codeharbor 0.1.0 → 0.1.2

package/dist/cli.js

@@ -24,16 +24,1770 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 ));
 
 // src/cli.ts
+var import_node_fs9 = __toESM(require("fs"));
+var import_node_path11 = __toESM(require("path"));
 var import_commander = require("commander");
 
 // src/app.ts
-var import_node_child_process2 = require("child_process");
+var import_node_child_process3 = require("child_process");
+var import_node_util2 = require("util");
+
+// src/admin-server.ts
+var import_node_child_process = require("child_process");
+var import_node_fs2 = __toESM(require("fs"));
+var import_node_http = __toESM(require("http"));
+var import_node_path2 = __toESM(require("path"));
 var import_node_util = require("util");
 
+// src/init.ts
+var import_node_fs = __toESM(require("fs"));
+var import_node_path = __toESM(require("path"));
+var import_promises = require("readline/promises");
+var import_dotenv = __toESM(require("dotenv"));
+async function runInitCommand(options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const envPath = import_node_path.default.resolve(cwd, ".env");
+  const templatePath = resolveInitTemplatePath(cwd);
+  const input = options.input ?? process.stdin;
+  const output = options.output ?? process.stdout;
+  const templateContent = import_node_fs.default.readFileSync(templatePath, "utf8");
+  const existingContent = import_node_fs.default.existsSync(envPath) ? import_node_fs.default.readFileSync(envPath, "utf8") : "";
+  const existingValues = existingContent ? import_dotenv.default.parse(existingContent) : {};
+  const rl = (0, import_promises.createInterface)({ input, output });
+  try {
+    if (existingContent && !options.force) {
+      const overwrite = await askYesNo(
+        rl,
+        "Detected existing .env file. Overwrite with guided setup?",
+        false
+      );
+      if (!overwrite) {
+        output.write("Init aborted. Keep existing .env unchanged.\n");
+        return;
+      }
+    }
+    output.write("CodeHarbor setup wizard\n");
+    output.write(`Target file: ${envPath}
+`);
+    const questions = [
+      {
+        key: "MATRIX_HOMESERVER",
+        label: "Matrix homeserver URL",
+        required: true,
+        validate: (value) => {
+          try {
+            new URL(value);
+            return null;
+          } catch {
+            return "Please enter a valid URL, for example https://matrix.example.com";
+          }
+        }
+      },
+      {
+        key: "MATRIX_USER_ID",
+        label: "Matrix bot user id",
+        required: true,
+        validate: (value) => {
+          if (!/^@[^:\s]+:.+/.test(value)) {
+            return "Please enter a Matrix user id like @bot:example.com";
+          }
+          return null;
+        }
+      },
+      {
+        key: "MATRIX_ACCESS_TOKEN",
+        label: "Matrix access token",
+        required: true,
+        hiddenDefault: true
+      },
+      {
+        key: "MATRIX_COMMAND_PREFIX",
+        label: "Group command prefix",
+        fallbackValue: "!code"
+      },
+      {
+        key: "CODEX_BIN",
+        label: "Codex binary",
+        fallbackValue: "codex"
+      },
+      {
+        key: "CODEX_WORKDIR",
+        label: "Codex working directory",
+        fallbackValue: cwd,
+        validate: (value) => {
+          const resolved = import_node_path.default.resolve(cwd, value);
+          if (!import_node_fs.default.existsSync(resolved) || !import_node_fs.default.statSync(resolved).isDirectory()) {
+            return `Directory does not exist: ${resolved}`;
+          }
+          return null;
+        }
+      }
+    ];
+    const updates = {};
+    for (const question of questions) {
+      const existingValue = (existingValues[question.key] ?? "").trim();
+      const value = await askValue(rl, question, existingValue);
+      updates[question.key] = value;
+    }
+    const mergedContent = applyEnvOverrides(templateContent, updates);
+    import_node_fs.default.writeFileSync(envPath, mergedContent, "utf8");
+    output.write(`Wrote ${envPath}
+`);
+    output.write("Next steps:\n");
+    output.write("1. codex login\n");
+    output.write("2. codeharbor doctor\n");
+    output.write("3. codeharbor start\n");
+  } finally {
+    rl.close();
+  }
+}
+function resolveInitTemplatePath(cwd) {
+  const candidates = [
+    import_node_path.default.resolve(cwd, ".env.example"),
+    import_node_path.default.resolve(__dirname, "..", ".env.example")
+  ];
+  for (const candidate of candidates) {
+    if (import_node_fs.default.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  throw new Error(`Cannot find template file. Tried: ${candidates.join(", ")}`);
+}
+function applyEnvOverrides(template, overrides) {
+  const lines = template.split(/\r?\n/);
+  const seen = /* @__PURE__ */ new Set();
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    const match = /^([A-Z0-9_]+)=(.*)$/.exec(line.trim());
+    if (!match) {
+      continue;
+    }
+    const key = match[1];
+    if (!(key in overrides)) {
+      continue;
+    }
+    lines[i] = `${key}=${formatEnvValue(overrides[key] ?? "")}`;
+    seen.add(key);
+  }
+  for (const [key, value] of Object.entries(overrides)) {
+    if (seen.has(key)) {
+      continue;
+    }
+    lines.push(`${key}=${formatEnvValue(value)}`);
+  }
+  const content = lines.join("\n");
+  return content.endsWith("\n") ? content : `${content}
+`;
+}
+function formatEnvValue(value) {
+  if (!value) {
+    return "";
+  }
+  if (/^[A-Za-z0-9_./:@+-]+$/.test(value)) {
+    return value;
+  }
+  return JSON.stringify(value);
+}
+async function askValue(rl, question, existingValue) {
+  while (true) {
+    const fallback = question.fallbackValue ?? "";
+    const displayDefault = existingValue || fallback;
+    const hint = displayDefault ? question.hiddenDefault ? "[already set]" : `[${displayDefault}]` : "";
+    const answer = (await rl.question(`${question.label} ${hint}: `)).trim();
+    const finalValue = answer || existingValue || fallback;
+    if (question.required && !finalValue) {
+      rl.write("This value is required.\n");
+      continue;
+    }
+    if (question.validate) {
+      const reason = question.validate(finalValue);
+      if (reason) {
+        rl.write(`${reason}
+`);
+        continue;
+      }
+    }
+    return finalValue;
+  }
+}
+async function askYesNo(rl, question, defaultValue) {
+  const defaultHint = defaultValue ? "[Y/n]" : "[y/N]";
+  const answer = (await rl.question(`${question} ${defaultHint}: `)).trim().toLowerCase();
+  if (!answer) {
+    return defaultValue;
+  }
+  return answer === "y" || answer === "yes";
+}
+
+// src/admin-server.ts
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
+var HttpError = class extends Error {
+  statusCode;
+  constructor(statusCode, message) {
+    super(message);
+    this.statusCode = statusCode;
+  }
+};
+var AdminServer = class {
+  config;
+  logger;
+  stateStore;
+  configService;
+  host;
+  port;
+  adminToken;
+  adminIpAllowlist;
+  adminAllowedOrigins;
+  cwd;
+  checkCodex;
+  checkMatrix;
+  server = null;
+  address = null;
+  constructor(config, logger, stateStore, configService, options) {
+    this.config = config;
+    this.logger = logger;
+    this.stateStore = stateStore;
+    this.configService = configService;
+    this.host = options.host;
+    this.port = options.port;
+    this.adminToken = options.adminToken;
+    this.adminIpAllowlist = normalizeAllowlist(options.adminIpAllowlist ?? []);
+    this.adminAllowedOrigins = normalizeOriginAllowlist(options.adminAllowedOrigins ?? []);
+    this.cwd = options.cwd ?? process.cwd();
+    this.checkCodex = options.checkCodex ?? defaultCheckCodex;
+    this.checkMatrix = options.checkMatrix ?? defaultCheckMatrix;
+  }
+  getAddress() {
+    return this.address;
+  }
+  async start() {
+    if (this.server) {
+      return;
+    }
+    this.server = import_node_http.default.createServer((req, res) => {
+      void this.handleRequest(req, res);
+    });
+    await new Promise((resolve, reject) => {
+      if (!this.server) {
+        reject(new Error("admin server is not initialized"));
+        return;
+      }
+      this.server.once("error", reject);
+      this.server.listen(this.port, this.host, () => {
+        this.server?.removeListener("error", reject);
+        const address = this.server?.address();
+        if (!address || typeof address === "string") {
+          reject(new Error("failed to resolve admin server address"));
+          return;
+        }
+        this.address = {
+          host: address.address,
+          port: address.port
+        };
+        resolve();
+      });
+    });
+  }
+  async stop() {
+    if (!this.server) {
+      return;
+    }
+    const server = this.server;
+    this.server = null;
+    this.address = null;
+    await new Promise((resolve, reject) => {
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
+        }
+        resolve();
+      });
+    });
+  }
+  async handleRequest(req, res) {
+    try {
+      const url = new URL(req.url ?? "/", "http://localhost");
+      this.setSecurityHeaders(res);
+      const corsDecision = this.resolveCors(req);
+      this.setCorsHeaders(res, corsDecision);
+      if (!this.isClientAllowed(req)) {
+        this.sendJson(res, 403, {
+          ok: false,
+          error: "Forbidden by ADMIN_IP_ALLOWLIST."
+        });
+        return;
+      }
+      if (url.pathname.startsWith("/api/admin/") && corsDecision.origin && !corsDecision.allowed) {
+        this.sendJson(res, 403, {
+          ok: false,
+          error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
+        });
+        return;
+      }
+      if (req.method === "OPTIONS") {
+        if (corsDecision.origin && !corsDecision.allowed) {
+          this.sendJson(res, 403, {
+            ok: false,
+            error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
+          });
+          return;
+        }
+        res.writeHead(204);
+        res.end();
+        return;
+      }
+      if (req.method === "GET" && isUiPath(url.pathname)) {
+        this.sendHtml(res, renderAdminConsoleHtml());
+        return;
+      }
+      if (url.pathname.startsWith("/api/admin/") && !this.isAuthorized(req)) {
+        this.sendJson(res, 401, {
+          ok: false,
+          error: "Unauthorized. Provide Authorization: Bearer <ADMIN_TOKEN>."
+        });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/config/global") {
+        this.sendJson(res, 200, {
+          ok: true,
+          data: buildGlobalConfigSnapshot(this.config),
+          effective: "next_start_for_env_changes"
+        });
+        return;
+      }
+      if (req.method === "PUT" && url.pathname === "/api/admin/config/global") {
+        const body = await readJsonBody(req);
+        const actor = readActor(req);
+        const result = this.updateGlobalConfig(body, actor);
+        this.sendJson(res, 200, {
+          ok: true,
+          ...result
+        });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/config/rooms") {
+        this.sendJson(res, 200, {
+          ok: true,
+          data: this.configService.listRoomSettings()
+        });
+        return;
+      }
+      const roomMatch = /^\/api\/admin\/config\/rooms\/(.+)$/.exec(url.pathname);
+      if (roomMatch) {
+        const roomId = decodeURIComponent(roomMatch[1]);
+        if (req.method === "GET") {
+          const room = this.configService.getRoomSettings(roomId);
+          if (!room) {
+            throw new HttpError(404, `room settings not found for ${roomId}`);
+          }
+          this.sendJson(res, 200, { ok: true, data: room });
+          return;
+        }
+        if (req.method === "PUT") {
+          const body = await readJsonBody(req);
+          const actor = readActor(req);
+          const room = this.updateRoomConfig(roomId, body, actor);
+          this.sendJson(res, 200, { ok: true, data: room });
+          return;
+        }
+        if (req.method === "DELETE") {
+          const actor = readActor(req);
+          this.configService.deleteRoomSettings(roomId, actor);
+          this.sendJson(res, 200, { ok: true, roomId });
+          return;
+        }
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/audit") {
+        const limit = normalizePositiveInt(url.searchParams.get("limit"), 20, 1, 200);
+        this.sendJson(res, 200, {
+          ok: true,
+          data: this.stateStore.listConfigRevisions(limit).map((entry) => formatAuditEntry(entry))
+        });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/health") {
+        const [codex, matrix] = await Promise.all([
+          this.checkCodex(this.config.codexBin),
+          this.checkMatrix(this.config.matrixHomeserver, this.config.doctorHttpTimeoutMs)
+        ]);
+        this.sendJson(res, 200, {
+          ok: codex.ok && matrix.ok,
+          codex,
+          matrix,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        });
+        return;
+      }
+      this.sendJson(res, 404, {
+        ok: false,
+        error: `Not found: ${req.method ?? "GET"} ${url.pathname}`
+      });
+    } catch (error) {
+      if (error instanceof HttpError) {
+        this.sendJson(res, error.statusCode, {
+          ok: false,
+          error: error.message
+        });
+        return;
+      }
+      this.logger.error("Admin API request failed", error);
+      this.sendJson(res, 500, {
+        ok: false,
+        error: formatError(error)
+      });
+    }
+  }
+  updateGlobalConfig(rawBody, actor) {
+    const body = asObject(rawBody, "global config payload");
+    const envUpdates = {};
+    const updatedKeys = [];
+    if ("matrixCommandPrefix" in body) {
+      const value = String(body.matrixCommandPrefix ?? "");
+      this.config.matrixCommandPrefix = value;
+      envUpdates.MATRIX_COMMAND_PREFIX = value;
+      updatedKeys.push("matrixCommandPrefix");
+    }
+    if ("codexWorkdir" in body) {
+      const workdir = import_node_path2.default.resolve(String(body.codexWorkdir ?? "").trim());
+      ensureDirectory(workdir, "codexWorkdir");
+      this.config.codexWorkdir = workdir;
+      envUpdates.CODEX_WORKDIR = workdir;
+      updatedKeys.push("codexWorkdir");
+    }
+    if ("rateLimiter" in body) {
+      const limiter = asObject(body.rateLimiter, "rateLimiter");
+      if ("windowMs" in limiter) {
+        const value = normalizePositiveInt(limiter.windowMs, this.config.rateLimiter.windowMs, 1, Number.MAX_SAFE_INTEGER);
+        this.config.rateLimiter.windowMs = value;
+        envUpdates.RATE_LIMIT_WINDOW_SECONDS = String(Math.max(1, Math.round(value / 1e3)));
+        updatedKeys.push("rateLimiter.windowMs");
+      }
+      if ("maxRequestsPerUser" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxRequestsPerUser, this.config.rateLimiter.maxRequestsPerUser);
+        this.config.rateLimiter.maxRequestsPerUser = value;
+        envUpdates.RATE_LIMIT_MAX_REQUESTS_PER_USER = String(value);
+        updatedKeys.push("rateLimiter.maxRequestsPerUser");
+      }
+      if ("maxRequestsPerRoom" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxRequestsPerRoom, this.config.rateLimiter.maxRequestsPerRoom);
+        this.config.rateLimiter.maxRequestsPerRoom = value;
+        envUpdates.RATE_LIMIT_MAX_REQUESTS_PER_ROOM = String(value);
+        updatedKeys.push("rateLimiter.maxRequestsPerRoom");
+      }
