svamp-cli 0.1.28 → 0.1.30

package/dist/{run-DYhBROuo.mjs → run-Cxdc5Zmw.mjs}

@@ -8,8 +8,15 @@ import { randomUUID as randomUUID$1 } from 'crypto';
 import { randomUUID } from 'node:crypto';
 import { existsSync, readFileSync, mkdirSync, appendFileSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
-import { spawn } from 'node:child_process';
+import { spawn, execSync, execFile } from 'node:child_process';
 import { ndJsonStream, ClientSideConnection } from '@agentclientprotocol/sdk';
+import { homedir, tmpdir } from 'node:os';
+import { Client } from '@modelcontextprotocol/sdk/client/index.js';
+import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';
+import { ElicitRequestSchema } from '@modelcontextprotocol/sdk/types.js';
+import { z } from 'zod';
+import { mkdir, access, mkdtemp, rm, writeFile } from 'node:fs/promises';
+import { promisify } from 'node:util';
 
 let connectToServerFn = null;
 async function getConnectToServer() {
@@ -49,6 +56,37 @@ function getHyphaServerUrl() {
   return process.env.HYPHA_SERVER_URL || "http://localhost:9527";
 }
 
+const ROLE_HIERARCHY = {
+  view: 0,
+  interact: 1,
+  admin: 2
+};
+const ISOLATION_PREFERENCE = ["srt", "bwrap", "docker", "podman"];
+
+function authorizeRequest(context, sharing, requiredRole = "view") {
+  if (!context?.user) return;
+  const userEmail = context.user.email;
+  if (!sharing) return;
+  if (userEmail && userEmail === sharing.owner) return;
+  if (!sharing.enabled) {
+    throw new Error("Access denied: this resource is not shared");
+  }
+  if (!userEmail) {
+    throw new Error("Access denied: no email in user context");
+  }
+  const sharedUser = sharing.allowedUsers.find(
+    (u) => u.email.toLowerCase() === userEmail.toLowerCase()
+  );
+  if (!sharedUser) {
+    throw new Error("Access denied: you are not in the allowed users list");
+  }
+  if (ROLE_HIERARCHY[sharedUser.role] < ROLE_HIERARCHY[requiredRole]) {
+    throw new Error(
+      `Access denied: requires '${requiredRole}' role, you have '${sharedUser.role}'`
+    );
+  }
+}
+
 async function registerMachineService(server, machineId, metadata, daemonState, handlers) {
   let currentMetadata = { ...metadata };
   let currentDaemonState = { ...daemonState };
@@ -89,27 +127,38 @@ async function registerMachineService(server, machineId, metadata, daemonState,
       id: "default",
       name: `Svamp Machine (${metadata.displayName || machineId})`,
       type: "svamp-machine",
-      config: { visibility: "public" },
+      config: { visibility: "public", require_context: true },
       // Machine info
-      getMachineInfo: async () => ({
-        machineId,
-        metadata: currentMetadata,
-        metadataVersion,
-        daemonState: currentDaemonState,
-        daemonStateVersion
-      }),
+      getMachineInfo: async (context) => {
+        authorizeRequest(context, currentMetadata.sharing, "view");
+        return {
+          machineId,
+          metadata: currentMetadata,
+          metadataVersion,
+          daemonState: currentDaemonState,
+          daemonStateVersion
+        };
+      },
       // Heartbeat
-      heartbeat: async () => ({
+      heartbeat: async (context) => ({
         time: Date.now(),
         status: currentDaemonState.status,
         machineId
       }),
       // List active sessions on this machine
-      listSessions: async () => {
+      listSessions: async (context) => {
+        authorizeRequest(context, currentMetadata.sharing, "view");
         return handlers.getTrackedSessions();
       },
       // Spawn a new session
-      spawnSession: async (options) => {
+      spawnSession: async (options, context) => {
+        authorizeRequest(context, currentMetadata.sharing, "interact");
+        if (options.sharing?.enabled && !options.sharing.owner && context?.user?.email) {
+          options = {
+            ...options,
+            sharing: { ...options.sharing, owner: context.user.email }
+          };
+        }
         const result = await handlers.spawnSession({
           ...options,
           machineId
@@ -124,7 +173,8 @@ async function registerMachineService(server, machineId, metadata, daemonState,
         return result;
       },
       // Stop a session
-      stopSession: async (sessionId) => {
+      stopSession: async (sessionId, context) => {
+        authorizeRequest(context, currentMetadata.sharing, "admin");
         const result = handlers.stopSession(sessionId);
         notifyListeners({
           type: "session-stopped",
@@ -133,17 +183,27 @@ async function registerMachineService(server, machineId, metadata, daemonState,
         });
         return result;
       },
+      // Restart agent process in a session (machine-level fallback)
+      restartSession: async (sessionId, context) => {
+        authorizeRequest(context, currentMetadata.sharing, "interact");
+        return await handlers.restartSession(sessionId);
+      },
       // Stop the daemon
-      stopDaemon: async () => {
+      stopDaemon: async (context) => {
+        authorizeRequest(context, currentMetadata.sharing, "admin");
         handlers.requestShutdown();
         return { success: true };
       },
       // Metadata management (with optimistic concurrency)
-      getMetadata: async () => ({
-        metadata: currentMetadata,
-        version: metadataVersion
-      }),
-      updateMetadata: async (newMetadata, expectedVersion) => {
+      getMetadata: async (context) => {
+        authorizeRequest(context, currentMetadata.sharing, "view");
+        return {
+          metadata: currentMetadata,
+          version: metadataVersion
+        };
+      },
+      updateMetadata: async (newMetadata, expectedVersion, context) => {
+        authorizeRequest(context, currentMetadata.sharing, "admin");
         if (expectedVersion !== metadataVersion) {
           return {
             result: "version-mismatch",
@@ -165,11 +225,15 @@ async function registerMachineService(server, machineId, metadata, daemonState,
         };
       },
       // Daemon state management
-      getDaemonState: async () => ({
-        daemonState: currentDaemonState,
-        version: daemonStateVersion
-      }),
-      updateDaemonState: async (newState, expectedVersion) => {
+      getDaemonState: async (context) => {
+        authorizeRequest(context, currentMetadata.sharing, "view");
+        return {
+          daemonState: currentDaemonState,
+          version: daemonStateVersion
+        };
+      },
+      updateDaemonState: async (newState, expectedVersion, context) => {
+        authorizeRequest(context, currentMetadata.sharing, "admin");
         if (expectedVersion !== daemonStateVersion) {
           return {
             result: "version-mismatch",
@@ -190,14 +254,35 @@ async function registerMachineService(server, machineId, metadata, daemonState,
           daemonState: currentDaemonState
         };
       },
+      // ── Sharing Management ──
+      getSharing: async (context) => {
+        authorizeRequest(context, currentMetadata.sharing, "view");
+        return { sharing: currentMetadata.sharing || null };
+      },
+      updateSharing: async (newSharing, context) => {
+        authorizeRequest(context, currentMetadata.sharing, "admin");
+        if (currentMetadata.sharing && context?.user?.email && context.user.email !== currentMetadata.sharing.owner) {
+          throw new Error("Only the machine owner can update sharing settings");
+        }
+        currentMetadata = { ...currentMetadata, sharing: newSharing };
+        metadataVersion++;
+        notifyListeners({
+          type: "update-machine",
+          machineId,
+          metadata: { value: currentMetadata, version: metadataVersion }
+        });
+        return { success: true, sharing: newSharing };
+      },
       // Register a listener for real-time updates (app calls this with _rintf callback)
-      registerListener: async (callback) => {
+      registerListener: async (callback, context) => {
+        authorizeRequest(context, currentMetadata.sharing, "view");
         listeners.push(callback);
         console.log(`[HYPHA MACHINE] Listener registered (total: ${listeners.length})`);
         return { success: true, listenerId: listeners.length - 1 };
       },
       // Shell access
-      bash: async (command, cwd) => {
+      bash: async (command, cwd, context) => {
+        authorizeRequest(context, currentMetadata.sharing, "admin");
         const { exec } = await import('child_process');
         const { homedir } = await import('os');
         return new Promise((resolve) => {
@@ -211,7 +296,8 @@ async function registerMachineService(server, machineId, metadata, daemonState,
         });
       },
       // WISE voice — create ephemeral token for OpenAI Realtime API
-      wiseCreateEphemeralToken: async (params) => {
+      wiseCreateEphemeralToken: async (params, context) => {
+        authorizeRequest(context, currentMetadata.sharing, "interact");
         const apiKey = params.apiKey || process.env.OPENAI_API_KEY;
         if (!apiKey) {
           return { success: false, error: "No OpenAI API key found. Set OPENAI_API_KEY or pass apiKey." };
@@ -344,6 +430,8 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
         data.uuid = randomUUID();
       }
       wrappedContent = { role: "agent", content: { type: "output", data } };
+    } else if (role === "event") {
+      wrappedContent = { role: "agent", content: { type: "event", data: content } };
     } else if (role === "session") {
       wrappedContent = { role: "session", content: { type: "session", data: content } };
     } else {
@@ -359,6 +447,7 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
       updatedAt: Date.now()
     };
     messages.push(msg);
+    if (messages.length > 1e3) messages.splice(0, messages.length - 1e3);
     if (options?.messagesDir) {
       appendMessage(options.messagesDir, sessionId, msg);
     }
@@ -374,9 +463,10 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
       id: `svamp-session-${sessionId}`,
       name: `Svamp Session ${sessionId.slice(0, 8)}`,
       type: "svamp-session",
-      config: { visibility: "public" },
+      config: { visibility: "public", require_context: true },
       // ── Messages ──
-      getMessages: async (afterSeq, limit) => {
+      getMessages: async (afterSeq, limit, context) => {
+        authorizeRequest(context, metadata.sharing, "view");
         const after = afterSeq ?? 0;
         const lim = Math.min(limit ?? 100, 500);
         const filtered = messages.filter((m) => m.seq > after);
@@ -386,7 +476,8 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
           hasMore: filtered.length > lim
         };
       },
-      sendMessage: async (content, localId, meta) => {
+      sendMessage: async (content, localId, meta, context) => {
+        authorizeRequest(context, metadata.sharing, "interact");
         if (localId) {
           const existing = messages.find((m) => m.localId === localId);
           if (existing) {
@@ -417,6 +508,7 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
           updatedAt: Date.now()
         };
