@venturewild/workspace 0.6.3 → 0.6.4

package/server/bin/wild-workspace.mjs

@@ -1,1096 +1,1096 @@
-#!/usr/bin/env node
-// `wild-workspace` CLI entry — the bin field in package.json.
-// Starts the workspace server; also exposes a `daemon` subcommand for
-// inspecting / controlling the bmo-sync sync daemon.
-
-import path from 'node:path';
-import url from 'node:url';
-import os from 'node:os';
-import { createServer } from '../src/index.mjs';
-import { APP_VERSION, buildConfig } from '../src/config.mjs';
-import { DaemonSupervisor } from '../src/daemon-supervisor.mjs';
-import { SyncControl } from '../src/sync.mjs';
-import {
-  decodeLoginPayload,
-  saveAccount,
-  loadAccount,
-  clearAccount,
-} from '../src/account.mjs';
-import { readFileSync } from 'node:fs';
-import { WorkspaceSupervisor, probeHealth } from '../src/supervisor.mjs';
-import { installService, uninstallService, serviceStatus, globalDir } from '../src/service.mjs';
-import { appendLine, listLogs, tailFile } from '../src/logpaths.mjs';
-import { runDoctor, renderDoctor, writeDoctorBundle } from '../src/doctor.mjs';
-import { enableOperator, disableOperator, operatorStatus } from '../src/operator.mjs';
-import { loadObservabilityConsent, setObservabilityConsent } from '../src/observability.mjs';
-import {
-  grantConsent, revokeConsent, consentStatus, readAudit, MAX_TIER, MAX_GRANT_MINUTES, OPERATE_TIER,
-} from '../src/support-consent.mjs';
-import {
-  AutoUpdater, PACKAGE_NAME, npmInstall, recordUpdate,
-  loadUpdateSettings, setUpdateEnabled, setUpdateChannel,
-} from '../src/auto-update.mjs';
-import { openOwnerBrowser } from '../src/owner-browser.mjs';
-import { planReset, applyReset, RESET_KEEPS } from '../src/reset.mjs';
-import { createWorkspaceRails } from '../src/workspaces.mjs';
-
-const __filename = url.fileURLToPath(import.meta.url);
-const __dirname = path.dirname(__filename);
-
-function printUsage() {
-  console.log(`wild-workspace v${APP_VERSION}
-
-Usage:
-  wild-workspace                  start the workspace server in the current directory
-  wild-workspace --port 5173      override port (default 5173)
-  wild-workspace --no-open        don't auto-open browser
-  wild-workspace --host 0.0.0.0   bind to all interfaces (for share-by-URL hosting)
-  wild-workspace daemon status                  is the bmo-sync daemon running?
-  wild-workspace daemon start                   start the sync daemon now
-  wild-workspace daemon stop                    stop the sync daemon
-  wild-workspace daemon conflicts list          list open conflicts
-  wild-workspace daemon conflicts show <wid> <path>     view one conflict
-  wild-workspace daemon conflicts resolve <wid> <path> <keep_mine|take_theirs>
-  wild-workspace login <payload>  bind this install to a slug
-                                  (paste the blob from workspace.venturewild.llc)
-  wild-workspace logout           clear the bound account (slug + token)
-  wild-workspace reset [--yes]    back to the beginning: unlink + reset onboarding +
-                                  flush local config (preview without --yes; keeps your files)
-  wild-workspace whoami           show the currently-bound account
-  wild-workspace rotate-token     mint a new account token; invalidates the old one
-  wild-workspace workspace create "<name>" [--slug s]   create a shared workspace (its own slug, owned by you)
-  wild-workspace workspace list                         shared workspaces you belong to
-  wild-workspace workspace add-member <slug> <email>    add a teammate (they must have a slug already)
-  wild-workspace workspace remove-member <slug> <email-or-accountId>   remove a teammate
-  wild-workspace doctor [--share] diagnose this machine's install (✅/⚠️/❌ + logs)
-  wild-workspace logs [name] [--tail N]   list logs, or tail one (cli/server/daemon/…)
-  wild-workspace operator enable  let the wild-workspace team help with your install (mints a token)
-  wild-workspace operator disable revoke the support token
-  wild-workspace operator status  is the support channel on?
-  wild-workspace support allow --tier 1 --minutes 60   allow time-boxed support (works even when offline)
-  wild-workspace support revoke   revoke support access now
-  wild-workspace support status   is support access on, and for how long?
-  wild-workspace support audit    show what support has done (the audit feed)
-  wild-workspace observability [on|off|status]   share session + install health so we can help (default on; never chat content)
-  wild-workspace update [apply]   check for / install a newer version (auto by default)
-  wild-workspace update on|off    toggle background auto-update
-  wild-workspace update channel stable|beta   choose the update channel
-  wild-workspace service install  keep your workspace always-on (starts at login, no admin)
-  wild-workspace service uninstall   turn always-on off
-  wild-workspace service status   show always-on status (installed? supervisor? server?)
-  wild-workspace install          (info) how the sync daemon is managed
-  wild-workspace --help           this message
-  wild-workspace --version        print version
-
-The bmo-sync sync daemon starts automatically in the background when you run
-\`wild-workspace\`, and keeps running after you close the browser.
-
-Environment:
-  WILD_WORKSPACE_PORT, WILD_WORKSPACE_HOST,
-  WILD_WORKSPACE_DIR, WILD_WORKSPACE_DATA_DIR,
-  WILD_WORKSPACE_PARTNER_TOKEN, WILD_WORKSPACE_SHARE_SECRET,
-  WILD_WORKSPACE_NO_OPEN=1, WILD_WORKSPACE_DAEMON_AUTOSTART=0
-`);
-}
-
-function parseArgs(argv) {
-  const opts = {};
-  const positional = [];
-  for (let i = 0; i < argv.length; i++) {
-    const arg = argv[i];
-    if (arg === '--help' || arg === '-h') opts.help = true;
-    else if (arg === '--version' || arg === '-v') opts.version = true;
-    else if (arg === '--no-open') opts.openBrowser = false;
-    else if (arg === '--port') { opts.port = Number(argv[++i]); }
-    else if (arg === '--host') { opts.host = argv[++i]; }
-    else if (arg === '--workspace') { opts.workspaceDir = argv[++i]; }
-    else if (arg === '--tail') { opts.tail = Number(argv[++i]); }
-    else if (arg === '--share') { opts.share = true; }
-    else if (arg === '--rotate') { opts.rotate = true; }
-    else if (arg === '--yes' || arg === '-y') { opts.yes = true; }
-    else if (arg === '--kind') { opts.kind = argv[++i]; }
-    else if (arg === '--slug') { opts.slug = argv[++i]; }
-    else if (arg === '--limit') { opts.limit = Number(argv[++i]); }
-    else if (arg === '--tier') { opts.tier = Number(argv[++i]); }
-    else if (arg === '--minutes') { opts.minutes = Number(argv[++i]); }
-    else if (arg.startsWith('--')) {
-      // ignore unknown flags
-    } else {
-      positional.push(arg);
-    }
-  }
-  opts.positional = positional;
-  return opts;
-}
-
-// `wild-workspace daemon [status|start|stop|conflicts ...]`
-async function runDaemonCommand(action = 'status', rest = []) {
-  const config = buildConfig({});
-  const sup = new DaemonSupervisor({
-    httpBase: config.daemonHttpUrl,
-    // b-ii: so `wild-workspace daemon start` also opens the proxy link.
-    accountToken: config.accountToken,
-    serverUrl: config.bmoSyncServerUrl,
-  });
-
-  if (action === 'conflicts') {
-    return runConflictsCommand(config, rest);
-  }
-  if (action === 'status') {
-    const s = await sup.status();
-    console.log(`bmo-sync daemon: ${s.running ? 'running' : 'stopped'}`);
-    console.log(`  api : ${s.httpBase}`);
-    if (s.pid) console.log(`  pid : ${s.pid}`);
-    console.log(`  log : ${s.logFile}`);
-    return;
-  }
-  if (action === 'start') {
-    const r = await sup.ensureRunning();
-    if (r.alreadyRunning) {
-      console.log('bmo-sync daemon: already running');
-    } else if (r.started) {
-      const healthy = await sup.waitForHealthy();
-      console.log(
-        healthy
-          ? `bmo-sync daemon: started (pid ${r.pid})`
-          : `bmo-sync daemon: launched (pid ${r.pid}) — not yet answering, check the log`,
-      );
-    } else if (r.error === 'daemon-binary-not-found') {
-      console.log('bmo-sync daemon: cannot start — the daemon binary is not installed.');
-      console.log('  build it from the bmo-sync workspace and place it under vendor/,');
-      console.log('  or install the @venturewild/workspace-daemon-<platform> package.');
-    } else {
-      console.log(`bmo-sync daemon: could not start — ${r.error}`);
-    }
-    return;
-  }
-  if (action === 'stop') {
-    const r = await sup.stop();
-    console.log(
-      r.stopped
-        ? `bmo-sync daemon: stopped (pid ${r.pid})`
-        : `bmo-sync daemon: not stopped — ${r.reason}`,
-    );
-    return;
-  }
-  console.log(`unknown daemon action: ${action}  (use status | start | stop | conflicts)`);
-}
-
-// `wild-workspace daemon conflicts [list|show <wid> <path>|resolve <wid> <path> <action>]`
-async function runConflictsCommand(config, args) {
-  const sync = new SyncControl({
-    daemonHttpUrl: config.daemonHttpUrl,
-    bmoSyncServerUrl: config.bmoSyncServerUrl,
-  });
-  const sub = (args[0] || 'list').toLowerCase();
-  if (sub === 'list' || !sub) {
-    const conflicts = await sync.listConflicts();
-    if (!conflicts.length) {
-      console.log('no open conflicts');
-      return;
-    }
-    console.log(`open conflicts: ${conflicts.length}`);
-    for (const c of conflicts) {
-      const detected = new Date((c.detectedAt || 0) * 1000).toISOString();
-      console.log(`  [${c.workspaceId}] ${c.path}`);
-      console.log(`    resolution     : ${c.resolution}`);
-      console.log(`    detected_at    : ${detected}`);
-      if (c.peerBackOfficePath) {
-        console.log(`    peer_bytes_at  : ${c.peerBackOfficePath}`);
-      }
-      if (c.mineSha256) console.log(`    mine_sha256    : ${c.mineSha256}`);
-      if (c.theirsSha256) console.log(`    theirs_sha256  : ${c.theirsSha256}`);
-    }
-    return;
-  }
-  if (sub === 'show') {
-    const wid = args[1];
-    const path = args[2];
-    if (!wid || !path) {
-      console.log('usage: wild-workspace daemon conflicts show <workspace_id> <path>');
-      return;
-    }
-    const view = await sync.viewConflict(wid, path);
-    if (!view) {
-      console.log(`no open conflict for ${wid}:${path}`);
-      return;
-    }
-    console.log(JSON.stringify(view, null, 2));
-    return;
-  }
-  if (sub === 'resolve') {
-    const wid = args[1];
-    const path = args[2];
-    const action = args[3];
-    if (!wid || !path || !action) {
-      console.log(
-        'usage: wild-workspace daemon conflicts resolve <workspace_id> <path> <keep_mine|take_theirs>',
-      );
-      return;
-    }
-    try {
-      await sync.resolveConflict(wid, path, action);
-      console.log(`resolved: ${wid}:${path} (${action})`);
-    } catch (e) {
-      console.error(`resolve failed: ${e.message || e}`);
-      process.exitCode = 1;
-    }
-    return;
-  }
-  console.log(
-    `unknown conflicts subcommand: ${sub}  (use list | show <wid> <path> | resolve <wid> <path> <action>)`,
-  );
-}
-
-// `wild-workspace login <base64url-payload>` — bind this install to a slug.
-// The payload comes from workspace.venturewild.llc on signup. It's an opaque
-// blob the user copies once; we decode + persist + print a friendly summary.
-async function runLoginCommand(args) {
-  if (!args.length) {
-    console.error('usage: wild-workspace login <payload>');
-    console.error('');
-    console.error('The payload is the blob you copied from workspace.venturewild.llc');
-    console.error('after claiming your slug. Run that signup, then come back here.');
-    process.exitCode = 1;
-    return;
-  }
-  // Trim the obvious "wild-workspace login " prefix in case the user pasted
-  // the whole command line, and surrounding quotes if a shell preserved them.
