@slock-ai/computer 0.0.13 → 0.0.15

package/dist/index.js

@@ -6917,13 +6917,13 @@ var require_infra = __commonJS({
     }
     function collectASequenceOfCodePointsFast(char, input, position) {
       const idx = input.indexOf(char, position.position);
-      const start = position.position;
+      const start2 = position.position;
       if (idx === -1) {
         position.position = input.length;
-        return input.slice(start);
+        return input.slice(start2);
       }
       position.position = idx;
-      return input.slice(start, position.position);
+      return input.slice(start2, position.position);
     }
     var ASCII_WHITESPACE_REPLACE_REGEX = /[\u0009\u000A\u000C\u000D\u0020]/g;
     function forgivingBase64(data) {
@@ -9193,11 +9193,11 @@ var require_formdata_parser = __commonJS({
       }
     }
     function collectASequenceOfBytes(condition, input, position) {
-      let start = position.position;
-      while (start < input.length && condition(input[start])) {
-        ++start;
+      let start2 = position.position;
+      while (start2 < input.length && condition(input[start2])) {
+        ++start2;
       }
-      return input.subarray(position.position, position.position = start);
+      return input.subarray(position.position, position.position = start2);
     }
     function removeChars(buf, leading, trailing, predicate) {
       let lead = 0;
@@ -9210,12 +9210,12 @@ var require_formdata_parser = __commonJS({
       }
       return lead === 0 && trail === buf.length - 1 ? buf : buf.subarray(lead, trail + 1);
     }
-    function bufferStartsWith(buffer, start, position) {
-      if (buffer.length < start.length) {
+    function bufferStartsWith(buffer, start2, position) {
+      if (buffer.length < start2.length) {
         return false;
       }
-      for (let i = 0; i < start.length; i++) {
-        if (start[i] !== buffer[position.position + i]) {
+      for (let i = 0; i < start2.length; i++) {
+        if (start2[i] !== buffer[position.position + i]) {
           return false;
         }
       }
@@ -9657,8 +9657,8 @@ var require_client_h1 = __commonJS({
            */
           wasm_on_status: (p, at, len) => {
             assert(currentParser.ptr === p);
-            const start = at - currentBufferPtr + currentBufferRef.byteOffset;
-            return currentParser.onStatus(new FastBuffer(currentBufferRef.buffer, start, len));
+            const start2 = at - currentBufferPtr + currentBufferRef.byteOffset;
+            return currentParser.onStatus(new FastBuffer(currentBufferRef.buffer, start2, len));
           },
           /**
            * @param {number} p
@@ -9676,8 +9676,8 @@ var require_client_h1 = __commonJS({
            */
           wasm_on_header_field: (p, at, len) => {
             assert(currentParser.ptr === p);
-            const start = at - currentBufferPtr + currentBufferRef.byteOffset;
-            return currentParser.onHeaderField(new FastBuffer(currentBufferRef.buffer, start, len));
+            const start2 = at - currentBufferPtr + currentBufferRef.byteOffset;
+            return currentParser.onHeaderField(new FastBuffer(currentBufferRef.buffer, start2, len));
           },
           /**
            * @param {number} p
@@ -9687,8 +9687,8 @@ var require_client_h1 = __commonJS({
            */
           wasm_on_header_value: (p, at, len) => {
             assert(currentParser.ptr === p);
-            const start = at - currentBufferPtr + currentBufferRef.byteOffset;
-            return currentParser.onHeaderValue(new FastBuffer(currentBufferRef.buffer, start, len));
+            const start2 = at - currentBufferPtr + currentBufferRef.byteOffset;
+            return currentParser.onHeaderValue(new FastBuffer(currentBufferRef.buffer, start2, len));
           },
           /**
            * @param {number} p
@@ -9709,8 +9709,8 @@ var require_client_h1 = __commonJS({
            */
           wasm_on_body: (p, at, len) => {
             assert(currentParser.ptr === p);
-            const start = at - currentBufferPtr + currentBufferRef.byteOffset;
-            return currentParser.onBody(new FastBuffer(currentBufferRef.buffer, start, len));
+            const start2 = at - currentBufferPtr + currentBufferRef.byteOffset;
+            return currentParser.onBody(new FastBuffer(currentBufferRef.buffer, start2, len));
           },
           /**
            * @param {number} p
@@ -13962,8 +13962,8 @@ var require_retry_handler = __commonJS({
               data: { count: this.retryCount }
             });
           }
-          const { start, size, end = size ? size - 1 : null } = contentRange;
-          assert(this.start === start, "content-range mismatch");
+          const { start: start2, size, end = size ? size - 1 : null } = contentRange;
+          assert(this.start === start2, "content-range mismatch");
           assert(this.end == null || this.end === end, "content-range mismatch");
           return;
         }
@@ -13980,13 +13980,13 @@ var require_retry_handler = __commonJS({
               );
               return;
             }
-            const { start, size, end = size ? size - 1 : null } = range;
+            const { start: start2, size, end = size ? size - 1 : null } = range;
             assert(
-              start != null && Number.isFinite(start),
+              start2 != null && Number.isFinite(start2),
               "content-range mismatch"
             );
             assert(end != null && Number.isFinite(end), "invalid content-length");
-            this.start = start;
+            this.start = start2;
             this.end = end;
           }
           if (this.end == null) {
@@ -14473,9 +14473,9 @@ var require_readable = __commonJS({
       }
       const { _readableState: state } = consume2.stream;
       if (state.bufferIndex) {
-        const start = state.bufferIndex;
+        const start2 = state.bufferIndex;
         const end = state.buffer.length;
-        for (let n = start; n < end; n++) {
+        for (let n = start2; n < end; n++) {
           consumePush(consume2, state.buffer[n]);
         }
       } else {
@@ -14500,11 +14500,11 @@ var require_readable = __commonJS({
       }
       const buffer = chunks.length === 1 ? chunks[0] : Buffer.concat(chunks, length);
       const bufferLength = buffer.length;
-      const start = bufferLength > 2 && buffer[0] === 239 && buffer[1] === 187 && buffer[2] === 191 ? 3 : 0;
+      const start2 = bufferLength > 2 && buffer[0] === 239 && buffer[1] === 187 && buffer[2] === 191 ? 3 : 0;
       if (!encoding || encoding === "utf8" || encoding === "utf-8") {
-        return buffer.utf8Slice(start, bufferLength);
+        return buffer.utf8Slice(start2, bufferLength);
       } else {
-        return buffer.subarray(start, bufferLength).toString(encoding);
+        return buffer.subarray(start2, bufferLength).toString(encoding);
       }
     }
     function chunksConcat(chunks, length) {
@@ -16617,8 +16617,8 @@ var require_snapshot_recorder = __commonJS({
   "../../node_modules/.pnpm/undici@7.24.8/node_modules/undici/lib/mock/snapshot-recorder.js"(exports, module) {
     "use strict";
     init_esm_shims();
-    var { writeFile: writeFile11, readFile: readFile14, mkdir: mkdir15 } = __require("fs/promises");
-    var { dirname: dirname12, resolve } = __require("path");
+    var { writeFile: writeFile13, readFile: readFile17, mkdir: mkdir17 } = __require("fs/promises");
+    var { dirname: dirname14, resolve } = __require("path");
     var { setTimeout: setTimeout2, clearTimeout: clearTimeout2 } = __require("timers");
     var { InvalidArgumentError: InvalidArgumentError2, UndiciError } = require_errors();
     var { hashId, isUrlExcludedFactory, normalizeHeaders, createHeaderFilters } = require_snapshot_utils();
@@ -16819,7 +16819,7 @@ var require_snapshot_recorder = __commonJS({
           throw new InvalidArgumentError2("Snapshot path is required");
         }
         try {
-          const data = await readFile14(resolve(path3), "utf8");
+          const data = await readFile17(resolve(path3), "utf8");
           const parsed = JSON.parse(data);
           if (Array.isArray(parsed)) {
             this.#snapshots.clear();
@@ -16849,12 +16849,12 @@ var require_snapshot_recorder = __commonJS({
           throw new InvalidArgumentError2("Snapshot path is required");
         }
         const resolvedPath = resolve(path3);
-        await mkdir15(dirname12(resolvedPath), { recursive: true });
+        await mkdir17(dirname14(resolvedPath), { recursive: true });
         const data = Array.from(this.#snapshots.entries()).map(([hash, snapshot]) => ({
           hash,
           snapshot
         }));
-        await writeFile11(resolvedPath, JSON.stringify(data, null, 2), { flush: true });
+        await writeFile13(resolvedPath, JSON.stringify(data, null, 2), { flush: true });
       }
       /**
        * Clears all recorded snapshots
@@ -22862,7 +22862,7 @@ var require_fetch = __commonJS({
     function handleFetchDone(response) {
       finalizeAndReportTiming(response, "fetch");
     }
-    function fetch4(input, init = void 0) {
+    function fetch5(input, init = void 0) {
       webidl.argumentLengthCheck(arguments, 1, "globalThis.fetch");
       let p = createDeferredPromise();
       let requestObject;
@@ -23892,7 +23892,7 @@ var require_fetch = __commonJS({
       }
     }
     module.exports = {
-      fetch: fetch4,
+      fetch: fetch5,
       Fetch,
       fetching,
       finalizeAndReportTiming
@@ -27902,7 +27902,7 @@ var require_undici = __commonJS({
       err.stack = stack ? `${stack}
 ${captureLines}` : capture.stack;
     }
-    module.exports.fetch = function fetch4(init, options = void 0) {
+    module.exports.fetch = function fetch5(init, options = void 0) {
       return fetchImpl(init, options).catch((err) => {
         if (currentFilename) {
           appendFetchStackTrace(err, currentFilename);
@@ -28040,10 +28040,10 @@ var require_polyfills = __commonJS({
       if (platform === "win32") {
         fs.rename = typeof fs.rename !== "function" ? fs.rename : (function(fs$rename) {
           function rename5(from, to, cb) {
-            var start = Date.now();
+            var start2 = Date.now();
             var backoff = 0;
             fs$rename(from, to, function CB(er) {
-              if (er && (er.code === "EACCES" || er.code === "EPERM" || er.code === "EBUSY") && Date.now() - start < 6e4) {
+              if (er && (er.code === "EACCES" || er.code === "EPERM" || er.code === "EBUSY") && Date.now() - start2 < 6e4) {
                 setTimeout(function() {
                   fs.stat(to, function(stater, st) {
                     if (stater && stater.code === "ENOENT")
@@ -28469,8 +28469,8 @@ var require_graceful_fs = __commonJS({
       fs2.createReadStream = createReadStream;
       fs2.createWriteStream = createWriteStream;
       var fs$readFile = fs2.readFile;
-      fs2.readFile = readFile14;
-      function readFile14(path3, options, cb) {
+      fs2.readFile = readFile17;
+      function readFile17(path3, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
         return go$readFile(path3, options, cb);
@@ -28486,8 +28486,8 @@ var require_graceful_fs = __commonJS({
         }
       }
       var fs$writeFile = fs2.writeFile;
-      fs2.writeFile = writeFile11;
-      function writeFile11(path3, data, options, cb) {
+      fs2.writeFile = writeFile13;
+      function writeFile13(path3, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
         return go$writeFile(path3, data, options, cb);
@@ -28504,8 +28504,8 @@ var require_graceful_fs = __commonJS({
       }
       var fs$appendFile = fs2.appendFile;
       if (fs$appendFile)
-        fs2.appendFile = appendFile2;
-      function appendFile2(path3, data, options, cb) {
+        fs2.appendFile = appendFile4;
+      function appendFile4(path3, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
         return go$appendFile(path3, data, options, cb);
@@ -29094,7 +29094,7 @@ var require_signal_exit = __commonJS({
         emitter.count -= 1;
       };
       module.exports.unload = unload;
-      emit = function emit2(event, code, signal) {
+      emit7 = function emit8(event, code, signal) {
         if (emitter.emitted[event]) {
           return;
         }
@@ -29110,8 +29110,8 @@ var require_signal_exit = __commonJS({
           var listeners = process2.listeners(sig);
           if (listeners.length === emitter.count) {
             unload();
-            emit("exit", null, sig);
-            emit("afterexit", null, sig);
+            emit7("exit", null, sig);
+            emit7("afterexit", null, sig);
             if (isWin && sig === "SIGHUP") {
               sig = "SIGINT";
             }
@@ -29148,8 +29148,8 @@ var require_signal_exit = __commonJS({
         }
         process2.exitCode = code || /* istanbul ignore next */
         0;
-        emit("exit", process2.exitCode, null);
-        emit("afterexit", process2.exitCode, null);
+        emit7("exit", process2.exitCode, null);
+        emit7("afterexit", process2.exitCode, null);
         originalProcessReallyExit.call(process2, process2.exitCode);
       };
       originalProcessEmit = process2.emit;
@@ -29159,8 +29159,8 @@ var require_signal_exit = __commonJS({
             process2.exitCode = arg;
           }
           var ret = originalProcessEmit.apply(this, arguments);
-          emit("exit", process2.exitCode, null);
-          emit("afterexit", process2.exitCode, null);
+          emit7("exit", process2.exitCode, null);
+          emit7("afterexit", process2.exitCode, null);
           return ret;
         } else {
           return originalProcessEmit.apply(this, arguments);
@@ -29173,7 +29173,7 @@ var require_signal_exit = __commonJS({
     var EE;
     var emitter;
     var unload;
-    var emit;
+    var emit7;
     var sigListeners;
     var loaded;
     var load;
@@ -29591,6 +29591,48 @@ var {
 
 // src/login.ts
 init_esm_shims();
+
+// src/output.ts
+init_esm_shims();
+var CliExit = class extends Error {
+  /**
+   * v8.3.3 PR-2c — carry the closed-set / stderr token through the thrown
+   * error so callers can pattern-match without parsing stderr. Optional
+   * because some callsites throw `new CliExit(code)` directly without a
+   * named token (e.g. the harness EX_CONFIG paths).
+   */
+  constructor(exitCode, code) {
+    super(`CliExit(${exitCode}${code ? ` ${code}` : ""})`);
+    this.exitCode = exitCode;
+    this.code = code;
+    this.name = "CliExit";
+  }
+};
+function info(line) {
+  process.stdout.write(`${line}
+`);
+}
+function fail(code, message, exitCode = 1) {
+  process.stderr.write(`${JSON.stringify({ ok: false, code, message })}
+`);
+  throw new CliExit(exitCode, code);
+}
+
+// src/services/errors.ts
+init_esm_shims();
+var ComputerServiceError = class extends Error {
+  code;
+  cause;
+  constructor(code, message, cause) {
+    super(message);
+    this.name = "ComputerServiceError";
+    this.code = code;
+    if (cause !== void 0) this.cause = cause;
+  }
+};
+
+// src/services/login.ts
+init_esm_shims();
 import { mkdir, writeFile } from "fs/promises";
 import { dirname } from "path";
 
@@ -29849,6 +29891,9 @@ function serverManagedFlagPath(slockHome, serverId) {
 function serverHealthPath(slockHome, serverId) {
   return path2.join(serverDir(slockHome, serverId), "health.json");
 }
+function serviceStatePath(slockHome) {
+  return path2.join(computerDir(slockHome), "service.state.json");
+}
 function supervisorPidPath(slockHome) {
   return path2.join(computerDir(slockHome), "supervisor.pid");
 }
@@ -29901,32 +29946,6 @@ function formatUpgradeLogTimestamp(date = /* @__PURE__ */ new Date()) {
   return iso.replace(/[-:]/g, "").replace(/\.\d{3}Z$/, "Z");
 }
 
-// src/output.ts
-init_esm_shims();
-var CliExit = class extends Error {
-  /**
-   * v8.3.3 PR-2c — carry the closed-set / stderr token through the thrown
-   * error so callers can pattern-match without parsing stderr. Optional
-   * because some callsites throw `new CliExit(code)` directly without a
-   * named token (e.g. the harness EX_CONFIG paths).
-   */
-  constructor(exitCode, code) {
-    super(`CliExit(${exitCode}${code ? ` ${code}` : ""})`);
-    this.exitCode = exitCode;
-    this.code = code;
-    this.name = "CliExit";
-  }
-};
-function info(line) {
-  process.stdout.write(`${line}
-`);
-}
-function fail(code, message, exitCode = 1) {
-  process.stderr.write(`${JSON.stringify({ ok: false, code, message })}
-`);
-  throw new CliExit(exitCode, code);
-}
-
 // src/serverUrl.ts
 init_esm_shims();
 var DEFAULT_SLOCK_SERVER_URL = "https://api.slock.ai";
@@ -29938,62 +29957,146 @@ function resolveServerUrl(...candidates) {
   return DEFAULT_SLOCK_SERVER_URL;
 }
 
