@venturewild/workspace 0.1.13 → 0.2.0

package/server/src/index.mjs

@@ -1,1726 +1,1948 @@
-// wild-workspace server bootstrap.
-// Three processes per AR-17:
-//   - this Node server (Hono): REST + WebSocket + frontend bundle
-//   - AI agent subprocess: spawned per chat session via agent.mjs
-//   - bmo-sync daemon (v1.x — out of scope for this scaffold)
-
-import { Hono } from 'hono';
-import { serveStatic } from '@hono/node-server/serve-static';
-import { serve } from '@hono/node-server';
-import { WebSocketServer } from 'ws';
-import { existsSync, mkdirSync, readFileSync, writeFileSync, readdirSync } from 'node:fs';
-import path from 'node:path';
-import url from 'node:url';
-import {
-  buildConfig,
-  ROLES,
-  ROLE_CAPABILITIES,
-  APP_VERSION,
-  DEFAULT_AGENTS,
-  assertSecureBinding,
-  isLocalhost,
-} from './config.mjs';
-import { detectAgents, AgentSession, pickDefaultAgent } from './agent.mjs';
-import {
-  mintShareToken,
-  mintDeviceToken,
-  verifyShareToken,
-  buildShareUrl,
-  TokenRegistry,
-} from './share.mjs';
-import { PairingStore } from './pairing.mjs';
-import { listDir, readFile, fullTree, workspaceSummary, safeResolve } from './fs.mjs';
-import { InboxWatcher } from './inbox.mjs';
-import { ActivityBus } from './activity.mjs';
-import { loadIdentity, saveIdentity, markOnboarded, TONES } from './agent-identity.mjs';
-import { probeAgentReadiness } from './agent-readiness.mjs';
-import { ClaudeLoginSession } from './agent-login.mjs';
-import { ErrorReporter } from './error-reporter.mjs';
-import { DaemonBridge } from './daemon.mjs';
-import { DaemonSupervisor } from './daemon-supervisor.mjs';
-import { SyncControl } from './sync.mjs';
-import { detectPreviewPorts, checkPort } from './preview.mjs';
-import { loadAccount } from './account.mjs';
-import { runDoctor } from './doctor.mjs';
-import { appendLine, tailFile, logFile, TAILABLE, globalDir } from './logpaths.mjs';
-import { SessionReporter } from './session-reporter.mjs';
-import { TranscriptRecorder } from './transcript.mjs';
-import { loadObservabilityConsent, setObservabilityConsent } from './observability.mjs';
-import { spawn } from 'node:child_process';
-import { nanoid } from 'nanoid';
-
-const __filename = url.fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-
-// --- structured logging ---------------------------------------------------
-// Single helper used everywhere so log lines are uniformly tagged + timestamped.
-// Goes to stdout; the launcher redirects stdout/stderr to a file. Categories:
-// [http], [ws], [chat], [onboarding], [identity], [auth].
-function log(tag, ...args) {
-  const ts = new Date().toISOString();
-  const line = args
-    .map((a) =>
-      typeof a === 'string'
-        ? a
-        : a instanceof Error
-          ? a.stack || String(a)
-          : JSON.stringify(a),
-    )
-    .join(' ');
-  process.stdout.write(`${ts} ${tag} ${line}\n`);
-}
-
-// --- chat session persistence ---------------------------------------------
-// The conversation's claude session id, stored in the workspace's gitignored
-// .wild-workspace/ dir. Persisting it means a browser reload — or a server
-// restart — doesn't wipe the agent's memory of the conversation.
-function chatSessionPath(dataDir) {
-  return path.join(dataDir, 'chat-session.json');
-}
-function loadChatSessionId(dataDir) {
-  try {
-    const parsed = JSON.parse(readFileSync(chatSessionPath(dataDir), 'utf8'));
-    return typeof parsed.sessionId === 'string' ? parsed.sessionId : null;
-  } catch {
-    return null;
-  }
-}
-function saveChatSessionId(dataDir, sessionId) {
-  try {
-    writeFileSync(
-      chatSessionPath(dataDir),
-      JSON.stringify({ sessionId: sessionId || null }, null, 2),
-    );
-  } catch {
-    /* read-only fs — continuity degrades to in-memory for this run */
-  }
-}
-
-// Directory names already under .wild/imports/ — the auto-wake baseline.
-function scanImports(workspaceDir) {
-  try {
-    return readdirSync(path.join(workspaceDir, '.wild', 'imports'), {
-      withFileTypes: true,
-    })
-      .filter((e) => e.isDirectory())
-      .map((e) => e.name);
-  } catch {
-    return [];
-  }
-}
-
-export async function createServer(overrides = {}) {
-  const config = buildConfig(overrides);
-  // Refuse to start on a public bind with a forgeable default secret. (C1/C2)
-  assertSecureBinding(config);
-  if (!existsSync(config.dataDir)) mkdirSync(config.dataDir, { recursive: true });
-
-  const activityBus = new ActivityBus();
-  // Persist the revocation list so a revoked share token stays revoked across a
-  // server restart (concern C8). Lives in the gitignored .wild-workspace dir.
-  const tokenRegistry = new TokenRegistry({
-    persistPath: path.join(config.dataDir, 'revoked.json'),
-  });
-  // Device sign-in (Phase 2): pending "approve this device" requests. In-memory
-  // + ephemeral by design — a pending pairing that survives a restart is just a
-  // longer attack window for no UX gain. `overrides.pairingTtlMs` is a test seam.
-  const pairing = new PairingStore({
-    ttlMs: overrides.pairingTtlMs ?? 5 * 60 * 1000,
-    maxPending: overrides.pairingMaxPending ?? 5,
-  });
-  const inboxWatcher = new InboxWatcher(config.workspaceDir).start();
-  inboxWatcher.on('change', (payload) => {
-    activityBus.publish({ type: 'inbox-change', snapshot: payload.snapshot });
-  });
-
-  // Bridge the bmo-sync daemon's event feed into the ActivityBus. The daemon
-  // is a separate process and may be absent — the bridge retries quietly.
-  // `overrides.daemonBridge: false` disables it (used by tests).
-  const daemonBridge =
-    overrides.daemonBridge === false
-      ? null
-      : new DaemonBridge(activityBus, { url: config.daemonUrl }).start();
-
-  // Owns the bmo-sync daemon's lifecycle: starts it (detached + window-hidden)
-  // if it isn't already running, so sync just works whenever wild-workspace is
-  // used. The daemon outlives the server by design — not stopped in stop().
-  // `overrides.daemonSupervisor: false` disables it; an object injects test
-  // seams. Autostart is gated by config.daemonAutostart (off under tests).
-  const daemonSupervisor =
-    overrides.daemonSupervisor === false
-      ? null
-      : new DaemonSupervisor({
-          httpBase: config.daemonHttpUrl,
-          // b-ii: hand the daemon the account token + relay so it opens the
-          // proxy link (lights up <slug>.venturewild.llc). Null when logged out.
-          accountToken: config.accountToken,
-          serverUrl: config.bmoSyncServerUrl,
-          ...(typeof overrides.daemonSupervisor === 'object'
-            ? overrides.daemonSupervisor
-            : {}),
-        });
-  const daemonReady =
-    daemonSupervisor && config.daemonAutostart
-      ? daemonSupervisor
-          .ensureRunning()
-          .catch((e) => ({ started: false, error: String(e?.message || e) }))
-      : Promise.resolve({ started: false, skipped: true });
-
-  // Control plane for bmo-sync folder sharing (pair / detach / invite).
-  // `overrides.syncControl` is a test seam.
-  const syncControl =
-    overrides.syncControl ||
-    new SyncControl({
-      daemonHttpUrl: config.daemonHttpUrl,
-      bmoSyncServerUrl: config.bmoSyncServerUrl,
-      adminKey: config.bmoSyncAdminKey,
-    });
-
-  // `overrides.agents` / `overrides.activeAgent` are a test/embedding seam:
-  // a caller can inject agent definitions instead of probing PATH.
-  const detectedAgents = overrides.agents || (await detectAgents());
-  let activeAgent = overrides.activeAgent || pickDefaultAgent(detectedAgents);
-
-  // Error telemetry — forwards agent crashes etc. to bmo-sync-server so
-  // support can diagnose client-machine issues. Off via
-  // WILD_WORKSPACE_NO_TELEMETRY=1 or overrides.errorReporter = false.
-  const errorReporter =
-    overrides.errorReporter === false
-      ? { report: () => {} }
-      : overrides.errorReporter ||
-        new ErrorReporter({
-          bmoSyncUrl: config.bmoSyncServerUrl,
-          workspaceId: config.workspaceId,
-          enabled: process.env.WILD_WORKSPACE_NO_TELEMETRY !== '1',
-        });
-
-  // Proactive, consented session + install observability (session-reporter.mjs).
-  // Default-on with a clear disclosure at onboarding; off via the consent toggle
-  // or the WILD_WORKSPACE_NO_TELEMETRY kill switch. Inert in tests and without an
-  // account token. Carries WHAT happened + install health, never the words —
-  // conversation content is the separate transcript channel.
-  let observability = loadObservabilityConsent(config.dataDir);
-  const sessionEnabled = () =>
-    observability.enabled &&
-    process.env.WILD_WORKSPACE_NO_TELEMETRY !== '1' &&
-    !process.env.VITEST &&
-    config.nodeEnv !== 'test';
-  const sessionReporter =
-    overrides.sessionReporter === false
-      ? { ingest() {}, flush() {}, start() {}, stop() {}, setEnabled() {} }
-      : overrides.sessionReporter ||
-        new SessionReporter({
-          bmoSyncUrl: config.bmoSyncServerUrl,
-          accountToken: config.accountToken,
-          slug: config.account?.slug || null,
-          workspaceId: config.workspaceId,
-          sessionId: overrides.sessionId || nanoid(12),
-          enabled: sessionEnabled(),
-        });
-  // Conversation *content* channel (transcript.mjs) — separate from the feed.
-  // Appends markdown to ~/.wild-workspace/transcripts/<workspaceId>/ (OUTSIDE the
-  // synced repo); forwarding to us is consent-gated. Noop under the test runner so
-  // it never writes into a real home dir.
-  const transcriptForward = ({ markdown, date }) => {
-    if (!sessionEnabled() || !config.accountToken) return;
-    const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/telemetry`;
-    const ctrl = new AbortController();
-    const t = setTimeout(() => ctrl.abort(), 5000);
-    Promise.resolve()
-      .then(() =>
-        fetch(url, {
-          method: 'POST',
-          headers: { 'content-type': 'application/json' },
-          body: JSON.stringify({
-            account_token: config.accountToken,
-            slug: config.account?.slug || null,
-            workspace_id: config.workspaceId,
-            kind: 'transcript',
-            date,
-            markdown,
-            sent_at: Math.floor(Date.now() / 1000),
-          }),
-          signal: ctrl.signal,
-        }),
-      )
-      .catch(() => {})
-      .finally(() => clearTimeout(t));
-  };
-  const transcriptRecorder =
-    overrides.transcriptRecorder === false || process.env.VITEST || config.nodeEnv === 'test'
-      ? { ingest() {}, flush() {}, stop() {} }
-      : new TranscriptRecorder({
-          dir: path.join(globalDir(), 'transcripts', config.workspaceId),
-          agentName: loadIdentity(config.dataDir)?.name || activeAgent?.label || 'Agent',
-          forwardImpl: transcriptForward,
-        });
-
-  activityBus.on('event', (e) => {
-    try { sessionReporter.ingest(e); } catch { /* never let telemetry break the bus */ }
-    try { transcriptRecorder.ingest(e); } catch { /* nor the transcript */ }
-  });
-  sessionReporter.start();
-
-  // --- chat turn orchestration ----------------------------------------------
-  // One conversation per workspace in v1 (single-user, single tab — PRD §5.5).
-  // Both user sends and auto-wake turns thread through one turn-runner so they
-  // share the agent's memory and never run two claude processes at once.
-  let chatSessionId = loadChatSessionId(config.dataDir);
-  const chatClients = new Set(); // every connected /ws/chat socket
-  let currentTurn = null; //       { session, messageId } — at most one at a time
-
-  // Per-connection chat rate limit (SECURITY.md S6 / concern C4). Every send
-  // spawns an agent subprocess that costs real API tokens, so cap the burst a
-  // single socket can drive. Sliding window; overridable for tests/env.
-  const chatRate = {
-    max:
-      overrides.chatRateLimit?.max ??
-      (Number(process.env.WILD_WORKSPACE_CHAT_RATE_MAX) || 30),
-    windowMs:
-      overrides.chatRateLimit?.windowMs ??
-      (Number(process.env.WILD_WORKSPACE_CHAT_RATE_WINDOW_MS) || 60_000),
-  };
-
-  function broadcastChat(obj) {
-    const data = JSON.stringify(obj);
-    for (const ws of chatClients) {
-      if (ws.readyState === ws.OPEN) ws.send(data);
-    }
-  }
-
-  /**
-   * Run one chat turn: spawn the agent, stream every chunk to every chat
-   * client, and persist the resulting session id so the next turn resumes it.
-   *   - `userText` / `note`: optional lines shown before the agent reply (a
-   *     user bubble, or an auto-wake system note).
-   *   - `auto`: an automated (auto-wake) turn — never interrupts a live turn,
-   *     and retries once if the run fails (PRD §13 A8).
-   * Returns false if the turn could not start (an auto turn while busy).
-   */
-  function runChatTurn({ prompt, mode, messageId, userText, note, auto = false }) {
-    if (currentTurn) {
-      if (auto) return false; //          auto-wake yields to a live turn
-      currentTurn.session.close(); //     a user send supersedes what's running
-      currentTurn = null;
-    }
-    const id = messageId || nanoid(8);
-    broadcastChat({ type: 'turn-begin', messageId: id, userText, note });
-    activityBus.publish({
-      type: 'chat-user',
-      messageId: id,
-      text: userText || note || prompt,
-    });
-
-    let retried = false;
-    const startTurn = () => {
-      const startedAt = Date.now();
-      log('[chat]', `turn-begin id=${id} auto=${auto} mode=${mode || 'build'} promptChars=${(prompt || '').length}`);
-      const session = new AgentSession(activeAgent);
-      currentTurn = { session, messageId: id };
-      let sawError = false;
-      session.on('chunk', (chunk) => {
-        if (chunk.type === 'error') sawError = true;
-        broadcastChat({ type: 'chunk', messageId: id, chunk });
-        activityBus.publish({ type: 'chat-stream', messageId: id, chunk });
-        // Surface the turn's token/cost totals so the activity bar can show
-        // running usage — the ActivityBus accumulates events typed 'usage'.
-        if (chunk.type === 'usage' && chunk.usage) {
-          activityBus.publish({ type: 'usage', usage: chunk.usage });
-        }
-      });
-      session.on('stderr', (text) => {
-        const trimmed = String(text || '').trim();
-        if (trimmed) log('[chat]', `stderr id=${id}: ${trimmed.slice(0, 240)}`);
-        broadcastChat({ type: 'stderr', messageId: id, text });
-      });
-      session.on('error', (err) => {
-        sawError = true;
-        const msg = String(err?.message || err);
-        log('[chat]', `error id=${id}: ${msg}`);
-        errorReporter.report({
-          category: 'agent',
-          message: msg,
-          stack: err?.stack,
-          agentLabel: activeAgent?.label,
-        });
-        broadcastChat({
-          type: 'error',
-          messageId: id,
-          message: msg,
-        });
-        currentTurn = null;
-      });
-      session.on('end', ({ code }) => {
-        currentTurn = null;
-        const elapsed = Date.now() - startedAt;
-        log('[chat]', `turn-end id=${id} code=${code} ms=${elapsed} closed=${session.closed} sawError=${sawError}`);
-        // Silent agent crash → telemetry. A non-zero exit (or signal-kill =
-        // code null) that wasn't user-cancelled is exactly the failure mode
-        // we want to see in the central log. Skip the user-cancelled and
-        // clean-exit cases.
-        if (!session.closed && (code !== 0 || sawError)) {
-          errorReporter.report({
-            category: 'agent',
-            message:
-              code === null
-                ? `agent subprocess killed by signal after ${elapsed}ms (no chunks)`
-                : `agent exited code=${code} after ${elapsed}ms sawError=${sawError}`,
-            agentLabel: activeAgent?.label,
-          });
-        }
-        // A turn closed on purpose — cancelled by the user, or superseded by
-        // the next turn — never reached a clean finish: it must not retry and
-        // must not persist its session id (that would clobber a reset, or
-        // resurrect a turn the user just stopped).
-        if (!session.closed) {
-          // An automated turn retries once on a failed run — `claude -p`
-          // spawned non-interactively hits transient API resets (PRD §13 A8).
-          if (auto && !retried && (sawError || code !== 0)) {
-            retried = true;
-            setTimeout(startTurn, 700);
-            return;
-          }
-          if (session.sessionId) {
-            chatSessionId = session.sessionId;
-            saveChatSessionId(config.dataDir, chatSessionId);
-          }
-        }
-        broadcastChat({ type: 'end', messageId: id, code });
-        activityBus.publish({ type: 'chat-end', messageId: id, code });
-      });
-      session.send(prompt, {
-        cwd: config.workspaceDir,
-        mode,
-        resumeSessionId: chatSessionId,
-      });
-    };
-    startTurn();
-    return true;
-  }
-
-  function resetChat() {
-    if (currentTurn) {
-      currentTurn.session.close();
-      currentTurn = null;
-    }
-    chatSessionId = null;
-    saveChatSessionId(config.dataDir, null);
-    broadcastChat({ type: 'reset' });
-  }
-
-  // --- auto-wake on import (AR-23) ------------------------------------------
-  // When `wild add` (or a bmo-sync delivery) drops a new component into
-  // .wild/imports/, wake the agent in PLAN mode to PROPOSE the integration.
-  // Plan mode is the consent boundary — it cannot edit files, so auto-wake
-  // only ever proposes; the user's reply applies it in Build mode.
-  const autoWakeMs = overrides.autoWakeDebounceMs ?? 1500;
-  const autoWakeEnabled = overrides.autoWake !== false;
-  let knownImports = new Set(scanImports(config.workspaceDir)); // startup baseline
-  let pendingWake = new Set();
-  let autoWakeTimer = null;
-
-  if (autoWakeEnabled) {
-    inboxWatcher.on('change', ({ snapshot }) => {
-      const current = new Set(snapshot.imports || []);
-      for (const name of current) {
-        if (!knownImports.has(name)) pendingWake.add(name);
-      }
-      knownImports = current;
-      if (pendingWake.size === 0) return;
-      // Debounce: `wild add` writes several files; collapse the burst.
-      clearTimeout(autoWakeTimer);
-      autoWakeTimer = setTimeout(fireAutoWake, autoWakeMs);
-    });
-  }
-
-  function fireAutoWake() {
-    const names = [...pendingWake];
-    if (names.length === 0) return;
-    pendingWake = new Set();
-    const list = names.join(', ');
-    const note = `📦 Imported ${list} — proposing an integration plan…`;
-    const prompt =
-      `A new wild component was just imported into this workspace: ` +
-      `${names.map((n) => `.wild/imports/${n}/`).join(', ')}. ` +
-      `You are in Plan mode, so you cannot modify files — only propose. ` +
-      `Read each component's README.md, look at the existing workspace, then ` +
-      `lay out how to integrate it: where the files should go, whether to ` +
-      `merge / overwrite / namespace, and any risks. Then stop so I can choose.`;
-    const started = runChatTurn({ prompt, mode: 'plan', note, auto: true });
-    if (!started) {
-      // The chat was busy — re-queue so the import isn't silently dropped.
