appostle-installer 0.0.13 → 0.0.15

package/dist/appostle.js

@@ -16,10 +16,10 @@ __export(rightfont_service_exports, {
   isRightFontLibrary: () => isRightFontLibrary,
   readRightFontLibrary: () => readRightFontLibrary
 });
-import { existsSync as existsSync10, readdirSync, readFileSync as readFileSync6 } from "node:fs";
+import { existsSync as existsSync11, readdirSync, readFileSync as readFileSync6 } from "node:fs";
 import { join as join12 } from "node:path";
 function isRightFontLibrary(libraryPath) {
-  return libraryPath.endsWith(".rightfontlibrary") && existsSync10(join12(libraryPath, "fonts")) && existsSync10(join12(libraryPath, "metadata"));
+  return libraryPath.endsWith(".rightfontlibrary") && existsSync11(join12(libraryPath, "fonts")) && existsSync11(join12(libraryPath, "metadata"));
 }
 function readRightFontLibrary(libraryPath) {
   if (!isRightFontLibrary(libraryPath)) {
@@ -30,7 +30,7 @@ function readRightFontLibrary(libraryPath) {
   const metadataListsDir = join12(libraryPath, "metadata", "fontlists");
   const familyMap = /* @__PURE__ */ new Map();
   let totalFonts = 0;
-  if (existsSync10(metadataFontsDir)) {
+  if (existsSync11(metadataFontsDir)) {
     const files = readdirSync(metadataFontsDir).filter((f) => f.endsWith(".rightfontmetadata"));
     for (const file of files) {
       try {
@@ -70,7 +70,7 @@ function readRightFontLibrary(libraryPath) {
     fam.fonts.sort((a, b) => a.weight - b.weight || a.style.localeCompare(b.style));
   }
   const collections = [];
-  if (existsSync10(metadataListsDir)) {
+  if (existsSync11(metadataListsDir)) {
     const files = readdirSync(metadataListsDir).filter((f) => f.endsWith(".rightfontmetadata"));
     for (const file of files) {
       try {
@@ -255,7 +255,7 @@ import { createRequire as createRequire5 } from "node:module";
 import { Command as Command2 } from "commander";
 
 // ../cli/src/utils/client.ts
-import { existsSync as existsSync11, readFileSync as readFileSync7 } from "node:fs";
+import { existsSync as existsSync12, readFileSync as readFileSync7 } from "node:fs";
 
 // ../server/src/server/bootstrap.ts
 import express from "express";
@@ -700,18 +700,18 @@ function resolveNodePtyPackageRoot() {
     return null;
   }
 }
-function ensureExecutableBit(path28) {
-  if (!existsSync2(path28)) {
+function ensureExecutableBit(path29) {
+  if (!existsSync2(path29)) {
     return;
   }
-  const stat5 = statSync(path28);
+  const stat5 = statSync(path29);
   if (!stat5.isFile()) {
     return;
   }
   if ((stat5.mode & 73) === 73) {
     return;
   }
-  chmodSync(path28, stat5.mode | 73);
+  chmodSync(path29, stat5.mode | 73);
 }
 function ensureNodePtySpawnHelperExecutableForCurrentPlatform(options = {}) {
   const platform2 = options.platform ?? process.platform;
@@ -793,11 +793,11 @@ function parseGitRevParsePath(stdout) {
   if (lines.length !== 1) {
     return null;
   }
-  const path28 = lines[0]?.trim() ?? "";
-  if (!path28 || path28.startsWith("--")) {
+  const path29 = lines[0]?.trim() ?? "";
+  if (!path29 || path29.startsWith("--")) {
     return null;
   }
-  return path28;
+  return path29;
 }
 function resolveGitRevParsePath(cwd, stdout) {
   const parsed = parseGitRevParsePath(stdout);
@@ -1570,9 +1570,9 @@ async function deleteAppostleWorktree({
     }
   }
 }
-async function pathExists(path28) {
+async function pathExists(path29) {
   try {
-    await stat(path28);
+    await stat(path29);
     return true;
   } catch (error) {
     if (error.code === "ENOENT") {
@@ -1581,8 +1581,8 @@ async function pathExists(path28) {
     throw error;
   }
 }
-async function removeDirectoryWithRetries(path28) {
-  if (!await pathExists(path28)) {
+async function removeDirectoryWithRetries(path29) {
+  if (!await pathExists(path29)) {
     return;
   }
   const delaysMs = [0, 100, 300, 700, 1500];
@@ -1592,17 +1592,17 @@ async function removeDirectoryWithRetries(path28) {
       await new Promise((resolve12) => setTimeout(resolve12, delay));
     }
     try {
-      await rm(path28, { recursive: true, force: true });
-      if (!await pathExists(path28)) {
+      await rm(path29, { recursive: true, force: true });
+      if (!await pathExists(path29)) {
         return;
       }
-      lastError = new Error(`Directory still present after rm: ${path28}`);
+      lastError = new Error(`Directory still present after rm: ${path29}`);
     } catch (error) {
       lastError = error;
     }
   }
-  if (await pathExists(path28)) {
-    throw lastError instanceof Error ? lastError : new Error(`Failed to remove worktree directory: ${path28}`);
+  if (await pathExists(path29)) {
+    throw lastError instanceof Error ? lastError : new Error(`Failed to remove worktree directory: ${path29}`);
   }
 }
 var createWorktree = async ({
@@ -1832,7 +1832,13 @@ function extractTimestamps(record) {
     // Fork lineage — preserved across resume so the in-memory ManagedAgent
     // can flow `parentAgentId` into snapshots that drive the tab Split icon.
     ...record.parentAgentId ? { parentAgentId: record.parentAgentId } : {},
-    ...record.forkedFromMessageUuid ? { forkedFromMessageUuid: record.forkedFromMessageUuid } : {}
+    ...record.forkedFromMessageUuid ? { forkedFromMessageUuid: record.forkedFromMessageUuid } : {},
+    // Multi-tenant ownership — closes the daemon-restart gap. Old records
+    // lack these fields → ownerUserId stays undefined (→ null in
+    // registerSession), agent rehydrates as unscoped.
+    ownerUserId: record.ownerUserId ?? null,
+    sharedWithUserIds: record.sharedWithUserIds ?? [],
+    ownerUsername: record.ownerUsername ?? null
   };
 }
 function hasRegisteredProvider(registeredProviders, value) {
@@ -1916,6 +1922,11 @@ function toAgentPayload(agent, options) {
     title: options?.title ?? null,
     labels: agent.labels,
     internal: agent.internal,
+    // Surface ownership so the client can render an owner badge / detect
+    // "shared with me" agents. `sharedWithUserIds` deliberately stays off
+    // the snapshot — only owners read the full ACL, via the dedicated
+    // `list_agent_shared_users_request` RPC.
+    ownerUserId: agent.ownerUserId,
     // Fork lineage — the client's tab descriptor uses `parentAgentId` to
     // mark the agent as a fork (Split glyph). Carry it from the live
     // ManagedAgent so the marker doesn't disappear once the agent is
@@ -3982,7 +3993,19 @@ var AgentSnapshotPayloadSchema = z11.object({
    * lists at display time. The agent itself is a real, full-featured session
    * in every other respect; `internal` is a UI visibility hint, nothing more.
    */
-  internal: z11.boolean().optional()
+  internal: z11.boolean().optional(),
+  /**
+   * Multi-tenant ownership (Phase 2c/4). Surfaces the auth-server user-id
+   * of the agent's creator so the app can render an owner badge and
+   * detect "shared with me" state (owner !== current user). Optional/
+   * nullable for legacy agents created before per-agent ownership
+   * existed — those render without a badge.
+   *
+   * NOTE: `sharedWithUserIds` is intentionally NOT exposed here. Only the
+   * owner can enumerate the full ACL, via `list_agent_shared_users_request`.
+   * The snapshot stays cheap and recipient-safe.
+   */
+  ownerUserId: z11.string().nullable().optional()
 });
 var VoiceAudioChunkMessageSchema = z11.object({
   type: z11.literal("voice_audio_chunk"),
@@ -5105,6 +5128,50 @@ var LinkAccountResponseMessageSchema = z11.object({
     })
   ])
 });
+var ClaudeProfileLoginRequestMessageSchema = z11.object({
+  type: z11.literal("claude_profile_login_request"),
+  requestId: z11.string(),
+  /** Username for the profile dir (~/.claude-{username}/). */
+  username: z11.string().min(1)
+});
+var ClaudeProfileLoginUrlMessageSchema = z11.object({
+  type: z11.literal("claude_profile_login_url"),
+  requestId: z11.string(),
+  url: z11.string().min(1)
+});
+var ClaudeProfileLoginCallbackMessageSchema = z11.object({
+  type: z11.literal("claude_profile_login_callback"),
+  requestId: z11.string(),
+  callbackToken: z11.string().min(1)
+});
+var ClaudeProfileLoginResultMessageSchema = z11.object({
+  type: z11.literal("claude_profile_login_result"),
+  requestId: z11.string(),
+  ok: z11.boolean(),
+  error: z11.string().optional()
+});
+var ClaudeProfileRemoveRequestMessageSchema = z11.object({
+  type: z11.literal("claude_profile_remove_request"),
+  requestId: z11.string(),
+  username: z11.string().min(1)
+});
+var ClaudeProfileRemoveResponseMessageSchema = z11.object({
+  type: z11.literal("claude_profile_remove_response"),
+  requestId: z11.string(),
+  ok: z11.boolean(),
+  error: z11.string().optional()
+});
+var ClaudeProfileStatusRequestMessageSchema = z11.object({
+  type: z11.literal("claude_profile_status_request"),
+  requestId: z11.string(),
+  username: z11.string().min(1)
+});
+var ClaudeProfileStatusResponseMessageSchema = z11.object({
+  type: z11.literal("claude_profile_status_response"),
+  requestId: z11.string(),
+  hasProfile: z11.boolean(),
+  isAuthenticated: z11.boolean()
+});
 var ListSessionUploadsRequestSchema = z11.object({
   type: z11.literal("list_session_uploads_request"),
   requestId: z11.string(),
@@ -5147,6 +5214,74 @@ var DeleteSessionUploadResponseSchema = z11.object({
     })
   ])
 });
+var ShareAgentWithUserRequestSchema = z11.object({
+  type: z11.literal("share_agent_with_user_request"),
+  requestId: z11.string(),
+  /** Accepts full ID, unique prefix, or exact full title (server resolves). */
+  agentId: z11.string(),
+  /** Auth-server user-id of the recipient. */
+  userId: z11.string()
+});
+var ShareAgentWithUserResponseSchema = z11.object({
+  type: z11.literal("share_agent_with_user_response"),
+  payload: z11.discriminatedUnion("ok", [
+    z11.object({
+      requestId: z11.string(),
+      ok: z11.literal(true),
+      /** Updated ACL after the share applied (owner is not included). */
+      sharedWithUserIds: z11.array(z11.string())
+    }),
+    z11.object({
+      requestId: z11.string(),
+      ok: z11.literal(false),
+      error: z11.string()
+    })
+  ])
+});
+var UnshareAgentWithUserRequestSchema = z11.object({
+  type: z11.literal("unshare_agent_with_user_request"),
+  requestId: z11.string(),
+  agentId: z11.string(),
+  userId: z11.string()
+});
+var UnshareAgentWithUserResponseSchema = z11.object({
+  type: z11.literal("unshare_agent_with_user_response"),
+  payload: z11.discriminatedUnion("ok", [
+    z11.object({
+      requestId: z11.string(),
+      ok: z11.literal(true),
+      sharedWithUserIds: z11.array(z11.string())
+    }),
+    z11.object({
+      requestId: z11.string(),
+      ok: z11.literal(false),
+      error: z11.string()
+    })
+  ])
+});
+var ListAgentSharedUsersRequestSchema = z11.object({
+  type: z11.literal("list_agent_shared_users_request"),
+  requestId: z11.string(),
+  agentId: z11.string()
+});
+var ListAgentSharedUsersResponseSchema = z11.object({
+  type: z11.literal("list_agent_shared_users_response"),
+  payload: z11.discriminatedUnion("ok", [
+    z11.object({
+      requestId: z11.string(),
+      ok: z11.literal(true),
+      /** Auth-server user-id of the owner (always present when ok). */
+      ownerUserId: z11.string().nullable(),
+      /** Auth-server user-ids that the owner has granted access to. */
+      sharedWithUserIds: z11.array(z11.string())
+    }),
+    z11.object({
+      requestId: z11.string(),
+      ok: z11.literal(false),
+      error: z11.string()
+    })
+  ])
+});
 var SessionImageSchema = z11.object({
   id: z11.string(),
   fileName: z11.string(),
@@ -5235,6 +5370,10 @@ var SessionInboundMessageSchema = z11.discriminatedUnion("type", [
   AbortRequestMessageSchema,
   AudioPlayedMessageSchema,
   LinkAccountRequestMessageSchema,
+  ClaudeProfileLoginRequestMessageSchema,
+  ClaudeProfileLoginCallbackMessageSchema,
+  ClaudeProfileStatusRequestMessageSchema,
+  ClaudeProfileRemoveRequestMessageSchema,
   FetchAgentsRequestMessageSchema,
   FetchWorkspacesRequestMessageSchema,
   FetchAgentRequestMessageSchema,
@@ -5385,6 +5524,9 @@ var SessionInboundMessageSchema = z11.discriminatedUnion("type", [
   DeleteSessionUploadRequestSchema,
   ListSessionImagesRequestSchema,
   DeleteSessionImageRequestSchema,
+  ShareAgentWithUserRequestSchema,
+  UnshareAgentWithUserRequestSchema,
+  ListAgentSharedUsersRequestSchema,
   FetchAttachmentBytesRequestSchema
 ]);
 var ActivityLogPayloadSchema = z11.object({
@@ -6960,10 +7102,17 @@ var SessionOutboundMessageSchema = z11.discriminatedUnion("type", [
   GoogleFontsDownloadResponseSchema,
   GetVapidPublicKeyResponseSchema,
   LinkAccountResponseMessageSchema,
+  ClaudeProfileLoginUrlMessageSchema,
+  ClaudeProfileLoginResultMessageSchema,
+  ClaudeProfileStatusResponseMessageSchema,
+  ClaudeProfileRemoveResponseMessageSchema,
   ListSessionUploadsResponseSchema,
   DeleteSessionUploadResponseSchema,
   ListSessionImagesResponseSchema,
   DeleteSessionImageResponseSchema,
+  ShareAgentWithUserResponseSchema,
+  UnshareAgentWithUserResponseSchema,
+  ListAgentSharedUsersResponseSchema,
   FetchAttachmentBytesResponseSchema
 ]);
 var WSPingMessageSchema = z11.object({
@@ -6981,7 +7130,11 @@ var WSHelloMessageSchema = z11.object({
   capabilities: z11.object({
     voice: z11.boolean().optional(),
     pushNotifications: z11.boolean().optional()
-  }).passthrough().optional()
+  }).passthrough().optional(),
+  /** Auth-server userId of the connecting user. Used for per-user Claude profile selection. */
+  userId: z11.string().optional(),
+  /** Display name of the connecting user (for profile dir naming). */
+  username: z11.string().optional()
 });
 var WSRecordingStateMessageSchema = z11.object({
   type: z11.literal("recording_state"),
@@ -7153,7 +7306,7 @@ import { exec } from "node:child_process";
 import { promisify as promisify3 } from "util";
 import { join as join14, resolve as resolve9, sep as sep2 } from "path";
 import { homedir as homedir5, hostname as osHostname } from "node:os";
-import { z as z36 } from "zod";
+import { z as z38 } from "zod";
 
