@supen-ai/cli 0.1.10 → 0.1.12

package/daemon/dist/http/routes/system.js

@@ -10,12 +10,15 @@ import { readSpaceEnvMap, updateSpaceEnvMap, withSupenLlmEnv } from '../../core/
 import { readCodexSubscription } from '../../core/codex-subscription.js';
 import { buildHubSnapshotForSpace } from '../../core/hub-snapshot.js';
 import { readEnrollmentState, createEnrollmentToken, verifyEnrollmentToken, setTrustState } from '../../core/enrollment.js';
+import { collectOsTelemetryFields } from '../../core/os-info.js';
+import { getCodingCliStatusResponse, startCodingCliStatusCache, } from '../../core/coding-cli-status-cache.js';
 import { getGatewayInstance, getLlmToken } from '../../core/gateway.js';
 import { normalizeGatewayUplinkUrl, readGatewayConfig, writeGatewayConfig, } from '../../core/gateway-config.js';
 import { ensureSession, getAllAgents, getDailyUsage, getGlobalUsage, getSessionsForAgent, getSessionUiEvents, updateSessionBackendDriverId, updateSessionSdkId, } from '../../core/store.js';
 import { listMcpEnvKeys, listMcpServers } from '../../mcp/default-servers.js';
 import { getMcpEnvOverrides, updateMcpEnvOverrides } from '../../mcp/settings.js';
 import { getMcpManager } from '../../mcp/index.js';
+import { logger } from '../../core/logger.js';
 import { buildDaemonOpenApiSpec } from '../../channels/http-routes.js';
 import { writeJson, writeProtocolError, readJsonBody } from '../response.js';
 import { listRecentThreadEventsAfter, readThreadEventLogHead, } from '../../core/thread-event-log.js';
@@ -38,6 +41,10 @@ const MIRRORED_THREAD_STREAM_REPLAY_MAX_BYTES = 8 * 1024 * 1024;
 const MIRRORED_THREAD_RUNNING_LEASE_MS = 30 * 60 * 1000;
 const MIRRORED_THREAD_HISTORY_CHUNK_BYTES = 1024 * 1024;
 const require = createRequire(import.meta.url);
+const HOST_DAEMON_INSTALL_DIR = path.join(SUPEN_HOME, 'daemon');
+const HOST_DAEMON_CLI_PACKAGE_ROOT = path.join(HOST_DAEMON_INSTALL_DIR, 'node_modules', '@supen-ai', 'cli');
+const HOST_DAEMON_BIN_PATH = path.join(HOST_DAEMON_CLI_PACKAGE_ROOT, 'daemon', 'scripts', 'supen-daemon.js');
+const HOST_DAEMON_PACKAGE_SPEC = '@supen-ai/cli';
 function readSqliteRows(dbPath, query) {
     try {
         const { DatabaseSync } = require('node:sqlite');
@@ -53,6 +60,33 @@ function readSqliteRows(dbPath, query) {
         return null;
     }
 }
+function quoteSqliteString(value) {
+    return `'${value.replace(/'/g, "''")}'`;
+}
+function runSqliteStatement(dbPath, query, params = []) {
+    try {
+        const { DatabaseSync } = require('node:sqlite');
+        const db = new DatabaseSync(dbPath);
+        try {
+            db.prepare(query).run(...params);
+            return true;
+        }
+        finally {
+            db.close();
+        }
+    }
+    catch {
+        const expandedQuery = params.reduce((sql, param) => {
+            const value = typeof param === 'string' ? quoteSqliteString(param) : String(param);
+            return sql.replace('?', value);
+        }, query);
+        const result = spawnSync('sqlite3', [dbPath, expandedQuery], {
+            encoding: 'utf-8',
+            maxBuffer: 1024 * 1024,
+        });
+        return result.status === 0;
+    }
+}
 function gatewayUplinkStatus(config = readGatewayConfig()) {
     const gatewayUrl = (config.gateway_url || '').trim();
     return {
@@ -218,7 +252,7 @@ function summarizeUiChunk(chunk) {
                 : 'Unknown error';
         return { category: 'error', summary: truncateText(errorText) };
     }
-    if (type === 'data-supen-event') {
+    if (type === 'data-codex-event') {
         const data = chunk.data && typeof chunk.data === 'object'
             ? chunk.data
             : {};
@@ -476,6 +510,15 @@ function readThreadIndexEntry(threadId) {
 function readThreadStateEntry(threadId) {
     return readThreadStateEntries(1000).find((entry) => entry.id === threadId) || null;
 }
+function archiveMirroredThread(threadId) {
+    const dbPath = path.join(localAgentHome(), 'state_5.sqlite');
+    if (!threadId || !fs.existsSync(dbPath))
+        return false;
+    const existing = readThreadStateEntry(threadId);
+    if (!existing)
+        return false;
+    return runSqliteStatement(dbPath, 'update threads set archived = 1 where id = ?', [threadId]);
+}
 function isoFromMillis(value) {
     const ms = typeof value === 'number' ? value : Number(value);
     if (!Number.isFinite(ms) || ms <= 0)
@@ -757,6 +800,66 @@ function isMirrorableCodexWorkspace(projectPath) {
     }
     return !isPathWithin(path.join(SUPEN_HOME, 'tasks'), projectPath);
 }
+function mimeTypeForWorkspaceFile(filePath) {
+    const ext = path.extname(filePath).toLowerCase();
+    if (ext === '.md' || ext === '.markdown' || ext === '.mdx')
+        return 'text/markdown; charset=utf-8';
+    if (ext === '.txt' || ext === '.log' || ext === '.env')
+        return 'text/plain; charset=utf-8';
+    if (ext === '.json')
+        return 'application/json; charset=utf-8';
+    if (ext === '.html' || ext === '.htm')
+        return 'text/html; charset=utf-8';
+    if (ext === '.css')
+        return 'text/css; charset=utf-8';
+    if (ext === '.js' || ext === '.mjs' || ext === '.cjs')
+        return 'text/javascript; charset=utf-8';
+    if (ext === '.ts' || ext === '.tsx' || ext === '.jsx')
+        return 'text/plain; charset=utf-8';
+    if (ext === '.png')
+        return 'image/png';
+    if (ext === '.jpg' || ext === '.jpeg')
+        return 'image/jpeg';
+    if (ext === '.gif')
+        return 'image/gif';
+    if (ext === '.webp')
+        return 'image/webp';
+    if (ext === '.svg')
+        return 'image/svg+xml';
+    if (ext === '.pdf')
+        return 'application/pdf';
+    return 'application/octet-stream';
+}
+function serveRemoteFile(req, res, filePath) {
+    const stat = fs.statSync(filePath);
+    const basename = path.basename(filePath);
+    res.writeHead(200, {
+        'Content-Type': mimeTypeForWorkspaceFile(filePath),
+        'Content-Length': stat.size,
+        'Last-Modified': stat.mtime.toUTCString(),
+        'Cache-Control': 'no-store',
+        'Content-Disposition': `inline; filename="${basename.replace(/"/g, '')}"`,
+    });
