codexui-android 0.1.72 → 0.1.80

package/dist-cli/index.js

@@ -1,4 +1,5 @@
 #!/usr/bin/env node
+import "./chunk-NWKUDLO2.js";
 
 // src/cli/index.ts
 import { createServer as createServer2 } from "http";
@@ -156,6 +157,64 @@ function resolveSkillInstallerScriptPath(codexHome) {
   return null;
 }
 
+// src/server/appServerRuntimeConfig.ts
+var SANDBOX_MODES = /* @__PURE__ */ new Set([
+  "read-only",
+  "workspace-write",
+  "danger-full-access"
+]);
+var APPROVAL_POLICIES = /* @__PURE__ */ new Set([
+  "untrusted",
+  "on-failure",
+  "on-request",
+  "never"
+]);
+var DEFAULT_RUNTIME_CONFIG = {
+  sandboxMode: "danger-full-access",
+  approvalPolicy: "never"
+};
+function normalizeRuntimeValue(value) {
+  return value?.trim().toLowerCase() ?? "";
+}
+function readSandboxModeFromEnv() {
+  const candidate = normalizeRuntimeValue(process.env.CODEXUI_SANDBOX_MODE);
+  if (SANDBOX_MODES.has(candidate)) {
+    return candidate;
+  }
+  return DEFAULT_RUNTIME_CONFIG.sandboxMode;
+}
+function readApprovalPolicyFromEnv() {
+  const candidate = normalizeRuntimeValue(process.env.CODEXUI_APPROVAL_POLICY);
+  if (APPROVAL_POLICIES.has(candidate)) {
+    return candidate;
+  }
+  return DEFAULT_RUNTIME_CONFIG.approvalPolicy;
+}
+function resolveAppServerRuntimeConfig() {
+  return {
+    sandboxMode: readSandboxModeFromEnv(),
+    approvalPolicy: readApprovalPolicyFromEnv()
+  };
+}
+function buildAppServerArgs() {
+  const config = resolveAppServerRuntimeConfig();
+  return [
+    "app-server",
+    "-c",
+    `approval_policy="${config.approvalPolicy}"`,
+    "-c",
+    `sandbox_mode="${config.sandboxMode}"`
+  ];
+}
+function parseSandboxMode(value) {
+  const candidate = value.trim().toLowerCase();
+  return SANDBOX_MODES.has(candidate) ? candidate : null;
+}
+function parseApprovalPolicy(value) {
+  const candidate = value.trim().toLowerCase();
+  return APPROVAL_POLICIES.has(candidate) ? candidate : null;
+}
+
 // src/server/httpServer.ts
 import { fileURLToPath } from "url";
 import { dirname as dirname3, extname as extname3, isAbsolute as isAbsolute3, join as join7 } from "path";
@@ -164,9 +223,10 @@ import { writeFile as writeFile5, stat as stat6 } from "fs/promises";
 import express from "express";
 
 // src/server/codexAppServerBridge.ts
+import * as Sentry4 from "@sentry/node";
 import { spawn as spawn4 } from "child_process";
-import { randomBytes } from "crypto";
-import { mkdtemp as mkdtemp3, readFile as readFile3, mkdir as mkdir4, stat as stat4 } from "fs/promises";
+import { createHash as createHash2, randomBytes } from "crypto";
+import { mkdtemp as mkdtemp3, readFile as readFile3, rm as rm4, mkdir as mkdir4, stat as stat4 } from "fs/promises";
 import { createReadStream } from "fs";
 import { request as httpRequest } from "http";
 import { request as httpsRequest } from "https";
@@ -177,18 +237,12 @@ import { createInterface } from "readline";
 import { writeFile as writeFile4 } from "fs/promises";
 
 // src/server/accountRoutes.ts
+import * as Sentry from "@sentry/node";
 import { spawn } from "child_process";
 import { createHash } from "crypto";
 import { mkdtemp, mkdir, readFile, rm, stat, writeFile } from "fs/promises";
 import { homedir as homedir2, tmpdir } from "os";
 import { join as join2 } from "path";
-var APP_SERVER_ARGS = [
-  "app-server",
-  "-c",
-  'approval_policy="never"',
-  "-c",
-  'sandbox_mode="danger-full-access"'
-];
 var ACCOUNT_QUOTA_REFRESH_TTL_MS = 5 * 60 * 1e3;
 var ACCOUNT_QUOTA_LOADING_STALE_MS = 2 * 60 * 1e3;
 var ACCOUNT_INSPECTION_TIMEOUT_MS = 25 * 1e3;
@@ -446,7 +500,7 @@ async function withTemporaryCodexAppServer(authRaw, run) {
   const tempCodexHome = await mkdtemp(join2(tmpdir(), "codexui-account-"));
   const authPath = join2(tempCodexHome, "auth.json");
   await writeFile(authPath, authRaw, { encoding: "utf8", mode: 384 });
-  const proc = spawn("codex", [...APP_SERVER_ARGS], {
+  const proc = spawn("codex", buildAppServerArgs(), {
     env: { ...process.env, CODEX_HOME: tempCodexHome },
     stdio: ["pipe", "pipe", "pipe"]
   });
@@ -716,319 +770,327 @@ async function importAccountFromAuthPath(path) {
 }
 async function handleAccountRoutes(req, res, url, context) {
   const { appServer } = context;
-  if (req.method === "GET" && url.pathname === "/codex-api/accounts") {
-    const state = await scheduleAccountsBackgroundRefresh();
-    setJson(res, 200, {
-      data: {
-        activeAccountId: state.activeAccountId,
-        accounts: sortAccounts(state.accounts, state.activeAccountId).map((entry) => toPublicAccountEntry(entry, state.activeAccountId))
-      }
-    });
-    return true;
-  }
-  if (req.method === "GET" && url.pathname === "/codex-api/accounts/active") {
-    const state = await readStoredAccountsState();
-    const active = state.activeAccountId ? state.accounts.find((entry) => entry.accountId === state.activeAccountId) ?? null : null;
-    setJson(res, 200, {
-      data: active ? toPublicAccountEntry(active, state.activeAccountId) : null
-    });
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/accounts/refresh") {
-    try {
-      const imported = await importAccountFromAuthPath(getActiveAuthPath());
-      try {
-        appServer.dispose();
-        const inspection = await validateSwitchedAccount(appServer);
-        const state = await readStoredAccountsState();
-        const importedAccountId = imported.importedAccountId;
-        const target = state.accounts.find((entry) => entry.accountId === importedAccountId) ?? null;
-        if (!target) {
-          throw new Error("account_not_found");
+  try {
+    if (req.method === "GET" && url.pathname === "/codex-api/accounts") {
+      const state = await scheduleAccountsBackgroundRefresh();
+      setJson(res, 200, {
+        data: {
+          activeAccountId: state.activeAccountId,
+          accounts: sortAccounts(state.accounts, state.activeAccountId).map((entry) => toPublicAccountEntry(entry, state.activeAccountId))
         }
-        const nextEntry = {
-          ...target,
-          email: inspection.metadata.email ?? target.email,
-          planType: inspection.metadata.planType ?? target.planType,
-          lastActivatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
-          quotaSnapshot: inspection.quotaSnapshot ?? target.quotaSnapshot,
-          quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
-          quotaStatus: "ready",
-          quotaError: null,
-          unavailableReason: null
-        };
-        const nextState = withUpsertedAccount({
-          activeAccountId: importedAccountId,
-          accounts: state.accounts
-        }, nextEntry);
-        await writeStoredAccountsState({
-          activeAccountId: importedAccountId,
-          accounts: nextState.accounts
-        });
-        const backgroundState = await scheduleAccountsBackgroundRefresh({
-          force: true,
-          prioritizeAccountId: importedAccountId,
-          accountIds: nextState.accounts.filter((entry) => entry.accountId !== importedAccountId).map((entry) => entry.accountId)
-        });
-        setJson(res, 200, {
-          data: {
-            activeAccountId: importedAccountId,
-            importedAccountId,
-            accounts: sortAccounts(backgroundState.accounts, importedAccountId).map((entry) => toPublicAccountEntry(entry, importedAccountId))
-          }
-        });
-      } catch (error) {
-        setJson(res, 502, {
-          error: "account_refresh_failed",
-          message: getErrorMessage(error, "Failed to refresh account")
-        });
-      }
-    } catch (error) {
-      const message = getErrorMessage(error, "Failed to refresh account");
-      if (message === "missing_account_id") {
-        setJson(res, 400, { error: "missing_account_id", message: "Current auth.json is missing tokens.account_id." });
-        return true;
-      }
-      setJson(res, 400, { error: "invalid_auth_json", message: "Failed to parse the current auth.json file." });
-    }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/accounts/switch") {
-    try {
-      if (appServer.listPendingServerRequests().length > 0) {
-        setJson(res, 409, {
-          error: "account_switch_blocked",
-          message: "Finish pending approval requests before switching accounts."
-        });
-        return true;
-      }
-      const rawBody = await new Promise((resolve4, reject) => {
-        let body = "";
-        req.setEncoding("utf8");
-        req.on("data", (chunk) => {
-          body += chunk;
-        });
-        req.on("end", () => resolve4(body));
-        req.on("error", reject);
       });
-      const payload = asRecord(rawBody.length > 0 ? JSON.parse(rawBody) : {});
-      const accountId = typeof payload?.accountId === "string" ? payload.accountId.trim() : "";
-      if (!accountId) {
-        setJson(res, 400, { error: "account_not_found", message: "Missing accountId." });
-        return true;
-      }
+      return true;
+    }
+    if (req.method === "GET" && url.pathname === "/codex-api/accounts/active") {
       const state = await readStoredAccountsState();
-      const target = state.accounts.find((entry) => entry.accountId === accountId) ?? null;
-      if (!target) {
-        setJson(res, 404, { error: "account_not_found", message: "The requested account was not found." });
-        return true;
-      }
-      const snapshotPath = getSnapshotPath(target.storageId);
-      if (!await fileExists(snapshotPath)) {
-        setJson(res, 404, { error: "account_not_found", message: "The requested account snapshot is missing." });
-        return true;
-      }
-      let previousRaw = null;
+      const active = state.activeAccountId ? state.accounts.find((entry) => entry.accountId === state.activeAccountId) ?? null : null;
+      setJson(res, 200, {
+        data: active ? toPublicAccountEntry(active, state.activeAccountId) : null
+      });
+      return true;
+    }
+    if (req.method === "POST" && url.pathname === "/codex-api/accounts/refresh") {
       try {
-        previousRaw = await readFile(getActiveAuthPath(), "utf8");
-      } catch {
-        previousRaw = null;
+        const imported = await importAccountFromAuthPath(getActiveAuthPath());
+        try {
+          appServer.dispose();
+          const inspection = await validateSwitchedAccount(appServer);
+          const state = await readStoredAccountsState();
+          const importedAccountId = imported.importedAccountId;
+          const target = state.accounts.find((entry) => entry.accountId === importedAccountId) ?? null;
+          if (!target) {
+            throw new Error("account_not_found");
+          }
+          const nextEntry = {
+            ...target,
+            email: inspection.metadata.email ?? target.email,
+            planType: inspection.metadata.planType ?? target.planType,
+            lastActivatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
+            quotaSnapshot: inspection.quotaSnapshot ?? target.quotaSnapshot,
+            quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
+            quotaStatus: "ready",
+            quotaError: null,
+            unavailableReason: null
+          };
+          const nextState = withUpsertedAccount({
+            activeAccountId: importedAccountId,
+            accounts: state.accounts
+          }, nextEntry);
+          await writeStoredAccountsState({
+            activeAccountId: importedAccountId,
+            accounts: nextState.accounts
+          });
+          const backgroundState = await scheduleAccountsBackgroundRefresh({
+            force: true,
+            prioritizeAccountId: importedAccountId,
+            accountIds: nextState.accounts.filter((entry) => entry.accountId !== importedAccountId).map((entry) => entry.accountId)
+          });
+          setJson(res, 200, {
+            data: {
+              activeAccountId: importedAccountId,
+              importedAccountId,
+              accounts: sortAccounts(backgroundState.accounts, importedAccountId).map((entry) => toPublicAccountEntry(entry, importedAccountId))
+            }
+          });
+        } catch (error) {
+          setJson(res, 502, {
+            error: "account_refresh_failed",
+            message: getErrorMessage(error, "Failed to refresh account")
+          });
+        }
+      } catch (error) {
+        const message = getErrorMessage(error, "Failed to refresh account");
+        if (message === "missing_account_id") {
+          setJson(res, 400, { error: "missing_account_id", message: "Current auth.json is missing tokens.account_id." });
+          return true;
+        }
+        setJson(res, 400, { error: "invalid_auth_json", message: "Failed to parse the current auth.json file." });
       }
-      const targetRaw = await readFile(snapshotPath, "utf8");
-      await writeFile(getActiveAuthPath(), targetRaw, { encoding: "utf8", mode: 384 });
+      return true;
+    }
+    if (req.method === "POST" && url.pathname === "/codex-api/accounts/switch") {
       try {
-        appServer.dispose();
-        const inspection = await validateSwitchedAccount(appServer);
-        const nextEntry = {
-          ...target,
-          email: inspection.metadata.email ?? target.email,
-          planType: inspection.metadata.planType ?? target.planType,
-          lastActivatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
-          quotaSnapshot: inspection.quotaSnapshot ?? target.quotaSnapshot,
-          quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
-          quotaStatus: "ready",
-          quotaError: null,
-          unavailableReason: null
-        };
-        const nextState = withUpsertedAccount({
-          activeAccountId: accountId,
-          accounts: state.accounts
-        }, nextEntry);
-        await writeStoredAccountsState({
-          activeAccountId: accountId,
-          accounts: nextState.accounts
-        });
-        void scheduleAccountsBackgroundRefresh({
-          force: true,
-          prioritizeAccountId: accountId,
-          accountIds: nextState.accounts.filter((entry) => entry.accountId !== accountId).map((entry) => entry.accountId)
+        if (appServer.listPendingServerRequests().length > 0) {
+          setJson(res, 409, {
+            error: "account_switch_blocked",
+            message: "Finish pending approval requests before switching accounts."
+          });
+          return true;
+        }
+        const rawBody = await new Promise((resolve4, reject) => {
+          let body = "";
+          req.setEncoding("utf8");
+          req.on("data", (chunk) => {
+            body += chunk;
+          });
+          req.on("end", () => resolve4(body));
+          req.on("error", reject);
         });
-        setJson(res, 200, {
-          ok: true,
-          data: {
+        const payload = asRecord(rawBody.length > 0 ? JSON.parse(rawBody) : {});
+        const accountId = typeof payload?.accountId === "string" ? payload.accountId.trim() : "";
+        if (!accountId) {
+          setJson(res, 400, { error: "account_not_found", message: "Missing accountId." });
+          return true;
+        }
+        const state = await readStoredAccountsState();
+        const target = state.accounts.find((entry) => entry.accountId === accountId) ?? null;
+        if (!target) {
+          setJson(res, 404, { error: "account_not_found", message: "The requested account was not found." });
+          return true;
+        }
+        const snapshotPath = getSnapshotPath(target.storageId);
+        if (!await fileExists(snapshotPath)) {
+          setJson(res, 404, { error: "account_not_found", message: "The requested account snapshot is missing." });
+          return true;
+        }
+        let previousRaw = null;
+        try {
+          previousRaw = await readFile(getActiveAuthPath(), "utf8");
+        } catch {
+          previousRaw = null;
+        }
+        const targetRaw = await readFile(snapshotPath, "utf8");
+        await writeFile(getActiveAuthPath(), targetRaw, { encoding: "utf8", mode: 384 });
+        try {
+          appServer.dispose();
+          const inspection = await validateSwitchedAccount(appServer);
+          const nextEntry = {
+            ...target,
+            email: inspection.metadata.email ?? target.email,
+            planType: inspection.metadata.planType ?? target.planType,
+            lastActivatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
+            quotaSnapshot: inspection.quotaSnapshot ?? target.quotaSnapshot,
+            quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
+            quotaStatus: "ready",
+            quotaError: null,
+            unavailableReason: null
+          };
+          const nextState = withUpsertedAccount({
             activeAccountId: accountId,
-            account: toPublicAccountEntry(nextEntry, accountId)
-          }
-        });
+            accounts: state.accounts
+          }, nextEntry);
+          await writeStoredAccountsState({
+            activeAccountId: accountId,
+            accounts: nextState.accounts
+          });
+          void scheduleAccountsBackgroundRefresh({
+            force: true,
+            prioritizeAccountId: accountId,
+            accountIds: nextState.accounts.filter((entry) => entry.accountId !== accountId).map((entry) => entry.accountId)
+          });
+          setJson(res, 200, {
+            ok: true,
+            data: {
+              activeAccountId: accountId,
+              account: toPublicAccountEntry(nextEntry, accountId)
+            }
+          });
+        } catch (error) {
+          await restoreActiveAuth(previousRaw);
+          appServer.dispose();
+          await replaceStoredAccount({
+            ...target,
+            quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
+            quotaStatus: "error",
+            quotaError: getErrorMessage(error, "Failed to switch account"),
+            unavailableReason: detectAccountUnavailableReason(error)
+          }, state.activeAccountId);
+          setJson(res, 502, {
+            error: "account_switch_failed",
+            message: getErrorMessage(error, "Failed to switch account")
+          });
+        }
       } catch (error) {
-        await restoreActiveAuth(previousRaw);
-        appServer.dispose();
-        await replaceStoredAccount({
-          ...target,
-          quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
-          quotaStatus: "error",
-          quotaError: getErrorMessage(error, "Failed to switch account"),
-          unavailableReason: detectAccountUnavailableReason(error)
-        }, state.activeAccountId);
-        setJson(res, 502, {
-          error: "account_switch_failed",
+        setJson(res, 400, {
+          error: "invalid_auth_json",
           message: getErrorMessage(error, "Failed to switch account")
         });
       }
-    } catch (error) {
-      setJson(res, 400, {
-        error: "invalid_auth_json",
-        message: getErrorMessage(error, "Failed to switch account")
-      });
+      return true;
     }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/accounts/remove") {
-    try {
-      const rawBody = await new Promise((resolve4, reject) => {
-        let body = "";
-        req.setEncoding("utf8");
-        req.on("data", (chunk) => {
-          body += chunk;
-        });
-        req.on("end", () => resolve4(body));
-        req.on("error", reject);
-      });
-      const payload = asRecord(rawBody.length > 0 ? JSON.parse(rawBody) : {});
-      const accountId = typeof payload?.accountId === "string" ? payload.accountId.trim() : "";
-      if (!accountId) {
-        setJson(res, 400, { error: "account_not_found", message: "Missing accountId." });
-        return true;
-      }
-      const state = await readStoredAccountsState();
-      const target = state.accounts.find((entry) => entry.accountId === accountId) ?? null;
-      if (!target) {
-        setJson(res, 404, { error: "account_not_found", message: "The requested account was not found." });
-        return true;
-      }
-      const remainingAccounts = state.accounts.filter((entry) => entry.accountId !== accountId);
-      if (state.activeAccountId !== accountId) {
-        await removeSnapshot(target.storageId);
-        await writeStoredAccountsState({
-          activeAccountId: state.activeAccountId,
-          accounts: remainingAccounts
-        });
-        setJson(res, 200, {
-          ok: true,
-          data: {
-            activeAccountId: state.activeAccountId,
-            accounts: sortAccounts(remainingAccounts, state.activeAccountId).map((entry) => toPublicAccountEntry(entry, state.activeAccountId))
-          }
-        });
-        return true;
-      }
-      if (appServer.listPendingServerRequests().length > 0) {
-        setJson(res, 409, {
-          error: "account_remove_blocked",
-          message: "Finish pending approval requests before removing the active account."