 // ../server/src/server/persisted-config.ts
 import { existsSync as existsSync4, mkdirSync as mkdirSync4, readFileSync as readFileSync3, writeFileSync as writeFileSync2 } from "node:fs";
@@ -7667,7 +7820,9 @@ function ensurePrng() {
   const cryptoObj = globalThis.crypto;
   if (cryptoObj?.getRandomValues) {
     nacl.setPRNG((x, n) => {
-      cryptoObj.getRandomValues(x.subarray(0, n));
+      const buf = new Uint8Array(n);
+      cryptoObj.getRandomValues(buf);
+      x.set(buf, 0);
     });
     prngReady = true;
     return;
@@ -7778,8 +7933,8 @@ function base64ToArrayBuffer(base64) {
 // ../relay/dist/encrypted-channel.js
 var HANDSHAKE_RETRY_MS = 1e3;
 var MAX_PENDING_SENDS = 200;
-async function createClientChannel(transport, daemonPublicKeyB64, events = {}) {
-  const keyPair = generateKeyPair();
+async function createClientChannel(transport, daemonPublicKeyB64, events = {}, staticKeyPair) {
+  const keyPair = staticKeyPair ?? generateKeyPair();
   const daemonPublicKey = importPublicKey(daemonPublicKeyB64);
   const sharedKey = deriveSharedKey(keyPair.secretKey, daemonPublicKey);
   const channel = new EncryptedChannel(transport, sharedKey, events);
@@ -7951,6 +8106,16 @@ var EncryptedChannel = class {
   isOpen() {
     return this.state === "open";
   }
+  /**
+   * Peer's X25519 public key (base64) captured during the daemon-side
+   * handshake. Returns `null` on the client side or when the channel was
+   * built without this metadata (legacy code paths). Used by the daemon's
+   * WS-server to resolve the connecting device → owning user.
+   */
+  getPeerPublicKeyB64() {
+    const v = this.options.peerPublicKeyB64;
+    return v && v.length > 0 ? v : null;
+  }
   onTransitionToOpen(cb) {
     this.onOpenCallbacks.push(cb);
   }
@@ -9410,14 +9575,14 @@ var DictationStreamManager = class {
       PCM_CHANNELS,
       PCM_BITS_PER_SAMPLE
     );
-    const path28 = await maybePersistDictationDebugAudio(
+    const path29 = await maybePersistDictationDebugAudio(
       wavBuffer,
       { sessionId: state.sessionId, dictationId: state.dictationId, format: "audio/wav" },
       this.logger,
       state.debugChunkWriter?.folder
     );
-    state.debugRecordingPath = path28;
-    return path28;
+    state.debugRecordingPath = path29;
+    return path29;
   }
   failDictationStream(dictationId, error, retryable) {
     this.emit({
@@ -9893,7 +10058,14 @@ async function ensureAgentLoaded(agentId, deps) {
       if (!config) {
         throw new Error(`Agent ${agentId} references unavailable provider '${record.provider}'`);
       }
-      snapshot = await deps.agentManager.createAgent(config, agentId, { labels: record.labels });
+      snapshot = await deps.agentManager.createAgent(config, agentId, {
+        labels: record.labels,
+        // Preserve multi-tenant ownership across the no-handle rehydrate
+        // path (records that never landed a persistence handle, e.g. very
+        // early agents). Without this, agents would silently drop their
+        // owner whenever they took this branch through `ensureAgentLoaded`.
+        ownerUserId: record.ownerUserId ?? null
+      });
       deps.logger.info({ agentId, provider: record.provider }, "Agent created from stored config");
     }
     await deps.agentManager.hydrateTimelineFromProvider(agentId);
@@ -11208,14 +11380,14 @@ function parseDiff(diffText) {
     const firstLine = lines[0];
     const isNew = section.includes("new file mode") || section.includes("--- /dev/null");
     const isDeleted = section.includes("deleted file mode") || section.includes("+++ /dev/null");
-    let path28 = "unknown";
+    let path29 = "unknown";
     const pathMatch = firstLine.match(/a\/(.*?) b\//);
     if (pathMatch) {
-      path28 = pathMatch[1];
+      path29 = pathMatch[1];
     } else {
       const newFileMatch = firstLine.match(/b\/(.+)$/);
       if (newFileMatch) {
-        path28 = newFileMatch[1];
+        path29 = newFileMatch[1];
       }
     }
     const hunks = [];
@@ -11259,7 +11431,7 @@ function parseDiff(diffText) {
     if (currentHunk) {
       hunks.push(currentHunk);
     }
-    files.push({ path: path28, isNew, isDeleted, additions, deletions, hunks });
+    files.push({ path: path29, isNew, isDeleted, additions, deletions, hunks });
   }
   return files;
 }
@@ -11315,9 +11487,9 @@ function buildTokenLookup(lineMap, highlighted) {
   }
   return lookup2;
 }
-function buildFullFileTokenLookup(fileContent, path28) {
+function buildFullFileTokenLookup(fileContent, path29) {
   const lookup2 = /* @__PURE__ */ new Map();
-  const highlighted = highlightCode(fileContent, path28);
+  const highlighted = highlightCode(fileContent, path29);
   for (let i = 0; i < highlighted.length; i++) {
     lookup2.set(i + 1, highlighted[i]);
   }
@@ -13018,11 +13190,11 @@ async function listCheckoutFileChanges(cwd, ref, ignoreWhitespace = false) {
       }
       continue;
     }
-    const path28 = tabParts[1];
-    if (!path28) continue;
+    const path29 = tabParts[1];
+    if (!path29) continue;
     const code = rawStatus[0];
     changes.push({
-      path: path28,
+      path: path29,
       status: rawStatus,
       isNew: code === "A",
       isDeleted: code === "D"
@@ -13057,9 +13229,9 @@ async function listCheckoutFileChanges(cwd, ref, ignoreWhitespace = false) {
   }
   return Array.from(byPath.values());
 }
-async function readGitFileContentAtRef(cwd, ref, path28) {
+async function readGitFileContentAtRef(cwd, ref, path29) {
   try {
-    const { stdout } = await runGitCommand(["show", `${ref}:${path28}`], {
+    const { stdout } = await runGitCommand(["show", `${ref}:${path29}`], {
       cwd,
       env: READ_ONLY_GIT_ENV2
     });
@@ -13120,21 +13292,21 @@ async function getTrackedNumstatByPath(cwd, ref, ignoreWhitespace = false) {
     const additionsField = parts[0] ?? "";
     const deletionsField = parts[1] ?? "";
     const rawPath = parts.slice(2).join("	");
-    const path28 = normalizeNumstatPath(rawPath);
-    if (!path28) {
+    const path29 = normalizeNumstatPath(rawPath);
+    if (!path29) {
       continue;
     }
     if (additionsField === "-" || deletionsField === "-") {
-      stats.set(path28, { additions: 0, deletions: 0, isBinary: true });
+      stats.set(path29, { additions: 0, deletions: 0, isBinary: true });
       continue;
     }
     const additions = Number.parseInt(additionsField, 10);
     const deletions = Number.parseInt(deletionsField, 10);
     if (Number.isNaN(additions) || Number.isNaN(deletions)) {
-      stats.set(path28, null);
+      stats.set(path29, null);
       continue;
     }
-    stats.set(path28, { additions, deletions, isBinary: false });
+    stats.set(path29, { additions, deletions, isBinary: false });
   }
   return stats;
 }
@@ -13719,10 +13891,10 @@ async function listUncommittedFiles(cwd) {
         if (dest) results.push({ path: dest, changeType: code });
         continue;
       }
-      const path28 = parts[1];
-      if (!path28) continue;
+      const path29 = parts[1];
+      if (!path29) continue;
       if (code === "A" || code === "M" || code === "D") {
-        results.push({ path: path28, changeType: code });
+        results.push({ path: path29, changeType: code });
       }
     }
   } catch {
@@ -17465,12 +17637,12 @@ function extractPlanNameFromFrontmatter(content) {
   return null;
 }
 function resolvePlanFilename(options) {
-  const { originalPath, newSlug, existsSync: existsSync15 } = options;
+  const { originalPath, newSlug, existsSync: existsSync16 } = options;
   const dir = path8.dirname(originalPath);
   const base = `${newSlug}.md`;
   let candidate = path8.join(dir, base);
   let counter = 2;
-  while (candidate !== originalPath && existsSync15(candidate)) {
+  while (candidate !== originalPath && existsSync16(candidate)) {
     candidate = path8.join(dir, `${newSlug}-${counter}.md`);
     counter += 1;
   }
@@ -21707,14 +21879,14 @@ function codexApplyPatchToUnifiedDiff(text) {
   for (const line of lines) {
     const directive = parseCodexApplyPatchDirective(line);
     if (directive) {
-      const path28 = normalizeDiffHeaderPath(directive.path);
-      if (path28.length > 0) {
+      const path29 = normalizeDiffHeaderPath(directive.path);
+      if (path29.length > 0) {
         if (output.length > 0 && output[output.length - 1] !== "") {
           output.push("");
         }
-        const left = directive.kind === "add" ? "/dev/null" : `a/${path28}`;
-        const right = directive.kind === "delete" ? "/dev/null" : `b/${path28}`;
-        output.push(`diff --git a/${path28} b/${path28}`);
+        const left = directive.kind === "add" ? "/dev/null" : `a/${path29}`;
+        const right = directive.kind === "delete" ? "/dev/null" : `b/${path29}`;
+        output.push(`diff --git a/${path29} b/${path29}`);
         output.push(`--- ${left}`);
         output.push(`+++ ${right}`);
         sawDiffContent = true;
@@ -21784,9 +21956,9 @@ function asEditTextFields(text) {
 function normalizeRolloutEditInput(input) {
   if (typeof input === "string") {
     const textFields2 = asEditTextFields(input);
-    const path28 = extractPatchPrimaryFilePath(input);
+    const path29 = extractPatchPrimaryFilePath(input);
     return {
-      ...path28 ? { path: path28 } : {},
+      ...path29 ? { path: path29 } : {},
       ...textFields2.unifiedDiff ? { patch: textFields2.unifiedDiff } : {},
       ...textFields2.newString ? { content: textFields2.newString } : {}
     };
@@ -21934,12 +22106,12 @@ function parseFileChangeDiff(entry) {
   ]);
 }
 function toFileChangeEntry(entry, options, fallbackPath) {
-  const path28 = parseFileChangePath(entry, options, fallbackPath);
-  if (!path28) {
+  const path29 = parseFileChangePath(entry, options, fallbackPath);
+  if (!path29) {
     return null;
   }
   return {
-    path: path28,
+    path: path29,
     kind: parseFileChangeKind(entry),
     diff: parseFileChangeDiff(entry)
   };
@@ -21961,12 +22133,12 @@ function parseFileChangeEntries(changes, options) {
   if (singleEntry) {
     return [singleEntry];
   }
-  return Object.entries(changes).map(([path28, value]) => {
+  return Object.entries(changes).map(([path29, value]) => {
     if (isRecord2(value)) {
-      return toFileChangeEntry(value, options, path28);
+      return toFileChangeEntry(value, options, path29);
     }
     if (typeof value === "string") {
-      const normalizedPath = normalizeCodexFilePath(path28.trim(), options?.cwd);
+      const normalizedPath = normalizeCodexFilePath(path29.trim(), options?.cwd);
       if (!normalizedPath) {
         return null;
       }
@@ -22711,16 +22883,16 @@ function isObjectSchemaNode(schema) {
   const type = schema.type;
   return isSchemaRecord(schema.properties) || type === "object" || Array.isArray(type) && type.includes("object");
 }
-function normalizeCodexOutputSchemaNode(schema, path28) {
+function normalizeCodexOutputSchemaNode(schema, path29) {
   if (Array.isArray(schema)) {
-    return schema.map((entry, index) => normalizeCodexOutputSchemaNode(entry, `${path28}[${index}]`));
+    return schema.map((entry, index) => normalizeCodexOutputSchemaNode(entry, `${path29}[${index}]`));
   }
   if (!isSchemaRecord(schema)) {
     return schema;
   }
   const normalized = {};
   for (const [key, value] of Object.entries(schema)) {
-    normalized[key] = normalizeCodexOutputSchemaNode(value, `${path28}.${key}`);
+    normalized[key] = normalizeCodexOutputSchemaNode(value, `${path29}.${key}`);
   }
   if (!isObjectSchemaNode(normalized)) {
     return normalized;
@@ -22729,7 +22901,7 @@ function normalizeCodexOutputSchemaNode(schema, path28) {
     normalized.additionalProperties = false;
   } else if (normalized.additionalProperties !== false) {
     throw new Error(
-      `Codex structured outputs require ${path28} to set additionalProperties to false for object schemas.`
+      `Codex structured outputs require ${path29} to set additionalProperties to false for object schemas.`
     );
   }
   const properties = isSchemaRecord(normalized.properties) ? normalized.properties : null;
@@ -23493,8 +23665,8 @@ function parseCodexPatchChanges(changes) {
       }
     ];
   }
-  return Object.entries(recordChanges).map(([path28, value]) => {
-    const normalizedPath = path28.trim();
+  return Object.entries(recordChanges).map(([path29, value]) => {
+    const normalizedPath = path29.trim();
     if (!normalizedPath) {
       return null;
     }
@@ -31205,6 +31377,53 @@ function buildProviderRegistry(logger, options) {
   );
 }
 
+// ../server/src/server/claude-profile.ts
+import { existsSync as existsSync10, mkdirSync as mkdirSync5, symlinkSync, rmSync as rmSync2 } from "node:fs";
+import path13 from "node:path";
+import os5 from "node:os";
+var SHARED_ITEMS = ["settings.json", "hooks", "agents", "skills", "plugins", "keybindings.json"];
+function getClaudeProfileDir(username) {
+  return path13.join(os5.homedir(), `.claude-${username}`);
+}
+function ensureClaudeProfile(username, logger) {
+  const profileDir = getClaudeProfileDir(username);
+  const ownerDir = path13.join(os5.homedir(), ".claude");
+  if (!existsSync10(ownerDir)) {
+    throw new Error(`Owner claude config dir not found: ${ownerDir}`);
+  }
+  if (!existsSync10(profileDir)) {
+    mkdirSync5(profileDir, { recursive: true });
+    logger?.info({ profileDir, username }, "created claude profile directory");
+  }
+  for (const item of SHARED_ITEMS) {
+    const target = path13.join(ownerDir, item);
+    const link = path13.join(profileDir, item);
+    if (!existsSync10(target)) continue;
+    if (existsSync10(link)) continue;
+    symlinkSync(target, link);
+    logger?.info({ item, profileDir }, "symlinked shared config item");
+  }
+  return profileDir;
+}
+function hasClaudeAuth(username) {
+  const profileDir = getClaudeProfileDir(username);
+  return existsSync10(profileDir);
+}
+function removeClaudeProfile(username, logger) {
+  const profileDir = getClaudeProfileDir(username);
+  if (!existsSync10(profileDir)) return;
+  rmSync2(profileDir, { recursive: true, force: true });
+  logger?.info({ profileDir, username }, "removed claude profile directory");
+}
+
+// ../server/src/server/agent/agent-manager.ts
+import { z as z33 } from "zod";
+import { getSessionMessages } from "@anthropic-ai/claude-agent-sdk";
+
+// ../server/src/server/agent/handoff-mcp.ts
+import { createSdkMcpServer, tool } from "@anthropic-ai/claude-agent-sdk";
+import { z as z32 } from "zod";
+
 // ../server/src/server/agent/agent-metadata-generator.ts
 import { basename as basename5 } from "path";
 import { z as z31 } from "zod";
@@ -31255,8 +31474,8 @@ function buildZodValidator(schema, schemaName) {
         return { ok: true, value: result.data };
       }
       const errors = result.error.issues.map((issue) => {
-        const path28 = issue.path.length > 0 ? issue.path.join(".") : "(root)";
-        return `${path28}: ${issue.message}`;
+        const path29 = issue.path.length > 0 ? issue.path.join(".") : "(root)";
+        return `${path29}: ${issue.message}`;
       });
       return { ok: false, errors };
     }
@@ -31274,9 +31493,9 @@ function buildJsonSchemaValidator(schema) {
         return { ok: true, value };
       }
       const errors = (validate.errors ?? []).map((error) => {
-        const path28 = error.instancePath && error.instancePath.length > 0 ? error.instancePath : "(root)";
+        const path29 = error.instancePath && error.instancePath.length > 0 ? error.instancePath : "(root)";
         const message = error.message ?? "is invalid";
-        return `${path28}: ${message}`;
+        return `${path29}: ${message}`;
       });
       return { ok: false, errors };
     }
@@ -31682,6 +31901,14 @@ function scheduleAgentMetadataGeneration(options) {
   });
 }
 
