switchroom 0.7.15 → 0.10.0

package/dist/vault/approvals/kernel-server.js

@@ -17,7 +17,7 @@ var __export = (target, all) => {
 var __esm = (fn, res) => () => (fn && (res = fn(fn = 0)), res);
 var __require = /* @__PURE__ */ createRequire(import.meta.url);
 
-// node_modules/zod/v3/helpers/util.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/v3/helpers/util.js
 var util, objectUtil, ZodParsedType, getParsedType = (data) => {
   const t = typeof data;
   switch (t) {
@@ -148,7 +148,7 @@ var init_util = __esm(() => {
   ]);
 });
 
-// node_modules/zod/v3/ZodError.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/v3/ZodError.js
 var ZodIssueCode, quotelessJson = (obj) => {
   const json = JSON.stringify(obj, null, 2);
   return json.replace(/"([^"]+)":/g, "$1:");
@@ -269,7 +269,7 @@ var init_ZodError = __esm(() => {
   };
 });
 
-// node_modules/zod/v3/locales/en.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/v3/locales/en.js
 var errorMap = (issue, _ctx) => {
   let message;
   switch (issue.code) {
@@ -376,7 +376,7 @@ var init_en = __esm(() => {
   en_default = errorMap;
 });
 
-// node_modules/zod/v3/errors.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/v3/errors.js
 function setErrorMap(map) {
   overrideErrorMap = map;
 }
@@ -389,7 +389,7 @@ var init_errors = __esm(() => {
   overrideErrorMap = en_default;
 });
 
-// node_modules/zod/v3/helpers/parseUtil.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/v3/helpers/parseUtil.js
 function addIssueToContext(ctx, issueData) {
   const overrideMap = getErrorMap();
   const issue = makeIssue({
@@ -494,10 +494,10 @@ var init_parseUtil = __esm(() => {
   });
 });
 
-// node_modules/zod/v3/helpers/typeAliases.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/v3/helpers/typeAliases.js
 var init_typeAliases = () => {};
 
-// node_modules/zod/v3/helpers/errorUtil.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/v3/helpers/errorUtil.js
 var errorUtil;
 var init_errorUtil = __esm(() => {
   (function(errorUtil2) {
@@ -506,7 +506,7 @@ var init_errorUtil = __esm(() => {
   })(errorUtil || (errorUtil = {}));
 });
 
-// node_modules/zod/v3/types.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/v3/types.js
 class ParseInputLazyPath {
   constructor(parent, value, path, key) {
     this._cachedPath = [];
@@ -3857,7 +3857,7 @@ var init_types = __esm(() => {
   NEVER = INVALID;
 });
 
-// node_modules/zod/v3/external.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/v3/external.js
 var exports_external = {};
 __export(exports_external, {
   void: () => voidType,
@@ -3977,13 +3977,13 @@ var init_external = __esm(() => {
   init_ZodError();
 });
 
-// node_modules/zod/index.js
+// node_modules/.bun/zod@3.25.76/node_modules/zod/index.js
 var init_zod = __esm(() => {
   init_external();
   init_external();
 });
 
-// node_modules/yaml/dist/nodes/identity.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/identity.js
 var require_identity = __commonJS((exports) => {
   var ALIAS = Symbol.for("yaml.alias");
   var DOC = Symbol.for("yaml.document");
@@ -4037,7 +4037,7 @@ var require_identity = __commonJS((exports) => {
   exports.isSeq = isSeq;
 });
 
-// node_modules/yaml/dist/visit.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/visit.js
 var require_visit = __commonJS((exports) => {
   var identity = require_identity();
   var BREAK = Symbol("break visit");
@@ -4192,7 +4192,7 @@ var require_visit = __commonJS((exports) => {
   exports.visitAsync = visitAsync;
 });
 
-// node_modules/yaml/dist/doc/directives.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/doc/directives.js
 var require_directives = __commonJS((exports) => {
   var identity = require_identity();
   var visit = require_visit();
@@ -4344,7 +4344,7 @@ var require_directives = __commonJS((exports) => {
   exports.Directives = Directives;
 });
 
-// node_modules/yaml/dist/doc/anchors.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/doc/anchors.js
 var require_anchors = __commonJS((exports) => {
   var identity = require_identity();
   var visit = require_visit();
@@ -4406,7 +4406,7 @@ var require_anchors = __commonJS((exports) => {
   exports.findNewAnchor = findNewAnchor;
 });
 
-// node_modules/yaml/dist/doc/applyReviver.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/doc/applyReviver.js
 var require_applyReviver = __commonJS((exports) => {
   function applyReviver(reviver, obj, key, val) {
     if (val && typeof val === "object") {
@@ -4453,7 +4453,7 @@ var require_applyReviver = __commonJS((exports) => {
   exports.applyReviver = applyReviver;
 });
 
-// node_modules/yaml/dist/nodes/toJS.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/toJS.js
 var require_toJS = __commonJS((exports) => {
   var identity = require_identity();
   function toJS(value, arg, ctx) {
@@ -4480,7 +4480,7 @@ var require_toJS = __commonJS((exports) => {
   exports.toJS = toJS;
 });
 
-// node_modules/yaml/dist/nodes/Node.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/Node.js
 var require_Node = __commonJS((exports) => {
   var applyReviver = require_applyReviver();
   var identity = require_identity();
@@ -4517,7 +4517,7 @@ var require_Node = __commonJS((exports) => {
   exports.NodeBase = NodeBase;
 });
 
-// node_modules/yaml/dist/nodes/Alias.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/Alias.js
 var require_Alias = __commonJS((exports) => {
   var anchors = require_anchors();
   var visit = require_visit();
@@ -4625,7 +4625,7 @@ var require_Alias = __commonJS((exports) => {
   exports.Alias = Alias;
 });
 
-// node_modules/yaml/dist/nodes/Scalar.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/Scalar.js
 var require_Scalar = __commonJS((exports) => {
   var identity = require_identity();
   var Node = require_Node();
@@ -4653,7 +4653,7 @@ var require_Scalar = __commonJS((exports) => {
   exports.isScalarValue = isScalarValue;
 });
 
-// node_modules/yaml/dist/doc/createNode.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/doc/createNode.js
 var require_createNode = __commonJS((exports) => {
   var Alias = require_Alias();
   var identity = require_identity();
@@ -4725,7 +4725,7 @@ var require_createNode = __commonJS((exports) => {
   exports.createNode = createNode;
 });
 
-// node_modules/yaml/dist/nodes/Collection.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/Collection.js
 var require_Collection = __commonJS((exports) => {
   var createNode = require_createNode();
   var identity = require_identity();
@@ -4840,7 +4840,7 @@ var require_Collection = __commonJS((exports) => {
   exports.isEmptyPath = isEmptyPath;
 });
 
-// node_modules/yaml/dist/stringify/stringifyComment.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/stringify/stringifyComment.js
 var require_stringifyComment = __commonJS((exports) => {
   var stringifyComment = (str) => str.replace(/^(?!$)(?: $)?/gm, "#");
   function indentComment(comment, indent) {
@@ -4857,7 +4857,7 @@ var require_stringifyComment = __commonJS((exports) => {
   exports.stringifyComment = stringifyComment;
 });
 
-// node_modules/yaml/dist/stringify/foldFlowLines.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/stringify/foldFlowLines.js
 var require_foldFlowLines = __commonJS((exports) => {
   var FOLD_FLOW = "flow";
   var FOLD_BLOCK = "block";
@@ -4994,7 +4994,7 @@ ${indent}${text.slice(fold + 1, end2)}`;
   exports.foldFlowLines = foldFlowLines;
 });
 
-// node_modules/yaml/dist/stringify/stringifyString.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/stringify/stringifyString.js
 var require_stringifyString = __commonJS((exports) => {
   var Scalar = require_Scalar();
   var foldFlowLines = require_foldFlowLines();
@@ -5292,7 +5292,7 @@ ${indent}`);
   exports.stringifyString = stringifyString;
 });
 
-// node_modules/yaml/dist/stringify/stringify.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/stringify/stringify.js
 var require_stringify = __commonJS((exports) => {
   var anchors = require_anchors();
   var identity = require_identity();
@@ -5413,7 +5413,7 @@ ${ctx.indent}${str}`;
   exports.stringify = stringify;
 });
 
-// node_modules/yaml/dist/stringify/stringifyPair.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/stringify/stringifyPair.js
 var require_stringifyPair = __commonJS((exports) => {
   var identity = require_identity();
   var Scalar = require_Scalar();
@@ -5549,7 +5549,7 @@ ${ctx.indent}`;
   exports.stringifyPair = stringifyPair;
 });
 
-// node_modules/yaml/dist/log.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/log.js
 var require_log = __commonJS((exports) => {
   var node_process = __require("process");
   function debug(logLevel, ...messages) {
@@ -5568,7 +5568,7 @@ var require_log = __commonJS((exports) => {
   exports.warn = warn;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/merge.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/merge.js
 var require_merge = __commonJS((exports) => {
   var identity = require_identity();
   var Scalar = require_Scalar();
@@ -5622,7 +5622,7 @@ var require_merge = __commonJS((exports) => {
   exports.merge = merge;
 });
 
-// node_modules/yaml/dist/nodes/addPairToJSMap.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/addPairToJSMap.js
 var require_addPairToJSMap = __commonJS((exports) => {
   var log = require_log();
   var merge = require_merge();
@@ -5683,7 +5683,7 @@ var require_addPairToJSMap = __commonJS((exports) => {
   exports.addPairToJSMap = addPairToJSMap;
 });
 
-// node_modules/yaml/dist/nodes/Pair.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/Pair.js
 var require_Pair = __commonJS((exports) => {
   var createNode = require_createNode();
   var stringifyPair = require_stringifyPair();
@@ -5721,7 +5721,7 @@ var require_Pair = __commonJS((exports) => {
   exports.createPair = createPair;
 });
 
-// node_modules/yaml/dist/stringify/stringifyCollection.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/stringify/stringifyCollection.js
 var require_stringifyCollection = __commonJS((exports) => {
   var identity = require_identity();
   var stringify = require_stringify();
@@ -5873,7 +5873,7 @@ ${indent}${end}`;
   exports.stringifyCollection = stringifyCollection;
 });
 
-// node_modules/yaml/dist/nodes/YAMLMap.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/YAMLMap.js
 var require_YAMLMap = __commonJS((exports) => {
   var stringifyCollection = require_stringifyCollection();
   var addPairToJSMap = require_addPairToJSMap();
@@ -6000,7 +6000,7 @@ var require_YAMLMap = __commonJS((exports) => {
   exports.findPair = findPair;
 });
 
-// node_modules/yaml/dist/schema/common/map.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/common/map.js
 var require_map = __commonJS((exports) => {
   var identity = require_identity();
   var YAMLMap = require_YAMLMap();
@@ -6019,7 +6019,7 @@ var require_map = __commonJS((exports) => {
   exports.map = map;
 });
 
-// node_modules/yaml/dist/nodes/YAMLSeq.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/nodes/YAMLSeq.js
 var require_YAMLSeq = __commonJS((exports) => {
   var createNode = require_createNode();
   var stringifyCollection = require_stringifyCollection();
@@ -6112,7 +6112,7 @@ var require_YAMLSeq = __commonJS((exports) => {
   exports.YAMLSeq = YAMLSeq;
 });
 
-// node_modules/yaml/dist/schema/common/seq.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/common/seq.js
 var require_seq = __commonJS((exports) => {
   var identity = require_identity();
   var YAMLSeq = require_YAMLSeq();
@@ -6131,7 +6131,7 @@ var require_seq = __commonJS((exports) => {
   exports.seq = seq;
 });
 
