clawborrator-cli 0.0.54 → 0.0.56

package/dist-bundled/claw.cjs

@@ -5226,7 +5226,7 @@ var require_websocket = __commonJS({
     var http = require("http");
     var net = require("net");
     var tls = require("tls");
-    var { randomBytes: randomBytes2, createHash: createHash2 } = require("crypto");
+    var { randomBytes: randomBytes3, createHash: createHash3 } = require("crypto");
     var { Duplex, Readable } = require("stream");
     var { URL: URL2 } = require("url");
     var PerMessageDeflate2 = require_permessage_deflate();
@@ -5756,7 +5756,7 @@ var require_websocket = __commonJS({
         }
       }
       const defaultPort = isSecure ? 443 : 80;
-      const key = randomBytes2(16).toString("base64");
+      const key = randomBytes3(16).toString("base64");
       const request2 = isSecure ? https.request : http.request;
       const protocolSet = /* @__PURE__ */ new Set();
       let perMessageDeflate;
@@ -5886,7 +5886,7 @@ var require_websocket = __commonJS({
           abortHandshake(websocket, socket, "Invalid Upgrade header");
           return;
         }
-        const digest = createHash2("sha1").update(key + GUID).digest("base64");
+        const digest = createHash3("sha1").update(key + GUID).digest("base64");
         if (res.headers["sec-websocket-accept"] !== digest) {
           abortHandshake(websocket, socket, "Invalid Sec-WebSocket-Accept header");
           return;
@@ -6253,7 +6253,7 @@ var require_websocket_server = __commonJS({
     var EventEmitter = require("events");
     var http = require("http");
     var { Duplex } = require("stream");
-    var { createHash: createHash2 } = require("crypto");
+    var { createHash: createHash3 } = require("crypto");
     var extension2 = require_extension();
     var PerMessageDeflate2 = require_permessage_deflate();
     var subprotocol2 = require_subprotocol();
@@ -6554,7 +6554,7 @@ var require_websocket_server = __commonJS({
           );
         }
         if (this._state > RUNNING) return abortHandshake(socket, 503);
-        const digest = createHash2("sha1").update(key + GUID).digest("base64");
+        const digest = createHash3("sha1").update(key + GUID).digest("base64");
         const headers = [
           "HTTP/1.1 101 Switching Protocols",
           "Upgrade: websocket",
@@ -64056,34 +64056,38 @@ var ApiError = class extends Error {
     this.name = "ApiError";
   }
 };
+function buildRequestHeaders(body, token) {
+  const headers = {};
+  if (body !== void 0) headers["Content-Type"] = "application/json";
+  if (token) headers["Authorization"] = `Bearer ${token}`;
+  return headers;
+}
+function parseResponseBody(text) {
+  if (!text) return null;
+  try {
+    return JSON.parse(text);
+  } catch {
+    return { error: text };
+  }
+}
+function buildApiError(status, parsed) {
+  const code = parsed?.error || `http_${status}`;
+  const msg = typeof parsed?.message === "string" ? parsed.message : code;
+  return new ApiError(status, code, msg);
+}
 async function request(method, path, body, opts = {}) {
   const cfg = loadConfig();
   const hubUrl = (opts.hubUrl ?? cfg.hubUrl).replace(/\/$/, "");
   const token = opts.token === void 0 ? cfg.sessionToken : opts.token;
-  const headers = {};
-  if (body !== void 0) headers["Content-Type"] = "application/json";
-  if (token) headers["Authorization"] = `Bearer ${token}`;
   const res = await fetch(`${hubUrl}${path}`, {
     method,
-    headers,
+    headers: buildRequestHeaders(body, token),
     body: body !== void 0 ? JSON.stringify(body) : void 0,
     signal: opts.signal
   });
   if (res.status === 204) return void 0;
-  const text = await res.text();
-  let parsed = null;
-  if (text) {
-    try {
-      parsed = JSON.parse(text);
-    } catch {
-      parsed = { error: text };
-    }
-  }
-  if (!res.ok) {
-    const code = parsed?.error || `http_${res.status}`;
-    const msg = typeof parsed?.message === "string" ? parsed.message : code;
-    throw new ApiError(res.status, code, msg);
-  }
+  const parsed = parseResponseBody(await res.text());
+  if (!res.ok) throw buildApiError(res.status, parsed);
   return parsed;
 }
 var api = {
@@ -67615,36 +67619,34 @@ var AmbiguousError = class extends Error {
   }
   code = "CLW_AMBIGUOUS";
 };
-async function pickCandidate(input, candidates, opts = {}) {
-  if (candidates.length === 1) return candidates[0];
+function selectPromptSet(candidates, opts) {
   const live = candidates.filter((c) => c.connected);
-  let promptSet;
   if (opts.destructive) {
-    if (candidates.length <= 1) return candidates[0];
-    promptSet = candidates;
-  } else {
-    if (live.length <= 1) return live[0] ?? candidates[0];
-    promptSet = live;
-  }
-  if (!process.stdin.isTTY || !process.stderr.isTTY) {
-    throw new AmbiguousError(promptSet, input);
+    if (candidates.length <= 1) return { auto: candidates[0] };
+    return { promptSet: candidates };
   }
+  if (live.length <= 1) return { auto: live[0] ?? candidates[0] };
+  return { promptSet: live };
+}
+function formatCandidateLine(c, idx) {
+  const qualified = c.routingName ? `@${c.startedByLogin}/${c.routingName.replace(/^@/, "")}` : `(no routing name)`;
+  const status = c.connected ? `${BOLD}\u25CF online${RESET}` : `${DIM}\u25CB offline${RESET}`;
+  const cwd = c.cwd ? `  ${DIM}${c.cwd}${RESET}` : "";
+  const host = c.host ? `  ${DIM}${c.host}${RESET}` : "";
+  const seen = c.lastSeenAt ? `  ${DIM}last seen ${c.lastSeenAt}${RESET}` : "";
+  return `  ${BOLD}${idx + 1}${RESET}. ${qualified}  ${status}${host}${cwd}${seen}
+     ${DIM}id ${c.id}${RESET}`;
+}
+function renderPromptList(input, promptSet) {
   process.stderr.write(`${BOLD}'${input}' is ambiguous \u2014 pick a session:${RESET}
 `);
   for (let i = 0; i < promptSet.length; i++) {
-    const c = promptSet[i];
-    const qualified = c.routingName ? `@${c.startedByLogin}/${c.routingName.replace(/^@/, "")}` : `(no routing name)`;
-    const status = c.connected ? `${BOLD}\u25CF online${RESET}` : `${DIM}\u25CB offline${RESET}`;
-    const cwd = c.cwd ? `  ${DIM}${c.cwd}${RESET}` : "";
-    const host = c.host ? `  ${DIM}${c.host}${RESET}` : "";
-    const seen = c.lastSeenAt ? `  ${DIM}last seen ${c.lastSeenAt}${RESET}` : "";
-    process.stderr.write(`  ${BOLD}${i + 1}${RESET}. ${qualified}  ${status}${host}${cwd}${seen}
-`);
-    process.stderr.write(`     ${DIM}id ${c.id}${RESET}
-`);
+    process.stderr.write(formatCandidateLine(promptSet[i], i) + "\n");
   }
   process.stderr.write(`  ${BOLD}q${RESET}. cancel
 `);
+}
+async function readSelection(promptSet) {
   const rl = (0, import_node_readline.createInterface)({ input: process.stdin, output: process.stderr });
   const answer = await new Promise((resolve3) => {
     rl.question(`pick [1-${promptSet.length}]: `, resolve3);
@@ -67660,6 +67662,17 @@ async function pickCandidate(input, candidates, opts = {}) {
   }
   return promptSet[idx - 1];
 }
+async function pickCandidate(input, candidates, opts = {}) {
+  if (candidates.length === 1) return candidates[0];
+  const sel = selectPromptSet(candidates, opts);
+  if ("auto" in sel) return sel.auto;
+  const promptSet = sel.promptSet;
+  if (!process.stdin.isTTY || !process.stderr.isTTY) {
+    throw new AmbiguousError(promptSet, input);
+  }
+  renderPromptList(input, promptSet);
+  return readSelection(promptSet);
+}
 
 // src/commands/session-attach.ts
 var RESET2 = "\x1B[0m";
@@ -67776,161 +67789,336 @@ function emitChatLine(prefix, body) {
     say(`  ${line}`);
   }
 }
-var sessionAttach = new Command("attach").description("open a TUI on a session \u2014 see the chat stream, post op-messages").argument("<ref>", "session UUID or @routingName (e.g. @driver)").option("--limit <n>", 'history items to load before the live stream begins. 0 = none. "all" = up to 5000. default 50.', "50").option("--no-op-messages", "exclude op-messages from the history backlog (live ones still arrive once attached)").option("--no-markdown", "render assistant_text and reply payloads as raw text instead of formatted markdown").option("--debug", "after every rendered event, print its full JSON payload (truncated at 2 KB) \u2014 surfaces fields the renderer normally hides (e.g., SubagentStop's last_assistant_message, PreToolUse tool_input details)").option("--no-status", 'disable the animated "claude working" dot at the bottom of the TUI (useful for piped output or rough-ANSI terminals)').action(async (ref, opts) => {
+function applyAttachFlags(opts) {
   if (opts.markdown === false) markdownEnabled = false;
   if (opts.debug) debugMode = true;
   if (opts.status === false) statusEnabled = false;
-  const cfg = loadConfig();
-  if (!cfg.sessionToken) {
-    console.error("error: not logged in. run `claw login`.");
+}
+async function fetchMyLogin() {
+  try {
+    const me = await api.get("/api/v1/me");
+    return me.githubLogin;
+  } catch {
+    return null;
+  }
+}
+var ATTACH_UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+function splitRoutingRef(ref) {
+  const needle = ref.startsWith("@") ? ref : "@" + ref;
+  const slash = needle.indexOf("/");
+  if (slash > 0) {
+    return {
+      ownerLogin: needle.slice(1, slash),
+      slug: "@" + needle.slice(slash + 1).replace(/^@/, "")
+    };
+  }
+  return { ownerLogin: null, slug: needle };
+}
+function filterCandidatesByName(items, parts) {
+  let candidates = items.filter((s) => s.routingName === parts.slug);
+  if (parts.ownerLogin !== null) {
+    candidates = candidates.filter((s) => s.startedByLogin === parts.ownerLogin);
+  } else {
+    const mine = candidates.filter((s) => s.role === "owner");
+    if (mine.length > 0) candidates = mine;
+  }
+  return candidates;
+}
+function reportAmbiguousAndExit(ref, e) {
+  const usedQualified = ref.includes("/");
+  const advice = usedQualified ? `'${ref}' is ambiguous even within owner \u2014 multiple sessions share the same routing name. Re-run with a session UUID:` : `'${ref}' is ambiguous \u2014 re-run with the qualified @owner/slug form, or with a UUID if even that collides:`;
+  console.error(`error: ${advice}`);
+  for (const c of e.candidates) {
+    console.error(`  ${c.id}  @${c.startedByLogin}/${(c.routingName ?? "").replace(/^@/, "")}  ${c.cwd ?? ""}`);
+  }
+  process.exit(2);
+}
+async function resolveAttachSessionId(ref) {
+  if (ATTACH_UUID_RE.test(ref)) return ref;
+  const parts = splitRoutingRef(ref);
+  const data = await api.get("/api/v1/sessions");
+  const candidates = filterCandidatesByName(data.items, parts);
+  if (candidates.length === 0) {
+    const label = parts.ownerLogin ? `@${parts.ownerLogin}/${parts.slug.slice(1)}` : parts.slug;
+    console.error(`error: no session with routing name ${label} (run \`claw session list\` to see what's available)`);
     process.exit(2);
   }
-  let myLogin = null;
   try {
-    const me = await api.get("/api/v1/me");
-    myLogin = me.githubLogin;
+    const picked = await pickCandidate(ref, candidates);
+    return picked.id;
+  } catch (e) {
+    if (e instanceof AmbiguousError) reportAmbiguousAndExit(ref, e);
+    console.error(`error: ${e?.message ?? String(e)}`);
+    process.exit(2);
+  }
+}
+function parseHistoryLimit(opts) {
+  const limitArg = String(opts.limit ?? "50").toLowerCase();
+  if (limitArg === "all") return 5e3;
+  if (limitArg === "0") return 0;
+  return Math.max(0, parseInt(limitArg, 10) || 0);
+}
+function renderTimelineItem(item, myLogin) {
+  if (item.kind === "event") {
+    renderEvent(
+      item.event,
+      myLogin,
+      /* fromBacklog */
+      true
+    );
+    return;
+  }
+  if (item.kind === "op-message") {
+    console.log(`${DIM2}[${shortTs(item.ts)}]${RESET2} ${GREEN}@${item.authorLogin}${RESET2}  ${item.text}`);
+    return;
+  }
+  const verb = item.action === "uploaded" ? `${GREEN}\u{1F4CE} uploaded${RESET2}` : `${RED}\u2717 deleted${RESET2}`;
