sparkecoder 0.1.85 → 0.1.87

package/dist/server/index.js

@@ -447,7 +447,11 @@ var init_remote = __esm({
         return result.files;
       },
       async getDownloadUrl(fileId) {
-        return storageApi(`/download/${fileId}`);
+        const result = await storageApi(`/download/${fileId}`);
+        return {
+          downloadUrl: result.shortUrl || result.downloadUrl,
+          expiresAt: result.expiresAt
+        };
       },
       async deleteFile(fileId) {
         await storageApi(`/files/${fileId}`, { method: "DELETE" });
@@ -512,7 +516,12 @@ var init_types = __esm({
       // Whether to always inject this skill into context (vs on-demand loading)
       alwaysApply: z.boolean().optional().default(false),
       // Glob patterns - auto-inject when working with matching files
-      globs: z.array(z.string()).optional().default([])
+      globs: z.array(z.string()).optional().default([]),
+      // Platform requirements — skill is hidden from the model on platforms
+      // not listed here. Values match `process.platform`
+      // (darwin, linux, win32, freebsd, ...). If omitted or empty, the skill is
+      // available on all platforms.
+      platforms: z.array(z.string()).optional().default([])
     });
     TaskConfigSchema = z.object({
       enabled: z.boolean(),
@@ -530,7 +539,13 @@ var init_types = __esm({
       approvalWebhook: z.string().url().optional(),
       skillsDirectory: z.string().optional(),
       maxContextChars: z.number().optional().default(2e5),
-      task: TaskConfigSchema.optional()
+      task: TaskConfigSchema.optional(),
+      // Anthropic computer use tool — opt-in. When true, the `computer` tool is
+      // included in the toolset for Anthropic models. Default false.
+      computerUseEnabled: z.boolean().optional(),
+      // Display dimensions for the computer use tool (defaults: 1280x800).
+      computerUseDisplayWidth: z.number().int().positive().optional(),
+      computerUseDisplayHeight: z.number().int().positive().optional()
     });
     VectorGatewayConfigSchema = z.object({
       // Redis cluster nodes URL for Vector Gateway (or use REDIS_CLUSTER_NODES env var)
@@ -1531,7 +1546,8 @@ async function loadSkillsFromDirectory(directory, options = {}) {
         globs: parsed.metadata.globs,
         loadType,
         priority,
-        sourceDir: directory
+        sourceDir: directory,
+        platforms: parsed.metadata.platforms
       });
     } else {
       const name = getSkillNameFromPath(filePath);
@@ -1544,11 +1560,14 @@ async function loadSkillsFromDirectory(directory, options = {}) {
         globs: [],
         loadType: forceAlwaysApply ? "always" : defaultLoadType,
         priority,
-        sourceDir: directory
+        sourceDir: directory,
+        platforms: []
       });
     }
   }
-  return skills;
+  return skills.filter(
+    (s) => s.platforms.length === 0 || s.platforms.includes(process.platform)
+  );
 }
 async function loadAllSkills(directories) {
   const allSkills = [];
@@ -2145,6 +2164,7 @@ __export(webhook_exports, {
   sendWebhook: () => sendWebhook
 });
 async function sendWebhook(url, event) {
+  const t0 = Date.now();
   try {
     const controller = new AbortController();
     const timeout = setTimeout(() => controller.abort(), 5e3);
@@ -2158,17 +2178,36 @@ async function sendWebhook(url, event) {
       signal: controller.signal
     });
     clearTimeout(timeout);
+    const ms = Date.now() - t0;
     if (!response.ok) {
-      console.warn(`[WEBHOOK] ${event.type} to ${url} returned HTTP ${response.status}`);
+      const body = await response.text().catch(() => "");
+      console.warn(
+        `[WEBHOOK] ${event.type} task=${event.taskId} -> HTTP ${response.status} in ${ms}ms${body ? ` (${body.slice(0, 200)})` : ""}`
+      );
+      return;
+    }
+    if (!QUIET || TERMINAL_EVENTS.has(event.type)) {
+      console.log(
+        `[WEBHOOK] ${event.type} task=${event.taskId} -> 200 in ${ms}ms`
+      );
     }
   } catch (err) {
     const reason = err.name === "AbortError" ? "timeout (5s)" : err.message;
-    console.warn(`[WEBHOOK] ${event.type} to ${url} failed: ${reason}`);
+    console.warn(
+      `[WEBHOOK] ${event.type} task=${event.taskId} -> failed: ${reason}`
+    );
   }
 }
+var TERMINAL_EVENTS, QUIET;
 var init_webhook = __esm({
   "src/utils/webhook.ts"() {
     "use strict";
+    TERMINAL_EVENTS = /* @__PURE__ */ new Set([
+      "task.started",
+      "task.completed",
+      "task.failed"
+    ]);
+    QUIET = process.env.SPARKECODER_QUIET_WEBHOOKS === "1";
   }
 });
 
@@ -2378,15 +2417,15 @@ var recorder_exports = {};
 __export(recorder_exports, {
   FrameRecorder: () => FrameRecorder
 });
-import { exec as exec5 } from "child_process";
-import { promisify as promisify5 } from "util";
+import { exec as exec6 } from "child_process";
+import { promisify as promisify6 } from "util";
 import { writeFile as writeFile5, mkdir as mkdir4, readFile as readFile11, unlink as unlink2, readdir as readdir5, rm } from "fs/promises";
-import { join as join8 } from "path";
-import { tmpdir } from "os";
-import { nanoid as nanoid3 } from "nanoid";
+import { join as join9 } from "path";
+import { tmpdir as tmpdir2 } from "os";
+import { nanoid as nanoid4 } from "nanoid";
 async function checkFfmpeg() {
   try {
-    await execAsync5("ffmpeg -version", { timeout: 5e3 });
+    await execAsync6("ffmpeg -version", { timeout: 5e3 });
     return true;
   } catch {
     return false;
@@ -2398,11 +2437,11 @@ async function cleanup(dir) {
   } catch {
   }
 }
-var execAsync5, FrameRecorder;
+var execAsync6, FrameRecorder;
 var init_recorder = __esm({
   "src/browser/recorder.ts"() {
     "use strict";
-    execAsync5 = promisify5(exec5);
+    execAsync6 = promisify6(exec6);
     FrameRecorder = class {
       frames = [];
       startTime = null;
@@ -2438,21 +2477,21 @@ var init_recorder = __esm({
        */
       async encode() {
         if (this.frames.length === 0) return null;
-        const workDir = join8(tmpdir(), `sparkecoder-recording-${nanoid3(8)}`);
+        const workDir = join9(tmpdir2(), `sparkecoder-recording-${nanoid4(8)}`);
         await mkdir4(workDir, { recursive: true });
         try {
           for (let i = 0; i < this.frames.length; i++) {
-            const framePath = join8(workDir, `frame_${String(i).padStart(6, "0")}.jpg`);
+            const framePath = join9(workDir, `frame_${String(i).padStart(6, "0")}.jpg`);
             await writeFile5(framePath, this.frames[i].data);
           }
           const duration = (this.frames[this.frames.length - 1].timestamp - this.frames[0].timestamp) / 1e3;
           const fps = duration > 0 ? Math.round(this.frames.length / duration) : 10;
           const clampedFps = Math.max(1, Math.min(fps, 30));
-          const outputPath = join8(workDir, `recording_${this.sessionId}.mp4`);
+          const outputPath = join9(workDir, `recording_${this.sessionId}.mp4`);
           const hasFfmpeg = await checkFfmpeg();
           if (hasFfmpeg) {
-            await execAsync5(
-              `ffmpeg -y -framerate ${clampedFps} -i "${join8(workDir, "frame_%06d.jpg")}" -c:v libx264 -pix_fmt yuv420p -preset fast -crf 23 "${outputPath}"`,
+            await execAsync6(
+              `ffmpeg -y -framerate ${clampedFps} -i "${join9(workDir, "frame_%06d.jpg")}" -c:v libx264 -pix_fmt yuv420p -preset fast -crf 23 "${outputPath}"`,
               { timeout: 12e4 }
             );
           } else {
@@ -2464,7 +2503,7 @@ var init_recorder = __esm({
           const files = await readdir5(workDir);
           for (const f of files) {
             if (f.startsWith("frame_")) {
-              await unlink2(join8(workDir, f)).catch(() => {
+              await unlink2(join9(workDir, f)).catch(() => {
               });
             }
           }
@@ -2487,12 +2526,12 @@ var init_recorder = __esm({
 
 // src/server/index.ts
 import "dotenv/config";
-import { Hono as Hono6 } from "hono";
+import { Hono as Hono7 } from "hono";
 import { serve } from "@hono/node-server";
 import { cors } from "hono/cors";
 import { logger } from "hono/logger";
-import { existsSync as existsSync17, mkdirSync as mkdirSync7, writeFileSync as writeFileSync5 } from "fs";
-import { resolve as resolve10, dirname as dirname7, join as join12 } from "path";
+import { existsSync as existsSync19, mkdirSync as mkdirSync8, writeFileSync as writeFileSync5 } from "fs";
+import { resolve as resolve10, dirname as dirname7, join as join13 } from "path";
 import { spawn as spawn2 } from "child_process";
 import { createServer as createNetServer } from "net";
 import { fileURLToPath as fileURLToPath4 } from "url";
@@ -2501,17 +2540,17 @@ import { fileURLToPath as fileURLToPath4 } from "url";
 init_db();
 import { Hono } from "hono";
 import { zValidator } from "@hono/zod-validator";
-import { z as z15 } from "zod";
-import { existsSync as existsSync15, mkdirSync as mkdirSync5, writeFileSync as writeFileSync3, readdirSync as readdirSync2, statSync as statSync2, unlinkSync as unlinkSync2 } from "fs";
+import { z as z16 } from "zod";
+import { existsSync as existsSync16, mkdirSync as mkdirSync6, writeFileSync as writeFileSync3, readdirSync as readdirSync2, statSync as statSync2, unlinkSync as unlinkSync3 } from "fs";
 import { readdir as readdir6 } from "fs/promises";
-import { join as join9, basename as basename5, extname as extname8, relative as relative9 } from "path";
-import { nanoid as nanoid5 } from "nanoid";
+import { join as join10, basename as basename5, extname as extname8, relative as relative9 } from "path";
+import { nanoid as nanoid6 } from "nanoid";
 
 // src/agent/index.ts
 import {
   streamText as streamText2,
   generateText as generateText3,
-  tool as tool13,
+  tool as tool14,
   stepCountIs as stepCountIs2
 } from "ai";
 
@@ -2702,8 +2741,8 @@ var SUBAGENT_MODELS = {
 // src/agent/index.ts
 init_db();
 init_config();
-import { z as z14 } from "zod";
-import { nanoid as nanoid4 } from "nanoid";
+import { z as z15 } from "zod";
+import { nanoid as nanoid5 } from "nanoid";
 
 // src/tools/bash.ts
 import { tool } from "ai";
@@ -3770,12 +3809,12 @@ function findNearestRoot(startDir, markers) {
 }
 async function commandExists(cmd) {
   try {
-    const { exec: exec7 } = await import("child_process");
-    const { promisify: promisify7 } = await import("util");
-    const execAsync7 = promisify7(exec7);
+    const { exec: exec8 } = await import("child_process");
+    const { promisify: promisify8 } = await import("util");
+    const execAsync8 = promisify8(exec8);
     const isWindows = process.platform === "win32";
     const checkCmd = isWindows ? `where ${cmd}` : `which ${cmd}`;
-    await execAsync7(checkCmd);
+    await execAsync8(checkCmd);
     return true;
   } catch {
     return false;
@@ -6166,6 +6205,568 @@ function createUploadFileTool(options) {
   });
 }
 
+// src/tools/computer-use.ts
+import { anthropic } from "@ai-sdk/anthropic";
+import { exec as exec5 } from "child_process";
+import { promisify as promisify5 } from "util";
+import { mkdirSync as mkdirSync5, existsSync as existsSync15, readFileSync as readFileSync7, unlinkSync as unlinkSync2 } from "fs";
+import { join as join8 } from "path";
+import { tmpdir } from "os";
+import { nanoid as nanoid3 } from "nanoid";
+var execAsync5 = promisify5(exec5);
+var DEFAULT_WIDTH = 1280;
+var DEFAULT_HEIGHT = 800;
+function isMacOs() {
+  return process.platform === "darwin";
+}
+async function isCliclickInstalled() {
+  try {
+    await execAsync5("command -v cliclick", { timeout: 2e3 });
+    return true;
+  } catch {
+    return false;
+  }
+}
+async function runJxa(script) {
+  try {
+    const escaped = script.replace(/'/g, `'\\''`);
+    const { stdout } = await execAsync5(`osascript -l JavaScript -e '${escaped}'`, {
+      timeout: 5e3
+    });
+    return JSON.parse(stdout.trim());
+  } catch {
+    return null;
+  }
+}
+async function hasAccessibilityPermissions() {
+  try {
+    const { stderr } = await execAsync5("cliclick p:.", { timeout: 3e3 });
+    if (/accessibility privileges not enabled/i.test(stderr)) {
+      return { ok: false, error: stderr.trim().split("\n")[0] };
+    }
+    return { ok: true };
+  } catch (err) {
+    return { ok: false, error: err?.message || String(err) };
+  }
+}
+async function hasScreenRecordingPermissions() {
+  const result = await runJxa(
+    `ObjC.import("Cocoa");
+     ObjC.import("CoreGraphics");
+     ObjC.bindFunction("CGPreflightScreenCaptureAccess", ["bool", []]);
+     JSON.stringify({ hasAccess: !!$.CGPreflightScreenCaptureAccess() });`
+  );
+  return result?.hasAccess ?? false;
+}
+async function requestAccessibilityPrompt() {
+  const result = await runJxa(
+    `ObjC.import("ApplicationServices");
+     var key = $.kAXTrustedCheckOptionPrompt;
+     var dict = $.NSDictionary.dictionaryWithObjectForKey($.kCFBooleanTrue, key);
+     var trusted = $.AXIsProcessTrustedWithOptions(dict);
+     JSON.stringify({ trusted: !!trusted });`
+  );
+  return result?.trusted ?? false;
+}
+async function requestScreenRecordingPrompt() {
+  const result = await runJxa(
+    `ObjC.import("Cocoa");
+     ObjC.import("CoreGraphics");
+     ObjC.bindFunction("CGRequestScreenCaptureAccess", ["bool", []]);
+     JSON.stringify({ granted: !!$.CGRequestScreenCaptureAccess() });`
+  );
+  return result?.granted ?? false;
+}
+async function openSystemSettings(pane) {
+  const url = pane === "accessibility" ? "x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility" : "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture";
+  try {
+    await execAsync5(`open '${url}'`, { timeout: 3e3 });
+  } catch {
+  }
+}
+async function detectScreenSize() {
+  try {
+    const { stdout } = await execAsync5(
+      `osascript -e 'tell application "Finder" to get bounds of window of desktop'`,
+      { timeout: 3e3 }
+    );
+    const parts = stdout.trim().split(",").map((s) => parseInt(s.trim(), 10));
+    if (parts.length >= 4 && parts.every((n) => Number.isFinite(n))) {
+      const [x1, y1, x2, y2] = parts;
+      return { width: x2 - x1, height: y2 - y1 };
+    }
+  } catch {
+  }
+  return null;
+}
+async function runCliclick(args) {
+  const quoted = args.map((a) => `'${a.replace(/'/g, `'\\''`)}'`).join(" ");
+  const { stdout, stderr } = await execAsync5(`cliclick ${quoted}`, {
+    timeout: 15e3,
+    maxBuffer: 1024 * 1024
+  });
+  if (/accessibility privileges not enabled/i.test(stderr)) {
+    throw new Error(
+      "Accessibility permissions not granted to cliclick. Open System Settings \u2192 Privacy & Security \u2192 Accessibility, add cliclick (or the agent runtime), and toggle it on."