-  let payload = args.join(' ').trim();
-  payload = payload.replace(/^wild-workspace\s+login\s+/i, '').trim();
-  payload = payload.replace(/^['"]|['"]$/g, '');
-  let parsed;
-  try {
-    parsed = decodeLoginPayload(payload);
-  } catch (e) {
-    console.error(`Couldn't decode the login payload: ${e.message || e}`);
-    process.exitCode = 1;
-    return;
-  }
-  const config = buildConfig({});
-  let saved;
-  try {
-    saved = saveAccount(config.dataDir, parsed);
-  } catch (e) {
-    console.error(`Couldn't save account to ${config.dataDir}: ${e.message || e}`);
-    process.exitCode = 1;
-    return;
-  }
-  console.log(`✓ logged in as ${saved.email}`);
-  console.log(`  slug      : ${saved.slug}`);
-  console.log(`  url       : https://${saved.slug}.venturewild.llc  (once the tunnel is configured)`);
-  console.log(`  saved to  : ${config.dataDir}/account.json`);
-  console.log('');
-  console.log('Run `wild-workspace` in any folder to start your workspace.');
-
-  // Arm always-on so the workspace comes back on its own (best-effort — never
-  // blocks login). On a platform without autostart yet, just nudge the user.
-  try {
-    const svc = await installService({
-      node: process.execPath, cli: __filename, workspaceDir: config.workspaceDir, port: config.port, version: APP_VERSION,
-    });
-    if (svc.installed) console.log('  always-on : enabled — starts at login (disable: wild-workspace service uninstall)');
-    else if (svc.supported === false) console.log(`  always-on : not yet on ${svc.platform} — run \`wild-workspace\` to start it`);
-  } catch { /* never block login */ }
-}
-
-async function runLogoutCommand() {
-  const config = buildConfig({});
-  const before = loadAccount(config.dataDir);
-  const removed = clearAccount(config.dataDir);
-  if (!removed && !before) {
-    console.log('not logged in.');
-    return;
-  }
-  console.log(`logged out — cleared ${before?.email || 'account'} from ${config.dataDir}.`);
-}
-
-// `wild-workspace reset [--yes]` — back to the beginning: unlink the account,
-// reset onboarding, flush local config/state. NEVER touches workspace files.
-// Without --yes it's a dry run (prints exactly what it WOULD remove).
-async function runResetCommand(opts) {
-  const config = buildConfig(opts);
-  const gdir = globalDir();
-  const before = loadAccount(config.dataDir);
-
-  // Collect every data dir that might hold this install's account/onboarding:
-  // the one this invocation resolves (cwd-keyed) + the always-on workspace's
-  // (recorded in service.json), in case `reset` is run from a different folder.
-  const dataDirs = new Set([config.dataDir]);
-  try {
-    const svc = JSON.parse(readFileSync(path.join(gdir, 'service.json'), 'utf8'));
-    if (svc.workspaceDir) dataDirs.add(path.join(path.resolve(svc.workspaceDir), '.wild-workspace'));
-  } catch { /* no always-on registration — fine */ }
-
-  const targets = planReset({ dataDirs: [...dataDirs], globalDir: gdir, includeMarketplace: true });
-  const present = targets.filter((t) => t.exists);
-
-  console.log('wild-workspace reset — back to the beginning\n');
-  if (before) {
-    console.log(`  currently linked: ${before.email}  (slug: ${before.slug})`);
-    console.log('');
-  }
-  if (present.length === 0) {
-    console.log('  Nothing to clear — this install is already at a clean state.');
-    return;
-  }
-
-  console.log(`  ${opts.yes ? 'Removing' : 'Would remove'}:`);
-  for (const t of present) console.log(`    - ${t.path}${t.kind === 'dir' ? '  (folder)' : ''}`);
-  console.log('');
-  console.log('  Keeps (untouched):');
-  for (const k of RESET_KEEPS) console.log(`    · ${k}`);
-  console.log('');
-
-  if (!opts.yes) {
-    console.log('  This was a PREVIEW. Re-run to actually reset:');
-    console.log('    wild-workspace reset --yes');
-    return;
-  }
-
-  const { removed, failed } = applyReset(present);
-  console.log(`  ✓ cleared ${removed.length} item(s).`);
-  if (failed.length) {
-    console.log(`  ⚠ ${failed.length} could not be removed (in use? close the app + retry):`);
-    for (const f of failed) console.log(`    - ${f.path}: ${f.error}`);
-    process.exitCode = 1;
-  }
-  console.log('');
-  // The running server still holds the old account/secrets in memory — a restart
-  // is what makes the reset take effect (and re-arms a fresh onboarding).
-  if (await probeHealth(config.port)) {
-    console.log('  ⚠ a workspace server is still running with the old state. Restart it:');
-    console.log(`     stop it (close the app / kill :${config.port}); always-on restarts it clean,`);
-    console.log('     or run `wild-workspace` yourself.');
-    console.log('');
-  }
-  console.log('  Next:');
-  console.log('    • `wild-workspace login <blob>`  — re-link to a slug, then `wild-workspace`');
-  console.log('    • or just `wild-workspace`       — start fresh and re-run onboarding');
-  console.log('');
-  console.log('  Note: the canvas LAYOUT is stored in your browser, not here — open the');
-  console.log('  workspace in a fresh/incognito window (or clear site data) for a blank canvas.');
-}
-
-async function runRotateTokenCommand() {
-  const config = buildConfig({});
-  const account = loadAccount(config.dataDir);
-  if (!account) {
-    console.log('not logged in. Nothing to rotate.');
-    console.log('Run `wild-workspace login <payload>` after claiming a slug.');
-    process.exitCode = 1;
-    return;
-  }
-  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/account/rotate-token`;
-  let resp;
-  try {
-    resp = await fetch(url, {
-      method: 'POST',
-      headers: { authorization: `Bearer ${account.accountToken}` },
-    });
-  } catch (e) {
-    console.error(`Couldn't reach ${config.bmoSyncServerUrl}: ${e.message || e}`);
-    process.exitCode = 2;
-    return;
-  }
-  if (!resp.ok) {
-    let body;
-    try { body = await resp.text(); } catch { body = ''; }
-    console.error(`Rotate failed (HTTP ${resp.status}): ${body.slice(0, 200)}`);
-    process.exitCode = 1;
-    return;
-  }
-  let payload;
-  try {
-    payload = await resp.json();
-  } catch (e) {
-    console.error(`Server returned non-JSON: ${e.message || e}`);
-    process.exitCode = 1;
-    return;
-  }
-  if (!payload || !payload.account_token) {
-    console.error('Server response missing account_token. Aborting.');
-    process.exitCode = 1;
-    return;
-  }
-  const updated = {
-    ...account,
-    accountToken: payload.account_token,
-    loggedInAt: Date.now(),
-  };
-  try {
-    saveAccount(config.dataDir, updated);
-  } catch (e) {
-    console.error(`Got new token but failed to persist it: ${e.message || e}`);
-    console.error(`New token (save manually): ${payload.account_token}`);
-    process.exitCode = 1;
-    return;
-  }
-  console.log('✓ token rotated.');
-  console.log(`  slug      : ${updated.slug}`);
-  console.log(`  saved to  : ${config.dataDir}/account.json`);
-  console.log('');
-  console.log('Your daemon will reconnect with the new token automatically');
-  console.log('on its next restart. Run `wild-workspace daemon stop && wild-workspace`');
-  console.log('to force an immediate reconnect.');
-}
-
-// `wild-workspace workspace {create|list|add-member|remove-member}` — multi-host
-// step 2 (membership). The FOUNDATION's drivable surface: create a shared
-// workspace (its own slug, owned by you), manage its member set, and read the
-// shared workspaces you belong to. The polished invite/join/lobby UX is later;
-// these are operator/dev affordances over the rails (you never copy-paste a
-// token — they read your bound account). Requires `wild-workspace login` first.
-async function runWorkspaceCommand(action, opts) {
-  const config = buildConfig(opts);
-  if (!config.accountToken) {
-    console.error('not logged in. Run `wild-workspace login <payload>` after claiming a slug.');
-    process.exitCode = 1;
-    return;
-  }
-  const rails = createWorkspaceRails(config, { accountToken: config.accountToken });
-  const fail = (r) => {
-    console.error(`✗ ${r.message || r.code || 'failed'}${r.code ? `  (${r.code})` : ''}`);
-    process.exitCode = 1;
-  };
-
-  if (action === 'create') {
-    const name = opts.positional.slice(2).join(' ').trim();
-    if (!name) {
-      console.error('usage: wild-workspace workspace create "<name>" [--slug <slug>]');
-      process.exitCode = 1;
-      return;
-    }
-    const r = await rails.create(name, opts.slug || null);
-    if (!r.ok) return fail(r);
-    console.log(`✓ created shared workspace "${r.data.name}"`);
-    console.log(`  slug : ${r.data.slug}`);
-    console.log(`  url  : https://${r.data.slug}.venturewild.llc  (once routing lands — step 3)`);
-    console.log('');
-    console.log('  Add a teammate (they must have claimed a slug already):');
-    console.log(`    wild-workspace workspace add-member ${r.data.slug} <their-email>`);
-    return;
-  }
-
-  if (action === 'list') {
-    const r = await rails.list();
-    if (!r.ok) return fail(r);
-    const ws = r.data.workspaces || [];
-    if (!ws.length) {
-      console.log('you belong to no shared workspaces yet.');
-      console.log('  create one: wild-workspace workspace create "<name>"');
-      return;
-    }
-    console.log(`shared workspaces you belong to: ${ws.length}`);
-    for (const w of ws) {
-      console.log(`  ${w.slug.padEnd(20)} ${w.role.padEnd(7)} "${w.name}"  (owner: ${w.owner_email})`);
-    }
-    return;
-  }
-
-  if (action === 'add-member') {
-    const slug = opts.positional[2];
-    const email = opts.positional[3];
-    if (!slug || !email) {
-      console.error('usage: wild-workspace workspace add-member <slug> <email>');
-      process.exitCode = 1;
-      return;
-    }
-    const r = await rails.addMember(slug, email);
-    if (!r.ok) return fail(r);
-    console.log(`✓ added ${email} to ${slug} (account ${r.data.account_id}).`);
-    return;
-  }
-
-  if (action === 'remove-member') {
-    const slug = opts.positional[2];
-    const ref = opts.positional[3];
-    if (!slug || !ref) {
-      console.error('usage: wild-workspace workspace remove-member <slug> <email-or-accountId>');
-      process.exitCode = 1;
-      return;
-    }
-    const r = await rails.removeMember(slug, ref);
-    if (!r.ok) return fail(r);
-    console.log(
-      r.data.removed
-        ? `✓ removed ${ref} from ${slug}.`
-        : `${ref} was not a member of ${slug} (nothing to remove).`,
-    );
-    return;
-  }
-
-  console.log('unknown workspace action. use: create | list | add-member | remove-member');
-  console.log('  wild-workspace workspace create "<name>" [--slug <slug>]');
-  console.log('  wild-workspace workspace list');
-  console.log('  wild-workspace workspace add-member <slug> <email>');
-  console.log('  wild-workspace workspace remove-member <slug> <email-or-accountId>');
-}
-
-async function runWhoamiCommand() {
-  const config = buildConfig({});
-  const account = loadAccount(config.dataDir);
-  if (!account) {
-    console.log('not logged in.');
-    console.log('Run `wild-workspace login <payload>` after claiming a slug at workspace.venturewild.llc.');
-    return;
-  }
-  console.log(`logged in as ${account.email}`);
-  console.log(`  slug      : ${account.slug}`);
-  console.log(`  accountId : ${account.accountId}`);
-  if (account.displayName) console.log(`  name      : ${account.displayName}`);
-  console.log(`  loggedIn  : ${new Date(account.loggedInAt).toISOString()}`);
-}
-
-// `wild-workspace doctor [--share]` — one diagnostic of this machine's install.
-// Prints ✅/⚠️/❌ per check + where the logs are, and writes a JSON bundle under
-// ~/.wild-workspace/diagnostics/. Exits non-zero if any check failed.
