fix(security): scope checkpoint routes to session — close 2 IDORs (v2.7.2)

Flagged by the automated push security review on v2.7.1. - GET /checkpoints?chat_id= : the chat_id branch filtered by chat_id alone (any session's chat_id read its checkpoints). Now joins chats and gates on chats.session_id. - restoreCheckpoint scope guard was fail-open: `cp.session_id && cp.session_id !== sessionId` fell through on a null denormalized session_id, allowing a cross-session restore (worktree reset + transcript trim). Now resolves the owning session via the checkpoint's chat and denies on missing/mismatch. - Adds a DB-integration regression for the null-session_id cross-session case. Both scope authoritatively through chats.session_id (checkpoints.session_id is a nullable hint). Coder suite 234 passing; 7/7 checkpoint tests (incl. the regression) against live postgres+git; typecheck clean. Hotfix on v2.7.1. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Merge fuzzy-checkpoints: v2.7.1 write/edit robustness (fuzzy applier + worktree checkpoints)
2026-06-01 12:15:54 +00:00 · 2026-06-01 12:02:06 +00:00 · 2026-06-01 12:01:57 +00:00 · 2026-06-01 08:16:25 +00:00 · 2026-06-01 08:16:03 +00:00 · 2026-06-01 02:35:21 +00:00
163 changed files with 13802 additions and 3045 deletions
--- a/.codecontextignore
+++ b/.codecontextignore
@@ -21,6 +21,7 @@ out/
 .opencode/
 .vscode/
 .idea/
 .claude/worktrees/
 # Test artifacts / coverage
 coverage/
--- a/.env.example
+++ b/.env.example
@@ -11,6 +11,11 @@ POSTGRES_PASSWORD=CHANGE_ME
 # point BooCode at a different SearXNG instance.
 SEARXNG_URL=http://100.114.205.53:8888
 # Task model: lightweight model for auto-naming, search rewrite, etc.
 # Direct llama-server instance (NOT llama-swap). Falls back to LLAMA_SWAP_URL
 # with FAST_MODEL when unset.
 # TASK_MODEL_URL=http://100.90.172.55:7995
 # v1.13.15-tools: BOOCODE_TOOLS narrows the tool whitelist sent to the LLM.
 # Unset (default) → all tools (~21k schema). Useful primarily for single-purpose
 # sessions where the model only needs read-only filesystem access.
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,5 @@ data/*
 !data/AGENTS.md
 !data/skills/
 !data/mcp.json
 !data/coder-providers.example.json
 codecontext/fork.tar.gz
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -1,109 +0,0 @@
 # Agent navigation
 Cursor/agent entry point for the BooCode monorepo. **Deep engineering reference:** `CLAUDE.md` (Claude Code). This file is navigation + task routing only.
 Last updated: 2026-05-25
 ## Doc map
 | Need | Read |
 |------|------|
 | Commands, gotchas, inference, DB, env | `CLAUDE.md` |
 | Read-only chat behavior | `BOOCHAT.md` |
 | Write tools, dispatch, pending changes | `BOOCODER.md` |
 | Shipped vs planned, version order | `boocode_roadmap.md` |
 | Latest release truth | `CHANGELOG.md` (top entry = current) |
 | System diagram + data flow | `docs/ARCHITECTURE.md` |
 | Current focus / blockers | `CURRENT.md` |
 | Batch convention | `openspec/README.md` |
 | Shipped batch snapshots | `openspec/changes/archived/` |
 | Chat agent personas + tool lists | `data/AGENTS.md` |
 | External repo lift inventory | `boocode_code_review.md` |
 ## Monorepo layout (actual)
 Three **surfaces**, four **packages**. There is no `apps/chat/` directory.
 | Surface | Packages | Port | Deploy |
 |---------|----------|------|--------|
 | **BooChat** | `apps/server` (API + inference) + `apps/web` (SPA) | `100.114.205.53:9500` | Docker `boocode` container |
 | **BooTerm** | `apps/booterm` | `100.114.205.53:9501` | Docker `booterm` container |
 | **BooCoder** | `apps/coder` | host `:9502` | systemd `boocoder.service` (not Docker since v2.1.0) |
 Shared: Postgres 16 — Docker service `boocode_db`, **database name `boochat`**, host port `127.0.0.1:5500`.
 ## Task routing
 | Task type | Start here |
 |-----------|------------|
 | Chat inference / tools / compaction | `apps/server/src/services/inference/` |
 | WS frames | `apps/server/src/types/ws-frames.ts` + `apps/web/src/api/ws-frames.ts` (keep in sync) |
 | Frontend chat UI | `apps/web/src/components/`, hooks in `apps/web/src/hooks/` |
 | BooCoder write tools / dispatch | `apps/coder/src/` — build server first (`pnpm -C apps/server build`) |
 | Provider picker / external agents | `apps/coder/src/services/provider-registry.ts`, `dispatcher.ts`, `agent-probe.ts` |
 | Terminal panes | `apps/booterm/src/`, frontend `TerminalPane.tsx` |
 | Schema changes | `apps/server/src/schema.sql` + sync `*_STATUSES` in `apps/server/src/types/api.ts` |
 | New batch / feature | `openspec/changes/<slug>/proposal.md` + `tasks.md` (see below) |
 ## Verification (before claiming done)
 ```bash
 pnpm -C apps/server test && pnpm -C apps/server build
 npx tsc -p apps/web/tsconfig.app.json --noEmit   # root tsc can miss web errors
 curl http://100.114.205.53:9500/api/health       # Tailscale IP, not localhost:9500
 curl http://100.114.205.53:9502/api/health       # BooCoder on host
 ```
 Deploy truth beats source-only reads — check running health + `git log --oneline -3`.
 ## Hard rules (from CLAUDE.md)
 - **Do not commit or push** unless Sam explicitly asks.
 - **No app-layer auth** — Authelia at the reverse proxy.
 - **Parts table is source of truth** — read message tool fields from `messages_with_parts` view, write via `insertParts`.
 - **New WS frame type** — update server + web schemas; publish via `publishFrame` / `publishUserFrame` only.
 - **New tool** — own file in `services/`, register in `tools.ts` `ALL_TOOLS`; whitelists derive from there, never hardcoded.
 - **Typecheck web with per-app tsconfig** — root `tsc --noEmit` uses project references and can miss errors.
 - **`includeUsage: true`** on `createOpenAICompatible` in `provider.ts` — do not remove.
 - **Agent dispatch** — direct `spawn`/`exec` on host via `install_path` (v2.1.0+); SSH helpers deprecated.
 - **Event dedup** — server publishes via broker; frontend must not duplicate `sessionEvents.emit` after API calls that already WS-broadcast.
 ## Using openspec with Cursor
 Openspec is a **folder convention**, not a CLI. Use it to give agents a scoped brief before coding.
 ### When starting a batch
 1. Create `openspec/changes/<slug>/` (lowercase-hyphenated, e.g. `v2-2-arena-ui`).
 2. Write `proposal.md` — why, scope, non-goals, dependencies.
 3. Write `tasks.md` — numbered checkbox steps (build + smoke).
 4. Optional `design.md` — schema/API decisions that outlive the batch.
 See `openspec/README.md` for the full shape. Shipped pre-v1.13.15 batches live in `openspec/changes/archived/` as snapshots only.
 ### Prompting an agent
 ```
@openspec/changes/<slug>/proposal.md @openspec/changes/<slug>/tasks.md
 Implement tasks 1–3. Server tests must pass. Do not commit.
 ```
 Attach the spec files with `@` so they load into context. Point at specific code paths when known:
 ```
@openspec/changes/v2-x/proposal.md
 Extend apps/coder/src/routes/providers.ts — follow provider-registry.ts patterns.
 ```
 ### After shipping
 - Tag: `vMAJOR.MINOR.PATCH-slug`
 - Add entry to top of `CHANGELOG.md`
 - Move or snapshot the openspec folder to `archived/` if you want history preserved
 - Update `CURRENT.md` and `boocode_roadmap.md` shipped table if the batch was roadmap-tracked
 ### What not to use openspec for
 - One-line bug fixes — just describe the bug + file.
 - Exploratory questions — Ask mode + `@CLAUDE.md` is enough.
 - Duplicating `CLAUDE.md` — openspec is per-batch scope, not permanent conventions.
--- a/BOOCODER.md
+++ b/BOOCODER.md
@@ -37,3 +37,81 @@ Every file modification queues in `pending_changes` before touching disk. The us
 - Never count `dist/` directory sizes as source lines. Only count `src/**/*.ts` files. Compiled output is inflated by inlined types and transpilation artifacts.
 - Before claiming a feature works, run the actual command and show the output. "Should work" is not verification. Acceptable evidence: test output (`pnpm test`), build output (`pnpm build`), curl response, docker logs, `\d tablename` output. If you can't run it, say so explicitly — don't assert success without evidence.
 - When reporting counts (tools, tests, files, routes, lines), derive the number from a command (`grep -c`, `wc -l`, test runner output) — not from memory or approximation.
 ## Provider lifecycle (v2.3)
 BooCoder's coding agents are a **config-backed registry**: built-ins live in `provider-registry.ts`, and `data/coder-providers.json` layers overrides + custom entries on top. Registration ≠ installation — the config lists what you *want*; a probe reports what's *ready*.
 ### Config file: `data/coder-providers.json`
 Resolved from `CODER_PROVIDERS_PATH` (default `/data/coder-providers.json`; dev/host path `/opt/boocode/data/coder-providers.json`). It is **gitignored** — it's live runtime config that the coder reads *and writes* (UI toggles `PATCH` it), so tracking it would churn `git status`. The tracked reference is `data/coder-providers.example.json`; copy it to `coder-providers.json` to seed overrides. A missing file, invalid JSON, or a schema mismatch all fall back to built-ins-only — loading never throws at startup.
 ```json
 {
  "providers": {
    "goose": { "enabled": false },
    "amp-acp": {
      "extends": "acp",
      "label": "Amp",
      "description": "ACP wrapper for Amp",
      "command": ["amp-acp"],
      "enabled": true
    }
  }
 }
 ```
 Per-provider override fields (all optional):
 | Field | Meaning |
 |-------|---------|
 | `extends` | `"acp"` — required for a NEW (custom) provider; built-in overrides omit it |
 | `label` | Display name (required for custom) |
 | `description` | Sub-label shown in the picker / settings |
 | `command` | `[binary, ...args]` to spawn (required for custom; overrides a built-in's default argv) |
 | `env` | Extra env vars merged into the spawn |
 | `enabled` | Default `true`; `false` hides it from the composer |
 | `order` | UI sort key |
 | `models` / `additionalModels` | Replace / merge onto the discovered model list |
 A PATCH to one provider id **replaces that id's override object wholesale** (per-id shallow merge), so to flip a single field keep the rest; a `null` value for an id deletes its override (reverts to the built-in default).
 ### Refresh contract
 The snapshot is cached and a provider's cold ACP probe (tier-2) is **skipped** while `available_agents.last_probed_at` is younger than `PROVIDER_PROBE_TTL_MS` (default `86400000` = 24h). Opening the composer is therefore fast and does not re-probe. To force a cold re-probe (after installing a CLI or editing models): **`POST /api/providers/refresh`** (the Refresh button in the Providers settings tab), which clears the cache and re-probes.
 ### Enable / disable
 Two ways:
 - **Settings → Providers tab** — open the sidebar → **Settings** → **Providers**: toggle a provider on/off, refresh it, or open its diagnostic. (Earlier builds exposed a gear in the composer; that control was moved into Settings.)
 - **Edit the config** (`"enabled": false`) then `POST /api/providers/refresh`.
 A **disabled** provider leaves the composer's provider picker but stays listed in the Providers tab (status "Disabled") so you can re-enable it. **Native `boocode` is always-on** — an `enabled:false` on it is ignored (with a warn log) and it is never rendered as toggleable.
 ### Adding a custom ACP provider
 - **Catalog modal**: Providers tab → **Add provider** → pick an entry → it PATCHes the config (`extends:'acp'` + label + command, enabled) and refreshes that provider.
 - **Hand-edit** `data/coder-providers.json`: add an id with `extends:'acp'`, `label`, and `command`, then `POST /api/providers/refresh`.
 Either way, **adding to config does NOT install the binary.** Until the CLI is on `PATH` the provider shows **"Not installed"** (status `unavailable`) and does not appear in the composer picker.
 ### Known limitation — subset refresh
 `POST /api/providers/refresh` accepts an optional `{ "providers": ["id", ...] }` body and returns a `refreshed` count scoped to that subset — **but the underlying cold re-probe currently covers ALL installed providers**, not just the requested subset. True per-provider force is a future change (it needs a snapshot-internal parameter). This is intentional for now, not a bug: a subset refresh still re-probes everything; only the reported count is scoped.
 ### Deploy + smoke
 Two deploy targets:
 - **Routes (host service):** `pnpm -C apps/server build && pnpm -C apps/coder build && sudo systemctl restart boocoder`
 - **Web UI (container):** `docker compose up --build -d boocode`
 Green gate (verified across phases 1–5): `pnpm -C apps/coder test` (134 passing) `&& pnpm -C apps/coder build`.
 Smoke (via Tailscale):
 ```bash
 curl http://100.114.205.53:9502/api/providers/snapshot       # lists every registered provider
 curl http://100.114.205.53:9500/api/coder/providers/config   # raw config, through the BooChat proxy
 # Settings → Providers: disable goose → it leaves the composer picker, stays in the tab
 # POST refresh → models repopulate; Add a catalog entry → it appears after refresh (unavailable until its CLI is installed)
 ```
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,118 @@
 All notable changes per release tag. Most recent on top, ordered by tag creation date (which matches the git history). Tag names follow `vMAJOR.MINOR.PATCH-slug` — the slug describes what shipped, so the tag name alone is enough to recall the batch.
 ## v2.7.2-checkpoint-idor — 2026-06-01
 Closes two IDOR authorization holes in the `v2.7.1-write-edit-robustness` checkpoint routes, flagged by the automated push security review. The `GET /api/sessions/:id/checkpoints?chat_id=` list route scoped its `chat_id` branch by `chat_id` alone — any session's `chat_id` would read its checkpoints; it now joins through `chats` and gates on `chats.session_id` (authoritative; `checkpoints.session_id` is a nullable denormalized hint). The `restoreCheckpoint` scope guard was fail-open — `cp.session_id && cp.session_id !== sessionId` fell through whenever the checkpoint's denormalized `session_id` was null, allowing a cross-session restore (worktree reset + transcript trim) — it now resolves the owning session via the checkpoint's chat and denies on any missing-or-mismatched row. A DB-integration regression covers the exact null-`session_id` cross-session case. Real-world blast radius is small (BooCoder is single-user behind Authelia on loopback), but both are genuine authorization bugs. Coder suite 234 passing (7/7 checkpoint tests incl. the regression against live postgres+git), typecheck clean. Hotfix on `v2.7.1-write-edit-robustness`.
 ## v2.7.1-write-edit-robustness — 2026-06-01
 Two BooCoder hardening features for local quantized models, algorithm-reimplemented (not vendored) from the cline findings in `boocode_code_review_v2.md` §1 #3/#4. **Fuzzy patch applier:** `edit_file`'s apply path was exact-`.includes`-or-throw + first-occurrence `.replace` (`pending_changes.ts`), so a qwen3.6 whitespace/indentation/unicode drift in `old_string` lost the edit; a new pure `fuzzy-match.ts` (`locateMatch`) now runs an exact → per-line-trim → unicode-canon (curly quotes/dashes/nbsp) → Levenshtein-≥0.66 ladder and returns the real file span, refusing multi-exact matches as ambiguous rather than silently editing the first. `applyOne`/`rewindOne` both use it. **Worktree checkpoints + conversation-trim:** `rewind` only reversed BooCode's own `pending_changes`, blind to what external agents (opencode/goose/qwen/claude) write directly into the session worktree — so a new `checkpoints` table + `checkpoints.ts` shadow-commit (tracked **and** untracked, captured via a temp-index `read-tree`/`add`/`write-tree`/`commit-tree` into a GC-safe `refs/boocode/checkpoints/<id>`) snapshots the worktree before each external-agent turn (hooked into all three dispatcher paths), anchored to the turn's assistant message. A new `POST /api/sessions/:id/checkpoints/:cid/restore` resets the worktree (`reset --hard` + `clean -fd`), trims the transcript past that message, and resets the `(chat,agent)` backend session so files, transcript, and agent context land consistent at the restore point; a per-message "Restore to here" affordance in `CoderMessageList` drives it. Built by three parallel agents over disjoint files; DB-integration testing caught a microsecond-`created_at` self-deletion bug in the later-checkpoint cleanup. Full coder suite 234 passing (incl. 17 fuzzy-match + 6 checkpoint tests), server+coder build + web tsc clean. Builds on `v2.7.0-mit`; openspec `write-edit-robustness`. Live host smoke (dispatcher hook + restore UI end-to-end) still to run.
 ## v2.7.0-mit — 2026-06-01
 Relicenses BooCode from AGPL-3.0 back to MIT by clearing the three Unsloth-Studio-derived files the `v2.4.0`/`v2.4.1` lifts pulled in — the root `LICENSE` and all five `package.json` had been `AGPL-3.0-only`, making the network-served work AGPL §13-encumbered. The enabling finding decoupled the relicense from the long-planned native-llama-server-parsing retirement: `tool-call-parser.ts`'s Unsloth-ported algorithm (`parseToolCallsFromText`/`scanBalancedBraces` + unused nudge constants) was **dead code** with no production import, so it was simply deleted while the load-bearing `extractToolCallBlocks`/`stripToolMarkup` (BooCode-authored streaming helpers) were kept byte-identical — no behavior change to the live tool-call path. `html-to-md.ts` was swapped to the MIT `node-html-markdown` library (`parse5` dropped; the only behavior delta is column-aligned tables, GFM hard-break `<br>`, and `<ol start>` renumbering, all feeding the LLM via `web_fetch`), and `llama-args-validator.ts` was clean-room rewritten with the managed-flag denylist re-derived from the public llama-server flag list (facts, not copyrightable). The license flip set `LICENSE` to MIT (`Copyright (c) 2026 indifferentketchup`), the five `package.json` to `MIT`, removed every AGPL SPDX header, added a README License section, and added a `license-mit` guard test that fails if AGPL provenance returns. Built by three parallel agents over the disjoint files; full server suite 519 passing (incl. 9 new guard tests), server build + coder typecheck clean. Resolves `boocode_code_review_v2.md` §1 #1 / §5k and the roadmap's `License-debt` batch (openspec `license-debt-mit`); supersedes that batch's original staged plan, which had entangled the flip with a live qwen3.6 validation window.
 ## v2.6.11-close-hooks-staging — 2026-06-01
 The two v2.6 follow-ups left after `v2.6.10-lifecycle-hardening`. **Server close-hook caller:** `apps/server` (BooChat) now fire-and-forgets BooCoder's Phase-3 close hooks so warm agent backends + worktrees tear down *immediately* on delete/archive instead of waiting for the idle-evict/reaper backstop — a new `coder-notify.ts` `notifyCoderClose(kind,id)` (reusing the v2.6.2 `BOOCODER_URL` reach, never-rejects) is `void`-called after the WS frame at session-delete (`POST /api/sessions/:id/close`) and chat archive / archive-all / delete (`POST /api/chats/:id/close`); an unreachable coder can never block or fail the user's delete/archive. **Staging-boundary hint (task 3.7):** the BooCoder DiffPanel now shows a muted one-liner when the selected provider can't see another agent's unapplied worktree edits — native boocode selected + external-agent-staged changes (or vice-versa) → "<agent>'s edits live in its worktree — BooCode won't see them until applied" — derived purely from the per-change `agent` + current provider, no new state. 6 new server tests (`coder-notify`), 537 server tests pass; web + server tsc/build clean. **With these the v2.6 openspec is fully closed** — only the live Smoke 2/2b/3 remain (manual exercise).
 ## v2.6.10-lifecycle-hardening — 2026-06-01
 v2.6 Phase 3 (the last phase) — lifecycle hardening of the warm-process backends. **Idle eviction + LRU cap:** the agent pool runs a 60s sweep that evicts backends/sessions idle past `AGENT_POOL_IDLE_TTL_MS` (30 min default) and any beyond `AGENT_POOL_MAX_LIVE` (10, LRU) — **never a busy one** (in-flight turn, double-checked via a new `isBusy()` backend hook); the worktree persists (DB-backed) and the next turn re-spawns + reattaches. The eviction/LRU/restart decisions are factored into a pure `lifecycle-decisions.ts` (modeled on the inference `selectPruneTargets` pattern). **Crash recovery:** lifts openchamber's health-monitor + busy-aware-restart + consecutive-failure + stale-busy-grace state machine into `opencode-server.ts` (with port reclaim) and `warm-acp.ts` — an opencode server crash settles in-flight turns as failed, marks the rows `crashed`, and recreates fresh sessions (a fresh server can't hold the old in-memory id), while a warm-ACP child crash re-`session/new`s next turn; the F.1 turn-guard and U.6 usage are preserved (their tests still pass). **Worktree reaper:** a periodic reaper removes orphan on-disk worktrees (no live `worktrees` row, 1h grace) behind a superset-style preflight that skips dirty/unpushed/unmerged work, with Paseo-style soft-delete (`status='archived'`). Plus close hooks (`/api/chats/:id/close`, `/api/sessions/:id/close`, awaiting the apps/server caller) and diff re-baseline after `apply_pending`. Built test-first — 35 new tests (`lifecycle-decisions` 22, `agent-pool` 13) + a DB-opt-in reconnect integration test; 215 coder tests pass, tsc + build clean. **This completes v2.6** (Phase 0–3 + F.1 + Phase 1-UX). Remaining follow-ups (out of v2.6 scope): the apps/server close-hook caller, the 3.7 DiffPanel staging-boundary hint (frontend), and live Smoke 2/2b/3.
 ## v2.6.9-warm-acp — 2026-05-31
 v2.6 Phase 2: goose and qwen now run as **warm ACP backends** instead of one-shot-per-task. A new `WarmAcpBackend` (`backends/warm-acp.ts`, implementing the same `AgentBackend` interface as the opencode warm server) holds one persistent `goose acp` / `qwen --acp` child + `ClientSideConnection` + ACP session per `(chat, agent)`, running `initialize` + `session/new` once and reusing the connection across turns; per-turn abort cancels the in-flight prompt (`session/cancel`) without killing the child, and a child exit marks `agent_sessions.status='crashed'` for re-spawn on the next turn. The dispatcher routes `goose`/`qwen` chat-tab tasks to the pooled warm backend via a pure `shouldUseWarmBackend(task)` predicate (warm only when both `session_id` and `chat_id` are set), keeping the one-shot `runExternalAgent` path as the fallback for session-less creators (arena, MCP, `new_task`); broker frames + `persistExternalAgentTurn` + the latest-wins `pending_changes` diff are identical to the opencode path. The `acp-dispatch.ts` `handleSessionUpdate` switch was extracted into a pure shared `acp-event-map.ts` mapper used by both the one-shot and warm paths (one-shot behavior byte-identical, all existing acp tests green). The design's `unstable_resumeSession` concern is resolved — the installed `@agentclientprotocol/sdk@^0.22.1` exposes stable `resumeSession`/`loadSession`, but resume is moot in the hot path (warm reuse needs none); cross-restart resume + idle eviction are deferred to Phase 3. Built test-first (15 new tests: `warm-acp-routing`, `acp-event-map`); 180 coder tests pass, tsc + build clean. **Smoke 2/2b (live two-message warm reuse + the opencode→boocode→opencode switch round-trip) to be run post-deploy.** Phase 3 (lifecycle hardening) is the last v2.6 phase.
 ## v2.6.8-agent-attribution — 2026-05-31
 v2.6 Phase 1-UX: agent attribution + switch affordances over the already-shipped `pending_changes.agent` column and `agent_sessions` table (read+display, no new backend capability). **Backend:** `pending_changes.agent` is now stamped at every queue site (native write tools → `'boocode'`, dispatched external agents → the task's agent, manual RightRail create → `NULL`) and flows through `listPending`; a new `GET /api/sessions/:id/agent-sessions` route returns `[{agent,status,has_session,last_active_at}]` per `(chat,agent)` for the session's chats; and the opencode warm-server backend consumes opencode's `session.next.step.ended` events, accumulating `input_tokens`/`output_tokens`/`cost` onto the `agent_sessions` row (new columns, idempotent). **Frontend:** the BooCoder DiffPanel renders a per-row agent badge (provider icon + label; `null` → "manual") with a "Changes from X, Y" note when a pending set spans multiple agents, and the AgentComposerBar shows a resumed / history / new-session chip beside the Provider picker — gated on an optional `sessionId` prop so BooChat is unaffected — driven by a new `useAgentSessions` hook that refetches on message-complete; `providerIcon` was extracted to a shared `components/coder/providerIcons.tsx`. Built by three parallel subagents over disjoint file sets; web + coder typecheck clean, 165 coder tests pass (9 new across `opencode-usage` and `agent-sessions.routes`). U.6's persisted token totals are conversation-cumulative and not yet surfaced in the UI (deferred). Implements the U.1–U.6 "remaining" plan from the v2.6 openspec reconciliation; Phase 2 (warm ACP goose/qwen) + Phase 3 (lifecycle hardening) remain.
 ## v2.6.7-interrupt-guard — 2026-05-31
 Fixes a post-interrupt correctness bug in the `v2.6.1-phase1-opencode` warm-server backend, made one-click reachable by `v2.6.5-panes-tabs-composer`'s Send→Stop composer. `opencode-server.ts` settled an in-flight turn on opencode's `session.idle`/`session.error` by calling `activeTurn.settle()` on whatever turn currently held the session slot — but opencode emits one trailing terminal event for a *cancelled* turn after `client.session.abort()`, and those events carry only a `sessionID` (no turn id). So after the user hit Stop and immediately sent another message, the aborted turn's orphan `session.idle` settled the *new* turn early as success (Paseo hit and fixed the same class in `1d38aac`). The fix adds a small pure guard (`turn-guard.ts`: `armAbortGuard`/`noteTurnActivity`/`consumeTerminal` over a per-session `swallowNextTerminal` flag): abort arms it, the next terminal is swallowed once, and a new turn's first delta self-heals the flag so a never-arriving orphan can't strand a real turn. Implemented test-first — three regression tests in `turn-guard.test.ts` (swallow-the-orphan, settle-when-no-abort, self-heal); full coder suite green (156 passed). This is the F.1 "fix-next" item from the v2.6 openspec reconciliation; Phase 1-UX / Phase 2 / Phase 3 remain.
 ## v2.6.6-claude-md — 2026-05-31
 Docs-only — CLAUDE.md session-learnings update, no code. Captures four recurring gotchas surfaced while shipping `v2.6.5-panes-tabs-composer`: (1) `sessions.workspace_panes` is now a `WorkspaceState` envelope (`panes` + `tabNumbers`/`nextTabNumber` + `closedPaneStack`), migrated from the legacy bare `WorkspacePane[]` on both frontend hydrate (`toWorkspaceState`) and the union-accepting server PATCH validator; (2) DB/session-aware tools take an optional `ToolExecCtx` (`{ sql, sessionId }`) 4th arg on `ToolDef.execute`, plumbed through the tool phase, with `read_tab_by_number` as the reference; (3) the two-schema-files-one-DB ownership split — `apps/coder/src/schema.sql` owns `agent_sessions`/`worktrees`/`pending_changes`/`available_agents` and extends `tasks`, distinct from BooChat's `apps/server/src/schema.sql` — plus the idempotent `confdeltype` FK-action-flip pattern (guard `ON DELETE` changes on `pg_constraint.confdeltype` so re-runs no-op); and (4) React StrictMode is on, so a `setState` called inside another `setState`'s updater double-fires in dev and must be made idempotent. Pairs with `v2.6.5-panes-tabs-composer`.
 ## v2.6.5-panes-tabs-composer — 2026-05-31
 A workspace UX batch across BooChat panes, tabs, and the composer, plus the persistence model that backs them. **Panes & tabs:** a chat can be opened in a fresh pane (the ChatTabBar tab context menu's "Open in new pane", and the fork button — which now lands the fork beside the original via a new `open_chat_in_new_pane` event instead of replacing the active pane); the per-pane "+" became a New BooChat/BooTerm/BooCode menu; closing a chat pane relocates its tabs (in order) into the oldest chat/empty pane instead of discarding them, and reopen strips the restored chatIds from every live pane first so a relocated-then-reopened pane never duplicates a tab (no stack-shape change); each tab carries a stable session-scoped number assigned on open and retired on close (never reused), rendered map-keyed rather than positional. The per-message "Open in pane" artifact button was removed, and the empty/landing pane became a real session history — the session's open chats plus separately-fetched archived chats, click to open or restore-and-open. **Persistence:** `sessions.workspace_panes` was widened from a bare `WorkspacePane[]` to a `WorkspaceState` envelope (`panes` + `tabNumbers`/`nextTabNumber` + `closedPaneStack`) so tab numbers and the reopen stack survive reload; the PATCH validator accepts the legacy array or the envelope (zod union) and migrates on write, and the `session_workspace_updated` WS-frame schema was widened on both web and server (byte-identical, parity test green) — the same schema-drift class as `v2.6.4-agent-sessions-fk`. **Composer:** the send button morphs Send → Stop → Queue with generation state (BooCoder keys on `sending || activeTaskId`, which also corrected its queue gates and added `cancelTask`), the standalone "Stop generating" pill was folded into it, and pasted chips now trail the typed text so a leading slash command stays first. **Tooling:** adds the read-only `read_tab_by_number` tool — resolves a session-scoped tab number to its chat via the persisted `tabNumbers` map and returns that chat's transcript; tools gained an optional `ToolExecCtx` (`{ sql, sessionId }`) on `execute` to support DB-reading tools. Builds on `v2.6.4-agent-sessions-fk`.
 ## v2.6.4-agent-sessions-fk — 2026-05-31
 Follow-up to `v2.6.3-chatkey-and-skills` (P1.5-b): the live `agent_sessions.session_id` foreign key is converged from `ON DELETE CASCADE` to `ON DELETE SET NULL`, matching the schema's stated intent. The P1.5-b re-key block re-adds `session_id_fkey` as `SET NULL`, but the whole block is guarded on `chat_id_fkey`'s absence — so a database already re-keyed to `(chat_id, agent)` while `session_id_fkey` was still `CASCADE` never re-enters it, leaving the live FK at `CASCADE` and diverging from both `worktree_id` (already `SET NULL`) and the `v2.6.3` changelog's own claim that `session_id` is informational `SET NULL`. The fix adds a standalone `confdeltype`-guarded `DO` block (mirroring the `session_worktrees` defang) that flips `session_id_fkey` `CASCADE → SET NULL` independently of the re-key gate; it is idempotent — fires only while the FK is still `'c'`, a no-op on a fresh deploy (already `'n'`) and on every re-run. The live DB was converged by hand with the identical statements, so `applySchema` and the hand-applied state match (`\d agent_sessions` now shows `session_id ... ON DELETE SET NULL`). Also bundles a CLAUDE.md doc-sync (committed separately): per-session SSE (P1.5-a) and the `(chat_id, agent)` re-key reflected in the engineering notes, the stale root `AGENTS.md` navigation pointer dropped, and new conventions for `data/AGENTS.md` parsing and the `data/skills/<vendor>/` layout.
 ## v2.6.3-chatkey-and-skills — 2026-05-31
 Three threads. **agent_sessions re-keyed to `(chat_id, agent)` (P1.5-b):** the tab (a chat) is now the agent-context unit, so two opencode tabs in one BooCode session are two independent contexts that share one worktree. `chat_id` is threaded end-to-end — `tasks.chat_id` added, stamped by the coder message + skills routes from the frontend tab, read by `runOpenCodeServerTask` which falls back to resolve-or-create a chat for session-less creators (arena/MCP/new_task/generic `/api/tasks`) so `ensureSession` never receives a degenerate `(null, agent)` key. A new first-class `worktrees` table (one-per-session, survives session delete via `session_id ON DELETE SET NULL`) supersedes `session_worktrees`, which is defanged (CASCADE dropped, not yet removed); `agent_sessions.chat_id` CASCADEs from `chats` (closing a tab ends its context) while `worktree_id`/`session_id` are informational `SET NULL`. The migration is idempotent with a backfill-verify gate; the live re-key was applied against an empty table after the 35-chat test session `20d28876` was deleted (backed up first). This corrects and supersedes an earlier draft that wrongly keyed on `(worktree_id, agent)`; the delete-guard from `v2.6.2-delete-guard-and-sse` is repointed here from `session_worktrees` to `worktrees` (`worktree_path`→`path`). **dcp-strip cross-chunk fix:** the `<dcp-message-id>` tag streams split across SSE deltas, which the per-chunk strip from `v2.6.1-phase1-opencode` missed — a stateful `makeDcpStreamStripper` at the dispatcher boundary holds back partial-tag tails so neither live frames nor persisted content carry the tag (11 unit tests). **Agent-judgment skills:** `committing-changes` (segment by concern, stage explicitly, present-and-stop, never push) and `using-worktrees` (the when-to-isolate heuristic, autonomous-when-clear vs committing's command-gate) land in `data/skills/boocode/` with eval.yamls, plus a parser-safe `data/AGENTS.md` preamble pointing at both.
 ## v2.6.2-delete-guard-and-sse — 2026-05-30
 Two coder-side batches under one tag. **Session-delete work-loss guard:** deleting a BooChat session CASCADE-wipes its `session_worktrees` row, which would silently orphan uncommitted/unpushed/unmerged work — so the server's `DELETE /api/sessions/:id` now gates before the delete. It reads `session_worktrees` from the shared DB first (no row → chat-only session → delete immediately, zero round-trip), and for worktree-backed sessions calls a new BooCoder endpoint (`/worktree-risk`) that runs git on the host, since the container can't see `/tmp/booworktrees` — only the host systemd service can. `checkWorktreeWorkAtRisk` reports dirty/unpushed/unmerged via the audited `hostExec`+`shellEscape` path, default branch detected from `refs/remotes/origin/HEAD` (never the worktree's own branch, never hardcoded); any at-risk worktree returns 409 with per-worktree `RiskReport[]`, `force=true` bypasses, and the check is fail-closed (BooCoder unreachable also blocks — force still escapes). The sidebar renders a block dialog distinguishing work-at-risk (Commit/Stash/Force; stash uses `-u` and re-blocks on remaining commits) from couldn't-verify (Cancel/Force), and Commit never auto-commits. A follow-up fix gates the `unpushed` arm behind an actual upstream (`atRisk = dirty || unmerged > 0 || (hasUpstream && unpushed > 0)`) so the no-upstream `session-<id>` branches stop flagging every pristine worktree-backed session — no protection lost, since real local work always also surfaces as `unmerged > 0`. **Per-session SSE (P1.5-a):** replaces the single global SSE loop scoped to the most-recent worktree directory — the known limit flagged in `v2.6.1-phase1-opencode` — with one `event.subscribe({directory})` per live opencode session, so sessions in different worktrees stream concurrently instead of the second silently dropping the first's events. Each session owns an `AbortController` wired into `subscribe(…, {signal})`, which also fixes a latent Phase-1 bug where switching directories left the old loop parked forever in its `for await` (zombie loops); a `sessionID` demux guard drops cross-session events so two sessions sharing a worktree (possible after P1.5-b) don't double-process deltas. The opencode SDK was confirmed to open an independent SSE connection per `subscribe()` call, so N concurrent dir-scoped streams are supported.
 ## v2.6.1-phase1-opencode — 2026-05-30
 v2.6 Phase 1: opencode runs as a warm HTTP server (`apps/coder/src/services/backends/opencode-server.ts`) — one `opencode serve` per BooCoder process, one opencode session per BooCode session resumed across turns via the new `agent_sessions` table, with a single SSE read loop, reasoning dedup ported from Paseo, an inactivity watchdog, and a stale-session guard (crashed-not-resumed + a `config_hash` fingerprint over `opencode_server|<model>`, deliberately excluding the ephemeral server port so cross-restart resume survives). Builds on the `v2.6.0-phase0-foundations` schema/interface scaffold. The batch's hard-won fixes: opencode streams `session.next.*` events (not `message.part.*`), and `event.subscribe()` must pass the session's worktree `directory` or events route to the server CWD and turns come back empty; model strings must be `llama-swap/`-prefixed and present in opencode's own config, with `agent-probe` now populating `available_agents.models` via `mergeLlamaSwap` so the frontend stops sending an empty model; `session_worktrees`/`agent_sessions` FKs are `ON DELETE CASCADE` so session deletion no longer 500s. Also bundled: dcp-message-id tag stripping from opencode text output, a reopen-closed-pane control, the `[+]`/split-pane button separation, auto-name using the session's loaded model, and a `systematic-debugging` slash command. Smoke 1 verified end-to-end (two turns, session reuse, turn 2 ~9x faster). Known Phase 1 limit: one SSE stream scoped to the most-recent session's directory — concurrent opencode sessions in different worktrees collide (warns; per-session SSE is Phase 2).
 ## v2.5.15-acp-path-guard — 2026-05-29
 Security fix + repo hygiene. Fixes a path-traversal in the ACP filesystem bridge (`acp-client-fs.ts`, flagged by the automated push security review): the worktree guard used an unbounded `startsWith(resolve(worktreePath))`, so a sibling path sharing the worktree as a string prefix (`<worktree>-evil/…`) escaped the scope — and `writeWorktreeTextFile` writes to disk directly (no `pending_changes` gate), so a confused/buggy ACP agent could write outside its worktree. Now uses a separator-bounded check matching `write_guard.ts` (`resolve()` + `startsWith(root + sep)` / `=== root`) via a shared `resolveInWorktree`, with a regression test covering `../` traversal and the sibling-prefix bug. Symlink-swap/`O_NOFOLLOW` hardening was intentionally skipped — consistent with `write_guard`'s no-realpath stance, and the agent already runs with host FS access so this is a containment guard, not a trust boundary. Separately, stops tracking the live `data/coder-providers.json` (it's runtime config the UI reads *and writes* on provider toggles, which churned `git status`) — it's now gitignored with a tracked `data/coder-providers.example.json` reference; the loader falls back to built-ins-only when the live file is absent. The provider-type duplication (coder ↔ web) stays guarded by the existing text-identity `provider-types-parity.test.ts` — a shared package was considered and declined (drift is already prevented; not worth the Docker/build-order risk at solo scale).
 ## v2.5.14-claude-md — 2026-05-29
 Docs-only — CLAUDE.md session-learnings update, no code. Adds gotchas surfaced while shipping the v2.3 provider-lifecycle batch: the host `boocoder.service` keeps running the old process after `pnpm -C apps/coder build` (stale-process tell = new routes 404 while old routes 200, restart don't re-debug); the `boocode` container `build: .` deploys the working tree, so web edits are live on the Vite dev server but not production until `docker compose up --build -d boocode`; `PATCH /api/providers/config` replaces a provider's override wholesale (send `{...existing, enabled}` or a custom ACP entry's command is wiped) and `data/coder-providers.json` is live config not to be committed as code; external agents dispatch one-shot with no context/token tracking (only native `boocode` tracks ctx; OpenCode-as-server is the unshipped `v2-6-persistent-agent-sessions` plan); the `ui/` primitive inventory with `button role=switch` / Dialog fallbacks for the absent switch/sheet; and the mobile Dialog-with-list scroll-containment recipe. Also backfills previously-uncommitted doc bullets for the `v2.5.7`–`v2.5.11` coder work (provider-type parity test, async ACP command discovery, AgentComposerBar `installed` filter, provider-registry path disambiguation).
 ## v2.5.13-provider-lifecycle-phase5 — 2026-05-29
 Closeout of the v2.3 provider-lifecycle batch — the web UI (Phase 5) plus docs (Phase 6). Provider management moved into **Settings → Providers**: a tab listing every registered provider with a status badge (Available / Disabled / Not installed / Error / Loading), an enable/disable toggle, a per-provider refresh, and a plaintext diagnostic; toggling sends the provider's *full* override (preserving a custom ACP entry's command under the wholesale-replace PATCH merge) then refetches the snapshot. The composer's provider picker now filters to `enabled && (status === 'ready' || 'loading')`, so disabled and unavailable providers drop out of the picker and are managed only in settings (native `boocode` always shows). A curated ACP catalog (`apps/web/src/data/acp-provider-catalog.ts`) + `AddProviderModal` register custom providers via `PATCH /api/providers/config` then a subset refresh, and the web client gained `getProvidersConfig` / `patchProvidersConfig` / `refreshProviders` / `getProviderDiagnostic`. Two mobile fixes ship alongside: the Settings pane is now reachable on phones (opening it pushes `?pane=` atomically so the mobile URL-sync effect keeps it active instead of snapping back to the chat pane), and the Add-provider modal caps to the viewport with a single `overscroll-contain` scroll region so the list scrolls instead of dragging the whole modal. This completes the arc begun in `v2.5.4-provider-lifecycle-phase1` (config-backed registry over the built-ins) → `v2.5.5-provider-lifecycle-phase2` (loading/unavailable snapshot lifecycle + tier-2 probe TTL gate) → `v2.5.6-provider-lifecycle-phase3` (generic `resolveLaunchSpec` ACP dispatch) → `v2.5.12-provider-lifecycle-phase4` (config GET/PATCH, subset refresh, diagnostic HTTP API). Docs landed in `BOOCODER.md` (config file, refresh contract, enable/disable, custom ACP, the honest subset-refresh known limitation) and `docs/DEFERRED-WORK.md` §2 is marked addressed; the remaining Tier-2 follow-ups (WS `provider_snapshot_updated` frame, `available_agents.enabled` column, shared types package, MCP provider tools) stay deferred.
 ## v2.5.12-provider-lifecycle-phase4 — 2026-05-29
 Phase 4 of the v2.3 provider-lifecycle batch (`openspec/changes/v2-3-provider-lifecycle/design.md` §6): the HTTP API to read, patch, refresh, and diagnose providers. `routes/providers.ts` gains `GET /api/providers/config` (the raw loaded `CoderProvidersFile`), `PATCH /api/providers/config` (a partial providers map — an id's override object is replaced wholesale, a `null` value deletes it), an optional `{ providers?: string[] }` body on `POST /api/providers/refresh` (the `refreshed` count reflects the requested subset; the force probe itself still covers all installed providers, since per-provider force is a snapshot-internal change left to a later phase), and `GET /api/providers/:id/diagnostic` returning JSON `{ diagnostic: string }` — a read-only report (resolved def, install_path, last_probed_at, enabled, `which` availability, last cached probe error) with no probe spawn. PATCH correctness is the whole story: the order is validate→save→reload→clear, a malformed body or an invalid merged config returns 422 without writing the file, and a `save()` failure returns 500 without reloading the registry or clearing the snapshot cache, so on-disk and in-memory state can never diverge. New pure `mergeProviderConfigPatch` + `ProviderConfigPatchSchema` in `provider-config.ts`, a read-only `peekSnapshotEntry` cache accessor (source of the diagnostic's last-error — no probe/cache logic change), and a new `provider-diagnostic.ts` formatter. The web client gains `api.coder.getProvidersConfig` / `patchProvidersConfig` / `refreshProviders(providers?)` / `getProviderDiagnostic`, with mirrored `ProviderOverride` / `CoderProvidersFile` / `ProviderConfigPatch` types; the existing `/api/coder/*` proxy blanket-forwards the new routes with no change. +28 tests (134 coder total: pure merge/validate, the diagnostic formatter, and `app.inject` route tests proving the 422-no-write and save-fail-no-divergence guards). The diagnostic returns JSON rather than the §8 plaintext so it flows through the JSON `request` client helper (reconciling design §6.4's `{ diagnostic }` with §8's string report). No UI (Phase 5). Builds on `v2.5.6-provider-lifecycle-phase3`.
 ## v2.5.11-claude-skill-discovery — 2026-05-29
 Surface Claude Code's real enabled commands + plugin skills in the coder slash menu, with icons separating commands from plugin skills. New `claude-command-discovery.ts` reads (user-global scope) `~/.claude/commands/*.md` plus every enabled plugin in `~/.claude/settings.json:enabledPlugins` — each plugin's user-scope install path contributes `skills/<name>/SKILL.md` (kind `skill`) and `commands/*.md` (kind `command`), parsed from frontmatter, bare names, deduped. The snapshot's claude branch discovers these **live** (claude is PTY, no ACP probe; the snapshot cache rate-limits the fs reads). The `/` menu now renders up to three icon'd groups: **`<agent> commands`** (Terminal), **`<agent> skills`** (Puzzle — claude's plugin skills / opencode is all commands), and **BooCoder skills** (Sparkles), via a new optional `icon` on `SlashCommandGroup`. `AgentCommand` gains a `kind` field, added identically to the coder and web copies (the `provider-types-parity` test enforces it); `mergeCommandsByName` is now generic so it preserves the tag. Invocation is unchanged — picking a claude command/skill sends `/name` to claude (PTY), which executes it. Project-local plugins + `<cwd>/.claude/commands` deferred. BooChat unaffected (flat skills). Smoke-test the claude skill slash-execution on the host.
 ## v2.5.10-opencode-live-commands — 2026-05-29
 Surface opencode's real (live ACP) command set in the coder slash menu without needing a dispatch. Two fixes: (1) the cold ACP probe (`acp-probe.ts`) captured `available_commands` but read `probedCommands` synchronously right after `newSession` — racing opencode's async `available_commands_update` notification, so it captured **zero** and only the 7-item static manifest showed. The probe now waits briefly (poll up to 3s for the first batch + a 300ms settle, capped under the 30s probe timeout) so the commands are actually captured. (2) Captured commands are persisted to a new `available_agents.commands` JSONB column and served (merged with the manifest) on the tier-2-probe-skip path, so the agent's discovered commands survive once the model list is warm and show without a dispatch. Boot warms this via the `force: true` startup snapshot. apps/coder only (probe + schema + snapshot). Caveat: depends on opencode emitting `available_commands_update` on session creation rather than only after a prompt — to be confirmed on the host. Claude (PTY) disk/plugin discovery deferred.
 ## v2.5.9-agent-slash-commands — 2026-05-29
 Segmented per-agent slash menu in the coder pane, plus cross-agent skills. The `/` menu now shows two labeled groups — **the active agent's commands first** (opencode/claude/qwen manifest + live ACP `available_commands`), **BooCoder skills second** — instead of always showing BooCoder's skills regardless of provider. `SlashCommandPicker` gains an opt-in `groups` prop (the flat `items` path is unchanged, so **BooChat's menu is byte-identical** — parity verified: no BooChat caller passes the grouped prop, and the skills lookup / invocation routing are untouched); `ChatInput` takes `slashGroups`; `CoderPane` builds the groups from the selected provider's commands + skills. Skills now **run under the selected agent**: the coder `skill_invoke` route accepts a `provider` and, when external, injects the server-side skill body into a dispatched task (instead of native inference) — so a skill like brainstorming executes through opencode/claude with the body kept server-side, mirroring the messages-route external dispatch. Also folds in the earlier initial-chat fix: invoking a skill on the landing chat now runs the same create-chat → assign-to-pane → invoke transition as a text send (`handleLandingSkill`) rather than invoking invisibly without a pane transition (the blank-screen repro). Web tsc + coder build clean.
 ## v2.5.8-mobile-composer-row — 2026-05-29
 Mobile fix for the `AgentComposerBar`: the refresh button was wrapping to a second line. Root cause was layout order, not width — the status dot carried `ml-auto` (pinned to the far-right edge) and the refresh button followed it in DOM order, so it overflowed and wrapped. The dot + refresh are now one right-aligned (`ml-auto`) unit, keeping the refresh on the top line. Additionally, `CompactPicker` gained an `iconOnly` option and the Mode (permission) picker now renders icon-only on mobile (shield + chevron, no "Bypass"/"Plan" text label; `aria-label`/`title` and the tap-to-open list still convey the value) to free row width. Desktop is unchanged (full labels). Web-only change.
 ## v2.5.7-claude-models-and-picker-fix — 2026-05-29
 Two provider-layer changes. **(1) Fix the empty provider picker** — a regression from `v2.5.5` (Phase 2): on a cache miss `getProviderSnapshot` returned synchronous `installed:false` `loading` entries, which `AgentComposerBar` filters out (`e.installed && e.status !== 'error'`); with the client-side poll deferred to Phase 5, a single fetch landed on `loading` forever and no providers appeared. `getProviderSnapshot` now awaits the build and returns terminal entries (the sync `loading` return is deferred until Phase 5 ships the poll); builds stay fast via the tier-2 cold-probe skip. **(2) Claude models** — the list was a hardcoded 2-entry static list (Opus 4 / Sonnet 4, May 2025), and the v2.3 config schema's `models`/`additionalModels` were parsed but never wired. `buildResolvedRegistry` now carries config `models` (replace) + `additionalModels` (merge) onto `ResolvedProviderDef`, and `provider-snapshot` applies them to every ready model list — so `/data/coder-providers.json` can add or replace any provider's models with no code change. Claude `staticModels` bumped to `opus`/`sonnet`/`haiku` latest-aliases plus pinned `claude-opus-4-8` / `claude-sonnet-4-6` / `claude-haiku-4-5-20251001` (passed verbatim to `claude --model`; the CLI accepts both aliases and pinned full names). +2 unit tests (109 total). Builds on `v2.5.6-provider-lifecycle-phase3`.
 ## v2.5.6-provider-lifecycle-phase3 — 2026-05-29
 Phase 3 of the v2.3 provider-lifecycle batch (`openspec/changes/v2-3-provider-lifecycle/design.md` §5): generic ACP dispatch. `acp-spawn.ts` gains `resolveLaunchSpec(resolved, installPath)` — it consults the resolved registry's `launchCommand` (a config override or a custom-ACP entry's command) first, falling back to the kept `resolveAcpSpawnArgs` switch for built-ins. `acp-dispatch.ts` now spawns `spec.binary`/`spec.args` with `env: { ...process.env, ...spec.env }` instead of the hardcoded per-name argv, and `dispatcher.ts` loads the resolved def by `task.agent` and passes it through. This lets config-defined custom ACP providers dispatch with no new switch case. Built-in dispatch (claude/opencode/goose/qwen) is **byte-identical** to pre-v2.3 — proven by a regression test asserting opencode→`['acp']`, goose→`['acp']`, qwen→`['--acp']`, binary=`installPath ?? id`, and empty config env → plain `process.env`. One deliberate deviation from the spec's literal `!installPath → null`: the `installPath ?? id` fallback is preserved so a missing install path still spawns the bare agent name as before. `setSessionMode`/permission/streaming and the dispatcher poll/NOTIFY/running-guard are untouched. 7 new `acp-spawn.test.ts` cases. No routes/UI (Phase 4+). Builds on `v2.5.5-provider-lifecycle-phase2`.
 ## v2.5.5-provider-lifecycle-phase2 — 2026-05-29
 Phase 2 of the v2.3 provider-lifecycle batch (`openspec/changes/v2-3-provider-lifecycle/design.md` §4). `provider-snapshot.ts` stops returning `null` for uninstalled/disabled providers — it now emits one entry per registered provider with a lifecycle status (`loading | ready | unavailable | error`), an `enabled` flag, and a two-tier probe. Tier-1 is a fast `which`-style availability check (`command-availability.ts`, `execFile`/no-shell); tier-2 — the 5–30s cold ACP probe — is now SKIPPED unless forced (`POST /refresh`), the `available_agents.last_probed_at` row is older than `PROVIDER_PROBE_TTL_MS` (24h default), or the DB model list is empty, which kills snapshot latency on warm reads. A cache miss returns `status:'loading'` synchronously while the build settles in the background (client polling is deferred to Phase 5). `ProviderSnapshotStatus`/`ProviderSnapshotEntry` regained `loading`/`unavailable` and gained `enabled`, `description?`, `fetchedAt?` in both the coder and web copies, guarded by a runtime parity test (`provider-types-parity.test.ts`, mirroring the `ws-frames.test.ts` convention) that fails on any field drift — a compile-time cross-project assignability check was attempted first but blocked by TS6307 (web is a composite tsconfig project). Also tracks the previously-gitignored `data/coder-providers.json` seed via a `.gitignore` exception, completing the Phase 1 config file. No dispatch/route/UI changes (Phase 3+); AgentComposerBar filtering unchanged. Builds on `v2.5.4-provider-lifecycle-phase1`.
 ## v2.5.4-provider-lifecycle-phase1 — 2026-05-29
 Phase 1 of the v2.3 provider-lifecycle batch (`openspec/changes/v2-3-provider-lifecycle/design.md` §2–3): a config-backed provider layer merged over the hardcoded built-ins, with no runtime change when no config file exists. Adds `CODER_PROVIDERS_PATH` (default `/data/coder-providers.json`); `provider-config.ts` (Zod `ProviderOverride`/`CoderProvidersFile` schemas + a loader that never throws at startup — a missing file, invalid JSON, or schema mismatch all fall back to built-ins-only — plus `save` for the Phase 4 PATCH route); and `provider-config-registry.ts` (`ResolvedProviderDef` + `buildResolvedRegistry` merge: built-in overrides, custom `extends:'acp'` entries requiring label+command, `boocode` always enabled, plus a module singleton). `agent-probe.ts` now iterates the resolved registry instead of the hardcoded list — custom ACP entries resolve their binary from `command[0]` via `execFile` (no shell), disabled providers skip probing without losing their row, and `enabled` is read from memory only (no DB column this phase). Six unit tests, including a regression proving an empty config yields exactly the built-ins. No snapshot/dispatch/route/UI changes (Phase 2+). The `data/coder-providers.json` seed exists on disk but is gitignored (`data/*`). Lands on top of `v2.5.3-remove-cursor-copilot`.
 ## v2.5.3-remove-cursor-copilot — 2026-05-29
 Retire the cursor and copilot providers from BooCoder entirely. Removes their `acp-spawn` argv cases, `provider-manifest` mode blocks + manifest keys, `provider-commands` command maps, the `provider-snapshot` cursor model-CLI branch (and the now-orphaned `exec`/`promisify` imports), and the `agent-probe` copilot ACP-detect branch; deletes the dead `cursor-models.ts` module and its test. The `PROVIDERS` registry array already lacked both entries, so only the doc comment needed correcting. Built-ins unchanged: claude, opencode, goose, qwen, native boocode. Standalone cleanup; pairs with `v2.5.4-provider-lifecycle-phase1` which builds on it.
 ## v2.5.2-coder-ux-fixes — 2026-05-29
 Working-tree checkpoint bundling this session's fixes with in-progress coder UI work. This session: the BooCoder dispatcher now reacts to new tasks immediately via a Postgres `LISTEN/NOTIFY` (`tasks_new`) AFTER INSERT trigger, with the poll loop kept at 2s as a missed-notification fallback (`dispatcher.ts`, `apps/coder/src/schema.sql`); the mobile nav drawer no longer sticks open after returning to a backgrounded tab — `useViewport` re-syncs on `pageshow`/`visibilitychange`/`resize`/`orientationchange` (iOS reported a stale width on bfcache restore, leaving `isMobile=false`); assistant reasoning renders as a collapsible "Thinking" block in `MessageBubble`, surfacing ACP `agent_thought_chunk` from opencode/goose/qwen and native `reasoning_parts`; paste-to-chip inserts pasted text verbatim instead of wrapping it in a code fence; and a "New file from pasted text" affordance in the RightRail browser queues a `pending_changes` create through the new `POST /api/sessions/:id/pending/create` endpoint, paired with a fix repointing the DiffPanel's dead approve/reject calls to the real `/api/pending/:id/apply` and `/reject` routes. Also carried in the tree but not authored this session: the CoderPane `ChatInput` migration and `AgentComposerBar` refinements, plus backend tweaks to `auto_name`, inference `tool-phase`/`turn`, `secret_guard`, and `provider-registry`. Ships the `v2-6-persistent-agent-sessions` openspec proposal/design/tasks (free agent-switching with per-agent memory, opencode-as-server) as planning docs only — the feature is unimplemented and reserves the `v2.6.0` tag for it. Build green across server/coder/web; server suite 531 passing. (CHANGELOG note: the v2.3–v2.5.1 entries were never backfilled and remain absent above.)
 ## v2.2.2-xml-placeholder-reject — 2026-05-26
 Reject placeholder XML tool args at parse time in `extractToolCallBlocks` (`xml-parser.ts`). Drops calls when any string arg is `...`, empty/whitespace, `<path>`, `<file>`, `placeholder`, or angle-bracket sentinels; appends the raw XML block to flushed prose instead of silently deleting it. Fixes qwen3.6 answer-then-spurious-tools tail that caused duplicate assistant rows (full answer + failed `xml_call_*` tools + regenerated answer). Four new tests in `xml-parser.test.ts`. Known nit: rejection logs via `console.debug` instead of pino — filed in `docs/DEFERRED-WORK.md` §6 for a later cleanup.
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,7 +2,7 @@
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
-**Cursor agents:** start with `AGENTS.md` (navigation) and `docs/ARCHITECTURE.md` (diagram). This file is the deep engineering reference.
+**Cursor agents:** start with `docs/ARCHITECTURE.md` (diagram). This file is the deep engineering reference. (Note: the root navigation `AGENTS.md` was removed in v1.12; `data/AGENTS.md` is the agent *registry*, not navigation.)
 ## What is BooCode
@@ -68,9 +68,9 @@ Key services:
 - **`messages_with_parts` view** (v1.13.1-B; `schema.sql`). Read sites that need `tool_calls` / `tool_results` / `reasoning_parts` SELECT from this view, NOT `messages` directly. v1.13.20 dropped the legacy `messages.tool_calls` / `messages.tool_results` JSON columns; the view now reads parts-only subselects. Writes target `message_parts` exclusively via `insertParts` (or via the helpers `partsFromAssistantMessage` / `partsFromToolMessage`). The `Message` wire type still carries `tool_calls?` / `tool_results?` because the view synthesizes them from parts — frontend reads are unchanged. Shapes: `tool_calls jsonb[]`, `tool_results jsonb` single object, `reasoning_parts jsonb[]` of `{text}`. If you ever need to UPDATE a message and return its full Message shape, do a two-step UPDATE returning `id` followed by SELECT from the view — RETURNING off the bare `messages` table no longer carries the tool fields.
 - **`services/file_ops.ts`** — Shared file operation implementations used by both inference tools and HTTP routes.
 - **`services/auto_name.ts`** — Non-streaming LLM call to generate 4-word session titles after first assistant reply.
- **`services/provider-registry.ts`** — Static registry of provider metadata (label, transport, model source). `PROVIDERS` array, `PROVIDERS_BY_NAME` map. 5 providers: boocode (native), opencode (acp), goose (pty), claude (pty), qwen (pty).
+- **`apps/coder/src/services/provider-registry.ts`** (BooCoder, NOT apps/server) — Static registry of provider metadata (label, transport, model source). `PROVIDERS` array, `PROVIDERS_BY_NAME` map. 5 providers: boocode (native), opencode (acp), goose (pty), claude (pty), qwen (pty).
- **`services/agent-probe.ts`** — Startup probe using direct `exec()` (not SSH). Discovers installed agents on host, their versions, ACP support, and models. Qwen models read from `~/.qwen/settings.json`. Claude models are static from the registry. Results persisted to `available_agents` table.
+- **`apps/coder/src/services/agent-probe.ts`** (BooCoder) — Startup probe using direct `exec()` (not SSH). Discovers installed agents on host, their versions, ACP support, and models. Qwen models read from `~/.qwen/settings.json`. Claude models are static from the registry. Results persisted to `available_agents` table.
- **`routes/providers.ts`** — `GET /api/providers` returns installed providers with models. Transport field reflects actual capability (checks `supports_acp` from DB, not just registry preference).
+- **`apps/coder/src/routes/providers.ts`** (BooCoder) — `GET /api/providers` returns installed providers with models. Transport field reflects actual capability (checks `supports_acp` from DB, not just registry preference). The apps/server side of this flow is the "Provider picker dispatch" bullet below.
 - **Provider picker dispatch**: when `provider !== 'boocode'`, the message route creates a `tasks` row (with `session_id` set) instead of calling `inference.enqueue`. The dispatcher picks it up and dispatches via ACP or PTY using the agent's `install_path`.
 Route registration: all routes registered in `index.ts` via `register*Routes(app, sql, ...)` functions. Routes are in `routes/*.ts`.
@@ -80,12 +80,19 @@ Route registration: all routes registered in `index.ts` via `register*Routes(app
 - Write-capable coding agent. Runs as a **systemd service on the host** (`boocoder.service`), NOT in Docker. Fastify server at port 9502, connects to postgres at `127.0.0.1:5500`.
 - **Workspace dependency on `@boocode/server`**: imports `createInferenceRunner`, `createBroker`, `ALL_TOOLS`, `appendMcpTools` from the server's compiled `dist/`. apps/server's `package.json` has an `exports` map with `types` conditions for NodeNext resolution. apps/server must build FIRST.
 - Build + deploy: `pnpm -C apps/server build && pnpm -C apps/coder build && sudo systemctl restart boocoder`. Env file at `apps/coder/.env.host`. Service file at `/etc/systemd/system/boocoder.service`.
 - After `pnpm -C apps/coder build` the host `boocoder.service` keeps running the OLD process until `sudo systemctl restart boocoder` — a stale process shows **new routes 404 with `{error:'not found'}` while old routes still 200** (the `/api` not-found handler returns that shape). Restart, don't re-debug.
 - Agent dispatch spawns binaries directly using `install_path` from `available_agents` — no `spawn('sh', ['-c', ...])` (fails under systemd). Follows Paseo's pattern: `spawn(fullBinaryPath, argsArray, { cwd })`.
 - systemd hardening: only `NoNewPrivileges=true` is safe. `ProtectSystem`, `ProtectHome`, `PrivateTmp` all break agent dispatch (agents need full filesystem access to read configs, write to worktrees).
 - `apps/server/tsconfig.json` has `declaration: true` so `.d.ts` files exist for workspace consumers.
 - Write tools (`edit_file`, `create_file`, `delete_file`, `apply_pending`, `rewind`) queue in `pending_changes` table. Nothing hits disk until `apply_pending` is called. `write_guard.ts` validates paths (resolve + prefix-check, no realpath since files may not exist for creates).
 - Frontend: NOT a separate SPA. BooCoder is a `'coder'` pane type within BooChat's SPA (`apps/web/`). `CoderPane.tsx` in `apps/web/src/components/panes/`. API requests go through `/api/coder/*` proxy (Vite dev + Fastify production) which rewrites to the boocoder host service (`BOOCODER_URL` env var, default `http://100.114.205.53:9502`). WS connects directly to `:9502`.
 - `apps/coder/web/` is a STANDALONE fallback SPA served at `:9502` directly. The PRIMARY BooCoder frontend is the `CoderPane` in BooChat's SPA (`apps/web/src/components/panes/CoderPane.tsx`), accessible via the "Coder" pane in the workspace at `code.indifferentketchup.com`. Both exist; the pane is what Sam uses.
 - **Provider snapshot lifecycle** (`apps/coder/src/services/`): `provider-config.ts` (Zod config, never-throws on bad input) → `provider-config-registry.ts` (`buildResolvedRegistry`, singleton) → `provider-snapshot.ts` (two-tier probe: tier-1 fast presence, tier-2 cold ACP probe skipped unless force / stale `PROVIDER_PROBE_TTL_MS` 24h / dbEmpty; cached). Verify live: `curl http://100.114.205.53:9502/api/providers/snapshot` — returns providers + models + commands, the exact shape `AgentComposerBar` renders.
 - `PATCH /api/providers/config` replaces a provider id's override object **wholesale** (per-id shallow merge) — to flip one field send `{...existing, enabled}`, or a custom ACP entry's `command`/`label` is wiped and it drops out of the resolved registry. `data/coder-providers.json` is **gitignored** (it's live runtime config — the coder reads AND writes it on UI toggles); the tracked reference is `data/coder-providers.example.json`. The loader falls back to `{providers:{}}` (built-ins only) when the live file is absent, so a fresh checkout needs no copy.
 - **opencode** runs as a warm HTTP server (v2.6 Phase 1, `services/backends/opencode-server.ts` — `opencode serve` per BooCoder process, one opencode session per BooCode session, resumed via `agent_sessions`). goose/qwen/claude still dispatch **one-shot** ACP/PTY with no ctx/token usage; only native `boocode` (llama-swap engine) tracks ctx. Paseo's per-provider native clients (design §12) deliberately not ported.
 - **opencode SSE** (`opencode-server.ts`): live streaming arrives as `session.next.text.delta` / `session.next.reasoning.delta` / `session.next.tool.{called,success,failed}` — NOT `message.part.*` (those are terminal/post-hoc). `client.event.subscribe({ directory })` MUST pass the session's worktree directory; omit it and opencode scopes events to the server's `process.cwd()` → zero session events (empty turns, 180s watchdog timeout). Per-session SSE (P1.5-a): each live session owns its own `event.subscribe({directory})` loop + AbortController, so concurrent sessions in different worktrees stream independently; a `sessionID` demux guard drops cross-session events when two share a dir. Turn completes on `session.idle`; `promptAsync` is fire-and-forget (204).
 - **opencode model strings** must be provider-prefixed (`llama-swap/<model>`) AND exist in `~/.config/opencode/opencode.json` `provider.llama-swap.models` — not merely loadable by llama-swap. `parseModel` infers `llama-swap/` for a bare id; the dispatcher coalesces empty→DEFAULT_MODEL then prefixes. `agent-probe` populates opencode's `available_agents.models` via `mergeLlamaSwap` (fetches `/v1/models`); empty model list → frontend sends `''` → no inference (`input:0`, empty turn).
 - **agent_sessions resume**: `config_hash = sha256('opencode_server|<model>')` — must NOT include the server port (random per boot; including it breaks cross-restart resume). P1.5-b: `agent_sessions` is keyed `(chat_id, agent)` — the tab/chat is the context unit (two opencode tabs in one session = two contexts sharing one worktree). `chat_id` CASCADEs from `chats`; `session_id`/`worktree_id` are informational `SET NULL`. The `worktrees` table (one-per-session, `session_id` SET NULL so it survives session delete) supersedes the defanged `session_worktrees`. `tasks.chat_id` threads the tab id to the dispatcher; `runOpenCodeServerTask` falls back to resolve-or-create a chat when it's null (arena/MCP/new_task). The `@opencode-ai/sdk` v2 client takes flattened params (`{sessionID, directory, parts, model:{providerID,modelID}}`), imports `createOpencodeClient` from `@opencode-ai/sdk/v2/client`.
 ### Frontend (`apps/web/src/`)
@@ -119,11 +126,11 @@ Font / CSS pipeline (apps/web):
 ### Multi-pane workspace
-Sessions hold 1–5 panes (chat / empty / placeholder terminal+agent). v1.12.1 moved pane state from per-device localStorage to `sessions.workspace_panes jsonb` for cross-device sync. `PATCH /api/sessions/:id/workspace` persists; `session_workspace_updated` user-channel frame broadcasts to every device watching the session. `useWorkspacePanes` debounces saves 300ms and dedups echoes by JSON string. Legacy localStorage key `boocode.workspace.panes.<sessionId>` is read once on first hydrate (one-time seed-and-delete migration when server is empty but localStorage has data); no longer written. The deprecated `session_panes` table was dropped. `validatePanes(validChatIds)` prunes panes referencing chat IDs that no longer exist (called by `useSessionChats` after the chat list fetch lands). Each chat lives in at most one pane; tab strip is per-pane and tracks `chatIds[]` + `activeChatIdx`. Tab reorder via native HTML5 drag events.
+Sessions hold 1–5 panes (chat / empty / placeholder terminal+agent). v1.12.1 moved pane state from per-device localStorage to `sessions.workspace_panes jsonb` for cross-device sync. `PATCH /api/sessions/:id/workspace` persists; `session_workspace_updated` user-channel frame broadcasts to every device watching the session. `useWorkspacePanes` debounces saves 300ms and dedups echoes by JSON string. Legacy localStorage key `boocode.workspace.panes.<sessionId>` is read once on first hydrate (one-time seed-and-delete migration when server is empty but localStorage has data); no longer written. The deprecated `session_panes` table was dropped. `validatePanes(validChatIds)` prunes panes referencing chat IDs that no longer exist (called by `useSessionChats` after the chat list fetch lands). Each chat lives in at most one pane; tab strip is per-pane and tracks `chatIds[]` + `activeChatIdx`. Tab reorder via native HTML5 drag events. v2.6.5: `workspace_panes` is now a `WorkspaceState` envelope `{panes, tabNumbers (chatId→stable session-scoped tab number, assigned on chat-pane open, retired on close, never reused), nextTabNumber, closedPaneStack (reopen LIFO, max 10, persisted so it survives reload)}` — not a bare `WorkspacePane[]`. Hydrate (`toWorkspaceState`) and the server PATCH validator (`z.union([array, envelope])` in `routes/sessions.ts`) both accept the legacy array and normalize to the envelope on read/write. Closing a chat pane relocates its tabs to the oldest chat/empty pane; `reopenPane` strips the restored chatIds from all live panes first (no duplication). `read_tab_by_number` resolves a number→chatId through `tabNumbers`.