+      if ("maxConcurrentGlobal" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxConcurrentGlobal, this.config.rateLimiter.maxConcurrentGlobal);
+        this.config.rateLimiter.maxConcurrentGlobal = value;
+        envUpdates.RATE_LIMIT_MAX_CONCURRENT_GLOBAL = String(value);
+        updatedKeys.push("rateLimiter.maxConcurrentGlobal");
+      }
+      if ("maxConcurrentPerUser" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxConcurrentPerUser, this.config.rateLimiter.maxConcurrentPerUser);
+        this.config.rateLimiter.maxConcurrentPerUser = value;
+        envUpdates.RATE_LIMIT_MAX_CONCURRENT_PER_USER = String(value);
+        updatedKeys.push("rateLimiter.maxConcurrentPerUser");
+      }
+      if ("maxConcurrentPerRoom" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxConcurrentPerRoom, this.config.rateLimiter.maxConcurrentPerRoom);
+        this.config.rateLimiter.maxConcurrentPerRoom = value;
+        envUpdates.RATE_LIMIT_MAX_CONCURRENT_PER_ROOM = String(value);
+        updatedKeys.push("rateLimiter.maxConcurrentPerRoom");
+      }
+    }
+    if ("defaultGroupTriggerPolicy" in body) {
+      const policy = asObject(body.defaultGroupTriggerPolicy, "defaultGroupTriggerPolicy");
+      if ("allowMention" in policy) {
+        const value = normalizeBoolean(policy.allowMention, this.config.defaultGroupTriggerPolicy.allowMention);
+        this.config.defaultGroupTriggerPolicy.allowMention = value;
+        envUpdates.GROUP_TRIGGER_ALLOW_MENTION = String(value);
+        updatedKeys.push("defaultGroupTriggerPolicy.allowMention");
+      }
+      if ("allowReply" in policy) {
+        const value = normalizeBoolean(policy.allowReply, this.config.defaultGroupTriggerPolicy.allowReply);
+        this.config.defaultGroupTriggerPolicy.allowReply = value;
+        envUpdates.GROUP_TRIGGER_ALLOW_REPLY = String(value);
+        updatedKeys.push("defaultGroupTriggerPolicy.allowReply");
+      }
+      if ("allowActiveWindow" in policy) {
+        const value = normalizeBoolean(policy.allowActiveWindow, this.config.defaultGroupTriggerPolicy.allowActiveWindow);
+        this.config.defaultGroupTriggerPolicy.allowActiveWindow = value;
+        envUpdates.GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW = String(value);
+        updatedKeys.push("defaultGroupTriggerPolicy.allowActiveWindow");
+      }
+      if ("allowPrefix" in policy) {
+        const value = normalizeBoolean(policy.allowPrefix, this.config.defaultGroupTriggerPolicy.allowPrefix);
+        this.config.defaultGroupTriggerPolicy.allowPrefix = value;
+        envUpdates.GROUP_TRIGGER_ALLOW_PREFIX = String(value);
+        updatedKeys.push("defaultGroupTriggerPolicy.allowPrefix");
+      }
+    }
+    if ("matrixProgressUpdates" in body) {
+      const value = normalizeBoolean(body.matrixProgressUpdates, this.config.matrixProgressUpdates);
+      this.config.matrixProgressUpdates = value;
+      envUpdates.MATRIX_PROGRESS_UPDATES = String(value);
+      updatedKeys.push("matrixProgressUpdates");
+    }
+    if ("matrixProgressMinIntervalMs" in body) {
+      const value = normalizePositiveInt(
+        body.matrixProgressMinIntervalMs,
+        this.config.matrixProgressMinIntervalMs,
+        1,
+        Number.MAX_SAFE_INTEGER
+      );
+      this.config.matrixProgressMinIntervalMs = value;
+      envUpdates.MATRIX_PROGRESS_MIN_INTERVAL_MS = String(value);
+      updatedKeys.push("matrixProgressMinIntervalMs");
+    }
+    if ("matrixTypingTimeoutMs" in body) {
+      const value = normalizePositiveInt(
+        body.matrixTypingTimeoutMs,
+        this.config.matrixTypingTimeoutMs,
+        1,
+        Number.MAX_SAFE_INTEGER
+      );
+      this.config.matrixTypingTimeoutMs = value;
+      envUpdates.MATRIX_TYPING_TIMEOUT_MS = String(value);
+      updatedKeys.push("matrixTypingTimeoutMs");
+    }
+    if ("sessionActiveWindowMinutes" in body) {
+      const value = normalizePositiveInt(
+        body.sessionActiveWindowMinutes,
+        this.config.sessionActiveWindowMinutes,
+        1,
+        Number.MAX_SAFE_INTEGER
+      );
+      this.config.sessionActiveWindowMinutes = value;
+      envUpdates.SESSION_ACTIVE_WINDOW_MINUTES = String(value);
+      updatedKeys.push("sessionActiveWindowMinutes");
+    }
+    if ("cliCompat" in body) {
+      const compat = asObject(body.cliCompat, "cliCompat");
+      if ("enabled" in compat) {
+        const value = normalizeBoolean(compat.enabled, this.config.cliCompat.enabled);
+        this.config.cliCompat.enabled = value;
+        envUpdates.CLI_COMPAT_MODE = String(value);
+        updatedKeys.push("cliCompat.enabled");
+      }
+      if ("passThroughEvents" in compat) {
+        const value = normalizeBoolean(compat.passThroughEvents, this.config.cliCompat.passThroughEvents);
+        this.config.cliCompat.passThroughEvents = value;
+        envUpdates.CLI_COMPAT_PASSTHROUGH_EVENTS = String(value);
+        updatedKeys.push("cliCompat.passThroughEvents");
+      }
+      if ("preserveWhitespace" in compat) {
+        const value = normalizeBoolean(compat.preserveWhitespace, this.config.cliCompat.preserveWhitespace);
+        this.config.cliCompat.preserveWhitespace = value;
+        envUpdates.CLI_COMPAT_PRESERVE_WHITESPACE = String(value);
+        updatedKeys.push("cliCompat.preserveWhitespace");
+      }
+      if ("disableReplyChunkSplit" in compat) {
+        const value = normalizeBoolean(compat.disableReplyChunkSplit, this.config.cliCompat.disableReplyChunkSplit);
+        this.config.cliCompat.disableReplyChunkSplit = value;
+        envUpdates.CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT = String(value);
+        updatedKeys.push("cliCompat.disableReplyChunkSplit");
+      }
+      if ("progressThrottleMs" in compat) {
+        const value = normalizeNonNegativeInt(compat.progressThrottleMs, this.config.cliCompat.progressThrottleMs);
+        this.config.cliCompat.progressThrottleMs = value;
+        envUpdates.CLI_COMPAT_PROGRESS_THROTTLE_MS = String(value);
+        updatedKeys.push("cliCompat.progressThrottleMs");
+      }
+      if ("fetchMedia" in compat) {
+        const value = normalizeBoolean(compat.fetchMedia, this.config.cliCompat.fetchMedia);
+        this.config.cliCompat.fetchMedia = value;
+        envUpdates.CLI_COMPAT_FETCH_MEDIA = String(value);
+        updatedKeys.push("cliCompat.fetchMedia");
+      }
+    }
+    if (updatedKeys.length === 0) {
+      throw new HttpError(400, "No supported global config fields provided.");
+    }
+    this.persistEnvUpdates(envUpdates);
+    this.stateStore.appendConfigRevision(
+      actor,
+      `update global config: ${updatedKeys.join(", ")}`,
+      JSON.stringify({
+        type: "global_config_update",
+        updates: envUpdates
+      })
+    );
+    return {
+      data: buildGlobalConfigSnapshot(this.config),
+      updatedKeys,
+      restartRequired: true
+    };
+  }
+  updateRoomConfig(roomId, rawBody, actor) {
+    const body = asObject(rawBody, "room config payload");
+    const current = this.configService.getRoomSettings(roomId);
+    return this.configService.updateRoomSettings({
+      roomId,
+      enabled: normalizeBoolean(body.enabled, current?.enabled ?? true),
+      allowMention: normalizeBoolean(body.allowMention, current?.allowMention ?? true),
+      allowReply: normalizeBoolean(body.allowReply, current?.allowReply ?? true),
+      allowActiveWindow: normalizeBoolean(body.allowActiveWindow, current?.allowActiveWindow ?? true),
+      allowPrefix: normalizeBoolean(body.allowPrefix, current?.allowPrefix ?? true),
+      workdir: normalizeString(body.workdir, current?.workdir ?? this.config.codexWorkdir, "workdir"),
+      actor,
+      summary: normalizeOptionalString(body.summary)
+    });
+  }
+  isAuthorized(req) {
+    if (!this.adminToken) {
+      return true;
+    }
+    const authorization = req.headers.authorization ?? "";
+    const bearer = authorization.startsWith("Bearer ") ? authorization.slice("Bearer ".length).trim() : "";
+    const fromHeader = normalizeHeaderValue(req.headers["x-admin-token"]);
+    return bearer === this.adminToken || fromHeader === this.adminToken;
+  }
+  isClientAllowed(req) {
+    if (this.adminIpAllowlist.length === 0) {
+      return true;
+    }
+    const normalizedRemote = normalizeRemoteAddress(req.socket.remoteAddress);
+    if (!normalizedRemote) {
+      return false;
+    }
+    return this.adminIpAllowlist.includes(normalizedRemote);
+  }
+  persistEnvUpdates(updates) {
+    const envPath = import_node_path2.default.resolve(this.cwd, ".env");
+    const examplePath = import_node_path2.default.resolve(this.cwd, ".env.example");
+    const template = import_node_fs2.default.existsSync(envPath) ? import_node_fs2.default.readFileSync(envPath, "utf8") : import_node_fs2.default.existsSync(examplePath) ? import_node_fs2.default.readFileSync(examplePath, "utf8") : "";
+    const next = applyEnvOverrides(template, updates);
+    import_node_fs2.default.writeFileSync(envPath, next, "utf8");
+  }
+  resolveCors(req) {
+    const origin = normalizeOriginHeader(req.headers.origin);
+    if (!origin) {
+      return { origin: null, allowed: true };
+    }
+    if (isSameOriginRequest(req, origin)) {
+      return { origin, allowed: true };
+    }
+    if (this.adminAllowedOrigins.includes("*")) {
+      return { origin, allowed: true };
+    }
+    if (this.adminAllowedOrigins.length === 0) {
+      return { origin, allowed: false };
+    }
+    return {
+      origin,
+      allowed: this.adminAllowedOrigins.includes(origin)
+    };
+  }
+  setCorsHeaders(res, corsDecision) {
+    if (!corsDecision.origin || !corsDecision.allowed) {
+      return;
+    }
+    res.setHeader("Access-Control-Allow-Origin", corsDecision.origin);
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Admin-Token, X-Admin-Actor");
+    res.setHeader("Access-Control-Allow-Methods", "GET, PUT, DELETE, OPTIONS");
+    appendVaryHeader(res, "Origin");
+  }
+  setSecurityHeaders(res) {
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    res.setHeader("Referrer-Policy", "no-referrer");
+    res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
+    res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
+    res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
+    res.setHeader(
+      "Content-Security-Policy",
+      "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+    );
+  }
+  sendHtml(res, html) {
+    res.statusCode = 200;
+    res.setHeader("Content-Type", "text/html; charset=utf-8");
+    res.end(html);
+  }
+  sendJson(res, statusCode, payload) {
+    res.statusCode = statusCode;
+    res.setHeader("Content-Type", "application/json; charset=utf-8");
+    res.end(JSON.stringify(payload));
+  }
+};
+function buildGlobalConfigSnapshot(config) {
+  return {
+    matrixCommandPrefix: config.matrixCommandPrefix,
+    codexWorkdir: config.codexWorkdir,
+    rateLimiter: { ...config.rateLimiter },
+    defaultGroupTriggerPolicy: { ...config.defaultGroupTriggerPolicy },
+    matrixProgressUpdates: config.matrixProgressUpdates,
+    matrixProgressMinIntervalMs: config.matrixProgressMinIntervalMs,
+    matrixTypingTimeoutMs: config.matrixTypingTimeoutMs,
+    sessionActiveWindowMinutes: config.sessionActiveWindowMinutes,
+    cliCompat: { ...config.cliCompat }
+  };
+}
+function formatAuditEntry(entry) {
+  return {
+    id: entry.id,
+    actor: entry.actor,
+    summary: entry.summary,
+    payloadJson: entry.payloadJson,
+    payload: parseJsonLoose(entry.payloadJson),
+    createdAt: entry.createdAt,
+    createdAtIso: new Date(entry.createdAt).toISOString()
+  };
+}
+function parseJsonLoose(raw) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return raw;
+  }
+}
+function isUiPath(pathname) {
+  return pathname === "/" || pathname === "/index.html" || pathname === "/settings/global" || pathname === "/settings/rooms" || pathname === "/health" || pathname === "/audit";
+}
+function normalizeAllowlist(entries) {
+  const output = /* @__PURE__ */ new Set();
+  for (const entry of entries) {
+    const normalized = normalizeRemoteAddress(entry);
+    if (normalized) {
+      output.add(normalized);
+    }
+  }
+  return [...output];
+}
+function normalizeOriginAllowlist(entries) {
+  const output = /* @__PURE__ */ new Set();
+  for (const entry of entries) {
+    const normalized = normalizeOrigin(entry);
+    if (normalized) {
+      output.add(normalized);
+    }
+  }
+  return [...output];
+}
+function normalizeRemoteAddress(value) {
+  if (!value) {
+    return null;
+  }
+  const trimmed = value.trim().toLowerCase();
+  if (!trimmed) {
+    return null;
+  }
+  const withoutZone = trimmed.includes("%") ? trimmed.slice(0, trimmed.indexOf("%")) : trimmed;
+  if (withoutZone === "::1" || withoutZone === "0:0:0:0:0:0:0:1") {
+    return "127.0.0.1";
+  }
+  if (withoutZone.startsWith("::ffff:")) {
+    return withoutZone.slice("::ffff:".length);
+  }
+  return withoutZone;
+}
+function normalizeOriginHeader(value) {
+  if (!value) {
+    return null;
+  }
+  const raw = Array.isArray(value) ? value[0] ?? "" : value;
+  return normalizeOrigin(raw);
+}
+function normalizeOrigin(value) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return null;
+  }
+  if (trimmed === "*") {
+    return "*";
+  }
+  try {
+    const parsed = new URL(trimmed);
+    return `${parsed.protocol}//${parsed.host}`.toLowerCase();
+  } catch {
+    return null;
+  }
+}
+function isSameOriginRequest(req, origin) {
+  const host = normalizeHeaderValue(req.headers.host);
+  if (!host) {
+    return false;
+  }
+  const forwardedProto = normalizeHeaderValue(req.headers["x-forwarded-proto"]);
+  const protocol = forwardedProto || "http";
+  return origin === `${protocol}://${host}`.toLowerCase();
+}
+function appendVaryHeader(res, headerName) {
+  const current = res.getHeader("Vary");
+  const existing = typeof current === "string" ? current.split(",").map((v) => v.trim()).filter(Boolean) : [];
+  if (!existing.includes(headerName)) {
+    existing.push(headerName);
+  }
+  res.setHeader("Vary", existing.join(", "));
+}
+function renderAdminConsoleHtml() {
+  return ADMIN_CONSOLE_HTML;
+}
+async function readJsonBody(req) {
+  const chunks = [];
+  for await (const chunk of req) {
+    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
+  }
+  if (chunks.length === 0) {
+    return {};
+  }
+  const raw = Buffer.concat(chunks).toString("utf8").trim();
+  if (!raw) {
+    return {};
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    throw new HttpError(400, "Request body must be valid JSON.");
+  }
+}
+function asObject(value, name) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new HttpError(400, `${name} must be a JSON object.`);
+  }
+  return value;
+}
+function normalizeBoolean(value, fallback) {
+  if (value === void 0) {
+    return fallback;
+  }
+  if (typeof value !== "boolean") {
+    throw new HttpError(400, "Expected boolean value.");
+  }
+  return value;
+}
+function normalizeString(value, fallback, fieldName) {
+  if (value === void 0) {
+    return fallback;
+  }
+  if (typeof value !== "string") {
+    throw new HttpError(400, `Expected string value for ${fieldName}.`);
+  }
+  return value.trim();
+}
+function normalizeOptionalString(value) {
+  if (value === void 0 || value === null) {
+    return null;
+  }
+  if (typeof value !== "string") {
+    throw new HttpError(400, "Expected string value.");
+  }