-async function runDoctorCommand(opts) {
-  const config = buildConfig(opts);
-  const report = await runDoctor({ config });
-  console.log(renderDoctor(report));
-  const bundle = writeDoctorBundle(report);
-  if (bundle) {
-    console.log('');
-    console.log(`Full report: ${bundle}`);
-  }
-  if (opts.share) {
-    const shared = await shareDoctor(config, report);
-    console.log(
-      shared.ok
-        ? '✓ shared with the wild-workspace team — they can see this diagnostic now.'
-        : `Couldn't auto-share (${shared.reason}). Send the file above instead.`,
-    );
-  }
-  process.exitCode = report.summary.fail > 0 ? 1 : 0;
-}
-
-// Upload a doctor report to bmo-sync. `--share` is an explicit user action, so it
-// goes even if the passive observability feed is off — but still respects the
-// hard kill switch and needs an account to key it to.
-async function shareDoctor(config, report) {
-  if (!config.accountToken) return { ok: false, reason: 'not logged in' };
-  if (process.env.WILD_WORKSPACE_NO_TELEMETRY === '1') return { ok: false, reason: 'telemetry disabled' };
-  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/telemetry`;
-  const ctrl = new AbortController();
-  const t = setTimeout(() => ctrl.abort(), 5000);
-  try {
-    const res = await fetch(url, {
-      method: 'POST',
-      headers: { 'content-type': 'application/json' },
-      body: JSON.stringify({
-        account_token: config.accountToken,
-        slug: config.account?.slug || null,
-        workspace_id: config.workspaceId,
-        kind: 'doctor-share',
-        doctor: report,
-        sent_at: Math.floor(Date.now() / 1000),
-      }),
-      signal: ctrl.signal,
-    });
-    return { ok: res.ok, reason: res.ok ? null : `HTTP ${res.status}` };
-  } catch (e) {
-    return { ok: false, reason: String(e?.message || e) };
-  } finally {
-    clearTimeout(t);
-  }
-}
-
-// `wild-workspace logs [name] [--tail N]` — list the logs, or tail one by name.
-async function runLogsCommand(opts) {
-  const name = opts.positional[1];
-  const n = opts.tail || 40;
-  const logs = listLogs();
-  if (!name) {
-    console.log(`logs dir: ${path.dirname(logs[0].file)}`);
-    for (const l of logs) {
-      console.log(`  ${l.name.padEnd(10)} ${l.exists ? `${l.size} bytes` : '(none yet)'}  ${l.file}`);
-    }
-    console.log('');
-    console.log(`Show one: wild-workspace logs <name> [--tail N]   (names: ${logs.map((l) => l.name).join(', ')})`);
-    return;
-  }
-  const match = logs.find((l) => l.name === name);
-  if (!match) {
-    console.log(`unknown log "${name}". names: ${logs.map((l) => l.name).join(', ')}`);
-    process.exitCode = 1;
-    return;
-  }
-  console.log(`# ${match.name} — ${match.file} (last ${n} lines)`);
-  console.log(tailFile(match.file, n) || '(empty)');
-}
-
-// `wild-workspace ops <slug>` — OPERATOR read of a user's observability feed.
-// Reads the bmo-sync admin endpoint with the admin key at ~/.bmo-sync-admin-key
-// (so it only works on an operator's machine). This is how we see a stuck/broken
-// user without them having to ask. Filters: --kind feed|install-down|transcript,
-// --limit N.
-async function runOpsCommand(opts) {
-  const slug = opts.positional[1];
-  if (!slug) {
-    console.error('usage: wild-workspace ops <slug> [--kind feed|install-down|transcript] [--limit N]');
-    process.exitCode = 1;
-    return;
-  }
-  const config = buildConfig(opts);
-  const keyPath = path.join(os.homedir(), '.bmo-sync-admin-key');
-  let adminKey;
-  try {
-    adminKey = readFileSync(keyPath, 'utf8').trim();
-  } catch {
-    console.error(`No admin key at ${keyPath} — \`ops\` is an operator-only command.`);
-    process.exitCode = 1;
-    return;
-  }
-  const params = new URLSearchParams();
-  if (opts.kind) params.set('kind', opts.kind);
-  params.set('limit', String(opts.limit || 50));
-  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/admin/accounts/${encodeURIComponent(slug)}/activity?${params}`;
-  let res;
-  try {
-    res = await fetch(url, { headers: { 'x-admin-key': adminKey } });
-  } catch (e) {
-    console.error(`Couldn't reach ${config.bmoSyncServerUrl}: ${e.message || e}`);
-    process.exitCode = 2;
-    return;
-  }
-  if (res.status === 404) {
-    console.log(`No account/slug "${slug}" yet (unclaimed, or it hasn't reported).`);
-    return;
-  }
-  if (res.status === 403 || res.status === 401) {
-    console.error('admin key rejected.');
-    process.exitCode = 1;
-    return;
-  }
-  if (!res.ok) {
-    console.error(`HTTP ${res.status}`);
-    process.exitCode = 1;
-    return;
-  }
-  const data = await res.json();
-  console.log(`account ${data.account_id}${data.slug ? ` (${data.slug})` : ''} — ${data.count} recent event(s)`);
-  for (const r of data.rows || []) {
-    const when = new Date((r.reported_at || 0) * 1000).toISOString();
-    let detail = '';
-    if (r.kind === 'feed' && Array.isArray(r.payload?.events)) {
-      const counts = {};
-      for (const e of r.payload.events) counts[e.type] = (counts[e.type] || 0) + 1;
-      detail = Object.entries(counts).map(([k, v]) => `${k}×${v}`).join(' ');
-    } else if ((r.kind === 'install-down' || r.kind === 'doctor-share') && r.payload?.doctor?.summary) {
-      const s = r.payload.doctor.summary;
-      detail = `doctor: ${s.fail} fail / ${s.warn} warn`;
-    } else if (r.kind === 'transcript') {
-      detail = `transcript ${r.payload?.date || ''} (${(r.payload?.markdown || '').length} chars)`;
-    }
-    console.log(`  ${when}  [${r.kind}]${r.os ? ` ${r.os}` : ''}  ${detail}`);
-  }
-}
-
-// `wild-workspace observability [on|off|status]` — the consented session +
-// install-health feed (default ON). Streams WHAT happened + install health to the
-// Venturewild team so they can help if something breaks — never your chat words
-// (that's the separate transcript channel). See observability.mjs.
-async function runObservabilityCommand(action = 'status', opts = {}) {
-  const config = buildConfig(opts);
-  if (action === 'on' || action === 'off') {
-    const rec = setObservabilityConsent(config.dataDir, action === 'on');
-    console.log(
-      rec.enabled
-        ? '✓ observability ON — the Venturewild team can see how your workspace is doing'
-        : '✓ observability OFF — no session/health feed leaves this machine.',
-    );
-    if (rec.enabled) {
-      console.log('  (events + install health only — never your chat content)');
-    }
-    console.log('  Applies the next time your workspace starts (or toggle it live in the app).');
-    return;
-  }
-  const rec = loadObservabilityConsent(config.dataDir);
-  console.log(`observability: ${rec.enabled ? 'ON' : 'OFF'}${rec.decidedAt ? '' : ' (default)'}`);
-  console.log('  what : events + install health → lets us help if something breaks (never chat content)');
-  console.log('  toggle: wild-workspace observability on | off');
-  return;
-}
-
-// `wild-workspace update [apply|on|off|channel <stable|beta>]` — Phase 2
-// auto-update (docs/remote-support-and-self-healing-design.md). With no
-// sub-command it checks the channel for a newer release; `apply` installs it now;
-// `on`/`off` toggle the default-on background updater; `channel` switches
-// stable/beta. The always-on supervisor does this automatically — this is the
-// manual lever + the off switch.
-async function runUpdateCommand(opts) {
-  const sub = opts.positional[1];
-  const gdir = globalDir();
-
-  if (sub === 'on' || sub === 'off') {
-    const rec = setUpdateEnabled(gdir, sub === 'on');
-    console.log(
-      rec.enabled
-        ? '✓ auto-update ON — wild-workspace keeps itself up to date in the background.'
-        : '✓ auto-update OFF — update manually with `wild-workspace update apply`.',
-    );
-    console.log(`  channel: ${rec.channel}`);
-    return;
-  }
-  if (sub === 'channel') {
-    const chan = opts.positional[2];
-    if (chan !== 'stable' && chan !== 'beta') {
-      console.log('usage: wild-workspace update channel stable|beta');
-      return;
-    }
-    console.log(`✓ update channel set to ${setUpdateChannel(gdir, chan).channel}.`);
-    return;
-  }
-
-  const settings = loadUpdateSettings(gdir);
-  const c = await new AutoUpdater({ globalDir: gdir }).check();
-  console.log(`wild-workspace ${c.current}  (channel: ${c.channel}, auto-update: ${settings.enabled ? 'on' : 'off'})`);
-  if (!c.latest) {
-    console.log('  could not reach the npm registry to check for updates.');
-    process.exitCode = 1;
-    return;
-  }
-  if (!c.available) {
-    console.log(`  up to date — ${c.latest} is the latest on ${c.channel}.`);
-    return;
-  }
-  console.log(`  update available: ${c.current} → ${c.latest}`);
-  if (sub !== 'apply') {
-    console.log('  run `wild-workspace update apply` to install it now.');
-    return;
-  }
-  console.log(`  installing ${c.latest}…`);
-  const res = await npmInstall(`${PACKAGE_NAME}@${c.latest}`);
-  if (res.code === 0) {
-    recordUpdate(gdir, { from: c.current, to: c.latest, at: Date.now(), status: 'installed' });
-    console.log(`  ✓ installed ${c.latest}.`);
-    console.log('  The always-on supervisor will restart into the new version shortly,');
-    console.log('  or restart `wild-workspace` yourself to use it now.');
-  } else {
-    console.log(`  ✗ install failed (code ${res.code}).`);
-    if (res.output) console.log('  ' + res.output.split('\n').filter(Boolean).slice(-3).join('\n  '));
-    process.exitCode = 1;
-  }
-}
-
-// `wild-workspace support [allow|revoke|status]` — Phase 3 consent for the
-// daemon-hosted, out-of-band support channel (reachable even when your workspace
-// is offline). OFF by default + time-boxed; the bmo-sync daemon enforces it
-// locally and revoke is instant (this writes/deletes ~/.wild-workspace/
-// support-consent.json, which the daemon re-reads). Runs as its own process so it
-// works when the server is down.
-function fmtRemaining(ms) {
-  const m = Math.round(ms / 60000);
-  if (m < 60) return `${m} min`;
-  return `${Math.floor(m / 60)}h ${m % 60}m`;
-}
-async function runSupportCommand(action = 'status', opts = {}) {
-  const gdir = globalDir();
-
-  if (action === 'allow') {
-    const tier = opts.tier || 1;
-    const minutes = opts.minutes || 60;
-    if (tier < 1 || tier > MAX_TIER) {
-      console.error(
-        `tier must be 1..${MAX_TIER} (1 = read-only diagnostics/logs, 2 = curated fixes, ` +
-          `3 = let support operate your agent, 4 = raw shell).`,
-      );
-      process.exitCode = 1;
-      return;
-    }
-    // Tiers 3–4 let support OPERATE the machine (drive the agent / run commands).
-    // Require an explicit --yes so it's never a slip of the keyboard.