 ## Database
-PostgreSQL 16. Database name: `boochat` (renamed from `boocode` in v2.0.0-alpha; Docker service name stays `boocode_db`). Tables: `projects`, `sessions`, `chats`, `messages`, `settings`, `message_parts` (v1.13.0), `pending_changes` (v2.0.0), `tasks` (v2.0.0), `available_agents` (v2.0.0). Views: `messages_with_parts` (v1.13.1-B parts-merge read path), `tool_cost_stats` (v1.13.10 per-tool 100-call rolling window), `human_inbox` (v2.0.0 — tasks WHERE state IN blocked/failed). (`session_panes` was dropped in v1.12.1; workspace pane state lives in `sessions.workspace_panes jsonb`.) Schema applied idempotently on startup via `applySchema()`. Use `clock_timestamp()` (not `NOW()`) inside transactions. CHECK constraints in place: `projects_status_chk` ('open'|'archived'), `sessions_status_chk` (same), `chats_status_chk` (same), `messages_role_chk`, `messages_status_chk` — keep in sync with the `*_STATUSES` const arrays in `apps/server/src/types/api.ts`. The older anonymous `messages_status_check` (without 'cancelled') and `messages_role_check` (without 'system') were dropped in v1.12.1; only the `_chk` variants remain.
+PostgreSQL 16. Database name: `boochat` (renamed from `boocode` in v2.0.0-alpha; Docker service name stays `boocode_db`). Tables: `projects`, `sessions`, `chats`, `messages`, `settings`, `message_parts` (v1.13.0), `pending_changes` (v2.0.0), `tasks` (v2.0.0), `available_agents` (v2.0.0). Views: `messages_with_parts` (v1.13.1-B parts-merge read path), `tool_cost_stats` (v1.13.10 per-tool 100-call rolling window), `human_inbox` (v2.0.0 — tasks WHERE state IN blocked/failed). (`session_panes` was dropped in v1.12.1; workspace pane state lives in `sessions.workspace_panes jsonb`.) Schema applied idempotently on startup via `applySchema()`. Use `clock_timestamp()` (not `NOW()`) inside transactions. CHECK constraints in place: `projects_status_chk` ('open'|'archived'), `sessions_status_chk` (same), `chats_status_chk` (same), `messages_role_chk`, `messages_status_chk` — keep in sync with the `*_STATUSES` const arrays in `apps/server/src/types/api.ts`. The older anonymous `messages_status_check` (without 'cancelled') and `messages_role_check` (without 'system') were dropped in v1.12.1; only the `_chk` variants remain. **Two schema files, one DB:** `apps/server/src/schema.sql` owns `sessions`/`chats`/`messages`/`message_parts`; `apps/coder/src/schema.sql` (applied by the boocoder host service) owns `agent_sessions`, `worktrees`, `pending_changes`, `available_agents` and extends `tasks`. Both apply idempotently to the one `boochat` DB — so e.g. an `agent_sessions` FK change goes in the **coder** schema, not the server one. Idempotent FK-action flips (e.g. `ON DELETE CASCADE`→`SET NULL`) guard on `pg_constraint.confdeltype` so a re-run/fresh-deploy is a no-op (see the `session_worktrees`/`agent_sessions` defang blocks).
 Schema CHECK migration order when renaming allowed values: (1) `ALTER TABLE ... DROP CONSTRAINT IF EXISTS <system_name>` (inline `CREATE TABLE` checks get `<table>_<column>_check`), (2) `UPDATE` rows to new values, (3) wrap new constraint ADD in `DO $$ ... pg_constraint` guard — that block is the only way to get `ADD CONSTRAINT IF NOT EXISTS`.
@@ -145,10 +152,12 @@ BooCoder at port 9502: `curl http://100.114.205.53:9502/api/health`. Runs as `bo
 - Tag naming: `vMAJOR.MINOR.PATCH-slug` (e.g. `v1.13.13-ws-publish`). Monotonic per minor — the slug describes the batch's content so the tag name alone is enough to recall what shipped. No letter suffixes (`-a`/`-b`), no pseudo-ranges (`v1.11.x`), no slug-only sub-versions sharing a number (`v1.13.15-tools` + `-openspec` + `-agentlint` — split into sequential patches instead).
 - `CHANGELOG.md` is the per-tag release log, most-recent on top. When a new tag is created, add a `## <tag> — <YYYY-MM-DD>` section with a 3–6 sentence paragraph summarizing what shipped, drawn from the commit body. Cross-reference other tags by name when the batch builds on, fixes, or pairs with prior work (e.g. "pairs with `v1.13.12-ws-schemas`", "fixed in `v1.13.5-stability-bundle`"). No nested bullets — one paragraph.
 - Deploy: `cd /opt/boocode && docker compose up --build -d` (or `docker compose build --no-cache boocode && docker compose up -d` if you suspect a layer-cache issue).
 - The `boocode` container is `build: .` — it builds web+server from the **working tree**, so uncommitted changes deploy. Web edits are live on the Vite dev server (HMR) but NOT on production (`:9500` / code.indifferentketchup.com) until `docker compose up --build -d boocode`.
 - Git push to Gitea: `GIT_SSH_COMMAND="ssh -i /opt/boocode/secrets/boocode_gitea -o IdentitiesOnly=yes" git push origin <branch>`. The default agent identity is rejected; the in-repo deploy key (`secrets/`, gitignored) is the working one. Transient `Connection reset by peer` retries cleanly after `sleep 5`.
 - Don't accumulate `.bak-*` files. Clean them up in the same batch or immediately after merge.
- DB-integration tests opt-in via env var: `DATABASE_URL='postgres://boocode:devpass@localhost:5500/boochat' pnpm -C apps/server test`. Host port is 5500 (mapped from `boocode_db:5432`); password is `${POSTGRES_PASSWORD}` from `.env` (`devpass`), NOT the literal in `.env`'s `DATABASE_URL=postgres://boocode:Ketchup1479@boocode_db:5432/...` line. Pattern: `describe.runIf(!!process.env.DATABASE_URL)(...)` with a `beforeAll` that applies the schema via `sql.unsafe(readFileSync(schemaPath))`. Tests skip cleanly when var is unset. `tool_cost_stats.test.ts` is the reference.
+- DB-integration tests opt-in via env var: `DATABASE_URL='postgres://boocode:devpass@localhost:5500/boochat' pnpm -C apps/server test`. Host port is 5500 (mapped from `boocode_db:5432`); password is `${POSTGRES_PASSWORD}` from `.env` (`devpass`), NOT the literal in `.env`'s `DATABASE_URL=postgres://boocode:Ketchup1479@boocode_db:5432/...` line. `psql` is not on the host PATH — for an interactive query use `docker exec boocode_db psql -U boocode -d boochat -c "..."`. Pattern: `describe.runIf(!!process.env.DATABASE_URL)(...)` with a `beforeAll` that applies the schema via `sql.unsafe(readFileSync(schemaPath))`. Tests skip cleanly when var is unset. `tool_cost_stats.test.ts` is the reference.
 - Host-side smoke endpoint: `curl http://100.114.205.53:9500/api/...`. The boocode container's port mapping binds to the Tailscale IP, not `0.0.0.0`, so `localhost:9500` doesn't work from the host shell. Same for booterm at `:9501`.
 - Frontend blank-screen / runtime crash: get the stack-trace column offset from the browser console, then `cut -c <start>-<end> apps/web/dist/assets/index-*.js | sed -n '<line>p'` to read the exact minified expression that threw. Faster than bisecting source. Watch for `=== null`/`!== null` on optional fields fed an `as unknown as` cast — those bypass tsc.
 - Fastify global JSON parser tolerates empty bodies (overridden in `index.ts`); bodyless POSTs (archive, unarchive, stop) work without setting `Content-Type` tricks on the client.
 - Event dedup discipline: for any mutation the server publishes via `broker.publishUser`, do NOT add a local `sessionEvents.emit(...)` after the API call — `useUserEvents` forwards the WS frame onto the bus. Frontend mutation handlers must be idempotent (dedup by id, no-op on already-present).
 - `node:20-*` base images ship a `node` user at uid/gid 1000 — delete it (`userdel`/`groupdel` on debian, `deluser`/`delgroup` on alpine) before adding samkintop at 1000.
@@ -157,8 +166,8 @@ BooCoder at port 9502: `curl http://100.114.205.53:9502/api/health`. Runs as `bo
 - A local PreToolUse hook (`security_reminder_hook.py`) regex-flags Node's older `child_process` spawn helpers as unsafe (false positive even on the File-suffixed variant). Use `spawn` — it's accepted.
 - `/opt/boolab` hosts a working sibling BooCode terminal at `boocode.indifferentketchup.com`. Useful for visual side-by-side comparison on the same iPhone when debugging booterm rendering. Boolab uses Tailwind v3 (`@tailwind base`); boocode uses v4 — many subtle build differences. Don't assume parity.
 - booterm SSHs to the host as `samkintop@100.114.205.53` (the Tailscale IP). The hostname `ubuntu-homelab` (shown in the bash prompt after login) does NOT resolve from inside the container — only the host's `/etc/hosts` knows it. Override via `BOOTERM_SSH_HOST` / `BOOTERM_SSH_USER` env vars in docker-compose if you ever move the shell to a different machine.
- codecontext sidecar lives at `/opt/boocode/codecontext/`. Sidecar HTTP API at `http://codecontext:8080/v1/<tool_name>` over the `boocode_net` bridge (no host port). BooCode wrappers in `apps/server/src/services/tools/codecontext/`. The `.codecontextignore.template` documents recommended ignore patterns; users copy and adapt to project root manually.
+- codecontext sidecar lives at `/opt/boocode/codecontext/`. Sidecar HTTP API at `http://codecontext:8080/v1/<tool_name>` over the `boocode_net` bridge (no host port). BooCode wrappers in `apps/server/src/services/tools/codecontext/`. The `.codecontextignore` at project root is honored when `--respect-gitignore` is passed (enabled in the shim).
- codecontext fork at `/opt/forks/codecontext/` — separate git repo (branch `boocode-ts`), pushed via the same boocode_gitea SSH key to `indifferentketchup/codecontext`. Build: `go build ./...`. Test: `go test ./...`. Docker rebuild: `docker compose build --no-cache codecontext`.
+- codecontext fork at `/opt/forks/codecontext/` — separate git repo (branch `boocode-ts`), pushed via the same boocode_gitea SSH key to `indifferentketchup/codecontext`. Build: `go build ./...`. Test: `go test ./...`. Docker rebuild requires staging the fork source first: `tar -czf codecontext/fork.tar.gz -C /opt/forks/codecontext --exclude=.git --exclude=bin .` then `docker compose build --no-cache codecontext`. The Dockerfile COPYs `fork.tar.gz` into the builder stage (Gitea is behind Authelia, no HTTP clone). `fork.tar.gz` is gitignored.
 - Go binary: `/snap/go/current/bin/go` (not on PATH by default). Use `export PATH=$PATH:/snap/go/current/bin` or full path for Go commands.
 - `os/exec` child supervisors must explicitly call `child.Wait()` in a goroutine and `os.Exit` on child death. `Signal(0)` returns nil on zombies and is NOT a liveness check. Without `Wait()`, docker's `restart: unless-stopped` policy never fires because the parent stays alive. The `codecontext/shim.go` implementation is the reference pattern.
@@ -171,17 +180,34 @@ BooCoder at port 9502: `curl http://100.114.205.53:9502/api/health`. Runs as `bo
 - Discriminated unions for type narrowing: `Pane` (by `kind`), `SessionEvent` (by `type`), `InferenceFrame` (by `type`).
 - **Adding a new WS frame type** requires updating BOTH the server's `InferenceFrame` (loose `type:` union + optional fields in `services/inference/turn.ts`) AND the web `WsFrame` (strict discriminated union in `apps/web/src/api/types.ts`). Server publish is permissive; the frontend type is the wire-format gate. The `'usage'` frame added in v1.12.2 needed both sides; missing the web side silently drops the frame at JSON-parse.
 - shadcn primitives live in `components/ui/`. Don't modify them unless adding a new primitive.
 - `ui/` primitives present: button, card, context-menu, dialog, dropdown-menu, input, label, radio-group, sonner, textarea. No switch/sheet/drawer/badge/checkbox — use a `<button role="switch" aria-checked>` toggle (a hand-rolled `Switch` already lives in `SettingsPane.tsx`) and a Dialog-based panel for "drawers".
 - `inferLanguage()` from `lib/attachments.ts` is the canonical file-extension-to-language map. `CodeBlock.tsx` keeps its own `LANG_MAP` because it also resolves markdown fence names.
 - Two UI event buses: `hooks/sessionEvents.ts` for DB-state events (chat_created, session_updated); `lib/events.ts` for ephemeral UI (`sendToTerminal`, `terminalsRegistry`). Don't merge — different subscriber lifecycles.
 - `vite.config.ts` proxy entries are order-sensitive: more-specific prefixes (`/api/term`, `/ws/term`) must come BEFORE `/api`.
 - Mobile pane URL sync (`Session.tsx`): the `?pane=<id>` effect resets `activePaneIdx` whenever `panes` changes. New-pane creation on mobile must push `?pane=` atomically — `addPaneAndSwitch` is the wrapper that does this. `addSplitPane` returns the new pane id for callers.
 - A scrollable list inside a Dialog on mobile: cap `DialogContent` (`max-h-[85vh]` + `grid-rows-[auto_minmax(0,1fr)_auto]`) and make the list the single scroll region with `overscroll-contain` — otherwise touch-scroll drags the whole fixed modal / chains to the page.
 - xterm.js v5 uses canvas rendering — browser doesn't see xterm's selection; the native right-click menu has no working Copy for terminal text. App keybindings (`Cmd/Ctrl-C`, `Cmd/Ctrl-Shift-C`) are the path.
 - **New tools** live in their own `services/<name>.ts` file (see `web_search.ts`, `web_fetch.ts`) — exports a pure `executeFoo(input, ...deps)` for direct test access plus a `ToolDef` wrapper that `loadConfig()`s its real dependencies. Register the ToolDef in `tools.ts` `ALL_TOOLS` (and `READ_ONLY_TOOL_NAMES` if applicable). Inject `fetcher: typeof fetch = fetch` rather than `vi.spyOn(globalThis, 'fetch')` — cleanup is simpler and the production call site stays unchanged.
 - **DB/session-aware tools** take an optional 4th `ToolExecCtx { sql, sessionId }` arg on `ToolDef.execute`, plumbed `executeToolPhase`→`executeToolCall`→`execute`. It's optional so the filesystem tools and the `apps/coder` `ALL_TOOLS` consumer stay compatible; filesystem tools ignore it. `read_tab_by_number` (reads `sessions.workspace_panes` + the chat's messages via `sql`) is the reference.
 - **Sentinels** are `role='system'` rows with structured `metadata.kind` (`cap_hit`, `doom_loop`). UI-only — `buildMessagesPayload` strips them via `isAnySentinel` so the LLM never sees them. A new kind requires arms in `MessageMetadata` in BOTH `apps/server/src/types/api.ts` AND `apps/web/src/api/types.ts`, plus a render branch in `apps/web/src/components/MessageBubble.tsx`.
 - **ReadableStream test stubs** use `pull()` (not `start()`) so chunks are produced lazily — `start()` enqueues everything and calls `controller.close()` before the consumer reads, so a subsequent `reader.cancel()` finds the stream already closed and the `cancel()` callback never fires. Also provide MORE chunks than the test will consume so the source stays in 'readable' state when cancel runs (e.g. cap test reads ~6 chunks, stub provides 10).
 - React **StrictMode is on** (`main.tsx`): an updater passed to one `setState` that itself calls another `setState` (e.g. `setClosedPaneStack` inside a `setPanes` updater) is double-invoked in dev. Make such nested updates idempotent — `useWorkspacePanes`'s `appendClosed` dedupes a value-identical top entry for exactly this reason.
 - Tool-name whitelists must derive from `ALL_TOOLS` in `services/tools.ts`, never hardcoded. `services/agents.ts` `ALL_TOOL_NAMES` had this drift class until v1.12 — same pattern applies to any future tool-aware code.
 - Agent registry lives at `data/AGENTS.md` (global, bind-mounted at `/data/AGENTS.md`). No per-project `AGENTS.md` in this repo — removed in v1.12 to eliminate the two-files-must-stay-in-sync drift. The `getAgentsForProject` per-project override mechanism remains for *other* projects.
 - `data/AGENTS.md` is PARSED (`agents.ts` `splitSections`/`parseAgentSection`): each `## <Name>` is one agent and must be followed by a `---` frontmatter fence or the block throws; content before the first `## ` is discarded. Do NOT add free-form `## ` rule sections — they break the registry. Cross-cutting agent rules go in CLAUDE.md or a parser-ignored preamble.
 - Skills live in `data/skills/<vendor>/`; Sam's own namespace is `boocode/` (`committing-changes`, `using-worktrees`, `improving-boocode-guidance`) — `SKILL.md` + optional `eval.yaml` (gerund names; eval = `skill:` + `tasks:` of `prompt`+`grader`, incl. a negative-trigger task). `data/skills/` is canonical; a divergent mirror at `/opt/skills/` exists.
 - MCP stdio transport uses newline-delimited JSON (NDJSON), NOT LSP-style `Content-Length` headers. The `codecontext/shim.go` framing implementation is the reference; per the MCP spec (modelcontextprotocol.io/specification/server/transports).
 - **Workspace dependency pattern** (`apps/coder` → `@boocode/server`): the consuming package adds `"@boocode/server": "workspace:*"` in `package.json`. The provider's `package.json` needs `exports` with `types` + `default` conditions per subpath: `"./inference": { "types": "./dist/.../index.d.ts", "default": "./dist/.../index.js" }`. Without the `types` condition, NodeNext resolution can't find `.d.ts` files and tsc fails with "Cannot find module" in the consumer.
 - **JSONB columns**: use `sql.json(value as never)` — NOT `${JSON.stringify(value)}::jsonb` which double-serializes (stores a JSON string instead of a JSON object/array). Pattern established in `parts.ts`, `settings.ts`.
 - **`payload.ts:loadContext` SELECT**: must include every `Session` field that downstream code reads. The tool phase reads `session.allowed_read_paths`; if the SELECT omits it, cross-repo read grants silently fail. The `Session` TypeScript type doesn't catch this because `sql<Session[]>` doesn't enforce column coverage.
 - **Sidecar routing** (`services/inference/provider.ts`): `upstreamModel(config, modelId, agent)` routes to `LLAMA_SIDECAR_URL` when agent has `llama_extra_args`, otherwise `LLAMA_SWAP_URL`. `resolveRoute(agent)` returns `{route: 'swap'|'sidecar', flags}`. Sidecar provider created fresh per call (not cached) because `X-Agent-Flags` header varies per agent. Boot-time guard in `index.ts` refuses to start if any agent has `llama_extra_args` but `LLAMA_SIDECAR_URL` is unset.
 - **Secret guard safe patterns** (`services/secret_guard.ts`): `.env.example`, `.env.sample`, `.env.template`, `.env.defaults` are allowlisted via `SAFE_PATTERNS` set. Do NOT add `.env.production`/`.env.development`/`.env.test` — those can hold real secrets.
 - **CoderPane uses ChatInput** (`components/panes/CoderPane.tsx`): shares the same `ChatInput` component as BooChat for full parity — attachments, paste-to-chip, auto-grow textarea, queued messages during send. CoderPane's `sendOneMessage` is the send callback; queued messages drain via `useEffect` when `sending` goes false.
 - **Adding a new `SessionEvent` type**: add the interface, add it to the `SessionEvent` union, add a `case` in `useSidebar.ts` `applyEvent` switch (no-op `return prev` is fine), and subscribe in any hook that needs it (e.g. `useSessionStream` for `refetch_messages`).
 - **BooCoder provider registry** (`apps/coder/src/services/provider-registry.ts`): static list of provider defs (boocode, opencode, goose, claude, qwen). `PROBED_AGENT_NAMES` derives from it. Adding/removing providers means editing this file, not the frontend.
 - **AgentComposerBar filters `e.installed`**: provider snapshot entries with `installed:false` (loading/unavailable) are dropped from the dropdown. `getProviderSnapshot` must await the full build — returning synchronous `loading` placeholders makes every provider vanish (the v2.5.7 "no providers showing up" regression); surfacing loading states needs a client poll.
 - **Coder↔web provider-type parity** (`apps/coder/src/services/provider-types.ts` ↔ `apps/web/src/api/types.ts`): enforced by runtime `provider-types-parity.test.ts` (compile-time cross-import is blocked by TS6307 on web's composite tsconfig). Mirror of the ws-frames parity pattern — edit both copies together or the test fails.
 - **ACP command discovery is async**: `acp-probe.ts` must poll after `newSession` for `available_commands_update` (commands arrive in a later notification; reading synchronously captures 0). PTY providers (claude) instead discover from disk via `claude-command-discovery.ts` (`~/.claude/commands` + `enabledPlugins` `skills/`+`commands/`, bare names, deduped). `AgentCommand.kind` tags `'command'` vs `'skill'`; `CoderPane`'s `slashGroups` splits them into icon'd groups. `SlashCommandPicker`'s `groups?` prop is opt-in — BooChat passes flat `items` (unchanged).
 - **Pane header architecture (mobile vs desktop)**: Desktop coder pane header (BooCode label + [+] [×]) lives in `Workspace.tsx` gated by `isCoder && !isMobile`. Mobile coder controls (● ×) live in `Session.tsx` header row next to `MobileTabSwitcher`/`NewPaneMenu`. `AgentComposerBar` (provider/mode/model pickers) renders inside `CoderPane.tsx` on both. The ● status dot is passed via `connected` prop from CoderPane to AgentComposerBar.
 - **MessageBubble shared between BooChat and BooCoder** (`components/MessageBubble.tsx`): accepts optional `actions?: MessageActions` callbacks (onRegenerate, onResend, onFork, onDelete) and `hideActions?: ('fork'|'delete'|'openInPane')[]`. Defaults use BooChat API; CoderPane overrides via `CoderMessageList` props. `CoderTextBubble` was removed. **`CoderMessageList` passes `CoderMessageWire as unknown as Message`** — the coder wire shape lacks `metadata`/`kind`/`summary`, so those fields are `undefined` (not `null`) on coder messages. Null-guards on any `Message` field MUST use loose `!= null`, not strict `!== null` (`undefined !== null` is `true` → `.kind` throws → blank-screen crash). The `as unknown as` cast hides this from tsc; build + typecheck pass while runtime crashes.
 - **llama-sidecar** (`/opt/forks/llama-sidecar/`): Go daemon for per-agent llama-server process pool. Cross-compile: `GOOS=windows GOARCH=amd64 /snap/go/current/bin/go build -o bin/llama-sidecar.exe ./cmd/llama-sidecar`. Gitea: `indifferentketchup/llama-sidecar`. Windows child process gotchas: use `context.Background()` for child lifetime (not request ctx), `os.Open(os.DevNull)` for stdin, `os.Pipe()` for stdout with drain goroutine, `DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP` creation flags. SSH to sam-desktop: `ssh samki@100.101.41.16`; use `schtasks` for persistent process spawning (SSH `start /B` doesn't survive session close).
--- a/682
+++ b/682
@@ -1,661 +1,21 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
+MIT License
-                       Version 3, 19 November 2007
+
-
+Copyright (c) 2026 indifferentketchup
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+
- Everyone is permitted to copy and distribute verbatim copies
+Permission is hereby granted, free of charge, to any person obtaining a copy
- of this license document, but changing it is not allowed.
+of this software and associated documentation files (the "Software"), to deal
-
+in the Software without restriction, including without limitation the rights
-                            Preamble
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-
+copies of the Software, and to permit persons to whom the Software is
-  The GNU Affero General Public License is a free, copyleft license for
+furnished to do so, subject to the following conditions:
-software and other kinds of works, specifically designed to ensure
+
-cooperation with the community in the case of network server software.
+The above copyright notice and this permission notice shall be included in all
-
+copies or substantial portions of the Software.
-  The licenses for most software and other practical works are designed
+
-to take away your freedom to share and change the works.  By contrast,
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-our General Public Licenses are intended to guarantee your freedom to
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-share and change all versions of a program--to make sure it remains free
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-software for all its users.
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-  When we speak of free software, we are referring to freedom, not
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-price.  Our General Public Licenses are designed to make sure that you
+SOFTWARE.
 have the freedom to distribute copies of free software (and charge for
 them if you wish), that you receive source code or can get it if you
 want it, that you can change the software or use pieces of it in new
 free programs, and that you know you can do these things.
  Developers that use our General Public Licenses protect your rights
 with two steps: (1) assert copyright on the software, and (2) offer
 you this License which gives you legal permission to copy, distribute
 and/or modify the software.
  A secondary benefit of defending all users' freedom is that
 improvements made in alternate versions of the program, if they
 receive widespread use, become available for other developers to
 incorporate.  Many developers of free software are heartened and
 encouraged by the resulting cooperation.  However, in the case of
 software used on network servers, this result may fail to come about.
 The GNU General Public License permits making a modified version and
 letting the public access it on a server without ever releasing its
 source code to the public.
  The GNU Affero General Public License is designed specifically to
 ensure that, in such cases, the modified source code becomes available
 to the community.  It requires the operator of a network server to
 provide the source code of the modified version running there to the
 users of that server.  Therefore, public use of a modified version, on
 a publicly accessible server, gives the public access to the source
 code of the modified version.
  An older license, called the Affero General Public License and
 published by Affero, was designed to accomplish similar goals.  This is
 a different license, not a version of the Affero GPL, but Affero has
 released a new version of the Affero GPL which permits relicensing under
 this license.
  The precise terms and conditions for copying, distribution and
 modification follow.
                       TERMS AND CONDITIONS
  0. Definitions.
  "This License" refers to version 3 of the GNU Affero General Public License.
  "Copyright" also means copyright-like laws that apply to other kinds of
 works, such as semiconductor masks.
  "The Program" refers to any copyrightable work licensed under this
 License.  Each licensee is addressed as "you".  "Licensees" and
 "recipients" may be individuals or organizations.
  To "modify" a work means to copy from or adapt all or part of the work
 in a fashion requiring copyright permission, other than the making of an
 exact copy.  The resulting work is called a "modified version" of the
 earlier work or a work "based on" the earlier work.
  A "covered work" means either the unmodified Program or a work based
 on the Program.
  To "propagate" a work means to do anything with it that, without
 permission, would make you directly or secondarily liable for
 infringement under applicable copyright law, except executing it on a
 computer or modifying a private copy.  Propagation includes copying,
 distribution (with or without modification), making available to the
 public, and in some countries other activities as well.
  To "convey" a work means any kind of propagation that enables other
 parties to make or receive copies.  Mere interaction with a user through
 a computer network, with no transfer of a copy, is not conveying.
  An interactive user interface displays "Appropriate Legal Notices"
 to the extent that it includes a convenient and prominently visible
 feature that (1) displays an appropriate copyright notice, and (2)
 tells the user that there is no warranty for the work (except to the
 extent that warranties are provided), that licensees may convey the
 work under this License, and how to view a copy of this License.  If
 the interface presents a list of user commands or options, such as a
 menu, a prominent item in the list meets this criterion.
  1. Source Code.
  The "source code" for a work means the preferred form of the work
 for making modifications to it.  "Object code" means any non-source
 form of a work.
  A "Standard Interface" means an interface that either is an official
 standard defined by a recognized standards body, or, in the case of
 interfaces specified for a particular programming language, one that
 is widely used among developers working in that language.
  The "System Libraries" of an executable work include anything, other
 than the work as a whole, that (a) is included in the normal form of
 packaging a Major Component, but which is not part of that Major
 Component, and (b) serves only to enable use of the work with that
 Major Component, or to implement a Standard Interface for which an
 implementation is available to the public in source code form.  A
 "Major Component", in this context, means a major essential component
 (kernel, window system, and so on) of the specific operating system
 (if any) on which the executable work runs, or a compiler used to
 produce the work, or an object code interpreter used to run it.
  The "Corresponding Source" for a work in object code form means all
 the source code needed to generate, install, and (for an executable
 work) run the object code and to modify the work, including scripts to
 control those activities.  However, it does not include the work's
 System Libraries, or general-purpose tools or generally available free
 programs which are used unmodified in performing those activities but
 which are not part of the work.  For example, Corresponding Source
 includes interface definition files associated with source files for
 the work, and the source code for shared libraries and dynamically
 linked subprograms that the work is specifically designed to require,
 such as by intimate data communication or control flow between those
 subprograms and other parts of the work.
  The Corresponding Source need not include anything that users
 can regenerate automatically from other parts of the Corresponding
 Source.
  The Corresponding Source for a work in source code form is that
 same work.
  2. Basic Permissions.
  All rights granted under this License are granted for the term of
 copyright on the Program, and are irrevocable provided the stated
 conditions are met.  This License explicitly affirms your unlimited
 permission to run the unmodified Program.  The output from running a
 covered work is covered by this License only if the output, given its
 content, constitutes a covered work.  This License acknowledges your
 rights of fair use or other equivalent, as provided by copyright law.
  You may make, run and propagate covered works that you do not
 convey, without conditions so long as your license otherwise remains
 in force.  You may convey covered works to others for the sole purpose
 of having them make modifications exclusively for you, or provide you
 with facilities for running those works, provided that you comply with
 the terms of this License in conveying all material for which you do
 not control copyright.  Those thus making or running the covered works
 for you must do so exclusively on your behalf, under your direction
 and control, on terms that prohibit them from making any copies of
 your copyrighted material outside their relationship with you.
  Conveying under any other circumstances is permitted solely under
 the conditions stated below.  Sublicensing is not allowed; section 10
 makes it unnecessary.
  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
  No covered work shall be deemed part of an effective technological
 measure under any applicable law fulfilling obligations under article
 11 of the WIPO copyright treaty adopted on 20 December 1996, or
 similar laws prohibiting or restricting circumvention of such
 measures.
  When you convey a covered work, you waive any legal power to forbid
 circumvention of technological measures to the extent such circumvention
 is effected by exercising rights under this License with respect to
 the covered work, and you disclaim any intention to limit operation or
 modification of the work as a means of enforcing, against the work's
 users, your or third parties' legal rights to forbid circumvention of
 technological measures.
  4. Conveying Verbatim Copies.
  You may convey verbatim copies of the Program's source code as you
 receive it, in any medium, provided that you conspicuously and
 appropriately publish on each copy an appropriate copyright notice;
 keep intact all notices stating that this License and any
 non-permissive terms added in accord with section 7 apply to the code;
 keep intact all notices of the absence of any warranty; and give all
 recipients a copy of this License along with the Program.
  You may charge any price or no price for each copy that you convey,
 and you may offer support or warranty protection for a fee.
  5. Conveying Modified Source Versions.
  You may convey a work based on the Program, or the modifications to
 produce it from the Program, in the form of source code under the
 terms of section 4, provided that you also meet all of these conditions:
    a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.
    b) The work must carry prominent notices stating that it is
    released under this License and any conditions added under section
    7.  This requirement modifies the requirement in section 4 to
    "keep intact all notices".
    c) You must license the entire work, as a whole, under this
    License to anyone who comes into possession of a copy.  This
    License will therefore apply, along with any applicable section 7
    additional terms, to the whole of the work, and all its parts,
    regardless of how they are packaged.  This License gives no
    permission to license the work in any other way, but it does not
    invalidate such permission if you have separately received it.
    d) If the work has interactive user interfaces, each must display
    Appropriate Legal Notices; however, if the Program has interactive
    interfaces that do not display Appropriate Legal Notices, your
    work need not make them do so.
  A compilation of a covered work with other separate and independent
 works, which are not by their nature extensions of the covered work,
 and which are not combined with it such as to form a larger program,
 in or on a volume of a storage or distribution medium, is called an
 "aggregate" if the compilation and its resulting copyright are not
 used to limit the access or legal rights of the compilation's users
 beyond what the individual works permit.  Inclusion of a covered work
 in an aggregate does not cause this License to apply to the other
 parts of the aggregate.
  6. Conveying Non-Source Forms.
  You may convey a covered work in object code form under the terms
 of sections 4 and 5, provided that you also convey the
 machine-readable Corresponding Source under the terms of this License,
 in one of these ways:
    a) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by the
    Corresponding Source fixed on a durable physical medium
    customarily used for software interchange.
    b) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by a
    written offer, valid for at least three years and valid for as
    long as you offer spare parts or customer support for that product
    model, to give anyone who possesses the object code either (1) a
    copy of the Corresponding Source for all the software in the
    product that is covered by this License, on a durable physical
    medium customarily used for software interchange, for a price no
    more than your reasonable cost of physically performing this
    conveying of source, or (2) access to copy the
    Corresponding Source from a network server at no charge.
    c) Convey individual copies of the object code with a copy of the
    written offer to provide the Corresponding Source.  This
    alternative is allowed only occasionally and noncommercially, and
    only if you received the object code with such an offer, in accord
    with subsection 6b.
    d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge.  You need not require recipients to copy the
    Corresponding Source along with the object code.  If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source.  Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.
    e) Convey the object code using peer-to-peer transmission, provided
    you inform other peers where the object code and Corresponding
    Source of the work are being offered to the general public at no
    charge under subsection 6d.
  A separable portion of the object code, whose source code is excluded
 from the Corresponding Source as a System Library, need not be
 included in conveying the object code work.
  A "User Product" is either (1) a "consumer product", which means any
 tangible personal property which is normally used for personal, family,
 or household purposes, or (2) anything designed or sold for incorporation
 into a dwelling.  In determining whether a product is a consumer product,
 doubtful cases shall be resolved in favor of coverage.  For a particular
 product received by a particular user, "normally used" refers to a
 typical or common use of that class of product, regardless of the status
 of the particular user or of the way in which the particular user
 actually uses, or expects or is expected to use, the product.  A product
 is a consumer product regardless of whether the product has substantial
 commercial, industrial or non-consumer uses, unless such uses represent
 the only significant mode of use of the product.
  "Installation Information" for a User Product means any methods,
 procedures, authorization keys, or other information required to install
 and execute modified versions of a covered work in that User Product from
 a modified version of its Corresponding Source.  The information must
 suffice to ensure that the continued functioning of the modified object
 code is in no case prevented or interfered with solely because
 modification has been made.
  If you convey an object code work under this section in, or with, or
 specifically for use in, a User Product, and the conveying occurs as
 part of a transaction in which the right of possession and use of the
 User Product is transferred to the recipient in perpetuity or for a
 fixed term (regardless of how the transaction is characterized), the
 Corresponding Source conveyed under this section must be accompanied
 by the Installation Information.  But this requirement does not apply
 if neither you nor any third party retains the ability to install
 modified object code on the User Product (for example, the work has
 been installed in ROM).
  The requirement to provide Installation Information does not include a
 requirement to continue to provide support service, warranty, or updates
 for a work that has been modified or installed by the recipient, or for
 the User Product in which it has been modified or installed.  Access to a
 network may be denied when the modification itself materially and
 adversely affects the operation of the network or violates the rules and
 protocols for communication across the network.
  Corresponding Source conveyed, and Installation Information provided,
 in accord with this section must be in a format that is publicly
 documented (and with an implementation available to the public in
 source code form), and must require no special password or key for
 unpacking, reading or copying.
  7. Additional Terms.
  "Additional permissions" are terms that supplement the terms of this
 License by making exceptions from one or more of its conditions.
 Additional permissions that are applicable to the entire Program shall
 be treated as though they were included in this License, to the extent
 that they are valid under applicable law.  If additional permissions
 apply only to part of the Program, that part may be used separately
 under those permissions, but the entire Program remains governed by
 this License without regard to the additional permissions.
  When you convey a copy of a covered work, you may at your option
 remove any additional permissions from that copy, or from any part of
 it.  (Additional permissions may be written to require their own
 removal in certain cases when you modify the work.)  You may place
 additional permissions on material, added by you to a covered work,
 for which you have or can give appropriate copyright permission.
  Notwithstanding any other provision of this License, for material you
 add to a covered work, you may (if authorized by the copyright holders of
 that material) supplement the terms of this License with terms:
    a) Disclaiming warranty or limiting liability differently from the
    terms of sections 15 and 16 of this License; or
    b) Requiring preservation of specified reasonable legal notices or
    author attributions in that material or in the Appropriate Legal
    Notices displayed by works containing it; or
    c) Prohibiting misrepresentation of the origin of that material, or
    requiring that modified versions of such material be marked in
    reasonable ways as different from the original version; or
    d) Limiting the use for publicity purposes of names of licensors or
    authors of the material; or
    e) Declining to grant rights under trademark law for use of some
    trade names, trademarks, or service marks; or
    f) Requiring indemnification of licensors and authors of that
    material by anyone who conveys the material (or modified versions of
    it) with contractual assumptions of liability to the recipient, for
    any liability that these contractual assumptions directly impose on
    those licensors and authors.
  All other non-permissive additional terms are considered "further
 restrictions" within the meaning of section 10.  If the Program as you
 received it, or any part of it, contains a notice stating that it is
 governed by this License along with a term that is a further
 restriction, you may remove that term.  If a license document contains
 a further restriction but permits relicensing or conveying under this
 License, you may add to a covered work material governed by the terms
 of that license document, provided that the further restriction does
 not survive such relicensing or conveying.
  If you add terms to a covered work in accord with this section, you
 must place, in the relevant source files, a statement of the
 additional terms that apply to those files, or a notice indicating
 where to find the applicable terms.
  Additional terms, permissive or non-permissive, may be stated in the
 form of a separately written license, or stated as exceptions;
 the above requirements apply either way.
  8. Termination.
  You may not propagate or modify a covered work except as expressly
 provided under this License.  Any attempt otherwise to propagate or
 modify it is void, and will automatically terminate your rights under
 this License (including any patent licenses granted under the third
 paragraph of section 11).
  However, if you cease all violation of this License, then your
 license from a particular copyright holder is reinstated (a)
 provisionally, unless and until the copyright holder explicitly and
 finally terminates your license, and (b) permanently, if the copyright
 holder fails to notify you of the violation by some reasonable means
 prior to 60 days after the cessation.
  Moreover, your license from a particular copyright holder is
 reinstated permanently if the copyright holder notifies you of the
 violation by some reasonable means, this is the first time you have
 received notice of violation of this License (for any work) from that
 copyright holder, and you cure the violation prior to 30 days after
 your receipt of the notice.
  Termination of your rights under this section does not terminate the
 licenses of parties who have received copies or rights from you under
 this License.  If your rights have been terminated and not permanently
 reinstated, you do not qualify to receive new licenses for the same
 material under section 10.
  9. Acceptance Not Required for Having Copies.
  You are not required to accept this License in order to receive or
 run a copy of the Program.  Ancillary propagation of a covered work
 occurring solely as a consequence of using peer-to-peer transmission
 to receive a copy likewise does not require acceptance.  However,
 nothing other than this License grants you permission to propagate or
 modify any covered work.  These actions infringe copyright if you do
 not accept this License.  Therefore, by modifying or propagating a
 covered work, you indicate your acceptance of this License to do so.
  10. Automatic Licensing of Downstream Recipients.
  Each time you convey a covered work, the recipient automatically
 receives a license from the original licensors, to run, modify and
 propagate that work, subject to this License.  You are not responsible
 for enforcing compliance by third parties with this License.
  An "entity transaction" is a transaction transferring control of an
 organization, or substantially all assets of one, or subdividing an
 organization, or merging organizations.  If propagation of a covered
 work results from an entity transaction, each party to that
 transaction who receives a copy of the work also receives whatever
 licenses to the work the party's predecessor in interest had or could
 give under the previous paragraph, plus a right to possession of the
 Corresponding Source of the work from the predecessor in interest, if
 the predecessor has it or can get it with reasonable efforts.
  You may not impose any further restrictions on the exercise of the
 rights granted or affirmed under this License.  For example, you may
 not impose a license fee, royalty, or other charge for exercise of
 rights granted under this License, and you may not initiate litigation
 (including a cross-claim or counterclaim in a lawsuit) alleging that
 any patent claim is infringed by making, using, selling, offering for
 sale, or importing the Program or any portion of it.
  11. Patents.
  A "contributor" is a copyright holder who authorizes use under this
 License of the Program or a work on which the Program is based.  The
 work thus licensed is called the contributor's "contributor version".
  A contributor's "essential patent claims" are all patent claims
 owned or controlled by the contributor, whether already acquired or
 hereafter acquired, that would be infringed by some manner, permitted
 by this License, of making, using, or selling its contributor version,
 but do not include claims that would be infringed only as a
 consequence of further modification of the contributor version.  For
 purposes of this definition, "control" includes the right to grant
 patent sublicenses in a manner consistent with the requirements of
 this License.
  Each contributor grants you a non-exclusive, worldwide, royalty-free
 patent license under the contributor's essential patent claims, to
 make, use, sell, offer for sale, import and otherwise run, modify and
 propagate the contents of its contributor version.
  In the following three paragraphs, a "patent license" is any express
 agreement or commitment, however denominated, not to enforce a patent
 (such as an express permission to practice a patent or covenant not to
 sue for patent infringement).  To "grant" such a patent license to a
 party means to make such an agreement or commitment not to enforce a
 patent against the party.
  If you convey a covered work, knowingly relying on a patent license,
 and the Corresponding Source of the work is not available for anyone
 to copy, free of charge and under the terms of this License, through a
 publicly available network server or other readily accessible means,
 then you must either (1) cause the Corresponding Source to be so
 available, or (2) arrange to deprive yourself of the benefit of the
 patent license for this particular work, or (3) arrange, in a manner
 consistent with the requirements of this License, to extend the patent
 license to downstream recipients.  "Knowingly relying" means you have
 actual knowledge that, but for the patent license, your conveying the
 covered work in a country, or your recipient's use of the covered work
 in a country, would infringe one or more identifiable patents in that
 country that you have reason to believe are valid.
  If, pursuant to or in connection with a single transaction or
 arrangement, you convey, or propagate by procuring conveyance of, a
 covered work, and grant a patent license to some of the parties
 receiving the covered work authorizing them to use, propagate, modify
 or convey a specific copy of the covered work, then the patent license
 you grant is automatically extended to all recipients of the covered
 work and works based on it.
  A patent license is "discriminatory" if it does not include within
 the scope of its coverage, prohibits the exercise of, or is
 conditioned on the non-exercise of one or more of the rights that are
 specifically granted under this License.  You may not convey a covered
 work if you are a party to an arrangement with a third party that is
 in the business of distributing software, under which you make payment
 to the third party based on the extent of your activity of conveying
 the work, and under which the third party grants, to any of the
 parties who would receive the covered work from you, a discriminatory
 patent license (a) in connection with copies of the covered work
 conveyed by you (or copies made from those copies), or (b) primarily
 for and in connection with specific products or compilations that
 contain the covered work, unless you entered into that arrangement,
 or that patent license was granted, prior to 28 March 2007.
  Nothing in this License shall be construed as excluding or limiting
 any implied license or other defenses to infringement that may
 otherwise be available to you under applicable patent law.
  12. No Surrender of Others' Freedom.
  If conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot convey a
 covered work so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you may
 not convey it at all.  For example, if you agree to terms that obligate you
 to collect a royalty for further conveying from those to whom you convey
 the Program, the only way you could satisfy both those terms and this
 License would be to refrain entirely from conveying the Program.
  13. Remote Network Interaction; Use with the GNU General Public License.
  Notwithstanding any other provision of this License, if you modify the
 Program, your modified version must prominently offer all users
 interacting with it remotely through a computer network (if your version
 supports such interaction) an opportunity to receive the Corresponding
 Source of your version by providing access to the Corresponding Source
 from a network server at no charge, through some standard or customary
 means of facilitating copying of software.  This Corresponding Source
 shall include the Corresponding Source for any work covered by version 3
 of the GNU General Public License that is incorporated pursuant to the
 following paragraph.
  Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
 under version 3 of the GNU General Public License into a single
 combined work, and to convey the resulting work.  The terms of this
 License will continue to apply to the part which is the covered work,
 but the work with which it is combined will remain governed by version
 3 of the GNU General Public License.
  14. Revised Versions of this License.
  The Free Software Foundation may publish revised and/or new versions of
 the GNU Affero General Public License from time to time.  Such new versions
 will be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
  Each version is given a distinguishing version number.  If the
 Program specifies that a certain numbered version of the GNU Affero General
 Public License "or any later version" applies to it, you have the
 option of following the terms and conditions either of that numbered
 version or of any later version published by the Free Software
 Foundation.  If the Program does not specify a version number of the
 GNU Affero General Public License, you may choose any version ever published
 by the Free Software Foundation.
  If the Program specifies that a proxy can decide which future
 versions of the GNU Affero General Public License can be used, that proxy's
 public statement of acceptance of a version permanently authorizes you
 to choose that version for the Program.
  Later license versions may give you additional or different
 permissions.  However, no additional obligations are imposed on any
 author or copyright holder as a result of your choosing to follow a
 later version.
  15. Disclaimer of Warranty.
  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
 APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
 OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
 THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
 IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
 ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  16. Limitation of Liability.
  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
 THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
 GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
 USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
 DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
 PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
 EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGES.
  17. Interpretation of Sections 15 and 16.
  If the disclaimer of warranty and limitation of liability provided
 above cannot be given local legal effect according to their terms,
 reviewing courts shall apply local law that most closely approximates
 an absolute waiver of all civil liability in connection with the
 Program, unless a warranty or assumption of liability accompanies a
 copy of the Program in return for a fee.
                     END OF TERMS AND CONDITIONS
            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 state the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.
    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 Also add information on how to contact you by electronic and paper mail.
  If your software can interact with users remotely through a computer
 network, you should also make sure that it provides a way for users to
 get its source.  For example, if your program is a web application, its
 interface could display a "Source" link that leads users to an archive
 of the code.  There are many ways you could offer source, and different
 solutions will be better for different programs; see section 13 for the
 specific requirements.
  You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU AGPL, see
 <https://www.gnu.org/licenses/>.
--- a/README.md
+++ b/README.md
@@ -84,3 +84,7 @@ See [`boocode_roadmap.md`](boocode_roadmap.md) for full version history. Highlig
 ## Planned
 - **v2.3 provider lifecycle** — config-backed provider registry (`/data/coder-providers.json`), enable/disable toggles, two-tier probe (openspec drafted). See [`CURRENT.md`](CURRENT.md).
 ## License
 MIT — see [`LICENSE`](LICENSE).
--- a/apps/booterm/package.json
+++ b/apps/booterm/package.json
@@ -24,5 +24,5 @@
    "tsx": "^4.16.2",
    "typescript": "^5.5.0"
  },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }
--- a/apps/coder/.env.host
+++ b/apps/coder/.env.host
@@ -13,3 +13,4 @@ GITEA_USER=indifferentketchup
 GITEA_SSH_HOST=100.114.205.53:2222
 MCP_CONFIG_PATH=/data/mcp.json
 SKILLS_ROOT=/opt/boocode/data/skills
 CODER_PROVIDERS_PATH=/opt/boocode/data/coder-providers.json
--- a/apps/coder/package.json
+++ b/apps/coder/package.json
@@ -16,6 +16,7 @@
    "@agentclientprotocol/sdk": "^0.22.1",
    "@boocode/server": "workspace:*",
    "@fastify/static": "^7.0.4",
    "@opencode-ai/sdk": "~1.15.0",
    "@fastify/websocket": "^10.0.1",
    "@modelcontextprotocol/sdk": "^1.29.0",
    "fastify": "^4.28.1",
@@ -30,5 +31,5 @@
    "typescript": "^5.5.0",
    "vitest": "^3.0.0"
  },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }
--- a/apps/coder/src/config.ts
+++ b/apps/coder/src/config.ts
@@ -23,11 +23,33 @@ const ConfigSchema = z.object({
  GITEA_TOKEN: z.string().optional(),
  GITEA_SSH_HOST: z.string().default('100.114.205.53:2222'),
  MCP_CONFIG_PATH: z.string().optional(),
  // v2.3: config-backed provider overrides/custom-ACP entries merged over the
  // hardcoded built-ins. Missing file = built-ins only (see provider-config.ts).
  CODER_PROVIDERS_PATH: z.string().default('/data/coder-providers.json'),
  // v2.3 phase 2: tier-2 (cold ACP probe) is skipped when available_agents was
  // probed more recently than this. 24h default — stale model lists self-heal
  // on the next snapshot; an explicit /refresh always re-probes.
  PROVIDER_PROBE_TTL_MS: z.coerce.number().int().positive().default(86_400_000),
  // v2.0.5: cheaper model for titles, summaries, labeling.
  FAST_MODEL: z.string().optional(),
  // SSH access to the host for external agent dispatch (Phase 5)
  BOOCODER_SSH_HOST: z.string().default('100.114.205.53'),
  BOOCODER_SSH_USER: z.string().default('samkintop'),
  // v2.6 Phase 3 (lifecycle hardening). Idle TTL: evict a non-busy warm backend
  // (opencode server / warm-ACP child) after this long with no turn — its worktree
  // + agent_sessions row persist, so the next turn re-spawns + reattaches. 30 min
  // default (design §6).
  AGENT_POOL_IDLE_TTL_MS: z.coerce.number().int().positive().default(1_800_000),
  // LRU cap: max live warm backends before the least-recently-used (non-busy) ones
  // are evicted. Bounds the long-lived-daemon's per-(chat,agent) Map growth.
  AGENT_POOL_MAX_LIVE: z.coerce.number().int().positive().default(10),
  // Periodic sweep cadence (idle/LRU pool eviction + orphan-worktree reap). 60s
  // mirrors the apps/server truncation/stale-streaming sweeper.
  LIFECYCLE_SWEEP_INTERVAL_MS: z.coerce.number().int().positive().default(60_000),
  // Orphan-worktree grace: an on-disk worktree dir with no live `worktrees` row is
  // only reaped after it's been untouched this long (avoids sweeping a dir mid
  // ensureSessionWorktree create). 1h default.
  ORPHAN_WORKTREE_GRACE_MS: z.coerce.number().int().positive().default(3_600_000),
 });
 export type Config = z.infer<typeof ConfigSchema>;
--- a/apps/coder/src/index.ts
+++ b/apps/coder/src/index.ts
@@ -25,14 +25,20 @@ import { setInferenceContext, clearInferenceContext } from './services/tools/inf
 import { registerMessageRoutes } from './routes/messages.js';
 import { registerSkillRoutes } from './routes/skills.js';
 import { registerPendingRoutes } from './routes/pending.js';
 import { registerCheckpointRoutes } from './routes/checkpoints.js';
 import { registerAgentSessionRoutes } from './routes/agent-sessions.js';
 import { registerTaskRoutes } from './routes/tasks.js';
 import { registerInboxRoutes } from './routes/inbox.js';
 import { registerStatsRoutes } from './routes/stats.js';
 import { registerArenaRoutes } from './routes/arena.js';
 import { registerProviderRoutes } from './routes/providers.js';
 import { registerWorktreeSafetyRoutes } from './routes/worktree-safety.js';
 import { registerLifecycleRoutes } from './routes/lifecycle.js';
 import { registerWebSocket } from './routes/ws.js';
 // Phase 4: dispatcher + agent probe
 import { createDispatcher } from './services/dispatcher.js';
 import { agentPool } from './services/agent-pool.js';
 import { createOrphanWorktreeReaper } from './services/orphan-worktree-reaper.js';
 import { probeAgents } from './services/agent-probe.js';
 import { getProviderSnapshot, persistProbedModels } from './services/provider-snapshot.js';
 import { setPermissionHooks } from './services/permission-waiter.js';
@@ -178,17 +184,46 @@ async function main() {
  // Phase 4: dispatcher — polls tasks table and runs inference
  const dispatcher = createDispatcher({ sql, inference: inferenceApi, broker, log: app.log, config });
  dispatcher.start();
-  app.addHook('onClose', () => dispatcher.stop());
+
  // v2.6 Phase 3: configure + start the agent-pool lifecycle sweep (idle-TTL +
  // LRU-cap eviction of warm backends, plus each backend's proactive health probe)
  // and the orphan-worktree reaper. Both run on the same periodic timer.
  agentPool.configure({
    idleTtlMs: config.AGENT_POOL_IDLE_TTL_MS,
    maxLive: config.AGENT_POOL_MAX_LIVE,
    sweepIntervalMs: config.LIFECYCLE_SWEEP_INTERVAL_MS,
    log: app.log,
  });
  agentPool.startReaper(app.log);
  const orphanReaper = createOrphanWorktreeReaper({
    sql,
    log: app.log,
    intervalMs: config.LIFECYCLE_SWEEP_INTERVAL_MS,
    graceMs: config.ORPHAN_WORKTREE_GRACE_MS,
  });
  orphanReaper.start();
  app.addHook('onClose', async () => {
    // stop() first so in-flight dispatcher turns settle, then stop the reapers and
    // drain the pool (kills opencode server + warm ACP children).
    await dispatcher.stop();
    orphanReaper.stop();
    await agentPool.dispose();
  });
  // Register routes
  registerMessageRoutes(app, sql, broker, inferenceApi);
  registerSkillRoutes(app, sql, broker, inferenceApi);
  registerPendingRoutes(app, sql);
  registerCheckpointRoutes(app, sql);
  registerAgentSessionRoutes(app, sql);
  registerTaskRoutes(app, sql, inferenceApi);
  registerInboxRoutes(app, sql);
  registerStatsRoutes(app, sql);
  registerArenaRoutes(app, sql);
  registerProviderRoutes(app, sql, config);
  registerWorktreeSafetyRoutes(app, sql);
  registerLifecycleRoutes(app, sql);
  registerWebSocket(app, sql, broker);
  // Serve static frontend (built web app). In production, the dist/ is
--- a/apps/coder/src/routes/tests/agent-sessions.routes.test.ts
+++ b/apps/coder/src/routes/tests/agent-sessions.routes.test.ts
@@ -0,0 +1,75 @@
 import { describe, it, expect } from 'vitest';
 import Fastify, { type FastifyInstance } from 'fastify';
 import { registerAgentSessionRoutes } from '../agent-sessions.js';
 import type { Sql } from '../../db.js';
 // Mock the porsager surface this route uses: a tagged-template `sql` dispatched by
 // query substring. Two queries: the session-existence check and the agent_sessions
 // JOIN. We return post-coercion shapes (booleans/strings) exactly as porsager would
 // hand them to the route — `has_session` already a JS boolean, `last_active_at` a
 // string|null — so the asserted JSON matches the API contract end-to-end.
 interface MockState {
  sessionExists: boolean;
  rows: Array<{ agent: string; status: string; has_session: boolean; last_active_at: string | null }>;
 }
 function mockSql(state: MockState): Sql {
  return ((strings: TemplateStringsArray) => {
    const q = strings.join('');
    if (q.includes('SELECT id FROM sessions')) {
      return Promise.resolve(state.sessionExists ? [{ id: 'session-1' }] : []);
    }
    if (q.includes('FROM agent_sessions')) {
      return Promise.resolve(state.rows);
    }
    return Promise.resolve([]);
  }) as unknown as Sql;
 }
 function buildApp(state: MockState): FastifyInstance {
  const app = Fastify();
  registerAgentSessionRoutes(app, mockSql(state));
  return app;
 }
 describe('GET /api/sessions/:id/agent-sessions', () => {
  it('returns the per-(chat,agent) rows in the contracted shape', async () => {
    const app = buildApp({
      sessionExists: true,
      rows: [
        { agent: 'opencode', status: 'active', has_session: true, last_active_at: '2026-05-31T12:00:00.000Z' },
        { agent: 'goose', status: 'idle', has_session: false, last_active_at: null },
      ],
    });
    const res = await app.inject({ method: 'GET', url: '/api/sessions/session-1/agent-sessions' });
    expect(res.statusCode).toBe(200);
    const body = res.json();
    expect(Array.isArray(body)).toBe(true);
    expect(body).toEqual([
      { agent: 'opencode', status: 'active', has_session: true, last_active_at: '2026-05-31T12:00:00.000Z' },
      { agent: 'goose', status: 'idle', has_session: false, last_active_at: null },
    ]);
    // Contract field types.
    expect(typeof body[0].agent).toBe('string');
    expect(typeof body[0].status).toBe('string');
    expect(typeof body[0].has_session).toBe('boolean');
    expect(body[1].last_active_at).toBeNull();
    await app.close();
  });
  it('returns an empty array when the session has no agent_sessions rows', async () => {
    const app = buildApp({ sessionExists: true, rows: [] });
    const res = await app.inject({ method: 'GET', url: '/api/sessions/session-1/agent-sessions' });
    expect(res.statusCode).toBe(200);
    expect(res.json()).toEqual([]);
    await app.close();
  });
  it('404s when the session does not exist', async () => {
    const app = buildApp({ sessionExists: false, rows: [] });
    const res = await app.inject({ method: 'GET', url: '/api/sessions/nope/agent-sessions' });
    expect(res.statusCode).toBe(404);
    expect(res.json()).toEqual({ error: 'session not found' });
    await app.close();
  });
 });
--- a/apps/coder/src/routes/tests/providers.routes.test.ts
+++ b/apps/coder/src/routes/tests/providers.routes.test.ts
@@ -0,0 +1,211 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
 import Fastify, { type FastifyInstance } from 'fastify';
 import { existsSync, readFileSync, writeFileSync, rmSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { registerProviderRoutes } from '../providers.js';
 import { load } from '../../services/provider-config.js';
 import { loadProviderConfig } from '../../services/provider-config-registry.js';
 import { clearProviderSnapshotCache } from '../../services/provider-snapshot.js';
 import type { Config } from '../../config.js';
 import type { Sql } from '../../db.js';
 /** Minimal sql stub: available_agents reads return []. */
 function mockSql(): Sql {
  return vi.fn((strings: TemplateStringsArray) => {
    const q = strings.join('');
    if (q.includes('available_agents')) return Promise.resolve([]);
    return Promise.resolve([]);
  }) as unknown as Sql;
 }
 let tmpCounter = 0;
 function freshPath(): string {
  tmpCounter += 1;
  return join(tmpdir(), `coder-providers-routes-${process.pid}-${tmpCounter}.json`);
 }
 function buildApp(providersPath: string): FastifyInstance {
  const app = Fastify();
  // Mirror index.ts: tolerate empty JSON bodies.
  app.removeContentTypeParser(['application/json']);
  app.addContentTypeParser('application/json', { parseAs: 'string' }, (_req, body, done) => {
    const str = (body as string) ?? '';
    if (str.trim().length === 0) return done(null, {});
    try {
      done(null, JSON.parse(str));
    } catch (err) {
      done(err as Error, undefined);
    }
  });
  const config = {
    CODER_PROVIDERS_PATH: providersPath,
    LLAMA_SWAP_URL: 'http://llama-swap.test',
    PROVIDER_PROBE_TTL_MS: 86_400_000,
  } as unknown as Config;
  registerProviderRoutes(app, mockSql(), config);
  return app;
 }
 const JSON_HEADERS = { 'content-type': 'application/json' };
 const createdPaths: string[] = [];
 beforeEach(() => {
  clearProviderSnapshotCache();
  loadProviderConfig('/nonexistent-coder-providers.json'); // reset registry to built-ins
  vi.restoreAllMocks();
  vi.stubGlobal('fetch', vi.fn().mockRejectedValue(new Error('no network in test')));
 });
 afterEach(() => {
  for (const p of createdPaths.splice(0)) {
    try {
      rmSync(p, { force: true });
    } catch {
      /* ignore */
    }
  }
 });
 describe('GET /api/providers/config', () => {
  it('returns the current config file (built-ins-only when missing)', async () => {
    const path = freshPath();
    createdPaths.push(path);
    const app = buildApp(path);
    const res = await app.inject({ method: 'GET', url: '/api/providers/config' });
    expect(res.statusCode).toBe(200);
    expect(res.json()).toEqual({ providers: {} });
    await app.close();
  });
  it('reflects an existing file', async () => {
    const path = freshPath();
    createdPaths.push(path);
    writeFileSync(path, JSON.stringify({ providers: { goose: { enabled: false } } }));
    const app = buildApp(path);
    const res = await app.inject({ method: 'GET', url: '/api/providers/config' });
    expect(res.json()).toEqual({ providers: { goose: { enabled: false } } });
    await app.close();
  });
 });
 describe('PATCH /api/providers/config', () => {
  it('valid patch → 200, writes the merged file (order: validate→save→reload→clear)', async () => {
    const path = freshPath();
    createdPaths.push(path);
    writeFileSync(path, JSON.stringify({ providers: { goose: { label: 'Goose' } } }));
    const app = buildApp(path);
    const res = await app.inject({
      method: 'PATCH',
      url: '/api/providers/config',
      headers: JSON_HEADERS,
      payload: JSON.stringify({ providers: { opencode: { enabled: false } } }),
    });
    expect(res.statusCode).toBe(200);
    expect(res.json()).toMatchObject({ ok: true });
    // File written + merged (goose untouched, opencode added).
    const onDisk = load(path);
    expect(onDisk.providers).toEqual({
      goose: { label: 'Goose' },
      opencode: { enabled: false },
    });
    await app.close();
  });
  it('null value deletes the override', async () => {
    const path = freshPath();
    createdPaths.push(path);
    writeFileSync(path, JSON.stringify({ providers: { goose: { enabled: false }, opencode: { enabled: false } } }));
    const app = buildApp(path);
    const res = await app.inject({
      method: 'PATCH',
      url: '/api/providers/config',
      headers: JSON_HEADERS,
      payload: JSON.stringify({ providers: { goose: null } }),
    });
    expect(res.statusCode).toBe(200);
    expect(load(path).providers).toEqual({ opencode: { enabled: false } });
    await app.close();
  });
  it('INVALID body → 422 and the file is NOT written (validate before save)', async () => {
    const path = freshPath();
    createdPaths.push(path);
    const before = JSON.stringify({ providers: { goose: { enabled: true } } });
    writeFileSync(path, before);
    const app = buildApp(path);
    const res = await app.inject({
      method: 'PATCH',
      url: '/api/providers/config',
      headers: JSON_HEADERS,
      payload: JSON.stringify({ providers: { goose: { enabled: 'yes' } } }), // bad type
    });
    expect(res.statusCode).toBe(422);
    // File must be byte-for-byte unchanged — nothing written on a 422.
    expect(readFileSync(path, 'utf8')).toBe(before);
    await app.close();
  });
  it('save failure → 500 and the file is NOT created (no state divergence)', async () => {
    const path = join(tmpdir(), `no-such-dir-${process.pid}-${Date.now()}`, 'coder-providers.json');
    const app = buildApp(path);
    const res = await app.inject({
      method: 'PATCH',
      url: '/api/providers/config',
      headers: JSON_HEADERS,
      payload: JSON.stringify({ providers: { goose: { enabled: false } } }),
    });
    expect(res.statusCode).toBe(500);
    expect(existsSync(path)).toBe(false);
    await app.close();
  });
 });
 describe('POST /api/providers/refresh', () => {
  it('no body → refreshes all registered providers', async () => {
    const app = buildApp(freshPath());
    const res = await app.inject({ method: 'POST', url: '/api/providers/refresh' });
    expect(res.statusCode).toBe(200);
    expect(res.json().refreshed).toBeGreaterThan(0);
    await app.close();
  });
  it('subset body → refreshed count reflects only the requested providers', async () => {
    const app = buildApp(freshPath());
    const res = await app.inject({
      method: 'POST',
      url: '/api/providers/refresh',
      headers: JSON_HEADERS,
      payload: JSON.stringify({ providers: ['boocode'] }),
    });
    expect(res.statusCode).toBe(200);
    expect(res.json()).toEqual({ refreshed: 1 });
    await app.close();
  });
 });
 describe('GET /api/providers/:id/diagnostic', () => {
  it('known provider → 200 JSON { diagnostic }', async () => {
    const app = buildApp(freshPath());
    const res = await app.inject({ method: 'GET', url: '/api/providers/boocode/diagnostic' });
    expect(res.statusCode).toBe(200);
    expect(res.headers['content-type']).toContain('application/json');
    expect(res.json().diagnostic).toContain('provider: boocode');
    await app.close();
  });
  it('unknown provider → 404', async () => {
    const app = buildApp(freshPath());
    const res = await app.inject({ method: 'GET', url: '/api/providers/nope/diagnostic' });
    expect(res.statusCode).toBe(404);
    await app.close();
  });
 });
--- a/apps/coder/src/routes/agent-sessions.ts
+++ b/apps/coder/src/routes/agent-sessions.ts
@@ -0,0 +1,51 @@
 import type { FastifyInstance } from 'fastify';
 import type { Sql } from '../db.js';
 // v2.6 Phase 1-UX (design §9b): chat-scoped "resumed vs new session" indicator.
 // `agent_sessions` is keyed (chat_id, agent) — the tab/chat is the agent-context
 // unit (P1.5-b). The route param is a SESSION id, so we resolve every chat in the
 // session and return the union of their agent_sessions rows. A session with two
 // opencode tabs yields two rows (one per chat); the frontend keys the chip per
 // chat, but the wire shape is a flat per-(chat,agent) list.
 //
 // has_session = agent_session_id IS NOT NULL — i.e. a native backend session id
 // (opencode/ACP) was created and stored, so switching back resumes rather than
 // starts fresh.
 export interface AgentSessionRow {
  agent: string;
  status: string;
  has_session: boolean;
  last_active_at: string | null;
 }
 export function registerAgentSessionRoutes(app: FastifyInstance, sql: Sql): void {
  // GET /api/sessions/:sessionId/agent-sessions — list the agent-session rows for
  // every chat in the session (drives the AgentComposerBar resumed/new chip).
  app.get<{ Params: { sessionId: string } }>(
    '/api/sessions/:sessionId/agent-sessions',
    async (req, reply) => {
      const sessionId = req.params.sessionId;
      const session = await sql<{ id: string }[]>`SELECT id FROM sessions WHERE id = ${sessionId}`;
      if (session.length === 0) {
        reply.code(404);
        return { error: 'session not found' };
      }
      // Join through chats so the session-scoped param resolves to its (chat,agent)
      // rows. last_active_at first → the frontend reads the freshest activity.
      const rows = await sql<AgentSessionRow[]>`
        SELECT
          a.agent AS agent,
          a.status AS status,
          (a.agent_session_id IS NOT NULL) AS has_session,
          a.last_active_at AS last_active_at
        FROM agent_sessions a
        JOIN chats c ON c.id = a.chat_id
        WHERE c.session_id = ${sessionId}
        ORDER BY a.last_active_at DESC NULLS LAST, a.agent ASC
      `;
      return rows;
    },
  );
 }
--- a/apps/coder/src/routes/checkpoints.ts
+++ b/apps/coder/src/routes/checkpoints.ts
@@ -0,0 +1,73 @@
 /**
 * write-edit-robustness #4 — checkpoint restore + list routes (coder side).
 *
 * Proxied through the apps/server `/api/coder/*` blanket forwarder (no server-side
 * change needed for new routes). Restore rewinds the session worktree to the
 * checkpoint's shadow commit, trims the transcript from the anchor message forward,
 * and resets the agent backend — see services/checkpoints.ts.
 */
 import type { FastifyInstance } from 'fastify';
 import type { Sql } from '../db.js';
 import { restoreCheckpoint, CheckpointNotFoundError } from '../services/checkpoints.js';
 export function registerCheckpointRoutes(app: FastifyInstance, sql: Sql): void {
  // GET /api/sessions/:sessionId/checkpoints?chat_id= — list a chat's checkpoints
  // so the frontend can mark which messages have a restore point. When chat_id is
  // omitted, returns every checkpoint for the session's chats.
  app.get<{ Params: { sessionId: string }; Querystring: { chat_id?: string } }>(
    '/api/sessions/:sessionId/checkpoints',
    async (req, reply) => {
      const sessionId = req.params.sessionId;
      const chatId = req.query.chat_id;
      const session = await sql<{ id: string }[]>`SELECT id FROM sessions WHERE id = ${sessionId}`;
      if (session.length === 0) {
        reply.code(404);
        return { error: 'session not found' };
      }
      // Scope authoritatively through chats.session_id (always set) — NOT the
      // denormalized checkpoints.session_id (nullable). The chat_id branch must
      // still be session-gated or it's an IDOR (any session's chat_id reads its
      // checkpoints).
      const rows = chatId
        ? await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
            FROM checkpoints cp
            JOIN chats c ON c.id = cp.chat_id
            WHERE cp.chat_id = ${chatId} AND c.session_id = ${sessionId}
            ORDER BY cp.created_at
          `
        : await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
            FROM checkpoints cp
            JOIN chats c ON c.id = cp.chat_id
            WHERE c.session_id = ${sessionId}
            ORDER BY cp.created_at
          `;
      return rows;
    },
  );
  // POST /api/sessions/:sessionId/checkpoints/:checkpointId/restore — restore.
  app.post<{ Params: { sessionId: string; checkpointId: string } }>(
    '/api/sessions/:sessionId/checkpoints/:checkpointId/restore',
    async (req, reply) => {
      const { sessionId, checkpointId } = req.params;
      try {
        const result = await restoreCheckpoint(sql, checkpointId, {
          sessionId,
          log: app.log,
        });
        return result;
      } catch (err) {
        if (err instanceof CheckpointNotFoundError) {
          reply.code(404);
          return { error: err.message };
        }
        throw err;
      }
    },
  );
 }
--- a/apps/coder/src/routes/lifecycle.ts
+++ b/apps/coder/src/routes/lifecycle.ts
@@ -0,0 +1,122 @@
 /**
 * v2.6 Phase 3 (3.3) — chat/session close-or-archive cleanup hook (coder side).
 *
 * Chat/session close + archive + delete all live in apps/server (Docker), which
 * cannot see the host worktree dirs (/tmp/booworktrees), run git on them, or reach
 * the warm agent processes the dispatcher pooled in THIS (host systemd) process. So
 * — exactly like the `worktree-risk` guard — the server signals the coder when a
 * chat/session closes, and the coder does the real teardown:
 *   1. dispose the chat's warm-ACP backends (`agentPool.closeChat`) — kills the
 *      goose/qwen child processes for that chat,
 *   2. close the chat's opencode session on the shared server (`closeSession`),
 *   3. mark every `agent_sessions` row for the chat 'closed' + (when the session's
 *      last open chat closes) remove the shared session worktree, preflighting
 *      work-at-risk so uncommitted/unmerged work is never silently dropped
 *      (`closeChatBackendState`).