-// src/login.ts
-function sleep(ms) {
-  return new Promise((r) => setTimeout(r, ms));
+// src/services/login.ts
+function sleep(ms, signal) {
+  return new Promise((resolve, reject) => {
+    if (signal?.aborted) {
+      reject(abortError(signal));
+      return;
+    }
+    const t = setTimeout(() => {
+      signal?.removeEventListener("abort", onAbort);
+      resolve();
+    }, ms);
+    const onAbort = () => {
+      clearTimeout(t);
+      reject(abortError(signal));
+    };
+    signal?.addEventListener("abort", onAbort, { once: true });
+  });
 }
-async function runLogin(opts) {
-  const baseUrl = resolveServerUrl(opts.serverUrl, process.env.SLOCK_SERVER_URL);
+function abortError(signal) {
+  const reason = signal.reason;
+  if (reason instanceof Error) return reason;
+  const err = new Error("aborted");
+  err.name = "AbortError";
+  return err;
+}
+function emit(opts, event) {
+  const cb = opts?.onEvent;
+  if (!cb) return;
+  try {
+    cb(event);
+  } catch {
+  }
+}
+async function login(input, options = {}) {
+  const baseUrl = resolveServerUrl(input.serverUrl, process.env.SLOCK_SERVER_URL);
+  options.signal?.throwIfAborted?.();
   const client = new DeviceAuthClient(baseUrl);
   let grant;
   try {
     grant = await client.authorize("slock-computer");
   } catch (err) {
     const reason = err instanceof Error ? err.message : String(err);
-    fail(
+    throw new ComputerServiceError(
       "DEVICE_AUTHORIZE_FAILED",
-      `Could not start device login at ${baseUrl}: ${reason}. Check that the server URL is correct and reachable.`
+      `Could not start device login at ${baseUrl}: ${reason}. Check that the server URL is correct and reachable.`,
+      err
     );
   }
   const verificationUri = grant.verificationUriComplete || grant.verificationUri;
   const verifyUrl = new URL(verificationUri, baseUrl).toString();
-  info(`To finish login, open: ${verifyUrl}`);
-  info(`and enter the code:   ${grant.userCode}`);
-  info(`Waiting for approval (expires in ${grant.expiresIn}s)\u2026`);
+  const expiresAt = new Date(Date.now() + grant.expiresIn * 1e3).toISOString();
+  emit(options, {
+    type: "device-code",
+    verifyUrl,
+    userCode: grant.userCode,
+    expiresAt,
+    expiresInSeconds: grant.expiresIn
+  });
   const intervalMs = Math.max(1, grant.interval) * 1e3;
   const deadline = Date.now() + grant.expiresIn * 1e3;
   while (Date.now() < deadline) {
-    await sleep(intervalMs);
+    options.signal?.throwIfAborted?.();
+    await sleep(intervalMs, options.signal);
+    emit(options, { type: "polling" });
     const r = await client.token(grant.deviceCode);
     if (r.status === "pending") continue;
-    if (r.status === "denied") fail("LOGIN_DENIED", "Login was denied in the approval page.");
-    if (r.status === "expired") fail("LOGIN_EXPIRED", "Login request expired before approval. Re-run `slock-computer login`.");
-    if (r.status === "error") fail("LOGIN_FAILED", `Login failed (${r.code}). Re-run \`slock-computer login\`.`);
+    if (r.status === "denied") {
+      throw new ComputerServiceError("LOGIN_DENIED", "Login was denied in the approval page.");
+    }
+    if (r.status === "expired") {
+      throw new ComputerServiceError(
+        "LOGIN_EXPIRED",
+        "Login request expired before approval. Re-run `slock-computer login`."
+      );
+    }
+    if (r.status === "error") {
+      throw new ComputerServiceError(
+        "LOGIN_FAILED",
+        `Login failed (${r.code}). Re-run \`slock-computer login\`.`
+      );
+    }
     const slockHome = resolveSlockHome();
     const file = userSessionPath(slockHome);
     await mkdir(dirname(file), { recursive: true });
     await writeFile(
       file,
       JSON.stringify(
-        { kind: "user-session", userId: r.userId, accessToken: r.accessToken, refreshToken: r.refreshToken, serverUrl: baseUrl, createdAt: (/* @__PURE__ */ new Date()).toISOString() },
+        {
+          kind: "user-session",
+          userId: r.userId,
+          accessToken: r.accessToken,
+          refreshToken: r.refreshToken,
+          serverUrl: baseUrl,
+          createdAt: (/* @__PURE__ */ new Date()).toISOString()
+        },
         null,
         2
       ),
       { mode: 384 }
     );
-    info(`Logged in. User session written to ${file}`);
-    if (!opts.orchestrated) {
-      info(`Next: run \`slock-computer attach <serverSlug>\` to attach this machine.`);
+    emit(options, { type: "approved", userId: r.userId, sessionPath: file });
+    return { userId: r.userId, sessionPath: file, serverUrl: baseUrl };
+  }
+  throw new ComputerServiceError(
+    "LOGIN_EXPIRED",
+    "Login request expired before approval. Re-run `slock-computer login`."
+  );
+}
+
+// src/login.ts
+async function runLogin(opts) {
+  try {
+    await login(
+      { serverUrl: opts.serverUrl },
+      {
+        onEvent: (event) => {
+          if (event.type === "device-code") {
+            info(`To finish login, open: ${event.verifyUrl}`);
+            info(`and enter the code:   ${event.userCode}`);
+            info(`Waiting for approval (expires in ${event.expiresInSeconds}s)\u2026`);
+          } else if (event.type === "approved") {
+            info(`Logged in. User session written to ${event.sessionPath}`);
+            if (!opts.orchestrated) {
+              info(`Next: run \`slock-computer attach <serverSlug>\` to attach this machine.`);
+            }
+          }
+        }
+      }
+    );
+  } catch (err) {
+    if (err instanceof CliExit) throw err;
+    if (err instanceof ComputerServiceError) {
+      fail(err.code, err.message);
     }
-    return;
+    throw err;
   }
-  fail("LOGIN_EXPIRED", "Login request expired before approval. Re-run `slock-computer login`.");
 }
 
 // src/attach.ts
 init_esm_shims();
-import { chmod as chmod2, mkdir as mkdir3, readFile as readFile2, writeFile as writeFile3 } from "fs/promises";
-import { dirname as dirname3 } from "path";
 
 // src/serverState.ts
 init_esm_shims();
@@ -30102,77 +30205,95 @@ async function listManagedServerIds(slockHome) {
   return out;
 }
 
-// src/attach.ts
-async function runAttach(opts) {
+// src/services/attach.ts
+init_esm_shims();
+import { chmod as chmod2, mkdir as mkdir3, readFile as readFile2, writeFile as writeFile3 } from "fs/promises";
+import { dirname as dirname3 } from "path";
+function emit2(opts, event) {
+  const cb = opts?.onEvent;
+  if (!cb) return;
+  try {
+    cb(event);
+  } catch {
+  }
+}
+async function attach(input, options = {}) {
+  options.signal?.throwIfAborted?.();
   const slockHome = resolveSlockHome();
   const sessionFile = userSessionPath(slockHome);
   let session;
   try {
     session = JSON.parse(await readFile2(sessionFile, "utf8"));
-  } catch {
-    fail(
+  } catch (err) {
+    throw new ComputerServiceError(
       "NO_USER_SESSION",
-      `No user session at ${sessionFile}. Run \`slock-computer login\` first.`
+      `No user session at ${sessionFile}. Run \`slock-computer login\` first.`,
+      err
     );
   }
   if (session.kind !== "user-session" || typeof session.accessToken !== "string" || !session.accessToken) {
-    fail(
+    throw new ComputerServiceError(
       "INVALID_USER_SESSION",
       `User session at ${sessionFile} is invalid. Re-run \`slock-computer login\`.`
     );
   }
-  const baseUrl = resolveServerUrl(opts.serverUrl, session.serverUrl, process.env.SLOCK_SERVER_URL);
-  const client = new ComputerAttachClient(baseUrl, session.accessToken);
-  const slugForServer = normalizeServerSlug(opts.serverSlug);
+  const baseUrl = resolveServerUrl(input.serverUrl, session.serverUrl, process.env.SLOCK_SERVER_URL);
+  const slugForServer = normalizeServerSlug(input.serverSlug);
   if (!slugForServer) {
-    fail("ATTACH_NOT_AUTHORIZED", "Server slug must not be empty.");
+    throw new ComputerServiceError("ATTACH_NOT_AUTHORIZED", "Server slug must not be empty.");
   }
-  const computerName = opts.name?.trim() || deriveDefaultComputerName();
-  info(`Attaching this machine to server ${formatServerSlugDisplay(slugForServer)}\u2026`);
+  const computerName = input.name?.trim() || deriveDefaultComputerName();
+  options.signal?.throwIfAborted?.();
+  emit2(options, { type: "attaching", serverSlug: slugForServer });
+  const client = new ComputerAttachClient(baseUrl, session.accessToken);
   const attached = await client.attach(slugForServer, computerName);
   if (attached.status === "disabled") {
-    fail(
+    throw new ComputerServiceError(
       "ATTACH_DISABLED",
       "Computer attach is not enabled on this server (ask an admin to unset SLOCK_DEVICE_LOGIN_ENABLED or set it back to a non-false value; this surface is on by default since PR-G \u2014 upgrade the server if you are on an older build)."
     );
   }
   if (attached.status === "not_authorized") {
-    fail(
+    throw new ComputerServiceError(
       "ATTACH_NOT_AUTHORIZED",
       "Not authorized to attach to that server. Check the server slug and that you're a member."
     );
   }
   if (attached.status === "server_not_found") {
-    fail(
+    throw new ComputerServiceError(
       "ATTACH_SERVER_NOT_FOUND",
       `Server ${formatServerSlugDisplay(slugForServer)} was not found on ${baseUrl}. Check the slug spelling and --server-url, then retry.`
     );
   }
   if (attached.status === "error") {
     if (attached.code === "session_invalid") {
-      fail(
+      throw new ComputerServiceError(
         "USER_SESSION_EXPIRED",
         "Your user session is no longer valid. Re-run `slock-computer login`."
       );
     }
     if (attached.code === "request_failed") {
-      fail(
+      throw new ComputerServiceError(
         "ATTACH_REQUEST_FAILED",
         `Could not reach ${baseUrl} while attaching to ${formatServerSlugDisplay(slugForServer)}. Check --server-url / network connectivity, then retry.`
       );
     }
     if (attached.code === "COMPUTER_NAME_COLLISION") {
-      fail(
+      throw new ComputerServiceError(
         "COMPUTER_NAME_COLLISION",
         `A Computer named ${JSON.stringify(computerName)} already exists on that server. Re-run with --name <name>.`
       );
     }
-    fail("ATTACH_FAILED", `Attach failed (${attached.code}). Re-run after checking --server-url / server version.`);
+    throw new ComputerServiceError(
+      "ATTACH_FAILED",
+      `Attach failed (${attached.code}). Re-run after checking --server-url / server version.`
+    );
   }
-  info(attached.resumed ? "Resumed existing attachment; running preflight\u2026" : "Attachment issued; running preflight\u2026");
+  emit2(options, { type: "preflight", resumed: attached.resumed });
+  options.signal?.throwIfAborted?.();
   const pre = await client.preflight(attached.apiKey);
   if (!pre.ok) {
-    fail(
+    throw new ComputerServiceError(
       "PREFLIGHT_FAILED",
       `Server preflight failed (${pre.code}). The server's Computer surface is not aligned; nothing was written locally. Upgrade the server or retry.`
     );
@@ -30197,9 +30318,57 @@ async function runAttach(opts) {
     { mode: 384 }
   );
   await chmod2(file, 384);
-  info(`Attached. Computer state written to ${file}`);
-  info(`  server:        ${formatServerSlugDisplay(attached.serverSlug)}`);
-  info(`  serverMachine: ${attached.serverMachineId}`);
+  const apiKeyRedactedPrefix = attached.apiKey.slice(0, 8);
+  emit2(options, {
+    type: "attached",
+    serverId: attached.serverId,
+    serverMachineId: attached.serverMachineId,
+    serverSlug: attached.serverSlug,
+    attachmentPath: file,
+    resumed: attached.resumed,
+    apiKeyRedactedPrefix
+  });
+  return {
+    serverId: attached.serverId,
+    serverMachineId: attached.serverMachineId,
+    serverSlug: attached.serverSlug,
+    serverUrl: baseUrl,
+    attachmentPath: file,
+    resumed: attached.resumed,
+    apiKeyRedactedPrefix
+  };
+}
+
+// src/attach.ts
+async function runAttach(opts) {
+  try {
+    await attach(
+      {
+        serverSlug: opts.serverSlug,
+        serverUrl: opts.serverUrl,
+        name: opts.name
+      },
+      {
+        onEvent: (event) => {
+          if (event.type === "attaching") {
+            info(`Attaching this machine to server ${formatServerSlugDisplay(event.serverSlug)}\u2026`);
+          } else if (event.type === "preflight") {
+            info(event.resumed ? "Resumed existing attachment; running preflight\u2026" : "Attachment issued; running preflight\u2026");
+          } else if (event.type === "attached") {
+            info(`Attached. Computer state written to ${event.attachmentPath}`);
+            info(`  server:        ${formatServerSlugDisplay(event.serverSlug)}`);
+            info(`  serverMachine: ${event.serverMachineId}`);
+          }
+        }
+      }
+    );
+  } catch (err) {
+    if (err instanceof CliExit) throw err;
+    if (err instanceof ComputerServiceError) {
+      fail(err.code, err.message);
+    }
+    throw err;
+  }
   if (opts.orchestrated) {
     return;
   }
@@ -30210,85 +30379,92 @@ async function runAttach(opts) {
   }
 }
 