+// ../server/src/server/agent/agent-manager.ts
+var AgentIdSchema = z33.string().uuid();
+function canUserAccessAgent(agent, requesterUserId) {
+  if (agent.ownerUserId === null) return true;
+  if (agent.ownerUserId === requesterUserId) return true;
+  return agent.sharedWithUserIds.includes(requesterUserId);
+}
+
 // ../server/src/server/agent/timeline-append.ts
 async function appendTimelineItemIfAgentKnown(options) {
   try {
@@ -32065,25 +32292,25 @@ async function buildProjectPlacementForCwd(input) {
 }
 
 // ../server/src/server/workspace-registry.ts
-import { z as z32 } from "zod";
-var PersistedProjectRecordSchema = z32.object({
-  projectId: z32.string(),
-  rootPath: z32.string(),
-  kind: z32.enum(["git", "non_git"]),
-  displayName: z32.string(),
-  createdAt: z32.string(),
-  updatedAt: z32.string(),
-  archivedAt: z32.string().nullable()
-});
-var PersistedWorkspaceRecordSchema = z32.object({
-  workspaceId: z32.string(),
-  projectId: z32.string(),
-  cwd: z32.string(),
-  kind: z32.enum(["local_checkout", "worktree", "directory"]),
-  displayName: z32.string(),
-  createdAt: z32.string(),
-  updatedAt: z32.string(),
-  archivedAt: z32.string().nullable()
+import { z as z34 } from "zod";
+var PersistedProjectRecordSchema = z34.object({
+  projectId: z34.string(),
+  rootPath: z34.string(),
+  kind: z34.enum(["git", "non_git"]),
+  displayName: z34.string(),
+  createdAt: z34.string(),
+  updatedAt: z34.string(),
+  archivedAt: z34.string().nullable()
+});
+var PersistedWorkspaceRecordSchema = z34.object({
+  workspaceId: z34.string(),
+  projectId: z34.string(),
+  cwd: z34.string(),
+  kind: z34.enum(["local_checkout", "worktree", "directory"]),
+  displayName: z34.string(),
+  createdAt: z34.string(),
+  updatedAt: z34.string(),
+  archivedAt: z34.string().nullable()
 });
 function createPersistedProjectRecord(input) {
   return PersistedProjectRecordSchema.parse({
@@ -32162,7 +32389,7 @@ function isVoicePermissionAllowed(request) {
 
 // ../server/src/server/file-explorer/service.ts
 import { promises as fs8 } from "fs";
-import path13 from "path";
+import path14 from "path";
 
 // ../server/src/server/path-utils.ts
 import { homedir as homedir2 } from "node:os";
@@ -32216,7 +32443,7 @@ async function listDirectoryEntries({
   const dirents = await fs8.readdir(directoryPath, { withFileTypes: true });
   const entriesWithNulls = await Promise.all(
     dirents.map(async (dirent) => {
-      const targetPath = path13.join(directoryPath, dirent.name);
+      const targetPath = path14.join(directoryPath, dirent.name);
       const kind = dirent.isDirectory() ? "directory" : "file";
       try {
         return await buildEntryPayload({
@@ -32255,7 +32482,7 @@ async function readExplorerFile({
   if (!stats.isFile()) {
     throw new Error("Requested path is not a file");
   }
-  const ext = path13.extname(filePath).toLowerCase();
+  const ext = path14.extname(filePath).toLowerCase();
   const basePayload = {
     path: normalizeRelativePath({ root, targetPath: filePath }),
     size: stats.size,
@@ -32293,7 +32520,7 @@ async function writeTextFile({
   relativePath,
   content
 }) {
-  const ext = path13.extname(relativePath).toLowerCase();
+  const ext = path14.extname(relativePath).toLowerCase();
   if (ext in IMAGE_MIME_TYPES) {
     throw new Error(`Refusing to write '${relativePath}': binary/image file`);
   }
@@ -32303,7 +32530,7 @@ async function writeTextFile({
   await fs8.rename(tempPath, filePath);
 }
 async function deleteFile({ root, relativePath }) {
-  const ext = path13.extname(relativePath).toLowerCase();
+  const ext = path14.extname(relativePath).toLowerCase();
   if (ext !== ".md") {
     throw new Error(`Refusing to delete '${relativePath}': only .md files allowed`);
   }
@@ -32337,7 +32564,7 @@ async function getDownloadableFileInfo({ root, relativePath }) {
   if (!stats.isFile()) {
     throw new Error("Requested path is not a file");
   }
-  const ext = path13.extname(filePath).toLowerCase();
+  const ext = path14.extname(filePath).toLowerCase();
   let mimeType = "application/octet-stream";
   if (ext in IMAGE_MIME_TYPES) {
     mimeType = IMAGE_MIME_TYPES[ext] ?? mimeType;
@@ -32359,23 +32586,23 @@ async function getDownloadableFileInfo({ root, relativePath }) {
   return {
     path: normalizeRelativePath({ root, targetPath: filePath }),
     absolutePath: filePath,
-    fileName: path13.basename(filePath),
+    fileName: path14.basename(filePath),
     mimeType,
     size: stats.size
   };
 }
 async function resolveScopedPath({ root, relativePath = "." }) {
-  const normalizedRoot = path13.resolve(root);
+  const normalizedRoot = path14.resolve(root);
   const requestedPath = resolvePathFromBase(normalizedRoot, relativePath);
-  const relative = path13.relative(normalizedRoot, requestedPath);
-  if (relative !== "" && (relative.startsWith("..") || path13.isAbsolute(relative))) {
+  const relative = path14.relative(normalizedRoot, requestedPath);
+  if (relative !== "" && (relative.startsWith("..") || path14.isAbsolute(relative))) {
     throw new Error("Access outside of workspace is not allowed");
   }
   const realRoot = await fs8.realpath(normalizedRoot);
   try {
     const realPath = await fs8.realpath(requestedPath);
-    const realRelative = path13.relative(realRoot, realPath);
-    if (realRelative !== "" && (realRelative.startsWith("..") || path13.isAbsolute(realRelative))) {
+    const realRelative = path14.relative(realRoot, realPath);
+    if (realRelative !== "" && (realRelative.startsWith("..") || path14.isAbsolute(realRelative))) {
       throw new Error("Access outside of workspace is not allowed");
     }
     return requestedPath;
@@ -32406,10 +32633,10 @@ function isMissingEntryError(error) {
   return code === "ENOENT" || code === "ENOTDIR" || code === "ELOOP";
 }
 function normalizeRelativePath({ root, targetPath }) {
-  const normalizedRoot = path13.resolve(root);
-  const normalizedTarget = path13.resolve(targetPath);
-  const relative = path13.relative(normalizedRoot, normalizedTarget);
-  return relative === "" ? "." : relative.split(path13.sep).join("/");
+  const normalizedRoot = path14.resolve(root);
+  const normalizedTarget = path14.resolve(targetPath);
+  const relative = path14.relative(normalizedRoot, normalizedTarget);
+  return relative === "" ? "." : relative.split(path14.sep).join("/");
 }
 function textMimeTypeForExtension(ext) {
   return TEXT_MIME_TYPES[ext] ?? DEFAULT_TEXT_MIME_TYPE;
@@ -32762,65 +32989,65 @@ async function getProjectIcon(projectDir) {
 }
 
 // ../server/src/utils/path.ts
-import os5 from "os";
-function expandTilde(path28) {
-  if (path28.startsWith("~/")) {
-    const homeDir3 = process.env.HOME || os5.homedir();
-    return path28.replace("~", homeDir3);
+import os6 from "os";
+function expandTilde(path29) {
+  if (path29.startsWith("~/")) {
+    const homeDir3 = process.env.HOME || os6.homedir();
+    return path29.replace("~", homeDir3);
   }
-  if (path28 === "~") {
-    return process.env.HOME || os5.homedir();
+  if (path29 === "~") {
+    return process.env.HOME || os6.homedir();
   }
-  return path28;
+  return path29;
 }
 
 // ../server/src/server/skills/scanner.ts
 import fs9 from "node:fs/promises";
-import os6 from "node:os";
-import path14 from "node:path";
+import os7 from "node:os";
+import path15 from "node:path";
 var NAME_REGEX = /^[a-z0-9][a-z0-9._-]*$/i;
 function homeDir() {
-  return process.env.HOME || os6.homedir();
+  return process.env.HOME || os7.homedir();
 }
 function codexHomeDir() {
-  return process.env.CODEX_HOME || path14.join(homeDir(), ".codex");
+  return process.env.CODEX_HOME || path15.join(homeDir(), ".codex");
 }
 function resolveScopeDir(provider, scope, workspaceRoot) {
   if (scope === "codex-prompts") {
     if (provider !== "codex") {
       throw new Error(`Scope "codex-prompts" is only valid for provider "codex"`);
     }
-    return path14.join(codexHomeDir(), "prompts");
+    return path15.join(codexHomeDir(), "prompts");
   }
   if (scope === "project") {
     if (!workspaceRoot) {
       throw new Error(`workspaceRoot is required for scope "project"`);
     }
     const dotDir = provider === "claude" ? ".claude" : ".codex";
-    return path14.join(workspaceRoot, dotDir, "skills");
+    return path15.join(workspaceRoot, dotDir, "skills");
   }
   if (provider === "claude") {
-    return path14.join(homeDir(), ".claude", "skills");
+    return path15.join(homeDir(), ".claude", "skills");
   }
-  return path14.join(codexHomeDir(), "skills");
+  return path15.join(codexHomeDir(), "skills");
 }
 function allowedRoots(workspaceRoot) {
   const roots = [
-    path14.join(homeDir(), ".claude", "skills"),
-    path14.join(codexHomeDir(), "skills"),
-    path14.join(codexHomeDir(), "prompts")
+    path15.join(homeDir(), ".claude", "skills"),
+    path15.join(codexHomeDir(), "skills"),
+    path15.join(codexHomeDir(), "prompts")
   ];
   if (workspaceRoot) {
-    roots.push(path14.join(workspaceRoot, ".claude", "skills"));
-    roots.push(path14.join(workspaceRoot, ".codex", "skills"));
+    roots.push(path15.join(workspaceRoot, ".claude", "skills"));
+    roots.push(path15.join(workspaceRoot, ".codex", "skills"));
   }
-  return roots.map((r) => path14.resolve(r));
+  return roots.map((r) => path15.resolve(r));
 }
 function isInsideAllowedRoot(absPath, workspaceRoot) {
-  const resolved = path14.resolve(absPath);
+  const resolved = path15.resolve(absPath);
   for (const root of allowedRoots(workspaceRoot)) {
-    const rel = path14.relative(root, resolved);
-    if (rel === "" || !rel.startsWith("..") && !path14.isAbsolute(rel)) {
+    const rel = path15.relative(root, resolved);
+    if (rel === "" || !rel.startsWith("..") && !path15.isAbsolute(rel)) {
       return true;
     }
   }
@@ -32951,7 +33178,7 @@ async function listSkills(args) {
       if (!entry.name.endsWith(".md")) continue;
       const name = entry.name.slice(0, -".md".length);
       if (!name) continue;
-      const fullPath = path14.join(dir, entry.name);
+      const fullPath = path15.join(dir, entry.name);
       const stat5 = await safeStat(fullPath);
       if (!stat5) continue;
       const description = await readDescriptionSafely(fullPath);
@@ -32969,8 +33196,8 @@ async function listSkills(args) {
   } else {
     for (const entry of entries) {
       if (!entry.isDirectory() && !entry.isSymbolicLink()) continue;
-      const skillDir = path14.join(dir, entry.name);
-      const skillPath = path14.join(skillDir, "SKILL.md");
+      const skillDir = path15.join(dir, entry.name);
+      const skillPath = path15.join(skillDir, "SKILL.md");
       const stat5 = await safeStat(skillPath);
       if (!stat5) continue;
       const description = await readDescriptionSafely(skillPath);
@@ -33017,7 +33244,7 @@ async function createSkill(args) {
   const dir = resolveScopeDir(args.provider, args.scope, args.workspaceRoot);
   await fs9.mkdir(dir, { recursive: true });
   if (args.scope === "codex-prompts") {
-    const filePath2 = path14.join(dir, `${args.name}.md`);
+    const filePath2 = path15.join(dir, `${args.name}.md`);
     try {
       await fs9.access(filePath2);
       throw new Error(`A prompt named "${args.name}" already exists at ${filePath2}`);
@@ -33033,7 +33260,7 @@ async function createSkill(args) {
     await fs9.writeFile(filePath2, initial2, "utf8");
     return { path: filePath2 };
   }
-  const skillDir = path14.join(dir, args.name);
+  const skillDir = path15.join(dir, args.name);
   let dirExists = false;
   try {
     const stat5 = await fs9.stat(skillDir);
@@ -33045,7 +33272,7 @@ async function createSkill(args) {
     throw new Error(`A skill named "${args.name}" already exists at ${skillDir}`);
   }
   await fs9.mkdir(skillDir, { recursive: true });
-  const filePath = path14.join(skillDir, "SKILL.md");
+  const filePath = path15.join(skillDir, "SKILL.md");
   const initial = buildStarterSkill(args.name);
   await fs9.writeFile(filePath, initial, "utf8");
   return { path: filePath };
@@ -33074,7 +33301,7 @@ Body of the prompt. Use \`$1\`, \`$2\`, ... or \`$ARGUMENTS\` for parameter expa
 `;
 }
 async function writeSkillFrontmatter(args, workspaceRoot) {
-  if (!path14.isAbsolute(args.path)) {
+  if (!path15.isAbsolute(args.path)) {
     throw new Error(`writeSkillFrontmatter expects an absolute path; got "${args.path}"`);
   }
   if (!isInsideAllowedRoot(args.path, workspaceRoot)) {
@@ -33100,7 +33327,7 @@ ${original}`;
 
