openmates 0.12.0-alpha.23 → 0.12.0-alpha.25

package/dist/{chunk-PHFCP5AM.js → chunk-V7DUGDYQ.js}

@@ -921,8 +921,15 @@ function removeServerConfig() {
 }
 var SOURCE_COMPOSE_MARKER = join2("backend", "core", "docker-compose.yml");
 var IMAGE_COMPOSE_MARKER = join2("backend", "core", "docker-compose.selfhost.yml");
+var UPLOAD_COMPOSE_MARKER = join2("backend", "upload", "docker-compose.yml");
+var PREVIEW_COMPOSE_MARKER = join2("backend", "preview", "docker-compose.preview.yml");
 function isOpenMatesDir(dir) {
-  return existsSync3(join2(dir, SOURCE_COMPOSE_MARKER)) || existsSync3(join2(dir, IMAGE_COMPOSE_MARKER));
+  return [
+    SOURCE_COMPOSE_MARKER,
+    IMAGE_COMPOSE_MARKER,
+    UPLOAD_COMPOSE_MARKER,
+    PREVIEW_COMPOSE_MARKER
+  ].some((marker) => existsSync3(join2(dir, marker)));
 }
 function resolveServerPath(flags) {
   if (typeof flags.path === "string" && flags.path) {
@@ -2052,6 +2059,55 @@ function getClientMessagesVersionForSync(cached) {
   if (cached.messages.length === 0) return 0;
   return typeof cached.details.messages_v === "number" ? cached.details.messages_v : 0;
 }
+var INTEREST_TAG_IDS = [
+  "software_development",
+  "use_the_cli",
+  "open_source",
+  "read_developer_docs",
+  "run_code",
+  "protect_my_privacy",
+  "summarize_documents",
+  "find_apartments",
+  "local_life",
+  "learn_anything"
+];
+var TOPIC_PREFERENCES_SETTINGS_KEY = "topic_preferences";
+function normalizeInterestTagIds(values) {
+  const validIds = new Set(INTEREST_TAG_IDS);
+  const normalized = [];
+  for (const value of values) {
+    if (!validIds.has(value)) {
+      throw new Error(
+        `Unknown interest tag '${value}'. Use one of: ${INTEREST_TAG_IDS.join(", ")}`
+      );
+    }
+    if (!normalized.includes(value)) {
+      normalized.push(value);
+    }
+  }
+  return normalized;
+}
+function normalizeTopicPreferencesPayload(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return null;
+  }
+  const candidate = value;
+  if (candidate.version !== 1 || !Array.isArray(candidate.selectedTagIds)) {
+    return null;
+  }
+  const validIds = new Set(INTEREST_TAG_IDS);
+  const selectedTagIds = [];
+  for (const value2 of candidate.selectedTagIds) {
+    if (validIds.has(value2) && !selectedTagIds.includes(value2)) {
+      selectedTagIds.push(value2);
+    }
+  }
+  return {
+    version: 1,
+    selectedTagIds,
+    updatedAt: typeof candidate.updatedAt === "string" ? candidate.updatedAt : (/* @__PURE__ */ new Date(0)).toISOString()
+  };
+}
 function buildSubChatConfirmationPayload(params) {
   return {
     chat_id: params.chatId,
@@ -2987,6 +3043,31 @@ var OpenMatesClient = class _OpenMatesClient {
     saveSession(session);
     return response.data.user ?? {};
   }
+  async getTopicPreferences() {
+    const user = await this.whoAmI();
+    return await this.decryptTopicPreferences(user.encrypted_settings);
+  }
+  async setTopicPreferences(selectedTagIds) {
+    const user = await this.whoAmI();
+    const settings = await this.decryptSettingsRecord(user.encrypted_settings);
+    const payload = {
+      version: 1,
+      selectedTagIds: normalizeInterestTagIds(selectedTagIds),
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    settings[TOPIC_PREFERENCES_SETTINGS_KEY] = payload;
+    const encryptedSettings = await encryptWithAesGcmCombined(
+      JSON.stringify(settings),
+      this.getMasterKeyBytes()
+    );
+    await this.settingsPost("topic-preferences", {
+      encrypted_settings: encryptedSettings
+    });
+    return payload;
+  }
+  async clearTopicPreferences() {
+    return await this.setTopicPreferences([]);
+  }
   async getLearningModeStatus() {
     this.requireSession();
     const response = await this.http.get(
@@ -3335,8 +3416,8 @@ var OpenMatesClient = class _OpenMatesClient {
       );
       let msgEmbedIds = [];
       if (clientMsgId && cache.embeds.length > 0) {
-        const { createHash: createHash5 } = await import("crypto");
-        const hashed = createHash5("sha256").update(clientMsgId).digest("hex");
+        const { createHash: createHash6 } = await import("crypto");
+        const hashed = createHash6("sha256").update(clientMsgId).digest("hex");
         msgEmbedIds = cache.embeds.filter(
           (e) => e.hashed_message_id === hashed && // Only include parent embeds (no parent_embed_id).
           // Child embeds inherit the parent's key and are loaded
@@ -3383,8 +3464,8 @@ var OpenMatesClient = class _OpenMatesClient {
       );
     }
     const embedId = String(embed.embed_id ?? embed.id ?? "");
-    const { createHash: createHash5 } = await import("crypto");
-    const hashedEmbedId = createHash5("sha256").update(embedId).digest("hex");
+    const { createHash: createHash6 } = await import("crypto");
+    const hashedEmbedId = createHash6("sha256").update(embedId).digest("hex");
     const embedKeyBytes = await this.resolveEmbedKey(
       cache,
       masterKey,
@@ -3492,7 +3573,7 @@ var OpenMatesClient = class _OpenMatesClient {
   async resolveEmbedKey(cache, masterKey, embed, embedId, hashedEmbedId, visited = /* @__PURE__ */ new Set()) {
     if (visited.has(embedId)) return null;
     visited.add(embedId);
-    const { createHash: createHash5 } = await import("crypto");
+    const { createHash: createHash6 } = await import("crypto");
     const masterKeyEntry = cache.embedKeys.find(
       (ek) => ek.hashed_embed_id === hashedEmbedId && String(ek.key_type) === "master"
     );
@@ -3509,7 +3590,7 @@ var OpenMatesClient = class _OpenMatesClient {
     if (chatKeyEntry && typeof chatKeyEntry.encrypted_embed_key === "string") {
       const hashedChatId = String(chatKeyEntry.hashed_chat_id ?? "");
       const owningChat = cache.chats.find((c) => {
-        const chatHash = createHash5("sha256").update(String(c.details.id ?? "")).digest("hex");
+        const chatHash = createHash6("sha256").update(String(c.details.id ?? "")).digest("hex");
         return chatHash === hashedChatId;
       });
       if (owningChat) {
@@ -3538,7 +3619,7 @@ var OpenMatesClient = class _OpenMatesClient {
         const parentFullId = String(
           parentEmbed2.embed_id ?? parentEmbed2.id ?? ""
         );
-        const parentHashedId = createHash5("sha256").update(parentFullId).digest("hex");
+        const parentHashedId = createHash6("sha256").update(parentFullId).digest("hex");
         const parentKey = await this.resolveEmbedKey(
           cache,
           masterKey,
@@ -5347,7 +5428,7 @@ Required: ${schema.required.join(", ")}`
     const session = this.requireSession();
     const masterKey = base64ToBytes(session.masterKeyExportedB64);
     const cache = await this.ensureSynced();
-    const { createHash: createHash5 } = await import("crypto");
+    const { createHash: createHash6 } = await import("crypto");
     const embed = cache.embeds.find(
       (e) => String(e.embed_id ?? "").startsWith(embedIdOrShort) || String(e.id ?? "").startsWith(embedIdOrShort)
     );
@@ -5355,7 +5436,7 @@ Required: ${schema.required.join(", ")}`
       throw new Error(`Embed '${embedIdOrShort}' not found in local cache.`);
     }
     const embedId = String(embed.embed_id ?? embed.id ?? "");
-    const hashedEmbedId = createHash5("sha256").update(embedId).digest("hex");
+    const hashedEmbedId = createHash6("sha256").update(embedId).digest("hex");
     const embedKeyBytes = await this.resolveEmbedKey(
       cache,
       masterKey,
@@ -5415,8 +5496,8 @@ Required: ${schema.required.join(", ")}`
     if (!embed) {
       throw new Error(`Embed '${embedId}' not found in local cache. Run 'openmates chats list' to sync first.`);
     }
-    const { createHash: createHash5 } = await import("crypto");
-    const hashedEmbedId = createHash5("sha256").update(embedId).digest("hex");
+    const { createHash: createHash6 } = await import("crypto");
+    const hashedEmbedId = createHash6("sha256").update(embedId).digest("hex");
     const embedKey = await this.resolveEmbedKey(
       cache,
       masterKey,
@@ -5510,8 +5591,8 @@ Required: ${schema.required.join(", ")}`
     if (!embed) {
       throw new Error(`Embed '${embedId}' not found in local cache. Run 'openmates chats list' to sync first.`);
     }
-    const { createHash: createHash5 } = await import("crypto");
-    const hashedEmbedId = createHash5("sha256").update(embedId).digest("hex");
+    const { createHash: createHash6 } = await import("crypto");
+    const hashedEmbedId = createHash6("sha256").update(embedId).digest("hex");
     const embedKey = await this.resolveEmbedKey(
       cache,
       masterKey,
@@ -5649,6 +5730,27 @@ Required: ${schema.required.join(", ")}`
     const session = this.requireSession();
     return base64ToBytes(session.masterKeyExportedB64);
   }
+  async decryptTopicPreferences(encryptedSettings) {
+    const settings = await this.decryptSettingsRecord(encryptedSettings);
+    return normalizeTopicPreferencesPayload(settings[TOPIC_PREFERENCES_SETTINGS_KEY]);
+  }
+  async decryptSettingsRecord(encryptedSettings) {
+    if (typeof encryptedSettings !== "string" || encryptedSettings.length === 0) {
+      return {};
+    }
+    const decrypted = await decryptWithAesGcmCombined(
+      encryptedSettings,
+      this.getMasterKeyBytes()
+    );
+    if (!decrypted) {
+      throw new Error("Failed to decrypt encrypted account settings.");
+    }
+    const parsed = JSON.parse(decrypted);
+    if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
+      return {};
+    }
+    return parsed;
+  }
   getValidSessionFromDisk() {
     const session = loadSession();
     if (!session) return null;
@@ -7372,6 +7474,8 @@ var DIRECT_TYPES = /* @__PURE__ */ new Set([
   "recording",
   "mail-email",
   "math-plot",
+  "mindmap",
+  "mindmaps-mindmap",
   "events-event",
   "health-appointment",
   "shopping-product",
@@ -7399,6 +7503,8 @@ var DIRECT_TYPE_LABELS = {
   "recording": "recording",
   "mail-email": "email",
   "math-plot": "plot",
+  "mindmap": "Mind Map",
+  "mindmaps-mindmap": "Mind Map",
   "events-event": "event",
   "health-appointment": "appointment",
