@venturewild/workspace 0.1.14 → 0.2.0

package/server/bin/wild-workspace.mjs

@@ -1,763 +1,825 @@
-#!/usr/bin/env node
-// `wild-workspace` CLI entry — the bin field in package.json.
-// Starts the workspace server; also exposes a `daemon` subcommand for
-// inspecting / controlling the bmo-sync sync daemon.
-
-import path from 'node:path';
-import url from 'node:url';
-import os from 'node:os';
-import { createServer } from '../src/index.mjs';
-import { APP_VERSION, buildConfig } from '../src/config.mjs';
-import { DaemonSupervisor } from '../src/daemon-supervisor.mjs';
-import { SyncControl } from '../src/sync.mjs';
-import {
-  decodeLoginPayload,
-  saveAccount,
-  loadAccount,
-  clearAccount,
-} from '../src/account.mjs';
-import { readFileSync } from 'node:fs';
-import { WorkspaceSupervisor, probeHealth } from '../src/supervisor.mjs';
-import { installService, uninstallService, serviceStatus, globalDir } from '../src/service.mjs';
-import { appendLine, listLogs, tailFile } from '../src/logpaths.mjs';
-import { runDoctor, renderDoctor, writeDoctorBundle } from '../src/doctor.mjs';
-import { enableOperator, disableOperator, operatorStatus } from '../src/operator.mjs';
-import { loadObservabilityConsent, setObservabilityConsent } from '../src/observability.mjs';
-
-const __filename = url.fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-
-function printUsage() {
-  console.log(`wild-workspace v${APP_VERSION}
-
-Usage:
-  wild-workspace                  start the workspace server in the current directory
-  wild-workspace --port 5173      override port (default 5173)
-  wild-workspace --no-open        don't auto-open browser
-  wild-workspace --host 0.0.0.0   bind to all interfaces (for share-by-URL hosting)
-  wild-workspace daemon status                  is the bmo-sync daemon running?
-  wild-workspace daemon start                   start the sync daemon now
-  wild-workspace daemon stop                    stop the sync daemon
-  wild-workspace daemon conflicts list          list open conflicts
-  wild-workspace daemon conflicts show <wid> <path>     view one conflict
-  wild-workspace daemon conflicts resolve <wid> <path> <keep_mine|take_theirs>
-  wild-workspace login <payload>  bind this install to a slug
-                                  (paste the blob from workspace.venturewild.llc)
-  wild-workspace logout           clear the bound account (slug + token)
-  wild-workspace whoami           show the currently-bound account
-  wild-workspace rotate-token     mint a new account token; invalidates the old one
-  wild-workspace doctor [--share] diagnose this machine's install (✅/⚠️/❌ + logs)
-  wild-workspace logs [name] [--tail N]   list logs, or tail one (cli/server/daemon/…)
-  wild-workspace operator enable  let the wild-workspace team help with your install (mints a token)
-  wild-workspace operator disable revoke the support token
-  wild-workspace operator status  is the support channel on?
-  wild-workspace observability [on|off|status]   share session + install health so we can help (default on; never chat content)
-  wild-workspace service install  keep your workspace always-on (starts at login, no admin)
-  wild-workspace service uninstall   turn always-on off
-  wild-workspace service status   show always-on status (installed? supervisor? server?)
-  wild-workspace install          (info) how the sync daemon is managed
-  wild-workspace --help           this message
-  wild-workspace --version        print version
-
-The bmo-sync sync daemon starts automatically in the background when you run
-\`wild-workspace\`, and keeps running after you close the browser.
-
-Environment:
-  WILD_WORKSPACE_PORT, WILD_WORKSPACE_HOST,
-  WILD_WORKSPACE_DIR, WILD_WORKSPACE_DATA_DIR,
-  WILD_WORKSPACE_PARTNER_TOKEN, WILD_WORKSPACE_SHARE_SECRET,
-  WILD_WORKSPACE_NO_OPEN=1, WILD_WORKSPACE_DAEMON_AUTOSTART=0
-`);
-}
-
-function parseArgs(argv) {
-  const opts = {};
-  const positional = [];
-  for (let i = 0; i < argv.length; i++) {
-    const arg = argv[i];
-    if (arg === '--help' || arg === '-h') opts.help = true;
-    else if (arg === '--version' || arg === '-v') opts.version = true;
-    else if (arg === '--no-open') opts.openBrowser = false;
-    else if (arg === '--port') { opts.port = Number(argv[++i]); }
-    else if (arg === '--host') { opts.host = argv[++i]; }
-    else if (arg === '--workspace') { opts.workspaceDir = argv[++i]; }
-    else if (arg === '--tail') { opts.tail = Number(argv[++i]); }
-    else if (arg === '--share') { opts.share = true; }
-    else if (arg === '--rotate') { opts.rotate = true; }
-    else if (arg === '--kind') { opts.kind = argv[++i]; }
-    else if (arg === '--limit') { opts.limit = Number(argv[++i]); }
-    else if (arg.startsWith('--')) {
-      // ignore unknown flags
-    } else {
-      positional.push(arg);
-    }
-  }
-  opts.positional = positional;
-  return opts;
-}
-
-// `wild-workspace daemon [status|start|stop|conflicts ...]`
-async function runDaemonCommand(action = 'status', rest = []) {
-  const config = buildConfig({});
-  const sup = new DaemonSupervisor({
-    httpBase: config.daemonHttpUrl,
-    // b-ii: so `wild-workspace daemon start` also opens the proxy link.
-    accountToken: config.accountToken,
-    serverUrl: config.bmoSyncServerUrl,
-  });
-
-  if (action === 'conflicts') {
-    return runConflictsCommand(config, rest);
-  }
-  if (action === 'status') {
-    const s = await sup.status();
-    console.log(`bmo-sync daemon: ${s.running ? 'running' : 'stopped'}`);
-    console.log(`  api : ${s.httpBase}`);
-    if (s.pid) console.log(`  pid : ${s.pid}`);
-    console.log(`  log : ${s.logFile}`);
-    return;
-  }
-  if (action === 'start') {
-    const r = await sup.ensureRunning();
-    if (r.alreadyRunning) {
-      console.log('bmo-sync daemon: already running');
-    } else if (r.started) {
-      const healthy = await sup.waitForHealthy();
-      console.log(
-        healthy
-          ? `bmo-sync daemon: started (pid ${r.pid})`
-          : `bmo-sync daemon: launched (pid ${r.pid}) — not yet answering, check the log`,
-      );
-    } else if (r.error === 'daemon-binary-not-found') {
-      console.log('bmo-sync daemon: cannot start — the daemon binary is not installed.');
-      console.log('  build it from the bmo-sync workspace and place it under vendor/,');
-      console.log('  or install the @venturewild/workspace-daemon-<platform> package.');
-    } else {
-      console.log(`bmo-sync daemon: could not start — ${r.error}`);
-    }
-    return;
-  }
-  if (action === 'stop') {
-    const r = await sup.stop();
-    console.log(
-      r.stopped
-        ? `bmo-sync daemon: stopped (pid ${r.pid})`
-        : `bmo-sync daemon: not stopped — ${r.reason}`,
-    );
-    return;
-  }
-  console.log(`unknown daemon action: ${action}  (use status | start | stop | conflicts)`);
-}
-
-// `wild-workspace daemon conflicts [list|show <wid> <path>|resolve <wid> <path> <action>]`
-async function runConflictsCommand(config, args) {
-  const sync = new SyncControl({
-    daemonHttpUrl: config.daemonHttpUrl,
-    bmoSyncServerUrl: config.bmoSyncServerUrl,
-  });
-  const sub = (args[0] || 'list').toLowerCase();
-  if (sub === 'list' || !sub) {
-    const conflicts = await sync.listConflicts();
-    if (!conflicts.length) {
-      console.log('no open conflicts');
-      return;
-    }
-    console.log(`open conflicts: ${conflicts.length}`);
-    for (const c of conflicts) {
-      const detected = new Date((c.detectedAt || 0) * 1000).toISOString();
-      console.log(`  [${c.workspaceId}] ${c.path}`);
-      console.log(`    resolution     : ${c.resolution}`);
-      console.log(`    detected_at    : ${detected}`);
-      if (c.peerBackOfficePath) {
-        console.log(`    peer_bytes_at  : ${c.peerBackOfficePath}`);
-      }
-      if (c.mineSha256) console.log(`    mine_sha256    : ${c.mineSha256}`);
-      if (c.theirsSha256) console.log(`    theirs_sha256  : ${c.theirsSha256}`);
-    }
-    return;
-  }
-  if (sub === 'show') {
-    const wid = args[1];
-    const path = args[2];
-    if (!wid || !path) {
-      console.log('usage: wild-workspace daemon conflicts show <workspace_id> <path>');
-      return;
-    }
-    const view = await sync.viewConflict(wid, path);
-    if (!view) {
-      console.log(`no open conflict for ${wid}:${path}`);
-      return;
-    }
-    console.log(JSON.stringify(view, null, 2));
-    return;
-  }
-  if (sub === 'resolve') {
-    const wid = args[1];
-    const path = args[2];
-    const action = args[3];
-    if (!wid || !path || !action) {
-      console.log(
-        'usage: wild-workspace daemon conflicts resolve <workspace_id> <path> <keep_mine|take_theirs>',
-      );
-      return;
-    }
-    try {
-      await sync.resolveConflict(wid, path, action);
-      console.log(`resolved: ${wid}:${path} (${action})`);
-    } catch (e) {
-      console.error(`resolve failed: ${e.message || e}`);
-      process.exitCode = 1;
-    }
-    return;
-  }
-  console.log(
-    `unknown conflicts subcommand: ${sub}  (use list | show <wid> <path> | resolve <wid> <path> <action>)`,
-  );
-}
-
-// `wild-workspace login <base64url-payload>` — bind this install to a slug.
