tandem-editor 0.11.2 → 0.13.0

package/dist/cli/index.js

@@ -355,8 +355,22 @@ var init_uninstall_scrub = __esm({
   }
 });
 
+// src/cli/skill-content.ts
+import { readFileSync } from "fs";
+import { dirname, resolve } from "path";
+import { fileURLToPath } from "url";
+var __dirname, SKILL_PATH, SKILL_CONTENT;
+var init_skill_content = __esm({
+  "src/cli/skill-content.ts"() {
+    "use strict";
+    __dirname = dirname(fileURLToPath(import.meta.url));
+    SKILL_PATH = resolve(__dirname, "../../skills/tandem/SKILL.md");
+    SKILL_CONTENT = readFileSync(SKILL_PATH, "utf-8");
+  }
+});
+
 // src/shared/constants.ts
-var DEFAULT_MCP_PORT, TANDEM_REPO_URL, TANDEM_ISSUES_NEW_URL, MAX_FILE_SIZE, MAX_WS_PAYLOAD, IDLE_TIMEOUT, SESSION_MAX_AGE, CHANNEL_MAX_RETRIES, CHANNEL_RETRY_DELAY_MS, CHANNEL_CONNECT_FETCH_TIMEOUT_MS, CHANNEL_SSE_INACTIVITY_TIMEOUT_MS, CHANNEL_MODE_FETCH_TIMEOUT_MS, CHANNEL_AWARENESS_FETCH_TIMEOUT_MS, CHANNEL_ERROR_REPORT_TIMEOUT_MS, CHANNEL_REPLY_FETCH_TIMEOUT_MS, CHANNEL_PERMISSION_FETCH_TIMEOUT_MS, CHANNEL_MAX_SSE_BUFFER_BYTES, TOKEN_FILE_NAME;
+var DEFAULT_MCP_PORT, TANDEM_REPO_URL, TANDEM_ISSUES_NEW_URL, MAX_FILE_SIZE, SESSION_MAX_AGE, TANDEM_MODE_DEFAULT, CHANNEL_MAX_RETRIES, CHANNEL_RETRY_DELAY_MS, CHANNEL_CONNECT_FETCH_TIMEOUT_MS, CHANNEL_SSE_INACTIVITY_TIMEOUT_MS, CHANNEL_MODE_FETCH_TIMEOUT_MS, CHANNEL_AWARENESS_FETCH_TIMEOUT_MS, CHANNEL_ERROR_REPORT_TIMEOUT_MS, CHANNEL_REPLY_FETCH_TIMEOUT_MS, CHANNEL_PERMISSION_FETCH_TIMEOUT_MS, CHANNEL_MAX_SSE_BUFFER_BYTES, TOKEN_FILE_NAME;
 var init_constants = __esm({
   "src/shared/constants.ts"() {
     "use strict";
@@ -364,9 +378,8 @@ var init_constants = __esm({
     TANDEM_REPO_URL = "https://github.com/bloknayrb/tandem";
     TANDEM_ISSUES_NEW_URL = `${TANDEM_REPO_URL}/issues/new`;
     MAX_FILE_SIZE = 50 * 1024 * 1024;
-    MAX_WS_PAYLOAD = 10 * 1024 * 1024;
-    IDLE_TIMEOUT = 30 * 60 * 1e3;
     SESSION_MAX_AGE = 30 * 24 * 60 * 60 * 1e3;
+    TANDEM_MODE_DEFAULT = "tandem";
     CHANNEL_MAX_RETRIES = 5;
     CHANNEL_RETRY_DELAY_MS = 2e3;
     CHANNEL_CONNECT_FETCH_TIMEOUT_MS = 1e4;
@@ -381,37 +394,236 @@ var init_constants = __esm({
   }
 });
 
-// src/cli/skill-content.ts
-import { readFileSync } from "fs";
-import { dirname, resolve } from "path";
-import { fileURLToPath } from "url";
-var __dirname, SKILL_PATH, SKILL_CONTENT;
-var init_skill_content = __esm({
-  "src/cli/skill-content.ts"() {
+// src/server/platform.ts
+import envPaths from "env-paths";
+import path3 from "path";
+function resolveAppDataDir() {
+  const envOverride = process.env.TANDEM_APP_DATA_DIR;
+  if (envOverride && envOverride.length > 0) return envOverride;
+  return envPaths("tandem", { suffix: "" }).data;
+}
+var APP_DATA_DIR, SESSION_DIR, LAST_SEEN_VERSION_FILE;
+var init_platform = __esm({
+  "src/server/platform.ts"() {
     "use strict";
-    __dirname = dirname(fileURLToPath(import.meta.url));
-    SKILL_PATH = resolve(__dirname, "../../skills/tandem/SKILL.md");
-    SKILL_CONTENT = readFileSync(SKILL_PATH, "utf-8");
+    APP_DATA_DIR = resolveAppDataDir();
+    SESSION_DIR = path3.join(APP_DATA_DIR, "sessions");
+    LAST_SEEN_VERSION_FILE = path3.join(APP_DATA_DIR, "last-seen-version");
   }
 });
 
-// src/cli/setup.ts
-var setup_exports = {};
-__export(setup_exports, {
-  applyConfig: () => applyConfig,
-  applyConfigWithToken: () => applyConfigWithToken,
-  buildMcpEntries: () => buildMcpEntries,
-  detectTargets: () => detectTargets,
-  installSkill: () => installSkill,
-  runSetup: () => runSetup,
-  validateChannelShimPrereq: () => validateChannelShimPrereq
+// src/server/integrations/acl-win.ts
+import { execFile as execFile2 } from "child_process";
+import { join } from "path";
+import { promisify as promisify2 } from "util";
+function systemBin(name) {
+  return join(process.env.SystemRoot ?? "C:\\Windows", "System32", name);
+}
+async function runPowerShell(script, env) {
+  const args2 = ["-NoProfile", "-NonInteractive", "-Command", script];
+  try {
+    return await execFileAsync2("pwsh.exe", args2, { env });
+  } catch (err) {
+    const code = err.code;
+    if (code !== "ENOENT") throw err;
+    try {
+      return await execFileAsync2("powershell.exe", args2, { env });
+    } catch (fallbackErr) {
+      throw new Error(
+        `runPowerShell: both pwsh.exe and powershell.exe failed (pwsh: ${err.message})`,
+        { cause: fallbackErr }
+      );
+    }
+  }
+}
+async function getCurrentUserSid() {
+  if (cachedCurrentUserSid !== null) return cachedCurrentUserSid;
+  const { stdout } = await execFileAsync2(systemBin("whoami.exe"), ["/user", "/fo", "csv", "/nh"]);
+  const match = stdout.match(/"(S-[\d-]+)"\s*$/m);
+  if (!match) {
+    throw new Error(`getCurrentUserSid: could not parse SID from whoami output: ${stdout.trim()}`);
+  }
+  cachedCurrentUserSid = match[1];
+  return cachedCurrentUserSid;
+}
+async function setRestrictiveAcl(path6) {
+  if (process.platform !== "win32") return;
+  const sid = await getCurrentUserSid();
+  try {
+    await execFileAsync2(systemBin("icacls.exe"), [path6, "/inheritance:r", "/grant:r", `*${sid}:F`]);
+  } catch (err) {
+    throw new Error(`setRestrictiveAcl: icacls failed on ${path6}: ${err.message}`, {
+      cause: err
+    });
+  }
+  await assertNoBroadAce(path6);
+}
+async function assertNoBroadAce(path6) {
+  if (process.platform !== "win32") return;
+  const script = "Import-Module Microsoft.PowerShell.Security; (Get-Acl -LiteralPath $env:TANDEM_ACL_PATH).Sddl";
+  const { stdout } = await runPowerShell(script, {
+    ...process.env,
+    TANDEM_ACL_PATH: path6
+  });
+  const sddl = stdout.trim();
+  for (const fragment of BROAD_SDDL_FRAGMENTS) {
+    if (sddl.includes(fragment)) {
+      throw new Error(
+        `assertNoBroadAce: ${path6} has a broad-principal ACE (SDDL fragment ${fragment}). SDDL:
+${sddl}`
+      );
+    }
+  }
+}
+var execFileAsync2, BROAD_SDDL_FRAGMENTS, cachedCurrentUserSid;
+var init_acl_win = __esm({
+  "src/server/integrations/acl-win.ts"() {
+    "use strict";
+    execFileAsync2 = promisify2(execFile2);
+    BROAD_SDDL_FRAGMENTS = [
+      ";WD)",
+      // Everyone (S-1-1-0)
+      ";AU)",
+      // Authenticated Users (S-1-5-11)
+      ";BU)"
+      // BUILTIN\Users (S-1-5-32-545)
+    ];
+    cachedCurrentUserSid = null;
+  }
 });
+