+  console.log(`${DIM2}[${shortTs(item.ts)}]${RESET2} ${BLUE}@${item.file.uploaderLogin}${RESET2}  ${verb} ${BOLD2}${item.file.filename}${RESET2} ${DIM2}(${fmtBytes(item.file.size)} \xB7 fileId=${item.file.id})${RESET2}`);
+}
+async function drainHistoryBacklog(sessionId, opts, myLogin) {
+  const historyLimit = parseHistoryLimit(opts);
+  if (historyLimit <= 0) return;
+  const kindsParam = opts.opMessages === false ? "&kinds=event,file" : "";
+  try {
+    const tl = await api.get(
+      `/api/v1/sessions/${encodeURIComponent(sessionId)}/timeline?limit=${historyLimit}${kindsParam}`
+    );
+    if (tl.items.length === 0) return;
+    console.log(`${DIM2}\u2500\u2500\u2500 history (${tl.items.length} item${tl.items.length === 1 ? "" : "s"}) \u2500\u2500\u2500${RESET2}`);
+    for (const item of tl.items) renderTimelineItem(item, myLogin);
+    console.log(`${DIM2}\u2500\u2500\u2500 live \u2500\u2500\u2500${RESET2}`);
+  } catch (e) {
+    console.error(`${DIM2}(history fetch failed: ${e?.message ?? String(e)} \u2014 continuing live)${RESET2}`);
+  }
+}
+var BACKOFF = [1e3, 2e3, 5e3, 15e3, 3e4, 6e4];
+function onWsOpen(state) {
+  if (state.reconnectAttempt > 0) {
+    say(`${DIM2}[${ts()}]${RESET2} ${AMBER}reconnected${RESET2} to ${state.hubUrl}`);
+  } else {
+    say(`${DIM2}[${ts()}]${RESET2} connected to ${state.hubUrl}`);
+  }
+  state.reconnectAttempt = 0;
+  state.mySubscription = false;
+  const sub = { type: "subscribe", sessionId: state.sessionId };
+  state.ws.send(JSON.stringify(sub));
+}
+function trackPendingPerm(state, msg) {
+  if (msg.type === "permission_request") {
+    state.pendingPerms.push({ requestId: msg.requestId, tool: msg.tool, sessionId: msg.sessionId });
+    return;
+  }
+  if (msg.type === "permission_resolved") {
+    const i = state.pendingPerms.findIndex((p) => p.requestId === msg.requestId);
+    if (i >= 0) state.pendingPerms.splice(i, 1);
+  }
+}
+function onWsMessage(state, data) {
+  let msg;
+  try {
+    msg = JSON.parse(data.toString("utf8"));
   } catch {
+    return;
   }
-  const UUID_RE2 = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-  let sessionId = ref;
-  if (!UUID_RE2.test(sessionId)) {
-    const needle = sessionId.startsWith("@") ? sessionId : "@" + sessionId;
-    const slash = needle.indexOf("/");
-    let ownerLogin = null;
-    let slug;
-    if (slash > 0) {
-      ownerLogin = needle.slice(1, slash);
-      slug = "@" + needle.slice(slash + 1).replace(/^@/, "");
-    } else {
-      slug = needle;
-    }
+  trackPendingPerm(state, msg);
+  printInbound(msg, state.myLogin);
+  if (msg.type === "subscribed") {
+    state.mySubscription = true;
+    say(`${DIM2}attached as ${BOLD2}${msg.role}${RESET2}${DIM2}. type for prompt \xB7 @other <text> to route \xB7 /m <text> for op-msg \xB7 /y /n on permissions \xB7 /q to quit${RESET2}`);
+  }
+  if (msg.type === "error" && (msg.code === "auth_failed" || msg.code === "token_revoked")) {
+    state.stopRequested = true;
+  }
+}
+function onWsClose(state, reconnect, code, reason) {
+  stopWorking();
+  if (state.stopRequested || code === 1e3) {
+    say(`${DIM2}[${ts()}] disconnected (${code}${reason && reason.length ? ": " + reason.toString() : ""})${RESET2}`);
+    process.exit(0);
+  }
+  if (code === 1008) {
+    sayErr(`${RED}disconnected (${code}): auth rejected \u2014 won't retry${RESET2}`);
+    process.exit(2);
+  }
+  const delay = BACKOFF[Math.min(state.reconnectAttempt, BACKOFF.length - 1)];
+  state.reconnectAttempt += 1;
+  say(`${DIM2}[${ts()}] ${AMBER}disconnected${RESET2} (${code}${reason && reason.length ? ": " + reason.toString() : ""})${DIM2} \u2014 reconnecting in ${delay / 1e3}s (attempt ${state.reconnectAttempt})${RESET2}`);
+  if (state.reconnectTimer) clearTimeout(state.reconnectTimer);
+  state.reconnectTimer = setTimeout(() => {
+    state.reconnectTimer = null;
+    reconnect();
+  }, delay);
+}
+function onWsError(state, err) {
+  if (state.ws.readyState === wrapper_default.CLOSING || state.ws.readyState === wrapper_default.CLOSED) return;
+  sayErr(`${RED}ws error: ${err.message}${RESET2}`);
+}
+function connectWs(state) {
+  const reconnect = () => connectWs(state);
+  state.ws = new wrapper_default(state.wsUrl, { headers: { Authorization: `Bearer ${state.sessionToken}` } });
+  state.ws.on("open", () => onWsOpen(state));
+  state.ws.on("message", (data) => onWsMessage(state, data));
+  state.ws.on("close", (code, reason) => onWsClose(state, reconnect, code, reason));
+  state.ws.on("error", (err) => onWsError(state, err));
+}
+function handleQuitCmd(ctx) {
+  ctx.state.stopRequested = true;
+  if (ctx.state.reconnectTimer) {
+    clearTimeout(ctx.state.reconnectTimer);
+    ctx.state.reconnectTimer = null;
+  }
+  ctx.state.ws.close(1e3, "user quit");
+}
+function handleDebugCmd(text) {
+  const arg = text.slice("/debug".length).trim().toLowerCase();
+  if (arg === "on") debugMode = true;
+  else if (arg === "off") debugMode = false;
+  else debugMode = !debugMode;
+  say(`${DIM2}debug: ${debugMode ? `${AMBER}on${RESET2}${DIM2}` : "off"}${RESET2}`);
+}
+function handleApprovalCmd(ctx, text) {
+  const pending = ctx.state.pendingPerms[ctx.state.pendingPerms.length - 1];
+  if (!pending) {
+    say(`${DIM2}(no pending permission to act on)${RESET2}`);
+    return;
+  }
+  const decision = text === "/y" || text === "/yes" ? "allow" : "deny";
+  const approval = {
+    type: "approval",
+    sessionId: pending.sessionId,
+    // owner of the permission, may not be `sessionId`
+    requestId: pending.requestId,
+    decision
+  };
+  ctx.state.ws.send(JSON.stringify(approval));
+}
+function handleOpMessageCmd(ctx, text) {
+  const opText = text.slice(2).trim();
+  if (!opText) {
+    say(`${DIM2}usage: /m <text> (sends as op-message; bare text is a prompt)${RESET2}`);
+    return;
+  }
+  const out = { type: "op_message", sessionId: ctx.state.sessionId, text: opText };
+  ctx.state.ws.send(JSON.stringify(out));
+}
+function handlePromptCmd(ctx, text) {
+  const promptText = text.slice(2).trim();
+  if (!promptText) {
+    say(`${DIM2}usage: /p <text> (or just type \u2014 bare text is a prompt now)${RESET2}`);
+    return;
+  }
+  const out = { type: "prompt", sessionId: ctx.state.sessionId, text: promptText };
+  ctx.state.ws.send(JSON.stringify(out));
+  say(`${DIM2}[${ts()}]${RESET2} ${AMBER}\u2192 prompt sent${RESET2}  ${promptText}`);
+  startWorking();
+}
+var REDIRECT_UUID_RE = /^@?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+var REDIRECT_LINE_RE = /^(@?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|@[A-Za-z0-9._\-/]+)\s+([\s\S]+)$/i;
+function sendRedirectByUuid(ctx, targetRef, promptText) {
+  const peerSessionId = targetRef.replace(/^@/, "");
+  const out = {
+    type: "prompt",
+    sessionId: peerSessionId,
+    text: promptText,
+    sourceSessionId: ctx.state.sessionId
+  };
+  ctx.state.ws.send(JSON.stringify(out));
+  say(`${DIM2}[${ts()}]${RESET2} ${AMBER}\u2192 prompt \u2192 ${peerSessionId.slice(0, 8)}\u2026${RESET2}  ${promptText}`);
+  startWorking();
+  armRouteWatchdog();
+}
+function reportRedirectAmbiguous(targetRef, liveMatches) {
+  const usedQualified = targetRef.includes("/");
+  const advice = usedQualified ? `'${targetRef}' is ambiguous even within owner \u2014 re-issue using a session UUID:` : `'${targetRef}' is ambiguous \u2014 use the qualified form @owner/slug, or a UUID if the qualified form still collides:`;
+  sayErr(`${RED}error: ${advice}${RESET2}`);
+  for (const c of liveMatches) {
+    sayErr(`  ${c.id}  @${c.startedByLogin}/${(c.routingName ?? "").replace(/^@/, "")}  ${DIM2}${c.cwd ?? ""}${RESET2}`);
+  }
+}
+async function resolveRedirectAndSend(ctx, targetRef, promptText) {
+  const parts = splitRoutingRef(targetRef);
+  try {
     const data = await api.get("/api/v1/sessions");
-    let candidates = data.items.filter((s) => s.routingName === slug);
-    if (ownerLogin !== null) {
-      candidates = candidates.filter((s) => s.startedByLogin === ownerLogin);
-    } else {
-      const mine = candidates.filter((s) => s.role === "owner");
-      if (mine.length > 0) candidates = mine;
-    }
+    const candidates = filterCandidatesByName(data.items, parts);
     if (candidates.length === 0) {
-      const label = ownerLogin ? `@${ownerLogin}/${slug.slice(1)}` : slug;
-      console.error(`error: no session with routing name ${label} (run \`claw session list\` to see what's available)`);
-      process.exit(2);
+      sayErr(`${RED}error: no session ${targetRef} (try \`claw session list\` in another terminal)${RESET2}`);
+      return;
     }
-    try {
-      const picked = await pickCandidate(ref, candidates);
-      sessionId = picked.id;
-    } catch (e) {
-      if (e instanceof AmbiguousError) {
-        const usedQualified = ref.includes("/");
-        const advice = usedQualified ? `'${ref}' is ambiguous even within owner \u2014 multiple sessions share the same routing name. Re-run with a session UUID:` : `'${ref}' is ambiguous \u2014 re-run with the qualified @owner/slug form, or with a UUID if even that collides:`;
-        console.error(`error: ${advice}`);
-        for (const c of e.candidates) {
-          console.error(`  ${c.id}  @${c.startedByLogin}/${(c.routingName ?? "").replace(/^@/, "")}  ${c.cwd ?? ""}`);
-        }
-        process.exit(2);
-      }
-      console.error(`error: ${e?.message ?? String(e)}`);
-      process.exit(2);
+    const liveMatches = candidates.filter((c) => c.connected);
+    if (liveMatches.length > 1) {
+      reportRedirectAmbiguous(targetRef, liveMatches);
+      return;
     }
+    const match = candidates[0];
+    const out = {
+      type: "prompt",
+      sessionId: match.id,
+      text: promptText,
+      sourceSessionId: ctx.state.sessionId
+    };
+    ctx.state.ws.send(JSON.stringify(out));
+    say(`${DIM2}[${ts()}]${RESET2} ${AMBER}\u2192 prompt \u2192 ${targetRef}${RESET2}  ${promptText}`);
+    startWorking();
+    armRouteWatchdog();
+  } catch (e) {
+    sayErr(`${RED}error: ${e?.message ?? String(e)}${RESET2}`);
   }
-  const limitArg = String(opts.limit ?? "50").toLowerCase();
-  const historyLimit = limitArg === "all" ? 5e3 : limitArg === "0" ? 0 : Math.max(0, parseInt(limitArg, 10) || 0);
-  if (historyLimit > 0) {
-    const kindsParam = opts.opMessages === false ? "&kinds=event,file" : "";
-    try {
-      const tl = await api.get(`/api/v1/sessions/${encodeURIComponent(sessionId)}/timeline?limit=${historyLimit}${kindsParam}`);
-      if (tl.items.length > 0) {
-        console.log(`${DIM2}\u2500\u2500\u2500 history (${tl.items.length} item${tl.items.length === 1 ? "" : "s"}) \u2500\u2500\u2500${RESET2}`);
-        for (const item of tl.items) {
-          if (item.kind === "event") {
-            renderEvent(
-              item.event,
-              myLogin,
-              /* fromBacklog */
-              true
-            );
-          } else if (item.kind === "op-message") {
-            console.log(`${DIM2}[${shortTs(item.ts)}]${RESET2} ${GREEN}@${item.authorLogin}${RESET2}  ${item.text}`);
-          } else if (item.kind === "file") {
-            const verb = item.action === "uploaded" ? `${GREEN}\u{1F4CE} uploaded${RESET2}` : `${RED}\u2717 deleted${RESET2}`;
-            console.log(`${DIM2}[${shortTs(item.ts)}]${RESET2} ${BLUE}@${item.file.uploaderLogin}${RESET2}  ${verb} ${BOLD2}${item.file.filename}${RESET2} ${DIM2}(${fmtBytes(item.file.size)} \xB7 fileId=${item.file.id})${RESET2}`);
-          }
-        }
-        console.log(`${DIM2}\u2500\u2500\u2500 live \u2500\u2500\u2500${RESET2}`);
-      }
-    } catch (e) {
-      console.error(`${DIM2}(history fetch failed: ${e?.message ?? String(e)} \u2014 continuing live)${RESET2}`);
-    }
-  }
-  const wsUrl = cfg.hubUrl.replace(/^http/i, "ws") + "/cli";
-  let mySubscription = false;
-  const pendingPerms = [];
-  const BACKOFF = [1e3, 2e3, 5e3, 15e3, 3e4, 6e4];
-  let ws;
-  let stopRequested = false;
