ragent-cli 1.3.0 → 1.4.0

package/dist/index.js

@@ -31,7 +31,7 @@ var require_package = __commonJS({
   "package.json"(exports2, module2) {
     module2.exports = {
       name: "ragent-cli",
-      version: "1.3.0",
+      version: "1.4.0",
       description: "CLI agent for rAgent Live \u2014 browser-first terminal control plane for AI coding agents",
       main: "dist/index.js",
       bin: {
@@ -127,6 +127,7 @@ var MAX_RECONNECT_DELAY_MS = 3e4;
 var OUTPUT_BUFFER_MAX_BYTES = 100 * 1024;
 
 // src/config.ts
+var crypto = __toESM(require("crypto"));
 var fs = __toESM(require("fs"));
 var os2 = __toESM(require("os"));
 function ensureConfigDir() {
@@ -162,8 +163,35 @@ function saveConfigPatch(patch) {
 function sanitizeHostId(value) {
   return String(value || "").toLowerCase().replace(/[^a-z0-9_-]/g, "-").replace(/^-+/, "").slice(0, 64);
 }
+function readMachineId() {
+  try {
+    const mid = fs.readFileSync("/etc/machine-id", "utf8").trim();
+    if (mid.length >= 16) return mid;
+  } catch {
+  }
+  return null;
+}
 function inferHostId() {
-  return sanitizeHostId(os2.hostname().split(".")[0] || "linux-host");
+  const hostname5 = sanitizeHostId(os2.hostname().split(".")[0] || "linux-host");
+  const machineId = readMachineId();
+  if (machineId) {
+    return sanitizeHostId(`${hostname5}-${machineId.slice(0, 8)}`);
+  }
+  const idFile = `${CONFIG_DIR}/machine-id`;
+  try {
+    const stored = fs.readFileSync(idFile, "utf8").trim();
+    if (stored.length >= 8) {
+      return sanitizeHostId(`${hostname5}-${stored.slice(0, 8)}`);
+    }
+  } catch {
+  }
+  const generated = crypto.randomUUID().replace(/-/g, "");
+  try {
+    ensureConfigDir();
+    fs.writeFileSync(idFile, generated, { encoding: "utf8", mode: 384 });
+  } catch {
+  }
+  return sanitizeHostId(`${hostname5}-${generated.slice(0, 8)}`);
 }
 
 // src/version.ts
@@ -229,13 +257,13 @@ async function maybeWarnUpdate() {
 }
 
 // src/commands/connect.ts
-var os6 = __toESM(require("os"));
+var os7 = __toESM(require("os"));
 
 // src/agent.ts
 var fs3 = __toESM(require("fs"));
-var os5 = __toESM(require("os"));
+var os6 = __toESM(require("os"));
 var path2 = __toESM(require("path"));
-var import_ws2 = __toESM(require("ws"));
+var import_ws5 = __toESM(require("ws"));
 
 // src/auth.ts
 var os3 = __toESM(require("os"));
@@ -249,9 +277,14 @@ function wait(ms) {
 function execAsync(command, options = {}) {
   const timeout = options.timeout ?? 5e3;
   const maxBuffer = options.maxBuffer ?? 1024 * 1024;
+  const allowNonZeroExit = options.allowNonZeroExit ?? false;
   return new Promise((resolve, reject) => {
     (0, import_node_child_process.exec)(command, { timeout, maxBuffer }, (error, stdout, stderr) => {
       if (error) {
+        if (allowNonZeroExit) {
+          resolve(stdout || "");
+          return;
+        }
         reject(new Error((stderr || error.message || "").trim()));
         return;
       }
@@ -332,27 +365,55 @@ async function collectTmuxSessions() {
   }
   try {
     const raw = await execAsync(
-      "tmux list-panes -a -F '#{session_name}|#{window_index}|#{pane_index}|#{pane_current_command}|#{pane_active}|#{pane_last}|#{pane_pid}'"
+      "tmux list-panes -a -F '#{session_name}|#{window_index}|#{pane_index}|#{pane_current_command}|#{pane_active}|#{pane_last}|#{pane_pid}|#{window_layout}|#{pane_current_path}|#{window_name}|#{pane_title}|#{window_flags}|#{session_group}|#{session_grouped}'"
     );
     const rows = raw.split("\n").map((line) => line.trim()).filter(Boolean);
-    return rows.map((row) => {
-      const [sessionName, windowIndex, paneIndex, command, activeFlag, lastEpoch, panePid] = row.split("|");
+    const results = [];
+    for (const row of rows) {
+      const parts = row.split("|");
+      const [
+        sessionName,
+        windowIndex,
+        paneIndex,
+        command,
+        activeFlag,
+        lastEpoch,
+        panePid,
+        windowLayout,
+        paneCurrentPath,
+        windowName,
+        paneTitle,
+        windowFlags,
+        sessionGroup,
+        sessionGrouped
+      ] = parts;
+      if (sessionGrouped === "1" && sessionGroup && sessionGroup !== sessionName) {
+        continue;
+      }
       const id = `tmux:${sessionName}:${windowIndex}.${paneIndex}`;
       const lastActivityAt = Number(lastEpoch) > 0 ? new Date(Number(lastEpoch) * 1e3).toISOString() : (/* @__PURE__ */ new Date()).toISOString();
       const pids = [];
       const pid = Number(panePid);
       if (pid > 0) pids.push(pid);
-      return {
+      results.push({
         id,
         type: "tmux",
         name: `${sessionName}:${windowIndex}.${paneIndex}`,
         status: activeFlag === "1" ? "active" : "detached",
         command,
         agentType: detectAgentType(command),
+        runningCommand: command || void 0,
+        windowLayout: windowLayout || void 0,
+        workingDir: paneCurrentPath || void 0,
+        windowName: windowName || void 0,
+        paneTitle: paneTitle || void 0,
+        isZoomed: windowFlags?.includes("Z") ?? false,
         lastActivityAt,
-        pids
-      };
-    });
+        pids,
+        sessionGroup: sessionGroup || void 0
+      });
+    }
+    return results;
   } catch {
     return [];
   }
@@ -364,12 +425,7 @@ async function collectScreenSessions() {
     return [];
   }
   try {
-    let raw;
-    try {
-      raw = await execAsync("screen -ls");
-    } catch (e) {
-      raw = e instanceof Error ? e.message : "";
-    }
+    const raw = await execAsync("screen -ls", { allowNonZeroExit: true });
     const sessionPattern = /^\s*(\d+)\.(\S+)\s+\((Detached|Attached)\)/;
     const sessions = [];
     for (const line of raw.split("\n")) {
@@ -403,7 +459,7 @@ async function collectZellijSessions() {
     return [];
   }
   try {
-    const raw = await execAsync("zellij list-sessions");
+    const raw = await execAsync("zellij list-sessions --short --no-formatting");
     const sessions = [];
     for (const line of raw.split("\n")) {
       const sessionName = line.trim();
@@ -454,16 +510,18 @@ async function getProcessWorkingDir(pid) {
 }
 async function collectBareAgentProcesses(excludePids) {
   try {
-    const raw = await execAsync("ps axo pid,ppid,comm,args --no-headers");
+    const raw = await execAsync("ps axo pid,ppid,stat,comm,args --no-headers");
     const sessions = [];
     const seen = /* @__PURE__ */ new Set();
     for (const line of raw.split("\n")) {
       const trimmed = line.trim();
       if (!trimmed) continue;
       const parts = trimmed.split(/\s+/);
-      if (parts.length < 4) continue;
+      if (parts.length < 5) continue;
       const pid = Number(parts[0]);
-      const args = parts.slice(3).join(" ");
+      const stat = parts[2];
+      const args = parts.slice(4).join(" ");
+      if (stat.startsWith("Z")) continue;
       const agentType = detectAgentType(args);
       if (!agentType) continue;
       if (excludePids?.has(pid)) continue;
@@ -497,9 +555,20 @@ async function collectSessionInventory(hostId, command) {
     collectZellijSessions()
   ]);
   const multiplexerPids = /* @__PURE__ */ new Set();
-  for (const s of [...tmux, ...screen, ...zellij]) {
+  for (const s of [...screen, ...zellij]) {
     if (s.pids) s.pids.forEach((p) => multiplexerPids.add(p));
   }
+  for (const s of tmux) {
+    if (s.pids) {
+      for (const pid of s.pids) {
+        multiplexerPids.add(pid);
+        const childInfo = await getChildAgentInfo(pid);
+        if (childInfo) {
+          childInfo.childPids.forEach((p) => multiplexerPids.add(p));
+        }
+      }
+    }
+  }
   const bare = await collectBareAgentProcesses(multiplexerPids);
   const ptySession = {
     id: `pty:${hostId}`,
@@ -533,7 +602,10 @@ function detectAgentType(command) {
 }
 function sessionInventoryFingerprint(sessions) {
   const sorted = [...sessions].sort((a, b) => a.id.localeCompare(b.id));
-  return sorted.map((s) => `${s.id}|${s.type}|${s.name}|${s.status}|${s.command || ""}`).join("\n");
+  return sorted.map((s) => {
+    const pidStr = s.pids?.join(",") ?? "";
+    return `${s.id}|${s.type}|${s.name}|${s.status}|${s.command || ""}|${s.runningCommand || ""}|${pidStr}`;
+  }).join("\n");
 }
 async function getChildAgentInfo(parentPid) {
   try {
@@ -755,431 +827,99 @@ var OutputBuffer = class {
   }
 };
 
-// src/pty.ts
-var import_node_child_process2 = require("child_process");
-var pty = __toESM(require("node-pty"));
-function isInteractiveShell(command) {
-  const trimmed = String(command).trim();
-  return ["bash", "sh", "zsh", "fish"].includes(trimmed);
-}
-function spawnConnectorShell(command, onData, onExit) {
-  const shell = "bash";
-  const args = isInteractiveShell(command) ? [] : ["-lc", command];
-  const processName = isInteractiveShell(command) ? command : shell;
-  const ptyProcess = pty.spawn(processName, args, {
-    name: "xterm-color",
-    cols: 80,
-    rows: 30,
-    cwd: process.cwd(),
-    env: process.env
-  });
-  ptyProcess.onData(onData);
-  ptyProcess.onExit(onExit);
-  return ptyProcess;
-}
-async function stopTmuxPaneBySessionId(sessionId) {
-  if (!sessionId.startsWith("tmux:")) return false;
-  const paneTarget = sessionId.slice("tmux:".length).trim();
-  if (!paneTarget) return false;
-  await execAsync(`tmux kill-pane -t ${shellQuote(paneTarget)}`, { timeout: 5e3 });
-  return true;
+// src/websocket.ts
+var import_ws = __toESM(require("ws"));
+var BACKPRESSURE_HIGH_WATER = 256 * 1024;
+function sanitizeForJson(str) {
+  return str.replace(/[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g, "\uFFFD");
 }
-async function sendInputToTmux(sessionId, data) {
-  if (!sessionId.startsWith("tmux:")) return;
-  const target = sessionId.slice("tmux:".length).trim();
-  if (!target) return;
-  const sessionName = target.split(":")[0].split(".")[0];
-  if (!/^[a-zA-Z0-9_][a-zA-Z0-9_.-]*$/.test(sessionName)) {
-    console.warn(`[rAgent] Invalid tmux session name: ${sessionName}`);
+function sendToGroup(ws, group, data) {
+  if (!group || ws.readyState !== import_ws.default.OPEN) return;
+  if (ws.bufferedAmount > BACKPRESSURE_HIGH_WATER) {
     return;
   }
-  try {
-    await new Promise((resolve, reject) => {
-      (0, import_node_child_process2.execFile)("tmux", ["send-keys", "-t", target, "-l", "--", data], { timeout: 5e3 }, (err) => {
-        if (err) reject(err);
-        else resolve();
-      });
-    });
-  } catch (error) {
-    const message = error instanceof Error ? error.message : String(error);
-    console.warn(`[rAgent] Failed to send input to ${sessionId}: ${message}`);
-  }
+  const sanitized = sanitizePayload(data);
+  ws.send(
+    JSON.stringify({
+      type: "sendToGroup",
+      group,
+      dataType: "json",
+      data: sanitized,
+      noEcho: true
+    })
+  );
 }
-async function stopAllDetachedTmuxSessions() {
-  try {
-    const raw = await execAsync(
-      "tmux list-sessions -F '#{session_name}|#{session_attached}'",
-      { timeout: 5e3 }
-    );
-    const lines = raw.split("\n").map((l) => l.trim()).filter(Boolean);
-    let killed = 0;
-    for (const line of lines) {
-      const [name, attached] = line.split("|");
-      if (attached === "0" && name) {
-        try {
-          await execAsync(`tmux kill-session -t ${shellQuote(name)}`, { timeout: 5e3 });
-          killed++;
-        } catch {
-        }
-      }
+function sanitizePayload(obj) {
+  const result = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (typeof value === "string") {
+      result[key] = sanitizeForJson(value);
+    } else if (value !== null && typeof value === "object" && !Array.isArray(value)) {
+      result[key] = sanitizePayload(value);
+    } else {
+      result[key] = value;
     }
-    return killed;
-  } catch {
-    return 0;
-  }
-}
-
-// src/service.ts
-var import_child_process = require("child_process");
-var fs2 = __toESM(require("fs"));
-var os4 = __toESM(require("os"));