+    );
+  }
+  if (stderr && !stdout) throw new Error(stderr.trim());
+  return (stdout || "").trim();
+}
+async function runScreencapture(path) {
+  await execAsync5(`screencapture -x -t png '${path.replace(/'/g, `'\\''`)}'`, {
+    timeout: 5e3
+  });
+}
+async function resizeScreenshotToPoints(path, targetWidth, targetHeight) {
+  const sharpModule = await import("sharp");
+  const sharp2 = sharpModule.default || sharpModule;
+  const meta = await sharp2(path).metadata();
+  if (meta.width === targetWidth && meta.height === targetHeight) {
+    return readFileSync7(path);
+  }
+  return await sharp2(path).resize(targetWidth, targetHeight, { fit: "fill" }).png().toBuffer();
+}
+async function runScroll(dx, dy) {
+  const wheelY = -Math.round(dy);
+  const wheelX = -Math.round(dx);
+  const script = `ObjC.import('CoreGraphics');var ev = $.CGEventCreateScrollWheelEvent(null, 0, 2, ${wheelY}, ${wheelX});$.CGEventPost(0, ev);`;
+  await execAsync5(
+    `osascript -l JavaScript -e '${script.replace(/'/g, `'\\''`)}'`,
+    { timeout: 5e3 }
+  );
+}
+function translateKeyForCliclick(key) {
+  if (!key) return [];
+  const parts = key.split("+").map((p) => p.trim()).filter(Boolean);
+  if (parts.length === 0) return [];
+  const modMap = {
+    ctrl: "ctrl",
+    control: "ctrl",
+    alt: "alt",
+    option: "alt",
+    shift: "shift",
+    cmd: "cmd",
+    super: "cmd",
+    meta: "cmd",
+    win: "cmd",
+    fn: "fn"
+  };
+  const keyMap = {
+    return: "enter",
+    enter: "enter",
+    esc: "esc",
+    escape: "esc",
+    backspace: "delete",
+    back_space: "delete",
+    delete: "fwd-delete",
+    fwd_delete: "fwd-delete",
+    forward_delete: "fwd-delete",
+    tab: "tab",
+    space: "space",
+    up: "arrow-up",
+    arrow_up: "arrow-up",
+    down: "arrow-down",
+    arrow_down: "arrow-down",
+    left: "arrow-left",
+    arrow_left: "arrow-left",
+    right: "arrow-right",
+    arrow_right: "arrow-right",
+    page_up: "page-up",
+    pageup: "page-up",
+    page_down: "page-down",
+    pagedown: "page-down",
+    home: "home",
+    end: "end",
+    f1: "f1",
+    f2: "f2",
+    f3: "f3",
+    f4: "f4",
+    f5: "f5",
+    f6: "f6",
+    f7: "f7",
+    f8: "f8",
+    f9: "f9",
+    f10: "f10",
+    f11: "f11",
+    f12: "f12"
+  };
+  const modifiers = [];
+  let mainKey = null;
+  for (let i = 0; i < parts.length; i++) {
+    const lower = parts[i].toLowerCase().replace(/-/g, "_");
+    if (i < parts.length - 1 && modMap[lower]) {
+      modifiers.push(modMap[lower]);
+    } else {
+      mainKey = keyMap[lower] || lower;
+    }
+  }
+  const args = [];
+  if (modifiers.length > 0) args.push(`kd:${modifiers.join(",")}`);
+  if (mainKey) {
+    const isNamedKey = Object.values(keyMap).includes(mainKey) || /^f([1-9]|1[0-9]|20)$/.test(mainKey) || /^num-/.test(mainKey);
+    if (isNamedKey) {
+      args.push(`kp:${mainKey}`);
+    } else {
+      args.push(`t:${mainKey}`);
+    }
+  }
+  if (modifiers.length > 0) args.push(`ku:${modifiers.join(",")}`);
+  return args;
+}
+function modifierStringToCliclick(text) {
+  return text.split("+").map((p) => p.trim().toLowerCase()).map((p) => {
+    if (p === "ctrl" || p === "control") return "ctrl";
+    if (p === "alt" || p === "option") return "alt";
+    if (p === "shift") return "shift";
+    if (p === "super" || p === "meta" || p === "cmd") return "cmd";
+    return "";
+  }).filter(Boolean);
+}
+function createComputerUseTool(options) {
+  const displayWidth = options.displayWidth ?? DEFAULT_WIDTH;
+  const displayHeight = options.displayHeight ?? DEFAULT_HEIGHT;
+  return anthropic.tools.computer_20251124({
+    displayWidthPx: displayWidth,
+    displayHeightPx: displayHeight,
+    enableZoom: true,
+    execute: async (input) => {
+      try {
+        switch (input.action) {
+          case "screenshot": {
+            const path = join8(tmpdir(), `cu-${nanoid3(8)}.png`);
+            await runScreencapture(path);
+            const resized = await resizeScreenshotToPoints(path, displayWidth, displayHeight);
+            try {
+              unlinkSync2(path);
+            } catch {
+            }
+            return { type: "image", data: resized.toString("base64") };
+          }
+          case "left_click": {
+            const [x, y] = input.coordinate ?? [0, 0];
+            if (input.text) {
+              const mods = modifierStringToCliclick(input.text);
+              if (mods.length > 0) {
+                await runCliclick([`kd:${mods.join(",")}`, `c:${x},${y}`, `ku:${mods.join(",")}`]);
+              } else {
+                await runCliclick([`c:${x},${y}`]);
+              }
+            } else {
+              await runCliclick([`c:${x},${y}`]);
+            }
+            return `clicked at (${x}, ${y})${input.text ? ` with ${input.text}` : ""}`;
+          }
+          case "right_click": {
+            const [x, y] = input.coordinate ?? [0, 0];
+            await runCliclick([`rc:${x},${y}`]);
+            return `right-clicked at (${x}, ${y})`;
+          }
+          case "middle_click": {
+            const [x, y] = input.coordinate ?? [0, 0];
+            const script = `ObjC.import('CoreGraphics');var loc = $.CGPointMake(${x}, ${y});var down = $.CGEventCreateMouseEvent(null, 25, loc, 2);var up = $.CGEventCreateMouseEvent(null, 26, loc, 2);$.CGEventPost(0, down); $.CGEventPost(0, up);`;
+            await execAsync5(
+              `osascript -l JavaScript -e '${script.replace(/'/g, `'\\''`)}'`,
+              { timeout: 3e3 }
+            );
+            return `middle-clicked at (${x}, ${y})`;
+          }
+          case "double_click": {
+            const [x, y] = input.coordinate ?? [0, 0];
+            await runCliclick([`dc:${x},${y}`]);
+            return `double-clicked at (${x}, ${y})`;
+          }
+          case "triple_click": {
+            const [x, y] = input.coordinate ?? [0, 0];
+            await runCliclick([`tc:${x},${y}`]);
+            return `triple-clicked at (${x}, ${y})`;
+          }
+          case "mouse_move": {
+            const [x, y] = input.coordinate ?? [0, 0];
+            await runCliclick([`m:${x},${y}`]);
+            return `moved cursor to (${x}, ${y})`;
+          }
+          case "left_mouse_down": {
+            const [x, y] = input.coordinate ?? [0, 0];
+            await runCliclick([`dd:${x},${y}`]);
+            return `left mouse button pressed at (${x}, ${y})`;
+          }
+          case "left_mouse_up": {
+            const [x, y] = input.coordinate ?? [0, 0];
+            await runCliclick([`du:${x},${y}`]);
+            return `left mouse button released at (${x}, ${y})`;
+          }
+          case "left_click_drag": {
+            const [sx, sy] = input.start_coordinate ?? [0, 0];
+            const [ex, ey] = input.coordinate ?? [0, 0];
+            await runCliclick([`dd:${sx},${sy}`, `m:${ex},${ey}`, `du:${ex},${ey}`]);
+            return `dragged from (${sx}, ${sy}) to (${ex}, ${ey})`;
+          }
+          case "type": {
+            const text = input.text ?? "";
+            await runCliclick([`t:${text}`]);
+            return `typed ${text.length} character(s)`;
+          }
+          case "key": {
+            const args = translateKeyForCliclick(input.text ?? "");
+            if (args.length === 0) return "no key specified";
+            await runCliclick(args);
+            return `pressed ${input.text}`;
+          }
+          case "hold_key": {
+            const text = (input.text ?? "").toLowerCase();
+            const duration = input.duration ?? 1;
+            const modMap = {
+              ctrl: "ctrl",
+              control: "ctrl",
+              alt: "alt",
+              option: "alt",
+              shift: "shift",
+              cmd: "cmd",
+              super: "cmd",
+              meta: "cmd",
+              fn: "fn"
+            };
+            const cliName = modMap[text] || text;
+            await runCliclick([`kd:${cliName}`]);
+            await new Promise((r) => setTimeout(r, duration * 1e3));
+            await runCliclick([`ku:${cliName}`]);
+            return `held ${text} for ${duration}s`;
+          }
+          case "scroll": {
+            const direction = input.scroll_direction ?? "down";
+            const amount = input.scroll_amount ?? 3;
+            const px = amount * 100;
+            const dx = direction === "left" ? -px : direction === "right" ? px : 0;
+            const dy = direction === "up" ? -px : direction === "down" ? px : 0;
+            if (input.coordinate) {
+              const [x, y] = input.coordinate;
+              await runCliclick([`m:${x},${y}`]);
+            }
+            const mods = input.text ? modifierStringToCliclick(input.text) : [];
+            if (mods.length > 0) {
+              await runCliclick([`kd:${mods.join(",")}`]);
+            }
+            await runScroll(dx, dy);
+            if (mods.length > 0) {
+              await runCliclick([`ku:${mods.join(",")}`]);
+            }
+            return `scrolled ${direction} by ${amount}`;
+          }
+          case "wait": {
+            const duration = input.duration ?? 1;
+            await new Promise((r) => setTimeout(r, duration * 1e3));
+            return `waited ${duration}s`;
+          }
+          case "cursor_position": {
+            const out = await runCliclick(["p:."]);
+            return `cursor at ${out}`;
+          }
+          case "zoom": {
+            const region = input.region ?? [0, 0, displayWidth, displayHeight];
+            const [x1, y1, x2, y2] = region;
+            const tmpPath = join8(tmpdir(), `cu-zoom-${nanoid3(8)}.png`);
+            await runScreencapture(tmpPath);
+            const sharpModule = await import("sharp");
+            const sharp2 = sharpModule.default || sharpModule;
+            const meta = await sharp2(tmpPath).metadata();
+            const scaleX = (meta.width || displayWidth) / displayWidth;
+            const scaleY = (meta.height || displayHeight) / displayHeight;
+            const px = {
+              left: Math.max(0, Math.round(x1 * scaleX)),
+              top: Math.max(0, Math.round(y1 * scaleY)),
+              width: Math.max(1, Math.round((x2 - x1) * scaleX)),
+              height: Math.max(1, Math.round((y2 - y1) * scaleY))
+            };
+            const buf = await sharp2(tmpPath).extract(px).png().toBuffer();
+            try {
+              unlinkSync2(tmpPath);
+            } catch {
+            }
+            return { type: "image", data: buf.toString("base64") };
+          }
+          default: {
+            const exhaustive = input.action;
+            return `unsupported action: ${String(exhaustive)}`;
+          }
+        }
+      } catch (err) {
+        const msg = err?.message || String(err);
+        let hint = "";
+        if (/accessibility|not authorized|tcc|operation not permitted/i.test(msg)) {
+          hint = " (Hint: call enable_computer_use to (re-)check permissions and open System Settings)";
+        } else if (/command not found/i.test(msg)) {
+          hint = " (Hint: install cliclick with `brew install cliclick`)";
+        }
+        return `Error: ${msg}${hint}`;
+      }
+    },
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    toModelOutput({ output }) {
+      if (typeof output === "string") {
+        return { type: "content", value: [{ type: "text", text: output }] };
+      }
+      return {
+        type: "content",
+        value: [{ type: "media", data: output.data, mediaType: "image/png" }]
+      };
+    }
+  });
+}
+
+// src/tools/enable-computer-use.ts
+init_db();
+import { tool as tool13 } from "ai";
+import { z as z14 } from "zod";
+var inputSchema = z14.object({
+  display_width: z14.number().int().positive().optional().describe("Display width in pixels (defaults to detected primary display, fallback 1280)"),
+  display_height: z14.number().int().positive().optional().describe("Display height in pixels (defaults to detected primary display, fallback 800)"),
+  request_permissions: z14.boolean().optional().default(true).describe(
+    "When true (default), proactively trigger macOS permission prompts and open System Settings panes for any missing permissions."
