fix(security): scope checkpoint routes to session — close 2 IDORs (v2.7.2)

Flagged by the automated push security review on v2.7.1.

- GET /checkpoints?chat_id= : the chat_id branch filtered by chat_id alone
  (any session's chat_id read its checkpoints). Now joins chats and gates on
  chats.session_id.
- restoreCheckpoint scope guard was fail-open: `cp.session_id && cp.session_id
  !== sessionId` fell through on a null denormalized session_id, allowing a
  cross-session restore (worktree reset + transcript trim). Now resolves the
  owning session via the checkpoint's chat and denies on missing/mismatch.
- Adds a DB-integration regression for the null-session_id cross-session case.

Both scope authoritatively through chats.session_id (checkpoints.session_id is
a nullable hint). Coder suite 234 passing; 7/7 checkpoint tests (incl. the
regression) against live postgres+git; typecheck clean. Hotfix on v2.7.1.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

.gitignore

@@ -16,5 +16,5 @@ data/*
 !data/AGENTS.md
 !data/skills/
 !data/mcp.json
-!data/coder-providers.json
+!data/coder-providers.example.json
 codecontext/fork.tar.gz

BOOCODER.md

@@ -37,3 +37,81 @@ Every file modification queues in `pending_changes` before touching disk. The us
 - Never count `dist/` directory sizes as source lines. Only count `src/**/*.ts` files. Compiled output is inflated by inlined types and transpilation artifacts.
 - Before claiming a feature works, run the actual command and show the output. "Should work" is not verification. Acceptable evidence: test output (`pnpm test`), build output (`pnpm build`), curl response, docker logs, `\d tablename` output. If you can't run it, say so explicitly — don't assert success without evidence.
 - When reporting counts (tools, tests, files, routes, lines), derive the number from a command (`grep -c`, `wc -l`, test runner output) — not from memory or approximation.
+
+## Provider lifecycle (v2.3)
+
+BooCoder's coding agents are a **config-backed registry**: built-ins live in `provider-registry.ts`, and `data/coder-providers.json` layers overrides + custom entries on top. Registration ≠ installation — the config lists what you *want*; a probe reports what's *ready*.
+
+### Config file: `data/coder-providers.json`
+
+Resolved from `CODER_PROVIDERS_PATH` (default `/data/coder-providers.json`; dev/host path `/opt/boocode/data/coder-providers.json`). It is **gitignored** — it's live runtime config that the coder reads *and writes* (UI toggles `PATCH` it), so tracking it would churn `git status`. The tracked reference is `data/coder-providers.example.json`; copy it to `coder-providers.json` to seed overrides. A missing file, invalid JSON, or a schema mismatch all fall back to built-ins-only — loading never throws at startup.
+
+```json
+{
+  "providers": {
+    "goose": { "enabled": false },
+    "amp-acp": {
+      "extends": "acp",
+      "label": "Amp",
+      "description": "ACP wrapper for Amp",
+      "command": ["amp-acp"],
+      "enabled": true
+    }
+  }
+}
+```
+
+Per-provider override fields (all optional):
+
+| Field | Meaning |
+|-------|---------|
+| `extends` | `"acp"` — required for a NEW (custom) provider; built-in overrides omit it |
+| `label` | Display name (required for custom) |
+| `description` | Sub-label shown in the picker / settings |
+| `command` | `[binary, ...args]` to spawn (required for custom; overrides a built-in's default argv) |
+| `env` | Extra env vars merged into the spawn |
+| `enabled` | Default `true`; `false` hides it from the composer |
+| `order` | UI sort key |
+| `models` / `additionalModels` | Replace / merge onto the discovered model list |
+
+A PATCH to one provider id **replaces that id's override object wholesale** (per-id shallow merge), so to flip a single field keep the rest; a `null` value for an id deletes its override (reverts to the built-in default).
+
+### Refresh contract
+
+The snapshot is cached and a provider's cold ACP probe (tier-2) is **skipped** while `available_agents.last_probed_at` is younger than `PROVIDER_PROBE_TTL_MS` (default `86400000` = 24h). Opening the composer is therefore fast and does not re-probe. To force a cold re-probe (after installing a CLI or editing models): **`POST /api/providers/refresh`** (the Refresh button in the Providers settings tab), which clears the cache and re-probes.
+
+### Enable / disable
+
+Two ways:
+- **Settings → Providers tab** — open the sidebar → **Settings** → **Providers**: toggle a provider on/off, refresh it, or open its diagnostic. (Earlier builds exposed a gear in the composer; that control was moved into Settings.)
+- **Edit the config** (`"enabled": false`) then `POST /api/providers/refresh`.
+
+A **disabled** provider leaves the composer's provider picker but stays listed in the Providers tab (status "Disabled") so you can re-enable it. **Native `boocode` is always-on** — an `enabled:false` on it is ignored (with a warn log) and it is never rendered as toggleable.
+
+### Adding a custom ACP provider
+
+- **Catalog modal**: Providers tab → **Add provider** → pick an entry → it PATCHes the config (`extends:'acp'` + label + command, enabled) and refreshes that provider.
+- **Hand-edit** `data/coder-providers.json`: add an id with `extends:'acp'`, `label`, and `command`, then `POST /api/providers/refresh`.
+
+Either way, **adding to config does NOT install the binary.** Until the CLI is on `PATH` the provider shows **"Not installed"** (status `unavailable`) and does not appear in the composer picker.
+
+### Known limitation — subset refresh
+
+`POST /api/providers/refresh` accepts an optional `{ "providers": ["id", ...] }` body and returns a `refreshed` count scoped to that subset — **but the underlying cold re-probe currently covers ALL installed providers**, not just the requested subset. True per-provider force is a future change (it needs a snapshot-internal parameter). This is intentional for now, not a bug: a subset refresh still re-probes everything; only the reported count is scoped.
+
+### Deploy + smoke
+
+Two deploy targets:
+- **Routes (host service):** `pnpm -C apps/server build && pnpm -C apps/coder build && sudo systemctl restart boocoder`
+- **Web UI (container):** `docker compose up --build -d boocode`
+
+Green gate (verified across phases 1–5): `pnpm -C apps/coder test` (134 passing) `&& pnpm -C apps/coder build`.
+
+Smoke (via Tailscale):
+
+```bash
+curl http://100.114.205.53:9502/api/providers/snapshot       # lists every registered provider
+curl http://100.114.205.53:9500/api/coder/providers/config   # raw config, through the BooChat proxy
+# Settings → Providers: disable goose → it leaves the composer picker, stays in the tab
+# POST refresh → models repopulate; Add a catalog entry → it appears after refresh (unavailable until its CLI is installed)
+```

CHANGELOG.md

@@ -2,6 +2,82 @@
 
 All notable changes per release tag. Most recent on top, ordered by tag creation date (which matches the git history). Tag names follow `vMAJOR.MINOR.PATCH-slug` — the slug describes what shipped, so the tag name alone is enough to recall the batch.
 
+## v2.7.2-checkpoint-idor — 2026-06-01
+
+Closes two IDOR authorization holes in the `v2.7.1-write-edit-robustness` checkpoint routes, flagged by the automated push security review. The `GET /api/sessions/:id/checkpoints?chat_id=` list route scoped its `chat_id` branch by `chat_id` alone — any session's `chat_id` would read its checkpoints; it now joins through `chats` and gates on `chats.session_id` (authoritative; `checkpoints.session_id` is a nullable denormalized hint). The `restoreCheckpoint` scope guard was fail-open — `cp.session_id && cp.session_id !== sessionId` fell through whenever the checkpoint's denormalized `session_id` was null, allowing a cross-session restore (worktree reset + transcript trim) — it now resolves the owning session via the checkpoint's chat and denies on any missing-or-mismatched row. A DB-integration regression covers the exact null-`session_id` cross-session case. Real-world blast radius is small (BooCoder is single-user behind Authelia on loopback), but both are genuine authorization bugs. Coder suite 234 passing (7/7 checkpoint tests incl. the regression against live postgres+git), typecheck clean. Hotfix on `v2.7.1-write-edit-robustness`.
+
+## v2.7.1-write-edit-robustness — 2026-06-01
+
+Two BooCoder hardening features for local quantized models, algorithm-reimplemented (not vendored) from the cline findings in `boocode_code_review_v2.md` §1 #3/#4. **Fuzzy patch applier:** `edit_file`'s apply path was exact-`.includes`-or-throw + first-occurrence `.replace` (`pending_changes.ts`), so a qwen3.6 whitespace/indentation/unicode drift in `old_string` lost the edit; a new pure `fuzzy-match.ts` (`locateMatch`) now runs an exact → per-line-trim → unicode-canon (curly quotes/dashes/nbsp) → Levenshtein-≥0.66 ladder and returns the real file span, refusing multi-exact matches as ambiguous rather than silently editing the first. `applyOne`/`rewindOne` both use it. **Worktree checkpoints + conversation-trim:** `rewind` only reversed BooCode's own `pending_changes`, blind to what external agents (opencode/goose/qwen/claude) write directly into the session worktree — so a new `checkpoints` table + `checkpoints.ts` shadow-commit (tracked **and** untracked, captured via a temp-index `read-tree`/`add`/`write-tree`/`commit-tree` into a GC-safe `refs/boocode/checkpoints/<id>`) snapshots the worktree before each external-agent turn (hooked into all three dispatcher paths), anchored to the turn's assistant message. A new `POST /api/sessions/:id/checkpoints/:cid/restore` resets the worktree (`reset --hard` + `clean -fd`), trims the transcript past that message, and resets the `(chat,agent)` backend session so files, transcript, and agent context land consistent at the restore point; a per-message "Restore to here" affordance in `CoderMessageList` drives it. Built by three parallel agents over disjoint files; DB-integration testing caught a microsecond-`created_at` self-deletion bug in the later-checkpoint cleanup. Full coder suite 234 passing (incl. 17 fuzzy-match + 6 checkpoint tests), server+coder build + web tsc clean. Builds on `v2.7.0-mit`; openspec `write-edit-robustness`. Live host smoke (dispatcher hook + restore UI end-to-end) still to run.
+
+## v2.7.0-mit — 2026-06-01
+
+Relicenses BooCode from AGPL-3.0 back to MIT by clearing the three Unsloth-Studio-derived files the `v2.4.0`/`v2.4.1` lifts pulled in — the root `LICENSE` and all five `package.json` had been `AGPL-3.0-only`, making the network-served work AGPL §13-encumbered. The enabling finding decoupled the relicense from the long-planned native-llama-server-parsing retirement: `tool-call-parser.ts`'s Unsloth-ported algorithm (`parseToolCallsFromText`/`scanBalancedBraces` + unused nudge constants) was **dead code** with no production import, so it was simply deleted while the load-bearing `extractToolCallBlocks`/`stripToolMarkup` (BooCode-authored streaming helpers) were kept byte-identical — no behavior change to the live tool-call path. `html-to-md.ts` was swapped to the MIT `node-html-markdown` library (`parse5` dropped; the only behavior delta is column-aligned tables, GFM hard-break `<br>`, and `<ol start>` renumbering, all feeding the LLM via `web_fetch`), and `llama-args-validator.ts` was clean-room rewritten with the managed-flag denylist re-derived from the public llama-server flag list (facts, not copyrightable). The license flip set `LICENSE` to MIT (`Copyright (c) 2026 indifferentketchup`), the five `package.json` to `MIT`, removed every AGPL SPDX header, added a README License section, and added a `license-mit` guard test that fails if AGPL provenance returns. Built by three parallel agents over the disjoint files; full server suite 519 passing (incl. 9 new guard tests), server build + coder typecheck clean. Resolves `boocode_code_review_v2.md` §1 #1 / §5k and the roadmap's `License-debt` batch (openspec `license-debt-mit`); supersedes that batch's original staged plan, which had entangled the flip with a live qwen3.6 validation window.
+
+## v2.6.11-close-hooks-staging — 2026-06-01
+
+The two v2.6 follow-ups left after `v2.6.10-lifecycle-hardening`. **Server close-hook caller:** `apps/server` (BooChat) now fire-and-forgets BooCoder's Phase-3 close hooks so warm agent backends + worktrees tear down *immediately* on delete/archive instead of waiting for the idle-evict/reaper backstop — a new `coder-notify.ts` `notifyCoderClose(kind,id)` (reusing the v2.6.2 `BOOCODER_URL` reach, never-rejects) is `void`-called after the WS frame at session-delete (`POST /api/sessions/:id/close`) and chat archive / archive-all / delete (`POST /api/chats/:id/close`); an unreachable coder can never block or fail the user's delete/archive. **Staging-boundary hint (task 3.7):** the BooCoder DiffPanel now shows a muted one-liner when the selected provider can't see another agent's unapplied worktree edits — native boocode selected + external-agent-staged changes (or vice-versa) → "<agent>'s edits live in its worktree — BooCode won't see them until applied" — derived purely from the per-change `agent` + current provider, no new state. 6 new server tests (`coder-notify`), 537 server tests pass; web + server tsc/build clean. **With these the v2.6 openspec is fully closed** — only the live Smoke 2/2b/3 remain (manual exercise).
+
+## v2.6.10-lifecycle-hardening — 2026-06-01
+
+v2.6 Phase 3 (the last phase) — lifecycle hardening of the warm-process backends. **Idle eviction + LRU cap:** the agent pool runs a 60s sweep that evicts backends/sessions idle past `AGENT_POOL_IDLE_TTL_MS` (30 min default) and any beyond `AGENT_POOL_MAX_LIVE` (10, LRU) — **never a busy one** (in-flight turn, double-checked via a new `isBusy()` backend hook); the worktree persists (DB-backed) and the next turn re-spawns + reattaches. The eviction/LRU/restart decisions are factored into a pure `lifecycle-decisions.ts` (modeled on the inference `selectPruneTargets` pattern). **Crash recovery:** lifts openchamber's health-monitor + busy-aware-restart + consecutive-failure + stale-busy-grace state machine into `opencode-server.ts` (with port reclaim) and `warm-acp.ts` — an opencode server crash settles in-flight turns as failed, marks the rows `crashed`, and recreates fresh sessions (a fresh server can't hold the old in-memory id), while a warm-ACP child crash re-`session/new`s next turn; the F.1 turn-guard and U.6 usage are preserved (their tests still pass). **Worktree reaper:** a periodic reaper removes orphan on-disk worktrees (no live `worktrees` row, 1h grace) behind a superset-style preflight that skips dirty/unpushed/unmerged work, with Paseo-style soft-delete (`status='archived'`). Plus close hooks (`/api/chats/:id/close`, `/api/sessions/:id/close`, awaiting the apps/server caller) and diff re-baseline after `apply_pending`. Built test-first — 35 new tests (`lifecycle-decisions` 22, `agent-pool` 13) + a DB-opt-in reconnect integration test; 215 coder tests pass, tsc + build clean. **This completes v2.6** (Phase 0–3 + F.1 + Phase 1-UX). Remaining follow-ups (out of v2.6 scope): the apps/server close-hook caller, the 3.7 DiffPanel staging-boundary hint (frontend), and live Smoke 2/2b/3.
+
+## v2.6.9-warm-acp — 2026-05-31
+
+v2.6 Phase 2: goose and qwen now run as **warm ACP backends** instead of one-shot-per-task. A new `WarmAcpBackend` (`backends/warm-acp.ts`, implementing the same `AgentBackend` interface as the opencode warm server) holds one persistent `goose acp` / `qwen --acp` child + `ClientSideConnection` + ACP session per `(chat, agent)`, running `initialize` + `session/new` once and reusing the connection across turns; per-turn abort cancels the in-flight prompt (`session/cancel`) without killing the child, and a child exit marks `agent_sessions.status='crashed'` for re-spawn on the next turn. The dispatcher routes `goose`/`qwen` chat-tab tasks to the pooled warm backend via a pure `shouldUseWarmBackend(task)` predicate (warm only when both `session_id` and `chat_id` are set), keeping the one-shot `runExternalAgent` path as the fallback for session-less creators (arena, MCP, `new_task`); broker frames + `persistExternalAgentTurn` + the latest-wins `pending_changes` diff are identical to the opencode path. The `acp-dispatch.ts` `handleSessionUpdate` switch was extracted into a pure shared `acp-event-map.ts` mapper used by both the one-shot and warm paths (one-shot behavior byte-identical, all existing acp tests green). The design's `unstable_resumeSession` concern is resolved — the installed `@agentclientprotocol/sdk@^0.22.1` exposes stable `resumeSession`/`loadSession`, but resume is moot in the hot path (warm reuse needs none); cross-restart resume + idle eviction are deferred to Phase 3. Built test-first (15 new tests: `warm-acp-routing`, `acp-event-map`); 180 coder tests pass, tsc + build clean. **Smoke 2/2b (live two-message warm reuse + the opencode→boocode→opencode switch round-trip) to be run post-deploy.** Phase 3 (lifecycle hardening) is the last v2.6 phase.
+
+## v2.6.8-agent-attribution — 2026-05-31
+
+v2.6 Phase 1-UX: agent attribution + switch affordances over the already-shipped `pending_changes.agent` column and `agent_sessions` table (read+display, no new backend capability). **Backend:** `pending_changes.agent` is now stamped at every queue site (native write tools → `'boocode'`, dispatched external agents → the task's agent, manual RightRail create → `NULL`) and flows through `listPending`; a new `GET /api/sessions/:id/agent-sessions` route returns `[{agent,status,has_session,last_active_at}]` per `(chat,agent)` for the session's chats; and the opencode warm-server backend consumes opencode's `session.next.step.ended` events, accumulating `input_tokens`/`output_tokens`/`cost` onto the `agent_sessions` row (new columns, idempotent). **Frontend:** the BooCoder DiffPanel renders a per-row agent badge (provider icon + label; `null` → "manual") with a "Changes from X, Y" note when a pending set spans multiple agents, and the AgentComposerBar shows a resumed / history / new-session chip beside the Provider picker — gated on an optional `sessionId` prop so BooChat is unaffected — driven by a new `useAgentSessions` hook that refetches on message-complete; `providerIcon` was extracted to a shared `components/coder/providerIcons.tsx`. Built by three parallel subagents over disjoint file sets; web + coder typecheck clean, 165 coder tests pass (9 new across `opencode-usage` and `agent-sessions.routes`). U.6's persisted token totals are conversation-cumulative and not yet surfaced in the UI (deferred). Implements the U.1–U.6 "remaining" plan from the v2.6 openspec reconciliation; Phase 2 (warm ACP goose/qwen) + Phase 3 (lifecycle hardening) remain.
+
+## v2.6.7-interrupt-guard — 2026-05-31
+
+Fixes a post-interrupt correctness bug in the `v2.6.1-phase1-opencode` warm-server backend, made one-click reachable by `v2.6.5-panes-tabs-composer`'s Send→Stop composer. `opencode-server.ts` settled an in-flight turn on opencode's `session.idle`/`session.error` by calling `activeTurn.settle()` on whatever turn currently held the session slot — but opencode emits one trailing terminal event for a *cancelled* turn after `client.session.abort()`, and those events carry only a `sessionID` (no turn id). So after the user hit Stop and immediately sent another message, the aborted turn's orphan `session.idle` settled the *new* turn early as success (Paseo hit and fixed the same class in `1d38aac`). The fix adds a small pure guard (`turn-guard.ts`: `armAbortGuard`/`noteTurnActivity`/`consumeTerminal` over a per-session `swallowNextTerminal` flag): abort arms it, the next terminal is swallowed once, and a new turn's first delta self-heals the flag so a never-arriving orphan can't strand a real turn. Implemented test-first — three regression tests in `turn-guard.test.ts` (swallow-the-orphan, settle-when-no-abort, self-heal); full coder suite green (156 passed). This is the F.1 "fix-next" item from the v2.6 openspec reconciliation; Phase 1-UX / Phase 2 / Phase 3 remain.
+
+## v2.6.6-claude-md — 2026-05-31
+
+Docs-only — CLAUDE.md session-learnings update, no code. Captures four recurring gotchas surfaced while shipping `v2.6.5-panes-tabs-composer`: (1) `sessions.workspace_panes` is now a `WorkspaceState` envelope (`panes` + `tabNumbers`/`nextTabNumber` + `closedPaneStack`), migrated from the legacy bare `WorkspacePane[]` on both frontend hydrate (`toWorkspaceState`) and the union-accepting server PATCH validator; (2) DB/session-aware tools take an optional `ToolExecCtx` (`{ sql, sessionId }`) 4th arg on `ToolDef.execute`, plumbed through the tool phase, with `read_tab_by_number` as the reference; (3) the two-schema-files-one-DB ownership split — `apps/coder/src/schema.sql` owns `agent_sessions`/`worktrees`/`pending_changes`/`available_agents` and extends `tasks`, distinct from BooChat's `apps/server/src/schema.sql` — plus the idempotent `confdeltype` FK-action-flip pattern (guard `ON DELETE` changes on `pg_constraint.confdeltype` so re-runs no-op); and (4) React StrictMode is on, so a `setState` called inside another `setState`'s updater double-fires in dev and must be made idempotent. Pairs with `v2.6.5-panes-tabs-composer`.
+
+## v2.6.5-panes-tabs-composer — 2026-05-31
+
+A workspace UX batch across BooChat panes, tabs, and the composer, plus the persistence model that backs them. **Panes & tabs:** a chat can be opened in a fresh pane (the ChatTabBar tab context menu's "Open in new pane", and the fork button — which now lands the fork beside the original via a new `open_chat_in_new_pane` event instead of replacing the active pane); the per-pane "+" became a New BooChat/BooTerm/BooCode menu; closing a chat pane relocates its tabs (in order) into the oldest chat/empty pane instead of discarding them, and reopen strips the restored chatIds from every live pane first so a relocated-then-reopened pane never duplicates a tab (no stack-shape change); each tab carries a stable session-scoped number assigned on open and retired on close (never reused), rendered map-keyed rather than positional. The per-message "Open in pane" artifact button was removed, and the empty/landing pane became a real session history — the session's open chats plus separately-fetched archived chats, click to open or restore-and-open. **Persistence:** `sessions.workspace_panes` was widened from a bare `WorkspacePane[]` to a `WorkspaceState` envelope (`panes` + `tabNumbers`/`nextTabNumber` + `closedPaneStack`) so tab numbers and the reopen stack survive reload; the PATCH validator accepts the legacy array or the envelope (zod union) and migrates on write, and the `session_workspace_updated` WS-frame schema was widened on both web and server (byte-identical, parity test green) — the same schema-drift class as `v2.6.4-agent-sessions-fk`. **Composer:** the send button morphs Send → Stop → Queue with generation state (BooCoder keys on `sending || activeTaskId`, which also corrected its queue gates and added `cancelTask`), the standalone "Stop generating" pill was folded into it, and pasted chips now trail the typed text so a leading slash command stays first. **Tooling:** adds the read-only `read_tab_by_number` tool — resolves a session-scoped tab number to its chat via the persisted `tabNumbers` map and returns that chat's transcript; tools gained an optional `ToolExecCtx` (`{ sql, sessionId }`) on `execute` to support DB-reading tools. Builds on `v2.6.4-agent-sessions-fk`.
+
+## v2.6.4-agent-sessions-fk — 2026-05-31
+
+Follow-up to `v2.6.3-chatkey-and-skills` (P1.5-b): the live `agent_sessions.session_id` foreign key is converged from `ON DELETE CASCADE` to `ON DELETE SET NULL`, matching the schema's stated intent. The P1.5-b re-key block re-adds `session_id_fkey` as `SET NULL`, but the whole block is guarded on `chat_id_fkey`'s absence — so a database already re-keyed to `(chat_id, agent)` while `session_id_fkey` was still `CASCADE` never re-enters it, leaving the live FK at `CASCADE` and diverging from both `worktree_id` (already `SET NULL`) and the `v2.6.3` changelog's own claim that `session_id` is informational `SET NULL`. The fix adds a standalone `confdeltype`-guarded `DO` block (mirroring the `session_worktrees` defang) that flips `session_id_fkey` `CASCADE → SET NULL` independently of the re-key gate; it is idempotent — fires only while the FK is still `'c'`, a no-op on a fresh deploy (already `'n'`) and on every re-run. The live DB was converged by hand with the identical statements, so `applySchema` and the hand-applied state match (`\d agent_sessions` now shows `session_id ... ON DELETE SET NULL`). Also bundles a CLAUDE.md doc-sync (committed separately): per-session SSE (P1.5-a) and the `(chat_id, agent)` re-key reflected in the engineering notes, the stale root `AGENTS.md` navigation pointer dropped, and new conventions for `data/AGENTS.md` parsing and the `data/skills/<vendor>/` layout.
+
+## v2.6.3-chatkey-and-skills — 2026-05-31
+
+Three threads. **agent_sessions re-keyed to `(chat_id, agent)` (P1.5-b):** the tab (a chat) is now the agent-context unit, so two opencode tabs in one BooCode session are two independent contexts that share one worktree. `chat_id` is threaded end-to-end — `tasks.chat_id` added, stamped by the coder message + skills routes from the frontend tab, read by `runOpenCodeServerTask` which falls back to resolve-or-create a chat for session-less creators (arena/MCP/new_task/generic `/api/tasks`) so `ensureSession` never receives a degenerate `(null, agent)` key. A new first-class `worktrees` table (one-per-session, survives session delete via `session_id ON DELETE SET NULL`) supersedes `session_worktrees`, which is defanged (CASCADE dropped, not yet removed); `agent_sessions.chat_id` CASCADEs from `chats` (closing a tab ends its context) while `worktree_id`/`session_id` are informational `SET NULL`. The migration is idempotent with a backfill-verify gate; the live re-key was applied against an empty table after the 35-chat test session `20d28876` was deleted (backed up first). This corrects and supersedes an earlier draft that wrongly keyed on `(worktree_id, agent)`; the delete-guard from `v2.6.2-delete-guard-and-sse` is repointed here from `session_worktrees` to `worktrees` (`worktree_path`→`path`). **dcp-strip cross-chunk fix:** the `<dcp-message-id>` tag streams split across SSE deltas, which the per-chunk strip from `v2.6.1-phase1-opencode` missed — a stateful `makeDcpStreamStripper` at the dispatcher boundary holds back partial-tag tails so neither live frames nor persisted content carry the tag (11 unit tests). **Agent-judgment skills:** `committing-changes` (segment by concern, stage explicitly, present-and-stop, never push) and `using-worktrees` (the when-to-isolate heuristic, autonomous-when-clear vs committing's command-gate) land in `data/skills/boocode/` with eval.yamls, plus a parser-safe `data/AGENTS.md` preamble pointing at both.
+
+## v2.6.2-delete-guard-and-sse — 2026-05-30
+
+Two coder-side batches under one tag. **Session-delete work-loss guard:** deleting a BooChat session CASCADE-wipes its `session_worktrees` row, which would silently orphan uncommitted/unpushed/unmerged work — so the server's `DELETE /api/sessions/:id` now gates before the delete. It reads `session_worktrees` from the shared DB first (no row → chat-only session → delete immediately, zero round-trip), and for worktree-backed sessions calls a new BooCoder endpoint (`/worktree-risk`) that runs git on the host, since the container can't see `/tmp/booworktrees` — only the host systemd service can. `checkWorktreeWorkAtRisk` reports dirty/unpushed/unmerged via the audited `hostExec`+`shellEscape` path, default branch detected from `refs/remotes/origin/HEAD` (never the worktree's own branch, never hardcoded); any at-risk worktree returns 409 with per-worktree `RiskReport[]`, `force=true` bypasses, and the check is fail-closed (BooCoder unreachable also blocks — force still escapes). The sidebar renders a block dialog distinguishing work-at-risk (Commit/Stash/Force; stash uses `-u` and re-blocks on remaining commits) from couldn't-verify (Cancel/Force), and Commit never auto-commits. A follow-up fix gates the `unpushed` arm behind an actual upstream (`atRisk = dirty || unmerged > 0 || (hasUpstream && unpushed > 0)`) so the no-upstream `session-<id>` branches stop flagging every pristine worktree-backed session — no protection lost, since real local work always also surfaces as `unmerged > 0`. **Per-session SSE (P1.5-a):** replaces the single global SSE loop scoped to the most-recent worktree directory — the known limit flagged in `v2.6.1-phase1-opencode` — with one `event.subscribe({directory})` per live opencode session, so sessions in different worktrees stream concurrently instead of the second silently dropping the first's events. Each session owns an `AbortController` wired into `subscribe(…, {signal})`, which also fixes a latent Phase-1 bug where switching directories left the old loop parked forever in its `for await` (zombie loops); a `sessionID` demux guard drops cross-session events so two sessions sharing a worktree (possible after P1.5-b) don't double-process deltas. The opencode SDK was confirmed to open an independent SSE connection per `subscribe()` call, so N concurrent dir-scoped streams are supported.
+
+## v2.6.1-phase1-opencode — 2026-05-30
+
+v2.6 Phase 1: opencode runs as a warm HTTP server (`apps/coder/src/services/backends/opencode-server.ts`) — one `opencode serve` per BooCoder process, one opencode session per BooCode session resumed across turns via the new `agent_sessions` table, with a single SSE read loop, reasoning dedup ported from Paseo, an inactivity watchdog, and a stale-session guard (crashed-not-resumed + a `config_hash` fingerprint over `opencode_server|<model>`, deliberately excluding the ephemeral server port so cross-restart resume survives). Builds on the `v2.6.0-phase0-foundations` schema/interface scaffold. The batch's hard-won fixes: opencode streams `session.next.*` events (not `message.part.*`), and `event.subscribe()` must pass the session's worktree `directory` or events route to the server CWD and turns come back empty; model strings must be `llama-swap/`-prefixed and present in opencode's own config, with `agent-probe` now populating `available_agents.models` via `mergeLlamaSwap` so the frontend stops sending an empty model; `session_worktrees`/`agent_sessions` FKs are `ON DELETE CASCADE` so session deletion no longer 500s. Also bundled: dcp-message-id tag stripping from opencode text output, a reopen-closed-pane control, the `[+]`/split-pane button separation, auto-name using the session's loaded model, and a `systematic-debugging` slash command. Smoke 1 verified end-to-end (two turns, session reuse, turn 2 ~9x faster). Known Phase 1 limit: one SSE stream scoped to the most-recent session's directory — concurrent opencode sessions in different worktrees collide (warns; per-session SSE is Phase 2).
+
+## v2.5.15-acp-path-guard — 2026-05-29
+
+Security fix + repo hygiene. Fixes a path-traversal in the ACP filesystem bridge (`acp-client-fs.ts`, flagged by the automated push security review): the worktree guard used an unbounded `startsWith(resolve(worktreePath))`, so a sibling path sharing the worktree as a string prefix (`<worktree>-evil/…`) escaped the scope — and `writeWorktreeTextFile` writes to disk directly (no `pending_changes` gate), so a confused/buggy ACP agent could write outside its worktree. Now uses a separator-bounded check matching `write_guard.ts` (`resolve()` + `startsWith(root + sep)` / `=== root`) via a shared `resolveInWorktree`, with a regression test covering `../` traversal and the sibling-prefix bug. Symlink-swap/`O_NOFOLLOW` hardening was intentionally skipped — consistent with `write_guard`'s no-realpath stance, and the agent already runs with host FS access so this is a containment guard, not a trust boundary. Separately, stops tracking the live `data/coder-providers.json` (it's runtime config the UI reads *and writes* on provider toggles, which churned `git status`) — it's now gitignored with a tracked `data/coder-providers.example.json` reference; the loader falls back to built-ins-only when the live file is absent. The provider-type duplication (coder ↔ web) stays guarded by the existing text-identity `provider-types-parity.test.ts` — a shared package was considered and declined (drift is already prevented; not worth the Docker/build-order risk at solo scale).
+
+## v2.5.14-claude-md — 2026-05-29
+
+Docs-only — CLAUDE.md session-learnings update, no code. Adds gotchas surfaced while shipping the v2.3 provider-lifecycle batch: the host `boocoder.service` keeps running the old process after `pnpm -C apps/coder build` (stale-process tell = new routes 404 while old routes 200, restart don't re-debug); the `boocode` container `build: .` deploys the working tree, so web edits are live on the Vite dev server but not production until `docker compose up --build -d boocode`; `PATCH /api/providers/config` replaces a provider's override wholesale (send `{...existing, enabled}` or a custom ACP entry's command is wiped) and `data/coder-providers.json` is live config not to be committed as code; external agents dispatch one-shot with no context/token tracking (only native `boocode` tracks ctx; OpenCode-as-server is the unshipped `v2-6-persistent-agent-sessions` plan); the `ui/` primitive inventory with `button role=switch` / Dialog fallbacks for the absent switch/sheet; and the mobile Dialog-with-list scroll-containment recipe. Also backfills previously-uncommitted doc bullets for the `v2.5.7`–`v2.5.11` coder work (provider-type parity test, async ACP command discovery, AgentComposerBar `installed` filter, provider-registry path disambiguation).
+
+## v2.5.13-provider-lifecycle-phase5 — 2026-05-29
+
+Closeout of the v2.3 provider-lifecycle batch — the web UI (Phase 5) plus docs (Phase 6). Provider management moved into **Settings → Providers**: a tab listing every registered provider with a status badge (Available / Disabled / Not installed / Error / Loading), an enable/disable toggle, a per-provider refresh, and a plaintext diagnostic; toggling sends the provider's *full* override (preserving a custom ACP entry's command under the wholesale-replace PATCH merge) then refetches the snapshot. The composer's provider picker now filters to `enabled && (status === 'ready' || 'loading')`, so disabled and unavailable providers drop out of the picker and are managed only in settings (native `boocode` always shows). A curated ACP catalog (`apps/web/src/data/acp-provider-catalog.ts`) + `AddProviderModal` register custom providers via `PATCH /api/providers/config` then a subset refresh, and the web client gained `getProvidersConfig` / `patchProvidersConfig` / `refreshProviders` / `getProviderDiagnostic`. Two mobile fixes ship alongside: the Settings pane is now reachable on phones (opening it pushes `?pane=` atomically so the mobile URL-sync effect keeps it active instead of snapping back to the chat pane), and the Add-provider modal caps to the viewport with a single `overscroll-contain` scroll region so the list scrolls instead of dragging the whole modal. This completes the arc begun in `v2.5.4-provider-lifecycle-phase1` (config-backed registry over the built-ins) → `v2.5.5-provider-lifecycle-phase2` (loading/unavailable snapshot lifecycle + tier-2 probe TTL gate) → `v2.5.6-provider-lifecycle-phase3` (generic `resolveLaunchSpec` ACP dispatch) → `v2.5.12-provider-lifecycle-phase4` (config GET/PATCH, subset refresh, diagnostic HTTP API). Docs landed in `BOOCODER.md` (config file, refresh contract, enable/disable, custom ACP, the honest subset-refresh known limitation) and `docs/DEFERRED-WORK.md` §2 is marked addressed; the remaining Tier-2 follow-ups (WS `provider_snapshot_updated` frame, `available_agents.enabled` column, shared types package, MCP provider tools) stay deferred.
+
+## v2.5.12-provider-lifecycle-phase4 — 2026-05-29
+
+Phase 4 of the v2.3 provider-lifecycle batch (`openspec/changes/v2-3-provider-lifecycle/design.md` §6): the HTTP API to read, patch, refresh, and diagnose providers. `routes/providers.ts` gains `GET /api/providers/config` (the raw loaded `CoderProvidersFile`), `PATCH /api/providers/config` (a partial providers map — an id's override object is replaced wholesale, a `null` value deletes it), an optional `{ providers?: string[] }` body on `POST /api/providers/refresh` (the `refreshed` count reflects the requested subset; the force probe itself still covers all installed providers, since per-provider force is a snapshot-internal change left to a later phase), and `GET /api/providers/:id/diagnostic` returning JSON `{ diagnostic: string }` — a read-only report (resolved def, install_path, last_probed_at, enabled, `which` availability, last cached probe error) with no probe spawn. PATCH correctness is the whole story: the order is validate→save→reload→clear, a malformed body or an invalid merged config returns 422 without writing the file, and a `save()` failure returns 500 without reloading the registry or clearing the snapshot cache, so on-disk and in-memory state can never diverge. New pure `mergeProviderConfigPatch` + `ProviderConfigPatchSchema` in `provider-config.ts`, a read-only `peekSnapshotEntry` cache accessor (source of the diagnostic's last-error — no probe/cache logic change), and a new `provider-diagnostic.ts` formatter. The web client gains `api.coder.getProvidersConfig` / `patchProvidersConfig` / `refreshProviders(providers?)` / `getProviderDiagnostic`, with mirrored `ProviderOverride` / `CoderProvidersFile` / `ProviderConfigPatch` types; the existing `/api/coder/*` proxy blanket-forwards the new routes with no change. +28 tests (134 coder total: pure merge/validate, the diagnostic formatter, and `app.inject` route tests proving the 422-no-write and save-fail-no-divergence guards). The diagnostic returns JSON rather than the §8 plaintext so it flows through the JSON `request` client helper (reconciling design §6.4's `{ diagnostic }` with §8's string report). No UI (Phase 5). Builds on `v2.5.6-provider-lifecycle-phase3`.
+
+## v2.5.11-claude-skill-discovery — 2026-05-29
+
+Surface Claude Code's real enabled commands + plugin skills in the coder slash menu, with icons separating commands from plugin skills. New `claude-command-discovery.ts` reads (user-global scope) `~/.claude/commands/*.md` plus every enabled plugin in `~/.claude/settings.json:enabledPlugins` — each plugin's user-scope install path contributes `skills/<name>/SKILL.md` (kind `skill`) and `commands/*.md` (kind `command`), parsed from frontmatter, bare names, deduped. The snapshot's claude branch discovers these **live** (claude is PTY, no ACP probe; the snapshot cache rate-limits the fs reads). The `/` menu now renders up to three icon'd groups: **`<agent> commands`** (Terminal), **`<agent> skills`** (Puzzle — claude's plugin skills / opencode is all commands), and **BooCoder skills** (Sparkles), via a new optional `icon` on `SlashCommandGroup`. `AgentCommand` gains a `kind` field, added identically to the coder and web copies (the `provider-types-parity` test enforces it); `mergeCommandsByName` is now generic so it preserves the tag. Invocation is unchanged — picking a claude command/skill sends `/name` to claude (PTY), which executes it. Project-local plugins + `<cwd>/.claude/commands` deferred. BooChat unaffected (flat skills). Smoke-test the claude skill slash-execution on the host.
+
 ## v2.5.10-opencode-live-commands — 2026-05-29
 
 Surface opencode's real (live ACP) command set in the coder slash menu without needing a dispatch. Two fixes: (1) the cold ACP probe (`acp-probe.ts`) captured `available_commands` but read `probedCommands` synchronously right after `newSession` — racing opencode's async `available_commands_update` notification, so it captured **zero** and only the 7-item static manifest showed. The probe now waits briefly (poll up to 3s for the first batch + a 300ms settle, capped under the 30s probe timeout) so the commands are actually captured. (2) Captured commands are persisted to a new `available_agents.commands` JSONB column and served (merged with the manifest) on the tier-2-probe-skip path, so the agent's discovered commands survive once the model list is warm and show without a dispatch. Boot warms this via the `force: true` startup snapshot. apps/coder only (probe + schema + snapshot). Caveat: depends on opencode emitting `available_commands_update` on session creation rather than only after a prompt — to be confirmed on the host. Claude (PTY) disk/plugin discovery deferred.

CLAUDE.md

@@ -2,7 +2,7 @@
 
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 
-**Cursor agents:** start with `AGENTS.md` (navigation) and `docs/ARCHITECTURE.md` (diagram). This file is the deep engineering reference.
+**Cursor agents:** start with `docs/ARCHITECTURE.md` (diagram). This file is the deep engineering reference. (Note: the root navigation `AGENTS.md` was removed in v1.12; `data/AGENTS.md` is the agent *registry*, not navigation.)
 
 ## What is BooCode
 
@@ -68,9 +68,9 @@ Key services:
 - **`messages_with_parts` view** (v1.13.1-B; `schema.sql`). Read sites that need `tool_calls` / `tool_results` / `reasoning_parts` SELECT from this view, NOT `messages` directly. v1.13.20 dropped the legacy `messages.tool_calls` / `messages.tool_results` JSON columns; the view now reads parts-only subselects. Writes target `message_parts` exclusively via `insertParts` (or via the helpers `partsFromAssistantMessage` / `partsFromToolMessage`). The `Message` wire type still carries `tool_calls?` / `tool_results?` because the view synthesizes them from parts — frontend reads are unchanged. Shapes: `tool_calls jsonb[]`, `tool_results jsonb` single object, `reasoning_parts jsonb[]` of `{text}`. If you ever need to UPDATE a message and return its full Message shape, do a two-step UPDATE returning `id` followed by SELECT from the view — RETURNING off the bare `messages` table no longer carries the tool fields.
 - **`services/file_ops.ts`** — Shared file operation implementations used by both inference tools and HTTP routes.
 - **`services/auto_name.ts`** — Non-streaming LLM call to generate 4-word session titles after first assistant reply.
-- **`services/provider-registry.ts`** — Static registry of provider metadata (label, transport, model source). `PROVIDERS` array, `PROVIDERS_BY_NAME` map. 5 providers: boocode (native), opencode (acp), goose (pty), claude (pty), qwen (pty).
-- **`services/agent-probe.ts`** — Startup probe using direct `exec()` (not SSH). Discovers installed agents on host, their versions, ACP support, and models. Qwen models read from `~/.qwen/settings.json`. Claude models are static from the registry. Results persisted to `available_agents` table.
-- **`routes/providers.ts`** — `GET /api/providers` returns installed providers with models. Transport field reflects actual capability (checks `supports_acp` from DB, not just registry preference).
+- **`apps/coder/src/services/provider-registry.ts`** (BooCoder, NOT apps/server) — Static registry of provider metadata (label, transport, model source). `PROVIDERS` array, `PROVIDERS_BY_NAME` map. 5 providers: boocode (native), opencode (acp), goose (pty), claude (pty), qwen (pty).
+- **`apps/coder/src/services/agent-probe.ts`** (BooCoder) — Startup probe using direct `exec()` (not SSH). Discovers installed agents on host, their versions, ACP support, and models. Qwen models read from `~/.qwen/settings.json`. Claude models are static from the registry. Results persisted to `available_agents` table.
+- **`apps/coder/src/routes/providers.ts`** (BooCoder) — `GET /api/providers` returns installed providers with models. Transport field reflects actual capability (checks `supports_acp` from DB, not just registry preference). The apps/server side of this flow is the "Provider picker dispatch" bullet below.
 - **Provider picker dispatch**: when `provider !== 'boocode'`, the message route creates a `tasks` row (with `session_id` set) instead of calling `inference.enqueue`. The dispatcher picks it up and dispatches via ACP or PTY using the agent's `install_path`.
 
 Route registration: all routes registered in `index.ts` via `register*Routes(app, sql, ...)` functions. Routes are in `routes/*.ts`.
@@ -80,12 +80,19 @@ Route registration: all routes registered in `index.ts` via `register*Routes(app
 - Write-capable coding agent. Runs as a **systemd service on the host** (`boocoder.service`), NOT in Docker. Fastify server at port 9502, connects to postgres at `127.0.0.1:5500`.
 - **Workspace dependency on `@boocode/server`**: imports `createInferenceRunner`, `createBroker`, `ALL_TOOLS`, `appendMcpTools` from the server's compiled `dist/`. apps/server's `package.json` has an `exports` map with `types` conditions for NodeNext resolution. apps/server must build FIRST.
 - Build + deploy: `pnpm -C apps/server build && pnpm -C apps/coder build && sudo systemctl restart boocoder`. Env file at `apps/coder/.env.host`. Service file at `/etc/systemd/system/boocoder.service`.
+- After `pnpm -C apps/coder build` the host `boocoder.service` keeps running the OLD process until `sudo systemctl restart boocoder` — a stale process shows **new routes 404 with `{error:'not found'}` while old routes still 200** (the `/api` not-found handler returns that shape). Restart, don't re-debug.
 - Agent dispatch spawns binaries directly using `install_path` from `available_agents` — no `spawn('sh', ['-c', ...])` (fails under systemd). Follows Paseo's pattern: `spawn(fullBinaryPath, argsArray, { cwd })`.
 - systemd hardening: only `NoNewPrivileges=true` is safe. `ProtectSystem`, `ProtectHome`, `PrivateTmp` all break agent dispatch (agents need full filesystem access to read configs, write to worktrees).
 - `apps/server/tsconfig.json` has `declaration: true` so `.d.ts` files exist for workspace consumers.
 - Write tools (`edit_file`, `create_file`, `delete_file`, `apply_pending`, `rewind`) queue in `pending_changes` table. Nothing hits disk until `apply_pending` is called. `write_guard.ts` validates paths (resolve + prefix-check, no realpath since files may not exist for creates).
 - Frontend: NOT a separate SPA. BooCoder is a `'coder'` pane type within BooChat's SPA (`apps/web/`). `CoderPane.tsx` in `apps/web/src/components/panes/`. API requests go through `/api/coder/*` proxy (Vite dev + Fastify production) which rewrites to the boocoder host service (`BOOCODER_URL` env var, default `http://100.114.205.53:9502`). WS connects directly to `:9502`.
 - `apps/coder/web/` is a STANDALONE fallback SPA served at `:9502` directly. The PRIMARY BooCoder frontend is the `CoderPane` in BooChat's SPA (`apps/web/src/components/panes/CoderPane.tsx`), accessible via the "Coder" pane in the workspace at `code.indifferentketchup.com`. Both exist; the pane is what Sam uses.
+- **Provider snapshot lifecycle** (`apps/coder/src/services/`): `provider-config.ts` (Zod config, never-throws on bad input) → `provider-config-registry.ts` (`buildResolvedRegistry`, singleton) → `provider-snapshot.ts` (two-tier probe: tier-1 fast presence, tier-2 cold ACP probe skipped unless force / stale `PROVIDER_PROBE_TTL_MS` 24h / dbEmpty; cached). Verify live: `curl http://100.114.205.53:9502/api/providers/snapshot` — returns providers + models + commands, the exact shape `AgentComposerBar` renders.
+- `PATCH /api/providers/config` replaces a provider id's override object **wholesale** (per-id shallow merge) — to flip one field send `{...existing, enabled}`, or a custom ACP entry's `command`/`label` is wiped and it drops out of the resolved registry. `data/coder-providers.json` is **gitignored** (it's live runtime config — the coder reads AND writes it on UI toggles); the tracked reference is `data/coder-providers.example.json`. The loader falls back to `{providers:{}}` (built-ins only) when the live file is absent, so a fresh checkout needs no copy.
+- **opencode** runs as a warm HTTP server (v2.6 Phase 1, `services/backends/opencode-server.ts` — `opencode serve` per BooCoder process, one opencode session per BooCode session, resumed via `agent_sessions`). goose/qwen/claude still dispatch **one-shot** ACP/PTY with no ctx/token usage; only native `boocode` (llama-swap engine) tracks ctx. Paseo's per-provider native clients (design §12) deliberately not ported.
+- **opencode SSE** (`opencode-server.ts`): live streaming arrives as `session.next.text.delta` / `session.next.reasoning.delta` / `session.next.tool.{called,success,failed}` — NOT `message.part.*` (those are terminal/post-hoc). `client.event.subscribe({ directory })` MUST pass the session's worktree directory; omit it and opencode scopes events to the server's `process.cwd()` → zero session events (empty turns, 180s watchdog timeout). Per-session SSE (P1.5-a): each live session owns its own `event.subscribe({directory})` loop + AbortController, so concurrent sessions in different worktrees stream independently; a `sessionID` demux guard drops cross-session events when two share a dir. Turn completes on `session.idle`; `promptAsync` is fire-and-forget (204).
+- **opencode model strings** must be provider-prefixed (`llama-swap/<model>`) AND exist in `~/.config/opencode/opencode.json` `provider.llama-swap.models` — not merely loadable by llama-swap. `parseModel` infers `llama-swap/` for a bare id; the dispatcher coalesces empty→DEFAULT_MODEL then prefixes. `agent-probe` populates opencode's `available_agents.models` via `mergeLlamaSwap` (fetches `/v1/models`); empty model list → frontend sends `''` → no inference (`input:0`, empty turn).
+- **agent_sessions resume**: `config_hash = sha256('opencode_server|<model>')` — must NOT include the server port (random per boot; including it breaks cross-restart resume). P1.5-b: `agent_sessions` is keyed `(chat_id, agent)` — the tab/chat is the context unit (two opencode tabs in one session = two contexts sharing one worktree). `chat_id` CASCADEs from `chats`; `session_id`/`worktree_id` are informational `SET NULL`. The `worktrees` table (one-per-session, `session_id` SET NULL so it survives session delete) supersedes the defanged `session_worktrees`. `tasks.chat_id` threads the tab id to the dispatcher; `runOpenCodeServerTask` falls back to resolve-or-create a chat when it's null (arena/MCP/new_task). The `@opencode-ai/sdk` v2 client takes flattened params (`{sessionID, directory, parts, model:{providerID,modelID}}`), imports `createOpencodeClient` from `@opencode-ai/sdk/v2/client`.
 
 ### Frontend (`apps/web/src/`)
 
@@ -119,11 +126,11 @@ Font / CSS pipeline (apps/web):
 
 ### Multi-pane workspace
 
-Sessions hold 1–5 panes (chat / empty / placeholder terminal+agent). v1.12.1 moved pane state from per-device localStorage to `sessions.workspace_panes jsonb` for cross-device sync. `PATCH /api/sessions/:id/workspace` persists; `session_workspace_updated` user-channel frame broadcasts to every device watching the session. `useWorkspacePanes` debounces saves 300ms and dedups echoes by JSON string. Legacy localStorage key `boocode.workspace.panes.<sessionId>` is read once on first hydrate (one-time seed-and-delete migration when server is empty but localStorage has data); no longer written. The deprecated `session_panes` table was dropped. `validatePanes(validChatIds)` prunes panes referencing chat IDs that no longer exist (called by `useSessionChats` after the chat list fetch lands). Each chat lives in at most one pane; tab strip is per-pane and tracks `chatIds[]` + `activeChatIdx`. Tab reorder via native HTML5 drag events.
+Sessions hold 1–5 panes (chat / empty / placeholder terminal+agent). v1.12.1 moved pane state from per-device localStorage to `sessions.workspace_panes jsonb` for cross-device sync. `PATCH /api/sessions/:id/workspace` persists; `session_workspace_updated` user-channel frame broadcasts to every device watching the session. `useWorkspacePanes` debounces saves 300ms and dedups echoes by JSON string. Legacy localStorage key `boocode.workspace.panes.<sessionId>` is read once on first hydrate (one-time seed-and-delete migration when server is empty but localStorage has data); no longer written. The deprecated `session_panes` table was dropped. `validatePanes(validChatIds)` prunes panes referencing chat IDs that no longer exist (called by `useSessionChats` after the chat list fetch lands). Each chat lives in at most one pane; tab strip is per-pane and tracks `chatIds[]` + `activeChatIdx`. Tab reorder via native HTML5 drag events. v2.6.5: `workspace_panes` is now a `WorkspaceState` envelope `{panes, tabNumbers (chatId→stable session-scoped tab number, assigned on chat-pane open, retired on close, never reused), nextTabNumber, closedPaneStack (reopen LIFO, max 10, persisted so it survives reload)}` — not a bare `WorkspacePane[]`. Hydrate (`toWorkspaceState`) and the server PATCH validator (`z.union([array, envelope])` in `routes/sessions.ts`) both accept the legacy array and normalize to the envelope on read/write. Closing a chat pane relocates its tabs to the oldest chat/empty pane; `reopenPane` strips the restored chatIds from all live panes first (no duplication). `read_tab_by_number` resolves a number→chatId through `tabNumbers`.
 
 ## Database
 
-PostgreSQL 16. Database name: `boochat` (renamed from `boocode` in v2.0.0-alpha; Docker service name stays `boocode_db`). Tables: `projects`, `sessions`, `chats`, `messages`, `settings`, `message_parts` (v1.13.0), `pending_changes` (v2.0.0), `tasks` (v2.0.0), `available_agents` (v2.0.0). Views: `messages_with_parts` (v1.13.1-B parts-merge read path), `tool_cost_stats` (v1.13.10 per-tool 100-call rolling window), `human_inbox` (v2.0.0 — tasks WHERE state IN blocked/failed). (`session_panes` was dropped in v1.12.1; workspace pane state lives in `sessions.workspace_panes jsonb`.) Schema applied idempotently on startup via `applySchema()`. Use `clock_timestamp()` (not `NOW()`) inside transactions. CHECK constraints in place: `projects_status_chk` ('open'|'archived'), `sessions_status_chk` (same), `chats_status_chk` (same), `messages_role_chk`, `messages_status_chk` — keep in sync with the `*_STATUSES` const arrays in `apps/server/src/types/api.ts`. The older anonymous `messages_status_check` (without 'cancelled') and `messages_role_check` (without 'system') were dropped in v1.12.1; only the `_chk` variants remain.
+PostgreSQL 16. Database name: `boochat` (renamed from `boocode` in v2.0.0-alpha; Docker service name stays `boocode_db`). Tables: `projects`, `sessions`, `chats`, `messages`, `settings`, `message_parts` (v1.13.0), `pending_changes` (v2.0.0), `tasks` (v2.0.0), `available_agents` (v2.0.0). Views: `messages_with_parts` (v1.13.1-B parts-merge read path), `tool_cost_stats` (v1.13.10 per-tool 100-call rolling window), `human_inbox` (v2.0.0 — tasks WHERE state IN blocked/failed). (`session_panes` was dropped in v1.12.1; workspace pane state lives in `sessions.workspace_panes jsonb`.) Schema applied idempotently on startup via `applySchema()`. Use `clock_timestamp()` (not `NOW()`) inside transactions. CHECK constraints in place: `projects_status_chk` ('open'|'archived'), `sessions_status_chk` (same), `chats_status_chk` (same), `messages_role_chk`, `messages_status_chk` — keep in sync with the `*_STATUSES` const arrays in `apps/server/src/types/api.ts`. The older anonymous `messages_status_check` (without 'cancelled') and `messages_role_check` (without 'system') were dropped in v1.12.1; only the `_chk` variants remain. **Two schema files, one DB:** `apps/server/src/schema.sql` owns `sessions`/`chats`/`messages`/`message_parts`; `apps/coder/src/schema.sql` (applied by the boocoder host service) owns `agent_sessions`, `worktrees`, `pending_changes`, `available_agents` and extends `tasks`. Both apply idempotently to the one `boochat` DB — so e.g. an `agent_sessions` FK change goes in the **coder** schema, not the server one. Idempotent FK-action flips (e.g. `ON DELETE CASCADE`→`SET NULL`) guard on `pg_constraint.confdeltype` so a re-run/fresh-deploy is a no-op (see the `session_worktrees`/`agent_sessions` defang blocks).
 
 Schema CHECK migration order when renaming allowed values: (1) `ALTER TABLE ... DROP CONSTRAINT IF EXISTS <system_name>` (inline `CREATE TABLE` checks get `<table>_<column>_check`), (2) `UPDATE` rows to new values, (3) wrap new constraint ADD in `DO $$ ... pg_constraint` guard — that block is the only way to get `ADD CONSTRAINT IF NOT EXISTS`.
 
@@ -145,6 +152,7 @@ BooCoder at port 9502: `curl http://100.114.205.53:9502/api/health`. Runs as `bo
 - Tag naming: `vMAJOR.MINOR.PATCH-slug` (e.g. `v1.13.13-ws-publish`). Monotonic per minor — the slug describes the batch's content so the tag name alone is enough to recall what shipped. No letter suffixes (`-a`/`-b`), no pseudo-ranges (`v1.11.x`), no slug-only sub-versions sharing a number (`v1.13.15-tools` + `-openspec` + `-agentlint` — split into sequential patches instead).
 - `CHANGELOG.md` is the per-tag release log, most-recent on top. When a new tag is created, add a `## <tag> — <YYYY-MM-DD>` section with a 3–6 sentence paragraph summarizing what shipped, drawn from the commit body. Cross-reference other tags by name when the batch builds on, fixes, or pairs with prior work (e.g. "pairs with `v1.13.12-ws-schemas`", "fixed in `v1.13.5-stability-bundle`"). No nested bullets — one paragraph.
 - Deploy: `cd /opt/boocode && docker compose up --build -d` (or `docker compose build --no-cache boocode && docker compose up -d` if you suspect a layer-cache issue).
+- The `boocode` container is `build: .` — it builds web+server from the **working tree**, so uncommitted changes deploy. Web edits are live on the Vite dev server (HMR) but NOT on production (`:9500` / code.indifferentketchup.com) until `docker compose up --build -d boocode`.
 - Git push to Gitea: `GIT_SSH_COMMAND="ssh -i /opt/boocode/secrets/boocode_gitea -o IdentitiesOnly=yes" git push origin <branch>`. The default agent identity is rejected; the in-repo deploy key (`secrets/`, gitignored) is the working one. Transient `Connection reset by peer` retries cleanly after `sleep 5`.
 - Don't accumulate `.bak-*` files. Clean them up in the same batch or immediately after merge.
 - DB-integration tests opt-in via env var: `DATABASE_URL='postgres://boocode:devpass@localhost:5500/boochat' pnpm -C apps/server test`. Host port is 5500 (mapped from `boocode_db:5432`); password is `${POSTGRES_PASSWORD}` from `.env` (`devpass`), NOT the literal in `.env`'s `DATABASE_URL=postgres://boocode:Ketchup1479@boocode_db:5432/...` line. `psql` is not on the host PATH — for an interactive query use `docker exec boocode_db psql -U boocode -d boochat -c "..."`. Pattern: `describe.runIf(!!process.env.DATABASE_URL)(...)` with a `beforeAll` that applies the schema via `sql.unsafe(readFileSync(schemaPath))`. Tests skip cleanly when var is unset. `tool_cost_stats.test.ts` is the reference.
@@ -172,16 +180,22 @@ BooCoder at port 9502: `curl http://100.114.205.53:9502/api/health`. Runs as `bo
 - Discriminated unions for type narrowing: `Pane` (by `kind`), `SessionEvent` (by `type`), `InferenceFrame` (by `type`).
 - **Adding a new WS frame type** requires updating BOTH the server's `InferenceFrame` (loose `type:` union + optional fields in `services/inference/turn.ts`) AND the web `WsFrame` (strict discriminated union in `apps/web/src/api/types.ts`). Server publish is permissive; the frontend type is the wire-format gate. The `'usage'` frame added in v1.12.2 needed both sides; missing the web side silently drops the frame at JSON-parse.
 - shadcn primitives live in `components/ui/`. Don't modify them unless adding a new primitive.
+- `ui/` primitives present: button, card, context-menu, dialog, dropdown-menu, input, label, radio-group, sonner, textarea. No switch/sheet/drawer/badge/checkbox — use a `<button role="switch" aria-checked>` toggle (a hand-rolled `Switch` already lives in `SettingsPane.tsx`) and a Dialog-based panel for "drawers".
 - `inferLanguage()` from `lib/attachments.ts` is the canonical file-extension-to-language map. `CodeBlock.tsx` keeps its own `LANG_MAP` because it also resolves markdown fence names.
 - Two UI event buses: `hooks/sessionEvents.ts` for DB-state events (chat_created, session_updated); `lib/events.ts` for ephemeral UI (`sendToTerminal`, `terminalsRegistry`). Don't merge — different subscriber lifecycles.
 - `vite.config.ts` proxy entries are order-sensitive: more-specific prefixes (`/api/term`, `/ws/term`) must come BEFORE `/api`.
 - Mobile pane URL sync (`Session.tsx`): the `?pane=<id>` effect resets `activePaneIdx` whenever `panes` changes. New-pane creation on mobile must push `?pane=` atomically — `addPaneAndSwitch` is the wrapper that does this. `addSplitPane` returns the new pane id for callers.
+- A scrollable list inside a Dialog on mobile: cap `DialogContent` (`max-h-[85vh]` + `grid-rows-[auto_minmax(0,1fr)_auto]`) and make the list the single scroll region with `overscroll-contain` — otherwise touch-scroll drags the whole fixed modal / chains to the page.
 - xterm.js v5 uses canvas rendering — browser doesn't see xterm's selection; the native right-click menu has no working Copy for terminal text. App keybindings (`Cmd/Ctrl-C`, `Cmd/Ctrl-Shift-C`) are the path.
 - **New tools** live in their own `services/<name>.ts` file (see `web_search.ts`, `web_fetch.ts`) — exports a pure `executeFoo(input, ...deps)` for direct test access plus a `ToolDef` wrapper that `loadConfig()`s its real dependencies. Register the ToolDef in `tools.ts` `ALL_TOOLS` (and `READ_ONLY_TOOL_NAMES` if applicable). Inject `fetcher: typeof fetch = fetch` rather than `vi.spyOn(globalThis, 'fetch')` — cleanup is simpler and the production call site stays unchanged.
+- **DB/session-aware tools** take an optional 4th `ToolExecCtx { sql, sessionId }` arg on `ToolDef.execute`, plumbed `executeToolPhase`→`executeToolCall`→`execute`. It's optional so the filesystem tools and the `apps/coder` `ALL_TOOLS` consumer stay compatible; filesystem tools ignore it. `read_tab_by_number` (reads `sessions.workspace_panes` + the chat's messages via `sql`) is the reference.
 - **Sentinels** are `role='system'` rows with structured `metadata.kind` (`cap_hit`, `doom_loop`). UI-only — `buildMessagesPayload` strips them via `isAnySentinel` so the LLM never sees them. A new kind requires arms in `MessageMetadata` in BOTH `apps/server/src/types/api.ts` AND `apps/web/src/api/types.ts`, plus a render branch in `apps/web/src/components/MessageBubble.tsx`.
 - **ReadableStream test stubs** use `pull()` (not `start()`) so chunks are produced lazily — `start()` enqueues everything and calls `controller.close()` before the consumer reads, so a subsequent `reader.cancel()` finds the stream already closed and the `cancel()` callback never fires. Also provide MORE chunks than the test will consume so the source stays in 'readable' state when cancel runs (e.g. cap test reads ~6 chunks, stub provides 10).
+- React **StrictMode is on** (`main.tsx`): an updater passed to one `setState` that itself calls another `setState` (e.g. `setClosedPaneStack` inside a `setPanes` updater) is double-invoked in dev. Make such nested updates idempotent — `useWorkspacePanes`'s `appendClosed` dedupes a value-identical top entry for exactly this reason.
 - Tool-name whitelists must derive from `ALL_TOOLS` in `services/tools.ts`, never hardcoded. `services/agents.ts` `ALL_TOOL_NAMES` had this drift class until v1.12 — same pattern applies to any future tool-aware code.
 - Agent registry lives at `data/AGENTS.md` (global, bind-mounted at `/data/AGENTS.md`). No per-project `AGENTS.md` in this repo — removed in v1.12 to eliminate the two-files-must-stay-in-sync drift. The `getAgentsForProject` per-project override mechanism remains for *other* projects.
+- `data/AGENTS.md` is PARSED (`agents.ts` `splitSections`/`parseAgentSection`): each `## <Name>` is one agent and must be followed by a `---` frontmatter fence or the block throws; content before the first `## ` is discarded. Do NOT add free-form `## ` rule sections — they break the registry. Cross-cutting agent rules go in CLAUDE.md or a parser-ignored preamble.
+- Skills live in `data/skills/<vendor>/`; Sam's own namespace is `boocode/` (`committing-changes`, `using-worktrees`, `improving-boocode-guidance`) — `SKILL.md` + optional `eval.yaml` (gerund names; eval = `skill:` + `tasks:` of `prompt`+`grader`, incl. a negative-trigger task). `data/skills/` is canonical; a divergent mirror at `/opt/skills/` exists.
 - MCP stdio transport uses newline-delimited JSON (NDJSON), NOT LSP-style `Content-Length` headers. The `codecontext/shim.go` framing implementation is the reference; per the MCP spec (modelcontextprotocol.io/specification/server/transports).
 - **Workspace dependency pattern** (`apps/coder` → `@boocode/server`): the consuming package adds `"@boocode/server": "workspace:*"` in `package.json`. The provider's `package.json` needs `exports` with `types` + `default` conditions per subpath: `"./inference": { "types": "./dist/.../index.d.ts", "default": "./dist/.../index.js" }`. Without the `types` condition, NodeNext resolution can't find `.d.ts` files and tsc fails with "Cannot find module" in the consumer.
 - **JSONB columns**: use `sql.json(value as never)` — NOT `${JSON.stringify(value)}::jsonb` which double-serializes (stores a JSON string instead of a JSON object/array). Pattern established in `parts.ts`, `settings.ts`.
@@ -191,6 +205,9 @@ BooCoder at port 9502: `curl http://100.114.205.53:9502/api/health`. Runs as `bo
 - **CoderPane uses ChatInput** (`components/panes/CoderPane.tsx`): shares the same `ChatInput` component as BooChat for full parity — attachments, paste-to-chip, auto-grow textarea, queued messages during send. CoderPane's `sendOneMessage` is the send callback; queued messages drain via `useEffect` when `sending` goes false.
 - **Adding a new `SessionEvent` type**: add the interface, add it to the `SessionEvent` union, add a `case` in `useSidebar.ts` `applyEvent` switch (no-op `return prev` is fine), and subscribe in any hook that needs it (e.g. `useSessionStream` for `refetch_messages`).
 - **BooCoder provider registry** (`apps/coder/src/services/provider-registry.ts`): static list of provider defs (boocode, opencode, goose, claude, qwen). `PROBED_AGENT_NAMES` derives from it. Adding/removing providers means editing this file, not the frontend.
+- **AgentComposerBar filters `e.installed`**: provider snapshot entries with `installed:false` (loading/unavailable) are dropped from the dropdown. `getProviderSnapshot` must await the full build — returning synchronous `loading` placeholders makes every provider vanish (the v2.5.7 "no providers showing up" regression); surfacing loading states needs a client poll.
+- **Coder↔web provider-type parity** (`apps/coder/src/services/provider-types.ts` ↔ `apps/web/src/api/types.ts`): enforced by runtime `provider-types-parity.test.ts` (compile-time cross-import is blocked by TS6307 on web's composite tsconfig). Mirror of the ws-frames parity pattern — edit both copies together or the test fails.
+- **ACP command discovery is async**: `acp-probe.ts` must poll after `newSession` for `available_commands_update` (commands arrive in a later notification; reading synchronously captures 0). PTY providers (claude) instead discover from disk via `claude-command-discovery.ts` (`~/.claude/commands` + `enabledPlugins` `skills/`+`commands/`, bare names, deduped). `AgentCommand.kind` tags `'command'` vs `'skill'`; `CoderPane`'s `slashGroups` splits them into icon'd groups. `SlashCommandPicker`'s `groups?` prop is opt-in — BooChat passes flat `items` (unchanged).
 - **Pane header architecture (mobile vs desktop)**: Desktop coder pane header (BooCode label + [+] [×]) lives in `Workspace.tsx` gated by `isCoder && !isMobile`. Mobile coder controls (● ×) live in `Session.tsx` header row next to `MobileTabSwitcher`/`NewPaneMenu`. `AgentComposerBar` (provider/mode/model pickers) renders inside `CoderPane.tsx` on both. The ● status dot is passed via `connected` prop from CoderPane to AgentComposerBar.
 - **MessageBubble shared between BooChat and BooCoder** (`components/MessageBubble.tsx`): accepts optional `actions?: MessageActions` callbacks (onRegenerate, onResend, onFork, onDelete) and `hideActions?: ('fork'|'delete'|'openInPane')[]`. Defaults use BooChat API; CoderPane overrides via `CoderMessageList` props. `CoderTextBubble` was removed. **`CoderMessageList` passes `CoderMessageWire as unknown as Message`** — the coder wire shape lacks `metadata`/`kind`/`summary`, so those fields are `undefined` (not `null`) on coder messages. Null-guards on any `Message` field MUST use loose `!= null`, not strict `!== null` (`undefined !== null` is `true` → `.kind` throws → blank-screen crash). The `as unknown as` cast hides this from tsc; build + typecheck pass while runtime crashes.
 - **llama-sidecar** (`/opt/forks/llama-sidecar/`): Go daemon for per-agent llama-server process pool. Cross-compile: `GOOS=windows GOARCH=amd64 /snap/go/current/bin/go build -o bin/llama-sidecar.exe ./cmd/llama-sidecar`. Gitea: `indifferentketchup/llama-sidecar`. Windows child process gotchas: use `context.Background()` for child lifetime (not request ctx), `os.Open(os.DevNull)` for stdin, `os.Pipe()` for stdout with drain goroutine, `DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP` creation flags. SSH to sam-desktop: `ssh samki@100.101.41.16`; use `schtasks` for persistent process spawning (SSH `start /B` doesn't survive session close).