-// The payload comes from workspace.venturewild.llc on signup. It's an opaque
-// blob the user copies once; we decode + persist + print a friendly summary.
-async function runLoginCommand(args) {
-  if (!args.length) {
-    console.error('usage: wild-workspace login <payload>');
-    console.error('');
-    console.error('The payload is the blob you copied from workspace.venturewild.llc');
-    console.error('after claiming your slug. Run that signup, then come back here.');
-    process.exitCode = 1;
-    return;
-  }
-  // Trim the obvious "wild-workspace login " prefix in case the user pasted
-  // the whole command line, and surrounding quotes if a shell preserved them.
-  let payload = args.join(' ').trim();
-  payload = payload.replace(/^wild-workspace\s+login\s+/i, '').trim();
-  payload = payload.replace(/^['"]|['"]$/g, '');
-  let parsed;
-  try {
-    parsed = decodeLoginPayload(payload);
-  } catch (e) {
-    console.error(`Couldn't decode the login payload: ${e.message || e}`);
-    process.exitCode = 1;
-    return;
-  }
-  const config = buildConfig({});
-  let saved;
-  try {
-    saved = saveAccount(config.dataDir, parsed);
-  } catch (e) {
-    console.error(`Couldn't save account to ${config.dataDir}: ${e.message || e}`);
-    process.exitCode = 1;
-    return;
-  }
-  console.log(`✓ logged in as ${saved.email}`);
-  console.log(`  slug      : ${saved.slug}`);
-  console.log(`  url       : https://${saved.slug}.venturewild.llc  (once the tunnel is configured)`);
-  console.log(`  saved to  : ${config.dataDir}/account.json`);
-  console.log('');
-  console.log('Run `wild-workspace` in any folder to start your workspace.');
-
-  // Arm always-on so the workspace comes back on its own (best-effort — never
-  // blocks login). On a platform without autostart yet, just nudge the user.
-  try {
-    const svc = await installService({
-      node: process.execPath, cli: __filename, workspaceDir: config.workspaceDir, port: config.port, version: APP_VERSION,
-    });
-    if (svc.installed) console.log('  always-on : enabled — starts at login (disable: wild-workspace service uninstall)');
-    else if (svc.supported === false) console.log(`  always-on : not yet on ${svc.platform} — run \`wild-workspace\` to start it`);
-  } catch { /* never block login */ }
-}
-
-async function runLogoutCommand() {
-  const config = buildConfig({});
-  const before = loadAccount(config.dataDir);
-  const removed = clearAccount(config.dataDir);
-  if (!removed && !before) {
-    console.log('not logged in.');
-    return;
-  }
-  console.log(`logged out — cleared ${before?.email || 'account'} from ${config.dataDir}.`);
-}
-
-async function runRotateTokenCommand() {
-  const config = buildConfig({});
-  const account = loadAccount(config.dataDir);
-  if (!account) {
-    console.log('not logged in. Nothing to rotate.');
-    console.log('Run `wild-workspace login <payload>` after claiming a slug.');
-    process.exitCode = 1;
-    return;
-  }
-  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/account/rotate-token`;
-  let resp;
-  try {
-    resp = await fetch(url, {
-      method: 'POST',
-      headers: { authorization: `Bearer ${account.accountToken}` },
-    });
-  } catch (e) {
-    console.error(`Couldn't reach ${config.bmoSyncServerUrl}: ${e.message || e}`);
-    process.exitCode = 2;
-    return;
-  }
-  if (!resp.ok) {
-    let body;
-    try { body = await resp.text(); } catch { body = ''; }
-    console.error(`Rotate failed (HTTP ${resp.status}): ${body.slice(0, 200)}`);
-    process.exitCode = 1;
-    return;
-  }
-  let payload;
-  try {
-    payload = await resp.json();
-  } catch (e) {
-    console.error(`Server returned non-JSON: ${e.message || e}`);
-    process.exitCode = 1;
-    return;
-  }
-  if (!payload || !payload.account_token) {
-    console.error('Server response missing account_token. Aborting.');
-    process.exitCode = 1;
-    return;
-  }
-  const updated = {
-    ...account,
-    accountToken: payload.account_token,
-    loggedInAt: Date.now(),
-  };
-  try {
-    saveAccount(config.dataDir, updated);
-  } catch (e) {
-    console.error(`Got new token but failed to persist it: ${e.message || e}`);
-    console.error(`New token (save manually): ${payload.account_token}`);
-    process.exitCode = 1;
-    return;
-  }
-  console.log('✓ token rotated.');
-  console.log(`  slug      : ${updated.slug}`);
-  console.log(`  saved to  : ${config.dataDir}/account.json`);
-  console.log('');
-  console.log('Your daemon will reconnect with the new token automatically');
-  console.log('on its next restart. Run `wild-workspace daemon stop && wild-workspace`');
-  console.log('to force an immediate reconnect.');
-}
-
-async function runWhoamiCommand() {
-  const config = buildConfig({});
-  const account = loadAccount(config.dataDir);
-  if (!account) {
-    console.log('not logged in.');
-    console.log('Run `wild-workspace login <payload>` after claiming a slug at workspace.venturewild.llc.');
-    return;
-  }
-  console.log(`logged in as ${account.email}`);
-  console.log(`  slug      : ${account.slug}`);
-  console.log(`  accountId : ${account.accountId}`);
-  if (account.displayName) console.log(`  name      : ${account.displayName}`);
-  console.log(`  loggedIn  : ${new Date(account.loggedInAt).toISOString()}`);
-}
-
-// `wild-workspace doctor [--share]` — one diagnostic of this machine's install.
-// Prints ✅/⚠️/❌ per check + where the logs are, and writes a JSON bundle under
-// ~/.wild-workspace/diagnostics/. Exits non-zero if any check failed.
-async function runDoctorCommand(opts) {
-  const config = buildConfig(opts);
-  const report = await runDoctor({ config });
-  console.log(renderDoctor(report));
-  const bundle = writeDoctorBundle(report);
-  if (bundle) {
-    console.log('');
-    console.log(`Full report: ${bundle}`);
-  }
-  if (opts.share) {
-    const shared = await shareDoctor(config, report);
-    console.log(
-      shared.ok
-        ? '✓ shared with the wild-workspace team — they can see this diagnostic now.'
-        : `Couldn't auto-share (${shared.reason}). Send the file above instead.`,
-    );
-  }
-  process.exitCode = report.summary.fail > 0 ? 1 : 0;
-}
-
-// Upload a doctor report to bmo-sync. `--share` is an explicit user action, so it
-// goes even if the passive observability feed is off — but still respects the
-// hard kill switch and needs an account to key it to.
-async function shareDoctor(config, report) {
-  if (!config.accountToken) return { ok: false, reason: 'not logged in' };
-  if (process.env.WILD_WORKSPACE_NO_TELEMETRY === '1') return { ok: false, reason: 'telemetry disabled' };
-  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/telemetry`;
-  const ctrl = new AbortController();
-  const t = setTimeout(() => ctrl.abort(), 5000);
-  try {
-    const res = await fetch(url, {
-      method: 'POST',
-      headers: { 'content-type': 'application/json' },
-      body: JSON.stringify({
-        account_token: config.accountToken,
-        slug: config.account?.slug || null,
-        workspace_id: config.workspaceId,
-        kind: 'doctor-share',
-        doctor: report,
-        sent_at: Math.floor(Date.now() / 1000),
-      }),
-      signal: ctrl.signal,
-    });
-    return { ok: res.ok, reason: res.ok ? null : `HTTP ${res.status}` };
-  } catch (e) {
-    return { ok: false, reason: String(e?.message || e) };
-  } finally {
-    clearTimeout(t);
-  }
-}
-
-// `wild-workspace logs [name] [--tail N]` — list the logs, or tail one by name.