+  )
+});
+var ACCESSIBILITY_URL = "x-apple.systempreferences:com.apple.preference.security?Privacy_Accessibility";
+var SCREEN_RECORDING_URL = "x-apple.systempreferences:com.apple.preference.security?Privacy_ScreenCapture";
+function createEnableComputerUseTool(options) {
+  return tool13({
+    description: "Enable Anthropic's computer use beta tool for this session. macOS only. Drives the actual desktop (mouse, keyboard, screenshots) at pixel coordinates. Requires `cliclick` (brew install cliclick), Accessibility permissions, and Screen Recording permissions. When called, this tool will automatically request any missing permissions and open System Settings to the right pane. Only works on Anthropic Claude models. After this tool succeeds, you MUST stop the current turn and ask the user to send another message \u2014 the `computer` tool only becomes available on the NEXT message because the toolset is fixed for the current turn.",
+    inputSchema,
+    execute: async ({ display_width, display_height, request_permissions }) => {
+      try {
+        if (!isMacOs()) {
+          return {
+            success: false,
+            error: "Computer use is currently only supported on macOS.",
+            platform: process.platform
+          };
+        }
+        if (!await isCliclickInstalled()) {
+          return {
+            success: false,
+            error: "`cliclick` is not installed. It is required for mouse/keyboard control on macOS.",
+            installCommand: "brew install cliclick",
+            fixSteps: [
+              "In a terminal on this Mac, run: brew install cliclick",
+              "(If Homebrew is not installed, install it first from https://brew.sh)",
+              "Then call enable_computer_use again"
+            ]
+          };
+        }
+        const acc = await hasAccessibilityPermissions();
+        const screen = await hasScreenRecordingPermissions();
+        const missing = [];
+        if (!acc.ok) {
+          let prompted = false;
+          let panelOpened = false;
+          if (request_permissions) {
+            prompted = await requestAccessibilityPrompt().then(() => true).catch(() => false);
+            await openSystemSettings("accessibility").then(() => {
+              panelOpened = true;
+            }).catch(() => void 0);
+          }
+          missing.push({
+            name: "Accessibility",
+            reason: "cliclick failed: " + (acc.error?.split("\n")[0] || "no permission"),
+            pane: "accessibility",
+            settingsUrl: ACCESSIBILITY_URL,
+            fixSteps: [
+              "In the System Settings \u2192 Privacy & Security \u2192 Accessibility pane that opened",
+              "Click the + button",
+              "Add the application running the agent (Terminal, iTerm, your IDE, or `node`)",
+              "Toggle the switch ON",
+              "Restart the agent process so the new permission takes effect",
+              "Then call enable_computer_use again"
+            ],
+            prompted,
+            panelOpened
+          });
+        }
+        if (!screen) {
+          let prompted = false;
+          let panelOpened = false;
+          if (request_permissions) {
+            prompted = await requestScreenRecordingPrompt().then(() => true).catch(() => false);
+            await openSystemSettings("screen-recording").then(() => {
+              panelOpened = true;
+            }).catch(() => void 0);
+          }
+          missing.push({
+            name: "Screen Recording",
+            reason: "CGPreflightScreenCaptureAccess returned false",
+            pane: "screen-recording",
+            settingsUrl: SCREEN_RECORDING_URL,
+            fixSteps: [
+              "In the System Settings \u2192 Privacy & Security \u2192 Screen Recording pane that opened",
+              "Click the + button",
+              "Add the application running the agent (Terminal, iTerm, your IDE, or `node`)",
+              "Toggle the switch ON",
+              "Restart the agent process so the new permission takes effect",
+              "Then call enable_computer_use again"
+            ],
+            prompted,
+            panelOpened
+          });
+        }
+        if (missing.length > 0) {
+          return {
+            success: false,
+            error: `Missing permission${missing.length > 1 ? "s" : ""}: ` + missing.map((m) => m.name).join(" and ") + ".",
+            missingPermissions: missing,
+            note: request_permissions ? "System permission prompts have been triggered (best-effort) and System Settings has been opened to the relevant pane(s). After granting and restarting the agent, call enable_computer_use again." : "Re-run with request_permissions: true to auto-open System Settings."
+          };
+        }
+        let width = display_width;
+        let height = display_height;
+        let detected = null;
+        if (width === void 0 || height === void 0) {
+          detected = await detectScreenSize();
+          width = width ?? detected?.width ?? 1280;
+          height = height ?? detected?.height ?? 800;
+        }
+        const session = await sessionQueries.getById(options.sessionId);
+        if (!session) {
+          return { success: false, error: "Session not found" };
+        }
+        const config = session.config || {};
+        if (config.computerUseEnabled === true && config.computerUseDisplayWidth === width && config.computerUseDisplayHeight === height) {
+          return {
+            success: true,
+            alreadyEnabled: true,
+            message: "Computer use was already enabled for this session.",
+            displayWidth: width,
+            displayHeight: height
+          };
+        }
+        const updated = {
+          ...config,
+          computerUseEnabled: true,
+          computerUseDisplayWidth: width,
+          computerUseDisplayHeight: height
+        };
+        await sessionQueries.update(options.sessionId, { config: updated });
+        return {
+          success: true,
+          enabled: true,
+          platform: "darwin",
+          displayWidth: width,
+          displayHeight: height,
+          detectedScreenSize: detected || void 0,
+          permissions: {
+            accessibility: "granted",
+            screenRecording: "granted"
+          },
+          message: `Computer use is now enabled for this session. IMPORTANT: The \`computer\` tool is NOT yet available in this turn. Stop here, send a brief message to the user telling them computer use is enabled (display: ${width}x${height}), and ask them to send their next message to begin using it.`
+        };
+      } catch (err) {
+        return {
+          success: false,
+          error: err?.message || String(err)
+        };
+      }
+    }
+  });
+}
+
 // src/tools/index.ts
 init_semantic();
 init_remote();
@@ -6214,6 +6815,20 @@ async function createTools(options) {
       sessionId: options.sessionId
     });
   }
+  if (process.platform === "darwin") {
+    if (options.enableComputerUse) {
+      tools.computer = createComputerUseTool({
+        workingDirectory: options.workingDirectory,
+        sessionId: options.sessionId,
+        displayWidth: options.computerUseDisplayWidth,
+        displayHeight: options.computerUseDisplayHeight
+      });
+    } else {
+      tools.enable_computer_use = createEnableComputerUseTool({
+        sessionId: options.sessionId
+      });
+    }
+  }
   if (options.enableSemanticSearch !== false) {
     try {
       if (isVectorGatewayConfigured()) {
@@ -6244,11 +6859,11 @@ init_db();
 init_todo();
 import os from "os";
 function getSearchInstructions() {
-  const platform3 = process.platform;
+  const platform5 = process.platform;
   const common = `- **Prefer \`read_file\` over shell commands** for reading files - don't use \`cat\`, \`head\`, or \`tail\` when \`read_file\` is available
 - **Avoid unbounded searches** - always scope searches with glob patterns and directory paths to prevent overwhelming output
 - **Search strategically**: Start with specific patterns and directories, then broaden only if needed`;
-  if (platform3 === "win32") {
+  if (platform5 === "win32") {
     return `${common}
 - **Find files**: \`dir /s /b *.ts\` or PowerShell: \`Get-ChildItem -Recurse -Filter *.ts\`
 - **Search content**: \`findstr /s /n "pattern" *.ts\` or PowerShell: \`Select-String -Pattern "pattern" -Path *.ts -Recurse\`
@@ -6295,13 +6910,13 @@ async function buildSystemPrompt(options) {
   );
   const hasNoTodos = todos.length === 0;
   const plansContext = formatPlansForContext(plans, allTodosDone || hasNoTodos);
-  const platform3 = process.platform === "win32" ? "Windows" : process.platform === "darwin" ? "macOS" : "Linux";
+  const platform5 = process.platform === "win32" ? "Windows" : process.platform === "darwin" ? "macOS" : "Linux";
   const currentDate = (/* @__PURE__ */ new Date()).toLocaleDateString("en-US", { weekday: "long", year: "numeric", month: "long", day: "numeric" });
   const searchInstructions = getSearchInstructions();
   const systemPrompt = `You are SparkECoder, an expert AI coding assistant. You help developers write, debug, and improve code.
