codeharbor 0.1.16 → 0.1.18

package/dist/cli.js

@@ -40,1712 +40,250 @@ var import_node_http = __toESM(require("http"));
 var import_node_path5 = __toESM(require("path"));
 var import_node_util2 = require("util");
 
-// src/init.ts
-var import_node_fs = __toESM(require("fs"));
-var import_node_path2 = __toESM(require("path"));
-var import_promises = require("readline/promises");
-var import_dotenv = __toESM(require("dotenv"));
-
-// src/codex-bin.ts
-var import_node_child_process = require("child_process");
-var import_node_os = __toESM(require("os"));
-var import_node_path = __toESM(require("path"));
-var import_node_util = require("util");
-var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
-function buildCodexBinCandidates(configuredBin, env = process.env) {
-  const normalized = configuredBin.trim() || "codex";
-  const home = env.HOME?.trim() || import_node_os.default.homedir();
-  const npmGlobalBin = home ? import_node_path.default.resolve(home, ".npm-global/bin/codex") : "";
-  const candidates = [
-    normalized,
-    "codex",
-    npmGlobalBin,
-    "/usr/bin/codex",
-    "/usr/local/bin/codex",
-    "/opt/homebrew/bin/codex"
-  ];
-  const seen = /* @__PURE__ */ new Set();
-  const output = [];
-  for (const candidate of candidates) {
-    const trimmed = candidate.trim();
-    if (!trimmed || seen.has(trimmed)) {
-      continue;
-    }
-    seen.add(trimmed);
-    output.push(trimmed);
-  }
-  return output;
-}
-async function findWorkingCodexBin(configuredBin, options = {}) {
-  const checkBinary = options.checkBinary ?? defaultCheckBinary;
-  const candidates = buildCodexBinCandidates(configuredBin, options.env);
-  for (const candidate of candidates) {
-    try {
-      await checkBinary(candidate);
-      return candidate;
-    } catch {
-    }
-  }
-  return null;
-}
-async function defaultCheckBinary(bin) {
-  await execFileAsync(bin, ["--version"]);
-}
-
-// src/init.ts
-async function runInitCommand(options = {}) {
-  const cwd = options.cwd ?? process.cwd();
-  const envPath = import_node_path2.default.resolve(cwd, ".env");
-  const templatePath = resolveInitTemplatePath(cwd);
-  const input = options.input ?? process.stdin;
-  const output = options.output ?? process.stdout;
-  const templateContent = import_node_fs.default.readFileSync(templatePath, "utf8");
-  const existingContent = import_node_fs.default.existsSync(envPath) ? import_node_fs.default.readFileSync(envPath, "utf8") : "";
-  const existingValues = existingContent ? import_dotenv.default.parse(existingContent) : {};
-  const rl = (0, import_promises.createInterface)({ input, output });
-  try {
-    if (existingContent && !options.force) {
-      const overwrite = await askYesNo(
-        rl,
-        "Detected existing .env file. Overwrite with guided setup?",
-        false
-      );
-      if (!overwrite) {
-        output.write("Init aborted. Keep existing .env unchanged.\n");
-        return;
+// src/admin-console-html.ts
+var ADMIN_CONSOLE_HTML = `<!doctype html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>CodeHarbor Admin Console</title>
+    <style>
+      :root {
+        --bg-start: #0f172a;
+        --bg-end: #1e293b;
+        --panel: #0b1224cc;
+        --panel-border: #334155;
+        --text: #e2e8f0;
+        --muted: #94a3b8;
+        --accent: #22d3ee;
+        --accent-strong: #06b6d4;
+        --danger: #f43f5e;
+        --ok: #10b981;
+        --warn: #f59e0b;
       }
-    }
-    output.write("CodeHarbor setup wizard\n");
-    output.write(`Target file: ${envPath}
-`);
-    const detectedCodexBin = await findWorkingCodexBin(existingValues.CODEX_BIN ?? "codex");
-    const questions = [
-      {
-        key: "MATRIX_HOMESERVER",
-        label: "Matrix homeserver URL",
-        required: true,
-        validate: (value) => {
-          try {
-            new URL(value);
-            return null;
-          } catch {
-            return "Please enter a valid URL, for example https://matrix.example.com";
-          }
-        }
-      },
-      {
-        key: "MATRIX_USER_ID",
-        label: "Matrix bot user id",
-        required: true,
-        validate: (value) => {
-          if (!/^@[^:\s]+:.+/.test(value)) {
-            return "Please enter a Matrix user id like @bot:example.com";
-          }
-          return null;
-        }
-      },
-      {
-        key: "MATRIX_ACCESS_TOKEN",
-        label: "Matrix access token",
-        required: true,
-        hiddenDefault: true
-      },
-      {
-        key: "MATRIX_COMMAND_PREFIX",
-        label: "Group command prefix",
-        fallbackValue: "!code"
-      },
-      {
-        key: "CODEX_BIN",
-        label: "Codex binary",
-        fallbackValue: detectedCodexBin ?? "codex"
-      },
-      {
-        key: "CODEX_WORKDIR",
-        label: "Codex working directory",
-        fallbackValue: cwd,
-        validate: (value) => {
-          const resolved = import_node_path2.default.resolve(cwd, value);
-          if (!import_node_fs.default.existsSync(resolved) || !import_node_fs.default.statSync(resolved).isDirectory()) {
-            return `Directory does not exist: ${resolved}`;
-          }
-          return null;
-        }
+      * {
+        box-sizing: border-box;
       }
-    ];
-    const updates = {};
-    for (const question of questions) {
-      const existingValue = (existingValues[question.key] ?? "").trim();
-      const value = await askValue(rl, question, existingValue);
-      updates[question.key] = value;
-    }
-    const mergedContent = applyEnvOverrides(templateContent, updates);
-    import_node_fs.default.writeFileSync(envPath, mergedContent, "utf8");
-    output.write(`Wrote ${envPath}
-`);
-    output.write("Next steps:\n");
-    output.write("1. codex login\n");
-    output.write("2. codeharbor doctor\n");
-    output.write("3. codeharbor start\n");
-  } finally {
-    rl.close();
-  }
-}
-function resolveInitTemplatePath(cwd) {
-  const candidates = [
-    import_node_path2.default.resolve(cwd, ".env.example"),
-    import_node_path2.default.resolve(__dirname, "..", ".env.example")
-  ];
-  for (const candidate of candidates) {
-    if (import_node_fs.default.existsSync(candidate)) {
-      return candidate;
-    }
-  }
-  throw new Error(`Cannot find template file. Tried: ${candidates.join(", ")}`);
-}
-function applyEnvOverrides(template, overrides) {
-  const lines = template.split(/\r?\n/);
-  const seen = /* @__PURE__ */ new Set();
-  for (let i = 0; i < lines.length; i += 1) {
-    const line = lines[i];
-    const match = /^([A-Z0-9_]+)=(.*)$/.exec(line.trim());
-    if (!match) {
-      continue;
-    }
-    const key = match[1];
-    if (!(key in overrides)) {
-      continue;
-    }
-    lines[i] = `${key}=${formatEnvValue(overrides[key] ?? "")}`;
-    seen.add(key);
-  }
-  for (const [key, value] of Object.entries(overrides)) {
-    if (seen.has(key)) {
-      continue;
-    }
-    lines.push(`${key}=${formatEnvValue(value)}`);
-  }
-  const content = lines.join("\n");
-  return content.endsWith("\n") ? content : `${content}
-`;
-}
-function formatEnvValue(value) {
-  if (!value) {
-    return "";
-  }
-  if (/^[A-Za-z0-9_./:@+-]+$/.test(value)) {
-    return value;
-  }
-  return JSON.stringify(value);
-}
-async function askValue(rl, question, existingValue) {
-  while (true) {
-    const fallback = question.fallbackValue ?? "";
-    const displayDefault = existingValue || fallback;
-    const hint = displayDefault ? question.hiddenDefault ? "[already set]" : `[${displayDefault}]` : "";
-    const answer = (await rl.question(`${question.label} ${hint}: `)).trim();
-    const finalValue = answer || existingValue || fallback;
-    if (question.required && !finalValue) {
-      rl.write("This value is required.\n");
-      continue;
-    }
-    if (question.validate) {
-      const reason = question.validate(finalValue);
-      if (reason) {
-        rl.write(`${reason}
-`);
-        continue;
+      body {
+        margin: 0;
+        font-family: "IBM Plex Sans", "Segoe UI", "Helvetica Neue", sans-serif;
+        color: var(--text);
+        background: radial-gradient(1200px 600px at 20% -10%, #1d4ed8 0%, transparent 55%),
+          radial-gradient(1000px 500px at 100% 0%, #0f766e 0%, transparent 55%),
+          linear-gradient(135deg, var(--bg-start), var(--bg-end));
+        min-height: 100vh;
       }
-    }
-    return finalValue;
-  }
-}
-async function askYesNo(rl, question, defaultValue) {
-  const defaultHint = defaultValue ? "[Y/n]" : "[y/N]";
-  const answer = (await rl.question(`${question} ${defaultHint}: `)).trim().toLowerCase();
-  if (!answer) {
-    return defaultValue;
-  }
-  return answer === "y" || answer === "yes";
-}
-
-// src/service-manager.ts
-var import_node_child_process2 = require("child_process");
-var import_node_fs3 = __toESM(require("fs"));
-var import_node_os3 = __toESM(require("os"));
-var import_node_path4 = __toESM(require("path"));
-
-// src/runtime-home.ts
-var import_node_fs2 = __toESM(require("fs"));
-var import_node_os2 = __toESM(require("os"));
-var import_node_path3 = __toESM(require("path"));
-var LEGACY_RUNTIME_HOME = "/opt/codeharbor";
-var USER_RUNTIME_HOME_DIR = ".codeharbor";
-var DEFAULT_RUNTIME_HOME = import_node_path3.default.resolve(import_node_os2.default.homedir(), USER_RUNTIME_HOME_DIR);
-var RUNTIME_HOME_ENV_KEY = "CODEHARBOR_HOME";
-function resolveRuntimeHome(env = process.env) {
-  const configured = env[RUNTIME_HOME_ENV_KEY]?.trim();
-  if (configured) {
-    return import_node_path3.default.resolve(configured);
-  }
-  const legacyEnvPath = import_node_path3.default.resolve(LEGACY_RUNTIME_HOME, ".env");
-  if (import_node_fs2.default.existsSync(legacyEnvPath)) {
-    return LEGACY_RUNTIME_HOME;
-  }
-  return resolveUserRuntimeHome(env);
-}
-function resolveUserRuntimeHome(env = process.env) {
-  const home = env.HOME?.trim() || import_node_os2.default.homedir();
-  return import_node_path3.default.resolve(home, USER_RUNTIME_HOME_DIR);
-}
-
-// src/service-manager.ts
-var SYSTEMD_DIR = "/etc/systemd/system";
-var MAIN_SERVICE_NAME = "codeharbor.service";
-var ADMIN_SERVICE_NAME = "codeharbor-admin.service";
-var SUDOERS_DIR = "/etc/sudoers.d";
-var RESTART_SUDOERS_FILE = "codeharbor-restart";
-function resolveDefaultRunUser(env = process.env) {
-  const sudoUser = env.SUDO_USER?.trim();
-  if (sudoUser) {
-    return sudoUser;
-  }
-  const user = env.USER?.trim();
-  if (user) {
-    return user;
-  }
-  try {
-    return import_node_os3.default.userInfo().username;
-  } catch {
-    return "root";
-  }
-}
-function resolveRuntimeHomeForUser(runUser, env = process.env, explicitRuntimeHome) {
-  const configuredRuntimeHome = explicitRuntimeHome?.trim() || env[RUNTIME_HOME_ENV_KEY]?.trim();
-  if (configuredRuntimeHome) {
-    return import_node_path4.default.resolve(configuredRuntimeHome);
-  }
-  const userHome = resolveUserHome(runUser);
-  if (userHome) {
-    return import_node_path4.default.resolve(userHome, USER_RUNTIME_HOME_DIR);
-  }
-  return import_node_path4.default.resolve(import_node_os3.default.homedir(), USER_RUNTIME_HOME_DIR);
-}
-function buildMainServiceUnit(options) {
-  validateUnitOptions(options);
-  const runtimeHome2 = import_node_path4.default.resolve(options.runtimeHome);
-  return [
-    "[Unit]",
-    "Description=CodeHarbor main service",
-    "After=network-online.target",
-    "Wants=network-online.target",
-    "",
-    "[Service]",
-    "Type=simple",
-    `User=${options.runUser}`,
-    `WorkingDirectory=${runtimeHome2}`,
-    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
-    `ExecStart=${import_node_path4.default.resolve(options.nodeBinPath)} ${import_node_path4.default.resolve(options.cliScriptPath)} start`,
-    "Restart=always",
-    "RestartSec=3",
-    "NoNewPrivileges=true",
-    "PrivateTmp=true",
-    "ProtectSystem=full",
-    "ProtectHome=false",
-    `ReadWritePaths=${runtimeHome2}`,
-    "",
-    "[Install]",
-    "WantedBy=multi-user.target",
-    ""
-  ].join("\n");
-}
-function buildAdminServiceUnit(options) {
-  validateUnitOptions(options);
-  const runtimeHome2 = import_node_path4.default.resolve(options.runtimeHome);
-  return [
-    "[Unit]",
-    "Description=CodeHarbor admin service",
-    "After=network-online.target",
-    "Wants=network-online.target",
-    "",
-    "[Service]",
-    "Type=simple",
-    `User=${options.runUser}`,
-    `WorkingDirectory=${runtimeHome2}`,
-    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
-    `ExecStart=${import_node_path4.default.resolve(options.nodeBinPath)} ${import_node_path4.default.resolve(options.cliScriptPath)} admin serve`,
-    "Restart=always",
-    "RestartSec=3",
-    "NoNewPrivileges=true",
-    "PrivateTmp=true",
-    "ProtectSystem=full",
-    "ProtectHome=false",
-    `ReadWritePaths=${runtimeHome2}`,
-    "",
-    "[Install]",
-    "WantedBy=multi-user.target",
-    ""
-  ].join("\n");
-}
-function buildRestartSudoersPolicy(options) {
-  const runUser = options.runUser.trim();
-  const systemctlPath = options.systemctlPath.trim();
-  validateSimpleValue(runUser, "runUser");
-  validateSimpleValue(systemctlPath, "systemctlPath");
-  if (!import_node_path4.default.isAbsolute(systemctlPath)) {
-    throw new Error("systemctlPath must be an absolute path.");
-  }
-  return [
-    "# Managed by CodeHarbor service install; do not edit manually.",
-    `Defaults:${runUser} !requiretty`,
-    `${runUser} ALL=(root) NOPASSWD: ${systemctlPath} restart ${MAIN_SERVICE_NAME}, ${systemctlPath} restart ${ADMIN_SERVICE_NAME}`,
-    ""
-  ].join("\n");
-}
-function installSystemdServices(options) {
-  assertLinuxWithSystemd();
-  assertRootPrivileges();
-  const output = options.output ?? process.stdout;
-  const runUser = options.runUser.trim();
-  const runtimeHome2 = import_node_path4.default.resolve(options.runtimeHome);
-  validateSimpleValue(runUser, "runUser");
-  validateSimpleValue(runtimeHome2, "runtimeHome");
-  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
-  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
-  ensureUserExists(runUser);
-  const runGroup = resolveUserGroup(runUser);
-  import_node_fs3.default.mkdirSync(runtimeHome2, { recursive: true });
-  runCommand("chown", ["-R", `${runUser}:${runGroup}`, runtimeHome2]);
-  const mainPath = import_node_path4.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
-  const adminPath = import_node_path4.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
-  const restartSudoersPath = import_node_path4.default.join(SUDOERS_DIR, RESTART_SUDOERS_FILE);
-  const unitOptions = {
-    runUser,
-    runtimeHome: runtimeHome2,
-    nodeBinPath: options.nodeBinPath,
-    cliScriptPath: options.cliScriptPath
-  };
-  import_node_fs3.default.writeFileSync(mainPath, buildMainServiceUnit(unitOptions), "utf8");
-  if (options.installAdmin) {
-    import_node_fs3.default.writeFileSync(adminPath, buildAdminServiceUnit(unitOptions), "utf8");
-    if (runUser !== "root") {
-      const policy = buildRestartSudoersPolicy({
-        runUser,
-        systemctlPath: resolveSystemctlPath()
-      });
-      import_node_fs3.default.mkdirSync(SUDOERS_DIR, { recursive: true });
-      import_node_fs3.default.writeFileSync(restartSudoersPath, policy, "utf8");
-      import_node_fs3.default.chmodSync(restartSudoersPath, 288);
-    }
-  }
-  runSystemctl(["daemon-reload"]);
-  if (options.startNow) {
-    runSystemctl(["enable", "--now", MAIN_SERVICE_NAME]);
-    if (options.installAdmin) {
-      runSystemctl(["enable", "--now", ADMIN_SERVICE_NAME]);
-    }
-  } else {
-    runSystemctl(["enable", MAIN_SERVICE_NAME]);
-    if (options.installAdmin) {
-      runSystemctl(["enable", ADMIN_SERVICE_NAME]);
-    }
-  }
-  output.write(`Installed systemd unit: ${mainPath}
-`);
-  if (options.installAdmin) {
-    output.write(`Installed systemd unit: ${adminPath}
-`);
-    if (runUser !== "root") {
-      output.write(`Installed sudoers policy: ${restartSudoersPath}
-`);
-    }
-  }
-  output.write("Done. Check status with: systemctl status codeharbor --no-pager\n");
-}
-function uninstallSystemdServices(options) {
-  assertLinuxWithSystemd();
-  assertRootPrivileges();
-  const output = options.output ?? process.stdout;
-  const mainPath = import_node_path4.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
-  const adminPath = import_node_path4.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
-  const restartSudoersPath = import_node_path4.default.join(SUDOERS_DIR, RESTART_SUDOERS_FILE);
-  stopAndDisableIfPresent(MAIN_SERVICE_NAME);
-  if (import_node_fs3.default.existsSync(mainPath)) {
-    import_node_fs3.default.unlinkSync(mainPath);
-  }
-  if (options.removeAdmin) {
-    stopAndDisableIfPresent(ADMIN_SERVICE_NAME);
-    if (import_node_fs3.default.existsSync(adminPath)) {
-      import_node_fs3.default.unlinkSync(adminPath);
-    }
-    if (import_node_fs3.default.existsSync(restartSudoersPath)) {
-      import_node_fs3.default.unlinkSync(restartSudoersPath);
-    }
-  }
-  runSystemctl(["daemon-reload"]);
-  runSystemctlIgnoreFailure(["reset-failed"]);
-  output.write(`Removed systemd unit: ${mainPath}
-`);
-  if (options.removeAdmin) {
-    output.write(`Removed systemd unit: ${adminPath}
-`);
-    output.write(`Removed sudoers policy: ${restartSudoersPath}
-`);
-  }
-  output.write("Done.\n");
-}
-function restartSystemdServices(options) {
-  assertLinuxWithSystemd();
-  const output = options.output ?? process.stdout;
-  const runWithSudoFallback = options.allowSudoFallback ?? true;
-  const systemctlRunner = hasRootPrivileges() || !runWithSudoFallback ? runSystemctl : runSystemctlWithNonInteractiveSudo;
-  systemctlRunner(["restart", MAIN_SERVICE_NAME]);
-  output.write(`Restarted service: ${MAIN_SERVICE_NAME}
-`);
-  if (options.restartAdmin) {
-    systemctlRunner(["restart", ADMIN_SERVICE_NAME]);
-    output.write(`Restarted service: ${ADMIN_SERVICE_NAME}
-`);
-  }
-  output.write("Done.\n");
-}
-function resolveUserHome(runUser) {
-  try {
-    const passwdRaw = import_node_fs3.default.readFileSync("/etc/passwd", "utf8");
-    const line = passwdRaw.split(/\r?\n/).find((item) => item.startsWith(`${runUser}:`));
-    if (!line) {
-      return null;
-    }
-    const fields = line.split(":");
-    return fields[5] ? fields[5].trim() : null;
-  } catch {
-    return null;
-  }
-}
-function validateUnitOptions(options) {
-  validateSimpleValue(options.runUser, "runUser");
-  validateSimpleValue(options.runtimeHome, "runtimeHome");
-  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
-  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
-}
-function validateSimpleValue(value, key) {
-  if (!value.trim()) {
-    throw new Error(`${key} cannot be empty.`);
-  }
-  if (/[\r\n]/.test(value)) {
-    throw new Error(`${key} contains invalid newline characters.`);
-  }
-}
-function assertLinuxWithSystemd() {
-  if (process.platform !== "linux") {
-    throw new Error("Systemd service install only supports Linux.");
-  }
-  try {
-    (0, import_node_child_process2.execFileSync)("systemctl", ["--version"], { stdio: "ignore" });
-  } catch {
-    throw new Error("systemctl is required but not found.");
-  }
-}
-function assertRootPrivileges() {
-  if (!hasRootPrivileges()) {
-    throw new Error("Root privileges are required. Run with sudo.");
-  }
-}
-function hasRootPrivileges() {
-  if (typeof process.getuid !== "function") {
-    return true;
-  }
-  return process.getuid() === 0;
-}
-function ensureUserExists(runUser) {
-  runCommand("id", ["-u", runUser]);
-}
-function resolveUserGroup(runUser) {
-  return runCommand("id", ["-gn", runUser]).trim();
-}
-function runSystemctl(args) {
-  runCommand("systemctl", args);
-}
-function runSystemctlWithNonInteractiveSudo(args) {
-  const systemctlPath = resolveSystemctlPath();
-  try {
-    runCommand("sudo", ["-n", systemctlPath, ...args]);
-  } catch (error) {
-    throw new Error(
-      "Root privileges are required. Configure passwordless sudo for the CodeHarbor service user or run the CLI command manually with sudo.",
-      { cause: error }
-    );
-  }
-}
-function stopAndDisableIfPresent(unitName) {
-  runSystemctlIgnoreFailure(["disable", "--now", unitName]);
-}
-function runSystemctlIgnoreFailure(args) {
-  try {
-    runCommand("systemctl", args);
-  } catch {
-  }
-}
-function resolveSystemctlPath() {
-  const candidates = [];
-  const pathEntries = (process.env.PATH ?? "").split(import_node_path4.default.delimiter).filter(Boolean);
-  for (const entry of pathEntries) {
-    candidates.push(import_node_path4.default.join(entry, "systemctl"));
-  }
-  candidates.push("/usr/bin/systemctl", "/bin/systemctl", "/usr/local/bin/systemctl");
-  for (const candidate of candidates) {
-    if (import_node_path4.default.isAbsolute(candidate) && import_node_fs3.default.existsSync(candidate)) {
-      return candidate;
-    }
-  }
-  throw new Error("Unable to resolve absolute systemctl path.");
-}
-function runCommand(file, args) {
-  try {
-    return (0, import_node_child_process2.execFileSync)(file, args, {
-      encoding: "utf8",
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-  } catch (error) {
-    throw new Error(formatCommandError(file, args, error), { cause: error });
-  }
-}
-function formatCommandError(file, args, error) {
-  const command = `${file} ${args.join(" ")}`.trim();
-  if (error && typeof error === "object") {
-    const maybeError = error;
-    const stderr = bufferToTrimmedString(maybeError.stderr);
-    const stdout = bufferToTrimmedString(maybeError.stdout);
-    const details = stderr || stdout || maybeError.message || "command failed";
-    return `Command failed: ${command}. ${details}`;
-  }
-  return `Command failed: ${command}. ${String(error)}`;
-}
-function bufferToTrimmedString(value) {
-  if (!value) {
-    return "";
-  }
-  const text = typeof value === "string" ? value : value.toString("utf8");
-  return text.trim();
-}
-
-// src/admin-server.ts
-var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process3.execFile);
-var HttpError = class extends Error {
-  statusCode;
-  constructor(statusCode, message) {
-    super(message);
-    this.statusCode = statusCode;
-  }
-};
-var AdminServer = class {
-  config;
-  logger;
-  stateStore;
-  configService;
-  host;
-  port;
-  adminToken;
-  adminTokens;
-  adminIpAllowlist;
-  adminAllowedOrigins;
-  cwd;
-  checkCodex;
-  checkMatrix;
-  restartServices;
-  server = null;
-  address = null;
-  constructor(config, logger, stateStore, configService, options) {
-    this.config = config;
-    this.logger = logger;
-    this.stateStore = stateStore;
-    this.configService = configService;
-    this.host = options.host;
-    this.port = options.port;
-    this.adminToken = options.adminToken;
-    this.adminTokens = buildAdminTokenMap(options.adminTokens ?? []);
-    this.adminIpAllowlist = normalizeAllowlist(options.adminIpAllowlist ?? []);
-    this.adminAllowedOrigins = normalizeOriginAllowlist(options.adminAllowedOrigins ?? []);
-    this.cwd = options.cwd ?? process.cwd();
-    this.checkCodex = options.checkCodex ?? defaultCheckCodex;
-    this.checkMatrix = options.checkMatrix ?? defaultCheckMatrix;
-    this.restartServices = options.restartServices ?? defaultRestartServices;
-  }
-  getAddress() {
-    return this.address;
-  }
-  async start() {
-    if (this.server) {
-      return;
-    }
-    this.server = import_node_http.default.createServer((req, res) => {
-      void this.handleRequest(req, res);
-    });
-    await new Promise((resolve, reject) => {
-      if (!this.server) {
-        reject(new Error("admin server is not initialized"));
-        return;
-      }
-      this.server.once("error", reject);
-      this.server.listen(this.port, this.host, () => {
-        this.server?.removeListener("error", reject);
-        const address = this.server?.address();
-        if (!address || typeof address === "string") {
-          reject(new Error("failed to resolve admin server address"));
-          return;
-        }
-        this.address = {
-          host: address.address,
-          port: address.port
-        };
-        resolve();
-      });
-    });
-  }
-  async stop() {
-    if (!this.server) {
-      return;
-    }
-    const server = this.server;
-    this.server = null;
-    this.address = null;
-    await new Promise((resolve, reject) => {
-      server.close((error) => {
-        if (error) {
-          reject(error);
-          return;
-        }
-        resolve();
-      });
-    });
-  }
-  async handleRequest(req, res) {
-    try {
-      const url = new URL(req.url ?? "/", "http://localhost");
-      this.setSecurityHeaders(res);
-      const corsDecision = this.resolveCors(req);
-      this.setCorsHeaders(res, corsDecision);
-      if (!this.isClientAllowed(req)) {
-        this.sendJson(res, 403, {
-          ok: false,
-          error: "Forbidden by ADMIN_IP_ALLOWLIST."
