@spacebar_ai/moldclaw-core 2026.3.14 → 2026.3.16

package/dist/prompt-select-styled-DDnCfM3j.js

@@ -1,2673 +0,0 @@
-import { o as getResolvedLoggerSettings } from "./logger-BFfIIIKH.js";
-import { _ as resolveStateDir, d as resolveIsNixMode, h as resolveOAuthDir, t as CONFIG_PATH, u as resolveGatewayPort, x as resolveRequiredHomeDir } from "./paths-D6AgsMTU.js";
-import { m as defaultRuntime } from "./subsystem-S4LNMNHd.js";
-import { t as isTruthyEnvValue$1 } from "./env-Dgex_t9p.js";
-import { C as sleep, S as shortenHomePath, y as resolveUserPath } from "./utils-rjVNXUns.js";
-import { h as isWSLEnv, p as isWSL } from "./setup-binary-Fw3cCSWL.js";
-import { $a as DEFAULT_OAUTH_WARN_MS, AE as updateAuthProfileStoreWithLock, Ad as resolveDmAllowState, Fn as loadmoldClawPlugins, LC as loadCronStore, Pn as resolvePluginProviders, RC as resolveCronStorePath, T as listChannelPlugins, Vb as loadModelCatalog, Xc as analyzeBootstrapBudget, Zc as buildBootstrapInjectionStats, ch as hasConfiguredMemorySecretInput, d as resolveProfileUnusableUntilForDisplay, eo as buildAuthHealthSummary, fE as resolveBootstrapMaxChars, hE as repairOAuthProfileIdMismatch, km as noteOpenAIOAuthTlsPrerequisites, mE as resolveApiKeyForProfile, mf as resolveBootstrapContextForRun, pE as resolveBootstrapTotalMaxChars, rC as loadSessionStore, sx as resolveApiKeyForProvider, to as formatRemainingShort, wE as ensureAuthProfileStore, y as resolveAgentSessionDirs, zC as saveCronStore } from "./auth-profiles-BJcHzwPy.js";
-import { O as DEFAULT_MODEL, g as resolveHooksGmailModel, i as getModelRefStatus, k as DEFAULT_PROVIDER, m as resolveConfiguredModelRef } from "./model-selection-DfA4esOK.js";
-import { a as resolveAgentDir, m as resolveDefaultAgentId, p as resolveAgentWorkspaceDir } from "./agent-scope-DA7O8MVG.js";
-import { S as parseAgentSessionKey } from "./session-key-DyhRsRh-.js";
-import { n as runCommandWithTimeout, r as runExec } from "./exec-CoBTyh8B.js";
-import { t as resolvemoldClawPackageRoot } from "./moldclaw-root-vgfzPuAl.js";
-import { t as DEFAULT_AGENTS_FILENAME } from "./workspace-CxNKYS0V.js";
-import { d as readConfigFileSnapshot, g as writeConfigFile } from "./io-DcoxdH6t.js";
-import { a as hasConfiguredSecretInput, d as resolveSecretInputRef } from "./types.secrets-DuSPmmWB.js";
-import { P as cleanStaleLockFiles, at as DEFAULT_SANDBOX_IMAGE, rt as DEFAULT_SANDBOX_BROWSER_IMAGE, z as resolveSandboxScope } from "./workspace-dirs-L1_QQ9mB.js";
-import { m as resolveGatewayAuth } from "./config-BbxrRaLf.js";
-import { t as formatCliCommand } from "./command-format-DIDjlImI.js";
-import { r as isLoopbackHost, u as resolveGatewayBindHost } from "./net-B_Iq_SVP.js";
-import { d as readGatewayTokenEnv } from "./credentials-D5uBf_C5.js";
-import { C as parseBrowserMajorVersion, T as resolveGoogleChromeExecutableForPlatform, at as resolveConfiguredSecretInputWithFallback, ct as hasAmbiguousGatewayAuthModeConfig, w as readBrowserVersion } from "./routes-BNDsNO_e.js";
-import { a as inspectPortUsage, c as formatPortDiagnostics } from "./ports-BVwQuCIR.js";
-import { n as isPrimarySessionTranscriptFileName, t as formatSessionArchiveTimestamp } from "./artifacts-B5Zkf6S0.js";
-import { f as resolveMainSessionKey } from "./lazy-runtime-DdzFA4b9.js";
-import { c as resolveSessionTranscriptsDirForAgent, i as resolveSessionFilePathOptions, l as resolveStorePath, r as resolveSessionFilePath } from "./paths-CDWV-9nX.js";
-import { n as callGateway, t as buildGatewayConnectionDetails } from "./call-CoaQYq7c.js";
-import { t as resolveMemorySearchConfig } from "./memory-search-BBG2BKIh.js";
-import { r as resolveMemoryBackendConfig } from "./search-manager-CfizyEMk.js";
-import { n as logConfigUpdated } from "./logging-S-5LPdfQ.js";
-import { i as stylePromptTitle, n as stylePromptHint, r as stylePromptMessage, t as note$1 } from "./note-z78_JyNp.js";
-import { f as resolveGatewaySystemdServiceName, h as resolveNodeLaunchAgentLabel, l as resolveGatewayLaunchAgentLabel, p as resolveGatewayWindowsTaskName } from "./constants-WvU01Mp_.js";
-import { a as resolveSystemNodeInfo, r as renderSystemNodeWarning } from "./runtime-paths-DPdaWILN.js";
-import { n as buildGatewayInstallPlan, r as gatewayInstallErrorHint, t as resolveGatewayInstallToken } from "./gateway-install-token-CskJfo_N.js";
-import { n as GATEWAY_DAEMON_RUNTIME_OPTIONS, t as DEFAULT_GATEWAY_DAEMON_RUNTIME } from "./daemon-runtime-BPknjyQD.js";
-import { f as printWizardHeader, m as randomToken, n as applyWizardMetadata, s as guardCancel } from "./onboard-helpers-D3wWfH8F.js";
-import { i as launchAgentPlistExists, n as isLaunchAgentListed, r as isLaunchAgentLoaded, s as repairLaunchAgentBootstrap } from "./launchd-C1YgvbKp.js";
-import { n as resolveGatewayService, t as describeGatewayServiceRestart } from "./service-DLhEn8sS.js";
-import { i as isSystemdUserServiceAvailable, u as uninstallLegacySystemdUnits } from "./systemd-BD-XXrY3.js";
-import { c as buildPlatformRuntimeLogHints, i as auditGatewayServiceConfig, n as renderSystemdUnavailableHints, o as needsNodeRuntimeMigration, r as SERVICE_AUDIT_CODES, s as readEmbeddedGatewayToken, t as isSystemdUnavailableDetail, u as formatRuntimeStatus } from "./systemd-hints-LWwXTYeY.js";
-import { t as readLastGatewayErrorLine } from "./diagnostics-Ct6HBGrk.js";
-import { n as renderGatewayServiceCleanupHints, t as findExtraGatewayServices } from "./inspect-BryOMVYx.js";
-import { t as buildWorkspaceSkillStatus } from "./skills-status-DGdxY3OI.js";
-import { r as healthCommand } from "./health-DXZykGaX.js";
-import { i as resolveControlUiDistIndexPathForRoot, r as resolveControlUiDistIndexHealth } from "./control-ui-assets-Bwqp8PYM.js";
-import { p as normalizeStoredCronJobs, t as runGatewayUpdate } from "./update-runner-Cq-Q40T9.js";
-import { t as collectChannelStatusIssues } from "./channels-status-issues-kDtsWzA-.js";
-import { n as resolveProviderAuthLoginCommand, t as buildProviderAuthRecoveryHint } from "./provider-auth-guidance-CrjxnoNZ.js";
-import { t as ensureSystemdUserLingerInteractive } from "./systemd-linger-B_ndoLL9.js";
-import { t as formatHealthCheckFailure } from "./health-format-D2gwr1bv.js";
-import { n as doctorShellCompletion } from "./doctor-completion-B5hcQD5c.js";
-import { a as runLegacyStateMigrations, i as detectLegacyStateMigrations, r as loadAndMaybeMigrateDoctorConfig } from "./doctor-config-flow-DDBYUS9f.js";
-import { t as resolveDefaultChannelAccountContext } from "./channel-account-context-DXq8dlvI.js";
-import fs from "node:fs";
-import path from "node:path";
-import { execFile } from "node:child_process";
-import os from "node:os";
-import { promisify } from "node:util";
-import fs$1 from "node:fs/promises";
-import { confirm, intro, outro, select } from "@clack/prompts";
-//#region src/commands/doctor-auth.ts
-async function maybeRepairAnthropicOAuthProfileId(cfg, prompter) {
-	const repair = repairOAuthProfileIdMismatch({
-		cfg,
-		store: ensureAuthProfileStore(),
-		provider: "anthropic",
-		legacyProfileId: "anthropic:default"
-	});
-	if (!repair.migrated || repair.changes.length === 0) return cfg;
-	note$1(repair.changes.map((c) => `- ${c}`).join("\n"), "Auth profiles");
-	if (!await prompter.confirm({
-		message: "Update Anthropic OAuth profile id in config now?",
-		initialValue: true
-	})) return cfg;
-	return repair.config;
-}
-function pruneAuthOrder(order, profileIds) {
-	if (!order) return {
-		next: order,
-		changed: false
-	};
-	let changed = false;
-	const next = {};
-	for (const [provider, list] of Object.entries(order)) {
-		const filtered = list.filter((id) => !profileIds.has(id));
-		if (filtered.length !== list.length) changed = true;
-		if (filtered.length > 0) next[provider] = filtered;
-	}
-	return {
-		next: Object.keys(next).length > 0 ? next : void 0,
-		changed
-	};
-}
-function pruneAuthProfiles(cfg, profileIds) {
-	const profiles = cfg.auth?.profiles;
-	const order = cfg.auth?.order;
-	const nextProfiles = profiles ? { ...profiles } : void 0;
-	let changed = false;
-	if (nextProfiles) {
-		for (const id of profileIds) if (id in nextProfiles) {
-			delete nextProfiles[id];
-			changed = true;
-		}
-	}
-	const prunedOrder = pruneAuthOrder(order, profileIds);
-	if (prunedOrder.changed) changed = true;
-	if (!changed) return {
-		next: cfg,
-		changed: false
-	};
-	const nextAuth = nextProfiles || prunedOrder.next ? {
-		...cfg.auth,
-		profiles: nextProfiles && Object.keys(nextProfiles).length > 0 ? nextProfiles : void 0,
-		order: prunedOrder.next
-	} : void 0;
-	return {
-		next: {
-			...cfg,
-			auth: nextAuth
-		},
-		changed: true
-	};
-}
-async function maybeRemoveDeprecatedCliAuthProfiles(cfg, prompter) {
-	const store = ensureAuthProfileStore(void 0, { allowKeychainPrompt: false });
-	const deprecatedEntries = resolvePluginProviders({
-		config: cfg,
-		env: process.env,
-		bundledProviderAllowlistCompat: true,
-		bundledProviderVitestCompat: true
-	}).flatMap((provider) => (provider.deprecatedProfileIds ?? []).filter((profileId) => store.profiles[profileId] || cfg.auth?.profiles?.[profileId]).map((profileId) => ({
-		profileId,
-		providerId: provider.id,
-		providerLabel: provider.label
-	})));
-	const deprecated = new Set(deprecatedEntries.map((entry) => entry.profileId));
-	if (deprecated.size === 0) return cfg;
-	const lines = ["Deprecated external CLI auth profiles detected (no longer supported):"];
-	for (const entry of deprecatedEntries) {
-		const authCommand = resolveProviderAuthLoginCommand({
-			provider: entry.providerId,
-			config: cfg,
-			env: process.env
-		}) ?? formatCliCommand("moldclaw configure");
-		lines.push(`- ${entry.profileId} (${entry.providerLabel}): use ${authCommand}`);
-	}
-	note$1(lines.join("\n"), "Auth profiles");
-	if (!await prompter.confirmRepair({
-		message: "Remove deprecated CLI auth profiles now?",
-		initialValue: true
-	})) return cfg;
-	await updateAuthProfileStoreWithLock({ updater: (nextStore) => {
-		let mutated = false;
-		for (const id of deprecated) {
-			if (nextStore.profiles[id]) {
-				delete nextStore.profiles[id];
-				mutated = true;
-			}
-			if (nextStore.usageStats?.[id]) {
-				delete nextStore.usageStats[id];
-				mutated = true;
-			}
-		}
-		if (nextStore.order) for (const [provider, list] of Object.entries(nextStore.order)) {
-			const filtered = list.filter((id) => !deprecated.has(id));
-			if (filtered.length !== list.length) {
-				mutated = true;
-				if (filtered.length > 0) nextStore.order[provider] = filtered;
-				else delete nextStore.order[provider];
-			}
-		}
-		if (nextStore.lastGood) {
-			for (const [provider, profileId] of Object.entries(nextStore.lastGood)) if (deprecated.has(profileId)) {
-				delete nextStore.lastGood[provider];
-				mutated = true;
-			}
-		}
-		return mutated;
-	} });
-	const pruned = pruneAuthProfiles(cfg, deprecated);
-	if (pruned.changed) note$1(Array.from(deprecated.values()).map((id) => `- removed ${id} from config`).join("\n"), "Doctor changes");
-	return pruned.next;
-}
-function resolveUnusableProfileHint(params) {
-	if (params.kind === "disabled") {
-		if (params.reason === "billing") return "Top up credits (provider billing) or switch provider.";
-		if (params.reason === "auth_permanent" || params.reason === "auth") return "Refresh or replace credentials, then retry.";
-	}
-	return "Wait for cooldown or switch provider.";
-}
-function formatAuthIssueHint(issue) {
-	if (issue.reasonCode === "invalid_expires") return "Invalid token expires metadata. Set a future Unix ms timestamp or remove expires.";
-	if (issue.provider === "anthropic" && issue.profileId === "anthropic:claude-cli") return `Deprecated profile. ${buildProviderAuthRecoveryHint({ provider: "anthropic" })}`;
-	if (issue.provider === "openai-codex" && issue.profileId === "openai-codex:codex-cli") return `Deprecated profile. ${buildProviderAuthRecoveryHint({ provider: "openai-codex" })}`;
-	return buildProviderAuthRecoveryHint({ provider: issue.provider }).replace(/^Run /, "Re-auth via ");
-}
-function formatAuthIssueLine(issue) {
-	const remaining = issue.remainingMs !== void 0 ? ` (${formatRemainingShort(issue.remainingMs)})` : "";
-	const hint = formatAuthIssueHint(issue);
-	const reason = issue.reasonCode ? ` [${issue.reasonCode}]` : "";
-	return `- ${issue.profileId}: ${issue.status}${reason}${remaining}${hint ? ` — ${hint}` : ""}`;
-}
-async function noteAuthProfileHealth(params) {
-	const store = ensureAuthProfileStore(void 0, { allowKeychainPrompt: params.allowKeychainPrompt });
-	const unusable = (() => {
-		const now = Date.now();
-		const out = [];
-		for (const profileId of Object.keys(store.usageStats ?? {})) {
-			const until = resolveProfileUnusableUntilForDisplay(store, profileId);
-			if (!until || now >= until) continue;
-			const stats = store.usageStats?.[profileId];
-			const remaining = formatRemainingShort(until - now);
-			const disabledActive = typeof stats?.disabledUntil === "number" && now < stats.disabledUntil;
-			const kind = disabledActive ? `disabled${stats.disabledReason ? `:${stats.disabledReason}` : ""}` : "cooldown";
-			const hint = resolveUnusableProfileHint({
-				kind: disabledActive ? "disabled" : "cooldown",
-				reason: stats?.disabledReason
-			});
-			out.push(`- ${profileId}: ${kind} (${remaining})${hint ? ` — ${hint}` : ""}`);
-		}
-		return out;
-	})();
-	if (unusable.length > 0) note$1(unusable.join("\n"), "Auth profile cooldowns");
-	let summary = buildAuthHealthSummary({
-		store,
-		cfg: params.cfg,
-		warnAfterMs: DEFAULT_OAUTH_WARN_MS
-	});
-	const findIssues = () => summary.profiles.filter((profile) => (profile.type === "oauth" || profile.type === "token") && (profile.status === "expired" || profile.status === "expiring" || profile.status === "missing"));
-	let issues = findIssues();
-	if (issues.length === 0) return;
-	if (await params.prompter.confirmRepair({
-		message: "Refresh expiring OAuth tokens now? (static tokens need re-auth)",
-		initialValue: true
-	})) {
-		const refreshTargets = issues.filter((issue) => issue.type === "oauth" && [
-			"expired",
-			"expiring",
-			"missing"
-		].includes(issue.status));
-		const errors = [];
-		for (const profile of refreshTargets) try {
-			await resolveApiKeyForProfile({
-				cfg: params.cfg,
-				store,
-				profileId: profile.profileId
-			});
-		} catch (err) {
-			errors.push(`- ${profile.profileId}: ${err instanceof Error ? err.message : String(err)}`);
-		}
-		if (errors.length > 0) note$1(errors.join("\n"), "OAuth refresh errors");
-		summary = buildAuthHealthSummary({
-			store: ensureAuthProfileStore(void 0, { allowKeychainPrompt: false }),
-			cfg: params.cfg,
-			warnAfterMs: DEFAULT_OAUTH_WARN_MS
-		});
-		issues = findIssues();
-	}
-	if (issues.length > 0) note$1(issues.map((issue) => formatAuthIssueLine({
-		profileId: issue.profileId,
-		provider: issue.provider,
-		status: issue.status,
-		reasonCode: issue.reasonCode,
-		remainingMs: issue.remainingMs
-	})).join("\n"), "Model auth");
-}
-//#endregion
-//#region src/commands/doctor-bootstrap-size.ts
-function formatInt(value) {
-	return new Intl.NumberFormat("en-US").format(Math.max(0, Math.floor(value)));
-}
-function formatPercent(numerator, denominator) {
-	if (!Number.isFinite(denominator) || denominator <= 0) return "0%";
-	return `${Math.min(100, Math.max(0, Math.round(numerator / denominator * 100)))}%`;
-}
-function formatCauses(causes) {
-	if (causes.length === 0) return "unknown";
-	return causes.map((cause) => cause === "per-file-limit" ? "max/file" : "max/total").join(", ");
-}
-async function noteBootstrapFileSize(cfg) {
-	const workspaceDir = resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg));
-	const bootstrapMaxChars = resolveBootstrapMaxChars(cfg);
-	const bootstrapTotalMaxChars = resolveBootstrapTotalMaxChars(cfg);
-	const { bootstrapFiles, contextFiles } = await resolveBootstrapContextForRun({
-		workspaceDir,
-		config: cfg
-	});
-	const analysis = analyzeBootstrapBudget({
-		files: buildBootstrapInjectionStats({
-			bootstrapFiles,
-			injectedFiles: contextFiles
-		}),
-		bootstrapMaxChars,
-		bootstrapTotalMaxChars
-	});
-	if (!analysis.hasTruncation && analysis.nearLimitFiles.length === 0 && !analysis.totalNearLimit) return analysis;
-	const lines = [];
-	if (analysis.hasTruncation) {
-		lines.push("Workspace bootstrap files exceed limits and will be truncated:");