-    if (tier >= OPERATE_TIER && !opts.yes) {
-      console.error(
-        `tier ${tier} lets VentureWild support ${tier >= 4 ? 'run shell commands on' : 'operate the agent on'} ` +
-          `your machine (time-boxed, audited, revocable). Re-run with --yes to confirm:\n` +
-          `  wild-workspace support allow --tier ${tier} --minutes ${minutes} --yes`,
-      );
-      process.exitCode = 1;
-      return;
-    }
-    const rec = grantConsent(gdir, { tier, minutes });
-    if (!rec) {
-      console.error(`Could not write support consent to ${gdir}.`);
-      process.exitCode = 1;
-      return;
-    }
-    const tierDesc =
-      rec.tier >= 4
-        ? 'read diagnostics/logs + curated fixes + operate your agent + run raw shell commands'
-        : rec.tier >= 3
-          ? 'read diagnostics/logs + curated fixes + operate your agent on a task'
-          : rec.tier >= 2
-            ? 'read diagnostics/logs + run curated fixes (restart sync, relink, reinstall)'
-            : 'read diagnostics + logs only';
-    console.log(`✓ VentureWild support allowed at tier ${rec.tier} for ${fmtRemaining(rec.expiresAt - rec.grantedAt)} (max ${MAX_GRANT_MINUTES / 60}h).`);
-    console.log(`  tier ${rec.tier} = ${tierDesc}.`);
-    console.log('  It auto-expires; revoke anytime with: wild-workspace support revoke');
-    return;
-  }
-  if (action === 'revoke') {
-    const removed = revokeConsent(gdir);
-    console.log(removed ? '✓ support access revoked.' : 'support access was not enabled.');
-    return;
-  }
-  if (action === 'audit') {
-    const entries = readAudit(gdir, { limit: opts.limit || 20 });
-    if (!entries.length) {
-      console.log('no support actions recorded yet.');
-      return;
-    }
-    console.log('recent support actions (newest first):');
-    for (const e of entries) {
-      const when = e.ts ? new Date(e.ts).toISOString() : '?';
-      console.log(`  ${when}  ${e.ok ? '✓' : '✗'} ${e.action} (tier ${e.tier ?? '?'})`);
-    }
-    return;
-  }
-  // status (default)
-  const s = consentStatus(gdir);
-  if (s.enabled) {
-    console.log(`support access: ON (tier ${s.tier}) — ${fmtRemaining(s.remainingMs)} remaining.`);
-    console.log('  revoke : wild-workspace support revoke');
-  } else {
-    console.log('support access: OFF (default).');
-    console.log('  allow  : wild-workspace support allow --tier 1 --minutes 60');
-  }
-  console.log(`  file   : ${s.file}`);
-}
-
-// `wild-workspace operator [enable|disable|status]` — the consented support
-// channel (docs/SECURITY.md). OFF by default; `enable` mints a token to hand to
-// the wild-workspace team so they can diagnose + run a fixed set of safe fixes.
-async function runOperatorCommand(action = 'status', opts = {}) {
-  const config = buildConfig(opts);
-  if (action === 'enable') {
-    const token = enableOperator(config.dataDir, { rotate: opts.rotate });
-    if (!token) {
-      console.error(`Could not enable operator channel (couldn't write to ${config.dataDir}).`);
-      process.exitCode = 1;
-      return;
-    }
-    const slug = config.account?.slug;
-    console.log('✓ operator channel enabled (consented support access).');
-    console.log(`  token : ${token}`);
-    console.log('  Share this token with the wild-workspace team so they can help with your install.');
-    if (slug) console.log(`  reach : https://${slug}.venturewild.llc/api/operator/diag  (Authorization: Bearer <token>)`);
-    console.log('  off   : wild-workspace operator disable');
-    console.log('');
-    console.log('  Scope: read diagnostics + a fixed set of safe fixes (restart sync, re-detect');
-    console.log('  Claude, re-link your account, reinstall the sync daemon). It cannot run');
-    console.log('  arbitrary commands or drive your agent, and every action is logged.');
-    return;
-  }
-  if (action === 'disable') {
-    const removed = disableOperator(config.dataDir);
-    console.log(removed ? '✓ operator channel disabled (token revoked).' : 'operator channel was not enabled.');
-    return;
-  }
-  if (action === 'status') {
-    const s = operatorStatus(config.dataDir);
-    console.log(`operator channel: ${s.enabled ? 'ENABLED' : 'disabled'}`);
-    console.log(`  token file: ${s.file}`);
-    console.log(s.enabled ? '  disable   : wild-workspace operator disable' : '  enable    : wild-workspace operator enable');
-    return;
-  }
-  console.log(`unknown operator action: ${action}  (use enable | disable | status)`);
-}
-
-// `wild-workspace service [install|uninstall|status|run]` — the always-on
-// autostart (docs/always-on-design.md). `run` is the HIDDEN supervisor entry
-// the per-OS launcher invokes at login; the others manage registration. All
-// per-user, no admin.
-// First-run browser orchestration lives in a shebang-free module so it's
-// importable + unit-testable (server/test/owner-browser.test.mjs).
-
-async function runServiceCommand(action = 'status', opts = {}) {
-  const config = buildConfig(opts);
-
-  if (action === 'install') {
-    const r = await installService({
-      node: process.execPath, cli: __filename, workspaceDir: config.workspaceDir, port: config.port, version: APP_VERSION,
-    });
-    if (!r.installed) {
-      console.log(`service install: ${r.message || 'not supported on this platform'}`);
-      process.exitCode = 1;
-      return;
-    }
-    console.log('✓ always-on enabled — your workspace starts automatically at login.');
-    console.log(`  mechanism : ${r.mechanism} (per-user, no admin)`);
-    console.log(`  launcher  : ${r.launcher || r.vbs}`);
-    console.log(`  workspace : ${config.workspaceDir}`);
-    if (r.note) console.log(`  note      : ${r.note}`);
-    console.log('  disable   : wild-workspace service uninstall');
-    return;
-  }
-
-  if (action === 'uninstall') {
-    const r = await uninstallService();
-    if (r.supported === false) { console.log(`service: nothing to do — autostart not implemented for ${r.platform} yet`); return; }
-    console.log(`✓ always-on disabled${r.removedKey ? '' : ' (no autostart entry was set)'}${r.stoppedPid ? ` — stopped supervisor pid ${r.stoppedPid}` : ''}.`);
-    return;
-  }
-
-  if (action === 'status') {
-    const s = await serviceStatus({ port: config.port }, { probeImpl: (p) => probeHealth(p) });
-    if (s.supported === false) { console.log(`always-on: autostart not implemented for ${s.platform} yet (run \`wild-workspace\` manually)`); return; }
-    console.log(`always-on   : ${s.installed ? 'installed' : 'NOT installed'}`);
-    if (s.runValue) console.log(`  run entry : ${s.runValue}`);
-    console.log(`  supervisor: ${s.supervisorAlive ? `running (pid ${s.supervisorPid})` : 'not running'}`);
-    console.log(`  server    : ${s.serverUp ? `up on http://127.0.0.1:${config.port}` : 'down'}`);
-    return;
-  }
-
-  if (action === 'run') {
-    // Hidden entrypoint launched by the autostart VBS at login. The OS gives us
-    // an arbitrary cwd, so read the workspace dir persisted at install time.
-    let svc = {};
-    try { svc = JSON.parse(readFileSync(path.join(globalDir(), 'service.json'), 'utf8')); } catch { /* fall back to config */ }
-    const sup = new WorkspaceSupervisor({
-      workspaceDir: svc.workspaceDir || config.workspaceDir,
-      port: svc.port || config.port,
-    });
-    const r = sup.start();
-    if (!r.started) process.exit(0); // another supervisor already owns the lock
-    // else: the supervision interval keeps this process alive.
-    return;
-  }
-
-  console.log(`unknown service action: ${action}  (use install | uninstall | status | run)`);
-}
-
-async function main() {
-  // First-run capture: log every invocation BEFORE doing anything, so even a
-  // crash-on-start leaves a trace we (or `wild-workspace doctor`) can read.
-  appendLine('cli', `invoke argv=[${process.argv.slice(2).join(' ')}] cwd=${process.cwd()} node=${process.version} v${APP_VERSION}`);
-  const opts = parseArgs(process.argv.slice(2));
-  if (opts.help) return printUsage();
-  if (opts.version) { console.log(APP_VERSION); return; }
-
-  if (opts.positional[0] === 'daemon') {
-    return runDaemonCommand(opts.positional[1], opts.positional.slice(2));
-  }
-
-  if (opts.positional[0] === 'login') {
-    return runLoginCommand(opts.positional.slice(1));
-  }
-  if (opts.positional[0] === 'logout') {
-    return runLogoutCommand();
-  }
-  if (opts.positional[0] === 'reset') {
-    return runResetCommand(opts);
-  }
-  if (opts.positional[0] === 'whoami') {
-    return runWhoamiCommand();
-  }
-  if (opts.positional[0] === 'rotate-token') {
-    return runRotateTokenCommand();
-  }
-  if (opts.positional[0] === 'workspace') {
-    return runWorkspaceCommand(opts.positional[1], opts);
-  }
-  if (opts.positional[0] === 'doctor') {
-    return runDoctorCommand(opts);
-  }
-  if (opts.positional[0] === 'logs') {
-    return runLogsCommand(opts);
-  }
-  if (opts.positional[0] === 'update') {
-    return runUpdateCommand(opts);
-  }
-  if (opts.positional[0] === 'support') {
-    return runSupportCommand(opts.positional[1], opts);
-  }
-  if (opts.positional[0] === 'operator') {
-    return runOperatorCommand(opts.positional[1], opts);
-  }
-  if (opts.positional[0] === 'observability') {
-    return runObservabilityCommand(opts.positional[1], opts);
-  }
-  if (opts.positional[0] === 'ops') {
-    return runOpsCommand(opts);
-  }
-  if (opts.positional[0] === 'service') {
-    return runServiceCommand(opts.positional[1], opts);
-  }
-
-  if (opts.positional[0] === 'install') {
-    console.log('wild-workspace manages the bmo-sync sync daemon for you.');
-    console.log('');
-    console.log('It starts automatically in the background whenever you run');
-    console.log('`wild-workspace`, and keeps running after you close the browser —');
-    console.log('so there is no separate install step.');
-    console.log('');
-    console.log('  wild-workspace daemon status   check whether it is running');
-    console.log('  wild-workspace daemon stop     stop it');
-    return;
-  }
-  if (opts.positional[0] === 'share') {
-    console.log('Use the in-app Share button to issue viewer URLs. CLI share command is v1.x.');
-    return;
-  }
-
-  // If a workspace server is already serving this port — always-on started it at
-  // login, or another `wild-workspace` is running — don't fight it for the socket
-  // (createServer would reject on EADDRINUSE and crash). Just open the browser to
-  // the one already up. This is the common case now that always-on is real.
-  {
-    const probeCfg = buildConfig(opts);
-    if (await probeHealth(probeCfg.port)) {
-      const host = probeCfg.host === '0.0.0.0' ? '127.0.0.1' : probeCfg.host;
-      const displayUrl = `http://${host}:${probeCfg.port}`; // shown without the token
-      console.log(`\n  wild-workspace is already running at ${displayUrl}`);
-      if (probeCfg.openBrowser) {
-        console.log('  opening it in your browser…');
-        await openOwnerBrowser(probeCfg);
-      }
-      return;
-    }
-  }
-
-  const server = await createServer(opts);
-  const { config } = server;
-  console.log(`\n  wild-workspace v${APP_VERSION}`);
-  console.log(`  workspace : ${config.workspaceDir}`);
-  console.log(`  url       : http://${config.host}:${config.port}`);
-  console.log(`  agent     : ${server.getActiveAgent()?.label || '(none detected — install Claude Code: npm i -g @anthropic-ai/claude-code)'}`);
-
-  // Report how the sync daemon's autostart went (best-effort — never fatal).
-  try {
-    const d = await server.daemonReady;
-    if (d.alreadyRunning) console.log('  sync      : bmo-sync daemon already running');
-    else if (d.started) console.log(`  sync      : bmo-sync daemon started (pid ${d.pid})`);
-    else if (d.skipped) console.log('  sync      : daemon autostart disabled');
-    else if (d.error === 'daemon-binary-not-found')
-      console.log('  sync      : daemon binary not installed — sync is off (see `wild-workspace daemon`)');
-    else if (d.error) console.log(`  sync      : daemon did not start — ${d.error}`);
-  } catch {}
-  console.log('');
-
-  if (config.publicMode) {
-    // Public mode denies anon — tell the owner how to reach it authenticated.
-    console.log(`  mode      : PUBLIC — opening with a one-time sign-in token`);
-  }
-  if (config.openBrowser) {
-    await openOwnerBrowser(config);
-  }
-
-  // Hard safety net: even if stop() ever wedges, never leave the user staring at
-  // "shutting down…". Unref'd so the timer itself doesn't keep us alive.
-  const forceExitSoon = () => { setTimeout(() => process.exit(0), 3000).unref(); };
-  process.on('SIGINT', async () => {
-    console.log('\nshutting down…');
-    forceExitSoon();
-    try { await server.stop(); } catch {}
-    process.exit(0);
-  });
-  process.on('SIGTERM', async () => { forceExitSoon(); try { await server.stop(); } catch {} process.exit(0); });
-}
-
-main().catch((err) => {
-  appendLine('cli', `FATAL ${err?.stack || err}`);
-  console.error('wild-workspace failed:', err);
-  process.exit(1);
-});
+#!/usr/bin/env node
+// `wild-workspace` CLI entry — the bin field in package.json.