-        });
-        return;
-      }
-      if (url.pathname.startsWith("/api/admin/") && corsDecision.origin && !corsDecision.allowed) {
-        this.sendJson(res, 403, {
-          ok: false,
-          error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
-        });
-        return;
-      }
-      if (req.method === "OPTIONS") {
-        if (corsDecision.origin && !corsDecision.allowed) {
-          this.sendJson(res, 403, {
-            ok: false,
-            error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
-          });
-          return;
-        }
-        res.writeHead(204);
-        res.end();
-        return;
-      }
-      if (req.method === "GET" && isUiPath(url.pathname)) {
-        this.sendHtml(res, renderAdminConsoleHtml());
-        return;
-      }
-      const requiredRole = requiredAdminRoleForRequest(req.method, url.pathname);
-      const authIdentity = requiredRole ? this.resolveAdminIdentity(req) : null;
-      if (requiredRole && !authIdentity) {
-        this.sendJson(res, 401, {
-          ok: false,
-          error: "Unauthorized. Provide Authorization: Bearer <ADMIN_TOKEN> (or token from ADMIN_TOKENS_JSON)."
-        });
-        return;
-      }
-      if (requiredRole && authIdentity && !hasRequiredAdminRole(authIdentity.role, requiredRole)) {
-        this.sendJson(res, 403, {
-          ok: false,
-          error: "Forbidden. This endpoint requires admin write permission."
-        });
-        return;
-      }
-      if (req.method === "GET" && url.pathname === "/api/admin/auth/status") {
-        this.sendJson(res, 200, {
-          ok: true,
-          data: {
-            authenticated: Boolean(authIdentity),
-            role: authIdentity?.role ?? null,
-            source: authIdentity?.source ?? "none",
-            actor: resolveIdentityActor(authIdentity),
-            canWrite: authIdentity ? hasRequiredAdminRole(authIdentity.role, "admin") : false
-          }
-        });
-        return;
-      }
-      if (req.method === "GET" && url.pathname === "/api/admin/config/global") {
-        this.sendJson(res, 200, {
-          ok: true,
-          data: buildGlobalConfigSnapshot(this.config),
-          effective: "next_start_for_env_changes"
-        });
-        return;
-      }
-      if (req.method === "PUT" && url.pathname === "/api/admin/config/global") {
-        const body = await readJsonBody(req);
-        const actor = resolveAuditActor(req, authIdentity);
-        const result = this.updateGlobalConfig(body, actor);
-        this.sendJson(res, 200, {
-          ok: true,
-          ...result
-        });
-        return;
-      }
-      if (req.method === "GET" && url.pathname === "/api/admin/config/rooms") {
-        this.sendJson(res, 200, {
-          ok: true,
-          data: this.configService.listRoomSettings()
-        });
-        return;
-      }
-      const roomMatch = /^\/api\/admin\/config\/rooms\/(.+)$/.exec(url.pathname);
-      if (roomMatch) {
-        const roomId = decodeURIComponent(roomMatch[1]);
-        if (req.method === "GET") {
-          const room = this.configService.getRoomSettings(roomId);
-          if (!room) {
-            throw new HttpError(404, `room settings not found for ${roomId}`);
-          }
-          this.sendJson(res, 200, { ok: true, data: room });
-          return;
-        }
-        if (req.method === "PUT") {
-          const body = await readJsonBody(req);
-          const actor = resolveAuditActor(req, authIdentity);
-          const room = this.updateRoomConfig(roomId, body, actor);
-          this.sendJson(res, 200, { ok: true, data: room });
-          return;
-        }
-        if (req.method === "DELETE") {
-          const actor = resolveAuditActor(req, authIdentity);
-          this.configService.deleteRoomSettings(roomId, actor);
-          this.sendJson(res, 200, { ok: true, roomId });
-          return;
-        }
-      }
-      if (req.method === "GET" && url.pathname === "/api/admin/audit") {
-        const limit = normalizePositiveInt(url.searchParams.get("limit"), 20, 1, 200);
-        this.sendJson(res, 200, {
-          ok: true,
-          data: this.stateStore.listConfigRevisions(limit).map((entry) => formatAuditEntry(entry))
-        });
-        return;
-      }
-      if (req.method === "GET" && url.pathname === "/api/admin/health") {
-        const [codex, matrix] = await Promise.all([
-          this.checkCodex(this.config.codexBin),
-          this.checkMatrix(this.config.matrixHomeserver, this.config.doctorHttpTimeoutMs)
-        ]);
-        this.sendJson(res, 200, {
-          ok: codex.ok && matrix.ok,
-          codex,
-          matrix,
-          timestamp: (/* @__PURE__ */ new Date()).toISOString()
-        });
-        return;
-      }
-      if (req.method === "POST" && url.pathname === "/api/admin/service/restart") {
-        const body = asObject(await readJsonBody(req), "service restart payload");
-        const restartAdmin = normalizeBoolean(body.withAdmin, false);
-        const actor = resolveAuditActor(req, authIdentity);
-        try {
-          const result = await this.restartServices(restartAdmin);
-          this.stateStore.appendConfigRevision(
-            actor,
-            restartAdmin ? "restart services (main + admin)" : "restart service (main)",
-            JSON.stringify({
-              type: "service_restart",
-              restartAdmin,
-              restarted: result.restarted
-            })
-          );
-          this.sendJson(res, 200, {
-            ok: true,
-            restarted: result.restarted
-          });
-          return;
-        } catch (error) {
-          throw new HttpError(
-            500,
-            `Service restart failed: ${formatError(error)}. Install services via "codeharbor service install --with-admin" to auto-configure restart permissions, or run CLI command manually with sudo.`
-          );
-        }
-      }
-      this.sendJson(res, 404, {
-        ok: false,
-        error: `Not found: ${req.method ?? "GET"} ${url.pathname}`
-      });
-    } catch (error) {
-      if (error instanceof HttpError) {
-        this.sendJson(res, error.statusCode, {
-          ok: false,
-          error: error.message
-        });
-        return;
-      }
-      this.logger.error("Admin API request failed", error);
-      this.sendJson(res, 500, {
-        ok: false,
-        error: formatError(error)
-      });
-    }
-  }
-  updateGlobalConfig(rawBody, actor) {
-    const body = asObject(rawBody, "global config payload");
-    const envUpdates = {};
-    const updatedKeys = [];
-    if ("matrixCommandPrefix" in body) {
-      const value = String(body.matrixCommandPrefix ?? "");
-      this.config.matrixCommandPrefix = value;
-      envUpdates.MATRIX_COMMAND_PREFIX = value;
-      updatedKeys.push("matrixCommandPrefix");
-    }
-    if ("codexWorkdir" in body) {
-      const workdir = import_node_path5.default.resolve(String(body.codexWorkdir ?? "").trim());
-      ensureDirectory(workdir, "codexWorkdir");
-      this.config.codexWorkdir = workdir;
-      envUpdates.CODEX_WORKDIR = workdir;
-      updatedKeys.push("codexWorkdir");
-    }
-    if ("rateLimiter" in body) {
-      const limiter = asObject(body.rateLimiter, "rateLimiter");
-      if ("windowMs" in limiter) {
-        const value = normalizePositiveInt(limiter.windowMs, this.config.rateLimiter.windowMs, 1, Number.MAX_SAFE_INTEGER);
-        this.config.rateLimiter.windowMs = value;
-        envUpdates.RATE_LIMIT_WINDOW_SECONDS = String(Math.max(1, Math.round(value / 1e3)));
-        updatedKeys.push("rateLimiter.windowMs");
-      }
-      if ("maxRequestsPerUser" in limiter) {
-        const value = normalizeNonNegativeInt(limiter.maxRequestsPerUser, this.config.rateLimiter.maxRequestsPerUser);
-        this.config.rateLimiter.maxRequestsPerUser = value;
-        envUpdates.RATE_LIMIT_MAX_REQUESTS_PER_USER = String(value);
-        updatedKeys.push("rateLimiter.maxRequestsPerUser");
-      }
-      if ("maxRequestsPerRoom" in limiter) {
-        const value = normalizeNonNegativeInt(limiter.maxRequestsPerRoom, this.config.rateLimiter.maxRequestsPerRoom);
-        this.config.rateLimiter.maxRequestsPerRoom = value;
-        envUpdates.RATE_LIMIT_MAX_REQUESTS_PER_ROOM = String(value);
-        updatedKeys.push("rateLimiter.maxRequestsPerRoom");
-      }
-      if ("maxConcurrentGlobal" in limiter) {
-        const value = normalizeNonNegativeInt(limiter.maxConcurrentGlobal, this.config.rateLimiter.maxConcurrentGlobal);
-        this.config.rateLimiter.maxConcurrentGlobal = value;
-        envUpdates.RATE_LIMIT_MAX_CONCURRENT_GLOBAL = String(value);
-        updatedKeys.push("rateLimiter.maxConcurrentGlobal");
-      }
-      if ("maxConcurrentPerUser" in limiter) {
-        const value = normalizeNonNegativeInt(limiter.maxConcurrentPerUser, this.config.rateLimiter.maxConcurrentPerUser);
-        this.config.rateLimiter.maxConcurrentPerUser = value;
-        envUpdates.RATE_LIMIT_MAX_CONCURRENT_PER_USER = String(value);
-        updatedKeys.push("rateLimiter.maxConcurrentPerUser");
-      }
-      if ("maxConcurrentPerRoom" in limiter) {
-        const value = normalizeNonNegativeInt(limiter.maxConcurrentPerRoom, this.config.rateLimiter.maxConcurrentPerRoom);
-        this.config.rateLimiter.maxConcurrentPerRoom = value;
-        envUpdates.RATE_LIMIT_MAX_CONCURRENT_PER_ROOM = String(value);
-        updatedKeys.push("rateLimiter.maxConcurrentPerRoom");
-      }
-    }
-    if ("defaultGroupTriggerPolicy" in body) {
-      const policy = asObject(body.defaultGroupTriggerPolicy, "defaultGroupTriggerPolicy");
-      if ("allowMention" in policy) {
-        const value = normalizeBoolean(policy.allowMention, this.config.defaultGroupTriggerPolicy.allowMention);
-        this.config.defaultGroupTriggerPolicy.allowMention = value;
-        envUpdates.GROUP_TRIGGER_ALLOW_MENTION = String(value);
-        updatedKeys.push("defaultGroupTriggerPolicy.allowMention");
-      }
-      if ("allowReply" in policy) {
-        const value = normalizeBoolean(policy.allowReply, this.config.defaultGroupTriggerPolicy.allowReply);
-        this.config.defaultGroupTriggerPolicy.allowReply = value;
-        envUpdates.GROUP_TRIGGER_ALLOW_REPLY = String(value);
-        updatedKeys.push("defaultGroupTriggerPolicy.allowReply");
-      }
-      if ("allowActiveWindow" in policy) {
-        const value = normalizeBoolean(policy.allowActiveWindow, this.config.defaultGroupTriggerPolicy.allowActiveWindow);
-        this.config.defaultGroupTriggerPolicy.allowActiveWindow = value;
-        envUpdates.GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW = String(value);
-        updatedKeys.push("defaultGroupTriggerPolicy.allowActiveWindow");
-      }
-      if ("allowPrefix" in policy) {
-        const value = normalizeBoolean(policy.allowPrefix, this.config.defaultGroupTriggerPolicy.allowPrefix);
-        this.config.defaultGroupTriggerPolicy.allowPrefix = value;
-        envUpdates.GROUP_TRIGGER_ALLOW_PREFIX = String(value);
-        updatedKeys.push("defaultGroupTriggerPolicy.allowPrefix");
-      }
-    }
-    if ("matrixProgressUpdates" in body) {
-      const value = normalizeBoolean(body.matrixProgressUpdates, this.config.matrixProgressUpdates);
-      this.config.matrixProgressUpdates = value;
-      envUpdates.MATRIX_PROGRESS_UPDATES = String(value);
-      updatedKeys.push("matrixProgressUpdates");
-    }
-    if ("matrixProgressMinIntervalMs" in body) {
-      const value = normalizePositiveInt(
-        body.matrixProgressMinIntervalMs,
-        this.config.matrixProgressMinIntervalMs,
-        1,
-        Number.MAX_SAFE_INTEGER
-      );
-      this.config.matrixProgressMinIntervalMs = value;
-      envUpdates.MATRIX_PROGRESS_MIN_INTERVAL_MS = String(value);
-      updatedKeys.push("matrixProgressMinIntervalMs");
-    }
-    if ("matrixTypingTimeoutMs" in body) {
-      const value = normalizePositiveInt(
-        body.matrixTypingTimeoutMs,
-        this.config.matrixTypingTimeoutMs,
-        1,
-        Number.MAX_SAFE_INTEGER
-      );
-      this.config.matrixTypingTimeoutMs = value;
-      envUpdates.MATRIX_TYPING_TIMEOUT_MS = String(value);
-      updatedKeys.push("matrixTypingTimeoutMs");
-    }
-    if ("sessionActiveWindowMinutes" in body) {
-      const value = normalizePositiveInt(
-        body.sessionActiveWindowMinutes,
-        this.config.sessionActiveWindowMinutes,
-        1,
-        Number.MAX_SAFE_INTEGER
-      );
-      this.config.sessionActiveWindowMinutes = value;
-      envUpdates.SESSION_ACTIVE_WINDOW_MINUTES = String(value);
-      updatedKeys.push("sessionActiveWindowMinutes");
-    }
-    if ("groupDirectModeEnabled" in body) {
-      const value = normalizeBoolean(body.groupDirectModeEnabled, this.config.groupDirectModeEnabled);
-      this.config.groupDirectModeEnabled = value;
-      envUpdates.GROUP_DIRECT_MODE_ENABLED = String(value);
-      updatedKeys.push("groupDirectModeEnabled");
-    }
-    if ("cliCompat" in body) {
-      const compat = asObject(body.cliCompat, "cliCompat");
-      if ("enabled" in compat) {
-        const value = normalizeBoolean(compat.enabled, this.config.cliCompat.enabled);
-        this.config.cliCompat.enabled = value;
-        envUpdates.CLI_COMPAT_MODE = String(value);
-        updatedKeys.push("cliCompat.enabled");
-      }
-      if ("passThroughEvents" in compat) {
-        const value = normalizeBoolean(compat.passThroughEvents, this.config.cliCompat.passThroughEvents);
-        this.config.cliCompat.passThroughEvents = value;
-        envUpdates.CLI_COMPAT_PASSTHROUGH_EVENTS = String(value);
-        updatedKeys.push("cliCompat.passThroughEvents");
-      }
-      if ("preserveWhitespace" in compat) {
-        const value = normalizeBoolean(compat.preserveWhitespace, this.config.cliCompat.preserveWhitespace);
-        this.config.cliCompat.preserveWhitespace = value;
-        envUpdates.CLI_COMPAT_PRESERVE_WHITESPACE = String(value);
-        updatedKeys.push("cliCompat.preserveWhitespace");
-      }
-      if ("disableReplyChunkSplit" in compat) {
-        const value = normalizeBoolean(compat.disableReplyChunkSplit, this.config.cliCompat.disableReplyChunkSplit);
-        this.config.cliCompat.disableReplyChunkSplit = value;
-        envUpdates.CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT = String(value);
-        updatedKeys.push("cliCompat.disableReplyChunkSplit");
-      }
-      if ("progressThrottleMs" in compat) {
-        const value = normalizeNonNegativeInt(compat.progressThrottleMs, this.config.cliCompat.progressThrottleMs);
-        this.config.cliCompat.progressThrottleMs = value;
-        envUpdates.CLI_COMPAT_PROGRESS_THROTTLE_MS = String(value);
-        updatedKeys.push("cliCompat.progressThrottleMs");
-      }
-      if ("fetchMedia" in compat) {
-        const value = normalizeBoolean(compat.fetchMedia, this.config.cliCompat.fetchMedia);
-        this.config.cliCompat.fetchMedia = value;
-        envUpdates.CLI_COMPAT_FETCH_MEDIA = String(value);
-        updatedKeys.push("cliCompat.fetchMedia");
-      }
-    }
-    if ("agentWorkflow" in body) {
-      const workflow = asObject(body.agentWorkflow, "agentWorkflow");
-      const currentAgentWorkflow = ensureAgentWorkflowConfig(this.config);
-      if ("enabled" in workflow) {
-        const value = normalizeBoolean(workflow.enabled, currentAgentWorkflow.enabled);
-        currentAgentWorkflow.enabled = value;
-        envUpdates.AGENT_WORKFLOW_ENABLED = String(value);
-        updatedKeys.push("agentWorkflow.enabled");
-      }
-      if ("autoRepairMaxRounds" in workflow) {
-        const value = normalizePositiveInt(
-          workflow.autoRepairMaxRounds,
-          currentAgentWorkflow.autoRepairMaxRounds,
-          0,
-          10
-        );
-        currentAgentWorkflow.autoRepairMaxRounds = value;
-        envUpdates.AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS = String(value);
-        updatedKeys.push("agentWorkflow.autoRepairMaxRounds");
-      }
-    }
-    if (updatedKeys.length === 0) {
-      throw new HttpError(400, "No supported global config fields provided.");
-    }
-    this.persistEnvUpdates(envUpdates);
-    this.stateStore.appendConfigRevision(
-      actor,
-      `update global config: ${updatedKeys.join(", ")}`,
-      JSON.stringify({
-        type: "global_config_update",
-        updates: envUpdates
-      })
-    );
-    return {
-      data: buildGlobalConfigSnapshot(this.config),
-      updatedKeys,
-      restartRequired: true
-    };
-  }
-  updateRoomConfig(roomId, rawBody, actor) {
-    const body = asObject(rawBody, "room config payload");
-    const current = this.configService.getRoomSettings(roomId);
-    return this.configService.updateRoomSettings({
-      roomId,
-      enabled: normalizeBoolean(body.enabled, current?.enabled ?? true),
-      allowMention: normalizeBoolean(body.allowMention, current?.allowMention ?? true),
-      allowReply: normalizeBoolean(body.allowReply, current?.allowReply ?? true),
-      allowActiveWindow: normalizeBoolean(body.allowActiveWindow, current?.allowActiveWindow ?? true),
-      allowPrefix: normalizeBoolean(body.allowPrefix, current?.allowPrefix ?? true),
-      workdir: normalizeString(body.workdir, current?.workdir ?? this.config.codexWorkdir, "workdir"),
-      actor,
-      summary: normalizeOptionalString(body.summary)
-    });
-  }
-  resolveAdminIdentity(req) {
-    if (!this.adminToken && this.adminTokens.size === 0) {
-      return {
-        role: "admin",
-        actor: null,
-        source: "open"
-      };
-    }
-    const token = readAdminToken(req);
-    if (!token) {
-      return null;
-    }
-    if (this.adminToken && token === this.adminToken) {
-      return {
-        role: "admin",
-        actor: null,
-        source: "legacy"
-      };
-    }
-    const mappedIdentity = this.adminTokens.get(token);
-    if (!mappedIdentity) {
-      return null;
-    }
-    return {
-      role: mappedIdentity.role,
-      actor: mappedIdentity.actor,
-      source: "scoped"
-    };
-  }
-  isClientAllowed(req) {
-    if (this.adminIpAllowlist.length === 0) {
-      return true;
-    }
-    const normalizedRemote = normalizeRemoteAddress(req.socket.remoteAddress);
-    if (!normalizedRemote) {
-      return false;
-    }
-    return this.adminIpAllowlist.includes(normalizedRemote);
-  }
-  persistEnvUpdates(updates) {
-    const envPath = import_node_path5.default.resolve(this.cwd, ".env");
-    const examplePath = import_node_path5.default.resolve(this.cwd, ".env.example");
-    const template = import_node_fs4.default.existsSync(envPath) ? import_node_fs4.default.readFileSync(envPath, "utf8") : import_node_fs4.default.existsSync(examplePath) ? import_node_fs4.default.readFileSync(examplePath, "utf8") : "";
-    const next = applyEnvOverrides(template, updates);
-    import_node_fs4.default.writeFileSync(envPath, next, "utf8");
-  }
-  resolveCors(req) {
-    const origin = normalizeOriginHeader(req.headers.origin);
-    if (!origin) {
-      return { origin: null, allowed: true };
-    }
-    if (isSameOriginRequest(req, origin)) {
-      return { origin, allowed: true };
-    }
-    if (this.adminAllowedOrigins.includes("*")) {
-      return { origin, allowed: true };
-    }
-    if (this.adminAllowedOrigins.length === 0) {
-      return { origin, allowed: false };
-    }
-    return {
-      origin,
-      allowed: this.adminAllowedOrigins.includes(origin)
-    };
-  }
-  setCorsHeaders(res, corsDecision) {
-    if (!corsDecision.origin || !corsDecision.allowed) {
-      return;
-    }
-    res.setHeader("Access-Control-Allow-Origin", corsDecision.origin);
-    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Admin-Token, X-Admin-Actor");
-    res.setHeader("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
-    appendVaryHeader(res, "Origin");
-  }
-  setSecurityHeaders(res) {
-    res.setHeader("X-Content-Type-Options", "nosniff");
-    res.setHeader("X-Frame-Options", "DENY");
-    res.setHeader("Referrer-Policy", "no-referrer");
-    res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
-    res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
-    res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
-    res.setHeader(
-      "Content-Security-Policy",
-      "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
-    );
-  }
-  sendHtml(res, html) {
-    res.statusCode = 200;
-    res.setHeader("Content-Type", "text/html; charset=utf-8");
-    res.end(html);
-  }
-  sendJson(res, statusCode, payload) {
-    res.statusCode = statusCode;
-    res.setHeader("Content-Type", "application/json; charset=utf-8");
-    res.end(JSON.stringify(payload));
-  }
-};
-function buildGlobalConfigSnapshot(config) {
-  return {
-    matrixCommandPrefix: config.matrixCommandPrefix,
-    codexWorkdir: config.codexWorkdir,
-    rateLimiter: { ...config.rateLimiter },
-    groupDirectModeEnabled: config.groupDirectModeEnabled,
-    defaultGroupTriggerPolicy: { ...config.defaultGroupTriggerPolicy },
-    matrixProgressUpdates: config.matrixProgressUpdates,
-    matrixProgressMinIntervalMs: config.matrixProgressMinIntervalMs,
-    matrixTypingTimeoutMs: config.matrixTypingTimeoutMs,
-    sessionActiveWindowMinutes: config.sessionActiveWindowMinutes,
-    cliCompat: { ...config.cliCompat },
-    agentWorkflow: { ...ensureAgentWorkflowConfig(config) }
-  };
-}
-function ensureAgentWorkflowConfig(config) {
-  const mutable = config;
-  const existing = mutable.agentWorkflow;
-  if (existing && typeof existing.enabled === "boolean" && Number.isFinite(existing.autoRepairMaxRounds)) {
-    return existing;
-  }
-  const fallback = {
-    enabled: false,
-    autoRepairMaxRounds: 1
-  };
-  mutable.agentWorkflow = fallback;
-  return fallback;
-}
-function formatAuditEntry(entry) {
-  return {
-    id: entry.id,
-    actor: entry.actor,
-    summary: entry.summary,
-    payloadJson: entry.payloadJson,
-    payload: parseJsonLoose(entry.payloadJson),
-    createdAt: entry.createdAt,
-    createdAtIso: new Date(entry.createdAt).toISOString()
-  };
-}
-function parseJsonLoose(raw) {
-  try {
-    return JSON.parse(raw);
-  } catch {