-      for (const n of names) pendingWake.add(n);
-      clearTimeout(autoWakeTimer);
-      autoWakeTimer = setTimeout(fireAutoWake, 3000);
-    }
-  }
-
-  const app = new Hono();
-
-  // --- auth helpers ---------------------------------------------------------
-  // Classify one raw token into a role. Shared by the Authorization header, the
-  // HttpOnly auth cookie, and the `?t=` query so all three stay consistent.
-  // `allowOperator` is true ONLY for the header path — the operator (support)
-  // token is header-only so it can never leak via a URL or a shared cookie
-  // (SECURITY.md S1).
-  async function classifyToken(token, { allowOperator = false, source } = {}) {
-    if (!token) return null;
-    if (token === config.partnerToken) {
-      return { role: ROLES.PARTNER, sub: 'partner', source };
-    }
-    if (allowOperator && config.operatorToken && token === config.operatorToken) {
-      return { role: ROLES.OPERATOR, sub: 'operator', source: source || 'operator-token' };
-    }
-    const payload = await verifyShareToken(token, config.shareSecret);
-    if (payload && !tokenRegistry.isRevoked(payload.sub)) {
-      return {
-        role: payload.role,
-        sub: payload.sub,
-        workspaceId: payload.workspaceId,
-        source,
-        exp: payload.exp,
-      };
-    }
-    return null;
-  }
-
-  // Parse a single cookie value out of a raw Cookie header. Avoids a dependency
-  // on hono/cookie and works the same for the Node WS upgrade request.
-  function readCookie(rawCookie, name) {
-    if (!rawCookie) return null;
-    for (const part of rawCookie.split(';')) {
-      const idx = part.indexOf('=');
-      if (idx === -1) continue;
-      if (part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
-    }
-    return null;
-  }
-
-  const AUTH_COOKIE = 'wild_auth';
-  function authCookieAttrs(value, maxAgeSeconds) {
-    const attrs = [
-      `${AUTH_COOKIE}=${value}`,
-      'HttpOnly',
-      'SameSite=Strict',
-      'Path=/',
-      `Max-Age=${Math.max(0, Math.floor(maxAgeSeconds))}`,
-    ];
-    // Secure only in public mode — the edge (Cloudflare) terminates TLS, so the
-    // browser sees HTTPS. On a localhost (http) dev bind, Secure would drop it.
-    if (config.publicMode) attrs.push('Secure');
-    return attrs.join('; ');
-  }
-
-  // --- auth + role resolution ---
-  async function resolveRole(c) {
-    // 1. Authorization: Bearer — the only path that may carry the operator token.
-    const auth = c.req.header('authorization');
-    if (auth?.startsWith('Bearer ')) {
-      const hit = await classifyToken(auth.slice('Bearer '.length).trim(), {
-        allowOperator: true,
-        source: 'bearer',
-      });
-      if (hit) return hit;
-    }
-    // 2. HttpOnly auth cookie — set by /api/auth/exchange so the partner token
-    //    never has to live in the URL after first load (SECURITY.md S1). The
-    //    browser sends it automatically on both API fetches and WS handshakes.
-    const cookieToken = readCookie(c.req.header('cookie'), AUTH_COOKIE);
-    if (cookieToken) {
-      const hit = await classifyToken(cookieToken, { source: 'cookie' });
-      if (hit) return hit;
-    }
-    // 3. `?t=` query — a fresh navigation can only carry a token this way. Kept
-    //    for the share-link first-hit + backward compatibility; the client
-    //    exchanges it for the cookie and strips it from the URL immediately.
-    const queryToken = c.req.query('t');
-    if (queryToken) {
-      const hit = await classifyToken(queryToken, { source: 'query' });
-      if (hit) return hit;
-    }
-    // Default for local partner UX — same machine, no token expected.
-    if (!config.publicMode) {
-      return { role: ROLES.PARTNER, sub: 'local-partner', source: 'localhost' };
-    }
-    // Public mode with no valid token: deny. No anonymous viewer access —
-    // a share JWT or the partner token is required. (Concern C1.)
-    return { role: null, sub: 'anon', source: 'unauth', denied: true };
-  }
-
-  function require(c, capability) {
-    const cap = ROLE_CAPABILITIES[c.get('role')];
-    if (!cap || !cap[capability]) {
-      return c.json({ error: 'forbidden', capability, role: c.get('role') }, 403);
-    }
-    return null;
-  }
-
-  // Persistent audit trail for privileged actions (SECURITY.md S8). The [http]
-  // line is ephemeral (stdout, rotated); this records WHO did WHAT to a durable
-  // log under ~/.wild-workspace (outside the synced repo) that doctor/logs and
-  // the operator channel can read. Never throws.
-  function auditAction(c, action, detail) {
-    const s = c.get('session') || {};
-    appendLine(
-      'audit',
-      `${action} role=${c.get('role') || '-'} sub=${s.sub || '-'} src=${s.source || '-'}` +
-        (detail ? ` ${detail}` : ''),
-    );
-  }
-
-  // Security headers on every response (SECURITY.md S7). Set AFTER next() so they
-  // land on static-asset + SPA-fallback responses too. Referrer-Policy: no-referrer
-  // also backstops S1 — a stale `?t=` in the URL can't leak via the Referer header.
-  app.use('*', async (c, next) => {
-    await next();
-    const h = c.res.headers;
-    h.set('X-Content-Type-Options', 'nosniff');
-    h.set('Referrer-Policy', 'no-referrer');
-    h.set('X-Frame-Options', 'SAMEORIGIN');
-    h.set('Cross-Origin-Opener-Policy', 'same-origin');
-    // Conservative CSP: locks framing (anti-clickjacking), object/base, and the
-    // connect surface, while leaving script/style permissive so the prebuilt
-    // SPA bundle isn't broken. `frame-src *` keeps the live-preview iframe (which
-    // points at the user's local dev server) working. Tightening script-src is a
-    // follow-up that needs a bundle audit.
-    if (!h.has('Content-Security-Policy')) {
-      h.set(
-        'Content-Security-Policy',
-        [
-          "default-src 'self'",
-          "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
-          "style-src 'self' 'unsafe-inline'",
-          "img-src 'self' data: blob:",
-          "font-src 'self' data:",
-          "connect-src 'self' ws: wss: https:",
-          'frame-src *',
-          "frame-ancestors 'self'",
-          "object-src 'none'",
-          "base-uri 'self'",
-        ].join('; '),
-      );
-    }
-  });
-
-  // API paths reachable WITHOUT auth: health, plus the device sign-in start/poll
-  // (a brand-new browser has no token yet — it must be able to start a pairing
-  // request and poll for approval). Everything else under /api/* is walled in
-  // public mode; pair/approve+deny+requests are NOT here, so anon hits a clean
-  // 401 before their `require(c,'share')` gate even runs.
-  const PUBLIC_API = new Set([
-    '/api/health',
-    '/api/auth/pair/start',
-    '/api/auth/pair/status',
-  ]);
-  app.use('*', async (c, next) => {
-    const session = await resolveRole(c);
-    c.set('role', session.role);
-    c.set('session', session);
-    // Block the API for denied (non-localhost, unauthenticated) requests, but
-    // let static assets + the public endpoints through so the SPA can still
-    // load and prompt for sign-in. (Concern C1.)
-    if (session.denied && c.req.path.startsWith('/api/') && !PUBLIC_API.has(c.req.path)) {
-      log('[auth]', `denied ${c.req.method} ${c.req.path} src=${session.source}`);
-      return c.json({ error: 'unauthorized' }, 401);
-    }
-    await next();
-  });
-
-  // Lightweight HTTP request log — every /api/* call, with status + duration.
-  // Static asset traffic is noisy and uninteresting, so we skip it.
-  app.use('/api/*', async (c, next) => {
-    const t0 = Date.now();
-    await next();
-    const ms = Date.now() - t0;
-    const role = c.get('role') || 'anon';
-    log('[http]', `${c.req.method} ${c.req.path} ${c.res.status} ${ms}ms role=${role}`);
-  });
-
-  // --- meta ---
-  app.get('/api/health', (c) =>
-    c.json({ status: 'ok', version: APP_VERSION, ts: Date.now() }),
-  );
-
-  app.get('/api/session', (c) => {
-    const session = c.get('session');
-    const role = c.get('role');
-    const identity = loadIdentity(config.dataDir);
-    return c.json({
-      version: APP_VERSION,
-      role,
-      capabilities: ROLE_CAPABILITIES[role],
-      workspace: workspaceSummary(config.workspaceDir),
-      workspaceId: config.workspaceId,
-      session,
-      agent: activeAgent
-        ? { id: activeAgent.id, label: activeAgent.label, available: activeAgent.available }
-        : null,
-      identity,
-      onboarded: Boolean(identity?.onboardedAt),
-      shareBaseUrl: config.shareBaseUrl,
-      // `account` is set after the user runs `wild-workspace login`. The UI
-      // uses it to show "you are <slug>" and to seed step 4 of onboarding
-      // with the actual <slug>.venturewild.llc URL. accountToken is NOT
-      // exposed — it stays in server-side config only.
-      account: config.account,
-      // Consent state for the proactive observability feed, so settings/onboarding
-      // can show + toggle it. The disclosure copy lives in the UI.
-      observability: { enabled: observability.enabled, version: observability.version },
-    });
-  });
-
-  // --- auth: token → HttpOnly cookie exchange (SECURITY.md S1) ---------------
-  // A browser opening <slug>.venturewild.llc?t=<token> can only carry the token
-  // in the URL. The partner token is RCE-grade, so it must NOT linger there
-  // (history / referrer / edge logs). The SPA calls this once at boot with the
-  // token in an Authorization header (never a logged URL), we move it into an
-  // HttpOnly cookie, and the client strips ?t= from the address bar. Every
-  // later request — API fetch or WS handshake — authenticates via the cookie.
-  // The global middleware already verified the token before this runs, so the
-  // session is trustworthy; we just persist it.
-  app.post('/api/auth/exchange', async (c) => {
-    const session = c.get('session');
-    if (!session || session.denied || !session.role) {
-      return c.json({ error: 'invalid-token' }, 401);
-    }
-    // Operator tokens stay header-only — never minted into a cookie.
-    if (session.role === ROLES.OPERATOR) {
-      return c.json({ error: 'not-exchangeable' }, 400);
-    }
-    // The exact token to persist: whatever authenticated this request.
-    const auth = c.req.header('authorization');
-    const token =
-      (auth?.startsWith('Bearer ') ? auth.slice('Bearer '.length).trim() : null) ||
-      c.req.query('t');
-    if (!token) {
-      // localhost (no token) — cookie auth is unnecessary; nothing to persist.
-      return c.json({ ok: true, role: session.role, cookie: false });
-    }
-    // Cookie lifetime: a share JWT lives until its exp; the partner token has no
-    // exp. Now that the signing secret is durable across restarts/upgrades
-    // (config.mjs persists it to the per-install global dir), give the owner's
-    // browser a long-lived cookie so "just type your domain" keeps working — no
-    // token in the URL, no surprise logout. Capped at a year for an everyday user.
-    const now = Math.floor(Date.now() / 1000);
-    const PARTNER_COOKIE_MAX_AGE = 365 * 24 * 3600;
-    const maxAge = session.exp ? Math.max(60, session.exp - now) : PARTNER_COOKIE_MAX_AGE;
-    c.header('Set-Cookie', authCookieAttrs(token, maxAge));
-    log('[auth]', `exchange role=${session.role} src=${session.source} ttl=${maxAge}s`);
-    return c.json({ ok: true, role: session.role, cookie: true });
-  });
-
-  app.post('/api/auth/logout', (c) => {
-    c.header('Set-Cookie', authCookieAttrs('', 0));
-    return c.json({ ok: true });
-  });
-
-  // --- device sign-in (Phase 2): "approve a new device from one you're already
-  // signed in on" (WhatsApp-Web-style). The new device gets a short CODE (the
-  // owner reads it off the screen) + an unguessable requestId it polls by. The
-  // owner approves from a partner session, echoing the matching code (confused-
-  // deputy defense), which mints a revocable partner token the new device
-  // exchanges for the usual login cookie. No token is ever typed by the user.
-
-  // Fixed-vocabulary label derived from the User-Agent — safe to render in the
-  // owner's (privileged) approval UI without escaping, unlike a client string.
-  const deviceLabelFromUA = (ua) => {
-    const s = String(ua || '');
-    const os = /iPhone/.test(s)
-      ? 'iPhone'
-      : /iPad/.test(s)
-        ? 'iPad'
-        : /Android/.test(s)
-          ? 'Android'
-          : /Mac OS X|Macintosh/.test(s)
-            ? 'Mac'
-            : /Windows/.test(s)
-              ? 'Windows'
-              : /Linux/.test(s)
-                ? 'Linux'
-                : 'a device';
-    const browser = /Edg\//.test(s)
-      ? 'Edge'
-      : /Chrome\//.test(s)
-        ? 'Chrome'
-        : /Firefox\//.test(s)
-          ? 'Firefox'
-          : /Safari\//.test(s)
-            ? 'Safari'
-            : 'a browser';
-    return `${browser} on ${os}`;
-  };
-
-  // Per-IP start limiter (defense-in-depth; the store's global pending cap is the
-  // primary control). Overridable for tests.
-  const pairStartRate = {
-    max: Number(overrides.pairStartRate?.max ?? 10),
-    windowMs: Number(overrides.pairStartRate?.windowMs ?? 10 * 60 * 1000),
-  };
-  const pairStartHits = new Map(); // ip -> timestamps[]
-
-  app.post('/api/auth/pair/start', async (c) => {
-    const ip =
-      c.req.header('x-forwarded-for')?.split(',')[0].trim() ||
-      c.req.header('x-real-ip') ||
-      'global';
-    const now = Date.now();
-    const hits = (pairStartHits.get(ip) || []).filter((t) => now - t < pairStartRate.windowMs);
-    if (hits.length >= pairStartRate.max) {
-      return c.json({ error: 'rate_limited' }, 429);
-    }
-    hits.push(now);
-    pairStartHits.set(ip, hits);
-
-    const label = deviceLabelFromUA(c.req.header('user-agent'));
-    const created = pairing.create({ label });
-    if (!created) {
-      // Global pending cap reached — too many devices already awaiting approval.
-      return c.json({ error: 'too_many_pending' }, 429);
-    }
-    activityBus.publish({ type: 'pair-requested', requestId: created.requestId, label });
-    log('[auth]', `pair start label="${label}" req=${created.requestId}`);
-    return c.json({
-      requestId: created.requestId,
-      code: created.code,
-      expiresAt: created.expiresAt,
-      pollAfterMs: 2500,
-    });
-  });
-
-  app.post('/api/auth/pair/status', async (c) => {
-    const body = await c.req.json().catch(() => ({}));
-    const requestId = typeof body.requestId === 'string' ? body.requestId : '';
-    // Polls by requestId only (never the code) → nothing brute-forceable here.
-    // One-shot: the token is returned exactly once, then the record is 'claimed'.
-    // A missing/unknown id is a terminal 'expired' (200) — the client just
-    // restarts — so the poll endpoint always answers 200.
-    return c.json(requestId ? pairing.claim(requestId) : { status: 'expired' });
-  });
-
-  app.get('/api/auth/pair/requests', (c) => {
-    const forbidden = require(c, 'share');
-    if (forbidden) return forbidden;
-    return c.json({ requests: pairing.listPending() });
-  });
-
-  app.post('/api/auth/pair/approve', async (c) => {
-    const forbidden = require(c, 'share');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const code = String(body.code ?? '').trim();
-    // The owner types the code shown on the new device; resolve it to the one
-    // pending request (confused-deputy defense — possession of the code). A code
-    // that matches nothing pending mints nothing.
-    const pending = pairing.findPendingByCode(code);
-    if (!pending) {
-      return c.json({ error: 'no_match' }, 404);
-    }
-    const minted = await mintDeviceToken({
-      secret: config.shareSecret,
-      workspaceId: config.workspaceId,
-    });
-    // Re-validate inside approve (status + code) to close the await-window race.
-    if (!pairing.approve(pending.requestId, code, minted)) {
-      return c.json({ error: 'not_pending' }, 409);
-    }
-    tokenRegistry.add({ ...minted, kind: 'device', label: pending.label, createdAt: Date.now() });
-    activityBus.publish({
-      type: 'pair-approved',
-      requestId: pending.requestId,
-      sub: minted.sub,
-      label: pending.label,
-    });
-    auditAction(c, 'pair-approve', `label="${pending.label}" grantSub=${minted.sub}`);
-    return c.json({ ok: true, label: pending.label });
-  });
-
-  app.post('/api/auth/pair/deny', async (c) => {
-    const forbidden = require(c, 'share');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const requestId = typeof body.requestId === 'string' ? body.requestId : '';
-    const pending = pairing.get(requestId);
-    pairing.deny(requestId);
-    activityBus.publish({ type: 'pair-denied', requestId });
-    auditAction(c, 'pair-deny', `req=${requestId} label="${pending?.label || '-'}"`);
-    return c.json({ ok: true });
-  });
-
-  // --- agent identity (onboarding) ---
-  // Persisted to <dataDir>/agent-identity.json. Absence of this file is the
-  // signal the UI uses to launch the 5-step onboarding flow.
-  app.get('/api/agent/identity', (c) => {
-    const identity = loadIdentity(config.dataDir);
-    return c.json({ identity, tones: TONES });
-  });
-
-  // --- agent readiness (the agent-login gate) ---
-  // "Is the wrapped agent installed AND signed in?" detectAgents() only proves
-  // the binary is on PATH; this proves a turn will actually work. Onboarding
-  // calls this before its folder-peek wow beat so a not-signed-in user gets a
-  // calm "sign in to Claude" step instead of a broken error bubble (the §3.2
-  // open question in docs/user-experience.md). See agent-readiness.mjs.
-  //
-  // Cached briefly: a 'ready' verdict rarely flips, and the probe spawns a
-  // subprocess. `?fresh=1` forces a re-probe (the gate's "I've signed in" button
-  // sends it so the user isn't stuck behind a stale 'login' verdict).
-  let _readinessCache = null; // { at, verdict }
-  const READINESS_TTL_MS = 30_000;
-  const agentTag = (a) => (a ? { id: a.id, label: a.label } : null);
-  app.get('/api/agent/readiness', async (c) => {
-    const forbidden = require(c, 'chat');
-    if (forbidden) return forbidden;
-    const fresh = c.req.query('fresh') === '1';
-    const now = Date.now();
-    if (!fresh && _readinessCache && now - _readinessCache.at < READINESS_TTL_MS) {
-      return c.json({ agent: agentTag(activeAgent), ...(_readinessCache.verdict) });
-    }
-    const verdict = await probeAgentReadiness(activeAgent);
-    _readinessCache = { at: now, verdict };
-    log('[onboarding]', `readiness agent=${activeAgent?.id || '-'} status=${verdict.status}${verdict.email ? ` email=${verdict.email}` : ''}`);
-    return c.json({ agent: agentTag(activeAgent), ...verdict });
-  });
-
-  // In-app "Sign in to Claude" — drives `claude auth login` in a real PTY so the
-  // browser OAuth callback auto-completes and the user never touches a terminal.
