npm - codeharbor - Versions diffs - 0.1.10 → 0.1.12 - Mend

codeharbor 0.1.10 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js CHANGED Viewed

@@ -30,14 +30,14 @@ var import_node_path12 = __toESM(require("path"));
 var import_commander = require("commander");
 // src/app.ts
-var import_node_child_process3 = require("child_process");
+var import_node_child_process4 = require("child_process");
 var import_node_util2 = require("util");
 // src/admin-server.ts
-var import_node_child_process = require("child_process");
-var import_node_fs2 = __toESM(require("fs"));
+var import_node_child_process2 = require("child_process");
+var import_node_fs4 = __toESM(require("fs"));
 var import_node_http = __toESM(require("http"));
-var import_node_path2 = __toESM(require("path"));
+var import_node_path4 = __toESM(require("path"));
 var import_node_util = require("util");
 // src/init.ts
@@ -220,152 +220,514 @@ async function askYesNo(rl, question, defaultValue) {
   return answer === "y" || answer === "yes";
 }
-// src/admin-server.ts
-var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
-var HttpError = class extends Error {
-  statusCode;
-  constructor(statusCode, message) {
-    super(message);
-    this.statusCode = statusCode;
+// src/service-manager.ts
+var import_node_child_process = require("child_process");
+var import_node_fs3 = __toESM(require("fs"));
+var import_node_os2 = __toESM(require("os"));
+var import_node_path3 = __toESM(require("path"));
+// src/runtime-home.ts
+var import_node_fs2 = __toESM(require("fs"));
+var import_node_os = __toESM(require("os"));
+var import_node_path2 = __toESM(require("path"));
+var LEGACY_RUNTIME_HOME = "/opt/codeharbor";
+var USER_RUNTIME_HOME_DIR = ".codeharbor";
+var DEFAULT_RUNTIME_HOME = import_node_path2.default.resolve(import_node_os.default.homedir(), USER_RUNTIME_HOME_DIR);
+var RUNTIME_HOME_ENV_KEY = "CODEHARBOR_HOME";
+function resolveRuntimeHome(env = process.env) {
+  const configured = env[RUNTIME_HOME_ENV_KEY]?.trim();
+  if (configured) {
+    return import_node_path2.default.resolve(configured);
   }
-};
-var AdminServer = class {
-  config;
-  logger;
-  stateStore;
-  configService;
-  host;
-  port;
-  adminToken;
-  adminIpAllowlist;
-  adminAllowedOrigins;
-  cwd;
-  checkCodex;
-  checkMatrix;
-  server = null;
-  address = null;
-  constructor(config, logger, stateStore, configService, options) {
-    this.config = config;
-    this.logger = logger;
-    this.stateStore = stateStore;
-    this.configService = configService;
-    this.host = options.host;
-    this.port = options.port;
-    this.adminToken = options.adminToken;
-    this.adminIpAllowlist = normalizeAllowlist(options.adminIpAllowlist ?? []);
-    this.adminAllowedOrigins = normalizeOriginAllowlist(options.adminAllowedOrigins ?? []);
-    this.cwd = options.cwd ?? process.cwd();
-    this.checkCodex = options.checkCodex ?? defaultCheckCodex;
-    this.checkMatrix = options.checkMatrix ?? defaultCheckMatrix;
+  const legacyEnvPath = import_node_path2.default.resolve(LEGACY_RUNTIME_HOME, ".env");
+  if (import_node_fs2.default.existsSync(legacyEnvPath)) {
+    return LEGACY_RUNTIME_HOME;
   }
-  getAddress() {
-    return this.address;
+  return resolveUserRuntimeHome(env);
+}
+function resolveUserRuntimeHome(env = process.env) {
+  const home = env.HOME?.trim() || import_node_os.default.homedir();
+  return import_node_path2.default.resolve(home, USER_RUNTIME_HOME_DIR);
+}
+// src/service-manager.ts
+var SYSTEMD_DIR = "/etc/systemd/system";
+var MAIN_SERVICE_NAME = "codeharbor.service";
+var ADMIN_SERVICE_NAME = "codeharbor-admin.service";
+var SUDOERS_DIR = "/etc/sudoers.d";
+var RESTART_SUDOERS_FILE = "codeharbor-restart";
+function resolveDefaultRunUser(env = process.env) {
+  const sudoUser = env.SUDO_USER?.trim();
+  if (sudoUser) {
+    return sudoUser;
   }
-  async start() {
-    if (this.server) {
-      return;
-    }
-    this.server = import_node_http.default.createServer((req, res) => {
-      void this.handleRequest(req, res);
-    });
-    await new Promise((resolve, reject) => {
-      if (!this.server) {
-        reject(new Error("admin server is not initialized"));
-        return;
-      }
-      this.server.once("error", reject);
-      this.server.listen(this.port, this.host, () => {
-        this.server?.removeListener("error", reject);
-        const address = this.server?.address();
-        if (!address || typeof address === "string") {
-          reject(new Error("failed to resolve admin server address"));
-          return;
-        }
-        this.address = {
-          host: address.address,
-          port: address.port
-        };
-        resolve();
+  const user = env.USER?.trim();
+  if (user) {
+    return user;
+  }
+  try {
+    return import_node_os2.default.userInfo().username;
+  } catch {
+    return "root";
+  }
+}
+function resolveRuntimeHomeForUser(runUser, env = process.env, explicitRuntimeHome) {
+  const configuredRuntimeHome = explicitRuntimeHome?.trim() || env[RUNTIME_HOME_ENV_KEY]?.trim();
+  if (configuredRuntimeHome) {
+    return import_node_path3.default.resolve(configuredRuntimeHome);
+  }
+  const userHome = resolveUserHome(runUser);
+  if (userHome) {
+    return import_node_path3.default.resolve(userHome, USER_RUNTIME_HOME_DIR);
+  }
+  return import_node_path3.default.resolve(import_node_os2.default.homedir(), USER_RUNTIME_HOME_DIR);
+}
+function buildMainServiceUnit(options) {
+  validateUnitOptions(options);
+  const runtimeHome2 = import_node_path3.default.resolve(options.runtimeHome);
+  return [
+    "[Unit]",
+    "Description=CodeHarbor main service",
+    "After=network-online.target",
+    "Wants=network-online.target",
+    "",
+    "[Service]",
+    "Type=simple",
+    `User=${options.runUser}`,
+    `WorkingDirectory=${runtimeHome2}`,
+    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
+    `ExecStart=${import_node_path3.default.resolve(options.nodeBinPath)} ${import_node_path3.default.resolve(options.cliScriptPath)} start`,
+    "Restart=always",
+    "RestartSec=3",
+    "NoNewPrivileges=true",
+    "PrivateTmp=true",
+    "ProtectSystem=full",
+    "ProtectHome=false",
+    `ReadWritePaths=${runtimeHome2}`,
+    "",
+    "[Install]",
+    "WantedBy=multi-user.target",
+    ""
+  ].join("\n");
+}
+function buildAdminServiceUnit(options) {
+  validateUnitOptions(options);
+  const runtimeHome2 = import_node_path3.default.resolve(options.runtimeHome);
+  return [
+    "[Unit]",
+    "Description=CodeHarbor admin service",
+    "After=network-online.target",
+    "Wants=network-online.target",
+    "",
+    "[Service]",
+    "Type=simple",
+    `User=${options.runUser}`,
+    `WorkingDirectory=${runtimeHome2}`,
+    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
+    `ExecStart=${import_node_path3.default.resolve(options.nodeBinPath)} ${import_node_path3.default.resolve(options.cliScriptPath)} admin serve`,
+    "Restart=always",
+    "RestartSec=3",
+    "NoNewPrivileges=true",
+    "PrivateTmp=true",
+    "ProtectSystem=full",
+    "ProtectHome=false",
+    `ReadWritePaths=${runtimeHome2}`,
+    "",
+    "[Install]",
+    "WantedBy=multi-user.target",
+    ""
+  ].join("\n");
+}
+function buildRestartSudoersPolicy(options) {
+  const runUser = options.runUser.trim();
+  const systemctlPath = options.systemctlPath.trim();
+  validateSimpleValue(runUser, "runUser");
+  validateSimpleValue(systemctlPath, "systemctlPath");
+  if (!import_node_path3.default.isAbsolute(systemctlPath)) {
+    throw new Error("systemctlPath must be an absolute path.");
+  }
+  return [
+    "# Managed by CodeHarbor service install; do not edit manually.",
+    `Defaults:${runUser} !requiretty`,
+    `${runUser} ALL=(root) NOPASSWD: ${systemctlPath} restart ${MAIN_SERVICE_NAME}, ${systemctlPath} restart ${ADMIN_SERVICE_NAME}`,
+    ""
+  ].join("\n");
+}
+function installSystemdServices(options) {
+  assertLinuxWithSystemd();
+  assertRootPrivileges();
+  const output = options.output ?? process.stdout;
+  const runUser = options.runUser.trim();
+  const runtimeHome2 = import_node_path3.default.resolve(options.runtimeHome);
+  validateSimpleValue(runUser, "runUser");
+  validateSimpleValue(runtimeHome2, "runtimeHome");
+  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
+  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
+  ensureUserExists(runUser);
+  const runGroup = resolveUserGroup(runUser);
+  import_node_fs3.default.mkdirSync(runtimeHome2, { recursive: true });
+  runCommand("chown", ["-R", `${runUser}:${runGroup}`, runtimeHome2]);
+  const mainPath = import_node_path3.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
+  const adminPath = import_node_path3.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
+  const restartSudoersPath = import_node_path3.default.join(SUDOERS_DIR, RESTART_SUDOERS_FILE);
+  const unitOptions = {
+    runUser,
+    runtimeHome: runtimeHome2,
+    nodeBinPath: options.nodeBinPath,
+    cliScriptPath: options.cliScriptPath
+  };
+  import_node_fs3.default.writeFileSync(mainPath, buildMainServiceUnit(unitOptions), "utf8");
+  if (options.installAdmin) {
+    import_node_fs3.default.writeFileSync(adminPath, buildAdminServiceUnit(unitOptions), "utf8");
+    if (runUser !== "root") {
+      const policy = buildRestartSudoersPolicy({
+        runUser,
+        systemctlPath: resolveSystemctlPath()
       });
-    });
+      import_node_fs3.default.mkdirSync(SUDOERS_DIR, { recursive: true });
+      import_node_fs3.default.writeFileSync(restartSudoersPath, policy, "utf8");
+      import_node_fs3.default.chmodSync(restartSudoersPath, 288);
+    }
   }
-  async stop() {
-    if (!this.server) {
-      return;
+  runSystemctl(["daemon-reload"]);
+  if (options.startNow) {
+    runSystemctl(["enable", "--now", MAIN_SERVICE_NAME]);
+    if (options.installAdmin) {
+      runSystemctl(["enable", "--now", ADMIN_SERVICE_NAME]);
+    }
+  } else {
+    runSystemctl(["enable", MAIN_SERVICE_NAME]);
+    if (options.installAdmin) {
+      runSystemctl(["enable", ADMIN_SERVICE_NAME]);
     }
-    const server = this.server;
-    this.server = null;
-    this.address = null;
-    await new Promise((resolve, reject) => {
-      server.close((error) => {
-        if (error) {
-          reject(error);
-          return;
-        }
-        resolve();
-      });
-    });
   }
-  async handleRequest(req, res) {
-    try {
-      const url = new URL(req.url ?? "/", "http://localhost");
-      this.setSecurityHeaders(res);
-      const corsDecision = this.resolveCors(req);
-      this.setCorsHeaders(res, corsDecision);
-      if (!this.isClientAllowed(req)) {
-        this.sendJson(res, 403, {
-          ok: false,
-          error: "Forbidden by ADMIN_IP_ALLOWLIST."
-        });
-        return;
-      }
-      if (url.pathname.startsWith("/api/admin/") && corsDecision.origin && !corsDecision.allowed) {
-        this.sendJson(res, 403, {
-          ok: false,
-          error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
-        });
-        return;
-      }
-      if (req.method === "OPTIONS") {
-        if (corsDecision.origin && !corsDecision.allowed) {
-          this.sendJson(res, 403, {
-            ok: false,
-            error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
-          });
-          return;
-        }
-        res.writeHead(204);
-        res.end();
-        return;
-      }
-      if (req.method === "GET" && isUiPath(url.pathname)) {
-        this.sendHtml(res, renderAdminConsoleHtml());
+  output.write(`Installed systemd unit: ${mainPath}
+`);
+  if (options.installAdmin) {
+    output.write(`Installed systemd unit: ${adminPath}
+`);
+    if (runUser !== "root") {
+      output.write(`Installed sudoers policy: ${restartSudoersPath}
+`);
+    }
+  }
+  output.write("Done. Check status with: systemctl status codeharbor --no-pager\n");
+}
+function uninstallSystemdServices(options) {
+  assertLinuxWithSystemd();
+  assertRootPrivileges();
+  const output = options.output ?? process.stdout;
+  const mainPath = import_node_path3.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
+  const adminPath = import_node_path3.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
+  const restartSudoersPath = import_node_path3.default.join(SUDOERS_DIR, RESTART_SUDOERS_FILE);
+  stopAndDisableIfPresent(MAIN_SERVICE_NAME);
+  if (import_node_fs3.default.existsSync(mainPath)) {
+    import_node_fs3.default.unlinkSync(mainPath);
+  }
+  if (options.removeAdmin) {
+    stopAndDisableIfPresent(ADMIN_SERVICE_NAME);
+    if (import_node_fs3.default.existsSync(adminPath)) {
+      import_node_fs3.default.unlinkSync(adminPath);
+    }
+    if (import_node_fs3.default.existsSync(restartSudoersPath)) {
+      import_node_fs3.default.unlinkSync(restartSudoersPath);
+    }
+  }
+  runSystemctl(["daemon-reload"]);
+  runSystemctlIgnoreFailure(["reset-failed"]);
+  output.write(`Removed systemd unit: ${mainPath}
+`);
+  if (options.removeAdmin) {
+    output.write(`Removed systemd unit: ${adminPath}
+`);
+    output.write(`Removed sudoers policy: ${restartSudoersPath}
+`);
+  }
+  output.write("Done.\n");
+}
+function restartSystemdServices(options) {
+  assertLinuxWithSystemd();
+  const output = options.output ?? process.stdout;
+  const runWithSudoFallback = options.allowSudoFallback ?? true;
+  const systemctlRunner = hasRootPrivileges() || !runWithSudoFallback ? runSystemctl : runSystemctlWithNonInteractiveSudo;
+  systemctlRunner(["restart", MAIN_SERVICE_NAME]);
+  output.write(`Restarted service: ${MAIN_SERVICE_NAME}
+`);
+  if (options.restartAdmin) {
+    systemctlRunner(["restart", ADMIN_SERVICE_NAME]);
+    output.write(`Restarted service: ${ADMIN_SERVICE_NAME}
+`);
+  }
+  output.write("Done.\n");
+}
+function resolveUserHome(runUser) {
+  try {
+    const passwdRaw = import_node_fs3.default.readFileSync("/etc/passwd", "utf8");
+    const line = passwdRaw.split(/\r?\n/).find((item) => item.startsWith(`${runUser}:`));
+    if (!line) {
+      return null;
+    }
+    const fields = line.split(":");
+    return fields[5] ? fields[5].trim() : null;
+  } catch {
+    return null;
+  }
+}
+function validateUnitOptions(options) {
+  validateSimpleValue(options.runUser, "runUser");
+  validateSimpleValue(options.runtimeHome, "runtimeHome");
+  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
+  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
+}
+function validateSimpleValue(value, key) {
+  if (!value.trim()) {
+    throw new Error(`${key} cannot be empty.`);
+  }
+  if (/[\r\n]/.test(value)) {
+    throw new Error(`${key} contains invalid newline characters.`);
+  }
+}
+function assertLinuxWithSystemd() {
+  if (process.platform !== "linux") {
+    throw new Error("Systemd service install only supports Linux.");
+  }
+  try {
+    (0, import_node_child_process.execFileSync)("systemctl", ["--version"], { stdio: "ignore" });
+  } catch {
+    throw new Error("systemctl is required but not found.");
+  }
+}
+function assertRootPrivileges() {
+  if (!hasRootPrivileges()) {
+    throw new Error("Root privileges are required. Run with sudo.");
+  }
+}
+function hasRootPrivileges() {
+  if (typeof process.getuid !== "function") {
+    return true;
+  }
+  return process.getuid() === 0;
+}
+function ensureUserExists(runUser) {
+  runCommand("id", ["-u", runUser]);
+}
+function resolveUserGroup(runUser) {
+  return runCommand("id", ["-gn", runUser]).trim();
+}
+function runSystemctl(args) {
+  runCommand("systemctl", args);
+}
+function runSystemctlWithNonInteractiveSudo(args) {
+  const systemctlPath = resolveSystemctlPath();
+  try {
+    runCommand("sudo", ["-n", systemctlPath, ...args]);
+  } catch (error) {
+    throw new Error(
+      "Root privileges are required. Configure passwordless sudo for the CodeHarbor service user or run the CLI command manually with sudo.",
+      { cause: error }
+    );
+  }
+}
+function stopAndDisableIfPresent(unitName) {
+  runSystemctlIgnoreFailure(["disable", "--now", unitName]);
+}
+function runSystemctlIgnoreFailure(args) {
+  try {
+    runCommand("systemctl", args);
+  } catch {
+  }
+}
+function resolveSystemctlPath() {
+  const candidates = [];
+  const pathEntries = (process.env.PATH ?? "").split(import_node_path3.default.delimiter).filter(Boolean);
+  for (const entry of pathEntries) {
+    candidates.push(import_node_path3.default.join(entry, "systemctl"));
+  }
+  candidates.push("/usr/bin/systemctl", "/bin/systemctl", "/usr/local/bin/systemctl");
+  for (const candidate of candidates) {
+    if (import_node_path3.default.isAbsolute(candidate) && import_node_fs3.default.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  throw new Error("Unable to resolve absolute systemctl path.");
+}
+function runCommand(file, args) {
+  try {
+    return (0, import_node_child_process.execFileSync)(file, args, {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+  } catch (error) {
+    throw new Error(formatCommandError(file, args, error), { cause: error });
+  }
+}
+function formatCommandError(file, args, error) {
+  const command = `${file} ${args.join(" ")}`.trim();
+  if (error && typeof error === "object") {
+    const maybeError = error;
+    const stderr = bufferToTrimmedString(maybeError.stderr);
+    const stdout = bufferToTrimmedString(maybeError.stdout);
+    const details = stderr || stdout || maybeError.message || "command failed";
+    return `Command failed: ${command}. ${details}`;
+  }
+  return `Command failed: ${command}. ${String(error)}`;
+}
+function bufferToTrimmedString(value) {
+  if (!value) {
+    return "";
+  }
+  const text = typeof value === "string" ? value : value.toString("utf8");
+  return text.trim();
+}
+// src/admin-server.ts
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process2.execFile);
+var HttpError = class extends Error {
+  statusCode;
+  constructor(statusCode, message) {
+    super(message);
+    this.statusCode = statusCode;
+  }
+};
+var AdminServer = class {
+  config;
+  logger;
+  stateStore;
+  configService;
+  host;
+  port;
+  adminToken;
+  adminIpAllowlist;
+  adminAllowedOrigins;
+  cwd;
+  checkCodex;
+  checkMatrix;
+  restartServices;
+  server = null;
+  address = null;
+  constructor(config, logger, stateStore, configService, options) {
+    this.config = config;
+    this.logger = logger;
+    this.stateStore = stateStore;
+    this.configService = configService;
+    this.host = options.host;
+    this.port = options.port;
+    this.adminToken = options.adminToken;
+    this.adminIpAllowlist = normalizeAllowlist(options.adminIpAllowlist ?? []);
+    this.adminAllowedOrigins = normalizeOriginAllowlist(options.adminAllowedOrigins ?? []);
+    this.cwd = options.cwd ?? process.cwd();
+    this.checkCodex = options.checkCodex ?? defaultCheckCodex;
+    this.checkMatrix = options.checkMatrix ?? defaultCheckMatrix;
+    this.restartServices = options.restartServices ?? defaultRestartServices;
+  }
+  getAddress() {
+    return this.address;
+  }
+  async start() {
+    if (this.server) {
+      return;
+    }
+    this.server = import_node_http.default.createServer((req, res) => {
+      void this.handleRequest(req, res);
+    });
+    await new Promise((resolve, reject) => {
+      if (!this.server) {
+        reject(new Error("admin server is not initialized"));
         return;
       }
-      if (url.pathname.startsWith("/api/admin/") && !this.isAuthorized(req)) {
-        this.sendJson(res, 401, {
+      this.server.once("error", reject);
+      this.server.listen(this.port, this.host, () => {
+        this.server?.removeListener("error", reject);
+        const address = this.server?.address();
+        if (!address || typeof address === "string") {
+          reject(new Error("failed to resolve admin server address"));
+          return;
+        }
+        this.address = {
+          host: address.address,
+          port: address.port
+        };
+        resolve();
+      });
+    });
+  }
+  async stop() {
+    if (!this.server) {
+      return;
+    }
+    const server = this.server;
+    this.server = null;
+    this.address = null;
+    await new Promise((resolve, reject) => {
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
+        }
+        resolve();
+      });
+    });
+  }
+  async handleRequest(req, res) {
+    try {
+      const url = new URL(req.url ?? "/", "http://localhost");
+      this.setSecurityHeaders(res);
+      const corsDecision = this.resolveCors(req);
+      this.setCorsHeaders(res, corsDecision);
+      if (!this.isClientAllowed(req)) {
+        this.sendJson(res, 403, {
           ok: false,
-          error: "Unauthorized. Provide Authorization: Bearer <ADMIN_TOKEN>."