-  let reconnectAttempt = 0;
-  let reconnectTimer = null;
-  function connect() {
-    ws = new wrapper_default(wsUrl, { headers: { Authorization: `Bearer ${cfg.sessionToken}` } });
-    ws.on("open", () => {
-      if (reconnectAttempt > 0) {
-        say(`${DIM2}[${ts()}]${RESET2} ${AMBER}reconnected${RESET2} to ${cfg.hubUrl}`);
-      } else {
-        say(`${DIM2}[${ts()}]${RESET2} connected to ${cfg.hubUrl}`);
-      }
-      reconnectAttempt = 0;
-      mySubscription = false;
-      const sub = { type: "subscribe", sessionId };
-      ws.send(JSON.stringify(sub));
-    });
-    ws.on("message", (data) => {
-      let msg;
-      try {
-        msg = JSON.parse(data.toString("utf8"));
-      } catch {
-        return;
-      }
-      if (msg.type === "permission_request") {
-        pendingPerms.push({ requestId: msg.requestId, tool: msg.tool, sessionId: msg.sessionId });
-      } else if (msg.type === "permission_resolved") {
-        const i = pendingPerms.findIndex((p) => p.requestId === msg.requestId);
-        if (i >= 0) pendingPerms.splice(i, 1);
-      }
-      printInbound(msg, myLogin);
-      if (msg.type === "subscribed") {
-        mySubscription = true;
-        say(`${DIM2}attached as ${BOLD2}${msg.role}${RESET2}${DIM2}. type for prompt \xB7 @other <text> to route \xB7 /m <text> for op-msg \xB7 /y /n on permissions \xB7 /q to quit${RESET2}`);
-      }
-      if (msg.type === "error" && (msg.code === "auth_failed" || msg.code === "token_revoked")) {
-        stopRequested = true;
-      }
-    });
-    ws.on("close", (code, reason) => {
-      stopWorking();
-      if (stopRequested || code === 1e3) {
-        say(`${DIM2}[${ts()}] disconnected (${code}${reason && reason.length ? ": " + reason.toString() : ""})${RESET2}`);
-        process.exit(0);
-      }
-      if (code === 1008) {
-        sayErr(`${RED}disconnected (${code}): auth rejected \u2014 won't retry${RESET2}`);
-        process.exit(2);
-      }
-      const delay = BACKOFF[Math.min(reconnectAttempt, BACKOFF.length - 1)];
-      reconnectAttempt += 1;
-      say(`${DIM2}[${ts()}] ${AMBER}disconnected${RESET2} (${code}${reason && reason.length ? ": " + reason.toString() : ""})${DIM2} \u2014 reconnecting in ${delay / 1e3}s (attempt ${reconnectAttempt})${RESET2}`);
-      if (reconnectTimer) clearTimeout(reconnectTimer);
-      reconnectTimer = setTimeout(() => {
-        reconnectTimer = null;
-        connect();
-      }, delay);
-    });
-    ws.on("error", (err) => {
-      if (ws.readyState === wrapper_default.CLOSING || ws.readyState === wrapper_default.CLOSED) return;
-      sayErr(`${RED}ws error: ${err.message}${RESET2}`);
-    });
+}
+function handleRedirectLine(ctx, xMatch) {
+  const targetRef = xMatch[1];
+  const promptText = xMatch[2].trim();
+  if (!promptText) {
+    say(`${DIM2}usage: ${targetRef} <prompt>${RESET2}`);
+    return;
+  }
+  if (REDIRECT_UUID_RE.test(targetRef)) {
+    sendRedirectByUuid(ctx, targetRef, promptText);
+    return;
+  }
+  void resolveRedirectAndSend(ctx, targetRef, promptText);
+}
+function handleBarePrompt(ctx, text) {
+  const out = { type: "prompt", sessionId: ctx.state.sessionId, text };
+  ctx.state.ws.send(JSON.stringify(out));
+  say(`${DIM2}[${ts()}]${RESET2} ${AMBER}\u2192 prompt${RESET2}  ${text}`);
+  startWorking();
+}
+var SLASH_HANDLERS = [
+  { match: (t) => t === "/q" || t === "/quit", run: (c) => handleQuitCmd(c) },
+  { match: (t) => t === "/debug" || t.startsWith("/debug "), run: (_, t) => handleDebugCmd(t) },
+  { match: (t) => t === "/y" || t === "/yes" || t === "/n" || t === "/no", run: (c, t) => handleApprovalCmd(c, t) },
+  { match: (t) => t === "/m" || t.startsWith("/m "), run: (c, t) => handleOpMessageCmd(c, t) },
+  { match: (t) => t === "/p" || t.startsWith("/p "), run: (c, t) => handlePromptCmd(c, t) }
+];
+function dispatchSlash(ctx, text) {
+  for (const h of SLASH_HANDLERS) {
+    if (h.match(text)) {
+      h.run(ctx, text);
+      return true;
+    }
+  }
+  if (text.startsWith("/")) {
+    say(`${DIM2}unknown slash-command: ${text} (try /m /y /n /debug /q)${RESET2}`);
+    return true;
+  }
+  return false;
+}
+function handleInputLine(ctx, raw) {
+  const text = raw.trim();
+  if (!text) return;
+  if (!ctx.state.mySubscription) {
+    say(`${DIM2}(not subscribed yet \u2014 waiting...)${RESET2}`);
+    return;
+  }
+  if (dispatchSlash(ctx, text)) return;
+  const xMatch = REDIRECT_LINE_RE.exec(text);
+  if (xMatch) {
+    handleRedirectLine(ctx, xMatch);
+    return;
   }
-  connect();
+  handleBarePrompt(ctx, text);
+}
+function setupReadline(ctx) {
   const rl = (0, import_node_readline2.createInterface)({
     input: process.stdin,
     output: process.stdout,
@@ -67939,213 +68127,92 @@ var sessionAttach = new Command("attach").description("open a TUI on a session \
   });
   rlRef = rl;
   if (process.stdout.isTTY) rl.prompt(true);
-  rl.on("line", (raw) => {
-    const text = raw.trim();
-    if (!text) return;
-    if (!mySubscription) {
-      say(`${DIM2}(not subscribed yet \u2014 waiting...)${RESET2}`);
-      return;
-    }
-    if (text === "/q" || text === "/quit") {
-      stopRequested = true;
-      if (reconnectTimer) {
-        clearTimeout(reconnectTimer);
-        reconnectTimer = null;
-      }
-      ws.close(1e3, "user quit");
-      return;
-    }
-    if (text === "/debug" || text.startsWith("/debug ")) {
-      const arg = text.slice("/debug".length).trim().toLowerCase();
-      if (arg === "on") debugMode = true;
-      else if (arg === "off") debugMode = false;
-      else debugMode = !debugMode;
-      say(`${DIM2}debug: ${debugMode ? `${AMBER}on${RESET2}${DIM2}` : "off"}${RESET2}`);
-      return;
-    }
-    if (text === "/y" || text === "/yes" || text === "/n" || text === "/no") {
-      const pending = pendingPerms[pendingPerms.length - 1];
-      if (!pending) {
-        say(`${DIM2}(no pending permission to act on)${RESET2}`);
-        return;
-      }
-      const decision = text === "/y" || text === "/yes" ? "allow" : "deny";
-      const approval = {
-        type: "approval",
-        sessionId: pending.sessionId,
-        // owner of the permission, may not be `sessionId`
-        requestId: pending.requestId,
-        decision
-      };
-      ws.send(JSON.stringify(approval));
-      return;
-    }
-    if (text === "/m" || text.startsWith("/m ")) {
-      const opText = text.slice(2).trim();
-      if (!opText) {
-        say(`${DIM2}usage: /m <text> (sends as op-message; bare text is a prompt)${RESET2}`);
-        return;
-      }
-      const out2 = { type: "op_message", sessionId, text: opText };
-      ws.send(JSON.stringify(out2));
-      return;
-    }
-    if (text === "/p" || text.startsWith("/p ")) {
-      const promptText = text.slice(2).trim();
-      if (!promptText) {
-        say(`${DIM2}usage: /p <text> (or just type \u2014 bare text is a prompt now)${RESET2}`);
-        return;
-      }
-      const out2 = { type: "prompt", sessionId, text: promptText };
-      ws.send(JSON.stringify(out2));
-      say(`${DIM2}[${ts()}]${RESET2} ${AMBER}\u2192 prompt sent${RESET2}  ${promptText}`);
-      startWorking();
-      return;
-    }
-    if (text.startsWith("/")) {
-      say(`${DIM2}unknown slash-command: ${text} (try /m /y /n /debug /q)${RESET2}`);
-      return;
-    }
-    const UUID_RE_LOOSE = /^@?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-    const xMatch = /^(@?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|@[A-Za-z0-9._\-/]+)\s+([\s\S]+)$/i.exec(text);
-    if (xMatch) {
-      const targetRef = xMatch[1];
-      const promptText = xMatch[2].trim();
-      if (!promptText) {
-        say(`${DIM2}usage: ${targetRef} <prompt>${RESET2}`);
-        return;
-      }
-      if (UUID_RE_LOOSE.test(targetRef)) {
-        const peerSessionId = targetRef.replace(/^@/, "");
-        const out2 = {
-          type: "prompt",
-          sessionId: peerSessionId,
-          text: promptText,
-          sourceSessionId: sessionId
-        };
-        ws.send(JSON.stringify(out2));
-        say(`${DIM2}[${ts()}]${RESET2} ${AMBER}\u2192 prompt \u2192 ${peerSessionId.slice(0, 8)}\u2026${RESET2}  ${promptText}`);
-        startWorking();
-        armRouteWatchdog();
-        return;
-      }
-      (async () => {
-        const needle = targetRef.startsWith("@") ? targetRef : "@" + targetRef;
-        const slash = needle.indexOf("/");
-        let ownerLogin = null;
-        let slug;
-        if (slash > 0) {
-          ownerLogin = needle.slice(1, slash);
-          slug = "@" + needle.slice(slash + 1).replace(/^@/, "");
-        } else {
-          slug = needle;
-        }
-        try {
-          const data = await api.get("/api/v1/sessions");
-          let candidates = data.items.filter((s) => s.routingName === slug);
-          if (ownerLogin !== null) {
-            candidates = candidates.filter((s) => s.startedByLogin === ownerLogin);
-          } else {
-            const mine = candidates.filter((s) => s.role === "owner");
-            if (mine.length > 0) candidates = mine;
-          }
-          if (candidates.length === 0) {
-            sayErr(`${RED}error: no session ${targetRef} (try \`claw session list\` in another terminal)${RESET2}`);
-            return;
-          }
-          const liveMatches = candidates.filter((c) => c.connected);
-          if (liveMatches.length > 1) {
-            const usedQualified = targetRef.includes("/");
-            const advice = usedQualified ? `'${targetRef}' is ambiguous even within owner \u2014 re-issue using a session UUID:` : `'${targetRef}' is ambiguous \u2014 use the qualified form @owner/slug, or a UUID if the qualified form still collides:`;
-            sayErr(`${RED}error: ${advice}${RESET2}`);
-            for (const c of liveMatches) {
-              sayErr(`  ${c.id}  @${c.startedByLogin}/${(c.routingName ?? "").replace(/^@/, "")}  ${DIM2}${c.cwd ?? ""}${RESET2}`);
-            }
-            return;
-          }
-          const match = candidates[0];
-          const out2 = {
-            type: "prompt",
-            sessionId: match.id,
-            text: promptText,
-            sourceSessionId: sessionId
-          };
-          ws.send(JSON.stringify(out2));
-          say(`${DIM2}[${ts()}]${RESET2} ${AMBER}\u2192 prompt \u2192 ${targetRef}${RESET2}  ${promptText}`);
-          startWorking();
-          armRouteWatchdog();
-        } catch (e) {
-          sayErr(`${RED}error: ${e?.message ?? String(e)}${RESET2}`);
-        }
-      })();
-      return;
-    }
-    const out = { type: "prompt", sessionId, text };
-    ws.send(JSON.stringify(out));
-    say(`${DIM2}[${ts()}]${RESET2} ${AMBER}\u2192 prompt${RESET2}  ${text}`);
-    startWorking();
-  });
+  rl.on("line", (raw) => handleInputLine(ctx, raw));
   process.on("SIGINT", () => {
-    stopRequested = true;
-    if (reconnectTimer) {
-      clearTimeout(reconnectTimer);
-      reconnectTimer = null;
+    ctx.state.stopRequested = true;
+    if (ctx.state.reconnectTimer) {
+      clearTimeout(ctx.state.reconnectTimer);
+      ctx.state.reconnectTimer = null;
     }
-    ws.close(1e3, "sigint");
+    ctx.state.ws.close(1e3, "sigint");
   });
+}
+var sessionAttach = new Command("attach").description("open a TUI on a session \u2014 see the chat stream, post op-messages").argument("<ref>", "session UUID or @routingName (e.g. @driver)").option("--limit <n>", 'history items to load before the live stream begins. 0 = none. "all" = up to 5000. default 50.', "50").option("--no-op-messages", "exclude op-messages from the history backlog (live ones still arrive once attached)").option("--no-markdown", "render assistant_text and reply payloads as raw text instead of formatted markdown").option("--debug", "after every rendered event, print its full JSON payload (truncated at 2 KB) \u2014 surfaces fields the renderer normally hides (e.g., SubagentStop's last_assistant_message, PreToolUse tool_input details)").option("--no-status", 'disable the animated "claude working" dot at the bottom of the TUI (useful for piped output or rough-ANSI terminals)').action(async (ref, opts) => {