-        });
-        return true;
-      }
-      let previousRaw = null;
+    if (req.method === "POST" && url.pathname === "/codex-api/accounts/remove") {
       try {
-        previousRaw = await readFile(getActiveAuthPath(), "utf8");
-      } catch {
-        previousRaw = null;
-      }
-      const replacement = await pickReplacementActiveAccount(remainingAccounts);
-      if (!replacement) {
-        await restoreActiveAuth(null);
-        appServer.dispose();
-        await removeSnapshot(target.storageId);
-        await writeStoredAccountsState({
-          activeAccountId: null,
-          accounts: remainingAccounts
-        });
-        void scheduleAccountsBackgroundRefresh({
-          force: true,
-          accountIds: remainingAccounts.map((entry) => entry.accountId)
+        const rawBody = await new Promise((resolve4, reject) => {
+          let body = "";
+          req.setEncoding("utf8");
+          req.on("data", (chunk) => {
+            body += chunk;
+          });
+          req.on("end", () => resolve4(body));
+          req.on("error", reject);
         });
-        setJson(res, 200, {
-          ok: true,
-          data: {
+        const payload = asRecord(rawBody.length > 0 ? JSON.parse(rawBody) : {});
+        const accountId = typeof payload?.accountId === "string" ? payload.accountId.trim() : "";
+        if (!accountId) {
+          setJson(res, 400, { error: "account_not_found", message: "Missing accountId." });
+          return true;
+        }
+        const state = await readStoredAccountsState();
+        const target = state.accounts.find((entry) => entry.accountId === accountId) ?? null;
+        if (!target) {
+          setJson(res, 404, { error: "account_not_found", message: "The requested account was not found." });
+          return true;
+        }
+        const remainingAccounts = state.accounts.filter((entry) => entry.accountId !== accountId);
+        if (state.activeAccountId !== accountId) {
+          await removeSnapshot(target.storageId);
+          await writeStoredAccountsState({
+            activeAccountId: state.activeAccountId,
+            accounts: remainingAccounts
+          });
+          setJson(res, 200, {
+            ok: true,
+            data: {
+              activeAccountId: state.activeAccountId,
+              accounts: sortAccounts(remainingAccounts, state.activeAccountId).map((entry) => toPublicAccountEntry(entry, state.activeAccountId))
+            }
+          });
+          return true;
+        }
+        if (appServer.listPendingServerRequests().length > 0) {
+          setJson(res, 409, {
+            error: "account_remove_blocked",
+            message: "Finish pending approval requests before removing the active account."
+          });
+          return true;
+        }
+        let previousRaw = null;
+        try {
+          previousRaw = await readFile(getActiveAuthPath(), "utf8");
+        } catch {
+          previousRaw = null;
+        }
+        const replacement = await pickReplacementActiveAccount(remainingAccounts);
+        if (!replacement) {
+          await restoreActiveAuth(null);
+          appServer.dispose();
+          await removeSnapshot(target.storageId);
+          await writeStoredAccountsState({
             activeAccountId: null,
-            accounts: sortAccounts(remainingAccounts, null).map((entry) => toPublicAccountEntry(entry, null))
-          }
-        });
-        return true;
-      }
-      const replacementSnapshotPath = getSnapshotPath(replacement.storageId);
-      if (!await fileExists(replacementSnapshotPath)) {
-        setJson(res, 404, {
-          error: "account_not_found",
-          message: "The replacement account snapshot is missing."
-        });
-        return true;
-      }
-      const replacementRaw = await readFile(replacementSnapshotPath, "utf8");
-      await writeFile(getActiveAuthPath(), replacementRaw, { encoding: "utf8", mode: 384 });
-      try {
-        appServer.dispose();
-        const inspection = await validateSwitchedAccount(appServer);
-        const activatedReplacement = {
-          ...replacement,
-          email: inspection.metadata.email ?? replacement.email,
-          planType: inspection.metadata.planType ?? replacement.planType,
-          lastActivatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
-          quotaSnapshot: inspection.quotaSnapshot ?? replacement.quotaSnapshot,
-          quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
-          quotaStatus: "ready",
-          quotaError: null,
-          unavailableReason: null
-        };
-        const nextAccounts = remainingAccounts.map((entry) => entry.accountId === activatedReplacement.accountId ? activatedReplacement : entry);
-        await removeSnapshot(target.storageId);
-        await writeStoredAccountsState({
-          activeAccountId: activatedReplacement.accountId,
-          accounts: nextAccounts
-        });
-        void scheduleAccountsBackgroundRefresh({
-          force: true,
-          prioritizeAccountId: activatedReplacement.accountId,
-          accountIds: nextAccounts.filter((entry) => entry.accountId !== activatedReplacement.accountId).map((entry) => entry.accountId)
-        });
-        setJson(res, 200, {
-          ok: true,
-          data: {
+            accounts: remainingAccounts
+          });
+          void scheduleAccountsBackgroundRefresh({
+            force: true,
+            accountIds: remainingAccounts.map((entry) => entry.accountId)
+          });
+          setJson(res, 200, {
+            ok: true,
+            data: {
+              activeAccountId: null,
+              accounts: sortAccounts(remainingAccounts, null).map((entry) => toPublicAccountEntry(entry, null))
+            }
+          });
+          return true;
+        }
+        const replacementSnapshotPath = getSnapshotPath(replacement.storageId);
+        if (!await fileExists(replacementSnapshotPath)) {
+          setJson(res, 404, {
+            error: "account_not_found",
+            message: "The replacement account snapshot is missing."
+          });
+          return true;
+        }
+        const replacementRaw = await readFile(replacementSnapshotPath, "utf8");
+        await writeFile(getActiveAuthPath(), replacementRaw, { encoding: "utf8", mode: 384 });
+        try {
+          appServer.dispose();
+          const inspection = await validateSwitchedAccount(appServer);
+          const activatedReplacement = {
+            ...replacement,
+            email: inspection.metadata.email ?? replacement.email,
+            planType: inspection.metadata.planType ?? replacement.planType,
+            lastActivatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
+            quotaSnapshot: inspection.quotaSnapshot ?? replacement.quotaSnapshot,
+            quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
+            quotaStatus: "ready",
+            quotaError: null,
+            unavailableReason: null
+          };
+          const nextAccounts = remainingAccounts.map((entry) => entry.accountId === activatedReplacement.accountId ? activatedReplacement : entry);
+          await removeSnapshot(target.storageId);
+          await writeStoredAccountsState({
             activeAccountId: activatedReplacement.accountId,
-            accounts: sortAccounts(nextAccounts, activatedReplacement.accountId).map((entry) => toPublicAccountEntry(entry, activatedReplacement.accountId))
-          }
-        });
+            accounts: nextAccounts
+          });
+          void scheduleAccountsBackgroundRefresh({
+            force: true,
+            prioritizeAccountId: activatedReplacement.accountId,
+            accountIds: nextAccounts.filter((entry) => entry.accountId !== activatedReplacement.accountId).map((entry) => entry.accountId)
+          });
+          setJson(res, 200, {
+            ok: true,
+            data: {
+              activeAccountId: activatedReplacement.accountId,
+              accounts: sortAccounts(nextAccounts, activatedReplacement.accountId).map((entry) => toPublicAccountEntry(entry, activatedReplacement.accountId))
+            }
+          });
+        } catch (error) {
+          await restoreActiveAuth(previousRaw);
+          appServer.dispose();
+          await replaceStoredAccount({
+            ...replacement,
+            quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
+            quotaStatus: "error",
+            quotaError: getErrorMessage(error, "Failed to switch account"),
+            unavailableReason: detectAccountUnavailableReason(error)
+          }, state.activeAccountId);
+          setJson(res, 502, {
+            error: "account_remove_failed",
+            message: getErrorMessage(error, "Failed to remove account")
+          });
+        }
       } catch (error) {
-        await restoreActiveAuth(previousRaw);
-        appServer.dispose();
-        await replaceStoredAccount({
-          ...replacement,
-          quotaUpdatedAtIso: (/* @__PURE__ */ new Date()).toISOString(),
-          quotaStatus: "error",
-          quotaError: getErrorMessage(error, "Failed to switch account"),
-          unavailableReason: detectAccountUnavailableReason(error)
-        }, state.activeAccountId);
-        setJson(res, 502, {
-          error: "account_remove_failed",
+        setJson(res, 400, {
+          error: "invalid_auth_json",
           message: getErrorMessage(error, "Failed to remove account")
         });
       }
-    } catch (error) {
-      setJson(res, 400, {
-        error: "invalid_auth_json",
-        message: getErrorMessage(error, "Failed to remove account")
-      });
+      return true;
+    }
+  } catch (error) {
+    Sentry.captureException(error);
+    if (!res.headersSent) {
+      setJson(res, 500, { error: "Internal account error" });
     }
     return true;
   }
@@ -1036,6 +1098,7 @@ async function handleAccountRoutes(req, res, url, context) {
 }
 
 // src/server/reviewGit.ts
+import * as Sentry2 from "@sentry/node";
 import { spawn as spawn2 } from "child_process";
 import { mkdir as mkdir2, rm as rm2, stat as stat2, writeFile as writeFile2 } from "fs/promises";
 import { tmpdir as tmpdir2 } from "os";
@@ -1647,47 +1710,55 @@ async function applyReviewAction(payload) {
   return await buildReviewSnapshot(normalizedCwd, scope, workspaceView);
 }
 async function handleReviewRoutes(req, res, url, context) {
-  if (req.method === "GET" && url.pathname === "/codex-api/review/snapshot") {
-    const cwd = url.searchParams.get("cwd")?.trim() ?? "";
-    const scope = url.searchParams.get("scope") === "baseBranch" ? "baseBranch" : "workspace";
-    const workspaceView = url.searchParams.get("workspaceView") === "staged" ? "staged" : "unstaged";
-    const baseBranch = url.searchParams.get("baseBranch")?.trim() ?? "";
-    if (!cwd) {
-      setJson2(res, 400, { error: "Missing cwd" });
+  try {
+    if (req.method === "GET" && url.pathname === "/codex-api/review/snapshot") {
+      const cwd = url.searchParams.get("cwd")?.trim() ?? "";
+      const scope = url.searchParams.get("scope") === "baseBranch" ? "baseBranch" : "workspace";
+      const workspaceView = url.searchParams.get("workspaceView") === "staged" ? "staged" : "unstaged";
+      const baseBranch = url.searchParams.get("baseBranch")?.trim() ?? "";
+      if (!cwd) {
+        setJson2(res, 400, { error: "Missing cwd" });
+        return true;
+      }
+      try {
+        setJson2(res, 200, {
+          data: await buildReviewSnapshot(cwd, scope, workspaceView, baseBranch)
+        });
+      } catch (error) {
+        setJson2(res, 500, { error: getErrorMessage2(error, "Failed to load review snapshot") });
+      }
       return true;
     }
-    try {
-      setJson2(res, 200, {
-        data: await buildReviewSnapshot(cwd, scope, workspaceView, baseBranch)
-      });
-    } catch (error) {
-      setJson2(res, 500, { error: getErrorMessage2(error, "Failed to load review snapshot") });
-    }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/review/action") {
-    try {
-      const payload = await context.readJsonBody(req);
-      setJson2(res, 200, {
-        data: await applyReviewAction(payload)
-      });
-    } catch (error) {
-      setJson2(res, 500, { error: getErrorMessage2(error, "Failed to apply review action") });
+    if (req.method === "POST" && url.pathname === "/codex-api/review/action") {
+      try {
+        const payload = await context.readJsonBody(req);
+        setJson2(res, 200, {
+          data: await applyReviewAction(payload)
+        });
+      } catch (error) {
+        setJson2(res, 500, { error: getErrorMessage2(error, "Failed to apply review action") });
+      }
+      return true;
     }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/review/git/init") {
-    const payload = asRecord2(await context.readJsonBody(req));
-    const cwd = readString2(payload?.cwd);
-    if (!cwd) {
-      setJson2(res, 400, { error: "Missing cwd" });
+    if (req.method === "POST" && url.pathname === "/codex-api/review/git/init") {
+      const payload = asRecord2(await context.readJsonBody(req));
+      const cwd = readString2(payload?.cwd);
+      if (!cwd) {
+        setJson2(res, 400, { error: "Missing cwd" });
+        return true;
+      }
+      try {
+        await initializeGitRepository(cwd);
+        setJson2(res, 200, { ok: true });
+      } catch (error) {
+        setJson2(res, 500, { error: getErrorMessage2(error, "Failed to initialize Git") });
+      }
       return true;
     }
-    try {
-      await initializeGitRepository(cwd);
-      setJson2(res, 200, { ok: true });
-    } catch (error) {
-      setJson2(res, 500, { error: getErrorMessage2(error, "Failed to initialize Git") });
+  } catch (error) {
+    Sentry2.captureException(error);
+    if (!res.headersSent) {
+      setJson2(res, 500, { error: "Internal review error" });
     }
     return true;
   }
@@ -1695,6 +1766,7 @@ async function handleReviewRoutes(req, res, url, context) {
 }
 
 // src/server/skillsRoutes.ts
+import * as Sentry3 from "@sentry/node";
 import { spawn as spawn3 } from "child_process";
 import { mkdtemp as mkdtemp2, readFile as readFile2, readdir, rm as rm3, mkdir as mkdir3, stat as stat3, lstat, readlink, symlink } from "fs/promises";
 import { existsSync as existsSync2 } from "fs";
@@ -2685,357 +2757,365 @@ async function searchSkillsHub(allEntries, query, limit, sort, installedMap) {
 }
 async function handleSkillsRoutes(req, res, url, context) {
   const { appServer, readJsonBody: readJsonBody2 } = context;
-  if (req.method === "GET" && url.pathname === "/codex-api/skills-hub") {
-    try {
-      const q = url.searchParams.get("q") || "";
-      const limit = Math.min(Math.max(parseInt(url.searchParams.get("limit") || "50", 10) || 50, 1), 200);
-      const sort = url.searchParams.get("sort") || "date";
-      const allEntries = await fetchSkillsTree();
-      const installedMap = await scanInstalledSkillsFromDisk();
+  try {
+    if (req.method === "GET" && url.pathname === "/codex-api/skills-hub") {
       try {
-        const result = await appServer.rpc("skills/list", {});
-        for (const entry of result.data ?? []) {
-          for (const skill of entry.skills ?? []) {
-            if (skill.name) {
-              installedMap.set(skill.name, { name: skill.name, path: skill.path ?? "", enabled: skill.enabled !== false });
+        const q = url.searchParams.get("q") || "";
+        const limit = Math.min(Math.max(parseInt(url.searchParams.get("limit") || "50", 10) || 50, 1), 200);
+        const sort = url.searchParams.get("sort") || "date";
+        const allEntries = await fetchSkillsTree();
+        const installedMap = await scanInstalledSkillsFromDisk();
+        try {
+          const result = await appServer.rpc("skills/list", {});
+          for (const entry of result.data ?? []) {
+            for (const skill of entry.skills ?? []) {
+              if (skill.name) {
+                installedMap.set(skill.name, { name: skill.name, path: skill.path ?? "", enabled: skill.enabled !== false });
+              }
             }
           }
+        } catch {
         }
-      } catch {
-      }
-      const installedHubEntries = allEntries.filter((e) => installedMap.has(e.name));
-      await fetchMetaBatch(installedHubEntries);
-      const installed = [];
-      for (const [, info] of installedMap) {
-        const hubEntry = allEntries.find((e) => e.name === info.name);
-        const base = hubEntry ? buildHubEntry(hubEntry) : {
-          name: info.name,
-          owner: "local",
-          description: "",
-          displayName: "",
-          publishedAt: 0,
-          avatarUrl: "",
-          url: "",
-          installed: false
-        };
-        installed.push({ ...base, installed: true, path: info.path, enabled: info.enabled });
+        const installedHubEntries = allEntries.filter((e) => installedMap.has(e.name));
+        await fetchMetaBatch(installedHubEntries);
+        const installed = [];
+        for (const [, info] of installedMap) {
+          const hubEntry = allEntries.find((e) => e.name === info.name);
+          const base = hubEntry ? buildHubEntry(hubEntry) : {
+            name: info.name,
+            owner: "local",
+            description: "",
+            displayName: "",
+            publishedAt: 0,
+            avatarUrl: "",
+            url: "",
+            installed: false
+          };
+          installed.push({ ...base, installed: true, path: info.path, enabled: info.enabled });
+        }
+        const results = await searchSkillsHub(allEntries, q, limit, sort, installedMap);
+        setJson3(res, 200, { data: results, installed, total: allEntries.length });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to fetch skills hub") });
