+        role: m.role,
+        content: typeof m.content === "string" ? m.content : JSON.stringify(m.content),
+        source: m.source || "pc",
+    }));
+    return c.json({ messages: newMsgs, total });
+});
 // Chat: streamed response (or learn command)
 app.post("/api/chat", async (c) => {
     const body = await c.req.json();
@@ -4164,33 +5095,30 @@ app.post("/api/chat", async (c) => {
             }
         }
     }
-    // Inject resolved skill content (reference skills auto-load by intent match)
+    // Inject resolved skill content (reference skills auto-load by trigger match)
     try {
-        const registry = getSkillRegistry();
-        if (registry) {
-            const resolved = registry.resolve(chatMessage, { includeReference: true });
-            for (const res of resolved) {
-                const body = await registry.loadBody(res.skill.meta.name);
-                if (body) {
-                    // Load files referenced by the skill (brain/ paths)
-                    const refPaths = body.match(/(?:brain|docs)\/[\w\-\/]+\.\w+/g) ?? [];
-                    const refContents = [];
-                    for (const refPath of refPaths) {
-                        try {
-                            const content = await readBrainFile(join(process.cwd(), refPath));
-                            refContents.push(`--- ${refPath} ---\n${content}\n--- end ${refPath} ---`);
-                        }
-                        catch { /* skip missing files */ }
+        const matched = await _skillRegistry.findByTrigger(chatMessage);
+        if (matched) {
+            const body = await _skillRegistry.getContent(matched.id);
+            if (body) {
+                // Load files referenced by the skill (brain/ paths)
+                const refPaths = body.match(/(?:brain|docs)\/[\w\-\/]+\.\w+/g) ?? [];
+                const refContents = [];
+                for (const refPath of refPaths) {
+                    try {
+                        const content = await readBrainFile(join(process.cwd(), refPath));
+                        refContents.push(`--- ${refPath} ---\n${content}\n--- end ${refPath} ---`);
                     }
-                    const skillSection = [
-                        `--- Skill: ${res.skill.meta.name} (${res.reason}, confidence ${res.confidence.toFixed(2)}) ---`,
-                        body,
-                        ...refContents,
-                        `--- end skill ---`,
-                    ].join("\n");
-                    ctx.messages.splice(1, 0, { role: "system", content: skillSection });
-                    logActivity({ source: "system", summary: `Loaded skill: ${res.skill.meta.name} (${res.reason})` });
+                    catch { /* skip missing files */ }
                 }
+                const skillSection = [
+                    `--- Skill: ${matched.name} (${matched.type}) ---`,
+                    body,
+                    ...refContents,
+                    `--- end skill ---`,
+                ].join("\n");
+                ctx.messages.splice(1, 0, { role: "system", content: skillSection });
+                logActivity({ source: "system", summary: `Loaded skill: ${matched.name} (${matched.type})` });
             }
         }
     }
@@ -4545,7 +5473,55 @@ app.post("/api/chat", async (c) => {
     const reqSignal = c.req.raw.signal;
     return streamSSE(c, async (stream) => {
         // Send metadata first so UI can show which model is responding
-        await stream.writeSSE({ data: JSON.stringify({ meta: { provider: activeProvider, model: activeChatModel ?? (activeProvider === "ollama" ? "llama3.1:8b" : "claude-sonnet-4") } }) });
+        await stream.writeSSE({ data: JSON.stringify({ meta: { provider: activeProvider, model: activeChatModel ?? (activeProvider === "ollama" ? "llama3.2:3b" : "claude-sonnet-4") } }) });
+        // --- Apply membrane: redact messages BEFORE they reach the LLM ---
+        const membrane = getActiveMembrane();
+        const redactedMessages = ctx.messages.map((msg) => {
+            if (!membrane)
+                return msg;
+            const copy = { ...msg };
+            if (typeof copy.content === "string") {
+                copy.content = membrane.apply(copy.content);
+            }
+            else if (Array.isArray(copy.content)) {
+                copy.content = copy.content.map((block) => {
+                    if (block.type === "text" && typeof block.text === "string") {
+                        return { ...block, text: membrane.apply(block.text) };
+                    }
+                    return block;
+                });
+            }
+            return copy;
+        });
+        // --- Membrane view: emit what the LLM will see (redacted) ---
+        try {
+            const membraneView = [];
+            for (const msg of redactedMessages) {