-  // (See agent-login.mjs.) Claude opens the OAuth URL in the user's browser itself
-  // (the server is local), so we do NOT open it again here — doing so spawned a
-  // duplicate tab; the UI surfaces the captured URL as a "didn't open?" fallback.
-  // Degrades to `{status:'unsupported'}` if node-pty is absent (gate → terminal).
-  let _loginSession = null;
-  const emptyLoginSnap = { status: 'idle', url: null, error: null, verdict: null };
-  app.post('/api/agent/login/start', async (c) => {
-    const forbidden = require(c, 'chatWrite');
-    if (forbidden) return forbidden;
-    if (!_loginSession) _loginSession = new ClaudeLoginSession({ agent: activeAgent });
-    _loginSession.agent = activeAgent; // track the active agent if it changed
-    const snap = await _loginSession.start();
-    _readinessCache = null; // a sign-in is about to change auth state — don't serve stale
-    log('[onboarding]', `login start status=${snap.status}`);
-    return c.json(snap);
-  });
-  app.get('/api/agent/login/status', async (c) => {
-    const forbidden = require(c, 'chat');
-    if (forbidden) return forbidden;
-    return c.json(_loginSession ? _loginSession.snapshot() : emptyLoginSnap);
-  });
-  app.post('/api/agent/login/code', async (c) => {
-    const forbidden = require(c, 'chatWrite');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const ok = _loginSession ? _loginSession.submitCode(body.code) : false;
-    return c.json({ ok, ...(_loginSession ? _loginSession.snapshot() : emptyLoginSnap) });
-  });
-
-  app.post('/api/agent/identity', async (c) => {
-    const forbidden = require(c, 'chatWrite');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    try {
-      const saved = saveIdentity(config.dataDir, {
-        name: body.name,
-        tone: body.tone,
-        color: body.color,
-        connectedServices: body.connectedServices,
-      });
-      log('[identity]', `saved name=${saved.name} tone=${saved.tone} color=${saved.color}`);
-      activityBus.publish({ type: 'identity-changed', name: saved.name, tone: saved.tone });
-      return c.json({ identity: saved });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  app.post('/api/agent/onboarded', (c) => {
-    const forbidden = require(c, 'chatWrite');
-    if (forbidden) return forbidden;
-    try {
-      const saved = markOnboarded(config.dataDir);
-      log('[onboarding]', `complete name=${saved.name}`);
-      activityBus.publish({ type: 'onboarded', at: saved.onboardedAt });
-      return c.json({ identity: saved });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  // Consent toggle for the proactive observability feed (default-on — see
-  // observability.mjs). Owner-only; applied live to the reporter, no restart.
-  app.post('/api/observability/consent', async (c) => {
-    const forbidden = require(c, 'chatWrite');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const enabled = body.enabled !== false;
-    observability = setObservabilityConsent(config.dataDir, enabled);
-    sessionReporter.setEnabled(sessionEnabled());
-    activityBus.publish({ type: 'observability-consent', enabled });
-    log('[observability]', `consent set enabled=${enabled}`);
-    return c.json({ observability: { enabled: observability.enabled, version: observability.version } });
-  });
-
-  // --- onboarding step 2: agent peeks at a folder ---
-  // The browser sends a small sample of the chosen folder's contents — file
-  // names + a short head of each text file — and we ask the agent to react
-  // in one or two sentences. Runs through the normal turn-runner; the browser
-  // supplies the messageId so the onboarding overlay can subscribe to /ws/chat
-  // and stream the reaction back into a bubble next to the dropzone — the
-  // "agent reacts in ~2s" beat the locked plan calls the highest-converting moment.
-  app.post('/api/onboarding/peek', async (c) => {
-    const forbidden = require(c, 'chatWrite');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const files = Array.isArray(body.files) ? body.files.slice(0, 80) : [];
-    const folderName = (body.folderName || 'this folder').slice(0, 80);
-    if (files.length === 0) return c.json({ error: 'no-files' }, 400);
-    const sample = files
-      .map((f) => {
-        const head = typeof f.head === 'string' ? f.head.slice(0, 600) : '';
-        return head
-          ? `--- ${f.path}\n${head}`
-          : `--- ${f.path}`;
-      })
-      .join('\n');
-    const identity = loadIdentity(config.dataDir);
-    const youAre = identity?.name
-      ? `You are ${identity.name}, a ${identity.tone || 'concise'} AI assistant just meeting your human for the first time.`
-      : `You are an AI assistant just meeting your human for the first time.`;
-    const prompt =
-      `${youAre} They just showed you a folder called "${folderName}" with ` +
-      `${files.length} file${files.length === 1 ? '' : 's'}. Below is a quick ` +
-      `sample of what's inside. In ONE or TWO short sentences, react: name ` +
-      `what you see, then propose ONE specific, concrete thing you could do ` +
-      `with it that would be useful. Be specific — reference real filenames ` +
-      `or content. Don't ask permission, don't list options, don't introduce ` +
-      `yourself. Just react like a smart friend who just glanced at the desk.\n\n` +
-      sample;
-    const messageId =
-      typeof body.messageId === 'string' && body.messageId.trim()
-        ? body.messageId.trim().slice(0, 64)
-        : undefined;
-    log('[onboarding]', `peek folder=${folderName} files=${files.length} sampleBytes=${sample.length} mid=${messageId || '(auto)'}`);
-    const started = runChatTurn({
-      prompt,
-      mode: 'plan',
-      messageId,
-      note: `👀 ${identity?.name || 'Your agent'} is looking at ${folderName}…`,
-      auto: true,
-    });
-    return c.json({ ok: true, sampled: files.length, started: started !== false });
-  });
-
-  // --- onboarding step 5: kick off the user's first real job ---
-  // The browser picks one of three known job kinds; the server builds the
-  // matching prompt incorporating the agent's tone + the optional peek context
-  // so the long instruction shape stays server-side (the user sees a clean
-  // "Started: …" note, not the raw prompt). Same WS streaming contract as
-  // peek — the browser supplies the messageId.
-  app.post('/api/onboarding/start-job', async (c) => {
-    const forbidden = require(c, 'chatWrite');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const kind = typeof body.kind === 'string' ? body.kind : '';
-    const messageId =
-      typeof body.messageId === 'string' && body.messageId.trim()
-        ? body.messageId.trim().slice(0, 64)
-        : undefined;
-    const peekFolder =
-      typeof body.peekFolderName === 'string'
-        ? body.peekFolderName.slice(0, 80)
-        : null;
-    const identity = loadIdentity(config.dataDir);
-    const tone = identity?.tone || 'concise';
-    const name = identity?.name || 'your agent';
-    const youAre = `You are ${name}, a ${tone} AI assistant. Your human just finished a 5-step onboarding and picked their first job. Stay in character.`;
-    let prompt;
-    let note;
-    if (kind === 'survey') {
-      prompt =
-        `${youAre} Look at the wild-workspace folder this server runs in — ` +
-        `read CLAUDE.md, README.md, and any package.json or top-level docs ` +
-        `you find. In ONE short paragraph, summarize what this project is ` +
-        `and what's notable about it. Be ${tone}. Don't ask permission ` +
-        `first — just go. Finish with a single concrete next-step question.`;
-      note = `🔎 First job — ${name} is reading your workspace…`;
-    } else if (kind === 'startup') {
-      const folderHint = peekFolder
-        ? ` They showed you a folder called "${peekFolder}" earlier — feel free to reference it.`
-        : '';
-      prompt =
-        `${youAre} Your human wants to start a new project but hasn't said ` +
-        `what yet.${folderHint} In ONE or TWO sentences, ask the single ` +
-        `most useful question that will help you understand what they want ` +
-        `to build today. Be ${tone}, warm, and concrete — no list of options.`;
-      note = `🚀 First job — ${name} is figuring out what to build with you…`;
-    } else if (kind === 'chat') {
-      prompt =
-        `${youAre} Your human picked the "just chat" option — they want to ` +
-        `get to know you, no agenda yet. Say a brief hello, then ask ONE ` +
-        `short question that will help you find a job for them today. Be ` +
-        `${tone}. Don't introduce yourself by name (they already named you).`;
-      note = `💬 First job — ${name} is settling in…`;
-    } else {
-      return c.json({ error: 'unknown-job-kind' }, 400);
-    }
-    log('[onboarding]', `start-job kind=${kind} mid=${messageId || '(auto)'} peek=${peekFolder || '-'}`);
-    const started = runChatTurn({
-      prompt,
-      mode: 'build',
-      messageId,
-      note,
-      auto: true,
-    });
-    return c.json({ ok: true, started: started !== false });
-  });
-
-  app.get('/api/agents', (c) => {
-    const forbidden = require(c, 'chat');
-    if (forbidden) return forbidden;
-    // resolvedPath is a local filesystem path — only the owner (partner) needs
-    // it; don't leak the install layout to a share-link viewer/client. (S2.)
-    const isPartner = c.get('role') === ROLES.PARTNER;
-    return c.json({
-      available: detectedAgents.map(({ id, label, description, available, resolvedPath }) => ({
-        id,
-        label,
-        description,
-        available,
-        resolvedPath: isPartner ? resolvedPath : undefined,
-      })),
-      active: activeAgent?.id,
-    });
-  });
-
-  app.post('/api/agents/select', async (c) => {
-    const forbidden = require(c, 'chatWrite');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const next = detectedAgents.find((a) => a.id === body.id);
-    if (!next) return c.json({ error: 'unknown-agent', id: body.id }, 400);
-    activeAgent = next;
-    activityBus.publish({ type: 'agent-changed', agentId: next.id });
-    auditAction(c, 'agent-select', `id=${next.id}`);
-    return c.json({ ok: true, active: activeAgent.id });
-  });
-
-  // --- operator channel (consented support; OFF unless a token is set) -------
-  // The dedicated operator token (operator.mjs) maps to the `operator` role in
-  // resolveRole; every route here gates on the `operate` capability. When the
-  // channel is disabled (no token) the routes 404 so the surface is invisible.
-  // Each call is audit-logged to operator.log AND surfaced in the activity feed
-  // (CLAUDE.md principle #5 — both peers see what happened). The actions are a
-  // CURATED ALLOWLIST — never arbitrary shell (docs/SECURITY.md).
-  const operatorDeps = {
-    runDoctor: (o) => runDoctor(o),
-    detectAgents,
-    loadAccount,
-    spawn,
-    ...(overrides.operatorDeps || {}),
-  };
-  const operatorEnabled = () => Boolean(config.operatorToken);
-  function auditOperator(c, action, detail) {
-    const s = c.get('session') || {};
-    appendLine('operator', `${action} by=${s.sub || 'operator'} src=${s.source || '-'} ${detail || ''}`.trim());
-    activityBus.publish({ type: 'operator-action', action, detail: detail || null, at: Date.now() });
-  }
-
-  // Curated remediation actions. Each reuses an existing seam; none runs an
-  // arbitrary command. (`restart-server` is intentionally absent — exiting the
-  // process would sever the very tunnel we reach the user through on a machine
-  // without the always-on supervisor; deferred — see SECURITY.md.)
-  const OPERATOR_ACTIONS = {
-    'run-doctor': async () => operatorDeps.runDoctor({ config }),
-    'restart-daemon': async () => {
-      if (!daemonSupervisor) return { restarted: false, reason: 'daemon-supervisor-disabled' };
-      await daemonSupervisor.stop().catch(() => {});
-      return daemonSupervisor.ensureRunning();
-    },
-    'relink-account': async () => {
-      const account = operatorDeps.loadAccount(config.dataDir);
-      if (daemonSupervisor) {
-        await daemonSupervisor.stop().catch(() => {});
-        await daemonSupervisor.ensureRunning().catch(() => {});
-      }
-      return { relinked: Boolean(account?.slug), slug: account?.slug || null, email: account?.email || null };
-    },
-    'redetect-agent': async () => {
-      const agents = (await operatorDeps.detectAgents()) || [];
-      const next = pickDefaultAgent(agents) || null;
-      activeAgent = next;
-      _readinessCache = null; // force a fresh readiness probe next time
-      activityBus.publish({ type: 'agent-changed', agentId: next?.id || null });
-      return {
-        active: next?.id || null,
-        available: Boolean(next?.available),
-        agents: agents.map((a) => ({ id: a.id, available: a.available })),
-      };
-    },
-    'reinstall-daemon': async () => {
-      const cmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
-      const child = operatorDeps.spawn(cmd, ['i', '-g', '@venturewild/workspace'], { windowsHide: true });
-      appendLine('operator', `reinstall-daemon spawned pid=${child?.pid}`);
-      child?.stdout?.on?.('data', (d) => appendLine('operator', `[npm] ${String(d).trim()}`));
-      child?.stderr?.on?.('data', (d) => appendLine('operator', `[npm:err] ${String(d).trim()}`));
-      child?.on?.('exit', (code) => appendLine('operator', `reinstall-daemon exited code=${code}`));
-      return { started: true, pid: child?.pid || null, command: `${cmd} i -g @venturewild/workspace` };
-    },
-  };
-
-  app.get('/api/operator/diag', async (c) => {
-    if (!operatorEnabled()) return c.json({ error: 'operator-disabled' }, 404);
-    const forbidden = require(c, 'operate');
-    if (forbidden) return forbidden;
-    const report = await operatorDeps.runDoctor({ config });
-    auditOperator(c, 'diag', `fail=${report.summary?.fail} warn=${report.summary?.warn}`);
-    return c.json(report);
-  });
-
-  app.get('/api/operator/logs', (c) => {
-    if (!operatorEnabled()) return c.json({ error: 'operator-disabled' }, 404);
-    const forbidden = require(c, 'operate');
-    if (forbidden) return forbidden;
-    const name = c.req.query('name') || 'cli';
-    if (!TAILABLE.includes(name)) return c.json({ error: 'unknown-log', name, allowed: TAILABLE }, 400);
-    const tail = Math.min(Number(c.req.query('tail')) || 200, 2000);
-    const file = logFile(name);
-    auditOperator(c, 'logs', `name=${name} tail=${tail}`);
-    return c.json({ name, file, tail, body: tailFile(file, tail) });
-  });
-
-  app.post('/api/operator/action', async (c) => {
-    if (!operatorEnabled()) return c.json({ error: 'operator-disabled' }, 404);
-    const forbidden = require(c, 'operate');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const action = String(body.action || '');
-    if (!OPERATOR_ACTIONS[action]) {
-      return c.json({ error: 'unknown-action', action, allowed: Object.keys(OPERATOR_ACTIONS) }, 400);
-    }
-    auditOperator(c, 'action', `action=${action}`);
-    try {
-      const result = await OPERATOR_ACTIONS[action]();
-      return c.json({ ok: true, action, result });
-    } catch (e) {
-      appendLine('operator', `action=${action} FAILED ${e?.stack || e}`);
-      return c.json({ ok: false, action, error: String(e?.message || e) }, 500);
-    }
-  });
-
-  // --- workspace files ---
-  app.get('/api/workspace/tree', async (c) => {
-    if (!ROLE_CAPABILITIES[c.get('role')].fileTree) {
-      return c.json({ error: 'forbidden' }, 403);
-    }
-    try {
-      const tree = await fullTree(config.workspaceDir, 3);
-      return c.json({ root: config.workspaceDir, entries: tree });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 500);
-    }
-  });
-
-  app.get('/api/workspace/list', async (c) => {
-    if (!ROLE_CAPABILITIES[c.get('role')].fileTree) {
-      return c.json({ error: 'forbidden' }, 403);
-    }
-    const p = c.req.query('path') || '';
-    try {
-      const items = await listDir(config.workspaceDir, p);
-      if (items == null) return c.json({ error: 'not-a-directory' }, 400);
-      return c.json({ path: p, items });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  app.get('/api/workspace/file', async (c) => {
-    if (!ROLE_CAPABILITIES[c.get('role')].fileTree) {
-      return c.json({ error: 'forbidden' }, 403);
-    }
-    const p = c.req.query('path');
-    if (!p) return c.json({ error: 'path-required' }, 400);
-    try {
-      const result = await readFile(config.workspaceDir, p);
-      return c.json({ path: p, ...result });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  // --- component inbox ---
-  app.get('/api/inbox', async (c) => {
-    // Enforce the `inbox` capability (partner-only). It existed in the matrix
-    // but the route never checked it — a share-link viewer could read it. (S2.)
-    const forbidden = require(c, 'inbox');
-    if (forbidden) return forbidden;
-    const snapshot = await inboxWatcher.snapshot();
-    return c.json(snapshot);
-  });
-
-  // --- live preview port detection ---
-  app.get('/api/preview/ports', async (c) => {
-    const forbidden = require(c, 'preview');
-    if (forbidden) return forbidden;
-    const ports = await detectPreviewPorts();
-    return c.json({ ports });
-  });
-
-  app.get('/api/preview/check', async (c) => {
-    const forbidden = require(c, 'preview');
-    if (forbidden) return forbidden;
-    const port = Number(c.req.query('port'));
-    if (!port) return c.json({ error: 'port-required' }, 400);
-    // Preview detection is for LOCAL dev servers only. Reject any non-loopback
-    // host so this can't be used as an SSRF / internal port scanner. (S2.)
-    const host = c.req.query('host') || '127.0.0.1';
-    if (!isLocalhost(host)) {
-      return c.json({ error: 'host-not-allowed', host }, 400);
-    }
-    return c.json({ port, host, listening: await checkPort(port, host) });
-  });
-
-  // --- activity stream snapshot (WebSocket carries live updates) ---
-  // Gated on `chat`: the snapshot's `recent` feed can carry conversation text,
-  // so only roles allowed to see the chat may read it (anon already denied). (S2.)
-  app.get('/api/activity', (c) => {
-    const forbidden = require(c, 'chat');
-    if (forbidden) return forbidden;
-    return c.json(activityBus.snapshot());
-  });
-
-  // --- share-by-URL (AR-20) ---
-  app.post('/api/share', async (c) => {
-    const forbidden = require(c, 'share');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const role = body.role === 'client' ? 'client' : 'viewer';
-    const ttlSeconds = Number(body.ttlSeconds) || 60 * 60 * 24;
-    const label = body.label || (role === 'client' ? 'Client portal' : 'Viewer');
-    try {
-      const minted = await mintShareToken({
-        secret: config.shareSecret,
-        workspaceId: config.workspaceId,
-        role,
-        ttlSeconds,
-      });
-      tokenRegistry.add({
-        ...minted,
-        label,
-        createdAt: Date.now(),
-      });
-      const shareUrl = buildShareUrl({
-        shareBaseUrl: config.shareBaseUrl,
-        workspaceId: config.workspaceId,
-        token: minted.token,
-      });
-      activityBus.publish({
-        type: 'share-issued',
-        role,
-        sub: minted.sub,
-        exp: minted.exp,
-        label,
-      });
-      auditAction(c, 'share-mint', `grant=${role} grantSub=${minted.sub} ttl=${ttlSeconds}s`);
-      return c.json({ ...minted, shareUrl, label });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  app.get('/api/share', (c) => {
-    const forbidden = require(c, 'share');
-    if (forbidden) return forbidden;
-    return c.json({ tokens: tokenRegistry.list() });
-  });
-
-  app.delete('/api/share/:sub', (c) => {
-    const forbidden = require(c, 'share');
-    if (forbidden) return forbidden;
-    const sub = c.req.param('sub');
-    tokenRegistry.revoke(sub);
-    activityBus.publish({ type: 'share-revoked', sub });
-    auditAction(c, 'share-revoke', `revokedSub=${sub}`);
-    return c.json({ ok: true, sub });
-  });
-
-  // --- bmo-sync folder sharing ---
-  // Pairing / detaching a folder and minting invites all run through the
-  // bmo-sync daemon (and, for invites, the central server). Partner-only.