   "shopping-product": "product",
@@ -8355,6 +8461,20 @@ function renderByDirectType(embed, c, ln) {
       ln("\x1B[2m[mathematical plot]\x1B[0m");
       break;
     }
+    case "mindmap":
+    case "mindmaps-mindmap": {
+      const document = mindMapDocumentFromContent(c);
+      const title = str(c.title) ?? str(document?.title) ?? "Mind Map";
+      const nodeCount = typeof c.node_count === "number" ? c.node_count : document?.nodes.length;
+      const edgeCount = typeof c.edge_count === "number" ? c.edge_count : document?.edges?.length ?? 0;
+      ln(title);
+      if (nodeCount !== void 0) ln(`\x1B[2m${nodeCount} nodes \xB7 ${edgeCount} edges\x1B[0m`);
+      const outline = document ? mindMapOutline(document, 8) : "";
+      if (outline) {
+        for (const line of outline.split("\n")) ln(line);
+      }
+      break;
+    }
     case "images-image-result": {
       const title = str(c.title) ?? "";
       const source = str(c.source) ?? str(c.url) ?? "";
@@ -8520,6 +8640,24 @@ function renderDirectTypeFullscreen(embed, c) {
       }
       break;
     }
+    case "mindmap":
+    case "mindmaps-mindmap": {
+      const document = mindMapDocumentFromContent(c);
+      const title = str(c.title) ?? str(document?.title) ?? "Mind Map";
+      process.stdout.write(`\x1B[1m${title}\x1B[0m
+`);
+      if (!document) {
+        console.log("Invalid mind map JSON");
+        break;
+      }
+      console.log(`${document.nodes.length} nodes \xB7 ${document.edges?.length ?? 0} edges
+`);
+      console.log(mindMapOutline(document));
+      console.log("\n```openmates_mindmap");
+      console.log(JSON.stringify(document, null, 2));
+      console.log("```");
+      break;
+    }
     default: {
       for (const [k, v] of Object.entries(c)) {
         if (v === null || v === void 0 || k.startsWith("_")) continue;
@@ -8546,6 +8684,49 @@ function resolveResultCount(c) {
   if (ids.length > 0) return ids.length;
   return null;
 }
+function mindMapDocumentFromContent(c) {
+  const model = c.model;
+  if (isMindMapDocument(model)) return model;
+  const source = str(c.source_json);
+  if (!source) return null;
+  try {
+    const parsed = JSON.parse(source);
+    return isMindMapDocument(parsed) ? parsed : null;
+  } catch {
+    return null;
+  }
+}
+function isMindMapDocument(value) {
+  if (!isRecord(value)) return false;
+  return value.openmatesType === "mindmap" && typeof value.schemaVersion === "number" && typeof value.title === "string" && typeof value.rootId === "string" && Array.isArray(value.nodes);
+}
+function mindMapOutline(document, maxNodes = 100) {
+  const nodesById = /* @__PURE__ */ new Map();
+  for (const node of document.nodes) {
+    if (typeof node.id === "string" && typeof node.label === "string") {
+      nodesById.set(node.id, node);
+    }
+  }
+  const lines = [];
+  const visited = /* @__PURE__ */ new Set();
+  const visit = (nodeId, depth) => {
+    if (visited.size >= maxNodes || visited.has(nodeId)) return;
+    const node = nodesById.get(nodeId);
+    if (!node) return;
+    visited.add(nodeId);
+    lines.push(`${"  ".repeat(depth)}- ${node.label}`);
+    for (const childId of node.children ?? []) visit(childId, depth + 1);
+  };
+  visit(document.rootId, 0);
+  for (const node of document.nodes) {
+    if (visited.size >= maxNodes) break;
+    if (!visited.has(node.id)) visit(node.id, 0);
+  }
+  return lines.join("\n");
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
 async function resolveChildResults(c, client) {
   const inline = c.results;
   if (Array.isArray(inline) && inline.length > 0) {
@@ -8574,14 +8755,211 @@ function formatTs(ts) {
 
 // src/server.ts
 import { execSync, spawn as nodeSpawn } from "child_process";
-import { randomBytes as randomBytes2 } from "crypto";
-import { copyFileSync, existsSync as existsSync5, mkdirSync as mkdirSync3, readFileSync as readFileSync5, rmSync as rmSync3, writeFileSync as writeFileSync3 } from "fs";
+import { createHash as createHash5, randomBytes as randomBytes2 } from "crypto";
+import { chmodSync as chmodSync2, copyFileSync, cpSync, existsSync as existsSync5, mkdirSync as mkdirSync3, mkdtempSync, readFileSync as readFileSync5, readdirSync, rmSync as rmSync3, writeFileSync as writeFileSync3 } from "fs";
 import { createInterface as createInterface2 } from "readline";
 import { createInterface as createPromptInterface } from "readline/promises";
 import { homedir as homedir5 } from "os";
 import { dirname, join as join3, resolve as resolve3 } from "path";
+
+// src/serverPlanning.ts
+var CORE_WORKER_SERVICES = [
+  "task-worker",
+  "task-scheduler",
+  "app-ai-worker",
+  "app-images-worker",
+  "app-music-worker",
+  "app-videos-worker",
+  "app-pdf-worker",
+  "app-docs-worker",
+  "app-code-worker",
+  "app-social-media-worker"
+];
+var CORE_OBSERVABILITY_BY_PROFILE = {
+  minimal: [],
+  standard: ["openobserve", "promtail"],
+  production: ["openobserve", "promtail", "prometheus", "cadvisor"]
+};
+var ROLE_DEFINITIONS = {
+  core: {
+    dataBearing: true,
+    requiredServices: ["api", "cms", "cms-database", "cache", "vault", "vault-setup", "cms-setup"],
+    optionalServices: [...CORE_WORKER_SERVICES, "admin-sidecar", "webapp", "openobserve", "promtail", "prometheus", "cadvisor", "alertmanager"],
+    healthChecks: ["http://localhost:8000/health"],
+    templatePath: "templates/core/docker-compose.selfhost.yml",
+    composeFile: "backend/core/docker-compose.selfhost.yml"
+  },
+  upload: {
+    dataBearing: true,
+    requiredServices: ["app-uploads", "clamav", "vault", "vault-setup", "admin-sidecar"],
+    optionalServices: [],
+    healthChecks: ["http://localhost:8000/health"],
+    templatePath: "templates/upload/docker-compose.yml",
+    composeFile: "backend/upload/docker-compose.yml"
+  },
+  preview: {
+    dataBearing: false,
+    requiredServices: ["preview", "admin-sidecar"],
+    optionalServices: ["cache"],
+    healthChecks: ["http://localhost:8080/health"],
+    templatePath: "templates/preview/docker-compose.preview.yml",
+    composeFile: "backend/preview/docker-compose.preview.yml"
+  }
+};
+function unique(items) {
+  return [...new Set(items.map((item) => item.trim()).filter(Boolean))];
+}
+function csv(value) {
+  if (value === void 0) return [];
+  if (Array.isArray(value)) return unique(value.flatMap((item) => item.split(",")));
+  return unique(value.split(","));
+}
+function parseServerRole(value) {
+  if (!value) return "core";
+  if (value === "core" || value === "upload" || value === "preview") return value;
+  throw new Error(`Unsupported server role '${value}'. Use core, upload, or preview.`);
+}
+function planServerRuntime(input) {
+  const role = parseServerRole(input.role);
+  const definition = ROLE_DEFINITIONS[role];
+  const coreProfile = input.profile ?? "production";
+  const profile = role === "core" ? coreProfile : null;
+  const profileServices = role === "core" ? [...CORE_OBSERVABILITY_BY_PROFILE[coreProfile]] : [];
+  if (role === "core" && input.withAlerts) profileServices.push("alertmanager");
+  const defaultServices = role === "core" ? unique([...definition.requiredServices, ...CORE_WORKER_SERVICES, "admin-sidecar", ...profileServices, "webapp"]) : unique([...definition.requiredServices, ...definition.optionalServices]);
+  return {
+    role,
+    profile,
+    dataBearing: definition.dataBearing,
+    composeFiles: [definition.composeFile],
+    requiredServices: [...definition.requiredServices],
+    profileServices,
+    defaultServices,
+    healthChecks: [...definition.healthChecks]
+  };
+}
+function resolveServiceSelection(roleValue, filter = {}) {
+  const role = parseServerRole(roleValue);
+  const definition = ROLE_DEFINITIONS[role];
+  const allowed = /* @__PURE__ */ new Set([...definition.requiredServices, ...definition.optionalServices]);
+  const requested = csv(filter.services);
+  const excluded = new Set(csv(filter.exclude));
+  const base = requested.length ? requested : [...allowed];
+  for (const service of [...base, ...excluded]) {
+    if (!allowed.has(service)) {
+      throw new Error(`Invalid service '${service}' for ${role} role.`);
+    }
+  }
+  return base.filter((service) => !excluded.has(service));
+}
+function planUpdate(input) {
+  const runtime = planServerRuntime({ role: input.role });
+  const selectedServices = input.selectedServices?.length ? input.selectedServices : runtime.defaultServices;
+  const missingRequiredSecrets = input.missingRequiredSecrets ?? [];
+  const blocked = input.continuous === true && missingRequiredSecrets.length > 0;
+  const steps = ["preflight"];
+  const backupName = runtime.dataBearing && input.skipBackup !== true ? `latest-pre-update-${runtime.role}.tar.zst` : null;
+  if (backupName) steps.push("backup:latest-pre-update");
+  steps.push("pull", "up", "health-check");
+  return {
+    role: runtime.role,
+    selectedServices,
+    steps,
+    commands: [
+      `docker compose pull ${selectedServices.join(" ")}`,
+      `docker compose up -d ${selectedServices.join(" ")}`
+    ],
+    backupName,
+    blocked,
+    blockReason: blocked ? `Blocked by missing required secrets: ${missingRequiredSecrets.join(", ")}` : null
+  };
+}
+function planBackup(input) {
+  const role = parseServerRole(input.role);
+  const contentsByRole = {
+    core: ["postgres-dump", "directus-uploads", "directus-extensions", "vault-data", "vault-setup-data", "runtime-env", "runtime-config", "manifest", "checksums"],
+    upload: ["vault-data", "vault-setup-data", "runtime-env", "runtime-config", "manifest", "checksums"],
+    preview: ["runtime-env", "runtime-config", "preview-cache", "manifest", "checksums"]
+  };
+  const contents = [...contentsByRole[role]];
+  if (input.includeObservability) contents.push("openobserve-data", "prometheus-data");
+  return { role, contents, fileMode: 384 };
+}
+function planRestore(input) {
+  const role = parseServerRole(input.role);
+  return {
+    role,
+    file: input.file,
+    requiresConfirmation: input.yes !== true,