+// Starts the workspace server; also exposes a `daemon` subcommand for
+// inspecting / controlling the bmo-sync sync daemon.
+
+import path from 'node:path';
+import url from 'node:url';
+import os from 'node:os';
+import { createServer } from '../src/index.mjs';
+import { APP_VERSION, buildConfig } from '../src/config.mjs';
+import { DaemonSupervisor } from '../src/daemon-supervisor.mjs';
+import { SyncControl } from '../src/sync.mjs';
+import {
+  decodeLoginPayload,
+  saveAccount,
+  loadAccount,
+  clearAccount,
+} from '../src/account.mjs';
+import { readFileSync } from 'node:fs';
+import { WorkspaceSupervisor, probeHealth } from '../src/supervisor.mjs';
+import { installService, uninstallService, serviceStatus, globalDir } from '../src/service.mjs';
+import { appendLine, listLogs, tailFile } from '../src/logpaths.mjs';
+import { runDoctor, renderDoctor, writeDoctorBundle } from '../src/doctor.mjs';
+import { enableOperator, disableOperator, operatorStatus } from '../src/operator.mjs';
+import { loadObservabilityConsent, setObservabilityConsent } from '../src/observability.mjs';
+import {
+  grantConsent, revokeConsent, consentStatus, readAudit, MAX_TIER, MAX_GRANT_MINUTES, OPERATE_TIER,
+} from '../src/support-consent.mjs';
+import {
+  AutoUpdater, PACKAGE_NAME, npmInstall, recordUpdate,
+  loadUpdateSettings, setUpdateEnabled, setUpdateChannel,
+} from '../src/auto-update.mjs';
+import { openOwnerBrowser } from '../src/owner-browser.mjs';
+import { planReset, applyReset, RESET_KEEPS } from '../src/reset.mjs';
+import { createWorkspaceRails } from '../src/workspaces.mjs';
+
+const __filename = url.fileURLToPath(import.meta.url);
+const __dirname = path.dirname(__filename);
+
+function printUsage() {
+  console.log(`wild-workspace v${APP_VERSION}
+
+Usage:
+  wild-workspace                  start the workspace server in the current directory
+  wild-workspace --port 5173      override port (default 5173)
+  wild-workspace --no-open        don't auto-open browser
+  wild-workspace --host 0.0.0.0   bind to all interfaces (for share-by-URL hosting)
+  wild-workspace daemon status                  is the bmo-sync daemon running?
+  wild-workspace daemon start                   start the sync daemon now
+  wild-workspace daemon stop                    stop the sync daemon
+  wild-workspace daemon conflicts list          list open conflicts
+  wild-workspace daemon conflicts show <wid> <path>     view one conflict
+  wild-workspace daemon conflicts resolve <wid> <path> <keep_mine|take_theirs>
+  wild-workspace login <payload>  bind this install to a slug
+                                  (paste the blob from workspace.venturewild.llc)
+  wild-workspace logout           clear the bound account (slug + token)
+  wild-workspace reset [--yes]    back to the beginning: unlink + reset onboarding +
+                                  flush local config (preview without --yes; keeps your files)
+  wild-workspace whoami           show the currently-bound account
+  wild-workspace rotate-token     mint a new account token; invalidates the old one
+  wild-workspace workspace create "<name>" [--slug s]   create a shared workspace (its own slug, owned by you)
+  wild-workspace workspace list                         shared workspaces you belong to
+  wild-workspace workspace add-member <slug> <email>    add a teammate (they must have a slug already)
+  wild-workspace workspace remove-member <slug> <email-or-accountId>   remove a teammate
+  wild-workspace doctor [--share] diagnose this machine's install (✅/⚠️/❌ + logs)
+  wild-workspace logs [name] [--tail N]   list logs, or tail one (cli/server/daemon/…)
+  wild-workspace operator enable  let the wild-workspace team help with your install (mints a token)
+  wild-workspace operator disable revoke the support token
+  wild-workspace operator status  is the support channel on?
+  wild-workspace support allow --tier 1 --minutes 60   allow time-boxed support (works even when offline)
+  wild-workspace support revoke   revoke support access now
+  wild-workspace support status   is support access on, and for how long?
+  wild-workspace support audit    show what support has done (the audit feed)
+  wild-workspace observability [on|off|status]   share session + install health so we can help (default on; never chat content)
+  wild-workspace update [apply]   check for / install a newer version (auto by default)
+  wild-workspace update on|off    toggle background auto-update
+  wild-workspace update channel stable|beta   choose the update channel
+  wild-workspace service install  keep your workspace always-on (starts at login, no admin)
+  wild-workspace service uninstall   turn always-on off
+  wild-workspace service status   show always-on status (installed? supervisor? server?)
+  wild-workspace install          (info) how the sync daemon is managed
+  wild-workspace --help           this message
+  wild-workspace --version        print version
+
+The bmo-sync sync daemon starts automatically in the background when you run
+\`wild-workspace\`, and keeps running after you close the browser.
+
+Environment:
+  WILD_WORKSPACE_PORT, WILD_WORKSPACE_HOST,
+  WILD_WORKSPACE_DIR, WILD_WORKSPACE_DATA_DIR,
+  WILD_WORKSPACE_PARTNER_TOKEN, WILD_WORKSPACE_SHARE_SECRET,
+  WILD_WORKSPACE_NO_OPEN=1, WILD_WORKSPACE_DAEMON_AUTOSTART=0
+`);
+}
+
+function parseArgs(argv) {
+  const opts = {};
+  const positional = [];
+  for (let i = 0; i < argv.length; i++) {
+    const arg = argv[i];
+    if (arg === '--help' || arg === '-h') opts.help = true;
+    else if (arg === '--version' || arg === '-v') opts.version = true;
+    else if (arg === '--no-open') opts.openBrowser = false;
+    else if (arg === '--port') { opts.port = Number(argv[++i]); }
+    else if (arg === '--host') { opts.host = argv[++i]; }
+    else if (arg === '--workspace') { opts.workspaceDir = argv[++i]; }
+    else if (arg === '--tail') { opts.tail = Number(argv[++i]); }
+    else if (arg === '--share') { opts.share = true; }
+    else if (arg === '--rotate') { opts.rotate = true; }
+    else if (arg === '--yes' || arg === '-y') { opts.yes = true; }
+    else if (arg === '--kind') { opts.kind = argv[++i]; }
+    else if (arg === '--slug') { opts.slug = argv[++i]; }
+    else if (arg === '--limit') { opts.limit = Number(argv[++i]); }
+    else if (arg === '--tier') { opts.tier = Number(argv[++i]); }
+    else if (arg === '--minutes') { opts.minutes = Number(argv[++i]); }
+    else if (arg.startsWith('--')) {
+      // ignore unknown flags
+    } else {
+      positional.push(arg);
+    }
+  }
+  opts.positional = positional;
+  return opts;
+}
+
+// `wild-workspace daemon [status|start|stop|conflicts ...]`
+async function runDaemonCommand(action = 'status', rest = []) {
+  const config = buildConfig({});
+  const sup = new DaemonSupervisor({
+    httpBase: config.daemonHttpUrl,
+    // b-ii: so `wild-workspace daemon start` also opens the proxy link.
+    accountToken: config.accountToken,
+    serverUrl: config.bmoSyncServerUrl,
+  });
+
+  if (action === 'conflicts') {
+    return runConflictsCommand(config, rest);
+  }
+  if (action === 'status') {
+    const s = await sup.status();
+    console.log(`bmo-sync daemon: ${s.running ? 'running' : 'stopped'}`);
+    console.log(`  api : ${s.httpBase}`);
+    if (s.pid) console.log(`  pid : ${s.pid}`);
+    console.log(`  log : ${s.logFile}`);
+    return;
+  }
+  if (action === 'start') {
+    const r = await sup.ensureRunning();
+    if (r.alreadyRunning) {
+      console.log('bmo-sync daemon: already running');
+    } else if (r.started) {
+      const healthy = await sup.waitForHealthy();
+      console.log(
+        healthy
+          ? `bmo-sync daemon: started (pid ${r.pid})`
+          : `bmo-sync daemon: launched (pid ${r.pid}) — not yet answering, check the log`,
+      );
+    } else if (r.error === 'daemon-binary-not-found') {
+      console.log('bmo-sync daemon: cannot start — the daemon binary is not installed.');
+      console.log('  build it from the bmo-sync workspace and place it under vendor/,');
+      console.log('  or install the @venturewild/workspace-daemon-<platform> package.');
+    } else {
+      console.log(`bmo-sync daemon: could not start — ${r.error}`);
+    }
+    return;
+  }
+  if (action === 'stop') {
+    const r = await sup.stop();
+    console.log(
+      r.stopped
+        ? `bmo-sync daemon: stopped (pid ${r.pid})`
+        : `bmo-sync daemon: not stopped — ${r.reason}`,
+    );
+    return;
+  }
+  console.log(`unknown daemon action: ${action}  (use status | start | stop | conflicts)`);
+}
+
+// `wild-workspace daemon conflicts [list|show <wid> <path>|resolve <wid> <path> <action>]`
+async function runConflictsCommand(config, args) {
+  const sync = new SyncControl({
+    daemonHttpUrl: config.daemonHttpUrl,
+    bmoSyncServerUrl: config.bmoSyncServerUrl,
+  });
+  const sub = (args[0] || 'list').toLowerCase();
+  if (sub === 'list' || !sub) {
+    const conflicts = await sync.listConflicts();
+    if (!conflicts.length) {
+      console.log('no open conflicts');
+      return;
+    }
+    console.log(`open conflicts: ${conflicts.length}`);
+    for (const c of conflicts) {
+      const detected = new Date((c.detectedAt || 0) * 1000).toISOString();
+      console.log(`  [${c.workspaceId}] ${c.path}`);
+      console.log(`    resolution     : ${c.resolution}`);
+      console.log(`    detected_at    : ${detected}`);
+      if (c.peerBackOfficePath) {
+        console.log(`    peer_bytes_at  : ${c.peerBackOfficePath}`);
+      }
+      if (c.mineSha256) console.log(`    mine_sha256    : ${c.mineSha256}`);
+      if (c.theirsSha256) console.log(`    theirs_sha256  : ${c.theirsSha256}`);
+    }
+    return;
+  }
+  if (sub === 'show') {
+    const wid = args[1];
+    const path = args[2];
+    if (!wid || !path) {
+      console.log('usage: wild-workspace daemon conflicts show <workspace_id> <path>');
+      return;
+    }
+    const view = await sync.viewConflict(wid, path);
+    if (!view) {
+      console.log(`no open conflict for ${wid}:${path}`);
+      return;
+    }
+    console.log(JSON.stringify(view, null, 2));
+    return;
+  }
+  if (sub === 'resolve') {
+    const wid = args[1];
+    const path = args[2];
+    const action = args[3];
+    if (!wid || !path || !action) {
+      console.log(
+        'usage: wild-workspace daemon conflicts resolve <workspace_id> <path> <keep_mine|take_theirs>',
+      );
+      return;
+    }
+    try {
+      await sync.resolveConflict(wid, path, action);
+      console.log(`resolved: ${wid}:${path} (${action})`);
+    } catch (e) {
+      console.error(`resolve failed: ${e.message || e}`);
+      process.exitCode = 1;
+    }
+    return;
+  }
+  console.log(
+    `unknown conflicts subcommand: ${sub}  (use list | show <wid> <path> | resolve <wid> <path> <action>)`,
+  );
+}
+
+// `wild-workspace login <base64url-payload>` — bind this install to a slug.
+// The payload comes from workspace.venturewild.llc on signup. It's an opaque
+// blob the user copies once; we decode + persist + print a friendly summary.
+async function runLoginCommand(args) {
+  if (!args.length) {
+    console.error('usage: wild-workspace login <payload>');
+    console.error('');
+    console.error('The payload is the blob you copied from workspace.venturewild.llc');
+    console.error('after claiming your slug. Run that signup, then come back here.');
+    process.exitCode = 1;
+    return;
+  }
+  // Trim the obvious "wild-workspace login " prefix in case the user pasted
+  // the whole command line, and surrounding quotes if a shell preserved them.