-async function runLogsCommand(opts) {
-  const name = opts.positional[1];
-  const n = opts.tail || 40;
-  const logs = listLogs();
-  if (!name) {
-    console.log(`logs dir: ${path.dirname(logs[0].file)}`);
-    for (const l of logs) {
-      console.log(`  ${l.name.padEnd(10)} ${l.exists ? `${l.size} bytes` : '(none yet)'}  ${l.file}`);
-    }
-    console.log('');
-    console.log(`Show one: wild-workspace logs <name> [--tail N]   (names: ${logs.map((l) => l.name).join(', ')})`);
-    return;
-  }
-  const match = logs.find((l) => l.name === name);
-  if (!match) {
-    console.log(`unknown log "${name}". names: ${logs.map((l) => l.name).join(', ')}`);
-    process.exitCode = 1;
-    return;
-  }
-  console.log(`# ${match.name} — ${match.file} (last ${n} lines)`);
-  console.log(tailFile(match.file, n) || '(empty)');
-}
-
-// `wild-workspace ops <slug>` — OPERATOR read of a user's observability feed.
-// Reads the bmo-sync admin endpoint with the admin key at ~/.bmo-sync-admin-key
-// (so it only works on an operator's machine). This is how we see a stuck/broken
-// user without them having to ask. Filters: --kind feed|install-down|transcript,
-// --limit N.
-async function runOpsCommand(opts) {
-  const slug = opts.positional[1];
-  if (!slug) {
-    console.error('usage: wild-workspace ops <slug> [--kind feed|install-down|transcript] [--limit N]');
-    process.exitCode = 1;
-    return;
-  }
-  const config = buildConfig(opts);
-  const keyPath = path.join(os.homedir(), '.bmo-sync-admin-key');
-  let adminKey;
-  try {
-    adminKey = readFileSync(keyPath, 'utf8').trim();
-  } catch {
-    console.error(`No admin key at ${keyPath} — \`ops\` is an operator-only command.`);
-    process.exitCode = 1;
-    return;
-  }
-  const params = new URLSearchParams();
-  if (opts.kind) params.set('kind', opts.kind);
-  params.set('limit', String(opts.limit || 50));
-  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/admin/accounts/${encodeURIComponent(slug)}/activity?${params}`;
-  let res;
-  try {
-    res = await fetch(url, { headers: { 'x-admin-key': adminKey } });
-  } catch (e) {
-    console.error(`Couldn't reach ${config.bmoSyncServerUrl}: ${e.message || e}`);
-    process.exitCode = 2;
-    return;
-  }
-  if (res.status === 404) {
-    console.log(`No account/slug "${slug}" yet (unclaimed, or it hasn't reported).`);
-    return;
-  }
-  if (res.status === 403 || res.status === 401) {
-    console.error('admin key rejected.');
-    process.exitCode = 1;
-    return;
-  }
-  if (!res.ok) {
-    console.error(`HTTP ${res.status}`);
-    process.exitCode = 1;
-    return;
-  }
-  const data = await res.json();
-  console.log(`account ${data.account_id}${data.slug ? ` (${data.slug})` : ''} — ${data.count} recent event(s)`);
-  for (const r of data.rows || []) {
-    const when = new Date((r.reported_at || 0) * 1000).toISOString();
-    let detail = '';
-    if (r.kind === 'feed' && Array.isArray(r.payload?.events)) {
-      const counts = {};
-      for (const e of r.payload.events) counts[e.type] = (counts[e.type] || 0) + 1;
-      detail = Object.entries(counts).map(([k, v]) => `${k}×${v}`).join(' ');
-    } else if ((r.kind === 'install-down' || r.kind === 'doctor-share') && r.payload?.doctor?.summary) {
-      const s = r.payload.doctor.summary;
-      detail = `doctor: ${s.fail} fail / ${s.warn} warn`;
-    } else if (r.kind === 'transcript') {
-      detail = `transcript ${r.payload?.date || ''} (${(r.payload?.markdown || '').length} chars)`;
-    }
-    console.log(`  ${when}  [${r.kind}]${r.os ? ` ${r.os}` : ''}  ${detail}`);
-  }
-}
-
-// `wild-workspace observability [on|off|status]` — the consented session +
-// install-health feed (default ON). Streams WHAT happened + install health to the
-// Venturewild team so they can help if something breaks — never your chat words
-// (that's the separate transcript channel). See observability.mjs.
-async function runObservabilityCommand(action = 'status', opts = {}) {
-  const config = buildConfig(opts);
-  if (action === 'on' || action === 'off') {
-    const rec = setObservabilityConsent(config.dataDir, action === 'on');
-    console.log(
-      rec.enabled
-        ? '✓ observability ON — the Venturewild team can see how your workspace is doing'
-        : '✓ observability OFF — no session/health feed leaves this machine.',
-    );
-    if (rec.enabled) {
-      console.log('  (events + install health only — never your chat content)');
-    }
-    console.log('  Applies the next time your workspace starts (or toggle it live in the app).');
-    return;
-  }
-  const rec = loadObservabilityConsent(config.dataDir);
-  console.log(`observability: ${rec.enabled ? 'ON' : 'OFF'}${rec.decidedAt ? '' : ' (default)'}`);
-  console.log('  what : events + install health → lets us help if something breaks (never chat content)');
-  console.log('  toggle: wild-workspace observability on | off');
-  return;
-}
-
-// `wild-workspace operator [enable|disable|status]` — the consented support
-// channel (docs/SECURITY.md). OFF by default; `enable` mints a token to hand to
-// the wild-workspace team so they can diagnose + run a fixed set of safe fixes.
-async function runOperatorCommand(action = 'status', opts = {}) {
-  const config = buildConfig(opts);
-  if (action === 'enable') {
-    const token = enableOperator(config.dataDir, { rotate: opts.rotate });
-    if (!token) {
-      console.error(`Could not enable operator channel (couldn't write to ${config.dataDir}).`);
-      process.exitCode = 1;
-      return;
-    }
-    const slug = config.account?.slug;
-    console.log('✓ operator channel enabled (consented support access).');
-    console.log(`  token : ${token}`);
-    console.log('  Share this token with the wild-workspace team so they can help with your install.');
-    if (slug) console.log(`  reach : https://${slug}.venturewild.llc/api/operator/diag  (Authorization: Bearer <token>)`);
-    console.log('  off   : wild-workspace operator disable');
-    console.log('');
-    console.log('  Scope: read diagnostics + a fixed set of safe fixes (restart sync, re-detect');
-    console.log('  Claude, re-link your account, reinstall the sync daemon). It cannot run');
-    console.log('  arbitrary commands or drive your agent, and every action is logged.');
-    return;
-  }
-  if (action === 'disable') {
-    const removed = disableOperator(config.dataDir);
-    console.log(removed ? '✓ operator channel disabled (token revoked).' : 'operator channel was not enabled.');
-    return;
-  }
-  if (action === 'status') {
-    const s = operatorStatus(config.dataDir);
-    console.log(`operator channel: ${s.enabled ? 'ENABLED' : 'disabled'}`);
-    console.log(`  token file: ${s.file}`);
-    console.log(s.enabled ? '  disable   : wild-workspace operator disable' : '  enable    : wild-workspace operator enable');
-    return;
-  }
-  console.log(`unknown operator action: ${action}  (use enable | disable | status)`);
-}
-
-// `wild-workspace service [install|uninstall|status|run]` — the always-on
-// autostart (docs/always-on-design.md). `run` is the HIDDEN supervisor entry
-// the per-OS launcher invokes at login; the others manage registration. All
-// per-user, no admin.
-// The URL to open for the LOCAL owner. A slug-linked install runs in public
-// mode (the server denies anon — C1), so the owner must authenticate: append
-// the partner token, which the SPA immediately exchanges for an HttpOnly cookie
-// and strips from the address bar (S1). A localhost-only install needs no token.
-// The token is only ever placed in the URL we hand the browser — never printed.