+// src/server/integrations/backup.ts
 import { randomUUID } from "crypto";
-import { existsSync, readdirSync, readFileSync as readFileSync2 } from "fs";
-import { copyFile, mkdir, rename, unlink, writeFile } from "fs/promises";
-import { homedir } from "os";
-import { basename, dirname as dirname2, join, resolve as resolve2 } from "path";
+import { open, readdir, rm } from "fs/promises";
+import { join as join2 } from "path";
+function backupDir(appDataDir) {
+  return join2(appDataDir, BACKUP_DIR_NAME);
+}
+function formatTimestamp(d) {
+  const pad = (n) => String(n).padStart(2, "0");
+  return `${d.getFullYear()}${pad(d.getMonth() + 1)}${pad(d.getDate())}-${pad(d.getHours())}${pad(d.getMinutes())}${pad(d.getSeconds())}`;
+}
+function backupFilename(now = /* @__PURE__ */ new Date()) {
+  const ts = formatTimestamp(now);
+  const uuid8 = randomUUID().slice(0, 8);
+  return `${BACKUP_PREFIX}${ts}-${uuid8}${BACKUP_SUFFIX}`;
+}
+async function writeBackup(dir, content) {
+  const backupPath = join2(dir, backupFilename());
+  const fd = await open(backupPath, "wx", 384);
+  let writeFailed = false;
+  try {
+    try {
+      await fd.write(content);
+    } catch (writeErr) {
+      writeFailed = true;
+      throw writeErr;
+    }
+  } finally {
+    await fd.close();
+    if (writeFailed) {
+      await rm(backupPath, { force: true }).catch(() => {
+      });
+    }
+  }
+  if (process.platform === "win32") {
+    try {
+      await setRestrictiveAcl(backupPath);
+    } catch (aclErr) {
+      await rm(backupPath, { force: true }).catch(() => {
+      });
+      throw aclErr;
+    }
+  }
+  return backupPath;
+}
+async function listBackups(dir, prefix = BACKUP_PREFIX, suffix = BACKUP_SUFFIX) {
+  let entries;
+  try {
+    entries = await readdir(dir);
+  } catch (err) {
+    if (err.code === "ENOENT") return [];
+    throw err;
+  }
+  return entries.filter((e) => e.startsWith(prefix) && e.endsWith(suffix)).sort().reverse();
+}
+async function pruneOldBackups(dir, prefix = BACKUP_PREFIX, suffix = BACKUP_SUFFIX, max = MAX_BACKUPS) {
+  const all = await listBackups(dir, prefix, suffix);
+  const toRemove = all.slice(max);
+  const failures = [];
+  for (const name of toRemove) {
+    const fullPath = join2(dir, name);
+    try {
+      await rm(fullPath, { force: true });
+    } catch (err) {
+      failures.push({ path: fullPath, err });
+    }
+  }
+  if (failures.length > 0) {
+    const summary = failures.map((f) => `${f.path}: ${f.err instanceof Error ? f.err.message : String(f.err)}`).join("; ");
+    console.error(
+      `[tandem] backup sweep: ${failures.length} entries could not be removed (${summary})`
+    );
+  }
+  return toRemove.map((name) => join2(dir, name));
+}
+function shouldBackup(existing, newEntry) {
+  if (existing == null) return false;
+  return canonicalJson(existing) !== canonicalJson(newEntry);
+}
+function canonicalJson(value) {
+  if (value === null || typeof value !== "object") return JSON.stringify(value);
+  if (Array.isArray(value)) return `[${value.map(canonicalJson).join(",")}]`;
+  const keys = Object.keys(value).sort();
+  const parts = keys.map(
+    (k) => `${JSON.stringify(k)}:${canonicalJson(value[k])}`
+  );
+  return `{${parts.join(",")}}`;
+}
+var BACKUP_DIR_NAME, BACKUP_PREFIX, BACKUP_SUFFIX, MAX_BACKUPS;
+var init_backup = __esm({
+  "src/server/integrations/backup.ts"() {
+    "use strict";
+    init_acl_win();
+    BACKUP_DIR_NAME = ".backups";
+    BACKUP_PREFIX = "claude-json-";
+    BACKUP_SUFFIX = ".json";
+    MAX_BACKUPS = 3;
+  }
+});
+
+// src/server/integrations/apply.ts
+import { randomUUID as randomUUID2 } from "crypto";
+import {
+  chmodSync,
+  existsSync,
+  constants as fsConstants,
+  lstatSync,
+  mkdirSync,
+  readdirSync,
+  readFileSync as readFileSync2,
+  realpathSync,
+  statSync
+} from "fs";
+import {
+  chmod,
+  copyFile,
+  mkdir,
+  open as open2,
+  readFile,
+  rename,
+  unlink,
+  writeFile
+} from "fs/promises";
+import { homedir, tmpdir } from "os";
+import { basename, dirname as dirname2, join as join3, resolve as resolve2, sep } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
+function applyOpsForCli(create, opts) {
+  return {
+    create,
+    remove: opts.withChannelShim ? [] : ["tandem-channel"]
+  };
+}
 function buildMcpEntries(channelPath, opts = {}) {
   const isDesktop = opts.targetKind === "claude-desktop";
   let tandemEntry;
@@ -445,20 +657,66 @@ function buildMcpEntries(channelPath, opts = {}) {
   }
   return entries;
 }
+function realpathCached(p) {
+  const cached = DEFAULT_ROOTS_CACHE.get(p);
+  if (cached !== void 0) return cached;
+  try {
+    const r = realpathSync(p);
+    DEFAULT_ROOTS_CACHE.set(p, r);
+    return r;
+  } catch {
+    return p;
+  }
+}
+function assertPathSafe(targetPath, opts = {}) {
+  const allowedRoots = (opts.allowedRoots ?? [homedir(), tmpdir()]).map(realpathCached);
+  let cursor = targetPath;
+  let existing = null;
+  while (true) {
+    if (existsSync(cursor)) {
+      const st = lstatSync(cursor);
+      if (st.isSymbolicLink()) {
+        throw new PathRejectedError(
+          targetPath,
+          "symlink",
+          `Refusing to operate on symlinked path: ${cursor}`
+        );
+      }
+      existing = cursor;
+      break;
+    }
+    const parent = dirname2(cursor);
+    if (parent === cursor) break;
+    cursor = parent;
+  }
+  const resolved = existing ? realpathSync(existing) : targetPath;
+  const ok = allowedRoots.some((root) => {
+    if (resolved === root) return true;
+    const normRoot = root.endsWith(sep) ? root : `${root}${sep}`;
+    return resolved.startsWith(normRoot);
+  });
+  if (!ok) {
+    throw new PathRejectedError(
+      targetPath,
+      "outside-home",
+      `Refusing path outside allowed roots: realpath=${resolved}`
+    );
+  }
+}
 function detectTargets(opts = {}) {
   const home = opts.homeOverride ?? homedir();
   const targets = [];
-  const claudeCodeConfig = join(home, ".claude.json");
-  const claudeCodeDir = join(home, ".claude");
+  const claudeCodeConfig = join3(home, ".claude.json");
+  const claudeCodeDir = join3(home, ".claude");
   if (opts.force || existsSync(claudeCodeConfig) || existsSync(claudeCodeDir)) {
     targets.push({ label: "Claude Code", configPath: claudeCodeConfig, kind: "claude-code" });
   }
   let desktopConfig = null;