+  let payload = args.join(' ').trim();
+  payload = payload.replace(/^wild-workspace\s+login\s+/i, '').trim();
+  payload = payload.replace(/^['"]|['"]$/g, '');
+  let parsed;
+  try {
+    parsed = decodeLoginPayload(payload);
+  } catch (e) {
+    console.error(`Couldn't decode the login payload: ${e.message || e}`);
+    process.exitCode = 1;
+    return;
+  }
+  const config = buildConfig({});
+  let saved;
+  try {
+    saved = saveAccount(config.dataDir, parsed);
+  } catch (e) {
+    console.error(`Couldn't save account to ${config.dataDir}: ${e.message || e}`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log(`✓ logged in as ${saved.email}`);
+  console.log(`  slug      : ${saved.slug}`);
+  console.log(`  url       : https://${saved.slug}.venturewild.llc  (once the tunnel is configured)`);
+  console.log(`  saved to  : ${config.dataDir}/account.json`);
+  console.log('');
+  console.log('Run `wild-workspace` in any folder to start your workspace.');
+
+  // Arm always-on so the workspace comes back on its own (best-effort — never
+  // blocks login). On a platform without autostart yet, just nudge the user.
+  try {
+    const svc = await installService({
+      node: process.execPath, cli: __filename, workspaceDir: config.workspaceDir, port: config.port, version: APP_VERSION,
+    });
+    if (svc.installed) console.log('  always-on : enabled — starts at login (disable: wild-workspace service uninstall)');
+    else if (svc.supported === false) console.log(`  always-on : not yet on ${svc.platform} — run \`wild-workspace\` to start it`);
+  } catch { /* never block login */ }
+}
+
+async function runLogoutCommand() {
+  const config = buildConfig({});
+  const before = loadAccount(config.dataDir);
+  const removed = clearAccount(config.dataDir);
+  if (!removed && !before) {
+    console.log('not logged in.');
+    return;
+  }
+  console.log(`logged out — cleared ${before?.email || 'account'} from ${config.dataDir}.`);
+}
+
+// `wild-workspace reset [--yes]` — back to the beginning: unlink the account,
+// reset onboarding, flush local config/state. NEVER touches workspace files.
+// Without --yes it's a dry run (prints exactly what it WOULD remove).
+async function runResetCommand(opts) {
+  const config = buildConfig(opts);
+  const gdir = globalDir();
+  const before = loadAccount(config.dataDir);
+
+  // Collect every data dir that might hold this install's account/onboarding:
+  // the one this invocation resolves (cwd-keyed) + the always-on workspace's
+  // (recorded in service.json), in case `reset` is run from a different folder.
+  const dataDirs = new Set([config.dataDir]);
+  try {
+    const svc = JSON.parse(readFileSync(path.join(gdir, 'service.json'), 'utf8'));
+    if (svc.workspaceDir) dataDirs.add(path.join(path.resolve(svc.workspaceDir), '.wild-workspace'));
+  } catch { /* no always-on registration — fine */ }
+
+  const targets = planReset({ dataDirs: [...dataDirs], globalDir: gdir, includeMarketplace: true });
+  const present = targets.filter((t) => t.exists);
+
+  console.log('wild-workspace reset — back to the beginning\n');
+  if (before) {
+    console.log(`  currently linked: ${before.email}  (slug: ${before.slug})`);
+    console.log('');
+  }
+  if (present.length === 0) {
+    console.log('  Nothing to clear — this install is already at a clean state.');
+    return;
+  }
+
+  console.log(`  ${opts.yes ? 'Removing' : 'Would remove'}:`);
+  for (const t of present) console.log(`    - ${t.path}${t.kind === 'dir' ? '  (folder)' : ''}`);
+  console.log('');
+  console.log('  Keeps (untouched):');
+  for (const k of RESET_KEEPS) console.log(`    · ${k}`);
+  console.log('');
+
+  if (!opts.yes) {
+    console.log('  This was a PREVIEW. Re-run to actually reset:');
+    console.log('    wild-workspace reset --yes');
+    return;
+  }
+
+  const { removed, failed } = applyReset(present);
+  console.log(`  ✓ cleared ${removed.length} item(s).`);
+  if (failed.length) {
+    console.log(`  ⚠ ${failed.length} could not be removed (in use? close the app + retry):`);
+    for (const f of failed) console.log(`    - ${f.path}: ${f.error}`);
+    process.exitCode = 1;
+  }
+  console.log('');
+  // The running server still holds the old account/secrets in memory — a restart
+  // is what makes the reset take effect (and re-arms a fresh onboarding).
+  if (await probeHealth(config.port)) {
+    console.log('  ⚠ a workspace server is still running with the old state. Restart it:');
+    console.log(`     stop it (close the app / kill :${config.port}); always-on restarts it clean,`);
+    console.log('     or run `wild-workspace` yourself.');
+    console.log('');
+  }
+  console.log('  Next:');
+  console.log('    • `wild-workspace login <blob>`  — re-link to a slug, then `wild-workspace`');
+  console.log('    • or just `wild-workspace`       — start fresh and re-run onboarding');
+  console.log('');
+  console.log('  Note: the canvas LAYOUT is stored in your browser, not here — open the');
+  console.log('  workspace in a fresh/incognito window (or clear site data) for a blank canvas.');
+}
+
+async function runRotateTokenCommand() {
+  const config = buildConfig({});
+  const account = loadAccount(config.dataDir);
+  if (!account) {
+    console.log('not logged in. Nothing to rotate.');
+    console.log('Run `wild-workspace login <payload>` after claiming a slug.');
+    process.exitCode = 1;
+    return;
+  }
+  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/account/rotate-token`;
+  let resp;
+  try {
+    resp = await fetch(url, {
+      method: 'POST',
+      headers: { authorization: `Bearer ${account.accountToken}` },
+    });
+  } catch (e) {
+    console.error(`Couldn't reach ${config.bmoSyncServerUrl}: ${e.message || e}`);
+    process.exitCode = 2;
+    return;
+  }
+  if (!resp.ok) {
+    let body;
+    try { body = await resp.text(); } catch { body = ''; }
+    console.error(`Rotate failed (HTTP ${resp.status}): ${body.slice(0, 200)}`);
+    process.exitCode = 1;
+    return;
+  }
+  let payload;
+  try {
+    payload = await resp.json();
+  } catch (e) {
+    console.error(`Server returned non-JSON: ${e.message || e}`);
+    process.exitCode = 1;
+    return;
+  }
+  if (!payload || !payload.account_token) {
+    console.error('Server response missing account_token. Aborting.');
+    process.exitCode = 1;
+    return;
+  }
+  const updated = {
+    ...account,
+    accountToken: payload.account_token,
+    loggedInAt: Date.now(),
+  };
+  try {
+    saveAccount(config.dataDir, updated);
+  } catch (e) {
+    console.error(`Got new token but failed to persist it: ${e.message || e}`);
+    console.error(`New token (save manually): ${payload.account_token}`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log('✓ token rotated.');
+  console.log(`  slug      : ${updated.slug}`);
+  console.log(`  saved to  : ${config.dataDir}/account.json`);
+  console.log('');
+  console.log('Your daemon will reconnect with the new token automatically');
+  console.log('on its next restart. Run `wild-workspace daemon stop && wild-workspace`');
+  console.log('to force an immediate reconnect.');
+}
+
+// `wild-workspace workspace {create|list|add-member|remove-member}` — multi-host
+// step 2 (membership). The FOUNDATION's drivable surface: create a shared
+// workspace (its own slug, owned by you), manage its member set, and read the
+// shared workspaces you belong to. The polished invite/join/lobby UX is later;
+// these are operator/dev affordances over the rails (you never copy-paste a
+// token — they read your bound account). Requires `wild-workspace login` first.
+async function runWorkspaceCommand(action, opts) {
+  const config = buildConfig(opts);
+  if (!config.accountToken) {
+    console.error('not logged in. Run `wild-workspace login <payload>` after claiming a slug.');
+    process.exitCode = 1;
+    return;
+  }
+  const rails = createWorkspaceRails(config, { accountToken: config.accountToken });
+  const fail = (r) => {
+    console.error(`✗ ${r.message || r.code || 'failed'}${r.code ? `  (${r.code})` : ''}`);
+    process.exitCode = 1;
+  };
+
+  if (action === 'create') {
+    const name = opts.positional.slice(2).join(' ').trim();
+    if (!name) {
+      console.error('usage: wild-workspace workspace create "<name>" [--slug <slug>]');
+      process.exitCode = 1;
+      return;
+    }
+    const r = await rails.create(name, opts.slug || null);
+    if (!r.ok) return fail(r);
+    console.log(`✓ created shared workspace "${r.data.name}"`);
+    console.log(`  slug : ${r.data.slug}`);
+    console.log(`  url  : https://${r.data.slug}.venturewild.llc  (once routing lands — step 3)`);
+    console.log('');
+    console.log('  Add a teammate (they must have claimed a slug already):');
+    console.log(`    wild-workspace workspace add-member ${r.data.slug} <their-email>`);
+    return;
+  }
+
+  if (action === 'list') {
+    const r = await rails.list();
+    if (!r.ok) return fail(r);
+    const ws = r.data.workspaces || [];
+    if (!ws.length) {
+      console.log('you belong to no shared workspaces yet.');
+      console.log('  create one: wild-workspace workspace create "<name>"');
+      return;
+    }
+    console.log(`shared workspaces you belong to: ${ws.length}`);
+    for (const w of ws) {
+      console.log(`  ${w.slug.padEnd(20)} ${w.role.padEnd(7)} "${w.name}"  (owner: ${w.owner_email})`);
+    }
+    return;
+  }
+
+  if (action === 'add-member') {
+    const slug = opts.positional[2];
+    const email = opts.positional[3];
+    if (!slug || !email) {
+      console.error('usage: wild-workspace workspace add-member <slug> <email>');
+      process.exitCode = 1;
+      return;
+    }
+    const r = await rails.addMember(slug, email);
+    if (!r.ok) return fail(r);
+    console.log(`✓ added ${email} to ${slug} (account ${r.data.account_id}).`);
+    return;
+  }
+
+  if (action === 'remove-member') {
+    const slug = opts.positional[2];
+    const ref = opts.positional[3];
+    if (!slug || !ref) {
+      console.error('usage: wild-workspace workspace remove-member <slug> <email-or-accountId>');
+      process.exitCode = 1;
+      return;
+    }
+    const r = await rails.removeMember(slug, ref);
+    if (!r.ok) return fail(r);
+    console.log(
+      r.data.removed
+        ? `✓ removed ${ref} from ${slug}.`
+        : `${ref} was not a member of ${slug} (nothing to remove).`,
+    );
+    return;
+  }
+
+  console.log('unknown workspace action. use: create | list | add-member | remove-member');
+  console.log('  wild-workspace workspace create "<name>" [--slug <slug>]');
+  console.log('  wild-workspace workspace list');
+  console.log('  wild-workspace workspace add-member <slug> <email>');
+  console.log('  wild-workspace workspace remove-member <slug> <email-or-accountId>');
+}
+
+async function runWhoamiCommand() {
+  const config = buildConfig({});
+  const account = loadAccount(config.dataDir);
+  if (!account) {
+    console.log('not logged in.');
+    console.log('Run `wild-workspace login <payload>` after claiming a slug at workspace.venturewild.llc.');
+    return;
+  }
+  console.log(`logged in as ${account.email}`);
+  console.log(`  slug      : ${account.slug}`);
+  console.log(`  accountId : ${account.accountId}`);
+  if (account.displayName) console.log(`  name      : ${account.displayName}`);
+  console.log(`  loggedIn  : ${new Date(account.loggedInAt).toISOString()}`);
+}
+
+// `wild-workspace doctor [--share]` — one diagnostic of this machine's install.
+// Prints ✅/⚠️/❌ per check + where the logs are, and writes a JSON bundle under
+// ~/.wild-workspace/diagnostics/. Exits non-zero if any check failed.
+async function runDoctorCommand(opts) {
+  const config = buildConfig(opts);
+  const report = await runDoctor({ config });
+  console.log(renderDoctor(report));
+  const bundle = writeDoctorBundle(report);
+  if (bundle) {
+    console.log('');
+    console.log(`Full report: ${bundle}`);
+  }
+  if (opts.share) {
+    const shared = await shareDoctor(config, report);
+    console.log(
+      shared.ok
+        ? '✓ shared with the wild-workspace team — they can see this diagnostic now.'