+                const raw = typeof msg.content === "string" ? msg.content
+                    : Array.isArray(msg.content) ? msg.content.map((b) => b.text || b.type || "").join(" ") : "";
+                if (!raw)
+                    continue;
+                // Count redactions by counting placeholders (already redacted)
+                const placeholders = raw.match(/<<[A-Z_]+_\d+>>|\[REDACTED:[^\]]+\]/g);
+                membraneView.push({
+                    role: msg.role,
+                    preview: raw.slice(0, 300) + (raw.length > 300 ? "..." : ""),
+                    redactions: placeholders ? placeholders.length : 0,
+                });
+            }
+            const totalRedactions = membraneView.reduce((sum, m) => sum + m.redactions, 0);
+            await stream.writeSSE({ data: JSON.stringify({
+                    membrane: {
+                        messageCount: redactedMessages.length,
+                        totalRedactions,
+                        messages: membraneView,
+                        sealValues: membrane ? membrane.knownValues.map(v => v.value) : [],
+                    },
+                }) });
+        }
+        catch (memErr) {
+            log.warn("membrane view error", { error: String(memErr) });
+        }
         let fullResponse = "";
         const savePartial = () => {
             if (fullResponse) {
@@ -4571,16 +5547,17 @@ app.post("/api/chat", async (c) => {
             const flushBuf2 = () => {
                 if (!tokenBuf2)
                     return;
+                // Debug: trace rehydration
                 const rehydrated = rehydrateResponse(tokenBuf2);
+                fullResponse += rehydrated;
                 tokenBuf2 = "";
                 stream.writeSSE({ data: JSON.stringify({ token: rehydrated }) }).catch(() => { });
             };
             stream_fn({
-                messages: ctx.messages,
+                messages: redactedMessages,
                 model: activeChatModel,
                 signal: reqSignal,
                 onToken: (token) => {
-                    fullResponse += token;
                     tokenBuf2 += token;
                     // Hold if buffer ends with partial placeholder
                     const lastOpen = tokenBuf2.lastIndexOf("<<");
@@ -4588,7 +5565,7 @@ app.post("/api/chat", async (c) => {
                         return;
                     flushBuf2();
                 },
-                onDone: () => {
+                onDone: async () => {
                     flushBuf2(); // flush remainder
                     reqSignal?.removeEventListener("abort", onAbort);
                     // Process action blocks BEFORE sending done — ensures SSE events reach client before stream closes.
@@ -4640,20 +5617,23 @@ app.post("/api/chat", async (c) => {
                                     }
                                     spawnCount++;
                                     agentLog.info(` Spawning: ${label}${(isVague || isWishList) ? " (grounded)" : ""}`);
-                                    stream.writeSSE({ data: JSON.stringify({ agentSpawned: { label } }) }).catch(() => { });
-                                    submitTask({
-                                        label,
-                                        prompt: finalPrompt,
-                                        origin: "ai",
-                                        sessionId,
-                                        boardTaskId: req.taskId,
-                                    }).then((task) => {
+                                    // Await task submission so we can send the real task ID to the client
+                                    try {
+                                        const task = await submitTask({
+                                            label,
+                                            prompt: finalPrompt,
+                                            origin: "ai",
+                                            sessionId,
+                                            boardTaskId: req.taskId,
+                                        });
+                                        stream.writeSSE({ data: JSON.stringify({ agentSpawned: { label, taskId: task.id } }) }).catch(() => { });
                                         logActivity({ source: "agent", summary: `AI-triggered agent: ${task.label}`, detail: `Task ${task.id}, PID ${task.pid}`, actionLabel: "PROMPTED", reason: "user chat triggered agent" });
-                                    }).catch((err) => {
+                                    }
+                                    catch (err) {
                                         agentLog.error(`Spawn failed for "${label}": ${err.message}`);
                                         logActivity({ source: "agent", summary: `AI agent spawn failed: ${err.message}`, actionLabel: "PROMPTED", reason: "user chat triggered agent spawn failed" });
