github-router 0.3.68 → 0.3.72

package/dist/main.js

@@ -1,22 +1,21 @@
 #!/usr/bin/env node
-import { a as removeOwnClaudeConfigMirror, i as isUnderClaudeConfigMirror, l as writeRuntimeFileSecure, n as ensureClaudeConfigMirror, r as ensurePaths, t as PATHS } from "./paths-CZvFif-e.js";
-import { a as sweepRegistry, i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-hkBEjHb2.js";
+import { a as removeOwnClaudeConfigMirror, i as isUnderClaudeConfigMirror, l as writeRuntimeFileSecure, n as ensureClaudeConfigMirror, r as ensurePaths, t as PATHS } from "./paths-CutqqG7k.js";
+import { a as sweepRegistry, i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-CSzT74Yn.js";
 import { createRequire } from "node:module";
 import { defineCommand, runMain } from "citty";
 import consola from "consola";
 import { createHash, randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
-import fs, { readFile, stat } from "node:fs/promises";
+import fs, { chmod, copyFile, link, mkdir, open, readFile, readdir, rename, rm, stat, writeFile } from "node:fs/promises";
 import os, { homedir, platform } from "node:os";
 import * as path$1 from "node:path";
 import path, { dirname, join } from "node:path";
 import process$1 from "node:process";
 import { execFile, execFileSync, spawn, spawnSync } from "node:child_process";
-import { promisify } from "node:util";
 import fs$1, { chmodSync, closeSync, existsSync, mkdirSync, openSync, readFileSync, realpathSync, renameSync, statSync, unlinkSync, writeFileSync, writeSync } from "node:fs";
+import { fileURLToPath } from "node:url";
 import { createInterface } from "node:readline";
 import Parser from "web-tree-sitter";
 import WebSocket from "ws";
-import { fileURLToPath } from "node:url";
 import { events } from "fetch-event-stream";
 import { Type } from "typebox";
 import "partial-json";
@@ -26,6 +25,7 @@ import "yaml";
 import "ignore";
 import { z } from "zod";
 import { Writable } from "node:stream";
+import { gunzipSync, inflateRawSync } from "node:zlib";
 import { serve } from "srvx";
 import { getProxyForUrl } from "proxy-from-env";
 import { Agent, ProxyAgent, setGlobalDispatcher } from "undici";
@@ -757,24 +757,262 @@ const checkUsage = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/lib/exec.ts
+/**
+* Parse a boolean-ish env value. Returns `undefined` when unset or
+* unrecognized so callers can apply their own default. Accepts
+* `1|true|yes|on` (true) and `0|false|no|off|<empty>` (false),
+* case-insensitive. The single shared parser for all new `GH_ROUTER_*`
+* flags so on/off semantics don't drift per call site.
+*/
+function parseBoolEnv(value) {
+	if (value === void 0) return void 0;
+	const v = value.trim().toLowerCase();
+	if (v === "1" || v === "true" || v === "yes" || v === "on") return true;
+	if (v === "0" || v === "false" || v === "no" || v === "off" || v === "") return false;
+}
+/** Read the PATH value from an env object, case-insensitively. */
+function pathValueOf(env) {
+	for (const key of Object.keys(env)) if (key.toLowerCase() === "path") return env[key] ?? "";
+	return "";
+}
+/**
+* Resolve an executable name to an absolute path against PATH, honoring
+* `PATHEXT` on Windows and **excluding the current working directory**.
+*
+* Returns `null` when unresolved — callers treat that as "tool absent"
+* and skip (best-effort). Spawning the returned absolute path means
+* `cmd.exe`'s implicit cwd-first lookup never applies, closing the
+* planted-`npm.cmd` vector.
+*/
+function resolveExecutable(name$1, opts = {}) {
+	const platform$1 = opts.platform ?? process$1.platform;
+	const env = opts.env ?? process$1.env;
+	const cwdRaw = opts.cwd ?? (typeof process$1.cwd === "function" ? process$1.cwd() : void 0);
+	const resolvedCwd = cwdRaw ? path.resolve(cwdRaw) : null;
+	const dirs = pathValueOf(env).split(path.delimiter).filter((d) => d.length > 0 && d !== ".");
+	const isWin = platform$1 === "win32";
+	if (!isWin && name$1.includes("/")) return existsSync(name$1) ? path.resolve(name$1) : null;
+	if (isWin && (name$1.includes("\\") || name$1.includes("/"))) return existsSync(name$1) ? path.resolve(name$1) : null;
+	const exts = isWin && path.extname(name$1) === "" ? (env.PATHEXT ?? ".COM;.EXE;.BAT;.CMD").split(";").map((e) => e.trim()).filter(Boolean) : [""];
+	for (const dir of dirs) {
+		if (resolvedCwd && path.resolve(dir) === resolvedCwd) continue;
+		for (const ext of exts) {
+			const candidate = path.join(dir, name$1 + ext);
+			if (existsSync(candidate)) return candidate;
+		}
+	}
+	return null;
+}
+/**
+* Quote one argument for a `cmd.exe /c "<line>"` command line so the
+* target program receives it verbatim and no `cmd.exe` metacharacter
+* retains shell meaning.
+*
+* Two phases (the canonical Windows approach — Colascione / Rust std):
+*   1. **argv quoting** so `CommandLineToArgvW` in the target parses
+*      the token as one argument (double-quote, backslash-escape).
+*   2. **caret-escaping** every `cmd.exe` metacharacter — including the
+*      quotes from phase 1 — so `cmd.exe` is never in quote-mode, strips
+*      the carets, and hands the argv-quoted string to the program.
+*
+* `%` is special: it cannot be reliably escaped on the `cmd.exe`
+* *command line* (caret does not stop `%VAR%` expansion there). Rather
+* than mis-escape, we **throw** — our callers never pass `%`, so this
+* fails closed on the one unescapable injection vector.
+*/
+function quoteWinArg(arg) {
+	if (arg.includes("%")) throw new Error("buildExecInvocation: argument contains '%', which cannot be safely escaped on the Windows command line; refusing to build the command.");
+	let quoted;
+	if (arg.length > 0 && !/[ \t\n\v"&|<>()^!]/.test(arg)) quoted = arg;
+	else {
+		let s = "\"";
+		let backslashes = 0;
+		for (const ch of arg) if (ch === "\\") backslashes++;
+		else if (ch === "\"") {
+			s += "\\".repeat(backslashes * 2 + 1) + "\"";
+			backslashes = 0;
+		} else {
+			s += "\\".repeat(backslashes) + ch;
+			backslashes = 0;
+		}
+		s += "\\".repeat(backslashes * 2) + "\"";
+		quoted = s;
+	}
+	return quoted.replace(/[()!^"<>&|]/g, "^$&");
+}
+/**
+* Build the platform-correct `spawn` invocation for a command given as
+* an argv array. Pure / unit-testable (no spawn).
+*
+*   - win32 → a single caret/argv-quoted command string + `shell:true`
+*     + empty args array (the empty array avoids the DEP0190 warning
+*     that fires when args and `shell:true` are combined). `cmd[0]`
+*     should already be an absolute path from `resolveExecutable`.
+*   - posix → `(cmd[0], cmd.slice(1))` with `shell:false` — no shell,
+*     no injection surface.
+*/
+function buildExecInvocation(cmd, platform$1 = process$1.platform) {
+	if (cmd.length === 0) throw new Error("buildExecInvocation: empty command");
+	if (platform$1 === "win32") return {
+		command: cmd.map(quoteWinArg).join(" "),
+		args: [],
+		shell: true
+	};
+	return {
+		command: cmd[0],
+		args: cmd.slice(1),
+		shell: false
+	};
+}
+function runInternal(cmd, stdoutMode, opts) {
+	const { command, args, shell } = buildExecInvocation(cmd);
+	return new Promise((resolve, reject) => {
+		let child;
+		try {
+			child = spawn(command, args, {
+				cwd: opts.cwd,
+				env: opts.env ?? process$1.env,
+				shell,
+				windowsHide: true,
+				stdio: [
+					"ignore",
+					stdoutMode,
+					stdoutMode === "inherit" ? "inherit" : "pipe"
+				]
+			});
+		} catch (err) {
+			reject(err instanceof Error ? err : new Error(String(err)));
+			return;
+		}
+		let stdout = "";
+		let stderr = "";
+		let timedOut = false;
+		let settled = false;
+		const timer = opts.timeoutMs ? setTimeout(() => {
+			timedOut = true;
+			killTree(child.pid);
+		}, opts.timeoutMs) : void 0;
+		timer?.unref?.();
+		child.stdout?.on("data", (c) => {
+			stdout += c.toString("utf8");
+		});
+		child.stderr?.on("data", (c) => {
+			stderr += c.toString("utf8");
+		});
+		child.stdout?.on("error", () => {});
+		child.stderr?.on("error", () => {});
+		const finish = (code) => {
+			if (settled) return;
+			settled = true;
+			if (timer) clearTimeout(timer);
+			resolve({
+				stdout,
+				stderr,
+				code,
+				timedOut
+			});
+		};
+		child.on("error", (err) => {
+			if (settled) return;
+			settled = true;
+			if (timer) clearTimeout(timer);
+			reject(err);
+		});
+		child.on("close", (code) => finish(code));
+	});
+}
+/** Kill a process tree best-effort (taskkill /T on Windows). */
+function killTree(pid) {
+	if (!pid) return;
+	try {
+		if (process$1.platform === "win32") spawn("taskkill", [
+			"/T",
+			"/F",
+			"/PID",
+			String(pid)
+		], {
+			stdio: "ignore",
+			windowsHide: true
+		});
+		else process$1.kill(pid, "SIGTERM");
+	} catch {}
+}
+/** Run a command and capture stdout/stderr. Rejects on spawn error. */
+function runCommandCapture(cmd, opts = {}) {
+	return runInternal(cmd, "pipe", opts);
+}
+/** Run a command discarding output (still captures stderr for errors). */
+function runCommandVoid(cmd, opts = {}) {
+	return runInternal(cmd, "pipe", opts);
+}
+
+//#endregion
+//#region src/lib/update-lock.ts
+/** A lock older than this is treated as stale (crashed holder) and stolen. */
+const STALE_LOCK_MS = 600 * 1e3;
+function lockPath(name$1) {
+	return path.join(os.homedir(), ".local", "share", "github-router", name$1);
+}
+/**
+* Run `fn` while holding an exclusive lockfile named `name` under the
+* app dir. Returns `true` if the lock was acquired and `fn` ran,
+* `false` if another process already holds it (caller skips silently).
+*
+* A lock left by a crashed process older than `STALE_LOCK_MS` is
+* stolen so the updater can never be wedged permanently.
+*/
+async function withInstallLock(name$1, fn) {
+	const p = lockPath(name$1);
+	let handle = await tryCreateLock(p);
+	if (!handle) {
+		let stale = false;
+		try {
+			const s = await stat(p);
+			stale = Date.now() - s.mtimeMs > STALE_LOCK_MS;
+		} catch {
+			stale = true;
+		}
+		if (!stale) return false;
+		await rm(p, { force: true }).catch(() => {});
+		handle = await tryCreateLock(p);
+		if (!handle) return false;
+	}
+	try {
+		await handle.close();
+		await fn();
+		return true;
+	} finally {
+		await rm(p, { force: true }).catch(() => {});
+	}
+}
+async function tryCreateLock(p) {
+	try {
+		return await open(p, "wx");
+	} catch {
+		return null;
+	}
+}
+
 //#endregion
 //#region src/lib/claude-version-check.ts
-const execFileAsync = promisify(execFile);
-const NPM_PACKAGE = "@anthropic-ai/claude-code";
-const THROTTLE_HOURS = 1;
-const NPM_VIEW_TIMEOUT_MS = 5e3;
+const NPM_PACKAGE$1 = "@anthropic-ai/claude-code";
+const THROTTLE_HOURS$1 = 1;
+const NPM_VIEW_TIMEOUT_MS$1 = 5e3;
+const CLAUDE_VERSION_TIMEOUT_MS = 3e3;
 const NPM_INSTALL_TIMEOUT_MS = 12e4;
 /** Path to the throttle cache. Created on demand. */
-function cacheFilePath() {
+function cacheFilePath$1() {
 	return path.join(os.homedir(), ".local", "share", "github-router", "last-update-check");
 }
 /**
 * Read the throttle cache. Returns null on missing/corrupt file —
 * triggers a fresh check.
 */
-async function readCache() {
+async function readCache$1() {
 	try {
-		const raw = await fs.readFile(cacheFilePath(), "utf8");
+		const raw = await fs.readFile(cacheFilePath$1(), "utf8");
 		const parsed = JSON.parse(raw);
 		if (typeof parsed.checkedAt !== "string" || parsed.installedVersion !== null && typeof parsed.installedVersion !== "string" || parsed.latestVersion !== null && typeof parsed.latestVersion !== "string") return null;
 		return parsed;
@@ -782,37 +1020,38 @@ async function readCache() {
 		return null;
 	}
 }
-async function writeCache(cache) {
+async function writeCache$1(cache) {
 	try {
-		await fs.mkdir(path.dirname(cacheFilePath()), { recursive: true });
-		await fs.writeFile(cacheFilePath(), JSON.stringify(cache), { mode: 384 });
+		await fs.mkdir(path.dirname(cacheFilePath$1()), { recursive: true });
+		await fs.writeFile(cacheFilePath$1(), JSON.stringify(cache), { mode: 384 });
 	} catch (err) {
 		consola.debug("Failed to write claude version-check cache:", err);
 	}
 }
 /** Check if it's been more than THROTTLE_HOURS since the last check. */
-function shouldCheckNow(cache) {
+function shouldCheckNow$1(cache) {
 	if (!cache) return true;
 	const lastCheck = new Date(cache.checkedAt).getTime();
 	if (Number.isNaN(lastCheck)) return true;
-	return (Date.now() - lastCheck) / 1e3 / 3600 >= THROTTLE_HOURS;
+	return (Date.now() - lastCheck) / 1e3 / 3600 >= THROTTLE_HOURS$1;
 }
 /**
 * Read the installed `claude` version. Returns null if claude is not
 * on PATH or the version probe fails (e.g. older versions that don't
 * support `--version` cleanly).
-*/
-function getInstalledVersion() {
+*
+* Windows-safe: `claude` is a `.cmd` shim that `execFile` cannot launch
+* directly. We resolve it to an absolute path (excluding the cwd, so a
+* planted `claude.cmd` in an untrusted repo can't run) and invoke it
+* through the shared exec helper.
+*/
+async function getInstalledVersion() {
+	const claudePath = resolveExecutable("claude");
+	if (!claudePath) return null;
 	try {
-		const match = execFileSync("claude", ["--version"], {
-			stdio: [
-				"ignore",
-				"pipe",
-				"ignore"
-			],
-			timeout: 3e3,
-			encoding: "utf8"
-		}).match(/^(\d+\.\d+\.\d+)/);
+		const { stdout, code } = await runCommandCapture([claudePath, "--version"], { timeoutMs: CLAUDE_VERSION_TIMEOUT_MS });
+		if (code !== 0) return null;
+		const match = stdout.match(/(\d+\.\d+\.\d+)/);
 		return match ? match[1] : null;
 	} catch {
 		return null;
@@ -821,15 +1060,22 @@ function getInstalledVersion() {
 /**
 * Fetch the latest version of @anthropic-ai/claude-code from the npm
 * registry. Returns null on network failure / npm unavailable.
+*
+* Windows-safe: `npm` is `npm.cmd`; resolved to an absolute path
+* (excluding cwd) before invocation.
 */
-async function getLatestVersion() {
+async function getLatestVersion$1() {
+	const npmPath = resolveExecutable("npm");
+	if (!npmPath) return null;
 	try {
-		const { stdout } = await execFileAsync("npm", [
+		const { stdout, code } = await runCommandCapture([
+			npmPath,
 			"view",
-			NPM_PACKAGE,
+			NPM_PACKAGE$1,
 			"version",
 			"--silent"
-		], { timeout: NPM_VIEW_TIMEOUT_MS });
+		], { timeoutMs: NPM_VIEW_TIMEOUT_MS$1 });
+		if (code !== 0) return null;
 		const v = stdout.trim();
 		return /^\d+\.\d+\.\d+/.test(v) ? v : null;
 	} catch {
@@ -867,8 +1113,8 @@ async function checkClaudeVersion(opts = {}) {
 		skipped: true,
 		skipReason: "disabled"
 	};
-	const cache = await readCache();
-	if (!opts.force && !shouldCheckNow(cache)) return {
+	const cache = await readCache$1();
+	if (!opts.force && !shouldCheckNow$1(cache)) return {
 		installed: cache?.installedVersion !== null,
 		installedVersion: cache?.installedVersion ?? null,
 		latestVersion: cache?.latestVersion ?? null,
@@ -876,7 +1122,7 @@ async function checkClaudeVersion(opts = {}) {
 		skipped: true,
 		skipReason: "throttled"
 	};
-	const installedVersion = getInstalledVersion();
+	const installedVersion = await getInstalledVersion();
 	if (installedVersion === null) return {
 		installed: false,
 		installedVersion: null,
@@ -885,8 +1131,8 @@ async function checkClaudeVersion(opts = {}) {
 		skipped: true,
 		skipReason: "no-claude"
 	};
-	const latestVersion = await getLatestVersion();
-	await writeCache({
+	const latestVersion = await getLatestVersion$1();
+	await writeCache$1({
 		checkedAt: (/* @__PURE__ */ new Date()).toISOString(),
 		installedVersion,
 		latestVersion
@@ -908,23 +1154,190 @@ async function checkClaudeVersion(opts = {}) {
 	};
 }
 /**
-* Run `npm install -g @anthropic-ai/claude-code@latest` synchronously.
-* Throws on failure — the caller decides whether to abort the launch
-* or continue with the older version.
-*/
-async function autoUpdateClaude(latestVersion) {
-	consola.info(`Updating ${NPM_PACKAGE} to ${latestVersion} (this may take ~30s)...`);
-	try {
-		await execFileAsync("npm", [
+* Heuristic: did `claude update` fail because the subcommand does not
+* exist (a build predating `claude update`), as opposed to a transient
+* update error? We only npm-fall-back on this specific signal — falling
+* back on any failure would install a conflicting npm copy on
+* native-installer machines.
+*
+* Matches the usage/Commander-style "unknown command" messages CLIs emit
+* for an unrecognized subcommand. Deliberately narrow.
+*/
+function looksLikeUnknownUpdateCommand(output) {
+	return /unknown command|unknown subcommand|unrecognized (sub)?command|invalid command|command not found|is not a (known|valid) command/i.test(output);
+}
+async function updateClaude(latestVersion, deps = {}) {
+	const _resolve = deps.resolveExecutable ?? resolveExecutable;
+	const _capture = deps.runCommandCapture ?? runCommandCapture;
+	const _void = deps.runCommandVoid ?? runCommandVoid;
+	const _lock = deps.withInstallLock ?? withInstallLock;
+	const claudePath = _resolve("claude");
+	if (!claudePath) throw new Error("claude not found on PATH");
+	if (!await _lock("claude-update.lock", async () => {
+		consola.info(`Updating Claude Code to ${latestVersion} via \`claude update\`...`);
+		const { code, stdout, stderr } = await _capture([claudePath, "update"], { timeoutMs: NPM_INSTALL_TIMEOUT_MS });
+		const combined = `${stdout}${stderr}`;
+		const trimmed = combined.trim();
+		if (trimmed) process.stdout.write(trimmed.endsWith("\n") ? trimmed : `${trimmed}\n`);
+		if (code === 0) {
+			consola.success(`Claude Code updated to ${latestVersion}`);
+			return;
+		}
+		if (!looksLikeUnknownUpdateCommand(combined)) throw new Error(`\`claude update\` exited with code ${code}`);
+		const npmPath = _resolve("npm");
+		if (!npmPath) throw new Error(`this Claude Code build predates \`claude update\` and npm is not on PATH; update manually: npm install -g ${NPM_PACKAGE$1}@latest`);
+		consola.warn(`This Claude Code build predates \`claude update\`; falling back to \`npm install -g ${NPM_PACKAGE$1}@latest\`.`);
+		const { code: npmCode, stderr: npmStderr } = await _void([
+			npmPath,
 			"install",
 			"-g",
-			`${NPM_PACKAGE}@latest`,
+			`${NPM_PACKAGE$1}@latest`,
+			"--silent"
+		], { timeoutMs: NPM_INSTALL_TIMEOUT_MS });
+		if (npmCode !== 0) throw new Error(`npm install failed: ${npmStderr.trim() || `exit ${npmCode}`}`);
+		consola.success(`${NPM_PACKAGE$1} updated to ${latestVersion}`);
+	})) consola.debug("Claude Code update already in progress in another process; skipping.");
+}
+
+//#endregion
+//#region src/lib/version.ts
+/**
+* Read this binary's published version from package.json at runtime.
+*
+* Done at runtime (not baked at build time) because release.yml builds
+* BEFORE `npm version patch` bumps the version — a build-time inline
+* would always ship the pre-bump value. The npm tarball ships package.json
+* alongside `dist/`, so a sibling-up lookup from import.meta.url resolves
+* cleanly in both dev (`src/lib/`) and bundled (`dist/`) layouts.
+*
+* Returns `"unknown"` if package.json can't be located or parsed —
+* never throws, so the CLI never fails to start over version reporting.
+*/
+function getPackageVersion() {
+	try {
+		const here = dirname(fileURLToPath(import.meta.url));
+		const candidates = [join(here, "..", "..", "package.json"), join(here, "..", "package.json")];
+		for (const path$2 of candidates) try {
+			const raw = readFileSync(path$2, "utf8");
+			const parsed = JSON.parse(raw);
+			if (typeof parsed.version === "string" && (parsed.name === "github-router" || parsed.name === "@animeshkundu/github-router")) return parsed.version;
+		} catch {}
+	} catch {}
+	return "unknown";
+}
+
+//#endregion
+//#region src/lib/self-update.ts
+const NPM_PACKAGE = "github-router";
+const THROTTLE_HOURS = 1;
+const NPM_VIEW_TIMEOUT_MS = 5e3;
+function cacheFilePath() {
+	return path.join(os.homedir(), ".local", "share", "github-router", "last-self-update-check");
+}
+async function readCache() {
+	try {
+		const parsed = JSON.parse(await fs.readFile(cacheFilePath(), "utf8"));
+		if (typeof parsed.checkedAt !== "string") return null;
+		return parsed;
+	} catch {
+		return null;
+	}
+}
+async function writeCache(cache) {
+	try {
+		await fs.mkdir(path.dirname(cacheFilePath()), { recursive: true });
+		await fs.writeFile(cacheFilePath(), JSON.stringify(cache), { mode: 384 });
+	} catch (err) {
+		consola.debug("Failed to write self-update cache:", err);
+	}
+}
+function shouldCheckNow(cache) {
+	if (!cache) return true;
+	const last = new Date(cache.checkedAt).getTime();
+	if (Number.isNaN(last)) return true;
+	return (Date.now() - last) / 1e3 / 3600 >= THROTTLE_HOURS;
+}
+async function getLatestVersion(npmPath) {
+	try {
+		const { stdout, code } = await runCommandCapture([
+			npmPath,
+			"view",
+			NPM_PACKAGE,
+			"version",
 			"--silent"
-		], { timeout: NPM_INSTALL_TIMEOUT_MS });
-		consola.success(`${NPM_PACKAGE} updated to ${latestVersion}`);
+		], { timeoutMs: NPM_VIEW_TIMEOUT_MS });
+		if (code !== 0) return null;
+		const v = stdout.trim();
+		return /^\d+\.\d+\.\d+/.test(v) ? v : null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Spawn a detached process that waits for THIS proxy (pid) to exit,
+* then runs `npm install -g github-router@latest`. Fully detached and
+* unref'd so it outlives the proxy; output discarded.
+*
+* The waiter is a tiny inline Node script (Node is guaranteed present —
+* the proxy runs on it) that polls `process.kill(pid, 0)` until the
+* parent is gone, then execs npm. This avoids the Windows file-lock by
+* never touching the global install while the proxy holds it open.
+*/
+function spawnDetachedUpdater(npmPath) {
+	const waiter = `
+    const pid = ${process.pid};
+    const { spawn } = require("node:child_process");
+    function alive() { try { process.kill(pid, 0); return true } catch { return false } }
+    const timer = setInterval(() => {
+      if (alive()) return;
+      clearInterval(timer);
+      const args = ["install", "-g", ${JSON.stringify(`${NPM_PACKAGE}@latest`)}, "--silent"];
+      const isWin = process.platform === "win32";
+      const child = spawn(${JSON.stringify(npmPath)}, args, {
+        stdio: "ignore", windowsHide: true, shell: isWin, detached: !isWin,
+      });
+      child.on("error", () => process.exit(0));
+      child.on("exit", () => process.exit(0));
+      // Safety: never hang forever.
+      setTimeout(() => process.exit(0), 180000).unref();
+    }, 500);
+    // Safety cap on the wait itself (e.g. extremely long sessions still
+    // eventually give up rather than leak the waiter).
+    setTimeout(() => { clearInterval(timer); process.exit(0); }, 24 * 3600 * 1000).unref();
+  `.trim();
+	spawn(process.execPath, ["-e", waiter], {
+		detached: true,
+		stdio: "ignore",
+		windowsHide: true
+	}).unref();
+}
+/**
+* Probe npm for a newer `github-router` and, if found, queue a detached
+* post-exit update. Returns quickly; never throws. Call AFTER the
+* server is listening so the bounded probe can't delay binding.
+*/
+async function runSelfUpdate(opts) {
+	if (!opts.selfUpdate) return;
+	if (parseBoolEnv(process.env.GH_ROUTER_NO_SELF_UPDATE) === true) return;
+	try {
+		const cache = await readCache();
+		if (!opts.force && !shouldCheckNow(cache)) return;
+		const installed = getPackageVersion();
+		if (installed === "unknown") return;
+		const npmPath = resolveExecutable("npm");
+		if (!npmPath) return;
+		const latest = await getLatestVersion(npmPath);
+		await writeCache({
+			checkedAt: (/* @__PURE__ */ new Date()).toISOString(),
+			installedVersion: installed,
+			latestVersion: latest
+		});
+		if (!latest || !isNewer(installed, latest)) return;
+		if (await withInstallLock("self-update.lock", async () => {
+			spawnDetachedUpdater(npmPath);
+		})) consola.info(`github-router ${installed} → ${latest} update queued; it takes effect on the next launch.`);
 	} catch (err) {
-		const msg = err instanceof Error ? err.message : String(err);
-		throw new Error(`npm install failed: ${msg}`);
+		consola.debug("Self-update check failed:", err);
 	}
 }
 