   if (process.platform === "win32") {
-    const appdata = process.env.APPDATA ?? join(home, "AppData", "Roaming");
-    desktopConfig = join(appdata, "Claude", "claude_desktop_config.json");
+    const appdata = process.env.APPDATA ?? join3(home, "AppData", "Roaming");
+    desktopConfig = join3(appdata, "Claude", "claude_desktop_config.json");
   } else if (process.platform === "darwin") {
-    desktopConfig = join(
+    desktopConfig = join3(
       home,
       "Library",
       "Application Support",
@@ -466,18 +724,24 @@ function detectTargets(opts = {}) {
       "claude_desktop_config.json"
     );
   } else {
-    desktopConfig = join(home, ".config", "claude", "claude_desktop_config.json");
+    desktopConfig = join3(home, ".config", "claude", "claude_desktop_config.json");
   }
   if (desktopConfig && (opts.force || existsSync(desktopConfig))) {
     targets.push({ label: "Claude Desktop", configPath: desktopConfig, kind: "claude-desktop" });
   }
   if (process.platform === "win32") {
-    const localAppData = opts.localAppDataOverride ?? process.env.LOCALAPPDATA ?? join(home, "AppData", "Local");
-    const packagesDir = join(localAppData, "Packages");
+    const localAppData = opts.localAppDataOverride ?? process.env.LOCALAPPDATA ?? join3(home, "AppData", "Local");
+    try {
+      assertPathSafe(localAppData, { allowedRoots: [home] });
+    } catch {
+      return targets;
+    }
+    const packagesDir = join3(localAppData, "Packages");
     try {
       const entries = readdirSync(packagesDir);
-      for (const pkg of entries.filter((n) => n.startsWith("Claude_"))) {
-        const msixConfig = join(
+      const matching = entries.filter((n) => MSIX_PACKAGE_PATTERN.test(n));
+      for (const pkg of matching) {
+        const msixConfig = join3(
           packagesDir,
           pkg,
           "LocalCache",
@@ -486,7 +750,7 @@ function detectTargets(opts = {}) {
           "claude_desktop_config.json"
         );
         if (opts.force || existsSync(msixConfig)) {
-          const suffix = entries.filter((n) => n.startsWith("Claude_")).length > 1 ? ` (${pkg.slice(0, 12)}\u2026)` : "";
+          const suffix = matching.length > 1 ? ` (${pkg.slice(0, 12)}\u2026)` : "";
           targets.push({
             label: `Claude Desktop MSIX${suffix}`,
             configPath: msixConfig,
@@ -500,37 +764,102 @@ function detectTargets(opts = {}) {
   return targets;
 }
 async function atomicWrite(content, dest) {
-  const tmp = join(dirname2(dest), `.tandem-setup-${randomUUID()}.tmp`);
+  const tmp = join3(dirname2(dest), `.tandem-setup-${randomUUID2()}.tmp`);
   await writeFile(tmp, content, "utf-8");
+  try {
+    if (process.platform === "win32") {
+      await setRestrictiveAcl(tmp);
+    } else {
+      await chmod(tmp, 384);
+    }
+  } catch (tightenErr) {
+    await unlinkOrLeak(tmp, tightenErr);
+    throw tightenErr;
+  }
   try {
     await rename(tmp, dest);
   } catch (err) {
     if (err.code === "EXDEV") {
       await copyFile(tmp, dest);
-      await unlink(tmp).catch((cleanupErr) => {
-        console.error(`  Warning: could not remove temp file ${tmp}: ${cleanupErr.message}`);
-      });
+      await unlinkOrLeak(tmp, err);
+      if (process.platform === "win32") await setRestrictiveAcl(dest);
+      else await chmod(dest, 384);
     } else {
-      await unlink(tmp).catch((cleanupErr) => {
-        console.error(`  Warning: could not remove temp file ${tmp}: ${cleanupErr.message}`);
-      });
+      await unlinkOrLeak(tmp, err);
       throw err;
     }
   }
 }
-async function applyConfig(configPath, entries) {
+async function unlinkOrLeak(path6, originalErr) {
+  try {
+    await unlink(path6);
+  } catch (cleanupErr) {
+    if (originalErr instanceof Error && originalErr.cause === void 0) {
+      originalErr.cause = cleanupErr;
+    }
+    console.error(
+      `  Warning: could not remove ${path6} after a previous failure: ${cleanupErr.message}`
+    );
+  }
+}
+async function applyConfig(configPath, ops) {
+  assertPathSafe(configPath);
+  try {
+    const { size } = statSync(configPath);
+    if (size > MAX_CONFIG_BYTES) {
+      throw new Error(
+        `${configPath} is ${size} bytes; refusing to read (cap: ${MAX_CONFIG_BYTES}).`
+      );
+    }
+  } catch (err) {
+    if (err.code !== "ENOENT") throw err;
+  }
   let existing = {};
   try {
-    existing = JSON.parse(readFileSync2(configPath, "utf-8"));
+    let raw = readFileSync2(configPath, "utf-8");
+    if (raw.charCodeAt(0) === 65279) raw = raw.slice(1);
+    const parsed = JSON.parse(raw);
+    if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+      throw new Error(`${configPath} root is not a JSON object \u2014 refusing to rewrite`);
+    }
+    const maybeServers = parsed.mcpServers;
+    if (maybeServers !== void 0 && (maybeServers === null || typeof maybeServers !== "object" || Array.isArray(maybeServers))) {
+      throw new Error(`${configPath} mcpServers is not an object \u2014 refusing to rewrite`);
+    }
+    existing = parsed;
   } catch (err) {
     const code = err.code;
     if (code === "ENOENT") {
     } else if (err instanceof SyntaxError) {
-      const backupPath = `${configPath}.broken-${Date.now()}`;
+      const brokenBackupDir = join3(resolveAppDataDir(), ".broken-backups");
+      assertPathSafe(brokenBackupDir);
+      mkdirSync(brokenBackupDir, { recursive: true, mode: 448 });
+      const backupPath2 = join3(
+        brokenBackupDir,
+        `${basename(configPath)}.broken-${Date.now()}-${randomUUID2()}`
+      );
       try {
-        await copyFile(configPath, backupPath);
+        if (process.platform === "win32") {
+          try {
+            await setRestrictiveAcl(brokenBackupDir);
+          } catch (aclErr) {
+            throw new Error(
+              `failed to apply restrictive ACL to broken-backups dir ${brokenBackupDir}: ${aclErr instanceof Error ? aclErr.message : String(aclErr)}`,
+              { cause: aclErr }
+            );
+          }
+          await copyFile(configPath, backupPath2, fsConstants.COPYFILE_EXCL);
+        } else {
+          const data = await readFile(configPath);
+          const fd = await open2(backupPath2, "wx", 384);
+          try {
+            await fd.write(data);
+          } finally {
+            await fd.close();