 
 ## Environment
-- **Platform**: ${platform3} (${os.release()})
+- **Platform**: ${platform5} (${os.release()})
 - **Date**: ${currentDate}
 - **Working Directory**: ${workingDirectory}
 
@@ -7239,10 +7854,14 @@ var Agent = class _Agent {
    */
   async createToolsWithCallbacks(options) {
     const config = getConfig();
+    const sessionConfig = this.session.config || {};
     return createTools({
       sessionId: this.session.id,
       workingDirectory: this.session.workingDirectory,
       skillsDirectories: config.resolvedSkillsDirectories,
+      enableComputerUse: sessionConfig.computerUseEnabled === true,
+      computerUseDisplayWidth: sessionConfig.computerUseDisplayWidth,
+      computerUseDisplayHeight: sessionConfig.computerUseDisplayHeight,
       onBashProgress: options.onToolProgress ? (progress) => options.onToolProgress({ toolName: "bash", data: progress }) : void 0,
       onWriteFileProgress: options.onToolProgress ? (progress) => options.onToolProgress({ toolName: "write_file", data: progress }) : void 0,
       onSearchProgress: options.onToolProgress ? (progress) => options.onToolProgress({ toolName: "explore_agent", data: progress }) : void 0
@@ -7275,10 +7894,14 @@ var Agent = class _Agent {
       keepRecentMessages: config.context?.keepRecentMessages || 10,
       autoSummarize: config.context?.autoSummarize ?? true
     });
+    const sessionConfig = session.config || {};
     const tools = await createTools({
       sessionId: session.id,
       workingDirectory: session.workingDirectory,
-      skillsDirectories: config.resolvedSkillsDirectories
+      skillsDirectories: config.resolvedSkillsDirectories,
+      enableComputerUse: sessionConfig.computerUseEnabled === true,
+      computerUseDisplayWidth: sessionConfig.computerUseDisplayWidth,
+      computerUseDisplayHeight: sessionConfig.computerUseDisplayHeight
     });
     return new _Agent(session, context, tools);
   }
@@ -7451,10 +8074,10 @@ ${prompt}` });
     const maxIterations = options.taskConfig.maxIterations ?? 50;
     const webhookUrl = options.taskConfig.webhookUrl;
     const parentTaskId = options.taskConfig.parentTaskId;
-    const fireWebhook = (type, data) => {
+    const fireWebhook = (type2, data) => {
       if (!webhookUrl) return;
       sendWebhook(webhookUrl, {
-        type,
+        type: type2,
         taskId: this.session.id,
         sessionId: this.session.id,
         ...parentTaskId ? { parentTaskId } : {},
@@ -7497,10 +8120,14 @@ ${prompt}` });
         });
       }
     };
+    const taskSessionConfig = this.session.config || {};
     const taskTools = await createTools({
       sessionId: this.session.id,
       workingDirectory: this.session.workingDirectory,
       skillsDirectories: config.resolvedSkillsDirectories,
+      enableComputerUse: taskSessionConfig.computerUseEnabled === true,
+      computerUseDisplayWidth: taskSessionConfig.computerUseDisplayWidth,
+      computerUseDisplayHeight: taskSessionConfig.computerUseDisplayHeight,
       onBashProgress: bashProgressHandler,
       onWriteFileProgress: (progress) => {
         options.onToolProgress?.({ toolName: "write_file", data: progress });
@@ -7783,11 +8410,11 @@ ${taskAddendum}`;
       const { isRemoteConfigured: isRemoteConfigured2, storageQueries: storageQueries2 } = await Promise.resolve().then(() => (init_remote(), remote_exports));
       if (!isRemoteConfigured2()) return [];
       const { readFile: readFile12 } = await import("fs/promises");
-      const { join: join13, basename: basename6 } = await import("path");
+      const { join: join14, basename: basename6 } = await import("path");
       const urls = [];
       for (const filePath of filePaths) {
         try {
-          const fullPath = filePath.startsWith("/") ? filePath : join13(this.session.workingDirectory, filePath);
+          const fullPath = filePath.startsWith("/") ? filePath : join14(this.session.workingDirectory, filePath);
           const fileName = basename6(fullPath);
           const ext = fileName.split(".").pop()?.toLowerCase() || "";
           const mimeMap = {
@@ -7845,11 +8472,11 @@ ${taskAddendum}`;
         wrappedTools[name] = originalTool;
         continue;
       }
-      wrappedTools[name] = tool13({
+      wrappedTools[name] = tool14({
         description: originalTool.description || "",
-        inputSchema: originalTool.inputSchema || z14.object({}),
+        inputSchema: originalTool.inputSchema || z15.object({}),
         execute: async (input, toolOptions) => {
-          const toolCallId = toolOptions.toolCallId || nanoid4();
+          const toolCallId = toolOptions.toolCallId || nanoid5();
           const execution = toolExecutionQueries.create({
             sessionId: this.session.id,
             toolName: name,
@@ -7867,10 +8494,10 @@ ${taskAddendum}`;
           const resolverData = approvalResolvers.get(toolCallId);
           approvalResolvers.delete(toolCallId);
           this.pendingApprovals.delete(toolCallId);
-          const exec7 = await execution;
+          const exec8 = await execution;
           if (!approved) {
             const reason = resolverData?.reason || "User rejected the tool execution";
-            await toolExecutionQueries.reject(exec7.id);
+            await toolExecutionQueries.reject(exec8.id);
             await sessionQueries.updateStatus(this.session.id, "active");
             return {
               status: "rejected",
@@ -7880,14 +8507,14 @@ ${taskAddendum}`;
               message: `Tool "${name}" was rejected by the user. Reason: ${reason}`
             };
           }
-          await toolExecutionQueries.approve(exec7.id);
+          await toolExecutionQueries.approve(exec8.id);
           await sessionQueries.updateStatus(this.session.id, "active");
           try {
             const result = await originalTool.execute(input, toolOptions);
-            await toolExecutionQueries.complete(exec7.id, result);
+            await toolExecutionQueries.complete(exec8.id, result);
             return result;
           } catch (error) {
-            await toolExecutionQueries.complete(exec7.id, null, error.message);
+            await toolExecutionQueries.complete(exec8.id, null, error.message);
             throw error;
           }
         }
@@ -7988,18 +8615,20 @@ function cleanupPendingInputs() {
     }
   }
 }
-var createSessionSchema = z15.object({
-  name: z15.string().optional(),
-  workingDirectory: z15.string().optional(),
-  model: z15.string().optional(),
-  toolApprovals: z15.record(z15.string(), z15.boolean()).optional()
+var createSessionSchema = z16.object({
+  name: z16.string().optional(),
+  workingDirectory: z16.string().optional(),
+  model: z16.string().optional(),
+  toolApprovals: z16.record(z16.string(), z16.boolean()).optional(),
+  // Optional full session-config passthrough (computerUseEnabled, etc.)
+  config: z16.record(z16.string(), z16.unknown()).optional()
 });
-var paginationQuerySchema = z15.object({
-  limit: z15.string().optional(),
-  offset: z15.string().optional()
+var paginationQuerySchema = z16.object({
+  limit: z16.string().optional(),
+  offset: z16.string().optional()
 });
-var messagesQuerySchema = z15.object({
-  limit: z15.string().optional()
+var messagesQuerySchema = z16.object({
+  limit: z16.string().optional()
 });
 sessions.get(
   "/",
@@ -8037,11 +8666,20 @@ sessions.post(
   async (c) => {
     const body = c.req.valid("json");
     const config = getConfig();
+    const cuDefault = process.env.SPARKECODER_COMPUTER_USE === "1";
+    const baseConfig = body.config || {};
+    const mergedConfig = {
+      ...baseConfig,
+      ...body.toolApprovals ? { toolApprovals: body.toolApprovals } : {},
+      // Turn on computer use by default if the server was launched with --enable-computer-use,
+      // unless the client explicitly provided a value.
+      ...cuDefault && baseConfig.computerUseEnabled === void 0 ? { computerUseEnabled: true } : {}
+    };
     const agent = await Agent.create({
       name: body.name,
       workingDirectory: body.workingDirectory || config.resolvedWorkingDirectory,
       model: body.model || config.defaultModel,
-      sessionConfig: body.toolApprovals ? { toolApprovals: body.toolApprovals } : void 0
+      sessionConfig: Object.keys(mergedConfig).length > 0 ? mergedConfig : void 0
     });
     const session = agent.getSession();
     return c.json({
@@ -8138,10 +8776,10 @@ sessions.get("/:id/tools", async (c) => {
     count: executions.length
   });
 });
-var updateSessionSchema = z15.object({
-  model: z15.string().optional(),
-  name: z15.string().optional(),
-  toolApprovals: z15.record(z15.string(), z15.boolean()).optional()
+var updateSessionSchema = z16.object({
+  model: z16.string().optional(),
+  name: z16.string().optional(),
+  toolApprovals: z16.record(z16.string(), z16.boolean()).optional()
 });
 sessions.patch(
   "/:id",
@@ -8211,8 +8849,8 @@ sessions.post("/:id/clear", async (c) => {
   await agent.clearContext();
   return c.json({ success: true, sessionId: id });
 });
-var pendingInputSchema = z15.object({
-  text: z15.string()
+var pendingInputSchema = z16.object({
+  text: z16.string()
 });
 sessions.post(
   "/:id/pending-input",
@@ -8243,13 +8881,13 @@ sessions.get("/:id/pending-input", async (c) => {
     createdAt: pending.createdAt.toISOString()
   });
 });
-var devtoolsContextSchema = z15.object({
-  url: z15.string(),
-  path: z15.string(),
-  pageName: z15.string().optional(),
-  screenWidth: z15.number().optional(),
-  screenHeight: z15.number().optional(),
-  devicePixelRatio: z15.number().optional()
+var devtoolsContextSchema = z16.object({
+  url: z16.string(),
+  path: z16.string(),
+  pageName: z16.string().optional(),
+  screenWidth: z16.number().optional(),
+  screenHeight: z16.number().optional(),
+  devicePixelRatio: z16.number().optional()
 });
 sessions.post(
   "/:id/devtools-context",
@@ -8435,12 +9073,12 @@ sessions.get("/:id/diff/:filePath", async (c) => {
 });
 function getAttachmentsDir(sessionId) {
   const appDataDir = getAppDataDirectory();
-  return join9(appDataDir, "attachments", sessionId);
+  return join10(appDataDir, "attachments", sessionId);
 }
 function ensureAttachmentsDir(sessionId) {
   const dir = getAttachmentsDir(sessionId);
-  if (!existsSync15(dir)) {
-    mkdirSync5(dir, { recursive: true });
+  if (!existsSync16(dir)) {
+    mkdirSync6(dir, { recursive: true });
   }
   return dir;
 }
@@ -8451,12 +9089,12 @@ sessions.get("/:id/attachments", async (c) => {
     return c.json({ error: "Session not found" }, 404);
   }
   const dir = getAttachmentsDir(sessionId);
-  if (!existsSync15(dir)) {
+  if (!existsSync16(dir)) {
     return c.json({ sessionId, attachments: [], count: 0 });
   }
   const files = readdirSync2(dir);
   const attachments = files.map((filename) => {
-    const filePath = join9(dir, filename);
+    const filePath = join10(dir, filename);
     const stats = statSync2(filePath);
     return {
       id: filename.split("_")[0],
@@ -8488,10 +9126,10 @@ sessions.post("/:id/attachments", async (c) => {
         return c.json({ error: "No file provided" }, 400);
       }
       const dir = ensureAttachmentsDir(sessionId);
-      const id = nanoid5(10);
+      const id = nanoid6(10);
       const ext = extname8(file.name) || "";
       const safeFilename = `${id}_${basename5(file.name).replace(/[^a-zA-Z0-9._-]/g, "_")}`;
-      const filePath = join9(dir, safeFilename);
+      const filePath = join10(dir, safeFilename);
       const arrayBuffer = await file.arrayBuffer();
       writeFileSync3(filePath, Buffer.from(arrayBuffer));
       return c.json({
@@ -8514,10 +9152,10 @@ sessions.post("/:id/attachments", async (c) => {
       return c.json({ error: "Missing filename or data" }, 400);
     }
     const dir = ensureAttachmentsDir(sessionId);