-function localBrowserUrl(config) {
-  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
-  const base = `http://${host}:${config.port}`;
-  return config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base;
-}
-
-async function runServiceCommand(action = 'status', opts = {}) {
-  const config = buildConfig(opts);
-
-  if (action === 'install') {
-    const r = await installService({
-      node: process.execPath, cli: __filename, workspaceDir: config.workspaceDir, port: config.port, version: APP_VERSION,
-    });
-    if (!r.installed) {
-      console.log(`service install: ${r.message || 'not supported on this platform'}`);
-      process.exitCode = 1;
-      return;
-    }
-    console.log('✓ always-on enabled — your workspace starts automatically at login.');
-    console.log(`  mechanism : ${r.mechanism} (per-user, no admin)`);
-    console.log(`  launcher  : ${r.launcher || r.vbs}`);
-    console.log(`  workspace : ${config.workspaceDir}`);
-    if (r.note) console.log(`  note      : ${r.note}`);
-    console.log('  disable   : wild-workspace service uninstall');
-    return;
-  }
-
-  if (action === 'uninstall') {
-    const r = await uninstallService();
-    if (r.supported === false) { console.log(`service: nothing to do — autostart not implemented for ${r.platform} yet`); return; }
-    console.log(`✓ always-on disabled${r.removedKey ? '' : ' (no autostart entry was set)'}${r.stoppedPid ? ` — stopped supervisor pid ${r.stoppedPid}` : ''}.`);
-    return;
-  }
-
-  if (action === 'status') {
-    const s = await serviceStatus({ port: config.port }, { probeImpl: (p) => probeHealth(p) });
-    if (s.supported === false) { console.log(`always-on: autostart not implemented for ${s.platform} yet (run \`wild-workspace\` manually)`); return; }
-    console.log(`always-on   : ${s.installed ? 'installed' : 'NOT installed'}`);
-    if (s.runValue) console.log(`  run entry : ${s.runValue}`);
-    console.log(`  supervisor: ${s.supervisorAlive ? `running (pid ${s.supervisorPid})` : 'not running'}`);
-    console.log(`  server    : ${s.serverUp ? `up on http://127.0.0.1:${config.port}` : 'down'}`);
-    return;
-  }
-
-  if (action === 'run') {
-    // Hidden entrypoint launched by the autostart VBS at login. The OS gives us
-    // an arbitrary cwd, so read the workspace dir persisted at install time.
-    let svc = {};
-    try { svc = JSON.parse(readFileSync(path.join(globalDir(), 'service.json'), 'utf8')); } catch { /* fall back to config */ }
-    const sup = new WorkspaceSupervisor({
-      workspaceDir: svc.workspaceDir || config.workspaceDir,
-      port: svc.port || config.port,
-    });
-    const r = sup.start();
-    if (!r.started) process.exit(0); // another supervisor already owns the lock
-    // else: the supervision interval keeps this process alive.
-    return;
-  }
-
-  console.log(`unknown service action: ${action}  (use install | uninstall | status | run)`);
-}
-
-async function main() {
-  // First-run capture: log every invocation BEFORE doing anything, so even a
-  // crash-on-start leaves a trace we (or `wild-workspace doctor`) can read.
-  appendLine('cli', `invoke argv=[${process.argv.slice(2).join(' ')}] cwd=${process.cwd()} node=${process.version} v${APP_VERSION}`);
-  const opts = parseArgs(process.argv.slice(2));
-  if (opts.help) return printUsage();
-  if (opts.version) { console.log(APP_VERSION); return; }
-
-  if (opts.positional[0] === 'daemon') {
-    return runDaemonCommand(opts.positional[1], opts.positional.slice(2));
-  }
-
-  if (opts.positional[0] === 'login') {
-    return runLoginCommand(opts.positional.slice(1));
-  }
-  if (opts.positional[0] === 'logout') {
-    return runLogoutCommand();
-  }
-  if (opts.positional[0] === 'whoami') {
-    return runWhoamiCommand();
-  }
-  if (opts.positional[0] === 'rotate-token') {
-    return runRotateTokenCommand();
-  }
-  if (opts.positional[0] === 'doctor') {
-    return runDoctorCommand(opts);
-  }
-  if (opts.positional[0] === 'logs') {
-    return runLogsCommand(opts);
-  }
-  if (opts.positional[0] === 'operator') {
-    return runOperatorCommand(opts.positional[1], opts);
-  }
-  if (opts.positional[0] === 'observability') {
-    return runObservabilityCommand(opts.positional[1], opts);
-  }
-  if (opts.positional[0] === 'ops') {
-    return runOpsCommand(opts);
-  }
-  if (opts.positional[0] === 'service') {
-    return runServiceCommand(opts.positional[1], opts);
-  }
-
-  if (opts.positional[0] === 'install') {
-    console.log('wild-workspace manages the bmo-sync sync daemon for you.');
-    console.log('');
-    console.log('It starts automatically in the background whenever you run');
-    console.log('`wild-workspace`, and keeps running after you close the browser —');
-    console.log('so there is no separate install step.');
-    console.log('');
-    console.log('  wild-workspace daemon status   check whether it is running');
-    console.log('  wild-workspace daemon stop     stop it');
-    return;
-  }
-  if (opts.positional[0] === 'share') {
-    console.log('Use the in-app Share button to issue viewer URLs. CLI share command is v1.x.');
-    return;
-  }
-
-  // If a workspace server is already serving this port — always-on started it at
-  // login, or another `wild-workspace` is running — don't fight it for the socket
-  // (createServer would reject on EADDRINUSE and crash). Just open the browser to
-  // the one already up. This is the common case now that always-on is real.
-  {
-    const probeCfg = buildConfig(opts);
-    if (await probeHealth(probeCfg.port)) {
-      const host = probeCfg.host === '0.0.0.0' ? '127.0.0.1' : probeCfg.host;
-      const displayUrl = `http://${host}:${probeCfg.port}`; // shown without the token
-      console.log(`\n  wild-workspace is already running at ${displayUrl}`);
-      if (probeCfg.openBrowser) {
-        console.log('  opening it in your browser…');
-        try { const open = (await import('open')).default; await open(localBrowserUrl(probeCfg)); } catch { /* best-effort */ }
-      }
-      return;
-    }
-  }
-
-  const server = await createServer(opts);
-  const { config } = server;
-  console.log(`\n  wild-workspace v${APP_VERSION}`);
-  console.log(`  workspace : ${config.workspaceDir}`);
-  console.log(`  url       : http://${config.host}:${config.port}`);
-  console.log(`  agent     : ${server.getActiveAgent()?.label || '(none detected — install Claude Code: npm i -g @anthropic-ai/claude-code)'}`);
-
-  // Report how the sync daemon's autostart went (best-effort — never fatal).
-  try {
-    const d = await server.daemonReady;
-    if (d.alreadyRunning) console.log('  sync      : bmo-sync daemon already running');
-    else if (d.started) console.log(`  sync      : bmo-sync daemon started (pid ${d.pid})`);
-    else if (d.skipped) console.log('  sync      : daemon autostart disabled');
-    else if (d.error === 'daemon-binary-not-found')
-      console.log('  sync      : daemon binary not installed — sync is off (see `wild-workspace daemon`)');
-    else if (d.error) console.log(`  sync      : daemon did not start — ${d.error}`);
-  } catch {}
-  console.log('');
-
-  if (config.publicMode) {
-    // Public mode denies anon — tell the owner how to reach it authenticated.
-    console.log(`  mode      : PUBLIC — opening with a one-time sign-in token`);
-  }
-  if (config.openBrowser) {
-    try {
-      const open = (await import('open')).default;
-      open(localBrowserUrl(config));
-    } catch {}
-  }
-
-  // Hard safety net: even if stop() ever wedges, never leave the user staring at
-  // "shutting down…". Unref'd so the timer itself doesn't keep us alive.
-  const forceExitSoon = () => { setTimeout(() => process.exit(0), 3000).unref(); };
-  process.on('SIGINT', async () => {
-    console.log('\nshutting down…');
-    forceExitSoon();
-    try { await server.stop(); } catch {}
-    process.exit(0);
-  });
-  process.on('SIGTERM', async () => { forceExitSoon(); try { await server.stop(); } catch {} process.exit(0); });
-}
-
-main().catch((err) => {
-  appendLine('cli', `FATAL ${err?.stack || err}`);
-  console.error('wild-workspace failed:', err);
-  process.exit(1);
-});
+#!/usr/bin/env node
+// `wild-workspace` CLI entry — the bin field in package.json.
+// Starts the workspace server; also exposes a `daemon` subcommand for
+// inspecting / controlling the bmo-sync sync daemon.
+
+import path from 'node:path';
+import url from 'node:url';
+import os from 'node:os';
+import { createServer } from '../src/index.mjs';
+import { APP_VERSION, buildConfig } from '../src/config.mjs';
+import { DaemonSupervisor } from '../src/daemon-supervisor.mjs';
+import { SyncControl } from '../src/sync.mjs';
+import {
+  decodeLoginPayload,
+  saveAccount,
+  loadAccount,
+  clearAccount,
+} from '../src/account.mjs';
+import { readFileSync } from 'node:fs';
+import { WorkspaceSupervisor, probeHealth } from '../src/supervisor.mjs';
+import { installService, uninstallService, serviceStatus, globalDir } from '../src/service.mjs';
+import { appendLine, listLogs, tailFile } from '../src/logpaths.mjs';
+import { runDoctor, renderDoctor, writeDoctorBundle } from '../src/doctor.mjs';
+import { enableOperator, disableOperator, operatorStatus } from '../src/operator.mjs';
+import { loadObservabilityConsent, setObservabilityConsent } from '../src/observability.mjs';
+
+const __filename = url.fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+function printUsage() {
+  console.log(`wild-workspace v${APP_VERSION}
+
+Usage:
+  wild-workspace                  start the workspace server in the current directory
+  wild-workspace --port 5173      override port (default 5173)
+  wild-workspace --no-open        don't auto-open browser
+  wild-workspace --host 0.0.0.0   bind to all interfaces (for share-by-URL hosting)
+  wild-workspace daemon status                  is the bmo-sync daemon running?