-		for (const file of analysis.truncatedFiles) {
-			const truncatedChars = Math.max(0, file.rawChars - file.injectedChars);
-			lines.push(`- ${file.name}: ${formatInt(file.rawChars)} raw / ${formatInt(file.injectedChars)} injected (${formatPercent(truncatedChars, file.rawChars)} truncated; ${formatCauses(file.causes)})`);
-		}
-	} else lines.push("Workspace bootstrap files are near configured limits:");
-	const nonTruncatedNearLimit = analysis.nearLimitFiles.filter((file) => !file.truncated);
-	if (nonTruncatedNearLimit.length > 0) for (const file of nonTruncatedNearLimit) lines.push(`- ${file.name}: ${formatInt(file.rawChars)} chars (${formatPercent(file.rawChars, bootstrapMaxChars)} of max/file ${formatInt(bootstrapMaxChars)})`);
-	lines.push(`Total bootstrap injected chars: ${formatInt(analysis.totals.injectedChars)} (${formatPercent(analysis.totals.injectedChars, bootstrapTotalMaxChars)} of max/total ${formatInt(bootstrapTotalMaxChars)}).`);
-	lines.push(`Total bootstrap raw chars (before truncation): ${formatInt(analysis.totals.rawChars)}.`);
-	const needsPerFileTip = analysis.truncatedFiles.some((file) => file.causes.includes("per-file-limit")) || analysis.nearLimitFiles.length > 0;
-	const needsTotalTip = analysis.truncatedFiles.some((file) => file.causes.includes("total-limit")) || analysis.totalNearLimit;
-	if (needsPerFileTip || needsTotalTip) lines.push("");
-	if (needsPerFileTip) lines.push("- Tip: tune `agents.defaults.bootstrapMaxChars` for per-file limits.");
-	if (needsTotalTip) lines.push("- Tip: tune `agents.defaults.bootstrapTotalMaxChars` for total-budget limits.");
-	note$1(lines.join("\n"), "Bootstrap file size");
-	return analysis;
-}
-//#endregion
-//#region src/commands/doctor-browser.ts
-const CHROME_MCP_MIN_MAJOR = 144;
-const REMOTE_DEBUGGING_PAGES = [
-	"chrome://inspect/#remote-debugging",
-	"brave://inspect/#remote-debugging",
-	"edge://inspect/#remote-debugging"
-].join(", ");
-function asRecord(value) {
-	return value && typeof value === "object" && !Array.isArray(value) ? value : null;
-}
-function collectChromeMcpProfiles(cfg) {
-	const browser = asRecord(cfg.browser);
-	if (!browser) return [];
-	const profiles = /* @__PURE__ */ new Map();
-	if ((typeof browser.defaultProfile === "string" ? browser.defaultProfile.trim() : "") === "user") profiles.set("user", { name: "user" });
-	const configuredProfiles = asRecord(browser.profiles);
-	if (!configuredProfiles) return [...profiles.values()].toSorted((a, b) => a.name.localeCompare(b.name));
-	for (const [profileName, rawProfile] of Object.entries(configuredProfiles)) {
-		const profile = asRecord(rawProfile);
-		if ((typeof profile?.driver === "string" ? profile.driver.trim() : "") === "existing-session") {
-			const userDataDir = typeof profile?.userDataDir === "string" ? profile.userDataDir.trim() : void 0;
-			profiles.set(profileName, {
-				name: profileName,
-				userDataDir: userDataDir || void 0
-			});
-		}
-	}
-	return [...profiles.values()].toSorted((a, b) => a.name.localeCompare(b.name));
-}
-async function noteChromeMcpBrowserReadiness(cfg, deps) {
-	const profiles = collectChromeMcpProfiles(cfg);
-	if (profiles.length === 0) return;
-	const noteFn = deps?.noteFn ?? note$1;
-	const platform = deps?.platform ?? process.platform;
-	const resolveChromeExecutable = deps?.resolveChromeExecutable ?? resolveGoogleChromeExecutableForPlatform;
-	const readVersion = deps?.readVersion ?? readBrowserVersion;
-	const explicitProfiles = profiles.filter((profile) => profile.userDataDir);
-	const autoConnectProfiles = profiles.filter((profile) => !profile.userDataDir);
-	const profileLabel = profiles.map((profile) => profile.name).join(", ");
-	if (autoConnectProfiles.length === 0) {
-		noteFn([
-			`- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`,
-			"- These profiles use an explicit Chromium user data directory instead of Chrome's default auto-connect path.",
-			`- Verify the matching Chromium-based browser is version ${CHROME_MCP_MIN_MAJOR}+ on the same host as the Gateway or node.`,
-			`- Enable remote debugging in that browser's inspect page (${REMOTE_DEBUGGING_PAGES}).`,
-			"- Keep the browser running and accept the attach consent prompt the first time moldClaw connects."
-		].join("\n"), "Browser");
-		return;
-	}
-	const chrome = resolveChromeExecutable(platform);
-	const autoProfileLabel = autoConnectProfiles.map((profile) => profile.name).join(", ");
-	if (!chrome) {
-		const lines = [
-			`- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`,
-			`- Google Chrome was not found on this host for auto-connect profile(s): ${autoProfileLabel}. moldClaw does not bundle Chrome.`,
-			`- Install Google Chrome ${CHROME_MCP_MIN_MAJOR}+ on the same host as the Gateway or node, or set browser.profiles.<name>.userDataDir for a different Chromium-based browser.`,
-			`- Enable remote debugging in the browser inspect page (${REMOTE_DEBUGGING_PAGES}).`,
-			"- Keep the browser running and accept the attach consent prompt the first time moldClaw connects.",
-			"- Docker, headless, and sandbox browser flows stay on raw CDP; this check only applies to host-local Chrome MCP attach."
-		];
-		if (explicitProfiles.length > 0) lines.push(`- Profiles with explicit userDataDir skip Chrome auto-detection: ${explicitProfiles.map((profile) => profile.name).join(", ")}.`);
-		noteFn(lines.join("\n"), "Browser");
-		return;
-	}
-	const versionRaw = readVersion(chrome.path);
-	const major = parseBrowserMajorVersion(versionRaw);
-	const lines = [`- Chrome MCP existing-session is configured for profile(s): ${profileLabel}.`, `- Chrome path: ${chrome.path}`];
-	if (!versionRaw || major === null) lines.push(`- Could not determine the installed Chrome version. Chrome MCP requires Google Chrome ${CHROME_MCP_MIN_MAJOR}+ on this host.`);
-	else if (major < CHROME_MCP_MIN_MAJOR) lines.push(`- Detected Chrome ${versionRaw}, which is too old for Chrome MCP existing-session attach. Upgrade to Chrome ${CHROME_MCP_MIN_MAJOR}+.`);
-	else lines.push(`- Detected Chrome ${versionRaw}.`);
-	lines.push(`- Enable remote debugging in the browser inspect page (${REMOTE_DEBUGGING_PAGES}).`);
-	lines.push("- Keep the browser running and accept the attach consent prompt the first time moldClaw connects.");
-	if (explicitProfiles.length > 0) lines.push(`- Profiles with explicit userDataDir still need manual validation of the matching Chromium-based browser: ${explicitProfiles.map((profile) => profile.name).join(", ")}.`);
-	noteFn(lines.join("\n"), "Browser");
-}
-//#endregion
-//#region src/commands/doctor-cron.ts
-function pluralize(count, noun) {
-	return `${count} ${noun}${count === 1 ? "" : "s"}`;
-}
-function formatLegacyIssuePreview(issues) {
-	const lines = [];
-	if (issues.jobId) lines.push(`- ${pluralize(issues.jobId, "job")} still uses legacy \`jobId\``);
-	if (issues.legacyScheduleString) lines.push(`- ${pluralize(issues.legacyScheduleString, "job")} stores schedule as a bare string`);
-	if (issues.legacyScheduleCron) lines.push(`- ${pluralize(issues.legacyScheduleCron, "job")} still uses \`schedule.cron\``);
-	if (issues.legacyPayloadKind) lines.push(`- ${pluralize(issues.legacyPayloadKind, "job")} needs payload kind normalization`);
-	if (issues.legacyPayloadProvider) lines.push(`- ${pluralize(issues.legacyPayloadProvider, "job")} still uses payload \`provider\` as a delivery alias`);
-	if (issues.legacyTopLevelPayloadFields) lines.push(`- ${pluralize(issues.legacyTopLevelPayloadFields, "job")} still uses top-level payload fields`);
-	if (issues.legacyTopLevelDeliveryFields) lines.push(`- ${pluralize(issues.legacyTopLevelDeliveryFields, "job")} still uses top-level delivery fields`);
-	if (issues.legacyDeliveryMode) lines.push(`- ${pluralize(issues.legacyDeliveryMode, "job")} still uses delivery mode \`deliver\``);
-	return lines;
-}
-function trimString(value) {
-	return typeof value === "string" && value.trim() ? value.trim() : void 0;
-}
-function migrateLegacyNotifyFallback(params) {
-	let changed = false;
-	const warnings = [];
-	for (const raw of params.jobs) {
-		if (!("notify" in raw)) continue;
-		const jobName = trimString(raw.name) ?? trimString(raw.id) ?? "<unnamed>";
-		if (!(raw.notify === true)) {
-			delete raw.notify;
-			changed = true;
-			continue;
-		}
-		const delivery = raw.delivery && typeof raw.delivery === "object" && !Array.isArray(raw.delivery) ? raw.delivery : null;
-		const mode = trimString(delivery?.mode)?.toLowerCase();
-		const to = trimString(delivery?.to);
-		if (mode === "webhook" && to) {
-			delete raw.notify;
-			changed = true;
-			continue;
-		}
-		if ((mode === void 0 || mode === "none" || mode === "webhook") && params.legacyWebhook) {
-			raw.delivery = {
-				...delivery,
-				mode: "webhook",
-				to: mode === "none" ? params.legacyWebhook : to ?? params.legacyWebhook
-			};
-			delete raw.notify;
-			changed = true;
-			continue;
-		}
-		if (!params.legacyWebhook) {
-			warnings.push(`Cron job "${jobName}" still uses legacy notify fallback, but cron.webhook is unset so doctor cannot migrate it automatically.`);
-			continue;
-		}
-		warnings.push(`Cron job "${jobName}" uses legacy notify fallback alongside delivery mode "${mode}". Migrate it manually so webhook delivery does not replace existing announce behavior.`);
-	}
-	return {
-		changed,
-		warnings
-	};
-}
-async function maybeRepairLegacyCronStore(params) {
-	const storePath = resolveCronStorePath(params.cfg.cron?.store);
-	const rawJobs = (await loadCronStore(storePath)).jobs ?? [];
-	if (rawJobs.length === 0) return;
-	const normalized = normalizeStoredCronJobs(rawJobs);
-	const legacyWebhook = trimString(params.cfg.cron?.webhook);
-	const notifyCount = rawJobs.filter((job) => job.notify === true).length;
-	const previewLines = formatLegacyIssuePreview(normalized.issues);
-	if (notifyCount > 0) previewLines.push(`- ${pluralize(notifyCount, "job")} still uses legacy \`notify: true\` webhook fallback`);
-	if (previewLines.length === 0) return;
-	note$1([
-		`Legacy cron job storage detected at ${shortenHomePath(storePath)}.`,
-		...previewLines,
-		`Repair with ${formatCliCommand("moldclaw doctor --fix")} to normalize the store before the next scheduler run.`
-	].join("\n"), "Cron");
-	if (!await params.prompter.confirm({
-		message: "Repair legacy cron jobs now?",
-		initialValue: true
-	})) return;
-	const notifyMigration = migrateLegacyNotifyFallback({
-		jobs: rawJobs,
-		legacyWebhook
-	});
-	const changed = normalized.mutated || notifyMigration.changed;
-	if (!changed && notifyMigration.warnings.length === 0) return;
-	if (changed) {
-		await saveCronStore(storePath, {
-			version: 1,
-			jobs: rawJobs
-		});
-		note$1(`Cron store normalized at ${shortenHomePath(storePath)}.`, "Doctor changes");
-	}
-	if (notifyMigration.warnings.length > 0) note$1(notifyMigration.warnings.join("\n"), "Doctor warnings");
-}
-//#endregion
-//#region src/commands/doctor-format.ts
-function formatGatewayRuntimeSummary(runtime) {
-	return formatRuntimeStatus(runtime);
-}
-function buildGatewayRuntimeHints(runtime, options = {}) {
-	const hints = [];
-	if (!runtime) return hints;
-	const platform = options.platform ?? process.platform;
-	const env = options.env ?? process.env;
-	const fileLog = (() => {
-		try {
-			return getResolvedLoggerSettings().file;
-		} catch {
-			return null;
-		}
-	})();
-	if (platform === "linux" && isSystemdUnavailableDetail(runtime.detail)) {
-		hints.push(...renderSystemdUnavailableHints({ wsl: isWSLEnv() }));
-		if (fileLog) hints.push(`File logs: ${fileLog}`);
-		return hints;
-	}
-	if (runtime.cachedLabel && platform === "darwin") {
-		const label = resolveGatewayLaunchAgentLabel(env.MOLDCLAW_PROFILE);
-		hints.push(`LaunchAgent label cached but plist missing. Clear with: launchctl bootout gui/$UID/${label}`);
-		hints.push(`Then reinstall: ${formatCliCommand("moldclaw gateway install", env)}`);
-	}
-	if (runtime.missingUnit) {
-		hints.push(`Service not installed. Run: ${formatCliCommand("moldclaw gateway install", env)}`);
-		if (fileLog) hints.push(`File logs: ${fileLog}`);
-		return hints;
-	}
-	if (runtime.status === "stopped") {
-		hints.push("Service is loaded but not running (likely exited immediately).");
-		if (fileLog) hints.push(`File logs: ${fileLog}`);
-		hints.push(...buildPlatformRuntimeLogHints({
-			platform,
-			env,
-			systemdServiceName: resolveGatewaySystemdServiceName(env.MOLDCLAW_PROFILE),
-			windowsTaskName: resolveGatewayWindowsTaskName(env.MOLDCLAW_PROFILE)
-		}));
-	}
-	return hints;
-}
-//#endregion
-//#region src/commands/doctor-gateway-daemon-flow.ts
-async function maybeRepairLaunchAgentBootstrap(params) {
-	if (process.platform !== "darwin") return false;
-	if (!await isLaunchAgentListed({ env: params.env })) return false;
-	if (await isLaunchAgentLoaded({ env: params.env })) return false;
-	if (!await launchAgentPlistExists(params.env)) return false;
-	note$1("LaunchAgent is listed but not loaded in launchd.", `${params.title} LaunchAgent`);
-	if (!await params.prompter.confirmSkipInNonInteractive({
-		message: `Repair ${params.title} LaunchAgent bootstrap now?`,
-		initialValue: true
-	})) return false;
-	params.runtime.log(`Bootstrapping ${params.title} LaunchAgent...`);
-	const repair = await repairLaunchAgentBootstrap({ env: params.env });
-	if (!repair.ok) {
-		params.runtime.error(`${params.title} LaunchAgent bootstrap failed: ${repair.detail ?? "unknown error"}`);
-		return false;
-	}
-	if (!await isLaunchAgentLoaded({ env: params.env })) {
-		params.runtime.error(`${params.title} LaunchAgent still not loaded after repair.`);
-		return false;
-	}
-	note$1(`${params.title} LaunchAgent repaired.`, `${params.title} LaunchAgent`);
-	return true;
-}
-async function maybeRepairGatewayDaemon(params) {
-	if (params.healthOk) return;
-	const service = resolveGatewayService();
-	let loaded = false;
-	try {
-		loaded = await service.isLoaded({ env: process.env });
-	} catch {
-		loaded = false;
-	}
-	let serviceRuntime;
-	if (loaded) serviceRuntime = await service.readRuntime(process.env).catch(() => void 0);
-	if (process.platform === "darwin" && params.cfg.gateway?.mode !== "remote") {
-		const gatewayRepaired = await maybeRepairLaunchAgentBootstrap({
-			env: process.env,
-			title: "Gateway",
-			runtime: params.runtime,
-			prompter: params.prompter
-		});
-		await maybeRepairLaunchAgentBootstrap({
-			env: {
-				...process.env,
-				MOLDCLAW_LAUNCHD_LABEL: resolveNodeLaunchAgentLabel()
-			},
-			title: "Node",
-			runtime: params.runtime,
-			prompter: params.prompter
-		});
-		if (gatewayRepaired) {
-			loaded = await service.isLoaded({ env: process.env });
-			if (loaded) serviceRuntime = await service.readRuntime(process.env).catch(() => void 0);
-		}
-	}
-	if (params.cfg.gateway?.mode !== "remote") {
-		const diagnostics = await inspectPortUsage(resolveGatewayPort(params.cfg, process.env));
-		if (diagnostics.status === "busy") note$1(formatPortDiagnostics(diagnostics).join("\n"), "Gateway port");
-		else if (loaded && serviceRuntime?.status === "running") {
-			const lastError = await readLastGatewayErrorLine(process.env);
-			if (lastError) note$1(`Last gateway error: ${lastError}`, "Gateway");
-		}
-	}
-	if (!loaded) {
-		if (process.platform === "linux") {
-			if (!await isSystemdUserServiceAvailable().catch(() => false)) {
-				note$1(renderSystemdUnavailableHints({ wsl: await isWSL() }).join("\n"), "Gateway");
-				return;
-			}
-		}
-		note$1("Gateway service not installed.", "Gateway");
-		if (params.cfg.gateway?.mode !== "remote") {
-			if (await params.prompter.confirmSkipInNonInteractive({
-				message: "Install gateway service now?",
-				initialValue: true
-			})) {
-				const daemonRuntime = await params.prompter.select({
-					message: "Gateway service runtime",
-					options: GATEWAY_DAEMON_RUNTIME_OPTIONS,
-					initialValue: DEFAULT_GATEWAY_DAEMON_RUNTIME
-				}, DEFAULT_GATEWAY_DAEMON_RUNTIME);
-				const tokenResolution = await resolveGatewayInstallToken({
-					config: params.cfg,
-					env: process.env
-				});
-				for (const warning of tokenResolution.warnings) note$1(warning, "Gateway");
-				if (tokenResolution.unavailableReason) {
-					note$1([
-						"Gateway service install aborted.",
-						tokenResolution.unavailableReason,
-						"Fix gateway auth config/token input and rerun doctor."