-    const id = nanoid5(10);
+    const id = nanoid6(10);
     const ext = extname8(body.filename) || "";
     const safeFilename = `${id}_${basename5(body.filename).replace(/[^a-zA-Z0-9._-]/g, "_")}`;
-    const filePath = join9(dir, safeFilename);
+    const filePath = join10(dir, safeFilename);
     let base64Data = body.data;
     if (base64Data.includes(",")) {
       base64Data = base64Data.split(",")[1];
@@ -8546,7 +9184,7 @@ sessions.delete("/:id/attachments/:attachmentId", async (c) => {
     return c.json({ error: "Session not found" }, 404);
   }
   const dir = getAttachmentsDir(sessionId);
-  if (!existsSync15(dir)) {
+  if (!existsSync16(dir)) {
     return c.json({ error: "Attachment not found" }, 404);
   }
   const files = readdirSync2(dir);
@@ -8554,14 +9192,14 @@ sessions.delete("/:id/attachments/:attachmentId", async (c) => {
   if (!file) {
     return c.json({ error: "Attachment not found" }, 404);
   }
-  const filePath = join9(dir, file);
-  unlinkSync2(filePath);
+  const filePath = join10(dir, file);
+  unlinkSync3(filePath);
   return c.json({ success: true, id: attachmentId });
 });
-var filesQuerySchema = z15.object({
-  query: z15.string().optional(),
+var filesQuerySchema = z16.object({
+  query: z16.string().optional(),
   // Filter query (e.g., "src/com" to match "src/components")
-  limit: z15.string().optional()
+  limit: z16.string().optional()
   // Max results (default 50)
 });
 var IGNORED_DIRECTORIES = /* @__PURE__ */ new Set([
@@ -8637,7 +9275,7 @@ async function listWorkspaceFiles(baseDir, currentDir, query, limit, results = [
     const entries = await readdir6(currentDir, { withFileTypes: true });
     for (const entry of entries) {
       if (results.length >= limit * 2) break;
-      const fullPath = join9(currentDir, entry.name);
+      const fullPath = join10(currentDir, entry.name);
       const relativePath = relative9(baseDir, fullPath);
       if (entry.isDirectory() && IGNORED_DIRECTORIES.has(entry.name)) {
         continue;
@@ -8685,7 +9323,7 @@ sessions.get(
       return c.json({ error: "Session not found" }, 404);
     }
     const workingDirectory = session.workingDirectory;
-    if (!existsSync15(workingDirectory)) {
+    if (!existsSync16(workingDirectory)) {
       return c.json({
         sessionId,
         workingDirectory,
@@ -8795,9 +9433,9 @@ sessions.get("/:id/browser-recording", async (c) => {
 init_db();
 import { Hono as Hono2 } from "hono";
 import { zValidator as zValidator2 } from "@hono/zod-validator";
-import { z as z16 } from "zod";
-import { existsSync as existsSync16, mkdirSync as mkdirSync6, writeFileSync as writeFileSync4 } from "fs";
-import { join as join10 } from "path";
+import { z as z17 } from "zod";
+import { existsSync as existsSync17, mkdirSync as mkdirSync7, writeFileSync as writeFileSync4 } from "fs";
+import { join as join11 } from "path";
 init_config();
 
 // src/server/resumable-stream.ts
@@ -8884,7 +9522,7 @@ var streamContext = createResumableStreamContext({
 });
 
 // src/server/routes/agents.ts
-import { nanoid as nanoid6 } from "nanoid";
+import { nanoid as nanoid7 } from "nanoid";
 init_stream_proxy();
 init_recorder();
 init_remote();
@@ -8975,40 +9613,40 @@ function enrichPromptWithDevtoolsContext(sessionId, prompt) {
 ${prompt}`;
 }
 var agents = new Hono2();
-var attachmentSchema = z16.object({
-  type: z16.enum(["image", "file"]),
-  data: z16.string(),
+var attachmentSchema = z17.object({
+  type: z17.enum(["image", "file"]),
+  data: z17.string(),
   // base64 data URL or raw base64
-  mediaType: z16.string().optional(),
-  filename: z16.string().optional()
+  mediaType: z17.string().optional(),
+  filename: z17.string().optional()
 });
-var runPromptSchema = z16.object({
-  prompt: z16.string(),
+var runPromptSchema = z17.object({
+  prompt: z17.string(),
   // Can be empty if attachments are provided
-  attachments: z16.array(attachmentSchema).optional()
+  attachments: z17.array(attachmentSchema).optional()
 }).refine(
   (data) => data.prompt.trim().length > 0 || data.attachments && data.attachments.length > 0,
   { message: "Either prompt or attachments must be provided" }
 );
-var quickStartSchema = z16.object({
-  prompt: z16.string().min(1),
-  name: z16.string().optional(),
-  workingDirectory: z16.string().optional(),
-  model: z16.string().optional(),
-  toolApprovals: z16.record(z16.string(), z16.boolean()).optional()
+var quickStartSchema = z17.object({
+  prompt: z17.string().min(1),
+  name: z17.string().optional(),
+  workingDirectory: z17.string().optional(),
+  model: z17.string().optional(),
+  toolApprovals: z17.record(z17.string(), z17.boolean()).optional()
 });
-var rejectSchema = z16.object({
-  reason: z16.string().optional()
+var rejectSchema = z17.object({
+  reason: z17.string().optional()
 }).optional();
 var streamAbortControllers = /* @__PURE__ */ new Map();
 function getAttachmentsDirectory(sessionId) {
   const appDataDir = getAppDataDirectory();
-  return join10(appDataDir, "attachments", sessionId);
+  return join11(appDataDir, "attachments", sessionId);
 }
 async function saveAttachmentToDisk(sessionId, attachment, index) {
   const attachmentsDir = getAttachmentsDirectory(sessionId);
-  if (!existsSync16(attachmentsDir)) {
-    mkdirSync6(attachmentsDir, { recursive: true });
+  if (!existsSync17(attachmentsDir)) {
+    mkdirSync7(attachmentsDir, { recursive: true });
   }
   let filename = attachment.filename;
   if (!filename) {
@@ -9026,7 +9664,7 @@ async function saveAttachmentToDisk(sessionId, attachment, index) {
     attachment.mediaType = resized.mediaType;
     attachment.data = buffer.toString("base64");
   }
-  const filePath = join10(attachmentsDir, filename);
+  const filePath = join11(attachmentsDir, filename);
   writeFileSync4(filePath, buffer);
   return filePath;
 }
@@ -9037,9 +9675,9 @@ function stripDataUrlPrefix2(data) {
   }
   return data;
 }
-function getExtensionFromMediaType(mediaType, type) {
+function getExtensionFromMediaType(mediaType, type2) {
   if (!mediaType) {
-    return type === "image" ? ".png" : ".bin";
+    return type2 === "image" ? ".png" : ".bin";
   }
   const mimeToExt = {
     "image/png": ".png",
@@ -9443,7 +10081,7 @@ ${prompt}` });
       userMessageContent = prompt;
     }
     await messageQueries.create(id, { role: "user", content: userMessageContent });
-    const streamId = `stream_${id}_${nanoid6(10)}`;
+    const streamId = `stream_${id}_${nanoid7(10)}`;
     console.log(`[STREAM] Creating stream ${streamId} for session ${id}`);
     await activeStreamQueries.create(id, streamId);
     const stream = await streamContext.resumableStream(
@@ -9648,7 +10286,7 @@ agents.post(
     });
     const session = agent.getSession();
     const enrichedPrompt = enrichPromptWithDevtoolsContext(session.id, body.prompt);
-    const streamId = `stream_${session.id}_${nanoid6(10)}`;
+    const streamId = `stream_${session.id}_${nanoid7(10)}`;
     await createCheckpoint(session.id, session.workingDirectory, 0);
     await activeStreamQueries.create(session.id, streamId);
     const createQuickStreamProducer = () => {
@@ -9915,23 +10553,23 @@ agents.post(
     });
   }
 );
-var browserInputSchema = z16.object({
-  type: z16.enum(["input_mouse", "input_keyboard", "input_touch"]),
-  eventType: z16.string(),
-  x: z16.number().optional(),
-  y: z16.number().optional(),
-  button: z16.string().optional(),
-  clickCount: z16.number().optional(),
-  deltaX: z16.number().optional(),
-  deltaY: z16.number().optional(),
-  key: z16.string().optional(),
-  code: z16.string().optional(),
-  text: z16.string().optional(),
-  modifiers: z16.number().optional(),
-  touchPoints: z16.array(z16.object({
-    x: z16.number(),
-    y: z16.number(),
-    id: z16.number().optional()
+var browserInputSchema = z17.object({
+  type: z17.enum(["input_mouse", "input_keyboard", "input_touch"]),
+  eventType: z17.string(),
+  x: z17.number().optional(),
+  y: z17.number().optional(),
+  button: z17.string().optional(),
+  clickCount: z17.number().optional(),
+  deltaX: z17.number().optional(),
+  deltaY: z17.number().optional(),
+  key: z17.string().optional(),
+  code: z17.string().optional(),
+  text: z17.string().optional(),
+  modifiers: z17.number().optional(),
+  touchPoints: z17.array(z17.object({
+    x: z17.number(),
+    y: z17.number(),
+    id: z17.number().optional()
   })).optional()
 });
 agents.post(
@@ -9966,27 +10604,279 @@ agents.get("/:id/browser-stream", async (c) => {
 init_config();
 import { Hono as Hono3 } from "hono";
 import { zValidator as zValidator3 } from "@hono/zod-validator";
-import { z as z17 } from "zod";
-import { readFileSync as readFileSync7 } from "fs";
+import { z as z18 } from "zod";
+import { readFileSync as readFileSync10 } from "fs";
 import { fileURLToPath as fileURLToPath3 } from "url";
-import { dirname as dirname6, join as join11 } from "path";
+import { dirname as dirname6, join as join12 } from "path";
+
+// src/personal-agent/heartbeat.ts
+import { execSync as execSync3 } from "child_process";
+import { readFileSync as readFileSync9 } from "fs";
+import { hostname as hostname2, platform as platform3 } from "os";
+
+// src/personal-agent/system-metrics.ts
+import { execSync as execSync2 } from "child_process";
+import { readdirSync as readdirSync3, readFileSync as readFileSync8 } from "fs";
+import {
+  arch,
+  cpus,
+  freemem,
+  hostname,
+  loadavg,
+  networkInterfaces,
+  platform as platform2,
+  release,
+  totalmem,
+  type,
+  uptime,
+  userInfo
+} from "os";
+var _lastSample = null;
+function snapshotCpuTimes() {
+  const sum = { user: 0, nice: 0, sys: 0, idle: 0, irq: 0 };
+  for (const c of cpus()) {
+    sum.user += c.times.user;
+    sum.nice += c.times.nice;
+    sum.sys += c.times.sys;
+    sum.idle += c.times.idle;
+    sum.irq += c.times.irq;
+  }
+  return sum;
+}
+function readCpuUsage() {
+  const now = snapshotCpuTimes();
+  if (!_lastSample) {
+    _lastSample = now;
+    return 0;
+  }
+  const dUser = now.user - _lastSample.user;
+  const dNice = now.nice - _lastSample.nice;
+  const dSys = now.sys - _lastSample.sys;
+  const dIdle = now.idle - _lastSample.idle;
+  const dIrq = now.irq - _lastSample.irq;
+  const total = dUser + dNice + dSys + dIdle + dIrq;
+  _lastSample = now;
+  if (total <= 0) return 0;
+  return Math.max(0, Math.min(1, (total - dIdle) / total));
+}
+snapshotCpuTimes();
+function readCpuTempC() {
+  try {
+    if (platform2() === "linux") {
+      let hottest = -Infinity;
+      try {
+        for (const entry of readdirSync3("/sys/class/thermal")) {
+          if (!entry.startsWith("thermal_zone")) continue;
+          try {
+            const v = Number(
+              readFileSync8(`/sys/class/thermal/${entry}/temp`, "utf8").trim()
+            );
+            if (Number.isFinite(v) && v > hottest) hottest = v;
+          } catch {
+          }
+        }
+      } catch {
+      }
+      if (hottest > -Infinity) return hottest / 1e3;
+    }
+    const overrideCmd = process.env.PERSONAL_AGENT_TEMP_CMD;
+    if (overrideCmd) {
+      const out = execSync2(overrideCmd, { encoding: "utf8", timeout: 1500 }).trim();
+      const v = Number(out);
+      if (Number.isFinite(v)) return v;
+    }
+  } catch {
+  }
+  return void 0;
+}
+function readDisks() {
+  try {
+    const p = platform2();
+    if (p === "darwin" || p === "linux") {
+      const raw = execSync2("df -kP", { encoding: "utf8", timeout: 2e3 });
+      const lines = raw.trim().split("\n").slice(1);
+      const out = [];
+      for (const line of lines) {
+        const parts = line.trim().split(/\s+/);
+        if (parts.length < 6) continue;
+        const filesystem = parts[0];
+        const total1k = Number(parts[1]);
+        const used1k = Number(parts[2]);
+        const free1k = Number(parts[3]);