 // ../server/src/utils/directory-suggestions.ts
 import { readdir as readdir2, realpath, stat as stat3 } from "node:fs/promises";
-import path15 from "node:path";
+import path16 from "node:path";
 var DEFAULT_LIMIT = 30;
 var MAX_LIMIT = 100;
 var DEFAULT_MAX_DEPTH = 6;
@@ -33186,7 +33413,7 @@ function normalizeLimit(limit) {
   return Math.max(1, Math.min(MAX_LIMIT, bounded));
 }
 async function searchWithinParentDirectory(input) {
-  const parentPath = path15.resolve(input.homeRoot, input.parentPart || ".");
+  const parentPath = path16.resolve(input.homeRoot, input.parentPart || ".");
   const parentRoot = await resolveDirectory(parentPath);
   if (!parentRoot || !isPathInsideRoot(input.homeRoot, parentRoot)) {
     return [];
@@ -33251,7 +33478,7 @@ async function searchAcrossHomeTree(input) {
   return dedupeAndSort(ranked).slice(0, input.limit);
 }
 async function searchWorkspaceWithinParentDirectory(input) {
-  const parentPath = path15.resolve(input.workspaceRoot, input.parentPart || ".");
+  const parentPath = path16.resolve(input.workspaceRoot, input.parentPart || ".");
   const parentRoot = await resolveDirectory(parentPath);
   if (!parentRoot || !isPathInsideRoot(input.workspaceRoot, parentRoot)) {
     return [];
@@ -33497,15 +33724,15 @@ function findSegmentMatchIndex(segments, predicate) {
   return -1;
 }
 function normalizeRelativePath2(homeRoot, absolutePath) {
-  const relative = path15.relative(homeRoot, absolutePath);
+  const relative = path16.relative(homeRoot, absolutePath);
   if (!relative) {
     return ".";
   }
-  return relative.split(path15.sep).join("/");
+  return relative.split(path16.sep).join("/");
 }
 function isPathInsideRoot(root, target) {
-  const relative = path15.relative(root, target);
-  return relative === "" || !relative.startsWith("..") && !path15.isAbsolute(relative);
+  const relative = path16.relative(root, target);
+  return relative === "" || !relative.startsWith("..") && !path16.isAbsolute(relative);
 }
 function normalizeQueryParts(query2, homeRoot) {
   const typedQuery = query2.trim().replace(/\\/g, "/");
@@ -33521,9 +33748,9 @@ function normalizeQueryParts(query2, homeRoot) {
       normalized = normalized.slice(1);
     }
   }
-  if (path15.isAbsolute(normalized)) {
+  if (path16.isAbsolute(normalized)) {
     isRooted = true;
-    const absolute = path15.resolve(normalized);
+    const absolute = path16.resolve(normalized);
     if (!isPathInsideRoot(homeRoot, absolute)) {
       return null;
     }
@@ -33562,8 +33789,8 @@ function normalizeQueryParts(query2, homeRoot) {
 }
 function normalizeWorkspaceQueryParts(query2, workspaceRoot) {
   let normalized = query2.trim().replace(/\\/g, "/");
-  if (path15.isAbsolute(normalized)) {
-    const absolute = path15.resolve(normalized);
+  if (path16.isAbsolute(normalized)) {
+    const absolute = path16.resolve(normalized);
     if (!isPathInsideRoot(workspaceRoot, absolute)) {
       return null;
     }
@@ -33589,7 +33816,7 @@ function normalizeWorkspaceQueryParts(query2, workspaceRoot) {
 }
 async function resolveDirectory(inputPath) {
   try {
-    const resolved = await realpath(path15.resolve(inputPath));
+    const resolved = await realpath(path16.resolve(inputPath));
     const stats = await stat3(resolved);
     if (!stats.isDirectory()) {
       return null;
@@ -33616,7 +33843,7 @@ async function listChildDirectories(input) {
     if (!dirent.isDirectory() && !dirent.isSymbolicLink()) {
       continue;
     }
-    const candidatePath = path15.join(input.directory, dirent.name);
+    const candidatePath = path16.join(input.directory, dirent.name);
     const absolutePath = await resolveDirectoryCandidate({
       candidatePath,
       dirent,
@@ -33653,7 +33880,7 @@ async function listWorkspaceChildEntries(input) {
     if (isIgnoredWorkspaceDirectoryName(dirent.name)) {
       continue;
     }
-    const candidatePath = path15.join(input.directory, dirent.name);
+    const candidatePath = path16.join(input.directory, dirent.name);
     const entry = await resolveWorkspaceCandidate({
       candidatePath,
       dirent,
@@ -33676,7 +33903,7 @@ async function listWorkspaceChildEntries(input) {
 }
 async function resolveDirectoryCandidate(input) {
   if (input.dirent.isDirectory()) {
-    const resolved2 = path15.resolve(input.candidatePath);
+    const resolved2 = path16.resolve(input.candidatePath);
     return isPathInsideRoot(input.homeRoot, resolved2) ? resolved2 : null;
   }
   const resolved = await resolveDirectory(input.candidatePath);
@@ -33687,14 +33914,14 @@ async function resolveDirectoryCandidate(input) {
 }
 async function resolveWorkspaceCandidate(input) {
   if (input.dirent.isDirectory()) {
-    const resolved = path15.resolve(input.candidatePath);
+    const resolved = path16.resolve(input.candidatePath);
     if (!isPathInsideRoot(input.workspaceRoot, resolved)) {
       return null;
     }
     return { absolutePath: resolved, kind: "directory" };
   }
   if (input.dirent.isFile()) {
-    const resolved = path15.resolve(input.candidatePath);
+    const resolved = path16.resolve(input.candidatePath);
     if (!isPathInsideRoot(input.workspaceRoot, resolved)) {
       return null;
     }
@@ -33774,7 +34001,7 @@ function pruneWorkspaceEntryListCache() {
 // ../server/src/utils/directory-listing.ts
 import { readdir as readdir3, stat as stat4, realpath as realpath2 } from "node:fs/promises";
 import { homedir as homedir3 } from "node:os";
-import path16 from "node:path";
+import path17 from "node:path";
 var DEFAULT_LIMIT2 = 500;
 async function listDirectoryContents(options) {
   const includeFiles = options.includeFiles ?? false;
@@ -33785,7 +34012,7 @@ async function listDirectoryContents(options) {
   const collected = [];
   for (const dirent of dirents) {
     if (!includeHidden && dirent.name.startsWith(".")) continue;
-    const childPath = path16.join(resolvedPath, dirent.name);
+    const childPath = path17.join(resolvedPath, dirent.name);
     const kind = await classifyEntry(dirent, childPath);
     if (!kind) continue;
     if (kind === "file" && !includeFiles) continue;
@@ -33793,7 +34020,7 @@ async function listDirectoryContents(options) {
     if (collected.length >= limit) break;
   }
   collected.sort(compareEntries);
-  const parent = path16.dirname(resolvedPath);
+  const parent = path17.dirname(resolvedPath);
   return {
     path: resolvedPath,
     parent: parent === resolvedPath ? null : parent,
@@ -33804,12 +34031,12 @@ async function resolveAbsolutePath(rawPath) {
   const home = process.env.HOME ?? homedir3();
   const trimmed = rawPath.trim();
   if (trimmed === "" || trimmed === "~") {
-    return path16.resolve(home);
+    return path17.resolve(home);
   }
   if (trimmed.startsWith("~/")) {
-    return path16.resolve(home, trimmed.slice(2));
+    return path17.resolve(home, trimmed.slice(2));
   }
-  if (!path16.isAbsolute(trimmed)) {
+  if (!path17.isAbsolute(trimmed)) {
     throw new Error(
       `list_directory requires an absolute path, an empty string, or a "~"-prefixed path; got ${JSON.stringify(rawPath)}`
     );
@@ -33817,7 +34044,7 @@ async function resolveAbsolutePath(rawPath) {
   try {
     return await realpath2(trimmed);
   } catch {
-    return path16.resolve(trimmed);
+    return path17.resolve(trimmed);
   }
 }
 async function classifyEntry(dirent, fullPath) {
@@ -33857,10 +34084,10 @@ function resolveClientMessageId(clientMessageId, generateId = uuidv45) {
 }
 
 // ../server/src/server/chat/chat-service.ts
-import { z as z33 } from "zod";
-var ChatStorePayloadSchema = z33.object({
-  rooms: z33.array(ChatRoomSchema),
-  messages: z33.array(ChatMessageSchema)
+import { z as z35 } from "zod";
+var ChatStorePayloadSchema = z35.object({
+  rooms: z35.array(ChatRoomSchema),
+  messages: z35.array(ChatMessageSchema)
 });
 var ChatServiceError = class extends Error {
   constructor(code, message) {
@@ -33951,33 +34178,33 @@ function buildChatMentionNotification(input) {
 
 // ../server/src/server/roles/scanner.ts
 import fs10 from "node:fs/promises";
-import os7 from "node:os";
-import path17 from "node:path";
+import os8 from "node:os";
+import path18 from "node:path";
 var NAME_REGEX2 = /^[a-z0-9][a-z0-9._-]*$/i;
 function homeDir2() {
-  return process.env.HOME || os7.homedir();
+  return process.env.HOME || os8.homedir();
 }
 function resolveScopeDir2(scope, workspaceRoot) {
   if (scope === "project") {
     if (!workspaceRoot) {
       throw new Error('workspaceRoot is required for scope "project"');
     }
-    return path17.join(workspaceRoot, ".roles");
+    return path18.join(workspaceRoot, ".roles");
   }
-  return path17.join(homeDir2(), ".appostle", ".roles");
+  return path18.join(homeDir2(), ".appostle", ".roles");
 }
 function allowedRoots2(workspaceRoot) {
-  const roots = [path17.join(homeDir2(), ".appostle", ".roles")];
+  const roots = [path18.join(homeDir2(), ".appostle", ".roles")];
   if (workspaceRoot) {
-    roots.push(path17.join(workspaceRoot, ".roles"));
+    roots.push(path18.join(workspaceRoot, ".roles"));
   }
-  return roots.map((r) => path17.resolve(r));
+  return roots.map((r) => path18.resolve(r));
 }
 function isInsideAllowedRoot2(absPath, workspaceRoot) {
-  const resolved = path17.resolve(absPath);
+  const resolved = path18.resolve(absPath);
   for (const root of allowedRoots2(workspaceRoot)) {
-    const rel = path17.relative(root, resolved);
-    if (rel === "" || !rel.startsWith("..") && !path17.isAbsolute(rel)) {
+    const rel = path18.relative(root, resolved);
+    if (rel === "" || !rel.startsWith("..") && !path18.isAbsolute(rel)) {
       return true;
     }
   }
@@ -34175,7 +34402,7 @@ async function readRolesFromDir(scope, dir, category) {
     if (!entry.name.endsWith(".md")) continue;
     const name = entry.name.slice(0, -".md".length);
     if (!name || !NAME_REGEX2.test(name)) continue;
-    const fullPath = path17.join(dir, entry.name);
+    const fullPath = path18.join(dir, entry.name);
     let stat5;
     try {
       const s = await fs10.stat(fullPath);
@@ -34225,7 +34452,7 @@ async function readRolesFromScopeDir(scope, scopeDir) {
   }
   const flat = await readRolesFromDir(scope, scopeDir, null);
   const categoryResults = await Promise.all(
-    topEntries.filter((e) => e.isDirectory() && NAME_REGEX2.test(e.name)).map((e) => readRolesFromDir(scope, path17.join(scopeDir, e.name), e.name))
+    topEntries.filter((e) => e.isDirectory() && NAME_REGEX2.test(e.name)).map((e) => readRolesFromDir(scope, path18.join(scopeDir, e.name), e.name))
   );
   const all = [...flat, ...categoryResults.flat()];
   all.sort((a, b) => {
@@ -34265,9 +34492,9 @@ async function createRole(args) {
     throw new Error(`Role name must not contain path separators or "..".`);
   }
   const scopeDir = resolveScopeDir2(args.scope, args.workspaceRoot);
-  const dir = args.category ? path17.join(scopeDir, args.category) : scopeDir;
+  const dir = args.category ? path18.join(scopeDir, args.category) : scopeDir;
   await fs10.mkdir(dir, { recursive: true });
-  const filePath = path17.join(dir, `${args.name}.md`);
+  const filePath = path18.join(dir, `${args.name}.md`);
   try {
     await fs10.access(filePath);
     throw new Error(`A role named "${args.name}" already exists at ${filePath}`);
@@ -34301,7 +34528,7 @@ the role is invoked.
 `;
 }
 async function writeRoleFrontmatter(args, workspaceRoot) {
-  if (!path17.isAbsolute(args.path)) {
+  if (!path18.isAbsolute(args.path)) {
     throw new Error(`writeRoleFrontmatter expects an absolute path; got "${args.path}"`);
   }
   if (!isInsideAllowedRoot2(args.path, workspaceRoot)) {
@@ -34325,20 +34552,20 @@ ${original}`;
   await fs10.writeFile(args.path, nextContent, "utf8");
 }
 async function moveRole(args, workspaceRoot) {
-  if (!path17.isAbsolute(args.path)) {
+  if (!path18.isAbsolute(args.path)) {
     throw new Error(`moveRole expects an absolute path; got "${args.path}"`);
   }
   if (!isInsideAllowedRoot2(args.path, workspaceRoot)) {
     throw new Error(`Path "${args.path}" is not inside an allowlisted role root`);
   }
-  const oldDir = path17.dirname(args.path);
-  const oldFilename = path17.basename(args.path, ".md");
+  const oldDir = path18.dirname(args.path);
+  const oldFilename = path18.basename(args.path, ".md");
   const roots = allowedRoots2(workspaceRoot);
-  const rolesRoot = roots.find((r) => path17.resolve(args.path).startsWith(r));
+  const rolesRoot = roots.find((r) => path18.resolve(args.path).startsWith(r));
   if (!rolesRoot) {
     throw new Error(`Cannot determine roles root for "${args.path}"`);
   }
-  const relFromRoot = path17.relative(rolesRoot, path17.dirname(args.path));
+  const relFromRoot = path18.relative(rolesRoot, path18.dirname(args.path));
   const currentCategory = relFromRoot && relFromRoot !== "." ? relFromRoot : "";
   const newName = args.newName ?? oldFilename;
   const newCategory = args.newCategory !== void 0 ? args.newCategory : currentCategory;
@@ -34348,9 +34575,9 @@ async function moveRole(args, workspaceRoot) {
   if (newCategory && !NAME_REGEX2.test(newCategory)) {
     throw new Error(`Invalid category name: "${newCategory}"`);
   }
-  const newDir = newCategory ? path17.join(rolesRoot, newCategory) : rolesRoot;
-  const newPath = path17.join(newDir, `${newName}.md`);
-  if (path17.resolve(newPath) === path17.resolve(args.path)) {
+  const newDir = newCategory ? path18.join(rolesRoot, newCategory) : rolesRoot;
+  const newPath = path18.join(newDir, `${newName}.md`);
+  if (path18.resolve(newPath) === path18.resolve(args.path)) {
     return { path: args.path };
   }
   await fs10.mkdir(newDir, { recursive: true });
@@ -34388,17 +34615,17 @@ async function moveRole(args, workspaceRoot) {
 