         messages.push(msg);
+        if (messages.length > 1e3) messages.splice(0, messages.length - 1e3);
         if (options?.messagesDir) {
           appendMessage(options.messagesDir, sessionId, msg);
         }
@@ -429,11 +521,15 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
         return { id: msg.id, seq: msg.seq, localId: msg.localId };
       },
       // ── Metadata ──
-      getMetadata: async () => ({
-        metadata,
-        version: metadataVersion
-      }),
-      updateMetadata: async (newMetadata, expectedVersion) => {
+      getMetadata: async (context) => {
+        authorizeRequest(context, metadata.sharing, "view");
+        return {
+          metadata,
+          version: metadataVersion
+        };
+      },
+      updateMetadata: async (newMetadata, expectedVersion, context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         if (expectedVersion !== void 0 && expectedVersion !== metadataVersion) {
           return {
             result: "version-mismatch",
@@ -455,11 +551,15 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
         };
       },
       // ── Agent State ──
-      getAgentState: async () => ({
-        agentState,
-        version: agentStateVersion
-      }),
-      updateAgentState: async (newState, expectedVersion) => {
+      getAgentState: async (context) => {
+        authorizeRequest(context, metadata.sharing, "view");
+        return {
+          agentState,
+          version: agentStateVersion
+        };
+      },
+      updateAgentState: async (newState, expectedVersion, context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         if (expectedVersion !== void 0 && expectedVersion !== agentStateVersion) {
           return {
             result: "version-mismatch",
@@ -481,27 +581,32 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
         };
       },
       // ── Session Control RPCs ──
-      abort: async () => {
+      abort: async (context) => {
+        authorizeRequest(context, metadata.sharing, "interact");
         callbacks.onAbort();
         return { success: true };
       },
-      permissionResponse: async (params) => {
+      permissionResponse: async (params, context) => {
+        authorizeRequest(context, metadata.sharing, "interact");
         callbacks.onPermissionResponse(params);
         return { success: true };
       },
-      switchMode: async (mode) => {
+      switchMode: async (mode, context) => {
+        authorizeRequest(context, metadata.sharing, "interact");
         callbacks.onSwitchMode(mode);
         return { success: true };
       },
-      restartClaude: async () => {
+      restartClaude: async (context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         return await callbacks.onRestartClaude();
       },
-      killSession: async () => {
+      killSession: async (context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         callbacks.onKillSession();
         return { success: true };
       },
       // ── Activity ──
-      keepAlive: async (thinking, mode) => {
+      keepAlive: async (thinking, mode, context) => {
         lastActivity = { active: true, thinking: thinking || false, mode: mode || "remote", time: Date.now() };
         notifyListeners({
           type: "activity",
@@ -509,7 +614,7 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
           ...lastActivity
         });
       },
-      sessionEnd: async () => {
+      sessionEnd: async (context) => {
         lastActivity = { active: false, thinking: false, mode: "remote", time: Date.now() };
         notifyListeners({
           type: "activity",
@@ -518,28 +623,34 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
         });
       },
       // ── Activity State Query ──
-      getActivityState: async () => {
+      getActivityState: async (context) => {
+        authorizeRequest(context, metadata.sharing, "view");
         return { ...lastActivity, sessionId };
       },
-      // ── File Operations (optional) ──
-      readFile: async (path) => {
+      // ── File Operations (optional, admin-only) ──
+      readFile: async (path, context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         if (!callbacks.onReadFile) throw new Error("readFile not supported");
         return await callbacks.onReadFile(path);
       },
-      writeFile: async (path, content) => {
+      writeFile: async (path, content, context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         if (!callbacks.onWriteFile) throw new Error("writeFile not supported");
         await callbacks.onWriteFile(path, content);
         return { success: true };
       },
-      listDirectory: async (path) => {
+      listDirectory: async (path, context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         if (!callbacks.onListDirectory) throw new Error("listDirectory not supported");
         return await callbacks.onListDirectory(path);
       },
-      bash: async (command, cwd) => {
+      bash: async (command, cwd, context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         if (!callbacks.onBash) throw new Error("bash not supported");
         return await callbacks.onBash(command, cwd);
       },
-      ripgrep: async (args, cwd) => {
+      ripgrep: async (args, cwd, context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         if (!callbacks.onRipgrep) throw new Error("ripgrep not supported");
         try {
           const stdout = await callbacks.onRipgrep(args, cwd);
@@ -548,15 +659,41 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
           return { success: false, stdout: "", stderr: err.message || "", exitCode: 1, error: err.message };
         }
       },
-      getDirectoryTree: async (path, maxDepth) => {
+      getDirectoryTree: async (path, maxDepth, context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
         if (!callbacks.onGetDirectoryTree) throw new Error("getDirectoryTree not supported");
         return await callbacks.onGetDirectoryTree(path, maxDepth ?? 3);
       },
+      // ── Sharing Management ──
+      getSharing: async (context) => {
+        authorizeRequest(context, metadata.sharing, "view");
+        return { sharing: metadata.sharing || null };
+      },
+      updateSharing: async (newSharing, context) => {
+        authorizeRequest(context, metadata.sharing, "admin");
+        if (metadata.sharing && context?.user?.email && context.user.email !== metadata.sharing.owner) {
+          throw new Error("Only the session owner can update sharing settings");
+        }
+        if (newSharing.enabled && !newSharing.owner && context?.user?.email) {
+          newSharing = { ...newSharing, owner: context.user.email };
+        }
+        metadata = { ...metadata, sharing: newSharing };
+        metadataVersion++;
+        notifyListeners({
+          type: "update-session",
+          sessionId,
+          metadata: { value: metadata, version: metadataVersion }
+        });
+        return { success: true, sharing: newSharing };
+      },
       // ── Listener Registration ──
-      registerListener: async (callback) => {
+      registerListener: async (callback, context) => {
+        authorizeRequest(context, metadata.sharing, "view");
         listeners.push(callback);
-        console.log(`[HYPHA SESSION ${sessionId}] Listener registered (total: ${listeners.length}), replaying ${messages.length} messages`);
-        for (const msg of messages) {
+        const replayMessages = messages.slice(-50);
+        console.log(`[HYPHA SESSION ${sessionId}] Listener registered (total: ${listeners.length}), replaying ${replayMessages.length} of ${messages.length} messages`);
+        for (const msg of replayMessages) {
+          if (listeners.indexOf(callback) < 0) break;
           try {
             const result = callback.onUpdate({
               type: "new-message",
@@ -564,14 +701,23 @@ async function registerSessionService(server, sessionId, initialMetadata, initia
               message: msg
             });
             if (result && typeof result.catch === "function") {
-              result.catch((err) => {
-                console.error(`[HYPHA SESSION ${sessionId}] Replay listener error:`, err);
-              });
+              try {
+                await result;
+              } catch (err) {
+                console.error(`[HYPHA SESSION ${sessionId}] Replay listener error, removing:`, err?.message ?? err);
+                removeListener(callback, "replay error");
+                return { success: false, error: "Listener removed during replay" };
+              }
             }
           } catch (err) {
-            console.error(`[HYPHA SESSION ${sessionId}] Replay listener error:`, err);
+            console.error(`[HYPHA SESSION ${sessionId}] Replay listener error, removing:`, err?.message ?? err);
+            removeListener(callback, "replay error");
+            return { success: false, error: "Listener removed during replay" };
           }
         }
+        if (listeners.indexOf(callback) < 0) {
+          return { success: false, error: "Listener was removed during replay" };
+        }
         try {
           const result = callback.onUpdate({
             type: "update-session",
@@ -851,6 +997,7 @@ class SessionArtifactSync {
             lastSyncAt: Date.now(),
             ...sessionData || {}
           },
+          stage: true,
           _rkwargs: true
         });
       } catch {
@@ -867,6 +1014,7 @@ class SessionArtifactSync {
             lastSyncAt: Date.now(),
             ...sessionData || {}
           },
+          stage: true,
           _rkwargs: true
         });
         artifactId = artifact.id;
@@ -1056,6 +1204,106 @@ var DefaultTransport$1 = /*#__PURE__*/Object.freeze({
     DefaultTransport: DefaultTransport
 });
 
+const SVAMP_TOOLS_DIR$1 = join(homedir(), ".svamp", "tools");
+const SVAMP_TOOLS_BIN$1 = join(SVAMP_TOOLS_DIR$1, "node_modules", ".bin");
+const SVAMP_TOOLS_RG_BIN$1 = join(SVAMP_TOOLS_DIR$1, "node_modules", "@vscode", "ripgrep", "bin");
+function wrapWithIsolation(originalCommand, originalArgs, config) {
+  switch (config.method) {
+    case "srt":
+      return wrapWithSrt(originalCommand, originalArgs, config);
+    case "bwrap":
+      return wrapWithBwrap(originalCommand, originalArgs, config);
+    case "docker":
+      return wrapWithContainer("docker", originalCommand, originalArgs, config);
+    case "podman":
+      return wrapWithContainer("podman", originalCommand, originalArgs, config);
+  }
+}
+function wrapWithSrt(command, args, config) {
+  const settings = {
+    filesystem: {
+      denyRead: config.srtConfig?.filesystem?.denyRead ?? [],
+      allowWrite: config.srtConfig?.filesystem?.allowWrite ?? [config.workspacePath],
+      denyWrite: config.srtConfig?.filesystem?.denyWrite ?? []
+    },
+    network: {
+      allowedDomains: config.srtConfig?.network?.allowedDomains ?? [],
+      deniedDomains: config.srtConfig?.network?.deniedDomains ?? []
+    }
+  };
+  const settingsPath = join(tmpdir(), `srt-settings-${process.pid}-${Date.now()}.json`);
+  writeFileSync(settingsPath, JSON.stringify(settings));