+  applyAttachFlags(opts);
+  const cfg = loadConfig();
+  if (!cfg.sessionToken) {
+    console.error("error: not logged in. run `claw login`.");
+    process.exit(2);
+  }
+  const myLogin = await fetchMyLogin();
+  const sessionId = await resolveAttachSessionId(ref);
+  await drainHistoryBacklog(sessionId, opts, myLogin);
+  const state = {
+    ws: void 0,
+    // assigned by connectWs()
+    sessionId,
+    myLogin,
+    hubUrl: cfg.hubUrl,
+    wsUrl: cfg.hubUrl.replace(/^http/i, "ws") + "/cli",
+    sessionToken: cfg.sessionToken,
+    mySubscription: false,
+    pendingPerms: [],
+    stopRequested: false,
+    reconnectAttempt: 0,
+    reconnectTimer: null
+  };
+  connectWs(state);
+  setupReadline({ state });
 });
-function printInbound(msg, myLogin) {
-  switch (msg.type) {
-    case "subscribed":
-      break;
-    case "event": {
-      renderEvent(msg.event, myLogin);
-      break;
-    }
-    case "op_message": {
-      say(`${DIM2}[${shortTs(msg.ts)}]${RESET2} ${GREEN}@${msg.authorLogin}${RESET2}  ${msg.text}`);
-      break;
-    }
-    case "permission_request": {
-      say(`${RED}[!] ${shortTs(msg.ts)}${RESET2}  approval needed: ${BOLD2}${msg.tool}${RESET2} \u2014 ${msg.inputPreview}`);
-      break;
-    }
-    case "permission_resolved": {
-      const dec = msg.decision === "allow" ? `${GREEN}allowed${RESET2}` : msg.decision === "deny" ? `${RED}denied${RESET2}` : `${DIM2}expired${RESET2}`;
-      say(`${DIM2}[${ts()}]${RESET2} permission ${msg.requestId} ${dec} by @${msg.resolverLogin ?? "?"}`);
-      break;
-    }
-    case "presence": {
-      const list3 = msg.attached.map((l) => "@" + l).join(", ") || "(empty)";
-      let line;
-      if (msg.joined) {
-        line = `${GREEN}+ @${msg.joined} joined${RESET2}${DIM2} (attached: ${list3})${RESET2}`;
-      } else if (msg.left) {
-        line = `${AMBER}- @${msg.left} left${RESET2}${DIM2} (attached: ${list3})${RESET2}`;
-      } else {
-        line = `${DIM2}presence: ${list3}${RESET2}`;
-      }
-      say(`${DIM2}[${ts()}]${RESET2} ${line}`);
-      break;
-    }
-    case "channel_status": {
-      const tag2 = msg.connected ? `${GREEN}\u25CF channel online${RESET2}` : `${RED}\u25CB channel offline${RESET2}`;
-      say(`${DIM2}[${shortTs(msg.ts)}]${RESET2} ${tag2}`);
-      if (!msg.connected) stopWorking();
-      break;
-    }
-    case "file_event": {
-      const verb = msg.action === "uploaded" ? `${GREEN}\u{1F4CE} uploaded${RESET2}` : `${RED}\u2717 deleted${RESET2}`;
-      const f = msg.file;
-      say(`${DIM2}[${ts()}]${RESET2} ${BLUE}@${f.uploaderLogin}${RESET2}  ${verb} ${BOLD2}${f.filename}${RESET2} ${DIM2}(${fmtBytes(f.size)} \xB7 fileId=${f.id})${RESET2}`);
-      break;
-    }
-    case "ack":
-      break;
-    case "error":
-      sayErr(`${RED}error (${msg.code}): ${msg.message}${RESET2}`);
-      break;
+function printInboundOpMessage(msg) {
+  say(`${DIM2}[${shortTs(msg.ts)}]${RESET2} ${GREEN}@${msg.authorLogin}${RESET2}  ${msg.text}`);
+}
+function printInboundPermissionRequest(msg) {
+  say(`${RED}[!] ${shortTs(msg.ts)}${RESET2}  approval needed: ${BOLD2}${msg.tool}${RESET2} \u2014 ${msg.inputPreview}`);
+}
+function printInboundPermissionResolved(msg) {
+  const dec = msg.decision === "allow" ? `${GREEN}allowed${RESET2}` : msg.decision === "deny" ? `${RED}denied${RESET2}` : `${DIM2}expired${RESET2}`;
+  say(`${DIM2}[${ts()}]${RESET2} permission ${msg.requestId} ${dec} by @${msg.resolverLogin ?? "?"}`);
+}
+function printInboundPresence(msg) {
+  const list3 = msg.attached.map((l) => "@" + l).join(", ") || "(empty)";
+  let line;
+  if (msg.joined) {
+    line = `${GREEN}+ @${msg.joined} joined${RESET2}${DIM2} (attached: ${list3})${RESET2}`;
+  } else if (msg.left) {
+    line = `${AMBER}- @${msg.left} left${RESET2}${DIM2} (attached: ${list3})${RESET2}`;
+  } else {
+    line = `${DIM2}presence: ${list3}${RESET2}`;
   }
+  say(`${DIM2}[${ts()}]${RESET2} ${line}`);
+}
+function printInboundChannelStatus(msg) {
+  const tag2 = msg.connected ? `${GREEN}\u25CF channel online${RESET2}` : `${RED}\u25CB channel offline${RESET2}`;
+  say(`${DIM2}[${shortTs(msg.ts)}]${RESET2} ${tag2}`);
+  if (!msg.connected) stopWorking();
+}
+function printInboundFileEvent(msg) {
+  const verb = msg.action === "uploaded" ? `${GREEN}\u{1F4CE} uploaded${RESET2}` : `${RED}\u2717 deleted${RESET2}`;
+  const f = msg.file;
+  say(`${DIM2}[${ts()}]${RESET2} ${BLUE}@${f.uploaderLogin}${RESET2}  ${verb} ${BOLD2}${f.filename}${RESET2} ${DIM2}(${fmtBytes(f.size)} \xB7 fileId=${f.id})${RESET2}`);
+}
+var INBOUND_PRINTERS = {
+  subscribed: () => {
+  },
+  event: (msg, ml) => renderEvent(msg.event, ml),
+  op_message: (msg) => printInboundOpMessage(msg),
+  permission_request: (msg) => printInboundPermissionRequest(msg),
+  permission_resolved: (msg) => printInboundPermissionResolved(msg),
+  presence: (msg) => printInboundPresence(msg),
+  channel_status: (msg) => printInboundChannelStatus(msg),
+  file_event: (msg) => printInboundFileEvent(msg),
+  ack: () => {
+  },
+  error: (msg) => sayErr(`${RED}error (${msg.code}): ${msg.message}${RESET2}`)
+};
+function printInbound(msg, myLogin) {
+  const fn = INBOUND_PRINTERS[msg.type];
+  if (fn) fn(msg, myLogin);
 }
 function shortTs(iso) {
   const d = new Date(iso);
@@ -68178,133 +68245,179 @@ function maybeDebugDump(p) {
     say(`  ${DIM2}${line}${RESET2}`);
   }
 }
+function isOwnPromptMirror(ev, p, myLogin, fromBacklog) {
+  if (fromBacklog) return false;
+  if (ev.kind !== "chat" || ev.type !== "prompt") return false;
+  const src = String(p.source ?? "");
+  if (src !== "operator" && src !== "operator-route") return false;
+  return !!myLogin && p.authorLogin === myLogin;
+}
 function renderEvent(ev, myLogin, fromBacklog = false) {
   const ts2 = shortTs(ev.ts);
   const p = ev.payload || {};
-  if (!fromBacklog && ev.kind === "chat" && ev.type === "prompt") {
-    const src = String(p.source ?? "");
-    if ((src === "operator" || src === "operator-route") && myLogin && p.authorLogin === myLogin) return;
-  }
+  if (isOwnPromptMirror(ev, p, myLogin, fromBacklog)) return;
   try {
     renderEventBody(ev, ts2, p, myLogin);
   } finally {
     maybeDebugDump(p);
   }
 }
-function renderEventBody(ev, ts2, p, myLogin) {
+function applyWorkingHeartbeat(ev) {
   if (ev.kind === "chat" && ev.type === "prompt") startWorking();
   else if (ev.kind === "tail" && ev.type === "PreToolUse") startWorking();
   else if (ev.kind === "tail" && ev.type === "Stop") stopWorking();
-  if (ev.kind === "chat") {
-    if (ev.type === "prompt") {
-      const text = String(p.text ?? p.prompt ?? "").trim() || JSON.stringify(p).slice(0, 200);
-      const source = String(p.source ?? "cli");
-      if (source === "operator-route") {
-        const peer = String(p.peerLogin ?? p.peerSessionId ?? "?");
-        const peerShort = peer.length > 36 ? peer.slice(0, 8) + "\u2026" : peer;
-        say(`${DIM2}[${ts2}]${RESET2} ${AMBER}\u2192 prompt \u2192 ${peerShort}${RESET2}  ${text}`);
-        return;
-      }
-      const label = source === "operator" ? `${BOLD2}@${String(p.authorLogin ?? "remote")} \u203A${RESET2}` : `${BOLD2}(cli) \u203A${RESET2}`;
-      say(`${DIM2}[${ts2}]${RESET2} ${label} ${text}`);
-      return;
-    }
-    if (ev.type === "assistant_text") {
-      const text = String(p.text ?? "").trim();
-      const isPlaceholder = !!p.placeholder;
-      const tag2 = isPlaceholder ? `${DIM2}claude \xB7 thinking${RESET2}` : `${AMBER}claude${RESET2}`;
-      const prefix = `${DIM2}[${ts2}]${RESET2} ${tag2}`;
-      if (isPlaceholder) {
-        say(`${prefix}  ${DIM2}${text}${RESET2}`);
-        return;
-      }
-      emitChatLine(prefix, renderMarkdown(text));
-      return;
-    }
-    if (ev.type === "reply") {
-      const text = String(p.text ?? "").trim();
-      const tag2 = p.source === "peer-reply" && p.peerLogin ? `${AMBER}${String(p.peerLogin)} answered${RESET2}` : p.chatId ? `${AMBER}claude${RESET2} ${DIM2}(reply to ${String(p.chatId).slice(0, 8)})${RESET2}` : `${AMBER}claude${RESET2}`;
-      emitChatLine(`${DIM2}[${ts2}]${RESET2} ${tag2}`, renderMarkdown(text));
-      if (p.source === "peer-reply") disarmRouteWatchdog();
-      return;
-    }
-    if (ev.type === "peer-timeout") {
-      const peer = String(p.peerLogin ?? p.peerSessionId ?? "?");
-      const peerShort = peer.length > 36 ? peer.slice(0, 8) + "\u2026" : peer;
-      say(`${DIM2}[${ts2}]${RESET2} ${RED}\u26A0 ${peerShort} did not reply${RESET2} ${DIM2}\u2014 peer's Claude may have denied the reply tool${RESET2}`);
-      disarmRouteWatchdog();
-      stopWorking();
-      return;
-    }
-    say(`${DIM2}[${ts2}]${RESET2} ${AMBER}[chat:${ev.type}]${RESET2} ${previewPayload(p)}`);
+}
+function extractPromptText(p) {
+  const raw = String(p.text ?? p.prompt ?? "").trim();
+  return raw || JSON.stringify(p).slice(0, 200);
+}
+function shortPeer(p) {
+  const peer = String(p.peerLogin ?? p.peerSessionId ?? "?");
+  return peer.length > 36 ? peer.slice(0, 8) + "\u2026" : peer;
+}
+function promptLabel(p, source) {
+  if (source === "operator") return `${BOLD2}@${String(p.authorLogin ?? "remote")} \u203A${RESET2}`;
+  return `${BOLD2}(cli) \u203A${RESET2}`;
+}
+function renderChatPromptBody(ts2, p) {
+  const text = extractPromptText(p);
+  const source = String(p.source ?? "cli");
+  if (source === "operator-route") {
+    say(`${DIM2}[${ts2}]${RESET2} ${AMBER}\u2192 prompt \u2192 ${shortPeer(p)}${RESET2}  ${text}`);
     return;
   }
-  switch (ev.type) {
-    case "PreToolUse": {
-      const tool = String(p.tool_name ?? p.toolName ?? p.tool ?? "?");
-      const input = renderToolInput(p);
-      say(`${DIM2}[${ts2}]${RESET2} ${BLUE}\u2192 ${tool}${RESET2} ${DIM2}${input}${RESET2}`);
-      return;
-    }
-    case "PostToolUse": {
-      const tool = String(p.tool_name ?? p.toolName ?? p.tool ?? "?");
-      const out = stringifyToolResponse(p.tool_response ?? p.toolResponse ?? p.outputPreview ?? p.output);
-      const ok = p.ok === false ? `${RED}\u2717${RESET2}` : `${BLUE}\u2713${RESET2}`;
-      say(`${DIM2}[${ts2}]${RESET2} ${ok} ${tool}${out ? "  " + DIM2 + truncate(out, 200) + RESET2 : ""}`);
-      return;
-    }
-    case "PostToolUseFailure": {
-      const tool = String(p.tool_name ?? p.toolName ?? p.tool ?? "?");
-      const err = stringifyToolResponse(p.error ?? p.message ?? p.tool_response);
-      say(`${DIM2}[${ts2}]${RESET2} ${RED}\u2717 ${tool}${RESET2}  ${RED}${truncate(err, 200)}${RESET2}`);
-      return;
-    }
-    case "Stop":
-      say(`${DIM2}[${ts2}]  \u2014 turn end \u2014${RESET2}`);
-      return;
-    case "SessionStart":
-      say(`${DIM2}[${ts2}]  \u25B8 session start${RESET2}`);
-      return;
-    case "SessionEnd":
-      say(`${DIM2}[${ts2}]  \u25C2 session end${RESET2}`);
-      return;
-    case "TaskCreated":
-    case "SubagentStart":
-    case "SubagentStop":
-    case "TaskCompleted": {
-      const which = ev.type;
-      const desc = String(p.description ?? p.agentType ?? "");
-      say(`${DIM2}[${ts2}] ${BLUE}\u21AA ${which}${RESET2}${desc ? " " + desc : ""}`);
-      return;
-    }
-    case "Notification": {
-      const msg = String(p.message ?? p.text ?? "").trim();
-      say(`${DIM2}[${ts2}]${RESET2} ${BOLD2}\u{1F514}${RESET2} ${msg || JSON.stringify(p).slice(0, 200)}`);
-      return;
-    }
-    default:
-      say(`${DIM2}[${ts2}]${RESET2} ${BLUE}[${ev.type}]${RESET2} ${previewPayload(p)}`);
+  say(`${DIM2}[${ts2}]${RESET2} ${promptLabel(p, source)} ${text}`);
+}
+function renderChatAssistantTextBody(ts2, p) {
+  const text = String(p.text ?? "").trim();
+  const isPlaceholder = !!p.placeholder;