 // ../server/src/server/brands/scanner.ts
 import fs11 from "node:fs/promises";
-import path18 from "node:path";
+import path19 from "node:path";
 var CATEGORY_REGEX = /^[a-z0-9][a-z0-9_-]*$/i;
 function resolveAssetsDir(workspaceRoot, category) {
-  const base = path18.join(workspaceRoot, ".appostle", "brand", "assets");
+  const base = path19.join(workspaceRoot, ".appostle", "brand", "assets");
   if (!category) return base;
   if (!CATEGORY_REGEX.test(category) || category.includes("..")) {
     throw new Error(
       `Invalid asset category "${category}". Use letters, digits, dot, underscore, dash.`
     );
   }
-  return path18.join(base, category);
+  return path19.join(base, category);
 }
 function relativePathFor(category, fileName) {
   return category ? `assets/${category}/${fileName}` : `assets/${fileName}`;
@@ -34414,9 +34641,9 @@ async function removeSiblingExtensions(dir, targetName, keepFileName) {
     if (entry === keepFileName) continue;
     if (!entry.startsWith(`${targetName}.`)) continue;
     try {
-      const stat5 = await fs11.stat(path18.join(dir, entry));
+      const stat5 = await fs11.stat(path19.join(dir, entry));
       if (!stat5.isFile()) continue;
-      await fs11.unlink(path18.join(dir, entry));
+      await fs11.unlink(path19.join(dir, entry));
     } catch {
     }
   }
@@ -34427,7 +34654,7 @@ function convertSvgToMono(svg, color) {
 async function runDerivations(options) {
   const { primaryAbsolutePath, assetsDir, category, derive } = options;
   if (derive.length === 0) return [];
-  const ext = path18.extname(primaryAbsolutePath).toLowerCase();
+  const ext = path19.extname(primaryAbsolutePath).toLowerCase();
   const isSvg = ext === ".svg";
   const results = [];
   for (const spec of derive) {
@@ -34462,9 +34689,9 @@ async function runDerivations(options) {
       const sourceText = await fs11.readFile(primaryAbsolutePath, "utf8");
       const monoText = convertSvgToMono(sourceText, spec.color);
       const fileName = `${spec.targetName}${ext}`;
-      const destAbs = path18.resolve(assetsDir, fileName);
-      const rel = path18.relative(path18.resolve(assetsDir), destAbs);
-      if (rel.startsWith("..") || path18.isAbsolute(rel)) {
+      const destAbs = path19.resolve(assetsDir, fileName);
+      const rel = path19.relative(path19.resolve(assetsDir), destAbs);
+      if (rel.startsWith("..") || path19.isAbsolute(rel)) {
         results.push({
           targetName: spec.targetName,
           relativePath: "",
@@ -34498,22 +34725,22 @@ function resolveScopeDir3(scope, workspaceRoot) {
     if (!workspaceRoot) {
       throw new Error('workspaceRoot is required for scope "project"');
     }
-    return path18.join(workspaceRoot, ".appostle", "brand");
+    return path19.join(workspaceRoot, ".appostle", "brand");
   }
   throw new Error(`Unknown scope: ${scope}`);
 }
 function allowedRoots3(workspaceRoot) {
   const roots = [];
   if (workspaceRoot) {
-    roots.push(path18.join(workspaceRoot, ".appostle", "brand"));
+    roots.push(path19.join(workspaceRoot, ".appostle", "brand"));
   }
-  return roots.map((r) => path18.resolve(r));
+  return roots.map((r) => path19.resolve(r));
 }
 function isInsideAllowedRoot3(absPath, workspaceRoot) {
-  const resolved = path18.resolve(absPath);
+  const resolved = path19.resolve(absPath);
   for (const root of allowedRoots3(workspaceRoot)) {
-    const rel = path18.relative(root, resolved);
-    if (rel === "" || !rel.startsWith("..") && !path18.isAbsolute(rel)) {
+    const rel = path19.relative(root, resolved);
+    if (rel === "" || !rel.startsWith("..") && !path19.isAbsolute(rel)) {
       return true;
     }
   }
@@ -34727,7 +34954,7 @@ async function readBrandsFromDir(scope, dir) {
     if (!entry.name.endsWith(".md")) continue;
     const name = entry.name.slice(0, -".md".length);
     if (!name || !NAME_REGEX3.test(name)) continue;
-    const fullPath = path18.join(dir, entry.name);
+    const fullPath = path19.join(dir, entry.name);
     let stat5;
     try {
       const s = await fs11.stat(fullPath);
@@ -34771,7 +34998,7 @@ async function createBrand(args) {
   }
   const dir = resolveScopeDir3("project", args.workspaceRoot);
   await fs11.mkdir(dir, { recursive: true });
-  const filePath = path18.join(dir, `${args.name}.md`);
+  const filePath = path19.join(dir, `${args.name}.md`);
   try {
     await fs11.access(filePath);
     throw new Error(`A brand named "${args.name}" already exists at ${filePath}`);
@@ -34827,7 +35054,7 @@ async function copyBrandAsset(args) {
   if (!args.workspaceRoot) {
     throw new Error("workspaceRoot is required to copy a brand asset");
   }
-  if (!args.sourcePath || !path18.isAbsolute(args.sourcePath)) {
+  if (!args.sourcePath || !path19.isAbsolute(args.sourcePath)) {
     throw new Error(`copyBrandAsset expects an absolute sourcePath; got "${args.sourcePath}"`);
   }
   if (!TARGET_NAME_REGEX.test(args.targetName) || args.targetName.includes("..")) {
@@ -34839,12 +35066,12 @@ async function copyBrandAsset(args) {
   if (!stats.isFile()) {
     throw new Error(`Source path is not a regular file: ${args.sourcePath}`);
   }
-  const ext = path18.extname(args.sourcePath).toLowerCase();
+  const ext = path19.extname(args.sourcePath).toLowerCase();
   const fileName = `${args.targetName}${ext}`;
   const assetsDir = resolveAssetsDir(args.workspaceRoot, args.category);
-  const destAbs = path18.resolve(assetsDir, fileName);
-  const rel = path18.relative(path18.resolve(assetsDir), destAbs);
-  if (rel.startsWith("..") || path18.isAbsolute(rel)) {
+  const destAbs = path19.resolve(assetsDir, fileName);
+  const rel = path19.relative(path19.resolve(assetsDir), destAbs);
+  if (rel.startsWith("..") || path19.isAbsolute(rel)) {
     throw new Error(`Refusing to write outside of .appostle/brand/assets: ${destAbs}`);
   }
   await fs11.mkdir(assetsDir, { recursive: true });
@@ -34874,13 +35101,13 @@ async function uploadBrandAsset(args) {
   if (!args.dataBase64 || args.dataBase64.trim().length === 0) {
     throw new Error("No file data provided for brand asset upload");
   }
-  const extFromSource = args.sourceName ? path18.extname(args.sourceName).toLowerCase() : "";
+  const extFromSource = args.sourceName ? path19.extname(args.sourceName).toLowerCase() : "";
   const ext = extFromSource || ".png";
   const fileName = `${args.targetName}${ext}`;
   const assetsDir = resolveAssetsDir(args.workspaceRoot, args.category);
-  const destAbs = path18.resolve(assetsDir, fileName);
-  const rel = path18.relative(path18.resolve(assetsDir), destAbs);
-  if (rel.startsWith("..") || path18.isAbsolute(rel)) {
+  const destAbs = path19.resolve(assetsDir, fileName);
+  const rel = path19.relative(path19.resolve(assetsDir), destAbs);
+  if (rel.startsWith("..") || path19.isAbsolute(rel)) {
     throw new Error(`Refusing to write outside of .appostle/brand/assets: ${destAbs}`);
   }
   let data;
@@ -34908,7 +35135,7 @@ async function uploadBrandAsset(args) {
   };
 }
 async function writeBrandFrontmatter(args, workspaceRoot) {
-  if (!path18.isAbsolute(args.path)) {
+  if (!path19.isAbsolute(args.path)) {
     throw new Error(`writeBrandFrontmatter expects an absolute path; got "${args.path}"`);
   }
   if (!isInsideAllowedRoot3(args.path, workspaceRoot)) {
@@ -34933,10 +35160,10 @@ ${original}`;
 }
 
 // ../server/src/server/brand/token-generator.ts
-import { z as z34 } from "zod";
+import { z as z36 } from "zod";
 var HEX6 = /^#[0-9a-f]{6}$/i;
-var TokensResponseSchema = z34.object({
-  tokens: z34.record(z34.string(), z34.string())
+var TokensResponseSchema = z36.object({
+  tokens: z36.record(z36.string(), z36.string())
 });
 function buildPrompt2(args) {
   const baseColours = args.paletteVars.filter((v) => v.type === "color");
@@ -35154,21 +35381,21 @@ async function generateAndApplyBrandTokens(options) {
 