-// node_modules/yaml/dist/schema/common/string.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/common/string.js
 var require_string = __commonJS((exports) => {
   var stringifyString = require_stringifyString();
   var string = {
@@ -6147,7 +6147,7 @@ var require_string = __commonJS((exports) => {
   exports.string = string;
 });
 
-// node_modules/yaml/dist/schema/common/null.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/common/null.js
 var require_null = __commonJS((exports) => {
   var Scalar = require_Scalar();
   var nullTag = {
@@ -6162,7 +6162,7 @@ var require_null = __commonJS((exports) => {
   exports.nullTag = nullTag;
 });
 
-// node_modules/yaml/dist/schema/core/bool.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/core/bool.js
 var require_bool = __commonJS((exports) => {
   var Scalar = require_Scalar();
   var boolTag = {
@@ -6183,7 +6183,7 @@ var require_bool = __commonJS((exports) => {
   exports.boolTag = boolTag;
 });
 
-// node_modules/yaml/dist/stringify/stringifyNumber.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/stringify/stringifyNumber.js
 var require_stringifyNumber = __commonJS((exports) => {
   function stringifyNumber({ format, minFractionDigits, tag, value }) {
     if (typeof value === "bigint")
@@ -6207,7 +6207,7 @@ var require_stringifyNumber = __commonJS((exports) => {
   exports.stringifyNumber = stringifyNumber;
 });
 
-// node_modules/yaml/dist/schema/core/float.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/core/float.js
 var require_float = __commonJS((exports) => {
   var Scalar = require_Scalar();
   var stringifyNumber = require_stringifyNumber();
@@ -6250,7 +6250,7 @@ var require_float = __commonJS((exports) => {
   exports.floatNaN = floatNaN;
 });
 
-// node_modules/yaml/dist/schema/core/int.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/core/int.js
 var require_int = __commonJS((exports) => {
   var stringifyNumber = require_stringifyNumber();
   var intIdentify = (value) => typeof value === "bigint" || Number.isInteger(value);
@@ -6292,7 +6292,7 @@ var require_int = __commonJS((exports) => {
   exports.intOct = intOct;
 });
 
-// node_modules/yaml/dist/schema/core/schema.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/core/schema.js
 var require_schema = __commonJS((exports) => {
   var map = require_map();
   var _null = require_null();
@@ -6317,7 +6317,7 @@ var require_schema = __commonJS((exports) => {
   exports.schema = schema;
 });
 
-// node_modules/yaml/dist/schema/json/schema.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/json/schema.js
 var require_schema2 = __commonJS((exports) => {
   var Scalar = require_Scalar();
   var map = require_map();
@@ -6381,7 +6381,7 @@ var require_schema2 = __commonJS((exports) => {
   exports.schema = schema;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/binary.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/binary.js
 var require_binary = __commonJS((exports) => {
   var node_buffer = __require("buffer");
   var Scalar = require_Scalar();
@@ -6436,7 +6436,7 @@ var require_binary = __commonJS((exports) => {
   exports.binary = binary;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/pairs.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/pairs.js
 var require_pairs = __commonJS((exports) => {
   var identity = require_identity();
   var Pair = require_Pair();
@@ -6511,7 +6511,7 @@ ${cn.comment}` : item.comment;
   exports.resolvePairs = resolvePairs;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/omap.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/omap.js
 var require_omap = __commonJS((exports) => {
   var identity = require_identity();
   var toJS = require_toJS();
@@ -6583,7 +6583,7 @@ var require_omap = __commonJS((exports) => {
   exports.omap = omap;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/bool.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/bool.js
 var require_bool2 = __commonJS((exports) => {
   var Scalar = require_Scalar();
   function boolStringify({ value, source }, ctx) {
@@ -6612,7 +6612,7 @@ var require_bool2 = __commonJS((exports) => {
   exports.trueTag = trueTag;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/float.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/float.js
 var require_float2 = __commonJS((exports) => {
   var Scalar = require_Scalar();
   var stringifyNumber = require_stringifyNumber();
@@ -6658,7 +6658,7 @@ var require_float2 = __commonJS((exports) => {
   exports.floatNaN = floatNaN;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/int.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/int.js
 var require_int2 = __commonJS((exports) => {
   var stringifyNumber = require_stringifyNumber();
   var intIdentify = (value) => typeof value === "bigint" || Number.isInteger(value);
@@ -6734,7 +6734,7 @@ var require_int2 = __commonJS((exports) => {
   exports.intOct = intOct;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/set.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/set.js
 var require_set = __commonJS((exports) => {
   var identity = require_identity();
   var Pair = require_Pair();
@@ -6817,7 +6817,7 @@ var require_set = __commonJS((exports) => {
   exports.set = set;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/timestamp.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/timestamp.js
 var require_timestamp = __commonJS((exports) => {
   var stringifyNumber = require_stringifyNumber();
   function parseSexagesimal(str, asBigInt) {
@@ -6899,7 +6899,7 @@ var require_timestamp = __commonJS((exports) => {
   exports.timestamp = timestamp;
 });
 
-// node_modules/yaml/dist/schema/yaml-1.1/schema.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/yaml-1.1/schema.js
 var require_schema3 = __commonJS((exports) => {
   var map = require_map();
   var _null = require_null();
@@ -6940,7 +6940,7 @@ var require_schema3 = __commonJS((exports) => {
   exports.schema = schema;
 });
 
-// node_modules/yaml/dist/schema/tags.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/tags.js
 var require_tags = __commonJS((exports) => {
   var map = require_map();
   var _null = require_null();
@@ -7031,7 +7031,7 @@ var require_tags = __commonJS((exports) => {
   exports.getTags = getTags;
 });
 
-// node_modules/yaml/dist/schema/Schema.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/schema/Schema.js
 var require_Schema = __commonJS((exports) => {
   var identity = require_identity();
   var map = require_map();
@@ -7061,7 +7061,7 @@ var require_Schema = __commonJS((exports) => {
   exports.Schema = Schema;
 });
 
-// node_modules/yaml/dist/stringify/stringifyDocument.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/stringify/stringifyDocument.js
 var require_stringifyDocument = __commonJS((exports) => {
   var identity = require_identity();
   var stringify = require_stringify();
@@ -7141,7 +7141,7 @@ var require_stringifyDocument = __commonJS((exports) => {
   exports.stringifyDocument = stringifyDocument;
 });
 
-// node_modules/yaml/dist/doc/Document.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/doc/Document.js
 var require_Document = __commonJS((exports) => {
   var Alias = require_Alias();
   var Collection = require_Collection();
@@ -7376,7 +7376,7 @@ var require_Document = __commonJS((exports) => {
   exports.Document = Document;
 });
 
-// node_modules/yaml/dist/errors.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/errors.js
 var require_errors = __commonJS((exports) => {
   class YAMLError extends Error {
     constructor(name, pos, code, message) {
@@ -7441,7 +7441,7 @@ ${pointer}
   exports.prettifyError = prettifyError;
 });
 
-// node_modules/yaml/dist/compose/resolve-props.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/resolve-props.js
 var require_resolve_props = __commonJS((exports) => {
   function resolveProps(tokens, { flow, indicator, next, offset, onError, parentIndent, startOnNewline }) {
     let spaceBefore = false;
@@ -7571,7 +7571,7 @@ var require_resolve_props = __commonJS((exports) => {
   exports.resolveProps = resolveProps;
 });
 
-// node_modules/yaml/dist/compose/util-contains-newline.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/util-contains-newline.js
 var require_util_contains_newline = __commonJS((exports) => {
   function containsNewline(key) {
     if (!key)
@@ -7611,7 +7611,7 @@ var require_util_contains_newline = __commonJS((exports) => {
   exports.containsNewline = containsNewline;
 });
 
-// node_modules/yaml/dist/compose/util-flow-indent-check.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/util-flow-indent-check.js
 var require_util_flow_indent_check = __commonJS((exports) => {
   var utilContainsNewline = require_util_contains_newline();
   function flowIndentCheck(indent, fc, onError) {
@@ -7626,7 +7626,7 @@ var require_util_flow_indent_check = __commonJS((exports) => {
   exports.flowIndentCheck = flowIndentCheck;
 });
 
-// node_modules/yaml/dist/compose/util-map-includes.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/util-map-includes.js
 var require_util_map_includes = __commonJS((exports) => {
   var identity = require_identity();
   function mapIncludes(ctx, items, search) {
@@ -7639,7 +7639,7 @@ var require_util_map_includes = __commonJS((exports) => {
   exports.mapIncludes = mapIncludes;
 });
 
-// node_modules/yaml/dist/compose/resolve-block-map.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/resolve-block-map.js
 var require_resolve_block_map = __commonJS((exports) => {
   var Pair = require_Pair();
   var YAMLMap = require_YAMLMap();
@@ -7746,7 +7746,7 @@ var require_resolve_block_map = __commonJS((exports) => {
   exports.resolveBlockMap = resolveBlockMap;
 });
 
-// node_modules/yaml/dist/compose/resolve-block-seq.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/resolve-block-seq.js
 var require_resolve_block_seq = __commonJS((exports) => {
   var YAMLSeq = require_YAMLSeq();
   var resolveProps = require_resolve_props();
@@ -7794,7 +7794,7 @@ var require_resolve_block_seq = __commonJS((exports) => {
   exports.resolveBlockSeq = resolveBlockSeq;
 });
 
-// node_modules/yaml/dist/compose/resolve-end.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/resolve-end.js
 var require_resolve_end = __commonJS((exports) => {
   function resolveEnd(end, offset, reqSpace, onError) {
     let comment = "";
@@ -7834,7 +7834,7 @@ var require_resolve_end = __commonJS((exports) => {
   exports.resolveEnd = resolveEnd;
 });
 
-// node_modules/yaml/dist/compose/resolve-flow-collection.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/resolve-flow-collection.js
 var require_resolve_flow_collection = __commonJS((exports) => {
   var identity = require_identity();
   var Pair = require_Pair();
@@ -8025,7 +8025,7 @@ var require_resolve_flow_collection = __commonJS((exports) => {
   exports.resolveFlowCollection = resolveFlowCollection;
 });
 
-// node_modules/yaml/dist/compose/compose-collection.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/compose-collection.js
 var require_compose_collection = __commonJS((exports) => {
   var identity = require_identity();
   var Scalar = require_Scalar();
@@ -8087,7 +8087,7 @@ var require_compose_collection = __commonJS((exports) => {
   exports.composeCollection = composeCollection;
 });
 
-// node_modules/yaml/dist/compose/resolve-block-scalar.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/resolve-block-scalar.js
 var require_resolve_block_scalar = __commonJS((exports) => {
   var Scalar = require_Scalar();
   function resolveBlockScalar(ctx, scalar, onError) {
@@ -8280,7 +8280,7 @@ var require_resolve_block_scalar = __commonJS((exports) => {
   exports.resolveBlockScalar = resolveBlockScalar;
 });
 
-// node_modules/yaml/dist/compose/resolve-flow-scalar.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/resolve-flow-scalar.js
 var require_resolve_flow_scalar = __commonJS((exports) => {
   var Scalar = require_Scalar();
   var resolveEnd = require_resolve_end();
@@ -8496,7 +8496,7 @@ var require_resolve_flow_scalar = __commonJS((exports) => {
   exports.resolveFlowScalar = resolveFlowScalar;
 });
 