-function assertConfiguredAgentToken() {
-  const config = loadConfig();
-  if (!config.agentToken) {
-    throw new Error("No saved connector token. Run `ragent connect --token <token>` first.");
-  }
-}
-function getConfiguredServiceBackend() {
-  const config = loadConfig();
-  if (config.serviceBackend === "systemd" || config.serviceBackend === "pidfile") {
-    return config.serviceBackend;
-  }
-  if (fs2.existsSync(SERVICE_FILE)) return "systemd";
-  if (fs2.existsSync(FALLBACK_PID_FILE)) return "pidfile";
-  return null;
-}
-async function canUseSystemdUser() {
-  if (os4.platform() !== "linux") return false;
-  try {
-    await execAsync("systemctl --user --version", { timeout: 4e3 });
-    await execAsync("systemctl --user show-environment", { timeout: 4e3 });
-    return true;
-  } catch {
-    return false;
   }
+  return result;
 }
-async function runSystemctlUser(args, options = {}) {
-  const command = `systemctl --user ${args.map(shellQuote).join(" ")}`;
-  return execAsync(command, { timeout: options.timeout ?? 1e4 });
-}
-function buildSystemdUnit() {
-  return `[Unit]
-Description=rAgent Live connector
-After=network-online.target
-Wants=network-online.target
-
-[Service]
-Type=simple
-ExecStart=${process.execPath} ${__filename} run
-Restart=always
-RestartSec=3
-Environment=NODE_ENV=production
-NoNewPrivileges=true
-PrivateTmp=true
-ProtectSystem=strict
-ProtectHome=read-only
-ReadWritePaths=%h/.config/ragent
 
-[Install]
-WantedBy=default.target
-`;
+// src/session-streamer.ts
+var import_node_child_process2 = require("child_process");
+var import_node_fs = require("fs");
+var import_node_path = require("path");
+var import_node_os = require("os");
+var pty = __toESM(require("node-pty"));
+var STOP_DEBOUNCE_MS = 2e3;
+function parsePaneTarget(sessionId) {
+  if (!sessionId.startsWith("tmux:")) return null;
+  const rest = sessionId.slice("tmux:".length);
+  if (!rest) return null;
+  return rest;
 }
-async function installSystemdService(opts = {}) {
-  assertConfiguredAgentToken();
-  fs2.mkdirSync(SERVICE_DIR, { recursive: true });
-  fs2.writeFileSync(SERVICE_FILE, buildSystemdUnit(), "utf8");
-  await runSystemctlUser(["daemon-reload"]);
-  if (opts.enable !== false) {
-    await runSystemctlUser(["enable", SERVICE_NAME]);
-  }
-  if (opts.start) {
-    await runSystemctlUser(["restart", SERVICE_NAME]);
-  }
-  saveConfigPatch({ serviceBackend: "systemd" });
-  console.log(`[rAgent] Installed systemd user service at ${SERVICE_FILE}`);
+function parseScreenSession(sessionId) {
+  if (!sessionId.startsWith("screen:")) return null;
+  const rest = sessionId.slice("screen:".length);
+  if (!rest) return null;
+  const name = rest.split(":")[0];
+  return name || null;
 }
-function readFallbackPid() {
-  try {
-    const raw = fs2.readFileSync(FALLBACK_PID_FILE, "utf8").trim();
-    const pid = Number.parseInt(raw, 10);
-    return Number.isInteger(pid) ? pid : null;
-  } catch {
-    return null;
-  }
+function parseZellijSession(sessionId) {
+  if (!sessionId.startsWith("zellij:")) return null;
+  const rest = sessionId.slice("zellij:".length);
+  if (!rest) return null;
+  return rest.split(":")[0] || null;
 }
-function isProcessRunning(pid) {
-  if (!pid || !Number.isInteger(pid)) return false;
-  try {
-    process.kill(pid, 0);
-    return true;
-  } catch {
-    return false;
+var SessionStreamer = class {
+  active = /* @__PURE__ */ new Map();
+  pendingStops = /* @__PURE__ */ new Map();
+  sendFn;
+  onStreamStopped;
+  constructor(sendFn, onStreamStopped) {
+    this.sendFn = sendFn;
+    this.onStreamStopped = onStreamStopped;
+    this.cleanupStaleStreams();
   }
-}
-async function startPidfileService() {
-  assertConfiguredAgentToken();
-  const existingPid = readFallbackPid();
-  if (existingPid && isProcessRunning(existingPid)) {
-    console.log(`[rAgent] Service already running (pid ${existingPid})`);
-    return;
-  }
-  ensureConfigDir();
-  const logFd = fs2.openSync(FALLBACK_LOG_FILE, "a");
-  const child = (0, import_child_process.spawn)(process.execPath, [__filename, "run"], {
-    detached: true,
-    stdio: ["ignore", logFd, logFd],
-    cwd: os4.homedir(),
-    env: process.env
-  });
-  child.unref();
-  fs2.closeSync(logFd);
-  fs2.writeFileSync(FALLBACK_PID_FILE, `${child.pid}
-`, "utf8");
-  saveConfigPatch({ serviceBackend: "pidfile" });
-  console.log(`[rAgent] Started fallback background service (pid ${child.pid})`);
-  console.log(`[rAgent] Logs: ${FALLBACK_LOG_FILE}`);
-}
-async function stopPidfileService() {
-  const pid = readFallbackPid();
-  if (!pid || !isProcessRunning(pid)) {
-    try {
-      fs2.unlinkSync(FALLBACK_PID_FILE);
-    } catch {
-    }
-    console.log("[rAgent] Service is not running.");
-    return;
-  }
-  process.kill(pid, "SIGTERM");
-  for (let i = 0; i < 20; i += 1) {
-    if (!isProcessRunning(pid)) break;
-    await wait(150);
-  }
-  if (isProcessRunning(pid)) {
-    process.kill(pid, "SIGKILL");
-  }
-  try {
-    fs2.unlinkSync(FALLBACK_PID_FILE);
-  } catch {
-  }
-  console.log(`[rAgent] Stopped fallback background service (pid ${pid})`);
-}
-async function ensureServiceInstalled(opts = {}) {
-  const wantsSystemd = await canUseSystemdUser();
-  if (wantsSystemd) {
-    await installSystemdService(opts);
-    return "systemd";
-  }
-  saveConfigPatch({ serviceBackend: "pidfile" });
-  if (opts.start) {
-    await startPidfileService();
-  } else {
-    console.log(
-      "[rAgent] systemd user manager unavailable; using fallback pidfile backend."
-    );
-  }
-  return "pidfile";
-}
-async function startService() {
-  const backend = getConfiguredServiceBackend();
-  if (backend === "systemd") {
-    await runSystemctlUser(["start", SERVICE_NAME]);
-    console.log("[rAgent] Started service via systemd.");
-    return;
-  }
-  if (backend === "pidfile") {
-    await startPidfileService();
-    return;
-  }
-  await ensureServiceInstalled({ start: true, enable: true });
-}
-async function stopService() {
-  const backend = getConfiguredServiceBackend();
-  if (backend === "systemd") {
-    await runSystemctlUser(["stop", SERVICE_NAME]);
-    console.log("[rAgent] Stopped service via systemd.");
-    return;
-  }
-  await stopPidfileService();
-}
-async function restartService() {
-  const backend = getConfiguredServiceBackend();
-  if (backend === "systemd") {
-    await runSystemctlUser(["restart", SERVICE_NAME]);
-    console.log("[rAgent] Restarted service via systemd.");
-    return;
-  }
-  await stopPidfileService();
-  await startPidfileService();
-}
-async function printServiceStatus() {
-  const backend = getConfiguredServiceBackend();
-  if (backend === "systemd") {
-    const status = await execAsync(
-      `systemctl --user status ${shellQuote(SERVICE_NAME)} --no-pager --lines=20`,
-      { timeout: 1e4 }
-    ).catch((error) => {
-      console.log(error.message);
-      return "";
-    });
-    if (status) {
-      process.stdout.write(status);
-    }
-    return;
-  }
-  const pid = readFallbackPid();
-  if (pid && isProcessRunning(pid)) {
-    console.log(`[rAgent] fallback service running (pid ${pid})`);
-    console.log(`[rAgent] logs: ${FALLBACK_LOG_FILE}`);
-    return;
-  }
-  console.log("[rAgent] service is not running.");
-}
-async function printServiceLogs(opts) {
-  const lines = Number.parseInt(String(opts.lines || 100), 10) || 100;
-  const follow = Boolean(opts.follow);
-  const backend = getConfiguredServiceBackend();
-  if (backend === "systemd") {
-    if (follow) {
-      await new Promise((resolve) => {
-        const child = (0, import_child_process.spawn)(
-          "journalctl",
-          ["--user", "-u", SERVICE_NAME, "-f", "-n", String(lines)],
-          { stdio: "inherit" }
-        );
-        child.on("exit", () => resolve());
-      });
-      return;
-    }
-    const output = await execAsync(
-      `journalctl --user -u ${shellQuote(SERVICE_NAME)} -n ${lines} --no-pager`,
-      { timeout: 12e3 }
-    );
-    process.stdout.write(output);
-    return;
-  }
-  if (!fs2.existsSync(FALLBACK_LOG_FILE)) {
-    console.log(`[rAgent] No log file found at ${FALLBACK_LOG_FILE}`);
-    return;
-  }
-  if (follow) {
-    await new Promise((resolve) => {
-      const child = (0, import_child_process.spawn)("tail", ["-n", String(lines), "-f", FALLBACK_LOG_FILE], {
-        stdio: "inherit"
-      });
-      child.on("exit", () => resolve());
-    });
-    return;
-  }
-  const content = fs2.readFileSync(FALLBACK_LOG_FILE, "utf8");
-  const tail = content.split("\n").slice(-lines).join("\n");
-  process.stdout.write(`${tail}${tail.endsWith("\n") ? "" : "\n"}`);
-}
-async function uninstallService() {
-  const backend = getConfiguredServiceBackend();
-  if (backend === "systemd") {
-    await runSystemctlUser(["stop", SERVICE_NAME]).catch(() => void 0);
-    await runSystemctlUser(["disable", SERVICE_NAME]).catch(() => void 0);
-    try {
-      fs2.unlinkSync(SERVICE_FILE);
-    } catch {
-    }
-    await runSystemctlUser(["daemon-reload"]).catch(() => void 0);
-  } else {
-    await stopPidfileService();
-  }
-  const config = loadConfig();
-  delete config.serviceBackend;
-  saveConfig(config);
-  console.log("[rAgent] Service uninstalled.");
-}
-function requestStopSelfService() {
-  const backend = getConfiguredServiceBackend();
-  if (backend === "systemd") {
-    const child = (0, import_child_process.spawn)("systemctl", ["--user", "stop", SERVICE_NAME], {
-      detached: true,
-      stdio: "ignore"
-    });
-    child.unref();
-    return;
-  }
-  if (backend === "pidfile") {
-    try {
-      fs2.unlinkSync(FALLBACK_PID_FILE);
-    } catch {
-    }
-  }
-}
-
-// src/websocket.ts
-var import_ws = __toESM(require("ws"));
-var BACKPRESSURE_HIGH_WATER = 256 * 1024;
-function sanitizeForJson(str) {
-  return str.replace(/[\uD800-\uDBFF](?![\uDC00-\uDFFF])|(?<![\uD800-\uDBFF])[\uDC00-\uDFFF]/g, "\uFFFD");
-}
-function sendToGroup(ws, group, data) {
-  if (!group || ws.readyState !== import_ws.default.OPEN) return;
-  if (ws.bufferedAmount > BACKPRESSURE_HIGH_WATER) {
-    return;
-  }
-  const sanitized = sanitizePayload(data);
-  ws.send(
-    JSON.stringify({
-      type: "sendToGroup",
-      group,
-      dataType: "json",
-      data: sanitized,
-      noEcho: true
-    })
-  );
-}
-function sanitizePayload(obj) {
-  const result = {};
-  for (const [key, value] of Object.entries(obj)) {
-    if (typeof value === "string") {
-      result[key] = sanitizeForJson(value);
-    } else if (value !== null && typeof value === "object" && !Array.isArray(value)) {
-      result[key] = sanitizePayload(value);
-    } else {
-      result[key] = value;
-    }
-  }
-  return result;
-}
-
-// src/session-streamer.ts
-var import_node_child_process3 = require("child_process");
-var import_node_fs = require("fs");
-var import_node_path = require("path");
-var import_node_os = require("os");
-var pty2 = __toESM(require("node-pty"));
-var STOP_DEBOUNCE_MS = 2e3;
-function parsePaneTarget(sessionId) {
-  if (!sessionId.startsWith("tmux:")) return null;
-  const rest = sessionId.slice("tmux:".length);
-  if (!rest) return null;
-  return rest;
-}
-function parseScreenSession(sessionId) {
-  if (!sessionId.startsWith("screen:")) return null;
-  const rest = sessionId.slice("screen:".length);
-  if (!rest) return null;
-  const name = rest.split(":")[0];
-  return name || null;
-}
-function parseZellijSession(sessionId) {
-  if (!sessionId.startsWith("zellij:")) return null;
-  const rest = sessionId.slice("zellij:".length);
-  if (!rest) return null;
-  return rest.split(":")[0] || null;
-}
-var SessionStreamer = class {
-  active = /* @__PURE__ */ new Map();
-  pendingStops = /* @__PURE__ */ new Map();
-  sendFn;
-  onStreamStopped;
-  constructor(sendFn, onStreamStopped) {
-    this.sendFn = sendFn;
-    this.onStreamStopped = onStreamStopped;
+  /**
+   * Remove orphaned FIFO directories left behind by a previous crash.