+  const pathParts = [SVAMP_TOOLS_BIN$1, SVAMP_TOOLS_RG_BIN$1];
+  if (process.env.PATH) pathParts.push(process.env.PATH);
+  return {
+    command: config.binaryPath,
+    args: ["--settings", settingsPath, command, ...args],
+    env: { PATH: pathParts.join(":") },
+    cleanupFiles: [settingsPath]
+  };
+}
+function wrapWithBwrap(command, args, config) {
+  const bwrapArgs = [
+    // Mount root filesystem read-only
+    "--ro-bind",
+    "/",
+    "/",
+    // Mount workspace read-write
+    "--bind",
+    config.workspacePath,
+    config.workspacePath,
+    // Mount /tmp read-write (many tools need it)
+    "--bind",
+    "/tmp",
+    "/tmp",
+    // Mount /dev read-write
+    "--dev",
+    "/dev",
+    // Mount /proc
+    "--proc",
+    "/proc",
+    // Unshare network — no network access inside sandbox
+    "--unshare-net",
+    // Unshare PID namespace
+    "--unshare-pid",
+    // Die when parent dies
+    "--die-with-parent",
+    // The actual command
+    "--",
+    command,
+    ...args
+  ];
+  return {
+    command: config.binaryPath,
+    args: bwrapArgs
+  };
+}
+function wrapWithContainer(runtime, command, args, config) {
+  const image = config.containerConfig?.image || "node:lts-slim";
+  const networkMode = config.containerConfig?.networkMode || "none";
+  const containerArgs = [
+    "run",
+    "--rm",
+    "-i",
+    // interactive (for stdin/stdout piping)
+    `--network=${networkMode}`,
+    "-v",
+    `${config.workspacePath}:${config.workspacePath}`,
+    "-w",
+    config.workspacePath
+  ];
+  if (config.containerConfig?.extraMounts) {
+    for (const mount of config.containerConfig.extraMounts) {
+      containerArgs.push("-v", mount);
+    }
+  }
+  containerArgs.push(image, command, ...args);
+  return {
+    command: config.binaryPath,
+    args: containerArgs
+  };
+}
+
 const DEFAULT_IDLE_TIMEOUT_MS = 500;
 const DEFAULT_TOOL_CALL_TIMEOUT_MS = 12e4;
 function parseArgsFromContent(content) {
@@ -1374,21 +1622,41 @@ class AcpBackend {
     let startupStatusErrorEmitted = false;
     try {
       const args = this.options.args || [];
+      let spawnCommand = this.options.command;
+      let spawnArgs = args;
+      let isoEnv = {};
+      let isoCleanupFiles = [];
+      if (this.options.isolationConfig) {
+        const wrapped = wrapWithIsolation(spawnCommand, spawnArgs, this.options.isolationConfig);
+        spawnCommand = wrapped.command;
+        spawnArgs = wrapped.args;
+        if (wrapped.env) isoEnv = wrapped.env;
+        if (wrapped.cleanupFiles) isoCleanupFiles = wrapped.cleanupFiles;
+        this.log(`[ACP] Isolation: ${this.options.isolationConfig.method}`);
+      }
+      const spawnEnv = { ...process.env, ...this.options.env, ...isoEnv };
       if (process.platform === "win32") {
-        const fullCommand = [this.options.command, ...args].join(" ");
+        const fullCommand = [spawnCommand, ...spawnArgs].join(" ");
         this.process = spawn("cmd.exe", ["/c", fullCommand], {
           cwd: this.options.cwd,
-          env: { ...process.env, ...this.options.env },
+          env: spawnEnv,
           stdio: ["pipe", "pipe", "pipe"],
           windowsHide: true
         });
       } else {
-        this.process = spawn(this.options.command, args, {
+        this.process = spawn(spawnCommand, spawnArgs, {
           cwd: this.options.cwd,
-          env: { ...process.env, ...this.options.env },
+          env: spawnEnv,
           stdio: ["pipe", "pipe", "pipe"]
         });
       }
+      if (isoCleanupFiles.length > 0) {
+        this.process.on("exit", async () => {
+          const { rm } = await import('node:fs/promises');
+          for (const f of isoCleanupFiles) rm(f, { force: true }).catch(() => {
+          });
+        });
+      }
       if (!this.process.stdin || !this.process.stdout || !this.process.stderr) {
         throw new Error("Failed to create stdio pipes");
       }
@@ -1907,6 +2175,9 @@ const KNOWN_ACP_AGENTS = {
   gemini: { command: "gemini", args: ["--experimental-acp"] },
   opencode: { command: "opencode", args: ["acp"] }
 };
+const KNOWN_MCP_AGENTS = {
+  codex: { command: "codex", args: ["mcp-server"] }
+};
 function resolveAcpAgentConfig(cliArgs) {
   if (cliArgs.length === 0) {
     throw new Error("Usage: svamp agent <agent-name> or svamp agent -- <command> [args]");
@@ -1923,13 +2194,21 @@ function resolveAcpAgentConfig(cliArgs) {
     };
   }
   const agentName = cliArgs[0];
-  const known = KNOWN_ACP_AGENTS[agentName];
-  if (known) {
+  const knownAcp = KNOWN_ACP_AGENTS[agentName];
+  if (knownAcp) {
     const passthroughArgs = cliArgs.slice(1).filter((arg) => !(agentName === "opencode" && arg === "--acp"));
     return {
       agentName,
-      command: known.command,
-      args: [...known.args, ...passthroughArgs]
+      command: knownAcp.command,
+      args: [...knownAcp.args, ...passthroughArgs]
+    };
+  }
+  const knownMcp = KNOWN_MCP_AGENTS[agentName];
+  if (knownMcp) {
+    return {
+      agentName,
+      command: knownMcp.command,
+      args: [...knownMcp.args, ...cliArgs.slice(1)]
     };
   }
   return {
@@ -1942,6 +2221,7 @@ function resolveAcpAgentConfig(cliArgs) {
 var acpAgentConfig = /*#__PURE__*/Object.freeze({
     __proto__: null,
     KNOWN_ACP_AGENTS: KNOWN_ACP_AGENTS,
+    KNOWN_MCP_AGENTS: KNOWN_MCP_AGENTS,
     resolveAcpAgentConfig: resolveAcpAgentConfig
 });
 
@@ -1989,15 +2269,15 @@ function bridgeAcpToSession(backend, sessionService, getMetadata, setMetadata, l
           setMetadata((m) => ({ ...m, lifecycleState: "running" }));
         } else if (msg.status === "error") {
           flushText();
-          sessionService.pushMessage({
-            type: "assistant",
-            content: [{ type: "text", text: `Error: ${msg.detail || "Unknown error"}` }]
-          }, "agent");
-          sessionService.sendKeepAlive(false);
+          sessionService.pushMessage(
+            { type: "message", message: `Agent process exited unexpectedly: ${msg.detail || "Unknown error"}` },
+            "event"
+          );
+          sessionService.sendSessionEnd();
           setMetadata((m) => ({ ...m, lifecycleState: "error" }));
         } else if (msg.status === "stopped") {
           flushText();
-          sessionService.sendKeepAlive(false);
+          sessionService.sendSessionEnd();
           setMetadata((m) => ({ ...m, lifecycleState: "stopped" }));
         }
         break;
@@ -2118,6 +2398,426 @@ class HyphaPermissionHandler {
   }
 }
 
+const DEFAULT_TIMEOUT = 14 * 24 * 60 * 60 * 1e3;
+function getCodexMcpCommand() {
+  try {
+    const version = execSync("codex --version", { encoding: "utf8" }).trim();
+    const match = version.match(/codex-cli\s+(\d+\.\d+\.\d+(?:-alpha\.\d+)?)/);
+    if (!match) return "mcp-server";
+    const versionStr = match[1];
+    const [major, minor, patch] = versionStr.split(/[-.]/).map(Number);
+    if (major > 0 || minor > 43) return "mcp-server";
+    if (minor === 43 && patch === 0) {
+      if (versionStr.includes("-alpha.")) {
+        const alphaNum = parseInt(versionStr.split("-alpha.")[1]);
+        return alphaNum >= 5 ? "mcp-server" : "mcp";
+      }
+      return "mcp-server";
+    }
+    return "mcp";
+  } catch {
+    return null;
+  }
+}
+class CodexMcpBackend {
+  listeners = [];
+  client;
+  transport = null;
+  disposed = false;
+  codexSessionId = null;
+  conversationId = null;
+  svampSessionId = null;
+  log;
+  options;
+  connected = false;
+  // Pending elicitation approvals
+  pendingApprovals = /* @__PURE__ */ new Map();
+  // Temp files from isolation wrapping (cleaned up on disconnect)
+  _isolationCleanupFiles = [];
+  constructor(options) {
+    this.options = options;
+    this.log = options.log || (() => {
+    });
+    this.client = new Client(
+      { name: "svamp-codex-client", version: "1.0.0" },
+      { capabilities: { elicitation: {} } }
+    );
+    this.client.setNotificationHandler(z.object({
+      method: z.literal("codex/event"),
+      params: z.object({ msg: z.any() })
+    }).passthrough(), (data) => {
+      const msg = data.params.msg;
+      this.updateIdentifiersFromEvent(msg);
+      this.handleCodexEvent(msg);
+    });
+  }
+  // ── AgentBackend interface ──────────────────────────────────────────
+  onMessage(handler) {
+    this.listeners.push(handler);
+  }
+  offMessage(handler) {
+    const idx = this.listeners.indexOf(handler);
+    if (idx !== -1) this.listeners.splice(idx, 1);
+  }
+  async startSession(initialPrompt) {
+    const sessionId = randomUUID();
+    this.svampSessionId = sessionId;
+    this.emit({ type: "status", status: "starting" });
+    await this.connect();
+    this.emit({ type: "status", status: "idle" });
+    if (initialPrompt) {
+      this.sendPrompt(sessionId, initialPrompt).catch((err) => {
+        this.log(`[Codex] Error sending initial prompt: ${err.message}`);
+        this.emit({ type: "status", status: "error", detail: err.message });
+      });
+    }
+    return { sessionId };
+  }
+  async sendPrompt(sessionId, prompt) {
+    if (!this.connected) throw new Error("Codex not connected");
+    this.emit({ type: "status", status: "running" });
+    try {
+      let response;
+      if (this.codexSessionId) {
+        response = await this.continueSession(prompt);
+      } else {
+        const config = {
+          prompt,
+          cwd: this.options.cwd,
+          ...this.options.model ? { model: this.options.model } : {}
+        };
+        response = await this.startCodexSession(config);
+      }
+      if (response?.content && Array.isArray(response.content)) {
+        for (const block of response.content) {
+          if (block.type === "text" && block.text) {
+            this.emit({ type: "model-output", fullText: block.text });
+          }
+        }
+      }
+    } catch (err) {
+      this.log(`[Codex] Error in sendPrompt: ${err.message}`);
+      this.emit({ type: "status", status: "error", detail: err.message });
+      throw err;
+    } finally {
+      this.emit({ type: "status", status: "idle" });
+    }
+  }
+  async cancel(_sessionId) {
+    this.log("[Codex] Cancel requested");
+    this.emit({ type: "status", status: "idle" });
+  }
+  async respondToPermission(requestId, approved) {
+    const pending = this.pendingApprovals.get(requestId);
+    if (pending) {
+      this.pendingApprovals.delete(requestId);
+      pending.resolve({
+        action: approved ? "accept" : "decline",
+        content: { approval: approved ? "approve" : "deny" }
+      });
+      this.emit({ type: "permission-response", id: requestId, approved });
+    }
+  }
+  async dispose() {
+    if (this.disposed) return;
+    this.disposed = true;
+    this.log("[Codex] Disposing backend");
+    for (const [, pending] of this.pendingApprovals) {
+      pending.resolve({ action: "decline" });
+    }
+    this.pendingApprovals.clear();
+    await this.disconnect();
+    this.listeners = [];
+  }
+  /** Get the transport's child process PID for tracking */
+  get pid() {
+    return this.transport?.pid ?? null;
+  }
+  /**
+   * Return a process-like object for TrackedSession.childProcess.