+  const tag2 = isPlaceholder ? `${DIM2}claude \xB7 thinking${RESET2}` : `${AMBER}claude${RESET2}`;
+  const prefix = `${DIM2}[${ts2}]${RESET2} ${tag2}`;
+  if (isPlaceholder) {
+    say(`${prefix}  ${DIM2}${text}${RESET2}`);
+    return;
   }
+  emitChatLine(prefix, renderMarkdown(text));
 }
-function stringifyToolResponse(v) {
+function renderChatReplyBody(ts2, p) {
+  const text = String(p.text ?? "").trim();
+  const tag2 = p.source === "peer-reply" && p.peerLogin ? `${AMBER}${String(p.peerLogin)} answered${RESET2}` : p.chatId ? `${AMBER}claude${RESET2} ${DIM2}(reply to ${String(p.chatId).slice(0, 8)})${RESET2}` : `${AMBER}claude${RESET2}`;
+  emitChatLine(`${DIM2}[${ts2}]${RESET2} ${tag2}`, renderMarkdown(text));
+  if (p.source === "peer-reply") disarmRouteWatchdog();
+}
+function renderChatPeerTimeoutBody(ts2, p) {
+  const peer = String(p.peerLogin ?? p.peerSessionId ?? "?");
+  const peerShort = peer.length > 36 ? peer.slice(0, 8) + "\u2026" : peer;
+  say(`${DIM2}[${ts2}]${RESET2} ${RED}\u26A0 ${peerShort} did not reply${RESET2} ${DIM2}\u2014 peer's Claude may have denied the reply tool${RESET2}`);
+  disarmRouteWatchdog();
+  stopWorking();
+}
+function renderChatBody(ev, ts2, p) {
+  if (ev.type === "prompt") {
+    renderChatPromptBody(ts2, p);
+    return;
+  }
+  if (ev.type === "assistant_text") {
+    renderChatAssistantTextBody(ts2, p);
+    return;
+  }
+  if (ev.type === "reply") {
+    renderChatReplyBody(ts2, p);
+    return;
+  }
+  if (ev.type === "peer-timeout") {
+    renderChatPeerTimeoutBody(ts2, p);
+    return;
+  }
+  say(`${DIM2}[${ts2}]${RESET2} ${AMBER}[chat:${ev.type}]${RESET2} ${previewPayload(p)}`);
+}
+function renderTailPreToolUseBody(ts2, p) {
+  const tool = String(p.tool_name ?? p.toolName ?? p.tool ?? "?");
+  const input = renderToolInput(p);
+  say(`${DIM2}[${ts2}]${RESET2} ${BLUE}\u2192 ${tool}${RESET2} ${DIM2}${input}${RESET2}`);
+}
+function renderTailPostToolUseBody(ts2, p) {
+  const tool = String(p.tool_name ?? p.toolName ?? p.tool ?? "?");
+  const out = stringifyToolResponse(p.tool_response ?? p.toolResponse ?? p.outputPreview ?? p.output);
+  const ok = p.ok === false ? `${RED}\u2717${RESET2}` : `${BLUE}\u2713${RESET2}`;
+  say(`${DIM2}[${ts2}]${RESET2} ${ok} ${tool}${out ? "  " + DIM2 + truncate(out, 200) + RESET2 : ""}`);
+}
+function renderTailPostToolUseFailureBody(ts2, p) {
+  const tool = String(p.tool_name ?? p.toolName ?? p.tool ?? "?");
+  const err = stringifyToolResponse(p.error ?? p.message ?? p.tool_response);
+  say(`${DIM2}[${ts2}]${RESET2} ${RED}\u2717 ${tool}${RESET2}  ${RED}${truncate(err, 200)}${RESET2}`);
+}
+function renderTailTaskBody(ts2, p, which) {
+  const desc = String(p.description ?? p.agentType ?? "");
+  say(`${DIM2}[${ts2}] ${BLUE}\u21AA ${which}${RESET2}${desc ? " " + desc : ""}`);
+}
+function renderTailNotificationBody(ts2, p) {
+  const msg = String(p.message ?? p.text ?? "").trim();
+  say(`${DIM2}[${ts2}]${RESET2} ${BOLD2}\u{1F514}${RESET2} ${msg || JSON.stringify(p).slice(0, 200)}`);
+}
+var TAIL_RENDERERS = {
+  PreToolUse: (ts2, p) => renderTailPreToolUseBody(ts2, p),
+  PostToolUse: (ts2, p) => renderTailPostToolUseBody(ts2, p),
+  PostToolUseFailure: (ts2, p) => renderTailPostToolUseFailureBody(ts2, p),
+  Stop: (ts2) => say(`${DIM2}[${ts2}]  \u2014 turn end \u2014${RESET2}`),
+  SessionStart: (ts2) => say(`${DIM2}[${ts2}]  \u25B8 session start${RESET2}`),
+  SessionEnd: (ts2) => say(`${DIM2}[${ts2}]  \u25C2 session end${RESET2}`),
+  TaskCreated: (ts2, p, type) => renderTailTaskBody(ts2, p, type),
+  SubagentStart: (ts2, p, type) => renderTailTaskBody(ts2, p, type),
+  SubagentStop: (ts2, p, type) => renderTailTaskBody(ts2, p, type),
+  TaskCompleted: (ts2, p, type) => renderTailTaskBody(ts2, p, type),
+  Notification: (ts2, p) => renderTailNotificationBody(ts2, p)
+};
+function renderTailBody(ev, ts2, p) {
+  const fn = TAIL_RENDERERS[ev.type];
+  if (fn) {
+    fn(ts2, p, ev.type);
+    return;
+  }
+  say(`${DIM2}[${ts2}]${RESET2} ${BLUE}[${ev.type}]${RESET2} ${previewPayload(p)}`);
+}
+function renderEventBody(ev, ts2, p, _myLogin) {
+  applyWorkingHeartbeat(ev);
+  if (ev.kind === "chat") {
+    renderChatBody(ev, ts2, p);
+    return;
+  }
+  renderTailBody(ev, ts2, p);
+}
+function isTextBlock(v) {
+  return typeof v === "object" && v !== null && v.type === "text" && typeof v.text === "string";
+}
+function stringifyToolResponseScalar(v) {
   if (v === null || v === void 0) return "";
   if (typeof v === "string") return v.trim();
   if (typeof v === "number" || typeof v === "boolean") return String(v);
-  if (typeof v === "object" && v !== null && v.type === "text" && typeof v.text === "string") {
-    return v.text.trim();
+  return null;
+}
+function stringifyToolResponseArray(v) {
+  const texts = [];
+  for (const b of v) if (isTextBlock(b)) texts.push(b.text);
+  if (texts.length === 0) return null;
+  return texts.join("\n").trim();
+}
+function stringifyToolResponseFallback(v) {
+  try {
+    return JSON.stringify(v);
+  } catch {
+    return String(v);
   }
+}
+function stringifyToolResponse(v) {
+  const scalar = stringifyToolResponseScalar(v);
+  if (scalar !== null) return scalar;
+  if (isTextBlock(v)) return v.text.trim();
   if (Array.isArray(v)) {
-    const texts = v.filter((b) => b && typeof b === "object" && b.type === "text" && typeof b.text === "string").map((b) => b.text);
-    if (texts.length) return texts.join("\n").trim();
+    const out = stringifyToolResponseArray(v);
+    if (out !== null) return out;
   }
   if (typeof v === "object" && v !== null && Array.isArray(v.content)) {
     return stringifyToolResponse(v.content);
   }
-  try {
-    return JSON.stringify(v);
-  } catch {
-    return String(v);
-  }
+  return stringifyToolResponseFallback(v);
 }
 function renderToolInput(p) {
   const input = p.tool_input ?? p.toolInput;
@@ -68337,71 +68450,75 @@ function fmtAgo(iso) {
   return fmtDuration(Date.now() - new Date(iso).getTime());
 }
 var UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
-async function resolveSessionId(idOrName, opts = {}) {
-  if (UUID_RE.test(idOrName)) return idOrName;
-  const needle = idOrName.startsWith("@") ? idOrName : "@" + idOrName;
+function splitRoutingRef2(ref) {
+  const needle = ref.startsWith("@") ? ref : "@" + ref;
   const slash = needle.indexOf("/");
-  let ownerLogin = null;
-  let slug;
   if (slash > 0) {
-    ownerLogin = needle.slice(1, slash);
-    slug = "@" + needle.slice(slash + 1).replace(/^@/, "");
-  } else {
-    slug = needle;
+    return {
+      ownerLogin: needle.slice(1, slash),
+      slug: "@" + needle.slice(slash + 1).replace(/^@/, "")
+    };
   }
-  const data = await api.get("/api/v1/sessions");
-  let candidates = data.items.filter((s) => s.routingName === slug);
-  if (ownerLogin !== null) {
-    candidates = candidates.filter((s) => s.startedByLogin === ownerLogin);
+  return { ownerLogin: null, slug: needle };
+}
+function filterByRoutingParts(items, parts) {
+  let candidates = items.filter((s) => s.routingName === parts.slug);
+  if (parts.ownerLogin !== null) {
+    candidates = candidates.filter((s) => s.startedByLogin === parts.ownerLogin);
   } else {
     const mine = candidates.filter((s) => s.role === "owner");
     if (mine.length > 0) candidates = mine;
   }
-  if (candidates.length === 0) {
-    const err = new Error(
-      ownerLogin ? `no session @${ownerLogin}/${slug.slice(1)} (run \`claw session list\`)` : `no session with routing name ${slug} (run \`claw session list\`)`
-    );
-    err.code = "CLW_NO_ROUTING_MATCH";
-    throw err;
-  }
+  return candidates;
+}
+function noRoutingMatchError(parts) {
+  const err = new Error(
+    parts.ownerLogin ? `no session @${parts.ownerLogin}/${parts.slug.slice(1)} (run \`claw session list\`)` : `no session with routing name ${parts.slug} (run \`claw session list\`)`
+  );
+  err.code = "CLW_NO_ROUTING_MATCH";
+  return err;
+}
+function ambiguousError(idOrName, e) {
+  const usedQualified = idOrName.includes("/");
+  const advice = usedQualified ? `'${idOrName}' is ambiguous even within owner \u2014 multiple sessions share the same routing name (different cwds with matching basenames). Re-run with a UUID:` : `'${idOrName}' is ambiguous \u2014 re-run with the qualified @owner/slug form, or with a UUID if even that collides:`;
+  const err = new Error(
+    advice + "\n" + e.candidates.map((c) => `  ${c.id}  @${c.startedByLogin}/${(c.routingName ?? "").replace(/^@/, "")}  ${c.cwd ?? ""}`).join("\n")
+  );
+  err.code = "CLW_AMBIGUOUS";
+  return err;
+}
+async function resolveSessionId(idOrName, opts = {}) {
+  if (UUID_RE.test(idOrName)) return idOrName;
+  const parts = splitRoutingRef2(idOrName);
+  const data = await api.get("/api/v1/sessions");
+  const candidates = filterByRoutingParts(data.items, parts);
+  if (candidates.length === 0) throw noRoutingMatchError(parts);
   try {
     const picked = await pickCandidate(idOrName, candidates, { destructive: !!opts.destructive });
     return picked.id;
   } catch (e) {
-    if (e instanceof AmbiguousError) {
-      const usedQualified = idOrName.includes("/");
-      const advice = usedQualified ? `'${idOrName}' is ambiguous even within owner \u2014 multiple sessions share the same routing name (different cwds with matching basenames). Re-run with a UUID:` : `'${idOrName}' is ambiguous \u2014 re-run with the qualified @owner/slug form, or with a UUID if even that collides:`;
-      const err = new Error(
-        advice + "\n" + e.candidates.map((c) => `  ${c.id}  @${c.startedByLogin}/${(c.routingName ?? "").replace(/^@/, "")}  ${c.cwd ?? ""}`).join("\n")
-      );
-      err.code = "CLW_AMBIGUOUS";
-      throw err;
-    }
+    if (e instanceof AmbiguousError) throw ambiguousError(idOrName, e);
     throw e;
   }
 }
-var sessionList = new Command("list").alias("ls").description("list sessions you can see").option("--connected", "only sessions whose channel WS is currently open").option("--all", "include archived sessions").action(async (opts) => {
+function buildSessionListQs(opts) {
   const qs = new URLSearchParams();
   if (opts.connected) qs.set("connected", "true");
   if (opts.all) qs.set("archived", "true");
-  const data = await api.get(
-    "/api/v1/sessions" + (qs.toString() ? "?" + qs : "")
-  );
-  if (data.items.length === 0) {
-    console.log("no sessions");
-    return;
-  }
-  for (const s of data.items) {
-    const dot = s.connected ? "\u25CF" : "\u25CB";
-    const slug = s.routingName ?? "";
-    const qualified = slug ? `@${s.startedByLogin}/${slug.replace(/^@/, "")}` : "(no routing name)";
-    const where = s.cwd ? ` ${s.cwd}` : "";
-    const role = s.role.padEnd(8);
-    const seen = s.connected ? "online" : `offline \xB7 ${fmtAgo(s.lastSeenAt)}`;
-    const arch = s.archivedAt ? " \xB7 ARCHIVED" : "";
-    console.log(`${dot} ${qualified.padEnd(28)} ${role}${where}  [${seen}]${arch}`);
-    console.log(`    id: ${s.id}`);
-  }
+  return qs.toString() ? "?" + qs : "";
+}
+function printSessionListRow(s) {
+  const dot = s.connected ? "\u25CF" : "\u25CB";
+  const slug = s.routingName ?? "";
+  const qualified = slug ? `@${s.startedByLogin}/${slug.replace(/^@/, "")}` : "(no routing name)";
+  const where = s.cwd ? ` ${s.cwd}` : "";
+  const role = s.role.padEnd(8);
+  const seen = s.connected ? "online" : `offline \xB7 ${fmtAgo(s.lastSeenAt)}`;
+  const arch = s.archivedAt ? " \xB7 ARCHIVED" : "";
+  console.log(`${dot} ${qualified.padEnd(28)} ${role}${where}  [${seen}]${arch}`);
+  console.log(`    id: ${s.id}`);
+}
+function printSessionListFooter() {
   console.log("");
   console.log("  attach to a session:    claw session attach <ref>");
   console.log("  recent hook/chat:       claw session events <ref>");
@@ -68409,6 +68526,17 @@ var sessionList = new Command("list").alias("ls").description("list sessions you