+          }
+        }
         console.error(
-          `  Warning: ${configPath} contains malformed JSON \u2014 backed up to ${basename(backupPath)}, replacing with fresh config`
+          `  Warning: ${configPath} contains malformed JSON \u2014 backed up to ${backupPath2}, replacing with fresh config`
         );
       } catch (copyErr) {
         console.error(
@@ -542,28 +871,61 @@ async function applyConfig(configPath, entries) {
       throw err;
     }
   }
+  const backupPath = await maybeBackupExistingConfig(configPath, existing, ops);
+  if (backupPath && ops.onBackup) {
+    try {
+      ops.onBackup(backupPath);
+    } catch (cbErr) {
+      console.error(
+        `  Warning: onBackup callback threw \u2014 continuing with rewrite: ${cbErr instanceof Error ? cbErr.message : cbErr}`
+      );
+    }
+  }
   const merged = {
     ...existing.mcpServers ?? {},
-    ...entries
+    ...ops.create
   };
-  if (!entries["tandem-channel"]) {
-    if (merged["tandem-channel"]) {
-      console.error(
-        `  Warning: removed stale tandem-channel entry from ${configPath} (legacy Tauri install artifact)`
-      );
+  for (const key of ops.remove) {
+    if (merged[key]) {
+      console.error(`  Note: removed mcpServers.${key} from ${configPath}`);
     }
-    delete merged["tandem-channel"];
+    delete merged[key];
   }
   const updated = { ...existing, mcpServers: merged };
   await mkdir(dirname2(configPath), { recursive: true });
   await atomicWrite(JSON.stringify(updated, null, 2) + "\n", configPath);
 }
+async function maybeBackupExistingConfig(configPath, existing, ops) {
+  const existingTandem = existing.mcpServers?.tandem;
+  if (!shouldBackup(existingTandem, ops.create.tandem)) return void 0;
+  const dir = backupDir(resolveAppDataDir());
+  assertPathSafe(dir);
+  mkdirSync(dir, { recursive: true, mode: 448 });
+  if (process.platform !== "win32") {
+    try {
+      const dirStat = statSync(dir);
+      if ((dirStat.mode & 511) !== 448) chmodSync(dir, 448);
+    } catch {
+    }
+  }
+  const content = readFileSync2(configPath);
+  const backupPath = await writeBackup(dir, content);
+  await pruneOldBackups(dir);
+  return backupPath;
+}
 async function installSkill(opts = {}) {
   const home = opts.homeOverride ?? homedir();
-  const skillPath = join(home, ".claude", "skills", "tandem", "SKILL.md");
+  const skillPath = join3(home, ".claude", "skills", "tandem", "SKILL.md");
+  assertPathSafe(skillPath, { allowedRoots: opts.homeOverride ? [opts.homeOverride] : void 0 });
   await mkdir(dirname2(skillPath), { recursive: true });
   await atomicWrite(SKILL_CONTENT, skillPath);
 }
+function readSkillVersion(skillContent) {
+  const match = skillContent.match(/^version:\s*(\d+)\s*$/m);
+  if (!match) return 0;
+  const n = parseInt(match[1], 10);
+  return Number.isFinite(n) ? n : 0;
+}
 function validateChannelShimPrereq(channelPath) {
   return existsSync(channelPath);
 }
@@ -578,7 +940,10 @@ async function applyConfigWithToken(token, opts = {}) {
       targetKind: t.kind
     });
     try {
-      await applyConfig(t.configPath, entries);
+      await applyConfig(
+        t.configPath,
+        applyOpsForCli(entries, { withChannelShim: !!opts.withChannelShim })
+      );
       updated++;
     } catch (err) {
       errors.push(`${t.label}: ${err instanceof Error ? err.message : String(err)}`);
@@ -586,6 +951,53 @@ async function applyConfigWithToken(token, opts = {}) {
   }
   return { updated, errors };
 }
+var __dirname2, PACKAGE_ROOT, CHANNEL_DIST, MCP_URL, MAX_CONFIG_BYTES, PathRejectedError, DEFAULT_ROOTS_CACHE, MSIX_PACKAGE_PATTERN, BUNDLED_SKILL_VERSION;
+var init_apply = __esm({
+  "src/server/integrations/apply.ts"() {
+    "use strict";
+    init_skill_content();
+    init_constants();
+    init_platform();
+    init_acl_win();
+    init_backup();
+    __dirname2 = dirname2(fileURLToPath2(import.meta.url));
+    PACKAGE_ROOT = (() => {
+      const fromBundle = resolve2(__dirname2, "../..");
+      if (existsSync(join3(fromBundle, "package.json"))) return fromBundle;
+      return resolve2(__dirname2, "../../..");
+    })();
+    CHANNEL_DIST = resolve2(PACKAGE_ROOT, "dist/channel/index.js");
+    MCP_URL = `http://127.0.0.1:${DEFAULT_MCP_PORT}`;
+    MAX_CONFIG_BYTES = 5 * 1024 * 1024;
+    PathRejectedError = class extends Error {
+      constructor(path6, reason, message) {
+        super(message);
+        this.path = path6;
+        this.reason = reason;
+      }
+      name = "PathRejectedError";
+    };
+    DEFAULT_ROOTS_CACHE = /* @__PURE__ */ new Map();
+    MSIX_PACKAGE_PATTERN = /^Claude_[A-Za-z0-9]+$/;
+    BUNDLED_SKILL_VERSION = readSkillVersion(SKILL_CONTENT);
+  }
+});
+
+// src/cli/setup.ts
+var setup_exports = {};
+__export(setup_exports, {
+  PathRejectedError: () => PathRejectedError,
+  applyConfig: () => applyConfig,
+  applyConfigWithToken: () => applyConfigWithToken,
+  applyOpsForCli: () => applyOpsForCli,
+  buildMcpEntries: () => buildMcpEntries,
+  detectTargets: () => detectTargets,
+  installSkill: () => installSkill,
+  runSetup: () => runSetup,
+  validateChannelShimPrereq: () => validateChannelShimPrereq
+});
+import { existsSync as existsSync2 } from "fs";
+import { join as join4 } from "path";
 async function runSetup(opts = {}) {
   console.error("\nTandem Setup\n");
   if (opts.withChannelShim && !validateChannelShimPrereq(CHANNEL_DIST)) {
@@ -614,7 +1026,10 @@ Run 'npm run build' first, or drop --with-channel-shim to use the plugin monitor
       targetKind: t.kind
     });
     try {
-      await applyConfig(t.configPath, entries);
+      await applyConfig(
+        t.configPath,
+        applyOpsForCli(entries, { withChannelShim: !!opts.withChannelShim })
+      );
       console.error(`  \x1B[32m\u2713\x1B[0m ${t.label}`);
     } catch (err) {
       failures++;
@@ -645,8 +1060,8 @@ Setup partially complete (${failures} target(s) failed). Start Tandem with: tand
     );
   }
   if (failures < targets.length) {
-    const pluginManifest = join(PACKAGE_ROOT, ".claude-plugin", "plugin.json");
-    const devInstructions = existsSync(pluginManifest) ? `  Or for development, load directly from this package:
+    const pluginManifest = join4(PACKAGE_ROOT, ".claude-plugin", "plugin.json");