+   * These stale FIFOs can cause tmux pipe-pane to block if the reader is dead.
+   */
+  cleanupStaleStreams() {
+    const streamsBase = (0, import_node_path.join)((0, import_node_os.homedir)(), ".config", "ragent", "streams");
+    try {
+      const entries = (0, import_node_fs.readdirSync)(streamsBase);
+      for (const entry of entries) {
+        if (entry.startsWith("s-")) {
+          try {
+            (0, import_node_fs.rmSync)((0, import_node_path.join)(streamsBase, entry), { recursive: true, force: true });
+          } catch {
+          }
+        }
+      }
+      if (entries.some((e) => e.startsWith("s-"))) {
+        console.log("[rAgent] Cleaned up stale stream directories from previous run.");
+      }
+    } catch {
+    }
   }
   /**
    * Start streaming a session. Dispatches based on session type prefix.
@@ -1223,12 +963,27 @@ var SessionStreamer = class {
     }
   }
   /**
-   * Stop streaming a session (debounced to absorb React remount cycles).
+   * Resize a PTY-attached stream (screen/zellij).
    */
-  stopStream(sessionId) {
+  resize(sessionId, cols, rows) {
     const stream = this.active.get(sessionId);
-    if (!stream) return;
-    if (this.pendingStops.has(sessionId)) return;
+    if (!stream || stream.stopped || stream.streamType !== "pty-attach" || !stream.ptyProc) return;
+    try {
+      stream.ptyProc.resize(cols, rows);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (!message.includes("EBADF")) {
+        console.warn(`[rAgent] Resize failed for ${sessionId}: ${message}`);
+      }
+    }
+  }
+  /**
+   * Stop streaming a session (debounced to absorb React remount cycles).
+   */
+  stopStream(sessionId) {
+    const stream = this.active.get(sessionId);
+    if (!stream) return;
+    if (this.pendingStops.has(sessionId)) return;
     const timer = setTimeout(() => {
       this.pendingStops.delete(sessionId);
       const s = this.active.get(sessionId);
@@ -1275,9 +1030,19 @@ var SessionStreamer = class {
       const cleanEnv = { ...process.env };
       delete cleanEnv.TMUX;
       delete cleanEnv.TMUX_PANE;
-      const tmpDir = (0, import_node_fs.mkdtempSync)((0, import_node_path.join)((0, import_node_os.tmpdir)(), "ragent-stream-"));
+      const streamsBase = (0, import_node_path.join)((0, import_node_os.homedir)(), ".config", "ragent", "streams");
+      try {
+        (0, import_node_fs.mkdirSync)(streamsBase, { recursive: true });
+      } catch {
+      }
+      let tmpDir;
+      try {
+        tmpDir = (0, import_node_fs.mkdtempSync)((0, import_node_path.join)(streamsBase, "s-"));
+      } catch {
+        tmpDir = (0, import_node_fs.mkdtempSync)((0, import_node_path.join)((0, import_node_os.tmpdir)(), "ragent-stream-"));
+      }
       const fifoPath = (0, import_node_path.join)(tmpDir, "pane.fifo");
-      (0, import_node_child_process3.execFileSync)("mkfifo", ["-m", "600", fifoPath]);
+      (0, import_node_child_process2.execFileSync)("mkfifo", ["-m", "600", fifoPath]);
       const stream = {
         sessionId,
         streamType: "tmux-pipe",
@@ -1288,13 +1053,14 @@ var SessionStreamer = class {
         stopped: false,
         initializing: true,
         initBuffer: [],
+        cleanEnv,
         ptyProc: null
       };
       this.active.set(sessionId, stream);
       try {
-        (0, import_node_child_process3.execFileSync)(
+        (0, import_node_child_process2.execFileSync)(
           "tmux",
-          ["pipe-pane", "-O", "-t", paneTarget, `cat > ${fifoPath}`],
+          ["pipe-pane", "-O", "-t", paneTarget, `cat > ${shellQuote(fifoPath)}`],
           { env: cleanEnv, timeout: 5e3 }
         );
       } catch (error) {
@@ -1303,7 +1069,7 @@ var SessionStreamer = class {
         console.warn(`[rAgent] Failed pipe-pane for ${sessionId}: ${message}`);
         return false;
       }
-      const catProc = (0, import_node_child_process3.spawn)("cat", [fifoPath], { env: cleanEnv, stdio: ["ignore", "pipe", "ignore"] });
+      const catProc = (0, import_node_child_process2.spawn)("cat", [fifoPath], { env: cleanEnv, stdio: ["ignore", "pipe", "ignore"] });
       stream.catProc = catProc;
       catProc.stdout.on("data", (chunk) => {
         if (stream.stopped) return;
@@ -1323,9 +1089,20 @@ var SessionStreamer = class {
           this.onStreamStopped?.(sessionId);
         }
       });
+      try {
+        const scrollback = (0, import_node_child_process2.execFileSync)(
+          "tmux",
+          ["capture-pane", "-t", paneTarget, "-p", "-e", "-S", "-5000", "-E", "-1"],
+          { env: cleanEnv, timeout: 1e4, encoding: "utf-8" }
+        );
+        if (scrollback && scrollback.length > 0) {
+          this.sendFn(sessionId, scrollback);
+        }
+      } catch {
+      }
       this.sendFn(sessionId, "\x1B[2J\x1B[H");
       try {
-        const initial = (0, import_node_child_process3.execFileSync)(
+        const initial = (0, import_node_child_process2.execFileSync)(
           "tmux",
           ["capture-pane", "-t", paneTarget, "-p", "-e"],
           { env: cleanEnv, timeout: 5e3, encoding: "utf-8" }
@@ -1336,7 +1113,7 @@ var SessionStreamer = class {
       } catch {
       }
       try {
-        const cursorInfo = (0, import_node_child_process3.execFileSync)(
+        const cursorInfo = (0, import_node_child_process2.execFileSync)(
           "tmux",
           ["display-message", "-t", paneTarget, "-p", "#{cursor_x} #{cursor_y}"],
           { env: cleanEnv, timeout: 5e3, encoding: "utf-8" }
@@ -1352,12 +1129,7 @@ var SessionStreamer = class {
       } catch {
       }
       stream.initializing = false;
-      if (stream.initBuffer.length > 0) {
-        for (const buffered of stream.initBuffer) {
-          this.sendFn(sessionId, buffered);
-        }
-        stream.initBuffer = [];
-      }
+      stream.initBuffer = [];
       console.log(`[rAgent] Started streaming: ${sessionId} (pane: ${paneTarget})`);
       return true;
     } catch (error) {
@@ -1373,7 +1145,7 @@ var SessionStreamer = class {
     const sessionName = parseScreenSession(sessionId);
     if (!sessionName) return false;
     try {
-      const proc = pty2.spawn("screen", ["-x", sessionName], {
+      const proc = pty.spawn("screen", ["-x", sessionName], {
         name: "xterm-256color",
         cols: 80,
         rows: 30,
@@ -1422,7 +1194,7 @@ var SessionStreamer = class {
     const sessionName = parseZellijSession(sessionId);
     if (!sessionName) return false;
     try {
-      const proc = pty2.spawn("zellij", ["attach", sessionName], {
+      const proc = pty.spawn("zellij", ["attach", sessionName], {
         name: "xterm-256color",
         cols: 80,
         rows: 30,
@@ -1471,7 +1243,10 @@ var SessionStreamer = class {
     stream.stopped = true;
     if (stream.streamType === "tmux-pipe") {
       try {
-        (0, import_node_child_process3.execFileSync)("tmux", ["pipe-pane", "-t", stream.paneTarget], { timeout: 5e3 });
+        (0, import_node_child_process2.execFileSync)("tmux", ["pipe-pane", "-t", stream.paneTarget], {
+          timeout: 5e3,
+          env: stream.cleanEnv
+        });
       } catch {
       }
       if (stream.catProc && !stream.catProc.killed) {
@@ -1496,10 +1271,680 @@ var SessionStreamer = class {
       }
     }
   }
-};
+};
+
+// src/crypto-channel.ts
+var import_node_crypto = require("crypto");
+function deriveAesKey(sessionKey) {
+  return Buffer.from(sessionKey.slice(0, 64), "hex");
+}
+function encryptPayload(data, sessionKey) {
+  const key = deriveAesKey(sessionKey);
+  const iv = (0, import_node_crypto.randomBytes)(12);
+  const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", key, iv);
+  const encrypted = Buffer.concat([
+    cipher.update(data, "utf-8"),
+    cipher.final()
+  ]);
+  const authTag = cipher.getAuthTag();
+  const combined = Buffer.concat([encrypted, authTag]);
+  return {
+    enc: combined.toString("base64"),
+    iv: iv.toString("base64")
+  };
+}
+function decryptPayload(enc, iv, sessionKey) {
+  try {
+    const key = deriveAesKey(sessionKey);
+    const ivBuf = Buffer.from(iv, "base64");
+    const combined = Buffer.from(enc, "base64");
+    if (combined.length < 16) return null;
+    const ciphertext = combined.subarray(0, combined.length - 16);
+    const authTag = combined.subarray(combined.length - 16);
+    const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", key, ivBuf);
+    decipher.setAuthTag(authTag);
+    const decrypted = Buffer.concat([
+      decipher.update(ciphertext),
+      decipher.final()
+    ]);
+    return decrypted.toString("utf-8");
+  } catch {
+    return null;
+  }
+}
+
+// src/pty.ts
+var import_node_child_process3 = require("child_process");
+var pty2 = __toESM(require("node-pty"));
+function isInteractiveShell(command) {
+  const trimmed = String(command).trim();
+  return ["bash", "sh", "zsh", "fish"].includes(trimmed);
+}
+function spawnConnectorShell(command, onData, onExit) {
+  const shell = "bash";
+  const args = isInteractiveShell(command) ? [] : ["-lc", command];
+  const processName = isInteractiveShell(command) ? command : shell;
+  const ptyProcess = pty2.spawn(processName, args, {
+    name: "xterm-color",
+    cols: 80,
+    rows: 30,
+    cwd: process.cwd(),
+    env: process.env
+  });
+  ptyProcess.onData(onData);
+  ptyProcess.onExit(onExit);
+  return ptyProcess;
+}
+async function stopTmuxPaneBySessionId(sessionId) {
+  if (!sessionId.startsWith("tmux:")) return false;
+  const paneTarget = sessionId.slice("tmux:".length).trim();
+  if (!paneTarget) return false;
+  await execAsync(`tmux kill-pane -t ${shellQuote(paneTarget)}`, { timeout: 5e3 });
+  return true;
+}
+async function sendInputToTmux(sessionId, data) {
+  if (!sessionId.startsWith("tmux:")) return;