-// src/adopt.ts
+// src/setup.ts
 init_esm_shims();
-import { chmod as chmod3, mkdir as mkdir4, readFile as readFile3, writeFile as writeFile4, appendFile, stat } from "fs/promises";
-import { createHash as createHash2 } from "crypto";
-import { dirname as dirname4, join } from "path";
-import { setTimeout as delay } from "timers/promises";
-async function resolveLegacyKey(inputs, env) {
-  const sources = [];
-  if (typeof inputs.legacyApiKey === "string" && inputs.legacyApiKey.length > 0) {
-    sources.push({
-      mode: "legacy_key_argv",
-      load: async () => inputs.legacyApiKey.trim()
-    });
+var import_undici3 = __toESM(require_undici(), 1);
+import { chmod as chmod4, mkdir as mkdir9, readFile as readFile8, rename as rename3, rm as rm2, writeFile as writeFile8 } from "fs/promises";
+import { dirname as dirname9 } from "path";
+
+// src/lib/migration.ts
+init_esm_shims();
+import { readdir as readdir2, readFile as readFile3 } from "fs/promises";
+import { join } from "path";
+var MACHINE_DIR_PREFIX = "machine-";
+async function readOwnerEvidence(installRoot, machineDirName) {
+  const ownerFile = join(
+    installRoot,
+    "machines",
+    machineDirName,
+    "daemon.lock",
+    "owner.json"
+  );
+  let raw;
+  try {
+    raw = await readFile3(ownerFile, "utf8");
+  } catch {
+    return {};
   }
-  if (typeof inputs.legacyApiKeyFile === "string" && inputs.legacyApiKeyFile.length > 0) {
-    sources.push({
-      mode: "legacy_key_file",
-      load: async () => {
-        const contents = await readFile3(inputs.legacyApiKeyFile, "utf8");
-        return contents.trim();
-      }
-    });
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return {};
   }
-  if (inputs.legacyApiKeyStdin) {
-    sources.push({
-      mode: "legacy_key_stdin",
-      load: async () => readAllStdin()
-    });
+  const machineName = typeof parsed.hostname === "string" && parsed.hostname.length > 0 ? parsed.hostname : void 0;
+  const serverUrl = typeof parsed.serverUrl === "string" && parsed.serverUrl.length > 0 ? parsed.serverUrl : void 0;
+  return { machineName, serverUrl };
+}
+async function detectLegacyMigration(installRoot, loggedInUserId) {
+  void loggedInUserId;
+  const machinesDir = join(installRoot, "machines");
+  let entries;
+  try {
+    entries = await readdir2(machinesDir);
+  } catch {
+    return { kind: "no-match" };
   }
-  const envKey = env.SLOCK_LEGACY_API_KEY;
-  if (typeof envKey === "string" && envKey.trim().length > 0) {
-    sources.push({
-      mode: "legacy_key_env",
-      load: async () => envKey.trim()
+  const candidates = [];
+  for (const name of entries) {
+    if (!name.startsWith(MACHINE_DIR_PREFIX)) continue;
+    const evidence = await readOwnerEvidence(installRoot, name);
+    candidates.push({
+      machineId: name,
+      machineName: evidence.machineName,
+      serverUrl: evidence.serverUrl
     });
   }
-  if (sources.length === 0) {
-    fail(
-      "LEGACY_KEY_REQUIRED",
-      "No legacy api key provided. Pass exactly one of: --legacy-api-key <key>, --legacy-api-key-file <path>, --legacy-api-key-stdin, or SLOCK_LEGACY_API_KEY."
-    );
-  }
-  if (sources.length > 1) {
-    const modes = sources.map((s) => s.mode).join(", ");
-    fail(
-      "LEGACY_KEY_MULTIPLE_SOURCES",
-      `Multiple legacy api key sources provided (${modes}). Choose exactly one.`
-    );
-  }
-  const chosen = sources[0];
-  const rawKey = await chosen.load();
-  if (chosen.mode === "legacy_key_env") {
-    delete env.SLOCK_LEGACY_API_KEY;
-  }
-  if (!rawKey.startsWith("sk_machine_") && !rawKey.startsWith("sk_daemon_")) {
-    fail(
-      "LEGACY_KEY_INVALID",
-      "Provided key does not look like a legacy machine key (expected `sk_machine_*` or `sk_daemon_*`)."
-    );
+  if (candidates.length === 0) return { kind: "no-match" };
+  if (candidates.length === 1) {
+    const only = candidates[0];
+    return {
+      kind: "match",
+      machineId: only.machineId,
+      machineName: only.machineName,
+      serverUrl: only.serverUrl
+    };
   }
-  return {
-    rawKey,
-    mode: chosen.mode,
-    redactedPrefix: rawKey.slice(0, 8)
-  };
+  return { kind: "ambiguous", candidates };
 }
-async function readAllStdin() {
-  return new Promise((resolve, reject) => {
-    const chunks = [];
-    process.stdin.on("data", (chunk) => chunks.push(chunk));
-    process.stdin.on("end", () => resolve(Buffer.concat(chunks).toString("utf8").trim()));
-    process.stdin.on("error", reject);
-  });
+
+// src/services/adoptLegacy.ts
+init_esm_shims();
+import { chmod as chmod3, mkdir as mkdir4, readFile as readFile4, writeFile as writeFile4, appendFile, stat } from "fs/promises";
+import { createHash as createHash2 } from "crypto";
+import { dirname as dirname4, join as join2 } from "path";
+import { setTimeout as delay } from "timers/promises";
+function emit3(opts, event) {
+  const cb = opts?.onEvent;
+  if (!cb) return;
+  try {
+    cb(event);
+  } catch {
+  }
 }
 var LEGACY_STOP_WAIT_MS = 1e4;
 var LEGACY_STOP_POLL_MS = 200;
 function legacyLockOwnerPath(slockHome, rawKey) {
   const fingerprint = createHash2("sha256").update(rawKey).digest("hex").slice(0, 16);
-  return join(slockHome, "machines", `machine-${fingerprint}`, "daemon.lock", "owner.json");
+  return join2(slockHome, "machines", `machine-${fingerprint}`, "daemon.lock", "owner.json");
 }
 function isProcessAlive(pid) {
   if (!Number.isInteger(pid) || pid <= 0) return false;
@@ -30303,7 +30479,7 @@ function isProcessAlive(pid) {
 async function stopLegacyDaemonByOwnerFile(ownerFile) {
   let raw;
   try {
-    raw = await readFile3(ownerFile, "utf8");
+    raw = await readFile4(ownerFile, "utf8");
   } catch {
     return { attempted: false, outcome: "absent" };
   }
@@ -30337,7 +30513,7 @@ async function stopLegacyDaemonByOwnerFile(ownerFile) {
 async function readLegacyOwnerEvidence(ownerFile) {
   let raw;
   try {
-    raw = await readFile3(ownerFile, "utf8");
+    raw = await readFile4(ownerFile, "utf8");
   } catch {
     return { ownerFile, reason: "owner_file_absent" };
   }
@@ -30371,162 +30547,164 @@ function formatLegacyOwnerEvidence(slockHome, evidence) {
   if (evidence.reason) fields.push(`ownerStatus=${evidence.reason}`);
   return fields.join(" ");
 }
-async function runAdoptLegacy(inputs) {
+async function adoptLegacy(input, options = {}) {
+  options.signal?.throwIfAborted?.();
   const slockHome = resolveSlockHome();
   const sessionFile = userSessionPath(slockHome);
   let session;
   try {
-    session = JSON.parse(await readFile3(sessionFile, "utf8"));
-  } catch {
-    fail(
+    session = JSON.parse(await readFile4(sessionFile, "utf8"));
+  } catch (err) {
+    throw new ComputerServiceError(
       "NO_USER_SESSION",
-      `No user session at ${sessionFile}. Run \`slock-computer login\` first.`
+      `No user session at ${sessionFile}. Run \`slock-computer login\` first.`,
+      err
     );
   }
   if (session.kind !== "user-session" || typeof session.accessToken !== "string" || !session.accessToken) {
-    fail(
+    throw new ComputerServiceError(
       "INVALID_USER_SESSION",
       `User session at ${sessionFile} is invalid. Re-run \`slock-computer login\`.`
     );
   }
-  const baseUrl = resolveServerUrl(inputs.serverUrl, session.serverUrl, process.env.SLOCK_SERVER_URL);
-  const slugForServer = normalizeServerSlug(inputs.serverSlug);
+  const baseUrl = resolveServerUrl(input.serverUrl, session.serverUrl, process.env.SLOCK_SERVER_URL);
+  const slugForServer = normalizeServerSlug(input.serverSlug);
   if (!slugForServer) {
-    fail("ADOPT_NOT_AUTHORIZED", "Server slug must not be empty.");
+    throw new ComputerServiceError("ADOPT_NOT_AUTHORIZED", "Server slug must not be empty.");
   }
-  const legacy = await resolveLegacyKey(inputs, process.env);
-  info(
-    `Adopting legacy daemon for ${formatServerSlugDisplay(slugForServer)} via ${legacy.mode}\u2026`
-  );
+  options.signal?.throwIfAborted?.();
+  emit3(options, { type: "adopting", serverSlug: slugForServer, mode: input.mode });
   const client = new ComputerAttachClient(baseUrl, session.accessToken);
   const adoptStartedAt = /* @__PURE__ */ new Date();
-  const legacyOwnerFile = legacyLockOwnerPath(slockHome, legacy.rawKey);
+  const legacyOwnerFile = legacyLockOwnerPath(slockHome, input.rawKey);
   const ownerEvidence = await readLegacyOwnerEvidence(legacyOwnerFile);
-  const result = await client.adoptLegacy(legacy.rawKey, inputs.name);
-  legacy.rawKey = void 0;
+  const result = await client.adoptLegacy(input.rawKey, input.name);
+  input.rawKey = void 0;
   if (result.status === "disabled") {
     await appendAdoptionLog(slockHome, {
-      mode: legacy.mode,
-      redactedPrefix: legacy.redactedPrefix,
+      mode: input.mode,
+      redactedPrefix: input.redactedPrefix,
       startedAt: adoptStartedAt,
       outcome: "failed",
       failureReason: "computer_adopt_disabled"
     });
-    fail(
+    throw new ComputerServiceError(
       "ADOPT_DISABLED",
       "Computer legacy adoption is not enabled on this server. Upgrade the server or set SLOCK_DEVICE_LOGIN_ENABLED."
     );
   }
   if (result.status === "legacy_key_invalid") {
     await appendAdoptionLog(slockHome, {
-      mode: legacy.mode,
-      redactedPrefix: legacy.redactedPrefix,
+      mode: input.mode,
+      redactedPrefix: input.redactedPrefix,
       startedAt: adoptStartedAt,
       outcome: "failed",
       failureReason: "legacy_key_invalid"
     });
-    fail(
+    throw new ComputerServiceError(
       "LEGACY_KEY_INVALID",
       `Server rejected the legacy api key (unknown / wrong server / malformed). Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Verify the key came from this SLOCK_HOME and server, or use a fresh isolated SLOCK_HOME for a clean Computer setup.`
     );
   }
   if (result.status === "legacy_machine_key_migrated") {
     await appendAdoptionLog(slockHome, {
-      mode: legacy.mode,
-      redactedPrefix: legacy.redactedPrefix,
+      mode: input.mode,
+      redactedPrefix: input.redactedPrefix,
       startedAt: adoptStartedAt,
       outcome: "failed",
       failureReason: "legacy_machine_key_migrated"
     });
-    fail(
+    throw new ComputerServiceError(
       "LEGACY_MACHINE_KEY_MIGRATED",
       `This machine has already been adopted; the legacy key is no longer accepted. Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Use \`slock-computer attach\` to add another Computer attachment, or use a fresh isolated SLOCK_HOME for a clean setup.`
     );
   }
   if (result.status === "auth_required") {
     await appendAdoptionLog(slockHome, {
-      mode: legacy.mode,
-      redactedPrefix: legacy.redactedPrefix,
+      mode: input.mode,
+      redactedPrefix: input.redactedPrefix,
       startedAt: adoptStartedAt,
       outcome: "failed",
       failureReason: "auth_required"
     });
-    fail(
+    throw new ComputerServiceError(
       "ADOPT_AUTH_REQUIRED",
       `Your Computer user session was rejected by the server before legacy adoption. Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Re-run \`slock-computer login\` for this server (use the same \`--server-url\` if not on production), then retry the adopt command. No local Computer state was written.`
     );
   }
   if (result.status === "not_authorized") {
     await appendAdoptionLog(slockHome, {
-      mode: legacy.mode,
-      redactedPrefix: legacy.redactedPrefix,
+      mode: input.mode,
+      redactedPrefix: input.redactedPrefix,
       startedAt: adoptStartedAt,
       outcome: "failed",
       failureReason: "not_authorized"
     });
-    fail(
+    throw new ComputerServiceError(
       "ADOPT_NOT_AUTHORIZED",
       "Not authorized to adopt this machine on this server. Check that you are a current member."
     );
   }
   if (result.status === "unexpected_response") {
     await appendAdoptionLog(slockHome, {
-      mode: legacy.mode,
-      redactedPrefix: legacy.redactedPrefix,
+      mode: input.mode,
+      redactedPrefix: input.redactedPrefix,
       startedAt: adoptStartedAt,
       outcome: "failed",
       failureReason: result.code ? `unexpected_response_${result.code}` : "unexpected_response_missing_code"
     });
     const responseDetail = result.code ? `status ${result.httpStatus}, code ${result.code}` : `status ${result.httpStatus}, missing error code`;
     const authHint = result.httpStatus === 401 ? " If your server may be on an older release that does not emit `code: auth_required`, re-run `slock-computer login` first to refresh your user session, then retry. If the issue persists, report it as server contract drift." : "";
-    fail(
+    throw new ComputerServiceError(
       "ADOPT_UNEXPECTED_RESPONSE",
       `Server returned an unexpected legacy adoption response (${responseDetail}).${authHint} Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Please report this with the command, server URL, and SLOCK_HOME; no local Computer state was written.`
     );
   }
   if (result.status === "error") {
     await appendAdoptionLog(slockHome, {
-      mode: legacy.mode,
-      redactedPrefix: legacy.redactedPrefix,
+      mode: input.mode,
+      redactedPrefix: input.redactedPrefix,
       startedAt: adoptStartedAt,
       outcome: "failed",
       failureReason: result.code
     });
-    fail(
+    throw new ComputerServiceError(
       "ADOPT_FAILED",
       `Adoption failed at server exchange (${result.code}). Local legacy owner evidence for this key: ${formatLegacyOwnerEvidence(slockHome, ownerEvidence)}. Confirm the user session is valid, the legacy key belongs to this server/SLOCK_HOME, and the server URL is correct. No local Computer state was written.`
     );
   }
-  info(result.resumed ? "Adopted (resumed prior attachment); running preflight\u2026" : "Adopted; running preflight\u2026");
+  emit3(options, { type: "preflight", resumed: result.resumed });
+  options.signal?.throwIfAborted?.();
   const pre = await client.preflight(result.apiKey);
   if (!pre.ok) {
     await appendAdoptionLog(slockHome, {
-      mode: legacy.mode,
-      redactedPrefix: legacy.redactedPrefix,
+      mode: input.mode,
+      redactedPrefix: input.redactedPrefix,
       startedAt: adoptStartedAt,
       outcome: "failed",
       failureReason: `preflight_${pre.code}`
     });
-    fail(
+    throw new ComputerServiceError(
       "PREFLIGHT_FAILED",
       `Server preflight failed (${pre.code}); local state not written. Upgrade the server or retry.`
     );
   }
-  const stop = await stopLegacyDaemonByOwnerFile(legacyOwnerFile);
-  if (stop.outcome === "timed_out" || stop.outcome === "denied" || stop.outcome === "error") {
+  options.signal?.throwIfAborted?.();
+  const stop2 = await stopLegacyDaemonByOwnerFile(legacyOwnerFile);
+  if (stop2.outcome === "timed_out" || stop2.outcome === "denied" || stop2.outcome === "error") {
     await appendAdoptionLog(slockHome, {
-      mode: legacy.mode,
-      redactedPrefix: legacy.redactedPrefix,
+      mode: input.mode,
+      redactedPrefix: input.redactedPrefix,
       startedAt: adoptStartedAt,
       outcome: "failed",
-      failureReason: `legacy_stop_${stop.outcome}`,
+      failureReason: `legacy_stop_${stop2.outcome}`,
       computerId: result.computerId,
       machineId: result.machineId,
       serverId: result.serverId,
-      legacyStop: stop
+      legacyStop: stop2
     });
-    const detail = stop.outcome === "timed_out" ? `pid ${stop.pid} did not exit within ${LEGACY_STOP_WAIT_MS}ms` : stop.outcome === "denied" ? `pid ${stop.pid} cannot be stopped (permission denied)` : `stop attempt error (${stop.reason ?? "unknown"})`;
-    fail(
+    const detail = stop2.outcome === "timed_out" ? `pid ${stop2.pid} did not exit within ${LEGACY_STOP_WAIT_MS}ms` : stop2.outcome === "denied" ? `pid ${stop2.pid} cannot be stopped (permission denied)` : `stop attempt error (${stop2.reason ?? "unknown"})`;
+    throw new ComputerServiceError(
       "LEGACY_DAEMON_STOP_FAILED",
       `Adoption succeeded server-side but the legacy daemon could not be stopped: ${detail}. Stop it manually and re-run \`slock-computer adopt-legacy\`, or run \`slock-computer attach\` after confirming the legacy process is gone. No local Computer state was written.`
     );
@@ -30554,33 +30732,38 @@ async function runAdoptLegacy(inputs) {
   );
   await chmod3(file, 384);
   await appendAdoptionLog(slockHome, {
-    mode: legacy.mode,
-    redactedPrefix: legacy.redactedPrefix,
+    mode: input.mode,
+    redactedPrefix: input.redactedPrefix,
     startedAt: adoptStartedAt,
     outcome: "succeeded",
     computerId: result.computerId,
     machineId: result.machineId,
     serverId: result.serverId,
-    legacyStop: stop
+    legacyStop: stop2
   });
-  info(`Adopted. Computer state written to ${file}`);
-  info(`  server:        ${formatServerSlugDisplay(slugForServer)}`);
-  info(`  serverMachine: ${result.computerId}`);
-  info(`  legacyMachine: ${result.machineId}`);
-  switch (stop.outcome) {
-    case "absent":
-      info("  legacy daemon: not detected on this Computer (no local lock file)");
-      break;
-    case "already_dead":
-      info(`  legacy daemon: already stopped (pid ${stop.pid} not running)`);
-      break;
-    case "stopped":
-      info(`  legacy daemon: stopped (pid ${stop.pid}, SIGTERM)`);
-      break;
-  }
-  if (!inputs.orchestrated) {
-    info(`Next: run \`slock-computer start\` to bring this server online under the Computer supervisor.`);
-  }
+  const apiKeyRedactedPrefix = result.apiKey.slice(0, 8);
+  emit3(options, {
+    type: "adopted",
+    serverId: result.serverId,
+    serverMachineId: result.computerId,
+    legacyMachineId: result.machineId,
+    serverSlug: slugForServer,
+    attachmentPath: file,
+    resumed: result.resumed,
+    apiKeyRedactedPrefix,
+    legacyStop: stop2
+  });
+  return {
+    serverId: result.serverId,
+    serverMachineId: result.computerId,
+    legacyMachineId: result.machineId,
+    serverSlug: slugForServer,
+    serverUrl: baseUrl,
+    attachmentPath: file,
+    resumed: result.resumed,
+    apiKeyRedactedPrefix,
+    legacyStop: stop2
+  };
 }
 async function appendAdoptionLog(slockHome, line) {
   try {
@@ -30616,24 +30799,53 @@ async function appendAdoptionLog(slockHome, line) {
   }
 }
 
-// src/setup.ts
-init_esm_shims();
-var import_undici2 = __toESM(require_undici(), 1);
-import { chmod as chmod4, mkdir as mkdir8, readdir as readdir3, readFile as readFile6, rename as rename3, rm as rm2, writeFile as writeFile7 } from "fs/promises";
-import { dirname as dirname8, join as join3 } from "path";
-
 // src/supervisor.ts
 init_esm_shims();
 import { spawn as spawn2 } from "child_process";
-import { mkdir as mkdir7, readFile as readFile5, writeFile as writeFile6, open, unlink as unlink4, rename as rename2 } from "fs/promises";
-import { dirname as dirname7, join as joinPath } from "path";
+import { mkdir as mkdir8, readFile as readFile7, writeFile as writeFile7, open, rename as rename2 } from "fs/promises";
+import { dirname as dirname8, join as joinPath } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // src/cleanup.ts
 init_esm_shims();
-import { readdir as readdir2, stat as stat2, unlink as unlink2, rm, rmdir, rename, mkdir as mkdir5 } from "fs/promises";
+import { readdir as readdir3, stat as stat2, unlink as unlink3, rm, rmdir, rename, mkdir as mkdir6 } from "fs/promises";
 import { spawn } from "child_process";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
+
+// src/internal/process-primitives.ts
+init_esm_shims();
+import { mkdir as mkdir5, readFile as readFile5, writeFile as writeFile5, unlink as unlink2 } from "fs/promises";
+import { dirname as dirname5 } from "path";
+async function readPidfileAt(pidfilePath) {
+  try {
+    const raw = (await readFile5(pidfilePath, "utf8")).trim();
+    const pid = Number.parseInt(raw, 10);
+    return Number.isInteger(pid) && pid > 0 ? pid : null;
+  } catch {
+    return null;
+  }
+}
+function isProcessAlive2(pid) {
+  if (!Number.isInteger(pid) || pid <= 0) return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    return err.code === "EPERM";
+  }
+}
+async function writePidfileAt(pidfilePath, pid) {
+  await mkdir5(dirname5(pidfilePath), { recursive: true });
+  await writeFile5(pidfilePath, String(pid), { mode: 384 });
+}
+async function clearPidfileAt(pidfilePath) {
+  try {
+    await unlink2(pidfilePath);
+  } catch {
+  }
+}
+
+// src/cleanup.ts
 function emptyCleanupReport() {
   return {
     stalePidfiles: [],
@@ -30649,7 +30861,7 @@ async function cleanupStalePidfile(pidfilePath) {
   if (pid === null) return false;
   if (isProcessAlive2(pid)) return false;
   try {
-    await unlink2(pidfilePath);
+    await unlink3(pidfilePath);
     return true;
   } catch {
     return false;
@@ -30728,24 +30940,24 @@ async function cleanupOrphanProcesses(slockHome, psSpawn) {
   return signaled;
 }
 function quarantineDir(slockHome) {
-  return join2(computerDir(slockHome), ".quarantine");
+  return join3(computerDir(slockHome), ".quarantine");
 }
 async function quarantineServerSubtree(slockHome, serverId) {
-  const src = join2(serversDir(slockHome), serverId);
+  const src = join3(serversDir(slockHome), serverId);
   const stamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
-  const dest = join2(quarantineDir(slockHome), `${stamp}-${serverId}`);
-  await mkdir5(dirname5(dest), { recursive: true });
+  const dest = join3(quarantineDir(slockHome), `${stamp}-${serverId}`);
+  await mkdir6(dirname6(dest), { recursive: true });
   await rename(src, dest);
   return dest;
 }
-function dirname5(p) {
+function dirname6(p) {
   const idx = p.lastIndexOf("/");
   return idx > 0 ? p.slice(0, idx) : "/";
 }
 async function cleanupPowerLossPartialState(slockHome) {
   let entries;
   try {
-    entries = await readdir2(serversDir(slockHome));
+    entries = await readdir3(serversDir(slockHome));
   } catch {
     return [];
   }
@@ -30772,11 +30984,11 @@ var TMP_MAX_AGE_MS = 24 * 60 * 60 * 1e3;
 async function cleanupTmpFiles(slockHome) {
   const removed = [];
   const cdir = computerDir(slockHome);
-  const stagingDir = join2(cdir, "upgrade-staging");
+  const stagingDir = join3(cdir, "upgrade-staging");
   try {
-    const versions = await readdir2(stagingDir);
+    const versions = await readdir3(stagingDir);
     for (const v of versions) {
-      const vdir = join2(stagingDir, v);
+      const vdir = join3(stagingDir, v);
       try {
         const s = await stat2(vdir);
         if (Date.now() - s.mtimeMs > TMP_MAX_AGE_MS) {
@@ -30787,17 +30999,17 @@ async function cleanupTmpFiles(slockHome) {
       }
     }
     try {
-      const remaining = await readdir2(stagingDir);
+      const remaining = await readdir3(stagingDir);
       if (remaining.length === 0) await rmdir(stagingDir);
     } catch {
     }
   } catch {
   }
-  const snap = join2(cdir, "upgrade-snapshot.json");
+  const snap = join3(cdir, "upgrade-snapshot.json");
   try {
     const s = await stat2(snap);
     if (Date.now() - s.mtimeMs > TMP_MAX_AGE_MS) {
-      await unlink2(snap);
+      await unlink3(snap);
       removed.push(snap);
     }
   } catch {
@@ -30805,7 +31017,7 @@ async function cleanupTmpFiles(slockHome) {
   return removed;
 }
 async function cleanupStaleLock(slockHome) {
-  const lockDir = join2(computerDir(slockHome), ".lock");
+  const lockDir = join3(computerDir(slockHome), ".lock");
   try {
     const s = await stat2(lockDir);
     if (Date.now() - s.mtimeMs > 60 * 1e3) {
@@ -30817,7 +31029,7 @@ async function cleanupStaleLock(slockHome) {
   return [];
 }
 async function forceReleaseLock(slockHome) {
-  const lockDir = join2(computerDir(slockHome), ".lock");
+  const lockDir = join3(computerDir(slockHome), ".lock");
   try {
     await stat2(lockDir);
     await rm(lockDir, { recursive: true, force: true });
@@ -30841,14 +31053,14 @@ async function runFullCleanup(slockHome, options = {}) {
 