-					].join("\n"), "Gateway");
-					return;
-				}
-				const port = resolveGatewayPort(params.cfg, process.env);
-				const { programArguments, workingDirectory, environment } = await buildGatewayInstallPlan({
-					env: process.env,
-					port,
-					runtime: daemonRuntime,
-					warn: (message, title) => note$1(message, title),
-					config: params.cfg
-				});
-				try {
-					await service.install({
-						env: process.env,
-						stdout: process.stdout,
-						programArguments,
-						workingDirectory,
-						environment
-					});
-				} catch (err) {
-					note$1(`Gateway service install failed: ${String(err)}`, "Gateway");
-					note$1(gatewayInstallErrorHint(), "Gateway");
-				}
-			}
-		}
-		return;
-	}
-	const summary = formatGatewayRuntimeSummary(serviceRuntime);
-	const hints = buildGatewayRuntimeHints(serviceRuntime, {
-		platform: process.platform,
-		env: process.env
-	});
-	if (summary || hints.length > 0) {
-		const lines = [];
-		if (summary) lines.push(`Runtime: ${summary}`);
-		lines.push(...hints);
-		note$1(lines.join("\n"), "Gateway");
-	}
-	if (serviceRuntime?.status !== "running") {
-		if (await params.prompter.confirmSkipInNonInteractive({
-			message: "Start gateway service now?",
-			initialValue: true
-		})) {
-			const restartStatus = describeGatewayServiceRestart("Gateway", await service.restart({
-				env: process.env,
-				stdout: process.stdout
-			}));
-			if (!restartStatus.scheduled) await sleep(1500);
-			else note$1(restartStatus.message, "Gateway");
-		}
-	}
-	if (process.platform === "darwin") {
-		const label = resolveGatewayLaunchAgentLabel(process.env.MOLDCLAW_PROFILE);
-		note$1(`LaunchAgent loaded; stopping requires "${formatCliCommand("moldclaw gateway stop")}" or launchctl bootout gui/$UID/${label}.`, "Gateway");
-	}
-	if (serviceRuntime?.status === "running") {
-		if (await params.prompter.confirmSkipInNonInteractive({
-			message: "Restart gateway service now?",
-			initialValue: true
-		})) {
-			const restartStatus = describeGatewayServiceRestart("Gateway", await service.restart({
-				env: process.env,
-				stdout: process.stdout
-			}));
-			if (restartStatus.scheduled) {
-				note$1(restartStatus.message, "Gateway");
-				return;
-			}
-			await sleep(1500);
-			try {
-				await healthCommand({
-					json: false,
-					timeoutMs: 1e4
-				}, params.runtime);
-			} catch (err) {
-				if (String(err).includes("gateway closed")) {
-					note$1("Gateway not running.", "Gateway");
-					note$1(params.gatewayDetailsMessage, "Gateway connection");
-				} else params.runtime.error(formatHealthCheckFailure(err));
-			}
-		}
-	}
-}
-//#endregion
-//#region src/commands/doctor-gateway-health.ts
-async function checkGatewayHealth(params) {
-	const gatewayDetails = buildGatewayConnectionDetails({ config: params.cfg });
-	const timeoutMs = typeof params.timeoutMs === "number" && params.timeoutMs > 0 ? params.timeoutMs : 1e4;
-	let healthOk = false;
-	try {
-		await healthCommand({
-			json: false,
-			timeoutMs,
-			config: params.cfg
-		}, params.runtime);
-		healthOk = true;
-	} catch (err) {
-		if (String(err).includes("gateway closed")) {
-			note$1("Gateway not running.", "Gateway");
-			note$1(gatewayDetails.message, "Gateway connection");
-		} else params.runtime.error(formatHealthCheckFailure(err));
-	}
-	if (healthOk) try {
-		const issues = collectChannelStatusIssues(await callGateway({
-			method: "channels.status",
-			params: {
-				probe: true,
-				timeoutMs: 5e3
-			},
-			timeoutMs: 6e3
-		}));
-		if (issues.length > 0) note$1(issues.map((issue) => `- ${issue.channel} ${issue.accountId}: ${issue.message}${issue.fix ? ` (${issue.fix})` : ""}`).join("\n"), "Channel warnings");
-	} catch {}
-	return { healthOk };
-}
-async function probeGatewayMemoryStatus(params) {
-	const timeoutMs = typeof params.timeoutMs === "number" && params.timeoutMs > 0 ? params.timeoutMs : 8e3;
-	try {
-		const payload = await callGateway({
-			method: "doctor.memory.status",
-			timeoutMs,
-			config: params.cfg
-		});
-		return {
-			checked: true,
-			ready: payload.embedding.ok,
-			error: payload.embedding.error
-		};
-	} catch (err) {
-		return {
-			checked: true,
-			ready: false,
-			error: `gateway memory probe unavailable: ${err instanceof Error ? err.message : String(err)}`
-		};
-	}
-}
-//#endregion
-//#region src/commands/doctor-gateway-auth-token.ts
-async function resolveGatewayAuthTokenForService(cfg, env) {
-	const resolved = await resolveConfiguredSecretInputWithFallback({
-		config: cfg,
-		env,
-		value: cfg.gateway?.auth?.token,
-		path: "gateway.auth.token",
-		unresolvedReasonStyle: "detailed",
-		readFallback: () => readGatewayTokenEnv(env)
-	});
-	if (resolved.value) return { token: resolved.value };
-	if (!resolved.secretRefConfigured) return {};
-	if (resolved.unresolvedRefReason?.includes("resolved to an empty value")) return { unavailableReason: resolved.unresolvedRefReason };
-	return { unavailableReason: `gateway.auth.token SecretRef is configured but unresolved (${resolved.unresolvedRefReason ?? "unknown reason"}).` };
-}
-//#endregion
-//#region src/commands/doctor-gateway-services.ts
-const execFileAsync$1 = promisify(execFile);
-function detectGatewayRuntime(programArguments) {
-	const first = programArguments?.[0];
-	if (first) {
-		const base = path.basename(first).toLowerCase();
-		if (base === "bun" || base === "bun.exe") return "bun";
-		if (base === "node" || base === "node.exe") return "node";
-	}
-	return DEFAULT_GATEWAY_DAEMON_RUNTIME;
-}
-function findGatewayEntrypoint(programArguments) {
-	if (!programArguments || programArguments.length === 0) return null;
-	const gatewayIndex = programArguments.indexOf("gateway");
-	if (gatewayIndex <= 0) return null;
-	return programArguments[gatewayIndex - 1] ?? null;
-}
-async function normalizeExecutablePath(value) {
-	const resolvedPath = path.resolve(value);
-	try {
-		return await fs$1.realpath(resolvedPath);
-	} catch {
-		return resolvedPath;
-	}
-}
-function extractDetailPath(detail, prefix) {
-	if (!detail.startsWith(prefix)) return null;
-	const value = detail.slice(prefix.length).trim();
-	return value.length > 0 ? value : null;
-}
-async function cleanupLegacyLaunchdService(params) {
-	if (typeof process.getuid !== "function") return null;
-	await execFileAsync$1("launchctl", [
-		"bootout",
-		`gui/${process.getuid()}`,
-		params.plistPath
-	]).catch(() => void 0);
-	await execFileAsync$1("launchctl", ["unload", params.plistPath]).catch(() => void 0);
-	const trashDir = path.join(os.homedir(), ".Trash");
-	try {
-		await fs$1.mkdir(trashDir, { recursive: true });
-	} catch {}
-	try {
-		await fs$1.access(params.plistPath);
-	} catch {
-		return null;
-	}
-	const dest = path.join(trashDir, `${params.label}-${Date.now()}.plist`);
-	try {
-		await fs$1.rename(params.plistPath, dest);
-		return dest;
-	} catch {
-		return null;
-	}
-}
-function classifyLegacyServices(legacyServices) {
-	const darwinUserServices = [];
-	const linuxUserServices = [];
-	const failed = [];
-	for (const svc of legacyServices) {
-		if (svc.platform === "darwin") {
-			if (svc.scope === "user") darwinUserServices.push(svc);
-			else failed.push(`${svc.label} (${svc.scope})`);
-			continue;
-		}
-		if (svc.platform === "linux") {
-			if (svc.scope === "user") linuxUserServices.push(svc);
-			else failed.push(`${svc.label} (${svc.scope})`);
-			continue;
-		}
-		failed.push(`${svc.label} (${svc.platform})`);
-	}
-	return {
-		darwinUserServices,
-		linuxUserServices,
-		failed
-	};
-}
-async function cleanupLegacyDarwinServices(services) {
-	const removed = [];
-	const failed = [];
-	for (const svc of services) {
-		const plistPath = extractDetailPath(svc.detail, "plist:");
-		if (!plistPath) {
-			failed.push(`${svc.label} (missing plist path)`);
-			continue;
-		}
-		const dest = await cleanupLegacyLaunchdService({
-			label: svc.label,
-			plistPath
-		});
-		removed.push(dest ? `${svc.label} -> ${dest}` : svc.label);
-	}
-	return {
-		removed,
-		failed
-	};
-}
-async function cleanupLegacyLinuxUserServices(services, runtime) {
-	const removed = [];
-	const failed = [];
-	try {
-		const removedUnits = await uninstallLegacySystemdUnits({
-			env: process.env,
-			stdout: process.stdout
-		});
-		const removedByLabel = new Map(removedUnits.map((unit) => [`${unit.name}.service`, unit]));
-		for (const svc of services) {
-			const removedUnit = removedByLabel.get(svc.label);
-			if (!removedUnit) {
-				failed.push(`${svc.label} (legacy unit name not recognized)`);
-				continue;
-			}
-			removed.push(`${svc.label} -> ${removedUnit.unitPath}`);
-		}
-	} catch (err) {
-		runtime.error(`Legacy Linux gateway cleanup failed: ${String(err)}`);
-		for (const svc of services) failed.push(`${svc.label} (linux cleanup failed)`);
-	}
-	return {
-		removed,
-		failed
-	};
-}
-async function maybeRepairGatewayServiceConfig(cfg, mode, runtime, prompter) {
-	if (resolveIsNixMode(process.env)) {
-		note$1("Nix mode detected; skip service updates.", "Gateway");
-		return;
-	}
-	if (mode === "remote") {
-		note$1("Gateway mode is remote; skipped local service audit.", "Gateway");
-		return;
-	}
-	const service = resolveGatewayService();
-	let command = null;
-	try {
-		command = await service.readCommand(process.env);
-	} catch {
-		command = null;
-	}
-	if (!command) return;
-	const tokenRefConfigured = Boolean(resolveSecretInputRef({
-		value: cfg.gateway?.auth?.token,
-		defaults: cfg.secrets?.defaults
-	}).ref);
-	const gatewayTokenResolution = await resolveGatewayAuthTokenForService(cfg, process.env);
-	if (gatewayTokenResolution.unavailableReason) note$1(`Unable to verify gateway service token drift: ${gatewayTokenResolution.unavailableReason}`, "Gateway service config");
-	const expectedGatewayToken = tokenRefConfigured ? void 0 : gatewayTokenResolution.token;
-	const audit = await auditGatewayServiceConfig({
-		env: process.env,
-		command,
-		expectedGatewayToken
-	});
-	const serviceToken = readEmbeddedGatewayToken(command);
-	if (tokenRefConfigured && serviceToken) audit.issues.push({
-		code: SERVICE_AUDIT_CODES.gatewayTokenMismatch,
-		message: "Gateway service MOLDCLAW_GATEWAY_TOKEN should be unset when gateway.auth.token is SecretRef-managed",
-		detail: "service token is stale",
-		level: "recommended"
-	});
-	const needsNodeRuntime = needsNodeRuntimeMigration(audit.issues);
-	const systemNodeInfo = needsNodeRuntime ? await resolveSystemNodeInfo({ env: process.env }) : null;
-	const systemNodePath = systemNodeInfo?.supported ? systemNodeInfo.path : null;
-	if (needsNodeRuntime && !systemNodePath) {
-		const warning = renderSystemNodeWarning(systemNodeInfo);
-		if (warning) note$1(warning, "Gateway runtime");
-		note$1("System Node 22 LTS (22.16+) or Node 24 not found. Install via Homebrew/apt/choco and rerun doctor to migrate off Bun/version managers.", "Gateway runtime");
-	}
-	const port = resolveGatewayPort(cfg, process.env);
-	const runtimeChoice = detectGatewayRuntime(command.programArguments);
-	const { programArguments } = await buildGatewayInstallPlan({
-		env: process.env,
-		port,
-		runtime: needsNodeRuntime && systemNodePath ? "node" : runtimeChoice,
-		nodePath: systemNodePath ?? void 0,
-		warn: (message, title) => note$1(message, title),
-		config: cfg
-	});
-	const expectedEntrypoint = findGatewayEntrypoint(programArguments);
-	const currentEntrypoint = findGatewayEntrypoint(command.programArguments);
-	const normalizedExpectedEntrypoint = expectedEntrypoint ? await normalizeExecutablePath(expectedEntrypoint) : null;
-	const normalizedCurrentEntrypoint = currentEntrypoint ? await normalizeExecutablePath(currentEntrypoint) : null;
-	if (normalizedExpectedEntrypoint && normalizedCurrentEntrypoint && normalizedExpectedEntrypoint !== normalizedCurrentEntrypoint) audit.issues.push({
-		code: SERVICE_AUDIT_CODES.gatewayEntrypointMismatch,
-		message: "Gateway service entrypoint does not match the current install.",
-		detail: `${currentEntrypoint} -> ${expectedEntrypoint}`,
-		level: "recommended"
-	});
-	if (audit.issues.length === 0) return;
-	note$1(audit.issues.map((issue) => issue.detail ? `- ${issue.message} (${issue.detail})` : `- ${issue.message}`).join("\n"), "Gateway service config");
-	const needsAggressive = audit.issues.filter((issue) => issue.level === "aggressive").length > 0;
-	if (needsAggressive && !prompter.shouldForce) note$1("Custom or unexpected service edits detected. Rerun with --force to overwrite.", "Gateway service config");
-	if (!(needsAggressive ? await prompter.confirmAggressive({
-		message: "Overwrite gateway service config with current defaults now?",
-		initialValue: Boolean(prompter.shouldForce)
-	}) : await prompter.confirmRepair({
-		message: "Update gateway service config to the recommended defaults now?",
-		initialValue: true
-	}))) return;
-	const serviceEmbeddedToken = readEmbeddedGatewayToken(command);
-	const gatewayTokenForRepair = expectedGatewayToken ?? serviceEmbeddedToken;
-	const configuredGatewayToken = typeof cfg.gateway?.auth?.token === "string" ? cfg.gateway.auth.token.trim() || void 0 : void 0;
-	let cfgForServiceInstall = cfg;
-	if (!tokenRefConfigured && !configuredGatewayToken && gatewayTokenForRepair) {
-		const nextCfg = {
-			...cfg,
-			gateway: {
-				...cfg.gateway,
-				auth: {
-					...cfg.gateway?.auth,
-					mode: cfg.gateway?.auth?.mode ?? "token",
-					token: gatewayTokenForRepair
-				}
-			}
-		};
-		try {
-			await writeConfigFile(nextCfg);
-			cfgForServiceInstall = nextCfg;
-			note$1(expectedGatewayToken ? "Persisted gateway.auth.token from environment before reinstalling service." : "Persisted gateway.auth.token from existing service definition before reinstalling service.", "Gateway");
-		} catch (err) {
-			runtime.error(`Failed to persist gateway.auth.token before service repair: ${String(err)}`);
-			return;
-		}
-	}
-	const updatedPort = resolveGatewayPort(cfgForServiceInstall, process.env);
-	const updatedPlan = await buildGatewayInstallPlan({
-		env: process.env,
-		port: updatedPort,
-		runtime: needsNodeRuntime && systemNodePath ? "node" : runtimeChoice,
-		nodePath: systemNodePath ?? void 0,
-		warn: (message, title) => note$1(message, title),
-		config: cfgForServiceInstall
-	});
-	try {
-		await service.install({
-			env: process.env,
-			stdout: process.stdout,
-			programArguments: updatedPlan.programArguments,
-			workingDirectory: updatedPlan.workingDirectory,
-			environment: updatedPlan.environment
-		});
-	} catch (err) {
-		runtime.error(`Gateway service update failed: ${String(err)}`);
-	}
-}
-async function maybeScanExtraGatewayServices(options, runtime, prompter) {
-	const extraServices = await findExtraGatewayServices(process.env, { deep: options.deep });
-	if (extraServices.length === 0) return;
-	note$1(extraServices.map((svc) => `- ${svc.label} (${svc.scope}, ${svc.detail})`).join("\n"), "Other gateway-like services detected");
-	const legacyServices = extraServices.filter((svc) => svc.legacy === true);
-	if (legacyServices.length > 0) {
-		if (await prompter.confirmSkipInNonInteractive({
-			message: "Remove legacy gateway services (clawdbot/moltbot) now?",
-			initialValue: true
-		})) {
-			const removed = [];
-			const { darwinUserServices, linuxUserServices, failed } = classifyLegacyServices(legacyServices);
-			if (darwinUserServices.length > 0) {
-				const result = await cleanupLegacyDarwinServices(darwinUserServices);
-				removed.push(...result.removed);
-				failed.push(...result.failed);
-			}
-			if (linuxUserServices.length > 0) {
-				const result = await cleanupLegacyLinuxUserServices(linuxUserServices, runtime);
-				removed.push(...result.removed);
-				failed.push(...result.failed);
-			}
-			if (removed.length > 0) note$1(removed.map((line) => `- ${line}`).join("\n"), "Legacy gateway removed");
-			if (failed.length > 0) note$1(failed.map((line) => `- ${line}`).join("\n"), "Legacy gateway cleanup skipped");
-			if (removed.length > 0) runtime.log("Legacy gateway services removed. Installing moldClaw gateway next.");
-		}
-	}
-	const cleanupHints = renderGatewayServiceCleanupHints();
-	if (cleanupHints.length > 0) note$1(cleanupHints.map((hint) => `- ${hint}`).join("\n"), "Cleanup hints");
-	note$1([
-		"Recommendation: run a single gateway per machine for most setups.",
-		"One gateway supports multiple agents.",
-		"If you need multiple gateways (e.g., a rescue bot on the same host), isolate ports + config/state (see docs: /gateway#multiple-gateways-same-host)."