                                         stream.writeSSE({ data: JSON.stringify({ agentError: { label, error: err.message } }) }).catch(() => { });
-                                    });
+                                    }
                                 }
                                 else {
                                     agentLog.warn(`Parsed JSON but missing "prompt" field: ${jsonMatch[0].slice(0, 200)}`);
@@ -4819,12 +5799,16 @@ app.post("/api/chat", async (c) => {
                     }
                     else {
                         let errorMsg = err instanceof LLMError ? err.userMessage : (err.message || "Stream error");
+                        // Include raw detail for health drilldown — client shows this, not the friendly version
+                        const rawDetail = err instanceof LLMError
+                            ? `${err.provider} ${err.statusCode || ""}: ${err.message}`.trim()
+                            : (err.message || "Stream error");
                         if (isPrivateMode() && /ECONNREFUSED|fetch failed|network|socket/i.test(errorMsg)) {
                             const health = await checkOllamaHealth();
                             if (!health.ok)
                                 errorMsg += " — Check that Ollama is running. " + health.message;
                         }
-                        stream.writeSSE({ data: JSON.stringify({ error: errorMsg }) }).catch(() => { });
+                        stream.writeSSE({ data: JSON.stringify({ error: errorMsg, errorDetail: rawDetail }) }).catch(() => { });
                     }
                     resolve(); // Still resolve so stream closes
                 },
@@ -4954,9 +5938,9 @@ async function start(opts) {
     // Install fetch guard before any routes or outbound calls
     installFetchGuard();
     // Initialize PrivacyMembrane for reversible redaction
-    const sensitiveRegistry = new SensitiveRegistry();
-    await sensitiveRegistry.load(BRAIN_DIR);
-    const membrane = new PrivacyMembrane(sensitiveRegistry);
+    activeSensitiveRegistry = new SensitiveRegistry();
+    await activeSensitiveRegistry.load(BRAIN_DIR);
+    const membrane = new PrivacyMembrane(activeSensitiveRegistry);
     setActiveMembrane(membrane);
     // Run independent initialization in parallel: LLM cache, auth, and sidecars
     const [, pairingCode, sidecarResults] = await Promise.all([
@@ -4979,6 +5963,33 @@ async function start(opts) {
     ]);
     const code = pairingCode;
     const [searchAvailable, ttsAvailable, sttAvailable] = sidecarResults;
+    // Load paired mobile devices
+    await loadPairedDevices();
+    // Register with runcore.sh relay (fire-and-forget, non-blocking)
+    (async () => {
+        try {
+            const { createHash } = await import("node:crypto");
+            const instanceHash = createHash("sha256")
+                .update(getInstanceName() + BRAIN_DIR)
+                .digest("hex")
+                .slice(0, 16);
+            await fetch("https://runcore.sh/api/relay/register", {
+                method: "POST",
+                headers: { "Content-Type": "application/json" },
+                body: JSON.stringify({
+                    instanceHash,
+                    displayName: getInstanceName(),
+                }),
+                signal: AbortSignal.timeout(10_000),
+            });
+            log.info("Registered with runcore.sh relay", { instanceHash });
+            // Start polling relay for incoming phone messages
+            startRelayPoll(instanceHash);
+        }
+        catch {
+            log.debug("Relay registration skipped (offline or unreachable)");
+        }
+    })();
     // Pre-warm notification queue from disk (encryption key is set by now)
     const notifCount = await initNotifications();
     if (notifCount > 0)
@@ -5030,12 +6041,13 @@ async function start(opts) {
     // of skills/module init, so running them concurrently improves startup time (DASH-60).
     // Note: initAgents() only creates directories — recovery runs after the runtime
     // is ready so the monitor can skip runtime-managed tasks (DASH-82 fix).
-    const [skillRegistry, moduleRegistry, , runtime] = await Promise.all([
-        createSkillRegistry({ skillsDir: SKILLS_DIR, brainDir: BRAIN_DIR }),
+    const [, moduleRegistry, , runtime] = await Promise.all([
+        _skillRegistry.refresh(),
         Promise.resolve(createModuleRegistry(BRAIN_DIR)),
         initAgents(),
         createRuntime(),
     ]);
+    const skillRegistry = _skillRegistry;
     // Recover tasks from previous session AFTER runtime is initialized.
     // The monitor checks the runtime registry to skip tasks that RuntimeManager
     // already handles, preventing the double-recovery race (DASH-82).