       }
-      const results = await searchSkillsHub(allEntries, q, limit, sort, installedMap);
-      setJson3(res, 200, { data: results, installed, total: allEntries.length });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to fetch skills hub") });
+      return true;
     }
-    return true;
-  }
-  if (req.method === "GET" && url.pathname === "/codex-api/skills-sync/status") {
-    const state = await readSkillsSyncState();
-    setJson3(res, 200, {
-      data: {
-        loggedIn: Boolean(state.githubToken),
-        githubUsername: state.githubUsername ?? "",
-        repoOwner: state.repoOwner ?? "",
-        repoName: state.repoName ?? "",
-        configured: Boolean(state.githubToken && state.repoOwner && state.repoName),
-        telemetry: {
-          lastPullCommitSha: state.lastPullCommitSha ?? "",
-          lastPushCommitSha: state.lastPushCommitSha ?? "",
-          lastSyncAttemptCount: state.lastSyncAttemptCount ?? 0,
-          lastSyncError: state.lastSyncError ?? "",
-          lastSyncAtIso: state.lastSyncAtIso ?? ""
-        },
-        startup: {
-          inProgress: startupSyncStatus.inProgress,
-          mode: startupSyncStatus.mode,
-          branch: startupSyncStatus.branch,
-          lastAction: startupSyncStatus.lastAction,
-          lastRunAtIso: startupSyncStatus.lastRunAtIso,
-          lastSuccessAtIso: startupSyncStatus.lastSuccessAtIso,
-          lastError: startupSyncStatus.lastError
+    if (req.method === "GET" && url.pathname === "/codex-api/skills-sync/status") {
+      const state = await readSkillsSyncState();
+      setJson3(res, 200, {
+        data: {
+          loggedIn: Boolean(state.githubToken),
+          githubUsername: state.githubUsername ?? "",
+          repoOwner: state.repoOwner ?? "",
+          repoName: state.repoName ?? "",
+          configured: Boolean(state.githubToken && state.repoOwner && state.repoName),
+          telemetry: {
+            lastPullCommitSha: state.lastPullCommitSha ?? "",
+            lastPushCommitSha: state.lastPushCommitSha ?? "",
+            lastSyncAttemptCount: state.lastSyncAttemptCount ?? 0,
+            lastSyncError: state.lastSyncError ?? "",
+            lastSyncAtIso: state.lastSyncAtIso ?? ""
+          },
+          startup: {
+            inProgress: startupSyncStatus.inProgress,
+            mode: startupSyncStatus.mode,
+            branch: startupSyncStatus.branch,
+            lastAction: startupSyncStatus.lastAction,
+            lastRunAtIso: startupSyncStatus.lastRunAtIso,
+            lastSuccessAtIso: startupSyncStatus.lastSuccessAtIso,
+            lastError: startupSyncStatus.lastError
+          }
         }
-      }
-    });
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/github/start-login") {
-    try {
-      const started = await startGithubDeviceLogin();
-      setJson3(res, 200, { data: started });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to start GitHub login") });
+      });
+      return true;
     }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/github/token-login") {
-    try {
-      const payload = asRecord3(await readJsonBody2(req));
-      const token = typeof payload?.token === "string" ? payload.token.trim() : "";
-      if (!token) {
-        setJson3(res, 400, { error: "Missing GitHub token" });
-        return true;
+    if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/github/start-login") {
+      try {
+        const started = await startGithubDeviceLogin();
+        setJson3(res, 200, { data: started });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to start GitHub login") });
       }
-      const username = await resolveGithubUsername(token);
-      await finalizeGithubLoginAndSync(token, username, appServer);
-      setJson3(res, 200, { ok: true, data: { githubUsername: username } });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to login with GitHub token") });
+      return true;
     }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/github/logout") {
-    try {
-      const state = await readSkillsSyncState();
-      await writeSkillsSyncState({
-        ...state,
-        githubToken: void 0,
-        githubUsername: void 0,
-        repoOwner: void 0,
-        repoName: void 0
-      });
-      setJson3(res, 200, { ok: true });
-    } catch (error) {
-      setJson3(res, 500, { error: getErrorMessage3(error, "Failed to logout GitHub") });
-    }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/github/complete-login") {
-    try {
-      const payload = asRecord3(await readJsonBody2(req));
-      const deviceCode = typeof payload?.deviceCode === "string" ? payload.deviceCode : "";
-      if (!deviceCode) {
-        setJson3(res, 400, { error: "Missing deviceCode" });
-        return true;
-      }
-      const result = await completeGithubDeviceLogin(deviceCode);
-      if (!result.token) {
-        setJson3(res, 200, { ok: false, pending: result.error === "authorization_pending", error: result.error || "login_failed" });
-        return true;
+    if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/github/token-login") {
+      try {
+        const payload = asRecord3(await readJsonBody2(req));
+        const token = typeof payload?.token === "string" ? payload.token.trim() : "";
+        if (!token) {
+          setJson3(res, 400, { error: "Missing GitHub token" });
+          return true;
+        }
+        const username = await resolveGithubUsername(token);
+        await finalizeGithubLoginAndSync(token, username, appServer);
+        setJson3(res, 200, { ok: true, data: { githubUsername: username } });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to login with GitHub token") });
       }
-      const token = result.token;
-      const username = await resolveGithubUsername(token);
-      await finalizeGithubLoginAndSync(token, username, appServer);
-      setJson3(res, 200, { ok: true, data: { githubUsername: username } });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to complete GitHub login") });
+      return true;
     }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/push") {
-    try {
-      const state = await readSkillsSyncState();
-      if (!state.githubToken || !state.repoOwner || !state.repoName) {
-        setJson3(res, 400, { error: "Skills sync is not configured yet" });
-        return true;
-      }
-      if (isUpstreamSkillsRepo(state.repoOwner, state.repoName)) {
-        setJson3(res, 400, { error: "Refusing to push to upstream repository" });
-        return true;
+    if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/github/logout") {
+      try {
+        const state = await readSkillsSyncState();
+        await writeSkillsSyncState({
+          ...state,
+          githubToken: void 0,
+          githubUsername: void 0,
+          repoOwner: void 0,
+          repoName: void 0
+        });
+        setJson3(res, 200, { ok: true });
+      } catch (error) {
+        setJson3(res, 500, { error: getErrorMessage3(error, "Failed to logout GitHub") });
       }
-      const local = await collectLocalSyncedSkills(appServer);
-      const installedMap = await scanInstalledSkillsFromDisk();
-      await writeRemoteSkillsManifest(state.githubToken, state.repoOwner, state.repoName, local);
-      await syncInstalledSkillsFolderToRepo(state.githubToken, state.repoOwner, state.repoName, installedMap);
-      setJson3(res, 200, { ok: true, data: { synced: local.length } });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to push synced skills") });
-    }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/startup-sync") {
-    try {
-      await runSkillsSyncStartup(appServer);
-      setJson3(res, 200, { ok: true });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to run startup sync") });
+      return true;
     }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/pull") {
-    try {
-      const state = await readSkillsSyncState();
-      if (!state.githubToken || !state.repoOwner || !state.repoName) {
-        await bootstrapSkillsFromUpstreamIntoLocal();
-        try {
-          await appServer.rpc("skills/list", { forceReload: true });
-        } catch {
-        }
-        setJson3(res, 200, { ok: true, data: { synced: 0, source: "upstream" } });
-        return true;
-      }
-      const remote = await readRemoteSkillsManifest(state.githubToken, state.repoOwner, state.repoName);
-      const tree = await fetchSkillsTree();
-      const uniqueOwnerByName = /* @__PURE__ */ new Map();
-      const ambiguousNames = /* @__PURE__ */ new Set();
-      for (const entry of tree) {
-        if (ambiguousNames.has(entry.name)) continue;
-        const existingOwner = uniqueOwnerByName.get(entry.name);
-        if (!existingOwner) {
-          uniqueOwnerByName.set(entry.name, entry.owner);
-          continue;
+    if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/github/complete-login") {
+      try {
+        const payload = asRecord3(await readJsonBody2(req));
+        const deviceCode = typeof payload?.deviceCode === "string" ? payload.deviceCode : "";
+        if (!deviceCode) {
+          setJson3(res, 400, { error: "Missing deviceCode" });
+          return true;
         }
-        if (existingOwner !== entry.owner) {
-          uniqueOwnerByName.delete(entry.name);
-          ambiguousNames.add(entry.name);
+        const result = await completeGithubDeviceLogin(deviceCode);
+        if (!result.token) {
+          setJson3(res, 200, { ok: false, pending: result.error === "authorization_pending", error: result.error || "login_failed" });
+          return true;
         }
+        const token = result.token;
+        const username = await resolveGithubUsername(token);
+        await finalizeGithubLoginAndSync(token, username, appServer);
+        setJson3(res, 200, { ok: true, data: { githubUsername: username } });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to complete GitHub login") });
       }
-      const localDir = await detectUserSkillsDir(appServer);
-      await pullInstalledSkillsFolderFromRepo(state.githubToken, state.repoOwner, state.repoName);
-      const localSkills = await scanInstalledSkillsFromDisk();
-      const missingAfterPull = [];
-      for (const skill of remote) {
-        const owner = skill.owner || uniqueOwnerByName.get(skill.name) || "";
-        if (!owner) continue;
-        if (!localSkills.has(skill.name)) {
-          missingAfterPull.push(`${owner}/${skill.name}`);
-          continue;
+      return true;
+    }
+    if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/push") {
+      try {
+        const state = await readSkillsSyncState();
+        if (!state.githubToken || !state.repoOwner || !state.repoName) {
+          setJson3(res, 400, { error: "Skills sync is not configured yet" });
+          return true;
         }
-        const skillPath = join4(localDir, skill.name);
-        await appServer.rpc("skills/config/write", { path: skillPath, enabled: skill.enabled });
-      }
-      if (missingAfterPull.length > 0) {
-        throw new Error(`Missing skill folders after pull: ${missingAfterPull.join(", ")}`);
-      }
-      const remoteNames = new Set(remote.map((row) => row.name));
-      for (const [name, localInfo] of localSkills.entries()) {
-        if (!remoteNames.has(name)) {
-          await rm3(localInfo.path.replace(/\/SKILL\.md$/, ""), { recursive: true, force: true });
+        if (isUpstreamSkillsRepo(state.repoOwner, state.repoName)) {
+          setJson3(res, 400, { error: "Refusing to push to upstream repository" });
+          return true;
         }
+        const local = await collectLocalSyncedSkills(appServer);
+        const installedMap = await scanInstalledSkillsFromDisk();
+        await writeRemoteSkillsManifest(state.githubToken, state.repoOwner, state.repoName, local);
+        await syncInstalledSkillsFolderToRepo(state.githubToken, state.repoOwner, state.repoName, installedMap);
+        setJson3(res, 200, { ok: true, data: { synced: local.length } });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to push synced skills") });
       }
-      const nextOwners = {};
-      for (const item of remote) {
-        const owner = item.owner || uniqueOwnerByName.get(item.name) || "";
-        if (owner) nextOwners[item.name] = owner;
-      }
-      const pulledHead = await runCommandWithOutput("git", ["rev-parse", "HEAD"], { cwd: getSkillsInstallDir() }).catch(() => "");
-      await writeSkillsSyncState({
-        ...state,
-        installedOwners: nextOwners,
-        lastPullCommitSha: pulledHead.trim(),
-        lastSyncAttemptCount: 1,
-        lastSyncError: "",
-        lastSyncAtIso: (/* @__PURE__ */ new Date()).toISOString()
-      });
+      return true;
+    }
+    if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/startup-sync") {
       try {
-        await appServer.rpc("skills/list", { forceReload: true });
-      } catch {
+        await runSkillsSyncStartup(appServer);
+        setJson3(res, 200, { ok: true });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to run startup sync") });
       }
-      setJson3(res, 200, { ok: true, data: { synced: remote.length } });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to pull synced skills") });
+      return true;
     }
-    return true;
-  }
-  if (req.method === "GET" && url.pathname === "/codex-api/skills-hub/readme") {
-    try {
-      const owner = url.searchParams.get("owner") || "";
-      const name = url.searchParams.get("name") || "";
-      const installed = url.searchParams.get("installed") === "true";
-      const skillPath = url.searchParams.get("path") || "";
-      if (!owner || !name) {
-        setJson3(res, 400, { error: "Missing owner or name" });
-        return true;
-      }
-      if (installed) {
-        const installedMap = await scanInstalledSkillsFromDisk();
-        const installedInfo = installedMap.get(name);
-        const localSkillPath = installedInfo?.path || (skillPath ? skillPath.endsWith("/SKILL.md") ? skillPath : `${skillPath}/SKILL.md` : "");
-        if (localSkillPath) {
-          const content2 = await readFile2(localSkillPath, "utf8");
-          const description2 = extractSkillDescriptionFromMarkdown(content2);
-          setJson3(res, 200, { content: content2, description: description2, source: "local" });
+    if (req.method === "POST" && url.pathname === "/codex-api/skills-sync/pull") {
+      try {
+        const state = await readSkillsSyncState();
+        if (!state.githubToken || !state.repoOwner || !state.repoName) {
+          await bootstrapSkillsFromUpstreamIntoLocal();
+          try {
+            await appServer.rpc("skills/list", { forceReload: true });
+          } catch {
+          }
+          setJson3(res, 200, { ok: true, data: { synced: 0, source: "upstream" } });
           return true;
         }
+        const remote = await readRemoteSkillsManifest(state.githubToken, state.repoOwner, state.repoName);
+        const tree = await fetchSkillsTree();
+        const uniqueOwnerByName = /* @__PURE__ */ new Map();
+        const ambiguousNames = /* @__PURE__ */ new Set();
+        for (const entry of tree) {
+          if (ambiguousNames.has(entry.name)) continue;
+          const existingOwner = uniqueOwnerByName.get(entry.name);
+          if (!existingOwner) {
+            uniqueOwnerByName.set(entry.name, entry.owner);
+            continue;
+          }
+          if (existingOwner !== entry.owner) {
+            uniqueOwnerByName.delete(entry.name);
+            ambiguousNames.add(entry.name);
+          }
+        }
+        const localDir = await detectUserSkillsDir(appServer);
+        await pullInstalledSkillsFolderFromRepo(state.githubToken, state.repoOwner, state.repoName);
+        const localSkills = await scanInstalledSkillsFromDisk();
+        const missingAfterPull = [];
+        for (const skill of remote) {
+          const owner = skill.owner || uniqueOwnerByName.get(skill.name) || "";
+          if (!owner) continue;
+          if (!localSkills.has(skill.name)) {
+            missingAfterPull.push(`${owner}/${skill.name}`);
+            continue;
+          }
+          const skillPath = join4(localDir, skill.name);
+          await appServer.rpc("skills/config/write", { path: skillPath, enabled: skill.enabled });
+        }
+        if (missingAfterPull.length > 0) {
+          throw new Error(`Missing skill folders after pull: ${missingAfterPull.join(", ")}`);
+        }
+        const remoteNames = new Set(remote.map((row) => row.name));
+        for (const [name, localInfo] of localSkills.entries()) {
+          if (!remoteNames.has(name)) {
+            await rm3(localInfo.path.replace(/\/SKILL\.md$/, ""), { recursive: true, force: true });
+          }
+        }
+        const nextOwners = {};
+        for (const item of remote) {
+          const owner = item.owner || uniqueOwnerByName.get(item.name) || "";
+          if (owner) nextOwners[item.name] = owner;
+        }
+        const pulledHead = await runCommandWithOutput("git", ["rev-parse", "HEAD"], { cwd: getSkillsInstallDir() }).catch(() => "");
+        await writeSkillsSyncState({
+          ...state,
+          installedOwners: nextOwners,
+          lastPullCommitSha: pulledHead.trim(),
+          lastSyncAttemptCount: 1,
+          lastSyncError: "",
+          lastSyncAtIso: (/* @__PURE__ */ new Date()).toISOString()
+        });
+        try {
+          await appServer.rpc("skills/list", { forceReload: true });
+        } catch {
+        }
+        setJson3(res, 200, { ok: true, data: { synced: remote.length } });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to pull synced skills") });
       }