-	].join("\n"), "Gateway recommendation");
-}
-//#endregion
-//#region src/commands/doctor-install.ts
-function noteSourceInstallIssues(root) {
-	if (!root) return;
-	const workspaceMarker = path.join(root, "pnpm-workspace.yaml");
-	if (!fs.existsSync(workspaceMarker)) return;
-	const warnings = [];
-	const nodeModules = path.join(root, "node_modules");
-	const pnpmStore = path.join(nodeModules, ".pnpm");
-	const tsxBin = path.join(nodeModules, ".bin", "tsx");
-	const srcEntry = path.join(root, "src", "entry.ts");
-	if (fs.existsSync(nodeModules) && !fs.existsSync(pnpmStore)) warnings.push("- node_modules was not installed by pnpm (missing node_modules/.pnpm). Run: pnpm install");
-	if (fs.existsSync(path.join(root, "package-lock.json"))) warnings.push("- package-lock.json present in a pnpm workspace. If you ran npm install, remove it and reinstall with pnpm.");
-	if (fs.existsSync(srcEntry) && !fs.existsSync(tsxBin)) warnings.push("- tsx binary is missing for source runs. Run: pnpm install");
-	if (warnings.length > 0) note$1(warnings.join("\n"), "Install");
-}
-//#endregion
-//#region src/commands/doctor-memory-search.ts
-/**
-* Check whether memory search has a usable embedding provider.
-* Runs as part of `moldclaw doctor` — config-only, no network calls.
-*/
-async function noteMemorySearchHealth(cfg, opts) {
-	const agentId = resolveDefaultAgentId(cfg);
-	const agentDir = resolveAgentDir(cfg, agentId);
-	const resolved = resolveMemorySearchConfig(cfg, agentId);
-	const hasRemoteApiKey = hasConfiguredMemorySecretInput(resolved?.remote?.apiKey);
-	if (!resolved) {
-		note$1("Memory search is explicitly disabled (enabled: false).", "Memory search");
-		return;
-	}
-	if (resolveMemoryBackendConfig({
-		cfg,
-		agentId
-	}).backend === "qmd") return;
-	if (resolved.provider !== "auto") {
-		if (resolved.provider === "local") {
-			if (hasLocalEmbeddings(resolved.local, true)) {
-				if (opts?.gatewayMemoryProbe?.checked && !opts.gatewayMemoryProbe.ready) {
-					const detail = opts.gatewayMemoryProbe.error?.trim();
-					note$1([
-						"Memory search provider is set to \"local\" and a model path is configured,",
-						"but the gateway reports local embeddings are not ready.",
-						detail ? `Gateway probe: ${detail}` : null,
-						"",
-						`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
-					].filter(Boolean).join("\n"), "Memory search");
-				}
-				return;
-			}
-			note$1([
-				"Memory search provider is set to \"local\" but no local model file was found.",
-				"",
-				"Fix (pick one):",
-				`- Install node-llama-cpp and set a local model path in config`,
-				`- Switch to a remote provider: ${formatCliCommand("moldclaw config set agents.defaults.memorySearch.provider openai")}`,
-				"",
-				`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
-			].join("\n"), "Memory search");
-			return;
-		}
-		if (hasRemoteApiKey || await hasApiKeyForProvider(resolved.provider, cfg, agentDir)) return;
-		if (opts?.gatewayMemoryProbe?.checked && opts.gatewayMemoryProbe.ready) {
-			note$1([
-				`Memory search provider is set to "${resolved.provider}" but the API key was not found in the CLI environment.`,
-				"The running gateway reports memory embeddings are ready for the default agent.",
-				`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
-			].join("\n"), "Memory search");
-			return;
-		}
-		const gatewayProbeWarning = buildGatewayProbeWarning(opts?.gatewayMemoryProbe);
-		const envVar = providerEnvVar(resolved.provider);
-		note$1([
-			`Memory search provider is set to "${resolved.provider}" but no API key was found.`,
-			`Semantic recall will not work without a valid API key.`,
-			gatewayProbeWarning ? gatewayProbeWarning : null,
-			"",
-			"Fix (pick one):",
-			`- Set ${envVar} in your environment`,
-			`- Configure credentials: ${formatCliCommand("moldclaw configure --section model")}`,
-			`- To disable: ${formatCliCommand("moldclaw config set agents.defaults.memorySearch.enabled false")}`,
-			"",
-			`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
-		].join("\n"), "Memory search");
-		return;
-	}
-	if (hasLocalEmbeddings(resolved.local)) return;
-	for (const provider of [
-		"openai",
-		"gemini",
-		"voyage",
-		"mistral"
-	]) if (hasRemoteApiKey || await hasApiKeyForProvider(provider, cfg, agentDir)) return;
-	if (opts?.gatewayMemoryProbe?.checked && opts.gatewayMemoryProbe.ready) {
-		note$1([
-			"Memory search provider is set to \"auto\" but the API key was not found in the CLI environment.",
-			"The running gateway reports memory embeddings are ready for the default agent.",
-			`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
-		].join("\n"), "Memory search");
-		return;
-	}
-	const gatewayProbeWarning = buildGatewayProbeWarning(opts?.gatewayMemoryProbe);
-	note$1([
-		"Memory search is enabled but no embedding provider is configured.",
-		"Semantic recall will not work without an embedding provider.",
-		gatewayProbeWarning ? gatewayProbeWarning : null,
-		"",
-		"Fix (pick one):",
-		"- Set OPENAI_API_KEY, GEMINI_API_KEY, VOYAGE_API_KEY, or MISTRAL_API_KEY in your environment",
-		`- Configure credentials: ${formatCliCommand("moldclaw configure --section model")}`,
-		`- For local embeddings: configure agents.defaults.memorySearch.provider and local model path`,
-		`- To disable: ${formatCliCommand("moldclaw config set agents.defaults.memorySearch.enabled false")}`,
-		"",
-		`Verify: ${formatCliCommand("moldclaw memory status --deep")}`
-	].join("\n"), "Memory search");
-}
-/**
-* Check whether local embeddings are available.
-*
-* When `useDefaultFallback` is true (explicit `provider: "local"`), an empty
-* modelPath is treated as available because the runtime falls back to
-* DEFAULT_LOCAL_MODEL (an auto-downloaded HuggingFace model).
-*
-* When false (provider: "auto"), we only consider local available if the user
-* explicitly configured a local file path — matching `canAutoSelectLocal()`
-* in the runtime, which skips local for empty/hf: model paths.
-*/
-function hasLocalEmbeddings(local, useDefaultFallback = false) {
-	const modelPath = local.modelPath?.trim() || (useDefaultFallback ? "hf:ggml-org/embeddinggemma-300m-qat-q8_0-GGUF/embeddinggemma-300m-qat-Q8_0.gguf" : void 0);
-	if (!modelPath) return false;
-	if (/^(hf:|https?:)/i.test(modelPath)) return true;
-	const resolved = resolveUserPath(modelPath);
-	try {
-		return fs.statSync(resolved).isFile();
-	} catch {
-		return false;
-	}
-}
-async function hasApiKeyForProvider(provider, cfg, agentDir) {
-	const authProvider = provider === "gemini" ? "google" : provider;
-	try {
-		await resolveApiKeyForProvider({
-			provider: authProvider,
-			cfg,
-			agentDir
-		});
-		return true;
-	} catch {
-		return false;
-	}
-}
-function providerEnvVar(provider) {
-	switch (provider) {
-		case "openai": return "OPENAI_API_KEY";
-		case "gemini": return "GEMINI_API_KEY";
-		case "voyage": return "VOYAGE_API_KEY";
-		default: return `${provider.toUpperCase()}_API_KEY`;
-	}
-}
-function buildGatewayProbeWarning(probe) {
-	if (!probe?.checked || probe.ready) return null;
-	const detail = probe.error?.trim();
-	return detail ? `Gateway memory probe for default agent is not ready: ${detail}` : "Gateway memory probe for default agent is not ready.";
-}
-//#endregion
-//#region src/commands/doctor-platform-notes.ts
-const execFileAsync = promisify(execFile);
-function resolveHomeDir() {
-	return process.env.HOME ?? os.homedir();
-}
-async function noteMacLaunchAgentOverrides() {
-	if (process.platform !== "darwin") return;
-	const home = resolveHomeDir();
-	const markerPath = [path.join(home, ".moldclaw", "disable-launchagent")].find((candidate) => fs.existsSync(candidate));
-	if (!markerPath) return;
-	const displayMarkerPath = shortenHomePath(markerPath);
-	note$1([
-		`- LaunchAgent writes are disabled via ${displayMarkerPath}.`,
-		"- To restore default behavior:",
-		`  rm ${displayMarkerPath}`
-	].filter((line) => Boolean(line)).join("\n"), "Gateway (macOS)");
-}
-async function launchctlGetenv(name) {
-	try {
-		const result = await execFileAsync("/bin/launchctl", ["getenv", name], { encoding: "utf8" });
-		const value = String(result.stdout ?? "").trim();
-		return value.length > 0 ? value : void 0;
-	} catch {
-		return;
-	}
-}
-function hasConfigGatewayCreds(cfg) {
-	const localPassword = cfg.gateway?.auth?.password;
-	const remoteToken = cfg.gateway?.remote?.token;
-	const remotePassword = cfg.gateway?.remote?.password;
-	return Boolean(hasConfiguredSecretInput(cfg.gateway?.auth?.token, cfg.secrets?.defaults) || hasConfiguredSecretInput(localPassword, cfg.secrets?.defaults) || hasConfiguredSecretInput(remoteToken, cfg.secrets?.defaults) || hasConfiguredSecretInput(remotePassword, cfg.secrets?.defaults));
-}
-async function noteMacLaunchctlGatewayEnvOverrides(cfg, deps) {
-	if ((deps?.platform ?? process.platform) !== "darwin") return;
-	if (!hasConfigGatewayCreds(cfg)) return;
-	const getenv = deps?.getenv ?? launchctlGetenv;
-	const deprecatedLaunchctlEntries = [["MOLDCLAW_GATEWAY_TOKEN", await getenv("MOLDCLAW_GATEWAY_TOKEN")], ["MOLDCLAW_GATEWAY_PASSWORD", await getenv("MOLDCLAW_GATEWAY_PASSWORD")]].filter((entry) => Boolean(entry[1]?.trim()));
-	if (deprecatedLaunchctlEntries.length > 0) {
-		const lines = ["- Deprecated launchctl environment variables detected (ignored).", ...deprecatedLaunchctlEntries.map(([key]) => `- \`${key}\` is set; use \`MOLDCLAW_${key.slice(key.indexOf("_") + 1)}\` instead.`)];
-		(deps?.noteFn ?? note$1)(lines.join("\n"), "Gateway (macOS)");
-	}
-	const tokenEntries = [["MOLDCLAW_GATEWAY_TOKEN", await getenv("MOLDCLAW_GATEWAY_TOKEN")]];
-	const passwordEntries = [["MOLDCLAW_GATEWAY_PASSWORD", await getenv("MOLDCLAW_GATEWAY_PASSWORD")]];
-	const tokenEntry = tokenEntries.find(([, value]) => value?.trim());
-	const passwordEntry = passwordEntries.find(([, value]) => value?.trim());
-	const envToken = tokenEntry?.[1]?.trim() ?? "";
-	const envPassword = passwordEntry?.[1]?.trim() ?? "";
-	const envTokenKey = tokenEntry?.[0];
-	const envPasswordKey = passwordEntry?.[0];
-	if (!envToken && !envPassword) return;
-	const lines = [
-		"- launchctl environment overrides detected (can cause confusing unauthorized errors).",
-		envToken && envTokenKey ? `- \`${envTokenKey}\` is set; it overrides config tokens.` : void 0,
-		envPassword ? `- \`${envPasswordKey ?? "MOLDCLAW_GATEWAY_PASSWORD"}\` is set; it overrides config passwords.` : void 0,
-		"- Clear overrides and restart the app/gateway:",
-		envTokenKey ? `  launchctl unsetenv ${envTokenKey}` : void 0,
-		envPasswordKey ? `  launchctl unsetenv ${envPasswordKey}` : void 0
-	].filter((line) => Boolean(line));
-	(deps?.noteFn ?? note$1)(lines.join("\n"), "Gateway (macOS)");
-}
-function noteDeprecatedLegacyEnvVars(env = process.env, deps) {
-	const entries = Object.entries(env).filter(([key, value]) => key.startsWith("MOLDCLAW_") && value?.trim()).map(([key]) => key);
-	if (entries.length === 0) return;
-	const lines = [
-		"- Deprecated legacy environment variables detected (ignored).",
-		"- Use MOLDCLAW_* equivalents instead:",
-		...entries.map((key) => {
-			return `  ${key} -> MOLDCLAW_${key.slice(key.indexOf("_") + 1)}`;
-		})
-	];
-	(deps?.noteFn ?? note$1)(lines.join("\n"), "Environment");
-}
-function isTruthyEnvValue(value) {
-	return typeof value === "string" && value.trim().length > 0;
-}
-function isTmpCompileCachePath(cachePath) {
-	const normalized = cachePath.trim().replace(/\/+$/, "");
-	return normalized === "/tmp" || normalized.startsWith("/tmp/") || normalized === "/private/tmp" || normalized.startsWith("/private/tmp/");
-}
-function noteStartupOptimizationHints(env = process.env, deps) {
-	const platform = deps?.platform ?? process.platform;
-	if (platform === "win32") return;
-	const arch = deps?.arch ?? os.arch();
-	const totalMemBytes = deps?.totalMemBytes ?? os.totalmem();
-	if (!(platform === "linux" && (arch === "arm" || arch === "arm64" || platform === "linux" && totalMemBytes > 0 && totalMemBytes <= 8 * 1024 ** 3))) return;
-	const noteFn = deps?.noteFn ?? note$1;
-	const compileCache = env.NODE_COMPILE_CACHE?.trim() ?? "";
-	const disableCompileCache = env.NODE_DISABLE_COMPILE_CACHE?.trim() ?? "";
-	const noRespawn = env.MOLDCLAW_NO_RESPAWN?.trim() ?? "";
-	const lines = [];
-	if (!compileCache) lines.push("- NODE_COMPILE_CACHE is not set; repeated CLI runs can be slower on small hosts (Pi/VM).");
-	else if (isTmpCompileCachePath(compileCache)) lines.push("- NODE_COMPILE_CACHE points to /tmp; use /var/tmp so cache survives reboots and warms startup reliably.");