+  wild-workspace daemon start                   start the sync daemon now
+  wild-workspace daemon stop                    stop the sync daemon
+  wild-workspace daemon conflicts list          list open conflicts
+  wild-workspace daemon conflicts show <wid> <path>     view one conflict
+  wild-workspace daemon conflicts resolve <wid> <path> <keep_mine|take_theirs>
+  wild-workspace login <payload>  bind this install to a slug
+                                  (paste the blob from workspace.venturewild.llc)
+  wild-workspace logout           clear the bound account (slug + token)
+  wild-workspace whoami           show the currently-bound account
+  wild-workspace rotate-token     mint a new account token; invalidates the old one
+  wild-workspace doctor [--share] diagnose this machine's install (✅/⚠️/❌ + logs)
+  wild-workspace logs [name] [--tail N]   list logs, or tail one (cli/server/daemon/…)
+  wild-workspace operator enable  let the wild-workspace team help with your install (mints a token)
+  wild-workspace operator disable revoke the support token
+  wild-workspace operator status  is the support channel on?
+  wild-workspace observability [on|off|status]   share session + install health so we can help (default on; never chat content)
+  wild-workspace service install  keep your workspace always-on (starts at login, no admin)
+  wild-workspace service uninstall   turn always-on off
+  wild-workspace service status   show always-on status (installed? supervisor? server?)
+  wild-workspace install          (info) how the sync daemon is managed
+  wild-workspace --help           this message
+  wild-workspace --version        print version
+
+The bmo-sync sync daemon starts automatically in the background when you run
+\`wild-workspace\`, and keeps running after you close the browser.
+
+Environment:
+  WILD_WORKSPACE_PORT, WILD_WORKSPACE_HOST,
+  WILD_WORKSPACE_DIR, WILD_WORKSPACE_DATA_DIR,
+  WILD_WORKSPACE_PARTNER_TOKEN, WILD_WORKSPACE_SHARE_SECRET,
+  WILD_WORKSPACE_NO_OPEN=1, WILD_WORKSPACE_DAEMON_AUTOSTART=0
+`);
+}
+
+function parseArgs(argv) {
+  const opts = {};
+  const positional = [];
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === '--help' || arg === '-h') opts.help = true;
+    else if (arg === '--version' || arg === '-v') opts.version = true;
+    else if (arg === '--no-open') opts.openBrowser = false;
+    else if (arg === '--port') { opts.port = Number(argv[++i]); }
+    else if (arg === '--host') { opts.host = argv[++i]; }
+    else if (arg === '--workspace') { opts.workspaceDir = argv[++i]; }
+    else if (arg === '--tail') { opts.tail = Number(argv[++i]); }
+    else if (arg === '--share') { opts.share = true; }
+    else if (arg === '--rotate') { opts.rotate = true; }
+    else if (arg === '--kind') { opts.kind = argv[++i]; }
+    else if (arg === '--limit') { opts.limit = Number(argv[++i]); }
+    else if (arg.startsWith('--')) {
+      // ignore unknown flags
+    } else {
+      positional.push(arg);
+    }
+  }
+  opts.positional = positional;
+  return opts;
+}
+
+// `wild-workspace daemon [status|start|stop|conflicts ...]`
+async function runDaemonCommand(action = 'status', rest = []) {
+  const config = buildConfig({});
+  const sup = new DaemonSupervisor({
+    httpBase: config.daemonHttpUrl,
+    // b-ii: so `wild-workspace daemon start` also opens the proxy link.
+    accountToken: config.accountToken,
+    serverUrl: config.bmoSyncServerUrl,
+  });
+
+  if (action === 'conflicts') {
+    return runConflictsCommand(config, rest);
+  }
+  if (action === 'status') {
+    const s = await sup.status();
+    console.log(`bmo-sync daemon: ${s.running ? 'running' : 'stopped'}`);
+    console.log(`  api : ${s.httpBase}`);
+    if (s.pid) console.log(`  pid : ${s.pid}`);
+    console.log(`  log : ${s.logFile}`);
+    return;
+  }
+  if (action === 'start') {
+    const r = await sup.ensureRunning();
+    if (r.alreadyRunning) {
+      console.log('bmo-sync daemon: already running');
+    } else if (r.started) {
+      const healthy = await sup.waitForHealthy();
+      console.log(
+        healthy
+          ? `bmo-sync daemon: started (pid ${r.pid})`
+          : `bmo-sync daemon: launched (pid ${r.pid}) — not yet answering, check the log`,
+      );
+    } else if (r.error === 'daemon-binary-not-found') {
+      console.log('bmo-sync daemon: cannot start — the daemon binary is not installed.');
+      console.log('  build it from the bmo-sync workspace and place it under vendor/,');
+      console.log('  or install the @venturewild/workspace-daemon-<platform> package.');
+    } else {
+      console.log(`bmo-sync daemon: could not start — ${r.error}`);
+    }
+    return;
+  }
+  if (action === 'stop') {
+    const r = await sup.stop();
+    console.log(
+      r.stopped
+        ? `bmo-sync daemon: stopped (pid ${r.pid})`
+        : `bmo-sync daemon: not stopped — ${r.reason}`,
+    );
+    return;
+  }
+  console.log(`unknown daemon action: ${action}  (use status | start | stop | conflicts)`);
+}
+
+// `wild-workspace daemon conflicts [list|show <wid> <path>|resolve <wid> <path> <action>]`
+async function runConflictsCommand(config, args) {
+  const sync = new SyncControl({
+    daemonHttpUrl: config.daemonHttpUrl,
+    bmoSyncServerUrl: config.bmoSyncServerUrl,
+  });
+  const sub = (args[0] || 'list').toLowerCase();
+  if (sub === 'list' || !sub) {
+    const conflicts = await sync.listConflicts();
+    if (!conflicts.length) {
+      console.log('no open conflicts');
+      return;
+    }
+    console.log(`open conflicts: ${conflicts.length}`);
+    for (const c of conflicts) {
+      const detected = new Date((c.detectedAt || 0) * 1000).toISOString();
+      console.log(`  [${c.workspaceId}] ${c.path}`);
+      console.log(`    resolution     : ${c.resolution}`);
+      console.log(`    detected_at    : ${detected}`);
+      if (c.peerBackOfficePath) {
+        console.log(`    peer_bytes_at  : ${c.peerBackOfficePath}`);
+      }
+      if (c.mineSha256) console.log(`    mine_sha256    : ${c.mineSha256}`);
+      if (c.theirsSha256) console.log(`    theirs_sha256  : ${c.theirsSha256}`);
+    }
+    return;
+  }
+  if (sub === 'show') {
+    const wid = args[1];
+    const path = args[2];
+    if (!wid || !path) {
+      console.log('usage: wild-workspace daemon conflicts show <workspace_id> <path>');
+      return;
+    }
+    const view = await sync.viewConflict(wid, path);
+    if (!view) {
+      console.log(`no open conflict for ${wid}:${path}`);
+      return;
+    }
+    console.log(JSON.stringify(view, null, 2));
+    return;
+  }
+  if (sub === 'resolve') {
+    const wid = args[1];
+    const path = args[2];
+    const action = args[3];
+    if (!wid || !path || !action) {
+      console.log(
+        'usage: wild-workspace daemon conflicts resolve <workspace_id> <path> <keep_mine|take_theirs>',
+      );
+      return;
+    }
+    try {
+      await sync.resolveConflict(wid, path, action);
+      console.log(`resolved: ${wid}:${path} (${action})`);
+    } catch (e) {
+      console.error(`resolve failed: ${e.message || e}`);
+      process.exitCode = 1;
+    }
+    return;
+  }
+  console.log(
+    `unknown conflicts subcommand: ${sub}  (use list | show <wid> <path> | resolve <wid> <path> <action>)`,
+  );
+}
+
+// `wild-workspace login <base64url-payload>` — bind this install to a slug.
+// The payload comes from workspace.venturewild.llc on signup. It's an opaque
+// blob the user copies once; we decode + persist + print a friendly summary.