+    steps: input.yes === true ? ["stop", "restore", "start", "health-check"] : ["confirm", "stop", "restore", "start", "health-check"]
+  };
+}
+function planCaddyCommand(input) {
+  const role = parseServerRole(input.role);
+  const templatePath = `templates/caddy/${role}/Caddyfile`;
+  const stepsByAction = {
+    check: ["render-template", "validate"],
+    status: ["hash-template", "hash-applied", "validate"],
+    diff: ["hash-template", "hash-applied", "diff"],
+    apply: ["render-template", "validate", "backup-applied", "write", "reload"]
+  };
+  return {
+    role,
+    action: input.action,
+    templatePath,
+    appliedPath: input.appliedPath ?? "/etc/caddy/Caddyfile",
+    steps: stepsByAction[input.action]
+  };
+}
+function planContinuousUpdateService(input) {
+  const role = parseServerRole(input.role);
+  const channel = input.channel ?? "main";
+  const window = input.window ?? "02:00-04:00 UTC";
+  const serviceName = `openmates-${role}-continuous-update.service`;
+  const timerName = `openmates-${role}-continuous-update.timer`;
+  return {
+    role,
+    serviceName,
+    timerName,
+    unit: [
+      "[Unit]",
+      `Description=OpenMates ${role} continuous updater`,
+      "After=docker.service network-online.target",
+      "Wants=network-online.target",
+      "",
+      "[Service]",
+      "Type=oneshot",
+      `ExecStart=openmates server update --role ${role} --channel ${channel} --continuous`,
+      `Environment=OPENMATES_UPDATE_WINDOW=${window}`,
+      ""
+    ].join("\n"),
+    timer: [
+      "[Unit]",
+      `Description=Run OpenMates ${role} continuous updater`,
+      "",
+      "[Timer]",
+      "OnCalendar=*:0/30",
+      "Persistent=true",
+      "",
+      "[Install]",
+      "WantedBy=timers.target",
+      ""
+    ].join("\n")
+  };
+}
+
+// src/server.ts
 var SOURCE_COMPOSE_FILE = join3("backend", "core", "docker-compose.yml");
-var IMAGE_COMPOSE_FILE = join3("backend", "core", "docker-compose.selfhost.yml");
+var ROLE_IMAGE_COMPOSE_FILES = {
+  core: join3("backend", "core", "docker-compose.selfhost.yml"),
+  upload: join3("backend", "upload", "docker-compose.yml"),
+  preview: join3("backend", "preview", "docker-compose.preview.yml")
+};
+var ROLE_TEMPLATE_FILES = {
+  core: join3("core", "docker-compose.selfhost.yml"),
+  upload: join3("upload", "docker-compose.yml"),
+  preview: join3("preview", "docker-compose.preview.yml")
+};
 var COMPOSE_OVERRIDE = join3("backend", "core", "docker-compose.override.yml");
 var DEFAULT_INSTALL_PATH = join3(homedir5(), "openmates");
 var REPO_URL = "https://github.com/glowingkitty/OpenMates.git";
@@ -8668,6 +9046,12 @@ SELF_HOST_SIGNUP_MODE=invite_only
 SELF_HOST_SIGNUP_ALLOWED_DOMAINS=
 SELF_HOST_FIRST_INVITE_CODE=
 APPLICATION_PREVIEW_ORIGIN=
+PROD_CORE_API_URL=
+PROD_INTERNAL_API_SHARED_TOKEN=
+DEV_CORE_API_URL=
+DEV_INTERNAL_API_SHARED_TOKEN=
+PREVIEW_CORS_ORIGINS=https://openmates.org
+PREVIEW_ALLOWED_REFERERS=https://openmates.org/*
 OPENMATES_IMAGE_REGISTRY=${DEFAULT_IMAGE_REGISTRY}
 OPENMATES_IMAGE_TAG=
 GIT_WORK_DIR=
@@ -8714,9 +9098,26 @@ function loadConfigForInstallPath(installPath) {
 }
 function getInstallMode(installPath, config = loadConfigForInstallPath(installPath)) {
   if (config?.installMode) return config.installMode;
-  if (existsSync5(join3(installPath, IMAGE_COMPOSE_FILE))) return "image";
+  if (Object.values(ROLE_IMAGE_COMPOSE_FILES).some((composeFile) => existsSync5(join3(installPath, composeFile)))) return "image";
   return "source";
 }
+function getServerRole(flags, config) {
+  return parseServerRole(typeof flags.role === "string" ? flags.role : config?.serverRole);
+}
+function getCoreProfile(flags, config) {
+  const value = typeof flags.profile === "string" ? flags.profile : config?.serverProfile;
+  if (value === "minimal" || value === "standard" || value === "production") return value;
+  return "production";
+}
+function hasServiceFilter(flags) {
+  return typeof flags.services === "string" || typeof flags.exclude === "string";
+}
+function selectedComposeServices(role, flags) {
+  return resolveServiceSelection(role, {
+    services: typeof flags.services === "string" ? flags.services : void 0,
+    exclude: typeof flags.exclude === "string" ? flags.exclude : void 0
+  });
+}
 function shouldPullImages() {
   return process.env.OPENMATES_SKIP_IMAGE_PULL !== "1";
 }
@@ -8779,8 +9180,8 @@ ${renderFeatureOverrides(overrides)}`;
 function featureKind(featureId) {
   return featureId.split(":", 1)[0] || "unknown";
 }
-function composeArgs(installPath, withOverrides, installMode = getInstallMode(installPath)) {
-  const composeFile = installMode === "image" ? IMAGE_COMPOSE_FILE : SOURCE_COMPOSE_FILE;
+function composeArgs(installPath, withOverrides, installMode = getInstallMode(installPath), role = "core") {
+  const composeFile = installMode === "image" ? ROLE_IMAGE_COMPOSE_FILES[role] : SOURCE_COMPOSE_FILE;
   const args = ["compose", "--env-file", ".env", "-f", composeFile];
   if (withOverrides && existsSync5(join3(installPath, COMPOSE_OVERRIDE))) {
     args.push("-f", COMPOSE_OVERRIDE);
@@ -8912,25 +9313,35 @@ async function fetchText(url) {
   }
   return response.text();
 }
-async function loadSelfHostComposeTemplate(templateRef) {
+function packagedTemplatePath(role) {
+  return join3(dirname(new URL(import.meta.url).pathname), "..", "templates", ROLE_TEMPLATE_FILES[role]);
+}
+function packagedCaddyTemplatePath(role) {
+  return join3(dirname(new URL(import.meta.url).pathname), "..", "templates", "caddy", role, "Caddyfile");
+}
+function fileHash(path) {
+  if (!existsSync5(path)) return null;
+  return createHash5("sha256").update(readFileSync5(path)).digest("hex");
+}
+async function loadSelfHostComposeTemplate(templateRef, role) {
   const templateDir = process.env.OPENMATES_SELFHOST_TEMPLATE_DIR;
   if (templateDir) {
-    return readFileSync5(join3(resolve3(templateDir), IMAGE_COMPOSE_FILE), "utf-8");
+    return readFileSync5(join3(resolve3(templateDir), ROLE_TEMPLATE_FILES[role]), "utf-8");
   }
   const overrideUrl = process.env.OPENMATES_SELFHOST_COMPOSE_URL;
   if (overrideUrl) {
     return fetchText(overrideUrl);
   }
-  return fetchText(
-    `https://raw.githubusercontent.com/glowingkitty/OpenMates/${templateRef}/backend/core/docker-compose.selfhost.yml`
-  );
+  const packaged = packagedTemplatePath(role);
+  if (existsSync5(packaged)) return readFileSync5(packaged, "utf-8");
+  return fetchText(`https://raw.githubusercontent.com/glowingkitty/OpenMates/${templateRef}/${ROLE_IMAGE_COMPOSE_FILES[role]}`);
 }
-async function writeImageModeRuntimeFiles(installPath, imageTag) {
-  const coreDir = join3(installPath, "backend", "core");
-  const vaultConfigDir = join3(coreDir, "vault", "config");
+async function writeImageModeRuntimeFiles(installPath, imageTag, role) {
+  const roleDir = join3(installPath, "backend", role === "core" ? "core" : role);
+  const vaultConfigDir = join3(roleDir, "vault", "config");
   mkdirSync3(vaultConfigDir, { recursive: true });
   mkdirSync3(join3(installPath, "config", "providers"), { recursive: true });
-  writeFileSync3(join3(coreDir, "docker-compose.selfhost.yml"), await loadSelfHostComposeTemplate(templateRefForImageTag(imageTag, getPackageVersion())));
+  writeFileSync3(join3(installPath, ROLE_IMAGE_COMPOSE_FILES[role]), await loadSelfHostComposeTemplate(templateRefForImageTag(imageTag, getPackageVersion()), role));
   writeFileSync3(join3(vaultConfigDir, "vault.hcl"), VAULT_CONFIG_TEMPLATE);
   ensureImageRuntimeConfig(installPath);
   const envPath = join3(installPath, ".env");
@@ -8975,7 +9386,16 @@ async function checkUrl(url) {
     clearTimeout(timeout);
   }
 }
-async function waitForServerHealth(installPath) {
+async function waitForServerHealth(installPath, role = "core") {
+  if (role === "upload" || role === "preview") {
+    const healthUrl = role === "upload" ? "http://localhost:8000/health" : "http://localhost:8080/health";
+    const deadline2 = Date.now() + UPDATE_HEALTH_TIMEOUT_MS;
+    while (Date.now() < deadline2) {
+      if (await checkUrl(healthUrl)) return;
+      await sleep2(UPDATE_HEALTH_INTERVAL_MS);
+    }
+    throw new Error(`Updated ${role} server did not pass health checks in time. Tried ${healthUrl}.`);
+  }
   const envPath = join3(installPath, ".env");
   const envContent = existsSync5(envPath) ? readFileSync5(envPath, "utf-8") : "";
   const urls = deriveSelfHostCliUrls(envContent);
@@ -9104,6 +9524,185 @@ function boolFromFlag(value, defaultValue = false) {
   const normalized = value.toLowerCase();
   return ["1", "true", "yes", "y", "on"].includes(normalized);
 }
+function shellQuote(value) {
+  return `'${value.replace(/'/g, `'"'"'`)}'`;
+}
+function nowStamp() {
+  return (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+}
+function backupRoot(installPath) {
+  return join3(installPath, "backups");
+}
+function roleBackupDir(installPath, role) {
+  return join3(backupRoot(installPath), role);
+}
+function updateStatusFile(installPath, role) {
+  return join3(installPath, ".openmates", `${role}-update-status.json`);
+}
+function writeUpdateStatus(installPath, role, status) {
+  const filePath = updateStatusFile(installPath, role);
+  mkdirSync3(dirname(filePath), { recursive: true, mode: 448 });
+  writeFileSync3(filePath, `${JSON.stringify({ role, updated_at: (/* @__PURE__ */ new Date()).toISOString(), ...status }, null, 2)}
+`, { mode: 384 });
+}
+function copyIfExists(source, destination) {
+  if (!existsSync5(source)) return;
+  mkdirSync3(dirname(destination), { recursive: true });
+  cpSync(source, destination, { recursive: true, force: true });
+}
+function readEnvMap(installPath) {
+  const envPath = join3(installPath, ".env");
+  if (!existsSync5(envPath)) return {};
+  const values = {};
+  for (const line of readFileSync5(envPath, "utf-8").split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith("#")) continue;
+    const eqIdx = trimmed.indexOf("=");
+    if (eqIdx === -1) continue;
+    values[trimmed.slice(0, eqIdx)] = trimmed.slice(eqIdx + 1).replace(/^"|"$/g, "");
+  }
+  return values;
+}