LICENSE

@@ -1,661 +1,21 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 19 November 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-our General Public Licenses are intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
-
-  A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate.  Many developers of free software are heartened and
-encouraged by the resulting cooperation.  However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
-
-  The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community.  It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server.  Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
-
-  An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals.  This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
-this license.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU Affero General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Remote Network Interaction; Use with the GNU General Public License.
-
-  Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software.  This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new versions
-will be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
-
-    You should have received a copy of the GNU Affero General Public License
-    along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source.  For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code.  There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
-<https://www.gnu.org/licenses/>.
+MIT License
+
+Copyright (c) 2026 indifferentketchup
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -84,3 +84,7 @@ See [`boocode_roadmap.md`](boocode_roadmap.md) for full version history. Highlig
 ## Planned
 
 - **v2.3 provider lifecycle** — config-backed provider registry (`/data/coder-providers.json`), enable/disable toggles, two-tier probe (openspec drafted). See [`CURRENT.md`](CURRENT.md).
+
+## License
+
+MIT — see [`LICENSE`](LICENSE).

apps/booterm/package.json

@@ -24,5 +24,5 @@
     "tsx": "^4.16.2",
     "typescript": "^5.5.0"
   },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }

apps/coder/package.json

@@ -16,6 +16,7 @@
     "@agentclientprotocol/sdk": "^0.22.1",
     "@boocode/server": "workspace:*",
     "@fastify/static": "^7.0.4",
+    "@opencode-ai/sdk": "~1.15.0",
     "@fastify/websocket": "^10.0.1",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "fastify": "^4.28.1",
@@ -30,5 +31,5 @@
     "typescript": "^5.5.0",
     "vitest": "^3.0.0"
   },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }

apps/coder/src/config.ts

@@ -35,6 +35,21 @@ const ConfigSchema = z.object({
   // SSH access to the host for external agent dispatch (Phase 5)
   BOOCODER_SSH_HOST: z.string().default('100.114.205.53'),
   BOOCODER_SSH_USER: z.string().default('samkintop'),
+  // v2.6 Phase 3 (lifecycle hardening). Idle TTL: evict a non-busy warm backend
+  // (opencode server / warm-ACP child) after this long with no turn — its worktree
+  // + agent_sessions row persist, so the next turn re-spawns + reattaches. 30 min
+  // default (design §6).
+  AGENT_POOL_IDLE_TTL_MS: z.coerce.number().int().positive().default(1_800_000),
+  // LRU cap: max live warm backends before the least-recently-used (non-busy) ones
+  // are evicted. Bounds the long-lived-daemon's per-(chat,agent) Map growth.
+  AGENT_POOL_MAX_LIVE: z.coerce.number().int().positive().default(10),
+  // Periodic sweep cadence (idle/LRU pool eviction + orphan-worktree reap). 60s
+  // mirrors the apps/server truncation/stale-streaming sweeper.
+  LIFECYCLE_SWEEP_INTERVAL_MS: z.coerce.number().int().positive().default(60_000),
+  // Orphan-worktree grace: an on-disk worktree dir with no live `worktrees` row is
+  // only reaped after it's been untouched this long (avoids sweeping a dir mid
+  // ensureSessionWorktree create). 1h default.
+  ORPHAN_WORKTREE_GRACE_MS: z.coerce.number().int().positive().default(3_600_000),
 });
 
 export type Config = z.infer<typeof ConfigSchema>;

apps/coder/src/index.ts

@@ -25,14 +25,20 @@ import { setInferenceContext, clearInferenceContext } from './services/tools/inf
 import { registerMessageRoutes } from './routes/messages.js';
 import { registerSkillRoutes } from './routes/skills.js';
 import { registerPendingRoutes } from './routes/pending.js';
+import { registerCheckpointRoutes } from './routes/checkpoints.js';
+import { registerAgentSessionRoutes } from './routes/agent-sessions.js';
 import { registerTaskRoutes } from './routes/tasks.js';
 import { registerInboxRoutes } from './routes/inbox.js';
 import { registerStatsRoutes } from './routes/stats.js';
 import { registerArenaRoutes } from './routes/arena.js';
 import { registerProviderRoutes } from './routes/providers.js';
+import { registerWorktreeSafetyRoutes } from './routes/worktree-safety.js';
+import { registerLifecycleRoutes } from './routes/lifecycle.js';
 import { registerWebSocket } from './routes/ws.js';
 // Phase 4: dispatcher + agent probe
 import { createDispatcher } from './services/dispatcher.js';
+import { agentPool } from './services/agent-pool.js';
+import { createOrphanWorktreeReaper } from './services/orphan-worktree-reaper.js';
 import { probeAgents } from './services/agent-probe.js';
 import { getProviderSnapshot, persistProbedModels } from './services/provider-snapshot.js';
 import { setPermissionHooks } from './services/permission-waiter.js';
@@ -178,17 +184,46 @@ async function main() {
   // Phase 4: dispatcher — polls tasks table and runs inference
   const dispatcher = createDispatcher({ sql, inference: inferenceApi, broker, log: app.log, config });
   dispatcher.start();
-  app.addHook('onClose', () => dispatcher.stop());
+
+  // v2.6 Phase 3: configure + start the agent-pool lifecycle sweep (idle-TTL +
+  // LRU-cap eviction of warm backends, plus each backend's proactive health probe)
+  // and the orphan-worktree reaper. Both run on the same periodic timer.
+  agentPool.configure({
+    idleTtlMs: config.AGENT_POOL_IDLE_TTL_MS,
+    maxLive: config.AGENT_POOL_MAX_LIVE,
+    sweepIntervalMs: config.LIFECYCLE_SWEEP_INTERVAL_MS,
+    log: app.log,
+  });
+  agentPool.startReaper(app.log);
+  const orphanReaper = createOrphanWorktreeReaper({
+    sql,
+    log: app.log,
+    intervalMs: config.LIFECYCLE_SWEEP_INTERVAL_MS,
+    graceMs: config.ORPHAN_WORKTREE_GRACE_MS,
+  });
+  orphanReaper.start();
+
+  app.addHook('onClose', async () => {
+    // stop() first so in-flight dispatcher turns settle, then stop the reapers and
+    // drain the pool (kills opencode server + warm ACP children).
+    await dispatcher.stop();
+    orphanReaper.stop();
+    await agentPool.dispose();
+  });
 
   // Register routes
   registerMessageRoutes(app, sql, broker, inferenceApi);
   registerSkillRoutes(app, sql, broker, inferenceApi);
   registerPendingRoutes(app, sql);
+  registerCheckpointRoutes(app, sql);
+  registerAgentSessionRoutes(app, sql);
   registerTaskRoutes(app, sql, inferenceApi);
   registerInboxRoutes(app, sql);
   registerStatsRoutes(app, sql);
   registerArenaRoutes(app, sql);
   registerProviderRoutes(app, sql, config);
+  registerWorktreeSafetyRoutes(app, sql);
+  registerLifecycleRoutes(app, sql);
   registerWebSocket(app, sql, broker);
 
   // Serve static frontend (built web app). In production, the dist/ is

apps/coder/src/routes/__tests__/agent-sessions.routes.test.ts

@@ -0,0 +1,75 @@
+import { describe, it, expect } from 'vitest';
+import Fastify, { type FastifyInstance } from 'fastify';
+import { registerAgentSessionRoutes } from '../agent-sessions.js';
+import type { Sql } from '../../db.js';
+
+// Mock the porsager surface this route uses: a tagged-template `sql` dispatched by
+// query substring. Two queries: the session-existence check and the agent_sessions
+// JOIN. We return post-coercion shapes (booleans/strings) exactly as porsager would
+// hand them to the route — `has_session` already a JS boolean, `last_active_at` a
+// string|null — so the asserted JSON matches the API contract end-to-end.
+interface MockState {
+  sessionExists: boolean;
+  rows: Array<{ agent: string; status: string; has_session: boolean; last_active_at: string | null }>;
+}
+
+function mockSql(state: MockState): Sql {
+  return ((strings: TemplateStringsArray) => {
+    const q = strings.join('');
+    if (q.includes('SELECT id FROM sessions')) {
+      return Promise.resolve(state.sessionExists ? [{ id: 'session-1' }] : []);
+    }
+    if (q.includes('FROM agent_sessions')) {
+      return Promise.resolve(state.rows);
+    }
+    return Promise.resolve([]);
+  }) as unknown as Sql;
+}
+
+function buildApp(state: MockState): FastifyInstance {
+  const app = Fastify();
+  registerAgentSessionRoutes(app, mockSql(state));
+  return app;
+}
+
+describe('GET /api/sessions/:id/agent-sessions', () => {
+  it('returns the per-(chat,agent) rows in the contracted shape', async () => {
+    const app = buildApp({
+      sessionExists: true,
+      rows: [
+        { agent: 'opencode', status: 'active', has_session: true, last_active_at: '2026-05-31T12:00:00.000Z' },
+        { agent: 'goose', status: 'idle', has_session: false, last_active_at: null },
+      ],
+    });
+    const res = await app.inject({ method: 'GET', url: '/api/sessions/session-1/agent-sessions' });
+    expect(res.statusCode).toBe(200);
+    const body = res.json();
+    expect(Array.isArray(body)).toBe(true);
+    expect(body).toEqual([
+      { agent: 'opencode', status: 'active', has_session: true, last_active_at: '2026-05-31T12:00:00.000Z' },
+      { agent: 'goose', status: 'idle', has_session: false, last_active_at: null },
+    ]);
+    // Contract field types.
+    expect(typeof body[0].agent).toBe('string');
+    expect(typeof body[0].status).toBe('string');
+    expect(typeof body[0].has_session).toBe('boolean');
+    expect(body[1].last_active_at).toBeNull();
+    await app.close();
+  });
+
+  it('returns an empty array when the session has no agent_sessions rows', async () => {
+    const app = buildApp({ sessionExists: true, rows: [] });
+    const res = await app.inject({ method: 'GET', url: '/api/sessions/session-1/agent-sessions' });
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toEqual([]);
+    await app.close();
+  });
+
+  it('404s when the session does not exist', async () => {
+    const app = buildApp({ sessionExists: false, rows: [] });
+    const res = await app.inject({ method: 'GET', url: '/api/sessions/nope/agent-sessions' });
+    expect(res.statusCode).toBe(404);
+    expect(res.json()).toEqual({ error: 'session not found' });
+    await app.close();
+  });
+});

apps/coder/src/routes/__tests__/providers.routes.test.ts

@@ -0,0 +1,211 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import Fastify, { type FastifyInstance } from 'fastify';
+import { existsSync, readFileSync, writeFileSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { registerProviderRoutes } from '../providers.js';
+import { load } from '../../services/provider-config.js';
+import { loadProviderConfig } from '../../services/provider-config-registry.js';
+import { clearProviderSnapshotCache } from '../../services/provider-snapshot.js';
+import type { Config } from '../../config.js';
+import type { Sql } from '../../db.js';
+
+/** Minimal sql stub: available_agents reads return []. */
+function mockSql(): Sql {
+  return vi.fn((strings: TemplateStringsArray) => {
+    const q = strings.join('');
+    if (q.includes('available_agents')) return Promise.resolve([]);
+    return Promise.resolve([]);
+  }) as unknown as Sql;
+}
+
+let tmpCounter = 0;
+function freshPath(): string {
+  tmpCounter += 1;
+  return join(tmpdir(), `coder-providers-routes-${process.pid}-${tmpCounter}.json`);
+}
+
+function buildApp(providersPath: string): FastifyInstance {
+  const app = Fastify();
+  // Mirror index.ts: tolerate empty JSON bodies.
+  app.removeContentTypeParser(['application/json']);
+  app.addContentTypeParser('application/json', { parseAs: 'string' }, (_req, body, done) => {
+    const str = (body as string) ?? '';
+    if (str.trim().length === 0) return done(null, {});
+    try {
+      done(null, JSON.parse(str));
+    } catch (err) {
+      done(err as Error, undefined);
+    }
+  });
+  const config = {
+    CODER_PROVIDERS_PATH: providersPath,
+    LLAMA_SWAP_URL: 'http://llama-swap.test',
+    PROVIDER_PROBE_TTL_MS: 86_400_000,
+  } as unknown as Config;
+  registerProviderRoutes(app, mockSql(), config);
+  return app;
+}
+
+const JSON_HEADERS = { 'content-type': 'application/json' };
+const createdPaths: string[] = [];
+
+beforeEach(() => {
+  clearProviderSnapshotCache();
+  loadProviderConfig('/nonexistent-coder-providers.json'); // reset registry to built-ins
+  vi.restoreAllMocks();
+  vi.stubGlobal('fetch', vi.fn().mockRejectedValue(new Error('no network in test')));
+});
+
+afterEach(() => {
+  for (const p of createdPaths.splice(0)) {
+    try {
+      rmSync(p, { force: true });
+    } catch {
+      /* ignore */
+    }
+  }
+});
+
+describe('GET /api/providers/config', () => {
+  it('returns the current config file (built-ins-only when missing)', async () => {
+    const path = freshPath();
+    createdPaths.push(path);
+    const app = buildApp(path);
+    const res = await app.inject({ method: 'GET', url: '/api/providers/config' });
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toEqual({ providers: {} });
+    await app.close();
+  });
+
+  it('reflects an existing file', async () => {
+    const path = freshPath();
+    createdPaths.push(path);
+    writeFileSync(path, JSON.stringify({ providers: { goose: { enabled: false } } }));
+    const app = buildApp(path);
+    const res = await app.inject({ method: 'GET', url: '/api/providers/config' });
+    expect(res.json()).toEqual({ providers: { goose: { enabled: false } } });
+    await app.close();
+  });
+});
+
+describe('PATCH /api/providers/config', () => {
+  it('valid patch → 200, writes the merged file (order: validate→save→reload→clear)', async () => {
+    const path = freshPath();
+    createdPaths.push(path);
+    writeFileSync(path, JSON.stringify({ providers: { goose: { label: 'Goose' } } }));
+    const app = buildApp(path);
+
+    const res = await app.inject({
+      method: 'PATCH',
+      url: '/api/providers/config',
+      headers: JSON_HEADERS,
+      payload: JSON.stringify({ providers: { opencode: { enabled: false } } }),
+    });
+
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toMatchObject({ ok: true });
+    // File written + merged (goose untouched, opencode added).
+    const onDisk = load(path);
+    expect(onDisk.providers).toEqual({
+      goose: { label: 'Goose' },
+      opencode: { enabled: false },
+    });
+    await app.close();
+  });
+
+  it('null value deletes the override', async () => {
+    const path = freshPath();
+    createdPaths.push(path);
+    writeFileSync(path, JSON.stringify({ providers: { goose: { enabled: false }, opencode: { enabled: false } } }));
+    const app = buildApp(path);
+
+    const res = await app.inject({
+      method: 'PATCH',
+      url: '/api/providers/config',
+      headers: JSON_HEADERS,
+      payload: JSON.stringify({ providers: { goose: null } }),
+    });
+
+    expect(res.statusCode).toBe(200);
+    expect(load(path).providers).toEqual({ opencode: { enabled: false } });
+    await app.close();
+  });
+
+  it('INVALID body → 422 and the file is NOT written (validate before save)', async () => {
+    const path = freshPath();
+    createdPaths.push(path);
+    const before = JSON.stringify({ providers: { goose: { enabled: true } } });
+    writeFileSync(path, before);
+    const app = buildApp(path);
+
+    const res = await app.inject({
+      method: 'PATCH',
+      url: '/api/providers/config',
+      headers: JSON_HEADERS,
+      payload: JSON.stringify({ providers: { goose: { enabled: 'yes' } } }), // bad type
+    });
+
+    expect(res.statusCode).toBe(422);
+    // File must be byte-for-byte unchanged — nothing written on a 422.
+    expect(readFileSync(path, 'utf8')).toBe(before);
+    await app.close();
+  });
+
+  it('save failure → 500 and the file is NOT created (no state divergence)', async () => {
+    const path = join(tmpdir(), `no-such-dir-${process.pid}-${Date.now()}`, 'coder-providers.json');
+    const app = buildApp(path);
+
+    const res = await app.inject({
+      method: 'PATCH',
+      url: '/api/providers/config',
+      headers: JSON_HEADERS,
+      payload: JSON.stringify({ providers: { goose: { enabled: false } } }),
+    });
+
+    expect(res.statusCode).toBe(500);
+    expect(existsSync(path)).toBe(false);
+    await app.close();
+  });
+});
+
+describe('POST /api/providers/refresh', () => {
+  it('no body → refreshes all registered providers', async () => {
+    const app = buildApp(freshPath());
+    const res = await app.inject({ method: 'POST', url: '/api/providers/refresh' });
+    expect(res.statusCode).toBe(200);
+    expect(res.json().refreshed).toBeGreaterThan(0);
+    await app.close();
+  });
+
+  it('subset body → refreshed count reflects only the requested providers', async () => {
+    const app = buildApp(freshPath());
+    const res = await app.inject({
+      method: 'POST',
+      url: '/api/providers/refresh',
+      headers: JSON_HEADERS,
+      payload: JSON.stringify({ providers: ['boocode'] }),
+    });
+    expect(res.statusCode).toBe(200);
+    expect(res.json()).toEqual({ refreshed: 1 });
+    await app.close();
+  });
+});
+
+describe('GET /api/providers/:id/diagnostic', () => {
+  it('known provider → 200 JSON { diagnostic }', async () => {
+    const app = buildApp(freshPath());
+    const res = await app.inject({ method: 'GET', url: '/api/providers/boocode/diagnostic' });
+    expect(res.statusCode).toBe(200);
+    expect(res.headers['content-type']).toContain('application/json');
+    expect(res.json().diagnostic).toContain('provider: boocode');
+    await app.close();
+  });
+
+  it('unknown provider → 404', async () => {
+    const app = buildApp(freshPath());
+    const res = await app.inject({ method: 'GET', url: '/api/providers/nope/diagnostic' });
+    expect(res.statusCode).toBe(404);
+    await app.close();
+  });
+});

apps/coder/src/routes/agent-sessions.ts

@@ -0,0 +1,51 @@
+import type { FastifyInstance } from 'fastify';
+import type { Sql } from '../db.js';
+
+// v2.6 Phase 1-UX (design §9b): chat-scoped "resumed vs new session" indicator.
+// `agent_sessions` is keyed (chat_id, agent) — the tab/chat is the agent-context
+// unit (P1.5-b). The route param is a SESSION id, so we resolve every chat in the
+// session and return the union of their agent_sessions rows. A session with two
+// opencode tabs yields two rows (one per chat); the frontend keys the chip per
+// chat, but the wire shape is a flat per-(chat,agent) list.
+//
+// has_session = agent_session_id IS NOT NULL — i.e. a native backend session id
+// (opencode/ACP) was created and stored, so switching back resumes rather than
+// starts fresh.
+export interface AgentSessionRow {
+  agent: string;
+  status: string;
+  has_session: boolean;
+  last_active_at: string | null;
+}
+
+export function registerAgentSessionRoutes(app: FastifyInstance, sql: Sql): void {
+  // GET /api/sessions/:sessionId/agent-sessions — list the agent-session rows for
+  // every chat in the session (drives the AgentComposerBar resumed/new chip).
+  app.get<{ Params: { sessionId: string } }>(
+    '/api/sessions/:sessionId/agent-sessions',
+    async (req, reply) => {
+      const sessionId = req.params.sessionId;
+
+      const session = await sql<{ id: string }[]>`SELECT id FROM sessions WHERE id = ${sessionId}`;
+      if (session.length === 0) {
+        reply.code(404);
+        return { error: 'session not found' };
+      }
+
+      // Join through chats so the session-scoped param resolves to its (chat,agent)
+      // rows. last_active_at first → the frontend reads the freshest activity.
+      const rows = await sql<AgentSessionRow[]>`
+        SELECT
+          a.agent AS agent,
+          a.status AS status,
+          (a.agent_session_id IS NOT NULL) AS has_session,
+          a.last_active_at AS last_active_at
+        FROM agent_sessions a
+        JOIN chats c ON c.id = a.chat_id
+        WHERE c.session_id = ${sessionId}
+        ORDER BY a.last_active_at DESC NULLS LAST, a.agent ASC
+      `;
+      return rows;
+    },
+  );
+}

apps/coder/src/routes/checkpoints.ts

@@ -0,0 +1,73 @@
+/**
+ * write-edit-robustness #4 — checkpoint restore + list routes (coder side).
+ *
+ * Proxied through the apps/server `/api/coder/*` blanket forwarder (no server-side
+ * change needed for new routes). Restore rewinds the session worktree to the
+ * checkpoint's shadow commit, trims the transcript from the anchor message forward,
+ * and resets the agent backend — see services/checkpoints.ts.
+ */
+import type { FastifyInstance } from 'fastify';
+import type { Sql } from '../db.js';
+import { restoreCheckpoint, CheckpointNotFoundError } from '../services/checkpoints.js';
+
+export function registerCheckpointRoutes(app: FastifyInstance, sql: Sql): void {
+  // GET /api/sessions/:sessionId/checkpoints?chat_id= — list a chat's checkpoints
+  // so the frontend can mark which messages have a restore point. When chat_id is
+  // omitted, returns every checkpoint for the session's chats.
+  app.get<{ Params: { sessionId: string }; Querystring: { chat_id?: string } }>(
+    '/api/sessions/:sessionId/checkpoints',
+    async (req, reply) => {
+      const sessionId = req.params.sessionId;
+      const chatId = req.query.chat_id;
+
+      const session = await sql<{ id: string }[]>`SELECT id FROM sessions WHERE id = ${sessionId}`;
+      if (session.length === 0) {
+        reply.code(404);
+        return { error: 'session not found' };
+      }
+
+      // Scope authoritatively through chats.session_id (always set) — NOT the
+      // denormalized checkpoints.session_id (nullable). The chat_id branch must
+      // still be session-gated or it's an IDOR (any session's chat_id reads its
+      // checkpoints).
+      const rows = chatId
+        ? await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
+            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
+            FROM checkpoints cp
+            JOIN chats c ON c.id = cp.chat_id
+            WHERE cp.chat_id = ${chatId} AND c.session_id = ${sessionId}
+            ORDER BY cp.created_at
+          `
+        : await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
+            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
+            FROM checkpoints cp
+            JOIN chats c ON c.id = cp.chat_id
+            WHERE c.session_id = ${sessionId}
+            ORDER BY cp.created_at
+          `;
+      return rows;
+    },
+  );
+
+  // POST /api/sessions/:sessionId/checkpoints/:checkpointId/restore — restore.
+  app.post<{ Params: { sessionId: string; checkpointId: string } }>(
+    '/api/sessions/:sessionId/checkpoints/:checkpointId/restore',
+    async (req, reply) => {
+      const { sessionId, checkpointId } = req.params;
+
+      try {
+        const result = await restoreCheckpoint(sql, checkpointId, {
+          sessionId,
+          log: app.log,
+        });
+        return result;
+      } catch (err) {
+        if (err instanceof CheckpointNotFoundError) {
+          reply.code(404);
+          return { error: err.message };
+        }
+        throw err;
+      }
+    },
+  );
+}

apps/coder/src/routes/lifecycle.ts

@@ -0,0 +1,122 @@
+/**
+ * v2.6 Phase 3 (3.3) — chat/session close-or-archive cleanup hook (coder side).
+ *
+ * Chat/session close + archive + delete all live in apps/server (Docker), which
+ * cannot see the host worktree dirs (/tmp/booworktrees), run git on them, or reach
+ * the warm agent processes the dispatcher pooled in THIS (host systemd) process. So
+ * — exactly like the `worktree-risk` guard — the server signals the coder when a
+ * chat/session closes, and the coder does the real teardown:
+ *   1. dispose the chat's warm-ACP backends (`agentPool.closeChat`) — kills the
+ *      goose/qwen child processes for that chat,
+ *   2. close the chat's opencode session on the shared server (`closeSession`),
+ *   3. mark every `agent_sessions` row for the chat 'closed' + (when the session's
+ *      last open chat closes) remove the shared session worktree, preflighting
+ *      work-at-risk so uncommitted/unmerged work is never silently dropped
+ *      (`closeChatBackendState`).
+ *
+ * Idempotent: closing an already-closed chat is a no-op (0 rows, no backend).
+ *
+ * SERVER WIRING (not done here — apps/server, out of this batch's scope): the
+ * server's `POST /api/chats/:id/archive`, `DELETE /api/chats/:id`, and the
+ * session archive/delete routes should fire-and-forget
+ *   fetch(`${BOOCODER_URL}/api/chats/${id}/close`, { method: 'POST' })
+ * after publishing their WS frame (best-effort; the orphan-worktree reaper +
+ * idle-pool eviction are the backstop if the call is missed).
+ */
+import type { FastifyInstance } from 'fastify';
+import type { Sql } from '../db.js';
+import { agentPool, OPENCODE_POOL_KEY } from '../services/agent-pool.js';
+import { closeChatBackendState } from '../services/worktrees.js';
+import type { AgentSessionHandle } from '../services/agent-backend.js';
+
+export function registerLifecycleRoutes(app: FastifyInstance, sql: Sql): void {
+  // POST /api/chats/:chatId/close — tear down all warm state for a chat tab.
+  app.post<{ Params: { chatId: string }; Querystring: { force?: string } }>(
+    '/api/chats/:chatId/close',
+    async (req) => {
+      const chatId = req.params.chatId;
+      const force = req.query.force === 'true' || req.query.force === '1';
+
+      // 1. Close the chat's opencode session on the SHARED server (the server is
+      //    not chat-keyed, so agentPool.closeChat won't touch it). Resolve the
+      //    stored opencode session id and ask the backend to drop it.
+      const ocRows = await sql<{ agent: string; agent_session_id: string | null; worktree_id: string | null; session_id: string | null }[]>`
+        SELECT agent, agent_session_id, worktree_id, session_id
+        FROM agent_sessions
+        WHERE chat_id = ${chatId} AND backend = 'opencode_server'
+      `;
+      const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
+      if (ocBackend) {
+        for (const row of ocRows) {
+          if (!row.agent_session_id) continue;
+          const handle: AgentSessionHandle = {
+            sessionId: row.session_id ?? '',
+            agent: row.agent,
+            backend: 'opencode_server',
+            chatId,
+            worktreeId: row.worktree_id ?? '',
+            agentSessionId: row.agent_session_id,
+            serverPort: null,
+          };
+          await ocBackend.closeSession(handle).catch((err) => {
+            app.log.warn({ err: err instanceof Error ? err.message : String(err), chatId }, 'lifecycle: opencode closeSession threw');
+          });
+        }
+      }
+
+      // 2. Dispose any warm-ACP backends pooled under this chat (kills the
+      //    goose/qwen child + marks its agent row closed via the backend).
+      const disposed = await agentPool.closeChat(chatId);
+
+      // 3. DB + worktree truth: mark agent rows closed; remove the shared session
+      //    worktree iff this was the session's last open chat (preflight at-risk).
+      const result = await closeChatBackendState(sql, chatId, { force });
+
+      app.log.info({ chatId, disposed, ...result }, 'lifecycle: chat closed');
+      return { ok: true, disposed, ...result };
+    },
+  );
+
+  // POST /api/sessions/:sessionId/close — close every open chat in a session
+  // (session archive/delete). Loops the chat-close path so the same preflight +
+  // teardown applies per chat; the worktree is removed on the last one.
+  app.post<{ Params: { sessionId: string }; Querystring: { force?: string } }>(
+    '/api/sessions/:sessionId/close',
+    async (req) => {
+      const sessionId = req.params.sessionId;
+      const force = req.query.force === 'true' || req.query.force === '1';
+
+      const chats = await sql<{ id: string }[]>`
+        SELECT id FROM chats WHERE session_id = ${sessionId}
+      `;
+      const results: { chatId: string; disposed: string[]; worktreeRemoved: boolean; worktreeAtRisk: boolean }[] = [];
+      for (const c of chats) {
+        const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
+        if (ocBackend) {
+          const ocRows = await sql<{ agent: string; agent_session_id: string | null; worktree_id: string | null; session_id: string | null }[]>`
+            SELECT agent, agent_session_id, worktree_id, session_id
+            FROM agent_sessions WHERE chat_id = ${c.id} AND backend = 'opencode_server'
+          `;
+          for (const row of ocRows) {
+            if (!row.agent_session_id) continue;
+            await ocBackend.closeSession({
+              sessionId: row.session_id ?? '',
+              agent: row.agent,
+              backend: 'opencode_server',
+              chatId: c.id,
+              worktreeId: row.worktree_id ?? '',
+              agentSessionId: row.agent_session_id,
+              serverPort: null,
+            }).catch(() => {});
+          }
+        }
+        const disposed = await agentPool.closeChat(c.id);
+        const r = await closeChatBackendState(sql, c.id, { force });
+        results.push({ chatId: c.id, disposed, worktreeRemoved: r.worktreeRemoved, worktreeAtRisk: r.worktreeAtRisk });
+      }
+
+      app.log.info({ sessionId, chats: results.length }, 'lifecycle: session closed');
+      return { ok: true, results };
+    },
+  );
+}

apps/coder/src/routes/messages.ts

@@ -224,8 +224,8 @@ export function registerMessageRoutes(
         // External provider: create a task for the dispatcher
         const projectId = sessionRows[0]!.project_id;
         const [task] = await sql<{ id: string; state: string }[]>`
-          INSERT INTO tasks (project_id, input, agent, model, mode_id, thinking_option_id, session_id)
-          VALUES (${projectId}, ${content}, ${provider}, ${model ?? null}, ${mode_id ?? null}, ${thinking_option_id ?? null}, ${sessionId})
+          INSERT INTO tasks (project_id, input, agent, model, mode_id, thinking_option_id, session_id, chat_id)
+          VALUES (${projectId}, ${content}, ${provider}, ${model ?? null}, ${mode_id ?? null}, ${thinking_option_id ?? null}, ${sessionId}, ${chatId})
           RETURNING id, state
         `;
         reply.code(202);

apps/coder/src/routes/pending.ts

@@ -10,6 +10,7 @@ import {
   queueCreate,
 } from '../services/pending_changes.js';
 import { WriteGuardError } from '../services/write_guard.js';
+import { rebaselineWorktreeAfterApply } from '../services/worktrees.js';
 
 const CreateBody = z.object({
   file_path: z.string().min(1),
@@ -90,6 +91,8 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
           parsed.data.file_path,
           parsed.data.content,
           projectRoot,
+          // Manual RightRail create — no agent staged it; renders as "manual".
+          null,
         );
         return change;
       } catch (err) {
@@ -115,6 +118,15 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
       }
 
       const results = await applyAll(sql, sessionId, projectRoot);
+
+      // v2.6 Phase 3 (3.5): re-baseline the session worktree's diff to the applied
+      // state, so the next external-agent turn diffs against applied-not-original
+      // and doesn't re-surface the just-applied changes. Best-effort: a worktree
+      // session may not exist (native-only chat), and a re-baseline hiccup must not
+      // fail the apply the user just requested.
+      if (results.some((r) => r.success)) {
+        await rebaselineWorktreeAfterApply(sql, sessionId).catch(() => {});
+      }
       return { results };
     },
   );
@@ -134,6 +146,15 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
       const result = await applyOne(sql, changeId, projectRoot);
       if (!result.success) {
         reply.code(422);
+      } else {
+        // v2.6 Phase 3 (3.5): re-baseline the session worktree after a successful
+        // apply so the next external-agent turn diffs against applied-not-original.
+        // Resolve the change's session; best-effort, never fails the apply.
+        const sessRows = await sql<{ session_id: string }[]>`
+          SELECT session_id FROM pending_changes WHERE id = ${changeId}
+        `;
+        const sessionId = sessRows[0]?.session_id;
+        if (sessionId) await rebaselineWorktreeAfterApply(sql, sessionId).catch(() => {});
       }
       return result;
     },

apps/coder/src/routes/providers.ts

@@ -1,7 +1,29 @@
 import type { FastifyInstance } from 'fastify';
+import { z } from 'zod';
 import type { Sql } from '../db.js';
 import type { Config } from '../config.js';
-import { getProviderSnapshot, clearProviderSnapshotCache } from '../services/provider-snapshot.js';
+import {
+  getProviderSnapshot,
+  clearProviderSnapshotCache,
+  peekSnapshotEntry,
+} from '../services/provider-snapshot.js';
+import {
+  load,
+  save,
+  CoderProvidersFileSchema,
+  ProviderConfigPatchSchema,
+  mergeProviderConfigPatch,
+} from '../services/provider-config.js';
+import {
+  reloadProviderConfig,
+  getResolvedRegistry,
+} from '../services/provider-config-registry.js';
+import {
+  getProviderDiagnostic,
+  type DiagnosticAgentRow,
+} from '../services/provider-diagnostic.js';
+
+const RefreshBodySchema = z.object({ providers: z.array(z.string()).optional() });
 
 export function registerProviderRoutes(app: FastifyInstance, sql: Sql, config: Config): void {
   app.get<{ Querystring: { cwd?: string } }>('/api/providers/snapshot', async (req, _reply) => {
@@ -9,9 +31,97 @@ export function registerProviderRoutes(app: FastifyInstance, sql: Sql, config: C
     return getProviderSnapshot(sql, config, cwd);
   });
 
-  app.post('/api/providers/refresh', async (_req, _reply) => {
-    clearProviderSnapshotCache();
-    const entries = await getProviderSnapshot(sql, config, undefined, true);
-    return { refreshed: entries.length };
+  // 4.1 — current loaded config file (raw CoderProvidersFile, not the resolved registry).
+  app.get('/api/providers/config', async (_req, _reply) => {
+    return load(config.CODER_PROVIDERS_PATH);
+  });
+
+  // 4.2 — patch the config file (design.md §6.2). Strict order is the whole
+  // correctness story: validate → save → reload → clear. A malformed body or an
+  // invalid merged result returns 422 and NEVER writes; a save failure returns
+  // 500 and leaves in-memory state untouched (no file/registry divergence).
+  app.patch('/api/providers/config', async (req, reply) => {
+    // 1. Validate the PATCH body shape (malformed → 422, never reaches merge).
+    const parsed = ProviderConfigPatchSchema.safeParse(req.body);
+    if (!parsed.success) {
+      return reply.code(422).send({
+        error: 'invalid provider config patch',
+        issues: parsed.error.flatten(),
+      });
+    }
+
+    // 2. Shallow per-id merge over the current file (null deletes; object replaces).
+    const current = load(config.CODER_PROVIDERS_PATH);
+    const merged = mergeProviderConfigPatch(current, parsed.data);
+
+    // 3. Validate the merged result — refuse to write a config that won't load.
+    const validated = CoderProvidersFileSchema.safeParse(merged);
+    if (!validated.success) {
+      return reply.code(422).send({
+        error: 'merged provider config is invalid',
+        issues: validated.error.flatten(),
+      });
+    }
+
+    // 4. Persist. If save throws, STOP here — do NOT reload/clear, so the file on
+    // disk and the in-memory resolved registry can never diverge.
+    try {
+      save(config.CODER_PROVIDERS_PATH, validated.data);
+    } catch (err) {
+      req.log.error(
+        { err: err instanceof Error ? err.message : String(err), path: config.CODER_PROVIDERS_PATH },
+        'provider-config: save failed — in-memory state untouched',
+      );
+      return reply.code(500).send({ error: 'failed to write provider config' });
+    }
+
+    // 5 + 6. Rebuild the in-memory resolved registry from the new file, then drop
+    // the snapshot cache so the next /snapshot reflects the change.
+    reloadProviderConfig();
+    clearProviderSnapshotCache();
+
+    // 7. Return the new config (per §6.2 `{ ok: true }`, plus the merged providers
+    // so the client can update without a follow-up GET).
+    return { ok: true, providers: validated.data.providers };
+  });
+
+  // 4.3 — force a cold probe. Optional { providers?: string[] } narrows the
+  // reported subset (design.md §6.3 Paseo pattern). The force=true snapshot is
+  // the only existing re-probe primitive (per-provider force would be a
+  // snapshot-internal change, out of Phase 4 scope), so the probe runs for all
+  // installed providers; the `refreshed` count reflects the requested subset.
+  app.post('/api/providers/refresh', async (req, reply) => {
+    const parsed = RefreshBodySchema.safeParse(req.body ?? {});
+    if (!parsed.success) {
+      return reply.code(422).send({ error: 'invalid refresh body', issues: parsed.error.flatten() });
+    }
+    const subset = parsed.data.providers;
+    clearProviderSnapshotCache();
+    const entries = await getProviderSnapshot(sql, config, undefined, true);
+    const refreshed =
+      subset && subset.length > 0
+        ? entries.filter((e) => subset.includes(e.name)).length
+        : entries.length;
+    return { refreshed };
+  });
+
+  // 4.4 — per-provider diagnostic (design.md §6.4 → JSON `{ diagnostic: string }`).
+  // Read-only: reports cached state (resolved def + available_agents row + warm
+  // snapshot cache for the last probe error) plus a `which` PATH check. No probe
+  // spawn. The report itself is a plaintext block (§8); the route wraps it as JSON.
+  app.get<{ Params: { id: string } }>('/api/providers/:id/diagnostic', async (req, reply) => {
+    const id = req.params.id;
+    const resolved = getResolvedRegistry().get(id);
+    if (!resolved) {
+      return reply.code(404).send({ error: `unknown provider '${id}'` });
+    }
+    const rows = await sql<DiagnosticAgentRow[]>`
+      SELECT name, install_path, supports_acp, models, last_probed_at
+      FROM available_agents WHERE name = ${id}
+    `;
+    const report = await getProviderDiagnostic(resolved, rows[0], {
+      cachedEntry: peekSnapshotEntry(id),
+    });
+    return { diagnostic: report };
   });
 }

apps/coder/src/routes/skills.ts

@@ -91,8 +91,8 @@ export function registerSkillRoutes(
 
         const taskInput = `${body}\n\n---\n\n${userText}`;
         const [task] = await sql<{ id: string; state: string }[]>`
-          INSERT INTO tasks (project_id, input, agent, model, mode_id, thinking_option_id, session_id)
-          VALUES (${sessionRows[0]!.project_id}, ${taskInput}, ${provider}, ${model ?? null}, ${mode_id ?? null}, ${thinking_option_id ?? null}, ${sessionId})
+          INSERT INTO tasks (project_id, input, agent, model, mode_id, thinking_option_id, session_id, chat_id)
+          VALUES (${sessionRows[0]!.project_id}, ${taskInput}, ${provider}, ${model ?? null}, ${mode_id ?? null}, ${thinking_option_id ?? null}, ${sessionId}, ${chatId})
           RETURNING id, state
         `;
         await sql`UPDATE chats SET updated_at = clock_timestamp() WHERE id = ${chatId}`;

apps/coder/src/routes/worktree-safety.ts

@@ -0,0 +1,45 @@
+/**
+ * Session-delete work-loss guard (coder side).
+ *
+ * Session delete itself lives in apps/server (Docker), which CANNOT see the
+ * host worktree dirs (/tmp/booworktrees) or run git on them. Only BooCoder
+ * (host systemd) can. So the server's DELETE route calls these endpoints
+ * pre-delete to learn whether a session's worktree holds work at risk, and to
+ * stash it. The server owns the gate; coder owns the git truth.
+ */
+import type { FastifyInstance } from 'fastify';
+import type { Sql } from '../db.js';
+import { checkWorktreeWorkAtRisk, stashWorktree } from '../services/worktrees.js';
+
+export function registerWorktreeSafetyRoutes(app: FastifyInstance, sql: Sql): void {
+  // GET risk for a session's worktree(s). One row per session today (PK on
+  // session_id); the loop already handles the Phase-1.5 multi-worktree case.
+  app.get<{ Params: { sessionId: string } }>(
+    '/api/sessions/:sessionId/worktree-risk',
+    async (req) => {
+      const rows = await sql<{ worktree_path: string }[]>`
+        SELECT path AS worktree_path FROM worktrees WHERE session_id = ${req.params.sessionId}
+      `;
+      const reports = [];
+      for (const row of rows) {
+        reports.push(await checkWorktreeWorkAtRisk(row.worktree_path));
+      }
+      return { reports };
+    },
+  );
+
+  // Stash a session's worktree(s) — clears the dirty risk; recoverable.
+  app.post<{ Params: { sessionId: string } }>(
+    '/api/sessions/:sessionId/worktree-stash',
+    async (req) => {
+      const rows = await sql<{ worktree_path: string }[]>`
+        SELECT path AS worktree_path FROM worktrees WHERE session_id = ${req.params.sessionId}
+      `;
+      const results = [];
+      for (const row of rows) {
+        results.push({ worktreePath: row.worktree_path, ...(await stashWorktree(row.worktree_path)) });
+      }
+      return { results };
+    },
+  );
+}

apps/coder/src/schema.sql

@@ -76,6 +76,191 @@ ALTER TABLE tasks ADD COLUMN IF NOT EXISTS mode_id TEXT;
 ALTER TABLE tasks ADD COLUMN IF NOT EXISTS thinking_option_id TEXT;
 ALTER TABLE tasks ADD COLUMN IF NOT EXISTS feature_values JSONB;
 
+-- v2.6: one shared worktree per session (all agents/panes in the session operate in it).
+CREATE TABLE IF NOT EXISTS session_worktrees (
+  session_id UUID PRIMARY KEY REFERENCES sessions(id) ON DELETE CASCADE,
+  worktree_path TEXT NOT NULL,
+  base_commit TEXT,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
+);
+-- P1.5-b: DEFANG the CASCADE — a session delete must no longer wipe its worktree
+-- row. This table is SUPERSEDED by `worktrees` below; all readers are repointed
+-- this phase, so the row just persists (dead) on session delete until a later
+-- cleanup drops the table. session_id is this table's PRIMARY KEY, so it cannot be
+-- nullable → SET NULL is invalid and NO ACTION/RESTRICT would block deletes; the
+-- only valid defang is to drop the FK with no replacement. Idempotent: only fires
+-- while the FK is still ON DELETE CASCADE ('c').
+DO $$ BEGIN
+  IF EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'session_worktrees_session_id_fkey'
+      AND confdeltype = 'c'
+  ) THEN
+    ALTER TABLE session_worktrees DROP CONSTRAINT session_worktrees_session_id_fkey;
+  END IF;
+END $$;
+
+-- v2.6: one backend session per (session, agent); resumed on switch-back.
+CREATE TABLE IF NOT EXISTS agent_sessions (
+  session_id UUID NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
+  agent TEXT NOT NULL,
+  backend TEXT NOT NULL,
+  agent_session_id TEXT,
+  server_port INTEGER,
+  status TEXT NOT NULL DEFAULT 'idle',
+  last_active_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp(),
+  PRIMARY KEY (session_id, agent),
+  CONSTRAINT agent_sessions_backend_chk CHECK (backend IN ('opencode_server', 'acp_warm')),
+  CONSTRAINT agent_sessions_status_chk CHECK (status IN ('idle', 'active', 'crashed', 'closed'))
+);
+
+-- Migrate existing agent_sessions FK to CASCADE.
+DO $$ BEGIN
+  IF EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'agent_sessions_session_id_fkey'
+      AND confdeltype <> 'c'
+  ) THEN
+    ALTER TABLE agent_sessions DROP CONSTRAINT agent_sessions_session_id_fkey;
+    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_session_id_fkey
+      FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE CASCADE;
+  END IF;
+END $$;
+
+-- v2.6: config fingerprint for stale-session detection (auto-recover on model change).
+ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS config_hash TEXT;
+
+-- v2.6 Phase 1-UX (U.6): opencode token/cost usage, ACCUMULATED per (chat_id, agent).
+-- opencode's warm server emits `session.next.step.ended` once per LLM step (several
+-- per multi-tool turn) carrying {tokens{input,output,reasoning,cache},cost}. We sum
+-- each step's normalized {input,output,cost} onto the session row — running totals
+-- for the whole conversation context, not last-step. Backend-only; no route/UI yet.
+-- input_tokens folds in cache read+write; output_tokens folds in reasoning (see
+-- backends/opencode-usage.ts). Defaults 0 so accumulation (col + delta) is well-defined.
+ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS input_tokens BIGINT NOT NULL DEFAULT 0;
+ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS output_tokens BIGINT NOT NULL DEFAULT 0;
+ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS cost DOUBLE PRECISION NOT NULL DEFAULT 0;
+
+-- ─── P1.5-b (corrected): worktrees entity + re-key agent_sessions to (chat_id, agent) ───
+-- The TAB (a chat) is the context unit: two opencode tabs in one session = two
+-- independent contexts sharing one worktree. So agent_sessions keys on
+-- (chat_id, agent), NOT (worktree_id, agent) or (session_id, agent). The
+-- `worktrees` table is one-per-session (selectable later) and only referenced
+-- informationally by agent_sessions.worktree_id (SET NULL); chat_id is the key.
+--
+-- PREREQUISITE: the unmigratable test session (35 chats, 1 agent_sessions row that
+-- maps to no single chat) is DELETED before this runs, so agent_sessions is empty
+-- and the chat_id backfill is N/A. If a row with NULL chat_id remains, the verify
+-- gate below RAISEs and aborts — delete the offending session first.
+
+-- worktree as a first-class entity; survives session delete (session_id SET NULL).
+CREATE TABLE IF NOT EXISTS worktrees (
+  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  session_id  UUID REFERENCES sessions(id) ON DELETE SET NULL,
+  project_id  UUID,
+  path        TEXT NOT NULL,
+  branch      TEXT,
+  base_commit TEXT,
+  slug        TEXT,
+  status      TEXT NOT NULL DEFAULT 'active' CHECK (status IN ('active','archived')),
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
+);
+CREATE UNIQUE INDEX IF NOT EXISTS worktrees_active_path_uidx ON worktrees(path) WHERE status='active';
+
+-- Migrate any surviving session_worktrees rows → worktrees (idempotent; 0 rows
+-- after the test-session delete, kept for generality / fresh-DB safety).
+INSERT INTO worktrees (session_id, path, branch, base_commit, status)
+SELECT sw.session_id, sw.worktree_path, 'session-' || sw.session_id, sw.base_commit, 'active'
+FROM session_worktrees sw
+WHERE NOT EXISTS (SELECT 1 FROM worktrees w WHERE w.session_id = sw.session_id AND w.status='active');
+
+-- Dispatch hint: which chat (tab) a task belongs to. The coder message route and
+-- skills route set it from the frontend tab; session-less creators (arena, MCP,
+-- new_task, generic /api/tasks) leave it NULL and the dispatcher creates a chat.
+ALTER TABLE tasks ADD COLUMN IF NOT EXISTS chat_id UUID REFERENCES chats(id) ON DELETE SET NULL;
+
+-- Re-key columns on agent_sessions.
+ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS chat_id UUID;
+ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS worktree_id UUID;
+
+-- BACKFILL-VERIFY GATE: the new PK is (chat_id, agent), so chat_id must be
+-- non-null on every row before the swap. With the test session deleted this is a
+-- 0-row assertion; if any row has NULL chat_id (an unmigratable pre-existing row),
+-- abort loudly rather than create a degenerate (NULL, agent) key.
+DO $$
+DECLARE n int;
+BEGIN
+  SELECT count(*) INTO n FROM agent_sessions WHERE chat_id IS NULL;
+  IF n > 0 THEN
+    RAISE EXCEPTION 'P1.5-b: % agent_sessions row(s) have NULL chat_id — delete the unmigratable session(s) before applying', n;
+  END IF;
+END $$;
+
+-- Swap PK (session_id,agent) → (chat_id,agent) + FKs (run-once, guarded on the new
+-- FK's absence). chat_id CASCADEs from chats (closing a tab ends its context);
+-- worktree_id is informational SET NULL; session_id defanged to nullable SET NULL.
+DO $$ BEGIN
+  IF NOT EXISTS (SELECT 1 FROM pg_constraint WHERE conname = 'agent_sessions_chat_id_fkey') THEN
+    ALTER TABLE agent_sessions DROP CONSTRAINT IF EXISTS agent_sessions_pkey;
+    ALTER TABLE agent_sessions DROP CONSTRAINT IF EXISTS agent_sessions_session_id_fkey;
+    ALTER TABLE agent_sessions ALTER COLUMN session_id DROP NOT NULL;
+    ALTER TABLE agent_sessions ALTER COLUMN chat_id SET NOT NULL;
+    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_pkey PRIMARY KEY (chat_id, agent);
+    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_chat_id_fkey
+      FOREIGN KEY (chat_id) REFERENCES chats(id) ON DELETE CASCADE;
+    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_session_id_fkey
+      FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE SET NULL;
+    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_worktree_id_fkey
+      FOREIGN KEY (worktree_id) REFERENCES worktrees(id) ON DELETE SET NULL;
+  END IF;
+END $$;
+
+-- P1.5-b follow-up: converge agent_sessions.session_id FK CASCADE → SET NULL.
+-- The re-key block above re-adds session_id_fkey as SET NULL, but it is guarded on
+-- chat_id_fkey's ABSENCE — so a DB already re-keyed to (chat_id, agent) while
+-- session_id_fkey was still ON DELETE CASCADE never re-enters that block and stays
+-- 'c'. This standalone guard flips it to SET NULL ('n'), matching worktree_id.
+-- Idempotent (mirrors the session_worktrees defang's confdeltype check): only fires
+-- while the FK is still CASCADE — a no-op on a fresh deploy (already 'n' from the
+-- re-key block) and on every re-run thereafter.
+DO $$ BEGIN
+  IF EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'agent_sessions_session_id_fkey'
+      AND confdeltype = 'c'
+  ) THEN
+    ALTER TABLE agent_sessions ALTER COLUMN session_id DROP NOT NULL;
+    ALTER TABLE agent_sessions DROP CONSTRAINT agent_sessions_session_id_fkey;
+    ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_session_id_fkey
+      FOREIGN KEY (session_id) REFERENCES sessions(id) ON DELETE SET NULL;
+  END IF;
+END $$;
+
+-- v2.6: attribution for DiffPanel badges (Phase 1 UX reads this).
+ALTER TABLE pending_changes ADD COLUMN IF NOT EXISTS agent TEXT;
+
+-- write-edit-robustness #4: worktree checkpoints. A pre-turn shadow-commit of the
+-- session worktree (tracked + untracked, captured without disturbing the real
+-- index/working tree) stored in a private GC-safe ref refs/boocode/checkpoints/<id>.
+-- Created best-effort before each external-agent turn (opencode / warm-ACP / one-shot
+-- ACP+PTY); restore resets the worktree to commit_sha, trims the transcript from
+-- message_id forward, and resets the backend session. chat_id CASCADEs from chats
+-- (like agent_sessions); worktree_id SET NULL so a checkpoint outlives a reaped
+-- worktree row. session_id / message_id are informational (no FK — message rows are
+-- trimmed by a checkpoint restore and we must not block that on a dangling ref).
+CREATE TABLE IF NOT EXISTS checkpoints (
+  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  chat_id     UUID NOT NULL REFERENCES chats(id) ON DELETE CASCADE,
+  session_id  UUID,
+  worktree_id UUID REFERENCES worktrees(id) ON DELETE SET NULL,
+  message_id  UUID,            -- anchor: the assistant turn row this checkpoint precedes
+  commit_sha  TEXT NOT NULL,   -- shadow-commit capturing the pre-turn worktree tree
+  label       TEXT,
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
+);
+CREATE INDEX IF NOT EXISTS checkpoints_chat_created_idx ON checkpoints(chat_id, created_at);
+
 -- LISTEN/NOTIFY fast path: every tasks INSERT (from any call site — routes,
 -- new_task tool, arena, MCP server) fires pg_notify('tasks_new') in the same
 -- transaction, so the dispatcher reacts immediately instead of waiting for the

apps/coder/src/services/__tests__/acp-client-fs.test.ts

@@ -0,0 +1,50 @@
+import { describe, it, expect, afterEach } from 'vitest';
+import { mkdtempSync, rmSync } from 'node:fs';
+import { tmpdir } from 'node:os';
+import { join } from 'node:path';
+import { readWorktreeTextFile, writeWorktreeTextFile } from '../acp-client-fs.js';
+
+const created: string[] = [];
+function freshWorktree(): string {
+  const wt = mkdtempSync(join(tmpdir(), 'acp-wt-'));
+  created.push(wt);
+  return wt;
+}
+afterEach(() => {
+  for (const d of created.splice(0)) {
+    try {
+      rmSync(d, { recursive: true, force: true });
+      rmSync(`${d}-evil`, { recursive: true, force: true });
+    } catch {
+      /* ignore */
+    }
+  }
+});
+
+describe('acp-client-fs worktree scoping', () => {
+  it('writes then reads a file inside the worktree', async () => {
+    const wt = freshWorktree();
+    await writeWorktreeTextFile(wt, 'sub/dir/note.txt', 'hello');
+    expect(await readWorktreeTextFile(wt, 'sub/dir/note.txt')).toBe('hello');
+  });
+
+  it('rejects ../ traversal on read', async () => {
+    const wt = freshWorktree();
+    await expect(readWorktreeTextFile(wt, '../../etc/passwd')).rejects.toThrow(/escapes worktree/);
+  });
+
+  it('rejects ../ traversal on write', async () => {
+    const wt = freshWorktree();
+    await expect(writeWorktreeTextFile(wt, '../escape.txt', 'x')).rejects.toThrow(/escapes worktree/);
+  });
+
+  it('rejects a sibling-prefix path (the unbounded-startsWith bug)', async () => {
+    const wt = freshWorktree();
+    // Absolute path that shares the worktree as a STRING prefix but is a sibling
+    // dir: `<wt>-evil/...`. A bare `startsWith(<wt>)` wrongly admits it.
+    await expect(readWorktreeTextFile(wt, `${wt}-evil/secret.txt`)).rejects.toThrow(/escapes worktree/);
+    await expect(writeWorktreeTextFile(wt, `${wt}-evil/secret.txt`, 'x')).rejects.toThrow(
+      /escapes worktree/,
+    );
+  });
+});

apps/coder/src/services/__tests__/acp-event-map.test.ts

@@ -0,0 +1,110 @@
+import { describe, it, expect } from 'vitest';
+import type { SessionNotification } from '@agentclientprotocol/sdk';
+import { mapSessionUpdate } from '../acp-event-map.js';
+import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
+
+/**
+ * Pure event-mapping shared by the one-shot ACP dispatch (AcpStreamContext) and
+ * the warm ACP backend (Phase 2). Mirrors the original handleSessionUpdate switch
+ * verbatim but returns normalized AgentEvents instead of publishing broker frames.
+ */
+describe('mapSessionUpdate (shared ACP event mapping)', () => {
+  function note(update: SessionNotification['update']): SessionNotification {
+    return { sessionId: 's1', update };
+  }
+
+  it('maps an agent_message_chunk text → a text event', () => {
+    const events = mapSessionUpdate(
+      note({ sessionUpdate: 'agent_message_chunk', content: { type: 'text', text: 'hello' } }),
+    );
+    expect(events).toEqual([{ type: 'text', text: 'hello' }]);
+  });
+
+  it('maps an agent_thought_chunk text → a reasoning event', () => {
+    const events = mapSessionUpdate(
+      note({ sessionUpdate: 'agent_thought_chunk', content: { type: 'text', text: 'thinking' } }),
+    );
+    expect(events).toEqual([{ type: 'reasoning', text: 'thinking' }]);
+  });
+
+  it('ignores non-text content on message/thought chunks', () => {
+    const img = mapSessionUpdate(
+      note({
+        sessionUpdate: 'agent_message_chunk',
+        content: { type: 'image', data: 'x', mimeType: 'image/png' },
+      } as never),
+    );
+    expect(img).toEqual([]);
+  });
+
+  it('maps a tool_call → a tool_call event with a merged snapshot', () => {
+    const events = mapSessionUpdate(
+      note({
+        sessionUpdate: 'tool_call',
+        toolCallId: 't1',
+        title: 'read_file',
+        status: 'pending',
+        rawInput: { path: 'a.ts' },
+      } as never),
+    );
+    expect(events).toHaveLength(1);
+    expect(events[0]!.type).toBe('tool_call');
+    const snap = (events[0] as { type: 'tool_call'; toolCall: AcpToolSnapshot }).toolCall;
+    expect(snap.toolCallId).toBe('t1');
+    expect(snap.title).toBe('read_file');
+    expect(snap.status).toBe('pending');
+    expect(snap.rawInput).toEqual({ path: 'a.ts' });
+  });
+
+  it('maps a tool_call_update → a tool_update event merged over the prior snapshot', () => {
+    const prior = new Map<string, AcpToolSnapshot>([
+      ['t1', { toolCallId: 't1', title: 'read_file', status: 'pending', rawInput: { path: 'a.ts' } }],
+    ]);
+    const events = mapSessionUpdate(
+      note({
+        sessionUpdate: 'tool_call_update',
+        toolCallId: 't1',
+        status: 'completed',
+        rawOutput: 'file body',
+      } as never),
+      prior,
+    );
+    expect(events).toHaveLength(1);
+    expect(events[0]!.type).toBe('tool_update');
+    const snap = (events[0] as { type: 'tool_update'; toolCall: AcpToolSnapshot }).toolCall;
+    expect(snap.toolCallId).toBe('t1');
+    // merged: title carried from prior, status updated, output added, input retained
+    expect(snap.title).toBe('read_file');
+    expect(snap.status).toBe('completed');
+    expect(snap.rawOutput).toBe('file body');
+    expect(snap.rawInput).toEqual({ path: 'a.ts' });
+  });
+
+  it('maps available_commands_update → a commands event', () => {
+    const events = mapSessionUpdate(
+      note({
+        sessionUpdate: 'available_commands_update',
+        availableCommands: [
+          { name: 'plan', description: 'make a plan' },
+          { name: 'review', description: null },
+        ],
+      } as never),
+    );
+    expect(events).toEqual([
+      {
+        type: 'commands',
+        commands: [
+          { name: 'plan', description: 'make a plan' },
+          { name: 'review', description: undefined },
+        ],
+      },
+    ]);
+  });
+
+  it('returns [] for unhandled update kinds (plan, mode change)', () => {
+    expect(mapSessionUpdate(note({ sessionUpdate: 'plan', entries: [] } as never))).toEqual([]);
+    expect(
+      mapSessionUpdate(note({ sessionUpdate: 'current_mode_update', currentModeId: 'code' } as never)),
+    ).toEqual([]);
+  });
+});