+        const mount = parts.slice(5).join(" ");
+        if (!Number.isFinite(total1k) || total1k <= 0) continue;
+        if (filesystem === "tmpfs" || filesystem === "devfs" || filesystem === "map" || filesystem.startsWith("/dev/loop") || mount.startsWith("/System/Volumes/") || mount.startsWith("/private/var/vm") || mount.startsWith("/proc") || mount.startsWith("/sys") || mount.startsWith("/run") || mount.startsWith("/snap")) {
+          if (mount !== "/") continue;
+        }
+        out.push({
+          mount,
+          filesystem,
+          totalBytes: total1k * 1024,
+          usedBytes: used1k * 1024,
+          freeBytes: free1k * 1024,
+          usage: total1k > 0 ? used1k / total1k : 0
+        });
+      }
+      out.sort((a, b) => {
+        const score = (m) => m === "/" ? 0 : m.startsWith("/Users") || m.startsWith("/home") ? 1 : 2;
+        return score(a.mount) - score(b.mount);
+      });
+      return out.slice(0, 6);
+    }
+    if (p === "win32") {
+      const raw = execSync2(
+        "wmic logicaldisk get DeviceID,Size,FreeSpace /format:csv",
+        { encoding: "utf8", timeout: 3e3 }
+      );
+      const out = [];
+      for (const line of raw.trim().split(/\r?\n/).slice(1)) {
+        const cols = line.split(",");
+        if (cols.length < 4) continue;
+        const [, deviceId, freeStr, sizeStr] = cols;
+        const total = Number(sizeStr);
+        const free = Number(freeStr);
+        if (!Number.isFinite(total) || total <= 0) continue;
+        const used = Math.max(0, total - free);
+        out.push({
+          mount: deviceId,
+          totalBytes: total,
+          usedBytes: used,
+          freeBytes: free,
+          usage: used / total
+        });
+      }
+      return out;
+    }
+  } catch {
+  }
+  return void 0;
+}
+function readNetwork() {
+  try {
+    const out = [];
+    const ifaces = networkInterfaces();
+    for (const [name, addrs] of Object.entries(ifaces)) {
+      if (!addrs) continue;
+      for (const a of addrs) {
+        if (a.internal) continue;
+        out.push({
+          iface: name,
+          family: a.family,
+          address: a.address,
+          mac: a.mac,
+          internal: a.internal
+        });
+      }
+    }
+    return out;
+  } catch {
+    return void 0;
+  }
+}
+function readSystemMetrics() {
+  const cpuList = cpus();
+  const usage = readCpuUsage();
+  const tot = totalmem();
+  const free = freemem();
+  const metrics = {
+    collectedAt: (/* @__PURE__ */ new Date()).toISOString(),
+    hostname: hostname(),
+    platform: platform2(),
+    arch: arch(),
+    kernelRelease: release(),
+    osType: type(),
+    processUptimeSec: Math.round(process.uptime()),
+    systemUptimeSec: Math.round(uptime()),
+    user: safeUser(),
+    cpu: cpuList[0] ? {
+      model: cpuList[0].model,
+      count: cpuList.length,
+      speedMhz: cpuList[0].speed,
+      loadAvg1: loadavg()[0],
+      loadAvg5: loadavg()[1],
+      loadAvg15: loadavg()[2],
+      usage,
+      tempC: readCpuTempC()
+    } : void 0,
+    memory: {
+      totalBytes: tot,
+      freeBytes: free,
+      usedBytes: Math.max(0, tot - free),
+      usage: tot > 0 ? (tot - free) / tot : 0
+    },
+    disks: readDisks(),
+    network: readNetwork()
+  };
+  return metrics;
+}
+function safeUser() {
+  try {
+    return userInfo().username;
+  } catch {
+    return process.env.USER ?? process.env.USERNAME ?? "unknown";
+  }
+}
+
+// src/personal-agent/heartbeat.ts
+var _cachedHwid = null;
+function getHardwareIdCached() {
+  if (_cachedHwid !== null) return _cachedHwid;
+  _cachedHwid = getHardwareId();
+  return _cachedHwid;
+}
+function getHardwareId() {
+  const p = platform3();
+  try {
+    if (p === "darwin") {
+      const out = execSync3(
+        `ioreg -rd1 -c IOPlatformExpertDevice | awk -F\\" '/IOPlatformUUID/ {print $4}'`,
+        { encoding: "utf8", timeout: 2e3 }
+      ).trim();
+      if (out) return normalize2(out);
+    } else if (p === "linux") {
+      try {
+        return normalize2(readFileSync9("/etc/machine-id", "utf8").trim());
+      } catch {
+        return normalize2(readFileSync9("/var/lib/dbus/machine-id", "utf8").trim());
+      }
+    } else if (p === "win32") {
+      const out = execSync3("wmic csproduct get uuid /value", {
+        encoding: "utf8",
+        timeout: 3e3
+      });
+      const m = out.match(/UUID=([\w-]+)/i);
+      if (m && m[1]) return normalize2(m[1]);
+    }
+  } catch (e) {
+    console.warn(`[personal-agent] could not read hardware UUID: ${e.message}`);
+  }
+  console.warn(
+    "[personal-agent] falling back to hostname for HWID; this is NOT stable across rename/reinstall"
+  );
+  return `host-${hostname2()}`;
+}
+function normalize2(raw) {
+  return raw.trim().toLowerCase().replace(/[^a-z0-9-]/g, "");
+}
+
+// src/server/routes/health.ts
 var __filename = fileURLToPath3(import.meta.url);
 var __dirname = dirname6(__filename);
 var possiblePaths = [
-  join11(__dirname, "../package.json"),
+  join12(__dirname, "../package.json"),
   // From dist/server -> dist/../package.json
-  join11(__dirname, "../../package.json"),
+  join12(__dirname, "../../package.json"),
   // From dist/server (if nested differently)
-  join11(__dirname, "../../../package.json"),
+  join12(__dirname, "../../../package.json"),
   // From src/server/routes (development)
-  join11(process.cwd(), "package.json")
+  join12(process.cwd(), "package.json")
   // From current working directory
 ];
 var currentVersion = "0.0.0";
 var packageName = "sparkecoder";
 for (const packageJsonPath of possiblePaths) {
   try {
-    const packageJson = JSON.parse(readFileSync7(packageJsonPath, "utf-8"));
+    const packageJson = JSON.parse(readFileSync10(packageJsonPath, "utf-8"));
     if (packageJson.name === "sparkecoder") {
       currentVersion = packageJson.version || "0.0.0";
       packageName = packageJson.name || "sparkecoder";
@@ -10001,11 +10891,17 @@ health.get("/", async (c) => {
   const apiKeyStatus = getApiKeyStatus();
   const gatewayKey = apiKeyStatus.find((s) => s.provider === "ai-gateway");
   const hasApiKey = gatewayKey?.configured ?? false;
+  let hwid;
+  try {
+    hwid = getHardwareIdCached();
+  } catch {
+  }
   return c.json({
     status: "ok",
     version: currentVersion,
     uptime: process.uptime(),
     apiKeyConfigured: hasApiKey,
+    hwid,
     config: {
       workingDirectory: config.resolvedWorkingDirectory,
       defaultModel: config.defaultModel,
@@ -10076,9 +10972,9 @@ health.get("/api-keys", async (c) => {
     supportedProviders: SUPPORTED_PROVIDERS
   });
 });
-var setApiKeySchema = z17.object({
-  provider: z17.string(),
-  apiKey: z17.string().min(1)
+var setApiKeySchema = z18.object({
+  provider: z18.string(),
+  apiKey: z18.string().min(1)
 });
 health.post(
   "/api-keys",
@@ -10117,13 +11013,13 @@ health.delete("/api-keys/:provider", async (c) => {
 // src/server/routes/terminals.ts
 import { Hono as Hono4 } from "hono";
 import { zValidator as zValidator4 } from "@hono/zod-validator";
-import { z as z18 } from "zod";
+import { z as z19 } from "zod";
 init_db();
 var terminals = new Hono4();
-var spawnSchema = z18.object({
-  command: z18.string(),
-  cwd: z18.string().optional(),
-  name: z18.string().optional()
+var spawnSchema = z19.object({
+  command: z19.string(),
+  cwd: z19.string().optional(),
+  name: z19.string().optional()
 });
 terminals.post(
   "/:sessionId/terminals",
@@ -10204,8 +11100,8 @@ terminals.get("/:sessionId/terminals/:terminalId", async (c) => {
     // We don't track exit codes in tmux mode
   });
 });
-var logsQuerySchema = z18.object({
-  tail: z18.string().optional().transform((v) => v ? parseInt(v, 10) : void 0)
+var logsQuerySchema = z19.object({
+  tail: z19.string().optional().transform((v) => v ? parseInt(v, 10) : void 0)
 });
 terminals.get(
   "/:sessionId/terminals/:terminalId/logs",
@@ -10229,8 +11125,8 @@ terminals.get(
     });
   }
 );
-var killSchema = z18.object({
-  signal: z18.enum(["SIGTERM", "SIGKILL"]).optional()
+var killSchema = z19.object({
+  signal: z19.enum(["SIGTERM", "SIGKILL"]).optional()
 });
 terminals.post(
   "/:sessionId/terminals/:terminalId/kill",
@@ -10244,8 +11140,8 @@ terminals.post(
     return c.json({ success: true, message: "Terminal killed" });
   }
 );
-var writeSchema = z18.object({
-  input: z18.string()
+var writeSchema = z19.object({
+  input: z19.string()
 });
 terminals.post(
   "/:sessionId/terminals/:terminalId/write",
@@ -10430,20 +11326,20 @@ data: ${JSON.stringify({ status: "stopped" })}
 init_db();
 import { Hono as Hono5 } from "hono";
 import { zValidator as zValidator5 } from "@hono/zod-validator";
-import { z as z19 } from "zod";
-import { nanoid as nanoid7 } from "nanoid";
+import { z as z20 } from "zod";
+import { nanoid as nanoid8 } from "nanoid";
 init_config();
 var tasks = new Hono5();
 var taskAbortControllers = /* @__PURE__ */ new Map();
-var createTaskSchema = z19.object({
-  prompt: z19.string().min(1),
-  outputSchema: z19.record(z19.string(), z19.unknown()),
-  webhookUrl: z19.string().url().optional(),
-  model: z19.string().optional(),
-  workingDirectory: z19.string().optional(),
-  name: z19.string().optional(),
-  maxIterations: z19.number().int().min(1).max(500).optional(),
-  parentTaskId: z19.string().optional()
+var createTaskSchema = z20.object({
+  prompt: z20.string().min(1),
+  outputSchema: z20.record(z20.string(), z20.unknown()),
+  webhookUrl: z20.string().url().optional(),
+  model: z20.string().optional(),
+  workingDirectory: z20.string().optional(),
+  name: z20.string().optional(),
+  maxIterations: z20.number().int().min(1).max(500).optional(),
+  parentTaskId: z20.string().optional()
 });
 tasks.post(
   "/",
@@ -10505,7 +11401,7 @@ tasks.post(
     const taskId = agent.sessionId;
     const abortController = new AbortController();
     taskAbortControllers.set(taskId, abortController);
-    const streamId = `stream_${taskId}_${nanoid7(10)}`;
+    const streamId = `stream_${taskId}_${nanoid8(10)}`;
     await activeStreamQueries.create(taskId, streamId);
     const taskStreamProducer = () => {
       const { readable, writable } = new TransformStream();
@@ -10655,17 +11551,581 @@ tasks.post("/:id/cancel", async (c) => {
 });
 var tasks_default = tasks;
 
+// src/server/routes/system.ts
+import { Hono as Hono6 } from "hono";
+import { streamSSE } from "hono/streaming";
+var system = new Hono6();
+system.get("/metrics", (c) => {
+  return c.json(readSystemMetrics());
+});
+system.get("/metrics/stream", (c) => {
+  return streamSSE(c, async (stream) => {
+    const intervalMs = Number(c.req.query("intervalMs") ?? 2e3);
+    const safeMs = Number.isFinite(intervalMs) ? Math.max(500, Math.min(6e4, intervalMs)) : 2e3;
+    let id = 0;
+    let aborted = false;
+    c.req.raw.signal.addEventListener("abort", () => {
+      aborted = true;
+    });
+    while (!aborted) {
+      try {
+        const snap = readSystemMetrics();
+        await stream.writeSSE({
+          id: String(id++),
+          event: "metrics",
+          data: JSON.stringify(snap)
+        });
+      } catch (e) {
+        await stream.writeSSE({
+          id: String(id++),
+          event: "error",
+          data: JSON.stringify({ error: e.message })
+        });
+      }
+      await stream.sleep(safeMs);
+    }
+  });
+});
+
+// src/personal-agent/hwid-middleware.ts
+var SKIP_PATHS = /* @__PURE__ */ new Set(["/health", "/health/", "/health/ready", "/health/version"]);
+function personalAgentConfigured() {
+  return process.env.PERSONAL_AGENT_MODE === "1" || process.env.PERSONAL_AGENT_MODE === "true" || Boolean(process.env.PERSONAL_AGENT_PUBLIC_KEY) || Boolean(process.env.PERSONAL_AGENT_DASHBOARD);
+}
+function hwidMiddleware() {
+  const enabled = personalAgentConfigured();
+  let warnedMissing = false;