 *
 * Idempotent: closing an already-closed chat is a no-op (0 rows, no backend).
 *
 * SERVER WIRING (not done here — apps/server, out of this batch's scope): the
 * server's `POST /api/chats/:id/archive`, `DELETE /api/chats/:id`, and the
 * session archive/delete routes should fire-and-forget
 *   fetch(`${BOOCODER_URL}/api/chats/${id}/close`, { method: 'POST' })
 * after publishing their WS frame (best-effort; the orphan-worktree reaper +
 * idle-pool eviction are the backstop if the call is missed).
 */
 import type { FastifyInstance } from 'fastify';
 import type { Sql } from '../db.js';
 import { agentPool, OPENCODE_POOL_KEY } from '../services/agent-pool.js';
 import { closeChatBackendState } from '../services/worktrees.js';
 import type { AgentSessionHandle } from '../services/agent-backend.js';
 export function registerLifecycleRoutes(app: FastifyInstance, sql: Sql): void {
  // POST /api/chats/:chatId/close — tear down all warm state for a chat tab.
  app.post<{ Params: { chatId: string }; Querystring: { force?: string } }>(
    '/api/chats/:chatId/close',
    async (req) => {
      const chatId = req.params.chatId;
      const force = req.query.force === 'true' || req.query.force === '1';
      // 1. Close the chat's opencode session on the SHARED server (the server is
      //    not chat-keyed, so agentPool.closeChat won't touch it). Resolve the
      //    stored opencode session id and ask the backend to drop it.
      const ocRows = await sql<{ agent: string; agent_session_id: string | null; worktree_id: string | null; session_id: string | null }[]>`
        SELECT agent, agent_session_id, worktree_id, session_id
        FROM agent_sessions
        WHERE chat_id = ${chatId} AND backend = 'opencode_server'
      `;
      const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
      if (ocBackend) {
        for (const row of ocRows) {
          if (!row.agent_session_id) continue;
          const handle: AgentSessionHandle = {
            sessionId: row.session_id ?? '',
            agent: row.agent,
            backend: 'opencode_server',
            chatId,
            worktreeId: row.worktree_id ?? '',
            agentSessionId: row.agent_session_id,
            serverPort: null,
          };
          await ocBackend.closeSession(handle).catch((err) => {
            app.log.warn({ err: err instanceof Error ? err.message : String(err), chatId }, 'lifecycle: opencode closeSession threw');
          });
        }
      }
      // 2. Dispose any warm-ACP backends pooled under this chat (kills the
      //    goose/qwen child + marks its agent row closed via the backend).
      const disposed = await agentPool.closeChat(chatId);
      // 3. DB + worktree truth: mark agent rows closed; remove the shared session
      //    worktree iff this was the session's last open chat (preflight at-risk).
      const result = await closeChatBackendState(sql, chatId, { force });
      app.log.info({ chatId, disposed, ...result }, 'lifecycle: chat closed');
      return { ok: true, disposed, ...result };
    },
  );
  // POST /api/sessions/:sessionId/close — close every open chat in a session
  // (session archive/delete). Loops the chat-close path so the same preflight +
  // teardown applies per chat; the worktree is removed on the last one.
  app.post<{ Params: { sessionId: string }; Querystring: { force?: string } }>(
    '/api/sessions/:sessionId/close',
    async (req) => {
      const sessionId = req.params.sessionId;
      const force = req.query.force === 'true' || req.query.force === '1';
      const chats = await sql<{ id: string }[]>`
        SELECT id FROM chats WHERE session_id = ${sessionId}
      `;
      const results: { chatId: string; disposed: string[]; worktreeRemoved: boolean; worktreeAtRisk: boolean }[] = [];
      for (const c of chats) {
        const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
        if (ocBackend) {
          const ocRows = await sql<{ agent: string; agent_session_id: string | null; worktree_id: string | null; session_id: string | null }[]>`
            SELECT agent, agent_session_id, worktree_id, session_id
            FROM agent_sessions WHERE chat_id = ${c.id} AND backend = 'opencode_server'
          `;
          for (const row of ocRows) {
            if (!row.agent_session_id) continue;
            await ocBackend.closeSession({
              sessionId: row.session_id ?? '',
              agent: row.agent,
              backend: 'opencode_server',
              chatId: c.id,
              worktreeId: row.worktree_id ?? '',
              agentSessionId: row.agent_session_id,
              serverPort: null,
            }).catch(() => {});
          }
        }
        const disposed = await agentPool.closeChat(c.id);
        const r = await closeChatBackendState(sql, c.id, { force });
        results.push({ chatId: c.id, disposed, worktreeRemoved: r.worktreeRemoved, worktreeAtRisk: r.worktreeAtRisk });
      }
      app.log.info({ sessionId, chats: results.length }, 'lifecycle: session closed');
      return { ok: true, results };
    },
  );
 }
--- a/apps/coder/src/routes/messages.ts
+++ b/apps/coder/src/routes/messages.ts
@@ -224,8 +224,8 @@ export function registerMessageRoutes(
        // External provider: create a task for the dispatcher
        const projectId = sessionRows[0]!.project_id;
        const [task] = await sql<{ id: string; state: string }[]>`
-          INSERT INTO tasks (project_id, input, agent, model, mode_id, thinking_option_id, session_id)
+          INSERT INTO tasks (project_id, input, agent, model, mode_id, thinking_option_id, session_id, chat_id)
-          VALUES (${projectId}, ${content}, ${provider}, ${model ?? null}, ${mode_id ?? null}, ${thinking_option_id ?? null}, ${sessionId})
+          VALUES (${projectId}, ${content}, ${provider}, ${model ?? null}, ${mode_id ?? null}, ${thinking_option_id ?? null}, ${sessionId}, ${chatId})
          RETURNING id, state
        `;
        reply.code(202);
--- a/apps/coder/src/routes/pending.ts
+++ b/apps/coder/src/routes/pending.ts
@@ -1,4 +1,5 @@
 import type { FastifyInstance } from 'fastify';
 import { z } from 'zod';
 import type { Sql } from '../db.js';
 import {
  listPending,
@@ -6,7 +7,15 @@ import {
  applyAll,
  rejectOne,
  rewindOne,
  queueCreate,
 } from '../services/pending_changes.js';
 import { WriteGuardError } from '../services/write_guard.js';
 import { rebaselineWorktreeAfterApply } from '../services/worktrees.js';
 const CreateBody = z.object({
  file_path: z.string().min(1),
  content: z.string(),
 });
 /**
 * Resolve project root from a session's project path.
@@ -51,6 +60,51 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
    },
  );
  // POST /api/sessions/:sessionId/pending/create — queue a new-file create
  // (manual create from the RightRail file browser; no inference involved).
  // queueCreate runs resolveWritePath internally, so a path that escapes the
  // project root or hits a secret file throws WriteGuardError → 422 with the
  // guard message. Mirrors the { error } 404 shape used by the other routes
  // and the 422 status used by apply/rewind on failure.
  app.post<{ Params: { sessionId: string } }>(
    '/api/sessions/:sessionId/pending/create',
    async (req, reply) => {
      const sessionId = req.params.sessionId;
      const parsed = CreateBody.safeParse(req.body);
      if (!parsed.success) {
        reply.code(400);
        return { error: 'invalid body', details: parsed.error.flatten() };
      }
      const projectRoot = await resolveProjectRoot(sql, sessionId);
      if (!projectRoot) {
        reply.code(404);
        return { error: 'session or project not found' };
      }
      try {
        const change = await queueCreate(
          sql,
          sessionId,
          null,
          parsed.data.file_path,
          parsed.data.content,
          projectRoot,
          // Manual RightRail create — no agent staged it; renders as "manual".
          null,
        );
        return change;
      } catch (err) {
        if (err instanceof WriteGuardError) {
          reply.code(422);
          return { error: err.message };
        }
        throw err;
      }
    },
  );
  // POST /api/sessions/:sessionId/pending/apply — apply all pending changes
  app.post<{ Params: { sessionId: string } }>(
    '/api/sessions/:sessionId/pending/apply',
@@ -64,6 +118,15 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
      }
      const results = await applyAll(sql, sessionId, projectRoot);
      // v2.6 Phase 3 (3.5): re-baseline the session worktree's diff to the applied
      // state, so the next external-agent turn diffs against applied-not-original
      // and doesn't re-surface the just-applied changes. Best-effort: a worktree
      // session may not exist (native-only chat), and a re-baseline hiccup must not
      // fail the apply the user just requested.
      if (results.some((r) => r.success)) {
        await rebaselineWorktreeAfterApply(sql, sessionId).catch(() => {});
      }
      return { results };
    },
  );
@@ -83,6 +146,15 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
      const result = await applyOne(sql, changeId, projectRoot);
      if (!result.success) {
        reply.code(422);
      } else {
        // v2.6 Phase 3 (3.5): re-baseline the session worktree after a successful
        // apply so the next external-agent turn diffs against applied-not-original.
        // Resolve the change's session; best-effort, never fails the apply.
        const sessRows = await sql<{ session_id: string }[]>`
          SELECT session_id FROM pending_changes WHERE id = ${changeId}
        `;
        const sessionId = sessRows[0]?.session_id;
        if (sessionId) await rebaselineWorktreeAfterApply(sql, sessionId).catch(() => {});
      }
      return result;
    },
--- a/apps/coder/src/routes/providers.ts
+++ b/apps/coder/src/routes/providers.ts
@@ -1,7 +1,29 @@
 import type { FastifyInstance } from 'fastify';
 import { z } from 'zod';
 import type { Sql } from '../db.js';
 import type { Config } from '../config.js';
-import { getProviderSnapshot, clearProviderSnapshotCache } from '../services/provider-snapshot.js';
+import {
  getProviderSnapshot,
  clearProviderSnapshotCache,
  peekSnapshotEntry,
 } from '../services/provider-snapshot.js';
 import {
  load,
  save,
  CoderProvidersFileSchema,
  ProviderConfigPatchSchema,
  mergeProviderConfigPatch,
 } from '../services/provider-config.js';
 import {
  reloadProviderConfig,
  getResolvedRegistry,
 } from '../services/provider-config-registry.js';
 import {
  getProviderDiagnostic,
  type DiagnosticAgentRow,
 } from '../services/provider-diagnostic.js';
 const RefreshBodySchema = z.object({ providers: z.array(z.string()).optional() });
 export function registerProviderRoutes(app: FastifyInstance, sql: Sql, config: Config): void {
  app.get<{ Querystring: { cwd?: string } }>('/api/providers/snapshot', async (req, _reply) => {
@@ -9,9 +31,97 @@ export function registerProviderRoutes(app: FastifyInstance, sql: Sql, config: C
    return getProviderSnapshot(sql, config, cwd);
  });
-  app.post('/api/providers/refresh', async (_req, _reply) => {
+  // 4.1 — current loaded config file (raw CoderProvidersFile, not the resolved registry).
  app.get('/api/providers/config', async (_req, _reply) => {
    return load(config.CODER_PROVIDERS_PATH);
  });
  // 4.2 — patch the config file (design.md §6.2). Strict order is the whole
  // correctness story: validate → save → reload → clear. A malformed body or an
  // invalid merged result returns 422 and NEVER writes; a save failure returns
  // 500 and leaves in-memory state untouched (no file/registry divergence).
  app.patch('/api/providers/config', async (req, reply) => {
    // 1. Validate the PATCH body shape (malformed → 422, never reaches merge).
    const parsed = ProviderConfigPatchSchema.safeParse(req.body);
    if (!parsed.success) {
      return reply.code(422).send({
        error: 'invalid provider config patch',
        issues: parsed.error.flatten(),
      });
    }
    // 2. Shallow per-id merge over the current file (null deletes; object replaces).
    const current = load(config.CODER_PROVIDERS_PATH);
    const merged = mergeProviderConfigPatch(current, parsed.data);
    // 3. Validate the merged result — refuse to write a config that won't load.
    const validated = CoderProvidersFileSchema.safeParse(merged);
    if (!validated.success) {
      return reply.code(422).send({
        error: 'merged provider config is invalid',
        issues: validated.error.flatten(),
      });
    }
    // 4. Persist. If save throws, STOP here — do NOT reload/clear, so the file on
    // disk and the in-memory resolved registry can never diverge.
    try {
      save(config.CODER_PROVIDERS_PATH, validated.data);
    } catch (err) {
      req.log.error(
        { err: err instanceof Error ? err.message : String(err), path: config.CODER_PROVIDERS_PATH },
        'provider-config: save failed — in-memory state untouched',
      );
      return reply.code(500).send({ error: 'failed to write provider config' });
    }
    // 5 + 6. Rebuild the in-memory resolved registry from the new file, then drop
    // the snapshot cache so the next /snapshot reflects the change.
    reloadProviderConfig();
    clearProviderSnapshotCache();
    // 7. Return the new config (per §6.2 `{ ok: true }`, plus the merged providers
    // so the client can update without a follow-up GET).
    return { ok: true, providers: validated.data.providers };
  });
  // 4.3 — force a cold probe. Optional { providers?: string[] } narrows the
  // reported subset (design.md §6.3 Paseo pattern). The force=true snapshot is
  // the only existing re-probe primitive (per-provider force would be a
  // snapshot-internal change, out of Phase 4 scope), so the probe runs for all
  // installed providers; the `refreshed` count reflects the requested subset.
  app.post('/api/providers/refresh', async (req, reply) => {
    const parsed = RefreshBodySchema.safeParse(req.body ?? {});
    if (!parsed.success) {
      return reply.code(422).send({ error: 'invalid refresh body', issues: parsed.error.flatten() });
    }
    const subset = parsed.data.providers;
    clearProviderSnapshotCache();
    const entries = await getProviderSnapshot(sql, config, undefined, true);
-    return { refreshed: entries.length };
+    const refreshed =
      subset && subset.length > 0
        ? entries.filter((e) => subset.includes(e.name)).length
        : entries.length;
    return { refreshed };
  });
  // 4.4 — per-provider diagnostic (design.md §6.4 → JSON `{ diagnostic: string }`).
  // Read-only: reports cached state (resolved def + available_agents row + warm
  // snapshot cache for the last probe error) plus a `which` PATH check. No probe
  // spawn. The report itself is a plaintext block (§8); the route wraps it as JSON.
  app.get<{ Params: { id: string } }>('/api/providers/:id/diagnostic', async (req, reply) => {
    const id = req.params.id;
    const resolved = getResolvedRegistry().get(id);
    if (!resolved) {
      return reply.code(404).send({ error: `unknown provider '${id}'` });
    }
    const rows = await sql<DiagnosticAgentRow[]>`
      SELECT name, install_path, supports_acp, models, last_probed_at
      FROM available_agents WHERE name = ${id}
    `;
    const report = await getProviderDiagnostic(resolved, rows[0], {
      cachedEntry: peekSnapshotEntry(id),
    });
    return { diagnostic: report };
  });
 }
--- a/apps/coder/src/routes/skills.ts
+++ b/apps/coder/src/routes/skills.ts
@@ -16,6 +16,12 @@ const SkillInvokeBody = z.object({
  pane_id: z.string().min(1).max(200),
  skill_name: z.string().min(1),
  user_message: z.string().max(64_000).nullable().optional(),
  // v2.5.9: when set to an external provider, the skill runs UNDER that agent —
  // its body is injected into a dispatched task instead of native inference.
  provider: z.string().max(100).optional(),
  model: z.string().max(200).optional(),
  mode_id: z.string().max(200).optional(),
  thinking_option_id: z.string().max(200).optional(),
 });
 interface InferenceApi {
@@ -39,9 +45,9 @@ export function registerSkillRoutes(
      }
      const sessionId = req.params.sessionId;
-      const { pane_id, skill_name } = parsed.data;
+      const { pane_id, skill_name, provider, model, mode_id, thinking_option_id } = parsed.data;
-      const sessionRows = await sql<{ id: string }[]>`
+      const sessionRows = await sql<{ id: string; project_id: string }[]>`
-        SELECT id FROM sessions WHERE id = ${sessionId}
+        SELECT id, project_id FROM sessions WHERE id = ${sessionId}
      `;
      if (sessionRows.length === 0) {
        reply.code(404);
@@ -69,6 +75,31 @@ export function registerSkillRoutes(
        return { error: 'unknown_skill', message: `unknown skill: ${skill_name}` };
      }
      // v2.5.9: external agent → run the skill UNDER that agent. The skill body
      // stays server-side (like the native path's tool message) and is injected
      // into a dispatched task; the agent receives the skill instructions + the
      // user's text. Mirrors the messages-route external-provider dispatch.
      if (provider && provider !== 'boocode') {
        const [userMsg] = await sql<{ id: string }[]>`
          INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
          VALUES (${sessionId}, ${chatId}, 'user', ${userText}, 'complete', clock_timestamp())
          RETURNING id
        `;
        broker.publishFrame(sessionId, { type: 'message_started', message_id: userMsg!.id, chat_id: chatId, role: 'user' } as WsFrame);
        broker.publishFrame(sessionId, { type: 'delta', message_id: userMsg!.id, chat_id: chatId, content: userText } as WsFrame);
        broker.publishFrame(sessionId, { type: 'message_complete', message_id: userMsg!.id, chat_id: chatId } as WsFrame);
        const taskInput = `${body}\n\n---\n\n${userText}`;
        const [task] = await sql<{ id: string; state: string }[]>`
          INSERT INTO tasks (project_id, input, agent, model, mode_id, thinking_option_id, session_id, chat_id)
          VALUES (${sessionRows[0]!.project_id}, ${taskInput}, ${provider}, ${model ?? null}, ${mode_id ?? null}, ${thinking_option_id ?? null}, ${sessionId}, ${chatId})
          RETURNING id, state
        `;
        await sql`UPDATE chats SET updated_at = clock_timestamp() WHERE id = ${chatId}`;
        reply.code(202);
        return { user_message_id: userMsg!.id, task_id: task!.id, dispatched: true };
      }
      const { result, toolCall } = await runSkillInvokeTransaction(sql, {
        sessionId,
        chatId,
--- a/apps/coder/src/routes/worktree-safety.ts
+++ b/apps/coder/src/routes/worktree-safety.ts
@@ -0,0 +1,45 @@
 /**
 * Session-delete work-loss guard (coder side).
 *
 * Session delete itself lives in apps/server (Docker), which CANNOT see the
 * host worktree dirs (/tmp/booworktrees) or run git on them. Only BooCoder
 * (host systemd) can. So the server's DELETE route calls these endpoints
 * pre-delete to learn whether a session's worktree holds work at risk, and to
 * stash it. The server owns the gate; coder owns the git truth.
 */
 import type { FastifyInstance } from 'fastify';
 import type { Sql } from '../db.js';
 import { checkWorktreeWorkAtRisk, stashWorktree } from '../services/worktrees.js';
 export function registerWorktreeSafetyRoutes(app: FastifyInstance, sql: Sql): void {
  // GET risk for a session's worktree(s). One row per session today (PK on
  // session_id); the loop already handles the Phase-1.5 multi-worktree case.
  app.get<{ Params: { sessionId: string } }>(
    '/api/sessions/:sessionId/worktree-risk',
    async (req) => {
      const rows = await sql<{ worktree_path: string }[]>`
        SELECT path AS worktree_path FROM worktrees WHERE session_id = ${req.params.sessionId}
      `;
      const reports = [];
      for (const row of rows) {
        reports.push(await checkWorktreeWorkAtRisk(row.worktree_path));
      }
      return { reports };
    },
  );
  // Stash a session's worktree(s) — clears the dirty risk; recoverable.
  app.post<{ Params: { sessionId: string } }>(
    '/api/sessions/:sessionId/worktree-stash',
    async (req) => {
      const rows = await sql<{ worktree_path: string }[]>`
        SELECT path AS worktree_path FROM worktrees WHERE session_id = ${req.params.sessionId}
      `;
      const results = [];
      for (const row of rows) {
        results.push({ worktreePath: row.worktree_path, ...(await stashWorktree(row.worktree_path)) });
      }
      return { results };
    },
  );
 }
--- a/apps/coder/src/schema.sql
+++ b/apps/coder/src/schema.sql
@@ -66,8 +66,216 @@ CREATE OR REPLACE VIEW human_inbox AS
 ALTER TABLE available_agents ADD COLUMN IF NOT EXISTS models JSONB DEFAULT '[]'::jsonb;
 ALTER TABLE available_agents ADD COLUMN IF NOT EXISTS label TEXT;
 ALTER TABLE available_agents ADD COLUMN IF NOT EXISTS transport TEXT DEFAULT 'pty';
 -- v2.5.10: persisted ACP available_commands (captured during the cold probe), so
 -- an agent's live command set survives the tier-2 probe skip and shows without a
 -- dispatch.
 ALTER TABLE available_agents ADD COLUMN IF NOT EXISTS commands JSONB DEFAULT '[]'::jsonb;
 -- v2.2.0: Paseo-style session config on tasks.
 ALTER TABLE tasks ADD COLUMN IF NOT EXISTS mode_id TEXT;
 ALTER TABLE tasks ADD COLUMN IF NOT EXISTS thinking_option_id TEXT;
 ALTER TABLE tasks ADD COLUMN IF NOT EXISTS feature_values JSONB;
 -- v2.6: one shared worktree per session (all agents/panes in the session operate in it).
 CREATE TABLE IF NOT EXISTS session_worktrees (
  session_id UUID PRIMARY KEY REFERENCES sessions(id) ON DELETE CASCADE,
  worktree_path TEXT NOT NULL,
  base_commit TEXT,
  created_at TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
 );
 -- P1.5-b: DEFANG the CASCADE — a session delete must no longer wipe its worktree
 -- row. This table is SUPERSEDED by `worktrees` below; all readers are repointed
 -- this phase, so the row just persists (dead) on session delete until a later
 -- cleanup drops the table. session_id is this table's PRIMARY KEY, so it cannot be
 -- nullable → SET NULL is invalid and NO ACTION/RESTRICT would block deletes; the
 -- only valid defang is to drop the FK with no replacement. Idempotent: only fires
 -- while the FK is still ON DELETE CASCADE ('c').
 DO $$ BEGIN
  IF EXISTS (
    SELECT 1 FROM pg_constraint
    WHERE conname = 'session_worktrees_session_id_fkey'
      AND confdeltype = 'c'
  ) THEN
    ALTER TABLE session_worktrees DROP CONSTRAINT session_worktrees_session_id_fkey;
  END IF;
 END $$;
 -- v2.6: one backend session per (session, agent); resumed on switch-back.
 CREATE TABLE IF NOT EXISTS agent_sessions (
  session_id UUID NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
  agent TEXT NOT NULL,
  backend TEXT NOT NULL,
  agent_session_id TEXT,
  server_port INTEGER,
  status TEXT NOT NULL DEFAULT 'idle',
  last_active_at TIMESTAMPTZ,
  created_at TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp(),
  PRIMARY KEY (session_id, agent),
  CONSTRAINT agent_sessions_backend_chk CHECK (backend IN ('opencode_server', 'acp_warm')),
  CONSTRAINT agent_sessions_status_chk CHECK (status IN ('idle', 'active', 'crashed', 'closed'))
 );
 -- Migrate existing agent_sessions FK to CASCADE.
 DO $$ BEGIN
  IF EXISTS (
    SELECT 1 FROM pg_constraint
    WHERE conname = 'agent_sessions_session_id_fkey'
      AND confdeltype <> 'c'
  ) THEN
    ALTER TABLE agent_sessions DROP CONSTRAINT agent_sessions_session_id_fkey;
    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_session_id_fkey
      FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE CASCADE;
  END IF;
 END $$;
 -- v2.6: config fingerprint for stale-session detection (auto-recover on model change).
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS config_hash TEXT;
 -- v2.6 Phase 1-UX (U.6): opencode token/cost usage, ACCUMULATED per (chat_id, agent).
 -- opencode's warm server emits `session.next.step.ended` once per LLM step (several
 -- per multi-tool turn) carrying {tokens{input,output,reasoning,cache},cost}. We sum
 -- each step's normalized {input,output,cost} onto the session row — running totals
 -- for the whole conversation context, not last-step. Backend-only; no route/UI yet.
 -- input_tokens folds in cache read+write; output_tokens folds in reasoning (see
 -- backends/opencode-usage.ts). Defaults 0 so accumulation (col + delta) is well-defined.
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS input_tokens BIGINT NOT NULL DEFAULT 0;
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS output_tokens BIGINT NOT NULL DEFAULT 0;
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS cost DOUBLE PRECISION NOT NULL DEFAULT 0;
 -- ─── P1.5-b (corrected): worktrees entity + re-key agent_sessions to (chat_id, agent) ───
 -- The TAB (a chat) is the context unit: two opencode tabs in one session = two
 -- independent contexts sharing one worktree. So agent_sessions keys on
 -- (chat_id, agent), NOT (worktree_id, agent) or (session_id, agent). The
 -- `worktrees` table is one-per-session (selectable later) and only referenced
 -- informationally by agent_sessions.worktree_id (SET NULL); chat_id is the key.
 --
 -- PREREQUISITE: the unmigratable test session (35 chats, 1 agent_sessions row that
 -- maps to no single chat) is DELETED before this runs, so agent_sessions is empty
 -- and the chat_id backfill is N/A. If a row with NULL chat_id remains, the verify
 -- gate below RAISEs and aborts — delete the offending session first.
 -- worktree as a first-class entity; survives session delete (session_id SET NULL).
 CREATE TABLE IF NOT EXISTS worktrees (
  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  session_id  UUID REFERENCES sessions(id) ON DELETE SET NULL,
  project_id  UUID,
  path        TEXT NOT NULL,
  branch      TEXT,
  base_commit TEXT,
  slug        TEXT,
  status      TEXT NOT NULL DEFAULT 'active' CHECK (status IN ('active','archived')),
  created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
 );
 CREATE UNIQUE INDEX IF NOT EXISTS worktrees_active_path_uidx ON worktrees(path) WHERE status='active';
 -- Migrate any surviving session_worktrees rows → worktrees (idempotent; 0 rows
 -- after the test-session delete, kept for generality / fresh-DB safety).
 INSERT INTO worktrees (session_id, path, branch, base_commit, status)
 SELECT sw.session_id, sw.worktree_path, 'session-' || sw.session_id, sw.base_commit, 'active'
 FROM session_worktrees sw
 WHERE NOT EXISTS (SELECT 1 FROM worktrees w WHERE w.session_id = sw.session_id AND w.status='active');
 -- Dispatch hint: which chat (tab) a task belongs to. The coder message route and
 -- skills route set it from the frontend tab; session-less creators (arena, MCP,
 -- new_task, generic /api/tasks) leave it NULL and the dispatcher creates a chat.
 ALTER TABLE tasks ADD COLUMN IF NOT EXISTS chat_id UUID REFERENCES chats(id) ON DELETE SET NULL;
 -- Re-key columns on agent_sessions.
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS chat_id UUID;
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS worktree_id UUID;
 -- BACKFILL-VERIFY GATE: the new PK is (chat_id, agent), so chat_id must be
 -- non-null on every row before the swap. With the test session deleted this is a
 -- 0-row assertion; if any row has NULL chat_id (an unmigratable pre-existing row),
 -- abort loudly rather than create a degenerate (NULL, agent) key.
 DO $$
 DECLARE n int;
 BEGIN
  SELECT count(*) INTO n FROM agent_sessions WHERE chat_id IS NULL;
  IF n > 0 THEN
    RAISE EXCEPTION 'P1.5-b: % agent_sessions row(s) have NULL chat_id — delete the unmigratable session(s) before applying', n;
  END IF;
 END $$;
 -- Swap PK (session_id,agent) → (chat_id,agent) + FKs (run-once, guarded on the new
 -- FK's absence). chat_id CASCADEs from chats (closing a tab ends its context);
 -- worktree_id is informational SET NULL; session_id defanged to nullable SET NULL.
 DO $$ BEGIN
  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'agent_sessions_chat_id_fkey') THEN
    ALTER TABLE agent_sessions DROP CONSTRAINT IF EXISTS agent_sessions_pkey;
    ALTER TABLE agent_sessions DROP CONSTRAINT IF EXISTS agent_sessions_session_id_fkey;
    ALTER TABLE agent_sessions ALTER COLUMN session_id DROP NOT NULL;
    ALTER TABLE agent_sessions ALTER COLUMN chat_id SET NOT NULL;
    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_pkey PRIMARY KEY (chat_id, agent);
    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_chat_id_fkey
      FOREIGN KEY (chat_id) REFERENCES chats(id) ON DELETE CASCADE;
    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_session_id_fkey
      FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE SET NULL;
    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_worktree_id_fkey
      FOREIGN KEY (worktree_id) REFERENCES worktrees(id) ON DELETE SET NULL;
  END IF;
 END $$;
 -- P1.5-b follow-up: converge agent_sessions.session_id FK CASCADE → SET NULL.
 -- The re-key block above re-adds session_id_fkey as SET NULL, but it is guarded on
 -- chat_id_fkey's ABSENCE — so a DB already re-keyed to (chat_id, agent) while
 -- session_id_fkey was still ON DELETE CASCADE never re-enters that block and stays
 -- 'c'. This standalone guard flips it to SET NULL ('n'), matching worktree_id.
 -- Idempotent (mirrors the session_worktrees defang's confdeltype check): only fires
 -- while the FK is still CASCADE — a no-op on a fresh deploy (already 'n' from the
 -- re-key block) and on every re-run thereafter.
 DO $$ BEGIN
  IF EXISTS (
    SELECT 1 FROM pg_constraint
    WHERE conname = 'agent_sessions_session_id_fkey'
      AND confdeltype = 'c'
  ) THEN
    ALTER TABLE agent_sessions ALTER COLUMN session_id DROP NOT NULL;
    ALTER TABLE agent_sessions DROP CONSTRAINT agent_sessions_session_id_fkey;
    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_session_id_fkey
      FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE SET NULL;
  END IF;
 END $$;
 -- v2.6: attribution for DiffPanel badges (Phase 1 UX reads this).
 ALTER TABLE pending_changes ADD COLUMN IF NOT EXISTS agent TEXT;
 -- write-edit-robustness #4: worktree checkpoints. A pre-turn shadow-commit of the
 -- session worktree (tracked + untracked, captured without disturbing the real
 -- index/working tree) stored in a private GC-safe ref refs/boocode/checkpoints/<id>.
 -- Created best-effort before each external-agent turn (opencode / warm-ACP / one-shot
 -- ACP+PTY); restore resets the worktree to commit_sha, trims the transcript from
 -- message_id forward, and resets the backend session. chat_id CASCADEs from chats
 -- (like agent_sessions); worktree_id SET NULL so a checkpoint outlives a reaped
 -- worktree row. session_id / message_id are informational (no FK — message rows are
 -- trimmed by a checkpoint restore and we must not block that on a dangling ref).
 CREATE TABLE IF NOT EXISTS checkpoints (
  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  chat_id     UUID NOT NULL REFERENCES chats(id) ON DELETE CASCADE,
  session_id  UUID,
  worktree_id UUID REFERENCES worktrees(id) ON DELETE SET NULL,
  message_id  UUID,            -- anchor: the assistant turn row this checkpoint precedes
  commit_sha  TEXT NOT NULL,   -- shadow-commit capturing the pre-turn worktree tree
  label       TEXT,
  created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
 );
 CREATE INDEX IF NOT EXISTS checkpoints_chat_created_idx ON checkpoints(chat_id, created_at);
 -- LISTEN/NOTIFY fast path: every tasks INSERT (from any call site — routes,
 -- new_task tool, arena, MCP server) fires pg_notify('tasks_new') in the same
 -- transaction, so the dispatcher reacts immediately instead of waiting for the
 -- fallback poll. Postgres holds the notification until COMMIT, so the listener
 -- always sees the committed row. A trigger covers all insert paths with no
 -- app-code drift. Idempotent: re-applied on every startup.
 CREATE OR REPLACE FUNCTION notify_tasks_new() RETURNS trigger AS $$
 BEGIN
  PERFORM pg_notify('tasks_new', '');
  RETURN NEW;
 END;
 $$ LANGUAGE plpgsql;
 DROP TRIGGER IF EXISTS tasks_notify_new ON tasks;
 CREATE TRIGGER tasks_notify_new
  AFTER INSERT ON tasks
  FOR EACH ROW
  EXECUTE FUNCTION notify_tasks_new();
--- a/apps/coder/src/services/tests/acp-client-fs.test.ts
+++ b/apps/coder/src/services/tests/acp-client-fs.test.ts
@@ -0,0 +1,50 @@
 import { describe, it, expect, afterEach } from 'vitest';
 import { mkdtempSync, rmSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { readWorktreeTextFile, writeWorktreeTextFile } from '../acp-client-fs.js';
 const created: string[] = [];
 function freshWorktree(): string {
  const wt = mkdtempSync(join(tmpdir(), 'acp-wt-'));
  created.push(wt);
  return wt;
 }
 afterEach(() => {
  for (const d of created.splice(0)) {
    try {
      rmSync(d, { recursive: true, force: true });
      rmSync(`${d}-evil`, { recursive: true, force: true });
    } catch {
      /* ignore */
    }
  }
 });
 describe('acp-client-fs worktree scoping', () => {
  it('writes then reads a file inside the worktree', async () => {
    const wt = freshWorktree();
    await writeWorktreeTextFile(wt, 'sub/dir/note.txt', 'hello');
    expect(await readWorktreeTextFile(wt, 'sub/dir/note.txt')).toBe('hello');
  });
  it('rejects ../ traversal on read', async () => {
    const wt = freshWorktree();
    await expect(readWorktreeTextFile(wt, '../../etc/passwd')).rejects.toThrow(/escapes worktree/);
  });
  it('rejects ../ traversal on write', async () => {
    const wt = freshWorktree();
    await expect(writeWorktreeTextFile(wt, '../escape.txt', 'x')).rejects.toThrow(/escapes worktree/);
  });
  it('rejects a sibling-prefix path (the unbounded-startsWith bug)', async () => {
    const wt = freshWorktree();
    // Absolute path that shares the worktree as a STRING prefix but is a sibling
    // dir: `<wt>-evil/...`. A bare `startsWith(<wt>)` wrongly admits it.
    await expect(readWorktreeTextFile(wt, `${wt}-evil/secret.txt`)).rejects.toThrow(/escapes worktree/);
    await expect(writeWorktreeTextFile(wt, `${wt}-evil/secret.txt`, 'x')).rejects.toThrow(
      /escapes worktree/,
    );
  });
 });
--- a/apps/coder/src/services/tests/acp-event-map.test.ts
+++ b/apps/coder/src/services/tests/acp-event-map.test.ts
@@ -0,0 +1,110 @@
 import { describe, it, expect } from 'vitest';
 import type { SessionNotification } from '@agentclientprotocol/sdk';
 import { mapSessionUpdate } from '../acp-event-map.js';
 import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
 /**
 * Pure event-mapping shared by the one-shot ACP dispatch (AcpStreamContext) and
 * the warm ACP backend (Phase 2). Mirrors the original handleSessionUpdate switch
 * verbatim but returns normalized AgentEvents instead of publishing broker frames.
 */
 describe('mapSessionUpdate (shared ACP event mapping)', () => {
  function note(update: SessionNotification['update']): SessionNotification {
    return { sessionId: 's1', update };
  }
  it('maps an agent_message_chunk text → a text event', () => {
    const events = mapSessionUpdate(
      note({ sessionUpdate: 'agent_message_chunk', content: { type: 'text', text: 'hello' } }),
    );
    expect(events).toEqual([{ type: 'text', text: 'hello' }]);
  });
  it('maps an agent_thought_chunk text → a reasoning event', () => {
    const events = mapSessionUpdate(
      note({ sessionUpdate: 'agent_thought_chunk', content: { type: 'text', text: 'thinking' } }),
    );
    expect(events).toEqual([{ type: 'reasoning', text: 'thinking' }]);
  });
  it('ignores non-text content on message/thought chunks', () => {
    const img = mapSessionUpdate(
      note({
        sessionUpdate: 'agent_message_chunk',
        content: { type: 'image', data: 'x', mimeType: 'image/png' },
      } as never),
    );
    expect(img).toEqual([]);
  });
  it('maps a tool_call → a tool_call event with a merged snapshot', () => {
    const events = mapSessionUpdate(
      note({
        sessionUpdate: 'tool_call',
        toolCallId: 't1',
        title: 'read_file',
        status: 'pending',
        rawInput: { path: 'a.ts' },
      } as never),
    );
    expect(events).toHaveLength(1);
    expect(events[0]!.type).toBe('tool_call');
    const snap = (events[0] as { type: 'tool_call'; toolCall: AcpToolSnapshot }).toolCall;
    expect(snap.toolCallId).toBe('t1');
    expect(snap.title).toBe('read_file');
    expect(snap.status).toBe('pending');
    expect(snap.rawInput).toEqual({ path: 'a.ts' });
  });
  it('maps a tool_call_update → a tool_update event merged over the prior snapshot', () => {
    const prior = new Map<string, AcpToolSnapshot>([
      ['t1', { toolCallId: 't1', title: 'read_file', status: 'pending', rawInput: { path: 'a.ts' } }],
    ]);
    const events = mapSessionUpdate(
      note({
        sessionUpdate: 'tool_call_update',
        toolCallId: 't1',
        status: 'completed',
        rawOutput: 'file body',
      } as never),
      prior,
    );
    expect(events).toHaveLength(1);
    expect(events[0]!.type).toBe('tool_update');
    const snap = (events[0] as { type: 'tool_update'; toolCall: AcpToolSnapshot }).toolCall;
    expect(snap.toolCallId).toBe('t1');
    // merged: title carried from prior, status updated, output added, input retained
    expect(snap.title).toBe('read_file');
    expect(snap.status).toBe('completed');
    expect(snap.rawOutput).toBe('file body');
    expect(snap.rawInput).toEqual({ path: 'a.ts' });
  });
  it('maps available_commands_update → a commands event', () => {
    const events = mapSessionUpdate(
      note({
        sessionUpdate: 'available_commands_update',
        availableCommands: [
          { name: 'plan', description: 'make a plan' },
          { name: 'review', description: null },
        ],
      } as never),
    );
    expect(events).toEqual([
      {
        type: 'commands',
        commands: [
          { name: 'plan', description: 'make a plan' },
          { name: 'review', description: undefined },
        ],
      },
    ]);
  });
  it('returns [] for unhandled update kinds (plan, mode change)', () => {
    expect(mapSessionUpdate(note({ sessionUpdate: 'plan', entries: [] } as never))).toEqual([]);
    expect(
      mapSessionUpdate(note({ sessionUpdate: 'current_mode_update', currentModeId: 'code' } as never)),
    ).toEqual([]);
  });
 });
--- a/apps/coder/src/services/tests/acp-spawn.test.ts
+++ b/apps/coder/src/services/tests/acp-spawn.test.ts
@@ -0,0 +1,73 @@
 import { describe, it, expect } from 'vitest';
 import { resolveLaunchSpec, resolveAcpSpawnArgs } from '../acp-spawn.js';
 import { buildResolvedRegistry } from '../provider-config-registry.js';
 import type { CoderProvidersFile } from '../provider-config.js';
 import { PROVIDERS } from '../provider-registry.js';
 /** Resolved def for a provider id under the given config (default: no override). */
 function builtin(name: string, providers: CoderProvidersFile['providers'] = {}) {
  const def = buildResolvedRegistry(PROVIDERS, { providers }).get(name);
  if (!def) throw new Error(`no resolved def for ${name}`);
  return def;
 }
 describe('resolveLaunchSpec', () => {
  // --- byte-identical built-in regression (the HARD CONSTRAINT) ---------------
  // These argv values are the pre-v2.3 resolveAcpSpawnArgs switch outputs and
  // MUST NOT change. spawn() is `spawn(spec.binary, spec.args, ...)`, so argv
  // parity here is dispatch parity.
  it('opencode (no override) → byte-identical argv ["acp"], binary = installPath', () => {
    const spec = resolveLaunchSpec(builtin('opencode'), '/usr/bin/opencode');
    expect(spec).not.toBeNull();
    expect(spec!.args).toEqual(['acp']); // pre-v2.3 value
    expect(spec!.binary).toBe('/usr/bin/opencode');
    expect(spec!.env).toBeUndefined();
    // cross-check against the switch source-of-truth
    expect(spec!.args).toEqual(resolveAcpSpawnArgs('opencode'));
  });
  it('goose → ["acp"], qwen → ["--acp"] (byte-identical)', () => {
    expect(resolveLaunchSpec(builtin('goose'), '/usr/bin/goose')!.args).toEqual(['acp']);
    expect(resolveLaunchSpec(builtin('qwen'), '/usr/bin/qwen')!.args).toEqual(['--acp']);
  });
  it('built-in with null installPath falls back to the bare id (pre-v2.3 `installPath ?? agent`)', () => {
    const spec = resolveLaunchSpec(builtin('opencode'), null);
    expect(spec!.binary).toBe('opencode');
    expect(spec!.args).toEqual(['acp']);
  });
  it('non-ACP / unknown provider → null (claude has no ACP argv)', () => {
    expect(resolveLaunchSpec(builtin('claude'), '/usr/bin/claude')).toBeNull();
    expect(resolveLaunchSpec(builtin('boocode'), null)).toBeNull();
  });
  // --- config-driven launch (the new capability) ------------------------------
  it('custom ACP entry → configured command + env reach the spec', () => {
    const def = builtin('amp-acp', {
      'amp-acp': { extends: 'acp', label: 'Amp', command: ['amp-acp', '--acp'], env: { AMP_KEY: 'x' } },
    });
    const spec = resolveLaunchSpec(def, '/usr/local/bin/amp-acp');
    expect(spec).not.toBeNull();
    expect(spec!.binary).toBe('amp-acp'); // command[0], not the resolved install path
    expect(spec!.args).toEqual(['--acp']); // command.slice(1)
    expect(spec!.env).toEqual({ AMP_KEY: 'x' });
  });
  it('built-in WITH a config command override uses the override, not the switch default', () => {
    const def = builtin('opencode', { opencode: { command: ['opencode', 'acp', '--verbose'], env: { DEBUG: '1' } } });
    const spec = resolveLaunchSpec(def, '/usr/bin/opencode');
    expect(spec!.binary).toBe('opencode');
    expect(spec!.args).toEqual(['acp', '--verbose']);
    expect(spec!.env).toEqual({ DEBUG: '1' });
  });
 });
 describe('acp-dispatch spawn wiring (documented pass-through)', () => {
  // dispatchViaAcp spawns `spawn(spec.binary, spec.args, { env: { ...process.env, ...spec.env } })`.
  // The env merge layers config env over process.env; for a built-in with no
  // config env, spec.env is undefined → { ...process.env } (byte-identical).
  it('built-in with no config env yields an undefined spec.env (→ plain process.env at spawn)', () => {
    expect(resolveLaunchSpec(builtin('opencode'), '/usr/bin/opencode')!.env).toBeUndefined();
  });
 });
--- a/apps/coder/src/services/tests/agent-pool.test.ts
+++ b/apps/coder/src/services/tests/agent-pool.test.ts
@@ -0,0 +1,233 @@
 import { describe, it, expect, vi } from 'vitest';
 import { AgentPool, OPENCODE_POOL_KEY } from '../agent-pool.js';
 import type {
  AgentBackend,
  AgentSessionHandle,
  EnsureSessionOpts,
  PromptCtx,
  TurnResult,
 } from '../agent-backend.js';
 /**
 * v2.6 Phase 3 — AgentPool lifecycle unit test (T.1). No DB / no child process:
 * a fake AgentBackend records dispose + reports busy/health, so we exercise
 * get-or-create, idle eviction, the LRU cap, the busy-never-evict rule, closeChat,
 * and dispose-drains directly. The pure decisions are covered separately in
 * backends/__tests__/lifecycle-decisions.test.ts; this verifies the wiring.
 */
 class FakeBackend implements AgentBackend {
  disposed = 0;
  closedSessions = 0;
  private busyFlag = false;
  tickHealthCalls = 0;
  constructor(public readonly name = 'fake') {}
  setBusy(b: boolean): void {
    this.busyFlag = b;
  }
  // — AgentBackend —
  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
    return {
      sessionId,
      agent: opts.agent,
      backend: 'acp_warm',
      chatId: opts.chatId,
      worktreeId: opts.worktreeId,
      agentSessionId: 'fake-session',
      serverPort: null,
    };
  }
  async prompt(_h: AgentSessionHandle, _input: string, _ctx: PromptCtx): Promise<TurnResult> {
    return { ok: true };
  }
  async closeSession(): Promise<void> {
    this.closedSessions++;
  }
  async dispose(): Promise<void> {
    this.disposed++;
  }
  health(): 'up' | 'down' {
    return 'up';
  }
  isBusy(): boolean {
    return this.busyFlag;
  }
  async tickHealth(): Promise<void> {
    this.tickHealthCalls++;
  }
 }
 describe('AgentPool — get/register/touch (3.1)', () => {
  it('register then get returns the same backend', () => {
    const pool = new AgentPool();
    const b = new FakeBackend();
    pool.register('chat-1', 'goose', b);
    expect(pool.get('chat-1', 'goose')).toBe(b);
    expect(pool.get('chat-1', 'qwen')).toBeUndefined();
  });
  it('peek does NOT exist for a missing key', () => {
    const pool = new AgentPool();
    expect(pool.peek('nope', 'goose')).toBeUndefined();
  });
  it('health reports size + busy count', () => {
    const pool = new AgentPool();
    const a = new FakeBackend();
    const b = new FakeBackend();
    b.setBusy(true);
    pool.register('c1', 'goose', a);
    pool.register('c2', 'qwen', b);
    expect(pool.health()).toEqual({ size: 2, busy: 1 });
  });
 });
 describe('AgentPool.sweep — idle TTL eviction (3.1)', () => {
  it('evicts an idle backend past the TTL and disposes it', async () => {
    const pool = new AgentPool({ idleTtlMs: 1_000, maxLive: 100 });
    const b = new FakeBackend();
    pool.register('c1', 'goose', b);
    // Sweep with now far past the registration → idle → evicted.
    const { evicted } = await pool.sweep(Date.now() + 10_000);
    expect(evicted).toEqual(['c1:goose']);
    expect(b.disposed).toBe(1);
    expect(pool.get('c1', 'goose')).toBeUndefined();
  });
  it('never evicts a busy backend even past the TTL', async () => {
    const pool = new AgentPool({ idleTtlMs: 1_000, maxLive: 100 });
    const b = new FakeBackend();
    b.setBusy(true);
    pool.register('c1', 'goose', b);
    const { evicted } = await pool.sweep(Date.now() + 10_000);
    expect(evicted).toEqual([]);
    expect(b.disposed).toBe(0);
    expect(pool.get('c1', 'goose')).toBe(b);
  });
  it('touch keeps a backend warm so the TTL measures from the last turn', async () => {
    const pool = new AgentPool({ idleTtlMs: 5_000, maxLive: 100 });
    const b = new FakeBackend();
    pool.register('c1', 'goose', b);
    const base = Date.now();
    // 4s later, touch — resets activity. A sweep at +6s from base is only +2s from
    // the touch → still within TTL → not evicted.
    vi.spyOn(Date, 'now').mockReturnValue(base + 4_000);
    pool.touch('c1', 'goose');
    vi.restoreAllMocks();
    const { evicted } = await pool.sweep(base + 6_000);
    expect(evicted).toEqual([]);
  });
 });
 describe('AgentPool.sweep — LRU cap (3.4)', () => {
  it('evicts the least-recently-used beyond the cap', async () => {
    const pool = new AgentPool({ idleTtlMs: 1_000_000, maxLive: 2 });
    const base = 1_000_000;
    const mk = (key: string, regAt: number) => {
      vi.spyOn(Date, 'now').mockReturnValue(regAt);
      const b = new FakeBackend(key);
      const [chat, agent] = key.split(':');
      pool.register(chat!, agent!, b);
      vi.restoreAllMocks();
      return b;
    };
    const a = mk('c1:goose', base + 100);
    const b = mk('c2:goose', base + 300);
    const c = mk('c3:goose', base + 200);
    // 3 entries, cap 2, all within idle TTL → LRU (oldest = a@+100) evicted.
    const { evicted } = await pool.sweep(base + 1_000);
    expect(evicted).toEqual(['c1:goose']);
    expect(a.disposed).toBe(1);
    expect(b.disposed).toBe(0);
    expect(c.disposed).toBe(0);
  });
 });
 describe('AgentPool.sweep — proactive health probe (3.2)', () => {
  it('drives each backend tickHealth before eviction', async () => {
    const pool = new AgentPool({ idleTtlMs: 1_000_000, maxLive: 100 });
    const b = new FakeBackend();
    pool.register('c1', 'opencode', b);
    await pool.sweep(Date.now());
    expect(b.tickHealthCalls).toBe(1);
  });
 });
 describe('AgentPool.closeChat — chat-close teardown (3.3)', () => {
  it('disposes only the matching chat keys, leaving others + the shared server', async () => {
    const pool = new AgentPool();
    const goose = new FakeBackend('goose');
    const qwen = new FakeBackend('qwen');
    const other = new FakeBackend('other-chat');
    const ocServer = new FakeBackend('opencode-server');
    pool.register('chat-1', 'goose', goose);
    pool.register('chat-1', 'qwen', qwen);
    pool.register('chat-2', 'goose', other);
    pool.register(OPENCODE_POOL_KEY, 'opencode', ocServer);
    const removed = await pool.closeChat('chat-1');
    expect(removed.sort()).toEqual(['chat-1:goose', 'chat-1:qwen']);
    expect(goose.disposed).toBe(1);
    expect(qwen.disposed).toBe(1);
    // other chat + shared opencode server untouched.
    expect(other.disposed).toBe(0);
    expect(ocServer.disposed).toBe(0);
    expect(pool.peek('chat-2', 'goose')).toBe(other);
    expect(pool.peek(OPENCODE_POOL_KEY, 'opencode')).toBe(ocServer);
  });
  it('does not dispose a busy backend on closeChat', async () => {
    const pool = new AgentPool();
    const b = new FakeBackend();
    b.setBusy(true);
    pool.register('chat-1', 'goose', b);
    const removed = await pool.closeChat('chat-1');
    expect(removed).toEqual([]);
    expect(b.disposed).toBe(0);
  });
  it('does not match a chat id that is a prefix of another', async () => {
    // 'chat-1' must not match 'chat-10' — keys are `${chatId}:${agent}` so the
    // colon delimiter prevents the prefix collision.
    const pool = new AgentPool();
    const a = new FakeBackend();
    const b = new FakeBackend();
    pool.register('chat-1', 'goose', a);
    pool.register('chat-10', 'goose', b);
    await pool.closeChat('chat-1');
    expect(a.disposed).toBe(1);
    expect(b.disposed).toBe(0);
    expect(pool.peek('chat-10', 'goose')).toBe(b);
  });
 });
 describe('AgentPool.dispose — drain all (T.1)', () => {
  it('disposes every backend and clears the map', async () => {
    const pool = new AgentPool();
    const a = new FakeBackend();
    const b = new FakeBackend();
    pool.register('c1', 'goose', a);
    pool.register('c2', 'qwen', b);
    await pool.dispose();
    expect(a.disposed).toBe(1);
    expect(b.disposed).toBe(1);
    expect(pool.health()).toEqual({ size: 0, busy: 0 });
  });
  it('tolerates a backend whose dispose throws', async () => {
    const pool = new AgentPool();
    const good = new FakeBackend();
    const bad = new FakeBackend();
    bad.dispose = async () => {
      throw new Error('boom');
    };
    pool.register('c1', 'goose', bad);
    pool.register('c2', 'qwen', good);
    await expect(pool.dispose()).resolves.toBeUndefined();
    expect(good.disposed).toBe(1);
  });
 });
--- a/apps/coder/src/services/tests/checkpoints.test.ts
+++ b/apps/coder/src/services/tests/checkpoints.test.ts
@@ -0,0 +1,252 @@
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 import { readFileSync } from 'node:fs';
 import { rm, mkdir } from 'node:fs/promises';
 import { resolve } from 'node:path';
 import postgres from 'postgres';
 import {
  buildShadowCommitCommand,
  createCheckpoint,
  restoreCheckpoint,
  CheckpointNotFoundError,
 } from '../checkpoints.js';
 import { ensureSessionWorktree } from '../worktrees.js';
 import { hostExec } from '../host-exec.js';
 /**
 * write-edit-robustness #4 — worktree checkpoint tests.
 *
 * Pure-helper coverage (no DB / no host) for the shadow-commit command builder,
 * plus a DB+git integration block (DB-opt-in via DATABASE_URL, skips cleanly
 * otherwise; mirrors reconnect_integration.test.ts) that exercises the real
 * create → restore round trip against a worktree on the host fs.
 */
 describe('buildShadowCommitCommand (pure)', () => {
  it('parks the commit under refs/boocode/checkpoints/<id> and prints only the SHA', () => {
    const cmd = buildShadowCommitCommand('/tmp/booworktrees/sess-abc', 'cp-id-123');
    // Uses a temp index so the real working tree/index is untouched.
    expect(cmd).toContain('TMP=$(mktemp)');
    expect(cmd).toContain('GIT_INDEX_FILE="$TMP" git read-tree HEAD');
    expect(cmd).toContain('GIT_INDEX_FILE="$TMP" git add -A');
    expect(cmd).toContain('git write-tree');
    expect(cmd).toContain("git commit-tree \"$TREE\" -p HEAD -m \"boocode checkpoint\"");
    // Ref name matches the row id, and stdout is ONLY the SHA (printf, no newline).
    expect(cmd).toContain("update-ref 'refs/boocode/checkpoints/cp-id-123'");
    expect(cmd).toContain("printf '%s' \"$SHA\"");
    expect(cmd).not.toContain('echo "$SHA"');
  });
  it('shell-escapes the worktree path and the id', () => {
    const cmd = buildShadowCommitCommand("/tmp/it's a path", "id'; rm -rf /");
    // Single quotes inside the path/id are escaped via the '\'' wrapping idiom — no
    // bare interpolation that could break out of the quoting.
    expect(cmd).toContain("cd '/tmp/it'\\''s a path'");
    expect(cmd).toContain("refs/boocode/checkpoints/id'\\''; rm -rf /");
  });
 });
 describe.runIf(!!process.env.DATABASE_URL)('checkpoint create + restore (DB + git)', () => {
  let sql: ReturnType<typeof postgres>;
  const stamp = Date.now();
  const projectDir = `/tmp/boocode-checkpoint-proj-${stamp}`;
  let projectId: string;
  let sessionId: string;
  let chatId: string;
  let worktreePath: string;
  beforeAll(async () => {
    sql = postgres(process.env.DATABASE_URL!, { max: 3 });
    // Server schema first (FK targets), then coder schema (worktrees + checkpoints).
    const serverSchema = resolve(__dirname, '../../../../server/src/schema.sql');
    const coderSchema = resolve(__dirname, '../../schema.sql');
    await sql.unsafe(readFileSync(serverSchema, 'utf8'));
    await sql.unsafe(readFileSync(coderSchema, 'utf8'));
    await mkdir(projectDir, { recursive: true });
    await hostExec(
      `cd ${projectDir} && git init -q && git config user.email t@t && git config user.name t ` +
        `&& echo hello > README.md && git add -A && git commit -qm init`,
      { timeoutMs: 20_000 },
    );
    const [project] = await sql<{ id: string }[]>`
      INSERT INTO projects (name, path, status) VALUES ('checkpoint-test', ${projectDir}, 'open') RETURNING id
    `;
    projectId = project!.id;
    const [session] = await sql<{ id: string }[]>`
      INSERT INTO sessions (project_id, name, model, status)
      VALUES (${projectId}, 'cp', 'm', 'open') RETURNING id
    `;
    sessionId = session!.id;
    const [chat] = await sql<{ id: string }[]>`
      INSERT INTO chats (session_id, name, status) VALUES (${sessionId}, 'tab', 'open') RETURNING id
    `;
    chatId = chat!.id;
    const wt = await ensureSessionWorktree(sql, projectDir, sessionId);
    worktreePath = wt.worktreePath;
  });
  afterAll(async () => {
    if (sql) {
      const rows = await sql<{ path: string }[]>`SELECT path FROM worktrees WHERE session_id = ${sessionId}`.catch(() => []);
      for (const r of rows) {
        await hostExec(`git -C ${projectDir} worktree remove ${r.path} --force`, { timeoutMs: 10_000 }).catch(() => {});
      }
      await sql`DELETE FROM checkpoints WHERE chat_id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM agent_sessions WHERE chat_id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM worktrees WHERE session_id = ${sessionId}`.catch(() => {});
      await sql`DELETE FROM chats WHERE id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM sessions WHERE id = ${sessionId}`.catch(() => {});
      await sql`DELETE FROM projects WHERE id = ${projectId}`.catch(() => {});
      await sql.end({ timeout: 5 });
    }
    await rm(projectDir, { recursive: true, force: true });
  });
  it('createCheckpoint inserts a row + a private ref capturing tracked + untracked', async () => {
    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    const worktreeId = wt!.id;
    // Pre-turn untracked + tracked-edit state the agent will start from.
    await hostExec(`cd ${worktreePath} && echo edited >> README.md && echo new > extra.txt`, { timeoutMs: 10_000 });
    const [assistantMsg] = await sql<{ id: string }[]>`
      INSERT INTO messages (session_id, chat_id, role, content, status)
      VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming') RETURNING id
    `;
    const messageId = assistantMsg!.id;
    const cp = await createCheckpoint(sql, {
      chatId,
      sessionId,
      worktreeId,
      worktreePath,
      messageId,
    });
    expect(cp).not.toBeNull();
    expect(cp!.commit_sha).toMatch(/^[0-9a-f]{40}$/);
    const [row] = await sql<{ commit_sha: string; worktree_id: string; message_id: string }[]>`
      SELECT commit_sha, worktree_id, message_id FROM checkpoints WHERE id = ${cp!.id}
    `;
    expect(row!.commit_sha).toBe(cp!.commit_sha);
    expect(row!.worktree_id).toBe(worktreeId);
    expect(row!.message_id).toBe(messageId);
    // The ref exists and the captured tree carries the untracked file (proves the
    // temp-index `git add -A` snapshotted untracked content).
    const refLs = await hostExec(
      `git -C ${worktreePath} ls-tree -r --name-only ${cp!.commit_sha}`,
      { timeoutMs: 10_000 },
    );
    expect(refLs.exitCode).toBe(0);
    expect(refLs.stdout).toContain('extra.txt');
    // The shadow commit did NOT disturb the real working tree: extra.txt is still
    // present + still untracked (status shows it).
    const status = await hostExec(`git -C ${worktreePath} status --porcelain`, { timeoutMs: 10_000 });
    expect(status.stdout).toContain('extra.txt');
  });
  it('restoreCheckpoint resets the worktree, trims the transcript, and drops later checkpoints', async () => {
    // Clean slate for this test: reset the worktree to HEAD, clear prior rows.
    await hostExec(`git -C ${worktreePath} reset --hard HEAD && git -C ${worktreePath} clean -fd`, { timeoutMs: 10_000 });
    await sql`DELETE FROM checkpoints WHERE chat_id = ${chatId}`;
    await sql`DELETE FROM messages WHERE chat_id = ${chatId}`;
    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    const worktreeId = wt!.id;
    // Turn 1: a user msg, then the assistant turn the checkpoint anchors. The
    // worktree is pristine (matches HEAD) when this checkpoint is captured.
    await sql`INSERT INTO messages (session_id, chat_id, role, content, status) VALUES (${sessionId}, ${chatId}, 'user', 'do it', 'complete')`;
    const [a1] = await sql<{ id: string }[]>`
      INSERT INTO messages (session_id, chat_id, role, content, status)
      VALUES (${sessionId}, ${chatId}, 'assistant', 'turn 1', 'complete') RETURNING id
    `;
    const cp1 = await createCheckpoint(sql, { chatId, sessionId, worktreeId, worktreePath, messageId: a1!.id });
    expect(cp1).not.toBeNull();
    // The agent (turn 1) writes a file into the worktree.
    await hostExec(`cd ${worktreePath} && echo agent-wrote > agent.txt`, { timeoutMs: 10_000 });
    // Turn 2: another user msg + assistant turn, AND a second (later) checkpoint.
    await sql`INSERT INTO messages (session_id, chat_id, role, content, status) VALUES (${sessionId}, ${chatId}, 'user', 'more', 'complete')`;
    const [a2] = await sql<{ id: string }[]>`
      INSERT INTO messages (session_id, chat_id, role, content, status)
      VALUES (${sessionId}, ${chatId}, 'assistant', 'turn 2', 'complete') RETURNING id
    `;
    const cp2 = await createCheckpoint(sql, { chatId, sessionId, worktreeId, worktreePath, messageId: a2!.id });
    expect(cp2).not.toBeNull();
    // An agent_sessions row that restore should mark 'crashed'.
    await sql`
      INSERT INTO agent_sessions (chat_id, session_id, worktree_id, agent, backend, agent_session_id, status, last_active_at)
      VALUES (${chatId}, ${sessionId}, ${worktreeId}, 'goose', 'acp_warm', 'sess-1', 'active', clock_timestamp())
      ON CONFLICT (chat_id, agent) DO UPDATE SET status = 'active'
    `;
    const before = await sql<{ id: string }[]>`SELECT id FROM messages WHERE chat_id = ${chatId} ORDER BY created_at`;
    expect(before.length).toBe(4); // user, a1, user, a2
    // Restore to cp1 (before turn 1's assistant message).
    const result = await restoreCheckpoint(sql, cp1!.id, { sessionId });
    expect(result.checkpoint_id).toBe(cp1!.id);
    expect(result.worktree_reset).toBe(true);
    expect(result.backend_reset).toBe(true);
    // a1, user(turn2), a2 deleted (created_at >= a1) → 3 trimmed.
    expect(result.messages_deleted).toBe(3);
    // Transcript trimmed to just the first user message.
    const after = await sql<{ role: string; content: string }[]>`SELECT role, content FROM messages WHERE chat_id = ${chatId} ORDER BY created_at`;
    expect(after.length).toBe(1);
    expect(after[0]!.role).toBe('user');
    // Worktree reset: the agent's file is gone (it was written after cp1).
    const ls = await hostExec(`ls ${worktreePath}/agent.txt`, { timeoutMs: 10_000 });
    expect(ls.exitCode).not.toBe(0);
    // The agent_sessions row was reset to 'crashed'.
    const [as] = await sql<{ status: string }[]>`SELECT status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'goose'`;
    expect(as!.status).toBe('crashed');
    // cp1 survives (re-restorable); cp2 (later) was dropped.
    const cps = await sql<{ id: string }[]>`SELECT id FROM checkpoints WHERE chat_id = ${chatId}`;
    expect(cps.map((c) => c.id)).toEqual([cp1!.id]);
  });
  it('restoreCheckpoint throws CheckpointNotFoundError for an unknown id', async () => {
    await expect(
      restoreCheckpoint(sql, '00000000-0000-0000-0000-000000000000', { sessionId }),
    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
  });
  it('restoreCheckpoint throws when the checkpoint is not in the requested session', async () => {
    // A checkpoint whose session_id differs from the route's sessionId.