+        : `Couldn't auto-share (${shared.reason}). Send the file above instead.`,
+    );
+  }
+  process.exitCode = report.summary.fail > 0 ? 1 : 0;
+}
+
+// Upload a doctor report to bmo-sync. `--share` is an explicit user action, so it
+// goes even if the passive observability feed is off — but still respects the
+// hard kill switch and needs an account to key it to.
+async function shareDoctor(config, report) {
+  if (!config.accountToken) return { ok: false, reason: 'not logged in' };
+  if (process.env.WILD_WORKSPACE_NO_TELEMETRY === '1') return { ok: false, reason: 'telemetry disabled' };
+  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/telemetry`;
+  const ctrl = new AbortController();
+  const t = setTimeout(() => ctrl.abort(), 5000);
+  try {
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      body: JSON.stringify({
+        account_token: config.accountToken,
+        slug: config.account?.slug || null,
+        workspace_id: config.workspaceId,
+        kind: 'doctor-share',
+        doctor: report,
+        sent_at: Math.floor(Date.now() / 1000),
+      }),
+      signal: ctrl.signal,
+    });
+    return { ok: res.ok, reason: res.ok ? null : `HTTP ${res.status}` };
+  } catch (e) {
+    return { ok: false, reason: String(e?.message || e) };
+  } finally {
+    clearTimeout(t);
+  }
+}
+
+// `wild-workspace logs [name] [--tail N]` — list the logs, or tail one by name.
+async function runLogsCommand(opts) {
+  const name = opts.positional[1];
+  const n = opts.tail || 40;
+  const logs = listLogs();
+  if (!name) {
+    console.log(`logs dir: ${path.dirname(logs[0].file)}`);
+    for (const l of logs) {
+      console.log(`  ${l.name.padEnd(10)} ${l.exists ? `${l.size} bytes` : '(none yet)'}  ${l.file}`);
+    }
+    console.log('');
+    console.log(`Show one: wild-workspace logs <name> [--tail N]   (names: ${logs.map((l) => l.name).join(', ')})`);
+    return;
+  }
+  const match = logs.find((l) => l.name === name);
+  if (!match) {
+    console.log(`unknown log "${name}". names: ${logs.map((l) => l.name).join(', ')}`);
+    process.exitCode = 1;
+    return;
+  }
+  console.log(`# ${match.name} — ${match.file} (last ${n} lines)`);
+  console.log(tailFile(match.file, n) || '(empty)');
+}
+
+// `wild-workspace ops <slug>` — OPERATOR read of a user's observability feed.
+// Reads the bmo-sync admin endpoint with the admin key at ~/.bmo-sync-admin-key
+// (so it only works on an operator's machine). This is how we see a stuck/broken
+// user without them having to ask. Filters: --kind feed|install-down|transcript,
+// --limit N.
+async function runOpsCommand(opts) {
+  const slug = opts.positional[1];
+  if (!slug) {
+    console.error('usage: wild-workspace ops <slug> [--kind feed|install-down|transcript] [--limit N]');
+    process.exitCode = 1;
+    return;
+  }
+  const config = buildConfig(opts);
+  const keyPath = path.join(os.homedir(), '.bmo-sync-admin-key');
+  let adminKey;
+  try {
+    adminKey = readFileSync(keyPath, 'utf8').trim();
+  } catch {
+    console.error(`No admin key at ${keyPath} — \`ops\` is an operator-only command.`);
+    process.exitCode = 1;
+    return;
+  }
+  const params = new URLSearchParams();
+  if (opts.kind) params.set('kind', opts.kind);
+  params.set('limit', String(opts.limit || 50));
+  const url = `${config.bmoSyncServerUrl.replace(/\/$/, '')}/api/admin/accounts/${encodeURIComponent(slug)}/activity?${params}`;
+  let res;
+  try {
+    res = await fetch(url, { headers: { 'x-admin-key': adminKey } });
+  } catch (e) {
+    console.error(`Couldn't reach ${config.bmoSyncServerUrl}: ${e.message || e}`);
+    process.exitCode = 2;
+    return;
+  }
+  if (res.status === 404) {
+    console.log(`No account/slug "${slug}" yet (unclaimed, or it hasn't reported).`);
+    return;
+  }
+  if (res.status === 403 || res.status === 401) {
+    console.error('admin key rejected.');
+    process.exitCode = 1;
+    return;
+  }
+  if (!res.ok) {
+    console.error(`HTTP ${res.status}`);
+    process.exitCode = 1;
+    return;
+  }
+  const data = await res.json();
+  console.log(`account ${data.account_id}${data.slug ? ` (${data.slug})` : ''} — ${data.count} recent event(s)`);
+  for (const r of data.rows || []) {
+    const when = new Date((r.reported_at || 0) * 1000).toISOString();
+    let detail = '';
+    if (r.kind === 'feed' && Array.isArray(r.payload?.events)) {
+      const counts = {};
+      for (const e of r.payload.events) counts[e.type] = (counts[e.type] || 0) + 1;
+      detail = Object.entries(counts).map(([k, v]) => `${k}×${v}`).join(' ');
+    } else if ((r.kind === 'install-down' || r.kind === 'doctor-share') && r.payload?.doctor?.summary) {
+      const s = r.payload.doctor.summary;
+      detail = `doctor: ${s.fail} fail / ${s.warn} warn`;
+    } else if (r.kind === 'transcript') {
+      detail = `transcript ${r.payload?.date || ''} (${(r.payload?.markdown || '').length} chars)`;
+    }
+    console.log(`  ${when}  [${r.kind}]${r.os ? ` ${r.os}` : ''}  ${detail}`);
+  }
+}
+
+// `wild-workspace observability [on|off|status]` — the consented session +
+// install-health feed (default ON). Streams WHAT happened + install health to the
+// Venturewild team so they can help if something breaks — never your chat words
+// (that's the separate transcript channel). See observability.mjs.
+async function runObservabilityCommand(action = 'status', opts = {}) {
+  const config = buildConfig(opts);
+  if (action === 'on' || action === 'off') {
+    const rec = setObservabilityConsent(config.dataDir, action === 'on');
+    console.log(
+      rec.enabled
+        ? '✓ observability ON — the Venturewild team can see how your workspace is doing'
+        : '✓ observability OFF — no session/health feed leaves this machine.',
+    );
+    if (rec.enabled) {
+      console.log('  (events + install health only — never your chat content)');
+    }
+    console.log('  Applies the next time your workspace starts (or toggle it live in the app).');
+    return;
+  }
+  const rec = loadObservabilityConsent(config.dataDir);
+  console.log(`observability: ${rec.enabled ? 'ON' : 'OFF'}${rec.decidedAt ? '' : ' (default)'}`);
+  console.log('  what : events + install health → lets us help if something breaks (never chat content)');
+  console.log('  toggle: wild-workspace observability on | off');
+  return;
+}
+
+// `wild-workspace update [apply|on|off|channel <stable|beta>]` — Phase 2
+// auto-update (docs/remote-support-and-self-healing-design.md). With no
+// sub-command it checks the channel for a newer release; `apply` installs it now;
+// `on`/`off` toggle the default-on background updater; `channel` switches
+// stable/beta. The always-on supervisor does this automatically — this is the
+// manual lever + the off switch.
+async function runUpdateCommand(opts) {
+  const sub = opts.positional[1];
+  const gdir = globalDir();
+
+  if (sub === 'on' || sub === 'off') {
+    const rec = setUpdateEnabled(gdir, sub === 'on');
+    console.log(
+      rec.enabled
+        ? '✓ auto-update ON — wild-workspace keeps itself up to date in the background.'
+        : '✓ auto-update OFF — update manually with `wild-workspace update apply`.',
+    );
+    console.log(`  channel: ${rec.channel}`);
+    return;
+  }
+  if (sub === 'channel') {
+    const chan = opts.positional[2];
+    if (chan !== 'stable' && chan !== 'beta') {
+      console.log('usage: wild-workspace update channel stable|beta');
+      return;
+    }
+    console.log(`✓ update channel set to ${setUpdateChannel(gdir, chan).channel}.`);
+    return;
+  }
+
+  const settings = loadUpdateSettings(gdir);
+  const c = await new AutoUpdater({ globalDir: gdir }).check();
+  console.log(`wild-workspace ${c.current}  (channel: ${c.channel}, auto-update: ${settings.enabled ? 'on' : 'off'})`);
+  if (!c.latest) {
+    console.log('  could not reach the npm registry to check for updates.');
+    process.exitCode = 1;
+    return;
+  }
+  if (!c.available) {
+    console.log(`  up to date — ${c.latest} is the latest on ${c.channel}.`);
+    return;
+  }
+  console.log(`  update available: ${c.current} → ${c.latest}`);
+  if (sub !== 'apply') {
+    console.log('  run `wild-workspace update apply` to install it now.');
+    return;
+  }
+  console.log(`  installing ${c.latest}…`);
+  const res = await npmInstall(`${PACKAGE_NAME}@${c.latest}`);
+  if (res.code === 0) {
+    recordUpdate(gdir, { from: c.current, to: c.latest, at: Date.now(), status: 'installed' });
+    console.log(`  ✓ installed ${c.latest}.`);
+    console.log('  The always-on supervisor will restart into the new version shortly,');
+    console.log('  or restart `wild-workspace` yourself to use it now.');
+  } else {
+    console.log(`  ✗ install failed (code ${res.code}).`);
+    if (res.output) console.log('  ' + res.output.split('\n').filter(Boolean).slice(-3).join('\n  '));
+    process.exitCode = 1;
+  }
+}
+
+// `wild-workspace support [allow|revoke|status]` — Phase 3 consent for the
+// daemon-hosted, out-of-band support channel (reachable even when your workspace
+// is offline). OFF by default + time-boxed; the bmo-sync daemon enforces it
+// locally and revoke is instant (this writes/deletes ~/.wild-workspace/
+// support-consent.json, which the daemon re-reads). Runs as its own process so it
+// works when the server is down.
+function fmtRemaining(ms) {
+  const m = Math.round(ms / 60000);
+  if (m < 60) return `${m} min`;
+  return `${Math.floor(m / 60)}h ${m % 60}m`;
+}
+async function runSupportCommand(action = 'status', opts = {}) {
+  const gdir = globalDir();
+
+  if (action === 'allow') {
+    const tier = opts.tier || 1;
+    const minutes = opts.minutes || 60;
+    if (tier < 1 || tier > MAX_TIER) {
+      console.error(
+        `tier must be 1..${MAX_TIER} (1 = read-only diagnostics/logs, 2 = curated fixes, ` +
+          `3 = let support operate your agent, 4 = raw shell).`,
+      );
+      process.exitCode = 1;
+      return;
+    }
+    // Tiers 3–4 let support OPERATE the machine (drive the agent / run commands).
+    // Require an explicit --yes so it's never a slip of the keyboard.