+async function runLoginCommand(args) {
+  if (!args.length) {
+    console.error('usage: wild-workspace login <payload>');
+    console.error('');
+    console.error('The payload is the blob you copied from workspace.venturewild.llc');
+    console.error('after claiming your slug. Run that signup, then come back here.');
+    process.exitCode = 1;
+    return;
+  }
+  // Trim the obvious "wild-workspace login " prefix in case the user pasted
+  // the whole command line, and surrounding quotes if a shell preserved them.
+  let payload = args.join(' ').trim();
+  payload = payload.replace(/^wild-workspace\s+login\s+/i, '').trim();
+  payload = payload.replace(/^['"]|['"]$/g, '');
+  let parsed;
+  try {
+    parsed = decodeLoginPayload(payload);
+  } catch (e) {
+    console.error(`Couldn't decode the login payload: ${e.message || e}`);
+    process.exitCode = 1;
+    return;
+  }
+  const config = buildConfig({});
+  let saved;
+  try {
+    saved = saveAccount(config.dataDir, parsed);
+  } catch (e) {
+    console.error(`Couldn't save account to ${config.dataDir}: ${e.message || e}`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log(`✓ logged in as ${saved.email}`);
+  console.log(`  slug      : ${saved.slug}`);
+  console.log(`  url       : https://${saved.slug}.venturewild.llc  (once the tunnel is configured)`);
+  console.log(`  saved to  : ${config.dataDir}/account.json`);
+  console.log('');
+  console.log('Run `wild-workspace` in any folder to start your workspace.');
+
+  // Arm always-on so the workspace comes back on its own (best-effort — never
+  // blocks login). On a platform without autostart yet, just nudge the user.
+  try {
+    const svc = await installService({
+      node: process.execPath, cli: __filename, workspaceDir: config.workspaceDir, port: config.port, version: APP_VERSION,
+    });
+    if (svc.installed) console.log('  always-on : enabled — starts at login (disable: wild-workspace service uninstall)');
+    else if (svc.supported === false) console.log(`  always-on : not yet on ${svc.platform} — run \`wild-workspace\` to start it`);
+  } catch { /* never block login */ }
+}
+
+async function runLogoutCommand() {
+  const config = buildConfig({});
+  const before = loadAccount(config.dataDir);
+  const removed = clearAccount(config.dataDir);
+  if (!removed && !before) {
+    console.log('not logged in.');
+    return;
+  }
+  console.log(`logged out — cleared ${before?.email || 'account'} from ${config.dataDir}.`);
+}
+
+async function runRotateTokenCommand() {
+  const config = buildConfig({});
+  const account = loadAccount(config.dataDir);
+  if (!account) {
+    console.log('not logged in. Nothing to rotate.');
+    console.log('Run `wild-workspace login <payload>` after claiming a slug.');
+    process.exitCode = 1;
+    return;
+  }
+  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/account/rotate-token`;
+  let resp;
+  try {
+    resp = await fetch(url, {
+      method: 'POST',
+      headers: { authorization: `Bearer ${account.accountToken}` },
+    });
+  } catch (e) {
+    console.error(`Couldn't reach ${config.bmoSyncServerUrl}: ${e.message || e}`);
+    process.exitCode = 2;
+    return;
+  }
+  if (!resp.ok) {
+    let body;
+    try { body = await resp.text(); } catch { body = ''; }
+    console.error(`Rotate failed (HTTP ${resp.status}): ${body.slice(0, 200)}`);
+    process.exitCode = 1;
+    return;
+  }
+  let payload;
+  try {
+    payload = await resp.json();
+  } catch (e) {
+    console.error(`Server returned non-JSON: ${e.message || e}`);
+    process.exitCode = 1;
+    return;
+  }
+  if (!payload || !payload.account_token) {
+    console.error('Server response missing account_token. Aborting.');
+    process.exitCode = 1;
+    return;
+  }
+  const updated = {
+    ...account,
+    accountToken: payload.account_token,
+    loggedInAt: Date.now(),
+  };
+  try {
+    saveAccount(config.dataDir, updated);
+  } catch (e) {
+    console.error(`Got new token but failed to persist it: ${e.message || e}`);
+    console.error(`New token (save manually): ${payload.account_token}`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log('✓ token rotated.');
+  console.log(`  slug      : ${updated.slug}`);
+  console.log(`  saved to  : ${config.dataDir}/account.json`);
+  console.log('');
+  console.log('Your daemon will reconnect with the new token automatically');
+  console.log('on its next restart. Run `wild-workspace daemon stop && wild-workspace`');
+  console.log('to force an immediate reconnect.');
+}
+
+async function runWhoamiCommand() {
+  const config = buildConfig({});
+  const account = loadAccount(config.dataDir);
+  if (!account) {
+    console.log('not logged in.');
+    console.log('Run `wild-workspace login <payload>` after claiming a slug at workspace.venturewild.llc.');
+    return;
+  }
+  console.log(`logged in as ${account.email}`);
+  console.log(`  slug      : ${account.slug}`);
+  console.log(`  accountId : ${account.accountId}`);
+  if (account.displayName) console.log(`  name      : ${account.displayName}`);
+  console.log(`  loggedIn  : ${new Date(account.loggedInAt).toISOString()}`);
+}
+
+// `wild-workspace doctor [--share]` — one diagnostic of this machine's install.
+// Prints ✅/⚠️/❌ per check + where the logs are, and writes a JSON bundle under
+// ~/.wild-workspace/diagnostics/. Exits non-zero if any check failed.
+async function runDoctorCommand(opts) {
+  const config = buildConfig(opts);
+  const report = await runDoctor({ config });
+  console.log(renderDoctor(report));
+  const bundle = writeDoctorBundle(report);
+  if (bundle) {
+    console.log('');
+    console.log(`Full report: ${bundle}`);
+  }
+  if (opts.share) {
+    const shared = await shareDoctor(config, report);
+    console.log(
+      shared.ok
+        ? '✓ shared with the wild-workspace team — they can see this diagnostic now.'
+        : `Couldn't auto-share (${shared.reason}). Send the file above instead.`,
+    );
+  }
+  process.exitCode = report.summary.fail > 0 ? 1 : 0;
+}
+
+// Upload a doctor report to bmo-sync. `--share` is an explicit user action, so it
+// goes even if the passive observability feed is off — but still respects the
+// hard kill switch and needs an account to key it to.
+async function shareDoctor(config, report) {
+  if (!config.accountToken) return { ok: false, reason: 'not logged in' };
+  if (process.env.WILD_WORKSPACE_NO_TELEMETRY === '1') return { ok: false, reason: 'telemetry disabled' };
+  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/telemetry`;
+  const ctrl = new AbortController();
+  const t = setTimeout(() => ctrl.abort(), 5000);
+  try {
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({
+        account_token: config.accountToken,
+        slug: config.account?.slug || null,
+        workspace_id: config.workspaceId,
+        kind: 'doctor-share',
+        doctor: report,
+        sent_at: Math.floor(Date.now() / 1000),
+      }),
+      signal: ctrl.signal,
+    });
+    return { ok: res.ok, reason: res.ok ? null : `HTTP ${res.status}` };
+  } catch (e) {
+    return { ok: false, reason: String(e?.message || e) };
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+// `wild-workspace logs [name] [--tail N]` — list the logs, or tail one by name.
+async function runLogsCommand(opts) {
+  const name = opts.positional[1];
+  const n = opts.tail || 40;
+  const logs = listLogs();
+  if (!name) {
+    console.log(`logs dir: ${path.dirname(logs[0].file)}`);
+    for (const l of logs) {
+      console.log(`  ${l.name.padEnd(10)} ${l.exists ? `${l.size} bytes` : '(none yet)'}  ${l.file}`);
+    }
+    console.log('');
+    console.log(`Show one: wild-workspace logs <name> [--tail N]   (names: ${logs.map((l) => l.name).join(', ')})`);
+    return;
+  }
+  const match = logs.find((l) => l.name === name);
+  if (!match) {
+    console.log(`unknown log "${name}". names: ${logs.map((l) => l.name).join(', ')}`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log(`# ${match.name} — ${match.file} (last ${n} lines)`);
+  console.log(tailFile(match.file, n) || '(empty)');
+}
+
+// `wild-workspace ops <slug>` — OPERATOR read of a user's observability feed.
+// Reads the bmo-sync admin endpoint with the admin key at ~/.bmo-sync-admin-key
+// (so it only works on an operator's machine). This is how we see a stuck/broken
+// user without them having to ask. Filters: --kind feed|install-down|transcript,
+// --limit N.