+  return async (c, next) => {
+    if (!enabled) return next();
+    const path = c.req.path;
+    if (SKIP_PATHS.has(path) || path.startsWith("/health/api-keys")) {
+      return next();
+    }
+    const got = c.req.header("x-device-hwid");
+    if (!got) {
+      if (!warnedMissing) {
+        warnedMissing = true;
+        console.warn(
+          `[personal-agent] request to ${path} arrived without X-Device-Hwid; allowing (backwards compat)`
+        );
+      }
+      return next();
+    }
+    const expected = getHardwareIdCached();
+    if (got !== expected) {
+      console.warn(
+        `[personal-agent] HWID mismatch on ${path}: got=${got.slice(0, 12)}\u2026, expected=${expected.slice(0, 12)}\u2026`
+      );
+      return c.json(
+        {
+          error: "hwid mismatch",
+          message: "This sparkecoder's hardware UUID does not match what the dashboard expected. Likely cause: a Cloudflare tunnel hostname is pointing at the wrong machine.",
+          expected: expected.slice(0, 12) + "\u2026",
+          got: got.slice(0, 12) + "\u2026"
+        },
+        409
+      );
+    }
+    return next();
+  };
+}
+
+// src/personal-agent/signature-verify.ts
+import { createHash as createHash3, createPublicKey, verify as cryptoVerify } from "crypto";
+import { existsSync as existsSync18, readFileSync as readFileSync11 } from "fs";
+var REPLAY_WINDOW_SECONDS = 5 * 60;
+var _cachedKey = null;
+var _cachedFromInput = null;
+function loadPublicKey(input) {
+  if (_cachedFromInput === input && _cachedKey) return _cachedKey;
+  let pem = input;
+  if (!input.includes("BEGIN") && existsSync18(input)) {
+    pem = readFileSync11(input, "utf8");
+  }
+  const key = createPublicKey({ key: pem, format: "pem" });
+  if (key.asymmetricKeyType !== "ed25519") {
+    throw new Error(
+      `expected an ed25519 public key, got ${key.asymmetricKeyType}. Generate with personal-agents/scripts/generate-signing-keys.mjs.`
+    );
+  }
+  _cachedKey = key;
+  _cachedFromInput = input;
+  return key;
+}
+function bodyHashB64(body) {
+  const hash = createHash3("sha256");
+  if (body == null || body === "") {
+  } else if (typeof body === "string") {
+    hash.update(body, "utf8");
+  } else if (Buffer.isBuffer(body)) {
+    hash.update(body);
+  } else {
+    hash.update(Buffer.from(body));
+  }
+  return hash.digest("base64");
+}
+function canonicalSigningString(args) {
+  return [
+    args.method.toUpperCase(),
+    args.path,
+    String(args.timestamp),
+    args.bodyHashB64
+  ].join("\n");
+}
+function fromBase64Url(s) {
+  const padded = s.padEnd(s.length + (4 - s.length % 4) % 4, "=");
+  const std = padded.replace(/-/g, "+").replace(/_/g, "/");
+  return Buffer.from(std, "base64");
+}
+function verifyEmbedToken(args) {
+  const dot = args.token.indexOf(".");
+  if (dot < 1 || dot >= args.token.length - 1) {
+    return { ok: false, reason: "malformed" };
+  }
+  const payloadB64 = args.token.slice(0, dot);
+  const sigB64 = args.token.slice(dot + 1);
+  let sigBuf;
+  try {
+    sigBuf = fromBase64Url(sigB64);
+  } catch {
+    return { ok: false, reason: "bad-encoding" };
+  }
+  const sigOk = cryptoVerify(
+    null,
+    Buffer.from(payloadB64, "utf8"),
+    args.publicKey,
+    sigBuf
+  );
+  if (!sigOk) return { ok: false, reason: "signature-mismatch" };
+  let payload;
+  try {
+    const json = JSON.parse(fromBase64Url(payloadB64).toString("utf8"));
+    if (!json || typeof json !== "object" || typeof json.sid !== "string" || typeof json.exp !== "number") {
+      return { ok: false, reason: "bad-payload" };
+    }
+    payload = { sid: json.sid, exp: json.exp };
+  } catch (e) {
+    return { ok: false, reason: "bad-payload", detail: e.message };
+  }
+  const now = args.now ?? Math.floor(Date.now() / 1e3);
+  if (payload.exp < now) {
+    return {
+      ok: false,
+      reason: "expired",
+      detail: `${now - payload.exp}s past expiry`
+    };
+  }
+  return { ok: true, payload };
+}
+function verifyRequest(args) {
+  if (!args.signatureB64 || !args.timestampSeconds || !args.algorithm) {
+    return { ok: false, reason: "missing-headers" };
+  }
+  if (args.algorithm.toLowerCase() !== "ed25519") {
+    return { ok: false, reason: "bad-algorithm", detail: args.algorithm };
+  }
+  const ts = Number(args.timestampSeconds);
+  if (!Number.isFinite(ts)) {
+    return { ok: false, reason: "bad-timestamp", detail: args.timestampSeconds };
+  }
+  const now = args.now ?? Math.floor(Date.now() / 1e3);
+  if (Math.abs(now - ts) > REPLAY_WINDOW_SECONDS) {
+    return {
+      ok: false,
+      reason: "stale-timestamp",
+      detail: `${Math.abs(now - ts)}s outside the ${REPLAY_WINDOW_SECONDS}s window`
+    };
+  }
+  let sigBuf;
+  try {
+    sigBuf = Buffer.from(args.signatureB64, "base64");
+  } catch {
+    return { ok: false, reason: "bad-signature-encoding" };
+  }
+  const canonical = canonicalSigningString({
+    method: args.method,
+    path: args.path,
+    timestamp: ts,
+    bodyHashB64: bodyHashB64(args.body)
+  });
+  const ok = cryptoVerify(null, Buffer.from(canonical, "utf8"), args.publicKey, sigBuf);
+  return ok ? { ok: true } : { ok: false, reason: "signature-mismatch" };
+}
+
+// src/personal-agent/signature-middleware.ts
+var SKIP_PATHS2 = /* @__PURE__ */ new Set(["/health", "/health/", "/health/ready", "/health/version"]);
+function isSkipped(path) {
+  return SKIP_PATHS2.has(path) || path.startsWith("/health/api-keys");
+}
+function pathBindsSessionId(path, sid) {
+  const cleanPath = path.split("?")[0];
+  const segments = cleanPath.split("/").filter(Boolean);
+  return segments.includes(sid);
+}
+function signatureMiddleware(opts = {}) {
+  const acceptSignedOnly = opts.acceptSignedOnly ?? process.env.PERSONAL_AGENT_ACCEPT_SIGNED_ONLY === "1";
+  const publicKeyInput = opts.publicKeyInput ?? process.env.PERSONAL_AGENT_PUBLIC_KEY ?? "";
+  if (acceptSignedOnly && !publicKeyInput) {
+    return async (c) => c.json(
+      {
+        error: "signature middleware misconfigured",
+        message: "started with --accept-signed-only but no --personal-agent-public-key / PERSONAL_AGENT_PUBLIC_KEY supplied. Refusing all non-/health traffic."
+      },
+      500
+    );
+  }
+  if (!publicKeyInput) {
+    return async (_c, next) => next();
+  }
+  const publicKey = loadPublicKey(publicKeyInput);
+  let warnedUnsigned = false;
+  return async (c, next) => {
+    const path = c.req.path;
+    if (isSkipped(path)) return next();
+    const sig = c.req.header("x-signature");
+    const ts = c.req.header("x-signature-timestamp");
+    const alg = c.req.header("x-signature-algorithm");
+    if (!sig && (c.req.method === "GET" || c.req.method === "HEAD")) {
+      const embedTok = c.req.header("x-embed-token") ?? c.req.query("embed_token");
+      if (embedTok) {
+        const result2 = verifyEmbedToken({ publicKey, token: embedTok });
+        if (!result2.ok) {
+          return c.json(
+            {
+              error: "embed token verification failed",
+              reason: result2.reason,
+              detail: result2.detail
+            },
+            401
+          );
+        }
+        if (!pathBindsSessionId(path, result2.payload.sid)) {
+          return c.json(
+            {
+              error: "embed token scoped to a different session",
+              detail: `token sid=${result2.payload.sid} but request path=${path}`
+            },
+            403
+          );
+        }
+        return next();
+      }
+    }
+    if (!sig) {
+      if (acceptSignedOnly) {
+        return c.json(
+          {
+            error: "signature required",
+            message: "this sparkecoder is started with --accept-signed-only; every request must carry X-Signature, X-Signature-Timestamp, X-Signature-Algorithm."
+          },
+          401
+        );
+      }
+      if (!warnedUnsigned) {
+        warnedUnsigned = true;
+        console.warn(
+          `[personal-agent] inbound ${c.req.method} ${path} arrived without X-Signature; allowed because --accept-signed-only is off`
+        );
+      }
+      return next();
+    }
+    let body;
+    if (c.req.method !== "GET" && c.req.method !== "HEAD") {
+      body = Buffer.from(await c.req.raw.clone().arrayBuffer());
+    }
+    const result = verifyRequest({
+      publicKey,
+      method: c.req.method,
+      path,
+      body,
+      signatureB64: sig,
+      timestampSeconds: ts,
+      algorithm: alg
+    });
+    if (!result.ok) {
+      console.warn(
+        `[personal-agent] signature verification failed on ${c.req.method} ${path}: ${result.reason}${result.detail ? ` (${result.detail})` : ""}`
+      );
+      return c.json(
+        {
+          error: "signature verification failed",
+          reason: result.reason,
+          detail: result.detail
+        },
+        401
+      );
+    }
+    return next();
+  };
+}
+
+// src/personal-agent/pty-server.ts
+import { hostname as hostname3 } from "os";
+import { WebSocketServer } from "ws";
+var RESIZE_RE = /\x1b\[RESIZE:(\d+);(\d+)\]/;
+var _ptyMod = null;
+async function loadPty() {
+  if (_ptyMod) return _ptyMod;
+  try {
+    const mod = await import("node-pty");
+    _ptyMod = mod;
+    return mod;
+  } catch (e) {
+    console.warn(
+      `[personal-agent] node-pty failed to load; /pty WebSocket disabled. (${e.message})`
+    );
+    return null;
+  }
+}
+function defaultShell() {
+  if (process.platform === "win32") {
+    return { file: process.env.COMSPEC || "cmd.exe", args: [] };
+  }
+  return { file: process.env.SHELL || "/bin/zsh", args: ["-l"] };
+}
+function cleanEnv() {
+  const env = {};
+  for (const [k, v] of Object.entries(process.env)) {
+    if (typeof v === "string") env[k] = v;
+  }
+  if (!env.TERM) env.TERM = "xterm-256color";
+  if (!env.LANG) env.LANG = "en_US.UTF-8";
+  return env;
+}
+function parseUpgrade(req) {
+  const url = new URL(req.url || "/", "http://placeholder");
+  const cols = clampInt(url.searchParams.get("cols"), 80, 10, 500);
+  const rows = clampInt(url.searchParams.get("rows"), 24, 5, 500);
+  const cwd = url.searchParams.get("cwd") || void 0;
+  const shell = url.searchParams.get("shell") || void 0;
+  return {
+    cols,
+    rows,
+    cwd,
+    shell,
+    hwidHeader: headerStr(req, "x-device-hwid") ?? url.searchParams.get("hwid") ?? void 0,
+    sigHeader: headerStr(req, "x-signature") ?? url.searchParams.get("sig") ?? void 0,
+    tsHeader: headerStr(req, "x-signature-timestamp") ?? url.searchParams.get("ts") ?? void 0,
+    algHeader: headerStr(req, "x-signature-algorithm") ?? url.searchParams.get("alg") ?? void 0
+  };
+}
+function clampInt(v, dflt, lo, hi) {
+  if (!v) return dflt;
+  const n = parseInt(v, 10);
+  if (!Number.isFinite(n)) return dflt;
+  return Math.max(lo, Math.min(hi, n));
+}
+function headerStr(req, name) {
+  const v = req.headers[name];
+  if (Array.isArray(v)) return v[0];
+  return v;
+}
+function authenticate(parsed, path, pubKey, signedOnly) {
+  if (parsed.hwidHeader) {
+    const expected = getHardwareIdCached();
+    if (parsed.hwidHeader !== expected) {
+      return {
+        ok: false,
+        status: 409,
+        reason: `hwid mismatch: got ${parsed.hwidHeader.slice(0, 12)}\u2026, expected ${expected.slice(0, 12)}\u2026`
+      };
+    }
+  }
+  if (!pubKey) {
+    if (signedOnly) {
+      return { ok: false, status: 500, reason: "signature required but no public key configured" };
+    }
+    return { ok: true };
+  }
+  if (!parsed.sigHeader) {
+    if (signedOnly) {
+      return { ok: false, status: 401, reason: "missing X-Signature on upgrade request" };
+    }
+    return { ok: true };
+  }
+  const result = verifyRequest({
+    publicKey: pubKey,
+    method: "GET",
+    path,
+    body: void 0,
+    signatureB64: parsed.sigHeader,
+    timestampSeconds: parsed.tsHeader,