 // ../server/src/server/brand/art-direction-generator.ts
 import { promises as fs12 } from "node:fs";
-import path19 from "node:path";
+import path20 from "node:path";
 import { fileURLToPath as fileURLToPath2 } from "node:url";
-import { z as z35 } from "zod";
+import { z as z37 } from "zod";
 var PROMPT_FILENAME = "art-direction-prompt.md";
 var MAX_LOOKUP_LEVELS = 10;
 async function findPromptFile() {
-  let dir = path19.dirname(fileURLToPath2(import.meta.url));
+  let dir = path20.dirname(fileURLToPath2(import.meta.url));
   for (let i = 0; i < MAX_LOOKUP_LEVELS; i++) {
-    const candidate = path19.join(dir, PROMPT_FILENAME);
+    const candidate = path20.join(dir, PROMPT_FILENAME);
     try {
       await fs12.access(candidate);
       return candidate;
     } catch {
     }
-    const parent = path19.dirname(dir);
+    const parent = path20.dirname(dir);
     if (parent === dir) break;
     dir = parent;
   }
@@ -35201,8 +35428,8 @@ var EMBEDDED_PROMPT_FALLBACK = [
   "",
   'Return ONLY JSON: { "fields": { "art-direction.intent": "...", ... } }'
 ].join("\n");
-var ArtDirectionResponseSchema = z35.object({
-  fields: z35.record(z35.string(), z35.string())
+var ArtDirectionResponseSchema = z37.object({
+  fields: z37.record(z37.string(), z37.string())
 });
 var KNOWN_KEYS = /* @__PURE__ */ new Set([
   "art-direction.intent",
@@ -35602,57 +35829,57 @@ async function fetchGitLabUsername(fetchImpl, accessToken) {
     return null;
   }
 }
-async function readCredential(path28, log2) {
+async function readCredential(path29, log2) {
   try {
-    const raw = await readFile3(path28, "utf8");
+    const raw = await readFile3(path29, "utf8");
     const parsed = JSON.parse(raw);
     return parsed.gitlab ?? null;
   } catch (error) {
     if (isNotFound(error)) return null;
-    log2.warn({ err: error, path: path28 }, "oauth.credentials.read_failed");
+    log2.warn({ err: error, path: path29 }, "oauth.credentials.read_failed");
     return null;
   }
 }
-async function persistCredential(path28, credential, log2) {
-  await mkdir4(dirname4(path28), { recursive: true });
+async function persistCredential(path29, credential, log2) {
+  await mkdir4(dirname4(path29), { recursive: true });
   let current = {};
   try {
-    const raw = await readFile3(path28, "utf8");
+    const raw = await readFile3(path29, "utf8");
     current = JSON.parse(raw);
   } catch (error) {
     if (!isNotFound(error)) {
-      log2.warn({ err: error, path: path28 }, "oauth.credentials.read_failed_overwriting");
+      log2.warn({ err: error, path: path29 }, "oauth.credentials.read_failed_overwriting");
     }
   }
   const next = { ...current, gitlab: credential };
-  const tmpPath = `${path28}.tmp-${process.pid}-${Date.now()}`;
+  const tmpPath = `${path29}.tmp-${process.pid}-${Date.now()}`;
   await writeFile4(tmpPath, JSON.stringify(next, null, 2), { mode: 384 });
-  await rename(tmpPath, path28);
+  await rename(tmpPath, path29);
 }
-async function deleteCredential(path28, log2) {
+async function deleteCredential(path29, log2) {
   let current = {};
   try {
-    const raw = await readFile3(path28, "utf8");
+    const raw = await readFile3(path29, "utf8");
     current = JSON.parse(raw);
   } catch (error) {
     if (isNotFound(error)) return;
-    log2.warn({ err: error, path: path28 }, "oauth.credentials.delete_read_failed");
+    log2.warn({ err: error, path: path29 }, "oauth.credentials.delete_read_failed");
     return;
   }
   delete current.gitlab;
   if (Object.keys(current).length === 0) {
     try {
-      await unlink(path28);
+      await unlink(path29);
     } catch (error) {
       if (!isNotFound(error)) {
-        log2.warn({ err: error, path: path28 }, "oauth.credentials.unlink_failed");
+        log2.warn({ err: error, path: path29 }, "oauth.credentials.unlink_failed");
       }
     }
     return;
   }
-  const tmpPath = `${path28}.tmp-${process.pid}-${Date.now()}`;
+  const tmpPath = `${path29}.tmp-${process.pid}-${Date.now()}`;
   await writeFile4(tmpPath, JSON.stringify(current, null, 2), { mode: 384 });
-  await rename(tmpPath, path28);
+  await rename(tmpPath, path29);
 }
 function defaultGlabConfigPath() {
   const home = homedir4();
@@ -35667,15 +35894,15 @@ function defaultGlabConfigPath() {
   const xdg = process.env.XDG_CONFIG_HOME;
   return join11(xdg && xdg.length > 0 ? xdg : join11(home, ".config"), "glab-cli", "config.yml");
 }
-async function writeGlabConfig(path28, credential, log2) {
-  await mkdir4(dirname4(path28), { recursive: true });
+async function writeGlabConfig(path29, credential, log2) {
+  await mkdir4(dirname4(path29), { recursive: true });
   let doc;
   try {
-    const raw = await readFile3(path28, "utf8");
+    const raw = await readFile3(path29, "utf8");
     doc = YAML.parseDocument(raw);
     if (doc.errors.length > 0) {
       log2.warn(
-        { errors: doc.errors.map((e) => e.message), path: path28 },
+        { errors: doc.errors.map((e) => e.message), path: path29 },
         "oauth.glab.parse_errors_replacing"
       );
       doc = YAML.parseDocument("{}");
@@ -35684,7 +35911,7 @@ async function writeGlabConfig(path28, credential, log2) {
     if (isNotFound(error)) {
       doc = YAML.parseDocument("{}");
     } else {
-      log2.warn({ err: error, path: path28 }, "oauth.glab.read_failed_replacing");
+      log2.warn({ err: error, path: path29 }, "oauth.glab.read_failed_replacing");
       doc = YAML.parseDocument("{}");
     }
   }
@@ -35697,18 +35924,18 @@ async function writeGlabConfig(path28, credential, log2) {
   if (credential.username) {
     hostEntry.set("user", credential.username);
   }
-  const tmpPath = `${path28}.tmp-${process.pid}-${Date.now()}`;
+  const tmpPath = `${path29}.tmp-${process.pid}-${Date.now()}`;
   await writeFile4(tmpPath, doc.toString(), { mode: 384 });
-  await rename(tmpPath, path28);
+  await rename(tmpPath, path29);
 }
-async function removeGlabHost(path28, log2) {
+async function removeGlabHost(path29, log2) {
   let doc;
   try {
-    const raw = await readFile3(path28, "utf8");
+    const raw = await readFile3(path29, "utf8");
     doc = YAML.parseDocument(raw);
   } catch (error) {
     if (isNotFound(error)) return;
-    log2.warn({ err: error, path: path28 }, "oauth.glab.remove_read_failed");
+    log2.warn({ err: error, path: path29 }, "oauth.glab.remove_read_failed");
     return;
   }
   const hosts = doc.get("hosts");
@@ -35717,9 +35944,9 @@ async function removeGlabHost(path28, log2) {
   if (hosts.items.length === 0) {
     doc.delete("hosts");
   }
-  const tmpPath = `${path28}.tmp-${process.pid}-${Date.now()}`;
+  const tmpPath = `${path29}.tmp-${process.pid}-${Date.now()}`;
   await writeFile4(tmpPath, doc.toString(), { mode: 384 });
-  await rename(tmpPath, path28);
+  await rename(tmpPath, path29);
 }
 function ensureMap(doc, key) {
   const existing = doc.get(key);
@@ -36748,7 +36975,7 @@ var MIN_STREAMING_SEGMENT_DURATION_MS = 1e3;
 var MIN_STREAMING_SEGMENT_BYTES = Math.round(
   PCM_BYTES_PER_MS * MIN_STREAMING_SEGMENT_DURATION_MS
 );
-var AgentIdSchema = z36.string().uuid();
+var AgentIdSchema2 = z38.string().uuid();
 var VOICE_INTERRUPT_CONFIRMATION_MS = 500;
 var VoiceFeatureUnavailableError = class extends Error {
   constructor(context) {
@@ -36835,6 +37062,8 @@ var Session = class _Session {
     this.nextTerminalSlot = 0;
     this.inflightRequests = 0;
     this.peakInflightRequests = 0;
+    /** In-progress `claude login` processes, keyed by requestId. */
+    this.pendingClaudeLogins = /* @__PURE__ */ new Map();
     this.checkoutDiffSubscriptions = /* @__PURE__ */ new Map();
     this.workspaceGitWatchTargets = /* @__PURE__ */ new Map();
     this.workspaceSetupSnapshots = /* @__PURE__ */ new Map();
@@ -36852,6 +37081,8 @@ var Session = class _Session {
     const {
       clientId,
       appVersion,
+      peerPublicKeyB64,
+      ownerUserId,
       onMessage,
       onBinaryMessage,
       onLifecycleIntent,
@@ -36896,6 +37127,8 @@ var Session = class _Session {
     this.clientId = clientId;
     this.appVersion = appVersion ?? null;
     this.sessionId = uuidv47();
+    this.userId = options.userId ?? null;
+    this.username = options.username ?? null;
     this.onMessage = onMessage;
     this.onBinaryMessage = onBinaryMessage ?? null;
     this.onLifecycleIntent = onLifecycleIntent ?? null;
@@ -36912,6 +37145,8 @@ var Session = class _Session {
     });
     this.agentManager = agentManager;
     this.agentStorage = agentStorage;
+    this.peerPublicKeyB64 = peerPublicKeyB64 ?? null;
+    this.ownerUserId = ownerUserId ?? null;
     this.uploadStore = new SessionUploadStore({ logger: this.sessionLogger });
     this.imageStore = new SessionImageStore({ logger: this.sessionLogger });
     this.projectRegistry = projectRegistry;
@@ -36986,7 +37221,43 @@ var Session = class _Session {
     });
     void this.initializeAgentMcp();
     this.subscribeToAgentEvents();
-    this.sessionLogger.trace("Session created");
+    this.sessionLogger.trace(
+      {
+        hasPeerPubkey: this.peerPublicKeyB64 !== null,
+        // Log a fingerprint, not the full key, so the audit log stays useful
+        // without bloating every entry with 44-char base64. First 8 chars is
+        // unique enough for human cross-reference.
+        peerPubkeyPrefix: this.peerPublicKeyB64 ? this.peerPublicKeyB64.slice(0, 8) : null,
+        ownerUserId: this.ownerUserId
+      },
+      "Session created"
+    );
+  }
+  /**
+   * Peer device's e2ee pubkey (base64). Surfaced so the upcoming user-scope
+   * lookup can resolve it via the auth-server allow-list. Null when unknown
+   * (local TCP, legacy paths).
+   */
+  getPeerPublicKeyB64() {
+    return this.peerPublicKeyB64;
+  }
+  /**
+   * Auth-server user-id that owns the connecting device. Null when the
+   * daemon has no auth-server linkage, when the peer pubkey is unknown
+   * (local TCP), or when the resolver returned no match (allow-list entry
+   * for this pubkey hasn't been seen yet). Callers use this for per-user
+   * agent filtering; null means "show everything" (single-tenant fallback).
+   */
+  getOwnerUserId() {
+    return this.ownerUserId;
+  }
+  /**
+   * Whether this session is bound to a specific account. Equivalent to
+   * `getOwnerUserId() !== null` but reads cleaner at call sites that gate
+   * on "should we apply per-user filtering at all?".
+   */
+  hasOwnerUserId() {
+    return this.ownerUserId !== null;
   }
   updateAppVersion(appVersion) {
     if (appVersion && appVersion !== this.appVersion) {
@@ -37231,6 +37502,9 @@ var Session = class _Session {
             );
           });
         }
+        if (this.ownerUserId !== null && !this.agentManager.canUserAccessAgentById(event.agentId, this.ownerUserId)) {
+          return;
+        }
         const activity = this.clientActivity;
         if (activity?.deviceType === "mobile") {
           if (!activity.focusedAgentId) {
@@ -37458,6 +37732,9 @@ var Session = class _Session {
   }
   async forwardAgentUpdate(agent) {
     try {
+      if (this.ownerUserId !== null && !this.agentManager.canUserAccessAgentById(agent.id, this.ownerUserId)) {
+        return;
+      }
       const subscription = this.agentUpdatesSubscription;
       const payload = await this.buildAgentPayload(agent);
       if (subscription) {
@@ -37515,6 +37792,18 @@ var Session = class _Session {
           case "link_account_request":
             await this.handleLinkAccountRequest(msg);
             break;
+          case "claude_profile_login_request":
+            await this.handleClaudeProfileLoginRequest(msg);
+            break;
+          case "claude_profile_login_callback":
+            await this.handleClaudeProfileLoginCallback(msg);
+            break;
+          case "claude_profile_status_request":
+            await this.handleClaudeProfileStatusRequest(msg);
+            break;
+          case "claude_profile_remove_request":
+            await this.handleClaudeProfileRemoveRequest(msg);
+            break;
           case "fetch_agents_request":
             await this.handleFetchAgents(msg);
             break;
@@ -37560,6 +37849,15 @@ var Session = class _Session {
           case "delete_session_upload_request":
             await this.handleDeleteSessionUploadRequest(msg);
             break;
+          case "share_agent_with_user_request":
+            await this.handleShareAgentWithUserRequest(msg);
+            break;
+          case "unshare_agent_with_user_request":
+            await this.handleUnshareAgentWithUserRequest(msg);
+            break;
+          case "list_agent_shared_users_request":
+            await this.handleListAgentSharedUsersRequest(msg);
+            break;
           case "list_session_images_request":
             await this.handleListSessionImagesRequest(msg);
             break;
@@ -38221,6 +38519,138 @@ var Session = class _Session {
       respond({ ok: false, error: message });
     }
   }
+  // ---------------------------------------------------------------------------
+  // Claude profile login — per-user subscription on shared hosts
+  // ---------------------------------------------------------------------------
+  async handleClaudeProfileLoginRequest(msg) {
+    const { requestId, username } = msg;
+    const log2 = this.sessionLogger.child({ handler: "claude_profile_login" });
+    try {
+      const profileDir = ensureClaudeProfile(username, log2);
+      const child = spawnProcess("claude", ["auth", "login"], {
+        env: {
+          ...process.env,
+          CLAUDE_CONFIG_DIR: profileDir
+        },
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+      this.pendingClaudeLogins.set(requestId, { process: child, username });
+      let stdoutBuffer = "";
+      child.stdout?.on("data", (chunk) => {
+        stdoutBuffer += chunk.toString();
+        const urlMatch = stdoutBuffer.match(/(https?:\/\/[^\s]+)/);
+        if (urlMatch) {
+          this.emit({
+            type: "claude_profile_login_url",
+            requestId,
+            url: urlMatch[1]
+          });
+        }
+      });
+      child.stderr?.on("data", (chunk) => {
+        log2.debug({ stderr: chunk.toString() }, "claude login stderr");
+      });
+      child.on("close", (code) => {
+        this.pendingClaudeLogins.delete(requestId);
+        if (code === 0) {
+          log2.info({ username }, "claude profile login succeeded");
+          this.emit({
+            type: "claude_profile_login_result",
+            requestId,
+            ok: true
+          });
+        } else {
+          log2.warn({ username, code }, "claude profile login failed");
+          this.emit({
+            type: "claude_profile_login_result",
+            requestId,
+            ok: false,
+            error: `claude login exited with code ${code}`
+          });
+        }
+      });
+      child.on("error", (err) => {
+        this.pendingClaudeLogins.delete(requestId);
+        log2.error({ err }, "claude login process error");
+        this.emit({
+          type: "claude_profile_login_result",
+          requestId,
+          ok: false,
+          error: err.message
+        });
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "unknown_error";
+      log2.error({ err }, "claude profile login request failed");
+      this.emit({
+        type: "claude_profile_login_result",
+        requestId,
+        ok: false,
+        error: message
+      });
+    }
+  }
+  async handleClaudeProfileLoginCallback(msg) {
+    const { requestId, callbackToken } = msg;
+    const pending = this.pendingClaudeLogins.get(requestId);
+    if (!pending) {
+      this.sessionLogger.warn({ requestId }, "claude_profile_login_callback: no pending login");
+      this.emit({
+        type: "claude_profile_login_result",
+        requestId,
+        ok: false,
+        error: "no_pending_login"
+      });
+      return;
+    }
+    try {
+      pending.process.stdin?.write(callbackToken + "\n");
+    } catch (err) {
+      this.sessionLogger.error({ err }, "failed to write callback token to claude login stdin");
+    }
+  }
+  async handleClaudeProfileStatusRequest(msg) {
+    const { requestId, username } = msg;
+    const profileExists = hasClaudeAuth(username);
+    let isAuthenticated = false;
+    if (profileExists) {
+      try {
+        const profileDir = ensureClaudeProfile(username);
+        const result = await execCommand("claude", ["auth", "status"], {
+          env: { ...process.env, CLAUDE_CONFIG_DIR: profileDir },
+          timeout: 5e3
+        });
+        isAuthenticated = !result.stdout.toLowerCase().includes("not logged in");
+      } catch {
+      }
+    }
+    this.emit({
+      type: "claude_profile_status_response",
+      requestId,
+      hasProfile: profileExists,
+      isAuthenticated
+    });
+  }
+  async handleClaudeProfileRemoveRequest(msg) {
+    const { requestId, username } = msg;
+    try {
+      removeClaudeProfile(username, this.sessionLogger);
+      this.emit({
+        type: "claude_profile_remove_response",
+        requestId,
+        ok: true
+      });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "unknown_error";
+      this.sessionLogger.error({ err, username }, "claude profile remove failed");
+      this.emit({
+        type: "claude_profile_remove_response",
+        requestId,
+        ok: false,
+        error: message
+      });
+    }
+  }
   async handleRestartServerRequest(requestId, reason) {
     const payload = {
       status: "restart_requested",
@@ -38726,7 +39156,7 @@ var Session = class _Session {
     }
   }
   parseVoiceTargetAgentId(rawId, source) {
-    const parsed = AgentIdSchema.safeParse(rawId.trim());
+    const parsed = AgentIdSchema2.safeParse(rawId.trim());
     if (!parsed.success) {
       throw new Error(`${source}: agentId must be a UUID`);
     }
@@ -39054,7 +39484,15 @@ var Session = class _Session {
         {
           labels,
           workspaceId: resolvedWorkspace.workspaceId,
-          initialPrompt: trimmedPrompt
+          initialPrompt: trimmedPrompt,
+          // Stamp the agent with the user that created it. Null on single-
+          // tenant daemons (no auth-server linkage) — agent stays globally
+          // visible, preserving legacy behavior. This is the authoritative
+          // owner (pubkey-derived), used for `canAccessAgent`.
+          ownerUserId: this.ownerUserId,
+          // Self-declared identity, used for Claude profile dir naming etc.
+          userId: this.userId ?? void 0,
+          username: this.username ?? void 0
         }
       );
       await this.forwardAgentUpdate(snapshot);
@@ -39533,8 +39971,8 @@ var Session = class _Session {
   }
   async generateCommitMessage(cwd) {
     const files = await listUncommittedFiles(cwd);
-    const schema = z36.object({
-      message: z36.string().min(1).max(100).describe(
+    const schema = z38.object({
+      message: z38.string().min(1).max(100).describe(
         "Short feature-level summary, lowercase, imperative mood, no trailing period, no filename references."
       )
     });
@@ -39579,9 +40017,9 @@ var Session = class _Session {
       },
       { appostleHome: this.appostleHome }
     );
-    const schema = z36.object({
-      title: z36.string().min(1).max(72),
-      body: z36.string().min(1)
+    const schema = z38.object({
+      title: z38.string().min(1).max(72),
+      body: z38.string().min(1)
     });
     const fileList = diff.structured && diff.structured.length > 0 ? [
       "Files changed:",
@@ -40522,7 +40960,7 @@ var Session = class _Session {
         homeDir: process.env.HOME ?? homedir5(),
         query: query2,
         limit
-      })).map((path28) => ({ path: path28, kind: "directory" }));
+      })).map((path29) => ({ path: path29, kind: "directory" }));
       const directories = entries.filter((entry) => entry.kind === "directory").map((entry) => entry.path);
       this.emit({
         type: "directory_suggestions_response",
@@ -41621,13 +42059,22 @@ ${details}`.trim());
    * Build the current agent list payload (live + persisted), optionally filtered by labels.
    */
   async listAgentPayloads(filter) {
-    const agentSnapshots = this.agentManager.listAgents();
+    const agentSnapshots = this.agentManager.listAgentsForUser(this.ownerUserId);
     const liveAgents = await Promise.all(
       agentSnapshots.map((agent) => this.buildAgentPayload(agent))
     );
     const registryRecords = await this.agentStorage.list();
+    const requesterId = this.ownerUserId;
     const liveIds = new Set(agentSnapshots.map((a) => a.id));
-    const persistedAgents = registryRecords.filter((record) => !liveIds.has(record.id)).map((record) => this.buildStoredAgentPayload(record));
+    const persistedAgents = registryRecords.filter((record) => !liveIds.has(record.id)).filter(
+      (record) => requesterId === null || canUserAccessAgent(
+        {
+          ownerUserId: record.ownerUserId ?? null,
+          sharedWithUserIds: record.sharedWithUserIds
+        },
+        requesterId
+      )
+    ).map((record) => this.buildStoredAgentPayload(record));
     let agents = [...liveAgents, ...persistedAgents];
     agents = agents.filter((agent) => this.isProviderVisibleToClient(agent.provider));
     if (filter?.labels) {
@@ -41644,6 +42091,9 @@ ${details}`.trim());
       return { ok: false, error: "Agent identifier cannot be empty" };
     }
     if (this.agentManager.getAgent(trimmed)) {
+      if (!this.agentManager.canUserAccessAgentById(trimmed, this.ownerUserId)) {
+        return { ok: false, error: "Agent not found" };
+      }
       return { ok: true, agentId: trimmed };
     }
     const exactStored = await this.agentStorage.get(trimmed);
@@ -43247,6 +43697,139 @@ ${details}`.trim());
     }
   }
   // ──────────────────────────────────────────────────────────────────────
+  // Phase 4: agent sharing — owner-only mutations of the access ACL.
+  // The visibility predicate (Phase 2c) already honors `sharedWithUserIds`;
+  // these handlers surface a typed user-facing path so an owner can grant /
+  // revoke / inspect access from the app instead of editing JSON on disk.
+  //
+  // Authorization:
+  //   - All three handlers require the session's `ownerUserId` to equal the
+  //     agent's `ownerUserId`. Anyone else gets `unauthorized` (including
+  //     existing share-recipients — only the owner can re-share).
+  //   - `resolveAgentIdentifier` already applies `canUserAccessAgent`, so a
+  //     non-recipient even sees the agent as "not found". The owner check
+  //     here is the strictly-tighter follow-up gate for mutations.
+  //   - On a single-tenant daemon (session.ownerUserId == null) the gate
+  //     opens — no isolation to enforce, sharing is a no-op for unscoped
+  //     agents (their ownerUserId is also null).
+  // ──────────────────────────────────────────────────────────────────────
+  async handleShareAgentWithUserRequest(msg) {
+    const resolved = await this.resolveAgentIdentifier(msg.agentId);
+    if (!resolved.ok) {
+      this.emit({
+        type: "share_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: false, error: resolved.error }
+      });
+      return;
+    }
+    const agent = this.agentManager.getAgent(resolved.agentId);
+    if (!agent) {
+      this.emit({
+        type: "share_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: false, error: "Agent not found" }
+      });
+      return;
+    }
+    if (this.ownerUserId !== null && agent.ownerUserId !== null && agent.ownerUserId !== this.ownerUserId) {
+      this.emit({
+        type: "share_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: false, error: "unauthorized" }
+      });
+      return;
+    }
+    try {
+      const sharedWithUserIds = await this.agentManager.shareAgentWithUser(
+        resolved.agentId,
+        msg.userId
+      );
+      this.emit({
+        type: "share_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: true, sharedWithUserIds }
+      });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.emit({
+        type: "share_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: false, error: message }
+      });
+    }
+  }
+  async handleUnshareAgentWithUserRequest(msg) {
+    const resolved = await this.resolveAgentIdentifier(msg.agentId);
+    if (!resolved.ok) {
+      this.emit({
+        type: "unshare_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: false, error: resolved.error }
+      });
+      return;
+    }
+    const agent = this.agentManager.getAgent(resolved.agentId);
+    if (!agent) {
+      this.emit({
+        type: "unshare_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: false, error: "Agent not found" }
+      });
+      return;
+    }
+    if (this.ownerUserId !== null && agent.ownerUserId !== null && agent.ownerUserId !== this.ownerUserId) {
+      this.emit({
+        type: "unshare_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: false, error: "unauthorized" }
+      });
+      return;
+    }
+    try {
+      const sharedWithUserIds = await this.agentManager.unshareAgentWithUser(
+        resolved.agentId,
+        msg.userId
+      );
+      this.emit({
+        type: "unshare_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: true, sharedWithUserIds }
+      });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      this.emit({
+        type: "unshare_agent_with_user_response",
+        payload: { requestId: msg.requestId, ok: false, error: message }
+      });
+    }
+  }
+  async handleListAgentSharedUsersRequest(msg) {
+    const resolved = await this.resolveAgentIdentifier(msg.agentId);
+    if (!resolved.ok) {
+      this.emit({
+        type: "list_agent_shared_users_response",
+        payload: { requestId: msg.requestId, ok: false, error: resolved.error }
+      });
+      return;
+    }
+    const agent = this.agentManager.getAgent(resolved.agentId);
+    if (!agent) {
+      this.emit({
+        type: "list_agent_shared_users_response",
+        payload: { requestId: msg.requestId, ok: false, error: "Agent not found" }
+      });
+      return;
+    }
+    if (this.ownerUserId !== null && agent.ownerUserId !== null && agent.ownerUserId !== this.ownerUserId) {
+      this.emit({
+        type: "list_agent_shared_users_response",
+        payload: { requestId: msg.requestId, ok: false, error: "unauthorized" }
+      });
+      return;
+    }
+    this.emit({
+      type: "list_agent_shared_users_response",
+      payload: {
+        requestId: msg.requestId,
+        ok: true,
+        ownerUserId: agent.ownerUserId,
+        sharedWithUserIds: [...agent.sharedWithUserIds]
+      }
+    });
+  }
+  // ──────────────────────────────────────────────────────────────────────
   // Session images — backs the "Images" tab inside the uploads modal. Same
   // shape as the file handlers above; the store has no manifest, so listing
   // is a directory scan and delete is `unlink` (traversal-guarded).
@@ -45421,7 +46004,7 @@ import webpush from "web-push";
 import webpush2 from "web-push";
 