+          error: "Forbidden by ADMIN_IP_ALLOWLIST."
         });
         return;
       }
-      if (req.method === "GET" && url.pathname === "/api/admin/config/global") {
-        this.sendJson(res, 200, {
-          ok: true,
-          data: buildGlobalConfigSnapshot(this.config),
-          effective: "next_start_for_env_changes"
+      if (url.pathname.startsWith("/api/admin/") && corsDecision.origin && !corsDecision.allowed) {
+        this.sendJson(res, 403, {
+          ok: false,
+          error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
         });
         return;
       }
-      if (req.method === "PUT" && url.pathname === "/api/admin/config/global") {
-        const body = await readJsonBody(req);
-        const actor = readActor(req);
-        const result = this.updateGlobalConfig(body, actor);
-        this.sendJson(res, 200, {
-          ok: true,
-          ...result
-        });
-        return;
+      if (req.method === "OPTIONS") {
+        if (corsDecision.origin && !corsDecision.allowed) {
+          this.sendJson(res, 403, {
+            ok: false,
+            error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
+          });
+          return;
+        }
+        res.writeHead(204);
+        res.end();
+        return;
+      }
+      if (req.method === "GET" && isUiPath(url.pathname)) {
+        this.sendHtml(res, renderAdminConsoleHtml());
+        return;
+      }
+      if (url.pathname.startsWith("/api/admin/") && !this.isAuthorized(req)) {
+        this.sendJson(res, 401, {
+          ok: false,
+          error: "Unauthorized. Provide Authorization: Bearer <ADMIN_TOKEN>."
+        });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/config/global") {
+        this.sendJson(res, 200, {
+          ok: true,
+          data: buildGlobalConfigSnapshot(this.config),
+          effective: "next_start_for_env_changes"
+        });
+        return;
+      }
+      if (req.method === "PUT" && url.pathname === "/api/admin/config/global") {
+        const body = await readJsonBody(req);
+        const actor = readActor(req);
+        const result = this.updateGlobalConfig(body, actor);
+        this.sendJson(res, 200, {
+          ok: true,
+          ...result
+        });
+        return;
       }
       if (req.method === "GET" && url.pathname === "/api/admin/config/rooms") {
         this.sendJson(res, 200, {
@@ -420,6 +782,33 @@ var AdminServer = class {
         });
         return;
       }
+      if (req.method === "POST" && url.pathname === "/api/admin/service/restart") {
+        const body = asObject(await readJsonBody(req), "service restart payload");
+        const restartAdmin = normalizeBoolean(body.withAdmin, false);
+        const actor = readActor(req);
+        try {
+          const result = await this.restartServices(restartAdmin);
+          this.stateStore.appendConfigRevision(
+            actor,
+            restartAdmin ? "restart services (main + admin)" : "restart service (main)",
+            JSON.stringify({
+              type: "service_restart",
+              restartAdmin,
+              restarted: result.restarted
+            })
+          );
+          this.sendJson(res, 200, {
+            ok: true,
+            restarted: result.restarted
+          });
+          return;
+        } catch (error) {
+          throw new HttpError(
+            500,
+            `Service restart failed: ${formatError(error)}. Install services via "codeharbor service install --with-admin" to auto-configure restart permissions, or run CLI command manually with sudo.`
+          );
+        }
+      }
       this.sendJson(res, 404, {
         ok: false,
         error: `Not found: ${req.method ?? "GET"} ${url.pathname}`
@@ -450,7 +839,7 @@ var AdminServer = class {
       updatedKeys.push("matrixCommandPrefix");
     }
     if ("codexWorkdir" in body) {
-      const workdir = import_node_path2.default.resolve(String(body.codexWorkdir ?? "").trim());
+      const workdir = import_node_path4.default.resolve(String(body.codexWorkdir ?? "").trim());
       ensureDirectory(workdir, "codexWorkdir");
       this.config.codexWorkdir = workdir;
       envUpdates.CODEX_WORKDIR = workdir;
@@ -674,11 +1063,11 @@ var AdminServer = class {
     return this.adminIpAllowlist.includes(normalizedRemote);
   }
   persistEnvUpdates(updates) {
-    const envPath = import_node_path2.default.resolve(this.cwd, ".env");
-    const examplePath = import_node_path2.default.resolve(this.cwd, ".env.example");
-    const template = import_node_fs2.default.existsSync(envPath) ? import_node_fs2.default.readFileSync(envPath, "utf8") : import_node_fs2.default.existsSync(examplePath) ? import_node_fs2.default.readFileSync(examplePath, "utf8") : "";
+    const envPath = import_node_path4.default.resolve(this.cwd, ".env");
+    const examplePath = import_node_path4.default.resolve(this.cwd, ".env.example");
+    const template = import_node_fs4.default.existsSync(envPath) ? import_node_fs4.default.readFileSync(envPath, "utf8") : import_node_fs4.default.existsSync(examplePath) ? import_node_fs4.default.readFileSync(examplePath, "utf8") : "";
     const next = applyEnvOverrides(template, updates);
-    import_node_fs2.default.writeFileSync(envPath, next, "utf8");
+    import_node_fs4.default.writeFileSync(envPath, next, "utf8");
   }
   resolveCors(req) {
     const origin = normalizeOriginHeader(req.headers.origin);
@@ -705,7 +1094,7 @@ var AdminServer = class {
     }
     res.setHeader("Access-Control-Allow-Origin", corsDecision.origin);
     res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Admin-Token, X-Admin-Actor");
-    res.setHeader("Access-Control-Allow-Methods", "GET, PUT, DELETE, OPTIONS");
+    res.setHeader("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
     appendVaryHeader(res, "Origin");
   }
   setSecurityHeaders(res) {
@@ -776,6 +1165,22 @@ function parseJsonLoose(raw) {
     return raw;
   }
 }
+async function defaultRestartServices(restartAdmin) {
+  const outputChunks = [];
+  const output = {
+    write: (chunk) => {
+      outputChunks.push(typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8"));
+      return true;
+    }
+  };
+  restartSystemdServices({
+    restartAdmin,
+    output
+  });
+  return {
+    restarted: restartAdmin ? ["codeharbor", "codeharbor-admin"] : ["codeharbor"]
+  };
+}
 function isUiPath(pathname) {
   return pathname === "/" || pathname === "/index.html" || pathname === "/settings/global" || pathname === "/settings/rooms" || pathname === "/health" || pathname === "/audit";
 }
@@ -924,7 +1329,7 @@ function normalizeNonNegativeInt(value, fallback) {
   return normalizePositiveInt(value, fallback, 0, Number.MAX_SAFE_INTEGER);
 }
 function ensureDirectory(targetPath, fieldName) {
-  if (!import_node_fs2.default.existsSync(targetPath) || !import_node_fs2.default.statSync(targetPath).isDirectory()) {
+  if (!import_node_fs4.default.existsSync(targetPath) || !import_node_fs4.default.statSync(targetPath).isDirectory()) {
     throw new HttpError(400, `${fieldName} must be an existing directory: ${targetPath}`);
   }
 }
@@ -1266,6 +1671,8 @@ var ADMIN_CONSOLE_HTML = `<!doctype html>
         <div class="actions">
           <button id="global-save-btn" type="button">Save Global Config</button>
           <button id="global-reload-btn" type="button" class="secondary">Reload</button>
+          <button id="global-restart-main-btn" type="button" class="secondary">Restart Main Service</button>
+          <button id="global-restart-all-btn" type="button" class="secondary">Restart Main + Admin</button>
         </div>
         <p class="muted">Saving global config updates .env and requires restart to fully take effect.</p>
       </section>
@@ -1408,6 +1815,12 @@ var ADMIN_CONSOLE_HTML = `<!doctype html>
         document.getElementById("global-save-btn").addEventListener("click", saveGlobal);
         document.getElementById("global-reload-btn").addEventListener("click", loadGlobal);
+        document.getElementById("global-restart-main-btn").addEventListener("click", function () {
+          restartManagedServices(false);
+        });
+        document.getElementById("global-restart-all-btn").addEventListener("click", function () {
+          restartManagedServices(true);
+        });
         document.getElementById("room-load-btn").addEventListener("click", loadRoom);
         document.getElementById("room-save-btn").addEventListener("click", saveRoom);
         document.getElementById("room-delete-btn").addEventListener("click", deleteRoom);
@@ -1611,6 +2024,19 @@ var ADMIN_CONSOLE_HTML = `<!doctype html>
           }
         }
+        async function restartManagedServices(withAdmin) {
+          try {
+            var response = await apiRequest("/api/admin/service/restart", "POST", {
+              withAdmin: Boolean(withAdmin)
+            });
+            var restarted = Array.isArray(response.restarted) ? response.restarted.join(", ") : "codeharbor";
+            var suffix = withAdmin ? " Admin page may reconnect during restart." : "";
+            showNotice("warn", "Restart requested: " + restarted + "." + suffix);
+          } catch (error) {
+            showNotice("error", "Failed to restart service(s): " + error.message);
+          }
+        }
         async function refreshRoomList() {
           try {
             var response = await apiRequest("/api/admin/config/rooms", "GET");
@@ -1836,8 +2262,8 @@ async function defaultCheckMatrix(homeserver, timeoutMs) {
 // src/channels/matrix-channel.ts
 var import_promises2 = __toESM(require("fs/promises"));
-var import_node_os = __toESM(require("os"));
-var import_node_path3 = __toESM(require("path"));
+var import_node_os3 = __toESM(require("os"));
+var import_node_path5 = __toESM(require("path"));
 var import_matrix_js_sdk = require("matrix-js-sdk");
 // src/utils/message.ts
@@ -2260,10 +2686,10 @@ var MatrixChannel = class {
     }
     const bytes = Buffer.from(await response.arrayBuffer());
     const extension = resolveFileExtension(fileName, mimeType);
-    const directory = import_node_path3.default.join(import_node_os.default.tmpdir(), "codeharbor-media");
+    const directory = import_node_path5.default.join(import_node_os3.default.tmpdir(), "codeharbor-media");
     await import_promises2.default.mkdir(directory, { recursive: true });
     const safeEventId = sanitizeFilename(eventId);
-    const targetPath = import_node_path3.default.join(directory, `${safeEventId}-${index}${extension}`);
+    const targetPath = import_node_path5.default.join(directory, `${safeEventId}-${index}${extension}`);
     await import_promises2.default.writeFile(targetPath, bytes);
     return targetPath;
   }
@@ -2348,7 +2774,7 @@ function sanitizeFilename(value) {
   return value.replace(/[^a-zA-Z0-9_-]/g, "_").slice(0, 80);
 }
 function resolveFileExtension(fileName, mimeType) {
-  const ext = import_node_path3.default.extname(fileName).trim();
+  const ext = import_node_path5.default.extname(fileName).trim();
   if (ext) {
     return ext;
   }
@@ -2365,14 +2791,14 @@ function resolveFileExtension(fileName, mimeType) {
 }
 // src/config-service.ts
-var import_node_fs3 = __toESM(require("fs"));
-var import_node_path4 = __toESM(require("path"));
+var import_node_fs5 = __toESM(require("fs"));
+var import_node_path6 = __toESM(require("path"));
 var ConfigService = class {
   stateStore;
   defaultWorkdir;
   constructor(stateStore, defaultWorkdir) {
     this.stateStore = stateStore;
-    this.defaultWorkdir = import_node_path4.default.resolve(defaultWorkdir);
+    this.defaultWorkdir = import_node_path6.default.resolve(defaultWorkdir);
   }
   resolveRoomConfig(roomId, fallbackPolicy) {
     const room = this.stateStore.getRoomSettings(roomId);
@@ -2443,8 +2869,8 @@ function normalizeRoomSettingsInput(input) {
   if (!roomId) {
     throw new Error("roomId is required.");
   }
-  const workdir = import_node_path4.default.resolve(input.workdir);
-  if (!import_node_fs3.default.existsSync(workdir) || !import_node_fs3.default.statSync(workdir).isDirectory()) {
+  const workdir = import_node_path6.default.resolve(input.workdir);
+  if (!import_node_fs5.default.existsSync(workdir) || !import_node_fs5.default.statSync(workdir).isDirectory()) {
     throw new Error(`workdir does not exist or is not a directory: ${workdir}`);
   }
   return {
@@ -2459,7 +2885,7 @@ function normalizeRoomSettingsInput(input) {
 }
 // src/executor/codex-executor.ts
-var import_node_child_process2 = require("child_process");
+var import_node_child_process3 = require("child_process");
 var import_node_readline = __toESM(require("readline"));
 var CodexExecutionCancelledError = class extends Error {
   constructor(message = "codex execution cancelled") {
@@ -2477,7 +2903,7 @@ var CodexExecutor = class {
   }
   startExecution(prompt, sessionId, onProgress, startOptions) {
     const args = buildCodexArgs(prompt, sessionId, this.options, startOptions);
-    const child = (0, import_node_child_process2.spawn)(this.options.bin, args, {
+    const child = (0, import_node_child_process3.spawn)(this.options.bin, args, {
       cwd: startOptions?.workdir ?? this.options.workdir,
       env: {
         ...process.env,
@@ -2713,20 +3139,20 @@ var import_async_mutex = require("async-mutex");
 var import_promises3 = __toESM(require("fs/promises"));
 // src/compat/cli-compat-recorder.ts
-var import_node_fs4 = __toESM(require("fs"));
-var import_node_path5 = __toESM(require("path"));
+var import_node_fs6 = __toESM(require("fs"));
+var import_node_path7 = __toESM(require("path"));
 var CliCompatRecorder = class {
   filePath;
   chain = Promise.resolve();
   constructor(filePath) {
-    this.filePath = import_node_path5.default.resolve(filePath);
-    import_node_fs4.default.mkdirSync(import_node_path5.default.dirname(this.filePath), { recursive: true });
+    this.filePath = import_node_path7.default.resolve(filePath);
+    import_node_fs6.default.mkdirSync(import_node_path7.default.dirname(this.filePath), { recursive: true });
   }
   append(entry) {
     const payload = `${JSON.stringify(entry)}
 `;
     this.chain = this.chain.then(async () => {
-      await import_node_fs4.default.promises.appendFile(this.filePath, payload, "utf8");
+      await import_node_fs6.default.promises.appendFile(this.filePath, payload, "utf8");
     });
     return this.chain;
   }
@@ -4114,8 +4540,8 @@ ${result.review}
 }
 // src/store/state-store.ts
-var import_node_fs5 = __toESM(require("fs"));
-var import_node_path6 = __toESM(require("path"));
+var import_node_fs7 = __toESM(require("fs"));
+var import_node_path8 = __toESM(require("path"));
 var ONE_DAY_MS = 24 * 60 * 60 * 1e3;
 var PRUNE_INTERVAL_MS = 5 * 60 * 1e3;
 var SQLITE_MODULE_ID = `node:${"sqlite"}`;
@@ -4141,7 +4567,7 @@ var StateStore = class {
     this.maxProcessedEventsPerSession = maxProcessedEventsPerSession;
     this.maxSessionAgeMs = maxSessionAgeDays * ONE_DAY_MS;
     this.maxSessions = maxSessions;
-    import_node_fs5.default.mkdirSync(import_node_path6.default.dirname(this.dbPath), { recursive: true });
+    import_node_fs7.default.mkdirSync(import_node_path8.default.dirname(this.dbPath), { recursive: true });
     this.db = new DatabaseSync(this.dbPath);
     this.initializeSchema();
     this.importLegacyStateIfNeeded();
@@ -4386,7 +4812,7 @@ var StateStore = class {
     `);
   }
   importLegacyStateIfNeeded() {