+    if (req.method === 'HEAD') {
+        res.end();
+        return;
+    }
+    fs.createReadStream(filePath).pipe(res);
+}
+function resolveRemoteFilePath(rawPath) {
+    const trimmed = rawPath.trim();
+    if (!trimmed)
+        return null;
+    const expanded = trimmed === '~'
+        ? os.homedir()
+        : trimmed.startsWith('~/')
+            ? path.join(os.homedir(), trimmed.slice(2))
+            : trimmed;
+    const resolved = path.resolve(expanded);
+    if (!path.isAbsolute(resolved))
+        return null;
+    return resolved;
+}
 function isAutomationRunThreadTitle(title) {
     if (!title)
         return false;
@@ -880,7 +983,9 @@ function sanitizeMirroredHistoryPayload(value, depth = 0) {
 }
 function safeMirroredHistoryAttachmentUrl(url) {
     const trimmed = url.trim();
-    if (trimmed.startsWith('data:') && trimmed.length > MIRRORED_THREAD_INLINE_DATA_URL_LIMIT) {
+    if (trimmed.startsWith('data:') &&
+        !trimmed.startsWith('data:image/') &&
+        trimmed.length > MIRRORED_THREAD_INLINE_DATA_URL_LIMIT) {
         return '';
     }
     return trimmed;
@@ -902,12 +1007,15 @@ function imageAttachmentFromUrl(url, index) {
     const trimmed = url.trim();
     if (!trimmed)
         return null;
+    const safeUrl = safeMirroredHistoryAttachmentUrl(trimmed);
+    if (!safeUrl)
+        return null;
     const mimeType = mimeTypeFromImageUrl(trimmed);
     const filename = `pasted-image-${index + 1}.${imageExtensionFromMimeType(mimeType)}`;
     return {
         name: filename,
         filename,
-        url: safeMirroredHistoryAttachmentUrl(trimmed),
+        url: safeUrl,
         mimeType,
         mime_type: mimeType,
     };
@@ -1079,7 +1187,7 @@ function codexReplayEvent(eventId, timestamp, taskId, raw) {
         timestamp,
         task_id: taskId,
         chunk: {
-            type: 'data-supen-event',
+            type: 'data-codex-event',
             id: eventId,
             data: { raw },
         },
@@ -1158,6 +1266,49 @@ export function readCodexThreadHistory(threadId, limit = MIRRORED_THREAD_HISTORY
             ...(attachments.length > 0 ? { attachments } : {}),
         });
     };
+    const pushWebUserMessage = (event) => {
+        if (event.source !== 'web' || event.event_type !== 'user_message')
+            return;
+        const payload = event.raw_payload && typeof event.raw_payload === 'object'
+            ? event.raw_payload
+            : {};
+        const text = typeof payload.content === 'string' ? payload.content : '';
+        const attachments = Array.isArray(payload.attachments)
+            ? payload.attachments
+                .map((attachment, index) => {
+                if (!attachment || typeof attachment !== 'object')
+                    return null;
+                const record = attachment;
+                const url = typeof record.url === 'string' ? record.url :
+                    typeof record.supenUrl === 'string' ? record.supenUrl :
+                        typeof record.path === 'string' ? record.path :
+                            typeof record.taskPath === 'string' ? record.taskPath :
+                                '';
+                if (!url.trim())
+                    return null;
+                const filename = typeof record.filename === 'string' ? record.filename :
+                    typeof record.name === 'string' ? record.name :
+                        `attachment-${index + 1}`;
+                const mimeType = typeof record.mimeType === 'string' ? record.mimeType :
+                    typeof record.mime_type === 'string' ? record.mime_type :
+                        'application/octet-stream';
+                const safeUrl = safeMirroredHistoryAttachmentUrl(url);
+                if (!safeUrl)
+                    return null;
+                return {
+                    name: filename,
+                    filename,
+                    url: safeUrl,
+                    mimeType,
+                    mime_type: mimeType,
+                };
+            })
+                .filter((attachment) => Boolean(attachment))
+            : [];
+        const timestamp = typeof payload.timestamp === 'string' ? payload.timestamp : event.received_at;
+        const messageId = typeof payload.id === 'string' ? payload.id : `${threadId}-web-user-${event.sequence}`;
+        pushUserMessage(text, timestamp, messageId, attachments);
+    };
     const pushEvent = (timestamp, chunk) => {
         eventIndex += 1;
         events.push({
@@ -1368,15 +1519,20 @@ export function readCodexThreadHistory(threadId, limit = MIRRORED_THREAD_HISTORY
             task_id: threadId,
         });
     }
-    for (const event of listRecentThreadEventsAfter(eventLogThreadId, 0, {
+    const eventLogEvents = listRecentThreadEventsAfter(eventLogThreadId, 0, {
         limit: MIRRORED_THREAD_STREAM_REPLAY_LIMIT,
         maxBytes: MIRRORED_THREAD_STREAM_REPLAY_MAX_BYTES,
-    })) {
+    });
+    for (const event of eventLogEvents) {
+        pushWebUserMessage(event);
+    }
+    for (const event of eventLogEvents) {
         const chunk = threadStreamChunkForEvent(event);
         if (!chunk)
             continue;
         events.push({
             id: `${threadId}-event-log-${event.sequence}`,
+            sequence: event.sequence,
             timestamp: event.received_at,
             task_id: threadId,
             chunk,
@@ -1539,17 +1695,41 @@ function threadStreamChunkForEvent(event) {
         return null;
     if (event.raw_payload &&
         typeof event.raw_payload === 'object' &&
-        !Array.isArray(event.raw_payload)) {
-        return event.raw_payload;
+        !Array.isArray(event.raw_payload) &&
+        typeof event.raw_payload.type === 'string' &&
+        String(event.raw_payload.type).trim()) {
+        return normalizeStoredCodexThreadChunk(event.raw_payload);
     }
     return {
-        type: 'data-supen-event',
+        type: 'data-codex-event',
         data: {
             eventType: event.event_type,
             raw: event.raw_payload,
         },
     };
 }
+function normalizeStoredCodexThreadChunk(chunk) {
+    if (chunk.type !== 'data-supen-event')