apps/coder/src/services/__tests__/agent-pool.test.ts

@@ -0,0 +1,233 @@
+import { describe, it, expect, vi } from 'vitest';
+import { AgentPool, OPENCODE_POOL_KEY } from '../agent-pool.js';
+import type {
+  AgentBackend,
+  AgentSessionHandle,
+  EnsureSessionOpts,
+  PromptCtx,
+  TurnResult,
+} from '../agent-backend.js';
+
+/**
+ * v2.6 Phase 3 — AgentPool lifecycle unit test (T.1). No DB / no child process:
+ * a fake AgentBackend records dispose + reports busy/health, so we exercise
+ * get-or-create, idle eviction, the LRU cap, the busy-never-evict rule, closeChat,
+ * and dispose-drains directly. The pure decisions are covered separately in
+ * backends/__tests__/lifecycle-decisions.test.ts; this verifies the wiring.
+ */
+
+class FakeBackend implements AgentBackend {
+  disposed = 0;
+  closedSessions = 0;
+  private busyFlag = false;
+  tickHealthCalls = 0;
+
+  constructor(public readonly name = 'fake') {}
+
+  setBusy(b: boolean): void {
+    this.busyFlag = b;
+  }
+
+  // — AgentBackend —
+  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
+    return {
+      sessionId,
+      agent: opts.agent,
+      backend: 'acp_warm',
+      chatId: opts.chatId,
+      worktreeId: opts.worktreeId,
+      agentSessionId: 'fake-session',
+      serverPort: null,
+    };
+  }
+  async prompt(_h: AgentSessionHandle, _input: string, _ctx: PromptCtx): Promise<TurnResult> {
+    return { ok: true };
+  }
+  async closeSession(): Promise<void> {
+    this.closedSessions++;
+  }
+  async dispose(): Promise<void> {
+    this.disposed++;
+  }
+  health(): 'up' | 'down' {
+    return 'up';
+  }
+  isBusy(): boolean {
+    return this.busyFlag;
+  }
+  async tickHealth(): Promise<void> {
+    this.tickHealthCalls++;
+  }
+}
+
+describe('AgentPool — get/register/touch (3.1)', () => {
+  it('register then get returns the same backend', () => {
+    const pool = new AgentPool();
+    const b = new FakeBackend();
+    pool.register('chat-1', 'goose', b);
+    expect(pool.get('chat-1', 'goose')).toBe(b);
+    expect(pool.get('chat-1', 'qwen')).toBeUndefined();
+  });
+
+  it('peek does NOT exist for a missing key', () => {
+    const pool = new AgentPool();
+    expect(pool.peek('nope', 'goose')).toBeUndefined();
+  });
+
+  it('health reports size + busy count', () => {
+    const pool = new AgentPool();
+    const a = new FakeBackend();
+    const b = new FakeBackend();
+    b.setBusy(true);
+    pool.register('c1', 'goose', a);
+    pool.register('c2', 'qwen', b);
+    expect(pool.health()).toEqual({ size: 2, busy: 1 });
+  });
+});
+
+describe('AgentPool.sweep — idle TTL eviction (3.1)', () => {
+  it('evicts an idle backend past the TTL and disposes it', async () => {
+    const pool = new AgentPool({ idleTtlMs: 1_000, maxLive: 100 });
+    const b = new FakeBackend();
+    pool.register('c1', 'goose', b);
+    // Sweep with now far past the registration → idle → evicted.
+    const { evicted } = await pool.sweep(Date.now() + 10_000);
+    expect(evicted).toEqual(['c1:goose']);
+    expect(b.disposed).toBe(1);
+    expect(pool.get('c1', 'goose')).toBeUndefined();
+  });
+
+  it('never evicts a busy backend even past the TTL', async () => {
+    const pool = new AgentPool({ idleTtlMs: 1_000, maxLive: 100 });
+    const b = new FakeBackend();
+    b.setBusy(true);
+    pool.register('c1', 'goose', b);
+    const { evicted } = await pool.sweep(Date.now() + 10_000);
+    expect(evicted).toEqual([]);
+    expect(b.disposed).toBe(0);
+    expect(pool.get('c1', 'goose')).toBe(b);
+  });
+
+  it('touch keeps a backend warm so the TTL measures from the last turn', async () => {
+    const pool = new AgentPool({ idleTtlMs: 5_000, maxLive: 100 });
+    const b = new FakeBackend();
+    pool.register('c1', 'goose', b);
+    const base = Date.now();
+    // 4s later, touch — resets activity. A sweep at +6s from base is only +2s from
+    // the touch → still within TTL → not evicted.
+    vi.spyOn(Date, 'now').mockReturnValue(base + 4_000);
+    pool.touch('c1', 'goose');
+    vi.restoreAllMocks();
+    const { evicted } = await pool.sweep(base + 6_000);
+    expect(evicted).toEqual([]);
+  });
+});
+
+describe('AgentPool.sweep — LRU cap (3.4)', () => {
+  it('evicts the least-recently-used beyond the cap', async () => {
+    const pool = new AgentPool({ idleTtlMs: 1_000_000, maxLive: 2 });
+    const base = 1_000_000;
+    const mk = (key: string, regAt: number) => {
+      vi.spyOn(Date, 'now').mockReturnValue(regAt);
+      const b = new FakeBackend(key);
+      const [chat, agent] = key.split(':');
+      pool.register(chat!, agent!, b);
+      vi.restoreAllMocks();
+      return b;
+    };
+    const a = mk('c1:goose', base + 100);
+    const b = mk('c2:goose', base + 300);
+    const c = mk('c3:goose', base + 200);
+    // 3 entries, cap 2, all within idle TTL → LRU (oldest = a@+100) evicted.
+    const { evicted } = await pool.sweep(base + 1_000);
+    expect(evicted).toEqual(['c1:goose']);
+    expect(a.disposed).toBe(1);
+    expect(b.disposed).toBe(0);
+    expect(c.disposed).toBe(0);
+  });
+});
+
+describe('AgentPool.sweep — proactive health probe (3.2)', () => {
+  it('drives each backend tickHealth before eviction', async () => {
+    const pool = new AgentPool({ idleTtlMs: 1_000_000, maxLive: 100 });
+    const b = new FakeBackend();
+    pool.register('c1', 'opencode', b);
+    await pool.sweep(Date.now());
+    expect(b.tickHealthCalls).toBe(1);
+  });
+});
+
+describe('AgentPool.closeChat — chat-close teardown (3.3)', () => {
+  it('disposes only the matching chat keys, leaving others + the shared server', async () => {
+    const pool = new AgentPool();
+    const goose = new FakeBackend('goose');
+    const qwen = new FakeBackend('qwen');
+    const other = new FakeBackend('other-chat');
+    const ocServer = new FakeBackend('opencode-server');
+    pool.register('chat-1', 'goose', goose);
+    pool.register('chat-1', 'qwen', qwen);
+    pool.register('chat-2', 'goose', other);
+    pool.register(OPENCODE_POOL_KEY, 'opencode', ocServer);
+
+    const removed = await pool.closeChat('chat-1');
+    expect(removed.sort()).toEqual(['chat-1:goose', 'chat-1:qwen']);
+    expect(goose.disposed).toBe(1);
+    expect(qwen.disposed).toBe(1);
+    // other chat + shared opencode server untouched.
+    expect(other.disposed).toBe(0);
+    expect(ocServer.disposed).toBe(0);
+    expect(pool.peek('chat-2', 'goose')).toBe(other);
+    expect(pool.peek(OPENCODE_POOL_KEY, 'opencode')).toBe(ocServer);
+  });
+
+  it('does not dispose a busy backend on closeChat', async () => {
+    const pool = new AgentPool();
+    const b = new FakeBackend();
+    b.setBusy(true);
+    pool.register('chat-1', 'goose', b);
+    const removed = await pool.closeChat('chat-1');
+    expect(removed).toEqual([]);
+    expect(b.disposed).toBe(0);
+  });
+
+  it('does not match a chat id that is a prefix of another', async () => {
+    // 'chat-1' must not match 'chat-10' — keys are `${chatId}:${agent}` so the
+    // colon delimiter prevents the prefix collision.
+    const pool = new AgentPool();
+    const a = new FakeBackend();
+    const b = new FakeBackend();
+    pool.register('chat-1', 'goose', a);
+    pool.register('chat-10', 'goose', b);
+    await pool.closeChat('chat-1');
+    expect(a.disposed).toBe(1);
+    expect(b.disposed).toBe(0);
+    expect(pool.peek('chat-10', 'goose')).toBe(b);
+  });
+});
+
+describe('AgentPool.dispose — drain all (T.1)', () => {
+  it('disposes every backend and clears the map', async () => {
+    const pool = new AgentPool();
+    const a = new FakeBackend();
+    const b = new FakeBackend();
+    pool.register('c1', 'goose', a);
+    pool.register('c2', 'qwen', b);
+    await pool.dispose();
+    expect(a.disposed).toBe(1);
+    expect(b.disposed).toBe(1);
+    expect(pool.health()).toEqual({ size: 0, busy: 0 });
+  });
+
+  it('tolerates a backend whose dispose throws', async () => {
+    const pool = new AgentPool();
+    const good = new FakeBackend();
+    const bad = new FakeBackend();
+    bad.dispose = async () => {
+      throw new Error('boom');
+    };
+    pool.register('c1', 'goose', bad);
+    pool.register('c2', 'qwen', good);
+    await expect(pool.dispose()).resolves.toBeUndefined();
+    expect(good.disposed).toBe(1);
+  });
+});

apps/coder/src/services/__tests__/checkpoints.test.ts

@@ -0,0 +1,252 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { rm, mkdir } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import postgres from 'postgres';
+import {
+  buildShadowCommitCommand,
+  createCheckpoint,
+  restoreCheckpoint,
+  CheckpointNotFoundError,
+} from '../checkpoints.js';
+import { ensureSessionWorktree } from '../worktrees.js';
+import { hostExec } from '../host-exec.js';
+
+/**
+ * write-edit-robustness #4 — worktree checkpoint tests.
+ *
+ * Pure-helper coverage (no DB / no host) for the shadow-commit command builder,
+ * plus a DB+git integration block (DB-opt-in via DATABASE_URL, skips cleanly
+ * otherwise; mirrors reconnect_integration.test.ts) that exercises the real
+ * create → restore round trip against a worktree on the host fs.
+ */
+
+describe('buildShadowCommitCommand (pure)', () => {
+  it('parks the commit under refs/boocode/checkpoints/<id> and prints only the SHA', () => {
+    const cmd = buildShadowCommitCommand('/tmp/booworktrees/sess-abc', 'cp-id-123');
+    // Uses a temp index so the real working tree/index is untouched.
+    expect(cmd).toContain('TMP=$(mktemp)');
+    expect(cmd).toContain('GIT_INDEX_FILE="$TMP" git read-tree HEAD');
+    expect(cmd).toContain('GIT_INDEX_FILE="$TMP" git add -A');
+    expect(cmd).toContain('git write-tree');
+    expect(cmd).toContain("git commit-tree \"$TREE\" -p HEAD -m \"boocode checkpoint\"");
+    // Ref name matches the row id, and stdout is ONLY the SHA (printf, no newline).
+    expect(cmd).toContain("update-ref 'refs/boocode/checkpoints/cp-id-123'");
+    expect(cmd).toContain("printf '%s' \"$SHA\"");
+    expect(cmd).not.toContain('echo "$SHA"');
+  });
+
+  it('shell-escapes the worktree path and the id', () => {
+    const cmd = buildShadowCommitCommand("/tmp/it's a path", "id'; rm -rf /");
+    // Single quotes inside the path/id are escaped via the '\'' wrapping idiom — no
+    // bare interpolation that could break out of the quoting.
+    expect(cmd).toContain("cd '/tmp/it'\\''s a path'");
+    expect(cmd).toContain("refs/boocode/checkpoints/id'\\''; rm -rf /");
+  });
+});
+
+describe.runIf(!!process.env.DATABASE_URL)('checkpoint create + restore (DB + git)', () => {
+  let sql: ReturnType<typeof postgres>;
+  const stamp = Date.now();
+  const projectDir = `/tmp/boocode-checkpoint-proj-${stamp}`;
+  let projectId: string;
+  let sessionId: string;
+  let chatId: string;
+  let worktreePath: string;
+
+  beforeAll(async () => {
+    sql = postgres(process.env.DATABASE_URL!, { max: 3 });
+
+    // Server schema first (FK targets), then coder schema (worktrees + checkpoints).
+    const serverSchema = resolve(__dirname, '../../../../server/src/schema.sql');
+    const coderSchema = resolve(__dirname, '../../schema.sql');
+    await sql.unsafe(readFileSync(serverSchema, 'utf8'));
+    await sql.unsafe(readFileSync(coderSchema, 'utf8'));
+
+    await mkdir(projectDir, { recursive: true });
+    await hostExec(
+      `cd ${projectDir} && git init -q && git config user.email t@t && git config user.name t ` +
+        `&& echo hello > README.md && git add -A && git commit -qm init`,
+      { timeoutMs: 20_000 },
+    );
+
+    const [project] = await sql<{ id: string }[]>`
+      INSERT INTO projects (name, path, status) VALUES ('checkpoint-test', ${projectDir}, 'open') RETURNING id
+    `;
+    projectId = project!.id;
+    const [session] = await sql<{ id: string }[]>`
+      INSERT INTO sessions (project_id, name, model, status)
+      VALUES (${projectId}, 'cp', 'm', 'open') RETURNING id
+    `;
+    sessionId = session!.id;
+    const [chat] = await sql<{ id: string }[]>`
+      INSERT INTO chats (session_id, name, status) VALUES (${sessionId}, 'tab', 'open') RETURNING id
+    `;
+    chatId = chat!.id;
+
+    const wt = await ensureSessionWorktree(sql, projectDir, sessionId);
+    worktreePath = wt.worktreePath;
+  });
+
+  afterAll(async () => {
+    if (sql) {
+      const rows = await sql<{ path: string }[]>`SELECT path FROM worktrees WHERE session_id = ${sessionId}`.catch(() => []);
+      for (const r of rows) {
+        await hostExec(`git -C ${projectDir} worktree remove ${r.path} --force`, { timeoutMs: 10_000 }).catch(() => {});
+      }
+      await sql`DELETE FROM checkpoints WHERE chat_id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM agent_sessions WHERE chat_id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM worktrees WHERE session_id = ${sessionId}`.catch(() => {});
+      await sql`DELETE FROM chats WHERE id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM sessions WHERE id = ${sessionId}`.catch(() => {});
+      await sql`DELETE FROM projects WHERE id = ${projectId}`.catch(() => {});
+      await sql.end({ timeout: 5 });
+    }
+    await rm(projectDir, { recursive: true, force: true });
+  });
+
+  it('createCheckpoint inserts a row + a private ref capturing tracked + untracked', async () => {
+    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    const worktreeId = wt!.id;
+
+    // Pre-turn untracked + tracked-edit state the agent will start from.
+    await hostExec(`cd ${worktreePath} && echo edited >> README.md && echo new > extra.txt`, { timeoutMs: 10_000 });
+
+    const [assistantMsg] = await sql<{ id: string }[]>`
+      INSERT INTO messages (session_id, chat_id, role, content, status)
+      VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming') RETURNING id
+    `;
+    const messageId = assistantMsg!.id;
+
+    const cp = await createCheckpoint(sql, {
+      chatId,
+      sessionId,
+      worktreeId,
+      worktreePath,
+      messageId,
+    });
+    expect(cp).not.toBeNull();
+    expect(cp!.commit_sha).toMatch(/^[0-9a-f]{40}$/);
+
+    const [row] = await sql<{ commit_sha: string; worktree_id: string; message_id: string }[]>`
+      SELECT commit_sha, worktree_id, message_id FROM checkpoints WHERE id = ${cp!.id}
+    `;
+    expect(row!.commit_sha).toBe(cp!.commit_sha);
+    expect(row!.worktree_id).toBe(worktreeId);
+    expect(row!.message_id).toBe(messageId);
+
+    // The ref exists and the captured tree carries the untracked file (proves the
+    // temp-index `git add -A` snapshotted untracked content).
+    const refLs = await hostExec(
+      `git -C ${worktreePath} ls-tree -r --name-only ${cp!.commit_sha}`,
+      { timeoutMs: 10_000 },
+    );
+    expect(refLs.exitCode).toBe(0);
+    expect(refLs.stdout).toContain('extra.txt');
+
+    // The shadow commit did NOT disturb the real working tree: extra.txt is still
+    // present + still untracked (status shows it).
+    const status = await hostExec(`git -C ${worktreePath} status --porcelain`, { timeoutMs: 10_000 });
+    expect(status.stdout).toContain('extra.txt');
+  });
+
+  it('restoreCheckpoint resets the worktree, trims the transcript, and drops later checkpoints', async () => {
+    // Clean slate for this test: reset the worktree to HEAD, clear prior rows.
+    await hostExec(`git -C ${worktreePath} reset --hard HEAD && git -C ${worktreePath} clean -fd`, { timeoutMs: 10_000 });
+    await sql`DELETE FROM checkpoints WHERE chat_id = ${chatId}`;
+    await sql`DELETE FROM messages WHERE chat_id = ${chatId}`;
+
+    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    const worktreeId = wt!.id;
+
+    // Turn 1: a user msg, then the assistant turn the checkpoint anchors. The
+    // worktree is pristine (matches HEAD) when this checkpoint is captured.
+    await sql`INSERT INTO messages (session_id, chat_id, role, content, status) VALUES (${sessionId}, ${chatId}, 'user', 'do it', 'complete')`;
+    const [a1] = await sql<{ id: string }[]>`
+      INSERT INTO messages (session_id, chat_id, role, content, status)
+      VALUES (${sessionId}, ${chatId}, 'assistant', 'turn 1', 'complete') RETURNING id
+    `;
+    const cp1 = await createCheckpoint(sql, { chatId, sessionId, worktreeId, worktreePath, messageId: a1!.id });
+    expect(cp1).not.toBeNull();
+
+    // The agent (turn 1) writes a file into the worktree.
+    await hostExec(`cd ${worktreePath} && echo agent-wrote > agent.txt`, { timeoutMs: 10_000 });
+
+    // Turn 2: another user msg + assistant turn, AND a second (later) checkpoint.
+    await sql`INSERT INTO messages (session_id, chat_id, role, content, status) VALUES (${sessionId}, ${chatId}, 'user', 'more', 'complete')`;
+    const [a2] = await sql<{ id: string }[]>`
+      INSERT INTO messages (session_id, chat_id, role, content, status)
+      VALUES (${sessionId}, ${chatId}, 'assistant', 'turn 2', 'complete') RETURNING id
+    `;
+    const cp2 = await createCheckpoint(sql, { chatId, sessionId, worktreeId, worktreePath, messageId: a2!.id });
+    expect(cp2).not.toBeNull();
+
+    // An agent_sessions row that restore should mark 'crashed'.
+    await sql`
+      INSERT INTO agent_sessions (chat_id, session_id, worktree_id, agent, backend, agent_session_id, status, last_active_at)
+      VALUES (${chatId}, ${sessionId}, ${worktreeId}, 'goose', 'acp_warm', 'sess-1', 'active', clock_timestamp())
+      ON CONFLICT (chat_id, agent) DO UPDATE SET status = 'active'
+    `;
+
+    const before = await sql<{ id: string }[]>`SELECT id FROM messages WHERE chat_id = ${chatId} ORDER BY created_at`;
+    expect(before.length).toBe(4); // user, a1, user, a2
+
+    // Restore to cp1 (before turn 1's assistant message).
+    const result = await restoreCheckpoint(sql, cp1!.id, { sessionId });
+    expect(result.checkpoint_id).toBe(cp1!.id);
+    expect(result.worktree_reset).toBe(true);
+    expect(result.backend_reset).toBe(true);
+    // a1, user(turn2), a2 deleted (created_at >= a1) → 3 trimmed.
+    expect(result.messages_deleted).toBe(3);
+
+    // Transcript trimmed to just the first user message.
+    const after = await sql<{ role: string; content: string }[]>`SELECT role, content FROM messages WHERE chat_id = ${chatId} ORDER BY created_at`;
+    expect(after.length).toBe(1);
+    expect(after[0]!.role).toBe('user');
+
+    // Worktree reset: the agent's file is gone (it was written after cp1).
+    const ls = await hostExec(`ls ${worktreePath}/agent.txt`, { timeoutMs: 10_000 });
+    expect(ls.exitCode).not.toBe(0);
+
+    // The agent_sessions row was reset to 'crashed'.
+    const [as] = await sql<{ status: string }[]>`SELECT status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'goose'`;
+    expect(as!.status).toBe('crashed');
+
+    // cp1 survives (re-restorable); cp2 (later) was dropped.
+    const cps = await sql<{ id: string }[]>`SELECT id FROM checkpoints WHERE chat_id = ${chatId}`;
+    expect(cps.map((c) => c.id)).toEqual([cp1!.id]);
+  });
+
+  it('restoreCheckpoint throws CheckpointNotFoundError for an unknown id', async () => {
+    await expect(
+      restoreCheckpoint(sql, '00000000-0000-0000-0000-000000000000', { sessionId }),
+    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
+  });
+
+  it('restoreCheckpoint throws when the checkpoint is not in the requested session', async () => {
+    // A checkpoint whose session_id differs from the route's sessionId.
+    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    const cp = await createCheckpoint(sql, { chatId, sessionId, worktreeId: wt!.id, worktreePath, messageId: null });
+    expect(cp).not.toBeNull();
+    await expect(
+      restoreCheckpoint(sql, cp!.id, { sessionId: '11111111-1111-1111-1111-111111111111' }),
+    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
+    await sql`DELETE FROM checkpoints WHERE id = ${cp!.id}`;
+  });
+
+  it('restoreCheckpoint denies a NULL-session_id checkpoint from another session (no fail-open IDOR)', async () => {
+    // Regression for the fail-open authorization bug: a checkpoint row whose
+    // denormalized session_id is NULL must STILL be scoped via its chat's owning
+    // session (chats.session_id), not skipped. The old guard `cp.session_id &&
+    // cp.session_id !== sessionId` fell through on NULL → cross-session restore.
+    const [row] = await sql<{ id: string }[]>`
+      INSERT INTO checkpoints (chat_id, session_id, message_id, commit_sha)
+      VALUES (${chatId}, NULL, NULL, 'deadbeef')
+      RETURNING id
+    `;
+    await expect(
+      restoreCheckpoint(sql, row!.id, { sessionId: '22222222-2222-2222-2222-222222222222' }),
+    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
+    await sql`DELETE FROM checkpoints WHERE id = ${row!.id}`;
+  });
+});

apps/coder/src/services/__tests__/dcp-strip.test.ts

@@ -0,0 +1,73 @@
+import { describe, it, expect } from 'vitest';
+import { stripDcpTags, makeDcpStreamStripper } from '../dcp-strip.js';
+
+// Feed chunks through a fresh stripper and return the fully reassembled output
+// (everything emitted during streaming + the final flush) — i.e. what the
+// dispatcher would accumulate into the persisted message content.
+function run(chunks: string[]): string {
+  const s = makeDcpStreamStripper();
+  let out = '';
+  for (const c of chunks) out += s.push(c);
+  out += s.flush();
+  return out;
+}
+
+describe('stripDcpTags (one-shot)', () => {
+  it('removes a complete tag', () => {
+    expect(stripDcpTags('Yes — "Test".\n\n<dcp-message-id>m0019</dcp-message-id>')).toBe(
+      'Yes — "Test".\n\n',
+    );
+  });
+  it('leaves text without a tag untouched', () => {
+    expect(stripDcpTags('no tag here')).toBe('no tag here');
+  });
+});
+
+describe('per-chunk strip is INSUFFICIENT (documents the bug)', () => {
+  it('a tag split across chunks survives a naive per-chunk .replace()', () => {
+    const chunks = ['Yes.\n\n<dcp', '-message', '-id>m0019</dcp', '-message-id>'];
+    const naive = chunks.map(stripDcpTags).join('');
+    // The reassembled content still contains the tag — this is the screenshot bug.
+    expect(naive).toContain('<dcp-message-id>m0019</dcp-message-id>');
+  });
+});
+
+describe('makeDcpStreamStripper (cross-chunk fix)', () => {
+  it('strips a tag split across chunks (the real opencode case)', () => {
+    expect(run(['Yes.\n\n<dcp', '-message', '-id>m0019</dcp', '-message-id>'])).toBe('Yes.\n\n');
+  });
+
+  it('strips a tag split at EVERY character boundary', () => {
+    const full = 'Answer.<dcp-message-id>m0019</dcp-message-id>';
+    expect(run([...full])).toBe('Answer.');
+  });
+
+  it('strips a tag delivered whole in one chunk', () => {
+    expect(run(['Answer.<dcp-message-id>m0019</dcp-message-id>'])).toBe('Answer.');
+  });
+
+  it('passes through text with no tag', () => {
+    expect(run(['hello ', 'world'])).toBe('hello world');
+  });
+
+  it('does NOT swallow legitimate < content (code/HTML/generics)', () => {
+    expect(run(['use ', '<div>', ' and ', 'Array<', 'string>'])).toBe('use <div> and Array<string>');
+  });
+
+  it('handles a lone < that is not a dcp tag, split across chunks', () => {
+    expect(run(['a <', 'b c'])).toBe('a <b c');
+  });
+
+  it('emits surrounding text and strips a mid-text tag', () => {
+    expect(run(['before ', '<dcp-message-id>', 'm1', '</dcp-message-id>', ' after'])).toBe(
+      'before  after',
+    );
+  });
+
+  it('flushes a truncated/never-closed partial tag without leaking it as a complete tag', () => {
+    // If the stream ends mid-tag, flush strips complete tags; an incomplete
+    // remnant is returned as-is (no complete tag ever existed to render).
+    const out = run(['done.<dcp-message-id>m00']);
+    expect(out).not.toContain('</dcp-message-id>');
+  });
+});

apps/coder/src/services/__tests__/fuzzy-match.test.ts

@@ -0,0 +1,173 @@
+import { describe, it, expect } from 'vitest';
+import { locateMatch, SIMILARITY_THRESHOLD } from '../fuzzy-match.js';
+
+// Helper: assert a resolved span and slice it back out of the content so the
+// test pins the EXACT file text the caller would replace.
+function span(result: ReturnType<typeof locateMatch>): { start: number; end: number } {
+  if (result.kind !== 'exact' && result.kind !== 'fuzzy') {
+    throw new Error(`expected a located span, got ${result.kind}`);
+  }
+  return { start: result.start, end: result.end };
+}
+
+describe('locateMatch — strategy 1: exact', () => {
+  it('returns an exact unique span', () => {
+    const content = 'alpha\nbeta\ngamma\n';
+    const result = locateMatch(content, 'beta');
+    expect(result.kind).toBe('exact');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('beta');
+  });
+
+  it('returns the right offsets for a multi-line exact needle', () => {
+    const content = 'one\ntwo\nthree\nfour\n';
+    const needle = 'two\nthree';
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('exact');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe(needle);
+  });
+
+  it('refuses when the exact needle occurs more than once', () => {
+    const content = 'foo\nbar\nfoo\nbar\nfoo\n';
+    const result = locateMatch(content, 'foo');
+    expect(result).toEqual({ kind: 'ambiguous', count: 3 });
+  });
+});
+
+describe('locateMatch — strategy 2: per-line whitespace', () => {
+  it('matches across trailing-whitespace drift at the real span', () => {
+    // File has trailing spaces the model dropped from a TWO-line copy. A
+    // single-line needle would be located by exact indexOf (it's a substring),
+    // so use two lines where line 1's trailing ws breaks an exact substring run.
+    const content = 'function f() {\n  setup();   \n  return 1;\n}\n';
+    const needle = '  setup();\n  return 1;'; // line 1 missing trailing spaces
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    // The returned span covers the ORIGINAL lines including the trailing spaces.
+    expect(content.slice(start, end)).toBe('  setup();   \n  return 1;');
+  });
+
+  it('matches across indentation drift (multi-line block)', () => {
+    // File indents with 4 spaces; model emitted 2-space indentation. trimEnd
+    // alone does not normalize LEADING whitespace, so this exercises... actually
+    // leading-indent drift is a Levenshtein-tier fallback. Here we keep the
+    // leading indent identical and drift only trailing whitespace per line.
+    const content = ['if (x) {', '    doThing();    ', '    doOther();', '}'].join('\n');
+    const needle = ['    doThing();', '    doOther();'].join('\n');
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('    doThing();    \n    doOther();');
+  });
+
+  it('ignores leading/trailing blank needle lines', () => {
+    const content = 'header\nbody line\nfooter\n';
+    const needle = '\n\nbody line\n\n';
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('body line');
+  });
+
+  it('reports ambiguous when a whitespace-window matches twice', () => {
+    // Both line 1 and line 4 differ from the needle only by trailing whitespace,
+    // so exact indexOf fails (no exact substring) and the whitespace tier finds
+    // two equivalent windows → ambiguous.
+    const content = 'x = 1;  \ny = 2;\nz = 3;\nx = 1;\t\n';
+    const needle = 'x = 1;'; // no trailing ws → not an exact substring of either line
+    const result = locateMatch(content, needle);
+    expect(result).toEqual({ kind: 'ambiguous', count: 2 });
+  });
+});
+
+describe('locateMatch — strategy 3: unicode canonicalization', () => {
+  it('matches across curly quotes', () => {
+    const content = "const s = 'hello';\n";
+    const needle = 'const s = ‘hello’;'; // ‘hello’
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    // Span maps back to ORIGINAL (straight-quote) text.
+    expect(content.slice(start, end)).toBe("const s = 'hello';");
+  });
+
+  it('matches across curly double-quotes', () => {
+    const content = 'log("done");\n';
+    const needle = 'log(“done”);'; // “done”
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('log("done");');
+  });
+
+  it('matches across an em-dash drift', () => {
+    const content = 'range 1-10 inclusive\n';
+    const needle = 'range 1—10 inclusive'; // em-dash
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('range 1-10 inclusive');
+  });
+
+  it('matches across a non-breaking space drift', () => {
+    const content = 'a b c\n'; // plain spaces
+    const needle = 'a b c'; // nbsp between words
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('a b c');
+  });
+});
+
+describe('locateMatch — strategy 4: Levenshtein', () => {
+  it('matches a >= threshold near-miss (small typo drift)', () => {
+    // Needle has a one-char typo ('totals' vs 'total') so it is NOT an exact
+    // substring and the whitespace/canonical tiers (which require equality) both
+    // miss; Levenshtein similarity stays well above the 0.66 floor.
+    const content = 'const total = sum + tax;\n';
+    const needle = 'const totals = sum + tax;';
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    // Span maps to the real (correctly-spelled) file line.
+    expect(content.slice(start, end)).toBe('const total = sum + tax;');
+  });
+
+  it('matches a multi-line block with indentation drift via Levenshtein', () => {
+    const content = ['function g() {', '  return compute(a, b);', '}'].join('\n');
+    // 6-space indent vs file's 2-space; trimEnd does not fix leading indent, so
+    // this lands on the Levenshtein tier (joined-trim makes it identical → ~1.0).
+    const needle = ['      return compute(a, b);'].join('\n');
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('  return compute(a, b);');
+  });
+
+  it('returns not_found for a below-threshold miss', () => {
+    const content = 'the quick brown fox jumps over the lazy dog\n';
+    const needle = 'completely unrelated string of text here xyz';
+    const result = locateMatch(content, needle);
+    expect(result).toEqual({ kind: 'not_found' });
+  });
+
+  it('returns not_found for a genuinely-absent needle', () => {
+    const content = 'alpha\nbeta\ngamma\n';
+    const needle = 'this content does not exist anywhere at all';
+    const result = locateMatch(content, needle);
+    expect(result).toEqual({ kind: 'not_found' });
+  });
+});
+
+describe('locateMatch — edge cases', () => {
+  it('returns not_found for an empty needle', () => {
+    expect(locateMatch('anything', '')).toEqual({ kind: 'not_found' });
+  });
+
+  it('exposes a sane similarity threshold', () => {
+    expect(SIMILARITY_THRESHOLD).toBeGreaterThan(0);
+    expect(SIMILARITY_THRESHOLD).toBeLessThanOrEqual(1);
+  });
+});

apps/coder/src/services/__tests__/provider-config.test.ts

@@ -0,0 +1,96 @@
+import { describe, it, expect } from 'vitest';
+import {
+  mergeProviderConfigPatch,
+  ProviderConfigPatchSchema,
+  CoderProvidersFileSchema,
+  type CoderProvidersFile,
+} from '../provider-config.js';
+
+describe('ProviderConfigPatchSchema', () => {
+  it('accepts a per-provider override patch', () => {
+    const parsed = ProviderConfigPatchSchema.safeParse({ providers: { goose: { enabled: false } } });
+    expect(parsed.success).toBe(true);
+  });
+
+  it('accepts a null value (delete-the-override sentinel)', () => {
+    const parsed = ProviderConfigPatchSchema.safeParse({ providers: { goose: null } });
+    expect(parsed.success).toBe(true);
+  });
+
+  it('defaults providers to {} on an empty body', () => {
+    const parsed = ProviderConfigPatchSchema.safeParse({});
+    expect(parsed.success).toBe(true);
+    if (parsed.success) expect(parsed.data.providers).toEqual({});
+  });
+
+  it('rejects a malformed override (wrong field type)', () => {
+    const parsed = ProviderConfigPatchSchema.safeParse({ providers: { goose: { enabled: 'yes' } } });
+    expect(parsed.success).toBe(false);
+  });
+
+  it('rejects a non-object providers map', () => {
+    const parsed = ProviderConfigPatchSchema.safeParse({ providers: 123 });
+    expect(parsed.success).toBe(false);
+  });
+});
+
+describe('mergeProviderConfigPatch', () => {
+  const current: CoderProvidersFile = {
+    providers: {
+      goose: { enabled: true, label: 'Goose' },
+      opencode: { enabled: true },
+    },
+  };
+
+  it('replaces an existing override object wholesale (not deep-merge)', () => {
+    const merged = mergeProviderConfigPatch(current, { providers: { goose: { enabled: false } } });
+    // Whole override replaced — the prior `label` is gone, only `enabled` remains.
+    expect(merged.providers.goose).toEqual({ enabled: false });
+  });
+
+  it('adds a brand-new override id', () => {
+    const merged = mergeProviderConfigPatch(current, {
+      providers: { 'amp-acp': { extends: 'acp', label: 'Amp', command: ['amp-acp'] } },
+    });
+    expect(merged.providers['amp-acp']).toEqual({ extends: 'acp', label: 'Amp', command: ['amp-acp'] });
+  });
+
+  it('deletes an override when the value is null', () => {
+    const merged = mergeProviderConfigPatch(current, { providers: { goose: null } });
+    expect(merged.providers.goose).toBeUndefined();
+    expect(Object.keys(merged.providers)).toEqual(['opencode']);
+  });
+
+  it('leaves ids absent from the patch untouched', () => {
+    const merged = mergeProviderConfigPatch(current, { providers: { goose: { enabled: false } } });
+    expect(merged.providers.opencode).toEqual({ enabled: true });
+  });
+
+  it('does not mutate the input config', () => {
+    const snapshot = JSON.parse(JSON.stringify(current));
+    mergeProviderConfigPatch(current, { providers: { goose: null, opencode: { enabled: false } } });
+    expect(current).toEqual(snapshot);
+  });
+
+  it('empty patch returns an equivalent config', () => {
+    const merged = mergeProviderConfigPatch(current, { providers: {} });
+    expect(merged).toEqual(current);
+  });
+});
+
+describe('CoderProvidersFileSchema (validate-before-save guard)', () => {
+  it('accepts a clean merged config', () => {
+    const merged = mergeProviderConfigPatch(
+      { providers: {} },
+      { providers: { goose: { enabled: false } } },
+    );
+    expect(CoderProvidersFileSchema.safeParse(merged).success).toBe(true);
+  });
+
+  it('rejects a config carrying an invalid override (never written)', () => {
+    // A merged object that somehow holds a bad override must fail validation
+    // so the PATCH route returns 422 and never calls save().
+    const invalid = { providers: { goose: { enabled: 'nope' } } };
+    expect(CoderProvidersFileSchema.safeParse(invalid).success).toBe(false);
+  });
+});

apps/coder/src/services/__tests__/provider-diagnostic.test.ts

@@ -0,0 +1,85 @@
+import { describe, it, expect } from 'vitest';
+import { getProviderDiagnostic, type DiagnosticAgentRow } from '../provider-diagnostic.js';
+import { buildResolvedRegistry } from '../provider-config-registry.js';
+import { PROVIDERS } from '../provider-registry.js';
+import type { ProviderSnapshotEntry } from '../provider-types.js';
+
+const registry = buildResolvedRegistry(PROVIDERS, {
+  providers: {
+    goose: { enabled: false },
+    'amp-acp': { extends: 'acp', label: 'Amp', command: ['amp-acp', '--acp'] },
+  },
+});
+
+const alwaysAvailable = () => Promise.resolve(true);
+const neverAvailable = () => Promise.resolve(false);
+
+describe('getProviderDiagnostic', () => {
+  it('reports a disabled built-in (enabled:false, no install)', async () => {
+    const report = await getProviderDiagnostic(registry.get('goose')!, undefined, {
+      checkAvailable: neverAvailable,
+    });
+    expect(report).toContain('provider: goose');
+    expect(report).toContain('enabled: false');
+    expect(report).toContain('installed: false');
+    expect(report).toMatch(/command_available:\s*false/);
+  });
+
+  it('reports an installed built-in with its install_path, last_probed_at, model count', async () => {
+    const agentRow: DiagnosticAgentRow = {
+      name: 'opencode',
+      install_path: '/usr/bin/opencode',
+      supports_acp: true,
+      models: [
+        { id: 'm1', label: 'M1' },
+        { id: 'm2', label: 'M2' },
+      ],
+      last_probed_at: '2026-05-29T12:00:00.000Z',
+    };
+    const report = await getProviderDiagnostic(registry.get('opencode')!, agentRow, {
+      checkAvailable: alwaysAvailable,
+    });
+    expect(report).toContain('install_path: /usr/bin/opencode');
+    expect(report).toContain('2026-05-29T12:00:00.000Z');
+    expect(report).toContain('installed: true');
+    expect(report).toMatch(/models_in_db:\s*2/);
+    expect(report).toMatch(/command_available:\s*true/);
+  });
+
+  it('reports a custom ACP launch command + its binary', async () => {
+    const report = await getProviderDiagnostic(registry.get('amp-acp')!, undefined, {
+      checkAvailable: alwaysAvailable,
+    });
+    expect(report).toContain('provider: amp-acp');
+    expect(report).toContain('amp-acp --acp');
+    expect(report).toContain('customAcp: true');
+  });
+
+  it('surfaces the last probe error from a cached snapshot entry', async () => {
+    const cachedEntry: ProviderSnapshotEntry = {
+      name: 'opencode',
+      label: 'OpenCode',
+      transport: 'acp',
+      status: 'error',
+      enabled: true,
+      installed: true,
+      models: [],
+      modes: [],
+      defaultModeId: null,
+      commands: [],
+      error: 'ACP initialize timed out',
+    };
+    const report = await getProviderDiagnostic(registry.get('opencode')!, undefined, {
+      cachedEntry,
+      checkAvailable: alwaysAvailable,
+    });
+    expect(report).toContain('ACP initialize timed out');
+  });
+
+  it('reports no error when none is cached', async () => {
+    const report = await getProviderDiagnostic(registry.get('opencode')!, undefined, {
+      checkAvailable: alwaysAvailable,
+    });
+    expect(report).toMatch(/last_probe_error:\s*\(none/);
+  });
+});

apps/coder/src/services/__tests__/provider-snapshot.test.ts

@@ -7,6 +7,7 @@ import {
   prefixLlamaSwapModels,
   clearProviderSnapshotCache,
   getProviderSnapshot,
+  peekSnapshotEntry,
 } from '../provider-snapshot.js';
 import { loadProviderConfig } from '../provider-config-registry.js';
 
@@ -324,6 +325,18 @@ describe('getProviderSnapshot', () => {
     expect(claude!.models.find((m) => m.id === 'claude-opus-4-8')?.thinkingOptions?.length).toBeGreaterThan(0);
   });
 
+  it('peekSnapshotEntry returns a cached entry (read-only) and undefined when cold/unknown', async () => {
+    loadConfigFixture({});
+    // Cold cache → undefined (no build triggered).
+    expect(peekSnapshotEntry('boocode', '/tmp/peek')).toBeUndefined();
+
+    const sql = mockSql([]);
+    await getProviderSnapshot(sql, config, '/tmp/peek', true);
+
+    expect(peekSnapshotEntry('boocode', '/tmp/peek')?.name).toBe('boocode');
+    expect(peekSnapshotEntry('does-not-exist', '/tmp/peek')).toBeUndefined();
+  });
+
   it('2.7 warm cache: a second snapshot within the warm window spawns ZERO probes', async () => {
     loadConfigFixture({});
     mockProbe.mockResolvedValue({

apps/coder/src/services/__tests__/reconnect_integration.test.ts

@@ -0,0 +1,170 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { readFileSync, existsSync } from 'node:fs';
+import { rm, mkdir } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import postgres from 'postgres';
+import {
+  ensureSessionWorktree,
+  closeChatBackendState,
+  rebaselineWorktreeAfterApply,
+} from '../worktrees.js';
+import { reapOrphanWorktrees } from '../orphan-worktree-reaper.js';
+import { hostExec } from '../host-exec.js';
+
+/**
+ * v2.6 Phase 3 (3.6) — reconnect-after-restart integration test.
+ *
+ * Proves the DB-truth side of crash/restart recovery: a BooCoder restart wipes the
+ * in-memory pool, but the persistent `worktrees` + `agent_sessions` rows survive,
+ * so the "next turn" re-resolves the SAME worktree (reattach, no new dir) and the
+ * agent-session row is still there to resume from. Also exercises the chat-close
+ * hook (3.3), the apply re-baseline (3.5), and the orphan reaper (3.4) end-to-end
+ * against a real git repo + postgres.
+ *
+ * Requires DATABASE_URL (DB-opt-in; skips cleanly otherwise) AND git on PATH. Runs:
+ *   DATABASE_URL='postgres://boocode:devpass@localhost:5500/boochat' pnpm -C apps/coder test
+ */
+describe.runIf(!!process.env.DATABASE_URL)('reconnect after restart (Phase 3)', () => {
+  let sql: ReturnType<typeof postgres>;
+  const stamp = Date.now();
+  const projectDir = `/tmp/boocode-reconnect-proj-${stamp}`;
+  let projectId: string;
+  let sessionId: string;
+  let chatId: string;
+
+  beforeAll(async () => {
+    sql = postgres(process.env.DATABASE_URL!, { max: 3 });
+
+    // Both schemas land in the one boochat DB: server owns sessions/chats/projects,
+    // coder owns worktrees/agent_sessions (FK targets must pre-exist → server first).
+    const serverSchema = resolve(__dirname, '../../../../server/src/schema.sql');
+    const coderSchema = resolve(__dirname, '../../schema.sql');
+    await sql.unsafe(readFileSync(serverSchema, 'utf8'));
+    await sql.unsafe(readFileSync(coderSchema, 'utf8'));
+
+    // A real git repo with one commit so worktree add / diff / rev-parse work.
+    await mkdir(projectDir, { recursive: true });
+    await hostExec(
+      `cd ${projectDir} && git init -q && git config user.email t@t && git config user.name t ` +
+        `&& echo hello > README.md && git add -A && git commit -qm init`,
+      { timeoutMs: 20_000 },
+    );
+
+    const [project] = await sql<{ id: string }[]>`
+      INSERT INTO projects (name, path, status) VALUES ('reconnect-test', ${projectDir}, 'open') RETURNING id
+    `;
+    projectId = project!.id;
+    const [session] = await sql<{ id: string }[]>`
+      INSERT INTO sessions (project_id, name, model, status)
+      VALUES (${projectId}, 'recon', 'm', 'open') RETURNING id
+    `;
+    sessionId = session!.id;
+    const [chat] = await sql<{ id: string }[]>`
+      INSERT INTO chats (session_id, name, status) VALUES (${sessionId}, 'tab', 'open') RETURNING id
+    `;
+    chatId = chat!.id;
+  });
+
+  afterAll(async () => {
+    if (sql) {
+      // Best-effort worktree cleanup before dropping rows.
+      const rows = await sql<{ path: string }[]>`SELECT path FROM worktrees WHERE session_id = ${sessionId}`.catch(() => []);
+      for (const r of rows) {
+        await hostExec(`git -C ${projectDir} worktree remove ${r.path} --force`, { timeoutMs: 10_000 }).catch(() => {});
+      }
+      await sql`DELETE FROM agent_sessions WHERE chat_id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM worktrees WHERE session_id = ${sessionId}`.catch(() => {});
+      await sql`DELETE FROM chats WHERE id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM sessions WHERE id = ${sessionId}`.catch(() => {});
+      await sql`DELETE FROM projects WHERE id = ${projectId}`.catch(() => {});
+      await sql.end({ timeout: 5 });
+    }
+    await rm(projectDir, { recursive: true, force: true });
+  });
+
+  it('reattaches the SAME worktree across a simulated restart (no new dir)', async () => {
+    // "Turn 1" — first ensureSessionWorktree creates the worktree + row.
+    const first = await ensureSessionWorktree(sql, projectDir, sessionId);
+    expect(existsSync(first.worktreePath)).toBe(true);
+    expect(first.baseCommit).toBeTruthy();
+
+    // Simulate an agent_sessions row written by turn 1 (opencode).
+    await sql`
+      INSERT INTO agent_sessions (chat_id, session_id, worktree_id, agent, backend, agent_session_id, status, last_active_at)
+      VALUES (${chatId}, ${sessionId}, ${first.worktreeId}, 'opencode', 'opencode_server', 'oc-sess-1', 'active', clock_timestamp())
+      ON CONFLICT (chat_id, agent) DO NOTHING
+    `;
+
+    // "Restart" = brand-new resolution with NO in-memory state. ensureSessionWorktree
+    // must return the EXISTING row (same id + path), proving reattach not re-create.
+    const second = await ensureSessionWorktree(sql, projectDir, sessionId);
+    expect(second.worktreeId).toBe(first.worktreeId);
+    expect(second.worktreePath).toBe(first.worktreePath);
+    expect(second.baseCommit).toBe(first.baseCommit);
+
+    // The agent_sessions row survived the "restart" with its resume handle intact.
+    const [row] = await sql<{ agent_session_id: string; status: string }[]>`
+      SELECT agent_session_id, status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'opencode'
+    `;
+    expect(row!.agent_session_id).toBe('oc-sess-1');
+  });
+
+  it('re-baselines the worktree diff after apply (3.5)', async () => {
+    const wt = await ensureSessionWorktree(sql, projectDir, sessionId);
+    const baseBefore = wt.baseCommit;
+    // Make a change in the worktree (as an external agent would).
+    await hostExec(`cd ${wt.worktreePath} && echo change >> README.md`, { timeoutMs: 10_000 });
+
+    const r = await rebaselineWorktreeAfterApply(sql, sessionId);
+    expect(r.rebaselined).toBe(true);
+    expect(r.newBaseCommit).toBeTruthy();
+    expect(r.newBaseCommit).not.toBe(baseBefore);
+
+    const [row] = await sql<{ base_commit: string }[]>`
+      SELECT base_commit FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'
+    `;
+    expect(row!.base_commit).toBe(r.newBaseCommit);
+
+    // Idempotent: a second re-baseline with no new edits is a no-op.
+    const r2 = await rebaselineWorktreeAfterApply(sql, sessionId);
+    expect(r2.rebaselined).toBe(false);
+  });
+
+  it('chat-close hook closes agent rows + removes the worktree on the last chat (3.3)', async () => {
+    // Sanity: an active worktree + agent row exist from the prior tests.
+    const beforeWt = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    expect(beforeWt.length).toBe(1);
+
+    const result = await closeChatBackendState(sql, chatId);
+    expect(result.agentRowsClosed).toBeGreaterThanOrEqual(1);
+    // chatId is the session's only chat → worktree removed (it was clean after the
+    // re-baseline commit), not at-risk.
+    expect(result.worktreeAtRisk).toBe(false);
+    expect(result.worktreeRemoved).toBe(true);
+
+    const [agentRow] = await sql<{ status: string }[]>`
+      SELECT status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'opencode'
+    `;
+    expect(agentRow!.status).toBe('closed');
+
+    const activeWt = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    expect(activeWt.length).toBe(0); // archived, no longer active
+  });
+
+  it('orphan reaper leaves a live worktree alone and reaps a row-less dir (3.4)', async () => {
+    // Recreate a live worktree for this session (the close test archived the old one).
+    const live = await ensureSessionWorktree(sql, projectDir, sessionId);
+    expect(existsSync(live.worktreePath)).toBe(true);
+
+    // A live worktree (active row) with grace 0 must NOT be reaped.
+    const r1 = await reapOrphanWorktrees(sql, console as never, 0, Date.now());
+    expect(r1.reaped).not.toContain(live.worktreePath);
+
+    // Now archive its row (simulating a leaked dir) and reap again — it becomes an
+    // orphan and is reclaimed (it's clean → not at-risk).
+    await sql`UPDATE worktrees SET status = 'archived' WHERE id = ${live.worktreeId}`;
+    const r2 = await reapOrphanWorktrees(sql, console as never, 0, Date.now());
+    expect(r2.reaped).toContain(live.worktreePath);
+    expect(existsSync(live.worktreePath)).toBe(false);
+  });
+});

apps/coder/src/services/acp-client-fs.ts

@@ -1,5 +1,25 @@
 import { promises as fs } from 'node:fs';
-import { dirname, isAbsolute, join, resolve } from 'node:path';
+import { dirname, isAbsolute, resolve, sep } from 'node:path';
+
+/**
+ * Resolve an ACP-supplied path against the agent worktree and reject anything
+ * that escapes it. Mirrors `write_guard.ts`'s check: `resolve()` to normalize
+ * `../` segments, then a **separator-bounded** prefix test — a bare
+ * `startsWith(root)` wrongly admits a sibling dir like `<root>-evil/...`.
+ *
+ * No realpath (consistent with `write_guard.ts`: the target may not exist yet on
+ * write). This is a containment guard for the ACP fs bridge, not a hard trust
+ * boundary — the agent process already runs with host FS access; symlink-swap
+ * hardening (`O_NOFOLLOW`/realpath) is out of scope here.
+ */
+function resolveInWorktree(worktreePath: string, filePath: string): string {
+  const root = resolve(worktreePath);
+  const absolute = isAbsolute(filePath) ? resolve(filePath) : resolve(root, filePath);
+  if (absolute !== root && !absolute.startsWith(root + sep)) {
+    throw new Error(`path escapes worktree: ${filePath}`);
+  }
+  return absolute;
+}
 
 /** Resolve an ACP path against the agent worktree and read a slice of lines. */
 export async function readWorktreeTextFile(
@@ -8,10 +28,7 @@ export async function readWorktreeTextFile(
   line?: number | null,
   limit?: number | null,
 ): Promise<string> {
-  const absolute = isAbsolute(filePath) ? filePath : resolve(worktreePath, filePath);
-  if (!absolute.startsWith(resolve(worktreePath))) {
-    throw new Error(`path escapes worktree: ${filePath}`);
-  }
+  const absolute = resolveInWorktree(worktreePath, filePath);
   const raw = await fs.readFile(absolute, 'utf8');
   if (!line && !limit) return raw;
   const lines = raw.split(/\r?\n/);
@@ -26,10 +43,7 @@ export async function writeWorktreeTextFile(
   filePath: string,
   content: string,
 ): Promise<void> {
-  const absolute = isAbsolute(filePath) ? filePath : resolve(worktreePath, filePath);
-  if (!absolute.startsWith(resolve(worktreePath))) {
-    throw new Error(`path escapes worktree: ${filePath}`);
-  }
+  const absolute = resolveInWorktree(worktreePath, filePath);
   await fs.mkdir(dirname(absolute), { recursive: true });
   await fs.writeFile(absolute, content, 'utf8');
 }

apps/coder/src/services/acp-dispatch.ts

@@ -32,9 +32,9 @@ import { createAcpNdJsonStream } from './acp-stream.js';
 import { waitForPermissionResponse, waitForElicitationResponse, cancelPendingPermission } from './permission-waiter.js';
 import { mergeTaskCommands, getTaskCommands } from './agent-commands-cache.js';
 import { readWorktreeTextFile, writeWorktreeTextFile } from './acp-client-fs.js';
+import { mapSessionUpdate } from './acp-event-map.js';
 import {
   type AcpToolSnapshot,
-  mergeToolSnapshot,
   snapshotToWireToolCall,
   synthesizeCanceledSnapshots,
 } from './acp-tool-snapshot.js';
@@ -159,63 +159,47 @@ class AcpStreamContext {
     } as WsFrame);
   }
 
-  handleToolUpdate(toolCallId: string, update: Parameters<typeof mergeToolSnapshot>[1]): void {
-    const previous = this.toolSnapshots.get(toolCallId);
-    const snapshot = mergeToolSnapshot(toolCallId, update, previous);
-    this.toolSnapshots.set(toolCallId, snapshot);
-    this.publishToolSnapshot(snapshot);
-  }
-
   async handleSessionUpdate(params: SessionNotification): Promise<void> {
-    const update = params.update;
-    switch (update.sessionUpdate) {
-      case 'agent_message_chunk': {
-        const content = update.content;
-        if (content.type === 'text' && 'text' in content) {
-          const text = (content as { text: string }).text;
-          this.textChunks.push(text);
+    // v2.6 Phase 2: the case-by-case mapping now lives in the shared, pure
+    // `mapSessionUpdate` (reused by the warm ACP backend). This method keeps the
+    // identical broker-publishing side effects — it just translates the normalized
+    // AgentEvents back into the same frames it always emitted. `this.toolSnapshots`
+    // is the merge accumulator, so a later tool_call_update merges over its
+    // tool_call (the prior `handleToolUpdate` behavior, byte-for-byte).
+    for (const event of mapSessionUpdate(params, this.toolSnapshots)) {
+      switch (event.type) {
+        case 'text':
+          this.textChunks.push(event.text);
           if (this.canStream()) {
             this.opts.broker!.publishFrame(this.opts.sessionId!, {
               type: 'delta',
               message_id: this.opts.messageId!,
               chat_id: this.opts.chatId!,
-              content: text,
+              content: event.text,
             } as WsFrame);
           }
-        }
           break;
-      }
-      case 'agent_thought_chunk': {
-        const content = update.content;
-        if (content.type === 'text' && 'text' in content) {
-          const text = (content as { text: string }).text;
-          this.reasoningChunks.push(text);
+        case 'reasoning':
+          this.reasoningChunks.push(event.text);
           if (this.canStream()) {
             this.opts.broker!.publishFrame(this.opts.sessionId!, {
               type: 'reasoning_delta',
               message_id: this.opts.messageId!,
               chat_id: this.opts.chatId!,
-              content: text,
+              content: event.text,
             } as WsFrame);
           }
-        }
           break;
-      }
         case 'tool_call':
-        this.handleToolUpdate(update.toolCallId, update);
+        case 'tool_update':
+          // mapSessionUpdate already stored the merged snapshot in this.toolSnapshots.
+          this.publishToolSnapshot(event.toolCall);
           break;
-      case 'tool_call_update':
-        this.handleToolUpdate(update.toolCallId, update);
-        break;
-      case 'available_commands_update': {
-        const commands = update.availableCommands.map((cmd) => ({
-          name: cmd.name,
-          description: cmd.description ?? undefined,
-        }));
-        if (this.opts.taskId && commands.length > 0) {
-          mergeTaskCommands(this.opts.taskId, commands);
+        case 'commands':
+          if (this.opts.taskId && event.commands.length > 0) {
+            mergeTaskCommands(this.opts.taskId, event.commands);
             if (this.canStream() && this.opts.sessionId) {
-            const all = getTaskCommands(this.opts.taskId) ?? commands;
+              const all = getTaskCommands(this.opts.taskId) ?? event.commands;
               this.opts.broker!.publishFrame(this.opts.sessionId, {
                 type: 'agent_commands',
                 task_id: this.opts.taskId,
@@ -226,8 +210,6 @@ class AcpStreamContext {
           }
           break;
       }
-      default:
-        break;
     }
   }
 

apps/coder/src/services/acp-event-map.ts

@@ -0,0 +1,68 @@
+/**
+ * Shared ACP session-update → normalized AgentEvent mapping.
+ *
+ * Extracted verbatim (v2.6 Phase 2) from `AcpStreamContext.handleSessionUpdate`
+ * in `acp-dispatch.ts` so the warm ACP backend (`backends/warm-acp.ts`) and the
+ * one-shot dispatch share ONE mapping. The one-shot path translates the returned
+ * events into broker frames itself (preserving its prior behavior byte-for-byte);
+ * the warm backend forwards them to the dispatcher's `ctx.onEvent` exactly like
+ * the opencode-server backend does. No I/O, no broker — pure, so it's unit-testable.
+ *
+ * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2b.
+ */
+import type { SessionNotification } from '@agentclientprotocol/sdk';
+import type { AgentEvent } from './agent-backend.js';
+import { type AcpToolSnapshot, mergeToolSnapshot } from './acp-tool-snapshot.js';
+
+/**
+ * Map one ACP `session/update` notification to zero-or-more normalized AgentEvents.
+ *
+ * `priorSnapshots` is the caller-owned tool-call snapshot accumulator (toolCallId →
+ * snapshot). For `tool_call` / `tool_call_update` the merged snapshot is written
+ * back into it (mutated in place, mirroring `AcpStreamContext.handleToolUpdate`)
+ * so a later `tool_call_update` merges over the earlier `tool_call`. Pass an empty
+ * Map for a stateless single call.
+ *
+ * Returns an array (never throws) so the caller can splat it onto `onEvent`.
+ */
+export function mapSessionUpdate(
+  params: SessionNotification,
+  priorSnapshots: Map<string, AcpToolSnapshot> = new Map(),
+): AgentEvent[] {
+  const update = params.update;
+  switch (update.sessionUpdate) {
+    case 'agent_message_chunk': {
+      const content = update.content;
+      if (content.type === 'text' && 'text' in content) {
+        return [{ type: 'text', text: (content as { text: string }).text }];
+      }
+      return [];
+    }
+    case 'agent_thought_chunk': {
+      const content = update.content;
+      if (content.type === 'text' && 'text' in content) {
+        return [{ type: 'reasoning', text: (content as { text: string }).text }];
+      }
+      return [];
+    }
+    case 'tool_call': {
+      const snapshot = mergeToolSnapshot(update.toolCallId, update, priorSnapshots.get(update.toolCallId));
+      priorSnapshots.set(update.toolCallId, snapshot);
+      return [{ type: 'tool_call', toolCall: snapshot }];
+    }
+    case 'tool_call_update': {
+      const snapshot = mergeToolSnapshot(update.toolCallId, update, priorSnapshots.get(update.toolCallId));
+      priorSnapshots.set(update.toolCallId, snapshot);
+      return [{ type: 'tool_update', toolCall: snapshot }];
+    }
+    case 'available_commands_update': {
+      const commands = update.availableCommands.map((cmd) => ({
+        name: cmd.name,
+        description: cmd.description ?? undefined,
+      }));
+      return [{ type: 'commands', commands }];
+    }
+    default:
+      return [];
+  }
+}

apps/coder/src/services/agent-backend.ts

@@ -0,0 +1,119 @@
+/**
+ * v2.6 — AgentBackend abstraction (Phase 0 scaffold; types only, zero runtime logic).
+ *
+ * The core abstraction for persistent agent sessions. Two implementations land
+ * later: `OpenCodeServerBackend` (Phase 1, opencode HTTP server) and
+ * `WarmAcpBackend` (Phase 2, long-lived ACP process). Backends emit
+ * transport-agnostic `AgentEvent`s; the dispatcher maps them to WS frames.
+ *
+ * Nothing imports this file yet — it must compile standalone.
+ * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2.
+ */
+import type { AcpToolSnapshot } from './acp-tool-snapshot.js';
+import type { AgentCommand } from './provider-types.js';
+
+/** Backend transport kind. Mirrors `agent_sessions.backend` CHECK in schema.sql. */
+export type AgentBackendKind = 'opencode_server' | 'acp_warm';
+
+/**
+ * Normalized, transport-agnostic events a backend emits during a turn (§2).
+ * Derived from acp-dispatch's session-update handling, but WITHOUT the WS
+ * envelope (message_id/chat_id) — the dispatcher owns frame mapping.
+ *
+ * `tool_call` vs `tool_update` are kept distinct on purpose: acp-dispatch
+ * currently merges both into one snapshot frame, but opencode's SSE
+ * distinguishes tool-start from tool-result, so the contract carries both.
+ * `commands` mirrors the ACP `available_commands_update` path (v2.5.10).
+ */
+export type AgentEvent =
+  | { type: 'text'; text: string }
+  | { type: 'reasoning'; text: string }
+  | { type: 'tool_call'; toolCall: AcpToolSnapshot }
+  | { type: 'tool_update'; toolCall: AcpToolSnapshot }
+  | { type: 'commands'; commands: AgentCommand[] };
+
+/** Params to establish (or look up) a backend session (§2). */
+export interface EnsureSessionOpts {
+  agent: string;
+  /** Resolved model id. */
+  model: string;
+  /** P1.5-b: the chat (tab) this turn belongs to. agent_sessions is keyed
+   *  (chat_id, agent) — the tab/chat is the context unit. Always non-null:
+   *  the dispatcher creates a chat for session-less tasks before calling. */
+  chatId: string;
+  /** Shared per-session worktree (one per `sessions.id`, not per pane). */
+  worktreePath: string;
+  /** P1.5-b: the `worktrees.id` for this session's worktree — stored on the
+   *  agent_sessions row informationally (NOT the key). */
+  worktreeId: string;
+  projectId: string;
+}
+
+/** Opaque handle to a live backend session, persisted to `agent_sessions` (§2). */
+export interface AgentSessionHandle {
+  sessionId: string;
+  agent: string;
+  backend: AgentBackendKind;
+  /** P1.5-b: the chat (tab) this session is keyed on (with agent). */
+  chatId: string;
+  /** P1.5-b: the worktree this session's chat runs in (informational link). */
+  worktreeId: string;
+  /** Provider's own session id (resume token); null until the backend assigns one. */
+  agentSessionId: string | null;
+  /** opencode HTTP server port; null for ACP backends. */
+  serverPort: number | null;
+}
+
+/** Per-turn context passed to `prompt` (§2). */
+export interface PromptCtx {
+  worktreePath: string;
+  model: string;
+  signal: AbortSignal;
+  onEvent: (e: AgentEvent) => void;
+  /** Phase 2: per-turn task id, so a warm ACP backend can route permission /
+   *  elicitation prompts back to the UI via the permission-waiter. Optional —
+   *  the opencode-server backend (autonomous) ignores it. */
+  taskId?: string;
+  /** Phase 2: per-turn mode id (gates autonomous mode in the permission-waiter). */
+  modeId?: string;
+}
+
+/** Result of a completed turn (§2). Diff/persist happen outside the backend. */
+export interface TurnResult {
+  ok: boolean;
+  error?: string;
+}
+
+/**
+ * The core backend abstraction (§2). Implementations: OpenCodeServerBackend
+ * (Phase 1), WarmAcpBackend (Phase 2).
+ */
+export interface AgentBackend {
+  /** Lazy: spawn server / warm process if not already up for this (session, agent). §2 */
+  ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle>;
+  /** Send a prompt; stream events via ctx.onEvent; resolves when the turn completes. §2 */
+  prompt(handle: AgentSessionHandle, input: string, ctx: PromptCtx): Promise<TurnResult>;
+  /** Graceful teardown of one session (session close or idle timeout). §2 */
+  closeSession(handle: AgentSessionHandle): Promise<void>;
+  /** Full teardown — kills all spawned servers/processes. §2 */
+  dispose(): Promise<void>;
+  /** Liveness for health endpoint + dispatcher fallback decision. §2 */
+  health(): 'up' | 'down';
+  /**
+   * v2.6 Phase 3: true iff a turn is in flight on this backend. The pool's idle
+   * eviction + LRU cap NEVER evict a busy backend (design §6 busy rule); the
+   * health-monitor defers a restart while busy (stale-grace). Optional so the
+   * Phase-0 scaffold and any test double stay compatible — absent ⇒ treated as
+   * not busy. opencode-server (multi-session) is busy iff ANY session has an
+   * active turn; warm-acp (single session) iff its one slot is active.
+   */
+  isBusy?(): boolean;
+  /**
+   * v2.6 Phase 3: optional proactive health probe + busy-aware self-restart, run
+   * by the pool's periodic sweep. The opencode-server backend implements it
+   * (detects a hung-but-not-exited server and restarts when non-busy). Backends
+   * with no long-lived shared process (warm-ACP recovers lazily on its own child
+   * exit) can omit it. Must never throw — the sweep ignores rejections.
+   */
+  tickHealth?(now?: number): Promise<void>;
+}