+async function runOpsCommand(opts) {
+  const slug = opts.positional[1];
+  if (!slug) {
+    console.error('usage: wild-workspace ops <slug> [--kind feed|install-down|transcript] [--limit N]');
+    process.exitCode = 1;
+    return;
+  }
+  const config = buildConfig(opts);
+  const keyPath = path.join(os.homedir(), '.bmo-sync-admin-key');
+  let adminKey;
+  try {
+    adminKey = readFileSync(keyPath, 'utf8').trim();
+  } catch {
+    console.error(`No admin key at ${keyPath} — \`ops\` is an operator-only command.`);
+    process.exitCode = 1;
+    return;
+  }
+  const params = new URLSearchParams();
+  if (opts.kind) params.set('kind', opts.kind);
+  params.set('limit', String(opts.limit || 50));
+  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/admin/accounts/${encodeURIComponent(slug)}/activity?${params}`;
+  let res;
+  try {
+    res = await fetch(url, { headers: { 'x-admin-key': adminKey } });
+  } catch (e) {
+    console.error(`Couldn't reach ${config.bmoSyncServerUrl}: ${e.message || e}`);
+    process.exitCode = 2;
+    return;
+  }
+  if (res.status === 404) {
+    console.log(`No account/slug "${slug}" yet (unclaimed, or it hasn't reported).`);
+    return;
+  }
+  if (res.status === 403 || res.status === 401) {
+    console.error('admin key rejected.');
+    process.exitCode = 1;
+    return;
+  }
+  if (!res.ok) {
+    console.error(`HTTP ${res.status}`);
+    process.exitCode = 1;
+    return;
+  }
+  const data = await res.json();
+  console.log(`account ${data.account_id}${data.slug ? ` (${data.slug})` : ''} — ${data.count} recent event(s)`);
+  for (const r of data.rows || []) {
+    const when = new Date((r.reported_at || 0) * 1000).toISOString();
+    let detail = '';
+    if (r.kind === 'feed' && Array.isArray(r.payload?.events)) {
+      const counts = {};
+      for (const e of r.payload.events) counts[e.type] = (counts[e.type] || 0) + 1;
+      detail = Object.entries(counts).map(([k, v]) => `${k}×${v}`).join(' ');
+    } else if ((r.kind === 'install-down' || r.kind === 'doctor-share') && r.payload?.doctor?.summary) {
+      const s = r.payload.doctor.summary;
+      detail = `doctor: ${s.fail} fail / ${s.warn} warn`;
+    } else if (r.kind === 'transcript') {
+      detail = `transcript ${r.payload?.date || ''} (${(r.payload?.markdown || '').length} chars)`;
+    }
+    console.log(`  ${when}  [${r.kind}]${r.os ? ` ${r.os}` : ''}  ${detail}`);
+  }
+}
+
+// `wild-workspace observability [on|off|status]` — the consented session +
+// install-health feed (default ON). Streams WHAT happened + install health to the
+// Venturewild team so they can help if something breaks — never your chat words
+// (that's the separate transcript channel). See observability.mjs.
+async function runObservabilityCommand(action = 'status', opts = {}) {
+  const config = buildConfig(opts);
+  if (action === 'on' || action === 'off') {
+    const rec = setObservabilityConsent(config.dataDir, action === 'on');
+    console.log(
+      rec.enabled
+        ? '✓ observability ON — the Venturewild team can see how your workspace is doing'
+        : '✓ observability OFF — no session/health feed leaves this machine.',
+    );
+    if (rec.enabled) {
+      console.log('  (events + install health only — never your chat content)');
+    }
+    console.log('  Applies the next time your workspace starts (or toggle it live in the app).');
+    return;
+  }
+  const rec = loadObservabilityConsent(config.dataDir);
+  console.log(`observability: ${rec.enabled ? 'ON' : 'OFF'}${rec.decidedAt ? '' : ' (default)'}`);
+  console.log('  what : events + install health → lets us help if something breaks (never chat content)');
+  console.log('  toggle: wild-workspace observability on | off');
+  return;
+}
+
+// `wild-workspace operator [enable|disable|status]` — the consented support
+// channel (docs/SECURITY.md). OFF by default; `enable` mints a token to hand to
+// the wild-workspace team so they can diagnose + run a fixed set of safe fixes.
+async function runOperatorCommand(action = 'status', opts = {}) {
+  const config = buildConfig(opts);
+  if (action === 'enable') {
+    const token = enableOperator(config.dataDir, { rotate: opts.rotate });
+    if (!token) {
+      console.error(`Could not enable operator channel (couldn't write to ${config.dataDir}).`);
+      process.exitCode = 1;
+      return;
+    }
+    const slug = config.account?.slug;
+    console.log('✓ operator channel enabled (consented support access).');
+    console.log(`  token : ${token}`);
+    console.log('  Share this token with the wild-workspace team so they can help with your install.');
+    if (slug) console.log(`  reach : https://${slug}.venturewild.llc/api/operator/diag  (Authorization: Bearer <token>)`);
+    console.log('  off   : wild-workspace operator disable');
+    console.log('');
+    console.log('  Scope: read diagnostics + a fixed set of safe fixes (restart sync, re-detect');
+    console.log('  Claude, re-link your account, reinstall the sync daemon). It cannot run');
+    console.log('  arbitrary commands or drive your agent, and every action is logged.');
+    return;
+  }
+  if (action === 'disable') {
+    const removed = disableOperator(config.dataDir);
+    console.log(removed ? '✓ operator channel disabled (token revoked).' : 'operator channel was not enabled.');
+    return;
+  }
+  if (action === 'status') {
+    const s = operatorStatus(config.dataDir);
+    console.log(`operator channel: ${s.enabled ? 'ENABLED' : 'disabled'}`);
+    console.log(`  token file: ${s.file}`);
+    console.log(s.enabled ? '  disable   : wild-workspace operator disable' : '  enable    : wild-workspace operator enable');
+    return;
+  }
+  console.log(`unknown operator action: ${action}  (use enable | disable | status)`);
+}
+
+// `wild-workspace service [install|uninstall|status|run]` — the always-on
+// autostart (docs/always-on-design.md). `run` is the HIDDEN supervisor entry
+// the per-OS launcher invokes at login; the others manage registration. All
+// per-user, no admin.
+// The URL to open for the LOCAL owner. A slug-linked install runs in public
+// mode (the server denies anon — C1), so the owner must authenticate: append
+// the partner token, which the SPA immediately exchanges for an HttpOnly cookie
+// and strips from the address bar (S1). A localhost-only install needs no token.
+// The token is only ever placed in the URL we hand the browser — never printed.
+function localBrowserUrl(config) {
+  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+  const base = `http://${host}:${config.port}`;
+  return config.publicMode ? `${base}/?t=${encodeURIComponent(config.partnerToken)}` : base;
+}
+
+// Ask the running local server (over genuine loopback) for a one-time sign-in
+// link to the PUBLIC url. Returns the URL or null (no slug / older server).
+async function fetchPublicBootstrapUrl(config) {
+  const host = config.host === '0.0.0.0' ? '127.0.0.1' : config.host;
+  try {
+    const ac = new AbortController();
+    const t = setTimeout(() => ac.abort(), 4000);
+    const r = await fetch(`http://${host}:${config.port}/api/auth/bootstrap`, {
+      method: 'POST',
+      signal: ac.signal,
+    });
+    clearTimeout(t);
+    if (!r.ok) return null;
+    const body = await r.json().catch(() => ({}));
+    return typeof body.url === 'string' ? body.url : null;
+  } catch {
+    return null;
+  }
+}
+
+// Poll the public url's /api/health until the tunnel forwards (200) or we give
+// up — so we never open the owner onto a 502 "warming up" page.
+async function publicTunnelReady(shareBaseUrl, { tries = 6, gapMs = 1300 } = {}) {
+  const base = String(shareBaseUrl || '').replace(/\/$/, '');
+  if (!/^https?:\/\//.test(base)) return false;
+  for (let i = 0; i < tries; i += 1) {
+    try {
+      const ac = new AbortController();
+      const t = setTimeout(() => ac.abort(), 2500);
+      const r = await fetch(`${base}/api/health`, { signal: ac.signal });
+      clearTimeout(t);
+      if (r.ok) return true;
+    } catch { /* not up yet */ }
+    if (i < tries - 1) await new Promise((res) => setTimeout(res, gapMs));
+  }
+  return false;
+}
+
+// Open the owner's browser the friendliest way for THIS install:
+//  - slug-linked + public: land them signed-in on <slug>.venturewild.llc (their
+//    real, bookmarkable home) via a one-time bootstrap link, once the tunnel is
+//    confirmed up. If it isn't ready yet, fall back to localhost (always works
+//    locally) and tell them their public url is warming up.
+//  - localhost-only: just open localhost.
+// Tokens only ever reach the browser via open() — never printed to stdout (B1/S1).