+        return chunk;
+    const data = chunk.data && typeof chunk.data === 'object' && !Array.isArray(chunk.data)
+        ? chunk.data
+        : {};
+    const raw = data.raw && typeof data.raw === 'object' && !Array.isArray(data.raw)
+        ? data.raw
+        : {};
+    return {
+        ...chunk,
+        type: 'data-codex-event',
+        data: {
+            ...data,
+            eventType: typeof data.eventType === 'string' && data.eventType.trim()
+                ? data.eventType
+                : typeof raw.method === 'string' && raw.method.trim()
+                    ? raw.method
+                    : 'codex-event',
+        },
+    };
+}
 function buildMcpSettingsResponse() {
     const overrides = getMcpEnvOverrides();
     const runtimeEnv = { ...process.env };
@@ -1653,19 +1833,206 @@ function codexConnectSnapshot() {
         error: codexConnectRuntime.error,
     };
 }
+function detectGlobalNpmRoot() {
+    const result = spawnSync('npm', ['root', '-g'], {
+        encoding: 'utf8',
+        timeout: 3000,
+    });
+    if (result.status !== 0)
+        return null;
+    const root = String(result.stdout || '').trim();
+    if (!root)
+        return null;
+    try {
+        return fs.realpathSync(root);
+    }
+    catch {
+        return root;
+    }
+}
+function findPackageRootFrom(startPath, expectedName) {
+    if (!startPath)
+        return null;
+    let current = fs.existsSync(startPath) && fs.statSync(startPath).isDirectory()
+        ? startPath
+        : path.dirname(startPath);
+    for (let i = 0; i < 8; i += 1) {
+        const packageJsonPath = path.join(current, 'package.json');
+        if (fs.existsSync(packageJsonPath)) {
+            try {
+                const parsed = JSON.parse(fs.readFileSync(packageJsonPath, 'utf8'));
+                if (parsed.name === expectedName)
+                    return current;
+            }
+            catch {
+                return null;
+            }
+        }
+        const next = path.dirname(current);
+        if (next === current)
+            break;
+        current = next;
+    }
+    return null;
+}
+function readPackageVersion(packageRoot) {
+    if (!packageRoot)
+        return null;
+    try {
+        const parsed = JSON.parse(fs.readFileSync(path.join(packageRoot, 'package.json'), 'utf8'));
+        return typeof parsed.version === 'string' ? parsed.version : null;
+    }
+    catch {
+        return null;
+    }
+}
+function detectDaemonPackageStatus() {
+    const envVersion = process.env.SUPEN_DAEMON_VERSION || process.env.npm_package_version || null;
+    let packageRoot = null;
+    try {
+        packageRoot = findPackageRootFrom(require.resolve('@supen-ai/daemon'), '@supen-ai/daemon');
+    }
+    catch {
+        packageRoot = null;
+    }
+    if (!packageRoot) {
+        for (const candidate of [process.argv[1], process.cwd(), path.resolve(process.cwd(), 'apps/daemon')]) {
+            packageRoot = findPackageRootFrom(candidate || null, '@supen-ai/daemon');
+            if (packageRoot)
+                break;
+        }
+    }
+    let cliPackageRoot = null;
+    try {
+        if (fs.existsSync(path.join(HOST_DAEMON_CLI_PACKAGE_ROOT, 'package.json'))) {
+            cliPackageRoot = fs.realpathSync(HOST_DAEMON_CLI_PACKAGE_ROOT);
+        }
+    }
+    catch {
+        cliPackageRoot = null;
+    }
+    if (!cliPackageRoot) {
+        cliPackageRoot = findPackageRootFrom(process.argv[1] || null, '@supen-ai/cli');
+    }
+    const bundledDaemonRoot = cliPackageRoot
+        ? path.join(cliPackageRoot, 'daemon')
+        : null;
+    const bundledDaemonVersion = readPackageVersion(bundledDaemonRoot);
+    const packageVersion = readPackageVersion(packageRoot);
+    const npmRoot = detectGlobalNpmRoot();
+    const realPackageRoot = packageRoot ? fs.realpathSync(packageRoot) : null;
+    const realCliPackageRoot = cliPackageRoot ? fs.realpathSync(cliPackageRoot) : null;
+    const installSource = realCliPackageRoot && realCliPackageRoot.startsWith(`${HOST_DAEMON_INSTALL_DIR}${path.sep}`)
+        ? 'supen-cli-bundle'
+        : realPackageRoot && npmRoot && realPackageRoot.startsWith(`${npmRoot}${path.sep}@supen-ai${path.sep}daemon`)
+            ? 'npm-global'
+            : packageRoot
+                ? 'local-package'
+                : null;
+    return {
+        version: envVersion || bundledDaemonVersion || packageVersion,
+        package_root: packageRoot || bundledDaemonRoot,
+        install_source: installSource,
+        update_supported: installSource === 'supen-cli-bundle' || installSource === 'npm-global',
+    };
+}
+function restartManagedHostDaemon() {
+    if (process.platform === 'linux') {
+        const result = spawnSync('systemctl', ['--user', 'restart', 'supen-daemon.service'], {
+            encoding: 'utf8',
+            timeout: 10_000,
+        });
+        if (result.status === 0)
+            return { method: 'systemd', attempted: true };
+    }
+    if (process.platform === 'darwin') {
+        const uid = typeof process.getuid === 'function' ? process.getuid() : Number(process.env.UID || 0);
+        const result = spawnSync('launchctl', ['kickstart', '-k', `gui/${uid}/ai.supen.daemon`], {
+            encoding: 'utf8',
+            timeout: 10_000,
+        });
+        if (result.status === 0)
+            return { method: 'launchd', attempted: true };
+    }
+    if (fs.existsSync(HOST_DAEMON_BIN_PATH)) {
+        const child = spawn(process.execPath, [HOST_DAEMON_BIN_PATH], {
+            detached: true,
+            stdio: 'ignore',
+            env: process.env,
+        });
+        child.unref();
+        setTimeout(() => process.exit(0), 250);
+        return { method: 'detached-node', attempted: true };
+    }
+    return { method: 'none', attempted: false };
+}
+function inferCliInstallSource(name, executablePath, resolvedPath) {
+    if (!executablePath && !resolvedPath)
+        return { install_source: null, update_supported: false };
+    const candidates = [executablePath || '', resolvedPath || ''].map((value) => value.toLowerCase());
+    const normalized = candidates.join('\n');