-// node_modules/yaml/dist/compose/compose-scalar.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/compose-scalar.js
 var require_compose_scalar = __commonJS((exports) => {
   var identity = require_identity();
   var Scalar = require_Scalar();
@@ -8574,7 +8574,7 @@ var require_compose_scalar = __commonJS((exports) => {
   exports.composeScalar = composeScalar;
 });
 
-// node_modules/yaml/dist/compose/util-empty-scalar-position.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/util-empty-scalar-position.js
 var require_util_empty_scalar_position = __commonJS((exports) => {
   function emptyScalarPosition(offset, before, pos) {
     if (before) {
@@ -8601,7 +8601,7 @@ var require_util_empty_scalar_position = __commonJS((exports) => {
   exports.emptyScalarPosition = emptyScalarPosition;
 });
 
-// node_modules/yaml/dist/compose/compose-node.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/compose-node.js
 var require_compose_node = __commonJS((exports) => {
   var Alias = require_Alias();
   var identity = require_identity();
@@ -8704,7 +8704,7 @@ var require_compose_node = __commonJS((exports) => {
   exports.composeNode = composeNode;
 });
 
-// node_modules/yaml/dist/compose/compose-doc.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/compose-doc.js
 var require_compose_doc = __commonJS((exports) => {
   var Document = require_Document();
   var composeNode = require_compose_node();
@@ -8744,7 +8744,7 @@ var require_compose_doc = __commonJS((exports) => {
   exports.composeDoc = composeDoc;
 });
 
-// node_modules/yaml/dist/compose/composer.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/compose/composer.js
 var require_composer = __commonJS((exports) => {
   var node_process = __require("process");
   var directives = require_directives();
@@ -8933,7 +8933,7 @@ ${end.comment}` : end.comment;
   exports.Composer = Composer;
 });
 
-// node_modules/yaml/dist/parse/cst-scalar.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/parse/cst-scalar.js
 var require_cst_scalar = __commonJS((exports) => {
   var resolveBlockScalar = require_resolve_block_scalar();
   var resolveFlowScalar = require_resolve_flow_scalar();
@@ -9123,7 +9123,7 @@ var require_cst_scalar = __commonJS((exports) => {
   exports.setScalarValue = setScalarValue;
 });
 
-// node_modules/yaml/dist/parse/cst-stringify.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/parse/cst-stringify.js
 var require_cst_stringify = __commonJS((exports) => {
   var stringify = (cst) => ("type" in cst) ? stringifyToken(cst) : stringifyItem(cst);
   function stringifyToken(token) {
@@ -9181,7 +9181,7 @@ var require_cst_stringify = __commonJS((exports) => {
   exports.stringify = stringify;
 });
 
-// node_modules/yaml/dist/parse/cst-visit.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/parse/cst-visit.js
 var require_cst_visit = __commonJS((exports) => {
   var BREAK = Symbol("break visit");
   var SKIP = Symbol("skip children");
@@ -9240,7 +9240,7 @@ var require_cst_visit = __commonJS((exports) => {
   exports.visit = visit;
 });
 
-// node_modules/yaml/dist/parse/cst.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/parse/cst.js
 var require_cst = __commonJS((exports) => {
   var cstScalar = require_cst_scalar();
   var cstStringify = require_cst_stringify();
@@ -9341,7 +9341,7 @@ var require_cst = __commonJS((exports) => {
   exports.tokenType = tokenType;
 });
 
-// node_modules/yaml/dist/parse/lexer.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/parse/lexer.js
 var require_lexer = __commonJS((exports) => {
   var cst = require_cst();
   function isEmpty(ch) {
@@ -9927,7 +9927,7 @@ var require_lexer = __commonJS((exports) => {
   exports.Lexer = Lexer;
 });
 
-// node_modules/yaml/dist/parse/line-counter.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/parse/line-counter.js
 var require_line_counter = __commonJS((exports) => {
   class LineCounter {
     constructor() {
@@ -9955,7 +9955,7 @@ var require_line_counter = __commonJS((exports) => {
   exports.LineCounter = LineCounter;
 });
 
-// node_modules/yaml/dist/parse/parser.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/parse/parser.js
 var require_parser = __commonJS((exports) => {
   var node_process = __require("process");
   var cst = require_cst();
@@ -10804,7 +10804,7 @@ var require_parser = __commonJS((exports) => {
   exports.Parser = Parser;
 });
 
-// node_modules/yaml/dist/public-api.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/public-api.js
 var require_public_api = __commonJS((exports) => {
   var composer = require_composer();
   var Document = require_Document();
@@ -10898,7 +10898,7 @@ var require_public_api = __commonJS((exports) => {
   exports.stringify = stringify;
 });
 
-// node_modules/yaml/dist/index.js
+// node_modules/.bun/yaml@2.8.3/node_modules/yaml/dist/index.js
 var composer, Document, Schema, errors2, Alias, identity, Pair, Scalar, YAMLMap, YAMLSeq, cst, lexer, lineCounter, parser, publicApi, visit, $Composer, $Document, $Schema, $YAMLError, $YAMLParseError, $YAMLWarning, $Alias, $isAlias, $isCollection, $isDocument, $isMap, $isNode, $isPair, $isScalar, $isSeq, $Pair, $Scalar, $YAMLMap, $YAMLSeq, $Lexer, $LineCounter, $Parser, $parse, $parseAllDocuments, $parseDocument, $stringify, $visit, $visitAsync;
 var init_dist = __esm(() => {
   composer = require_composer();
@@ -10948,7 +10948,7 @@ var init_dist = __esm(() => {
 });
 