-  app.get('/api/sync/status', async (c) => {
-    const forbidden = require(c, 'sync');
-    if (forbidden) return forbidden;
-    const status = await syncControl.status();
-    return c.json({
-      ...status,
-      workspaceDir: config.workspaceDir,
-      workspaceName: path.basename(config.workspaceDir),
-    });
-  });
-
-  app.post('/api/sync/pair', async (c) => {
-    const forbidden = require(c, 'sync');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    try {
-      const workspace = await syncControl.pair(body.inviteCode, config.workspaceDir);
-      activityBus.publish({
-        type: 'sync-paired',
-        workspaceId: workspace.workspaceId,
-        projectName: workspace.projectName,
-      });
-      auditAction(c, 'sync-pair', `workspace=${workspace.workspaceId}`);
-      return c.json({ ok: true, workspace });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  app.post('/api/sync/detach', async (c) => {
-    const forbidden = require(c, 'sync');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    try {
-      const result = await syncControl.detach(body.workspaceId);
-      activityBus.publish({ type: 'sync-detached', workspaceId: body.workspaceId });
-      auditAction(c, 'sync-detach', `workspace=${body.workspaceId}`);
-      return c.json({ ok: true, ...result });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  app.post('/api/sync/invite', async (c) => {
-    const forbidden = require(c, 'sync');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    try {
-      const invite = await syncControl.createInvite({
-        projectCode: body.projectCode,
-        displayName: body.displayName,
-        expiresHours: body.expiresHours,
-      });
-      return c.json({ ok: true, invite });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  // --- C12-e conflict surface ---
-  // The daemon detects local-vs-peer divergence and stores both versions
-  // in its back-office. The agent (and the human-fallback badge) drives
-  // resolution through these routes.
-  app.get('/api/conflicts', async (c) => {
-    const forbidden = require(c, 'sync');
-    if (forbidden) return forbidden;
-    const conflicts = await syncControl.listConflicts();
-    return c.json({ conflicts });
-  });
-
-  app.get('/api/conflicts/view', async (c) => {
-    const forbidden = require(c, 'sync');
-    if (forbidden) return forbidden;
-    const workspaceId = c.req.query('workspaceId');
-    const filePath = c.req.query('path');
-    if (!workspaceId || !filePath) {
-      return c.json({ error: 'workspaceId and path are required' }, 400);
-    }
-    try {
-      const view = await syncControl.viewConflict(workspaceId, filePath);
-      if (!view) return c.json({ error: 'not found' }, 404);
-      return c.json(view);
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  app.post('/api/conflicts/resolve', async (c) => {
-    const forbidden = require(c, 'sync');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    try {
-      await syncControl.resolveConflict(body.workspaceId, body.path, body.action);
-      activityBus.publish({
-        type: 'sync-conflict-resolved',
-        workspaceId: body.workspaceId,
-        path: body.path,
-        action: body.action,
-      });
-      auditAction(c, 'conflict-resolve', `path=${body.path} action=${body.action}`);
-      return c.json({ ok: true });
-    } catch (e) {
-      return c.json({ error: String(e.message || e) }, 400);
-    }
-  });
-
-  // --- request-changes (client role) ---
-  const changeRequests = [];
-  app.post('/api/request-changes', async (c) => {
-    const forbidden = require(c, 'requestChanges');
-    if (forbidden) return forbidden;
-    const body = await c.req.json().catch(() => ({}));
-    const text = (body.text || '').trim();
-    if (!text) return c.json({ error: 'text-required' }, 400);
-    const session = c.get('session');
-    const entry = {
-      id: nanoid(12),
-      text,
-      from: session.sub || 'client',
-      ts: Date.now(),
-    };
-    changeRequests.push(entry);
-    activityBus.publish({ type: 'request-changes', entry });
-    return c.json({ ok: true, entry });
-  });
-
-  app.get('/api/request-changes', (c) => {
-    const forbidden = require(c, 'chat');
-    if (forbidden) return forbidden;
-    return c.json({ requests: changeRequests });
-  });
-
-  // --- frontend bundle (built by `npm run build:web`) ---
-  if (existsSync(config.webDir)) {
-    app.use(
-      '/*',
-      serveStatic({
-        root: path.relative(process.cwd(), config.webDir),
-      }),
-    );
-    // SPA fallback
-    app.notFound((c) => {
-      const indexHtmlPath = path.join(config.webDir, 'index.html');
-      if (existsSync(indexHtmlPath)) {
-        return new Response(readFileSync(indexHtmlPath), {
-          headers: { 'content-type': 'text/html' },
-        });
-      }
-      return c.text('wild-workspace: frontend not built; run `npm run build`', 200);
-    });
-  } else {
-    app.notFound((c) =>
-      c.text(
-        'wild-workspace API ready. Frontend bundle missing — run `npm run build` first.',
-        200,
-      ),
-    );
-  }
-
-  const httpServer = serve({
-    fetch: app.fetch,
-    port: config.port,
-    hostname: config.host,
-  });
-  // wait until the server is actually listening before continuing
-  await new Promise((resolve, reject) => {
-    if (httpServer.listening) return resolve();
-    httpServer.once('listening', resolve);
-    httpServer.once('error', reject);
-  });
-
-  // --- websocket bridge ---
-  const wss = new WebSocketServer({ noServer: true });
-  httpServer.on('upgrade', async (req, socket, head) => {
-    const reqUrl = new URL(req.url, `http://${req.headers.host || 'localhost'}`);
-    const supported = ['/ws/chat', '/ws/activity'];
-    if (!supported.includes(reqUrl.pathname)) {
-      socket.destroy();
-      return;
-    }
-    // Auth precedence mirrors resolveRole: the HttpOnly cookie (set via
-    // /api/auth/exchange) first — the browser sends it automatically on the WS
-    // upgrade handshake, so the token never has to ride in the WS URL (S1) —
-    // then the `?t=` query fallback, then the localhost default.
-    const cookieToken = readCookie(req.headers.cookie, AUTH_COOKIE);
-    const tokenFromQuery = reqUrl.searchParams.get('t');
-    let role = null;
-    let sub = 'anon';
-    const hit =
-      (await classifyToken(cookieToken, { source: 'cookie' })) ||
-      (await classifyToken(tokenFromQuery, { source: 'query' }));
-    if (hit) {
-      role = hit.role;
-      sub = hit.sub;
-    } else if (!cookieToken && !tokenFromQuery && !config.publicMode) {
-      role = ROLES.PARTNER;
-      sub = 'local-partner';
-    }
-    // Deny: public mode with no token, or any invalid/revoked token. An
-    // invalid token must NOT silently fall back to partner. (Concern C1.)
-    if (!role) {
-      log('[ws]', `denied ${reqUrl.pathname} (no valid token)`);
-      socket.destroy();
-      return;
-    }
-    wss.handleUpgrade(req, socket, head, (ws) => {
-      ws._wsRole = role;
-      ws._wsSub = sub;
-      log('[ws]', `open ${reqUrl.pathname} role=${role} sub=${sub}`);
-      wss.emit('connection', ws, req, reqUrl.pathname);
-    });
-  });
-
-  wss.on('connection', (ws, req, route) => {
-    if (route === '/ws/activity') return wireActivityWs(ws);
-    if (route === '/ws/chat') return wireChatWs(ws);
-  });
-
-  function wireActivityWs(ws) {
-    const presence = activityBus.joinPresence({
-      sessionId: nanoid(10),
-      role: ws._wsRole,
-      label: ws._wsRole,
-    });
-    ws.send(
-      JSON.stringify({
-        type: 'snapshot',
-        snapshot: activityBus.snapshot(),
-        you: presence,
-      }),
-    );
-    const onEvent = (evt) => {
-      if (ws.readyState === ws.OPEN) ws.send(JSON.stringify(evt));
-    };
-    activityBus.on('event', onEvent);
-    ws.on('message', (raw) => {
-      try {
-        const msg = JSON.parse(raw.toString());
-        if (msg.type === 'focus') {
-          activityBus.updateFocus(presence.sessionId, msg.focus || null);
-        }
-      } catch {}
-    });
-    ws.on('close', () => {
-      activityBus.off('event', onEvent);
-      activityBus.leavePresence(presence.sessionId);
-    });
-  }
-
-  function wireChatWs(ws) {
-    const cap = ROLE_CAPABILITIES[ws._wsRole];
-    chatClients.add(ws);
-    ws.send(JSON.stringify({ type: 'hello', role: ws._wsRole, agent: activeAgent?.id }));
-    ws.on('message', (raw) => {
-      let msg;
-      try {
-        msg = JSON.parse(raw.toString());
-      } catch {
-        ws.send(JSON.stringify({ type: 'error', message: 'invalid json' }));
-        return;
-      }
-      if (msg.type === 'send') {
-        if (!cap.chatWrite) {
-          ws.send(
-            JSON.stringify({ type: 'error', message: 'role not permitted to send' }),
-          );
-          return;
-        }
-        // Rate limit per connection (S6 / C4): drop sends that exceed the burst.
-        const now = Date.now();
-        ws._sendTimes = (ws._sendTimes || []).filter((t) => now - t < chatRate.windowMs);
-        if (ws._sendTimes.length >= chatRate.max) {
-          log('[ws]', `rate-limited /ws/chat sub=${ws._wsSub} (${chatRate.max}/${chatRate.windowMs}ms)`);
-          ws.send(
-            JSON.stringify({
-              type: 'error',
-              messageId: msg.messageId,
-              message: `rate limit reached — max ${chatRate.max} messages per ${Math.round(chatRate.windowMs / 1000)}s. Wait a moment and try again.`,
-            }),
-          );
-          return;
-        }
-        ws._sendTimes.push(now);
-        // The turn-runner is server-level: it streams to every chat client and
-        // resumes the persisted claude session, so the agent keeps its memory.
-        runChatTurn({
-          prompt: msg.text,
-          mode: msg.mode,
-          messageId: msg.messageId,
-          userText: msg.text,
-        });
-      } else if (msg.type === 'cancel') {
-        if (currentTurn) {
-          currentTurn.session.close();
-          currentTurn = null;
-        }
-      } else if (msg.type === 'reset') {
-        // "New chat" — drop the resumed session so the next turn starts fresh.
-        if (cap.chatWrite) resetChat();
-      }
-    });
-    ws.on('close', () => {
-      chatClients.delete(ws);
-      log('[ws]', `close /ws/chat sub=${ws._wsSub} remaining=${chatClients.size}`);
-      // The turn itself keeps running — it may have other watchers, and it
-      // still needs to finish to persist the session id.
-    });
-  }
-
-  return {
-    config,
-    app,
-    httpServer,
-    wss,
-    activityBus,
-    inboxWatcher,
-    tokenRegistry,
-    daemonBridge,
-    daemonSupervisor,
-    daemonReady,
-    syncControl,
-    sessionReporter,
-    detectedAgents,
-    getActiveAgent: () => activeAgent,
-    async stop() {
-      try { clearTimeout(autoWakeTimer); } catch {}
-      try { currentTurn?.session.close(); } catch {}
-      try { sessionReporter.stop(); } catch {}
-      try { transcriptRecorder.stop(); } catch {}
-      try { inboxWatcher.stop(); } catch {}
-      try { daemonBridge?.stop(); } catch {}
-      // The daemon is deliberately NOT stopped here — it is detached so sync
-      // keeps running after wild-workspace closes. `wild-workspace daemon
-      // stop` is the explicit off-switch.
-      // Terminate live WebSockets first — wss.close() stops the server accepting
-      // new connections but leaves existing client sockets open, and those keep
-      // httpServer.close() hanging forever ("stuck shutting down" on Ctrl+C).
-      try { wss.clients.forEach((c) => { try { c.terminate(); } catch {} }); } catch {}
-      try { wss.close(); } catch {}
-      // Drop lingering keep-alive HTTP sockets too (Node 18.2+) so close resolves
-      // promptly instead of waiting on idle browser connections.
-      try { httpServer.closeAllConnections?.(); } catch {}
-      await new Promise((resolve) => httpServer.close(resolve));
-    },
-  };
-}
-
-// Standalone entry — runs when executed directly (node server/src/index.mjs).
-const isDirectRun = process.argv[1] && path.resolve(process.argv[1]) === __filename;
-if (isDirectRun) {
-  createServer().then(async (s) => {
-    const { config } = s;
-    console.log(`\n  wild-workspace v${APP_VERSION}`);
-    console.log(`  workspace : ${config.workspaceDir}`);
-    console.log(`  url       : http://${config.host}:${config.port}`);
-    console.log(`  agent     : ${s.getActiveAgent()?.label || '(none detected)'}`);
-    if (config.publicMode) {
-      // Public mode: no anonymous access. Partner must authenticate.
-      console.log(`  mode      : PUBLIC — anonymous requests denied`);
-      console.log(`  partner   : append ?t=${config.partnerToken} to the URL`);
-    }
-    console.log('');
-    if (config.openBrowser) {
-      try {
-        const open = (await import('open')).default;
-        const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
-        const base = `http://${host}:${config.port}`;
-        // Public mode denies anon, so the owner needs the partner token in the
-        // URL (the SPA exchanges it for a cookie + strips it — S1).
-        open(config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base);
-      } catch (e) {
-        // browser is best-effort; not having one isn't fatal
-      }
-    }
-  }).catch((err) => {
-    console.error('wild-workspace failed to start:', err);
-    process.exit(1);
-  });
-}
+// wild-workspace server bootstrap.
+// Three processes per AR-17:
+//   - this Node server (Hono): REST + WebSocket + frontend bundle
+//   - AI agent subprocess: spawned per chat session via agent.mjs
+//   - bmo-sync daemon (v1.x — out of scope for this scaffold)
+
+import { Hono } from 'hono';
+import { serveStatic } from '@hono/node-server/serve-static';
+import { serve } from '@hono/node-server';
+import { WebSocketServer } from 'ws';
+import { existsSync, mkdirSync, readFileSync, writeFileSync, readdirSync } from 'node:fs';
+import path from 'node:path';
+import url from 'node:url';
+import {
+  buildConfig,
+  ROLES,
+  ROLE_CAPABILITIES,
+  APP_VERSION,
+  DEFAULT_AGENTS,
+  assertSecureBinding,
+  isLocalhost,
+} from './config.mjs';
+import { detectAgents, AgentSession, pickDefaultAgent } from './agent.mjs';
+import {
+  mintShareToken,
+  mintDeviceToken,
+  mintBootstrapToken,
+  verifyShareToken,
+  buildShareUrl,
+  TokenRegistry,
+} from './share.mjs';
+import { PairingStore } from './pairing.mjs';
+import { listDir, readFile, fullTree, workspaceSummary, safeResolve } from './fs.mjs';
+import { InboxWatcher } from './inbox.mjs';
+import { ActivityBus } from './activity.mjs';
+import { loadIdentity, saveIdentity, markOnboarded, TONES } from './agent-identity.mjs';
+import { probeAgentReadiness } from './agent-readiness.mjs';
+import { ClaudeLoginSession } from './agent-login.mjs';
+import { ErrorReporter } from './error-reporter.mjs';
+import { DaemonBridge } from './daemon.mjs';
+import { DaemonSupervisor } from './daemon-supervisor.mjs';
+import { SyncControl } from './sync.mjs';
+import { detectPreviewPorts, checkPort } from './preview.mjs';
+import { createBazaar } from './bazaar/core.mjs';
+import { createCanvas } from './canvas/core.mjs';
+import { matchCandidates } from './bazaar/mock-tickup.mjs';
+import { servePreviewFile, confineBuildDir } from './bazaar/preview-server.mjs';
+import { TURN_SYSTEM_PROMPT, writeTurnMcpConfig } from './turn-mcp.mjs';
+import { loadAccount } from './account.mjs';
+import { runDoctor } from './doctor.mjs';
+import { appendLine, tailFile, logFile, TAILABLE, globalDir } from './logpaths.mjs';
+import { SessionReporter } from './session-reporter.mjs';
+import { TranscriptRecorder } from './transcript.mjs';
+import { loadObservabilityConsent, setObservabilityConsent } from './observability.mjs';
+import { spawn } from 'node:child_process';
+import { nanoid } from 'nanoid';
+
+const __filename = url.fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+// --- structured logging ---------------------------------------------------
+// Single helper used everywhere so log lines are uniformly tagged + timestamped.
+// Goes to stdout; the launcher redirects stdout/stderr to a file. Categories:
+// [http], [ws], [chat], [onboarding], [identity], [auth].
+function log(tag, ...args) {
+  const ts = new Date().toISOString();
+  const line = args
+    .map((a) =>
+      typeof a === 'string'
+        ? a
+        : a instanceof Error
+          ? a.stack || String(a)
+          : JSON.stringify(a),
+    )
+    .join(' ');
+  process.stdout.write(`${ts} ${tag} ${line}\n`);
+}
+
+// --- chat session persistence ---------------------------------------------
+// The conversation's claude session id, stored in the workspace's gitignored
+// .wild-workspace/ dir. Persisting it means a browser reload — or a server
+// restart — doesn't wipe the agent's memory of the conversation.
+function chatSessionPath(dataDir) {
+  return path.join(dataDir, 'chat-session.json');
+}
+function loadChatSessionId(dataDir) {
+  try {
+    const parsed = JSON.parse(readFileSync(chatSessionPath(dataDir), 'utf8'));
+    return typeof parsed.sessionId === 'string' ? parsed.sessionId : null;
+  } catch {
+    return null;
+  }
+}
+function saveChatSessionId(dataDir, sessionId) {
+  try {
+    writeFileSync(
+      chatSessionPath(dataDir),
+      JSON.stringify({ sessionId: sessionId || null }, null, 2),
+    );
+  } catch {
+    /* read-only fs — continuity degrades to in-memory for this run */
+  }
+}
+
+// Directory names already under .wild/imports/ — the auto-wake baseline.
+function scanImports(workspaceDir) {
+  try {
+    return readdirSync(path.join(workspaceDir, '.wild', 'imports'), {
+      withFileTypes: true,
+    })
+      .filter((e) => e.isDirectory())
+      .map((e) => e.name);
+  } catch {
+    return [];
+  }
+}
+
+export async function createServer(overrides = {}) {
+  const config = buildConfig(overrides);
+  // Refuse to start on a public bind with a forgeable default secret. (C1/C2)
+  assertSecureBinding(config);
+  if (!existsSync(config.dataDir)) mkdirSync(config.dataDir, { recursive: true });
+
+  const activityBus = new ActivityBus();
+  // Persist the revocation list so a revoked share token stays revoked across a
+  // server restart (concern C8). Lives in the gitignored .wild-workspace dir.