+    if (normalized.includes('/.local/share/pnpm/') || normalized.includes('/pnpm/')) {
+        return { install_source: 'pnpm', update_supported: false };
+    }
+    if (normalized.includes('/homebrew/') || normalized.includes('/opt/homebrew/') || normalized.includes('/cellar/')) {
+        return { install_source: 'homebrew', update_supported: false };
+    }
+    if (name === 'codex') {
+        const npmRoot = detectGlobalNpmRoot();
+        const codexPackagePath = resolvedPath || executablePath || '';
+        if (npmRoot && codexPackagePath.startsWith(`${npmRoot}${path.sep}@openai${path.sep}codex${path.sep}`)) {
+            return { install_source: 'npm-global', update_supported: true };
+        }
+        if (normalized.includes('/node_modules/@openai/codex/')) {
+            return { install_source: 'node-package', update_supported: false };
+        }
+    }
+    if (name === 'gemini') {
+        const npmRoot = detectGlobalNpmRoot();
+        const geminiPackagePath = resolvedPath || executablePath || '';
+        if (npmRoot && geminiPackagePath.startsWith(`${npmRoot}${path.sep}@google${path.sep}gemini-cli${path.sep}`)) {
+            return { install_source: 'npm-global', update_supported: true };
+        }
+        if (normalized.includes('/node_modules/@google/gemini-cli/')) {
+            return { install_source: 'node-package', update_supported: false };
+        }
+    }
+    return { install_source: null, update_supported: false };
+}
 function detectCliInstalled(name) {
-    const cmd = spawnSync('sh', ['-lc', `command -v ${name}`], {
+    const cmd = spawnSync('sh', ['-c', `command -v ${name}`], {
         encoding: 'utf8',
         timeout: 3000,
     });
-    if (cmd.status !== 0)
-        return { installed: false, version: null };
+    if (cmd.status !== 0) {
+        return { installed: false, version: null, path: null, resolved_path: null, install_source: null, update_supported: false };
+    }
+    const executablePath = String(cmd.stdout || '').split(/\r?\n/g).find(Boolean)?.trim() || null;
+    let resolvedPath = null;
+    if (executablePath) {
+        try {
+            resolvedPath = fs.realpathSync(executablePath);
+        }
+        catch {
+            resolvedPath = executablePath;
+        }
+    }
     const versionCmd = spawnSync(name, ['--version'], {
         encoding: 'utf8',
         timeout: 5000,
     });
-    const output = trimLogNoise(`${versionCmd.stdout || ''}\n${versionCmd.stderr || ''}`) || '';
-    return { installed: true, version: output || null };
+    const output = versionCmd.status === 0
+        ? trimLogNoise(`${versionCmd.stdout || ''}\n${versionCmd.stderr || ''}`) || ''
+        : '';
+    const semver = output.match(/\b\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?\b/)?.[0] || null;
+    const source = inferCliInstallSource(name, executablePath, resolvedPath);
+    return {
+        installed: true,
+        version: semver || (output && !output.includes('\n') ? output : null),
+        path: executablePath,
+        resolved_path: resolvedPath,
+        ...source,
+    };
 }
 function detectCodexAuthStatus(installed) {
     if (!installed)
@@ -1674,14 +2041,27 @@ function detectCodexAuthStatus(installed) {
         encoding: 'utf8',
         timeout: 8000,
     });
-    const text = `${result.stdout || ''}\n${result.stderr || ''}`
+    const lines = `${result.stdout || ''}\n${result.stderr || ''}`
         .split(/\r?\n/g)
         .map((line) => trimLogNoise(line))
-        .filter(Boolean)
-        .join('\n');
+        .filter(Boolean);
+    const text = lines.join('\n');
     const authenticated = /logged in/i.test(text) && !/not logged in/i.test(text);
-    const summary = text.split(/\r?\n/g).find((line) => line.trim().length > 0) || null;
-    return { authenticated, summary };
+    const email = text.match(/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i)?.[0] || null;
+    const accountLine = lines.find((line) => /logged in as|account|email|user/i.test(line) && !line.startsWith('file://')) || null;
+    const summary = authenticated
+        ? email || accountLine || 'Authenticated'
+        : null;
+    let accountId = null;
+    try {
+        const parsed = JSON.parse(fs.readFileSync(path.join(resolveCodexHome(), 'auth.json'), 'utf8'));
+        const tokens = parsed.tokens && typeof parsed.tokens === 'object' ? parsed.tokens : {};
+        accountId = typeof tokens.account_id === 'string' && tokens.account_id.trim() ? tokens.account_id.trim() : null;
+    }
+    catch {
+        accountId = null;
+    }
+    return { authenticated, summary, account_id: accountId };
 }
 function readCodexDefaultModel() {
     const codexHome = resolveCodexHome();
@@ -1799,6 +2179,10 @@ function readCodingCliStatusPayload() {
             name,
             installed: detected.installed,
             version: detected.version,
+            path: detected.path,
+            resolved_path: detected.resolved_path,
+            install_source: detected.install_source,
+            update_supported: detected.update_supported,
         };
     });
     const codexInstalled = clis.find((cli) => cli.name === 'codex')?.installed ?? false;
@@ -1819,6 +2203,10 @@ function readCodingCliStatusPayload() {
             installed: detected.installed,
             version: detected.version,
             managed: app.managed,
+            path: detected.path,
+            resolved_path: detected.resolved_path,
+            install_source: detected.install_source,
+            update_supported: detected.update_supported,
         };
     });
     return {
@@ -1889,6 +2277,15 @@ function readCodingCliStatusPayload() {
         codex_connect: codexConnectSnapshot(),
     };
 }
+function readCachedCodingCliStatusPayload(options) {
+    startCodingCliStatusCache({
+        build: () => ({
+            ...readCodingCliStatusPayload(),
+            daemon: detectDaemonPackageStatus(),
+        }),
+    });
+    return getCodingCliStatusResponse(options);
+}
 function readRuntimeModelStatusPayload() {
     const selected_cli = process.env.SUPEN_CODING_CLI || readConfigSummary().coding_cli || 'codex';