 // src/config/schema.ts
-var CodeRepoEntrySchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, DriveConfigSchema, AgentDriveConfigSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, SwitchroomConfigSchema;
+var CodeRepoEntrySchema, AgentBindMountSchema, ScheduleEntrySchema, AgentSoulSchema, AgentToolsSchema, AgentMemorySchema, HookEntrySchema, AgentHooksSchema, SubagentSchema, SessionSchema, SessionContinuitySchema, TelegramChannelSchema, ChannelsSchema, TIMEZONE_REGEX, ApproverIdSchema, GoogleWorkspaceTierSchema, GoogleWorkspaceConfigSchema, AgentGoogleWorkspaceConfigSchema, ReactionsSchema, profileFields, ProfileSchema, _omitExtends, defaultsFields, AgentDefaultsSchema, AgentSchema, TelegramConfigSchema, MemoryBackendConfigSchema, VaultConfigSchema, QuotaConfigSchema, HostControlConfigSchema, SwitchroomConfigSchema;
 var init_schema = __esm(() => {
   init_zod();
   CodeRepoEntrySchema = exports_external.object({
@@ -10956,10 +10956,15 @@ var init_schema = __esm(() => {
     source: exports_external.string().describe("Absolute or home-relative path to the repo (e.g. ~/code/switchroom)"),
     concurrency: exports_external.number().int().positive().optional().describe("Max simultaneous worktrees for this repo (default 5)")
   });
+  AgentBindMountSchema = exports_external.object({
+    source: exports_external.string().describe("Absolute host path to bind-mount into the container. Tilde-expansion " + "is not performed — use the literal absolute path (e.g. " + "'/home/me/code/switchroom'). The compose generator refuses sources " + "under system paths (/, /etc, /proc, /sys, /dev, /run, /var/run, " + "/boot, /var/lib/docker) and the docker socket."),
+    target: exports_external.string().optional().describe("Container path the source mounts to. Must be absolute. Defaults to " + "the same path as `source` (matches switchroom's existing dual-mount " + "convention so absolute paths in scaffolded scripts Just Work)."),
+    mode: exports_external.enum(["ro", "rw"]).optional().describe("Read-only (default) or read-write. Use `rw` only when the agent " + "must mutate the host path (e.g. editing switchroom source). " + "Default: 'ro'.")
+  });
   ScheduleEntrySchema = exports_external.object({
     cron: exports_external.string().describe("Cron expression (e.g., '0 8 * * *')"),
     prompt: exports_external.string().describe("Prompt to send at the scheduled time"),
-    model: exports_external.string().optional().describe("Model for this task. Defaults to claude-sonnet-4-6 (cheap, fast). " + "Use claude-opus-4-6 for tasks needing complex reasoning."),
+    model: exports_external.string().optional().describe("Model for this task. Defaults to claude-sonnet-4-6 (cheap, fast). " + "Use claude-opus-4-7 for tasks needing complex reasoning."),
     secrets: exports_external.array(exports_external.string().regex(/^[a-zA-Z0-9_\-/]+$/, "Secret key names must contain only alphanumeric characters, underscores, hyphens, and forward slashes")).default([]).describe("Vault key names this cron task may read via the vault-broker daemon. " + "Empty by default — broker requests for unlisted keys are denied. " + "Note: this is misconfiguration protection (a typo in cron-A doesn't " + "accidentally read cron-B's keys) rather than a security boundary — " + "anyone who can edit cron scripts can also edit switchroom.yaml, and " + "anyone with the vault passphrase can read the vault file directly. " + "See docs/configuration.md for the full framing.")
   });
   AgentSoulSchema = exports_external.object({
@@ -10999,7 +11004,7 @@ var init_schema = __esm(() => {
     SessionEnd: exports_external.array(HookEntrySchema).optional()
   }).catchall(exports_external.array(HookEntrySchema)).optional();
   SubagentSchema = exports_external.object({
-    description: exports_external.string().describe("When the main agent should delegate to this sub-agent"),
+    description: exports_external.string().optional().describe("When the main agent should delegate to this sub-agent"),
     model: exports_external.string().optional().describe("Model: 'sonnet', 'opus', 'haiku', full ID, or 'inherit' (default)"),
     background: exports_external.boolean().optional().describe("Run in background by default (non-blocking). Default false"),
     isolation: exports_external.enum(["worktree"]).optional().describe("'worktree' gives the sub-agent its own git branch"),
@@ -11036,10 +11041,6 @@ var init_schema = __esm(() => {
     deferred_completion_timeout_ms: exports_external.number().int().nonnegative().optional().describe("Force-close timeout (ms) for deferred sub-agent completion. After " + "the parent turn_end arrives while sub-agents are still running, the " + "card is force-closed after this many ms even if sub-agents never " + "finish. Watcher-disconnect safety net. Default 180000 (3 min)."),
     sub_agent_tick_interval_ms: exports_external.number().int().nonnegative().optional().describe("Heartbeat tick interval (ms) for sub-agent rendering. Forces a " + "re-render of the elapsed-time counter while sub-agents are running, " + "even during silent stretches between tool calls. Default 10000 (10 s). " + "Set to 0 to disable the elapsed-ticker path."),
     edit_budget_threshold: exports_external.number().int().nonnegative().optional().describe("Telegram API edit budget per minute before the progress-card driver " + "falls back to a slower coalesce window. When a chat accumulates more " + "than this many card edits in the trailing 60 s, the driver switches " + "to a wider coalesce interval until the rate drops back. Default 18. " + "Increase if your gateway frequently bumps the Telegram edit-rate ceiling " + "with many parallel sub-agents; decrease for a more conservative buffer."),
-    progress_card: exports_external.object({
-      delay_ms: exports_external.number().int().nonnegative().optional().describe("First-render delay (ms) for the pinned progress card (#842). The " + "driver buffers SessionEvents for this long after the turn starts; " + "if the turn ends before the threshold trips, no card is ever " + "posted. When the threshold trips, the card renders the full " + "buffered event stream and the live-update loop takes over. " + "Default 45000 (45 s). Set to 0 for the legacy immediate-render " + "behaviour."),
-      delay_ms_background: exports_external.number().int().nonnegative().optional().describe("First-render delay (ms) override for explicit background " + "sub-agent dispatches (#842). When the agent calls " + "`Agent({ run_in_background: true })`, the card is promoted out " + "of the suppression window using this delay instead of " + "`delay_ms`. Default 0 (immediate render — backgrounded work " + "should be visible right away).")
-    }).optional().describe("Progress-card first-render gating (#842). Defers the card until the " + "turn looks meaningful — short turns never flash a card at all."),
     stickers: exports_external.record(exports_external.string(), exports_external.string()).optional().describe("Sticker aliases for the `send_sticker` MCP tool (#576). Maps a " + "short alias name (e.g. 'happy', 'thinking') to a Telegram file_id. " + "Operator-curated — capture file_ids from inbound stickers the user " + "sends and add them here. The agent calls send_sticker(chat_id, " + "alias='happy') and the gateway resolves to the file_id at send " + "time. Aliases enable persona-flavored expressiveness without " + "exposing raw file_ids in the agent prompt. Personal-assistant / " + "health-coach personas benefit; coding agents typically don't " + "configure any."),
     voice_in: exports_external.object({
       enabled: exports_external.boolean().optional().describe("Master switch for voice-message transcription."),
@@ -11082,13 +11083,27 @@ var init_schema = __esm(() => {
   }).optional();
   TIMEZONE_REGEX = /^UTC$|^[A-Z][A-Za-z0-9_+-]+(\/[A-Z][A-Za-z0-9_+-]+){1,2}$/;
   ApproverIdSchema = exports_external.union([exports_external.number(), exports_external.string().regex(/^\d+$/)]);
-  DriveConfigSchema = exports_external.object({
+  GoogleWorkspaceTierSchema = exports_external.enum([
+    "core",
+    "extended",
+    "complete"
+  ]);
+  GoogleWorkspaceConfigSchema = exports_external.object({
     google_client_id: exports_external.string().min(1).describe("Google OAuth client ID (literal string or vault reference e.g. 'vault:google-oauth-client-id')"),
     google_client_secret: exports_external.string().min(1).describe("Google OAuth client secret (literal string or vault reference e.g. 'vault:google-oauth-client-secret')"),
-    approvers: exports_external.array(ApproverIdSchema).min(1).describe("Array of numeric Telegram user IDs authorized to approve drive onboarding. " + "At least one must be specified.")
+    approvers: exports_external.array(ApproverIdSchema).min(1).describe("Array of numeric Telegram user IDs authorized to approve drive onboarding. " + "At least one must be specified."),
+    tier: GoogleWorkspaceTierSchema.optional().describe("RFC G Phase 1: which upstream MCP tier to expose. " + "core (default) = ~16 tools (Drive+Docs+Sheets+Calendar). " + "extended = ~40 tools (+Slides, Forms, Tasks, Chat). " + "complete = ~60+ tools (+Gmail; not recommended yet — see RFC G §5).")
+  }).optional();
+  AgentGoogleWorkspaceConfigSchema = exports_external.object({
+    approvers: exports_external.array(ApproverIdSchema).min(1).optional().describe("Per-agent approver override. When set, replaces (does not extend) " + "the top-level drive.approvers list for this agent's onboarding card."),
+    tier: GoogleWorkspaceTierSchema.optional().describe("Per-agent tier override (RFC G Phase 1). When set, replaces the " + "top-level google_workspace.tier for this agent. Common case: most " + "agents on `core`, one specialist on `extended` for Slides access.")
   }).optional();
-  AgentDriveConfigSchema = exports_external.object({
-    approvers: exports_external.array(ApproverIdSchema).min(1).optional().describe("Per-agent approver override. When set, replaces (does not extend) " + "the top-level drive.approvers list for this agent's onboarding card.")
+  ReactionsSchema = exports_external.object({
+    enabled: exports_external.boolean().optional().describe("Master switch for the reaction-trigger path. When false, " + "reactions are still persisted via recordReaction but never " + "dispatched to the agent as synthetic inbound turns. Default true."),
+    trigger_emojis: exports_external.array(exports_external.string()).optional().describe("Emoji allowlist that triggers a synthetic inbound when reacted " + "to a bot message. Default ['\uD83D\uDC4E', '❌', '\uD83D\uDC4D', '✅']. Cascade " + "mode: REPLACE (not union) — setting this at a layer replaces " + "lower layers entirely, so an operator can narrow to [] to " + "disable triggering without flipping `enabled`."),
+    debounce_ms: exports_external.number().int().nonnegative().optional().describe("Per-chat debounce window in ms. A qualifying reaction holds for " + "this long; a second qualifying reaction within the window " + "collapses both into a single batched synthetic turn. Default 30000."),
+    per_hour_cap: exports_external.number().int().nonnegative().optional().describe("Max reaction-triggered synthetic turns per chat per rolling hour. " + "Refusals are stderr-logged but not surfaced to the agent. " + "Default 10. Set to 0 to disable triggering via the cap path."),
+    group_admin_only: exports_external.boolean().optional().describe("In groups/supergroups (negative chat_id), only trigger a synthetic " + "turn when the reacter is a chat admin (creator or administrator). " + "Failing the lookup is treated as non-admin (fail-closed). " + "DMs are never affected by this flag — the reacter IS the user. " + "Default true.")
   }).optional();
   profileFields = {
     extends: exports_external.string().optional(),
@@ -11114,6 +11129,7 @@ var init_schema = __esm(() => {
       }).optional()
     }).optional(),
     schedule: exports_external.array(ScheduleEntrySchema).optional(),
+    reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only").optional(),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
     permission_mode: exports_external.enum(["acceptEdits", "auto", "bypassPermissions", "default", "dontAsk", "plan"]).optional().describe("Permission mode passed as --permission-mode to the claude CLI. " + "Omit to use Claude's default (acceptEdits for switchroom agents). " + "Warning: bypassPermissions and dontAsk skip all safety checks — use only in trusted sandboxes."),
@@ -11134,6 +11150,12 @@ var init_schema = __esm(() => {
     claude_md_raw: exports_external.string().optional(),
     cli_args: exports_external.array(exports_external.string()).optional(),
     extra_stable_files: exports_external.array(exports_external.string()).optional().describe("Extra filenames (relative to the agent's workspace directory) to append " + "to the stable bootstrap render. Loaded once at session start via " + "`--append-system-prompt`. Missing files are silently skipped. " + "Example: ['BRIEF.md', 'CONTEXT.md']."),
+    resources: exports_external.object({
+      memory: exports_external.string().regex(/^\d+(\.\d+)?[kmgKMG]?$/, "memory must be a Docker size string like '6g', '512m', '1.5g'").optional().describe("Hard memory cap (Docker `mem_limit` → cgroup memory.max). When the " + "container exceeds this, the kernel OOM-kills processes in the cgroup. " + "Format: '6g', '1.5g', '512m'. When unset at every cascade layer the " + "compose generator falls back to the hard-coded per-profile defaults " + "in src/agents/compose.ts (klanker 6g, coding 2g, conversational 1.5g, " + "lightweight 1g, default 1.5g)."),
+      memory_reservation: exports_external.string().regex(/^\d+(\.\d+)?[kmgKMG]?$/, "memory_reservation must be a Docker size string like '4g', '256m'").optional().describe("Soft memory floor (Docker `mem_reservation` → cgroup memory.low). " + "Under host-wide memory pressure, the kernel protects at least this " + "much from being reclaimed from the cgroup. Must be ≤ memory. Use to " + "keep an agent RAM-resident when the host has other tenants that " + "might push the box (Coolify apps, build jobs). Default: unset."),
+      pids_limit: exports_external.number().int().positive().optional().describe("Max processes the cgroup can spawn (cgroup pids.max). Prevents " + "fork bombs and runaway test runners. Counts every process in the " + "cgroup including bash subprocesses, claude itself, sidecars, and " + "any test/build worker. A typical agent at idle uses ~30 PIDs; " + "`npm test`-style workloads can spike to 200+. Set generously " + "(2000 is a comfortable cap for test-running agents). Default: " + "unset (no cgroup pid cap)."),
+      cpus: exports_external.number().positive().optional().describe("CPU quota (Docker `cpus`). Fractional values OK (e.g. 0.5, 2.0). " + "When unset at every cascade layer the compose generator falls " + "back to the per-profile default (klanker/coding 2.0, default 1.0, " + "lightweight 0.5).")
+    }).optional().describe("Per-agent resource limits. Cascades through defaults → profile → " + "per-agent with per-field merge (agent wins on each field independently). " + "Any field left unset at every layer falls back to the hard-coded " + "per-profile defaults in src/agents/compose.ts."),
     experimental: exports_external.object({
       legacy_pty: exports_external.boolean().optional().describe("Opt out of the default tmux supervisor (#725) and run the agent under " + "the legacy PTY supervisor instead. Default: false (tmux is the default)."),
       legacy_autoaccept_expect: exports_external.boolean().optional().describe("Opt the autoaccept gateway back into the legacy expect-script behaviour " + "instead of the tmux send-keys path. Default: false.")
@@ -11147,13 +11169,13 @@ var init_schema = __esm(() => {
     bot_token: exports_external.string().optional().describe("Per-agent Telegram bot token or vault reference (overrides global telegram.bot_token)"),
     bot_username: exports_external.string().optional().describe("Per-agent Telegram bot username (without leading @) when it doesn't " + "contain the agent slug. Replaces the default 'username includes slug' " + "preflight check with an exact (case-insensitive) match. Use when an " + "agent and its bot have intentionally divergent names (e.g. agent " + "'lawgpt' paired with bot '@meken_law_bot')."),
     timezone: exports_external.string().regex(TIMEZONE_REGEX, "timezone must be an IANA zone name like 'Australia/Melbourne' or 'UTC' " + "(three-letter aliases like EST/PST and bare offsets like UTC+10 are not accepted)").optional().describe("Per-agent IANA timezone override. Wins over any profile/defaults " + "value and over the top-level switchroom.timezone global. Controls " + "the UserPromptSubmit timezone hook's emitted local time and the " + "systemd unit's TZ= env."),
-    auth_label: exports_external.string().optional().describe("Human-readable identity for the session-start greeting (e.g. 'user@example.com'). " + "Anthropic does not expose a public user-profile endpoint for OAuth tokens, so the " + "email/account cannot be read locally; the user declares it here. Appears in the Auth " + "row as '✓ max · <label> · expires ...'."),
     auth: exports_external.object({
-      accounts: exports_external.array(exports_external.string()).optional().describe("Ordered list of Anthropic account labels (from `~/.switchroom/accounts/`) " + "this agent can use. The first non-quota-exhausted account is the active one; " + "subsequent entries are auto-fallback targets. switchroom-auth-broker keeps " + "`<agentDir>/.claude/credentials.json` in sync with the active account on " + "every refresh and on every quota event. When unset, the agent falls back to " + "a single 'default' account; if no `default` account exists, the boot self-test " + "surfaces a one-line nudge to run `switchroom auth account add`.")
-    }).optional().describe("Account routing for switchroom-auth-broker. See " + "reference/share-auth-across-the-fleet.md for the unit-of-authentication model."),
+      override: exports_external.string().min(1).optional().describe("Per-agent override of the fleet-wide `auth.active`. Edge-case use only — " + "this agent talks to the named account regardless of fleet active. See RFC H §4.5.")
+    }).optional().describe("Account routing for switchroom-auth-broker. RFC H schema uses " + "fleet-wide `auth.active` plus per-agent `override:` for edge cases. " + "Pre-RFC-H `auth.accounts: [..]` and `auth_label:` are migrated in-place " + "on first apply (see src/auth/migrate-schema.ts)."),
     dm_only: exports_external.boolean().optional().describe("Mark this agent as a DM-only bot — has its own bot_token and lives " + "exclusively in a private chat with the operator. Suppresses " + "scaffolding's default behavior of inheriting the global " + "telegram.forum_chat_id into the agent's access.json `groups` entry " + "(the forum chat the bot isn't a member of, which would otherwise " + "trigger a 'boot-probe-failed: 400 chat not found' warning every " + "restart). topic_name is still schema-required but unused — set it " + "to a display label like 'DM' for /switchroom status output."),
     topic_name: exports_external.string().describe("Telegram forum topic display name"),
     topic_emoji: exports_external.string().optional().describe("Emoji for the topic (e.g., '\uD83C\uDFCB️')"),
+    purpose: exports_external.string().max(140).optional().describe("One-line description of what this agent does (≤140 chars). Shown to " + "peer agents when they call the agent-config MCP `peers_list` tool, so " + "every agent on the instance can answer 'is there an agent that does X' " + "without baking the fleet into prompts. Sourced live from " + "switchroom.yaml — never memorized into Hindsight. Falls back to " + "`topic_name` when absent."),
     role: exports_external.enum(["assistant", "foreman"]).optional().describe("Agent role. Default (omitted) is `assistant` — a fleet agent doing " + "user-facing tasks. `foreman` opts the agent in to switchroom's bundled " + "operator skills (switchroom-architecture / cli / health / install / manage " + "/ status), auto-symlinked into the agent's .claude/skills/ on scaffold and " + "reconcile. Fleet agents (assistant role) get no operator skills; reconcile " + "actively retracts them if the role flips back. See docs/skills.md for the model."),
     topic_id: exports_external.number().optional().describe("Telegram topic thread ID (auto-populated by switchroom topics sync)"),
     webhook_sources: exports_external.array(exports_external.enum(["github", "generic"])).optional().describe("[DEPRECATED — moved to channels.telegram.webhook_sources in #596] " + "Old per-agent location. Still read but logs a deprecation warning. " + "See channels.telegram.webhook_sources for the canonical spot."),
@@ -11172,6 +11194,7 @@ var init_schema = __esm(() => {
     tools: AgentToolsSchema,
     memory: AgentMemorySchema,
     schedule: exports_external.array(ScheduleEntrySchema).default([]),
+    reactions: ReactionsSchema,