-	if (isTruthyEnvValue(disableCompileCache)) lines.push("- NODE_DISABLE_COMPILE_CACHE is set; startup compile cache is disabled.");
-	if (noRespawn !== "1") lines.push("- MOLDCLAW_NO_RESPAWN is not set to 1; set it to avoid extra startup overhead from self-respawn.");
-	if (lines.length === 0) return;
-	const suggestions = [
-		"- Suggested env for low-power hosts:",
-		"  export NODE_COMPILE_CACHE=/var/tmp/moldclaw-compile-cache",
-		"  mkdir -p /var/tmp/moldclaw-compile-cache",
-		"  export MOLDCLAW_NO_RESPAWN=1",
-		isTruthyEnvValue(disableCompileCache) ? "  unset NODE_DISABLE_COMPILE_CACHE" : void 0
-	].filter((line) => Boolean(line));
-	noteFn([...lines, ...suggestions].join("\n"), "Startup optimization");
-}
-//#endregion
-//#region src/commands/doctor-prompter.ts
-function createDoctorPrompter(params) {
-	const yes = params.options.yes === true;
-	const requestedNonInteractive = params.options.nonInteractive === true;
-	const shouldRepair = params.options.repair === true || yes;
-	const shouldForce = params.options.force === true;
-	const isTty = Boolean(process.stdin.isTTY);
-	const nonInteractive = requestedNonInteractive || !isTty && !yes;
-	const canPrompt = isTty && !yes && !nonInteractive;
-	const confirmDefault = async (p) => {
-		if (nonInteractive) return false;
-		if (shouldRepair) return true;
-		if (!canPrompt) return Boolean(p.initialValue ?? false);
-		return guardCancel(await confirm({
-			...p,
-			message: stylePromptMessage(p.message)
-		}), params.runtime);
-	};
-	return {
-		confirm: confirmDefault,
-		confirmRepair: async (p) => {
-			if (nonInteractive) return false;
-			return confirmDefault(p);
-		},
-		confirmAggressive: async (p) => {
-			if (nonInteractive) return false;
-			if (shouldRepair && shouldForce) return true;
-			if (shouldRepair && !shouldForce) return false;
-			if (!canPrompt) return Boolean(p.initialValue ?? false);
-			return guardCancel(await confirm({
-				...p,
-				message: stylePromptMessage(p.message)
-			}), params.runtime);
-		},
-		confirmSkipInNonInteractive: async (p) => {
-			if (nonInteractive) return false;
-			if (shouldRepair) return true;
-			return confirmDefault(p);
-		},
-		select: async (p, fallback) => {
-			if (!canPrompt || shouldRepair) return fallback;
-			return guardCancel(await select({
-				...p,
-				message: stylePromptMessage(p.message),
-				options: p.options.map((opt) => opt.hint === void 0 ? opt : {
-					...opt,
-					hint: stylePromptHint(opt.hint)
-				})
-			}), params.runtime);
-		},
-		shouldRepair,
-		shouldForce
-	};
-}
-//#endregion
-//#region src/commands/doctor-sandbox.ts
-function resolveSandboxScript(scriptRel) {
-	const candidates = /* @__PURE__ */ new Set();
-	candidates.add(process.cwd());
-	const argv1 = process.argv[1];
-	if (argv1) {
-		const normalized = path.resolve(argv1);
-		candidates.add(path.resolve(path.dirname(normalized), ".."));
-		candidates.add(path.resolve(path.dirname(normalized)));
-	}
-	for (const root of candidates) {
-		const scriptPath = path.join(root, scriptRel);
-		if (fs.existsSync(scriptPath)) return {
-			scriptPath,
-			cwd: root
-		};
-	}
-	return null;
-}
-async function runSandboxScript(scriptRel, runtime) {
-	const script = resolveSandboxScript(scriptRel);
-	if (!script) {
-		note$1(`Unable to locate ${scriptRel}. Run it from the repo root.`, "Sandbox");
-		return false;
-	}
-	runtime.log(`Running ${scriptRel}...`);
-	const result = await runCommandWithTimeout(["bash", script.scriptPath], {
-		timeoutMs: 1200 * 1e3,
-		cwd: script.cwd
-	});
-	if (result.code !== 0) {
-		runtime.error(`Failed running ${scriptRel}: ${result.stderr.trim() || result.stdout.trim() || "unknown error"}`);
-		return false;
-	}
-	runtime.log(`Completed ${scriptRel}.`);
-	return true;
-}
-async function isDockerAvailable() {
-	try {
-		await runExec("docker", [
-			"version",
-			"--format",
-			"{{.Server.Version}}"
-		], { timeoutMs: 5e3 });
-		return true;
-	} catch {
-		return false;
-	}
-}
-async function dockerImageExists(image) {
-	try {
-		await runExec("docker", [
-			"image",
-			"inspect",
-			image
-		], { timeoutMs: 5e3 });
-		return true;
-	} catch (error) {
-		const stderr = error?.stderr || error?.message || "";
-		if (String(stderr).includes("No such image")) return false;
-		throw error;
-	}
-}
-function resolveSandboxDockerImage(cfg) {
-	const image = cfg.agents?.defaults?.sandbox?.docker?.image?.trim();
-	return image ? image : DEFAULT_SANDBOX_IMAGE;
-}
-function resolveSandboxBackend(cfg) {
-	return cfg.agents?.defaults?.sandbox?.backend?.trim() || "docker";
-}
-function resolveSandboxBrowserImage(cfg) {
-	const image = cfg.agents?.defaults?.sandbox?.browser?.image?.trim();
-	return image ? image : DEFAULT_SANDBOX_BROWSER_IMAGE;
-}
-function updateSandboxDockerImage(cfg, image) {
-	return {
-		...cfg,
-		agents: {
-			...cfg.agents,
-			defaults: {
-				...cfg.agents?.defaults,
-				sandbox: {
-					...cfg.agents?.defaults?.sandbox,
-					docker: {
-						...cfg.agents?.defaults?.sandbox?.docker,
-						image
-					}
-				}
-			}
-		}
-	};
-}
-function updateSandboxBrowserImage(cfg, image) {
-	return {
-		...cfg,
-		agents: {
-			...cfg.agents,
-			defaults: {
-				...cfg.agents?.defaults,
-				sandbox: {
-					...cfg.agents?.defaults?.sandbox,
-					browser: {
-						...cfg.agents?.defaults?.sandbox?.browser,
-						image
-					}
-				}
-			}
-		}
-	};
-}
-async function handleMissingSandboxImage(params, runtime, prompter) {
-	if (await dockerImageExists(params.image)) return;
-	const buildHint = params.buildScript ? `Build it with ${params.buildScript}.` : "Build or pull it first.";
-	note$1(`Sandbox ${params.kind} image missing: ${params.image}. ${buildHint}`, "Sandbox");
-	let built = false;
-	if (params.buildScript) {
-		if (await prompter.confirmSkipInNonInteractive({
-			message: `Build ${params.kind} sandbox image now?`,
-			initialValue: true
-		})) built = await runSandboxScript(params.buildScript, runtime);
-	}
-	if (built) return;
-}
-async function maybeRepairSandboxImages(cfg, runtime, prompter) {
-	const sandbox = cfg.agents?.defaults?.sandbox;
-	const mode = sandbox?.mode ?? "off";
-	if (!sandbox || mode === "off") return cfg;
-	const backend = resolveSandboxBackend(cfg);
-	if (backend !== "docker") {
-		if (sandbox.browser?.enabled) note$1(`Sandbox backend "${backend}" selected. Docker browser health checks are skipped; browser sandbox currently requires the docker backend.`, "Sandbox");
-		return cfg;
-	}
-	if (!await isDockerAvailable()) {
-		note$1([
-			`Sandbox mode is enabled (mode: "${mode}") but Docker is not available.`,
-			"Docker is required for sandbox mode to function.",
-			"Isolated sessions (cron jobs, sub-agents) will fail without Docker.",
-			"",
-			"Options:",
-			"- Install Docker and restart the gateway",
-			"- Disable sandbox mode: moldclaw config set agents.defaults.sandbox.mode off"
-		].join("\n"), "Sandbox");
-		return cfg;
-	}
-	let next = cfg;
-	const changes = [];
-	const dockerImage = resolveSandboxDockerImage(cfg);
-	await handleMissingSandboxImage({
-		kind: "base",
-		image: dockerImage,
-		buildScript: dockerImage === "moldclaw-sandbox-common:bookworm-slim" ? "scripts/sandbox-common-setup.sh" : dockerImage === "moldclaw-sandbox:bookworm-slim" ? "scripts/sandbox-setup.sh" : void 0,
-		updateConfig: (image) => {
-			next = updateSandboxDockerImage(next, image);
-			changes.push(`Updated agents.defaults.sandbox.docker.image → ${image}`);
-		}
-	}, runtime, prompter);
-	if (sandbox.browser?.enabled) await handleMissingSandboxImage({
-		kind: "browser",
-		image: resolveSandboxBrowserImage(cfg),
-		buildScript: "scripts/sandbox-browser-setup.sh",
-		updateConfig: (image) => {
-			next = updateSandboxBrowserImage(next, image);
-			changes.push(`Updated agents.defaults.sandbox.browser.image → ${image}`);
-		}
-	}, runtime, prompter);
-	if (changes.length > 0) note$1(changes.join("\n"), "Doctor changes");
-	return next;
-}
-function noteSandboxScopeWarnings(cfg) {
-	const globalSandbox = cfg.agents?.defaults?.sandbox;
-	const agents = Array.isArray(cfg.agents?.list) ? cfg.agents.list : [];
-	const warnings = [];
-	for (const agent of agents) {
-		const agentId = agent.id;
-		const agentSandbox = agent.sandbox;
-		if (!agentSandbox) continue;
-		if (resolveSandboxScope({
-			scope: agentSandbox.scope ?? globalSandbox?.scope,
-			perSession: agentSandbox.perSession ?? globalSandbox?.perSession
-		}) !== "shared") continue;
-		const overrides = [];
-		if (agentSandbox.docker && Object.keys(agentSandbox.docker).length > 0) overrides.push("docker");
-		if (agentSandbox.browser && Object.keys(agentSandbox.browser).length > 0) overrides.push("browser");
-		if (agentSandbox.prune && Object.keys(agentSandbox.prune).length > 0) overrides.push("prune");
-		if (overrides.length === 0) continue;
-		warnings.push([`- agents.list (id "${agentId}") sandbox ${overrides.join("/")} overrides ignored.`, `  scope resolves to "shared".`].join("\n"));
-	}
-	if (warnings.length > 0) note$1(warnings.join("\n"), "Sandbox");
-}
-//#endregion
-//#region src/commands/doctor-security.ts
-function collectImplicitHeartbeatDirectPolicyWarnings(cfg) {
-	const warnings = [];
-	const maybeWarn = (params) => {
-		const heartbeat = params.heartbeat;
-		if (!heartbeat || heartbeat.target === void 0 || heartbeat.target === "none") return;
-		if (heartbeat.directPolicy !== void 0) return;
-		warnings.push(`- ${params.label}: heartbeat delivery is configured while ${params.pathHint} is unset.`, "  Heartbeat now allows direct/DM targets by default. Set it explicitly to \"allow\" or \"block\" to pin upgrade behavior.");
-	};
-	maybeWarn({
-		label: "Heartbeat defaults",
-		heartbeat: cfg.agents?.defaults?.heartbeat,
-		pathHint: "agents.defaults.heartbeat.directPolicy"
-	});
-	for (const agent of cfg.agents?.list ?? []) maybeWarn({
-		label: `Heartbeat agent "${agent.id}"`,
-		heartbeat: agent.heartbeat,
-		pathHint: `heartbeat.directPolicy for agent "${agent.id}"`
-	});
-	return warnings;
-}
-async function noteSecurityWarnings(cfg) {
-	const warnings = [];
-	const auditHint = `- Run: ${formatCliCommand("moldclaw security audit --deep")}`;
-	if (cfg.approvals?.exec?.enabled === false) warnings.push("- Note: approvals.exec.enabled=false disables approval forwarding only.", "  Host exec gating still comes from ~/.moldclaw/exec-approvals.json.", `  Check local policy with: ${formatCliCommand("moldclaw approvals get --gateway")}`);
-	warnings.push(...collectImplicitHeartbeatDirectPolicyWarnings(cfg));
-	const gatewayBind = cfg.gateway?.bind ?? "loopback";
-	const customBindHost = cfg.gateway?.customBindHost?.trim();
-	const bindMode = [
-		"auto",
-		"lan",
-		"loopback",
-		"custom",
-		"tailnet"
-	].includes(gatewayBind) ? gatewayBind : void 0;
-	const resolvedBindHost = bindMode ? await resolveGatewayBindHost(bindMode, customBindHost) : "0.0.0.0";
-	const isExposed = !isLoopbackHost(resolvedBindHost);
-	const resolvedAuth = resolveGatewayAuth({
-		authConfig: cfg.gateway?.auth,
-		env: process.env,
-		tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off"
-	});
-	const authToken = resolvedAuth.token?.trim() ?? "";
-	const authPassword = resolvedAuth.password?.trim() ?? "";
-	const hasToken = authToken.length > 0 || hasConfiguredSecretInput(cfg.gateway?.auth?.token, cfg.secrets?.defaults);
-	const hasPassword = authPassword.length > 0 || hasConfiguredSecretInput(cfg.gateway?.auth?.password, cfg.secrets?.defaults);
-	const hasSharedSecret = resolvedAuth.mode === "token" && hasToken || resolvedAuth.mode === "password" && hasPassword;
-	const bindDescriptor = `"${gatewayBind}" (${resolvedBindHost})`;
-	const saferRemoteAccessLines = [
-		"  Safer remote access: keep bind loopback and use Tailscale Serve/Funnel or an SSH tunnel.",
-		"  Example tunnel: ssh -N -L 28789:127.0.0.1:28789 user@gateway-host",
-		"  Docs: https://docs.moldclaw.ai/gateway/remote"
-	];
-	if (isExposed) if (!hasSharedSecret) {
-		const authFixLines = resolvedAuth.mode === "password" ? [`  Fix: ${formatCliCommand("moldclaw configure")} to set a password`, `  Or switch to token: ${formatCliCommand("moldclaw config set gateway.auth.mode token")}`] : [`  Fix: ${formatCliCommand("moldclaw doctor --fix")} to generate a token`, `  Or set token directly: ${formatCliCommand("moldclaw config set gateway.auth.mode token")}`];
-		warnings.push(`- CRITICAL: Gateway bound to ${bindDescriptor} without authentication.`, `  Anyone on your network (or internet if port-forwarded) can fully control your agent.`, `  Fix: ${formatCliCommand("moldclaw config set gateway.bind loopback")}`, ...saferRemoteAccessLines, ...authFixLines);