-    if (!this.legacyJsonPath || !import_node_fs5.default.existsSync(this.legacyJsonPath)) {
+    if (!this.legacyJsonPath || !import_node_fs7.default.existsSync(this.legacyJsonPath)) {
       return;
     }
     const countRow = this.db.prepare("SELECT COUNT(*) AS count FROM sessions").get();
@@ -4416,1296 +4842,1004 @@ var StateStore = class {
         }
       }
       this.db.exec("COMMIT");
-    } catch (error) {
-      this.db.exec("ROLLBACK");
-      throw error;
-    }
-  }
-  maybePruneExpiredSessions() {
-    const now = Date.now();
-    if (now - this.lastPruneAt < PRUNE_INTERVAL_MS) {
-      return;
-    }
-    this.lastPruneAt = now;
-    if (this.pruneSessions(now)) {
-      this.touchDatabase();
-    }
-  }
-  pruneSessions(now = Date.now()) {
-    let changed = false;
-    if (this.pruneExpiredSessions(now)) {
-      changed = true;
-    }
-    if (this.pruneExcessSessions()) {
-      changed = true;
-    }
-    return changed;
-  }
-  pruneExpiredSessions(now) {
-    if (this.maxSessionAgeMs <= 0) {
-      return false;
-    }
-    const result = this.db.prepare("DELETE FROM sessions WHERE updated_at < ?1").run(now - this.maxSessionAgeMs);
-    return (result.changes ?? 0) > 0;
-  }
-  pruneExcessSessions() {
-    if (this.maxSessions <= 0) {
-      return false;
-    }
-    const row = this.db.prepare("SELECT COUNT(*) AS count FROM sessions").get();
-    const count = row?.count ?? 0;
-    if (count <= this.maxSessions) {
-      return false;
-    }
-    const removeCount = count - this.maxSessions;
-    const result = this.db.prepare(
-      "DELETE FROM sessions WHERE session_key IN (SELECT session_key FROM sessions ORDER BY updated_at ASC LIMIT ?1)"
-    ).run(removeCount);
-    return (result.changes ?? 0) > 0;
-  }
-  touchDatabase() {
-    this.db.exec("PRAGMA wal_checkpoint(PASSIVE)");
-  }
-};
-function loadLegacyState(filePath) {
-  try {
-    const raw = import_node_fs5.default.readFileSync(filePath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (!parsed.sessions || typeof parsed.sessions !== "object") {
-      return null;
-    }
-    normalizeLegacyState(parsed);
-    return parsed;
-  } catch {
-    return null;
-  }
-}
-function parseUpdatedAt(updatedAt) {
-  const timestamp = Date.parse(updatedAt);
-  return Number.isFinite(timestamp) ? timestamp : Date.now();
-}
-function parseOptionalTimestamp(value) {
-  if (!value) {
-    return null;
-  }
-  const ts = Date.parse(value);
-  return Number.isFinite(ts) ? ts : null;
-}
-function normalizeLegacyState(state) {
-  for (const session of Object.values(state.sessions)) {
-    if (!Array.isArray(session.processedEventIds)) {
-      session.processedEventIds = [];
-    }
-    if (typeof session.codexSessionId !== "string" && session.codexSessionId !== null) {
-      session.codexSessionId = null;
-    }
-    if (typeof session.updatedAt !== "string") {
-      session.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
-    }
-    if (typeof session.activeUntil !== "string" && session.activeUntil !== null) {
-      session.activeUntil = null;
-    }
-  }
-}
-function boolToInt(value) {
-  return value ? 1 : 0;
-}
-// src/app.ts
-var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process3.execFile);
-var CodeHarborApp = class {
-  config;
-  logger;
-  stateStore;
-  channel;
-  orchestrator;
-  configService;
-  constructor(config) {
-    this.config = config;
-    this.logger = new Logger(config.logLevel);
-    this.stateStore = new StateStore(
-      config.stateDbPath,
-      config.legacyStateJsonPath,
-      config.maxProcessedEventsPerSession,
-      config.maxSessionAgeDays,
-      config.maxSessions
-    );
-    this.configService = new ConfigService(this.stateStore, config.codexWorkdir);
-    const executor = new CodexExecutor({
-      bin: config.codexBin,
-      model: config.codexModel,
-      workdir: config.codexWorkdir,
-      dangerousBypass: config.codexDangerousBypass,
-      timeoutMs: config.codexExecTimeoutMs,
-      sandboxMode: config.codexSandboxMode,
-      approvalPolicy: config.codexApprovalPolicy,
-      extraArgs: config.codexExtraArgs,
-      extraEnv: config.codexExtraEnv
-    });
-    this.channel = new MatrixChannel(config, this.logger);
-    this.orchestrator = new Orchestrator(this.channel, executor, this.stateStore, this.logger, {
-      progressUpdatesEnabled: config.matrixProgressUpdates,
-      progressMinIntervalMs: config.matrixProgressMinIntervalMs,
-      typingTimeoutMs: config.matrixTypingTimeoutMs,
-      commandPrefix: config.matrixCommandPrefix,
-      matrixUserId: config.matrixUserId,
-      sessionActiveWindowMinutes: config.sessionActiveWindowMinutes,
-      defaultGroupTriggerPolicy: config.defaultGroupTriggerPolicy,
-      roomTriggerPolicies: config.roomTriggerPolicies,
-      rateLimiterOptions: config.rateLimiter,
-      cliCompat: config.cliCompat,
-      multiAgentWorkflow: config.agentWorkflow,
-      configService: this.configService,
-      defaultCodexWorkdir: config.codexWorkdir
-    });
-  }
-  async start() {
-    this.logger.info("CodeHarbor starting", {
-      matrixHomeserver: this.config.matrixHomeserver,
-      workdir: this.config.codexWorkdir,
-      prefix: this.config.matrixCommandPrefix || "<none>"
-    });
-    await this.channel.start(this.orchestrator.handleMessage.bind(this.orchestrator));
-    this.logger.info("CodeHarbor is running.");
-  }
-  async stop() {
-    this.logger.info("CodeHarbor stopping.");
-    try {
-      await this.channel.stop();
-    } finally {
-      await this.stateStore.flush();
-    }
-  }
-};
-var CodeHarborAdminApp = class {
-  config;
-  logger;
-  stateStore;
-  configService;
-  adminServer;
-  constructor(config, options) {
-    this.config = config;
-    this.logger = new Logger(config.logLevel);
-    this.stateStore = new StateStore(
-      config.stateDbPath,
-      config.legacyStateJsonPath,
-      config.maxProcessedEventsPerSession,
-      config.maxSessionAgeDays,
-      config.maxSessions
-    );
-    this.configService = new ConfigService(this.stateStore, config.codexWorkdir);
-    this.adminServer = new AdminServer(config, this.logger, this.stateStore, this.configService, {
-      host: options?.host ?? config.adminBindHost,
-      port: options?.port ?? config.adminPort,
-      adminToken: config.adminToken,
-      adminIpAllowlist: config.adminIpAllowlist,
-      adminAllowedOrigins: config.adminAllowedOrigins
-    });
-  }
-  async start() {
-    await this.adminServer.start();
-    const address = this.adminServer.getAddress();
-    this.logger.info("CodeHarbor admin server started", {
-      host: address?.host ?? this.config.adminBindHost,
-      port: address?.port ?? this.config.adminPort,
-      tokenProtected: Boolean(this.config.adminToken)
-    });
-  }
-  async stop() {
-    this.logger.info("CodeHarbor admin server stopping.");
-    try {
-      await this.adminServer.stop();
-    } finally {
-      await this.stateStore.flush();
-    }
-  }
-};
-async function runDoctor(config) {
-  const logger = new Logger(config.logLevel);
-  logger.info("Doctor check started");
-  try {
-    const { stdout } = await execFileAsync2(config.codexBin, ["--version"]);
-    logger.info("codex available", { version: stdout.trim() });
-  } catch (error) {
-    logger.error("codex unavailable", error);
-    throw error;
-  }
-  try {
-    const controller = new AbortController();
-    const timer = setTimeout(() => controller.abort(), config.doctorHttpTimeoutMs);
-    timer.unref?.();
-    const response = await fetch(`${config.matrixHomeserver}/_matrix/client/versions`, {
-      signal: controller.signal
-    }).finally(() => {
-      clearTimeout(timer);
-    });
-    if (!response.ok) {
-      throw new Error(`HTTP ${response.status}`);
-    }
-    const body = await response.json();
-    logger.info("matrix reachable", { versions: body.versions ?? [] });
-  } catch (error) {
-    logger.error("matrix unreachable", error);
-    throw error;
-  }
-  logger.info("Doctor check passed");
-}
-// src/utils/admin-host.ts
-function isNonLoopbackHost(host) {
-  const normalized = host.trim().toLowerCase();
-  if (!normalized) {
-    return false;
-  }
-  return !(normalized === "localhost" || normalized === "127.0.0.1" || normalized === "::1" || normalized === "[::1]");
-}
-// src/config.ts
-var import_node_fs6 = __toESM(require("fs"));
-var import_node_path7 = __toESM(require("path"));
-var import_dotenv2 = __toESM(require("dotenv"));
-var import_zod = require("zod");
-var configSchema = import_zod.z.object({
-  MATRIX_HOMESERVER: import_zod.z.string().url(),
-  MATRIX_USER_ID: import_zod.z.string().min(1),
-  MATRIX_ACCESS_TOKEN: import_zod.z.string().min(1),
-  MATRIX_COMMAND_PREFIX: import_zod.z.string().default("!code"),
-  CODEX_BIN: import_zod.z.string().default("codex"),
-  CODEX_MODEL: import_zod.z.string().optional(),
-  CODEX_WORKDIR: import_zod.z.string().default("."),
-  CODEX_DANGEROUS_BYPASS: import_zod.z.string().default("false").transform((v) => v.toLowerCase() === "true"),
-  CODEX_EXEC_TIMEOUT_MS: import_zod.z.string().default("600000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  CODEX_SANDBOX_MODE: import_zod.z.string().optional(),
-  CODEX_APPROVAL_POLICY: import_zod.z.string().optional(),
-  CODEX_EXTRA_ARGS: import_zod.z.string().default(""),
-  CODEX_EXTRA_ENV_JSON: import_zod.z.string().default(""),
-  AGENT_WORKFLOW_ENABLED: import_zod.z.string().default("false").transform((v) => v.toLowerCase() === "true"),
-  AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS: import_zod.z.string().default("1").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().min(0).max(10)),
-  STATE_DB_PATH: import_zod.z.string().default("data/state.db"),
-  STATE_PATH: import_zod.z.string().default("data/state.json"),
-  MAX_PROCESSED_EVENTS_PER_SESSION: import_zod.z.string().default("200").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  MAX_SESSION_AGE_DAYS: import_zod.z.string().default("30").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  MAX_SESSIONS: import_zod.z.string().default("5000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  REPLY_CHUNK_SIZE: import_zod.z.string().default("3500").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  MATRIX_PROGRESS_UPDATES: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
-  MATRIX_PROGRESS_MIN_INTERVAL_MS: import_zod.z.string().default("2500").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  MATRIX_TYPING_TIMEOUT_MS: import_zod.z.string().default("10000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  SESSION_ACTIVE_WINDOW_MINUTES: import_zod.z.string().default("20").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  GROUP_TRIGGER_ALLOW_MENTION: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
-  GROUP_TRIGGER_ALLOW_REPLY: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
-  GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
-  GROUP_TRIGGER_ALLOW_PREFIX: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
-  ROOM_TRIGGER_POLICY_JSON: import_zod.z.string().default(""),
-  RATE_LIMIT_WINDOW_SECONDS: import_zod.z.string().default("60").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  RATE_LIMIT_MAX_REQUESTS_PER_USER: import_zod.z.string().default("20").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
-  RATE_LIMIT_MAX_REQUESTS_PER_ROOM: import_zod.z.string().default("120").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
-  RATE_LIMIT_MAX_CONCURRENT_GLOBAL: import_zod.z.string().default("8").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
-  RATE_LIMIT_MAX_CONCURRENT_PER_USER: import_zod.z.string().default("1").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
-  RATE_LIMIT_MAX_CONCURRENT_PER_ROOM: import_zod.z.string().default("4").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
-  CLI_COMPAT_MODE: import_zod.z.string().default("false").transform((v) => v.toLowerCase() === "true"),
-  CLI_COMPAT_PASSTHROUGH_EVENTS: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
-  CLI_COMPAT_PRESERVE_WHITESPACE: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
-  CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT: import_zod.z.string().default("false").transform((v) => v.toLowerCase() === "true"),
-  CLI_COMPAT_PROGRESS_THROTTLE_MS: import_zod.z.string().default("300").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
-  CLI_COMPAT_FETCH_MEDIA: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
-  CLI_COMPAT_RECORD_PATH: import_zod.z.string().default(""),
-  DOCTOR_HTTP_TIMEOUT_MS: import_zod.z.string().default("10000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
-  ADMIN_BIND_HOST: import_zod.z.string().default("127.0.0.1"),
-  ADMIN_PORT: import_zod.z.string().default("8787").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().min(1).max(65535)),
-  ADMIN_TOKEN: import_zod.z.string().default(""),
-  ADMIN_IP_ALLOWLIST: import_zod.z.string().default(""),
-  ADMIN_ALLOWED_ORIGINS: import_zod.z.string().default(""),
-  LOG_LEVEL: import_zod.z.enum(["debug", "info", "warn", "error"]).default("info")
-}).transform((v) => ({
-  matrixHomeserver: v.MATRIX_HOMESERVER,
-  matrixUserId: v.MATRIX_USER_ID,
-  matrixAccessToken: v.MATRIX_ACCESS_TOKEN,
-  matrixCommandPrefix: v.MATRIX_COMMAND_PREFIX,
-  codexBin: v.CODEX_BIN,
-  codexModel: v.CODEX_MODEL?.trim() || null,
-  codexWorkdir: import_node_path7.default.resolve(v.CODEX_WORKDIR),
-  codexDangerousBypass: v.CODEX_DANGEROUS_BYPASS,
-  codexExecTimeoutMs: v.CODEX_EXEC_TIMEOUT_MS,
-  codexSandboxMode: v.CODEX_SANDBOX_MODE?.trim() || null,
-  codexApprovalPolicy: v.CODEX_APPROVAL_POLICY?.trim() || null,
-  codexExtraArgs: parseExtraArgs(v.CODEX_EXTRA_ARGS),
-  codexExtraEnv: parseExtraEnv(v.CODEX_EXTRA_ENV_JSON),
-  agentWorkflow: {
-    enabled: v.AGENT_WORKFLOW_ENABLED,
-    autoRepairMaxRounds: v.AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS
-  },
-  stateDbPath: import_node_path7.default.resolve(v.STATE_DB_PATH),
-  legacyStateJsonPath: v.STATE_PATH.trim() ? import_node_path7.default.resolve(v.STATE_PATH) : null,
-  maxProcessedEventsPerSession: v.MAX_PROCESSED_EVENTS_PER_SESSION,
-  maxSessionAgeDays: v.MAX_SESSION_AGE_DAYS,
-  maxSessions: v.MAX_SESSIONS,
-  replyChunkSize: v.REPLY_CHUNK_SIZE,
-  matrixProgressUpdates: v.MATRIX_PROGRESS_UPDATES,
-  matrixProgressMinIntervalMs: v.MATRIX_PROGRESS_MIN_INTERVAL_MS,
-  matrixTypingTimeoutMs: v.MATRIX_TYPING_TIMEOUT_MS,
-  sessionActiveWindowMinutes: v.SESSION_ACTIVE_WINDOW_MINUTES,
-  defaultGroupTriggerPolicy: {
-    allowMention: v.GROUP_TRIGGER_ALLOW_MENTION,
-    allowReply: v.GROUP_TRIGGER_ALLOW_REPLY,
-    allowActiveWindow: v.GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW,
-    allowPrefix: v.GROUP_TRIGGER_ALLOW_PREFIX
-  },
-  roomTriggerPolicies: parseRoomTriggerPolicyOverrides(v.ROOM_TRIGGER_POLICY_JSON),
-  rateLimiter: {
-    windowMs: v.RATE_LIMIT_WINDOW_SECONDS * 1e3,
-    maxRequestsPerUser: v.RATE_LIMIT_MAX_REQUESTS_PER_USER,
-    maxRequestsPerRoom: v.RATE_LIMIT_MAX_REQUESTS_PER_ROOM,
-    maxConcurrentGlobal: v.RATE_LIMIT_MAX_CONCURRENT_GLOBAL,
-    maxConcurrentPerUser: v.RATE_LIMIT_MAX_CONCURRENT_PER_USER,
-    maxConcurrentPerRoom: v.RATE_LIMIT_MAX_CONCURRENT_PER_ROOM
-  },
-  cliCompat: {
-    enabled: v.CLI_COMPAT_MODE,
-    passThroughEvents: v.CLI_COMPAT_PASSTHROUGH_EVENTS,
-    preserveWhitespace: v.CLI_COMPAT_PRESERVE_WHITESPACE,
-    disableReplyChunkSplit: v.CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT,