+  const target = sessionId.slice("tmux:".length).trim();
+  if (!target) return;
+  const sessionName = target.split(":")[0].split(".")[0];
+  if (!/^[a-zA-Z0-9_][a-zA-Z0-9_.-]*$/.test(sessionName)) {
+    console.warn(`[rAgent] Invalid tmux session name: ${sessionName}`);
+    return;
+  }
+  try {
+    await new Promise((resolve, reject) => {
+      (0, import_node_child_process3.execFile)("tmux", ["send-keys", "-t", target, "-l", "--", data], { timeout: 5e3 }, (err) => {
+        if (err) reject(err);
+        else resolve();
+      });
+    });
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error);
+    console.warn(`[rAgent] Failed to send input to ${sessionId}: ${message}`);
+  }
+}
+async function stopAllDetachedTmuxSessions() {
+  try {
+    const raw = await execAsync(
+      "tmux list-sessions -F '#{session_name}|#{session_attached}'",
+      { timeout: 5e3 }
+    );
+    const lines = raw.split("\n").map((l) => l.trim()).filter(Boolean);
+    let killed = 0;
+    for (const line of lines) {
+      const [name, attached] = line.split("|");
+      if (attached === "0" && name) {
+        try {
+          await execAsync(`tmux kill-session -t ${shellQuote(name)}`, { timeout: 5e3 });
+          killed++;
+        } catch {
+        }
+      }
+    }
+    return killed;
+  } catch {
+    return 0;
+  }
+}
+
+// src/shell-manager.ts
+var ShellManager = class {
+  ptyProcess = null;
+  suppressNextRespawn = false;
+  shouldRun = true;
+  sendOutput;
+  command;
+  constructor(command, sendOutput) {
+    this.command = command;
+    this.sendOutput = sendOutput;
+  }
+  /** Start the initial shell process. */
+  spawn() {
+    this.spawnOrRespawn();
+  }
+  /** Kill current shell and spawn a new one. */
+  restart() {
+    this.kill();
+    this.spawnOrRespawn();
+  }
+  /** Kill the current shell process (suppresses auto-respawn). */
+  kill() {
+    if (!this.ptyProcess) return;
+    this.suppressNextRespawn = true;
+    try {
+      this.ptyProcess.kill();
+    } catch {
+    }
+    this.ptyProcess = null;
+  }
+  /** Write input data to the PTY process. */
+  write(data) {
+    if (this.ptyProcess) this.ptyProcess.write(data);
+  }
+  /** Resize the PTY process. */
+  resize(cols, rows) {
+    try {
+      if (this.ptyProcess) this.ptyProcess.resize(cols, rows);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      if (!message.includes("EBADF")) {
+        console.warn(`[rAgent] Resize failed: ${message}`);
+      }
+    }
+  }
+  /** Signal that the agent is shutting down (prevents respawn). */
+  stop() {
+    this.shouldRun = false;
+    this.kill();
+  }
+  spawnOrRespawn() {
+    this.ptyProcess = spawnConnectorShell(this.command, this.sendOutput, () => {
+      if (this.suppressNextRespawn) {
+        this.suppressNextRespawn = false;
+        return;
+      }
+      if (!this.shouldRun) return;
+      console.warn("[rAgent] Shell exited. Restarting shell process.");
+      setTimeout(() => {
+        if (this.shouldRun) this.spawnOrRespawn();
+      }, 200);
+    });
+  }
+};
+
+// src/inventory-manager.ts
+var os4 = __toESM(require("os"));
+var import_child_process = require("child_process");
+var import_ws2 = __toESM(require("ws"));
+var InventoryManager = class {
+  lastSentFingerprint = "";
+  lastHttpHeartbeatAt = 0;
+  prevCpuSnapshot = null;
+  options;
+  constructor(options) {
+    this.options = options;
+  }
+  /** Update options (e.g., after token refresh). */
+  updateOptions(options) {
+    this.options = options;
+  }
+  /** Announce to the registry group via WebSocket. */
+  async announceToRegistry(ws, registryGroup, type = "heartbeat") {
+    if (ws.readyState !== import_ws2.default.OPEN || !registryGroup) return;
+    const sessions = await collectSessionInventory(this.options.hostId, this.options.command);
+    const vitals = this.collectVitals();
+    sendToGroup(ws, registryGroup, {
+      type,
+      hostId: this.options.hostId,
+      hostName: this.options.hostName,
+      environment: os4.hostname(),
+      sessions,
+      vitals,
+      agentVersion: CURRENT_VERSION,
+      lastSeenAt: (/* @__PURE__ */ new Date()).toISOString()
+    });
+  }
+  /**
+   * Sync inventory: detect changes via fingerprint, send WS announcement
+   * and HTTP heartbeat as needed.
+   */
+  async syncInventory(ws, groups, force = false) {
+    const sessions = await collectSessionInventory(this.options.hostId, this.options.command);
+    const fingerprint = sessionInventoryFingerprint(sessions);
+    const changed = fingerprint !== this.lastSentFingerprint;
+    const checkpointDue = Date.now() - this.lastHttpHeartbeatAt > HTTP_HEARTBEAT_MS;
+    if (changed || force) {
+      if (ws && ws.readyState === import_ws2.default.OPEN) {
+        await this.announceToRegistry(ws, groups.registryGroup, "inventory");
+      }
+      this.lastSentFingerprint = fingerprint;
+    }
+    if (changed || checkpointDue || force) {
+      await postHeartbeat({
+        portal: this.options.portal,
+        agentToken: this.options.agentToken,
+        hostId: this.options.hostId,
+        hostName: this.options.hostName,
+        command: this.options.command
+      });
+      this.lastHttpHeartbeatAt = Date.now();
+    }
+  }
+  /** Collect system vitals (CPU, memory, disk). */
+  collectVitals() {
+    const currentSnapshot = this.takeCpuSnapshot();
+    let cpuUsage = 0;
+    if (this.prevCpuSnapshot) {
+      const idleDelta = currentSnapshot.idle - this.prevCpuSnapshot.idle;
+      const totalDelta = currentSnapshot.total - this.prevCpuSnapshot.total;
+      cpuUsage = totalDelta > 0 ? Math.round((totalDelta - idleDelta) / totalDelta * 100) : 0;
+    }
+    this.prevCpuSnapshot = currentSnapshot;
+    const totalMem = os4.totalmem();
+    const freeMem = os4.freemem();
+    const memUsedPct = totalMem > 0 ? Math.round((totalMem - freeMem) / totalMem * 100) : 0;
+    let diskUsedPct = 0;
+    try {
+      const dfOutput = (0, import_child_process.execSync)("df -P / | tail -1", { encoding: "utf8", timeout: 5e3 });
+      const parts = dfOutput.trim().split(/\s+/);
+      if (parts.length >= 5) {
+        diskUsedPct = parseInt(parts[4].replace("%", ""), 10) || 0;
+      }
+    } catch {
+    }
+    return { cpu: cpuUsage, memUsedPct, diskUsedPct };
+  }
+  takeCpuSnapshot() {
+    const cpus2 = os4.cpus();
+    let idle = 0;
+    let total = 0;
+    for (const cpu of cpus2) {
+      for (const type of Object.keys(cpu.times)) {
+        total += cpu.times[type];
+      }
+      idle += cpu.times.idle;
+    }
+    return { idle, total };
+  }
+};
+
+// src/connection-manager.ts
+var import_ws3 = __toESM(require("ws"));
+var ConnectionManager = class {
+  activeSocket = null;
+  activeGroups = { privateGroup: "", registryGroup: "" };
+  sessionKey = null;
+  reconnectDelay = DEFAULT_RECONNECT_DELAY_MS;
+  wsHeartbeatTimer = null;
+  httpHeartbeatTimer = null;
+  wsPingTimer = null;
+  wsPongTimeout = null;
+  sessionStreamer;
+  outputBuffer;
+  constructor(sessionStreamer, outputBuffer) {
+    this.sessionStreamer = sessionStreamer;
+    this.outputBuffer = outputBuffer;
+  }
+  /** Check if the WebSocket is open and ready. */
+  isReady() {
+    return this.activeSocket !== null && this.activeSocket.readyState === import_ws3.default.OPEN;
+  }
+  /** Set the active socket and groups from a negotiate result. */
+  setConnection(ws, groups, sessionKey) {
+    this.activeSocket = ws;
+    this.activeGroups = groups;
+    this.sessionKey = sessionKey;
+  }
+  /** Reset reconnect delay on successful connection. */
+  resetReconnectDelay() {
+    this.reconnectDelay = DEFAULT_RECONNECT_DELAY_MS;
+  }
+  /**
+   * Start periodic timers (heartbeat, inventory sync, ping/pong).
+   */
+  startTimers(onWsHeartbeat, onHttpHeartbeat) {
+    this.wsHeartbeatTimer = setInterval(async () => {
+      if (!this.isReady()) return;
+      await onWsHeartbeat();
+    }, WS_HEARTBEAT_MS);
+    this.httpHeartbeatTimer = setInterval(async () => {
+      if (!this.isReady()) return;
+      await onHttpHeartbeat();
+    }, HTTP_HEARTBEAT_MS);
+    this.wsPingTimer = setInterval(() => {
+      if (!this.activeSocket || this.activeSocket.readyState !== import_ws3.default.OPEN) return;
+      this.activeSocket.ping();
+      this.wsPongTimeout = setTimeout(() => {
+        console.warn("[rAgent] No pong received within 10s \u2014 closing stale connection.");
+        try {
+          this.activeSocket?.terminate();
+        } catch {
+        }
+      }, 1e4);
+    }, 2e4);
+  }
+  /** Handle pong response — clear timeout. */
+  onPong() {
+    if (this.wsPongTimeout) {
+      clearTimeout(this.wsPongTimeout);
+      this.wsPongTimeout = null;
+    }
+  }
+  /**
+   * Cleanup socket and timers.
+   * @param opts.stopStreams - Also stop all session streams (on intentional shutdown)
+   */
+  cleanup(opts = {}) {
+    if (opts.stopStreams) this.sessionStreamer.stopAll();
+    if (this.wsPingTimer) {
+      clearInterval(this.wsPingTimer);
+      this.wsPingTimer = null;
+    }
+    if (this.wsPongTimeout) {
+      clearTimeout(this.wsPongTimeout);
+      this.wsPongTimeout = null;
+    }
+    if (this.wsHeartbeatTimer) {
+      clearInterval(this.wsHeartbeatTimer);
+      this.wsHeartbeatTimer = null;
+    }
+    if (this.httpHeartbeatTimer) {
+      clearInterval(this.httpHeartbeatTimer);
+      this.httpHeartbeatTimer = null;
+    }
+    if (this.activeSocket) {
+      this.activeSocket.removeAllListeners();
+      try {
+        this.activeSocket.close();
+      } catch {
+      }
+      this.activeSocket = null;
+    }
+    this.activeGroups = { privateGroup: "", registryGroup: "" };
+  }
+  /**
+   * Drain buffered output and replay through the WebSocket.