 // src/health.ts
 init_esm_shims();
-import { readFile as readFile4, writeFile as writeFile5, unlink as unlink3, mkdir as mkdir6 } from "fs/promises";
-import { dirname as dirname6 } from "path";
+import { readFile as readFile6, writeFile as writeFile6, unlink as unlink4, mkdir as mkdir7, appendFile as appendFile2 } from "fs/promises";
+import { dirname as dirname7 } from "path";
 var CRASH_WINDOW_MS = 6e4;
 var DEGRADED_THRESHOLD = 3;
 async function readHealthFile(slockHome, serverId) {
   if (!isValidServerId(serverId)) return { crashes: [] };
   try {
-    const raw = await readFile4(serverHealthPath(slockHome, serverId), "utf8");
+    const raw = await readFile6(serverHealthPath(slockHome, serverId), "utf8");
     const parsed = JSON.parse(raw);
     if (parsed && typeof parsed === "object" && Array.isArray(parsed.crashes)) {
       return parsed;
@@ -30859,8 +31071,8 @@ async function readHealthFile(slockHome, serverId) {
 }
 async function writeHealthFile(slockHome, serverId, file) {
   const path3 = serverHealthPath(slockHome, serverId);
-  await mkdir6(dirname6(path3), { recursive: true });
-  await writeFile5(path3, JSON.stringify(file), { mode: 384 });
+  await mkdir7(dirname7(path3), { recursive: true });
+  await writeFile6(path3, JSON.stringify(file), { mode: 384 });
 }
 async function recordCrash(slockHome, serverId, exitCode, signal, nowMs = Date.now()) {
   if (!isValidServerId(serverId)) return;
@@ -30909,47 +31121,401 @@ async function markFatalConfig(slockHome, serverId, exitCode, signal, nowMs = Da
 async function resetHealth(slockHome, serverId) {
   if (!isValidServerId(serverId)) return;
   try {
-    await unlink3(serverHealthPath(slockHome, serverId));
+    await unlink4(serverHealthPath(slockHome, serverId));
   } catch {
   }
 }
-
-// src/supervisor.ts
-async function readPidfileAt(pidfilePath) {
-  try {
-    const raw = (await readFile5(pidfilePath, "utf8")).trim();
-    const pid = Number.parseInt(raw, 10);
-    return Number.isInteger(pid) && pid > 0 ? pid : null;
+async function resetRunnerHealth(slockHome, serverId, nowMs = Date.now()) {
+  if (!isValidServerId(serverId)) {
+    return { status: "not-found" };
+  }
+  const wasDegraded = await isDegraded(slockHome, serverId, nowMs);
+  const recent = await readCrashHistory(slockHome, serverId, nowMs);
+  const previousState = wasDegraded ? "degraded" : "running";
+  await resetHealth(slockHome, serverId);
+  await emitRunnerStateTransition(
+    slockHome,
+    serverId,
+    previousState,
+    "running",
+    "reset-runner"
+  );
+  return {
+    status: "ok",
+    previousState,
+    clearedCrashCount: recent.length
+  };
+}
+async function emitRunnerStateTransition(slockHome, serverId, fromState, toState, trigger) {
+  const entry = {
+    at: (/* @__PURE__ */ new Date()).toISOString(),
+    kind: "runner-state-changed",
+    serverId,
+    fromState,
+    toState,
+    trigger
+  };
+  try {
+    const path3 = supervisorLogPath(slockHome);
+    await mkdir7(dirname7(path3), { recursive: true });
+    await appendFile2(path3, JSON.stringify(entry) + "\n");
   } catch {
-    return null;
   }
 }
-function isProcessAlive2(pid) {
-  if (!Number.isInteger(pid) || pid <= 0) return false;
+
+// src/services/start.ts
+init_esm_shims();
+var START_ENSURE_TIMEOUT_MS = 15e3;
+var START_ENSURE_POLL_INTERVAL_MS = 100;
+function emit4(opts, event) {
+  const cb = opts?.onEvent;
+  if (!cb) return;
   try {
-    process.kill(pid, 0);
-    return true;
+    cb(event);
+  } catch {
+  }
+}
+async function waitForManagedDaemonPids(slockHome, serverIds, opts) {
+  const readPidfile = opts.readPidfile ?? readPidfileAt;
+  const isAlive = opts.isProcessAlive ?? isProcessAlive2;
+  const sleep2 = opts.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  const timeoutMs = opts.ensureTimeoutMs ?? START_ENSURE_TIMEOUT_MS;
+  const pollIntervalMs = opts.ensurePollIntervalMs ?? START_ENSURE_POLL_INTERVAL_MS;
+  const deadline = Date.now() + timeoutMs;
+  const ready = /* @__PURE__ */ new Map();
+  while (ready.size < serverIds.length) {
+    for (const serverId of serverIds) {
+      if (ready.has(serverId)) continue;
+      const pid = await readPidfile(serverDaemonPidPath(slockHome, serverId));
+      if (pid && isAlive(pid)) ready.set(serverId, pid);
+    }
+    if (ready.size === serverIds.length) return ready;
+    const remaining = deadline - Date.now();
+    if (remaining <= 0) return ready;
+    await sleep2(Math.min(pollIntervalMs, remaining));
+  }
+  return ready;
+}
+function buildTimeoutMessage(slockHome, serverIds, ready, input) {
+  const missing = serverIds.filter((id) => !ready.has(id));
+  const target = input.serverId && missing.length === 1 ? `${input.serverLabel ?? input.serverId}` : `${missing.length} daemon(s): ${missing.join(", ")}`;
+  return `Timed out waiting for ${target} to start. Run \`slock-computer status\` and inspect ${supervisorLogPath(slockHome)} plus per-server daemon logs under ~/.slock/computer/servers/<serverId>/daemon.log.`;
+}
+async function start(input, options = {}) {
+  options.signal?.throwIfAborted?.();
+  const slockHome = resolveSlockHome();
+  const attached = await listAttachedServerIds(slockHome);
+  if (attached.length === 0) {
+    throw new ComputerServiceError(
+      "NO_ATTACHMENT",
+      "No server attachments yet. Run `slock-computer attach <serverId>` first."
+    );
+  }
+  if (input.serverId && !attached.includes(input.serverId)) {
+    throw new ComputerServiceError(
+      "NOT_ATTACHED",
+      `Not attached to server ${input.serverId}. Run \`slock-computer attach ${input.serverId}\` first or omit the argument.`
+    );
+  }
+  const managedTargets = input.serverId ? [input.serverId] : attached;
+  emit4(options, {
+    type: "starting",
+    managedTargets,
+    attachedCount: attached.length,
+    foreground: !!input.foreground
+  });
+  for (const id of managedTargets) {
+    await setServerManaged(slockHome, id);
+  }
+  const existing = await readPidfileAt(supervisorPidPath(slockHome));
+  if (existing && isProcessAlive2(existing)) {
+    emit4(options, {
+      type: "already_running",
+      supervisorPid: existing,
+      managedTargets,
+      attachedCount: attached.length
+    });
+    const ready2 = await waitForManagedDaemonPids(slockHome, managedTargets, options);
+    if (ready2.size !== managedTargets.length) {
+      throw new ComputerServiceError(
+        "START_DAEMON_TIMEOUT",
+        buildTimeoutMessage(slockHome, managedTargets, ready2, input)
+      );
+    }
+    emit4(options, { type: "ready", ready: ready2, managedTargets });
+    return {
+      status: "already_running",
+      managedTargets,
+      attachedCount: attached.length,
+      ready: ready2,
+      supervisorPid: existing,
+      supervisorLogPath: supervisorLogPath(slockHome)
+    };
+  }
+  if (input.foreground) {
+    emit4(options, {
+      type: "running",
+      managedTargets,
+      attachedCount: attached.length
+    });
+    const supervise = options.runSupervise ?? runSupervise;
+    const previousParentLockMarker = process.env[PARENT_LOCK_HELD_ENV_VAR];
+    process.env[PARENT_LOCK_HELD_ENV_VAR] = "1";
+    try {
+      await supervise();
+    } finally {
+      if (previousParentLockMarker === void 0) delete process.env[PARENT_LOCK_HELD_ENV_VAR];
+      else process.env[PARENT_LOCK_HELD_ENV_VAR] = previousParentLockMarker;
+    }
+    return {
+      status: "running",
+      managedTargets,
+      attachedCount: attached.length,
+      ready: /* @__PURE__ */ new Map(),
+      supervisorPid: null,
+      supervisorLogPath: supervisorLogPath(slockHome)
+    };
+  }
+  options.signal?.throwIfAborted?.();
+  let pid;
+  try {
+    pid = await (options.spawnDetachedSupervisor ?? spawnDetachedSupervisor)(slockHome);
   } catch (err) {
-    return err.code === "EPERM";
+    const msg = err instanceof Error ? err.message : String(err);
+    throw new ComputerServiceError("SUPERVISOR_SPAWN_FAILED", msg, err);
   }
+  emit4(options, {
+    type: "spawned",
+    supervisorPid: pid,
+    managedTargets,
+    attachedCount: attached.length
+  });
+  if (options.signal?.aborted) {
+    const ready2 = await pollReadyOnce(slockHome, managedTargets, options);
+    emit4(options, { type: "aborted", supervisorPid: pid, managedTargets, ready: ready2 });
+    return {
+      status: "aborted",
+      managedTargets,
+      attachedCount: attached.length,
+      ready: ready2,
+      supervisorPid: pid,
+      supervisorLogPath: supervisorLogPath(slockHome)
+    };
+  }
+  const ready = await waitForManagedDaemonPids(slockHome, managedTargets, options);
+  if (ready.size !== managedTargets.length) {
+    throw new ComputerServiceError(
+      "START_DAEMON_TIMEOUT",
+      buildTimeoutMessage(slockHome, managedTargets, ready, input)
+    );
+  }
+  emit4(options, { type: "ready", ready, managedTargets });
+  return {
+    status: "spawned",
+    managedTargets,
+    attachedCount: attached.length,
+    ready,
+    supervisorPid: pid,
+    supervisorLogPath: supervisorLogPath(slockHome)
+  };
 }
-async function writePidfileAt(pidfilePath, pid) {
-  await mkdir7(dirname7(pidfilePath), { recursive: true });
-  await writeFile6(pidfilePath, String(pid), { mode: 384 });
+async function pollReadyOnce(slockHome, serverIds, opts) {
+  const readPidfile = opts.readPidfile ?? readPidfileAt;
+  const isAlive = opts.isProcessAlive ?? isProcessAlive2;
+  const ready = /* @__PURE__ */ new Map();
+  for (const serverId of serverIds) {
+    const pid = await readPidfile(serverDaemonPidPath(slockHome, serverId));
+    if (pid && isAlive(pid)) ready.set(serverId, pid);
+  }
+  return ready;
 }
-async function clearPidfileAt(pidfilePath) {
+
+// src/services/stop.ts
+init_esm_shims();
+var STOP_POLL_INTERVAL_MS = 200;
+var STOP_TIMEOUT_MS = 5e3;
+function emit5(opts, event) {
+  const cb = opts?.onEvent;
+  if (!cb) return;
   try {
-    await unlink4(pidfilePath);
+    cb(event);
   } catch {
   }
 }
+async function stop(input = {}, options = {}) {
+  void input;
+  options.signal?.throwIfAborted?.();
+  const slockHome = resolveSlockHome();
+  const readPidfile = options.readPidfile ?? readPidfileAt;
+  const isAlive = options.isProcessAlive ?? isProcessAlive2;
+  const killer = options.killSupervisor ?? ((pid2) => {
+    process.kill(pid2, "SIGTERM");
+  });
+  const sleep2 = options.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+  const pollIntervalMs = options.pollIntervalMs ?? STOP_POLL_INTERVAL_MS;
+  const timeoutMs = options.timeoutMs ?? STOP_TIMEOUT_MS;
+  const pidfilePath = supervisorPidPath(slockHome);
+  const pid = await readPidfile(pidfilePath);
+  emit5(options, { type: "stopping", pid });
+  if (pid === null) {
+    emit5(options, { type: "not_running" });
+    return { status: "not_running", pid: null, pidfilePath };
+  }
+  if (!isAlive(pid)) {
+    await clearPidfileAt(pidfilePath);
+    emit5(options, { type: "stale_pidfile_cleared", pid });
+    return { status: "stale_pidfile_cleared", pid, pidfilePath };
+  }
+  options.signal?.throwIfAborted?.();
+  try {
+    killer(pid);
+  } catch (err) {
+    const cause = err instanceof Error ? err : new Error(String(err));
+    throw new ComputerServiceError(
+      "STOP_SIGNAL_FAILED",
+      `Failed to send SIGTERM to supervisor (pid ${pid}): ${cause.message}. Check process permissions or run: kill ${pid}`,
+      err
+    );
+  }
+  emit5(options, { type: "signaled", pid });
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    options.signal?.throwIfAborted?.();
+    if (!isAlive(pid)) {
+      await clearPidfileAt(pidfilePath);
+      emit5(options, { type: "stopped", pid });
+      return { status: "stopped", pid, pidfilePath };
+    }
+    const remaining = deadline - Date.now();
+    if (remaining <= 0) break;
+    await sleep2(Math.min(pollIntervalMs, remaining));
+  }
+  throw new ComputerServiceError(
+    "STOP_TIMEOUT",
+    `Supervisor (pid ${pid}) did not exit within ${timeoutMs}ms after SIGTERM. Force-kill with: kill -9 ${pid}`
+  );
+}
+
+// src/services/detach.ts
+init_esm_shims();
+var import_undici2 = __toESM(require_undici(), 1);
+var REVOKE_TIMEOUT_MS = 3e3;
+function emit6(opts, event) {
+  const cb = opts?.onEvent;
+  if (!cb) return;
+  try {
+    cb(event);
+  } catch {
+  }
+}
+async function bestEffortServerRevoke(fetchImpl, serverUrl, apiKey, serverId, timeoutMs) {
+  const url = `${serverUrl.replace(/\/$/, "")}/internal/computer/attachment/revoke`;
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetchImpl(url, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        authorization: `Bearer ${apiKey}`
+      },
+      body: JSON.stringify({ reason: "computer_detach" }),
+      signal: controller.signal
+    });
+    if (!res.ok) {
+      return {
+        kind: "http_error",
+        status: res.status,
+        message: `server-side revoke for server ${serverId} returned HTTP ${res.status}; local detach proceeds, but the credential may remain valid until it expires.`
+      };
+    }
+    return { kind: "success" };
+  } catch (err) {
+    const m = err instanceof Error ? err.message : String(err);
+    return {
+      kind: "network_error",
+      message: `server-side revoke for server ${serverId} failed: ${m}. Local detach proceeds, but the credential may remain valid until it expires.`
+    };
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+async function detach(input, options = {}) {
+  options.signal?.throwIfAborted?.();
+  const serverId = assertValidServerId(input.serverId);
+  const serverLabel = input.serverLabel ?? serverId;
+  const slockHome = resolveSlockHome();
+  const attachment = await readServerAttachment(slockHome, serverId);
+  if (!attachment) {
+    throw new ComputerServiceError(
+      "NOT_ATTACHED",
+      `Not attached to server ${serverLabel} (nothing to detach).`
+    );
+  }
+  emit6(options, { type: "detaching", serverId, serverLabel });
+  options.signal?.throwIfAborted?.();
+  const fetchImpl = options.fetch ?? import_undici2.fetch;
+  const timeoutMs = options.revokeTimeoutMs ?? REVOKE_TIMEOUT_MS;
+  const outcome = await bestEffortServerRevoke(
+    fetchImpl,
+    attachment.serverUrl,
+    attachment.apiKey,
+    serverId,
+    timeoutMs
+  );
+  let revokeOutcome;
+  let revokeHttpStatus;
+  if (outcome.kind === "success") {
+    revokeOutcome = "success";
+    emit6(options, { type: "revoke_succeeded", serverId, serverLabel });
+  } else if (outcome.kind === "http_error") {
+    revokeOutcome = "http_error";
+    revokeHttpStatus = outcome.status;
+    emit6(options, {
+      type: "revoke_failed",
+      serverId,
+      serverLabel,
+      reason: "http_error",
+      httpStatus: outcome.status,
+      message: outcome.message
+    });
+  } else {
+    revokeOutcome = "network_error";
+    emit6(options, {
+      type: "revoke_failed",
+      serverId,
+      serverLabel,
+      reason: "network_error",
+      message: outcome.message
+    });
+  }
+  options.signal?.throwIfAborted?.();
+  await clearServerManaged(slockHome, serverId);
+  const subtree = [
+    serverAttachmentPath(slockHome, serverId),
+    serverDaemonPidPath(slockHome, serverId),
+    serverDaemonLogPath(slockHome, serverId)
+  ];
+  for (const p of subtree) await clearPidfileAt(p);
+  emit6(options, { type: "subtree_cleared", serverId, serverLabel });
+  emit6(options, { type: "detached", serverId, serverLabel });
+  return {
+    status: "detached",
+    serverId,
+    serverLabel,
+    revokeOutcome,
+    revokeHttpStatus
+  };
+}
+
+// src/supervisor.ts
 function buildResidentSpawn(mode, serverId, selfEntry = process.argv[1] ?? "", execArgv = process.execArgv) {
   const tail = serverId ? [mode, serverId] : [mode];
   return { command: process.execPath, args: [...execArgv, selfEntry, ...tail] };
 }
 var PARENT_LOCK_HELD_ENV_VAR = "SLOCK_COMPUTER_PARENT_MUTATION_LOCK_HELD";
 async function spawnDetachedSupervisor(slockHome) {
-  await mkdir7(computerDir(slockHome), { recursive: true });
+  await mkdir8(computerDir(slockHome), { recursive: true });
   const supLogFd = await open(supervisorLogPath(slockHome), "a");
   const { command, args } = buildResidentSpawn("__supervise", null);
   const child = spawn2(command, args, {
@@ -31034,29 +31600,6 @@ async function runResident(serverId, deps = {}) {
 }
 var RECONCILE_INTERVAL_MS = 5e3;
 var CHILD_RESTART_BACKOFF_MS = 2e3;
-var START_ENSURE_TIMEOUT_MS = 15e3;
-var START_ENSURE_POLL_INTERVAL_MS = 100;
-async function waitForManagedDaemonPids(slockHome, serverIds, deps) {
-  const readPidfile = deps.readPidfile ?? readPidfileAt;
-  const isAlive = deps.isProcessAlive ?? isProcessAlive2;
-  const sleep2 = deps.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
-  const timeoutMs = deps.ensureTimeoutMs ?? START_ENSURE_TIMEOUT_MS;
-  const pollIntervalMs = deps.ensurePollIntervalMs ?? START_ENSURE_POLL_INTERVAL_MS;
-  const deadline = Date.now() + timeoutMs;
-  const ready = /* @__PURE__ */ new Map();
-  while (ready.size < serverIds.length) {
-    for (const serverId of serverIds) {
-      if (ready.has(serverId)) continue;
-      const pid = await readPidfile(serverDaemonPidPath(slockHome, serverId));
-      if (pid && isAlive(pid)) ready.set(serverId, pid);
-    }
-    if (ready.size === serverIds.length) return ready;
-    const remaining = deadline - Date.now();
-    if (remaining <= 0) return ready;
-    await sleep2(Math.min(pollIntervalMs, remaining));
-  }
-  return ready;
-}
 function formatReadySummary(ready, serverIds, opts) {
   if (opts.serverId && serverIds.length === 1) {
     const pid = ready.get(opts.serverId);
@@ -31064,14 +31607,6 @@ function formatReadySummary(ready, serverIds, opts) {
   }
   return `Daemons for ${serverIds.length} managed server(s) are running.`;
 }
-function failStartEnsureTimeout(slockHome, serverIds, ready, opts) {
-  const missing = serverIds.filter((id) => !ready.has(id));
-  const target = opts.serverId && missing.length === 1 ? `${opts.serverLabel ?? opts.serverId}` : `${missing.length} daemon(s): ${missing.join(", ")}`;
-  fail(
-    "START_DAEMON_TIMEOUT",
-    `Timed out waiting for ${target} to start. Run \`slock-computer status\` and inspect ${supervisorLogPath(slockHome)} plus per-server daemon logs under ~/.slock/computer/servers/<serverId>/daemon.log.`
-  );
-}
 async function runSupervisorStartupRecovery(slockHome) {
   const parentHoldsLock = process.env[PARENT_LOCK_HELD_ENV_VAR] === "1";
   try {
@@ -31105,10 +31640,10 @@ async function runSupervisorStartupRecovery(slockHome) {
 }
 async function resolveSupervisorIdentity() {
   const here = fileURLToPath2(import.meta.url);
-  const installRoot = dirname7(dirname7(here));
+  const installRoot = dirname8(dirname8(here));
   let version = null;
   try {
-    const raw = await readFile5(joinPath(installRoot, "package.json"), "utf8");
+    const raw = await readFile7(joinPath(installRoot, "package.json"), "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version === "string" && parsed.version.length > 0) {
       version = parsed.version;
@@ -31128,7 +31663,7 @@ async function writeSupervisorVersionEvidence(slockHome) {
     };
     const dest = supervisorVersionPath(slockHome);
     const tmp = `${dest}.tmp`;
-    await writeFile6(tmp, JSON.stringify(payload) + "\n", { mode: 384 });
+    await writeFile7(tmp, JSON.stringify(payload) + "\n", { mode: 384 });
     await rename2(tmp, dest);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
@@ -31140,7 +31675,7 @@ async function writeSupervisorVersionEvidence(slockHome) {
 }
 async function readSupervisorVersionEvidence(slockHome) {
   try {
-    const raw = await readFile5(supervisorVersionPath(slockHome), "utf8");
+    const raw = await readFile7(supervisorVersionPath(slockHome), "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.installRoot !== "string" || typeof parsed.pid !== "number" || typeof parsed.writtenAt !== "string" || parsed.version !== null && typeof parsed.version !== "string") {
       return null;
@@ -31157,7 +31692,7 @@ async function readSupervisorVersionEvidence(slockHome) {
 }
 async function runSupervise() {
   const slockHome = resolveSlockHome();
-  await mkdir7(computerDir(slockHome), { recursive: true });
+  await mkdir8(computerDir(slockHome), { recursive: true });
   await runSupervisorStartupRecovery(slockHome);
   await writePidfileAt(supervisorPidPath(slockHome), process.pid);
   await writeSupervisorVersionEvidence(slockHome);
@@ -31165,7 +31700,7 @@ async function runSupervise() {
   const { [PARENT_LOCK_HELD_ENV_VAR]: _parentLockMarker, ...childEnv } = process.env;
   const spawnChild = async (serverId) => {
     const logPath = serverDaemonLogPath(slockHome, serverId);
-    await mkdir7(dirname7(logPath), { recursive: true });
+    await mkdir8(dirname8(logPath), { recursive: true });
     const logFd = await open(logPath, "a");
     const { command, args } = buildResidentSpawn("__run", serverId);
     const child = spawn2(command, args, {
@@ -31254,157 +31789,127 @@ async function runSupervise() {
   });
 }
 async function runStart(opts = {}, deps = {}) {
-  const slockHome = resolveSlockHome();
-  const attached = await listAttachedServerIds(slockHome);
-  if (attached.length === 0) {
-    fail(
-      "NO_ATTACHMENT",
-      "No server attachments yet. Run `slock-computer attach <serverId>` first."
-    );
-  }
-  if (opts.serverId && !attached.includes(opts.serverId)) {
-    fail(
-      "NOT_ATTACHED",
-      `Not attached to server ${opts.serverId}. Run \`slock-computer attach ${opts.serverId}\` first or omit the argument.`
-    );
-  }
-  const managedTargets = opts.serverId ? [opts.serverId] : attached;
-  for (const id of managedTargets) {
-    await setServerManaged(slockHome, id);
-  }
-  const existing = await readPidfileAt(supervisorPidPath(slockHome));
-  if (existing && isProcessAlive2(existing)) {
-    info(`Supervisor already running (pid ${existing}).`);
-    const ready2 = await waitForManagedDaemonPids(slockHome, managedTargets, deps);
-    if (ready2.size !== managedTargets.length) {
-      failStartEnsureTimeout(slockHome, managedTargets, ready2, opts);
-    }
-    info(formatReadySummary(ready2, managedTargets, opts));
-    return;
-  }
-  if (opts.foreground) {
-    info(
-      `Running supervisor in the foreground (managing ${managedTargets.length} of ${attached.length} attached server(s)). Ctrl-C to stop.`
-    );
-    await runSupervise();
-    return;
-  }
-  let pid;
+  let spawnedBackground = null;
   try {
-    pid = await (deps.spawnDetachedSupervisor ?? spawnDetachedSupervisor)(slockHome);
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    fail("SUPERVISOR_SPAWN_FAILED", msg);
-  }
-  info(`Supervisor started (pid ${pid}); keeps running after this terminal closes.`);
-  const ready = await waitForManagedDaemonPids(slockHome, managedTargets, deps);
-  if (ready.size !== managedTargets.length) {
-    failStartEnsureTimeout(slockHome, managedTargets, ready, opts);
-  }
-  info(formatReadySummary(ready, managedTargets, opts));
-  info(
-    `Managing ${managedTargets.length} of ${attached.length} attached server(s). Logs: ${supervisorLogPath(slockHome)}`
-  );
-  info(`Per-server daemon logs: ~/.slock/computer/servers/<serverId>/daemon.log`);
-  info(`Check state with \`slock-computer status\`.`);
-}
-async function runStop(deps = {}) {
-  const slockHome = resolveSlockHome();
-  const readPidfile = deps.readPidfile ?? readPidfileAt;
-  const isAlive = deps.isProcessAlive ?? isProcessAlive2;
-  const killer = deps.killSupervisor ?? ((pid2) => {
-    process.kill(pid2, "SIGTERM");
-  });
-  const sleep2 = deps.sleep ?? ((ms) => new Promise((r) => setTimeout(r, ms)));
-  const pollIntervalMs = deps.pollIntervalMs ?? 200;
-  const timeoutMs = deps.timeoutMs ?? 5e3;
-  const pidfilePath = supervisorPidPath(slockHome);
-  const pid = await readPidfile(pidfilePath);
-  if (pid === null) {
-    info("Supervisor not running.");
-    return;
-  }
-  if (!isAlive(pid)) {
-    await clearPidfileAt(pidfilePath);
-    info(`Supervisor not running (cleared stale pidfile for pid ${pid}).`);
-    return;
-  }
-  try {
-    killer(pid);
-  } catch (err) {
-    fail(
-      "STOP_SIGNAL_FAILED",
-      `Failed to send SIGTERM to supervisor (pid ${pid}): ${err instanceof Error ? err.message : String(err)}. Check process permissions or run: kill ${pid}`
+    await start(
+      {
+        foreground: opts.foreground,
+        serverId: opts.serverId ?? null,
+        serverLabel: opts.serverLabel ?? null
+      },
+      {
+        spawnDetachedSupervisor: deps.spawnDetachedSupervisor,
+        readPidfile: deps.readPidfile,
+        isProcessAlive: deps.isProcessAlive,
+        sleep: deps.sleep,
+        ensureTimeoutMs: deps.ensureTimeoutMs,
+        ensurePollIntervalMs: deps.ensurePollIntervalMs,
+        onEvent: (event) => {
+          if (event.type === "already_running") {
+            info(`Supervisor already running (pid ${event.supervisorPid}).`);
+          } else if (event.type === "running") {
+            info(
+              `Running supervisor in the foreground (managing ${event.managedTargets.length} of ${event.attachedCount} attached server(s)). Ctrl-C to stop.`
+            );
+          } else if (event.type === "spawned") {
+            info(`Supervisor started (pid ${event.supervisorPid}); keeps running after this terminal closes.`);
+            spawnedBackground = {
+              managedCount: event.managedTargets.length,
+              attachedCount: event.attachedCount,
+              logPath: supervisorLogPath(resolveSlockHome())
+            };
+          } else if (event.type === "ready") {
+            info(formatReadySummary(event.ready, event.managedTargets, opts));
+          }
+        }
+      }
     );
-  }
-  const deadline = Date.now() + timeoutMs;
-  while (Date.now() < deadline) {
-    if (!isAlive(pid)) {
-      await clearPidfileAt(pidfilePath);
-      info(`Stopped supervisor (pid ${pid}).`);
-      return;
+  } catch (err) {
+    if (err instanceof CliExit) throw err;
+    if (err instanceof ComputerServiceError) {
+      fail(err.code, err.message);
     }
-    await sleep2(pollIntervalMs);
-  }
-  fail(
-    "STOP_TIMEOUT",
-    `Supervisor (pid ${pid}) did not exit within ${timeoutMs}ms after SIGTERM. Force-kill with: kill -9 ${pid}`
-  );
-}
-async function runDetach(serverId, serverLabel = serverId) {
-  assertValidServerId(serverId);
-  const slockHome = resolveSlockHome();
-  const a = await readServerAttachment(slockHome, serverId);
-  if (!a) {
-    fail("NOT_ATTACHED", `Not attached to server ${serverLabel} (nothing to detach).`);
+    throw err;
   }
-  await bestEffortServerRevoke(a.serverUrl, a.apiKey, serverId);
-  await clearServerManaged(slockHome, serverId);
-  const subtree = [
-    serverAttachmentPath(slockHome, serverId),
-    serverDaemonPidPath(slockHome, serverId),
-    serverDaemonLogPath(slockHome, serverId)
-  ];
-  for (const p of subtree) await clearPidfileAt(p);
-  info(`Detached from server ${serverLabel}.`);
-  info(`The supervisor (if running) will stop that server's daemon on its next reconcile tick.`);
-}
-async function bestEffortServerRevoke(serverUrl, apiKey, serverId) {
-  const url = `${serverUrl.replace(/\/$/, "")}/internal/computer/attachment/revoke`;
-  const controller = new AbortController();
-  const timeout = setTimeout(() => controller.abort(), 3e3);
-  try {
-    const res = await fetch(url, {
-      method: "POST",
-      headers: {
-        "content-type": "application/json",
-        authorization: `Bearer ${apiKey}`
-      },
-      body: JSON.stringify({ reason: "computer_detach" }),
-      signal: controller.signal
-    });
-    if (!res.ok) {
-      process.stderr.write(
-        `Warning: server-side revoke for server ${serverId} returned HTTP ${res.status}; local detach proceeds, but the credential may remain valid until it expires.
-`
-      );
-    }
+  if (spawnedBackground) {
+    const sb = spawnedBackground;
+    info(
+      `Managing ${sb.managedCount} of ${sb.attachedCount} attached server(s). Logs: ${sb.logPath}`
+    );
+    info(`Per-server daemon logs: ~/.slock/computer/servers/<serverId>/daemon.log`);
+    info(`Check state with \`slock-computer status\`.`);
+  }
+}
+async function runStop(deps = {}) {
+  try {
+    await stop(
+      {},
+      {
+        readPidfile: deps.readPidfile,
+        isProcessAlive: deps.isProcessAlive,
+        killSupervisor: deps.killSupervisor,
+        sleep: deps.sleep,
+        pollIntervalMs: deps.pollIntervalMs,
+        timeoutMs: deps.timeoutMs,
+        onEvent: (event) => {
+          if (event.type === "not_running") {
+            info("Supervisor not running.");
+          } else if (event.type === "stale_pidfile_cleared") {
+            info(`Supervisor not running (cleared stale pidfile for pid ${event.pid}).`);
+          } else if (event.type === "stopped") {
+            info(`Stopped supervisor (pid ${event.pid}).`);
+          }
+        }
+      }
+    );
   } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    process.stderr.write(
-      `Warning: server-side revoke for server ${serverId} failed: ${msg}. Local detach proceeds, but the credential may remain valid until it expires.
-`
+    if (err instanceof CliExit) throw err;
+    if (err instanceof ComputerServiceError) {
+      fail(err.code, err.message);
+    }
+    throw err;
+  }
+}
+async function runDetach(serverId, serverLabel = serverId) {
+  try {
+    await detach(
+      { serverId, serverLabel },
+      {
+        onEvent: (event) => {
+          if (event.type === "revoke_failed") {
+            process.stderr.write(`Warning: ${event.message}
+`);
+          } else if (event.type === "detached") {
+            info(`Detached from server ${event.serverLabel}.`);
+            info(
+              `The supervisor (if running) will stop that server's daemon on its next reconcile tick.`
+            );
+          }
+        }
+      }
     );
-  } finally {
-    clearTimeout(timeout);
+  } catch (err) {
+    if (err instanceof CliExit) throw err;
+    if (err instanceof ComputerServiceError) {
+      fail(err.code, err.message);
+    }
+    throw err;
   }
 }
 