+  const tokenRegistry = new TokenRegistry({
+    persistPath: path.join(config.dataDir, 'revoked.json'),
+  });
+  // Device sign-in (Phase 2): pending "approve this device" requests. In-memory
+  // + ephemeral by design — a pending pairing that survives a restart is just a
+  // longer attack window for no UX gain. `overrides.pairingTtlMs` is a test seam.
+  const pairing = new PairingStore({
+    ttlMs: overrides.pairingTtlMs ?? 5 * 60 * 1000,
+    maxPending: overrides.pairingMaxPending ?? 5,
+  });
+  const inboxWatcher = new InboxWatcher(config.workspaceDir).start();
+  inboxWatcher.on('change', (payload) => {
+    activityBus.publish({ type: 'inbox-change', snapshot: payload.snapshot });
+  });
+
+  // Bridge the bmo-sync daemon's event feed into the ActivityBus. The daemon
+  // is a separate process and may be absent — the bridge retries quietly.
+  // `overrides.daemonBridge: false` disables it (used by tests).
+  const daemonBridge =
+    overrides.daemonBridge === false
+      ? null
+      : new DaemonBridge(activityBus, { url: config.daemonUrl }).start();
+
+  // Owns the bmo-sync daemon's lifecycle: starts it (detached + window-hidden)
+  // if it isn't already running, so sync just works whenever wild-workspace is
+  // used. The daemon outlives the server by design — not stopped in stop().
+  // `overrides.daemonSupervisor: false` disables it; an object injects test
+  // seams. Autostart is gated by config.daemonAutostart (off under tests).
+  const daemonSupervisor =
+    overrides.daemonSupervisor === false
+      ? null
+      : new DaemonSupervisor({
+          httpBase: config.daemonHttpUrl,
+          // b-ii: hand the daemon the account token + relay so it opens the
+          // proxy link (lights up <slug>.venturewild.llc). Null when logged out.
+          accountToken: config.accountToken,
+          serverUrl: config.bmoSyncServerUrl,
+          ...(typeof overrides.daemonSupervisor === 'object'
+            ? overrides.daemonSupervisor
+            : {}),
+        });
+  const daemonReady =
+    daemonSupervisor && config.daemonAutostart
+      ? daemonSupervisor
+          .ensureRunning()
+          .catch((e) => ({ started: false, error: String(e?.message || e) }))
+      : Promise.resolve({ started: false, skipped: true });
+
+  // Control plane for bmo-sync folder sharing (pair / detach / invite).
+  // `overrides.syncControl` is a test seam.
+  const syncControl =
+    overrides.syncControl ||
+    new SyncControl({
+      daemonHttpUrl: config.daemonHttpUrl,
+      bmoSyncServerUrl: config.bmoSyncServerUrl,
+      adminKey: config.bmoSyncAdminKey,
+    });
+
+  // `overrides.agents` / `overrides.activeAgent` are a test/embedding seam:
+  // a caller can inject agent definitions instead of probing PATH.
+  const detectedAgents = overrides.agents || (await detectAgents());
+  let activeAgent = overrides.activeAgent || pickDefaultAgent(detectedAgents);
+
+  // Error telemetry — forwards agent crashes etc. to bmo-sync-server so
+  // support can diagnose client-machine issues. Off via
+  // WILD_WORKSPACE_NO_TELEMETRY=1 or overrides.errorReporter = false.
+  const errorReporter =
+    overrides.errorReporter === false
+      ? { report: () => {} }
+      : overrides.errorReporter ||
+        new ErrorReporter({
+          bmoSyncUrl: config.bmoSyncServerUrl,
+          workspaceId: config.workspaceId,
+          enabled: process.env.WILD_WORKSPACE_NO_TELEMETRY !== '1',
+        });
+
+  // Proactive, consented session + install observability (session-reporter.mjs).
+  // Default-on with a clear disclosure at onboarding; off via the consent toggle
+  // or the WILD_WORKSPACE_NO_TELEMETRY kill switch. Inert in tests and without an
+  // account token. Carries WHAT happened + install health, never the words —
+  // conversation content is the separate transcript channel.
+  let observability = loadObservabilityConsent(config.dataDir);
+  const sessionEnabled = () =>
+    observability.enabled &&
+    process.env.WILD_WORKSPACE_NO_TELEMETRY !== '1' &&
+    !process.env.VITEST &&
+    config.nodeEnv !== 'test';
+  const sessionReporter =
+    overrides.sessionReporter === false
+      ? { ingest() {}, flush() {}, start() {}, stop() {}, setEnabled() {} }
+      : overrides.sessionReporter ||
+        new SessionReporter({
+          bmoSyncUrl: config.bmoSyncServerUrl,
+          accountToken: config.accountToken,
+          slug: config.account?.slug || null,
+          workspaceId: config.workspaceId,
+          sessionId: overrides.sessionId || nanoid(12),
+          enabled: sessionEnabled(),
+        });
+  // Conversation *content* channel (transcript.mjs) — separate from the feed.
+  // Appends markdown to ~/.wild-workspace/transcripts/<workspaceId>/ (OUTSIDE the
+  // synced repo); forwarding to us is consent-gated. Noop under the test runner so
+  // it never writes into a real home dir.
+  const transcriptForward = ({ markdown, date }) => {
+    if (!sessionEnabled() || !config.accountToken) return;
+    const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/telemetry`;
+    const ctrl = new AbortController();
+    const t = setTimeout(() => ctrl.abort(), 5000);
+    Promise.resolve()
+      .then(() =>
+        fetch(url, {
+          method: 'POST',
+          headers: { 'content-type': 'application/json' },
+          body: JSON.stringify({
+            account_token: config.accountToken,
+            slug: config.account?.slug || null,
+            workspace_id: config.workspaceId,
+            kind: 'transcript',
+            date,
+            markdown,
+            sent_at: Math.floor(Date.now() / 1000),
+          }),
+          signal: ctrl.signal,
+        }),
+      )
+      .catch(() => {})
+      .finally(() => clearTimeout(t));
+  };
+  const transcriptRecorder =
+    overrides.transcriptRecorder === false || process.env.VITEST || config.nodeEnv === 'test'
+      ? { ingest() {}, flush() {}, stop() {} }
+      : new TranscriptRecorder({
+          dir: path.join(globalDir(), 'transcripts', config.workspaceId),
+          agentName: loadIdentity(config.dataDir)?.name || activeAgent?.label || 'Agent',
+          forwardImpl: transcriptForward,
+        });
+
+  activityBus.on('event', (e) => {
+    try { sessionReporter.ingest(e); } catch { /* never let telemetry break the bus */ }
+    try { transcriptRecorder.ingest(e); } catch { /* nor the transcript */ }
+  });
+  sessionReporter.start();
+
+  // --- bazaar (producer/remix marketplace — UX §3.7) ------------------------
+  // One shared core, file-backed under ~/.wild-workspace/bazaar (OUTSIDE the
+  // synced repo). The agent reaches onto the shelf via an MCP server we hand it
+  // per turn; the built site is served same-origin at /preview/* below. The build
+  // itself is the user's product and lands in their workspace — no bazaar sidecars.
+  const bazaar = createBazaar(overrides.bazaarDir ? { baseDir: overrides.bazaarDir } : {});
+  // The canvas store — AGENT-MADE custom blocks (§3.3), file-backed under
+  // ~/.wild-workspace/canvas (OUTSIDE the repo). The agent builds blocks via the
+  // canvas MCP server we hand it per turn; the UI reads them from /api/canvas/blocks.
+  const canvas = createCanvas(overrides.canvasDir ? { baseDir: overrides.canvasDir } : {});
+  const turnMcpConfig = writeTurnMcpConfig({
+    baseDir: bazaar.dir,
+    globalDir: path.dirname(bazaar.dir),
+  });
+  // ctx merged into USER chat turns (not auto-wake) so the agent can consult the
+  // shelf AND build canvas blocks. strictMcp isolates to our two in-repo MCP
+  // servers (bazaar + canvas); the built-in Read/Write/Bash tools are unaffected.
+  const turnCtx = turnMcpConfig
+    ? { mcpConfigPath: turnMcpConfig, strictMcp: true, appendSystemPrompt: TURN_SYSTEM_PROMPT }
+    : {};
+
+  // --- chat turn orchestration ----------------------------------------------
+  // One conversation per workspace in v1 (single-user, single tab — PRD §5.5).
+  // Both user sends and auto-wake turns thread through one turn-runner so they
+  // share the agent's memory and never run two claude processes at once.
+  let chatSessionId = loadChatSessionId(config.dataDir);
+  const chatClients = new Set(); // every connected /ws/chat socket
+  let currentTurn = null; //       { session, messageId } — at most one at a time
+
+  // Per-connection chat rate limit (SECURITY.md S6 / concern C4). Every send
+  // spawns an agent subprocess that costs real API tokens, so cap the burst a
+  // single socket can drive. Sliding window; overridable for tests/env.
+  const chatRate = {
+    max:
+      overrides.chatRateLimit?.max ??
+      (Number(process.env.WILD_WORKSPACE_CHAT_RATE_MAX) || 30),
+    windowMs:
+      overrides.chatRateLimit?.windowMs ??
+      (Number(process.env.WILD_WORKSPACE_CHAT_RATE_WINDOW_MS) || 60_000),
+  };
+
+  function broadcastChat(obj) {
+    const data = JSON.stringify(obj);
+    for (const ws of chatClients) {
+      if (ws.readyState === ws.OPEN) ws.send(data);
+    }
+  }
+
+  /**
+   * Run one chat turn: spawn the agent, stream every chunk to every chat
+   * client, and persist the resulting session id so the next turn resumes it.
+   *   - `userText` / `note`: optional lines shown before the agent reply (a
+   *     user bubble, or an auto-wake system note).
+   *   - `auto`: an automated (auto-wake) turn — never interrupts a live turn,
+   *     and retries once if the run fails (PRD §13 A8).
+   * Returns false if the turn could not start (an auto turn while busy).
+   */
+  function runChatTurn({ prompt, mode, messageId, userText, note, auto = false }) {
+    if (currentTurn) {
+      if (auto) return false; //          auto-wake yields to a live turn
+      currentTurn.session.close(); //     a user send supersedes what's running
+      currentTurn = null;
+    }
+    const id = messageId || nanoid(8);
+    broadcastChat({ type: 'turn-begin', messageId: id, userText, note });
+    activityBus.publish({
+      type: 'chat-user',
+      messageId: id,
+      text: userText || note || prompt,
+    });
+
+    let retried = false;
+    const startTurn = () => {
+      const startedAt = Date.now();
+      log('[chat]', `turn-begin id=${id} auto=${auto} mode=${mode || 'build'} promptChars=${(prompt || '').length}`);
+      const session = new AgentSession(activeAgent);
+      currentTurn = { session, messageId: id };
+      let sawError = false;
+      session.on('chunk', (chunk) => {
+        if (chunk.type === 'error') sawError = true;
+        broadcastChat({ type: 'chunk', messageId: id, chunk });
+        activityBus.publish({ type: 'chat-stream', messageId: id, chunk });
+        // Surface the turn's token/cost totals so the activity bar can show
+        // running usage — the ActivityBus accumulates events typed 'usage'.
+        if (chunk.type === 'usage' && chunk.usage) {
+          activityBus.publish({ type: 'usage', usage: chunk.usage });
+        }
+      });
+      session.on('stderr', (text) => {
+        const trimmed = String(text || '').trim();
+        if (trimmed) log('[chat]', `stderr id=${id}: ${trimmed.slice(0, 240)}`);
+        broadcastChat({ type: 'stderr', messageId: id, text });
+      });
+      session.on('error', (err) => {
+        sawError = true;
+        const msg = String(err?.message || err);
+        log('[chat]', `error id=${id}: ${msg}`);
+        errorReporter.report({
+          category: 'agent',
+          message: msg,
+          stack: err?.stack,
+          agentLabel: activeAgent?.label,
+        });
+        broadcastChat({
+          type: 'error',
+          messageId: id,
+          message: msg,
+        });
+        currentTurn = null;
+      });
+      session.on('end', ({ code }) => {
+        currentTurn = null;
+        const elapsed = Date.now() - startedAt;
+        log('[chat]', `turn-end id=${id} code=${code} ms=${elapsed} closed=${session.closed} sawError=${sawError}`);
+        // Silent agent crash → telemetry. A non-zero exit (or signal-kill =
+        // code null) that wasn't user-cancelled is exactly the failure mode
+        // we want to see in the central log. Skip the user-cancelled and
+        // clean-exit cases.
+        if (!session.closed && (code !== 0 || sawError)) {
+          errorReporter.report({
+            category: 'agent',
+            message:
+              code === null
+                ? `agent subprocess killed by signal after ${elapsed}ms (no chunks)`
+                : `agent exited code=${code} after ${elapsed}ms sawError=${sawError}`,
+            agentLabel: activeAgent?.label,
+          });
+        }
+        // A turn closed on purpose — cancelled by the user, or superseded by
+        // the next turn — never reached a clean finish: it must not retry and
+        // must not persist its session id (that would clobber a reset, or
+        // resurrect a turn the user just stopped).
+        if (!session.closed) {
+          // An automated turn retries once on a failed run — `claude -p`
+          // spawned non-interactively hits transient API resets (PRD §13 A8).
+          if (auto && !retried && (sawError || code !== 0)) {
+            retried = true;
+            setTimeout(startTurn, 700);
+            return;
+          }
+          if (session.sessionId) {
+            chatSessionId = session.sessionId;
+            saveChatSessionId(config.dataDir, chatSessionId);
+          }
+        }
+        broadcastChat({ type: 'end', messageId: id, code });
+        activityBus.publish({ type: 'chat-end', messageId: id, code });
+      });
+      session.send(prompt, {
+        cwd: config.workspaceDir,
+        mode,
+        resumeSessionId: chatSessionId,
+        // Auto-wake (import integration, plan mode) stays bazaar-free; only the
+        // user's own turns get the marketplace tools + disposition.
+        ...(auto ? {} : turnCtx),
+      });
+    };
+    startTurn();
+    return true;
+  }
+
+  function resetChat() {
+    if (currentTurn) {
+      currentTurn.session.close();
+      currentTurn = null;
+    }
+    chatSessionId = null;
+    saveChatSessionId(config.dataDir, null);
+    broadcastChat({ type: 'reset' });
+  }
+
+  // --- auto-wake on import (AR-23) ------------------------------------------
+  // When `wild add` (or a bmo-sync delivery) drops a new component into
+  // .wild/imports/, wake the agent in PLAN mode to PROPOSE the integration.
+  // Plan mode is the consent boundary — it cannot edit files, so auto-wake
+  // only ever proposes; the user's reply applies it in Build mode.
+  const autoWakeMs = overrides.autoWakeDebounceMs ?? 1500;
+  const autoWakeEnabled = overrides.autoWake !== false;
+  let knownImports = new Set(scanImports(config.workspaceDir)); // startup baseline
+  let pendingWake = new Set();
+  let autoWakeTimer = null;
+
+  if (autoWakeEnabled) {
+    inboxWatcher.on('change', ({ snapshot }) => {
+      const current = new Set(snapshot.imports || []);
+      for (const name of current) {
+        if (!knownImports.has(name)) pendingWake.add(name);
+      }
+      knownImports = current;
+      if (pendingWake.size === 0) return;
+      // Debounce: `wild add` writes several files; collapse the burst.
+      clearTimeout(autoWakeTimer);
+      autoWakeTimer = setTimeout(fireAutoWake, autoWakeMs);
+    });
+  }
+
+  function fireAutoWake() {
+    const names = [...pendingWake];
+    if (names.length === 0) return;
+    pendingWake = new Set();
+    const list = names.join(', ');
+    const note = `📦 Imported ${list} — proposing an integration plan…`;
+    const prompt =
+      `A new wild component was just imported into this workspace: ` +
+      `${names.map((n) => `.wild/imports/${n}/`).join(', ')}. ` +
+      `You are in Plan mode, so you cannot modify files — only propose. ` +
+      `Read each component's README.md, look at the existing workspace, then ` +
+      `lay out how to integrate it: where the files should go, whether to ` +
+      `merge / overwrite / namespace, and any risks. Then stop so I can choose.`;
+    const started = runChatTurn({ prompt, mode: 'plan', note, auto: true });
+    if (!started) {
+      // The chat was busy — re-queue so the import isn't silently dropped.
+      for (const n of names) pendingWake.add(n);
+      clearTimeout(autoWakeTimer);
+      autoWakeTimer = setTimeout(fireAutoWake, 3000);
+    }
+  }
+
+  const app = new Hono();
+
+  // --- auth helpers ---------------------------------------------------------
+  // Classify one raw token into a role. Shared by the Authorization header, the
+  // HttpOnly auth cookie, and the `?t=` query so all three stay consistent.
+  // `allowOperator` is true ONLY for the header path — the operator (support)
+  // token is header-only so it can never leak via a URL or a shared cookie
+  // (SECURITY.md S1).
+  async function classifyToken(token, { allowOperator = false, source } = {}) {
+    if (!token) return null;
+    if (token === config.partnerToken) {
+      return { role: ROLES.PARTNER, sub: 'partner', source };
+    }
+    if (allowOperator && config.operatorToken && token === config.operatorToken) {
+      return { role: ROLES.OPERATOR, sub: 'operator', source: source || 'operator-token' };
+    }
+    const payload = await verifyShareToken(token, config.shareSecret);
+    if (payload && !tokenRegistry.isRevoked(payload.sub)) {
+      return {
+        role: payload.role,
+        sub: payload.sub,
+        workspaceId: payload.workspaceId,
+        source,
+        exp: payload.exp,
+        // One-time first-device bootstrap token (B1): the exchange path upgrades
+        // it to a durable device cookie instead of cookie-ing the short token.
+        boot: payload.boot === true,
+      };
+    }
+    return null;
+  }
+
+  // Parse a single cookie value out of a raw Cookie header. Avoids a dependency
+  // on hono/cookie and works the same for the Node WS upgrade request.
+  function readCookie(rawCookie, name) {
+    if (!rawCookie) return null;
+    for (const part of rawCookie.split(';')) {
+      const idx = part.indexOf('=');
+      if (idx === -1) continue;
+      if (part.slice(0, idx).trim() === name) return part.slice(idx + 1).trim();
+    }
+    return null;
+  }
+
+  const AUTH_COOKIE = 'wild_auth';
+  function authCookieAttrs(value, maxAgeSeconds) {
+    const attrs = [
+      `${AUTH_COOKIE}=${value}`,
+      'HttpOnly',
+      'SameSite=Strict',
+      'Path=/',
+      `Max-Age=${Math.max(0, Math.floor(maxAgeSeconds))}`,
+    ];
+    // Secure only in public mode — the edge (Cloudflare) terminates TLS, so the
+    // browser sees HTTPS. On a localhost (http) dev bind, Secure would drop it.
+    if (config.publicMode) attrs.push('Secure');
+    return attrs.join('; ');
+  }
+
+  // --- auth + role resolution ---
+  async function resolveRole(c) {
+    // 1. Authorization: Bearer — the only path that may carry the operator token.
+    const auth = c.req.header('authorization');
+    if (auth?.startsWith('Bearer ')) {
+      const hit = await classifyToken(auth.slice('Bearer '.length).trim(), {
+        allowOperator: true,
+        source: 'bearer',
+      });
+      if (hit) return hit;
+    }
+    // 2. HttpOnly auth cookie — set by /api/auth/exchange so the partner token
+    //    never has to live in the URL after first load (SECURITY.md S1). The
+    //    browser sends it automatically on both API fetches and WS handshakes.