     model: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9._\-/\[\]:]*$/, "Model name must be alphanumeric with ._-/[]: only (no spaces or shell specials)").optional().describe("Claude model override (e.g., 'claude-sonnet-4-6')"),
     thinking_effort: exports_external.enum(["low", "medium", "high", "xhigh", "max"]).optional().describe("Adaptive-thinking effort level passed as --effort to the claude CLI. " + "Per-agent override wins over defaults.thinking_effort. " + "lower = faster/cheaper, higher = more reasoning. Omit to use Claude's default."),
     permission_mode: exports_external.enum(["acceptEdits", "auto", "bypassPermissions", "default", "dontAsk", "plan"]).optional().describe("Permission mode passed as --permission-mode to the claude CLI. " + "Per-agent override wins over defaults.permission_mode. " + "Warning: bypassPermissions and dontAsk skip all safety checks — use only in trusted sandboxes."),
@@ -11188,17 +11211,19 @@ var init_schema = __esm(() => {
     session_continuity: SessionContinuitySchema.describe("Handoff-briefing settings. When enabled (default), a Stop hook " + "summarizes each session at shutdown and start.sh injects that " + "briefing into the next session via --append-system-prompt."),
     channels: ChannelsSchema.describe("Per-channel configuration. Today only `telegram` is defined; the " + "shape is designed to expand to other channels (Slack, Discord, " + "Matrix, Email) as they're added."),
     dangerous_mode: exports_external.boolean().optional().describe("If true, include --dangerously-skip-permissions in start.sh"),
-    skip_permission_prompt: exports_external.boolean().optional().describe("If true, add skipDangerousModePermissionPrompt to settings.json"),
+    skip_permission_prompt: exports_external.boolean().optional().describe("DEPRECATED no-op (accepted for backwards compatibility). Claude Code " + "ignores skipDangerousModePermissionPrompt at project scope; autoaccept " + "(src/agents/autoaccept.ts) handles the bypass-mode prompt instead. " + "Safe to remove from switchroom.yaml."),
     admin: exports_external.boolean().optional().describe("If true, the agent's Telegram gateway intercepts admin slash commands " + "(/agents, /logs, /restart, /delete, /update, /auth, /reconcile, etc.) " + "locally before forwarding to Claude. Commands are handled silently — " + "Claude never sees them. Requires the agent to use the switchroom-telegram " + "plugin. When false or absent, all messages pass through to Claude unchanged."),
     settings_raw: exports_external.record(exports_external.string(), exports_external.unknown()).optional().describe("Escape hatch: raw object deep-merged into the generated " + "settings.json as the final step. Use for Claude Code settings " + "keys switchroom doesn't wrap directly (e.g. effort, apiKeyHelper). " + "Power-user-only — prefer the typed fields when they exist."),
     claude_md_raw: exports_external.string().optional().describe("Escape hatch: markdown text appended verbatim to CLAUDE.md on " + "initial scaffold. Not re-applied on reconcile (CLAUDE.md is " + "user-protected). Use for one-off persona tuning that isn't " + "worth a template."),
     cli_args: exports_external.array(exports_external.string()).optional().describe("Escape hatch: extra arguments appended to the `exec claude` " + "invocation in start.sh. Use for Claude Code CLI flags switchroom " + "doesn't expose directly (e.g. --effort high, " + "--exclude-dynamic-system-prompt-sections)."),
-    add_dirs: exports_external.array(exports_external.string()).optional().describe("Additional filesystem paths the agent's tools can access. Passed " + "as repeated --add-dir <path> on the claude invocation. Use to grant " + "an agent reach into shared dirs (e.g. '/share/collab') without " + "scaffold hacks. Per-agent only — paths are persona-specific. See #199."),
+    add_dirs: exports_external.array(exports_external.string()).optional().describe("Additional filesystem paths the agent's tools can access. Passed " + "as repeated --add-dir <path> on the claude invocation. Use to grant " + "an agent reach into shared dirs (e.g. '/share/collab') without " + "scaffold hacks. Per-agent only — paths are persona-specific. See #199. " + "Note: this only adjusts the claude CLI's --add-dir tool-reach allowlist. " + "If the path is not already inside the agent's container, also declare " + "it in `bind_mounts:` (admin agents only) — otherwise the path doesn't " + "exist inside the sandbox and --add-dir is a no-op."),
+    bind_mounts: exports_external.array(AgentBindMountSchema).optional().describe("Extra host paths bind-mounted into this agent's container, on top of " + "the standard dual-mount baseline. ADMIN-ONLY: the compose generator " + "refuses to emit bind_mounts unless `admin: true` is also set on the " + "same agent. Use to dogfood / self-modify switchroom or another repo " + "(see issue #1164). Pair with `add_dirs:` so claude's tool-reach " + "allowlist also covers the mounted path. System paths (/, /etc, " + "/proc, /sys, /dev, /run, /var/run, /boot, /var/lib/docker, " + "/var/run/docker.sock) are denylisted regardless of mode."),
     allowed_tools: exports_external.array(exports_external.string()).optional().describe("Granular tool allowlist passed verbatim to Claude Code's --allowedTools " + "flag. Supports patterns like 'Bash(git *)' or 'Edit(*.md)' that the " + "coarse `tools.allow` field can't express. When set, Claude Code OR-merges " + "with `tools.allow` (granular only when present, otherwise coarse — chosen " + "via #199 to keep blast radius minimal for existing operators on tools.allow). " + "See #199."),
     disallowed_tools: exports_external.array(exports_external.string()).optional().describe("Granular tool denylist passed verbatim to Claude Code's --disallowedTools " + "flag. Same pattern syntax as allowed_tools (e.g. 'Bash(rm *)'). See #199."),
     extra_stable_files: exports_external.array(exports_external.string()).optional().describe("Extra filenames (relative to the agent's workspace directory) to append " + "to the stable bootstrap render. Loaded once at session start via " + "`--append-system-prompt`. Missing files are silently skipped. " + "Example: ['BRIEF.md', 'CONTEXT.md']."),
     code_repos: exports_external.array(CodeRepoEntrySchema).optional().describe("Git repositories this agent is allowed to claim worktrees from. " + "Each entry provides a short name alias, a source path, and an " + "optional concurrency cap (default 5). When code_repos is set, " + "claim_worktree accepts the alias as the repo argument. " + "Absolute paths may always be passed regardless of this list."),
-    drive: AgentDriveConfigSchema.describe("Per-agent drive onboarding overrides (currently just approvers). " + "When set, replaces the top-level drive.approvers list for this agent. " + "google_client_id/secret are not per-agent — they live at the top level."),
+    drive: AgentGoogleWorkspaceConfigSchema.describe("RFC D legacy key — use `google_workspace:` instead. Per-agent " + "google_workspace overrides (currently approvers + tier). When set, " + "replaces the top-level approvers list for this agent. " + "google_client_id/secret are not per-agent — they live at the top level."),
+    google_workspace: AgentGoogleWorkspaceConfigSchema.describe("RFC G canonical key. Per-agent Google Workspace overrides — currently " + "approvers (replaces, does not extend the top-level list) and tier " + "(`core` | `extended` | `complete`, replaces top-level default). " + "google_client_id/secret are not per-agent — they live at the top level. " + "Mutually exclusive with `drive:` on the same agent (loader fails fast " + "if both are set)."),
     repos: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9-]*$/, "Repo slug must be kebab-case ASCII: start with a lowercase letter or digit, contain only lowercase letters, digits, and hyphens"), exports_external.object({
       url: exports_external.string().min(1).describe("Git remote URL for the repo (e.g. 'git@github.com:org/repo.git' or " + "'https://github.com/org/repo.git'). Used verbatim for git clone."),
       branch_default: exports_external.string().optional().describe("Default branch to track (defaults to the remote's HEAD, typically 'main'). " + "The per-agent branch 'agent/<agentName>/main' fast-forwards to this branch " + "when the worktree is clean on session start.")
@@ -11206,7 +11231,13 @@ var init_schema = __esm(() => {
     experimental: exports_external.object({
       legacy_pty: exports_external.boolean().optional().describe("Opt out of the default tmux supervisor (#725) and run the agent " + "under the legacy PTY supervisor instead. Default: false."),
       legacy_autoaccept_expect: exports_external.boolean().optional().describe("Opt the autoaccept gateway back into the legacy expect-script " + "behaviour instead of the tmux send-keys path. Default: false.")
-    }).optional().describe("Opt-in flags for experimental / legacy behaviours. Cascades through " + "defaults → profile → per-agent.")
+    }).optional().describe("Opt-in flags for experimental / legacy behaviours. Cascades through " + "defaults → profile → per-agent."),
+    resources: exports_external.object({
+      memory: exports_external.string().regex(/^\d+(\.\d+)?[kmgKMG]?$/).optional(),
+      memory_reservation: exports_external.string().regex(/^\d+(\.\d+)?[kmgKMG]?$/).optional(),
+      pids_limit: exports_external.number().int().positive().optional(),
+      cpus: exports_external.number().positive().optional()
+    }).optional()
   });
   TelegramConfigSchema = exports_external.object({
     bot_token: exports_external.string().describe("Telegram bot token or vault reference (e.g., 'vault:telegram-bot-token')"),
@@ -11229,13 +11260,26 @@ var init_schema = __esm(() => {
       socket: exports_external.string().default("~/.switchroom/vault-broker.sock").describe("Unix domain socket path for the vault-broker daemon"),
       enabled: exports_external.boolean().default(true).describe("Whether to start the vault-broker daemon on agent launch"),
       autoUnlock: exports_external.boolean().default(false).describe("Auto-unlock the vault at broker start using a machine-bound " + "encrypted blob. Off by default. When enabled, the broker reads " + "the configured blob path, derives the AES key from /etc/machine-id, " + "decrypts the passphrase, and unlocks the vault — no sudo, no " + "systemd-creds, no TPM. Run `switchroom vault broker " + "enable-auto-unlock` once to write the blob."),
-      autoUnlockCredentialPath: exports_external.string().default("~/.switchroom/vault-auto-unlock").describe("Path to the machine-bound auto-unlock blob (see " + "src/vault/auto-unlock.ts for the format). Default lives under " + "~/.switchroom so it can be bind-mounted into the vault-broker " + "container by docker compose. Tilde-expansion happens " + "at read time.")
-    }).default({}).describe("Vault-broker daemon configuration. The broker holds the decrypted vault " + "in memory and serves secrets to cron scripts via a Unix socket, so the " + "vault passphrase is entered once at startup rather than per-cron invocation.")
+      autoUnlockCredentialPath: exports_external.string().default("~/.switchroom/vault-auto-unlock").describe("Path to the machine-bound auto-unlock blob (see " + "src/vault/auto-unlock.ts for the format). Default lives under " + "~/.switchroom so it can be bind-mounted into the vault-broker " + "container by docker compose. Tilde-expansion happens " + "at read time."),
+      approvalAuth: exports_external.enum(["passphrase", "telegram-id"]).default("passphrase").describe("Posture for tap-to-Approve on vault grant cards. `passphrase` " + "(default) prompts the operator to type the vault passphrase on " + "every Approve — two-factor (Telegram ID + passphrase). " + "`telegram-id` mints immediately on Approve with no passphrase " + "prompt — single-factor (Telegram ID only); REQUIRES " + "`autoUnlock: true` so the broker already holds the passphrase. " + "Trades a factor of security for smoother UX; opt-in only."),
+      postureMintAgents: exports_external.array(exports_external.string().min(1)).default([]).describe("Per-agent opt-in for posture-attested broker calls (`mint_grant` / " + "`list_grants` / `put` with `attest_via_posture: true`). Only agents " + "whose names are in this list can use the silent-mint path under " + "`approvalAuth: telegram-id`. Default `[]` — no agent can self-mint " + "until the operator explicitly opts it in. The request's `agent` " + "field must also equal the calling peer's resolved agent name " + "(broker rejects cross-agent posture mints). When `approvalAuth` is " + "`passphrase` this list is ignored — passphrase attestation still " + "works as before. Each entry is an agent slug exactly as it appears " + "under `agents:` in this config.")
+    }).default({}).superRefine((broker, ctx) => {
+      if (broker.approvalAuth === "telegram-id" && broker.autoUnlock !== true) {
+        ctx.addIssue({
+          code: exports_external.ZodIssueCode.custom,
+          message: "`vault.broker.approvalAuth: telegram-id` requires `autoUnlock: true` — single-factor approval needs the broker already unlocked at startup.",
+          path: ["approvalAuth"]
+        });
+      }
+    }).describe("Vault-broker daemon configuration. The broker holds the decrypted vault " + "in memory and serves secrets to cron scripts via a Unix socket, so the " + "vault passphrase is entered once at startup rather than per-cron invocation.")
   });
   QuotaConfigSchema = exports_external.object({
     weekly_budget_usd: exports_external.number().positive().optional().describe("Weekly USD spend budget. If unset, the greeting shows raw usage only."),
     monthly_budget_usd: exports_external.number().positive().optional().describe("Monthly USD spend budget. If unset, the greeting shows raw usage only.")
   });
+  HostControlConfigSchema = exports_external.object({
+    enabled: exports_external.boolean().optional().describe("Opt-in to the host-control daemon. Default: false. " + "When true, the compose generator emits per-agent bind mounts " + "at `~/.switchroom/hostd/<name>/sock` for every admin-flagged " + "agent. Install the daemon with `switchroom hostd install` — " + "it runs as a docker container in its own compose project " + "(`switchroom-hostd`), separate from the agent fleet's compose " + "project so `up -d --remove-orphans` cycles of the fleet " + "can't recreate the daemon mid-RPC. See RFC C §5.1. " + "Since Phase 2 (#1175 PR γ) the gateway's /restart, /new, /reset, " + "and /update apply slash-commands automatically dispatch through " + "hostd when enabled — replacing the in-container " + "`spawnSwitchroomDetached` shellout that requires docker access. " + "Set enabled: true on docker-mode installs to make those verbs work " + "(they otherwise fail because the agent container has no docker " + "binary/socket).")
+  });
   SwitchroomConfigSchema = exports_external.object({
     switchroom: exports_external.object({
       version: exports_external.literal(1).describe("Config schema version"),
@@ -11246,8 +11290,28 @@ var init_schema = __esm(() => {
     telegram: TelegramConfigSchema,
     memory: MemoryBackendConfigSchema.optional(),
     vault: VaultConfigSchema.optional(),
-    drive: DriveConfigSchema.describe("Optional drive onboarding configuration. When set, supplies Google " + "OAuth client credentials and the approver allowlist for `switchroom " + "drive connect`. Env vars (SWITCHROOM_GOOGLE_CLIENT_ID, " + "SWITCHROOM_GOOGLE_CLIENT_SECRET, SWITCHROOM_APPROVER_USER_ID) take " + "precedence over this block when set, preserving back-compat with " + "the env-only flow shipped in #766."),
+    auth: exports_external.object({
+      active: exports_external.string().min(1).optional().describe("Fleet-wide active Anthropic account label. Every agent without " + "an explicit `agent.auth.override` uses this account. See " + "docs/auth.md for the full model. Set by `switchroom auth use <label>`."),
+      fallback_order: exports_external.array(exports_external.string().min(1)).optional().describe("Ordered list of account labels for `switchroom auth rotate` to cycle " + "through when the active account hits a quota event. First entry is " + "normally the same as `auth.active`. When unset, `rotate` is a no-op."),
+      consumers: exports_external.array(exports_external.object({
+        name: exports_external.string().regex(/^[a-zA-Z0-9][a-zA-Z0-9_-]*$/, {
+          message: "Consumer name must be a path-safe slug (letters, digits, underscore, hyphen)"
+        }).describe("Socket-path identity; binds at /run/switchroom/auth-broker/<name>/sock"),
+        account: exports_external.string().min(1).describe("Pinned account label for this consumer. `get-credentials` returns " + "this account's credentials; `mark-exhausted` from this consumer " + "only affects this account."),
+        uid: exports_external.number().int().nonnegative().optional().describe("Optional UID to chown the consumer socket to (defaults to 0 = root, " + "suitable for sibling containers running as root).")
+      })).optional().describe("Non-agent peers that hold a broker socket (RFC H §4.8). Each gets " + "its own `/run/switchroom/auth-broker/<name>/sock` chowned to its UID. " + "Consumers cannot be admins; a consumer name that collides with an " + "agent (whether that agent has `admin: true` or not) is a config " + "error caught at schema validation.")
+    }).optional().describe("Switchroom-auth-broker configuration (RFC H). Fleet-wide active account, " + "fallback order, admin-agent ACL, and ephemeral-consumer surface. " + "Required from the v0.8+ schema onwards; pre-v0.8 fleets are migrated " + "in-place by `switchroom apply` (see src/auth/migrate-schema.ts)."),
+    drive: GoogleWorkspaceConfigSchema.describe("RFC D legacy key — use `google_workspace:` instead. Optional Google " + "Workspace onboarding configuration. When set, supplies Google OAuth " + "client credentials, the approver allowlist for `switchroom drive " + "connect`, and the optional tier knob. Env vars " + "(SWITCHROOM_GOOGLE_CLIENT_ID, SWITCHROOM_GOOGLE_CLIENT_SECRET, " + "SWITCHROOM_APPROVER_USER_ID) take precedence over this block when " + "set, preserving back-compat with the env-only flow shipped in #766."),
+    google_workspace: GoogleWorkspaceConfigSchema.describe("RFC G canonical key. Top-level Google Workspace configuration — " + "OAuth client credentials, approver allowlist, and tier knob (`core` " + "| `extended` | `complete`, default `core`). Mutually exclusive with " + "`drive:` at the top level (loader fails fast if both are set)."),
     quota: QuotaConfigSchema.optional().describe("Optional weekly/monthly USD spend budgets rendered in the session " + "greeting. Usage is read from ccusage at runtime; no network calls."),
+    host_control: HostControlConfigSchema.optional().describe("Optional host-control daemon configuration. See RFC C " + "(docs/rfcs/host-control-daemon.md) and the field-level help on " + "`enabled` for the Phase 1 scope."),
+    google_accounts: exports_external.record(exports_external.string().regex(/^[^@\s:]+@[^@\s:]+\.[^@\s:]+$/, {
+      message: "Account key must be a Google account email like 'alice@example.com' (colons not allowed)"
+    }).transform((v) => v.trim().toLowerCase()), exports_external.object({
+      enabled_for: exports_external.array(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,50}$/, {
+        message: "Agent name must match the standard agent-name pattern"
+      })).describe("Agent slugs that may read this account's vault slots " + "(`google:<account>:refresh_token` etc). Per-agent ACL is " + "enforced at the broker, not at the agent identity layer — " + "the agent still authenticates via socket-path-as-identity " + "per RFC D §4.1, broker just gates the cross-agent token share.")
+    })).optional().describe("RFC G Phase 2: per-Google-account ACL for vault slots holding " + "OAuth refresh tokens. Maps account email → list of agents " + "permitted to read that account's slots. Written by `switchroom " + "auth google enable|disable` (Phase 3); read by the broker on " + "every Google slot access. Replaces RFC D's per-agent vault slot " + "scope (which can't express 'two agents share one Google account')."),
     defaults: AgentDefaultsSchema.describe("Implicit bottom-of-cascade profile applied to every agent before " + "per-agent config and `extends:` resolution. Tools, mcp_servers, and " + "schedule are unioned/concatenated; scalars and nested objects are " + "shallow-merged with per-agent values winning."),
     profiles: exports_external.record(exports_external.string(), ProfileSchema).optional().describe("Named profile definitions. Agents reference via `extends: <name>`. " + "Inline profiles declared here take priority over filesystem " + "profiles/<name>/ directories when both exist."),
     agents: exports_external.record(exports_external.string().regex(/^[a-z0-9][a-z0-9_-]{0,50}$/, {
@@ -11282,6 +11346,142 @@ function resolveDualPath(pathStr) {
 var DEFAULT_STATE_DIR = ".switchroom", LEGACY_STATE_DIR = ".clerk";
 var init_paths = () => {};
 