apps/coder/src/services/agent-pool.ts

@@ -0,0 +1,246 @@
+/**
+ * v2.6 — AgentPool.
+ *
+ * Lazy get-or-create registry of `AgentBackend` instances keyed by
+ * `${primary}:${agent}` (primary = chatId for warm-ACP, a fixed sentinel for the
+ * single shared opencode server). Phase 0 shipped the skeleton (Map + health +
+ * dispose). Phase 3 adds the LIFECYCLE: per-entry idle tracking, a periodic
+ * idle-TTL + LRU-cap sweep (the pure decisions live in
+ * `backends/lifecycle-decisions.ts`), and a `closeChat` helper for the chat-close
+ * hook. Reattach after eviction is implicit — the next turn's `ensureSession`
+ * rebuilds the backend from `agent_sessions` / `worktrees` (DB is the source of
+ * truth; the in-memory pool is a warm cache).
+ *
+ * The hard rule (design §6): NEVER evict a busy backend (one with an in-flight
+ * turn). `selectIdleEvictionTargets` / `selectLruEvictionTargets` enforce it via
+ * `backend.isBusy()`; a long turn that outlives the TTL is left alone.
+ *
+ * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2 / §6.
+ */
+import type { FastifyBaseLogger } from 'fastify';
+import type { AgentBackend } from './agent-backend.js';
+import {
+  selectIdleEvictionTargets,
+  selectLruEvictionTargets,
+  DEFAULT_IDLE_TTL_MS,
+  DEFAULT_MAX_LIVE_BACKENDS,
+} from './backends/lifecycle-decisions.js';
+
+interface PoolEntry {
+  primary: string;
+  agent: string;
+  backend: AgentBackend;
+  /** Epoch ms of the last turn boundary (register or touch). Drives idle/LRU. */
+  lastActiveAt: number;
+}
+
+export interface AgentPoolOpts {
+  /** Idle TTL before a non-busy backend is evicted. Default 30 min. */
+  idleTtlMs?: number;
+  /** Max live backends before the LRU cap evicts the least-recently-used. */
+  maxLive?: number;
+  /** Sweep cadence. Default 60s (mirrors the server's periodic sweeper). */
+  sweepIntervalMs?: number;
+  log?: FastifyBaseLogger;
+}
+
+const DEFAULT_SWEEP_INTERVAL_MS = 60_000;
+
+export class AgentPool {
+  private readonly backends = new Map<string, PoolEntry>();
+  private idleTtlMs: number;
+  private maxLive: number;
+  private sweepIntervalMs: number;
+  private log: FastifyBaseLogger | undefined;
+  private sweepTimer: ReturnType<typeof setInterval> | null = null;
+  /** Serializes sweep runs so a slow eviction can't overlap the next tick. */
+  private sweeping = false;
+
+  constructor(opts: AgentPoolOpts = {}) {
+    this.idleTtlMs = opts.idleTtlMs ?? DEFAULT_IDLE_TTL_MS;
+    this.maxLive = opts.maxLive ?? DEFAULT_MAX_LIVE_BACKENDS;
+    this.sweepIntervalMs = opts.sweepIntervalMs ?? DEFAULT_SWEEP_INTERVAL_MS;
+    this.log = opts.log;
+  }
+
+  /** Apply env-derived knobs to the module singleton at bootstrap (before
+   *  startReaper). Only overrides explicitly-provided fields. */
+  configure(opts: AgentPoolOpts): void {
+    if (opts.idleTtlMs != null) this.idleTtlMs = opts.idleTtlMs;
+    if (opts.maxLive != null) this.maxLive = opts.maxLive;
+    if (opts.sweepIntervalMs != null) this.sweepIntervalMs = opts.sweepIntervalMs;
+    if (opts.log) this.log = opts.log;
+  }
+
+  private key(primary: string, agent: string): string {
+    return `${primary}:${agent}`;
+  }
+
+  /** Map lookup only. Spawning happens in the dispatcher (Phase 1/2). A hit also
+   *  marks the entry recently-active so a resolve-without-prompt doesn't get it
+   *  evicted out from under an imminent turn. */
+  get(primary: string, agent: string): AgentBackend | undefined {
+    const entry = this.backends.get(this.key(primary, agent));
+    if (entry) entry.lastActiveAt = Date.now();
+    return entry?.backend;
+  }
+
+  /** Store a backend instance for this (primary, agent). */
+  register(primary: string, agent: string, backend: AgentBackend): void {
+    this.backends.set(this.key(primary, agent), { primary, agent, backend, lastActiveAt: Date.now() });
+  }
+
+  /** Mark a backend recently-active (call at turn start AND settle so a long turn
+   *  keeps its slot warm). No-op if the key isn't pooled. */
+  touch(primary: string, agent: string): void {
+    const entry = this.backends.get(this.key(primary, agent));
+    if (entry) entry.lastActiveAt = Date.now();
+  }
+
+  /** Snapshot for the decision helpers (busy is read live from the backend). */
+  private snapshots(): { key: string; lastActiveAt: number; busy: boolean }[] {
+    const out: { key: string; lastActiveAt: number; busy: boolean }[] = [];
+    for (const [key, e] of this.backends) {
+      out.push({ key, lastActiveAt: e.lastActiveAt, busy: e.backend.isBusy?.() ?? false });
+    }
+    return out;
+  }
+
+  /** Summary for the health endpoint. */
+  health(): { size: number; busy: number } {
+    let busy = 0;
+    for (const e of this.backends.values()) if (e.backend.isBusy?.()) busy++;
+    return { size: this.backends.size, busy };
+  }
+
+  // ─── Phase 3: idle-TTL + LRU eviction sweep ──────────────────────────────────
+
+  /** Start the periodic idle + LRU sweep. Idempotent; unref'd so it never holds
+   *  the process open on its own. */
+  startReaper(log?: FastifyBaseLogger): void {
+    if (log) this.log = log;
+    if (this.sweepTimer) return;
+    this.sweepTimer = setInterval(() => {
+      void this.sweep().catch((err) => {
+        this.log?.warn({ err: errMsg(err) }, 'agent-pool: sweep error');
+      });
+    }, this.sweepIntervalMs);
+    this.sweepTimer.unref?.();
+  }
+
+  stopReaper(): void {
+    if (this.sweepTimer) {
+      clearInterval(this.sweepTimer);
+      this.sweepTimer = null;
+    }
+  }
+
+  /**
+   * One sweep pass: evict idle-past-TTL backends, then enforce the LRU cap.
+   * Deduped (a key can't appear in both lists for one pass). Busy backends are
+   * excluded by the decision helpers — a live turn is never torn down.
+   */
+  async sweep(now: number = Date.now()): Promise<{ evicted: string[] }> {
+    if (this.sweeping) return { evicted: [] };
+    this.sweeping = true;
+    try {
+      // Phase 3: drive each backend's optional proactive health probe first (the
+      // opencode server's busy-aware hung-detect + self-restart). Best-effort —
+      // a probe must never fail the sweep.
+      for (const e of this.backends.values()) {
+        if (e.backend.tickHealth) {
+          await e.backend.tickHealth(now).catch((err) => {
+            this.log?.warn({ key: this.key(e.primary, e.agent), err: errMsg(err) }, 'agent-pool: tickHealth threw');
+          });
+        }
+      }
+      const snaps = this.snapshots();
+      const idle = selectIdleEvictionTargets(snaps, now, this.idleTtlMs);
+      // LRU runs on what remains after idle eviction, so the two never double-evict.
+      const idleSet = new Set(idle);
+      const remaining = snaps.filter((s) => !idleSet.has(s.key));
+      const lru = selectLruEvictionTargets(remaining, this.maxLive);
+      const targets = [...idle, ...lru];
+      if (targets.length === 0) return { evicted: [] };
+
+      const evicted: string[] = [];
+      for (const key of targets) {
+        const entry = this.backends.get(key);
+        if (!entry) continue;
+        // Re-check busy right before teardown — a turn may have started since the
+        // snapshot. Defensive; the decision already excluded busy at snapshot time.
+        if (entry.backend.isBusy?.()) continue;
+        this.backends.delete(key);
+        try {
+          await entry.backend.dispose();
+        } catch (err) {
+          this.log?.warn({ key, err: errMsg(err) }, 'agent-pool: backend dispose threw during eviction');
+        }
+        evicted.push(key);
+      }
+      if (evicted.length > 0) {
+        this.log?.info({ evicted, size: this.backends.size }, 'agent-pool: evicted idle/over-cap backends');
+      }
+      return { evicted };
+    } finally {
+      this.sweeping = false;
+    }
+  }
+
+  // ─── Phase 3: chat-close cleanup (3.3) ───────────────────────────────────────
+
+  /**
+   * Tear down every pooled backend whose key is for this chat. Used by the
+   * chat-close hook. The opencode server is shared (keyed on a sentinel, not the
+   * chat), so it is NOT disposed here — only its session is closed via
+   * `closeSession`, which the hook calls directly with the per-(chat,agent)
+   * handle. Returns the keys it removed. Skips busy entries (a close mid-turn is
+   * rare but must not kill a live stream — the idle sweep reaps it shortly after).
+   */
+  async closeChat(chatId: string): Promise<string[]> {
+    const removed: string[] = [];
+    const prefix = `${chatId}:`;
+    for (const [key, entry] of [...this.backends]) {
+      if (!key.startsWith(prefix)) continue;
+      if (entry.backend.isBusy?.()) continue;
+      this.backends.delete(key);
+      try {
+        await entry.backend.dispose();
+      } catch (err) {
+        this.log?.warn({ key, err: errMsg(err) }, 'agent-pool: dispose threw during closeChat');
+      }
+      removed.push(key);
+    }
+    return removed;
+  }
+
+  /** Look up a backend by exact key without bumping its activity (for closeSession). */
+  peek(primary: string, agent: string): AgentBackend | undefined {
+    return this.backends.get(this.key(primary, agent))?.backend;
+  }
+
+  /** Dispose every backend and clear the map. Tolerates throwing backends. */
+  async dispose(): Promise<void> {
+    this.stopReaper();
+    const entries = [...this.backends.values()];
+    this.backends.clear();
+    await Promise.allSettled(entries.map((e) => e.backend.dispose()));
+  }
+}
+
+function errMsg(e: unknown): string {
+  return e instanceof Error ? e.message : String(e);
+}
+
+/**
+ * The shared opencode server is pooled under a FIXED sentinel (one server per
+ * BooCoder process, multiplexing all opencode sessions internally) rather than a
+ * chat id — so it is NOT torn down by `closeChat(chatId)` (only its per-chat
+ * session is closed). Exported so the dispatcher + the lifecycle close-hook agree
+ * on the key without drift.
+ */
+export const OPENCODE_POOL_KEY = '__opencode_server__';
+
+/** Single shared instance — registered by the dispatcher, swept + drained by the
+ *  server's onClose hook. */
+export const agentPool = new AgentPool();

apps/coder/src/services/agent-probe.ts

@@ -4,7 +4,7 @@ import { exec as execCb, execFile as execFileCb } from 'node:child_process';
 import { promisify } from 'node:util';
 import { PROVIDERS_BY_NAME } from './provider-registry.js';
 import { resolveAcpProbeBinaries } from './acp-spawn.js';
-import { clearProviderSnapshotCache } from './provider-snapshot.js';
+import { clearProviderSnapshotCache, fetchLlamaSwapModels, prefixLlamaSwapModels } from './provider-snapshot.js';
 import { readQwenSettingsModels } from './qwen-settings.js';
 import { loadConfig } from '../config.js';
 import { loadProviderConfig } from './provider-config-registry.js';
@@ -117,6 +117,15 @@ export async function probeAgents(sql: Sql, log: FastifyBaseLogger): Promise<voi
         if (agentName === 'qwen') {
           models = await readQwenSettingsModels();
         }
+        if (providerDef?.mergeLlamaSwap) {
+          try {
+            const config = loadConfig();
+            const llamaModels = prefixLlamaSwapModels(await fetchLlamaSwapModels(config));
+            models = [...models, ...llamaModels];
+          } catch (err) {
+            log.warn({ agent: agentName, err: err instanceof Error ? err.message : String(err) }, 'agent-probe: llama-swap model fetch failed (non-fatal)');
+          }
+        }
       }
 
       const label = resolved.configLabel ?? resolved.label;

apps/coder/src/services/backends/__tests__/lifecycle-decisions.test.ts

@@ -0,0 +1,176 @@
+import { describe, it, expect } from 'vitest';
+import {
+  selectIdleEvictionTargets,
+  selectLruEvictionTargets,
+  decideRestart,
+  selectOrphanWorktreeTargets,
+  DEFAULT_IDLE_TTL_MS,
+  DEFAULT_MAX_LIVE_BACKENDS,
+  type PoolEntrySnapshot,
+} from '../lifecycle-decisions.js';
+
+/**
+ * v2.6 Phase 3 — pure lifecycle decisions. No DB, no children, no timers; `now`
+ * is injected. Models prune.ts:selectPruneTargets — the caller acts on the keys.
+ */
+
+const NOW = 1_000_000_000_000;
+
+function entry(key: string, ageMs: number, busy = false): PoolEntrySnapshot {
+  return { key, lastActiveAt: NOW - ageMs, busy };
+}
+
+describe('selectIdleEvictionTargets (3.1)', () => {
+  it('evicts entries idle past the TTL', () => {
+    const entries = [
+      entry('a:opencode', DEFAULT_IDLE_TTL_MS + 1),
+      entry('b:goose', DEFAULT_IDLE_TTL_MS - 1),
+    ];
+    expect(selectIdleEvictionTargets(entries, NOW)).toEqual(['a:opencode']);
+  });
+
+  it('never evicts a busy entry even when idle past the TTL', () => {
+    const entries = [entry('a:opencode', DEFAULT_IDLE_TTL_MS * 10, /* busy */ true)];
+    expect(selectIdleEvictionTargets(entries, NOW)).toEqual([]);
+  });
+
+  it('respects a custom TTL', () => {
+    const entries = [entry('a:goose', 5_000), entry('b:qwen', 500)];
+    expect(selectIdleEvictionTargets(entries, NOW, 1_000)).toEqual(['a:goose']);
+  });
+
+  it('treats exactly-at-TTL as evictable (>=)', () => {
+    expect(selectIdleEvictionTargets([entry('a:x', 1_000)], NOW, 1_000)).toEqual(['a:x']);
+  });
+
+  it('returns empty for an empty pool', () => {
+    expect(selectIdleEvictionTargets([], NOW)).toEqual([]);
+  });
+});
+
+describe('selectLruEvictionTargets (3.4)', () => {
+  it('returns nothing when at or under the cap', () => {
+    const entries = [entry('a:x', 10), entry('b:y', 20)];
+    expect(selectLruEvictionTargets(entries, 2)).toEqual([]);
+    expect(selectLruEvictionTargets(entries, 5)).toEqual([]);
+  });
+
+  it('evicts the least-recently-used beyond the cap', () => {
+    // oldest first: c (300ms ago) is LRU, then a (100ms), then b (10ms).
+    const entries = [entry('a:x', 100), entry('b:y', 10), entry('c:z', 300)];
+    expect(selectLruEvictionTargets(entries, 2)).toEqual(['c:z']);
+  });
+
+  it('evicts multiple LRU entries to reach the cap', () => {
+    const entries = [
+      entry('a:x', 100),
+      entry('b:y', 10),
+      entry('c:z', 300),
+      entry('d:w', 200),
+    ];
+    // cap 1: must remove 3, oldest-first c(300), d(200), a(100).
+    expect(selectLruEvictionTargets(entries, 1)).toEqual(['c:z', 'd:w', 'a:x']);
+  });
+
+  it('never evicts a busy entry even if it is the LRU', () => {
+    // c is LRU but busy → it cannot be evicted; fall to the next-oldest (a).
+    const entries = [entry('a:x', 100), entry('b:y', 10), entry('c:z', 300, true)];
+    expect(selectLruEvictionTargets(entries, 2)).toEqual(['a:x']);
+  });
+
+  it('can transiently exceed the cap when too many are busy', () => {
+    // cap 1, but both old entries busy → only the single idle one is evictable.
+    const entries = [entry('a:x', 100, true), entry('c:z', 300, true), entry('b:y', 10)];
+    expect(selectLruEvictionTargets(entries, 1)).toEqual(['b:y']);
+  });
+
+  it('uses the default cap when omitted', () => {
+    const entries = Array.from({ length: DEFAULT_MAX_LIVE_BACKENDS + 1 }, (_, i) =>
+      entry(`k${String(i).padStart(2, '0')}:a`, (i + 1) * 1000),
+    );
+    const evicted = selectLruEvictionTargets(entries);
+    // exactly one over the default cap → evict the single LRU (largest age).
+    expect(evicted).toHaveLength(1);
+    expect(evicted[0]).toBe(`k${String(DEFAULT_MAX_LIVE_BACKENDS).padStart(2, '0')}:a`);
+  });
+});
+
+describe('decideRestart (3.2, busy-aware)', () => {
+  const base = {
+    consecutiveFailures: 0,
+    busy: false,
+    unhealthyBusySince: 0,
+    now: NOW,
+    failureThreshold: 3,
+    staleBusyGraceMs: 120_000,
+  };
+
+  it('does nothing when healthy', () => {
+    expect(decideRestart({ ...base, processExited: false, healthy: true }))
+      .toEqual({ action: 'none', reason: 'healthy' });
+  });
+
+  it('restarts immediately when the process exited', () => {
+    expect(decideRestart({ ...base, processExited: true, busy: true }))
+      .toEqual({ action: 'restart', reason: 'process-exited' });
+  });
+
+  it('waits below the failure threshold', () => {
+    expect(decideRestart({ ...base, processExited: false, consecutiveFailures: 2 }))
+      .toEqual({ action: 'wait', reason: 'below-threshold' });
+  });
+
+  it('restarts at the threshold when idle', () => {
+    expect(decideRestart({ ...base, processExited: false, consecutiveFailures: 3 }))
+      .toEqual({ action: 'restart', reason: 'threshold' });
+  });
+
+  it('defers a restart while busy within the grace window', () => {
+    expect(decideRestart({
+      ...base, processExited: false, consecutiveFailures: 5, busy: true,
+      unhealthyBusySince: NOW - 1_000,
+    })).toEqual({ action: 'wait', reason: 'busy-grace' });
+  });
+
+  it('force-restarts a busy backend after the stale-busy grace', () => {
+    expect(decideRestart({
+      ...base, processExited: false, consecutiveFailures: 5, busy: true,
+      unhealthyBusySince: NOW - 120_001,
+    })).toEqual({ action: 'restart', reason: 'stale-busy-grace' });
+  });
+
+  it('waits (busy-grace) when busy + threshold but the window just started', () => {
+    // unhealthyBusySince === 0 means the caller is about to stamp it this cycle.
+    expect(decideRestart({
+      ...base, processExited: false, consecutiveFailures: 5, busy: true,
+      unhealthyBusySince: 0,
+    })).toEqual({ action: 'wait', reason: 'busy-grace' });
+  });
+});
+
+describe('selectOrphanWorktreeTargets (3.4)', () => {
+  it('skips dirs tracked by a live worktrees row', () => {
+    const onDisk = [{ path: '/wt/sess-a', mtimeMs: NOW - 10_000_000 }];
+    expect(selectOrphanWorktreeTargets(onDisk, new Set(['/wt/sess-a']), NOW, 1000)).toEqual([]);
+  });
+
+  it('reaps an untracked dir older than the grace', () => {
+    const onDisk = [{ path: '/wt/sess-orphan', mtimeMs: NOW - 5000 }];
+    expect(selectOrphanWorktreeTargets(onDisk, new Set(), NOW, 1000)).toEqual(['/wt/sess-orphan']);
+  });
+
+  it('never reaps a dir younger than the grace (mid-create race)', () => {
+    const onDisk = [{ path: '/wt/sess-fresh', mtimeMs: NOW - 500 }];
+    expect(selectOrphanWorktreeTargets(onDisk, new Set(), NOW, 1000)).toEqual([]);
+  });
+
+  it('mixes tracked, fresh, and orphaned correctly', () => {
+    const onDisk = [
+      { path: '/wt/sess-live', mtimeMs: NOW - 10_000 },
+      { path: '/wt/sess-fresh', mtimeMs: NOW - 100 },
+      { path: '/wt/sess-orphan', mtimeMs: NOW - 10_000 },
+    ];
+    expect(selectOrphanWorktreeTargets(onDisk, new Set(['/wt/sess-live']), NOW, 1000))
+      .toEqual(['/wt/sess-orphan']);
+  });
+});

apps/coder/src/services/backends/__tests__/opencode-usage.test.ts

@@ -0,0 +1,51 @@
+import { describe, it, expect } from 'vitest';
+import { stepEndedToUsage } from '../opencode-usage.js';
+
+describe('stepEndedToUsage (U.6)', () => {
+  it('folds cache read+write into input and reasoning into output', () => {
+    const u = stepEndedToUsage({
+      cost: 0.0123,
+      tokens: { input: 100, output: 50, reasoning: 20, cache: { read: 10, write: 5 } },
+    });
+    expect(u).toEqual({ input: 115, output: 70, cost: 0.0123 });
+  });
+
+  it('handles a step with no cache and no reasoning', () => {
+    const u = stepEndedToUsage({
+      cost: 0,
+      tokens: { input: 8, output: 4, reasoning: 0, cache: { read: 0, write: 0 } },
+    });
+    expect(u).toEqual({ input: 8, output: 4, cost: 0 });
+  });
+
+  it('is defensive against a missing tokens block', () => {
+    const u = stepEndedToUsage({ cost: 0.5 } as never);
+    expect(u).toEqual({ input: 0, output: 0, cost: 0.5 });
+  });
+
+  it('is defensive against undefined props', () => {
+    expect(stepEndedToUsage(undefined)).toEqual({ input: 0, output: 0, cost: 0 });
+  });
+
+  it('drops NaN / negative noise to zero rather than poisoning the accumulated total', () => {
+    const u = stepEndedToUsage({
+      cost: Number.NaN,
+      tokens: {
+        input: -5,
+        output: Number.NaN,
+        reasoning: 3,
+        cache: { read: Number.POSITIVE_INFINITY, write: 2 },
+      },
+    });
+    // input: (-5→0) + (Inf→0) + 2 = 2; output: (NaN→0) + 3 = 3; cost: NaN→0
+    expect(u).toEqual({ input: 2, output: 3, cost: 0 });
+  });
+
+  it('rounds fractional token counts', () => {
+    const u = stepEndedToUsage({
+      cost: 1.5,
+      tokens: { input: 10.6, output: 4.4, reasoning: 0, cache: { read: 0, write: 0 } },
+    });
+    expect(u).toEqual({ input: 11, output: 4, cost: 1.5 });
+  });
+});

apps/coder/src/services/backends/__tests__/turn-guard.test.ts

@@ -0,0 +1,34 @@
+import { describe, it, expect } from 'vitest';
+import {
+  armAbortGuard,
+  noteTurnActivity,
+  consumeTerminal,
+  type AbortTerminalGuard,
+} from '../turn-guard.js';
+
+describe('post-abort terminal guard (F.1)', () => {
+  it('swallows the orphan terminal that follows an abort, then settles the next real one', () => {
+    // Reproduces the v2.6.5 Stop-button bug: abort turn A, then opencode emits a
+    // trailing session.idle for A. That orphan must NOT settle the next turn.
+    const g: AbortTerminalGuard = { swallowNextTerminal: false };
+
+    armAbortGuard(g); // user aborts turn A
+    expect(consumeTerminal(g)).toBe('swallow'); // opencode's orphan idle for A → dropped
+    expect(consumeTerminal(g)).toBe('settle'); // turn B's real idle → settles B
+  });
+
+  it('settles a terminal when no abort happened', () => {
+    const g: AbortTerminalGuard = { swallowNextTerminal: false };
+    expect(consumeTerminal(g)).toBe('settle');
+  });
+
+  it('self-heals if the orphan never arrives: new-turn activity clears the guard', () => {
+    // If opencode emits no orphan idle (e.g. abort-before-prompt), the next turn's
+    // real terminal must still settle rather than being swallowed forever.
+    const g: AbortTerminalGuard = { swallowNextTerminal: false };
+
+    armAbortGuard(g); // abort A, but no orphan idle arrives
+    noteTurnActivity(g); // turn B produces its first delta
+    expect(consumeTerminal(g)).toBe('settle'); // turn B's idle settles, not swallowed
+  });
+});

apps/coder/src/services/backends/__tests__/warm-acp-routing.test.ts

@@ -0,0 +1,59 @@
+import { describe, it, expect } from 'vitest';
+import { shouldUseWarmBackend, isTurnOkForStopReason } from '../warm-acp-routing.js';
+
+/**
+ * Phase 2 routing predicate: which goose/qwen tasks go to the warm pool backend
+ * vs the existing one-shot ACP path.
+ *
+ * The warm backend is keyed (chat_id, agent) — the persistent context unit (same
+ * as opencode-server). A task only routes warm when it carries BOTH a session_id
+ * and a chat_id, i.e. it originates from a real chat tab (the coder message route
+ * stamps both). Session-less creators (arena, MCP-created, generic /api/tasks,
+ * new_task) lack chat_id/session_id and keep the one-shot worktree-per-task path,
+ * which never spawns a warm process.
+ */
+describe('shouldUseWarmBackend (Phase 2 routing)', () => {
+  it('routes a chat-tab task (session_id + chat_id) to the warm backend', () => {
+    expect(shouldUseWarmBackend({ agent: 'qwen', session_id: 's1', chat_id: 'c1' })).toBe(true);
+    expect(shouldUseWarmBackend({ agent: 'goose', session_id: 's1', chat_id: 'c1' })).toBe(true);
+  });
+
+  it('keeps a session-less arena/MCP task on the one-shot path', () => {
+    expect(shouldUseWarmBackend({ agent: 'qwen', session_id: null, chat_id: null })).toBe(false);
+  });
+
+  it('keeps a task with a session but no chat on the one-shot path', () => {
+    // chat_id is the warm-key half; without it ensureSession would get a degenerate
+    // (null, agent) key, so fall back to one-shot rather than synthesize a chat.
+    expect(shouldUseWarmBackend({ agent: 'goose', session_id: 's1', chat_id: null })).toBe(false);
+  });
+
+  it('keeps a task with a chat but no session on the one-shot path', () => {
+    expect(shouldUseWarmBackend({ agent: 'qwen', session_id: null, chat_id: 'c1' })).toBe(false);
+  });
+
+  it('only applies to warm-capable agents (goose, qwen); others never warm here', () => {
+    // opencode has its own dedicated warm path; native/claude/etc. are not ACP-warm.
+    expect(shouldUseWarmBackend({ agent: 'opencode', session_id: 's1', chat_id: 'c1' })).toBe(false);
+    expect(shouldUseWarmBackend({ agent: 'claude', session_id: 's1', chat_id: 'c1' })).toBe(false);
+    expect(shouldUseWarmBackend({ agent: null, session_id: 's1', chat_id: 'c1' })).toBe(false);
+  });
+});
+
+describe('isTurnOkForStopReason (ACP stop-reason → ok/fail)', () => {
+  it('treats normal completions as ok', () => {
+    expect(isTurnOkForStopReason('end_turn')).toBe(true);
+    expect(isTurnOkForStopReason('max_tokens')).toBe(true);
+    expect(isTurnOkForStopReason('max_turn_requests')).toBe(true);
+  });
+
+  it('treats refusal and cancelled as failures', () => {
+    expect(isTurnOkForStopReason('refusal')).toBe(false);
+    expect(isTurnOkForStopReason('cancelled')).toBe(false);
+  });
+
+  it('defaults an absent stop reason to a successful end_turn', () => {
+    expect(isTurnOkForStopReason(undefined)).toBe(true);
+    expect(isTurnOkForStopReason(null)).toBe(true);
+  });
+});

apps/coder/src/services/backends/lifecycle-decisions.ts

@@ -0,0 +1,197 @@
+/**
+ * v2.6 Phase 3 — pure lifecycle decision helpers.
+ *
+ * The eviction / LRU-cap / busy-aware-restart / reaper-target logic, factored out
+ * of AgentPool + the backends + the periodic sweeper so it's unit-testable with no
+ * DB, no child processes, no timers (modeled on
+ * apps/server/src/services/inference/prune.ts:selectPruneTargets — a pure decision
+ * core the caller acts on).
+ *
+ * Three decisions live here:
+ *   1. selectIdleEvictionTargets — which warm backends to evict for being idle.
+ *   2. selectLruEvictionTargets — which warm backends to evict to honour a max-live
+ *      cap (least-recently-used beyond the cap), NEVER a busy one.
+ *   3. shouldRestartCrashedBackend (busy-aware) — openchamber's skip-while-busy +
+ *      stale-grace state machine, re-implemented for BooCode's per-(chat,agent) pool.
+ *
+ * "Busy" = the backend has an in-flight turn. The hard rule (design §6, decisions):
+ * never evict or force-restart a busy backend; defer with a stale-grace.
+ */
+
+// ─── Idle TTL eviction (3.1) ─────────────────────────────────────────────────
+
+/** Default idle TTL before a warm backend/session is evicted (design §6 ~30 min). */
+export const DEFAULT_IDLE_TTL_MS = 30 * 60 * 1000;
+
+/** A pool entry as the decision helpers see it (no backend internals). */
+export interface PoolEntrySnapshot {
+  /** Pool key `${primary}:${agent}` — opaque to the decision, used for selection. */
+  key: string;
+  /** Epoch ms of the last turn activity (start or settle) on this backend. */
+  lastActiveAt: number;
+  /** True iff a turn is in flight right now. Busy entries are never evicted. */
+  busy: boolean;
+}
+
+/**
+ * Idle eviction: an entry is evictable when it has been idle (no turn) for longer
+ * than `ttlMs` AND is not currently busy. Returns the keys to evict.
+ *
+ * Pure: `now` is injected so tests don't depend on wall-clock. Busy entries are
+ * categorically excluded — a long-running turn that exceeds the TTL must NOT be
+ * torn down mid-stream (the §6 / openchamber busy rule).
+ */
+export function selectIdleEvictionTargets(
+  entries: ReadonlyArray<PoolEntrySnapshot>,
+  now: number,
+  ttlMs: number = DEFAULT_IDLE_TTL_MS,
+): string[] {
+  const out: string[] = [];
+  for (const e of entries) {
+    if (e.busy) continue;
+    if (now - e.lastActiveAt >= ttlMs) out.push(e.key);
+  }
+  return out;
+}
+
+// ─── LRU cap (3.4) ───────────────────────────────────────────────────────────
+
+/** Default max live warm backends/worktrees before the LRU cap evicts (env-overridable). */
+export const DEFAULT_MAX_LIVE_BACKENDS = 10;
+
+/**
+ * LRU cap: when more than `cap` non-busy entries are live, evict the
+ * least-recently-used ones (oldest `lastActiveAt` first) until at most `cap`
+ * remain. Busy entries are never evicted AND are not counted toward the cap's
+ * "kept" budget being freed — i.e. we only ever evict idle entries, so a burst of
+ * concurrent busy turns can transiently exceed the cap rather than kill live work.
+ *
+ * Returns the keys to evict, least-recently-used first. Pure / deterministic:
+ * ties broken by key for stable test output.
+ */
+export function selectLruEvictionTargets(
+  entries: ReadonlyArray<PoolEntrySnapshot>,
+  cap: number = DEFAULT_MAX_LIVE_BACKENDS,
+): string[] {
+  if (cap < 0) cap = 0;
+  if (entries.length <= cap) return [];
+  // Only idle entries are eligible to be evicted.
+  const evictable = entries
+    .filter((e) => !e.busy)
+    .sort((a, b) => a.lastActiveAt - b.lastActiveAt || (a.key < b.key ? -1 : a.key > b.key ? 1 : 0));
+  // We must shrink total live count down to `cap`. Busy entries can't be evicted,
+  // so the number we CAN remove is bounded by the evictable pool; evict the oldest
+  // (total - cap) of them, never more than exist.
+  const overBy = entries.length - cap;
+  const toEvict = evictable.slice(0, Math.max(0, overBy));
+  return toEvict.map((e) => e.key);
+}
+
+// ─── Busy-aware crash restart (3.2) — openchamber lift ───────────────────────
+
+/**
+ * Default grace after which a backend that has stayed unhealthy WHILE busy is
+ * force-restarted anyway (openchamber's STALE_BUSY_GRACE_MS = 2 min). Guards
+ * against a permanently-stuck "busy" turn wedging recovery forever.
+ */
+export const DEFAULT_STALE_BUSY_GRACE_MS = 2 * 60 * 1000;
+
+/** Default consecutive health-check failures before a restart is attempted. */
+export const DEFAULT_HEALTH_FAILURE_THRESHOLD = 3;
+
+export interface RestartDecisionInput {
+  /** True iff the process is actually dead (exited). A dead process restarts
+   *  immediately regardless of busy/threshold — there's nothing to protect. */
+  processExited: boolean;
+  /** Consecutive failed health probes so far (including the current one). */
+  consecutiveFailures: number;
+  /** Whether the backend currently has an in-flight turn. */
+  busy: boolean;
+  /** Epoch ms when the unhealthy-while-busy window started, or 0 if not in one. */
+  unhealthyBusySince: number;
+  /** Injected clock. */
+  now: number;
+  failureThreshold?: number;
+  staleBusyGraceMs?: number;
+}
+
+export type RestartDecision =
+  | { action: 'restart'; reason: 'process-exited' | 'threshold' | 'stale-busy-grace' }
+  | { action: 'wait'; reason: 'below-threshold' | 'busy-grace' }
+  | { action: 'none'; reason: 'healthy' };
+
+/**
+ * Decide whether to restart a backend after a health probe. Mirrors
+ * openchamber's `runHealthCheckCycle` + `shouldSkipRestartForBusySessions`,
+ * re-implemented as a pure function over injected state (the caller owns the
+ * mutable counters + the actual restart side-effect).
+ *
+ * Order (matches openchamber):
+ *   - process exited            → restart now (nothing live to protect).
+ *   - below failure threshold   → wait (transient blip; the next probe re-checks).
+ *   - threshold reached + idle   → restart now.
+ *   - threshold reached + busy   → skip UNLESS the unhealthy-busy window exceeded
+ *                                  the stale grace, then force restart.
+ *
+ * `healthy: true` callers don't reach here; included for completeness so the
+ * caller can pass through and reset counters on a single code path.
+ */
+export function decideRestart(input: RestartDecisionInput & { healthy?: boolean }): RestartDecision {
+  if (input.healthy) return { action: 'none', reason: 'healthy' };
+  if (input.processExited) return { action: 'restart', reason: 'process-exited' };
+
+  const threshold = input.failureThreshold ?? DEFAULT_HEALTH_FAILURE_THRESHOLD;
+  if (input.consecutiveFailures < threshold) {
+    return { action: 'wait', reason: 'below-threshold' };
+  }
+
+  if (!input.busy) {
+    return { action: 'restart', reason: 'threshold' };
+  }
+
+  // Busy + unhealthy at/over threshold: defer, but not forever.
+  const grace = input.staleBusyGraceMs ?? DEFAULT_STALE_BUSY_GRACE_MS;
+  if (input.unhealthyBusySince > 0 && input.now - input.unhealthyBusySince >= grace) {
+    return { action: 'restart', reason: 'stale-busy-grace' };
+  }
+  return { action: 'wait', reason: 'busy-grace' };
+}
+
+// ─── Orphan worktree reaper target selection (3.4) ───────────────────────────
+
+/** Default TTL: an on-disk worktree dir with no live `worktrees` row is reaped
+ *  only after it's been orphaned at least this long (mtime-based grace so a
+ *  just-created dir mid-`ensureSessionWorktree` race is never swept). */
+export const DEFAULT_ORPHAN_WORKTREE_GRACE_MS = 60 * 60 * 1000; // 1h
+
+export interface OnDiskWorktree {
+  /** Absolute path of the worktree dir on disk. */
+  path: string;
+  /** Last-modified epoch ms of the dir (newest of dir + contents, caller's choice). */
+  mtimeMs: number;
+}
+
+/**
+ * Reaper target selection: which on-disk worktree dirs are orphans safe to
+ * inspect-and-reap. An orphan is a dir under the worktree base that has NO live
+ * `worktrees` row (path not in `liveWorktreePaths`) AND whose mtime is older than
+ * the grace window (so an in-flight create isn't swept).
+ *
+ * Pure — the caller (the sweeper) then runs the at-risk preflight (dirty/unpushed)
+ * on each returned path and only physically removes the SAFE ones. This helper
+ * never decides to remove work-at-risk; it only narrows the candidate set.
+ */
+export function selectOrphanWorktreeTargets(
+  onDisk: ReadonlyArray<OnDiskWorktree>,
+  liveWorktreePaths: ReadonlySet<string>,
+  now: number,
+  graceMs: number = DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
+): string[] {
+  const out: string[] = [];
+  for (const w of onDisk) {
+    if (liveWorktreePaths.has(w.path)) continue; // tracked → not an orphan
+    if (now - w.mtimeMs < graceMs) continue; // too fresh → could be mid-create
+    out.push(w.path);
+  }
+  return out;
+}

apps/coder/src/services/backends/opencode-usage.ts

@@ -0,0 +1,77 @@
+/**
+ * v2.6 Phase 1-UX (U.6) — pure mapper for opencode's per-step usage event.
+ *
+ * opencode's warm server emits `session.next.step.ended` once per completed LLM
+ * step (so a multi-tool turn fires it several times). Its `properties` carry the
+ * step's token + cost accounting:
+ *
+ *   {
+ *     timestamp: number;
+ *     sessionID: string;
+ *     finish: string;
+ *     cost: number;                                  // USD for this step
+ *     tokens: {
+ *       input: number; output: number; reasoning: number;
+ *       cache: { read: number; write: number };
+ *     };
+ *     snapshot?: string;
+ *   }
+ *
+ * (Verified against @opencode-ai/sdk@1.15.12 — `EventSessionNextStepEnded` in
+ * `dist/v2/gen/types.gen.d.ts`, a member of the `Event` union the SSE loop
+ * switches on.)
+ *
+ * We normalize to the review's target slice `{input, output, cost}` (the
+ * provider-agnostic `AgentUsage` shape lands later). cache read/write tokens are
+ * folded into `input` so the persisted input count reflects the real context the
+ * model billed for; reasoning tokens are folded into `output` since that's what
+ * the provider counts them as for generation. This keeps the persisted totals a
+ * faithful sum of what opencode reported, without inventing extra columns yet.
+ */
+
+/** The `properties` shape of a `session.next.step.ended` event (subset we read). */
+export interface StepEndedProps {
+  cost: number;
+  tokens: {
+    input: number;
+    output: number;
+    reasoning: number;
+    cache: { read: number; write: number };
+  };
+}
+
+/** Normalized per-step usage delta persisted onto the agent_sessions row. */
+export interface StepUsage {
+  input: number;
+  output: number;
+  cost: number;
+}
+
+/** Coerce a possibly-missing/NaN number to a non-negative finite integer (tokens). */
+function n(v: unknown): number {
+  const x = typeof v === 'number' ? v : Number(v);
+  return Number.isFinite(x) && x > 0 ? Math.round(x) : 0;
+}
+
+/** Coerce a possibly-missing/NaN number to a non-negative finite float (cost USD). */
+function f(v: unknown): number {
+  const x = typeof v === 'number' ? v : Number(v);
+  return Number.isFinite(x) && x > 0 ? x : 0;
+}
+
+/**
+ * Map a `session.next.step.ended` payload → the normalized `{input, output, cost}`
+ * delta. Defensive against missing/partial token blocks (the wire is trusted but
+ * we never want a NaN to poison the accumulated DB total). `input` folds in cache
+ * read+write; `output` folds in reasoning.
+ */
+export function stepEndedToUsage(props: Partial<StepEndedProps> | undefined): StepUsage {
+  const t = props?.tokens;
+  const cacheRead = n(t?.cache?.read);
+  const cacheWrite = n(t?.cache?.write);
+  return {
+    input: n(t?.input) + cacheRead + cacheWrite,
+    output: n(t?.output) + n(t?.reasoning),
+    cost: f(props?.cost),
+  };
+}

apps/coder/src/services/backends/turn-guard.ts

@@ -0,0 +1,38 @@
+/**
+ * Guard against opencode's post-abort "orphan" terminal event (F.1).
+ *
+ * When a turn is aborted (`client.session.abort`), opencode emits one trailing
+ * `session.idle` / `session.error` for the cancelled turn. Without a guard that
+ * orphan settles whatever turn currently holds the session slot — which, after
+ * the user immediately sends another message, is the NEXT turn, settling it early
+ * as success (the v2.6.5 Stop-button bug). opencode terminal events carry only a
+ * `sessionID` (no turn id), so we can't match by id; instead we swallow exactly
+ * one terminal per abort, and self-heal if that orphan never arrives.
+ */
+export interface AbortTerminalGuard {
+  /** True between an abort and the orphan terminal event that follows it. */
+  swallowNextTerminal: boolean;
+}
+
+/** Arm on abort: the next terminal event for this session is the orphan. */
+export function armAbortGuard(g: AbortTerminalGuard): void {
+  g.swallowNextTerminal = true;
+}
+
+/**
+ * A new turn produced activity (delta) → the orphan window is over. Self-heals
+ * the case where opencode emits no orphan idle (e.g. abort-before-prompt), so a
+ * real terminal still settles instead of being swallowed forever.
+ */
+export function noteTurnActivity(g: AbortTerminalGuard): void {
+  g.swallowNextTerminal = false;
+}
+
+/** Decide a terminal (idle/error): swallow the post-abort orphan once, else settle. */
+export function consumeTerminal(g: AbortTerminalGuard): 'swallow' | 'settle' {
+  if (g.swallowNextTerminal) {
+    g.swallowNextTerminal = false;
+    return 'swallow';
+  }
+  return 'settle';
+}

apps/coder/src/services/backends/warm-acp-routing.ts

@@ -0,0 +1,41 @@
+/**
+ * v2.6 Phase 2 — warm-vs-one-shot routing predicate for goose/qwen.
+ *
+ * The warm ACP backend keys its persistent process + ACP session on (chat_id,
+ * agent) — exactly like the opencode-server backend. A task therefore only routes
+ * to the warm pool when it carries BOTH a `session_id` and a `chat_id`, i.e. it
+ * came from a real chat tab (the coder message route + skills route stamp both).
+ *
+ * Session-less creators — arena contestants, MCP-created tasks, generic
+ * `POST /api/tasks`, `new_task` — leave one or both null. Those keep the existing
+ * one-shot worktree-per-task ACP path (`runExternalAgent`), which spawns a fresh
+ * `goose acp` / `qwen --acp` per turn and never holds a warm process. Routing them
+ * warm would either synthesize a degenerate (null, agent) key or create a chat per
+ * arena contestant — neither is wanted, so they stay one-shot.
+ *
+ * Pure, so it's unit-testable; the dispatcher consumes it.
+ */
+const WARM_CAPABLE_AGENTS = new Set(['goose', 'qwen']);
+
+export function shouldUseWarmBackend(task: {
+  agent: string | null;
+  session_id: string | null;
+  chat_id: string | null;
+}): boolean {
+  if (!task.agent || !WARM_CAPABLE_AGENTS.has(task.agent)) return false;
+  return task.session_id != null && task.chat_id != null;
+}
+
+/**
+ * Map an ACP prompt `stopReason` to the backend's ok/fail contract (TurnResult.ok).
+ *
+ * ACP's `StopReason` union includes normal completions (`end_turn`, `max_tokens`,
+ * `max_turn_requests`) and abnormal ones (`refusal`, `cancelled`). Only the latter
+ * two read as a failed turn; everything else (including an undefined/absent reason,
+ * which we default to `end_turn`) is a successful completion. Pure so it's testable
+ * independently of the warm process.
+ */
+export function isTurnOkForStopReason(stopReason: string | null | undefined): boolean {
+  const reason = stopReason ?? 'end_turn';
+  return reason !== 'refusal' && reason !== 'cancelled';
+}

apps/coder/src/services/backends/warm-acp.ts

@@ -0,0 +1,417 @@
+/**
+ * v2.6 Phase 2 — WarmAcpBackend (goose, qwen).
+ *
+ * One persistent stdio process + ONE `ClientSideConnection` per (chat, agent),
+ * `initialize` + `session/new` done ONCE, reused across every turn — the warm
+ * analogue of the previous one-shot `acp-dispatch.ts` (which spawned/torn-down a
+ * fresh `goose acp` / `qwen --acp` per turn). Mirrors Paseo's `SpawnedACPProcess`.
+ *
+ * Implements the Phase 0 `AgentBackend` interface (same contract as
+ * `OpenCodeServerBackend`). Emits transport-agnostic `AgentEvent`s via the SHARED
+ * `mapSessionUpdate` (reused verbatim from the one-shot stack); the dispatcher maps
+ * those to WS frames + `persistExternalAgentTurn`, unchanged.
+ *
+ * Lifecycle decisions (design.md §2b / §10):
+ *   - **Child lifetime is the pool's, not a request's.** Spawned once; never tied
+ *     to a per-turn abort signal. Only the in-flight `prompt` gets `ctx.signal` —
+ *     abort = ACP `session/cancel`, NOT killing the child.
+ *   - **Per-turn abort** cancels the prompt on the warm connection so the SAME
+ *     process serves the next turn.
+ *   - **Crash** (child exit) marks `agent_sessions.status='crashed'` + logs; the
+ *     next `ensureSession` re-spawns + re-`session/new` (Phase 3 hardens auto-restart).
+ *   - **Resume across a process restart is NOT attempted in Phase 2.** goose ACP
+ *     advertises no `loadSession`/`session.resume`; qwen does, but cross-restart
+ *     resume is Phase 3. Within ONE live process the ACP session persists across
+ *     turns (the whole point of "warm"); a restart re-`session/new` (memory loss
+ *     across restart, accepted per §10). The agent's resume capabilities ARE
+ *     probed and logged for forward-compat.
+ *
+ * Each WarmAcpBackend instance owns exactly one (chat, agent) — the dispatcher
+ * pools them under `agentPool.register(chatId, agent, backend)`.
+ *
+ * SDK note (@agentclientprotocol/sdk@^0.22.1, cross-checked against the design's
+ * `^0.14` worry): the resume method is the STABLE `resumeSession` (`session/resume`,
+ * gated by `agentCapabilities.sessionCapabilities.resume`), NOT the `^0.14`
+ * `unstable_resumeSession`. `loadSession` is gated by `agentCapabilities.loadSession`.
+ */
+import { spawn, type ChildProcess } from 'node:child_process';
+import type { FastifyBaseLogger } from 'fastify';
+import {
+  ClientSideConnection,
+  type Client,
+  type SessionNotification,
+  type RequestPermissionRequest,
+  type RequestPermissionResponse,
+  type ReadTextFileRequest,
+  type ReadTextFileResponse,
+  type WriteTextFileRequest,
+  type WriteTextFileResponse,
+  type CreateTerminalRequest,
+  type CreateTerminalResponse,
+  type CreateElicitationRequest,
+  type CreateElicitationResponse,
+} from '@agentclientprotocol/sdk';
+import type { Sql } from '../../db.js';
+import { resolveLaunchSpec } from '../acp-spawn.js';
+import { isTurnOkForStopReason } from './warm-acp-routing.js';
+import { getResolvedRegistry, type ResolvedProviderDef } from '../provider-config-registry.js';
+import { createAcpNdJsonStream } from '../acp-stream.js';
+import { mapSessionUpdate } from '../acp-event-map.js';
+import { readWorktreeTextFile, writeWorktreeTextFile } from '../acp-client-fs.js';
+import { waitForPermissionResponse, waitForElicitationResponse, cancelPendingPermission } from '../permission-waiter.js';
+import { type AcpToolSnapshot, synthesizeCanceledSnapshots } from '../acp-tool-snapshot.js';
+import type {
+  AgentBackend,
+  AgentEvent,
+  AgentSessionHandle,
+  EnsureSessionOpts,
+  PromptCtx,
+  TurnResult,
+} from '../agent-backend.js';
+
+/** State for one in-flight turn (only one at a time per backend — turns serialize). */
+interface TurnState {
+  /** Per-turn task id, for routing permission prompts back to the UI. */
+  taskId: string | undefined;
+  /** BooCode session id for permission-waiter's broker frames. */
+  sessionId: string;
+  /** Per-turn mode id (autonomous-mode gate in permission-waiter). */
+  modeId: string | undefined;
+  onEvent: (e: AgentEvent) => void;
+  /** Tool-call snapshot accumulator for this turn — merge across tool_call_update. */
+  snapshots: Map<string, AcpToolSnapshot>;
+}
+
+export interface WarmAcpBackendDeps {
+  sql: Sql;
+  log: FastifyBaseLogger;
+  /** The (chat, agent) this backend serves — its pool identity + DB key. */
+  chatId: string;
+  agent: string;
+  /** Resolved binary for the agent (from available_agents.install_path), or null. */
+  installPath: string | null;
+  /** Optional override of the resolved registry def (defaults to a live lookup). */
+  resolved?: ResolvedProviderDef;
+}
+
+export class WarmAcpBackend implements AgentBackend {
+  readonly backend = 'acp_warm' as const;
+
+  private readonly sql: Sql;
+  private readonly log: FastifyBaseLogger;
+  private readonly chatId: string;
+  private readonly agent: string;
+  private readonly installPath: string | null;
+  private readonly resolvedOverride: ResolvedProviderDef | undefined;
+
+  private child: ChildProcess | null = null;
+  private connection: ClientSideConnection | null = null;
+  /** The single ACP session id for this warm process; null until session/new. */
+  private acpSessionId: string | null = null;
+  private up = false;
+  /** Idempotent spawn guard — one warm process per backend, started lazily. */
+  private starting: Promise<void> | null = null;
+  /** Resume capabilities probed at initialize, logged for forward-compat (Phase 3). */
+  private supportsLoadSession = false;
+  private supportsResumeSession = false;
+
+  /** The current in-flight turn; the Client closures read it. Null between turns. */
+  private activeTurn: TurnState | null = null;
+
+  constructor(deps: WarmAcpBackendDeps) {
+    this.sql = deps.sql;
+    this.log = deps.log;
+    this.chatId = deps.chatId;
+    this.agent = deps.agent;
+    this.installPath = deps.installPath;
+    this.resolvedOverride = deps.resolved;
+  }
+
+  /** §2: liveness for the health endpoint + dispatcher fallback decision. */
+  health(): 'up' | 'down' {
+    return this.up ? 'up' : 'down';
+  }
+
+  /** Phase 3: busy iff this backend's single session has an in-flight turn. The
+   *  pool reads this to skip idle/LRU eviction (never kill the child mid-prompt). */
+  isBusy(): boolean {
+    return this.activeTurn != null;
+  }
+
+  // ─── warm-process lifecycle (2.1 spawn + initialize + session/new ONCE) ───────
+
+  /** Lazy: spawn the warm process on first use. Idempotent — one process per backend. */
+  private ensureProcess(worktreePath: string): Promise<void> {
+    if (this.up && this.connection && this.acpSessionId) return Promise.resolve();
+    if (!this.starting) {
+      this.starting = this.startProcess(worktreePath).catch((err) => {
+        // Reset so a later ensureSession can retry the spawn after a failed start.
+        this.starting = null;
+        throw err;
+      });
+    }
+    return this.starting;
+  }
+
+  private async startProcess(worktreePath: string): Promise<void> {
+    const resolved = this.resolvedOverride ?? getResolvedRegistry().get(this.agent);
+    const spec = resolved ? resolveLaunchSpec(resolved, this.installPath) : null;
+    if (!spec) throw new Error(`warm-acp: agent '${this.agent}' does not support ACP (no launch spec)`);
+
+    this.log.info({ agent: this.agent, chatId: this.chatId, binary: spec.binary, worktreePath }, 'warm-acp: spawning warm process');
+    // Child lifetime is the pool's. NOT tied to any per-turn abort signal — only
+    // the in-flight prompt is cancellable (via ACP session/cancel in prompt()).
+    const child = spawn(spec.binary, spec.args, {
+      cwd: worktreePath,
+      stdio: ['pipe', 'pipe', 'pipe'],
+      env: { ...process.env, ...spec.env },
+    });
+    this.child = child;
+
+    // 2.3: supervise the child; react to its exit, never let a request scope kill it.
+    child.on('exit', (code, signal) => {
+      this.up = false;
+      this.connection = null;
+      this.acpSessionId = null;
+      this.starting = null;
+      this.log.warn({ agent: this.agent, chatId: this.chatId, code, signal }, 'warm-acp: warm process exited — marking crashed (rebuild on next turn)');
+      void this.markCrashed();
+    });
+    // A spawn error (e.g. ENOENT) surfaces here, not as an exit.
+    child.on('error', (err) => {
+      this.up = false;
+      this.log.error({ agent: this.agent, chatId: this.chatId, err: errMsg(err) }, 'warm-acp: warm process error');
+    });
+
+    const stream = createAcpNdJsonStream(child);
+    const connection = new ClientSideConnection(() => this.buildClient(worktreePath), stream);
+
+    const init = await connection.initialize({
+      protocolVersion: 1,
+      clientInfo: { name: 'boocoder', version: '2.6.0' },
+      clientCapabilities: {},
+    });
+    const caps = init.agentCapabilities;
+    this.supportsLoadSession = caps?.loadSession === true;
+    this.supportsResumeSession = caps?.sessionCapabilities?.resume != null;
+
+    const session = await connection.newSession({ cwd: worktreePath, mcpServers: [] });
+    this.connection = connection;
+    this.acpSessionId = session.sessionId;
+    this.up = true;
+    this.log.info(
+      {
+        agent: this.agent,
+        chatId: this.chatId,
+        acpSessionId: session.sessionId,
+        loadSession: this.supportsLoadSession,
+        resumeSession: this.supportsResumeSession,
+      },
+      'warm-acp: warm session ready',
+    );
+  }
+
+  /** Build the ACP Client callbacks ONCE per connection. They read `this.activeTurn`
+   *  so each turn's events/permissions route to the right place — exactly the
+   *  opencode-server `activeTurn` pattern. Worktree-scoped FS like AcpStreamContext. */
+  private buildClient(worktreePath: string): Client {
+    return {
+      sessionUpdate: async (params: SessionNotification): Promise<void> => {
+        const turn = this.activeTurn;
+        if (!turn) return; // between turns — drop (no orphan settles a future turn)
+        for (const event of mapSessionUpdate(params, turn.snapshots)) {
+          turn.onEvent(event);
+        }
+      },
+      requestPermission: async (params: RequestPermissionRequest): Promise<RequestPermissionResponse> => {
+        const turn = this.activeTurn;
+        if (turn?.taskId) {
+          // Route to the UI via the per-turn task id (same as the one-shot path).
+          return waitForPermissionResponse(turn.taskId, turn.sessionId, this.agent, turn.modeId, params);
+        }
+        const firstOption = params.options[0];
+        if (firstOption) return { outcome: { outcome: 'selected', optionId: firstOption.optionId } };
+        return { outcome: { outcome: 'cancelled' } };
+      },
+      readTextFile: async (params: ReadTextFileRequest): Promise<ReadTextFileResponse> => {
+        const content = await readWorktreeTextFile(worktreePath, params.path, params.line, params.limit);
+        return { content };
+      },
+      writeTextFile: async (params: WriteTextFileRequest): Promise<WriteTextFileResponse> => {
+        await writeWorktreeTextFile(worktreePath, params.path, params.content);
+        return {};
+      },
+      createTerminal: async (_params: CreateTerminalRequest): Promise<CreateTerminalResponse> => {
+        return { terminalId: 'noop' };
+      },
+      unstable_createElicitation: async (params: CreateElicitationRequest): Promise<CreateElicitationResponse> => {
+        const turn = this.activeTurn;
+        if (turn?.taskId) {
+          return waitForElicitationResponse(turn.taskId, turn.sessionId, this.agent, turn.modeId, params);
+        }
+        return { action: 'decline' };
+      },
+    };
+  }
+
+  // ─── ensureSession: create-or-reuse the warm session (2.1) ───────────────────
+
+  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
+    await this.ensureProcess(opts.worktreePath);
+    if (!this.acpSessionId) throw new Error('warm-acp: session not ready after ensureProcess');
+
+    // P1.5-b: agent_sessions keys on (chat_id, agent). The ACP session id is the
+    // resume handle WITHIN the live process; across a process restart it's stale,
+    // so ensureProcess re-`session/new` and we upsert the fresh id here.
+    await this.sql`
+      INSERT INTO agent_sessions
+        (chat_id, session_id, worktree_id, agent, backend, agent_session_id, server_port, status, last_active_at)
+      VALUES
+        (${opts.chatId}, ${sessionId}, ${opts.worktreeId}, ${opts.agent}, 'acp_warm', ${this.acpSessionId}, NULL, 'active', clock_timestamp())
+      ON CONFLICT (chat_id, agent) DO UPDATE SET
+        session_id = EXCLUDED.session_id,
+        worktree_id = EXCLUDED.worktree_id,
+        backend = 'acp_warm',
+        agent_session_id = EXCLUDED.agent_session_id,
+        server_port = NULL,
+        status = 'active',
+        last_active_at = clock_timestamp()
+    `.catch((err) => {
+      this.log.warn({ err: errMsg(err), chatId: opts.chatId, agent: opts.agent }, 'warm-acp: agent_sessions upsert failed (non-fatal)');
+    });
+
+    return {
+      sessionId,
+      agent: opts.agent,
+      backend: 'acp_warm',
+      chatId: opts.chatId,
+      worktreeId: opts.worktreeId,
+      agentSessionId: this.acpSessionId,
+      serverPort: null,
+    };
+  }
+
+  // ─── prompt: one turn on the warm connection (2.2) ───────────────────────────
+
+  async prompt(handle: AgentSessionHandle, input: string, ctx: PromptCtx): Promise<TurnResult> {
+    // The warm process may have crashed between ensureSession and here, or this
+    // backend was rebuilt — re-establish before prompting.
+    await this.ensureProcess(ctx.worktreePath);
+    const connection = this.connection;
+    const acpSessionId = this.acpSessionId;
+    if (!connection || !acpSessionId) {
+      return { ok: false, error: 'warm-acp: no live ACP connection' };
+    }
+
+    const snapshots = new Map<string, AcpToolSnapshot>();
+    // taskId routes permission/elicitation prompts back to the UI. The dispatcher
+    // passes it (plus mode) on the per-turn PromptCtx; permission-waiter keys on it.
+    const turn: TurnState = {
+      taskId: ctx.taskId,
+      sessionId: handle.sessionId,
+      modeId: ctx.modeId,
+      onEvent: ctx.onEvent,
+      snapshots,
+    };
+    this.activeTurn = turn;
+
+    // Per-turn abort: cancel the in-flight prompt on the SAME connection — never
+    // kill the child (that's the pool's lifetime). On cancel we also synthesize
+    // 'canceled' updates for any still-running tool calls so the UI doesn't leave
+    // them spinning (mirrors AcpStreamContext.markAborted).
+    let aborted = false;
+    const onAbort = () => {
+      if (aborted) return;
+      aborted = true;
+      connection.cancel({ sessionId: acpSessionId }).catch(() => {});
+      if (ctx.taskId) cancelPendingPermission(ctx.taskId);
+      for (const snap of synthesizeCanceledSnapshots(snapshots.values())) {
+        snapshots.set(snap.toolCallId, snap);
+        ctx.onEvent({ type: 'tool_update', toolCall: snap });
+      }
+    };
+
+    if (ctx.signal.aborted) {
+      this.activeTurn = null;
+      return { ok: false, error: 'aborted' };
+    }
+    ctx.signal.addEventListener('abort', onAbort, { once: true });
+
+    try {
+      const result = await connection.prompt({
+        sessionId: acpSessionId,
+        prompt: [{ type: 'text', text: input }],
+      });
+      if (aborted) return { ok: false, error: 'aborted' };
+      const stopReason = result.stopReason ?? 'end_turn';
+      return isTurnOkForStopReason(stopReason)
+        ? { ok: true }
+        : { ok: false, error: `stop_reason: ${stopReason}` };
+    } catch (err) {
+      if (aborted) return { ok: false, error: 'aborted' };
+      return { ok: false, error: errMsg(err) };
+    } finally {
+      ctx.signal.removeEventListener('abort', onAbort);
+      this.activeTurn = null;
+      await this.sql`
+        UPDATE agent_sessions SET status = 'idle', last_active_at = clock_timestamp()
+        WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
+      `.catch(() => {});
+    }
+  }
+
+  // ─── teardown ────────────────────────────────────────────────────────────────
+
+  async closeSession(handle: AgentSessionHandle): Promise<void> {
+    // Gracefully close the ACP session if the agent supports it; then kill the child.
+    if (this.connection && this.acpSessionId) {
+      await this.connection.closeSession({ sessionId: this.acpSessionId }).catch(() => {});
+    }
+    await this.killChild();
+    await this.sql`
+      UPDATE agent_sessions SET status = 'closed'
+      WHERE chat_id = ${handle.chatId} AND agent = ${handle.agent}
+    `.catch(() => {});
+  }
+
+  async dispose(): Promise<void> {
+    this.up = false;
+    this.activeTurn = null;
+    if (this.connection && this.acpSessionId) {
+      await this.connection.closeSession({ sessionId: this.acpSessionId }).catch(() => {});
+    }
+    await this.killChild();
+    this.connection = null;
+    this.acpSessionId = null;
+    this.starting = null;
+  }
+
+  private async killChild(): Promise<void> {
+    const child = this.child;
+    this.child = null;
+    if (!child || child.killed) return;
+    child.kill('SIGTERM');
+    await new Promise<void>((resolve) => {
+      const t = setTimeout(() => {
+        if (!child.killed) child.kill('SIGKILL');
+        resolve();
+      }, 5_000);
+      t.unref?.();
+      child.once('close', () => {
+        clearTimeout(t);
+        resolve();
+      });
+    });
+  }
+
+  private async markCrashed(): Promise<void> {
+    await this.sql`
+      UPDATE agent_sessions SET status = 'crashed'
+      WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
+    `.catch(() => {});
+  }
+}
+
+function errMsg(e: unknown): string {
+  return e instanceof Error ? e.message : String(e);
+}

apps/coder/src/services/checkpoints.ts

@@ -0,0 +1,306 @@
+/**
+ * write-edit-robustness #4 — worktree checkpoints.
+ *
+ * External agents (opencode / goose / qwen / claude) write DIRECTLY into the
+ * shared session worktree (`/tmp/booworktrees/sess-<id>`); BooCode's own `rewind`
+ * only reverses `pending_changes` against the project root, so it has zero coverage
+ * there. A checkpoint is a pre-turn shadow-commit of the worktree tree (tracked +
+ * untracked) captured WITHOUT touching the real index/working tree, stored in a
+ * private GC-safe ref. `restoreCheckpoint` rewinds the worktree to that commit,
+ * trims the transcript from the anchor message forward, and resets the agent
+ * backend so the next turn re-establishes a fresh context consistent with the
+ * restored files.
+ *
+ * All git goes through hostExec + shellEscape (BooCoder runs on the host; the
+ * worktrees live on the host fs). Checkpoint CREATION is best-effort: a failure
+ * logs and returns null — it must NEVER throw into the dispatch turn.
+ */
+import { randomUUID } from 'node:crypto';
+import type { FastifyBaseLogger } from 'fastify';
+import type { Sql } from '../db.js';
+import { hostExec } from './host-exec.js';
+import { agentPool, OPENCODE_POOL_KEY } from './agent-pool.js';
+import type { AgentSessionHandle } from './agent-backend.js';
+
+/** Minimal shell escape for paths/refs (single-quote wrapping). Mirrors worktrees.ts. */
+function shellEscape(s: string): string {
+  return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+
+/**
+ * Pure builder for the shadow-commit command. Captures tracked + untracked files
+ * in the worktree into a temp index (so the real index/working tree is untouched),
+ * writes a tree, commits it parented on HEAD, and parks the commit under a private
+ * ref `refs/boocode/checkpoints/<id>` so git's GC never reclaims it. Prints ONLY
+ * the resulting SHA on stdout (the trailing `printf '%s'`), so the caller parses
+ * stdout.trim() directly.
+ *
+ * `id` is the row UUID (minted before the ref so the ref name matches the row).
+ * Both the worktree path and the id are shell-escaped.
+ */
+export function buildShadowCommitCommand(worktreePath: string, id: string): string {
+  const wt = shellEscape(worktreePath);
+  const ref = shellEscape(`refs/boocode/checkpoints/${id}`);
+  return (
+    `cd ${wt} && TMP=$(mktemp) && GIT_INDEX_FILE="$TMP" git read-tree HEAD ` +
+    `&& GIT_INDEX_FILE="$TMP" git add -A ` +
+    `&& TREE=$(GIT_INDEX_FILE="$TMP" git write-tree) ` +
+    `&& SHA=$(git commit-tree "$TREE" -p HEAD -m "boocode checkpoint") ` +
+    `&& git update-ref ${ref} "$SHA" && rm -f "$TMP" && printf '%s' "$SHA"`
+  );
+}
+
+export interface CreateCheckpointArgs {
+  chatId: string;
+  sessionId: string | null;
+  worktreeId: string | null;
+  worktreePath: string;
+  messageId: string | null;
+  label?: string | null;
+}
+
+/**
+ * Capture a pre-turn checkpoint of the session worktree. Best-effort: returns the
+ * inserted row's { id, commit_sha } on success, or null on any failure (the turn
+ * proceeds either way — a missing checkpoint just means no restore point for that
+ * turn). NEVER throws.
+ *
+ * The id is minted up front so the git ref name (`refs/boocode/checkpoints/<id>`)
+ * matches the DB row id, keeping ref and row in lockstep.
+ */
+export async function createCheckpoint(
+  sql: Sql,
+  args: CreateCheckpointArgs,
+  opts?: { signal?: AbortSignal; log?: FastifyBaseLogger },
+): Promise<{ id: string; commit_sha: string } | null> {
+  const id = randomUUID();
+  try {
+    const cmd = buildShadowCommitCommand(args.worktreePath, id);
+    const res = await hostExec(cmd, { signal: opts?.signal, timeoutMs: 30_000 });
+    if (res.exitCode !== 0) {
+      opts?.log?.warn(
+        { chatId: args.chatId, worktreePath: args.worktreePath, stderr: res.stderr.trim().slice(0, 500) },
+        'checkpoint: shadow-commit failed (turn proceeds without a checkpoint)',
+      );
+      return null;
+    }
+    const commitSha = res.stdout.trim();
+    if (!commitSha) {
+      opts?.log?.warn(
+        { chatId: args.chatId, worktreePath: args.worktreePath },
+        'checkpoint: shadow-commit produced no SHA (turn proceeds)',
+      );
+      return null;
+    }
+
+    await sql`
+      INSERT INTO checkpoints (id, chat_id, session_id, worktree_id, message_id, commit_sha, label)
+      VALUES (${id}, ${args.chatId}, ${args.sessionId}, ${args.worktreeId}, ${args.messageId}, ${commitSha}, ${args.label ?? null})
+    `;
+    opts?.log?.info({ checkpointId: id, chatId: args.chatId, commitSha }, 'checkpoint: created');
+    return { id, commit_sha: commitSha };
+  } catch (err) {
+    opts?.log?.warn(
+      { chatId: args.chatId, err: err instanceof Error ? err.message : String(err) },
+      'checkpoint: create threw (turn proceeds without a checkpoint)',
+    );
+    return null;
+  }
+}
+
+/** Error the route maps to a 404 when the checkpoint can't be resolved / scoped. */
+export class CheckpointNotFoundError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'CheckpointNotFoundError';
+  }
+}
+
+export interface RestoreCheckpointResult {
+  checkpoint_id: string;
+  messages_deleted: number;
+  worktree_reset: boolean;
+  backend_reset: boolean;
+}
+
+export interface RestoreCheckpointOpts {
+  signal?: AbortSignal;
+  log?: FastifyBaseLogger;
+  /** If set, the checkpoint MUST belong to this session (route scope guard). */
+  sessionId?: string;
+}
+
+interface CheckpointRow {
+  id: string;
+  chat_id: string;
+  session_id: string | null;
+  worktree_id: string | null;
+  message_id: string | null;
+  commit_sha: string;
+  created_at: Date;
+}
+
+/**
+ * Restore a checkpoint: rewind its worktree to the shadow commit, trim the
+ * transcript from the anchor message forward, reset the backend session, and drop
+ * now-orphaned later checkpoints. Throws CheckpointNotFoundError when the
+ * checkpoint is missing or not in the requested session (route → 404).
+ */
+export async function restoreCheckpoint(
+  sql: Sql,
+  checkpointId: string,
+  opts?: RestoreCheckpointOpts,
+): Promise<RestoreCheckpointResult> {
+  // 1. Resolve the checkpoint.
+  const [cp] = await sql<CheckpointRow[]>`
+    SELECT id, chat_id, session_id, worktree_id, message_id, commit_sha, created_at
+    FROM checkpoints WHERE id = ${checkpointId}
+  `;
+  if (!cp) {
+    throw new CheckpointNotFoundError('checkpoint not found');
+  }
+  // Authorization scope (fail-safe): the checkpoint's chat must belong to the
+  // requested session. cp.session_id is a denormalized hint that may be null, so
+  // gating on it directly fails open — resolve the owning session via chats
+  // (authoritative; chat_id is NOT NULL) and deny on any mismatch or missing row.
+  if (opts?.sessionId) {
+    const [owner] = await sql<{ session_id: string | null }[]>`
+      SELECT session_id FROM chats WHERE id = ${cp.chat_id}
+    `;
+    if (!owner || owner.session_id !== opts.sessionId) {
+      throw new CheckpointNotFoundError('checkpoint not in session');
+    }
+  }
+
+  // 2. Resolve the worktree path (by worktree_id, else the session's active one).
+  let worktreePath: string | null = null;
+  if (cp.worktree_id) {
+    const [wt] = await sql<{ path: string }[]>`
+      SELECT path FROM worktrees WHERE id = ${cp.worktree_id}
+    `;
+    worktreePath = wt?.path ?? null;
+  }
+  if (!worktreePath) {
+    const sid = cp.session_id ?? opts?.sessionId ?? null;
+    if (sid) {
+      const [wt] = await sql<{ path: string }[]>`
+        SELECT path FROM worktrees WHERE session_id = ${sid} AND status = 'active' LIMIT 1
+      `;
+      worktreePath = wt?.path ?? null;
+    }
+  }
+
+  // 3. Worktree reset — hard-reset to the shadow commit, then clean untracked.
+  let worktreeReset = false;
+  if (worktreePath) {
+    const resetRes = await hostExec(
+      `git -C ${shellEscape(worktreePath)} reset --hard ${shellEscape(cp.commit_sha)}`,
+      { signal: opts?.signal, timeoutMs: 30_000 },
+    ).catch((err) => {
+      opts?.log?.warn(
+        { checkpointId, err: err instanceof Error ? err.message : String(err) },
+        'checkpoint restore: reset --hard threw',
+      );
+      return null;
+    });
+    if (resetRes && resetRes.exitCode === 0) {
+      const cleanRes = await hostExec(
+        `git -C ${shellEscape(worktreePath)} clean -fd`,
+        { signal: opts?.signal, timeoutMs: 30_000 },
+      ).catch(() => null);
+      worktreeReset = cleanRes != null && cleanRes.exitCode === 0;
+      if (!worktreeReset) {
+        opts?.log?.warn({ checkpointId, worktreePath }, 'checkpoint restore: clean -fd did not succeed');
+      }
+    } else {
+      opts?.log?.warn(
+        { checkpointId, worktreePath, stderr: resetRes?.stderr?.trim()?.slice(0, 500) },
+        'checkpoint restore: reset --hard did not succeed',
+      );
+    }
+  } else {
+    opts?.log?.warn({ checkpointId }, 'checkpoint restore: no worktree path resolved (files not reset)');
+  }
+
+  // 4. Trim the transcript from the anchor message forward. message_parts FK to
+  //    messages is ON DELETE CASCADE (apps/server schema.sql:49), so parts are
+  //    removed with their messages — no explicit parts delete needed.
+  let messagesDeleted = 0;
+  if (cp.message_id) {
+    const deleted = await sql<{ id: string }[]>`
+      DELETE FROM messages
+      WHERE chat_id = ${cp.chat_id}
+        AND created_at >= (SELECT created_at FROM messages WHERE id = ${cp.message_id})
+      RETURNING id
+    `;
+    messagesDeleted = deleted.length;
+  }
+
+  // 5. Backend reset — mark the chat's agent sessions crashed so the next turn
+  //    re-establishes a fresh backend, and evict the live pool session(s) for this
+  //    (chat, agent). Warm backends hold context server-side with no partial
+  //    rewind, so a full reset is the only consistent option (proposal §4).
+  const agentRows = await sql<{ agent: string; backend: string; agent_session_id: string | null; session_id: string | null; worktree_id: string | null }[]>`
+    SELECT agent, backend, agent_session_id, session_id, worktree_id
+    FROM agent_sessions WHERE chat_id = ${cp.chat_id}
+  `;
+  await sql`
+    UPDATE agent_sessions SET status = 'crashed' WHERE chat_id = ${cp.chat_id}
+  `.catch(() => {});
+
+  let backendReset = false;
+  try {
+    // opencode runs on the SHARED server (keyed on a sentinel, not the chat) — close
+    // just this chat's session(s) on it, mirroring the lifecycle close-hook.
+    const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
+    if (ocBackend) {
+      for (const row of agentRows) {
+        if (row.backend !== 'opencode_server' || !row.agent_session_id) continue;
+        const handle: AgentSessionHandle = {
+          sessionId: row.session_id ?? '',
+          agent: row.agent,
+          backend: 'opencode_server',
+          chatId: cp.chat_id,
+          worktreeId: row.worktree_id ?? '',
+          agentSessionId: row.agent_session_id,
+          serverPort: null,
+        };
+        await ocBackend.closeSession(handle).catch((err) => {
+          opts?.log?.warn(
+            { checkpointId, err: err instanceof Error ? err.message : String(err) },
+            'checkpoint restore: opencode closeSession threw',
+          );
+        });
+      }
+    }
+    // Warm-ACP backends are pooled under the chat id — dispose them (kills the
+    // goose/qwen child). closeChat skips busy backends (a live turn isn't torn down).
+    const disposed = await agentPool.closeChat(cp.chat_id);
+    backendReset = true;
+    opts?.log?.info({ checkpointId, chatId: cp.chat_id, disposed }, 'checkpoint restore: backend reset');
+  } catch (err) {
+    opts?.log?.warn(
+      { checkpointId, err: err instanceof Error ? err.message : String(err) },
+      'checkpoint restore: backend reset threw',
+    );
+  }
+
+  // 6. Drop now-orphaned later checkpoints for this chat (their anchor messages were
+  //    just trimmed). Compare `created_at` SERVER-SIDE via a subquery (NOT the JS
+  //    Date round-trip, which truncates the stored microsecond precision to ms and
+  //    would make this checkpoint delete ITSELF), and exclude this checkpoint's own
+  //    id so it always survives — letting the user re-restore to it.
+  await sql`
+    DELETE FROM checkpoints
+    WHERE chat_id = ${cp.chat_id}
+      AND id <> ${cp.id}
+      AND created_at > (SELECT created_at FROM checkpoints WHERE id = ${cp.id})
+  `.catch(() => {});
+
+  return {
+    checkpoint_id: checkpointId,
+    messages_deleted: messagesDeleted,
+    worktree_reset: worktreeReset,
+    backend_reset: backendReset,
+  };
+}