-    progressThrottleMs: v.CLI_COMPAT_PROGRESS_THROTTLE_MS,
-    fetchMedia: v.CLI_COMPAT_FETCH_MEDIA,
-    recordPath: v.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path7.default.resolve(v.CLI_COMPAT_RECORD_PATH) : null
-  },
-  doctorHttpTimeoutMs: v.DOCTOR_HTTP_TIMEOUT_MS,
-  adminBindHost: v.ADMIN_BIND_HOST.trim() || "127.0.0.1",
-  adminPort: v.ADMIN_PORT,
-  adminToken: v.ADMIN_TOKEN.trim() || null,
-  adminIpAllowlist: parseCsvList(v.ADMIN_IP_ALLOWLIST),
-  adminAllowedOrigins: parseCsvList(v.ADMIN_ALLOWED_ORIGINS),
-  logLevel: v.LOG_LEVEL
-}));
-function loadEnvFromFile(filePath = import_node_path7.default.resolve(process.cwd(), ".env"), env = process.env) {
-  import_dotenv2.default.config({
-    path: filePath,
-    processEnv: env,
-    quiet: true
-  });
-}
-function loadConfig(env = process.env) {
-  const parsed = configSchema.safeParse(env);
-  if (!parsed.success) {
-    const message = parsed.error.issues.map((issue) => `${issue.path.join(".") || "config"}: ${issue.message}`).join("; ");
-    throw new Error(`Invalid configuration: ${message}`);
-  }
-  import_node_fs6.default.mkdirSync(import_node_path7.default.dirname(parsed.data.stateDbPath), { recursive: true });
-  if (parsed.data.legacyStateJsonPath) {
-    import_node_fs6.default.mkdirSync(import_node_path7.default.dirname(parsed.data.legacyStateJsonPath), { recursive: true });
-  }
-  return parsed.data;
-}
-function parseRoomTriggerPolicyOverrides(raw) {
-  const trimmed = raw.trim();
-  if (!trimmed) {
-    return {};
-  }
-  let parsed;
-  try {
-    parsed = JSON.parse(trimmed);
-  } catch {
-    throw new Error("ROOM_TRIGGER_POLICY_JSON must be valid JSON.");
-  }
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    throw new Error("ROOM_TRIGGER_POLICY_JSON must be an object keyed by room id.");
-  }
-  const output = {};
-  for (const [roomId, value] of Object.entries(parsed)) {
-    if (!value || typeof value !== "object" || Array.isArray(value)) {
-      throw new Error(`ROOM_TRIGGER_POLICY_JSON[${roomId}] must be an object.`);
-    }
-    const item = value;
-    const override = {};
-    for (const key of ["allowMention", "allowReply", "allowActiveWindow", "allowPrefix"]) {
-      if (item[key] === void 0) {
-        continue;
-      }
-      if (typeof item[key] !== "boolean") {
-        throw new Error(`ROOM_TRIGGER_POLICY_JSON[${roomId}].${key} must be boolean.`);
-      }
-      override[key] = item[key];
-    }
-    output[roomId] = override;
-  }
-  return output;
-}
-function parseExtraArgs(raw) {
-  const trimmed = raw.trim();
-  if (!trimmed) {
-    return [];
-  }
-  return trimmed.split(/\s+/).map((entry) => entry.trim()).filter((entry) => entry.length > 0);
-}
-function parseExtraEnv(raw) {
-  const trimmed = raw.trim();
-  if (!trimmed) {
-    return {};
-  }
-  let parsed;
-  try {
-    parsed = JSON.parse(trimmed);
-  } catch {
-    throw new Error("CODEX_EXTRA_ENV_JSON must be valid JSON object.");
-  }
-  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
-    throw new Error("CODEX_EXTRA_ENV_JSON must be a key/value object.");
-  }
-  const output = {};
-  for (const [key, value] of Object.entries(parsed)) {
-    if (typeof value !== "string") {
-      throw new Error(`CODEX_EXTRA_ENV_JSON[${key}] must be string.`);
-    }
-    output[key] = value;
-  }
-  return output;
-}
-function parseCsvList(raw) {
-  return raw.split(",").map((entry) => entry.trim()).filter((entry) => entry.length > 0);
-}
-// src/config-snapshot.ts
-var import_node_fs7 = __toESM(require("fs"));
-var import_node_path8 = __toESM(require("path"));
-var import_zod2 = require("zod");
-var CONFIG_SNAPSHOT_SCHEMA_VERSION = 1;
-var CONFIG_SNAPSHOT_ENV_KEYS = [
-  "MATRIX_HOMESERVER",
-  "MATRIX_USER_ID",
-  "MATRIX_ACCESS_TOKEN",
-  "MATRIX_COMMAND_PREFIX",
-  "CODEX_BIN",
-  "CODEX_MODEL",
-  "CODEX_WORKDIR",
-  "CODEX_DANGEROUS_BYPASS",
-  "CODEX_EXEC_TIMEOUT_MS",
-  "CODEX_SANDBOX_MODE",
-  "CODEX_APPROVAL_POLICY",
-  "CODEX_EXTRA_ARGS",
-  "CODEX_EXTRA_ENV_JSON",
-  "AGENT_WORKFLOW_ENABLED",
-  "AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS",
-  "STATE_DB_PATH",
-  "STATE_PATH",
-  "MAX_PROCESSED_EVENTS_PER_SESSION",
-  "MAX_SESSION_AGE_DAYS",
-  "MAX_SESSIONS",
-  "REPLY_CHUNK_SIZE",
-  "MATRIX_PROGRESS_UPDATES",
-  "MATRIX_PROGRESS_MIN_INTERVAL_MS",
-  "MATRIX_TYPING_TIMEOUT_MS",
-  "SESSION_ACTIVE_WINDOW_MINUTES",
-  "GROUP_TRIGGER_ALLOW_MENTION",
-  "GROUP_TRIGGER_ALLOW_REPLY",
-  "GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW",
-  "GROUP_TRIGGER_ALLOW_PREFIX",
-  "ROOM_TRIGGER_POLICY_JSON",
-  "RATE_LIMIT_WINDOW_SECONDS",
-  "RATE_LIMIT_MAX_REQUESTS_PER_USER",
-  "RATE_LIMIT_MAX_REQUESTS_PER_ROOM",
-  "RATE_LIMIT_MAX_CONCURRENT_GLOBAL",
-  "RATE_LIMIT_MAX_CONCURRENT_PER_USER",
-  "RATE_LIMIT_MAX_CONCURRENT_PER_ROOM",
-  "CLI_COMPAT_MODE",
-  "CLI_COMPAT_PASSTHROUGH_EVENTS",
-  "CLI_COMPAT_PRESERVE_WHITESPACE",
-  "CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT",
-  "CLI_COMPAT_PROGRESS_THROTTLE_MS",
-  "CLI_COMPAT_FETCH_MEDIA",
-  "CLI_COMPAT_RECORD_PATH",
-  "DOCTOR_HTTP_TIMEOUT_MS",
-  "ADMIN_BIND_HOST",
-  "ADMIN_PORT",
-  "ADMIN_TOKEN",
-  "ADMIN_IP_ALLOWLIST",
-  "ADMIN_ALLOWED_ORIGINS",
-  "LOG_LEVEL"
-];
-var BOOLEAN_STRING = /^(true|false)$/i;
-var INTEGER_STRING = /^-?\d+$/;
-var LOG_LEVELS = ["debug", "info", "warn", "error"];
-var roomSnapshotSchema = import_zod2.z.object({
-  roomId: import_zod2.z.string().min(1),
-  enabled: import_zod2.z.boolean(),
-  allowMention: import_zod2.z.boolean(),
-  allowReply: import_zod2.z.boolean(),
-  allowActiveWindow: import_zod2.z.boolean(),
-  allowPrefix: import_zod2.z.boolean(),
-  workdir: import_zod2.z.string().min(1)
-}).strict();
-var envSnapshotSchema = import_zod2.z.object({
-  MATRIX_HOMESERVER: import_zod2.z.string().url(),
-  MATRIX_USER_ID: import_zod2.z.string().min(1),
-  MATRIX_ACCESS_TOKEN: import_zod2.z.string().min(1),
-  MATRIX_COMMAND_PREFIX: import_zod2.z.string(),
-  CODEX_BIN: import_zod2.z.string().min(1),
-  CODEX_MODEL: import_zod2.z.string(),
-  CODEX_WORKDIR: import_zod2.z.string().min(1),
-  CODEX_DANGEROUS_BYPASS: booleanStringSchema("CODEX_DANGEROUS_BYPASS"),
-  CODEX_EXEC_TIMEOUT_MS: integerStringSchema("CODEX_EXEC_TIMEOUT_MS", 1),
-  CODEX_SANDBOX_MODE: import_zod2.z.string(),
-  CODEX_APPROVAL_POLICY: import_zod2.z.string(),
-  CODEX_EXTRA_ARGS: import_zod2.z.string(),
-  CODEX_EXTRA_ENV_JSON: jsonObjectStringSchema("CODEX_EXTRA_ENV_JSON", true),
-  AGENT_WORKFLOW_ENABLED: booleanStringSchema("AGENT_WORKFLOW_ENABLED"),
-  AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS: integerStringSchema("AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS", 0, 10),
-  STATE_DB_PATH: import_zod2.z.string().min(1),
-  STATE_PATH: import_zod2.z.string(),
-  MAX_PROCESSED_EVENTS_PER_SESSION: integerStringSchema("MAX_PROCESSED_EVENTS_PER_SESSION", 1),
-  MAX_SESSION_AGE_DAYS: integerStringSchema("MAX_SESSION_AGE_DAYS", 1),
-  MAX_SESSIONS: integerStringSchema("MAX_SESSIONS", 1),
-  REPLY_CHUNK_SIZE: integerStringSchema("REPLY_CHUNK_SIZE", 1),
-  MATRIX_PROGRESS_UPDATES: booleanStringSchema("MATRIX_PROGRESS_UPDATES"),
-  MATRIX_PROGRESS_MIN_INTERVAL_MS: integerStringSchema("MATRIX_PROGRESS_MIN_INTERVAL_MS", 1),
-  MATRIX_TYPING_TIMEOUT_MS: integerStringSchema("MATRIX_TYPING_TIMEOUT_MS", 1),
-  SESSION_ACTIVE_WINDOW_MINUTES: integerStringSchema("SESSION_ACTIVE_WINDOW_MINUTES", 1),
-  GROUP_TRIGGER_ALLOW_MENTION: booleanStringSchema("GROUP_TRIGGER_ALLOW_MENTION"),
-  GROUP_TRIGGER_ALLOW_REPLY: booleanStringSchema("GROUP_TRIGGER_ALLOW_REPLY"),
-  GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW: booleanStringSchema("GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW"),
-  GROUP_TRIGGER_ALLOW_PREFIX: booleanStringSchema("GROUP_TRIGGER_ALLOW_PREFIX"),
-  ROOM_TRIGGER_POLICY_JSON: jsonObjectStringSchema("ROOM_TRIGGER_POLICY_JSON", true),
-  RATE_LIMIT_WINDOW_SECONDS: integerStringSchema("RATE_LIMIT_WINDOW_SECONDS", 1),
-  RATE_LIMIT_MAX_REQUESTS_PER_USER: integerStringSchema("RATE_LIMIT_MAX_REQUESTS_PER_USER", 0),
-  RATE_LIMIT_MAX_REQUESTS_PER_ROOM: integerStringSchema("RATE_LIMIT_MAX_REQUESTS_PER_ROOM", 0),
-  RATE_LIMIT_MAX_CONCURRENT_GLOBAL: integerStringSchema("RATE_LIMIT_MAX_CONCURRENT_GLOBAL", 0),
-  RATE_LIMIT_MAX_CONCURRENT_PER_USER: integerStringSchema("RATE_LIMIT_MAX_CONCURRENT_PER_USER", 0),
-  RATE_LIMIT_MAX_CONCURRENT_PER_ROOM: integerStringSchema("RATE_LIMIT_MAX_CONCURRENT_PER_ROOM", 0),
-  CLI_COMPAT_MODE: booleanStringSchema("CLI_COMPAT_MODE"),
-  CLI_COMPAT_PASSTHROUGH_EVENTS: booleanStringSchema("CLI_COMPAT_PASSTHROUGH_EVENTS"),
-  CLI_COMPAT_PRESERVE_WHITESPACE: booleanStringSchema("CLI_COMPAT_PRESERVE_WHITESPACE"),
-  CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT: booleanStringSchema("CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT"),
-  CLI_COMPAT_PROGRESS_THROTTLE_MS: integerStringSchema("CLI_COMPAT_PROGRESS_THROTTLE_MS", 0),
-  CLI_COMPAT_FETCH_MEDIA: booleanStringSchema("CLI_COMPAT_FETCH_MEDIA"),
-  CLI_COMPAT_RECORD_PATH: import_zod2.z.string(),
-  DOCTOR_HTTP_TIMEOUT_MS: integerStringSchema("DOCTOR_HTTP_TIMEOUT_MS", 1),
-  ADMIN_BIND_HOST: import_zod2.z.string(),
-  ADMIN_PORT: integerStringSchema("ADMIN_PORT", 1, 65535),
-  ADMIN_TOKEN: import_zod2.z.string(),
-  ADMIN_IP_ALLOWLIST: import_zod2.z.string(),
-  ADMIN_ALLOWED_ORIGINS: import_zod2.z.string().default(""),
-  LOG_LEVEL: import_zod2.z.enum(LOG_LEVELS)
-}).strict();
-var configSnapshotSchema = import_zod2.z.object({
-  schemaVersion: import_zod2.z.literal(CONFIG_SNAPSHOT_SCHEMA_VERSION),
-  exportedAt: import_zod2.z.string().datetime({ offset: true }),
-  env: envSnapshotSchema,
-  rooms: import_zod2.z.array(roomSnapshotSchema)
-}).strict().superRefine((value, ctx) => {
-  const seen = /* @__PURE__ */ new Set();
-  for (const room of value.rooms) {
-    const roomId = room.roomId.trim();
-    if (!roomId) {
-      ctx.addIssue({
-        code: import_zod2.z.ZodIssueCode.custom,
-        message: "rooms[].roomId cannot be empty."
-      });
-      continue;
-    }
-    if (seen.has(roomId)) {
-      ctx.addIssue({
-        code: import_zod2.z.ZodIssueCode.custom,
-        message: `Duplicate room id in snapshot: ${roomId}`
-      });
-    }
-    seen.add(roomId);
-  }
-});
-function buildConfigSnapshot(config, roomSettings, now = /* @__PURE__ */ new Date()) {
-  return {
-    schemaVersion: CONFIG_SNAPSHOT_SCHEMA_VERSION,
-    exportedAt: now.toISOString(),
-    env: buildSnapshotEnv(config),
-    rooms: roomSettings.map((room) => ({
-      roomId: room.roomId,
-      enabled: room.enabled,
-      allowMention: room.allowMention,
-      allowReply: room.allowReply,
-      allowActiveWindow: room.allowActiveWindow,
-      allowPrefix: room.allowPrefix,
-      workdir: room.workdir
-    }))
-  };
-}
-function parseConfigSnapshot(raw) {
-  const parsed = configSnapshotSchema.safeParse(raw);
-  if (!parsed.success) {
-    const message = parsed.error.issues.map((issue) => `${issue.path.join(".") || "snapshot"}: ${issue.message}`).join("; ");
-    throw new Error(`Invalid config snapshot: ${message}`);
-  }
-  return parsed.data;
-}
-function serializeConfigSnapshot(snapshot) {
-  return `${JSON.stringify(snapshot, null, 2)}
-`;
-}
-async function runConfigExportCommand(options = {}) {
-  const cwd = options.cwd ?? process.cwd();
-  const output = options.output ?? process.stdout;
-  const config = loadConfig(options.env ?? process.env);
-  const stateStore = new StateStore(
-    config.stateDbPath,
-    config.legacyStateJsonPath,
-    config.maxProcessedEventsPerSession,
-    config.maxSessionAgeDays,
-    config.maxSessions
-  );
-  try {
-    const snapshot = buildConfigSnapshot(config, stateStore.listRoomSettings(), options.now ?? /* @__PURE__ */ new Date());
-    const serialized = serializeConfigSnapshot(snapshot);
-    if (options.outputPath) {
-      const targetPath = import_node_path8.default.resolve(cwd, options.outputPath);
-      import_node_fs7.default.mkdirSync(import_node_path8.default.dirname(targetPath), { recursive: true });
-      import_node_fs7.default.writeFileSync(targetPath, serialized, "utf8");
-      output.write(`Exported config snapshot to ${targetPath}
-`);
-      return;
-    }
-    output.write(serialized);
-  } finally {
-    await stateStore.flush();
-  }
-}
-async function runConfigImportCommand(options) {
-  const cwd = options.cwd ?? process.cwd();
-  const output = options.output ?? process.stdout;
-  const actor = options.actor?.trim() || "cli:config-import";
-  const sourcePath = import_node_path8.default.resolve(cwd, options.filePath);
-  if (!import_node_fs7.default.existsSync(sourcePath)) {
-    throw new Error(`Config snapshot file not found: ${sourcePath}`);
-  }
-  const snapshot = parseConfigSnapshot(parseJsonFile(sourcePath));
-  const normalizedEnv = normalizeSnapshotEnv(snapshot.env, cwd);
-  ensureDirectory2(normalizedEnv.CODEX_WORKDIR, "CODEX_WORKDIR");
-  const normalizedRooms = normalizeSnapshotRooms(snapshot.rooms, cwd);
-  if (options.dryRun) {
-    output.write(
-      [
-        `Config snapshot is valid: ${sourcePath}`,
-        `- schemaVersion: ${snapshot.schemaVersion}`,
-        `- rooms: ${normalizedRooms.length}`,
-        "- dry-run: no changes were written"
-      ].join("\n") + "\n"
-    );
-    return;
-  }
-  persistEnvSnapshot(cwd, normalizedEnv);
-  const stateStore = new StateStore(
-    normalizedEnv.STATE_DB_PATH,
-    normalizedEnv.STATE_PATH ? normalizedEnv.STATE_PATH : null,
-    parseIntStrict(normalizedEnv.MAX_PROCESSED_EVENTS_PER_SESSION),
-    parseIntStrict(normalizedEnv.MAX_SESSION_AGE_DAYS),
-    parseIntStrict(normalizedEnv.MAX_SESSIONS)
-  );
-  try {
-    synchronizeRoomSettings(stateStore, normalizedRooms);
-    stateStore.appendConfigRevision(
-      actor,
-      `import config snapshot from ${import_node_path8.default.basename(sourcePath)}`,
-      JSON.stringify({
-        type: "config_snapshot_import",
-        sourcePath,
-        roomCount: normalizedRooms.length,
-        envKeyCount: CONFIG_SNAPSHOT_ENV_KEYS.length
-      })
-    );
-  } finally {
-    await stateStore.flush();
-  }
-  output.write(
-    [
-      `Imported config snapshot from ${sourcePath}`,
-      `- updated .env in ${import_node_path8.default.resolve(cwd, ".env")}`,
-      `- synchronized room settings: ${normalizedRooms.length}`,
-      "- restart required: yes (global env settings are restart-scoped)"
-    ].join("\n") + "\n"
-  );
-}
-function buildSnapshotEnv(config) {
-  return {
-    MATRIX_HOMESERVER: config.matrixHomeserver,
-    MATRIX_USER_ID: config.matrixUserId,
-    MATRIX_ACCESS_TOKEN: config.matrixAccessToken,
-    MATRIX_COMMAND_PREFIX: config.matrixCommandPrefix,
-    CODEX_BIN: config.codexBin,
-    CODEX_MODEL: config.codexModel ?? "",
-    CODEX_WORKDIR: config.codexWorkdir,
-    CODEX_DANGEROUS_BYPASS: String(config.codexDangerousBypass),
-    CODEX_EXEC_TIMEOUT_MS: String(config.codexExecTimeoutMs),
-    CODEX_SANDBOX_MODE: config.codexSandboxMode ?? "",
-    CODEX_APPROVAL_POLICY: config.codexApprovalPolicy ?? "",
-    CODEX_EXTRA_ARGS: config.codexExtraArgs.join(" "),
-    CODEX_EXTRA_ENV_JSON: serializeJsonObject(config.codexExtraEnv),
-    AGENT_WORKFLOW_ENABLED: String(config.agentWorkflow.enabled),
-    AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS: String(config.agentWorkflow.autoRepairMaxRounds),
-    STATE_DB_PATH: config.stateDbPath,
-    STATE_PATH: config.legacyStateJsonPath ?? "",