    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    const cp = await createCheckpoint(sql, { chatId, sessionId, worktreeId: wt!.id, worktreePath, messageId: null });
    expect(cp).not.toBeNull();
    await expect(
      restoreCheckpoint(sql, cp!.id, { sessionId: '11111111-1111-1111-1111-111111111111' }),
    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
    await sql`DELETE FROM checkpoints WHERE id = ${cp!.id}`;
  });
  it('restoreCheckpoint denies a NULL-session_id checkpoint from another session (no fail-open IDOR)', async () => {
    // Regression for the fail-open authorization bug: a checkpoint row whose
    // denormalized session_id is NULL must STILL be scoped via its chat's owning
    // session (chats.session_id), not skipped. The old guard `cp.session_id &&
    // cp.session_id !== sessionId` fell through on NULL → cross-session restore.
    const [row] = await sql<{ id: string }[]>`
      INSERT INTO checkpoints (chat_id, session_id, message_id, commit_sha)
      VALUES (${chatId}, NULL, NULL, 'deadbeef')
      RETURNING id
    `;
    await expect(
      restoreCheckpoint(sql, row!.id, { sessionId: '22222222-2222-2222-2222-222222222222' }),
    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
    await sql`DELETE FROM checkpoints WHERE id = ${row!.id}`;
  });
 });
--- a/apps/coder/src/services/tests/cursor-models.test.ts
+++ b/apps/coder/src/services/tests/cursor-models.test.ts
@@ -1,47 +0,0 @@
 import { describe, it, expect } from 'vitest';
 import { parseCursorAgentModelsOutput } from '../cursor-models.js';
 describe('parseCursorAgentModelsOutput', () => {
  it('parses cursor-agent models output with default marker', () => {
    const output = `
 Available models
 claude-4-sonnet - Claude 4 Sonnet (default)
 gpt-4.1 - GPT-4.1
 Tip: use cursor-agent models for full list
 `.trim();
    const models = parseCursorAgentModelsOutput(output);
    expect(models).toEqual([
      { id: 'claude-4-sonnet', label: 'Claude 4 Sonnet', isDefault: true },
      { id: 'gpt-4.1', label: 'GPT-4.1', isDefault: false },
    ]);
  });
  it('uses current marker when no default', () => {
    const output = `
 model-a - Model A (current)
 model-b - Model B
 `.trim();
    const models = parseCursorAgentModelsOutput(output);
    expect(models.find((m) => m.id === 'model-a')?.isDefault).toBe(true);
    expect(models.find((m) => m.id === 'model-b')?.isDefault).toBe(false);
  });
  it('defaults to first model when no markers', () => {
    const output = 'alpha - Alpha\nbeta - Beta';
    const models = parseCursorAgentModelsOutput(output);
    expect(models[0]?.isDefault).toBe(true);
    expect(models[1]?.isDefault).toBe(false);
  });
  it('skips malformed lines', () => {
    const output = 'no-separator\nvalid - Valid';
    const models = parseCursorAgentModelsOutput(output);
    expect(models).toEqual([{ id: 'valid', label: 'Valid', isDefault: true }]);
  });
 });
--- a/apps/coder/src/services/tests/dcp-strip.test.ts
+++ b/apps/coder/src/services/tests/dcp-strip.test.ts
@@ -0,0 +1,73 @@
 import { describe, it, expect } from 'vitest';
 import { stripDcpTags, makeDcpStreamStripper } from '../dcp-strip.js';
 // Feed chunks through a fresh stripper and return the fully reassembled output
 // (everything emitted during streaming + the final flush) — i.e. what the
 // dispatcher would accumulate into the persisted message content.
 function run(chunks: string[]): string {
  const s = makeDcpStreamStripper();
  let out = '';
  for (const c of chunks) out += s.push(c);
  out += s.flush();
  return out;
 }
 describe('stripDcpTags (one-shot)', () => {
  it('removes a complete tag', () => {
    expect(stripDcpTags('Yes — "Test".\n\n<dcp-message-id>m0019</dcp-message-id>')).toBe(
      'Yes — "Test".\n\n',
    );
  });
  it('leaves text without a tag untouched', () => {
    expect(stripDcpTags('no tag here')).toBe('no tag here');
  });
 });
 describe('per-chunk strip is INSUFFICIENT (documents the bug)', () => {
  it('a tag split across chunks survives a naive per-chunk .replace()', () => {
    const chunks = ['Yes.\n\n<dcp', '-message', '-id>m0019</dcp', '-message-id>'];
    const naive = chunks.map(stripDcpTags).join('');
    // The reassembled content still contains the tag — this is the screenshot bug.
    expect(naive).toContain('<dcp-message-id>m0019</dcp-message-id>');
  });
 });
 describe('makeDcpStreamStripper (cross-chunk fix)', () => {
  it('strips a tag split across chunks (the real opencode case)', () => {
    expect(run(['Yes.\n\n<dcp', '-message', '-id>m0019</dcp', '-message-id>'])).toBe('Yes.\n\n');
  });
  it('strips a tag split at EVERY character boundary', () => {
    const full = 'Answer.<dcp-message-id>m0019</dcp-message-id>';
    expect(run([...full])).toBe('Answer.');
  });
  it('strips a tag delivered whole in one chunk', () => {
    expect(run(['Answer.<dcp-message-id>m0019</dcp-message-id>'])).toBe('Answer.');
  });
  it('passes through text with no tag', () => {
    expect(run(['hello ', 'world'])).toBe('hello world');
  });
  it('does NOT swallow legitimate < content (code/HTML/generics)', () => {
    expect(run(['use ', '<div>', ' and ', 'Array<', 'string>'])).toBe('use <div> and Array<string>');
  });
  it('handles a lone < that is not a dcp tag, split across chunks', () => {
    expect(run(['a <', 'b c'])).toBe('a <b c');
  });
  it('emits surrounding text and strips a mid-text tag', () => {
    expect(run(['before ', '<dcp-message-id>', 'm1', '</dcp-message-id>', ' after'])).toBe(
      'before  after',
    );
  });
  it('flushes a truncated/never-closed partial tag without leaking it as a complete tag', () => {
    // If the stream ends mid-tag, flush strips complete tags; an incomplete
    // remnant is returned as-is (no complete tag ever existed to render).
    const out = run(['done.<dcp-message-id>m00']);
    expect(out).not.toContain('</dcp-message-id>');
  });
 });
--- a/apps/coder/src/services/tests/fuzzy-match.test.ts
+++ b/apps/coder/src/services/tests/fuzzy-match.test.ts
@@ -0,0 +1,173 @@
 import { describe, it, expect } from 'vitest';
 import { locateMatch, SIMILARITY_THRESHOLD } from '../fuzzy-match.js';
 // Helper: assert a resolved span and slice it back out of the content so the
 // test pins the EXACT file text the caller would replace.
 function span(result: ReturnType<typeof locateMatch>): { start: number; end: number } {
  if (result.kind !== 'exact' && result.kind !== 'fuzzy') {
    throw new Error(`expected a located span, got ${result.kind}`);
  }
  return { start: result.start, end: result.end };
 }
 describe('locateMatch — strategy 1: exact', () => {
  it('returns an exact unique span', () => {
    const content = 'alpha\nbeta\ngamma\n';
    const result = locateMatch(content, 'beta');
    expect(result.kind).toBe('exact');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('beta');
  });
  it('returns the right offsets for a multi-line exact needle', () => {
    const content = 'one\ntwo\nthree\nfour\n';
    const needle = 'two\nthree';
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('exact');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe(needle);
  });
  it('refuses when the exact needle occurs more than once', () => {
    const content = 'foo\nbar\nfoo\nbar\nfoo\n';
    const result = locateMatch(content, 'foo');
    expect(result).toEqual({ kind: 'ambiguous', count: 3 });
  });
 });
 describe('locateMatch — strategy 2: per-line whitespace', () => {
  it('matches across trailing-whitespace drift at the real span', () => {
    // File has trailing spaces the model dropped from a TWO-line copy. A
    // single-line needle would be located by exact indexOf (it's a substring),
    // so use two lines where line 1's trailing ws breaks an exact substring run.
    const content = 'function f() {\n  setup();   \n  return 1;\n}\n';
    const needle = '  setup();\n  return 1;'; // line 1 missing trailing spaces
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    // The returned span covers the ORIGINAL lines including the trailing spaces.
    expect(content.slice(start, end)).toBe('  setup();   \n  return 1;');
  });
  it('matches across indentation drift (multi-line block)', () => {
    // File indents with 4 spaces; model emitted 2-space indentation. trimEnd
    // alone does not normalize LEADING whitespace, so this exercises... actually
    // leading-indent drift is a Levenshtein-tier fallback. Here we keep the
    // leading indent identical and drift only trailing whitespace per line.
    const content = ['if (x) {', '    doThing();    ', '    doOther();', '}'].join('\n');
    const needle = ['    doThing();', '    doOther();'].join('\n');
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('    doThing();    \n    doOther();');
  });
  it('ignores leading/trailing blank needle lines', () => {
    const content = 'header\nbody line\nfooter\n';
    const needle = '\n\nbody line\n\n';
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('body line');
  });
  it('reports ambiguous when a whitespace-window matches twice', () => {
    // Both line 1 and line 4 differ from the needle only by trailing whitespace,
    // so exact indexOf fails (no exact substring) and the whitespace tier finds
    // two equivalent windows → ambiguous.
    const content = 'x = 1;  \ny = 2;\nz = 3;\nx = 1;\t\n';
    const needle = 'x = 1;'; // no trailing ws → not an exact substring of either line
    const result = locateMatch(content, needle);
    expect(result).toEqual({ kind: 'ambiguous', count: 2 });
  });
 });
 describe('locateMatch — strategy 3: unicode canonicalization', () => {
  it('matches across curly quotes', () => {
    const content = "const s = 'hello';\n";
    const needle = 'const s = ‘hello’;'; // ‘hello’
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    // Span maps back to ORIGINAL (straight-quote) text.
    expect(content.slice(start, end)).toBe("const s = 'hello';");
  });
  it('matches across curly double-quotes', () => {
    const content = 'log("done");\n';
    const needle = 'log(“done”);'; // “done”
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('log("done");');
  });
  it('matches across an em-dash drift', () => {
    const content = 'range 1-10 inclusive\n';
    const needle = 'range 1—10 inclusive'; // em-dash
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('range 1-10 inclusive');
  });
  it('matches across a non-breaking space drift', () => {
    const content = 'a b c\n'; // plain spaces
    const needle = 'a b c'; // nbsp between words
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('a b c');
  });
 });
 describe('locateMatch — strategy 4: Levenshtein', () => {
  it('matches a >= threshold near-miss (small typo drift)', () => {
    // Needle has a one-char typo ('totals' vs 'total') so it is NOT an exact
    // substring and the whitespace/canonical tiers (which require equality) both
    // miss; Levenshtein similarity stays well above the 0.66 floor.
    const content = 'const total = sum + tax;\n';
    const needle = 'const totals = sum + tax;';
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    // Span maps to the real (correctly-spelled) file line.
    expect(content.slice(start, end)).toBe('const total = sum + tax;');
  });
  it('matches a multi-line block with indentation drift via Levenshtein', () => {
    const content = ['function g() {', '  return compute(a, b);', '}'].join('\n');
    // 6-space indent vs file's 2-space; trimEnd does not fix leading indent, so
    // this lands on the Levenshtein tier (joined-trim makes it identical → ~1.0).
    const needle = ['      return compute(a, b);'].join('\n');
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('  return compute(a, b);');
  });
  it('returns not_found for a below-threshold miss', () => {
    const content = 'the quick brown fox jumps over the lazy dog\n';
    const needle = 'completely unrelated string of text here xyz';
    const result = locateMatch(content, needle);
    expect(result).toEqual({ kind: 'not_found' });
  });
  it('returns not_found for a genuinely-absent needle', () => {
    const content = 'alpha\nbeta\ngamma\n';
    const needle = 'this content does not exist anywhere at all';
    const result = locateMatch(content, needle);
    expect(result).toEqual({ kind: 'not_found' });
  });
 });
 describe('locateMatch — edge cases', () => {
  it('returns not_found for an empty needle', () => {
    expect(locateMatch('anything', '')).toEqual({ kind: 'not_found' });
  });
  it('exposes a sane similarity threshold', () => {
    expect(SIMILARITY_THRESHOLD).toBeGreaterThan(0);
    expect(SIMILARITY_THRESHOLD).toBeLessThanOrEqual(1);
  });
 });
--- a/apps/coder/src/services/tests/provider-commands.test.ts
+++ b/apps/coder/src/services/tests/provider-commands.test.ts
@@ -3,7 +3,7 @@ import { getManifestCommands, mergeCommands, PROVIDER_COMMANDS } from '../provid
 describe('provider-commands', () => {
  it('defines commands for every external harness', () => {
-    for (const name of ['claude', 'opencode', 'cursor', 'goose', 'qwen', 'copilot']) {
+    for (const name of ['claude', 'opencode', 'goose', 'qwen']) {
      expect(getManifestCommands(name).length, name).toBeGreaterThan(0);
    }
  });
--- a/apps/coder/src/services/tests/provider-config-registry.test.ts
+++ b/apps/coder/src/services/tests/provider-config-registry.test.ts
@@ -0,0 +1,93 @@
 import { describe, it, expect, vi } from 'vitest';
 import { buildResolvedRegistry } from '../provider-config-registry.js';
 import { PROVIDERS } from '../provider-registry.js';
 import type { CoderProvidersFile } from '../provider-config.js';
 describe('buildResolvedRegistry', () => {
  it('applies a built-in override (goose label)', () => {
    const config: CoderProvidersFile = { providers: { goose: { label: 'Goosey' } } };
    const reg = buildResolvedRegistry(PROVIDERS, config);
    const goose = reg.get('goose');
    expect(goose).toBeDefined();
    expect(goose!.label).toBe('Goosey');
    expect(goose!.configLabel).toBe('Goosey');
    expect(goose!.enabled).toBe(true);
    expect(goose!.isBuiltin).toBe(true);
    expect(goose!.isCustomAcp).toBe(false);
  });
  it('adds a custom ACP entry (extends:acp + label + command)', () => {
    const config: CoderProvidersFile = {
      providers: {
        'amp-acp': { extends: 'acp', label: 'Amp', description: 'ACP wrapper', command: ['amp-acp', '--acp'], env: { AMP: '1' } },
      },
    };
    const reg = buildResolvedRegistry(PROVIDERS, config);
    const amp = reg.get('amp-acp');
    expect(amp).toBeDefined();
    expect(amp!.isCustomAcp).toBe(true);
    expect(amp!.isBuiltin).toBe(false);
    expect(amp!.transport).toBe('acp');
    expect(amp!.modelSource).toBe('probe');
    expect(amp!.launchCommand).toEqual(['amp-acp', '--acp']);
    expect(amp!.env).toEqual({ AMP: '1' });
    expect(amp!.enabled).toBe(true);
  });
  it('keeps a disabled built-in in the registry flagged disabled (goose)', () => {
    const config: CoderProvidersFile = { providers: { goose: { enabled: false } } };
    const reg = buildResolvedRegistry(PROVIDERS, config);
    expect(reg.has('goose')).toBe(true);
    expect(reg.get('goose')!.enabled).toBe(false);
  });
  it('skips a custom id without extends (no throw)', () => {
    const config: CoderProvidersFile = { providers: { weird: { label: 'Weird', command: ['weird'] } } };
    const warn = vi.spyOn(console, 'warn').mockImplementation(() => {});
    const reg = buildResolvedRegistry(PROVIDERS, config);
    expect(reg.has('weird')).toBe(false);
    // built-ins untouched
    expect(reg.size).toBe(PROVIDERS.length);
    expect(warn).toHaveBeenCalled();
    warn.mockRestore();
  });
  it('ignores enabled:false on boocode and warns', () => {
    const config: CoderProvidersFile = { providers: { boocode: { enabled: false } } };
    const warn = vi.spyOn(console, 'warn').mockImplementation(() => {});
    const reg = buildResolvedRegistry(PROVIDERS, config);
    expect(reg.get('boocode')!.enabled).toBe(true);
    expect(warn).toHaveBeenCalled();
    warn.mockRestore();
  });
  it('carries config models + additionalModels onto built-in and custom defs', () => {
    const reg = buildResolvedRegistry(PROVIDERS, {
      providers: {
        claude: { models: [{ id: 'claude-opus-4-8', label: 'Opus 4.8' }] },
        'amp-acp': {
          extends: 'acp',
          label: 'Amp',
          command: ['amp-acp'],
          additionalModels: [{ id: 'amp-1', label: 'Amp 1' }],
        },
      },
    });
    expect(reg.get('claude')!.configModels).toEqual([{ id: 'claude-opus-4-8', label: 'Opus 4.8' }]);
    expect(reg.get('amp-acp')!.configAdditionalModels).toEqual([{ id: 'amp-1', label: 'Amp 1' }]);
  });
  it('REGRESSION: empty config returns exactly the built-ins, all enabled', () => {
    const reg = buildResolvedRegistry(PROVIDERS, { providers: {} });
    expect(reg.size).toBe(PROVIDERS.length);
    expect([...reg.keys()]).toEqual(PROVIDERS.map((p) => p.name));
    for (const def of PROVIDERS) {
      const r = reg.get(def.name)!;
      expect(r.enabled).toBe(true);
      expect(r.isBuiltin).toBe(true);
      expect(r.isCustomAcp).toBe(false);
      expect(r.launchCommand).toBeNull();
      expect(r.label).toBe(def.label);
    }
  });
 });
--- a/apps/coder/src/services/tests/provider-config.test.ts
+++ b/apps/coder/src/services/tests/provider-config.test.ts
@@ -0,0 +1,96 @@
 import { describe, it, expect } from 'vitest';
 import {
  mergeProviderConfigPatch,
  ProviderConfigPatchSchema,
  CoderProvidersFileSchema,
  type CoderProvidersFile,
 } from '../provider-config.js';
 describe('ProviderConfigPatchSchema', () => {
  it('accepts a per-provider override patch', () => {
    const parsed = ProviderConfigPatchSchema.safeParse({ providers: { goose: { enabled: false } } });
    expect(parsed.success).toBe(true);
  });
  it('accepts a null value (delete-the-override sentinel)', () => {
    const parsed = ProviderConfigPatchSchema.safeParse({ providers: { goose: null } });
    expect(parsed.success).toBe(true);
  });
  it('defaults providers to {} on an empty body', () => {
    const parsed = ProviderConfigPatchSchema.safeParse({});
    expect(parsed.success).toBe(true);
    if (parsed.success) expect(parsed.data.providers).toEqual({});
  });
  it('rejects a malformed override (wrong field type)', () => {
    const parsed = ProviderConfigPatchSchema.safeParse({ providers: { goose: { enabled: 'yes' } } });
    expect(parsed.success).toBe(false);
  });
  it('rejects a non-object providers map', () => {
    const parsed = ProviderConfigPatchSchema.safeParse({ providers: 123 });
    expect(parsed.success).toBe(false);
  });
 });
 describe('mergeProviderConfigPatch', () => {
  const current: CoderProvidersFile = {
    providers: {
      goose: { enabled: true, label: 'Goose' },
      opencode: { enabled: true },
    },
  };
  it('replaces an existing override object wholesale (not deep-merge)', () => {
    const merged = mergeProviderConfigPatch(current, { providers: { goose: { enabled: false } } });
    // Whole override replaced — the prior `label` is gone, only `enabled` remains.
    expect(merged.providers.goose).toEqual({ enabled: false });
  });
  it('adds a brand-new override id', () => {
    const merged = mergeProviderConfigPatch(current, {
      providers: { 'amp-acp': { extends: 'acp', label: 'Amp', command: ['amp-acp'] } },
    });
    expect(merged.providers['amp-acp']).toEqual({ extends: 'acp', label: 'Amp', command: ['amp-acp'] });
  });
  it('deletes an override when the value is null', () => {
    const merged = mergeProviderConfigPatch(current, { providers: { goose: null } });
    expect(merged.providers.goose).toBeUndefined();
    expect(Object.keys(merged.providers)).toEqual(['opencode']);
  });
  it('leaves ids absent from the patch untouched', () => {
    const merged = mergeProviderConfigPatch(current, { providers: { goose: { enabled: false } } });
    expect(merged.providers.opencode).toEqual({ enabled: true });
  });
  it('does not mutate the input config', () => {
    const snapshot = JSON.parse(JSON.stringify(current));
    mergeProviderConfigPatch(current, { providers: { goose: null, opencode: { enabled: false } } });
    expect(current).toEqual(snapshot);
  });
  it('empty patch returns an equivalent config', () => {
    const merged = mergeProviderConfigPatch(current, { providers: {} });
    expect(merged).toEqual(current);
  });
 });
 describe('CoderProvidersFileSchema (validate-before-save guard)', () => {
  it('accepts a clean merged config', () => {
    const merged = mergeProviderConfigPatch(
      { providers: {} },
      { providers: { goose: { enabled: false } } },
    );
    expect(CoderProvidersFileSchema.safeParse(merged).success).toBe(true);
  });
  it('rejects a config carrying an invalid override (never written)', () => {
    // A merged object that somehow holds a bad override must fail validation
    // so the PATCH route returns 422 and never calls save().
    const invalid = { providers: { goose: { enabled: 'nope' } } };
    expect(CoderProvidersFileSchema.safeParse(invalid).success).toBe(false);
  });
 });
--- a/apps/coder/src/services/tests/provider-diagnostic.test.ts
+++ b/apps/coder/src/services/tests/provider-diagnostic.test.ts
@@ -0,0 +1,85 @@
 import { describe, it, expect } from 'vitest';
 import { getProviderDiagnostic, type DiagnosticAgentRow } from '../provider-diagnostic.js';
 import { buildResolvedRegistry } from '../provider-config-registry.js';
 import { PROVIDERS } from '../provider-registry.js';
 import type { ProviderSnapshotEntry } from '../provider-types.js';
 const registry = buildResolvedRegistry(PROVIDERS, {
  providers: {
    goose: { enabled: false },
    'amp-acp': { extends: 'acp', label: 'Amp', command: ['amp-acp', '--acp'] },
  },
 });
 const alwaysAvailable = () => Promise.resolve(true);
 const neverAvailable = () => Promise.resolve(false);
 describe('getProviderDiagnostic', () => {
  it('reports a disabled built-in (enabled:false, no install)', async () => {
    const report = await getProviderDiagnostic(registry.get('goose')!, undefined, {
      checkAvailable: neverAvailable,
    });
    expect(report).toContain('provider: goose');
    expect(report).toContain('enabled: false');
    expect(report).toContain('installed: false');
    expect(report).toMatch(/command_available:\s*false/);
  });
  it('reports an installed built-in with its install_path, last_probed_at, model count', async () => {
    const agentRow: DiagnosticAgentRow = {
      name: 'opencode',
      install_path: '/usr/bin/opencode',
      supports_acp: true,
      models: [
        { id: 'm1', label: 'M1' },
        { id: 'm2', label: 'M2' },
      ],
      last_probed_at: '2026-05-29T12:00:00.000Z',
    };
    const report = await getProviderDiagnostic(registry.get('opencode')!, agentRow, {
      checkAvailable: alwaysAvailable,
    });
    expect(report).toContain('install_path: /usr/bin/opencode');
    expect(report).toContain('2026-05-29T12:00:00.000Z');
    expect(report).toContain('installed: true');
    expect(report).toMatch(/models_in_db:\s*2/);
    expect(report).toMatch(/command_available:\s*true/);
  });
  it('reports a custom ACP launch command + its binary', async () => {
    const report = await getProviderDiagnostic(registry.get('amp-acp')!, undefined, {
      checkAvailable: alwaysAvailable,
    });
    expect(report).toContain('provider: amp-acp');
    expect(report).toContain('amp-acp --acp');
    expect(report).toContain('customAcp: true');
  });
  it('surfaces the last probe error from a cached snapshot entry', async () => {
    const cachedEntry: ProviderSnapshotEntry = {
      name: 'opencode',
      label: 'OpenCode',
      transport: 'acp',
      status: 'error',
      enabled: true,
      installed: true,
      models: [],
      modes: [],
      defaultModeId: null,
      commands: [],
      error: 'ACP initialize timed out',
    };
    const report = await getProviderDiagnostic(registry.get('opencode')!, undefined, {
      cachedEntry,
      checkAvailable: alwaysAvailable,
    });
    expect(report).toContain('ACP initialize timed out');
  });
  it('reports no error when none is cached', async () => {
    const report = await getProviderDiagnostic(registry.get('opencode')!, undefined, {
      checkAvailable: alwaysAvailable,
    });
    expect(report).toMatch(/last_probe_error:\s*\(none/);
  });
 });
--- a/apps/coder/src/services/tests/provider-snapshot.test.ts
+++ b/apps/coder/src/services/tests/provider-snapshot.test.ts
@@ -1,10 +1,15 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { writeFileSync } from 'node:fs';
 import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import {
  mergeModels,
  prefixLlamaSwapModels,
  clearProviderSnapshotCache,
  getProviderSnapshot,
  peekSnapshotEntry,
 } from '../provider-snapshot.js';
 import { loadProviderConfig } from '../provider-config-registry.js';
 vi.mock('../acp-probe.js', () => ({
  probeAcpProvider: vi.fn(),
@@ -14,6 +19,13 @@ import { probeAcpProvider } from '../acp-probe.js';
 const mockProbe = vi.mocked(probeAcpProvider);
 /** Write a temp coder-providers.json and point the resolved registry at it. */
 function loadConfigFixture(providers: Record<string, unknown>): void {
  const path = join(tmpdir(), `coder-providers-test-${providers ? Object.keys(providers).join('-') || 'empty' : 'empty'}.json`);
  writeFileSync(path, JSON.stringify({ providers }), 'utf8');
  loadProviderConfig(path);
 }
 function mockSql(agents: Array<{
  name: string;
  install_path: string | null;
@@ -21,6 +33,7 @@ function mockSql(agents: Array<{
  models: Array<{ id: string; label: string }> | null;
  label: string | null;
  transport: string | null;
  last_probed_at?: string | null;
 }>) {
  return vi.fn((strings: TemplateStringsArray) => {
    const query = strings.join('');
@@ -36,6 +49,7 @@ function mockSql(agents: Array<{
 const config = {
  LLAMA_SWAP_URL: 'http://llama-swap.test',
  PROVIDER_PROBE_TTL_MS: 86_400_000,
 } as import('../config.js').Config;
 describe('prefixLlamaSwapModels', () => {
@@ -68,6 +82,8 @@ describe('mergeModels', () => {
 describe('getProviderSnapshot', () => {
  beforeEach(() => {
    clearProviderSnapshotCache();
    // Reset the resolved registry to built-ins-only (missing path → {} config).
    loadProviderConfig('/nonexistent-coder-providers.json');
    vi.restoreAllMocks();
    vi.stubGlobal(
      'fetch',
@@ -165,4 +181,190 @@ describe('getProviderSnapshot', () => {
    expect(claude?.modes.length).toBeGreaterThan(0);
    expect(claude?.commands.some((c) => c.name === 'help')).toBe(true);
  });
  it('disabled provider → unavailable + enabled:false, WITHOUT spawning a probe', async () => {
    loadConfigFixture({ goose: { enabled: false } });
    mockProbe.mockResolvedValue({ ok: true, models: [], modes: [], defaultModeId: null, commands: [] });
    const sql = mockSql([
      {
        name: 'goose',
        install_path: '/usr/bin/goose',
        supports_acp: true,
        models: [{ id: 'g1', label: 'G1' }],
        label: 'Goose',
        transport: 'acp',
        last_probed_at: new Date().toISOString(),
      },
    ]);
    const entries = await getProviderSnapshot(sql, config, '/tmp/project', true);
    const goose = entries.find((e) => e.name === 'goose');
    expect(goose?.status).toBe('unavailable');
    expect(goose?.enabled).toBe(false);
    expect(goose?.installed).toBe(false);
    expect(mockProbe).not.toHaveBeenCalled();
  });
  it('uninstalled provider → unavailable + enabled:true + installed:false', async () => {
    loadConfigFixture({});
    mockProbe.mockResolvedValue({ ok: true, models: [], modes: [], defaultModeId: null, commands: [] });
    const sql = mockSql([]); // nothing probed/installed
    const entries = await getProviderSnapshot(sql, config, '/tmp/project', true);
    const opencode = entries.find((e) => e.name === 'opencode');
    expect(opencode?.status).toBe('unavailable');
    expect(opencode?.enabled).toBe(true);
    expect(opencode?.installed).toBe(false);
    expect(mockProbe).not.toHaveBeenCalled();
  });
  it('fresh DB within TTL → tier-2 cold probe SKIPPED (serves DB models)', async () => {
    loadConfigFixture({});
    // If this were wrongly called, cached-goose would be replaced and the
    // not.toHaveBeenCalled assertion would fail.
    mockProbe.mockResolvedValue({
      ok: true,
      models: [{ id: 'SHOULD-NOT-APPEAR', label: 'nope' }],
      modes: [],
      defaultModeId: null,
      commands: [],
    });
    const sql = mockSql([
      {
        name: 'goose',
        install_path: '/usr/bin/goose',
        supports_acp: true,
        models: [{ id: 'cached-goose', label: 'Cached Goose' }],
        label: 'Goose',
        transport: 'acp',
        last_probed_at: new Date().toISOString(), // fresh
      },
    ]);
    // force=false → cache-miss returns loading; second call joins the build / cache.
    await getProviderSnapshot(sql, config, '/tmp/cwd', false);
    const entries = await getProviderSnapshot(sql, config, '/tmp/cwd', false);
    const goose = entries.find((e) => e.name === 'goose');
    expect(goose?.status).toBe('ready');
    expect(goose?.installed).toBe(true);
    expect(goose?.models.map((m) => m.id)).toContain('cached-goose');
    expect(goose?.models.map((m) => m.id)).not.toContain('SHOULD-NOT-APPEAR');
    expect(mockProbe).not.toHaveBeenCalled();
  });
  it('force refresh → tier-2 cold probe RUNS even when DB is fresh', async () => {
    loadConfigFixture({});
    mockProbe.mockResolvedValue({
      ok: true,
      models: [{ id: 'fresh-probe', label: 'Fresh' }],
      modes: [],
      defaultModeId: null,
      commands: [],
    });
    const sql = mockSql([
      {
        name: 'goose',
        install_path: '/usr/bin/goose',
        supports_acp: true,
        models: [{ id: 'cached-goose', label: 'Cached' }],
        label: 'Goose',
        transport: 'acp',
        last_probed_at: new Date().toISOString(), // fresh, but force overrides
      },
    ]);
    await getProviderSnapshot(sql, config, '/tmp/cwd', true);
    expect(mockProbe).toHaveBeenCalled();
  });
  it('native boocode → ready, enabled, installed', async () => {
    loadConfigFixture({});
    const sql = mockSql([]);
    const entries = await getProviderSnapshot(sql, config, '/tmp/project', true);
    const boocode = entries.find((e) => e.name === 'boocode');
    expect(boocode?.status).toBe('ready');
    expect(boocode?.enabled).toBe(true);
    expect(boocode?.installed).toBe(true);
  });
  it('config models REPLACE the claude static list; additionalModels merge (+ thinking)', async () => {
    loadConfigFixture({
      claude: {
        models: [{ id: 'claude-opus-4-8', label: 'Opus 4.8' }],
        additionalModels: [{ id: 'sonnet', label: 'Sonnet (latest)' }],
      },
    });
    const sql = mockSql([
      {
        name: 'claude',
        install_path: '/usr/bin/claude',
        supports_acp: false,
        models: [{ id: 'old-static', label: 'Old' }],
        label: 'Claude Code',
        transport: 'pty',
        last_probed_at: new Date().toISOString(),
      },
    ]);
    const entries = await getProviderSnapshot(sql, config, '/tmp/project', true);
    const claude = entries.find((e) => e.name === 'claude');
    const ids = claude!.models.map((m) => m.id);
    expect(ids).toContain('claude-opus-4-8'); // config models replaced the DB/static list
    expect(ids).toContain('sonnet'); // additionalModels merged on top
    expect(ids).not.toContain('old-static'); // replaced, not appended
    // thinking options still attach to the config-provided models
    expect(claude!.models.find((m) => m.id === 'claude-opus-4-8')?.thinkingOptions?.length).toBeGreaterThan(0);
  });
  it('peekSnapshotEntry returns a cached entry (read-only) and undefined when cold/unknown', async () => {
    loadConfigFixture({});
    // Cold cache → undefined (no build triggered).
    expect(peekSnapshotEntry('boocode', '/tmp/peek')).toBeUndefined();
    const sql = mockSql([]);
    await getProviderSnapshot(sql, config, '/tmp/peek', true);
    expect(peekSnapshotEntry('boocode', '/tmp/peek')?.name).toBe('boocode');
    expect(peekSnapshotEntry('does-not-exist', '/tmp/peek')).toBeUndefined();
  });
  it('2.7 warm cache: a second snapshot within the warm window spawns ZERO probes', async () => {
    loadConfigFixture({});
    mockProbe.mockResolvedValue({
      ok: true,
      models: [{ id: 'm1', label: 'M1' }],
      modes: [],
      defaultModeId: null,
      commands: [],
    });
    const sql = mockSql([
      {
        name: 'goose',
        install_path: '/usr/bin/goose',
        supports_acp: true,
        models: null,
        label: 'Goose',
        transport: 'acp',
        last_probed_at: null,
      },
    ]);
    await getProviderSnapshot(sql, config, '/tmp/cwd', true); // cold populate
    const probeCallsAfterFirst = mockProbe.mock.calls.length;
    await getProviderSnapshot(sql, config, '/tmp/cwd', false); // warm read
    const probeCallsAfterSecond = mockProbe.mock.calls.length;
    // Success criterion: second snapshot is served from cache with no ACP spawns.
    expect(probeCallsAfterSecond - probeCallsAfterFirst).toBe(0);
  });
 });
--- a/apps/coder/src/services/tests/provider-types-parity.test.ts
+++ b/apps/coder/src/services/tests/provider-types-parity.test.ts
@@ -0,0 +1,64 @@
 import { describe, it, expect } from 'vitest';
 import { readFileSync } from 'node:fs';
 import { resolve, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 /**
 * Parity guard between the two copies of the provider snapshot types:
 *   apps/coder/src/services/provider-types.ts  (backend source of truth)
 *   apps/web/src/api/types.ts                  (web wire copy)
 *
 * APPROACH: text-identity of each shared type block (mirrors the repo's existing
 * ws-frames.test.ts byte-parity convention). A compile-time bidirectional-
 * assignability check was attempted first (a web-side file importing coder's
 * import-free provider-types.ts), but apps/web/tsconfig.app.json is a composite
 * project and rejects out-of-include files with TS6307 — so cross-project type
 * import is structurally blocked. This runtime guard FAILS on any field
 * add/remove/rename/loosen in either copy, including the nested model/mode/
 * command types that ProviderSnapshotEntry references. Single-source-of-truth
 * (shared workspace package) is deferred as a Tier-2 follow-up.
 */
 const here = dirname(fileURLToPath(import.meta.url));
 const coderSrc = readFileSync(resolve(here, '../provider-types.ts'), 'utf8');
 const webSrc = readFileSync(resolve(here, '../../../../web/src/api/types.ts'), 'utf8');
 function extractBlock(src: string, name: string): string {
  const iface = src.match(new RegExp(`export interface ${name} \\{[\\s\\S]*?\\n\\}`));
  const alias = src.match(new RegExp(`export type ${name} =[^;]*;`));
  const block = iface?.[0] ?? alias?.[0];
  if (!block) throw new Error(`type block '${name}' not found`);
  // Normalize to type structure: drop blank + comment lines (//, /* */, *),
  // trim each line. Field add/remove/rename/loosen still changes a field line.
  return block
    .split('\n')
    .map((l) => l.trim())
    .filter(
      (l) =>
        l.length > 0 &&
        !l.startsWith('//') &&
        !l.startsWith('/*') &&
        !l.startsWith('*'),
    )
    .join('\n');
 }
 describe('provider snapshot type parity (coder ↔ web)', () => {
  // Includes the nested types ProviderSnapshotEntry references, so structural
  // drift anywhere in the snapshot surface is caught.
  const names = [
    'ProviderSnapshotStatus',
    'ProviderSnapshotEntry',
    'ProviderModel',
    'ProviderMode',
    'ThinkingOption',
    'AgentCommand',
  ];
  for (const name of names) {
    it(`${name} is identical in both copies`, () => {
      expect(
        extractBlock(webSrc, name),
        `${name} drifted between apps/coder/src/services/provider-types.ts and apps/web/src/api/types.ts`,
      ).toBe(extractBlock(coderSrc, name));
    });
  }
 });
--- a/apps/coder/src/services/tests/reconnect_integration.test.ts
+++ b/apps/coder/src/services/tests/reconnect_integration.test.ts
@@ -0,0 +1,170 @@
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 import { readFileSync, existsSync } from 'node:fs';
 import { rm, mkdir } from 'node:fs/promises';
 import { resolve } from 'node:path';
 import postgres from 'postgres';
 import {
  ensureSessionWorktree,
  closeChatBackendState,
  rebaselineWorktreeAfterApply,
 } from '../worktrees.js';
 import { reapOrphanWorktrees } from '../orphan-worktree-reaper.js';
 import { hostExec } from '../host-exec.js';
 /**
 * v2.6 Phase 3 (3.6) — reconnect-after-restart integration test.
 *
 * Proves the DB-truth side of crash/restart recovery: a BooCoder restart wipes the
 * in-memory pool, but the persistent `worktrees` + `agent_sessions` rows survive,
 * so the "next turn" re-resolves the SAME worktree (reattach, no new dir) and the
 * agent-session row is still there to resume from. Also exercises the chat-close
 * hook (3.3), the apply re-baseline (3.5), and the orphan reaper (3.4) end-to-end
 * against a real git repo + postgres.
 *
 * Requires DATABASE_URL (DB-opt-in; skips cleanly otherwise) AND git on PATH. Runs:
 *   DATABASE_URL='postgres://boocode:devpass@localhost:5500/boochat' pnpm -C apps/coder test
 */
 describe.runIf(!!process.env.DATABASE_URL)('reconnect after restart (Phase 3)', () => {
  let sql: ReturnType<typeof postgres>;
  const stamp = Date.now();
  const projectDir = `/tmp/boocode-reconnect-proj-${stamp}`;
  let projectId: string;
  let sessionId: string;
  let chatId: string;
  beforeAll(async () => {
    sql = postgres(process.env.DATABASE_URL!, { max: 3 });
    // Both schemas land in the one boochat DB: server owns sessions/chats/projects,
    // coder owns worktrees/agent_sessions (FK targets must pre-exist → server first).
    const serverSchema = resolve(__dirname, '../../../../server/src/schema.sql');
    const coderSchema = resolve(__dirname, '../../schema.sql');
    await sql.unsafe(readFileSync(serverSchema, 'utf8'));
    await sql.unsafe(readFileSync(coderSchema, 'utf8'));
    // A real git repo with one commit so worktree add / diff / rev-parse work.
    await mkdir(projectDir, { recursive: true });
    await hostExec(
      `cd ${projectDir} && git init -q && git config user.email t@t && git config user.name t ` +
        `&& echo hello > README.md && git add -A && git commit -qm init`,
      { timeoutMs: 20_000 },
    );
    const [project] = await sql<{ id: string }[]>`
      INSERT INTO projects (name, path, status) VALUES ('reconnect-test', ${projectDir}, 'open') RETURNING id
    `;
    projectId = project!.id;
    const [session] = await sql<{ id: string }[]>`
      INSERT INTO sessions (project_id, name, model, status)
      VALUES (${projectId}, 'recon', 'm', 'open') RETURNING id
    `;
    sessionId = session!.id;
    const [chat] = await sql<{ id: string }[]>`
      INSERT INTO chats (session_id, name, status) VALUES (${sessionId}, 'tab', 'open') RETURNING id
    `;
    chatId = chat!.id;
  });
  afterAll(async () => {
    if (sql) {
      // Best-effort worktree cleanup before dropping rows.
      const rows = await sql<{ path: string }[]>`SELECT path FROM worktrees WHERE session_id = ${sessionId}`.catch(() => []);
      for (const r of rows) {
        await hostExec(`git -C ${projectDir} worktree remove ${r.path} --force`, { timeoutMs: 10_000 }).catch(() => {});
      }
      await sql`DELETE FROM agent_sessions WHERE chat_id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM worktrees WHERE session_id = ${sessionId}`.catch(() => {});
      await sql`DELETE FROM chats WHERE id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM sessions WHERE id = ${sessionId}`.catch(() => {});
      await sql`DELETE FROM projects WHERE id = ${projectId}`.catch(() => {});
      await sql.end({ timeout: 5 });
    }
    await rm(projectDir, { recursive: true, force: true });
  });
  it('reattaches the SAME worktree across a simulated restart (no new dir)', async () => {
    // "Turn 1" — first ensureSessionWorktree creates the worktree + row.
    const first = await ensureSessionWorktree(sql, projectDir, sessionId);
    expect(existsSync(first.worktreePath)).toBe(true);
    expect(first.baseCommit).toBeTruthy();
    // Simulate an agent_sessions row written by turn 1 (opencode).
    await sql`
      INSERT INTO agent_sessions (chat_id, session_id, worktree_id, agent, backend, agent_session_id, status, last_active_at)
      VALUES (${chatId}, ${sessionId}, ${first.worktreeId}, 'opencode', 'opencode_server', 'oc-sess-1', 'active', clock_timestamp())
      ON CONFLICT (chat_id, agent) DO NOTHING
    `;
    // "Restart" = brand-new resolution with NO in-memory state. ensureSessionWorktree
    // must return the EXISTING row (same id + path), proving reattach not re-create.
    const second = await ensureSessionWorktree(sql, projectDir, sessionId);
    expect(second.worktreeId).toBe(first.worktreeId);
    expect(second.worktreePath).toBe(first.worktreePath);
    expect(second.baseCommit).toBe(first.baseCommit);
    // The agent_sessions row survived the "restart" with its resume handle intact.
    const [row] = await sql<{ agent_session_id: string; status: string }[]>`
      SELECT agent_session_id, status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'opencode'
    `;
    expect(row!.agent_session_id).toBe('oc-sess-1');
  });
  it('re-baselines the worktree diff after apply (3.5)', async () => {
    const wt = await ensureSessionWorktree(sql, projectDir, sessionId);
    const baseBefore = wt.baseCommit;
    // Make a change in the worktree (as an external agent would).
    await hostExec(`cd ${wt.worktreePath} && echo change >> README.md`, { timeoutMs: 10_000 });
    const r = await rebaselineWorktreeAfterApply(sql, sessionId);
    expect(r.rebaselined).toBe(true);
    expect(r.newBaseCommit).toBeTruthy();
    expect(r.newBaseCommit).not.toBe(baseBefore);
    const [row] = await sql<{ base_commit: string }[]>`
      SELECT base_commit FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'
    `;
    expect(row!.base_commit).toBe(r.newBaseCommit);
    // Idempotent: a second re-baseline with no new edits is a no-op.
    const r2 = await rebaselineWorktreeAfterApply(sql, sessionId);
    expect(r2.rebaselined).toBe(false);
  });
  it('chat-close hook closes agent rows + removes the worktree on the last chat (3.3)', async () => {
    // Sanity: an active worktree + agent row exist from the prior tests.
    const beforeWt = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    expect(beforeWt.length).toBe(1);
    const result = await closeChatBackendState(sql, chatId);
    expect(result.agentRowsClosed).toBeGreaterThanOrEqual(1);
    // chatId is the session's only chat → worktree removed (it was clean after the
    // re-baseline commit), not at-risk.
    expect(result.worktreeAtRisk).toBe(false);
    expect(result.worktreeRemoved).toBe(true);
    const [agentRow] = await sql<{ status: string }[]>`
      SELECT status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'opencode'
    `;
    expect(agentRow!.status).toBe('closed');
    const activeWt = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    expect(activeWt.length).toBe(0); // archived, no longer active
  });
  it('orphan reaper leaves a live worktree alone and reaps a row-less dir (3.4)', async () => {
    // Recreate a live worktree for this session (the close test archived the old one).
    const live = await ensureSessionWorktree(sql, projectDir, sessionId);
    expect(existsSync(live.worktreePath)).toBe(true);
    // A live worktree (active row) with grace 0 must NOT be reaped.
    const r1 = await reapOrphanWorktrees(sql, console as never, 0, Date.now());
    expect(r1.reaped).not.toContain(live.worktreePath);
    // Now archive its row (simulating a leaked dir) and reap again — it becomes an
    // orphan and is reclaimed (it's clean → not at-risk).
    await sql`UPDATE worktrees SET status = 'archived' WHERE id = ${live.worktreeId}`;
    const r2 = await reapOrphanWorktrees(sql, console as never, 0, Date.now());
    expect(r2.reaped).toContain(live.worktreePath);
    expect(existsSync(live.worktreePath)).toBe(false);
  });
 });
--- a/apps/coder/src/services/acp-client-fs.ts
+++ b/apps/coder/src/services/acp-client-fs.ts
@@ -1,5 +1,25 @@
 import { promises as fs } from 'node:fs';
-import { dirname, isAbsolute, join, resolve } from 'node:path';
+import { dirname, isAbsolute, resolve, sep } from 'node:path';
 /**
 * Resolve an ACP-supplied path against the agent worktree and reject anything
 * that escapes it. Mirrors `write_guard.ts`'s check: `resolve()` to normalize
 * `../` segments, then a **separator-bounded** prefix test — a bare
 * `startsWith(root)` wrongly admits a sibling dir like `<root>-evil/...`.
 *
 * No realpath (consistent with `write_guard.ts`: the target may not exist yet on
 * write). This is a containment guard for the ACP fs bridge, not a hard trust
 * boundary — the agent process already runs with host FS access; symlink-swap
 * hardening (`O_NOFOLLOW`/realpath) is out of scope here.
 */
 function resolveInWorktree(worktreePath: string, filePath: string): string {
  const root = resolve(worktreePath);
  const absolute = isAbsolute(filePath) ? resolve(filePath) : resolve(root, filePath);
  if (absolute !== root && !absolute.startsWith(root + sep)) {
    throw new Error(`path escapes worktree: ${filePath}`);
  }
  return absolute;
 }
 /** Resolve an ACP path against the agent worktree and read a slice of lines. */
 export async function readWorktreeTextFile(
@@ -8,10 +28,7 @@ export async function readWorktreeTextFile(
  line?: number | null,
  limit?: number | null,
 ): Promise<string> {
-  const absolute = isAbsolute(filePath) ? filePath : resolve(worktreePath, filePath);
+  const absolute = resolveInWorktree(worktreePath, filePath);
  if (!absolute.startsWith(resolve(worktreePath))) {
    throw new Error(`path escapes worktree: ${filePath}`);
  }
  const raw = await fs.readFile(absolute, 'utf8');
  if (!line && !limit) return raw;
  const lines = raw.split(/\r?\n/);
@@ -26,10 +43,7 @@ export async function writeWorktreeTextFile(
  filePath: string,
  content: string,
 ): Promise<void> {
-  const absolute = isAbsolute(filePath) ? filePath : resolve(worktreePath, filePath);
+  const absolute = resolveInWorktree(worktreePath, filePath);
  if (!absolute.startsWith(resolve(worktreePath))) {
    throw new Error(`path escapes worktree: ${filePath}`);
  }
  await fs.mkdir(dirname(absolute), { recursive: true });
  await fs.writeFile(absolute, content, 'utf8');
 }
--- a/apps/coder/src/services/acp-dispatch.ts
+++ b/apps/coder/src/services/acp-dispatch.ts
@@ -26,14 +26,15 @@ import type { Broker } from '@boocode/server/broker';
 import type { WsFrame } from '@boocode/server/ws-frames';
 import { spawn } from 'node:child_process';
 import { findThoughtLevelConfigId } from './acp-derive.js';
-import { resolveAcpSpawnArgs } from './acp-spawn.js';
+import { resolveLaunchSpec } from './acp-spawn.js';
 import { getResolvedRegistry, type ResolvedProviderDef } from './provider-config-registry.js';
 import { createAcpNdJsonStream } from './acp-stream.js';
 import { waitForPermissionResponse, waitForElicitationResponse, cancelPendingPermission } from './permission-waiter.js';
 import { mergeTaskCommands, getTaskCommands } from './agent-commands-cache.js';
 import { readWorktreeTextFile, writeWorktreeTextFile } from './acp-client-fs.js';
 import { mapSessionUpdate } from './acp-event-map.js';
 import {
  type AcpToolSnapshot,
  mergeToolSnapshot,
  snapshotToWireToolCall,
  synthesizeCanceledSnapshots,
 } from './acp-tool-snapshot.js';
@@ -59,6 +60,9 @@ export interface AcpDispatchOpts {
  messageId?: string;
  broker?: Broker;
  installPath?: string;
  /** v2.3 phase 3: resolved registry def for launch-spec resolution. The
   *  dispatcher loads this by task.agent; falls back to a registry lookup here. */
  resolved?: ResolvedProviderDef;
  signal?: AbortSignal;
  log: FastifyBaseLogger;
 }
@@ -155,63 +159,47 @@ class AcpStreamContext {
    } as WsFrame);
  }
  handleToolUpdate(toolCallId: string, update: Parameters<typeof mergeToolSnapshot>[1]): void {
    const previous = this.toolSnapshots.get(toolCallId);
    const snapshot = mergeToolSnapshot(toolCallId, update, previous);
    this.toolSnapshots.set(toolCallId, snapshot);
    this.publishToolSnapshot(snapshot);
  }
  async handleSessionUpdate(params: SessionNotification): Promise<void> {
-    const update = params.update;
+    // v2.6 Phase 2: the case-by-case mapping now lives in the shared, pure
-    switch (update.sessionUpdate) {
+    // `mapSessionUpdate` (reused by the warm ACP backend). This method keeps the
-      case 'agent_message_chunk': {
+    // identical broker-publishing side effects — it just translates the normalized
-        const content = update.content;
+    // AgentEvents back into the same frames it always emitted. `this.toolSnapshots`
-        if (content.type === 'text' && 'text' in content) {
+    // is the merge accumulator, so a later tool_call_update merges over its
-          const text = (content as { text: string }).text;
+    // tool_call (the prior `handleToolUpdate` behavior, byte-for-byte).
-          this.textChunks.push(text);
+    for (const event of mapSessionUpdate(params, this.toolSnapshots)) {
      switch (event.type) {
        case 'text':
          this.textChunks.push(event.text);
          if (this.canStream()) {
            this.opts.broker!.publishFrame(this.opts.sessionId!, {
              type: 'delta',
              message_id: this.opts.messageId!,
              chat_id: this.opts.chatId!,
-              content: text,
+              content: event.text,
            } as WsFrame);
          }
        }
          break;
-      }
+        case 'reasoning':
-      case 'agent_thought_chunk': {
+          this.reasoningChunks.push(event.text);
        const content = update.content;
        if (content.type === 'text' && 'text' in content) {
          const text = (content as { text: string }).text;
          this.reasoningChunks.push(text);
          if (this.canStream()) {
            this.opts.broker!.publishFrame(this.opts.sessionId!, {
              type: 'reasoning_delta',
              message_id: this.opts.messageId!,
              chat_id: this.opts.chatId!,
-              content: text,
+              content: event.text,
            } as WsFrame);
          }
        }
          break;
      }
        case 'tool_call':
-        this.handleToolUpdate(update.toolCallId, update);
+        case 'tool_update':
          // mapSessionUpdate already stored the merged snapshot in this.toolSnapshots.
          this.publishToolSnapshot(event.toolCall);
          break;
-      case 'tool_call_update':
+        case 'commands':
-        this.handleToolUpdate(update.toolCallId, update);
+          if (this.opts.taskId && event.commands.length > 0) {
-        break;
+            mergeTaskCommands(this.opts.taskId, event.commands);
      case 'available_commands_update': {
        const commands = update.availableCommands.map((cmd) => ({
          name: cmd.name,
          description: cmd.description ?? undefined,
        }));
        if (this.opts.taskId && commands.length > 0) {
          mergeTaskCommands(this.opts.taskId, commands);
            if (this.canStream() && this.opts.sessionId) {
-            const all = getTaskCommands(this.opts.taskId) ?? commands;
+              const all = getTaskCommands(this.opts.taskId) ?? event.commands;
              this.opts.broker!.publishFrame(this.opts.sessionId, {
                type: 'agent_commands',
                task_id: this.opts.taskId,
@@ -222,8 +210,6 @@ class AcpStreamContext {
          }
          break;
      }
      default:
        break;
    }
  }
@@ -282,8 +268,12 @@ export async function dispatchViaAcp(opts: AcpDispatchOpts): Promise<AcpDispatch
    broker,
  } = opts;
-  const args = resolveAcpSpawnArgs(agent);
+  // v2.3 phase 3: launch from the resolved registry def (config override /
-  if (!args) {
+  // custom-ACP command) with the built-in switch as the fallback. The dispatcher
  // passes `resolved`; fall back to a registry lookup if it didn't.
  const resolved = opts.resolved ?? getResolvedRegistry().get(agent);
  const spec = resolved ? resolveLaunchSpec(resolved, installPath ?? null) : null;
  if (!spec) {
    return {
      exitCode: 1,
      output: `Agent '${agent}' does not support ACP.`,
@@ -293,12 +283,11 @@ export async function dispatchViaAcp(opts: AcpDispatchOpts): Promise<AcpDispatch
    };
  }
-  const binary = installPath ?? agent;
+  log.info({ agent, binary: spec.binary, worktreePath, modeId, model: opts.model }, 'acp-dispatch: spawning');
-  log.info({ agent, binary, worktreePath, modeId, model: opts.model }, 'acp-dispatch: spawning');
+  const child = spawn(spec.binary, spec.args, {
  const child = spawn(binary, args, {
    cwd: worktreePath,
    stdio: ['pipe', 'pipe', 'pipe'],
-    env: { ...process.env },
+    env: { ...process.env, ...spec.env },
  });
  const streamCtx = new AcpStreamContext(
--- a/apps/coder/src/services/acp-event-map.ts
+++ b/apps/coder/src/services/acp-event-map.ts
@@ -0,0 +1,68 @@
 /**
 * Shared ACP session-update → normalized AgentEvent mapping.
 *
 * Extracted verbatim (v2.6 Phase 2) from `AcpStreamContext.handleSessionUpdate`
 * in `acp-dispatch.ts` so the warm ACP backend (`backends/warm-acp.ts`) and the
 * one-shot dispatch share ONE mapping. The one-shot path translates the returned
 * events into broker frames itself (preserving its prior behavior byte-for-byte);
 * the warm backend forwards them to the dispatcher's `ctx.onEvent` exactly like
 * the opencode-server backend does. No I/O, no broker — pure, so it's unit-testable.
 *
 * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2b.
 */
 import type { SessionNotification } from '@agentclientprotocol/sdk';
 import type { AgentEvent } from './agent-backend.js';
 import { type AcpToolSnapshot, mergeToolSnapshot } from './acp-tool-snapshot.js';
 /**
 * Map one ACP `session/update` notification to zero-or-more normalized AgentEvents.
 *
 * `priorSnapshots` is the caller-owned tool-call snapshot accumulator (toolCallId →
 * snapshot). For `tool_call` / `tool_call_update` the merged snapshot is written
 * back into it (mutated in place, mirroring `AcpStreamContext.handleToolUpdate`)
 * so a later `tool_call_update` merges over the earlier `tool_call`. Pass an empty
 * Map for a stateless single call.
 *
 * Returns an array (never throws) so the caller can splat it onto `onEvent`.
 */
 export function mapSessionUpdate(
  params: SessionNotification,
  priorSnapshots: Map<string, AcpToolSnapshot> = new Map(),
 ): AgentEvent[] {
  const update = params.update;
  switch (update.sessionUpdate) {
    case 'agent_message_chunk': {
      const content = update.content;
      if (content.type === 'text' && 'text' in content) {
        return [{ type: 'text', text: (content as { text: string }).text }];
      }
      return [];
    }
    case 'agent_thought_chunk': {
      const content = update.content;
      if (content.type === 'text' && 'text' in content) {
        return [{ type: 'reasoning', text: (content as { text: string }).text }];
      }
      return [];
    }
    case 'tool_call': {
      const snapshot = mergeToolSnapshot(update.toolCallId, update, priorSnapshots.get(update.toolCallId));
      priorSnapshots.set(update.toolCallId, snapshot);
      return [{ type: 'tool_call', toolCall: snapshot }];
    }
    case 'tool_call_update': {
      const snapshot = mergeToolSnapshot(update.toolCallId, update, priorSnapshots.get(update.toolCallId));
      priorSnapshots.set(update.toolCallId, snapshot);
      return [{ type: 'tool_update', toolCall: snapshot }];
    }
    case 'available_commands_update': {
      const commands = update.availableCommands.map((cmd) => ({
        name: cmd.name,
        description: cmd.description ?? undefined,
      }));
      return [{ type: 'commands', commands }];
    }
    default:
      return [];
  }
 }
--- a/apps/coder/src/services/acp-probe.ts
+++ b/apps/coder/src/services/acp-probe.ts
@@ -130,6 +130,17 @@ export async function probeAcpProvider(
    });
    const session = await connection.newSession({ cwd, mcpServers: [] });
    // available_commands_update is an async session notification opencode sends
    // shortly AFTER newSession resolves — reading probedCommands synchronously
    // here races it and captures nothing. Wait briefly for the first batch, then
    // a short settle for any stragglers (capped well under PROBE_TIMEOUT_MS).
    const deadline = Date.now() + 3_000;
    while (probedCommands.length === 0 && Date.now() < deadline) {
      await new Promise((r) => setTimeout(r, 150));
    }
    if (probedCommands.length > 0) {
      await new Promise((r) => setTimeout(r, 300));
    }
    const result = parseSessionResponse(session, agent);
    result.commands = probedCommands;
    await connection.closeSession({ sessionId: session.sessionId }).catch(() => {});
--- a/apps/coder/src/services/acp-spawn.ts
+++ b/apps/coder/src/services/acp-spawn.ts
@@ -1,15 +1,15 @@
 import type { ResolvedProviderDef } from './provider-config-registry.js';
 /**
- * Resolve ACP spawn argv per provider (host-probe verified 2026-05-25).
+ * Resolve ACP spawn argv per built-in provider (host-probe verified 2026-05-25).
 * Source of truth for built-in default argv — resolveLaunchSpec wraps these; it
 * does NOT replace them.
 */
 export function resolveAcpSpawnArgs(agent: string): string[] | null {
  switch (agent) {
    case 'opencode':
    case 'goose':
      return ['acp'];
    case 'cursor':
      return ['acp'];
    case 'copilot':
      return ['--acp'];
    case 'qwen':
      return ['--acp'];
    default:
@@ -17,13 +17,34 @@ export function resolveAcpSpawnArgs(agent: string): string[] | null {
  }
 }
-export function resolveAcpProbeBinaries(agent: string): string[] {
+/**
-  switch (agent) {
+ * v2.3 phase 3: resolve the launch spec for an ACP dispatch (design.md §5.1).
-    case 'cursor':
+ * Consults the resolved registry's launchCommand (config override or custom-ACP
-      return ['cursor-agent', 'agent'];
+ * entry) first; otherwise falls back to the built-in default argv above.
-    case 'copilot':
+ *
-      return ['copilot'];
+ * Byte-identical to pre-v2.3 for built-ins with no override: binary is
-    default:
+ * `installPath ?? id` and args come from resolveAcpSpawnArgs — exactly the
-      return [agent];
+ * `binary = installPath ?? agent` + `resolveAcpSpawnArgs(agent)` the dispatcher
 * used before. (Deliberate deviation from design §5.1's `!installPath → null`:
 * the old path spawned the bare agent name when install_path was missing, so we
 * preserve the `?? id` fallback rather than fail.)
 */
 export function resolveLaunchSpec(
  resolved: ResolvedProviderDef,
  installPath: string | null,
 ): { binary: string; args: string[]; env?: Record<string, string> } | null {
  if (resolved.launchCommand) {
    return {
      binary: resolved.launchCommand[0],
      args: resolved.launchCommand.slice(1),
      env: resolved.env,
    };
  }
  const args = resolveAcpSpawnArgs(resolved.id);
  if (!args) return null;
  return { binary: installPath ?? resolved.id, args, env: resolved.env };
 }
 export function resolveAcpProbeBinaries(agent: string): string[] {
  return [agent];
 }
--- a/apps/coder/src/services/agent-backend.ts
+++ b/apps/coder/src/services/agent-backend.ts
@@ -0,0 +1,119 @@
 /**
 * v2.6 — AgentBackend abstraction (Phase 0 scaffold; types only, zero runtime logic).
 *
 * The core abstraction for persistent agent sessions. Two implementations land
 * later: `OpenCodeServerBackend` (Phase 1, opencode HTTP server) and
 * `WarmAcpBackend` (Phase 2, long-lived ACP process). Backends emit
 * transport-agnostic `AgentEvent`s; the dispatcher maps them to WS frames.
 *
 * Nothing imports this file yet — it must compile standalone.
 * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2.
 */
 import type { AcpToolSnapshot } from './acp-tool-snapshot.js';
 import type { AgentCommand } from './provider-types.js';
 /** Backend transport kind. Mirrors `agent_sessions.backend` CHECK in schema.sql. */
 export type AgentBackendKind = 'opencode_server' | 'acp_warm';
 /**
 * Normalized, transport-agnostic events a backend emits during a turn (§2).
 * Derived from acp-dispatch's session-update handling, but WITHOUT the WS
 * envelope (message_id/chat_id) — the dispatcher owns frame mapping.
 *
 * `tool_call` vs `tool_update` are kept distinct on purpose: acp-dispatch
 * currently merges both into one snapshot frame, but opencode's SSE
 * distinguishes tool-start from tool-result, so the contract carries both.
 * `commands` mirrors the ACP `available_commands_update` path (v2.5.10).
 */
 export type AgentEvent =
  | { type: 'text'; text: string }
  | { type: 'reasoning'; text: string }
  | { type: 'tool_call'; toolCall: AcpToolSnapshot }
  | { type: 'tool_update'; toolCall: AcpToolSnapshot }
  | { type: 'commands'; commands: AgentCommand[] };
 /** Params to establish (or look up) a backend session (§2). */
 export interface EnsureSessionOpts {
  agent: string;
  /** Resolved model id. */
  model: string;
  /** P1.5-b: the chat (tab) this turn belongs to. agent_sessions is keyed
   *  (chat_id, agent) — the tab/chat is the context unit. Always non-null:
   *  the dispatcher creates a chat for session-less tasks before calling. */
  chatId: string;
  /** Shared per-session worktree (one per `sessions.id`, not per pane). */
  worktreePath: string;
  /** P1.5-b: the `worktrees.id` for this session's worktree — stored on the
   *  agent_sessions row informationally (NOT the key). */
  worktreeId: string;
  projectId: string;
 }
 /** Opaque handle to a live backend session, persisted to `agent_sessions` (§2). */
 export interface AgentSessionHandle {
  sessionId: string;
  agent: string;
  backend: AgentBackendKind;
  /** P1.5-b: the chat (tab) this session is keyed on (with agent). */
  chatId: string;
  /** P1.5-b: the worktree this session's chat runs in (informational link). */
  worktreeId: string;
  /** Provider's own session id (resume token); null until the backend assigns one. */
  agentSessionId: string | null;
  /** opencode HTTP server port; null for ACP backends. */
  serverPort: number | null;
 }
 /** Per-turn context passed to `prompt` (§2). */
 export interface PromptCtx {
  worktreePath: string;
  model: string;
  signal: AbortSignal;
  onEvent: (e: AgentEvent) => void;
  /** Phase 2: per-turn task id, so a warm ACP backend can route permission /
   *  elicitation prompts back to the UI via the permission-waiter. Optional —
   *  the opencode-server backend (autonomous) ignores it. */
  taskId?: string;
  /** Phase 2: per-turn mode id (gates autonomous mode in the permission-waiter). */
  modeId?: string;
 }
 /** Result of a completed turn (§2). Diff/persist happen outside the backend. */
 export interface TurnResult {
  ok: boolean;
  error?: string;
 }
 /**
 * The core backend abstraction (§2). Implementations: OpenCodeServerBackend
 * (Phase 1), WarmAcpBackend (Phase 2).
 */
 export interface AgentBackend {
  /** Lazy: spawn server / warm process if not already up for this (session, agent). §2 */
  ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle>;
  /** Send a prompt; stream events via ctx.onEvent; resolves when the turn completes. §2 */
  prompt(handle: AgentSessionHandle, input: string, ctx: PromptCtx): Promise<TurnResult>;
  /** Graceful teardown of one session (session close or idle timeout). §2 */
  closeSession(handle: AgentSessionHandle): Promise<void>;
  /** Full teardown — kills all spawned servers/processes. §2 */
  dispose(): Promise<void>;
  /** Liveness for health endpoint + dispatcher fallback decision. §2 */
  health(): 'up' | 'down';
  /**
   * v2.6 Phase 3: true iff a turn is in flight on this backend. The pool's idle
   * eviction + LRU cap NEVER evict a busy backend (design §6 busy rule); the
   * health-monitor defers a restart while busy (stale-grace). Optional so the
   * Phase-0 scaffold and any test double stay compatible — absent ⇒ treated as
   * not busy. opencode-server (multi-session) is busy iff ANY session has an
   * active turn; warm-acp (single session) iff its one slot is active.
   */
  isBusy?(): boolean;
  /**
   * v2.6 Phase 3: optional proactive health probe + busy-aware self-restart, run
   * by the pool's periodic sweep. The opencode-server backend implements it
   * (detects a hung-but-not-exited server and restarts when non-busy). Backends
   * with no long-lived shared process (warm-ACP recovers lazily on its own child
   * exit) can omit it. Must never throw — the sweep ignores rejections.
   */
  tickHealth?(now?: number): Promise<void>;
 }
--- a/apps/coder/src/services/agent-pool.ts
+++ b/apps/coder/src/services/agent-pool.ts
@@ -0,0 +1,246 @@
 /**
 * v2.6 — AgentPool.
 *
 * Lazy get-or-create registry of `AgentBackend` instances keyed by
 * `${primary}:${agent}` (primary = chatId for warm-ACP, a fixed sentinel for the
 * single shared opencode server). Phase 0 shipped the skeleton (Map + health +
 * dispose). Phase 3 adds the LIFECYCLE: per-entry idle tracking, a periodic
 * idle-TTL + LRU-cap sweep (the pure decisions live in
 * `backends/lifecycle-decisions.ts`), and a `closeChat` helper for the chat-close
 * hook. Reattach after eviction is implicit — the next turn's `ensureSession`
 * rebuilds the backend from `agent_sessions` / `worktrees` (DB is the source of
 * truth; the in-memory pool is a warm cache).
 *
 * The hard rule (design §6): NEVER evict a busy backend (one with an in-flight
 * turn). `selectIdleEvictionTargets` / `selectLruEvictionTargets` enforce it via
 * `backend.isBusy()`; a long turn that outlives the TTL is left alone.
 *
 * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2 / §6.
 */
 import type { FastifyBaseLogger } from 'fastify';
 import type { AgentBackend } from './agent-backend.js';
 import {
  selectIdleEvictionTargets,
  selectLruEvictionTargets,
  DEFAULT_IDLE_TTL_MS,
  DEFAULT_MAX_LIVE_BACKENDS,
 } from './backends/lifecycle-decisions.js';
 interface PoolEntry {
  primary: string;
  agent: string;
  backend: AgentBackend;
  /** Epoch ms of the last turn boundary (register or touch). Drives idle/LRU. */
  lastActiveAt: number;
 }
 export interface AgentPoolOpts {
  /** Idle TTL before a non-busy backend is evicted. Default 30 min. */
  idleTtlMs?: number;
  /** Max live backends before the LRU cap evicts the least-recently-used. */
  maxLive?: number;
  /** Sweep cadence. Default 60s (mirrors the server's periodic sweeper). */
  sweepIntervalMs?: number;
  log?: FastifyBaseLogger;
 }
 const DEFAULT_SWEEP_INTERVAL_MS = 60_000;
 export class AgentPool {
  private readonly backends = new Map<string, PoolEntry>();
  private idleTtlMs: number;
  private maxLive: number;
  private sweepIntervalMs: number;
  private log: FastifyBaseLogger | undefined;
  private sweepTimer: ReturnType<typeof setInterval> | null = null;
  /** Serializes sweep runs so a slow eviction can't overlap the next tick. */
  private sweeping = false;
  constructor(opts: AgentPoolOpts = {}) {
    this.idleTtlMs = opts.idleTtlMs ?? DEFAULT_IDLE_TTL_MS;
    this.maxLive = opts.maxLive ?? DEFAULT_MAX_LIVE_BACKENDS;
    this.sweepIntervalMs = opts.sweepIntervalMs ?? DEFAULT_SWEEP_INTERVAL_MS;
    this.log = opts.log;
  }
  /** Apply env-derived knobs to the module singleton at bootstrap (before
   *  startReaper). Only overrides explicitly-provided fields. */
  configure(opts: AgentPoolOpts): void {
    if (opts.idleTtlMs != null) this.idleTtlMs = opts.idleTtlMs;
    if (opts.maxLive != null) this.maxLive = opts.maxLive;
    if (opts.sweepIntervalMs != null) this.sweepIntervalMs = opts.sweepIntervalMs;
    if (opts.log) this.log = opts.log;
  }
  private key(primary: string, agent: string): string {
    return `${primary}:${agent}`;
  }
  /** Map lookup only. Spawning happens in the dispatcher (Phase 1/2). A hit also
   *  marks the entry recently-active so a resolve-without-prompt doesn't get it
   *  evicted out from under an imminent turn. */
  get(primary: string, agent: string): AgentBackend | undefined {
    const entry = this.backends.get(this.key(primary, agent));
    if (entry) entry.lastActiveAt = Date.now();
    return entry?.backend;
  }
  /** Store a backend instance for this (primary, agent). */
  register(primary: string, agent: string, backend: AgentBackend): void {
    this.backends.set(this.key(primary, agent), { primary, agent, backend, lastActiveAt: Date.now() });
  }
  /** Mark a backend recently-active (call at turn start AND settle so a long turn
   *  keeps its slot warm). No-op if the key isn't pooled. */
  touch(primary: string, agent: string): void {
    const entry = this.backends.get(this.key(primary, agent));
    if (entry) entry.lastActiveAt = Date.now();
  }
  /** Snapshot for the decision helpers (busy is read live from the backend). */
  private snapshots(): { key: string; lastActiveAt: number; busy: boolean }[] {
    const out: { key: string; lastActiveAt: number; busy: boolean }[] = [];
    for (const [key, e] of this.backends) {
      out.push({ key, lastActiveAt: e.lastActiveAt, busy: e.backend.isBusy?.() ?? false });
    }
    return out;
  }
  /** Summary for the health endpoint. */
  health(): { size: number; busy: number } {
    let busy = 0;
    for (const e of this.backends.values()) if (e.backend.isBusy?.()) busy++;
    return { size: this.backends.size, busy };
  }
  // ─── Phase 3: idle-TTL + LRU eviction sweep ──────────────────────────────────
  /** Start the periodic idle + LRU sweep. Idempotent; unref'd so it never holds
   *  the process open on its own. */
  startReaper(log?: FastifyBaseLogger): void {
    if (log) this.log = log;
    if (this.sweepTimer) return;
    this.sweepTimer = setInterval(() => {
      void this.sweep().catch((err) => {
        this.log?.warn({ err: errMsg(err) }, 'agent-pool: sweep error');
      });
    }, this.sweepIntervalMs);
    this.sweepTimer.unref?.();
  }
  stopReaper(): void {
    if (this.sweepTimer) {
      clearInterval(this.sweepTimer);
      this.sweepTimer = null;
    }
  }
  /**
   * One sweep pass: evict idle-past-TTL backends, then enforce the LRU cap.
   * Deduped (a key can't appear in both lists for one pass). Busy backends are
   * excluded by the decision helpers — a live turn is never torn down.
   */
  async sweep(now: number = Date.now()): Promise<{ evicted: string[] }> {
    if (this.sweeping) return { evicted: [] };
    this.sweeping = true;
    try {
      // Phase 3: drive each backend's optional proactive health probe first (the
      // opencode server's busy-aware hung-detect + self-restart). Best-effort —
      // a probe must never fail the sweep.
      for (const e of this.backends.values()) {
        if (e.backend.tickHealth) {
          await e.backend.tickHealth(now).catch((err) => {
            this.log?.warn({ key: this.key(e.primary, e.agent), err: errMsg(err) }, 'agent-pool: tickHealth threw');
          });
        }
      }
      const snaps = this.snapshots();
      const idle = selectIdleEvictionTargets(snaps, now, this.idleTtlMs);
      // LRU runs on what remains after idle eviction, so the two never double-evict.
      const idleSet = new Set(idle);
      const remaining = snaps.filter((s) => !idleSet.has(s.key));
      const lru = selectLruEvictionTargets(remaining, this.maxLive);
      const targets = [...idle, ...lru];
      if (targets.length === 0) return { evicted: [] };
      const evicted: string[] = [];
      for (const key of targets) {
        const entry = this.backends.get(key);
        if (!entry) continue;
        // Re-check busy right before teardown — a turn may have started since the
        // snapshot. Defensive; the decision already excluded busy at snapshot time.
        if (entry.backend.isBusy?.()) continue;
        this.backends.delete(key);
        try {
          await entry.backend.dispose();
        } catch (err) {
          this.log?.warn({ key, err: errMsg(err) }, 'agent-pool: backend dispose threw during eviction');
        }
        evicted.push(key);
      }
      if (evicted.length > 0) {
        this.log?.info({ evicted, size: this.backends.size }, 'agent-pool: evicted idle/over-cap backends');
      }
      return { evicted };
    } finally {
      this.sweeping = false;
    }
  }
  // ─── Phase 3: chat-close cleanup (3.3) ───────────────────────────────────────
  /**
   * Tear down every pooled backend whose key is for this chat. Used by the
   * chat-close hook. The opencode server is shared (keyed on a sentinel, not the
   * chat), so it is NOT disposed here — only its session is closed via
   * `closeSession`, which the hook calls directly with the per-(chat,agent)
   * handle. Returns the keys it removed. Skips busy entries (a close mid-turn is
   * rare but must not kill a live stream — the idle sweep reaps it shortly after).
   */
  async closeChat(chatId: string): Promise<string[]> {
    const removed: string[] = [];
    const prefix = `${chatId}:`;
    for (const [key, entry] of [...this.backends]) {
      if (!key.startsWith(prefix)) continue;
      if (entry.backend.isBusy?.()) continue;
      this.backends.delete(key);
      try {
        await entry.backend.dispose();
      } catch (err) {
        this.log?.warn({ key, err: errMsg(err) }, 'agent-pool: dispose threw during closeChat');
      }
      removed.push(key);
    }
    return removed;
  }
  /** Look up a backend by exact key without bumping its activity (for closeSession). */
  peek(primary: string, agent: string): AgentBackend | undefined {
    return this.backends.get(this.key(primary, agent))?.backend;
  }
  /** Dispose every backend and clear the map. Tolerates throwing backends. */
  async dispose(): Promise<void> {
    this.stopReaper();
    const entries = [...this.backends.values()];
    this.backends.clear();
    await Promise.allSettled(entries.map((e) => e.backend.dispose()));
  }
 }
 function errMsg(e: unknown): string {
  return e instanceof Error ? e.message : String(e);
 }
 /**
 * The shared opencode server is pooled under a FIXED sentinel (one server per
 * BooCoder process, multiplexing all opencode sessions internally) rather than a
 * chat id — so it is NOT torn down by `closeChat(chatId)` (only its per-chat
 * session is closed). Exported so the dispatcher + the lifecycle close-hook agree
 * on the key without drift.