+  const trimmed = value.trim();
+  return trimmed || null;
+}
+function normalizePositiveInt(value, fallback, min, max) {
+  if (value === void 0 || value === null) {
+    return fallback;
+  }
+  const parsed = Number.parseInt(String(value), 10);
+  if (!Number.isFinite(parsed) || parsed < min || parsed > max) {
+    throw new HttpError(400, `Expected integer in range [${min}, ${max}].`);
+  }
+  return parsed;
+}
+function normalizeNonNegativeInt(value, fallback) {
+  return normalizePositiveInt(value, fallback, 0, Number.MAX_SAFE_INTEGER);
+}
+function ensureDirectory(targetPath, fieldName) {
+  if (!import_node_fs2.default.existsSync(targetPath) || !import_node_fs2.default.statSync(targetPath).isDirectory()) {
+    throw new HttpError(400, `${fieldName} must be an existing directory: ${targetPath}`);
+  }
+}
+function normalizeHeaderValue(value) {
+  if (!value) {
+    return "";
+  }
+  if (Array.isArray(value)) {
+    return value[0]?.trim() ?? "";
+  }
+  return value.trim();
+}
+function readActor(req) {
+  const actor = normalizeHeaderValue(req.headers["x-admin-actor"]);
+  return actor || null;
+}
+function formatError(error) {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
+var ADMIN_CONSOLE_HTML = `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>CodeHarbor Admin Console</title>
+    <style>
+      :root {
+        --bg-start: #0f172a;
+        --bg-end: #1e293b;
+        --panel: #0b1224cc;
+        --panel-border: #334155;
+        --text: #e2e8f0;
+        --muted: #94a3b8;
+        --accent: #22d3ee;
+        --accent-strong: #06b6d4;
+        --danger: #f43f5e;
+        --ok: #10b981;
+        --warn: #f59e0b;
+      }
+      * {
+        box-sizing: border-box;
+      }
+      body {
+        margin: 0;
+        font-family: "IBM Plex Sans", "Segoe UI", "Helvetica Neue", sans-serif;
+        color: var(--text);
+        background: radial-gradient(1200px 600px at 20% -10%, #1d4ed8 0%, transparent 55%),
+          radial-gradient(1000px 500px at 100% 0%, #0f766e 0%, transparent 55%),
+          linear-gradient(135deg, var(--bg-start), var(--bg-end));
+        min-height: 100vh;
+      }
+      .shell {
+        max-width: 1100px;
+        margin: 0 auto;
+        padding: 20px 16px 40px;
+      }
+      .header {
+        background: var(--panel);
+        border: 1px solid var(--panel-border);
+        border-radius: 16px;
+        padding: 16px;
+        backdrop-filter: blur(8px);
+      }
+      .title {
+        margin: 0 0 8px;
+        font-size: 24px;
+        letter-spacing: 0.2px;
+      }
+      .subtitle {
+        margin: 0 0 14px;
+        color: var(--muted);
+        font-size: 14px;
+      }
+      .tabs {
+        display: flex;
+        gap: 8px;
+        flex-wrap: wrap;
+        margin-bottom: 12px;
+      }
+      .tab {
+        color: var(--text);
+        text-decoration: none;
+        border: 1px solid var(--panel-border);
+        border-radius: 999px;
+        padding: 6px 12px;
+        font-size: 13px;
+      }
+      .tab.active {
+        border-color: var(--accent);
+        background: #155e7555;
+      }
+      .auth-row {
+        display: grid;
+        grid-template-columns: repeat(2, minmax(220px, 1fr)) auto auto;
+        gap: 8px;
+        align-items: end;
+      }
+      .field {
+        display: flex;
+        flex-direction: column;
+        gap: 4px;
+      }
+      .field-label {
+        font-size: 12px;
+        color: var(--muted);
+      }
+      input,
+      button,
+      textarea {
+        font: inherit;
+      }
+      input[type="text"],
+      input[type="password"],
+      input[type="number"] {
+        border: 1px solid var(--panel-border);
+        background: #0f172acc;
+        color: var(--text);
+        border-radius: 10px;
+        padding: 8px 10px;
+      }
+      button {
+        border: 1px solid var(--accent);
+        background: #164e63;
+        color: #ecfeff;
+        border-radius: 10px;
+        padding: 8px 12px;
+        cursor: pointer;
+      }
+      button.secondary {
+        border-color: var(--panel-border);
+        background: #1e293b;
+        color: var(--text);
+      }
+      button.danger {
+        border-color: var(--danger);
+        background: #881337;
+      }
+      .notice {
+        margin: 12px 0 0;
+        border-radius: 10px;
+        padding: 8px 10px;
+        font-size: 13px;
+        border: 1px solid #334155;
+        color: var(--muted);
+      }
+      .notice.ok {
+        border-color: #065f46;
+        color: #d1fae5;
+        background: #064e3b88;
+      }
+      .notice.error {
+        border-color: #881337;
+        color: #ffe4e6;
+        background: #4c051988;
+      }
+      .notice.warn {
+        border-color: #92400e;
+        color: #fef3c7;
+        background: #78350f88;
+      }
+      .panel {
+        margin-top: 14px;
+        background: var(--panel);
+        border: 1px solid var(--panel-border);
+        border-radius: 16px;
+        padding: 16px;
+      }
+      .panel[hidden] {
+        display: none;
+      }
+      .panel-title {
+        margin: 0 0 12px;
+      }
+      .grid {
+        display: grid;
+        grid-template-columns: repeat(2, minmax(0, 1fr));
+        gap: 10px;
+      }
+      .full {
+        grid-column: 1 / -1;
+      }
+      .checkbox {
+        display: flex;
+        gap: 8px;
+        align-items: center;
+        font-size: 14px;
+      }
+      .actions {
+        display: flex;
+        gap: 8px;
+        flex-wrap: wrap;
+        margin-top: 12px;
+      }
+      .table-wrap {
+        overflow-x: auto;
+        border: 1px solid #334155;
+        border-radius: 12px;
+        margin-top: 12px;
+      }
+      table {
+        width: 100%;
+        border-collapse: collapse;
+        min-width: 720px;
+      }
+      th,
+      td {
+        border-bottom: 1px solid #334155;
+        text-align: left;
+        padding: 8px;
+        font-size: 12px;
+        vertical-align: top;
+      }
+      th {
+        color: var(--muted);
+      }
+      pre {
+        margin: 0;
+        white-space: pre-wrap;
+        word-break: break-word;
+        font-size: 11px;
+        color: #cbd5e1;
+      }
+      .muted {
+        color: var(--muted);
+        font-size: 12px;
+      }
+      @media (max-width: 900px) {
+        .auth-row {
+          grid-template-columns: 1fr;
+        }
+        .grid {
+          grid-template-columns: 1fr;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <main class="shell">
+      <section class="header">
+        <h1 class="title">CodeHarbor Admin Console</h1>
+        <p class="subtitle">Manage global settings, room policies, health checks, and config audit records.</p>
+        <nav class="tabs">
+          <a class="tab" data-page="settings-global" href="#/settings/global">Global</a>
+          <a class="tab" data-page="settings-rooms" href="#/settings/rooms">Rooms</a>
+          <a class="tab" data-page="health" href="#/health">Health</a>
+          <a class="tab" data-page="audit" href="#/audit">Audit</a>
+        </nav>
+        <div class="auth-row">
+          <label class="field">
+            <span class="field-label">Admin Token (optional)</span>
+            <input id="auth-token" type="password" placeholder="ADMIN_TOKEN" />
+          </label>
+          <label class="field">
+            <span class="field-label">Actor (for audit logs)</span>
+            <input id="auth-actor" type="text" placeholder="your-name" />
+          </label>
+          <button id="auth-save-btn" type="button" class="secondary">Save Auth</button>
+          <button id="auth-clear-btn" type="button" class="secondary">Clear Auth</button>
+        </div>
+        <div id="notice" class="notice">Ready.</div>
+      </section>
+
+      <section class="panel" data-view="settings-global">
+        <h2 class="panel-title">Global Config</h2>
+        <div class="grid">
+          <label class="field">
+            <span class="field-label">Command Prefix</span>
+            <input id="global-matrix-prefix" type="text" />
+          </label>
+          <label class="field">
+            <span class="field-label">Default Workdir</span>
+            <input id="global-workdir" type="text" />
+          </label>
+          <label class="field">
+            <span class="field-label">Progress Interval (ms)</span>
+            <input id="global-progress-interval" type="number" min="1" />
+          </label>
+          <label class="field">
+            <span class="field-label">Typing Timeout (ms)</span>
+            <input id="global-typing-timeout" type="number" min="1" />
+          </label>
+          <label class="field">
+            <span class="field-label">Session Active Window (minutes)</span>
+            <input id="global-active-window" type="number" min="1" />
+          </label>
+          <label class="checkbox">
+            <input id="global-progress-enabled" type="checkbox" />
+            <span>Enable progress updates</span>
+          </label>
+
+          <label class="field">
+            <span class="field-label">Rate Window (ms)</span>
+            <input id="global-rate-window" type="number" min="1" />
+          </label>
+          <label class="field">
+            <span class="field-label">Rate Max Requests / User</span>
+            <input id="global-rate-user" type="number" min="0" />
+          </label>
+          <label class="field">
+            <span class="field-label">Rate Max Requests / Room</span>
+            <input id="global-rate-room" type="number" min="0" />
+          </label>
+          <label class="field">
+            <span class="field-label">Max Concurrent Global</span>
+            <input id="global-concurrency-global" type="number" min="0" />
+          </label>
+          <label class="field">
+            <span class="field-label">Max Concurrent / User</span>
+            <input id="global-concurrency-user" type="number" min="0" />
+          </label>
+          <label class="field">
+            <span class="field-label">Max Concurrent / Room</span>
+            <input id="global-concurrency-room" type="number" min="0" />
+          </label>
+
+          <label class="checkbox"><input id="global-trigger-mention" type="checkbox" /><span>Trigger: mention</span></label>
+          <label class="checkbox"><input id="global-trigger-reply" type="checkbox" /><span>Trigger: reply</span></label>
+          <label class="checkbox"><input id="global-trigger-window" type="checkbox" /><span>Trigger: active window</span></label>
+          <label class="checkbox"><input id="global-trigger-prefix" type="checkbox" /><span>Trigger: prefix</span></label>
+
+          <label class="checkbox"><input id="global-cli-enabled" type="checkbox" /><span>CLI compat mode</span></label>
+          <label class="checkbox"><input id="global-cli-pass" type="checkbox" /><span>CLI passthrough events</span></label>
+          <label class="checkbox"><input id="global-cli-whitespace" type="checkbox" /><span>Preserve whitespace</span></label>
+          <label class="checkbox"><input id="global-cli-disable-split" type="checkbox" /><span>Disable reply split</span></label>
+          <label class="field">
+            <span class="field-label">CLI progress throttle (ms)</span>
+            <input id="global-cli-throttle" type="number" min="0" />
+          </label>
+          <label class="checkbox"><input id="global-cli-fetch-media" type="checkbox" /><span>Fetch media attachments</span></label>
+        </div>
+        <div class="actions">
+          <button id="global-save-btn" type="button">Save Global Config</button>
+          <button id="global-reload-btn" type="button" class="secondary">Reload</button>
+        </div>
+        <p class="muted">Saving global config updates .env and requires restart to fully take effect.</p>
+      </section>
+
+      <section class="panel" data-view="settings-rooms" hidden>
+        <h2 class="panel-title">Room Config</h2>
+        <div class="grid">
+          <label class="field">
+            <span class="field-label">Room ID</span>
+            <input id="room-id" type="text" placeholder="!room:example.com" />
+          </label>
+          <label class="field">
+            <span class="field-label">Audit Summary (optional)</span>
+            <input id="room-summary" type="text" placeholder="bind room to project A" />
+          </label>
+          <label class="field full">
+            <span class="field-label">Workdir</span>
+            <input id="room-workdir" type="text" />
+          </label>
+          <label class="checkbox"><input id="room-enabled" type="checkbox" /><span>Enabled</span></label>
+          <label class="checkbox"><input id="room-mention" type="checkbox" /><span>Allow mention trigger</span></label>
+          <label class="checkbox"><input id="room-reply" type="checkbox" /><span>Allow reply trigger</span></label>
+          <label class="checkbox"><input id="room-window" type="checkbox" /><span>Allow active-window trigger</span></label>
+          <label class="checkbox"><input id="room-prefix" type="checkbox" /><span>Allow prefix trigger</span></label>
+        </div>
+        <div class="actions">
+          <button id="room-load-btn" type="button" class="secondary">Load Room</button>
+          <button id="room-save-btn" type="button">Save Room</button>
+          <button id="room-delete-btn" type="button" class="danger">Delete Room</button>
+          <button id="room-refresh-btn" type="button" class="secondary">Refresh List</button>
+        </div>
+        <div class="table-wrap">
+          <table>
+            <thead>
+              <tr>
+                <th>Room ID</th>
+                <th>Enabled</th>
+                <th>Workdir</th>
+                <th>Updated At</th>
+              </tr>
+            </thead>
+            <tbody id="room-list-body"></tbody>
+          </table>
+        </div>
+      </section>
+
+      <section class="panel" data-view="health" hidden>
+        <h2 class="panel-title">Health Check</h2>
+        <div class="actions">
+          <button id="health-refresh-btn" type="button">Run Health Check</button>
+        </div>
+        <div class="table-wrap">
+          <table>
+            <thead>
+              <tr>
+                <th>Component</th>
+                <th>Status</th>
+                <th>Details</th>
+              </tr>
+            </thead>
+            <tbody id="health-body"></tbody>
+          </table>
+        </div>
+      </section>
+
+      <section class="panel" data-view="audit" hidden>
+        <h2 class="panel-title">Config Audit</h2>
+        <div class="actions">
+          <label class="field" style="max-width: 120px;">
+            <span class="field-label">Limit</span>
+            <input id="audit-limit" type="number" min="1" max="200" value="30" />
+          </label>
+          <button id="audit-refresh-btn" type="button">Refresh Audit</button>
+        </div>
+        <div class="table-wrap">
+          <table>
+            <thead>
+              <tr>
+                <th>ID</th>
+                <th>Time</th>
+                <th>Actor</th>
+                <th>Summary</th>
+                <th>Payload</th>
+              </tr>
+            </thead>
+            <tbody id="audit-body"></tbody>
+          </table>
+        </div>
+      </section>
+    </main>
+
+    <script>