+// src/config/overlay-schema.ts
+var OverlayDocSchema;
+var init_overlay_schema = __esm(() => {
+  init_zod();
+  init_schema();
+  OverlayDocSchema = exports_external.object({
+    schedule: exports_external.array(ScheduleEntrySchema).optional(),
+    skills: exports_external.array(exports_external.string()).optional()
+  }).strict();
+});
+
+// src/config/overlay-loader.ts
+import { existsSync as existsSync2, readFileSync, readdirSync, statSync } from "node:fs";
+import { resolve as resolve2 } from "node:path";
+function overlayDirFor(agentName, subdir) {
+  const base = resolveDualPath(`~/.switchroom/agents/${agentName}/${subdir}`);
+  return resolve2(base);
+}
+function listYamlFiles(dir) {
+  if (!existsSync2(dir))
+    return [];
+  let entries;
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return [];
+  }
+  const out = [];
+  for (const name of entries) {
+    if (!/\.ya?ml$/i.test(name))
+      continue;
+    const full = resolve2(dir, name);
+    try {
+      if (statSync(full).isFile())
+        out.push(full);
+    } catch {}
+  }
+  return out.sort();
+}
+function stampOverlay(entry) {
+  Object.defineProperty(entry, OVERLAY_SOURCE, {
+    value: true,
+    enumerable: false,
+    configurable: false,
+    writable: false
+  });
+  return entry;
+}
+function applyAgentOverlays(config) {
+  const warnings = [];
+  const agents = config.agents ?? {};
+  for (const [agentName, agentCfg] of Object.entries(agents)) {
+    try {
+      const scheduleDir = overlayDirFor(agentName, "schedule.d");
+      const files = listYamlFiles(scheduleDir);
+      if (files.length > 0) {
+        const merged = [...agentCfg.schedule ?? []];
+        for (const file of files) {
+          try {
+            const raw = readFileSync(file, "utf-8");
+            const parsed = $parse(raw);
+            const doc = OverlayDocSchema.parse(parsed);
+            for (const entry of doc.schedule ?? []) {
+              if (entry.secrets && entry.secrets.length > 0) {
+                const w = {
+                  agent: agentName,
+                  file,
+                  reason: "Overlay schedule entry declares secrets — dropped pending Phase E operator approval"
+                };
+                warnings.push(w);
+                console.warn(`[switchroom] overlay-loader: agent='${agentName}' file='${file}': ${w.reason}`);
+                continue;
+              }
+              merged.push(stampOverlay(entry));
+            }
+          } catch (err) {
+            const reason = err instanceof ZodError ? `schema rejection: ${err.errors.map((e) => `${e.path.join(".")}: ${e.message}`).join("; ")}` : `parse error: ${err.message}`;
+            warnings.push({ agent: agentName, file, reason });
+            console.warn(`[switchroom] overlay-loader: agent='${agentName}' file='${file}': ${reason}`);
+          }
+        }
+        agentCfg.schedule = merged;
+      }
+    } catch (err) {
+      warnings.push({
+        agent: agentName,
+        file: "(agent schedule overlay scan)",
+        reason: `unexpected error: ${err.message}`
+      });
+      console.warn(`[switchroom] overlay-loader: agent='${agentName}' schedule.d: unexpected error: ${err.message}`);
+    }
+    try {
+      const skillsDir = overlayDirFor(agentName, "skills.d");
+      const skillFiles = listYamlFiles(skillsDir);
+      if (skillFiles.length === 0) {} else {
+        const merged = [...agentCfg.skills ?? []];
+        const seen = new Set(merged);
+        for (const file of skillFiles) {
+          try {
+            const raw = readFileSync(file, "utf-8");
+            const parsed = $parse(raw);
+            const doc = OverlayDocSchema.parse(parsed);
+            for (const skillName of doc.skills ?? []) {
+              if (seen.has(skillName))
+                continue;
+              seen.add(skillName);
+              merged.push(skillName);
+            }
+          } catch (err) {
+            const reason = err instanceof ZodError ? `schema rejection: ${err.errors.map((e) => `${e.path.join(".")}: ${e.message}`).join("; ")}` : `parse error: ${err.message}`;
+            warnings.push({ agent: agentName, file, reason });
+            console.warn(`[switchroom] overlay-loader: agent='${agentName}' file='${file}': ${reason}`);
+          }
+        }
+        agentCfg.skills = merged;
+      }
+    } catch (err) {
+      warnings.push({
+        agent: agentName,
+        file: "(agent skills overlay scan)",
+        reason: `unexpected error: ${err.message}`
+      });
+      console.warn(`[switchroom] overlay-loader: agent='${agentName}' skills.d: unexpected error: ${err.message}`);
+    }
+  }
+  return { config, warnings };
+}
+var OVERLAY_SOURCE;
+var init_overlay_loader = __esm(() => {
+  init_dist();
+  init_zod();
+  init_overlay_schema();
+  init_paths();
+  OVERLAY_SOURCE = Symbol.for("switchroom.config.overlay-source");
+});
+
 // src/config/loader.ts
 var exports_loader = {};
 __export(exports_loader, {
@@ -11291,36 +11491,74 @@ __export(exports_loader, {
   findConfigFile: () => findConfigFile,
   ConfigError: () => ConfigError
 });
-import { readFileSync, existsSync as existsSync2 } from "node:fs";
+import { readFileSync as readFileSync2, existsSync as existsSync3 } from "node:fs";
 import { homedir } from "node:os";
-import { resolve as resolve2 } from "node:path";
+import { resolve as resolve3 } from "node:path";
 function formatZodErrors(error) {
   return error.errors.map((e) => {
     const path = e.path.join(".");
     return `  ${path}: ${e.message}`;
   });
 }
+function coerceLegacyGoogleWorkspaceKeys(parsed, filePath) {
+  const stableStringify = (v) => {
+    if (v === null || typeof v !== "object")
+      return JSON.stringify(v);
+    if (Array.isArray(v))
+      return `[${v.map(stableStringify).join(",")}]`;
+    const obj = v;
+    const keys = Object.keys(obj).sort();
+    return `{${keys.map((k) => `${JSON.stringify(k)}:${stableStringify(obj[k])}`).join(",")}}`;
+  };
+  const aliasInPlace = (obj, where) => {
+    const a = obj.drive;
+    const b = obj.google_workspace;
+    if (a !== undefined && b !== undefined) {
+      if (stableStringify(a) !== stableStringify(b)) {
+        throw new ConfigError(`Both \`drive:\` and \`google_workspace:\` are set on ${where} in ${filePath} with different values.`, [
+          "  These are aliases — pick one and remove the other.",
+          "  `google_workspace:` is the RFC G canonical key; `drive:` is the legacy alias.",
+          "  Allowed during transition: setting both with identical values."
+        ]);
+      }
+      return;
+    }
+    if (a !== undefined && b === undefined)
+      obj.google_workspace = a;
+    if (b !== undefined && a === undefined)
+      obj.drive = b;
+  };
+  aliasInPlace(parsed, "the top level");
+  const agents = parsed.agents;
+  if (agents && typeof agents === "object" && !Array.isArray(agents)) {
+    for (const [name, agent] of Object.entries(agents)) {
+      if (agent && typeof agent === "object" && !Array.isArray(agent)) {
+        aliasInPlace(agent, `agent \`${name}\``);
+      }
+    }
+  }
+}
 function findConfigFile(startDir) {
   const envPath = process.env.SWITCHROOM_CONFIG;
   const home2 = homedir();
-  const userDir = resolve2(home2, ".switchroom");
+  const userDir = resolve3(home2, ".switchroom");
   const searchPaths = [
-    envPath ? resolve2(envPath) : null,
-    startDir ? resolve2(startDir, "switchroom.yaml") : null,
-    startDir ? resolve2(startDir, "switchroom.yml") : null,
-    startDir ? resolve2(startDir, "clerk.yaml") : null,
-    startDir ? resolve2(startDir, "clerk.yml") : null,
-    resolve2(process.cwd(), "switchroom.yaml"),
-    resolve2(process.cwd(), "switchroom.yml"),
-    resolve2(process.cwd(), "clerk.yaml"),
-    resolve2(process.cwd(), "clerk.yml"),
-    resolve2(userDir, "switchroom.yaml"),
-    resolve2(userDir, "switchroom.yml"),
-    resolve2(userDir, "clerk.yaml"),
-    resolve2(userDir, "clerk.yml")
+    envPath ? resolve3(envPath) : null,
+    startDir ? resolve3(startDir, "switchroom.yaml") : null,
+    startDir ? resolve3(startDir, "switchroom.yml") : null,
+    startDir ? resolve3(startDir, "clerk.yaml") : null,
+    startDir ? resolve3(startDir, "clerk.yml") : null,
+    resolve3(process.cwd(), "switchroom.yaml"),
+    resolve3(process.cwd(), "switchroom.yml"),
+    resolve3(process.cwd(), "clerk.yaml"),
+    resolve3(process.cwd(), "clerk.yml"),
+    resolve3(userDir, "switchroom.yaml"),
+    resolve3(userDir, "switchroom.yml"),
+    resolve3(userDir, "clerk.yaml"),
+    resolve3(userDir, "clerk.yml")
   ].filter(Boolean);
   for (const path of searchPaths) {
-    if (existsSync2(path)) {
+    if (existsSync3(path)) {
       return path;
     }
   }
@@ -11328,12 +11566,12 @@ function findConfigFile(startDir) {
 }
 function loadConfig(configPath) {
   const filePath = configPath ?? findConfigFile();
-  if (!existsSync2(filePath)) {
+  if (!existsSync3(filePath)) {
     throw new ConfigError(`Config file not found: ${filePath}`);
   }
   let raw;
   try {
-    raw = readFileSync(filePath, "utf-8");
+    raw = readFileSync2(filePath, "utf-8");
   } catch (err) {
     throw new ConfigError(`Failed to read config file: ${filePath}`, [
       `  ${err.message}`
@@ -11352,16 +11590,26 @@ function loadConfig(configPath) {
     obj.switchroom = obj.clerk;
     delete obj.clerk;
   }
+  if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+    coerceLegacyGoogleWorkspaceKeys(parsed, filePath);
+  }
+  let config;
   try {
-    return SwitchroomConfigSchema.parse(parsed);
+    config = SwitchroomConfigSchema.parse(parsed);
   } catch (err) {
     if (err instanceof ZodError) {
       throw new ConfigError("Invalid switchroom.yaml configuration", formatZodErrors(err));
     }
     throw err;
   }
+  applyAgentOverlays(config);
+  return config;
 }
 function resolveAgentsDir(config) {
+  const override = process.env.SWITCHROOM_AGENTS_DIR;
+  if (override && override.length > 0 && override.startsWith("/")) {
+    return override;
+  }
   return resolveDualPath(config.switchroom.agents_dir);
 }
 function resolvePath(pathStr) {
@@ -11373,6 +11621,7 @@ var init_loader = __esm(() => {
   init_zod();
   init_schema();
   init_paths();
+  init_overlay_loader();
   ConfigError = class ConfigError extends Error {
     details;
     constructor(message, details) {
@@ -11385,8 +11634,8 @@ var init_loader = __esm(() => {
 