-    return raw;
-  }
-}
-async function defaultRestartServices(restartAdmin) {
-  const outputChunks = [];
-  const output = {
-    write: (chunk) => {
-      outputChunks.push(typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8"));
-      return true;
-    }
-  };
-  restartSystemdServices({
-    restartAdmin,
-    output
-  });
-  return {
-    restarted: restartAdmin ? ["codeharbor", "codeharbor-admin"] : ["codeharbor"]
-  };
-}
-function isUiPath(pathname) {
-  return pathname === "/" || pathname === "/index.html" || pathname === "/settings/global" || pathname === "/settings/rooms" || pathname === "/health" || pathname === "/audit";
-}
-function normalizeAllowlist(entries) {
-  const output = /* @__PURE__ */ new Set();
-  for (const entry of entries) {
-    const normalized = normalizeRemoteAddress(entry);
-    if (normalized) {
-      output.add(normalized);
-    }
-  }
-  return [...output];
-}
-function normalizeOriginAllowlist(entries) {
-  const output = /* @__PURE__ */ new Set();
-  for (const entry of entries) {
-    const normalized = normalizeOrigin(entry);
-    if (normalized) {
-      output.add(normalized);
-    }
-  }
-  return [...output];
-}
-function normalizeRemoteAddress(value) {
-  if (!value) {
-    return null;
-  }
-  const trimmed = value.trim().toLowerCase();
-  if (!trimmed) {
-    return null;
-  }
-  const withoutZone = trimmed.includes("%") ? trimmed.slice(0, trimmed.indexOf("%")) : trimmed;
-  if (withoutZone === "::1" || withoutZone === "0:0:0:0:0:0:0:1") {
-    return "127.0.0.1";
-  }
-  if (withoutZone.startsWith("::ffff:")) {
-    return withoutZone.slice("::ffff:".length);
-  }
-  return withoutZone;
-}
-function normalizeOriginHeader(value) {
-  if (!value) {
-    return null;
-  }
-  const raw = Array.isArray(value) ? value[0] ?? "" : value;
-  return normalizeOrigin(raw);
-}
-function normalizeOrigin(value) {
-  const trimmed = value.trim();
-  if (!trimmed) {
-    return null;
-  }
-  if (trimmed === "*") {
-    return "*";
-  }
-  try {
-    const parsed = new URL(trimmed);
-    return `${parsed.protocol}//${parsed.host}`.toLowerCase();
-  } catch {
-    return null;
-  }
-}
-function isSameOriginRequest(req, origin) {
-  const host = normalizeHeaderValue(req.headers.host);
-  if (!host) {
-    return false;
-  }
-  const forwardedProto = normalizeHeaderValue(req.headers["x-forwarded-proto"]);
-  const protocol = forwardedProto || "http";
-  return origin === `${protocol}://${host}`.toLowerCase();
-}
-function appendVaryHeader(res, headerName) {
-  const current = res.getHeader("Vary");
-  const existing = typeof current === "string" ? current.split(",").map((v) => v.trim()).filter(Boolean) : [];
-  if (!existing.includes(headerName)) {
-    existing.push(headerName);
-  }
-  res.setHeader("Vary", existing.join(", "));
-}
-function renderAdminConsoleHtml() {
-  return ADMIN_CONSOLE_HTML;
-}
-async function readJsonBody(req) {
-  const chunks = [];
-  for await (const chunk of req) {
-    chunks.push(Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk));
-  }
-  if (chunks.length === 0) {
-    return {};
-  }
-  const raw = Buffer.concat(chunks).toString("utf8").trim();
-  if (!raw) {
-    return {};
-  }
-  try {
-    return JSON.parse(raw);
-  } catch {
-    throw new HttpError(400, "Request body must be valid JSON.");
-  }
-}
-function asObject(value, name) {
-  if (!value || typeof value !== "object" || Array.isArray(value)) {
-    throw new HttpError(400, `${name} must be a JSON object.`);
-  }
-  return value;
-}
-function normalizeBoolean(value, fallback) {
-  if (value === void 0) {
-    return fallback;
-  }
-  if (typeof value !== "boolean") {
-    throw new HttpError(400, "Expected boolean value.");
-  }
-  return value;
-}
-function normalizeString(value, fallback, fieldName) {
-  if (value === void 0) {
-    return fallback;
-  }
-  if (typeof value !== "string") {
-    throw new HttpError(400, `Expected string value for ${fieldName}.`);
-  }
-  return value.trim();
-}
-function normalizeOptionalString(value) {
-  if (value === void 0 || value === null) {
-    return null;
-  }
-  if (typeof value !== "string") {
-    throw new HttpError(400, "Expected string value.");
-  }
-  const trimmed = value.trim();
-  return trimmed || null;
-}
-function normalizePositiveInt(value, fallback, min, max) {
-  if (value === void 0 || value === null) {
-    return fallback;
-  }
-  const parsed = Number.parseInt(String(value), 10);
-  if (!Number.isFinite(parsed) || parsed < min || parsed > max) {
-    throw new HttpError(400, `Expected integer in range [${min}, ${max}].`);
-  }
-  return parsed;
-}
-function normalizeNonNegativeInt(value, fallback) {
-  return normalizePositiveInt(value, fallback, 0, Number.MAX_SAFE_INTEGER);
-}
-function ensureDirectory(targetPath, fieldName) {
-  if (!import_node_fs4.default.existsSync(targetPath) || !import_node_fs4.default.statSync(targetPath).isDirectory()) {
-    throw new HttpError(400, `${fieldName} must be an existing directory: ${targetPath}`);
-  }
-}
-function normalizeHeaderValue(value) {
-  if (!value) {
-    return "";
-  }
-  if (Array.isArray(value)) {
-    return value[0]?.trim() ?? "";
-  }
-  return value.trim();
-}
-function readAdminToken(req) {
-  const authorization = normalizeHeaderValue(req.headers.authorization);
-  if (authorization) {
-    const match = /^bearer\s+(.+)$/i.exec(authorization);
-    const token = match?.[1]?.trim() ?? "";
-    if (token) {
-      return token;
-    }
-  }
-  const fromHeader = normalizeHeaderValue(req.headers["x-admin-token"]);
-  return fromHeader || null;
-}
-function resolveIdentityActor(identity) {
-  if (!identity || identity.source !== "scoped") {
-    return null;
-  }
-  if (identity.actor) {
-    return identity.actor;
-  }
-  return identity.role === "admin" ? "admin-token" : "viewer-token";
-}
-function resolveAuditActor(req, identity) {
-  const scopedActor = resolveIdentityActor(identity);
-  if (scopedActor) {
-    return scopedActor;
-  }
-  const actor = normalizeHeaderValue(req.headers["x-admin-actor"]);
-  return actor || null;
-}
-function requiredAdminRoleForRequest(method, pathname) {
-  if (!pathname.startsWith("/api/admin/")) {
-    return null;
-  }
-  const normalizedMethod = (method ?? "GET").toUpperCase();
-  if (normalizedMethod === "GET" || normalizedMethod === "HEAD") {
-    return "viewer";
-  }
-  return "admin";
-}
-function hasRequiredAdminRole(role, requiredRole) {
-  if (requiredRole === "viewer") {
-    return role === "viewer" || role === "admin";
-  }
-  return role === "admin";
-}
-function buildAdminTokenMap(tokens) {
-  const mapped = /* @__PURE__ */ new Map();
-  for (const token of tokens) {
-    mapped.set(token.token, {
-      role: token.role,
-      actor: token.actor
-    });
-  }
-  return mapped;
-}
-function formatError(error) {
-  if (error instanceof Error) {
-    return error.message;
-  }
-  return String(error);
-}
-var ADMIN_CONSOLE_HTML = `<!doctype html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <title>CodeHarbor Admin Console</title>
-    <style>
-      :root {
-        --bg-start: #0f172a;
-        --bg-end: #1e293b;
-        --panel: #0b1224cc;
-        --panel-border: #334155;
-        --text: #e2e8f0;
-        --muted: #94a3b8;
-        --accent: #22d3ee;
-        --accent-strong: #06b6d4;
-        --danger: #f43f5e;
-        --ok: #10b981;
-        --warn: #f59e0b;
-      }
-      * {
-        box-sizing: border-box;
-      }
-      body {
-        margin: 0;
-        font-family: "IBM Plex Sans", "Segoe UI", "Helvetica Neue", sans-serif;
-        color: var(--text);
-        background: radial-gradient(1200px 600px at 20% -10%, #1d4ed8 0%, transparent 55%),
-          radial-gradient(1000px 500px at 100% 0%, #0f766e 0%, transparent 55%),
-          linear-gradient(135deg, var(--bg-start), var(--bg-end));
-        min-height: 100vh;
-      }
-      .shell {
-        max-width: 1100px;
-        margin: 0 auto;
-        padding: 20px 16px 40px;
-      }
-      .header {
-        background: var(--panel);
-        border: 1px solid var(--panel-border);
-        border-radius: 16px;
-        padding: 16px;
-        backdrop-filter: blur(8px);
-      }
-      .title {
-        margin: 0 0 8px;
-        font-size: 24px;
-        letter-spacing: 0.2px;
-      }
-      .subtitle {
-        margin: 0 0 14px;
-        color: var(--muted);
-        font-size: 14px;
-      }
-      .tabs {
-        display: flex;
-        gap: 8px;
-        flex-wrap: wrap;
-        margin-bottom: 12px;
-      }
-      .tab {
-        color: var(--text);
-        text-decoration: none;
-        border: 1px solid var(--panel-border);
-        border-radius: 999px;
-        padding: 6px 12px;
-        font-size: 13px;
-      }
-      .tab.active {
-        border-color: var(--accent);
-        background: #155e7555;
-      }
-      .auth-row {
-        display: grid;
-        grid-template-columns: repeat(2, minmax(220px, 1fr)) auto auto;
-        gap: 8px;
-        align-items: end;
-      }
-      .field {
-        display: flex;
-        flex-direction: column;
-        gap: 4px;
-      }
-      .field-label {
-        font-size: 12px;
-        color: var(--muted);
-      }
-      input,
-      button,
-      textarea {
-        font: inherit;
-      }
-      input[type="text"],
-      input[type="password"],
-      input[type="number"] {
-        border: 1px solid var(--panel-border);
-        background: #0f172acc;
-        color: var(--text);
-        border-radius: 10px;
-        padding: 8px 10px;
-      }
-      button {
-        border: 1px solid var(--accent);
-        background: #164e63;
-        color: #ecfeff;
-        border-radius: 10px;
-        padding: 8px 12px;
-        cursor: pointer;
-      }
-      button.secondary {
-        border-color: var(--panel-border);
-        background: #1e293b;
-        color: var(--text);
-      }
-      button.danger {
-        border-color: var(--danger);
-        background: #881337;
-      }
-      .notice {
-        margin: 12px 0 0;
-        border-radius: 10px;
-        padding: 8px 10px;
-        font-size: 13px;
-        border: 1px solid #334155;
-        color: var(--muted);
-      }
-      .notice.ok {
-        border-color: #065f46;
-        color: #d1fae5;
-        background: #064e3b88;
-      }
-      .notice.error {
-        border-color: #881337;
-        color: #ffe4e6;
-        background: #4c051988;
-      }
-      .notice.warn {
-        border-color: #92400e;
-        color: #fef3c7;
-        background: #78350f88;
-      }
-      .panel {
-        margin-top: 14px;
-        background: var(--panel);
-        border: 1px solid var(--panel-border);
-        border-radius: 16px;
-        padding: 16px;
-      }
-      .panel[hidden] {
-        display: none;
-      }
-      .panel-title {
-        margin: 0 0 12px;
-      }
-      .grid {
-        display: grid;
-        grid-template-columns: repeat(2, minmax(0, 1fr));
-        gap: 10px;
-      }
-      .full {
-        grid-column: 1 / -1;
-      }
-      .checkbox {
-        display: flex;
-        gap: 8px;
-        align-items: center;
-        font-size: 14px;
-      }
-      .actions {
-        display: flex;
-        gap: 8px;
-        flex-wrap: wrap;
-        margin-top: 12px;
-      }
-      .table-wrap {
-        overflow-x: auto;
-        border: 1px solid #334155;
-        border-radius: 12px;
-        margin-top: 12px;
-      }
-      table {
-        width: 100%;
-        border-collapse: collapse;
-        min-width: 720px;
-      }
-      th,
-      td {
-        border-bottom: 1px solid #334155;
-        text-align: left;
-        padding: 8px;
-        font-size: 12px;
-        vertical-align: top;
-      }
-      th {
-        color: var(--muted);
-      }
-      pre {
-        margin: 0;
-        white-space: pre-wrap;
-        word-break: break-word;
-        font-size: 11px;
-        color: #cbd5e1;
-      }
-      .muted {
-        color: var(--muted);
-        font-size: 12px;
-      }
-      @media (max-width: 900px) {
-        .auth-row {
-          grid-template-columns: 1fr;
-        }
-        .grid {
-          grid-template-columns: 1fr;
-        }
-      }
-    </style>
-  </head>
-  <body>
-    <main class="shell">
-      <section class="header">
-        <h1 class="title">CodeHarbor Admin Console</h1>
-        <p class="subtitle">Manage global settings, room policies, health checks, and config audit records.</p>
-        <nav class="tabs">
-          <a class="tab" data-page="settings-global" href="#/settings/global">Global</a>
-          <a class="tab" data-page="settings-rooms" href="#/settings/rooms">Rooms</a>
-          <a class="tab" data-page="health" href="#/health">Health</a>
-          <a class="tab" data-page="audit" href="#/audit">Audit</a>
-        </nav>
-        <div class="auth-row">
-          <label class="field">
-            <span class="field-label">Admin Token (optional)</span>
-            <input id="auth-token" type="password" placeholder="ADMIN_TOKEN" />
-          </label>
-          <label class="field">
-            <span class="field-label">Actor (for audit logs)</span>
-            <input id="auth-actor" type="text" placeholder="your-name" />
-          </label>
-          <button id="auth-save-btn" type="button" class="secondary">Save Auth</button>
-          <button id="auth-clear-btn" type="button" class="secondary">Clear Auth</button>
-        </div>
-        <div id="notice" class="notice">Ready.</div>
-        <p id="auth-role" class="muted">Permission: unknown</p>
-      </section>
+      .shell {
+        max-width: 1100px;
+        margin: 0 auto;
+        padding: 20px 16px 40px;
+      }
+      .header {
+        background: var(--panel);
+        border: 1px solid var(--panel-border);
+        border-radius: 16px;
+        padding: 16px;
+        backdrop-filter: blur(8px);
+      }
+      .title {
+        margin: 0 0 8px;
+        font-size: 24px;
+        letter-spacing: 0.2px;
+      }
+      .subtitle {
+        margin: 0 0 14px;
+        color: var(--muted);
+        font-size: 14px;
+      }
+      .tabs {
+        display: flex;
+        gap: 8px;
+        flex-wrap: wrap;
+        margin-bottom: 12px;
+      }
+      .tab {
+        color: var(--text);
+        text-decoration: none;
+        border: 1px solid var(--panel-border);
+        border-radius: 999px;
+        padding: 6px 12px;
+        font-size: 13px;
+      }
+      .tab.active {
+        border-color: var(--accent);
+        background: #155e7555;
+      }
+      .auth-row {
+        display: grid;
+        grid-template-columns: repeat(2, minmax(220px, 1fr)) auto auto;
+        gap: 8px;
+        align-items: end;
+      }
+      .field {
+        display: flex;
+        flex-direction: column;
+        gap: 4px;
+      }
+      .field-label {
+        font-size: 12px;
+        color: var(--muted);
+      }
+      input,
+      button,
+      textarea {
+        font: inherit;
+      }
+      input[type="text"],
+      input[type="password"],
+      input[type="number"] {
+        border: 1px solid var(--panel-border);
+        background: #0f172acc;
+        color: var(--text);
+        border-radius: 10px;
+        padding: 8px 10px;
+      }
+      button {
+        border: 1px solid var(--accent);
+        background: #164e63;
+        color: #ecfeff;
+        border-radius: 10px;
+        padding: 8px 12px;
+        cursor: pointer;
+      }
+      button.secondary {
+        border-color: var(--panel-border);
+        background: #1e293b;
+        color: var(--text);
+      }
+      button.danger {
+        border-color: var(--danger);
+        background: #881337;
+      }
+      .notice {
+        margin: 12px 0 0;
+        border-radius: 10px;
+        padding: 8px 10px;
+        font-size: 13px;
+        border: 1px solid #334155;
+        color: var(--muted);
+      }
+      .notice.ok {
+        border-color: #065f46;
+        color: #d1fae5;
+        background: #064e3b88;
+      }
+      .notice.error {
+        border-color: #881337;
+        color: #ffe4e6;
+        background: #4c051988;
+      }
+      .notice.warn {
+        border-color: #92400e;
+        color: #fef3c7;
+        background: #78350f88;
+      }
+      .panel {
+        margin-top: 14px;
+        background: var(--panel);
+        border: 1px solid var(--panel-border);
+        border-radius: 16px;
+        padding: 16px;
+      }
+      .panel[hidden] {
+        display: none;
+      }
+      .panel-title {
+        margin: 0 0 12px;
+      }
+      .grid {
+        display: grid;
+        grid-template-columns: repeat(2, minmax(0, 1fr));
+        gap: 10px;
+      }
+      .full {
+        grid-column: 1 / -1;
+      }
+      .checkbox {
+        display: flex;
+        gap: 8px;
+        align-items: center;
+        font-size: 14px;
+      }
+      .actions {
+        display: flex;
+        gap: 8px;
+        flex-wrap: wrap;
+        margin-top: 12px;
+      }
+      .table-wrap {
+        overflow-x: auto;
+        border: 1px solid #334155;
+        border-radius: 12px;
+        margin-top: 12px;
+      }
+      table {
+        width: 100%;
+        border-collapse: collapse;
+        min-width: 720px;
+      }
+      th,
+      td {
+        border-bottom: 1px solid #334155;
+        text-align: left;
+        padding: 8px;
+        font-size: 12px;
+        vertical-align: top;
+      }
+      th {
+        color: var(--muted);
+      }
+      pre {
+        margin: 0;
+        white-space: pre-wrap;
+        word-break: break-word;
+        font-size: 11px;
+        color: #cbd5e1;
+      }
+      .muted {
+        color: var(--muted);
+        font-size: 12px;
+      }
+      @media (max-width: 900px) {
+        .auth-row {
+          grid-template-columns: 1fr;
+        }
+        .grid {
+          grid-template-columns: 1fr;
+        }
+      }
+    </style>
+  </head>
+  <body>
+    <main class="shell">
+      <section class="header">
+        <h1 class="title">CodeHarbor Admin Console</h1>
+        <p class="subtitle">Manage global settings, room policies, health checks, and config audit records.</p>
+        <nav class="tabs">
+          <a class="tab" data-page="settings-global" href="#/settings/global">Global</a>
+          <a class="tab" data-page="settings-rooms" href="#/settings/rooms">Rooms</a>
+          <a class="tab" data-page="health" href="#/health">Health</a>
+          <a class="tab" data-page="audit" href="#/audit">Audit</a>
+        </nav>
+        <div class="auth-row">
+          <label class="field">
+            <span class="field-label">Admin Token (optional)</span>
+            <input id="auth-token" type="password" placeholder="ADMIN_TOKEN" />
+          </label>
+          <label class="field">
+            <span class="field-label">Actor (for audit logs)</span>
+            <input id="auth-actor" type="text" placeholder="your-name" />
+          </label>
+          <button id="auth-save-btn" type="button" class="secondary">Save Auth</button>
+          <button id="auth-clear-btn" type="button" class="secondary">Clear Auth</button>
+        </div>
+        <div id="notice" class="notice">Ready.</div>
+        <p id="auth-role" class="muted">Permission: unknown</p>
+      </section>
 
       <section class="panel" data-view="settings-global">
         <h2 class="panel-title">Global Config</h2>
@@ -2257,148 +795,1626 @@ var ADMIN_CONSOLE_HTML = `<!doctype html>
             return;
           }
           try {
-            var response = await apiRequest("/api/admin/config/rooms/" + encodeURIComponent(roomId), "GET");
-            fillRoomForm(response.data || {});
-            showNotice("ok", "Room config loaded for " + roomId + ".");
-          } catch (error) {
-            showNotice("error", "Failed to load room config: " + error.message);
+            var response = await apiRequest("/api/admin/config/rooms/" + encodeURIComponent(roomId), "GET");
+            fillRoomForm(response.data || {});
+            showNotice("ok", "Room config loaded for " + roomId + ".");
+          } catch (error) {
+            showNotice("error", "Failed to load room config: " + error.message);
+          }
+        }
+
+        function fillRoomForm(data) {
+          document.getElementById("room-enabled").checked = Boolean(data.enabled);
+          document.getElementById("room-mention").checked = Boolean(data.allowMention);
+          document.getElementById("room-reply").checked = Boolean(data.allowReply);
+          document.getElementById("room-window").checked = Boolean(data.allowActiveWindow);
+          document.getElementById("room-prefix").checked = Boolean(data.allowPrefix);
+          document.getElementById("room-workdir").value = data.workdir || "";
+        }
+
+        async function saveRoom() {
+          var roomId = asText("room-id");
+          if (!roomId) {
+            showNotice("warn", "Room ID is required.");
+            return;
+          }
+          try {
+            var body = {
+              enabled: asBool("room-enabled"),
+              allowMention: asBool("room-mention"),
+              allowReply: asBool("room-reply"),
+              allowActiveWindow: asBool("room-window"),
+              allowPrefix: asBool("room-prefix"),
+              workdir: asText("room-workdir"),
+              summary: asText("room-summary")
+            };
+            await apiRequest("/api/admin/config/rooms/" + encodeURIComponent(roomId), "PUT", body);
+            showNotice("ok", "Room config saved for " + roomId + ".");
+            await refreshRoomList();
+            await loadAudit();
+          } catch (error) {
+            showNotice("error", "Failed to save room config: " + error.message);
+          }
+        }
+
+        async function deleteRoom() {
+          var roomId = asText("room-id");
+          if (!roomId) {
+            showNotice("warn", "Room ID is required.");
+            return;
+          }
+          if (!window.confirm("Delete room config for " + roomId + "?")) {
+            return;
+          }
+          try {
+            await apiRequest("/api/admin/config/rooms/" + encodeURIComponent(roomId), "DELETE");