apps/coder/src/services/claude-command-discovery.ts

@@ -0,0 +1,108 @@
+/**
+ * v2.5.11: discover Claude Code's real, enabled commands + plugin skills from
+ * disk so the coder slash menu shows them (claude is PTY — no ACP discovery).
+ *
+ * Scope (v1): user-global only — `~/.claude/commands/*.md` plus the enabled
+ * plugins listed in `~/.claude/settings.json:enabledPlugins` (user-scope install
+ * paths from `~/.claude/plugins/.../installed_plugins.json`). Project-local
+ * plugins and `<cwd>/.claude/commands` are deferred. Names are bare.
+ */
+import { readFileSync, readdirSync, existsSync } from 'node:fs';
+import { homedir } from 'node:os';
+import { join } from 'node:path';
+import type { AgentCommand } from './provider-types.js';
+
+/** Minimal frontmatter reader — single-line `key: value` between `---` fences. */
+function frontmatterField(content: string, field: string): string | undefined {
+  const block = content.match(/^---\r?\n([\s\S]*?)\r?\n---/);
+  if (!block?.[1]) return undefined;
+  const m = block[1].match(new RegExp(`^${field}:\\s*(.+)$`, 'm'));
+  return m?.[1]?.trim().replace(/^["']|["']$/g, '') || undefined;
+}
+
+function readCommandDir(dir: string): AgentCommand[] {
+  if (!existsSync(dir)) return [];
+  let files: string[];
+  try {
+    files = readdirSync(dir);
+  } catch {
+    return [];
+  }
+  const out: AgentCommand[] = [];
+  for (const f of files) {
+    if (!f.endsWith('.md')) continue;
+    let description: string | undefined;
+    try {
+      description = frontmatterField(readFileSync(join(dir, f), 'utf8'), 'description');
+    } catch {
+      /* unreadable — still list the command by name */
+    }
+    out.push({ name: f.slice(0, -3), kind: 'command', ...(description ? { description } : {}) });
+  }
+  return out;
+}
+
+function readSkillDir(dir: string): AgentCommand[] {
+  if (!existsSync(dir)) return [];
+  let entries: string[];
+  try {
+    entries = readdirSync(dir);
+  } catch {
+    return [];
+  }
+  const out: AgentCommand[] = [];
+  for (const sub of entries) {
+    const skillMd = join(dir, sub, 'SKILL.md');
+    if (!existsSync(skillMd)) continue;
+    let content: string;
+    try {
+      content = readFileSync(skillMd, 'utf8');
+    } catch {
+      continue;
+    }
+    out.push({
+      name: frontmatterField(content, 'name') ?? sub,
+      kind: 'skill',
+      ...(() => {
+        const d = frontmatterField(content, 'description');
+        return d ? { description: d } : {};
+      })(),
+    });
+  }
+  return out;
+}
+
+export function discoverClaudeCommands(): AgentCommand[] {
+  const root = join(homedir(), '.claude');
+  const out: AgentCommand[] = [];
+
+  // User custom commands.
+  out.push(...readCommandDir(join(root, 'commands')));
+
+  // Enabled plugins (user-scope installs).
+  try {
+    const settings = JSON.parse(readFileSync(join(root, 'settings.json'), 'utf8')) as {
+      enabledPlugins?: Record<string, boolean>;
+    };
+    const installed = JSON.parse(
+      readFileSync(join(root, 'plugins', 'installed_plugins.json'), 'utf8'),
+    ) as { plugins?: Record<string, Array<{ scope?: string; installPath?: string }>> };
+
+    const enabled = settings.enabledPlugins ?? {};
+    const plugins = installed.plugins ?? {};
+    for (const [key, on] of Object.entries(enabled)) {
+      if (!on) continue;
+      const installs = plugins[key] ?? [];
+      const installPath = (installs.find((i) => i.scope === 'user') ?? installs[0])?.installPath;
+      if (!installPath || !existsSync(installPath)) continue;
+      out.push(...readSkillDir(join(installPath, 'skills')));
+      out.push(...readCommandDir(join(installPath, 'commands')));
+    }
+  } catch {
+    /* missing/unreadable plugin config → user commands only */
+  }
+
+  // Dedupe by name (first wins).
+  const seen = new Set<string>();
+  return out.filter((c) => (seen.has(c.name) ? false : (seen.add(c.name), true)));
+}

apps/coder/src/services/dcp-strip.ts

@@ -0,0 +1,77 @@
+/**
+ * Strip opencode-dcp plugin tags (`<dcp-message-id>mNNNN</dcp-message-id>`) that
+ * the @tarquinen/opencode-dcp plugin appends to assistant text and which
+ * otherwise render as literal text in the UI.
+ *
+ * Why a streaming stripper and not a per-chunk `.replace()`: opencode streams
+ * assistant text token-by-token, so the tag arrives SPLIT across many SSE deltas
+ * (`<dcp`, `-message`, `-id>`, `m0019`, `</dcp`, …). A per-chunk regex never sees
+ * a complete tag in any single fragment, so the fragments pass through and the
+ * dispatcher reassembles the full tag in the persisted/displayed content. The
+ * stripper below buffers across chunks: it emits everything that cannot be part
+ * of a forming tag and holds back only a trailing partial-tag prefix until the
+ * next chunk resolves it — without holding back legitimate `<…>` content.
+ */
+
+const DCP_TAG_RE = /<dcp-message-id>[^<]*<\/dcp-message-id>/g;
+const OPEN = '<dcp-message-id>';
+const CLOSE = '</dcp-message-id>';
+
+/** One-shot strip of COMPLETE tags. Safe for non-streaming / final content. */
+export function stripDcpTags(s: string): string {
+  return s.replace(DCP_TAG_RE, '');
+}
+
+/**
+ * Could `tail` (a substring starting at a `<`) still grow into a complete dcp
+ * tag on a future chunk? If so the caller must hold it back rather than emit it.
+ * Returns false for unrelated `<` content (`<div>`, `<T>`, …) so those stream
+ * normally.
+ */
+function isPartialDcp(tail: string): boolean {
+  // A prefix of the opening marker: '<', '<d', …, '<dcp-message-id'.
+  if (OPEN.startsWith(tail)) return true;
+  // Opening marker fully seen — content (and maybe a forming close) still streaming.
+  if (tail.startsWith(OPEN)) {
+    const rest = tail.slice(OPEN.length);
+    const lt = rest.indexOf('<');
+    if (lt === -1) return true; // still inside the [^<]* content run
+    return CLOSE.startsWith(rest.slice(lt)); // a partial close marker forming
+  }
+  return false;
+}
+
+export interface DcpStreamStripper {
+  /** Feed one text chunk; returns the portion safe to emit now (may be ''). */
+  push(chunk: string): string;
+  /** Stream end: returns whatever was held back, with complete tags stripped. */
+  flush(): string;
+}
+
+/** Stateful, cross-chunk-safe dcp stripper. One instance per turn. */
+export function makeDcpStreamStripper(): DcpStreamStripper {
+  let buf = '';
+  return {
+    push(chunk: string): string {
+      buf += chunk;
+      buf = buf.replace(DCP_TAG_RE, ''); // drop any now-complete tags
+      // Find the earliest `<` whose suffix is a forming dcp tag; hold from there,
+      // emit everything before it (real text, including unrelated `<…>`).
+      for (let i = buf.indexOf('<'); i !== -1; i = buf.indexOf('<', i + 1)) {
+        if (isPartialDcp(buf.slice(i))) {
+          const emit = buf.slice(0, i);
+          buf = buf.slice(i);
+          return emit;
+        }
+      }
+      const emit = buf;
+      buf = '';
+      return emit;
+    },
+    flush(): string {
+      const out = stripDcpTags(buf);
+      buf = '';
+      return out;
+    },
+  };
+}

apps/coder/src/services/dispatcher.ts

@@ -3,13 +3,21 @@ import type { FastifyBaseLogger } from 'fastify';
 import type { Broker } from '@boocode/server/broker';
 import type { WsFrame } from '@boocode/server/ws-frames';
 import type { Config } from '../config.js';
-import { createWorktree, diffWorktree, cleanupWorktree } from './worktrees.js';
+import { createWorktree, diffWorktree, cleanupWorktree, ensureSessionWorktree } from './worktrees.js';
+import { createCheckpoint } from './checkpoints.js';
+import { makeDcpStreamStripper } from './dcp-strip.js';
 import { dispatchViaAcp } from './acp-dispatch.js';
 import { getResolvedRegistry } from './provider-config-registry.js';
 import { dispatchViaPty } from './pty-dispatch.js';
 import { clearTaskCommands, setTaskCommands } from './agent-commands-cache.js';
 import { getManifestCommands } from './provider-commands.js';
 import { persistExternalAgentTurn } from './agent-turn-persist.js';
+import { snapshotToWireToolCall, type AcpToolSnapshot } from './acp-tool-snapshot.js';
+import { agentPool, OPENCODE_POOL_KEY } from './agent-pool.js';
+import { OpenCodeServerBackend } from './backends/opencode-server.js';
+import { WarmAcpBackend } from './backends/warm-acp.js';
+import { shouldUseWarmBackend } from './backends/warm-acp-routing.js';
+import type { AgentBackend, AgentEvent } from './agent-backend.js';
 
 interface InferenceRunner {
   enqueue: (sessionId: string, chatId: string, assistantId: string, user: string) => void;
@@ -35,23 +43,35 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
   const { sql, inference, broker, log, config } = deps;
   let timer: ReturnType<typeof setInterval> | null = null;
   let listener: { unlisten: () => Promise<void> } | null = null;
-  let running = false;
+  let polling = false;
   let stopping = false;
-  let inflightPromise: Promise<void> | null = null;
+  // v2.6 (1.9): per-session in-flight registry replaces the global `running`
+  // boolean. Key = session_id (or `task:<id>` for sessionless tasks). Sessions
+  // without an in-flight turn run concurrently; within a session, strictly one
+  // turn at a time.
+  const inflight = new Map<string, Promise<void>>();
 
   // Shared entry point for both the poll timer and the NOTIFY listener. poll()'s
-  // `running`/`stopping` guard makes this safe to call concurrently — a notify
-  // arriving mid-task returns immediately and never double-dispatches.
+  // `polling`/`stopping` guard makes this safe to call concurrently — a notify
+  // arriving mid-poll returns immediately and never double-dispatches.
   function triggerPoll(reason: string): void {
     poll().catch((err) => {
       log.error({ err, reason }, 'dispatcher: poll error');
     });
   }
 
-  async function poll(): Promise<void> {
-    if (running || stopping) return;
+  function concurrencyKey(task: { id: string; session_id: string | null }): string {
+    return task.session_id ?? `task:${task.id}`;
+  }
 
-    // Grab one pending task
+  async function poll(): Promise<void> {
+    // `polling` serializes poll() execution itself (timer + NOTIFY can fire
+    // concurrently) so we never double-select a task. It does NOT serialize task
+    // execution — that's what `inflight` (keyed per session) governs.
+    if (polling || stopping) return;
+    polling = true;
+    try {
+      // Oldest-first; start every pending task whose session isn't already busy.
       const rows = await sql<{
         id: string;
         project_id: string;
@@ -61,21 +81,28 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
         mode_id: string | null;
         thinking_option_id: string | null;
         session_id: string | null;
+        chat_id: string | null;
       }[]>`
-      SELECT id, project_id, input, agent, model, mode_id, thinking_option_id, session_id
+        SELECT id, project_id, input, agent, model, mode_id, thinking_option_id, session_id, chat_id
         FROM tasks
         WHERE state = 'pending'
         ORDER BY created_at
-      LIMIT 1
+        LIMIT 50
       `;
-    if (rows.length === 0) return;
-
-    const task = rows[0]!;
-    running = true;
-    inflightPromise = runTask(task).finally(() => {
-      running = false;
-      inflightPromise = null;
+      for (const task of rows) {
+        if (stopping) break;
+        const key = concurrencyKey(task);
+        if (inflight.has(key)) continue; // this session already has an in-flight turn
+        // Register synchronously (before any await) so a later row in this pass
+        // with the same key is skipped and a concurrent poll can't re-pick it.
+        const p = runTask(task).finally(() => {
+          inflight.delete(key);
         });
+        inflight.set(key, p);
+      }
+    } finally {
+      polling = false;
+    }
   }
 
   async function runTask(task: {
@@ -87,6 +114,7 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
     mode_id: string | null;
     thinking_option_id: string | null;
     session_id: string | null;
+    chat_id: string | null;
   }): Promise<void> {
     const taskId = task.id;
 
@@ -96,7 +124,18 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
         SELECT name, supports_acp, install_path FROM available_agents WHERE name = ${task.agent}
       `;
       if (agentRow) {
+        // v2.6 (1.7): opencode routes to its warm HTTP-server backend.
+        // v2.6 Phase 2 (2.4): goose/qwen route to the warm ACP backend WHEN the
+        // task came from a real chat tab (session_id + chat_id) — shouldUseWarmBackend.
+        // Session-less creators (arena, MCP, new_task, generic /api/tasks) keep the
+        // existing one-shot worktree-per-task ACP/PTY path untouched.
+        if (task.agent === 'opencode') {
+          await runOpenCodeServerTask(task, agentRow.install_path);
+        } else if (shouldUseWarmBackend(task)) {
+          await runWarmAcpTask(task, agentRow.install_path);
+        } else {
           await runExternalAgent(task, agentRow.supports_acp, agentRow.install_path);
+        }
         return;
       }
       // Agent specified but not available — fall through to Path A with a warning
@@ -320,6 +359,16 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
       `;
       const assistantId = assistantMsg!.id;
 
+      // write-edit-robustness #4: pre-turn worktree checkpoint (best-effort; a
+      // failure logs and never breaks dispatch). This path uses a per-task worktree
+      // (createWorktree, not the session worktree), so there's no worktrees-table id
+      // — pass null for worktreeId, the path is enough for restore's reset.
+      await createCheckpoint(
+        sql,
+        { chatId, sessionId, worktreeId: null, worktreePath, messageId: assistantId },
+        { signal: ac.signal, log },
+      ).catch(() => null);
+
       broker.publishFrame(sessionId, {
         type: 'message_started',
         message_id: assistantId,
@@ -410,10 +459,11 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
       const diff = await diffWorktree(worktreePath, projectPath, { signal: ac.signal });
 
       if (diff) {
-        // Queue a single pending_change entry with the full unified diff
+        // Queue a single pending_change entry with the full unified diff, stamped
+        // with the dispatched agent for DiffPanel attribution (v2.6 Phase 1-UX).
         await sql`
-          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
-          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff})
+          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
+          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff}, ${agent})
         `;
         log.info({ taskId, diffLength: diff.length }, 'dispatcher: diff queued as pending change');
       } else {
@@ -456,6 +506,567 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
     }
   }
 
+  // ─── Path B (opencode): warm OpenCode server backend (v2.6 1.7 + 1.10) ───────
+
+  // OpenCode runs ONE server per BooCoder process, shared across all sessions
+  // (the backend multiplexes sessions internally), so it's pooled under a fixed
+  // key (OPENCODE_POOL_KEY, shared with the lifecycle close-hook) rather than
+  // per-session. Warm ACP backends (Phase 2) are per (chat, agent).
+  function getOpenCodeBackend(installPath: string | null): AgentBackend {
+    let backend = agentPool.get(OPENCODE_POOL_KEY, 'opencode');
+    if (!backend) {
+      backend = new OpenCodeServerBackend({ sql, log, opencodeBinary: installPath ?? 'opencode' });
+      agentPool.register(OPENCODE_POOL_KEY, 'opencode', backend);
+    }
+    return backend;
+  }
+
+  async function runOpenCodeServerTask(
+    task: {
+      id: string;
+      project_id: string;
+      input: string;
+      agent: string | null;
+      model: string | null;
+      mode_id: string | null;
+      thinking_option_id: string | null;
+      session_id: string | null;
+      chat_id: string | null;
+    },
+    installPath: string | null,
+  ): Promise<void> {
+    const taskId = task.id;
+    const agent = 'opencode';
+    log.info({ taskId, agent }, 'dispatcher: starting task (path B — opencode server)');
+
+    const [project] = await sql<{ path: string | null }[]>`
+      SELECT path FROM projects WHERE id = ${task.project_id}
+    `;
+    const projectPath = project?.path;
+    if (!projectPath) {
+      await sql`
+        UPDATE tasks
+        SET state = 'failed', ended_at = clock_timestamp(), output_summary = 'Project has no path — cannot create worktree'
+        WHERE id = ${taskId}
+      `;
+      return;
+    }
+
+    const ac = new AbortController();
+
+    try {
+      // execution_path = 'acp' — the schema CHECK has no 'opencode_server' value
+      // (schema is frozen at Phase 0); the warm-vs-one-shot distinction lives in
+      // agent_sessions.backend. Reuse the closest existing value.
+      await sql`
+        UPDATE tasks
+        SET state = 'running', started_at = clock_timestamp(), execution_path = 'acp'
+        WHERE id = ${taskId}
+      `;
+
+      // Resolve session + chat. P1.5-b: the chat (tab) is the context key, so the
+      // chat_id MUST be non-null and stable before ensureSession. The coder message
+      // route + skills route stamp task.chat_id with the frontend tab's chat — use
+      // it directly. Session-less creators (arena, MCP, new_task, generic
+      // /api/tasks) leave it null; fall back to resolving/creating a real chat so
+      // ensureSession never receives a degenerate (null, agent) key.
+      let sessionId: string;
+      let chatId: string;
+      if (task.chat_id && task.session_id) {
+        sessionId = task.session_id;
+        chatId = task.chat_id;
+      } else if (task.session_id) {
+        sessionId = task.session_id;
+        const chats = await sql<{ id: string }[]>`
+          SELECT id FROM chats WHERE session_id = ${sessionId} AND status = 'open' ORDER BY created_at DESC LIMIT 1
+        `;
+        if (chats.length === 0) {
+          const [chat] = await sql<{ id: string }[]>`
+            INSERT INTO chats (session_id, name, status)
+            VALUES (${sessionId}, 'External agent execution', 'open')
+            RETURNING id
+          `;
+          chatId = chat!.id;
+        } else {
+          chatId = chats[0]!.id;
+        }
+      } else {
+        const sessionName = `Task [${agent}]: ${task.input.slice(0, 30)}`;
+        const [session] = await sql<{ id: string }[]>`
+          INSERT INTO sessions (project_id, name, model, status)
+          VALUES (${task.project_id}, ${sessionName}, ${task.model ?? config.DEFAULT_MODEL}, 'open')
+          RETURNING id
+        `;
+        sessionId = session!.id;
+        const [chat] = await sql<{ id: string }[]>`
+          INSERT INTO chats (session_id, name, status)
+          VALUES (${sessionId}, 'External agent execution', 'open')
+          RETURNING id
+        `;
+        chatId = chat!.id;
+        await sql`UPDATE tasks SET session_id = ${sessionId} WHERE id = ${taskId}`;
+      }
+
+      if (!task.session_id) {
+        await sql`
+          INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
+          VALUES (${sessionId}, ${chatId}, 'user', ${task.input}, 'complete', clock_timestamp())
+        `;
+      }
+
+      // Persistent, session-keyed worktree (shared across turns; NOT torn down
+      // per turn — Phase 3 reaps it). Captures base_commit for a stable diff.
+      const { worktreeId, worktreePath, baseCommit } = await ensureSessionWorktree(sql, projectPath, sessionId, {
+        signal: ac.signal,
+      });
+      log.info({ taskId, worktreePath }, 'dispatcher: session worktree ready');
+
+      const [assistantMsg] = await sql<{ id: string }[]>`
+        INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
+        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', clock_timestamp())
+        RETURNING id
+      `;
+      const assistantId = assistantMsg!.id;
+
+      // write-edit-robustness #4: pre-turn checkpoint of the persistent session
+      // worktree (best-effort; never breaks dispatch). worktreeId comes from the
+      // worktrees table (ensureSessionWorktree above).
+      await createCheckpoint(
+        sql,
+        { chatId, sessionId, worktreeId, worktreePath, messageId: assistantId },
+        { signal: ac.signal, log },
+      ).catch(() => null);
+
+      broker.publishFrame(sessionId, {
+        type: 'message_started',
+        message_id: assistantId,
+        chat_id: chatId,
+        role: 'assistant',
+      } as WsFrame);
+
+      const manifestCommands = getManifestCommands(agent);
+      if (manifestCommands.length > 0) {
+        setTaskCommands(taskId, manifestCommands);
+        broker.publishFrame(sessionId, {
+          type: 'agent_commands',
+          task_id: taskId,
+          session_id: sessionId,
+          commands: manifestCommands,
+        } as WsFrame);
+      }
+
+      // Accumulate the turn's stream for persistence + the final message content.
+      const textChunks: string[] = [];
+      const reasoningChunks: string[] = [];
+      const toolSnaps = new Map<string, AcpToolSnapshot>();
+      // opencode's dcp plugin appends <dcp-message-id>…</dcp-message-id> to the
+      // text, streamed split across deltas — a per-chunk regex misses it (see
+      // dcp-strip.ts). Buffer text through a cross-chunk stripper so neither the
+      // live `delta` frames nor the persisted content ever carry the tag.
+      const dcp = makeDcpStreamStripper();
+
+      // Map transport-agnostic AgentEvents → the SAME WS frames the ACP path emits.
+      // This boundary is where message_id/chat_id get attached (the backend never
+      // owns them).
+      const onEvent = (e: AgentEvent): void => {
+        switch (e.type) {
+          case 'text': {
+            const safe = dcp.push(e.text);
+            if (safe) {
+              textChunks.push(safe);
+              broker.publishFrame(sessionId, {
+                type: 'delta',
+                message_id: assistantId,
+                chat_id: chatId,
+                content: safe,
+              } as WsFrame);
+            }
+            break;
+          }
+          case 'reasoning':
+            reasoningChunks.push(e.text);
+            broker.publishFrame(sessionId, {
+              type: 'reasoning_delta',
+              message_id: assistantId,
+              chat_id: chatId,
+              content: e.text,
+            } as WsFrame);
+            break;
+          case 'tool_call':
+          case 'tool_update':
+            toolSnaps.set(e.toolCall.toolCallId, e.toolCall);
+            broker.publishFrame(sessionId, {
+              type: 'tool_call',
+              message_id: assistantId,
+              chat_id: chatId,
+              tool_call: snapshotToWireToolCall(e.toolCall),
+            } as WsFrame);
+            break;
+          case 'commands':
+            // opencode-server doesn't emit these today; ignore if it ever does.
+            break;
+        }
+      };
+
+      // opencode expects provider-prefixed model ids (e.g. 'llama-swap/qwen3.6-35b…').
+      // DEFAULT_MODEL is bare (no prefix) because native inference uses it directly
+      // against llama-swap. Coalesce empty string (frontend sends '' when no models
+      // listed) and prefix bare ids so parseModel always succeeds.
+      const rawModel = (task.model && task.model.trim()) || config.DEFAULT_MODEL;
+      const model = rawModel.includes('/') ? rawModel : `llama-swap/${rawModel}`;
+      const backend = getOpenCodeBackend(installPath);
+      const handle = await backend.ensureSession(sessionId, {
+        agent,
+        model,
+        chatId,
+        worktreePath,
+        worktreeId,
+        projectId: task.project_id,
+      });
+      const result = await backend.prompt(handle, task.input, {
+        worktreePath,
+        model,
+        signal: ac.signal,
+        onEvent,
+      });
+      // Phase 3: keep the pooled backend's slot warm across this (possibly long)
+      // turn so the idle sweep measures from turn END, not start.
+      agentPool.touch(OPENCODE_POOL_KEY, agent);
+
+      // Flush any text held back mid-tag at stream end (complete tags stripped).
+      const dcpTail = dcp.flush();
+      if (dcpTail) {
+        textChunks.push(dcpTail);
+        broker.publishFrame(sessionId, {
+          type: 'delta',
+          message_id: assistantId,
+          chat_id: chatId,
+          content: dcpTail,
+        } as WsFrame);
+      }
+
+      const assistantContent = textChunks.join('').slice(0, 50_000);
+      const reasoningText = reasoningChunks.join('').slice(0, 200_000);
+      const outputSummary = (result.ok ? textChunks.join('') : result.error ?? 'opencode turn failed').slice(0, 500);
+
+      await persistExternalAgentTurn(sql, assistantId, [...toolSnaps.values()], reasoningText);
+
+      await sql`
+        UPDATE messages
+        SET content = ${assistantContent}, status = 'complete', finished_at = clock_timestamp()
+        WHERE id = ${assistantId}
+      `;
+      broker.publishFrame(sessionId, {
+        type: 'message_complete',
+        message_id: assistantId,
+        chat_id: chatId,
+      } as WsFrame);
+
+      if (stopping) {
+        await sql`UPDATE tasks SET state = 'cancelled', ended_at = clock_timestamp() WHERE id = ${taskId}`;
+        return; // worktree persists (no cleanup); backend stays warm
+      }
+
+      // 1.10: diff the persistent worktree against its captured baseline and
+      // SUPERSEDE the session's prior pending row (latest-wins, one accumulating
+      // diff) instead of stacking. Stamp agent for DiffPanel attribution.
+      const diff = await diffWorktree(worktreePath, projectPath, {
+        signal: ac.signal,
+        baseRef: baseCommit ?? 'HEAD',
+      });
+      if (diff) {
+        await sql`
+          DELETE FROM pending_changes WHERE session_id = ${sessionId} AND status = 'pending'
+        `;
+        await sql`
+          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
+          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff}, ${agent})
+        `;
+        log.info({ taskId, diffLength: diff.length }, 'dispatcher: diff superseded prior pending change');
+      } else {
+        log.info({ taskId }, 'dispatcher: no changes detected in session worktree');
+      }
+
+      // NO worktree cleanup — it's persistent (Phase 3 reaps it). Backend stays warm.
+
+      const [extCostRow] = await sql<{ total: number | null }[]>`
+        SELECT SUM(tokens_used)::int AS total
+        FROM messages
+        WHERE session_id = ${sessionId} AND tokens_used IS NOT NULL
+      `;
+      const extCostTokens = extCostRow?.total ?? null;
+
+      const finalState = result.ok ? 'completed' : 'failed';
+      await sql`
+        UPDATE tasks
+        SET state = ${finalState}, ended_at = clock_timestamp(), output_summary = ${outputSummary}, cost_tokens = ${extCostTokens}
+        WHERE id = ${taskId}
+      `;
+      log.info({ taskId, agent, finalState, costTokens: extCostTokens }, 'dispatcher: task finished (opencode server)');
+      clearTaskCommands(taskId);
+    } catch (err) {
+      const errMsg = err instanceof Error ? err.message : String(err);
+      log.error({ taskId, agent, err: errMsg }, 'dispatcher: opencode server error');
+      await sql`
+        UPDATE tasks
+        SET state = 'failed', ended_at = clock_timestamp(), output_summary = ${errMsg.slice(0, 500)}
+        WHERE id = ${taskId}
+      `.catch(() => {});
+      clearTaskCommands(taskId);
+      // No worktree cleanup (persistent); backend stays warm for the next turn.
+    }
+  }
+
+  // ─── Path B (warm ACP): goose / qwen warm backend (v2.6 Phase 2) ─────────────
+
+  // Warm ACP backends are per (chat, agent): each owns ONE stdio process + ACP
+  // connection + session. Pool key = chatId; the AgentPool's secondary key is the
+  // agent. This mirrors agent_sessions' (chat_id, agent) PK.
+  function getWarmAcpBackend(chatId: string, agent: string, installPath: string | null): WarmAcpBackend {
+    let backend = agentPool.get(chatId, agent);
+    if (!backend) {
+      backend = new WarmAcpBackend({
+        sql,
+        log,
+        chatId,
+        agent,
+        installPath,
+        resolved: getResolvedRegistry().get(agent),
+      });
+      agentPool.register(chatId, agent, backend);
+    }
+    return backend as WarmAcpBackend;
+  }
+
+  async function runWarmAcpTask(
+    task: {
+      id: string;
+      project_id: string;
+      input: string;
+      agent: string | null;
+      model: string | null;
+      mode_id: string | null;
+      thinking_option_id: string | null;
+      session_id: string | null;
+      chat_id: string | null;
+    },
+    installPath: string | null,
+  ): Promise<void> {
+    const taskId = task.id;
+    const agent = task.agent!;
+    // shouldUseWarmBackend guarantees both non-null before we get here.
+    const sessionId = task.session_id!;
+    const chatId = task.chat_id!;
+    log.info({ taskId, agent, chatId }, 'dispatcher: starting task (path B — warm ACP)');
+
+    const [project] = await sql<{ path: string | null }[]>`
+      SELECT path FROM projects WHERE id = ${task.project_id}
+    `;
+    const projectPath = project?.path;
+    if (!projectPath) {
+      await sql`
+        UPDATE tasks
+        SET state = 'failed', ended_at = clock_timestamp(), output_summary = 'Project has no path — cannot create worktree'
+        WHERE id = ${taskId}
+      `;
+      return;
+    }
+
+    const ac = new AbortController();
+
+    try {
+      await sql`
+        UPDATE tasks
+        SET state = 'running', started_at = clock_timestamp(), execution_path = 'acp'
+        WHERE id = ${taskId}
+      `;
+
+      // Persistent, session-keyed worktree (shared across turns + agents; NOT torn
+      // down per turn — Phase 3 reaps it). Same as the opencode-server path so a
+      // chat that switches opencode↔goose↔qwen shares one worktree.
+      const { worktreeId, worktreePath, baseCommit } = await ensureSessionWorktree(sql, projectPath, sessionId, {
+        signal: ac.signal,
+      });
+      log.info({ taskId, worktreePath }, 'dispatcher: session worktree ready (warm ACP)');
+
+      const [assistantMsg] = await sql<{ id: string }[]>`
+        INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
+        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', clock_timestamp())
+        RETURNING id
+      `;
+      const assistantId = assistantMsg!.id;
+
+      // write-edit-robustness #4: pre-turn checkpoint of the persistent session
+      // worktree (best-effort; never breaks dispatch). Same worktree the opencode
+      // path uses — a chat that switches opencode↔goose↔qwen shares one worktree.
+      await createCheckpoint(
+        sql,
+        { chatId, sessionId, worktreeId, worktreePath, messageId: assistantId },
+        { signal: ac.signal, log },
+      ).catch(() => null);
+
+      broker.publishFrame(sessionId, {
+        type: 'message_started',
+        message_id: assistantId,
+        chat_id: chatId,
+        role: 'assistant',
+      } as WsFrame);
+
+      const manifestCommands = getManifestCommands(agent);
+      if (manifestCommands.length > 0) {
+        setTaskCommands(taskId, manifestCommands);
+        broker.publishFrame(sessionId, {
+          type: 'agent_commands',
+          task_id: taskId,
+          session_id: sessionId,
+          commands: manifestCommands,
+        } as WsFrame);
+      }
+
+      // Accumulate the turn's stream for persistence + the final message content.
+      const textChunks: string[] = [];
+      const reasoningChunks: string[] = [];
+      const toolSnaps = new Map<string, AcpToolSnapshot>();
+
+      // Map transport-agnostic AgentEvents → the SAME WS frames the one-shot ACP
+      // path emits (identical to runOpenCodeServerTask's onEvent). No dcp stripping:
+      // that's an opencode-plugin artifact; goose/qwen don't emit dcp tags.
+      const onEvent = (e: AgentEvent): void => {
+        switch (e.type) {
+          case 'text':
+            textChunks.push(e.text);
+            broker.publishFrame(sessionId, {
+              type: 'delta',
+              message_id: assistantId,
+              chat_id: chatId,
+              content: e.text,
+            } as WsFrame);
+            break;
+          case 'reasoning':
+            reasoningChunks.push(e.text);
+            broker.publishFrame(sessionId, {
+              type: 'reasoning_delta',
+              message_id: assistantId,
+              chat_id: chatId,
+              content: e.text,
+            } as WsFrame);
+            break;
+          case 'tool_call':
+          case 'tool_update':
+            toolSnaps.set(e.toolCall.toolCallId, e.toolCall);
+            broker.publishFrame(sessionId, {
+              type: 'tool_call',
+              message_id: assistantId,
+              chat_id: chatId,
+              tool_call: snapshotToWireToolCall(e.toolCall),
+            } as WsFrame);
+            break;
+          case 'commands':
+            if (e.commands.length > 0) {
+              setTaskCommands(taskId, e.commands);
+              broker.publishFrame(sessionId, {
+                type: 'agent_commands',
+                task_id: taskId,
+                session_id: sessionId,
+                commands: e.commands,
+              } as WsFrame);
+            }
+            break;
+        }
+      };
+
+      const model = task.model ?? undefined;
+      const backend = getWarmAcpBackend(chatId, agent, installPath);
+      const handle = await backend.ensureSession(sessionId, {
+        agent,
+        model: model ?? '',
+        chatId,
+        worktreePath,
+        worktreeId,
+        projectId: task.project_id,
+      });
+      const result = await backend.prompt(handle, task.input, {
+        worktreePath,
+        model: model ?? '',
+        signal: ac.signal,
+        onEvent,
+        taskId,
+        modeId: task.mode_id ?? undefined,
+      });
+      // Phase 3: keep the pooled (chat,agent) backend warm across the turn.
+      agentPool.touch(chatId, agent);
+
+      const assistantContent = textChunks.join('').slice(0, 50_000);
+      const reasoningText = reasoningChunks.join('').slice(0, 200_000);
+      const outputSummary = (result.ok ? textChunks.join('') : result.error ?? 'warm ACP turn failed').slice(0, 500);
+
+      await persistExternalAgentTurn(sql, assistantId, [...toolSnaps.values()], reasoningText);
+
+      await sql`
+        UPDATE messages
+        SET content = ${assistantContent}, status = 'complete', finished_at = clock_timestamp()
+        WHERE id = ${assistantId}
+      `;
+      broker.publishFrame(sessionId, {
+        type: 'message_complete',
+        message_id: assistantId,
+        chat_id: chatId,
+      } as WsFrame);
+
+      if (stopping) {
+        await sql`UPDATE tasks SET state = 'cancelled', ended_at = clock_timestamp() WHERE id = ${taskId}`;
+        return; // worktree persists (no cleanup); backend stays warm
+      }
+
+      // Diff the persistent worktree against its captured baseline and SUPERSEDE
+      // the session's prior pending row (latest-wins) — identical to opencode.
+      const diff = await diffWorktree(worktreePath, projectPath, {
+        signal: ac.signal,
+        baseRef: baseCommit ?? 'HEAD',
+      });
+      if (diff) {
+        await sql`
+          DELETE FROM pending_changes WHERE session_id = ${sessionId} AND status = 'pending'
+        `;
+        await sql`
+          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
+          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff}, ${agent})
+        `;
+        log.info({ taskId, diffLength: diff.length }, 'dispatcher: diff superseded prior pending change (warm ACP)');
+      } else {
+        log.info({ taskId }, 'dispatcher: no changes detected in session worktree (warm ACP)');
+      }
+
+      // NO worktree cleanup — persistent (Phase 3 reaps it). Backend stays warm.
+
+      const [extCostRow] = await sql<{ total: number | null }[]>`
+        SELECT SUM(tokens_used)::int AS total
+        FROM messages
+        WHERE session_id = ${sessionId} AND tokens_used IS NOT NULL
+      `;
+      const extCostTokens = extCostRow?.total ?? null;
+
+      const finalState = result.ok ? 'completed' : 'failed';
+      await sql`
+        UPDATE tasks
+        SET state = ${finalState}, ended_at = clock_timestamp(), output_summary = ${outputSummary}, cost_tokens = ${extCostTokens}
+        WHERE id = ${taskId}
+      `;
+      log.info({ taskId, agent, finalState }, 'dispatcher: task finished (warm ACP)');
+      clearTaskCommands(taskId);
+    } catch (err) {
+      const errMsg = err instanceof Error ? err.message : String(err);
+      log.error({ taskId, agent, err: errMsg }, 'dispatcher: warm ACP error');
+      await sql`
+        UPDATE tasks
+        SET state = 'failed', ended_at = clock_timestamp(), output_summary = ${errMsg.slice(0, 500)}
+        WHERE id = ${taskId}
+      `.catch(() => {});
+      clearTaskCommands(taskId);
+      // No worktree cleanup (persistent); backend stays warm for the next turn.
+    }
+  }
+
   // ─── Helpers ────────────────────────────────────────────────────────────────
 
   async function waitForCompletion(assistantId: string): Promise<string> {
@@ -514,9 +1125,9 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
         });
         listener = null;
       }
-      if (inflightPromise) {
-        log.info('dispatcher: waiting for in-flight task');
-        await inflightPromise;
+      if (inflight.size > 0) {
+        log.info({ count: inflight.size }, 'dispatcher: waiting for in-flight tasks');
+        await Promise.allSettled([...inflight.values()]);
       }
       log.info('dispatcher: stopped');
     },

apps/coder/src/services/fuzzy-match.ts

@@ -0,0 +1,271 @@
+// Fuzzy patch locator for staged edits.
+//
+// Local quantized models (qwen3.6 and friends) frequently reproduce an
+// `old_string` with small, semantically-irrelevant drift: trailing whitespace,
+// a different indent width, or "smart" unicode punctuation (curly quotes, an
+// en/em-dash, a non-breaking space) where the source has the plain ASCII form.
+// An exact `String.includes` then fails and the queued edit is lost even though
+// a human would say it obviously matches.
+//
+// `locateMatch` walks a ladder of progressively looser strategies and returns
+// the real `[start, end)` byte-offset span in the ORIGINAL content so the caller
+// can splice in `new_string` over the true file text (preserving the file's own
+// whitespace/unicode, not the model's drifted copy). The ladder stops at the
+// first strategy that resolves to a single span:
+//
+//   1. exact            — indexOf; >1 hit is reported `ambiguous` (we refuse to
+//                         guess which occurrence the model meant).
+//   2. per-line ws      — line-window compare ignoring per-line trailing
+//                         whitespace and leading/trailing blank needle lines.
+//   3. unicode canon    — same line-window compare after folding smart
+//                         punctuation to ASCII on both sides; the match is
+//                         mapped back to original offsets.
+//   4. levenshtein      — best line-window by normalized edit-distance
+//                         similarity; accepted only at >= SIMILARITY_THRESHOLD.
+//
+// Pure and dependency-free (Levenshtein is the standard iterative two-row DP),
+// reimplemented from the general technique — no vendored source.
+
+export type MatchResult =
+  | { kind: 'exact' | 'fuzzy'; start: number; end: number } // [start,end) offsets into content
+  | { kind: 'ambiguous'; count: number }
+  | { kind: 'not_found' };
+
+/** Levenshtein similarity floor for the final fuzzy fallback (strategy 4). */
+export const SIMILARITY_THRESHOLD = 0.66;
+
+export function locateMatch(content: string, needle: string): MatchResult {
+  // Empty needle has no meaningful match.
+  if (needle.length === 0) return { kind: 'not_found' };
+
+  // --- 1. Exact ----------------------------------------------------------------
+  const exact = locateExact(content, needle);
+  if (exact) return exact;
+
+  // --- 2. Per-line whitespace-insensitive -------------------------------------
+  const ws = locateByLineWindow(content, needle);
+  if (ws) return ws;
+
+  // --- 3. Unicode-canonicalized whitespace pass -------------------------------
+  const canon = locateCanonical(content, needle);
+  if (canon) return canon;
+
+  // --- 4. Levenshtein similarity ----------------------------------------------
+  const lev = locateByLevenshtein(content, needle);
+  if (lev) return lev;
+
+  return { kind: 'not_found' };
+}
+
+// --- Strategy 1: exact -------------------------------------------------------
+
+function locateExact(content: string, needle: string): MatchResult | null {
+  const first = content.indexOf(needle);
+  if (first === -1) return null;
+  const second = content.indexOf(needle, first + 1);
+  if (second === -1) {
+    return { kind: 'exact', start: first, end: first + needle.length };
+  }
+  // Count all occurrences so the caller can report a useful number.
+  let count = 2;
+  let idx = content.indexOf(needle, second + 1);
+  while (idx !== -1) {
+    count++;
+    idx = content.indexOf(needle, idx + 1);
+  }
+  return { kind: 'ambiguous', count };
+}
+
+// --- Line-window machinery ---------------------------------------------------
+
+interface Line {
+  /** Raw line text (no trailing newline). */
+  text: string;
+  /** Offset of the first char of this line in the original content. */
+  start: number;
+  /** Offset one past the last char of this line (before its newline, if any). */
+  end: number;
+}
+
+/**
+ * Split content into lines, tracking each line's real offset span. The span
+ * EXCLUDES the trailing newline so consecutive line spans plus their newlines
+ * exactly reconstruct the content; the match span we hand back covers from the
+ * first matched line's start through the last matched line's end (i.e. without a
+ * trailing newline), which is what an in-place splice wants.
+ */
+function splitLines(content: string): Line[] {
+  const lines: Line[] = [];
+  let start = 0;
+  for (let i = 0; i <= content.length; i++) {
+    if (i === content.length || content[i] === '\n') {
+      lines.push({ text: content.slice(start, i), start, end: i });
+      start = i + 1;
+    }
+  }
+  return lines;
+}
+
+/** Strip leading/trailing all-blank lines; returns the trimmed slice. */
+function trimBlankLines(lines: string[]): string[] {
+  let lo = 0;
+  let hi = lines.length;
+  while (lo < hi && lines[lo]!.trim() === '') lo++;
+  while (hi > lo && lines[hi - 1]!.trim() === '') hi--;
+  return lines.slice(lo, hi);
+}
+
+/**
+ * Find a contiguous window of content lines whose trailing-whitespace-trimmed
+ * text equals the needle's (blank-trimmed) lines. Returns the real offset span
+ * over the matched content lines, or null if zero match. Multiple matches →
+ * ambiguous. `normalize` lets the caller fold unicode before comparing.
+ */
+function locateByLineWindow(
+  content: string,
+  needle: string,
+  normalize: (s: string) => string = (s) => s,
+): MatchResult | null {
+  const contentLines = splitLines(content);
+  const needleLines = trimBlankLines(needle.split('\n'));
+  const n = needleLines.length;
+  if (n === 0) return null;
+  // A single needle line that is itself blank can't be located meaningfully.
+  if (n === 1 && needleLines[0]!.trim() === '') return null;
+
+  const needleKey = needleLines.map((l) => normalize(l.trimEnd())).join('\n');
+
+  const hits: Array<{ start: number; end: number }> = [];
+  for (let i = 0; i + n <= contentLines.length; i++) {
+    const windowKey = contentLines
+      .slice(i, i + n)
+      .map((l) => normalize(l.text.trimEnd()))
+      .join('\n');
+    if (windowKey === needleKey) {
+      hits.push({ start: contentLines[i]!.start, end: contentLines[i + n - 1]!.end });
+    }
+  }
+
+  if (hits.length === 0) return null;
+  if (hits.length > 1) return { kind: 'ambiguous', count: hits.length };
+  return { kind: 'fuzzy', start: hits[0]!.start, end: hits[0]!.end };
+}
+
+// --- Strategy 3: unicode canonicalization ------------------------------------
+
+/**
+ * Fold smart punctuation to its ASCII equivalent. Crucially this is a
+ * length-PRESERVING, per-character map (every replacement is one char → one
+ * char), so an offset into the canonical string is also a valid offset into the
+ * original — letting strategy 3 reuse the line-window matcher and still hand
+ * back true original-content offsets.
+ */
+function canonicalizeChar(ch: string): string {
+  switch (ch) {
+    // single quotes / apostrophes
+    case '‘': // '
+    case '’': // '
+    case '‚': // ‚
+    case '‛': // ‛
+      return "'";
+    // double quotes
+    case '“': // "
+    case '”': // "
+    case '„': // „
+    case '‟': // ‟
+      return '"';
+    // dashes
+    case '–': // – en dash
+    case '—': // — em dash
+    case '‒': // ‒ figure dash
+    case '―': // ― horizontal bar
+    case '−': // − minus sign
+      return '-';
+    // spaces
+    case ' ': // nbsp
+    case ' ': // figure space
+    case ' ': // narrow nbsp
+      return ' ';
+    default:
+      return ch;
+  }
+}
+
+function canonicalize(s: string): string {
+  let out = '';
+  for (const ch of s) out += canonicalizeChar(ch);
+  return out;
+}
+
+function locateCanonical(content: string, needle: string): MatchResult | null {
+  // Only worth running if canonicalization actually changes something on either
+  // side — otherwise it's identical to strategy 2 which already failed.
+  const canonContent = canonicalize(content);
+  const canonNeedle = canonicalize(needle);
+  if (canonContent === content && canonNeedle === needle) return null;
+  // Offsets are preserved (length-preserving fold), so a match on the canonical
+  // content maps directly back to the original.
+  return locateByLineWindow(canonContent, canonNeedle);
+}
+
+// --- Strategy 4: Levenshtein similarity --------------------------------------
+
+/** Standard iterative two-row Levenshtein edit distance. */
+function levenshtein(a: string, b: string): number {
+  if (a === b) return 0;
+  if (a.length === 0) return b.length;
+  if (b.length === 0) return a.length;
+
+  let prev = new Array<number>(b.length + 1);
+  let curr = new Array<number>(b.length + 1);
+  for (let j = 0; j <= b.length; j++) prev[j] = j;
+
+  for (let i = 1; i <= a.length; i++) {
+    curr[0] = i;
+    const ac = a.charCodeAt(i - 1);
+    for (let j = 1; j <= b.length; j++) {
+      const cost = ac === b.charCodeAt(j - 1) ? 0 : 1;
+      curr[j] = Math.min(
+        prev[j]! + 1, // deletion
+        curr[j - 1]! + 1, // insertion
+        prev[j - 1]! + cost, // substitution
+      );
+    }
+    [prev, curr] = [curr, prev];
+  }
+  return prev[b.length]!;
+}
+
+/** Normalized similarity in [0,1]: 1 - dist / max(len). */
+function similarity(a: string, b: string): number {
+  const maxLen = Math.max(a.length, b.length);
+  if (maxLen === 0) return 1;
+  return 1 - levenshtein(a, b) / maxLen;
+}
+
+function locateByLevenshtein(content: string, needle: string): MatchResult | null {
+  const contentLines = splitLines(content);
+  const needleLines = trimBlankLines(needle.split('\n'));
+  const n = needleLines.length;
+  if (n === 0) return null;
+  if (contentLines.length < n) return null;
+
+  const needleJoined = needleLines.map((l) => l.trim()).join('\n');
+
+  let best = -1;
+  let bestSpan: { start: number; end: number } | null = null;
+  for (let i = 0; i + n <= contentLines.length; i++) {
+    const window = contentLines.slice(i, i + n);
+    const windowJoined = window.map((l) => l.text.trim()).join('\n');
+    const score = similarity(windowJoined, needleJoined);
+    if (score > best) {
+      best = score;
+      bestSpan = { start: window[0]!.start, end: window[n - 1]!.end };
+    }
+  }
+
+  if (bestSpan && best >= SIMILARITY_THRESHOLD) {
+    return { kind: 'fuzzy', start: bestSpan.start, end: bestSpan.end };
+  }
+  return null;
+}

apps/coder/src/services/orphan-worktree-reaper.ts

@@ -0,0 +1,170 @@
+/**
+ * v2.6 Phase 3 (3.4) — orphan worktree reaper.
+ *
+ * Reclaims on-disk session worktree dirs under WORKTREE_BASE that have NO live
+ * (`status='active'`) row in the `worktrees` table — leaks from a crash between
+ * `git worktree add` and the DB insert, a missed chat-close hook, or a manual rm
+ * of the DB row. Extends the periodic-sweeper pattern (apps/server's truncation +
+ * stale-streaming reaper).
+ *
+ * SAFETY (Paseo worktree-archive cascade + superset destroy-saga lift): before
+ * removing ANY dir, run `checkWorktreeWorkAtRisk` — a dirty / unpushed / unmerged
+ * worktree is SKIPPED (logged), never force-removed. The pure orphan-target
+ * selection (which dirs are candidates) lives in
+ * `backends/lifecycle-decisions.ts:selectOrphanWorktreeTargets` and is unit-tested;
+ * this module does the DB read + fs stat + git preflight + removal side-effects.
+ *
+ * The mtime grace (default 1h) means a dir mid-`ensureSessionWorktree` (created on
+ * disk, row not yet committed) is never swept — the grace window covers the gap.
+ */
+import { readdir, stat } from 'node:fs/promises';
+import { join } from 'node:path';
+import type { FastifyBaseLogger } from 'fastify';
+import type { Sql } from '../db.js';
+import { WORKTREE_BASE, checkWorktreeWorkAtRisk } from './worktrees.js';
+import { hostExec } from './host-exec.js';
+import {
+  selectOrphanWorktreeTargets,
+  DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
+} from './backends/lifecycle-decisions.js';
+
+export interface OrphanWorktreeReaperDeps {
+  sql: Sql;
+  log: FastifyBaseLogger;
+  intervalMs: number;
+  graceMs?: number;
+}
+
+export interface OrphanReaperResult {
+  scanned: number;
+  candidates: number;
+  reaped: string[];
+  skippedAtRisk: string[];
+}
+
+/** Single-pass reap: select orphan candidates, preflight at-risk, remove the safe. */
+export async function reapOrphanWorktrees(
+  sql: Sql,
+  log: FastifyBaseLogger,
+  graceMs: number = DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
+  now: number = Date.now(),
+): Promise<OrphanReaperResult> {
+  // Enumerate on-disk session worktree dirs (`sess-*`). Per-task worktrees
+  // (arena/new_task/MCP) are cleaned up inline by the one-shot path, so we only
+  // own the persistent session dirs the warm paths leave behind.
+  let dirents: string[];
+  try {
+    dirents = await readdir(WORKTREE_BASE);
+  } catch {
+    return { scanned: 0, candidates: 0, reaped: [], skippedAtRisk: [] }; // base absent → nothing to do
+  }
+  const onDisk: { path: string; mtimeMs: number }[] = [];
+  for (const name of dirents) {
+    if (!name.startsWith('sess-')) continue; // only persistent session worktrees
+    const path = join(WORKTREE_BASE, name);
+    try {
+      const s = await stat(path);
+      if (!s.isDirectory()) continue;
+      onDisk.push({ path, mtimeMs: s.mtimeMs });
+    } catch {
+      // vanished between readdir and stat — skip
+    }
+  }
+
+  // Live worktree paths from the DB (active rows only — archived/removed rows are
+  // not "live", so their leftover dirs are reapable orphans).
+  const liveRows = await sql<{ path: string }[]>`
+    SELECT path FROM worktrees WHERE status = 'active'
+  `;
+  const live = new Set(liveRows.map((r) => r.path));
+
+  const candidates = selectOrphanWorktreeTargets(onDisk, live, now, graceMs);
+  const reaped: string[] = [];
+  const skippedAtRisk: string[] = [];
+
+  for (const path of candidates) {
+    // Preflight: never reap work at risk. A git error forces atRisk=true (fail
+    // closed), so a half-broken worktree is kept, not silently destroyed.
+    const risk = await checkWorktreeWorkAtRisk(path);
+    if (risk.atRisk) {
+      skippedAtRisk.push(path);
+      log.warn({ path, dirty: risk.dirty, unmerged: risk.unmerged, error: risk.error }, 'orphan-reaper: skipping at-risk orphan worktree');
+      continue;
+    }
+    const removed = await removeOrphanDir(path);
+    if (removed) reaped.push(path);
+  }
+
+  if (reaped.length > 0 || skippedAtRisk.length > 0) {
+    log.info({ scanned: onDisk.length, candidates: candidates.length, reaped, skippedAtRisk }, 'orphan-reaper: pass complete');
+  }
+  return { scanned: onDisk.length, candidates: candidates.length, reaped, skippedAtRisk };
+}
+
+/**
+ * Remove a single orphan worktree dir. Resolve its main repo via the git
+ * common-dir, run `worktree remove --force` from there + prune, then rm the dir as
+ * a backstop. Best-effort: every step is independently fault-tolerant so a partial
+ * state (dir present, git untracked) still gets reclaimed.
+ */
+async function removeOrphanDir(path: string): Promise<boolean> {
+  // Find the owning repo (the common git dir's parent). When the dir isn't a valid
+  // worktree anymore, this fails and we fall back to a plain rm.
+  const common = await hostExec(
+    `git -C ${shellEscape(path)} rev-parse --path-format=absolute --git-common-dir`,
+    { timeoutMs: 10_000 },
+  ).catch(() => null);
+  const commonDir = common && common.exitCode === 0 ? common.stdout.trim() : '';
+  // The repo worktree root is the parent of the .git common dir (strip trailing /.git).
+  const repoRoot = commonDir.replace(/\/\.git\/?$/, '').replace(/\/\.git$/, '');
+
+  if (repoRoot && repoRoot !== commonDir) {
+    await hostExec(
+      `git -C ${shellEscape(repoRoot)} worktree remove ${shellEscape(path)} --force`,
+      { timeoutMs: 15_000 },
+    ).catch(() => {});
+    await hostExec(
+      `git -C ${shellEscape(repoRoot)} worktree prune`,
+      { timeoutMs: 10_000 },
+    ).catch(() => {});
+  }
+  // Backstop: ensure the dir is gone even if the git remove no-op'd.
+  const rm = await hostExec(`rm -rf ${shellEscape(path)}`, { timeoutMs: 15_000 }).catch(() => null);
+  return rm != null && rm.exitCode === 0;
+}
+
+/** Minimal single-quote shell escape (mirrors worktrees.ts). */
+function shellEscape(s: string): string {
+  return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+
+/** Periodic orphan-worktree reaper, started/stopped by the bootstrap. Unref'd. */
+export function createOrphanWorktreeReaper(deps: OrphanWorktreeReaperDeps): { start(): void; stop(): void } {
+  const { sql, log, intervalMs } = deps;
+  const graceMs = deps.graceMs ?? DEFAULT_ORPHAN_WORKTREE_GRACE_MS;
+  let timer: ReturnType<typeof setInterval> | null = null;
+  let running = false;
+
+  return {
+    start() {
+      if (timer) return;
+      timer = setInterval(() => {
+        if (running) return; // a slow pass must not overlap the next tick
+        running = true;
+        void reapOrphanWorktrees(sql, log, graceMs)
+          .catch((err) => log.warn({ err: err instanceof Error ? err.message : String(err) }, 'orphan-reaper: pass error'))
+          .finally(() => {
+            running = false;
+          });
+      }, intervalMs);
+      timer.unref?.();
+      log.info({ intervalMs, graceMs }, 'orphan-reaper: started');
+    },
+    stop() {
+      if (timer) {
+        clearInterval(timer);
+        timer = null;
+      }
+    },
+  };
+}

apps/coder/src/services/pending_changes.ts

@@ -2,6 +2,7 @@ import { readFile, writeFile, unlink, mkdir } from 'node:fs/promises';
 import { dirname } from 'node:path';
 import type { Sql } from '../db.js';
 import { resolveWritePath } from './write_guard.js';
+import { locateMatch } from './fuzzy-match.js';
 
 // --- Types -------------------------------------------------------------------
 
@@ -13,6 +14,10 @@ export interface PendingChange {
   operation: 'create' | 'edit' | 'delete';
   diff: string;
   status: 'pending' | 'applied' | 'rejected' | 'reverted';
+  // v2.6 Phase 1-UX: which agent staged this change (DiffPanel attribution).
+  // Native boocode write tools stamp 'boocode'; the manual RightRail create path
+  // passes null (renders as "manual"). NULL on legacy rows queued pre-v2.6.
+  agent: string | null;
   created_at: string;
 }
 
@@ -34,13 +39,17 @@ export async function queueEdit(
   oldString: string,
   newString: string,
   projectRoot: string,
+  // v2.6 Phase 1-UX: attribution. Defaults to 'boocode' because the only callers
+  // that omit it are the native write tools (edit_file/create_file/delete_file).
+  // Pass null explicitly for the manual RightRail create path.
+  agent: string | null = 'boocode',
 ): Promise<PendingChange> {
   const resolved = resolveWritePath(projectRoot, filePath);
   const diff = JSON.stringify({ old: oldString, new: newString });
 
   const [row] = await sql<PendingChange[]>`
-    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
-    VALUES (${sessionId}, ${taskId}, ${resolved}, 'edit', ${diff})
+    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
+    VALUES (${sessionId}, ${taskId}, ${resolved}, 'edit', ${diff}, ${agent})
     RETURNING *
   `;
   return row!;
@@ -53,12 +62,15 @@ export async function queueCreate(
   filePath: string,
   content: string,
   projectRoot: string,
+  // See queueEdit: defaults to 'boocode' for the native write tools; the manual
+  // RightRail create route passes null.
+  agent: string | null = 'boocode',
 ): Promise<PendingChange> {
   const resolved = resolveWritePath(projectRoot, filePath);
 
   const [row] = await sql<PendingChange[]>`
-    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
-    VALUES (${sessionId}, ${taskId}, ${resolved}, 'create', ${content})
+    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
+    VALUES (${sessionId}, ${taskId}, ${resolved}, 'create', ${content}, ${agent})
     RETURNING *
   `;
   return row!;
@@ -70,12 +82,14 @@ export async function queueDelete(
   taskId: string | null,
   filePath: string,
   projectRoot: string,
+  // See queueEdit: defaults to 'boocode' for the native write tools.
+  agent: string | null = 'boocode',
 ): Promise<PendingChange> {
   const resolved = resolveWritePath(projectRoot, filePath);
 
   const [row] = await sql<PendingChange[]>`
-    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
-    VALUES (${sessionId}, ${taskId}, ${resolved}, 'delete', '')
+    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
+    VALUES (${sessionId}, ${taskId}, ${resolved}, 'delete', '', ${agent})
     RETURNING *
   `;
   return row!;
@@ -108,10 +122,18 @@ export async function applyOne(
       case 'edit': {
         const { old: oldStr, new: newStr } = JSON.parse(change.diff) as { old: string; new: string };
         const content = await readFile(change.file_path, 'utf8');
-        if (!content.includes(oldStr)) {
-          throw new Error('old_string not found in file — file may have changed since the edit was queued');
+        const match = locateMatch(content, oldStr);
+        if (match.kind === 'ambiguous') {
+          throw new Error(
+            `old_string matches ${match.count} locations — add surrounding context to disambiguate`,
+          );
         }
-        const updated = content.replace(oldStr, newStr);
+        if (match.kind === 'not_found') {
+          throw new Error(
+            'old_string not found in file (even fuzzily) — file may have changed since the edit was queued',
+          );
+        }
+        const updated = content.slice(0, match.start) + newStr + content.slice(match.end);
         await writeFile(change.file_path, updated, 'utf8');
         break;
       }
@@ -190,10 +212,18 @@ export async function rewindOne(
         // Reverse an edit: swap old and new
         const { old: oldStr, new: newStr } = JSON.parse(change.diff) as { old: string; new: string };
         const content = await readFile(change.file_path, 'utf8');
-        if (!content.includes(newStr)) {
-          throw new Error('new_string not found in file — cannot rewind; file may have been modified since apply');
+        const match = locateMatch(content, newStr);
+        if (match.kind === 'ambiguous') {
+          throw new Error(
+            `new_string matches ${match.count} locations — cannot rewind; add surrounding context to disambiguate`,
+          );
         }
-        const reverted = content.replace(newStr, oldStr);
+        if (match.kind === 'not_found') {
+          throw new Error(
+            'new_string not found in file (even fuzzily) — cannot rewind; file may have been modified since apply',
+          );
+        }
+        const reverted = content.slice(0, match.start) + oldStr + content.slice(match.end);
         await writeFile(change.file_path, reverted, 'utf8');
         break;
       }

apps/coder/src/services/provider-config.ts

@@ -29,6 +29,41 @@ export const CoderProvidersFileSchema = z.object({
 export type ProviderOverride = z.infer<typeof ProviderOverrideSchema>;
 export type CoderProvidersFile = z.infer<typeof CoderProvidersFileSchema>;
 