+      (function () {
+        "use strict";
+
+        var routeToView = {
+          "#/settings/global": "settings-global",
+          "#/settings/rooms": "settings-rooms",
+          "#/health": "health",
+          "#/audit": "audit"
+        };
+        var pathToRoute = {
+          "/settings/global": "#/settings/global",
+          "/settings/rooms": "#/settings/rooms",
+          "/health": "#/health",
+          "/audit": "#/audit"
+        };
+        var storageTokenKey = "codeharbor.admin.token";
+        var storageActorKey = "codeharbor.admin.actor";
+        var loaded = {
+          "settings-global": false,
+          "settings-rooms": false,
+          health: false,
+          audit: false
+        };
+
+        var tokenInput = document.getElementById("auth-token");
+        var actorInput = document.getElementById("auth-actor");
+        var noticeNode = document.getElementById("notice");
+        var roomListBody = document.getElementById("room-list-body");
+        var healthBody = document.getElementById("health-body");
+        var auditBody = document.getElementById("audit-body");
+
+        tokenInput.value = localStorage.getItem(storageTokenKey) || "";
+        actorInput.value = localStorage.getItem(storageActorKey) || "";
+
+        document.getElementById("auth-save-btn").addEventListener("click", function () {
+          localStorage.setItem(storageTokenKey, tokenInput.value.trim());
+          localStorage.setItem(storageActorKey, actorInput.value.trim());
+          showNotice("ok", "Auth settings saved to localStorage.");
+        });
+
+        document.getElementById("auth-clear-btn").addEventListener("click", function () {
+          tokenInput.value = "";
+          actorInput.value = "";
+          localStorage.removeItem(storageTokenKey);
+          localStorage.removeItem(storageActorKey);
+          showNotice("warn", "Auth settings cleared.");
+        });
+
+        document.getElementById("global-save-btn").addEventListener("click", saveGlobal);
+        document.getElementById("global-reload-btn").addEventListener("click", loadGlobal);
+        document.getElementById("room-load-btn").addEventListener("click", loadRoom);
+        document.getElementById("room-save-btn").addEventListener("click", saveRoom);
+        document.getElementById("room-delete-btn").addEventListener("click", deleteRoom);
+        document.getElementById("room-refresh-btn").addEventListener("click", refreshRoomList);
+        document.getElementById("health-refresh-btn").addEventListener("click", loadHealth);
+        document.getElementById("audit-refresh-btn").addEventListener("click", loadAudit);
+
+        window.addEventListener("hashchange", handleRoute);
+
+        if (!window.location.hash) {
+          window.location.hash = pathToRoute[window.location.pathname] || "#/settings/global";
+        } else {
+          handleRoute();
+        }
+
+        function getCurrentView() {
+          return routeToView[window.location.hash] || "settings-global";
+        }
+
+        function handleRoute() {
+          var view = getCurrentView();
+          var panels = document.querySelectorAll("[data-view]");
+          for (var i = 0; i < panels.length; i += 1) {
+            var panel = panels[i];
+            panel.hidden = panel.getAttribute("data-view") !== view;
+          }
+          var tabs = document.querySelectorAll(".tab");
+          for (var j = 0; j < tabs.length; j += 1) {
+            var tab = tabs[j];
+            if (tab.getAttribute("data-page") === view) {
+              tab.classList.add("active");
+            } else {
+              tab.classList.remove("active");
+            }
+          }
+          ensureLoaded(view);
+        }
+
+        function ensureLoaded(view) {
+          if (loaded[view]) {
+            return;
+          }
+          if (view === "settings-global") {
+            loadGlobal();
+          } else if (view === "settings-rooms") {
+            refreshRoomList();
+          } else if (view === "health") {
+            loadHealth();
+          } else if (view === "audit") {
+            loadAudit();
+          }
+          loaded[view] = true;
+        }
+
+        async function apiRequest(path, method, body) {
+          var headers = {};
+          var token = tokenInput.value.trim();
+          var actor = actorInput.value.trim();
+          if (token) {
+            headers.authorization = "Bearer " + token;
+          }
+          if (actor) {
+            headers["x-admin-actor"] = actor;
+          }
+          if (body !== undefined) {
+            headers["content-type"] = "application/json";
+          }
+          var response = await fetch(path, {
+            method: method || "GET",
+            headers: headers,
+            body: body === undefined ? undefined : JSON.stringify(body)
+          });
+          var text = await response.text();
+          var payload;
+          try {
+            payload = text ? JSON.parse(text) : {};
+          } catch (error) {
+            payload = { raw: text };
+          }
+          if (!response.ok) {
+            var message = payload && payload.error ? payload.error : response.status + " " + response.statusText;
+            throw new Error(message);
+          }
+          return payload;
+        }
+
+        function asNumber(inputId, fallback) {
+          var value = Number.parseInt(document.getElementById(inputId).value, 10);
+          return Number.isFinite(value) ? value : fallback;
+        }
+
+        function asBool(inputId) {
+          return Boolean(document.getElementById(inputId).checked);
+        }
+
+        function asText(inputId) {
+          return document.getElementById(inputId).value.trim();
+        }
+
+        function showNotice(type, message) {
+          noticeNode.className = "notice " + type;
+          noticeNode.textContent = message;
+        }
+
+        function renderEmptyRow(body, columns, text) {
+          body.innerHTML = "";
+          var row = document.createElement("tr");
+          var cell = document.createElement("td");
+          cell.colSpan = columns;
+          cell.textContent = text;
+          row.appendChild(cell);
+          body.appendChild(row);
+        }
+
+        async function loadGlobal() {
+          try {
+            var response = await apiRequest("/api/admin/config/global", "GET");
+            var data = response.data || {};
+            var rateLimiter = data.rateLimiter || {};
+            var trigger = data.defaultGroupTriggerPolicy || {};
+            var cliCompat = data.cliCompat || {};
+
+            document.getElementById("global-matrix-prefix").value = data.matrixCommandPrefix || "";
+            document.getElementById("global-workdir").value = data.codexWorkdir || "";
+            document.getElementById("global-progress-enabled").checked = Boolean(data.matrixProgressUpdates);
+            document.getElementById("global-progress-interval").value = String(data.matrixProgressMinIntervalMs || 2500);
+            document.getElementById("global-typing-timeout").value = String(data.matrixTypingTimeoutMs || 10000);
+            document.getElementById("global-active-window").value = String(data.sessionActiveWindowMinutes || 20);
+            document.getElementById("global-rate-window").value = String(rateLimiter.windowMs || 60000);
+            document.getElementById("global-rate-user").value = String(rateLimiter.maxRequestsPerUser || 0);
+            document.getElementById("global-rate-room").value = String(rateLimiter.maxRequestsPerRoom || 0);
+            document.getElementById("global-concurrency-global").value = String(rateLimiter.maxConcurrentGlobal || 0);
+            document.getElementById("global-concurrency-user").value = String(rateLimiter.maxConcurrentPerUser || 0);
+            document.getElementById("global-concurrency-room").value = String(rateLimiter.maxConcurrentPerRoom || 0);
+
+            document.getElementById("global-trigger-mention").checked = Boolean(trigger.allowMention);
+            document.getElementById("global-trigger-reply").checked = Boolean(trigger.allowReply);
+            document.getElementById("global-trigger-window").checked = Boolean(trigger.allowActiveWindow);
+            document.getElementById("global-trigger-prefix").checked = Boolean(trigger.allowPrefix);
+
+            document.getElementById("global-cli-enabled").checked = Boolean(cliCompat.enabled);
+            document.getElementById("global-cli-pass").checked = Boolean(cliCompat.passThroughEvents);
+            document.getElementById("global-cli-whitespace").checked = Boolean(cliCompat.preserveWhitespace);
+            document.getElementById("global-cli-disable-split").checked = Boolean(cliCompat.disableReplyChunkSplit);
+            document.getElementById("global-cli-throttle").value = String(cliCompat.progressThrottleMs || 0);
+            document.getElementById("global-cli-fetch-media").checked = Boolean(cliCompat.fetchMedia);
+
+            showNotice("ok", "Global config loaded.");
+          } catch (error) {
+            showNotice("error", "Failed to load global config: " + error.message);
+          }
+        }
+
+        async function saveGlobal() {
+          try {
+            var body = {
+              matrixCommandPrefix: asText("global-matrix-prefix"),
+              codexWorkdir: asText("global-workdir"),
+              matrixProgressUpdates: asBool("global-progress-enabled"),
+              matrixProgressMinIntervalMs: asNumber("global-progress-interval", 2500),
+              matrixTypingTimeoutMs: asNumber("global-typing-timeout", 10000),
+              sessionActiveWindowMinutes: asNumber("global-active-window", 20),
+              rateLimiter: {
+                windowMs: asNumber("global-rate-window", 60000),
+                maxRequestsPerUser: asNumber("global-rate-user", 20),
+                maxRequestsPerRoom: asNumber("global-rate-room", 120),
+                maxConcurrentGlobal: asNumber("global-concurrency-global", 8),
+                maxConcurrentPerUser: asNumber("global-concurrency-user", 1),
+                maxConcurrentPerRoom: asNumber("global-concurrency-room", 4)
+              },
+              defaultGroupTriggerPolicy: {
+                allowMention: asBool("global-trigger-mention"),
+                allowReply: asBool("global-trigger-reply"),
+                allowActiveWindow: asBool("global-trigger-window"),
+                allowPrefix: asBool("global-trigger-prefix")
+              },
+              cliCompat: {
+                enabled: asBool("global-cli-enabled"),
+                passThroughEvents: asBool("global-cli-pass"),
+                preserveWhitespace: asBool("global-cli-whitespace"),
+                disableReplyChunkSplit: asBool("global-cli-disable-split"),
+                progressThrottleMs: asNumber("global-cli-throttle", 300),
+                fetchMedia: asBool("global-cli-fetch-media")
+              }
+            };
+            var response = await apiRequest("/api/admin/config/global", "PUT", body);
+            var keys = Array.isArray(response.updatedKeys) ? response.updatedKeys.join(", ") : "global config";
+            showNotice("warn", "Saved: " + keys + ". Restart is required.");
+            await loadAudit();
+          } catch (error) {
+            showNotice("error", "Failed to save global config: " + error.message);
+          }
+        }
+
+        async function refreshRoomList() {
+          try {
+            var response = await apiRequest("/api/admin/config/rooms", "GET");
+            var items = Array.isArray(response.data) ? response.data : [];
+            roomListBody.innerHTML = "";
+            if (items.length === 0) {
+              renderEmptyRow(roomListBody, 4, "No room settings.");
+              return;
+            }
+            for (var i = 0; i < items.length; i += 1) {
+              var item = items[i];
+              var row = document.createElement("tr");
+              appendCell(row, item.roomId || "");
+              appendCell(row, String(Boolean(item.enabled)));
+              appendCell(row, item.workdir || "");
+              appendCell(row, item.updatedAt ? new Date(item.updatedAt).toISOString() : "-");
+              roomListBody.appendChild(row);
+            }
+            showNotice("ok", "Loaded " + items.length + " room setting(s).");
+          } catch (error) {
+            showNotice("error", "Failed to load room list: " + error.message);
+            renderEmptyRow(roomListBody, 4, "Failed to load room settings.");
+          }
+        }
+
+        function appendCell(row, text) {
+          var cell = document.createElement("td");
+          cell.textContent = text;
+          row.appendChild(cell);
+        }
+
+        async function loadRoom() {
+          var roomId = asText("room-id");
+          if (!roomId) {
+            showNotice("warn", "Room ID is required.");
+            return;
+          }
+          try {
+            var response = await apiRequest("/api/admin/config/rooms/" + encodeURIComponent(roomId), "GET");
+            fillRoomForm(response.data || {});
+            showNotice("ok", "Room config loaded for " + roomId + ".");
+          } catch (error) {
+            showNotice("error", "Failed to load room config: " + error.message);
+          }
+        }
+
+        function fillRoomForm(data) {
+          document.getElementById("room-enabled").checked = Boolean(data.enabled);
+          document.getElementById("room-mention").checked = Boolean(data.allowMention);
+          document.getElementById("room-reply").checked = Boolean(data.allowReply);
+          document.getElementById("room-window").checked = Boolean(data.allowActiveWindow);
+          document.getElementById("room-prefix").checked = Boolean(data.allowPrefix);
+          document.getElementById("room-workdir").value = data.workdir || "";
+        }
+
+        async function saveRoom() {
+          var roomId = asText("room-id");
+          if (!roomId) {
+            showNotice("warn", "Room ID is required.");
+            return;
+          }
+          try {
+            var body = {
+              enabled: asBool("room-enabled"),
+              allowMention: asBool("room-mention"),
+              allowReply: asBool("room-reply"),
+              allowActiveWindow: asBool("room-window"),
+              allowPrefix: asBool("room-prefix"),
+              workdir: asText("room-workdir"),
+              summary: asText("room-summary")
+            };
+            await apiRequest("/api/admin/config/rooms/" + encodeURIComponent(roomId), "PUT", body);
+            showNotice("ok", "Room config saved for " + roomId + ".");
+            await refreshRoomList();
+            await loadAudit();
+          } catch (error) {
+            showNotice("error", "Failed to save room config: " + error.message);
+          }
+        }
+
+        async function deleteRoom() {
+          var roomId = asText("room-id");
+          if (!roomId) {
+            showNotice("warn", "Room ID is required.");
+            return;
+          }
+          if (!window.confirm("Delete room config for " + roomId + "?")) {
+            return;
+          }
+          try {
+            await apiRequest("/api/admin/config/rooms/" + encodeURIComponent(roomId), "DELETE");
+            showNotice("ok", "Room config deleted for " + roomId + ".");