+   * We expose a minimal { kill } object that closes the transport.
+   */
+  getProcess() {
+    if (!this.transport) return null;
+    const pid = this.pid;
+    return {
+      kill: (signal) => {
+        if (pid) {
+          try {
+            process.kill(pid, signal || "SIGTERM");
+          } catch {
+          }
+        }
+      }
+    };
+  }
+  // ── MCP connection ─────────────────────────────────────────────────
+  async connect() {
+    if (this.connected) return;
+    const mcpCommand = getCodexMcpCommand();
+    if (mcpCommand === null) {
+      throw new Error(
+        "Codex CLI not found or not executable.\n\nTo install codex:\n  npm install -g @openai/codex\n"
+      );
+    }
+    this.log(`[Codex] Connecting via: codex ${mcpCommand}`);
+    const env = {};
+    for (const key of Object.keys(process.env)) {
+      const value = process.env[key];
+      if (typeof value === "string") env[key] = value;
+    }
+    if (this.options.env) {
+      Object.assign(env, this.options.env);
+    }
+    const rolloutFilter = "codex_core::rollout::list=off";
+    const existingRustLog = env.RUST_LOG?.trim();
+    if (!existingRustLog) {
+      env.RUST_LOG = rolloutFilter;
+    } else if (!existingRustLog.includes("codex_core::rollout::list=")) {
+      env.RUST_LOG = `${existingRustLog},${rolloutFilter}`;
+    }
+    let transportCommand = "codex";
+    let transportArgs = [mcpCommand];
+    if (this.options.isolationConfig) {
+      const wrapped = wrapWithIsolation(transportCommand, transportArgs, this.options.isolationConfig);
+      transportCommand = wrapped.command;
+      transportArgs = wrapped.args;
+      if (wrapped.env) Object.assign(env, wrapped.env);
+      if (wrapped.cleanupFiles) {
+        this._isolationCleanupFiles = wrapped.cleanupFiles;
+      }
+      this.log(`[Codex] Isolation: ${this.options.isolationConfig.method}`);
+    }
+    this.transport = new StdioClientTransport({
+      command: transportCommand,
+      args: transportArgs,
+      env
+    });
+    this.registerPermissionHandlers();
+    try {
+      await this.client.connect(this.transport);
+      this.connected = true;
+      this.log("[Codex] MCP connection established");
+    } catch (err) {
+      this.transport = null;
+      throw err;
+    }
+  }
+  async disconnect() {
+    if (!this.connected) return;
+    const pid = this.pid;
+    this.log(`[Codex] Disconnecting (pid=${pid ?? "none"})`);
+    try {
+      await this.client.close();
+    } catch {
+      try {
+        await this.transport?.close?.();
+      } catch {
+      }
+    }
+    if (pid) {
+      try {
+        process.kill(pid, 0);
+        try {
+          process.kill(pid, "SIGKILL");
+        } catch {
+        }
+      } catch {
+      }
+    }
+    this.transport = null;
+    this.connected = false;
+    if (this._isolationCleanupFiles.length > 0) {
+      const { rm } = await import('node:fs/promises');
+      for (const f of this._isolationCleanupFiles) rm(f, { force: true }).catch(() => {
+      });
+      this._isolationCleanupFiles = [];
+    }
+  }
+  // ── Permission handling ────────────────────────────────────────────
+  registerPermissionHandlers() {
+    this.client.setRequestHandler(
+      ElicitRequestSchema,
+      async (request) => {
+        const params = request.params;
+        const callId = params.codex_call_id || randomUUID();
+        this.log(`[Codex] Elicitation request: ${params.message}`);
+        this.emit({
+          type: "permission-request",
+          id: callId,
+          reason: params.codex_command ? `Execute: ${Array.isArray(params.codex_command) ? params.codex_command.join(" ") : params.codex_command}` : params.message || "Codex requires approval",
+          payload: {
+            toolName: "CodexBash",
+            input: {
+              command: params.codex_command,
+              cwd: params.codex_cwd
+            }
+          }
+        });
+        return new Promise((resolve) => {
+          this.pendingApprovals.set(callId, { resolve });
+          setTimeout(() => {
+            if (this.pendingApprovals.has(callId)) {
+              this.pendingApprovals.delete(callId);
+              resolve({ action: "decline" });
+            }
+          }, 5 * 60 * 1e3);
+        });
+      }
+    );
+  }
+  // ── Codex MCP tools ────────────────────────────────────────────────
+  async startCodexSession(config) {
+    const response = await this.client.callTool({
+      name: "codex",
+      arguments: config
+    }, void 0, { timeout: DEFAULT_TIMEOUT });
+    this.extractIdentifiers(response);
+    return response;
+  }
+  async continueSession(prompt) {
+    if (!this.conversationId) {
+      this.conversationId = this.codexSessionId;
+    }
+    const response = await this.client.callTool({
+      name: "codex-reply",
+      arguments: {
+        sessionId: this.codexSessionId,
+        conversationId: this.conversationId,
+        prompt
+      }
+    }, void 0, { timeout: DEFAULT_TIMEOUT });
+    this.extractIdentifiers(response);
+    return response;
+  }
+  // ── Event handling ─────────────────────────────────────────────────
+  handleCodexEvent(event) {
+    if (!event || typeof event !== "object") return;
+    const eventType = event.type;
+    this.log(`[Codex] Event: ${eventType}`);
+    switch (eventType) {
+      case "task_started":
+        this.emit({ type: "status", status: "running" });
+        break;
+      case "task_complete":
+      case "turn_aborted":
+        this.emit({ type: "status", status: "idle" });
+        break;
+      case "agent_message": {
+        const content = event.content;
+        if (Array.isArray(content)) {
+          for (const block of content) {
+            if (block.type === "output_text" && block.text) {
+              this.emit({ type: "model-output", fullText: block.text });
+            }
+          }
+        }
+        break;
+      }
+      case "agent_reasoning_delta": {
+        const text = event.delta?.text || event.text;
+        if (text) {
+          this.emit({ type: "event", name: "thinking", payload: { text } });
+        }
+        break;
+      }
+      case "agent_reasoning": {
+        const text = event.text || (Array.isArray(event.content) ? event.content.map((c) => c.text).join("") : "");
+        if (text) {
+          this.emit({ type: "event", name: "thinking", payload: { text } });
+        }
+        break;
+      }
+      case "exec_command_begin": {
+        const callId = event.call_id || event.callId || randomUUID();
+        const command = Array.isArray(event.command) ? event.command.join(" ") : String(event.command || "");
+        this.emit({
+          type: "tool-call",
+          toolName: "CodexBash",
+          callId,
+          args: { command, cwd: event.cwd }
+        });
+        break;
+      }
+      case "exec_command_end": {
+        const callId = event.call_id || event.callId || "";
+        this.emit({
+          type: "tool-result",
+          toolName: "CodexBash",
+          callId,
+          result: {
+            exitCode: event.exit_code ?? event.exitCode,
+            stdout: event.stdout || "",
+            stderr: event.stderr || ""
+          }
+        });
+        break;
+      }
+      case "patch_apply_begin": {
+        const callId = event.call_id || event.callId || randomUUID();
+        this.emit({
+          type: "tool-call",
+          toolName: "CodexPatch",
+          callId,
+          args: { filePath: event.file_path || event.filePath, patch: event.patch }
+        });
+        break;
+      }
+      case "patch_apply_end": {
+        const callId = event.call_id || event.callId || "";
+        this.emit({
+          type: "tool-result",
+          toolName: "CodexPatch",
+          callId,
+          result: {
+            filePath: event.file_path || event.filePath,
+            applied: event.applied,
+            error: event.error
+          }
+        });
+        break;
+      }
+      default:
+        this.log(`[Codex] Unhandled event: ${eventType}`);
+        break;
+    }
+  }
+  // ── Identifier extraction ──────────────────────────────────────────
+  updateIdentifiersFromEvent(event) {
+    if (!event || typeof event !== "object") return;
+    const candidates = [event];
+    if (event.data && typeof event.data === "object") candidates.push(event.data);
+    for (const c of candidates) {
+      const sid = c.session_id ?? c.sessionId;
+      if (sid) this.codexSessionId = sid;
+      const cid = c.conversation_id ?? c.conversationId;
+      if (cid) this.conversationId = cid;
+    }
+  }
+  extractIdentifiers(response) {
+    const meta = response?.meta || {};
+    this.codexSessionId = meta.sessionId || response?.sessionId || this.codexSessionId;
+    this.conversationId = meta.conversationId || response?.conversationId || this.conversationId;
+    const content = response?.content;
+    if (Array.isArray(content)) {
+      for (const item of content) {
+        if (!this.codexSessionId && item?.sessionId) this.codexSessionId = item.sessionId;
+        if (!this.conversationId && item?.conversationId) this.conversationId = item.conversationId;
+      }
+    }
+  }
+  // ── Helpers ────────────────────────────────────────────────────────
+  emit(msg) {
+    if (this.disposed) return;
+    for (const h of this.listeners) {
+      try {
+        h(msg);
+      } catch {
+      }
+    }
+  }
+}
+
 const GEMINI_TIMEOUTS = {
   init: 12e4,
   toolCall: 12e4,
@@ -2253,6 +2953,264 @@ var GeminiTransport$1 = /*#__PURE__*/Object.freeze({
     GeminiTransport: GeminiTransport
 });
 
+const execFileAsync = promisify(execFile);
+const SVAMP_TOOLS_DIR = join(homedir(), ".svamp", "tools");
+const SVAMP_TOOLS_BIN = join(SVAMP_TOOLS_DIR, "node_modules", ".bin");
+const SVAMP_TOOLS_RG_BIN = join(SVAMP_TOOLS_DIR, "node_modules", "@vscode", "ripgrep", "bin");
+function getToolsPath() {
+  const parts = [SVAMP_TOOLS_BIN, SVAMP_TOOLS_RG_BIN];
+  if (process.env.PATH) parts.push(process.env.PATH);
+  return parts.join(":");
+}