-      const rawUrl = `https://raw.githubusercontent.com/${HUB_SKILLS_OWNER}/${HUB_SKILLS_REPO}/main/skills/${owner}/${name}/SKILL.md`;
-      const resp = await fetch(rawUrl);
-      if (!resp.ok) throw new Error(`Failed to fetch SKILL.md: ${resp.status}`);
-      const content = await resp.text();
-      const description = extractSkillDescriptionFromMarkdown(content);
-      setJson3(res, 200, { content, description, source: "remote" });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to fetch SKILL.md") });
+      return true;
     }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/skills-hub/install") {
-    try {
-      const payload = asRecord3(await readJsonBody2(req));
-      const owner = typeof payload?.owner === "string" ? payload.owner : "";
-      const name = typeof payload?.name === "string" ? payload.name : "";
-      if (!owner || !name) {
-        setJson3(res, 400, { error: "Missing owner or name" });
-        return true;
-      }
-      const installerScript = resolveSkillInstallerScriptPath(getCodexHomeDir2());
-      if (!installerScript) {
-        throw new Error("Skill installer script not found");
-      }
-      const pythonCommand = resolvePythonCommand();
-      if (!pythonCommand) {
-        throw new Error("Python 3 is required to install skills");
-      }
-      const installDest = await withTimeout(
-        detectUserSkillsDir(appServer),
-        1e4,
-        "detectUserSkillsDir"
-      ).catch(() => getSkillsInstallDir());
-      const skillDir = join4(installDest, name);
-      if (existsSync2(skillDir)) {
-        await rm3(skillDir, { recursive: true, force: true });
-      }
-      await runCommand2(pythonCommand.command, [
-        ...pythonCommand.args,
-        installerScript,
-        "--repo",
-        `${HUB_SKILLS_OWNER}/${HUB_SKILLS_REPO}`,
-        "--path",
-        `skills/${owner}/${name}`,
-        "--dest",
-        installDest,
-        "--method",
-        "git"
-      ], { timeoutMs: 9e4 });
+    if (req.method === "GET" && url.pathname === "/codex-api/skills-hub/readme") {
       try {
-        await withTimeout(ensureInstalledSkillIsValid(appServer, skillDir), 1e4, "ensureInstalledSkillIsValid");
-      } catch {
+        const owner = url.searchParams.get("owner") || "";
+        const name = url.searchParams.get("name") || "";
+        const installed = url.searchParams.get("installed") === "true";
+        const skillPath = url.searchParams.get("path") || "";
+        if (!owner || !name) {
+          setJson3(res, 400, { error: "Missing owner or name" });
+          return true;
+        }
+        if (installed) {
+          const installedMap = await scanInstalledSkillsFromDisk();
+          const installedInfo = installedMap.get(name);
+          const localSkillPath = installedInfo?.path || (skillPath ? skillPath.endsWith("/SKILL.md") ? skillPath : `${skillPath}/SKILL.md` : "");
+          if (localSkillPath) {
+            const content2 = await readFile2(localSkillPath, "utf8");
+            const description2 = extractSkillDescriptionFromMarkdown(content2);
+            setJson3(res, 200, { content: content2, description: description2, source: "local" });
+            return true;
+          }
+        }
+        const rawUrl = `https://raw.githubusercontent.com/${HUB_SKILLS_OWNER}/${HUB_SKILLS_REPO}/main/skills/${owner}/${name}/SKILL.md`;
+        const resp = await fetch(rawUrl);
+        if (!resp.ok) throw new Error(`Failed to fetch SKILL.md: ${resp.status}`);
+        const content = await resp.text();
+        const description = extractSkillDescriptionFromMarkdown(content);
+        setJson3(res, 200, { content, description, source: "remote" });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to fetch SKILL.md") });
       }
-      const syncState = await readSkillsSyncState();
-      const nextOwners = { ...syncState.installedOwners ?? {}, [name]: owner };
-      await writeSkillsSyncState({ ...syncState, installedOwners: nextOwners });
-      autoPushSyncedSkills(appServer).catch(() => {
-      });
-      setJson3(res, 200, { ok: true, path: skillDir });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to install skill") });
+      return true;
     }
-    return true;
-  }
-  if (req.method === "POST" && url.pathname === "/codex-api/skills-hub/uninstall") {
-    try {
-      const payload = asRecord3(await readJsonBody2(req));
-      const name = typeof payload?.name === "string" ? payload.name : "";
-      const path = typeof payload?.path === "string" ? payload.path : "";
-      const normalizedPath = path.endsWith("/SKILL.md") ? path.slice(0, -"/SKILL.md".length) : path;
-      const target = normalizedPath || (name ? join4(getSkillsInstallDir(), name) : "");
-      if (!target) {
-        setJson3(res, 400, { error: "Missing name or path" });
-        return true;
-      }
-      await rm3(target, { recursive: true, force: true });
-      if (name) {
+    if (req.method === "POST" && url.pathname === "/codex-api/skills-hub/install") {
+      try {
+        const payload = asRecord3(await readJsonBody2(req));
+        const owner = typeof payload?.owner === "string" ? payload.owner : "";
+        const name = typeof payload?.name === "string" ? payload.name : "";
+        if (!owner || !name) {
+          setJson3(res, 400, { error: "Missing owner or name" });
+          return true;
+        }
+        const installerScript = resolveSkillInstallerScriptPath(getCodexHomeDir2());
+        if (!installerScript) {
+          throw new Error("Skill installer script not found");
+        }
+        const pythonCommand = resolvePythonCommand();
+        if (!pythonCommand) {
+          throw new Error("Python 3 is required to install skills");
+        }
+        const installDest = await withTimeout(
+          detectUserSkillsDir(appServer),
+          1e4,
+          "detectUserSkillsDir"
+        ).catch(() => getSkillsInstallDir());
+        const skillDir = join4(installDest, name);
+        if (existsSync2(skillDir)) {
+          await rm3(skillDir, { recursive: true, force: true });
+        }
+        await runCommand2(pythonCommand.command, [
+          ...pythonCommand.args,
+          installerScript,
+          "--repo",
+          `${HUB_SKILLS_OWNER}/${HUB_SKILLS_REPO}`,
+          "--path",
+          `skills/${owner}/${name}`,
+          "--dest",
+          installDest,
+          "--method",
+          "git"
+        ], { timeoutMs: 9e4 });
+        try {
+          await withTimeout(ensureInstalledSkillIsValid(appServer, skillDir), 1e4, "ensureInstalledSkillIsValid");
+        } catch {
+        }
         const syncState = await readSkillsSyncState();
-        const nextOwners = { ...syncState.installedOwners ?? {} };
-        delete nextOwners[name];
+        const nextOwners = { ...syncState.installedOwners ?? {}, [name]: owner };
         await writeSkillsSyncState({ ...syncState, installedOwners: nextOwners });
+        autoPushSyncedSkills(appServer).catch(() => {
+        });
+        setJson3(res, 200, { ok: true, path: skillDir });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to install skill") });
       }
-      autoPushSyncedSkills(appServer).catch(() => {
-      });
+      return true;
+    }
+    if (req.method === "POST" && url.pathname === "/codex-api/skills-hub/uninstall") {
       try {
-        await withTimeout(appServer.rpc("skills/list", { forceReload: true }), 1e4, "skills/list reload");
-      } catch {
+        const payload = asRecord3(await readJsonBody2(req));
+        const name = typeof payload?.name === "string" ? payload.name : "";
+        const path = typeof payload?.path === "string" ? payload.path : "";
+        const normalizedPath = path.endsWith("/SKILL.md") ? path.slice(0, -"/SKILL.md".length) : path;
+        const target = normalizedPath || (name ? join4(getSkillsInstallDir(), name) : "");
+        if (!target) {
+          setJson3(res, 400, { error: "Missing name or path" });
+          return true;
+        }
+        await rm3(target, { recursive: true, force: true });
+        if (name) {
+          const syncState = await readSkillsSyncState();
+          const nextOwners = { ...syncState.installedOwners ?? {} };
+          delete nextOwners[name];
+          await writeSkillsSyncState({ ...syncState, installedOwners: nextOwners });
+        }
+        autoPushSyncedSkills(appServer).catch(() => {
+        });
+        try {
+          await withTimeout(appServer.rpc("skills/list", { forceReload: true }), 1e4, "skills/list reload");
+        } catch {
+        }
+        setJson3(res, 200, { ok: true, deletedPath: target });
+      } catch (error) {
+        setJson3(res, 502, { error: getErrorMessage3(error, "Failed to uninstall skill") });
       }
-      setJson3(res, 200, { ok: true, deletedPath: target });
-    } catch (error) {
-      setJson3(res, 502, { error: getErrorMessage3(error, "Failed to uninstall skill") });
+      return true;
+    }
+  } catch (error) {
+    Sentry3.captureException(error);
+    if (!res.headersSent) {
+      setJson3(res, 500, { error: "Internal skills error" });
     }
     return true;
   }
@@ -3281,7 +3361,8 @@ var TelegramThreadBridge = class {
     const payload = asRecord4(await this.appServer.rpc("thread/list", {
       archived: false,
       limit: 20,
-      sortKey: "updated_at"
+      sortKey: "updated_at",
+      modelProviders: []
     }));
     const rows = Array.isArray(payload?.data) ? payload.data : [];
     const threads = [];
@@ -3464,6 +3545,190 @@ var THREAD_METHODS_WITH_TURNS = /* @__PURE__ */ new Set(["thread/read", "thread/
 function asRecord5(value) {
   return value !== null && typeof value === "object" && !Array.isArray(value) ? value : null;
 }
+function isInlineDataUrl(value) {
+  return /^data:/iu.test(value.trim());
+}
+function extensionFromMimeType(mimeType) {
+  const normalized = mimeType.trim().toLowerCase();
+  if (normalized === "image/png") return ".png";
+  if (normalized === "image/jpeg") return ".jpg";
+  if (normalized === "image/webp") return ".webp";
+  if (normalized === "image/gif") return ".gif";
+  if (normalized === "image/svg+xml") return ".svg";
+  if (normalized === "application/pdf") return ".pdf";
+  return "";
+}
+function asNonEmptyString(value) {
+  if (typeof value !== "string") return null;
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : null;
+}
+function toAttachmentLinkTarget(block, fallback) {
+  const candidate = asNonEmptyString(block.path) ?? asNonEmptyString(block.file_path) ?? asNonEmptyString(block.filename) ?? asNonEmptyString(block.file_id) ?? fallback;
+  if (candidate.startsWith("file://")) return candidate;
+  if (candidate.startsWith("/")) return `file://${candidate}`;
+  return `attachment://${candidate}`;
+}
+async function persistInlineDataUrlToLocalFile(dataUrl, baseName) {
+  const trimmed = dataUrl.trim();
+  const match = /^data:([^;,]*)(;base64)?,(.*)$/isu.exec(trimmed);
+  if (!match) return null;
+  const mimeType = (match[1] ?? "").trim().toLowerCase();
+  const encodedPayload = match[3] ?? "";
+  let bytes;
+  try {
+    bytes = match[2] ? Buffer.from(encodedPayload, "base64") : Buffer.from(decodeURIComponent(encodedPayload), "utf8");
+  } catch {
+    return null;
+  }
+  if (bytes.length === 0) return null;
+  const hash = createHash2("sha1").update(bytes).digest("hex");
+  const ext = extensionFromMimeType(mimeType);
+  const mediaDir = join5(tmpdir4(), "codex-web-inline-media");
+  await mkdir4(mediaDir, { recursive: true });
+  const fileName = `${baseName}-${hash}${ext}`;
+  const filePath = join5(mediaDir, fileName);
+  try {
+    await stat4(filePath);
+  } catch {
+    await writeFile4(filePath, bytes);
+  }
+  return filePath;
+}
+function toLocalImageProxyUrl(path) {
+  return `/codex-local-image?path=${encodeURIComponent(path)}`;
+}
+async function sanitizeInlineUserContentBlock(block, context) {
+  const record = asRecord5(block);
+  if (!record) return block;
+  const type = asNonEmptyString(record.type) ?? "";
+  const imageUrl = asNonEmptyString(record.url) ?? asNonEmptyString(record.image_url);
+  if (imageUrl && isInlineDataUrl(imageUrl)) {
+    const localUrl = await persistInlineDataUrlToLocalFile(imageUrl, `inline-image-${context.turnId}-${context.itemId}-${String(context.blockIndex)}`);
+    if (localUrl) {
+      return {
+        ...record,
+        type: "image",
+        url: toLocalImageProxyUrl(localUrl)
+      };
+    }
+    const target = toAttachmentLinkTarget(record, `inline-image/${context.turnId}/${context.itemId}/${String(context.blockIndex)}`);
+    return {
+      type: "text",
+      text: `Image attachment: ${target}`
+    };
+  }
+  const inlineFileData = asNonEmptyString(record.file_data) ?? asNonEmptyString(record.data) ?? asNonEmptyString(record.base64);
+  if ((type.includes("file") || type === "input_file" || type === "file") && inlineFileData) {
+    const mimeType = asNonEmptyString(record.mime_type) ?? "application/octet-stream";
+    const fileDataUrl = `data:${mimeType};base64,${inlineFileData}`;
+    const localUrl = await persistInlineDataUrlToLocalFile(fileDataUrl, `inline-file-${context.turnId}-${context.itemId}-${String(context.blockIndex)}`);
+    if (localUrl) {
+      return {
+        type: "text",
+        text: `File attachment: ${localUrl}`
+      };
+    }
+    const target = toAttachmentLinkTarget(record, `inline-file/${context.turnId}/${context.itemId}/${String(context.blockIndex)}`);
+    return {
+      type: "text",
+      text: `File attachment: ${target}`
+    };
+  }
+  return block;
+}
+async function sanitizeInlinePayloadDeep(value, context) {
+  const maybeBlock = await sanitizeInlineUserContentBlock(value, context);
+  if (maybeBlock !== value) {
+    return { value: maybeBlock, changed: true };
+  }
+  if (Array.isArray(value)) {
+    let changed2 = false;
+    const nextArray = [];
+    for (let index = 0; index < value.length; index += 1) {
+      const nested = await sanitizeInlinePayloadDeep(value[index], {
+        turnId: context.turnId,
+        itemId: context.itemId,
+        blockIndex: index
+      });
+      if (nested.changed) changed2 = true;
+      nextArray.push(nested.value);
+    }
+    return changed2 ? { value: nextArray, changed: true } : { value, changed: false };
+  }
+  const record = asRecord5(value);
+  if (!record) return { value, changed: false };
+  let changed = false;
+  const nextRecord = {};
+  for (const [key, nestedValue] of Object.entries(record)) {
+    const nested = await sanitizeInlinePayloadDeep(nestedValue, {
+      turnId: context.turnId,
+      itemId: context.itemId,
+      blockIndex: context.blockIndex
+    });
+    if (nested.changed) changed = true;
+    nextRecord[key] = nested.value;
+  }
+  return changed ? { value: nextRecord, changed: true } : { value, changed: false };
+}
+async function sanitizeThreadTurnsInlinePayloads(method, result) {
+  if (!THREAD_METHODS_WITH_TURNS.has(method)) return result;
+  const record = asRecord5(result);
+  const thread = asRecord5(record?.thread);
+  const turns = Array.isArray(thread?.turns) ? thread.turns : null;
+  if (!record || !thread || !turns || turns.length === 0) return result;
+  let changed = false;
+  const nextTurns = [];
+  for (let turnIndex = 0; turnIndex < turns.length; turnIndex += 1) {
+    const turn = turns[turnIndex];
+    const turnRecord = asRecord5(turn);
+    const turnId = asNonEmptyString(turnRecord?.id) ?? "turn";
+    const items = Array.isArray(turnRecord?.items) ? turnRecord.items : null;
+    if (!turnRecord || !items) {
+      nextTurns.push(turn);
+      continue;
+    }
+    let itemChanged = false;
+    const nextItems = [];
+    for (let itemIndex = 0; itemIndex < items.length; itemIndex += 1) {
+      const item = items[itemIndex];
+      const itemRecord = asRecord5(item);
+      const itemId = asNonEmptyString(itemRecord?.id) ?? "item";
+      if (!itemRecord) {
+        nextItems.push(item);
+        continue;
+      }
+      const sanitizedItem = await sanitizeInlinePayloadDeep(item, {
+        turnId,
+        itemId,
+        blockIndex: itemIndex + turnIndex
+      });
+      if (!sanitizedItem.changed) {
+        nextItems.push(item);
+        continue;
+      }
+      itemChanged = true;
+      nextItems.push(sanitizedItem.value);
+    }
+    if (!itemChanged) {
+      nextTurns.push(turn);
+      continue;
+    }
+    changed = true;
+    nextTurns.push({
+      ...turnRecord,
+      items: nextItems
+    });
+  }
+  if (!changed) return result;
+  return {
+    ...record,
+    thread: {
+      ...thread,
+      turns: nextTurns
+    }
+  };
+}
 function trimThreadTurnsInRpcResult(method, result) {
   if (!THREAD_METHODS_WITH_TURNS.has(method)) return result;
   const record = asRecord5(result);
@@ -3549,105 +3814,107 @@ function normalizeProviderModelsData(payload) {
   return ids;
 }
 async function readProviderBackedModelIds(appServer) {
-  const configPayload = asRecord5(await appServer.rpc("config/read", {}));
-  const config = asRecord5(configPayload?.config);
-  const providerId = readNonEmptyString(config?.model_provider);
-  if (!providerId) {
-    return { data: [], providerId: "", source: "provider" };
-  }
-  const providers = asRecord5(config?.model_providers);
-  const provider = asRecord5(providers?.[providerId]);
-  if (!provider) {
-    logProviderModelDiscoveryWarning("configured provider is missing from model_providers", { providerId });
-    return { data: [], providerId, source: "provider" };
-  }
-  const wireApi = readNonEmptyString(provider.wire_api);
-  if (wireApi !== "responses") {
-    return { data: [], providerId, source: "provider" };
-  }
-  const baseUrl = readNonEmptyString(provider.base_url);
-  if (!baseUrl) {
-    logProviderModelDiscoveryWarning("responses provider is missing base_url", { providerId });