+            await refreshRoomList();
+            await loadAudit();
+          } catch (error) {
+            showNotice("error", "Failed to delete room config: " + error.message);
+          }
+        }
+
+        async function loadHealth() {
+          try {
+            var response = await apiRequest("/api/admin/health", "GET");
+            healthBody.innerHTML = "";
+
+            var codex = response.codex || {};
+            var matrix = response.matrix || {};
+
+            appendHealthRow("Codex", Boolean(codex.ok), codex.ok ? (codex.version || "ok") : (codex.error || "failed"));
+            appendHealthRow(
+              "Matrix",
+              Boolean(matrix.ok),
+              matrix.ok ? "HTTP " + matrix.status + " " + JSON.stringify(matrix.versions || []) : (matrix.error || "failed")
+            );
+            appendHealthRow("Overall", Boolean(response.ok), response.timestamp || "");
+            showNotice("ok", "Health check completed.");
+          } catch (error) {
+            showNotice("error", "Health check failed: " + error.message);
+            renderEmptyRow(healthBody, 3, "Failed to run health check.");
+          }
+        }
+
+        function appendHealthRow(component, ok, detail) {
+          var row = document.createElement("tr");
+          appendCell(row, component);
+          appendCell(row, ok ? "OK" : "FAIL");
+          appendCell(row, detail);
+          healthBody.appendChild(row);
+        }
+
+        async function loadAudit() {
+          var limit = asNumber("audit-limit", 30);
+          if (limit < 1) {
+            limit = 1;
+          }
+          if (limit > 200) {
+            limit = 200;
+          }
+          try {
+            var response = await apiRequest("/api/admin/audit?limit=" + limit, "GET");
+            var items = Array.isArray(response.data) ? response.data : [];
+            auditBody.innerHTML = "";
+            if (items.length === 0) {
+              renderEmptyRow(auditBody, 5, "No audit records.");
+              return;
+            }
+            for (var i = 0; i < items.length; i += 1) {
+              var item = items[i];
+              var row = document.createElement("tr");
+              appendCell(row, String(item.id || ""));
+              appendCell(row, item.createdAtIso || "");
+              appendCell(row, item.actor || "-");
+              appendCell(row, item.summary || "");
+              var payloadCell = document.createElement("td");
+              var payloadNode = document.createElement("pre");
+              payloadNode.textContent = formatPayload(item);
+              payloadCell.appendChild(payloadNode);
+              row.appendChild(payloadCell);
+              auditBody.appendChild(row);
+            }
+            showNotice("ok", "Audit loaded: " + items.length + " record(s).");
+          } catch (error) {
+            showNotice("error", "Failed to load audit: " + error.message);
+            renderEmptyRow(auditBody, 5, "Failed to load audit records.");
+          }
+        }
+
+        function formatPayload(item) {
+          if (item.payload && typeof item.payload === "object") {
+            return JSON.stringify(item.payload, null, 2);
+          }
+          if (typeof item.payloadJson === "string" && item.payloadJson) {
+            return item.payloadJson;
+          }
+          return "";
+        }
+      })();
+    </script>
+  </body>
+</html>
+`;
+async function defaultCheckCodex(bin) {
+  try {
+    const { stdout } = await execFileAsync(bin, ["--version"]);
+    return {
+      ok: true,
+      version: stdout.trim() || null,
+      error: null
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      version: null,
+      error: formatError(error)
+    };
+  }
+}
+async function defaultCheckMatrix(homeserver, timeoutMs) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  timer.unref?.();
+  try {
+    const response = await fetch(`${homeserver}/_matrix/client/versions`, {
+      signal: controller.signal
+    });
+    const versions = response.ok ? (await response.json()).versions ?? [] : [];
+    return {
+      ok: response.ok,
+      status: response.status,
+      versions,
+      error: response.ok ? null : `HTTP ${response.status}`
+    };
+  } catch (error) {
+    return {
+      ok: false,
+      status: null,
+      versions: [],
+      error: formatError(error)
+    };
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
 // src/channels/matrix-channel.ts
-var import_promises = __toESM(require("fs/promises"));
+var import_promises2 = __toESM(require("fs/promises"));
 var import_node_os = __toESM(require("os"));
-var import_node_path = __toESM(require("path"));
+var import_node_path3 = __toESM(require("path"));
 var import_matrix_js_sdk = require("matrix-js-sdk");
 
 // src/utils/message.ts
@@ -456,11 +2210,11 @@ var MatrixChannel = class {
     }
     const bytes = Buffer.from(await response.arrayBuffer());
     const extension = resolveFileExtension(fileName, mimeType);
-    const directory = import_node_path.default.join(import_node_os.default.tmpdir(), "codeharbor-media");
-    await import_promises.default.mkdir(directory, { recursive: true });
+    const directory = import_node_path3.default.join(import_node_os.default.tmpdir(), "codeharbor-media");
+    await import_promises2.default.mkdir(directory, { recursive: true });
     const safeEventId = sanitizeFilename(eventId);
-    const targetPath = import_node_path.default.join(directory, `${safeEventId}-${index}${extension}`);
-    await import_promises.default.writeFile(targetPath, bytes);
+    const targetPath = import_node_path3.default.join(directory, `${safeEventId}-${index}${extension}`);
+    await import_promises2.default.writeFile(targetPath, bytes);
     return targetPath;
   }
 };
@@ -544,7 +2298,7 @@ function sanitizeFilename(value) {
   return value.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, 80);
 }
 function resolveFileExtension(fileName, mimeType) {
-  const ext = import_node_path.default.extname(fileName).trim();
+  const ext = import_node_path3.default.extname(fileName).trim();
   if (ext) {
     return ext;
   }
@@ -560,8 +2314,102 @@ function resolveFileExtension(fileName, mimeType) {
   return ".bin";
 }
 
+// src/config-service.ts
+var import_node_fs3 = __toESM(require("fs"));
+var import_node_path4 = __toESM(require("path"));
+var ConfigService = class {
+  stateStore;
+  defaultWorkdir;
+  constructor(stateStore, defaultWorkdir) {
+    this.stateStore = stateStore;
+    this.defaultWorkdir = import_node_path4.default.resolve(defaultWorkdir);
+  }
+  resolveRoomConfig(roomId, fallbackPolicy) {
+    const room = this.stateStore.getRoomSettings(roomId);
+    if (!room) {
+      return {
+        source: "default",
+        enabled: true,
+        triggerPolicy: fallbackPolicy,
+        workdir: this.defaultWorkdir
+      };
+    }
+    return {
+      source: "room",
+      enabled: room.enabled,
+      triggerPolicy: {
+        allowMention: room.allowMention,
+        allowReply: room.allowReply,
+        allowActiveWindow: room.allowActiveWindow,
+        allowPrefix: room.allowPrefix
+      },
+      workdir: room.workdir
+    };
+  }
+  getRoomSettings(roomId) {
+    return this.stateStore.getRoomSettings(roomId);
+  }
+  listRoomSettings() {
+    return this.stateStore.listRoomSettings();
+  }
+  updateRoomSettings(input) {
+    const normalized = normalizeRoomSettingsInput(input);
+    this.stateStore.upsertRoomSettings(normalized);
+    const revisionPayload = JSON.stringify({
+      type: "room_settings_upsert",
+      roomId: normalized.roomId,
+      enabled: normalized.enabled,
+      allowMention: normalized.allowMention,
+      allowReply: normalized.allowReply,
+      allowActiveWindow: normalized.allowActiveWindow,
+      allowPrefix: normalized.allowPrefix,
+      workdir: normalized.workdir
+    });
+    const summary = input.summary?.trim() || `upsert room settings for ${normalized.roomId}`;
+    const actor = input.actor?.trim() || null;
+    this.stateStore.appendConfigRevision(actor, summary, revisionPayload);
+    const latest = this.stateStore.getRoomSettings(normalized.roomId);
+    if (!latest) {
+      throw new Error(`Failed to persist room settings for ${normalized.roomId}`);
+    }
+    return latest;
+  }
+  deleteRoomSettings(roomId, actor) {
+    const normalizedRoomId = roomId.trim();
+    if (!normalizedRoomId) {
+      throw new Error("roomId is required.");
+    }
+    this.stateStore.deleteRoomSettings(normalizedRoomId);
+    const summary = `delete room settings for ${normalizedRoomId}`;
+    const payload = JSON.stringify({
+      type: "room_settings_delete",
+      roomId: normalizedRoomId
+    });
+    this.stateStore.appendConfigRevision(actor?.trim() || null, summary, payload);
+  }
+};
+function normalizeRoomSettingsInput(input) {
+  const roomId = input.roomId.trim();
+  if (!roomId) {
+    throw new Error("roomId is required.");
+  }
+  const workdir = import_node_path4.default.resolve(input.workdir);
+  if (!import_node_fs3.default.existsSync(workdir) || !import_node_fs3.default.statSync(workdir).isDirectory()) {
+    throw new Error(`workdir does not exist or is not a directory: ${workdir}`);
+  }
+  return {
+    roomId,
+    enabled: input.enabled,
+    allowMention: input.allowMention,
+    allowReply: input.allowReply,
+    allowActiveWindow: input.allowActiveWindow,
+    allowPrefix: input.allowPrefix,
+    workdir
+  };
+}
+
 // src/executor/codex-executor.ts
-var import_node_child_process = require("child_process");
+var import_node_child_process2 = require("child_process");
 var import_node_readline = __toESM(require("readline"));
 var CodexExecutionCancelledError = class extends Error {
   constructor(message = "codex execution cancelled") {
@@ -579,8 +2427,8 @@ var CodexExecutor = class {
   }
   startExecution(prompt, sessionId, onProgress, startOptions) {
     const args = buildCodexArgs(prompt, sessionId, this.options, startOptions);
-    const child = (0, import_node_child_process.spawn)(this.options.bin, args, {
-      cwd: this.options.workdir,
+    const child = (0, import_node_child_process2.spawn)(this.options.bin, args, {
+      cwd: startOptions?.workdir ?? this.options.workdir,
       env: {
         ...process.env,
         ...this.options.extraEnv
@@ -812,23 +2660,23 @@ function stringify(value) {
 
 // src/orchestrator.ts
 var import_async_mutex = require("async-mutex");
-var import_promises2 = __toESM(require("fs/promises"));
+var import_promises3 = __toESM(require("fs/promises"));
 
 // src/compat/cli-compat-recorder.ts
-var import_node_fs = __toESM(require("fs"));
-var import_node_path2 = __toESM(require("path"));
+var import_node_fs4 = __toESM(require("fs"));
+var import_node_path5 = __toESM(require("path"));
 var CliCompatRecorder = class {
   filePath;
   chain = Promise.resolve();
   constructor(filePath) {
-    this.filePath = import_node_path2.default.resolve(filePath);
-    import_node_fs.default.mkdirSync(import_node_path2.default.dirname(this.filePath), { recursive: true });
+    this.filePath = import_node_path5.default.resolve(filePath);
+    import_node_fs4.default.mkdirSync(import_node_path5.default.dirname(this.filePath), { recursive: true });
   }
   append(entry) {
     const payload = `${JSON.stringify(entry)}
 `;
     this.chain = this.chain.then(async () => {
-      await import_node_fs.default.promises.appendFile(this.filePath, payload, "utf8");
+      await import_node_fs4.default.promises.appendFile(this.filePath, payload, "utf8");
     });
     return this.chain;
   }
@@ -1112,6 +2960,8 @@ var Orchestrator = class {
   sessionActiveWindowMs;
   defaultGroupTriggerPolicy;
   roomTriggerPolicies;
+  configService;
+  defaultCodexWorkdir;
   rateLimiter;
   cliCompat;
   cliCompatRecorder;
@@ -1149,6 +2999,8 @@ var Orchestrator = class {
       allowPrefix: true
     };
     this.roomTriggerPolicies = options?.roomTriggerPolicies ?? {};
+    this.configService = options?.configService ?? null;
+    this.defaultCodexWorkdir = options?.defaultCodexWorkdir ?? process.cwd();
     this.rateLimiter = new RateLimiter(
       options?.rateLimiterOptions ?? {
         windowMs: 6e4,
@@ -1184,7 +3036,8 @@ var Orchestrator = class {
         this.logger.debug("Duplicate event ignored", { requestId, eventId: message.eventId, sessionKey, queueWaitMs });
         return;
       }
-      const route = this.routeMessage(message, sessionKey);
+      const roomConfig = this.resolveRoomRuntimeConfig(message.conversationId);
+      const route = this.routeMessage(message, sessionKey, roomConfig);
       if (route.kind === "ignore") {
         this.metrics.record("ignored", queueWaitMs, 0, 0);
         this.logger.debug("Message ignored by routing policy", {
@@ -1253,6 +3106,8 @@ var Orchestrator = class {
         hasCodexSession: Boolean(previousCodexSessionId),
         queueWaitMs,
         attachmentCount: message.attachments.length,
+        workdir: roomConfig.workdir,
+        roomConfigSource: roomConfig.source,
         isDirectMessage: message.isDirectMessage,
         mentionsBot: message.mentionsBot,
         repliesToBot: message.repliesToBot
@@ -1289,7 +3144,8 @@ var Orchestrator = class {
           },
           {
             passThroughRawEvents: this.cliCompat.enabled && this.cliCompat.passThroughEvents,
-            imagePaths
+            imagePaths,
+            workdir: roomConfig.workdir
           }
         );
         const running = this.runningExecutions.get(sessionKey);
@@ -1350,7 +3206,7 @@ var Orchestrator = class {
           try {
             await this.channel.sendMessage(
               message.conversationId,
-              `[CodeHarbor] Failed to process request: ${formatError(error)}`
+              `[CodeHarbor] Failed to process request: ${formatError2(error)}`
             );
           } catch (sendError) {
             this.logger.error("Failed to send error reply to Matrix", sendError);
@@ -1365,7 +3221,7 @@ var Orchestrator = class {
           queueWaitMs,
           executionDurationMs,
           totalDurationMs: Date.now() - receivedAt,
-          error: formatError(error)
+          error: formatError2(error)
         });
       } finally {
         const running = this.runningExecutions.get(sessionKey);
@@ -1378,13 +3234,16 @@ var Orchestrator = class {
       }
     });
   }
-  routeMessage(message, sessionKey) {
+  routeMessage(message, sessionKey, roomConfig) {
     const incomingRaw = message.text;
     const incomingTrimmed = incomingRaw.trim();
     if (!incomingTrimmed && message.attachments.length === 0) {
       return { kind: "ignore" };
     }
-    const groupPolicy = message.isDirectMessage ? null : this.resolveGroupPolicy(message.conversationId);
+    if (!message.isDirectMessage && !roomConfig.enabled) {
+      return { kind: "ignore" };
+    }
+    const groupPolicy = message.isDirectMessage ? null : roomConfig.triggerPolicy;
     const prefixAllowed = message.isDirectMessage || Boolean(groupPolicy?.allowPrefix);
     const prefixTriggered = prefixAllowed && this.commandPrefix.length > 0;
     const prefixedText = prefixTriggered ? extractCommandText(incomingTrimmed, this.commandPrefix) : null;
@@ -1426,6 +3285,7 @@ var Orchestrator = class {
       return;
     }
     const status = this.stateStore.getSessionStatus(sessionKey);
+    const roomConfig = this.resolveRoomRuntimeConfig(message.conversationId);