+async function checkCommand(command, versionArgs, extraEnv) {
+  const envWithPath = extraEnv ? { ...process.env, ...extraEnv } : void 0;
+  try {
+    const { stdout } = await execFileAsync(command, versionArgs, {
+      timeout: 5e3,
+      env: envWithPath
+    });
+    const version = stdout.trim().split("\n")[0];
+    return { found: true, version, path: command };
+  } catch {
+  }
+  const localPath = join(SVAMP_TOOLS_BIN, command);
+  try {
+    const { stdout } = await execFileAsync(localPath, versionArgs, {
+      timeout: 5e3,
+      env: envWithPath
+    });
+    const version = stdout.trim().split("\n")[0];
+    return { found: true, version, path: localPath };
+  } catch {
+  }
+  return { found: false };
+}
+async function installSrt() {
+  const platform = process.platform;
+  if (platform !== "darwin" && platform !== "linux") {
+    return false;
+  }
+  console.log("[isolation] srt not found. Installing @anthropic-ai/sandbox-runtime...");
+  try {
+    await mkdir(SVAMP_TOOLS_DIR, { recursive: true });
+    await execFileAsync("npm", [
+      "install",
+      "--prefix",
+      SVAMP_TOOLS_DIR,
+      "@anthropic-ai/sandbox-runtime@latest",
+      "@vscode/ripgrep"
+    ], { timeout: 12e4 });
+    const srtPath = join(SVAMP_TOOLS_BIN, "srt");
+    try {
+      await access(srtPath);
+      console.log(`[isolation] srt installed successfully at ${srtPath}`);
+      return true;
+    } catch {
+      console.warn("[isolation] npm install completed but srt binary not found");
+      return false;
+    }
+  } catch (e) {
+    console.warn(`[isolation] Failed to install srt: ${e.message}`);
+    return false;
+  }
+}
+async function parseIsolationTestOutput(stdout, probeFile) {
+  const output = stdout.trim();
+  const wMatch = output.match(/W=(\d+)/);
+  const pMatch = output.match(/P=(\d+)/);
+  if (!wMatch || !pMatch) {
+    return { passed: false, error: `unexpected test output: ${output}` };
+  }
+  const workspaceWriteOk = wMatch[1] === "0";
+  const probeExitCode = parseInt(pMatch[1], 10);
+  if (!workspaceWriteOk) {
+    return { passed: false, error: "sandbox blocked writes to allowed workspace path" };
+  }
+  if (probeExitCode === 0) {
+    try {
+      await access(probeFile);
+      return {
+        passed: false,
+        error: "writes outside workspace were NOT blocked \u2014 file leaked to host filesystem"
+      };
+    } catch {
+      return { passed: true };
+    }
+  }
+  return { passed: true };
+}
+async function verifySrtIsolation(binaryPath) {
+  const testBase = "/tmp";
+  const workDir = await mkdtemp(join(testBase, "svamp-iso-work-"));
+  const probeDir = await mkdtemp(join(testBase, "svamp-iso-probe-"));
+  const probeFile = join(probeDir, "leak-test");
+  const settingsFile = join(workDir, "srt-settings.json");
+  try {
+    await writeFile(settingsFile, JSON.stringify({
+      filesystem: {
+        denyRead: [],
+        allowWrite: [workDir],
+        denyWrite: []
+      },
+      network: {
+        allowedDomains: [],
+        deniedDomains: []
+      }
+    }));
+    const testScript = [
+      `echo ok > "${workDir}/test" 2>/dev/null; W=$?`,
+      `echo leak > "${probeFile}" 2>/dev/null; P=$?`,
+      `echo "W=$W P=$P"`
+    ].join("; ");
+    const { stdout } = await execFileAsync(binaryPath, [
+      "--settings",
+      settingsFile,
+      "sh",
+      "-c",
+      testScript
+    ], {
+      timeout: 15e3,
+      env: { ...process.env, PATH: getToolsPath() }
+    });
+    return parseIsolationTestOutput(stdout, probeFile);
+  } catch (e) {
+    return { passed: false, error: e.message };
+  } finally {
+    await rm(workDir, { recursive: true, force: true }).catch(() => {
+    });
+    await rm(probeDir, { recursive: true, force: true }).catch(() => {
+    });
+  }
+}
+async function verifyBwrapIsolation(binaryPath) {
+  const testBase = "/tmp";
+  const workDir = await mkdtemp(join(testBase, "svamp-iso-work-"));
+  const probeDir = await mkdtemp(join(testBase, "svamp-iso-probe-"));
+  const probeFile = join(probeDir, "leak-test");
+  try {
+    const testScript = [
+      `echo ok > "${workDir}/test" 2>/dev/null; W=$?`,
+      `echo leak > "${probeFile}" 2>/dev/null; P=$?`,
+      `echo "W=$W P=$P"`
+    ].join("; ");
+    const { stdout } = await execFileAsync(binaryPath, [
+      "--ro-bind",
+      "/",
+      "/",
+      "--bind",
+      workDir,
+      workDir,
+      "--dev",
+      "/dev",
+      "--proc",
+      "/proc",
+      "--unshare-pid",
+      "--die-with-parent",
+      "--",
+      "sh",
+      "-c",
+      testScript
+    ], { timeout: 15e3 });
+    return parseIsolationTestOutput(stdout, probeFile);
+  } catch (e) {
+    return { passed: false, error: e.message };
+  } finally {
+    await rm(workDir, { recursive: true, force: true }).catch(() => {
+    });
+    await rm(probeDir, { recursive: true, force: true }).catch(() => {
+    });
+  }
+}
+async function verifyContainerIsolation(method, binaryPath) {
+  try {
+    await execFileAsync(binaryPath, ["info"], { timeout: 15e3 });
+  } catch (e) {
+    return { passed: false, error: `${method} daemon not accessible: ${e.message}` };
+  }
+  try {
+    const { stdout } = await execFileAsync(
+      binaryPath,
+      ["run", "--rm", "--network=none", "alpine", "echo", "isolation-ok"],
+      { timeout: 3e4 }
+    );
+    if (!stdout.includes("isolation-ok")) {
+      return { passed: false, error: `container test returned unexpected output: ${stdout.trim()}` };
+    }
+    return { passed: true };
+  } catch (e) {
+    if (e.message?.includes("pull access denied") || e.message?.includes("not found")) {
+      return { passed: true };
+    }
+    return { passed: false, error: `container test failed: ${e.message}` };
+  }
+}
+async function verifyIsolation(method, binaryPath) {
+  switch (method) {
+    case "srt":
+      return verifySrtIsolation(binaryPath);
+    case "bwrap":
+      return verifyBwrapIsolation(binaryPath);
+    case "docker":
+    case "podman":
+      return verifyContainerIsolation(method, binaryPath);
+  }
+}
+async function detectIsolationCapabilities() {
+  const srtEnv = { PATH: getToolsPath() };
+  const checks = {
+    srt: checkCommand("srt", ["--version"], srtEnv),
+    bwrap: checkCommand("bwrap", ["--version"]),
+    docker: checkCommand("docker", ["--version"]),
+    podman: checkCommand("podman", ["--version"])
+  };
+  const checkResults = await Promise.all(
+    Object.entries(checks).map(async ([method, promise]) => {
+      const detail = await promise;
+      return [method, detail];
+    })
+  );
+  const details = Object.fromEntries(checkResults);
+  if (!details.srt.found) {
+    const installed = await installSrt();
+    if (installed) {
+      details.srt = await checkCommand("srt", ["--version"], srtEnv);
+    }
+  }
+  const foundMethods = ISOLATION_PREFERENCE.filter((m) => details[m].found);
+  if (foundMethods.length > 0) {
+    console.log(`[isolation] Found runtimes: ${foundMethods.join(", ")}. Verifying isolation...`);
+    await Promise.all(
+      foundMethods.map(async (method) => {
+        const binaryPath = details[method].path || method;
+        const result = await verifyIsolation(method, binaryPath);
+        details[method].verified = result.passed;
+        if (!result.passed) {
+          details[method].verificationError = result.error;
+          console.warn(
+            `[isolation] WARNING: ${method} found but verification FAILED: ${result.error}. This runtime will NOT be used for isolation.`
+          );
+        } else {
+          console.log(`[isolation] ${method}: verified OK`);
+        }
+      })
+    );
+  }
+  const available = ISOLATION_PREFERENCE.filter(
+    (m) => details[m].found && details[m].verified === true
+  );
+  const preferred = available.length > 0 ? available[0] : null;
+  if (available.length === 0 && foundMethods.length > 0) {
+    console.warn(
+      `[isolation] No isolation runtime passed verification (found: ${foundMethods.join(", ")}). Session sharing will be DISABLED.`
+    );
+  } else if (available.length === 0) {
+    console.log("[isolation] No isolation runtimes found. Session sharing will be unavailable.");
+  } else {
+    console.log(`[isolation] Preferred isolation method: ${preferred}`);
+  }
+  return { available, preferred, details };
+}
+
 const __filename$1 = fileURLToPath(import.meta.url);
 const __dirname$1 = dirname(__filename$1);
 function loadDotEnv() {
@@ -2423,22 +3381,24 @@ function deletePersistedSession(sessionId) {
 function loadPersistedSessions() {
   const sessions = [];
   const index = loadSessionIndex();
+  let indexChanged = false;
   for (const [sessionId, entry] of Object.entries(index)) {
     const filePath = getSessionFilePath(entry.directory, sessionId);
     try {
       const data = JSON.parse(readFileSync$1(filePath, "utf-8"));
       if (data.sessionId && data.directory) {
-        if (data.stopped) {
-          delete index[sessionId];
-        } else {
+        if (!data.stopped) {
           sessions.push(data);
         }
       }
     } catch {
       delete index[sessionId];
+      indexChanged = true;
     }
   }
-  saveSessionIndex(index);
+  if (indexChanged) {
+    saveSessionIndex(index);
+  }
   return sessions;
 }
 function ensureHomeDir() {
@@ -2530,6 +3490,7 @@ async function startDaemon() {
   let isReconnecting = false;
   process.on("SIGINT", () => requestShutdown("os-signal"));
   process.on("SIGTERM", () => requestShutdown("os-signal"));
+  process.on("SIGUSR1", () => requestShutdown("os-signal-cleanup"));
   process.on("uncaughtException", (error) => {
     if (shutdownRequested) return;
     logger.error("Uncaught exception:", error);
@@ -2681,8 +3642,8 @@ async function startDaemon() {
       }
       const sessionId = options.sessionId || randomUUID$1();
       const agentName = options.agent || agentConfig.agent_type || "claude";
-      if (agentName !== "claude" && KNOWN_ACP_AGENTS[agentName]) {
-        return await spawnAcpSession(sessionId, directory, agentName, options, resumeSessionId);