+            showNotice("ok", "Room config deleted for " + roomId + ".");
+            await refreshRoomList();
+            await loadAudit();
+          } catch (error) {
+            showNotice("error", "Failed to delete room config: " + error.message);
+          }
+        }
+
+        async function loadHealth() {
+          try {
+            var response = await apiRequest("/api/admin/health", "GET");
+            healthBody.innerHTML = "";
+
+            var codex = response.codex || {};
+            var matrix = response.matrix || {};
+
+            appendHealthRow("Codex", Boolean(codex.ok), codex.ok ? (codex.version || "ok") : (codex.error || "failed"));
+            appendHealthRow(
+              "Matrix",
+              Boolean(matrix.ok),
+              matrix.ok ? "HTTP " + matrix.status + " " + JSON.stringify(matrix.versions || []) : (matrix.error || "failed")
+            );
+            appendHealthRow("Overall", Boolean(response.ok), response.timestamp || "");
+            showNotice("ok", "Health check completed.");
+          } catch (error) {
+            showNotice("error", "Health check failed: " + error.message);
+            renderEmptyRow(healthBody, 3, "Failed to run health check.");
+          }
+        }
+
+        function appendHealthRow(component, ok, detail) {
+          var row = document.createElement("tr");
+          appendCell(row, component);
+          appendCell(row, ok ? "OK" : "FAIL");
+          appendCell(row, detail);
+          healthBody.appendChild(row);
+        }
+
+        async function loadAudit() {
+          var limit = asNumber("audit-limit", 30);
+          if (limit < 1) {
+            limit = 1;
+          }
+          if (limit > 200) {
+            limit = 200;
+          }
+          try {
+            var response = await apiRequest("/api/admin/audit?limit=" + limit, "GET");
+            var items = Array.isArray(response.data) ? response.data : [];
+            auditBody.innerHTML = "";
+            if (items.length === 0) {
+              renderEmptyRow(auditBody, 5, "No audit records.");
+              return;
+            }
+            for (var i = 0; i < items.length; i += 1) {
+              var item = items[i];
+              var row = document.createElement("tr");
+              appendCell(row, String(item.id || ""));
+              appendCell(row, item.createdAtIso || "");
+              appendCell(row, item.actor || "-");
+              appendCell(row, item.summary || "");
+              var payloadCell = document.createElement("td");
+              var payloadNode = document.createElement("pre");
+              payloadNode.textContent = formatPayload(item);
+              payloadCell.appendChild(payloadNode);
+              row.appendChild(payloadCell);
+              auditBody.appendChild(row);
+            }
+            showNotice("ok", "Audit loaded: " + items.length + " record(s).");
+          } catch (error) {
+            showNotice("error", "Failed to load audit: " + error.message);
+            renderEmptyRow(auditBody, 5, "Failed to load audit records.");
+          }
+        }
+
+        function formatPayload(item) {
+          if (item.payload && typeof item.payload === "object") {
+            return JSON.stringify(item.payload, null, 2);
+          }
+          if (typeof item.payloadJson === "string" && item.payloadJson) {
+            return item.payloadJson;
+          }
+          return "";
+        }
+      })();
+    </script>
+  </body>
+</html>
+`;
+
+// src/init.ts
+var import_node_fs = __toESM(require("fs"));
+var import_node_path2 = __toESM(require("path"));
+var import_promises = require("readline/promises");
+var import_dotenv = __toESM(require("dotenv"));
+
+// src/codex-bin.ts
+var import_node_child_process = require("child_process");
+var import_node_os = __toESM(require("os"));
+var import_node_path = __toESM(require("path"));
+var import_node_util = require("util");
+var execFileAsync = (0, import_node_util.promisify)(import_node_child_process.execFile);
+function buildCodexBinCandidates(configuredBin, env = process.env) {
+  const normalized = configuredBin.trim() || "codex";
+  const home = env.HOME?.trim() || import_node_os.default.homedir();
+  const npmGlobalBin = home ? import_node_path.default.resolve(home, ".npm-global/bin/codex") : "";
+  const candidates = [
+    normalized,
+    "codex",
+    npmGlobalBin,
+    "/usr/bin/codex",
+    "/usr/local/bin/codex",
+    "/opt/homebrew/bin/codex"
+  ];
+  const seen = /* @__PURE__ */ new Set();
+  const output = [];
+  for (const candidate of candidates) {
+    const trimmed = candidate.trim();
+    if (!trimmed || seen.has(trimmed)) {
+      continue;
+    }
+    seen.add(trimmed);
+    output.push(trimmed);
+  }
+  return output;
+}
+async function findWorkingCodexBin(configuredBin, options = {}) {
+  const checkBinary = options.checkBinary ?? defaultCheckBinary;
+  const candidates = buildCodexBinCandidates(configuredBin, options.env);
+  for (const candidate of candidates) {
+    try {
+      await checkBinary(candidate);
+      return candidate;
+    } catch {
+    }
+  }
+  return null;
+}
+async function defaultCheckBinary(bin) {
+  await execFileAsync(bin, ["--version"]);
+}
+
+// src/init.ts
+async function runInitCommand(options = {}) {
+  const cwd = options.cwd ?? process.cwd();
+  const envPath = import_node_path2.default.resolve(cwd, ".env");
+  const templatePath = resolveInitTemplatePath(cwd);
+  const input = options.input ?? process.stdin;
+  const output = options.output ?? process.stdout;
+  const templateContent = import_node_fs.default.readFileSync(templatePath, "utf8");
+  const existingContent = import_node_fs.default.existsSync(envPath) ? import_node_fs.default.readFileSync(envPath, "utf8") : "";
+  const existingValues = existingContent ? import_dotenv.default.parse(existingContent) : {};
+  const rl = (0, import_promises.createInterface)({ input, output });
+  try {
+    if (existingContent && !options.force) {
+      const overwrite = await askYesNo(
+        rl,
+        "Detected existing .env file. Overwrite with guided setup?",
+        false
+      );
+      if (!overwrite) {
+        output.write("Init aborted. Keep existing .env unchanged.\n");
+        return;
+      }
+    }
+    output.write("CodeHarbor setup wizard\n");
+    output.write(`Target file: ${envPath}
+`);
+    const detectedCodexBin = await findWorkingCodexBin(existingValues.CODEX_BIN ?? "codex");
+    const questions = [
+      {
+        key: "MATRIX_HOMESERVER",
+        label: "Matrix homeserver URL",
+        required: true,
+        validate: (value) => {
+          try {
+            new URL(value);
+            return null;
+          } catch {
+            return "Please enter a valid URL, for example https://matrix.example.com";
           }
         }
-
-        function fillRoomForm(data) {
-          document.getElementById("room-enabled").checked = Boolean(data.enabled);
-          document.getElementById("room-mention").checked = Boolean(data.allowMention);
-          document.getElementById("room-reply").checked = Boolean(data.allowReply);
-          document.getElementById("room-window").checked = Boolean(data.allowActiveWindow);
-          document.getElementById("room-prefix").checked = Boolean(data.allowPrefix);
-          document.getElementById("room-workdir").value = data.workdir || "";
-        }
-
-        async function saveRoom() {
-          var roomId = asText("room-id");
-          if (!roomId) {
-            showNotice("warn", "Room ID is required.");
-            return;
-          }
-          try {
-            var body = {
-              enabled: asBool("room-enabled"),
-              allowMention: asBool("room-mention"),
-              allowReply: asBool("room-reply"),
-              allowActiveWindow: asBool("room-window"),
-              allowPrefix: asBool("room-prefix"),
-              workdir: asText("room-workdir"),
-              summary: asText("room-summary")
-            };
-            await apiRequest("/api/admin/config/rooms/" + encodeURIComponent(roomId), "PUT", body);
-            showNotice("ok", "Room config saved for " + roomId + ".");
-            await refreshRoomList();
-            await loadAudit();
-          } catch (error) {
-            showNotice("error", "Failed to save room config: " + error.message);
+      },
+      {
+        key: "MATRIX_USER_ID",
+        label: "Matrix bot user id",
+        required: true,
+        validate: (value) => {
+          if (!/^@[^:\s]+:.+/.test(value)) {
+            return "Please enter a Matrix user id like @bot:example.com";
           }
+          return null;
         }
-
-        async function deleteRoom() {
-          var roomId = asText("room-id");
-          if (!roomId) {
-            showNotice("warn", "Room ID is required.");
-            return;
-          }
-          if (!window.confirm("Delete room config for " + roomId + "?")) {
-            return;
-          }
-          try {
-            await apiRequest("/api/admin/config/rooms/" + encodeURIComponent(roomId), "DELETE");
-            showNotice("ok", "Room config deleted for " + roomId + ".");
-            await refreshRoomList();
-            await loadAudit();
-          } catch (error) {
-            showNotice("error", "Failed to delete room config: " + error.message);
+      },
+      {
+        key: "MATRIX_ACCESS_TOKEN",
+        label: "Matrix access token",
+        required: true,
+        hiddenDefault: true
+      },
+      {
+        key: "MATRIX_COMMAND_PREFIX",
+        label: "Group command prefix",
+        fallbackValue: "!code"
+      },
+      {
+        key: "CODEX_BIN",
+        label: "Codex binary",
+        fallbackValue: detectedCodexBin ?? "codex"
+      },
+      {
+        key: "CODEX_WORKDIR",
+        label: "Codex working directory",
+        fallbackValue: cwd,
+        validate: (value) => {
+          const resolved = import_node_path2.default.resolve(cwd, value);
+          if (!import_node_fs.default.existsSync(resolved) || !import_node_fs.default.statSync(resolved).isDirectory()) {
+            return `Directory does not exist: ${resolved}`;
           }
+          return null;
         }
+      }
+    ];
+    const updates = {};
+    for (const question of questions) {
+      const existingValue = (existingValues[question.key] ?? "").trim();
+      const value = await askValue(rl, question, existingValue);
+      updates[question.key] = value;
+    }
+    const mergedContent = applyEnvOverrides(templateContent, updates);
+    import_node_fs.default.writeFileSync(envPath, mergedContent, "utf8");
+    output.write(`Wrote ${envPath}
+`);
+    output.write("Next steps:\n");
+    output.write("1. codex login\n");
+    output.write("2. codeharbor doctor\n");
+    output.write("3. codeharbor start\n");
+  } finally {
+    rl.close();
+  }
+}
+function resolveInitTemplatePath(cwd) {
+  const candidates = [
+    import_node_path2.default.resolve(cwd, ".env.example"),
+    import_node_path2.default.resolve(__dirname, "..", ".env.example")
+  ];
+  for (const candidate of candidates) {
+    if (import_node_fs.default.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  throw new Error(`Cannot find template file. Tried: ${candidates.join(", ")}`);
+}
+function applyEnvOverrides(template, overrides) {
+  const lines = template.split(/\r?\n/);
+  const seen = /* @__PURE__ */ new Set();
+  for (let i = 0; i < lines.length; i += 1) {
+    const line = lines[i];
+    const match = /^([A-Z0-9_]+)=(.*)$/.exec(line.trim());
+    if (!match) {
+      continue;
+    }
+    const key = match[1];
+    if (!(key in overrides)) {
+      continue;
+    }
+    lines[i] = `${key}=${formatEnvValue(overrides[key] ?? "")}`;
+    seen.add(key);
+  }
+  for (const [key, value] of Object.entries(overrides)) {
+    if (seen.has(key)) {
+      continue;
+    }
+    lines.push(`${key}=${formatEnvValue(value)}`);
+  }
+  const content = lines.join("\n");
+  return content.endsWith("\n") ? content : `${content}
+`;
+}
+function formatEnvValue(value) {
+  if (!value) {
+    return "";
+  }
+  if (/^[A-Za-z0-9_./:@+-]+$/.test(value)) {
+    return value;
+  }
+  return JSON.stringify(value);
+}
+async function askValue(rl, question, existingValue) {
+  while (true) {
+    const fallback = question.fallbackValue ?? "";
+    const displayDefault = existingValue || fallback;
+    const hint = displayDefault ? question.hiddenDefault ? "[already set]" : `[${displayDefault}]` : "";
+    const answer = (await rl.question(`${question.label} ${hint}: `)).trim();
+    const finalValue = answer || existingValue || fallback;
+    if (question.required && !finalValue) {
+      rl.write("This value is required.\n");
+      continue;
+    }
+    if (question.validate) {
+      const reason = question.validate(finalValue);
+      if (reason) {
+        rl.write(`${reason}
+`);
+        continue;
+      }
+    }
+    return finalValue;
+  }
+}
+async function askYesNo(rl, question, defaultValue) {
+  const defaultHint = defaultValue ? "[Y/n]" : "[y/N]";
+  const answer = (await rl.question(`${question} ${defaultHint}: `)).trim().toLowerCase();
+  if (!answer) {
+    return defaultValue;
+  }
+  return answer === "y" || answer === "yes";
+}
 
-        async function loadHealth() {
-          try {
-            var response = await apiRequest("/api/admin/health", "GET");
-            healthBody.innerHTML = "";
+// src/service-manager.ts
+var import_node_child_process2 = require("child_process");
+var import_node_fs3 = __toESM(require("fs"));
+var import_node_os3 = __toESM(require("os"));
+var import_node_path4 = __toESM(require("path"));
 
-            var codex = response.codex || {};
-            var matrix = response.matrix || {};
+// src/runtime-home.ts
+var import_node_fs2 = __toESM(require("fs"));
+var import_node_os2 = __toESM(require("os"));
+var import_node_path3 = __toESM(require("path"));
+var LEGACY_RUNTIME_HOME = "/opt/codeharbor";
+var USER_RUNTIME_HOME_DIR = ".codeharbor";
+var DEFAULT_RUNTIME_HOME = import_node_path3.default.resolve(import_node_os2.default.homedir(), USER_RUNTIME_HOME_DIR);
+var RUNTIME_HOME_ENV_KEY = "CODEHARBOR_HOME";
+function resolveRuntimeHome(env = process.env) {
+  const configured = env[RUNTIME_HOME_ENV_KEY]?.trim();
+  if (configured) {
+    return import_node_path3.default.resolve(configured);
+  }
+  const legacyEnvPath = import_node_path3.default.resolve(LEGACY_RUNTIME_HOME, ".env");
+  if (import_node_fs2.default.existsSync(legacyEnvPath)) {
+    return LEGACY_RUNTIME_HOME;
+  }
+  return resolveUserRuntimeHome(env);
+}
+function resolveUserRuntimeHome(env = process.env) {
+  const home = env.HOME?.trim() || import_node_os2.default.homedir();
+  return import_node_path3.default.resolve(home, USER_RUNTIME_HOME_DIR);
+}
+
+// src/service-manager.ts
+var SYSTEMD_DIR = "/etc/systemd/system";
+var MAIN_SERVICE_NAME = "codeharbor.service";
+var ADMIN_SERVICE_NAME = "codeharbor-admin.service";
+var SUDOERS_DIR = "/etc/sudoers.d";
+var RESTART_SUDOERS_FILE = "codeharbor-restart";
+function resolveDefaultRunUser(env = process.env) {
+  const sudoUser = env.SUDO_USER?.trim();
+  if (sudoUser) {
+    return sudoUser;
+  }
+  const user = env.USER?.trim();
+  if (user) {
+    return user;
+  }
+  try {
+    return import_node_os3.default.userInfo().username;
+  } catch {
+    return "root";
+  }
+}
+function resolveRuntimeHomeForUser(runUser, env = process.env, explicitRuntimeHome) {
+  const configuredRuntimeHome = explicitRuntimeHome?.trim() || env[RUNTIME_HOME_ENV_KEY]?.trim();
+  if (configuredRuntimeHome) {
+    return import_node_path4.default.resolve(configuredRuntimeHome);
+  }
+  const userHome = resolveUserHome(runUser);
+  if (userHome) {
+    return import_node_path4.default.resolve(userHome, USER_RUNTIME_HOME_DIR);
+  }
+  return import_node_path4.default.resolve(import_node_os3.default.homedir(), USER_RUNTIME_HOME_DIR);
+}
+function buildMainServiceUnit(options) {
+  validateUnitOptions(options);
+  const runtimeHome2 = import_node_path4.default.resolve(options.runtimeHome);
+  return [
+    "[Unit]",
+    "Description=CodeHarbor main service",
+    "After=network-online.target",
+    "Wants=network-online.target",
+    "",
+    "[Service]",
+    "Type=simple",
+    `User=${options.runUser}`,
+    `WorkingDirectory=${runtimeHome2}`,
+    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
+    `ExecStart=${import_node_path4.default.resolve(options.nodeBinPath)} ${import_node_path4.default.resolve(options.cliScriptPath)} start`,
+    "Restart=always",
+    "RestartSec=3",
+    "NoNewPrivileges=true",
+    "PrivateTmp=true",
+    "ProtectSystem=full",
+    "ProtectHome=false",
+    `ReadWritePaths=${runtimeHome2}`,
+    "",
+    "[Install]",
+    "WantedBy=multi-user.target",
+    ""
+  ].join("\n");
+}
+function buildAdminServiceUnit(options) {
+  validateUnitOptions(options);
+  const runtimeHome2 = import_node_path4.default.resolve(options.runtimeHome);
+  return [
+    "[Unit]",
+    "Description=CodeHarbor admin service",
+    "After=network-online.target",
+    "Wants=network-online.target",
+    "",
+    "[Service]",
+    "Type=simple",
+    `User=${options.runUser}`,
+    `WorkingDirectory=${runtimeHome2}`,
+    `Environment=CODEHARBOR_HOME=${runtimeHome2}`,
+    `ExecStart=${import_node_path4.default.resolve(options.nodeBinPath)} ${import_node_path4.default.resolve(options.cliScriptPath)} admin serve`,
+    "Restart=always",
+    "RestartSec=3",
+    "NoNewPrivileges=true",
+    "PrivateTmp=true",
+    "ProtectSystem=full",
+    "ProtectHome=false",
+    `ReadWritePaths=${runtimeHome2}`,
+    "",
+    "[Install]",
+    "WantedBy=multi-user.target",
+    ""
+  ].join("\n");
+}
+function buildRestartSudoersPolicy(options) {
+  const runUser = options.runUser.trim();
+  const systemctlPath = options.systemctlPath.trim();
+  validateSimpleValue(runUser, "runUser");
+  validateSimpleValue(systemctlPath, "systemctlPath");
+  if (!import_node_path4.default.isAbsolute(systemctlPath)) {
+    throw new Error("systemctlPath must be an absolute path.");
+  }
+  return [
+    "# Managed by CodeHarbor service install; do not edit manually.",
+    `Defaults:${runUser} !requiretty`,
+    `${runUser} ALL=(root) NOPASSWD: ${systemctlPath} restart ${MAIN_SERVICE_NAME}, ${systemctlPath} restart ${ADMIN_SERVICE_NAME}`,
+    ""
+  ].join("\n");
+}
+function installSystemdServices(options) {
+  assertLinuxWithSystemd();
+  assertRootPrivileges();
+  const output = options.output ?? process.stdout;
+  const runUser = options.runUser.trim();
+  const runtimeHome2 = import_node_path4.default.resolve(options.runtimeHome);
+  validateSimpleValue(runUser, "runUser");
+  validateSimpleValue(runtimeHome2, "runtimeHome");
+  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
+  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
+  ensureUserExists(runUser);
+  const runGroup = resolveUserGroup(runUser);
+  import_node_fs3.default.mkdirSync(runtimeHome2, { recursive: true });
+  runCommand("chown", ["-R", `${runUser}:${runGroup}`, runtimeHome2]);
+  const mainPath = import_node_path4.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
+  const adminPath = import_node_path4.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
+  const restartSudoersPath = import_node_path4.default.join(SUDOERS_DIR, RESTART_SUDOERS_FILE);
+  const unitOptions = {
+    runUser,
+    runtimeHome: runtimeHome2,
+    nodeBinPath: options.nodeBinPath,
+    cliScriptPath: options.cliScriptPath
+  };
+  import_node_fs3.default.writeFileSync(mainPath, buildMainServiceUnit(unitOptions), "utf8");
+  if (options.installAdmin) {
+    import_node_fs3.default.writeFileSync(adminPath, buildAdminServiceUnit(unitOptions), "utf8");
+    if (runUser !== "root") {
+      const policy = buildRestartSudoersPolicy({
+        runUser,
+        systemctlPath: resolveSystemctlPath()
+      });
+      import_node_fs3.default.mkdirSync(SUDOERS_DIR, { recursive: true });
+      import_node_fs3.default.writeFileSync(restartSudoersPath, policy, "utf8");
+      import_node_fs3.default.chmodSync(restartSudoersPath, 288);
+    }
+  }
+  runSystemctl(["daemon-reload"]);
+  if (options.startNow) {
+    runSystemctl(["enable", "--now", MAIN_SERVICE_NAME]);
+    if (options.installAdmin) {
+      runSystemctl(["enable", "--now", ADMIN_SERVICE_NAME]);
+    }
+  } else {
+    runSystemctl(["enable", MAIN_SERVICE_NAME]);
+    if (options.installAdmin) {
+      runSystemctl(["enable", ADMIN_SERVICE_NAME]);
+    }
+  }
+  output.write(`Installed systemd unit: ${mainPath}
+`);
+  if (options.installAdmin) {
+    output.write(`Installed systemd unit: ${adminPath}
+`);
+    if (runUser !== "root") {
+      output.write(`Installed sudoers policy: ${restartSudoersPath}
+`);
+    }
+  }
+  output.write("Done. Check status with: systemctl status codeharbor --no-pager\n");
+}
+function uninstallSystemdServices(options) {
+  assertLinuxWithSystemd();
+  assertRootPrivileges();
+  const output = options.output ?? process.stdout;
+  const mainPath = import_node_path4.default.join(SYSTEMD_DIR, MAIN_SERVICE_NAME);
+  const adminPath = import_node_path4.default.join(SYSTEMD_DIR, ADMIN_SERVICE_NAME);
+  const restartSudoersPath = import_node_path4.default.join(SUDOERS_DIR, RESTART_SUDOERS_FILE);
+  stopAndDisableIfPresent(MAIN_SERVICE_NAME);
+  if (import_node_fs3.default.existsSync(mainPath)) {
+    import_node_fs3.default.unlinkSync(mainPath);
+  }
+  if (options.removeAdmin) {
+    stopAndDisableIfPresent(ADMIN_SERVICE_NAME);
+    if (import_node_fs3.default.existsSync(adminPath)) {
+      import_node_fs3.default.unlinkSync(adminPath);
+    }
+    if (import_node_fs3.default.existsSync(restartSudoersPath)) {
+      import_node_fs3.default.unlinkSync(restartSudoersPath);
+    }
+  }
+  runSystemctl(["daemon-reload"]);
+  runSystemctlIgnoreFailure(["reset-failed"]);
+  output.write(`Removed systemd unit: ${mainPath}
+`);
+  if (options.removeAdmin) {
+    output.write(`Removed systemd unit: ${adminPath}
+`);
+    output.write(`Removed sudoers policy: ${restartSudoersPath}
+`);
+  }
+  output.write("Done.\n");
+}
+function restartSystemdServices(options) {
+  assertLinuxWithSystemd();