-    MAX_PROCESSED_EVENTS_PER_SESSION: String(config.maxProcessedEventsPerSession),
-    MAX_SESSION_AGE_DAYS: String(config.maxSessionAgeDays),
-    MAX_SESSIONS: String(config.maxSessions),
-    REPLY_CHUNK_SIZE: String(config.replyChunkSize),
-    MATRIX_PROGRESS_UPDATES: String(config.matrixProgressUpdates),
-    MATRIX_PROGRESS_MIN_INTERVAL_MS: String(config.matrixProgressMinIntervalMs),
-    MATRIX_TYPING_TIMEOUT_MS: String(config.matrixTypingTimeoutMs),
-    SESSION_ACTIVE_WINDOW_MINUTES: String(config.sessionActiveWindowMinutes),
-    GROUP_TRIGGER_ALLOW_MENTION: String(config.defaultGroupTriggerPolicy.allowMention),
-    GROUP_TRIGGER_ALLOW_REPLY: String(config.defaultGroupTriggerPolicy.allowReply),
-    GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW: String(config.defaultGroupTriggerPolicy.allowActiveWindow),
-    GROUP_TRIGGER_ALLOW_PREFIX: String(config.defaultGroupTriggerPolicy.allowPrefix),
-    ROOM_TRIGGER_POLICY_JSON: serializeJsonObject(config.roomTriggerPolicies),
-    RATE_LIMIT_WINDOW_SECONDS: String(Math.max(1, Math.round(config.rateLimiter.windowMs / 1e3))),
-    RATE_LIMIT_MAX_REQUESTS_PER_USER: String(config.rateLimiter.maxRequestsPerUser),
-    RATE_LIMIT_MAX_REQUESTS_PER_ROOM: String(config.rateLimiter.maxRequestsPerRoom),
-    RATE_LIMIT_MAX_CONCURRENT_GLOBAL: String(config.rateLimiter.maxConcurrentGlobal),
-    RATE_LIMIT_MAX_CONCURRENT_PER_USER: String(config.rateLimiter.maxConcurrentPerUser),
-    RATE_LIMIT_MAX_CONCURRENT_PER_ROOM: String(config.rateLimiter.maxConcurrentPerRoom),
-    CLI_COMPAT_MODE: String(config.cliCompat.enabled),
-    CLI_COMPAT_PASSTHROUGH_EVENTS: String(config.cliCompat.passThroughEvents),
-    CLI_COMPAT_PRESERVE_WHITESPACE: String(config.cliCompat.preserveWhitespace),
-    CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT: String(config.cliCompat.disableReplyChunkSplit),
-    CLI_COMPAT_PROGRESS_THROTTLE_MS: String(config.cliCompat.progressThrottleMs),
-    CLI_COMPAT_FETCH_MEDIA: String(config.cliCompat.fetchMedia),
-    CLI_COMPAT_RECORD_PATH: config.cliCompat.recordPath ?? "",
-    DOCTOR_HTTP_TIMEOUT_MS: String(config.doctorHttpTimeoutMs),
-    ADMIN_BIND_HOST: config.adminBindHost,
-    ADMIN_PORT: String(config.adminPort),
-    ADMIN_TOKEN: config.adminToken ?? "",
-    ADMIN_IP_ALLOWLIST: config.adminIpAllowlist.join(","),
-    ADMIN_ALLOWED_ORIGINS: config.adminAllowedOrigins.join(","),
-    LOG_LEVEL: config.logLevel
-  };
-}
-function parseJsonFile(filePath) {
-  try {
-    const raw = import_node_fs7.default.readFileSync(filePath, "utf8");
-    return JSON.parse(raw);
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    throw new Error(`Failed to parse snapshot JSON: ${message}`, {
-      cause: error
-    });
+    } catch (error) {
+      this.db.exec("ROLLBACK");
+      throw error;
+    }
   }
-}
-function normalizeSnapshotEnv(env, cwd) {
-  return {
-    ...env,
-    CODEX_WORKDIR: import_node_path8.default.resolve(cwd, env.CODEX_WORKDIR),
-    STATE_DB_PATH: import_node_path8.default.resolve(cwd, env.STATE_DB_PATH),
-    STATE_PATH: env.STATE_PATH.trim() ? import_node_path8.default.resolve(cwd, env.STATE_PATH) : "",
-    CLI_COMPAT_RECORD_PATH: env.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path8.default.resolve(cwd, env.CLI_COMPAT_RECORD_PATH) : ""
-  };
-}
-function normalizeSnapshotRooms(rooms, cwd) {
-  const normalized = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const room of rooms) {
-    const roomId = room.roomId.trim();
-    if (!roomId) {
-      throw new Error("roomId is required for every room in snapshot.");
+  maybePruneExpiredSessions() {
+    const now = Date.now();
+    if (now - this.lastPruneAt < PRUNE_INTERVAL_MS) {
+      return;
     }
-    if (seen.has(roomId)) {
-      throw new Error(`Duplicate roomId in snapshot: ${roomId}`);
+    this.lastPruneAt = now;
+    if (this.pruneSessions(now)) {
+      this.touchDatabase();
     }
-    seen.add(roomId);
-    const workdir = import_node_path8.default.resolve(cwd, room.workdir);
-    ensureDirectory2(workdir, `room workdir (${roomId})`);
-    normalized.push({
-      roomId,
-      enabled: room.enabled,
-      allowMention: room.allowMention,
-      allowReply: room.allowReply,
-      allowActiveWindow: room.allowActiveWindow,
-      allowPrefix: room.allowPrefix,
-      workdir
-    });
   }
-  return normalized;
-}
-function synchronizeRoomSettings(stateStore, rooms) {
-  const incoming = new Map(rooms.map((room) => [room.roomId, room]));
-  const existing = stateStore.listRoomSettings();
-  for (const room of existing) {
-    if (!incoming.has(room.roomId)) {
-      stateStore.deleteRoomSettings(room.roomId);
+  pruneSessions(now = Date.now()) {
+    let changed = false;
+    if (this.pruneExpiredSessions(now)) {
+      changed = true;
+    }
+    if (this.pruneExcessSessions()) {
+      changed = true;
     }
+    return changed;
   }
-  for (const room of rooms) {
-    stateStore.upsertRoomSettings(room);
+  pruneExpiredSessions(now) {
+    if (this.maxSessionAgeMs <= 0) {
+      return false;
+    }
+    const result = this.db.prepare("DELETE FROM sessions WHERE updated_at < ?1").run(now - this.maxSessionAgeMs);
+    return (result.changes ?? 0) > 0;
   }
-}
-function persistEnvSnapshot(cwd, env) {
-  const envPath = import_node_path8.default.resolve(cwd, ".env");
-  const examplePath = import_node_path8.default.resolve(cwd, ".env.example");
-  const template = import_node_fs7.default.existsSync(envPath) ? import_node_fs7.default.readFileSync(envPath, "utf8") : import_node_fs7.default.existsSync(examplePath) ? import_node_fs7.default.readFileSync(examplePath, "utf8") : "";
-  const overrides = {};
-  for (const key of CONFIG_SNAPSHOT_ENV_KEYS) {
-    overrides[key] = env[key];
+  pruneExcessSessions() {
+    if (this.maxSessions <= 0) {
+      return false;
+    }
+    const row = this.db.prepare("SELECT COUNT(*) AS count FROM sessions").get();
+    const count = row?.count ?? 0;
+    if (count <= this.maxSessions) {
+      return false;
+    }
+    const removeCount = count - this.maxSessions;
+    const result = this.db.prepare(
+      "DELETE FROM sessions WHERE session_key IN (SELECT session_key FROM sessions ORDER BY updated_at ASC LIMIT ?1)"
+    ).run(removeCount);
+    return (result.changes ?? 0) > 0;
   }
-  const next = applyEnvOverrides(template, overrides);
-  import_node_fs7.default.writeFileSync(envPath, next, "utf8");
-}
-function ensureDirectory2(dirPath, label) {
-  if (!import_node_fs7.default.existsSync(dirPath) || !import_node_fs7.default.statSync(dirPath).isDirectory()) {
-    throw new Error(`${label} does not exist or is not a directory: ${dirPath}`);
+  touchDatabase() {
+    this.db.exec("PRAGMA wal_checkpoint(PASSIVE)");
   }
-}
-function parseIntStrict(raw) {
-  const value = Number.parseInt(raw, 10);
-  if (!Number.isFinite(value)) {
-    throw new Error(`Invalid integer value: ${raw}`);
+};
+function loadLegacyState(filePath) {
+  try {
+    const raw = import_node_fs7.default.readFileSync(filePath, "utf8");
+    const parsed = JSON.parse(raw);
+    if (!parsed.sessions || typeof parsed.sessions !== "object") {
+      return null;
+    }
+    normalizeLegacyState(parsed);
+    return parsed;
+  } catch {
+    return null;
   }
-  return value;
 }
-function serializeJsonObject(value) {
-  return Object.keys(value).length > 0 ? JSON.stringify(value) : "";
+function parseUpdatedAt(updatedAt) {
+  const timestamp = Date.parse(updatedAt);
+  return Number.isFinite(timestamp) ? timestamp : Date.now();
 }
-function booleanStringSchema(key) {
-  return import_zod2.z.string().refine((value) => BOOLEAN_STRING.test(value), {
-    message: `${key} must be a boolean string (true/false).`
-  });
+function parseOptionalTimestamp(value) {
+  if (!value) {
+    return null;
+  }
+  const ts = Date.parse(value);
+  return Number.isFinite(ts) ? ts : null;
 }
-function integerStringSchema(key, min, max = Number.MAX_SAFE_INTEGER) {
-  return import_zod2.z.string().refine((value) => {
-    const trimmed = value.trim();
-    if (!INTEGER_STRING.test(trimmed)) {
-      return false;
+function normalizeLegacyState(state) {
+  for (const session of Object.values(state.sessions)) {
+    if (!Array.isArray(session.processedEventIds)) {
+      session.processedEventIds = [];
     }
-    const parsed = Number.parseInt(trimmed, 10);
-    if (!Number.isFinite(parsed)) {
-      return false;
+    if (typeof session.codexSessionId !== "string" && session.codexSessionId !== null) {
+      session.codexSessionId = null;
     }
-    return parsed >= min && parsed <= max;
-  }, {
-    message: `${key} must be an integer string in range [${min}, ${max}].`
-  });
-}
-function jsonObjectStringSchema(key, allowEmpty) {
-  return import_zod2.z.string().refine((value) => {
-    const trimmed = value.trim();
-    if (!trimmed) {
-      return allowEmpty;
+    if (typeof session.updatedAt !== "string") {
+      session.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
     }
-    let parsed;
-    try {
-      parsed = JSON.parse(trimmed);
-    } catch {
-      return false;
+    if (typeof session.activeUntil !== "string" && session.activeUntil !== null) {
+      session.activeUntil = null;
     }
-    return Boolean(parsed) && typeof parsed === "object" && !Array.isArray(parsed);
-  }, {
-    message: `${key} must be an empty string or a JSON object string.`
-  });
+  }
+}
+function boolToInt(value) {
+  return value ? 1 : 0;
 }
-// src/preflight.ts
-var import_node_child_process4 = require("child_process");
-var import_node_fs8 = __toESM(require("fs"));
-var import_node_path9 = __toESM(require("path"));
-var import_node_util3 = require("util");
-var execFileAsync3 = (0, import_node_util3.promisify)(import_node_child_process4.execFile);
-var REQUIRED_ENV_KEYS = ["MATRIX_HOMESERVER", "MATRIX_USER_ID", "MATRIX_ACCESS_TOKEN"];
-async function runStartupPreflight(options = {}) {
-  const env = options.env ?? process.env;
-  const cwd = options.cwd ?? process.cwd();
-  const checkCodexBinary = options.checkCodexBinary ?? defaultCheckCodexBinary;
-  const fileExists = options.fileExists ?? import_node_fs8.default.existsSync;
-  const isDirectory = options.isDirectory ?? defaultIsDirectory;
-  const issues = [];
-  const envPath = import_node_path9.default.resolve(cwd, ".env");
-  if (!fileExists(envPath)) {
-    issues.push({
-      level: "warn",
-      code: "missing_dotenv",
-      check: ".env",
-      message: `No .env file found at ${envPath}.`,
-      fix: 'Run "codeharbor init" to create baseline config.'
+// src/app.ts
+var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process4.execFile);
+var CodeHarborApp = class {
+  config;
+  logger;
+  stateStore;
+  channel;
+  orchestrator;
+  configService;
+  constructor(config) {
+    this.config = config;
+    this.logger = new Logger(config.logLevel);
+    this.stateStore = new StateStore(
+      config.stateDbPath,
+      config.legacyStateJsonPath,
+      config.maxProcessedEventsPerSession,
+      config.maxSessionAgeDays,
+      config.maxSessions
+    );
+    this.configService = new ConfigService(this.stateStore, config.codexWorkdir);
+    const executor = new CodexExecutor({
+      bin: config.codexBin,
+      model: config.codexModel,
+      workdir: config.codexWorkdir,
+      dangerousBypass: config.codexDangerousBypass,
+      timeoutMs: config.codexExecTimeoutMs,
+      sandboxMode: config.codexSandboxMode,
+      approvalPolicy: config.codexApprovalPolicy,
+      extraArgs: config.codexExtraArgs,
+      extraEnv: config.codexExtraEnv
+    });
+    this.channel = new MatrixChannel(config, this.logger);
+    this.orchestrator = new Orchestrator(this.channel, executor, this.stateStore, this.logger, {
+      progressUpdatesEnabled: config.matrixProgressUpdates,
+      progressMinIntervalMs: config.matrixProgressMinIntervalMs,
+      typingTimeoutMs: config.matrixTypingTimeoutMs,
+      commandPrefix: config.matrixCommandPrefix,
+      matrixUserId: config.matrixUserId,
+      sessionActiveWindowMinutes: config.sessionActiveWindowMinutes,
+      defaultGroupTriggerPolicy: config.defaultGroupTriggerPolicy,
+      roomTriggerPolicies: config.roomTriggerPolicies,
+      rateLimiterOptions: config.rateLimiter,
+      cliCompat: config.cliCompat,
+      multiAgentWorkflow: config.agentWorkflow,
+      configService: this.configService,
+      defaultCodexWorkdir: config.codexWorkdir
+    });
+  }
+  async start() {
+    this.logger.info("CodeHarbor starting", {
+      matrixHomeserver: this.config.matrixHomeserver,
+      workdir: this.config.codexWorkdir,
+      prefix: this.config.matrixCommandPrefix || "<none>"
+    });
+    await this.channel.start(this.orchestrator.handleMessage.bind(this.orchestrator));
+    this.logger.info("CodeHarbor is running.");
+  }
+  async stop() {
+    this.logger.info("CodeHarbor stopping.");
+    try {
+      await this.channel.stop();
+    } finally {
+      await this.stateStore.flush();
+    }
+  }
+};
+var CodeHarborAdminApp = class {
+  config;
+  logger;
+  stateStore;
+  configService;
+  adminServer;
+  constructor(config, options) {
+    this.config = config;
+    this.logger = new Logger(config.logLevel);
+    this.stateStore = new StateStore(
+      config.stateDbPath,
+      config.legacyStateJsonPath,
+      config.maxProcessedEventsPerSession,
+      config.maxSessionAgeDays,
+      config.maxSessions
+    );
+    this.configService = new ConfigService(this.stateStore, config.codexWorkdir);
+    this.adminServer = new AdminServer(config, this.logger, this.stateStore, this.configService, {
+      host: options?.host ?? config.adminBindHost,
+      port: options?.port ?? config.adminPort,
+      adminToken: config.adminToken,
+      adminIpAllowlist: config.adminIpAllowlist,
+      adminAllowedOrigins: config.adminAllowedOrigins
     });
   }
-  for (const key of REQUIRED_ENV_KEYS) {
-    if (!readEnv(env, key)) {
-      issues.push({
-        level: "error",
-        code: "missing_env",
-        check: key,
-        message: `${key} is required.`,
-        fix: `Run "codeharbor init" or set ${key} in .env.`
-      });
-    }
+  async start() {
+    await this.adminServer.start();
+    const address = this.adminServer.getAddress();
+    this.logger.info("CodeHarbor admin server started", {
+      host: address?.host ?? this.config.adminBindHost,
+      port: address?.port ?? this.config.adminPort,
+      tokenProtected: Boolean(this.config.adminToken)
+    });
   }
-  const matrixHomeserver = readEnv(env, "MATRIX_HOMESERVER");
-  if (matrixHomeserver) {
+  async stop() {
+    this.logger.info("CodeHarbor admin server stopping.");
     try {
-      new URL(matrixHomeserver);
-    } catch {
-      issues.push({
-        level: "error",
-        code: "invalid_matrix_homeserver",
-        check: "MATRIX_HOMESERVER",
-        message: `Invalid URL: "${matrixHomeserver}".`,
-        fix: "Set MATRIX_HOMESERVER to a full URL, for example https://matrix.example.com."
-      });
+      await this.adminServer.stop();
+    } finally {
+      await this.stateStore.flush();
     }
   }
-  const matrixUserId = readEnv(env, "MATRIX_USER_ID");
-  if (matrixUserId && !/^@[^:\s]+:.+/.test(matrixUserId)) {
-    issues.push({
-      level: "error",
-      code: "invalid_matrix_user_id",
-      check: "MATRIX_USER_ID",
-      message: `Unexpected Matrix user id format: "${matrixUserId}".`,
-      fix: "Set MATRIX_USER_ID like @bot:example.com."