 // ../server/src/server/speech/providers/local/sherpa/model-catalog.ts
-import { z as z37 } from "zod";
+import { z as z39 } from "zod";
 var SHERPA_ONNX_MODEL_CATALOG = {
   "zipformer-bilingual-zh-en-2023-02-20": {
     kind: "stt-online",
@@ -45514,7 +46097,7 @@ function buildAliasMap(modelIds) {
 }
 function createAliasedModelIdSchema(params) {
   const validIds = new Set(params.modelIds);
-  return z37.string().trim().toLowerCase().refine(
+  return z39.string().trim().toLowerCase().refine(
     (value) => validIds.has(value) || Object.prototype.hasOwnProperty.call(params.aliases, value),
     {
       message: "Invalid model id"
@@ -45545,20 +46128,20 @@ import { v4 as uuidv410 } from "uuid";
 import { v4 as uuidv411 } from "uuid";
 
 // ../server/src/server/speech/providers/openai/config.ts
-import { z as z38 } from "zod";
+import { z as z40 } from "zod";
 var DEFAULT_OPENAI_REALTIME_TRANSCRIPTION_MODEL = "gpt-4o-transcribe";
 var DEFAULT_OPENAI_TTS_MODEL = "tts-1";
-var OpenAiTtsVoiceSchema = z38.enum(["alloy", "echo", "fable", "onyx", "nova", "shimmer"]);
-var OpenAiTtsModelSchema = z38.enum(["tts-1", "tts-1-hd"]);
-var NumberLikeSchema = z38.union([z38.number(), z38.string().trim().min(1)]);
-var OptionalFiniteNumberSchema = NumberLikeSchema.pipe(z38.coerce.number().finite()).optional();
-var OptionalTrimmedStringSchema = z38.string().trim().optional().transform((value) => value && value.length > 0 ? value : void 0);
-var OpenAiSpeechResolutionSchema = z38.object({
+var OpenAiTtsVoiceSchema = z40.enum(["alloy", "echo", "fable", "onyx", "nova", "shimmer"]);
+var OpenAiTtsModelSchema = z40.enum(["tts-1", "tts-1-hd"]);
+var NumberLikeSchema = z40.union([z40.number(), z40.string().trim().min(1)]);
+var OptionalFiniteNumberSchema = NumberLikeSchema.pipe(z40.coerce.number().finite()).optional();
+var OptionalTrimmedStringSchema = z40.string().trim().optional().transform((value) => value && value.length > 0 ? value : void 0);
+var OpenAiSpeechResolutionSchema = z40.object({
   apiKey: OptionalTrimmedStringSchema,
   sttConfidenceThreshold: OptionalFiniteNumberSchema,
   sttModel: OptionalTrimmedStringSchema,
-  ttsVoice: z38.string().trim().toLowerCase().pipe(OpenAiTtsVoiceSchema).default("alloy"),
-  ttsModel: z38.string().trim().toLowerCase().pipe(OpenAiTtsModelSchema).default(DEFAULT_OPENAI_TTS_MODEL),
+  ttsVoice: z40.string().trim().toLowerCase().pipe(OpenAiTtsVoiceSchema).default("alloy"),
+  ttsModel: z40.string().trim().toLowerCase().pipe(OpenAiTtsModelSchema).default(DEFAULT_OPENAI_TTS_MODEL),
   realtimeTranscriptionModel: OptionalTrimmedStringSchema.default(
     DEFAULT_OPENAI_REALTIME_TRANSCRIPTION_MODEL
   )
@@ -45602,17 +46185,6 @@ import { v4 } from "uuid";
 // ../server/src/server/speech/providers/openai/tts.ts
 import OpenAI2 from "openai";
 
-// ../server/src/server/agent/agent-manager.ts
-import { z as z40 } from "zod";
-import { getSessionMessages } from "@anthropic-ai/claude-agent-sdk";
-
-// ../server/src/server/agent/handoff-mcp.ts
-import { createSdkMcpServer, tool } from "@anthropic-ai/claude-agent-sdk";
-import { z as z39 } from "zod";
-
-// ../server/src/server/agent/agent-manager.ts
-var AgentIdSchema2 = z40.string().uuid();
-
 // ../server/src/server/agent/agent-storage.ts
 import { z as z41 } from "zod";
 var SERIALIZABLE_CONFIG_SCHEMA = z41.object({
@@ -45662,7 +46234,22 @@ var STORED_AGENT_SCHEMA = z41.object({
   archivedAt: z41.string().nullable().optional(),
   // Fork lineage (optional for backward compat with pre-fork records).
   parentAgentId: z41.string().optional(),
-  forkedFromMessageUuid: z41.string().optional()
+  forkedFromMessageUuid: z41.string().optional(),
+  // Multi-tenant session isolation: the auth-server user-id that created
+  // (and therefore owns) this agent + the additive ACL of other users
+  // granted access. Both optional/null-default for backward compatibility
+  // with pre-Phase-2c records — those load with `null` owner and stay
+  // visible to every connecting user (matches today's single-tenant
+  // behavior). Set on new agents at create time via Session.ownerUserId.
+  ownerUserId: z41.string().nullable().optional(),
+  sharedWithUserIds: z41.array(z41.string()).default([]),
+  // Owner's display username — needed on resume to route to the correct
+  // `CLAUDE_CONFIG_DIR` via `ensureClaudeProfile(username)` for agents
+  // created by a shared (non-owner) user. Without this, a resumed shared-
+  // user agent would silently fall back to the daemon owner's Claude
+  // profile/subscription. Optional — pre-Phase-3 records rehydrate without
+  // per-user profile routing.
+  ownerUsername: z41.string().optional()
 });
 
 // ../server/src/server/agent/mcp-server.ts
@@ -45863,16 +46450,16 @@ function isRelayClientWebSocketUrl(url) {
 }
 
 // ../server/src/server/config.ts
-import path21 from "node:path";
+import path22 from "node:path";
 import { z as z51 } from "zod";
 
 // ../server/src/server/speech/speech-config-resolver.ts
 import { z as z50 } from "zod";
 
 // ../server/src/server/speech/providers/local/config.ts
-import path20 from "node:path";
+import path21 from "node:path";
 import { z as z48 } from "zod";
-var DEFAULT_LOCAL_MODELS_SUBDIR = path20.join("models", "local-speech");
+var DEFAULT_LOCAL_MODELS_SUBDIR = path21.join("models", "local-speech");
 var NumberLikeSchema2 = z48.union([z48.number(), z48.string().trim().min(1)]);
 var OptionalFiniteNumberSchema2 = NumberLikeSchema2.pipe(z48.coerce.number().finite()).optional();
 var OptionalIntegerSchema = NumberLikeSchema2.pipe(z48.coerce.number().int()).optional();
@@ -45899,7 +46486,7 @@ function resolveLocalSpeechConfig(params) {
   const includeProviderConfig = shouldIncludeLocalProviderConfig(params);
   const parsed = LocalSpeechResolutionSchema.parse({
     includeProviderConfig,
-    modelsDir: params.env.APPOSTLE_LOCAL_MODELS_DIR ?? params.persisted.providers?.local?.modelsDir ?? path20.join(params.appostleHome, DEFAULT_LOCAL_MODELS_SUBDIR),
+    modelsDir: params.env.APPOSTLE_LOCAL_MODELS_DIR ?? params.persisted.providers?.local?.modelsDir ?? path21.join(params.appostleHome, DEFAULT_LOCAL_MODELS_SUBDIR),
     dictationLocalSttModel: params.env.APPOSTLE_DICTATION_LOCAL_STT_MODEL ?? persistedLocalFeatureModel(
       params.providers.dictationStt.provider,
       params.providers.dictationStt.enabled,
@@ -46155,7 +46742,7 @@ function loadConfig(appostleHome, options) {
     chromeEnabled,
     mcpDebug: env.MCP_DEBUG === "1",
     daemonIcon,
-    agentStoragePath: path21.join(appostleHome, "agents"),
+    agentStoragePath: path22.join(appostleHome, "agents"),
     staticDir: "public",
     agentClients: {},
     relayEnabled,
@@ -46346,10 +46933,10 @@ function encodeUtf8String(value) {
 function createRelayE2eeTransportFactory(args) {
   return ({ url, headers }) => {
     const base = args.baseFactory({ url, headers });
-    return createEncryptedTransport(base, args.daemonPublicKeyB64, args.logger);
+    return createEncryptedTransport(base, args.daemonPublicKeyB64, args.logger, args.staticKeyPair);
   };
 }
-function createEncryptedTransport(base, daemonPublicKeyB64, logger) {
+function createEncryptedTransport(base, daemonPublicKeyB64, logger, staticKeyPair) {
   let channel = null;
   let opened = false;
   let closed = false;
@@ -46406,12 +46993,17 @@ function createEncryptedTransport(base, daemonPublicKeyB64, logger) {
   };
   const startHandshake = async () => {
     try {
-      channel = await createClientChannel(relayTransport, daemonPublicKeyB64, {
-        onopen: emitOpen,
-        onmessage: (data) => emitMessage(data),
-        onclose: (code, reason) => emitClose({ code, reason }),
-        onerror: (error) => emitError(error)
-      });
+      channel = await createClientChannel(
+        relayTransport,
+        daemonPublicKeyB64,
+        {
+          onopen: emitOpen,
+          onmessage: (data) => emitMessage(data),
+          onclose: (code, reason) => emitClose({ code, reason }),
+          onerror: (error) => emitError(error)
+        },
+        staticKeyPair
+      );
     } catch (error) {
       logger.warn({ err: normalizeTransportError(error) }, "relay_e2ee_handshake_failed");
       emitError(error);
@@ -46774,7 +47366,8 @@ var DaemonClient = class {
         transportFactory = createRelayE2eeTransportFactory({
           baseFactory: baseTransportFactory,
           daemonPublicKeyB64,
-          logger: this.logger
+          logger: this.logger,
+          staticKeyPair: this.config.e2ee?.staticKeyPair
         });
       }
       const transportUrl = this.resolveTransportUrlForAttempt();
@@ -47405,12 +47998,12 @@ var DaemonClient = class {
       timeout: 1e4
     });
   }
-  async openInEditor(path28, editorId, requestId) {
+  async openInEditor(path29, editorId, requestId) {
     return this.sendCorrelatedSessionRequest({
       requestId,
       message: {
         type: "open_in_editor_request",
-        path: path28,
+        path: path29,
         editorId
       },
       responseType: "open_in_editor_response",
@@ -47848,6 +48441,99 @@ var DaemonClient = class {
       throw new Error(payload.error || "Failed to delete session upload");
     }
   }
+  // ──────────────────────────────────────────────────────────────────────
+  // Phase 4 agent sharing — owner-only mutations of the per-agent ACL.
+  // ──────────────────────────────────────────────────────────────────────
+  /**
+   * Grant a user access to this agent. Owner-only. Idempotent — sharing
+   * with a user already on the ACL is a no-op. The recipient does not
+   * need to be currently paired; access takes effect at their next
+   * connection.
+   */
+  async shareAgentWithUser(agentId, userId) {
+    const requestId = this.createRequestId();
+    const message = SessionInboundMessageSchema.parse({
+      type: "share_agent_with_user_request",
+      requestId,
+      agentId,
+      userId
+    });
+    const payload = await this.sendRequest({
+      requestId,
+      message,
+      timeout: 15e3,
+      options: { skipQueue: true },
+      select: (msg) => {
+        if (msg.type !== "share_agent_with_user_response") return null;
+        if (msg.payload.requestId !== requestId) return null;
+        return msg.payload;
+      }
+    });
+    if (!payload.ok) {
+      throw new Error(payload.error || "Failed to share agent");
+    }
+    return payload.sharedWithUserIds;
+  }
+  /**
+   * Revoke a user's access to this agent. Owner-only. Effects are
+   * immediate — once the auth-server allow-list propagates (and the
+   * daemon's in-memory state updates here), the removed user's resolver
+   * answers "Agent not found" for any further per-agent RPC.
+   */
+  async unshareAgentWithUser(agentId, userId) {
+    const requestId = this.createRequestId();
+    const message = SessionInboundMessageSchema.parse({
+      type: "unshare_agent_with_user_request",
+      requestId,
+      agentId,
+      userId
+    });
+    const payload = await this.sendRequest({
+      requestId,
+      message,
+      timeout: 15e3,
+      options: { skipQueue: true },
+      select: (msg) => {
+        if (msg.type !== "unshare_agent_with_user_response") return null;
+        if (msg.payload.requestId !== requestId) return null;
+        return msg.payload;
+      }
+    });
+    if (!payload.ok) {
+      throw new Error(payload.error || "Failed to unshare agent");
+    }
+    return payload.sharedWithUserIds;
+  }
+  /**
+   * Return the ACL — owner + the user-ids the owner has granted access
+   * to. Owner-only: recipients can't enumerate who else has access.
+   */
+  async listAgentSharedUsers(agentId) {
+    const requestId = this.createRequestId();
+    const message = SessionInboundMessageSchema.parse({
+      type: "list_agent_shared_users_request",
+      requestId,
+      agentId
+    });
+    const payload = await this.sendRequest({
+      requestId,
+      message,
+      timeout: 15e3,
+      options: { skipQueue: true },
+      select: (msg) => {
+        if (msg.type !== "list_agent_shared_users_response") return null;
+        if (msg.payload.requestId !== requestId) return null;
+        return msg.payload;
+      }
+    });
+    if (!payload.ok) {
+      throw new Error(payload.error || "Failed to list agent shared users");
+    }
+    return {
+      ownerUserId: payload.ownerUserId,
+      sharedWithUserIds: payload.sharedWithUserIds
+    };
+  }
   /**
    * List the images the user has attached to this agent's chat (the "Images"
    * tab in the uploads modal). Returns newest first; the daemon scans
@@ -48896,13 +49582,13 @@ var DaemonClient = class {
   // ============================================================================
   // File Explorer
   // ============================================================================
-  async exploreFileSystem(cwd, path28, mode = "list", requestId) {
+  async exploreFileSystem(cwd, path29, mode = "list", requestId) {
     return this.sendCorrelatedSessionRequest({
       requestId,
       message: {
         type: "file_explorer_request",
         cwd,
-        path: path28,
+        path: path29,
         mode
       },
       responseType: "file_explorer_response",
@@ -48914,13 +49600,13 @@ var DaemonClient = class {
    * allowlists extensions (currently `.md` only) — callers don't need to
    * re-check. Used by the plan-todos UI to rewrite plan-file frontmatter.
    */
-  async writeFile(cwd, path28, content, requestId) {
+  async writeFile(cwd, path29, content, requestId) {
     return this.sendCorrelatedSessionRequest({
       requestId,
       message: {
         type: "file_write_request",
         cwd,
-        path: path28,
+        path: path29,
         content
       },
       responseType: "file_write_response",
@@ -48933,42 +49619,42 @@ var DaemonClient = class {
    * action is the only consumer). Returns the daemon's structured response
    * so callers can surface the error in the UI.
    */
-  async deleteFile(cwd, path28, requestId) {
+  async deleteFile(cwd, path29, requestId) {
     return this.sendCorrelatedSessionRequest({
       requestId,
       message: {
         type: "file_delete_request",
         cwd,
-        path: path28
+        path: path29
       },
       responseType: "file_delete_response",
       timeout: 1e4
     });
   }
-  async requestDownloadToken(cwd, path28, requestId) {
+  async requestDownloadToken(cwd, path29, requestId) {
     return this.sendCorrelatedSessionRequest({
       requestId,
       message: {
         type: "file_download_token_request",
         cwd,
-        path: path28
+        path: path29
       },
       responseType: "file_download_token_response",
       timeout: 1e4
     });
   }
-  async explorerDeleteEntry(cwd, path28, requestId) {
+  async explorerDeleteEntry(cwd, path29, requestId) {
     return this.sendCorrelatedSessionRequest({
       requestId,
-      message: { type: "file_explorer_delete_request", cwd, path: path28 },
+      message: { type: "file_explorer_delete_request", cwd, path: path29 },
       responseType: "file_explorer_delete_response",
       timeout: 1e4
     });
   }
-  async explorerMkdir(cwd, path28, requestId) {
+  async explorerMkdir(cwd, path29, requestId) {
     return this.sendCorrelatedSessionRequest({
       requestId,
-      message: { type: "file_mkdir_request", cwd, path: path28 },
+      message: { type: "file_mkdir_request", cwd, path: path29 },
       responseType: "file_mkdir_response",
       timeout: 1e4
     });
@@ -49998,7 +50684,9 @@ var DaemonClient = class {
           clientId: this.config.clientId,
           clientType: this.config.clientType ?? "cli",
           protocolVersion: 1,
-          ...this.config.appVersion ? { appVersion: this.config.appVersion } : {}
+          ...this.config.appVersion ? { appVersion: this.config.appVersion } : {},
+          ...this.config.userId ? { userId: this.config.userId } : {},
+          ...this.config.username ? { username: this.config.username } : {}
         })
       );
     } catch (error) {
@@ -50394,7 +51082,7 @@ function resolveAgentConfig(options) {
 }
 