     const codexTransport = normalizeCodexTransport(process.env.SUPEN_CODEX_TRANSPORT) ||
@@ -2017,15 +2414,15 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         writeJson(res, 200, { status: 'ok' });
         return true;
     }
-    if (pathname === '/api/computer/openapi.json' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/openapi.json' && method === 'GET') {
         writeJson(res, 200, buildDaemonOpenApiSpec());
         return true;
     }
-    if (pathname === '/api/computer/models' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/models' && method === 'GET') {
         writeJson(res, 200, { models: MODELS_REGISTRY });
         return true;
     }
-    if (pathname === '/api/computer/config/reload' && method === 'POST') {
+    if (pathname === '/api/computers/{computer_id}/config/reload' && method === 'POST') {
         const before = {
             total_models: MODELS_REGISTRY.length,
             default_model: DEFAULT_MODEL?.id ?? null,
@@ -2041,11 +2438,11 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         });
         return true;
     }
-    if (pathname === '/api/computer/config-summary' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/config-summary' && method === 'GET') {
         writeJson(res, 200, readConfigSummary());
         return true;
     }
-    if (pathname === '/api/computer/logs' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/logs' && method === 'GET') {
         const agentId = coerceSingleQueryParam(url.searchParams.get('agent_id'));
         const sessionId = coerceSingleQueryParam(url.searchParams.get('session_id'));
         const limitRaw = coerceSingleQueryParam(url.searchParams.get('limit'));
@@ -2057,7 +2454,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }));
         return true;
     }
-    if (pathname === '/api/computer/logs/stream' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/logs/stream' && method === 'GET') {
         const agentId = coerceSingleQueryParam(url.searchParams.get('agent_id'));
         const sessionId = coerceSingleQueryParam(url.searchParams.get('session_id'));
         const limitRaw = coerceSingleQueryParam(url.searchParams.get('limit'));
@@ -2100,7 +2497,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         writeSse(res);
         return true;
     }
-    if (pathname === '/api/computer/config-yaml' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/config-yaml' && method === 'GET') {
         try {
             const yaml = readConfigYamlFile();
             writeJson(res, 200, { yaml });
@@ -2110,7 +2507,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    if (pathname === '/api/computer/config-yaml' && method === 'PUT') {
+    if (pathname === '/api/computers/{computer_id}/config-yaml' && method === 'PUT') {
         try {
             const parsed = await readJsonBody(req);
             const yamlText = typeof parsed === 'object' && parsed && typeof parsed.yaml === 'string'
@@ -2137,11 +2534,11 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    if (pathname === '/api/computer/gateway-uplink' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/gateway-uplink' && method === 'GET') {
         writeJson(res, 200, gatewayUplinkStatus());
         return true;
     }
-    if (pathname === '/api/computer/gateway-uplink' && (method === 'PUT' || method === 'PATCH')) {
+    if (pathname === '/api/computers/{computer_id}/gateway-uplink' && (method === 'PUT' || method === 'PATCH')) {
         if (process.env.SUPEN_GATEWAY_URL) {
             writeProtocolError(res, 409, 'config_error', 'env_override', 'SUPEN_GATEWAY_URL is set; update the daemon environment to change the gateway uplink.');
             return true;
@@ -2184,11 +2581,11 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    if (pathname === '/api/computer/env' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/env' && method === 'GET') {
         writeJson(res, 200, { env: readSpaceEnvMap() });
         return true;
     }
-    if (pathname === '/api/computer/llm-env' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/llm-env' && method === 'GET') {
         const token = getLlmToken() || process.env.SUPEN_LLM_TOKEN || process.env.SUPEN_LLM_API_KEY || '';
         const env = withSupenLlmEnv({
             ...process.env,
@@ -2208,15 +2605,15 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         });
         return true;
     }
-    if (pathname === '/api/computer/apps' && method === 'GET') {
-        writeJson(res, 200, readCodingCliStatusPayload());
+    if (pathname === '/api/computers/{computer_id}/apps' && method === 'GET') {
+        writeJson(res, 200, readCachedCodingCliStatusPayload());
         return true;
     }
-    if (pathname === '/api/computer/runtime-models' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/runtime-models' && method === 'GET') {
         writeJson(res, 200, readRuntimeModelStatusPayload());
         return true;
     }
-    if (pathname === '/api/computer/runtime-models/default' && method === 'PUT') {
+    if (pathname === '/api/computers/{computer_id}/runtime-models/default' && method === 'PUT') {
         try {
             const parsed = await readJsonBody(req);
             const model = typeof parsed === 'object' && parsed && typeof parsed.model === 'string'
@@ -2237,7 +2634,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    const spaceCodexTransportDefaultMatch = pathname.match(/^\/api\/computer\/apps\/codex\/transports\/([^/]+)\/default$/);
+    const spaceCodexTransportDefaultMatch = pathname.match(/^\/api\/computers\/\{computer_id\}\/apps\/codex\/transports\/([^/]+)\/default$/);
     if (spaceCodexTransportDefaultMatch && method === 'PUT') {
         try {
             const transport = normalizeCodexTransport(decodeURIComponent(spaceCodexTransportDefaultMatch[1] || '').trim());
@@ -2249,7 +2646,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
             writeJson(res, 200, {
                 ok: true,
                 ...result,
-                status: readCodingCliStatusPayload(),
+                status: readCachedCodingCliStatusPayload({ force: true }),