+async function openOwnerBrowser(config) {
+  let open;
+  try { open = (await import('open')).default; } catch { return; }
+  const slugLinked = config.publicMode && config.account?.slug && config.shareBaseUrl;
+  if (slugLinked) {
+    const url = await fetchPublicBootstrapUrl(config);
+    if (url && (await publicTunnelReady(config.shareBaseUrl))) {
+      console.log(`  opening your workspace at ${config.shareBaseUrl} …`);
+      try { await open(url); } catch { /* best-effort */ }
+      return;
+    }
+    // Tunnel not up yet (or older server) — open locally so first run is never a
+    // dead page; the public url comes alive on its own as the daemon links.
+    try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
+    console.log(`  your workspace will be live at ${config.shareBaseUrl} shortly (warming up the tunnel)…`);
+    return;
+  }
+  try { await open(localBrowserUrl(config)); } catch { /* best-effort */ }
+}
+
+async function runServiceCommand(action = 'status', opts = {}) {
+  const config = buildConfig(opts);
+
+  if (action === 'install') {
+    const r = await installService({
+      node: process.execPath, cli: __filename, workspaceDir: config.workspaceDir, port: config.port, version: APP_VERSION,
+    });
+    if (!r.installed) {
+      console.log(`service install: ${r.message || 'not supported on this platform'}`);
+      process.exitCode = 1;
+      return;
+    }
+    console.log('✓ always-on enabled — your workspace starts automatically at login.');
+    console.log(`  mechanism : ${r.mechanism} (per-user, no admin)`);
+    console.log(`  launcher  : ${r.launcher || r.vbs}`);
+    console.log(`  workspace : ${config.workspaceDir}`);
+    if (r.note) console.log(`  note      : ${r.note}`);
+    console.log('  disable   : wild-workspace service uninstall');
+    return;
+  }
+
+  if (action === 'uninstall') {
+    const r = await uninstallService();
+    if (r.supported === false) { console.log(`service: nothing to do — autostart not implemented for ${r.platform} yet`); return; }
+    console.log(`✓ always-on disabled${r.removedKey ? '' : ' (no autostart entry was set)'}${r.stoppedPid ? ` — stopped supervisor pid ${r.stoppedPid}` : ''}.`);
+    return;
+  }
+
+  if (action === 'status') {
+    const s = await serviceStatus({ port: config.port }, { probeImpl: (p) => probeHealth(p) });
+    if (s.supported === false) { console.log(`always-on: autostart not implemented for ${s.platform} yet (run \`wild-workspace\` manually)`); return; }
+    console.log(`always-on   : ${s.installed ? 'installed' : 'NOT installed'}`);
+    if (s.runValue) console.log(`  run entry : ${s.runValue}`);
+    console.log(`  supervisor: ${s.supervisorAlive ? `running (pid ${s.supervisorPid})` : 'not running'}`);
+    console.log(`  server    : ${s.serverUp ? `up on http://127.0.0.1:${config.port}` : 'down'}`);
+    return;
+  }
+
+  if (action === 'run') {
+    // Hidden entrypoint launched by the autostart VBS at login. The OS gives us
+    // an arbitrary cwd, so read the workspace dir persisted at install time.
+    let svc = {};
+    try { svc = JSON.parse(readFileSync(path.join(globalDir(), 'service.json'), 'utf8')); } catch { /* fall back to config */ }
+    const sup = new WorkspaceSupervisor({
+      workspaceDir: svc.workspaceDir || config.workspaceDir,
+      port: svc.port || config.port,
+    });
+    const r = sup.start();
+    if (!r.started) process.exit(0); // another supervisor already owns the lock
+    // else: the supervision interval keeps this process alive.
+    return;
+  }
+
+  console.log(`unknown service action: ${action}  (use install | uninstall | status | run)`);
+}
+
+async function main() {
+  // First-run capture: log every invocation BEFORE doing anything, so even a
+  // crash-on-start leaves a trace we (or `wild-workspace doctor`) can read.
+  appendLine('cli', `invoke argv=[${process.argv.slice(2).join(' ')}] cwd=${process.cwd()} node=${process.version} v${APP_VERSION}`);
+  const opts = parseArgs(process.argv.slice(2));
+  if (opts.help) return printUsage();
+  if (opts.version) { console.log(APP_VERSION); return; }
+
+  if (opts.positional[0] === 'daemon') {
+    return runDaemonCommand(opts.positional[1], opts.positional.slice(2));
+  }
+
+  if (opts.positional[0] === 'login') {
+    return runLoginCommand(opts.positional.slice(1));
+  }
+  if (opts.positional[0] === 'logout') {
+    return runLogoutCommand();
+  }
+  if (opts.positional[0] === 'whoami') {
+    return runWhoamiCommand();
+  }
+  if (opts.positional[0] === 'rotate-token') {
+    return runRotateTokenCommand();
+  }
+  if (opts.positional[0] === 'doctor') {
+    return runDoctorCommand(opts);
+  }
+  if (opts.positional[0] === 'logs') {
+    return runLogsCommand(opts);
+  }
+  if (opts.positional[0] === 'operator') {
+    return runOperatorCommand(opts.positional[1], opts);
+  }
+  if (opts.positional[0] === 'observability') {
+    return runObservabilityCommand(opts.positional[1], opts);
+  }
+  if (opts.positional[0] === 'ops') {
+    return runOpsCommand(opts);
+  }
+  if (opts.positional[0] === 'service') {
+    return runServiceCommand(opts.positional[1], opts);
+  }
+
+  if (opts.positional[0] === 'install') {
+    console.log('wild-workspace manages the bmo-sync sync daemon for you.');
+    console.log('');
+    console.log('It starts automatically in the background whenever you run');
+    console.log('`wild-workspace`, and keeps running after you close the browser —');
+    console.log('so there is no separate install step.');
+    console.log('');
+    console.log('  wild-workspace daemon status   check whether it is running');
+    console.log('  wild-workspace daemon stop     stop it');
+    return;
+  }
+  if (opts.positional[0] === 'share') {
+    console.log('Use the in-app Share button to issue viewer URLs. CLI share command is v1.x.');
+    return;
+  }
+
+  // If a workspace server is already serving this port — always-on started it at
+  // login, or another `wild-workspace` is running — don't fight it for the socket
+  // (createServer would reject on EADDRINUSE and crash). Just open the browser to
+  // the one already up. This is the common case now that always-on is real.
+  {
+    const probeCfg = buildConfig(opts);
+    if (await probeHealth(probeCfg.port)) {
+      const host = probeCfg.host === '0.0.0.0' ? '127.0.0.1' : probeCfg.host;
+      const displayUrl = `http://${host}:${probeCfg.port}`; // shown without the token
+      console.log(`\n  wild-workspace is already running at ${displayUrl}`);
+      if (probeCfg.openBrowser) {
+        console.log('  opening it in your browser…');
+        await openOwnerBrowser(probeCfg);
+      }
+      return;
+    }
+  }
+
+  const server = await createServer(opts);
+  const { config } = server;
+  console.log(`\n  wild-workspace v${APP_VERSION}`);
+  console.log(`  workspace : ${config.workspaceDir}`);
+  console.log(`  url       : http://${config.host}:${config.port}`);
+  console.log(`  agent     : ${server.getActiveAgent()?.label || '(none detected — install Claude Code: npm i -g @anthropic-ai/claude-code)'}`);
+
+  // Report how the sync daemon's autostart went (best-effort — never fatal).
+  try {
+    const d = await server.daemonReady;
+    if (d.alreadyRunning) console.log('  sync      : bmo-sync daemon already running');
+    else if (d.started) console.log(`  sync      : bmo-sync daemon started (pid ${d.pid})`);
+    else if (d.skipped) console.log('  sync      : daemon autostart disabled');
+    else if (d.error === 'daemon-binary-not-found')
+      console.log('  sync      : daemon binary not installed — sync is off (see `wild-workspace daemon`)');
+    else if (d.error) console.log(`  sync      : daemon did not start — ${d.error}`);
+  } catch {}
+  console.log('');
+
+  if (config.publicMode) {
+    // Public mode denies anon — tell the owner how to reach it authenticated.
+    console.log(`  mode      : PUBLIC — opening with a one-time sign-in token`);
+  }
+  if (config.openBrowser) {
+    await openOwnerBrowser(config);
+  }
+
+  // Hard safety net: even if stop() ever wedges, never leave the user staring at
+  // "shutting down…". Unref'd so the timer itself doesn't keep us alive.
+  const forceExitSoon = () => { setTimeout(() => process.exit(0), 3000).unref(); };
+  process.on('SIGINT', async () => {
+    console.log('\nshutting down…');
+    forceExitSoon();
+    try { await server.stop(); } catch {}
+    process.exit(0);
+  });
+  process.on('SIGTERM', async () => { forceExitSoon(); try { await server.stop(); } catch {} process.exit(0); });
+}
+
+main().catch((err) => {
+  appendLine('cli', `FATAL ${err?.stack || err}`);
+  console.error('wild-workspace failed:', err);
+  process.exit(1);
+});