 */
 export const OPENCODE_POOL_KEY = '__opencode_server__';
 /** Single shared instance — registered by the dispatcher, swept + drained by the
 *  server's onClose hook. */
 export const agentPool = new AgentPool();
--- a/apps/coder/src/services/agent-probe.ts
+++ b/apps/coder/src/services/agent-probe.ts
@@ -1,24 +1,34 @@
 import type { Sql } from '../db.js';
 import type { FastifyBaseLogger } from 'fastify';
-import { exec as execCb } from 'node:child_process';
+import { exec as execCb, execFile as execFileCb } from 'node:child_process';
 import { promisify } from 'node:util';
-import { PROVIDERS_BY_NAME, PROBED_AGENT_NAMES } from './provider-registry.js';
+import { PROVIDERS_BY_NAME } from './provider-registry.js';
 import { resolveAcpProbeBinaries } from './acp-spawn.js';
-import { clearProviderSnapshotCache } from './provider-snapshot.js';
+import { clearProviderSnapshotCache, fetchLlamaSwapModels, prefixLlamaSwapModels } from './provider-snapshot.js';
 import { readQwenSettingsModels } from './qwen-settings.js';
 import { loadConfig } from '../config.js';
 import { loadProviderConfig } from './provider-config-registry.js';
 const exec = promisify(execCb);
 const execFile = promisify(execFileCb);
 // `which` via execFile (no shell) — the binary name can come from the config
 // file (custom ACP entries), so avoid interpolating it into a shell string.
 async function whichBinary(bin: string): Promise<string | null> {
  try {
    const { stdout } = await execFile('which', [bin], { timeout: 10_000 });
    const path = stdout.trim();
    return path || null;
  } catch {
    return null;
  }
 }
 async function resolveInstallPath(agentName: string): Promise<string | null> {
  const candidates = resolveAcpProbeBinaries(agentName);
  for (const bin of candidates) {
-    try {
+    const path = await whichBinary(bin);
      const { stdout } = await exec(`which ${bin}`, { timeout: 10_000 });
      const path = stdout.trim();
    if (path) return path;
    } catch {
      /* try next */
    }
  }
  return null;
 }
@@ -27,15 +37,6 @@ async function detectAcpSupport(agentName: string, installPath: string): Promise
  const transport = PROVIDERS_BY_NAME.get(agentName)?.transport;
  if (transport !== 'acp') return false;
  if (agentName === 'copilot') {
    try {
      const { stdout } = await exec(`"${installPath}" --help`, { timeout: 10_000 });
      return stdout.includes('--acp');
    } catch {
      return false;
    }
  }
  if (agentName === 'qwen') {
    try {
      const { stdout } = await exec(`"${installPath}" --help`, { timeout: 10_000 });
@@ -55,14 +56,37 @@ async function detectAcpSupport(agentName: string, installPath: string): Promise
 /**
 * Probe for available agents on the HOST.
 *
 * v2.3: iterates the resolved provider registry (built-ins + config-backed
 * custom ACP entries) rather than the hardcoded `PROBED_AGENT_NAMES`. Native
 * boocode is not probed; disabled providers are skipped (their `available_agents`
 * row is kept, not deleted). `enabled` is read from the in-memory registry only —
 * no DB column in Phase 1 (design.md §3.3).
 */
 export async function probeAgents(sql: Sql, log: FastifyBaseLogger): Promise<void> {
  clearProviderSnapshotCache();
  log.info('agent-probe: scanning for known agents');
-  for (const agentName of PROBED_AGENT_NAMES) {
+  const registry = loadProviderConfig(loadConfig().CODER_PROVIDERS_PATH);
  for (const resolved of registry.values()) {
    const agentName = resolved.id;
    // Native boocode is not a probed host agent.
    if (resolved.transport === 'native') continue;
    // Disabled providers: skip the probe, keep any existing row.
    if (!resolved.enabled) {
      log.info({ agent: agentName }, 'agent-probe: skipping disabled provider');
      continue;
    }
    try {
-      const installPath = await resolveInstallPath(agentName);
+      // Custom ACP entries resolve their binary from command[0]; built-ins use
      // the per-agent probe binaries.
      const installPath = resolved.isCustomAcp && resolved.launchCommand
        ? await whichBinary(resolved.launchCommand[0])
        : await resolveInstallPath(agentName);
      if (!installPath) continue;
      let version: string | null = null;
@@ -73,24 +97,43 @@ export async function probeAgents(sql: Sql, log: FastifyBaseLogger): Promise<voi
        /* optional */
      }
-      const providerDef = PROVIDERS_BY_NAME.get(agentName);
+      // Custom ACP entries are ACP by declaration; built-ins detect support.
-      let supportsAcp = providerDef?.transport === 'acp';
+      let supportsAcp: boolean;
      if (resolved.isCustomAcp) {
        supportsAcp = true;
      } else {
        supportsAcp = resolved.transport === 'acp';
        if (supportsAcp) {
          supportsAcp = await detectAcpSupport(agentName, installPath);
        }
      }
      let models: Array<{ id: string; label: string }> = [];
      if (!resolved.isCustomAcp) {
        const providerDef = PROVIDERS_BY_NAME.get(agentName);
        if (providerDef?.modelSource === 'static' && providerDef.staticModels) {
          models = providerDef.staticModels;
        }
        if (agentName === 'qwen') {
          models = await readQwenSettingsModels();
        }
        if (providerDef?.mergeLlamaSwap) {
          try {
            const config = loadConfig();
            const llamaModels = prefixLlamaSwapModels(await fetchLlamaSwapModels(config));
            models = [...models, ...llamaModels];
          } catch (err) {
            log.warn({ agent: agentName, err: err instanceof Error ? err.message : String(err) }, 'agent-probe: llama-swap model fetch failed (non-fatal)');
          }
        }
      }
-      const label = providerDef?.label ?? agentName;
+      const label = resolved.configLabel ?? resolved.label;
-      const transport =
+      const transport = resolved.isCustomAcp
-        providerDef?.transport === 'acp' && !supportsAcp ? 'pty' : (providerDef?.transport ?? 'pty');
+        ? 'acp'
        : resolved.transport === 'acp' && !supportsAcp
          ? 'pty'
          : (resolved.transport ?? 'pty');
      await sql`
        INSERT INTO available_agents (name, install_path, version, supports_acp, last_probed_at, models, label, transport)
--- a/apps/coder/src/services/backends/tests/lifecycle-decisions.test.ts
+++ b/apps/coder/src/services/backends/tests/lifecycle-decisions.test.ts
@@ -0,0 +1,176 @@
 import { describe, it, expect } from 'vitest';
 import {
  selectIdleEvictionTargets,
  selectLruEvictionTargets,
  decideRestart,
  selectOrphanWorktreeTargets,
  DEFAULT_IDLE_TTL_MS,
  DEFAULT_MAX_LIVE_BACKENDS,
  type PoolEntrySnapshot,
 } from '../lifecycle-decisions.js';
 /**
 * v2.6 Phase 3 — pure lifecycle decisions. No DB, no children, no timers; `now`
 * is injected. Models prune.ts:selectPruneTargets — the caller acts on the keys.
 */
 const NOW = 1_000_000_000_000;
 function entry(key: string, ageMs: number, busy = false): PoolEntrySnapshot {
  return { key, lastActiveAt: NOW - ageMs, busy };
 }
 describe('selectIdleEvictionTargets (3.1)', () => {
  it('evicts entries idle past the TTL', () => {
    const entries = [
      entry('a:opencode', DEFAULT_IDLE_TTL_MS + 1),
      entry('b:goose', DEFAULT_IDLE_TTL_MS - 1),
    ];
    expect(selectIdleEvictionTargets(entries, NOW)).toEqual(['a:opencode']);
  });
  it('never evicts a busy entry even when idle past the TTL', () => {
    const entries = [entry('a:opencode', DEFAULT_IDLE_TTL_MS * 10, /* busy */ true)];
    expect(selectIdleEvictionTargets(entries, NOW)).toEqual([]);
  });
  it('respects a custom TTL', () => {
    const entries = [entry('a:goose', 5_000), entry('b:qwen', 500)];
    expect(selectIdleEvictionTargets(entries, NOW, 1_000)).toEqual(['a:goose']);
  });
  it('treats exactly-at-TTL as evictable (>=)', () => {
    expect(selectIdleEvictionTargets([entry('a:x', 1_000)], NOW, 1_000)).toEqual(['a:x']);
  });
  it('returns empty for an empty pool', () => {
    expect(selectIdleEvictionTargets([], NOW)).toEqual([]);
  });
 });
 describe('selectLruEvictionTargets (3.4)', () => {
  it('returns nothing when at or under the cap', () => {
    const entries = [entry('a:x', 10), entry('b:y', 20)];
    expect(selectLruEvictionTargets(entries, 2)).toEqual([]);
    expect(selectLruEvictionTargets(entries, 5)).toEqual([]);
  });
  it('evicts the least-recently-used beyond the cap', () => {
    // oldest first: c (300ms ago) is LRU, then a (100ms), then b (10ms).
    const entries = [entry('a:x', 100), entry('b:y', 10), entry('c:z', 300)];
    expect(selectLruEvictionTargets(entries, 2)).toEqual(['c:z']);
  });
  it('evicts multiple LRU entries to reach the cap', () => {
    const entries = [
      entry('a:x', 100),
      entry('b:y', 10),
      entry('c:z', 300),
      entry('d:w', 200),
    ];
    // cap 1: must remove 3, oldest-first c(300), d(200), a(100).
    expect(selectLruEvictionTargets(entries, 1)).toEqual(['c:z', 'd:w', 'a:x']);
  });
  it('never evicts a busy entry even if it is the LRU', () => {
    // c is LRU but busy → it cannot be evicted; fall to the next-oldest (a).
    const entries = [entry('a:x', 100), entry('b:y', 10), entry('c:z', 300, true)];
    expect(selectLruEvictionTargets(entries, 2)).toEqual(['a:x']);
  });
  it('can transiently exceed the cap when too many are busy', () => {
    // cap 1, but both old entries busy → only the single idle one is evictable.
    const entries = [entry('a:x', 100, true), entry('c:z', 300, true), entry('b:y', 10)];
    expect(selectLruEvictionTargets(entries, 1)).toEqual(['b:y']);
  });
  it('uses the default cap when omitted', () => {
    const entries = Array.from({ length: DEFAULT_MAX_LIVE_BACKENDS + 1 }, (_, i) =>
      entry(`k${String(i).padStart(2, '0')}:a`, (i + 1) * 1000),
    );
    const evicted = selectLruEvictionTargets(entries);
    // exactly one over the default cap → evict the single LRU (largest age).
    expect(evicted).toHaveLength(1);
    expect(evicted[0]).toBe(`k${String(DEFAULT_MAX_LIVE_BACKENDS).padStart(2, '0')}:a`);
  });
 });
 describe('decideRestart (3.2, busy-aware)', () => {
  const base = {
    consecutiveFailures: 0,
    busy: false,
    unhealthyBusySince: 0,
    now: NOW,
    failureThreshold: 3,
    staleBusyGraceMs: 120_000,
  };
  it('does nothing when healthy', () => {
    expect(decideRestart({ ...base, processExited: false, healthy: true }))
      .toEqual({ action: 'none', reason: 'healthy' });
  });
  it('restarts immediately when the process exited', () => {
    expect(decideRestart({ ...base, processExited: true, busy: true }))
      .toEqual({ action: 'restart', reason: 'process-exited' });
  });
  it('waits below the failure threshold', () => {
    expect(decideRestart({ ...base, processExited: false, consecutiveFailures: 2 }))
      .toEqual({ action: 'wait', reason: 'below-threshold' });
  });
  it('restarts at the threshold when idle', () => {
    expect(decideRestart({ ...base, processExited: false, consecutiveFailures: 3 }))
      .toEqual({ action: 'restart', reason: 'threshold' });
  });
  it('defers a restart while busy within the grace window', () => {
    expect(decideRestart({
      ...base, processExited: false, consecutiveFailures: 5, busy: true,
      unhealthyBusySince: NOW - 1_000,
    })).toEqual({ action: 'wait', reason: 'busy-grace' });
  });
  it('force-restarts a busy backend after the stale-busy grace', () => {
    expect(decideRestart({
      ...base, processExited: false, consecutiveFailures: 5, busy: true,
      unhealthyBusySince: NOW - 120_001,
    })).toEqual({ action: 'restart', reason: 'stale-busy-grace' });
  });
  it('waits (busy-grace) when busy + threshold but the window just started', () => {
    // unhealthyBusySince === 0 means the caller is about to stamp it this cycle.
    expect(decideRestart({
      ...base, processExited: false, consecutiveFailures: 5, busy: true,
      unhealthyBusySince: 0,
    })).toEqual({ action: 'wait', reason: 'busy-grace' });
  });
 });
 describe('selectOrphanWorktreeTargets (3.4)', () => {
  it('skips dirs tracked by a live worktrees row', () => {
    const onDisk = [{ path: '/wt/sess-a', mtimeMs: NOW - 10_000_000 }];
    expect(selectOrphanWorktreeTargets(onDisk, new Set(['/wt/sess-a']), NOW, 1000)).toEqual([]);
  });
  it('reaps an untracked dir older than the grace', () => {
    const onDisk = [{ path: '/wt/sess-orphan', mtimeMs: NOW - 5000 }];
    expect(selectOrphanWorktreeTargets(onDisk, new Set(), NOW, 1000)).toEqual(['/wt/sess-orphan']);
  });
  it('never reaps a dir younger than the grace (mid-create race)', () => {
    const onDisk = [{ path: '/wt/sess-fresh', mtimeMs: NOW - 500 }];
    expect(selectOrphanWorktreeTargets(onDisk, new Set(), NOW, 1000)).toEqual([]);
  });
  it('mixes tracked, fresh, and orphaned correctly', () => {
    const onDisk = [
      { path: '/wt/sess-live', mtimeMs: NOW - 10_000 },
      { path: '/wt/sess-fresh', mtimeMs: NOW - 100 },
      { path: '/wt/sess-orphan', mtimeMs: NOW - 10_000 },
    ];
    expect(selectOrphanWorktreeTargets(onDisk, new Set(['/wt/sess-live']), NOW, 1000))
      .toEqual(['/wt/sess-orphan']);
  });
 });
--- a/apps/coder/src/services/backends/tests/opencode-usage.test.ts
+++ b/apps/coder/src/services/backends/tests/opencode-usage.test.ts
@@ -0,0 +1,51 @@
 import { describe, it, expect } from 'vitest';
 import { stepEndedToUsage } from '../opencode-usage.js';
 describe('stepEndedToUsage (U.6)', () => {
  it('folds cache read+write into input and reasoning into output', () => {
    const u = stepEndedToUsage({
      cost: 0.0123,
      tokens: { input: 100, output: 50, reasoning: 20, cache: { read: 10, write: 5 } },
    });
    expect(u).toEqual({ input: 115, output: 70, cost: 0.0123 });
  });
  it('handles a step with no cache and no reasoning', () => {
    const u = stepEndedToUsage({
      cost: 0,
      tokens: { input: 8, output: 4, reasoning: 0, cache: { read: 0, write: 0 } },
    });
    expect(u).toEqual({ input: 8, output: 4, cost: 0 });
  });
  it('is defensive against a missing tokens block', () => {
    const u = stepEndedToUsage({ cost: 0.5 } as never);
    expect(u).toEqual({ input: 0, output: 0, cost: 0.5 });
  });
  it('is defensive against undefined props', () => {
    expect(stepEndedToUsage(undefined)).toEqual({ input: 0, output: 0, cost: 0 });
  });
  it('drops NaN / negative noise to zero rather than poisoning the accumulated total', () => {
    const u = stepEndedToUsage({
      cost: Number.NaN,
      tokens: {
        input: -5,
        output: Number.NaN,
        reasoning: 3,
        cache: { read: Number.POSITIVE_INFINITY, write: 2 },
      },
    });
    // input: (-5→0) + (Inf→0) + 2 = 2; output: (NaN→0) + 3 = 3; cost: NaN→0
    expect(u).toEqual({ input: 2, output: 3, cost: 0 });
  });
  it('rounds fractional token counts', () => {
    const u = stepEndedToUsage({
      cost: 1.5,
      tokens: { input: 10.6, output: 4.4, reasoning: 0, cache: { read: 0, write: 0 } },
    });
    expect(u).toEqual({ input: 11, output: 4, cost: 1.5 });
  });
 });
--- a/apps/coder/src/services/backends/tests/turn-guard.test.ts
+++ b/apps/coder/src/services/backends/tests/turn-guard.test.ts
@@ -0,0 +1,34 @@
 import { describe, it, expect } from 'vitest';
 import {
  armAbortGuard,
  noteTurnActivity,
  consumeTerminal,
  type AbortTerminalGuard,
 } from '../turn-guard.js';
 describe('post-abort terminal guard (F.1)', () => {
  it('swallows the orphan terminal that follows an abort, then settles the next real one', () => {
    // Reproduces the v2.6.5 Stop-button bug: abort turn A, then opencode emits a
    // trailing session.idle for A. That orphan must NOT settle the next turn.
    const g: AbortTerminalGuard = { swallowNextTerminal: false };
    armAbortGuard(g); // user aborts turn A
    expect(consumeTerminal(g)).toBe('swallow'); // opencode's orphan idle for A → dropped
    expect(consumeTerminal(g)).toBe('settle'); // turn B's real idle → settles B
  });
  it('settles a terminal when no abort happened', () => {
    const g: AbortTerminalGuard = { swallowNextTerminal: false };
    expect(consumeTerminal(g)).toBe('settle');
  });
  it('self-heals if the orphan never arrives: new-turn activity clears the guard', () => {
    // If opencode emits no orphan idle (e.g. abort-before-prompt), the next turn's
    // real terminal must still settle rather than being swallowed forever.
    const g: AbortTerminalGuard = { swallowNextTerminal: false };
    armAbortGuard(g); // abort A, but no orphan idle arrives
    noteTurnActivity(g); // turn B produces its first delta
    expect(consumeTerminal(g)).toBe('settle'); // turn B's idle settles, not swallowed
  });
 });
--- a/apps/coder/src/services/backends/tests/warm-acp-routing.test.ts
+++ b/apps/coder/src/services/backends/tests/warm-acp-routing.test.ts
@@ -0,0 +1,59 @@
 import { describe, it, expect } from 'vitest';
 import { shouldUseWarmBackend, isTurnOkForStopReason } from '../warm-acp-routing.js';
 /**
 * Phase 2 routing predicate: which goose/qwen tasks go to the warm pool backend
 * vs the existing one-shot ACP path.
 *
 * The warm backend is keyed (chat_id, agent) — the persistent context unit (same
 * as opencode-server). A task only routes warm when it carries BOTH a session_id
 * and a chat_id, i.e. it originates from a real chat tab (the coder message route
 * stamps both). Session-less creators (arena, MCP-created, generic /api/tasks,
 * new_task) lack chat_id/session_id and keep the one-shot worktree-per-task path,
 * which never spawns a warm process.
 */
 describe('shouldUseWarmBackend (Phase 2 routing)', () => {
  it('routes a chat-tab task (session_id + chat_id) to the warm backend', () => {
    expect(shouldUseWarmBackend({ agent: 'qwen', session_id: 's1', chat_id: 'c1' })).toBe(true);
    expect(shouldUseWarmBackend({ agent: 'goose', session_id: 's1', chat_id: 'c1' })).toBe(true);
  });
  it('keeps a session-less arena/MCP task on the one-shot path', () => {
    expect(shouldUseWarmBackend({ agent: 'qwen', session_id: null, chat_id: null })).toBe(false);
  });
  it('keeps a task with a session but no chat on the one-shot path', () => {
    // chat_id is the warm-key half; without it ensureSession would get a degenerate
    // (null, agent) key, so fall back to one-shot rather than synthesize a chat.
    expect(shouldUseWarmBackend({ agent: 'goose', session_id: 's1', chat_id: null })).toBe(false);
  });
  it('keeps a task with a chat but no session on the one-shot path', () => {
    expect(shouldUseWarmBackend({ agent: 'qwen', session_id: null, chat_id: 'c1' })).toBe(false);
  });
  it('only applies to warm-capable agents (goose, qwen); others never warm here', () => {
    // opencode has its own dedicated warm path; native/claude/etc. are not ACP-warm.
    expect(shouldUseWarmBackend({ agent: 'opencode', session_id: 's1', chat_id: 'c1' })).toBe(false);
    expect(shouldUseWarmBackend({ agent: 'claude', session_id: 's1', chat_id: 'c1' })).toBe(false);
    expect(shouldUseWarmBackend({ agent: null, session_id: 's1', chat_id: 'c1' })).toBe(false);
  });
 });
 describe('isTurnOkForStopReason (ACP stop-reason → ok/fail)', () => {
  it('treats normal completions as ok', () => {
    expect(isTurnOkForStopReason('end_turn')).toBe(true);
    expect(isTurnOkForStopReason('max_tokens')).toBe(true);
    expect(isTurnOkForStopReason('max_turn_requests')).toBe(true);
  });
  it('treats refusal and cancelled as failures', () => {
    expect(isTurnOkForStopReason('refusal')).toBe(false);
    expect(isTurnOkForStopReason('cancelled')).toBe(false);
  });
  it('defaults an absent stop reason to a successful end_turn', () => {
    expect(isTurnOkForStopReason(undefined)).toBe(true);
    expect(isTurnOkForStopReason(null)).toBe(true);
  });
 });
--- a/apps/coder/src/services/backends/lifecycle-decisions.ts
+++ b/apps/coder/src/services/backends/lifecycle-decisions.ts
@@ -0,0 +1,197 @@
 /**
 * v2.6 Phase 3 — pure lifecycle decision helpers.
 *
 * The eviction / LRU-cap / busy-aware-restart / reaper-target logic, factored out
 * of AgentPool + the backends + the periodic sweeper so it's unit-testable with no
 * DB, no child processes, no timers (modeled on
 * apps/server/src/services/inference/prune.ts:selectPruneTargets — a pure decision
 * core the caller acts on).
 *
 * Three decisions live here:
 *   1. selectIdleEvictionTargets — which warm backends to evict for being idle.
 *   2. selectLruEvictionTargets — which warm backends to evict to honour a max-live
 *      cap (least-recently-used beyond the cap), NEVER a busy one.
 *   3. shouldRestartCrashedBackend (busy-aware) — openchamber's skip-while-busy +
 *      stale-grace state machine, re-implemented for BooCode's per-(chat,agent) pool.
 *
 * "Busy" = the backend has an in-flight turn. The hard rule (design §6, decisions):
 * never evict or force-restart a busy backend; defer with a stale-grace.
 */
 // ─── Idle TTL eviction (3.1) ─────────────────────────────────────────────────
 /** Default idle TTL before a warm backend/session is evicted (design §6 ~30 min). */
 export const DEFAULT_IDLE_TTL_MS = 30 * 60 * 1000;
 /** A pool entry as the decision helpers see it (no backend internals). */
 export interface PoolEntrySnapshot {
  /** Pool key `${primary}:${agent}` — opaque to the decision, used for selection. */
  key: string;
  /** Epoch ms of the last turn activity (start or settle) on this backend. */
  lastActiveAt: number;
  /** True iff a turn is in flight right now. Busy entries are never evicted. */
  busy: boolean;
 }
 /**
 * Idle eviction: an entry is evictable when it has been idle (no turn) for longer
 * than `ttlMs` AND is not currently busy. Returns the keys to evict.
 *
 * Pure: `now` is injected so tests don't depend on wall-clock. Busy entries are
 * categorically excluded — a long-running turn that exceeds the TTL must NOT be
 * torn down mid-stream (the §6 / openchamber busy rule).
 */
 export function selectIdleEvictionTargets(
  entries: ReadonlyArray<PoolEntrySnapshot>,
  now: number,
  ttlMs: number = DEFAULT_IDLE_TTL_MS,
 ): string[] {
  const out: string[] = [];
  for (const e of entries) {
    if (e.busy) continue;
    if (now - e.lastActiveAt >= ttlMs) out.push(e.key);
  }
  return out;
 }
 // ─── LRU cap (3.4) ───────────────────────────────────────────────────────────
 /** Default max live warm backends/worktrees before the LRU cap evicts (env-overridable). */
 export const DEFAULT_MAX_LIVE_BACKENDS = 10;
 /**
 * LRU cap: when more than `cap` non-busy entries are live, evict the
 * least-recently-used ones (oldest `lastActiveAt` first) until at most `cap`
 * remain. Busy entries are never evicted AND are not counted toward the cap's
 * "kept" budget being freed — i.e. we only ever evict idle entries, so a burst of
 * concurrent busy turns can transiently exceed the cap rather than kill live work.
 *
 * Returns the keys to evict, least-recently-used first. Pure / deterministic:
 * ties broken by key for stable test output.
 */
 export function selectLruEvictionTargets(
  entries: ReadonlyArray<PoolEntrySnapshot>,
  cap: number = DEFAULT_MAX_LIVE_BACKENDS,
 ): string[] {
  if (cap < 0) cap = 0;
  if (entries.length <= cap) return [];
  // Only idle entries are eligible to be evicted.
  const evictable = entries
    .filter((e) => !e.busy)
    .sort((a, b) => a.lastActiveAt - b.lastActiveAt || (a.key < b.key ? -1 : a.key > b.key ? 1 : 0));
  // We must shrink total live count down to `cap`. Busy entries can't be evicted,
  // so the number we CAN remove is bounded by the evictable pool; evict the oldest
  // (total - cap) of them, never more than exist.
  const overBy = entries.length - cap;
  const toEvict = evictable.slice(0, Math.max(0, overBy));
  return toEvict.map((e) => e.key);
 }
 // ─── Busy-aware crash restart (3.2) — openchamber lift ───────────────────────
 /**
 * Default grace after which a backend that has stayed unhealthy WHILE busy is
 * force-restarted anyway (openchamber's STALE_BUSY_GRACE_MS = 2 min). Guards
 * against a permanently-stuck "busy" turn wedging recovery forever.
 */
 export const DEFAULT_STALE_BUSY_GRACE_MS = 2 * 60 * 1000;
 /** Default consecutive health-check failures before a restart is attempted. */
 export const DEFAULT_HEALTH_FAILURE_THRESHOLD = 3;
 export interface RestartDecisionInput {
  /** True iff the process is actually dead (exited). A dead process restarts
   *  immediately regardless of busy/threshold — there's nothing to protect. */
  processExited: boolean;
  /** Consecutive failed health probes so far (including the current one). */
  consecutiveFailures: number;
  /** Whether the backend currently has an in-flight turn. */
  busy: boolean;
  /** Epoch ms when the unhealthy-while-busy window started, or 0 if not in one. */
  unhealthyBusySince: number;
  /** Injected clock. */
  now: number;
  failureThreshold?: number;
  staleBusyGraceMs?: number;
 }
 export type RestartDecision =
  | { action: 'restart'; reason: 'process-exited' | 'threshold' | 'stale-busy-grace' }
  | { action: 'wait'; reason: 'below-threshold' | 'busy-grace' }
  | { action: 'none'; reason: 'healthy' };
 /**
 * Decide whether to restart a backend after a health probe. Mirrors
 * openchamber's `runHealthCheckCycle` + `shouldSkipRestartForBusySessions`,
 * re-implemented as a pure function over injected state (the caller owns the
 * mutable counters + the actual restart side-effect).
 *
 * Order (matches openchamber):
 *   - process exited            → restart now (nothing live to protect).
 *   - below failure threshold   → wait (transient blip; the next probe re-checks).
 *   - threshold reached + idle   → restart now.
 *   - threshold reached + busy   → skip UNLESS the unhealthy-busy window exceeded
 *                                  the stale grace, then force restart.
 *
 * `healthy: true` callers don't reach here; included for completeness so the
 * caller can pass through and reset counters on a single code path.
 */
 export function decideRestart(input: RestartDecisionInput & { healthy?: boolean }): RestartDecision {
  if (input.healthy) return { action: 'none', reason: 'healthy' };
  if (input.processExited) return { action: 'restart', reason: 'process-exited' };
  const threshold = input.failureThreshold ?? DEFAULT_HEALTH_FAILURE_THRESHOLD;
  if (input.consecutiveFailures < threshold) {
    return { action: 'wait', reason: 'below-threshold' };
  }
  if (!input.busy) {
    return { action: 'restart', reason: 'threshold' };
  }
  // Busy + unhealthy at/over threshold: defer, but not forever.
  const grace = input.staleBusyGraceMs ?? DEFAULT_STALE_BUSY_GRACE_MS;
  if (input.unhealthyBusySince > 0 && input.now - input.unhealthyBusySince >= grace) {
    return { action: 'restart', reason: 'stale-busy-grace' };
  }
  return { action: 'wait', reason: 'busy-grace' };
 }
 // ─── Orphan worktree reaper target selection (3.4) ───────────────────────────
 /** Default TTL: an on-disk worktree dir with no live `worktrees` row is reaped
 *  only after it's been orphaned at least this long (mtime-based grace so a
 *  just-created dir mid-`ensureSessionWorktree` race is never swept). */
 export const DEFAULT_ORPHAN_WORKTREE_GRACE_MS = 60 * 60 * 1000; // 1h
 export interface OnDiskWorktree {
  /** Absolute path of the worktree dir on disk. */
  path: string;
  /** Last-modified epoch ms of the dir (newest of dir + contents, caller's choice). */
  mtimeMs: number;
 }
 /**
 * Reaper target selection: which on-disk worktree dirs are orphans safe to
 * inspect-and-reap. An orphan is a dir under the worktree base that has NO live
 * `worktrees` row (path not in `liveWorktreePaths`) AND whose mtime is older than
 * the grace window (so an in-flight create isn't swept).
 *
 * Pure — the caller (the sweeper) then runs the at-risk preflight (dirty/unpushed)
 * on each returned path and only physically removes the SAFE ones. This helper
 * never decides to remove work-at-risk; it only narrows the candidate set.
 */
 export function selectOrphanWorktreeTargets(
  onDisk: ReadonlyArray<OnDiskWorktree>,
  liveWorktreePaths: ReadonlySet<string>,
  now: number,
  graceMs: number = DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
 ): string[] {
  const out: string[] = [];
  for (const w of onDisk) {
    if (liveWorktreePaths.has(w.path)) continue; // tracked → not an orphan
    if (now - w.mtimeMs < graceMs) continue; // too fresh → could be mid-create
    out.push(w.path);
  }
  return out;
 }
--- a/apps/coder/src/services/backends/opencode-server.ts
+++ b/apps/coder/src/services/backends/opencode-server.ts
--- a/apps/coder/src/services/backends/opencode-usage.ts
+++ b/apps/coder/src/services/backends/opencode-usage.ts
@@ -0,0 +1,77 @@
 /**
 * v2.6 Phase 1-UX (U.6) — pure mapper for opencode's per-step usage event.
 *
 * opencode's warm server emits `session.next.step.ended` once per completed LLM
 * step (so a multi-tool turn fires it several times). Its `properties` carry the
 * step's token + cost accounting:
 *
 *   {
 *     timestamp: number;
 *     sessionID: string;
 *     finish: string;
 *     cost: number;                                  // USD for this step
 *     tokens: {
 *       input: number; output: number; reasoning: number;
 *       cache: { read: number; write: number };
 *     };
 *     snapshot?: string;
 *   }
 *
 * (Verified against @opencode-ai/sdk@1.15.12 — `EventSessionNextStepEnded` in
 * `dist/v2/gen/types.gen.d.ts`, a member of the `Event` union the SSE loop
 * switches on.)
 *
 * We normalize to the review's target slice `{input, output, cost}` (the
 * provider-agnostic `AgentUsage` shape lands later). cache read/write tokens are
 * folded into `input` so the persisted input count reflects the real context the
 * model billed for; reasoning tokens are folded into `output` since that's what
 * the provider counts them as for generation. This keeps the persisted totals a
 * faithful sum of what opencode reported, without inventing extra columns yet.
 */
 /** The `properties` shape of a `session.next.step.ended` event (subset we read). */
 export interface StepEndedProps {
  cost: number;
  tokens: {
    input: number;
    output: number;
    reasoning: number;
    cache: { read: number; write: number };
  };
 }
 /** Normalized per-step usage delta persisted onto the agent_sessions row. */
 export interface StepUsage {
  input: number;
  output: number;
  cost: number;
 }
 /** Coerce a possibly-missing/NaN number to a non-negative finite integer (tokens). */
 function n(v: unknown): number {
  const x = typeof v === 'number' ? v : Number(v);
  return Number.isFinite(x) && x > 0 ? Math.round(x) : 0;
 }
 /** Coerce a possibly-missing/NaN number to a non-negative finite float (cost USD). */
 function f(v: unknown): number {
  const x = typeof v === 'number' ? v : Number(v);
  return Number.isFinite(x) && x > 0 ? x : 0;
 }
 /**
 * Map a `session.next.step.ended` payload → the normalized `{input, output, cost}`
 * delta. Defensive against missing/partial token blocks (the wire is trusted but
 * we never want a NaN to poison the accumulated DB total). `input` folds in cache
 * read+write; `output` folds in reasoning.
 */
 export function stepEndedToUsage(props: Partial<StepEndedProps> | undefined): StepUsage {
  const t = props?.tokens;
  const cacheRead = n(t?.cache?.read);
  const cacheWrite = n(t?.cache?.write);
  return {
    input: n(t?.input) + cacheRead + cacheWrite,
    output: n(t?.output) + n(t?.reasoning),
    cost: f(props?.cost),
  };
 }
--- a/apps/coder/src/services/backends/turn-guard.ts
+++ b/apps/coder/src/services/backends/turn-guard.ts
@@ -0,0 +1,38 @@
 /**
 * Guard against opencode's post-abort "orphan" terminal event (F.1).
 *
 * When a turn is aborted (`client.session.abort`), opencode emits one trailing
 * `session.idle` / `session.error` for the cancelled turn. Without a guard that
 * orphan settles whatever turn currently holds the session slot — which, after
 * the user immediately sends another message, is the NEXT turn, settling it early
 * as success (the v2.6.5 Stop-button bug). opencode terminal events carry only a
 * `sessionID` (no turn id), so we can't match by id; instead we swallow exactly
 * one terminal per abort, and self-heal if that orphan never arrives.
 */
 export interface AbortTerminalGuard {
  /** True between an abort and the orphan terminal event that follows it. */
  swallowNextTerminal: boolean;
 }
 /** Arm on abort: the next terminal event for this session is the orphan. */
 export function armAbortGuard(g: AbortTerminalGuard): void {
  g.swallowNextTerminal = true;
 }
 /**
 * A new turn produced activity (delta) → the orphan window is over. Self-heals
 * the case where opencode emits no orphan idle (e.g. abort-before-prompt), so a
 * real terminal still settles instead of being swallowed forever.
 */
 export function noteTurnActivity(g: AbortTerminalGuard): void {
  g.swallowNextTerminal = false;
 }
 /** Decide a terminal (idle/error): swallow the post-abort orphan once, else settle. */
 export function consumeTerminal(g: AbortTerminalGuard): 'swallow' | 'settle' {
  if (g.swallowNextTerminal) {
    g.swallowNextTerminal = false;
    return 'swallow';
  }
  return 'settle';
 }
--- a/apps/coder/src/services/backends/warm-acp-routing.ts
+++ b/apps/coder/src/services/backends/warm-acp-routing.ts
@@ -0,0 +1,41 @@
 /**
 * v2.6 Phase 2 — warm-vs-one-shot routing predicate for goose/qwen.
 *
 * The warm ACP backend keys its persistent process + ACP session on (chat_id,
 * agent) — exactly like the opencode-server backend. A task therefore only routes
 * to the warm pool when it carries BOTH a `session_id` and a `chat_id`, i.e. it
 * came from a real chat tab (the coder message route + skills route stamp both).
 *
 * Session-less creators — arena contestants, MCP-created tasks, generic
 * `POST /api/tasks`, `new_task` — leave one or both null. Those keep the existing
 * one-shot worktree-per-task ACP path (`runExternalAgent`), which spawns a fresh
 * `goose acp` / `qwen --acp` per turn and never holds a warm process. Routing them
 * warm would either synthesize a degenerate (null, agent) key or create a chat per
 * arena contestant — neither is wanted, so they stay one-shot.
 *
 * Pure, so it's unit-testable; the dispatcher consumes it.
 */
 const WARM_CAPABLE_AGENTS = new Set(['goose', 'qwen']);
 export function shouldUseWarmBackend(task: {
  agent: string | null;
  session_id: string | null;
  chat_id: string | null;
 }): boolean {
  if (!task.agent || !WARM_CAPABLE_AGENTS.has(task.agent)) return false;
  return task.session_id != null && task.chat_id != null;
 }
 /**
 * Map an ACP prompt `stopReason` to the backend's ok/fail contract (TurnResult.ok).
 *
 * ACP's `StopReason` union includes normal completions (`end_turn`, `max_tokens`,
 * `max_turn_requests`) and abnormal ones (`refusal`, `cancelled`). Only the latter
 * two read as a failed turn; everything else (including an undefined/absent reason,
 * which we default to `end_turn`) is a successful completion. Pure so it's testable
 * independently of the warm process.
 */
 export function isTurnOkForStopReason(stopReason: string | null | undefined): boolean {
  const reason = stopReason ?? 'end_turn';
  return reason !== 'refusal' && reason !== 'cancelled';
 }
--- a/apps/coder/src/services/backends/warm-acp.ts
+++ b/apps/coder/src/services/backends/warm-acp.ts
@@ -0,0 +1,417 @@
 /**
 * v2.6 Phase 2 — WarmAcpBackend (goose, qwen).
 *
 * One persistent stdio process + ONE `ClientSideConnection` per (chat, agent),
 * `initialize` + `session/new` done ONCE, reused across every turn — the warm
 * analogue of the previous one-shot `acp-dispatch.ts` (which spawned/torn-down a
 * fresh `goose acp` / `qwen --acp` per turn). Mirrors Paseo's `SpawnedACPProcess`.
 *
 * Implements the Phase 0 `AgentBackend` interface (same contract as
 * `OpenCodeServerBackend`). Emits transport-agnostic `AgentEvent`s via the SHARED
 * `mapSessionUpdate` (reused verbatim from the one-shot stack); the dispatcher maps
 * those to WS frames + `persistExternalAgentTurn`, unchanged.
 *
 * Lifecycle decisions (design.md §2b / §10):
 *   - **Child lifetime is the pool's, not a request's.** Spawned once; never tied
 *     to a per-turn abort signal. Only the in-flight `prompt` gets `ctx.signal` —
 *     abort = ACP `session/cancel`, NOT killing the child.
 *   - **Per-turn abort** cancels the prompt on the warm connection so the SAME
 *     process serves the next turn.
 *   - **Crash** (child exit) marks `agent_sessions.status='crashed'` + logs; the
 *     next `ensureSession` re-spawns + re-`session/new` (Phase 3 hardens auto-restart).
 *   - **Resume across a process restart is NOT attempted in Phase 2.** goose ACP
 *     advertises no `loadSession`/`session.resume`; qwen does, but cross-restart
 *     resume is Phase 3. Within ONE live process the ACP session persists across
 *     turns (the whole point of "warm"); a restart re-`session/new` (memory loss
 *     across restart, accepted per §10). The agent's resume capabilities ARE
 *     probed and logged for forward-compat.
 *
 * Each WarmAcpBackend instance owns exactly one (chat, agent) — the dispatcher
 * pools them under `agentPool.register(chatId, agent, backend)`.
 *
 * SDK note (@agentclientprotocol/sdk@^0.22.1, cross-checked against the design's
 * `^0.14` worry): the resume method is the STABLE `resumeSession` (`session/resume`,
 * gated by `agentCapabilities.sessionCapabilities.resume`), NOT the `^0.14`
 * `unstable_resumeSession`. `loadSession` is gated by `agentCapabilities.loadSession`.
 */
 import { spawn, type ChildProcess } from 'node:child_process';
 import type { FastifyBaseLogger } from 'fastify';
 import {
  ClientSideConnection,
  type Client,
  type SessionNotification,
  type RequestPermissionRequest,
  type RequestPermissionResponse,
  type ReadTextFileRequest,
  type ReadTextFileResponse,
  type WriteTextFileRequest,
  type WriteTextFileResponse,
  type CreateTerminalRequest,
  type CreateTerminalResponse,
  type CreateElicitationRequest,
  type CreateElicitationResponse,
 } from '@agentclientprotocol/sdk';
 import type { Sql } from '../../db.js';
 import { resolveLaunchSpec } from '../acp-spawn.js';
 import { isTurnOkForStopReason } from './warm-acp-routing.js';
 import { getResolvedRegistry, type ResolvedProviderDef } from '../provider-config-registry.js';
 import { createAcpNdJsonStream } from '../acp-stream.js';
 import { mapSessionUpdate } from '../acp-event-map.js';
 import { readWorktreeTextFile, writeWorktreeTextFile } from '../acp-client-fs.js';
 import { waitForPermissionResponse, waitForElicitationResponse, cancelPendingPermission } from '../permission-waiter.js';
 import { type AcpToolSnapshot, synthesizeCanceledSnapshots } from '../acp-tool-snapshot.js';
 import type {
  AgentBackend,
  AgentEvent,
  AgentSessionHandle,
  EnsureSessionOpts,
  PromptCtx,
  TurnResult,
 } from '../agent-backend.js';
 /** State for one in-flight turn (only one at a time per backend — turns serialize). */
 interface TurnState {
  /** Per-turn task id, for routing permission prompts back to the UI. */
  taskId: string | undefined;
  /** BooCode session id for permission-waiter's broker frames. */
  sessionId: string;
  /** Per-turn mode id (autonomous-mode gate in permission-waiter). */
  modeId: string | undefined;
  onEvent: (e: AgentEvent) => void;
  /** Tool-call snapshot accumulator for this turn — merge across tool_call_update. */
  snapshots: Map<string, AcpToolSnapshot>;
 }
 export interface WarmAcpBackendDeps {
  sql: Sql;
  log: FastifyBaseLogger;
  /** The (chat, agent) this backend serves — its pool identity + DB key. */
  chatId: string;
  agent: string;
  /** Resolved binary for the agent (from available_agents.install_path), or null. */
  installPath: string | null;
  /** Optional override of the resolved registry def (defaults to a live lookup). */
  resolved?: ResolvedProviderDef;
 }
 export class WarmAcpBackend implements AgentBackend {
  readonly backend = 'acp_warm' as const;
  private readonly sql: Sql;
  private readonly log: FastifyBaseLogger;
  private readonly chatId: string;
  private readonly agent: string;
  private readonly installPath: string | null;
  private readonly resolvedOverride: ResolvedProviderDef | undefined;
  private child: ChildProcess | null = null;
  private connection: ClientSideConnection | null = null;
  /** The single ACP session id for this warm process; null until session/new. */
  private acpSessionId: string | null = null;
  private up = false;
  /** Idempotent spawn guard — one warm process per backend, started lazily. */
  private starting: Promise<void> | null = null;
  /** Resume capabilities probed at initialize, logged for forward-compat (Phase 3). */
  private supportsLoadSession = false;
  private supportsResumeSession = false;
  /** The current in-flight turn; the Client closures read it. Null between turns. */
  private activeTurn: TurnState | null = null;
  constructor(deps: WarmAcpBackendDeps) {
    this.sql = deps.sql;
    this.log = deps.log;
    this.chatId = deps.chatId;
    this.agent = deps.agent;
    this.installPath = deps.installPath;
    this.resolvedOverride = deps.resolved;
  }
  /** §2: liveness for the health endpoint + dispatcher fallback decision. */
  health(): 'up' | 'down' {
    return this.up ? 'up' : 'down';
  }
  /** Phase 3: busy iff this backend's single session has an in-flight turn. The
   *  pool reads this to skip idle/LRU eviction (never kill the child mid-prompt). */
  isBusy(): boolean {
    return this.activeTurn != null;
  }
  // ─── warm-process lifecycle (2.1 spawn + initialize + session/new ONCE) ───────
  /** Lazy: spawn the warm process on first use. Idempotent — one process per backend. */
  private ensureProcess(worktreePath: string): Promise<void> {
    if (this.up && this.connection && this.acpSessionId) return Promise.resolve();
    if (!this.starting) {
      this.starting = this.startProcess(worktreePath).catch((err) => {
        // Reset so a later ensureSession can retry the spawn after a failed start.
        this.starting = null;
        throw err;
      });
    }
    return this.starting;
  }
  private async startProcess(worktreePath: string): Promise<void> {
    const resolved = this.resolvedOverride ?? getResolvedRegistry().get(this.agent);
    const spec = resolved ? resolveLaunchSpec(resolved, this.installPath) : null;
    if (!spec) throw new Error(`warm-acp: agent '${this.agent}' does not support ACP (no launch spec)`);
    this.log.info({ agent: this.agent, chatId: this.chatId, binary: spec.binary, worktreePath }, 'warm-acp: spawning warm process');
    // Child lifetime is the pool's. NOT tied to any per-turn abort signal — only
    // the in-flight prompt is cancellable (via ACP session/cancel in prompt()).
    const child = spawn(spec.binary, spec.args, {
      cwd: worktreePath,
      stdio: ['pipe', 'pipe', 'pipe'],
      env: { ...process.env, ...spec.env },
    });
    this.child = child;
    // 2.3: supervise the child; react to its exit, never let a request scope kill it.
    child.on('exit', (code, signal) => {
      this.up = false;
      this.connection = null;
      this.acpSessionId = null;
      this.starting = null;
      this.log.warn({ agent: this.agent, chatId: this.chatId, code, signal }, 'warm-acp: warm process exited — marking crashed (rebuild on next turn)');
      void this.markCrashed();
    });
    // A spawn error (e.g. ENOENT) surfaces here, not as an exit.
    child.on('error', (err) => {
      this.up = false;
      this.log.error({ agent: this.agent, chatId: this.chatId, err: errMsg(err) }, 'warm-acp: warm process error');
    });
    const stream = createAcpNdJsonStream(child);
    const connection = new ClientSideConnection(() => this.buildClient(worktreePath), stream);
    const init = await connection.initialize({
      protocolVersion: 1,
      clientInfo: { name: 'boocoder', version: '2.6.0' },
      clientCapabilities: {},
    });
    const caps = init.agentCapabilities;
    this.supportsLoadSession = caps?.loadSession === true;
    this.supportsResumeSession = caps?.sessionCapabilities?.resume != null;
    const session = await connection.newSession({ cwd: worktreePath, mcpServers: [] });
    this.connection = connection;
    this.acpSessionId = session.sessionId;
    this.up = true;
    this.log.info(
      {
        agent: this.agent,
        chatId: this.chatId,
        acpSessionId: session.sessionId,
        loadSession: this.supportsLoadSession,
        resumeSession: this.supportsResumeSession,
      },
      'warm-acp: warm session ready',
    );
  }
  /** Build the ACP Client callbacks ONCE per connection. They read `this.activeTurn`
   *  so each turn's events/permissions route to the right place — exactly the
   *  opencode-server `activeTurn` pattern. Worktree-scoped FS like AcpStreamContext. */
  private buildClient(worktreePath: string): Client {
    return {
      sessionUpdate: async (params: SessionNotification): Promise<void> => {
        const turn = this.activeTurn;
        if (!turn) return; // between turns — drop (no orphan settles a future turn)
        for (const event of mapSessionUpdate(params, turn.snapshots)) {
          turn.onEvent(event);
        }
      },
      requestPermission: async (params: RequestPermissionRequest): Promise<RequestPermissionResponse> => {
        const turn = this.activeTurn;
        if (turn?.taskId) {
          // Route to the UI via the per-turn task id (same as the one-shot path).
          return waitForPermissionResponse(turn.taskId, turn.sessionId, this.agent, turn.modeId, params);
        }
        const firstOption = params.options[0];
        if (firstOption) return { outcome: { outcome: 'selected', optionId: firstOption.optionId } };
        return { outcome: { outcome: 'cancelled' } };
      },
      readTextFile: async (params: ReadTextFileRequest): Promise<ReadTextFileResponse> => {
        const content = await readWorktreeTextFile(worktreePath, params.path, params.line, params.limit);
        return { content };
      },
      writeTextFile: async (params: WriteTextFileRequest): Promise<WriteTextFileResponse> => {
        await writeWorktreeTextFile(worktreePath, params.path, params.content);
        return {};
      },
      createTerminal: async (_params: CreateTerminalRequest): Promise<CreateTerminalResponse> => {
        return { terminalId: 'noop' };
      },
      unstable_createElicitation: async (params: CreateElicitationRequest): Promise<CreateElicitationResponse> => {
        const turn = this.activeTurn;
        if (turn?.taskId) {
          return waitForElicitationResponse(turn.taskId, turn.sessionId, this.agent, turn.modeId, params);
        }
        return { action: 'decline' };
      },
    };
  }
  // ─── ensureSession: create-or-reuse the warm session (2.1) ───────────────────
  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
    await this.ensureProcess(opts.worktreePath);
    if (!this.acpSessionId) throw new Error('warm-acp: session not ready after ensureProcess');
    // P1.5-b: agent_sessions keys on (chat_id, agent). The ACP session id is the
    // resume handle WITHIN the live process; across a process restart it's stale,
    // so ensureProcess re-`session/new` and we upsert the fresh id here.
    await this.sql`
      INSERT INTO agent_sessions
        (chat_id, session_id, worktree_id, agent, backend, agent_session_id, server_port, status, last_active_at)
      VALUES
        (${opts.chatId}, ${sessionId}, ${opts.worktreeId}, ${opts.agent}, 'acp_warm', ${this.acpSessionId}, NULL, 'active', clock_timestamp())
      ON CONFLICT (chat_id, agent) DO UPDATE SET
        session_id = EXCLUDED.session_id,
        worktree_id = EXCLUDED.worktree_id,
        backend = 'acp_warm',
        agent_session_id = EXCLUDED.agent_session_id,
        server_port = NULL,
        status = 'active',
        last_active_at = clock_timestamp()
    `.catch((err) => {
      this.log.warn({ err: errMsg(err), chatId: opts.chatId, agent: opts.agent }, 'warm-acp: agent_sessions upsert failed (non-fatal)');
    });
    return {
      sessionId,
      agent: opts.agent,
      backend: 'acp_warm',
      chatId: opts.chatId,
      worktreeId: opts.worktreeId,
      agentSessionId: this.acpSessionId,
      serverPort: null,
    };
  }
  // ─── prompt: one turn on the warm connection (2.2) ───────────────────────────
  async prompt(handle: AgentSessionHandle, input: string, ctx: PromptCtx): Promise<TurnResult> {
    // The warm process may have crashed between ensureSession and here, or this
    // backend was rebuilt — re-establish before prompting.
    await this.ensureProcess(ctx.worktreePath);
    const connection = this.connection;
    const acpSessionId = this.acpSessionId;
    if (!connection || !acpSessionId) {
      return { ok: false, error: 'warm-acp: no live ACP connection' };
    }
    const snapshots = new Map<string, AcpToolSnapshot>();
    // taskId routes permission/elicitation prompts back to the UI. The dispatcher
    // passes it (plus mode) on the per-turn PromptCtx; permission-waiter keys on it.
    const turn: TurnState = {
      taskId: ctx.taskId,
      sessionId: handle.sessionId,
      modeId: ctx.modeId,
      onEvent: ctx.onEvent,
      snapshots,
    };
    this.activeTurn = turn;
    // Per-turn abort: cancel the in-flight prompt on the SAME connection — never
    // kill the child (that's the pool's lifetime). On cancel we also synthesize
    // 'canceled' updates for any still-running tool calls so the UI doesn't leave
    // them spinning (mirrors AcpStreamContext.markAborted).
    let aborted = false;
    const onAbort = () => {
      if (aborted) return;
      aborted = true;
      connection.cancel({ sessionId: acpSessionId }).catch(() => {});
      if (ctx.taskId) cancelPendingPermission(ctx.taskId);
      for (const snap of synthesizeCanceledSnapshots(snapshots.values())) {
        snapshots.set(snap.toolCallId, snap);
        ctx.onEvent({ type: 'tool_update', toolCall: snap });
      }
    };
    if (ctx.signal.aborted) {
      this.activeTurn = null;
      return { ok: false, error: 'aborted' };
    }
    ctx.signal.addEventListener('abort', onAbort, { once: true });
    try {
      const result = await connection.prompt({
        sessionId: acpSessionId,
        prompt: [{ type: 'text', text: input }],
      });
      if (aborted) return { ok: false, error: 'aborted' };
      const stopReason = result.stopReason ?? 'end_turn';
      return isTurnOkForStopReason(stopReason)
        ? { ok: true }
        : { ok: false, error: `stop_reason: ${stopReason}` };
    } catch (err) {
      if (aborted) return { ok: false, error: 'aborted' };
      return { ok: false, error: errMsg(err) };
    } finally {
      ctx.signal.removeEventListener('abort', onAbort);
      this.activeTurn = null;
      await this.sql`
        UPDATE agent_sessions SET status = 'idle', last_active_at = clock_timestamp()
        WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
      `.catch(() => {});
    }
  }
  // ─── teardown ────────────────────────────────────────────────────────────────
  async closeSession(handle: AgentSessionHandle): Promise<void> {
    // Gracefully close the ACP session if the agent supports it; then kill the child.
    if (this.connection && this.acpSessionId) {
      await this.connection.closeSession({ sessionId: this.acpSessionId }).catch(() => {});
    }
    await this.killChild();
    await this.sql`
      UPDATE agent_sessions SET status = 'closed'
      WHERE chat_id = ${handle.chatId} AND agent = ${handle.agent}
    `.catch(() => {});
  }
  async dispose(): Promise<void> {
    this.up = false;
    this.activeTurn = null;
    if (this.connection && this.acpSessionId) {
      await this.connection.closeSession({ sessionId: this.acpSessionId }).catch(() => {});
    }
    await this.killChild();
    this.connection = null;
    this.acpSessionId = null;
    this.starting = null;
  }
  private async killChild(): Promise<void> {
    const child = this.child;
    this.child = null;
    if (!child || child.killed) return;
    child.kill('SIGTERM');
    await new Promise<void>((resolve) => {
      const t = setTimeout(() => {
        if (!child.killed) child.kill('SIGKILL');
        resolve();
      }, 5_000);
      t.unref?.();
      child.once('close', () => {
        clearTimeout(t);
        resolve();
      });
    });
  }
  private async markCrashed(): Promise<void> {
    await this.sql`
      UPDATE agent_sessions SET status = 'crashed'
      WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
    `.catch(() => {});
  }
 }
 function errMsg(e: unknown): string {
  return e instanceof Error ? e.message : String(e);
 }
--- a/apps/coder/src/services/checkpoints.ts
+++ b/apps/coder/src/services/checkpoints.ts
@@ -0,0 +1,306 @@
 /**
 * write-edit-robustness #4 — worktree checkpoints.
 *
 * External agents (opencode / goose / qwen / claude) write DIRECTLY into the
 * shared session worktree (`/tmp/booworktrees/sess-<id>`); BooCode's own `rewind`
 * only reverses `pending_changes` against the project root, so it has zero coverage
 * there. A checkpoint is a pre-turn shadow-commit of the worktree tree (tracked +
 * untracked) captured WITHOUT touching the real index/working tree, stored in a
 * private GC-safe ref. `restoreCheckpoint` rewinds the worktree to that commit,
 * trims the transcript from the anchor message forward, and resets the agent
 * backend so the next turn re-establishes a fresh context consistent with the
 * restored files.
 *
 * All git goes through hostExec + shellEscape (BooCoder runs on the host; the
 * worktrees live on the host fs). Checkpoint CREATION is best-effort: a failure
 * logs and returns null — it must NEVER throw into the dispatch turn.
 */
 import { randomUUID } from 'node:crypto';
 import type { FastifyBaseLogger } from 'fastify';
 import type { Sql } from '../db.js';
 import { hostExec } from './host-exec.js';
 import { agentPool, OPENCODE_POOL_KEY } from './agent-pool.js';
 import type { AgentSessionHandle } from './agent-backend.js';
 /** Minimal shell escape for paths/refs (single-quote wrapping). Mirrors worktrees.ts. */
 function shellEscape(s: string): string {
  return "'" + s.replace(/'/g, "'\\''") + "'";
 }
 /**
 * Pure builder for the shadow-commit command. Captures tracked + untracked files
 * in the worktree into a temp index (so the real index/working tree is untouched),
 * writes a tree, commits it parented on HEAD, and parks the commit under a private
 * ref `refs/boocode/checkpoints/<id>` so git's GC never reclaims it. Prints ONLY
 * the resulting SHA on stdout (the trailing `printf '%s'`), so the caller parses
 * stdout.trim() directly.
 *
 * `id` is the row UUID (minted before the ref so the ref name matches the row).
 * Both the worktree path and the id are shell-escaped.
 */
 export function buildShadowCommitCommand(worktreePath: string, id: string): string {
  const wt = shellEscape(worktreePath);
  const ref = shellEscape(`refs/boocode/checkpoints/${id}`);
  return (
    `cd ${wt} && TMP=$(mktemp) && GIT_INDEX_FILE="$TMP" git read-tree HEAD ` +
    `&& GIT_INDEX_FILE="$TMP" git add -A ` +
    `&& TREE=$(GIT_INDEX_FILE="$TMP" git write-tree) ` +
    `&& SHA=$(git commit-tree "$TREE" -p HEAD -m "boocode checkpoint") ` +
    `&& git update-ref ${ref} "$SHA" && rm -f "$TMP" && printf '%s' "$SHA"`
  );
 }
 export interface CreateCheckpointArgs {
  chatId: string;
  sessionId: string | null;
  worktreeId: string | null;
  worktreePath: string;
  messageId: string | null;
  label?: string | null;
 }
 /**
 * Capture a pre-turn checkpoint of the session worktree. Best-effort: returns the
 * inserted row's { id, commit_sha } on success, or null on any failure (the turn
 * proceeds either way — a missing checkpoint just means no restore point for that
 * turn). NEVER throws.
 *
 * The id is minted up front so the git ref name (`refs/boocode/checkpoints/<id>`)
 * matches the DB row id, keeping ref and row in lockstep.
 */
 export async function createCheckpoint(
  sql: Sql,
  args: CreateCheckpointArgs,
  opts?: { signal?: AbortSignal; log?: FastifyBaseLogger },
 ): Promise<{ id: string; commit_sha: string } | null> {
  const id = randomUUID();
  try {
    const cmd = buildShadowCommitCommand(args.worktreePath, id);
    const res = await hostExec(cmd, { signal: opts?.signal, timeoutMs: 30_000 });
    if (res.exitCode !== 0) {
      opts?.log?.warn(
        { chatId: args.chatId, worktreePath: args.worktreePath, stderr: res.stderr.trim().slice(0, 500) },
        'checkpoint: shadow-commit failed (turn proceeds without a checkpoint)',
      );
      return null;
    }
    const commitSha = res.stdout.trim();
    if (!commitSha) {
      opts?.log?.warn(
        { chatId: args.chatId, worktreePath: args.worktreePath },
        'checkpoint: shadow-commit produced no SHA (turn proceeds)',
      );
      return null;
    }
    await sql`
      INSERT INTO checkpoints (id, chat_id, session_id, worktree_id, message_id, commit_sha, label)
      VALUES (${id}, ${args.chatId}, ${args.sessionId}, ${args.worktreeId}, ${args.messageId}, ${commitSha}, ${args.label ?? null})
    `;
    opts?.log?.info({ checkpointId: id, chatId: args.chatId, commitSha }, 'checkpoint: created');
    return { id, commit_sha: commitSha };
  } catch (err) {
    opts?.log?.warn(
      { chatId: args.chatId, err: err instanceof Error ? err.message : String(err) },
      'checkpoint: create threw (turn proceeds without a checkpoint)',
    );
    return null;
  }
 }
 /** Error the route maps to a 404 when the checkpoint can't be resolved / scoped. */
 export class CheckpointNotFoundError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'CheckpointNotFoundError';
  }
 }
 export interface RestoreCheckpointResult {
  checkpoint_id: string;
  messages_deleted: number;
  worktree_reset: boolean;
  backend_reset: boolean;
 }
 export interface RestoreCheckpointOpts {
  signal?: AbortSignal;
  log?: FastifyBaseLogger;
  /** If set, the checkpoint MUST belong to this session (route scope guard). */
  sessionId?: string;
 }
 interface CheckpointRow {
  id: string;
  chat_id: string;
  session_id: string | null;
  worktree_id: string | null;
  message_id: string | null;
  commit_sha: string;
  created_at: Date;
 }
 /**
 * Restore a checkpoint: rewind its worktree to the shadow commit, trim the
 * transcript from the anchor message forward, reset the backend session, and drop
 * now-orphaned later checkpoints. Throws CheckpointNotFoundError when the
 * checkpoint is missing or not in the requested session (route → 404).
 */
 export async function restoreCheckpoint(
  sql: Sql,
  checkpointId: string,
  opts?: RestoreCheckpointOpts,
 ): Promise<RestoreCheckpointResult> {
  // 1. Resolve the checkpoint.
  const [cp] = await sql<CheckpointRow[]>`
    SELECT id, chat_id, session_id, worktree_id, message_id, commit_sha, created_at
    FROM checkpoints WHERE id = ${checkpointId}
  `;
  if (!cp) {
    throw new CheckpointNotFoundError('checkpoint not found');
  }
  // Authorization scope (fail-safe): the checkpoint's chat must belong to the
  // requested session. cp.session_id is a denormalized hint that may be null, so
  // gating on it directly fails open — resolve the owning session via chats
  // (authoritative; chat_id is NOT NULL) and deny on any mismatch or missing row.
  if (opts?.sessionId) {
    const [owner] = await sql<{ session_id: string | null }[]>`
      SELECT session_id FROM chats WHERE id = ${cp.chat_id}
    `;
    if (!owner || owner.session_id !== opts.sessionId) {
      throw new CheckpointNotFoundError('checkpoint not in session');
    }
  }
  // 2. Resolve the worktree path (by worktree_id, else the session's active one).
  let worktreePath: string | null = null;
  if (cp.worktree_id) {
    const [wt] = await sql<{ path: string }[]>`
      SELECT path FROM worktrees WHERE id = ${cp.worktree_id}
    `;
    worktreePath = wt?.path ?? null;
  }
  if (!worktreePath) {
    const sid = cp.session_id ?? opts?.sessionId ?? null;
    if (sid) {
      const [wt] = await sql<{ path: string }[]>`
        SELECT path FROM worktrees WHERE session_id = ${sid} AND status = 'active' LIMIT 1
      `;
      worktreePath = wt?.path ?? null;
    }
  }
  // 3. Worktree reset — hard-reset to the shadow commit, then clean untracked.
  let worktreeReset = false;
  if (worktreePath) {
    const resetRes = await hostExec(
      `git -C ${shellEscape(worktreePath)} reset --hard ${shellEscape(cp.commit_sha)}`,
      { signal: opts?.signal, timeoutMs: 30_000 },
    ).catch((err) => {
      opts?.log?.warn(
        { checkpointId, err: err instanceof Error ? err.message : String(err) },
        'checkpoint restore: reset --hard threw',
      );
      return null;
    });
    if (resetRes && resetRes.exitCode === 0) {
      const cleanRes = await hostExec(
        `git -C ${shellEscape(worktreePath)} clean -fd`,
        { signal: opts?.signal, timeoutMs: 30_000 },
      ).catch(() => null);
      worktreeReset = cleanRes != null && cleanRes.exitCode === 0;
      if (!worktreeReset) {
        opts?.log?.warn({ checkpointId, worktreePath }, 'checkpoint restore: clean -fd did not succeed');
      }
    } else {
      opts?.log?.warn(
        { checkpointId, worktreePath, stderr: resetRes?.stderr?.trim()?.slice(0, 500) },
        'checkpoint restore: reset --hard did not succeed',
      );
    }
  } else {
    opts?.log?.warn({ checkpointId }, 'checkpoint restore: no worktree path resolved (files not reset)');
  }
  // 4. Trim the transcript from the anchor message forward. message_parts FK to
  //    messages is ON DELETE CASCADE (apps/server schema.sql:49), so parts are
  //    removed with their messages — no explicit parts delete needed.
  let messagesDeleted = 0;
  if (cp.message_id) {
    const deleted = await sql<{ id: string }[]>`
      DELETE FROM messages
      WHERE chat_id = ${cp.chat_id}
        AND created_at >= (SELECT created_at FROM messages WHERE id = ${cp.message_id})
      RETURNING id
    `;
    messagesDeleted = deleted.length;
  }
  // 5. Backend reset — mark the chat's agent sessions crashed so the next turn
  //    re-establishes a fresh backend, and evict the live pool session(s) for this
  //    (chat, agent). Warm backends hold context server-side with no partial
  //    rewind, so a full reset is the only consistent option (proposal §4).
  const agentRows = await sql<{ agent: string; backend: string; agent_session_id: string | null; session_id: string | null; worktree_id: string | null }[]>`
    SELECT agent, backend, agent_session_id, session_id, worktree_id
    FROM agent_sessions WHERE chat_id = ${cp.chat_id}
  `;
  await sql`
    UPDATE agent_sessions SET status = 'crashed' WHERE chat_id = ${cp.chat_id}
  `.catch(() => {});
  let backendReset = false;
  try {
    // opencode runs on the SHARED server (keyed on a sentinel, not the chat) — close
    // just this chat's session(s) on it, mirroring the lifecycle close-hook.
    const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
    if (ocBackend) {
      for (const row of agentRows) {
        if (row.backend !== 'opencode_server' || !row.agent_session_id) continue;
        const handle: AgentSessionHandle = {
          sessionId: row.session_id ?? '',
          agent: row.agent,
          backend: 'opencode_server',
          chatId: cp.chat_id,
          worktreeId: row.worktree_id ?? '',
          agentSessionId: row.agent_session_id,
          serverPort: null,
        };
        await ocBackend.closeSession(handle).catch((err) => {
          opts?.log?.warn(
            { checkpointId, err: err instanceof Error ? err.message : String(err) },
            'checkpoint restore: opencode closeSession threw',
          );
        });
      }
    }
    // Warm-ACP backends are pooled under the chat id — dispose them (kills the
    // goose/qwen child). closeChat skips busy backends (a live turn isn't torn down).
    const disposed = await agentPool.closeChat(cp.chat_id);
    backendReset = true;
    opts?.log?.info({ checkpointId, chatId: cp.chat_id, disposed }, 'checkpoint restore: backend reset');
  } catch (err) {
    opts?.log?.warn(
      { checkpointId, err: err instanceof Error ? err.message : String(err) },
      'checkpoint restore: backend reset threw',
    );
  }
  // 6. Drop now-orphaned later checkpoints for this chat (their anchor messages were
  //    just trimmed). Compare `created_at` SERVER-SIDE via a subquery (NOT the JS
  //    Date round-trip, which truncates the stored microsecond precision to ms and
  //    would make this checkpoint delete ITSELF), and exclude this checkpoint's own
  //    id so it always survives — letting the user re-restore to it.
  await sql`
    DELETE FROM checkpoints
    WHERE chat_id = ${cp.chat_id}
      AND id <> ${cp.id}
      AND created_at > (SELECT created_at FROM checkpoints WHERE id = ${cp.id})
  `.catch(() => {});
  return {
    checkpoint_id: checkpointId,
    messages_deleted: messagesDeleted,
    worktree_reset: worktreeReset,
    backend_reset: backendReset,
  };
 }
--- a/apps/coder/src/services/claude-command-discovery.ts
+++ b/apps/coder/src/services/claude-command-discovery.ts
@@ -0,0 +1,108 @@
 /**
 * v2.5.11: discover Claude Code's real, enabled commands + plugin skills from
 * disk so the coder slash menu shows them (claude is PTY — no ACP discovery).
 *
 * Scope (v1): user-global only — `~/.claude/commands/*.md` plus the enabled
 * plugins listed in `~/.claude/settings.json:enabledPlugins` (user-scope install
 * paths from `~/.claude/plugins/.../installed_plugins.json`). Project-local
 * plugins and `<cwd>/.claude/commands` are deferred. Names are bare.