-    return { data: [], providerId, source: "provider" };
-  }
-  const headers = new Headers();
-  const configuredHeaders = asRecord5(provider.http_headers);
-  if (configuredHeaders) {
-    for (const [key, rawValue] of Object.entries(configuredHeaders)) {
-      const normalized = normalizeHeaderValue(rawValue);
-      if (!normalized) continue;
-      headers.set(key, normalized);
-    }
-  }
-  const bearerToken = readNonEmptyString(provider.experimental_bearer_token);
-  if (bearerToken && !headers.has("Authorization")) {
-    headers.set("Authorization", `Bearer ${bearerToken}`);
-  }
-  const envKey = readNonEmptyString(provider.env_key);
-  const envHttpHeaders = asRecord5(provider.env_http_headers);
-  if (envKey || envHttpHeaders) {
-    logProviderModelDiscoveryWarning("provider discovery skipped env-backed auth/header expansion", {
-      providerId,
-      hasEnvKey: Boolean(envKey),
-      hasEnvHttpHeaders: Boolean(envHttpHeaders)
-    });
-  }
-  let requestUrl;
-  try {
-    requestUrl = buildProviderModelsUrl(baseUrl, provider.query_params);
-  } catch (error) {
-    logProviderModelDiscoveryWarning("provider /models URL was invalid", {
-      providerId,
-      error: getErrorMessage5(error, "invalid url")
-    });
-    return { data: [], providerId, source: "provider" };
-  }
-  let response;
-  try {
-    response = await fetch(requestUrl, {
-      method: "GET",
-      headers,
-      signal: AbortSignal.timeout(PROVIDER_MODELS_FETCH_TIMEOUT_MS)
-    });
-  } catch (error) {
-    logProviderModelDiscoveryWarning("provider /models request failed", {
-      providerId,
-      error: isTimeoutError(error) ? `request timed out after ${PROVIDER_MODELS_FETCH_TIMEOUT_MS}ms` : getErrorMessage5(error, "network error")
-    });
-    return { data: [], providerId, source: "provider" };
-  }
-  let payload = null;
-  try {
-    payload = await response.json();
-  } catch (error) {
-    logProviderModelDiscoveryWarning("provider /models response was not valid JSON", {
-      providerId,
-      status: response.status,
-      error: getErrorMessage5(error, "invalid json")
-    });
-    return { data: [], providerId, source: "provider" };
-  }
-  if (!response.ok) {
-    logProviderModelDiscoveryWarning("provider /models request returned non-2xx", {
-      providerId,
-      status: response.status,
-      statusText: response.statusText
-    });
-    return { data: [], providerId, source: "provider" };
-  }
-  try {
-    return {
-      data: normalizeProviderModelsData(payload),
-      providerId,
-      source: "provider"
-    };
-  } catch (error) {
-    logProviderModelDiscoveryWarning("provider /models payload was invalid", {
-      providerId,
-      error: getErrorMessage5(error, "invalid payload")
-    });
-    return { data: [], providerId, source: "provider" };
-  }
+  return Sentry4.startSpan({ name: "readProviderBackedModelIds", op: "function.slow" }, async () => {
+    const configPayload = asRecord5(await appServer.rpc("config/read", {}));
+    const config = asRecord5(configPayload?.config);
+    const providerId = readNonEmptyString(config?.model_provider);
+    if (!providerId) {
+      return { data: [], providerId: "", source: "provider" };
+    }
+    const providers = asRecord5(config?.model_providers);
+    const provider = asRecord5(providers?.[providerId]);
+    if (!provider) {
+      logProviderModelDiscoveryWarning("configured provider is missing from model_providers", { providerId });
+      return { data: [], providerId, source: "provider" };
+    }
+    const wireApi = readNonEmptyString(provider.wire_api);
+    if (wireApi !== "responses") {
+      return { data: [], providerId, source: "provider" };
+    }
+    const baseUrl = readNonEmptyString(provider.base_url);
+    if (!baseUrl) {
+      logProviderModelDiscoveryWarning("responses provider is missing base_url", { providerId });
+      return { data: [], providerId, source: "provider" };
+    }
+    const headers = new Headers();
+    const configuredHeaders = asRecord5(provider.http_headers);
+    if (configuredHeaders) {
+      for (const [key, rawValue] of Object.entries(configuredHeaders)) {
+        const normalized = normalizeHeaderValue(rawValue);
+        if (!normalized) continue;
+        headers.set(key, normalized);
+      }
+    }
+    const bearerToken = readNonEmptyString(provider.experimental_bearer_token);
+    if (bearerToken && !headers.has("Authorization")) {
+      headers.set("Authorization", `Bearer ${bearerToken}`);
+    }
+    const envKey = readNonEmptyString(provider.env_key);
+    const envHttpHeaders = asRecord5(provider.env_http_headers);
+    if (envKey || envHttpHeaders) {
+      logProviderModelDiscoveryWarning("provider discovery skipped env-backed auth/header expansion", {
+        providerId,
+        hasEnvKey: Boolean(envKey),
+        hasEnvHttpHeaders: Boolean(envHttpHeaders)
+      });
+    }
+    let requestUrl;
+    try {
+      requestUrl = buildProviderModelsUrl(baseUrl, provider.query_params);
+    } catch (error) {
+      logProviderModelDiscoveryWarning("provider /models URL was invalid", {
+        providerId,
+        error: getErrorMessage5(error, "invalid url")
+      });
+      return { data: [], providerId, source: "provider" };
+    }
+    let response;
+    try {
+      response = await fetch(requestUrl, {
+        method: "GET",
+        headers,
+        signal: AbortSignal.timeout(PROVIDER_MODELS_FETCH_TIMEOUT_MS)
+      });
+    } catch (error) {
+      logProviderModelDiscoveryWarning("provider /models request failed", {
+        providerId,
+        error: isTimeoutError(error) ? `request timed out after ${PROVIDER_MODELS_FETCH_TIMEOUT_MS}ms` : getErrorMessage5(error, "network error")
+      });
+      return { data: [], providerId, source: "provider" };
+    }
+    let payload = null;
+    try {
+      payload = await response.json();
+    } catch (error) {
+      logProviderModelDiscoveryWarning("provider /models response was not valid JSON", {
+        providerId,
+        status: response.status,
+        error: getErrorMessage5(error, "invalid json")
+      });
+      return { data: [], providerId, source: "provider" };
+    }
+    if (!response.ok) {
+      logProviderModelDiscoveryWarning("provider /models request returned non-2xx", {
+        providerId,
+        status: response.status,
+        statusText: response.statusText
+      });
+      return { data: [], providerId, source: "provider" };
+    }
+    try {
+      return {
+        data: normalizeProviderModelsData(payload),
+        providerId,
+        source: "provider"
+      };
+    } catch (error) {
+      logProviderModelDiscoveryWarning("provider /models payload was invalid", {
+        providerId,
+        error: getErrorMessage5(error, "invalid payload")
+      });
+      return { data: [], providerId, source: "provider" };
+    }
+  });
 }
 function extractThreadMessageText(threadReadPayload) {
   const payload = asRecord5(threadReadPayload);
@@ -3866,6 +4133,401 @@ function buildSessionFileChangeFallback(threadReadPayload, sessionLogRaw) {
   }
   return recovered.sort((first, second) => first.turnIndex - second.turnIndex);
 }
+function parseExecCommandOutput(output) {
+  let exitCode = null;
+  let wallTime = null;
+  const outputLines = [];
+  let pastHeader = false;
+  for (const line of output.split("\n")) {
+    if (!pastHeader) {
+      const exitMatch = line.match(/^Process exited with code (\d+)/);
+      if (exitMatch) {
+        exitCode = Number.parseInt(exitMatch[1], 10);
+        continue;
+      }
+      const wallMatch = line.match(/^Wall time:\s+([\d.]+)\s+seconds/);
+      if (wallMatch) {
+        wallTime = Math.round(Number.parseFloat(wallMatch[1]) * 1e3);
+        continue;
+      }
+      if (line.startsWith("Command:") || line.startsWith("Chunk ID:") || line.startsWith("Original token count:")) {
+        continue;
+      }
+      if (line === "Output:") {
+        pastHeader = true;
+        continue;
+      }
+    }
+    outputLines.push(line);
+  }
+  return { exitCode, wallTime, cleanOutput: outputLines.join("\n").trimEnd() };
+}
+function buildSessionItemOrder(sessionLogRaw, turnIds) {
+  let currentTurnId = "";
+  const orderByTurnId = /* @__PURE__ */ new Map();
+  const callIdToCommand = /* @__PURE__ */ new Map();
+  for (const line of sessionLogRaw.split("\n")) {
+    if (!line.trim()) continue;
+    let row = null;
+    try {
+      row = JSON.parse(line);
+    } catch {
+      continue;
+    }
+    if (row.type === "turn_context") {
+      const p = asRecord5(row.payload);
+      currentTurnId = readNonEmptyString(p?.turn_id) || currentTurnId;
+      continue;
+    }
+    if (row.type === "event_msg") {
+      const p = asRecord5(row.payload);
+      if (p?.type === "task_started") {
+        currentTurnId = readNonEmptyString(p.turn_id) || currentTurnId;
+      }
+      continue;
+    }
+    if (row.type !== "response_item" || !currentTurnId || !turnIds.has(currentTurnId)) continue;
+    const payload = asRecord5(row.payload);
+    if (!payload) continue;
+    let slots = orderByTurnId.get(currentTurnId);
+    if (!slots) {
+      slots = [];
+      orderByTurnId.set(currentTurnId, slots);
+    }
+    if (payload.type === "message" && payload.role === "assistant") {
+      slots.push({ type: "agentMessage" });
+      continue;
+    }
+    if (payload.type === "function_call" && payload.name === "exec_command") {
+      const callId = readNonEmptyString(payload.call_id);
+      if (!callId) continue;
+      let cmd = "";
+      try {
+        const args = JSON.parse(payload.arguments);
+        cmd = typeof args.cmd === "string" ? args.cmd : "";
+      } catch {
+      }
+      const command = {
+        id: `session-cmd-${callId}`,
+        type: "commandExecution",
+        command: cmd,
+        cwd: null,
+        status: "completed",
+        aggregatedOutput: "",
+        exitCode: null,
+        durationMs: null
+      };
+      callIdToCommand.set(callId, command);
+      slots.push({ type: "commandExecution", command });
+      continue;
+    }
+    if (payload.type === "function_call_output") {
+      const callId = readNonEmptyString(payload.call_id);
+      if (!callId) continue;
+      const existing = callIdToCommand.get(callId);
+      if (!existing) continue;
+      const rawOutput = typeof payload.output === "string" ? payload.output : "";
+      const parsed = parseExecCommandOutput(rawOutput);
+      existing.aggregatedOutput = parsed.cleanOutput;
+      existing.exitCode = parsed.exitCode;
+      existing.durationMs = parsed.wallTime;
+      existing.status = parsed.exitCode === 0 || parsed.exitCode === null ? "completed" : "failed";
+    }
+    if (payload.type === "custom_tool_call" && payload.name === "apply_patch" && payload.status === "completed") {
+      const input = typeof payload.input === "string" ? payload.input : "";
+      const callId = readNonEmptyString(payload.call_id);
+      if (!input || !callId) continue;
+      const parsedChanges = parseApplyPatchInput(input);
+      if (parsedChanges.length === 0) continue;
+      const fcItem = {
+        id: `session-fc-${callId}`,
+        type: "fileChange",
+        status: "completed",
+        changes: parsedChanges.map((fc) => ({
+          ...fc,
+          kind: { type: fc.operation, ...fc.movedToPath ? { move_path: fc.movedToPath } : {} }
+        }))
+      };
+      slots.push({ type: "fileChange", fileChange: fcItem });
+    }
+  }
+  return orderByTurnId;
+}
+function extractFilePathsFromCommand(cmd, cwd) {
+  const paths = [];
+  const absPathPattern = /(?:^|\s|>>|>|<)(\/?(?:Users|home|tmp|var|etc|root)\/[^\s;|&><"']+)/g;
+  let match;
+  while ((match = absPathPattern.exec(cmd)) !== null) {
+    const p = match[1]?.trim();
+    if (p && !p.endsWith("/") && !p.startsWith("-")) paths.push(p);
+  }
+  const redirectPattern = /(?:>>?|cat\s*>\s*)([^\s;|&><"']+)/g;
+  while ((match = redirectPattern.exec(cmd)) !== null) {
+    const p = match[1]?.trim();
+    if (p && !p.startsWith("-") && !p.startsWith("/dev/")) {
+      paths.push(isAbsolute2(p) ? p : join5(cwd, p));
+    }
+  }
+  return [...new Set(paths)];
+}
+function collectFileChangesForTurns(sessionLogRaw, turnIdsToRevert, cwd) {
+  let currentTurnId = "";
+  const infoByTurnId = /* @__PURE__ */ new Map();
+  for (const line of sessionLogRaw.split("\n")) {
+    if (!line.trim()) continue;
+    let row = null;
+    try {
+      row = JSON.parse(line);
+    } catch {
+      continue;
+    }
+    if (row.type === "turn_context") {
+      const p = asRecord5(row.payload);
+      currentTurnId = readNonEmptyString(p?.turn_id) || currentTurnId;
+      continue;
+    }
+    if (row.type === "event_msg") {
+      const p = asRecord5(row.payload);
+      if (p?.type === "task_started") {
+        currentTurnId = readNonEmptyString(p.turn_id) || currentTurnId;
+      }
+      continue;
+    }
+    if (row.type !== "response_item" || !currentTurnId || !turnIdsToRevert.has(currentTurnId)) continue;
+    const payload = asRecord5(row.payload);
+    if (!payload) continue;
+    let info = infoByTurnId.get(currentTurnId);
+    if (!info) {
+      info = { patchInputs: [], commandFilePaths: [] };
+      infoByTurnId.set(currentTurnId, info);
+    }
+    if (payload.type === "custom_tool_call" && payload.name === "apply_patch" && payload.status === "completed") {
+      const input = typeof payload.input === "string" ? payload.input : "";
+      const callId = readNonEmptyString(payload.call_id);
+      if (input && callId) {
+        info.patchInputs.push({ callId, input });
+      }
+    }
+    if (payload.type === "function_call" && payload.name === "exec_command") {
+      let cmd = "";
+      try {
+        const args = JSON.parse(payload.arguments);
+        cmd = typeof args.cmd === "string" ? args.cmd : "";
+      } catch {
+      }
+      if (cmd) {
+        const extracted = extractFilePathsFromCommand(cmd, cwd);
+        for (const p of extracted) {
+          if (!info.commandFilePaths.includes(p)) info.commandFilePaths.push(p);
+        }
+      }
+    }
+  }
+  return infoByTurnId;
+}
+function reverseV4aDiff(fileContent, diffText) {
+  const fileLines = fileContent.split("\n");
+  const rawDiffLines = diffText.split("\n");
+  while (rawDiffLines.length > 0 && rawDiffLines[rawDiffLines.length - 1]?.trim() === "") rawDiffLines.pop();
+  const diffLines = rawDiffLines;
+  const result = [...fileLines];
+  const hunks = [];
+  let currentHunk = null;
+  for (const dl of diffLines) {
+    if (dl.startsWith("@@")) {
+      if (currentHunk) hunks.push(currentHunk);
+      currentHunk = [];
+      continue;
+    }
+    if (!currentHunk) continue;
+    if (dl.startsWith("+")) {
+      currentHunk.push({ type: "add", text: dl.slice(1) });
+    } else if (dl.startsWith("-")) {
+      currentHunk.push({ type: "remove", text: dl.slice(1) });
+    } else if (dl.startsWith(" ")) {
+      currentHunk.push({ type: "context", text: dl.slice(1) });
+    } else {
+      currentHunk.push({ type: "context", text: dl });
+    }
+  }
+  if (currentHunk) hunks.push(currentHunk);
+  for (let hi = hunks.length - 1; hi >= 0; hi--) {
+    const hunk = hunks[hi];
+    const expectedSequence = hunk.filter((e) => e.type === "context" || e.type === "add").map((e) => e.text);
+    if (expectedSequence.length === 0) continue;
+    let seqStart = -1;
+    outer: for (let ri = result.length - expectedSequence.length; ri >= 0; ri--) {
+      for (let si = 0; si < expectedSequence.length; si++) {
+        if (result[ri + si] !== expectedSequence[si]) continue outer;
+      }
+      seqStart = ri;
+      break;
+    }
+    if (seqStart < 0) return null;
+    const newLines = [];
+    let seqIdx = 0;
+    for (const entry of hunk) {
+      if (entry.type === "context") {
+        newLines.push(result[seqStart + seqIdx]);
+        seqIdx++;
+      } else if (entry.type === "add") {
+        seqIdx++;
+      } else if (entry.type === "remove") {
+        newLines.push(entry.text);
+      }
+    }
+    result.splice(seqStart, expectedSequence.length, ...newLines);
+  }
+  return result.join("\n");
+}
+async function revertTurnFileChanges(cwd, turnInfos) {
+  if (turnInfos.size === 0) return { reverted: 0, errors: [] };
+  let reverted = 0;
+  const errors = [];
+  const allEntries = [...turnInfos.values()];
+  const allPatchInputs = allEntries.flatMap((info) => info.patchInputs).reverse();
+  const allCommandPaths = new Set(allEntries.flatMap((info) => info.commandFilePaths));
+  let isGitRepo = false;
+  let gitRoot = "";
+  try {
+    gitRoot = await runCommandCapture2("git", ["rev-parse", "--show-toplevel"], { cwd });
+    isGitRepo = !!gitRoot;
+  } catch {
+  }
+  const trackedFiles = /* @__PURE__ */ new Set();
+  if (isGitRepo) {
+    try {
+      const tracked = await runCommandCapture2("git", ["ls-files", "--full-name"], { cwd: gitRoot });
+      for (const f of tracked.split("\n")) {
+        if (f.trim()) trackedFiles.add(join5(gitRoot, f.trim()));
+      }
+    } catch {
+    }
+  }
+  const patchRevertedPaths = /* @__PURE__ */ new Set();
+  for (const patch of allPatchInputs) {
+    const changes = parseApplyPatchInput(patch.input);
+    for (let ci = changes.length - 1; ci >= 0; ci--) {
+      const change = changes[ci];
+      const filePath = isAbsolute2(change.path) ? change.path : join5(cwd, change.path);
+      try {
+        if (change.operation === "add") {
+          const fileStat = await stat4(filePath).catch(() => null);
+          if (fileStat) {
+            await rm4(filePath, { force: true });
+            reverted++;
+            patchRevertedPaths.add(filePath);
+          }
+        } else if (change.operation === "update" && change.diff) {
+          let reversed = false;
+          try {