 // src/setup.ts
 var USER_SESSION_EXPIRY_LEEWAY_MS = 3e4;
+async function readUserSessionUserId(slockHome) {
+  try {
+    const parsed = JSON.parse(await readFile8(userSessionPath(slockHome), "utf8"));
+    return typeof parsed.userId === "string" ? parsed.userId : "";
+  } catch {
+    return "";
+  }
+}
 async function hasValidUserSession(slockHome) {
   try {
-    const parsed = JSON.parse(await readFile6(userSessionPath(slockHome), "utf8"));
+    const parsed = JSON.parse(await readFile8(userSessionPath(slockHome), "utf8"));
     return parsed.kind === "user-session" && typeof parsed.accessToken === "string" && parsed.accessToken.length > 0 && !isJwtExpired(parsed.accessToken);
   } catch {
     return false;
@@ -31424,7 +31929,7 @@ async function refreshUserSession(slockHome, serverUrl) {
   const file = userSessionPath(slockHome);
   let session;
   try {
-    session = JSON.parse(await readFile6(file, "utf8"));
+    session = JSON.parse(await readFile8(file, "utf8"));
   } catch {
     return false;
   }
@@ -31434,7 +31939,7 @@ async function refreshUserSession(slockHome, serverUrl) {
   const baseUrl = resolveServerUrl(serverUrl, session.serverUrl, process.env.SLOCK_SERVER_URL);
   const tmpFile = `${file}.${process.pid}.${Date.now()}.tmp`;
   try {
-    const res = await (0, import_undici2.fetch)(new URL("/api/auth/refresh", baseUrl).toString(), {
+    const res = await (0, import_undici3.fetch)(new URL("/api/auth/refresh", baseUrl).toString(), {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ refreshToken: session.refreshToken })
@@ -31443,8 +31948,8 @@ async function refreshUserSession(slockHome, serverUrl) {
     if (res.status !== 200 || typeof body?.accessToken !== "string" || typeof body.refreshToken !== "string") {
       return false;
     }
-    await mkdir8(dirname8(file), { recursive: true });
-    await writeFile7(
+    await mkdir9(dirname9(file), { recursive: true });
+    await writeFile8(
       tmpFile,
       JSON.stringify(
         {
@@ -31469,49 +31974,74 @@ async function refreshUserSession(slockHome, serverUrl) {
     return false;
   }
 }
-async function hasLiveLegacyDaemon(slockHome) {
-  let machineDirs;
-  try {
-    machineDirs = await readdir3(join3(slockHome, "machines"));
-  } catch {
-    return false;
-  }
-  for (const name of machineDirs) {
-    if (!name.startsWith("machine-")) continue;
-    try {
-      const raw = await readFile6(join3(slockHome, "machines", name, "daemon.lock", "owner.json"), "utf8");
-      const owner = JSON.parse(raw);
-      if (typeof owner.pid === "number" && isProcessAlive2(owner.pid)) return true;
-    } catch {
-    }
-  }
-  return false;
+async function defaultConfirmMigrate(prompt) {
+  process.stdout.write(prompt);
+  const line = await readLine(false);
+  const norm = line.trim().toLowerCase();
+  return norm === "y" || norm === "yes";
 }
-function hasExplicitLegacyKeyInput(opts) {
-  return typeof opts.legacyApiKey === "string" && opts.legacyApiKey.length > 0 || typeof opts.legacyApiKeyFile === "string" && opts.legacyApiKeyFile.length > 0 || opts.legacyApiKeyStdin === true;
+async function defaultReadMigrateSecret(prompt) {
+  process.stdout.write(prompt);
+  const line = await readLine(true);
+  process.stdout.write("\n");
+  return line.trim();
 }
-function hasAmbientLegacyKeyInput() {
-  return typeof process.env.SLOCK_LEGACY_API_KEY === "string" && process.env.SLOCK_LEGACY_API_KEY.trim().length > 0;
+async function readLine(masked) {
+  const stdin = process.stdin;
+  const wasRaw = stdin.isTTY === true && stdin.isRaw === true;
+  const enterRaw = masked && stdin.isTTY === true && typeof stdin.setRawMode === "function";
+  if (enterRaw) stdin.setRawMode(true);
+  stdin.resume();
+  return await new Promise((resolve) => {
+    let buf = "";
+    const cleanup = () => {
+      stdin.off("data", onData);
+      stdin.off("end", onEnd);
+      stdin.pause();
+      if (enterRaw) stdin.setRawMode(wasRaw);
+    };
+    const onData = (chunk) => {
+      const text = typeof chunk === "string" ? chunk : chunk.toString("utf8");
+      for (const ch of text) {
+        if (ch === "\n" || ch === "\r") {
+          cleanup();
+          resolve(buf);
+          return;
+        }
+        if (ch === "") {
+          cleanup();
+          resolve("");
+          return;
+        }
+        if (ch === "\x7F" || ch === "\b") {
+          buf = buf.slice(0, -1);
+          continue;
+        }
+        buf += ch;
+      }
+    };
+    const onEnd = () => {
+      cleanup();
+      resolve(buf);
+    };
+    stdin.on("data", onData);
+    stdin.on("end", onEnd);
+  });
 }
 async function runSetup(opts, deps = {}) {
   const slockHome = resolveSlockHome();
   const isTty = deps.isTty ?? Boolean(process.stdin.isTTY && process.stdout.isTTY);
-  const login = deps.runLogin ?? runLogin;
-  const attach = deps.runAttach ?? runAttach;
-  const adopt = deps.runAdoptLegacy ?? runAdoptLegacy;
-  const start = deps.runStart ?? runStart;
+  const login2 = deps.runLogin ?? runLogin;
+  const attach2 = deps.runAttach ?? runAttach;
+  const start2 = deps.runStart ?? runStart;
   const refreshSession = deps.refreshUserSession ?? refreshUserSession;
-  const legacyDaemonCheck = deps.hasLiveLegacyDaemon ?? hasLiveLegacyDaemon;
+  const detectMigration = deps.detectLegacyMigration ?? detectLegacyMigration;
+  const confirmMigrate = deps.confirmMigrate ?? defaultConfirmMigrate;
+  const readMigrateSecret = deps.readMigrateSecret ?? defaultReadMigrateSecret;
   if (!isTty && !opts.yes) {
     fail(
       "NON_INTERACTIVE_SETUP_REQUIRES_FLAGS",
-      "Non-interactive setup requires --yes after you have confirmed the login/attach/adopt/start actions. Run `slock-computer login`, `slock-computer attach`, and `slock-computer start` separately for fully explicit automation."
-    );
-  }
-  if (!opts.adoptLegacy && hasExplicitLegacyKeyInput(opts)) {
-    fail(
-      "LEGACY_KEY_OUTSIDE_ADOPT",
-      "`--legacy-api-key*` options are only accepted with `slock-computer setup --adopt-legacy` or `slock-computer adopt-legacy`."
+      "Non-interactive setup requires --yes after you have confirmed the login/attach/start actions. Run `slock-computer login`, `slock-computer attach`, and `slock-computer start` separately for fully explicit automation."
     );
   }
   const label = formatServerSlugDisplay(opts.serverSlug);
@@ -31527,7 +32057,7 @@ async function runSetup(opts, deps = {}) {
         );
       }
       info("User session: missing or expired; starting login.");
-      await login({ serverUrl: opts.serverUrl, orchestrated: true });
+      await login2({ serverUrl: opts.serverUrl, orchestrated: true });
     }
   } else {
     info("User session: already logged in.");
@@ -31536,35 +32066,83 @@ async function runSetup(opts, deps = {}) {
   if (attachment) {
     info(`Attachment: already attached to ${label}.`);
   } else {
-    const liveLegacy = await legacyDaemonCheck(slockHome);
-    const explicitLegacyKey = hasExplicitLegacyKeyInput(opts);
-    const hasLegacyKey = explicitLegacyKey || opts.adoptLegacy === true && hasAmbientLegacyKeyInput();
-    if (!opts.adoptLegacy && liveLegacy) {
-      fail(
-        "LEGACY_DAEMON_RUNNING",
-        `A legacy daemon appears to be running in ${slockHome}, so Computer setup stopped before creating a second attachment. To proceed: try the Computer beta in an isolated home with \`SLOCK_HOME=$HOME/.slock-computer-beta slock-computer setup ${label}\`; or stop the legacy daemon with \`pkill -f slock-daemon && rm -f ~/.slock/daemon.pid\`; or migrate the existing daemon with \`--adopt-legacy --legacy-api-key <key>\`.`
-      );
-    }
-    if (opts.adoptLegacy && hasLegacyKey) {
-      await adopt({
-        serverSlug: opts.serverSlug,
-        serverUrl: opts.serverUrl,
-        name: opts.name,
-        legacyApiKey: opts.legacyApiKey,
-        legacyApiKeyFile: opts.legacyApiKeyFile,
-        legacyApiKeyStdin: opts.legacyApiKeyStdin,
-        orchestrated: true
-      });
-    } else if (opts.adoptLegacy && liveLegacy) {
-      fail(
-        "LEGACY_DAEMON_RUNNING",
-        `A legacy daemon is running in ${slockHome}, but no legacy key was provided. To proceed: provide --legacy-api-key-file/--legacy-api-key/--legacy-api-key-stdin to adopt it; or stop the legacy daemon with \`pkill -f slock-daemon && rm -f ~/.slock/daemon.pid\`; or use an isolated home with \`SLOCK_HOME=$HOME/.slock-computer-beta slock-computer setup ${label}\` for a clean beta trial.`
-      );
-    } else {
-      if (opts.adoptLegacy) {
-        info("Legacy key: not provided; falling back to fresh device-login attach.");
+    let migrated = false;
+    if (isTty) {
+      const detection = await detectMigration(slockHome, await readUserSessionUserId(slockHome));
+      if (detection.kind === "match") {
+        const where = detection.serverUrl ? ` attached to ${detection.serverUrl}` : "";
+        const who = detection.machineName ? ` "${detection.machineName}"` : "";
+        const accepted = await confirmMigrate(
+          `Migration: detected legacy daemon machine${who}${where}. Migrate it under Computer instead of creating a fresh attachment? [y/N] `
+        );
+        if (accepted) {
+          const rawKey = await readMigrateSecret(
+            "Paste legacy api key (sk_machine_* or sk_daemon_*); input is hidden: "
+          );
+          if (rawKey.length === 0) {
+            info("Migration: no key provided; falling back to fresh attach.");
+          } else if (!rawKey.startsWith("sk_machine_") && !rawKey.startsWith("sk_daemon_")) {
+            fail(
+              "LEGACY_KEY_INVALID",
+              "Provided key does not look like a legacy machine key (expected `sk_machine_*` or `sk_daemon_*`)."
+            );
+          } else {
+            try {
+              await adoptLegacy(
+                {
+                  serverSlug: opts.serverSlug,
+                  serverUrl: opts.serverUrl,
+                  name: opts.name,
+                  rawKey,
+                  mode: "legacy_key_stdin",
+                  redactedPrefix: rawKey.slice(0, 8)
+                },
+                {
+                  onEvent: (event) => {
+                    if (event.type === "adopting") {
+                      info(
+                        `Adopting legacy daemon for ${formatServerSlugDisplay(event.serverSlug)} via ${event.mode}\u2026`
+                      );
+                    } else if (event.type === "preflight") {
+                      info(
+                        event.resumed ? "Adopted (resumed prior attachment); running preflight\u2026" : "Adopted; running preflight\u2026"
+                      );
+                    } else if (event.type === "adopted") {
+                      info(`Adopted. Computer state written to ${event.attachmentPath}`);
+                      info(`  server:        ${formatServerSlugDisplay(event.serverSlug)}`);
+                      info(`  serverMachine: ${event.serverMachineId}`);
+                      info(`  legacyMachine: ${event.legacyMachineId}`);
+                      switch (event.legacyStop.outcome) {
+                        case "absent":
+                          info("  legacy daemon: not detected on this Computer (no local lock file)");
+                          break;
+                        case "already_dead":
+                          info(`  legacy daemon: already stopped (pid ${event.legacyStop.pid} not running)`);
+                          break;
+                        case "stopped":
+                          info(`  legacy daemon: stopped (pid ${event.legacyStop.pid}, SIGTERM)`);
+                          break;
+                      }
+                    }
+                  }
+                }
+              );
+              migrated = true;
+            } catch (err) {
+              if (err instanceof CliExit) throw err;
+              if (err instanceof ComputerServiceError) {
+                fail(err.code, err.message);
+              }
+              throw err;
+            }
+          }
+        } else {
+          info("Migration: declined; falling back to fresh attach.");
+        }
       }
-      await attach({
+    }
+    if (!migrated) {
+      await attach2({
         serverSlug: opts.serverSlug,
         serverUrl: opts.serverUrl,
         name: opts.name,
@@ -31576,7 +32154,7 @@ async function runSetup(opts, deps = {}) {
     if (!attachment) {
       fail(
         "SETUP_ATTACHMENT_MISSING",
-        `Setup did not produce a local attachment for ${label}. Re-run \`slock-computer attach ${label}\` or \`slock-computer adopt-legacy ${label}\`.`
+        `Setup did not produce a local attachment for ${label}. Re-run \`slock-computer attach ${label}\`.`
       );
     }
   }
@@ -31584,7 +32162,7 @@ async function runSetup(opts, deps = {}) {
     info(`Start: skipped (--no-start). Run \`slock-computer start ${label}\` when ready.`);
     return;
   }
-  await start({
+  await start2({
     serverId: attachment.serverId,
     serverLabel: opts.serverSlug,
     foreground: opts.foreground
@@ -31593,10 +32171,10 @@ async function runSetup(opts, deps = {}) {
 