 */
 import { readFileSync, readdirSync, existsSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { join } from 'node:path';
 import type { AgentCommand } from './provider-types.js';
 /** Minimal frontmatter reader — single-line `key: value` between `---` fences. */
 function frontmatterField(content: string, field: string): string | undefined {
  const block = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
  if (!block?.[1]) return undefined;
  const m = block[1].match(new RegExp(`^${field}:\\s*(.+)$`, 'm'));
  return m?.[1]?.trim().replace(/^["']|["']$/g, '') || undefined;
 }
 function readCommandDir(dir: string): AgentCommand[] {
  if (!existsSync(dir)) return [];
  let files: string[];
  try {
    files = readdirSync(dir);
  } catch {
    return [];
  }
  const out: AgentCommand[] = [];
  for (const f of files) {
    if (!f.endsWith('.md')) continue;
    let description: string | undefined;
    try {
      description = frontmatterField(readFileSync(join(dir, f), 'utf8'), 'description');
    } catch {
      /* unreadable — still list the command by name */
    }
    out.push({ name: f.slice(0, -3), kind: 'command', ...(description ? { description } : {}) });
  }
  return out;
 }
 function readSkillDir(dir: string): AgentCommand[] {
  if (!existsSync(dir)) return [];
  let entries: string[];
  try {
    entries = readdirSync(dir);
  } catch {
    return [];
  }
  const out: AgentCommand[] = [];
  for (const sub of entries) {
    const skillMd = join(dir, sub, 'SKILL.md');
    if (!existsSync(skillMd)) continue;
    let content: string;
    try {
      content = readFileSync(skillMd, 'utf8');
    } catch {
      continue;
    }
    out.push({
      name: frontmatterField(content, 'name') ?? sub,
      kind: 'skill',
      ...(() => {
        const d = frontmatterField(content, 'description');
        return d ? { description: d } : {};
      })(),
    });
  }
  return out;
 }
 export function discoverClaudeCommands(): AgentCommand[] {
  const root = join(homedir(), '.claude');
  const out: AgentCommand[] = [];
  // User custom commands.
  out.push(...readCommandDir(join(root, 'commands')));
  // Enabled plugins (user-scope installs).
  try {
    const settings = JSON.parse(readFileSync(join(root, 'settings.json'), 'utf8')) as {
      enabledPlugins?: Record<string, boolean>;
    };
    const installed = JSON.parse(
      readFileSync(join(root, 'plugins', 'installed_plugins.json'), 'utf8'),
    ) as { plugins?: Record<string, Array<{ scope?: string; installPath?: string }>> };
    const enabled = settings.enabledPlugins ?? {};
    const plugins = installed.plugins ?? {};
    for (const [key, on] of Object.entries(enabled)) {
      if (!on) continue;
      const installs = plugins[key] ?? [];
      const installPath = (installs.find((i) => i.scope === 'user') ?? installs[0])?.installPath;
      if (!installPath || !existsSync(installPath)) continue;
      out.push(...readSkillDir(join(installPath, 'skills')));
      out.push(...readCommandDir(join(installPath, 'commands')));
    }
  } catch {
    /* missing/unreadable plugin config → user commands only */
  }
  // Dedupe by name (first wins).
  const seen = new Set<string>();
  return out.filter((c) => (seen.has(c.name) ? false : (seen.add(c.name), true)));
 }
--- a/apps/coder/src/services/command-availability.ts
+++ b/apps/coder/src/services/command-availability.ts
@@ -0,0 +1,22 @@
 /**
 * v2.3 phase 2: tier-1 fast availability check — is a binary on PATH?
 *
 * Uses execFile (NO shell) because the binary name can come from the provider
 * config file (custom ACP entries) — mirrors the Phase 1 agent-probe hardening.
 * Note: agent-probe's `whichBinary` returns the resolved path (it needs it for
 * `install_path`); this returns a boolean. Kept separate rather than over-
 * refactored into one helper — different return contracts, two short call sites.
 */
 import { execFile as execFileCb } from 'node:child_process';
 import { promisify } from 'node:util';
 const execFile = promisify(execFileCb);
 export async function isCommandAvailable(binary: string): Promise<boolean> {
  try {
    const { stdout } = await execFile('which', [binary], { timeout: 10_000 });
    return stdout.trim().length > 0;
  } catch {
    return false;
  }
 }
--- a/apps/coder/src/services/cursor-models.ts
+++ b/apps/coder/src/services/cursor-models.ts
@@ -1,39 +0,0 @@
 /**
 * Cursor model list parser — lifted from Paseo cursor-acp-agent.ts
 */
 import type { ProviderModel } from './provider-types.js';
 const CURSOR_MODEL_MARKER_PATTERN = /\s+\((?:default|current)\)$/;
 export function parseCursorAgentModelsOutput(output: string): ProviderModel[] {
  const parsed = output
    .split(/\r?\n/)
    .map((line) => line.trim())
    .filter((line) => line && line !== 'Available models' && !line.startsWith('Tip:'))
    .map((line) => {
      const separatorIndex = line.indexOf(' - ');
      if (separatorIndex <= 0) return null;
      const id = line.slice(0, separatorIndex).trim();
      const rawLabel = line.slice(separatorIndex + 3).trim();
      if (!id || !rawLabel) return null;
      let marker: 'default' | 'current' | null = null;
      if (rawLabel.endsWith(' (default)')) marker = 'default';
      else if (rawLabel.endsWith(' (current)')) marker = 'current';
      return { id, label: rawLabel.replace(CURSOR_MODEL_MARKER_PATTERN, ''), marker };
    })
    .filter((m): m is { id: string; label: string; marker: 'default' | 'current' | null } => m !== null);
  const defaultModelId =
    parsed.find((m) => m.marker === 'default')?.id ??
    parsed.find((m) => m.marker === 'current')?.id ??
    parsed[0]?.id;
  return parsed.map((model) => ({
    id: model.id,
    label: model.label,
    isDefault: model.id === defaultModelId,
  }));
 }
--- a/apps/coder/src/services/dcp-strip.ts
+++ b/apps/coder/src/services/dcp-strip.ts
@@ -0,0 +1,77 @@
 /**
 * Strip opencode-dcp plugin tags (`<dcp-message-id>mNNNN</dcp-message-id>`) that
 * the @tarquinen/opencode-dcp plugin appends to assistant text and which
 * otherwise render as literal text in the UI.
 *
 * Why a streaming stripper and not a per-chunk `.replace()`: opencode streams
 * assistant text token-by-token, so the tag arrives SPLIT across many SSE deltas
 * (`<dcp`, `-message`, `-id>`, `m0019`, `</dcp`, …). A per-chunk regex never sees
 * a complete tag in any single fragment, so the fragments pass through and the
 * dispatcher reassembles the full tag in the persisted/displayed content. The
 * stripper below buffers across chunks: it emits everything that cannot be part
 * of a forming tag and holds back only a trailing partial-tag prefix until the
 * next chunk resolves it — without holding back legitimate `<…>` content.
 */
 const DCP_TAG_RE = /<dcp-message-id>[^<]*<\/dcp-message-id>/g;
 const OPEN = '<dcp-message-id>';
 const CLOSE = '</dcp-message-id>';
 /** One-shot strip of COMPLETE tags. Safe for non-streaming / final content. */
 export function stripDcpTags(s: string): string {
  return s.replace(DCP_TAG_RE, '');
 }
 /**
 * Could `tail` (a substring starting at a `<`) still grow into a complete dcp
 * tag on a future chunk? If so the caller must hold it back rather than emit it.
 * Returns false for unrelated `<` content (`<div>`, `<T>`, …) so those stream
 * normally.
 */
 function isPartialDcp(tail: string): boolean {
  // A prefix of the opening marker: '<', '<d', …, '<dcp-message-id'.
  if (OPEN.startsWith(tail)) return true;
  // Opening marker fully seen — content (and maybe a forming close) still streaming.
  if (tail.startsWith(OPEN)) {
    const rest = tail.slice(OPEN.length);
    const lt = rest.indexOf('<');
    if (lt === -1) return true; // still inside the [^<]* content run
    return CLOSE.startsWith(rest.slice(lt)); // a partial close marker forming
  }
  return false;
 }
 export interface DcpStreamStripper {
  /** Feed one text chunk; returns the portion safe to emit now (may be ''). */
  push(chunk: string): string;
  /** Stream end: returns whatever was held back, with complete tags stripped. */
  flush(): string;
 }
 /** Stateful, cross-chunk-safe dcp stripper. One instance per turn. */
 export function makeDcpStreamStripper(): DcpStreamStripper {
  let buf = '';
  return {
    push(chunk: string): string {
      buf += chunk;
      buf = buf.replace(DCP_TAG_RE, ''); // drop any now-complete tags
      // Find the earliest `<` whose suffix is a forming dcp tag; hold from there,
      // emit everything before it (real text, including unrelated `<…>`).
      for (let i = buf.indexOf('<'); i !== -1; i = buf.indexOf('<', i + 1)) {
        if (isPartialDcp(buf.slice(i))) {
          const emit = buf.slice(0, i);
          buf = buf.slice(i);
          return emit;
        }
      }
      const emit = buf;
      buf = '';
      return emit;
    },
    flush(): string {
      const out = stripDcpTags(buf);
      buf = '';
      return out;
    },
  };
 }
--- a/apps/coder/src/services/dispatcher.ts
+++ b/apps/coder/src/services/dispatcher.ts
@@ -3,12 +3,21 @@ import type { FastifyBaseLogger } from 'fastify';
 import type { Broker } from '@boocode/server/broker';
 import type { WsFrame } from '@boocode/server/ws-frames';
 import type { Config } from '../config.js';
-import { createWorktree, diffWorktree, cleanupWorktree } from './worktrees.js';
+import { createWorktree, diffWorktree, cleanupWorktree, ensureSessionWorktree } from './worktrees.js';
 import { createCheckpoint } from './checkpoints.js';
 import { makeDcpStreamStripper } from './dcp-strip.js';
 import { dispatchViaAcp } from './acp-dispatch.js';
 import { getResolvedRegistry } from './provider-config-registry.js';
 import { dispatchViaPty } from './pty-dispatch.js';
 import { clearTaskCommands, setTaskCommands } from './agent-commands-cache.js';
 import { getManifestCommands } from './provider-commands.js';
 import { persistExternalAgentTurn } from './agent-turn-persist.js';
 import { snapshotToWireToolCall, type AcpToolSnapshot } from './acp-tool-snapshot.js';
 import { agentPool, OPENCODE_POOL_KEY } from './agent-pool.js';
 import { OpenCodeServerBackend } from './backends/opencode-server.js';
 import { WarmAcpBackend } from './backends/warm-acp.js';
 import { shouldUseWarmBackend } from './backends/warm-acp-routing.js';
 import type { AgentBackend, AgentEvent } from './agent-backend.js';
 interface InferenceRunner {
  enqueue: (sessionId: string, chatId: string, assistantId: string, user: string) => void;
@@ -24,20 +33,45 @@ interface Deps {
  config: Config;
 }
-const POLL_INTERVAL_MS = 5_000;
+// LISTEN/NOTIFY ('tasks_new') is the fast path — the dispatcher reacts to new
 // tasks immediately. The poll is only a safety net for notifications missed
 // during a listen-connection drop (porsager auto-reconnects), so it can stay slow.
 const POLL_INTERVAL_MS = 2_000;
 const COMPLETION_POLL_MS = 2_000;
 export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<void> } {
  const { sql, inference, broker, log, config } = deps;
  let timer: ReturnType<typeof setInterval> | null = null;
-  let running = false;
+  let listener: { unlisten: () => Promise<void> } | null = null;
  let polling = false;
  let stopping = false;
-  let inflightPromise: Promise<void> | null = null;
+  // v2.6 (1.9): per-session in-flight registry replaces the global `running`
  // boolean. Key = session_id (or `task:<id>` for sessionless tasks). Sessions
  // without an in-flight turn run concurrently; within a session, strictly one
  // turn at a time.
  const inflight = new Map<string, Promise<void>>();
  // Shared entry point for both the poll timer and the NOTIFY listener. poll()'s
  // `polling`/`stopping` guard makes this safe to call concurrently — a notify
  // arriving mid-poll returns immediately and never double-dispatches.
  function triggerPoll(reason: string): void {
    poll().catch((err) => {
      log.error({ err, reason }, 'dispatcher: poll error');
    });
  }
  function concurrencyKey(task: { id: string; session_id: string | null }): string {
    return task.session_id ?? `task:${task.id}`;
  }
  async function poll(): Promise<void> {
-    if (running || stopping) return;
+    // `polling` serializes poll() execution itself (timer + NOTIFY can fire
-
+    // concurrently) so we never double-select a task. It does NOT serialize task
-    // Grab one pending task
+    // execution — that's what `inflight` (keyed per session) governs.
    if (polling || stopping) return;
    polling = true;
    try {
      // Oldest-first; start every pending task whose session isn't already busy.
      const rows = await sql<{
        id: string;
        project_id: string;
@@ -47,21 +81,28 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        mode_id: string | null;
        thinking_option_id: string | null;
        session_id: string | null;
        chat_id: string | null;
      }[]>`
-      SELECT id, project_id, input, agent, model, mode_id, thinking_option_id, session_id
+        SELECT id, project_id, input, agent, model, mode_id, thinking_option_id, session_id, chat_id
        FROM tasks
        WHERE state = 'pending'
        ORDER BY created_at
-      LIMIT 1
+        LIMIT 50
      `;
-    if (rows.length === 0) return;
+      for (const task of rows) {
-
+        if (stopping) break;
-    const task = rows[0]!;
+        const key = concurrencyKey(task);
-    running = true;
+        if (inflight.has(key)) continue; // this session already has an in-flight turn
-    inflightPromise = runTask(task).finally(() => {
+        // Register synchronously (before any await) so a later row in this pass
-      running = false;
+        // with the same key is skipped and a concurrent poll can't re-pick it.
-      inflightPromise = null;
+        const p = runTask(task).finally(() => {
          inflight.delete(key);
        });
        inflight.set(key, p);
      }
    } finally {
      polling = false;
    }
  }
  async function runTask(task: {
@@ -73,6 +114,7 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
    mode_id: string | null;
    thinking_option_id: string | null;
    session_id: string | null;
    chat_id: string | null;
  }): Promise<void> {
    const taskId = task.id;
@@ -82,7 +124,18 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        SELECT name, supports_acp, install_path FROM available_agents WHERE name = ${task.agent}
      `;
      if (agentRow) {
        // v2.6 (1.7): opencode routes to its warm HTTP-server backend.
        // v2.6 Phase 2 (2.4): goose/qwen route to the warm ACP backend WHEN the
        // task came from a real chat tab (session_id + chat_id) — shouldUseWarmBackend.
        // Session-less creators (arena, MCP, new_task, generic /api/tasks) keep the
        // existing one-shot worktree-per-task ACP/PTY path untouched.
        if (task.agent === 'opencode') {
          await runOpenCodeServerTask(task, agentRow.install_path);
        } else if (shouldUseWarmBackend(task)) {
          await runWarmAcpTask(task, agentRow.install_path);
        } else {
          await runExternalAgent(task, agentRow.supports_acp, agentRow.install_path);
        }
        return;
      }
      // Agent specified but not available — fall through to Path A with a warning
@@ -306,6 +359,16 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      `;
      const assistantId = assistantMsg!.id;
      // write-edit-robustness #4: pre-turn worktree checkpoint (best-effort; a
      // failure logs and never breaks dispatch). This path uses a per-task worktree
      // (createWorktree, not the session worktree), so there's no worktrees-table id
      // — pass null for worktreeId, the path is enough for restore's reset.
      await createCheckpoint(
        sql,
        { chatId, sessionId, worktreeId: null, worktreePath, messageId: assistantId },
        { signal: ac.signal, log },
      ).catch(() => null);
      broker.publishFrame(sessionId, {
        type: 'message_started',
        message_id: assistantId,
@@ -327,6 +390,7 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      if (supportsAcp) {
        const result = await dispatchViaAcp({
          agent,
          resolved: getResolvedRegistry().get(agent),
          task: task.input,
          worktreePath,
          installPath: installPath ?? undefined,
@@ -395,10 +459,11 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      const diff = await diffWorktree(worktreePath, projectPath, { signal: ac.signal });
      if (diff) {
-        // Queue a single pending_change entry with the full unified diff
+        // Queue a single pending_change entry with the full unified diff, stamped
        // with the dispatched agent for DiffPanel attribution (v2.6 Phase 1-UX).
        await sql`
-          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
+          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
-          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff})
+          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff}, ${agent})
        `;
        log.info({ taskId, diffLength: diff.length }, 'dispatcher: diff queued as pending change');
      } else {
@@ -441,6 +506,567 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
    }
  }
  // ─── Path B (opencode): warm OpenCode server backend (v2.6 1.7 + 1.10) ───────
  // OpenCode runs ONE server per BooCoder process, shared across all sessions
  // (the backend multiplexes sessions internally), so it's pooled under a fixed
  // key (OPENCODE_POOL_KEY, shared with the lifecycle close-hook) rather than
  // per-session. Warm ACP backends (Phase 2) are per (chat, agent).
  function getOpenCodeBackend(installPath: string | null): AgentBackend {
    let backend = agentPool.get(OPENCODE_POOL_KEY, 'opencode');
    if (!backend) {
      backend = new OpenCodeServerBackend({ sql, log, opencodeBinary: installPath ?? 'opencode' });
      agentPool.register(OPENCODE_POOL_KEY, 'opencode', backend);
    }
    return backend;
  }
  async function runOpenCodeServerTask(
    task: {
      id: string;
      project_id: string;
      input: string;
      agent: string | null;
      model: string | null;
      mode_id: string | null;
      thinking_option_id: string | null;
      session_id: string | null;
      chat_id: string | null;
    },
    installPath: string | null,
  ): Promise<void> {
    const taskId = task.id;
    const agent = 'opencode';
    log.info({ taskId, agent }, 'dispatcher: starting task (path B — opencode server)');
    const [project] = await sql<{ path: string | null }[]>`
      SELECT path FROM projects WHERE id = ${task.project_id}
    `;
    const projectPath = project?.path;
    if (!projectPath) {
      await sql`
        UPDATE tasks
        SET state = 'failed', ended_at = clock_timestamp(), output_summary = 'Project has no path — cannot create worktree'
        WHERE id = ${taskId}
      `;
      return;
    }
    const ac = new AbortController();
    try {
      // execution_path = 'acp' — the schema CHECK has no 'opencode_server' value
      // (schema is frozen at Phase 0); the warm-vs-one-shot distinction lives in
      // agent_sessions.backend. Reuse the closest existing value.
      await sql`
        UPDATE tasks
        SET state = 'running', started_at = clock_timestamp(), execution_path = 'acp'
        WHERE id = ${taskId}
      `;
      // Resolve session + chat. P1.5-b: the chat (tab) is the context key, so the
      // chat_id MUST be non-null and stable before ensureSession. The coder message
      // route + skills route stamp task.chat_id with the frontend tab's chat — use
      // it directly. Session-less creators (arena, MCP, new_task, generic
      // /api/tasks) leave it null; fall back to resolving/creating a real chat so
      // ensureSession never receives a degenerate (null, agent) key.
      let sessionId: string;
      let chatId: string;
      if (task.chat_id && task.session_id) {
        sessionId = task.session_id;
        chatId = task.chat_id;
      } else if (task.session_id) {
        sessionId = task.session_id;
        const chats = await sql<{ id: string }[]>`
          SELECT id FROM chats WHERE session_id = ${sessionId} AND status = 'open' ORDER BY created_at DESC LIMIT 1
        `;
        if (chats.length === 0) {
          const [chat] = await sql<{ id: string }[]>`
            INSERT INTO chats (session_id, name, status)
            VALUES (${sessionId}, 'External agent execution', 'open')
            RETURNING id
          `;
          chatId = chat!.id;
        } else {
          chatId = chats[0]!.id;
        }
      } else {
        const sessionName = `Task [${agent}]: ${task.input.slice(0, 30)}`;
        const [session] = await sql<{ id: string }[]>`
          INSERT INTO sessions (project_id, name, model, status)
          VALUES (${task.project_id}, ${sessionName}, ${task.model ?? config.DEFAULT_MODEL}, 'open')
          RETURNING id
        `;
        sessionId = session!.id;
        const [chat] = await sql<{ id: string }[]>`
          INSERT INTO chats (session_id, name, status)
          VALUES (${sessionId}, 'External agent execution', 'open')
          RETURNING id
        `;
        chatId = chat!.id;
        await sql`UPDATE tasks SET session_id = ${sessionId} WHERE id = ${taskId}`;
      }
      if (!task.session_id) {
        await sql`
          INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
          VALUES (${sessionId}, ${chatId}, 'user', ${task.input}, 'complete', clock_timestamp())
        `;
      }
      // Persistent, session-keyed worktree (shared across turns; NOT torn down
      // per turn — Phase 3 reaps it). Captures base_commit for a stable diff.
      const { worktreeId, worktreePath, baseCommit } = await ensureSessionWorktree(sql, projectPath, sessionId, {
        signal: ac.signal,
      });
      log.info({ taskId, worktreePath }, 'dispatcher: session worktree ready');
      const [assistantMsg] = await sql<{ id: string }[]>`
        INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', clock_timestamp())
        RETURNING id
      `;
      const assistantId = assistantMsg!.id;
      // write-edit-robustness #4: pre-turn checkpoint of the persistent session
      // worktree (best-effort; never breaks dispatch). worktreeId comes from the
      // worktrees table (ensureSessionWorktree above).
      await createCheckpoint(
        sql,
        { chatId, sessionId, worktreeId, worktreePath, messageId: assistantId },
        { signal: ac.signal, log },
      ).catch(() => null);
      broker.publishFrame(sessionId, {
        type: 'message_started',
        message_id: assistantId,
        chat_id: chatId,
        role: 'assistant',
      } as WsFrame);
      const manifestCommands = getManifestCommands(agent);
      if (manifestCommands.length > 0) {
        setTaskCommands(taskId, manifestCommands);
        broker.publishFrame(sessionId, {
          type: 'agent_commands',
          task_id: taskId,
          session_id: sessionId,
          commands: manifestCommands,
        } as WsFrame);
      }
      // Accumulate the turn's stream for persistence + the final message content.
      const textChunks: string[] = [];
      const reasoningChunks: string[] = [];
      const toolSnaps = new Map<string, AcpToolSnapshot>();
      // opencode's dcp plugin appends <dcp-message-id>…</dcp-message-id> to the
      // text, streamed split across deltas — a per-chunk regex misses it (see
      // dcp-strip.ts). Buffer text through a cross-chunk stripper so neither the
      // live `delta` frames nor the persisted content ever carry the tag.
      const dcp = makeDcpStreamStripper();
      // Map transport-agnostic AgentEvents → the SAME WS frames the ACP path emits.
      // This boundary is where message_id/chat_id get attached (the backend never
      // owns them).
      const onEvent = (e: AgentEvent): void => {
        switch (e.type) {
          case 'text': {
            const safe = dcp.push(e.text);
            if (safe) {
              textChunks.push(safe);
              broker.publishFrame(sessionId, {
                type: 'delta',
                message_id: assistantId,
                chat_id: chatId,
                content: safe,
              } as WsFrame);
            }
            break;
          }
          case 'reasoning':
            reasoningChunks.push(e.text);
            broker.publishFrame(sessionId, {
              type: 'reasoning_delta',
              message_id: assistantId,
              chat_id: chatId,
              content: e.text,
            } as WsFrame);
            break;
          case 'tool_call':
          case 'tool_update':
            toolSnaps.set(e.toolCall.toolCallId, e.toolCall);
            broker.publishFrame(sessionId, {
              type: 'tool_call',
              message_id: assistantId,
              chat_id: chatId,
              tool_call: snapshotToWireToolCall(e.toolCall),
            } as WsFrame);
            break;
          case 'commands':
            // opencode-server doesn't emit these today; ignore if it ever does.
            break;
        }
      };
      // opencode expects provider-prefixed model ids (e.g. 'llama-swap/qwen3.6-35b…').
      // DEFAULT_MODEL is bare (no prefix) because native inference uses it directly
      // against llama-swap. Coalesce empty string (frontend sends '' when no models
      // listed) and prefix bare ids so parseModel always succeeds.
      const rawModel = (task.model && task.model.trim()) || config.DEFAULT_MODEL;
      const model = rawModel.includes('/') ? rawModel : `llama-swap/${rawModel}`;
      const backend = getOpenCodeBackend(installPath);
      const handle = await backend.ensureSession(sessionId, {
        agent,
        model,
        chatId,
        worktreePath,
        worktreeId,
        projectId: task.project_id,
      });
      const result = await backend.prompt(handle, task.input, {
        worktreePath,
        model,
        signal: ac.signal,
        onEvent,
      });
      // Phase 3: keep the pooled backend's slot warm across this (possibly long)
      // turn so the idle sweep measures from turn END, not start.
      agentPool.touch(OPENCODE_POOL_KEY, agent);
      // Flush any text held back mid-tag at stream end (complete tags stripped).
      const dcpTail = dcp.flush();
      if (dcpTail) {
        textChunks.push(dcpTail);
        broker.publishFrame(sessionId, {
          type: 'delta',
          message_id: assistantId,
          chat_id: chatId,
          content: dcpTail,
        } as WsFrame);
      }
      const assistantContent = textChunks.join('').slice(0, 50_000);
      const reasoningText = reasoningChunks.join('').slice(0, 200_000);
      const outputSummary = (result.ok ? textChunks.join('') : result.error ?? 'opencode turn failed').slice(0, 500);
      await persistExternalAgentTurn(sql, assistantId, [...toolSnaps.values()], reasoningText);
      await sql`
        UPDATE messages
        SET content = ${assistantContent}, status = 'complete', finished_at = clock_timestamp()
        WHERE id = ${assistantId}
      `;
      broker.publishFrame(sessionId, {
        type: 'message_complete',
        message_id: assistantId,
        chat_id: chatId,
      } as WsFrame);
      if (stopping) {
        await sql`UPDATE tasks SET state = 'cancelled', ended_at = clock_timestamp() WHERE id = ${taskId}`;
        return; // worktree persists (no cleanup); backend stays warm
      }
      // 1.10: diff the persistent worktree against its captured baseline and
      // SUPERSEDE the session's prior pending row (latest-wins, one accumulating
      // diff) instead of stacking. Stamp agent for DiffPanel attribution.
      const diff = await diffWorktree(worktreePath, projectPath, {
        signal: ac.signal,
        baseRef: baseCommit ?? 'HEAD',
      });
      if (diff) {
        await sql`
          DELETE FROM pending_changes WHERE session_id = ${sessionId} AND status = 'pending'
        `;
        await sql`
          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff}, ${agent})
        `;
        log.info({ taskId, diffLength: diff.length }, 'dispatcher: diff superseded prior pending change');
      } else {
        log.info({ taskId }, 'dispatcher: no changes detected in session worktree');
      }
      // NO worktree cleanup — it's persistent (Phase 3 reaps it). Backend stays warm.
      const [extCostRow] = await sql<{ total: number | null }[]>`
        SELECT SUM(tokens_used)::int AS total
        FROM messages
        WHERE session_id = ${sessionId} AND tokens_used IS NOT NULL
      `;
      const extCostTokens = extCostRow?.total ?? null;
      const finalState = result.ok ? 'completed' : 'failed';
      await sql`
        UPDATE tasks
        SET state = ${finalState}, ended_at = clock_timestamp(), output_summary = ${outputSummary}, cost_tokens = ${extCostTokens}
        WHERE id = ${taskId}
      `;
      log.info({ taskId, agent, finalState, costTokens: extCostTokens }, 'dispatcher: task finished (opencode server)');
      clearTaskCommands(taskId);
    } catch (err) {
      const errMsg = err instanceof Error ? err.message : String(err);
      log.error({ taskId, agent, err: errMsg }, 'dispatcher: opencode server error');
      await sql`
        UPDATE tasks
        SET state = 'failed', ended_at = clock_timestamp(), output_summary = ${errMsg.slice(0, 500)}
        WHERE id = ${taskId}
      `.catch(() => {});
      clearTaskCommands(taskId);
      // No worktree cleanup (persistent); backend stays warm for the next turn.
    }
  }
  // ─── Path B (warm ACP): goose / qwen warm backend (v2.6 Phase 2) ─────────────
  // Warm ACP backends are per (chat, agent): each owns ONE stdio process + ACP
  // connection + session. Pool key = chatId; the AgentPool's secondary key is the
  // agent. This mirrors agent_sessions' (chat_id, agent) PK.
  function getWarmAcpBackend(chatId: string, agent: string, installPath: string | null): WarmAcpBackend {
    let backend = agentPool.get(chatId, agent);
    if (!backend) {
      backend = new WarmAcpBackend({
        sql,
        log,
        chatId,
        agent,
        installPath,
        resolved: getResolvedRegistry().get(agent),
      });
      agentPool.register(chatId, agent, backend);
    }
    return backend as WarmAcpBackend;
  }
  async function runWarmAcpTask(
    task: {
      id: string;
      project_id: string;
      input: string;
      agent: string | null;
      model: string | null;
      mode_id: string | null;
      thinking_option_id: string | null;
      session_id: string | null;
      chat_id: string | null;
    },
    installPath: string | null,
  ): Promise<void> {
    const taskId = task.id;
    const agent = task.agent!;
    // shouldUseWarmBackend guarantees both non-null before we get here.
    const sessionId = task.session_id!;
    const chatId = task.chat_id!;
    log.info({ taskId, agent, chatId }, 'dispatcher: starting task (path B — warm ACP)');
    const [project] = await sql<{ path: string | null }[]>`
      SELECT path FROM projects WHERE id = ${task.project_id}
    `;
    const projectPath = project?.path;
    if (!projectPath) {
      await sql`
        UPDATE tasks
        SET state = 'failed', ended_at = clock_timestamp(), output_summary = 'Project has no path — cannot create worktree'
        WHERE id = ${taskId}
      `;
      return;
    }
    const ac = new AbortController();
    try {
      await sql`
        UPDATE tasks
        SET state = 'running', started_at = clock_timestamp(), execution_path = 'acp'
        WHERE id = ${taskId}
      `;
      // Persistent, session-keyed worktree (shared across turns + agents; NOT torn
      // down per turn — Phase 3 reaps it). Same as the opencode-server path so a
      // chat that switches opencode↔goose↔qwen shares one worktree.
      const { worktreeId, worktreePath, baseCommit } = await ensureSessionWorktree(sql, projectPath, sessionId, {
        signal: ac.signal,
      });
      log.info({ taskId, worktreePath }, 'dispatcher: session worktree ready (warm ACP)');
      const [assistantMsg] = await sql<{ id: string }[]>`
        INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', clock_timestamp())
        RETURNING id
      `;
      const assistantId = assistantMsg!.id;
      // write-edit-robustness #4: pre-turn checkpoint of the persistent session
      // worktree (best-effort; never breaks dispatch). Same worktree the opencode
      // path uses — a chat that switches opencode↔goose↔qwen shares one worktree.
      await createCheckpoint(
        sql,
        { chatId, sessionId, worktreeId, worktreePath, messageId: assistantId },
        { signal: ac.signal, log },
      ).catch(() => null);
      broker.publishFrame(sessionId, {
        type: 'message_started',
        message_id: assistantId,
        chat_id: chatId,
        role: 'assistant',
      } as WsFrame);
      const manifestCommands = getManifestCommands(agent);
      if (manifestCommands.length > 0) {
        setTaskCommands(taskId, manifestCommands);
        broker.publishFrame(sessionId, {
          type: 'agent_commands',
          task_id: taskId,
          session_id: sessionId,
          commands: manifestCommands,
        } as WsFrame);
      }
      // Accumulate the turn's stream for persistence + the final message content.
      const textChunks: string[] = [];
      const reasoningChunks: string[] = [];
      const toolSnaps = new Map<string, AcpToolSnapshot>();
      // Map transport-agnostic AgentEvents → the SAME WS frames the one-shot ACP
      // path emits (identical to runOpenCodeServerTask's onEvent). No dcp stripping:
      // that's an opencode-plugin artifact; goose/qwen don't emit dcp tags.
      const onEvent = (e: AgentEvent): void => {
        switch (e.type) {
          case 'text':
            textChunks.push(e.text);
            broker.publishFrame(sessionId, {
              type: 'delta',
              message_id: assistantId,
              chat_id: chatId,
              content: e.text,
            } as WsFrame);
            break;
          case 'reasoning':
            reasoningChunks.push(e.text);
            broker.publishFrame(sessionId, {
              type: 'reasoning_delta',
              message_id: assistantId,
              chat_id: chatId,
              content: e.text,
            } as WsFrame);
            break;
          case 'tool_call':
          case 'tool_update':
            toolSnaps.set(e.toolCall.toolCallId, e.toolCall);
            broker.publishFrame(sessionId, {
              type: 'tool_call',
              message_id: assistantId,
              chat_id: chatId,
              tool_call: snapshotToWireToolCall(e.toolCall),
            } as WsFrame);
            break;
          case 'commands':
            if (e.commands.length > 0) {
              setTaskCommands(taskId, e.commands);
              broker.publishFrame(sessionId, {
                type: 'agent_commands',
                task_id: taskId,
                session_id: sessionId,
                commands: e.commands,
              } as WsFrame);
            }
            break;
        }
      };
      const model = task.model ?? undefined;
      const backend = getWarmAcpBackend(chatId, agent, installPath);
      const handle = await backend.ensureSession(sessionId, {
        agent,
        model: model ?? '',
        chatId,
        worktreePath,
        worktreeId,
        projectId: task.project_id,
      });
      const result = await backend.prompt(handle, task.input, {
        worktreePath,
        model: model ?? '',
        signal: ac.signal,
        onEvent,
        taskId,
        modeId: task.mode_id ?? undefined,
      });
      // Phase 3: keep the pooled (chat,agent) backend warm across the turn.
      agentPool.touch(chatId, agent);
      const assistantContent = textChunks.join('').slice(0, 50_000);
      const reasoningText = reasoningChunks.join('').slice(0, 200_000);
      const outputSummary = (result.ok ? textChunks.join('') : result.error ?? 'warm ACP turn failed').slice(0, 500);
      await persistExternalAgentTurn(sql, assistantId, [...toolSnaps.values()], reasoningText);
      await sql`
        UPDATE messages
        SET content = ${assistantContent}, status = 'complete', finished_at = clock_timestamp()
        WHERE id = ${assistantId}
      `;
      broker.publishFrame(sessionId, {
        type: 'message_complete',
        message_id: assistantId,
        chat_id: chatId,
      } as WsFrame);
      if (stopping) {
        await sql`UPDATE tasks SET state = 'cancelled', ended_at = clock_timestamp() WHERE id = ${taskId}`;
        return; // worktree persists (no cleanup); backend stays warm
      }
      // Diff the persistent worktree against its captured baseline and SUPERSEDE
      // the session's prior pending row (latest-wins) — identical to opencode.
      const diff = await diffWorktree(worktreePath, projectPath, {
        signal: ac.signal,
        baseRef: baseCommit ?? 'HEAD',
      });
      if (diff) {
        await sql`
          DELETE FROM pending_changes WHERE session_id = ${sessionId} AND status = 'pending'
        `;
        await sql`
          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff}, ${agent})
        `;
        log.info({ taskId, diffLength: diff.length }, 'dispatcher: diff superseded prior pending change (warm ACP)');
      } else {
        log.info({ taskId }, 'dispatcher: no changes detected in session worktree (warm ACP)');
      }
      // NO worktree cleanup — persistent (Phase 3 reaps it). Backend stays warm.
      const [extCostRow] = await sql<{ total: number | null }[]>`
        SELECT SUM(tokens_used)::int AS total
        FROM messages
        WHERE session_id = ${sessionId} AND tokens_used IS NOT NULL
      `;
      const extCostTokens = extCostRow?.total ?? null;
      const finalState = result.ok ? 'completed' : 'failed';
      await sql`
        UPDATE tasks
        SET state = ${finalState}, ended_at = clock_timestamp(), output_summary = ${outputSummary}, cost_tokens = ${extCostTokens}
        WHERE id = ${taskId}
      `;
      log.info({ taskId, agent, finalState }, 'dispatcher: task finished (warm ACP)');
      clearTaskCommands(taskId);
    } catch (err) {
      const errMsg = err instanceof Error ? err.message : String(err);
      log.error({ taskId, agent, err: errMsg }, 'dispatcher: warm ACP error');
      await sql`
        UPDATE tasks
        SET state = 'failed', ended_at = clock_timestamp(), output_summary = ${errMsg.slice(0, 500)}
        WHERE id = ${taskId}
      `.catch(() => {});
      clearTaskCommands(taskId);
      // No worktree cleanup (persistent); backend stays warm for the next turn.
    }
  }
  // ─── Helpers ────────────────────────────────────────────────────────────────
  async function waitForCompletion(assistantId: string): Promise<string> {
@@ -463,12 +1089,28 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
  return {
    start() {
-      log.info('dispatcher: starting poll loop');
+      log.info('dispatcher: starting poll loop + tasks_new listener');
-      timer = setInterval(() => {
+
-        poll().catch((err) => {
+      // Fallback poll — catches notifications missed while the listen connection
-          log.error({ err }, 'dispatcher: poll error');
+      // was down. The fast path is the NOTIFY listener below.
      timer = setInterval(() => triggerPoll('interval'), POLL_INTERVAL_MS);
      // Fast path: react immediately to new tasks. porsager reserves a dedicated
      // connection and auto-resubscribes on reconnect; the onlisten callback
      // fires on each (re)subscribe, so we kick a catch-up poll there too to
      // sweep up anything inserted during a disconnect.
      sql
        .listen(
          'tasks_new',
          () => triggerPoll('notify'),
          () => triggerPoll('listen-subscribed'),
        )
        .then((meta) => {
          listener = meta;
        })
        .catch((err) => {
          log.error({ err }, 'dispatcher: failed to LISTEN tasks_new — relying on poll fallback');
        });
      }, POLL_INTERVAL_MS);
    },
    async stop() {
@@ -477,9 +1119,15 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        clearInterval(timer);
        timer = null;
      }
-      if (inflightPromise) {
+      if (listener) {
-        log.info('dispatcher: waiting for in-flight task');
+        await listener.unlisten().catch((err) => {
-        await inflightPromise;
+          log.error({ err }, 'dispatcher: unlisten error');
        });
        listener = null;
      }
      if (inflight.size > 0) {
        log.info({ count: inflight.size }, 'dispatcher: waiting for in-flight tasks');
        await Promise.allSettled([...inflight.values()]);
      }
      log.info('dispatcher: stopped');
    },
--- a/apps/coder/src/services/fuzzy-match.ts
+++ b/apps/coder/src/services/fuzzy-match.ts
@@ -0,0 +1,271 @@
 // Fuzzy patch locator for staged edits.
 //
 // Local quantized models (qwen3.6 and friends) frequently reproduce an
 // `old_string` with small, semantically-irrelevant drift: trailing whitespace,
 // a different indent width, or "smart" unicode punctuation (curly quotes, an
 // en/em-dash, a non-breaking space) where the source has the plain ASCII form.
 // An exact `String.includes` then fails and the queued edit is lost even though
 // a human would say it obviously matches.
 //
 // `locateMatch` walks a ladder of progressively looser strategies and returns
 // the real `[start, end)` byte-offset span in the ORIGINAL content so the caller
 // can splice in `new_string` over the true file text (preserving the file's own
 // whitespace/unicode, not the model's drifted copy). The ladder stops at the
 // first strategy that resolves to a single span:
 //
 //   1. exact            — indexOf; >1 hit is reported `ambiguous` (we refuse to
 //                         guess which occurrence the model meant).
 //   2. per-line ws      — line-window compare ignoring per-line trailing
 //                         whitespace and leading/trailing blank needle lines.
 //   3. unicode canon    — same line-window compare after folding smart
 //                         punctuation to ASCII on both sides; the match is
 //                         mapped back to original offsets.
 //   4. levenshtein      — best line-window by normalized edit-distance
 //                         similarity; accepted only at >= SIMILARITY_THRESHOLD.
 //
 // Pure and dependency-free (Levenshtein is the standard iterative two-row DP),
 // reimplemented from the general technique — no vendored source.
 export type MatchResult =
  | { kind: 'exact' | 'fuzzy'; start: number; end: number } // [start,end) offsets into content
  | { kind: 'ambiguous'; count: number }
  | { kind: 'not_found' };
 /** Levenshtein similarity floor for the final fuzzy fallback (strategy 4). */
 export const SIMILARITY_THRESHOLD = 0.66;
 export function locateMatch(content: string, needle: string): MatchResult {
  // Empty needle has no meaningful match.
  if (needle.length === 0) return { kind: 'not_found' };
  // --- 1. Exact ----------------------------------------------------------------
  const exact = locateExact(content, needle);
  if (exact) return exact;
  // --- 2. Per-line whitespace-insensitive -------------------------------------
  const ws = locateByLineWindow(content, needle);
  if (ws) return ws;
  // --- 3. Unicode-canonicalized whitespace pass -------------------------------
  const canon = locateCanonical(content, needle);
  if (canon) return canon;
  // --- 4. Levenshtein similarity ----------------------------------------------
  const lev = locateByLevenshtein(content, needle);
  if (lev) return lev;
  return { kind: 'not_found' };
 }
 // --- Strategy 1: exact -------------------------------------------------------
 function locateExact(content: string, needle: string): MatchResult | null {
  const first = content.indexOf(needle);
  if (first === -1) return null;
  const second = content.indexOf(needle, first + 1);
  if (second === -1) {
    return { kind: 'exact', start: first, end: first + needle.length };
  }
  // Count all occurrences so the caller can report a useful number.
  let count = 2;
  let idx = content.indexOf(needle, second + 1);
  while (idx !== -1) {
    count++;
    idx = content.indexOf(needle, idx + 1);
  }
  return { kind: 'ambiguous', count };
 }
 // --- Line-window machinery ---------------------------------------------------
 interface Line {
  /** Raw line text (no trailing newline). */
  text: string;
  /** Offset of the first char of this line in the original content. */
  start: number;
  /** Offset one past the last char of this line (before its newline, if any). */
  end: number;
 }
 /**
 * Split content into lines, tracking each line's real offset span. The span
 * EXCLUDES the trailing newline so consecutive line spans plus their newlines
 * exactly reconstruct the content; the match span we hand back covers from the
 * first matched line's start through the last matched line's end (i.e. without a
 * trailing newline), which is what an in-place splice wants.
 */
 function splitLines(content: string): Line[] {
  const lines: Line[] = [];
  let start = 0;
  for (let i = 0; i <= content.length; i++) {
    if (i === content.length || content[i] === '\n') {
      lines.push({ text: content.slice(start, i), start, end: i });
      start = i + 1;
    }
  }
  return lines;
 }
 /** Strip leading/trailing all-blank lines; returns the trimmed slice. */
 function trimBlankLines(lines: string[]): string[] {
  let lo = 0;
  let hi = lines.length;
  while (lo < hi && lines[lo]!.trim() === '') lo++;
  while (hi > lo && lines[hi - 1]!.trim() === '') hi--;
  return lines.slice(lo, hi);
 }
 /**
 * Find a contiguous window of content lines whose trailing-whitespace-trimmed
 * text equals the needle's (blank-trimmed) lines. Returns the real offset span
 * over the matched content lines, or null if zero match. Multiple matches →
 * ambiguous. `normalize` lets the caller fold unicode before comparing.
 */
 function locateByLineWindow(
  content: string,
  needle: string,
  normalize: (s: string) => string = (s) => s,
 ): MatchResult | null {
  const contentLines = splitLines(content);
  const needleLines = trimBlankLines(needle.split('\n'));
  const n = needleLines.length;
  if (n === 0) return null;
  // A single needle line that is itself blank can't be located meaningfully.
  if (n === 1 && needleLines[0]!.trim() === '') return null;
  const needleKey = needleLines.map((l) => normalize(l.trimEnd())).join('\n');
  const hits: Array<{ start: number; end: number }> = [];
  for (let i = 0; i + n <= contentLines.length; i++) {
    const windowKey = contentLines
      .slice(i, i + n)
      .map((l) => normalize(l.text.trimEnd()))
      .join('\n');
    if (windowKey === needleKey) {
      hits.push({ start: contentLines[i]!.start, end: contentLines[i + n - 1]!.end });
    }
  }
  if (hits.length === 0) return null;
  if (hits.length > 1) return { kind: 'ambiguous', count: hits.length };
  return { kind: 'fuzzy', start: hits[0]!.start, end: hits[0]!.end };
 }
 // --- Strategy 3: unicode canonicalization ------------------------------------
 /**
 * Fold smart punctuation to its ASCII equivalent. Crucially this is a
 * length-PRESERVING, per-character map (every replacement is one char → one
 * char), so an offset into the canonical string is also a valid offset into the
 * original — letting strategy 3 reuse the line-window matcher and still hand
 * back true original-content offsets.
 */
 function canonicalizeChar(ch: string): string {
  switch (ch) {
    // single quotes / apostrophes
    case '‘': // '
    case '’': // '
    case '‚': // ‚
    case '‛': // ‛
      return "'";
    // double quotes
    case '“': // "
    case '”': // "
    case '„': // „
    case '‟': // ‟
      return '"';
    // dashes
    case '–': // – en dash
    case '—': // — em dash
    case '‒': // ‒ figure dash
    case '―': // ― horizontal bar
    case '−': // − minus sign
      return '-';
    // spaces
    case ' ': // nbsp
    case ' ': // figure space
    case ' ': // narrow nbsp
      return ' ';
    default:
      return ch;
  }
 }
 function canonicalize(s: string): string {
  let out = '';
  for (const ch of s) out += canonicalizeChar(ch);
  return out;
 }
 function locateCanonical(content: string, needle: string): MatchResult | null {
  // Only worth running if canonicalization actually changes something on either
  // side — otherwise it's identical to strategy 2 which already failed.
  const canonContent = canonicalize(content);
  const canonNeedle = canonicalize(needle);
  if (canonContent === content && canonNeedle === needle) return null;
  // Offsets are preserved (length-preserving fold), so a match on the canonical
  // content maps directly back to the original.
  return locateByLineWindow(canonContent, canonNeedle);
 }
 // --- Strategy 4: Levenshtein similarity --------------------------------------
 /** Standard iterative two-row Levenshtein edit distance. */
 function levenshtein(a: string, b: string): number {
  if (a === b) return 0;
  if (a.length === 0) return b.length;
  if (b.length === 0) return a.length;
  let prev = new Array<number>(b.length + 1);
  let curr = new Array<number>(b.length + 1);
  for (let j = 0; j <= b.length; j++) prev[j] = j;
  for (let i = 1; i <= a.length; i++) {
    curr[0] = i;
    const ac = a.charCodeAt(i - 1);
    for (let j = 1; j <= b.length; j++) {
      const cost = ac === b.charCodeAt(j - 1) ? 0 : 1;
      curr[j] = Math.min(
        prev[j]! + 1, // deletion
        curr[j - 1]! + 1, // insertion
        prev[j - 1]! + cost, // substitution
      );
    }
    [prev, curr] = [curr, prev];
  }
  return prev[b.length]!;
 }
 /** Normalized similarity in [0,1]: 1 - dist / max(len). */
 function similarity(a: string, b: string): number {
  const maxLen = Math.max(a.length, b.length);
  if (maxLen === 0) return 1;
  return 1 - levenshtein(a, b) / maxLen;
 }
 function locateByLevenshtein(content: string, needle: string): MatchResult | null {
  const contentLines = splitLines(content);
  const needleLines = trimBlankLines(needle.split('\n'));
  const n = needleLines.length;
  if (n === 0) return null;
  if (contentLines.length < n) return null;
  const needleJoined = needleLines.map((l) => l.trim()).join('\n');
  let best = -1;
  let bestSpan: { start: number; end: number } | null = null;
  for (let i = 0; i + n <= contentLines.length; i++) {
    const window = contentLines.slice(i, i + n);
    const windowJoined = window.map((l) => l.text.trim()).join('\n');
    const score = similarity(windowJoined, needleJoined);
    if (score > best) {
      best = score;
      bestSpan = { start: window[0]!.start, end: window[n - 1]!.end };
    }
  }
  if (bestSpan && best >= SIMILARITY_THRESHOLD) {
    return { kind: 'fuzzy', start: bestSpan.start, end: bestSpan.end };
  }
  return null;
 }
--- a/apps/coder/src/services/orphan-worktree-reaper.ts
+++ b/apps/coder/src/services/orphan-worktree-reaper.ts
@@ -0,0 +1,170 @@
 /**
 * v2.6 Phase 3 (3.4) — orphan worktree reaper.
 *
 * Reclaims on-disk session worktree dirs under WORKTREE_BASE that have NO live
 * (`status='active'`) row in the `worktrees` table — leaks from a crash between
 * `git worktree add` and the DB insert, a missed chat-close hook, or a manual rm
 * of the DB row. Extends the periodic-sweeper pattern (apps/server's truncation +
 * stale-streaming reaper).
 *
 * SAFETY (Paseo worktree-archive cascade + superset destroy-saga lift): before
 * removing ANY dir, run `checkWorktreeWorkAtRisk` — a dirty / unpushed / unmerged
 * worktree is SKIPPED (logged), never force-removed. The pure orphan-target
 * selection (which dirs are candidates) lives in
 * `backends/lifecycle-decisions.ts:selectOrphanWorktreeTargets` and is unit-tested;
 * this module does the DB read + fs stat + git preflight + removal side-effects.
 *
 * The mtime grace (default 1h) means a dir mid-`ensureSessionWorktree` (created on
 * disk, row not yet committed) is never swept — the grace window covers the gap.
 */
 import { readdir, stat } from 'node:fs/promises';
 import { join } from 'node:path';
 import type { FastifyBaseLogger } from 'fastify';
 import type { Sql } from '../db.js';
 import { WORKTREE_BASE, checkWorktreeWorkAtRisk } from './worktrees.js';
 import { hostExec } from './host-exec.js';
 import {
  selectOrphanWorktreeTargets,
  DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
 } from './backends/lifecycle-decisions.js';
 export interface OrphanWorktreeReaperDeps {
  sql: Sql;
  log: FastifyBaseLogger;
  intervalMs: number;
  graceMs?: number;
 }
 export interface OrphanReaperResult {
  scanned: number;
  candidates: number;
  reaped: string[];
  skippedAtRisk: string[];
 }
 /** Single-pass reap: select orphan candidates, preflight at-risk, remove the safe. */
 export async function reapOrphanWorktrees(
  sql: Sql,
  log: FastifyBaseLogger,
  graceMs: number = DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
  now: number = Date.now(),
 ): Promise<OrphanReaperResult> {
  // Enumerate on-disk session worktree dirs (`sess-*`). Per-task worktrees
  // (arena/new_task/MCP) are cleaned up inline by the one-shot path, so we only
  // own the persistent session dirs the warm paths leave behind.
  let dirents: string[];
  try {
    dirents = await readdir(WORKTREE_BASE);
  } catch {
    return { scanned: 0, candidates: 0, reaped: [], skippedAtRisk: [] }; // base absent → nothing to do
  }
  const onDisk: { path: string; mtimeMs: number }[] = [];
  for (const name of dirents) {
    if (!name.startsWith('sess-')) continue; // only persistent session worktrees
    const path = join(WORKTREE_BASE, name);
    try {
      const s = await stat(path);
      if (!s.isDirectory()) continue;
      onDisk.push({ path, mtimeMs: s.mtimeMs });
    } catch {
      // vanished between readdir and stat — skip
    }
  }
  // Live worktree paths from the DB (active rows only — archived/removed rows are
  // not "live", so their leftover dirs are reapable orphans).
  const liveRows = await sql<{ path: string }[]>`
    SELECT path FROM worktrees WHERE status = 'active'
  `;
  const live = new Set(liveRows.map((r) => r.path));
  const candidates = selectOrphanWorktreeTargets(onDisk, live, now, graceMs);
  const reaped: string[] = [];
  const skippedAtRisk: string[] = [];
  for (const path of candidates) {
    // Preflight: never reap work at risk. A git error forces atRisk=true (fail
    // closed), so a half-broken worktree is kept, not silently destroyed.
    const risk = await checkWorktreeWorkAtRisk(path);
    if (risk.atRisk) {
      skippedAtRisk.push(path);
      log.warn({ path, dirty: risk.dirty, unmerged: risk.unmerged, error: risk.error }, 'orphan-reaper: skipping at-risk orphan worktree');
      continue;
    }
    const removed = await removeOrphanDir(path);
    if (removed) reaped.push(path);
  }
  if (reaped.length > 0 || skippedAtRisk.length > 0) {
    log.info({ scanned: onDisk.length, candidates: candidates.length, reaped, skippedAtRisk }, 'orphan-reaper: pass complete');
  }
  return { scanned: onDisk.length, candidates: candidates.length, reaped, skippedAtRisk };
 }
 /**
 * Remove a single orphan worktree dir. Resolve its main repo via the git
 * common-dir, run `worktree remove --force` from there + prune, then rm the dir as
 * a backstop. Best-effort: every step is independently fault-tolerant so a partial
 * state (dir present, git untracked) still gets reclaimed.
 */
 async function removeOrphanDir(path: string): Promise<boolean> {
  // Find the owning repo (the common git dir's parent). When the dir isn't a valid
  // worktree anymore, this fails and we fall back to a plain rm.
  const common = await hostExec(
    `git -C ${shellEscape(path)} rev-parse --path-format=absolute --git-common-dir`,
    { timeoutMs: 10_000 },
  ).catch(() => null);
  const commonDir = common && common.exitCode === 0 ? common.stdout.trim() : '';
  // The repo worktree root is the parent of the .git common dir (strip trailing /.git).
  const repoRoot = commonDir.replace(/\/\.git\/?$/, '').replace(/\/\.git$/, '');
  if (repoRoot && repoRoot !== commonDir) {
    await hostExec(
      `git -C ${shellEscape(repoRoot)} worktree remove ${shellEscape(path)} --force`,
      { timeoutMs: 15_000 },
    ).catch(() => {});
    await hostExec(
      `git -C ${shellEscape(repoRoot)} worktree prune`,
      { timeoutMs: 10_000 },
    ).catch(() => {});
  }
  // Backstop: ensure the dir is gone even if the git remove no-op'd.
  const rm = await hostExec(`rm -rf ${shellEscape(path)}`, { timeoutMs: 15_000 }).catch(() => null);
  return rm != null && rm.exitCode === 0;
 }
 /** Minimal single-quote shell escape (mirrors worktrees.ts). */
 function shellEscape(s: string): string {
  return "'" + s.replace(/'/g, "'\\''") + "'";
 }
 /** Periodic orphan-worktree reaper, started/stopped by the bootstrap. Unref'd. */
 export function createOrphanWorktreeReaper(deps: OrphanWorktreeReaperDeps): { start(): void; stop(): void } {
  const { sql, log, intervalMs } = deps;
  const graceMs = deps.graceMs ?? DEFAULT_ORPHAN_WORKTREE_GRACE_MS;
  let timer: ReturnType<typeof setInterval> | null = null;
  let running = false;
  return {
    start() {
      if (timer) return;
      timer = setInterval(() => {
        if (running) return; // a slow pass must not overlap the next tick
        running = true;
        void reapOrphanWorktrees(sql, log, graceMs)
          .catch((err) => log.warn({ err: err instanceof Error ? err.message : String(err) }, 'orphan-reaper: pass error'))
          .finally(() => {
            running = false;
          });
      }, intervalMs);
      timer.unref?.();
      log.info({ intervalMs, graceMs }, 'orphan-reaper: started');
    },
    stop() {
      if (timer) {
        clearInterval(timer);
        timer = null;
      }
    },
  };
 }
--- a/apps/coder/src/services/pending_changes.ts
+++ b/apps/coder/src/services/pending_changes.ts
@@ -2,6 +2,7 @@ import { readFile, writeFile, unlink, mkdir } from 'node:fs/promises';
 import { dirname } from 'node:path';
 import type { Sql } from '../db.js';
 import { resolveWritePath } from './write_guard.js';
 import { locateMatch } from './fuzzy-match.js';
 // --- Types -------------------------------------------------------------------
@@ -13,6 +14,10 @@ export interface PendingChange {
  operation: 'create' | 'edit' | 'delete';
  diff: string;
  status: 'pending' | 'applied' | 'rejected' | 'reverted';
  // v2.6 Phase 1-UX: which agent staged this change (DiffPanel attribution).
  // Native boocode write tools stamp 'boocode'; the manual RightRail create path
  // passes null (renders as "manual"). NULL on legacy rows queued pre-v2.6.
  agent: string | null;
  created_at: string;
 }
@@ -34,13 +39,17 @@ export async function queueEdit(
  oldString: string,
  newString: string,
  projectRoot: string,
  // v2.6 Phase 1-UX: attribution. Defaults to 'boocode' because the only callers
  // that omit it are the native write tools (edit_file/create_file/delete_file).
  // Pass null explicitly for the manual RightRail create path.
  agent: string | null = 'boocode',
 ): Promise<PendingChange> {
  const resolved = resolveWritePath(projectRoot, filePath);
  const diff = JSON.stringify({ old: oldString, new: newString });
  const [row] = await sql<PendingChange[]>`
-    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
+    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
-    VALUES (${sessionId}, ${taskId}, ${resolved}, 'edit', ${diff})
+    VALUES (${sessionId}, ${taskId}, ${resolved}, 'edit', ${diff}, ${agent})
    RETURNING *
  `;
  return row!;
@@ -53,12 +62,15 @@ export async function queueCreate(
  filePath: string,
  content: string,
  projectRoot: string,
  // See queueEdit: defaults to 'boocode' for the native write tools; the manual
  // RightRail create route passes null.
  agent: string | null = 'boocode',
 ): Promise<PendingChange> {
  const resolved = resolveWritePath(projectRoot, filePath);
  const [row] = await sql<PendingChange[]>`
-    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
+    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
-    VALUES (${sessionId}, ${taskId}, ${resolved}, 'create', ${content})
+    VALUES (${sessionId}, ${taskId}, ${resolved}, 'create', ${content}, ${agent})
    RETURNING *
  `;
  return row!;
@@ -70,12 +82,14 @@ export async function queueDelete(
  taskId: string | null,
  filePath: string,
  projectRoot: string,
  // See queueEdit: defaults to 'boocode' for the native write tools.
  agent: string | null = 'boocode',
 ): Promise<PendingChange> {
  const resolved = resolveWritePath(projectRoot, filePath);
  const [row] = await sql<PendingChange[]>`
-    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
+    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
-    VALUES (${sessionId}, ${taskId}, ${resolved}, 'delete', '')
+    VALUES (${sessionId}, ${taskId}, ${resolved}, 'delete', '', ${agent})
    RETURNING *
  `;
  return row!;
@@ -108,10 +122,18 @@ export async function applyOne(
      case 'edit': {
        const { old: oldStr, new: newStr } = JSON.parse(change.diff) as { old: string; new: string };
        const content = await readFile(change.file_path, 'utf8');
-        if (!content.includes(oldStr)) {
+        const match = locateMatch(content, oldStr);
-          throw new Error('old_string not found in file — file may have changed since the edit was queued');
+        if (match.kind === 'ambiguous') {
          throw new Error(
            `old_string matches ${match.count} locations — add surrounding context to disambiguate`,
          );
        }
-        const updated = content.replace(oldStr, newStr);
+        if (match.kind === 'not_found') {
          throw new Error(
            'old_string not found in file (even fuzzily) — file may have changed since the edit was queued',
          );
        }
        const updated = content.slice(0, match.start) + newStr + content.slice(match.end);
        await writeFile(change.file_path, updated, 'utf8');
        break;
      }
@@ -190,10 +212,18 @@ export async function rewindOne(
        // Reverse an edit: swap old and new
        const { old: oldStr, new: newStr } = JSON.parse(change.diff) as { old: string; new: string };
        const content = await readFile(change.file_path, 'utf8');
-        if (!content.includes(newStr)) {
+        const match = locateMatch(content, newStr);
-          throw new Error('new_string not found in file — cannot rewind; file may have been modified since apply');
+        if (match.kind === 'ambiguous') {
          throw new Error(
            `new_string matches ${match.count} locations — cannot rewind; add surrounding context to disambiguate`,
          );
        }
-        const reverted = content.replace(newStr, oldStr);
+        if (match.kind === 'not_found') {
          throw new Error(
            'new_string not found in file (even fuzzily) — cannot rewind; file may have been modified since apply',
          );
        }
        const reverted = content.slice(0, match.start) + oldStr + content.slice(match.end);
        await writeFile(change.file_path, reverted, 'utf8');
        break;
      }
--- a/apps/coder/src/services/provider-commands.ts
+++ b/apps/coder/src/services/provider-commands.ts
@@ -27,13 +27,6 @@ const OPENCODE_COMMANDS: AgentCommand[] = [
  { name: 'export', description: 'Export session' },
 ];
 const CURSOR_COMMANDS: AgentCommand[] = [
  { name: 'help', description: 'Show available slash commands' },
  { name: 'clear', description: 'Clear conversation' },
  { name: 'compact', description: 'Compact context' },
  { name: 'resume', description: 'Resume a prior session' },
 ];
 const GOOSE_COMMANDS: AgentCommand[] = [
  { name: 'help', description: 'Show available commands' },
  { name: 'clear', description: 'Clear conversation' },
@@ -49,23 +42,12 @@ const QWEN_COMMANDS: AgentCommand[] = [
  { name: 'review', description: 'Review changes' },
 ];
 const COPILOT_COMMANDS: AgentCommand[] = [
  { name: 'help', description: 'Show available commands' },
  { name: 'explain', description: 'Explain selected code' },
  { name: 'fix', description: 'Fix issues in context' },
  { name: 'tests', description: 'Generate or run tests' },
  { name: 'doc', description: 'Generate documentation' },
  { name: 'clear', description: 'Clear conversation' },
 ];
 /** boocode harness uses /api/skills — merged on the frontend. */
 export const PROVIDER_COMMANDS: Record<string, AgentCommand[]> = {
  claude: CLAUDE_COMMANDS,
  opencode: OPENCODE_COMMANDS,
  cursor: CURSOR_COMMANDS,
  goose: GOOSE_COMMANDS,
  qwen: QWEN_COMMANDS,
  copilot: COPILOT_COMMANDS,
  boocode: [],
 };
--- a/apps/coder/src/services/provider-config-registry.ts
+++ b/apps/coder/src/services/provider-config-registry.ts
@@ -0,0 +1,133 @@
 /**
 * v2.3 resolved provider registry — single in-memory source of truth after
 * merging the hardcoded built-ins (provider-registry.ts) with the config file
 * (provider-config.ts). Mirrors Paseo's buildProviderRegistry/addDerivedProviders.
 *
 * Phase 1 scope: build + expose the resolved registry. `launchCommand` is null
 * for built-ins (the default argv is resolved at dispatch time in Phase 3) and
 * is the config `command` for custom ACP entries. No DB columns (design.md §3.3);
 * `enabled` lives in memory only.
 */
 import type { ProviderDef } from './provider-registry.js';
 import { PROVIDERS } from './provider-registry.js';
 import { load, type CoderProvidersFile } from './provider-config.js';
 export interface ResolvedProviderDef extends ProviderDef {
  id: string;
  enabled: boolean;
  isBuiltin: boolean;
  isCustomAcp: boolean;
  /** Full argv for spawn: [binary, ...args]. Null for built-ins (resolved at dispatch). */
  launchCommand: [string, ...string[]] | null;
  env: Record<string, string> | undefined;
  configLabel?: string;
  configDescription?: string;
  /** Config `models` — REPLACES the discovered/static model list when present. */
  configModels?: Array<{ id: string; label: string }>;
  /** Config `additionalModels` — MERGED on top of the resolved model list. */
  configAdditionalModels?: Array<{ id: string; label: string }>;
 }
 /**
 * Merge built-ins with config overrides into the resolved registry.
 * Algorithm verbatim from design.md §3.1.
 */
 export function buildResolvedRegistry(
  builtins: ProviderDef[],
  config: CoderProvidersFile,
 ): Map<string, ResolvedProviderDef> {
  const out = new Map<string, ResolvedProviderDef>();
  const overrides = config.providers ?? {};
  const builtinNames = new Set(builtins.map((b) => b.name));
  // 1. Built-ins, applying a config override if one is present.
  for (const def of builtins) {
    const ov = overrides[def.name];
    let enabled = ov?.enabled !== false;
    // 3. boocode is always enabled; an enabled:false override is ignored + warned.
    if (def.name === 'boocode' && ov?.enabled === false) {
      console.warn("provider-config: ignoring enabled:false for built-in 'boocode' (always enabled)");
      enabled = true;
    }
    const launchCommand =
      ov?.command && ov.command.length > 0 ? (ov.command as [string, ...string[]]) : null;
    out.set(def.name, {
      ...def,
      label: ov?.label ?? def.label,
      id: def.name,
      enabled,
      isBuiltin: true,
      isCustomAcp: false,
      launchCommand,
      env: ov?.env,
      configLabel: ov?.label,
      configDescription: ov?.description,
      configModels: ov?.models,
      configAdditionalModels: ov?.additionalModels,
    });
  }
  // 2. Config ids that are not built-ins → custom ACP entries.
  for (const [id, ov] of Object.entries(overrides)) {
    if (builtinNames.has(id)) continue;
    // §2.2 rules: "New id without extends → Reject at load with log."
    if (ov.extends !== 'acp' || !ov.label || !ov.command || ov.command.length === 0) {
      console.warn(
        `provider-config: skipping custom provider '${id}' — requires extends:'acp', label, and command`,
      );
      continue;
    }
    out.set(id, {
      name: id,
      label: ov.label,
      transport: 'acp',
      modelSource: 'probe',
      id,
      enabled: ov.enabled !== false,
      isBuiltin: false,
      isCustomAcp: true,
      launchCommand: ov.command as [string, ...string[]],
      env: ov.env,
      configLabel: ov.label,
      configDescription: ov.description,
      configModels: ov.models,
      configAdditionalModels: ov.additionalModels,
    });
  }
  return out;
 }
 // --- Module singleton ---------------------------------------------------------
 let cachedRegistry: Map<string, ResolvedProviderDef> | null = null;
 let cachedPath: string | null = null;
 /** Load the config file at `path`, rebuild, and cache the resolved registry. */
 export function loadProviderConfig(path: string): Map<string, ResolvedProviderDef> {
  cachedPath = path;
  cachedRegistry = buildResolvedRegistry(PROVIDERS, load(path));
  return cachedRegistry;
 }
 /** Re-read the last-loaded config file and rebuild (Phase 4 calls this after PATCH). */
 export function reloadProviderConfig(): Map<string, ResolvedProviderDef> {
  if (cachedPath == null) {
    cachedRegistry = buildResolvedRegistry(PROVIDERS, { providers: {} });
    return cachedRegistry;
  }
  return loadProviderConfig(cachedPath);
 }
 /** The cached resolved registry (built-ins only if nothing has been loaded yet). */
 export function getResolvedRegistry(): Map<string, ResolvedProviderDef> {
  return cachedRegistry ?? buildResolvedRegistry(PROVIDERS, { providers: {} });
 }
 /** Resolved provider ids in registry order. */
 export function getResolvedProviderIds(): string[] {
  return [...getResolvedRegistry().keys()];
 }
--- a/apps/coder/src/services/provider-config.ts
+++ b/apps/coder/src/services/provider-config.ts
@@ -0,0 +1,100 @@
 /**
 * v2.3 provider config file (`/data/coder-providers.json`) — schema + loader.
 *
 * Layers config-backed overrides/custom-ACP entries over the hardcoded built-ins
 * (see provider-config-registry.ts). Loading NEVER throws at startup (design.md
 * §2.1): a missing file, invalid JSON, or schema mismatch all fall back to
 * `{ providers: {} }` (built-ins only, all enabled).
 */
 import { readFileSync, writeFileSync } from 'node:fs';
 import { z } from 'zod';
 // Schemas verbatim from design.md §2.2.
 export const ProviderOverrideSchema = z.object({
  extends: z.enum(['acp']).optional(), // v2.3: only 'acp' for custom; built-ins omit extends
  label: z.string().min(1).optional(),
  description: z.string().optional(),
  command: z.array(z.string().min(1)).min(1).optional(), // [binary, ...args]
  env: z.record(z.string()).optional(),
  enabled: z.boolean().optional(), // default true
  order: z.number().int().optional(), // UI sort key
  models: z.array(z.object({ id: z.string(), label: z.string() })).optional(),
  additionalModels: z.array(z.object({ id: z.string(), label: z.string() })).optional(),
 });
 export const CoderProvidersFileSchema = z.object({
  providers: z.record(ProviderOverrideSchema).default({}),
 });
 export type ProviderOverride = z.infer<typeof ProviderOverrideSchema>;
 export type CoderProvidersFile = z.infer<typeof CoderProvidersFileSchema>;
 /**
 * PATCH body schema (design.md §6.2). A partial providers map where each value
 * is either a full override object (REPLACES that id's override) or `null`
 * (DELETES the override → revert to the built-in default). Ids absent from the
 * patch are left untouched. The route validates the body against this first
 * (malformed → 422) so a bad shape can never reach the merge/save step.
 */
 export const ProviderConfigPatchSchema = z.object({
  providers: z.record(ProviderOverrideSchema.nullable()).default({}),
 });
 export type ProviderConfigPatch = z.infer<typeof ProviderConfigPatchSchema>;
 /**
 * Shallow per-id merge (design.md §6.2 / Paseo `patchConfig`). Each key in
 * `patch.providers` REPLACES that id's override object wholesale (NOT a deep
 * field merge); a `null` value DELETES the override. Returns a new object —
 * never mutates `current`. The result is a plain CoderProvidersFile (no nulls),
 * which the route re-validates against CoderProvidersFileSchema before save.
 */
 export function mergeProviderConfigPatch(
  current: CoderProvidersFile,
  patch: ProviderConfigPatch,
 ): CoderProvidersFile {
  const providers: Record<string, ProviderOverride> = { ...current.providers };
  for (const [id, override] of Object.entries(patch.providers)) {
    if (override === null) {
      delete providers[id];
    } else {
      providers[id] = override;
    }
  }
  return { providers };
 }
 /** Read + parse + validate. Falls back to built-ins-only on any failure; never throws. */
 export function load(path: string): CoderProvidersFile {
  let raw: string;
  try {
    raw = readFileSync(path, 'utf8');
  } catch {
    // Missing file → built-ins only. Expected, not an error.
    return { providers: {} };
  }
  let json: unknown;
  try {
    json = JSON.parse(raw);
  } catch (err) {
    console.error(`provider-config: invalid JSON in ${path} — using built-ins only`, err);
    return { providers: {} };
  }
  const parsed = CoderProvidersFileSchema.safeParse(json);
  if (!parsed.success) {
    console.error(
      `provider-config: schema validation failed for ${path} — using built-ins only`,
      parsed.error.flatten(),
    );
    return { providers: {} };
  }
  return parsed.data;
 }
 /** Write the config back to disk (used by the Phase 4 PATCH route). */
 export function save(path: string, config: CoderProvidersFile): void {
  writeFileSync(path, `${JSON.stringify(config, null, 2)}\n`, 'utf8');
 }
--- a/apps/coder/src/services/provider-diagnostic.ts
+++ b/apps/coder/src/services/provider-diagnostic.ts
@@ -0,0 +1,71 @@
 /**
 * v2.3 Phase 4 (design.md §8) — per-provider plaintext diagnostic report.