-    });
-  }
-  const codexBin = readEnv(env, "CODEX_BIN") || "codex";
+};
+async function runDoctor(config) {
+  const logger = new Logger(config.logLevel);
+  logger.info("Doctor check started");
   try {
-    await checkCodexBinary(codexBin);
+    const { stdout } = await execFileAsync2(config.codexBin, ["--version"]);
+    logger.info("codex available", { version: stdout.trim() });
   } catch (error) {
-    const reason = error instanceof Error && error.message ? ` (${error.message})` : "";
-    issues.push({
-      level: "error",
-      code: "missing_codex_bin",
-      check: "CODEX_BIN",
-      message: `Unable to execute "${codexBin}"${reason}.`,
-      fix: `Install Codex CLI and ensure "${codexBin}" is in PATH, or set CODEX_BIN=/absolute/path/to/codex.`
-    });
+    logger.error("codex unavailable", error);
+    throw error;
   }
-  const configuredWorkdir = readEnv(env, "CODEX_WORKDIR");
-  const workdir = import_node_path9.default.resolve(cwd, configuredWorkdir || cwd);
-  if (!fileExists(workdir) || !isDirectory(workdir)) {
-    issues.push({
-      level: "error",
-      code: "invalid_codex_workdir",
-      check: "CODEX_WORKDIR",
-      message: `Working directory does not exist or is not a directory: ${workdir}.`,
-      fix: `Set CODEX_WORKDIR to an existing directory, for example CODEX_WORKDIR=${cwd}.`
+  try {
+    const controller = new AbortController();
+    const timer = setTimeout(() => controller.abort(), config.doctorHttpTimeoutMs);
+    timer.unref?.();
+    const response = await fetch(`${config.matrixHomeserver}/_matrix/client/versions`, {
+      signal: controller.signal
+    }).finally(() => {
+      clearTimeout(timer);
     });
+    if (!response.ok) {
+      throw new Error(`HTTP ${response.status}`);
+    }
+    const body = await response.json();
+    logger.info("matrix reachable", { versions: body.versions ?? [] });
+  } catch (error) {
+    logger.error("matrix unreachable", error);
+    throw error;
   }
-  return {
-    ok: issues.every((issue) => issue.level !== "error"),
-    issues
-  };
+  logger.info("Doctor check passed");
 }
-function formatPreflightReport(result, commandName) {
-  const lines = [];
-  const errors = result.issues.filter((issue) => issue.level === "error").length;
-  const warnings = result.issues.filter((issue) => issue.level === "warn").length;
-  if (result.ok) {
-    lines.push(`Preflight check passed for "codeharbor ${commandName}" with ${warnings} warning(s).`);
-  } else {
-    lines.push(
-      `Preflight check failed for "codeharbor ${commandName}" with ${errors} error(s) and ${warnings} warning(s).`
-    );
+// src/utils/admin-host.ts
+function isNonLoopbackHost(host) {
+  const normalized = host.trim().toLowerCase();
+  if (!normalized) {
+    return false;
+  }
+  return !(normalized === "localhost" || normalized === "127.0.0.1" || normalized === "::1" || normalized === "[::1]");
+}
+// src/config.ts
+var import_node_fs8 = __toESM(require("fs"));
+var import_node_path9 = __toESM(require("path"));
+var import_dotenv2 = __toESM(require("dotenv"));
+var import_zod = require("zod");
+var configSchema = import_zod.z.object({
+  MATRIX_HOMESERVER: import_zod.z.string().url(),
+  MATRIX_USER_ID: import_zod.z.string().min(1),
+  MATRIX_ACCESS_TOKEN: import_zod.z.string().min(1),
+  MATRIX_COMMAND_PREFIX: import_zod.z.string().default("!code"),
+  CODEX_BIN: import_zod.z.string().default("codex"),
+  CODEX_MODEL: import_zod.z.string().optional(),
+  CODEX_WORKDIR: import_zod.z.string().default("."),
+  CODEX_DANGEROUS_BYPASS: import_zod.z.string().default("false").transform((v) => v.toLowerCase() === "true"),
+  CODEX_EXEC_TIMEOUT_MS: import_zod.z.string().default("600000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  CODEX_SANDBOX_MODE: import_zod.z.string().optional(),
+  CODEX_APPROVAL_POLICY: import_zod.z.string().optional(),
+  CODEX_EXTRA_ARGS: import_zod.z.string().default(""),
+  CODEX_EXTRA_ENV_JSON: import_zod.z.string().default(""),
+  AGENT_WORKFLOW_ENABLED: import_zod.z.string().default("false").transform((v) => v.toLowerCase() === "true"),
+  AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS: import_zod.z.string().default("1").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().min(0).max(10)),
+  STATE_DB_PATH: import_zod.z.string().default("data/state.db"),
+  STATE_PATH: import_zod.z.string().default("data/state.json"),
+  MAX_PROCESSED_EVENTS_PER_SESSION: import_zod.z.string().default("200").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  MAX_SESSION_AGE_DAYS: import_zod.z.string().default("30").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  MAX_SESSIONS: import_zod.z.string().default("5000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  REPLY_CHUNK_SIZE: import_zod.z.string().default("3500").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  MATRIX_PROGRESS_UPDATES: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
+  MATRIX_PROGRESS_MIN_INTERVAL_MS: import_zod.z.string().default("2500").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  MATRIX_TYPING_TIMEOUT_MS: import_zod.z.string().default("10000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  SESSION_ACTIVE_WINDOW_MINUTES: import_zod.z.string().default("20").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  GROUP_TRIGGER_ALLOW_MENTION: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
+  GROUP_TRIGGER_ALLOW_REPLY: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
+  GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
+  GROUP_TRIGGER_ALLOW_PREFIX: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
+  ROOM_TRIGGER_POLICY_JSON: import_zod.z.string().default(""),
+  RATE_LIMIT_WINDOW_SECONDS: import_zod.z.string().default("60").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  RATE_LIMIT_MAX_REQUESTS_PER_USER: import_zod.z.string().default("20").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
+  RATE_LIMIT_MAX_REQUESTS_PER_ROOM: import_zod.z.string().default("120").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
+  RATE_LIMIT_MAX_CONCURRENT_GLOBAL: import_zod.z.string().default("8").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
+  RATE_LIMIT_MAX_CONCURRENT_PER_USER: import_zod.z.string().default("1").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
+  RATE_LIMIT_MAX_CONCURRENT_PER_ROOM: import_zod.z.string().default("4").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
+  CLI_COMPAT_MODE: import_zod.z.string().default("false").transform((v) => v.toLowerCase() === "true"),
+  CLI_COMPAT_PASSTHROUGH_EVENTS: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
+  CLI_COMPAT_PRESERVE_WHITESPACE: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
+  CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT: import_zod.z.string().default("false").transform((v) => v.toLowerCase() === "true"),
+  CLI_COMPAT_PROGRESS_THROTTLE_MS: import_zod.z.string().default("300").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().nonnegative()),
+  CLI_COMPAT_FETCH_MEDIA: import_zod.z.string().default("true").transform((v) => v.toLowerCase() === "true"),
+  CLI_COMPAT_RECORD_PATH: import_zod.z.string().default(""),
+  DOCTOR_HTTP_TIMEOUT_MS: import_zod.z.string().default("10000").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().positive()),
+  ADMIN_BIND_HOST: import_zod.z.string().default("127.0.0.1"),
+  ADMIN_PORT: import_zod.z.string().default("8787").transform((v) => Number.parseInt(v, 10)).pipe(import_zod.z.number().int().min(1).max(65535)),
+  ADMIN_TOKEN: import_zod.z.string().default(""),
+  ADMIN_IP_ALLOWLIST: import_zod.z.string().default(""),
+  ADMIN_ALLOWED_ORIGINS: import_zod.z.string().default(""),
+  LOG_LEVEL: import_zod.z.enum(["debug", "info", "warn", "error"]).default("info")
+}).transform((v) => ({
+  matrixHomeserver: v.MATRIX_HOMESERVER,
+  matrixUserId: v.MATRIX_USER_ID,
+  matrixAccessToken: v.MATRIX_ACCESS_TOKEN,
+  matrixCommandPrefix: v.MATRIX_COMMAND_PREFIX,
+  codexBin: v.CODEX_BIN,
+  codexModel: v.CODEX_MODEL?.trim() || null,
+  codexWorkdir: import_node_path9.default.resolve(v.CODEX_WORKDIR),
+  codexDangerousBypass: v.CODEX_DANGEROUS_BYPASS,
+  codexExecTimeoutMs: v.CODEX_EXEC_TIMEOUT_MS,
+  codexSandboxMode: v.CODEX_SANDBOX_MODE?.trim() || null,
+  codexApprovalPolicy: v.CODEX_APPROVAL_POLICY?.trim() || null,
+  codexExtraArgs: parseExtraArgs(v.CODEX_EXTRA_ARGS),
+  codexExtraEnv: parseExtraEnv(v.CODEX_EXTRA_ENV_JSON),
+  agentWorkflow: {
+    enabled: v.AGENT_WORKFLOW_ENABLED,
+    autoRepairMaxRounds: v.AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS
+  },
+  stateDbPath: import_node_path9.default.resolve(v.STATE_DB_PATH),
+  legacyStateJsonPath: v.STATE_PATH.trim() ? import_node_path9.default.resolve(v.STATE_PATH) : null,
+  maxProcessedEventsPerSession: v.MAX_PROCESSED_EVENTS_PER_SESSION,
+  maxSessionAgeDays: v.MAX_SESSION_AGE_DAYS,
+  maxSessions: v.MAX_SESSIONS,
+  replyChunkSize: v.REPLY_CHUNK_SIZE,
+  matrixProgressUpdates: v.MATRIX_PROGRESS_UPDATES,
+  matrixProgressMinIntervalMs: v.MATRIX_PROGRESS_MIN_INTERVAL_MS,
+  matrixTypingTimeoutMs: v.MATRIX_TYPING_TIMEOUT_MS,
+  sessionActiveWindowMinutes: v.SESSION_ACTIVE_WINDOW_MINUTES,
+  defaultGroupTriggerPolicy: {
+    allowMention: v.GROUP_TRIGGER_ALLOW_MENTION,
+    allowReply: v.GROUP_TRIGGER_ALLOW_REPLY,
+    allowActiveWindow: v.GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW,
+    allowPrefix: v.GROUP_TRIGGER_ALLOW_PREFIX
+  },
+  roomTriggerPolicies: parseRoomTriggerPolicyOverrides(v.ROOM_TRIGGER_POLICY_JSON),
+  rateLimiter: {
+    windowMs: v.RATE_LIMIT_WINDOW_SECONDS * 1e3,
+    maxRequestsPerUser: v.RATE_LIMIT_MAX_REQUESTS_PER_USER,
+    maxRequestsPerRoom: v.RATE_LIMIT_MAX_REQUESTS_PER_ROOM,
+    maxConcurrentGlobal: v.RATE_LIMIT_MAX_CONCURRENT_GLOBAL,
+    maxConcurrentPerUser: v.RATE_LIMIT_MAX_CONCURRENT_PER_USER,
+    maxConcurrentPerRoom: v.RATE_LIMIT_MAX_CONCURRENT_PER_ROOM
+  },
+  cliCompat: {
+    enabled: v.CLI_COMPAT_MODE,
+    passThroughEvents: v.CLI_COMPAT_PASSTHROUGH_EVENTS,
+    preserveWhitespace: v.CLI_COMPAT_PRESERVE_WHITESPACE,
+    disableReplyChunkSplit: v.CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT,
+    progressThrottleMs: v.CLI_COMPAT_PROGRESS_THROTTLE_MS,
+    fetchMedia: v.CLI_COMPAT_FETCH_MEDIA,
+    recordPath: v.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path9.default.resolve(v.CLI_COMPAT_RECORD_PATH) : null
+  },
+  doctorHttpTimeoutMs: v.DOCTOR_HTTP_TIMEOUT_MS,
+  adminBindHost: v.ADMIN_BIND_HOST.trim() || "127.0.0.1",
+  adminPort: v.ADMIN_PORT,
+  adminToken: v.ADMIN_TOKEN.trim() || null,
+  adminIpAllowlist: parseCsvList(v.ADMIN_IP_ALLOWLIST),
+  adminAllowedOrigins: parseCsvList(v.ADMIN_ALLOWED_ORIGINS),
+  logLevel: v.LOG_LEVEL
+}));
+function loadEnvFromFile(filePath = import_node_path9.default.resolve(process.cwd(), ".env"), env = process.env) {
+  import_dotenv2.default.config({
+    path: filePath,
+    processEnv: env,
+    quiet: true
+  });
+}
+function loadConfig(env = process.env) {
+  const parsed = configSchema.safeParse(env);
+  if (!parsed.success) {
+    const message = parsed.error.issues.map((issue) => `${issue.path.join(".") || "config"}: ${issue.message}`).join("; ");
+    throw new Error(`Invalid configuration: ${message}`);
+  }
+  import_node_fs8.default.mkdirSync(import_node_path9.default.dirname(parsed.data.stateDbPath), { recursive: true });
+  if (parsed.data.legacyStateJsonPath) {
+    import_node_fs8.default.mkdirSync(import_node_path9.default.dirname(parsed.data.legacyStateJsonPath), { recursive: true });
+  }
+  return parsed.data;
+}
+function parseRoomTriggerPolicyOverrides(raw) {
+  const trimmed = raw.trim();
+  if (!trimmed) {
+    return {};
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(trimmed);
+  } catch {
+    throw new Error("ROOM_TRIGGER_POLICY_JSON must be valid JSON.");
   }
-  for (const issue of result.issues) {
-    const level = issue.level.toUpperCase();
-    lines.push(`- [${level}] ${issue.check}: ${issue.message}`);
-    lines.push(`  fix: ${issue.fix}`);
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("ROOM_TRIGGER_POLICY_JSON must be an object keyed by room id.");
   }
-  return `${lines.join("\n")}
-`;
+  const output = {};
+  for (const [roomId, value] of Object.entries(parsed)) {
+    if (!value || typeof value !== "object" || Array.isArray(value)) {
+      throw new Error(`ROOM_TRIGGER_POLICY_JSON[${roomId}] must be an object.`);
+    }
+    const item = value;
+    const override = {};
+    for (const key of ["allowMention", "allowReply", "allowActiveWindow", "allowPrefix"]) {
+      if (item[key] === void 0) {
+        continue;
+      }
+      if (typeof item[key] !== "boolean") {
+        throw new Error(`ROOM_TRIGGER_POLICY_JSON[${roomId}].${key} must be boolean.`);
+      }
+      override[key] = item[key];
+    }
+    output[roomId] = override;
+  }
+  return output;
 }
-async function defaultCheckCodexBinary(bin) {
-  await execFileAsync3(bin, ["--version"]);
+function parseExtraArgs(raw) {
+  const trimmed = raw.trim();
+  if (!trimmed) {
+    return [];
+  }
+  return trimmed.split(/\s+/).map((entry) => entry.trim()).filter((entry) => entry.length > 0);
 }
-function defaultIsDirectory(targetPath) {
+function parseExtraEnv(raw) {
+  const trimmed = raw.trim();
+  if (!trimmed) {
+    return {};
+  }
+  let parsed;
   try {
-    return import_node_fs8.default.statSync(targetPath).isDirectory();
+    parsed = JSON.parse(trimmed);
   } catch {
-    return false;
+    throw new Error("CODEX_EXTRA_ENV_JSON must be valid JSON object.");
+  }
+  if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+    throw new Error("CODEX_EXTRA_ENV_JSON must be a key/value object.");
+  }
+  const output = {};
+  for (const [key, value] of Object.entries(parsed)) {
+    if (typeof value !== "string") {
+      throw new Error(`CODEX_EXTRA_ENV_JSON[${key}] must be string.`);
+    }
+    output[key] = value;
   }
+  return output;
 }
-function readEnv(env, key) {
-  return env[key]?.trim() ?? "";
+function parseCsvList(raw) {
+  return raw.split(",").map((entry) => entry.trim()).filter((entry) => entry.length > 0);
 }
-// src/runtime-home.ts
+// src/config-snapshot.ts
 var import_node_fs9 = __toESM(require("fs"));
-var import_node_os2 = __toESM(require("os"));
 var import_node_path10 = __toESM(require("path"));
-var LEGACY_RUNTIME_HOME = "/opt/codeharbor";
-var USER_RUNTIME_HOME_DIR = ".codeharbor";
-var DEFAULT_RUNTIME_HOME = import_node_path10.default.resolve(import_node_os2.default.homedir(), USER_RUNTIME_HOME_DIR);
-var RUNTIME_HOME_ENV_KEY = "CODEHARBOR_HOME";
-function resolveRuntimeHome(env = process.env) {
-  const configured = env[RUNTIME_HOME_ENV_KEY]?.trim();
-  if (configured) {
-    return import_node_path10.default.resolve(configured);
-  }
-  const legacyEnvPath = import_node_path10.default.resolve(LEGACY_RUNTIME_HOME, ".env");
-  if (import_node_fs9.default.existsSync(legacyEnvPath)) {
-    return LEGACY_RUNTIME_HOME;
+var import_zod2 = require("zod");
+var CONFIG_SNAPSHOT_SCHEMA_VERSION = 1;
+var CONFIG_SNAPSHOT_ENV_KEYS = [
+  "MATRIX_HOMESERVER",
+  "MATRIX_USER_ID",
+  "MATRIX_ACCESS_TOKEN",
+  "MATRIX_COMMAND_PREFIX",
+  "CODEX_BIN",
+  "CODEX_MODEL",
+  "CODEX_WORKDIR",
+  "CODEX_DANGEROUS_BYPASS",
+  "CODEX_EXEC_TIMEOUT_MS",
+  "CODEX_SANDBOX_MODE",
+  "CODEX_APPROVAL_POLICY",
+  "CODEX_EXTRA_ARGS",
+  "CODEX_EXTRA_ENV_JSON",
+  "AGENT_WORKFLOW_ENABLED",
+  "AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS",
+  "STATE_DB_PATH",
+  "STATE_PATH",
+  "MAX_PROCESSED_EVENTS_PER_SESSION",
+  "MAX_SESSION_AGE_DAYS",
+  "MAX_SESSIONS",
+  "REPLY_CHUNK_SIZE",
+  "MATRIX_PROGRESS_UPDATES",
+  "MATRIX_PROGRESS_MIN_INTERVAL_MS",
+  "MATRIX_TYPING_TIMEOUT_MS",
+  "SESSION_ACTIVE_WINDOW_MINUTES",
+  "GROUP_TRIGGER_ALLOW_MENTION",