   console.log("  <ref> = UUID, @owner/slug, @slug, or bare slug");
   console.log("  (PowerShell tip: use the bare-slug form \u2014 `@driver` is parsed as");
   console.log("   a splatting operator and stripped before reaching the CLI)");
+}
+var sessionList = new Command("list").alias("ls").description("list sessions you can see").option("--connected", "only sessions whose channel WS is currently open").option("--all", "include archived sessions").action(async (opts) => {
+  const data = await api.get(
+    "/api/v1/sessions" + buildSessionListQs(opts)
+  );
+  if (data.items.length === 0) {
+    console.log("no sessions");
+    return;
+  }
+  for (const s of data.items) printSessionListRow(s);
+  printSessionListFooter();
 });
 var sessionInfo = new Command("info").description("show metadata for a single session").argument("<ref>", "session UUID or @routingName").action(async (ref) => {
   const id = await resolveSessionId(ref);
@@ -68424,17 +68552,32 @@ var sessionInfo = new Command("info").description("show metadata for a single se
   console.log(`last seen: ${s.lastSeenAt}`);
   console.log(`status   : ${s.connected ? "connected" : "offline"}${s.archivedAt ? " \xB7 ARCHIVED" : ""}`);
 });
+function buildEventsQs(opts) {
+  const qs = new URLSearchParams({ limit: opts.limit ?? "200" });
+  if (opts.after) qs.set("after", opts.after);
+  if (opts.before) qs.set("before", opts.before);
+  if (opts.kind) qs.set("kind", opts.kind);
+  if (opts.type) qs.set("type", opts.type);
+  return qs;
+}
+function printEventRow(ev) {
+  const ts2 = ev.ts.slice(11, 19);
+  const text = ev.payload?.text ?? ev.payload?.preview ?? "";
+  const preview = typeof text === "string" && text ? (text.length > 200 ? text.slice(0, 200) + "\u2026" : text).replace(/\s+/g, " ") : "";
+  console.log(`#${String(ev.id).padStart(5)} ${ts2} ${ev.kind.padEnd(4)} ${ev.type.padEnd(20)} ${preview}`);
+}
+function printPagedHasMore(data, json) {
+  if (data.hasMore && !json) {
+    console.log(`(more \u2014 older: --before ${data.firstId} \xB7 newer: --after ${data.lastId})`);
+  }
+}
 var sessionEvents = new Command("events").description("dump recent events for a session (history; non-TUI)").argument("<ref>", "session UUID or @routingName").option("--limit <n>", "max events to return (default 200, max 1000)", "200").option("--after <id>", "forward pagination: events with id > given").option("--before <id>", "backward pagination: events with id < given").option("--kind <k>", "filter to chat or tail").option("--type <t>", "filter by type (e.g. PreToolUse, reply)").option("--json", "emit one JSON object per line instead of human-readable").action(async (ref, opts) => {
   if (opts.after && opts.before) {
     console.error("error: use --after OR --before, not both");
     process.exit(2);
   }
   const id = await resolveSessionId(ref);
-  const qs = new URLSearchParams({ limit: opts.limit ?? "200" });
-  if (opts.after) qs.set("after", opts.after);
-  if (opts.before) qs.set("before", opts.before);
-  if (opts.kind) qs.set("kind", opts.kind);
-  if (opts.type) qs.set("type", opts.type);
+  const qs = buildEventsQs(opts);
   const data = await api.get(
     `/api/v1/sessions/${encodeURIComponent(id)}/events?${qs.toString()}`
   );
@@ -68447,24 +68590,28 @@ var sessionEvents = new Command("events").description("dump recent events for a
       console.log(JSON.stringify(ev));
       continue;
     }
-    const ts2 = ev.ts.slice(11, 19);
-    const text = ev.payload?.text ?? ev.payload?.preview ?? "";
-    const preview = typeof text === "string" && text ? (text.length > 200 ? text.slice(0, 200) + "\u2026" : text).replace(/\s+/g, " ") : "";
-    console.log(`#${String(ev.id).padStart(5)} ${ts2} ${ev.kind.padEnd(4)} ${ev.type.padEnd(20)} ${preview}`);
-  }
-  if (data.hasMore && !opts.json) {
-    console.log(`(more \u2014 older: --before ${data.firstId} \xB7 newer: --after ${data.lastId})`);
+    printEventRow(ev);
   }
+  printPagedHasMore(data, opts.json);
 });
+function buildMessagesQs(opts) {
+  const qs = new URLSearchParams({ limit: opts.limit ?? "100" });
+  if (opts.after) qs.set("after", opts.after);
+  if (opts.before) qs.set("before", opts.before);
+  return qs;
+}
+function printOpMessageRow(m) {
+  const ts2 = m.ts.slice(11, 19);
+  const flag = m.deletedAt ? " [deleted]" : m.editedAt ? " [edited]" : "";
+  console.log(`#${String(m.id).padStart(5)} ${ts2} @${m.authorLogin.padEnd(20)} ${m.text}${flag}`);
+}
 var sessionMessages = new Command("messages").alias("msgs").description("dump operator-to-operator chat for a session (op-messages history)").argument("<ref>", "session UUID or @routingName").option("--limit <n>", "max messages to return (default 100, max 500)", "100").option("--after <id>", "forward pagination").option("--before <id>", "backward pagination").option("--json", "emit one JSON object per line").action(async (ref, opts) => {
   if (opts.after && opts.before) {
     console.error("error: use --after OR --before, not both");
     process.exit(2);
   }
   const id = await resolveSessionId(ref);
-  const qs = new URLSearchParams({ limit: opts.limit ?? "100" });
-  if (opts.after) qs.set("after", opts.after);
-  if (opts.before) qs.set("before", opts.before);
+  const qs = buildMessagesQs(opts);
   const data = await api.get(
     `/api/v1/sessions/${encodeURIComponent(id)}/op-messages?${qs.toString()}`
   );
@@ -68477,13 +68624,9 @@ var sessionMessages = new Command("messages").alias("msgs").description("dump op
       console.log(JSON.stringify(m));
       continue;
     }
-    const ts2 = m.ts.slice(11, 19);
-    const flag = m.deletedAt ? " [deleted]" : m.editedAt ? " [edited]" : "";
-    console.log(`#${String(m.id).padStart(5)} ${ts2} @${m.authorLogin.padEnd(20)} ${m.text}${flag}`);
-  }
-  if (data.hasMore && !opts.json) {
-    console.log(`(more \u2014 older: --before ${data.firstId} \xB7 newer: --after ${data.lastId})`);
+    printOpMessageRow(m);
   }
+  printPagedHasMore(data, opts.json);
 });
 var sessionArchive = new Command("archive").description("soft-delete a session (sets archivedAt). Note: register-time reconnect unarchives, so a session whose UUID is still in a project's .claude/clawborrator/session.json will resurrect on its next start.").argument("<ref>", "session UUID or @routingName").action(async (ref) => {
   const id = await resolveSessionId(ref);
@@ -68497,14 +68640,12 @@ var sessionArchive = new Command("archive").description("soft-delete a session (
     console.log(`\u2713 archived ${r.sessionId} at ${r.archivedAt}`);
   }
 });
-var sessionPrune = new Command("prune").description("hard-delete duplicate session rows that share a routing name. The live (or most-recently-seen) row is kept; the rest are removed along with their events / op-messages / shares (FK cascade). Use --dry-run first if unsure.").option("--dry-run", "show what would be deleted without writing").option("--routing <name>", "narrow to a single routing name (e.g. @driver)").action(async (opts) => {
+function buildPruneBody(opts) {
   const body = { dryRun: !!opts.dryRun };
   if (opts.routing) body.routingName = opts.routing.startsWith("@") ? opts.routing : "@" + opts.routing;
-  const r = await api.post(`/api/v1/sessions/prune`, body);
-  if (r.deleted.length === 0) {
-    console.log("nothing to prune (no routing-name duplicates).");
-    return;
-  }
+  return body;
+}
+function printPruneResult(r) {
   const verb = r.dryRun ? "would delete" : "deleted";
   console.log(`${verb} ${r.deleted.length} duplicate${r.deleted.length === 1 ? "" : "s"}:`);
   for (const d of r.deleted) {
@@ -68516,6 +68657,14 @@ var sessionPrune = new Command("prune").description("hard-delete duplicate sessi
     console.log(`  \u2713 ${k.routingName.padEnd(20)} ${k.sessionId}`);
   }
   if (r.dryRun) console.log("\n(--dry-run \u2014 re-run without it to apply)");
+}
+var sessionPrune = new Command("prune").description("hard-delete duplicate session rows that share a routing name. The live (or most-recently-seen) row is kept; the rest are removed along with their events / op-messages / shares (FK cascade). Use --dry-run first if unsure.").option("--dry-run", "show what would be deleted without writing").option("--routing <name>", "narrow to a single routing name (e.g. @driver)").action(async (opts) => {
+  const r = await api.post(`/api/v1/sessions/prune`, buildPruneBody(opts));
+  if (r.deleted.length === 0) {
+    console.log("nothing to prune (no routing-name duplicates).");
+    return;
+  }
+  printPruneResult(r);
 });
 var sessionDelete = new Command("delete").description("hard-delete a single session \u2014 cascades events / op-messages / shares / files (refcount-sweeps blobs). Irreversible. Use `archive` for the soft form (auto-resurrects on reconnect). Prompts if the routing name matches more than one row, even when only one is online \u2014 both are equally permanent to delete.").argument("<ref>", "session UUID or @routingName").option("--hard", "required: confirm you want a permanent delete (no soft form is offered without this flag)").action(async (ref, opts) => {
   if (!opts.hard) {
@@ -68632,7 +68781,28 @@ var sessionUnshareCmd = new Command("unshare").description("revoke a user's shar
     console.log(`\u2717 revoked @${out.login}'s access to ${out.sessionId.slice(0, 8)}\u2026`);
   }
 });
-var sessionCmd = new Command("session").description("manage Claude Code sessions registered with this hub").addCommand(sessionList).addCommand(sessionInfo).addCommand(sessionAttach).addCommand(sessionEvents).addCommand(sessionMessages).addCommand(sessionArchive).addCommand(sessionPrune).addCommand(sessionPrompt).addCommand(sessionDelete).addCommand(sessionShareCmd).addCommand(sessionSharesCmd).addCommand(sessionUnshareCmd).addCommand(sessionFiles).addCommand(sessionFileRm);
+var sessionKill = new Command("kill").description("kill the CC process for a managed session (keeps the session row)").argument("<ref>", "session UUID, @routingName, or @owner/slug").action(async (ref) => {
+  const id = await resolveSessionId(ref, { destructive: true });
+  await api.post(`/api/v1/sessions/${encodeURIComponent(id)}/kill`, {});
+  console.log(`\u2717 killed CC process for ${id.slice(0, 8)}\u2026`);
+});
+var sessionRestart = new Command("restart").description("kill + respawn the CC process for a managed session").argument("<ref>", "session UUID, @routingName, or @owner/slug").action(async (ref) => {
+  const id = await resolveSessionId(ref, { destructive: true });
+  const out = await api.post(
+    `/api/v1/sessions/${encodeURIComponent(id)}/restart`,
+    {}
+  );
+  console.log(`\u21BA restarted: ${out.sessionId}`);
+});
+var sessionScreenshot = new Command("screenshot").description("print the current rendered terminal frame for a managed session").argument("<ref>", "session UUID, @routingName, or @owner/slug").action(async (ref) => {
+  const id = await resolveSessionId(ref);
+  const out = await api.get(
+    `/api/v1/sessions/${encodeURIComponent(id)}/screenshot`
+  );
+  console.error(`(${out.cols}\xD7${out.rows} terminal \u2014 cursor at ${out.cursor?.row ?? "?"},${out.cursor?.col ?? "?"})`);
+  process.stdout.write(out.text.endsWith("\n") ? out.text : out.text + "\n");
+});
+var sessionCmd = new Command("session").description("manage Claude Code sessions registered with this hub").addCommand(sessionList).addCommand(sessionInfo).addCommand(sessionAttach).addCommand(sessionEvents).addCommand(sessionMessages).addCommand(sessionArchive).addCommand(sessionPrune).addCommand(sessionPrompt).addCommand(sessionDelete).addCommand(sessionShareCmd).addCommand(sessionSharesCmd).addCommand(sessionUnshareCmd).addCommand(sessionFiles).addCommand(sessionFileRm).addCommand(sessionKill).addCommand(sessionRestart).addCommand(sessionScreenshot);
 
 // src/commands/token.ts
 var import_node_fs2 = require("node:fs");