 *
 * Read-only by default: reports CACHED state (resolved registry def + the
 * available_agents row + the warm snapshot-cache entry) plus a `which`-style
 * PATH check for the launch binary. It does NOT spawn an ACP probe — §8 lists
 * the live initialize probe as optional, and the route defaults to cached state.
 *
 * A template string is the whole formatter (no Paseo diagnostic-utils port).
 */
 import type { ResolvedProviderDef } from './provider-config-registry.js';
 import type { ProviderSnapshotEntry, ProviderModel } from './provider-types.js';
 import { isCommandAvailable } from './command-availability.js';
 /** The subset of an `available_agents` row the diagnostic reads. */
 export interface DiagnosticAgentRow {
  name: string;
  install_path: string | null;
  supports_acp?: boolean;
  models?: ProviderModel[] | null;
  last_probed_at?: string | Date | null;
 }
 interface DiagnosticOpts {
  /** Warm snapshot-cache entry (read-only peek) — source of the last probe error. */
  cachedEntry?: ProviderSnapshotEntry;
  /** Injectable PATH check (defaults to the real `which`); stubbed in tests. */
  checkAvailable?: (binary: string) => Promise<boolean>;
 }
 /** Resolve the binary the dispatcher would launch (for the PATH check + report). */
 function resolveBinary(resolved: ResolvedProviderDef, agentRow: DiagnosticAgentRow | undefined): string {
  return resolved.launchCommand?.[0] ?? agentRow?.install_path ?? resolved.id;
 }
 export async function getProviderDiagnostic(
  resolved: ResolvedProviderDef,
  agentRow: DiagnosticAgentRow | undefined,
  opts: DiagnosticOpts = {},
 ): Promise<string> {
  const checkAvailable = opts.checkAvailable ?? isCommandAvailable;
  const installed = agentRow?.install_path != null;
  const binary = resolveBinary(resolved, agentRow);
  // boocode is native (no binary to launch) — short-circuit the PATH check.
  const commandAvailable = resolved.transport === 'native' ? true : await checkAvailable(binary);
  const lastProbedAt =
    agentRow?.last_probed_at != null ? new Date(agentRow.last_probed_at).toISOString() : '(never)';
  const modelCount = agentRow?.models?.length ?? 0;
  const launchCommand = resolved.launchCommand
    ? resolved.launchCommand.join(' ')
    : '(built-in default, resolved at dispatch)';
  const lastError = opts.cachedEntry?.error ?? '(none recorded)';
  return [
    `provider: ${resolved.id}`,
    `label: ${resolved.configLabel ?? resolved.label}`,
    `transport: ${resolved.transport}`,
    `enabled: ${resolved.enabled}`,
    `builtin: ${resolved.isBuiltin}`,
    `customAcp: ${resolved.isCustomAcp}`,
    `installed: ${installed}`,
    `install_path: ${agentRow?.install_path ?? '(none)'}`,
    `binary: ${binary}`,
    `command_available: ${commandAvailable}`,
    `launch_command: ${launchCommand}`,
    `supports_acp: ${agentRow?.supports_acp ?? '(unknown)'}`,
    `last_probed_at: ${lastProbedAt}`,
    `models_in_db: ${modelCount}`,
    `last_probe_error: ${lastError}`,
  ].join('\n');
 }
--- a/apps/coder/src/services/provider-manifest.ts
+++ b/apps/coder/src/services/provider-manifest.ts
@@ -24,31 +24,6 @@ const OPENCODE_MODES: ProviderMode[] = [
  { id: 'full-access', label: 'Full Access', description: 'Auto-approves all tool prompts', isUnattended: true },
 ];
 const COPILOT_MODES: ProviderMode[] = [
  {
    id: 'https://agentclientprotocol.com/protocol/session-modes#agent',
    label: 'Agent',
    description: 'Default agent mode',
  },
  {
    id: 'https://agentclientprotocol.com/protocol/session-modes#plan',
    label: 'Plan',
    description: 'Plan mode for multi-step work',
  },
  {
    id: 'allow-all',
    label: 'Allow All',
    description: 'Automatically approves all tool, path, and URL requests',
    isUnattended: true,
  },
 ];
 const CURSOR_CLI_MODES: ProviderMode[] = [
  { id: 'agent', label: 'Agent', description: 'Full agent capabilities with tool access' },
  { id: 'plan', label: 'Plan', description: 'Read-only planning mode' },
  { id: 'ask', label: 'Ask', description: 'Q&A read-only mode' },
 ];
 const QWEN_PTY_MODES: ProviderMode[] = [
  { id: 'default', label: 'Default', description: 'Prompt for approval' },
  { id: 'plan', label: 'Plan', description: 'Plan only — no edits' },
@@ -75,14 +50,6 @@ export const PROVIDER_MANIFEST: Record<string, ProviderManifestEntry> = {
    defaultModeId: 'build',
    modes: OPENCODE_MODES,
  },
  copilot: {
    defaultModeId: 'https://agentclientprotocol.com/protocol/session-modes#agent',
    modes: COPILOT_MODES,
  },
  cursor: {
    defaultModeId: 'agent',
    modes: CURSOR_CLI_MODES,
  },
  goose: {
    defaultModeId: null,
    modes: [],
--- a/apps/coder/src/services/provider-registry.ts
+++ b/apps/coder/src/services/provider-registry.ts
@@ -13,8 +13,7 @@ export interface ProviderDef {
 * - boocode: llama-swap only
 * - opencode: ACP probe + mergeLlamaSwap (prefixed llama-swap/* ids)
 * - qwen: ACP probe + merge ~/.qwen/settings.json; PTY fallback reads settings only
- * - cursor: ACP probe + cursor-agent models CLI fallback
+ * - goose: ACP probe only
 * - goose / copilot: ACP probe only
 * - claude: static manifest models + thinking options
 */
 export const PROVIDERS: ProviderDef[] = [
@@ -24,12 +23,6 @@ export const PROVIDERS: ProviderDef[] = [
    transport: 'native',
    modelSource: 'llama-swap',
  },
  {
    name: 'cursor',
    label: 'Cursor Agent',
    transport: 'acp',
    modelSource: 'probe',
  },
  {
    name: 'opencode',
    label: 'OpenCode',
@@ -48,9 +41,18 @@ export const PROVIDERS: ProviderDef[] = [
    label: 'Claude Code',
    transport: 'pty',
    modelSource: 'static',
    // Passed verbatim to `claude --model <id>` (PTY dispatch). The CLI accepts a
    // latest-alias ('opus'/'sonnet'/'haiku') or a pinned full name
    // ('claude-opus-4-8'). Aliases never go stale; pinned IDs let you select an
    // exact version. Extend/replace per-install via data/coder-providers.json
    // (models / additionalModels) without a code change.
    staticModels: [
-      { id: 'claude-opus-4-20250514', label: 'Opus 4' },
+      { id: 'opus', label: 'Opus (latest)' },
-      { id: 'claude-sonnet-4-20250514', label: 'Sonnet 4' },
+      { id: 'claude-opus-4-8', label: 'Opus 4.8' },
      { id: 'sonnet', label: 'Sonnet (latest)' },
      { id: 'claude-sonnet-4-6', label: 'Sonnet 4.6' },
      { id: 'haiku', label: 'Haiku (latest)' },
      { id: 'claude-haiku-4-5-20251001', label: 'Haiku 4.5' },
    ],
  },
  {
@@ -59,12 +61,6 @@ export const PROVIDERS: ProviderDef[] = [
    transport: 'acp',
    modelSource: 'probe',
  },
  {
    name: 'copilot',
    label: 'GitHub Copilot',
    transport: 'acp',
    modelSource: 'probe',
  },
 ];
 export const PROVIDERS_BY_NAME = new Map(PROVIDERS.map((p) => [p.name, p]));
--- a/apps/coder/src/services/provider-snapshot.ts
+++ b/apps/coder/src/services/provider-snapshot.ts
@@ -2,35 +2,34 @@
 * Provider snapshot cache — cold ACP probe per provider + static manifest merge.
 */
 import { homedir } from 'node:os';
 import { exec as execCb } from 'node:child_process';
 import { promisify } from 'node:util';
 import type { FastifyBaseLogger } from 'fastify';
 import type { Sql } from '../db.js';
 import type { Config } from '../config.js';
 import { PROVIDERS, type ProviderDef } from './provider-registry.js';
 import {
  getManifestDefaultModeId,
  getManifestModes,
  PROVIDER_MANIFEST,
 } from './provider-manifest.js';
 import { probeAcpProvider } from './acp-probe.js';
-import { parseCursorAgentModelsOutput } from './cursor-models.js';
+import type { ProviderModel, ProviderSnapshotEntry, AgentCommand } from './provider-types.js';
 import type { ProviderModel, ProviderSnapshotEntry } from './provider-types.js';
 import { getManifestCommands, mergeCommands } from './provider-commands.js';
 import { readQwenSettingsModels } from './qwen-settings.js';
-
+import { getResolvedRegistry, type ResolvedProviderDef } from './provider-config-registry.js';
-const exec = promisify(execCb);
+import { isCommandAvailable } from './command-availability.js';
 import { discoverClaudeCommands } from './claude-command-discovery.js';
 interface AgentRow {
  name: string;
  install_path: string | null;
  supports_acp: boolean;
  models: ProviderModel[] | null;
  commands: AgentCommand[] | null;
  label: string | null;
  transport: string | null;
  last_probed_at: string | Date | null;
 }
-async function fetchLlamaSwapModels(config: Config): Promise<ProviderModel[]> {
+export async function fetchLlamaSwapModels(config: Config): Promise<ProviderModel[]> {
  try {
    const res = await fetch(`${config.LLAMA_SWAP_URL}/v1/models`);
    if (!res.ok) return [];
@@ -41,15 +40,6 @@ async function fetchLlamaSwapModels(config: Config): Promise<ProviderModel[]> {
  }
 }
 async function fetchCursorModelsCli(installPath: string): Promise<ProviderModel[]> {
  try {
    const { stdout } = await exec(`"${installPath}" models`, { timeout: 15_000, maxBuffer: 1024 * 1024 });
    return parseCursorAgentModelsOutput(stdout);
  } catch {
    return [];
  }
 }
 /** Prefix llama-swap model ids so they don't collide with provider-native models. */
 export function prefixLlamaSwapModels(models: ProviderModel[]): ProviderModel[] {
  return models.map((m) => ({
@@ -82,112 +72,155 @@ export function mergeModels(...lists: ProviderModel[][]): ProviderModel[] {
 }
 async function buildProviderEntry(
-  provider: ProviderDef,
+  resolved: ResolvedProviderDef,
  agentRow: AgentRow | undefined,
  llamaModels: ProviderModel[],
  cwd: string,
-): Promise<ProviderSnapshotEntry | null> {
+  ttlMs: number,
-  const isNative = provider.name === 'boocode';
+  force: boolean,
-  const installed = isNative || !!agentRow;
+): Promise<ProviderSnapshotEntry> {
-  if (!installed) return null;
+  const name = resolved.id;
  const isNative = resolved.transport === 'native';
  const fallbackModes = getManifestModes(name);
  const defaultModeId = getManifestDefaultModeId(name);
  const manifestCommands = getManifestCommands(name);
  // Manifest + persisted live ACP commands (captured on a prior cold probe), so
  // the agent's discovered commands show even when the tier-2 probe is skipped.
  const dbCommands = mergeCommands(manifestCommands, agentRow?.commands ?? []);
  const label = agentRow?.label ?? resolved.configLabel ?? resolved.label;
  const descr = resolved.configDescription ? { description: resolved.configDescription } : {};
-  let transport = provider.transport;
+  // v2.3: config `models` REPLACES the discovered/static list; `additionalModels`
-  if (agentRow && provider.transport === 'acp' && !agentRow.supports_acp) {
+  // MERGES on top. Applied to every ready/installed model list below.
  const withConfigModels = (m: ProviderModel[]): ProviderModel[] => {
    let out = resolved.configModels && resolved.configModels.length > 0 ? resolved.configModels : m;
    if (resolved.configAdditionalModels && resolved.configAdditionalModels.length > 0) {
      out = mergeModels(out, resolved.configAdditionalModels);
    }
    return out;
  };
  // ACP built-ins fall back to PTY transport when the installed binary lacks ACP.
  let transport = resolved.transport;
  if (agentRow && resolved.transport === 'acp' && !agentRow.supports_acp) {
    transport = 'pty';
  }
-  const fallbackModes = getManifestModes(provider.name);
+  // 1. Disabled → unavailable, no probe.
-  const defaultModeId = getManifestDefaultModeId(provider.name);
+  if (!resolved.enabled) {
  if (isNative) {
    return {
-      name: provider.name,
+      name, label, ...descr, transport, status: 'unavailable',
-      label: provider.label,
+      enabled: false, installed: false, models: [], modes: fallbackModes,
-      transport,
+      defaultModeId, commands: manifestCommands,
      status: 'ready',
      installed: true,
      models: llamaModels,
      modes: [],
      defaultModeId: null,
      commands: getManifestCommands(provider.name),
    };
  }
  // 2. Native boocode → always ready (llama-swap models).
  if (isNative) {
    return {
      name, label: resolved.label, transport, status: 'ready',
      enabled: true, installed: true, models: withConfigModels(llamaModels), modes: [],
      defaultModeId: null, commands: manifestCommands,
    };
  }
  // 3. Tier-1 fast availability: installed iff a probed install_path exists or
  // the launch binary is on PATH. No spawn beyond a `which` for custom entries.
  const fast =
    agentRow?.install_path != null ||
    (resolved.launchCommand ? await isCommandAvailable(resolved.launchCommand[0]) : false);
  if (!fast) {
    return {
      name, label, ...descr, transport, status: 'unavailable',
      enabled: true, installed: false, models: [], modes: fallbackModes,
      defaultModeId, commands: manifestCommands,
    };
  }
  // Baseline model precedence (used by claude + non-probe fallbacks).
  let models: ProviderModel[] = [];
-  if (provider.modelSource === 'llama-swap' && provider.mergeLlamaSwap) {
+  if (resolved.modelSource === 'llama-swap' && resolved.mergeLlamaSwap) {
    models = llamaModels;
  } else if (agentRow?.models?.length) {
    models = agentRow.models;
-  } else if (provider.staticModels) {
+  } else if (resolved.staticModels) {
-    models = provider.staticModels.map((m) => ({ id: m.id, label: m.label }));
+    models = resolved.staticModels.map((m) => ({ id: m.id, label: m.label }));
  }
-  if (provider.name === 'claude') {
+  // claude: static models + thinking options, no ACP probe (unchanged from v2.2).
-    models = attachClaudeThinking(models);
+  if (name === 'claude') {
    // claude is PTY (no ACP discovery) — read its enabled commands + plugin
    // skills from disk live (the snapshot cache rate-limits the fs reads).
    return {
-      name: provider.name,
+      name, label, transport, status: 'ready', enabled: true, installed: true,
-      label: agentRow?.label ?? provider.label,
+      models: attachClaudeThinking(withConfigModels(models)), modes: fallbackModes, defaultModeId,
-      transport,
+      commands: mergeCommands(manifestCommands, discoverClaudeCommands()),
      status: 'ready',
      installed: true,
      models,
      modes: fallbackModes,
      defaultModeId,
      commands: getManifestCommands(provider.name),
    };
  }
-  if (transport === 'acp' && agentRow?.install_path && agentRow.supports_acp) {
+  const canProbeAcp =
-    const probe = await probeAcpProvider(provider.name, agentRow.install_path, cwd);
+    transport === 'acp' &&
-    if (probe.models.length > 0) {
+    ((agentRow?.install_path != null && agentRow.supports_acp) ||
-      models = probe.models;
+      (resolved.isCustomAcp && resolved.launchCommand != null));
-    } else if (provider.name === 'cursor' && agentRow.install_path) {
+
-      models = await fetchCursorModelsCli(agentRow.install_path);
+  if (canProbeAcp) {
-    } else if (provider.modelSource === 'llama-swap') {
+    // Tier-2 gate (§4.3): cold ACP probe only on force, staleness, or empty DB
-      models = llamaModels;
+    // models. Otherwise serve DB models + manifest modes/commands — no spawn.
    const lastProbedMs =
      agentRow?.last_probed_at != null ? new Date(agentRow.last_probed_at).getTime() : NaN;
    const stale = Number.isNaN(lastProbedMs) || Date.now() - lastProbedMs > ttlMs;
    const dbEmpty = !(agentRow?.models && agentRow.models.length > 0);
    const runTier2 = force || stale || dbEmpty;
    if (!runTier2) {
      let skipModels = agentRow?.models ?? [];
      if (resolved.mergeLlamaSwap && resolved.modelSource !== 'llama-swap') {
        skipModels = mergeModels(skipModels, prefixLlamaSwapModels(llamaModels));
      } else if (resolved.modelSource === 'llama-swap' && skipModels.length === 0) {
        skipModels = llamaModels;
      }
      return {
        name, label, transport, status: 'ready', enabled: true, installed: true,
        models: withConfigModels(skipModels), modes: fallbackModes, defaultModeId, commands: dbCommands,
      };
    }
-    if (provider.name === 'qwen') {
+    const probeTarget =
-      const settingsModels = await readQwenSettingsModels();
+      resolved.isCustomAcp && resolved.launchCommand
-      models = mergeModels(models, settingsModels);
+        ? resolved.launchCommand[0]
-    }
+        : agentRow!.install_path!;
    const probe = await probeAcpProvider(name, probeTarget, cwd);
-    if (provider.mergeLlamaSwap && provider.modelSource !== 'llama-swap') {
+    let probeModels = probe.models.length > 0 ? probe.models : models;
-      const nativeModels = probe.models.length > 0 ? probe.models : models;
+    if (name === 'qwen') {
-      models = mergeModels(nativeModels, prefixLlamaSwapModels(llamaModels));
+      probeModels = mergeModels(probeModels, await readQwenSettingsModels());
    }
    if (resolved.mergeLlamaSwap && resolved.modelSource !== 'llama-swap') {
      const nativeModels = probe.models.length > 0 ? probe.models : probeModels;
      probeModels = mergeModels(nativeModels, prefixLlamaSwapModels(llamaModels));
    }
    return {
-      name: provider.name,
+      name, label, transport,
      label: agentRow.label ?? provider.label,
      transport,
      status: probe.ok ? 'ready' : 'error',
-      installed: true,
+      enabled: true, installed: true,
-      models,
+      models: withConfigModels(probeModels),
      modes: probe.modes.length > 0 ? probe.modes : fallbackModes,
      defaultModeId: probe.defaultModeId ?? defaultModeId,
-      commands: mergeCommands(getManifestCommands(provider.name), probe.commands),
+      commands: mergeCommands(manifestCommands, probe.commands),
-      error: probe.error,
+      ...(probe.error ? { error: probe.error } : {}),
      fetchedAt: new Date().toISOString(),
    };
  }
-  // PTY-only providers (qwen fallback when ACP unavailable)
+  // PTY-only fallback (e.g. qwen without ACP) — installed + ready.
-  if (provider.name === 'qwen') {
+  if (name === 'qwen' && models.length === 0) {
    if (models.length === 0) {
    models = await readQwenSettingsModels();
  }
  }
  return {
-    name: provider.name,
+    name, label, transport, status: 'ready', enabled: true, installed: true,
-    label: agentRow?.label ?? provider.label,
+    models: withConfigModels(models), modes: fallbackModes, defaultModeId, commands: dbCommands,
    transport,
    status: 'ready',
    installed: true,
    models,
    modes: fallbackModes,
    defaultModeId,
    commands: getManifestCommands(provider.name),
  };
 }
@@ -216,16 +249,16 @@ export async function getProviderSnapshot(
  const build = async (): Promise<ProviderSnapshotEntry[]> => {
    const llamaModels = await fetchLlamaSwapModels(config);
    const agents = await sql<AgentRow[]>`
-      SELECT name, install_path, supports_acp, models, label, transport FROM available_agents
+      SELECT name, install_path, supports_acp, models, commands, label, transport, last_probed_at FROM available_agents
    `;
    const agentMap = new Map(agents.map((a) => [a.name, a]));
    const ttlMs = config.PROVIDER_PROBE_TTL_MS;
-    const built = await Promise.all(
+    const entries = await Promise.all(
-      PROVIDERS.map((provider) =>
+      [...getResolvedRegistry().values()].map((resolved) =>
-        buildProviderEntry(provider, agentMap.get(provider.name), llamaModels, resolvedCwd),
+        buildProviderEntry(resolved, agentMap.get(resolved.id), llamaModels, resolvedCwd, ttlMs, force),
      ),
    );
    const entries = built.filter((entry): entry is ProviderSnapshotEntry => entry !== null);
    snapshotCache.set(cacheKey, { at: Date.now(), entries });
    return entries;
@@ -235,6 +268,13 @@ export async function getProviderSnapshot(
    snapshotInflight.delete(cacheKey);
  });
  snapshotInflight.set(cacheKey, promise);
  // Await the build (force or cache-miss) and return terminal entries. The sync
  // `loading` return (design §4.4) is DEFERRED until Phase 5 ships the client
  // poll that resolves it: without that poll, a single fetch lands on
  // installed:false `loading` entries, which AgentComposerBar filters out
  // (`e.installed && ...`) → empty picker. Builds stay fast via the tier-2 skip
  // once available_agents.models is warm.
  return promise;
 }
@@ -243,6 +283,16 @@ export function clearProviderSnapshotCache(): void {
  snapshotInflight.clear();
 }
 /**
 * Read-only peek into the warm snapshot cache for one provider (no build, no
 * probe). Used by the diagnostic route to report the last computed probe error
 * without spawning anything. Returns undefined on a cold cache / unknown name.
 */
 export function peekSnapshotEntry(name: string, cwd?: string): ProviderSnapshotEntry | undefined {
  const resolvedCwd = cwd?.trim() || homedir();
  return snapshotCache.get(resolvedCwd)?.entries.find((e) => e.name === name);
 }
 /** Persist probed model lists back to available_agents for fast legacy reads. */
 export async function persistProbedModels(
  sql: Sql,
@@ -251,16 +301,34 @@ export async function persistProbedModels(
 ): Promise<void> {
  let count = 0;
  for (const entry of entries) {
-    if (entry.name === 'boocode' || entry.models.length === 0) continue;
+    if (entry.name === 'boocode') continue;
    let persisted = false;
    if (entry.models.length > 0) {
      const flatModels = entry.models.map(({ id, label }) => ({ id, label }));
      await sql`
        UPDATE available_agents
        SET models = ${sql.json(flatModels as never)}, last_probed_at = clock_timestamp()
        WHERE name = ${entry.name}
      `;
-    count++;
+      persisted = true;
    }
    // Persist captured ACP commands so they survive the tier-2 probe skip and
    // show without a dispatch. Only when non-empty — never clobber a prior set.
    if (entry.commands.length > 0) {
      const flatCommands = entry.commands.map((c) => ({
        name: c.name,
        ...(c.description ? { description: c.description } : {}),
      }));
      await sql`
        UPDATE available_agents
        SET commands = ${sql.json(flatCommands as never)}, last_probed_at = clock_timestamp()
        WHERE name = ${entry.name}
      `;
      persisted = true;
    }
    if (persisted) count++;
  }
  if (count > 0) {
-    log.info({ count }, 'provider-snapshot: persisted models to available_agents');
+    log.info({ count }, 'provider-snapshot: persisted models/commands to available_agents');
  }
 }
--- a/apps/coder/src/services/provider-types.ts
+++ b/apps/coder/src/services/provider-types.ts
@@ -23,24 +23,34 @@ export interface ProviderModel {
  defaultThinkingOptionId?: string;
 }
-export type ProviderSnapshotStatus = 'ready' | 'error';
+// v2.3 phase 2: 'loading' (cache-miss, probe in flight) + 'unavailable'
 // (disabled or not installed) restored alongside the terminal 'ready' | 'error'.
 export type ProviderSnapshotStatus = 'loading' | 'ready' | 'unavailable' | 'error';
 export interface AgentCommand {
  name: string;
  description?: string;
  // v2.5.11: 'skill' (plugin skill) vs 'command' (native/CLI slash command).
  // Drives the icon split in the coder slash menu. Undefined → command.
  kind?: 'command' | 'skill';
 }
 // KEEP IN SYNC with apps/web/src/api/types.ts ProviderSnapshotEntry — parity is
 // enforced by __tests__/provider-types-parity.test.ts (fails on any field drift).
 export interface ProviderSnapshotEntry {
  name: string;
  label: string;
  description?: string;
  transport: string;
  status: ProviderSnapshotStatus;
  enabled: boolean;
  installed: boolean;
  models: ProviderModel[];
  modes: ProviderMode[];
  defaultModeId: string | null;
  commands: AgentCommand[];
  error?: string;
  fetchedAt?: string;
 }
 export interface AgentSessionConfig {
--- a/apps/coder/src/services/worktrees.ts
+++ b/apps/coder/src/services/worktrees.ts
@@ -6,9 +6,10 @@
 * After the agent completes, we diff the worktree against HEAD and
 * queue the diff into pending_changes.
 */
 import type { Sql } from '../db.js';
 import { hostExec } from './host-exec.js';
-const WORKTREE_BASE = '/tmp/booworktrees';
+export const WORKTREE_BASE = '/tmp/booworktrees';
 /**
 * Create a git worktree for a task on the host.
@@ -45,7 +46,7 @@ export async function createWorktree(
 export async function diffWorktree(
  worktreePath: string,
  projectPath: string,
-  opts?: { signal?: AbortSignal },
+  opts?: { signal?: AbortSignal; baseRef?: string },
 ): Promise<string> {
  // First, commit any uncommitted changes in the worktree so we can diff branches
  // Stage all changes
@@ -74,9 +75,13 @@ export async function diffWorktree(
    { signal: opts?.signal, timeoutMs: 15_000 },
  );
-  // Diff the worktree branch against the parent commit (HEAD of main tree)
+  // Diff the worktree branch against the baseline. Per-task callers default to the
  // main tree's current HEAD; the session-worktree (opencode) path passes the
  // captured base_commit so the accumulated diff is stable across turns even if
  // project HEAD advances.
  const baseRef = opts?.baseRef ?? 'HEAD';
  const diffResult = await hostExec(
-    `git -C ${shellEscape(projectPath)} diff HEAD...$(git -C ${shellEscape(worktreePath)} rev-parse HEAD)`,
+    `git -C ${shellEscape(projectPath)} diff ${shellEscape(baseRef)}...$(git -C ${shellEscape(worktreePath)} rev-parse HEAD)`,
    { signal: opts?.signal, timeoutMs: 60_000 },
  );
@@ -111,6 +116,427 @@ export async function cleanupWorktree(
  ).catch(() => {});
 }
 // ─── v2.6: session-keyed persistent worktree ────────────────────────────────
 export interface SessionWorktree {
  /** P1.5-b: the `worktrees.id` — stored on agent_sessions informationally. */
  worktreeId: string;
  worktreePath: string;
  baseCommit: string | null;
 }
 /**
 * v2.6 / P1.5-b: create-or-reuse ONE worktree per BooCode session (shared across
 * all tabs/agents in the session), recorded in `worktrees` (was the superseded
 * `session_worktrees`). Persists — NOT torn down per turn (cleanup is Phase 3) —
 * and now survives session delete (`worktrees.session_id` is ON DELETE SET NULL).
 * Captures the project's current HEAD as `base_commit` for a stable diff baseline.
 *
 * Distinct path namespace (`session-<id>` branch, `/sess-<id>` dir) so it never
 * collides with the per-task worktrees that arena/new_task/MCP still use.
 */
 export async function ensureSessionWorktree(
  sql: Sql,
  projectPath: string,
  sessionId: string,
  opts?: { signal?: AbortSignal },
 ): Promise<SessionWorktree> {
  const [existing] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
    SELECT id, path, base_commit FROM worktrees
    WHERE session_id = ${sessionId} AND status = 'active'
    LIMIT 1
  `;
  if (existing) {
    return { worktreeId: existing.id, worktreePath: existing.path, baseCommit: existing.base_commit };
  }
  const worktreePath = `${WORKTREE_BASE}/sess-${sessionId}`;
  const branchName = `session-${sessionId}`;
  await hostExec(`mkdir -p ${WORKTREE_BASE}`, { signal: opts?.signal });
  // Capture the baseline commit BEFORE branching, so the diff is stable even if
  // project HEAD later advances.
  const headResult = await hostExec(
    `git -C ${shellEscape(projectPath)} rev-parse HEAD`,
    { signal: opts?.signal, timeoutMs: 10_000 },
  );
  const baseCommit = headResult.exitCode === 0 ? headResult.stdout.trim() || null : null;
  const result = await hostExec(
    `git -C ${shellEscape(projectPath)} worktree add ${shellEscape(worktreePath)} -b ${shellEscape(branchName)} HEAD`,
    { signal: opts?.signal, timeoutMs: 30_000 },
  );
  if (result.exitCode !== 0) {
    throw new Error(`Failed to create session worktree: ${result.stderr.trim() || result.stdout.trim()}`);
  }
  // Insert-or-get: WHERE NOT EXISTS keeps the first writer's row if two turns race
  // the create (the partial unique on active path also backstops it).
  const [inserted] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
    INSERT INTO worktrees (session_id, path, branch, base_commit, status)
    SELECT ${sessionId}, ${worktreePath}, ${branchName}, ${baseCommit}, 'active'
    WHERE NOT EXISTS (
      SELECT 1 FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'
    )
    RETURNING id, path, base_commit
  `;
  if (inserted) {
    return { worktreeId: inserted.id, worktreePath: inserted.path, baseCommit: inserted.base_commit };
  }
  // Lost the race — another turn inserted first; read its row.
  const [row] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
    SELECT id, path, base_commit FROM worktrees
    WHERE session_id = ${sessionId} AND status = 'active'
    LIMIT 1
  `;
  return {
    worktreeId: row!.id,
    worktreePath: row?.path ?? worktreePath,
    baseCommit: row?.base_commit ?? baseCommit,
  };
 }
 /**
 * v2.6 Phase 3 (3.3 / 3.4): physically remove a session's persistent worktree —
 * the git worktree dir + its branch — and archive its `worktrees` row. Used by the
 * chat/session-close hook (when the last chat in a session closes) and the orphan
 * reaper. Best-effort on the git side (a dir already gone is not an error); the DB
 * row is flipped to 'archived' (soft-delete, Paseo's worktree-archive pattern) so
 * history/attribution survives and a re-run is idempotent.
 *
 * SAFETY: callers MUST run `checkWorktreeWorkAtRisk` first and skip at-risk
 * worktrees — this function force-removes (`--force`), so it never silently drops
 * uncommitted/unmerged work unless the caller already cleared/accepted the risk.
 */
 export async function removeSessionWorktree(
  sql: Sql,
  projectPath: string,
  worktree: { id: string; path: string; branch?: string | null },
  opts?: { signal?: AbortSignal },
 ): Promise<void> {
  await hostExec(
    `git -C ${shellEscape(projectPath)} worktree remove ${shellEscape(worktree.path)} --force`,
    { signal: opts?.signal, timeoutMs: 15_000 },
  ).catch(() => {});
  const branch = worktree.branch ?? null;
  if (branch) {
    await hostExec(
      `git -C ${shellEscape(projectPath)} branch -D ${shellEscape(branch)}`,
      { signal: opts?.signal, timeoutMs: 10_000 },
    ).catch(() => {});
  }
  // Prune any stale worktree administrative entries left behind by a partial remove.
  await hostExec(
    `git -C ${shellEscape(projectPath)} worktree prune`,
    { signal: opts?.signal, timeoutMs: 10_000 },
  ).catch(() => {});
  await sql`UPDATE worktrees SET status = 'archived' WHERE id = ${worktree.id}`.catch(() => {});
 }
 /**
 * v2.6 Phase 3 (3.3): the chat-close cleanup. Mark every `agent_sessions` row for
 * the chat 'closed', then — only if this was the session's LAST open chat — remove
 * the shared session worktree (a worktree is one-per-session, shared across the
 * session's chat tabs, so closing one tab must not pull the rug from sibling tabs).
 *
 * Returns what it did so the route can report it. The actual backend (process /
 * server-session) teardown is the pool's job (`agentPool.closeChat` +
 * `backend.closeSession`); this owns the DB + git truth.
 *
 * `worktreeRemoved` is false when other open chats remain (worktree kept) OR when
 * the worktree held work at risk (preflight blocked it — never silently dropped).
 */
 export interface ChatCloseResult {
  agentRowsClosed: number;
  worktreeRemoved: boolean;
  worktreeAtRisk: boolean;
 }
 export async function closeChatBackendState(
  sql: Sql,
  chatId: string,
  opts?: { signal?: AbortSignal; force?: boolean },
 ): Promise<ChatCloseResult> {
  // Resolve the chat's session (and that session's project path) before we touch
  // anything — a deleted chat row leaves agent_sessions/worktrees pointing nowhere.
  const [chatRow] = await sql<{ session_id: string | null }[]>`
    SELECT session_id FROM chats WHERE id = ${chatId}
  `;
  // chat row may already be gone (delete fired first); fall back to agent_sessions'
  // session_id link, which SET NULLs only on session delete, not chat delete.
  let sessionId = chatRow?.session_id ?? null;
  if (!sessionId) {
    const [as] = await sql<{ session_id: string | null }[]>`
      SELECT session_id FROM agent_sessions WHERE chat_id = ${chatId} AND session_id IS NOT NULL LIMIT 1
    `;
    sessionId = as?.session_id ?? null;
  }
  // Mark this chat's (chat,agent) backend rows closed (idempotent).
  const closedRows = await sql<{ agent: string }[]>`
    UPDATE agent_sessions SET status = 'closed'
    WHERE chat_id = ${chatId} AND status <> 'closed'
    RETURNING agent
  `;
  let worktreeRemoved = false;
  let worktreeAtRisk = false;
  if (sessionId) {
    // Other open chats still sharing the session worktree? If so, keep it.
    const openRows = await sql<{ open_count: number }[]>`
      SELECT COUNT(*)::int AS open_count FROM chats
      WHERE session_id = ${sessionId} AND status = 'open' AND id <> ${chatId}
    `;
    const openCount = openRows[0]?.open_count ?? 0;
    if (openCount === 0) {
      const [wt] = await sql<{ id: string; path: string; branch: string | null }[]>`
        SELECT id, path, branch FROM worktrees
        WHERE session_id = ${sessionId} AND status = 'active' LIMIT 1
      `;
      if (wt) {
        const projRows = await sql<{ path: string | null }[]>`
          SELECT p.path FROM sessions s JOIN projects p ON p.id = s.project_id WHERE s.id = ${sessionId}
        `;
        const projectPath = projRows[0]?.path ?? null;
        // Preflight (close-hook semantics): a DELIBERATE chat/session close — the
        // server's session-delete already ran the full work-at-risk gate
        // (dirty/unpushed/unmerged) before calling us, and chat-close discards the
        // tab's staged review intentionally. So here we only block on UNCOMMITTED
        // working-tree changes (`dirty`) — work the user never even staged into the
        // review diff. The session branch's own commits (the diff-staging
        // mechanism) are NOT a block; treating them as "unmerged risk" would make
        // the worktree un-removable on every real session (the orphan reaper keeps
        // the full at-risk gate because it runs unattended). `force` skips this.
        if (!opts?.force) {
          const risk = await checkWorktreeWorkAtRisk(wt.path, opts);
          worktreeAtRisk = risk.dirty || risk.error != null;
        }
        if (projectPath && (opts?.force || !worktreeAtRisk)) {
          await removeSessionWorktree(sql, projectPath, wt, opts);
          worktreeRemoved = true;
        }
      }
    }
  }
  return { agentRowsClosed: closedRows.length, worktreeRemoved, worktreeAtRisk };
 }
 /**
 * v2.6 Phase 3 (3.5): re-baseline a session's worktree diff after a successful
 * `apply_pending`. The applied changes were written to the PROJECT ROOT; the
 * worktree branch still holds the same delta against the ORIGINAL `base_commit`,
 * so the next turn's `diffWorktree(base_commit...worktree-HEAD)` would re-surface
 * the already-applied changes as "pending" — a confusing double-count.
 *
 * Fix: advance the stored `base_commit` to the worktree's CURRENT HEAD (the
 * `diffWorktree` path commits the worktree's accumulated changes before diffing,
 * so HEAD already encodes the applied state). The next turn then diffs against
 * that, surfacing only edits made AFTER the apply. Idempotent: if the worktree has
 * no new commits, the base is unchanged.
 *
 * Diff-baseline-correctness note (design §7): we re-baseline to the worktree's own
 * HEAD, NOT to a moving project HEAD — so an out-of-band edit to the project root
 * after apply doesn't corrupt the baseline. The trade-off is that a manual project
 * edit isn't reflected as "already there"; acceptable, and matches the stored-base
 * (not moving-target) decision in §7.
 */
 export async function rebaselineWorktreeAfterApply(
  sql: Sql,
  sessionId: string,
  opts?: { signal?: AbortSignal },
 ): Promise<{ rebaselined: boolean; newBaseCommit: string | null }> {
  const [wt] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
    SELECT id, path, base_commit FROM worktrees
    WHERE session_id = ${sessionId} AND status = 'active' LIMIT 1
  `;
  if (!wt) return { rebaselined: false, newBaseCommit: null };
  // Make sure the worktree's accumulated edits are committed so HEAD encodes the
  // just-applied state (the diff path normally does this, but apply may run with no
  // prior diff this turn). Commit ONLY when something is staged — NO --allow-empty,
  // so a re-baseline with no new edits doesn't advance HEAD and stays idempotent.
  await hostExec(
    `cd ${shellEscape(wt.path)} && git add -A && ` +
      `git diff --cached --quiet || ` +
      `git -c user.email=boocoder@local -c user.name=BooCoder commit -q -m "rebaseline after apply"`,
    { signal: opts?.signal, timeoutMs: 15_000 },
  ).catch(() => {});
  const headRes = await hostExec(
    `git -C ${shellEscape(wt.path)} rev-parse HEAD`,
    { signal: opts?.signal, timeoutMs: 10_000 },
  ).catch(() => null);
  const newBase = headRes && headRes.exitCode === 0 ? headRes.stdout.trim() || null : null;
  if (!newBase || newBase === wt.base_commit) {
    return { rebaselined: false, newBaseCommit: wt.base_commit };
  }
  await sql`UPDATE worktrees SET base_commit = ${newBase} WHERE id = ${wt.id}`;
  return { rebaselined: true, newBaseCommit: newBase };
 }
 // ─── Session-delete work-loss guard ─────────────────────────────────────────
 /**
 * Risk report for a single worktree, returned by checkWorktreeWorkAtRisk.
 * `atRisk` is the gate the server reads before allowing a session delete.
 * A git error never silently passes — it forces `atRisk` true and surfaces
 * the message in `error` (fail-closed).
 */
 export interface RiskReport {
  worktreePath: string;
  branch: string;
  dirty: boolean;   // uncommitted working-tree changes (incl. untracked)
  unpushed: number; // commits ahead of upstream, or -1 if no upstream is set
  unmerged: number; // commits on this branch not in the project default branch
  atRisk: boolean;  // dirty || unmerged > 0 || (upstream && unpushed > 0) || git error
  error?: string;   // populated on a git failure; presence forces atRisk
 }
 /**
 * Resolve the project's default branch as a git-usable ref (e.g. "origin/main").
 *
 * `refs/remotes/origin/HEAD` lives in the repo's COMMON git dir and is shared
 * across every linked worktree, so reading it from the session worktree returns
 * the REMOTE's default branch — never this worktree's own `session-<id>` branch
 * (that would be `symbolic-ref HEAD`, a different ref). Falls back to probing
 * common defaults by verified existence when origin/HEAD isn't set (e.g. a repo
 * that never ran `git remote set-head`). Returns null if none resolve, in which
 * case the unmerged check is skipped (dirty + unpushed still protect the work).
 */
 async function detectDefaultBranchRef(
  worktreePath: string,
  opts?: { signal?: AbortSignal },
 ): Promise<string | null> {
  const head = await hostExec(
    `git -C ${shellEscape(worktreePath)} symbolic-ref --short refs/remotes/origin/HEAD`,
    { signal: opts?.signal, timeoutMs: 10_000 },
  );
  if (head.exitCode === 0) {
    const ref = head.stdout.trim(); // e.g. "origin/main"
    if (ref) {
      const verify = await hostExec(
        `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(ref + '^{commit}')}`,
        { signal: opts?.signal, timeoutMs: 10_000 },
      );
      if (verify.exitCode === 0 && verify.stdout.trim()) return ref;
    }
  }
  // origin/HEAD unset or unresolvable — probe common defaults. Prefer the
  // remote-tracking ref (always resolvable in a fresh worktree) over the local
  // head, which may not exist if the default branch lives only in the main tree.
  for (const cand of ['origin/main', 'origin/master', 'main', 'master']) {
    const verify = await hostExec(
      `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(cand + '^{commit}')}`,
      { signal: opts?.signal, timeoutMs: 10_000 },
    );
    if (verify.exitCode === 0 && verify.stdout.trim()) return cand;
  }
  return null;
 }
 /**
 * Inspect a worktree for work that would be lost if its session were deleted.
 * Three checks, all via the audited hostExec + shellEscape path (every
 * interpolated value — paths, refs — is single-quote-escaped; no bare
 * interpolation). Any unexpected git failure is treated as at-risk, never a
 * silent pass.
 */
 export async function checkWorktreeWorkAtRisk(
  worktreePath: string,
  opts?: { signal?: AbortSignal },
 ): Promise<RiskReport> {
  // Branch name — also doubles as the "is this still a git worktree?" probe.
  const br = await hostExec(
    `git -C ${shellEscape(worktreePath)} rev-parse --abbrev-ref HEAD`,
    { signal: opts?.signal, timeoutMs: 10_000 },
  );
  if (br.exitCode !== 0) {
    return {
      worktreePath,
      branch: '',
      dirty: false,
      unpushed: 0,
      unmerged: 0,
      atRisk: true,
      error: `git rev-parse failed: ${br.stderr.trim() || 'not a git worktree'}`,
    };
  }
  const branch = br.stdout.trim();
  // (a) Uncommitted (dirty working tree, including untracked files).
  const st = await hostExec(
    `git -C ${shellEscape(worktreePath)} status --porcelain`,
    { signal: opts?.signal, timeoutMs: 15_000 },
  );
  if (st.exitCode !== 0) {
    return {
      worktreePath,
      branch,
      dirty: false,
      unpushed: 0,
      unmerged: 0,
      atRisk: true,
      error: `git status failed: ${st.stderr.trim()}`,
    };
  }
  const dirty = st.stdout.trim().length > 0;
  // (b) Unpushed commits. No upstream configured => work exists only locally;
  // treat as unpushed-by-definition (-1) rather than an error.
  const up = await hostExec(
    `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape('@{u}..HEAD')}`,
    { signal: opts?.signal, timeoutMs: 15_000 },
  );
  const unpushed = up.exitCode === 0 ? (parseInt(up.stdout.trim() || '0', 10) || 0) : -1;
  // (c) Unmerged commits — on this branch but not in the project default branch.
  const defaultRef = await detectDefaultBranchRef(worktreePath, opts);
  let unmerged = 0;
  if (defaultRef) {
    const rl = await hostExec(
      `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape(defaultRef + '..HEAD')}`,
      { signal: opts?.signal, timeoutMs: 15_000 },
    );
    if (rl.exitCode === 0) unmerged = parseInt(rl.stdout.trim() || '0', 10) || 0;
  }
  // unpushed only contributes when an upstream actually exists. Session branches
  // (session-<id>) never have one (unpushed === -1), and any real local-only work
  // there already surfaces as unmerged > 0 — so the no-upstream case adds no
  // protection, only friction (it flagged every pristine worktree-backed session).
  // The unpushed > 0 arm stays forward-compatible with P1.5 pushable branches.
  const hasUpstream = unpushed !== -1;
  const atRisk = dirty || unmerged > 0 || (hasUpstream && unpushed > 0);
  return { worktreePath, branch, dirty, unpushed, unmerged, atRisk };
 }
 /**
 * Stash a worktree's uncommitted changes (including untracked, via -u) so the
 * working tree is clean. Stash entries live in the repo's common git dir, so
 * they survive worktree-dir removal — this is the recoverable, safe-by-default
 * escape. Note it only clears the *dirty* risk; unpushed/unmerged commits
 * remain on the branch, so a re-attempted delete may still block on those.
 */
 export async function stashWorktree(
  worktreePath: string,
  opts?: { signal?: AbortSignal },
 ): Promise<{ stashed: boolean; error?: string }> {
  const r = await hostExec(
    `git -C ${shellEscape(worktreePath)} stash push -u -m ${shellEscape('boocode: pre-delete stash')}`,
    { signal: opts?.signal, timeoutMs: 30_000 },
  );
  if (r.exitCode !== 0) {
    return { stashed: false, error: r.stderr.trim() || r.stdout.trim() };
  }
  // "No local changes to save" => exit 0, nothing stashed — not an error.
  const stashed = !/no local changes to save/i.test(r.stdout);
  return { stashed };
 }
 /** Minimal shell escape for paths (single-quote wrapping). */
 function shellEscape(s: string): string {
  // Replace single quotes with escaped version, wrap in single quotes
--- a/apps/server/package.json
+++ b/apps/server/package.json
@@ -87,7 +87,7 @@
    "@modelcontextprotocol/sdk": "^1.29.0",
    "ai": "^6.0.190",
    "fastify": "^4.28.1",
-    "parse5": "^8.0.1",
+    "node-html-markdown": "^1.3.0",
    "postgres": "^3.4.4",
    "ws": "^8.18.0",
    "zod": "^3.23.8"
@@ -99,5 +99,5 @@
    "typescript": "^5.5.0",
    "vitest": "^3.2.4"
  },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }
--- a/apps/server/src/routes/chats.ts
+++ b/apps/server/src/routes/chats.ts
@@ -4,6 +4,7 @@ import type { Sql } from '../db.js';
 import type { Broker } from '../services/broker.js';
 import type { Chat, Message } from '../types/api.js';
 import { getModelContext } from '../services/model-context.js';
 import { notifyCoderClose } from '../services/coder-notify.js';
 const CreateBody = z.object({
  name: z.string().min(1).max(200).optional(),
@@ -167,6 +168,9 @@ export function registerChatRoutes(
          chat_id: id,
          session_id: req.params.id,
        });
        // Fire-and-forget per archived chat: tear down its warm agent backends
        // on the coder. Best-effort — never blocks/fails the bulk archive.
        void notifyCoderClose('chat', id, req.log);
      }
      return { archived: ids.length, ids };
    }
@@ -208,6 +212,9 @@ export function registerChatRoutes(
        chat_id: row.id,
        session_id: row.session_id,
      });
      // Fire-and-forget: tear down this chat's warm agent backends + (last-chat)
      // worktree on the coder. Best-effort — never blocks/fails the archive.
      void notifyCoderClose('chat', row.id, req.log);
      reply.code(204);
      return null;
    }
@@ -248,6 +255,9 @@ export function registerChatRoutes(
        chat_id: row.id,
        session_id: row.session_id,
      });
      // Fire-and-forget: tear down this chat's warm agent backends + (last-chat)
      // worktree on the coder. Best-effort — never blocks/fails the delete.
      void notifyCoderClose('chat', row.id, req.log);
      reply.code(204);
      return null;
    }
--- a/apps/server/src/routes/sessions.ts
+++ b/apps/server/src/routes/sessions.ts
@@ -3,8 +3,9 @@ import { z } from 'zod';
 import type { Sql } from '../db.js';
 import type { Config } from '../config.js';
 import type { Broker } from '../services/broker.js';
-import type { Session } from '../types/api.js';
+import type { Session, WorktreeRiskReport } from '../types/api.js';
 import { getSetting } from './settings.js';
 import { notifyCoderClose } from '../services/coder-notify.js';
 const CreateBody = z.object({
  name: z.string().min(1).max(200).optional(),
@@ -28,9 +29,7 @@ const HtmlArtifactStateZ = z.object({
  title: z.string().max(500),
 });
-const WorkspacePaneZ = z.object({
+const PaneKindZ = z.enum([
  id: z.string().min(1).max(200),
  kind: z.enum([
  'chat',
  'terminal',
  'coder',
@@ -39,7 +38,11 @@ const WorkspacePaneZ = z.object({
  'settings',
  'markdown_artifact',
  'html_artifact',
-  ]),
+]);
 const WorkspacePaneZ = z.object({
  id: z.string().min(1).max(200),
  kind: PaneKindZ,
  chatId: z.string().min(1).max(200).optional(),
  chatIds: z.array(z.string().min(1).max(200)).max(50),
  activeChatIdx: z.number().int(),
@@ -47,8 +50,27 @@ const WorkspacePaneZ = z.object({
  html_artifact_state: HtmlArtifactStateZ.optional(),
 });
 // v2.6.x: workspace_panes column widened from a bare WorkspacePane[] to a
 // WorkspaceState envelope (panes + stable session-scoped tab numbering +
 // reopen stack). closedPaneStack entries are lighter than full panes — just
 // the kind + chat ids needed to recreate a closed pane on reopen.
 const ClosedPaneEntryZ = z.object({
  kind: PaneKindZ,
  chatIds: z.array(z.string().min(1).max(200)).max(50),
  activeChatIdx: z.number().int(),
 });
 const WorkspaceStateZ = z.object({
  panes: z.array(WorkspacePaneZ).max(10),
  tabNumbers: z.record(z.string(), z.number().int()).default({}),
  nextTabNumber: z.number().int().default(1),
  closedPaneStack: z.array(ClosedPaneEntryZ).max(10).default([]),
 });
 // Accept either the legacy bare array OR the envelope. The handler normalizes
 // to a full envelope before storing (see MIGRATION rule in the PATCH handler).
 const WorkspacePanesBody = z.object({
-  workspace_panes: z.array(WorkspacePaneZ).max(10),
+  workspace_panes: z.union([z.array(WorkspacePaneZ).max(10), WorkspaceStateZ]),
 });
 const PatchBody = z.object({
@@ -308,12 +330,20 @@ export function registerSessionRoutes(
        reply.code(400);
        return { error: 'invalid body', details: parsed.error.flatten() };
      }
-      const workspacePanes = parsed.data.workspace_panes.map((pane) =>
+      // v2.6.x MIGRATION: the body is either a legacy bare WorkspacePane[] or
      // the WorkspaceState envelope. Normalize to a full envelope so the column
      // always stores the envelope shape going forward.
      const body = parsed.data.workspace_panes;
      const envelope = Array.isArray(body)
        ? { panes: body, tabNumbers: {}, nextTabNumber: 1, closedPaneStack: [] }
        : body;
      // agent → coder normalization on the panes array (unchanged write rule).
      envelope.panes = envelope.panes.map((pane) =>
        pane.kind === 'agent' ? { ...pane, kind: 'coder' as const } : pane,
      );
      const rows = await sql<Session[]>`
        UPDATE sessions
-        SET workspace_panes = ${sql.json(workspacePanes as never)},
+        SET workspace_panes = ${sql.json(envelope as never)},
            updated_at = clock_timestamp()
        WHERE id = ${req.params.id}
        RETURNING id, project_id, name, model, system_prompt, status, created_at, updated_at,
@@ -426,10 +456,55 @@ export function registerSessionRoutes(
    }
  );
-  app.delete<{ Params: { id: string } }>(
+  app.delete<{ Params: { id: string }; Querystring: { force?: string } }>(
    '/api/sessions/:id',
    async (req, reply) => {
      const id = req.params.id;
      const force = req.query.force === 'true' || req.query.force === '1';
      // Session-delete work-loss guard. The check MUST run BEFORE the DELETE:
      // worktrees.session_id is ON DELETE SET NULL (P1.5-b), so once the session
      // is gone the worktree rows no longer point back to it — read them while
      // the link still exists.
      //
      // Optimization: read worktrees (P1.5-b — was session_worktrees) from our
      // own (shared) DB first. No row => chat-only session => nothing on disk =>
      // delete immediately, zero round-trip. Only worktree-backed sessions pay
      // the host git check.
      if (!force) {
        const worktrees = await sql<{ path: string }[]>`
          SELECT path FROM worktrees WHERE session_id = ${id}
        `;
        if (worktrees.length > 0) {
          // Worktree dirs live on the host; only BooCoder can run git on them.
          const origin = process.env.BOOCODER_URL ?? 'http://boocoder:3000';
          let reports: WorktreeRiskReport[];
          try {
            const res = await fetch(`${origin}/api/sessions/${id}/worktree-risk`);
            if (!res.ok) {
              // Fail-closed: can't verify => don't risk silent loss. Force escapes.
              reply.code(409);
              return {
                error: 'could not verify worktree safety (BooCoder check failed). Use force to delete anyway.',
                reports: [] as WorktreeRiskReport[],
              };
            }
            reports = ((await res.json()) as { reports?: WorktreeRiskReport[] }).reports ?? [];
          } catch {
            // Fail-closed: BooCoder unreachable. Force bypasses this path entirely.
            reply.code(409);
            return {
              error: 'BooCoder unreachable; cannot verify worktree safety. Use force to delete anyway.',
              reports: [] as WorktreeRiskReport[],
            };
          }
          if (reports.some((r) => r.atRisk)) {
            reply.code(409);
            return { error: 'This session has work at risk in its worktree.', reports };
          }
        }
      }
      const deleted = await sql<{ project_id: string }[]>`
        DELETE FROM sessions WHERE id = ${id} RETURNING project_id
      `;
@@ -439,6 +514,10 @@ export function registerSessionRoutes(
      }
      const project_id = deleted[0]!.project_id;
      broker.publishUserFrame('default', { type: 'session_deleted', session_id: id, project_id });
      // Fire-and-forget: ask BooCoder to tear down this session's warm agent
      // backends + worktree immediately. Best-effort — never blocks/fails the
      // delete; the coder's idle-evict + orphan reaper backstop a missed call.
      void notifyCoderClose('session', id, req.log);
      reply.code(204);
      return null;
    }
--- a/apps/server/src/schema.sql
+++ b/apps/server/src/schema.sql
@@ -344,6 +344,7 @@ INSERT INTO settings (key, value) VALUES ('theme_mode', '"dark"') ON CONFLICT (k
 ALTER TABLE projects ADD COLUMN IF NOT EXISTS default_system_prompt TEXT NOT NULL DEFAULT '';
 ALTER TABLE projects ADD COLUMN IF NOT EXISTS default_web_search_enabled BOOLEAN NOT NULL DEFAULT false;
 ALTER TABLE sessions ADD COLUMN IF NOT EXISTS web_search_enabled BOOLEAN;
 ALTER TABLE sessions ADD COLUMN IF NOT EXISTS tags TEXT[] DEFAULT '{}';
 -- v1.11: anchored rolling compaction.
 --   compacted_at  — marks rows that are "behind the curtain" of the latest
@@ -366,3 +367,39 @@ ALTER TABLE messages ADD COLUMN IF NOT EXISTS summary BOOLEAN NOT NULL DEFAULT F
 ALTER TABLE messages ADD COLUMN IF NOT EXISTS tail_start_id UUID REFERENCES messages(id) ON DELETE SET NULL;
 ALTER TABLE chats ADD COLUMN IF NOT EXISTS needs_compaction BOOLEAN NOT NULL DEFAULT FALSE;
 CREATE INDEX IF NOT EXISTS idx_messages_chat_compacted ON messages (chat_id, compacted_at);
 -- tasks table (provider dispatch, arena)
 CREATE TABLE IF NOT EXISTS tasks (
  id                UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  project_id        UUID NOT NULL REFERENCES projects(id) ON DELETE CASCADE,
  session_id        UUID REFERENCES sessions(id) ON DELETE CASCADE,
  parent_task_id    UUID REFERENCES tasks(id),
  arena_id          UUID,
  state             TEXT NOT NULL DEFAULT 'pending'
                    CHECK (state IN ('pending','running','completed','failed','blocked','cancelled')),
  input             TEXT NOT NULL,
  output_summary    TEXT,
  agent             TEXT,
  model             TEXT,
  mode_id           TEXT,
  thinking_option_id TEXT,
  feature_values    JSONB,
  execution_path    TEXT CHECK (execution_path IS NULL OR execution_path IN ('native','acp','pty','qwen')),
  worktree_path     TEXT,
  cost_tokens       INTEGER,
  started_at        TIMESTAMPTZ,
  ended_at          TIMESTAMPTZ,
  created_at        TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
 );
 -- Fix tasks FK to cascade on session delete (existing tables without CASCADE)
 DO $$ BEGIN
  IF EXISTS (
    SELECT 1 FROM pg_constraint WHERE conname = 'tasks_session_id_fkey'
    AND confdeltype != 'c'
  ) THEN
    ALTER TABLE tasks DROP CONSTRAINT tasks_session_id_fkey;
    ALTER TABLE tasks ADD CONSTRAINT tasks_session_id_fkey
      FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE CASCADE;
  END IF;
 END $$;
--- a/apps/server/src/services/tests/agent-allowlist.test.ts
+++ b/apps/server/src/services/tests/agent-allowlist.test.ts
@@ -0,0 +1,107 @@
 import { describe, it, expect } from 'vitest';
 import { parseAgentsMd, matchToolGlob } from '../agents.js';
 import { toolJsonSchemas } from '../tools.js';
 describe('agent tool allowlist', () => {
  const plannerMd = `# Agents
 ## Planner
 ---
 temperature: 0.6
 tools: [view_file, grep, list_dir, find_files]
 description: Read-only planner
 ---
 You plan.
 `;
  it('parses an agent with a restricted tool allowlist', () => {
    const { agents, errors } = parseAgentsMd(plannerMd);
    expect(errors).toHaveLength(0);
    expect(agents).toHaveLength(1);
    const planner = agents[0]!;
    expect(planner.name).toBe('Planner');
    expect(planner.tools).toEqual(['view_file', 'grep', 'list_dir', 'find_files']);
  });
  it('stream-phase filter: agent allowlist excludes tools not in the list', () => {
    const { agents } = parseAgentsMd(plannerMd);
    const planner = agents[0]!;
    const allSchemas = toolJsonSchemas();
    const filtered = allSchemas.filter((t) =>
      matchToolGlob(t.function.name, planner.tools),
    );
    const filteredNames = filtered.map((t) => t.function.name);
    expect(filteredNames).toContain('view_file');
    expect(filteredNames).toContain('grep');
    expect(filteredNames).not.toContain('edit_file');
    expect(filteredNames).not.toContain('web_search');
    expect(filteredNames).not.toContain('get_codebase_overview');
    expect(filtered).toHaveLength(4);
  });
  it('tool-phase guard: rejects tool call not in agent allowlist', () => {
    const { agents } = parseAgentsMd(plannerMd);
    const planner = agents[0]!;
    expect(matchToolGlob('edit_file', planner.tools)).toBe(false);
    expect(matchToolGlob('create_file', planner.tools)).toBe(false);
    expect(matchToolGlob('delete_file', planner.tools)).toBe(false);
    expect(matchToolGlob('web_search', planner.tools)).toBe(false);
  });
  it('tool-phase guard: allows tool call in agent allowlist', () => {
    const { agents } = parseAgentsMd(plannerMd);
    const planner = agents[0]!;
    expect(matchToolGlob('view_file', planner.tools)).toBe(true);
    expect(matchToolGlob('grep', planner.tools)).toBe(true);
    expect(matchToolGlob('list_dir', planner.tools)).toBe(true);
    expect(matchToolGlob('find_files', planner.tools)).toBe(true);
  });
  it('null/absent tools field defaults to all tools (no regression)', () => {
    const noToolsMd = `# Agents
 ## Default
 ---
 temperature: 0.7
 description: Uses all tools
 ---
 Default agent.
 `;
    const { agents } = parseAgentsMd(noToolsMd);
    const agent = agents[0]!;
    const allSchemas = toolJsonSchemas();
    const filtered = allSchemas.filter((t) =>
      matchToolGlob(t.function.name, agent.tools),
    );
    expect(filtered.length).toBe(allSchemas.length);
  });
  it('builder agent: write tools filtered out when not in ALL_TOOLS (BooChat context)', () => {
    const builderMd = `# Agents
 ## Builder
 ---
 temperature: 0.6
 tools: [view_file, grep, list_dir, find_files, edit_file, create_file, delete_file, apply_pending, rewind]
 description: Read and write tools
 ---
 You build.
 `;
    const { agents } = parseAgentsMd(builderMd);
    const builder = agents[0]!;
    expect(matchToolGlob('view_file', builder.tools)).toBe(true);
    expect(matchToolGlob('grep', builder.tools)).toBe(true);
    // Write tools not in server's ALL_TOOLS are silently filtered during parsing.
    // In BooCoder context (where ALL_TOOLS includes write tools), they'd be retained.
    expect(builder.tools).not.toContain('edit_file');
    expect(builder.tools).not.toContain('create_file');
    expect(matchToolGlob('web_search', builder.tools)).toBe(false);
  });
  it('matchToolGlob rejects hallucinated tool against exact allowlist', () => {
    const allowlist = ['view_file', 'grep', 'list_dir'];
    expect(matchToolGlob('edit_file', allowlist)).toBe(false);
    expect(matchToolGlob('rm_rf', allowlist)).toBe(false);
    expect(matchToolGlob('view_file_extended', allowlist)).toBe(false);
  });
 });
--- a/apps/server/src/services/tests/coder-notify.test.ts
+++ b/apps/server/src/services/tests/coder-notify.test.ts
@@ -0,0 +1,67 @@
 // v2.6.10 Phase 3 (server wiring) — notifyCoderClose fire-and-forget helper.
 //
 // The guarantee under test: the helper NEVER throws (so it can't break the
 // user's delete/archive path), targets the correct coder URL shape, and folds
 // every failure mode (non-2xx, network error) into a `false` result.
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 import { notifyCoderClose } from '../coder-notify.js';
 const ORIGINAL_BOOCODER_URL = process.env.BOOCODER_URL;
 describe('notifyCoderClose', () => {
  beforeEach(() => {
    delete process.env.BOOCODER_URL;
  });
  afterEach(() => {
    if (ORIGINAL_BOOCODER_URL === undefined) delete process.env.BOOCODER_URL;
    else process.env.BOOCODER_URL = ORIGINAL_BOOCODER_URL;
  });
  it('POSTs the chat close hook at the default coder origin and resolves true on 2xx', async () => {
    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
    const ok = await notifyCoderClose('chat', 'chat-123', undefined, fetcher as unknown as typeof fetch);
    expect(ok).toBe(true);
    expect(fetcher).toHaveBeenCalledTimes(1);
    const [url, init] = fetcher.mock.calls[0]!;
    expect(url).toBe('http://boocoder:3000/api/chats/chat-123/close');
    expect(init).toEqual({ method: 'POST' });
  });
  it('POSTs the session close hook with the sessions segment', async () => {
    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
    const ok = await notifyCoderClose('session', 'sess-abc', undefined, fetcher as unknown as typeof fetch);
    expect(ok).toBe(true);
    expect(fetcher.mock.calls[0]![0]).toBe('http://boocoder:3000/api/sessions/sess-abc/close');
  });
  it('honors BOOCODER_URL for the origin', async () => {
    process.env.BOOCODER_URL = 'http://100.114.205.53:9502';
    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
    await notifyCoderClose('chat', 'c1', undefined, fetcher as unknown as typeof fetch);
    expect(fetcher.mock.calls[0]![0]).toBe('http://100.114.205.53:9502/api/chats/c1/close');
  });
  it('resolves false on a non-2xx response (does not throw)', async () => {
    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 500 }));
    const log = { debug: vi.fn() };
    const ok = await notifyCoderClose('chat', 'c1', log, fetcher as unknown as typeof fetch);
    expect(ok).toBe(false);
    expect(log.debug).toHaveBeenCalledTimes(1);
  });
  it('resolves false on a network error (coder unreachable) — never rejects', async () => {
    const fetcher = vi.fn().mockRejectedValue(new Error('ECONNREFUSED'));
    const log = { debug: vi.fn() };
    const ok = await notifyCoderClose('session', 's1', log, fetcher as unknown as typeof fetch);
    expect(ok).toBe(false);
    expect(log.debug).toHaveBeenCalledTimes(1);
  });
  it('does not require a logger', async () => {
    const fetcher = vi.fn().mockRejectedValue(new Error('boom'));
    await expect(
      notifyCoderClose('chat', 'c1', undefined, fetcher as unknown as typeof fetch),
    ).resolves.toBe(false);
  });
 });
--- a/apps/server/src/services/tests/html-to-md.test.ts
+++ b/apps/server/src/services/tests/html-to-md.test.ts
@@ -70,10 +70,16 @@ describe('htmlToMarkdown', () => {
        </tbody>
      </table>`;
    const md = htmlToMarkdown(html);
-    expect(md).toContain('| Name | Age | City |');
+    // node-html-markdown pads columns to align them; assert structure rather
-    expect(md).toContain('| --- | --- | --- |');
+    // than exact spacing. Each cell value and a GFM separator row are present.
-    expect(md).toContain('| Alice | 30 | NYC |');
+    expect(md).toContain('| Name ');
-    expect(md).toContain('| Bob | 25 | LA |');
+    expect(md).toContain('| Age ');
    expect(md).toContain('| City |');
    expect(md).toMatch(/\| -+ \| -+ \| -+ \|/); // separator row
    expect(md).toContain('| Alice ');
    expect(md).toContain('| NYC  |');
    expect(md).toContain('| Bob   ');
    expect(md).toContain('| LA   |');
  });
  it('escapes pipe characters in table cells', () => {
@@ -162,14 +168,17 @@ describe('htmlToMarkdown', () => {
  it('converts br to newline', () => {
    const md = htmlToMarkdown('line one<br>line two');
-    expect(md).toContain('line one\nline two');
+    // node-html-markdown emits a GFM hard line break (trailing two spaces).
    expect(md).toContain('line one  \nline two');
  });
  it('handles ol with start attribute', () => {
    const html = '<ol start="5"><li>five</li><li>six</li></ol>';
    const md = htmlToMarkdown(html);
-    expect(md).toContain('5. five');
+    // node-html-markdown does not honor the `start` attribute; it always
-    expect(md).toContain('6. six');
+    // renumbers ordered lists from 1. (Old parse5 renderer honored start=.)
    expect(md).toContain('1. five');
    expect(md).toContain('2. six');
  });
  it('collapses excessive blank lines', () => {
@@ -212,9 +221,12 @@ describe('htmlToMarkdown', () => {
    expect(md).toContain('[a link](https://example.com)');
    expect(md).toContain('## Features');
    expect(md).toContain('* Fast');
-    expect(md).toContain('| Metric | Value |');
+    // Table columns are padded to align (node-html-markdown behavior).