     const scope = message.isDirectMessage ? "\u79C1\u804A\uFF08\u514D\u524D\u7F00\uFF09" : "\u7FA4\u804A\uFF08\u6309\u623F\u95F4\u89E6\u53D1\u7B56\u7565\uFF09";
     const activeUntil = status.activeUntil ?? "\u672A\u6FC0\u6D3B";
     const metrics = this.metrics.snapshot(this.runningExecutions.size);
@@ -1438,6 +3298,7 @@ var Orchestrator = class {
 - \u6FC0\u6D3B\u4E2D: ${status.isActive ? "\u662F" : "\u5426"}
 - activeUntil: ${activeUntil}
 - \u5DF2\u7ED1\u5B9A Codex \u4F1A\u8BDD: ${status.hasCodexSession ? "\u662F" : "\u5426"}
+- \u5F53\u524D\u5DE5\u4F5C\u76EE\u5F55: ${roomConfig.workdir}
 - \u8FD0\u884C\u4E2D\u4EFB\u52A1: ${metrics.activeExecutions}
 - \u6307\u6807: total=${metrics.total}, success=${metrics.success}, failed=${metrics.failed}, timeout=${metrics.timeout}, cancelled=${metrics.cancelled}, rate_limited=${metrics.rateLimited}
 - \u5E73\u5747\u8017\u65F6: queue=${metrics.avgQueueMs}ms, exec=${metrics.avgExecMs}ms, send=${metrics.avgSendMs}ms
@@ -1559,6 +3420,18 @@ var Orchestrator = class {
       allowPrefix: override.allowPrefix ?? this.defaultGroupTriggerPolicy.allowPrefix
     };
   }
+  resolveRoomRuntimeConfig(conversationId) {
+    const fallbackPolicy = this.resolveGroupPolicy(conversationId);
+    if (!this.configService) {
+      return {
+        source: "default",
+        enabled: true,
+        triggerPolicy: fallbackPolicy,
+        workdir: this.defaultCodexWorkdir
+      };
+    }
+    return this.configService.resolveRoomConfig(conversationId, fallbackPolicy);
+  }
   buildExecutionPrompt(prompt, message) {
     if (message.attachments.length === 0) {
       return prompt;
@@ -1631,7 +3504,7 @@ ${attachmentSummary}
 function buildSessionKey(message) {
   return `${message.channel}:${message.conversationId}:${message.senderId}`;
 }
-function formatError(error) {
+function formatError2(error) {
   if (error instanceof Error) {
     return error.message;
   }
@@ -1651,7 +3524,7 @@ async function cleanupAttachmentFiles(imagePaths) {
   await Promise.all(
     imagePaths.map(async (imagePath) => {
       try {
-        await import_promises2.default.unlink(imagePath);
+        await import_promises3.default.unlink(imagePath);
       } catch {
       }
     })
@@ -1730,7 +3603,7 @@ function classifyExecutionOutcome(error) {
   if (error instanceof CodexExecutionCancelledError) {
     return "cancelled";
   }
-  const message = formatError(error).toLowerCase();
+  const message = formatError2(error).toLowerCase();
   if (message.includes("timed out")) {
     return "timeout";
   }
@@ -1742,14 +3615,14 @@ function buildFailureProgressSummary(status, startedAt, error) {
     return `\u5904\u7406\u5DF2\u53D6\u6D88\uFF08\u8017\u65F6 ${elapsed}\uFF09`;
   }
   if (status === "timeout") {
-    return `\u5904\u7406\u8D85\u65F6\uFF08\u8017\u65F6 ${elapsed}\uFF09: ${formatError(error)}`;
+    return `\u5904\u7406\u8D85\u65F6\uFF08\u8017\u65F6 ${elapsed}\uFF09: ${formatError2(error)}`;
   }
-  return `\u5904\u7406\u5931\u8D25\uFF08\u8017\u65F6 ${elapsed}\uFF09: ${formatError(error)}`;
+  return `\u5904\u7406\u5931\u8D25\uFF08\u8017\u65F6 ${elapsed}\uFF09: ${formatError2(error)}`;
 }
 
 // src/store/state-store.ts
-var import_node_fs2 = __toESM(require("fs"));
-var import_node_path3 = __toESM(require("path"));
+var import_node_fs5 = __toESM(require("fs"));
+var import_node_path6 = __toESM(require("path"));
 var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
 var PRUNE_INTERVAL_MS = 5 * 60 * 1e3;
 var SQLITE_MODULE_ID = `node:${"sqlite"}`;
@@ -1775,7 +3648,7 @@ var StateStore = class {
     this.maxProcessedEventsPerSession = maxProcessedEventsPerSession;
     this.maxSessionAgeMs = maxSessionAgeDays * ONE_DAY_MS;
     this.maxSessions = maxSessions;
-    import_node_fs2.default.mkdirSync(import_node_path3.default.dirname(this.dbPath), { recursive: true });
+    import_node_fs5.default.mkdirSync(import_node_path6.default.dirname(this.dbPath), { recursive: true });
     this.db = new DatabaseSync(this.dbPath);
     this.initializeSchema();
     this.importLegacyStateIfNeeded();
@@ -1874,6 +3747,83 @@ var StateStore = class {
       throw error;
     }
   }
+  getRoomSettings(roomId) {
+    const row = this.db.prepare(
+      "SELECT room_id, enabled, allow_mention, allow_reply, allow_active_window, allow_prefix, workdir, updated_at FROM room_settings WHERE room_id = ?1"
+    ).get(roomId);
+    if (!row) {
+      return null;
+    }
+    return {
+      roomId: row.room_id,
+      enabled: row.enabled === 1,
+      allowMention: row.allow_mention === 1,
+      allowReply: row.allow_reply === 1,
+      allowActiveWindow: row.allow_active_window === 1,
+      allowPrefix: row.allow_prefix === 1,
+      workdir: row.workdir,
+      updatedAt: row.updated_at
+    };
+  }
+  listRoomSettings() {
+    const rows = this.db.prepare(
+      "SELECT room_id, enabled, allow_mention, allow_reply, allow_active_window, allow_prefix, workdir, updated_at FROM room_settings ORDER BY room_id ASC"
+    ).all();
+    return rows.map((row) => ({
+      roomId: row.room_id,
+      enabled: row.enabled === 1,
+      allowMention: row.allow_mention === 1,
+      allowReply: row.allow_reply === 1,
+      allowActiveWindow: row.allow_active_window === 1,
+      allowPrefix: row.allow_prefix === 1,
+      workdir: row.workdir,
+      updatedAt: row.updated_at
+    }));
+  }
+  upsertRoomSettings(input) {
+    const now = Date.now();
+    this.db.prepare(
+      `INSERT INTO room_settings
+          (room_id, enabled, allow_mention, allow_reply, allow_active_window, allow_prefix, workdir, updated_at)
+         VALUES (?1, ?2, ?3, ?4, ?5, ?6, ?7, ?8)
+         ON CONFLICT(room_id) DO UPDATE SET
+          enabled = excluded.enabled,
+          allow_mention = excluded.allow_mention,
+          allow_reply = excluded.allow_reply,
+          allow_active_window = excluded.allow_active_window,
+          allow_prefix = excluded.allow_prefix,
+          workdir = excluded.workdir,
+          updated_at = excluded.updated_at`
+    ).run(
+      input.roomId,
+      boolToInt(input.enabled),
+      boolToInt(input.allowMention),
+      boolToInt(input.allowReply),
+      boolToInt(input.allowActiveWindow),
+      boolToInt(input.allowPrefix),
+      input.workdir,
+      now
+    );
+  }
+  deleteRoomSettings(roomId) {
+    this.db.prepare("DELETE FROM room_settings WHERE room_id = ?1").run(roomId);
+  }
+  appendConfigRevision(actor, summary, payloadJson) {
+    this.db.prepare("INSERT INTO config_revisions (actor, summary, payload_json, created_at) VALUES (?1, ?2, ?3, ?4)").run(actor, summary, payloadJson, Date.now());
+  }
+  listConfigRevisions(limit = 20) {
+    const safeLimit = Math.max(1, Math.floor(limit));
+    const rows = this.db.prepare(
+      "SELECT id, actor, summary, payload_json, created_at FROM config_revisions ORDER BY id DESC LIMIT ?1"
+    ).all(safeLimit);
+    return rows.map((row) => ({
+      id: row.id,
+      actor: row.actor,
+      summary: row.summary,
+      payloadJson: row.payload_json,
+      createdAt: row.created_at
+    }));
+  }
   async flush() {
     this.touchDatabase();
   }
@@ -1919,10 +3869,31 @@ var StateStore = class {
 
       CREATE INDEX IF NOT EXISTS idx_sessions_updated_at ON sessions(updated_at);
       CREATE INDEX IF NOT EXISTS idx_events_created_at ON processed_events(created_at);
+
+      CREATE TABLE IF NOT EXISTS room_settings (
+        room_id TEXT PRIMARY KEY,
+        enabled INTEGER NOT NULL DEFAULT 1,
+        allow_mention INTEGER NOT NULL DEFAULT 1,
+        allow_reply INTEGER NOT NULL DEFAULT 1,
+        allow_active_window INTEGER NOT NULL DEFAULT 1,
+        allow_prefix INTEGER NOT NULL DEFAULT 1,
+        workdir TEXT NOT NULL,
+        updated_at INTEGER NOT NULL
+      );
+
+      CREATE TABLE IF NOT EXISTS config_revisions (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        actor TEXT,
+        summary TEXT NOT NULL,
+        payload_json TEXT NOT NULL,
+        created_at INTEGER NOT NULL
+      );
+
+      CREATE INDEX IF NOT EXISTS idx_config_revisions_created_at ON config_revisions(created_at);
     `);
   }
   importLegacyStateIfNeeded() {
-    if (!this.legacyJsonPath || !import_node_fs2.default.existsSync(this.legacyJsonPath)) {
+    if (!this.legacyJsonPath || !import_node_fs5.default.existsSync(this.legacyJsonPath)) {
       return;
     }
     const countRow = this.db.prepare("SELECT COUNT(*) AS count FROM sessions").get();
@@ -2005,7 +3976,7 @@ var StateStore = class {
 };
 function loadLegacyState(filePath) {
   try {
-    const raw = import_node_fs2.default.readFileSync(filePath, "utf8");
+    const raw = import_node_fs5.default.readFileSync(filePath, "utf8");
     const parsed = JSON.parse(raw);
     if (!parsed.sessions || typeof parsed.sessions !== "object") {
       return null;
@@ -2043,15 +4014,19 @@ function normalizeLegacyState(state) {
     }
   }
 }
+function boolToInt(value) {
+  return value ? 1 : 0;
+}
 
 // src/app.ts
-var execFileAsync = (0, import_node_util.promisify)(import_node_child_process2.execFile);
+var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process3.execFile);
 var CodeHarborApp = class {
   config;
   logger;
   stateStore;
   channel;
   orchestrator;
+  configService;
   constructor(config) {
     this.config = config;
     this.logger = new Logger(config.logLevel);
@@ -2062,6 +4037,7 @@ var CodeHarborApp = class {
       config.maxSessionAgeDays,
       config.maxSessions
     );
+    this.configService = new ConfigService(this.stateStore, config.codexWorkdir);
     const executor = new CodexExecutor({
       bin: config.codexBin,
       model: config.codexModel,
@@ -2084,7 +4060,9 @@ var CodeHarborApp = class {
       defaultGroupTriggerPolicy: config.defaultGroupTriggerPolicy,
       roomTriggerPolicies: config.roomTriggerPolicies,
       rateLimiterOptions: config.rateLimiter,
-      cliCompat: config.cliCompat
+      cliCompat: config.cliCompat,
+      configService: this.configService,
+      defaultCodexWorkdir: config.codexWorkdir
     });
   }
   async start() {
@@ -2105,11 +4083,54 @@ var CodeHarborApp = class {
     }
   }
 };
+var CodeHarborAdminApp = class {
+  config;
+  logger;
+  stateStore;
+  configService;
+  adminServer;
+  constructor(config, options) {
+    this.config = config;
+    this.logger = new Logger(config.logLevel);
+    this.stateStore = new StateStore(
+      config.stateDbPath,
+      config.legacyStateJsonPath,
+      config.maxProcessedEventsPerSession,
+      config.maxSessionAgeDays,
+      config.maxSessions
+    );
+    this.configService = new ConfigService(this.stateStore, config.codexWorkdir);
+    this.adminServer = new AdminServer(config, this.logger, this.stateStore, this.configService, {
+      host: options?.host ?? config.adminBindHost,
+      port: options?.port ?? config.adminPort,
+      adminToken: config.adminToken,
+      adminIpAllowlist: config.adminIpAllowlist,
+      adminAllowedOrigins: config.adminAllowedOrigins
+    });
+  }
+  async start() {
+    await this.adminServer.start();
+    const address = this.adminServer.getAddress();
+    this.logger.info("CodeHarbor admin server started", {
+      host: address?.host ?? this.config.adminBindHost,
+      port: address?.port ?? this.config.adminPort,
+      tokenProtected: Boolean(this.config.adminToken)
+    });
+  }
+  async stop() {
+    this.logger.info("CodeHarbor admin server stopping.");
+    try {
+      await this.adminServer.stop();
+    } finally {
+      await this.stateStore.flush();
+    }
+  }
+};
 async function runDoctor(config) {
   const logger = new Logger(config.logLevel);
   logger.info("Doctor check started");
   try {
-    const { stdout } = await execFileAsync(config.codexBin, ["--version"]);
+    const { stdout } = await execFileAsync2(config.codexBin, ["--version"]);
     logger.info("codex available", { version: stdout.trim() });
   } catch (error) {
     logger.error("codex unavailable", error);
@@ -2136,12 +4157,20 @@ async function runDoctor(config) {
   logger.info("Doctor check passed");
 }
 
+// src/utils/admin-host.ts
+function isNonLoopbackHost(host) {
+  const normalized = host.trim().toLowerCase();
+  if (!normalized) {
+    return false;
+  }
+  return !(normalized === "localhost" || normalized === "127.0.0.1" || normalized === "::1" || normalized === "[::1]");
+}
+
 // src/config.ts
-var import_node_fs3 = __toESM(require("fs"));
-var import_node_path4 = __toESM(require("path"));
-var import_dotenv = __toESM(require("dotenv"));
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_path7 = __toESM(require("path"));
+var import_dotenv2 = __toESM(require("dotenv"));
 var import_zod = require("zod");
-import_dotenv.default.config();
 var configSchema = import_zod.z.object({
   MATRIX_HOMESERVER: import_zod.z.string().url(),
   MATRIX_USER_ID: import_zod.z.string().min(1),
@@ -2149,7 +4178,7 @@ var configSchema = import_zod.z.object({
   MATRIX_COMMAND_PREFIX: import_zod.z.string().default("!code"),
   CODEX_BIN: import_zod.z.string().default("codex"),
   CODEX_MODEL: import_zod.z.string().optional(),
-  CODEX_WORKDIR: import_zod.z.string().default(process.cwd()),
+  CODEX_WORKDIR: import_zod.z.string().default("."),
   CODEX_DANGEROUS_BYPASS: import_zod.z.string().default("false").transform((v) => v.toLowerCase() === "true"),
   CODEX_EXEC_TIMEOUT_MS: import_zod.z.string().default("600000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
   CODEX_SANDBOX_MODE: import_zod.z.string().optional(),
@@ -2185,6 +4214,11 @@ var configSchema = import_zod.z.object({
   CLI_COMPAT_FETCH_MEDIA: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
   CLI_COMPAT_RECORD_PATH: import_zod.z.string().default(""),
   DOCTOR_HTTP_TIMEOUT_MS: import_zod.z.string().default("10000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  ADMIN_BIND_HOST: import_zod.z.string().default("127.0.0.1"),
+  ADMIN_PORT: import_zod.z.string().default("8787").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().min(1).max(65535)),
+  ADMIN_TOKEN: import_zod.z.string().default(""),
+  ADMIN_IP_ALLOWLIST: import_zod.z.string().default(""),
+  ADMIN_ALLOWED_ORIGINS: import_zod.z.string().default(""),
   LOG_LEVEL: import_zod.z.enum(["debug", "info", "warn", "error"]).default("info")
 }).transform((v) => ({
   matrixHomeserver: v.MATRIX_HOMESERVER,
@@ -2193,15 +4227,15 @@ var configSchema = import_zod.z.object({
   matrixCommandPrefix: v.MATRIX_COMMAND_PREFIX,
   codexBin: v.CODEX_BIN,
   codexModel: v.CODEX_MODEL?.trim() || null,
-  codexWorkdir: import_node_path4.default.resolve(v.CODEX_WORKDIR),
+  codexWorkdir: import_node_path7.default.resolve(v.CODEX_WORKDIR),
   codexDangerousBypass: v.CODEX_DANGEROUS_BYPASS,
   codexExecTimeoutMs: v.CODEX_EXEC_TIMEOUT_MS,
   codexSandboxMode: v.CODEX_SANDBOX_MODE?.trim() || null,
   codexApprovalPolicy: v.CODEX_APPROVAL_POLICY?.trim() || null,
   codexExtraArgs: parseExtraArgs(v.CODEX_EXTRA_ARGS),
   codexExtraEnv: parseExtraEnv(v.CODEX_EXTRA_ENV_JSON),
-  stateDbPath: import_node_path4.default.resolve(v.STATE_DB_PATH),
-  legacyStateJsonPath: v.STATE_PATH.trim() ? import_node_path4.default.resolve(v.STATE_PATH) : null,
+  stateDbPath: import_node_path7.default.resolve(v.STATE_DB_PATH),
+  legacyStateJsonPath: v.STATE_PATH.trim() ? import_node_path7.default.resolve(v.STATE_PATH) : null,
   maxProcessedEventsPerSession: v.MAX_PROCESSED_EVENTS_PER_SESSION,