 // src/status.ts
 init_esm_shims();
-import { readFile as readFile7 } from "fs/promises";
+import { readFile as readFile9 } from "fs/promises";
 async function readUserSession(path3) {
   try {
-    const parsed = JSON.parse(await readFile7(path3, "utf8"));
+    const parsed = JSON.parse(await readFile9(path3, "utf8"));
     if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
       return { state: "present", session: parsed, error: null };
     }
@@ -31624,32 +32202,31 @@ async function deriveHealth(slockHome, serverId, daemon) {
   if (await isDegraded(slockHome, serverId)) return "degraded";
   return "ok";
 }
-async function buildStatusReport() {
-  const slockHome = resolveSlockHome();
-  const sessionRead = await readUserSession(userSessionPath(slockHome));
+async function buildStatusReport(installRoot) {
+  const sessionRead = await readUserSession(userSessionPath(installRoot));
   const session = sessionRead.session;
-  const attachments = await listServerAttachments(slockHome);
+  const attachments = await listServerAttachments(installRoot);
   const supervisor = {
-    ...await pidStatus(supervisorPidPath(slockHome)),
-    logPath: supervisorLogPath(slockHome)
+    ...await pidStatus(supervisorPidPath(installRoot)),
+    logPath: supervisorLogPath(installRoot)
   };
   const servers = [];
   for (const a of attachments) {
-    const daemon = await pidStatus(serverDaemonPidPath(slockHome, a.serverId));
+    const daemon = await pidStatus(serverDaemonPidPath(installRoot, a.serverId));
     servers.push({
       serverId: a.serverId,
       serverSlug: a.serverSlug ?? null,
       serverMachineId: a.serverMachineId,
       serverUrl: a.serverUrl,
       attachedAt: a.attachedAt ?? null,
-      daemonLogPath: serverDaemonLogPath(slockHome, a.serverId),
+      daemonLogPath: serverDaemonLogPath(installRoot, a.serverId),
       daemon,
-      health: await deriveHealth(slockHome, a.serverId, daemon)
+      health: await deriveHealth(installRoot, a.serverId, daemon)
     });
   }
   const loggedIn = session?.kind === "user-session" && typeof session.accessToken === "string" && session.accessToken.length > 0;
   return {
-    slockHome,
+    slockHome: installRoot,
     loggedIn,
     userId: session ? str(session.userId) : null,
     loginServerUrl: session ? str(session.serverUrl) : null,
@@ -31662,7 +32239,7 @@ function pad(s, n) {
   return s.length >= n ? s : s + " ".repeat(n - s.length);
 }
 async function runStatus(opts) {
-  const report = await buildStatusReport();
+  const report = await buildStatusReport(resolveSlockHome());
   if (opts.json) {
     info(JSON.stringify(report, null, 2));
     return;
@@ -31767,42 +32344,92 @@ async function resolveTargetAttachment(opts) {
   return a;
 }
 
+// src/lib/readers.ts
+init_esm_shims();
+
+// src/lib/types.ts
+init_esm_shims();
+var StateReaderError = class extends Error {
+  code;
+  constructor(code, message) {
+    super(message);
+    this.name = "StateReaderError";
+    this.code = code;
+  }
+};
+
+// src/lib/readers.ts
+async function listRunners(installRoot, opts = {}) {
+  const all = await listServerAttachments(installRoot);
+  let subset = all;
+  if (opts.serverId !== void 0) {
+    const found = all.find((a) => a.serverId === opts.serverId);
+    if (!found) {
+      throw new StateReaderError(
+        "NOT_ATTACHED",
+        `Server ${opts.serverId} is not attached to this Computer.`
+      );
+    }
+    subset = [found];
+  }
+  const servers = [];
+  for (const a of subset) {
+    const client = new RunnersClient(a.serverUrl, a.apiKey);
+    const result = await client.list();
+    const idCols = { serverId: a.serverId, serverSlug: a.serverSlug ?? null };
+    if (result.status === "success") {
+      servers.push({
+        ...idCols,
+        status: "ok",
+        whitelist: result.whitelist,
+        runners: result.runners
+      });
+    } else if (result.status === "unauthorized") {
+      servers.push({ ...idCols, status: "unauthorized" });
+    } else {
+      servers.push({ ...idCols, status: "error", code: result.code });
+    }
+  }
+  return { servers };
+}
+
 // src/runners.ts
 async function runRunnersList(opts) {
-  const a = await resolveTargetAttachment({ server: opts.server });
-  const client = new RunnersClient(a.serverUrl, a.apiKey);
-  const result = await client.list();
-  const label = a.serverSlug ? formatServerSlugDisplay(a.serverSlug) : a.serverId;
-  if (result.status === "unauthorized") {
+  const serverId = await resolveTargetServerId({ server: opts.server });
+  const installRoot = resolveSlockHome();
+  const { servers } = await listRunners(installRoot, { serverId });
+  const block = servers[0];
+  const label = block.serverSlug ? formatServerSlugDisplay(block.serverSlug) : block.serverId;
+  if (block.status === "unauthorized") {
     fail(
       "RUNNERS_UNAUTHORIZED",
       `The Computer credential for ${label} was rejected. Re-run \`slock-computer attach ${label}\`.`
     );
   }
-  if (result.status === "error") {
+  if (block.status === "error") {
     fail(
       "RUNNERS_LIST_FAILED",
-      `Could not list runners on ${label} (${result.code}). Check --server-url / server version.`
+      `Could not list runners on ${label} (${block.code}). Check --server-url / server version.`
     );
   }
   if (opts.json) {
     info(
       JSON.stringify(
-        { server: label, serverId: a.serverId, whitelist: result.whitelist, runners: result.runners },
+        { server: label, serverId: block.serverId, whitelist: block.whitelist, runners: block.runners },
         null,
         2
       )
     );
     return;
   }
-  if (result.runners.length === 0) {
+  if (block.runners.length === 0) {
     info(`No runners on server ${label}.`);
     return;
   }
   info("");
   info(`Server ${label}:`);
   info("  AGENT                                 STATUS     RUNTIME   MODEL          NAME");
-  for (const r of result.runners) {
+  for (const r of block.runners) {
     info(
       `  ${r.agentId.padEnd(38)}${(r.status ?? "").padEnd(11)}${(r.runtime ?? "").padEnd(10)}${(r.model ?? "").padEnd(15)}${r.name ?? ""}`
     );
@@ -31851,7 +32478,8 @@ function redactSecrets(line) {
   return out;
 }
 async function runDoctorChecks() {
-  const report = await buildStatusReport();
+  const slockHome = resolveSlockHome();
+  const report = await buildStatusReport(slockHome);
   const checks = [];
   checks.push({ name: "SLOCK_HOME", ok: true, detail: report.slockHome });
   checks.push(
@@ -31864,7 +32492,6 @@ async function runDoctorChecks() {
       detail: "stopped (run `slock-computer start` when you want background)"
     }
   );
-  const slockHome = resolveSlockHome();
   const attachments = await listServerAttachments(slockHome);
   if (attachments.length === 0) {
     checks.push({
@@ -31976,14 +32603,14 @@ async function runDoctor(opts) {
 
 // src/logs.ts
 init_esm_shims();
-import { readFile as readFile8 } from "fs/promises";
+import { readFile as readFile10 } from "fs/promises";
 var DEFAULT_LINES = 200;
 async function runLogs(opts) {
   const home = resolveSlockHome();
   const file = opts.supervisor ? supervisorLogPath(home) : serverDaemonLogPath(home, await resolveTargetServerId({ server: opts.server }));
   let content;
   try {
-    content = await readFile8(file, "utf8");
+    content = await readFile10(file, "utf8");
   } catch {
     fail(
       "NO_DAEMON_LOG",
@@ -31997,16 +32624,166 @@ async function runLogs(opts) {
   for (const line of tail) info(redactSecrets(line));
 }
 