 // src/vault/approvals/kernel-server.ts
 import * as net from "node:net";
-import { mkdirSync, chmodSync, chownSync, existsSync as existsSync3, unlinkSync, readdirSync, statSync } from "node:fs";
-import { dirname, resolve as resolve3, basename } from "node:path";
+import { mkdirSync, chmodSync, chownSync, existsSync as existsSync4, unlinkSync, readdirSync as readdirSync2, statSync as statSync2 } from "node:fs";
+import { dirname, resolve as resolve4, basename } from "node:path";
 import { Database } from "bun:sqlite";
 
 // src/vault/broker/protocol.ts
@@ -11408,7 +11657,8 @@ var PutRequestSchema = exports_external.object({
     exports_external.object({ kind: exports_external.literal("binary"), value: exports_external.string() })
   ]),
   token: exports_external.string().optional(),
-  passphrase: exports_external.string().optional()
+  passphrase: exports_external.string().optional(),
+  attest_via_posture: exports_external.boolean().optional()
 });
 var ListRequestSchema = exports_external.object({
   v: exports_external.literal(1),
@@ -11422,12 +11672,16 @@ var MintGrantRequestSchema = exports_external.object({
   keys: exports_external.array(exports_external.string().min(1)),
   ttl_seconds: exports_external.number().int().positive().nullable(),
   description: exports_external.string().optional(),
-  write_keys: exports_external.array(exports_external.string().min(1)).optional()
+  write_keys: exports_external.array(exports_external.string().min(1)).optional(),
+  passphrase: exports_external.string().optional(),
+  attest_via_posture: exports_external.boolean().optional()
 });
 var ListGrantsRequestSchema = exports_external.object({
   v: exports_external.literal(1),
   op: exports_external.literal("list_grants"),
-  agent: exports_external.string().optional()
+  agent: exports_external.string().optional(),
+  passphrase: exports_external.string().optional(),
+  attest_via_posture: exports_external.boolean().optional()
 });
 var RevokeGrantRequestSchema = exports_external.object({
   v: exports_external.literal(1),
@@ -11682,11 +11936,8 @@ function canonicalizeApproverSet(approvers) {
 