             });
         }
         catch (err) {
@@ -2257,7 +2654,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    const spaceAppDefaultMatch = pathname.match(/^\/api\/computer\/apps\/([^/]+)\/default$/);
+    const spaceAppDefaultMatch = pathname.match(/^\/api\/computers\/\{computer_id\}\/apps\/([^/]+)\/default$/);
     if (spaceAppDefaultMatch && method === 'PUT') {
         try {
             const cli = normalizeCliName(decodeURIComponent(spaceAppDefaultMatch[1] || '').trim());
@@ -2269,7 +2666,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
             writeJson(res, 200, {
                 ok: true,
                 ...result,
-                status: readCodingCliStatusPayload(),
+                status: readCachedCodingCliStatusPayload({ force: true }),
             });
         }
         catch (err) {
@@ -2277,7 +2674,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    const spaceAppInstallMatch = pathname.match(/^\/api\/computer\/apps\/([^/]+)\/install$/);
+    const spaceAppInstallMatch = pathname.match(/^\/api\/computers\/\{computer_id\}\/apps\/([^/]+)\/install$/);
     if (spaceAppInstallMatch && method === 'POST') {
         try {
             const cli = normalizeCliName(decodeURIComponent(spaceAppInstallMatch[1] || '').trim());
@@ -2289,6 +2686,11 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
                 writeProtocolError(res, 400, 'validation_error', 'install_not_supported', 'Only codex and gemini support managed install at the moment');
                 return true;
             }
+            const current = detectCliInstalled(cli);
+            if (current.installed && !current.update_supported) {
+                writeProtocolError(res, 400, 'validation_error', 'coding_cli_update_not_supported', `${cli} is installed via ${current.install_source || current.resolved_path || current.path || 'an unknown source'}; update it with that installer on this computer.`);
+                return true;
+            }
             const installSpec = MANAGED_CODING_CLI_INSTALL_COMMANDS[cli];
             const result = spawnSync(installSpec.command, installSpec.args, {
                 encoding: 'utf8',
@@ -2302,7 +2704,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
             writeJson(res, 200, {
                 ok: true,
                 cli,
-                status: readCodingCliStatusPayload(),
+                status: readCachedCodingCliStatusPayload({ force: true }),
             });
         }
         catch (err) {
@@ -2310,14 +2712,51 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    const spaceAppConnectMatch = pathname.match(/^\/api\/computer\/apps\/([^/]+)\/connect$/);
+    if (pathname === '/api/computers/{computer_id}/daemon/update' && method === 'POST') {
+        try {
+            const current = detectDaemonPackageStatus();
+            if (!current.update_supported) {
+                writeProtocolError(res, 400, 'validation_error', 'daemon_update_not_supported', `Supen daemon is installed via ${current.install_source || current.package_root || 'an unknown source'}; update it with that installer on this computer.`);
+                return true;
+            }
+            fs.mkdirSync(HOST_DAEMON_INSTALL_DIR, { recursive: true });
+            const result = spawnSync('npm', ['install', '--prefix', HOST_DAEMON_INSTALL_DIR, HOST_DAEMON_PACKAGE_SPEC], {
+                encoding: 'utf8',
+                timeout: 120_000,
+            });
+            if (result.status !== 0) {
+                const output = `${result.stdout || ''}\n${result.stderr || ''}`.trim() || 'Failed to update Supen daemon';
+                writeProtocolError(res, 500, 'install_error', 'daemon_update_failed', output);
+                return true;
+            }
+            writeJson(res, 200, {
+                ok: true,
+                daemon: detectDaemonPackageStatus(),
+                status: readCachedCodingCliStatusPayload({ force: true }),
+                restart: { scheduled: true },
+            });
+            setTimeout(() => {
+                try {
+                    restartManagedHostDaemon();
+                }
+                catch (err) {
+                    logger.error({ err }, 'Failed to restart Supen daemon after update');
+                }
+            }, 250);
+        }
+        catch (err) {
+            writeProtocolError(res, 500, 'install_error', 'daemon_update_failed', err?.message || 'Failed to update Supen daemon');
+        }
+        return true;
+    }
+    const spaceAppConnectMatch = pathname.match(/^\/api\/computers\/\{computer_id\}\/apps\/([^/]+)\/connect$/);
     if (spaceAppConnectMatch && method === 'POST') {
         const cli = normalizeCliName(decodeURIComponent(spaceAppConnectMatch[1] || '').trim());
         if (cli !== 'codex') {
             writeProtocolError(res, 400, 'validation_error', 'connect_not_supported', 'Only codex supports connect flow at the moment');
             return true;
         }
-        const status = readCodingCliStatusPayload();
+        const status = readCachedCodingCliStatusPayload();
         const codex = status.clis.find((entry) => entry.name === 'codex');
         if (!codex?.installed) {
             writeProtocolError(res, 400, 'validation_error', 'codex_not_installed', 'codex CLI is not installed');
@@ -2326,7 +2765,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         writeJson(res, 200, {
             ok: true,
             codex_connect: startCodexConnectFlow(),
-            status: readCodingCliStatusPayload(),
+            status: readCachedCodingCliStatusPayload({ force: true }),
         });
         return true;
     }
@@ -2339,11 +2778,11 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         writeJson(res, 200, {
             ok: true,
             codex_connect: cancelCodexConnectFlow(),
-            status: readCodingCliStatusPayload(),
+            status: readCachedCodingCliStatusPayload({ force: true }),
         });
         return true;
     }
-    const spaceAppSessionMatch = pathname.match(/^\/api\/computer\/apps\/([^/]+)\/session$/);