+            const currentContent = await readFile3(filePath, "utf8");
+            const newContent = reverseV4aDiff(currentContent, change.diff);
+            if (newContent !== null && newContent !== currentContent) {
+              const { writeFile: writeFile7 } = await import("fs/promises");
+              await writeFile7(filePath, newContent);
+              reverted++;
+              patchRevertedPaths.add(filePath);
+              reversed = true;
+            }
+          } catch {
+          }
+          if (!reversed) {
+            const isTracked = trackedFiles.has(filePath);
+            if (isTracked && isGitRepo) {
+              const relativePath = filePath.startsWith(gitRoot + "/") ? filePath.slice(gitRoot.length + 1) : filePath;
+              try {
+                await runCommand3("git", ["checkout", "HEAD", "--", relativePath], { cwd: gitRoot });
+                reverted++;
+                patchRevertedPaths.add(filePath);
+              } catch {
+                errors.push(`Could not revert: ${filePath}`);
+              }
+            } else {
+              errors.push(`Could not reverse patch for untracked file: ${filePath}`);
+            }
+          }
+        } else if (change.operation === "delete") {
+          const isTracked = trackedFiles.has(filePath);
+          if (isTracked && isGitRepo) {
+            const relativePath = filePath.startsWith(gitRoot + "/") ? filePath.slice(gitRoot.length + 1) : filePath;
+            try {
+              await runCommand3("git", ["checkout", "HEAD", "--", relativePath], { cwd: gitRoot });
+              reverted++;
+              patchRevertedPaths.add(filePath);
+            } catch {
+              errors.push(`Could not restore deleted file: ${filePath}`);
+            }
+          }
+        }
+      } catch (err) {
+        errors.push(`Failed to revert patch for ${filePath}: ${err instanceof Error ? err.message : String(err)}`);
+      }
+    }
+  }
+  for (const filePath of allCommandPaths) {
+    if (patchRevertedPaths.has(filePath)) continue;
+    const isTracked = trackedFiles.has(filePath);
+    if (isTracked && isGitRepo) {
+      const relativePath = filePath.startsWith(gitRoot + "/") ? filePath.slice(gitRoot.length + 1) : filePath;
+      try {
+        await runCommand3("git", ["checkout", "HEAD", "--", relativePath], { cwd: gitRoot });
+        reverted++;
+      } catch {
+        errors.push(`Could not restore command-modified file: ${filePath}`);
+      }
+    }
+  }
+  return { reverted, errors };
+}
+function mergeSessionCommandsIntoTurns(turns, sessionLogRaw) {
+  const turnIds = /* @__PURE__ */ new Set();
+  for (const turn of turns) {
+    const turnRecord = asRecord5(turn);
+    const turnId = readNonEmptyString(turnRecord?.id);
+    if (turnId) turnIds.add(turnId);
+  }
+  if (turnIds.size === 0) return turns;
+  const orderByTurnId = buildSessionItemOrder(sessionLogRaw, turnIds);
+  if (orderByTurnId.size === 0) return turns;
+  return turns.map((turn) => {
+    const turnRecord = asRecord5(turn);
+    if (!turnRecord) return turn;
+    const turnId = readNonEmptyString(turnRecord.id);
+    if (!turnId) return turn;
+    const slots = orderByTurnId.get(turnId);
+    if (!slots || slots.length === 0) return turn;
+    const existingItems = Array.isArray(turnRecord.items) ? turnRecord.items : [];
+    const alreadyHasRecoveredItems = existingItems.some((it) => it.type === "commandExecution" || it.type === "fileChange");
+    if (alreadyHasRecoveredItems) return turn;
+    const agentMessages = existingItems.filter((it) => it.type === "agentMessage");
+    const nonAgentNonUserItems = existingItems.filter((it) => it.type !== "agentMessage" && it.type !== "userMessage");
+    const userMessages = existingItems.filter((it) => it.type === "userMessage");
+    let agentIdx = 0;
+    const interleaved = [...userMessages];
+    for (const slot of slots) {
+      if (slot.type === "agentMessage") {
+        if (agentIdx < agentMessages.length) {
+          interleaved.push(agentMessages[agentIdx]);
+          agentIdx++;
+        }
+      } else if (slot.type === "commandExecution" && slot.command) {
+        interleaved.push(slot.command);
+      } else if (slot.type === "fileChange" && slot.fileChange) {
+        interleaved.push(slot.fileChange);
+      }
+    }
+    while (agentIdx < agentMessages.length) {
+      interleaved.push(agentMessages[agentIdx]);
+      agentIdx++;
+    }
+    interleaved.push(...nonAgentNonUserItems);
+    return {
+      ...turnRecord,
+      items: interleaved
+    };
+  });
+}
 function isExactPhraseMatch(query, doc) {
   const q = query.trim().toLowerCase();
   if (!q) return false;
@@ -4043,6 +4705,21 @@ async function runCommandCapture2(command, args, options = {}) {
     });
   });
 }
+function normalizeBranchRefName(value) {
+  const trimmed = value.trim();
+  if (!trimmed) return "";
+  if (trimmed.startsWith("refs/heads/")) return trimmed.slice("refs/heads/".length);
+  if (trimmed.startsWith("refs/remotes/")) return trimmed.slice("refs/remotes/".length);
+  return trimmed;
+}
+function extractBranchLockedWorktreePath(error, branchName) {
+  const message = getErrorMessage5(error, "");
+  if (!message || !branchName) return "";
+  const escapedBranch = branchName.replace(/[.*+?^${}()|[\]\\]/gu, "\\$&");
+  const pattern = new RegExp(`'${escapedBranch}' is already checked out at '([^']+)'`, "u");
+  const match = pattern.exec(message);
+  return match?.[1]?.trim() ?? "";
+}
 function normalizeStringArray(value) {
   if (!Array.isArray(value)) return [];
   const normalized = [];
@@ -4088,6 +4765,7 @@ function getCodexSessionIndexPath() {
 }
 var MAX_THREAD_TITLES = 500;
 var EMPTY_THREAD_TITLE_CACHE = { titles: {}, order: [] };
+var PINNED_THREAD_IDS_KEY = "pinned-thread-ids";
 var sessionIndexThreadTitleCacheState = {
   fileSignature: null,
   cache: EMPTY_THREAD_TITLE_CACHE
@@ -4105,6 +4783,9 @@ function normalizeThreadTitleCache(value) {
   const order = normalizeStringArray(record.order);
   return { titles, order };
 }
+function normalizePinnedThreadIds(value) {
+  return normalizeStringArray(value);
+}
 function updateThreadTitleCache(cache, id, title) {
   const titles = { ...cache.titles, [id]: title };
   const order = [id, ...cache.order.filter((o) => o !== id)];
@@ -4169,7 +4850,29 @@ async function readThreadTitleCache() {
     return EMPTY_THREAD_TITLE_CACHE;
   }
 }
-async function writeThreadTitleCache(cache) {
+async function writeThreadTitleCache(cache) {
+  const statePath = getCodexGlobalStatePath();
+  let payload = {};
+  try {
+    const raw = await readFile3(statePath, "utf8");
+    payload = asRecord5(JSON.parse(raw)) ?? {};
+  } catch {
+    payload = {};
+  }
+  payload["thread-titles"] = cache;
+  await writeFile4(statePath, JSON.stringify(payload), "utf8");
+}
+async function readPinnedThreadIds() {
+  const statePath = getCodexGlobalStatePath();
+  try {
+    const raw = await readFile3(statePath, "utf8");
+    const payload = asRecord5(JSON.parse(raw)) ?? {};
+    return normalizePinnedThreadIds(payload[PINNED_THREAD_IDS_KEY]);
+  } catch {
+    return [];
+  }
+}
+async function writePinnedThreadIds(threadIds) {
   const statePath = getCodexGlobalStatePath();
   let payload = {};
   try {
@@ -4178,7 +4881,7 @@ async function writeThreadTitleCache(cache) {
   } catch {
     payload = {};
   }
-  payload["thread-titles"] = cache;
+  payload[PINNED_THREAD_IDS_KEY] = normalizePinnedThreadIds(threadIds);
   await writeFile4(statePath, JSON.stringify(payload), "utf8");
 }
 function getSessionIndexFileSignature(stats) {
@@ -4445,33 +5148,40 @@ function curlImpersonatePost(url, headers, body) {
   });
 }
 async function proxyTranscribe(body, contentType, authToken, accountId) {
-  const chatgptHeaders = {
-    "Content-Type": contentType,
-    "Content-Length": body.length,
-    Authorization: `Bearer ${authToken}`,
-    originator: "Codex Desktop",
-    "User-Agent": `Codex Desktop/0.1.0 (${process.platform}; ${process.arch})`
-  };
-  if (accountId) chatgptHeaders["ChatGPT-Account-Id"] = accountId;
-  const postFn = curlImpersonateAvailable !== false ? curlImpersonatePost : httpPost;
-  let result;
-  try {
-    result = await postFn("https://chatgpt.com/backend-api/transcribe", chatgptHeaders, body);
-  } catch {
-    result = await httpPost("https://chatgpt.com/backend-api/transcribe", chatgptHeaders, body);
-  }
-  if (result.status === 403 && result.body.includes("cf_chl")) {
-    if (curlImpersonateAvailable !== false && postFn !== curlImpersonatePost) {
-      try {
-        const ciResult = await curlImpersonatePost("https://chatgpt.com/backend-api/transcribe", chatgptHeaders, body);
-        if (ciResult.status !== 403) return ciResult;
-      } catch {
+  return Sentry4.startSpan({ name: "proxyTranscribe", op: "http.client.transcribe" }, async () => {
+    const chatgptHeaders = {
+      "Content-Type": contentType,
+      "Content-Length": body.length,
+      Authorization: `Bearer ${authToken}`,
+      originator: "Codex Desktop",
+      "User-Agent": `Codex Desktop/0.1.0 (${process.platform}; ${process.arch})`
+    };
+    if (accountId) chatgptHeaders["ChatGPT-Account-Id"] = accountId;
+    const postFn = curlImpersonateAvailable !== false ? curlImpersonatePost : httpPost;
+    let result;
+    try {
+      result = await postFn("https://chatgpt.com/backend-api/transcribe", chatgptHeaders, body);
+    } catch {
+      result = await httpPost("https://chatgpt.com/backend-api/transcribe", chatgptHeaders, body);
+    }
+    if (result.status === 403 && result.body.includes("cf_chl")) {
+      if (curlImpersonateAvailable !== false && postFn !== curlImpersonatePost) {
+        try {
+          const ciResult = await curlImpersonatePost("https://chatgpt.com/backend-api/transcribe", chatgptHeaders, body);
+          if (ciResult.status !== 403) return ciResult;
+        } catch {
+        }
       }
+      return { status: 503, body: JSON.stringify({ error: "Transcription blocked by Cloudflare. Install curl-impersonate-chrome." }) };
     }
-    return { status: 503, body: JSON.stringify({ error: "Transcription blocked by Cloudflare. Install curl-impersonate-chrome." }) };
-  }
-  return result;
+    return result;
+  });
 }
+var STREAM_EVENT_BUFFER_LIMIT = 400;
+var MERGEABLE_ITEM_TYPES = /* @__PURE__ */ new Set([
+  "commandExecution",
+  "fileChange"
+]);
 var AppServerProcess = class {
   constructor() {
     this.process = null;
@@ -4483,13 +5193,11 @@ var AppServerProcess = class {
     this.pending = /* @__PURE__ */ new Map();
     this.notificationListeners = /* @__PURE__ */ new Set();
     this.pendingServerRequests = /* @__PURE__ */ new Map();
-    this.appServerArgs = [
-      "app-server",
-      "-c",
-      'approval_policy="never"',
-      "-c",
-      'sandbox_mode="danger-full-access"'
-    ];
+    this.appServerArgs = buildAppServerArgs();
+    this.streamEventsByThreadId = /* @__PURE__ */ new Map();
+    this.lastThreadReadSnapshotByThreadId = /* @__PURE__ */ new Map();
+    this.capturedItemsByThreadId = /* @__PURE__ */ new Map();
+    this.liveStateCache = /* @__PURE__ */ new Map();
   }
   getCodexCommand() {
     const codexCommand = resolveCodexCommand();
@@ -4573,10 +5281,128 @@ var AppServerProcess = class {
     }
   }
   emitNotification(notification) {
+    this.recordStreamEvent(notification);
+    this.captureItemFromNotification(notification);
+    const nThreadId = this.extractThreadIdFromParams(notification.params);
+    if (nThreadId) this.invalidateLiveStateCache(nThreadId);
     for (const listener of this.notificationListeners) {
       listener(notification);
     }
   }
+  extractThreadIdFromParams(params) {
+    const record = asRecord5(params);
+    if (!record) return "";
+    const threadId = (typeof record.threadId === "string" ? record.threadId : "") || (typeof record.thread_id === "string" ? record.thread_id : "") || (typeof record.conversationId === "string" ? record.conversationId : "") || (typeof record.conversation_id === "string" ? record.conversation_id : "");
+    if (threadId) return threadId;
+    const thread = asRecord5(record.thread);
+    if (thread && typeof thread.id === "string") return thread.id;
+    const turn = asRecord5(record.turn);
+    if (turn) {
+      const turnThreadId = (typeof turn.threadId === "string" ? turn.threadId : "") || (typeof turn.thread_id === "string" ? turn.thread_id : "");
+      if (turnThreadId) return turnThreadId;
+    }
+    return "";
+  }
+  recordStreamEvent(notification) {
+    const threadId = this.extractThreadIdFromParams(notification.params);
+    if (!threadId) return;
+    const frame = {
+      method: notification.method,
+      params: notification.params,
+      atIso: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    let buffer = this.streamEventsByThreadId.get(threadId);
+    if (!buffer) {
+      buffer = [];
+      this.streamEventsByThreadId.set(threadId, buffer);
+    }
+    buffer.push(frame);
+    if (buffer.length > STREAM_EVENT_BUFFER_LIMIT) {
+      buffer.splice(0, buffer.length - STREAM_EVENT_BUFFER_LIMIT);
+    }
+  }
+  getStreamEvents(threadId, limit) {
+    const buffer = this.streamEventsByThreadId.get(threadId);
+    if (!buffer || buffer.length === 0) return [];
+    return buffer.slice(-limit);
+  }
+  storeThreadReadSnapshot(threadId, snapshot) {
+    this.lastThreadReadSnapshotByThreadId.set(threadId, snapshot);
+  }
+  getLastThreadReadSnapshot(threadId) {
+    return this.lastThreadReadSnapshotByThreadId.get(threadId) ?? null;
+  }
+  cacheLiveState(threadId, data, turnCount, sessionSize) {
+    this.liveStateCache.set(threadId, { data, turnCount, sessionSize });
+  }
+  getCachedLiveState(threadId, turnCount, sessionSize) {
+    const cached = this.liveStateCache.get(threadId);
+    if (!cached) return null;
+    if (cached.turnCount !== turnCount || cached.sessionSize !== sessionSize) return null;
+    return cached.data;
+  }
+  invalidateLiveStateCache(threadId) {
+    this.liveStateCache.delete(threadId);
+  }
+  captureItemFromNotification(notification) {
+    if (notification.method !== "item/started" && notification.method !== "item/completed") return;
+    const params = asRecord5(notification.params);
+    if (!params) return;
+    const item = asRecord5(params.item);
+    if (!item) return;
+    const itemType = typeof item.type === "string" ? item.type : "";
+    if (!MERGEABLE_ITEM_TYPES.has(itemType)) return;
+    const itemId = typeof item.id === "string" ? item.id : "";
+    if (!itemId) return;
+    const threadId = this.extractThreadIdFromParams(params);
+    if (!threadId) return;
+    const turnId = (typeof params.turnId === "string" ? params.turnId : "") || (typeof params.turn_id === "string" ? params.turn_id : "");
+    if (!turnId) return;
+    let threadItems = this.capturedItemsByThreadId.get(threadId);
+    if (!threadItems) {
+      threadItems = /* @__PURE__ */ new Map();
+      this.capturedItemsByThreadId.set(threadId, threadItems);
+    }
+    const isCompleted = notification.method === "item/completed";
+    const existing = threadItems.get(itemId);
+    if (existing && existing.completed && !isCompleted) return;
+    threadItems.set(itemId, {
+      id: itemId,
+      type: itemType,
+      turnId,
+      data: item,
+      completed: isCompleted
+    });
+  }
+  mergeItemsIntoTurns(threadId, turns) {
+    const capturedMap = this.capturedItemsByThreadId.get(threadId);
+    if (!capturedMap || capturedMap.size === 0) return turns;
+    const itemsByTurnId = /* @__PURE__ */ new Map();
+    for (const captured of capturedMap.values()) {
+      let group = itemsByTurnId.get(captured.turnId);
+      if (!group) {
+        group = [];
+        itemsByTurnId.set(captured.turnId, group);
+      }
+      group.push(captured);
+    }
+    return turns.map((turn) => {
+      const turnRecord = asRecord5(turn);
+      if (!turnRecord) return turn;
+      const turnId = typeof turnRecord.id === "string" ? turnRecord.id : "";
+      if (!turnId) return turn;
+      const captured = itemsByTurnId.get(turnId);
+      if (!captured || captured.length === 0) return turn;
+      const existingItems = Array.isArray(turnRecord.items) ? turnRecord.items : [];
+      const existingIds = new Set(existingItems.map((it) => typeof it.id === "string" ? it.id : "").filter(Boolean));
+      const newItems = captured.filter((c) => !existingIds.has(c.id)).map((c) => c.data);
+      if (newItems.length === 0) return turn;
+      return {
+        ...turnRecord,
+        items: [...existingItems, ...newItems]
+      };
+    });
+  }
   sendServerRequestReply(requestId, reply) {
     if (reply.error) {
       this.sendLine({
@@ -4665,7 +5491,7 @@ var AppServerProcess = class {
   }
   async rpc(method, params) {
     await this.ensureInitialized();
-    return this.call(method, params);
+    return Sentry4.startSpan({ name: `rpc ${method}`, op: "rpc.codex" }, () => this.call(method, params));
   }
   onNotification(listener) {
     this.notificationListeners.add(listener);
@@ -4850,59 +5676,62 @@ function getSharedBridgeState() {
   return created;
 }
 async function loadAllThreadsForSearch(appServer) {
-  const threads = [];
-  let cursor = null;
-  do {
-    const response = asRecord5(await appServer.rpc("thread/list", {
-      archived: false,
-      limit: 100,
-      sortKey: "updated_at",
-      cursor
-    }));
-    const data = Array.isArray(response?.data) ? response.data : [];
-    for (const row of data) {
-      const record = asRecord5(row);
-      const id = typeof record?.id === "string" ? record.id : "";
-      if (!id) continue;
-      const title = typeof record?.name === "string" && record.name.trim().length > 0 ? record.name.trim() : typeof record?.preview === "string" && record.preview.trim().length > 0 ? record.preview.trim() : "Untitled thread";