+  "GROUP_TRIGGER_ALLOW_REPLY",
+  "GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW",
+  "GROUP_TRIGGER_ALLOW_PREFIX",
+  "ROOM_TRIGGER_POLICY_JSON",
+  "RATE_LIMIT_WINDOW_SECONDS",
+  "RATE_LIMIT_MAX_REQUESTS_PER_USER",
+  "RATE_LIMIT_MAX_REQUESTS_PER_ROOM",
+  "RATE_LIMIT_MAX_CONCURRENT_GLOBAL",
+  "RATE_LIMIT_MAX_CONCURRENT_PER_USER",
+  "RATE_LIMIT_MAX_CONCURRENT_PER_ROOM",
+  "CLI_COMPAT_MODE",
+  "CLI_COMPAT_PASSTHROUGH_EVENTS",
+  "CLI_COMPAT_PRESERVE_WHITESPACE",
+  "CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT",
+  "CLI_COMPAT_PROGRESS_THROTTLE_MS",
+  "CLI_COMPAT_FETCH_MEDIA",
+  "CLI_COMPAT_RECORD_PATH",
+  "DOCTOR_HTTP_TIMEOUT_MS",
+  "ADMIN_BIND_HOST",
+  "ADMIN_PORT",
+  "ADMIN_TOKEN",
+  "ADMIN_IP_ALLOWLIST",
+  "ADMIN_ALLOWED_ORIGINS",
+  "LOG_LEVEL"
+];
+var BOOLEAN_STRING = /^(true|false)$/i;
+var INTEGER_STRING = /^-?\d+$/;
+var LOG_LEVELS = ["debug", "info", "warn", "error"];
+var roomSnapshotSchema = import_zod2.z.object({
+  roomId: import_zod2.z.string().min(1),
+  enabled: import_zod2.z.boolean(),
+  allowMention: import_zod2.z.boolean(),
+  allowReply: import_zod2.z.boolean(),
+  allowActiveWindow: import_zod2.z.boolean(),
+  allowPrefix: import_zod2.z.boolean(),
+  workdir: import_zod2.z.string().min(1)
+}).strict();
+var envSnapshotSchema = import_zod2.z.object({
+  MATRIX_HOMESERVER: import_zod2.z.string().url(),
+  MATRIX_USER_ID: import_zod2.z.string().min(1),
+  MATRIX_ACCESS_TOKEN: import_zod2.z.string().min(1),
+  MATRIX_COMMAND_PREFIX: import_zod2.z.string(),
+  CODEX_BIN: import_zod2.z.string().min(1),
+  CODEX_MODEL: import_zod2.z.string(),
+  CODEX_WORKDIR: import_zod2.z.string().min(1),
+  CODEX_DANGEROUS_BYPASS: booleanStringSchema("CODEX_DANGEROUS_BYPASS"),
+  CODEX_EXEC_TIMEOUT_MS: integerStringSchema("CODEX_EXEC_TIMEOUT_MS", 1),
+  CODEX_SANDBOX_MODE: import_zod2.z.string(),
+  CODEX_APPROVAL_POLICY: import_zod2.z.string(),
+  CODEX_EXTRA_ARGS: import_zod2.z.string(),
+  CODEX_EXTRA_ENV_JSON: jsonObjectStringSchema("CODEX_EXTRA_ENV_JSON", true),
+  AGENT_WORKFLOW_ENABLED: booleanStringSchema("AGENT_WORKFLOW_ENABLED"),
+  AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS: integerStringSchema("AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS", 0, 10),
+  STATE_DB_PATH: import_zod2.z.string().min(1),
+  STATE_PATH: import_zod2.z.string(),
+  MAX_PROCESSED_EVENTS_PER_SESSION: integerStringSchema("MAX_PROCESSED_EVENTS_PER_SESSION", 1),
+  MAX_SESSION_AGE_DAYS: integerStringSchema("MAX_SESSION_AGE_DAYS", 1),
+  MAX_SESSIONS: integerStringSchema("MAX_SESSIONS", 1),
+  REPLY_CHUNK_SIZE: integerStringSchema("REPLY_CHUNK_SIZE", 1),
+  MATRIX_PROGRESS_UPDATES: booleanStringSchema("MATRIX_PROGRESS_UPDATES"),
+  MATRIX_PROGRESS_MIN_INTERVAL_MS: integerStringSchema("MATRIX_PROGRESS_MIN_INTERVAL_MS", 1),
+  MATRIX_TYPING_TIMEOUT_MS: integerStringSchema("MATRIX_TYPING_TIMEOUT_MS", 1),
+  SESSION_ACTIVE_WINDOW_MINUTES: integerStringSchema("SESSION_ACTIVE_WINDOW_MINUTES", 1),
+  GROUP_TRIGGER_ALLOW_MENTION: booleanStringSchema("GROUP_TRIGGER_ALLOW_MENTION"),
+  GROUP_TRIGGER_ALLOW_REPLY: booleanStringSchema("GROUP_TRIGGER_ALLOW_REPLY"),
+  GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW: booleanStringSchema("GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW"),
+  GROUP_TRIGGER_ALLOW_PREFIX: booleanStringSchema("GROUP_TRIGGER_ALLOW_PREFIX"),
+  ROOM_TRIGGER_POLICY_JSON: jsonObjectStringSchema("ROOM_TRIGGER_POLICY_JSON", true),
+  RATE_LIMIT_WINDOW_SECONDS: integerStringSchema("RATE_LIMIT_WINDOW_SECONDS", 1),
+  RATE_LIMIT_MAX_REQUESTS_PER_USER: integerStringSchema("RATE_LIMIT_MAX_REQUESTS_PER_USER", 0),
+  RATE_LIMIT_MAX_REQUESTS_PER_ROOM: integerStringSchema("RATE_LIMIT_MAX_REQUESTS_PER_ROOM", 0),
+  RATE_LIMIT_MAX_CONCURRENT_GLOBAL: integerStringSchema("RATE_LIMIT_MAX_CONCURRENT_GLOBAL", 0),
+  RATE_LIMIT_MAX_CONCURRENT_PER_USER: integerStringSchema("RATE_LIMIT_MAX_CONCURRENT_PER_USER", 0),
+  RATE_LIMIT_MAX_CONCURRENT_PER_ROOM: integerStringSchema("RATE_LIMIT_MAX_CONCURRENT_PER_ROOM", 0),
+  CLI_COMPAT_MODE: booleanStringSchema("CLI_COMPAT_MODE"),
+  CLI_COMPAT_PASSTHROUGH_EVENTS: booleanStringSchema("CLI_COMPAT_PASSTHROUGH_EVENTS"),
+  CLI_COMPAT_PRESERVE_WHITESPACE: booleanStringSchema("CLI_COMPAT_PRESERVE_WHITESPACE"),
+  CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT: booleanStringSchema("CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT"),
+  CLI_COMPAT_PROGRESS_THROTTLE_MS: integerStringSchema("CLI_COMPAT_PROGRESS_THROTTLE_MS", 0),
+  CLI_COMPAT_FETCH_MEDIA: booleanStringSchema("CLI_COMPAT_FETCH_MEDIA"),
+  CLI_COMPAT_RECORD_PATH: import_zod2.z.string(),
+  DOCTOR_HTTP_TIMEOUT_MS: integerStringSchema("DOCTOR_HTTP_TIMEOUT_MS", 1),
+  ADMIN_BIND_HOST: import_zod2.z.string(),
+  ADMIN_PORT: integerStringSchema("ADMIN_PORT", 1, 65535),
+  ADMIN_TOKEN: import_zod2.z.string(),
+  ADMIN_IP_ALLOWLIST: import_zod2.z.string(),
+  ADMIN_ALLOWED_ORIGINS: import_zod2.z.string().default(""),
+  LOG_LEVEL: import_zod2.z.enum(LOG_LEVELS)
+}).strict();
+var configSnapshotSchema = import_zod2.z.object({
+  schemaVersion: import_zod2.z.literal(CONFIG_SNAPSHOT_SCHEMA_VERSION),
+  exportedAt: import_zod2.z.string().datetime({ offset: true }),
+  env: envSnapshotSchema,
+  rooms: import_zod2.z.array(roomSnapshotSchema)
+}).strict().superRefine((value, ctx) => {
+  const seen = /* @__PURE__ */ new Set();
+  for (const room of value.rooms) {
+    const roomId = room.roomId.trim();
+    if (!roomId) {
+      ctx.addIssue({
+        code: import_zod2.z.ZodIssueCode.custom,
+        message: "rooms[].roomId cannot be empty."
+      });
+      continue;
+    }
+    if (seen.has(roomId)) {
+      ctx.addIssue({
+        code: import_zod2.z.ZodIssueCode.custom,
+        message: `Duplicate room id in snapshot: ${roomId}`
+      });
+    }
+    seen.add(roomId);
   }
-  return resolveUserRuntimeHome(env);
-}
-function resolveUserRuntimeHome(env = process.env) {
-  const home = env.HOME?.trim() || import_node_os2.default.homedir();
-  return import_node_path10.default.resolve(home, USER_RUNTIME_HOME_DIR);
+});
+function buildConfigSnapshot(config, roomSettings, now = /* @__PURE__ */ new Date()) {
+  return {
+    schemaVersion: CONFIG_SNAPSHOT_SCHEMA_VERSION,
+    exportedAt: now.toISOString(),
+    env: buildSnapshotEnv(config),
+    rooms: roomSettings.map((room) => ({
+      roomId: room.roomId,
+      enabled: room.enabled,
+      allowMention: room.allowMention,
+      allowReply: room.allowReply,
+      allowActiveWindow: room.allowActiveWindow,
+      allowPrefix: room.allowPrefix,
+      workdir: room.workdir
+    }))
+  };
 }
-// src/service-manager.ts
-var import_node_child_process5 = require("child_process");
-var import_node_fs10 = __toESM(require("fs"));
-var import_node_os3 = __toESM(require("os"));
-var import_node_path11 = __toESM(require("path"));
-var SYSTEMD_DIR = "/etc/systemd/system";
-var MAIN_SERVICE_NAME = "codeharbor.service";
-var ADMIN_SERVICE_NAME = "codeharbor-admin.service";
-function resolveDefaultRunUser(env = process.env) {
-  const sudoUser = env.SUDO_USER?.trim();
-  if (sudoUser) {
-    return sudoUser;
-  }
-  const user = env.USER?.trim();
-  if (user) {
-    return user;
+function parseConfigSnapshot(raw) {
+  const parsed = configSnapshotSchema.safeParse(raw);
+  if (!parsed.success) {
+    const message = parsed.error.issues.map((issue) => `${issue.path.join(".") || "snapshot"}: ${issue.message}`).join("; ");
+    throw new Error(`Invalid config snapshot: ${message}`);
   }
+  return parsed.data;
+}
+function serializeConfigSnapshot(snapshot) {
+  return `${JSON.stringify(snapshot, null, 2)}
+`;
+}
+async function runConfigExportCommand(options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const output = options.output ?? process.stdout;
+  const config = loadConfig(options.env ?? process.env);
+  const stateStore = new StateStore(
+    config.stateDbPath,
+    config.legacyStateJsonPath,
+    config.maxProcessedEventsPerSession,
+    config.maxSessionAgeDays,
+    config.maxSessions
+  );
   try {
-    return import_node_os3.default.userInfo().username;
-  } catch {
-    return "root";
+    const snapshot = buildConfigSnapshot(config, stateStore.listRoomSettings(), options.now ?? /* @__PURE__ */ new Date());
+    const serialized = serializeConfigSnapshot(snapshot);
+    if (options.outputPath) {
+      const targetPath = import_node_path10.default.resolve(cwd, options.outputPath);
+      import_node_fs9.default.mkdirSync(import_node_path10.default.dirname(targetPath), { recursive: true });
+      import_node_fs9.default.writeFileSync(targetPath, serialized, "utf8");
+      output.write(`Exported config snapshot to ${targetPath}
+`);
+      return;
+    }
+    output.write(serialized);
+  } finally {
+    await stateStore.flush();
   }
 }
-function resolveRuntimeHomeForUser(runUser, env = process.env, explicitRuntimeHome) {
-  const configuredRuntimeHome = explicitRuntimeHome?.trim() || env[RUNTIME_HOME_ENV_KEY]?.trim();
-  if (configuredRuntimeHome) {
-    return import_node_path11.default.resolve(configuredRuntimeHome);
+async function runConfigImportCommand(options) {
+  const cwd = options.cwd ?? process.cwd();
+  const output = options.output ?? process.stdout;
+  const actor = options.actor?.trim() || "cli:config-import";
+  const sourcePath = import_node_path10.default.resolve(cwd, options.filePath);
+  if (!import_node_fs9.default.existsSync(sourcePath)) {
+    throw new Error(`Config snapshot file not found: ${sourcePath}`);
   }
-  const userHome = resolveUserHome(runUser);
-  if (userHome) {
-    return import_node_path11.default.resolve(userHome, USER_RUNTIME_HOME_DIR);
+  const snapshot = parseConfigSnapshot(parseJsonFile(sourcePath));
+  const normalizedEnv = normalizeSnapshotEnv(snapshot.env, cwd);
+  ensureDirectory2(normalizedEnv.CODEX_WORKDIR, "CODEX_WORKDIR");
+  const normalizedRooms = normalizeSnapshotRooms(snapshot.rooms, cwd);
+  if (options.dryRun) {
+    output.write(
+      [
+        `Config snapshot is valid: ${sourcePath}`,
+        `- schemaVersion: ${snapshot.schemaVersion}`,
+        `- rooms: ${normalizedRooms.length}`,
+        "- dry-run: no changes were written"
+      ].join("\n") + "\n"
+    );
+    return;
+  }
+  persistEnvSnapshot(cwd, normalizedEnv);
+  const stateStore = new StateStore(
+    normalizedEnv.STATE_DB_PATH,
+    normalizedEnv.STATE_PATH ? normalizedEnv.STATE_PATH : null,
+    parseIntStrict(normalizedEnv.MAX_PROCESSED_EVENTS_PER_SESSION),
+    parseIntStrict(normalizedEnv.MAX_SESSION_AGE_DAYS),
+    parseIntStrict(normalizedEnv.MAX_SESSIONS)
+  );
+  try {
+    synchronizeRoomSettings(stateStore, normalizedRooms);
+    stateStore.appendConfigRevision(
+      actor,
+      `import config snapshot from ${import_node_path10.default.basename(sourcePath)}`,
+      JSON.stringify({
+        type: "config_snapshot_import",
+        sourcePath,
+        roomCount: normalizedRooms.length,
+        envKeyCount: CONFIG_SNAPSHOT_ENV_KEYS.length
+      })
+    );
+  } finally {
+    await stateStore.flush();
   }
-  return import_node_path11.default.resolve(import_node_os3.default.homedir(), USER_RUNTIME_HOME_DIR);
+  output.write(
+    [
+      `Imported config snapshot from ${sourcePath}`,
+      `- updated .env in ${import_node_path10.default.resolve(cwd, ".env")}`,
+      `- synchronized room settings: ${normalizedRooms.length}`,
+      "- restart required: yes (global env settings are restart-scoped)"
+    ].join("\n") + "\n"
+  );
 }
-function buildMainServiceUnit(options) {
-  validateUnitOptions(options);
-  const runtimeHome2 = import_node_path11.default.resolve(options.runtimeHome);
-  return [
-    "[Unit]",
-    "Description=CodeHarbor main service",
-    "After=network-online.target",
-    "Wants=network-online.target",
-    "",
-    "[Service]",
-    "Type=simple",
-    `User=${options.runUser}`,
-    `WorkingDirectory=${runtimeHome2}`,
-    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
-    `ExecStart=${import_node_path11.default.resolve(options.nodeBinPath)} ${import_node_path11.default.resolve(options.cliScriptPath)} start`,
-    "Restart=always",
-    "RestartSec=3",
-    "NoNewPrivileges=true",
-    "PrivateTmp=true",
-    "ProtectSystem=full",
-    "ProtectHome=false",
-    `ReadWritePaths=${runtimeHome2}`,
-    "",
-    "[Install]",
-    "WantedBy=multi-user.target",
-    ""
-  ].join("\n");
+function buildSnapshotEnv(config) {
+  return {
+    MATRIX_HOMESERVER: config.matrixHomeserver,
+    MATRIX_USER_ID: config.matrixUserId,
+    MATRIX_ACCESS_TOKEN: config.matrixAccessToken,
+    MATRIX_COMMAND_PREFIX: config.matrixCommandPrefix,
+    CODEX_BIN: config.codexBin,
+    CODEX_MODEL: config.codexModel ?? "",
+    CODEX_WORKDIR: config.codexWorkdir,
+    CODEX_DANGEROUS_BYPASS: String(config.codexDangerousBypass),
+    CODEX_EXEC_TIMEOUT_MS: String(config.codexExecTimeoutMs),
+    CODEX_SANDBOX_MODE: config.codexSandboxMode ?? "",
+    CODEX_APPROVAL_POLICY: config.codexApprovalPolicy ?? "",
+    CODEX_EXTRA_ARGS: config.codexExtraArgs.join(" "),
+    CODEX_EXTRA_ENV_JSON: serializeJsonObject(config.codexExtraEnv),
+    AGENT_WORKFLOW_ENABLED: String(config.agentWorkflow.enabled),
+    AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS: String(config.agentWorkflow.autoRepairMaxRounds),
+    STATE_DB_PATH: config.stateDbPath,
+    STATE_PATH: config.legacyStateJsonPath ?? "",
+    MAX_PROCESSED_EVENTS_PER_SESSION: String(config.maxProcessedEventsPerSession),
+    MAX_SESSION_AGE_DAYS: String(config.maxSessionAgeDays),
+    MAX_SESSIONS: String(config.maxSessions),
+    REPLY_CHUNK_SIZE: String(config.replyChunkSize),
+    MATRIX_PROGRESS_UPDATES: String(config.matrixProgressUpdates),
+    MATRIX_PROGRESS_MIN_INTERVAL_MS: String(config.matrixProgressMinIntervalMs),
+    MATRIX_TYPING_TIMEOUT_MS: String(config.matrixTypingTimeoutMs),
+    SESSION_ACTIVE_WINDOW_MINUTES: String(config.sessionActiveWindowMinutes),
+    GROUP_TRIGGER_ALLOW_MENTION: String(config.defaultGroupTriggerPolicy.allowMention),
+    GROUP_TRIGGER_ALLOW_REPLY: String(config.defaultGroupTriggerPolicy.allowReply),
+    GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW: String(config.defaultGroupTriggerPolicy.allowActiveWindow),
+    GROUP_TRIGGER_ALLOW_PREFIX: String(config.defaultGroupTriggerPolicy.allowPrefix),
+    ROOM_TRIGGER_POLICY_JSON: serializeJsonObject(config.roomTriggerPolicies),
+    RATE_LIMIT_WINDOW_SECONDS: String(Math.max(1, Math.round(config.rateLimiter.windowMs / 1e3))),
+    RATE_LIMIT_MAX_REQUESTS_PER_USER: String(config.rateLimiter.maxRequestsPerUser),
+    RATE_LIMIT_MAX_REQUESTS_PER_ROOM: String(config.rateLimiter.maxRequestsPerRoom),
+    RATE_LIMIT_MAX_CONCURRENT_GLOBAL: String(config.rateLimiter.maxConcurrentGlobal),
+    RATE_LIMIT_MAX_CONCURRENT_PER_USER: String(config.rateLimiter.maxConcurrentPerUser),
+    RATE_LIMIT_MAX_CONCURRENT_PER_ROOM: String(config.rateLimiter.maxConcurrentPerRoom),
+    CLI_COMPAT_MODE: String(config.cliCompat.enabled),
+    CLI_COMPAT_PASSTHROUGH_EVENTS: String(config.cliCompat.passThroughEvents),
+    CLI_COMPAT_PRESERVE_WHITESPACE: String(config.cliCompat.preserveWhitespace),
+    CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT: String(config.cliCompat.disableReplyChunkSplit),
+    CLI_COMPAT_PROGRESS_THROTTLE_MS: String(config.cliCompat.progressThrottleMs),
+    CLI_COMPAT_FETCH_MEDIA: String(config.cliCompat.fetchMedia),
+    CLI_COMPAT_RECORD_PATH: config.cliCompat.recordPath ?? "",
+    DOCTOR_HTTP_TIMEOUT_MS: String(config.doctorHttpTimeoutMs),
+    ADMIN_BIND_HOST: config.adminBindHost,
+    ADMIN_PORT: String(config.adminPort),
+    ADMIN_TOKEN: config.adminToken ?? "",
+    ADMIN_IP_ALLOWLIST: config.adminIpAllowlist.join(","),
+    ADMIN_ALLOWED_ORIGINS: config.adminAllowedOrigins.join(","),