-	} else warnings.push(`- WARNING: Gateway bound to ${bindDescriptor} (network-accessible).`, `  Ensure your auth credentials are strong and not exposed.`, ...saferRemoteAccessLines);
-	const warnDmPolicy = async (params) => {
-		const dmPolicy = params.dmPolicy;
-		const policyPath = params.policyPath ?? `${params.allowFromPath}policy`;
-		const { hasWildcard, allowCount, isMultiUserDm } = await resolveDmAllowState({
-			provider: params.provider,
-			accountId: params.accountId,
-			allowFrom: params.allowFrom,
-			normalizeEntry: params.normalizeEntry
-		});
-		const dmScope = cfg.session?.dmScope ?? "main";
-		if (dmPolicy === "open") {
-			const allowFromPath = `${params.allowFromPath}allowFrom`;
-			warnings.push(`- ${params.label} DMs: OPEN (${policyPath}="open"). Anyone can DM it.`);
-			if (!hasWildcard) warnings.push(`- ${params.label} DMs: config invalid — "open" requires ${allowFromPath} to include "*".`);
-		}
-		if (dmPolicy === "disabled") {
-			warnings.push(`- ${params.label} DMs: disabled (${policyPath}="disabled").`);
-			return;
-		}
-		if (dmPolicy !== "open" && allowCount === 0) {
-			warnings.push(`- ${params.label} DMs: locked (${policyPath}="${dmPolicy}") with no allowlist; unknown senders will be blocked / get a pairing code.`);
-			warnings.push(`  ${params.approveHint}`);
-		}
-		if (dmScope === "main" && isMultiUserDm) warnings.push(`- ${params.label} DMs: multiple senders share the main session; run: ` + formatCliCommand("moldclaw config set session.dmScope \"per-channel-peer\"") + " (or \"per-account-channel-peer\" for multi-account channels) to isolate sessions.");
-	};
-	for (const plugin of listChannelPlugins()) {
-		if (!plugin.security) continue;
-		const { defaultAccountId, account, enabled, configured, diagnostics } = await resolveDefaultChannelAccountContext(plugin, cfg, {
-			mode: "read_only",
-			commandName: "doctor"
-		});
-		for (const diagnostic of diagnostics) warnings.push(`- [secrets] ${diagnostic}`);
-		if (!enabled) continue;
-		if (!configured) continue;
-		const dmPolicy = plugin.security.resolveDmPolicy?.({
-			cfg,
-			accountId: defaultAccountId,
-			account
-		});
-		if (dmPolicy) await warnDmPolicy({
-			label: plugin.meta.label ?? plugin.id,
-			provider: plugin.id,
-			accountId: defaultAccountId,
-			dmPolicy: dmPolicy.policy,
-			allowFrom: dmPolicy.allowFrom,
-			policyPath: dmPolicy.policyPath,
-			allowFromPath: dmPolicy.allowFromPath,
-			approveHint: dmPolicy.approveHint,
-			normalizeEntry: dmPolicy.normalizeEntry
-		});
-		if (plugin.security.collectWarnings) {
-			const extra = await plugin.security.collectWarnings({
-				cfg,
-				accountId: defaultAccountId,
-				account
-			});
-			if (extra?.length) warnings.push(...extra);
-		}
-	}
-	const lines = warnings.length > 0 ? warnings : ["- No channel security warnings detected."];
-	lines.push(auditHint);
-	note$1(lines.join("\n"), "Security");
-}
-//#endregion
-//#region src/commands/doctor-session-locks.ts
-const DEFAULT_STALE_MS = 1800 * 1e3;
-function formatAge(ageMs) {
-	if (ageMs === null) return "unknown";
-	const seconds = Math.floor(ageMs / 1e3);
-	if (seconds < 60) return `${seconds}s`;
-	const minutes = Math.floor(seconds / 60);
-	const remainingSeconds = seconds % 60;
-	if (minutes < 60) return `${minutes}m${remainingSeconds}s`;
-	return `${Math.floor(minutes / 60)}h${minutes % 60}m`;
-}
-function formatLockLine(lock) {
-	const pidStatus = lock.pid === null ? "pid=missing" : `pid=${lock.pid} (${lock.pidAlive ? "alive" : "dead"})`;
-	const ageStatus = `age=${formatAge(lock.ageMs)}`;
-	const staleStatus = lock.stale ? `stale=yes (${lock.staleReasons.join(", ") || "unknown"})` : "stale=no";
-	const removedStatus = lock.removed ? " [removed]" : "";
-	return `- ${shortenHomePath(lock.lockPath)} ${pidStatus} ${ageStatus} ${staleStatus}${removedStatus}`;
-}
-async function noteSessionLockHealth(params) {
-	const shouldRepair = params?.shouldRepair === true;
-	const staleMs = params?.staleMs ?? DEFAULT_STALE_MS;
-	let sessionDirs = [];
-	try {
-		sessionDirs = await resolveAgentSessionDirs(resolveStateDir(process.env));
-	} catch (err) {
-		note$1(`- Failed to inspect session lock files: ${String(err)}`, "Session locks");
-		return;
-	}
-	if (sessionDirs.length === 0) return;
-	const allLocks = [];
-	for (const sessionsDir of sessionDirs) {
-		const result = await cleanStaleLockFiles({
-			sessionsDir,
-			staleMs,
-			removeStale: shouldRepair
-		});
-		allLocks.push(...result.locks);
-	}
-	if (allLocks.length === 0) return;
-	const staleCount = allLocks.filter((lock) => lock.stale).length;
-	const removedCount = allLocks.filter((lock) => lock.removed).length;
-	const lines = [`- Found ${allLocks.length} session lock file${allLocks.length === 1 ? "" : "s"}.`, ...allLocks.toSorted((a, b) => a.lockPath.localeCompare(b.lockPath)).map(formatLockLine)];
-	if (staleCount > 0 && !shouldRepair) {
-		lines.push(`- ${staleCount} lock file${staleCount === 1 ? " is" : "s are"} stale.`);
-		lines.push("- Run \"moldclaw doctor --fix\" to remove stale lock files automatically.");
-	}
-	if (shouldRepair && removedCount > 0) lines.push(`- Removed ${removedCount} stale session lock file${removedCount === 1 ? "" : "s"}.`);
-	note$1(lines.join("\n"), "Session locks");
-}
-//#endregion
-//#region src/commands/doctor-state-integrity.ts
-function existsDir(dir) {
-	try {
-		return fs.existsSync(dir) && fs.statSync(dir).isDirectory();
-	} catch {
-		return false;
-	}
-}
-function existsFile(filePath) {
-	try {
-		return fs.existsSync(filePath) && fs.statSync(filePath).isFile();
-	} catch {
-		return false;
-	}
-}
-function canWriteDir(dir) {
-	try {
-		fs.accessSync(dir, fs.constants.W_OK);
-		return true;
-	} catch {
-		return false;
-	}
-}
-function ensureDir(dir) {
-	try {
-		fs.mkdirSync(dir, { recursive: true });
-		return { ok: true };
-	} catch (err) {
-		return {
-			ok: false,
-			error: String(err)
-		};
-	}
-}
-function dirPermissionHint(dir) {
-	const uid = typeof process.getuid === "function" ? process.getuid() : null;
-	const gid = typeof process.getgid === "function" ? process.getgid() : null;
-	try {
-		const stat = fs.statSync(dir);
-		if (uid !== null && stat.uid !== uid) return `Owner mismatch (uid ${stat.uid}). Run: sudo chown -R $USER "${dir}"`;
-		if (gid !== null && stat.gid !== gid) return `Group mismatch (gid ${stat.gid}). If access fails, run: sudo chown -R $USER "${dir}"`;
-	} catch {
-		return null;
-	}
-	return null;
-}
-function addUserRwx(mode) {
-	return mode & 511 | 448;
-}
-function countJsonlLines(filePath) {
-	try {
-		const raw = fs.readFileSync(filePath, "utf-8");
-		if (!raw) return 0;
-		let count = 0;
-		for (let i = 0; i < raw.length; i += 1) if (raw[i] === "\n") count += 1;
-		if (!raw.endsWith("\n")) count += 1;
-		return count;
-	} catch {
-		return 0;
-	}
-}
-function findOtherStateDirs(stateDir) {
-	const resolvedState = path.resolve(stateDir);
-	const roots = process.platform === "darwin" ? ["/Users"] : process.platform === "linux" ? ["/home"] : [];
-	const found = [];
-	for (const root of roots) {
-		let entries = [];
-		try {
-			entries = fs.readdirSync(root, { withFileTypes: true });
-		} catch {
-			continue;
-		}
-		for (const entry of entries) {
-			if (!entry.isDirectory()) continue;
-			if (entry.name.startsWith(".")) continue;
-			const candidates = [".moldclaw"].map((dir) => path.resolve(root, entry.name, dir));
-			for (const candidate of candidates) {
-				if (candidate === resolvedState) continue;
-				if (existsDir(candidate)) found.push(candidate);
-			}
-		}
-	}
-	return found;
-}
-function isPathUnderRoot(targetPath, rootPath) {
-	const normalizedTarget = path.resolve(targetPath);
-	const normalizedRoot = path.resolve(rootPath);
-	const rootToken = path.parse(normalizedRoot).root;
-	if (normalizedRoot === rootToken) return normalizedTarget.startsWith(rootToken);
-	return normalizedTarget === normalizedRoot || normalizedTarget.startsWith(`${normalizedRoot}${path.sep}`);
-}
-function tryResolveRealPath(targetPath) {
-	try {
-		return fs.realpathSync(targetPath);
-	} catch {
-		return null;
-	}
-}
-function decodeMountInfoPath(value) {
-	return value.replace(/\\([0-7]{3})/g, (_, octal) => String.fromCharCode(Number.parseInt(octal, 8)));
-}
-function escapeControlCharsForTerminal(value) {
-	let escaped = "";
-	for (const char of value) {
-		if (char === "\x1B") {
-			escaped += "\\x1b";
-			continue;
-		}
-		if (char === "\r") {
-			escaped += "\\r";
-			continue;
-		}
-		if (char === "\n") {
-			escaped += "\\n";
-			continue;
-		}
-		if (char === "	") {
-			escaped += "\\t";
-			continue;
-		}
-		const code = char.charCodeAt(0);
-		if (code >= 0 && code <= 8 || code === 11 || code === 12 || code >= 14 && code <= 31) {
-			escaped += `\\x${code.toString(16).padStart(2, "0")}`;
-			continue;
-		}
-		if (code === 127) {
-			escaped += "\\x7f";
-			continue;
-		}
-		escaped += char;
-	}
-	return escaped;
-}
-function parseLinuxMountInfo(rawMountInfo) {
-	const entries = [];
-	for (const line of rawMountInfo.split("\n")) {
-		const trimmed = line.trim();
-		if (!trimmed) continue;
-		const separatorIndex = trimmed.indexOf(" - ");
-		if (separatorIndex === -1) continue;
-		const left = trimmed.slice(0, separatorIndex);
-		const right = trimmed.slice(separatorIndex + 3);
-		const leftFields = left.split(" ");
-		const rightFields = right.split(" ");
-		if (leftFields.length < 5 || rightFields.length < 2) continue;
-		entries.push({
-			mountPoint: decodeMountInfoPath(leftFields[4]),
-			fsType: rightFields[0],
-			source: decodeMountInfoPath(rightFields[1])
-		});
-	}
-	return entries;
-}
-function isPathUnderRootWithPathOps(targetPath, rootPath, pathOps) {
-	const normalizedTarget = pathOps.resolve(targetPath);
-	const normalizedRoot = pathOps.resolve(rootPath);
-	const rootToken = pathOps.parse(normalizedRoot).root;
-	if (normalizedRoot === rootToken) return normalizedTarget.startsWith(rootToken);
-	return normalizedTarget === normalizedRoot || normalizedTarget.startsWith(`${normalizedRoot}${pathOps.sep}`);
-}
-function findLinuxMountInfoEntryForPath(targetPath, entries, pathOps) {
-	const normalizedTarget = pathOps.resolve(targetPath);
-	let bestMatch = null;
-	for (const entry of entries) {
-		if (!isPathUnderRootWithPathOps(normalizedTarget, entry.mountPoint, pathOps)) continue;
-		if (!bestMatch || pathOps.resolve(entry.mountPoint).length > pathOps.resolve(bestMatch.mountPoint).length) bestMatch = entry;
-	}
-	return bestMatch;
-}
-function isMmcDevicePath(devicePath, pathOps) {
-	const name = pathOps.basename(devicePath);
-	return /^mmcblk\d+(?:p\d+)?$/.test(name);
-}
-function tryReadLinuxMountInfo() {
-	try {
-		return fs.readFileSync("/proc/self/mountinfo", "utf8");
-	} catch {
-		return null;
-	}
-}
-function detectLinuxSdBackedStateDir(stateDir, deps) {
-	if ((deps?.platform ?? process.platform) !== "linux") return null;
-	const linuxPath = path.posix;
-	const resolvedStatePath = (deps?.resolveRealPath ?? tryResolveRealPath)(stateDir) ?? linuxPath.resolve(stateDir);
-	const mountInfo = deps?.mountInfo ?? tryReadLinuxMountInfo();
-	if (!mountInfo) return null;
-	const mountEntry = findLinuxMountInfoEntryForPath(resolvedStatePath, parseLinuxMountInfo(mountInfo), linuxPath);
-	if (!mountEntry) return null;
-	const sourceCandidates = [mountEntry.source];
-	if (mountEntry.source.startsWith("/dev/")) {
-		const resolvedDevicePath = (deps?.resolveDeviceRealPath ?? tryResolveRealPath)(mountEntry.source);
-		if (resolvedDevicePath) sourceCandidates.push(linuxPath.resolve(resolvedDevicePath));
-	}
-	if (!sourceCandidates.some((candidate) => isMmcDevicePath(candidate, linuxPath))) return null;
-	return {
-		path: linuxPath.resolve(resolvedStatePath),
-		mountPoint: linuxPath.resolve(mountEntry.mountPoint),
-		fsType: mountEntry.fsType,
-		source: mountEntry.source
-	};
-}
-function formatLinuxSdBackedStateDirWarning(displayStateDir, linuxSdBackedStateDir) {
-	const displayMountPoint = linuxSdBackedStateDir.mountPoint === "/" ? "/" : shortenHomePath(linuxSdBackedStateDir.mountPoint);
-	return [
-		`- State directory appears to be on SD/eMMC storage (${displayStateDir}; device ${escapeControlCharsForTerminal(linuxSdBackedStateDir.source)}, fs ${escapeControlCharsForTerminal(linuxSdBackedStateDir.fsType)}, mount ${escapeControlCharsForTerminal(displayMountPoint)}).`,
-		"- SD/eMMC media can be slower for random I/O and wear faster under session/log churn.",
-		"- For better startup and state durability, prefer SSD/NVMe (or USB SSD on Raspberry Pi) for MOLDCLAW_STATE_DIR."