+  const output = options.output ?? process.stdout;
+  const runWithSudoFallback = options.allowSudoFallback ?? true;
+  const systemctlRunner = hasRootPrivileges() || !runWithSudoFallback ? runSystemctl : runSystemctlWithNonInteractiveSudo;
+  systemctlRunner(["restart", MAIN_SERVICE_NAME]);
+  output.write(`Restarted service: ${MAIN_SERVICE_NAME}
+`);
+  if (options.restartAdmin) {
+    systemctlRunner(["restart", ADMIN_SERVICE_NAME]);
+    output.write(`Restarted service: ${ADMIN_SERVICE_NAME}
+`);
+  }
+  output.write("Done.\n");
+}
+function resolveUserHome(runUser) {
+  try {
+    const passwdRaw = import_node_fs3.default.readFileSync("/etc/passwd", "utf8");
+    const line = passwdRaw.split(/\r?\n/).find((item) => item.startsWith(`${runUser}:`));
+    if (!line) {
+      return null;
+    }
+    const fields = line.split(":");
+    return fields[5] ? fields[5].trim() : null;
+  } catch {
+    return null;
+  }
+}
+function validateUnitOptions(options) {
+  validateSimpleValue(options.runUser, "runUser");
+  validateSimpleValue(options.runtimeHome, "runtimeHome");
+  validateSimpleValue(options.nodeBinPath, "nodeBinPath");
+  validateSimpleValue(options.cliScriptPath, "cliScriptPath");
+}
+function validateSimpleValue(value, key) {
+  if (!value.trim()) {
+    throw new Error(`${key} cannot be empty.`);
+  }
+  if (/[\r\n]/.test(value)) {
+    throw new Error(`${key} contains invalid newline characters.`);
+  }
+}
+function assertLinuxWithSystemd() {
+  if (process.platform !== "linux") {
+    throw new Error("Systemd service install only supports Linux.");
+  }
+  try {
+    (0, import_node_child_process2.execFileSync)("systemctl", ["--version"], { stdio: "ignore" });
+  } catch {
+    throw new Error("systemctl is required but not found.");
+  }
+}
+function assertRootPrivileges() {
+  if (!hasRootPrivileges()) {
+    throw new Error("Root privileges are required. Run with sudo.");
+  }
+}
+function hasRootPrivileges() {
+  if (typeof process.getuid !== "function") {
+    return true;
+  }
+  return process.getuid() === 0;
+}
+function ensureUserExists(runUser) {
+  runCommand("id", ["-u", runUser]);
+}
+function resolveUserGroup(runUser) {
+  return runCommand("id", ["-gn", runUser]).trim();
+}
+function runSystemctl(args) {
+  runCommand("systemctl", args);
+}
+function runSystemctlWithNonInteractiveSudo(args) {
+  const systemctlPath = resolveSystemctlPath();
+  try {
+    runCommand("sudo", ["-n", systemctlPath, ...args]);
+  } catch (error) {
+    throw new Error(
+      "Root privileges are required. Configure passwordless sudo for the CodeHarbor service user or run the CLI command manually with sudo.",
+      { cause: error }
+    );
+  }
+}
+function stopAndDisableIfPresent(unitName) {
+  runSystemctlIgnoreFailure(["disable", "--now", unitName]);
+}
+function runSystemctlIgnoreFailure(args) {
+  try {
+    runCommand("systemctl", args);
+  } catch {
+  }
+}
+function resolveSystemctlPath() {
+  const candidates = [];
+  const pathEntries = (process.env.PATH ?? "").split(import_node_path4.default.delimiter).filter(Boolean);
+  for (const entry of pathEntries) {
+    candidates.push(import_node_path4.default.join(entry, "systemctl"));
+  }
+  candidates.push("/usr/bin/systemctl", "/bin/systemctl", "/usr/local/bin/systemctl");
+  for (const candidate of candidates) {
+    if (import_node_path4.default.isAbsolute(candidate) && import_node_fs3.default.existsSync(candidate)) {
+      return candidate;
+    }
+  }
+  throw new Error("Unable to resolve absolute systemctl path.");
+}
+function runCommand(file, args) {
+  try {
+    return (0, import_node_child_process2.execFileSync)(file, args, {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "pipe"]
+    });
+  } catch (error) {
+    throw new Error(formatCommandError(file, args, error), { cause: error });
+  }
+}
+function formatCommandError(file, args, error) {
+  const command = `${file} ${args.join(" ")}`.trim();
+  if (error && typeof error === "object") {
+    const maybeError = error;
+    const stderr = bufferToTrimmedString(maybeError.stderr);
+    const stdout = bufferToTrimmedString(maybeError.stdout);
+    const details = stderr || stdout || maybeError.message || "command failed";
+    return `Command failed: ${command}. ${details}`;
+  }
+  return `Command failed: ${command}. ${String(error)}`;
+}
+function bufferToTrimmedString(value) {
+  if (!value) {
+    return "";
+  }
+  const text = typeof value === "string" ? value : value.toString("utf8");
+  return text.trim();
+}
 
-            appendHealthRow("Codex", Boolean(codex.ok), codex.ok ? (codex.version || "ok") : (codex.error || "failed"));
-            appendHealthRow(
-              "Matrix",
-              Boolean(matrix.ok),
-              matrix.ok ? "HTTP " + matrix.status + " " + JSON.stringify(matrix.versions || []) : (matrix.error || "failed")
-            );
-            appendHealthRow("Overall", Boolean(response.ok), response.timestamp || "");
-            showNotice("ok", "Health check completed.");
-          } catch (error) {
-            showNotice("error", "Health check failed: " + error.message);
-            renderEmptyRow(healthBody, 3, "Failed to run health check.");
-          }
+// src/admin-server.ts
+var execFileAsync2 = (0, import_node_util2.promisify)(import_node_child_process3.execFile);
+var ADMIN_MAX_JSON_BODY_BYTES = 1048576;
+var HttpError = class extends Error {
+  statusCode;
+  constructor(statusCode, message) {
+    super(message);
+    this.statusCode = statusCode;
+  }
+};
+var AdminServer = class {
+  config;
+  logger;
+  stateStore;
+  configService;
+  host;
+  port;
+  adminToken;
+  adminTokens;
+  adminIpAllowlist;
+  adminAllowedOrigins;
+  cwd;
+  checkCodex;
+  checkMatrix;
+  restartServices;
+  server = null;
+  address = null;
+  constructor(config, logger, stateStore, configService, options) {
+    this.config = config;
+    this.logger = logger;
+    this.stateStore = stateStore;
+    this.configService = configService;
+    this.host = options.host;
+    this.port = options.port;
+    this.adminToken = options.adminToken;
+    this.adminTokens = buildAdminTokenMap(options.adminTokens ?? []);
+    this.adminIpAllowlist = normalizeAllowlist(options.adminIpAllowlist ?? []);
+    this.adminAllowedOrigins = normalizeOriginAllowlist(options.adminAllowedOrigins ?? []);
+    this.cwd = options.cwd ?? process.cwd();
+    this.checkCodex = options.checkCodex ?? defaultCheckCodex;
+    this.checkMatrix = options.checkMatrix ?? defaultCheckMatrix;
+    this.restartServices = options.restartServices ?? defaultRestartServices;
+  }
+  getAddress() {
+    return this.address;
+  }
+  async start() {
+    if (this.server) {
+      return;
+    }
+    this.server = import_node_http.default.createServer((req, res) => {
+      void this.handleRequest(req, res);
+    });
+    await new Promise((resolve, reject) => {
+      if (!this.server) {
+        reject(new Error("admin server is not initialized"));
+        return;
+      }
+      this.server.once("error", reject);
+      this.server.listen(this.port, this.host, () => {
+        this.server?.removeListener("error", reject);
+        const address = this.server?.address();
+        if (!address || typeof address === "string") {
+          reject(new Error("failed to resolve admin server address"));
+          return;
         }
-
-        function appendHealthRow(component, ok, detail) {
-          var row = document.createElement("tr");
-          appendCell(row, component);
-          appendCell(row, ok ? "OK" : "FAIL");
-          appendCell(row, detail);
-          healthBody.appendChild(row);
+        this.address = {
+          host: address.address,
+          port: address.port
+        };
+        resolve();
+      });
+    });
+  }
+  async stop() {
+    if (!this.server) {
+      return;
+    }
+    const server = this.server;
+    this.server = null;
+    this.address = null;
+    await new Promise((resolve, reject) => {
+      server.close((error) => {
+        if (error) {
+          reject(error);
+          return;
         }
-
-        async function loadAudit() {
-          var limit = asNumber("audit-limit", 30);
-          if (limit < 1) {
-            limit = 1;
-          }
-          if (limit > 200) {
-            limit = 200;
-          }
-          try {
-            var response = await apiRequest("/api/admin/audit?limit=" + limit, "GET");
-            var items = Array.isArray(response.data) ? response.data : [];
-            auditBody.innerHTML = "";
-            if (items.length === 0) {
-              renderEmptyRow(auditBody, 5, "No audit records.");
-              return;
-            }
-            for (var i = 0; i < items.length; i += 1) {
-              var item = items[i];
-              var row = document.createElement("tr");
-              appendCell(row, String(item.id || ""));
-              appendCell(row, item.createdAtIso || "");
-              appendCell(row, item.actor || "-");
-              appendCell(row, item.summary || "");
-              var payloadCell = document.createElement("td");
-              var payloadNode = document.createElement("pre");
-              payloadNode.textContent = formatPayload(item);
-              payloadCell.appendChild(payloadNode);
-              row.appendChild(payloadCell);
-              auditBody.appendChild(row);
-            }
-            showNotice("ok", "Audit loaded: " + items.length + " record(s).");
-          } catch (error) {
-            showNotice("error", "Failed to load audit: " + error.message);
-            renderEmptyRow(auditBody, 5, "Failed to load audit records.");
-          }
+        resolve();
+      });
+    });
+  }
+  async handleRequest(req, res) {
+    try {
+      const url = new URL(req.url ?? "/", "http://localhost");
+      this.setSecurityHeaders(res);
+      const corsDecision = this.resolveCors(req);
+      this.setCorsHeaders(res, corsDecision);
+      if (!this.isClientAllowed(req)) {
+        this.sendJson(res, 403, {
+          ok: false,
+          error: "Forbidden by ADMIN_IP_ALLOWLIST."
+        });
+        return;
+      }
+      if (url.pathname.startsWith("/api/admin/") && corsDecision.origin && !corsDecision.allowed) {
+        this.sendJson(res, 403, {
+          ok: false,
+          error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
+        });
+        return;
+      }
+      if (req.method === "OPTIONS") {
+        if (corsDecision.origin && !corsDecision.allowed) {
+          this.sendJson(res, 403, {
+            ok: false,
+            error: "Forbidden by ADMIN_ALLOWED_ORIGINS."
+          });
+          return;
         }
-
-        function formatPayload(item) {
-          if (item.payload && typeof item.payload === "object") {
-            return JSON.stringify(item.payload, null, 2);
+        res.writeHead(204);
+        res.end();
+        return;
+      }
+      if (req.method === "GET" && isUiPath(url.pathname)) {
+        this.sendHtml(res, renderAdminConsoleHtml());
+        return;
+      }
+      const requiredRole = requiredAdminRoleForRequest(req.method, url.pathname);
+      const authIdentity = requiredRole ? this.resolveAdminIdentity(req) : null;
+      if (requiredRole && !authIdentity) {
+        this.sendJson(res, 401, {
+          ok: false,
+          error: "Unauthorized. Provide Authorization: Bearer <ADMIN_TOKEN> (or token from ADMIN_TOKENS_JSON)."
+        });
+        return;
+      }
+      if (requiredRole && authIdentity && !hasRequiredAdminRole(authIdentity.role, requiredRole)) {
+        this.sendJson(res, 403, {
+          ok: false,
+          error: "Forbidden. This endpoint requires admin write permission."
+        });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/auth/status") {
+        this.sendJson(res, 200, {
+          ok: true,
+          data: {
+            authenticated: Boolean(authIdentity),
+            role: authIdentity?.role ?? null,
+            source: authIdentity?.source ?? "none",
+            actor: resolveIdentityActor(authIdentity),
+            canWrite: authIdentity ? hasRequiredAdminRole(authIdentity.role, "admin") : false
           }
-          if (typeof item.payloadJson === "string" && item.payloadJson) {
-            return item.payloadJson;
+        });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/config/global") {
+        this.sendJson(res, 200, {
+          ok: true,
+          data: buildGlobalConfigSnapshot(this.config),
+          effective: "next_start_for_env_changes"
+        });
+        return;
+      }
+      if (req.method === "PUT" && url.pathname === "/api/admin/config/global") {
+        const body = await readJsonBody(req, ADMIN_MAX_JSON_BODY_BYTES);
+        const actor = resolveAuditActor(req, authIdentity);
+        const result = this.updateGlobalConfig(body, actor);
+        this.sendJson(res, 200, {
+          ok: true,
+          ...result
+        });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/config/rooms") {
+        this.sendJson(res, 200, {
+          ok: true,
+          data: this.configService.listRoomSettings()
+        });
+        return;
+      }
+      const roomMatch = /^\/api\/admin\/config\/rooms\/(.+)$/.exec(url.pathname);
+      if (roomMatch) {
+        const roomId = decodeURIComponent(roomMatch[1]);
+        if (req.method === "GET") {
+          const room = this.configService.getRoomSettings(roomId);
+          if (!room) {
+            throw new HttpError(404, `room settings not found for ${roomId}`);
           }
-          return "";
+          this.sendJson(res, 200, { ok: true, data: room });
+          return;
         }
-      })();
-    </script>
-  </body>
-</html>
-`;
+        if (req.method === "PUT") {
+          const body = await readJsonBody(req, ADMIN_MAX_JSON_BODY_BYTES);
+          const actor = resolveAuditActor(req, authIdentity);
+          const room = this.updateRoomConfig(roomId, body, actor);
+          this.sendJson(res, 200, { ok: true, data: room });
+          return;
+        }
+        if (req.method === "DELETE") {
+          const actor = resolveAuditActor(req, authIdentity);
+          this.configService.deleteRoomSettings(roomId, actor);
+          this.sendJson(res, 200, { ok: true, roomId });
+          return;
+        }
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/audit") {
+        const limit = normalizePositiveInt(url.searchParams.get("limit"), 20, 1, 200);
+        this.sendJson(res, 200, {
+          ok: true,
+          data: this.stateStore.listConfigRevisions(limit).map((entry) => formatAuditEntry(entry))
+        });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/api/admin/health") {
+        const [codex, matrix] = await Promise.all([
+          this.checkCodex(this.config.codexBin),
+          this.checkMatrix(this.config.matrixHomeserver, this.config.doctorHttpTimeoutMs)
+        ]);
+        this.sendJson(res, 200, {
+          ok: codex.ok && matrix.ok,
+          codex,
+          matrix,
+          timestamp: (/* @__PURE__ */ new Date()).toISOString()
+        });
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/api/admin/service/restart") {
+        const body = asObject(await readJsonBody(req, ADMIN_MAX_JSON_BODY_BYTES), "service restart payload");
+        const restartAdmin = normalizeBoolean(body.withAdmin, false);
+        const actor = resolveAuditActor(req, authIdentity);
+        try {
+          const result = await this.restartServices(restartAdmin);
+          this.stateStore.appendConfigRevision(
+            actor,
+            restartAdmin ? "restart services (main + admin)" : "restart service (main)",
+            JSON.stringify({
+              type: "service_restart",
+              restartAdmin,
+              restarted: result.restarted
+            })
+          );
+          this.sendJson(res, 200, {
+            ok: true,
+            restarted: result.restarted
+          });
+          return;
+        } catch (error) {
+          throw new HttpError(
+            500,
+            `Service restart failed: ${formatError(error)}. Install services via "codeharbor service install --with-admin" to auto-configure restart permissions, or run CLI command manually with sudo.`
+          );
+        }
+      }
+      this.sendJson(res, 404, {
+        ok: false,
+        error: `Not found: ${req.method ?? "GET"} ${url.pathname}`
+      });
+    } catch (error) {
+      if (error instanceof HttpError) {
+        this.sendJson(res, error.statusCode, {
+          ok: false,
+          error: error.message
+        });
+        return;
+      }
+      this.logger.error("Admin API request failed", error);
+      this.sendJson(res, 500, {
+        ok: false,
+        error: formatError(error)
+      });
+    }
+  }
+  updateGlobalConfig(rawBody, actor) {
+    const body = asObject(rawBody, "global config payload");
+    const envUpdates = {};
+    const updatedKeys = [];
+    if ("matrixCommandPrefix" in body) {
+      const value = String(body.matrixCommandPrefix ?? "");
+      this.config.matrixCommandPrefix = value;
+      envUpdates.MATRIX_COMMAND_PREFIX = value;
+      updatedKeys.push("matrixCommandPrefix");
+    }
+    if ("codexWorkdir" in body) {
+      const workdir = import_node_path5.default.resolve(String(body.codexWorkdir ?? "").trim());
+      ensureDirectory(workdir, "codexWorkdir");
+      this.config.codexWorkdir = workdir;
+      envUpdates.CODEX_WORKDIR = workdir;
+      updatedKeys.push("codexWorkdir");
+    }
+    if ("rateLimiter" in body) {
+      const limiter = asObject(body.rateLimiter, "rateLimiter");
+      if ("windowMs" in limiter) {
+        const value = normalizePositiveInt(limiter.windowMs, this.config.rateLimiter.windowMs, 1, Number.MAX_SAFE_INTEGER);
+        this.config.rateLimiter.windowMs = value;
+        envUpdates.RATE_LIMIT_WINDOW_SECONDS = String(Math.max(1, Math.round(value / 1e3)));
+        updatedKeys.push("rateLimiter.windowMs");
+      }
+      if ("maxRequestsPerUser" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxRequestsPerUser, this.config.rateLimiter.maxRequestsPerUser);
+        this.config.rateLimiter.maxRequestsPerUser = value;
+        envUpdates.RATE_LIMIT_MAX_REQUESTS_PER_USER = String(value);
+        updatedKeys.push("rateLimiter.maxRequestsPerUser");
+      }
+      if ("maxRequestsPerRoom" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxRequestsPerRoom, this.config.rateLimiter.maxRequestsPerRoom);
+        this.config.rateLimiter.maxRequestsPerRoom = value;
+        envUpdates.RATE_LIMIT_MAX_REQUESTS_PER_ROOM = String(value);
+        updatedKeys.push("rateLimiter.maxRequestsPerRoom");
+      }
+      if ("maxConcurrentGlobal" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxConcurrentGlobal, this.config.rateLimiter.maxConcurrentGlobal);
+        this.config.rateLimiter.maxConcurrentGlobal = value;
+        envUpdates.RATE_LIMIT_MAX_CONCURRENT_GLOBAL = String(value);
+        updatedKeys.push("rateLimiter.maxConcurrentGlobal");
+      }
+      if ("maxConcurrentPerUser" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxConcurrentPerUser, this.config.rateLimiter.maxConcurrentPerUser);
+        this.config.rateLimiter.maxConcurrentPerUser = value;
+        envUpdates.RATE_LIMIT_MAX_CONCURRENT_PER_USER = String(value);
+        updatedKeys.push("rateLimiter.maxConcurrentPerUser");
+      }
+      if ("maxConcurrentPerRoom" in limiter) {
+        const value = normalizeNonNegativeInt(limiter.maxConcurrentPerRoom, this.config.rateLimiter.maxConcurrentPerRoom);
+        this.config.rateLimiter.maxConcurrentPerRoom = value;
+        envUpdates.RATE_LIMIT_MAX_CONCURRENT_PER_ROOM = String(value);
+        updatedKeys.push("rateLimiter.maxConcurrentPerRoom");
+      }
+    }
+    if ("defaultGroupTriggerPolicy" in body) {
+      const policy = asObject(body.defaultGroupTriggerPolicy, "defaultGroupTriggerPolicy");
+      if ("allowMention" in policy) {
+        const value = normalizeBoolean(policy.allowMention, this.config.defaultGroupTriggerPolicy.allowMention);
+        this.config.defaultGroupTriggerPolicy.allowMention = value;
+        envUpdates.GROUP_TRIGGER_ALLOW_MENTION = String(value);
+        updatedKeys.push("defaultGroupTriggerPolicy.allowMention");
+      }
+      if ("allowReply" in policy) {
+        const value = normalizeBoolean(policy.allowReply, this.config.defaultGroupTriggerPolicy.allowReply);
+        this.config.defaultGroupTriggerPolicy.allowReply = value;
+        envUpdates.GROUP_TRIGGER_ALLOW_REPLY = String(value);
+        updatedKeys.push("defaultGroupTriggerPolicy.allowReply");
+      }
+      if ("allowActiveWindow" in policy) {
+        const value = normalizeBoolean(policy.allowActiveWindow, this.config.defaultGroupTriggerPolicy.allowActiveWindow);
+        this.config.defaultGroupTriggerPolicy.allowActiveWindow = value;
+        envUpdates.GROUP_TRIGGER_ALLOW_ACTIVE_WINDOW = String(value);
+        updatedKeys.push("defaultGroupTriggerPolicy.allowActiveWindow");
+      }
+      if ("allowPrefix" in policy) {
+        const value = normalizeBoolean(policy.allowPrefix, this.config.defaultGroupTriggerPolicy.allowPrefix);
+        this.config.defaultGroupTriggerPolicy.allowPrefix = value;
+        envUpdates.GROUP_TRIGGER_ALLOW_PREFIX = String(value);
+        updatedKeys.push("defaultGroupTriggerPolicy.allowPrefix");
+      }
+    }
+    if ("matrixProgressUpdates" in body) {
+      const value = normalizeBoolean(body.matrixProgressUpdates, this.config.matrixProgressUpdates);
+      this.config.matrixProgressUpdates = value;
+      envUpdates.MATRIX_PROGRESS_UPDATES = String(value);
+      updatedKeys.push("matrixProgressUpdates");
+    }
+    if ("matrixProgressMinIntervalMs" in body) {
+      const value = normalizePositiveInt(
+        body.matrixProgressMinIntervalMs,
+        this.config.matrixProgressMinIntervalMs,
+        1,
+        Number.MAX_SAFE_INTEGER
+      );
+      this.config.matrixProgressMinIntervalMs = value;
+      envUpdates.MATRIX_PROGRESS_MIN_INTERVAL_MS = String(value);
+      updatedKeys.push("matrixProgressMinIntervalMs");
+    }
+    if ("matrixTypingTimeoutMs" in body) {
+      const value = normalizePositiveInt(