+    const devInstructions = existsSync2(pluginManifest) ? `  Or for development, load directly from this package:
 
     claude --plugin-dir ${PACKAGE_ROOT}
 
@@ -658,16 +1073,11 @@ Setup partially complete (${failures} target(s) failed). Start Tandem with: tand
     );
   }
 }
-var __dirname2, PACKAGE_ROOT, CHANNEL_DIST, MCP_URL;
 var init_setup = __esm({
   "src/cli/setup.ts"() {
     "use strict";
-    init_constants();
-    init_skill_content();
-    __dirname2 = dirname2(fileURLToPath2(import.meta.url));
-    PACKAGE_ROOT = resolve2(__dirname2, "../..");
-    CHANNEL_DIST = resolve2(PACKAGE_ROOT, "dist/channel/index.js");
-    MCP_URL = `http://localhost:${DEFAULT_MCP_PORT}`;
+    init_apply();
+    init_apply();
   }
 });
 
@@ -689,7 +1099,7 @@ function resolveTandemUrlCandidate(override) {
   for (const url of candidates) {
     if (url !== void 0 && url.trim() !== "") return url.trim();
   }
-  return `http://localhost:${DEFAULT_MCP_PORT}`;
+  return `http://127.0.0.1:${DEFAULT_MCP_PORT}`;
 }
 function resolveAuthTokenCandidate(override) {
   const candidates = [
@@ -1057,6 +1467,21 @@ ${err.stack ?? ""}
   }
 });
 
+// src/shared/api-paths.ts
+var API_EVENTS, API_CHANNEL_AWARENESS, API_CHANNEL_ERROR, API_CHANNEL_REPLY, API_CHANNEL_PERMISSION, API_MODE, API_ROTATE_TOKEN;
+var init_api_paths = __esm({
+  "src/shared/api-paths.ts"() {
+    "use strict";
+    API_EVENTS = "/api/events";
+    API_CHANNEL_AWARENESS = "/api/channel-awareness";
+    API_CHANNEL_ERROR = "/api/channel-error";
+    API_CHANNEL_REPLY = "/api/channel-reply";
+    API_CHANNEL_PERMISSION = "/api/channel-permission";
+    API_MODE = "/api/mode";
+    API_ROTATE_TOKEN = "/api/rotate-token";
+  }
+});
+
 // src/shared/fetch-with-timeout.ts
 async function fetchWithTimeout(url, init, timeoutMs) {
   const timeoutSignal = AbortSignal.timeout(timeoutMs);
@@ -1199,50 +1624,113 @@ var init_types = __esm({
   }
 });
 
-// src/channel/event-bridge.ts
-async function startEventBridge(mcp, tandemUrl) {
+// src/shared/positions/types.ts
+var init_types2 = __esm({
+  "src/shared/positions/types.ts"() {
+    "use strict";
+  }
+});
+
+// src/shared/types.ts
+import { z } from "zod";
+var AnnotationTypeSchema, AnnotationStatusSchema, HighlightColorSchema, SeveritySchema, TandemModeSchema, AuthorSchema, ReplyAuthorSchema, AnnotationActionSchema, ExportFormatSchema, DocumentFormatSchema, ToolErrorCodeSchema, ChannelErrorCodeSchema, CHANNEL_CONNECT_FAILED;
+var init_types3 = __esm({
+  "src/shared/types.ts"() {
+    "use strict";
+    init_types2();
+    AnnotationTypeSchema = z.enum(["highlight", "note", "comment"]);
+    AnnotationStatusSchema = z.enum(["pending", "accepted", "dismissed"]);
+    HighlightColorSchema = z.enum(["yellow", "green", "blue", "pink"]);
+    SeveritySchema = z.enum(["info", "warning", "error", "success"]);
+    TandemModeSchema = z.enum(["solo", "tandem"]);
+    AuthorSchema = z.enum(["user", "claude", "import"]);
+    ReplyAuthorSchema = z.enum(["user", "claude"]);
+    AnnotationActionSchema = z.enum(["accept", "dismiss"]);
+    ExportFormatSchema = z.enum(["markdown", "json"]);
+    DocumentFormatSchema = z.enum(["md", "txt", "html", "docx"]);
+    ToolErrorCodeSchema = z.enum([
+      "RANGE_GONE",
+      "RANGE_MOVED",
+      "FILE_LOCKED",
+      "FILE_NOT_FOUND",
+      "NO_DOCUMENT",
+      "INVALID_RANGE",
+      "INVALID_ARGUMENT",
+      "NOT_FOUND",
+      "ANNOTATION_RESOLVED",
+      "FORMAT_ERROR",
+      "PERMISSION_DENIED"
+    ]);
+    ChannelErrorCodeSchema = z.enum(["CHANNEL_CONNECT_FAILED", "MONITOR_CONNECT_FAILED"]);
+    CHANNEL_CONNECT_FAILED = "CHANNEL_CONNECT_FAILED";
+  }
+});
+
+// src/shared/sse-consumer.ts
+function trackAwareness(p) {
+  outstandingAwareness.add(p);
+  p.finally(() => outstandingAwareness.delete(p));
+}
+async function runEventConsumer(opts) {
+  await getCachedMode(opts.tandemUrl, opts.logPrefix).catch(() => {
+  });
   let retries = 0;
   let lastEventId;
   while (retries < CHANNEL_MAX_RETRIES) {
     try {
-      await connectAndStream(mcp, tandemUrl, lastEventId, (id) => {
-        lastEventId = id;
-        retries = 0;
+      await connectAndStreamOnce(opts, lastEventId, {
+        onEventId: (id) => {
+          lastEventId = id;
+        },
+        onStable: () => {
+          retries = 0;
+        }
       });
     } catch (err) {
       retries++;
       console.error(
-        `[Channel] SSE connection failed (${retries}/${CHANNEL_MAX_RETRIES}):`,
+        `${opts.logPrefix} SSE connection failed (${retries}/${CHANNEL_MAX_RETRIES}):`,
         err instanceof Error ? err.message : err
       );
       if (retries >= CHANNEL_MAX_RETRIES) {
-        console.error("[Channel] SSE connection exhausted, reporting error and exiting");
+        console.error(`${opts.logPrefix} SSE connection exhausted, reporting error and exiting`);
         try {
           await fetchWithTimeout(
-            `${tandemUrl}/api/channel-error`,
+            `${opts.tandemUrl}${API_CHANNEL_ERROR}`,
             {
               method: "POST",
               headers: { "Content-Type": "application/json" },
               body: JSON.stringify({
-                error: "CHANNEL_CONNECT_FAILED",
-                message: `Channel shim lost connection after ${CHANNEL_MAX_RETRIES} retries.`
+                error: opts.errorCode,
+                message: `${opts.logPrefix} lost connection after ${CHANNEL_MAX_RETRIES} retries.`
               })
             },
             CHANNEL_ERROR_REPORT_TIMEOUT_MS
           );
         } catch (reportErr) {
           console.error(
-            "[Channel] Could not report failure to server:",
-            describeFetchError(reportErr, "/api/channel-error", CHANNEL_ERROR_REPORT_TIMEOUT_MS)
+            `${opts.logPrefix} Could not report failure to server:`,
+            describeFetchError(reportErr, API_CHANNEL_ERROR, CHANNEL_ERROR_REPORT_TIMEOUT_MS)
           );
         }
+        opts.onExhaustion?.();
         process.exit(1);
       }
-      await new Promise((r) => setTimeout(r, CHANNEL_RETRY_DELAY_MS));
+      const delay = Math.min(CHANNEL_RETRY_DELAY_MS * 2 ** (retries - 1), RETRY_MAX_DELAY_MS);
+      console.error(
+        `${opts.logPrefix} Retrying in ${delay}ms (attempt ${retries}/${CHANNEL_MAX_RETRIES})...`
+      );
+      await new Promise((r) => setTimeout(r, delay));
     }
   }