+/**
+ * PATCH body schema (design.md §6.2). A partial providers map where each value
+ * is either a full override object (REPLACES that id's override) or `null`
+ * (DELETES the override → revert to the built-in default). Ids absent from the
+ * patch are left untouched. The route validates the body against this first
+ * (malformed → 422) so a bad shape can never reach the merge/save step.
+ */
+export const ProviderConfigPatchSchema = z.object({
+  providers: z.record(ProviderOverrideSchema.nullable()).default({}),
+});
+
+export type ProviderConfigPatch = z.infer<typeof ProviderConfigPatchSchema>;
+
+/**
+ * Shallow per-id merge (design.md §6.2 / Paseo `patchConfig`). Each key in
+ * `patch.providers` REPLACES that id's override object wholesale (NOT a deep
+ * field merge); a `null` value DELETES the override. Returns a new object —
+ * never mutates `current`. The result is a plain CoderProvidersFile (no nulls),
+ * which the route re-validates against CoderProvidersFileSchema before save.
+ */
+export function mergeProviderConfigPatch(
+  current: CoderProvidersFile,
+  patch: ProviderConfigPatch,
+): CoderProvidersFile {
+  const providers: Record<string, ProviderOverride> = { ...current.providers };
+  for (const [id, override] of Object.entries(patch.providers)) {
+    if (override === null) {
+      delete providers[id];
+    } else {
+      providers[id] = override;
+    }
+  }
+  return { providers };
+}
+
 /** Read + parse + validate. Falls back to built-ins-only on any failure; never throws. */
 export function load(path: string): CoderProvidersFile {
   let raw: string;

apps/coder/src/services/provider-diagnostic.ts

@@ -0,0 +1,71 @@
+/**
+ * v2.3 Phase 4 (design.md §8) — per-provider plaintext diagnostic report.
+ *
+ * Read-only by default: reports CACHED state (resolved registry def + the
+ * available_agents row + the warm snapshot-cache entry) plus a `which`-style
+ * PATH check for the launch binary. It does NOT spawn an ACP probe — §8 lists
+ * the live initialize probe as optional, and the route defaults to cached state.
+ *
+ * A template string is the whole formatter (no Paseo diagnostic-utils port).
+ */
+import type { ResolvedProviderDef } from './provider-config-registry.js';
+import type { ProviderSnapshotEntry, ProviderModel } from './provider-types.js';
+import { isCommandAvailable } from './command-availability.js';
+
+/** The subset of an `available_agents` row the diagnostic reads. */
+export interface DiagnosticAgentRow {
+  name: string;
+  install_path: string | null;
+  supports_acp?: boolean;
+  models?: ProviderModel[] | null;
+  last_probed_at?: string | Date | null;
+}
+
+interface DiagnosticOpts {
+  /** Warm snapshot-cache entry (read-only peek) — source of the last probe error. */
+  cachedEntry?: ProviderSnapshotEntry;
+  /** Injectable PATH check (defaults to the real `which`); stubbed in tests. */
+  checkAvailable?: (binary: string) => Promise<boolean>;
+}
+
+/** Resolve the binary the dispatcher would launch (for the PATH check + report). */
+function resolveBinary(resolved: ResolvedProviderDef, agentRow: DiagnosticAgentRow | undefined): string {
+  return resolved.launchCommand?.[0] ?? agentRow?.install_path ?? resolved.id;
+}
+
+export async function getProviderDiagnostic(
+  resolved: ResolvedProviderDef,
+  agentRow: DiagnosticAgentRow | undefined,
+  opts: DiagnosticOpts = {},
+): Promise<string> {
+  const checkAvailable = opts.checkAvailable ?? isCommandAvailable;
+  const installed = agentRow?.install_path != null;
+  const binary = resolveBinary(resolved, agentRow);
+  // boocode is native (no binary to launch) — short-circuit the PATH check.
+  const commandAvailable = resolved.transport === 'native' ? true : await checkAvailable(binary);
+  const lastProbedAt =
+    agentRow?.last_probed_at != null ? new Date(agentRow.last_probed_at).toISOString() : '(never)';
+  const modelCount = agentRow?.models?.length ?? 0;
+  const launchCommand = resolved.launchCommand
+    ? resolved.launchCommand.join(' ')
+    : '(built-in default, resolved at dispatch)';
+  const lastError = opts.cachedEntry?.error ?? '(none recorded)';
+
+  return [
+    `provider: ${resolved.id}`,
+    `label: ${resolved.configLabel ?? resolved.label}`,
+    `transport: ${resolved.transport}`,
+    `enabled: ${resolved.enabled}`,
+    `builtin: ${resolved.isBuiltin}`,
+    `customAcp: ${resolved.isCustomAcp}`,
+    `installed: ${installed}`,
+    `install_path: ${agentRow?.install_path ?? '(none)'}`,
+    `binary: ${binary}`,
+    `command_available: ${commandAvailable}`,
+    `launch_command: ${launchCommand}`,
+    `supports_acp: ${agentRow?.supports_acp ?? '(unknown)'}`,
+    `last_probed_at: ${lastProbedAt}`,
+    `models_in_db: ${modelCount}`,
+    `last_probe_error: ${lastError}`,
+  ].join('\n');
+}

apps/coder/src/services/provider-snapshot.ts

@@ -16,6 +16,7 @@ import { getManifestCommands, mergeCommands } from './provider-commands.js';
 import { readQwenSettingsModels } from './qwen-settings.js';
 import { getResolvedRegistry, type ResolvedProviderDef } from './provider-config-registry.js';
 import { isCommandAvailable } from './command-availability.js';
+import { discoverClaudeCommands } from './claude-command-discovery.js';
 
 interface AgentRow {
   name: string;
@@ -28,7 +29,7 @@ interface AgentRow {
   last_probed_at: string | Date | null;
 }
 
-async function fetchLlamaSwapModels(config: Config): Promise<ProviderModel[]> {
+export async function fetchLlamaSwapModels(config: Config): Promise<ProviderModel[]> {
   try {
     const res = await fetch(`${config.LLAMA_SWAP_URL}/v1/models`);
     if (!res.ok) return [];
@@ -149,10 +150,12 @@ async function buildProviderEntry(
 
   // claude: static models + thinking options, no ACP probe (unchanged from v2.2).
   if (name === 'claude') {
+    // claude is PTY (no ACP discovery) — read its enabled commands + plugin
+    // skills from disk live (the snapshot cache rate-limits the fs reads).
     return {
       name, label, transport, status: 'ready', enabled: true, installed: true,
       models: attachClaudeThinking(withConfigModels(models)), modes: fallbackModes, defaultModeId,
-      commands: manifestCommands,
+      commands: mergeCommands(manifestCommands, discoverClaudeCommands()),
     };
   }
 
@@ -280,6 +283,16 @@ export function clearProviderSnapshotCache(): void {
   snapshotInflight.clear();
 }
 
+/**
+ * Read-only peek into the warm snapshot cache for one provider (no build, no
+ * probe). Used by the diagnostic route to report the last computed probe error
+ * without spawning anything. Returns undefined on a cold cache / unknown name.
+ */
+export function peekSnapshotEntry(name: string, cwd?: string): ProviderSnapshotEntry | undefined {
+  const resolvedCwd = cwd?.trim() || homedir();
+  return snapshotCache.get(resolvedCwd)?.entries.find((e) => e.name === name);
+}
+
 /** Persist probed model lists back to available_agents for fast legacy reads. */
 export async function persistProbedModels(
   sql: Sql,

apps/coder/src/services/provider-types.ts

@@ -30,6 +30,9 @@ export type ProviderSnapshotStatus = 'loading' | 'ready' | 'unavailable' | 'erro
 export interface AgentCommand {
   name: string;
   description?: string;
+  // v2.5.11: 'skill' (plugin skill) vs 'command' (native/CLI slash command).
+  // Drives the icon split in the coder slash menu. Undefined → command.
+  kind?: 'command' | 'skill';
 }
 
 // KEEP IN SYNC with apps/web/src/api/types.ts ProviderSnapshotEntry — parity is

apps/coder/src/services/worktrees.ts

@@ -6,9 +6,10 @@
  * After the agent completes, we diff the worktree against HEAD and
  * queue the diff into pending_changes.
  */
+import type { Sql } from '../db.js';
 import { hostExec } from './host-exec.js';
 
-const WORKTREE_BASE = '/tmp/booworktrees';
+export const WORKTREE_BASE = '/tmp/booworktrees';
 
 /**
  * Create a git worktree for a task on the host.
@@ -45,7 +46,7 @@ export async function createWorktree(
 export async function diffWorktree(
   worktreePath: string,
   projectPath: string,
-  opts?: { signal?: AbortSignal },
+  opts?: { signal?: AbortSignal; baseRef?: string },
 ): Promise<string> {
   // First, commit any uncommitted changes in the worktree so we can diff branches
   // Stage all changes
@@ -74,9 +75,13 @@ export async function diffWorktree(
     { signal: opts?.signal, timeoutMs: 15_000 },
   );
 
-  // Diff the worktree branch against the parent commit (HEAD of main tree)
+  // Diff the worktree branch against the baseline. Per-task callers default to the
+  // main tree's current HEAD; the session-worktree (opencode) path passes the
+  // captured base_commit so the accumulated diff is stable across turns even if
+  // project HEAD advances.
+  const baseRef = opts?.baseRef ?? 'HEAD';
   const diffResult = await hostExec(
-    `git -C ${shellEscape(projectPath)} diff HEAD...$(git -C ${shellEscape(worktreePath)} rev-parse HEAD)`,
+    `git -C ${shellEscape(projectPath)} diff ${shellEscape(baseRef)}...$(git -C ${shellEscape(worktreePath)} rev-parse HEAD)`,
     { signal: opts?.signal, timeoutMs: 60_000 },
   );
 
@@ -111,6 +116,427 @@ export async function cleanupWorktree(
   ).catch(() => {});
 }
 
+// ─── v2.6: session-keyed persistent worktree ────────────────────────────────
+
+export interface SessionWorktree {
+  /** P1.5-b: the `worktrees.id` — stored on agent_sessions informationally. */
+  worktreeId: string;
+  worktreePath: string;
+  baseCommit: string | null;
+}
+
+/**
+ * v2.6 / P1.5-b: create-or-reuse ONE worktree per BooCode session (shared across
+ * all tabs/agents in the session), recorded in `worktrees` (was the superseded
+ * `session_worktrees`). Persists — NOT torn down per turn (cleanup is Phase 3) —
+ * and now survives session delete (`worktrees.session_id` is ON DELETE SET NULL).
+ * Captures the project's current HEAD as `base_commit` for a stable diff baseline.
+ *
+ * Distinct path namespace (`session-<id>` branch, `/sess-<id>` dir) so it never
+ * collides with the per-task worktrees that arena/new_task/MCP still use.
+ */
+export async function ensureSessionWorktree(
+  sql: Sql,
+  projectPath: string,
+  sessionId: string,
+  opts?: { signal?: AbortSignal },
+): Promise<SessionWorktree> {
+  const [existing] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
+    SELECT id, path, base_commit FROM worktrees
+    WHERE session_id = ${sessionId} AND status = 'active'
+    LIMIT 1
+  `;
+  if (existing) {
+    return { worktreeId: existing.id, worktreePath: existing.path, baseCommit: existing.base_commit };
+  }
+
+  const worktreePath = `${WORKTREE_BASE}/sess-${sessionId}`;
+  const branchName = `session-${sessionId}`;
+
+  await hostExec(`mkdir -p ${WORKTREE_BASE}`, { signal: opts?.signal });
+
+  // Capture the baseline commit BEFORE branching, so the diff is stable even if
+  // project HEAD later advances.
+  const headResult = await hostExec(
+    `git -C ${shellEscape(projectPath)} rev-parse HEAD`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  );
+  const baseCommit = headResult.exitCode === 0 ? headResult.stdout.trim() || null : null;
+
+  const result = await hostExec(
+    `git -C ${shellEscape(projectPath)} worktree add ${shellEscape(worktreePath)} -b ${shellEscape(branchName)} HEAD`,
+    { signal: opts?.signal, timeoutMs: 30_000 },
+  );
+  if (result.exitCode !== 0) {
+    throw new Error(`Failed to create session worktree: ${result.stderr.trim() || result.stdout.trim()}`);
+  }
+
+  // Insert-or-get: WHERE NOT EXISTS keeps the first writer's row if two turns race
+  // the create (the partial unique on active path also backstops it).
+  const [inserted] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
+    INSERT INTO worktrees (session_id, path, branch, base_commit, status)
+    SELECT ${sessionId}, ${worktreePath}, ${branchName}, ${baseCommit}, 'active'
+    WHERE NOT EXISTS (
+      SELECT 1 FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'
+    )
+    RETURNING id, path, base_commit
+  `;
+  if (inserted) {
+    return { worktreeId: inserted.id, worktreePath: inserted.path, baseCommit: inserted.base_commit };
+  }
+  // Lost the race — another turn inserted first; read its row.
+  const [row] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
+    SELECT id, path, base_commit FROM worktrees
+    WHERE session_id = ${sessionId} AND status = 'active'
+    LIMIT 1
+  `;
+  return {
+    worktreeId: row!.id,
+    worktreePath: row?.path ?? worktreePath,
+    baseCommit: row?.base_commit ?? baseCommit,
+  };
+}
+
+/**
+ * v2.6 Phase 3 (3.3 / 3.4): physically remove a session's persistent worktree —
+ * the git worktree dir + its branch — and archive its `worktrees` row. Used by the
+ * chat/session-close hook (when the last chat in a session closes) and the orphan
+ * reaper. Best-effort on the git side (a dir already gone is not an error); the DB
+ * row is flipped to 'archived' (soft-delete, Paseo's worktree-archive pattern) so
+ * history/attribution survives and a re-run is idempotent.
+ *
+ * SAFETY: callers MUST run `checkWorktreeWorkAtRisk` first and skip at-risk
+ * worktrees — this function force-removes (`--force`), so it never silently drops
+ * uncommitted/unmerged work unless the caller already cleared/accepted the risk.
+ */
+export async function removeSessionWorktree(
+  sql: Sql,
+  projectPath: string,
+  worktree: { id: string; path: string; branch?: string | null },
+  opts?: { signal?: AbortSignal },
+): Promise<void> {
+  await hostExec(
+    `git -C ${shellEscape(projectPath)} worktree remove ${shellEscape(worktree.path)} --force`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  ).catch(() => {});
+  const branch = worktree.branch ?? null;
+  if (branch) {
+    await hostExec(
+      `git -C ${shellEscape(projectPath)} branch -D ${shellEscape(branch)}`,
+      { signal: opts?.signal, timeoutMs: 10_000 },
+    ).catch(() => {});
+  }
+  // Prune any stale worktree administrative entries left behind by a partial remove.
+  await hostExec(
+    `git -C ${shellEscape(projectPath)} worktree prune`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  ).catch(() => {});
+  await sql`UPDATE worktrees SET status = 'archived' WHERE id = ${worktree.id}`.catch(() => {});
+}
+
+/**
+ * v2.6 Phase 3 (3.3): the chat-close cleanup. Mark every `agent_sessions` row for
+ * the chat 'closed', then — only if this was the session's LAST open chat — remove
+ * the shared session worktree (a worktree is one-per-session, shared across the
+ * session's chat tabs, so closing one tab must not pull the rug from sibling tabs).
+ *
+ * Returns what it did so the route can report it. The actual backend (process /
+ * server-session) teardown is the pool's job (`agentPool.closeChat` +
+ * `backend.closeSession`); this owns the DB + git truth.
+ *
+ * `worktreeRemoved` is false when other open chats remain (worktree kept) OR when
+ * the worktree held work at risk (preflight blocked it — never silently dropped).
+ */
+export interface ChatCloseResult {
+  agentRowsClosed: number;
+  worktreeRemoved: boolean;
+  worktreeAtRisk: boolean;
+}
+
+export async function closeChatBackendState(
+  sql: Sql,
+  chatId: string,
+  opts?: { signal?: AbortSignal; force?: boolean },
+): Promise<ChatCloseResult> {
+  // Resolve the chat's session (and that session's project path) before we touch
+  // anything — a deleted chat row leaves agent_sessions/worktrees pointing nowhere.
+  const [chatRow] = await sql<{ session_id: string | null }[]>`
+    SELECT session_id FROM chats WHERE id = ${chatId}
+  `;
+  // chat row may already be gone (delete fired first); fall back to agent_sessions'
+  // session_id link, which SET NULLs only on session delete, not chat delete.
+  let sessionId = chatRow?.session_id ?? null;
+  if (!sessionId) {
+    const [as] = await sql<{ session_id: string | null }[]>`
+      SELECT session_id FROM agent_sessions WHERE chat_id = ${chatId} AND session_id IS NOT NULL LIMIT 1
+    `;
+    sessionId = as?.session_id ?? null;
+  }
+
+  // Mark this chat's (chat,agent) backend rows closed (idempotent).
+  const closedRows = await sql<{ agent: string }[]>`
+    UPDATE agent_sessions SET status = 'closed'
+    WHERE chat_id = ${chatId} AND status <> 'closed'
+    RETURNING agent
+  `;
+
+  let worktreeRemoved = false;
+  let worktreeAtRisk = false;
+
+  if (sessionId) {
+    // Other open chats still sharing the session worktree? If so, keep it.
+    const openRows = await sql<{ open_count: number }[]>`
+      SELECT COUNT(*)::int AS open_count FROM chats
+      WHERE session_id = ${sessionId} AND status = 'open' AND id <> ${chatId}
+    `;
+    const openCount = openRows[0]?.open_count ?? 0;
+    if (openCount === 0) {
+      const [wt] = await sql<{ id: string; path: string; branch: string | null }[]>`
+        SELECT id, path, branch FROM worktrees
+        WHERE session_id = ${sessionId} AND status = 'active' LIMIT 1
+      `;
+      if (wt) {
+        const projRows = await sql<{ path: string | null }[]>`
+          SELECT p.path FROM sessions s JOIN projects p ON p.id = s.project_id WHERE s.id = ${sessionId}
+        `;
+        const projectPath = projRows[0]?.path ?? null;
+        // Preflight (close-hook semantics): a DELIBERATE chat/session close — the
+        // server's session-delete already ran the full work-at-risk gate
+        // (dirty/unpushed/unmerged) before calling us, and chat-close discards the
+        // tab's staged review intentionally. So here we only block on UNCOMMITTED
+        // working-tree changes (`dirty`) — work the user never even staged into the
+        // review diff. The session branch's own commits (the diff-staging
+        // mechanism) are NOT a block; treating them as "unmerged risk" would make
+        // the worktree un-removable on every real session (the orphan reaper keeps
+        // the full at-risk gate because it runs unattended). `force` skips this.
+        if (!opts?.force) {
+          const risk = await checkWorktreeWorkAtRisk(wt.path, opts);
+          worktreeAtRisk = risk.dirty || risk.error != null;
+        }
+        if (projectPath && (opts?.force || !worktreeAtRisk)) {
+          await removeSessionWorktree(sql, projectPath, wt, opts);
+          worktreeRemoved = true;
+        }
+      }
+    }
+  }
+
+  return { agentRowsClosed: closedRows.length, worktreeRemoved, worktreeAtRisk };
+}
+
+/**
+ * v2.6 Phase 3 (3.5): re-baseline a session's worktree diff after a successful
+ * `apply_pending`. The applied changes were written to the PROJECT ROOT; the
+ * worktree branch still holds the same delta against the ORIGINAL `base_commit`,
+ * so the next turn's `diffWorktree(base_commit...worktree-HEAD)` would re-surface
+ * the already-applied changes as "pending" — a confusing double-count.
+ *
+ * Fix: advance the stored `base_commit` to the worktree's CURRENT HEAD (the
+ * `diffWorktree` path commits the worktree's accumulated changes before diffing,
+ * so HEAD already encodes the applied state). The next turn then diffs against
+ * that, surfacing only edits made AFTER the apply. Idempotent: if the worktree has
+ * no new commits, the base is unchanged.
+ *
+ * Diff-baseline-correctness note (design §7): we re-baseline to the worktree's own
+ * HEAD, NOT to a moving project HEAD — so an out-of-band edit to the project root
+ * after apply doesn't corrupt the baseline. The trade-off is that a manual project
+ * edit isn't reflected as "already there"; acceptable, and matches the stored-base
+ * (not moving-target) decision in §7.
+ */
+export async function rebaselineWorktreeAfterApply(
+  sql: Sql,
+  sessionId: string,
+  opts?: { signal?: AbortSignal },
+): Promise<{ rebaselined: boolean; newBaseCommit: string | null }> {
+  const [wt] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
+    SELECT id, path, base_commit FROM worktrees
+    WHERE session_id = ${sessionId} AND status = 'active' LIMIT 1
+  `;
+  if (!wt) return { rebaselined: false, newBaseCommit: null };
+
+  // Make sure the worktree's accumulated edits are committed so HEAD encodes the
+  // just-applied state (the diff path normally does this, but apply may run with no
+  // prior diff this turn). Commit ONLY when something is staged — NO --allow-empty,
+  // so a re-baseline with no new edits doesn't advance HEAD and stays idempotent.
+  await hostExec(
+    `cd ${shellEscape(wt.path)} && git add -A && ` +
+      `git diff --cached --quiet || ` +
+      `git -c user.email=boocoder@local -c user.name=BooCoder commit -q -m "rebaseline after apply"`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  ).catch(() => {});
+
+  const headRes = await hostExec(
+    `git -C ${shellEscape(wt.path)} rev-parse HEAD`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  ).catch(() => null);
+  const newBase = headRes && headRes.exitCode === 0 ? headRes.stdout.trim() || null : null;
+  if (!newBase || newBase === wt.base_commit) {
+    return { rebaselined: false, newBaseCommit: wt.base_commit };
+  }
+
+  await sql`UPDATE worktrees SET base_commit = ${newBase} WHERE id = ${wt.id}`;
+  return { rebaselined: true, newBaseCommit: newBase };
+}
+
+// ─── Session-delete work-loss guard ─────────────────────────────────────────
+
+/**
+ * Risk report for a single worktree, returned by checkWorktreeWorkAtRisk.
+ * `atRisk` is the gate the server reads before allowing a session delete.
+ * A git error never silently passes — it forces `atRisk` true and surfaces
+ * the message in `error` (fail-closed).
+ */
+export interface RiskReport {
+  worktreePath: string;
+  branch: string;
+  dirty: boolean;   // uncommitted working-tree changes (incl. untracked)
+  unpushed: number; // commits ahead of upstream, or -1 if no upstream is set
+  unmerged: number; // commits on this branch not in the project default branch
+  atRisk: boolean;  // dirty || unmerged > 0 || (upstream && unpushed > 0) || git error
+  error?: string;   // populated on a git failure; presence forces atRisk
+}
+
+/**
+ * Resolve the project's default branch as a git-usable ref (e.g. "origin/main").
+ *
+ * `refs/remotes/origin/HEAD` lives in the repo's COMMON git dir and is shared
+ * across every linked worktree, so reading it from the session worktree returns
+ * the REMOTE's default branch — never this worktree's own `session-<id>` branch
+ * (that would be `symbolic-ref HEAD`, a different ref). Falls back to probing
+ * common defaults by verified existence when origin/HEAD isn't set (e.g. a repo
+ * that never ran `git remote set-head`). Returns null if none resolve, in which
+ * case the unmerged check is skipped (dirty + unpushed still protect the work).
+ */
+async function detectDefaultBranchRef(
+  worktreePath: string,
+  opts?: { signal?: AbortSignal },
+): Promise<string | null> {
+  const head = await hostExec(
+    `git -C ${shellEscape(worktreePath)} symbolic-ref --short refs/remotes/origin/HEAD`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  );
+  if (head.exitCode === 0) {
+    const ref = head.stdout.trim(); // e.g. "origin/main"
+    if (ref) {
+      const verify = await hostExec(
+        `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(ref + '^{commit}')}`,
+        { signal: opts?.signal, timeoutMs: 10_000 },
+      );
+      if (verify.exitCode === 0 && verify.stdout.trim()) return ref;
+    }
+  }
+  // origin/HEAD unset or unresolvable — probe common defaults. Prefer the
+  // remote-tracking ref (always resolvable in a fresh worktree) over the local
+  // head, which may not exist if the default branch lives only in the main tree.
+  for (const cand of ['origin/main', 'origin/master', 'main', 'master']) {
+    const verify = await hostExec(
+      `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(cand + '^{commit}')}`,
+      { signal: opts?.signal, timeoutMs: 10_000 },
+    );
+    if (verify.exitCode === 0 && verify.stdout.trim()) return cand;
+  }
+  return null;
+}
+
+/**
+ * Inspect a worktree for work that would be lost if its session were deleted.
+ * Three checks, all via the audited hostExec + shellEscape path (every
+ * interpolated value — paths, refs — is single-quote-escaped; no bare
+ * interpolation). Any unexpected git failure is treated as at-risk, never a
+ * silent pass.
+ */
+export async function checkWorktreeWorkAtRisk(
+  worktreePath: string,
+  opts?: { signal?: AbortSignal },
+): Promise<RiskReport> {
+  // Branch name — also doubles as the "is this still a git worktree?" probe.
+  const br = await hostExec(
+    `git -C ${shellEscape(worktreePath)} rev-parse --abbrev-ref HEAD`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  );
+  if (br.exitCode !== 0) {
+    return {
+      worktreePath,
+      branch: '',
+      dirty: false,
+      unpushed: 0,
+      unmerged: 0,
+      atRisk: true,
+      error: `git rev-parse failed: ${br.stderr.trim() || 'not a git worktree'}`,
+    };
+  }
+  const branch = br.stdout.trim();
+
+  // (a) Uncommitted (dirty working tree, including untracked files).
+  const st = await hostExec(
+    `git -C ${shellEscape(worktreePath)} status --porcelain`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  );
+  if (st.exitCode !== 0) {
+    return {
+      worktreePath,
+      branch,
+      dirty: false,
+      unpushed: 0,
+      unmerged: 0,
+      atRisk: true,
+      error: `git status failed: ${st.stderr.trim()}`,
+    };
+  }
+  const dirty = st.stdout.trim().length > 0;
+
+  // (b) Unpushed commits. No upstream configured => work exists only locally;
+  // treat as unpushed-by-definition (-1) rather than an error.
+  const up = await hostExec(
+    `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape('@{u}..HEAD')}`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  );
+  const unpushed = up.exitCode === 0 ? (parseInt(up.stdout.trim() || '0', 10) || 0) : -1;
+
+  // (c) Unmerged commits — on this branch but not in the project default branch.
+  const defaultRef = await detectDefaultBranchRef(worktreePath, opts);
+  let unmerged = 0;
+  if (defaultRef) {
+    const rl = await hostExec(
+      `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape(defaultRef + '..HEAD')}`,
+      { signal: opts?.signal, timeoutMs: 15_000 },
+    );
+    if (rl.exitCode === 0) unmerged = parseInt(rl.stdout.trim() || '0', 10) || 0;
+  }
+
+  // unpushed only contributes when an upstream actually exists. Session branches
+  // (session-<id>) never have one (unpushed === -1), and any real local-only work
+  // there already surfaces as unmerged > 0 — so the no-upstream case adds no
+  // protection, only friction (it flagged every pristine worktree-backed session).
+  // The unpushed > 0 arm stays forward-compatible with P1.5 pushable branches.
+  const hasUpstream = unpushed !== -1;
+  const atRisk = dirty || unmerged > 0 || (hasUpstream && unpushed > 0);
+  return { worktreePath, branch, dirty, unpushed, unmerged, atRisk };
+}
+
+/**
+ * Stash a worktree's uncommitted changes (including untracked, via -u) so the
+ * working tree is clean. Stash entries live in the repo's common git dir, so
+ * they survive worktree-dir removal — this is the recoverable, safe-by-default
+ * escape. Note it only clears the *dirty* risk; unpushed/unmerged commits
+ * remain on the branch, so a re-attempted delete may still block on those.
+ */
+export async function stashWorktree(
+  worktreePath: string,
+  opts?: { signal?: AbortSignal },
+): Promise<{ stashed: boolean; error?: string }> {
+  const r = await hostExec(
+    `git -C ${shellEscape(worktreePath)} stash push -u -m ${shellEscape('boocode: pre-delete stash')}`,
+    { signal: opts?.signal, timeoutMs: 30_000 },
+  );
+  if (r.exitCode !== 0) {
+    return { stashed: false, error: r.stderr.trim() || r.stdout.trim() };
+  }
+  // "No local changes to save" => exit 0, nothing stashed — not an error.
+  const stashed = !/no local changes to save/i.test(r.stdout);
+  return { stashed };
+}
+
 /** Minimal shell escape for paths (single-quote wrapping). */
 function shellEscape(s: string): string {
   // Replace single quotes with escaped version, wrap in single quotes

apps/server/package.json

@@ -87,7 +87,7 @@
     "@modelcontextprotocol/sdk": "^1.29.0",
     "ai": "^6.0.190",
     "fastify": "^4.28.1",
-    "parse5": "^8.0.1",
+    "node-html-markdown": "^1.3.0",
     "postgres": "^3.4.4",
     "ws": "^8.18.0",
     "zod": "^3.23.8"
@@ -99,5 +99,5 @@
     "typescript": "^5.5.0",
     "vitest": "^3.2.4"
   },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }

apps/server/src/routes/chats.ts

@@ -4,6 +4,7 @@ import type { Sql } from '../db.js';
 import type { Broker } from '../services/broker.js';
 import type { Chat, Message } from '../types/api.js';
 import { getModelContext } from '../services/model-context.js';
+import { notifyCoderClose } from '../services/coder-notify.js';
 
 const CreateBody = z.object({
   name: z.string().min(1).max(200).optional(),
@@ -167,6 +168,9 @@ export function registerChatRoutes(
           chat_id: id,
           session_id: req.params.id,
         });
+        // Fire-and-forget per archived chat: tear down its warm agent backends
+        // on the coder. Best-effort — never blocks/fails the bulk archive.
+        void notifyCoderClose('chat', id, req.log);
       }
       return { archived: ids.length, ids };
     }
@@ -208,6 +212,9 @@ export function registerChatRoutes(
         chat_id: row.id,
         session_id: row.session_id,
       });
+      // Fire-and-forget: tear down this chat's warm agent backends + (last-chat)
+      // worktree on the coder. Best-effort — never blocks/fails the archive.
+      void notifyCoderClose('chat', row.id, req.log);
       reply.code(204);
       return null;
     }
@@ -248,6 +255,9 @@ export function registerChatRoutes(
         chat_id: row.id,
         session_id: row.session_id,
       });
+      // Fire-and-forget: tear down this chat's warm agent backends + (last-chat)
+      // worktree on the coder. Best-effort — never blocks/fails the delete.
+      void notifyCoderClose('chat', row.id, req.log);
       reply.code(204);
       return null;
     }

apps/server/src/routes/sessions.ts

@@ -3,8 +3,9 @@ import { z } from 'zod';
 import type { Sql } from '../db.js';
 import type { Config } from '../config.js';
 import type { Broker } from '../services/broker.js';
-import type { Session } from '../types/api.js';
+import type { Session, WorktreeRiskReport } from '../types/api.js';
 import { getSetting } from './settings.js';
+import { notifyCoderClose } from '../services/coder-notify.js';
 
 const CreateBody = z.object({
   name: z.string().min(1).max(200).optional(),
@@ -28,9 +29,7 @@ const HtmlArtifactStateZ = z.object({
   title: z.string().max(500),
 });
 
-const WorkspacePaneZ = z.object({
-  id: z.string().min(1).max(200),
-  kind: z.enum([
+const PaneKindZ = z.enum([
   'chat',
   'terminal',
   'coder',
@@ -39,7 +38,11 @@ const WorkspacePaneZ = z.object({
   'settings',
   'markdown_artifact',
   'html_artifact',
-  ]),
+]);
+
+const WorkspacePaneZ = z.object({
+  id: z.string().min(1).max(200),
+  kind: PaneKindZ,
   chatId: z.string().min(1).max(200).optional(),
   chatIds: z.array(z.string().min(1).max(200)).max(50),
   activeChatIdx: z.number().int(),
@@ -47,8 +50,27 @@ const WorkspacePaneZ = z.object({
   html_artifact_state: HtmlArtifactStateZ.optional(),
 });
 
+// v2.6.x: workspace_panes column widened from a bare WorkspacePane[] to a
+// WorkspaceState envelope (panes + stable session-scoped tab numbering +
+// reopen stack). closedPaneStack entries are lighter than full panes — just
+// the kind + chat ids needed to recreate a closed pane on reopen.
+const ClosedPaneEntryZ = z.object({
+  kind: PaneKindZ,
+  chatIds: z.array(z.string().min(1).max(200)).max(50),
+  activeChatIdx: z.number().int(),
+});
+
+const WorkspaceStateZ = z.object({
+  panes: z.array(WorkspacePaneZ).max(10),
+  tabNumbers: z.record(z.string(), z.number().int()).default({}),
+  nextTabNumber: z.number().int().default(1),
+  closedPaneStack: z.array(ClosedPaneEntryZ).max(10).default([]),
+});
+
+// Accept either the legacy bare array OR the envelope. The handler normalizes
+// to a full envelope before storing (see MIGRATION rule in the PATCH handler).
 const WorkspacePanesBody = z.object({
-  workspace_panes: z.array(WorkspacePaneZ).max(10),
+  workspace_panes: z.union([z.array(WorkspacePaneZ).max(10), WorkspaceStateZ]),
 });
 
 const PatchBody = z.object({
@@ -308,12 +330,20 @@ export function registerSessionRoutes(
         reply.code(400);
         return { error: 'invalid body', details: parsed.error.flatten() };
       }
-      const workspacePanes = parsed.data.workspace_panes.map((pane) =>
+      // v2.6.x MIGRATION: the body is either a legacy bare WorkspacePane[] or
+      // the WorkspaceState envelope. Normalize to a full envelope so the column
+      // always stores the envelope shape going forward.
+      const body = parsed.data.workspace_panes;
+      const envelope = Array.isArray(body)
+        ? { panes: body, tabNumbers: {}, nextTabNumber: 1, closedPaneStack: [] }
+        : body;
+      // agent → coder normalization on the panes array (unchanged write rule).
+      envelope.panes = envelope.panes.map((pane) =>
         pane.kind === 'agent' ? { ...pane, kind: 'coder' as const } : pane,
       );
       const rows = await sql<Session[]>`
         UPDATE sessions
-        SET workspace_panes = ${sql.json(workspacePanes as never)},
+        SET workspace_panes = ${sql.json(envelope as never)},
             updated_at = clock_timestamp()
         WHERE id = ${req.params.id}
         RETURNING id, project_id, name, model, system_prompt, status, created_at, updated_at,
@@ -426,10 +456,55 @@ export function registerSessionRoutes(
     }
   );
 
-  app.delete<{ Params: { id: string } }>(
+  app.delete<{ Params: { id: string }; Querystring: { force?: string } }>(
     '/api/sessions/:id',
     async (req, reply) => {
       const id = req.params.id;
+      const force = req.query.force === 'true' || req.query.force === '1';
+
+      // Session-delete work-loss guard. The check MUST run BEFORE the DELETE:
+      // worktrees.session_id is ON DELETE SET NULL (P1.5-b), so once the session
+      // is gone the worktree rows no longer point back to it — read them while
+      // the link still exists.
+      //
+      // Optimization: read worktrees (P1.5-b — was session_worktrees) from our
+      // own (shared) DB first. No row => chat-only session => nothing on disk =>
+      // delete immediately, zero round-trip. Only worktree-backed sessions pay
+      // the host git check.
+      if (!force) {
+        const worktrees = await sql<{ path: string }[]>`
+          SELECT path FROM worktrees WHERE session_id = ${id}
+        `;
+        if (worktrees.length > 0) {
+          // Worktree dirs live on the host; only BooCoder can run git on them.
+          const origin = process.env.BOOCODER_URL ?? 'http://boocoder:3000';
+          let reports: WorktreeRiskReport[];
+          try {
+            const res = await fetch(`${origin}/api/sessions/${id}/worktree-risk`);
+            if (!res.ok) {
+              // Fail-closed: can't verify => don't risk silent loss. Force escapes.
+              reply.code(409);
+              return {
+                error: 'could not verify worktree safety (BooCoder check failed). Use force to delete anyway.',
+                reports: [] as WorktreeRiskReport[],
+              };
+            }
+            reports = ((await res.json()) as { reports?: WorktreeRiskReport[] }).reports ?? [];
+          } catch {
+            // Fail-closed: BooCoder unreachable. Force bypasses this path entirely.
+            reply.code(409);
+            return {
+              error: 'BooCoder unreachable; cannot verify worktree safety. Use force to delete anyway.',
+              reports: [] as WorktreeRiskReport[],
+            };
+          }
+          if (reports.some((r) => r.atRisk)) {
+            reply.code(409);
+            return { error: 'This session has work at risk in its worktree.', reports };
+          }
+        }
+      }
+
       const deleted = await sql<{ project_id: string }[]>`
         DELETE FROM sessions WHERE id = ${id} RETURNING project_id
       `;
@@ -439,6 +514,10 @@ export function registerSessionRoutes(
       }
       const project_id = deleted[0]!.project_id;
       broker.publishUserFrame('default', { type: 'session_deleted', session_id: id, project_id });
+      // Fire-and-forget: ask BooCoder to tear down this session's warm agent
+      // backends + worktree immediately. Best-effort — never blocks/fails the
+      // delete; the coder's idle-evict + orphan reaper backstop a missed call.
+      void notifyCoderClose('session', id, req.log);
       reply.code(204);
       return null;
     }

apps/server/src/services/__tests__/coder-notify.test.ts

@@ -0,0 +1,67 @@
+// v2.6.10 Phase 3 (server wiring) — notifyCoderClose fire-and-forget helper.
+//
+// The guarantee under test: the helper NEVER throws (so it can't break the
+// user's delete/archive path), targets the correct coder URL shape, and folds
+// every failure mode (non-2xx, network error) into a `false` result.
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { notifyCoderClose } from '../coder-notify.js';
+
+const ORIGINAL_BOOCODER_URL = process.env.BOOCODER_URL;
+
+describe('notifyCoderClose', () => {
+  beforeEach(() => {
+    delete process.env.BOOCODER_URL;
+  });
+  afterEach(() => {
+    if (ORIGINAL_BOOCODER_URL === undefined) delete process.env.BOOCODER_URL;
+    else process.env.BOOCODER_URL = ORIGINAL_BOOCODER_URL;
+  });
+
+  it('POSTs the chat close hook at the default coder origin and resolves true on 2xx', async () => {
+    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
+    const ok = await notifyCoderClose('chat', 'chat-123', undefined, fetcher as unknown as typeof fetch);
+    expect(ok).toBe(true);
+    expect(fetcher).toHaveBeenCalledTimes(1);
+    const [url, init] = fetcher.mock.calls[0]!;
+    expect(url).toBe('http://boocoder:3000/api/chats/chat-123/close');
+    expect(init).toEqual({ method: 'POST' });
+  });
+
+  it('POSTs the session close hook with the sessions segment', async () => {
+    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
+    const ok = await notifyCoderClose('session', 'sess-abc', undefined, fetcher as unknown as typeof fetch);
+    expect(ok).toBe(true);
+    expect(fetcher.mock.calls[0]![0]).toBe('http://boocoder:3000/api/sessions/sess-abc/close');
+  });
+
+  it('honors BOOCODER_URL for the origin', async () => {
+    process.env.BOOCODER_URL = 'http://100.114.205.53:9502';
+    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
+    await notifyCoderClose('chat', 'c1', undefined, fetcher as unknown as typeof fetch);
+    expect(fetcher.mock.calls[0]![0]).toBe('http://100.114.205.53:9502/api/chats/c1/close');
+  });
+
+  it('resolves false on a non-2xx response (does not throw)', async () => {
+    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 500 }));
+    const log = { debug: vi.fn() };
+    const ok = await notifyCoderClose('chat', 'c1', log, fetcher as unknown as typeof fetch);
+    expect(ok).toBe(false);
+    expect(log.debug).toHaveBeenCalledTimes(1);
+  });
+
+  it('resolves false on a network error (coder unreachable) — never rejects', async () => {
+    const fetcher = vi.fn().mockRejectedValue(new Error('ECONNREFUSED'));
+    const log = { debug: vi.fn() };
+    const ok = await notifyCoderClose('session', 's1', log, fetcher as unknown as typeof fetch);
+    expect(ok).toBe(false);
+    expect(log.debug).toHaveBeenCalledTimes(1);
+  });
+
+  it('does not require a logger', async () => {
+    const fetcher = vi.fn().mockRejectedValue(new Error('boom'));
+    await expect(
+      notifyCoderClose('chat', 'c1', undefined, fetcher as unknown as typeof fetch),
+    ).resolves.toBe(false);
+  });
+});

apps/server/src/services/__tests__/html-to-md.test.ts

@@ -70,10 +70,16 @@ describe('htmlToMarkdown', () => {
         </tbody>
       </table>`;
     const md = htmlToMarkdown(html);
-    expect(md).toContain('| Name | Age | City |');
-    expect(md).toContain('| --- | --- | --- |');
-    expect(md).toContain('| Alice | 30 | NYC |');
-    expect(md).toContain('| Bob | 25 | LA |');
+    // node-html-markdown pads columns to align them; assert structure rather
+    // than exact spacing. Each cell value and a GFM separator row are present.
+    expect(md).toContain('| Name ');
+    expect(md).toContain('| Age ');
+    expect(md).toContain('| City |');
+    expect(md).toMatch(/\| -+ \| -+ \| -+ \|/); // separator row
+    expect(md).toContain('| Alice ');
+    expect(md).toContain('| NYC  |');
+    expect(md).toContain('| Bob   ');
+    expect(md).toContain('| LA   |');
   });
 
   it('escapes pipe characters in table cells', () => {
@@ -162,14 +168,17 @@ describe('htmlToMarkdown', () => {
 
   it('converts br to newline', () => {
     const md = htmlToMarkdown('line one<br>line two');
+    // node-html-markdown emits a GFM hard line break (trailing two spaces).
     expect(md).toContain('line one  \nline two');
   });
 
   it('handles ol with start attribute', () => {
     const html = '<ol start="5"><li>five</li><li>six</li></ol>';
     const md = htmlToMarkdown(html);
-    expect(md).toContain('5. five');
-    expect(md).toContain('6. six');
+    // node-html-markdown does not honor the `start` attribute; it always
+    // renumbers ordered lists from 1. (Old parse5 renderer honored start=.)
+    expect(md).toContain('1. five');
+    expect(md).toContain('2. six');
   });
 
   it('collapses excessive blank lines', () => {
@@ -212,9 +221,12 @@ describe('htmlToMarkdown', () => {
     expect(md).toContain('[a link](https://example.com)');
     expect(md).toContain('## Features');
     expect(md).toContain('* Fast');
-    expect(md).toContain('| Metric | Value |');
-    expect(md).toContain('| --- | --- |');
-    expect(md).toContain('| Uptime | 99.9% |');
+    // Table columns are padded to align (node-html-markdown behavior).
+    expect(md).toContain('| Metric ');
+    expect(md).toContain('| Value |');
+    expect(md).toMatch(/\| -+ \| -+ \|/); // separator row
+    expect(md).toContain('| Uptime ');
+    expect(md).toContain('| 99.9% |');
     expect(md).toContain('> This tool is amazing.');
     expect(md).toContain('```js\nconsole.log("hello");\n```');
     expect(md).not.toContain('evil');

apps/server/src/services/__tests__/license-mit.test.ts

@@ -0,0 +1,46 @@
+import { describe, expect, it } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, resolve } from 'node:path';
+
+// Guards the AGPL-3.0 -> MIT relicense (openspec license-debt-mit). If any of
+// these fail, AGPL-derived provenance has crept back in.
+const ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '../../../../..');
+
+describe('license: MIT relicense guard', () => {
+  it('LICENSE is MIT (no Affero/AGPL text)', () => {
+    const license = readFileSync(resolve(ROOT, 'LICENSE'), 'utf8');
+    expect(license).toMatch(/^MIT License/);
+    expect(license).not.toMatch(/AFFERO|AGPL/i);
+  });
+
+  const PACKAGE_JSONS = [
+    'package.json',
+    'apps/server/package.json',
+    'apps/web/package.json',
+    'apps/coder/package.json',
+    'apps/booterm/package.json',
+  ];
+  for (const rel of PACKAGE_JSONS) {
+    it(`${rel} declares "license": "MIT"`, () => {
+      const pkg = JSON.parse(readFileSync(resolve(ROOT, rel), 'utf8')) as { license?: string };
+      expect(pkg.license).toBe('MIT');
+    });
+  }
+
+  // The three files that were ported from Unsloth Studio (AGPL-3.0-only) and
+  // cleared in this batch — they must carry no AGPL/Unsloth provenance.
+  const FORMERLY_AGPL = [
+    'apps/server/src/services/inference/tool-call-parser.ts',
+    'apps/server/src/services/web/html-to-md.ts',
+    'apps/server/src/services/inference/llama-args-validator.ts',
+  ];
+  for (const rel of FORMERLY_AGPL) {
+    it(`${rel} carries no AGPL / Unsloth provenance`, () => {
+      const src = readFileSync(resolve(ROOT, rel), 'utf8');
+      expect(src).not.toMatch(/AGPL/);
+      expect(src).not.toMatch(/SPDX-License-Identifier:\s*AGPL/);
+      expect(src).not.toMatch(/Unsloth/i);
+    });
+  }
+});

apps/server/src/services/__tests__/tool-call-parser.test.ts

@@ -4,18 +4,11 @@ import {
   parseInvokeToolCall,
   partialXmlOpenerStart,
   extractToolCallBlocks,
-  parseToolCallsFromText,
   stripToolMarkup,
-  hasToolSignal,
   XML_TOOL_OPEN,
   XML_TOOL_CLOSE,
   INVOKE_TOOL_OPEN,
   INVOKE_TOOL_CLOSE,
-  TOOL_XML_SIGNALS,
-  BUDGET_EXHAUSTED_NUDGE,
-  DUPLICATE_CALL_NUDGE,
-  TOOL_ERROR_NUDGE,
-  TOOL_ERROR_PREFIXES,
 } from '../inference/tool-call-parser.js';
 
 // ── Ported from xml-parser.test.ts ───────────────────────────────────────
@@ -301,38 +294,6 @@ describe('extractToolCallBlocks (v1.13.16 — unified extraction)', () => {
   });
 });
 
-// ── New tests: Unsloth-ported functions ──────────────────────────────────
-
-describe('hasToolSignal', () => {
-  it('returns true for <tool_call>', () => {
-    expect(hasToolSignal('prefix <tool_call> suffix')).toBe(true);
-  });
-
-  it('returns true for <function=', () => {
-    expect(hasToolSignal('prefix <function=view_file> suffix')).toBe(true);
-  });
-
-  it('returns true for <invoke', () => {
-    expect(hasToolSignal('prefix <invoke name="x"> suffix')).toBe(true);
-  });
-
-  it('returns false for near-miss <tool>', () => {
-    expect(hasToolSignal('prefix <tool> suffix')).toBe(false);
-  });
-
-  it('returns false for near-miss <function>', () => {
-    expect(hasToolSignal('prefix <function> suffix')).toBe(false);
-  });
-
-  it('returns false for near-miss <tool_call_thing>', () => {
-    expect(hasToolSignal('<tool_call_thing>')).toBe(false);
-  });
-
-  it('returns false for plain text', () => {
-    expect(hasToolSignal('just some text')).toBe(false);
-  });
-});
-
 describe('stripToolMarkup', () => {
   it('strips closed <tool_call> blocks', () => {
     const input = 'before <tool_call>{"name":"x"}</tool_call> after';
@@ -380,166 +341,11 @@ describe('stripToolMarkup', () => {
   });
 });
 
-describe('parseToolCallsFromText', () => {
-  describe('pattern 1: <tool_call>{json}</tool_call>', () => {
-    it('parses a well-formed JSON tool call', () => {
-      const input = '<tool_call>{"name":"web_search","arguments":{"query":"hello"}}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.id).toBe('call_0');
-      expect(calls[0]!.type).toBe('function');
-      expect(calls[0]!.function.name).toBe('web_search');
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ query: 'hello' });
-    });
-
-    it('handles string arguments field', () => {
-      const input = '<tool_call>{"name":"x","arguments":"already a string"}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls[0]!.function.arguments).toBe('already a string');
-    });
-
-    it('handles balanced braces inside JSON strings', () => {
-      const input = '<tool_call>{"name":"x","arguments":{"q":"} { extra "}}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      const parsed = JSON.parse(calls[0]!.function.arguments);
-      expect(parsed.q).toBe('} { extra ');
-    });
-
-    it('respects idOffset', () => {
-      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call>';
-      const calls = parseToolCallsFromText(input, { idOffset: 5 });
-      expect(calls[0]!.id).toBe('call_5');
-    });
-
-    it('parses multiple JSON tool calls', () => {
-      const input =
-        '<tool_call>{"name":"a","arguments":{}}</tool_call>' +
-        '<tool_call>{"name":"b","arguments":{}}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(2);
-      expect(calls[0]!.id).toBe('call_0');
-      expect(calls[1]!.id).toBe('call_1');
-    });
-
-    it('skips malformed JSON', () => {
-      const input = '<tool_call>{not json}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(0);
-    });
-
-    it('handles missing closing tag', () => {
-      const input = '<tool_call>{"name":"x","arguments":{"q":"hello"}}';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('x');
-    });
-  });
-
-  describe('pattern 2: <function=name><parameter=key>value', () => {
-    it('parses a single-parameter function call', () => {
-      const input = '<function=view_file><parameter=path>/tmp/foo</parameter></function>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('view_file');
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
-    });
-
-    it('single-param fast path preserves embedded </parameter>', () => {
-      const input = '<function=run_bash><parameter=command>echo "</parameter>"</parameter></function>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(JSON.parse(calls[0]!.function.arguments).command).toBe('echo "</parameter>"');
-    });
-
-    it('multi-param: value of first stops at start of second', () => {
-      const input = '<function=grep><parameter=pattern>foo</parameter><parameter=path>src/</parameter></function>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      const args = JSON.parse(calls[0]!.function.arguments);
-      expect(args.pattern).toBe('foo');
-      expect(args.path).toBe('src/');
-    });
-
-    it('tolerates missing closing tags', () => {
-      const input = '<function=view_file><parameter=path>/tmp/foo';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('view_file');
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
-    });
-
-    it('does not fire when pattern 1 found results', () => {
-      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call><function=b><parameter=x>y</parameter></function>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('a');
-    });
-  });
-
-  describe('pattern 3: <invoke name="..."><parameter name="...">value (Anthropic)', () => {
-    it('parses a single-parameter invoke call', () => {
-      const input = '<invoke name="view_file"><parameter name="path">/tmp/foo</parameter></invoke>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('view_file');
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
-    });
-
-    it('parses multi-parameter invoke call', () => {
-      const input = '<invoke name="grep"><parameter name="pattern">foo</parameter><parameter name="path">src/</parameter></invoke>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      const args = JSON.parse(calls[0]!.function.arguments);
-      expect(args.pattern).toBe('foo');
-      expect(args.path).toBe('src/');
-    });
-
-    it('does not fire when pattern 1 found results', () => {
-      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call><invoke name="b"><parameter name="x">y</parameter></invoke>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('a');
-    });
-
-    it('does not fire when pattern 2 found results', () => {
-      const input = '<function=a><parameter=x>y</parameter></function><invoke name="b"><parameter name="x">y</parameter></invoke>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('a');
-    });
-
-    it('tolerates missing closing tags', () => {
-      const input = '<invoke name="view_file"><parameter name="path">/tmp/foo';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
-    });
-
-    it('supports single-quoted attributes', () => {
-      const input = "<invoke name='view_file'><parameter name='path'>/tmp/foo</parameter></invoke>";
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('view_file');
-    });
-  });
-});
-
-describe('constants', () => {
-  it('TOOL_XML_SIGNALS includes all three signal prefixes', () => {
-    expect(TOOL_XML_SIGNALS).toContain('<tool_call>');
-    expect(TOOL_XML_SIGNALS).toContain('<function=');
-    expect(TOOL_XML_SIGNALS).toContain('<invoke');
-  });
-
-  it('nudge constants are non-empty strings', () => {
-    expect(BUDGET_EXHAUSTED_NUDGE.length).toBeGreaterThan(0);
-    expect(DUPLICATE_CALL_NUDGE.length).toBeGreaterThan(0);
-    expect(TOOL_ERROR_NUDGE.length).toBeGreaterThan(0);
-  });
-
-  it('TOOL_ERROR_PREFIXES is a non-empty tuple', () => {
-    expect(TOOL_ERROR_PREFIXES.length).toBeGreaterThan(0);
-    expect(TOOL_ERROR_PREFIXES).toContain('Error');
+describe('delimiter constants', () => {
+  it('exports the expected delimiters', () => {
+    expect(INVOKE_TOOL_OPEN).toBe('<invoke');
+    expect(INVOKE_TOOL_CLOSE).toBe('</invoke>');
+    expect(XML_TOOL_OPEN).toBe('<tool_call>');
+    expect(XML_TOOL_CLOSE).toBe('</tool_call>');
   });
 });

apps/server/src/services/auto_name.ts

@@ -37,9 +37,11 @@ export async function maybeAutoNameChat(
   if ((counts[0]?.n ?? 0) < 1) return;
 
   const chatRows = await ctx.sql<
-    { id: string; name: string | null; session_id: string }[]
+    { id: string; name: string | null; session_id: string; model: string | null }[]
   >`
-    SELECT id, name, session_id FROM chats WHERE id = ${chatId}
+    SELECT c.id, c.name, c.session_id, s.model
+    FROM chats c JOIN sessions s ON s.id = c.session_id
+    WHERE c.id = ${chatId}
   `;
   const chat = chatRows[0];
   if (!chat) return;
@@ -67,6 +69,7 @@ export async function maybeAutoNameChat(
     user: namingInput,
     maxTokens: 30,
     temperature: 0.3,
+    fallbackModel: chat.model ?? undefined,
   });
   const name = cleanTitle(raw);
   if (!name) {

apps/server/src/services/coder-notify.ts

@@ -0,0 +1,64 @@
+// v2.6.10 Phase 3 (server wiring) — fire-and-forget BooCoder close hooks.
+//
+// BooCoder (apps/coder, host systemd) added close hooks in
+// apps/coder/src/routes/lifecycle.ts:
+//   POST /api/chats/:chatId/close      — evict the chat's warm (chat,agent)
+//                                        backends, close its opencode session,
+//                                        mark agent_sessions closed, and remove
+//                                        the shared worktree on the last chat.
+//   POST /api/sessions/:sessionId/close — loop the chat-close path for every
+//                                        chat in the session.
+//
+// apps/server (Docker) can't see the host worktree dirs or reach the warm agent
+// processes, so — exactly like the existing `worktree-risk` guard in
+// routes/sessions.ts — it signals the coder over HTTP and the coder does the
+// real teardown. This call is BEST-EFFORT: the coder's idle-pool eviction and
+// the orphan-worktree reaper backstop a missed/failed call. It MUST NEVER block
+// or fail the user's delete/archive — hence fire-and-forget with a swallowed
+// catch. We do not await the returned promise at the call sites.
+
+import type { FastifyBaseLogger } from 'fastify';
+
+export type CoderCloseKind = 'chat' | 'session';
+
+function coderOrigin(): string {
+  // Same env + default as routes/sessions.ts' worktree-risk fetch.
+  return process.env.BOOCODER_URL ?? 'http://boocoder:3000';
+}
+
+/**
+ * Fire-and-forget POST to the BooCoder close hook for a chat or session.
+ *
+ * Resolves to `true` if the coder acknowledged (HTTP 2xx), `false` otherwise
+ * (non-2xx or network error). Callers SHOULD NOT await this — invoke it and
+ * move on. The returned promise never rejects: every failure path is caught,
+ * logged at debug, and folded into a `false` result so an unreachable or
+ * erroring coder can't surface to the user's delete/archive request.
+ */
+export async function notifyCoderClose(
+  kind: CoderCloseKind,
+  id: string,
+  log?: Pick<FastifyBaseLogger, 'debug'>,
+  fetcher: typeof fetch = fetch,
+): Promise<boolean> {
+  const segment = kind === 'chat' ? 'chats' : 'sessions';
+  const url = `${coderOrigin()}/api/${segment}/${id}/close`;
+  try {
+    const res = await fetcher(url, { method: 'POST' });
+    if (!res.ok) {
+      log?.debug(
+        { kind, id, status: res.status },
+        'coder close hook returned non-2xx (best-effort; reaper backstops)',
+      );
+      return false;
+    }
+    log?.debug({ kind, id }, 'coder close hook acknowledged');
+    return true;
+  } catch (err) {
+    log?.debug(
+      { kind, id, err: err instanceof Error ? err.message : String(err) },
+      'coder close hook unreachable (best-effort; reaper backstops)',
+    );
+    return false;
+  }
+}

apps/server/src/services/inference/llama-args-validator.ts

@@ -1,80 +1,139 @@
-// SPDX-License-Identifier: AGPL-3.0-only
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
-// Ported from studio/backend/core/inference/llama_server_args.py.
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/llama_server_args.py
+// Guards against agent-supplied llama-server CLI flags that would clash with
+// values BooCode sets itself. Two concerns live here:
+//
+//   1. A hard denylist of flags that BooCode owns outright (model selection,
+//      the listening socket, credentials, the bundled web UI). Passing any of
+//      these is a configuration error and is rejected loudly.
+//
+//   2. A "shadowing" set of flags that are legal to pass but, because of
+//      llama.cpp's last-wins argument parsing, would override a first-class
+//      BooCode setting. These are silently removed from the auto-generated
+//      argv so the agent's explicit choice takes precedence without leaving a
+//      duplicate flag behind.
+//
+// All flag spellings below are the public llama-server option names (short and
+// long aliases) documented in its --help output.
 
-// Each group is the full set of aliases (short + long) for one hard-denied
-// flag, taken from the llama-server README. Flags NOT in this list pass
-// through and override auto-set values via llama.cpp's last-wins CLI parsing.
-const DENYLIST_GROUPS: ReadonlyArray<ReadonlySet<string>> = [
-  // Model identity
-  new Set(['-m', '--model']),
-  new Set(['-mu', '--model-url']),
-  new Set(['-dr', '--docker-repo']),
-  new Set(['-hf', '-hfr', '--hf-repo']),
-  new Set(['-hff', '--hf-file']),
-  new Set(['-hfv', '-hfrv', '--hf-repo-v']),
-  new Set(['-hffv', '--hf-file-v']),
-  new Set(['-hft', '--hf-token']),
-  new Set(['-mm', '--mmproj']),
-  new Set(['-mmu', '--mmproj-url']),
-  // Networking
-  new Set(['--host']),
-  new Set(['--port']),
-  new Set(['--path']),
-  new Set(['--api-prefix']),
-  new Set(['--reuse-port']),
-  // Auth / TLS
-  new Set(['--api-key']),
-  new Set(['--api-key-file']),
-  new Set(['--ssl-key-file']),
-  new Set(['--ssl-cert-file']),
-  // Single-model server / UI
-  new Set(['--webui', '--no-webui']),
-  new Set(['--ui', '--no-ui']),
-  new Set(['--ui-config']),
-  new Set(['--ui-config-file']),
-  new Set(['--ui-mcp-proxy', '--no-ui-mcp-proxy']),
-  new Set(['--models-dir']),
-  new Set(['--models-preset']),
-  new Set(['--models-max']),
-  new Set(['--models-autoload', '--no-models-autoload']),
+// --- Hard denylist -------------------------------------------------------
+
+// Authored as named buckets purely for readability; every alias is folded
+// into one flat lookup set at module load. Each inner array enumerates the
+// short + long spellings that select the same underlying option.
+const MODEL_SOURCE_FLAGS = [
+  ['-m', '--model'],
+  ['-mu', '--model-url'],
+  ['-dr', '--docker-repo'],
+  ['-hf', '-hfr', '--hf-repo'],
+  ['-hff', '--hf-file'],
+  ['-hfv', '-hfrv', '--hf-repo-v'],
+  ['-hffv', '--hf-file-v'],
+  ['-hft', '--hf-token'],
+  ['-mm', '--mmproj'],
+  ['-mmu', '--mmproj-url'],
 ];
 
-const DENYLIST: ReadonlySet<string> = new Set(
-  DENYLIST_GROUPS.flatMap((g) => [...g]),
+const LISTEN_FLAGS = [
+  ['--host'],
+  ['--port'],
+  ['--path'],
+  ['--api-prefix'],
+  ['--reuse-port'],
+];
+
+const CREDENTIAL_FLAGS = [
+  ['--api-key'],
+  ['--api-key-file'],
+  ['--ssl-key-file'],
+  ['--ssl-cert-file'],
+];
+
+const WEBUI_FLAGS = [
+  ['--webui', '--no-webui'],
+  ['--ui', '--no-ui'],
+  ['--ui-config'],
+  ['--ui-config-file'],
+  ['--ui-mcp-proxy', '--no-ui-mcp-proxy'],
+  ['--models-dir'],
+  ['--models-preset'],
+  ['--models-max'],
+  ['--models-autoload', '--no-models-autoload'],
+];
+
+const MANAGED_FLAGS: ReadonlySet<string> = new Set(
+  [
+    ...MODEL_SOURCE_FLAGS,
+    ...LISTEN_FLAGS,
+    ...CREDENTIAL_FLAGS,
+    ...WEBUI_FLAGS,
+  ].flat(),
 );
 
-function flagName(token: string): string | null {
-  if (!token.startsWith('-') || token === '-' || token === '--') return null;
-  if (token.length >= 2 && (token[1]!.match(/\d/) || token[1] === '.')) return null;
-  return token.split('=', 1)[0]!;
+// --- Token parsing -------------------------------------------------------
+
+const DIGIT = /^[0-9]$/;
+
+/**
+ * Extract the flag name from a single argv token, or `null` when the token is
+ * not a flag.
+ *
+ * A token is treated as a flag only when it begins with `-` and the character
+ * after the leading dash is neither a digit nor a decimal point — that rule
+ * keeps negative numeric values such as `-1` or `-0.5` from being mistaken for
+ * options. A bare `-` or `--` is not a flag either. The returned name is the
+ * portion before any `=`, so `--ctx-size=4096` yields `--ctx-size`.
+ */
+function parseFlag(token: string): string | null {
+  if (!token.startsWith('-')) return null;
+  if (token === '-' || token === '--') return null;
+
+  const second = token[1]!;
+  if (DIGIT.test(second) || second === '.') return null;
+
+  const eq = token.indexOf('=');
+  return eq === -1 ? token : token.slice(0, eq);
 }
 
+// --- Public API ----------------------------------------------------------
+
+/**
+ * Validate a sequence of extra llama-server args, rejecting any that name a
+ * BooCode-managed flag. Returns the args materialised as a string[] when they
+ * all pass.
+ */
 export function validateExtraArgs(args?: Iterable<string>): string[] {
-  if (!args) return [];
-  const out: string[] = [];
-  for (const raw of args) {
-    const token = String(raw);
-    const flag = flagName(token);
-    if (flag !== null && DENYLIST.has(flag)) {
+  const result: string[] = [];
+  if (!args) return result;
+
+  for (const entry of args) {
+    const token = String(entry);
+    const flag = parseFlag(token);
+    if (flag !== null && MANAGED_FLAGS.has(flag)) {
       throw new Error(
         `llama-server flag '${flag}' is managed and cannot be passed as an extra arg`,
       );
     }
-    out.push(token);
-  }
-  return out;
+    result.push(token);
   }
 
+  return result;
+}
+
+/** True when `flag` is a BooCode-managed flag that callers may not override. */
 export function isManagedFlag(flag: string): boolean {
-  return DENYLIST.has(flag);
+  return MANAGED_FLAGS.has(flag);
 }
 
-// Shadowing flag groups: pass-through flags that shadow first-class settings.
-const CONTEXT_FLAGS = new Set(['-c', '--ctx-size']);
-const CACHE_FLAGS = new Set(['-ctk', '--cache-type-k', '-ctv', '--cache-type-v']);
-const SPEC_FLAGS = new Set([
+// --- Shadowing flags -----------------------------------------------------
+
+// Flags below are legal for an agent to pass, but each shadows a setting
+// BooCode applies itself. They are categorised so a caller can opt out of
+// stripping any one category.
+
+const SHADOW_CONTEXT = ['-c', '--ctx-size'];
+
+const SHADOW_CACHE = ['-ctk', '--cache-type-k', '-ctv', '--cache-type-v'];
+
+const SHADOW_SPEC = [
   '--spec-default',
   '--spec-type',
   '--spec-ngram-size-n',
@@ -88,17 +147,22 @@ const SPEC_FLAGS = new Set([
   '--spec-ngram-mod-n-match',
   '--spec-ngram-mod-n-min',
   '--spec-ngram-mod-n-max',
-]);
-const TEMPLATE_FLAGS = new Set([
+];
+
+const SHADOW_TEMPLATE = [
   '--chat-template',
   '--chat-template-file',
   '--chat-template-kwargs',
   '--jinja',
   '--no-jinja',
-]);
+];
 
-const BOOLEAN_SHADOWING_FLAGS = new Set([
-  '--spec-default', '--jinja', '--no-jinja',
+// Shadowing flags that take no value — a boolean switch — so the stripper must
+// not also drop the following token.
+const VALUELESS_SHADOW_FLAGS: ReadonlySet<string> = new Set([
+  '--spec-default',
+  '--jinja',
+  '--no-jinja',
 ]);
 
 export interface StripOptions {
@@ -108,35 +172,49 @@ export interface StripOptions {
   stripTemplate?: boolean;
 }
 
+/**
+ * Remove shadowing flags (and their values) from an argv sequence.
+ *
+ * Each category is stripped by default; pass the matching `strip*: false`
+ * option to retain that category. When a stripped flag carries its value as a
+ * separate following token (e.g. `-c 4096`), that token is removed too; the
+ * `--flag=value` and boolean-switch forms consume only the single token.
+ */
 export function stripShadowingFlags(
   args: Iterable<string>,
   opts?: StripOptions,
 ): string[] {
-  const shadowing = new Set<string>();
-  if (opts?.stripContext !== false) for (const f of CONTEXT_FLAGS) shadowing.add(f);
-  if (opts?.stripCache !== false) for (const f of CACHE_FLAGS) shadowing.add(f);
-  if (opts?.stripSpec !== false) for (const f of SPEC_FLAGS) shadowing.add(f);
-  if (opts?.stripTemplate !== false) for (const f of TEMPLATE_FLAGS) shadowing.add(f);
+  const targets = new Set<string>();
+  if (opts?.stripContext !== false) for (const f of SHADOW_CONTEXT) targets.add(f);
+  if (opts?.stripCache !== false) for (const f of SHADOW_CACHE) targets.add(f);
+  if (opts?.stripSpec !== false) for (const f of SHADOW_SPEC) targets.add(f);
+  if (opts?.stripTemplate !== false) for (const f of SHADOW_TEMPLATE) targets.add(f);
 
-  const tokens = [...args].map(String);
-  const out: string[] = [];
-  let i = 0;
-  const n = tokens.length;
-  while (i < n) {
-    const tok = tokens[i]!;
-    const flag = flagName(tok);
-    if (flag === null || !shadowing.has(flag)) {
-      out.push(tok);
-      i++;
+  const tokens = Array.from(args, String);
+  const kept: string[] = [];
+
+  for (let i = 0; i < tokens.length; i++) {
+    const token = tokens[i]!;
+    const flag = parseFlag(token);
+
+    // Not a targeted shadow flag — keep it verbatim.
+    if (flag === null || !targets.has(flag)) {
+      kept.push(token);
       continue;
     }
-    if (BOOLEAN_SHADOWING_FLAGS.has(flag) || tok.includes('=')) {
-      i++;
-    } else if (i + 1 < n && flagName(tokens[i + 1]!) === null) {
-      i += 2;
-    } else {
-      i++;
+
+    // Targeted: drop it. Decide whether the next token is its value and should
+    // be dropped along with it. Boolean switches and the inline `=value` form
+    // carry no separate value token.
+    const carriesInlineValue = token.includes('=');
+    const isBoolean = VALUELESS_SHADOW_FLAGS.has(flag);
+    const next = tokens[i + 1];
+    const nextIsValue = next !== undefined && parseFlag(next) === null;
+
+    if (!isBoolean && !carriesInlineValue && nextIsValue) {
+      i++; // also skip the value token
     }
   }
-  return out;
+
+  return kept;
 }

apps/server/src/services/inference/tool-call-parser.ts

@@ -1,7 +1,7 @@
-// SPDX-License-Identifier: AGPL-3.0-only
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
-// Ported from studio/backend/core/inference/tool_call_parser.py.
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/tool_call_parser.py
+// Streaming tool-call extraction for the qwen3.6 XML fallback path.
+// `extractToolCallBlocks` is the incremental streaming scanner used by
+// stream-phase.ts; `stripToolMarkup` removes tool-call wire markup from
+// assistant prose (used by tool-phase.ts and error-handler.ts).
 