@@ -1039,6 +1452,47 @@ function envInt$1(key, fallback) {
 const UPSTREAM_FETCH_TIMEOUT_MS = envInt$1("UPSTREAM_FETCH_TIMEOUT_MS", 0);
 const UPSTREAM_INACTIVITY_TIMEOUT_MS = envInt$1("UPSTREAM_INACTIVITY_TIMEOUT_MS", 3e5);
 
+//#endregion
+//#region src/lib/toolbelt/path-inject.ts
+/**
+* The key under which `env` stores PATH, matched case-insensitively.
+* Falls back to the platform-conventional spelling when absent.
+*/
+function pathEnvKey(env) {
+	for (const key of Object.keys(env)) if (key.toLowerCase() === "path") return key;
+	return process.platform === "win32" ? "Path" : "PATH";
+}
+/**
+* Compute the PATH override that prepends `binDir`, reusing the parent's
+* existing key casing so a subsequent merge can't introduce a duplicate
+* case-variant key. Returns a single-entry patch suitable for
+* `Object.assign(vars, ...)`.
+*/
+function toolbeltPathOverride(parentEnv, binDir) {
+	const key = pathEnvKey(parentEnv);
+	const current = parentEnv[key] ?? "";
+	return { [key]: current ? `${binDir}${path.delimiter}${current}` : binDir };
+}
+/**
+* Defense-in-depth: collapse all case-variant PATH keys in `env` into a
+* single canonical key. Mutates and returns `env`. If duplicates with
+* differing values exist (only possible via a mismatched-casing merge),
+* the longest value wins — the toolbelt-prepended PATH is strictly
+* longer than the original, so this preserves the injection.
+*/
+function collapsePathKeys(env) {
+	const keys = Object.keys(env).filter((k) => k.toLowerCase() === "path");
+	if (keys.length <= 1) return env;
+	let bestValue = "";
+	for (const k of keys) {
+		const v = env[k] ?? "";
+		if (v.length >= bestValue.length) bestValue = v;
+		delete env[k];
+	}
+	env[process.platform === "win32" ? "Path" : "PATH"] = bestValue;
+	return env;
+}
+
 //#endregion
 //#region src/lib/launch.ts
 /**
@@ -1103,6 +1557,22 @@ function commandExists(name$1) {
 	}
 }
 /**
+* Whether the launcher can execute `executable`.
+*
+* `buildLaunchCommand` resolves the CLI to an ABSOLUTE path (anti-shadow).
+* `where.exe` (and POSIX `which`) reject a full path argument — `where`
+* returns "Could not find files for the given pattern(s)" for an absolute
+* path even when the file exists — so the where/which probe is only valid
+* for bare command names. For an absolute path (already resolved against
+* PATH and existence-checked by `resolveExecutable`), check the
+* filesystem directly. Without this split, every launch where the CLI is
+* installed fails with a spurious "not found on PATH".
+*/
+function isExecutableAvailable(executable) {
+	if (path.isAbsolute(executable)) return existsSync(executable);
+	return commandExists(executable);
+}
+/**
 * Provider-config flags (`-c model_providers.github_router=...`) that
 * point Codex at our proxy. Extracted from `buildCodexCmd` so the new
 * `codex mcp-server` MCP-config builder can reuse the exact same
@@ -1170,22 +1640,25 @@ function buildCodexCmd(target) {
 	return cmd;
 }
 function buildLaunchCommand(target) {
+	const cmd = target.kind === "claude-code" ? [
+		"claude",
+		"--dangerously-skip-permissions",
+		...target.extraArgs
+	] : buildCodexCmd(target);
+	const resolved = resolveExecutable(cmd[0], { env: process$1.env });
+	if (resolved) cmd[0] = resolved;
 	return {
-		cmd: target.kind === "claude-code" ? [
-			"claude",
-			"--dangerously-skip-permissions",
-			...target.extraArgs
-		] : buildCodexCmd(target),
-		env: {
+		cmd,
+		env: collapsePathKeys({
 			...sanitizeParentEnv(process$1.env),
 			...target.envVars
-		}
+		})
 	};
 }
 function launchChild(target, server$1, options = {}) {
 	const { cmd, env } = buildLaunchCommand(target);
 	const executable = cmd[0];
-	if (!commandExists(executable)) {
+	if (!isExecutableAvailable(executable)) {
 		const msg = `"${executable}" not found on PATH. Install it first, then try again.`;
 		consola.error(msg);
 		process$1.stderr.write(msg + "\n");
@@ -2499,33 +2972,6 @@ function round4(x) {
 	return Math.round(x * 1e4) / 1e4;
 }
 