 // ../cli/src/utils/client.ts
-import path22 from "node:path";
+import path23 from "node:path";
 import WebSocket3 from "ws";
 
 // ../cli/src/utils/client-id.ts
@@ -50470,8 +51158,8 @@ function isTcpDaemonHost(host) {
   return host !== null && !isIpcDaemonHost(host);
 }
 function readPidSocketTarget(appostleHome) {
-  const pidPath = path22.join(appostleHome, PID_FILENAME);
-  if (!existsSync11(pidPath)) {
+  const pidPath = path23.join(appostleHome, PID_FILENAME);
+  if (!existsSync12(pidPath)) {
     return null;
   }
   try {
@@ -50939,12 +51627,12 @@ function relativeTime(date) {
   if (seconds < 86400) return `${Math.floor(seconds / 3600)} hours ago`;
   return `${Math.floor(seconds / 86400)} days ago`;
 }
-function shortenPath(path28) {
+function shortenPath(path29) {
   const home = process.env.HOME;
-  if (home && path28.startsWith(home)) {
-    return "~" + path28.slice(home.length);
+  if (home && path29.startsWith(home)) {
+    return "~" + path29.slice(home.length);
   }
-  return path28;
+  return path29;
 }
 function normalizeModelId(modelId) {
   if (typeof modelId !== "string") return null;
@@ -51801,10 +52489,10 @@ function addSendOptions(cmd) {
 }
 async function readImageFiles(imagePaths) {
   const images = [];
-  for (const path28 of imagePaths) {
+  for (const path29 of imagePaths) {
     try {
-      const buffer = await readFile5(path28);
-      const ext = extname5(path28).toLowerCase();
+      const buffer = await readFile5(path29);
+      const ext = extname5(path29).toLowerCase();
       let mimeType = "image/jpeg";
       switch (ext) {
         case ".png":
@@ -51832,7 +52520,7 @@ async function readImageFiles(imagePaths) {
       const message = err instanceof Error ? err.message : String(err);
       const error = {
         code: "IMAGE_READ_ERROR",
-        message: `Failed to read image file: ${path28}`,
+        message: `Failed to read image file: ${path29}`,
         details: message
       };
       throw error;
@@ -52005,12 +52693,12 @@ function createInspectSchema(agent) {
     serialize: (_item) => agent
   };
 }
-function shortenPath2(path28) {
+function shortenPath2(path29) {
   const home = process.env.HOME;
-  if (home && path28.startsWith(home)) {
-    return "~" + path28.slice(home.length);
+  if (home && path29.startsWith(home)) {
+    return "~" + path29.slice(home.length);
   }
-  return path28;
+  return path29;
 }
 function formatCost(costUsd) {
   if (costUsd === 0) return "$0.00";
@@ -52976,9 +53664,9 @@ import chalk3 from "chalk";
 
 // ../cli/src/commands/daemon/local-daemon.ts
 import { spawn as spawn7, spawnSync } from "node:child_process";
-import { existsSync as existsSync12, readFileSync as readFileSync9 } from "node:fs";
+import { existsSync as existsSync13, readFileSync as readFileSync9 } from "node:fs";
 import { createRequire as createRequire3 } from "node:module";
-import path23 from "node:path";
+import path24 from "node:path";
 import { fileURLToPath as fileURLToPath3 } from "node:url";
 var DETACHED_STARTUP_GRACE_MS = 1200;
 var PID_POLL_INTERVAL_MS = 100;
@@ -53029,8 +53717,8 @@ function buildChildEnv(options) {
 function resolveDaemonRunnerEntry() {
   try {
     const here = fileURLToPath3(import.meta.url);
-    const sibling = path23.join(path23.dirname(here), "supervisor-entrypoint.js");
-    if (existsSync12(sibling)) {
+    const sibling = path24.join(path24.dirname(here), "supervisor-entrypoint.js");
+    if (existsSync13(sibling)) {
       return sibling;
     }
   } catch {
@@ -53043,23 +53731,23 @@ function resolveDaemonRunnerEntry() {
       "Unable to resolve @appostle/server package root for daemon runner (and no sibling supervisor-entrypoint.js was bundled)"
     );
   }
-  let currentDir = path23.dirname(serverExportPath);
+  let currentDir = path24.dirname(serverExportPath);
   while (true) {
-    const packageJsonPath = path23.join(currentDir, "package.json");
-    if (existsSync12(packageJsonPath)) {
+    const packageJsonPath = path24.join(currentDir, "package.json");
+    if (existsSync13(packageJsonPath)) {
       try {
         const packageJson = JSON.parse(readFileSync9(packageJsonPath, "utf-8"));
         if (packageJson.name === "@appostle/server") {
-          const distRunner = path23.join(currentDir, "dist", "scripts", "supervisor-entrypoint.js");
-          if (existsSync12(distRunner)) {
+          const distRunner = path24.join(currentDir, "dist", "scripts", "supervisor-entrypoint.js");
+          if (existsSync13(distRunner)) {
             return distRunner;
           }
-          return path23.join(currentDir, "scripts", "supervisor-entrypoint.ts");
+          return path24.join(currentDir, "scripts", "supervisor-entrypoint.ts");
         }
       } catch {
       }
     }
-    const parentDir = path23.dirname(currentDir);
+    const parentDir = path24.dirname(currentDir);
     if (parentDir === currentDir) {
       break;
     }
@@ -53068,7 +53756,7 @@ function resolveDaemonRunnerEntry() {
   throw new Error("Unable to resolve @appostle/server package root for daemon runner");
 }
 function pidFilePath(appostleHome) {
-  return path23.join(appostleHome, DAEMON_PID_FILENAME);
+  return path24.join(appostleHome, DAEMON_PID_FILENAME);
 }
 function readPidFile(pidPath) {
   try {
@@ -53210,8 +53898,8 @@ function resolveLocalDaemonState(options = {}) {
   const home = resolveAppostleHome(env);
   const config = loadConfig(home, { env });
   const pidPath = pidFilePath(home);
-  const logPath = path23.join(home, DAEMON_LOG_FILENAME);
-  const pidInfo = existsSync12(pidPath) ? readPidFile(pidPath) : null;
+  const logPath = path24.join(home, DAEMON_LOG_FILENAME);
+  const pidInfo = existsSync13(pidPath) ? readPidFile(pidPath) : null;
   const running = pidInfo ? isProcessRunning(pidInfo.pid) : false;
   const listen = pidInfo?.listen ?? config.listen;
   return {
@@ -53225,7 +53913,7 @@ function resolveLocalDaemonState(options = {}) {
   };
 }
 function tailDaemonLog(home, lines = 30) {
-  const logPath = path23.join(resolveLocalAppostleHome(home), DAEMON_LOG_FILENAME);
+  const logPath = path24.join(resolveLocalAppostleHome(home), DAEMON_LOG_FILENAME);
   return tailFile(logPath, lines);
 }
 async function startLocalDaemonDetached(options) {
@@ -53234,7 +53922,7 @@ async function startLocalDaemonDetached(options) {
   }
   const childEnv = buildChildEnv(options);
   const appostleHome = resolveAppostleHome(childEnv);
-  const logPath = path23.join(appostleHome, DAEMON_LOG_FILENAME);
+  const logPath = path24.join(appostleHome, DAEMON_LOG_FILENAME);
   const daemonRunnerEntry = resolveDaemonRunnerEntry();
   const child = spawn7(
     process.execPath,
@@ -55960,15 +56648,15 @@ import { Command as Command13 } from "commander";
 // ../cli/src/commands/worktree/ls.ts
 import { homedir as homedir7 } from "node:os";
 import { basename as basename7, join as join16, sep as sep3 } from "node:path";
-function shortenPath3(path28) {
+function shortenPath3(path29) {
   const home = process.env.HOME;
-  if (home && path28.startsWith(home)) {
-    return "~" + path28.slice(home.length);
+  if (home && path29.startsWith(home)) {
+    return "~" + path29.slice(home.length);
   }
-  return path28;
+  return path29;
 }
-function extractWorktreeName(path28) {
-  return basename7(path28);
+function extractWorktreeName(path29) {
+  return basename7(path29);
 }
 function resolveAppostleHomePath() {
   return process.env.APPOSTLE_HOME ?? join16(homedir7(), ".appostle");
@@ -56048,7 +56736,7 @@ async function runLsCommand7(options, _command) {
 }
 
 // ../cli/src/commands/worktree/archive.ts
-import path24 from "path";
+import path25 from "path";
 var archiveSchema2 = {
   idField: "name",
   columns: [
@@ -56092,7 +56780,7 @@ async function runArchiveCommand2(nameArg, options, _command) {
       throw error;
     }
     const worktree = listResponse.worktrees.find((wt) => {
-      const name = path24.basename(wt.worktreePath);
+      const name = path25.basename(wt.worktreePath);
       return name === nameArg || wt.branchName === nameArg;
     });
     if (!worktree) {
@@ -56114,7 +56802,7 @@ async function runArchiveCommand2(nameArg, options, _command) {
       };
       throw error;
     }
-    const worktreeName = path24.basename(worktree.worktreePath) || nameArg;
+    const worktreeName = path25.basename(worktree.worktreePath) || nameArg;
     return {
       type: "single",
       data: {
@@ -56155,7 +56843,7 @@ function createWorktreeCommand() {
 import { cancel, confirm, intro, isCancel, log, note, outro, spinner } from "@clack/prompts";
 import { Command as Command14, Option as Option4 } from "commander";
 import { writeFileSync as writeFileSync5 } from "node:fs";
-import path25 from "node:path";
+import path26 from "node:path";
 var DEFAULT_READY_TIMEOUT_MS = 10 * 60 * 1e3;
 var OnboardCancelledError = class extends Error {
 };
@@ -56198,7 +56886,7 @@ function toCliOverrides(options) {
   return cliOverrides;
 }
 function savePersistedConfig2(appostleHome, config) {
-  const configPath = path25.join(appostleHome, "config.json");
+  const configPath = path26.join(appostleHome, "config.json");
   writeFileSync5(configPath, `${JSON.stringify(config, null, 2)}
 `);
 }
@@ -56319,7 +57007,7 @@ ${recentLogs}` : null
   );
 }
 function printNextSteps(pairingUrl, appostleHome, richUi) {
-  const daemonLogPath = path25.join(appostleHome, "daemon.log");
+  const daemonLogPath = path26.join(appostleHome, "daemon.log");
   const nextStepsLines = [
     pairingUrl ? "1. Open Appostle and scan the QR code above, or paste the pairing link." : "1. Open Appostle and connect to your daemon.",
     "2. Web app: https://appostle.app",
@@ -56571,21 +57259,21 @@ function createCli() {
 }
 
 // ../cli/src/classify.ts
-import { existsSync as existsSync13, statSync as statSync3 } from "node:fs";
+import { existsSync as existsSync14, statSync as statSync3 } from "node:fs";
 import { homedir as homedir8 } from "node:os";
-import path26 from "node:path";
+import path27 from "node:path";
 function expandUserPath2(inputPath) {
   if (inputPath === "~") {
     return homedir8();
   }
   if (inputPath.startsWith("~/")) {
-    return path26.join(homedir8(), inputPath.slice(2));
+    return path27.join(homedir8(), inputPath.slice(2));
   }
   return inputPath;
 }
 function isExistingDirectory(input) {
-  const resolvedPath = path26.resolve(input.cwd, expandUserPath2(input.pathArg));
-  if (!existsSync13(resolvedPath)) {
+  const resolvedPath = path27.resolve(input.cwd, expandUserPath2(input.pathArg));
+  if (!existsSync14(resolvedPath)) {
     return false;
   }
   return statSync3(resolvedPath).isDirectory();
@@ -56604,25 +57292,25 @@ function classifyInvocation(input) {
   if (isExistingDirectory({ pathArg: firstArg, cwd: input.cwd })) {
     return {
       kind: "open-project",
-      resolvedPath: path26.resolve(input.cwd, expandUserPath2(firstArg))
+      resolvedPath: path27.resolve(input.cwd, expandUserPath2(firstArg))
     };
   }
   return { kind: "cli", argv: input.argv };
 }
 
 // ../cli/src/commands/open.ts
-import { existsSync as existsSync14 } from "node:fs";
+import { existsSync as existsSync15 } from "node:fs";
 import { spawn as spawn8 } from "node:child_process";
 import { homedir as homedir9 } from "node:os";
-import path27 from "node:path";
+import path28 from "node:path";
 function findDesktopApp() {
   if (process.platform === "darwin") {
     const candidates = [
       "/Applications/Appostle.app",
-      path27.join(homedir9(), "Applications", "Appostle.app")
+      path28.join(homedir9(), "Applications", "Appostle.app")
     ];
     for (const candidate of candidates) {
-      if (existsSync14(candidate)) {
+      if (existsSync15(candidate)) {
         return candidate;
       }
     }
@@ -56632,10 +57320,10 @@ function findDesktopApp() {
     const candidates = [
       "/usr/bin/Appostle",
       "/opt/Appostle/Appostle",
-      path27.join(homedir9(), "Applications", "Appostle.AppImage")
+      path28.join(homedir9(), "Applications", "Appostle.AppImage")
     ];
     for (const candidate of candidates) {
-      if (existsSync14(candidate)) {
+      if (existsSync15(candidate)) {
         return candidate;
       }
     }
@@ -56646,8 +57334,8 @@ function findDesktopApp() {
     if (!localAppData) {
       return null;
     }
-    const candidate = path27.join(localAppData, "Programs", "Appostle", "Appostle.exe");
-    return existsSync14(candidate) ? candidate : null;
+    const candidate = path28.join(localAppData, "Programs", "Appostle", "Appostle.exe");
+    return existsSync15(candidate) ? candidate : null;
   }
   return null;
 }