+    const cookieToken = readCookie(c.req.header('cookie'), AUTH_COOKIE);
+    if (cookieToken) {
+      const hit = await classifyToken(cookieToken, { source: 'cookie' });
+      if (hit) return hit;
+    }
+    // 3. `?t=` query — a fresh navigation can only carry a token this way. Kept
+    //    for the share-link first-hit + backward compatibility; the client
+    //    exchanges it for the cookie and strips it from the URL immediately.
+    const queryToken = c.req.query('t');
+    if (queryToken) {
+      const hit = await classifyToken(queryToken, { source: 'query' });
+      if (hit) return hit;
+    }
+    // Default for local partner UX — same machine, no token expected.
+    if (!config.publicMode) {
+      return { role: ROLES.PARTNER, sub: 'local-partner', source: 'localhost' };
+    }
+    // Public mode with no valid token: deny. No anonymous viewer access —
+    // a share JWT or the partner token is required. (Concern C1.)
+    return { role: null, sub: 'anon', source: 'unauth', denied: true };
+  }
+
+  function require(c, capability) {
+    const cap = ROLE_CAPABILITIES[c.get('role')];
+    if (!cap || !cap[capability]) {
+      return c.json({ error: 'forbidden', capability, role: c.get('role') }, 403);
+    }
+    return null;
+  }
+
+  // Persistent audit trail for privileged actions (SECURITY.md S8). The [http]
+  // line is ephemeral (stdout, rotated); this records WHO did WHAT to a durable
+  // log under ~/.wild-workspace (outside the synced repo) that doctor/logs and
+  // the operator channel can read. Never throws.
+  function auditAction(c, action, detail) {
+    const s = c.get('session') || {};
+    appendLine(
+      'audit',
+      `${action} role=${c.get('role') || '-'} sub=${s.sub || '-'} src=${s.source || '-'}` +
+        (detail ? ` ${detail}` : ''),
+    );
+  }
+
+  // Security headers on every response (SECURITY.md S7). Set AFTER next() so they
+  // land on static-asset + SPA-fallback responses too. Referrer-Policy: no-referrer
+  // also backstops S1 — a stale `?t=` in the URL can't leak via the Referer header.
+  app.use('*', async (c, next) => {
+    await next();
+    const h = c.res.headers;
+    h.set('X-Content-Type-Options', 'nosniff');
+    h.set('Referrer-Policy', 'no-referrer');
+    h.set('X-Frame-Options', 'SAMEORIGIN');
+    h.set('Cross-Origin-Opener-Policy', 'same-origin');
+    // Conservative CSP: locks framing (anti-clickjacking), object/base, and the
+    // connect surface, while leaving script/style permissive so the prebuilt
+    // SPA bundle isn't broken. `frame-src *` keeps the live-preview iframe (which
+    // points at the user's local dev server) working. Tightening script-src is a
+    // follow-up that needs a bundle audit.
+    if (!h.has('Content-Security-Policy')) {
+      h.set(
+        'Content-Security-Policy',
+        [
+          "default-src 'self'",
+          "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+          "style-src 'self' 'unsafe-inline'",
+          "img-src 'self' data: blob:",
+          "font-src 'self' data:",
+          "connect-src 'self' ws: wss: https:",
+          'frame-src *',
+          "frame-ancestors 'self'",
+          "object-src 'none'",
+          "base-uri 'self'",
+        ].join('; '),
+      );
+    }
+  });
+
+  // API paths reachable WITHOUT auth: health, plus the device sign-in start/poll
+  // (a brand-new browser has no token yet — it must be able to start a pairing
+  // request and poll for approval). Everything else under /api/* is walled in
+  // public mode; pair/approve+deny+requests are NOT here, so anon hits a clean
+  // 401 before their `require(c,'share')` gate even runs.
+  const PUBLIC_API = new Set([
+    '/api/health',
+    '/api/auth/pair/start',
+    '/api/auth/pair/status',
+    // First-device bootstrap (B1). Past the wall ONLY so a genuine on-host
+    // request can reach it; the handler itself 404s anything that isn't real
+    // loopback, so a public visitor can never use it.
+    '/api/auth/bootstrap',
+  ]);
+  app.use('*', async (c, next) => {
+    const session = await resolveRole(c);
+    c.set('role', session.role);
+    c.set('session', session);
+    // Block the API for denied (non-localhost, unauthenticated) requests, but
+    // let static assets + the public endpoints through so the SPA can still
+    // load and prompt for sign-in. (Concern C1.)
+    if (session.denied && c.req.path.startsWith('/api/') && !PUBLIC_API.has(c.req.path)) {
+      log('[auth]', `denied ${c.req.method} ${c.req.path} src=${session.source}`);
+      return c.json({ error: 'unauthorized' }, 401);
+    }
+    await next();
+  });
+
+  // Lightweight HTTP request log — every /api/* call, with status + duration.
+  // Static asset traffic is noisy and uninteresting, so we skip it.
+  app.use('/api/*', async (c, next) => {
+    const t0 = Date.now();
+    await next();
+    const ms = Date.now() - t0;
+    const role = c.get('role') || 'anon';
+    log('[http]', `${c.req.method} ${c.req.path} ${c.res.status} ${ms}ms role=${role}`);
+  });
+
+  // --- meta ---
+  app.get('/api/health', (c) =>
+    c.json({ status: 'ok', version: APP_VERSION, ts: Date.now() }),
+  );
+
+  app.get('/api/session', (c) => {
+    const session = c.get('session');
+    const role = c.get('role');
+    const identity = loadIdentity(config.dataDir);
+    return c.json({
+      version: APP_VERSION,
+      role,
+      capabilities: ROLE_CAPABILITIES[role],
+      workspace: workspaceSummary(config.workspaceDir),
+      workspaceId: config.workspaceId,
+      session,
+      agent: activeAgent
+        ? { id: activeAgent.id, label: activeAgent.label, available: activeAgent.available }
+        : null,
+      identity,
+      onboarded: Boolean(identity?.onboardedAt),
+      shareBaseUrl: config.shareBaseUrl,
+      // `account` is set after the user runs `wild-workspace login`. The UI
+      // uses it to show "you are <slug>" and to seed step 4 of onboarding
+      // with the actual <slug>.venturewild.llc URL. accountToken is NOT
+      // exposed — it stays in server-side config only.
+      account: config.account,
+      // Consent state for the proactive observability feed, so settings/onboarding
+      // can show + toggle it. The disclosure copy lives in the UI.
+      observability: { enabled: observability.enabled, version: observability.version },
+    });
+  });
+
+  // True iff this request physically originated on the owner's own machine
+  // (a process hitting 127.0.0.1:5173 directly) rather than arriving through the
+  // public tunnel. The bmo-sync relay STRIPS any inbound x-forwarded-*/x-real-ip
+  // and SETS its own on every proxied request (bmo-sync server/src/routes/proxy.rs),
+  // and the daemon replays them — so their ABSENCE is unspoofable from off-box,
+  // and the Host on tunneled traffic is the public subdomain (x-forwarded-host).
+  // The server binds loopback, so only an on-host process can produce a request
+  // with no forwarding headers + a loopback Host. (B1 — basis for first-device
+  // bootstrap. A local process already has the user's filesystem + secrets, so
+  // trusting it grants nothing it didn't already have.)
+  function isGenuineLoopback(c) {
+    const h = (n) => c.req.header(n);
+    if (h('x-forwarded-for') || h('x-forwarded-host') || h('x-forwarded-proto') || h('x-real-ip')) {
+      return false;
+    }
+    const hostname = String(h('host') || '').toLowerCase().split(':')[0];
+    return hostname === '127.0.0.1' || hostname === 'localhost' || hostname === '::1' || hostname === '[::1]';
+  }
+
+  // --- auth: first-device bootstrap (B1) -------------------------------------
+  // The everyday problem: a brand-new owner runs `wild-workspace` and wants to
+  // land signed-in on their PUBLIC url (<slug>.venturewild.llc) with no token
+  // typed and no second device to approve from. The local launcher calls this
+  // over genuine loopback; we mint a short-lived bootstrap link the launcher
+  // opens. A public visitor can never reach this (404 unless on-host), so C1
+  // (no anonymous partner access) still holds.
+  app.post('/api/auth/bootstrap', async (c) => {
+    // Explicit 404 (not c.notFound(), which falls through to the SPA handler) so
+    // a non-local caller sees the endpoint as simply absent.
+    if (!isGenuineLoopback(c)) return c.json({ error: 'not_found' }, 404);
+    if (!config.account?.slug || !config.shareBaseUrl) {
+      return c.json({ error: 'no-public-url' }, 400);
+    }
+    const minted = await mintBootstrapToken({
+      secret: config.shareSecret,
+      workspaceId: config.workspaceId,
+    });
+    const base = config.shareBaseUrl.replace(/\/$/, '');
+    const url = `${base}/?t=${encodeURIComponent(minted.token)}`;
+    log('[auth]', `bootstrap link minted sub=${minted.sub} ttl=${minted.exp * 1000 - Date.now()}ms`);
+    return c.json({ url, expiresAt: minted.exp * 1000 });
+  });
+
+  // --- auth: token → HttpOnly cookie exchange (SECURITY.md S1) ---------------
+  // A browser opening <slug>.venturewild.llc?t=<token> can only carry the token
+  // in the URL. The partner token is RCE-grade, so it must NOT linger there
+  // (history / referrer / edge logs). The SPA calls this once at boot with the
+  // token in an Authorization header (never a logged URL), we move it into an
+  // HttpOnly cookie, and the client strips ?t= from the address bar. Every
+  // later request — API fetch or WS handshake — authenticates via the cookie.
+  // The global middleware already verified the token before this runs, so the
+  // session is trustworthy; we just persist it.
+  app.post('/api/auth/exchange', async (c) => {
+    const session = c.get('session');
+    // Idempotency (B1): a retried exchange whose original response was lost on a
+    // flaky first-connect would otherwise fail if the one-time token had already
+    // been consumed. If a valid auth cookie already authenticated THIS request,
+    // the exchange already succeeded — report success and don't re-mint.
+    if (session && !session.denied && session.role && session.source === 'cookie') {
+      return c.json({ ok: true, role: session.role, cookie: true });
+    }
+    if (!session || session.denied || !session.role) {
+      return c.json({ error: 'invalid-token' }, 401);
+    }
+    // Operator tokens stay header-only — never minted into a cookie.
+    if (session.role === ROLES.OPERATOR) {
+      return c.json({ error: 'not-exchangeable' }, 400);
+    }
+    // The exact token to persist: whatever authenticated this request.
+    const auth = c.req.header('authorization');
+    const token =
+      (auth?.startsWith('Bearer ') ? auth.slice('Bearer '.length).trim() : null) ||
+      c.req.query('t');
+    if (!token) {
+      // localhost (no token) — cookie auth is unnecessary; nothing to persist.
+      return c.json({ ok: true, role: session.role, cookie: false });
+    }
+    // First-device bootstrap token (B1): the token in the URL was short-lived by
+    // design, so DON'T cookie it (the browser would expire in minutes). Re-mint a
+    // DURABLE, individually-revocable device token and cookie THAT instead — the
+    // owner gets a long-lived public-origin session, and the durable credential
+    // they keep is a bounded device token, never the bootstrap link.
+    if (session.boot && session.role === ROLES.PARTNER) {
+      const device = await mintDeviceToken({
+        secret: config.shareSecret,
+        workspaceId: config.workspaceId,
+      });
+      tokenRegistry.add({
+        ...device,
+        kind: 'device',
+        label: 'this device (first sign-in)',
+        createdAt: Date.now(),
+      });
+      const now = Math.floor(Date.now() / 1000);
+      const maxAge = Math.max(60, device.exp - now);
+      c.header('Set-Cookie', authCookieAttrs(device.token, maxAge));
+      log('[auth]', `bootstrap exchanged → durable device sub=${device.sub} ttl=${maxAge}s`);
+      return c.json({ ok: true, role: session.role, cookie: true });
+    }
+    // Cookie lifetime: a share JWT lives until its exp; the partner token has no
+    // exp. Now that the signing secret is durable across restarts/upgrades
+    // (config.mjs persists it to the per-install global dir), give the owner's
+    // browser a long-lived cookie so "just type your domain" keeps working — no
+    // token in the URL, no surprise logout. Capped at a year for an everyday user.
+    const now = Math.floor(Date.now() / 1000);
+    const PARTNER_COOKIE_MAX_AGE = 365 * 24 * 3600;
+    const maxAge = session.exp ? Math.max(60, session.exp - now) : PARTNER_COOKIE_MAX_AGE;
+    c.header('Set-Cookie', authCookieAttrs(token, maxAge));
+    log('[auth]', `exchange role=${session.role} src=${session.source} ttl=${maxAge}s`);
+    return c.json({ ok: true, role: session.role, cookie: true });
+  });
+
+  app.post('/api/auth/logout', (c) => {
+    c.header('Set-Cookie', authCookieAttrs('', 0));
+    return c.json({ ok: true });
+  });
+
+  // --- device sign-in (Phase 2): "approve a new device from one you're already
+  // signed in on" (WhatsApp-Web-style). The new device gets a short CODE (the
+  // owner reads it off the screen) + an unguessable requestId it polls by. The
+  // owner approves from a partner session, echoing the matching code (confused-
+  // deputy defense), which mints a revocable partner token the new device
+  // exchanges for the usual login cookie. No token is ever typed by the user.
+
+  // Fixed-vocabulary label derived from the User-Agent — safe to render in the
+  // owner's (privileged) approval UI without escaping, unlike a client string.
+  const deviceLabelFromUA = (ua) => {
+    const s = String(ua || '');
+    const os = /iPhone/.test(s)
+      ? 'iPhone'
+      : /iPad/.test(s)
+        ? 'iPad'
+        : /Android/.test(s)
+          ? 'Android'
+          : /Mac OS X|Macintosh/.test(s)
+            ? 'Mac'
+            : /Windows/.test(s)
+              ? 'Windows'
+              : /Linux/.test(s)
+                ? 'Linux'
+                : 'a device';
+    const browser = /Edg\//.test(s)
+      ? 'Edge'
+      : /Chrome\//.test(s)
+        ? 'Chrome'
+        : /Firefox\//.test(s)
+          ? 'Firefox'
+          : /Safari\//.test(s)
+            ? 'Safari'
+            : 'a browser';
+    return `${browser} on ${os}`;
+  };
+
+  // Per-IP start limiter (defense-in-depth; the store's global pending cap is the
+  // primary control). Overridable for tests.
+  const pairStartRate = {
+    max: Number(overrides.pairStartRate?.max ?? 10),
+    windowMs: Number(overrides.pairStartRate?.windowMs ?? 10 * 60 * 1000),
+  };
+  const pairStartHits = new Map(); // ip -> timestamps[]
+
+  app.post('/api/auth/pair/start', async (c) => {
+    const ip =
+      c.req.header('x-forwarded-for')?.split(',')[0].trim() ||
+      c.req.header('x-real-ip') ||
+      'global';
+    const now = Date.now();
+    const hits = (pairStartHits.get(ip) || []).filter((t) => now - t < pairStartRate.windowMs);
+    if (hits.length >= pairStartRate.max) {
+      return c.json({ error: 'rate_limited' }, 429);
+    }
+    hits.push(now);
+    pairStartHits.set(ip, hits);
+
+    const label = deviceLabelFromUA(c.req.header('user-agent'));
+    const created = pairing.create({ label });
+    if (!created) {
+      // Global pending cap reached — too many devices already awaiting approval.
+      return c.json({ error: 'too_many_pending' }, 429);
+    }
+    activityBus.publish({ type: 'pair-requested', requestId: created.requestId, label });
+    log('[auth]', `pair start label="${label}" req=${created.requestId}`);
+    return c.json({
+      requestId: created.requestId,
+      code: created.code,
+      expiresAt: created.expiresAt,
+      pollAfterMs: 2500,
+    });
+  });
+
+  app.post('/api/auth/pair/status', async (c) => {
+    const body = await c.req.json().catch(() => ({}));
+    const requestId = typeof body.requestId === 'string' ? body.requestId : '';
+    // Polls by requestId only (never the code) → nothing brute-forceable here.
+    // One-shot: the token is returned exactly once, then the record is 'claimed'.
+    // A missing/unknown id is a terminal 'expired' (200) — the client just
+    // restarts — so the poll endpoint always answers 200.
+    return c.json(requestId ? pairing.claim(requestId) : { status: 'expired' });
+  });
+
+  app.get('/api/auth/pair/requests', (c) => {
+    const forbidden = require(c, 'share');
+    if (forbidden) return forbidden;
+    return c.json({ requests: pairing.listPending() });
+  });
+
+  app.post('/api/auth/pair/approve', async (c) => {
+    const forbidden = require(c, 'share');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const requestId = typeof body.requestId === 'string' ? body.requestId : '';
+    // One tap: the owner approves the specific pending request they identified
+    // (by its code + label) on the new device. No token is minted unless that
+    // request is genuinely pending.
+    const pending = pairing.get(requestId);
+    if (!pending || pending.status !== 'pending') {
+      return c.json({ error: 'not_pending' }, 404);
+    }
+    const minted = await mintDeviceToken({
+      secret: config.shareSecret,
+      workspaceId: config.workspaceId,
+    });
+    // Re-validate inside approve to close the await-window race.
+    if (!pairing.approve(requestId, minted)) {
+      return c.json({ error: 'not_pending' }, 409);
+    }
+    tokenRegistry.add({ ...minted, kind: 'device', label: pending.label, createdAt: Date.now() });
+    activityBus.publish({ type: 'pair-approved', requestId, sub: minted.sub, label: pending.label });
+    auditAction(c, 'pair-approve', `label="${pending.label}" grantSub=${minted.sub}`);
+    return c.json({ ok: true, label: pending.label });
+  });
+
+  app.post('/api/auth/pair/deny', async (c) => {
+    const forbidden = require(c, 'share');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const requestId = typeof body.requestId === 'string' ? body.requestId : '';
+    const pending = pairing.get(requestId);
+    pairing.deny(requestId);
+    activityBus.publish({ type: 'pair-denied', requestId });
+    auditAction(c, 'pair-deny', `req=${requestId} label="${pending?.label || '-'}"`);
+    return c.json({ ok: true });
+  });
+
+  // --- agent identity (onboarding) ---
+  // Persisted to <dataDir>/agent-identity.json. Absence of this file is the
+  // signal the UI uses to launch the 5-step onboarding flow.
+  app.get('/api/agent/identity', (c) => {
+    const identity = loadIdentity(config.dataDir);
+    return c.json({ identity, tones: TONES });
+  });
+
+  // --- agent readiness (the agent-login gate) ---
+  // "Is the wrapped agent installed AND signed in?" detectAgents() only proves
+  // the binary is on PATH; this proves a turn will actually work. Onboarding
+  // calls this before its folder-peek wow beat so a not-signed-in user gets a
+  // calm "sign in to Claude" step instead of a broken error bubble (the §3.2
+  // open question in docs/user-experience.md). See agent-readiness.mjs.
+  //
+  // Cached briefly: a 'ready' verdict rarely flips, and the probe spawns a
+  // subprocess. `?fresh=1` forces a re-probe (the gate's "I've signed in" button
+  // sends it so the user isn't stuck behind a stale 'login' verdict).