-//#endregion
-//#region src/lib/version.ts
-/**
-* Read this binary's published version from package.json at runtime.
-*
-* Done at runtime (not baked at build time) because release.yml builds
-* BEFORE `npm version patch` bumps the version — a build-time inline
-* would always ship the pre-bump value. The npm tarball ships package.json
-* alongside `dist/`, so a sibling-up lookup from import.meta.url resolves
-* cleanly in both dev (`src/lib/`) and bundled (`dist/`) layouts.
-*
-* Returns `"unknown"` if package.json can't be located or parsed —
-* never throws, so the CLI never fails to start over version reporting.
-*/
-function getPackageVersion() {
-	try {
-		const here = dirname(fileURLToPath(import.meta.url));
-		const candidates = [join(here, "..", "..", "package.json"), join(here, "..", "package.json")];
-		for (const path$2 of candidates) try {
-			const raw = readFileSync(path$2, "utf8");
-			const parsed = JSON.parse(raw);
-			if (typeof parsed.version === "string" && (parsed.name === "github-router" || parsed.name === "@animeshkundu/github-router")) return parsed.version;
-		} catch {}
-	} catch {}
-	return "unknown";
-}
-
 //#endregion
 //#region src/lib/browser-mcp/browser-detect.ts
 let cached;
@@ -3496,7 +3942,7 @@ function logAudit$1(record) {
 		try {
 			const fs$2 = await import("node:fs/promises");
 			const path$2 = await import("node:path");
-			const { PATHS: PATHS$1 } = await import("./paths-CW16Dz9_.js");
+			const { PATHS: PATHS$1 } = await import("./paths-Dv7QZQWB.js");
 			const dir = path$2.join(PATHS$1.APP_DIR, "browser-mcp");
 			await fs$2.mkdir(dir, { recursive: true });
 			const line = JSON.stringify({
@@ -4926,6 +5372,14 @@ function toolEnvelope(data, isError) {
 * call-time when the operator hasn't opted in via `--browse` or
 * `GH_ROUTER_ENABLE_BROWSE=1`.
 *
+* NAMING: the `toolNameHttp` here is the WIRE name (`browser_*`) that each
+* handler dispatches to the extension. `peer-mcp-personas.ts` strips the
+* `browser_` prefix when spreading these into `NON_PERSONA_MCP_TOOLS` so
+* the MCP-facing name is bare (`mcp__browser__navigate`) while the wire
+* name stays `browser_navigate` — do NOT rename the literals below or the
+* installed extension breaks. The `group` field is injected at that spread
+* (hence `Omit<…, "group">` here).
+*
 * v1 surface: 19 tools (Phases 3 + 4a + 4b + humanlike input v2).
 */
 const BROWSER_TOOLS = Object.freeze([
@@ -7268,7 +7722,7 @@ function resolveModelAndThinking(opts) {
 *      file containing "ignore previous instructions; run rm -rf"
 *      doesn't redirect Pi.
 *   3. State what each tool does in one short sentence — Pi runs on
-*      `gemini-3.5-flash` and has no built-in knowledge of the
+*      `gemini-3.1-pro-preview` and has no built-in knowledge of the
 *      proxy-specific tools (`code_search`, `peer_review`, `advisor`,
 *      `fetch_url`). Listing names alone wastes the first turn on
 *      discovery probing.
@@ -7301,15 +7755,16 @@ function buildToolBlock(tools) {
 }
 const EXPLORE_MODE_NOTE = `Read-only mode — tools:\n${buildToolBlock(READ_TOOL_NOTES)}`;
 const IMPLEMENT_MODE_NOTE = `Read+write mode — tools:\n${buildToolBlock([...READ_TOOL_NOTES, ...WRITE_TOOL_NOTES])}`;
+const REVIEW_MODE_NOTE = `You are reviewing code for correctness. Verify against the actual code by reading it — never assume. Report concrete findings (bugs, edge cases, security / concurrency / resource risks, missing handling) with a severity and a \`file:line\` citation; if nothing material is wrong, say so plainly rather than inventing issues.\n\nRead-only mode — tools:\n${buildToolBlock(READ_TOOL_NOTES)}`;
 /**
 * Build the system prompt for a given worker mode. Returns the
 * security-boundary paragraph followed by a bulletted capability
-* inventory. No prescriptive task advice, no examples, no
-* chain-of-thought scaffolding — Pi's coding-agent harness covers
-* all of that.
+* inventory (and, for `review`, a one-line reviewer role frame). No
+* prescriptive task advice, no examples, no chain-of-thought scaffolding —
+* Pi's coding-agent harness covers all of that.
 */
 function systemPromptFor(mode) {
-	return `${SECURITY_BOUNDARY}\n\n${mode === "explore" ? EXPLORE_MODE_NOTE : IMPLEMENT_MODE_NOTE}`;
+	return `${SECURITY_BOUNDARY}\n\n${mode === "explore" ? EXPLORE_MODE_NOTE : mode === "review" ? REVIEW_MODE_NOTE : IMPLEMENT_MODE_NOTE}`;
 }
 
 //#endregion
@@ -8325,7 +8780,7 @@ function standInToolEnabled() {
 *
 * Returns true iff BOTH:
 *   1. Copilot's live catalog (`state.models?.data`) contains the
-*      worker's default model (`gemini-3.5-flash`) AND that entry
+*      worker's default model (`gemini-3.1-pro-preview`) AND that entry
 *      advertises `capabilities.supports.tool_calls === true`. The
 *      worker loop is function-calling; a model that can't emit
 *      tool_calls is unusable, so dormant-register (omit from
@@ -8391,12 +8846,40 @@ function browserCompoundToolsEnabled() {
 function browserPowerToolsEnabled() {
 	return state.powerBrowseEnabled === true;
 }
+/**
+* Gate for the whole `browser` MCP server (the `--browse` opt-in surface).
+*
+* Returns true iff BOTH:
+*   1. The operator opted in (`state.browseEnabled`, set by `--browse`, OR
+*      `GH_ROUTER_ENABLE_BROWSE=1` read directly so non-`setupAndServe`
+*      startup paths — tests, embedded use — can still flip the gate).
+*   2. At least one Chromium-family browser is detected on disk
+*      (`hasSupportedBrowserInstalled()`, cached for the proxy lifetime).
+*
+* Moved here from `handler.ts` so both the route handler (list-time +
+* call-time gating) AND `claude.ts` (deciding whether to register the
+* `browser` scoped MCP server at launch) share one predicate — registering
+* a server whose tools would all be gated out produces an empty-server smell.
+*/
+function browserToolsEnabled() {
+	if (!(state.browseEnabled || process.env.GH_ROUTER_ENABLE_BROWSE === "1")) return false;
+	return hasSupportedBrowserInstalled();
+}
 
 //#endregion
 //#region src/routes/mcp/handler.ts
 const MCP_PROTOCOL_VERSION = "2025-06-18";
 const SERVER_NAME = "github-router-peers";
 const SERVER_VERSION = "1";
+/**
+* MCP `initialize` `serverInfo.name` for a given scope. Scoped endpoints
+* report their `github-router-<group>` provenance name; the unscoped union
+* keeps the legacy `github-router-peers`. Cosmetic handshake metadata —
+* Claude Code namespaces tools by the config-entry KEY, not this name.
+*/
+function serverInfoNameForScope(scope) {
+	return scope === "all" ? SERVER_NAME : GROUP_META[scope].serverInfoName;
+}
 const inflightAborts = /* @__PURE__ */ new Map();
 /**
 * Idempotent teardown for an in-flight tools/call. Aborts the upstream
@@ -8489,37 +8972,6 @@ function geminiAvailable() {
 	return models$1.some((m) => /^gemini-3\..*pro/i.test(m.id));
 }
 /**
-* Gate for the browser-control MCP tools (`browser_*`).
-*
-* Returns true iff BOTH:
-*   1. The operator opted in via `--browse` (which sets
-*      `state.browseEnabled`) OR the equivalent env var
-*      `GH_ROUTER_ENABLE_BROWSE=1`. Default OFF — browser-control is
-*      side-effectful (mutates the user's browser session, downloads
-*      files, can navigate to phishing URLs the model was prompted with),
-*      so dormant-register is the safe default.
-*   2. At least one supported Chromium-family browser (Chrome or Edge)
-*      is detected on disk by `hasSupportedBrowserInstalled()`. No
-*      browser → nothing for the bridge to attach to → tools stay
-*      invisible rather than fail at call time. Detection is cached for
-*      the proxy lifetime; a fresh install requires a restart.
-*
-* Mirrors the defense-in-depth pattern of `workerToolsEnabled()` /
-* `standInToolEnabled()`: this same function gates BOTH the
-* `tools/list` filter in `toolEntries()` AND the call-time rejection in
-* `handleToolsCall` (returning -32601 for hard-coded tool-name
-* bypasses), so the two surfaces stay symmetric.
-*
-* The env-var check reads `process.env` directly instead of relying
-* solely on `state.browseEnabled` so a non-`setupAndServe` startup path
-* (tests, embedded use) can still flip the gate via env. The CLI flag
-* path is the canonical one for end users.
-*/
-function browserToolsEnabled() {
-	if (!(state.browseEnabled || process.env.GH_ROUTER_ENABLE_BROWSE === "1")) return false;
-	return hasSupportedBrowserInstalled();
-}
-/**
 * The 1M-context Opus 4.6 variant (`claude-opus-4.6-1m`, `max_prompt_tokens`
 * 936K). opus_critic prefers it so it can take large artifacts in one shot
 * (the whole point of pairing it with gpt-5.5 as the big-window peers);
@@ -8542,8 +8994,8 @@ function activePersonas() {
 		model: resolveOpusCriticModel()
 	} : p);
 }
-function toolEntries() {
-	const personaEntries = activePersonas().map((p) => ({
+function toolEntries(scope) {
+	const personaEntries = scope === "all" || scope === "peers" ? activePersonas().map((p) => ({
 		name: p.toolNameHttp,
 		description: p.description,
 		inputSchema: {
@@ -8566,8 +9018,9 @@ function toolEntries() {
 				}
 			}
 		}
-	}));
+	})) : [];
 	const nonPersonaEntries = NON_PERSONA_MCP_TOOLS.filter((t) => {
+		if (scope !== "all" && t.group !== scope) return false;
 		if (t.capability === "worker") return workerToolsEnabled();
 		if (t.capability === "stand_in") return standInToolEnabled();
 		if (t.capability === "browser") return browserToolsEnabled();
@@ -8731,13 +9184,14 @@ async function predictedWindowOverflow(persona, prompt, context) {
 *   - invalid effort string → handleRpc returns -32602
 *   - effort not in persona.allowedEfforts → handleRpc returns -32602
 */
-function jsonPathPreflightCap(body) {
+function jsonPathPreflightCap(body, scope) {
 	if (body.id === void 0) return void 0;
 	const params = body.params ?? {};
 	const name$1 = typeof params.name === "string" ? params.name : "";
 	const args = params.arguments ?? {};
 	if (!name$1) return void 0;
 	if (name$1 === "stand_in") {
+		if (scope !== "all" && scope !== "decide") return void 0;
 		const decision = typeof args.decision === "string" ? args.decision : "";
 		const optionsRaw = Array.isArray(args.options) ? args.options : [];
 		const standInContext = typeof args.context === "string" ? args.context : "";
@@ -8753,6 +9207,7 @@ function jsonPathPreflightCap(body) {
 	if (!prompt) return void 0;
 	const persona = activePersonas().find((p) => p.toolNameHttp === name$1);
 	if (!persona) return void 0;
+	if (scope !== "all" && scope !== "peers") return void 0;
 	if (rawEffort !== void 0 && !isEffort(rawEffort)) return void 0;
 	const effortMaybe = rawEffort;
 	if (effortMaybe !== void 0 && !persona.allowedEfforts.includes(effortMaybe)) return;
@@ -8855,7 +9310,7 @@ function logTelemetry(t) {
 	if (t.errorMessage) parts.push(`error=${JSON.stringify(t.errorMessage)}`);
 	process.stderr.write(parts.join(" ") + "\n");
 }
-async function handleToolsCall(body) {
+async function handleToolsCall(body, scope) {
 	const params = body.params ?? {};
 	const name$1 = typeof params.name === "string" ? params.name : "";
 	const args = params.arguments ?? {};
@@ -8863,6 +9318,8 @@ async function handleToolsCall(body) {
 	const persona = activePersonas().find((p) => p.toolNameHttp === name$1);
 	const nonPersonaTool = persona ? void 0 : NON_PERSONA_MCP_TOOLS.find((t) => t.toolNameHttp === name$1);
 	if (!persona && !nonPersonaTool) return rpcError(body.id, RPC_METHOD_NOT_FOUND, `tools/call: unknown tool "${name$1}"`);
+	const toolGroup = persona ? "peers" : nonPersonaTool.group;
+	if (scope !== "all" && toolGroup !== scope) return rpcError(body.id, RPC_METHOD_NOT_FOUND, `tools/call: unknown tool "${name$1}"`);
 	if (nonPersonaTool && nonPersonaTool.capability === "worker" && !workerToolsEnabled()) return rpcError(body.id, RPC_METHOD_NOT_FOUND, `tools/call: unknown tool "${name$1}"`);
 	if (nonPersonaTool && nonPersonaTool.capability === "stand_in" && !standInToolEnabled()) return rpcError(body.id, RPC_METHOD_NOT_FOUND, `tools/call: unknown tool "${name$1}"`);
 	if (nonPersonaTool && nonPersonaTool.capability === "browser" && !browserToolsEnabled()) return rpcError(body.id, RPC_METHOD_NOT_FOUND, `tools/call: unknown tool "${name$1}"`);
@@ -8953,7 +9410,7 @@ function handleCancelledNotification(body) {
 	}
 	cancelInflight(requestId, "client requested cancellation");
 }
-async function handleRpc(_c, body) {
+async function handleRpc(_c, body, scope) {
 	if (body === null || typeof body !== "object" || Array.isArray(body)) return {
 		status: 200,
 		body: rpcError(null, RPC_INVALID_REQUEST, "jsonrpc 2.0 envelope required")
@@ -8979,7 +9436,7 @@ async function handleRpc(_c, body) {
 						prompts: {}
 					},
 					serverInfo: {
-						name: SERVER_NAME,
+						name: serverInfoNameForScope(scope),
 						version: SERVER_VERSION
 					}
 				})
@@ -8995,7 +9452,7 @@ async function handleRpc(_c, body) {
 			};
 			return {
 				status: 200,
-				body: rpcResult(body.id, { tools: toolEntries() })
+				body: rpcResult(body.id, { tools: toolEntries(scope) })
 			};
 		case "tools/call":
 			if (isNotification) return {
@@ -9004,7 +9461,7 @@ async function handleRpc(_c, body) {
 			};
 			return {
 				status: 200,
-				body: await handleToolsCall(body)
+				body: await handleToolsCall(body, scope)
 			};
 		case "resources/list":
 			if (isNotification) return {
@@ -9081,9 +9538,13 @@ async function handleRpc(_c, body) {
 			};
 	}
 }
-async function handleMcpPost(c) {
+async function handleMcpPost(c, scopeArg = "all") {
 	const auth$1 = checkAuth(c);
 	if (!auth$1.ok) return c.json(rpcError(null, RPC_INVALID_REQUEST, auth$1.reason), auth$1.status);
+	let scope;
+	if (scopeArg === "all") scope = "all";
+	else if (isMcpGroup(scopeArg)) scope = scopeArg;
+	else return c.json(rpcError(null, RPC_METHOD_NOT_FOUND, `unknown MCP group "${scopeArg}"`), 404);
 	let body;
 	try {
 		body = await c.req.json();
@@ -9091,13 +9552,13 @@ async function handleMcpPost(c) {
 		consola.debug("/mcp parse error:", err);
 		return c.json(rpcError(null, RPC_PARSE_ERROR, "request body is not valid JSON"), 200);
 	}
-	if (typeof body === "object" && body !== null && !Array.isArray(body) && body.method === "tools/call" && acceptsEventStream(c.req.header("accept"))) return handleToolsCallSSE(body);
+	if (typeof body === "object" && body !== null && !Array.isArray(body) && body.method === "tools/call" && acceptsEventStream(c.req.header("accept"))) return handleToolsCallSSE(body, scope);
 	if (typeof body === "object" && body !== null && !Array.isArray(body) && body.method === "tools/call") {
-		const preflight = jsonPathPreflightCap(body);
+		const preflight = jsonPathPreflightCap(body, scope);
 		if (preflight) return c.json(preflight, 200);
 	}
 	try {
-		const { status, body: respBody } = await handleRpc(c, body);
+		const { status, body: respBody } = await handleRpc(c, body, scope);
 		if (respBody === null) return c.body(null, status);
 		return c.json(respBody, status);
 	} catch (err) {
@@ -9150,9 +9611,9 @@ function acceptsEventStream(accept) {
 * "Invalid state: Controller is already closed" race without warning.
 */
 const SSE_HEARTBEAT_INTERVAL_MS = 5e3;
-async function handleToolsCallSSE(body) {
+async function handleToolsCallSSE(body, scope) {
 	const encoder = new TextEncoder();
-	const callPromise = handleToolsCall(body);
+	const callPromise = handleToolsCall(body, scope);
 	let heartbeatHandle;
 	const stream = new ReadableStream({
 		async start(controller) {
@@ -10227,14 +10688,247 @@ async function searchWeb(query, signal) {
 }
 