+  console.error(
+    `${opts.logPrefix} Retry loop exited unexpectedly (retries=${retries}/${CHANNEL_MAX_RETRIES})`
+  );
+  process.exit(1);
 }
-async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
+async function connectAndStreamOnce(opts, lastEventId, cb) {
+  const onStable = cb.onStable ?? (() => {
+  });
   const headers = { Accept: "text/event-stream" };
   if (lastEventId) headers["Last-Event-ID"] = lastEventId;
   const connectCtrl = new AbortController();
@@ -1252,12 +1740,16 @@ async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
   );
   let res;
   try {
-    res = await authFetch(`${tandemUrl}/api/events`, { headers, signal: connectCtrl.signal });
+    res = await authFetch(`${opts.tandemUrl}${API_EVENTS}`, {
+      headers,
+      signal: connectCtrl.signal
+    });
   } finally {
     clearTimeout(connectTimer);
   }
   if (!res.ok) throw new Error(`SSE endpoint returned ${res.status}`);
   if (!res.body) throw new Error("SSE endpoint returned no body");
+  const stableTimer = setTimeout(onStable, STABLE_CONNECTION_MS);
   const reader = res.body.getReader();
   const decoder = new TextDecoder();
   let buffer = "";
@@ -1270,13 +1762,10 @@ async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
       });
     }
   }, CHANNEL_SSE_INACTIVITY_TIMEOUT_MS / 4);
-  let awarenessTimer = null;
-  let clearAwarenessTimer = null;
   let pendingAwareness = null;
-  const AWARENESS_CLEAR_MS = 3e3;
-  function clearAwareness(documentId) {
-    fetchWithTimeout(
-      `${tandemUrl}/api/channel-awareness`,
+  function clearAwarenessNow(documentId) {
+    const p = fetchWithTimeout(
+      `${opts.tandemUrl}${API_CHANNEL_AWARENESS}`,
       {
         method: "POST",
         headers: { "Content-Type": "application/json" },
@@ -1289,17 +1778,23 @@ async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
       CHANNEL_AWARENESS_FETCH_TIMEOUT_MS
     ).catch((err) => {
       console.error(
-        "[Channel] clearAwareness failed (non-fatal):",
-        describeFetchError(err, "/api/channel-awareness clear", CHANNEL_AWARENESS_FETCH_TIMEOUT_MS)
+        `${opts.logPrefix} Awareness clear failed:`,
+        describeFetchError(
+          err,
+          `${API_CHANNEL_AWARENESS} clear`,
+          CHANNEL_AWARENESS_FETCH_TIMEOUT_MS
+        )
       );
     });
+    trackAwareness(p);
   }
   function flushAwareness() {
     if (!pendingAwareness) return;
     const event = pendingAwareness;
     pendingAwareness = null;
-    fetchWithTimeout(
-      `${tandemUrl}/api/channel-awareness`,
+    if (event.documentId) shutdownTimers.lastDocumentId = event.documentId;
+    const p = fetchWithTimeout(
+      `${opts.tandemUrl}${API_CHANNEL_AWARENESS}`,
       {
         method: "POST",
         headers: { "Content-Type": "application/json" },
@@ -1312,21 +1807,25 @@ async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
       CHANNEL_AWARENESS_FETCH_TIMEOUT_MS
     ).catch((err) => {
       console.error(
-        "[Channel] Awareness update failed:",
+        `${opts.logPrefix} Awareness update failed:`,
         describeFetchError(
           err,
-          "/api/channel-awareness update",
+          `${API_CHANNEL_AWARENESS} update`,
           CHANNEL_AWARENESS_FETCH_TIMEOUT_MS
         )
       );
     });
-    if (clearAwarenessTimer) clearTimeout(clearAwarenessTimer);
-    clearAwarenessTimer = setTimeout(() => clearAwareness(event.documentId), AWARENESS_CLEAR_MS);
+    trackAwareness(p);
+    if (shutdownTimers.clearAwarenessTimer) clearTimeout(shutdownTimers.clearAwarenessTimer);
+    shutdownTimers.clearAwarenessTimer = setTimeout(
+      () => clearAwarenessNow(event.documentId),
+      AWARENESS_CLEAR_MS
+    );
   }
   function scheduleAwareness(event) {
     pendingAwareness = event;
-    if (awarenessTimer) clearTimeout(awarenessTimer);
-    awarenessTimer = setTimeout(flushAwareness, AWARENESS_DEBOUNCE_MS);
+    if (shutdownTimers.awarenessTimer) clearTimeout(shutdownTimers.awarenessTimer);
+    shutdownTimers.awarenessTimer = setTimeout(flushAwareness, AWARENESS_DEBOUNCE_MS);
   }
   try {
     while (true) {
@@ -1354,90 +1853,164 @@ async function connectAndStream(mcp, tandemUrl, lastEventId, onEventId) {
           else if (line.startsWith("data: ")) data = line.slice(6);
         }
         if (!data) continue;
-        let event;
+        let raw;
         try {
-          event = parseTandemEvent(JSON.parse(data));
-        } catch {
+          raw = JSON.parse(data);
+        } catch (err) {
           console.error(
-            "[Channel] Malformed SSE event data (skipping), eventId=%s:",
-            eventId,
-            data.slice(0, 200)
+            `${opts.logPrefix} SSE JSON parse failed (eventId=${eventId ?? "none"}, len=${data.length}): ${err instanceof Error ? err.message : err}. Tail:`,
+            data.slice(Math.max(0, data.length - 200))
           );
-          if (eventId) onEventId(eventId);
+          if (eventId) cb.onEventId(eventId);
           continue;
         }
+        const event = parseTandemEvent(raw);
         if (!event) {
           console.error(
-            "[Channel] Invalid SSE event structure (skipping), eventId=%s:",
-            eventId,
-            data.slice(0, 200)
+            `${opts.logPrefix} SSE event failed validation (eventId=${eventId ?? "none"}): shape mismatch`
           );
-          if (eventId) onEventId(eventId);
+          if (eventId) cb.onEventId(eventId);
           continue;
         }
         if (event.type !== "chat:message") {
-          const mode = await getCachedMode(tandemUrl);
-          if (mode === "solo") {
-            console.error(`[Channel] Solo mode: suppressed ${event.type} event`);
-            if (eventId) onEventId(eventId);
+          refreshMode(opts.tandemUrl, opts.logPrefix);
+          if (getModeSync() === "solo") {
+            console.error(`${opts.logPrefix} Solo mode: suppressed ${event.type} event`);
+            if (eventId) cb.onEventId(eventId);
             continue;
           }
         }
         try {
-          await mcp.notification({
-            method: "notifications/claude/channel",
-            params: {
-              content: formatEventContent(event),
-              meta: formatEventMeta(event)
-            }
-          });
+          await opts.onEvent(event, eventId);