+    if (tier >= OPERATE_TIER && !opts.yes) {
+      console.error(
+        `tier ${tier} lets VentureWild support ${tier >= 4 ? 'run shell commands on' : 'operate the agent on'} ` +
+          `your machine (time-boxed, audited, revocable). Re-run with --yes to confirm:\n` +
+          `  wild-workspace support allow --tier ${tier} --minutes ${minutes} --yes`,
+      );
+      process.exitCode = 1;
+      return;
+    }
+    const rec = grantConsent(gdir, { tier, minutes });
+    if (!rec) {
+      console.error(`Could not write support consent to ${gdir}.`);
+      process.exitCode = 1;
+      return;
+    }
+    const tierDesc =
+      rec.tier >= 4
+        ? 'read diagnostics/logs + curated fixes + operate your agent + run raw shell commands'
+        : rec.tier >= 3
+          ? 'read diagnostics/logs + curated fixes + operate your agent on a task'
+          : rec.tier >= 2
+            ? 'read diagnostics/logs + run curated fixes (restart sync, relink, reinstall)'
+            : 'read diagnostics + logs only';
+    console.log(`✓ VentureWild support allowed at tier ${rec.tier} for ${fmtRemaining(rec.expiresAt - rec.grantedAt)} (max ${MAX_GRANT_MINUTES / 60}h).`);
+    console.log(`  tier ${rec.tier} = ${tierDesc}.`);
+    console.log('  It auto-expires; revoke anytime with: wild-workspace support revoke');
+    return;
+  }
+  if (action === 'revoke') {
+    const removed = revokeConsent(gdir);
+    console.log(removed ? '✓ support access revoked.' : 'support access was not enabled.');
+    return;
+  }
+  if (action === 'audit') {
+    const entries = readAudit(gdir, { limit: opts.limit || 20 });
+    if (!entries.length) {
+      console.log('no support actions recorded yet.');
+      return;
+    }
+    console.log('recent support actions (newest first):');
+    for (const e of entries) {
+      const when = e.ts ? new Date(e.ts).toISOString() : '?';
+      console.log(`  ${when}  ${e.ok ? '✓' : '✗'} ${e.action} (tier ${e.tier ?? '?'})`);
+    }
+    return;
+  }
+  // status (default)
+  const s = consentStatus(gdir);
+  if (s.enabled) {
+    console.log(`support access: ON (tier ${s.tier}) — ${fmtRemaining(s.remainingMs)} remaining.`);
+    console.log('  revoke : wild-workspace support revoke');
+  } else {
+    console.log('support access: OFF (default).');
+    console.log('  allow  : wild-workspace support allow --tier 1 --minutes 60');
+  }
+  console.log(`  file   : ${s.file}`);
+}
+
+// `wild-workspace operator [enable|disable|status]` — the consented support
+// channel (docs/SECURITY.md). OFF by default; `enable` mints a token to hand to
+// the wild-workspace team so they can diagnose + run a fixed set of safe fixes.
+async function runOperatorCommand(action = 'status', opts = {}) {
+  const config = buildConfig(opts);
+  if (action === 'enable') {
+    const token = enableOperator(config.dataDir, { rotate: opts.rotate });
+    if (!token) {
+      console.error(`Could not enable operator channel (couldn't write to ${config.dataDir}).`);
+      process.exitCode = 1;
+      return;
+    }
+    const slug = config.account?.slug;
+    console.log('✓ operator channel enabled (consented support access).');
+    console.log(`  token : ${token}`);
+    console.log('  Share this token with the wild-workspace team so they can help with your install.');
+    if (slug) console.log(`  reach : https://${slug}.venturewild.llc/api/operator/diag  (Authorization: Bearer <token>)`);
+    console.log('  off   : wild-workspace operator disable');
+    console.log('');
+    console.log('  Scope: read diagnostics + a fixed set of safe fixes (restart sync, re-detect');
+    console.log('  Claude, re-link your account, reinstall the sync daemon). It cannot run');
+    console.log('  arbitrary commands or drive your agent, and every action is logged.');
+    return;
+  }
+  if (action === 'disable') {
+    const removed = disableOperator(config.dataDir);
+    console.log(removed ? '✓ operator channel disabled (token revoked).' : 'operator channel was not enabled.');
+    return;
+  }
+  if (action === 'status') {
+    const s = operatorStatus(config.dataDir);
+    console.log(`operator channel: ${s.enabled ? 'ENABLED' : 'disabled'}`);
+    console.log(`  token file: ${s.file}`);
+    console.log(s.enabled ? '  disable   : wild-workspace operator disable' : '  enable    : wild-workspace operator enable');
+    return;
+  }
+  console.log(`unknown operator action: ${action}  (use enable | disable | status)`);
+}
+
+// `wild-workspace service [install|uninstall|status|run]` — the always-on
+// autostart (docs/always-on-design.md). `run` is the HIDDEN supervisor entry
+// the per-OS launcher invokes at login; the others manage registration. All
+// per-user, no admin.
+// First-run browser orchestration lives in a shebang-free module so it's
+// importable + unit-testable (server/test/owner-browser.test.mjs).
+
+async function runServiceCommand(action = 'status', opts = {}) {
+  const config = buildConfig(opts);
+
+  if (action === 'install') {
+    const r = await installService({
+      node: process.execPath, cli: __filename, workspaceDir: config.workspaceDir, port: config.port, version: APP_VERSION,
+    });
+    if (!r.installed) {
+      console.log(`service install: ${r.message || 'not supported on this platform'}`);
+      process.exitCode = 1;
+      return;
+    }
+    console.log('✓ always-on enabled — your workspace starts automatically at login.');
+    console.log(`  mechanism : ${r.mechanism} (per-user, no admin)`);
+    console.log(`  launcher  : ${r.launcher || r.vbs}`);
+    console.log(`  workspace : ${config.workspaceDir}`);
+    if (r.note) console.log(`  note      : ${r.note}`);
+    console.log('  disable   : wild-workspace service uninstall');
+    return;
+  }
+
+  if (action === 'uninstall') {
+    const r = await uninstallService();
+    if (r.supported === false) { console.log(`service: nothing to do — autostart not implemented for ${r.platform} yet`); return; }
+    console.log(`✓ always-on disabled${r.removedKey ? '' : ' (no autostart entry was set)'}${r.stoppedPid ? ` — stopped supervisor pid ${r.stoppedPid}` : ''}.`);
+    return;
+  }
+
+  if (action === 'status') {
+    const s = await serviceStatus({ port: config.port }, { probeImpl: (p) => probeHealth(p) });
+    if (s.supported === false) { console.log(`always-on: autostart not implemented for ${s.platform} yet (run \`wild-workspace\` manually)`); return; }
+    console.log(`always-on   : ${s.installed ? 'installed' : 'NOT installed'}`);
+    if (s.runValue) console.log(`  run entry : ${s.runValue}`);
+    console.log(`  supervisor: ${s.supervisorAlive ? `running (pid ${s.supervisorPid})` : 'not running'}`);
+    console.log(`  server    : ${s.serverUp ? `up on http://127.0.0.1:${config.port}` : 'down'}`);
+    return;
+  }
+
+  if (action === 'run') {
+    // Hidden entrypoint launched by the autostart VBS at login. The OS gives us
+    // an arbitrary cwd, so read the workspace dir persisted at install time.
+    let svc = {};
+    try { svc = JSON.parse(readFileSync(path.join(globalDir(), 'service.json'), 'utf8')); } catch { /* fall back to config */ }
+    const sup = new WorkspaceSupervisor({
+      workspaceDir: svc.workspaceDir || config.workspaceDir,
+      port: svc.port || config.port,
+    });
+    const r = sup.start();
+    if (!r.started) process.exit(0); // another supervisor already owns the lock
+    // else: the supervision interval keeps this process alive.
+    return;
+  }
+
+  console.log(`unknown service action: ${action}  (use install | uninstall | status | run)`);
+}
+
+async function main() {
+  // First-run capture: log every invocation BEFORE doing anything, so even a
+  // crash-on-start leaves a trace we (or `wild-workspace doctor`) can read.
+  appendLine('cli', `invoke argv=[${process.argv.slice(2).join(' ')}] cwd=${process.cwd()} node=${process.version} v${APP_VERSION}`);
+  const opts = parseArgs(process.argv.slice(2));
+  if (opts.help) return printUsage();
+  if (opts.version) { console.log(APP_VERSION); return; }
+
+  if (opts.positional[0] === 'daemon') {
+    return runDaemonCommand(opts.positional[1], opts.positional.slice(2));
+  }
+
+  if (opts.positional[0] === 'login') {
+    return runLoginCommand(opts.positional.slice(1));
+  }
+  if (opts.positional[0] === 'logout') {
+    return runLogoutCommand();
+  }
+  if (opts.positional[0] === 'reset') {
+    return runResetCommand(opts);
+  }
+  if (opts.positional[0] === 'whoami') {
+    return runWhoamiCommand();
+  }
+  if (opts.positional[0] === 'rotate-token') {
+    return runRotateTokenCommand();
+  }
+  if (opts.positional[0] === 'workspace') {
+    return runWorkspaceCommand(opts.positional[1], opts);
+  }
+  if (opts.positional[0] === 'doctor') {
+    return runDoctorCommand(opts);
+  }
+  if (opts.positional[0] === 'logs') {
+    return runLogsCommand(opts);
+  }
+  if (opts.positional[0] === 'update') {
+    return runUpdateCommand(opts);
+  }
+  if (opts.positional[0] === 'support') {
+    return runSupportCommand(opts.positional[1], opts);
+  }
+  if (opts.positional[0] === 'operator') {
+    return runOperatorCommand(opts.positional[1], opts);
+  }
+  if (opts.positional[0] === 'observability') {
+    return runObservabilityCommand(opts.positional[1], opts);
+  }
+  if (opts.positional[0] === 'ops') {
+    return runOpsCommand(opts);
+  }
+  if (opts.positional[0] === 'service') {
+    return runServiceCommand(opts.positional[1], opts);
+  }
+
+  if (opts.positional[0] === 'install') {
+    console.log('wild-workspace manages the bmo-sync sync daemon for you.');
+    console.log('');
+    console.log('It starts automatically in the background whenever you run');
+    console.log('`wild-workspace`, and keeps running after you close the browser —');
+    console.log('so there is no separate install step.');
+    console.log('');
+    console.log('  wild-workspace daemon status   check whether it is running');
+    console.log('  wild-workspace daemon stop     stop it');
+    return;
+  }
+  if (opts.positional[0] === 'share') {
+    console.log('Use the in-app Share button to issue viewer URLs. CLI share command is v1.x.');
+    return;
+  }
+
+  // If a workspace server is already serving this port — always-on started it at
+  // login, or another `wild-workspace` is running — don't fight it for the socket
+  // (createServer would reject on EADDRINUSE and crash). Just open the browser to
+  // the one already up. This is the common case now that always-on is real.
+  {
+    const probeCfg = buildConfig(opts);
+    if (await probeHealth(probeCfg.port)) {
+      const host = probeCfg.host === '0.0.0.0' ? '127.0.0.1' : probeCfg.host;
+      const displayUrl = `http://${host}:${probeCfg.port}`; // shown without the token
+      console.log(`\n  wild-workspace is already running at ${displayUrl}`);
+      if (probeCfg.openBrowser) {
+        console.log('  opening it in your browser…');
+        await openOwnerBrowser(probeCfg);
+      }
+      return;
+    }
+  }
+
+  const server = await createServer(opts);
+  const { config } = server;
+  console.log(`\n  wild-workspace v${APP_VERSION}`);
+  console.log(`  workspace : ${config.workspaceDir}`);
+  console.log(`  url       : http://${config.host}:${config.port}`);
+  console.log(`  agent     : ${server.getActiveAgent()?.label || '(none detected — install Claude Code: npm i -g @anthropic-ai/claude-code)'}`);
+
+  // Report how the sync daemon's autostart went (best-effort — never fatal).
+  try {
+    const d = await server.daemonReady;
+    if (d.alreadyRunning) console.log('  sync      : bmo-sync daemon already running');
+    else if (d.started) console.log(`  sync      : bmo-sync daemon started (pid ${d.pid})`);
+    else if (d.skipped) console.log('  sync      : daemon autostart disabled');
+    else if (d.error === 'daemon-binary-not-found')
+      console.log('  sync      : daemon binary not installed — sync is off (see `wild-workspace daemon`)');
+    else if (d.error) console.log(`  sync      : daemon did not start — ${d.error}`);
+  } catch {}
+  console.log('');
+
+  if (config.publicMode) {
+    // Public mode denies anon — tell the owner how to reach it authenticated.
+    console.log(`  mode      : PUBLIC — opening with a one-time sign-in token`);
+  }
+  if (config.openBrowser) {
+    await openOwnerBrowser(config);
+  }
+
+  // Hard safety net: even if stop() ever wedges, never leave the user staring at
+  // "shutting down…". Unref'd so the timer itself doesn't keep us alive.
+  const forceExitSoon = () => { setTimeout(() => process.exit(0), 3000).unref(); };
+  process.on('SIGINT', async () => {
+    console.log('\nshutting down…');
+    forceExitSoon();
+    try { await server.stop(); } catch {}
+    process.exit(0);
+  });
+  process.on('SIGTERM', async () => { forceExitSoon(); try { await server.stop(); } catch {} process.exit(0); });
+}
+
+main().catch((err) => {
+  appendLine('cli', `FATAL ${err?.stack || err}`);
+  console.error('wild-workspace failed:', err);
+  process.exit(1);
+});