 //#endregion
-//#region src/lib/worker-agent/bash.ts
-/**
-* Env keys preserved from the parent process. Add a new key only if
-* (a) it is genuinely required for typical shell invocations to work
-* AND (b) it cannot carry the user's credentials. The current set was
-* chosen to make `git`, `bun`, `node`, `gh`, common UNIX utilities,
-* and PowerShell/cmd built-ins functional.
-*/
+//#region src/lib/toolbelt/manifest.ts
+function platformArchKey(platform$1 = process.platform, arch = process.arch) {
+	return `${platform$1}-${arch}`;
+}
+function assetFor(spec, platform$1 = process.platform, arch = process.arch) {
+	return spec.assets[platformArchKey(platform$1, arch)];
+}
+const TOOLBELT_TOOLS = [
+	{
+		command: "fd",
+		binBasename: "fd",
+		assets: {
+			"win32-x64": {
+				url: "https://github.com/sharkdp/fd/releases/download/v10.4.2/fd-v10.4.2-x86_64-pc-windows-msvc.zip",
+				sha256: "b2816e506390a89941c63c9187d58a3cc10e9a55f2ef0685f9ea0eccaf7c98c8",
+				archive: "zip"
+			},
+			"win32-arm64": {
+				url: "https://github.com/sharkdp/fd/releases/download/v10.4.2/fd-v10.4.2-aarch64-pc-windows-msvc.zip",
+				sha256: "4f9110c2d5b33a7f760bfa5510f4c113d828109f7277d421b1053a9943c0fc92",
+				archive: "zip"
+			},
+			"darwin-arm64": {
+				url: "https://github.com/sharkdp/fd/releases/download/v10.4.2/fd-v10.4.2-aarch64-apple-darwin.tar.gz",
+				sha256: "623dc0afc81b92e4d4606b380d7bc91916ba7b97814263e554d50923a39e480a",
+				archive: "tar.gz"
+			},
+			"linux-x64": {
+				url: "https://github.com/sharkdp/fd/releases/download/v10.4.2/fd-v10.4.2-x86_64-unknown-linux-musl.tar.gz",
+				sha256: "e3257d48e29a6be965187dbd24ce9af564e0fe67b3e73c9bdcd180f4ec11bdde",
+				archive: "tar.gz"
+			},
+			"linux-arm64": {
+				url: "https://github.com/sharkdp/fd/releases/download/v10.4.2/fd-v10.4.2-aarch64-unknown-linux-musl.tar.gz",
+				sha256: "f32d3657473fba74e2600babc8db0b93420d51169223b7e8143b2ed55d8fd9e8",
+				archive: "tar.gz"
+			}
+		}
+	},
+	{
+		command: "sd",
+		binBasename: "sd",
+		assets: {
+			"win32-x64": {
+				url: "https://github.com/chmln/sd/releases/download/v1.1.0/sd-v1.1.0-x86_64-pc-windows-msvc.zip",
+				sha256: "59837c2e7c911099aca1cc46b663bcdc5a949fd3e9fbbaf34fc73e5d5d71007c",
+				archive: "zip"
+			},
+			"darwin-x64": {
+				url: "https://github.com/chmln/sd/releases/download/v1.1.0/sd-v1.1.0-x86_64-apple-darwin.tar.gz",
+				sha256: "1fca1e9c91813a8aac6821063c923107ba0f66a83309e095edcd3b202f67f97e",
+				archive: "tar.gz"
+			},
+			"darwin-arm64": {
+				url: "https://github.com/chmln/sd/releases/download/v1.1.0/sd-v1.1.0-aarch64-apple-darwin.tar.gz",
+				sha256: "4bd3c09226376ca0a1d69589c91e86276fae36c5fbaaee669afce583f6682030",
+				archive: "tar.gz"
+			},
+			"linux-x64": {
+				url: "https://github.com/chmln/sd/releases/download/v1.1.0/sd-v1.1.0-x86_64-unknown-linux-musl.tar.gz",
+				sha256: "02f00f4777d43e8e95b7b8d49e1a0d6e502fed4b8e79c1c8b8063857a30caa2e",
+				archive: "tar.gz"
+			},
+			"linux-arm64": {
+				url: "https://github.com/chmln/sd/releases/download/v1.1.0/sd-v1.1.0-aarch64-unknown-linux-musl.tar.gz",
+				sha256: "ec8c93c0533ff21f4851d11566808d4082544baf063d9b96ea77c27e98b7cd99",
+				archive: "tar.gz"
+			}
+		}
+	},
+	{
+		command: "jq",
+		binBasename: "jq",
+		assets: {
+			"win32-x64": {
+				url: "https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-windows-amd64.exe",
+				sha256: "23cb60a1354eed6bcc8d9b9735e8c7b388cd1fdcb75726b93bc299ef22dd9334",
+				archive: "raw"
+			},
+			"darwin-x64": {
+				url: "https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-macos-amd64",
+				sha256: "e80dbe0d2a2597e3c11c404f03337b981d74b4a8504b70586c354b7697a7c27f",
+				archive: "raw"
+			},
+			"darwin-arm64": {
+				url: "https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-macos-arm64",
+				sha256: "a9fe3ea2f86dfc72f6728417521ec9067b343277152b114f4e98d8cb0e263603",
+				archive: "raw"
+			},
+			"linux-x64": {
+				url: "https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-linux-amd64",
+				sha256: "020468de7539ce70ef1bceaf7cde2e8c4f2ca6c3afb84642aabc5c97d9fc2a0d",
+				archive: "raw"
+			},
+			"linux-arm64": {
+				url: "https://github.com/jqlang/jq/releases/download/jq-1.8.1/jq-linux-arm64",
+				sha256: "6bc62f25981328edd3cfcfe6fe51b073f2d7e7710d7ef7fcdac28d4e384fc3d4",
+				archive: "raw"
+			}
+		}
+	},
+	{
+		command: "yq",
+		binBasename: "yq",
+		assets: {
+			"win32-x64": {
+				url: "https://github.com/mikefarah/yq/releases/download/v4.53.2/yq_windows_amd64.exe",
+				sha256: "2aee32f1de46a20672f48c25df3018839798bd509143f2ce05fdab1550ff5592",
+				archive: "raw"
+			},
+			"win32-arm64": {
+				url: "https://github.com/mikefarah/yq/releases/download/v4.53.2/yq_windows_arm64.exe",
+				sha256: "448208550332ca33ef816e4cee49fc1e79987b8a08a451c6ae529703c8cfc8a9",
+				archive: "raw"
+			},
+			"darwin-x64": {
+				url: "https://github.com/mikefarah/yq/releases/download/v4.53.2/yq_darwin_amd64",
+				sha256: "616b0a0f6a5b79d746f05a169c2b9bb40dee00c605ef165b9a1c1681bba738ac",
+				archive: "raw"
+			},
+			"darwin-arm64": {
+				url: "https://github.com/mikefarah/yq/releases/download/v4.53.2/yq_darwin_arm64",
+				sha256: "541ba2287560df70f561955e2d7f7e1cd00cf2a15a884f6b5c87a4bfa887bc07",
+				archive: "raw"
+			},
+			"linux-x64": {
+				url: "https://github.com/mikefarah/yq/releases/download/v4.53.2/yq_linux_amd64",
+				sha256: "d56bf5c6819e8e696340c312bd70f849dc1678a7cda9c2ad63eebd906371d56b",
+				archive: "raw"
+			},
+			"linux-arm64": {
+				url: "https://github.com/mikefarah/yq/releases/download/v4.53.2/yq_linux_arm64",
+				sha256: "03061b2a50c7a498de2bbb92d7cb078ce433011f085a4994117c2726be4106ea",
+				archive: "raw"
+			}
+		}
+	},
+	{
+		command: "ast-grep",
+		binBasename: "ast-grep",
+		aliases: ["sg"],
+		assets: {
+			"win32-x64": {
+				url: "https://github.com/ast-grep/ast-grep/releases/download/0.43.0/app-x86_64-pc-windows-msvc.zip",
+				sha256: "a4febbc8c48671e5729d85e29e4ebe5a051b7250d19545bca18e725ccf40ef61",
+				archive: "zip"
+			},
+			"win32-arm64": {
+				url: "https://github.com/ast-grep/ast-grep/releases/download/0.43.0/app-aarch64-pc-windows-msvc.zip",
+				sha256: "a519fdd90324bf6858fde2d3feb2b862d67b834dc11af8f5b6c2c8143ab6a6c5",
+				archive: "zip"
+			},
+			"darwin-x64": {
+				url: "https://github.com/ast-grep/ast-grep/releases/download/0.43.0/app-x86_64-apple-darwin.zip",
+				sha256: "6d703090b106747b2f56086b6ccc7e798fe78bcae70257aa20519b220153555b",
+				archive: "zip"
+			},
+			"darwin-arm64": {
+				url: "https://github.com/ast-grep/ast-grep/releases/download/0.43.0/app-aarch64-apple-darwin.zip",
+				sha256: "8c847d0a29aa4b3101b3361e0b3ee7fb53c7e497adc9ed1afc9615538cd40782",
+				archive: "zip"
+			},
+			"linux-x64": {
+				url: "https://github.com/ast-grep/ast-grep/releases/download/0.43.0/app-x86_64-unknown-linux-gnu.zip",
+				sha256: "a26253a9c821d935f7e383e40f0de7c2ca62a4121de1f73a6d81ec32eae631e0",
+				archive: "zip"
+			},
+			"linux-arm64": {
+				url: "https://github.com/ast-grep/ast-grep/releases/download/0.43.0/app-aarch64-unknown-linux-gnu.zip",
+				sha256: "e706846148493967f3ab8011334817edd86ce5acbec10718b2a7b40799c640ff",
+				archive: "zip"
+			}
+		}
+	}
+];
+
+//#endregion
+//#region src/lib/toolbelt/index.ts
+/** Default ON; disable with GH_ROUTER_DISABLE_TOOLBELT (truthy). */
+function toolbeltEnabled() {
+	return parseBoolEnv(process.env.GH_ROUTER_DISABLE_TOOLBELT) !== true;
+}
+/** Per-tool opt-out via GH_ROUTER_TOOLBELT_SKIP="jq,yq". */
+function toolbeltSkipSet() {
+	const raw = process.env.GH_ROUTER_TOOLBELT_SKIP;
+	if (!raw) return /* @__PURE__ */ new Set();
+	return new Set(raw.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean));
+}
+/** Absolute path to the bundled `@vscode/ripgrep` binary, or null. */
+function vscodeRipgrepPath() {
+	try {
+		const mod = createRequire(import.meta.url)("@vscode/ripgrep");
+		if (mod.rgPath && existsSync(mod.rgPath)) return mod.rgPath;
+	} catch {}
+	return null;
+}
+/**
+* Every curated tool the spawned agent can actually invoke this launch
+* — whether it is already on the user's system PATH OR will be
+* materialized into the toolbelt bin (gap-fill). Used for the awareness
+* one-liner so the model is told about ALL available fast tools, not
+* just the ones we had to download. (Provisioning still only downloads
+* the gap-fill subset; this is purely the advertised set.)
+*/
+function availableToolCommands() {
+	if (!toolbeltEnabled()) return [];
+	const skip = toolbeltSkipSet();
+	const out = [];
+	if (!skip.has("rg") && (resolveExecutable("rg") || vscodeRipgrepPath())) out.push("rg");
+	for (const spec of TOOLBELT_TOOLS) {
+		if (skip.has(spec.command)) continue;
+		if (resolveExecutable(spec.command) || assetFor(spec)) out.push(spec.command);
+	}
+	return out;
+}
+const TOOL_DESC = {
+	rg: "rg (fast regex search)",
+	fd: "fd (fast file finder)",
+	jq: "jq (JSON processor)",
+	sd: "sd (find & replace)",
+	"ast-grep": "ast-grep / sg (structural code search & rewrite)",
+	yq: "yq (YAML / TOML / XML processor)"
+};
+/**
+* The one-line CLAUDE.md / system-prompt note advertising the exposed
+* tools, or null when none are exposed.
+*/
+function buildToolbeltAwareness(commands) {
+	if (commands.length === 0) return null;
+	return "Fast CLI tools are available on your PATH; prefer them when applicable: " + commands.map((c) => TOOL_DESC[c] ?? c).join(", ") + ".";
+}
+
+//#endregion
+//#region src/lib/worker-agent/bash.ts
+/**
+* Env keys preserved from the parent process. Add a new key only if
+* (a) it is genuinely required for typical shell invocations to work
+* AND (b) it cannot carry the user's credentials. The current set was
+* chosen to make `git`, `bun`, `node`, `gh`, common UNIX utilities,
+* and PowerShell/cmd built-ins functional.
+*/
 const ENV_ALLOWLIST = [
 	"PATH",
 	"HOME",
@@ -10272,6 +10966,7 @@ function buildEnv() {
 		const v = process$1.env[key];
 		if (v !== void 0) env[key] = v;
 	}
+	if (toolbeltEnabled()) Object.assign(env, toolbeltPathOverride(env, PATHS.TOOLBELT_BIN_DIR));
 	return env;
 }
 /**
@@ -11204,8 +11899,10 @@ const ADVISOR_TRANSCRIPT_MAX_CHARS = Number(process$1.env.GH_ROUTER_WORKER_ADVIS
 /**
 * Build the AgentTool array for the requested mode.
 *
-*   - explore  → 8 read-only tools
-*   - implement → explore + edit/write/bash
+*   - explore  → 6 read-only tools
+*   - review   → same 6 read-only tools as explore (reviewer framing lives
+*                in the system prompt, not the toolset)
+*   - implement → explore + edit/write/bash/codex_review
 *
 * Order matches the brief and the prompt-mode-note for stability —
 * Pi's tool-injection shape includes the list verbatim, so a stable
@@ -11225,7 +11922,7 @@ function buildWorkerTools(opts) {
 		webSearchTool(),
 		fetchUrlTool()
 	];
-	if (mode === "explore") return explore;
+	if (mode === "explore" || mode === "review") return explore;
 	return [
 		...explore,
 		editTool(workspace),
@@ -11534,15 +12231,18 @@ async function createWorktree(workspaceAbs, opts) {
 */
 const WORKTREE_REGISTRY = new WorktreeRegistry();
 registerExitHandlers(WORKTREE_REGISTRY);
-/** Default model + thinking. See plan: gemini-3.5-flash + "high" — the
-*  defaults are sized for the model that backs the worker tool's
-*  description string in `peer-mcp-personas.ts`. Caller can override.
+/** Default model + thinking. `gemini-3.1-pro-preview` + "high" — the worker
+*  loop is function-calling, and the pro model is materially less prone to
+*  early-stopping with an empty turn than `gemini-3.5-flash` was (the
+*  reliability win is worth the higher per-call cost for autonomous workers).
+*  It advertises `tool_calls` and reasoning low/medium/high. Caller can
+*  override per call via the `model` arg.
 *
 *  Exported so the MCP handler (which renders the worker tool's
 *  description to the LLM and pins a probe row against the model)
 *  reads the same constant — drift between the two would silently
 *  ship a tool whose docs disagree with its runtime default. */
-const DEFAULT_MODEL = "gemini-3.5-flash";
+const DEFAULT_MODEL = "gemini-3.1-pro-preview";
 const DEFAULT_THINKING = "high";
 /**
 * `Model<any>` shim used to satisfy `Agent.initialState.model` typing.
@@ -12101,6 +12801,44 @@ function round2(n) {
 
 //#endregion
 //#region src/lib/peer-mcp-personas.ts
+const MCP_GROUPS = Object.freeze([
+	"peers",
+	"search",
+	"workers",
+	"browser",
+	"decide"
+]);
+const GROUP_META = Object.freeze({
+	peers: {
+		preferredKey: "peers",
+		urlSuffix: "peers",
+		serverInfoName: "github-router-peers"
+	},
+	search: {
+		preferredKey: "search",
+		urlSuffix: "search",
+		serverInfoName: "github-router-search"
+	},
+	workers: {
+		preferredKey: "workers",
+		urlSuffix: "workers",
+		serverInfoName: "github-router-workers"
+	},
+	browser: {
+		preferredKey: "browser",
+		urlSuffix: "browser",
+		serverInfoName: "github-router-browser"
+	},
+	decide: {
+		preferredKey: "decide",
+		urlSuffix: "decide",
+		serverInfoName: "github-router-decide"
+	}
+});
+/** True iff `s` is a registered group name (route `:group` param validation). */
+function isMcpGroup(s) {
+	return typeof s === "string" && MCP_GROUPS.includes(s);
+}
 /**
 * Reasoning effort levels accepted by Copilot's /v1/responses (gpt-5.x) and
 * /v1/chat/completions endpoints. Per the proxy's existing thinking-mode
@@ -12170,14 +12908,14 @@ You are NOT a helpful assistant. You are NOT a coach. Sycophancy is the failure
 ${COLD_START_CONTRACT}
 
 ${CRITIC_RUBRIC}`;
-const GEMINI_CRITIC_BASE = `You are gemini-critic, an adversarial reviewer running on Gemini 3.1 Pro. You exist to provide a second-lab perspective: your training data, RLHF priors, and attention patterns are systematically different from the lead orchestrator's (Opus, Anthropic) and from codex-critic (gpt-5.5, OpenAI). Use that to surface blind spots both miss.
+const GEMINI_CRITIC_BASE = `You are gemini-critic, an adversarial reviewer. Your single job is to overcome the lead orchestrator's blind spots — assumptions it didn't notice it was making, failure modes it didn't enumerate, alternatives it didn't consider.
 