+      if (agentName !== "claude" && (KNOWN_ACP_AGENTS[agentName] || KNOWN_MCP_AGENTS[agentName])) {
+        return await spawnAgentSession(sessionId, directory, agentName, options, resumeSessionId);
       }
       try {
         let parseBashPermission2 = function(permission) {
@@ -2731,8 +3692,19 @@ async function startDaemon() {
               proc.kill(signal);
             }
           });
+        }, buildIsolationConfig2 = function(dir) {
+          if (!sessionMetadata.sharing?.enabled) return null;
+          const method = isolationCapabilities.preferred;
+          if (!method) return null;
+          const detail = isolationCapabilities.details[method];
+          if (!detail.found || detail.verified === false) return null;
+          return {
+            method,
+            binaryPath: detail.path || method,
+            workspacePath: dir
+          };
         };
-        var parseBashPermission = parseBashPermission2, shouldAutoAllow = shouldAutoAllow2, killAndWaitForExit = killAndWaitForExit2;
+        var parseBashPermission = parseBashPermission2, shouldAutoAllow = shouldAutoAllow2, killAndWaitForExit = killAndWaitForExit2, buildIsolationConfig = buildIsolationConfig2;
         let sessionMetadata = {
           path: directory,
           host: os.hostname(),
@@ -2744,7 +3716,8 @@ async function startDaemon() {
           svampToolsDir: join$1(__dirname$1, "..", "tools"),
           startedFromDaemon: true,
           startedBy: "daemon",
-          lifecycleState: resumeSessionId ? "idle" : "starting"
+          lifecycleState: resumeSessionId ? "idle" : "starting",
+          sharing: options.sharing
         };
         let claudeProcess = null;
         const allPersisted = loadPersistedSessions();
@@ -2780,8 +3753,14 @@ async function startDaemon() {
         let turnInitiatedByUser = true;
         let isKillingClaude = false;
         let checkSvampConfig;
+        const CLAUDE_PERMISSION_MODE_MAP = {
+          "auto-approve-all": "bypassPermissions"
+        };
+        const toClaudePermissionMode = (mode) => CLAUDE_PERMISSION_MODE_MAP[mode] || mode;
+        let isolationCleanupFiles = [];
         const spawnClaude = (initialMessage, meta) => {
-          const permissionMode = meta?.permissionMode || agentConfig.default_permission_mode || currentPermissionMode;
+          const rawPermissionMode = meta?.permissionMode || agentConfig.default_permission_mode || currentPermissionMode;
+          const permissionMode = toClaudePermissionMode(rawPermissionMode);
           currentPermissionMode = permissionMode;
           const model = meta?.model || agentConfig.default_model || void 0;
           const appendSystemPrompt = meta?.appendSystemPrompt || agentConfig.append_system_prompt || void 0;
@@ -2799,10 +3778,26 @@ async function startDaemon() {
           if (model) args.push("--model", model);
           if (appendSystemPrompt) args.push("--append-system-prompt", appendSystemPrompt);
           if (claudeResumeId) args.push("--resume", claudeResumeId);
-          logger.log(`[Session ${sessionId}] Spawning Claude: claude ${args.join(" ")} (cwd: ${directory})`);
-          const spawnEnv = { ...process.env };
+          let spawnCommand = "claude";
+          let spawnArgs = args;
+          let extraEnv = {};
+          isolationCleanupFiles = [];
+          const isoConfig = buildIsolationConfig2(directory);
+          if (isoConfig) {
+            const wrapped = wrapWithIsolation(spawnCommand, spawnArgs, isoConfig);
+            spawnCommand = wrapped.command;
+            spawnArgs = wrapped.args;
+            if (wrapped.env) extraEnv = wrapped.env;
+            if (wrapped.cleanupFiles) isolationCleanupFiles = wrapped.cleanupFiles;
+            sessionMetadata = { ...sessionMetadata, isolationMethod: isoConfig.method };
+            logger.log(`[Session ${sessionId}] Isolation: ${isoConfig.method} (binary: ${isoConfig.binaryPath})`);
+          } else {
+            sessionMetadata = { ...sessionMetadata, isolationMethod: void 0 };
+          }
+          logger.log(`[Session ${sessionId}] Spawning Claude: ${spawnCommand} ${spawnArgs.join(" ")} (cwd: ${directory})`);
+          const spawnEnv = { ...process.env, ...extraEnv };
           delete spawnEnv.CLAUDECODE;
-          const child = spawn$1("claude", args, {
+          const child = spawn$1(spawnCommand, spawnArgs, {
             cwd: directory,
             stdio: ["pipe", "pipe", "pipe"],
             env: spawnEnv,
@@ -2812,17 +3807,11 @@ async function startDaemon() {
           logger.log(`[Session ${sessionId}] Claude PID: ${child.pid}, stdin: ${!!child.stdin}, stdout: ${!!child.stdout}, stderr: ${!!child.stderr}`);
           child.on("error", (err) => {
             logger.log(`[Session ${sessionId}] Claude process error: ${err.message}`);
-            sessionService.pushMessage({
-              type: "assistant",
-              content: [{
-                type: "text",
-                text: `Error: Failed to start Claude Code CLI: ${err.message}
-
-Please ensure Claude Code CLI is installed on this machine. You can install it with:
-\`npm install -g @anthropic-ai/claude-code\``
-              }]
-            }, "agent");
-            sessionService.sendKeepAlive(false);
+            sessionService.pushMessage(
+              { type: "message", message: `Agent process exited unexpectedly: ${err.message}. Please ensure Claude Code CLI is installed.` },
+              "event"
+            );
+            sessionService.sendSessionEnd();
           });
           let stdoutBuffer = "";
           let lastErrorMessagePushed = false;
@@ -2924,15 +3913,24 @@ Please ensure Claude Code CLI is installed on this machine. You can install it w
                     }
                   }
                   if (msg.type === "result") {
-                    if (msg.is_error && msg.duration_api_ms === 0) {
+                    if (msg.is_error) {
                       const resultText = msg.result || "";
-                      logger.error(`[Session ${sessionId}] Claude startup failure (no API calls made): "${resultText}"`);
-                      const isLoginIssue = resultText.toLowerCase().includes("login") || resultText.toLowerCase().includes("logged in") || resultText.toLowerCase().includes("auth") || resultText.toLowerCase().includes("api key") || resultText.toLowerCase().includes("unauthorized");
-                      const hint = isLoginIssue ? "\n\nRun `claude login` in your terminal on the machine running the daemon to re-authenticate." : "\n\nCheck that the Claude Code CLI is properly installed and configured.";
-                      const displayMsg = resultText || "Claude Code failed to start without making any API calls.";
+                      logger.error(`[Session ${sessionId}] Claude error (is_error=true, api_ms=${msg.duration_api_ms}): "${resultText}"`);
+                      const lower = resultText.toLowerCase();
+                      const isLoginIssue = lower.includes("login") || lower.includes("logged in") || lower.includes("auth") || lower.includes("api key") || lower.includes("unauthorized");
+                      const isResumeIssue = lower.includes("tool_use.name") || lower.includes("invalid_request") || lower.includes("messages.");
+                      let hint = "";
+                      if (isLoginIssue) {
+                        hint = "\n\nRun `claude login` in your terminal on the machine running the daemon to re-authenticate.";
+                      } else if (isResumeIssue) {
+                        hint = "\n\nThe conversation history may be corrupted. Try starting a fresh session.";
+                      } else {
+                        hint = "\n\nCheck that the Claude Code CLI is properly installed and configured.";
+                      }
+                      const displayMsg = resultText || "Claude Code exited with an error.";
                       sessionService.pushMessage({
                         type: "assistant",
-                        content: [{ type: "text", text: `\u26A0\uFE0F **Claude Code error:** ${displayMsg}${hint}` }]
+                        content: [{ type: "text", text: `**Error:** ${displayMsg}${hint}` }]
                       }, "agent");
                       lastErrorMessagePushed = true;
                     }
@@ -2969,10 +3967,8 @@ Please ensure Claude Code CLI is installed on this machine. You can install it w
                   userMessagePending = false;
                   if (msg.session_id) {
                     claudeResumeId = msg.session_id;
-                    sessionService.updateMetadata({
-                      ...sessionMetadata,
-                      claudeSessionId: msg.session_id
-                    });
+                    sessionMetadata = { ...sessionMetadata, claudeSessionId: msg.session_id };
+                    sessionService.updateMetadata(sessionMetadata);
                     saveSession({
                       sessionId,
                       directory,
@@ -3009,27 +4005,25 @@ Please ensure Claude Code CLI is installed on this machine. You can install it w
           child.on("exit", (code, signal) => {
             logger.log(`[Session ${sessionId}] Claude exited: code=${code}, signal=${signal}`);
             claudeProcess = null;
+            for (const f of isolationCleanupFiles) {
+              fs.rm(f, { force: true }).catch(() => {
+              });
+            }
+            isolationCleanupFiles = [];
             for (const [id, pending] of pendingPermissions) {
               pending.resolve({ behavior: "deny", message: "Claude process exited" });
             }
             pendingPermissions.clear();
             if (code !== 0 && code !== null && !lastErrorMessagePushed) {
-              sessionService.pushMessage({
-                type: "assistant",
-                content: [{
-                  type: "text",
-                  text: `Error: Claude process exited with code ${code}${signal ? ` (signal: ${signal})` : ""}.