+   */
+  replayBufferedOutput(sendChunk) {
+    const buffered = this.outputBuffer.drain();
+    if (buffered.length > 0) {
+      console.log(
+        `[rAgent] Replaying ${buffered.length} buffered output chunks (${buffered.reduce((sum, c) => sum + Buffer.byteLength(c, "utf8"), 0)} bytes)`
+      );
+      for (const chunk of buffered) {
+        sendChunk(chunk);
+      }
+    }
+  }
+};
+
+// src/control-dispatcher.ts
+var crypto2 = __toESM(require("crypto"));
+var import_ws4 = __toESM(require("ws"));
+
+// src/service.ts
+var import_child_process2 = require("child_process");
+var fs2 = __toESM(require("fs"));
+var os5 = __toESM(require("os"));
+function assertConfiguredAgentToken() {
+  const config = loadConfig();
+  if (!config.agentToken) {
+    throw new Error("No saved connector token. Run `ragent connect --token <token>` first.");
+  }
+}
+function getConfiguredServiceBackend() {
+  const config = loadConfig();
+  if (config.serviceBackend === "systemd" || config.serviceBackend === "pidfile") {
+    return config.serviceBackend;
+  }
+  if (fs2.existsSync(SERVICE_FILE)) return "systemd";
+  if (fs2.existsSync(FALLBACK_PID_FILE)) return "pidfile";
+  return null;
+}
+async function canUseSystemdUser() {
+  if (os5.platform() !== "linux") return false;
+  try {
+    await execAsync("systemctl --user --version", { timeout: 4e3 });
+    await execAsync("systemctl --user show-environment", { timeout: 4e3 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runSystemctlUser(args, options = {}) {
+  const command = `systemctl --user ${args.map(shellQuote).join(" ")}`;
+  return execAsync(command, { timeout: options.timeout ?? 1e4 });
+}
+function buildSystemdUnit() {
+  return `[Unit]
+Description=rAgent Live connector
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+ExecStart=${process.execPath} ${__filename} run
+Restart=always
+RestartSec=3
+Environment=NODE_ENV=production
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=read-only
+ReadWritePaths=%h/.config/ragent
+
+[Install]
+WantedBy=default.target
+`;
+}
+async function installSystemdService(opts = {}) {
+  assertConfiguredAgentToken();
+  fs2.mkdirSync(SERVICE_DIR, { recursive: true });
+  fs2.writeFileSync(SERVICE_FILE, buildSystemdUnit(), "utf8");
+  await runSystemctlUser(["daemon-reload"]);
+  if (opts.enable !== false) {
+    await runSystemctlUser(["enable", SERVICE_NAME]);
+  }
+  if (opts.start) {
+    await runSystemctlUser(["restart", SERVICE_NAME]);
+  }
+  saveConfigPatch({ serviceBackend: "systemd" });
+  console.log(`[rAgent] Installed systemd user service at ${SERVICE_FILE}`);
+}
+function readFallbackPid() {
+  try {
+    const raw = fs2.readFileSync(FALLBACK_PID_FILE, "utf8").trim();
+    const pid = Number.parseInt(raw, 10);
+    return Number.isInteger(pid) ? pid : null;
+  } catch {
+    return null;
+  }
+}
+function isProcessRunning(pid) {
+  if (!pid || !Number.isInteger(pid)) return false;
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function startPidfileService() {
+  assertConfiguredAgentToken();
+  const existingPid = readFallbackPid();
+  if (existingPid && isProcessRunning(existingPid)) {
+    console.log(`[rAgent] Service already running (pid ${existingPid})`);
+    return;
+  }
+  ensureConfigDir();
+  const logFd = fs2.openSync(FALLBACK_LOG_FILE, "a");
+  const child = (0, import_child_process2.spawn)(process.execPath, [__filename, "run"], {
+    detached: true,
+    stdio: ["ignore", logFd, logFd],
+    cwd: os5.homedir(),
+    env: process.env
+  });
+  child.unref();
+  fs2.closeSync(logFd);
+  fs2.writeFileSync(FALLBACK_PID_FILE, `${child.pid}
+`, "utf8");
+  saveConfigPatch({ serviceBackend: "pidfile" });
+  console.log(`[rAgent] Started fallback background service (pid ${child.pid})`);
+  console.log(`[rAgent] Logs: ${FALLBACK_LOG_FILE}`);
+}
+async function stopPidfileService() {
+  const pid = readFallbackPid();
+  if (!pid || !isProcessRunning(pid)) {
+    try {
+      fs2.unlinkSync(FALLBACK_PID_FILE);
+    } catch {
+    }
+    console.log("[rAgent] Service is not running.");
+    return;
+  }
+  process.kill(pid, "SIGTERM");
+  for (let i = 0; i < 20; i += 1) {
+    if (!isProcessRunning(pid)) break;
+    await wait(150);
+  }
+  if (isProcessRunning(pid)) {
+    process.kill(pid, "SIGKILL");
+  }
+  try {
+    fs2.unlinkSync(FALLBACK_PID_FILE);
+  } catch {
+  }
+  console.log(`[rAgent] Stopped fallback background service (pid ${pid})`);
+}
+async function ensureServiceInstalled(opts = {}) {
+  const wantsSystemd = await canUseSystemdUser();
+  if (wantsSystemd) {
+    await installSystemdService(opts);
+    return "systemd";
+  }
+  saveConfigPatch({ serviceBackend: "pidfile" });
+  if (opts.start) {
+    await startPidfileService();
+  } else {
+    console.log(
+      "[rAgent] systemd user manager unavailable; using fallback pidfile backend."
+    );
+  }
+  return "pidfile";
+}
+async function startService() {
+  const backend = getConfiguredServiceBackend();
+  if (backend === "systemd") {
+    await runSystemctlUser(["start", SERVICE_NAME]);
+    console.log("[rAgent] Started service via systemd.");
+    return;
+  }
+  if (backend === "pidfile") {
+    await startPidfileService();
+    return;
+  }
+  await ensureServiceInstalled({ start: true, enable: true });
+}
+async function stopService() {
+  const backend = getConfiguredServiceBackend();
+  if (backend === "systemd") {
+    await runSystemctlUser(["stop", SERVICE_NAME]);
+    console.log("[rAgent] Stopped service via systemd.");
+    return;
+  }
+  await stopPidfileService();
+}
+async function restartService() {
+  const backend = getConfiguredServiceBackend();
+  if (backend === "systemd") {
+    await runSystemctlUser(["restart", SERVICE_NAME]);
+    console.log("[rAgent] Restarted service via systemd.");
+    return;
+  }
+  await stopPidfileService();
+  await startPidfileService();
+}
+async function printServiceStatus() {
+  const backend = getConfiguredServiceBackend();
+  if (backend === "systemd") {
+    const status = await execAsync(
+      `systemctl --user status ${shellQuote(SERVICE_NAME)} --no-pager --lines=20`,
+      { timeout: 1e4 }
+    ).catch((error) => {
+      console.log(error.message);
+      return "";
+    });
+    if (status) {
+      process.stdout.write(status);
+    }
+    return;
+  }
+  const pid = readFallbackPid();
+  if (pid && isProcessRunning(pid)) {
+    console.log(`[rAgent] fallback service running (pid ${pid})`);
+    console.log(`[rAgent] logs: ${FALLBACK_LOG_FILE}`);
+    return;
+  }
+  console.log("[rAgent] service is not running.");
+}
+async function printServiceLogs(opts) {
+  const lines = Number.parseInt(String(opts.lines || 100), 10) || 100;
+  const follow = Boolean(opts.follow);
+  const backend = getConfiguredServiceBackend();
+  if (backend === "systemd") {
+    if (follow) {
+      await new Promise((resolve) => {
+        const child = (0, import_child_process2.spawn)(
+          "journalctl",
+          ["--user", "-u", SERVICE_NAME, "-f", "-n", String(lines)],
+          { stdio: "inherit" }
+        );
+        child.on("exit", () => resolve());
+      });
+      return;
+    }
+    const output = await execAsync(
+      `journalctl --user -u ${shellQuote(SERVICE_NAME)} -n ${lines} --no-pager`,
+      { timeout: 12e3 }
+    );
+    process.stdout.write(output);
+    return;
+  }
+  if (!fs2.existsSync(FALLBACK_LOG_FILE)) {
+    console.log(`[rAgent] No log file found at ${FALLBACK_LOG_FILE}`);
+    return;
+  }
+  if (follow) {
+    await new Promise((resolve) => {
+      const child = (0, import_child_process2.spawn)("tail", ["-n", String(lines), "-f", FALLBACK_LOG_FILE], {
+        stdio: "inherit"
+      });
+      child.on("exit", () => resolve());
+    });
+    return;
+  }
+  const content = fs2.readFileSync(FALLBACK_LOG_FILE, "utf8");
+  const tail = content.split("\n").slice(-lines).join("\n");
+  process.stdout.write(`${tail}${tail.endsWith("\n") ? "" : "\n"}`);
+}
+async function uninstallService() {
+  const backend = getConfiguredServiceBackend();
+  if (backend === "systemd") {
+    await runSystemctlUser(["stop", SERVICE_NAME]).catch(() => void 0);
+    await runSystemctlUser(["disable", SERVICE_NAME]).catch(() => void 0);
+    try {
+      fs2.unlinkSync(SERVICE_FILE);
+    } catch {
+    }
+    await runSystemctlUser(["daemon-reload"]).catch(() => void 0);
+  } else {
+    await stopPidfileService();
+  }
+  const config = loadConfig();
+  delete config.serviceBackend;
+  saveConfig(config);
+  console.log("[rAgent] Service uninstalled.");
+}
+function requestStopSelfService() {
+  const backend = getConfiguredServiceBackend();
+  if (backend === "systemd") {
+    const child = (0, import_child_process2.spawn)("systemctl", ["--user", "stop", SERVICE_NAME], {
+      detached: true,
+      stdio: "ignore"
+    });
+    child.unref();
+    return;
+  }
+  if (backend === "pidfile") {
+    try {
+      fs2.unlinkSync(FALLBACK_PID_FILE);
+    } catch {
+    }
+  }
+}
 
 // src/provisioner.ts
-var import_child_process2 = require("child_process");
+var import_child_process3 = require("child_process");
 var DANGEROUS_PATTERN = /rm\s+-r[fe]*\s+\/|mkfs|dd\s+if=|:()\s*\{|>\s*\/dev\/sd/i;
 function shellQuote2(s) {
   return `'${s.replace(/'/g, "'\\''")}'`;
@@ -1507,7 +1952,7 @@ function shellQuote2(s) {
 var SESSION_NAME_RE = /^[a-zA-Z0-9_-]+$/;
 var MAX_SESSION_NAME = 128;
 function runCommand(cmd, timeout = 12e4) {
-  return (0, import_child_process2.execSync)(cmd, {
+  return (0, import_child_process3.execSync)(cmd, {
     encoding: "utf8",
     timeout,
     maxBuffer: 10 * 1024 * 1024,
@@ -1518,7 +1963,7 @@ function runCommand(cmd, timeout = 12e4) {
 function commandExists2(cmd) {
   if (!/^[a-zA-Z0-9._+-]+$/.test(cmd)) return false;
   try {
-    (0, import_child_process2.execFileSync)("sh", ["-c", `command -v -- ${cmd} >/dev/null 2>&1`], { stdio: "ignore" });
+    (0, import_child_process3.execFileSync)("sh", ["-c", `command -v -- ${cmd} >/dev/null 2>&1`], { stdio: "ignore" });
     return true;
   } catch {
     return false;
@@ -1668,7 +2113,7 @@ function startAgent(request, onProgress) {
   }
   tmuxArgs.push(fullCmd);
   try {
-    (0, import_child_process2.execFileSync)("tmux", tmuxArgs, { stdio: "ignore" });
+    (0, import_child_process3.execFileSync)("tmux", tmuxArgs, { stdio: "ignore" });
     onProgress({
       type: "provision-progress",
       provisionId: request.provisionId,
@@ -1703,6 +2148,250 @@ async function executeProvision(request, onProgress) {
   return startAgent(request, emit);
 }
 
+// src/control-dispatcher.ts
+var ControlDispatcher = class {
+  shell;
+  streamer;
+  inventory;
+  connection;
+  options;
+  /** Set to true when a reconnect was requested (restart-agent, disconnect). */
+  reconnectRequested = false;
+  /** Set to false to stop the agent. */
+  shouldRun = true;
+  constructor(shell, streamer, inventory, connection, options) {
+    this.shell = shell;
+    this.streamer = streamer;
+    this.inventory = inventory;
+    this.connection = connection;
+    this.options = options;
+  }
+  /** Update options (e.g., after token refresh). */
+  updateOptions(options) {
+    this.options = options;
+  }
+  /**
+   * Verify HMAC-SHA256 signature on a control message.