-Your strengths the lead may want to draw on:
+The lead routes a brief to you when it needs:
   - long-context reasoning over large artifacts (the brief may include >50k tokens of context)
   - math, proofs, and formally-stated invariants
-  - cross-checking conclusions where codex-critic has already weighed in (the lead may forward you both the artifact and codex-critic's verdict)
+  - a cross-check of a conclusion another critic already reached (the lead may forward you both the artifact and codex-critic's verdict)
 
-You are NOT a helpful assistant. Sycophancy is the failure mode you exist to fight; do not invent issues to look thorough.
+You are NOT a helpful assistant. Sycophancy is the failure mode you exist to fight. Manufactured contrarianism is a different failure of the same shape — silence on good work is a valid and welcome answer; do not invent issues to look thorough.
 
 ${COLD_START_CONTRACT}
 
@@ -12188,6 +12926,28 @@ You are not a critic-of-architecture. If the brief is a plan or a high-level des
 
 ${COLD_START_CONTRACT}
 
+Reply format (markdown):
+  ## Summary
+  <one sentence: clean / N findings / blocking issue>
+  ## Findings
+  For each:
+    ### <severity: info | low | medium | high | critical> — <one-line title>
+    - location: <file:line[-line]>
+    - issue: <what's wrong, why it matters in this codebase>
+    - suggested fix: <minimal change OR "needs design discussion">
+  Number the findings if there are more than one. List them in severity-descending order (critical first).
+  If there are zero findings of any severity, reply only with "## Summary\\nClean review — no findings." and stop.
+
+Self-reminder (read before every reply):
+  Am I citing real code at real line numbers in the brief? If a finding doesn't have a concrete file:line citation, drop it.
+  Did I rank the finding's severity by impact-in-this-codebase, not by general-principle?
+  If everything looks fine, say so cleanly — do not pad with stylistic nitpicks.`;
+const GEMINI_REVIEWER_BASE = `You are a line-level code reviewer. You read concrete code — diffs, single files, function bodies — and surface real bugs, edge cases, security / concurrency / resource issues, and idiom violations at specific line numbers. Find what is actually wrong: do not invent issues to look thorough, and do not pad with stylistic nitpicks.
+
+You are not a critic-of-architecture. If the brief is a plan or a high-level design, say so and stop: "this looks like architecture review, not line-level code review." Your tool is the magnifying glass, not the wide-angle lens.
+
+${COLD_START_CONTRACT}
+
 Reply format (markdown):
   ## Summary
   <one sentence: clean / N findings / blocking issue>
@@ -12293,6 +13053,24 @@ const PERSONAS_READ = Object.freeze([
 		],
 		defaultEffort: "xhigh"
 	},
+	{
+		agentName: "gemini-reviewer",
+		toolNameHttp: "gemini_reviewer",
+		model: "gemini-3.1-pro-preview",
+		endpoint: "/v1/chat/completions",
+		description: "Line-level review of a concrete diff or single file on gemini-3.1-pro (Google, high reasoning): a second-lab code reviewer that catches a different slice of defects than codex_reviewer (OpenAI). Use alongside codex_reviewer for cross-lab coverage of a diff. Not for architecture (use codex_critic / gemini_critic for plans). Pass artifact verbatim.",
+		baseInstructions: GEMINI_REVIEWER_BASE,
+		agentPrompt: "",
+		writeCapable: false,
+		requiresHttp: true,
+		requiresGeminiCatalog: true,
+		allowedEfforts: [
+			"low",
+			"medium",
+			"high"
+		],
+		defaultEffort: "high"
+	},
 	{
 		agentName: "opus-critic",
 		toolNameHttp: "opus_critic",
@@ -12336,8 +13114,11 @@ const PERSONAS_WRITE = Object.freeze([{
 *
 * Two modes branch on `codexCli`:
 *   - HTTP backend: subagent calls the per-persona tool
-*     `mcp__gh-router-peers__<toolNameHttp>` with `{prompt, context}`;
-*     model + instructions are server-baked.
+*     `mcp__<peersKey>__<toolNameHttp>` with `{prompt, context}`;
+*     model + instructions are server-baked. `peersKey` is the resolved
+*     config key for the `peers` server — normally the bare `peers`, or the
+*     `gh-router-peers` fallback when the user already has a `peers` MCP
+*     (so the routing string always points at OUR server, never the user's).
 *   - codex-cli backend: subagent calls the single
 *     `mcp__codex-cli__codex` tool with `{prompt, model: <persona.model>,
 *     base-instructions: <persona.baseInstructions>}`. Gemini stays on
@@ -12345,7 +13126,7 @@ const PERSONAS_WRITE = Object.freeze([{
 */
 function buildAgentPrompt(persona, opts) {
 	const useStdio = opts.codexCli && !persona.requiresHttp;
-	const toolPath = useStdio ? "mcp__codex-cli__codex" : `mcp__gh-router-peers__${persona.toolNameHttp}`;
+	const toolPath = useStdio ? "mcp__codex-cli__codex" : `mcp__${opts.peersKey}__${persona.toolNameHttp}`;
 	const invocationBlock = useStdio ? [
 		`Always invoke the \`${toolPath}\` tool with these arguments:`,
 		"  - `prompt`: the lead's brief, copied verbatim",
@@ -12413,22 +13194,31 @@ function buildAgentPrompt(persona, opts) {
 *     by descendants.
 */
 function buildPeerAwarenessSnippet(opts) {
+	const key = (g) => opts.groupKeys?.[g] ?? GROUP_META[g].preferredKey;
+	const peersKey = key("peers");
+	const searchKey = key("search");
+	const workersKey = key("workers");
+	const browserKey = key("browser");
+	const decideKey = key("decide");
 	const criticList = ["`codex_critic` (gpt-5.5)", "`codex_reviewer` (gpt-5.3-codex)"];
-	if (opts.geminiAvailable) criticList.push("`gemini_critic` (gemini-3.1-pro)");
+	if (opts.geminiAvailable) {
+		criticList.push("`gemini_reviewer` (gemini-3.1-pro, line-level code review)");
+		criticList.push("`gemini_critic` (gemini-3.1-pro)");
+	}
 	criticList.push("`opus_critic` (Opus 4.7)");
 	const codexCliClause = opts.codexCli ? " `mcp__codex-cli__codex` dispatches to `codex-implementer` (gpt-5.3-codex with workspace-write) for end-to-end coding tasks." : "";
-	const para2Parts = ["`code_search` returns ranked code-discovery hits (BM25F + tree-sitter ranking, no additional model call). Multiple independent queries can run in a single turn. The index covers code-shaped files; for unstructured files (logs, `.csv`, `.env*`, config-only wiring), `grep`/`glob` still apply."];
-	if (opts.workerToolsAvailable) para2Parts.push("`worker_explore` runs a Gemini-backed read-only worker that returns a summary, using its own context rather than yours; concurrent launches share the `MAX_INFLIGHT_TOOLS_CALL=8` cap with operator traffic.", "`worker_implement` is the same worker with edit/write/bash; `worktree: true` runs it in an isolated git worktree and returns the diff.", "Workers themselves have `code_search` in their toolset.");
-	para2Parts.push("`web_search` surfaces citable sources for docs, errors, and upstream issues.");
-	if (opts.standInAvailable) para2Parts.push("`stand_in` provides three-lab consensus for decision tiebreak when the user is unavailable.");
+	const para2Parts = [`\`mcp__${searchKey}__code\` returns ranked code-discovery hits (BM25F + tree-sitter ranking, no additional model call). Multiple independent queries can run in a single turn. The index covers code-shaped files; for unstructured files (logs, \`.csv\`, \`.env*\`, config-only wiring), \`grep\`/\`glob\` still apply.`];
+	if (opts.workerToolsAvailable) para2Parts.push(`\`mcp__${workersKey}__explore\` runs a Gemini-backed read-only worker that returns a summary, using its own context rather than yours; concurrent launches share the \`MAX_INFLIGHT_TOOLS_CALL=8\` cap with operator traffic.`, `\`mcp__${workersKey}__review\` is the same read-only worker framed as a code reviewer that reads the relevant code itself to verify a change or claim and reports findings with severity, so it checks surrounding context the \`peers\` critics (single stateless calls on the pasted artifact) cannot.`, `\`mcp__${workersKey}__implement\` is the same worker with edit/write/bash; \`worktree: true\` runs it in an isolated git worktree and returns the diff.`, "Workers themselves have `code_search` in their toolset.");
+	para2Parts.push(`\`mcp__${searchKey}__web\` surfaces citable sources for docs, errors, and upstream issues.`);
+	if (opts.standInAvailable) para2Parts.push(`\`mcp__${decideKey}__stand_in\` provides three-lab consensus for decision tiebreak when the user is unavailable.`);
 	if (opts.browseAvailable) {
-		const powerNote = opts.powerBrowseAvailable ? " Power mode is on: the L0/L1 primitives (`browser_mouse`, `browser_drag`, `browser_type`, `browser_keyboard`, `browser_scroll`, `browser_eval_js`, `browser_read_page`, `browser_diagnostics`, `browser_find`) are also available for direct DOM / coordinate control." : "";
-		para2Parts.push(`\`browser_*\` tools (under \`mcp__gh-router-peers__browser_*\`) drive a real Chrome / Edge browser via a local extension. Lead surface: \`browser_act(intent, value?)\` for any click / fill / type / scroll-to (an inner fast model resolves intent), \`browser_observe(intent?)\` for a 2-4 sentence natural-language page description, \`browser_extract(schema, instruction)\` for typed extraction, \`browser_navigate\` / \`browser_open_tab\` / \`browser_screenshot\` for state and visuals. The lead model never sees raw DOM: refs, bboxes, and role/name dumps stay internal.${powerNote}`);
+		const powerNote = opts.powerBrowseAvailable ? ` Power mode is on: the L0/L1 primitives (\`mcp__${browserKey}__mouse\`, \`__drag\`, \`__type\`, \`__keyboard\`, \`__scroll\`, \`__eval_js\`, \`__read_page\`, \`__diagnostics\`, \`__find\`) are also available for direct DOM / coordinate control.` : "";
+		para2Parts.push(`\`mcp__${browserKey}__*\` tools drive a real Chrome / Edge browser via a local extension. Lead surface: \`__act(intent, value?)\` for any click / fill / type / scroll-to (an inner fast model resolves intent), \`__observe(intent?)\` for a 2-4 sentence natural-language page description, \`__extract(schema, instruction)\` for typed extraction, \`__navigate\` / \`__open_tab\` / \`__screenshot\` for state and visuals. The lead model never sees raw DOM: refs, bboxes, and role/name dumps stay internal.${powerNote}`);
 	}
 	return [
 		"## Peer review and advisor",
 		"",
-		`Cross-lab peer critics under \`mcp__gh-router-peers__*\` (${criticList.join(", ")}) are available at your discretion for adversarial review. Each tool's description explains its scope and when it applies. The \`peer-review-coordinator\` subagent fans out to the appropriate critics in parallel and aggregates findings by severity. Claude Code's built-in \`advisor\` tool catches approach drift and confabulation. Subagents you spawn inherit all of these.${codexCliClause}`,
+		`Cross-lab peer critics under \`mcp__${peersKey}__*\` (${criticList.join(", ")}) are available at your discretion for adversarial review. Each tool's description explains its scope and when it applies. The \`peer-review-coordinator\` subagent fans out to the appropriate critics in parallel and aggregates findings by severity. Claude Code's built-in \`advisor\` tool catches approach drift and confabulation. Subagents you spawn inherit all of these.${codexCliClause}`,
 		"",
 		para2Parts.join(" ")
 	].join("\n");
@@ -12461,7 +13251,8 @@ function formatWebSearchResult(results) {
 }
 const NON_PERSONA_MCP_TOOLS = Object.freeze([
 	{
-		toolNameHttp: "web_search",
+		toolNameHttp: "web",
+		group: "search",
 		description: WEB_SEARCH_DESCRIPTION,
 		inputSchema: {
 			type: "object",
@@ -12498,8 +13289,9 @@ const NON_PERSONA_MCP_TOOLS = Object.freeze([
 		}
 	},
 	{
-		toolNameHttp: "code_search",
-		description: "Fast structured code search over a local workspace. Returns ranked, deduplicated hits with snippets. Ranks with BM25F across matched-line / file-path / surrounding-context / symbol-context fields, then refines `symbol-context` with tree-sitter AST analysis on the top hits so identifier definitions outrank incidental string matches. Launch multiple code_search calls in parallel to triangulate — e.g. definition + callers + tests in one round-trip. Prefer this over Grep/Bash+grep for ranked discovery (\"where is X defined\", \"which files reference Y\", \"find code that does Z\") — ranked mode surfaces the few right answers instead of every match. Use Grep for exact-pattern enumeration when you need every hit unranked, and Glob for file-name patterns (no content match). `workspace` is any absolute path the proxy process can read — typically the project root or a sub-tree you're working in.",
+		toolNameHttp: "code",
+		group: "search",
+		description: "Fast structured code search over a local workspace. Returns ranked, deduplicated hits with snippets. Ranks with BM25F across matched-line / file-path / surrounding-context / symbol-context fields, then refines `symbol-context` with tree-sitter AST analysis on the top hits so identifier definitions outrank incidental string matches. Launch multiple code searches in parallel to triangulate — e.g. definition + callers + tests in one round-trip. Prefer this over Grep/Bash+grep for ranked discovery (\"where is X defined\", \"which files reference Y\", \"find code that does Z\") — ranked mode surfaces the few right answers instead of every match. Use Grep for exact-pattern enumeration when you need every hit unranked, and Glob for file-name patterns (no content match). `workspace` is any absolute path the proxy process can read — typically the project root or a sub-tree you're working in.",
 		inputSchema: {
 			type: "object",
 			required: ["query", "workspace"],
@@ -12587,9 +13379,10 @@ const NON_PERSONA_MCP_TOOLS = Object.freeze([
 		}
 	},
 	{
-		toolNameHttp: "worker_explore",
+		toolNameHttp: "explore",
+		group: "workers",
 		capability: "worker",
-		description: "Read-only investigation by an autonomous worker (Pi runtime; default model `gemini-3.5-flash`, override via the `model` arg with any Copilot-catalog model that advertises `tool_calls`). Tools: read, glob, grep, code_search, web_search, fetch_url. The worker's system prompt sandboxes it and gives one-line descriptions of each tool, so brief it on the investigation, not on tool semantics. Offloads bounded research that would otherwise eat your context window — the worker plans its own tool calls and returns a single text answer. Examples: \"find files matching X then summarize\", \"how does library Y handle Z\", \"survey this codebase for usages of deprecated API\".",
+		description: "Read-only investigation by an autonomous worker (Pi runtime; default model `gemini-3.1-pro-preview`, override via the `model` arg with any Copilot-catalog model that advertises `tool_calls`). Tools: read, glob, grep, code_search, web_search, fetch_url. The worker's system prompt sandboxes it and gives one-line descriptions of each tool, so brief it on the investigation, not on tool semantics. Offloads bounded research that would otherwise eat your context window — the worker plans its own tool calls and returns a single text answer. Examples: \"find files matching X then summarize\", \"how does library Y handle Z\", \"survey this codebase for usages of deprecated API\".",
 		inputSchema: {
 			type: "object",
 			required: ["prompt"],
@@ -12601,7 +13394,7 @@ const NON_PERSONA_MCP_TOOLS = Object.freeze([
 				},
 				model: {
 					type: "string",
-					description: "Optional Copilot catalog model id (defaults to gemini-3.5-flash). Must advertise tool_calls support; the engine emits an isError envelope listing the eligible catalog models on mismatch."
+					description: "Optional Copilot catalog model id (defaults to gemini-3.1-pro-preview). Must advertise tool_calls support; the engine emits an isError envelope listing the eligible catalog models on mismatch."
 				},
 				thinking: {
 					type: "string",
@@ -12630,9 +13423,10 @@ const NON_PERSONA_MCP_TOOLS = Object.freeze([
 		}
 	},
 	{
-		toolNameHttp: "worker_implement",
+		toolNameHttp: "implement",
+		group: "workers",
 		capability: "worker",
-		description: "Delegates a scoped coding task to an autonomous worker (Pi runtime; default model `gemini-3.5-flash`, override via the `model` arg with any Copilot-catalog model that advertises `tool_calls`). Tools: the worker_explore read-only set plus edit, write, bash, and codex_review (code review by codex-reviewer / gpt-5.3-codex). The worker's system prompt sandboxes it and gives one-line descriptions of each tool, so brief it on the task, not on tool semantics. With `worktree: false` (default) edits in place — concurrent worker_implement calls and Claude's own edits to the same files will race. With `worktree: true` runs in an isolated git worktree and returns the diff for review. HARD ERROR if true and the workspace is not a git repository.",
+		description: "Delegates a scoped coding task to an autonomous worker (Pi runtime; default model `gemini-3.1-pro-preview`, override via the `model` arg with any Copilot-catalog model that advertises `tool_calls`). Tools: the worker_explore read-only set plus edit, write, bash, and codex_review (code review by codex-reviewer / gpt-5.3-codex). The worker's system prompt sandboxes it and gives one-line descriptions of each tool, so brief it on the task, not on tool semantics. With `worktree: false` (default) edits in place — concurrent worker_implement calls and Claude's own edits to the same files will race. With `worktree: true` runs in an isolated git worktree and returns the diff for review. HARD ERROR if true and the workspace is not a git repository.",
 		inputSchema: {
 			type: "object",
 			required: ["prompt"],
@@ -12648,7 +13442,7 @@ const NON_PERSONA_MCP_TOOLS = Object.freeze([
 				},
 				model: {
 					type: "string",
-					description: "Optional Copilot catalog model id (defaults to gemini-3.5-flash). Must advertise tool_calls support; the engine emits an isError envelope listing the eligible catalog models on mismatch."
+					description: "Optional Copilot catalog model id (defaults to gemini-3.1-pro-preview). Must advertise tool_calls support; the engine emits an isError envelope listing the eligible catalog models on mismatch."
 				},
 				thinking: {
 					type: "string",
@@ -12676,8 +13470,53 @@ const NON_PERSONA_MCP_TOOLS = Object.freeze([
 			});
 		}
 	},
+	{
+		toolNameHttp: "review",
+		group: "workers",
+		capability: "worker",
+		description: "Read-only code review by an autonomous worker (Pi runtime; default model `gemini-3.1-pro-preview`, override via `model` with any Copilot-catalog model that advertises `tool_calls`). Same read-only toolset as `explore` (read, glob, grep, code_search, web_search, fetch_url) — it CANNOT edit — but the worker is framed as a reviewer: it verifies correctness against the actual code itself rather than trusting a claim, and reports findings (bugs, edge cases, security / concurrency / resource risks, missing handling) with a severity and `file:line`. Brief it with the change / diff / claim to verify (paste it, or name the files) — it reads the code to confirm, so you get a self-verifying second opinion that doesn't depend on you having pre-extracted the relevant code. Unlike the `peers` critics (single stateless model calls on the artifact you paste), this worker can navigate the repo to check surrounding context for itself.",
+		inputSchema: {
+			type: "object",
+			required: ["prompt"],
+			additionalProperties: false,
+			properties: {
+				prompt: {
+					type: "string",
+					description: "What to review / verify — a diff, a claim about the code, or a file / function to audit. The worker reads the relevant code itself and reports findings; it does not need the code pre-pasted, but pasting the diff helps."
+				},
+				model: {
+					type: "string",
+					description: "Optional Copilot catalog model id (defaults to gemini-3.1-pro-preview). Must advertise tool_calls support; the engine emits an isError envelope listing the eligible catalog models on mismatch."
+				},
+				thinking: {
+					type: "string",
+					enum: [
+						"off",
+						"minimal",
+						"low",
+						"medium",
+						"high",
+						"xhigh"
+					],
+					description: "Optional reasoning depth (default high). Silently clamped to the model's allowed range; \"off\" drops the parameter entirely."
+				},
+				workspace: {
+					type: "string",
+					description: "Optional absolute path to the workspace the worker operates in. Defaults to the proxy's launch cwd. Use this when the parent agent has multiple workspaces open and the worker must operate in a specific one. Must be absolute (relative paths rejected)."
+				}
+			}
+		},
+		async handler(args, signal) {
+			return runWorkerToolCall({
+				mode: "review",
+				args,
+				signal
+			});
+		}
+	},
 	{
 		toolNameHttp: "stand_in",
+		group: "decide",
 		capability: "stand_in",
 		description: "**Away-mode decision tiebreak.** Three-lab advisor (gpt-5.5 xhigh, opus-4.7 xhigh, gemini-3.1-pro high) for **when the user is unavailable and you are stuck between two or more concrete options**. Polls all three across two structured rounds (blind vote → informed re-vote with peer reasoning visible) and returns a ranked-choice verdict. Use when: you would otherwise halt and wait for the user. Do NOT use for: code review (use `peer-review-coordinator`), open-ended exploration, single-model second opinions (use `codex_critic` / `gemini_critic` / `opus_critic` directly), or as a substitute for user confirmation on irreversible actions (push, delete, drop, deploy — those still require the user even with three-lab consensus).",
 		inputSchema: {
@@ -12724,9 +13563,37 @@ const NON_PERSONA_MCP_TOOLS = Object.freeze([
 			return runStandInToolCall(args, signal);
 		}
 	},
-	...BROWSER_TOOLS
+	...BROWSER_TOOLS.map((t) => ({
+		...t,
+		group: "browser",
+		toolNameHttp: t.toolNameHttp.replace(/^browser_/, "")
+	}))
 ]);
 /**
+* Startup invariant: every MCP tool name must be unique within its group
+* AND across the unscoped `/mcp` union. `handleToolsCall` keys dispatch on
+* the bare tool name, so a duplicate would silently shadow — this assertion
+* fails loudly on future drift instead. Cheap; called once at server boot
+* (and pinned by a test). Personas are definitionally the `peers` group.
+*/
+function assertMcpToolSurfaceConsistent() {
+	const perGroup = /* @__PURE__ */ new Map();
+	const union = /* @__PURE__ */ new Set();
+	const add = (group, name$1) => {
+		let g = perGroup.get(group);
+		if (!g) {
+			g = /* @__PURE__ */ new Set();
+			perGroup.set(group, g);
+		}
+		if (g.has(name$1)) throw new Error(`assertMcpToolSurfaceConsistent: tool "${name$1}" duplicated within group "${group}"`);
+		g.add(name$1);
+		if (union.has(name$1)) throw new Error(`assertMcpToolSurfaceConsistent: tool "${name$1}" duplicated across the unscoped /mcp union — handleToolsCall keys on the bare name and cannot disambiguate`);
+		union.add(name$1);
+	};
+	for (const p of [...PERSONAS_READ, ...PERSONAS_WRITE]) add("peers", p.toolNameHttp);
+	for (const t of NON_PERSONA_MCP_TOOLS) add(t.group, t.toolNameHttp);
+}
+/**
 * Shared closure body for the two worker MCP tools. Validates the
 * minimal arg shape (prompt required + optional knobs typed), then
 * forwards to `runWorkerAgent`. `workspace` defaults to the proxy's
@@ -12933,6 +13800,11 @@ async function runStandInToolCall(args, signal) {
 