+        body.matrixTypingTimeoutMs,
+        this.config.matrixTypingTimeoutMs,
+        1,
+        Number.MAX_SAFE_INTEGER
+      );
+      this.config.matrixTypingTimeoutMs = value;
+      envUpdates.MATRIX_TYPING_TIMEOUT_MS = String(value);
+      updatedKeys.push("matrixTypingTimeoutMs");
+    }
+    if ("sessionActiveWindowMinutes" in body) {
+      const value = normalizePositiveInt(
+        body.sessionActiveWindowMinutes,
+        this.config.sessionActiveWindowMinutes,
+        1,
+        Number.MAX_SAFE_INTEGER
+      );
+      this.config.sessionActiveWindowMinutes = value;
+      envUpdates.SESSION_ACTIVE_WINDOW_MINUTES = String(value);
+      updatedKeys.push("sessionActiveWindowMinutes");
+    }
+    if ("groupDirectModeEnabled" in body) {
+      const value = normalizeBoolean(body.groupDirectModeEnabled, this.config.groupDirectModeEnabled);
+      this.config.groupDirectModeEnabled = value;
+      envUpdates.GROUP_DIRECT_MODE_ENABLED = String(value);
+      updatedKeys.push("groupDirectModeEnabled");
+    }
+    if ("cliCompat" in body) {
+      const compat = asObject(body.cliCompat, "cliCompat");
+      if ("enabled" in compat) {
+        const value = normalizeBoolean(compat.enabled, this.config.cliCompat.enabled);
+        this.config.cliCompat.enabled = value;
+        envUpdates.CLI_COMPAT_MODE = String(value);
+        updatedKeys.push("cliCompat.enabled");
+      }
+      if ("passThroughEvents" in compat) {
+        const value = normalizeBoolean(compat.passThroughEvents, this.config.cliCompat.passThroughEvents);
+        this.config.cliCompat.passThroughEvents = value;
+        envUpdates.CLI_COMPAT_PASSTHROUGH_EVENTS = String(value);
+        updatedKeys.push("cliCompat.passThroughEvents");
+      }
+      if ("preserveWhitespace" in compat) {
+        const value = normalizeBoolean(compat.preserveWhitespace, this.config.cliCompat.preserveWhitespace);
+        this.config.cliCompat.preserveWhitespace = value;
+        envUpdates.CLI_COMPAT_PRESERVE_WHITESPACE = String(value);
+        updatedKeys.push("cliCompat.preserveWhitespace");
+      }
+      if ("disableReplyChunkSplit" in compat) {
+        const value = normalizeBoolean(compat.disableReplyChunkSplit, this.config.cliCompat.disableReplyChunkSplit);
+        this.config.cliCompat.disableReplyChunkSplit = value;
+        envUpdates.CLI_COMPAT_DISABLE_REPLY_CHUNK_SPLIT = String(value);
+        updatedKeys.push("cliCompat.disableReplyChunkSplit");
+      }
+      if ("progressThrottleMs" in compat) {
+        const value = normalizeNonNegativeInt(compat.progressThrottleMs, this.config.cliCompat.progressThrottleMs);
+        this.config.cliCompat.progressThrottleMs = value;
+        envUpdates.CLI_COMPAT_PROGRESS_THROTTLE_MS = String(value);
+        updatedKeys.push("cliCompat.progressThrottleMs");
+      }
+      if ("fetchMedia" in compat) {
+        const value = normalizeBoolean(compat.fetchMedia, this.config.cliCompat.fetchMedia);
+        this.config.cliCompat.fetchMedia = value;
+        envUpdates.CLI_COMPAT_FETCH_MEDIA = String(value);
+        updatedKeys.push("cliCompat.fetchMedia");
+      }
+    }
+    if ("agentWorkflow" in body) {
+      const workflow = asObject(body.agentWorkflow, "agentWorkflow");
+      const currentAgentWorkflow = ensureAgentWorkflowConfig(this.config);
+      if ("enabled" in workflow) {
+        const value = normalizeBoolean(workflow.enabled, currentAgentWorkflow.enabled);
+        currentAgentWorkflow.enabled = value;
+        envUpdates.AGENT_WORKFLOW_ENABLED = String(value);
+        updatedKeys.push("agentWorkflow.enabled");
+      }
+      if ("autoRepairMaxRounds" in workflow) {
+        const value = normalizePositiveInt(
+          workflow.autoRepairMaxRounds,
+          currentAgentWorkflow.autoRepairMaxRounds,
+          0,
+          10
+        );
+        currentAgentWorkflow.autoRepairMaxRounds = value;
+        envUpdates.AGENT_WORKFLOW_AUTO_REPAIR_MAX_ROUNDS = String(value);
+        updatedKeys.push("agentWorkflow.autoRepairMaxRounds");
+      }
+    }
+    if (updatedKeys.length === 0) {
+      throw new HttpError(400, "No supported global config fields provided.");
+    }
+    this.persistEnvUpdates(envUpdates);
+    this.stateStore.appendConfigRevision(
+      actor,
+      `update global config: ${updatedKeys.join(", ")}`,
+      JSON.stringify({
+        type: "global_config_update",
+        updates: envUpdates
+      })
+    );
+    return {
+      data: buildGlobalConfigSnapshot(this.config),
+      updatedKeys,
+      restartRequired: true
+    };
+  }
+  updateRoomConfig(roomId, rawBody, actor) {
+    const body = asObject(rawBody, "room config payload");
+    const current = this.configService.getRoomSettings(roomId);
+    return this.configService.updateRoomSettings({
+      roomId,
+      enabled: normalizeBoolean(body.enabled, current?.enabled ?? true),
+      allowMention: normalizeBoolean(body.allowMention, current?.allowMention ?? true),
+      allowReply: normalizeBoolean(body.allowReply, current?.allowReply ?? true),
+      allowActiveWindow: normalizeBoolean(body.allowActiveWindow, current?.allowActiveWindow ?? true),
+      allowPrefix: normalizeBoolean(body.allowPrefix, current?.allowPrefix ?? true),
+      workdir: normalizeString(body.workdir, current?.workdir ?? this.config.codexWorkdir, "workdir"),
+      actor,
+      summary: normalizeOptionalString(body.summary)
+    });
+  }
+  resolveAdminIdentity(req) {
+    if (!this.adminToken && this.adminTokens.size === 0) {
+      return {
+        role: "admin",
+        actor: null,
+        source: "open"
+      };
+    }
+    const token = readAdminToken(req);
+    if (!token) {
+      return null;
+    }
+    if (this.adminToken && token === this.adminToken) {
+      return {
+        role: "admin",
+        actor: null,
+        source: "legacy"
+      };
+    }
+    const mappedIdentity = this.adminTokens.get(token);
+    if (!mappedIdentity) {
+      return null;
+    }
+    return {
+      role: mappedIdentity.role,
+      actor: mappedIdentity.actor,
+      source: "scoped"
+    };
+  }
+  isClientAllowed(req) {
+    if (this.adminIpAllowlist.length === 0) {
+      return true;
+    }
+    const normalizedRemote = normalizeRemoteAddress(req.socket.remoteAddress);
+    if (!normalizedRemote) {
+      return false;
+    }
+    return this.adminIpAllowlist.includes(normalizedRemote);
+  }
+  persistEnvUpdates(updates) {
+    const envPath = import_node_path5.default.resolve(this.cwd, ".env");
+    const examplePath = import_node_path5.default.resolve(this.cwd, ".env.example");
+    const template = import_node_fs4.default.existsSync(envPath) ? import_node_fs4.default.readFileSync(envPath, "utf8") : import_node_fs4.default.existsSync(examplePath) ? import_node_fs4.default.readFileSync(examplePath, "utf8") : "";
+    const next = applyEnvOverrides(template, updates);
+    import_node_fs4.default.writeFileSync(envPath, next, "utf8");
+  }
+  resolveCors(req) {
+    const origin = normalizeOriginHeader(req.headers.origin);
+    if (!origin) {
+      return { origin: null, allowed: true };
+    }
+    if (isSameOriginRequest(req, origin)) {
+      return { origin, allowed: true };
+    }
+    if (this.adminAllowedOrigins.includes("*")) {
+      return { origin, allowed: true };
+    }
+    if (this.adminAllowedOrigins.length === 0) {
+      return { origin, allowed: false };
+    }
+    return {
+      origin,
+      allowed: this.adminAllowedOrigins.includes(origin)
+    };
+  }
+  setCorsHeaders(res, corsDecision) {
+    if (!corsDecision.origin || !corsDecision.allowed) {
+      return;
+    }
+    res.setHeader("Access-Control-Allow-Origin", corsDecision.origin);
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Admin-Token, X-Admin-Actor");
+    res.setHeader("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
+    appendVaryHeader(res, "Origin");
+  }
+  setSecurityHeaders(res) {
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    res.setHeader("Referrer-Policy", "no-referrer");
+    res.setHeader("Permissions-Policy", "camera=(), microphone=(), geolocation=()");
+    res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
+    res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
+    res.setHeader(
+      "Content-Security-Policy",
+      "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
+    );
+  }
+  sendHtml(res, html) {
+    res.statusCode = 200;
+    res.setHeader("Content-Type", "text/html; charset=utf-8");
+    res.end(html);
+  }
+  sendJson(res, statusCode, payload) {
+    res.statusCode = statusCode;
+    res.setHeader("Content-Type", "application/json; charset=utf-8");
+    res.end(JSON.stringify(payload));
+  }
+};
+function buildGlobalConfigSnapshot(config) {
+  return {
+    matrixCommandPrefix: config.matrixCommandPrefix,
+    codexWorkdir: config.codexWorkdir,
+    rateLimiter: { ...config.rateLimiter },
+    groupDirectModeEnabled: config.groupDirectModeEnabled,
+    defaultGroupTriggerPolicy: { ...config.defaultGroupTriggerPolicy },
+    matrixProgressUpdates: config.matrixProgressUpdates,
+    matrixProgressMinIntervalMs: config.matrixProgressMinIntervalMs,
+    matrixTypingTimeoutMs: config.matrixTypingTimeoutMs,
+    sessionActiveWindowMinutes: config.sessionActiveWindowMinutes,
+    cliCompat: { ...config.cliCompat },
+    agentWorkflow: { ...ensureAgentWorkflowConfig(config) }
+  };
+}
+function ensureAgentWorkflowConfig(config) {
+  const mutable = config;
+  const existing = mutable.agentWorkflow;
+  if (existing && typeof existing.enabled === "boolean" && Number.isFinite(existing.autoRepairMaxRounds)) {
+    return existing;
+  }
+  const fallback = {
+    enabled: false,
+    autoRepairMaxRounds: 1
+  };
+  mutable.agentWorkflow = fallback;
+  return fallback;
+}
+function formatAuditEntry(entry) {
+  return {
+    id: entry.id,
+    actor: entry.actor,
+    summary: entry.summary,
+    payloadJson: entry.payloadJson,
+    payload: parseJsonLoose(entry.payloadJson),
+    createdAt: entry.createdAt,
+    createdAtIso: new Date(entry.createdAt).toISOString()
+  };
+}
+function parseJsonLoose(raw) {
+  try {
+    return JSON.parse(raw);
+  } catch {
+    return raw;
+  }
+}
+async function defaultRestartServices(restartAdmin) {
+  const outputChunks = [];
+  const output = {
+    write: (chunk) => {
+      outputChunks.push(typeof chunk === "string" ? chunk : Buffer.from(chunk).toString("utf8"));
+      return true;
+    }
+  };
+  restartSystemdServices({
+    restartAdmin,
+    output
+  });
+  return {
+    restarted: restartAdmin ? ["codeharbor", "codeharbor-admin"] : ["codeharbor"]
+  };
+}
+function isUiPath(pathname) {
+  return pathname === "/" || pathname === "/index.html" || pathname === "/settings/global" || pathname === "/settings/rooms" || pathname === "/health" || pathname === "/audit";
+}
+function normalizeAllowlist(entries) {
+  const output = /* @__PURE__ */ new Set();
+  for (const entry of entries) {
+    const normalized = normalizeRemoteAddress(entry);
+    if (normalized) {
+      output.add(normalized);
+    }
+  }
+  return [...output];
+}
+function normalizeOriginAllowlist(entries) {
+  const output = /* @__PURE__ */ new Set();
+  for (const entry of entries) {
+    const normalized = normalizeOrigin(entry);
+    if (normalized) {
+      output.add(normalized);
+    }
+  }
+  return [...output];
+}
+function normalizeRemoteAddress(value) {
+  if (!value) {
+    return null;
+  }
+  const trimmed = value.trim().toLowerCase();
+  if (!trimmed) {
+    return null;
+  }
+  const withoutZone = trimmed.includes("%") ? trimmed.slice(0, trimmed.indexOf("%")) : trimmed;
+  if (withoutZone === "::1" || withoutZone === "0:0:0:0:0:0:0:1") {
+    return "127.0.0.1";
+  }
+  if (withoutZone.startsWith("::ffff:")) {
+    return withoutZone.slice("::ffff:".length);
+  }
+  return withoutZone;
+}
+function normalizeOriginHeader(value) {
+  if (!value) {
+    return null;
+  }
+  const raw = Array.isArray(value) ? value[0] ?? "" : value;
+  return normalizeOrigin(raw);
+}
+function normalizeOrigin(value) {
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return null;
+  }
+  if (trimmed === "*") {
+    return "*";
+  }
+  try {
+    const parsed = new URL(trimmed);
+    return `${parsed.protocol}//${parsed.host}`.toLowerCase();
+  } catch {
+    return null;
+  }
+}
+function isSameOriginRequest(req, origin) {
+  const host = normalizeHeaderValue(req.headers.host);
+  if (!host) {
+    return false;
+  }
+  const forwardedProto = normalizeHeaderValue(req.headers["x-forwarded-proto"]);
+  const protocol = forwardedProto || "http";
+  return origin === `${protocol}://${host}`.toLowerCase();
+}
+function appendVaryHeader(res, headerName) {
+  const current = res.getHeader("Vary");
+  const existing = typeof current === "string" ? current.split(",").map((v) => v.trim()).filter(Boolean) : [];
+  if (!existing.includes(headerName)) {
+    existing.push(headerName);
+  }
+  res.setHeader("Vary", existing.join(", "));
+}
+function renderAdminConsoleHtml() {
+  return ADMIN_CONSOLE_HTML;
+}
+async function readJsonBody(req, maxBytes) {
+  const contentLengthHeader = req.headers["content-length"];
+  if (typeof contentLengthHeader === "string" && contentLengthHeader.trim()) {
+    const declaredLength = Number.parseInt(contentLengthHeader, 10);
+    if (Number.isFinite(declaredLength) && declaredLength > maxBytes) {
+      throw new HttpError(413, `Request body too large. Max allowed bytes: ${maxBytes}.`);
+    }
+  }
+  const chunks = [];
+  let totalBytes = 0;
+  for await (const chunk of req) {
+    const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+    totalBytes += buffer.length;
+    if (totalBytes > maxBytes) {
+      throw new HttpError(413, `Request body too large. Max allowed bytes: ${maxBytes}.`);
+    }
+    chunks.push(buffer);
+  }
+  if (chunks.length === 0) {
+    return {};
+  }
+  const raw = Buffer.concat(chunks).toString("utf8").trim();
+  if (!raw) {
+    return {};
+  }
+  try {
+    return JSON.parse(raw);
+  } catch {
+    throw new HttpError(400, "Request body must be valid JSON.");
+  }
+}
+function asObject(value, name) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new HttpError(400, `${name} must be a JSON object.`);
+  }
+  return value;
+}
+function normalizeBoolean(value, fallback) {
+  if (value === void 0) {
+    return fallback;
+  }
+  if (typeof value !== "boolean") {
+    throw new HttpError(400, "Expected boolean value.");
+  }
+  return value;
+}
+function normalizeString(value, fallback, fieldName) {
+  if (value === void 0) {
+    return fallback;
+  }
+  if (typeof value !== "string") {
+    throw new HttpError(400, `Expected string value for ${fieldName}.`);
+  }
+  return value.trim();
+}
+function normalizeOptionalString(value) {
+  if (value === void 0 || value === null) {
+    return null;
+  }
+  if (typeof value !== "string") {
+    throw new HttpError(400, "Expected string value.");
+  }
+  const trimmed = value.trim();
+  return trimmed || null;
+}
+function normalizePositiveInt(value, fallback, min, max) {
+  if (value === void 0 || value === null) {
+    return fallback;
+  }
+  const parsed = Number.parseInt(String(value), 10);
+  if (!Number.isFinite(parsed) || parsed < min || parsed > max) {
+    throw new HttpError(400, `Expected integer in range [${min}, ${max}].`);
+  }
+  return parsed;
+}
+function normalizeNonNegativeInt(value, fallback) {
+  return normalizePositiveInt(value, fallback, 0, Number.MAX_SAFE_INTEGER);
+}
+function ensureDirectory(targetPath, fieldName) {
+  if (!import_node_fs4.default.existsSync(targetPath) || !import_node_fs4.default.statSync(targetPath).isDirectory()) {
+    throw new HttpError(400, `${fieldName} must be an existing directory: ${targetPath}`);
+  }
+}
+function normalizeHeaderValue(value) {
+  if (!value) {
+    return "";
+  }
+  if (Array.isArray(value)) {
+    return value[0]?.trim() ?? "";
+  }
+  return value.trim();
+}
+function readAdminToken(req) {
+  const authorization = normalizeHeaderValue(req.headers.authorization);
+  if (authorization) {
+    const match = /^bearer\s+(.+)$/i.exec(authorization);
+    const token = match?.[1]?.trim() ?? "";
+    if (token) {
+      return token;
+    }
+  }
+  const fromHeader = normalizeHeaderValue(req.headers["x-admin-token"]);
+  return fromHeader || null;
+}
+function resolveIdentityActor(identity) {
+  if (!identity || identity.source !== "scoped") {
+    return null;
+  }
+  if (identity.actor) {
+    return identity.actor;
+  }
+  return identity.role === "admin" ? "admin-token" : "viewer-token";
+}
+function resolveAuditActor(req, identity) {
+  const scopedActor = resolveIdentityActor(identity);
+  if (scopedActor) {
+    return scopedActor;
+  }
+  const actor = normalizeHeaderValue(req.headers["x-admin-actor"]);
+  return actor || null;
+}
+function requiredAdminRoleForRequest(method, pathname) {
+  if (!pathname.startsWith("/api/admin/")) {
+    return null;
+  }
+  const normalizedMethod = (method ?? "GET").toUpperCase();
+  if (normalizedMethod === "GET" || normalizedMethod === "HEAD") {
+    return "viewer";
+  }
+  return "admin";
+}
+function hasRequiredAdminRole(role, requiredRole) {
+  if (requiredRole === "viewer") {
+    return role === "viewer" || role === "admin";
+  }
+  return role === "admin";
+}
+function buildAdminTokenMap(tokens) {
+  const mapped = /* @__PURE__ */ new Map();
+  for (const token of tokens) {
+    mapped.set(token.token, {
+      role: token.role,
+      actor: token.actor
+    });
+  }
+  return mapped;
+}
+function formatError(error) {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
 async function defaultCheckCodex(bin) {
   try {
     const { stdout } = await execFileAsync2(bin, ["--version"]);
@@ -2594,6 +2610,10 @@ function findBreakIndex(candidate) {
 
 // src/channels/matrix-channel.ts
 var LOCAL_TXN_PREFIX = "codeharbor-";
+var MATRIX_HTTP_TIMEOUT_MS = 15e3;
+var MATRIX_HTTP_MAX_RETRIES = 2;
+var RETRYABLE_HTTP_STATUS = /* @__PURE__ */ new Set([408, 425, 429, 500, 502, 503, 504]);
+var ACCEPTED_MSG_TYPES = /* @__PURE__ */ new Set(["m.text", "m.image", "m.file", "m.audio", "m.video"]);
 var MatrixChannel = class {
   config;
   logger;
@@ -2720,8 +2740,7 @@ var MatrixChannel = class {
       return;
     }
     const msgtype = typeof content.msgtype === "string" ? content.msgtype : "";
-    const acceptedMsgtypes = /* @__PURE__ */ new Set(["m.text", "m.image", "m.file", "m.audio", "m.video"]);
-    if (!acceptedMsgtypes.has(msgtype)) {
+    if (!ACCEPTED_MSG_TYPES.has(msgtype)) {
       return;
     }
     const eventId = event.getId();
@@ -2822,8 +2841,9 @@ var MatrixChannel = class {
   }
   async sendRawEvent(conversationId, content) {
     const txnId = `${LOCAL_TXN_PREFIX}${Date.now()}-${Math.floor(Math.random() * 1e6)}`;
-    const response = await fetch(
-      `${this.config.matrixHomeserver}/_matrix/client/v3/rooms/${encodeURIComponent(conversationId)}/send/m.room.message/${encodeURIComponent(txnId)}`,
+    const url = `${this.config.matrixHomeserver}/_matrix/client/v3/rooms/${encodeURIComponent(conversationId)}/send/m.room.message/${encodeURIComponent(txnId)}`;
+    const response = await fetchWithRetry(
+      url,
       {
         method: "PUT",
         headers: {
@@ -2831,10 +2851,17 @@ var MatrixChannel = class {
           "Content-Type": "application/json"
         },
         body: JSON.stringify(content)
+      },
+      {
+        timeoutMs: MATRIX_HTTP_TIMEOUT_MS,
+        maxRetries: MATRIX_HTTP_MAX_RETRIES
       }
     );
     if (!response.ok) {
-      throw new Error(`Matrix send failed (${response.status} ${response.statusText})`);
+      const responseSnippet = await readResponseSnippet(response);
+      throw new Error(
+        `Matrix send failed (${response.status} ${response.statusText})${responseSnippet ? `: ${responseSnippet}` : ""}`
+      );
     }
     const payload = await response.json();
     if (!payload.event_id || typeof payload.event_id !== "string") {
@@ -2888,15 +2915,25 @@ var MatrixChannel = class {
       Authorization: `Bearer ${this.config.matrixAccessToken}`
     };
     let response = null;
+    const failedStatuses = [];
     for (const url of mediaUrls) {
-      const candidate = await fetch(url, { headers });
+      const candidate = await fetchWithRetry(
+        url,
+        { headers },
+        {
+          timeoutMs: MATRIX_HTTP_TIMEOUT_MS,
+          maxRetries: MATRIX_HTTP_MAX_RETRIES
+        }
+      );
       if (candidate.ok) {
         response = candidate;
         break;
       }
+      failedStatuses.push(candidate.status);
     }
     if (!response) {
-      throw new Error(`Failed to download media for ${mxcUrl}`);
+      const suffix = failedStatuses.length > 0 ? ` (statuses: ${failedStatuses.join(",")})` : "";
+      throw new Error(`Failed to download media for ${mxcUrl}${suffix}`);
     }
     const bytes = Buffer.from(await response.arrayBuffer());
     const extension = resolveFileExtension(fileName, mimeType);
@@ -2907,7 +2944,68 @@ var MatrixChannel = class {
     await import_promises2.default.writeFile(targetPath, bytes);
     return targetPath;
   }
-};
+};
+async function fetchWithRetry(url, init, options) {
+  let attempt = 0;
+  let lastError = null;
+  while (attempt <= options.maxRetries) {
+    try {
+      const response = await fetchWithTimeout(url, init, options.timeoutMs);
+      if (response.ok || !RETRYABLE_HTTP_STATUS.has(response.status) || attempt === options.maxRetries) {
+        return response;
+      }
+    } catch (error) {
+      lastError = error;
+      if (attempt === options.maxRetries) {
+        throw error;
+      }
+    }
+    const delayMs = computeRetryDelayMs(attempt);
+    await sleep(delayMs);
+    attempt += 1;
+  }
+  throw new Error(`HTTP request failed for ${url}: ${formatError2(lastError)}`);
+}
+async function fetchWithTimeout(url, init, timeoutMs) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  timer.unref?.();
+  try {
+    return await fetch(url, {
+      ...init,
+      signal: controller.signal
+    });
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function computeRetryDelayMs(attempt) {
+  const base = 250;
+  return Math.min(2e3, base * 2 ** attempt);