+    const spaceAppSessionMatch = pathname.match(/^\/api\/computers\/\{computer_id\}\/apps\/([^/]+)\/session$/);
     if (spaceAppSessionMatch && method === 'DELETE') {
         const cli = normalizeCliName(decodeURIComponent(spaceAppSessionMatch[1] || '').trim());
         if (cli !== 'codex') {
@@ -2359,10 +2798,10 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
             writeProtocolError(res, 500, 'auth_error', 'codex_logout_failed', output);
             return true;
         }
-        writeJson(res, 200, { ok: true, status: readCodingCliStatusPayload() });
+        writeJson(res, 200, { ok: true, status: readCachedCodingCliStatusPayload({ force: true }) });
         return true;
     }
-    if (pathname === '/api/computer/env' && method === 'PUT') {
+    if (pathname === '/api/computers/{computer_id}/env' && method === 'PUT') {
         try {
             const parsed = await readJsonBody(req);
             const updates = parsed && typeof parsed === 'object' && parsed.env && typeof parsed.env === 'object' && !Array.isArray(parsed.env)
@@ -2380,20 +2819,20 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    if (pathname === '/api/computer/hub-snapshot' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/hub-snapshot' && method === 'GET') {
         const spaceId = (url.searchParams.get('space_id') || process.env.SUPEN_SPACE_ID || 'local').trim() || 'local';
         writeJson(res, 200, buildHubSnapshotForSpace(spaceId));
         return true;
     }
-    if (pathname === '/api/computer/usage' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/usage' && method === 'GET') {
         writeJson(res, 200, getGlobalUsage());
         return true;
     }
-    if (pathname === '/api/computer/usage/daily' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/usage/daily' && method === 'GET') {
         writeJson(res, 200, { daily: getDailyUsage() });
         return true;
     }
-    if (pathname === '/api/computer/codex/subscription' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/codex/subscription' && method === 'GET') {
         try {
             writeJson(res, 200, await readCodexSubscription());
         }
@@ -2402,17 +2841,45 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    if (pathname === '/api/computer/quota-status' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/quota-status' && method === 'GET') {
         writeJson(res, 200, readLatestSpaceQuotaStatus());
         return true;
     }
-    if (pathname === '/api/computer/codex/threads' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/codex/threads' && method === 'GET') {
         const limitRaw = coerceSingleQueryParam(url.searchParams.get('limit'));
         const limit = limitRaw ? Number.parseInt(limitRaw, 10) : MIRRORED_THREAD_LIMIT;
         writeJson(res, 200, readMirroredTaskProjects(Number.isFinite(limit) ? limit : MIRRORED_THREAD_LIMIT));
         return true;
     }
-    const mirroredThreadStreamMatch = pathname.match(/^\/api\/computer\/codex\/threads\/([^/]+)\/stream$/);
+    if (pathname === '/api/computers/{computer_id}/files/preview' && (method === 'GET' || method === 'HEAD')) {
+        const requestedPath = coerceSingleQueryParam(url.searchParams.get('path')) || '';
+        const filePath = resolveRemoteFilePath(requestedPath);
+        if (!filePath) {
+            writeProtocolError(res, 400, 'validation_error', 'invalid_file_path', 'A valid file path is required.');
+            return true;
+        }
+        if (!fs.existsSync(filePath) || !fs.statSync(filePath).isFile()) {
+            writeProtocolError(res, 404, 'not_found', 'remote_file_not_found', 'File not found.');
+            return true;
+        }
+        serveRemoteFile(req, res, filePath);
+        return true;
+    }
+    const mirroredThreadArchiveMatch = pathname.match(/^\/api\/computers\/\{computer_id\}\/codex\/threads\/([^/]+)\/archive$/);
+    if (mirroredThreadArchiveMatch && method === 'POST') {
+        const threadId = decodeURIComponent(mirroredThreadArchiveMatch[1] || '').trim();
+        if (!threadId) {
+            writeProtocolError(res, 400, 'validation_error', 'missing_thread_id', 'Thread id is required.');
+            return true;
+        }
+        if (!archiveMirroredThread(threadId)) {
+            writeProtocolError(res, 404, 'not_found', 'mirrored_thread_not_found', 'Mirrored task was not found.');
+            return true;
+        }
+        writeJson(res, 200, { ok: true, archived: true });
+        return true;
+    }
+    const mirroredThreadStreamMatch = pathname.match(/^\/api\/computers\/\{computer_id\}\/codex\/threads\/([^/]+)\/stream$/);
     if (mirroredThreadStreamMatch && method === 'GET') {
         const threadId = decodeURIComponent(mirroredThreadStreamMatch[1] || '').trim();
         if (!threadId) {
@@ -2455,7 +2922,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         res.flush?.();
         return true;
     }
-    const mirroredThreadHistoryMatch = pathname.match(/^\/api\/computer\/codex\/threads\/([^/]+)\/messages$/);
+    const mirroredThreadHistoryMatch = pathname.match(/^\/api\/computers\/\{computer_id\}\/codex\/threads\/([^/]+)\/messages$/);
     if (mirroredThreadHistoryMatch && method === 'GET') {
         const threadId = decodeURIComponent(mirroredThreadHistoryMatch[1] || '').trim();
         const limitRaw = coerceSingleQueryParam(url.searchParams.get('limit'));
@@ -2470,7 +2937,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         writeJson(res, 200, history);
         return true;
     }
-    const mirroredThreadAdoptMatch = pathname.match(/^\/api\/computer\/codex\/threads\/([^/]+)\/adopt$/);
+    const mirroredThreadAdoptMatch = pathname.match(/^\/api\/computers\/\{computer_id\}\/codex\/threads\/([^/]+)\/adopt$/);
     if (mirroredThreadAdoptMatch && method === 'POST') {
         const threadId = decodeURIComponent(mirroredThreadAdoptMatch[1] || '').trim();
         const parsed = await readJsonBody(req);
@@ -2487,7 +2954,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         writeJson(res, 200, { thread: serializeAdoptedMirroredThread(session) });
         return true;
     }
-    if (pathname === '/api/computer/codex/projects/open' && method === 'POST') {