 // ── Constants ────────────────────────────────────────────────────────────
 
@@ -10,34 +10,6 @@ export const XML_TOOL_CLOSE = '</tool_call>';
 export const INVOKE_TOOL_OPEN = '<invoke';
 export const INVOKE_TOOL_CLOSE = '</invoke>';
 
-export const TOOL_XML_SIGNALS = [XML_TOOL_OPEN, '<function=', INVOKE_TOOL_OPEN] as const;
-
-export const TOOL_ERROR_PREFIXES = [
-  'Error',
-  'Search failed',
-  'Execution error',
-  'Blocked:',
-  'Exit code',
-  'Failed to fetch',
-  'Failed to resolve',
-  'No query provided',
-] as const;
-
-export const DUPLICATE_CALL_NUDGE =
-  'You already made this exact call. Do not repeat the same tool ' +
-  'call. Try a different approach: fetch a URL from previous ' +
-  'results, use Python to process data you already have, or ' +
-  'provide your final answer now.';
-
-export const TOOL_ERROR_NUDGE =
-  '\n\nThe tool call encountered an issue. Please try a different ' +
-  'approach or rephrase your request.';
-
-export const BUDGET_EXHAUSTED_NUDGE =
-  'You have used all available tool calls. Based on everything you ' +
-  'have found so far, provide your final answer now. Do not call ' +
-  'any more tools.';
-
 // ── Strip patterns ───────────────────────────────────────────────────────
 
 const TOOL_CLOSED_PATS = [
@@ -53,7 +25,7 @@ const TOOL_ALL_PATS = [
   /<invoke\s[^>]*>.*$/gs,
 ];
 
-// ── Strip / signal ───────────────────────────────────────────────────────
+// ── Strip ────────────────────────────────────────────────────────────────
 
 export function stripToolMarkup(text: string, opts?: { final?: boolean }): string {
   const pats = opts?.final ? TOOL_ALL_PATS : TOOL_CLOSED_PATS;
@@ -63,206 +35,6 @@ export function stripToolMarkup(text: string, opts?: { final?: boolean }): strin
   return opts?.final ? text.trim() : text;
 }
 
-export function hasToolSignal(text: string): boolean {
-  return TOOL_XML_SIGNALS.some((s) => text.includes(s));
-}
-
-// ── parseToolCallsFromText (Unsloth port + Anthropic extension) ──────────
-
-export interface OpenAiToolCall {
-  id: string;
-  type: 'function';
-  function: { name: string; arguments: string };
-}
-
-const TC_JSON_START_RE = /<tool_call>\s*\{/g;
-const TC_FUNC_START_RE = /<function=(\w+)>\s*/g;
-const TC_END_TAG_RE = /<\/tool_call>/;
-const TC_FUNC_CLOSE_RE = /\s*<\/function>\s*$/;
-const TC_PARAM_START_RE = /<parameter=(\w+)>\s*/g;
-const TC_PARAM_CLOSE_RE = /\s*<\/parameter>\s*$/;
-
-const TC_INVOKE_START_RE = /<invoke\s+name\s*=\s*(?:"([^"]*)"|'([^']*)')\s*>/g;
-const TC_INVOKE_CLOSE_RE = /\s*<\/invoke>\s*$/;
-const TC_INVOKE_PARAM_RE = /<parameter\s+name\s*=\s*(?:"([^"]*)"|'([^']*)')\s*>/g;
-const TC_INVOKE_PARAM_CLOSE_RE = /\s*<\/parameter>\s*$/;
-
-function scanBalancedBraces(content: string, start: number): number {
-  let depth = 0;
-  let i = start;
-  let inString = false;
-  while (i < content.length) {
-    const ch = content[i]!;
-    if (inString) {
-      if (ch === '\\' && i + 1 < content.length) {
-        i += 2;
-        continue;
-      }
-      if (ch === '"') inString = false;
-    } else if (ch === '"') {
-      inString = true;
-    } else if (ch === '{') {
-      depth++;
-    } else if (ch === '}') {
-      depth--;
-      if (depth === 0) return i;
-    }
-    i++;
-  }
-  return -1;
-}
-
-export function parseToolCallsFromText(
-  content: string,
-  opts?: { idOffset?: number },
-): OpenAiToolCall[] {
-  const toolCalls: OpenAiToolCall[] = [];
-  const idOffset = opts?.idOffset ?? 0;
-
-  // Pattern 1: <tool_call>{json}</tool_call> -- balanced-brace JSON scanner.
-  // Skips braces inside JSON strings so nested objects parse correctly.
-  TC_JSON_START_RE.lastIndex = 0;
-  let m: RegExpExecArray | null;
-  while ((m = TC_JSON_START_RE.exec(content)) !== null) {
-    const braceStart = m.index + m[0].length - 1;
-    const braceEnd = scanBalancedBraces(content, braceStart);
-    if (braceEnd === -1) continue;
-    const jsonStr = content.slice(braceStart, braceEnd + 1);
-    try {
-      const obj = JSON.parse(jsonStr) as Record<string, unknown>;
-      const name = typeof obj.name === 'string' ? obj.name : '';
-      let args: string;
-      const rawArgs = obj.arguments ?? {};
-      if (typeof rawArgs === 'string') {
-        args = rawArgs;
-      } else {
-        args = JSON.stringify(rawArgs);
-      }
-      toolCalls.push({
-        id: `call_${idOffset + toolCalls.length}`,
-        type: 'function',
-        function: { name, arguments: args },
-      });
-    } catch {
-      // malformed JSON -- skip
-    }
-  }
-
-  // Pattern 2: <function=name><parameter=key>value -- closing tags optional.
-  // Body boundary uses </tool_call> or next <function= (not </function>,
-  // because code parameter values can contain that literal).
-  if (toolCalls.length === 0) {
-    TC_FUNC_START_RE.lastIndex = 0;
-    const funcStarts: Array<{ match: RegExpExecArray; name: string }> = [];
-    while ((m = TC_FUNC_START_RE.exec(content)) !== null) {
-      funcStarts.push({ match: m, name: m[1]! });
-    }
-    for (let idx = 0; idx < funcStarts.length; idx++) {
-      const { match: fm, name: funcName } = funcStarts[idx]!;
-      const bodyStart = fm.index + fm[0].length;
-      const nextFunc = idx + 1 < funcStarts.length
-        ? funcStarts[idx + 1]!.match.index
-        : content.length;
-      const endTag = TC_END_TAG_RE.exec(content.slice(bodyStart));
-      let bodyEnd = endTag ? bodyStart + endTag.index : content.length;
-      bodyEnd = Math.min(bodyEnd, nextFunc);
-      let body = content.slice(bodyStart, bodyEnd);
-      body = body.replace(TC_FUNC_CLOSE_RE, '');
-
-      const args: Record<string, string> = {};
-      TC_PARAM_START_RE.lastIndex = 0;
-      const paramStarts: Array<{ match: RegExpExecArray; name: string }> = [];
-      let pm: RegExpExecArray | null;
-      while ((pm = TC_PARAM_START_RE.exec(body)) !== null) {
-        paramStarts.push({ match: pm, name: pm[1]! });
-      }
-      if (paramStarts.length === 1) {
-        // Single param: take everything to body end so embedded
-        // </parameter> in code strings is preserved.
-        const p = paramStarts[0]!;
-        let val = body.slice(p.match.index + p.match[0].length);
-        val = val.replace(TC_PARAM_CLOSE_RE, '');
-        args[p.name] = val.trim();
-      } else {
-        for (let pidx = 0; pidx < paramStarts.length; pidx++) {
-          const p = paramStarts[pidx]!;
-          const valStart = p.match.index + p.match[0].length;
-          const nextParam = pidx + 1 < paramStarts.length
-            ? paramStarts[pidx + 1]!.match.index
-            : body.length;
-          let val = body.slice(valStart, nextParam);
-          val = val.replace(TC_PARAM_CLOSE_RE, '');
-          args[p.name] = val.trim();
-        }
-      }
-
-      toolCalls.push({
-        id: `call_${idOffset + toolCalls.length}`,
-        type: 'function',
-        function: { name: funcName, arguments: JSON.stringify(args) },
-      });
-    }
-  }
-
-  // Pattern 3: <invoke name="..."><parameter name="...">value -- Anthropic
-  // shape that qwen3.6 drifts to from Claude Code documentation residue.
-  // Closing tags optional; same single-param fast path as pattern 2.
-  if (toolCalls.length === 0) {
-    TC_INVOKE_START_RE.lastIndex = 0;
-    const invokeStarts: Array<{ match: RegExpExecArray; name: string }> = [];
-    while ((m = TC_INVOKE_START_RE.exec(content)) !== null) {
-      const name = (m[1] ?? m[2] ?? '').trim();
-      if (name) invokeStarts.push({ match: m, name });
-    }
-    for (let idx = 0; idx < invokeStarts.length; idx++) {
-      const { match: im, name: invokeName } = invokeStarts[idx]!;
-      const bodyStart = im.index + im[0].length;
-      const nextInvoke = idx + 1 < invokeStarts.length
-        ? invokeStarts[idx + 1]!.match.index
-        : content.length;
-      const closeTag = content.slice(bodyStart).match(/<\/invoke>/);
-      let bodyEnd = closeTag ? bodyStart + (closeTag.index ?? 0) : content.length;
-      bodyEnd = Math.min(bodyEnd, nextInvoke);
-      let body = content.slice(bodyStart, bodyEnd);
-      body = body.replace(TC_INVOKE_CLOSE_RE, '');
-
-      const args: Record<string, string> = {};
-      TC_INVOKE_PARAM_RE.lastIndex = 0;
-      const paramStarts: Array<{ match: RegExpExecArray; name: string }> = [];
-      let pm: RegExpExecArray | null;
-      while ((pm = TC_INVOKE_PARAM_RE.exec(body)) !== null) {
-        const pname = (pm[1] ?? pm[2] ?? '').trim();
-        if (pname) paramStarts.push({ match: pm, name: pname });
-      }
-      if (paramStarts.length === 1) {
-        const p = paramStarts[0]!;
-        let val = body.slice(p.match.index + p.match[0].length);
-        val = val.replace(TC_INVOKE_PARAM_CLOSE_RE, '');
-        args[p.name] = val.trim();
-      } else {
-        for (let pidx = 0; pidx < paramStarts.length; pidx++) {
-          const p = paramStarts[pidx]!;
-          const valStart = p.match.index + p.match[0].length;
-          const nextParam = pidx + 1 < paramStarts.length
-            ? paramStarts[pidx + 1]!.match.index
-            : body.length;
-          let val = body.slice(valStart, nextParam);
-          val = val.replace(TC_INVOKE_PARAM_CLOSE_RE, '');
-          args[p.name] = val.trim();
-        }
-      }
-
-      toolCalls.push({
-        id: `call_${idOffset + toolCalls.length}`,
-        type: 'function',
-        function: { name: invokeName, arguments: JSON.stringify(args) },
-      });
-    }
-  }
-
-  return toolCalls;
-}
-
 // ── BooCode streaming helpers ────────────────────────────────────────────
 
 export interface ParsedCall {

apps/server/src/services/inference/tool-phase.ts

@@ -2,6 +2,7 @@ import type { Agent, Session, ToolCall } from '../../types/api.js';
 import * as modelContext from '../model-context.js';
 import { PathScopeError } from '../path_guard.js';
 import { TOOLS_BY_NAME } from '../tools.js';
+import type { ToolExecCtx } from '../tools.js';
 import { matchToolGlob } from '../agents.js';
 import { maybeFlagForCompaction } from './payload.js';
 import { insertParts, partsFromAssistantMessage, partsFromToolMessage } from './parts.js';
@@ -31,6 +32,7 @@ async function executeToolCall(
   projectRoot: string,
   toolCall: ToolCall,
   extraRoots: readonly string[],
+  toolCtx?: ToolExecCtx,
 ): Promise<{ output: unknown; truncated: boolean; error?: string }> {
   const tool = TOOLS_BY_NAME[toolCall.name];
   if (!tool) {
@@ -65,7 +67,7 @@ async function executeToolCall(
     };
   }
   try {
-    const output = await tool.execute(parsed.data, projectRoot, extraRoots);
+    const output = await tool.execute(parsed.data, projectRoot, extraRoots, toolCtx);
     const truncated =
       typeof output === 'object' && output !== null && 'truncated' in output
         ? Boolean((output as { truncated: unknown }).truncated)
@@ -289,7 +291,10 @@ export async function executeToolPhase(
         });
         return;
       }
-      const tres = await executeToolCall(projectRoot, tc, session.allowed_read_paths);
+      const tres = await executeToolCall(projectRoot, tc, session.allowed_read_paths, {
+        sql: ctx.sql,
+        sessionId,
+      });
       if (SYNTHESIS_TOOLS.has(tc.name)) {
         synthEntries.push({ tc, output: tres.output, ...(tres.error ? { error: tres.error } : {}) });
       }

apps/server/src/services/read_tab_by_number.ts

@@ -0,0 +1,142 @@
+// v2.6.x: read_tab_by_number tool. Reads the conversation transcript of the
+// chat that occupies a given session-scoped tab number. Stable tab numbers are
+// stored in the session's workspace_panes envelope (WorkspaceState.tabNumbers),
+// keyed by chat id. Lives in its own file (not appended to tools.ts) so tests
+// can import the executor directly without dragging in the whole tool registry.
+// Registered in tools.ts ALL_TOOLS + READ_ONLY_TOOL_NAMES.
+
+import { z } from 'zod';
+import type { Sql } from '../db.js';
+// type-only import to dodge the runtime cycle (tools.ts re-exports this tool
+// via ALL_TOOLS; importing ToolDef/ToolExecCtx at type level keeps the dep
+// one-way).
+import type { ToolDef, ToolExecCtx } from './tools.js';
+
+const ReadTabByNumberInput = z.object({
+  number: z.number().int().positive(),
+});
+export type ReadTabByNumberInputT = z.infer<typeof ReadTabByNumberInput>;
+
+// Cap total transcript size so a long conversation can't blow the context
+// window. The model gets a clear truncation marker when the cap is hit.
+const MAX_TRANSCRIPT_CHARS = 20_000;
+
+// WorkspaceState envelope shape (panes omitted — we only need tabNumbers here).
+interface WorkspaceStateLike {
+  panes?: unknown;
+  tabNumbers?: Record<string, number>;
+  nextTabNumber?: number;
+  closedPaneStack?: unknown[];
+}
+
+// MIGRATION: the stored workspace_panes value may be the legacy bare
+// WorkspacePane[] OR the WorkspaceState envelope. Normalize to an envelope so
+// tabNumbers is always available (empty for the legacy shape — no tab numbers
+// were tracked before the envelope landed).
+function normalizeWorkspaceState(v: unknown): {
+  tabNumbers: Record<string, number>;
+} {
+  if (Array.isArray(v)) {
+    return { tabNumbers: {} };
+  }
+  if (v && typeof v === 'object' && Array.isArray((v as WorkspaceStateLike).panes)) {
+    const env = v as WorkspaceStateLike;
+    return { tabNumbers: env.tabNumbers ?? {} };
+  }
+  return { tabNumbers: {} };
+}
+
+// Pure executor split out from the ToolDef wrapper so tests can call it with a
+// mocked Sql. Returns a transcript string (read-only — never writes).
+export async function executeReadTabByNumber(
+  input: ReadTabByNumberInputT,
+  sql: Sql,
+  sessionId: string,
+): Promise<string> {
+  const sessionRows = await sql<{ workspace_panes: unknown }[]>`
+    SELECT workspace_panes FROM sessions WHERE id = ${sessionId}
+  `;
+  if (sessionRows.length === 0) {
+    return `Session not found.`;
+  }
+  const { tabNumbers } = normalizeWorkspaceState(sessionRows[0]!.workspace_panes);
+
+  // Reverse-lookup: find the chat id whose stable tab number equals the input.
+  let chatId: string | null = null;
+  for (const [cid, num] of Object.entries(tabNumbers)) {
+    if (num === input.number) {
+      chatId = cid;
+      break;
+    }
+  }
+  if (chatId === null) {
+    return `No tab is numbered ${input.number} in this session.`;
+  }
+
+  // Read the conversation: skip system sentinels (role='system') and empty
+  // content rows. Oldest first.
+  const messages = await sql<{ role: string; content: string }[]>`
+    SELECT role, content
+      FROM messages
+     WHERE chat_id = ${chatId}
+       AND role <> 'system'
+       AND content <> ''
+     ORDER BY created_at ASC
+  `;
+  if (messages.length === 0) {
+    return `Tab ${input.number} (chat ${chatId}) has no messages yet.`;
+  }
+
+  // Format a compact transcript, capping total output size.
+  const parts: string[] = [];
+  let total = 0;
+  let truncated = false;
+  for (const m of messages) {
+    const block = `### ${m.role}\n${m.content}`;
+    // +2 accounts for the "\n\n" joiner between blocks.
+    if (total + block.length + 2 > MAX_TRANSCRIPT_CHARS) {
+      truncated = true;
+      break;
+    }
+    parts.push(block);
+    total += block.length + 2;
+  }
+
+  let out = parts.join('\n\n');
+  if (truncated) {
+    out += `\n\n[transcript truncated at ${MAX_TRANSCRIPT_CHARS} chars]`;
+  }
+  return out;
+}
+
+export const readTabByNumber: ToolDef<ReadTabByNumberInputT> = {
+  name: 'read_tab_by_number',
+  description:
+    'Read the conversation transcript of the tab with the given session-scoped tab number. Tab numbers are stable per session (shown in the workspace tab strip). Returns the messages of that tab oldest-first as a compact transcript. Read-only.',
+  inputSchema: ReadTabByNumberInput,
+  jsonSchema: {
+    type: 'function',
+    function: {
+      name: 'read_tab_by_number',
+      description:
+        'Read the conversation transcript of the tab with the given session-scoped tab number. Read-only.',
+      parameters: {
+        type: 'object',
+        properties: {
+          number: {
+            type: 'integer',
+            description: 'The session-scoped tab number (positive integer).',
+          },
+        },
+        required: ['number'],
+        additionalProperties: false,
+      },
+    },
+  },
+  async execute(input, _projectRoot, _extraRoots, toolCtx?: ToolExecCtx) {
+    if (!toolCtx) {
+      return 'read_tab_by_number unavailable: no session context';
+    }
+    return await executeReadTabByNumber(input, toolCtx.sql, toolCtx.sessionId);
+  },
+};

apps/server/src/services/tools.ts

@@ -1,6 +1,7 @@
 import { readFile, readdir, stat } from 'node:fs/promises';
 import { resolve, basename, relative } from 'node:path';
 import { z } from 'zod';
+import type { Sql } from '../db.js';
 import { pathGuard, PathScopeError } from './path_guard.js';
 import { isSecretPath, SecretBlockedError, filterSecretEntries } from './secret_guard.js';
 import { grep as fileOpsGrep, findFiles as fileOpsFindFiles } from './file_ops.js';
@@ -30,6 +31,9 @@ import {
 // with the pause-on-pending-grant branch in inference/tool-phase.ts and the
 // POST /api/chats/:id/grant_read_access endpoint in routes/messages.ts.
 import { requestReadAccess } from './request_read_access.js';
+// v2.6.x: read-only tool that reads a tab's transcript by its session-scoped
+// tab number. Needs DB/session context (ToolExecCtx 4th arg).
+import { readTabByNumber } from './read_tab_by_number.js';
 
 const MAX_FILE_BYTES = 5 * 1024 * 1024;
 const DEFAULT_VIEW_LINES = 200;
@@ -48,6 +52,16 @@ export interface ToolJsonSchema {
   };
 }
 
+// v2.6.x: optional DB/session context threaded into a tool's execute(). Only
+// tools that need to read session-scoped DB state (e.g. read_tab_by_number)
+// use it; every other tool ignores the 4th arg. Kept optional so existing
+// 3-arg execute() implementations stay assignable (apps/coder consumes this
+// type from the compiled dist — the optional param keeps it backward-compatible).
+export interface ToolExecCtx {
+  sql: Sql;
+  sessionId: string;
+}
+
 export interface ToolDef<TInput> {
   name: string;
   description: string;
@@ -59,7 +73,15 @@ export interface ToolDef<TInput> {
   // view_truncated_output) forward it to pathGuard; other tools accept the
   // arg and ignore it. The execute signature stays compatible with
   // pre-v1.13.17 callsites because the parameter is optional.
-  execute(input: TInput, projectRoot: string, extraRoots?: readonly string[]): Promise<unknown>;
+  // v2.6.x: optional 4th param toolCtx carries DB/session context for tools
+  // that read session-scoped state (read_tab_by_number). Optional so 3-arg
+  // implementations remain assignable.
+  execute(
+    input: TInput,
+    projectRoot: string,
+    extraRoots?: readonly string[],
+    toolCtx?: ToolExecCtx,
+  ): Promise<unknown>;
 }
 
 const ViewFileInput = z.object({
@@ -694,6 +716,9 @@ export let ALL_TOOLS: ToolDef<unknown>[] = [
   // state change is appending to sessions.allowed_read_paths via the
   // grant endpoint, gated by user consent.
   requestReadAccess as ToolDef<unknown>,
+  // v2.6.x: read a tab's transcript by its session-scoped tab number.
+  // Read-only; uses the ToolExecCtx 4th arg for DB/session access.
+  readTabByNumber as ToolDef<unknown>,
 ].sort((a, b) => a.name.localeCompare(b.name));
 
 // v1.8.2: forward-compatible read-only whitelist. An agent whose `tools` is
@@ -734,6 +759,9 @@ export const READ_ONLY_TOOL_NAMES = [
   // state directly (the grant endpoint appends to sessions.allowed_read_paths
   // only with user consent). Belongs in the read-only budget tier.
   'request_read_access',
+  // v2.6.x: reads a tab's transcript from session-scoped DB state; never
+  // writes. Belongs in the read-only budget tier.
+  'read_tab_by_number',
 ] as const;
 
 export let TOOLS_BY_NAME: Record<string, ToolDef<unknown>> = Object.fromEntries(

apps/server/src/services/web/html-to-md.ts

@@ -1,347 +1,24 @@
-// SPDX-License-Identifier: AGPL-3.0-only
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
-// Ported from studio/backend/core/inference/_html_to_md.py.
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/_html_to_md.py
+import { NodeHtmlMarkdown } from 'node-html-markdown';
 
-import { parse, type DefaultTreeAdapterTypes } from 'parse5';
-
-type Document = DefaultTreeAdapterTypes.Document;
-type ChildNode = DefaultTreeAdapterTypes.ChildNode;
-type Element = DefaultTreeAdapterTypes.Element;
-type TextNode = DefaultTreeAdapterTypes.TextNode;
-
-const SKIP_TAGS = new Set([
-  'script', 'style', 'head', 'noscript', 'svg', 'math', 'nav', 'footer',
-]);
-
-const BLOCK_TAGS = new Set([
-  'p', 'div', 'section', 'article', 'main', 'aside', 'figure',
-  'figcaption', 'details', 'summary', 'dl', 'dt', 'dd',
-]);
-
-const HEADING_TAGS = new Set(['h1', 'h2', 'h3', 'h4', 'h5', 'h6']);
-
-const INLINE_EMPHASIS: Record<string, string> = {
-  strong: '**', b: '**', em: '*', i: '*',
+// MIT-licensed HTML→Markdown rendering for the web_fetch tool. Output feeds an
+// LLM, so structural fidelity matters more than exact whitespace.
+const OPTIONS = {
+  // GFM-style emphasis markers (matches what most models expect).
+  emDelimiter: '*',
+  strongDelimiter: '**',
+  bulletMarker: '*',
+  codeFence: '```',
+  codeBlockStyle: 'fenced' as const,
+  // Always use []() syntax for links rather than <url> autolinks.
+  useInlineLinks: false,
+  // Collapse runs of blank lines to a single separator.
+  maxConsecutiveNewlines: 1,
+  // Strip non-content elements entirely (script/style are skipped by default,
+  // but listing them here is explicit; head/nav/footer/etc. drop their text).
+  ignore: ['script', 'style', 'head', 'noscript', 'svg', 'math', 'nav', 'footer'],
 };
 
-function isElement(node: ChildNode): node is Element {
-  return 'tagName' in node;
-}
-
-function isText(node: ChildNode): node is TextNode {
-  return node.nodeName === '#text';
-}
-
-class MarkdownRenderer {
-  private out: string[] = [];
-
-  private inLink = false;
-  private linkHref: string | null = null;
-  private linkTextParts: string[] = [];
-
-  private listStack: string[] = [];
-  private olCounter: number[] = [];
-
-  private inTable = false;
-  private currentRow: string[] = [];
-  private cellParts: string[] = [];
-  private inCell = false;
-  private headerRowDone = false;
-  private rowHasTh = false;
-  private isFirstRow = false;
-
-  private inPre = false;
-  private preParts: string[] = [];
-  private preLanguage: string | null = null;
-  private inInlineCode = false;
-
-  private bqStack: string[][] = [];
-
-  private emit(text: string): void {
-    if (this.inLink) {
-      this.linkTextParts.push(text);
-    } else if (this.inCell) {
-      this.cellParts.push(text);
-    } else if (this.inPre) {
-      this.preParts.push(text);
-    } else if (this.bqStack.length > 0) {
-      this.bqStack[this.bqStack.length - 1]!.push(text);
-    } else {
-      this.out.push(text);
-    }
-  }
-
-  private prefixBlockquote(content: string): string {
-    content = content.replace(/[ \t]+$/gm, '');
-    content = content.replace(/\n{3,}/g, '\n\n').trim();
-    if (!content) return '';
-    return content.split('\n').map(line =>
-      line.trim() ? '> ' + line : '>'
-    ).join('\n');
-  }
-
-  private finishCell(): void {
-    if (!this.inCell) return;
-    this.inCell = false;
-    let cellText = this.cellParts.join('').trim().replace(/\n/g, ' ');
-    cellText = cellText.replace(/\|/g, '\\|');
-    this.currentRow.push(cellText);
-    this.cellParts = [];
-  }
-
-  private finishRow(): void {
-    if (this.currentRow.length === 0) return;
-    const line = '| ' + this.currentRow.join(' | ') + ' |';
-    this.emit(line + '\n');
-    if (!this.headerRowDone && (this.rowHasTh || this.isFirstRow)) {
-      const sep = '| ' + this.currentRow.map(() => '---').join(' | ') + ' |';
-      this.emit(sep + '\n');
-      this.headerRowDone = true;
-    }
-    this.isFirstRow = false;
-    this.currentRow = [];
-    this.rowHasTh = false;
-  }
-
-  private finishLink(): void {
-    const text = this.linkTextParts.join('').replace(/\s+/g, ' ').trim();
-    const href = this.linkHref ?? '';
-    this.inLink = false;
-    if (href && text) {
-      this.emit(`[${text}](${href})`);
-    } else if (text) {
-      this.emit(text);
-    }
-  }
-
-  private getAttr(el: Element, name: string): string | undefined {
-    return el.attrs.find(a => a.name === name)?.value;
-  }
-
-  private handleOpen(el: Element): void {
-    const tag = el.tagName.toLowerCase();
-
-    if (HEADING_TAGS.has(tag)) {
-      const level = parseInt(tag[1]!, 10);
-      this.emit('\n\n' + '#'.repeat(level) + ' ');
-    } else if (tag === 'a') {
-      this.linkHref = this.getAttr(el, 'href') ?? null;
-      this.linkTextParts = [];
-      this.inLink = true;
-    } else if (tag in INLINE_EMPHASIS) {
-      this.emit(INLINE_EMPHASIS[tag]!);
-    } else if (tag === 'br') {
-      this.emit('\n');
-    } else if (BLOCK_TAGS.has(tag)) {
-      this.emit('\n\n');
-    } else if (tag === 'hr') {
-      this.emit('\n\n---\n\n');
-    } else if (tag === 'blockquote') {
-      this.emit('\n\n');
-      this.bqStack.push([]);
-    } else if (tag === 'ul') {
-      this.listStack.push('ul');
-      this.emit('\n');
-    } else if (tag === 'ol') {
-      this.listStack.push('ol');
-      const startAttr = this.getAttr(el, 'start');
-      let start = 1;
-      if (startAttr != null) {
-        const parsed = parseInt(startAttr, 10);
-        if (!isNaN(parsed)) start = parsed;
-      }
-      this.olCounter.push(start - 1);
-      this.emit('\n');
-    } else if (tag === 'li') {
-      const indent = '  '.repeat(Math.max(0, this.listStack.length - 1));
-      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ol') {
-        if (this.olCounter.length > 0) {
-          this.olCounter[this.olCounter.length - 1]!++;
-          this.emit(`\n${indent}${this.olCounter[this.olCounter.length - 1]}. `);
-        } else {
-          this.emit(`\n${indent}1. `);
-        }
-      } else {
-        this.emit(`\n${indent}* `);
-      }
-    } else if (tag === 'pre') {
-      this.preParts = [];
-      this.inPre = true;
-      this.preLanguage = null;
-      const codeChild = el.childNodes.find(
-        (c): c is Element => isElement(c) && c.tagName === 'code'
-      );
-      if (codeChild) {
-        const cls = this.getAttr(codeChild, 'class') ?? '';
-        const langMatch = cls.match(/(?:^|\s)language-(\S+)/);
-        if (langMatch) this.preLanguage = langMatch[1]!;
-      }
-    } else if (tag === 'code' && !this.inPre) {
-      this.inInlineCode = true;
-      this.emit('`');
-    } else if (tag === 'table') {
-      this.inTable = true;
-      this.headerRowDone = false;
-      this.isFirstRow = true;
-      this.emit('\n\n');
-    } else if (tag === 'tr') {
-      this.finishCell();
-      this.finishRow();
-    } else if (tag === 'th' || tag === 'td') {
-      this.finishCell();
-      this.cellParts = [];
-      this.inCell = true;
-      if (tag === 'th') this.rowHasTh = true;
-    }
-  }
-
-  private handleClose(tag: string): void {
-    tag = tag.toLowerCase();
-
-    if (HEADING_TAGS.has(tag)) {
-      this.emit('\n\n');
-    } else if (tag === 'a') {
-      this.finishLink();
-    } else if (tag in INLINE_EMPHASIS) {
-      this.emit(INLINE_EMPHASIS[tag]!);
-    } else if (BLOCK_TAGS.has(tag)) {
-      this.emit('\n\n');
-    } else if (tag === 'blockquote') {
-      if (this.bqStack.length > 0) {
-        const content = this.bqStack.pop()!.join('');
-        const prefixed = this.prefixBlockquote(content);
-        if (prefixed) this.emit('\n\n' + prefixed + '\n\n');
-      }
-    } else if (tag === 'ul') {
-      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ul') {
-        this.listStack.pop();
-      }
-      this.emit('\n');
-    } else if (tag === 'ol') {
-      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ol') {
-        this.listStack.pop();
-        if (this.olCounter.length > 0) this.olCounter.pop();
-      }
-      this.emit('\n');
-    } else if (tag === 'pre') {
-      const raw = this.preParts.join('');
-      this.inPre = false;
-      const lang = this.preLanguage ?? '';
-      const block = '```' + lang + '\n' + raw + '\n```';
-      this.emit('\n\n' + block + '\n\n');
-      this.preLanguage = null;
-    } else if (tag === 'code' && !this.inPre) {
-      this.inInlineCode = false;
-      this.emit('`');
-    } else if (tag === 'th' || tag === 'td') {
-      this.finishCell();
-    } else if (tag === 'tr') {
-      this.finishCell();
-      this.finishRow();
-    } else if (tag === 'table') {
-      this.finishCell();
-      this.finishRow();
-      this.inTable = false;
-      this.emit('\n');
-    }
-  }
-
-  private handleText(data: string): void {
-    if (this.inPre) {
-      this.preParts.push(data);
-      return;
-    }
-    if (this.inInlineCode) {
-      this.emit(data);
-      return;
-    }
-    const text = data.replace(/\s+/g, ' ');
-    if (this.inTable && !this.inCell && !text.trim()) return;
-    this.emit(text);
-  }
-
-  walk(node: ChildNode | Document): void {
-    if (isText(node as ChildNode)) {
-      this.handleText((node as TextNode).value);
-      return;
-    }
-    if (node.nodeName === '#comment') return;
-
-    if (isElement(node as ChildNode)) {
-      const el = node as Element;
-      const tag = el.tagName.toLowerCase();
-      if (SKIP_TAGS.has(tag)) return;
-      if (tag === 'img') return;
-
-      this.handleOpen(el);
-
-      if (tag === 'pre') {
-        for (const child of el.childNodes) {
-          if (isElement(child) && child.tagName === 'code') {
-            for (const grandchild of child.childNodes) {
-              this.walk(grandchild);
-            }
-          } else {
-            this.walk(child);
-          }
-        }
-      } else {
-        for (const child of el.childNodes) {
-          this.walk(child);
-        }
-      }
-
-      this.handleClose(tag);
-      return;
-    }
-
-    if ('childNodes' in node) {
-      for (const child of (node as Document).childNodes) {
-        this.walk(child);
-      }
-    }
-  }
-
-  getOutput(): string {
-    return this.out.join('');
-  }
-}
-
-function cleanup(text: string): string {
-  const lines = text.split('\n');
-  const out: string[] = [];
-  let inFence = false;
-  let blankRun = 0;
-
-  for (const line of lines) {
-    const stripped = line.replace(/[ \t]+$/, '');
-    if (stripped.startsWith('```')) {
-      inFence = !inFence;
-      blankRun = 0;
-      out.push(stripped);
-      continue;
-    }
-    if (inFence) {
-      out.push(line);
-      continue;
-    }
-    if (!stripped) {
-      blankRun++;
-      if (blankRun <= 1) out.push('');
-      continue;
-    }
-    blankRun = 0;
-    out.push(stripped);
-  }
-
-  return out.join('\n').trim();
-}
-
 export function htmlToMarkdown(sourceHtml: string): string {
-  sourceHtml = sourceHtml.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
-  const doc = parse(sourceHtml);
-  const renderer = new MarkdownRenderer();
-  renderer.walk(doc);
-  return cleanup(renderer.getOutput());
+  if (!sourceHtml) return '';
+  return NodeHtmlMarkdown.translate(sourceHtml, OPTIONS).trim();
 }

apps/server/src/types/api.ts

@@ -25,6 +25,20 @@ export interface AvailableProject {
 
 export type SessionStatus = 'open' | 'archived';
 
+// Session-delete work-loss guard. Returned (as `reports`) in the 409 body when
+// a delete is blocked because the session's worktree holds work at risk. The
+// shape is produced by BooCoder's checkWorktreeWorkAtRisk and passed through
+// verbatim; mirrored byte-for-byte in apps/web/src/api/types.ts for the dialog.
+export interface WorktreeRiskReport {
+  worktreePath: string;
+  branch: string;
+  dirty: boolean;
+  unpushed: number; // commits ahead of upstream, or -1 if no upstream
+  unmerged: number; // commits not in the project default branch
+  atRisk: boolean;
+  error?: string;
+}
+
 export interface Session {
   id: string;
   project_id: string;

apps/server/src/types/ws-frames.ts

@@ -203,7 +203,12 @@ export const SessionDeletedFrame = z.object({
 export const SessionWorkspaceUpdatedFrame = z.object({
   type: z.literal('session_workspace_updated'),
   session_id: Uuid,
-  workspace_panes: z.array(OpaqueObject),
+  // v2.6.x: widened from z.array — the payload is now either the legacy bare
+  // WorkspacePane[] OR the WorkspaceState envelope object (panes + tabNumbers +
+  // nextTabNumber + closedPaneStack). z.array alone would fail-closed and drop
+  // every envelope frame at validation. MUST be mirrored in the server's
+  // byte-identical copy (parity test).
+  workspace_panes: z.union([z.array(OpaqueObject), z.record(z.unknown())]),
 });
 
 export const ChatCreatedFrame = z.object({

apps/web/package.json

@@ -44,5 +44,5 @@
     "typescript": "^5.5.0",
     "vite": "^5.3.4"
   },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }

apps/web/src/api/client.ts

@@ -14,14 +14,46 @@ import type {
   AskUserAnswer,
   ToolCostStat,
   ProviderSnapshotEntry,
+  CoderProvidersFile,
+  ProviderConfigPatch,
   CoderSendMessageBody,
   CoderSendMessageResponse,
   CoderMessageWire,
   CoderTaskDetail,
   PermissionPrompt,
   AgentCommand,
+  WorkspaceState,
 } from './types';
 
+// v2.6 Phase 1-UX §9b: chat-scoped agent-session rows. Returned by
+// GET /api/coder/sessions/:id/agent-sessions; drives the AgentComposerBar
+// resumed/new-session chip via useAgentSessions. `has_session` is true when a
+// resumable backend session id exists for that agent in the chat.
+export interface AgentSessionInfo {
+  agent: string;
+  status: string;
+  has_session: boolean;
+  last_active_at: string | null;
+}
+
+// write-edit-robustness #4: a pre-turn worktree snapshot anchored to an
+// assistant message. Returned by GET .../checkpoints; drives the per-message
+// "Restore to here" affordance in CoderMessageList.
+export interface CoderCheckpoint {
+  id: string;
+  message_id: string;
+  created_at: string;
+  label: string | null;
+}
+
+// write-edit-robustness #4: result of POST .../checkpoints/:id/restore.
+export interface CoderRestoreResult {
+  checkpoint_id: string;
+  messages_deleted: number;
+  worktree_reset: boolean;
+  backend_reset: boolean;
+}
+
 export class ApiError extends Error {
   constructor(
     public status: number,
@@ -149,8 +181,17 @@ export const api = {
         method: 'PATCH',
         body: JSON.stringify(body),
       }),
-    remove: (id: string) =>
-      request<void>(`/api/sessions/${id}`, { method: 'DELETE' }),
+    // force=true bypasses the server-side worktree work-loss guard. A blocked
+    // delete throws ApiError(409) whose body carries { error, reports }.
+    remove: (id: string, force = false) =>
+      request<void>(`/api/sessions/${id}${force ? '?force=true' : ''}`, { method: 'DELETE' }),
+    // Stash the session's worktree (uncommitted changes) on the host, via the
+    // BooCoder proxy. Recoverable escape from the work-at-risk dialog.
+    worktreeStash: (id: string) =>
+      request<{ results: { worktreePath: string; stashed: boolean; error?: string }[] }>(
+        `/api/coder/sessions/${id}/worktree-stash`,
+        { method: 'POST' },
+      ),
     archive: (id: string) =>
       request<void>(`/api/sessions/${id}/archive`, { method: 'POST' }),
     unarchive: (id: string) =>
@@ -164,10 +205,10 @@ export const api = {
       ),
     openChatsCount: (id: string) =>
       request<{ count: number }>(`/api/sessions/${id}/chats/open-count`),
-    updateWorkspacePanes: (id: string, panes: Session['workspace_panes']) =>
+    updateWorkspacePanes: (id: string, state: WorkspaceState) =>
       request<Session>(`/api/sessions/${id}/workspace`, {
         method: 'PATCH',
-        body: JSON.stringify({ workspace_panes: panes }),
+        body: JSON.stringify({ workspace_panes: state }),
       }),
   },
 
@@ -310,8 +351,23 @@ export const api = {
       const qs = cwd ? `?cwd=${encodeURIComponent(cwd)}` : '';
       return request<ProviderSnapshotEntry[]>(`/api/coder/providers/snapshot${qs}`);
     },
-    refreshProviders: () =>
-      request<{ refreshed: number }>('/api/coder/providers/refresh', { method: 'POST' }),
+    // v2.3 Phase 4: optional subset narrows the reported `refreshed` count.
+    refreshProviders: (providers?: string[]) =>
+      request<{ refreshed: number }>('/api/coder/providers/refresh', {
+        method: 'POST',
+        ...(providers && providers.length > 0 ? { body: JSON.stringify({ providers }) } : {}),
+      }),
+    // v2.3 Phase 4: read/patch the provider config file. PATCH returns the new
+    // config; a `null` value in the patch deletes that id's override.
+    getProvidersConfig: () => request<CoderProvidersFile>('/api/coder/providers/config'),
+    patchProvidersConfig: (patch: ProviderConfigPatch) =>
+      request<{ ok: true } & CoderProvidersFile>('/api/coder/providers/config', {
+        method: 'PATCH',
+        body: JSON.stringify(patch),
+      }),
+    // v2.3 Phase 4: per-provider diagnostic — JSON { diagnostic: string } (§6.4).
+    getProviderDiagnostic: (id: string) =>
+      request<{ diagnostic: string }>(`/api/coder/providers/${encodeURIComponent(id)}/diagnostic`),
     sendMessage: (sessionId: string, body: CoderSendMessageBody) =>
       request<CoderSendMessageResponse>(`/api/coder/sessions/${sessionId}/messages`, {
         method: 'POST',
@@ -328,10 +384,19 @@ export const api = {
       request<{ taskId: string; commands: AgentCommand[] }>(`/api/coder/tasks/${taskId}/commands`),
     getTask: (taskId: string) =>
       request<CoderTaskDetail>(`/api/coder/tasks/${taskId}`),
+    // Cancel a pending/running coder task (cancels permission wait + inference;
+    // server sets state='cancelled'). Used by CoderPane's stop button.
+    cancelTask: (taskId: string) =>
+      request<{ cancelled: boolean }>(`/api/coder/tasks/${taskId}/cancel`, { method: 'POST' }),
     listMessages: (sessionId: string, chatId?: string) =>
       request<CoderMessageWire[]>(
         `/api/coder/sessions/${sessionId}/messages${chatId ? `?chat_id=${encodeURIComponent(chatId)}` : ''}`,
       ),
+    // v2.6 Phase 1-UX §9b: per-(chat,agent) backend-session state for the
+    // resumed/new-session chip. Chat-scoped (NOT foldable into the project-level
+    // provider snapshot). Proxied to boocoder at /api/sessions/:id/agent-sessions.
+    agentSessions: (sessionId: string) =>
+      request<AgentSessionInfo[]>(`/api/coder/sessions/${sessionId}/agent-sessions`),
     skillInvoke: (
       sessionId: string,
       paneId: string,
@@ -360,6 +425,22 @@ export const api = {
           ...(config?.thinking_option_id ? { thinking_option_id: config.thinking_option_id } : {}),
         }),
       }),
+    // write-edit-robustness #4: worktree checkpoints. List which assistant
+    // messages in a chat have a pre-turn worktree snapshot ("Restore to here"
+    // is offered only on those). Proxied to boocoder.
+    getCheckpoints: (sessionId: string, chatId: string) =>
+      request<{ checkpoints: CoderCheckpoint[] }>(
+        `/api/coder/sessions/${sessionId}/checkpoints?chat_id=${encodeURIComponent(chatId)}`,
+      ),
+    // write-edit-robustness #4: reset the worktree to a checkpoint, trim the
+    // transcript past its anchor message, and reset the agent backend. After it
+    // returns, the caller refetches messages (+ checkpoints) so the trimmed
+    // transcript shows.
+    restoreCheckpoint: (sessionId: string, checkpointId: string) =>
+      request<CoderRestoreResult>(
+        `/api/coder/sessions/${sessionId}/checkpoints/${encodeURIComponent(checkpointId)}/restore`,
+        { method: 'POST' },
+      ),
     // Queue a new-file create from the RightRail browser → BooCoder
     // pending_changes (operation='create'). Surfaces in the CoderPane DiffPanel
     // for explicit apply. A WriteGuardError comes back as a 422 whose { error }

apps/web/src/api/types.ts

@@ -34,6 +34,19 @@ export interface AvailableProject {
 
 export type SessionStatus = 'open' | 'archived';
 
+// Session-delete work-loss guard. Mirror of WorktreeRiskReport in
+// apps/server/src/types/api.ts — edit both copies together. Arrives as the
+// `reports` field of the 409 body when a delete is blocked.
+export interface WorktreeRiskReport {
+  worktreePath: string;
+  branch: string;
+  dirty: boolean;
+  unpushed: number; // commits ahead of upstream, or -1 if no upstream
+  unmerged: number; // commits not in the project default branch
+  atRisk: boolean;
+  error?: string;
+}
+
 export interface Session {
   id: string;
   project_id: string;
@@ -47,7 +60,10 @@ export interface Session {
   // v1.9: null = inherit from project.default_web_search_enabled.
   web_search_enabled: boolean | null;
   // v1.12.1: server-authoritative pane layout, replaces localStorage.
-  workspace_panes: WorkspacePane[];
+  // A value may be the legacy bare WorkspacePane[] (older rows) OR the new
+  // WorkspaceState envelope (panes + tab numbering + reopen stack). Normalize
+  // on read via useWorkspacePanes' toWorkspaceState.
+  workspace_panes: WorkspacePane[] | WorkspaceState;
   // v1.13.17: paths the agent has been granted read access to via the
   // request_read_access tool. Empty by default. Settings UI surfaces the
   // list with per-row revoke; the grant flow itself appends through the
@@ -253,6 +269,31 @@ export interface ProviderSnapshotEntry {
   fetchedAt?: string;
 }
 
+// v2.3 Phase 4: provider config file wire types. Mirror of the Zod-inferred
+// ProviderOverride / CoderProvidersFile in apps/coder/src/services/provider-config.ts
+// (web can't cross-import the coder package — TS6307 on the composite project).
+export interface ProviderOverride {
+  extends?: 'acp';
+  label?: string;
+  description?: string;
+  command?: string[];
+  env?: Record<string, string>;
+  enabled?: boolean;
+  order?: number;
+  models?: Array<{ id: string; label: string }>;
+  additionalModels?: Array<{ id: string; label: string }>;
+}
+
+export interface CoderProvidersFile {
+  providers: Record<string, ProviderOverride>;
+}
+
+// PATCH body: a partial providers map. A `null` value deletes that id's
+// override (revert to built-in default); an object replaces it wholesale.
+export interface ProviderConfigPatch {
+  providers: Record<string, ProviderOverride | null>;
+}
+
 export interface AgentSessionConfig {
   provider: string;
   model: string;
@@ -273,6 +314,9 @@ export interface PermissionPrompt {
 export interface AgentCommand {
   name: string;
   description?: string;
+  // v2.5.11: 'skill' (plugin skill) vs 'command' (native/CLI slash command).
+  // Drives the icon split in the coder slash menu. Undefined → command.
+  kind?: 'command' | 'skill';
 }
 
 export interface CoderSendMessageBody {
@@ -470,6 +514,30 @@ export interface WorkspacePane {
   html_artifact_state?: HtmlArtifactState;
 }
 
+// Reopen LIFO stack entry. Shape unchanged from the prior module-level stack;
+// now persisted inside the WorkspaceState envelope so the reopen-pane stack
+// survives a reload / cross-device sync.
+export interface ClosedPaneEntry {
+  kind: WorkspacePane['kind'];
+  chatIds: string[];
+  activeChatIdx: number;
+}
+
+// Envelope persisted to sessions.workspace_panes. Supersedes the bare
+// WorkspacePane[] shape (still accepted on read for legacy rows — see the
+// migration in useWorkspacePanes.toWorkspaceState). The server accepts either
+// shape; the frontend always emits this envelope going forward.
+export interface WorkspaceState {
+  panes: WorkspacePane[];
+  // Stable, session-scoped tab number per chat id. Numbers only ever increase
+  // and are never reused (retired entries are pruned on tab close).
+  tabNumbers: { [chatId: string]: number };
+  // Next number to hand out; starts at 1; ONLY increments.
+  nextTabNumber: number;
+  // Reopen LIFO stack, max 10, most-recent last.
+  closedPaneStack: ClosedPaneEntry[];
+}
+
 export type WsFrame =
   | { type: 'snapshot'; messages: Message[] }
   | { type: 'message_started'; message_id: string; chat_id?: string; role: MessageRole }

apps/web/src/api/ws-frames.ts

@@ -203,7 +203,12 @@ export const SessionDeletedFrame = z.object({
 export const SessionWorkspaceUpdatedFrame = z.object({
   type: z.literal('session_workspace_updated'),
   session_id: Uuid,
-  workspace_panes: z.array(OpaqueObject),
+  // v2.6.x: widened from z.array — the payload is now either the legacy bare
+  // WorkspacePane[] OR the WorkspaceState envelope object (panes + tabNumbers +
+  // nextTabNumber + closedPaneStack). z.array alone would fail-closed and drop
+  // every envelope frame at validation. MUST be mirrored in the server's
+  // byte-identical copy (parity test).
+  workspace_panes: z.union([z.array(OpaqueObject), z.record(z.unknown())]),
 });
 
 export const ChatCreatedFrame = z.object({

apps/web/src/components/AgentComposerBar.tsx

@@ -1,9 +1,10 @@
 import { useEffect, useMemo, useRef, useState } from 'react';
-import { Check, ChevronDown, RefreshCw, Shield, Brain, Bird, Bot, Dog, Terminal as TermIcon } from 'lucide-react';
-import { ClaudeIcon, OpenCodeIcon } from '@/components/icons/ProviderIcons';
+import { Check, ChevronDown, RefreshCw, Loader2, Shield, Brain, Bot } from 'lucide-react';
 import { api } from '@/api/client';
 import type { AgentSessionConfig, ProviderSnapshotEntry, AgentCommand } from '@/api/types';
 import { useProviderSnapshot, refreshProviderSnapshot } from '@/hooks/useProviderSnapshot';
+import { providerIcon } from '@/components/coder/providerIcons';
+import { useAgentSessions } from '@/hooks/useAgentSessions';
 import {
   DropdownMenu,
   DropdownMenuContent,
@@ -172,16 +173,54 @@ interface Props {
   onChange: (next: AgentSessionConfig) => void;
   onProviderCommandsChange?: (commands: AgentCommand[]) => void;
   connected?: boolean;
+  // v2.6 Phase 1-UX §9b: chat id for the resumed/new-session chip. Optional so
+  // BooChat and any other AgentComposerBar caller renders no chip and is
+  // otherwise unaffected. When present + connected + the chat has ≥1 prior
+  // turn, a chip right of the Provider picker reports whether switching to the
+  // current provider resumes an agent session, replays history (boocode), or
+  // starts fresh.
+  sessionId?: string;
+  // True once the chat has at least one prior turn — gates the chip so it stays
+  // hidden on a brand-new chat. Defaults to false (no chip).
+  hasPriorTurn?: boolean;
 }
 
-export function AgentComposerBar({ projectPath, value, onChange, onProviderCommandsChange, connected }: Props) {
+// Relative-time formatter for the resumed-chip title (e.g. "3m ago").
+function relativeTime(iso: string | null): string {
+  if (!iso) return 'unknown';
+  const then = new Date(iso).getTime();
+  if (Number.isNaN(then)) return 'unknown';
+  const diffMs = Date.now() - then;
+  if (diffMs < 0) return 'just now';
+  const sec = Math.floor(diffMs / 1000);
+  if (sec < 60) return 'just now';
+  const min = Math.floor(sec / 60);
+  if (min < 60) return `${min}m ago`;
+  const hr = Math.floor(min / 60);
+  if (hr < 24) return `${hr}h ago`;
+  const day = Math.floor(hr / 24);
+  return `${day}d ago`;
+}
+
+export function AgentComposerBar({ projectPath, value, onChange, onProviderCommandsChange, connected, sessionId, hasPriorTurn }: Props) {
   const allEntries = useProviderSnapshot(projectPath);
+  // 5.5 — the composer picker only offers ENABLED providers that are ready (or
+  // still loading). Disabled (enabled:false) and unavailable/error providers are
+  // hidden here and managed in Settings → Providers. Native boocode is always
+  // enabled+ready, so it always appears.
   const entries = useMemo(
-    () => allEntries?.filter((e) => e.installed && e.status !== 'error') ?? null,
+    () => allEntries?.filter((e) => e.enabled && (e.status === 'ready' || e.status === 'loading')) ?? null,
     [allEntries],
   );
   const [refreshing, setRefreshing] = useState(false);
 
+  // v2.6 Phase 1-UX §9b: chat-scoped agent-session rows for the resumed/new
+  // chip. Hook is unconditional (hooks rule); it self-no-ops when sessionId is
+  // undefined or the chat has no prior turn, so BooChat callers cost nothing.
+  const { sessions: agentSessions } = useAgentSessions(
+    sessionId && hasPriorTurn ? sessionId : undefined,
+  );
+
   const hydratedRef = useRef(false);
 
   useEffect(() => {
@@ -200,6 +239,35 @@ export function AgentComposerBar({ projectPath, value, onChange, onProviderComma
     onChange(resolveConfig(entry, prefs));
   }, [entries, onChange, value.provider]);
 
+  // If the active provider is disabled in the settings drawer it drops out of
+  // `entries` (the 5.5 filter) — fall back to boocode so the composer never
+  // strands on an unselectable provider with empty model/mode pickers.
+  useEffect(() => {
+    if (!entries?.length) return;
+    if (entries.some((e) => e.name === value.provider)) return;
+    const fallback = entries.find((e) => e.name === 'boocode') ?? entries[0];
+    if (!fallback) return;
+    onChange(resolveConfig(fallback, loadPrefs()));
+  }, [entries, value.provider, onChange]);
+
+  // 5.6 — loading poll: while any entry is loading (Phase 2's sync cache-miss
+  // return), refetch until terminal. Capped; no provider_snapshot_updated WS
+  // frame (deferred Tier-2). Dormant today since the snapshot awaits the build.
+  const pollsRef = useRef(0);
+  useEffect(() => {
+    const anyLoading = allEntries?.some((e) => e.status === 'loading') ?? false;
+    if (!anyLoading) {
+      pollsRef.current = 0;
+      return;
+    }
+    if (pollsRef.current >= 10) return;
+    const t = setTimeout(() => {
+      pollsRef.current += 1;
+      void refreshProviderSnapshot(projectPath);
+    }, 2000);
+    return () => clearTimeout(t);
+  }, [allEntries, projectPath]);
+
   const currentEntry = useMemo(
     () => entries?.find((e) => e.name === value.provider),
     [entries, value.provider],
@@ -261,21 +329,30 @@ export function AgentComposerBar({ projectPath, value, onChange, onProviderComma
     );
   }
 
-  const providerIcon = (name: string) => {
-    switch (name) {
-      case 'claude': return <ClaudeIcon size={13} className="shrink-0" />;
-      case 'opencode': return <OpenCodeIcon size={13} className="shrink-0" />;
-      case 'goose': return <Bird size={13} className="shrink-0" />;
-      case 'qwen': return <TermIcon size={13} className="shrink-0" />;
-      default: return <Dog size={13} className="shrink-0" />;
-    }
-  };
-
   const providerOptions = entries.map((e) => ({ id: e.name, label: e.label }));
   const modeOptions = (currentEntry?.modes ?? []).map((m) => ({ id: m.id, label: m.label }));
   const modelOptions = (currentEntry?.models ?? []).map((m) => ({ id: m.id, label: m.label }));
   const thinkingOpts = thinkingOptions.map((t) => ({ id: t.id, label: t.label }));
 
+  // v2.6 Phase 1-UX §9b: resumed / history / new-session chip. Only meaningful
+  // when this is a real chat (sessionId), the WS is connected, and the chat has
+  // ≥1 prior turn — otherwise render nothing so fresh chats and non-coder
+  // callers stay clean.
+  const sessionRow = agentSessions.find((s) => s.agent === value.provider);
+  const sessionChip: { label: string; title: string } | null =
+    sessionId && hasPriorTurn && connected
+      ? value.provider === 'boocode'
+        ? // Native boocode never holds an agent_sessions row — it reconstructs
+          // the conversation from the chat transcript each turn.
+          { label: 'history', title: 'BooCode replays the chat transcript each turn' }
+        : sessionRow?.has_session
+          ? {
+              label: 'resumed',
+              title: `Resuming ${value.provider} · last active ${relativeTime(sessionRow.last_active_at)}`,
+            }
+          : { label: 'new session', title: `${value.provider} starts a fresh session this turn` }
+      : null;
+
   return (
     <div className="flex flex-wrap items-center gap-1 px-2 py-1 border-b border-border bg-muted/20 shrink-0">
       <CompactPicker
@@ -283,8 +360,20 @@ export function AgentComposerBar({ projectPath, value, onChange, onProviderComma
         value={value.provider}
         options={providerOptions}
         onPick={pickProvider}
-        icon={providerIcon(value.provider)}
+        icon={
+          currentEntry?.status === 'loading'
+            ? <Loader2 size={13} className="shrink-0 animate-spin" />
+            : providerIcon(value.provider)
+        }
       />
+      {sessionChip && (
+        <span
+          title={sessionChip.title}
+          className="inline-flex items-center rounded-full border border-border bg-muted/40 px-1.5 py-0.5 text-[10px] font-medium text-muted-foreground shrink-0"
+        >
+          {sessionChip.label}
+        </span>
+      )}
       <CompactPicker
         label="Mode"
         value={value.modeId ?? ''}

apps/web/src/components/ChatInput.tsx

@@ -1,5 +1,5 @@
 import { useCallback, useEffect, useMemo, useRef, useState, type DragEvent, type KeyboardEvent } from 'react';
-import { Check, Plus, Send } from 'lucide-react';
+import { Check, ListPlus, Plus, Send, Square } from 'lucide-react';
 import { toast } from 'sonner';
 import { Textarea } from '@/components/ui/textarea';
 import { Button } from '@/components/ui/button';
@@ -51,6 +51,11 @@ interface Props {
   webSearchEnabled?: boolean | null;
   onSend: (content: string) => void | Promise<void>;
   onForceSend?: (content: string) => void | Promise<void>;
+  // When the assistant/agent is generating, the send button morphs: empty draft
+  // → Stop (calls onStop); non-empty draft → Queue (submits, which the caller
+  // queues while busy). Omitting onStop falls back to a (disabled) Send button.
+  generating?: boolean;
+  onStop?: () => void | Promise<void>;
   // Batch 9.6: slash-command dispatch. When the input parses to a known skill,
   // ChatInput calls this with the skill name + the post-name args (possibly
   // empty). Callers wire this to api.chats.skillInvoke. Omitting the prop
@@ -78,7 +83,7 @@ interface Props {
   modelContextLimit?: number | null;
 }
 
-export function ChatInput({ disabled, projectId, agentId, onAgentChange, sessionId, webSearchEnabled, onSend, onForceSend, onSlashCommand, slashGroups, chatId, chatLabel, messages, modelContextLimit }: Props) {
+export function ChatInput({ disabled, projectId, agentId, onAgentChange, sessionId, webSearchEnabled, onSend, onForceSend, generating, onStop, onSlashCommand, slashGroups, chatId, chatLabel, messages, modelContextLimit }: Props) {
   const { isMobile } = useViewport();
   const [value, setValue] = useState('');
   const [busy, setBusy] = useState(false);
@@ -651,14 +656,38 @@ export function ChatInput({ disabled, projectId, agentId, onAgentChange, session
           rows={3}
           className="resize-none min-h-[68px] max-h-[240px]"
         />
+        {(() => {
+          const hasContent = value.trim().length > 0 || attachments.length > 0;
+          // While generating with an empty draft, the button stops generation.
+          if (generating && onStop && !hasContent) {
+            return (
+              <Button
+                onClick={() => void onStop()}
+                size="icon-lg"
+                variant="outline"
+                aria-label="Stop generating"
+                title="Stop generating"
+              >
+                <Square className="fill-current size-3.5" />
+              </Button>
+            );
+          }
+          // With a draft, submit. While generating the caller queues it, so the
+          // button reads as Queue; otherwise it's a normal Send.
+          const queueing = !!generating && hasContent;
+          return (
             <Button
               onClick={() => void submit()}
-          disabled={disabled || busy || (!value.trim() && attachments.length === 0)}
+              disabled={disabled || busy || !hasContent}
               size="icon-lg"
-          aria-label="Send"
+              variant={queueing ? 'secondary' : 'default'}
+              aria-label={queueing ? 'Queue message' : 'Send'}
+              title={queueing ? 'Queue message' : 'Send'}
             >
-          <Send />
+              {queueing ? <ListPlus /> : <Send />}
             </Button>
+          );
+        })()}
       </div>
       </div>
       <AttachmentPreviewModal

apps/web/src/components/ChatTabBar.tsx

@@ -1,5 +1,5 @@
 import { useState } from 'react';
-import { Code, History, MessageSquare, Plus, Terminal, X } from 'lucide-react';
+import { Code, Columns2, History, MessageSquare, Plus, RotateCcw, Terminal, X } from 'lucide-react';
 import type { Chat, WorkspacePane } from '@/api/types';
 import { StatusDot } from '@/components/StatusDot';
 import {
@@ -16,17 +16,23 @@ import {
   DropdownMenuTrigger,
 } from '@/components/ui/dropdown-menu';
 import { useLongPress } from '@/hooks/useLongPress';
+import { sessionEvents } from '@/hooks/sessionEvents';
 import { cn } from '@/lib/utils';
 
 interface Props {
   pane: WorkspacePane;
   tabs: Chat[];
+  // v2.6.x (Batch 3a): stable session-scoped tab number per chat id. Keyed by
+  // chat.id, NEVER by tab position.
+  tabNumbers: Record<string, number>;
   onSwitchTab: (tabIdx: number) => void;
   onRemoveTab: (chatId: string) => void;
   onCloseOthers: (chatId: string) => void;
   onCloseToRight: (chatId: string) => void;
   onCloseAll: () => void;
-  onAddPane: (kind: 'chat' | 'terminal' | 'coder') => void;
+  onNewTab: () => void;
+  onSplitPane: (kind: 'chat' | 'terminal' | 'coder') => void;
+  onReopenPane?: () => void;
   onShowHistory: () => void;
   onRename: (chatId: string, name: string) => Promise<void>;
   onRemovePane?: () => void;
@@ -35,12 +41,15 @@ interface Props {
 export function ChatTabBar({
   pane,
   tabs,
+  tabNumbers,
   onSwitchTab,
   onRemoveTab,
   onCloseOthers,
   onCloseToRight,
   onCloseAll,
-  onAddPane,
+  onNewTab,
+  onSplitPane,
+  onReopenPane,
   onShowHistory,
   onRename,
   onRemovePane,
@@ -79,6 +88,9 @@ export function ChatTabBar({
         const isLast = tabIdx === tabs.length - 1;
         const onlyTab = tabs.length === 1;
         const label = chat.name ?? 'New chat';
+        // v2.6.x: stable tab number keyed by chat.id (NOT tab position).
+        // Omit gracefully when not yet assigned.
+        const tabNumber = tabNumbers[chat.id];
         return (
           <ContextMenu key={chat.id}>
             <ContextMenuTrigger asChild>
@@ -113,8 +125,11 @@ export function ChatTabBar({
                     className="bg-transparent border-b border-border text-xs outline-none w-28"
                   />
                 ) : (
-                  <span className="truncate max-w-[140px]" title={label}>
-                    {label}
+                  <span
+                    className="truncate max-w-[140px]"
+                    title={tabNumber !== undefined ? `${tabNumber} · ${label}` : label}
+                  >
+                    {tabNumber !== undefined ? `${tabNumber} · ${label}` : label}
                   </span>
                 )}
                 <button
@@ -131,9 +146,16 @@ export function ChatTabBar({
               </div>
             </ContextMenuTrigger>
             <ContextMenuContent>
-              <ContextMenuItem onSelect={() => onAddPane('chat')}>
+              <ContextMenuItem onSelect={onNewTab}>
                 New chat
               </ContextMenuItem>
+              <ContextMenuItem
+                onSelect={() =>
+                  sessionEvents.emit({ type: 'open_chat_in_new_pane', chat_id: chat.id })
+                }
+              >
+                Open in new pane
+              </ContextMenuItem>
               <ContextMenuSeparator />
               <ContextMenuItem onSelect={() => startRename(chat.id, chat.name)}>
                 Rename
@@ -175,24 +197,60 @@ export function ChatTabBar({
             <button
               type="button"
               className="inline-flex items-center justify-center p-1 rounded text-muted-foreground hover:bg-muted hover:text-foreground max-md:min-h-[44px] max-md:min-w-[44px]"
-              aria-label="New pane"
-              title="New pane"
+              aria-label="New chat, terminal, or coder"
+              title="New chat / terminal / coder"
             >
               <Plus size={12} />
             </button>
           </DropdownMenuTrigger>
           <DropdownMenuContent align="end" className="w-fit">
-            <DropdownMenuItem onSelect={() => onAddPane('chat')}>
+            {/* New BooChat opens a tab in THIS pane; terminal/coder can't be
+                tabs, so they split into a new pane (matches the Split menu). */}
+            <DropdownMenuItem onSelect={onNewTab}>
               <MessageSquare size={14} /> New BooChat
             </DropdownMenuItem>
-            <DropdownMenuItem onSelect={() => onAddPane('terminal')}>
+            <DropdownMenuItem onSelect={() => onSplitPane('terminal')}>
               <Terminal size={14} /> New BooTerm
             </DropdownMenuItem>
-            <DropdownMenuItem onSelect={() => onAddPane('coder')}>
+            <DropdownMenuItem onSelect={() => onSplitPane('coder')}>
               <Code size={14} /> New BooCode
             </DropdownMenuItem>
           </DropdownMenuContent>
         </DropdownMenu>
+        <DropdownMenu>
+          <DropdownMenuTrigger asChild>
+            <button
+              type="button"
+              className="inline-flex items-center justify-center p-1 rounded text-muted-foreground hover:bg-muted hover:text-foreground max-md:min-h-[44px] max-md:min-w-[44px]"
+              aria-label="Split pane"
+              title="Split pane"
+            >
+              <Columns2 size={12} />
+            </button>
+          </DropdownMenuTrigger>
+          <DropdownMenuContent align="end" className="w-fit">
+            <DropdownMenuItem onSelect={() => onSplitPane('chat')}>
+              <MessageSquare size={14} /> New BooChat
+            </DropdownMenuItem>
+            <DropdownMenuItem onSelect={() => onSplitPane('terminal')}>
+              <Terminal size={14} /> New BooTerm
+            </DropdownMenuItem>
+            <DropdownMenuItem onSelect={() => onSplitPane('coder')}>
+              <Code size={14} /> New BooCode
+            </DropdownMenuItem>
+          </DropdownMenuContent>
+        </DropdownMenu>
+        {onReopenPane && (
+          <button
+            type="button"
+            onClick={onReopenPane}
+            className="inline-flex items-center justify-center p-1 rounded text-muted-foreground hover:bg-muted hover:text-foreground max-md:min-h-[44px] max-md:min-w-[44px]"
+            aria-label="Reopen closed pane"
+            title="Reopen closed pane"
+          >
+            <RotateCcw size={12} />
+          </button>
+        )}
         <button
           type="button"
           onClick={onShowHistory}

apps/web/src/components/MessageBubble.tsx

@@ -1,9 +1,9 @@
 import { useEffect, useState } from 'react';
 import type { ReactNode } from 'react';
-import { ChevronDown, ChevronRight, Copy, RefreshCw, Check, Share2, RotateCw, GitFork, Trash2, PanelRightOpen, Brain } from 'lucide-react';
+import { ChevronDown, ChevronRight, Copy, RefreshCw, Check, Share2, RotateCw, GitFork, Trash2, Brain, History } from 'lucide-react';
 import { toast } from 'sonner';
 import type { Chat, ErrorReason, Message } from '@/api/types';
-import { api, ApiError } from '@/api/client';
+import { api } from '@/api/client';
 import { sessionEvents } from '@/hooks/sessionEvents';
 import { sendToTerminal, terminalsRegistry, type TerminalRegistration } from '@/lib/events';
 import { CapHitSentinel } from './CapHitSentinel';
@@ -105,23 +105,15 @@ const ERROR_REASON_LABELS: Record<ErrorReason, string> = {
 // moved to apps/web/src/components/MarkdownRenderer.tsx so the new artifact
 // panes can render assistant content with the same Shiki + remark-gfm setup.
 