+// src/reset.ts
+init_esm_shims();
+
+// src/serviceState.ts
+init_esm_shims();
+import { mkdir as mkdir10, readFile as readFile11, writeFile as writeFile9, appendFile as appendFile3 } from "fs/promises";
+import { dirname as dirname10 } from "path";
+
+// src/lib/state.ts
+init_esm_shims();
+var SERVICE_STATE_VALUES = [
+  "starting",
+  "running",
+  "degraded",
+  "stopping",
+  "stopped"
+];
+function isServiceState(value) {
+  return typeof value === "string" && SERVICE_STATE_VALUES.includes(value);
+}
+
+// src/serviceState.ts
+var DEFAULT_STATE = {
+  state: "running",
+  crashHistory: []
+};
+async function readServiceState(slockHome) {
+  try {
+    const raw = await readFile11(serviceStatePath(slockHome), "utf8");
+    const parsed = JSON.parse(raw);
+    if (!parsed || typeof parsed !== "object") return { ...DEFAULT_STATE };
+    const obj = parsed;
+    const state = isServiceState(obj.state) ? obj.state : "running";
+    const crashHistory = Array.isArray(obj.crashHistory) ? obj.crashHistory.filter(isCrashEntry) : [];
+    return { state, crashHistory };
+  } catch {
+    return { ...DEFAULT_STATE };
+  }
+}
+async function writeServiceState(slockHome, file) {
+  const path3 = serviceStatePath(slockHome);
+  await mkdir10(dirname10(path3), { recursive: true });
+  await writeFile9(path3, JSON.stringify(file), { mode: 384 });
+}
+function isCrashEntry(value) {
+  if (!value || typeof value !== "object") return false;
+  const obj = value;
+  return typeof obj.at === "string";
+}
+async function emitServiceStateTransition(slockHome, fromState, toState, trigger) {
+  const entry = {
+    at: (/* @__PURE__ */ new Date()).toISOString(),
+    kind: "service-state-changed",
+    fromState,
+    toState,
+    trigger
+  };
+  try {
+    const path3 = supervisorLogPath(slockHome);
+    await mkdir10(dirname10(path3), { recursive: true });
+    await appendFile3(path3, JSON.stringify(entry) + "\n");
+  } catch {
+  }
+}
+async function clearServiceCrashHistory(slockHome) {
+  const current = await readServiceState(slockHome);
+  const previousState = current.state;
+  const clearedCrashCount = current.crashHistory.length;
+  const next = { state: "running", crashHistory: [] };
+  await writeServiceState(slockHome, next);
+  await emitServiceStateTransition(
+    slockHome,
+    previousState,
+    "running",
+    "reset-service"
+  );
+  return { previousState, clearedCrashCount };
+}
+
+// src/reset.ts
+async function resetService(installRoot) {
+  const { previousState, clearedCrashCount } = await clearServiceCrashHistory(installRoot);
+  return {
+    status: "ok",
+    previousState,
+    clearedCrashCount
+  };
+}
+async function resetRunner(installRoot, serverId) {
+  const attachment = await readServerAttachment(installRoot, serverId);
+  if (!attachment) {
+    return { status: "not-found", serverId };
+  }
+  const outcome = await resetRunnerHealth(installRoot, serverId);
+  if (outcome.status === "not-found") {
+    return { status: "not-found", serverId };
+  }
+  return {
+    status: "ok",
+    serverId,
+    previousState: outcome.previousState ?? "running",
+    clearedCrashCount: outcome.clearedCrashCount ?? 0
+  };
+}
+async function runReset(opts) {
+  const wantsService = opts.service === true;
+  const wantsRunner = opts.runner === true;
+  if (wantsService && wantsRunner) {
+    fail(
+      "RESET_SCOPE_AMBIGUOUS",
+      "`--service` and `--runner` are mutually exclusive. Pass exactly one."
+    );
+  }
+  if (!wantsService && !wantsRunner) {
+    fail(
+      "RESET_SCOPE_MISSING",
+      "Pass `--service` to clear the service-level crash history, or `--runner` to clear a per-runner crash history."
+    );
+  }
+  const slockHome = resolveSlockHome();
+  if (wantsService) {
+    const result2 = await resetService(slockHome);
+    if (opts.json) {
+      info(JSON.stringify(result2));
+      return;
+    }
+    info(
+      `Reset service crash history (previous state: ${result2.previousState}; cleared ${result2.clearedCrashCount} entr${result2.clearedCrashCount === 1 ? "y" : "ies"}).`
+    );
+    info("Service state transitioned to `running`. Runners were not touched.");
+    return;
+  }
+  const serverId = await resolveTargetServerId({ server: opts.server });
+  const result = await resetRunner(slockHome, serverId);
+  if (result.status === "not-found") {
+    fail(
+      "RESET_RUNNER_NOT_FOUND",
+      `Runner for server ${serverId} was not found.`
+    );
+  }
+  if (opts.json) {
+    info(JSON.stringify(result));
+    return;
+  }
+  info(
+    `Reset runner crash history for server ${result.serverId} (previous state: ${result.previousState}; cleared ${result.clearedCrashCount} entr${result.clearedCrashCount === 1 ? "y" : "ies"}).`
+  );
+  info("Runner state transitioned to `running`. Process was not respawned.");
+}
+
 // src/concurrency.ts
 init_esm_shims();
 var import_proper_lockfile = __toESM(require_proper_lockfile(), 1);
-import { mkdir as mkdir9 } from "fs/promises";
+import { mkdir as mkdir11 } from "fs/promises";
 import { join as join4 } from "path";
 var STALE_LOCK_THRESHOLD_MS = 6e4;
 async function withMutationLock(fn) {
   const slockHome = resolveSlockHome();
   const lockTarget = computerDir(slockHome);
-  await mkdir9(lockTarget, { recursive: true });
+  await mkdir11(lockTarget, { recursive: true });
   const lockfilePath = join4(lockTarget, ".lock");
   let release = null;
   try {
@@ -32045,8 +32822,8 @@ async function withMutationLock(fn) {
 
 // src/channel.ts
 init_esm_shims();
-import { readFile as readFile9, writeFile as writeFile8, mkdir as mkdir10 } from "fs/promises";
-import { dirname as dirname9 } from "path";
+import { readFile as readFile12, writeFile as writeFile10, mkdir as mkdir12 } from "fs/promises";
+import { dirname as dirname11 } from "path";
 var DEFAULT_CHANNEL = "latest";
 var SEMVER_RE = /^\d+\.\d+\.\d+(-[\w.]+)?$/;
 function parseChannel(raw) {
@@ -32061,7 +32838,7 @@ function parseChannel(raw) {
 }
 async function readChannel(slockHome) {
   try {
-    const raw = await readFile9(channelPath(slockHome), "utf8");
+    const raw = await readFile12(channelPath(slockHome), "utf8");
     const parsed = parseChannel(raw);
     if (parsed !== null) return parsed;
   } catch {
@@ -32070,8 +32847,8 @@ async function readChannel(slockHome) {
 }
 async function writeChannel(slockHome, channel2) {
   const p = channelPath(slockHome);
-  await mkdir10(dirname9(p), { recursive: true });
-  await writeFile8(p, `${channel2}
+  await mkdir12(dirname11(p), { recursive: true });
+  await writeFile10(p, `${channel2}
 `, { mode: 384 });
 }
 async function runChannelShow(slockHome) {
@@ -32094,20 +32871,20 @@ async function runChannelSet(slockHome, raw) {
 
 // src/upgradeCli.ts
 init_esm_shims();
-import { readFile as readFile12 } from "fs/promises";
+import { readFile as readFile15 } from "fs/promises";
 import { fileURLToPath as fileURLToPath3 } from "url";
-import { dirname as dirname10, join as join7 } from "path";
+import { dirname as dirname12, join as join7 } from "path";
 
 // src/upgrade.ts
 init_esm_shims();
 import { spawn as spawn4 } from "child_process";
-import { mkdir as mkdir11, readFile as readFile11, writeFile as writeFile9, rm as rm3, rename as rename4 } from "fs/promises";
+import { mkdir as mkdir13, readFile as readFile14, writeFile as writeFile11, rm as rm3, rename as rename4 } from "fs/promises";
 import { join as join6 } from "path";
 import { createHash as createHash3 } from "crypto";
 
 // src/preflightDepDrift.ts
 init_esm_shims();
-import { readFile as readFile10 } from "fs/promises";
+import { readFile as readFile13 } from "fs/promises";
 import { spawn as spawn3 } from "child_process";
 import { createRequire } from "module";
 import { join as join5 } from "path";
@@ -32116,12 +32893,10 @@ var DAEMON_PACKAGE_NAME = "@slock-ai/daemon";
 async function preflightDepDriftCheck(currentBinaryDir, stagedTarballPath, deps = {}) {
   const readTarball = deps.readTarballPackageJson ?? defaultReadTarballPackageJson;
   const readCurrent = deps.readCurrentPackageJson ?? defaultReadCurrentPackageJson;
-  const readInstalled = deps.readInstalledDaemonVersion ?? defaultReadInstalledDaemonVersion;
   const satisfies = deps.semverSatisfies ?? defaultSemverSatisfies;
   const allowUnsafe = deps.allowUnsafeSpec === true;
   let targetPkg;
   let currentPkg;
-  let installedVersion;
   try {
     targetPkg = await readTarball(stagedTarballPath);
   } catch (e) {
@@ -32140,15 +32915,6 @@ async function preflightDepDriftCheck(currentBinaryDir, stagedTarballPath, deps
       detail: `cannot read current binary package.json: ${errMsg(e)}`
     };
   }
-  try {
-    installedVersion = await readInstalled(currentBinaryDir);
-  } catch (e) {
-    return {
-      ok: false,
-      reason: "read_failed",
-      detail: `cannot read installed ${DAEMON_PACKAGE_NAME} version: ${errMsg(e)}`
-    };
-  }
   const targetSpec = targetPkg.dependencies?.[DAEMON_PACKAGE_NAME];
   const currentSpec = currentPkg.dependencies?.[DAEMON_PACKAGE_NAME];
   if (typeof targetSpec !== "string" || targetSpec.length === 0) {
@@ -32159,60 +32925,64 @@ async function preflightDepDriftCheck(currentBinaryDir, stagedTarballPath, deps
       currentSpec
     };
   }
-  if (typeof currentSpec !== "string" || currentSpec.length === 0) {
+  const unsafeTarget = isUnsafeSpec(targetSpec) || isUnparseableRange(targetSpec);
+  if (!allowUnsafe && unsafeTarget) {
     return {
       ok: false,
-      reason: "read_failed",
-      detail: `current binary package.json has no ${DAEMON_PACKAGE_NAME} dependency entry`,
+      reason: "unsafe_spec",
+      detail: `${DAEMON_PACKAGE_NAME} target spec is not a safe semver range (target="${targetSpec}"). Auto-upgrade only supports target semver ranges that can be hydrated and verified before swap.`,
+      currentSpec,
       targetSpec
     };
   }
-  if (installedVersion === null || installedVersion.length === 0) {
+  void satisfies;
+  return { ok: true, currentSpec, targetSpec };
+}
+async function verifyHydratedDaemonDependency(extractedPackageDir, targetSpec, deps = {}) {
+  const readInstalled = deps.readInstalledDaemonVersion ?? defaultReadInstalledDaemonVersion;
+  const satisfies = deps.semverSatisfies ?? defaultSemverSatisfies;
+  const allowUnsafe = deps.allowUnsafeSpec === true;
+  const unsafeTarget = isUnsafeSpec(targetSpec) || isUnparseableRange(targetSpec);
+  if (!allowUnsafe && unsafeTarget) {
     return {
       ok: false,
-      reason: "read_failed",
-      detail: `${DAEMON_PACKAGE_NAME} is not installed at the expected location next to the current binary`,
-      currentSpec,
+      reason: "unsafe_spec",
+      detail: `${DAEMON_PACKAGE_NAME} target spec is not a safe semver range (target="${targetSpec}").`,
       targetSpec
     };
   }
-  const unsafeCurrent = isUnsafeSpec(currentSpec) || isUnparseableRange(currentSpec);
-  const unsafeTarget = isUnsafeSpec(targetSpec) || isUnparseableRange(targetSpec);
-  const anyUnsafe = unsafeCurrent || unsafeTarget;
-  if (!allowUnsafe && anyUnsafe) {
+  let installedVersion;
+  try {
+    installedVersion = await readInstalled(extractedPackageDir);
+  } catch (e) {
     return {
       ok: false,
-      reason: "unsafe_spec",
-      detail: `${DAEMON_PACKAGE_NAME} spec is not a safe semver range (current="${currentSpec}", target="${targetSpec}"). v1 auto-upgrade only supports semver ranges; re-install manually with \`npm install -g @slock-ai/computer@<version>\`.`,
-      currentSpec,
-      targetSpec,
-      installedVersion
+      reason: "read_failed",
+      detail: `cannot read hydrated ${DAEMON_PACKAGE_NAME} version: ${errMsg(e)}`,
+      targetSpec
     };
   }
-  if (currentSpec !== targetSpec) {
+  if (installedVersion === null || installedVersion.length === 0) {
     return {
       ok: false,
-      reason: "spec_changed",
-      detail: `${DAEMON_PACKAGE_NAME} dependency spec changed from "${currentSpec}" to "${targetSpec}". Auto-upgrade only swaps the Computer package root; the runtime dependency tree is not refreshed. Run \`npm install -g @slock-ai/computer@<version>\` manually.`,
-      currentSpec,
-      targetSpec,
-      installedVersion
+      reason: "read_failed",
+      detail: `${DAEMON_PACKAGE_NAME} is not installed in the hydrated staged package`,
+      targetSpec
     };
   }
-  if (allowUnsafe && anyUnsafe) {
-    return { ok: true, currentSpec, targetSpec, installedVersion };
+  if (allowUnsafe && unsafeTarget) {
+    return { ok: true, targetSpec, installedVersion };
   }
   if (!satisfies(installedVersion, targetSpec)) {
     return {
       ok: false,
       reason: "installed_unsatisfied",
-      detail: `installed ${DAEMON_PACKAGE_NAME}@${installedVersion} does not satisfy target spec "${targetSpec}". Re-install with \`npm install -g @slock-ai/computer@<version>\`.`,
-      currentSpec,
+      detail: `hydrated ${DAEMON_PACKAGE_NAME}@${installedVersion} does not satisfy target spec "${targetSpec}".`,
       targetSpec,
       installedVersion
     };
   }
-  return { ok: true, currentSpec, targetSpec, installedVersion };
+  return { ok: true, targetSpec, installedVersion };
 }
 function isUnparseableRange(spec) {
   const s = spec.trim();
@@ -32278,7 +33048,7 @@ async function defaultReadTarballPackageJson(tarballPath) {
   return JSON.parse(raw);
 }
 async function defaultReadCurrentPackageJson(currentBinaryDir) {
-  const raw = await readFile10(join5(currentBinaryDir, "package.json"), "utf8");
+  const raw = await readFile13(join5(currentBinaryDir, "package.json"), "utf8");
   return JSON.parse(raw);
 }
 async function defaultReadInstalledDaemonVersion(currentBinaryDir) {
@@ -32295,7 +33065,7 @@ async function defaultReadInstalledDaemonVersion(currentBinaryDir) {
   for (const base of searchPaths) {
     const candidate = join5(base, ...subPath, "package.json");
     try {
-      const raw = await readFile10(candidate, "utf8");
+      const raw = await readFile13(candidate, "utf8");
       const parsed = JSON.parse(raw);
       if (parsed.name !== DAEMON_PACKAGE_NAME) continue;
       if (typeof parsed.version === "string" && parsed.version.length > 0) {
@@ -32375,9 +33145,9 @@ function satisfiesTilde(ver, base) {
 // src/upgrade.ts
 async function stagePhase(slockHome, version, deps = {}) {
   const npmPack = deps.npmPack ?? defaultNpmPack;
-  const fsReadFile = deps.fsReadFile ?? readFile11;
+  const fsReadFile = deps.fsReadFile ?? readFile14;
   const stagedPath = upgradeStagingDir(slockHome, version);
-  await mkdir11(stagedPath, { recursive: true });
+  await mkdir13(stagedPath, { recursive: true });
   const packageRef = `@slock-ai/computer@${version}`;
   const result = await npmPack(stagedPath, packageRef);
   if (result.exitCode !== 0) {
@@ -32485,8 +33255,8 @@ async function cleanupStaged(slockHome, version) {
 async function snapshotPhase(slockHome, snap) {
   const path3 = upgradeSnapshotPath(slockHome);
   const tmp = `${path3}.tmp`;
-  await mkdir11(computerDir(slockHome), { recursive: true });
-  await writeFile9(tmp, JSON.stringify(snap, null, 2), { mode: 384 });
+  await mkdir13(computerDir(slockHome), { recursive: true });
+  await writeFile11(tmp, JSON.stringify(snap, null, 2), { mode: 384 });
   await rename4(tmp, path3);
 }
 async function clearUpgradeSnapshot(slockHome) {
@@ -32498,7 +33268,7 @@ async function clearUpgradeSnapshot(slockHome) {
 }
 async function extractTarball(tarballPath, destDir, deps = {}) {
   const tarSpawn = deps.tarSpawn ?? defaultTarSpawn;
-  await mkdir11(destDir, { recursive: true });
+  await mkdir13(destDir, { recursive: true });
   const result = await tarSpawn(tarballPath, destDir);
   if (result.exitCode !== 0) {
     const err = new Error(
@@ -32603,7 +33373,7 @@ async function rollbackSwap(currentBinaryDir, deps = {}) {
 }
 async function rollbackRestart(slockHome, currentBinaryDir, deps = {}) {
   const readSupervisorPid = deps.readSupervisorPid ?? (() => defaultReadSupervisorPid(slockHome));
-  const isProcessAlive3 = deps.isProcessAlive ?? defaultIsProcessAlive;
+  const isProcessAlive4 = deps.isProcessAlive ?? defaultIsProcessAlive;
   const killSupervisor = deps.killSupervisor ?? defaultKillSupervisor;
   const forceKillSupervisor = deps.forceKillSupervisor ?? defaultForceKillSupervisor;
   const waitForExit = deps.waitForExit ?? defaultWaitForExit;
@@ -32614,7 +33384,7 @@ async function rollbackRestart(slockHome, currentBinaryDir, deps = {}) {
   let supervisorStopped = false;
   try {
     const pid = await readSupervisorPid();
-    if (pid === null || !isProcessAlive3(pid)) {
+    if (pid === null || !isProcessAlive4(pid)) {
       supervisorStopped = true;
     } else {
       await killSupervisor(pid);
@@ -32683,9 +33453,9 @@ async function rollbackRestart(slockHome, currentBinaryDir, deps = {}) {
       reason: e instanceof Error ? e.message : String(e)
     };
   }
-  const start = Date.now();
+  const start2 = Date.now();
   let healthy = false;
-  while (Date.now() - start < healthTimeoutMs) {
+  while (Date.now() - start2 < healthTimeoutMs) {
     if (await healthCheck()) {
       healthy = true;
       break;
@@ -32746,10 +33516,10 @@ async function restartPhase(slockHome, deps = {}) {
       return { ok: false, reason: "spawn_failed" };
     }
   }
-  const start = Date.now();
-  while (Date.now() - start < healthTimeoutMs) {
+  const start2 = Date.now();
+  while (Date.now() - start2 < healthTimeoutMs) {
     if (await healthCheck()) {
-      return { ok: true, healthAfterMs: Date.now() - start };
+      return { ok: true, healthAfterMs: Date.now() - start2 };
     }
     await new Promise((r) => setTimeout(r, healthPollIntervalMs));
   }
@@ -32757,7 +33527,7 @@ async function restartPhase(slockHome, deps = {}) {
 }
 async function defaultReadSupervisorPid(slockHome) {
   try {
-    const raw = (await readFile11(supervisorPidPath(slockHome), "utf8")).trim();
+    const raw = (await readFile14(supervisorPidPath(slockHome), "utf8")).trim();
     const pid = Number.parseInt(raw, 10);
     return Number.isInteger(pid) && pid > 0 ? pid : null;
   } catch {
@@ -32784,8 +33554,8 @@ async function defaultIsDaemonBusy(_slockHome) {
   return false;
 }
 async function defaultWaitForExit(pid, timeoutMs) {
-  const start = Date.now();
-  while (Date.now() - start < timeoutMs) {
+  const start2 = Date.now();
+  while (Date.now() - start2 < timeoutMs) {
     try {
       process.kill(pid, 0);
     } catch (err) {
@@ -32876,6 +33646,18 @@ async function runUpgrade(slockHome, opts) {
       preflight
     };
   }
+  const targetDaemonSpec = preflight.targetSpec;
+  if (typeof targetDaemonSpec !== "string" || targetDaemonSpec.length === 0) {
+    await cleanupStaged(slockHome, opts.targetVersion);
+    return {
+      ok: false,
+      phase: "preflight",
+      reason: `${preflight.detail ?? preflight.reason ?? "dep_drift"}: missing target ${DAEMON_PACKAGE_NAME} spec`,
+      staged,
+      verify,
+      preflight
+    };
+  }
   const snap = {
     at: (/* @__PURE__ */ new Date()).toISOString(),
     fromVersion: opts.fromVersion,
@@ -32926,6 +33708,24 @@ async function runUpgrade(slockHome, opts) {
       verify
     };
   }
+  const hydratedDaemon = await verifyHydratedDaemonDependency(
+    extractedPackageDir,
+    targetDaemonSpec,
+    deps.preflight ?? {}
+  );
+  if (!hydratedDaemon.ok) {
+    await cleanupStaged(slockHome, opts.targetVersion);
+    await clearUpgradeSnapshot(slockHome);
+    return {
+      ok: false,
+      phase: "hydrate",
+      reason: `staged dependency tree verification failed: ${hydratedDaemon.detail ?? hydratedDaemon.reason ?? "hydrated dependency verification failed"}`,
+      staged,
+      verify,
+      preflight,
+      hydratedDaemon
+    };
+  }
   let swap;
   try {
     swap = await swapPhase(opts.currentBinaryDir, extractedPackageDir, {
@@ -33014,25 +33814,25 @@ async function runUpgrade(slockHome, opts) {
     };
   }
   await cleanupSuccessPhase(slockHome, opts.targetVersion, swap.prevBinaryDir);
-  return { ok: true, phase: "cleanup", staged, verify, swap, restart, rolling };
+  return { ok: true, phase: "cleanup", staged, verify, preflight, hydratedDaemon, swap, restart, rolling };
 }
 async function rollingDaemonHealthCheck(slockHome, deps = {}) {
   const list = deps.listManagedServerIds ?? listManagedServerIds;
   const readDaemonPid = deps.readDaemonPid ?? defaultReadDaemonPid;
-  const isProcessAlive3 = deps.isProcessAlive ?? defaultIsProcessAlive;
+  const isProcessAlive4 = deps.isProcessAlive ?? defaultIsProcessAlive;
   const perDaemonTimeoutMs = deps.perDaemonTimeoutMs ?? 3e4;
   const pollIntervalMs = deps.pollIntervalMs ?? 500;
   const managed = await list(slockHome);
   const daemons = [];
   for (const serverId of managed) {
-    const start = Date.now();
+    const start2 = Date.now();
     let lastReason = "timeout";
     let healthy = false;
-    while (Date.now() - start < perDaemonTimeoutMs) {
+    while (Date.now() - start2 < perDaemonTimeoutMs) {
       const pid = await readDaemonPid(slockHome, serverId);
       if (pid === null) {
         lastReason = "pidfile_missing";
-      } else if (!isProcessAlive3(pid)) {
+      } else if (!isProcessAlive4(pid)) {
         lastReason = "process_dead";
       } else {
         healthy = true;
@@ -33040,7 +33840,7 @@ async function rollingDaemonHealthCheck(slockHome, deps = {}) {
       }
       await new Promise((r) => setTimeout(r, pollIntervalMs));
     }
-    const entry = healthy ? { serverId, ok: true, healthAfterMs: Date.now() - start } : { serverId, ok: false, reason: lastReason };
+    const entry = healthy ? { serverId, ok: true, healthAfterMs: Date.now() - start2 } : { serverId, ok: false, reason: lastReason };
     daemons.push(entry);
     if (!healthy) {
       return { ok: false, daemons };
@@ -33050,7 +33850,7 @@ async function rollingDaemonHealthCheck(slockHome, deps = {}) {
 }
 async function defaultReadDaemonPid(slockHome, serverId) {
   try {
-    const raw = (await readFile11(serverDaemonPidPath(slockHome, serverId), "utf8")).trim();
+    const raw = (await readFile14(serverDaemonPidPath(slockHome, serverId), "utf8")).trim();
     const pid = Number.parseInt(raw, 10);
     return Number.isInteger(pid) && pid > 0 ? pid : null;
   } catch {
@@ -33078,7 +33878,7 @@ async function locateStagedTarball(stagedPath) {
 