+   * Returns true if valid or no session key is available (backward compat).
+   */
+  verifyMessageHmac(payload) {
+    const sessionKey = this.connection.sessionKey;
+    if (!sessionKey) return true;
+    const receivedHmac = payload.hmac;
+    if (typeof receivedHmac !== "string") {
+      console.warn("[rAgent] Control message missing HMAC signature.");
+      return false;
+    }
+    const { hmac: _, ...payloadWithoutHmac } = payload;
+    const canonical = JSON.stringify(payloadWithoutHmac, Object.keys(payloadWithoutHmac).sort());
+    const expected = crypto2.createHmac("sha256", sessionKey).update(canonical).digest("hex");
+    return crypto2.timingSafeEqual(Buffer.from(receivedHmac, "hex"), Buffer.from(expected, "hex"));
+  }
+  /** Dispatch a control action message. */
+  async handleControlAction(payload) {
+    const action = typeof payload?.action === "string" ? payload.action : "";
+    const sessionId = typeof payload?.sessionId === "string" && payload.sessionId.trim().length > 0 ? payload.sessionId.trim() : null;
+    const dangerousActions = /* @__PURE__ */ new Set([
+      "stop-agent",
+      "restart-agent",
+      "restart-shell",
+      "stop-session",
+      "stop-detached",
+      "disconnect"
+    ]);
+    if (dangerousActions.has(action) && this.connection.sessionKey) {
+      if (!this.verifyMessageHmac(payload)) {
+        console.warn(`[rAgent] Rejecting control action "${action}" \u2014 HMAC verification failed.`);
+        return;
+      }
+    }
+    switch (action) {
+      case "restart-shell":
+        this.shell.restart();
+        await this.syncInventory();
+        return;
+      case "restart-agent":
+      case "disconnect":
+        this.reconnectRequested = true;
+        this.streamer.stopAll();
+        if (this.connection.activeSocket?.readyState === import_ws4.default.OPEN) {
+          this.connection.activeSocket.close();
+        }
+        return;
+      case "stop-agent":
+        this.shouldRun = false;
+        this.streamer.stopAll();
+        requestStopSelfService();
+        if (this.connection.activeSocket?.readyState === import_ws4.default.OPEN) {
+          this.connection.activeSocket.close();
+        }
+        return;
+      case "stop-session":
+        if (!sessionId) return;
+        if (sessionId.startsWith("pty:")) {
+          this.shell.restart();
+          await this.syncInventory();
+          return;
+        }
+        if (sessionId.startsWith("tmux:")) {
+          try {
+            await stopTmuxPaneBySessionId(sessionId);
+            console.log(`[rAgent] Closed remote session ${sessionId}.`);
+          } catch (error) {
+            const message = error instanceof Error ? error.message : String(error);
+            console.warn(`[rAgent] Failed to close ${sessionId}: ${message}`);
+          }
+          await this.syncInventory();
+        }
+        return;
+      case "stop-detached": {
+        const killed = await stopAllDetachedTmuxSessions();
+        console.log(`[rAgent] Killed ${killed} detached tmux session(s).`);
+        await this.syncInventory();
+        return;
+      }
+      case "start-agent":
+        await this.handleStartAgent(payload);
+        return;
+      case "stream-session":
+        this.handleStreamSession(sessionId);
+        return;
+      case "stop-stream":
+        if (sessionId) this.streamer.stopStream(sessionId);
+        return;
+      default:
+    }
+  }
+  /** Handle input routing to the correct target. */
+  handleInput(data, sessionId) {
+    if (!sessionId || sessionId.startsWith("pty:")) {
+      this.shell.write(data);
+    } else if (sessionId.startsWith("tmux:")) {
+      sendInputToTmux(sessionId, data).catch(() => {
+      });
+    } else if (sessionId.startsWith("screen:") || sessionId.startsWith("zellij:")) {
+      this.streamer.writeInput(sessionId, data);
+    }
+  }
+  /** Handle resize routing. */
+  handleResize(cols, rows, sessionId) {
+    if (!sessionId || sessionId.startsWith("pty:")) {
+      this.shell.resize(cols, rows);
+    } else if (sessionId.startsWith("screen:") || sessionId.startsWith("zellij:")) {
+      this.streamer.resize(sessionId, cols, rows);
+    }
+  }
+  /** Handle provision request from dashboard. */
+  async handleProvision(payload) {
+    const provReq = payload;
+    if (!provReq.provisionId || !provReq.manifest) return;
+    console.log(`[rAgent] Provision request: ${provReq.manifest.name} (${provReq.provisionId})`);
+    const sendProgress = (progress) => {
+      const ws = this.connection.activeSocket;
+      if (ws && ws.readyState === import_ws4.default.OPEN && this.connection.activeGroups.registryGroup) {
+        sendToGroup(ws, this.connection.activeGroups.registryGroup, {
+          ...progress,
+          hostId: this.options.hostId
+        });
+      }
+    };
+    try {
+      await executeProvision(provReq, sendProgress);
+      await this.syncInventory(true);
+    } catch (error) {
+      const errMsg = error instanceof Error ? error.message : String(error);
+      sendProgress({
+        type: "provision-progress",
+        provisionId: provReq.provisionId,
+        step: "error",
+        message: `Provision failed: ${errMsg}`
+      });
+    }
+  }
+  async syncInventory(force = false) {
+    await this.inventory.syncInventory(
+      this.connection.activeSocket,
+      this.connection.activeGroups,
+      force
+    );
+  }
+  async handleStartAgent(payload) {
+    const sessionName = typeof payload?.sessionName === "string" && payload.sessionName.trim().length > 0 ? payload.sessionName.trim() : `agent-${Date.now().toString(36)}`;
+    const cmd = typeof payload?.command === "string" && payload.command.trim().length > 0 ? payload.command.trim() : null;
+    if (!cmd) {
+      console.warn("[rAgent] start-agent: no command provided, ignoring.");
+      return;
+    }
+    if (sessionName.length > 128 || !/^[a-zA-Z0-9_-]+$/.test(sessionName)) {
+      console.warn("[rAgent] start-agent: invalid session name, ignoring.");
+      return;
+    }
+    const dangerous = /rm\s+-r[fe]*\s+\/|mkfs|dd\s+if=|:()\s*\{|>\s*\/dev\/sd/i;
+    if (dangerous.test(cmd)) {
+      console.warn(`[rAgent] start-agent: rejected dangerous command: ${cmd}`);
+      return;
+    }
+    const workingDir = typeof payload?.workingDir === "string" && payload.workingDir.trim().length > 0 ? payload.workingDir.trim() : void 0;
+    const envVars = payload?.envVars && typeof payload.envVars === "object" ? payload.envVars : void 0;
+    const tmuxArgs = ["new-session", "-d", "-s", sessionName];
+    if (workingDir) {
+      tmuxArgs.push("-c", workingDir);
+    }
+    let fullCmd = cmd;
+    if (envVars) {
+      const entries = Object.entries(envVars).filter(([k, v]) => /^[A-Z_][A-Z0-9_]*$/i.test(k) && typeof v === "string").map(([k, v]) => `${k}='${v.replace(/'/g, "'\\''")}'`).join(" ");
+      if (entries) fullCmd = `${entries} ${cmd}`;
+    }
+    tmuxArgs.push(fullCmd);
+    try {
+      const { execFileSync: execFileSync3 } = await import("child_process");
+      execFileSync3("tmux", tmuxArgs, { stdio: "ignore" });
+      console.log(`[rAgent] Started agent session "${sessionName}": ${cmd}`);
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      console.error(`[rAgent] Failed to start agent session "${sessionName}": ${message}`);
+    }
+    await this.syncInventory(true);
+  }
+  handleStreamSession(sessionId) {
+    if (!sessionId) return;
+    const ws = this.connection.activeSocket;
+    const group = this.connection.activeGroups.privateGroup;
+    if (sessionId.startsWith("process:")) {
+      if (ws && ws.readyState === import_ws4.default.OPEN && group) {
+        sendToGroup(ws, group, {
+          type: "stream-error",
+          sessionId,
+          error: "This agent is running outside a terminal multiplexer. Stop and relaunch via Start Agent to enable live streaming."
+        });
+      }
+      return;
+    }
+    if (sessionId.startsWith("tmux:") || sessionId.startsWith("screen:") || sessionId.startsWith("zellij:")) {
+      const started = this.streamer.startStream(sessionId);
+      if (ws && ws.readyState === import_ws4.default.OPEN && group) {
+        if (started) {
+          sendToGroup(ws, group, { type: "stream-started", sessionId });
+        } else {
+          sendToGroup(ws, group, {
+            type: "stream-error",
+            sessionId,
+            error: "Failed to attach to session. It may no longer exist."
+          });
+        }
+      }
+      return;
+    }
+    if (ws && ws.readyState === import_ws4.default.OPEN && group) {
+      sendToGroup(ws, group, {
+        type: "stream-error",
+        sessionId,
+        error: "Live streaming is not yet supported for this session type."