+}
+async function sleep(delayMs) {
+  await new Promise((resolve) => {
+    const timer = setTimeout(resolve, delayMs);
+    timer.unref?.();
+  });
+}
+async function readResponseSnippet(response) {
+  try {
+    const text = (await response.text()).trim();
+    if (!text) {
+      return "";
+    }
+    return text.length > 300 ? `${text.slice(0, 300)}...` : text;
+  } catch {
+    return "";
+  }
+}
+function formatError2(error) {
+  if (error instanceof Error) {
+    return error.message;
+  }
+  return String(error);
+}
 function buildRequestId(eventId) {
   const suffix = Math.random().toString(36).slice(2, 8);
   return `${eventId}:${suffix}`;
@@ -3030,7 +3128,7 @@ function renderMatrixHtml(body, msgtype) {
   let match;
   while ((match = codeFencePattern.exec(normalized)) !== null) {
     const before = normalized.slice(cursor, match.index);
-    const renderedBefore = renderTextSection(before);
+    const renderedBefore = renderMarkdownSection(before);
     if (renderedBefore) {
       sections.push(renderedBefore);
     }
@@ -3043,29 +3141,142 @@ function renderMatrixHtml(body, msgtype) {
     cursor = match.index + match[0].length;
   }
   const tail = normalized.slice(cursor);
-  const renderedTail = renderTextSection(tail);
+  const renderedTail = renderMarkdownSection(tail);
   if (renderedTail) {
     sections.push(renderedTail);
   }
   if (sections.length === 0) {
     sections.push("<p>(\u7A7A\u6D88\u606F)</p>");
   }
-  const badge = msgtype === "m.notice" ? `<p><font color="#8a5a00"><b>\u{1F4E3} CodeHarbor \u63D0\u793A</b></font></p>` : `<p><font color="#1f7a5a"><b>\u{1F916} AI \u56DE\u590D</b></font></p>`;
+  const badge = msgtype === "m.notice" ? `<p><font color="#8a5a00"><b>CodeHarbor \u63D0\u793A</b></font></p>` : `<p><font color="#1f7a5a"><b>CodeHarbor AI \u56DE\u590D</b></font></p>`;
   return `<div>${badge}${sections.join("")}</div>`;
 }
-function renderTextSection(raw) {
+function renderMarkdownSection(raw) {
   if (!raw.trim()) {
     return "";
   }
-  const normalized = raw.replace(/\r\n/g, "\n").trim();
-  const paragraphs = normalized.split(/\n{2,}/);
-  const rendered = paragraphs.map((paragraph) => {
-    const escaped = escapeHtml(paragraph);
-    const inlineCode = escaped.replace(/`([^`\n]+)`/g, "<code>$1</code>");
-    return `<p>${inlineCode.replace(/\n/g, "<br/>")}</p>`;
-  }).join("");
+  const lines = raw.replace(/\r\n/g, "\n").trim().split("\n");
+  const blocks = [];
+  let index = 0;
+  while (index < lines.length) {
+    const line = lines[index];
+    const trimmed = line.trim();
+    if (!trimmed) {
+      index += 1;
+      continue;
+    }
+    const headingMatch = /^(#{1,6})\s+(.+)$/.exec(trimmed);
+    if (headingMatch) {
+      const level = Math.min(6, headingMatch[1].length + 1);
+      blocks.push(`<h${level}>${renderInlineMarkup(headingMatch[2])}</h${level}>`);
+      index += 1;
+      continue;
+    }
+    if (/^(?:-{3,}|\*{3,}|_{3,})$/.test(trimmed)) {
+      blocks.push("<hr/>");
+      index += 1;
+      continue;
+    }
+    if (/^>\s?/.test(trimmed)) {
+      const quoteLines = [];
+      while (index < lines.length) {
+        const current = lines[index].trim();
+        if (!current) {
+          break;
+        }
+        if (!/^>\s?/.test(current)) {
+          break;
+        }
+        quoteLines.push(current.replace(/^>\s?/, ""));
+        index += 1;
+      }
+      if (quoteLines.length > 0) {
+        blocks.push(`<blockquote><p>${quoteLines.map((entry) => renderInlineMarkup(entry)).join("<br/>")}</p></blockquote>`);
+      }
+      continue;
+    }
+    if (/^\s*[-*]\s+/.test(line)) {
+      const items = [];
+      while (index < lines.length && /^\s*[-*]\s+/.test(lines[index])) {
+        items.push(lines[index].replace(/^\s*[-*]\s+/, "").trim());
+        index += 1;
+      }
+      blocks.push(`<ul>${items.map((item) => `<li>${renderInlineMarkup(item)}</li>`).join("")}</ul>`);
+      continue;
+    }
+    if (/^\s*\d+\.\s+/.test(line)) {
+      const items = [];
+      while (index < lines.length && /^\s*\d+\.\s+/.test(lines[index])) {
+        items.push(lines[index].replace(/^\s*\d+\.\s+/, "").trim());
+        index += 1;
+      }
+      blocks.push(`<ol>${items.map((item) => `<li>${renderInlineMarkup(item)}</li>`).join("")}</ol>`);
+      continue;
+    }
+    const paragraphLines = [];
+    while (index < lines.length) {
+      const current = lines[index];
+      if (!current.trim()) {
+        break;
+      }
+      if (isBlockBoundaryLine(current)) {
+        break;
+      }
+      paragraphLines.push(current.trimEnd());
+      index += 1;
+    }
+    if (paragraphLines.length > 0) {
+      blocks.push(`<p>${paragraphLines.map((entry) => renderInlineMarkup(entry)).join("<br/>")}</p>`);
+      continue;
+    }
+    index += 1;
+  }
+  return blocks.join("");
+}
+function isBlockBoundaryLine(line) {
+  const trimmed = line.trim();
+  if (!trimmed) {
+    return false;
+  }
+  return /^(#{1,6})\s+/.test(trimmed) || /^(?:-{3,}|\*{3,}|_{3,})$/.test(trimmed) || /^>\s?/.test(trimmed) || /^\s*[-*]\s+/.test(trimmed) || /^\s*\d+\.\s+/.test(trimmed);
+}
+function renderInlineMarkup(raw) {
+  if (!raw) {
+    return "";
+  }
+  const inlineCodeSegments = [];
+  const withPlaceholders = raw.replace(/`([^`\n]+)`/g, (_match, code) => {
+    const token = `@@CHCODE${inlineCodeSegments.length}@@`;
+    inlineCodeSegments.push(`<code>${escapeHtml(code)}</code>`);
+    return token;
+  });
+  let rendered = escapeHtml(withPlaceholders);
+  rendered = rendered.replace(/\[([^\]\n]+)\]\((https?:\/\/[^\s)]+)\)/g, (_match, label, url) => {
+    const safeUrl = sanitizeLinkUrl(url);
+    if (!safeUrl) {
+      return escapeHtml(label);
+    }
+    return `<a href="${escapeHtml(safeUrl)}">${escapeHtml(label)}</a>`;
+  });
+  rendered = rendered.replace(/\*\*([^*\n]+)\*\*/g, "<strong>$1</strong>");
+  rendered = rendered.replace(/(^|[^*])\*([^*\n]+)\*/g, "$1<em>$2</em>");
+  rendered = rendered.replace(/(^|[^_])_([^_\n]+)_/g, "$1<em>$2</em>");
+  for (let i = 0; i < inlineCodeSegments.length; i += 1) {
+    rendered = rendered.replace(`@@CHCODE${i}@@`, inlineCodeSegments[i]);
+  }
   return rendered;
 }
+function sanitizeLinkUrl(url) {
+  try {
+    const parsed = new URL(url);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      return null;
+    }
+    return parsed.toString();
+  } catch {
+    return null;
+  }
+}
 function escapeHtml(value) {
   return value.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#39;");
 }
@@ -3611,13 +3822,20 @@ var RateLimiter = class {
       return [];
     }
     const threshold = now - this.options.windowMs;
-    const pruned = existing.filter((ts) => ts > threshold);
-    if (pruned.length === 0) {
+    let writeIndex = 0;
+    for (let readIndex = 0; readIndex < existing.length; readIndex += 1) {
+      const timestamp = existing[readIndex];
+      if (timestamp > threshold) {
+        existing[writeIndex] = timestamp;
+        writeIndex += 1;
+      }
+    }
+    if (writeIndex === 0) {
       container.delete(key);
       return [];
     }
-    container.set(key, pruned);
-    return pruned;
+    existing.length = writeIndex;
+    return existing;
   }
   decrementCounter(container, key) {
     const current = container.get(key) ?? 0;
@@ -4194,6 +4412,8 @@ function escapeRegex(value) {
 }
 
 // src/orchestrator.ts
+var RUN_SNAPSHOT_TTL_MS = 6 * 60 * 60 * 1e3;
+var RUN_SNAPSHOT_MAX_ENTRIES = 500;
 var RequestMetrics = class {
   total = 0;
   success = 0;
@@ -4336,299 +4556,303 @@ var Orchestrator = class {
     this.sessionRuntime = new CodexSessionRuntime(this.executor);
   }
   async handleMessage(message) {
-    const receivedAt = Date.now();
-    const requestId = message.requestId || message.eventId;
-    const sessionKey = buildSessionKey(message);
-    const directCommand = parseControlCommand(message.text.trim());
-    if (directCommand === "stop") {
-      if (this.stateStore.hasProcessedEvent(sessionKey, message.eventId)) {
-        this.metrics.record("duplicate", 0, 0, 0);
-        this.logger.debug("Duplicate stop command ignored", { requestId, eventId: message.eventId, sessionKey });
-        return;
-      }
-      await this.handleStopCommand(sessionKey, message, requestId);
-      this.stateStore.markEventProcessed(sessionKey, message.eventId);
-      return;
-    }
-    const lock = this.getLock(sessionKey);
-    await lock.runExclusive(async () => {
-      const queueWaitMs = Date.now() - receivedAt;
-      if (this.stateStore.hasProcessedEvent(sessionKey, message.eventId)) {
-        this.metrics.record("duplicate", queueWaitMs, 0, 0);
-        this.logger.debug("Duplicate event ignored", { requestId, eventId: message.eventId, sessionKey, queueWaitMs });
-        return;
-      }
-      const roomConfig = this.resolveRoomRuntimeConfig(message.conversationId);
-      const route = this.routeMessage(message, sessionKey, roomConfig);
-      if (route.kind === "ignore") {
-        this.metrics.record("ignored", queueWaitMs, 0, 0);
-        this.logger.debug("Message ignored by routing policy", {
-          requestId,
-          sessionKey,
-          isDirectMessage: message.isDirectMessage,
-          mentionsBot: message.mentionsBot,
-          repliesToBot: message.repliesToBot
-        });
-        return;
-      }
-      if (route.kind === "command") {
-        await this.handleControlCommand(route.command, sessionKey, message, requestId);
-        this.stateStore.markEventProcessed(sessionKey, message.eventId);
-        return;
-      }
-      const workflowCommand = this.workflowRunner.isEnabled() ? parseWorkflowCommand(route.prompt) : null;
-      const autoDevCommand = this.workflowRunner.isEnabled() ? parseAutoDevCommand(route.prompt) : null;
-      if (workflowCommand?.kind === "status") {
-        await this.handleWorkflowStatusCommand(sessionKey, message);
-        this.stateStore.markEventProcessed(sessionKey, message.eventId);
-        return;
-      }
-      if (autoDevCommand?.kind === "status") {
-        await this.handleAutoDevStatusCommand(sessionKey, message, roomConfig.workdir);
-        this.stateStore.markEventProcessed(sessionKey, message.eventId);
-        return;
-      }
-      const rateDecision = this.rateLimiter.tryAcquire({
-        userId: message.senderId,
-        roomId: message.conversationId
-      });
-      if (!rateDecision.allowed) {
-        this.metrics.record("rate_limited", queueWaitMs, 0, 0);
-        await this.channel.sendNotice(message.conversationId, buildRateLimitNotice(rateDecision));
+    const attachmentPaths = collectImagePaths(message);
+    try {
+      const receivedAt = Date.now();
+      const requestId = message.requestId || message.eventId;
+      const sessionKey = buildSessionKey(message);
+      const directCommand = parseControlCommand(message.text.trim());
+      if (directCommand === "stop") {
+        if (this.stateStore.hasProcessedEvent(sessionKey, message.eventId)) {
+          this.metrics.record("duplicate", 0, 0, 0);
+          this.logger.debug("Duplicate stop command ignored", { requestId, eventId: message.eventId, sessionKey });
+          return;
+        }
+        await this.handleStopCommand(sessionKey, message, requestId);
         this.stateStore.markEventProcessed(sessionKey, message.eventId);
-        this.logger.warn("Request rejected by rate limiter", {
-          requestId,
-          sessionKey,
-          reason: rateDecision.reason,
-          retryAfterMs: rateDecision.retryAfterMs ?? null,
-          queueWaitMs
-        });
         return;
       }
-      if (workflowCommand?.kind === "run") {
-        const executionStartedAt = Date.now();
-        let sendDurationMs2 = 0;
-        this.stateStore.activateSession(sessionKey, this.sessionActiveWindowMs);
-        try {
-          const sendStartedAt = Date.now();
-          await this.handleWorkflowRunCommand(
-            workflowCommand.objective,
-            sessionKey,
-            message,
-            requestId,
-            roomConfig.workdir
-          );
-          sendDurationMs2 += Date.now() - sendStartedAt;
-          this.stateStore.markEventProcessed(sessionKey, message.eventId);
-          this.metrics.record("success", queueWaitMs, Date.now() - executionStartedAt, sendDurationMs2);
-        } catch (error) {
-          sendDurationMs2 += await this.sendWorkflowFailure(message.conversationId, error);
-          this.stateStore.commitExecutionHandled(sessionKey, message.eventId);
-          const status = classifyExecutionOutcome(error);
-          this.metrics.record(status, queueWaitMs, Date.now() - executionStartedAt, sendDurationMs2);
-          this.logger.error("Workflow request failed", {
+      const lock = this.getLock(sessionKey);
+      await lock.runExclusive(async () => {
+        const queueWaitMs = Date.now() - receivedAt;
+        if (this.stateStore.hasProcessedEvent(sessionKey, message.eventId)) {
+          this.metrics.record("duplicate", queueWaitMs, 0, 0);
+          this.logger.debug("Duplicate event ignored", { requestId, eventId: message.eventId, sessionKey, queueWaitMs });
+          return;
+        }
+        const roomConfig = this.resolveRoomRuntimeConfig(message.conversationId);
+        const route = this.routeMessage(message, sessionKey, roomConfig);
+        if (route.kind === "ignore") {
+          this.metrics.record("ignored", queueWaitMs, 0, 0);
+          this.logger.debug("Message ignored by routing policy", {
             requestId,
             sessionKey,
-            error: formatError2(error)
+            isDirectMessage: message.isDirectMessage,
+            mentionsBot: message.mentionsBot,
+            repliesToBot: message.repliesToBot
           });
-        } finally {
-          rateDecision.release?.();
+          return;
         }
-        return;
-      }
-      if (autoDevCommand?.kind === "run") {
-        const executionStartedAt = Date.now();
-        let sendDurationMs2 = 0;
-        this.stateStore.activateSession(sessionKey, this.sessionActiveWindowMs);
-        try {
-          const sendStartedAt = Date.now();
-          await this.handleAutoDevRunCommand(
-            autoDevCommand.taskId,
-            sessionKey,
-            message,
-            requestId,
-            roomConfig.workdir
-          );
-          sendDurationMs2 += Date.now() - sendStartedAt;
+        if (route.kind === "command") {
+          await this.handleControlCommand(route.command, sessionKey, message, requestId);
           this.stateStore.markEventProcessed(sessionKey, message.eventId);
-          this.metrics.record("success", queueWaitMs, Date.now() - executionStartedAt, sendDurationMs2);
-        } catch (error) {
-          sendDurationMs2 += await this.sendAutoDevFailure(message.conversationId, error);
-          this.stateStore.commitExecutionHandled(sessionKey, message.eventId);
-          const status = classifyExecutionOutcome(error);
-          this.metrics.record(status, queueWaitMs, Date.now() - executionStartedAt, sendDurationMs2);
-          this.logger.error("AutoDev request failed", {
+          return;
+        }
+        const workflowCommand = this.workflowRunner.isEnabled() ? parseWorkflowCommand(route.prompt) : null;
+        const autoDevCommand = this.workflowRunner.isEnabled() ? parseAutoDevCommand(route.prompt) : null;
+        if (workflowCommand?.kind === "status") {
+          await this.handleWorkflowStatusCommand(sessionKey, message);
+          this.stateStore.markEventProcessed(sessionKey, message.eventId);
+          return;
+        }
+        if (autoDevCommand?.kind === "status") {
+          await this.handleAutoDevStatusCommand(sessionKey, message, roomConfig.workdir);
+          this.stateStore.markEventProcessed(sessionKey, message.eventId);
+          return;
+        }
+        const rateDecision = this.rateLimiter.tryAcquire({
+          userId: message.senderId,
+          roomId: message.conversationId
+        });
+        if (!rateDecision.allowed) {
+          this.metrics.record("rate_limited", queueWaitMs, 0, 0);
+          await this.channel.sendNotice(message.conversationId, buildRateLimitNotice(rateDecision));
+          this.stateStore.markEventProcessed(sessionKey, message.eventId);
+          this.logger.warn("Request rejected by rate limiter", {
             requestId,
             sessionKey,
-            error: formatError2(error)
+            reason: rateDecision.reason,
+            retryAfterMs: rateDecision.retryAfterMs ?? null,
+            queueWaitMs
           });
-        } finally {
-          rateDecision.release?.();
+          return;
         }
-        return;
-      }
-      this.stateStore.activateSession(sessionKey, this.sessionActiveWindowMs);
-      const previousCodexSessionId = this.stateStore.getCodexSessionId(sessionKey);
-      const executionPrompt = this.buildExecutionPrompt(route.prompt, message);
-      const imagePaths = collectImagePaths(message);
-      let lastProgressAt = 0;
-      let lastProgressText = "";
-      let progressNoticeEventId = null;
-      let progressChain = Promise.resolve();
-      let executionHandle = null;
-      let executionDurationMs = 0;
-      let sendDurationMs = 0;
-      const requestStartedAt = Date.now();
-      let cancelRequested = false;
-      this.runningExecutions.set(sessionKey, {
-        requestId,
-        startedAt: requestStartedAt,
-        cancel: () => {
-          cancelRequested = true;
-          executionHandle?.cancel();
+        if (workflowCommand?.kind === "run") {
+          const executionStartedAt = Date.now();
+          let sendDurationMs2 = 0;
+          this.stateStore.activateSession(sessionKey, this.sessionActiveWindowMs);
+          try {
+            const sendStartedAt = Date.now();
+            await this.handleWorkflowRunCommand(
+              workflowCommand.objective,
+              sessionKey,
+              message,
+              requestId,
+              roomConfig.workdir
+            );
+            sendDurationMs2 += Date.now() - sendStartedAt;
+            this.stateStore.markEventProcessed(sessionKey, message.eventId);
+            this.metrics.record("success", queueWaitMs, Date.now() - executionStartedAt, sendDurationMs2);
+          } catch (error) {
+            sendDurationMs2 += await this.sendWorkflowFailure(message.conversationId, error);
+            this.stateStore.commitExecutionHandled(sessionKey, message.eventId);
+            const status = classifyExecutionOutcome(error);
+            this.metrics.record(status, queueWaitMs, Date.now() - executionStartedAt, sendDurationMs2);
+            this.logger.error("Workflow request failed", {
+              requestId,
+              sessionKey,
+              error: formatError3(error)
+            });
+          } finally {
+            rateDecision.release?.();
+          }
+          return;
         }
-      });
-      await this.recordCliCompatPrompt({
-        requestId,
-        sessionKey,
-        conversationId: message.conversationId,
-        senderId: message.senderId,
-        prompt: executionPrompt,
-        imageCount: imagePaths.length
-      });
-      this.logger.info("Processing message", {
-        requestId,
-        sessionKey,
-        hasCodexSession: Boolean(previousCodexSessionId),
-        queueWaitMs,
-        attachmentCount: message.attachments.length,
-        workdir: roomConfig.workdir,
-        roomConfigSource: roomConfig.source,
-        isDirectMessage: message.isDirectMessage,
-        mentionsBot: message.mentionsBot,
-        repliesToBot: message.repliesToBot
-      });
-      const stopTyping = this.startTypingHeartbeat(message.conversationId);
-      try {
-        const executionStartedAt = Date.now();
-        executionHandle = this.sessionRuntime.startExecution(
-          sessionKey,
-          executionPrompt,
-          previousCodexSessionId,
-          (progress) => {
-            progressChain = progressChain.then(
-              () => this.handleProgress(
-                message.conversationId,
-                message.isDirectMessage,
-                progress,
-                () => lastProgressAt,
-                (next) => {
-                  lastProgressAt = next;
-                },
-                () => lastProgressText,
-                (next) => {
-                  lastProgressText = next;
-                },
-                () => progressNoticeEventId,
-                (next) => {
-                  progressNoticeEventId = next;
-                }
-              )
-            ).catch((progressError) => {
-              this.logger.debug("Failed to process progress callback", { progressError });
+        if (autoDevCommand?.kind === "run") {
+          const executionStartedAt = Date.now();
+          let sendDurationMs2 = 0;
+          this.stateStore.activateSession(sessionKey, this.sessionActiveWindowMs);
+          try {
+            const sendStartedAt = Date.now();
+            await this.handleAutoDevRunCommand(
+              autoDevCommand.taskId,
+              sessionKey,
+              message,
+              requestId,
+              roomConfig.workdir
+            );
+            sendDurationMs2 += Date.now() - sendStartedAt;
+            this.stateStore.markEventProcessed(sessionKey, message.eventId);
+            this.metrics.record("success", queueWaitMs, Date.now() - executionStartedAt, sendDurationMs2);
+          } catch (error) {
+            sendDurationMs2 += await this.sendAutoDevFailure(message.conversationId, error);
+            this.stateStore.commitExecutionHandled(sessionKey, message.eventId);
+            const status = classifyExecutionOutcome(error);
+            this.metrics.record(status, queueWaitMs, Date.now() - executionStartedAt, sendDurationMs2);
+            this.logger.error("AutoDev request failed", {
+              requestId,
+              sessionKey,
+              error: formatError3(error)
             });
-          },
-          {
-            passThroughRawEvents: this.cliCompat.enabled && this.cliCompat.passThroughEvents,
-            imagePaths,
-            workdir: roomConfig.workdir
+          } finally {
+            rateDecision.release?.();