@@ -68796,27 +68966,34 @@ var webhookRm = new Command("rm").alias("delete").description("remove a webhook
 var webhookCmd = new Command("webhook").description("manage webhook subscriptions").addCommand(webhookAdd).addCommand(webhookList).addCommand(webhookTest).addCommand(webhookRm);
 
 // src/commands/agents.ts
-var agentsList = new Command("list").alias("ls").description("list published agents (default) or your own agents (--mine)").option("--mine", "list every agent you own, including drafts").option("--owner <login>", "list a specific creator's published agents").option("--q <text>", "substring match on handle / name / tagline").action(async (opts) => {
+function buildAgentsListQs(opts) {
   const params = new URLSearchParams();
   if (opts.mine) params.set("mine", "true");
   if (opts.owner) params.set("owner", opts.owner);
   if (opts.q) params.set("q", opts.q);
-  const qs = params.toString() ? "?" + params.toString() : "";
-  const data = await api.get(`/api/v1/agents${qs}`);
+  return params.toString() ? "?" + params.toString() : "";
+}
+function printAgentRow(a) {
+  const dot = a.online ? "\u25CF" : "\u25CB";
+  const tag2 = a.status === "draft" ? " [draft]" : "";
+  const iso = a.isolated ? " [isolated]" : " [composable]";
+  const stats = `${a.queriesAllTime} queries`;
+  const tagln = a.tagline ? ` \u2014 ${a.tagline}` : "";
+  console.log(`${dot} @${a.handle}${tag2}${iso}  ${a.name}  ${stats}${tagln}`);
+}
+var agentsList = new Command("list").alias("ls").description("list published agents (default) or your own agents (--mine)").option("--mine", "list every agent you own, including drafts").option("--owner <login>", "list a specific creator's published agents").option("--q <text>", "substring match on handle / name / tagline").action(async (opts) => {
+  const data = await api.get(`/api/v1/agents${buildAgentsListQs(opts)}`);
   if (data.items.length === 0) {
     console.log("no agents");
     return;
   }
-  for (const a of data.items) {
-    const dot = a.online ? "\u25CF" : "\u25CB";
-    const tag2 = a.status === "draft" ? " [draft]" : "";
-    const iso = a.isolated ? " [isolated]" : " [composable]";
-    const stats = `${a.queriesAllTime} queries`;
-    const tagln = a.tagline ? ` \u2014 ${a.tagline}` : "";
-    console.log(`${dot} @${a.handle}${tag2}${iso}  ${a.name}  ${stats}${tagln}`);
-  }
+  for (const a of data.items) printAgentRow(a);
 });
 var agentsPublish = new Command("publish").description("publish a session as a public agent").requiredOption("--session <id>", "the session UUID to back the agent").requiredOption("--name <name>", 'display name (e.g. "viper-rust-expert")').option("--tagline <text>", "one-line description (160 chars max)").option("--description <text>", "long-form description, markdown allowed (4 KB max)").option("--slug <slug>", "explicit slug (default: derived from session routingName)").option("--draft", "publish as draft (status=draft); use --published to go live immediately").option("--published", "publish as live (status=published)").option("--budget <n>", "daily budget in queries (default 1000, max 100000)", (v) => parseInt(v, 10)).option("--concurrency <n>", "concurrent in-flight queries cap (default 5, max 20)", (v) => parseInt(v, 10)).option("--isolated", "isolated mode: agent CC cannot use cross-session routing tools while answering (default true; safer)").option("--composable", "composable mode: agent CC may use cross-session routing tools (gated against the requester's own access)").action(async (opts) => {
+  const r = await api.post("/api/v1/agents", buildPublishBody(opts));
+  printPublishResult(r);
+});
+function buildPublishBody(opts) {
   const status = opts.published ? "published" : "draft";
   const body = {
     sessionId: opts.session,
@@ -68830,7 +69007,9 @@ var agentsPublish = new Command("publish").description("publish a session as a p
   if (typeof opts.concurrency === "number") body.concurrencyCap = opts.concurrency;
   if (opts.composable) body.isolated = false;
   else if (opts.isolated) body.isolated = true;
-  const r = await api.post("/api/v1/agents", body);
+  return body;
+}
+function printPublishResult(r) {
   console.log(`\u2713 ${r.restored ? "restored" : "published"} agent: @${r.handle}`);
   console.log(`  name:    ${r.name}`);
   console.log(`  status:  ${r.status}`);
@@ -68842,19 +69021,11 @@ var agentsPublish = new Command("publish").description("publish a session as a p
   } else {
     console.log(`  call as: '@${r.handle} <question>' from any session prompt`);
   }
-});
+}
 var agentsUpdate = new Command("update").description("update an agent").argument("<handle>", "@owner/slug").option("--status <s>", "draft | published").option("--name <name>").option("--tagline <text>").option("--description <text>").option("--budget <n>", "daily budget in queries", (v) => parseInt(v, 10)).option("--concurrency <n>", "concurrency cap", (v) => parseInt(v, 10)).option("--isolated", "switch to isolated mode (block cross-session routing while answering)").option("--composable", "switch to composable mode (allow cross-session routing tools)").action(async (handleArg, opts) => {
   const handle = handleArg.replace(/^@/, "");
   const agent = await api.get(`/api/v1/agents/by-handle/${encodeURIComponent(handle.split("/")[0])}/${encodeURIComponent(handle.split("/")[1] ?? "")}`);
-  const body = {};
-  if (opts.status) body.status = opts.status;
-  if (opts.name) body.name = opts.name;
-  if (opts.tagline) body.tagline = opts.tagline;
-  if (opts.description) body.description = opts.description;
-  if (typeof opts.budget === "number") body.dailyBudgetQueries = opts.budget;
-  if (typeof opts.concurrency === "number") body.concurrencyCap = opts.concurrency;
-  if (opts.composable) body.isolated = false;
-  else if (opts.isolated) body.isolated = true;
+  const body = buildUpdateBody(opts);
   if (Object.keys(body).length === 0) {
     console.error("no fields to update");
     process.exit(2);
@@ -68865,6 +69036,18 @@ var agentsUpdate = new Command("update").description("update an agent").argument
   console.log(`  mode:    ${r.isolated ? "isolated" : "composable"}`);
   console.log(`  budget:  ${r.dailyBudgetQueries}/day, concurrency ${r.concurrencyCap}`);
 });
+function buildUpdateBody(opts) {
+  const body = {};
+  if (opts.status) body.status = opts.status;
+  if (opts.name) body.name = opts.name;
+  if (opts.tagline) body.tagline = opts.tagline;
+  if (opts.description) body.description = opts.description;
+  if (typeof opts.budget === "number") body.dailyBudgetQueries = opts.budget;
+  if (typeof opts.concurrency === "number") body.concurrencyCap = opts.concurrency;
+  if (opts.composable) body.isolated = false;
+  else if (opts.isolated) body.isolated = true;
+  return body;
+}
 var agentsUnpublish = new Command("unpublish").description("soft-delete an agent (drops its handle)").argument("<handle>", "@owner/slug").action(async (handleArg) => {
   const handle = handleArg.replace(/^@/, "");
   const [owner, slug] = handle.split("/");
@@ -68885,28 +69068,309 @@ var agentsInbound = new Command("inbound").description("audit view: who has been
   }
   const agent = await api.get(`/api/v1/agents/by-handle/${encodeURIComponent(owner)}/${encodeURIComponent(slug)}`);
   const data = await api.get(`/api/v1/agents/${agent.id}/inbound?days=${opts.days}`);
+  printInboundReport(data);
+});
+function printInboundReport(data) {
   console.log(`@${data.agent.handle}  (${data.window.days}-day window)`);
   console.log(`  total: ${data.summary.total}  ok: ${data.summary.ok}  denied: ${data.summary.denied}  avg-latency: ${data.summary.avgLatencyMs ?? "\u2014"}ms  askers: ${data.summary.distinctAskers}`);
-  if (data.topAskers.length) {
-    console.log("");
-    console.log("top askers:");
-    for (const t of data.topAskers) {
-      console.log(`  @${t.login.padEnd(20)} ${String(t.count).padStart(4)} queries  last: ${t.lastAt}`);
+  if (data.topAskers.length) printInboundTopAskers(data.topAskers);
+  if (data.recent.length) printInboundRecent(data.recent);
+}
+function printInboundTopAskers(items) {
+  console.log("");
+  console.log("top askers:");
+  for (const t of items) {
+    console.log(`  @${t.login.padEnd(20)} ${String(t.count).padStart(4)} queries  last: ${t.lastAt}`);
+  }
+}
+function printInboundRecent(items) {
+  console.log("");
+  console.log("recent:");
+  for (const r of items.slice(0, 20)) {
+    const flag = r.ok ? "\u2713" : "\u2717";
+    const lat = r.latencyMs != null ? ` ${r.latencyMs}ms` : "";
+    const why = r.deniedReason ? ` [${r.deniedReason}]` : "";
+    const q = r.question.length > 70 ? r.question.slice(0, 67) + "\u2026" : r.question;
+    console.log(`  ${flag} ${r.ts}  @${r.askerLogin}${lat}${why}  ${q}`);
+  }
+}
+var agentsCmd = new Command("agents").description("public expert agents \u2014 list, publish, update, audit").addCommand(agentsList).addCommand(agentsPublish).addCommand(agentsUpdate).addCommand(agentsUnpublish).addCommand(agentsInbound);
+
+// src/commands/apps.ts
+var import_promises = require("node:readline/promises");
+var import_node_http2 = require("node:http");
+var import_node_crypto2 = require("node:crypto");
+var import_node_child_process2 = require("node:child_process");
+function fmtAgo3(iso) {
+  if (!iso) return "never";
+  let s = iso;
+  if (!/[zZ]|[+-]\d{2}:?\d{2}$/.test(s)) s = s.replace(" ", "T") + "Z";
+  const ms = Date.now() - new Date(s).getTime();
+  if (!Number.isFinite(ms)) return "\u2014";
+  if (ms < 0) return "just now";
+  if (ms < 6e4) return Math.max(1, Math.floor(ms / 1e3)) + "s ago";
+  if (ms < 36e5) return Math.floor(ms / 6e4) + "m ago";
+  if (ms < 864e5) return Math.floor(ms / 36e5) + "h ago";
+  return Math.floor(ms / 864e5) + "d ago";
+}
+function base64url2(buf) {
+  return buf.toString("base64").replace(/=+$/, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function openBrowser2(url) {
+  const platform2 = process.platform;
+  try {
+    if (platform2 === "win32") {
+      (0, import_node_child_process2.spawn)("cmd", ["/c", "start", '""', `"${url}"`], {
+        stdio: "ignore",
+        detached: true,
+        windowsVerbatimArguments: true
+      }).unref();
+    } else {
+      const cmd = platform2 === "darwin" ? "open" : "xdg-open";
+      (0, import_node_child_process2.spawn)(cmd, [url], { stdio: "ignore", detached: true }).unref();
     }
+  } catch {
   }
-  if (data.recent.length) {
-    console.log("");
-    console.log("recent:");
-    for (const r of data.recent.slice(0, 20)) {
-      const flag = r.ok ? "\u2713" : "\u2717";
-      const lat = r.latencyMs != null ? ` ${r.latencyMs}ms` : "";
-      const why = r.deniedReason ? ` [${r.deniedReason}]` : "";
-      const q = r.question.length > 70 ? r.question.slice(0, 67) + "\u2026" : r.question;
-      console.log(`  ${flag} ${r.ts}  @${r.askerLogin}${lat}${why}  ${q}`);
+}
+var appsMint = new Command("mint").description("mint a new SPA app token (cw_app_\u2026) for testing \u2014 equivalent to walking the OAuth flow but uses the CLI's already-authenticated session").argument("<name>", "human-readable label for the token, shown in `claw apps list`").action(async (name) => {
+  const out = await api.post("/api/v1/auth/apps/mint", { name });
+  console.log(`\u2713 minted app token "${out.tokenName}"`);
+  console.log(out.token);
+  console.log("");
+  console.log("Stash this somewhere safe \u2014 it can't be retrieved later. Use as `Authorization: Bearer " + out.token + "` for any /api/v1/* call. Revoke with `claw apps revoke <id>` (id from `claw apps list`).");
+});
+function printAppRow(t) {
+  const created = `created ${fmtAgo3(t.createdAt)}`;
+  const lastUsed = `last used ${fmtAgo3(t.lastUsedAt)}`;
+  const revoked = t.revokedAt ? `   REVOKED ${fmtAgo3(t.revokedAt)}` : "";
+  const label = (t.appName ?? t.name ?? "").padEnd(28);
+  console.log(`@${String(t.id).padStart(4)}  ${label}  ${created}   ${lastUsed}${revoked}`);