   maxSessionAgeDays: v.MAX_SESSION_AGE_DAYS,
   maxSessions: v.MAX_SESSIONS,
@@ -2232,20 +4266,32 @@ var configSchema = import_zod.z.object({
     disableReplyChunkSplit: v.CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT,
     progressThrottleMs: v.CLI_COMPAT_PROGRESS_THROTTLE_MS,
     fetchMedia: v.CLI_COMPAT_FETCH_MEDIA,
-    recordPath: v.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path4.default.resolve(v.CLI_COMPAT_RECORD_PATH) : null
+    recordPath: v.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path7.default.resolve(v.CLI_COMPAT_RECORD_PATH) : null
   },
   doctorHttpTimeoutMs: v.DOCTOR_HTTP_TIMEOUT_MS,
+  adminBindHost: v.ADMIN_BIND_HOST.trim() || "127.0.0.1",
+  adminPort: v.ADMIN_PORT,
+  adminToken: v.ADMIN_TOKEN.trim() || null,
+  adminIpAllowlist: parseCsvList(v.ADMIN_IP_ALLOWLIST),
+  adminAllowedOrigins: parseCsvList(v.ADMIN_ALLOWED_ORIGINS),
   logLevel: v.LOG_LEVEL
 }));
+function loadEnvFromFile(filePath = import_node_path7.default.resolve(process.cwd(), ".env"), env = process.env) {
+  import_dotenv2.default.config({
+    path: filePath,
+    processEnv: env,
+    quiet: true
+  });
+}
 function loadConfig(env = process.env) {
   const parsed = configSchema.safeParse(env);
   if (!parsed.success) {
     const message = parsed.error.issues.map((issue) => `${issue.path.join(".") || "config"}: ${issue.message}`).join("; ");
     throw new Error(`Invalid configuration: ${message}`);
   }
-  import_node_fs3.default.mkdirSync(import_node_path4.default.dirname(parsed.data.stateDbPath), { recursive: true });
+  import_node_fs6.default.mkdirSync(import_node_path7.default.dirname(parsed.data.stateDbPath), { recursive: true });
   if (parsed.data.legacyStateJsonPath) {
-    import_node_fs3.default.mkdirSync(import_node_path4.default.dirname(parsed.data.legacyStateJsonPath), { recursive: true });
+    import_node_fs6.default.mkdirSync(import_node_path7.default.dirname(parsed.data.legacyStateJsonPath), { recursive: true });
   }
   return parsed.data;
 }
@@ -2313,12 +4359,584 @@ function parseExtraEnv(raw) {
   }
   return output;
 }
+function parseCsvList(raw) {
+  return raw.split(",").map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+}
+
+// src/config-snapshot.ts
+var import_node_fs7 = __toESM(require("fs"));
+var import_node_path8 = __toESM(require("path"));
+var import_zod2 = require("zod");
+var CONFIG_SNAPSHOT_SCHEMA_VERSION = 1;
+var CONFIG_SNAPSHOT_ENV_KEYS = [
+  "MATRIX_HOMESERVER",
+  "MATRIX_USER_ID",
+  "MATRIX_ACCESS_TOKEN",
+  "MATRIX_COMMAND_PREFIX",
+  "CODEX_BIN",
+  "CODEX_MODEL",
+  "CODEX_WORKDIR",
+  "CODEX_DANGEROUS_BYPASS",
+  "CODEX_EXEC_TIMEOUT_MS",
+  "CODEX_SANDBOX_MODE",
+  "CODEX_APPROVAL_POLICY",
+  "CODEX_EXTRA_ARGS",
+  "CODEX_EXTRA_ENV_JSON",
+  "STATE_DB_PATH",
+  "STATE_PATH",
+  "MAX_PROCESSED_EVENTS_PER_SESSION",
+  "MAX_SESSION_AGE_DAYS",
+  "MAX_SESSIONS",
+  "REPLY_CHUNK_SIZE",
+  "MATRIX_PROGRESS_UPDATES",
+  "MATRIX_PROGRESS_MIN_INTERVAL_MS",
+  "MATRIX_TYPING_TIMEOUT_MS",
+  "SESSION_ACTIVE_WINDOW_MINUTES",
+  "GROUP_TRIGGER_ALLOW_MENTION",
+  "GROUP_TRIGGER_ALLOW_REPLY",
+  "GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW",
+  "GROUP_TRIGGER_ALLOW_PREFIX",
+  "ROOM_TRIGGER_POLICY_JSON",
+  "RATE_LIMIT_WINDOW_SECONDS",
+  "RATE_LIMIT_MAX_REQUESTS_PER_USER",
+  "RATE_LIMIT_MAX_REQUESTS_PER_ROOM",
+  "RATE_LIMIT_MAX_CONCURRENT_GLOBAL",
+  "RATE_LIMIT_MAX_CONCURRENT_PER_USER",
+  "RATE_LIMIT_MAX_CONCURRENT_PER_ROOM",
+  "CLI_COMPAT_MODE",
+  "CLI_COMPAT_PASSTHROUGH_EVENTS",
+  "CLI_COMPAT_PRESERVE_WHITESPACE",
+  "CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT",
+  "CLI_COMPAT_PROGRESS_THROTTLE_MS",
+  "CLI_COMPAT_FETCH_MEDIA",
+  "CLI_COMPAT_RECORD_PATH",
+  "DOCTOR_HTTP_TIMEOUT_MS",
+  "ADMIN_BIND_HOST",
+  "ADMIN_PORT",
+  "ADMIN_TOKEN",
+  "ADMIN_IP_ALLOWLIST",
+  "ADMIN_ALLOWED_ORIGINS",
+  "LOG_LEVEL"
+];
+var BOOLEAN_STRING = /^(true|false)$/i;
+var INTEGER_STRING = /^-?\d+$/;
+var LOG_LEVELS = ["debug", "info", "warn", "error"];
+var roomSnapshotSchema = import_zod2.z.object({
+  roomId: import_zod2.z.string().min(1),
+  enabled: import_zod2.z.boolean(),
+  allowMention: import_zod2.z.boolean(),
+  allowReply: import_zod2.z.boolean(),
+  allowActiveWindow: import_zod2.z.boolean(),
+  allowPrefix: import_zod2.z.boolean(),
+  workdir: import_zod2.z.string().min(1)
+}).strict();
+var envSnapshotSchema = import_zod2.z.object({
+  MATRIX_HOMESERVER: import_zod2.z.string().url(),
+  MATRIX_USER_ID: import_zod2.z.string().min(1),
+  MATRIX_ACCESS_TOKEN: import_zod2.z.string().min(1),
+  MATRIX_COMMAND_PREFIX: import_zod2.z.string(),
+  CODEX_BIN: import_zod2.z.string().min(1),
+  CODEX_MODEL: import_zod2.z.string(),
+  CODEX_WORKDIR: import_zod2.z.string().min(1),
+  CODEX_DANGEROUS_BYPASS: booleanStringSchema("CODEX_DANGEROUS_BYPASS"),
+  CODEX_EXEC_TIMEOUT_MS: integerStringSchema("CODEX_EXEC_TIMEOUT_MS", 1),
+  CODEX_SANDBOX_MODE: import_zod2.z.string(),
+  CODEX_APPROVAL_POLICY: import_zod2.z.string(),
+  CODEX_EXTRA_ARGS: import_zod2.z.string(),
+  CODEX_EXTRA_ENV_JSON: jsonObjectStringSchema("CODEX_EXTRA_ENV_JSON", true),
+  STATE_DB_PATH: import_zod2.z.string().min(1),
+  STATE_PATH: import_zod2.z.string(),
+  MAX_PROCESSED_EVENTS_PER_SESSION: integerStringSchema("MAX_PROCESSED_EVENTS_PER_SESSION", 1),
+  MAX_SESSION_AGE_DAYS: integerStringSchema("MAX_SESSION_AGE_DAYS", 1),
+  MAX_SESSIONS: integerStringSchema("MAX_SESSIONS", 1),
+  REPLY_CHUNK_SIZE: integerStringSchema("REPLY_CHUNK_SIZE", 1),
+  MATRIX_PROGRESS_UPDATES: booleanStringSchema("MATRIX_PROGRESS_UPDATES"),
+  MATRIX_PROGRESS_MIN_INTERVAL_MS: integerStringSchema("MATRIX_PROGRESS_MIN_INTERVAL_MS", 1),
+  MATRIX_TYPING_TIMEOUT_MS: integerStringSchema("MATRIX_TYPING_TIMEOUT_MS", 1),
+  SESSION_ACTIVE_WINDOW_MINUTES: integerStringSchema("SESSION_ACTIVE_WINDOW_MINUTES", 1),
+  GROUP_TRIGGER_ALLOW_MENTION: booleanStringSchema("GROUP_TRIGGER_ALLOW_MENTION"),
+  GROUP_TRIGGER_ALLOW_REPLY: booleanStringSchema("GROUP_TRIGGER_ALLOW_REPLY"),
+  GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW: booleanStringSchema("GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW"),
+  GROUP_TRIGGER_ALLOW_PREFIX: booleanStringSchema("GROUP_TRIGGER_ALLOW_PREFIX"),
+  ROOM_TRIGGER_POLICY_JSON: jsonObjectStringSchema("ROOM_TRIGGER_POLICY_JSON", true),
+  RATE_LIMIT_WINDOW_SECONDS: integerStringSchema("RATE_LIMIT_WINDOW_SECONDS", 1),
+  RATE_LIMIT_MAX_REQUESTS_PER_USER: integerStringSchema("RATE_LIMIT_MAX_REQUESTS_PER_USER", 0),
+  RATE_LIMIT_MAX_REQUESTS_PER_ROOM: integerStringSchema("RATE_LIMIT_MAX_REQUESTS_PER_ROOM", 0),
+  RATE_LIMIT_MAX_CONCURRENT_GLOBAL: integerStringSchema("RATE_LIMIT_MAX_CONCURRENT_GLOBAL", 0),
+  RATE_LIMIT_MAX_CONCURRENT_PER_USER: integerStringSchema("RATE_LIMIT_MAX_CONCURRENT_PER_USER", 0),
+  RATE_LIMIT_MAX_CONCURRENT_PER_ROOM: integerStringSchema("RATE_LIMIT_MAX_CONCURRENT_PER_ROOM", 0),
+  CLI_COMPAT_MODE: booleanStringSchema("CLI_COMPAT_MODE"),
+  CLI_COMPAT_PASSTHROUGH_EVENTS: booleanStringSchema("CLI_COMPAT_PASSTHROUGH_EVENTS"),
+  CLI_COMPAT_PRESERVE_WHITESPACE: booleanStringSchema("CLI_COMPAT_PRESERVE_WHITESPACE"),
+  CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT: booleanStringSchema("CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT"),
+  CLI_COMPAT_PROGRESS_THROTTLE_MS: integerStringSchema("CLI_COMPAT_PROGRESS_THROTTLE_MS", 0),
+  CLI_COMPAT_FETCH_MEDIA: booleanStringSchema("CLI_COMPAT_FETCH_MEDIA"),
+  CLI_COMPAT_RECORD_PATH: import_zod2.z.string(),
+  DOCTOR_HTTP_TIMEOUT_MS: integerStringSchema("DOCTOR_HTTP_TIMEOUT_MS", 1),
+  ADMIN_BIND_HOST: import_zod2.z.string(),
+  ADMIN_PORT: integerStringSchema("ADMIN_PORT", 1, 65535),
+  ADMIN_TOKEN: import_zod2.z.string(),
+  ADMIN_IP_ALLOWLIST: import_zod2.z.string(),
+  ADMIN_ALLOWED_ORIGINS: import_zod2.z.string().default(""),
+  LOG_LEVEL: import_zod2.z.enum(LOG_LEVELS)
+}).strict();
+var configSnapshotSchema = import_zod2.z.object({
+  schemaVersion: import_zod2.z.literal(CONFIG_SNAPSHOT_SCHEMA_VERSION),
+  exportedAt: import_zod2.z.string().datetime({ offset: true }),
+  env: envSnapshotSchema,
+  rooms: import_zod2.z.array(roomSnapshotSchema)
+}).strict().superRefine((value, ctx) => {
+  const seen = /* @__PURE__ */ new Set();
+  for (const room of value.rooms) {
+    const roomId = room.roomId.trim();
+    if (!roomId) {
+      ctx.addIssue({
+        code: import_zod2.z.ZodIssueCode.custom,
+        message: "rooms[].roomId cannot be empty."
+      });
+      continue;
+    }
+    if (seen.has(roomId)) {
+      ctx.addIssue({
+        code: import_zod2.z.ZodIssueCode.custom,
+        message: `Duplicate room id in snapshot: ${roomId}`
+      });
+    }
+    seen.add(roomId);
+  }
+});
+function buildConfigSnapshot(config, roomSettings, now = /* @__PURE__ */ new Date()) {
+  return {
+    schemaVersion: CONFIG_SNAPSHOT_SCHEMA_VERSION,
+    exportedAt: now.toISOString(),
+    env: buildSnapshotEnv(config),
+    rooms: roomSettings.map((room) => ({
+      roomId: room.roomId,
+      enabled: room.enabled,
+      allowMention: room.allowMention,
+      allowReply: room.allowReply,
+      allowActiveWindow: room.allowActiveWindow,
+      allowPrefix: room.allowPrefix,
+      workdir: room.workdir
+    }))
+  };
+}
+function parseConfigSnapshot(raw) {
+  const parsed = configSnapshotSchema.safeParse(raw);
+  if (!parsed.success) {
+    const message = parsed.error.issues.map((issue) => `${issue.path.join(".") || "snapshot"}: ${issue.message}`).join("; ");
+    throw new Error(`Invalid config snapshot: ${message}`);
+  }
+  return parsed.data;
+}
+function serializeConfigSnapshot(snapshot) {
+  return `${JSON.stringify(snapshot, null, 2)}
+`;
+}
+async function runConfigExportCommand(options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const output = options.output ?? process.stdout;
+  const config = loadConfig(options.env ?? process.env);
+  const stateStore = new StateStore(
+    config.stateDbPath,
+    config.legacyStateJsonPath,
+    config.maxProcessedEventsPerSession,
+    config.maxSessionAgeDays,
+    config.maxSessions
+  );
+  try {
+    const snapshot = buildConfigSnapshot(config, stateStore.listRoomSettings(), options.now ?? /* @__PURE__ */ new Date());
+    const serialized = serializeConfigSnapshot(snapshot);
+    if (options.outputPath) {
+      const targetPath = import_node_path8.default.resolve(cwd, options.outputPath);
+      import_node_fs7.default.mkdirSync(import_node_path8.default.dirname(targetPath), { recursive: true });
+      import_node_fs7.default.writeFileSync(targetPath, serialized, "utf8");
+      output.write(`Exported config snapshot to ${targetPath}
+`);
+      return;
+    }
+    output.write(serialized);
+  } finally {
+    await stateStore.flush();
+  }
+}
+async function runConfigImportCommand(options) {
+  const cwd = options.cwd ?? process.cwd();
+  const output = options.output ?? process.stdout;
+  const actor = options.actor?.trim() || "cli:config-import";
+  const sourcePath = import_node_path8.default.resolve(cwd, options.filePath);
+  if (!import_node_fs7.default.existsSync(sourcePath)) {
+    throw new Error(`Config snapshot file not found: ${sourcePath}`);
+  }
+  const snapshot = parseConfigSnapshot(parseJsonFile(sourcePath));
+  const normalizedEnv = normalizeSnapshotEnv(snapshot.env, cwd);
+  ensureDirectory2(normalizedEnv.CODEX_WORKDIR, "CODEX_WORKDIR");
+  const normalizedRooms = normalizeSnapshotRooms(snapshot.rooms, cwd);
+  if (options.dryRun) {
+    output.write(
+      [
+        `Config snapshot is valid: ${sourcePath}`,
+        `- schemaVersion: ${snapshot.schemaVersion}`,
+        `- rooms: ${normalizedRooms.length}`,
+        "- dry-run: no changes were written"
+      ].join("\n") + "\n"
+    );
+    return;
+  }
+  persistEnvSnapshot(cwd, normalizedEnv);
+  const stateStore = new StateStore(
+    normalizedEnv.STATE_DB_PATH,
+    normalizedEnv.STATE_PATH ? normalizedEnv.STATE_PATH : null,
+    parseIntStrict(normalizedEnv.MAX_PROCESSED_EVENTS_PER_SESSION),
+    parseIntStrict(normalizedEnv.MAX_SESSION_AGE_DAYS),
+    parseIntStrict(normalizedEnv.MAX_SESSIONS)
+  );
+  try {
+    synchronizeRoomSettings(stateStore, normalizedRooms);
+    stateStore.appendConfigRevision(
+      actor,
+      `import config snapshot from ${import_node_path8.default.basename(sourcePath)}`,
+      JSON.stringify({
+        type: "config_snapshot_import",
+        sourcePath,
+        roomCount: normalizedRooms.length,
+        envKeyCount: CONFIG_SNAPSHOT_ENV_KEYS.length
+      })
+    );
+  } finally {
+    await stateStore.flush();
+  }
+  output.write(
+    [
+      `Imported config snapshot from ${sourcePath}`,
+      `- updated .env in ${import_node_path8.default.resolve(cwd, ".env")}`,
+      `- synchronized room settings: ${normalizedRooms.length}`,
+      "- restart required: yes (global env settings are restart-scoped)"
+    ].join("\n") + "\n"
+  );
+}
+function buildSnapshotEnv(config) {
+  return {
+    MATRIX_HOMESERVER: config.matrixHomeserver,
+    MATRIX_USER_ID: config.matrixUserId,
+    MATRIX_ACCESS_TOKEN: config.matrixAccessToken,
+    MATRIX_COMMAND_PREFIX: config.matrixCommandPrefix,
+    CODEX_BIN: config.codexBin,
+    CODEX_MODEL: config.codexModel ?? "",
+    CODEX_WORKDIR: config.codexWorkdir,
+    CODEX_DANGEROUS_BYPASS: String(config.codexDangerousBypass),
+    CODEX_EXEC_TIMEOUT_MS: String(config.codexExecTimeoutMs),
+    CODEX_SANDBOX_MODE: config.codexSandboxMode ?? "",
+    CODEX_APPROVAL_POLICY: config.codexApprovalPolicy ?? "",
+    CODEX_EXTRA_ARGS: config.codexExtraArgs.join(" "),
+    CODEX_EXTRA_ENV_JSON: serializeJsonObject(config.codexExtraEnv),
+    STATE_DB_PATH: config.stateDbPath,
+    STATE_PATH: config.legacyStateJsonPath ?? "",
+    MAX_PROCESSED_EVENTS_PER_SESSION: String(config.maxProcessedEventsPerSession),
+    MAX_SESSION_AGE_DAYS: String(config.maxSessionAgeDays),
+    MAX_SESSIONS: String(config.maxSessions),
+    REPLY_CHUNK_SIZE: String(config.replyChunkSize),
+    MATRIX_PROGRESS_UPDATES: String(config.matrixProgressUpdates),
+    MATRIX_PROGRESS_MIN_INTERVAL_MS: String(config.matrixProgressMinIntervalMs),
+    MATRIX_TYPING_TIMEOUT_MS: String(config.matrixTypingTimeoutMs),
+    SESSION_ACTIVE_WINDOW_MINUTES: String(config.sessionActiveWindowMinutes),
+    GROUP_TRIGGER_ALLOW_MENTION: String(config.defaultGroupTriggerPolicy.allowMention),
+    GROUP_TRIGGER_ALLOW_REPLY: String(config.defaultGroupTriggerPolicy.allowReply),
+    GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW: String(config.defaultGroupTriggerPolicy.allowActiveWindow),
+    GROUP_TRIGGER_ALLOW_PREFIX: String(config.defaultGroupTriggerPolicy.allowPrefix),
+    ROOM_TRIGGER_POLICY_JSON: serializeJsonObject(config.roomTriggerPolicies),
+    RATE_LIMIT_WINDOW_SECONDS: String(Math.max(1, Math.round(config.rateLimiter.windowMs / 1e3))),
+    RATE_LIMIT_MAX_REQUESTS_PER_USER: String(config.rateLimiter.maxRequestsPerUser),
+    RATE_LIMIT_MAX_REQUESTS_PER_ROOM: String(config.rateLimiter.maxRequestsPerRoom),
+    RATE_LIMIT_MAX_CONCURRENT_GLOBAL: String(config.rateLimiter.maxConcurrentGlobal),
+    RATE_LIMIT_MAX_CONCURRENT_PER_USER: String(config.rateLimiter.maxConcurrentPerUser),
+    RATE_LIMIT_MAX_CONCURRENT_PER_ROOM: String(config.rateLimiter.maxConcurrentPerRoom),
+    CLI_COMPAT_MODE: String(config.cliCompat.enabled),
+    CLI_COMPAT_PASSTHROUGH_EVENTS: String(config.cliCompat.passThroughEvents),