-
-This may indicate that Claude Code CLI is not properly installed or configured.`
-                }]
-              }, "agent");
+              sessionService.pushMessage(
+                { type: "message", message: `Agent process exited unexpectedly (code ${code}${signal ? `, signal: ${signal}` : ""})` },
+                "event"
+              );
             }
             lastErrorMessagePushed = false;
-            sessionService.updateMetadata({
-              ...sessionMetadata,
-              lifecycleState: claudeResumeId ? "idle" : "stopped"
-            });
-            sessionService.sendKeepAlive(false);
+            sessionMetadata = { ...sessionMetadata, lifecycleState: claudeResumeId ? "idle" : "stopped" };
+            sessionService.updateMetadata(sessionMetadata);
+            sessionService.sendSessionEnd();
             if (claudeResumeId && !trackedSession.stopped) {
               saveSession({
                 sessionId,
@@ -3053,6 +4047,30 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
           }
           return child;
         };
+        const restartClaudeHandler = async () => {
+          logger.log(`[Session ${sessionId}] Restart Claude requested`);
+          try {
+            if (claudeProcess && claudeProcess.exitCode === null) {
+              isKillingClaude = true;
+              sessionMetadata = { ...sessionMetadata, lifecycleState: "restarting" };
+              sessionService.updateMetadata(sessionMetadata);
+              await killAndWaitForExit2(claudeProcess);
+              isKillingClaude = false;
+            }
+            if (claudeResumeId) {
+              spawnClaude(void 0, { permissionMode: currentPermissionMode });
+              logger.log(`[Session ${sessionId}] Claude respawned with --resume ${claudeResumeId}`);
+              return { success: true, message: "Claude process restarted successfully." };
+            } else {
+              logger.log(`[Session ${sessionId}] No resume ID \u2014 cannot restart`);
+              return { success: false, message: "No session to resume. Send a message to start a new session." };
+            }
+          } catch (err) {
+            isKillingClaude = false;
+            logger.log(`[Session ${sessionId}] Restart failed: ${err.message}`);
+            return { success: false, message: `Restart failed: ${err.message}` };
+          }
+        };
         const sessionService = await registerSessionService(
           server,
           sessionId,
@@ -3080,7 +4098,7 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
                 text = typeof content === "string" ? content : JSON.stringify(content);
               }
               if (msgMeta?.permissionMode) {
-                currentPermissionMode = msgMeta.permissionMode;
+                currentPermissionMode = toClaudePermissionMode(msgMeta.permissionMode);
                 logger.log(`[Session ${sessionId}] Permission mode updated to: ${currentPermissionMode}`);
               }
               if (isKillingClaude) {
@@ -3110,8 +4128,8 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
               const requestId = params.id;
               const pending = pendingPermissions.get(requestId);
               if (params.mode) {
-                logger.log(`[Session ${sessionId}] Permission mode changed to: ${params.mode}`);
-                currentPermissionMode = params.mode;
+                currentPermissionMode = toClaudePermissionMode(params.mode);
+                logger.log(`[Session ${sessionId}] Permission mode changed to: ${currentPermissionMode}`);
               }
               if (params.allowTools && Array.isArray(params.allowTools)) {
                 for (const tool of params.allowTools) {
@@ -3150,32 +4168,7 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
                 spawnClaude(void 0, { permissionMode: mode });
               }
             },
-            onRestartClaude: async () => {
-              logger.log(`[Session ${sessionId}] Restart Claude requested`);
-              try {
-                if (claudeProcess && claudeProcess.exitCode === null) {
-                  isKillingClaude = true;
-                  sessionService.updateMetadata({
-                    ...sessionMetadata,
-                    lifecycleState: "restarting"
-                  });
-                  await killAndWaitForExit2(claudeProcess);
-                  isKillingClaude = false;
-                }
-                if (claudeResumeId) {
-                  spawnClaude(void 0, { permissionMode: currentPermissionMode });
-                  logger.log(`[Session ${sessionId}] Claude respawned with --resume ${claudeResumeId}`);
-                  return { success: true, message: "Claude process restarted successfully." };
-                } else {
-                  logger.log(`[Session ${sessionId}] No resume ID \u2014 cannot restart`);
-                  return { success: false, message: "No session to resume. Send a message to start a new session." };
-                }
-              } catch (err) {
-                isKillingClaude = false;
-                logger.log(`[Session ${sessionId}] Restart failed: ${err.message}`);
-                return { success: false, message: `Restart failed: ${err.message}` };
-              }
-            },
+            onRestartClaude: restartClaudeHandler,
             onKillSession: () => {
               logger.log(`[Session ${sessionId}] Kill session requested`);
               stopSession(sessionId);
@@ -3293,10 +4286,8 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
           }
         };
         pidToTrackedSession.set(process.pid + Math.floor(Math.random() * 1e5), trackedSession);
-        sessionService.updateMetadata({
-          ...sessionMetadata,
-          lifecycleState: "idle"
-        });
+        sessionMetadata = { ...sessionMetadata, lifecycleState: "idle" };
+        sessionService.updateMetadata(sessionMetadata);
         logger.log(`Session ${sessionId} registered on Hypha, waiting for first message to spawn Claude`);
         return {
           type: "success",
@@ -3311,8 +4302,8 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
         };
       }
     };
-    const spawnAcpSession = async (sessionId, directory, agentName, options, resumeSessionId) => {
-      logger.log(`[ACP] Spawning ${agentName} session: ${sessionId}`);
+    const spawnAgentSession = async (sessionId, directory, agentName, options, resumeSessionId) => {
+      logger.log(`[Agent] Spawning ${agentName} session: ${sessionId}`);
       try {
         let parseBashPermission2 = function(permission) {
           if (permission === "Bash") return;
@@ -3353,7 +4344,8 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
           startedFromDaemon: true,
           startedBy: "daemon",
           lifecycleState: "starting",
-          flavor: agentName
+          flavor: agentName,
+          sharing: options.sharing
         };
         let currentPermissionMode = "default";
         const allowedTools = /* @__PURE__ */ new Set();
@@ -3367,7 +4359,7 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
           { controlledByUser: false },
           {
             onUserMessage: (content, meta) => {
-              logger.log(`[ACP Session ${sessionId}] User message received`);
+              logger.log(`[${agentName} Session ${sessionId}] User message received`);
               let text;
               let msgMeta = meta;
               try {
@@ -3387,17 +4379,17 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
               if (msgMeta?.permissionMode) {
                 currentPermissionMode = msgMeta.permissionMode;
               }
-              acpBackend.sendPrompt(sessionId, text).catch((err) => {
-                logger.error(`[ACP Session ${sessionId}] Error sending prompt:`, err);
+              agentBackend.sendPrompt(sessionId, text).catch((err) => {
+                logger.error(`[${agentName} Session ${sessionId}] Error sending prompt:`, err);
               });
             },
             onAbort: () => {
-              logger.log(`[ACP Session ${sessionId}] Abort requested`);
-              acpBackend.cancel(sessionId).catch(() => {
+              logger.log(`[${agentName} Session ${sessionId}] Abort requested`);
+              agentBackend.cancel(sessionId).catch(() => {
               });
             },
             onPermissionResponse: (params) => {
-              logger.log(`[ACP Session ${sessionId}] Permission response:`, JSON.stringify(params));
+              logger.log(`[${agentName} Session ${sessionId}] Permission response:`, JSON.stringify(params));
               const requestId = params.id;
               if (params.mode) currentPermissionMode = params.mode;
               if (params.allowTools && Array.isArray(params.allowTools)) {
@@ -3410,17 +4402,18 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
                 }
               }
               permissionHandler.resolvePermission(requestId, params.approved);
+              agentBackend.respondToPermission?.(requestId, params.approved);
             },
             onSwitchMode: (mode) => {
-              logger.log(`[ACP Session ${sessionId}] Switch mode: ${mode}`);
+              logger.log(`[${agentName} Session ${sessionId}] Switch mode: ${mode}`);
               currentPermissionMode = mode;
             },
             onRestartClaude: async () => {
-              logger.log(`[ACP Session ${sessionId}] Restart agent requested`);
+              logger.log(`[${agentName} Session ${sessionId}] Restart agent requested`);