+      });
+    }
+  }
+};
+
 // src/agent.ts
 function pidFilePath(hostId) {
   return path2.join(CONFIG_DIR, `agent-${hostId}.pid`);
@@ -1751,7 +2440,7 @@ function resolveRunOptions(commandOptions) {
   const config = loadConfig();
   const portal = commandOptions.portal || config.portal || DEFAULT_PORTAL;
   const hostId = sanitizeHostId(commandOptions.id || config.hostId || inferHostId());
-  const hostName = commandOptions.name || config.hostName || os5.hostname();
+  const hostName = commandOptions.name || config.hostName || os6.hostname();
   const command = commandOptions.command || config.command || "bash";
   const agentToken = commandOptions.agentToken || config.agentToken || "";
   return { portal, hostId, hostName, command, agentToken };
@@ -1772,400 +2461,93 @@ async function runAgent(rawOptions) {
     }
   } catch {
   }
-  let shouldRun = true;
-  let reconnectRequested = false;
-  let reconnectDelay = DEFAULT_RECONNECT_DELAY_MS;
-  let activeSocket = null;
-  let activeGroups = { privateGroup: "", registryGroup: "" };
-  let wsHeartbeatTimer = null;
-  let httpHeartbeatTimer = null;
-  let wsPingTimer = null;
-  let wsPongTimeout = null;
-  let suppressNextShellRespawn = false;
-  let lastSentFingerprint = "";
-  let lastHttpHeartbeatAt = 0;
   const outputBuffer = new OutputBuffer();
-  let ptyProcess = null;
   const ptySessionId = `pty:${options.hostId}`;
-  const sendOutput = (chunk) => {
-    const ws = activeSocket;
-    if (!ws || ws.readyState !== import_ws2.default.OPEN || !activeGroups.privateGroup) {
-      outputBuffer.push(chunk);
-      return;
-    }
-    sendToGroup(ws, activeGroups.privateGroup, { type: "output", data: chunk, sessionId: ptySessionId });
-  };
   const sessionStreamer = new SessionStreamer(
     (sessionId, data) => {
-      const ws = activeSocket;
-      if (!ws || ws.readyState !== import_ws2.default.OPEN || !activeGroups.privateGroup) return;
-      sendToGroup(ws, activeGroups.privateGroup, { type: "output", data, sessionId });
+      if (!conn.isReady()) return;
+      if (conn.sessionKey) {
+        const { enc, iv } = encryptPayload(data, conn.sessionKey);
+        sendToGroup(conn.activeSocket, conn.activeGroups.privateGroup, { type: "output", enc, iv, sessionId });
+      } else {
+        sendToGroup(conn.activeSocket, conn.activeGroups.privateGroup, { type: "output", data, sessionId });
+      }
     },
     (sessionId) => {
-      const ws = activeSocket;
-      if (!ws || ws.readyState !== import_ws2.default.OPEN || !activeGroups.privateGroup) return;
-      sendToGroup(ws, activeGroups.privateGroup, { type: "stream-stopped", sessionId });
+      if (!conn.isReady()) return;
+      sendToGroup(conn.activeSocket, conn.activeGroups.privateGroup, { type: "stream-stopped", sessionId });
     }
   );
-  const killCurrentShell = () => {
-    if (!ptyProcess) return;
-    suppressNextShellRespawn = true;
-    try {
-      ptyProcess.kill();
-    } catch {
-    }
-    ptyProcess = null;
-  };
-  const spawnOrRespawnShell = () => {
-    ptyProcess = spawnConnectorShell(options.command, sendOutput, () => {
-      if (suppressNextShellRespawn) {
-        suppressNextShellRespawn = false;
-        return;
-      }
-      if (!shouldRun) return;
-      console.warn("[rAgent] Shell exited. Restarting shell process.");
-      setTimeout(() => {
-        if (shouldRun) spawnOrRespawnShell();
-      }, 200);
-    });
-  };
-  const restartLocalShell = () => {
-    killCurrentShell();
-    spawnOrRespawnShell();
-  };
-  spawnOrRespawnShell();
-  const cleanupSocket = (opts = {}) => {
-    if (opts.stopStreams) sessionStreamer.stopAll();
-    if (wsPingTimer) {
-      clearInterval(wsPingTimer);
-      wsPingTimer = null;
-    }
-    if (wsPongTimeout) {
-      clearTimeout(wsPongTimeout);
-      wsPongTimeout = null;
-    }
-    if (wsHeartbeatTimer) {
-      clearInterval(wsHeartbeatTimer);
-      wsHeartbeatTimer = null;
-    }
-    if (httpHeartbeatTimer) {
-      clearInterval(httpHeartbeatTimer);
-      httpHeartbeatTimer = null;
-    }
-    if (activeSocket) {
-      activeSocket.removeAllListeners();
-      try {
-        activeSocket.close();
-      } catch {
-      }
-      activeSocket = null;
-    }
-    activeGroups = { privateGroup: "", registryGroup: "" };
-  };
-  let prevCpuSnapshot = null;
-  function takeCpuSnapshot() {
-    const cpus2 = os5.cpus();
-    let idle = 0;
-    let total = 0;
-    for (const cpu of cpus2) {
-      for (const type of Object.keys(cpu.times)) {
-        total += cpu.times[type];
-      }
-      idle += cpu.times.idle;
-    }
-    return { idle, total };
-  }
-  const collectVitals = () => {
-    const currentSnapshot = takeCpuSnapshot();
-    let cpuUsage = 0;
-    if (prevCpuSnapshot) {
-      const idleDelta = currentSnapshot.idle - prevCpuSnapshot.idle;
-      const totalDelta = currentSnapshot.total - prevCpuSnapshot.total;
-      cpuUsage = totalDelta > 0 ? Math.round((totalDelta - idleDelta) / totalDelta * 100) : 0;
-    }
-    prevCpuSnapshot = currentSnapshot;
-    const totalMem = os5.totalmem();
-    const freeMem = os5.freemem();
-    const memUsedPct = totalMem > 0 ? Math.round((totalMem - freeMem) / totalMem * 100) : 0;
-    let diskUsedPct = 0;
-    try {
-      const { execSync: execSync2 } = require("child_process");
-      const dfOutput = execSync2("df -P / | tail -1", { encoding: "utf8", timeout: 5e3 });
-      const parts = dfOutput.trim().split(/\s+/);
-      if (parts.length >= 5) {
-        diskUsedPct = parseInt(parts[4].replace("%", ""), 10) || 0;
-      }
-    } catch {
-    }
-    return { cpu: cpuUsage, memUsedPct, diskUsedPct };
-  };
-  const announceToRegistry = async (type = "heartbeat") => {
-    const ws = activeSocket;
-    if (!ws || ws.readyState !== import_ws2.default.OPEN || !activeGroups.registryGroup) return;
-    const sessions = await collectSessionInventory(options.hostId, options.command);
-    const vitals = collectVitals();
-    sendToGroup(ws, activeGroups.registryGroup, {
-      type,
-      hostId: options.hostId,
-      hostName: options.hostName,
-      environment: os5.hostname(),
-      sessions,
-      vitals,
-      agentVersion: CURRENT_VERSION,
-      lastSeenAt: (/* @__PURE__ */ new Date()).toISOString()
-    });
-  };
-  const syncInventory = async (force = false) => {
-    const sessions = await collectSessionInventory(options.hostId, options.command);
-    const fingerprint = sessionInventoryFingerprint(sessions);
-    const changed = fingerprint !== lastSentFingerprint;
-    const checkpointDue = Date.now() - lastHttpHeartbeatAt > HTTP_HEARTBEAT_MS;
-    if (changed || force) {
-      await announceToRegistry("inventory");
-      lastSentFingerprint = fingerprint;
-    }
-    if (changed || checkpointDue || force) {
-      await postHeartbeat({
-        portal: options.portal,
-        agentToken: options.agentToken,
-        hostId: options.hostId,
-        hostName: options.hostName,
-        command: options.command
-      });
-      lastHttpHeartbeatAt = Date.now();
+  const conn = new ConnectionManager(sessionStreamer, outputBuffer);
+  const sendOutput = (chunk) => {
+    if (!conn.isReady()) {
+      outputBuffer.push(chunk);
+      return;
     }
-  };
-  const handleControlAction = async (payload) => {
-    const action = typeof payload?.action === "string" ? payload.action : "";
-    const sessionId = typeof payload?.sessionId === "string" && payload.sessionId.trim().length > 0 ? payload.sessionId.trim() : null;
-    switch (action) {
-      case "restart-shell":
-        restartLocalShell();
-        await syncInventory();
-        return;
-      case "restart-agent":
-      case "disconnect":
-        reconnectRequested = true;
-        sessionStreamer.stopAll();
-        if (activeSocket && activeSocket.readyState === import_ws2.default.OPEN) {
-          activeSocket.close();
-        }
-        return;
-      case "stop-agent":
-        shouldRun = false;
-        sessionStreamer.stopAll();
-        requestStopSelfService();
-        if (activeSocket && activeSocket.readyState === import_ws2.default.OPEN) {
-          activeSocket.close();
-        }
-        return;
-      case "stop-session":
-        if (!sessionId) return;
-        if (sessionId.startsWith("pty:")) {
-          restartLocalShell();
-          await syncInventory();
-          return;
-        }
-        if (sessionId.startsWith("tmux:")) {
-          try {
-            await stopTmuxPaneBySessionId(sessionId);
-            console.log(`[rAgent] Closed remote session ${sessionId}.`);
-          } catch (error) {
-            const message = error instanceof Error ? error.message : String(error);
-            console.warn(
-              `[rAgent] Failed to close ${sessionId}: ${message}`
-            );
-          }
-          await syncInventory();
-        }
-        return;
-      case "stop-detached": {
-        const killed = await stopAllDetachedTmuxSessions();
-        console.log(`[rAgent] Killed ${killed} detached tmux session(s).`);
-        await syncInventory();
-        return;
-      }
-      case "start-agent": {
-        const sessionName = typeof payload?.sessionName === "string" && payload.sessionName.trim().length > 0 ? payload.sessionName.trim() : `agent-${Date.now().toString(36)}`;
-        const cmd = typeof payload?.command === "string" && payload.command.trim().length > 0 ? payload.command.trim() : null;
-        if (!cmd) {
-          console.warn("[rAgent] start-agent: no command provided, ignoring.");
-          return;
-        }
-        if (sessionName.length > 128 || !/^[a-zA-Z0-9_-]+$/.test(sessionName)) {
-          console.warn("[rAgent] start-agent: invalid session name, ignoring.");
-          return;
-        }
-        const dangerous = /rm\s+-r[fe]*\s+\/|mkfs|dd\s+if=|:()\s*\{|>\s*\/dev\/sd/i;
-        if (dangerous.test(cmd)) {
-          console.warn(`[rAgent] start-agent: rejected dangerous command: ${cmd}`);
-          return;
-        }
-        const workingDir = typeof payload?.workingDir === "string" && payload.workingDir.trim().length > 0 ? payload.workingDir.trim() : void 0;
-        const envVars = payload?.envVars && typeof payload.envVars === "object" ? payload.envVars : void 0;
-        const tmuxArgs = ["new-session", "-d", "-s", sessionName];
-        if (workingDir) {
-          tmuxArgs.push("-c", workingDir);
-        }
-        let fullCmd = cmd;
-        if (envVars) {
-          const entries = Object.entries(envVars).filter(([k, v]) => /^[A-Z_][A-Z0-9_]*$/i.test(k) && typeof v === "string").map(([k, v]) => `${k}='${v.replace(/'/g, "'\\''")}'`).join(" ");
-          if (entries) fullCmd = `${entries} ${cmd}`;
-        }
-        tmuxArgs.push(fullCmd);
-        try {
-          const { execFileSync: execFileSync3 } = await import("child_process");
-          execFileSync3("tmux", tmuxArgs, { stdio: "ignore" });
-          console.log(`[rAgent] Started agent session "${sessionName}": ${cmd}`);
-        } catch (error) {
-          const message = error instanceof Error ? error.message : String(error);
-          console.error(`[rAgent] Failed to start agent session "${sessionName}": ${message}`);
-        }
-        await syncInventory(true);
-        return;
-      }
-      case "stream-session": {
-        if (!sessionId) return;
-        if (sessionId.startsWith("process:")) {
-          const ws2 = activeSocket;
-          if (ws2 && ws2.readyState === import_ws2.default.OPEN && activeGroups.privateGroup) {
-            sendToGroup(ws2, activeGroups.privateGroup, {
-              type: "stream-error",
-              sessionId,
-              error: "This agent is running outside a terminal multiplexer. Stop and relaunch via Start Agent to enable live streaming."
-            });
-          }
-          return;
-        }
-        if (sessionId.startsWith("tmux:") || sessionId.startsWith("screen:") || sessionId.startsWith("zellij:")) {
-          const started = sessionStreamer.startStream(sessionId);
-          const ws2 = activeSocket;
-          if (ws2 && ws2.readyState === import_ws2.default.OPEN && activeGroups.privateGroup) {
-            if (started) {
-              sendToGroup(ws2, activeGroups.privateGroup, {
-                type: "stream-started",
-                sessionId
-              });
-            } else {
-              sendToGroup(ws2, activeGroups.privateGroup, {
-                type: "stream-error",
-                sessionId,
-                error: "Failed to attach to session. It may no longer exist."
-              });
-            }
-          }
-          return;
-        }
-        const ws = activeSocket;
-        if (ws && ws.readyState === import_ws2.default.OPEN && activeGroups.privateGroup) {
-          sendToGroup(ws, activeGroups.privateGroup, {
-            type: "stream-error",
-            sessionId,
-            error: "Live streaming is not yet supported for this session type."