+function requiredRuntimeEnvKeys(role) {
+  if (role === "core") {
+    return [
+      "DATABASE_ADMIN_EMAIL",
+      "DATABASE_ADMIN_PASSWORD",
+      "DATABASE_NAME",
+      "DATABASE_USERNAME",
+      "DATABASE_PASSWORD",
+      "DIRECTUS_TOKEN",
+      "DIRECTUS_SECRET",
+      "DRAGONFLY_PASSWORD",
+      "INTERNAL_API_SHARED_TOKEN"
+    ];
+  }
+  if (role === "upload") {
+    return ["PROD_CORE_API_URL", "PROD_INTERNAL_API_SHARED_TOKEN", "DEV_CORE_API_URL", "DEV_INTERNAL_API_SHARED_TOKEN"];
+  }
+  return ["PREVIEW_CORS_ORIGINS", "PREVIEW_ALLOWED_REFERERS"];
+}
+function missingRequiredEnvKeys(installPath, role) {
+  const env = readEnvMap(installPath);
+  return requiredRuntimeEnvKeys(role).filter((key) => !env[key]);
+}
+function writeChecksums(rootDir) {
+  const lines = [];
+  const walk = (dir) => {
+    for (const entry of readdirSync(dir, { withFileTypes: true })) {
+      const path = join3(dir, entry.name);
+      if (entry.isDirectory()) {
+        walk(path);
+        continue;
+      }
+      if (entry.name === "checksums.sha256") continue;
+      const relative2 = path.slice(rootDir.length + 1);
+      const hash = createHash5("sha256").update(readFileSync5(path)).digest("hex");
+      lines.push(`${hash}  ${relative2}`);
+    }
+  };
+  walk(rootDir);
+  writeFileSync3(join3(rootDir, "checksums.sha256"), `${lines.sort().join("\n")}
+`);
+}
+function verifyChecksums(rootDir) {
+  const checksumsPath = join3(rootDir, "checksums.sha256");
+  if (!existsSync5(checksumsPath)) throw new Error("Backup archive is missing checksums.sha256.");
+  for (const line of readFileSync5(checksumsPath, "utf-8").split("\n")) {
+    const trimmed = line.trim();
+    if (!trimmed) continue;
+    const match = trimmed.match(/^([a-f0-9]{64}) {2}(.+)$/);
+    if (!match) throw new Error(`Invalid checksum entry: ${trimmed}`);
+    const relative2 = match[2];
+    if (relative2.startsWith("/") || relative2.split(/[\\/]/).includes("..")) {
+      throw new Error(`Unsafe checksum path in backup archive: ${relative2}`);
+    }
+    const filePath = join3(rootDir, relative2);
+    if (!existsSync5(filePath)) throw new Error(`Backup archive is missing checksummed file: ${relative2}`);
+    const actual = createHash5("sha256").update(readFileSync5(filePath)).digest("hex");
+    if (actual !== match[1]) throw new Error(`Backup checksum mismatch for ${relative2}.`);
+  }
+}
+function createServerBackup(installPath, role, options = {}) {
+  const plan = planBackup({ role, includeObservability: options.includeObservability });
+  const backupDir = roleBackupDir(installPath, role);
+  mkdirSync3(backupDir, { recursive: true, mode: 448 });
+  const archivePath = options.output ? resolve3(options.output) : join3(backupDir, options.preUpdate ? `latest-pre-update-${role}.tar.gz` : `openmates-${role}-${nowStamp()}.tar.gz`);
+  const tempDir = mkdtempSync(join3(backupDir, ".tmp-"));
+  const env = readEnvMap(installPath);
+  const manifest = {
+    role,
+    created_at: (/* @__PURE__ */ new Date()).toISOString(),
+    cli_version: getPackageVersion(),
+    image_tag: getEnvVar(existsSync5(join3(installPath, ".env")) ? readFileSync5(join3(installPath, ".env"), "utf-8") : "", "OPENMATES_IMAGE_TAG"),
+    include_observability: options.includeObservability === true,
+    contents: plan.contents
+  };
+  try {
+    writeFileSync3(join3(tempDir, "manifest.json"), `${JSON.stringify(manifest, null, 2)}
+`);
+    copyIfExists(join3(installPath, ".env"), join3(tempDir, "runtime", ".env"));
+    copyIfExists(join3(installPath, "config"), join3(tempDir, "runtime", "config"));
+    if (role === "core") {
+      const databaseUser = env.DATABASE_USERNAME || "directus";
+      const databaseName = env.DATABASE_NAME || "directus";
+      try {
+        const dump = execSync(
+          `docker exec cms-database pg_dump --clean --if-exists --no-owner --no-privileges -U ${shellQuote(databaseUser)} ${shellQuote(databaseName)}`,
+          { encoding: "utf-8" }
+        );
+        writeFileSync3(join3(tempDir, "postgres.sql"), dump);
+      } catch (error) {
+        throw new Error(`Postgres backup failed. Is cms-database running? ${error instanceof Error ? error.message : String(error)}`);
+      }
+    }
+    for (const item of [
+      [join3(installPath, "backend", "core", "uploads"), join3(tempDir, "directus-uploads")],
+      [join3(installPath, "backend", "core", "extensions"), join3(tempDir, "directus-extensions")],
+      [join3(installPath, "backend", role, "vault"), join3(tempDir, `${role}-vault-config`)]
+    ]) {
+      copyIfExists(item[0], item[1]);
+    }
+    writeChecksums(tempDir);
+    execSync(`tar -czf ${shellQuote(archivePath)} -C ${shellQuote(tempDir)} .`, { stdio: "pipe" });
+    chmodSync2(archivePath, plan.fileMode);
+    return archivePath;
+  } finally {
+    rmSync3(tempDir, { recursive: true, force: true });
+  }
+}
+function restoreServerBackup(installPath, role, file) {
+  const archivePath = resolve3(file);
+  if (!existsSync5(archivePath)) throw new Error(`Backup file not found: ${archivePath}`);
+  mkdirSync3(roleBackupDir(installPath, role), { recursive: true, mode: 448 });
+  const tempDir = mkdtempSync(join3(roleBackupDir(installPath, role), ".restore-"));
+  const env = readEnvMap(installPath);
+  try {
+    execSync(`tar -xzf ${shellQuote(archivePath)} -C ${shellQuote(tempDir)}`, { stdio: "pipe" });
+    verifyChecksums(tempDir);
+    const manifestPath = join3(tempDir, "manifest.json");
+    if (!existsSync5(manifestPath)) throw new Error("Backup archive is missing manifest.json.");
+    const manifest = JSON.parse(readFileSync5(manifestPath, "utf-8"));
+    if (manifest.role !== role) throw new Error(`Backup role '${manifest.role}' does not match requested role '${role}'.`);
+    copyIfExists(join3(tempDir, "runtime", ".env"), join3(installPath, ".env"));
+    copyIfExists(join3(tempDir, "runtime", "config"), join3(installPath, "config"));
+    const postgresDump = join3(tempDir, "postgres.sql");
+    if (role === "core" && existsSync5(postgresDump)) {
+      const databaseUser = env.DATABASE_USERNAME || "directus";
+      const databaseName = env.DATABASE_NAME || "directus";
+      execSync(`docker exec -i cms-database psql -v ON_ERROR_STOP=1 -U ${shellQuote(databaseUser)} ${shellQuote(databaseName)}`, {
+        input: readFileSync5(postgresDump),
+        stdio: ["pipe", "pipe", "pipe"]
+      });
+    }
+  } finally {
+    rmSync3(tempDir, { recursive: true, force: true });
+  }
+}
+function restoreStopServices(role) {
+  if (role !== "core") return [];
+  return resolveServiceSelection("core", { exclude: "cms-database" });
+}
 async function promptText(question, defaultValue = "") {
   const rl = createPromptInterface({ input: process.stdin, output: process.stderr });
   try {
@@ -9200,11 +9799,13 @@ async function serverStatus(flags) {
   const installPath = resolveServerPath(flags);
   ensureGitWorkDirEnv(installPath);
   const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
   const withOverrides = config?.composeProfile === "full";
-  const args = [...composeArgs(installPath, withOverrides, getInstallMode(installPath, config)), "ps"];
+  const args = [...composeArgs(installPath, withOverrides, getInstallMode(installPath, config), role), "ps"];
   if (flags.json === true) {
     args.push("--format", "json");
   }
+  if (hasServiceFilter(flags)) args.push(...selectedComposeServices(role, flags));
   const code = await runInteractive("docker", args, installPath);
   if (code !== 0) process.exit(code);
 }
@@ -9215,9 +9816,15 @@ async function serverStart(flags) {
   warnIfMissingLlmCredentials(installPath);
   const withOverrides = flags["with-overrides"] === true;
   const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
   const installMode = getInstallMode(installPath, config);
-  const pullArgs = [...composeArgs(installPath, withOverrides, installMode), "pull"];
-  const args = [...composeArgs(installPath, withOverrides, installMode), "up", "-d"];
+  const pullArgs = [...composeArgs(installPath, withOverrides, installMode, role), "pull"];
+  const args = [...composeArgs(installPath, withOverrides, installMode, role), "up", "-d"];
+  if (hasServiceFilter(flags)) {
+    const services = selectedComposeServices(role, flags);
+    pullArgs.push(...services);
+    args.push(...services);
+  }
   if (config && withOverrides && config.composeProfile !== "full") {
     saveServerConfig({ ...config, composeProfile: "full" });
   }
@@ -9246,8 +9853,9 @@ async function serverStop(flags) {
   const installPath = resolveServerPath(flags);
   ensureGitWorkDirEnv(installPath);
   const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
   const withOverrides = config?.composeProfile === "full";
-  const args = [...composeArgs(installPath, withOverrides, getInstallMode(installPath, config)), "down"];
+  const args = hasServiceFilter(flags) ? [...composeArgs(installPath, withOverrides, getInstallMode(installPath, config), role), "stop", ...selectedComposeServices(role, flags)] : [...composeArgs(installPath, withOverrides, getInstallMode(installPath, config), role), "down"];
   console.error("Stopping OpenMates server...");
   const code = await runInteractive("docker", args, installPath);
   if (code !== 0) process.exit(code);
@@ -9262,31 +9870,36 @@ async function serverRestart(flags) {
   const installPath = resolveServerPath(flags);
   ensureGitWorkDirEnv(installPath);
   const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
   const withOverrides = config?.composeProfile === "full";
   const installMode = getInstallMode(installPath, config);
   if (flags.rebuild === true) {
+    if (hasServiceFilter(flags)) {
+      throw new Error("--services/--exclude cannot be combined with --rebuild. Use graceful restart for service-scoped restarts.");
+    }
     if (installMode === "image") {
       throw new Error(
         "Image-mode installs use prebuilt images and cannot rebuild locally. Run 'openmates server update' to pull newer images, or reinstall with --from-source to build from source."