           }
-        );
-        const running = this.runningExecutions.get(sessionKey);
-        if (running?.requestId === requestId) {
-          running.startedAt = executionStartedAt;
-          running.cancel = () => {
+          return;
+        }
+        this.stateStore.activateSession(sessionKey, this.sessionActiveWindowMs);
+        const previousCodexSessionId = this.stateStore.getCodexSessionId(sessionKey);
+        const executionPrompt = this.buildExecutionPrompt(route.prompt, message);
+        const imagePaths = collectImagePaths(message);
+        let lastProgressAt = 0;
+        let lastProgressText = "";
+        let progressNoticeEventId = null;
+        let progressChain = Promise.resolve();
+        let executionHandle = null;
+        let executionDurationMs = 0;
+        let sendDurationMs = 0;
+        const requestStartedAt = Date.now();
+        let cancelRequested = false;
+        this.runningExecutions.set(sessionKey, {
+          requestId,
+          startedAt: requestStartedAt,
+          cancel: () => {
             cancelRequested = true;
             executionHandle?.cancel();
-          };
-        }
-        if (cancelRequested) {
-          executionHandle.cancel();
-        }
-        const result = await executionHandle.result;
-        executionDurationMs = Date.now() - executionStartedAt;
-        await progressChain;
-        const sendStartedAt = Date.now();
-        await this.channel.sendMessage(message.conversationId, result.reply);
-        await this.finishProgress(
-          {
-            conversationId: message.conversationId,
-            isDirectMessage: message.isDirectMessage,
-            getProgressNoticeEventId: () => progressNoticeEventId,
-            setProgressNoticeEventId: (next) => {
-              progressNoticeEventId = next;
-            }
-          },
-          `\u5904\u7406\u5B8C\u6210\uFF08\u8017\u65F6 ${formatDurationMs(Date.now() - requestStartedAt)}\uFF09`
-        );
-        sendDurationMs = Date.now() - sendStartedAt;
-        this.stateStore.commitExecutionSuccess(sessionKey, message.eventId, result.sessionId);
-        this.metrics.record("success", queueWaitMs, executionDurationMs, sendDurationMs);
-        this.logger.info("Request completed", {
+          }
+        });
+        await this.recordCliCompatPrompt({
           requestId,
           sessionKey,
-          status: "success",
-          queueWaitMs,
-          executionDurationMs,
-          sendDurationMs,
-          totalDurationMs: Date.now() - receivedAt
+          conversationId: message.conversationId,
+          senderId: message.senderId,
+          prompt: executionPrompt,
+          imageCount: imagePaths.length
         });
-      } catch (error) {
-        const status = classifyExecutionOutcome(error);
-        executionDurationMs = Date.now() - requestStartedAt;
-        await progressChain;
-        await this.finishProgress(
-          {
-            conversationId: message.conversationId,
-            isDirectMessage: message.isDirectMessage,
-            getProgressNoticeEventId: () => progressNoticeEventId,
-            setProgressNoticeEventId: (next) => {
-              progressNoticeEventId = next;
-            }
-          },
-          buildFailureProgressSummary(status, requestStartedAt, error)
-        );
-        if (status !== "cancelled") {
-          try {
-            await this.channel.sendMessage(
-              message.conversationId,
-              `[CodeHarbor] Failed to process request: ${formatError2(error)}`
-            );
-          } catch (sendError) {
-            this.logger.error("Failed to send error reply to Matrix", sendError);
-          }
-        }
-        this.stateStore.commitExecutionHandled(sessionKey, message.eventId);
-        this.metrics.record(status, queueWaitMs, executionDurationMs, sendDurationMs);
-        this.logger.error("Request failed", {
+        this.logger.info("Processing message", {
           requestId,
           sessionKey,
-          status,
+          hasCodexSession: Boolean(previousCodexSessionId),
           queueWaitMs,
-          executionDurationMs,
-          totalDurationMs: Date.now() - receivedAt,
-          error: formatError2(error)
+          attachmentCount: message.attachments.length,
+          workdir: roomConfig.workdir,
+          roomConfigSource: roomConfig.source,
+          isDirectMessage: message.isDirectMessage,
+          mentionsBot: message.mentionsBot,
+          repliesToBot: message.repliesToBot
         });
-      } finally {
-        const running = this.runningExecutions.get(sessionKey);
-        if (running?.requestId === requestId) {
-          this.runningExecutions.delete(sessionKey);
+        const stopTyping = this.startTypingHeartbeat(message.conversationId);
+        try {
+          const executionStartedAt = Date.now();
+          executionHandle = this.sessionRuntime.startExecution(
+            sessionKey,
+            executionPrompt,
+            previousCodexSessionId,
+            (progress) => {
+              progressChain = progressChain.then(
+                () => this.handleProgress(
+                  message.conversationId,
+                  message.isDirectMessage,
+                  progress,
+                  () => lastProgressAt,
+                  (next) => {
+                    lastProgressAt = next;
+                  },
+                  () => lastProgressText,
+                  (next) => {
+                    lastProgressText = next;
+                  },
+                  () => progressNoticeEventId,
+                  (next) => {
+                    progressNoticeEventId = next;
+                  }
+                )
+              ).catch((progressError) => {
+                this.logger.debug("Failed to process progress callback", { progressError });
+              });
+            },
+            {
+              passThroughRawEvents: this.cliCompat.enabled && this.cliCompat.passThroughEvents,
+              imagePaths,
+              workdir: roomConfig.workdir
+            }
+          );
+          const running = this.runningExecutions.get(sessionKey);
+          if (running?.requestId === requestId) {
+            running.startedAt = executionStartedAt;
+            running.cancel = () => {
+              cancelRequested = true;
+              executionHandle?.cancel();
+            };
+          }
+          if (cancelRequested) {
+            executionHandle.cancel();
+          }
+          const result = await executionHandle.result;
+          executionDurationMs = Date.now() - executionStartedAt;
+          await progressChain;
+          const sendStartedAt = Date.now();
+          await this.channel.sendMessage(message.conversationId, result.reply);
+          await this.finishProgress(
+            {
+              conversationId: message.conversationId,
+              isDirectMessage: message.isDirectMessage,
+              getProgressNoticeEventId: () => progressNoticeEventId,
+              setProgressNoticeEventId: (next) => {
+                progressNoticeEventId = next;
+              }
+            },
+            `\u5904\u7406\u5B8C\u6210\uFF08\u8017\u65F6 ${formatDurationMs(Date.now() - requestStartedAt)}\uFF09`
+          );
+          sendDurationMs = Date.now() - sendStartedAt;
+          this.stateStore.commitExecutionSuccess(sessionKey, message.eventId, result.sessionId);
+          this.metrics.record("success", queueWaitMs, executionDurationMs, sendDurationMs);
+          this.logger.info("Request completed", {
+            requestId,
+            sessionKey,
+            status: "success",
+            queueWaitMs,
+            executionDurationMs,
+            sendDurationMs,
+            totalDurationMs: Date.now() - receivedAt
+          });
+        } catch (error) {
+          const status = classifyExecutionOutcome(error);
+          executionDurationMs = Date.now() - requestStartedAt;
+          await progressChain;
+          await this.finishProgress(
+            {
+              conversationId: message.conversationId,
+              isDirectMessage: message.isDirectMessage,
+              getProgressNoticeEventId: () => progressNoticeEventId,
+              setProgressNoticeEventId: (next) => {
+                progressNoticeEventId = next;
+              }
+            },
+            buildFailureProgressSummary(status, requestStartedAt, error)
+          );
+          if (status !== "cancelled") {
+            try {
+              await this.channel.sendMessage(
+                message.conversationId,
+                `[CodeHarbor] Failed to process request: ${formatError3(error)}`
+              );
+            } catch (sendError) {
+              this.logger.error("Failed to send error reply to Matrix", sendError);
+            }
+          }
+          this.stateStore.commitExecutionHandled(sessionKey, message.eventId);
+          this.metrics.record(status, queueWaitMs, executionDurationMs, sendDurationMs);
+          this.logger.error("Request failed", {
+            requestId,
+            sessionKey,
+            status,
+            queueWaitMs,
+            executionDurationMs,
+            totalDurationMs: Date.now() - receivedAt,
+            error: formatError3(error)
+          });
+        } finally {
+          const running = this.runningExecutions.get(sessionKey);
+          if (running?.requestId === requestId) {
+            this.runningExecutions.delete(sessionKey);
+          }
+          rateDecision.release?.();
+          await stopTyping();
         }
-        rateDecision.release?.();
-        await stopTyping();
-        await cleanupAttachmentFiles(imagePaths);
-      }
-    });
+      });
+    } finally {
+      await cleanupAttachmentFiles(attachmentPaths);
+    }
   }
   routeMessage(message, sessionKey, roomConfig) {
     const incomingRaw = message.text;
@@ -4674,6 +4898,8 @@ var Orchestrator = class {
       this.stateStore.clearCodexSessionId(sessionKey);
       this.stateStore.activateSession(sessionKey, this.sessionActiveWindowMs);
       this.sessionRuntime.clearSession(sessionKey);
+      this.workflowSnapshots.delete(sessionKey);
+      this.autoDevSnapshots.delete(sessionKey);
       await this.channel.sendNotice(
         message.conversationId,
         "[CodeHarbor] \u4E0A\u4E0B\u6587\u5DF2\u91CD\u7F6E\u3002\u4F60\u53EF\u4EE5\u7EE7\u7EED\u76F4\u63A5\u53D1\u9001\u65B0\u9700\u6C42\u3002"
@@ -4740,7 +4966,7 @@ var Orchestrator = class {
 - runError: ${snapshot.error ?? "N/A"}`
       );
     } catch (error) {
-      await this.channel.sendNotice(message.conversationId, `[CodeHarbor] AutoDev \u72B6\u6001\u8BFB\u53D6\u5931\u8D25: ${formatError2(error)}`);
+      await this.channel.sendNotice(message.conversationId, `[CodeHarbor] AutoDev \u72B6\u6001\u8BFB\u53D6\u5931\u8D25: ${formatError3(error)}`);
     }
   }
   async handleAutoDevRunCommand(taskId, sessionKey, message, requestId, workdir) {
@@ -4791,7 +5017,7 @@ var Orchestrator = class {
       promotedToInProgress = true;
     }
     const startedAtIso = (/* @__PURE__ */ new Date()).toISOString();
-    this.autoDevSnapshots.set(sessionKey, {
+    this.setAutoDevSnapshot(sessionKey, {
       state: "running",
       startedAt: startedAtIso,
       endedAt: null,
@@ -4821,7 +5047,7 @@ var Orchestrator = class {
         finalTask = await updateAutoDevTaskStatus(context.taskListPath, activeTask, "completed");
       }
       const endedAtIso = (/* @__PURE__ */ new Date()).toISOString();
-      this.autoDevSnapshots.set(sessionKey, {
+      this.setAutoDevSnapshot(sessionKey, {
         state: "succeeded",
         startedAt: startedAtIso,
         endedAt: endedAtIso,
@@ -4848,13 +5074,13 @@ var Orchestrator = class {
         } catch (restoreError) {
           this.logger.warn("Failed to restore AutoDev task status after failure", {
             taskId: activeTask.id,
-            error: formatError2(restoreError)
+            error: formatError3(restoreError)
           });
         }
       }
       const status = classifyExecutionOutcome(error);
       const endedAtIso = (/* @__PURE__ */ new Date()).toISOString();
-      this.autoDevSnapshots.set(sessionKey, {
+      this.setAutoDevSnapshot(sessionKey, {
         state: status === "cancelled" ? "idle" : "failed",
         startedAt: startedAtIso,
         endedAt: endedAtIso,
@@ -4862,7 +5088,7 @@ var Orchestrator = class {
         taskDescription: activeTask.description,
         approved: null,
         repairRounds: 0,
-        error: formatError2(error)
+        error: formatError3(error)
       });
       throw error;
     }
@@ -4884,7 +5110,7 @@ var Orchestrator = class {
       }
     };
     const startedAtIso = (/* @__PURE__ */ new Date()).toISOString();
-    this.workflowSnapshots.set(sessionKey, {
+    this.setWorkflowSnapshot(sessionKey, {
       state: "running",
       startedAt: startedAtIso,
       endedAt: null,
@@ -4922,7 +5148,7 @@ var Orchestrator = class {
         }
       });
       const endedAtIso = (/* @__PURE__ */ new Date()).toISOString();
-      this.workflowSnapshots.set(sessionKey, {
+      this.setWorkflowSnapshot(sessionKey, {
         state: "succeeded",
         startedAt: startedAtIso,
         endedAt: endedAtIso,
@@ -4937,14 +5163,14 @@ var Orchestrator = class {
     } catch (error) {
       const status = classifyExecutionOutcome(error);
       const endedAtIso = (/* @__PURE__ */ new Date()).toISOString();
-      this.workflowSnapshots.set(sessionKey, {
+      this.setWorkflowSnapshot(sessionKey, {
         state: status === "cancelled" ? "idle" : "failed",
         startedAt: startedAtIso,
         endedAt: endedAtIso,
         objective: normalizedObjective,
         approved: null,
         repairRounds: 0,
-        error: formatError2(error)
+        error: formatError3(error)
       });
       await this.finishProgress(progressCtx, buildFailureProgressSummary(status, requestStartedAt, error));
       throw error;
@@ -4963,7 +5189,7 @@ var Orchestrator = class {
       await this.channel.sendNotice(conversationId, "[CodeHarbor] Multi-Agent workflow \u5DF2\u53D6\u6D88\u3002");
       return Date.now() - startedAt;
     }
-    await this.channel.sendMessage(conversationId, `[CodeHarbor] Multi-Agent workflow \u5931\u8D25: ${formatError2(error)}`);
+    await this.channel.sendMessage(conversationId, `[CodeHarbor] Multi-Agent workflow \u5931\u8D25: ${formatError3(error)}`);
     return Date.now() - startedAt;
   }
   async sendAutoDevFailure(conversationId, error) {
@@ -4973,7 +5199,7 @@ var Orchestrator = class {
       await this.channel.sendNotice(conversationId, "[CodeHarbor] AutoDev \u5DF2\u53D6\u6D88\u3002");
       return Date.now() - startedAt;
     }
-    await this.channel.sendMessage(conversationId, `[CodeHarbor] AutoDev \u5931\u8D25: ${formatError2(error)}`);
+    await this.channel.sendMessage(conversationId, `[CodeHarbor] AutoDev \u5931\u8D25: ${formatError3(error)}`);
     return Date.now() - startedAt;
   }
   async handleStopCommand(sessionKey, message, requestId) {
@@ -5141,11 +5367,34 @@ ${attachmentSummary}
       });
     }
   }
+  setWorkflowSnapshot(sessionKey, snapshot) {
+    this.workflowSnapshots.set(sessionKey, snapshot);
+    this.pruneRunSnapshots(Date.now());
+  }
+  setAutoDevSnapshot(sessionKey, snapshot) {
+    this.autoDevSnapshots.set(sessionKey, snapshot);
+    this.pruneRunSnapshots(Date.now());
+  }
+  pruneRunSnapshots(now) {
+    pruneSnapshotMap(
+      this.workflowSnapshots,
+      now,
+      (snapshot) => snapshot.state !== "running",
+      (snapshot) => snapshot.endedAt ?? snapshot.startedAt
+    );
+    pruneSnapshotMap(
+      this.autoDevSnapshots,
+      now,
+      (snapshot) => snapshot.state !== "running",
+      (snapshot) => snapshot.endedAt ?? snapshot.startedAt
+    );
+  }
   getLock(key) {
     const now = Date.now();
     if (now - this.lastLockPruneAt >= this.lockPruneIntervalMs) {
       this.lastLockPruneAt = now;
       this.pruneSessionLocks(now);
+      this.pruneRunSnapshots(now);
     }
     let entry = this.sessionLocks.get(key);
     if (!entry) {
@@ -5171,6 +5420,44 @@ ${attachmentSummary}
     }
   }
 };
+function pruneSnapshotMap(snapshots, now, isPrunable, resolveSnapshotTimeIso) {
+  const staleKeys = [];
+  const candidatesForOverflow = [];
+  for (const [key, snapshot] of snapshots.entries()) {
+    if (!isPrunable(snapshot)) {
+      continue;
+    }
+    const timeIso = resolveSnapshotTimeIso(snapshot);
+    if (!timeIso) {
+      staleKeys.push(key);
+      continue;
+    }
+    const timestamp = Date.parse(timeIso);
+    if (!Number.isFinite(timestamp)) {
+      staleKeys.push(key);
+      continue;
+    }
+    if (now - timestamp > RUN_SNAPSHOT_TTL_MS) {
+      staleKeys.push(key);
+      continue;
+    }
+    candidatesForOverflow.push({ key, timestamp });
+  }
+  for (const key of staleKeys) {
+    snapshots.delete(key);
+  }
+  if (snapshots.size <= RUN_SNAPSHOT_MAX_ENTRIES) {
+    return;
+  }
+  const overflow = snapshots.size - RUN_SNAPSHOT_MAX_ENTRIES;
+  if (overflow <= 0) {
+    return;
+  }
+  candidatesForOverflow.sort((a, b) => a.timestamp - b.timestamp);
+  for (let i = 0; i < overflow && i < candidatesForOverflow.length; i += 1) {
+    snapshots.delete(candidatesForOverflow[i].key);
+  }
+}
 function createIdleAutoDevSnapshot() {
   return {
     state: "idle",
@@ -5186,7 +5473,7 @@ function createIdleAutoDevSnapshot() {
 function buildSessionKey(message) {
   return `${message.channel}:${message.conversationId}:${message.senderId}`;
 }
-function formatError2(error) {
+function formatError3(error) {
   if (error instanceof Error) {
     return error.message;
   }
@@ -5285,7 +5572,7 @@ function classifyExecutionOutcome(error) {
   if (error instanceof CodexExecutionCancelledError) {
     return "cancelled";
   }
-  const message = formatError2(error).toLowerCase();
+  const message = formatError3(error).toLowerCase();
   if (message.includes("timed out")) {
     return "timeout";
   }
@@ -5297,9 +5584,9 @@ function buildFailureProgressSummary(status, startedAt, error) {
     return `\u5904\u7406\u5DF2\u53D6\u6D88\uFF08\u8017\u65F6 ${elapsed}\uFF09`;
   }
   if (status === "timeout") {
-    return `\u5904\u7406\u8D85\u65F6\uFF08\u8017\u65F6 ${elapsed}\uFF09: ${formatError2(error)}`;
+    return `\u5904\u7406\u8D85\u65F6\uFF08\u8017\u65F6 ${elapsed}\uFF09: ${formatError3(error)}`;
   }
-  return `\u5904\u7406\u5931\u8D25\uFF08\u8017\u65F6 ${elapsed}\uFF09: ${formatError2(error)}`;
+  return `\u5904\u7406\u5931\u8D25\uFF08\u8017\u65F6 ${elapsed}\uFF09: ${formatError3(error)}`;
 }
 function buildWorkflowResultReply(result) {
   return `[CodeHarbor] Multi-Agent workflow \u5B8C\u6210
@@ -6048,7 +6335,54 @@ function parseExtraArgs(raw) {
   if (!trimmed) {
     return [];
   }
-  return trimmed.split(/\s+/).map((entry) => entry.trim()).filter((entry) => entry.length > 0);
+  const args = [];
+  let current = "";
+  let quoteMode = null;
+  let escaping = false;
+  const pushCurrent = () => {
+    if (!current) {
+      return;
+    }
+    args.push(current);
+    current = "";
+  };
+  for (const char of trimmed) {
+    if (escaping) {
+      current += char;
+      escaping = false;
+      continue;
+    }
+    if (quoteMode === null) {
+      if (/\s/.test(char)) {
+        pushCurrent();
+        continue;
+      }
+      if (char === "'" || char === '"') {
+        quoteMode = char;
+        continue;
+      }
+      if (char === "\\") {
+        escaping = true;
+        continue;
+      }
+      current += char;
+      continue;
+    }
+    if (char === quoteMode) {
+      quoteMode = null;
+      continue;
+    }
+    if (quoteMode === '"' && char === "\\") {
+      escaping = true;
+      continue;
+    }
+    current += char;
+  }
+  if (escaping || quoteMode !== null) {
+    throw new Error("CODEX_EXTRA_ARGS contains unmatched quote or trailing escape.");
+  }
+  pushCurrent();
+  return args;
 }
 function parseExtraEnv(raw) {
   const trimmed = raw.trim();
@@ -6803,7 +7137,7 @@ configCommand.command("export").description("Export config snapshot as JSON").op
     const home = ensureRuntimeHomeOrExit();
     await runConfigExportCommand({ outputPath: options.output, cwd: home });
   } catch (error) {
-    process.stderr.write(`Config export failed: ${formatError3(error)}
+    process.stderr.write(`Config export failed: ${formatError4(error)}
 `);
     process.exitCode = 1;
   }
@@ -6817,7 +7151,7 @@ configCommand.command("import").description("Import config snapshot from JSON").
       cwd: home
     });
   } catch (error) {
-    process.stderr.write(`Config import failed: ${formatError3(error)}
+    process.stderr.write(`Config import failed: ${formatError4(error)}
 `);
     process.exitCode = 1;
   }
@@ -6836,7 +7170,7 @@ serviceCommand.command("install").description("Install and enable codeharbor sys
       startNow: options.start ?? true
     });
   } catch (error) {
-    process.stderr.write(`Service install failed: ${formatError3(error)}
+    process.stderr.write(`Service install failed: ${formatError4(error)}
 `);
     process.stderr.write(
       [
@@ -6857,7 +7191,7 @@ serviceCommand.command("uninstall").description("Remove codeharbor systemd servi
       removeAdmin: options.withAdmin ?? false
     });
   } catch (error) {
-    process.stderr.write(`Service uninstall failed: ${formatError3(error)}
+    process.stderr.write(`Service uninstall failed: ${formatError4(error)}
 `);
     process.stderr.write(
       [
@@ -6878,7 +7212,7 @@ serviceCommand.command("restart").description("Restart installed codeharbor syst
       restartAdmin: options.withAdmin ?? false
     });
   } catch (error) {
-    process.stderr.write(`Service restart failed: ${formatError3(error)}
+    process.stderr.write(`Service restart failed: ${formatError4(error)}
 `);
     process.stderr.write(
       [
@@ -6998,7 +7332,7 @@ function shellQuote(value) {
 function buildExplicitSudoCommand(subcommand) {
   return `sudo ${shellQuote(process.execPath)} ${shellQuote(resolveCliScriptPath())} ${subcommand}`;
 }
-function formatError3(error) {
+function formatError4(error) {
   if (error instanceof Error) {
     return error.message;
   }