         } catch (err) {
-          console.error("[Channel] MCP notification failed (transport broken?):", err);
+          console.error(`${opts.logPrefix} onEvent failed (transport broken?):`, err);
           throw err;
         }
-        if (eventId) onEventId(eventId);
+        if (eventId) cb.onEventId(eventId);
         scheduleAwareness(event);
       }
     }
   } finally {
+    clearTimeout(stableTimer);
     clearInterval(watchdog);
-    if (awarenessTimer) clearTimeout(awarenessTimer);
-    if (clearAwarenessTimer) clearTimeout(clearAwarenessTimer);
+    if (shutdownTimers.awarenessTimer) clearTimeout(shutdownTimers.awarenessTimer);
+    if (shutdownTimers.clearAwarenessTimer) clearTimeout(shutdownTimers.clearAwarenessTimer);
+    shutdownTimers.awarenessTimer = null;
+    shutdownTimers.clearAwarenessTimer = null;
+    pendingAwareness = null;
   }
 }
-async function getCachedMode(tandemUrl) {
-  const now = Date.now();
-  if (now - cachedModeAt < MODE_CACHE_TTL_MS) return cachedMode;
+async function fetchMode(tandemUrl) {
   try {
-    const res = await fetchWithTimeout(`${tandemUrl}/api/mode`, {}, CHANNEL_MODE_FETCH_TIMEOUT_MS);
-    if (res.ok) {
-      const { mode } = await res.json();
-      cachedMode = mode;
-    } else {
-      console.error(`[Channel] Mode check returned ${res.status}, using cached: "${cachedMode}"`);
-    }
-    cachedModeAt = now;
+    const res = await fetchWithTimeout(
+      `${tandemUrl}${API_MODE}`,
+      {},
+      CHANNEL_MODE_FETCH_TIMEOUT_MS
+    );
+    if (!res.ok) return { ok: false, reason: `status ${res.status}` };
+    const body = await res.json();
+    const parsed = TandemModeSchema.safeParse(body.mode);
+    if (!parsed.success) return { ok: false, reason: `invalid mode ${JSON.stringify(body.mode)}` };
+    return { ok: true, mode: parsed.data };
   } catch (err) {
+    return { ok: false, reason: describeFetchError(err, API_MODE, CHANNEL_MODE_FETCH_TIMEOUT_MS) };
+  }
+}
+async function getCachedMode(tandemUrl, logPrefix = "[Tandem]") {
+  const now = Date.now();
+  if (now - cachedModeAt < MODE_CACHE_TTL_MS && cachedModeAt !== 0) return cachedMode;
+  const result = await fetchMode(tandemUrl);
+  if (!result.ok) {
+    if (cachedModeAt !== 0) {
+      console.error(
+        `${logPrefix} Mode check failed (${result.reason}), preserving last known mode '${cachedMode}'`
+      );
+      return cachedMode;
+    }
     console.error(
-      "[Channel] Mode check failed, delivering event (fail-open):",
-      describeFetchError(err, "/api/mode", CHANNEL_MODE_FETCH_TIMEOUT_MS)
+      `${logPrefix} Mode check failed (${result.reason}), no prior mode \u2014 using cold-start default '${TANDEM_MODE_DEFAULT}'`
     );
-    cachedModeAt = now;
+    cachedMode = TANDEM_MODE_DEFAULT;
+    return TANDEM_MODE_DEFAULT;
   }
+  cachedMode = result.mode;
+  cachedModeAt = now;
   return cachedMode;
 }
-var AWARENESS_DEBOUNCE_MS, MODE_CACHE_TTL_MS, cachedMode, cachedModeAt;
-var init_event_bridge = __esm({
-  "src/channel/event-bridge.ts"() {
+function getModeSync() {
+  return cachedMode;
+}
+function refreshMode(tandemUrl, logPrefix) {
+  if (_modeRefreshInFlight) return;
+  const now = Date.now();
+  if (now - cachedModeAt < MODE_CACHE_TTL_MS) return;
+  if (now - cachedModeFailedAt < MODE_CACHE_TTL_MS) return;
+  _modeRefreshInFlight = (async () => {
+    try {
+      const result = await fetchMode(tandemUrl);
+      if (result.ok) {
+        cachedMode = result.mode;
+        cachedModeAt = Date.now();
+        cachedModeFailedAt = 0;
+      } else {
+        cachedModeFailedAt = Date.now();
+        console.error(
+          `${logPrefix} Background mode refresh failed (${result.reason}), keeping cached`
+        );
+      }
+    } finally {
+      _modeRefreshInFlight = null;
+    }
+  })().catch((err) => {
+    console.error(`${logPrefix} refreshMode unexpected error:`, err);
+    cachedModeFailedAt = Date.now();
+  });
+}
+var AWARENESS_DEBOUNCE_MS, AWARENESS_CLEAR_MS, MODE_CACHE_TTL_MS, STABLE_CONNECTION_MS, RETRY_MAX_DELAY_MS, shutdownTimers, outstandingAwareness, cachedMode, cachedModeAt, cachedModeFailedAt, _modeRefreshInFlight;
+var init_sse_consumer = __esm({
+  "src/shared/sse-consumer.ts"() {
     "use strict";
+    init_api_paths();
     init_cli_runtime();
     init_constants();
     init_types();
     init_fetch_with_timeout();
+    init_types3();
     AWARENESS_DEBOUNCE_MS = 500;
+    AWARENESS_CLEAR_MS = 3e3;
     MODE_CACHE_TTL_MS = 2e3;
-    cachedMode = "tandem";
+    STABLE_CONNECTION_MS = 6e4;
+    RETRY_MAX_DELAY_MS = 3e4;
+    shutdownTimers = { awarenessTimer: null, clearAwarenessTimer: null, lastDocumentId: null };
+    outstandingAwareness = /* @__PURE__ */ new Set();
+    cachedMode = TANDEM_MODE_DEFAULT;
     cachedModeAt = 0;
+    cachedModeFailedAt = 0;
+    _modeRefreshInFlight = null;
+  }
+});
+
+// src/channel/event-bridge.ts
+async function startEventBridge(mcp, tandemUrl) {
+  return runEventConsumer({
+    tandemUrl,
+    logPrefix: "[Channel]",
+    errorCode: CHANNEL_CONNECT_FAILED,
+    onEvent: (event) => mcp.notification({
+      method: "notifications/claude/channel",
+      params: {
+        content: formatEventContent(event),
+        meta: formatEventMeta(event)
+      }
+    })
+  });
+}
+var init_event_bridge = __esm({
+  "src/channel/event-bridge.ts"() {
+    "use strict";
+    init_types();
+    init_sse_consumer();
+    init_types3();
   }
 });
 
@@ -1446,7 +2019,7 @@ import { createConnection } from "net";
 import { Server } from "@modelcontextprotocol/sdk/server/index.js";
 import { StdioServerTransport as StdioServerTransport2 } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
-import { z } from "zod";
+import { z as z2 } from "zod";
 async function runChannel(opts = {}) {
   redirectConsoleToStderr();
   const tandemUrl = resolveTandemUrl();
@@ -1501,7 +2074,7 @@ async function runChannel(opts = {}) {
       const args2 = req.params.arguments;
       try {
         const res = await fetchWithTimeout(
-          `${tandemUrl}/api/channel-reply`,
+          `${tandemUrl}${API_CHANNEL_REPLY}`,
           {
             method: "POST",
             headers: { "Content-Type": "application/json" },
@@ -1535,7 +2108,7 @@ async function runChannel(opts = {}) {
               type: "text",