+}
+var appsList = new Command("list").alias("ls").description("list this user's SPA app tokens (kind=app). Active only by default; --all to include revoked.").option("--all", "include revoked tokens").action(async (opts) => {
+  const qs = opts.all ? "?includeRevoked=true" : "";
+  const data = await api.get("/api/v1/tokens" + qs);
+  const apps = data.items.filter((t) => t.kind === "app");
+  if (apps.length === 0) {
+    console.log("no app tokens");
+    return;
+  }
+  for (const t of apps) printAppRow(t);
+});
+async function confirmYesNo(prompt) {
+  if (!process.stdin.isTTY) {
+    console.error("error: not a TTY \u2014 pass --yes to skip the confirmation prompt");
+    return false;
+  }
+  const rl = (0, import_promises.createInterface)({ input: process.stdin, output: process.stdout });
+  try {
+    const ans = (await rl.question(prompt + " [y/N] ")).trim().toLowerCase();
+    return ans === "y" || ans === "yes";
+  } finally {
+    rl.close();
+  }
+}
+var appsRevoke = new Command("revoke").description("revoke an app token by id (from `claw apps list`). Idempotent on the server, but prompts here unless --yes.").argument("<id>", "token id (the @<num> column from `claw apps list`)").option("--yes", "skip the y/N confirmation prompt").action(async (idArg, opts) => {
+  const id = Number(idArg.replace(/^@/, ""));
+  if (!Number.isInteger(id) || id <= 0) {
+    console.error("error: id must be a positive integer");
+    process.exit(2);
+  }
+  if (!opts.yes) {
+    const ok = await confirmYesNo(`revoke app token #${id}?`);
+    if (!ok) {
+      console.log("aborted");
+      return;
+    }
+  }
+  try {
+    await api.delete(`/api/v1/tokens/${id}`);
+    console.log(`\u2713 revoked app token #${id}`);
+  } catch (e) {
+    if (e instanceof ApiError) {
+      console.error(`error: ${e.status} ${e.code} \u2014 ${e.message}`);
+      process.exit(1);
     }
+    throw e;
   }
 });
-var agentsCmd = new Command("agents").description("public expert agents \u2014 list, publish, update, audit").addCommand(agentsList).addCommand(agentsPublish).addCommand(agentsUpdate).addCommand(agentsUnpublish).addCommand(agentsInbound);
+function awaitSpaCallback(server) {
+  return new Promise((resolve3, reject) => {
+    server.on("request", (req, res) => {
+      res.setHeader("Connection", "close");
+      const u = new URL(req.url ?? "/", "http://localhost");
+      if (u.pathname !== "/" && u.pathname !== "/callback") {
+        res.statusCode = 404;
+        res.end("not found");
+        return;
+      }
+      const code = u.searchParams.get("code") ?? "";
+      const state = u.searchParams.get("state") ?? "";
+      const error = u.searchParams.get("error");
+      if (error) {
+        res.setHeader("Content-Type", "text/html; charset=utf-8");
+        res.end(`<html><body><h2>oauth error: ${error}</h2><p>you can close this tab.</p></body></html>`);
+        reject(new Error(`oauth error: ${error}`));
+        return;
+      }
+      if (!code || !state) {
+        res.statusCode = 400;
+        res.end("missing code or state");
+        reject(new Error("callback missing code or state"));
+        return;
+      }
+      res.setHeader("Content-Type", "text/html; charset=utf-8");
+      res.end("<html><body><h2>oauth code received</h2><p>you can close this tab and return to the terminal.</p><script>setTimeout(() => window.close(), 1500);</script></body></html>");
+      resolve3({ code, state });
+    });
+    server.on("error", reject);
+  });
+}
+async function spaTestOauthFlow(args) {
+  const verifier = base64url2((0, import_node_crypto2.randomBytes)(32));
+  const challenge = base64url2((0, import_node_crypto2.createHash)("sha256").update(verifier).digest());
+  const stateNonce = base64url2((0, import_node_crypto2.randomBytes)(16));
+  const appName = "claw-cli-test-oauth";
+  const server = (0, import_node_http2.createServer)();
+  await new Promise((resolve3, reject) => {
+    server.once("error", reject);
+    server.listen(args.port, "127.0.0.1", () => resolve3());
+  });
+  const actualPort = server.address().port;
+  const redirectUri = `http://127.0.0.1:${actualPort}`;
+  const startUrl = new URL("/api/v1/auth/spa/start", args.hubUrl);
+  startUrl.searchParams.set("redirect_uri", redirectUri);
+  startUrl.searchParams.set("state", stateNonce);
+  startUrl.searchParams.set("code_challenge", challenge);
+  startUrl.searchParams.set("code_challenge_method", "S256");
+  startUrl.searchParams.set("app_name", appName);
+  console.log("Opening browser to authorize\u2026");
+  console.log(`  if it doesn't open automatically, paste this URL into a browser:`);
+  console.log(`    ${startUrl}`);
+  console.log("");
+  openBrowser2(startUrl.toString());
+  let cb;
+  let timeoutHandle;
+  try {
+    cb = await Promise.race([
+      awaitSpaCallback(server),
+      new Promise((_, reject) => {
+        timeoutHandle = setTimeout(
+          () => reject(new Error("test-oauth timed out after 5 minutes (matches app_code TTL)")),
+          5 * 60 * 1e3
+        );
+      })
+    ]);
+  } finally {
+    if (timeoutHandle) clearTimeout(timeoutHandle);
+    server.close();
+    server.closeAllConnections?.();
+  }
+  if (cb.state !== stateNonce) throw new Error("state mismatch \u2014 possible CSRF; aborting");
+  const res = await fetch(args.hubUrl.replace(/\/$/, "") + "/api/v1/auth/spa/exchange", {
+    method: "POST",
+    headers: { "Content-Type": "application/json", "User-Agent": "clawborrator-cli" },
+    body: JSON.stringify({ code: cb.code, code_verifier: verifier })
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    let parsed = null;
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+    }
+    throw new ApiError(res.status, parsed?.error ?? `http_${res.status}`, parsed?.message ?? parsed?.error ?? text);
+  }
+  const out = await res.json();
+  return { ...out, appName };
+}
+var appsTestOauth = new Command("test-oauth").description("walk the full SPA OAuth+PKCE flow end-to-end as a debug tool. Mints a real `cw_app_\u2026` token; revoke afterwards via `claw apps revoke <id>` if you don't want it lying around.").option("--port <n>", "local listener port (default 8765)", (v) => parseInt(v, 10), 8765).action(async (opts) => {
+  const cfg = loadConfig();
+  const hubUrl = cfg.hubUrl.replace(/\/+$/, "");
+  if (!Number.isInteger(opts.port) || opts.port < 1 || opts.port > 65535) {
+    console.error("error: --port must be an integer in 1..65535");
+    process.exit(2);
+  }
+  console.log(`hub: ${hubUrl}`);
+  try {
+    const out = await spaTestOauthFlow({ hubUrl, port: opts.port });
+    console.log("");
+    console.log("\u2713 flow completed");
+    console.log(`token:    ${out.token}`);
+    console.log(`appName:  ${out.appName}`);
+    console.log(`curl:     curl -H 'Authorization: Bearer ${out.token}' ${hubUrl}/api/v1/me`);
+    console.log("");
+    console.log("Note: this token is real (counted against mint quotas etc). List with `claw apps list`,");
+    console.log("and revoke via `claw apps revoke <id>` once you're done debugging.");
+  } catch (e) {
+    console.error("error: " + (e?.message ?? String(e)));
+    process.exit(1);
+  }
+});
+var appsCmd = new Command("apps").description("manage SPA app tokens (kind=app, `cw_app_\u2026`) \u2014 mint, list, revoke, and end-to-end-test the SPA OAuth+PKCE flow").addCommand(appsMint).addCommand(appsList).addCommand(appsRevoke).addCommand(appsTestOauth);
+
+// src/commands/desktop.ts
+var desktopList = new Command("list").alias("ls").description("list desktop daemons registered for the current user").action(async () => {
+  const data = await api.get("/api/v1/desktops");
+  if (data.items.length === 0) {
+    console.log("no registered desktops");
+    return;
+  }
+  for (const d of data.items) {
+    const dot = d.online ? "\u25CF" : "\u25CB";
+    const host = d.hostname ?? "(unknown host)";
+    const ver = d.daemonVersion ?? "?";
+    console.log(`${dot} ${d.machineId.slice(0, 8)}  ${host.padEnd(24)} v${ver.padEnd(8)} last-seen ${fmtAgo4(d.lastSeenAt)}`);
+  }
+});
+var desktopCreate = new Command("create-session").description("ask a desktop daemon to spawn a managed CC session in a folder").argument("<machineId>", "desktop machine id (from `claw desktop list`)").argument("<folder>", "absolute path on the desktop where CC should be spawned").option("--routing-name <name>", "optional routing name for the new session (e.g. @frontend)").action(async (machineId, folder, opts) => {
+  const body = { folder };
+  if (opts.routingName) body.routingName = opts.routingName;
+  const out = await api.post(
+    `/api/v1/desktops/${encodeURIComponent(machineId)}/sessions`,
+    body
+  );
+  console.log(`\u2713 session created: ${out.sessionId}`);
+});
+var desktopCmd = new Command("desktop").description("inspect + control desktop daemons (clawborrator-supervisor)").addCommand(desktopList).addCommand(desktopCreate);
+function fmtAgo4(iso) {
+  const ms = Date.now() - new Date(iso).getTime();
+  if (ms < 6e4) return Math.max(1, Math.floor(ms / 1e3)) + "s ago";
+  if (ms < 36e5) return Math.floor(ms / 6e4) + "m ago";
+  if (ms < 864e5) return Math.floor(ms / 36e5) + "h ago";
+  return Math.floor(ms / 864e5) + "d ago";
+}
+
+// src/commands/prompt-memory.ts
+var promptMemoryList = new Command("list").alias("ls").description("list remembered startup-prompt answers").option("--machine-id <id>", "filter to one machine").option("--folder <path>", "filter to one folder").action(async (opts) => {
+  const qs = new URLSearchParams();
+  if (opts.machineId) qs.set("machineId", opts.machineId);
+  if (opts.folder) qs.set("folder", opts.folder);
+  const url = "/api/v1/prompt-memory" + (qs.toString() ? "?" + qs : "");
+  const data = await api.get(url);
+  if (data.items.length === 0) {
+    console.log("no remembered answers");
+    return;
+  }
+  for (const m of data.items) {
+    const where = [m.machineId?.slice(0, 8) ?? "*", m.folder ?? "*"].join("  ");
+    const printableAnswer = JSON.stringify(m.answer);
+    console.log(`${m.id.toString().padStart(4)}  ${m.category.padEnd(28)} ${printableAnswer.padEnd(8)}  ${where}`);
+  }
+});
+var promptMemorySet = new Command("set").description("set or update a remembered answer (idempotent)").requiredOption("--category <category>", "e.g. startup_trust_folder, startup_use_mcp").requiredOption("--answer <bytes>", 'literal bytes the daemon should type, e.g. "y\\n"').option("--machine-id <id>", "scope to a specific machine; omit for all-machines").option("--folder <path>", "scope to a specific folder; omit for all-folders").action(async (opts) => {
+  const out = await api.post("/api/v1/prompt-memory", {
+    machineId: opts.machineId ?? null,
+    folder: opts.folder ?? null,
+    category: opts.category,
+    answer: opts.answer
+  });
+  console.log(`\u2713 remembered #${out.id}: ${out.category} \u2192 ${JSON.stringify(out.answer)}`);
+});
+var promptMemoryForget = new Command("forget").description("forget a remembered answer by id (from `claw prompt-memory list`)").argument("<id>", "memory id").action(async (id) => {
+  await api.delete(`/api/v1/prompt-memory/${encodeURIComponent(id)}`);
+  console.log(`\u2717 forgot memory ${id}`);
+});
+var promptMemoryCmd = new Command("prompt-memory").description("view and manage remembered CC startup-prompt answers").addCommand(promptMemoryList).addCommand(promptMemorySet).addCommand(promptMemoryForget);
 
 // src/index.ts
 var program2 = new Command();
@@ -68921,6 +69385,9 @@ program2.addCommand(routeCmd);
 program2.addCommand(probeCmd);
 program2.addCommand(webhookCmd);
 program2.addCommand(agentsCmd);
+program2.addCommand(appsCmd);
+program2.addCommand(desktopCmd);
+program2.addCommand(promptMemoryCmd);
 program2.parseAsync(process.argv).catch((err) => {
   console.error(err.message ?? err);
   process.exit(1);