-	].join("\n");
-}
-function detectMacCloudSyncedStateDir(stateDir, deps) {
-	if ((deps?.platform ?? process.platform) !== "darwin") return null;
-	const homedir = deps?.homedir ?? os.homedir();
-	const roots = [{
-		storage: "iCloud Drive",
-		root: path.join(homedir, "Library", "Mobile Documents", "com~apple~CloudDocs")
-	}, {
-		storage: "CloudStorage provider",
-		root: path.join(homedir, "Library", "CloudStorage")
-	}];
-	const realPath = (deps?.resolveRealPath ?? tryResolveRealPath)(stateDir);
-	const candidates = realPath ? [path.resolve(realPath)] : [path.resolve(stateDir)];
-	for (const candidate of candidates) for (const { storage, root } of roots) if (isPathUnderRoot(candidate, root)) return {
-		path: candidate,
-		storage
-	};
-	return null;
-}
-function isRecord(value) {
-	return typeof value === "object" && value !== null;
-}
-function isPairingPolicy(value) {
-	return typeof value === "string" && value.trim().toLowerCase() === "pairing";
-}
-function hasPairingPolicy(value) {
-	if (!isRecord(value)) return false;
-	if (isPairingPolicy(value.dmPolicy)) return true;
-	if (isRecord(value.dm) && isPairingPolicy(value.dm.policy)) return true;
-	if (!isRecord(value.accounts)) return false;
-	for (const accountCfg of Object.values(value.accounts)) if (hasPairingPolicy(accountCfg)) return true;
-	return false;
-}
-function isSlashRoutingSessionKey(sessionKey) {
-	const raw = sessionKey.trim().toLowerCase();
-	if (!raw) return false;
-	const scoped = parseAgentSessionKey(raw)?.rest ?? raw;
-	return /^[^:]+:slash:[^:]+(?:$|:)/.test(scoped);
-}
-function shouldRequireOAuthDir(cfg, env) {
-	if (env.MOLDCLAW_OAUTH_DIR?.trim()) return true;
-	const channels = cfg.channels;
-	if (!isRecord(channels)) return false;
-	if (isRecord(channels.whatsapp)) return true;
-	for (const [channelId, channelCfg] of Object.entries(channels)) {
-		if (channelId === "defaults" || channelId === "modelByChannel") continue;
-		if (hasPairingPolicy(channelCfg)) return true;
-	}
-	return false;
-}
-async function noteStateIntegrity(cfg, prompter, configPath) {
-	const warnings = [];
-	const changes = [];
-	const env = process.env;
-	const homedir = () => resolveRequiredHomeDir(env, os.homedir);
-	const stateDir = resolveStateDir(env, homedir);
-	const defaultStateDir = path.join(homedir(), ".moldclaw");
-	const oauthDir = resolveOAuthDir(env, stateDir);
-	const agentId = resolveDefaultAgentId(cfg);
-	const sessionsDir = resolveSessionTranscriptsDirForAgent(agentId, env, homedir);
-	const storePath = resolveStorePath(cfg.session?.store, { agentId });
-	const storeDir = path.dirname(storePath);
-	const absoluteStorePath = path.resolve(storePath);
-	const displayStateDir = shortenHomePath(stateDir);
-	const displayOauthDir = shortenHomePath(oauthDir);
-	const displaySessionsDir = shortenHomePath(sessionsDir);
-	const displayStoreDir = shortenHomePath(storeDir);
-	const displayConfigPath = configPath ? shortenHomePath(configPath) : void 0;
-	const requireOAuthDir = shouldRequireOAuthDir(cfg, env);
-	const cloudSyncedStateDir = detectMacCloudSyncedStateDir(stateDir);
-	const linuxSdBackedStateDir = detectLinuxSdBackedStateDir(stateDir);
-	if (cloudSyncedStateDir) warnings.push([
-		`- State directory is under macOS cloud-synced storage (${displayStateDir}; ${cloudSyncedStateDir.storage}).`,
-		"- This can cause slow I/O and sync/lock races for sessions and credentials.",
-		"- Prefer a local non-synced state dir (for example: ~/.moldclaw).",
-		`  Set locally: MOLDCLAW_STATE_DIR=~/.moldclaw ${formatCliCommand("moldclaw doctor")}`
-	].join("\n"));
-	if (linuxSdBackedStateDir) warnings.push(formatLinuxSdBackedStateDirWarning(displayStateDir, linuxSdBackedStateDir));
-	let stateDirExists = existsDir(stateDir);
-	if (!stateDirExists) {
-		warnings.push(`- CRITICAL: state directory missing (${displayStateDir}). Sessions, credentials, logs, and config are stored there.`);
-		if (cfg.gateway?.mode === "remote") warnings.push("- Gateway is in remote mode; run doctor on the remote host where the gateway runs.");
-		if (await prompter.confirmSkipInNonInteractive({
-			message: `Create ${displayStateDir} now?`,
-			initialValue: false
-		})) {
-			const created = ensureDir(stateDir);
-			if (created.ok) {
-				changes.push(`- Created ${displayStateDir}`);
-				stateDirExists = true;
-			} else warnings.push(`- Failed to create ${displayStateDir}: ${created.error}`);
-		}
-	}
-	if (stateDirExists && !canWriteDir(stateDir)) {
-		warnings.push(`- State directory not writable (${displayStateDir}).`);
-		const hint = dirPermissionHint(stateDir);
-		if (hint) warnings.push(`  ${hint}`);
-		if (await prompter.confirmSkipInNonInteractive({
-			message: `Repair permissions on ${displayStateDir}?`,
-			initialValue: true
-		})) try {
-			const target = addUserRwx(fs.statSync(stateDir).mode);
-			fs.chmodSync(stateDir, target);
-			changes.push(`- Repaired permissions on ${displayStateDir}`);
-		} catch (err) {
-			warnings.push(`- Failed to repair ${displayStateDir}: ${String(err)}`);
-		}
-	}
-	if (stateDirExists && process.platform !== "win32") try {
-		const dirLstat = fs.lstatSync(stateDir);
-		const isDirSymlink = dirLstat.isSymbolicLink();
-		const stat = isDirSymlink ? fs.statSync(stateDir) : dirLstat;
-		if (!(isDirSymlink ? fs.realpathSync(stateDir) : stateDir).startsWith("/nix/store/") && (stat.mode & 63) !== 0) {
-			warnings.push(`- State directory permissions are too open (${displayStateDir}). Recommend chmod 700.`);
-			if (await prompter.confirmSkipInNonInteractive({
-				message: `Tighten permissions on ${displayStateDir} to 700?`,
-				initialValue: true
-			})) {
-				fs.chmodSync(stateDir, 448);
-				changes.push(`- Tightened permissions on ${displayStateDir} to 700`);
-			}
-		}
-	} catch (err) {
-		warnings.push(`- Failed to read ${displayStateDir} permissions: ${String(err)}`);
-	}
-	if (configPath && existsFile(configPath) && process.platform !== "win32") try {
-		const configLstat = fs.lstatSync(configPath);
-		const isSymlink = configLstat.isSymbolicLink();
-		const stat = isSymlink ? fs.statSync(configPath) : configLstat;
-		if (!(isSymlink ? fs.realpathSync(configPath) : configPath).startsWith("/nix/store/") && (stat.mode & 63) !== 0) {
-			warnings.push(`- Config file is group/world readable (${displayConfigPath ?? configPath}). Recommend chmod 600.`);
-			if (await prompter.confirmSkipInNonInteractive({
-				message: `Tighten permissions on ${displayConfigPath ?? configPath} to 600?`,
-				initialValue: true
-			})) {
-				fs.chmodSync(configPath, 384);
-				changes.push(`- Tightened permissions on ${displayConfigPath ?? configPath} to 600`);
-			}
-		}
-	} catch (err) {
-		warnings.push(`- Failed to read config permissions (${displayConfigPath ?? configPath}): ${String(err)}`);
-	}
-	if (stateDirExists) {
-		const dirCandidates = /* @__PURE__ */ new Map();
-		dirCandidates.set(sessionsDir, "Sessions dir");
-		dirCandidates.set(storeDir, "Session store dir");
-		if (requireOAuthDir) dirCandidates.set(oauthDir, "OAuth dir");
-		else if (!existsDir(oauthDir)) warnings.push(`- OAuth dir not present (${displayOauthDir}). Skipping create because no WhatsApp/pairing channel config is active.`);
-		const displayDirFor = (dir) => {
-			if (dir === sessionsDir) return displaySessionsDir;
-			if (dir === storeDir) return displayStoreDir;
-			if (dir === oauthDir) return displayOauthDir;
-			return shortenHomePath(dir);
-		};
-		for (const [dir, label] of dirCandidates) {
-			const displayDir = displayDirFor(dir);
-			if (!existsDir(dir)) {
-				warnings.push(`- CRITICAL: ${label} missing (${displayDir}).`);
-				if (await prompter.confirmSkipInNonInteractive({
-					message: `Create ${label} at ${displayDir}?`,
-					initialValue: true
-				})) {
-					const created = ensureDir(dir);
-					if (created.ok) changes.push(`- Created ${label}: ${displayDir}`);
-					else warnings.push(`- Failed to create ${displayDir}: ${created.error}`);
-				}
-				continue;
-			}
-			if (!canWriteDir(dir)) {
-				warnings.push(`- ${label} not writable (${displayDir}).`);
-				const hint = dirPermissionHint(dir);
-				if (hint) warnings.push(`  ${hint}`);
-				if (await prompter.confirmSkipInNonInteractive({
-					message: `Repair permissions on ${label}?`,
-					initialValue: true
-				})) try {
-					const target = addUserRwx(fs.statSync(dir).mode);
-					fs.chmodSync(dir, target);
-					changes.push(`- Repaired permissions on ${label}: ${displayDir}`);
-				} catch (err) {
-					warnings.push(`- Failed to repair ${displayDir}: ${String(err)}`);
-				}
-			}
-		}
-	}
-	const extraStateDirs = /* @__PURE__ */ new Set();
-	if (path.resolve(stateDir) !== path.resolve(defaultStateDir)) {
-		if (existsDir(defaultStateDir)) extraStateDirs.add(defaultStateDir);
-	}
-	for (const other of findOtherStateDirs(stateDir)) extraStateDirs.add(other);
-	if (extraStateDirs.size > 0) warnings.push([
-		"- Multiple state directories detected. This can split session history.",
-		...Array.from(extraStateDirs).map((dir) => `  - ${shortenHomePath(dir)}`),
-		`  Active state dir: ${displayStateDir}`
-	].join("\n"));
-	const store = loadSessionStore(storePath);
-	const sessionPathOpts = resolveSessionFilePathOptions({
-		agentId,
-		storePath
-	});
-	const entries = Object.entries(store).filter(([, entry]) => entry && typeof entry === "object");
-	if (entries.length > 0) {
-		const recentTranscriptCandidates = entries.slice().toSorted((a, b) => {
-			const aUpdated = typeof a[1].updatedAt === "number" ? a[1].updatedAt : 0;
-			return (typeof b[1].updatedAt === "number" ? b[1].updatedAt : 0) - aUpdated;
-		}).slice(0, 5).filter(([key]) => !isSlashRoutingSessionKey(key));
-		const missing = recentTranscriptCandidates.filter(([, entry]) => {
-			const sessionId = entry.sessionId;
-			if (!sessionId) return false;
-			return !existsFile(resolveSessionFilePath(sessionId, entry, sessionPathOpts));
-		});
-		if (missing.length > 0) warnings.push([
-			`- ${missing.length}/${recentTranscriptCandidates.length} recent sessions are missing transcripts.`,
-			`  Verify sessions in store: ${formatCliCommand(`moldclaw sessions --store "${absoluteStorePath}"`)}`,
-			`  Preview cleanup impact: ${formatCliCommand(`moldclaw sessions cleanup --store "${absoluteStorePath}" --dry-run`)}`,
-			`  Prune missing entries: ${formatCliCommand(`moldclaw sessions cleanup --store "${absoluteStorePath}" --enforce --fix-missing`)}`
-		].join("\n"));
-		const mainEntry = store[resolveMainSessionKey(cfg)];
-		if (mainEntry?.sessionId) {
-			const transcriptPath = resolveSessionFilePath(mainEntry.sessionId, mainEntry, sessionPathOpts);
-			if (!existsFile(transcriptPath)) warnings.push(`- Main session transcript missing (${shortenHomePath(transcriptPath)}). History will appear to reset.`);
-			else {
-				const lineCount = countJsonlLines(transcriptPath);
-				if (lineCount <= 1) warnings.push(`- Main session transcript has only ${lineCount} line. Session history may not be appending.`);
-			}
-		}
-	}
-	if (existsDir(sessionsDir)) {
-		const referencedTranscriptPaths = /* @__PURE__ */ new Set();
-		for (const [, entry] of entries) {
-			if (!entry?.sessionId) continue;
-			try {
-				referencedTranscriptPaths.add(path.resolve(resolveSessionFilePath(entry.sessionId, entry, sessionPathOpts)));
-			} catch {}
-		}
-		const orphanTranscriptPaths = fs.readdirSync(sessionsDir, { withFileTypes: true }).filter((entry) => entry.isFile() && isPrimarySessionTranscriptFileName(entry.name)).map((entry) => path.resolve(path.join(sessionsDir, entry.name))).filter((filePath) => !referencedTranscriptPaths.has(filePath));
-		if (orphanTranscriptPaths.length > 0) {
-			warnings.push(`- Found ${orphanTranscriptPaths.length} orphan transcript file(s) in ${displaySessionsDir}. They are not referenced by sessions.json and can consume disk over time.`);
-			if (await prompter.confirmSkipInNonInteractive({
-				message: `Archive ${orphanTranscriptPaths.length} orphan transcript file(s) in ${displaySessionsDir}?`,
-				initialValue: false
-			})) {
-				let archived = 0;
-				const archivedAt = formatSessionArchiveTimestamp();
-				for (const orphanPath of orphanTranscriptPaths) {
-					const archivedPath = `${orphanPath}.deleted.${archivedAt}`;
-					try {
-						fs.renameSync(orphanPath, archivedPath);
-						archived += 1;
-					} catch (err) {
-						warnings.push(`- Failed to archive orphan transcript ${shortenHomePath(orphanPath)}: ${String(err)}`);
-					}
-				}
-				if (archived > 0) changes.push(`- Archived ${archived} orphan transcript file(s) in ${displaySessionsDir}`);
-			}
-		}
-	}
-	if (warnings.length > 0) note$1(warnings.join("\n"), "State integrity");
-	if (changes.length > 0) note$1(changes.join("\n"), "Doctor changes");
-}
-function noteWorkspaceBackupTip(workspaceDir) {
-	if (!existsDir(workspaceDir)) return;
-	const gitMarker = path.join(workspaceDir, ".git");
-	if (fs.existsSync(gitMarker)) return;
-	note$1([
-		"- Tip: back up the workspace in a private git repo (GitHub or GitLab).",
-		"- Keep ~/.moldclaw out of git; it contains credentials and session history.",
-		"- Details: /concepts/agent-workspace#git-backup-recommended"
-	].join("\n"), "Workspace");
-}
-//#endregion
-//#region src/commands/doctor-ui.ts
-async function maybeRepairUiProtocolFreshness(_runtime, prompter) {
-	const root = await resolvemoldClawPackageRoot({
-		moduleUrl: import.meta.url,
-		argv1: process.argv[1],
-		cwd: process.cwd()
-	});
-	if (!root) return;
-	const schemaPath = path.join(root, "src/gateway/protocol/schema.ts");
-	const uiIndexPath = (await resolveControlUiDistIndexHealth({
-		root,
-		argv1: process.argv[1]
-	})).indexPath ?? resolveControlUiDistIndexPathForRoot(root);
-	try {
-		const [schemaStats, uiStats] = await Promise.all([fs$1.stat(schemaPath).catch(() => null), fs$1.stat(uiIndexPath).catch(() => null)]);
-		if (schemaStats && !uiStats) {
-			note$1(["- Control UI assets are missing.", "- Run: pnpm ui:build"].join("\n"), "UI");
-			const uiSourcesPath = path.join(root, "ui/package.json");
-			if (!await fs$1.stat(uiSourcesPath).catch(() => null)) {
-				note$1("Skipping UI build: ui/ sources not present.", "UI");
-				return;
-			}
-			if (await prompter.confirmRepair({
-				message: "Build Control UI assets now?",
-				initialValue: true
-			})) {
-				note$1("Building Control UI assets... (this may take a moment)", "UI");
-				const uiScriptPath = path.join(root, "scripts/ui.js");
-				const buildResult = await runCommandWithTimeout([
-					process.execPath,
-					uiScriptPath,
-					"build"
-				], {
-					cwd: root,
-					timeoutMs: 12e4,
-					env: {
-						...process.env,
-						FORCE_COLOR: "1"
-					}
-				});
-				if (buildResult.code === 0) note$1("UI build complete.", "UI");
-				else note$1([`UI build failed (exit ${buildResult.code ?? "unknown"}).`, buildResult.stderr.trim() ? buildResult.stderr.trim() : null].filter(Boolean).join("\n"), "UI");
-			}
-			return;
-		}
-		if (!schemaStats || !uiStats) return;
-		if (schemaStats.mtime > uiStats.mtime) {
-			const gitLog = await runCommandWithTimeout([
-				"git",
-				"-C",
-				root,
-				"log",
-				`--since=${uiStats.mtime.toISOString()}`,
-				"--format=%h %s",
-				"src/gateway/protocol/schema.ts"
-			], { timeoutMs: 5e3 }).catch(() => null);
-			if (gitLog && gitLog.code === 0 && gitLog.stdout.trim()) {
-				note$1(`UI assets are older than the protocol schema.\nFunctional changes since last build:\n${gitLog.stdout.trim().split("\n").map((l) => `- ${l}`).join("\n")}`, "UI Freshness");
-				if (await prompter.confirmAggressive({
-					message: "Rebuild UI now? (Detected protocol mismatch requiring update)",
-					initialValue: true
-				})) {
-					const uiSourcesPath = path.join(root, "ui/package.json");
-					if (!await fs$1.stat(uiSourcesPath).catch(() => null)) {
-						note$1("Skipping UI rebuild: ui/ sources not present.", "UI");
-						return;
-					}
-					note$1("Rebuilding stale UI assets... (this may take a moment)", "UI");
-					const uiScriptPath = path.join(root, "scripts/ui.js");
-					const buildResult = await runCommandWithTimeout([
-						process.execPath,
-						uiScriptPath,
-						"build"
-					], {
-						cwd: root,
-						timeoutMs: 12e4,
-						env: {
-							...process.env,
-							FORCE_COLOR: "1"
-						}
-					});
-					if (buildResult.code === 0) note$1("UI rebuild complete.", "UI");
-					else note$1([`UI rebuild failed (exit ${buildResult.code ?? "unknown"}).`, buildResult.stderr.trim() ? buildResult.stderr.trim() : null].filter(Boolean).join("\n"), "UI");
-				}
-			}
-		}
-	} catch {}
-}
-//#endregion
-//#region src/commands/doctor-update.ts
-async function detectmoldClawGitCheckout(root) {
-	const res = await runCommandWithTimeout([
-		"git",
-		"-C",
-		root,
-		"rev-parse",
-		"--show-toplevel"
-	], { timeoutMs: 5e3 }).catch(() => null);
-	if (!res) return "unknown";
-	if (res.code !== 0) {
-		if (res.stderr.toLowerCase().includes("not a git repository")) return "not-git";
-		return "unknown";
-	}
-	return res.stdout.trim() === root ? "git" : "not-git";
-}
-async function maybeOfferUpdateBeforeDoctor(params) {
-	if (!(!isTruthyEnvValue$1(process.env.MOLDCLAW_UPDATE_IN_PROGRESS) && params.options.nonInteractive !== true && params.options.yes !== true && params.options.repair !== true && Boolean(process.stdin.isTTY)) || !params.root) return { updated: false };
-	const git = await detectmoldClawGitCheckout(params.root);
-	if (git === "git") {
-		if (!await params.confirm({
-			message: "Update moldClaw from git before running doctor?",
-			initialValue: true
-		})) return { updated: false };
-		note$1("Running update (fetch/rebase/build/ui:build/doctor)…", "Update");
-		const result = await runGatewayUpdate({
-			cwd: params.root,
-			argv1: process.argv[1]
-		});
-		note$1([
-			`Status: ${result.status}`,
-			`Mode: ${result.mode}`,
-			result.root ? `Root: ${result.root}` : null,
-			result.reason ? `Reason: ${result.reason}` : null
-		].filter(Boolean).join("\n"), "Update result");
-		if (result.status === "ok") {
-			params.outro("Update completed (doctor already ran as part of the update).");
-			return {
-				updated: true,
-				handled: true
-			};
-		}
-		return {
-			updated: true,
-			handled: false
-		};
-	}
-	if (git === "not-git") note$1(["This install is not a git checkout.", `Run \`${formatCliCommand("moldclaw update")}\` to update via your package manager (npm/pnpm), then rerun doctor.`].join("\n"), "Update");
-	return { updated: false };
-}
-//#endregion
-//#region src/commands/doctor-workspace.ts
-const MEMORY_SYSTEM_PROMPT = [
-	"Memory system not found in workspace.",
-	"Paste this into your agent:",
-	"",
-	"Install the memory system by applying:",
-	"https://github.com/moldclaw/moldclaw/commit/9ffea23f31ca1df5183b25668f8f814bee0fb34e",
-	"https://github.com/moldclaw/moldclaw/commit/7d1fee70e76f2f634f1b41fca927ee663914183a"
-].join("\n");
-async function shouldSuggestMemorySystem(workspaceDir) {
-	const memoryPaths = [path.join(workspaceDir, "MEMORY.md"), path.join(workspaceDir, "memory.md")];
-	for (const memoryPath of memoryPaths) try {
-		await fs.promises.access(memoryPath);
-		return false;
-	} catch {}
-	const agentsPath = path.join(workspaceDir, DEFAULT_AGENTS_FILENAME);
-	try {
-		const content = await fs.promises.readFile(agentsPath, "utf-8");
-		if (/memory\.md/i.test(content)) return false;
-	} catch {}
-	return true;
-}
-function detectLegacyWorkspaceDirs(params) {
-	return {
-		activeWorkspace: path.resolve(params.workspaceDir),
-		legacyDirs: []
-	};
-}
-function formatLegacyWorkspaceWarning(detection) {
-	return [
-		"Extra workspace directories detected (may contain old agent files):",
-		...detection.legacyDirs.map((dir) => `- ${shortenHomePath(dir)}`),
-		`Active workspace: ${shortenHomePath(detection.activeWorkspace)}`,
-		"If unused, archive or move to Trash."