+    CLI_COMPAT_PRESERVE_WHITESPACE: String(config.cliCompat.preserveWhitespace),
+    CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT: String(config.cliCompat.disableReplyChunkSplit),
+    CLI_COMPAT_PROGRESS_THROTTLE_MS: String(config.cliCompat.progressThrottleMs),
+    CLI_COMPAT_FETCH_MEDIA: String(config.cliCompat.fetchMedia),
+    CLI_COMPAT_RECORD_PATH: config.cliCompat.recordPath ?? "",
+    DOCTOR_HTTP_TIMEOUT_MS: String(config.doctorHttpTimeoutMs),
+    ADMIN_BIND_HOST: config.adminBindHost,
+    ADMIN_PORT: String(config.adminPort),
+    ADMIN_TOKEN: config.adminToken ?? "",
+    ADMIN_IP_ALLOWLIST: config.adminIpAllowlist.join(","),
+    ADMIN_ALLOWED_ORIGINS: config.adminAllowedOrigins.join(","),
+    LOG_LEVEL: config.logLevel
+  };
+}
+function parseJsonFile(filePath) {
+  try {
+    const raw = import_node_fs7.default.readFileSync(filePath, "utf8");
+    return JSON.parse(raw);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Failed to parse snapshot JSON: ${message}`, {
+      cause: error
+    });
+  }
+}
+function normalizeSnapshotEnv(env, cwd) {
+  return {
+    ...env,
+    CODEX_WORKDIR: import_node_path8.default.resolve(cwd, env.CODEX_WORKDIR),
+    STATE_DB_PATH: import_node_path8.default.resolve(cwd, env.STATE_DB_PATH),
+    STATE_PATH: env.STATE_PATH.trim() ? import_node_path8.default.resolve(cwd, env.STATE_PATH) : "",
+    CLI_COMPAT_RECORD_PATH: env.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path8.default.resolve(cwd, env.CLI_COMPAT_RECORD_PATH) : ""
+  };
+}
+function normalizeSnapshotRooms(rooms, cwd) {
+  const normalized = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const room of rooms) {
+    const roomId = room.roomId.trim();
+    if (!roomId) {
+      throw new Error("roomId is required for every room in snapshot.");
+    }
+    if (seen.has(roomId)) {
+      throw new Error(`Duplicate roomId in snapshot: ${roomId}`);
+    }
+    seen.add(roomId);
+    const workdir = import_node_path8.default.resolve(cwd, room.workdir);
+    ensureDirectory2(workdir, `room workdir (${roomId})`);
+    normalized.push({
+      roomId,
+      enabled: room.enabled,
+      allowMention: room.allowMention,
+      allowReply: room.allowReply,
+      allowActiveWindow: room.allowActiveWindow,
+      allowPrefix: room.allowPrefix,
+      workdir
+    });
+  }
+  return normalized;
+}
+function synchronizeRoomSettings(stateStore, rooms) {
+  const incoming = new Map(rooms.map((room) => [room.roomId, room]));
+  const existing = stateStore.listRoomSettings();
+  for (const room of existing) {
+    if (!incoming.has(room.roomId)) {
+      stateStore.deleteRoomSettings(room.roomId);
+    }
+  }
+  for (const room of rooms) {
+    stateStore.upsertRoomSettings(room);
+  }
+}
+function persistEnvSnapshot(cwd, env) {
+  const envPath = import_node_path8.default.resolve(cwd, ".env");
+  const examplePath = import_node_path8.default.resolve(cwd, ".env.example");
+  const template = import_node_fs7.default.existsSync(envPath) ? import_node_fs7.default.readFileSync(envPath, "utf8") : import_node_fs7.default.existsSync(examplePath) ? import_node_fs7.default.readFileSync(examplePath, "utf8") : "";
+  const overrides = {};
+  for (const key of CONFIG_SNAPSHOT_ENV_KEYS) {
+    overrides[key] = env[key];
+  }
+  const next = applyEnvOverrides(template, overrides);
+  import_node_fs7.default.writeFileSync(envPath, next, "utf8");
+}
+function ensureDirectory2(dirPath, label) {
+  if (!import_node_fs7.default.existsSync(dirPath) || !import_node_fs7.default.statSync(dirPath).isDirectory()) {
+    throw new Error(`${label} does not exist or is not a directory: ${dirPath}`);
+  }
+}
+function parseIntStrict(raw) {
+  const value = Number.parseInt(raw, 10);
+  if (!Number.isFinite(value)) {
+    throw new Error(`Invalid integer value: ${raw}`);
+  }
+  return value;
+}
+function serializeJsonObject(value) {
+  return Object.keys(value).length > 0 ? JSON.stringify(value) : "";
+}
+function booleanStringSchema(key) {
+  return import_zod2.z.string().refine((value) => BOOLEAN_STRING.test(value), {
+    message: `${key} must be a boolean string (true/false).`
+  });
+}
+function integerStringSchema(key, min, max = Number.MAX_SAFE_INTEGER) {
+  return import_zod2.z.string().refine((value) => {
+    const trimmed = value.trim();
+    if (!INTEGER_STRING.test(trimmed)) {
+      return false;
+    }
+    const parsed = Number.parseInt(trimmed, 10);
+    if (!Number.isFinite(parsed)) {
+      return false;
+    }
+    return parsed >= min && parsed <= max;
+  }, {
+    message: `${key} must be an integer string in range [${min}, ${max}].`
+  });
+}
+function jsonObjectStringSchema(key, allowEmpty) {
+  return import_zod2.z.string().refine((value) => {
+    const trimmed = value.trim();
+    if (!trimmed) {
+      return allowEmpty;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(trimmed);
+    } catch {
+      return false;
+    }
+    return Boolean(parsed) && typeof parsed === "object" && !Array.isArray(parsed);
+  }, {
+    message: `${key} must be an empty string or a JSON object string.`
+  });
+}
+
+// src/preflight.ts
+var import_node_child_process4 = require("child_process");
+var import_node_fs8 = __toESM(require("fs"));
+var import_node_path9 = __toESM(require("path"));
+var import_node_util3 = require("util");
+var execFileAsync3 = (0, import_node_util3.promisify)(import_node_child_process4.execFile);
+var REQUIRED_ENV_KEYS = ["MATRIX_HOMESERVER", "MATRIX_USER_ID", "MATRIX_ACCESS_TOKEN"];
+async function runStartupPreflight(options = {}) {
+  const env = options.env ?? process.env;
+  const cwd = options.cwd ?? process.cwd();
+  const checkCodexBinary = options.checkCodexBinary ?? defaultCheckCodexBinary;
+  const fileExists = options.fileExists ?? import_node_fs8.default.existsSync;
+  const isDirectory = options.isDirectory ?? defaultIsDirectory;
+  const issues = [];
+  const envPath = import_node_path9.default.resolve(cwd, ".env");
+  if (!fileExists(envPath)) {
+    issues.push({
+      level: "warn",
+      code: "missing_dotenv",
+      check: ".env",
+      message: `No .env file found at ${envPath}.`,
+      fix: 'Run "codeharbor init" to create baseline config.'
+    });
+  }
+  for (const key of REQUIRED_ENV_KEYS) {
+    if (!readEnv(env, key)) {
+      issues.push({
+        level: "error",
+        code: "missing_env",
+        check: key,
+        message: `${key} is required.`,
+        fix: `Run "codeharbor init" or set ${key} in .env.`
+      });
+    }
+  }
+  const matrixHomeserver = readEnv(env, "MATRIX_HOMESERVER");
+  if (matrixHomeserver) {
+    try {
+      new URL(matrixHomeserver);
+    } catch {
+      issues.push({
+        level: "error",
+        code: "invalid_matrix_homeserver",
+        check: "MATRIX_HOMESERVER",
+        message: `Invalid URL: "${matrixHomeserver}".`,
+        fix: "Set MATRIX_HOMESERVER to a full URL, for example https://matrix.example.com."
+      });
+    }
+  }
+  const matrixUserId = readEnv(env, "MATRIX_USER_ID");
+  if (matrixUserId && !/^@[^:\s]+:.+/.test(matrixUserId)) {
+    issues.push({
+      level: "error",
+      code: "invalid_matrix_user_id",
+      check: "MATRIX_USER_ID",
+      message: `Unexpected Matrix user id format: "${matrixUserId}".`,
+      fix: "Set MATRIX_USER_ID like @bot:example.com."
+    });
+  }
+  const codexBin = readEnv(env, "CODEX_BIN") || "codex";
+  try {
+    await checkCodexBinary(codexBin);
+  } catch (error) {
+    const reason = error instanceof Error && error.message ? ` (${error.message})` : "";
+    issues.push({
+      level: "error",
+      code: "missing_codex_bin",
+      check: "CODEX_BIN",
+      message: `Unable to execute "${codexBin}"${reason}.`,
+      fix: `Install Codex CLI and ensure "${codexBin}" is in PATH, or set CODEX_BIN=/absolute/path/to/codex.`
+    });
+  }
+  const configuredWorkdir = readEnv(env, "CODEX_WORKDIR");
+  const workdir = import_node_path9.default.resolve(cwd, configuredWorkdir || cwd);
+  if (!fileExists(workdir) || !isDirectory(workdir)) {
+    issues.push({
+      level: "error",
+      code: "invalid_codex_workdir",
+      check: "CODEX_WORKDIR",
+      message: `Working directory does not exist or is not a directory: ${workdir}.`,
+      fix: `Set CODEX_WORKDIR to an existing directory, for example CODEX_WORKDIR=${cwd}.`
+    });
+  }
+  return {
+    ok: issues.every((issue) => issue.level !== "error"),
+    issues
+  };
+}
+function formatPreflightReport(result, commandName) {
+  const lines = [];
+  const errors = result.issues.filter((issue) => issue.level === "error").length;
+  const warnings = result.issues.filter((issue) => issue.level === "warn").length;
+  if (result.ok) {
+    lines.push(`Preflight check passed for "codeharbor ${commandName}" with ${warnings} warning(s).`);
+  } else {
+    lines.push(
+      `Preflight check failed for "codeharbor ${commandName}" with ${errors} error(s) and ${warnings} warning(s).`
+    );
+  }
+  for (const issue of result.issues) {
+    const level = issue.level.toUpperCase();
+    lines.push(`- [${level}] ${issue.check}: ${issue.message}`);
+    lines.push(`  fix: ${issue.fix}`);
+  }
+  return `${lines.join("\n")}
+`;
+}
+async function defaultCheckCodexBinary(bin) {
+  await execFileAsync3(bin, ["--version"]);
+}
+function defaultIsDirectory(targetPath) {
+  try {
+    return import_node_fs8.default.statSync(targetPath).isDirectory();
+  } catch {
+    return false;
+  }
+}
+function readEnv(env, key) {
+  return env[key]?.trim() ?? "";
+}
+
+// src/runtime-home.ts
+var import_node_path10 = __toESM(require("path"));
+var DEFAULT_RUNTIME_HOME = "/opt/codeharbor";
+var RUNTIME_HOME_ENV_KEY = "CODEHARBOR_HOME";
+function resolveRuntimeHome(env = process.env) {
+  const configured = env[RUNTIME_HOME_ENV_KEY]?.trim();
+  if (configured) {
+    return import_node_path10.default.resolve(configured);
+  }
+  return DEFAULT_RUNTIME_HOME;
+}
 
 // src/cli.ts
+var runtimeHome = null;
 var program = new import_commander.Command();
 program.name("codeharbor").description("Instant-messaging bridge for Codex CLI sessions").version("0.1.0");
+program.command("init").description("Create or update .env via guided prompts").option("-f, --force", "overwrite existing .env without confirmation").action(async (options) => {
+  const home = ensureRuntimeHomeOrExit();
+  await runInitCommand({ force: options.force ?? false, cwd: home });
+});
 program.command("start").description("Start CodeHarbor service").action(async () => {
-  const config = loadConfig();
+  const home = ensureRuntimeHomeOrExit();
+  const config = await loadConfigWithPreflight("start", home);
+  if (!config) {
+    process.exitCode = 1;
+    return;
+  }
   const app = new CodeHarborApp(config);
   await app.start();
   const stop = async () => {
@@ -2333,10 +4951,135 @@ program.command("start").description("Start CodeHarbor service").action(async ()
   });
 });
 program.command("doctor").description("Check codex and matrix connectivity").action(async () => {
-  const config = loadConfig();
+  const home = ensureRuntimeHomeOrExit();
+  const config = await loadConfigWithPreflight("doctor", home);
+  if (!config) {
+    process.exitCode = 1;
+    return;
+  }
   await runDoctor(config);
 });
+var admin = program.command("admin").description("Admin utilities");
+var configCommand = program.command("config").description("Config snapshot utilities");
+admin.command("serve").description("Start admin config API server").option("--host <host>", "override admin bind host").option("--port <port>", "override admin bind port").option(
+  "--allow-insecure-no-token",
+  "allow serving admin API without ADMIN_TOKEN on non-loopback host (not recommended)"
+).action(async (options) => {
+  ensureRuntimeHomeOrExit();
+  const config = loadConfig();
+  const host = options.host?.trim() || config.adminBindHost;
+  const port = options.port ? parsePortOption(options.port, config.adminPort) : config.adminPort;
+  const allowInsecureNoToken = options.allowInsecureNoToken ?? false;
+  if (!config.adminToken && !allowInsecureNoToken && isNonLoopbackHost(host)) {
+    process.stderr.write(
+      [
+        "Refusing to start admin server on non-loopback host without ADMIN_TOKEN.",
+        "Fix: set ADMIN_TOKEN in .env, or explicitly pass --allow-insecure-no-token.",
+        ""
+      ].join("\n")
+    );
+    process.exitCode = 1;
+    return;
+  }
+  const app = new CodeHarborAdminApp(config, { host, port });
+  await app.start();
+  const stop = async () => {
+    await app.stop();
+    process.exit(0);
+  };
+  process.once("SIGINT", () => {
+    void stop();
+  });
+  process.once("SIGTERM", () => {
+    void stop();
+  });
+});
+configCommand.command("export").description("Export config snapshot as JSON").option("-o, --output <path>", "write snapshot to file instead of stdout").action(async (options) => {
+  try {
+    const home = ensureRuntimeHomeOrExit();
+    await runConfigExportCommand({ outputPath: options.output, cwd: home });
+  } catch (error) {
+    process.stderr.write(`Config export failed: ${formatError3(error)}
+`);
+    process.exitCode = 1;
+  }
+});
+configCommand.command("import").description("Import config snapshot from JSON").argument("<file>", "snapshot file path").option("--dry-run", "validate snapshot without writing changes").action(async (file, options) => {
+  try {
+    const home = ensureRuntimeHomeOrExit();
+    await runConfigImportCommand({
+      filePath: file,
+      dryRun: options.dryRun ?? false,
+      cwd: home
+    });
+  } catch (error) {
+    process.stderr.write(`Config import failed: ${formatError3(error)}
+`);
+    process.exitCode = 1;
+  }
+});
 if (process.argv.length <= 2) {
   process.argv.push("start");
 }
 void program.parseAsync(process.argv);
+async function loadConfigWithPreflight(commandName, runtimeHomePath) {
+  const preflight = await runStartupPreflight({ cwd: runtimeHomePath });
+  if (preflight.issues.length > 0) {
+    const report = formatPreflightReport(preflight, commandName);
+    if (preflight.ok) {
+      process.stdout.write(report);
+    } else {
+      process.stderr.write(report);
+      return null;
+    }
+  }
+  try {
+    return loadConfig();
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`Configuration error: ${message}
+`);
+    process.stderr.write('Fix: run "codeharbor init" and then retry.\n');
+    return null;
+  }
+}
+function ensureRuntimeHomeOrExit() {
+  if (runtimeHome) {
+    return runtimeHome;
+  }
+  const home = resolveRuntimeHome();
+  try {
+    import_node_fs9.default.mkdirSync(home, { recursive: true });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`Runtime setup failed: cannot create ${home}. ${message}
+`);
+    process.exit(1);
+  }
+  try {
+    process.chdir(home);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    process.stderr.write(`Runtime setup failed: cannot switch to ${home}. ${message}
+`);
+    process.exit(1);
+  }
+  loadEnvFromFile(import_node_path11.default.resolve(home, ".env"));
+  runtimeHome = home;
+  return runtimeHome;
+}
+function parsePortOption(raw, fallback) {
+  const parsed = Number.parseInt(raw, 10);
+  if (!Number.isFinite(parsed) || parsed < 1 || parsed > 65535) {
+    process.stderr.write(`Invalid --port value: ${raw}; fallback to ${fallback}
+`);
+    return fallback;
+  }
+  return parsed;
+}
+function formatError3(error) {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}