       );
     }
     console.error("Rebuilding OpenMates server (this may take a few minutes)...");
-    const downArgs = [...composeArgs(installPath, withOverrides, installMode), "down"];
+    const downArgs = [...composeArgs(installPath, withOverrides, installMode, role), "down"];
     let code = await runInteractive("docker", downArgs, installPath);
     if (code !== 0) process.exit(code);
     try {
       exec("docker volume rm openmates-cache-data", installPath);
     } catch {
     }
-    const buildArgs = [...composeArgs(installPath, withOverrides, installMode), "build"];
+    const buildArgs = [...composeArgs(installPath, withOverrides, installMode, role), "build"];
     code = await runInteractive("docker", buildArgs, installPath);
     if (code !== 0) process.exit(code);
-    const upArgs = [...composeArgs(installPath, withOverrides, installMode), "up", "-d"];
+    const upArgs = [...composeArgs(installPath, withOverrides, installMode, role), "up", "-d"];
     code = await runInteractive("docker", upArgs, installPath);
     if (code !== 0) process.exit(code);
   } else {
     console.error("Restarting OpenMates server...");
-    const args = [...composeArgs(installPath, withOverrides, installMode), "restart"];
+    const args = [...composeArgs(installPath, withOverrides, installMode, role), "restart"];
+    if (hasServiceFilter(flags)) args.push(...selectedComposeServices(role, flags));
     const code = await runInteractive("docker", args, installPath);
     if (code !== 0) process.exit(code);
   }
@@ -9301,8 +9914,9 @@ async function serverLogs(flags) {
   const installPath = resolveServerPath(flags);
   ensureGitWorkDirEnv(installPath);
   const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
   const withOverrides = config?.composeProfile === "full";
-  const args = [...composeArgs(installPath, withOverrides, getInstallMode(installPath, config)), "logs"];
+  const args = [...composeArgs(installPath, withOverrides, getInstallMode(installPath, config), role), "logs"];
   if (flags.follow === true || flags.f === true) {
     args.push("--follow");
   }
@@ -9312,9 +9926,13 @@ async function serverLogs(flags) {
   } else {
     args.push("--tail", "100");
   }
-  const container = flags.container;
-  if (typeof container === "string") {
-    args.push(container);
+  if (hasServiceFilter(flags)) {
+    args.push(...selectedComposeServices(role, flags));
+  } else {
+    const container = flags.container;
+    if (typeof container === "string") {
+      args.push(container);
+    }
   }
   const code = await runInteractive("docker", args, installPath);
   if (code !== 0) process.exit(code);
@@ -9323,7 +9941,10 @@ async function serverInstall(flags) {
   const installPath = typeof flags.path === "string" ? resolve3(flags.path) : DEFAULT_INSTALL_PATH;
   const sourcePath = typeof flags["source-path"] === "string" ? resolve3(flags["source-path"]) : null;
   const fromSource = flags["from-source"] === true || sourcePath !== null;
-  if (existsSync5(join3(installPath, SOURCE_COMPOSE_FILE)) || existsSync5(join3(installPath, IMAGE_COMPOSE_FILE))) {
+  const role = getServerRole(flags, null);
+  const profile = getCoreProfile(flags, null);
+  const runtimePlan = planServerRuntime({ role, profile, withAlerts: flags["with-alerts"] === true });
+  if (existsSync5(join3(installPath, SOURCE_COMPOSE_FILE)) || Object.values(ROLE_IMAGE_COMPOSE_FILES).some((composeFile) => existsSync5(join3(installPath, composeFile)))) {
     console.error(`OpenMates already exists at ${installPath}.`);
     console.error("Use 'openmates server update' to update, or choose a different --path.");
     process.exit(1);
@@ -9341,7 +9962,7 @@ async function serverInstall(flags) {
     }
     const imageTag = typeof flags["image-tag"] === "string" ? flags["image-tag"] : getDefaultImageTag();
     console.error(`Preparing OpenMates image-mode install at ${installPath}...`);
-    await writeImageModeRuntimeFiles(installPath, imageTag);
+    await writeImageModeRuntimeFiles(installPath, imageTag, role);
     const cliUrls2 = deriveSelfHostCliUrls(readFileSync5(join3(installPath, ".env"), "utf-8"));
     try {
       exec("docker network create openmates", installPath);
@@ -9350,7 +9971,11 @@ async function serverInstall(flags) {
     saveServerConfig({
       installPath,
       installedAt: Date.now(),
-      composeProfile: "core",
+      composeProfile: role === "core" ? "core" : "core",
+      serverRole: role,
+      serverProfile: profile,
+      defaultServices: runtimePlan.defaultServices,
+      composeFiles: runtimePlan.composeFiles,
       installMode: "image",
       imageTag,
       ...cliUrls2
@@ -9417,6 +10042,10 @@ CLI default API: ${cliUrls2.apiUrl}`);
     installPath,
     installedAt: Date.now(),
     composeProfile: "core",
+    serverRole: role,
+    serverProfile: profile,
+    defaultServices: runtimePlan.defaultServices,
+    composeFiles: runtimePlan.composeFiles,
     installMode: "source",
     ...cliUrls
   });
@@ -9434,13 +10063,71 @@ CLI default API: ${cliUrls.apiUrl}`);
     console.log("\nOptional: edit .env first to add LLM provider API keys. Without keys, the web app and backend still start, but AI model processing is unavailable.");
   }
 }
-async function serverUpdate(flags) {
+async function installContinuousUpdateService(flags) {
+  const config = loadServerConfig();
+  const role = getServerRole(flags, config);
+  const channel = typeof flags.channel === "string" ? flags.channel : config?.imageChannel ?? "main";
+  const window = typeof flags.window === "string" ? flags.window : "02:00-04:00 UTC";
+  const plan = planContinuousUpdateService({ role, channel, window });
+  const servicePath = join3("/etc", "systemd", "system", plan.serviceName);
+  const timerPath = join3("/etc", "systemd", "system", plan.timerName);
+  if (flags["dry-run"] === true || flags.json === true) {
+    printJson({ command: "update install-service", status: "planned", role, servicePath, timerPath, unit: plan.unit, timer: plan.timer });
+    return;
+  }
+  try {
+    writeFileSync3(servicePath, plan.unit, { mode: 420 });
+    writeFileSync3(timerPath, plan.timer, { mode: 420 });
+    execSync("systemctl daemon-reload", { stdio: "pipe" });
+    execSync(`systemctl enable --now ${shellQuote(plan.timerName)}`, { stdio: "pipe" });
+  } catch (error) {
+    throw new Error(
+      `Could not install systemd updater. Run with sudo or use --dry-run to inspect generated units. ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+  console.log(`Installed ${plan.timerName}.`);
+}
+async function serverUpdate(rest, flags) {
+  if (rest[0] === "status") {
+    const installPath2 = resolveServerPath(flags);
+    const config2 = loadConfigForInstallPath(installPath2);
+    const role2 = getServerRole(flags, config2);
+    const filePath = updateStatusFile(installPath2, role2);
+    if (flags.json === true) {
+      printJson(existsSync5(filePath) ? JSON.parse(readFileSync5(filePath, "utf-8")) : { role: role2, status: "unknown" });
+      return;
+    }
+    if (!existsSync5(filePath)) {
+      console.log(`No update status recorded for ${role2}.`);
+      return;
+    }
+    console.log(readFileSync5(filePath, "utf-8").trim());
+    return;
+  }
+  if (rest[0] === "install-service") {
+    if (flags.continuous !== true) throw new Error("Usage: openmates server update install-service --continuous [--channel main|dev|stable]");
+    await installContinuousUpdateService(flags);
+    return;
+  }
+  if (flags.continuous === true) {
+    const intervalMinutes = typeof flags.interval === "string" ? Number.parseInt(flags.interval, 10) : 30;
+    if (!Number.isFinite(intervalMinutes) || intervalMinutes < 5) throw new Error("--interval must be at least 5 minutes.");
+    console.error(`Running continuous updater every ${intervalMinutes} minutes. Use Ctrl+C to stop.`);
+    while (true) {
+      await serverUpdate([], { ...flags, continuous: false });
+      await sleep2(intervalMinutes * 6e4);
+    }
+  }
   const installPath = resolveServerPath(flags);
   const dryRun = flags["dry-run"] === true;
   if (!dryRun) ensureGitWorkDirEnv(installPath);
   const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
   const withOverrides = config?.composeProfile === "full";
   const installMode = getInstallMode(installPath, config);
+  const filterRequested = hasServiceFilter(flags);
+  const selectedServices = filterRequested ? selectedComposeServices(role, flags) : [];
+  const missingEnvKeys = missingRequiredEnvKeys(installPath, role);
   if (installMode === "source" && (flags["image-tag"] !== void 0 || flags.channel !== void 0)) {
     throw new Error("--image-tag and --channel only apply to image-mode installs. Source-mode installs update from Git.");
   }
@@ -9450,14 +10137,22 @@ async function serverUpdate(flags) {
     const currentTag = getImageTagFromEnv(installPath, config);
     const target = resolveTargetImageTag(flags, currentTag, getPackageVersion());
     const templateRef = templateRefForImageTag(target.tag, getPackageVersion());
+    const safetyPlan = planUpdate({ role, selectedServices, dryRun, skipBackup: flags["skip-backup"] === true, continuous: false, missingRequiredSecrets: missingEnvKeys });
     const plan = {
       command: "update",
+      role,
       path: installPath,
       mode: "image",
       currentImageTag: currentTag || null,
       targetImageTag: target.tag,
       channel: target.channel ?? null,
       templateRef,
+      selectedServices: filterRequested ? selectedServices : "all",
+      steps: safetyPlan.steps,
+      backupName: safetyPlan.backupName,
+      missingRequiredEnvKeys: missingEnvKeys,
+      blocked: safetyPlan.blocked,
+      blockReason: safetyPlan.blockReason,
       dryRun
     };
     if (dryRun) {
@@ -9469,37 +10164,59 @@ async function serverUpdate(flags) {
         console.log(`  Current tag:   ${currentTag || "unknown"}`);