-	].join("\n");
-}
-//#endregion
-//#region src/commands/doctor-workspace-status.ts
-function noteWorkspaceStatus(cfg) {
-	const workspaceDir = resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg));
-	const legacyWorkspace = detectLegacyWorkspaceDirs({ workspaceDir });
-	if (legacyWorkspace.legacyDirs.length > 0) note$1(formatLegacyWorkspaceWarning(legacyWorkspace), "Extra workspace");
-	const skillsReport = buildWorkspaceSkillStatus(workspaceDir, { config: cfg });
-	note$1([
-		`Eligible: ${skillsReport.skills.filter((s) => s.eligible).length}`,
-		`Missing requirements: ${skillsReport.skills.filter((s) => !s.eligible && !s.disabled && !s.blockedByAllowlist).length}`,
-		`Blocked by allowlist: ${skillsReport.skills.filter((s) => s.blockedByAllowlist).length}`
-	].join("\n"), "Skills status");
-	const pluginRegistry = loadmoldClawPlugins({
-		config: cfg,
-		workspaceDir,
-		logger: {
-			info: () => {},
-			warn: () => {},
-			error: () => {},
-			debug: () => {}
-		}
-	});
-	if (pluginRegistry.plugins.length > 0) {
-		const loaded = pluginRegistry.plugins.filter((p) => p.status === "loaded");
-		const disabled = pluginRegistry.plugins.filter((p) => p.status === "disabled");
-		const errored = pluginRegistry.plugins.filter((p) => p.status === "error");
-		note$1([
-			`Loaded: ${loaded.length}`,
-			`Disabled: ${disabled.length}`,
-			`Errors: ${errored.length}`,
-			errored.length > 0 ? `- ${errored.slice(0, 10).map((p) => p.id).join("\n- ")}${errored.length > 10 ? "\n- ..." : ""}` : null
-		].filter((line) => Boolean(line)).join("\n"), "Plugins");
-	}
-	if (pluginRegistry.diagnostics.length > 0) note$1(pluginRegistry.diagnostics.map((diag) => {
-		const prefix = diag.level.toUpperCase();
-		const plugin = diag.pluginId ? ` ${diag.pluginId}` : "";
-		const source = diag.source ? ` (${diag.source})` : "";
-		return `- ${prefix}${plugin}: ${diag.message}${source}`;
-	}).join("\n"), "Plugin diagnostics");
-	return { workspaceDir };
-}
-//#endregion
-//#region src/commands/doctor.ts
-const intro$1 = (message) => intro(stylePromptTitle(message) ?? message);
-const outro$1 = (message) => outro(stylePromptTitle(message) ?? message);
-function resolveMode(cfg) {
-	return cfg.gateway?.mode === "remote" ? "remote" : "local";
-}
-async function doctorCommand(runtime = defaultRuntime, options = {}) {
-	const prompter = createDoctorPrompter({
-		runtime,
-		options
-	});
-	printWizardHeader(runtime);
-	intro$1("moldClaw doctor");
-	const root = await resolvemoldClawPackageRoot({
-		moduleUrl: import.meta.url,
-		argv1: process.argv[1],
-		cwd: process.cwd()
-	});
-	if ((await maybeOfferUpdateBeforeDoctor({
-		runtime,
-		options,
-		root,
-		confirm: (p) => prompter.confirm(p),
-		outro: outro$1
-	})).handled) return;
-	await maybeRepairUiProtocolFreshness(runtime, prompter);
-	noteSourceInstallIssues(root);
-	noteDeprecatedLegacyEnvVars();
-	noteStartupOptimizationHints();
-	const configResult = await loadAndMaybeMigrateDoctorConfig({
-		options,
-		confirm: (p) => prompter.confirm(p)
-	});
-	let cfg = configResult.cfg;
-	const cfgForPersistence = structuredClone(cfg);
-	const sourceConfigValid = configResult.sourceConfigValid ?? true;
-	const configPath = configResult.path ?? CONFIG_PATH;
-	if (!cfg.gateway?.mode) {
-		const lines = [
-			"gateway.mode is unset; gateway start will be blocked.",
-			`Fix: run ${formatCliCommand("moldclaw configure")} and set Gateway mode (local/remote).`,
-			`Or set directly: ${formatCliCommand("moldclaw config set gateway.mode local")}`
-		];
-		if (!fs.existsSync(configPath)) lines.push(`Missing config: run ${formatCliCommand("moldclaw setup")} first.`);
-		note$1(lines.join("\n"), "Gateway");
-	}
-	if (resolveMode(cfg) === "local" && hasAmbiguousGatewayAuthModeConfig(cfg)) note$1([
-		"gateway.auth.token and gateway.auth.password are both configured while gateway.auth.mode is unset.",
-		"Set an explicit mode to avoid ambiguous auth selection and startup/runtime failures.",
-		`Set token mode: ${formatCliCommand("moldclaw config set gateway.auth.mode token")}`,
-		`Set password mode: ${formatCliCommand("moldclaw config set gateway.auth.mode password")}`
-	].join("\n"), "Gateway auth");
-	cfg = await maybeRepairAnthropicOAuthProfileId(cfg, prompter);
-	cfg = await maybeRemoveDeprecatedCliAuthProfiles(cfg, prompter);
-	await noteAuthProfileHealth({
-		cfg,
-		prompter,
-		allowKeychainPrompt: options.nonInteractive !== true && Boolean(process.stdin.isTTY)
-	});
-	const gatewayDetails = buildGatewayConnectionDetails({ config: cfg });
-	if (gatewayDetails.remoteFallbackNote) note$1(gatewayDetails.remoteFallbackNote, "Gateway");
-	if (resolveMode(cfg) === "local" && sourceConfigValid) {
-		const gatewayTokenRef = resolveSecretInputRef({
-			value: cfg.gateway?.auth?.token,
-			defaults: cfg.secrets?.defaults
-		}).ref;
-		const auth = resolveGatewayAuth({
-			authConfig: cfg.gateway?.auth,
-			tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off"
-		});
-		if (auth.mode !== "password" && (auth.mode !== "token" || !auth.token)) if (gatewayTokenRef) note$1([
-			"Gateway token is managed via SecretRef and is currently unavailable.",
-			"Doctor will not overwrite gateway.auth.token with a plaintext value.",
-			"Resolve/rotate the external secret source, then rerun doctor."
-		].join("\n"), "Gateway auth");
-		else {
-			note$1("Gateway auth is off or missing a token. Token auth is now the recommended default (including loopback).", "Gateway auth");
-			if (options.generateGatewayToken === true ? true : options.nonInteractive === true ? false : await prompter.confirmRepair({
-				message: "Generate and configure a gateway token now?",
-				initialValue: true
-			})) {
-				const nextToken = randomToken();
-				cfg = {
-					...cfg,
-					gateway: {
-						...cfg.gateway,
-						auth: {
-							...cfg.gateway?.auth,
-							mode: "token",
-							token: nextToken
-						}
-					}
-				};
-				note$1("Gateway token configured.", "Gateway auth");
-			}
-		}
-	}
-	const legacyState = await detectLegacyStateMigrations({ cfg });
-	if (legacyState.preview.length > 0) {
-		note$1(legacyState.preview.join("\n"), "Legacy state detected");
-		if (options.nonInteractive === true ? true : await prompter.confirm({
-			message: "Migrate legacy state (sessions/agent/WhatsApp auth) now?",
-			initialValue: true
-		})) {
-			const migrated = await runLegacyStateMigrations({ detected: legacyState });
-			if (migrated.changes.length > 0) note$1(migrated.changes.join("\n"), "Doctor changes");
-			if (migrated.warnings.length > 0) note$1(migrated.warnings.join("\n"), "Doctor warnings");
-		}
-	}
-	await noteStateIntegrity(cfg, prompter, configResult.path ?? CONFIG_PATH);
-	await noteSessionLockHealth({ shouldRepair: prompter.shouldRepair });
-	await maybeRepairLegacyCronStore({
-		cfg,
-		options,
-		prompter
-	});
-	cfg = await maybeRepairSandboxImages(cfg, runtime, prompter);
-	noteSandboxScopeWarnings(cfg);
-	await maybeScanExtraGatewayServices(options, runtime, prompter);
-	await maybeRepairGatewayServiceConfig(cfg, resolveMode(cfg), runtime, prompter);
-	await noteMacLaunchAgentOverrides();
-	await noteMacLaunchctlGatewayEnvOverrides(cfg);
-	await noteSecurityWarnings(cfg);
-	await noteChromeMcpBrowserReadiness(cfg);
-	await noteOpenAIOAuthTlsPrerequisites({
-		cfg,
-		deep: options.deep === true
-	});
-	if (cfg.hooks?.gmail?.model?.trim()) {
-		const hooksModelRef = resolveHooksGmailModel({
-			cfg,
-			defaultProvider: DEFAULT_PROVIDER
-		});
-		if (!hooksModelRef) note$1(`- hooks.gmail.model "${cfg.hooks.gmail.model}" could not be resolved`, "Hooks");
-		else {
-			const { provider: defaultProvider, model: defaultModel } = resolveConfiguredModelRef({
-				cfg,
-				defaultProvider: DEFAULT_PROVIDER,
-				defaultModel: DEFAULT_MODEL
-			});
-			const catalog = await loadModelCatalog({ config: cfg });
-			const status = getModelRefStatus({
-				cfg,
-				catalog,
-				ref: hooksModelRef,
-				defaultProvider,
-				defaultModel
-			});
-			const warnings = [];
-			if (!status.allowed) warnings.push(`- hooks.gmail.model "${status.key}" not in agents.defaults.models allowlist (will use primary instead)`);
-			if (!status.inCatalog) warnings.push(`- hooks.gmail.model "${status.key}" not in the model catalog (may fail at runtime)`);
-			if (warnings.length > 0) note$1(warnings.join("\n"), "Hooks");
-		}
-	}
-	if (options.nonInteractive !== true && process.platform === "linux" && resolveMode(cfg) === "local") {
-		const service = resolveGatewayService();
-		let loaded = false;
-		try {
-			loaded = await service.isLoaded({ env: process.env });
-		} catch {
-			loaded = false;
-		}
-		if (loaded) await ensureSystemdUserLingerInteractive({
-			runtime,
-			prompter: {
-				confirm: async (p) => prompter.confirm(p),
-				note: note$1
-			},
-			reason: "Gateway runs as a systemd user service. Without lingering, systemd stops the user session on logout/idle and kills the Gateway.",
-			requireConfirm: true
-		});
-	}
-	noteWorkspaceStatus(cfg);
-	await noteBootstrapFileSize(cfg);
-	await doctorShellCompletion(runtime, prompter, { nonInteractive: options.nonInteractive });
-	const { healthOk } = await checkGatewayHealth({
-		runtime,
-		cfg,
-		timeoutMs: options.nonInteractive === true ? 3e3 : 1e4
-	});
-	const gatewayMemoryProbe = healthOk ? await probeGatewayMemoryStatus({
-		cfg,
-		timeoutMs: options.nonInteractive === true ? 3e3 : 1e4
-	}) : {
-		checked: false,
-		ready: false
-	};
-	await noteMemorySearchHealth(cfg, { gatewayMemoryProbe });
-	await maybeRepairGatewayDaemon({
-		cfg,
-		runtime,
-		prompter,
-		options,
-		gatewayDetailsMessage: gatewayDetails.message,
-		healthOk
-	});
-	if (configResult.shouldWriteConfig || JSON.stringify(cfg) !== JSON.stringify(cfgForPersistence)) {
-		cfg = applyWizardMetadata(cfg, {
-			command: "doctor",
-			mode: resolveMode(cfg)
-		});
-		await writeConfigFile(cfg);
-		logConfigUpdated(runtime);
-		const backupPath = `${CONFIG_PATH}.bak`;
-		if (fs.existsSync(backupPath)) runtime.log(`Backup: ${shortenHomePath(backupPath)}`);
-	} else if (!prompter.shouldRepair) runtime.log(`Run "${formatCliCommand("moldclaw doctor --fix")}" to apply changes.`);
-	if (options.workspaceSuggestions !== false) {
-		const workspaceDir = resolveAgentWorkspaceDir(cfg, resolveDefaultAgentId(cfg));
-		noteWorkspaceBackupTip(workspaceDir);
-		if (await shouldSuggestMemorySystem(workspaceDir)) note$1(MEMORY_SYSTEM_PROMPT, "Workspace");
-	}
-	const finalSnapshot = await readConfigFileSnapshot();
-	if (finalSnapshot.exists && !finalSnapshot.valid) {
-		runtime.error("Invalid config:");
-		for (const issue of finalSnapshot.issues) {
-			const path = issue.path || "<root>";
-			runtime.error(`- ${path}: ${issue.message}`);
-		}
-	}
-	outro$1("Doctor complete.");
-}
-//#endregion
-//#region src/terminal/prompt-select-styled.ts
-function selectStyled(params) {
-	return select({
-		...params,
-		message: stylePromptMessage(params.message),
-		options: params.options.map((opt) => opt.hint === void 0 ? opt : {
-			...opt,
-			hint: stylePromptHint(opt.hint)
-		})
-	});
-}
-//#endregion
-export { doctorCommand as n, selectStyled as t };