+  let _readinessCache = null; // { at, verdict }
+  const READINESS_TTL_MS = 30_000;
+  const agentTag = (a) => (a ? { id: a.id, label: a.label } : null);
+  app.get('/api/agent/readiness', async (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    const fresh = c.req.query('fresh') === '1';
+    const now = Date.now();
+    if (!fresh && _readinessCache && now - _readinessCache.at < READINESS_TTL_MS) {
+      return c.json({ agent: agentTag(activeAgent), ...(_readinessCache.verdict) });
+    }
+    const verdict = await probeAgentReadiness(activeAgent);
+    _readinessCache = { at: now, verdict };
+    log('[onboarding]', `readiness agent=${activeAgent?.id || '-'} status=${verdict.status}${verdict.email ? ` email=${verdict.email}` : ''}`);
+    return c.json({ agent: agentTag(activeAgent), ...verdict });
+  });
+
+  // In-app "Sign in to Claude" — drives `claude auth login` in a real PTY so the
+  // browser OAuth callback auto-completes and the user never touches a terminal.
+  // (See agent-login.mjs.) Claude opens the OAuth URL in the user's browser itself
+  // (the server is local), so we do NOT open it again here — doing so spawned a
+  // duplicate tab; the UI surfaces the captured URL as a "didn't open?" fallback.
+  // Degrades to `{status:'unsupported'}` if node-pty is absent (gate → terminal).
+  let _loginSession = null;
+  const emptyLoginSnap = { status: 'idle', url: null, error: null, verdict: null };
+  app.post('/api/agent/login/start', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    if (!_loginSession) _loginSession = new ClaudeLoginSession({ agent: activeAgent });
+    _loginSession.agent = activeAgent; // track the active agent if it changed
+    const snap = await _loginSession.start();
+    _readinessCache = null; // a sign-in is about to change auth state — don't serve stale
+    log('[onboarding]', `login start status=${snap.status}`);
+    return c.json(snap);
+  });
+  app.get('/api/agent/login/status', async (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json(_loginSession ? _loginSession.snapshot() : emptyLoginSnap);
+  });
+  app.post('/api/agent/login/code', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const ok = _loginSession ? _loginSession.submitCode(body.code) : false;
+    return c.json({ ok, ...(_loginSession ? _loginSession.snapshot() : emptyLoginSnap) });
+  });
+
+  app.post('/api/agent/identity', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      const saved = saveIdentity(config.dataDir, {
+        name: body.name,
+        tone: body.tone,
+        color: body.color,
+        connectedServices: body.connectedServices,
+      });
+      log('[identity]', `saved name=${saved.name} tone=${saved.tone} color=${saved.color}`);
+      activityBus.publish({ type: 'identity-changed', name: saved.name, tone: saved.tone });
+      return c.json({ identity: saved });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  app.post('/api/agent/onboarded', (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    try {
+      const saved = markOnboarded(config.dataDir);
+      log('[onboarding]', `complete name=${saved.name}`);
+      activityBus.publish({ type: 'onboarded', at: saved.onboardedAt });
+      return c.json({ identity: saved });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  // Consent toggle for the proactive observability feed (default-on — see
+  // observability.mjs). Owner-only; applied live to the reporter, no restart.
+  app.post('/api/observability/consent', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const enabled = body.enabled !== false;
+    observability = setObservabilityConsent(config.dataDir, enabled);
+    sessionReporter.setEnabled(sessionEnabled());
+    activityBus.publish({ type: 'observability-consent', enabled });
+    log('[observability]', `consent set enabled=${enabled}`);
+    return c.json({ observability: { enabled: observability.enabled, version: observability.version } });
+  });
+
+  // --- onboarding step 2: agent peeks at a folder ---
+  // The browser sends a small sample of the chosen folder's contents — file
+  // names + a short head of each text file — and we ask the agent to react
+  // in one or two sentences. Runs through the normal turn-runner; the browser
+  // supplies the messageId so the onboarding overlay can subscribe to /ws/chat
+  // and stream the reaction back into a bubble next to the dropzone — the
+  // "agent reacts in ~2s" beat the locked plan calls the highest-converting moment.
+  app.post('/api/onboarding/peek', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const files = Array.isArray(body.files) ? body.files.slice(0, 80) : [];
+    const folderName = (body.folderName || 'this folder').slice(0, 80);
+    if (files.length === 0) return c.json({ error: 'no-files' }, 400);
+    const sample = files
+      .map((f) => {
+        const head = typeof f.head === 'string' ? f.head.slice(0, 600) : '';
+        return head
+          ? `--- ${f.path}\n${head}`
+          : `--- ${f.path}`;
+      })
+      .join('\n');
+    const identity = loadIdentity(config.dataDir);
+    const youAre = identity?.name
+      ? `You are ${identity.name}, a ${identity.tone || 'concise'} AI assistant just meeting your human for the first time.`
+      : `You are an AI assistant just meeting your human for the first time.`;
+    const prompt =
+      `${youAre} They just showed you a folder called "${folderName}" with ` +
+      `${files.length} file${files.length === 1 ? '' : 's'}. Below is a quick ` +
+      `sample of what's inside. In ONE or TWO short sentences, react: name ` +
+      `what you see, then propose ONE specific, concrete thing you could do ` +
+      `with it that would be useful. Be specific — reference real filenames ` +
+      `or content. Don't ask permission, don't list options, don't introduce ` +
+      `yourself. Just react like a smart friend who just glanced at the desk.\n\n` +
+      sample;
+    const messageId =
+      typeof body.messageId === 'string' && body.messageId.trim()
+        ? body.messageId.trim().slice(0, 64)
+        : undefined;
+    log('[onboarding]', `peek folder=${folderName} files=${files.length} sampleBytes=${sample.length} mid=${messageId || '(auto)'}`);
+    const started = runChatTurn({
+      prompt,
+      mode: 'plan',
+      messageId,
+      note: `👀 ${identity?.name || 'Your agent'} is looking at ${folderName}…`,
+      auto: true,
+    });
+    return c.json({ ok: true, sampled: files.length, started: started !== false });
+  });
+
+  // --- onboarding step 5: kick off the user's first real job ---
+  // The browser picks one of three known job kinds; the server builds the
+  // matching prompt incorporating the agent's tone + the optional peek context
+  // so the long instruction shape stays server-side (the user sees a clean
+  // "Started: …" note, not the raw prompt). Same WS streaming contract as
+  // peek — the browser supplies the messageId.
+  app.post('/api/onboarding/start-job', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const kind = typeof body.kind === 'string' ? body.kind : '';
+    const messageId =
+      typeof body.messageId === 'string' && body.messageId.trim()
+        ? body.messageId.trim().slice(0, 64)
+        : undefined;
+    const peekFolder =
+      typeof body.peekFolderName === 'string'
+        ? body.peekFolderName.slice(0, 80)
+        : null;
+    const identity = loadIdentity(config.dataDir);
+    const tone = identity?.tone || 'concise';
+    const name = identity?.name || 'your agent';
+    const youAre = `You are ${name}, a ${tone} AI assistant. Your human just finished a 5-step onboarding and picked their first job. Stay in character.`;
+    let prompt;
+    let note;
+    if (kind === 'survey') {
+      prompt =
+        `${youAre} Look at the wild-workspace folder this server runs in — ` +
+        `read CLAUDE.md, README.md, and any package.json or top-level docs ` +
+        `you find. In ONE short paragraph, summarize what this project is ` +
+        `and what's notable about it. Be ${tone}. Don't ask permission ` +
+        `first — just go. Finish with a single concrete next-step question.`;
+      note = `🔎 First job — ${name} is reading your workspace…`;
+    } else if (kind === 'startup') {
+      const folderHint = peekFolder
+        ? ` They showed you a folder called "${peekFolder}" earlier — feel free to reference it.`
+        : '';
+      prompt =
+        `${youAre} Your human wants to start a new project but hasn't said ` +
+        `what yet.${folderHint} In ONE or TWO sentences, ask the single ` +
+        `most useful question that will help you understand what they want ` +
+        `to build today. Be ${tone}, warm, and concrete — no list of options.`;
+      note = `🚀 First job — ${name} is figuring out what to build with you…`;
+    } else if (kind === 'chat') {
+      prompt =
+        `${youAre} Your human picked the "just chat" option — they want to ` +
+        `get to know you, no agenda yet. Say a brief hello, then ask ONE ` +
+        `short question that will help you find a job for them today. Be ` +
+        `${tone}. Don't introduce yourself by name (they already named you).`;
+      note = `💬 First job — ${name} is settling in…`;
+    } else {
+      return c.json({ error: 'unknown-job-kind' }, 400);
+    }
+    log('[onboarding]', `start-job kind=${kind} mid=${messageId || '(auto)'} peek=${peekFolder || '-'}`);
+    const started = runChatTurn({
+      prompt,
+      mode: 'build',
+      messageId,
+      note,
+      auto: true,
+    });
+    return c.json({ ok: true, started: started !== false });
+  });
+
+  app.get('/api/agents', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    // resolvedPath is a local filesystem path — only the owner (partner) needs
+    // it; don't leak the install layout to a share-link viewer/client. (S2.)
+    const isPartner = c.get('role') === ROLES.PARTNER;
+    return c.json({
+      available: detectedAgents.map(({ id, label, description, available, resolvedPath }) => ({
+        id,
+        label,
+        description,
+        available,
+        resolvedPath: isPartner ? resolvedPath : undefined,
+      })),
+      active: activeAgent?.id,
+    });
+  });
+
+  app.post('/api/agents/select', async (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const next = detectedAgents.find((a) => a.id === body.id);
+    if (!next) return c.json({ error: 'unknown-agent', id: body.id }, 400);
+    activeAgent = next;
+    activityBus.publish({ type: 'agent-changed', agentId: next.id });
+    auditAction(c, 'agent-select', `id=${next.id}`);
+    return c.json({ ok: true, active: activeAgent.id });
+  });
+
+  // --- operator channel (consented support; OFF unless a token is set) -------
+  // The dedicated operator token (operator.mjs) maps to the `operator` role in
+  // resolveRole; every route here gates on the `operate` capability. When the
+  // channel is disabled (no token) the routes 404 so the surface is invisible.
+  // Each call is audit-logged to operator.log AND surfaced in the activity feed
+  // (CLAUDE.md principle #5 — both peers see what happened). The actions are a
+  // CURATED ALLOWLIST — never arbitrary shell (docs/SECURITY.md).
+  const operatorDeps = {
+    runDoctor: (o) => runDoctor(o),
+    detectAgents,
+    loadAccount,
+    spawn,
+    ...(overrides.operatorDeps || {}),
+  };
+  const operatorEnabled = () => Boolean(config.operatorToken);
+  function auditOperator(c, action, detail) {
+    const s = c.get('session') || {};
+    appendLine('operator', `${action} by=${s.sub || 'operator'} src=${s.source || '-'} ${detail || ''}`.trim());
+    activityBus.publish({ type: 'operator-action', action, detail: detail || null, at: Date.now() });
+  }
+
+  // Curated remediation actions. Each reuses an existing seam; none runs an
+  // arbitrary command. (`restart-server` is intentionally absent — exiting the
+  // process would sever the very tunnel we reach the user through on a machine
+  // without the always-on supervisor; deferred — see SECURITY.md.)
+  const OPERATOR_ACTIONS = {
+    'run-doctor': async () => operatorDeps.runDoctor({ config }),
+    'restart-daemon': async () => {
+      if (!daemonSupervisor) return { restarted: false, reason: 'daemon-supervisor-disabled' };
+      await daemonSupervisor.stop().catch(() => {});
+      return daemonSupervisor.ensureRunning();
+    },
+    'relink-account': async () => {
+      const account = operatorDeps.loadAccount(config.dataDir);
+      if (daemonSupervisor) {
+        await daemonSupervisor.stop().catch(() => {});
+        await daemonSupervisor.ensureRunning().catch(() => {});
+      }
+      return { relinked: Boolean(account?.slug), slug: account?.slug || null, email: account?.email || null };
+    },
+    'redetect-agent': async () => {
+      const agents = (await operatorDeps.detectAgents()) || [];
+      const next = pickDefaultAgent(agents) || null;
+      activeAgent = next;
+      _readinessCache = null; // force a fresh readiness probe next time
+      activityBus.publish({ type: 'agent-changed', agentId: next?.id || null });
+      return {
+        active: next?.id || null,
+        available: Boolean(next?.available),
+        agents: agents.map((a) => ({ id: a.id, available: a.available })),
+      };
+    },
+    'reinstall-daemon': async () => {
+      const cmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
+      const child = operatorDeps.spawn(cmd, ['i', '-g', '@venturewild/workspace'], { windowsHide: true });
+      appendLine('operator', `reinstall-daemon spawned pid=${child?.pid}`);
+      child?.stdout?.on?.('data', (d) => appendLine('operator', `[npm] ${String(d).trim()}`));
+      child?.stderr?.on?.('data', (d) => appendLine('operator', `[npm:err] ${String(d).trim()}`));
+      child?.on?.('exit', (code) => appendLine('operator', `reinstall-daemon exited code=${code}`));
+      return { started: true, pid: child?.pid || null, command: `${cmd} i -g @venturewild/workspace` };
+    },
+  };
+
+  app.get('/api/operator/diag', async (c) => {
+    if (!operatorEnabled()) return c.json({ error: 'operator-disabled' }, 404);
+    const forbidden = require(c, 'operate');
+    if (forbidden) return forbidden;
+    const report = await operatorDeps.runDoctor({ config });
+    auditOperator(c, 'diag', `fail=${report.summary?.fail} warn=${report.summary?.warn}`);
+    return c.json(report);
+  });
+
+  app.get('/api/operator/logs', (c) => {
+    if (!operatorEnabled()) return c.json({ error: 'operator-disabled' }, 404);
+    const forbidden = require(c, 'operate');
+    if (forbidden) return forbidden;
+    const name = c.req.query('name') || 'cli';
+    if (!TAILABLE.includes(name)) return c.json({ error: 'unknown-log', name, allowed: TAILABLE }, 400);
+    const tail = Math.min(Number(c.req.query('tail')) || 200, 2000);
+    const file = logFile(name);
+    auditOperator(c, 'logs', `name=${name} tail=${tail}`);
+    return c.json({ name, file, tail, body: tailFile(file, tail) });
+  });
+
+  app.post('/api/operator/action', async (c) => {
+    if (!operatorEnabled()) return c.json({ error: 'operator-disabled' }, 404);
+    const forbidden = require(c, 'operate');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const action = String(body.action || '');
+    if (!OPERATOR_ACTIONS[action]) {
+      return c.json({ error: 'unknown-action', action, allowed: Object.keys(OPERATOR_ACTIONS) }, 400);
+    }
+    auditOperator(c, 'action', `action=${action}`);
+    try {
+      const result = await OPERATOR_ACTIONS[action]();
+      return c.json({ ok: true, action, result });
+    } catch (e) {
+      appendLine('operator', `action=${action} FAILED ${e?.stack || e}`);
+      return c.json({ ok: false, action, error: String(e?.message || e) }, 500);
+    }
+  });
+
+  // --- workspace files ---
+  app.get('/api/workspace/tree', async (c) => {
+    if (!ROLE_CAPABILITIES[c.get('role')].fileTree) {
+      return c.json({ error: 'forbidden' }, 403);
+    }
+    try {
+      const tree = await fullTree(config.workspaceDir, 3);
+      return c.json({ root: config.workspaceDir, entries: tree });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 500);
+    }
+  });
+
+  app.get('/api/workspace/list', async (c) => {
+    if (!ROLE_CAPABILITIES[c.get('role')].fileTree) {
+      return c.json({ error: 'forbidden' }, 403);
+    }
+    const p = c.req.query('path') || '';
+    try {
+      const items = await listDir(config.workspaceDir, p);
+      if (items == null) return c.json({ error: 'not-a-directory' }, 400);
+      return c.json({ path: p, items });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  app.get('/api/workspace/file', async (c) => {
+    if (!ROLE_CAPABILITIES[c.get('role')].fileTree) {
+      return c.json({ error: 'forbidden' }, 403);
+    }
+    const p = c.req.query('path');
+    if (!p) return c.json({ error: 'path-required' }, 400);
+    try {
+      const result = await readFile(config.workspaceDir, p);
+      return c.json({ path: p, ...result });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  // --- component inbox ---
+  app.get('/api/inbox', async (c) => {
+    // Enforce the `inbox` capability (partner-only). It existed in the matrix
+    // but the route never checked it — a share-link viewer could read it. (S2.)
+    const forbidden = require(c, 'inbox');
+    if (forbidden) return forbidden;
+    const snapshot = await inboxWatcher.snapshot();
+    return c.json(snapshot);
+  });
+
+  // --- live preview port detection ---
+  app.get('/api/preview/ports', async (c) => {
+    const forbidden = require(c, 'preview');
+    if (forbidden) return forbidden;
+    const ports = await detectPreviewPorts();
+    return c.json({ ports });
+  });
+
+  app.get('/api/preview/check', async (c) => {
+    const forbidden = require(c, 'preview');
+    if (forbidden) return forbidden;
+    const port = Number(c.req.query('port'));
+    if (!port) return c.json({ error: 'port-required' }, 400);
+    // Preview detection is for LOCAL dev servers only. Reject any non-loopback
+    // host so this can't be used as an SSRF / internal port scanner. (S2.)
+    const host = c.req.query('host') || '127.0.0.1';
+    if (!isLocalhost(host)) {
+      return c.json({ error: 'host-not-allowed', host }, 400);
+    }
+    return c.json({ port, host, listening: await checkPort(port, host) });
+  });
+
+  // --- bazaar (producer/remix marketplace — §3.7) ---------------------------
+  // The shelf + ledger state for the UI. Live updates ride the chat chunk stream
+  // (agent tool results) and the /preview/match broadcast below — never a watcher.
+  app.get('/api/bazaar/shelf', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json({ recipes: bazaar.shelf().map((r) => bazaar.card(r)) });
+  });
+  app.get('/api/bazaar/state', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json(bazaar.computeState());
+  });
+  // Apply a theme from the shelf: records the three-way moment (producer earns) and
+  // returns the validated bundle for the browser to apply. chatWrite-gated — a
+  // read-only viewer can browse the shelf but not record a use against it.
+  app.post('/api/bazaar/themes/:id/apply', (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const res = bazaar.recordThemeApply({ themeId: c.req.param('id') });
+    if (!res.ok) return c.json({ error: res.error }, 404);
+    return c.json(res);
+  });
+
+  // --- canvas (agent-made custom blocks — §3.3) -----------------------------
+  // The blocks the agent has built for the user. The UI hydrates these on load (so
+  // a block made while the tab was closed still shows) and otherwise receives new
+  // blocks live on the chat chunk stream (agent make_block/update_block results).
+  app.get('/api/canvas/blocks', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json({ blocks: canvas.listBlocks() });
+  });
+  // Tidy the server store when the user removes an agent-made block from the canvas.
+  // Owner-only (chatWrite) — a read-only viewer can't mutate the owner's blocks.