 // src/upgradeLog.ts
 init_esm_shims();
-import { chmod as chmod5, mkdir as mkdir12, open as open2 } from "fs/promises";
+import { chmod as chmod5, mkdir as mkdir14, open as open2 } from "fs/promises";
 var FILE_MODE = 384;
 var UPGRADE_ERROR_CODES = [
   "UPGRADE_DEPS_CHANGED",
@@ -33123,7 +33923,7 @@ function assertUpgradeLogEntry(entry) {
 }
 async function appendUpgradeLogEntry(slockHome, entry) {
   assertUpgradeLogEntry(entry);
-  await mkdir12(computerDir(slockHome), { recursive: true });
+  await mkdir14(computerDir(slockHome), { recursive: true });
   const path3 = upgradeLogPath(slockHome);
   const at = entry.at ?? formatUpgradeLogTimestamp();
   const fullEntry = { ...entry, at };
@@ -33146,7 +33946,7 @@ function isEphemeralNpxContext(binaryDir) {
 async function readBundledDaemonVersion(binaryDir) {
   try {
     const pkgPath = join7(binaryDir, "package.json");
-    const raw = await readFile12(pkgPath, "utf8");
+    const raw = await readFile15(pkgPath, "utf8");
     const parsed = JSON.parse(raw);
     const pinned = parsed.dependencies?.["@slock-ai/daemon"];
     if (typeof pinned !== "string" || pinned.length === 0) return null;
@@ -33340,6 +34140,9 @@ function mapFailurePhaseToCode(outcome) {
     case "extract":
       return "UPGRADE_INTEGRITY_FAILED";
     case "hydrate":
+      if (outcome.hydratedDaemon?.ok === false) {
+        return "UPGRADE_INTEGRITY_FAILED";
+      }
       return "UPGRADE_NETWORK_FAILED";
     case "swap":
       return "UPGRADE_SWAP_FAILED";
@@ -33374,12 +34177,12 @@ async function defaultFetchDistTags() {
 }
 function defaultCurrentBinaryDir() {
   const here = fileURLToPath3(import.meta.url);
-  return dirname10(dirname10(here));
+  return dirname12(dirname12(here));
 }
 async function defaultCurrentVersion() {
   const pkgPath = join7(defaultCurrentBinaryDir(), "package.json");
   try {
-    const raw = await readFile12(pkgPath, "utf8");
+    const raw = await readFile15(pkgPath, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version === "string" && parsed.version.length > 0) {
       return parsed.version;
@@ -33391,7 +34194,7 @@ async function defaultCurrentVersion() {
 
 // src/upgradeTestHarness.ts
 init_esm_shims();
-import { mkdir as mkdir13, readdir as readdir4, stat as stat3, writeFile as writeFile10 } from "fs/promises";
+import { mkdir as mkdir15, readdir as readdir4, stat as stat3, writeFile as writeFile12 } from "fs/promises";
 import { join as join8 } from "path";
 import { createHash as createHash4 } from "crypto";
 var PHASES = /* @__PURE__ */ new Set([
@@ -33450,7 +34253,7 @@ function buildSimulatedDeps(slockHome, opts) {
             return { tarballPath: "", exitCode: 1, stderr: "simulated stage failure" };
           }
           const filename = `slock-ai-computer-${targetVersion}.tgz`;
-          await writeFile10(join8(cwd, filename), tarballBytes);
+          await writeFile12(join8(cwd, filename), tarballBytes);
           return { tarballPath: join8(cwd, filename), exitCode: 0, stderr: "" };
         },
         fetchAdvertisedHash: async () => {
@@ -33462,8 +34265,8 @@ function buildSimulatedDeps(slockHome, opts) {
           if (opts.simulateFail === "extract") {
             return { exitCode: 1, stderr: "simulated extract failure" };
           }
-          await mkdir13(join8(destDir, "package"), { recursive: true });
-          await writeFile10(join8(destDir, "package", "marker.txt"), `NEW@${targetVersion}`);
+          await mkdir15(join8(destDir, "package"), { recursive: true });
+          await writeFile12(join8(destDir, "package", "marker.txt"), `NEW@${targetVersion}`);
           return { exitCode: 0, stderr: "" };
         },
         npmInstall: async () => ({ exitCode: 0, stderr: "" }),
@@ -33524,7 +34327,7 @@ function buildSimulatedDeps(slockHome, opts) {
 }
 async function arrangeSnapshotFailure(slockHome) {
   const snapshotPath = join8(slockHome, "computer", "upgrade-snapshot.json");
-  await mkdir13(snapshotPath, { recursive: true });
+  await mkdir15(snapshotPath, { recursive: true });
 }
 async function pathInfo(path3) {
   try {
@@ -33579,12 +34382,12 @@ async function runUpgradeTestHarness(slockHome, opts, writer = (s) => process.st
     process.exitCode = 1;
     return;
   }
-  await mkdir13(slockHome, { recursive: true });
+  await mkdir15(slockHome, { recursive: true });
   if (opts.simulateFail === "snapshot") {
     await arrangeSnapshotFailure(slockHome);
   }
   const { opts: upgradeOpts } = buildSimulatedDeps(slockHome, opts);
-  await mkdir13(upgradeOpts.currentBinaryDir, { recursive: true });
+  await mkdir15(upgradeOpts.currentBinaryDir, { recursive: true });
   let outcome;
   try {
     outcome = await runUpgrade(slockHome, upgradeOpts);
@@ -33622,9 +34425,9 @@ async function runUpgradeTestHarness(slockHome, opts, writer = (s) => process.st
 
 // src/upgradeInstallSmoke.ts
 init_esm_shims();
-import { copyFile, mkdir as mkdir14, readFile as readFile13 } from "fs/promises";
+import { copyFile, mkdir as mkdir16, readFile as readFile16 } from "fs/promises";
 import { createHash as createHash5 } from "crypto";
-import { dirname as dirname11, isAbsolute, join as join9, resolve as pathResolve } from "path";
+import { dirname as dirname13, isAbsolute, join as join9, resolve as pathResolve } from "path";
 import { fileURLToPath as fileURLToPath4 } from "url";
 async function runUpgradeInstallSmoke(slockHome, opts, deps = {}) {
   if (typeof opts.packageTarball !== "string" || opts.packageTarball.trim().length === 0) {
@@ -33633,7 +34436,7 @@ async function runUpgradeInstallSmoke(slockHome, opts, deps = {}) {
   const tarballPath = isAbsolute(opts.packageTarball) ? opts.packageTarball : pathResolve(opts.packageTarball);
   let tarballBytes;
   try {
-    tarballBytes = await readFile13(tarballPath);
+    tarballBytes = await readFile16(tarballPath);
   } catch (e) {
     const msg = e instanceof Error ? e.message : String(e);
     throw new Error(`__upgrade-install-smoke: cannot read --package-tarball ${tarballPath}: ${msg}`);
@@ -33645,7 +34448,7 @@ async function runUpgradeInstallSmoke(slockHome, opts, deps = {}) {
   const spawnFreshSupervisor = deps.spawnFreshSupervisor ?? (async (h) => {
     await spawnDetachedSupervisor(h);
   });
-  await mkdir14(slockHome, { recursive: true });
+  await mkdir16(slockHome, { recursive: true });
   const outcome = await runUpgrade(slockHome, {
     targetVersion: opts.targetVersion,
     fromVersion,
@@ -33703,12 +34506,12 @@ async function runUpgradeInstallSmokeCli(slockHome, opts, writer = (s) => proces
 }
 function defaultCurrentBinaryDirLocal() {
   const here = fileURLToPath4(import.meta.url);
-  return dirname11(dirname11(here));
+  return dirname13(dirname13(here));
 }
 async function defaultCurrentVersionLocal() {
   const pkgPath = join9(defaultCurrentBinaryDirLocal(), "package.json");
   try {
-    const raw = await readFile13(pkgPath, "utf8");
+    const raw = await readFile16(pkgPath, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version === "string" && parsed.version.length > 0) {
       return parsed.version;
@@ -33758,17 +34561,13 @@ program2.command("attach").argument("<serverSlug>", "target Slock server slug (c
     () => runAttach({ serverSlug, serverUrl: opts.serverUrl, name: opts.name, run: opts.run, foreground: opts.foreground })
   );
 }));
-program2.command("setup").argument("<serverSlug>", "target Slock server slug (canonical form `/myserver`; bare `myserver` accepted)").description("Set up this Computer for one server: login if needed, attach/adopt if needed, then start.").option("--server-url <url>", `Slock API base URL; defaults to the saved user session, SLOCK_SERVER_URL, or ${DEFAULT_SLOCK_SERVER_URL}`).option("--name <name>", "Computer display name for a new attachment/adoption; defaults to a sanitized hostname").option("--adopt-legacy", "attempt one-time migration from a legacy daemon before fresh attach fallback").option("--legacy-api-key <key>", "legacy key for --adopt-legacy (migration-only; prefer file/stdin)").option("--legacy-api-key-file <path>", "path to a file containing the legacy key for --adopt-legacy").option("--legacy-api-key-stdin", "read the legacy key from stdin for --adopt-legacy").option("--no-start", "stop after login + attach/adopt; do not start the supervisor").option("--foreground", "run the supervisor in this terminal instead of the background").option("-y, --yes", "allow non-interactive setup after confirming the planned actions").action(
+program2.command("setup").argument("<serverSlug>", "target Slock server slug (canonical form `/myserver`; bare `myserver` accepted)").description("Set up this Computer for one server: login if needed, attach (or \xA7X.1 migrate-prompt) if needed, then start.").option("--server-url <url>", `Slock API base URL; defaults to the saved user session, SLOCK_SERVER_URL, or ${DEFAULT_SLOCK_SERVER_URL}`).option("--name <name>", "Computer display name for a new attachment; defaults to a sanitized hostname").option("--no-start", "stop after login + attach; do not start the supervisor").option("--foreground", "run the supervisor in this terminal instead of the background").option("-y, --yes", "allow non-interactive setup after confirming the planned actions").action(
   withCliExit(async (serverSlug, opts) => {
     await withMutationLock(
       () => runSetup({
         serverSlug,
         serverUrl: opts.serverUrl,
         name: opts.name,
-        adoptLegacy: opts.adoptLegacy,
-        legacyApiKey: opts.legacyApiKey,
-        legacyApiKeyFile: opts.legacyApiKeyFile,
-        legacyApiKeyStdin: opts.legacyApiKeyStdin,
         start: opts.start,
         foreground: opts.foreground,
         yes: opts.yes
@@ -33776,22 +34575,6 @@ program2.command("setup").argument("<serverSlug>", "target Slock server slug (ca
     );
   })
 );
-program2.command("adopt-legacy").argument("<serverSlug>", "target Slock server slug (the legacy machine's server)").description(
-  "One-time migration: trade a legacy sk_machine_* / sk_daemon_* key for a fresh Computer attachment (sk_computer_*)."
-).option("--server-url <url>", `Slock API base URL; defaults to the saved user session, SLOCK_SERVER_URL, or ${DEFAULT_SLOCK_SERVER_URL}`).option("--name <name>", "name to record on the new Computer attachment (default: existing machine name)").option("--legacy-api-key <key>", "raw legacy key on argv (insecure on shared shells; prefer --legacy-api-key-file or stdin)").option("--legacy-api-key-file <path>", "path to a 0600 file containing the legacy key (one line)").option("--legacy-api-key-stdin", "read the legacy key from stdin").action(
-  withCliExit(async (serverSlug, opts) => {
-    await withMutationLock(
-      () => runAdoptLegacy({
-        serverSlug,
-        serverUrl: opts.serverUrl,
-        name: opts.name,
-        legacyApiKey: opts.legacyApiKey,
-        legacyApiKeyFile: opts.legacyApiKeyFile,
-        legacyApiKeyStdin: opts.legacyApiKeyStdin
-      })
-    );
-  })
-);
 program2.command("detach").argument("<serverSlug>", "server slug to detach from this Computer (canonical form `/myserver`)").description("Remove ONE server's local attachment; never touches user-session or other servers.").action(withCliExit(async (serverSlug) => {
   await withMutationLock(async () => runDetach(await resolveTargetServerId({ server: serverSlug }), serverSlug));
 }));
@@ -33825,6 +34608,18 @@ program2.command("doctor").argument("[serverSlug]", "optional: scope detail (rec
     }
   )
 );
+program2.command("reset").description("Clear a degraded state and resume the supervisor's auto-restart loop.").option("--service", "clear the service-level crash history (cascade record)").option("--runner", "clear a runner's crash history (selected by `--server`)").option("--server <slug>", "with `--runner`, select target server slug (required when \u22652 attached)").option("--json", "emit the machine-readable result").action(
+  withCliExit(async (opts) => {
+    await withMutationLock(
+      () => runReset({
+        service: opts.service,
+        runner: opts.runner,
+        server: opts.server,
+        json: opts.json
+      })
+    );
+  })
+);
 program2.command("logs").description("Tail one server's daemon log (or the supervisor log); secrets redacted.").option("--lines <n>", "trailing lines to show (default 200)", (v) => Number.parseInt(v, 10)).option("--server <slug>", "select target server slug (required when \u22652 attached)").option("--supervisor", "tail the global supervisor log instead of a per-server daemon log").action(withCliExit(async (opts) => {
   await runLogs({ lines: opts.lines, server: opts.server ?? null, supervisor: !!opts.supervisor });
 }));
@@ -33850,9 +34645,8 @@ program2.command("upgrade").description(
   [
     "Auto-upgrade this Computer to the latest version in its channel (or --target-version <semver>).",
     "",
-    "v1 swaps the @slock-ai/computer package root only. Releases that change runtime",
-    "dependency requirements (e.g. @slock-ai/daemon version range) fail closed with",
-    "UPGRADE_DEPS_CHANGED and require manual `npm install -g @slock-ai/computer@<version>`."
+    "Stages the target package, hydrates production dependencies, verifies the",
+    "hydrated @slock-ai/daemon version, then swaps the Computer package root."
   ].join("\n")
 ).option("--dry-run", "stage + verify only; do not swap or restart").option("--channel <name>", "override channel for this invocation (latest | alpha | pinned:<semver>)").option("--target-version <semver>", "override target version explicitly (bypasses channel resolution)").option("--drain <mode>", "\xA72.7 drain mode: drain (default) | defer (abort if daemon busy) | force (SIGKILL, drop in-flight)").option("--force", "alias for --drain force (stuck-daemon recovery; drops in-flight turns)").action(
   withCliExit(
@@ -33945,21 +34739,6 @@ program2.command("__upgrade-install-smoke", { hidden: true }).requiredOption("--
     );
   })
 );
-{
-  const argv = process.argv.slice(2);
-  const isAdopt = argv[0] === "adopt-legacy";
-  const isSetup = argv[0] === "setup";
-  const strayLegacyFlag = argv.find(
-    (a) => a === "--legacy-api-key" || a.startsWith("--legacy-api-key=") || a === "--legacy-api-key-file" || a.startsWith("--legacy-api-key-file=") || a === "--legacy-api-key-stdin"
-  );
-  if (strayLegacyFlag && !isAdopt && !isSetup) {
-    process.stderr.write(
-      `slock-computer: LEGACY_KEY_OUTSIDE_ADOPT: ${strayLegacyFlag} is only accepted by \`slock-computer adopt-legacy\` or \`slock-computer setup --adopt-legacy\`. Remove it or run an adopt flow.
-`
-    );
-    process.exit(2);
-  }
-}
 program2.parseAsync(process.argv).catch((err) => {
   process.stderr.write(`slock-computer: ${err instanceof Error ? err.message : String(err)}
 `);