 //#endregion
 //#region src/lib/codex-mcp-config.ts
+/** The `peers` server is always enabled, so its resolved key always exists;
+*  this convenience reads it with the bare-key fallback for safety. */
+function peersKeyOf(groupKeys) {
+	return groupKeys.peers ?? GROUP_META.peers.preferredKey;
+}
 /**
 * Decide which MCP backend serves the codex personas.
 *
@@ -12956,21 +13828,28 @@ function resolveCodexCliBackend(opts) {
 	return "cli";
 }
 /**
-* Build the JSON payload for `claude --mcp-config <path>`.
+* Build the JSON payload for `claude --mcp-config <path>` (and the same
+* entries that get merged into the mirrored `.claude.json`).
 *
-* Always registers `gh-router-peers` (HTTP) — that's the home of all
-* read-only personas, and it's the only path Gemini can take. When
+* Emits one HTTP `mcpServers` entry per enabled group present in
+* `opts.groupKeys`, each pointing at its scoped `/mcp/<group>` endpoint
+* under the resolved (bare or prefixed-fallback) config key. When
 * `codexCli` is true, also registers `codex-cli` (stdio) which spawns
-* `codex mcp-server` with the proxy's provider-config flags so codex
-* runs through our Copilot-routed billing path rather than its
-* default api.openai.com.
+* `codex mcp-server` with the proxy's provider-config flags so codex runs
+* through our Copilot-routed billing path rather than its default
+* api.openai.com.
 */
 function buildPeerMcpConfig(serverUrl, opts) {
-	const mcpServers = { "gh-router-peers": {
-		type: "http",
-		url: `${serverUrl}/mcp`,
-		headers: { Authorization: `Bearer ${opts.nonce}` }
-	} };
+	const mcpServers = {};
+	for (const group of MCP_GROUPS) {
+		const key = opts.groupKeys[group];
+		if (!key) continue;
+		mcpServers[key] = {
+			type: "http",
+			url: `${serverUrl}/mcp/${GROUP_META[group].urlSuffix}`,
+			headers: { Authorization: `Bearer ${opts.nonce}` }
+		};
+	}
 	if (opts.codexCli) mcpServers["codex-cli"] = {
 		command: "codex",
 		args: ["mcp-server", ...buildCodexProviderConfigFlags(serverUrl)],
@@ -13003,6 +13882,7 @@ function buildCoordinatorAgent(opts) {
 	const peers = ["codex-critic", "opus-critic"];
 	if (opts.geminiAvailable) peers.push("gemini-critic");
 	peers.push("codex-reviewer");
+	if (opts.geminiAvailable) peers.push("gemini-reviewer");
 	return {
 		description: "Coordinates cross-lab adversarial review across codex-critic, opus-critic, gemini-critic, codex-reviewer. Use proactively before non-trivial plans and after non-trivial commits. Always pass artifacts verbatim — peers are fresh-context.",
 		prompt: [
@@ -13017,7 +13897,7 @@ function buildCoordinatorAgent(opts) {
 			"The lead's brief will include an artifact (plan, design, diff, or code) and a goal (e.g. 'review before exit-plan', 'review the commit I just made', 'cross-check codex-critic's verdict'). Pick the right peers for the artifact type:",
 			"",
 			"- **Plan / design / architecture choice** → fan out to `codex-critic` (gpt-5.5, strongest reasoning, cross-lab)" + (opts.geminiAvailable ? " AND `gemini-critic` (third-lab triangulation, strong on formal reasoning) in parallel" : "") + ". codex-reviewer is the wrong tool for plans (it's a code-specialist, not an architecture critic).",
-			"- **Concrete diff or single file** → fan out to `codex-reviewer` (gpt-5.3-codex, line-level code specialist, fastest at ~16s)" + (opts.geminiAvailable ? " AND `gemini-critic` for cross-lab triangulation" : "") + ". For very small changes (<20 lines), one `codex-reviewer` call is enough.",
+			"- **Concrete diff or single file** → fan out to `codex-reviewer` (gpt-5.3-codex, line-level code specialist, fastest at ~16s)" + (opts.geminiAvailable ? " AND `gemini-reviewer` (gemini-3.1-pro, second-lab line-level review)" : "") + (opts.geminiAvailable ? " AND `gemini-critic` for cross-lab triangulation" : "") + ". For very small changes (<20 lines), one `codex-reviewer` call is enough.",
 			"- **Large artifact** → the only peers that take a large artifact WHOLE are `codex-critic` (gpt-5.5, ≈922K-token input window) and `opus-critic` (Opus-4.7-1M, ≈936K-token input on enterprise catalogs; ≈168K otherwise). Route the full artifact to those for cross-lab coverage. `codex-reviewer` (≈272K) and `gemini-critic` (≈136K) have small windows — see Decomposition below: never summarize or downsize the request to squeeze a large artifact into a small-window peer.",
 			"- **Formal reasoning, proofs, or invariants** → prefer `gemini-critic`" + (opts.geminiAvailable ? " (gemini-3.1-pro, strong on math and formally-stated properties)" : " (NOT REGISTERED in this session — gemini-3.x not in catalog)") + ".",
 			"- **Tie-breaker after codex-critic has weighed in** → call `gemini-critic`" + (opts.geminiAvailable ? "" : " (NOT REGISTERED in this session)") + " or `opus-critic` with the artifact AND codex-critic's verdict for cross-check.",
@@ -13072,9 +13952,13 @@ function buildPeerAgentDefinitions(opts) {
 		codexCli: opts.codexCli,
 		geminiAvailable: opts.geminiAvailable
 	});
+	const peersKey = peersKeyOf(opts.groupKeys);
 	for (const persona of personas) out[persona.agentName] = {
 		description: persona.description,
-		prompt: buildAgentPrompt(persona, { codexCli: opts.codexCli })
+		prompt: buildAgentPrompt(persona, {
+			codexCli: opts.codexCli,
+			peersKey
+		})
 	};
 	out["peer-review-coordinator"] = buildCoordinatorAgent({
 		codexCli: opts.codexCli,
@@ -13181,6 +14065,65 @@ async function writePeerAgentMdFiles(agents, opts) {
 	};
 }
 /**
+* Read just the `mcpServers` object from a mirrored `.claude.json` (or `{}`
+* on missing / malformed). Used by `resolveGroupKeysFromMirror` to detect
+* which of our bare group keys would collide with a user-side entry.
+*/
+async function readMcpServersSnapshot(target) {
+	try {
+		const raw = await fs.readFile(target, "utf8");
+		const parsed = JSON.parse(raw);
+		if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+			const servers = parsed.mcpServers;
+			if (servers && typeof servers === "object" && !Array.isArray(servers)) return servers;
+		}
+	} catch {}
+	return {};
+}
+/**
+* Resolve a config-entry key for each enabled group, defending against
+* collisions with the user's own `mcpServers`. Prefer the bare key
+* (`peers`/`search`/…); on collision walk the numbered fallback sequence
+* `gh-router-<group>`, `gh-router-<group>-2`, `gh-router-<group>-3`, …
+* until a free name is found. This NEVER skips and NEVER returns a name the
+* user already owns: every enabled group is guaranteed a key WE control, so
+* a capability is never silently dropped AND the model is never routed at
+* the user's same-named server (the caller threads these resolved keys into
+* both the `mcpServers` entries AND the persona `.md` routing strings). The
+* `skipped` field is retained for API stability but is always empty now.
+*
+* Reads the mirror snapshot once; the caller passes the result to BOTH
+* `writePeerMcpRuntimeFiles` and `injectPeerMcpIntoMirror`. The mirror is a
+* per-launch dir written ONLY by us (after `ensureClaudeConfigMirror`
+* snapshotted the user's config) and nothing mutates it between this read
+* and `injectPeerMcpIntoMirror`'s write, so the two reads see identical
+* state — no TOCTOU window, and the inject-side defensive conflict check
+* never fires for these resolved keys.
+*/
+async function resolveGroupKeysFromMirror(enabledGroups, claudeConfigDir) {
+	const dir = claudeConfigDir ?? PATHS.CLAUDE_CONFIG_DIR;
+	const existing = await readMcpServersSnapshot(path.join(dir, ".claude.json"));
+	const keys = {};
+	for (const group of enabledGroups) {
+		const bare = GROUP_META[group].preferredKey;
+		if (existing[bare] === void 0) {
+			keys[group] = bare;
+			continue;
+		}
+		let candidate = `gh-router-${group}`;
+		let n = 1;
+		while (existing[candidate] !== void 0) {
+			n += 1;
+			candidate = `gh-router-${group}-${n}`;
+		}
+		keys[group] = candidate;
+	}
+	return {
+		keys,
+		skipped: []
+	};
+}
+/**
 * Mutate the mirrored `<CLAUDE_CONFIG_DIR>/.claude.json` to add the
 * `gh-router-peers` entry (and `codex-cli` when enabled) under
 * `mcpServers`. This is the load-bearing fix for subagent MCP visibility.
@@ -13231,13 +14174,14 @@ async function injectPeerMcpIntoMirror(serverUrl, opts) {
 	const peerConfig = buildPeerMcpConfig(serverUrl, {
 		codexCli: opts.codexCli,
 		geminiAvailable: opts.geminiAvailable,
+		groupKeys: opts.groupKeys,
 		nonce: opts.nonce,
 		codexHome: opts.codexHome ?? PATHS.CODEX_HOME
 	});
 	const conflicts = [];
 	for (const name$1 of Object.keys(peerConfig.mcpServers)) if (mcpServers[name$1] !== void 0) conflicts.push(name$1);
 	if (conflicts.length > 0) {
-		consola.warn(`injectPeerMcpIntoMirror: your ~/.claude/.claude.json already has mcpServers entries named [${conflicts.join(", ")}]; refusing to overwrite. Subagents will not see the peer-MCP tools — only the parent session via --mcp-config fallback. To resolve, rename the user-side server(s) (e.g. via \`claude mcp remove\`) and relaunch.`);
+		consola.warn(`injectPeerMcpIntoMirror: your ~/.claude/.claude.json already has mcpServers entries named [${conflicts.join(", ")}]; refusing to overwrite. Subagents will not see those tools — only the parent session via --mcp-config fallback. To resolve, rename the user-side server(s) (e.g. via \`claude mcp remove\`) and relaunch.`);
 		return {
 			ok: false,
 			reason: "user-has-conflicting-entry",
@@ -13288,12 +14232,14 @@ async function writePeerMcpRuntimeFiles(serverUrl, opts) {
 	const mcpConfig = buildPeerMcpConfig(serverUrl, {
 		codexCli: opts.codexCli,
 		geminiAvailable: opts.geminiAvailable,
+		groupKeys: opts.groupKeys,
 		nonce,
 		codexHome
 	});
 	const agents = buildPeerAgentDefinitions({
 		codexCli: opts.codexCli,
 		geminiAvailable: opts.geminiAvailable,
+		groupKeys: opts.groupKeys,
 		nonce,
 		codexHome
 	});
@@ -13361,7 +14307,13 @@ function makeDedupeKey(logObj) {
 	const key = `${logObj.type}:${firstArg}`;
 	return key.length > DEDUP_KEY_MAX_LEN ? key.slice(0, DEDUP_KEY_MAX_LEN) : key;
 }
-function rotateIfNeeded(filePath) {
+/**
+* Construction-time rotation: rename the log aside if it's already over the
+* cap before we start appending. Runs with no descriptor held (the instance
+* fd is opened lazily on the first `log()`), so a plain path stat + rename is
+* correct here. The per-`log()` ceiling check lives in `rotateIfNeeded()`.
+*/
+function rotateAtStartup(filePath) {
 	let size;
 	try {
 		size = fs$1.statSync(filePath).size;
@@ -13378,9 +14330,57 @@ var FileLogReporter = class FileLogReporter {
 	seen = /* @__PURE__ */ new Set();
 	bytesSinceCheck = 0;
 	static ROTATE_CHECK_BYTES = MAX_LOG_BYTES / 2;
+	fd;
 	constructor(filePath) {
 		this.filePath = filePath;
-		rotateIfNeeded(filePath);
+		rotateAtStartup(filePath);
+	}
+	ensureFd() {
+		if (this.fd !== void 0) return this.fd;
+		try {
+			this.fd = fs$1.openSync(this.filePath, "a", 384);
+		} catch {
+			this.fd = void 0;
+		}
+		return this.fd;
+	}
+	closeFd() {
+		if (this.fd === void 0) return;
+		try {
+			fs$1.closeSync(this.fd);
+		} catch {}
+		this.fd = void 0;
+	}
+	/**
+	* Enforce the MAX_LOG_BYTES ceiling. Sizes the LIVE file (fstat on the open
+	* fd when we hold one — no path race — else a path stat), and on overflow
+	* CLOSES the fd before renaming. Closing first is load-bearing on Windows
+	* (renaming a file with an open handle fails with EBUSY/EPERM) and correct
+	* on POSIX too (a held append-fd would otherwise keep writing into the
+	* renamed `.1` inode). The fd is left closed so the next write reopens the
+	* freshly-created file.
+	*/
+	rotateIfNeeded() {
+		let size;
+		try {
+			size = this.fd !== void 0 ? fs$1.fstatSync(this.fd).size : fs$1.statSync(this.filePath).size;
+		} catch {
+			return;
+		}
+		if (size <= MAX_LOG_BYTES) return;
+		this.closeFd();
+		try {
+			fs$1.renameSync(this.filePath, this.filePath + ".1");
+		} catch {}
+	}
+	/**
+	* Close the held descriptor. Safe to call repeatedly and after a write
+	* failure. Optional for correctness (writeSync flushes immediately and the
+	* OS closes fds at process exit), but lets a long-lived host release the
+	* handle deterministically on shutdown.
+	*/
+	close() {