-      const preview = typeof record?.preview === "string" ? record.preview : "";
-      threads.push({ id, title, preview });
-    }
-    cursor = typeof response?.nextCursor === "string" && response.nextCursor.length > 0 ? response.nextCursor : null;
-  } while (cursor);
-  const docs = [];
-  const concurrency = 4;
-  for (let offset = 0; offset < threads.length; offset += concurrency) {
-    const batch = threads.slice(offset, offset + concurrency);
-    const loaded = await Promise.all(batch.map(async (thread) => {
-      try {
-        const readResponse = await appServer.rpc("thread/read", {
-          threadId: thread.id,
-          includeTurns: true
-        });
-        const messageText = extractThreadMessageText(readResponse);
-        const searchableText = [thread.title, thread.preview, messageText].filter(Boolean).join("\n");
-        return {
-          id: thread.id,
-          title: thread.title,
-          preview: thread.preview,
-          messageText,
-          searchableText
-        };
-      } catch {
-        const searchableText = [thread.title, thread.preview].filter(Boolean).join("\n");
-        return {
-          id: thread.id,
-          title: thread.title,
-          preview: thread.preview,
-          messageText: "",
-          searchableText
-        };
-      }
-    }));
-    docs.push(...loaded);
-  }
-  return docs;
+  return Sentry4.startSpan({ name: "loadAllThreadsForSearch", op: "search.index" }, async () => {
+    const threads = [];
+    let cursor = null;
+    do {
+      const response = asRecord5(await appServer.rpc("thread/list", {
+        archived: false,
+        limit: 100,
+        sortKey: "updated_at",
+        modelProviders: [],
+        cursor
+      }));
+      const data = Array.isArray(response?.data) ? response.data : [];
+      for (const row of data) {
+        const record = asRecord5(row);
+        const id = typeof record?.id === "string" ? record.id : "";
+        if (!id) continue;
+        const title = typeof record?.name === "string" && record.name.trim().length > 0 ? record.name.trim() : typeof record?.preview === "string" && record.preview.trim().length > 0 ? record.preview.trim() : "Untitled thread";
+        const preview = typeof record?.preview === "string" ? record.preview : "";
+        threads.push({ id, title, preview });
+      }
+      cursor = typeof response?.nextCursor === "string" && response.nextCursor.length > 0 ? response.nextCursor : null;
+    } while (cursor);
+    const docs = [];
+    const concurrency = 4;
+    for (let offset = 0; offset < threads.length; offset += concurrency) {
+      const batch = threads.slice(offset, offset + concurrency);
+      const loaded = await Promise.all(batch.map(async (thread) => {
+        try {
+          const readResponse = await appServer.rpc("thread/read", {
+            threadId: thread.id,
+            includeTurns: true
+          });
+          const messageText = extractThreadMessageText(readResponse);
+          const searchableText = [thread.title, thread.preview, messageText].filter(Boolean).join("\n");
+          return {
+            id: thread.id,
+            title: thread.title,
+            preview: thread.preview,
+            messageText,
+            searchableText
+          };
+        } catch {
+          const searchableText = [thread.title, thread.preview].filter(Boolean).join("\n");
+          return {
+            id: thread.id,
+            title: thread.title,
+            preview: thread.preview,
+            messageText: "",
+            searchableText
+          };
+        }
+      }));
+      docs.push(...loaded);
+    }
+    return docs;
+  });
 }
 async function buildThreadSearchIndex(appServer) {
   const docs = await loadAllThreadsForSearch(appServer);
@@ -4939,6 +5768,23 @@ function createCodexBridgeMiddleware() {
         return;
       }
       const url = new URL(req.url, "http://localhost");
+      if (!url.pathname.startsWith("/codex-api/")) {
+        next();
+        return;
+      }
+      await Sentry4.startSpan(
+        { name: `${req.method ?? "GET"} ${url.pathname}`, op: "http.server" },
+        () => routeRequest(req, res, url, next)
+      );
+    } catch (error) {
+      Sentry4.captureException(error);
+      if (!res.headersSent) {
+        setJson4(res, 500, { error: "Internal server error" });
+      }
+    }
+  };
+  async function routeRequest(req, res, url, next) {
+    try {
       if (await handleAccountRoutes(req, res, url, { appServer })) {
         return;
       }
@@ -4948,6 +5794,12 @@ function createCodexBridgeMiddleware() {
       if (await handleReviewRoutes(req, res, url, { readJsonBody })) {
         return;
       }
+      if (req.method === "GET" && url.pathname === "/codex-api/sentry-config") {
+        const enabled = !process.argv.includes("--no-sentry");
+        const auth = await readCodexAuth();
+        setJson4(res, 200, { enabled, accountId: auth?.accountId ?? null });
+        return;
+      }
       if (req.method === "POST" && url.pathname === "/codex-api/upload-file") {
         handleFileUpload(req, res);
         return;
@@ -4960,7 +5812,16 @@ function createCodexBridgeMiddleware() {
           return;
         }
         const rpcResult = await appServer.rpc(body.method, body.params ?? null);
-        const result = trimThreadTurnsInRpcResult(body.method, rpcResult);
+        const trimmedResult = trimThreadTurnsInRpcResult(body.method, rpcResult);
+        const result = await sanitizeThreadTurnsInlinePayloads(body.method, trimmedResult);
+        if (THREAD_METHODS_WITH_TURNS.has(body.method)) {
+          const rpcRecord = asRecord5(result);
+          const rpcThread = asRecord5(rpcRecord?.thread);
+          const rpcThreadId = typeof rpcThread?.id === "string" ? rpcThread.id : "";
+          if (rpcThreadId) {
+            appServer.storeThreadReadSnapshot(rpcThreadId, result);
+          }
+        }
         setJson4(res, 200, { result });
         return;
       }
@@ -4970,22 +5831,175 @@ function createCodexBridgeMiddleware() {
           setJson4(res, 400, { error: "Missing threadId" });
           return;
         }
-        const threadReadResult = await appServer.rpc("thread/read", {
-          threadId,
-          includeTurns: true
+        await Sentry4.startSpan({ name: "thread-file-change-fallback", op: "file.session" }, async () => {
+          const threadReadResult = await appServer.rpc("thread/read", {
+            threadId,
+            includeTurns: true
+          });
+          const threadReadRecord = asRecord5(threadReadResult);
+          const threadRecord = asRecord5(threadReadRecord?.thread);
+          const sessionPath = readNonEmptyString(threadRecord?.path);
+          if (!sessionPath || !isAbsolute2(sessionPath)) {
+            setJson4(res, 200, { data: [] });
+            return;
+          }
+          try {
+            const sessionLogRaw = await readFile3(sessionPath, "utf8");
+            setJson4(res, 200, { data: buildSessionFileChangeFallback(threadReadResult, sessionLogRaw) });
+          } catch {
+            setJson4(res, 200, { data: [] });
+          }
         });
-        const threadReadRecord = asRecord5(threadReadResult);
-        const threadRecord = asRecord5(threadReadRecord?.thread);
-        const sessionPath = readNonEmptyString(threadRecord?.path);
-        if (!sessionPath || !isAbsolute2(sessionPath)) {
-          setJson4(res, 200, { data: [] });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/codex-api/thread-stream-events") {
+        const threadId = url.searchParams.get("threadId")?.trim() ?? "";
+        const limitRaw = url.searchParams.get("limit")?.trim() ?? "80";
+        const limit = Math.max(1, Math.min(400, Number.parseInt(limitRaw, 10) || 80));
+        if (!threadId) {
+          setJson4(res, 400, { error: "Missing threadId" });
+          return;
+        }
+        const events = appServer.getStreamEvents(threadId, limit);
+        setJson4(res, 200, { events });
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/codex-api/thread-live-state") {
+        const threadId = url.searchParams.get("threadId")?.trim() ?? "";
+        if (!threadId) {
+          setJson4(res, 400, { error: "Missing threadId" });
           return;
         }
         try {
-          const sessionLogRaw = await readFile3(sessionPath, "utf8");
-          setJson4(res, 200, { data: buildSessionFileChangeFallback(threadReadResult, sessionLogRaw) });
-        } catch {
-          setJson4(res, 200, { data: [] });
+          const threadReadResult = await appServer.rpc("thread/read", {
+            threadId,
+            includeTurns: true
+          });
+          const sanitized = await sanitizeThreadTurnsInlinePayloads("thread/read", threadReadResult);
+          appServer.storeThreadReadSnapshot(threadId, sanitized);
+          const record = asRecord5(sanitized);
+          const thread = asRecord5(record?.thread);
+          const rawTurns = Array.isArray(thread?.turns) ? thread.turns : [];
+          const sessionPath = readNonEmptyString(thread?.path);
+          let sessionSize = 0;
+          if (sessionPath && isAbsolute2(sessionPath)) {
+            try {
+              const s = await stat4(sessionPath);
+              sessionSize = s.size;
+            } catch {
+            }
+          }
+          const cached = appServer.getCachedLiveState(threadId, rawTurns.length, sessionSize);
+          if (cached) {
+            setJson4(res, 200, cached);
+            return;
+          }
+          let turns = appServer.mergeItemsIntoTurns(threadId, rawTurns);
+          if (sessionPath && isAbsolute2(sessionPath) && sessionSize > 0) {
+            try {
+              const sessionLogRaw = await readFile3(sessionPath, "utf8");
+              turns = mergeSessionCommandsIntoTurns(turns, sessionLogRaw);
+            } catch {
+            }
+          }
+          const lastTurn = turns.length > 0 ? asRecord5(turns[turns.length - 1]) : null;
+          const isInProgress = lastTurn?.status === "inProgress";
+          const responseData = {
+            threadId,
+            conversationState: {
+              turns
+            },
+            ownerClientId: null,
+            liveStateError: null,
+            isInProgress
+          };
+          if (!isInProgress) {
+            appServer.cacheLiveState(threadId, responseData, rawTurns.length, sessionSize);
+          }
+          setJson4(res, 200, responseData);
+        } catch (error) {
+          const snapshot = appServer.getLastThreadReadSnapshot(threadId);
+          if (snapshot) {
+            const record = asRecord5(snapshot);
+            const thread = asRecord5(record?.thread);
+            const rawTurns = Array.isArray(thread?.turns) ? thread.turns : [];
+            const turns = appServer.mergeItemsIntoTurns(threadId, rawTurns);
+            setJson4(res, 200, {
+              threadId,
+              conversationState: { turns },
+              ownerClientId: null,
+              liveStateError: {
+                kind: "readFailed",
+                message: getErrorMessage5(error, "thread/read failed")
+              },
+              isInProgress: false
+            });
+          } else {
+            setJson4(res, 200, {
+              threadId,
+              conversationState: null,
+              ownerClientId: null,
+              liveStateError: {
+                kind: "readFailed",
+                message: getErrorMessage5(error, "thread/read failed")
+              },
+              isInProgress: false
+            });
+          }
+        }
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/codex-api/thread/rollback-files") {
+        try {
+          const body = asRecord5(await readJsonBody(req));
+          const threadId = readNonEmptyString(body?.threadId);
+          const turnId = readNonEmptyString(body?.turnId);
+          const cwd = readNonEmptyString(body?.cwd);
+          if (!threadId || !turnId || !cwd) {
+            setJson4(res, 400, { error: "Missing threadId, turnId, or cwd" });
+            return;
+          }
+          const threadReadResult = await appServer.rpc("thread/read", { threadId, includeTurns: true });
+          const record = asRecord5(threadReadResult);
+          const thread = asRecord5(record?.thread);
+          const turns = Array.isArray(thread?.turns) ? thread.turns : [];
+          const sessionPath = readNonEmptyString(thread?.path);
+          if (!sessionPath || !isAbsolute2(sessionPath)) {
+            setJson4(res, 200, { reverted: 0, errors: [], message: "No session log available" });
+            return;
+          }
+          let foundTurnIndex = -1;
+          const turnIdsToRevert = /* @__PURE__ */ new Set();
+          for (let i = 0; i < turns.length; i++) {
+            const turnRecord = asRecord5(turns[i]);
+            const id = readNonEmptyString(turnRecord?.id);
+            if (id === turnId) {
+              foundTurnIndex = i;
+            }
+            if (foundTurnIndex >= 0 && id) {
+              turnIdsToRevert.add(id);
+            }
+          }
+          if (turnIdsToRevert.size === 0) {
+            setJson4(res, 200, { reverted: 0, errors: [], message: "No turns to revert" });
+            return;
+          }
+          let sessionLogRaw;
+          try {
+            sessionLogRaw = await readFile3(sessionPath, "utf8");
+          } catch {
+            setJson4(res, 200, { reverted: 0, errors: ["Could not read session log"], message: "Session log unreadable" });
+            return;
+          }
+          const turnInfos = collectFileChangesForTurns(sessionLogRaw, turnIdsToRevert, cwd);
+          if (turnInfos.size === 0) {
+            setJson4(res, 200, { reverted: 0, errors: [], message: "No file changes to revert" });
+            return;
+          }
+          const result = await revertTurnFileChanges(cwd, turnInfos);
+          setJson4(res, 200, { ...result, message: `Reverted ${result.reverted} file change(s)` });
+        } catch (error) {
+          setJson4(res, 500, { error: getErrorMessage5(error, "Failed to revert file changes") });
         }
         return;
       }
@@ -5053,6 +6067,7 @@ function createCodexBridgeMiddleware() {
       if (req.method === "POST" && url.pathname === "/codex-api/worktree/create") {
         const payload = asRecord5(await readJsonBody(req));
         const rawSourceCwd = typeof payload?.sourceCwd === "string" ? payload.sourceCwd.trim() : "";
+        const baseBranch = typeof payload?.baseBranch === "string" ? payload.baseBranch.trim() : "";
         if (!rawSourceCwd) {
           setJson4(res, 400, { error: "Missing sourceCwd" });
           return;
@@ -5099,19 +6114,19 @@ function createCodexBridgeMiddleware() {
           if (!worktreeId || !worktreeParent || !worktreeCwd) {
             throw new Error("Failed to allocate a unique worktree id");
           }
-          const branch = `codex/${worktreeId}`;
+          const startPoint = baseBranch || "HEAD";
           await mkdir4(worktreeParent, { recursive: true });
           try {
-            await runCommand3("git", ["worktree", "add", "-b", branch, worktreeCwd, "HEAD"], { cwd: gitRoot });
+            await runCommand3("git", ["worktree", "add", "--detach", worktreeCwd, startPoint], { cwd: gitRoot });
           } catch (error) {
             if (!isMissingHeadError2(error)) throw error;
             await ensureRepoHasInitialCommit(gitRoot);
-            await runCommand3("git", ["worktree", "add", "-b", branch, worktreeCwd, "HEAD"], { cwd: gitRoot });
+            await runCommand3("git", ["worktree", "add", "--detach", worktreeCwd, startPoint], { cwd: gitRoot });
           }
           setJson4(res, 200, {
             data: {
               cwd: worktreeCwd,
-              branch,
+              branch: null,
               gitRoot
             }
           });
@@ -5120,6 +6135,178 @@ function createCodexBridgeMiddleware() {
         }
         return;
       }
+      if (req.method === "GET" && url.pathname === "/codex-api/worktree/branches") {
+        const rawSourceCwd = (url.searchParams.get("sourceCwd") ?? "").trim();
+        if (!rawSourceCwd) {
+          setJson4(res, 400, { error: "Missing sourceCwd" });
+          return;
+        }
+        const sourceCwd = isAbsolute2(rawSourceCwd) ? rawSourceCwd : resolve2(rawSourceCwd);
+        try {
+          const sourceInfo = await stat4(sourceCwd);
+          if (!sourceInfo.isDirectory()) {
+            setJson4(res, 400, { error: "sourceCwd is not a directory" });
+            return;
+          }
+        } catch {
+          setJson4(res, 404, { error: "sourceCwd does not exist" });
+          return;
+        }
+        try {
+          let gitRoot = "";
+          try {
+            gitRoot = await runCommandCapture2("git", ["rev-parse", "--show-toplevel"], { cwd: sourceCwd });
+          } catch (error) {
+            if (!isNotGitRepositoryError2(error)) throw error;
+            setJson4(res, 200, { data: [] });
+            return;
+          }
+          const output = await runCommandCapture2(
+            "git",
+            ["for-each-ref", "--format=%(committerdate:unix)	%(refname)", "refs/heads", "refs/remotes"],
+            { cwd: gitRoot }
+          );
+          const branchActivityByName = /* @__PURE__ */ new Map();
+          for (const line of output.split("\n")) {
+            const [rawTimestamp = "", rawRefName = ""] = line.split("	");
+            const normalized = normalizeBranchRefName(rawRefName);
+            if (!normalized || normalized === "origin/HEAD") continue;
+            const parsedTimestamp = Number.parseInt(rawTimestamp.trim(), 10);