+    LOG_LEVEL: config.logLevel
+  };
 }
-function buildAdminServiceUnit(options) {
-  validateUnitOptions(options);
-  const runtimeHome2 = import_node_path11.default.resolve(options.runtimeHome);
-  return [
-    "[Unit]",
-    "Description=CodeHarbor admin service",
-    "After=network-online.target",
-    "Wants=network-online.target",
-    "",
-    "[Service]",
-    "Type=simple",
-    `User=${options.runUser}`,
-    `WorkingDirectory=${runtimeHome2}`,
-    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
-    `ExecStart=${import_node_path11.default.resolve(options.nodeBinPath)} ${import_node_path11.default.resolve(options.cliScriptPath)} admin serve`,
-    "Restart=always",
-    "RestartSec=3",
-    "NoNewPrivileges=true",
-    "PrivateTmp=true",
-    "ProtectSystem=full",
-    "ProtectHome=false",
-    `ReadWritePaths=${runtimeHome2}`,
-    "",
-    "[Install]",
-    "WantedBy=multi-user.target",
-    ""
-  ].join("\n");
+function parseJsonFile(filePath) {
+  try {
+    const raw = import_node_fs9.default.readFileSync(filePath, "utf8");
+    return JSON.parse(raw);
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    throw new Error(`Failed to parse snapshot JSON: ${message}`, {
+      cause: error
+    });
+  }
 }
-function installSystemdServices(options) {
-  assertLinuxWithSystemd();
-  assertRootPrivileges();
-  const output = options.output ?? process.stdout;
-  const runUser = options.runUser.trim();
-  const runtimeHome2 = import_node_path11.default.resolve(options.runtimeHome);
-  validateSimpleValue(runUser, "runUser");
-  validateSimpleValue(runtimeHome2, "runtimeHome");
-  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
-  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
-  ensureUserExists(runUser);
-  const runGroup = resolveUserGroup(runUser);
-  import_node_fs10.default.mkdirSync(runtimeHome2, { recursive: true });
-  runCommand("chown", ["-R", `${runUser}:${runGroup}`, runtimeHome2]);
-  const mainPath = import_node_path11.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
-  const adminPath = import_node_path11.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
-  const unitOptions = {
-    runUser,
-    runtimeHome: runtimeHome2,
-    nodeBinPath: options.nodeBinPath,
-    cliScriptPath: options.cliScriptPath
+function normalizeSnapshotEnv(env, cwd) {
+  return {
+    ...env,
+    CODEX_WORKDIR: import_node_path10.default.resolve(cwd, env.CODEX_WORKDIR),
+    STATE_DB_PATH: import_node_path10.default.resolve(cwd, env.STATE_DB_PATH),
+    STATE_PATH: env.STATE_PATH.trim() ? import_node_path10.default.resolve(cwd, env.STATE_PATH) : "",
+    CLI_COMPAT_RECORD_PATH: env.CLI_COMPAT_RECORD_PATH.trim() ? import_node_path10.default.resolve(cwd, env.CLI_COMPAT_RECORD_PATH) : ""
   };
-  import_node_fs10.default.writeFileSync(mainPath, buildMainServiceUnit(unitOptions), "utf8");
-  if (options.installAdmin) {
-    import_node_fs10.default.writeFileSync(adminPath, buildAdminServiceUnit(unitOptions), "utf8");
-  }
-  runSystemctl(["daemon-reload"]);
-  if (options.startNow) {
-    runSystemctl(["enable", "--now", MAIN_SERVICE_NAME]);
-    if (options.installAdmin) {
-      runSystemctl(["enable", "--now", ADMIN_SERVICE_NAME]);
+}
+function normalizeSnapshotRooms(rooms, cwd) {
+  const normalized = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const room of rooms) {
+    const roomId = room.roomId.trim();
+    if (!roomId) {
+      throw new Error("roomId is required for every room in snapshot.");
     }
-  } else {
-    runSystemctl(["enable", MAIN_SERVICE_NAME]);
-    if (options.installAdmin) {
-      runSystemctl(["enable", ADMIN_SERVICE_NAME]);
+    if (seen.has(roomId)) {
+      throw new Error(`Duplicate roomId in snapshot: ${roomId}`);
+    }
+    seen.add(roomId);
+    const workdir = import_node_path10.default.resolve(cwd, room.workdir);
+    ensureDirectory2(workdir, `room workdir (${roomId})`);
+    normalized.push({
+      roomId,
+      enabled: room.enabled,
+      allowMention: room.allowMention,
+      allowReply: room.allowReply,
+      allowActiveWindow: room.allowActiveWindow,
+      allowPrefix: room.allowPrefix,
+      workdir
+    });
+  }
+  return normalized;
+}
+function synchronizeRoomSettings(stateStore, rooms) {
+  const incoming = new Map(rooms.map((room) => [room.roomId, room]));
+  const existing = stateStore.listRoomSettings();
+  for (const room of existing) {
+    if (!incoming.has(room.roomId)) {
+      stateStore.deleteRoomSettings(room.roomId);
     }
   }
-  output.write(`Installed systemd unit: ${mainPath}
-`);
-  if (options.installAdmin) {
-    output.write(`Installed systemd unit: ${adminPath}
-`);
+  for (const room of rooms) {
+    stateStore.upsertRoomSettings(room);
   }
-  output.write("Done. Check status with: systemctl status codeharbor --no-pager\n");
 }
-function uninstallSystemdServices(options) {
-  assertLinuxWithSystemd();
-  assertRootPrivileges();
-  const output = options.output ?? process.stdout;
-  const mainPath = import_node_path11.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
-  const adminPath = import_node_path11.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
-  stopAndDisableIfPresent(MAIN_SERVICE_NAME);
-  if (import_node_fs10.default.existsSync(mainPath)) {
-    import_node_fs10.default.unlinkSync(mainPath);
-  }
-  if (options.removeAdmin) {
-    stopAndDisableIfPresent(ADMIN_SERVICE_NAME);
-    if (import_node_fs10.default.existsSync(adminPath)) {
-      import_node_fs10.default.unlinkSync(adminPath);
-    }
+function persistEnvSnapshot(cwd, env) {
+  const envPath = import_node_path10.default.resolve(cwd, ".env");
+  const examplePath = import_node_path10.default.resolve(cwd, ".env.example");
+  const template = import_node_fs9.default.existsSync(envPath) ? import_node_fs9.default.readFileSync(envPath, "utf8") : import_node_fs9.default.existsSync(examplePath) ? import_node_fs9.default.readFileSync(examplePath, "utf8") : "";
+  const overrides = {};
+  for (const key of CONFIG_SNAPSHOT_ENV_KEYS) {
+    overrides[key] = env[key];
   }
-  runSystemctl(["daemon-reload"]);
-  runSystemctlIgnoreFailure(["reset-failed"]);
-  output.write(`Removed systemd unit: ${mainPath}
-`);
-  if (options.removeAdmin) {
-    output.write(`Removed systemd unit: ${adminPath}
-`);
+  const next = applyEnvOverrides(template, overrides);
+  import_node_fs9.default.writeFileSync(envPath, next, "utf8");
+}
+function ensureDirectory2(dirPath, label) {
+  if (!import_node_fs9.default.existsSync(dirPath) || !import_node_fs9.default.statSync(dirPath).isDirectory()) {
+    throw new Error(`${label} does not exist or is not a directory: ${dirPath}`);
   }
-  output.write("Done.\n");
 }
-function restartSystemdServices(options) {
-  assertLinuxWithSystemd();
-  assertRootPrivileges();
-  const output = options.output ?? process.stdout;
-  runSystemctl(["restart", MAIN_SERVICE_NAME]);
-  output.write(`Restarted service: ${MAIN_SERVICE_NAME}
-`);
-  if (options.restartAdmin) {
-    runSystemctl(["restart", ADMIN_SERVICE_NAME]);
-    output.write(`Restarted service: ${ADMIN_SERVICE_NAME}
-`);
+function parseIntStrict(raw) {
+  const value = Number.parseInt(raw, 10);
+  if (!Number.isFinite(value)) {
+    throw new Error(`Invalid integer value: ${raw}`);
   }
-  output.write("Done.\n");
+  return value;
 }
-function resolveUserHome(runUser) {
-  try {
-    const passwdRaw = import_node_fs10.default.readFileSync("/etc/passwd", "utf8");
-    const line = passwdRaw.split(/\r?\n/).find((item) => item.startsWith(`${runUser}:`));
-    if (!line) {
-      return null;
+function serializeJsonObject(value) {
+  return Object.keys(value).length > 0 ? JSON.stringify(value) : "";
+}
+function booleanStringSchema(key) {
+  return import_zod2.z.string().refine((value) => BOOLEAN_STRING.test(value), {
+    message: `${key} must be a boolean string (true/false).`
+  });
+}
+function integerStringSchema(key, min, max = Number.MAX_SAFE_INTEGER) {
+  return import_zod2.z.string().refine((value) => {
+    const trimmed = value.trim();
+    if (!INTEGER_STRING.test(trimmed)) {
+      return false;
     }
-    const fields = line.split(":");
-    return fields[5] ? fields[5].trim() : null;
-  } catch {
-    return null;
-  }
+    const parsed = Number.parseInt(trimmed, 10);
+    if (!Number.isFinite(parsed)) {
+      return false;
+    }
+    return parsed >= min && parsed <= max;
+  }, {
+    message: `${key} must be an integer string in range [${min}, ${max}].`
+  });
 }
-function validateUnitOptions(options) {
-  validateSimpleValue(options.runUser, "runUser");
-  validateSimpleValue(options.runtimeHome, "runtimeHome");
-  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
-  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
+function jsonObjectStringSchema(key, allowEmpty) {
+  return import_zod2.z.string().refine((value) => {
+    const trimmed = value.trim();
+    if (!trimmed) {
+      return allowEmpty;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(trimmed);
+    } catch {
+      return false;
+    }
+    return Boolean(parsed) && typeof parsed === "object" && !Array.isArray(parsed);
+  }, {
+    message: `${key} must be an empty string or a JSON object string.`
+  });
 }
-function validateSimpleValue(value, key) {
-  if (!value.trim()) {
-    throw new Error(`${key} cannot be empty.`);
+// src/preflight.ts
+var import_node_child_process5 = require("child_process");
+var import_node_fs10 = __toESM(require("fs"));
+var import_node_path11 = __toESM(require("path"));
+var import_node_util3 = require("util");
+var execFileAsync3 = (0, import_node_util3.promisify)(import_node_child_process5.execFile);
+var REQUIRED_ENV_KEYS = ["MATRIX_HOMESERVER", "MATRIX_USER_ID", "MATRIX_ACCESS_TOKEN"];
+async function runStartupPreflight(options = {}) {
+  const env = options.env ?? process.env;
+  const cwd = options.cwd ?? process.cwd();
+  const checkCodexBinary = options.checkCodexBinary ?? defaultCheckCodexBinary;
+  const fileExists = options.fileExists ?? import_node_fs10.default.existsSync;
+  const isDirectory = options.isDirectory ?? defaultIsDirectory;
+  const issues = [];
+  const envPath = import_node_path11.default.resolve(cwd, ".env");
+  if (!fileExists(envPath)) {
+    issues.push({
+      level: "warn",
+      code: "missing_dotenv",
+      check: ".env",
+      message: `No .env file found at ${envPath}.`,
+      fix: 'Run "codeharbor init" to create baseline config.'
+    });
   }
-  if (/[\r\n]/.test(value)) {
-    throw new Error(`${key} contains invalid newline characters.`);
+  for (const key of REQUIRED_ENV_KEYS) {
+    if (!readEnv(env, key)) {
+      issues.push({
+        level: "error",
+        code: "missing_env",
+        check: key,
+        message: `${key} is required.`,
+        fix: `Run "codeharbor init" or set ${key} in .env.`
+      });
+    }
   }
-}
-function assertLinuxWithSystemd() {
-  if (process.platform !== "linux") {
-    throw new Error("Systemd service install only supports Linux.");
+  const matrixHomeserver = readEnv(env, "MATRIX_HOMESERVER");
+  if (matrixHomeserver) {
+    try {
+      new URL(matrixHomeserver);
+    } catch {
+      issues.push({
+        level: "error",
+        code: "invalid_matrix_homeserver",
+        check: "MATRIX_HOMESERVER",
+        message: `Invalid URL: "${matrixHomeserver}".`,
+        fix: "Set MATRIX_HOMESERVER to a full URL, for example https://matrix.example.com."
+      });
+    }
+  }
+  const matrixUserId = readEnv(env, "MATRIX_USER_ID");
+  if (matrixUserId && !/^@[^:\s]+:.+/.test(matrixUserId)) {
+    issues.push({
+      level: "error",
+      code: "invalid_matrix_user_id",
+      check: "MATRIX_USER_ID",
+      message: `Unexpected Matrix user id format: "${matrixUserId}".`,
+      fix: "Set MATRIX_USER_ID like @bot:example.com."
+    });
   }
+  const codexBin = readEnv(env, "CODEX_BIN") || "codex";
   try {
-    (0, import_node_child_process5.execFileSync)("systemctl", ["--version"], { stdio: "ignore" });
-  } catch {
-    throw new Error("systemctl is required but not found.");
+    await checkCodexBinary(codexBin);
+  } catch (error) {
+    const reason = error instanceof Error && error.message ? ` (${error.message})` : "";
+    issues.push({
+      level: "error",
+      code: "missing_codex_bin",
+      check: "CODEX_BIN",
+      message: `Unable to execute "${codexBin}"${reason}.`,
+      fix: `Install Codex CLI and ensure "${codexBin}" is in PATH, or set CODEX_BIN=/absolute/path/to/codex.`
+    });
+  }
+  const configuredWorkdir = readEnv(env, "CODEX_WORKDIR");
+  const workdir = import_node_path11.default.resolve(cwd, configuredWorkdir || cwd);
+  if (!fileExists(workdir) || !isDirectory(workdir)) {
+    issues.push({
+      level: "error",
+      code: "invalid_codex_workdir",
+      check: "CODEX_WORKDIR",
+      message: `Working directory does not exist or is not a directory: ${workdir}.`,
+      fix: `Set CODEX_WORKDIR to an existing directory, for example CODEX_WORKDIR=${cwd}.`
+    });
   }
+  return {
+    ok: issues.every((issue) => issue.level !== "error"),
+    issues
+  };
 }
-function assertRootPrivileges() {
-  if (typeof process.getuid !== "function") {
-    return;
+function formatPreflightReport(result, commandName) {
+  const lines = [];
+  const errors = result.issues.filter((issue) => issue.level === "error").length;
+  const warnings = result.issues.filter((issue) => issue.level === "warn").length;
+  if (result.ok) {
+    lines.push(`Preflight check passed for "codeharbor ${commandName}" with ${warnings} warning(s).`);
+  } else {
+    lines.push(
+      `Preflight check failed for "codeharbor ${commandName}" with ${errors} error(s) and ${warnings} warning(s).`
+    );
   }
-  if (process.getuid() !== 0) {
-    throw new Error("Root privileges are required. Run with sudo.");
+  for (const issue of result.issues) {
+    const level = issue.level.toUpperCase();
+    lines.push(`- [${level}] ${issue.check}: ${issue.message}`);
+    lines.push(`  fix: ${issue.fix}`);
   }
+  return `${lines.join("\n")}
+`;
 }
-function ensureUserExists(runUser) {
-  runCommand("id", ["-u", runUser]);
-}
-function resolveUserGroup(runUser) {
-  return runCommand("id", ["-gn", runUser]).trim();
-}
-function runSystemctl(args) {
-  runCommand("systemctl", args);
-}
-function stopAndDisableIfPresent(unitName) {
-  runSystemctlIgnoreFailure(["disable", "--now", unitName]);
+async function defaultCheckCodexBinary(bin) {
+  await execFileAsync3(bin, ["--version"]);
 }
-function runSystemctlIgnoreFailure(args) {
+function defaultIsDirectory(targetPath) {
   try {
-    runCommand("systemctl", args);
+    return import_node_fs10.default.statSync(targetPath).isDirectory();
   } catch {
+    return false;
   }
 }
-function runCommand(file, args) {
-  try {
-    return (0, import_node_child_process5.execFileSync)(file, args, {
-      encoding: "utf8",
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-  } catch (error) {
-    throw new Error(formatCommandError(file, args, error), { cause: error });
-  }
-}
-function formatCommandError(file, args, error) {
-  const command = `${file} ${args.join(" ")}`.trim();
-  if (error && typeof error === "object") {
-    const maybeError = error;
-    const stderr = bufferToTrimmedString(maybeError.stderr);
-    const stdout = bufferToTrimmedString(maybeError.stdout);
-    const details = stderr || stdout || maybeError.message || "command failed";
-    return `Command failed: ${command}. ${details}`;
-  }
-  return `Command failed: ${command}. ${String(error)}`;
-}
-function bufferToTrimmedString(value) {
-  if (!value) {
-    return "";
-  }
-  const text = typeof value === "string" ? value : value.toString("utf8");
-  return text.trim();
+function readEnv(env, key) {
+  return env[key]?.trim() ?? "";
 }
 // src/cli.ts