         console.log(`  Target tag:    ${target.tag}`);
         console.log(`  Template ref:  ${templateRef}`);
+        console.log(`  Role:          ${role}`);
+        console.log(`  Services:      ${filterRequested ? selectedServices.join(", ") : "all"}`);
+        console.log(`  Backup:        ${safetyPlan.backupName ?? "none"}`);
+        console.log(`  Steps:         ${safetyPlan.steps.join(" -> ")}`);
+        console.log(`  Env preflight: ${missingEnvKeys.length ? `missing ${missingEnvKeys.join(", ")}` : "ok"}`);
         console.log("  Commands:      refresh compose, docker compose pull, docker compose up -d, health checks");
       }
       return;
     }
+    if (safetyPlan.blocked) throw new Error(safetyPlan.blockReason ?? "Update blocked by preflight.");
+    if (missingEnvKeys.length && flags.yes !== true) {
+      throw new Error(`Required environment keys are missing: ${missingEnvKeys.join(", ")}. Add them to .env or rerun with --yes after reviewing.`);
+    }
     console.error(`Mode: image`);
     console.error(`Current image tag: ${currentTag || "unknown"}`);
     console.error(`Target image tag: ${target.tag}`);
+    writeUpdateStatus(installPath, role, { status: "in_progress", targetImageTag: target.tag, step: "backup" });
+    if (safetyPlan.backupName) {
+      console.error(`Creating rotating pre-update backup: ${safetyPlan.backupName}`);
+      createServerBackup(installPath, role, { preUpdate: true });
+    } else {
+      console.error("Skipping pre-update backup for this role or because --skip-backup was passed.");
+    }
     console.error(`Refreshing self-host runtime files from ${templateRef}...`);
-    await writeImageModeRuntimeFiles(installPath, target.tag);
-    const pullArgs = [...composeArgs(installPath, withOverrides, installMode), "pull"];
+    await writeImageModeRuntimeFiles(installPath, target.tag, role);
+    const pullArgs = [...composeArgs(installPath, withOverrides, installMode, role), "pull"];
+    if (filterRequested) pullArgs.push(...selectedServices);
     let code2 = 0;
     if (shouldPullImages()) {
+      writeUpdateStatus(installPath, role, { status: "in_progress", targetImageTag: target.tag, step: "pull" });
       console.error("Pulling prebuilt images...");
       code2 = await runInteractive("docker", pullArgs, installPath);
       if (code2 !== 0) process.exit(code2);
     } else {
       console.error("Skipping image pull because OPENMATES_SKIP_IMAGE_PULL=1.");
     }
-    const upArgs2 = [...composeArgs(installPath, withOverrides, installMode), "up", "-d"];
+    writeUpdateStatus(installPath, role, { status: "in_progress", targetImageTag: target.tag, step: "up" });
+    const upArgs2 = [...composeArgs(installPath, withOverrides, installMode, role), "up", "-d"];
+    if (filterRequested) upArgs2.push(...selectedServices);
     code2 = await runInteractive("docker", upArgs2, installPath);
     if (code2 !== 0) process.exit(code2);
-    console.error("Waiting for API and web health checks...");
+    console.error("Waiting for role health checks...");
     try {
-      await waitForServerHealth(installPath);
+      writeUpdateStatus(installPath, role, { status: "in_progress", targetImageTag: target.tag, step: "health-check" });
+      await waitForServerHealth(installPath, role);
     } catch (error) {
-      await runInteractive("docker", [...composeArgs(installPath, withOverrides, installMode), "ps"], installPath);
+      await runInteractive("docker", [...composeArgs(installPath, withOverrides, installMode, role), "ps"], installPath);
       throw error;
     }
     if (config) {
       saveServerConfig({ ...config, imageTag: target.tag, imageChannel: target.channel });
     }
+    writeUpdateStatus(installPath, role, { status: "success", targetImageTag: target.tag, step: "complete" });
     if (flags.json === true) {
       printJson({ ...plan, status: "success", dryRun: false });
     } else {
@@ -9545,18 +10262,18 @@ async function serverUpdate(flags) {
     } catch {
     }
   }
-  const buildArgs = [...composeArgs(installPath, withOverrides, installMode), "build"];
+  const buildArgs = [...composeArgs(installPath, withOverrides, installMode, role), "build"];
   console.error("Rebuilding containers...");
   let code = await runInteractive("docker", buildArgs, installPath);
   if (code !== 0) process.exit(code);
-  const upArgs = [...composeArgs(installPath, withOverrides, installMode), "up", "-d"];
+  const upArgs = [...composeArgs(installPath, withOverrides, installMode, role), "up", "-d"];
   code = await runInteractive("docker", upArgs, installPath);
   if (code !== 0) process.exit(code);
   console.error("Waiting for API and web health checks...");
   try {
-    await waitForServerHealth(installPath);
+    await waitForServerHealth(installPath, role);
   } catch (error) {
-    await runInteractive("docker", [...composeArgs(installPath, withOverrides, installMode), "ps"], installPath);
+    await runInteractive("docker", [...composeArgs(installPath, withOverrides, installMode, role), "ps"], installPath);
     throw error;
   }
   if (flags.json === true) {
@@ -9570,6 +10287,7 @@ async function serverReset(flags) {
   const installPath = resolveServerPath(flags);
   ensureGitWorkDirEnv(installPath);
   const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
   const withOverrides = config?.composeProfile === "full";
   const installMode = getInstallMode(installPath, config);
   const userDataOnly = flags["delete-user-data-only"] === true;
@@ -9591,7 +10309,7 @@ async function serverReset(flags) {
   }
   console.error("Resetting server...");
   if (userDataOnly) {
-    const downArgs = [...composeArgs(installPath, withOverrides, installMode), "down"];
+    const downArgs = [...composeArgs(installPath, withOverrides, installMode, role), "down"];
     let code = await runInteractive("docker", downArgs, installPath);
     if (code !== 0) process.exit(code);
     for (const vol of ["openmates-cache-data", "openmates-postgres-data", "openmates-cms-database-data"]) {
@@ -9602,15 +10320,15 @@ async function serverReset(flags) {
       }
     }
     if (installMode === "source") {
-      const buildArgs = [...composeArgs(installPath, withOverrides, installMode), "build"];
+      const buildArgs = [...composeArgs(installPath, withOverrides, installMode, role), "build"];
       code = await runInteractive("docker", buildArgs, installPath);
       if (code !== 0) process.exit(code);
     }
-    const upArgs = [...composeArgs(installPath, withOverrides, installMode), "up", "-d"];
+    const upArgs = [...composeArgs(installPath, withOverrides, installMode, role), "up", "-d"];
     code = await runInteractive("docker", upArgs, installPath);
     if (code !== 0) process.exit(code);
   } else {
-    const args = [...composeArgs(installPath, withOverrides, installMode), "down", "-v"];
+    const args = [...composeArgs(installPath, withOverrides, installMode, role), "down", "-v"];
     const code = await runInteractive("docker", args, installPath);
     if (code !== 0) process.exit(code);
   }
@@ -9888,11 +10606,76 @@ async function serverAi(rest, flags) {
       throw new Error(`Unknown server ai models command '${action}'. Use add, list, test, or remove.`);
   }
 }
+async function serverBackup(rest, flags) {
+  const action = rest[0];
+  const installPath = resolveServerPath(flags);
+  const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
+  if (action === "list") {
+    const dir = roleBackupDir(installPath, role);
+    const files = existsSync5(dir) ? readdirSync(dir).filter((item) => item.endsWith(".tar.gz")).sort() : [];
+    if (flags.json === true) {
+      printJson({ role, backupDir: dir, files });
+      return;
+    }
+    console.log(`Backups for ${role}:`);
+    if (!files.length) {
+      console.log("  none");
+      return;
+    }
+    for (const file of files) console.log(`  ${join3(dir, file)}`);
+    return;
+  }
+  requireDocker();
+  const output = typeof flags.output === "string" ? flags.output : void 0;
+  const archivePath = createServerBackup(installPath, role, {
+    output,
+    includeObservability: flags["include-observability"] === true
+  });
+  if (flags.json === true) {
+    printJson({ command: "backup", status: "success", role, file: archivePath });
+  } else {
+    console.log(`Backup created: ${archivePath}`);
+  }
+}
+async function serverRestore(flags) {
+  requireDocker();
+  const installPath = resolveServerPath(flags);
+  const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
+  const file = typeof flags.file === "string" ? flags.file : "";
+  if (!file) throw new Error("Usage: openmates server restore --file <backup.tar.gz> [--role core|upload|preview] [--yes]");
+  const restorePlan = planRestore({ role, file, yes: flags.yes === true });
+  if (restorePlan.requiresConfirmation) {
+    console.error(`
+WARNING: This will restore ${role} data from ${file}.`);
+    const confirmed = await confirmDestructive("RESTORE OPENMATES BACKUP");
+    if (!confirmed) {
+      console.error("Restore cancelled.");
+      return;
+    }
+  }
+  const withOverrides = config?.composeProfile === "full";
+  const installMode = getInstallMode(installPath, config);
+  const stopArgs = [...composeArgs(installPath, withOverrides, installMode, role), "stop", ...restoreStopServices(role)];
+  let code = await runInteractive("docker", stopArgs, installPath);
+  if (code !== 0) process.exit(code);
+  restoreServerBackup(installPath, role, file);
+  code = await runInteractive("docker", [...composeArgs(installPath, withOverrides, installMode, role), "up", "-d"], installPath);
+  if (code !== 0) process.exit(code);
+  await waitForServerHealth(installPath, role);
+  if (flags.json === true) {
+    printJson({ command: "restore", status: "success", role, file });
+  } else {
+    console.log(`Restore completed for ${role}.`);
+  }
+}
 async function serverUninstall(flags) {