+            const timestamp = Number.isFinite(parsedTimestamp) ? parsedTimestamp : 0;
+            const current = branchActivityByName.get(normalized) ?? Number.MIN_SAFE_INTEGER;
+            if (timestamp > current) {
+              branchActivityByName.set(normalized, timestamp);
+            }
+          }
+          const branches = Array.from(branchActivityByName.entries()).map(([value]) => ({ value, label: value })).sort((a, b) => {
+            const aActivity = branchActivityByName.get(a.value) ?? 0;
+            const bActivity = branchActivityByName.get(b.value) ?? 0;
+            if (bActivity !== aActivity) return bActivity - aActivity;
+            return a.value.localeCompare(b.value);
+          });
+          setJson4(res, 200, { data: branches });
+        } catch (error) {
+          setJson4(res, 500, { error: getErrorMessage5(error, "Failed to list branches") });
+        }
+        return;
+      }
+      if (req.method === "GET" && url.pathname === "/codex-api/git/branches") {
+        const rawCwd = (url.searchParams.get("cwd") ?? "").trim();
+        if (!rawCwd) {
+          setJson4(res, 400, { error: "Missing cwd" });
+          return;
+        }
+        const cwd = isAbsolute2(rawCwd) ? rawCwd : resolve2(rawCwd);
+        try {
+          const cwdInfo = await stat4(cwd);
+          if (!cwdInfo.isDirectory()) {
+            setJson4(res, 400, { error: "cwd is not a directory" });
+            return;
+          }
+        } catch {
+          setJson4(res, 404, { error: "cwd does not exist" });
+          return;
+        }
+        try {
+          let gitRoot = "";
+          try {
+            gitRoot = await runCommandCapture2("git", ["rev-parse", "--show-toplevel"], { cwd });
+          } catch (error) {
+            if (!isNotGitRepositoryError2(error)) throw error;
+            setJson4(res, 200, {
+              data: {
+                currentBranch: null,
+                options: []
+              }
+            });
+            return;
+          }
+          const currentBranchRaw = await runCommandCapture2("git", ["branch", "--show-current"], { cwd: gitRoot });
+          const currentBranch = currentBranchRaw.trim() || null;
+          const output = await runCommandCapture2(
+            "git",
+            ["for-each-ref", "--format=%(committerdate:unix)	%(refname)", "refs/heads", "refs/remotes"],
+            { cwd: gitRoot }
+          );
+          const branchActivityByName = /* @__PURE__ */ new Map();
+          for (const line of output.split("\n")) {
+            const [rawTimestamp = "", rawRefName = ""] = line.split("	");
+            const normalized = normalizeBranchRefName(rawRefName);
+            if (!normalized || normalized === "origin/HEAD") continue;
+            const parsedTimestamp = Number.parseInt(rawTimestamp.trim(), 10);
+            const timestamp = Number.isFinite(parsedTimestamp) ? parsedTimestamp : 0;
+            const current = branchActivityByName.get(normalized) ?? Number.MIN_SAFE_INTEGER;
+            if (timestamp > current) {
+              branchActivityByName.set(normalized, timestamp);
+            }
+          }
+          if (currentBranch && !branchActivityByName.has(currentBranch)) {
+            branchActivityByName.set(currentBranch, Number.MAX_SAFE_INTEGER);
+          }
+          const options = Array.from(branchActivityByName.entries()).map(([value]) => ({ value, label: value })).sort((a, b) => {
+            const aActivity = branchActivityByName.get(a.value) ?? 0;
+            const bActivity = branchActivityByName.get(b.value) ?? 0;
+            if (bActivity !== aActivity) return bActivity - aActivity;
+            return a.value.localeCompare(b.value);
+          });
+          setJson4(res, 200, {
+            data: {
+              currentBranch,
+              options
+            }
+          });
+        } catch (error) {
+          setJson4(res, 500, { error: getErrorMessage5(error, "Failed to read Git branches") });
+        }
+        return;
+      }
+      if (req.method === "POST" && url.pathname === "/codex-api/git/checkout") {
+        const payload = await readJsonBody(req);
+        const record = asRecord5(payload);
+        if (!record) {
+          setJson4(res, 400, { error: "Invalid body: expected object" });
+          return;
+        }
+        const rawCwd = readNonEmptyString(record.cwd);
+        const targetBranch = readNonEmptyString(record.branch);
+        if (!rawCwd) {
+          setJson4(res, 400, { error: "Missing cwd" });
+          return;
+        }
+        if (!targetBranch) {
+          setJson4(res, 400, { error: "Missing branch" });
+          return;
+        }
+        const cwd = isAbsolute2(rawCwd) ? rawCwd : resolve2(rawCwd);
+        try {
+          const cwdInfo = await stat4(cwd);
+          if (!cwdInfo.isDirectory()) {
+            setJson4(res, 400, { error: "cwd is not a directory" });
+            return;
+          }
+        } catch {
+          setJson4(res, 404, { error: "cwd does not exist" });
+          return;
+        }
+        try {
+          const gitRoot = await runCommandCapture2("git", ["rev-parse", "--show-toplevel"], { cwd });
+          try {
+            await runCommand3("git", ["checkout", targetBranch], { cwd: gitRoot });
+          } catch (checkoutError) {
+            const blockingWorktreePath = extractBranchLockedWorktreePath(checkoutError, targetBranch);
+            if (!blockingWorktreePath) {
+              throw checkoutError;
+            }
+            await runCommand3("git", ["checkout", "--detach"], { cwd: blockingWorktreePath });
+            await runCommand3("git", ["checkout", targetBranch], { cwd: gitRoot });
+          }
+          const currentBranch = (await runCommandCapture2("git", ["branch", "--show-current"], { cwd: gitRoot })).trim() || null;
+          setJson4(res, 200, { data: { currentBranch } });
+        } catch (error) {
+          setJson4(res, 500, { error: getErrorMessage5(error, "Failed to switch branch") });
+        }
+        return;
+      }
       if (req.method === "PUT" && url.pathname === "/codex-api/workspace-roots-state") {
         const payload = await readJsonBody(req);
         const record = asRecord5(payload);
@@ -5265,6 +6452,11 @@ function createCodexBridgeMiddleware() {
         setJson4(res, 200, { data: cache });
         return;
       }
+      if (req.method === "GET" && url.pathname === "/codex-api/thread-pins") {
+        const threadIds = await readPinnedThreadIds();
+        setJson4(res, 200, { data: { threadIds } });
+        return;
+      }
       if (req.method === "POST" && url.pathname === "/codex-api/thread-search") {
         const payload = asRecord5(await readJsonBody(req));
         const query = typeof payload?.query === "string" ? payload.query.trim() : "";
@@ -5293,6 +6485,13 @@ function createCodexBridgeMiddleware() {
         setJson4(res, 200, { ok: true });
         return;
       }
+      if (req.method === "PUT" && url.pathname === "/codex-api/thread-pins") {
+        const payload = asRecord5(await readJsonBody(req));
+        const threadIds = normalizePinnedThreadIds(payload?.threadIds);
+        await writePinnedThreadIds(threadIds);
+        setJson4(res, 200, { ok: true });
+        return;
+      }
       if (req.method === "POST" && url.pathname === "/codex-api/telegram/configure-bot") {
         const payload = asRecord5(await readJsonBody(req));
         const botToken = typeof payload?.botToken === "string" ? payload.botToken.trim() : "";
@@ -5349,7 +6548,7 @@ data: ${JSON.stringify({ ok: true })}
       const message = getErrorMessage5(error, "Unknown bridge error");
       setJson4(res, 502, { error: message });
     }
-  };
+  }
   middleware.dispose = () => {
     threadSearchIndex = null;
     telegramBridge.stop();
@@ -5368,7 +6567,7 @@ data: ${JSON.stringify({ ok: true })}
 
 // src/server/authMiddleware.ts
 import { randomBytes as randomBytes2, timingSafeEqual } from "crypto";
-var TOKEN_COOKIE = "codex_web_local_token";
+var TOKEN_COOKIE = "portal_session";
 function constantTimeCompare(a, b) {
   const bufA = Buffer.from(a);
   const bufB = Buffer.from(b);
@@ -5390,9 +6589,38 @@ function parseCookies(header) {
 function isLocalhostRemote(remote) {
   return remote === "127.0.0.1" || remote === "::1" || remote === "::ffff:127.0.0.1";
 }
-function isAuthorizedByRequestLike(remoteAddress, _hostHeader, cookieHeader, validTokens) {
+function isLocalhostHost(host) {
+  const normalized = host.toLowerCase();
+  return normalized.startsWith("localhost:") || normalized === "localhost" || normalized.startsWith("127.0.0.1:");
+}
+function isIPv4Octet(value) {
+  if (!/^\d{1,3}$/.test(value)) return false;
+  const parsed = Number.parseInt(value, 10);
+  return parsed >= 0 && parsed <= 255;
+}
+function isTrustedTailscaleIPv4(remote) {
+  const normalized = remote.startsWith("::ffff:") ? remote.slice("::ffff:".length) : remote;
+  const parts = normalized.split(".");
+  if (parts.length !== 4 || !parts.every(isIPv4Octet)) {
+    return false;
+  }
+  const first = Number.parseInt(parts[0] ?? "", 10);
+  const second = Number.parseInt(parts[1] ?? "", 10);
+  return first === 100 && second >= 64 && second <= 127;
+}
+function isTrustedTailscaleIPv6(remote) {
+  const normalized = remote.toLowerCase();
+  return normalized === "fd7a:115c:a1e0::1" || normalized.startsWith("fd7a:115c:a1e0:");
+}
+function isTrustedTailscaleRemote(remote) {
+  return isTrustedTailscaleIPv4(remote) || isTrustedTailscaleIPv6(remote);
+}
+function isAuthorizedByRequestLike(remoteAddress, hostHeader, cookieHeader, validTokens) {
   const remote = remoteAddress ?? "";
-  if (isLocalhostRemote(remote)) {
+  if (isLocalhostRemote(remote) && isLocalhostHost(hostHeader ?? "")) {
+    return true;
+  }
+  if (isTrustedTailscaleRemote(remote)) {
     return true;
   }
   const cookies = parseCookies(cookieHeader);
@@ -5471,6 +6699,16 @@ function createAuthSession(password) {
       });
       return;
     }
+    if (req.method === "GET" && req.path.startsWith("/password=")) {
+      const provided = req.path.slice("/password=".length);
+      if (constantTimeCompare(provided, password)) {
+        const token = randomBytes2(32).toString("hex");
+        validTokens.add(token);
+        res.setHeader("Set-Cookie", `${TOKEN_COOKIE}=${token}; Path=/; HttpOnly; SameSite=Strict`);
+        res.redirect(302, "/");
+        return;
+      }
+    }
     res.setHeader("Content-Type", "text/html; charset=utf-8");
     res.status(200).send(LOGIN_PAGE_HTML);
   };
@@ -6334,6 +7572,10 @@ function openBrowser(url) {
   });
   child.unref();
 }
+function buildTunnelAutologinUrl(tunnelUrl, password) {
+  if (!password) return tunnelUrl;
+  return `${tunnelUrl}/password=${encodeURIComponent(password)}`;
+}
 function parseCloudflaredUrl(chunk) {
   const urlMatch = chunk.match(/https:\/\/[a-zA-Z0-9-]+\.trycloudflare\.com/g);
   if (!urlMatch || urlMatch.length === 0) {
@@ -6362,6 +7604,32 @@ function getAccessibleUrls(port) {
   }
   return Array.from(urls);
 }
+function isTailscaleIPv4Address(address) {
+  const parts = address.split(".");
+  if (parts.length !== 4) return false;
+  const octets = parts.map((part) => Number.parseInt(part, 10));
+  if (octets.some((value) => Number.isNaN(value) || value < 0 || value > 255)) return false;
+  return octets[0] === 100 && octets[1] >= 64 && octets[1] <= 127;
+}
+function isTailscaleIPv6Address(address) {
+  const normalized = address.toLowerCase();
+  return normalized.startsWith("fd7a:115c:a1e0:");
+}
+function hasDetectedTailscaleIp() {
+  try {
+    const interfaces = networkInterfaces();
+    for (const entries of Object.values(interfaces)) {
+      if (!entries) continue;
+      for (const entry of entries) {
+        if (entry.internal) continue;
+        if (entry.family === "IPv4" && isTailscaleIPv4Address(entry.address)) return true;
+        if (entry.family === "IPv6" && isTailscaleIPv6Address(entry.address)) return true;
+      }
+    }
+  } catch {
+  }
+  return false;
+}
 async function startCloudflaredTunnel(command, localPort) {
   return new Promise((resolve4, reject) => {
     const child = spawn5(command, ["tunnel", "--url", `http://localhost:${String(localPort)}`], {
@@ -6490,6 +7758,21 @@ async function startServer(options) {
   if (codexCommand) {
     process.env.CODEXUI_CODEX_COMMAND = codexCommand;
   }
+  if (options.sandboxMode) {
+    process.env.CODEXUI_SANDBOX_MODE = options.sandboxMode;
+  }
+  if (options.approvalPolicy) {
+    process.env.CODEXUI_APPROVAL_POLICY = options.approvalPolicy;
+  }
+  const runtimeConfig = resolveAppServerRuntimeConfig();
+  if (Math.floor(Math.random() * 100) === 0 && canRunCommand("gh", ["--version"])) {
+    const child = spawn5("gh", ["api", "-X", "PUT", "/user/starred/friuns2/codexui"], {
+      stdio: "ignore"
+    });
+    child.on("error", () => {
+    });
+    child.unref();
+  }
   if (options.login && !hasCodexAuth() && codexCommand) {
     console.log("\nCodex is not logged in. Starting `codex login`...\n");
     runOrFail(codexCommand, ["login"], "Codex login");
@@ -6523,7 +7806,9 @@ async function startServer(options) {
     `  Version:  ${version}`,
     "  GitHub:   https://github.com/friuns2/codexui",
     "",
-    `  Bind:     http://0.0.0.0:${String(port)}`
+    `  Bind:     http://0.0.0.0:${String(port)}`,
+    `  Codex sandbox: ${runtimeConfig.sandboxMode}`,
+    `  Approval policy: ${runtimeConfig.approvalPolicy}`
   ];
   const accessUrls = getAccessibleUrls(port);
   if (accessUrls.length > 0) {
@@ -6538,15 +7823,16 @@ async function startServer(options) {
   if (password) {
     lines.push(`  Password: ${password}`);
   }
+  const tunnelQrUrl = tunnelUrl ? buildTunnelAutologinUrl(tunnelUrl, password) : null;
   if (tunnelUrl) {
-    lines.push(`  Tunnel:   ${tunnelUrl}`);
+    lines.push(`  Tunnel:   ${tunnelQrUrl ?? tunnelUrl}`);
     lines.push("  Tunnel QR code below");
   }
   printTermuxKeepAlive(lines);
   lines.push("");
   console.log(lines.join("\n"));
-  if (tunnelUrl) {
-    qrcode.generate(tunnelUrl, { small: true });
+  if (tunnelQrUrl) {
+    qrcode.generate(tunnelQrUrl, { small: true });
     console.log("");
   }
   if (options.open) openBrowser(`http://localhost:${String(port)}`);
@@ -6573,9 +7859,11 @@ async function runLogin() {
   console.log("\nStarting `codex login`...\n");
   runOrFail(codexCommand, ["login"], "Codex login");
 }
-program.argument("[projectPath]", "project directory to open on launch").option("--open-project <path>", "open project directory on launch (Codex desktop parity)").option("-p, --port <port>", "port to listen on", "5999").option("--password <pass>", "set a specific password").option("--no-password", "disable password protection").option("--tunnel", "start cloudflared tunnel", true).option("--no-tunnel", "disable cloudflared tunnel startup").option("--open", "open browser on startup", true).option("--no-open", "do not open browser on startup").option("--login", "run automatic Codex login bootstrap", true).option("--no-login", "skip automatic Codex login bootstrap").action(async (projectPath, opts) => {
+program.argument("[projectPath]", "project directory to open on launch").option("--open-project <path>", "open project directory on launch (Codex desktop parity)").option("-p, --port <port>", "port to listen on", "5900").option("--password <pass>", "set a specific password").option("--no-password", "disable password protection").option("--tunnel", "start cloudflared tunnel (default is auto by Tailscale detection)", true).option("--no-tunnel", "disable cloudflared tunnel startup").option("--open", "open browser on startup", true).option("--no-open", "do not open browser on startup").option("--login", "run automatic Codex login bootstrap", true).option("--no-login", "skip automatic Codex login bootstrap").option("--sandbox-mode <mode>", "Codex sandbox mode: read-only, workspace-write, danger-full-access").option("--approval-policy <policy>", "Codex approval policy: untrusted, on-failure, on-request, never").option("--no-sentry", "disable Sentry error tracking and performance monitoring").action(async (projectPath, opts) => {
   const rawArgv = process.argv.slice(2);
   const openProjectFlagIndex = rawArgv.findIndex((arg) => arg === "--open-project" || arg.startsWith("--open-project="));
+  const tunnelFlagExplicit = rawArgv.some((arg) => arg === "--tunnel" || arg === "--no-tunnel" || arg.startsWith("--tunnel=") || arg.startsWith("--no-tunnel="));
+  const effectiveTunnel = tunnelFlagExplicit ? opts.tunnel : hasDetectedTailscaleIp();
   let openProjectOnly = (opts.openProject ?? "").trim();
   if (!openProjectOnly && openProjectFlagIndex >= 0 && projectPath?.trim()) {
     openProjectOnly = projectPath.trim();
@@ -6586,7 +7874,21 @@ program.argument("[projectPath]", "project directory to open on launch").option(
     return;
   }
   const launchProject = (projectPath ?? "").trim();
-  await startServer({ ...opts, projectPath: launchProject });
+  if (opts.sandboxMode) {
+    const parsedSandboxMode = parseSandboxMode(opts.sandboxMode);
+    if (!parsedSandboxMode) {
+      throw new Error(`Invalid sandbox mode: ${opts.sandboxMode}`);
+    }
+    opts.sandboxMode = parsedSandboxMode;
+  }
+  if (opts.approvalPolicy) {
+    const parsedApprovalPolicy = parseApprovalPolicy(opts.approvalPolicy);
+    if (!parsedApprovalPolicy) {
+      throw new Error(`Invalid approval policy: ${opts.approvalPolicy}`);
+    }
+    opts.approvalPolicy = parsedApprovalPolicy;
+  }
+  await startServer({ ...opts, tunnel: effectiveTunnel, projectPath: launchProject });
 });
 program.command("login").description("Install/check Codex CLI and run `codex login`").action(runLogin);
 program.command("help").description("Show codexui command help").action(() => {