+    algorithm: parsed.algHeader
+  });
+  if (!result.ok) {
+    return { ok: false, status: 401, reason: `signature verification failed: ${result.reason}` };
+  }
+  return { ok: true };
+}
+function rejectUpgrade(socket, status, reason) {
+  const body = JSON.stringify({ error: reason });
+  socket.write(
+    `HTTP/1.1 ${status} ${reasonText(status)}\r
+Content-Type: application/json\r
+Content-Length: ${Buffer.byteLength(body)}\r
+Connection: close\r
+\r
+` + body
+  );
+  socket.destroy();
+}
+function reasonText(status) {
+  switch (status) {
+    case 401:
+      return "Unauthorized";
+    case 409:
+      return "Conflict";
+    case 500:
+      return "Internal Server Error";
+    case 503:
+      return "Service Unavailable";
+    default:
+      return "Error";
+  }
+}
+function attachPtyServer(httpServer, opts = {}) {
+  const path = opts.path ?? "/pty";
+  const wss = new WebSocketServer({ noServer: true, perMessageDeflate: false });
+  const acceptSignedOnly = process.env.PERSONAL_AGENT_ACCEPT_SIGNED_ONLY === "1";
+  const publicKeyInput = process.env.PERSONAL_AGENT_PUBLIC_KEY ?? "";
+  let pubKey = null;
+  if (publicKeyInput) {
+    try {
+      pubKey = loadPublicKey(publicKeyInput);
+    } catch (e) {
+      console.warn(
+        `[personal-agent] /pty signature verification disabled \u2014 failed to load public key: ${e.message}`
+      );
+    }
+  }
+  const handler = (req, socket, head) => {
+    let pathname = "/";
+    try {
+      pathname = new URL(req.url || "/", "http://placeholder").pathname;
+    } catch {
+    }
+    if (pathname !== path) return;
+    const parsed = parseUpgrade(req);
+    const auth = authenticate(parsed, pathname, pubKey, acceptSignedOnly);
+    if (!auth.ok) {
+      console.warn(`[personal-agent] rejecting /pty upgrade: ${auth.reason}`);
+      rejectUpgrade(socket, auth.status ?? 401, auth.reason ?? "unauthorized");
+      return;
+    }
+    void loadPty().then((pty) => {
+      if (!pty) {
+        rejectUpgrade(
+          socket,
+          503,
+          "node-pty is not available on this device (failed to load native module)"
+        );
+        return;
+      }
+      wss.handleUpgrade(req, socket, head, (ws) => {
+        spawnPty(ws, pty, parsed, opts);
+      });
+    });
+  };
+  httpServer.on("upgrade", handler);
+  if (!opts.quiet) {
+    console.log(
+      `[personal-agent] WebSocket PTY server attached at ${path} (host: ${hostname3()}, sigCheck: ${pubKey ? "on" : "off"})`
+    );
+  }
+  return {
+    close: () => {
+      httpServer.off("upgrade", handler);
+      wss.close();
+    }
+  };
+}
+function spawnPty(ws, pty, parsed, opts) {
+  const { file, args } = (() => {
+    if (parsed.shell || opts.shell) {
+      const s = parsed.shell ?? opts.shell;
+      return { file: s, args: process.platform === "win32" ? [] : ["-l"] };
+    }
+    return defaultShell();
+  })();
+  const cwd = parsed.cwd ?? opts.cwd ?? process.env.HOME ?? process.cwd();
+  let proc;
+  try {
+    proc = pty.spawn(file, args, {
+      name: "xterm-256color",
+      cols: parsed.cols,
+      rows: parsed.rows,
+      cwd,
+      env: cleanEnv()
+    });
+  } catch (e) {
+    const msg = e.message;
+    safeSend(ws, `\r
+\x1B[31mFailed to spawn shell: ${msg}\x1B[0m\r
+`);
+    try {
+      ws.close();
+    } catch {
+    }
+    return;
+  }
+  const banner = `\x1B[90m[sparkecoder pty] ${file} on ${hostname3()} pid=${proc.pid} ${parsed.cols}x${parsed.rows}\x1B[0m\r
+`;
+  safeSend(ws, banner);
+  proc.onData((data) => safeSend(ws, data));
+  proc.onExit(({ exitCode }) => {
+    safeSend(ws, `\r
+\x1B[90m[exit ${exitCode}]\x1B[0m\r
+`);
+    try {
+      ws.close();
+    } catch {
+    }
+  });
+  ws.on("message", (msg, isBinary) => {
+    const input = typeof msg === "string" ? msg : Buffer.isBuffer(msg) ? msg.toString(isBinary ? "utf8" : "utf8") : Array.isArray(msg) ? Buffer.concat(msg).toString("utf8") : "";
+    if (!input) return;
+    const m = input.match(RESIZE_RE);
+    if (m) {
+      const cols = clampInt(m[1], 80, 10, 500);
+      const rows = clampInt(m[2], 24, 5, 500);
+      try {
+        proc.resize(cols, rows);
+      } catch {
+      }
+      if (input.replace(RESIZE_RE, "").length === 0) return;
+      proc.write(input.replace(RESIZE_RE, ""));
+      return;
+    }
+    proc.write(input);
+  });
+  const onClose = () => {
+    try {
+      proc.kill();
+    } catch {
+    }
+  };
+  ws.on("close", onClose);
+  ws.on("error", onClose);
+}
+function safeSend(ws, data) {
+  if (ws.readyState !== 1) return;
+  try {
+    ws.send(data);
+  } catch {
+  }
+}
+
 // src/server/index.ts
 init_config();
 init_db();
 
 // src/utils/dependencies.ts
-import { exec as exec6 } from "child_process";
-import { promisify as promisify6 } from "util";
-import { platform as platform2 } from "os";
-var execAsync6 = promisify6(exec6);
+import { exec as exec7 } from "child_process";
+import { promisify as promisify7 } from "util";
+import { platform as platform4 } from "os";
+var execAsync7 = promisify7(exec7);
 function getInstallInstructions() {
-  const os2 = platform2();
+  const os2 = platform4();
   if (os2 === "darwin") {
     return `
 Install tmux on macOS:
@@ -10696,7 +12156,7 @@ Install tmux:
 }
 async function checkTmux() {
   try {
-    const { stdout } = await execAsync6("tmux -V", { timeout: 5e3 });
+    const { stdout } = await execAsync7("tmux -V", { timeout: 5e3 });
     const version = stdout.trim();
     return {
       available: true,
@@ -10745,11 +12205,11 @@ function getWebDirectory() {
   try {
     const currentDir = dirname7(fileURLToPath4(import.meta.url));
     const webDir = resolve10(currentDir, "..", "web");
-    if (existsSync17(webDir) && existsSync17(join12(webDir, "package.json"))) {
+    if (existsSync19(webDir) && existsSync19(join13(webDir, "package.json"))) {
       return webDir;
     }
     const altWebDir = resolve10(currentDir, "..", "..", "web");
-    if (existsSync17(altWebDir) && existsSync17(join12(altWebDir, "package.json"))) {
+    if (existsSync19(altWebDir) && existsSync19(join13(altWebDir, "package.json"))) {
       return altWebDir;
     }
     return null;
@@ -10807,23 +12267,23 @@ async function findWebPort(preferredPort) {
   return { port: preferredPort, alreadyRunning: false };
 }
 function hasProductionBuild(webDir) {
-  const buildIdPath = join12(webDir, ".next", "BUILD_ID");
-  return existsSync17(buildIdPath);
+  const buildIdPath = join13(webDir, ".next", "BUILD_ID");
+  return existsSync19(buildIdPath);
 }
 function hasSourceFiles(webDir) {
-  const appDir = join12(webDir, "src", "app");
-  const pagesDir = join12(webDir, "src", "pages");
-  const rootAppDir = join12(webDir, "app");
-  const rootPagesDir = join12(webDir, "pages");
-  return existsSync17(appDir) || existsSync17(pagesDir) || existsSync17(rootAppDir) || existsSync17(rootPagesDir);
+  const appDir = join13(webDir, "src", "app");
+  const pagesDir = join13(webDir, "src", "pages");
+  const rootAppDir = join13(webDir, "app");
+  const rootPagesDir = join13(webDir, "pages");
+  return existsSync19(appDir) || existsSync19(pagesDir) || existsSync19(rootAppDir) || existsSync19(rootPagesDir);
 }
 function getStandaloneServerPath(webDir) {
   const possiblePaths2 = [
-    join12(webDir, ".next", "standalone", "server.js"),
-    join12(webDir, ".next", "standalone", "web", "server.js")
+    join13(webDir, ".next", "standalone", "server.js"),
+    join13(webDir, ".next", "standalone", "web", "server.js")
   ];
   for (const serverPath of possiblePaths2) {
-    if (existsSync17(serverPath)) {
+    if (existsSync19(serverPath)) {
       return serverPath;
     }
   }
@@ -10863,13 +12323,13 @@ async function startWebUI(apiPort, webPort = DEFAULT_WEB_PORT, quiet = false, pu
     if (!quiet) console.log(`  \u2713 Web UI already running at http://localhost:${actualPort}`);
     return { process: null, port: actualPort };
   }
-  const usePnpm = existsSync17(join12(webDir, "pnpm-lock.yaml"));
-  const useNpm = !usePnpm && existsSync17(join12(webDir, "package-lock.json"));
+  const usePnpm = existsSync19(join13(webDir, "pnpm-lock.yaml"));
+  const useNpm = !usePnpm && existsSync19(join13(webDir, "package-lock.json"));
   const pkgManager = usePnpm ? "pnpm" : useNpm ? "npm" : "npx";
-  const { NODE_OPTIONS, TSX_TSCONFIG_PATH, ...cleanEnv } = process.env;
+  const { NODE_OPTIONS, TSX_TSCONFIG_PATH, ...cleanEnv2 } = process.env;
   const apiUrl = publicUrl || `http://127.0.0.1:${apiPort}`;
   const runtimeConfig = { apiBaseUrl: apiUrl };
-  const runtimeConfigPath = join12(webDir, "runtime-config.json");
+  const runtimeConfigPath = join13(webDir, "runtime-config.json");
   try {
     writeFileSync5(runtimeConfigPath, JSON.stringify(runtimeConfig, null, 2));
     if (!quiet) console.log(`  \u{1F4DD} Runtime config written to ${runtimeConfigPath}`);
@@ -10877,7 +12337,7 @@ async function startWebUI(apiPort, webPort = DEFAULT_WEB_PORT, quiet = false, pu
     if (!quiet) console.warn(`  \u26A0 Could not write runtime config: ${err}`);
   }
   const webEnv = {
-    ...cleanEnv,
+    ...cleanEnv2,
     PORT: String(actualPort)
     // Next.js respects PORT env var
   };
@@ -10991,12 +12451,28 @@ function stopWebUI() {
   }
 }
 async function createApp(options = {}) {
-  const app = new Hono6();
+  const app = new Hono7();
   app.use("*", cors({
     origin: "*",
     // Allow all origins
     allowMethods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
-    allowHeaders: ["Content-Type", "Authorization", "X-Requested-With"],
+    allowHeaders: [
+      "Content-Type",
+      "Authorization",
+      "X-Requested-With",
+      // Personal-agent dashboard signs every request to the device with
+      // these. Without them whitelisted the browser preflight strips the
+      // headers and the signature middleware 401s.
+      "X-Signature",
+      "X-Signature-Timestamp",
+      "X-Signature-Algorithm",
+      "X-Device-Hwid",
+      // Short-lived embed token used by the iframed SparkECoder web UI
+      // when it's hosted inside the personal-agents dashboard. The
+      // bootstrap in `web/src/lib/embed-bootstrap.ts` adds this header
+      // to every API call.
+      "X-Embed-Token"
+    ],
     exposeHeaders: ["X-Stream-Id", "x-stream-id"],
     maxAge: 86400
     // 24 hours
@@ -11004,12 +12480,15 @@ async function createApp(options = {}) {
   if (!options.quiet) {
     app.use("*", logger());
   }
+  app.use("*", hwidMiddleware());
+  app.use("*", signatureMiddleware());
   app.route("/health", health);
   app.route("/sessions", sessions);
   app.route("/agents", agents);
   app.route("/sessions", terminals);
   app.route("/terminals", terminals);
   app.route("/tasks", tasks_default);
+  app.route("/system", system);
   app.get("/openapi.json", async (c) => {
     return c.json(generateOpenAPISpec());
   });
@@ -11062,8 +12541,8 @@ async function startServer(options = {}) {
   if (options.workingDirectory) {
     config.resolvedWorkingDirectory = options.workingDirectory;
   }
-  if (!existsSync17(config.resolvedWorkingDirectory)) {
-    mkdirSync7(config.resolvedWorkingDirectory, { recursive: true });
+  if (!existsSync19(config.resolvedWorkingDirectory)) {
+    mkdirSync8(config.resolvedWorkingDirectory, { recursive: true });
     if (!options.quiet) console.log(`\u{1F4C1} Created agent workspace: ${config.resolvedWorkingDirectory}`);
   }
   if (!config.resolvedRemoteServer.url) {
@@ -11098,6 +12577,15 @@ async function startServer(options = {}) {
     port,
     hostname: host
   });
+  try {
+    attachPtyServer(serverInstance, {
+      quiet: options.quiet
+    });
+  } catch (e) {
+    if (!options.quiet) {
+      console.warn(`  \u26A0 Failed to attach /pty WebSocket server: ${e.message}`);
+    }
+  }
   let webPort;
   let webStarted;
   if (options.webUI !== false) {