               return { success: false, message: "Restart is not supported for this agent type." };
             },
             onKillSession: () => {
-              logger.log(`[ACP Session ${sessionId}] Kill session requested`);
+              logger.log(`[${agentName} Session ${sessionId}] Kill session requested`);
               stopSession(sessionId);
             },
             onBash: async (command, cwd) => {
@@ -3522,21 +4515,46 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
           sessionService,
           logger
         );
-        const transportHandler = agentName === "gemini" ? new GeminiTransport() : new DefaultTransport(agentName);
         const permissionHandler = new HyphaPermissionHandler(shouldAutoAllow2, logger.log);
-        const acpConfig = KNOWN_ACP_AGENTS[agentName];
-        const acpBackend = new AcpBackend({
-          agentName,
-          cwd: directory,
-          command: acpConfig.command,
-          args: acpConfig.args,
-          env: options.environmentVariables,
-          permissionHandler,
-          transportHandler,
-          log: logger.log
-        });
+        let agentIsoConfig;
+        if (sessionMetadata.sharing?.enabled && isolationCapabilities.preferred) {
+          const method = isolationCapabilities.preferred;
+          const detail = isolationCapabilities.details[method];
+          if (detail.found && detail.verified !== false) {
+            agentIsoConfig = {
+              method,
+              binaryPath: detail.path || method,
+              workspacePath: directory
+            };
+            sessionMetadata = { ...sessionMetadata, isolationMethod: method };
+            logger.log(`[Agent Session ${sessionId}] Isolation: ${method}`);
+          }
+        }
+        let agentBackend;
+        if (KNOWN_MCP_AGENTS[agentName]) {
+          agentBackend = new CodexMcpBackend({
+            cwd: directory,
+            env: options.environmentVariables,
+            log: logger.log,
+            isolationConfig: agentIsoConfig
+          });
+        } else {
+          const transportHandler = agentName === "gemini" ? new GeminiTransport() : new DefaultTransport(agentName);
+          const acpConfig = KNOWN_ACP_AGENTS[agentName];
+          agentBackend = new AcpBackend({
+            agentName,
+            cwd: directory,
+            command: acpConfig.command,
+            args: acpConfig.args,
+            env: options.environmentVariables,
+            permissionHandler,
+            transportHandler,
+            log: logger.log,
+            isolationConfig: agentIsoConfig
+          });
+        }
         bridgeAcpToSession(
-          acpBackend,
+          agentBackend,
           sessionService,
           () => sessionMetadata,
           (updater) => {
@@ -3555,33 +4573,28 @@ This may indicate that Claude Code CLI is not properly installed or configured.`
           directory,
           resumeSessionId,
           get childProcess() {
-            return acpBackend.getProcess() || void 0;
+            return agentBackend.getProcess?.() || void 0;
           }
         };
         pidToTrackedSession.set(process.pid + Math.floor(Math.random() * 1e5), trackedSession);
-        logger.log(`[ACP Session ${sessionId}] Starting ${agentName} backend...`);
-        acpBackend.startSession().then(() => {
-          logger.log(`[ACP Session ${sessionId}] ${agentName} backend started, waiting for first message`);
+        logger.log(`[Agent Session ${sessionId}] Starting ${agentName} backend...`);
+        agentBackend.startSession().then(() => {
+          logger.log(`[Agent Session ${sessionId}] ${agentName} backend started, waiting for first message`);
         }).catch((err) => {
-          logger.error(`[ACP Session ${sessionId}] Failed to start ${agentName}:`, err);
-          sessionService.pushMessage({
-            type: "assistant",
-            content: [{
-              type: "text",
-              text: `Error: Failed to start ${agentName} agent: ${err.message}
-
-Please ensure the ${agentName} CLI is installed.`
-            }]
-          }, "agent");
-          sessionService.sendKeepAlive(false);
+          logger.error(`[Agent Session ${sessionId}] Failed to start ${agentName}:`, err);
+          sessionService.pushMessage(
+            { type: "message", message: `Agent process exited unexpectedly: ${err.message}. Please ensure the ${agentName} CLI is installed.` },
+            "event"
+          );
+          sessionService.sendSessionEnd();
         });
         return {
           type: "success",
           sessionId,
-          message: `ACP session (${agentName}) registered as svamp-session-${sessionId}`
+          message: `Agent session (${agentName}) registered as svamp-session-${sessionId}`
         };
       } catch (err) {
-        logger.error(`[ACP] Failed to spawn ${agentName} session:`, err);
+        logger.error(`[Agent] Failed to spawn ${agentName} session:`, err);
         return {
           type: "error",
           errorMessage: `Failed to spawn ${agentName} session: ${err.message}`
@@ -3610,6 +4623,25 @@ Please ensure the ${agentName} CLI is installed.`
       logger.log(`Session ${sessionId} not found`);
       return false;
     };
+    const restartSession = async (sessionId) => {
+      for (const session of pidToTrackedSession.values()) {
+        if (session.svampSessionId === sessionId && !session.stopped) {
+          if (session.restartAgent) {
+            return await session.restartAgent();
+          }
+          return { success: false, message: "This session does not support restart." };
+        }
+      }
+      return { success: false, message: `Session ${sessionId} not found or already stopped.` };
+    };
+    let isolationCapabilities;
+    try {
+      isolationCapabilities = await detectIsolationCapabilities();
+      logger.log(`Isolation capabilities: ${isolationCapabilities.available.join(", ") || "none"} (preferred: ${isolationCapabilities.preferred || "none"})`);
+    } catch (err) {
+      logger.log(`Failed to detect isolation capabilities: ${err}`);
+      isolationCapabilities = { available: [], preferred: null, details: { srt: { found: false }, bwrap: { found: false }, docker: { found: false }, podman: { found: false } } };
+    }
     const defaultHomeDir = existsSync$1("/data") ? "/data" : os.homedir();
     const machineMetadata = {
       host: os.hostname(),
@@ -3618,7 +4650,8 @@ Please ensure the ${agentName} CLI is installed.`
       homeDir: defaultHomeDir,
       svampHomeDir: SVAMP_HOME,
       svampLibDir: join$1(__dirname$1, ".."),
-      displayName: process.env.SVAMP_DISPLAY_NAME || void 0
+      displayName: process.env.SVAMP_DISPLAY_NAME || void 0,
+      isolationCapabilities
     };
     const initialDaemonState = {
       status: "running",
@@ -3633,6 +4666,7 @@ Please ensure the ${agentName} CLI is installed.`
       {
         spawnSession,
         stopSession,
+        restartSession,
         requestShutdown: () => requestShutdown("hypha-app"),
         getTrackedSessions: getCurrentChildren
       }
@@ -3727,7 +4761,7 @@ Please ensure the ${agentName} CLI is installed.`
     console.log(`  Service: svamp-machine-${machineId}`);
     console.log(`  Log file: ${logger.logFilePath}`);
     let consecutiveHeartbeatFailures = 0;
-    const MAX_HEARTBEAT_FAILURES = 10;
+    const MAX_HEARTBEAT_FAILURES = 60;
     const heartbeatInterval = setInterval(async () => {
       try {
         const state = readDaemonStateFile();
@@ -3828,16 +4862,22 @@ Please ensure the ${agentName} CLI is installed.`
           }
         }
       }
-      try {
-        const index = loadSessionIndex();
-        for (const [sessionId, entry] of Object.entries(index)) {
-          const filePath = getSessionFilePath(entry.directory, sessionId);
-          if (existsSync$1(filePath)) {
-            const data = JSON.parse(readFileSync$1(filePath, "utf-8"));
-            writeFileSync$1(filePath, JSON.stringify({ ...data, stopped: true }, null, 2), "utf-8");
+      const shouldMarkStopped = source === "os-signal-cleanup";
+      if (shouldMarkStopped) {
+        try {
+          const index = loadSessionIndex();
+          for (const [sessionId, entry] of Object.entries(index)) {
+            const filePath = getSessionFilePath(entry.directory, sessionId);
+            if (existsSync$1(filePath)) {
+              const data = JSON.parse(readFileSync$1(filePath, "utf-8"));
+              writeFileSync$1(filePath, JSON.stringify({ ...data, stopped: true }, null, 2), "utf-8");
+            }
           }
+          logger.log("Marked all sessions as stopped (--cleanup mode)");
+        } catch {
         }
-      } catch {
+      } else {
+        logger.log("Sessions preserved for auto-restore on next start");
       }
       try {
         await machineService.disconnect();
@@ -3873,16 +4913,18 @@ Please ensure the ${agentName} CLI is installed.`
     process.exit(1);
   }
 }
-async function stopDaemon() {
+async function stopDaemon(options) {
   const state = readDaemonStateFile();
   if (!state) {
     console.log("No daemon running");
     return;
   }
+  const signal = options?.cleanup ? "SIGUSR1" : "SIGTERM";
+  const mode = options?.cleanup ? "cleanup (sessions will be stopped)" : "quick (sessions preserved for auto-restore)";
   try {
     process.kill(state.pid, 0);
-    process.kill(state.pid, "SIGTERM");
-    console.log(`Sent SIGTERM to daemon PID ${state.pid}`);
+    process.kill(state.pid, signal);
+    console.log(`Sent ${signal} to daemon PID ${state.pid} \u2014 ${mode}`);
     for (let i = 0; i < 30; i++) {
       await new Promise((r) => setTimeout(r, 100));
       try {