   requireDocker();
   const installPath = resolveServerPath(flags);
   ensureGitWorkDirEnv(installPath);
   const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
   const withOverrides = config?.composeProfile === "full";
   const keepData = flags["keep-data"] === true;
   console.error("\nWARNING: This will completely uninstall OpenMates:");
@@ -9914,7 +10697,7 @@ async function serverUninstall(flags) {
     }
   }
   console.error("Uninstalling OpenMates...");
-  const downArgs = [...composeArgs(installPath, withOverrides, getInstallMode(installPath, config)), "down", "--rmi", "local"];
+  const downArgs = [...composeArgs(installPath, withOverrides, getInstallMode(installPath, config), role), "down", "--rmi", "local"];
   if (!keepData) {
     downArgs.push("-v");
   }
@@ -9940,6 +10723,113 @@ async function serverUninstall(flags) {
     }
   }
 }
+async function serverPreflight(flags) {
+  const installPath = resolveServerPath(flags);
+  const config = loadConfigForInstallPath(installPath);
+  const role = getServerRole(flags, config);
+  const services = hasServiceFilter(flags) ? selectedComposeServices(role, flags) : [];
+  const updatePlan = planUpdate({ role, selectedServices: services, dryRun: true });
+  const missingEnvKeys = missingRequiredEnvKeys(installPath, role);
+  const runtimePlan = planServerRuntime({
+    role,
+    profile: getCoreProfile(flags, config),
+    withAlerts: flags["with-alerts"] === true
+  });
+  const caddyPlan = planCaddyCommand({ role, action: "status" });
+  const preflight = {
+    command: "preflight",
+    status: updatePlan.blocked ? "blocked" : "ok",
+    path: installPath,
+    role,
+    profile: runtimePlan.profile,
+    services: hasServiceFilter(flags) ? services : "all",
+    healthChecks: runtimePlan.healthChecks,
+    updateSteps: updatePlan.steps,
+    backupName: updatePlan.backupName,
+    missingRequiredEnvKeys: missingEnvKeys,
+    caddy: caddyPlan
+  };
+  if (flags.json === true) {
+    printJson(preflight);
+    return;
+  }
+  console.log("Server preflight plan:");
+  console.log(`  Role:          ${role}`);
+  console.log(`  Profile:       ${runtimePlan.profile ?? "n/a"}`);
+  console.log(`  Services:      ${hasServiceFilter(flags) ? services.join(", ") : "all"}`);
+  console.log(`  Backup:        ${updatePlan.backupName ?? "none"}`);
+  console.log(`  Env preflight: ${missingEnvKeys.length ? `missing ${missingEnvKeys.join(", ")}` : "ok"}`);
+  console.log(`  Health checks: ${runtimePlan.healthChecks.join(", ")}`);
+  console.log(`  Caddy steps:   ${caddyPlan.steps.join(" -> ")}`);
+}
+async function serverCaddy(rest, flags) {
+  const action = rest[0] ?? "status";
+  if (!["check", "status", "diff", "apply"].includes(action)) {
+    throw new Error("Usage: openmates server caddy check|status|diff|apply [--role core|upload|preview]");
+  }
+  const config = loadServerConfig();
+  const role = getServerRole(flags, config);
+  const appliedPath = typeof flags.config === "string" ? flags.config : "/etc/caddy/Caddyfile";
+  const templatePath = packagedCaddyTemplatePath(role);
+  if (!existsSync5(templatePath)) throw new Error(`Packaged Caddy template not found: ${templatePath}`);
+  const plan = planCaddyCommand({ role, action, appliedPath });
+  const payload = {
+    ...plan,
+    templatePath,
+    templateHash: fileHash(templatePath),
+    appliedHash: fileHash(appliedPath),
+    drift: fileHash(templatePath) !== fileHash(appliedPath)
+  };
+  if (flags.json === true) {
+    printJson(payload);
+    return;
+  }
+  if (action === "check") {
+    execSync(`caddy validate --config ${shellQuote(templatePath)}`, { stdio: "inherit" });
+    console.log(`Caddy template is valid for ${role}.`);
+    return;
+  }
+  if (action === "diff") {
+    if (!existsSync5(appliedPath)) throw new Error(`Applied Caddyfile not found: ${appliedPath}`);
+    try {
+      execSync(`diff -u ${shellQuote(appliedPath)} ${shellQuote(templatePath)}`, { stdio: "inherit" });
+    } catch (error) {
+      const status = typeof error === "object" && error !== null && "status" in error ? error.status : void 0;
+      if (status !== 1) throw error;
+    }
+    return;
+  }
+  if (action === "apply") {
+    execSync(`caddy validate --config ${shellQuote(templatePath)}`, { stdio: "inherit" });
+    if (flags.yes !== true) {
+      console.error(`
+WARNING: This will replace ${appliedPath} with the packaged ${role} Caddyfile.`);
+      const confirmed = await confirmDestructive("APPLY CADDYFILE");
+      if (!confirmed) {
+        console.error("Caddy apply cancelled.");
+        return;
+      }
+    }
+    const backupPath = `${appliedPath}.openmates-backup-${nowStamp()}`;
+    try {
+      if (existsSync5(appliedPath)) copyFileSync(appliedPath, backupPath);
+      copyFileSync(templatePath, appliedPath);
+      execSync("systemctl reload caddy", { stdio: "inherit" });
+    } catch (error) {
+      throw new Error(`Could not apply Caddyfile. Run with sudo or use --config <writable path>. ${error instanceof Error ? error.message : String(error)}`);
+    }
+    console.log(`Applied Caddyfile for ${role}. Backup: ${backupPath}`);
+    return;
+  }
+  console.log(`Caddy ${action} plan:`);
+  console.log(`  Role:          ${payload.role}`);
+  console.log(`  Template:      ${payload.templatePath}`);
+  console.log(`  Applied:       ${payload.appliedPath}`);
+  console.log(`  Template hash: ${payload.templateHash ?? "missing"}`);
+  console.log(`  Applied hash:  ${payload.appliedHash ?? "missing"}`);
+  console.log(`  Drift:         ${payload.drift ? "yes" : "no"}`);
+  console.log(`  Steps:         ${payload.steps.join(" -> ")}`);
+}
 function printServerHelp() {
   console.log(`
 OpenMates Server Management
@@ -9954,6 +10844,10 @@ Commands:
   status          Show server status (container health)
   logs            Display server logs
   update          Update to latest version (pull images, or git pull + rebuild for source installs)
+  preflight       Show role/update/Caddy preflight plan
+  caddy           Plan host-level Caddyfile check/status/diff/apply operations
+  backup          Create or list backups
+  restore         Restore a backup archive
   make-admin      Grant admin privileges to a user
   ai              Manage self-hosted local AI models
   reset           Reset server data (requires confirmation)
@@ -9962,33 +10856,57 @@ Commands:
 Global Options:
   --path <dir>    Override the server installation directory
   --json          Output machine-readable JSON
+  --role <role>   Server role: core, upload, or preview (default: core)
   --help          Show this help message
 
 Command Options:
   install:
     --path <dir>        Install directory (default: ~/openmates)
     --env-path <file>   Copy a pre-existing .env file during install
+    --profile <name>    Core profile: minimal, standard, or production
+    --with-alerts       Include alertmanager in production profile planning
     --image-tag <tag>   Prebuilt image tag (default: CLI version tag)
     --from-source       Clone/build from source instead of using prebuilt GHCR images
     --source-path <dir> Clone from a local checkout instead of GitHub (implies --from-source)
 
   start:
     --with-overrides    Include admin UIs (Directus CMS, Grafana)
+    --services <csv>    Start only selected role services
+    --exclude <csv>     Start all role services except selected services
 
   restart:
     --rebuild           Full rebuild (down + build + up) instead of graceful restart
+    --services <csv>    Restart only selected role services
+    --exclude <csv>     Restart all role services except selected services
 
   logs:
     --container <name>  Filter logs to a specific service (e.g. api, cms)
+    --services <csv>    Filter logs to selected role services
+    --exclude <csv>     Filter logs to all role services except selected services
     --follow, -f        Stream logs in real time
     --tail <n>          Number of lines to show (default: 100)
 
   update:
     --dry-run           Show update plan without changing files or containers
+    --services <csv>    Update only selected role services
+    --exclude <csv>     Update all role services except selected services
     --image-tag <tag>   Image mode: update to a specific prebuilt image tag
     --channel <name>    Image mode: update using stable/main or dev channel tags
+    --continuous        Run continuously in foreground, or use with install-service
+    --interval <min>    Foreground continuous update interval (default: 30)
+    install-service --continuous --channel <name> --window <window>
     --force             Source mode: stash local changes before pulling
 
+  backup:
+    openmates server backup [--role core|upload|preview] [--output <file>] [--include-observability]
+    openmates server backup list [--role core|upload|preview]
+
+  restore:
+    openmates server restore --file <backup.tar.gz> [--role core|upload|preview] [--yes]
+
+  caddy:
+    openmates server caddy check|status|diff|apply [--role core|upload|preview] [--config /etc/caddy/Caddyfile]
+
   reset:
     --delete-user-data-only   Only delete database and cache (preserve config)
     --yes                     Skip confirmation prompt
@@ -10047,7 +10965,15 @@ async function handleServer(subcommand, rest, flags) {
     case "install":
       return serverInstall(flags);
     case "update":
-      return serverUpdate(flags);
+      return serverUpdate(rest, flags);
+    case "preflight":
+      return serverPreflight(flags);
+    case "caddy":
+      return serverCaddy(rest, flags);
+    case "backup":
+      return serverBackup(rest, flags);
+    case "restore":
+      return serverRestore(flags);
     case "reset":
       return serverReset(flags);
     case "make-admin":
@@ -26725,6 +27651,12 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
         text: "Upload PDFs and read or search their content."