-          });
-        }
-        return;
-      }
-      case "stop-stream": {
-        if (!sessionId) return;
-        sessionStreamer.stopStream(sessionId);
-        return;
-      }
-      default:
+    if (conn.sessionKey) {
+      const { enc, iv } = encryptPayload(chunk, conn.sessionKey);
+      sendToGroup(conn.activeSocket, conn.activeGroups.privateGroup, { type: "output", enc, iv, sessionId: ptySessionId });
+    } else {
+      sendToGroup(conn.activeSocket, conn.activeGroups.privateGroup, { type: "output", data: chunk, sessionId: ptySessionId });
     }
   };
+  const shell = new ShellManager(options.command, sendOutput);
+  const inventory = new InventoryManager(options);
+  const dispatcher = new ControlDispatcher(shell, sessionStreamer, inventory, conn, options);
+  shell.spawn();
   const onSignal = () => {
-    shouldRun = false;
-    cleanupSocket({ stopStreams: true });
-    killCurrentShell();
+    dispatcher.shouldRun = false;
+    conn.cleanup({ stopStreams: true });
+    shell.stop();
     releasePidLock(lockPath);
   };
   process.once("SIGTERM", onSignal);
   process.once("SIGINT", onSignal);
   try {
-    while (shouldRun) {
-      reconnectRequested = false;
+    while (dispatcher.shouldRun) {
+      dispatcher.reconnectRequested = false;
       try {
         options.agentToken = await refreshTokenIfNeeded({
           portal: options.portal,
           agentToken: options.agentToken
         });
+        inventory.updateOptions(options);
+        dispatcher.updateOptions(options);
         const negotiated = await negotiateAgent({
           portal: options.portal,
           agentToken: options.agentToken
         });
-        activeGroups = {
+        const groups = {
           privateGroup: negotiated.groups.privateGroup,
           registryGroup: negotiated.groups.registryGroup
         };
         await new Promise((resolve) => {
-          const ws = new import_ws2.default(
-            negotiated.url,
-            "json.webpubsub.azure.v1"
-          );
-          activeSocket = ws;
+          const ws = new import_ws5.default(negotiated.url, "json.webpubsub.azure.v1");
+          conn.setConnection(ws, groups, negotiated.sessionKey ?? null);
           ws.on("open", async () => {
             console.log("[rAgent] Connector connected to relay.");
-            reconnectDelay = DEFAULT_RECONNECT_DELAY_MS;
-            ws.send(
-              JSON.stringify({
-                type: "joinGroup",
-                group: activeGroups.privateGroup
-              })
-            );
-            ws.send(
-              JSON.stringify({
-                type: "joinGroup",
-                group: activeGroups.registryGroup
-              })
-            );
-            sendToGroup(ws, activeGroups.privateGroup, {
+            conn.resetReconnectDelay();
+            ws.send(JSON.stringify({ type: "joinGroup", group: groups.privateGroup }));
+            ws.send(JSON.stringify({ type: "joinGroup", group: groups.registryGroup }));
+            sendToGroup(ws, groups.privateGroup, {
               type: "register",
               hostName: options.hostName,
-              environment: os5.platform()
+              environment: os6.platform()
             });
-            const buffered = outputBuffer.drain();
-            if (buffered.length > 0) {
-              console.log(
-                `[rAgent] Replaying ${buffered.length} buffered output chunks (${buffered.reduce((sum, c) => sum + Buffer.byteLength(c, "utf8"), 0)} bytes)`
-              );
-              for (const chunk of buffered) {
-                sendToGroup(ws, activeGroups.privateGroup, {
-                  type: "output",
-                  data: chunk,
-                  sessionId: ptySessionId
-                });
-              }
-            }
-            await syncInventory(true);
-            wsHeartbeatTimer = setInterval(async () => {
-              if (!activeSocket || activeSocket.readyState !== import_ws2.default.OPEN)
-                return;
-              await announceToRegistry("heartbeat");
-            }, WS_HEARTBEAT_MS);
-            httpHeartbeatTimer = setInterval(async () => {
-              if (!activeSocket || activeSocket.readyState !== import_ws2.default.OPEN)
-                return;
-              await syncInventory();
-            }, HTTP_HEARTBEAT_MS);
-            wsPingTimer = setInterval(() => {
-              if (!activeSocket || activeSocket.readyState !== import_ws2.default.OPEN) return;
-              activeSocket.ping();
-              wsPongTimeout = setTimeout(() => {
-                console.warn("[rAgent] No pong received within 10s \u2014 closing stale connection.");
-                try {
-                  activeSocket?.terminate();
-                } catch {
-                }
-              }, 1e4);
-            }, 2e4);
-          });
-          ws.on("pong", () => {
-            if (wsPongTimeout) {
-              clearTimeout(wsPongTimeout);
-              wsPongTimeout = null;
-            }
+            conn.replayBufferedOutput((chunk) => {
+              sendToGroup(ws, groups.privateGroup, {
+                type: "output",
+                data: chunk,
+                sessionId: ptySessionId
+              });
+            });
+            await inventory.syncInventory(ws, groups, true);
+            conn.startTimers(
+              () => inventory.announceToRegistry(ws, groups.registryGroup, "heartbeat"),
+              () => inventory.syncInventory(ws, groups)
+            );
           });
+          ws.on("pong", () => conn.onPong());
           ws.on("message", async (data) => {
             let msg;
             try {
@@ -2173,69 +2555,37 @@ async function runAgent(rawOptions) {
             } catch {
               return;
             }
-            if (msg.type === "message" && msg.group === activeGroups.privateGroup) {
+            if (msg.type === "message" && msg.group === groups.privateGroup) {
               const payload = msg.data || {};
-              if (payload.type === "input" && typeof payload.data === "string") {
-                const sid = typeof payload.sessionId === "string" ? payload.sessionId.trim() : "";
-                if (!sid || sid.startsWith("pty:")) {
-                  if (ptyProcess) ptyProcess.write(payload.data);
-                } else if (sid.startsWith("tmux:")) {
-                  await sendInputToTmux(sid, payload.data);
-                } else if (sid.startsWith("screen:") || sid.startsWith("zellij:")) {
-                  sessionStreamer.writeInput(sid, payload.data);
+              if (payload.type === "input") {
+                let inputData = null;
+                if (typeof payload.enc === "string" && typeof payload.iv === "string" && conn.sessionKey) {
+                  inputData = decryptPayload(payload.enc, payload.iv, conn.sessionKey);
+                  if (inputData === null) {
+                    console.warn("[rAgent] Failed to decrypt input \u2014 ignoring.");
+                  }
+                } else if (typeof payload.data === "string") {
+                  inputData = payload.data;
+                }
+                if (inputData !== null) {
+                  const sid = typeof payload.sessionId === "string" ? payload.sessionId.trim() : "";
+                  dispatcher.handleInput(inputData, sid);
                 }
               } else if (payload.type === "resize" && Number.isInteger(payload.cols) && Number.isInteger(payload.rows)) {
                 const sid = typeof payload.sessionId === "string" ? payload.sessionId.trim() : "";
-                if (!sid || sid.startsWith("pty:")) {
-                  try {
-                    if (ptyProcess)
-                      ptyProcess.resize(
-                        payload.cols,
-                        payload.rows
-                      );
-                  } catch (error) {
-                    const message = error instanceof Error ? error.message : String(error);
-                    if (!message.includes("EBADF")) {
-                      console.warn(`[rAgent] Resize failed: ${message}`);
-                    }
-                  }
-                }
+                dispatcher.handleResize(payload.cols, payload.rows, sid);
               } else if (payload.type === "control" && typeof payload.action === "string") {
-                await handleControlAction(payload);
+                await dispatcher.handleControlAction(payload);
               } else if (payload.type === "start-agent") {
-                await handleControlAction({ ...payload, action: "start-agent" });
+                await dispatcher.handleControlAction({ ...payload, action: "start-agent" });
               } else if (payload.type === "provision") {
-                const provReq = payload;
-                if (provReq.provisionId && provReq.manifest) {
-                  console.log(`[rAgent] Provision request: ${provReq.manifest.name} (${provReq.provisionId})`);
-                  const sendProgress = (progress) => {
-                    const currentWs = activeSocket;
-                    if (currentWs && currentWs.readyState === import_ws2.default.OPEN && activeGroups.registryGroup) {
-                      sendToGroup(currentWs, activeGroups.registryGroup, {
-                        ...progress,
-                        hostId: options.hostId
-                      });
-                    }
-                  };
-                  try {
-                    await executeProvision(provReq, sendProgress);
-                    await syncInventory(true);
-                  } catch (error) {
-                    const errMsg = error instanceof Error ? error.message : String(error);
-                    sendProgress({
-                      type: "provision-progress",
-                      provisionId: provReq.provisionId,
-                      step: "error",
-                      message: `Provision failed: ${errMsg}`
-                    });
-                  }
-                }
+                await dispatcher.handleProvision(payload);
               }
             }
-            if (msg.type === "message" && msg.group === activeGroups.registryGroup) {
+            if (msg.type === "message" && msg.group === groups.registryGroup) {
               const payload = msg.data || {};
               if (payload.type === "ping") {
-                await announceToRegistry("announce");
+                await inventory.announceToRegistry(ws, groups.registryGroup, "announce");
               }
             }
           });
@@ -2243,10 +2593,8 @@ async function runAgent(rawOptions) {
             console.error("[rAgent] WebSocket error:", error.message);
           });
           ws.on("close", () => {
-            console.log(
-              "[rAgent] Relay disconnected. Output will be buffered until reconnect."
-            );
-            cleanupSocket();
+            console.log("[rAgent] Relay disconnected. Output will be buffered until reconnect.");
+            conn.cleanup();
             resolve();
           });
         });
@@ -2256,28 +2604,26 @@ async function runAgent(rawOptions) {
           console.error(
             "[rAgent] Connector token is invalid or revoked. Stopping. Re-connect with: ragent connect --token <token>"
           );
-          shouldRun = false;
+          dispatcher.shouldRun = false;
           break;
         }
         const message = error instanceof Error ? error.message : String(error);
         console.error(`[rAgent] Relay connect failed: ${message}`);
       }
-      if (!shouldRun) break;
-      if (reconnectRequested) {
+      if (!dispatcher.shouldRun) break;
+      if (dispatcher.reconnectRequested) {
         console.log("[rAgent] Reconnecting to relay...");
         await wait(300);
         continue;
       }
-      const jitteredDelay = reconnectDelay * (0.5 + Math.random());
-      console.log(
-        `[rAgent] Disconnected. Reconnecting in ${Math.round(jitteredDelay / 1e3)}s...`
-      );
+      const jitteredDelay = conn.reconnectDelay * (0.5 + Math.random());
+      console.log(`[rAgent] Disconnected. Reconnecting in ${Math.round(jitteredDelay / 1e3)}s...`);
       await wait(jitteredDelay);
-      reconnectDelay = Math.min(reconnectDelay * 1.5, MAX_RECONNECT_DELAY_MS);
+      conn.reconnectDelay = Math.min(conn.reconnectDelay * 1.5, MAX_RECONNECT_DELAY_MS);
     }
   } finally {
-    cleanupSocket({ stopStreams: true });
-    killCurrentShell();
+    conn.cleanup({ stopStreams: true });
+    shell.stop();
     releasePidLock(lockPath);
     process.removeListener("SIGTERM", onSignal);
     process.removeListener("SIGINT", onSignal);
@@ -2372,7 +2718,7 @@ function printCommandArt(title, subtitle = "remote agent control") {
 async function connectMachine(opts) {
   const portal = opts.portal || DEFAULT_PORTAL;
   const hostId = sanitizeHostId(opts.id || inferHostId());
-  const hostName = opts.name || os6.hostname();
+  const hostName = opts.name || os7.hostname();
   const command = opts.command || "bash";
   if (!opts.token) {
     throw new Error("Connection token is required.");
@@ -2446,12 +2792,12 @@ function registerRunCommand(program2) {
 }
 
 // src/commands/doctor.ts
-var os7 = __toESM(require("os"));
+var os8 = __toESM(require("os"));
 async function runDoctor(opts) {
   const options = resolveRunOptions(opts);
   const checks = [];
-  const platformOk = os7.platform() === "linux";
-  checks.push({ name: "platform", ok: platformOk, detail: os7.platform() });
+  const platformOk = os8.platform() === "linux";
+  checks.push({ name: "platform", ok: platformOk, detail: os8.platform() });
   checks.push({
     name: "node",
     ok: Number(process.versions.node.split(".")[0]) >= 20,