@@ -5110,6 +6122,10 @@ async function start(opts) {
     }
     if (isTasksAvailable())
         startTasksTimer();
+    // Initialize plugin registry (authenticate + start all registered plugins)
+    await initPlugins().catch((err) => {
+        log.warn("Plugin init failed", { error: err instanceof Error ? err.message : String(err) });
+    });
     // Wire batch continuation: when all agents finish, commit + decide what's next (direct LLM, no HTTP)
     setOnBatchComplete(async (sessionId, results) => {
         try {
@@ -5279,9 +6295,9 @@ async function start(opts) {
         log.info("Google: add GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET in vault to enable");
     }
     // Show skills registry status
-    if (skillRegistry) {
-        const counts = skillRegistry.countByState();
-        log.info(`Skills: ${skillRegistry.size} registered (${counts.registered} active)`);
+    {
+        const allSkills = await skillRegistry.list();
+        log.info(`Skills: ${allSkills.length} registered`);
     }
     // Show module registry status
     if (moduleRegistry) {
@@ -5294,9 +6310,21 @@ async function start(opts) {
         const taskCount = await queueProvider.getStore().count();
         log.info(`Board: ${board.name} (local, ${taskCount} tasks)`);
     }
+    // Sync UI from CDN (non-blocking — falls back to bundled if offline)
+    syncUi().then(({ source, revision }) => {
+        if (source === "cdn") {
+            UI_DIR = getUiPublicDir(PKG_ROOT);
+            log.info(`UI synced from CDN: revision ${revision}`);
+        }
+        else {
+            log.info(`UI source: ${source}${revision ? ` (revision ${revision})` : ""}`);
+        }
+    }).catch(() => { });
     // Generate startup token for zero-friction local auth
     const { randomBytes: rng } = await import("node:crypto");
     startupToken = rng(32).toString("hex");
+    // Warm up local model in background (non-blocking)
+    import("./llm/ollama.js").then(({ warmupOllama }) => warmupOllama()).catch(() => { });
     if (code) {
         log.info(`First launch detected. Pairing code: ${code}`);
     }
@@ -5319,6 +6347,7 @@ async function start(opts) {
         const emailBrain = new Brain({
             systemPrompt: [
                 `You are ${getInstanceName()}, a personal AI agent paired with ${name}. You run locally on ${name}'s machine.`,
+                `Today is ${new Date().toLocaleDateString("en-US", { weekday: "long", year: "numeric", month: "long", day: "numeric" })}.`,
                 `You are responding to an email that was sent to you. This is a working email channel — you received this email and your reply will be sent back automatically via Gmail.`,
                 ``,
                 `Your capabilities — USE THEM when the email requests action:`,
@@ -5385,12 +6414,15 @@ async function start(opts) {
     });
     log.info(`${getInstanceName()} email handler registered — emails with '${getInstanceName()}' in subject will be auto-replied`);
     await new Promise((resolve) => {
-        const server = serve({ fetch: app.fetch, port: PORT }, () => {
+        function onListening(server) {
             const addr = server.address();
             if (typeof addr === "object" && addr) {
                 actualPort = addr.port;
             }
             log.info(`Listening on http://localhost:${actualPort}`);
+            acquireLock(actualPort, getInstanceName());
+            console.log(`\n  ${getInstanceName()} is running:\n`);
+            console.log(`  → http://localhost:${actualPort}\n`);
             // Show LAN IP for phone access
             try {
                 import("node:os").then(({ networkInterfaces }) => {
@@ -5398,7 +6430,7 @@ async function start(opts) {
                     for (const name of Object.keys(nets)) {
                         for (const net of nets[name] ?? []) {
                             if (net.family === "IPv4" && !net.internal) {
-                                log.info(`Nerve (phone): http://${net.address}:${actualPort}/nerve`);
+                                console.log(`  → http://${net.address}:${actualPort}  (LAN)\n`);
                             }
                         }
                     }
@@ -5417,7 +6449,29 @@ async function start(opts) {
                 }
             }
             resolve();
-        });
+        }
+        try {
+            const server = serve({ fetch: app.fetch, port: PORT }, () => onListening(server));
+            server.on("error", (err) => {
+                if (err.code === "EADDRINUSE" && PORT !== 0) {
+                    log.warn(`Port ${PORT} in use, falling back to random port`);
+                    const fallback = serve({ fetch: app.fetch, port: 0 }, () => onListening(fallback));
+                }
+                else {
+                    throw err;
+                }
+            });
+        }
+        catch (err) {
+            // If serve() throws synchronously (unlikely but safe)
+            if (PORT !== 0) {
+                log.warn(`Port ${PORT} failed, falling back to random port`);
+                const fallback = serve({ fetch: app.fetch, port: 0 }, () => onListening(fallback));
+            }
+            else {
+                throw err;
+            }
+        }
     });
 }
 /** Returns the port the server is actually listening on (resolves port 0). */
@@ -5554,8 +6608,10 @@ async function gracefulShutdown(signal) {
     stopSidecar();
     await closeBrowser();
     shutdownAgents();
+    await shutdownPlugins().catch(() => { });
     await shutdownLLMCache();
     await shutdownTracing();
+    releaseLock();
     process.exit(0);
 }
 process.on("SIGINT", () => { gracefulShutdown("SIGINT"); });