       }
     },
+    mindmaps: {
+      text: "Mind Maps",
+      description: {
+        text: "Create structured idea maps and brainstorm topic trees."
+      }
+    },
     math: {
       text: "Math",
       description: {
@@ -26788,6 +27720,47 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
     generated_by_cost: {
       text: "Cost: {credits} credits"
     },
+    interests: {
+      eyebrow: {
+        text: "Private local personalization"
+      },
+      title: {
+        text: "What are you interested in?"
+      },
+      continue: {
+        text: "Continue"
+      },
+      software_development: {
+        text: "software development"
+      },
+      use_the_cli: {
+        text: "use the CLI"
+      },
+      open_source: {
+        text: "open source"
+      },
+      read_developer_docs: {
+        text: "read developer docs"
+      },
+      run_code: {
+        text: "run code"
+      },
+      protect_my_privacy: {
+        text: "protect my privacy"
+      },
+      summarize_documents: {
+        text: "summarize documents"
+      },
+      find_apartments: {
+        text: "find apartments"
+      },
+      local_life: {
+        text: "local life"
+      },
+      learn_anything: {
+        text: "learn anything"
+      }
+    },
     new_chat: {
       text: "New chat"
     },
@@ -27213,6 +28186,9 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
       learn_coding: {
         text: "How do I start learning to code?"
       },
+      use_openmates_cli_api: {
+        text: "Show me how to use OpenMates from the CLI or API"
+      },
       stock_market: {
         text: "Explain how the stock market works"
       },
@@ -30378,6 +31354,32 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
         text: "Plot"
       }
     },
+    mindmaps: {
+      mindmap: {
+        text: "Mind Map"
+      },
+      counts: {
+        text: "{nodes} nodes \xB7 {edges} edges"
+      },
+      invalid_json: {
+        text: "Invalid mind map JSON"
+      },
+      invalid_content: {
+        text: "Invalid content"
+      },
+      validation_warnings: {
+        text: "Validation warnings"
+      },
+      source: {
+        text: "Source"
+      },
+      expand: {
+        text: "Expand {label}"
+      },
+      collapse: {
+        text: "Collapse {label}"
+      }
+    },
     diagrams: {
       mermaid: {
         text: "Mermaid Diagram"
@@ -36409,6 +37411,21 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
       },
       import_importing: {
         text: "Importing\u2026"
+      },
+      interests: {
+        text: "Interests"
+      },
+      interests_description: {
+        text: "Choose the topics OpenMates should prioritize when it suggests chats, examples, and product tips."
+      },
+      interests_privacy_note: {
+        text: "These preferences are encrypted on your device before syncing. The server stores only ciphertext."
+      },
+      interests_saved: {
+        text: "Interests saved"
+      },
+      interests_save_error: {
+        text: "Could not save interests. Please try again."
       }
     },
     ai: {
@@ -39929,6 +40946,9 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
     server_will_be_restarted: {
       text: "The server will be restarted and\ntherefore briefly offline once\nthe update has been installed."
     },
+    cli_managed_update_notice: {
+      text: "Install updates from the server host with <code>openmates server update</code>."
+    },
     installing_update: {
       text: "Installing update..."
     },
@@ -42301,7 +43321,7 @@ function buildAssistantFeedbackDecision(rating) {
 
 // src/benchmark.ts
 import { randomUUID as randomUUID3 } from "crypto";
-import { existsSync as existsSync6, mkdtempSync, readFileSync as readFileSync6, readdirSync, writeFileSync as writeFileSync4 } from "fs";
+import { existsSync as existsSync6, mkdtempSync as mkdtempSync2, readFileSync as readFileSync6, readdirSync as readdirSync2, writeFileSync as writeFileSync4 } from "fs";
 import { tmpdir } from "os";
 import { dirname as dirname2, join as join4, resolve as resolve5 } from "path";
 import { fileURLToPath } from "url";
@@ -43100,7 +44120,7 @@ function loadProviderPricing() {
   const providersDir = findProvidersDir();
   const pricing = /* @__PURE__ */ new Map();
   if (!providersDir) return pricing;
-  for (const fileName of readdirSync(providersDir)) {
+  for (const fileName of readdirSync2(providersDir)) {
     if (!fileName.endsWith(".yml")) continue;
     const filePath = join4(providersDir, fileName);
     const text = readFileSync6(filePath, "utf-8");
@@ -43285,7 +44305,7 @@ function defaultImageFixturePath() {
   const fixtureDir = join4(dirname2(fileURLToPath(import.meta.url)), "..", "fixtures");
   const fixturePath = join4(fixtureDir, "brandenburger-tor.png");
   if (existsSync6(fixturePath)) return fixturePath;
-  const tempDir = mkdtempSync(join4(tmpdir(), "openmates-benchmark-"));
+  const tempDir = mkdtempSync2(join4(tmpdir(), "openmates-benchmark-"));
   const tempPath = join4(tempDir, "brandenburger-tor.svg");
   writeFileSync4(tempPath, FIXTURE_IMAGE_SVG, "utf-8");
   return tempPath;
@@ -44804,6 +45824,9 @@ async function handleEmbeds(client, subcommand, rest, flags) {
 var SETTINGS_EXECUTABLE_COMMANDS = [
   { path: ["account", "info"], description: "Show account info", examples: ["openmates settings account info --json"] },
   { path: ["account", "timezone", "set"], description: "Set account timezone", examples: ["openmates settings account timezone set Europe/Berlin"] },
+  { path: ["account", "interests", "list"], description: "Show encrypted account topic interests", examples: ["openmates settings account interests list --json"] },
+  { path: ["account", "interests", "set"], description: "Set encrypted account topic interests", examples: ["openmates settings account interests set software_development use_the_cli"] },
+  { path: ["account", "interests", "clear"], description: "Clear encrypted account topic interests", examples: ["openmates settings account interests clear --yes"] },
   { path: ["account", "export", "manifest"], description: "Show account export manifest", examples: ["openmates settings account export manifest --json"] },
   { path: ["account", "export", "data"], description: "Fetch account export data", examples: ["openmates settings account export data --json"] },
   { path: ["account", "import-chat"], description: "Import a CLI chat export file", examples: ["openmates settings account import-chat ./chat.yml", "openmates settings account import-chat ./payload.json"] },
@@ -44905,6 +45928,30 @@ async function printSettingsMutationResult(resultPromise, flags) {
   process.stdout.write("\x1B[32m\u2713\x1B[0m Settings updated\n");
   if (result && typeof result === "object") printGenericObject(result);
 }
+function printTopicPreferences(preferences, flags, successLabel) {
+  const payload = preferences ?? {
+    version: 1,
+    selectedTagIds: [],
+    updatedAt: null
+  };
+  const result = {
+    ...payload,
+    availableTagIds: INTEREST_TAG_IDS
+  };
+  if (flags.json === true) {
+    printJson2(result);
+    return;
+  }
+  if (successLabel) {
+    process.stdout.write(`\x1B[32m\u2713\x1B[0m ${successLabel}
+`);
+  }
+  const selected = result.selectedTagIds.length > 0 ? result.selectedTagIds.join(", ") : "none";
+  process.stdout.write(`Selected interests: ${selected}
+`);
+  process.stdout.write(`Available interests: ${INTEREST_TAG_IDS.join(", ")}
+`);
+}
 function printReportIssueCreateResult(result, flags) {
   if (flags.json === true) {
     printJson2(result);
@@ -45428,6 +46475,30 @@ async function handleSettings(client, subcommand, rest, flags) {
     );
     return;
   }
+  if (matches(tokens, ["account", "interests", "list"])) {
+    const preferences = await client.getTopicPreferences();
+    printTopicPreferences(preferences, flags);
+    return;
+  }
+  if (matches(tokens, ["account", "interests", "set"])) {
+    const selectedTagIds = rest.slice(2);
+    if (selectedTagIds.length === 0) {
+      throw new Error(
+        `Missing interest tag IDs. Use one or more of: ${INTEREST_TAG_IDS.join(", ")}`
+      );
+    }
+    const preferences = await client.setTopicPreferences(selectedTagIds);
+    printTopicPreferences(preferences, flags, "Interests updated");
+    return;
+  }
+  if (matches(tokens, ["account", "interests", "clear"])) {
+    if (flags.yes !== true) {
+      await confirmOrExit("Clear account interests? [y/N] ");
+    }
+    const preferences = await client.clearTopicPreferences();
+    printTopicPreferences(preferences, flags, "Interests cleared");
+    return;
+  }
   if (matches(tokens, ["account", "export", "manifest"])) {
     await printSettingsResult(client.settingsGet("export-account-manifest"), flags);
     return;
@@ -48323,6 +49394,8 @@ if (isCliEntrypoint()) {
 }
 
 export {
+  INTEREST_TAG_IDS,
+  normalizeInterestTagIds,
   MEMORY_TYPE_REGISTRY,
   MATE_NAMES,
   deriveAppUrl,