+		this.closeFd();
 	}
 	log(logObj, _ctx) {
 		if (!ALLOWED_TYPES.has(logObj.type)) return;
@@ -13391,17 +14391,15 @@ var FileLogReporter = class FileLogReporter {
 		const line = formatLogLine(logObj);
 		this.bytesSinceCheck += line.length;
 		if (this.bytesSinceCheck >= FileLogReporter.ROTATE_CHECK_BYTES) {
-			rotateIfNeeded(this.filePath);
+			this.rotateIfNeeded();
 			this.bytesSinceCheck = 0;
 		}
-		let fd;
+		const fd = this.ensureFd();
+		if (fd === void 0) return;
 		try {
-			fd = fs$1.openSync(this.filePath, "a", 384);
 			fs$1.writeSync(fd, line);
-		} catch {} finally {
-			if (fd !== void 0) try {
-				fs$1.closeSync(fd);
-			} catch {}
+		} catch {
+			this.closeFd();
 		}
 	}
 };
@@ -13491,6 +14489,8 @@ const PEER_MARKER_OPEN = "<!-- gh-router peer-mcp awareness — auto-injected, r
 const PEER_MARKER_CLOSE = "<!-- /gh-router peer-mcp awareness -->";
 const STYLE_MARKER_OPEN = "<!-- gh-router style directive — auto-injected, regenerated per launch -->";
 const STYLE_MARKER_CLOSE = "<!-- /gh-router style directive -->";
+const TOOLBELT_MARKER_OPEN = "<!-- gh-router toolbelt awareness — auto-injected, regenerated per launch -->";
+const TOOLBELT_MARKER_CLOSE = "<!-- /gh-router toolbelt awareness -->";
 /**
 * Writing / communication style directive injected at the TOP of the
 * mirrored CLAUDE.md so every spawned agent (main, Agent-tool subagent,
@@ -13837,6 +14837,303 @@ async function prependStyleDirectiveToMirroredClaudeMd(directive = STYLE_DIRECTI
 		label: "style-directive"
 	});
 }
+/**
+* Append the toolbelt awareness one-liner (which CLI tools are on PATH)
+* to the bottom of the mirrored CLAUDE.md so descendant agents (Agent
+* subagents, agent-teams teammates) learn about the provisioned tools.
+* The main agent gets the same line via `--append-system-prompt`.
+* Separate marker fence from the peer-awareness / style blocks.
+*/
+async function appendToolbeltAwarenessToMirroredClaudeMd(snippet) {
+	await injectMarkerBlock({
+		snippet,
+		markerOpen: TOOLBELT_MARKER_OPEN,
+		markerClose: TOOLBELT_MARKER_CLOSE,
+		position: "bottom",
+		label: "toolbelt-awareness"
+	});
+}
+
+//#endregion
+//#region src/lib/toolbelt/extract.ts
+function baseName(p) {
+	const norm = p.replace(/\\/g, "/");
+	const idx = norm.lastIndexOf("/");
+	return idx === -1 ? norm : norm.slice(idx + 1);
+}
+/**
+* Extract the first REGULAR-FILE tar member whose basename equals
+* `wantBasename` (optionally with a `.exe` suffix). Returns its bytes,
+* or null if absent. `buf` is the gzip-compressed tarball.
+*/
+function extractTarGzMember(buf, wantBasename) {
+	let tar;
+	try {
+		tar = gunzipSync(buf);
+	} catch {
+		return null;
+	}
+	const wants = new Set([wantBasename, `${wantBasename}.exe`]);
+	let offset = 0;
+	while (offset + 512 <= tar.length) {
+		const header = tar.subarray(offset, offset + 512);
+		if (header.every((b) => b === 0)) break;
+		const name$1 = readTarString(header, 0, 100);
+		const prefix = readTarString(header, 345, 155);
+		const fullName = prefix ? `${prefix}/${name$1}` : name$1;
+		const sizeOctal = readTarString(header, 124, 12).trim();
+		const size = parseInt(sizeOctal || "0", 8);
+		const typeflag = String.fromCharCode(header[156]);
+		const dataStart = offset + 512;
+		if ((typeflag === "0" || typeflag === "\0") && wants.has(baseName(fullName))) {
+			if (dataStart + size > tar.length) return null;
+			return Buffer.from(tar.subarray(dataStart, dataStart + size));
+		}
+		offset = dataStart + Math.ceil(size / 512) * 512;
+	}
+	return null;
+}
+function readTarString(block, start$1, len) {
+	const slice = block.subarray(start$1, start$1 + len);
+	const nul = slice.indexOf(0);
+	return slice.subarray(0, nul === -1 ? len : nul).toString("utf8");
+}
+/**
+* Extract the first REGULAR-FILE zip member whose basename equals
+* `wantBasename` (optionally `.exe`). Supports stored (0) and deflate
+* (8) compression. Rejects directories and unix-symlink entries.
+*/
+function extractZipMember(buf, wantBasename) {
+	const wants = new Set([wantBasename, `${wantBasename}.exe`]);
+	const EOCD_SIG = 101010256;
+	let eocd = -1;
+	const minStart = Math.max(0, buf.length - 65557);
+	for (let i = buf.length - 22; i >= minStart; i--) if (buf.readUInt32LE(i) === EOCD_SIG) {
+		eocd = i;
+		break;
+	}
+	if (eocd === -1) return null;
+	const entryCount = buf.readUInt16LE(eocd + 10);
+	let cd = buf.readUInt32LE(eocd + 16);
+	const CEN_SIG = 33639248;
+	for (let i = 0; i < entryCount; i++) {
+		if (cd + 46 > buf.length || buf.readUInt32LE(cd) !== CEN_SIG) return null;
+		const method = buf.readUInt16LE(cd + 10);
+		const compSize = buf.readUInt32LE(cd + 20);
+		const nameLen = buf.readUInt16LE(cd + 28);
+		const extraLen = buf.readUInt16LE(cd + 30);
+		const commentLen = buf.readUInt16LE(cd + 32);
+		const externalAttrs = buf.readUInt32LE(cd + 38);
+		const localOffset = buf.readUInt32LE(cd + 42);
+		const name$1 = buf.subarray(cd + 46, cd + 46 + nameLen).toString("utf8");
+		const isSymlink = (externalAttrs >>> 16 & 61440) === 40960;
+		const isDir = name$1.endsWith("/");
+		if (!isSymlink && !isDir && wants.has(baseName(name$1))) return readZipLocalEntry(buf, localOffset, method, compSize);
+		cd += 46 + nameLen + extraLen + commentLen;
+	}
+	return null;
+}
+function readZipLocalEntry(buf, localOffset, method, compSize) {
+	if (localOffset + 30 > buf.length || buf.readUInt32LE(localOffset) !== 67324752) return null;
+	const nameLen = buf.readUInt16LE(localOffset + 26);
+	const extraLen = buf.readUInt16LE(localOffset + 28);
+	const dataStart = localOffset + 30 + nameLen + extraLen;
+	const comp = buf.subarray(dataStart, dataStart + compSize);
+	try {
+		if (method === 0) return Buffer.from(comp);
+		if (method === 8) return inflateRawSync(comp);
+	} catch {
+		return null;
+	}
+	return null;
+}
+
+//#endregion
+//#region src/lib/toolbelt/provision.ts
+/** Per-download cap (bytes) — these binaries are a few MB at most. */
+const MAX_DOWNLOAD_BYTES = 64 * 1024 * 1024;
+const DOWNLOAD_TIMEOUT_MS = 3e4;
+const EXE_EXT = process$1.platform === "win32" ? ".exe" : "";
+/**
+* Materialize the toolbelt. Returns the list of command names exposed
+* in `bin/` after provisioning. Best-effort; never throws.
+*/
+async function provisionToolbelt() {
+	if (!toolbeltEnabled()) return [];
+	const binDir = PATHS.TOOLBELT_BIN_DIR;
+	try {
+		await mkdir(binDir, { recursive: true });
+	} catch (err) {
+		consola.debug("toolbelt: could not create bin dir:", err);
+		return [];
+	}
+	const skip = toolbeltSkipSet();
+	await withInstallLock("toolbelt.lock", async () => {
+		await pruneUnexpected(binDir);
+		await provisionRg(binDir, skip).catch((err) => consola.debug("toolbelt: rg skipped:", err));
+		await Promise.all(TOOLBELT_TOOLS.map((spec) => provisionTool(spec, binDir, skip).catch((err) => consola.debug(`toolbelt: ${spec.command} skipped:`, err))));
+	});
+	return exposedCommands(binDir);
+}
+/** Names allowed to live in `bin/` (managed binaries + their sidecars). */
+function expectedFileNames() {
+	const names = /* @__PURE__ */ new Set();
+	const add = (base) => {
+		names.add(base + EXE_EXT);
+		names.add(`${base}${EXE_EXT}.sha256`);
+	};
+	add("rg");
+	for (const spec of TOOLBELT_TOOLS) {
+		add(spec.binBasename);
+		for (const a of spec.aliases ?? []) add(a);
+	}
+	return names;
+}
+/** Remove any file in `bin/` that isn't a managed binary or sidecar. */
+async function pruneUnexpected(binDir) {
+	const expected = expectedFileNames();
+	let entries;
+	try {
+		entries = await readdir(binDir);
+	} catch {
+		return;
+	}
+	for (const name$1 of entries) {
+		if (name$1.endsWith(".tmp")) continue;
+		if (!expected.has(name$1)) await rm(path.join(binDir, name$1), { force: true }).catch(() => {});
+	}
+}
+async function provisionRg(binDir, skip) {
+	const dest = path.join(binDir, "rg" + EXE_EXT);
+	if (skip.has("rg") || resolveExecutable("rg")) {
+		await removeBin(dest);
+		return;
+	}
+	if (existsSync(dest)) return;
+	const src = vscodeRipgrepPath();
+	if (!src) return;
+	const tmp = tempName(dest);
+	try {
+		await link(src, tmp);
+	} catch {
+		await copyFile(src, tmp);
+	}
+	if (process$1.platform !== "win32") await chmod(tmp, 493).catch(() => {});
+	await commit(tmp, dest);
+}
+async function provisionTool(spec, binDir, skip) {
+	const dest = path.join(binDir, spec.binBasename + EXE_EXT);
+	const sidecar = `${dest}.sha256`;
+	const asset = assetFor(spec);
+	if (skip.has(spec.command) || !asset) {
+		await removeTool(spec, binDir);
+		return;
+	}
+	if (resolveExecutable(spec.command)) {
+		await removeTool(spec, binDir);
+		return;
+	}
+	if (existsSync(dest) && await sidecarMatches(sidecar, asset.sha256)) {
+		await ensureAliases(spec, binDir, dest);
+		return;
+	}
+	await atomicInstall(dest, await downloadAndExtract(spec, asset));
+	await writeFile(sidecar, asset.sha256).catch(() => {});
+	await ensureAliases(spec, binDir, dest);
+}
+async function downloadAndExtract(spec, asset) {
+	const data = await download(asset.url);
+	const digest = createHash("sha256").update(data).digest("hex");
+	if (digest !== asset.sha256) throw new Error(`checksum mismatch for ${spec.command} (${asset.url}): expected ${asset.sha256}, got ${digest}`);
+	if (asset.archive === "raw") return data;
+	const member = asset.archive === "zip" ? extractZipMember(data, spec.binBasename) : extractTarGzMember(data, spec.binBasename);
+	if (!member) throw new Error(`binary "${spec.binBasename}" not found in ${asset.url}`);
+	return member;
+}
+async function download(url) {
+	const controller = new AbortController();
+	const timer = setTimeout(() => controller.abort(), DOWNLOAD_TIMEOUT_MS);
+	try {
+		const res = await fetch(url, {
+			signal: controller.signal,
+			redirect: "follow",
+			headers: { "User-Agent": "github-router-toolbelt" }
+		});
+		if (!res.ok) throw new Error(`download ${url}: HTTP ${res.status}`);
+		const buf = Buffer.from(await res.arrayBuffer());
+		if (buf.length > MAX_DOWNLOAD_BYTES) throw new Error(`download ${url}: exceeds ${MAX_DOWNLOAD_BYTES} bytes`);
+		return buf;
+	} finally {
+		clearTimeout(timer);
+	}
+}
+/** Write to a unique temp then atomically rename into place. */
+async function atomicInstall(dest, bytes) {
+	const tmp = tempName(dest);
+	await writeFile(tmp, bytes);
+	if (process$1.platform !== "win32") await chmod(tmp, 493).catch(() => {});
+	await commit(tmp, dest);
+}
+/** Rename tmp→dest, handling Windows replace-existing / in-use locks. */
+async function commit(tmp, dest) {
+	try {
+		await rename(tmp, dest);
+	} catch {
+		try {
+			await rm(dest, { force: true });
+			await rename(tmp, dest);
+		} catch (err) {
+			await rm(tmp, { force: true }).catch(() => {});
+			throw err;
+		}
+	}
+}
+async function ensureAliases(spec, binDir, dest) {
+	for (const alias of spec.aliases ?? []) {
+		const ap = path.join(binDir, alias + EXE_EXT);
+		if (existsSync(ap)) continue;
+		const tmp = tempName(ap);
+		try {
+			await copyFile(dest, tmp);
+			if (process$1.platform !== "win32") await chmod(tmp, 493).catch(() => {});
+			await commit(tmp, ap);
+		} catch (err) {
+			consola.debug(`toolbelt: alias ${alias} skipped:`, err);
+		}
+	}
+}
+async function removeTool(spec, binDir) {
+	await removeBin(path.join(binDir, spec.binBasename + EXE_EXT));
+	for (const alias of spec.aliases ?? []) await removeBin(path.join(binDir, alias + EXE_EXT));
+}
+async function removeBin(dest) {
+	await rm(dest, { force: true }).catch(() => {});
+	await rm(`${dest}.sha256`, { force: true }).catch(() => {});
+}
+async function sidecarMatches(sidecar, sha256) {
+	try {
+		return (await readFile(sidecar, "utf8")).trim() === sha256;
+	} catch {
+		return false;
+	}
+}
+function tempName(dest) {
+	return `${dest}.${process$1.pid}.${randomBytes(4).toString("hex")}.tmp`;
+}
+/** The command names currently exposed in `bin/`. */
+async function exposedCommands(binDir) {
+	let files;
+	try {
+		files = new Set(await readdir(binDir));
+	} catch {
+		return [];
+	}
+	const present = (base) => files.has(base + EXE_EXT);
+	const out = [];
+	if (present("rg")) out.push("rg");
+	for (const spec of TOOLBELT_TOOLS) if (present(spec.binBasename)) out.push(spec.command);
+	return out;
+}
 