+  app.delete('/api/canvas/blocks/:id', (c) => {
+    const forbidden = require(c, 'chatWrite');
+    if (forbidden) return forbidden;
+    const removed = canvas.removeBlock(c.req.param('id'));
+    return c.json({ ok: removed });
+  });
+  // The agent-set theme (the "make it mine" look). The UI hydrates this on load
+  // (so a restyle done while the tab was closed still applies) and otherwise gets
+  // theme changes live on the chat chunk stream (the canvas set_theme result).
+  app.get('/api/canvas/theme', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json({ theme: canvas.getTheme() });
+  });
+
+  // The built site, served SAME-ORIGIN through this (already authed) server — no
+  // squatted dev port, no mixed-content under the public proxy. The build dir
+  // comes from preview.json (written by the agent's launch_preview / record_use).
+  function servePreview(c) {
+    const forbidden = require(c, 'preview');
+    if (forbidden) return forbidden;
+    const preview = bazaar.getPreview();
+    // Confine the build dir to the workspace (the agent-written preview.dir is not
+    // trusted to stay inside it). An out-of-workspace dir serves the waiting page.
+    const buildDir = confineBuildDir(config.workspaceDir, preview?.dir);
+    const rel = c.req.path.replace(/^\/preview\/?/, '');
+    const served = servePreviewFile(buildDir, rel);
+    // The build is UNTRUSTED HTML/JS. The iframe that loads it is sandboxed (opaque
+    // origin — Preview.jsx) so it can't reach the control plane's cookie/API; this
+    // per-response CSP is defense-in-depth, locking the build to its own inline
+    // assets + the matching service, never the parent's /api. (Overrides the global
+    // CSP, which the security middleware only sets when absent.)
+    return c.body(served.body, served.status, {
+      'Content-Type': served.contentType,
+      'Content-Security-Policy':
+        "default-src 'none'; script-src 'unsafe-inline' 'unsafe-eval'; " +
+        "style-src 'unsafe-inline'; img-src data: blob:; font-src data:; " +
+        "connect-src http: https:; form-action 'none'; base-uri 'none'",
+      ...(served.headers || {}),
+    });
+  }
+  app.get('/preview', servePreview);
+  app.get('/preview/*', servePreview);
+
+  // TickUp's matching service (mocked), same-origin so the built site's
+  // fetch('./match') just works. Each call meters the producer's usage — "TickUp
+  // gains a customer, earns per match" — and broadcasts the live beat to the chat
+  // UI. This rides an ACTIVE user interaction (the match click), not a watcher.
+  // CORS for the matching service: the build runs in a sandboxed (opaque-origin)
+  // iframe, so its fetch to /match is cross-origin. No credentials are used.
+  const MATCH_CORS = {
+    'Access-Control-Allow-Origin': '*',
+    'Access-Control-Allow-Methods': 'POST, OPTIONS',
+    'Access-Control-Allow-Headers': 'Content-Type',
+  };
+  async function handleMatch(c) {
+    const forbidden = require(c, 'preview');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const result = matchCandidates({ role: body.role, candidates: body.candidates });
+    // Only the workspace OWNER's matches credit the producer's ledger — a read-only
+    // viewer/client share-link holder can run the tool but cannot inflate earnings.
+    if (c.get('role') === ROLES.PARTNER) {
+      const preview = bazaar.getPreview();
+      try {
+        bazaar.recordServiceCall({
+          recipeId: preview?.recipeId,
+          serviceId: 'tickup-match',
+          matches: result.count,
+        });
+      } catch {}
+      broadcastChat({ type: 'bazaar', phase: 'meter', state: bazaar.computeState() });
+    }
+    return c.json(result, 200, MATCH_CORS);
+  }
+  const matchPreflight = (c) => c.body(null, 204, MATCH_CORS);
+  // Register both paths: a built site served under /preview/ may fetch the
+  // matching service as './match' (-> /preview/match) OR as the absolute '/match'.
+  app.post('/preview/match', handleMatch);
+  app.post('/match', handleMatch);
+  app.options('/preview/match', matchPreflight);
+  app.options('/match', matchPreflight);
+
+  // --- activity stream snapshot (WebSocket carries live updates) ---
+  // Gated on `chat`: the snapshot's `recent` feed can carry conversation text,
+  // so only roles allowed to see the chat may read it (anon already denied). (S2.)
+  app.get('/api/activity', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json(activityBus.snapshot());
+  });
+
+  // --- share-by-URL (AR-20) ---
+  app.post('/api/share', async (c) => {
+    const forbidden = require(c, 'share');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const role = body.role === 'client' ? 'client' : 'viewer';
+    const ttlSeconds = Number(body.ttlSeconds) || 60 * 60 * 24;
+    const label = body.label || (role === 'client' ? 'Client portal' : 'Viewer');
+    try {
+      const minted = await mintShareToken({
+        secret: config.shareSecret,
+        workspaceId: config.workspaceId,
+        role,
+        ttlSeconds,
+      });
+      tokenRegistry.add({
+        ...minted,
+        label,
+        createdAt: Date.now(),
+      });
+      const shareUrl = buildShareUrl({
+        shareBaseUrl: config.shareBaseUrl,
+        workspaceId: config.workspaceId,
+        token: minted.token,
+      });
+      activityBus.publish({
+        type: 'share-issued',
+        role,
+        sub: minted.sub,
+        exp: minted.exp,
+        label,
+      });
+      auditAction(c, 'share-mint', `grant=${role} grantSub=${minted.sub} ttl=${ttlSeconds}s`);
+      return c.json({ ...minted, shareUrl, label });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  app.get('/api/share', (c) => {
+    const forbidden = require(c, 'share');
+    if (forbidden) return forbidden;
+    return c.json({ tokens: tokenRegistry.list() });
+  });
+
+  app.delete('/api/share/:sub', (c) => {
+    const forbidden = require(c, 'share');
+    if (forbidden) return forbidden;
+    const sub = c.req.param('sub');
+    tokenRegistry.revoke(sub);
+    activityBus.publish({ type: 'share-revoked', sub });
+    auditAction(c, 'share-revoke', `revokedSub=${sub}`);
+    return c.json({ ok: true, sub });
+  });
+
+  // --- bmo-sync folder sharing ---
+  // Pairing / detaching a folder and minting invites all run through the
+  // bmo-sync daemon (and, for invites, the central server). Partner-only.
+  app.get('/api/sync/status', async (c) => {
+    const forbidden = require(c, 'sync');
+    if (forbidden) return forbidden;
+    const status = await syncControl.status();
+    return c.json({
+      ...status,
+      workspaceDir: config.workspaceDir,
+      workspaceName: path.basename(config.workspaceDir),
+    });
+  });
+
+  app.post('/api/sync/pair', async (c) => {
+    const forbidden = require(c, 'sync');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      const workspace = await syncControl.pair(body.inviteCode, config.workspaceDir);
+      activityBus.publish({
+        type: 'sync-paired',
+        workspaceId: workspace.workspaceId,
+        projectName: workspace.projectName,
+      });
+      auditAction(c, 'sync-pair', `workspace=${workspace.workspaceId}`);
+      return c.json({ ok: true, workspace });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  app.post('/api/sync/detach', async (c) => {
+    const forbidden = require(c, 'sync');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      const result = await syncControl.detach(body.workspaceId);
+      activityBus.publish({ type: 'sync-detached', workspaceId: body.workspaceId });
+      auditAction(c, 'sync-detach', `workspace=${body.workspaceId}`);
+      return c.json({ ok: true, ...result });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  app.post('/api/sync/invite', async (c) => {
+    const forbidden = require(c, 'sync');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      const invite = await syncControl.createInvite({
+        projectCode: body.projectCode,
+        displayName: body.displayName,
+        expiresHours: body.expiresHours,
+      });
+      return c.json({ ok: true, invite });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  // --- C12-e conflict surface ---
+  // The daemon detects local-vs-peer divergence and stores both versions
+  // in its back-office. The agent (and the human-fallback badge) drives
+  // resolution through these routes.
+  app.get('/api/conflicts', async (c) => {
+    const forbidden = require(c, 'sync');
+    if (forbidden) return forbidden;
+    const conflicts = await syncControl.listConflicts();
+    return c.json({ conflicts });
+  });
+
+  app.get('/api/conflicts/view', async (c) => {
+    const forbidden = require(c, 'sync');
+    if (forbidden) return forbidden;
+    const workspaceId = c.req.query('workspaceId');
+    const filePath = c.req.query('path');
+    if (!workspaceId || !filePath) {
+      return c.json({ error: 'workspaceId and path are required' }, 400);
+    }
+    try {
+      const view = await syncControl.viewConflict(workspaceId, filePath);
+      if (!view) return c.json({ error: 'not found' }, 404);
+      return c.json(view);
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  app.post('/api/conflicts/resolve', async (c) => {
+    const forbidden = require(c, 'sync');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    try {
+      await syncControl.resolveConflict(body.workspaceId, body.path, body.action);
+      activityBus.publish({
+        type: 'sync-conflict-resolved',
+        workspaceId: body.workspaceId,
+        path: body.path,
+        action: body.action,
+      });
+      auditAction(c, 'conflict-resolve', `path=${body.path} action=${body.action}`);
+      return c.json({ ok: true });
+    } catch (e) {
+      return c.json({ error: String(e.message || e) }, 400);
+    }
+  });
+
+  // --- request-changes (client role) ---
+  const changeRequests = [];
+  app.post('/api/request-changes', async (c) => {
+    const forbidden = require(c, 'requestChanges');
+    if (forbidden) return forbidden;
+    const body = await c.req.json().catch(() => ({}));
+    const text = (body.text || '').trim();
+    if (!text) return c.json({ error: 'text-required' }, 400);
+    const session = c.get('session');
+    const entry = {
+      id: nanoid(12),
+      text,
+      from: session.sub || 'client',
+      ts: Date.now(),
+    };
+    changeRequests.push(entry);
+    activityBus.publish({ type: 'request-changes', entry });
+    return c.json({ ok: true, entry });
+  });
+
+  app.get('/api/request-changes', (c) => {
+    const forbidden = require(c, 'chat');
+    if (forbidden) return forbidden;
+    return c.json({ requests: changeRequests });
+  });
+
+  // --- frontend bundle (built by `npm run build:web`) ---
+  if (existsSync(config.webDir)) {
+    app.use(
+      '/*',
+      serveStatic({
+        root: path.relative(process.cwd(), config.webDir),
+      }),
+    );
+    // SPA fallback
+    app.notFound((c) => {
+      const indexHtmlPath = path.join(config.webDir, 'index.html');
+      if (existsSync(indexHtmlPath)) {
+        return new Response(readFileSync(indexHtmlPath), {
+          headers: { 'content-type': 'text/html' },
+        });
+      }
+      return c.text('wild-workspace: frontend not built; run `npm run build`', 200);
+    });
+  } else {
+    app.notFound((c) =>
+      c.text(
+        'wild-workspace API ready. Frontend bundle missing — run `npm run build` first.',
+        200,
+      ),
+    );
+  }
+
+  const httpServer = serve({
+    fetch: app.fetch,
+    port: config.port,
+    hostname: config.host,
+  });
+  // wait until the server is actually listening before continuing
+  await new Promise((resolve, reject) => {
+    if (httpServer.listening) return resolve();
+    httpServer.once('listening', resolve);
+    httpServer.once('error', reject);
+  });
+
+  // --- websocket bridge ---
+  const wss = new WebSocketServer({ noServer: true });
+  httpServer.on('upgrade', async (req, socket, head) => {
+    const reqUrl = new URL(req.url, `http://${req.headers.host || 'localhost'}`);
+    const supported = ['/ws/chat', '/ws/activity'];
+    if (!supported.includes(reqUrl.pathname)) {
+      socket.destroy();
+      return;
+    }
+    // Auth precedence mirrors resolveRole: the HttpOnly cookie (set via
+    // /api/auth/exchange) first — the browser sends it automatically on the WS
+    // upgrade handshake, so the token never has to ride in the WS URL (S1) —
+    // then the `?t=` query fallback, then the localhost default.
+    const cookieToken = readCookie(req.headers.cookie, AUTH_COOKIE);
+    const tokenFromQuery = reqUrl.searchParams.get('t');
+    let role = null;
+    let sub = 'anon';
+    const hit =
+      (await classifyToken(cookieToken, { source: 'cookie' })) ||
+      (await classifyToken(tokenFromQuery, { source: 'query' }));
+    if (hit) {
+      role = hit.role;
+      sub = hit.sub;
+    } else if (!cookieToken && !tokenFromQuery && !config.publicMode) {
+      role = ROLES.PARTNER;
+      sub = 'local-partner';
+    }
+    // Deny: public mode with no token, or any invalid/revoked token. An
+    // invalid token must NOT silently fall back to partner. (Concern C1.)
+    if (!role) {
+      log('[ws]', `denied ${reqUrl.pathname} (no valid token)`);
+      socket.destroy();
+      return;
+    }
+    wss.handleUpgrade(req, socket, head, (ws) => {
+      ws._wsRole = role;
+      ws._wsSub = sub;
+      log('[ws]', `open ${reqUrl.pathname} role=${role} sub=${sub}`);
+      wss.emit('connection', ws, req, reqUrl.pathname);
+    });
+  });
+
+  wss.on('connection', (ws, req, route) => {
+    if (route === '/ws/activity') return wireActivityWs(ws);
+    if (route === '/ws/chat') return wireChatWs(ws);
+  });
+
+  function wireActivityWs(ws) {
+    const presence = activityBus.joinPresence({
+      sessionId: nanoid(10),
+      role: ws._wsRole,
+      label: ws._wsRole,
+    });
+    ws.send(
+      JSON.stringify({
+        type: 'snapshot',
+        snapshot: activityBus.snapshot(),
+        you: presence,
+      }),
+    );
+    const onEvent = (evt) => {
+      if (ws.readyState === ws.OPEN) ws.send(JSON.stringify(evt));
+    };
+    activityBus.on('event', onEvent);
+    ws.on('message', (raw) => {
+      try {
+        const msg = JSON.parse(raw.toString());
+        if (msg.type === 'focus') {
+          activityBus.updateFocus(presence.sessionId, msg.focus || null);
+        }
+      } catch {}
+    });
+    ws.on('close', () => {
+      activityBus.off('event', onEvent);
+      activityBus.leavePresence(presence.sessionId);
+    });
+  }
+
+  function wireChatWs(ws) {
+    const cap = ROLE_CAPABILITIES[ws._wsRole];
+    chatClients.add(ws);
+    ws.send(JSON.stringify({ type: 'hello', role: ws._wsRole, agent: activeAgent?.id }));
+    ws.on('message', (raw) => {
+      let msg;
+      try {
+        msg = JSON.parse(raw.toString());
+      } catch {
+        ws.send(JSON.stringify({ type: 'error', message: 'invalid json' }));
+        return;
+      }
+      if (msg.type === 'send') {
+        if (!cap.chatWrite) {
+          ws.send(
+            JSON.stringify({ type: 'error', message: 'role not permitted to send' }),
+          );
+          return;
+        }
+        // Rate limit per connection (S6 / C4): drop sends that exceed the burst.
+        const now = Date.now();
+        ws._sendTimes = (ws._sendTimes || []).filter((t) => now - t < chatRate.windowMs);
+        if (ws._sendTimes.length >= chatRate.max) {
+          log('[ws]', `rate-limited /ws/chat sub=${ws._wsSub} (${chatRate.max}/${chatRate.windowMs}ms)`);
+          ws.send(
+            JSON.stringify({
+              type: 'error',
+              messageId: msg.messageId,
+              message: `rate limit reached — max ${chatRate.max} messages per ${Math.round(chatRate.windowMs / 1000)}s. Wait a moment and try again.`,
+            }),
+          );
+          return;
+        }
+        ws._sendTimes.push(now);
+        // The turn-runner is server-level: it streams to every chat client and
+        // resumes the persisted claude session, so the agent keeps its memory.
+        runChatTurn({
+          prompt: msg.text,
+          mode: msg.mode,
+          messageId: msg.messageId,
+          userText: msg.text,
+        });
+      } else if (msg.type === 'cancel') {
+        if (currentTurn) {
+          currentTurn.session.close();
+          currentTurn = null;
+        }
+      } else if (msg.type === 'reset') {
+        // "New chat" — drop the resumed session so the next turn starts fresh.
+        if (cap.chatWrite) resetChat();
+      }
+    });
+    ws.on('close', () => {
+      chatClients.delete(ws);
+      log('[ws]', `close /ws/chat sub=${ws._wsSub} remaining=${chatClients.size}`);
+      // The turn itself keeps running — it may have other watchers, and it
+      // still needs to finish to persist the session id.
+    });
+  }
+
+  return {
+    config,
+    app,
+    httpServer,
+    wss,
+    activityBus,
+    inboxWatcher,
+    tokenRegistry,
+    daemonBridge,
+    daemonSupervisor,
+    daemonReady,
+    syncControl,
+    sessionReporter,
+    detectedAgents,
+    getActiveAgent: () => activeAgent,
+    async stop() {
+      try { clearTimeout(autoWakeTimer); } catch {}
+      try { currentTurn?.session.close(); } catch {}
+      try { sessionReporter.stop(); } catch {}
+      try { transcriptRecorder.stop(); } catch {}
+      try { inboxWatcher.stop(); } catch {}
+      try { daemonBridge?.stop(); } catch {}
+      // The daemon is deliberately NOT stopped here — it is detached so sync
+      // keeps running after wild-workspace closes. `wild-workspace daemon
+      // stop` is the explicit off-switch.
+      // Terminate live WebSockets first — wss.close() stops the server accepting
+      // new connections but leaves existing client sockets open, and those keep
+      // httpServer.close() hanging forever ("stuck shutting down" on Ctrl+C).
+      try { wss.clients.forEach((c) => { try { c.terminate(); } catch {} }); } catch {}
+      try { wss.close(); } catch {}
+      // Drop lingering keep-alive HTTP sockets too (Node 18.2+) so close resolves
+      // promptly instead of waiting on idle browser connections.
+      try { httpServer.closeAllConnections?.(); } catch {}
+      await new Promise((resolve) => httpServer.close(resolve));
+    },
+  };
+}
+
+// Standalone entry — runs when executed directly (node server/src/index.mjs).
+const isDirectRun = process.argv[1] && path.resolve(process.argv[1]) === __filename;
+if (isDirectRun) {
+  createServer().then(async (s) => {
+    const { config } = s;
+    console.log(`\n  wild-workspace v${APP_VERSION}`);
+    console.log(`  workspace : ${config.workspaceDir}`);
+    console.log(`  url       : http://${config.host}:${config.port}`);
+    console.log(`  agent     : ${s.getActiveAgent()?.label || '(none detected)'}`);
+    if (config.publicMode) {
+      // Public mode: no anonymous access. Partner must authenticate.
+      console.log(`  mode      : PUBLIC — anonymous requests denied`);
+      console.log(`  partner   : append ?t=${config.partnerToken} to the URL`);
+    }
+    console.log('');
+    if (config.openBrowser) {
+      try {
+        const open = (await import('open')).default;
+        const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+        const base = `http://${host}:${config.port}`;
+        // Public mode denies anon, so the owner needs the partner token in the
+        // URL (the SPA exchanges it for a cookie + strips it — S1).
+        open(config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base);
+      } catch (e) {
+        // browser is best-effort; not having one isn't fatal
+      }
+    }
+  }).catch((err) => {
+    console.error('wild-workspace failed to start:', err);
+    process.exit(1);
+  });
+}