               text: `Failed to send reply: ${describeFetchError(
                 err,
-                "/api/channel-reply",
+                API_CHANNEL_REPLY,
                 CHANNEL_REPLY_FETCH_TIMEOUT_MS
               )}`
             }
@@ -1546,19 +2119,19 @@ async function runChannel(opts = {}) {
     }
     throw new Error(`Unknown tool: ${req.params.name}`);
   });
-  const PermissionRequestSchema = z.object({
-    method: z.literal("notifications/claude/channel/permission_request"),
-    params: z.object({
-      request_id: z.string(),
-      tool_name: z.string(),
-      description: z.string(),
-      input_preview: z.string()
+  const PermissionRequestSchema = z2.object({
+    method: z2.literal("notifications/claude/channel/permission_request"),
+    params: z2.object({
+      request_id: z2.string(),
+      tool_name: z2.string(),
+      description: z2.string(),
+      input_preview: z2.string()
     })
   });
   mcp.setNotificationHandler(PermissionRequestSchema, async ({ params }) => {
     try {
       const res = await fetchWithTimeout(
-        `${tandemUrl}/api/channel-permission`,
+        `${tandemUrl}${API_CHANNEL_PERMISSION}`,
         {
           method: "POST",
           headers: { "Content-Type": "application/json" },
@@ -1579,7 +2152,7 @@ async function runChannel(opts = {}) {
     } catch (err) {
       console.error(
         "[Channel] Failed to forward permission request:",
-        describeFetchError(err, "/api/channel-permission", CHANNEL_PERMISSION_FETCH_TIMEOUT_MS)
+        describeFetchError(err, API_CHANNEL_PERMISSION, CHANNEL_PERMISSION_FETCH_TIMEOUT_MS)
       );
     }
   });
@@ -1605,7 +2178,7 @@ async function checkServerReachable(url, timeoutMs = 2e3) {
     parsed = new URL(url);
   } catch {
     console.error(
-      `[Channel] Invalid TANDEM_URL: "${url}" \u2014 expected format: http://localhost:3479`
+      `[Channel] Invalid TANDEM_URL: "${url}" \u2014 expected format: http://127.0.0.1:3479`
     );
     return false;
   }
@@ -1630,6 +2203,7 @@ async function checkServerReachable(url, timeoutMs = 2e3) {
 var init_run = __esm({
   "src/channel/run.ts"() {
     "use strict";
+    init_api_paths();
     init_cli_runtime();
     init_constants();
     init_fetch_with_timeout();
@@ -1655,11 +2229,11 @@ var init_channel = __esm({
 });
 
 // src/shared/auth/token-file.ts
-import envPaths from "env-paths";
+import envPaths2 from "env-paths";
 import fs2 from "fs";
-import path3 from "path";
+import path4 from "path";
 function getTokenFilePath() {
-  return path3.join(envPaths("tandem", { suffix: "" }).data, TOKEN_FILE_NAME);
+  return path4.join(envPaths2("tandem", { suffix: "" }).data, TOKEN_FILE_NAME);
 }
 async function readTokenFromFile() {
   const filePath = getTokenFilePath();
@@ -1696,7 +2270,7 @@ __export(rotate_token_exports, {
 });
 import { createHash, randomBytes } from "crypto";
 import { promises as fsPromises2 } from "fs";
-import path4 from "path";
+import path5 from "path";
 function fingerprint(token) {
   return createHash("sha256").update(token, "utf8").digest("hex").slice(0, 8);
 }
@@ -1724,8 +2298,8 @@ async function rotateToken() {
   }
   const newToken = generateToken();
   const tokenPath = getTokenFilePath();
-  const dir = path4.dirname(tokenPath);
-  const tmpPath = path4.join(dir, `.auth-token-tmp-${randomBytes(4).toString("hex")}`);
+  const dir = path5.dirname(tokenPath);
+  const tmpPath = path5.join(dir, `.auth-token-tmp-${randomBytes(4).toString("hex")}`);
   try {
     await fsPromises2.writeFile(tmpPath, newToken, { encoding: "utf8", mode: 384 });
     await fsPromises2.rename(tmpPath, tokenPath);
@@ -1739,7 +2313,7 @@ async function rotateToken() {
   let serverRejected = false;
   let serverRejectedStatus = 0;
   try {
-    const resp = await fetch(`${serverUrl}/api/rotate-token`, {
+    const resp = await fetch(`${serverUrl}${API_ROTATE_TOKEN}`, {
       method: "POST",
       headers: {
         "Content-Type": "application/json",
@@ -1809,6 +2383,7 @@ async function rotateToken() {
 var init_rotate_token = __esm({
   "src/cli/rotate-token.ts"() {
     "use strict";
+    init_api_paths();
     init_token_file();
     init_cli_runtime();
     init_setup();
@@ -1821,19 +2396,23 @@ __export(start_exports, {
   runStart: () => runStart
 });
 import { spawn } from "child_process";
-import { existsSync as existsSync2 } from "fs";
+import { existsSync as existsSync3 } from "fs";
 import { dirname as dirname3, resolve as resolve3 } from "path";
 import { fileURLToPath as fileURLToPath3 } from "url";
 function runStart() {
-  if (!existsSync2(SERVER_DIST)) {
+  if (!existsSync3(SERVER_DIST)) {
     console.error(`[Tandem] Server not found at ${SERVER_DIST}`);
     console.error("[Tandem] The installation may be corrupted. Try: npm install -g tandem-editor");
     process.exit(1);
   }
+  console.error(
+    "[Tandem] Browser distribution is deprecated; the Tauri desktop app is the primary form factor."
+  );
+  console.error("[Tandem] See https://github.com/bloknayrb/tandem/issues/477 for context.");
   console.error("[Tandem] Starting server...");
   const proc = spawn("node", [SERVER_DIST], {
     stdio: "inherit",
-    env: { ...process.env, TANDEM_OPEN_BROWSER: "1" }
+    env: process.env
   });
   proc.on("error", (err) => {
     console.error(`[Tandem] Failed to start server: ${err.message}`);
@@ -1872,7 +2451,7 @@ process.once("unhandledRejection", (reason) => {
 `);
   process.exit(1);
 });
-var version = true ? "0.11.2" : "0.0.0-dev";
+var version = true ? "0.13.0" : "0.0.0-dev";
 var args = process.argv.slice(2);
 var isStdioMode = args[0] === "mcp-stdio" || args[0] === "channel";
 if (!isStdioMode) {
@@ -1883,7 +2462,7 @@ if (args.includes("--help") || args.includes("-h")) {
 
 Usage:
   tandem                            Start Tandem server and open the editor
-  tandem setup                      Register MCP tools with Claude Code / Claude Desktop
+  tandem setup                      Register MCP tools with your AI client (Claude Code / Claude Desktop by default)
   tandem setup --force              Register to default paths regardless of detection
   tandem setup --with-channel-shim  Also register the stdio channel shim (legacy opt-in)
   tandem rotate-token               Rotate the auth token with a 60-second grace window