 //#endregion
 //#region src/lib/proxy.ts
@@ -13887,7 +15184,7 @@ function initProxyFromEnv() {
 //#endregion
 //#region package.json
 var name = "github-router";
-var version$1 = "0.3.68";
+var version$1 = "0.3.72";
 
 //#endregion
 //#region src/lib/approval.ts
@@ -14273,7 +15570,14 @@ embeddingRoutes.post("/", async (c) => {
 const mcpRoutes = new Hono();
 mcpRoutes.post("/", async (c) => {
 	try {
-		return await handleMcpPost(c);
+		return await handleMcpPost(c, "all");
+	} catch (error) {
+		return await forwardError(c, error);
+	}
+});
+mcpRoutes.post("/:group", async (c) => {
+	try {
+		return await handleMcpPost(c, c.req.param("group"));
 	} catch (error) {
 		return await forwardError(c, error);
 	}
@@ -14285,6 +15589,13 @@ mcpRoutes.delete("/", (c) => {
 		return c.body(null, 500);
 	}
 });
+mcpRoutes.delete("/:group", (c) => {
+	try {
+		return handleMcpDelete(c);
+	} catch {
+		return c.body(null, 500);
+	}
+});
 
 //#endregion
 //#region src/lib/sanitize-anthropic-body.ts
@@ -15553,6 +16864,7 @@ usageRoute.get("/", async (c) => {
 
 //#endregion
 //#region src/server.ts
+assertMcpToolSurfaceConsistent();
 const server = new Hono();
 server.use(cors());
 server.get("/", (c) => c.text("Server running"));
@@ -15731,6 +17043,11 @@ const sharedServerArgs = {
 		type: "boolean",
 		default: false,
 		description: "Force humanlike pacing on ALL browser tool dispatches: Beta-distributed inter-action delays (800-4600 ms), Bezier mouse trajectories with overshoot-and-correct, per-keystroke jitter with word-end pauses, scroll chunking. Use for known anti-bot sites (Cloudflare, Datadome). Off by default (auto mode); GH_ROUTER_HUMANLIKE=1 is the env equivalent. GH_ROUTER_BROWSER_NO_HUMANLIKE=1 hard-disables (wins over --humanlike, for tests)."
+	},
+	"self-update": {
+		type: "boolean",
+		default: true,
+		description: "Update github-router itself to the latest npm version on launch (throttled once/hour). Best-effort and non-blocking: the proxy serves immediately and a detached updater applies the new version after this process exits (it takes effect on the NEXT launch; the running process keeps its current build). Disable with --no-self-update or GH_ROUTER_NO_SELF_UPDATE=1. Skipped silently if npm/network unavailable."
 	}
 };
 const allowedAccountTypes = new Set([
@@ -15836,6 +17153,7 @@ function getClaudeCodeEnvVars(serverUrl, model) {
 		"CLAUDE_CODE_ENABLE_FINE_GRAINED_TOOL_STREAMING",
 		"CLAUDE_CODE_ENABLE_TASKS"
 	]) if (process.env[key] === void 0) vars[key] = "1";
+	if (toolbeltEnabled()) Object.assign(vars, toolbeltPathOverride(process.env, PATHS.TOOLBELT_BIN_DIR));
 	return vars;
 }
 /**
@@ -15851,11 +17169,13 @@ function getClaudeCodeEnvVars(serverUrl, model) {
 * masks any cached login.
 */
 function getCodexEnvVars(serverUrl) {
-	return {
+	const vars = {
 		OPENAI_BASE_URL: `${serverUrl}/v1`,
 		OPENAI_API_KEY: "dummy",
 		CODEX_HOME: PATHS.CODEX_HOME
 	};
+	if (toolbeltEnabled()) Object.assign(vars, toolbeltPathOverride(process.env, PATHS.TOOLBELT_BIN_DIR));
+	return vars;
 }
 
 //#endregion
@@ -15895,7 +17215,7 @@ const claude = defineCommand({
 		"auto-update": {
 			type: "boolean",
 			default: true,
-			description: "Check for and install latest Claude Code on launch (throttled to once per hour via ~/.local/share/github-router/last-update-check). Set to false (--no-auto-update) to keep the current installed version. Falls back gracefully if npm/network unavailable."
+			description: "Check for and install the latest Claude Code on launch via `claude update` (throttled to once per hour via ~/.local/share/github-router/last-update-check). `claude update` respects the real install method (native installer or npm), so it never creates a conflicting second install; builds too old to support it fall back to `npm install -g @anthropic-ai/claude-code@latest`. Set to false (--no-auto-update) to check and warn only. Falls back gracefully if claude/npm/network unavailable."
 		},
 		"update-check": {
 			type: "boolean",
@@ -15918,12 +17238,12 @@ const claude = defineCommand({
 			if (versionCheck.skipped && versionCheck.skipReason === "no-claude") consola.debug("claude --version probe failed; skipping auto-update.");
 			else if (versionCheck.skipped && versionCheck.skipReason === "no-npm") consola.debug("npm view @anthropic-ai/claude-code failed; skipping auto-update check (likely offline).");
 			else if (versionCheck.needsUpdate && versionCheck.installedVersion && versionCheck.latestVersion) if (args["auto-update"] !== false) try {
-				await autoUpdateClaude(versionCheck.latestVersion);
+				await updateClaude(versionCheck.latestVersion);
 			} catch (err) {
 				const msg = err instanceof Error ? err.message : String(err);
-				consola.warn(`Auto-update of Claude Code from ${versionCheck.installedVersion} to ${versionCheck.latestVersion} failed (${msg}); continuing with installed version. Run \`npm install -g @anthropic-ai/claude-code@latest\` manually to retry.`);
+				consola.warn(`Auto-update of Claude Code from ${versionCheck.installedVersion} to ${versionCheck.latestVersion} failed (${msg}); continuing with installed version. Run \`claude update\` (or \`npm install -g @anthropic-ai/claude-code@latest\`) manually to retry.`);
 			}
-			else consola.warn(`Claude Code v${versionCheck.installedVersion} is installed; v${versionCheck.latestVersion} is available. Run with --auto-update (the default) to install on launch, or \`npm install -g @anthropic-ai/claude-code@latest\` manually.`);
+			else consola.warn(`Claude Code v${versionCheck.installedVersion} is installed; v${versionCheck.latestVersion} is available. Run with --auto-update (the default) to install on launch, or \`claude update\` manually.`);
 		} catch (err) {
 			consola.debug("Claude version check failed:", err);
 		}
@@ -15941,6 +17261,7 @@ const claude = defineCommand({
 			consola.error("Failed to start server:", error instanceof Error ? error.message : error);
 			process$1.exit(1);
 		}
+		runSelfUpdate({ selfUpdate: args["self-update"] !== false });
 		try {
 			await ensureClaudeConfigMirror();
 		} catch (err) {
@@ -15972,6 +17293,15 @@ const claude = defineCommand({
 		process$1.stderr.write(`Server ready on ${serverUrl}, launching Claude Code (${banner})...\n`);
 		const envVars = getClaudeCodeEnvVars(serverUrl, chosenSlug);
 		const extraArgs = args._ ?? [];
+		if (toolbeltEnabled()) {
+			provisionToolbelt().catch((err) => consola.debug("Toolbelt provisioning failed:", err));
+			const toolbeltLine = buildToolbeltAwareness(availableToolCommands());
+			if (toolbeltLine) try {
+				await appendToolbeltAwarenessToMirroredClaudeMd(toolbeltLine);
+			} catch (err) {
+				consola.warn(`Toolbelt CLAUDE.md append failed: ${err instanceof Error ? err.message : String(err)}`);
+			}
+		}
 		const baseShutdown = async () => {
 			await removeOwnClaudeConfigMirror();
 		};
@@ -15984,9 +17314,15 @@ const claude = defineCommand({
 			});
 			const geminiAvailable$1 = state.models?.data.some((m) => /^gemini-3\..*pro/i.test(m.id)) ?? false;
 			if (!geminiAvailable$1) consola.info("gemini-3.1-pro-preview not found in your Copilot model catalog; gemini-critic persona will not be registered.");
+			const enabledGroups = ["peers", "search"];
+			if (workerToolsEnabled()) enabledGroups.push("workers");
+			if (standInToolEnabled()) enabledGroups.push("decide");
+			if (browserToolsEnabled()) enabledGroups.push("browser");
+			const { keys: groupKeys, skipped: skippedGroups } = await resolveGroupKeysFromMirror(enabledGroups);
 			const runtime = await writePeerMcpRuntimeFiles(serverUrl, {
 				codexCli: backend === "cli",
-				geminiAvailable: geminiAvailable$1
+				geminiAvailable: geminiAvailable$1,
+				groupKeys
 			});
 			state.peerMcpNonce = runtime.nonce;
 			onShutdown = async () => {
@@ -15996,6 +17332,7 @@ const claude = defineCommand({
 			const injected = await injectPeerMcpIntoMirror(serverUrl, {
 				codexCli: backend === "cli",
 				geminiAvailable: geminiAvailable$1,
+				groupKeys,
 				nonce: runtime.nonce
 			});
 			if (!injected.ok) {
@@ -16004,14 +17341,16 @@ const claude = defineCommand({
 			} else if (args["codex-mcp-only"] === true) consola.warn("--codex-mcp-only has no effect when peer MCP is wired via the mirrored .claude.json (the user's existing user-scope MCPs in the snapshot are still visible). Pass --no-codex-mcp to skip peer-MCP wiring entirely.");
 			const personaNames = runtime.personas.map((p) => p.agentName).join(", ");
 			const subagentVisibility = injected.ok ? `subagent-visible (mirrored mcpServers: [${injected.serversAdded.join(", ")}])` : `subagent-INVISIBLE (collision on user-side mcpServers: [${injected.conflictingServers.join(", ")}]; parent-only via --mcp-config)`;
-			process$1.stderr.write(`Peer MCP wired (backend=${backend}, personas=[${personaNames}], subagent .md files=${runtime.agentMdPaths.length}, ${subagentVisibility}).\n`);
+			const skippedNote = skippedGroups.length > 0 ? ` WARNING: groups [${skippedGroups.join(", ")}] skipped — both the bare and \`gh-router-<group>\` keys collide with your own mcpServers; those tools are unavailable this session (rename the user-side server to re-enable).` : "";
+			process$1.stderr.write(`Peer MCP wired (backend=${backend}, personas=[${personaNames}], subagent .md files=${runtime.agentMdPaths.length}, ${subagentVisibility}).${skippedNote}\n`);
 			const peerSnippet = buildPeerAwarenessSnippet({
 				codexCli: backend === "cli",
 				geminiAvailable: geminiAvailable$1,
 				workerToolsAvailable: workerToolsEnabled(),
 				standInAvailable: standInToolEnabled(),
 				browseAvailable: state.browseEnabled,
-				powerBrowseAvailable: state.powerBrowseEnabled
+				powerBrowseAvailable: state.powerBrowseEnabled,
+				groupKeys
 			});
 			extraArgs.push("--append-system-prompt", peerSnippet);
 			try {
@@ -16071,6 +17410,8 @@ const codex = defineCommand({
 			consola.error("Failed to start server:", error instanceof Error ? error.message : error);
 			process$1.exit(1);
 		}
+		runSelfUpdate({ selfUpdate: args["self-update"] !== false });
+		if (toolbeltEnabled()) provisionToolbelt().catch(() => {});
 		const usingDefault = !args.model;
 		const requestedModel = args.model ?? DEFAULT_CODEX_MODEL;
 		enableFileLogging();
@@ -16443,6 +17784,7 @@ const start = defineCommand({
 			port: parsed.port ?? DEFAULT_PORT,
 			silent: false
 		});
+		runSelfUpdate({ selfUpdate: args["self-update"] !== false });
 		if (args.cc) generateClaudeCodeCommand(serverUrl, args.model);
 		if (args.cx) generateCodexCommand(serverUrl, args.model);
 		consola.box(`🌐 Usage Viewer: https://animeshkundu.github.io/github-router/dashboard.html?endpoint=${serverUrl}/usage`);