-    expect(md).toContain('| --- | --- |');
+    expect(md).toContain('| Metric ');
-    expect(md).toContain('| Uptime | 99.9% |');
+    expect(md).toContain('| Value |');
    expect(md).toMatch(/\| -+ \| -+ \|/); // separator row
    expect(md).toContain('| Uptime ');
    expect(md).toContain('| 99.9% |');
    expect(md).toContain('> This tool is amazing.');
    expect(md).toContain('```js\nconsole.log("hello");\n```');
    expect(md).not.toContain('evil');
--- a/apps/server/src/services/tests/license-mit.test.ts
+++ b/apps/server/src/services/tests/license-mit.test.ts
@@ -0,0 +1,46 @@
 import { describe, expect, it } from 'vitest';
 import { readFileSync } from 'node:fs';
 import { fileURLToPath } from 'node:url';
 import { dirname, resolve } from 'node:path';
 // Guards the AGPL-3.0 -> MIT relicense (openspec license-debt-mit). If any of
 // these fail, AGPL-derived provenance has crept back in.
 const ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '../../../../..');
 describe('license: MIT relicense guard', () => {
  it('LICENSE is MIT (no Affero/AGPL text)', () => {
    const license = readFileSync(resolve(ROOT, 'LICENSE'), 'utf8');
    expect(license).toMatch(/^MIT License/);
    expect(license).not.toMatch(/AFFERO|AGPL/i);
  });
  const PACKAGE_JSONS = [
    'package.json',
    'apps/server/package.json',
    'apps/web/package.json',
    'apps/coder/package.json',
    'apps/booterm/package.json',
  ];
  for (const rel of PACKAGE_JSONS) {
    it(`${rel} declares "license": "MIT"`, () => {
      const pkg = JSON.parse(readFileSync(resolve(ROOT, rel), 'utf8')) as { license?: string };
      expect(pkg.license).toBe('MIT');
    });
  }
  // The three files that were ported from Unsloth Studio (AGPL-3.0-only) and
  // cleared in this batch — they must carry no AGPL/Unsloth provenance.
  const FORMERLY_AGPL = [
    'apps/server/src/services/inference/tool-call-parser.ts',
    'apps/server/src/services/web/html-to-md.ts',
    'apps/server/src/services/inference/llama-args-validator.ts',
  ];
  for (const rel of FORMERLY_AGPL) {
    it(`${rel} carries no AGPL / Unsloth provenance`, () => {
      const src = readFileSync(resolve(ROOT, rel), 'utf8');
      expect(src).not.toMatch(/AGPL/);
      expect(src).not.toMatch(/SPDX-License-Identifier:\s*AGPL/);
      expect(src).not.toMatch(/Unsloth/i);
    });
  }
 });
--- a/apps/server/src/services/tests/tool-call-parser.test.ts
+++ b/apps/server/src/services/tests/tool-call-parser.test.ts
@@ -4,18 +4,11 @@ import {
  parseInvokeToolCall,
  partialXmlOpenerStart,
  extractToolCallBlocks,
  parseToolCallsFromText,
  stripToolMarkup,
  hasToolSignal,
  XML_TOOL_OPEN,
  XML_TOOL_CLOSE,
  INVOKE_TOOL_OPEN,
  INVOKE_TOOL_CLOSE,
  TOOL_XML_SIGNALS,
  BUDGET_EXHAUSTED_NUDGE,
  DUPLICATE_CALL_NUDGE,
  TOOL_ERROR_NUDGE,
  TOOL_ERROR_PREFIXES,
 } from '../inference/tool-call-parser.js';
 // ── Ported from xml-parser.test.ts ───────────────────────────────────────
@@ -301,38 +294,6 @@ describe('extractToolCallBlocks (v1.13.16 — unified extraction)', () => {
  });
 });
 // ── New tests: Unsloth-ported functions ──────────────────────────────────
 describe('hasToolSignal', () => {
  it('returns true for <tool_call>', () => {
    expect(hasToolSignal('prefix <tool_call> suffix')).toBe(true);
  });
  it('returns true for <function=', () => {
    expect(hasToolSignal('prefix <function=view_file> suffix')).toBe(true);
  });
  it('returns true for <invoke', () => {
    expect(hasToolSignal('prefix <invoke name="x"> suffix')).toBe(true);
  });
  it('returns false for near-miss <tool>', () => {
    expect(hasToolSignal('prefix <tool> suffix')).toBe(false);
  });
  it('returns false for near-miss <function>', () => {
    expect(hasToolSignal('prefix <function> suffix')).toBe(false);
  });
  it('returns false for near-miss <tool_call_thing>', () => {
    expect(hasToolSignal('<tool_call_thing>')).toBe(false);
  });
  it('returns false for plain text', () => {
    expect(hasToolSignal('just some text')).toBe(false);
  });
 });
 describe('stripToolMarkup', () => {
  it('strips closed <tool_call> blocks', () => {
    const input = 'before <tool_call>{"name":"x"}</tool_call> after';
@@ -380,166 +341,11 @@ describe('stripToolMarkup', () => {
  });
 });
-describe('parseToolCallsFromText', () => {
+describe('delimiter constants', () => {
-  describe('pattern 1: <tool_call>{json}</tool_call>', () => {
+  it('exports the expected delimiters', () => {
-    it('parses a well-formed JSON tool call', () => {
+    expect(INVOKE_TOOL_OPEN).toBe('<invoke');
-      const input = '<tool_call>{"name":"web_search","arguments":{"query":"hello"}}</tool_call>';
+    expect(INVOKE_TOOL_CLOSE).toBe('</invoke>');
-      const calls = parseToolCallsFromText(input);
+    expect(XML_TOOL_OPEN).toBe('<tool_call>');
-      expect(calls).toHaveLength(1);
+    expect(XML_TOOL_CLOSE).toBe('</tool_call>');
      expect(calls[0]!.id).toBe('call_0');
      expect(calls[0]!.type).toBe('function');
      expect(calls[0]!.function.name).toBe('web_search');
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ query: 'hello' });
    });
    it('handles string arguments field', () => {
      const input = '<tool_call>{"name":"x","arguments":"already a string"}</tool_call>';
      const calls = parseToolCallsFromText(input);
      expect(calls[0]!.function.arguments).toBe('already a string');
    });
    it('handles balanced braces inside JSON strings', () => {
      const input = '<tool_call>{"name":"x","arguments":{"q":"} { extra "}}</tool_call>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      const parsed = JSON.parse(calls[0]!.function.arguments);
      expect(parsed.q).toBe('} { extra ');
    });
    it('respects idOffset', () => {
      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call>';
      const calls = parseToolCallsFromText(input, { idOffset: 5 });
      expect(calls[0]!.id).toBe('call_5');
    });
    it('parses multiple JSON tool calls', () => {
      const input =
        '<tool_call>{"name":"a","arguments":{}}</tool_call>' +
        '<tool_call>{"name":"b","arguments":{}}</tool_call>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(2);
      expect(calls[0]!.id).toBe('call_0');
      expect(calls[1]!.id).toBe('call_1');
    });
    it('skips malformed JSON', () => {
      const input = '<tool_call>{not json}</tool_call>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(0);
    });
    it('handles missing closing tag', () => {
      const input = '<tool_call>{"name":"x","arguments":{"q":"hello"}}';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('x');
    });
  });
  describe('pattern 2: <function=name><parameter=key>value', () => {
    it('parses a single-parameter function call', () => {
      const input = '<function=view_file><parameter=path>/tmp/foo</parameter></function>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('view_file');
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
    });
    it('single-param fast path preserves embedded </parameter>', () => {
      const input = '<function=run_bash><parameter=command>echo "</parameter>"</parameter></function>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(JSON.parse(calls[0]!.function.arguments).command).toBe('echo "</parameter>"');
    });
    it('multi-param: value of first stops at start of second', () => {
      const input = '<function=grep><parameter=pattern>foo</parameter><parameter=path>src/</parameter></function>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      const args = JSON.parse(calls[0]!.function.arguments);
      expect(args.pattern).toBe('foo');
      expect(args.path).toBe('src/');
    });
    it('tolerates missing closing tags', () => {
      const input = '<function=view_file><parameter=path>/tmp/foo';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('view_file');
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
    });
    it('does not fire when pattern 1 found results', () => {
      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call><function=b><parameter=x>y</parameter></function>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('a');
    });
  });
  describe('pattern 3: <invoke name="..."><parameter name="...">value (Anthropic)', () => {
    it('parses a single-parameter invoke call', () => {
      const input = '<invoke name="view_file"><parameter name="path">/tmp/foo</parameter></invoke>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('view_file');
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
    });
    it('parses multi-parameter invoke call', () => {
      const input = '<invoke name="grep"><parameter name="pattern">foo</parameter><parameter name="path">src/</parameter></invoke>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      const args = JSON.parse(calls[0]!.function.arguments);
      expect(args.pattern).toBe('foo');
      expect(args.path).toBe('src/');
    });
    it('does not fire when pattern 1 found results', () => {
      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call><invoke name="b"><parameter name="x">y</parameter></invoke>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('a');
    });
    it('does not fire when pattern 2 found results', () => {
      const input = '<function=a><parameter=x>y</parameter></function><invoke name="b"><parameter name="x">y</parameter></invoke>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('a');
    });
    it('tolerates missing closing tags', () => {
      const input = '<invoke name="view_file"><parameter name="path">/tmp/foo';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
    });
    it('supports single-quoted attributes', () => {
      const input = "<invoke name='view_file'><parameter name='path'>/tmp/foo</parameter></invoke>";
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('view_file');
    });
  });
 });
 describe('constants', () => {
  it('TOOL_XML_SIGNALS includes all three signal prefixes', () => {
    expect(TOOL_XML_SIGNALS).toContain('<tool_call>');
    expect(TOOL_XML_SIGNALS).toContain('<function=');
    expect(TOOL_XML_SIGNALS).toContain('<invoke');
  });
  it('nudge constants are non-empty strings', () => {
    expect(BUDGET_EXHAUSTED_NUDGE.length).toBeGreaterThan(0);
    expect(DUPLICATE_CALL_NUDGE.length).toBeGreaterThan(0);
    expect(TOOL_ERROR_NUDGE.length).toBeGreaterThan(0);
  });
  it('TOOL_ERROR_PREFIXES is a non-empty tuple', () => {
    expect(TOOL_ERROR_PREFIXES.length).toBeGreaterThan(0);
    expect(TOOL_ERROR_PREFIXES).toContain('Error');
  });
 });
--- a/apps/server/src/services/auto_name.ts
+++ b/apps/server/src/services/auto_name.ts
@@ -1,9 +1,10 @@
 import type { InferenceContext } from './inference/index.js';
 import { taskModelCompletion } from './task-model.js';
 const NAMING_SYSTEM_PROMPT =
-  'You name chat sessions based on what the assistant did. Summarize the topic or outcome — do NOT copy the first few words verbatim. Reply directly with no thinking, reasoning, or explanation. Output ONLY the title, 4 words max, no quotes, no punctuation, no prefix like "Title:".';
+  'You name chat sessions. Reply with ONLY the title. 4 to 6 words. No quotes, no punctuation, no prefix.';
-const MAX_TITLE_CHARS = 60;
+const MAX_TITLE_CHARS = 80;
 function cleanTitle(raw: string): string {
  let name = raw.trim();
@@ -18,27 +19,7 @@ function cleanTitle(raw: string): string {
  return name;
 }
-interface NamingResponse {
+// TODO: wire suggestTags after task model validation
  choices?: Array<{
    message?: {
      content?: string;
      reasoning_content?: string;
    };
  }>;
 }
 function pickTitleSource(data: NamingResponse): string {
  const choice = data.choices?.[0]?.message;
  if (!choice) return '';
  if (choice.content && choice.content.trim().length > 0) return choice.content;
  const reasoning = choice.reasoning_content ?? '';
  if (reasoning.length === 0) return '';
  const lines = reasoning
    .split('\n')
    .map((l) => l.trim())
    .filter((l) => l.length > 0);
  return lines[lines.length - 1] ?? '';
 }
 export async function maybeAutoNameChat(
  ctx: InferenceContext,
@@ -56,60 +37,40 @@ export async function maybeAutoNameChat(
  if ((counts[0]?.n ?? 0) < 1) return;
  const chatRows = await ctx.sql<
-    { id: string; name: string | null; session_id: string }[]
+    { id: string; name: string | null; session_id: string; model: string | null }[]
  >`
-    SELECT id, name, session_id FROM chats WHERE id = ${chatId}
+    SELECT c.id, c.name, c.session_id, s.model
    FROM chats c JOIN sessions s ON s.id = c.session_id
    WHERE c.id = ${chatId}
  `;
  const chat = chatRows[0];
  if (!chat) return;
  if (chat.name !== null && chat.name !== '') return;
-  const sessionRows = await ctx.sql<{ model: string }[]>`
+  const firstMsgs = await ctx.sql<{ role: string; content: string }[]>`
-    SELECT model FROM sessions WHERE id = ${sessionId}
+    SELECT role, content FROM messages
  `;
  // v2.0.5: prefer FAST_MODEL for cheap LLM calls (titles, summaries).
  const model = ctx.config.FAST_MODEL ?? sessionRows[0]?.model;
  if (!model) return;
  const assistantMsg = await ctx.sql<{ content: string }[]>`
    SELECT content FROM messages
    WHERE chat_id = ${chatId}
-      AND role = 'assistant'
+      AND role IN ('user', 'assistant')
-      AND status = 'complete'
+      AND status IN ('complete', 'ok')
      AND content <> ''
    ORDER BY created_at ASC
-    LIMIT 1
+    LIMIT 2
  `;
-  if (!assistantMsg[0]) return;
+  const userMsg = firstMsgs.find(m => m.role === 'user');
  const assistantMsg = firstMsgs.find(m => m.role === 'assistant');
  if (!assistantMsg) return;
-  const assistantText = assistantMsg[0].content.slice(0, 2000);
+  let namingInput = '';
  if (userMsg) namingInput += `User: ${userMsg.content.slice(0, 1000)}\n\n`;
  namingInput += `Assistant: ${assistantMsg.content.slice(0, 1000)}`;
-  const body = {
+  const raw = await taskModelCompletion({
-    model,
+    system: NAMING_SYSTEM_PROMPT,
-    messages: [
+    user: namingInput,
-      { role: 'system', content: NAMING_SYSTEM_PROMPT },
+    maxTokens: 30,
      {
        role: 'user',
        content: assistantText,
      },
    ],
    max_tokens: 30,
    temperature: 0.3,
-    stream: false,
+    fallbackModel: chat.model ?? undefined,
    chat_template_kwargs: { enable_thinking: false },
  };
  const res = await fetch(`${ctx.config.LLAMA_SWAP_URL}/v1/chat/completions`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) {
    const text = await res.text().catch(() => '');
    throw new Error(`naming request failed: ${res.status} ${text.slice(0, 200)}`);
  }
  const data = (await res.json()) as NamingResponse;
  const raw = pickTitleSource(data);
  const name = cleanTitle(raw);
  if (!name) {
    ctx.log.warn({ chatId, raw }, 'auto-name: empty title from model');
--- a/apps/server/src/services/coder-notify.ts
+++ b/apps/server/src/services/coder-notify.ts
@@ -0,0 +1,64 @@
 // v2.6.10 Phase 3 (server wiring) — fire-and-forget BooCoder close hooks.
 //
 // BooCoder (apps/coder, host systemd) added close hooks in
 // apps/coder/src/routes/lifecycle.ts:
 //   POST /api/chats/:chatId/close      — evict the chat's warm (chat,agent)
 //                                        backends, close its opencode session,
 //                                        mark agent_sessions closed, and remove
 //                                        the shared worktree on the last chat.
 //   POST /api/sessions/:sessionId/close — loop the chat-close path for every
 //                                        chat in the session.
 //
 // apps/server (Docker) can't see the host worktree dirs or reach the warm agent
 // processes, so — exactly like the existing `worktree-risk` guard in
 // routes/sessions.ts — it signals the coder over HTTP and the coder does the
 // real teardown. This call is BEST-EFFORT: the coder's idle-pool eviction and
 // the orphan-worktree reaper backstop a missed/failed call. It MUST NEVER block
 // or fail the user's delete/archive — hence fire-and-forget with a swallowed
 // catch. We do not await the returned promise at the call sites.
 import type { FastifyBaseLogger } from 'fastify';
 export type CoderCloseKind = 'chat' | 'session';
 function coderOrigin(): string {
  // Same env + default as routes/sessions.ts' worktree-risk fetch.
  return process.env.BOOCODER_URL ?? 'http://boocoder:3000';
 }
 /**
 * Fire-and-forget POST to the BooCoder close hook for a chat or session.
 *
 * Resolves to `true` if the coder acknowledged (HTTP 2xx), `false` otherwise
 * (non-2xx or network error). Callers SHOULD NOT await this — invoke it and
 * move on. The returned promise never rejects: every failure path is caught,
 * logged at debug, and folded into a `false` result so an unreachable or
 * erroring coder can't surface to the user's delete/archive request.
 */
 export async function notifyCoderClose(
  kind: CoderCloseKind,
  id: string,
  log?: Pick<FastifyBaseLogger, 'debug'>,
  fetcher: typeof fetch = fetch,
 ): Promise<boolean> {
  const segment = kind === 'chat' ? 'chats' : 'sessions';
  const url = `${coderOrigin()}/api/${segment}/${id}/close`;
  try {
    const res = await fetcher(url, { method: 'POST' });
    if (!res.ok) {
      log?.debug(
        { kind, id, status: res.status },
        'coder close hook returned non-2xx (best-effort; reaper backstops)',
      );
      return false;
    }
    log?.debug({ kind, id }, 'coder close hook acknowledged');
    return true;
  } catch (err) {
    log?.debug(
      { kind, id, err: err instanceof Error ? err.message : String(err) },
      'coder close hook unreachable (best-effort; reaper backstops)',
    );
    return false;
  }
 }
--- a/apps/server/src/services/inference/budget.ts
+++ b/apps/server/src/services/inference/budget.ts
@@ -18,9 +18,9 @@ import { READ_ONLY_TOOL_NAMES } from '../tools.js';
 // turns + deeper exploration without changing the safety floor materially —
 // the doom-loop guard (3 identical calls → abort) catches the actual failure
 // mode this cap was guarding against.
-export const BUDGET_READ_ONLY = 50;
+export const BUDGET_READ_ONLY = 100;
-export const BUDGET_NON_READ_ONLY = 10;
+export const BUDGET_NON_READ_ONLY = 100;
-export const BUDGET_NO_AGENT = 50;
+export const BUDGET_NO_AGENT = 100;
 const READ_ONLY_SET: ReadonlySet<string> = new Set(READ_ONLY_TOOL_NAMES);
--- a/apps/server/src/services/inference/llama-args-validator.ts
+++ b/apps/server/src/services/inference/llama-args-validator.ts
@@ -1,80 +1,139 @@
-// SPDX-License-Identifier: AGPL-3.0-only
+// Guards against agent-supplied llama-server CLI flags that would clash with
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
+// values BooCode sets itself. Two concerns live here:
-// Ported from studio/backend/core/inference/llama_server_args.py.
+//
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/llama_server_args.py
+//   1. A hard denylist of flags that BooCode owns outright (model selection,
 //      the listening socket, credentials, the bundled web UI). Passing any of
 //      these is a configuration error and is rejected loudly.
 //
 //   2. A "shadowing" set of flags that are legal to pass but, because of
 //      llama.cpp's last-wins argument parsing, would override a first-class
 //      BooCode setting. These are silently removed from the auto-generated
 //      argv so the agent's explicit choice takes precedence without leaving a
 //      duplicate flag behind.
 //
 // All flag spellings below are the public llama-server option names (short and
 // long aliases) documented in its --help output.
-// Each group is the full set of aliases (short + long) for one hard-denied
+// --- Hard denylist -------------------------------------------------------
-// flag, taken from the llama-server README. Flags NOT in this list pass
+
-// through and override auto-set values via llama.cpp's last-wins CLI parsing.
+// Authored as named buckets purely for readability; every alias is folded
-const DENYLIST_GROUPS: ReadonlyArray<ReadonlySet<string>> = [
+// into one flat lookup set at module load. Each inner array enumerates the
-  // Model identity
+// short + long spellings that select the same underlying option.
-  new Set(['-m', '--model']),
+const MODEL_SOURCE_FLAGS = [
-  new Set(['-mu', '--model-url']),
+  ['-m', '--model'],
-  new Set(['-dr', '--docker-repo']),
+  ['-mu', '--model-url'],
-  new Set(['-hf', '-hfr', '--hf-repo']),
+  ['-dr', '--docker-repo'],
-  new Set(['-hff', '--hf-file']),
+  ['-hf', '-hfr', '--hf-repo'],
-  new Set(['-hfv', '-hfrv', '--hf-repo-v']),
+  ['-hff', '--hf-file'],
-  new Set(['-hffv', '--hf-file-v']),
+  ['-hfv', '-hfrv', '--hf-repo-v'],
-  new Set(['-hft', '--hf-token']),
+  ['-hffv', '--hf-file-v'],
-  new Set(['-mm', '--mmproj']),
+  ['-hft', '--hf-token'],
-  new Set(['-mmu', '--mmproj-url']),
+  ['-mm', '--mmproj'],
-  // Networking
+  ['-mmu', '--mmproj-url'],
  new Set(['--host']),
  new Set(['--port']),
  new Set(['--path']),
  new Set(['--api-prefix']),
  new Set(['--reuse-port']),
  // Auth / TLS
  new Set(['--api-key']),
  new Set(['--api-key-file']),
  new Set(['--ssl-key-file']),
  new Set(['--ssl-cert-file']),
  // Single-model server / UI
  new Set(['--webui', '--no-webui']),
  new Set(['--ui', '--no-ui']),
  new Set(['--ui-config']),
  new Set(['--ui-config-file']),
  new Set(['--ui-mcp-proxy', '--no-ui-mcp-proxy']),
  new Set(['--models-dir']),
  new Set(['--models-preset']),
  new Set(['--models-max']),
  new Set(['--models-autoload', '--no-models-autoload']),
 ];
-const DENYLIST: ReadonlySet<string> = new Set(
+const LISTEN_FLAGS = [
-  DENYLIST_GROUPS.flatMap((g) => [...g]),
+  ['--host'],
  ['--port'],
  ['--path'],
  ['--api-prefix'],
  ['--reuse-port'],
 ];
 const CREDENTIAL_FLAGS = [
  ['--api-key'],
  ['--api-key-file'],
  ['--ssl-key-file'],
  ['--ssl-cert-file'],
 ];
 const WEBUI_FLAGS = [
  ['--webui', '--no-webui'],
  ['--ui', '--no-ui'],
  ['--ui-config'],
  ['--ui-config-file'],
  ['--ui-mcp-proxy', '--no-ui-mcp-proxy'],
  ['--models-dir'],
  ['--models-preset'],
  ['--models-max'],
  ['--models-autoload', '--no-models-autoload'],
 ];
 const MANAGED_FLAGS: ReadonlySet<string> = new Set(
  [
    ...MODEL_SOURCE_FLAGS,
    ...LISTEN_FLAGS,
    ...CREDENTIAL_FLAGS,
    ...WEBUI_FLAGS,
  ].flat(),
 );
-function flagName(token: string): string | null {
+// --- Token parsing -------------------------------------------------------
-  if (!token.startsWith('-') || token === '-' || token === '--') return null;
+
-  if (token.length >= 2 && (token[1]!.match(/\d/) || token[1] === '.')) return null;
+const DIGIT = /^[0-9]$/;
-  return token.split('=', 1)[0]!;
+
 /**
 * Extract the flag name from a single argv token, or `null` when the token is
 * not a flag.
 *
 * A token is treated as a flag only when it begins with `-` and the character
 * after the leading dash is neither a digit nor a decimal point — that rule
 * keeps negative numeric values such as `-1` or `-0.5` from being mistaken for
 * options. A bare `-` or `--` is not a flag either. The returned name is the
 * portion before any `=`, so `--ctx-size=4096` yields `--ctx-size`.
 */
 function parseFlag(token: string): string | null {
  if (!token.startsWith('-')) return null;
  if (token === '-' || token === '--') return null;
  const second = token[1]!;
  if (DIGIT.test(second) || second === '.') return null;
  const eq = token.indexOf('=');
  return eq === -1 ? token : token.slice(0, eq);
 }
 // --- Public API ----------------------------------------------------------
 /**
 * Validate a sequence of extra llama-server args, rejecting any that name a
 * BooCode-managed flag. Returns the args materialised as a string[] when they
 * all pass.
 */
 export function validateExtraArgs(args?: Iterable<string>): string[] {
-  if (!args) return [];
+  const result: string[] = [];
-  const out: string[] = [];
+  if (!args) return result;
-  for (const raw of args) {
+
-    const token = String(raw);
+  for (const entry of args) {
-    const flag = flagName(token);
+    const token = String(entry);
-    if (flag !== null && DENYLIST.has(flag)) {
+    const flag = parseFlag(token);
    if (flag !== null && MANAGED_FLAGS.has(flag)) {
      throw new Error(
        `llama-server flag '${flag}' is managed and cannot be passed as an extra arg`,
      );
    }
-    out.push(token);
+    result.push(token);
  }
-  return out;
+
  return result;
 }
 /** True when `flag` is a BooCode-managed flag that callers may not override. */
 export function isManagedFlag(flag: string): boolean {
-  return DENYLIST.has(flag);
+  return MANAGED_FLAGS.has(flag);
 }
-// Shadowing flag groups: pass-through flags that shadow first-class settings.
+// --- Shadowing flags -----------------------------------------------------
-const CONTEXT_FLAGS = new Set(['-c', '--ctx-size']);
+
-const CACHE_FLAGS = new Set(['-ctk', '--cache-type-k', '-ctv', '--cache-type-v']);
+// Flags below are legal for an agent to pass, but each shadows a setting
-const SPEC_FLAGS = new Set([
+// BooCode applies itself. They are categorised so a caller can opt out of
 // stripping any one category.
 const SHADOW_CONTEXT = ['-c', '--ctx-size'];
 const SHADOW_CACHE = ['-ctk', '--cache-type-k', '-ctv', '--cache-type-v'];
 const SHADOW_SPEC = [
  '--spec-default',
  '--spec-type',
  '--spec-ngram-size-n',
@@ -88,17 +147,22 @@ const SPEC_FLAGS = new Set([
  '--spec-ngram-mod-n-match',
  '--spec-ngram-mod-n-min',
  '--spec-ngram-mod-n-max',
-]);
+];
-const TEMPLATE_FLAGS = new Set([
+
 const SHADOW_TEMPLATE = [
  '--chat-template',
  '--chat-template-file',
  '--chat-template-kwargs',
  '--jinja',
  '--no-jinja',
-]);
+];
-const BOOLEAN_SHADOWING_FLAGS = new Set([
+// Shadowing flags that take no value — a boolean switch — so the stripper must
-  '--spec-default', '--jinja', '--no-jinja',
+// not also drop the following token.
 const VALUELESS_SHADOW_FLAGS: ReadonlySet<string> = new Set([
  '--spec-default',
  '--jinja',
  '--no-jinja',
 ]);
 export interface StripOptions {
@@ -108,35 +172,49 @@ export interface StripOptions {
  stripTemplate?: boolean;
 }
 /**
 * Remove shadowing flags (and their values) from an argv sequence.
 *
 * Each category is stripped by default; pass the matching `strip*: false`
 * option to retain that category. When a stripped flag carries its value as a
 * separate following token (e.g. `-c 4096`), that token is removed too; the
 * `--flag=value` and boolean-switch forms consume only the single token.
 */
 export function stripShadowingFlags(
  args: Iterable<string>,
  opts?: StripOptions,
 ): string[] {
-  const shadowing = new Set<string>();
+  const targets = new Set<string>();
-  if (opts?.stripContext !== false) for (const f of CONTEXT_FLAGS) shadowing.add(f);
+  if (opts?.stripContext !== false) for (const f of SHADOW_CONTEXT) targets.add(f);
-  if (opts?.stripCache !== false) for (const f of CACHE_FLAGS) shadowing.add(f);
+  if (opts?.stripCache !== false) for (const f of SHADOW_CACHE) targets.add(f);
-  if (opts?.stripSpec !== false) for (const f of SPEC_FLAGS) shadowing.add(f);
+  if (opts?.stripSpec !== false) for (const f of SHADOW_SPEC) targets.add(f);
-  if (opts?.stripTemplate !== false) for (const f of TEMPLATE_FLAGS) shadowing.add(f);
+  if (opts?.stripTemplate !== false) for (const f of SHADOW_TEMPLATE) targets.add(f);
-  const tokens = [...args].map(String);
+  const tokens = Array.from(args, String);
-  const out: string[] = [];
+  const kept: string[] = [];
-  let i = 0;
+
-  const n = tokens.length;
+  for (let i = 0; i < tokens.length; i++) {
-  while (i < n) {
+    const token = tokens[i]!;
-    const tok = tokens[i]!;
+    const flag = parseFlag(token);
-    const flag = flagName(tok);
+
-    if (flag === null || !shadowing.has(flag)) {
+    // Not a targeted shadow flag — keep it verbatim.
-      out.push(tok);
+    if (flag === null || !targets.has(flag)) {
-      i++;
+      kept.push(token);
      continue;
    }
-    if (BOOLEAN_SHADOWING_FLAGS.has(flag) || tok.includes('=')) {
+
-      i++;
+    // Targeted: drop it. Decide whether the next token is its value and should
-    } else if (i + 1 < n && flagName(tokens[i + 1]!) === null) {
+    // be dropped along with it. Boolean switches and the inline `=value` form
-      i += 2;
+    // carry no separate value token.
-    } else {
+    const carriesInlineValue = token.includes('=');
-      i++;
+    const isBoolean = VALUELESS_SHADOW_FLAGS.has(flag);
    const next = tokens[i + 1];
    const nextIsValue = next !== undefined && parseFlag(next) === null;
    if (!isBoolean && !carriesInlineValue && nextIsValue) {
      i++; // also skip the value token
    }
  }
-  return out;
+
  return kept;
 }
--- a/apps/server/src/services/inference/tool-call-parser.ts
+++ b/apps/server/src/services/inference/tool-call-parser.ts
@@ -1,7 +1,7 @@
-// SPDX-License-Identifier: AGPL-3.0-only
+// Streaming tool-call extraction for the qwen3.6 XML fallback path.
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
+// `extractToolCallBlocks` is the incremental streaming scanner used by
-// Ported from studio/backend/core/inference/tool_call_parser.py.
+// stream-phase.ts; `stripToolMarkup` removes tool-call wire markup from
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/tool_call_parser.py
+// assistant prose (used by tool-phase.ts and error-handler.ts).
 // ── Constants ────────────────────────────────────────────────────────────
@@ -10,34 +10,6 @@ export const XML_TOOL_CLOSE = '</tool_call>';
 export const INVOKE_TOOL_OPEN = '<invoke';
 export const INVOKE_TOOL_CLOSE = '</invoke>';
 export const TOOL_XML_SIGNALS = [XML_TOOL_OPEN, '<function=', INVOKE_TOOL_OPEN] as const;
 export const TOOL_ERROR_PREFIXES = [
  'Error',
  'Search failed',
  'Execution error',
  'Blocked:',
  'Exit code',
  'Failed to fetch',
  'Failed to resolve',
  'No query provided',
 ] as const;
 export const DUPLICATE_CALL_NUDGE =
  'You already made this exact call. Do not repeat the same tool ' +
  'call. Try a different approach: fetch a URL from previous ' +
  'results, use Python to process data you already have, or ' +
  'provide your final answer now.';
 export const TOOL_ERROR_NUDGE =
  '\n\nThe tool call encountered an issue. Please try a different ' +
  'approach or rephrase your request.';
 export const BUDGET_EXHAUSTED_NUDGE =
  'You have used all available tool calls. Based on everything you ' +
  'have found so far, provide your final answer now. Do not call ' +
  'any more tools.';
 // ── Strip patterns ───────────────────────────────────────────────────────
 const TOOL_CLOSED_PATS = [
@@ -53,7 +25,7 @@ const TOOL_ALL_PATS = [
  /<invoke\s[^>]*>.*$/gs,
 ];
-// ── Strip / signal ───────────────────────────────────────────────────────
+// ── Strip ────────────────────────────────────────────────────────────────
 export function stripToolMarkup(text: string, opts?: { final?: boolean }): string {
  const pats = opts?.final ? TOOL_ALL_PATS : TOOL_CLOSED_PATS;
@@ -63,206 +35,6 @@ export function stripToolMarkup(text: string, opts?: { final?: boolean }): strin
  return opts?.final ? text.trim() : text;
 }
 export function hasToolSignal(text: string): boolean {
  return TOOL_XML_SIGNALS.some((s) => text.includes(s));
 }
 // ── parseToolCallsFromText (Unsloth port + Anthropic extension) ──────────
 export interface OpenAiToolCall {
  id: string;
  type: 'function';
  function: { name: string; arguments: string };
 }
 const TC_JSON_START_RE = /<tool_call>\s*\{/g;
 const TC_FUNC_START_RE = /<function=(\w+)>\s*/g;
 const TC_END_TAG_RE = /<\/tool_call>/;
 const TC_FUNC_CLOSE_RE = /\s*<\/function>\s*$/;
 const TC_PARAM_START_RE = /<parameter=(\w+)>\s*/g;
 const TC_PARAM_CLOSE_RE = /\s*<\/parameter>\s*$/;
 const TC_INVOKE_START_RE = /<invoke\s+name\s*=\s*(?:"([^"]*)"|'([^']*)')\s*>/g;
 const TC_INVOKE_CLOSE_RE = /\s*<\/invoke>\s*$/;
 const TC_INVOKE_PARAM_RE = /<parameter\s+name\s*=\s*(?:"([^"]*)"|'([^']*)')\s*>/g;
 const TC_INVOKE_PARAM_CLOSE_RE = /\s*<\/parameter>\s*$/;
 function scanBalancedBraces(content: string, start: number): number {
  let depth = 0;
  let i = start;
  let inString = false;
  while (i < content.length) {
    const ch = content[i]!;
    if (inString) {
      if (ch === '\\' && i + 1 < content.length) {
        i += 2;
        continue;
      }
      if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
    } else if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      depth--;
      if (depth === 0) return i;
    }
    i++;
  }
  return -1;
 }
 export function parseToolCallsFromText(
  content: string,
  opts?: { idOffset?: number },
 ): OpenAiToolCall[] {
  const toolCalls: OpenAiToolCall[] = [];
  const idOffset = opts?.idOffset ?? 0;
  // Pattern 1: <tool_call>{json}</tool_call> -- balanced-brace JSON scanner.
  // Skips braces inside JSON strings so nested objects parse correctly.
  TC_JSON_START_RE.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = TC_JSON_START_RE.exec(content)) !== null) {
    const braceStart = m.index + m[0].length - 1;
    const braceEnd = scanBalancedBraces(content, braceStart);
    if (braceEnd === -1) continue;
    const jsonStr = content.slice(braceStart, braceEnd + 1);
    try {
      const obj = JSON.parse(jsonStr) as Record<string, unknown>;
      const name = typeof obj.name === 'string' ? obj.name : '';
      let args: string;
      const rawArgs = obj.arguments ?? {};
      if (typeof rawArgs === 'string') {
        args = rawArgs;
      } else {
        args = JSON.stringify(rawArgs);
      }
      toolCalls.push({
        id: `call_${idOffset + toolCalls.length}`,
        type: 'function',
        function: { name, arguments: args },
      });
    } catch {
      // malformed JSON -- skip
    }
  }
  // Pattern 2: <function=name><parameter=key>value -- closing tags optional.
  // Body boundary uses </tool_call> or next <function= (not </function>,
  // because code parameter values can contain that literal).
  if (toolCalls.length === 0) {
    TC_FUNC_START_RE.lastIndex = 0;
    const funcStarts: Array<{ match: RegExpExecArray; name: string }> = [];
    while ((m = TC_FUNC_START_RE.exec(content)) !== null) {
      funcStarts.push({ match: m, name: m[1]! });
    }
    for (let idx = 0; idx < funcStarts.length; idx++) {
      const { match: fm, name: funcName } = funcStarts[idx]!;
      const bodyStart = fm.index + fm[0].length;
      const nextFunc = idx + 1 < funcStarts.length
        ? funcStarts[idx + 1]!.match.index
        : content.length;
      const endTag = TC_END_TAG_RE.exec(content.slice(bodyStart));
      let bodyEnd = endTag ? bodyStart + endTag.index : content.length;
      bodyEnd = Math.min(bodyEnd, nextFunc);
      let body = content.slice(bodyStart, bodyEnd);
      body = body.replace(TC_FUNC_CLOSE_RE, '');
      const args: Record<string, string> = {};
      TC_PARAM_START_RE.lastIndex = 0;
      const paramStarts: Array<{ match: RegExpExecArray; name: string }> = [];
      let pm: RegExpExecArray | null;
      while ((pm = TC_PARAM_START_RE.exec(body)) !== null) {
        paramStarts.push({ match: pm, name: pm[1]! });
      }
      if (paramStarts.length === 1) {
        // Single param: take everything to body end so embedded
        // </parameter> in code strings is preserved.
        const p = paramStarts[0]!;
        let val = body.slice(p.match.index + p.match[0].length);
        val = val.replace(TC_PARAM_CLOSE_RE, '');
        args[p.name] = val.trim();
      } else {
        for (let pidx = 0; pidx < paramStarts.length; pidx++) {
          const p = paramStarts[pidx]!;
          const valStart = p.match.index + p.match[0].length;
          const nextParam = pidx + 1 < paramStarts.length
            ? paramStarts[pidx + 1]!.match.index
            : body.length;
          let val = body.slice(valStart, nextParam);
          val = val.replace(TC_PARAM_CLOSE_RE, '');
          args[p.name] = val.trim();
        }
      }
      toolCalls.push({
        id: `call_${idOffset + toolCalls.length}`,
        type: 'function',
        function: { name: funcName, arguments: JSON.stringify(args) },
      });
    }
  }
  // Pattern 3: <invoke name="..."><parameter name="...">value -- Anthropic
  // shape that qwen3.6 drifts to from Claude Code documentation residue.
  // Closing tags optional; same single-param fast path as pattern 2.
  if (toolCalls.length === 0) {
    TC_INVOKE_START_RE.lastIndex = 0;
    const invokeStarts: Array<{ match: RegExpExecArray; name: string }> = [];
    while ((m = TC_INVOKE_START_RE.exec(content)) !== null) {
      const name = (m[1] ?? m[2] ?? '').trim();
      if (name) invokeStarts.push({ match: m, name });
    }
    for (let idx = 0; idx < invokeStarts.length; idx++) {
      const { match: im, name: invokeName } = invokeStarts[idx]!;
      const bodyStart = im.index + im[0].length;
      const nextInvoke = idx + 1 < invokeStarts.length
        ? invokeStarts[idx + 1]!.match.index
        : content.length;
      const closeTag = content.slice(bodyStart).match(/<\/invoke>/);
      let bodyEnd = closeTag ? bodyStart + (closeTag.index ?? 0) : content.length;
      bodyEnd = Math.min(bodyEnd, nextInvoke);
      let body = content.slice(bodyStart, bodyEnd);
      body = body.replace(TC_INVOKE_CLOSE_RE, '');
      const args: Record<string, string> = {};
      TC_INVOKE_PARAM_RE.lastIndex = 0;
      const paramStarts: Array<{ match: RegExpExecArray; name: string }> = [];
      let pm: RegExpExecArray | null;
      while ((pm = TC_INVOKE_PARAM_RE.exec(body)) !== null) {
        const pname = (pm[1] ?? pm[2] ?? '').trim();
        if (pname) paramStarts.push({ match: pm, name: pname });
      }
      if (paramStarts.length === 1) {
        const p = paramStarts[0]!;
        let val = body.slice(p.match.index + p.match[0].length);
        val = val.replace(TC_INVOKE_PARAM_CLOSE_RE, '');
        args[p.name] = val.trim();
      } else {
        for (let pidx = 0; pidx < paramStarts.length; pidx++) {
          const p = paramStarts[pidx]!;
          const valStart = p.match.index + p.match[0].length;
          const nextParam = pidx + 1 < paramStarts.length
            ? paramStarts[pidx + 1]!.match.index
            : body.length;
          let val = body.slice(valStart, nextParam);
          val = val.replace(TC_INVOKE_PARAM_CLOSE_RE, '');
          args[p.name] = val.trim();
        }
      }
      toolCalls.push({
        id: `call_${idOffset + toolCalls.length}`,
        type: 'function',
        function: { name: invokeName, arguments: JSON.stringify(args) },
      });
    }
  }
  return toolCalls;
 }
 // ── BooCode streaming helpers ────────────────────────────────────────────
 export interface ParsedCall {
--- a/apps/server/src/services/inference/tool-phase.ts
+++ b/apps/server/src/services/inference/tool-phase.ts
@@ -1,7 +1,9 @@
-import type { Session, ToolCall } from '../../types/api.js';
+import type { Agent, Session, ToolCall } from '../../types/api.js';
 import * as modelContext from '../model-context.js';
 import { PathScopeError } from '../path_guard.js';
 import { TOOLS_BY_NAME } from '../tools.js';
 import type { ToolExecCtx } from '../tools.js';
 import { matchToolGlob } from '../agents.js';
 import { maybeFlagForCompaction } from './payload.js';
 import { insertParts, partsFromAssistantMessage, partsFromToolMessage } from './parts.js';
 // v1.13.16: richer unknown-tool error so the model can self-correct when it
@@ -30,6 +32,7 @@ async function executeToolCall(
  projectRoot: string,
  toolCall: ToolCall,
  extraRoots: readonly string[],
  toolCtx?: ToolExecCtx,
 ): Promise<{ output: unknown; truncated: boolean; error?: string }> {
  const tool = TOOLS_BY_NAME[toolCall.name];
  if (!tool) {
@@ -64,7 +67,7 @@ async function executeToolCall(
    };
  }
  try {
-    const output = await tool.execute(parsed.data, projectRoot, extraRoots);
+    const output = await tool.execute(parsed.data, projectRoot, extraRoots, toolCtx);
    const truncated =
      typeof output === 'object' && output !== null && 'truncated' in output
        ? Boolean((output as { truncated: unknown }).truncated)
@@ -98,7 +101,8 @@ export async function executeToolPhase(
  result: StreamResult,
  startedAt: string | null,
  session: Session,
-  projectRoot: string
+  projectRoot: string,
  agent?: Agent | null,
 ): Promise<ToolPhaseResult> {
  const { sessionId, chatId, assistantMessageId } = args;
  const content = stripToolMarkup(result.content, { final: true });
@@ -262,7 +266,35 @@ export async function executeToolPhase(
        );
        return;
      }
-      const tres = await executeToolCall(projectRoot, tc, session.allowed_read_paths);
+      if (agent && !matchToolGlob(tc.name, agent.tools)) {
        const stored = {
          tool_call_id: tc.id,
          output: null,
          truncated: false,
          error: `tool '${tc.name}' is not allowed for agent '${agent.name}'`,
        };
        await insertParts(
          ctx.sql,
          partsFromToolMessage({ tool_results: stored }).map((p) => ({
            ...p,
            message_id: toolMessageId,
          })),
        );
        ctx.publish(sessionId, {
          type: 'tool_result',
          tool_message_id: toolMessageId,
          chat_id: chatId,
          tool_call_id: tc.id,
          output: stored.output,
          truncated: false,
          error: stored.error,
        });
        return;
      }
      const tres = await executeToolCall(projectRoot, tc, session.allowed_read_paths, {
        sql: ctx.sql,
        sessionId,
      });
      if (SYNTHESIS_TOOLS.has(tc.name)) {
        synthEntries.push({ tc, output: tres.output, ...(tres.error ? { error: tres.error } : {}) });
      }
--- a/apps/server/src/services/inference/turn.ts
+++ b/apps/server/src/services/inference/turn.ts
@@ -14,6 +14,7 @@ import type {
 import { ALL_TOOLS } from '../tools.js';
 import { resolveProjectRoot } from '../path_guard.js';
 import { maybeAutoNameChat } from '../auto_name.js';
 import { rewriteSearchQuery } from '../task-search-rewrite.js';
 import { getAgentById } from '../agents.js';
 import * as compaction from '../compaction.js';
 import type { Broker } from '../broker.js';
@@ -254,6 +255,16 @@ export async function runAssistantTurn(
    const webToolsEnabled =
      iterSession.web_search_enabled ?? iterProject.default_web_search_enabled ?? false;
    if (stepNumber === 0 && webToolsEnabled && messages.length >= 2) {
      const lastUserMsg = [...messages].reverse().find((m) => m.role === 'user');
      if (lastUserMsg?.content) {
        const hint = await rewriteSearchQuery(lastUserMsg.content);
        if (hint && messages[0]?.role === 'system' && messages[0].content) {
          messages[0].content += `\n\nThe user's search intent can be summarized as: "${hint}"`;
        }
      }
    }
    const iterArgs: TurnArgs = { sessionId, chatId, assistantMessageId, toolsUsed, recentToolCalls, signal };
    const state: StreamPhaseState = { accumulated: '', startedAt: null };
    let result: StreamResult;
@@ -281,7 +292,7 @@ export async function runAssistantTurn(
    // ---- tool phase ----
    let toolPhaseResult: ToolPhaseResult;
    try {
-      toolPhaseResult = await executeToolPhase(ctx, iterArgs, result, state.startedAt, iterSession, projectRoot);
+      toolPhaseResult = await executeToolPhase(ctx, iterArgs, result, state.startedAt, iterSession, projectRoot, agent);
    } catch (err) {
      // Tool phase errors are unexpected (individual tool failures are
      // caught inside executeToolPhase). Log and break.
--- a/apps/server/src/services/read_tab_by_number.ts
+++ b/apps/server/src/services/read_tab_by_number.ts
@@ -0,0 +1,142 @@
 // v2.6.x: read_tab_by_number tool. Reads the conversation transcript of the
 // chat that occupies a given session-scoped tab number. Stable tab numbers are
 // stored in the session's workspace_panes envelope (WorkspaceState.tabNumbers),
 // keyed by chat id. Lives in its own file (not appended to tools.ts) so tests
 // can import the executor directly without dragging in the whole tool registry.
 // Registered in tools.ts ALL_TOOLS + READ_ONLY_TOOL_NAMES.
 import { z } from 'zod';
 import type { Sql } from '../db.js';
 // type-only import to dodge the runtime cycle (tools.ts re-exports this tool
 // via ALL_TOOLS; importing ToolDef/ToolExecCtx at type level keeps the dep
 // one-way).
 import type { ToolDef, ToolExecCtx } from './tools.js';
 const ReadTabByNumberInput = z.object({
  number: z.number().int().positive(),
 });
 export type ReadTabByNumberInputT = z.infer<typeof ReadTabByNumberInput>;
 // Cap total transcript size so a long conversation can't blow the context
 // window. The model gets a clear truncation marker when the cap is hit.
 const MAX_TRANSCRIPT_CHARS = 20_000;
 // WorkspaceState envelope shape (panes omitted — we only need tabNumbers here).
 interface WorkspaceStateLike {
  panes?: unknown;
  tabNumbers?: Record<string, number>;
  nextTabNumber?: number;
  closedPaneStack?: unknown[];
 }
 // MIGRATION: the stored workspace_panes value may be the legacy bare
 // WorkspacePane[] OR the WorkspaceState envelope. Normalize to an envelope so
 // tabNumbers is always available (empty for the legacy shape — no tab numbers
 // were tracked before the envelope landed).
 function normalizeWorkspaceState(v: unknown): {
  tabNumbers: Record<string, number>;
 } {
  if (Array.isArray(v)) {
    return { tabNumbers: {} };
  }
  if (v && typeof v === 'object' && Array.isArray((v as WorkspaceStateLike).panes)) {
    const env = v as WorkspaceStateLike;
    return { tabNumbers: env.tabNumbers ?? {} };
  }
  return { tabNumbers: {} };
 }
 // Pure executor split out from the ToolDef wrapper so tests can call it with a
 // mocked Sql. Returns a transcript string (read-only — never writes).
 export async function executeReadTabByNumber(
  input: ReadTabByNumberInputT,
  sql: Sql,
  sessionId: string,
 ): Promise<string> {
  const sessionRows = await sql<{ workspace_panes: unknown }[]>`
    SELECT workspace_panes FROM sessions WHERE id = ${sessionId}
  `;
  if (sessionRows.length === 0) {
    return `Session not found.`;
  }
  const { tabNumbers } = normalizeWorkspaceState(sessionRows[0]!.workspace_panes);
  // Reverse-lookup: find the chat id whose stable tab number equals the input.
  let chatId: string | null = null;
  for (const [cid, num] of Object.entries(tabNumbers)) {
    if (num === input.number) {
      chatId = cid;
      break;
    }
  }
  if (chatId === null) {
    return `No tab is numbered ${input.number} in this session.`;
  }
  // Read the conversation: skip system sentinels (role='system') and empty
  // content rows. Oldest first.
  const messages = await sql<{ role: string; content: string }[]>`
    SELECT role, content
      FROM messages
     WHERE chat_id = ${chatId}
       AND role <> 'system'
       AND content <> ''
     ORDER BY created_at ASC
  `;
  if (messages.length === 0) {
    return `Tab ${input.number} (chat ${chatId}) has no messages yet.`;
  }
  // Format a compact transcript, capping total output size.
  const parts: string[] = [];
  let total = 0;
  let truncated = false;
  for (const m of messages) {
    const block = `### ${m.role}\n${m.content}`;
    // +2 accounts for the "\n\n" joiner between blocks.
    if (total + block.length + 2 > MAX_TRANSCRIPT_CHARS) {
      truncated = true;
      break;
    }
    parts.push(block);
    total += block.length + 2;
  }
  let out = parts.join('\n\n');
  if (truncated) {
    out += `\n\n[transcript truncated at ${MAX_TRANSCRIPT_CHARS} chars]`;
  }
  return out;
 }
 export const readTabByNumber: ToolDef<ReadTabByNumberInputT> = {
  name: 'read_tab_by_number',
  description:
    'Read the conversation transcript of the tab with the given session-scoped tab number. Tab numbers are stable per session (shown in the workspace tab strip). Returns the messages of that tab oldest-first as a compact transcript. Read-only.',
  inputSchema: ReadTabByNumberInput,
  jsonSchema: {
    type: 'function',
    function: {
      name: 'read_tab_by_number',
      description:
        'Read the conversation transcript of the tab with the given session-scoped tab number. Read-only.',
      parameters: {
        type: 'object',
        properties: {
          number: {
            type: 'integer',
            description: 'The session-scoped tab number (positive integer).',
          },
        },
        required: ['number'],
        additionalProperties: false,
      },
    },
  },
  async execute(input, _projectRoot, _extraRoots, toolCtx?: ToolExecCtx) {
    if (!toolCtx) {
      return 'read_tab_by_number unavailable: no session context';
    }
    return await executeReadTabByNumber(input, toolCtx.sql, toolCtx.sessionId);
  },
 };
--- a/apps/server/src/services/secret_guard.ts
+++ b/apps/server/src/services/secret_guard.ts
@@ -163,6 +163,13 @@ const COMPILED: ReadonlyArray<CompiledPattern> = DEFAULT_SECURITY_IGNORE_FILETYP
 // Returns true when `relPath` matches a known-secret pattern. Case-insensitive
 // (regex 'i' flag). Always normalize path separators to `/` so Windows-origin
 // paths match the same patterns. Empty or root-only paths return false.
 const SAFE_PATTERNS: ReadonlySet<string> = new Set([
  '.env.example',
  '.env.sample',
  '.env.template',
  '.env.defaults',
 ]);
 export function isSecretPath(relPath: string): boolean {
  if (!relPath) return false;
  const normalized = relPath.replace(/\\/g, '/');
@@ -170,6 +177,8 @@ export function isSecretPath(relPath: string): boolean {
  if (segments.length === 0) return false;
  const base = segments[segments.length - 1]!;
  if (SAFE_PATTERNS.has(base.toLowerCase())) return false;
  for (const compiled of COMPILED) {
    if (compiled.mode === 'basename') {
      if (compiled.regex.test(base)) return true;
--- a/apps/server/src/services/task-model.ts
+++ b/apps/server/src/services/task-model.ts
@@ -0,0 +1,68 @@
 import { loadConfig, type Config } from '../config.js';
 const TIMEOUT_MS = 10_000;
 export async function taskModelCompletion(opts: {
  system: string;
  user: string;
  maxTokens?: number;
  temperature?: number;
  fallbackModel?: string;
 }): Promise<string> {
  const config = loadConfig();
  const maxTokens = opts.maxTokens ?? 30;
  const temperature = opts.temperature ?? 0.3;
  const { url, model } = resolveEndpoint(config, opts.fallbackModel);
  try {
    const res = await fetch(`${url}/v1/chat/completions`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        model,
        messages: [
          { role: 'system', content: opts.system },
          { role: 'user', content: opts.user },
        ],
        max_tokens: maxTokens,
        temperature,
        stream: false,
        chat_template_kwargs: { enable_thinking: false },
      }),
      signal: AbortSignal.timeout(TIMEOUT_MS),
    });
    if (!res.ok) {
      const text = await res.text().catch(() => '');
      console.warn(`task-model: ${res.status} ${text.slice(0, 200)}`);
      return '';
    }
    const data = (await res.json()) as {
      choices?: Array<{
        message?: { content?: string; reasoning_content?: string };
      }>;
    };
    const choice = data.choices?.[0]?.message;
    if (!choice) return '';
    const content = (choice.content ?? '').trim();
    if (content.length > 0) return content;
    const reasoning = choice.reasoning_content ?? '';
    if (reasoning.length === 0) return '';
    const lines = reasoning.split('\n').map((l) => l.trim()).filter((l) => l.length > 0);
    return lines[lines.length - 1] ?? '';
  } catch (err) {
    console.warn('task-model: request failed', err);
    return '';
  }
 }
 function resolveEndpoint(
  config: Config,
  fallbackModel?: string,
 ): { url: string; model: string } {
  if (config.TASK_MODEL_URL) {
    return { url: config.TASK_MODEL_URL, model: 'gemma-3-270m-it' };
  }
  const model = config.FAST_MODEL ?? fallbackModel ?? config.DEFAULT_MODEL;
  return { url: config.LLAMA_SWAP_URL, model };
 }
--- a/apps/server/src/services/task-search-rewrite.ts
+++ b/apps/server/src/services/task-search-rewrite.ts
@@ -0,0 +1,19 @@
 import { taskModelCompletion } from './task-model.js';
 const SYSTEM_PROMPT =
  'You rewrite user messages into concise web search queries. Reply with ONLY the search query. 3 to 6 words. No quotes, no explanation.';
 const MAX_INPUT_CHARS = 500;
 const FALLBACK_CHARS = 60;
 export async function rewriteSearchQuery(userMessage: string): Promise<string> {
  const input = userMessage.slice(0, MAX_INPUT_CHARS);
  const result = await taskModelCompletion({
    system: SYSTEM_PROMPT,
    user: input,
    maxTokens: 20,
    temperature: 0.2,
  });
  if (result.length > 0) return result;
  return userMessage.slice(0, FALLBACK_CHARS).trim();
 }
--- a/apps/server/src/services/task-summary.ts
+++ b/apps/server/src/services/task-summary.ts
@@ -0,0 +1,24 @@
 import { taskModelCompletion } from './task-model.js';
 const SYSTEM_PROMPT =
  'Summarize this conversation in one sentence, 15 words max. No quotes, no prefix.';
 const MAX_INPUT_CHARS = 1000;
 export async function oneLineSummary(
  messages: Array<{ role: string; content: string }>,
 ): Promise<string> {
  const lastPairs = messages.slice(-6);
  let input = lastPairs
    .map((m) => `${m.role}: ${m.content}`)
    .join('\n');
  if (input.length > MAX_INPUT_CHARS) {
    input = input.slice(0, MAX_INPUT_CHARS);
  }
  return taskModelCompletion({
    system: SYSTEM_PROMPT,
    user: input,
    maxTokens: 30,
    temperature: 0.3,
  });
 }
--- a/apps/server/src/services/task-tags.ts
+++ b/apps/server/src/services/task-tags.ts
@@ -0,0 +1,22 @@
 import { taskModelCompletion } from './task-model.js';
 const SYSTEM_PROMPT =
  'You tag chat sessions. Reply with 1 to 3 lowercase tags separated by commas. Tags should describe the topic. No explanation. Examples: "docker, deployment", "python, debugging", "react, styling".';
 export async function suggestTags(
  userMessage: string,
  assistantReply: string,
 ): Promise<string[]> {
  const input = `User: ${userMessage.slice(0, 300)}\nAssistant: ${assistantReply.slice(0, 300)}`;
  const result = await taskModelCompletion({
    system: SYSTEM_PROMPT,
    user: input,
    maxTokens: 30,
    temperature: 0.3,
  });
  if (result.length === 0) return [];
  return result
    .split(',')
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0 && t.length <= 30);
 }
--- a/apps/server/src/services/tools.ts
+++ b/apps/server/src/services/tools.ts
@@ -1,6 +1,7 @@
 import { readFile, readdir, stat } from 'node:fs/promises';
 import { resolve, basename, relative } from 'node:path';
 import { z } from 'zod';
 import type { Sql } from '../db.js';
 import { pathGuard, PathScopeError } from './path_guard.js';
 import { isSecretPath, SecretBlockedError, filterSecretEntries } from './secret_guard.js';
 import { grep as fileOpsGrep, findFiles as fileOpsFindFiles } from './file_ops.js';
@@ -30,6 +31,9 @@ import {
 // with the pause-on-pending-grant branch in inference/tool-phase.ts and the
 // POST /api/chats/:id/grant_read_access endpoint in routes/messages.ts.
 import { requestReadAccess } from './request_read_access.js';
 // v2.6.x: read-only tool that reads a tab's transcript by its session-scoped
 // tab number. Needs DB/session context (ToolExecCtx 4th arg).
 import { readTabByNumber } from './read_tab_by_number.js';
 const MAX_FILE_BYTES = 5 * 1024 * 1024;
 const DEFAULT_VIEW_LINES = 200;
@@ -48,6 +52,16 @@ export interface ToolJsonSchema {
  };
 }
 // v2.6.x: optional DB/session context threaded into a tool's execute(). Only
 // tools that need to read session-scoped DB state (e.g. read_tab_by_number)
 // use it; every other tool ignores the 4th arg. Kept optional so existing
 // 3-arg execute() implementations stay assignable (apps/coder consumes this
 // type from the compiled dist — the optional param keeps it backward-compatible).
 export interface ToolExecCtx {
  sql: Sql;
  sessionId: string;
 }
 export interface ToolDef<TInput> {
  name: string;
  description: string;
@@ -59,7 +73,15 @@ export interface ToolDef<TInput> {
  // view_truncated_output) forward it to pathGuard; other tools accept the
  // arg and ignore it. The execute signature stays compatible with
  // pre-v1.13.17 callsites because the parameter is optional.
-  execute(input: TInput, projectRoot: string, extraRoots?: readonly string[]): Promise<unknown>;
+  // v2.6.x: optional 4th param toolCtx carries DB/session context for tools
  // that read session-scoped state (read_tab_by_number). Optional so 3-arg
  // implementations remain assignable.
  execute(
    input: TInput,
    projectRoot: string,
    extraRoots?: readonly string[],
    toolCtx?: ToolExecCtx,
  ): Promise<unknown>;
 }
 const ViewFileInput = z.object({
@@ -694,6 +716,9 @@ export let ALL_TOOLS: ToolDef<unknown>[] = [
  // state change is appending to sessions.allowed_read_paths via the
  // grant endpoint, gated by user consent.
  requestReadAccess as ToolDef<unknown>,
  // v2.6.x: read a tab's transcript by its session-scoped tab number.
  // Read-only; uses the ToolExecCtx 4th arg for DB/session access.
  readTabByNumber as ToolDef<unknown>,
 ].sort((a, b) => a.name.localeCompare(b.name));
 // v1.8.2: forward-compatible read-only whitelist. An agent whose `tools` is
@@ -734,6 +759,9 @@ export const READ_ONLY_TOOL_NAMES = [
  // state directly (the grant endpoint appends to sessions.allowed_read_paths
  // only with user consent). Belongs in the read-only budget tier.
  'request_read_access',
  // v2.6.x: reads a tab's transcript from session-scoped DB state; never
  // writes. Belongs in the read-only budget tier.
  'read_tab_by_number',
 ] as const;
 export let TOOLS_BY_NAME: Record<string, ToolDef<unknown>> = Object.fromEntries(
--- a/apps/server/src/services/web/html-to-md.ts
+++ b/apps/server/src/services/web/html-to-md.ts
@@ -1,347 +1,24 @@
-// SPDX-License-Identifier: AGPL-3.0-only
+import { NodeHtmlMarkdown } from 'node-html-markdown';
 // Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
 // Ported from studio/backend/core/inference/_html_to_md.py.
 // Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/_html_to_md.py
-import { parse, type DefaultTreeAdapterTypes } from 'parse5';
+// MIT-licensed HTML→Markdown rendering for the web_fetch tool. Output feeds an
-
+// LLM, so structural fidelity matters more than exact whitespace.
-type Document = DefaultTreeAdapterTypes.Document;
+const OPTIONS = {
-type ChildNode = DefaultTreeAdapterTypes.ChildNode;
+  // GFM-style emphasis markers (matches what most models expect).
-type Element = DefaultTreeAdapterTypes.Element;
+  emDelimiter: '*',
-type TextNode = DefaultTreeAdapterTypes.TextNode;
+  strongDelimiter: '**',
-
+  bulletMarker: '*',
-const SKIP_TAGS = new Set([
+  codeFence: '```',
-  'script', 'style', 'head', 'noscript', 'svg', 'math', 'nav', 'footer',
+  codeBlockStyle: 'fenced' as const,
-]);
+  // Always use []() syntax for links rather than <url> autolinks.
-
+  useInlineLinks: false,
-const BLOCK_TAGS = new Set([
+  // Collapse runs of blank lines to a single separator.
-  'p', 'div', 'section', 'article', 'main', 'aside', 'figure',
+  maxConsecutiveNewlines: 1,
-  'figcaption', 'details', 'summary', 'dl', 'dt', 'dd',
+  // Strip non-content elements entirely (script/style are skipped by default,
-]);
+  // but listing them here is explicit; head/nav/footer/etc. drop their text).
-
+  ignore: ['script', 'style', 'head', 'noscript', 'svg', 'math', 'nav', 'footer'],
 const HEADING_TAGS = new Set(['h1', 'h2', 'h3', 'h4', 'h5', 'h6']);
 const INLINE_EMPHASIS: Record<string, string> = {
  strong: '**', b: '**', em: '*', i: '*',
 };
 function isElement(node: ChildNode): node is Element {
  return 'tagName' in node;
 }
 function isText(node: ChildNode): node is TextNode {
  return node.nodeName === '#text';
 }
 class MarkdownRenderer {
  private out: string[] = [];
  private inLink = false;
  private linkHref: string | null = null;
  private linkTextParts: string[] = [];
  private listStack: string[] = [];
  private olCounter: number[] = [];
  private inTable = false;
  private currentRow: string[] = [];
  private cellParts: string[] = [];
  private inCell = false;
  private headerRowDone = false;
  private rowHasTh = false;
  private isFirstRow = false;
  private inPre = false;
  private preParts: string[] = [];
  private preLanguage: string | null = null;
  private inInlineCode = false;
  private bqStack: string[][] = [];
  private emit(text: string): void {
    if (this.inLink) {
      this.linkTextParts.push(text);
    } else if (this.inCell) {
      this.cellParts.push(text);
    } else if (this.inPre) {
      this.preParts.push(text);
    } else if (this.bqStack.length > 0) {
      this.bqStack[this.bqStack.length - 1]!.push(text);
    } else {
      this.out.push(text);
    }
  }
  private prefixBlockquote(content: string): string {
    content = content.replace(/[ \t]+$/gm, '');
    content = content.replace(/\n{3,}/g, '\n\n').trim();
    if (!content) return '';
    return content.split('\n').map(line =>
      line.trim() ? '> ' + line : '>'
    ).join('\n');
  }
  private finishCell(): void {
    if (!this.inCell) return;
    this.inCell = false;
    let cellText = this.cellParts.join('').trim().replace(/\n/g, ' ');
    cellText = cellText.replace(/\|/g, '\\|');
    this.currentRow.push(cellText);
    this.cellParts = [];
  }
  private finishRow(): void {
    if (this.currentRow.length === 0) return;
    const line = '| ' + this.currentRow.join(' | ') + ' |';
    this.emit(line + '\n');
    if (!this.headerRowDone && (this.rowHasTh || this.isFirstRow)) {
      const sep = '| ' + this.currentRow.map(() => '---').join(' | ') + ' |';
      this.emit(sep + '\n');
      this.headerRowDone = true;
    }
    this.isFirstRow = false;
    this.currentRow = [];
    this.rowHasTh = false;
  }
  private finishLink(): void {
    const text = this.linkTextParts.join('').replace(/\s+/g, ' ').trim();
    const href = this.linkHref ?? '';
    this.inLink = false;
    if (href && text) {
      this.emit(`[${text}](${href})`);
    } else if (text) {
      this.emit(text);
    }
  }
  private getAttr(el: Element, name: string): string | undefined {
    return el.attrs.find(a => a.name === name)?.value;
  }
  private handleOpen(el: Element): void {
    const tag = el.tagName.toLowerCase();
    if (HEADING_TAGS.has(tag)) {
      const level = parseInt(tag[1]!, 10);
      this.emit('\n\n' + '#'.repeat(level) + ' ');
    } else if (tag === 'a') {
      this.linkHref = this.getAttr(el, 'href') ?? null;
      this.linkTextParts = [];
      this.inLink = true;
    } else if (tag in INLINE_EMPHASIS) {
      this.emit(INLINE_EMPHASIS[tag]!);
    } else if (tag === 'br') {
      this.emit('\n');
    } else if (BLOCK_TAGS.has(tag)) {
      this.emit('\n\n');
    } else if (tag === 'hr') {
      this.emit('\n\n---\n\n');
    } else if (tag === 'blockquote') {
      this.emit('\n\n');
      this.bqStack.push([]);
    } else if (tag === 'ul') {
      this.listStack.push('ul');
      this.emit('\n');
    } else if (tag === 'ol') {
      this.listStack.push('ol');
      const startAttr = this.getAttr(el, 'start');
      let start = 1;
      if (startAttr != null) {
        const parsed = parseInt(startAttr, 10);
        if (!isNaN(parsed)) start = parsed;
      }
      this.olCounter.push(start - 1);
      this.emit('\n');
    } else if (tag === 'li') {
      const indent = '  '.repeat(Math.max(0, this.listStack.length - 1));
      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ol') {
        if (this.olCounter.length > 0) {
          this.olCounter[this.olCounter.length - 1]!++;
          this.emit(`\n${indent}${this.olCounter[this.olCounter.length - 1]}. `);
        } else {
          this.emit(`\n${indent}1. `);
        }
      } else {
        this.emit(`\n${indent}* `);
      }
    } else if (tag === 'pre') {
      this.preParts = [];
      this.inPre = true;
      this.preLanguage = null;
      const codeChild = el.childNodes.find(
        (c): c is Element => isElement(c) && c.tagName === 'code'
      );
      if (codeChild) {
        const cls = this.getAttr(codeChild, 'class') ?? '';
        const langMatch = cls.match(/(?:^|\s)language-(\S+)/);
        if (langMatch) this.preLanguage = langMatch[1]!;
      }
    } else if (tag === 'code' && !this.inPre) {
      this.inInlineCode = true;
      this.emit('`');
    } else if (tag === 'table') {
      this.inTable = true;
      this.headerRowDone = false;
      this.isFirstRow = true;
      this.emit('\n\n');
    } else if (tag === 'tr') {
      this.finishCell();
      this.finishRow();
    } else if (tag === 'th' || tag === 'td') {
      this.finishCell();
      this.cellParts = [];
      this.inCell = true;
      if (tag === 'th') this.rowHasTh = true;
    }
  }
  private handleClose(tag: string): void {
    tag = tag.toLowerCase();
    if (HEADING_TAGS.has(tag)) {
      this.emit('\n\n');
    } else if (tag === 'a') {
      this.finishLink();
    } else if (tag in INLINE_EMPHASIS) {
      this.emit(INLINE_EMPHASIS[tag]!);
    } else if (BLOCK_TAGS.has(tag)) {
      this.emit('\n\n');
    } else if (tag === 'blockquote') {
      if (this.bqStack.length > 0) {
        const content = this.bqStack.pop()!.join('');
        const prefixed = this.prefixBlockquote(content);
        if (prefixed) this.emit('\n\n' + prefixed + '\n\n');
      }
    } else if (tag === 'ul') {
      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ul') {
        this.listStack.pop();
      }
      this.emit('\n');
    } else if (tag === 'ol') {
      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ol') {
        this.listStack.pop();
        if (this.olCounter.length > 0) this.olCounter.pop();
      }
      this.emit('\n');
    } else if (tag === 'pre') {
      const raw = this.preParts.join('');
      this.inPre = false;
      const lang = this.preLanguage ?? '';
      const block = '```' + lang + '\n' + raw + '\n```';
      this.emit('\n\n' + block + '\n\n');
      this.preLanguage = null;
    } else if (tag === 'code' && !this.inPre) {
      this.inInlineCode = false;
      this.emit('`');
    } else if (tag === 'th' || tag === 'td') {
      this.finishCell();
    } else if (tag === 'tr') {
      this.finishCell();
      this.finishRow();
    } else if (tag === 'table') {
      this.finishCell();
      this.finishRow();
      this.inTable = false;
      this.emit('\n');
    }
  }
  private handleText(data: string): void {
    if (this.inPre) {
      this.preParts.push(data);
      return;
    }
    if (this.inInlineCode) {
      this.emit(data);
      return;
    }
    const text = data.replace(/\s+/g, ' ');
    if (this.inTable && !this.inCell && !text.trim()) return;
    this.emit(text);
  }
  walk(node: ChildNode | Document): void {
    if (isText(node as ChildNode)) {
      this.handleText((node as TextNode).value);
      return;
    }
    if (node.nodeName === '#comment') return;
    if (isElement(node as ChildNode)) {
      const el = node as Element;
      const tag = el.tagName.toLowerCase();
      if (SKIP_TAGS.has(tag)) return;
      if (tag === 'img') return;
      this.handleOpen(el);
      if (tag === 'pre') {
        for (const child of el.childNodes) {
          if (isElement(child) && child.tagName === 'code') {
            for (const grandchild of child.childNodes) {
              this.walk(grandchild);
            }
          } else {
            this.walk(child);
          }
        }
      } else {
        for (const child of el.childNodes) {
          this.walk(child);
        }
      }
      this.handleClose(tag);
      return;
    }
    if ('childNodes' in node) {
      for (const child of (node as Document).childNodes) {
        this.walk(child);
      }
    }
  }
  getOutput(): string {
    return this.out.join('');
  }
 }
 function cleanup(text: string): string {
  const lines = text.split('\n');
  const out: string[] = [];
  let inFence = false;
  let blankRun = 0;
  for (const line of lines) {
    const stripped = line.replace(/[ \t]+$/, '');
    if (stripped.startsWith('```')) {
      inFence = !inFence;
      blankRun = 0;
      out.push(stripped);
      continue;
    }
    if (inFence) {
      out.push(line);
      continue;
    }
    if (!stripped) {
      blankRun++;
      if (blankRun <= 1) out.push('');
      continue;
    }
    blankRun = 0;
    out.push(stripped);
  }
  return out.join('\n').trim();
 }
 export function htmlToMarkdown(sourceHtml: string): string {
-  sourceHtml = sourceHtml.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
+  if (!sourceHtml) return '';
-  const doc = parse(sourceHtml);
+  return NodeHtmlMarkdown.translate(sourceHtml, OPTIONS).trim();
  const renderer = new MarkdownRenderer();
  renderer.walk(doc);
  return cleanup(renderer.getOutput());
 }
--- a/Show More
+++ b/Show More