 // src/vault/approvals/schema.ts
 function migrateApprovalSchema(db) {
-  db.run(`DROP TABLE IF EXISTS approval_audit`);
-  db.run(`DROP TABLE IF EXISTS approval_nonces`);
-  db.run(`DROP TABLE IF EXISTS approval_decisions`);
   db.run(`
-    CREATE TABLE approval_decisions (
+    CREATE TABLE IF NOT EXISTS approval_decisions (
       id                       TEXT PRIMARY KEY,
       agent_unit               TEXT NOT NULL,
       scope                    TEXT NOT NULL,
@@ -11702,12 +11953,12 @@ function migrateApprovalSchema(db) {
     )
   `);
   db.run(`
-    CREATE INDEX approval_decisions_lookup
+    CREATE INDEX IF NOT EXISTS approval_decisions_lookup
     ON approval_decisions(agent_unit, scope, action)
     WHERE revoked_at IS NULL
   `);
   db.run(`
-    CREATE TABLE approval_nonces (
+    CREATE TABLE IF NOT EXISTS approval_nonces (
       request_id   TEXT PRIMARY KEY,
       decision_id  TEXT,
       agent_unit   TEXT NOT NULL,
@@ -11722,12 +11973,12 @@ function migrateApprovalSchema(db) {
     )
   `);
   db.run(`
-    CREATE INDEX approval_nonces_pending
+    CREATE INDEX IF NOT EXISTS approval_nonces_pending
     ON approval_nonces(agent_unit, expires_at)
     WHERE consumed_at IS NULL
   `);
   db.run(`
-    CREATE TABLE approval_audit (
+    CREATE TABLE IF NOT EXISTS approval_audit (
       seq         INTEGER PRIMARY KEY AUTOINCREMENT,
       ts          INTEGER NOT NULL,
       agent_unit  TEXT NOT NULL,
@@ -11740,7 +11991,7 @@ function migrateApprovalSchema(db) {
     )
   `);
   db.run(`
-    CREATE INDEX approval_audit_by_scope
+    CREATE INDEX IF NOT EXISTS approval_audit_by_scope
     ON approval_audit(scope, ts)
   `);
 }
@@ -12277,6 +12528,23 @@ function mergeAgentConfig(defaultsIn, agentIn) {
     const a = merged.extra_stable_files ?? [];
     merged.extra_stable_files = dedupe([...d, ...a]);
   }
+  const dReactions = defaults.reactions;
+  const mReactions = merged.reactions;
+  if (dReactions || mReactions) {
+    const base = dReactions ?? {};
+    const override = mReactions ?? {};
+    const combined = { ...base };
+    for (const [k, v] of Object.entries(override)) {
+      if (v !== undefined)
+        combined[k] = v;
+    }
+    merged.reactions = combined;
+  }
+  if (defaults.resources || merged.resources) {
+    const d = defaults.resources ?? {};
+    const a = merged.resources ?? {};
+    merged.resources = { ...d, ...a };
+  }
   if (defaults.experimental || merged.experimental) {
     const d = defaults.experimental ?? {};
     const a = merged.experimental ?? {};
@@ -12289,39 +12557,6 @@ function mergeAgentConfig(defaultsIn, agentIn) {
   mergeAgentConfig.notifiedWorkerIsolationMove = false;
 })(mergeAgentConfig ||= {});
 
-// src/agents/compose.ts
-var AGENT_UID_MIN = 10001;
-var AGENT_UID_MAX = 10999;
-function allocateAgentUid(name) {
-  const hash = createHash("sha256").update(name).digest();
-  const u32 = hash.readUInt32BE(0);
-  const range = AGENT_UID_MAX - AGENT_UID_MIN + 1;
-  return AGENT_UID_MIN + u32 % range;
-}
-
-// src/vault/approvals/acl.ts
-function checkApprovalAclByAgent(listenerAgent, claimedAgentUnit) {
-  if (!listenerAgent) {
-    return {
-      allow: false,
-      reason: "listener has no bound agent identity (kernel-server bind misconfiguration)"
-    };
-  }
-  if (!claimedAgentUnit) {
-    return {
-      allow: false,
-      reason: "request has no agent_unit; refusing to attribute to listener identity by default"
-    };
-  }
-  if (claimedAgentUnit !== listenerAgent) {
-    return {
-      allow: false,
-      reason: `agent_unit mismatch: socket=${listenerAgent}, claim=${claimedAgentUnit}`
-    };
-  }
-  return { allow: true };
-}
-
 // src/vault/broker/peercred-ffi.ts
 function getPeerCred(fd) {
   if (process.platform !== "linux")
@@ -12374,6 +12609,55 @@ function getPeerCred(fd) {
   }
 }
 
+// src/vault/broker/peercred.ts
+var RESERVED_AGENT_NAMES = new Set(["operator", "hostd"]);
+function isReservedAgentName(name) {
+  return RESERVED_AGENT_NAMES.has(name);
+}
+
+// src/memory/hindsight.ts
+var DEFAULT_RETAIN_MISSION = "Extract user preferences, ongoing projects, recurring commitments, " + "important context, and durable facts that should help across future " + "conversations. Skip one-off chatter and temporary task noise.";
+
+// src/agents/reconcile-default-skills.ts
+var warnedMissingPool = new Set;
+
+// src/agents/compose.ts
+var AGENT_UID_MIN = 10001;
+var AGENT_UID_MAX = 10999;
+function allocateAgentUid(name) {
+  if (isReservedAgentName(name)) {
+    throw new Error(`agent name '${name}' is reserved by switchroom for another identity kind ` + `(see vault/broker/peercred.ts:RESERVED_AGENT_NAMES). Pick a different name.`);
+  }
+  const hash = createHash("sha256").update(name).digest();
+  const u32 = hash.readUInt32BE(0);
+  const range = AGENT_UID_MAX - AGENT_UID_MIN + 1;
+  return AGENT_UID_MIN + u32 % range;
+}
+var BIND_MOUNT_EXACT_SOURCE_DENY = new Set(["/var/run/docker.sock"]);
+
+// src/vault/approvals/acl.ts
+function checkApprovalAclByAgent(listenerAgent, claimedAgentUnit) {
+  if (!listenerAgent) {
+    return {
+      allow: false,
+      reason: "listener has no bound agent identity (kernel-server bind misconfiguration)"
+    };
+  }
+  if (!claimedAgentUnit) {
+    return {
+      allow: false,
+      reason: "request has no agent_unit; refusing to attribute to listener identity by default"
+    };
+  }
+  if (claimedAgentUnit !== listenerAgent) {
+    return {
+      allow: false,
+      reason: `agent_unit mismatch: socket=${listenerAgent}, claim=${claimedAgentUnit}`
+    };
+  }
+  return { allow: true };
+}
+
 // src/vault/approvals/kernel-server.ts
 var DEFAULT_SOCKET_PARENT = "/run/switchroom/kernel";
 var DEFAULT_DB_PATH = "/state/approvals/kernel.db";
@@ -12390,7 +12674,7 @@ function openKernelDb(dbPath) {
   return db;
 }
 async function bindAgentSocket(parentDir, agent, db) {
-  const dir = resolve3(parentDir, agent);
+  const dir = resolve4(parentDir, agent);
   mkdirSync(dir, { recursive: true, mode: 448 });
   try {
     chownSync(dir, 0, 0);
@@ -12399,8 +12683,8 @@ async function bindAgentSocket(parentDir, agent, db) {
     chmodSync(dir, 448);
   } catch {}
   const uid = allocateAgentUid(agent);
-  const socketPath = resolve3(dir, "sock");
-  if (existsSync3(socketPath)) {
+  const socketPath = resolve4(dir, "sock");
+  if (existsSync4(socketPath)) {
     try {
       unlinkSync(socketPath);
     } catch (err) {
@@ -12444,8 +12728,7 @@ function handleConnection(socket, agent, db) {
   socket.on("data", (chunk) => {
     buffer += chunk.toString("utf8");
     if (Buffer.byteLength(buffer, "utf8") > MAX_FRAME_BYTES) {
-      socket.write(encodeResponse(errorResponse("BAD_REQUEST", "Frame exceeds 64 KiB limit")));
-      socket.destroy();
+      socket.end(encodeResponse(errorResponse("BAD_REQUEST", "Frame exceeds 64 KiB limit")));
       return;
     }
     let nl;
@@ -12614,7 +12897,7 @@ async function bootstrap(opts) {
           l.server.close();
         } catch {}
         try {
-          if (existsSync3(l.socketPath))
+          if (existsSync4(l.socketPath))
             unlinkSync(l.socketPath);
         } catch {}
       }
@@ -12626,16 +12909,16 @@ async function bootstrap(opts) {
 }
 async function main() {
   const socketEnv = process.env.SWITCHROOM_KERNEL_SOCKET ?? `${DEFAULT_SOCKET_PARENT}/approval-kernel.sock`;
-  const socketParent = dirname(resolve3(socketEnv));
+  const socketParent = dirname(resolve4(socketEnv));
   const dbPath = process.env.SWITCHROOM_KERNEL_DB_PATH ?? DEFAULT_DB_PATH;
   const configPath = process.env.SWITCHROOM_CONFIG;
   let agents = [];
   try {
-    if (existsSync3(socketParent)) {
-      agents = readdirSync(socketParent).filter((name) => {
+    if (existsSync4(socketParent)) {
+      agents = readdirSync2(socketParent).filter((name) => {
         try {
-          const p = resolve3(socketParent, name);
-          return statSync(p).isDirectory();
+          const p = resolve4(socketParent, name);
+          return statSync2(p).isDirectory();
         } catch {
           return false;
         }
@@ -12663,8 +12946,8 @@ async function main() {
       chmodSync(socketParent, 493);
     } catch {}
     const db = openKernelDb(dbPath);
-    const socketPath = resolve3(socketEnv);
-    if (existsSync3(socketPath)) {
+    const socketPath = resolve4(socketEnv);
+    if (existsSync4(socketPath)) {
       try {
         unlinkSync(socketPath);
       } catch {}
@@ -12686,7 +12969,7 @@ async function main() {
         server.close();
       } catch {}
       try {
-        if (existsSync3(socketPath))
+        if (existsSync4(socketPath))
           unlinkSync(socketPath);
       } catch {}
       try {