+    if (pathname === '/api/computers/{computer_id}/codex/projects/open' && method === 'POST') {
         try {
             const parsed = await readJsonBody(req);
             const projectPath = parsed && typeof parsed === 'object' && typeof parsed.path === 'string'
@@ -2514,12 +2981,12 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    if (pathname === '/api/computer/mcp/servers' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/mcp/servers' && method === 'GET') {
         writeJson(res, 200, { servers: buildMcpSettingsResponse().servers });
         return true;
     }
     /** Tools discovered via MCP `tools/list` for each connected server (in-memory; empty if servers not connected). */
-    if (pathname === '/api/computer/mcp/tool-catalog' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/mcp/tool-catalog' && method === 'GET') {
         try {
             const force = url.searchParams.get('refresh') === '1' || url.searchParams.get('force') === '1';
             const mgr = await getMcpManager({ forceConfigRefresh: force });
@@ -2538,11 +3005,11 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         }
         return true;
     }
-    if (pathname === '/api/computer/mcp/settings' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/mcp/settings' && method === 'GET') {
         writeJson(res, 200, buildMcpSettingsResponse());
         return true;
     }
-    if (pathname === '/api/computer/mcp/settings' && method === 'PUT') {
+    if (pathname === '/api/computers/{computer_id}/mcp/settings' && method === 'PUT') {
         const parsed = await readJsonBody(req);
         const allowedKeys = new Set(listMcpEnvKeys());
         const payloadEnv = parsed && typeof parsed === 'object' && parsed.env && typeof parsed.env === 'object'
@@ -2563,25 +3030,14 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         writeJson(res, 200, buildMcpSettingsResponse());
         return true;
     }
-    if (pathname === '/api/computer' && method === 'GET') {
-        const cpus = os.cpus();
-        const memTotal = os.totalmem();
-        const memFree = os.freemem();
+    if (pathname === '/api/computers/{computer_id}' && method === 'GET') {
         const enroll = readEnrollmentState(DAEMON_HOSTNAME || undefined);
-        let disk_total;
-        let disk_free;
-        let disk_used;
-        try {
-            const stats = fs.statfsSync(SUPEN_HOME);
-            disk_total = stats.bsize * stats.blocks;
-            disk_free = stats.bsize * stats.bavail;
-            disk_used = disk_total - disk_free;
-        }
-        catch { /* ignore */ }
+        const daemon = detectDaemonPackageStatus();
         writeJson(res, 200, {
             daemon_id: enroll.daemon_id,
             hostname: os.hostname(),
-            version: process.env.SUPEN_DAEMON_VERSION || process.env.npm_package_version || null,
+            version: daemon.version,
+            daemon,
             runtime: {
                 node: process.version,
                 platform: process.platform,
@@ -2602,31 +3058,17 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
                 queued_tasks: 0,
                 total_slots: 0,
             },
-            os: {
-                hostname: os.hostname(),
-                platform: os.platform(),
-                arch: os.arch(),
-                cpus: cpus.length,
-                cpu_model: cpus[0]?.model || 'Unknown',
-                load_avg: os.loadavg(),
-                mem_total: memTotal,
-                mem_free: memFree,
-                mem_used: memTotal - memFree,
-                uptime: os.uptime(),
-                disk_total,
-                disk_free,
-                disk_used,
-            },
+            os: collectOsTelemetryFields(),
         });
         return true;
     }
     // ── Enrollment ──
-    if (pathname === '/api/computer/enroll/status' && method === 'GET') {
+    if (pathname === '/api/computers/{computer_id}/enroll/status' && method === 'GET') {
         const state = readEnrollmentState(DAEMON_HOSTNAME || undefined);
         writeJson(res, 200, state);
         return true;
     }
-    if (pathname === '/api/computer/enroll/verify' && method === 'POST') {
+    if (pathname === '/api/computers/{computer_id}/enroll/verify' && method === 'POST') {
         const parsed = await readJsonBody(req);
         const result = verifyEnrollmentToken({
             token: parsed.token,
@@ -2636,12 +3078,12 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         writeJson(res, result.ok ? 200 : 401, result);
         return true;
     }
-    if (pathname === '/api/computer/trust' && method === 'POST') {
-        writeProtocolError(res, 410, 'auth_error', 'trust_endpoint_removed', 'Direct trust elevation is disabled. Use the enrollment flow (/api/computer/enroll/token + /api/computer/enroll/verify) to transition a daemon to trusted state.');
+    if (pathname === '/api/computers/{computer_id}/trust' && method === 'POST') {
+        writeProtocolError(res, 410, 'auth_error', 'trust_endpoint_removed', 'Direct trust elevation is disabled. Use the enrollment flow (/api/computers/{computer_id}/enroll/token + /api/computers/{computer_id}/enroll/verify) to transition a daemon to trusted state.');
         return true;
     }
     // Create enrollment token
-    if (pathname === '/api/computer/enroll/token' && method === 'POST') {
+    if (pathname === '/api/computers/{computer_id}/enroll/token' && method === 'POST') {
         try {
             const parsed = await readJsonBody(req);
             const ttlMinutes = parsed?.ttl_minutes || DEFAULT_TOKEN_TTL_MINUTES;
@@ -2661,7 +3103,7 @@ export async function handleSystemRoutes(req, res, url, pathname, method) {
         return true;
     }
     // Revoke enrollment
-    if (pathname === '/api/computer/enroll/revoke' && method === 'POST') {
+    if (pathname === '/api/computers/{computer_id}/enroll/revoke' && method === 'POST') {
         try {
             setTrustState('revoked', { daemonId: DAEMON_HOSTNAME || undefined });
             writeJson(res, 200, { ok: true, trust_state: 'revoked' });