-// Pane-header title derivation for a markdown artifact. Order matches the
-// server slug logic in services/artifacts.ts: first `# ` heading → first 6
-// words of the body → 'Markdown artifact'. Truncated to keep the pane header
-// readable.
-function deriveMarkdownTitle(content: string): string {
-  const headingMatch = content.match(/^\s*#\s+(.+?)\s*$/m);
-  if (headingMatch && headingMatch[1]) return headingMatch[1].slice(0, 80);
-  const words = content.trim().split(/\s+/).slice(0, 6).join(' ');
-  if (words) return words.slice(0, 80);
-  return 'Markdown artifact';
-}
-
 export interface MessageActions {
   onRegenerate?: (chatId: string, messageId: string) => Promise<void>;
   onResend?: (chatId: string, content: string) => Promise<void>;
   onFork?: (chatId: string, messageId: string) => Promise<void>;
   onDelete?: (chatId: string, messageId: string) => Promise<void>;
+  // write-edit-robustness #4 (BooCoder only): reset the worktree to this
+  // message's pre-turn checkpoint and trim the transcript past it. BooChat
+  // passes no such callback → the "Restore to here" control never renders.
+  onRestoreCheckpoint?: (chatId: string, messageId: string) => Promise<void>;
 }
 
 interface Props {
@@ -129,8 +121,19 @@ interface Props {
   sessionChats?: Chat[];
   capHitInfo?: { position: number; isLatest: boolean };
   actions?: MessageActions;
-  /** Hide actions that don't apply (fork, delete, open-in-pane). */
-  hideActions?: ('fork' | 'delete' | 'openInPane')[];
+  /** Hide actions that don't apply (fork, delete). */
+  hideActions?: ('fork' | 'delete')[];
+  /**
+   * write-edit-robustness #4: this assistant message has a worktree checkpoint
+   * → render "Restore to here" (only when `actions.onRestoreCheckpoint` is also
+   * provided). CoderMessageList sets this from the checkpoint set.
+   */
+  hasCheckpoint?: boolean;
+  /**
+   * write-edit-robustness #4: suppress the restore control during an active
+   * turn (mirrors composer gating). Defaults to enabled.
+   */
+  restoreDisabled?: boolean;
 }
 
 function StatsLine({ message }: { message: Message }) {
@@ -167,16 +170,22 @@ function ActionRow({
   message,
   actions,
   hiddenSet,
+  hasCheckpoint = false,
+  restoreDisabled = false,
 }: {
   message: Message;
   actions?: MessageActions;
   hiddenSet: Set<string>;
+  hasCheckpoint?: boolean;
+  restoreDisabled?: boolean;
 }) {
   const [justCopied, setJustCopied] = useState(false);
   const [regenerating, setRegenerating] = useState(false);
   const [forking, setForking] = useState(false);
   const [deleteOpen, setDeleteOpen] = useState(false);
   const [deleting, setDeleting] = useState(false);
+  const [restoreOpen, setRestoreOpen] = useState(false);
+  const [restoring, setRestoring] = useState(false);
 
   async function copy() {
     try {
@@ -226,7 +235,7 @@ function ActionRow({
       } else {
         const chat = await api.chats.fork(message.chat_id, { messageId: message.id });
         sessionEvents.emit({ type: 'refetch_messages' });
-        sessionEvents.emit({ type: 'open_chat_in_active_pane', chat_id: chat.id });
+        sessionEvents.emit({ type: 'open_chat_in_new_pane', chat_id: chat.id });
       }
     } catch (err) {
       toast.error(err instanceof Error ? err.message : 'fork failed');
@@ -252,60 +261,33 @@ function ActionRow({
     }
   }
 
+  async function confirmRestore() {
+    if (restoring || !actions?.onRestoreCheckpoint) return;
+    setRestoring(true);
+    try {
+      await actions.onRestoreCheckpoint(message.chat_id, message.id);
+      setRestoreOpen(false);
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : 'restore failed');
+    } finally {
+      setRestoring(false);
+    }
+  }
+
   const isAssistant = message.role === 'assistant';
   const isUser = message.role === 'user';
   const canRegen = isAssistant && message.status !== 'streaming';
   const canResend = isUser && message.status === 'complete' && !!message.content?.trim();
   const canFork = message.status === 'complete';
   const canDelete = message.status !== 'streaming';
-  const [openingPane, setOpeningPane] = useState(false);
-
-  // v1.14.x-html-artifact-panes: probe for an html_artifact part. If present,
-  // open the HTML pane variant; otherwise fall back to the markdown variant.
-  // Title derivation for markdown: first `# ` heading → first 6 words of the
-  // body → 'Markdown artifact' (mirrors the slug logic in
-  // services/artifacts.ts).
-  async function openInPane() {
-    if (openingPane || message.status === 'streaming') return;
-    setOpeningPane(true);
-    try {
-      try {
-        const payload = await api.messages.getHtmlArtifact(
-          message.chat_id,
-          message.id,
-        );
-        sessionEvents.emit({
-          type: 'open_html_artifact_pane',
-          state: {
-            chat_id: message.chat_id,
-            message_id: message.id,
-            title: payload.title,
-          },
-        });
-        return;
-      } catch (err) {
-        // 404 (no html_artifact part) is the expected fall-through path —
-        // markdown variant opens below. Any other error (network, 500) is
-        // a real failure; toast and bail rather than masquerading as markdown.
-        const status = err instanceof ApiError ? err.status : null;
-        if (status !== 404) {
-          toast.error(err instanceof Error ? err.message : 'open in pane failed');
-          return;
-        }
-      }
-      const title = deriveMarkdownTitle(message.content);
-      sessionEvents.emit({
-        type: 'open_markdown_artifact_pane',
-        state: {
-          chat_id: message.chat_id,
-          message_id: message.id,
-          title,
-        },
-      });
-    } finally {
-      setOpeningPane(false);
-    }
-  }
+  // write-edit-robustness #4: show "Restore to here" only for a completed
+  // assistant message that has a checkpoint AND when the coder wired the
+  // callback. Disabled (but visible) during an active turn.
+  const canRestore =
+    isAssistant &&
+    hasCheckpoint &&
+    message.status === 'complete' &&
+    !!actions?.onRestoreCheckpoint;
 
   return (
     <>
@@ -330,18 +312,6 @@ function ActionRow({
             <RefreshCw className="size-3" />
           </button>
         )}
-        {isAssistant && !hiddenSet.has('openInPane') && (
-          <button
-            type="button"
-            onClick={() => void openInPane()}
-            disabled={openingPane || message.status === 'streaming'}
-            className="inline-flex items-center justify-center size-6 rounded text-muted-foreground hover:bg-muted hover:text-foreground disabled:opacity-40 disabled:cursor-not-allowed max-md:min-h-[44px] max-md:min-w-[44px]"
-            aria-label="Open in pane"
-            title="Open in pane"
-          >
-            <PanelRightOpen className="size-3" />
-          </button>
-        )}
         {isAssistant && (
           <button
             type="button"
@@ -378,6 +348,18 @@ function ActionRow({
           <Trash2 className="size-3" />
         </button>
         )}
+        {canRestore && (
+          <button
+            type="button"
+            onClick={() => setRestoreOpen(true)}
+            disabled={restoreDisabled || restoring}
+            className="inline-flex items-center justify-center size-6 rounded text-muted-foreground hover:bg-muted hover:text-foreground disabled:opacity-40 disabled:cursor-not-allowed max-md:min-h-[44px] max-md:min-w-[44px]"
+            aria-label="Restore to here"
+            title="Restore worktree to this point"
+          >
+            <History className="size-3" />
+          </button>
+        )}
       </div>
       <Dialog
         open={deleteOpen}
@@ -410,6 +392,39 @@ function ActionRow({
           </DialogFooter>
         </DialogContent>
       </Dialog>
+      <Dialog
+        open={restoreOpen}
+        onOpenChange={(open) => {
+          if (!restoring) setRestoreOpen(open);
+        }}
+      >
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>Restore to this point?</DialogTitle>
+            <DialogDescription>
+              This resets the worktree to before this turn, removes every later
+              message in this chat, and resets the agent's session. This cannot
+              be undone.
+            </DialogDescription>
+          </DialogHeader>
+          <DialogFooter>
+            <Button
+              variant="outline"
+              onClick={() => setRestoreOpen(false)}
+              disabled={restoring}
+            >
+              Cancel
+            </Button>
+            <Button
+              variant="destructive"
+              onClick={() => void confirmRestore()}
+              disabled={restoring}
+            >
+              {restoring ? 'Restoring…' : 'Restore'}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </>
   );
 }
@@ -622,7 +637,15 @@ function ReasoningBlock({ text, streaming }: { text: string; streaming: boolean
   );
 }
 
-export function MessageBubble({ message, sessionChats, capHitInfo, actions, hideActions }: Props) {
+export function MessageBubble({
+  message,
+  sessionChats,
+  capHitInfo,
+  actions,
+  hideActions,
+  hasCheckpoint,
+  restoreDisabled,
+}: Props) {
   const hiddenSet = new Set(hideActions ?? []);
   // v1.11: anchored rolling summary row. Checked BEFORE the kind==='compact'
   // branch because summary=true never coexists with kind='compact' (new
@@ -724,7 +747,15 @@ export function MessageBubble({ message, sessionChats, capHitInfo, actions, hide
         </div>
       )}
       {!isStreaming && <StatsLine message={message} />}
-      {!isStreaming && hasContent && <ActionRow message={message} actions={actions} hiddenSet={hiddenSet} />}
+      {!isStreaming && hasContent && (
+        <ActionRow
+          message={message}
+          actions={actions}
+          hiddenSet={hiddenSet}
+          hasCheckpoint={hasCheckpoint}
+          restoreDisabled={restoreDisabled}
+        />
+      )}
     </div>
   );
 }

apps/web/src/components/ProjectSidebar.tsx

@@ -19,12 +19,12 @@ import {
   DialogDescription,
 } from '@/components/ui/dialog';
 import { AddProjectModal } from './AddProjectModal';
-import { api } from '@/api/client';
+import { api, ApiError } from '@/api/client';
 import { useSidebar } from '@/hooks/useSidebar';
 import { useSidebarDrawer } from '@/hooks/useSidebarDrawer';
 import { useViewport } from '@/hooks/useViewport';
 import { usePullToRefresh } from '@/hooks/usePullToRefresh';
-import type { SidebarProject } from '@/api/types';
+import type { SidebarProject, WorktreeRiskReport } from '@/api/types';
 import { giteaUrlFor } from '@/lib/projectUrls';
 import { isCoderSessionName } from '@/lib/coder-session';
 import { cn } from '@/lib/utils';
@@ -110,6 +110,16 @@ export function ProjectSidebar() {
   const [renamingProject, setRenamingProject] = useState<string | null>(null);
   const [renameProjectValue, setRenameProjectValue] = useState('');
   const [archiveProjectConfirm, setArchiveProjectConfirm] = useState<{ id: string; name: string } | null>(null);
+  // Work-at-risk dialog: shown when a delete is blocked (409) because the
+  // session's worktree holds uncommitted/unpushed/unmerged work.
+  const [riskState, setRiskState] = useState<{
+    sessionId: string;
+    projectId: string;
+    name: string;
+    message: string;
+    reports: WorktreeRiskReport[];
+  } | null>(null);
+  const [riskBusy, setRiskBusy] = useState(false);
   const navigate = useNavigate();
   const location = useLocation();
   const lastToastedError = useRef<string | null>(null);
@@ -174,16 +184,81 @@ export function ProjectSidebar() {
     }
   }
 
-  async function handleDeleteSession(sessionId: string, projectId: string) {
+  async function handleDeleteSession(
+    sessionId: string,
+    projectId: string,
+    name: string,
+    force = false,
+  ) {
     try {
-      await api.sessions.remove(sessionId);
+      await api.sessions.remove(sessionId, force);
       // Server publishes session_deleted via WS; useUserEvents delivers it.
+      setRiskState(null);
       if (activeSession === sessionId) navigate(`/project/${projectId}`);
     } catch (err) {
+      // 409 => the server's work-loss guard blocked the delete. Open the
+      // work-at-risk dialog with the per-worktree reports instead of toasting.
+      if (
+        err instanceof ApiError &&
+        err.status === 409 &&
+        err.body && typeof err.body === 'object' && 'reports' in err.body
+      ) {
+        const body = err.body as { error?: string; reports?: WorktreeRiskReport[] };
+        setRiskState({
+          sessionId,
+          projectId,
+          name,
+          message: body.error ?? 'This session has work at risk.',
+          reports: body.reports ?? [],
+        });
+        return;
+      }
       toast.error(err instanceof Error ? err.message : 'failed to delete session');
     }
   }
 
+  // Stash the worktree's uncommitted changes (recoverable), then re-attempt the
+  // delete. If unpushed/unmerged commits remain, the retry 409s again and the
+  // dialog re-renders with the narrowed risk.
+  async function handleStashAndRetry() {
+    if (!riskState || riskBusy) return;
+    setRiskBusy(true);
+    try {
+      const { results } = await api.sessions.worktreeStash(riskState.sessionId);
+      const failed = results.find((r) => r.error);
+      if (failed) {
+        toast.error(`stash failed: ${failed.error}`);
+        return;
+      }
+      await handleDeleteSession(riskState.sessionId, riskState.projectId, riskState.name, false);
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : 'stash failed');
+    } finally {
+      setRiskBusy(false);
+    }
+  }
+
+  // Explicit, destructive override — deletes despite work at risk.
+  async function handleForceDelete() {
+    if (!riskState || riskBusy) return;
+    setRiskBusy(true);
+    try {
+      await handleDeleteSession(riskState.sessionId, riskState.projectId, riskState.name, true);
+    } finally {
+      setRiskBusy(false);
+    }
+  }
+
+  // Route the user to commit it themselves — never auto-commit. Opens the
+  // session workspace where they can use a terminal or agent pane.
+  function handleGoCommit() {
+    if (!riskState) return;
+    const sessionId = riskState.sessionId;
+    setRiskState(null);
+    navigate(`/session/${sessionId}`);
+    toast.info('Open a terminal or agent in this session, commit and push your work, then delete again.');
+  }
+
   async function handleRenameSession(sessionId: string) {
     const trimmed = renameValue.trim();
     setRenamingSession(null);
@@ -216,6 +291,20 @@ export function ProjectSidebar() {
       )
     : 'w-60 shrink-0 border-r bg-sidebar text-sidebar-foreground flex flex-col h-screen';
 
+  // Work-at-risk dialog framing. The server returns 409 in two distinct
+  // situations: (1) work genuinely at risk (reports has ≥1 atRisk entry), or
+  // (2) it couldn't verify (BooCoder down/errored → reports is empty). These
+  // are different user stories — "your work is in danger" vs "the checker is
+  // offline" — so the dialog must not show one generic message for both.
+  const atRiskReports = riskState?.reports.filter((r) => r.atRisk) ?? [];
+  const verifyFailed = riskState !== null && atRiskReports.length === 0;
+  const anyDirty = atRiskReports.some((r) => r.dirty);
+  // Commit-based risk (unpushed/unmerged) that stash can NOT clear. When this is
+  // all that remains (e.g. after a stash cleared the dirty changes), the dialog
+  // explains why it re-blocked and hides the Stash button so it doesn't look
+  // like stash "didn't work".
+  const anyCommits = atRiskReports.some((r) => r.unpushed !== 0 || r.unmerged > 0);
+
   return (
     <aside className={asideCls}>
       <div className="px-4 py-3 border-b flex items-center justify-between">
@@ -499,7 +588,7 @@ export function ProjectSidebar() {
                   const projectId = projects.find((p) =>
                     p.recent_sessions.some((s) => s.id === deleteConfirm.id)
                   )?.id;
-                  if (projectId) void handleDeleteSession(deleteConfirm.id, projectId);
+                  if (projectId) void handleDeleteSession(deleteConfirm.id, projectId, deleteConfirm.name);
                 }
                 setDeleteConfirm(null);
               }}
@@ -509,6 +598,77 @@ export function ProjectSidebar() {
           </div>
         </DialogContent>
       </Dialog>
+
+      <Dialog open={riskState !== null} onOpenChange={(open) => { if (!open && !riskBusy) setRiskState(null); }}>
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>
+              {verifyFailed ? 'Could not verify worktree safety' : 'This session has work at risk'}
+            </DialogTitle>
+            <DialogDescription>
+              {verifyFailed ? (
+                <>
+                  {riskState?.message ?? 'The worktree safety check is unavailable.'} Your work may be
+                  fine, but it couldn&apos;t be checked — only force-delete if you&apos;re sure.
+                </>
+              ) : anyDirty && anyCommits ? (
+                <>
+                  Deleting {riskState ? `"${riskState.name}"` : 'this session'} would orphan uncommitted
+                  changes <em>and</em> commits that aren&apos;t pushed or merged. Stash clears the
+                  changes (recoverable), but the commits will still block — push them or force-delete.
+                </>
+              ) : anyDirty ? (
+                <>
+                  Deleting {riskState ? `"${riskState.name}"` : 'this session'} would orphan uncommitted
+                  changes in its worktree. Stash them (recoverable), commit them, or force-delete.
+                </>
+              ) : (
+                <>
+                  Deleting {riskState ? `"${riskState.name}"` : 'this session'} would orphan commits that
+                  aren&apos;t pushed or merged. Stashing won&apos;t recover these — push them, or
+                  force-delete.
+                </>
+              )}
+            </DialogDescription>
+          </DialogHeader>
+          {!verifyFailed && (
+            <div className="flex flex-col gap-2 py-1 text-sm">
+              {atRiskReports.map((r) => (
+                <div key={r.worktreePath} className="rounded border border-border/60 px-3 py-2">
+                  <div className="font-mono text-xs text-muted-foreground truncate" title={r.worktreePath}>
+                    {r.branch || r.worktreePath}
+                  </div>
+                  <ul className="mt-1 list-disc pl-5 text-foreground/90">
+                    {r.error && <li className="text-destructive">git error: {r.error}</li>}
+                    {r.dirty && <li>uncommitted changes</li>}
+                    {r.unpushed === -1 && <li>local-only branch (no upstream)</li>}
+                    {r.unpushed > 0 && <li>{r.unpushed} unpushed commit{r.unpushed === 1 ? '' : 's'}</li>}
+                    {r.unmerged > 0 && <li>{r.unmerged} unmerged commit{r.unmerged === 1 ? '' : 's'}</li>}
+                  </ul>
+                </div>
+              ))}
+            </div>
+          )}
+          <div className="flex flex-wrap gap-2 justify-end pt-2">
+            <Button variant="outline" disabled={riskBusy} onClick={() => setRiskState(null)}>
+              Cancel
+            </Button>
+            {!verifyFailed && (
+              <Button variant="outline" disabled={riskBusy} onClick={handleGoCommit}>
+                Commit&hellip;
+              </Button>
+            )}
+            {!verifyFailed && anyDirty && (
+              <Button variant="outline" disabled={riskBusy} onClick={() => void handleStashAndRetry()}>
+                Stash &amp; delete
+              </Button>
+            )}
+            <Button variant="destructive" disabled={riskBusy} onClick={() => void handleForceDelete()}>
+              Force delete
+            </Button>
+          </div>
+        </DialogContent>
+      </Dialog>
     </aside>
   );
 }

apps/web/src/components/SessionLandingPage.tsx

@@ -1,6 +1,9 @@
-import { useCallback, useState } from 'react';
+import { useCallback, useEffect, useState } from 'react';
+import { Archive, MessageSquare, RotateCcw } from 'lucide-react';
 import { toast } from 'sonner';
 import { ChatInput } from '@/components/ChatInput';
+import { api } from '@/api/client';
+import type { Chat } from '@/api/types';
 
 interface Props {
   projectId: string;
@@ -13,6 +16,30 @@ interface Props {
   // the skill — same transition the text send uses. See useSessionChats.
   onSkillInvoke: (skillName: string, userMessage: string | null) => void;
   createChat: () => Promise<{ id: string }>;
+  // Session history: the session's open chats (live), and callbacks to open one
+  // in THIS pane / restore an archived one. Archived chats are fetched here
+  // (the default open-only list excludes them).
+  chats: Chat[];
+  onOpenChat: (chatId: string) => void;
+  onUnarchiveChat: (chatId: string) => Promise<void>;
+}
+
+function formatRelative(iso: string): string {
+  const then = new Date(iso).getTime();
+  if (Number.isNaN(then)) return '';
+  const s = Math.max(0, Math.round((Date.now() - then) / 1000));
+  if (s < 60) return 'just now';
+  const m = Math.round(s / 60);
+  if (m < 60) return `${m}m ago`;
+  const h = Math.round(m / 60);
+  if (h < 24) return `${h}h ago`;
+  const d = Math.round(h / 24);
+  if (d < 7) return `${d}d ago`;
+  return new Date(iso).toLocaleDateString();
+}
+
+function byRecent(a: Chat, b: Chat): number {
+  return (b.updated_at ?? '').localeCompare(a.updated_at ?? '');
 }
 
 export function SessionLandingPage({
@@ -23,8 +50,24 @@ export function SessionLandingPage({
   onSend,
   onSkillInvoke,
   createChat,
+  chats,
+  onOpenChat,
+  onUnarchiveChat,
 }: Props) {
   const [chatId, setChatId] = useState<string | null>(null);
+  const [archived, setArchived] = useState<Chat[]>([]);
+
+  // Archived chats aren't in the default (open-only) list, so fetch them. One
+  // shot on session change — the history view is transient (pick a chat and
+  // it's gone), so slight staleness is fine; reopening the pane refetches.
+  useEffect(() => {
+    let cancelled = false;
+    api.chats
+      .listForSession(sessionId, { status: 'archived' })
+      .then((list) => { if (!cancelled) setArchived(list); })
+      .catch(() => {});
+    return () => { cancelled = true; };
+  }, [sessionId]);
 
   const ensureChat = useCallback(async (): Promise<string> => {
     if (chatId) return chatId;
@@ -57,12 +100,87 @@ export function SessionLandingPage({
     onSkillInvoke(skillName, userMessage.length > 0 ? userMessage : null);
   }, [onSkillInvoke]);
 
+  const restoreAndOpen = useCallback(async (id: string) => {
+    try {
+      await onUnarchiveChat(id);
+      onOpenChat(id);
+    } catch {
+      // onUnarchiveChat surfaces its own toast.
+    }
+  }, [onUnarchiveChat, onOpenChat]);
+
+  const openChats = [...chats.filter((c) => c.status === 'open')].sort(byRecent);
+  const openIds = new Set(openChats.map((c) => c.id));
+  const archivedChats = archived.filter((c) => !openIds.has(c.id)).sort(byRecent);
+  const isEmpty = openChats.length === 0 && archivedChats.length === 0;
+
   return (
     <div className="flex flex-col h-full min-h-0">
-      <div className="flex-1 flex items-center justify-center px-6">
-        <p className="text-sm text-muted-foreground">
-          Send a message to start.
+      <div className="flex-1 min-h-0 overflow-y-auto">
+        <div className="max-w-[760px] mx-auto w-full px-4 py-4">
+          {isEmpty ? (
+            <p className="text-sm text-muted-foreground text-center py-8">
+              No conversations yet. Send a message to start.
             </p>
+          ) : (
+            <>
+              {openChats.length > 0 && (
+                <>
+                  <h3 className="text-xs font-medium uppercase tracking-wide text-muted-foreground px-1 mb-1.5">
+                    Conversations
+                  </h3>
+                  <div className="space-y-0.5 mb-4">
+                    {openChats.map((c) => (
+                      <button
+                        key={c.id}
+                        type="button"
+                        onClick={() => onOpenChat(c.id)}
+                        className="w-full flex items-center gap-2 text-left px-2 py-1.5 rounded hover:bg-muted text-sm max-md:min-h-[44px]"
+                      >
+                        <MessageSquare size={14} className="shrink-0 text-muted-foreground" />
+                        <span className="truncate shrink-0 max-w-[45%]">{c.name ?? 'New chat'}</span>
+                        {c.last_message_preview && (
+                          <span className="truncate flex-1 text-xs text-muted-foreground hidden sm:block">
+                            {c.last_message_preview}
+                          </span>
+                        )}
+                        <span className="shrink-0 ml-auto text-xs text-muted-foreground">
+                          {formatRelative(c.updated_at)}
+                        </span>
+                      </button>
+                    ))}
+                  </div>
+                </>
+              )}
+              {archivedChats.length > 0 && (
+                <>
+                  <h3 className="text-xs font-medium uppercase tracking-wide text-muted-foreground px-1 mb-1.5">
+                    Archived
+                  </h3>
+                  <div className="space-y-0.5">
+                    {archivedChats.map((c) => (
+                      <button
+                        key={c.id}
+                        type="button"
+                        onClick={() => void restoreAndOpen(c.id)}
+                        title="Restore and open"
+                        className="group/arch w-full flex items-center gap-2 text-left px-2 py-1.5 rounded hover:bg-muted text-sm text-muted-foreground max-md:min-h-[44px]"
+                      >
+                        <Archive size={14} className="shrink-0" />
+                        <span className="truncate flex-1">{c.name ?? 'New chat'}</span>
+                        <span className="shrink-0 text-xs">{formatRelative(c.updated_at)}</span>
+                        <RotateCcw
+                          size={13}
+                          className="shrink-0 opacity-0 group-hover/arch:opacity-100"
+                        />
+                      </button>
+                    ))}
+                  </div>
+                </>
+              )}
+            </>
+          )}
+        </div>
       </div>
       <ChatInput
         disabled={false}

apps/web/src/components/SlashCommandPicker.tsx

@@ -1,5 +1,5 @@
 import { useEffect, useMemo, useRef, useState } from 'react';
-import type { CSSProperties, RefObject } from 'react';
+import type { CSSProperties, ReactNode, RefObject } from 'react';
 import { createPortal } from 'react-dom';
 import { cn } from '@/lib/utils';
 
@@ -11,6 +11,7 @@ export interface SlashCommandItem {
 export interface SlashCommandGroup {
   label: string;
   items: SlashCommandItem[];
+  icon?: ReactNode;
 }
 
 interface Props {
@@ -50,7 +51,7 @@ export function SlashCommandPicker({
     () =>
       groups
         ? groups
-            .map((g) => ({ label: g.label, items: filterByPrefix(g.items, query) }))
+            .map((g) => ({ label: g.label, icon: g.icon, items: filterByPrefix(g.items, query) }))
             .filter((g) => g.items.length > 0)
         : null,
     [groups, query],
@@ -203,7 +204,8 @@ export function SlashCommandPicker({
       {filteredGroups
         ? filteredGroups.map((g) => (
             <div key={g.label}>
-              <div className="px-2.5 pt-2 pb-1 text-[10px] font-semibold uppercase tracking-wide text-muted-foreground/70">
+              <div className="px-2.5 pt-2 pb-1 text-[10px] font-semibold uppercase tracking-wide text-muted-foreground/70 flex items-center gap-1.5">
+                {g.icon}
                 {g.label}
               </div>
               {g.items.map((item) => renderItem(item, (runningIndex += 1)))}

apps/web/src/components/Workspace.tsx

@@ -54,6 +54,7 @@ export function Workspace({
 }: Props) {
   const {
     panes,
+    tabNumbers,
     activePaneIdx,
     setActivePaneIdx,
     openChatInPane,
@@ -65,6 +66,8 @@ export function Workspace({
     showLandingPage,
     addSplitPane,
     removePane,
+    reopenPane,
+    hasClosedPanes,
     isPaneChatPending,
     handlePaneDragStart,
     handlePaneDragOver,
@@ -202,15 +205,15 @@ export function Workspace({
                 <ChatTabBar
                   pane={pane}
                   tabs={chatsForPane(pane)}
+                  tabNumbers={tabNumbers}
                   onSwitchTab={(tabIdx) => switchTab(idx, tabIdx)}
                   onRemoveTab={(chatId) => removeTab(idx, chatId)}
                   onCloseOthers={(chatId) => closeOtherTabs(idx, chatId)}
                   onCloseToRight={(chatId) => closeTabsToRight(idx, chatId)}
                   onCloseAll={() => closeAllTabs(idx)}
-                  onAddPane={(kind) => {
-                    if (kind === 'chat') void createChat(idx);
-                    else onAddPane(kind);
-                  }}
+                  onNewTab={() => void createChat(idx)}
+                  onSplitPane={(kind) => onAddPane(kind)}
+                  onReopenPane={hasClosedPanes ? reopenPane : undefined}
                   onShowHistory={() => showLandingPage(idx)}
                   onRename={renameChat}
                   onRemovePane={panes.length > 1 ? () => removePane(idx) : undefined}
@@ -389,6 +392,9 @@ export function Workspace({
                   createChat={() => api.chats.create(sessionId)}
                   onSend={(content) => void handleLandingSend(idx, content)}
                   onSkillInvoke={(skillName, userMessage) => void handleLandingSkill(idx, skillName, userMessage)}
+                  chats={chats}
+                  onOpenChat={(chatId) => openChatInPane(idx, chatId)}
+                  onUnarchiveChat={unarchiveChat}
                 />
               )}
             </div>

apps/web/src/components/coder/AddProviderModal.tsx

@@ -0,0 +1,139 @@
+import { useMemo, useState } from 'react';
+import { ExternalLink, Search } from 'lucide-react';
+import { api } from '@/api/client';
+import { Button } from '@/components/ui/button';
+import {
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+} from '@/components/ui/dialog';
+import { Input } from '@/components/ui/input';
+import {
+  ACP_PROVIDER_CATALOG,
+  buildAcpProviderConfigPatch,
+  type AcpCatalogEntry,
+} from '@/data/acp-provider-catalog';
+
+interface Props {
+  open: boolean;
+  onOpenChange: (open: boolean) => void;
+  /** Fired after a successful add so the parent can refetch the snapshot. */
+  onAdded: (id: string) => void;
+}
+
+/**
+ * v2.3 Phase 5 (design.md §7.3). Search the curated ACP catalog and register a
+ * provider: PATCH /api/providers/config with its custom-ACP override, then
+ * refresh that one provider. Adding only edits config — it does NOT install the
+ * binary, so the provider shows "Not installed" until the CLI is on PATH.
+ */
+export function AddProviderModal({ open, onOpenChange, onAdded }: Props) {
+  const [query, setQuery] = useState('');
+  const [busyId, setBusyId] = useState<string | null>(null);
+  const [error, setError] = useState<string | null>(null);
+
+  const filtered = useMemo(() => {
+    const q = query.trim().toLowerCase();
+    if (!q) return ACP_PROVIDER_CATALOG;
+    return ACP_PROVIDER_CATALOG.filter(
+      (e) =>
+        e.id.toLowerCase().includes(q) ||
+        e.label.toLowerCase().includes(q) ||
+        e.description.toLowerCase().includes(q),
+    );
+  }, [query]);
+
+  async function add(entry: AcpCatalogEntry): Promise<void> {
+    setBusyId(entry.id);
+    setError(null);
+    try {
+      await api.coder.patchProvidersConfig(buildAcpProviderConfigPatch(entry));
+      await api.coder.refreshProviders([entry.id]);
+      onAdded(entry.id);
+      onOpenChange(false);
+    } catch (err) {
+      // 422 from PATCH (invalid override) surfaces here as ApiError.message.
+      setError(err instanceof Error ? err.message : 'failed to add provider');
+    } finally {
+      setBusyId(null);
+    }
+  }
+
+  return (
+    <Dialog open={open} onOpenChange={onOpenChange}>
+      <DialogContent className="sm:max-w-lg max-h-[85vh] grid-rows-[auto_minmax(0,1fr)_auto]">
+        <DialogHeader>
+          <DialogTitle>Add ACP provider</DialogTitle>
+          <DialogDescription>
+            Registers the provider in your coder config. It is not installed — install the CLI
+            yourself; until it's on PATH it shows as “Not installed”.
+          </DialogDescription>
+        </DialogHeader>
+
+        <div className="flex flex-col min-h-0 gap-3">
+          <div className="relative shrink-0">
+            <Search className="absolute left-2 top-1/2 -translate-y-1/2 size-3.5 text-muted-foreground" />
+            <Input
+              value={query}
+              onChange={(e) => setQuery(e.target.value)}
+              placeholder="Search providers…"
+              className="pl-7"
+            />
+          </div>
+
+          <div className="flex-1 min-h-0 rounded-md border overflow-y-auto overscroll-contain divide-y">
+            {filtered.length === 0 && (
+              <div className="px-3 py-2 text-sm text-muted-foreground">No matching providers.</div>
+            )}
+            {filtered.map((e) => (
+              <div key={e.id} className="px-3 py-2.5 space-y-1.5">
+                <div className="flex items-start justify-between gap-2">
+                  <div className="min-w-0">
+                    <div className="text-sm font-medium">{e.label}</div>
+                    <div className="text-xs text-muted-foreground">{e.description}</div>
+                  </div>
+                  <Button
+                    size="sm"
+                    disabled={busyId !== null}
+                    onClick={() => void add(e)}
+                  >
+                    {busyId === e.id ? 'Adding…' : 'Add'}
+                  </Button>
+                </div>
+                <div className="font-mono text-[11px] text-muted-foreground truncate">
+                  $ {e.command.join(' ')}
+                </div>
+                <div className="flex items-center gap-3">
+                  <a
+                    href={e.installUrl}
+                    target="_blank"
+                    rel="noreferrer"
+                    className="inline-flex items-center gap-1 text-xs text-primary hover:underline"
+                  >
+                    Install {e.label} <ExternalLink className="size-3" />
+                  </a>
+                  {e.installCmd && (
+                    <span className="font-mono text-[11px] text-muted-foreground truncate">
+                      {e.installCmd}
+                    </span>
+                  )}
+                </div>
+              </div>
+            ))}
+          </div>
+
+          {error && <div className="text-sm text-destructive shrink-0">{error}</div>}
+        </div>
+
+        <DialogFooter>
+          <Button variant="outline" onClick={() => onOpenChange(false)} disabled={busyId !== null}>
+            Close
+          </Button>
+        </DialogFooter>
+      </DialogContent>
+    </Dialog>
+  );
+}

apps/web/src/components/coder/ProvidersSettings.tsx

@@ -0,0 +1,218 @@
+import { useEffect, useRef, useState } from 'react';
+import { Loader2, Plus, RefreshCw, Stethoscope } from 'lucide-react';
+import { api } from '@/api/client';
+import type { CoderProvidersFile, ProviderOverride, ProviderSnapshotEntry } from '@/api/types';
+import { useProviderSnapshot, refreshProviderSnapshot } from '@/hooks/useProviderSnapshot';
+import { Button } from '@/components/ui/button';
+import { AddProviderModal } from './AddProviderModal';
+import { cn } from '@/lib/utils';
+
+/** Map a snapshot entry to a status badge (design.md §7.1 labels). */
+function statusBadge(e: ProviderSnapshotEntry): { label: string; cls: string } {
+  if (e.status === 'loading') return { label: 'Loading', cls: 'bg-muted text-muted-foreground' };
+  if (!e.enabled) return { label: 'Disabled', cls: 'bg-muted text-muted-foreground' };
+  if (e.status === 'ready')
+    return { label: 'Available', cls: 'bg-green-500/15 text-green-600 dark:text-green-400' };
+  if (e.status === 'error')
+    return { label: 'Error', cls: 'bg-red-500/15 text-red-600 dark:text-red-400' };
+  if (!e.installed)
+    return { label: 'Not installed', cls: 'bg-amber-500/15 text-amber-600 dark:text-amber-400' };
+  return { label: 'Unavailable', cls: 'bg-muted text-muted-foreground' };
+}
+
+/**
+ * v2.3 — provider management as a Settings tab section (design.md §7.1). Lists
+ * ALL registered providers (including the disabled/unavailable ones the composer
+ * picker hides). Per row: label + model count, status badge, per-id refresh,
+ * diagnostic, and an enable/disable toggle. Native boocode is always-on.
+ *
+ * Uses the home-cwd snapshot (no project arg) — provider management is global,
+ * not per-project (design.md §4.5).
+ */
+export function ProvidersSettings() {
+  const allEntries = useProviderSnapshot();
+  const [config, setConfig] = useState<CoderProvidersFile | null>(null);
+  const [busyId, setBusyId] = useState<string | null>(null);
+  const [error, setError] = useState<string | null>(null);
+  const [addOpen, setAddOpen] = useState(false);
+  const [diagId, setDiagId] = useState<string | null>(null);
+  const [diagText, setDiagText] = useState<string | null>(null);
+
+  // The raw config is needed to preserve a provider's FULL override when
+  // toggling: the PATCH replaces an id's override wholesale, so a bare
+  // { enabled } would wipe a custom ACP provider's command/label.
+  useEffect(() => {
+    api.coder
+      .getProvidersConfig()
+      .then(setConfig)
+      .catch(() => setConfig({ providers: {} }));
+  }, []);
+
+  // While any entry is loading, refetch until terminal (capped, no WS frame).
+  const pollsRef = useRef(0);
+  useEffect(() => {
+    const anyLoading = allEntries?.some((e) => e.status === 'loading') ?? false;
+    if (!anyLoading) {
+      pollsRef.current = 0;
+      return;
+    }
+    if (pollsRef.current >= 10) return;
+    const t = setTimeout(() => {
+      pollsRef.current += 1;
+      void refreshProviderSnapshot();
+    }, 2000);
+    return () => clearTimeout(t);
+  }, [allEntries]);
+
+  async function toggle(e: ProviderSnapshotEntry): Promise<void> {
+    setBusyId(e.name);
+    setError(null);
+    try {
+      const existing: ProviderOverride = config?.providers[e.name] ?? {};
+      const resp = await api.coder.patchProvidersConfig({
+        providers: { [e.name]: { ...existing, enabled: !e.enabled } },
+      });
+      setConfig({ providers: resp.providers });
+      await refreshProviderSnapshot();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'failed to update provider');
+    } finally {
+      setBusyId(null);
+    }
+  }
+
+  async function refreshOne(id: string): Promise<void> {
+    setBusyId(id);
+    setError(null);
+    try {
+      await api.coder.refreshProviders([id]);
+      await refreshProviderSnapshot();
+    } catch (err) {
+      setError(err instanceof Error ? err.message : 'failed to refresh');
+    } finally {
+      setBusyId(null);
+    }
+  }
+
+  async function openDiagnostic(id: string): Promise<void> {
+    if (diagId === id) {
+      setDiagId(null);
+      setDiagText(null);
+      return;
+    }
+    setDiagId(id);
+    setDiagText('Loading…');
+    try {
+      const { diagnostic } = await api.coder.getProviderDiagnostic(id);
+      setDiagText(diagnostic);
+    } catch (err) {
+      setDiagText(err instanceof Error ? err.message : 'failed to load diagnostic');
+    }
+  }
+
+  const entries = allEntries ?? [];
+
+  return (
+    <div className="space-y-3">
+      <div className="flex items-center justify-between gap-2">
+        <p className="text-xs text-muted-foreground">
+          Enable, disable, refresh, or add coding agents. Disabled and unavailable providers are
+          hidden from the composer picker but managed here.
+        </p>
+        <Button variant="outline" size="sm" onClick={() => setAddOpen(true)} className="shrink-0">
+          <Plus className="size-3.5" /> Add provider
+        </Button>
+      </div>
+
+      <div className="rounded-md border divide-y">
+        {allEntries === null && (
+          <div className="px-3 py-2 text-sm text-muted-foreground">Loading…</div>
+        )}
+        {entries.map((e) => {
+          const badge = statusBadge(e);
+          const isNative = e.transport === 'native';
+          const busy = busyId === e.name;
+          return (
+            <div key={e.name} className="px-3 py-2.5">
+              <div className="flex items-center gap-2">
+                <div className="min-w-0 flex-1">
+                  <div className="text-sm font-medium truncate">{e.label}</div>
+                  <div className="text-xs text-muted-foreground">
+                    {e.models.length} model{e.models.length === 1 ? '' : 's'}
+                  </div>
+                </div>
+                <span
+                  className={cn(
+                    'inline-flex items-center rounded px-1.5 py-0.5 text-[11px] font-medium',
+                    badge.cls,
+                  )}
+                >
+                  {e.status === 'loading' && <Loader2 className="size-3 mr-1 animate-spin" />}
+                  {badge.label}
+                </span>
+                <button
+                  type="button"
+                  onClick={() => void refreshOne(e.name)}
+                  disabled={busy}
+                  className="inline-flex items-center justify-center size-7 rounded text-muted-foreground hover:text-foreground disabled:opacity-40"
+                  aria-label={`Refresh ${e.label}`}
+                  title="Refresh"
+                >
+                  <RefreshCw className={cn('size-3.5', busy && 'animate-spin')} />
+                </button>
+                <button
+                  type="button"
+                  onClick={() => void openDiagnostic(e.name)}
+                  className="inline-flex items-center justify-center size-7 rounded text-muted-foreground hover:text-foreground"
+                  aria-label={`Diagnostic for ${e.label}`}
+                  title="Diagnostic"
+                >
+                  <Stethoscope className="size-3.5" />
+                </button>
+                {isNative ? (
+                  <span className="text-[11px] text-muted-foreground w-14 text-center">
+                    Always on
+                  </span>
+                ) : (
+                  <button
+                    type="button"
+                    role="switch"
+                    aria-checked={e.enabled}
+                    disabled={busy}
+                    onClick={() => void toggle(e)}
+                    className={cn(
+                      'relative inline-flex h-5 w-9 shrink-0 items-center rounded-full transition-colors disabled:opacity-40',
+                      e.enabled ? 'bg-primary' : 'bg-muted-foreground/30',
+                    )}
+                    aria-label={`${e.enabled ? 'Disable' : 'Enable'} ${e.label}`}
+                    title={e.enabled ? 'Enabled — click to disable' : 'Disabled — click to enable'}
+                  >
+                    <span
+                      className={cn(
+                        'inline-block size-4 rounded-full bg-background transition-transform',
+                        e.enabled ? 'translate-x-4' : 'translate-x-0.5',
+                      )}
+                    />
+                  </button>
+                )}
+              </div>
+              {diagId === e.name && (
+                <pre className="mt-2 max-h-48 overflow-auto rounded bg-muted/50 p-2 text-[11px] font-mono whitespace-pre-wrap">
+                  {diagText}
+                </pre>
+              )}
+            </div>
+          );
+        })}
+      </div>
+
+      {error && <div className="text-sm text-destructive">{error}</div>}
+
+      <AddProviderModal
+        open={addOpen}
+        onOpenChange={setAddOpen}
+        onAdded={() => void refreshProviderSnapshot()}
+      />
+    </div>
+  );
+}

apps/web/src/components/coder/providerIcons.tsx

@@ -0,0 +1,56 @@
+// Shared provider icon + label helpers for BooCoder UI.
+//
+// Single source of truth for the per-provider glyph used in the
+// AgentComposerBar picker and the CoderPane DiffPanel agent-attribution
+// badges (v2.6 Phase 1-UX §9a/§9b). Extracted from AgentComposerBar's local
+// `providerIcon` switch so both call sites stay in sync.
+
+import type { ReactNode } from 'react';
+import { Bird, Dog, Terminal as TermIcon } from 'lucide-react';
+import { ClaudeIcon, OpenCodeIcon } from '@/components/icons/ProviderIcons';
+
+/**
+ * Glyph for a provider/agent name. Mirrors AgentComposerBar's original
+ * `providerIcon` switch verbatim — `boocode` (native) falls through to the
+ * neutral dog like any unmapped name, preserving the composer's prior look.
+ * Sized to match the picker (13px) by default; pass a different size for
+ * inline badges.
+ */
+export function providerIcon(name: string | null, size = 13): ReactNode {
+  switch (name) {
+    case 'claude':
+      return <ClaudeIcon size={size} className="shrink-0" />;
+    case 'opencode':
+      return <OpenCodeIcon size={size} className="shrink-0" />;
+    case 'goose':
+      return <Bird size={size} className="shrink-0" />;
+    case 'qwen':
+      return <TermIcon size={size} className="shrink-0" />;
+    default:
+      return <Dog size={size} className="shrink-0" />;
+  }
+}
+
+/**
+ * Human label for a provider/agent name. `null` → "manual" (a RightRail-staged
+ * change with no dispatching agent, per §9a). Unknown names pass through
+ * verbatim so a future provider still reads sensibly.
+ */
+export function providerLabel(name: string | null): string {
+  switch (name) {
+    case null:
+      return 'manual';
+    case 'boocode':
+      return 'BooCode';
+    case 'opencode':
+      return 'opencode';
+    case 'claude':
+      return 'Claude';
+    case 'goose':
+      return 'goose';
+    case 'qwen':
+      return 'Qwen';
+    default:
+      return name;
+  }
+}

apps/web/src/components/panes/ChatPane.tsx

@@ -1,5 +1,5 @@
 import { useCallback, useEffect, useRef, useState } from 'react';
-import { Pencil, Send, Square, X } from 'lucide-react';
+import { Pencil, Send, X } from 'lucide-react';
 import { toast } from 'sonner';
 import { api } from '@/api/client';
 import { useSessionStream } from '@/hooks/useSessionStream';
@@ -248,22 +248,6 @@ export function ChatPane({ sessionId, chatId, projectId, agentId, onAgentChange,
         </div>
       )}
 
-      {/* Stop button when streaming */}
-      {streaming && (
-        <div className="border-t py-1">
-          <div className="max-w-[1000px] mx-auto w-full flex justify-center">
-          <button
-            type="button"
-            onClick={() => void handleStop()}
-            className="flex items-center gap-1.5 text-xs px-3 py-1 rounded-full border hover:bg-muted text-muted-foreground hover:text-foreground max-md:min-h-[44px] max-md:px-5"
-          >
-            <Square size={10} className="fill-current" />
-            Stop generating
-          </button>
-          </div>
-        </div>
-      )}
-
       {stale && streamingId && (
         <StaleStreamBanner
           onRetry={() => void handleRetryStale()}
@@ -280,6 +264,8 @@ export function ChatPane({ sessionId, chatId, projectId, agentId, onAgentChange,
         webSearchEnabled={webSearchEnabled}
         onSend={handleSend}
         onForceSend={streaming ? handleForceSend : undefined}
+        generating={streaming}
+        onStop={handleStop}
         onSlashCommand={handleSlashCommand}
         chatId={chatId}
         chatLabel={sessionChats?.find((c) => c.id === chatId)?.name ?? 'Chat'}

apps/web/src/components/panes/CoderMessageList.tsx

@@ -147,11 +147,24 @@ interface Props {
   chatId?: string;
   footer?: ReactNode;
   actions?: MessageActions;
+  // write-edit-robustness #4: assistant message ids that have a worktree
+  // checkpoint. The "Restore to here" control renders only on these.
+  checkpointMessageIds?: Set<string>;
+  // write-edit-robustness #4: suppress restore during an active turn (mirrors
+  // composer gating in CoderPane).
+  restoreDisabled?: boolean;
 }
 
-const CODER_HIDDEN_ACTIONS: ('fork' | 'delete' | 'openInPane')[] = ['fork', 'openInPane'];
+const CODER_HIDDEN_ACTIONS: ('fork' | 'delete')[] = ['fork'];
 
-export function CoderMessageList({ messages, chatId, footer, actions }: Props) {
+export function CoderMessageList({
+  messages,
+  chatId,
+  footer,
+  actions,
+  checkpointMessageIds,
+  restoreDisabled,
+}: Props) {
   const endRef = useRef<HTMLDivElement>(null);
   const scrollRef = useRef<HTMLDivElement>(null);
   const isNearBottomRef = useRef(true);
@@ -189,6 +202,8 @@ export function CoderMessageList({ messages, chatId, footer, actions }: Props) {
                 message={item.message as unknown as Message}
                 actions={actions}
                 hideActions={CODER_HIDDEN_ACTIONS}
+                hasCheckpoint={checkpointMessageIds?.has(item.message.id) ?? false}
+                restoreDisabled={restoreDisabled}
               />
             );
           }

apps/web/src/components/panes/CoderPane.tsx

@@ -4,10 +4,11 @@
 // WS: /api/coder/ws/sessions/:id (Vite dev proxies to :9502).
 
 import { useCallback, useEffect, useMemo, useRef, useState } from 'react';
-import { Code, Check, X, RefreshCw } from 'lucide-react';
+import { Code, Check, X, RefreshCw, Terminal, Puzzle, Sparkles } from 'lucide-react';
 import { AgentComposerBar } from '@/components/AgentComposerBar';
 import { PermissionCard } from '@/components/PermissionCard';
 import { ChatInput } from '@/components/ChatInput';
+import type { SlashCommandGroup } from '@/components/SlashCommandPicker';
 import { api } from '@/api/client';
 import type { AgentSessionConfig, PermissionPrompt, AgentCommand } from '@/api/types';
 import { useSkills } from '@/hooks/useSkills';
@@ -15,6 +16,8 @@ import { toast } from 'sonner';
 import { isSlashCommandToken, mergeCommandsByName, parseSlashInput, slashQuery } from '@/lib/slash-command';
 import { mergeWireToolCall } from '@/lib/coder-tools';
 import { CoderMessageList, type CoderTimelineWire } from '@/components/panes/CoderMessageList';
+import { providerIcon, providerLabel } from '@/components/coder/providerIcons';
+import { refreshAgentSessions } from '@/hooks/useAgentSessions';
 import { cn } from '@/lib/utils';
 
 // ---------------------------------------------------------------------------
@@ -55,6 +58,10 @@ interface PendingChange {
   diff?: string;
   new_content?: string;
   status: 'pending' | 'approved' | 'rejected';
+  // v2.6 Phase 1-UX §9a: which agent staged this change. 'boocode' for native
+  // write tools, the dispatched agent for worktree edits, null for a manual
+  // RightRail-staged create (renders as a neutral "manual" badge).
+  agent: string | null;
 }
 
 interface Props {
@@ -374,6 +381,29 @@ function usePendingChanges(sessionId: string) {
   return { changes, loading, refresh, approve, reject };
 }
 
+// write-edit-robustness #4: which assistant messages in this chat have a
+// worktree checkpoint, so CoderMessageList can offer "Restore to here" only on
+// those. Refetched on message_complete (same trigger as pending changes) and
+// after a successful restore.
+function useCheckpoints(sessionId: string, chatId: string | undefined) {
+  const [messageIds, setMessageIds] = useState<Set<string>>(() => new Set());
+
+  const refresh = useCallback(() => {
+    if (!chatId) {
+      setMessageIds(new Set());
+      return Promise.resolve();
+    }
+    return api.coder
+      .getCheckpoints(sessionId, chatId)
+      .then((res) => setMessageIds(new Set(res.checkpoints.map((c) => c.message_id))))
+      .catch(() => {/* boocoder may be down / endpoint not ready */});
+  }, [sessionId, chatId]);
+
+  useEffect(() => { void refresh(); }, [refresh]);
+
+  return { checkpointMessageIds: messageIds, refreshCheckpoints: refresh };
+}
+
 // ---------------------------------------------------------------------------
 // Sub-components
 // ---------------------------------------------------------------------------
@@ -381,18 +411,52 @@ function usePendingChanges(sessionId: string) {
 function DiffPanel({
   changes,
   loading,
+  currentProvider,
   onRefresh,
   onApprove,
   onReject,
 }: {
   changes: PendingChange[];
   loading: boolean;
+  currentProvider: string;
   onRefresh: () => void;
   onApprove: (id: string) => void;
   onReject: (id: string) => void;
 }) {
   const pending = changes.filter((c) => c.status === 'pending');
 
+  // v2.6 Phase 1-UX §9a: when pending changes span >1 distinct agent, surface a
+  // one-line "Changes from <a>, <b>" note so mixed provenance is obvious. Null
+  // (manual) counts as its own bucket and renders as "manual".
+  const distinctAgents = Array.from(new Set(pending.map((c) => c.agent)));
+  const mixedNote =
+    distinctAgents.length > 1
+      ? `Changes from ${distinctAgents.map((a) => providerLabel(a)).join(', ')}`
+      : null;
+
+  // v2.6 §9c: staging-boundary caveat. External agents (opencode/goose/qwen/
+  // claude) edit *inside their worktree*; native boocode reads/writes the
+  // *project root* via pending_changes. Unapplied edits don't cross that
+  // boundary. When the currently-selected provider can't see another side's
+  // staged-but-unapplied edits, surface a muted one-liner. agent===null
+  // (manual) is boundary-neutral. Pure derivation — no new state/fetch.
+  const isNativeProvider = currentProvider === 'boocode';
+  const boundaryHint = (() => {
+    if (isNativeProvider) {
+      // Native boocode is selected: it won't see external-worktree edits.
+      const external = distinctAgents.filter((a) => a !== null && a !== 'boocode');
+      if (external.length === 0) return null;
+      const who =
+        external.length === 1
+          ? providerLabel(external[0]!)
+          : external.map((a) => providerLabel(a)).join(', ');
+      return `${who}'s edits live in its worktree — BooCode won't see them until applied.`;
+    }
+    // An external agent is selected: it won't see boocode's project-root edits.
+    if (!distinctAgents.includes('boocode')) return null;
+    return `BooCode's edits live in the project root — ${providerLabel(currentProvider)} won't see them until applied.`;
+  })();
+
   return (
     <div className="flex flex-col h-full border-t border-border">
       <div className="flex items-center justify-between px-3 py-1.5 border-b border-border bg-muted/30">
@@ -409,6 +473,19 @@ function DiffPanel({
           <RefreshCw size={12} className={loading ? 'animate-spin' : ''} />
         </button>
       </div>
+      {mixedNote && (
+        <div className="px-3 py-1 border-b border-border bg-muted/10 text-[11px] text-muted-foreground truncate">
+          {mixedNote}
+        </div>
+      )}
+      {boundaryHint && (
+        <div
+          className="px-3 py-1 border-b border-border bg-muted/10 text-xs text-muted-foreground"
+          title={boundaryHint}
+        >
+          {boundaryHint}
+        </div>
+      )}
       <div className="flex-1 overflow-y-auto">
         {pending.length === 0 ? (
           <div className="flex items-center justify-center h-full text-sm text-muted-foreground">
@@ -419,14 +496,25 @@ function DiffPanel({
             {pending.map((change) => (
               <div key={change.id} className="px-3 py-2">
                 <div className="flex items-center justify-between mb-1">
-                  <span className="text-xs font-mono text-foreground truncate flex-1 mr-2">
+                  <span className="text-xs font-mono text-foreground truncate flex-1 mr-2 inline-flex items-center min-w-0">
+                    <span
+                      className="inline-flex items-center gap-1 rounded border border-border bg-muted/40 px-1 py-px mr-1.5 text-[10px] font-medium text-muted-foreground shrink-0"
+                      title={
+                        change.agent === null
+                          ? 'Manually staged (no dispatching agent)'
+                          : `Staged by ${providerLabel(change.agent)}`
+                      }
+                    >
+                      {providerIcon(change.agent, 11)}
+                      <span>{providerLabel(change.agent)}</span>
+                    </span>
                     <span className={cn(
-                      'inline-block w-1.5 h-1.5 rounded-full mr-1.5',
+                      'inline-block w-1.5 h-1.5 rounded-full mr-1.5 shrink-0',
                       change.operation === 'create' && 'bg-green-500',
                       change.operation === 'modify' && 'bg-yellow-500',
                       change.operation === 'delete' && 'bg-red-500',
                     )} />
-                    {change.file_path}
+                    <span className="truncate">{change.file_path}</span>
                   </span>
                   <div className="flex items-center gap-1 shrink-0">
                     <button
@@ -525,12 +613,31 @@ export function CoderPane({
     [skills],
   );
   const slashGroups = useMemo(() => {
-    const groups: Array<{ label: string; items: Array<{ name: string; description?: string }> }> = [];
-    if (agentCommands.length > 0) {
-      groups.push({ label: `${agentConfig.provider} commands`, items: agentCommands });
+    const groups: SlashCommandGroup[] = [];
+    // Split the active agent's set: native/CLI commands vs plugin skills, each
+    // with its own icon. BooCoder skills always come last.
+    const agentCmds = agentCommands.filter((c) => c.kind !== 'skill');
+    const agentSkills = agentCommands.filter((c) => c.kind === 'skill');
+    if (agentCmds.length > 0) {
+      groups.push({
+        label: `${agentConfig.provider} commands`,
+        items: agentCmds,
+        icon: <Terminal className="size-3 shrink-0" />,
+      });
+    }
+    if (agentSkills.length > 0) {
+      groups.push({
+        label: `${agentConfig.provider} skills`,
+        items: agentSkills,
+        icon: <Puzzle className="size-3 shrink-0" />,
+      });
     }
     if (skillItems.length > 0) {
-      groups.push({ label: 'Skills', items: skillItems });
+      groups.push({
+        label: 'BooCoder skills',
+        items: skillItems,
+        icon: <Sparkles className="size-3 shrink-0" />,
+      });
     }
     return groups;
   }, [agentCommands, skillItems, agentConfig.provider]);
@@ -556,21 +663,38 @@ export function CoderPane({
     },
   });
   const { changes, loading, refresh, approve, reject } = usePendingChanges(sessionId);
+  const { checkpointMessageIds, refreshCheckpoints } = useCheckpoints(sessionId, chatId);
   const [input, setInput] = useState('');
   const [sending, setSending] = useState(false);
   const [queue, setQueue] = useState<string[]>([]);
   const queueProcessing = useRef(false);
   const inputRef = useRef<HTMLTextAreaElement>(null);
+  // The agent is "generating" during the dispatch POST (sending) AND while its
+  // task runs (activeTaskId). sending alone is too brief — it clears the moment
+  // dispatch returns — so queueing/stop must key on this combined signal.
+  const generating = sending || activeTaskId !== null;
 
-  // Refresh pending changes when a message_complete arrives
+  // Refresh pending changes (and agent-session state for the §9b chip) when a
+  // message_complete arrives — same trigger usePendingChanges already uses.
+  // write-edit-robustness #4: also refetch checkpoints so a new turn's snapshot
+  // surfaces its "Restore to here" control.
   useEffect(() => {
     const lastAssistant = [...messages].reverse().find(
       (m): m is CoderMessage => m.role === 'assistant',
     );
     if (lastAssistant?.status === 'complete') {
       refresh();
+      void refreshCheckpoints();
+      void refreshAgentSessions(sessionId);
     }
-  }, [messages, refresh]);
+  }, [messages, refresh, refreshCheckpoints, sessionId]);
+
+  // The §9b chip only shows once the chat has ≥1 prior turn (a completed
+  // assistant message). Hidden on a brand-new chat.
+  const hasPriorTurn = useMemo(
+    () => messages.some((m) => m.role === 'assistant' && (m as CoderMessage).status === 'complete'),
+    [messages],
+  );
 
   // Poll fallbacks when WS is disconnected (reconnect uses WS as source of truth)
   useEffect(() => {
@@ -740,24 +864,67 @@ export function CoderPane({
     }
   }, [sessionId, paneId, chatId, agentConfig, setMessages]);
 
-  // Drain queue when not busy
+  // Drain queue once the agent is idle (not just past the dispatch POST).
   useEffect(() => {
-    if (sending || queue.length === 0 || queueProcessing.current) return;
+    if (generating || queue.length === 0 || queueProcessing.current) return;
     queueProcessing.current = true;
     const next = queue[0]!;
     setQueue((prev) => prev.slice(1));
     sendOneMessage(next).finally(() => { queueProcessing.current = false; });
-  }, [sending, queue, sendOneMessage]);
+  }, [generating, queue, sendOneMessage]);
 
   const handleChatInputSend = useCallback(async (content: string) => {
     const text = content.trim();
     if (!text || !chatId) return;
-    if (sending) {
+    if (generating) {
       setQueue((prev) => [...prev, text]);
       return;
     }
     await sendOneMessage(text);
-  }, [sending, chatId, sendOneMessage]);
+  }, [generating, chatId, sendOneMessage]);
+
+  const handleStop = useCallback(async () => {
+    const taskId = activeTaskId;
+    if (!taskId) return;
+    try {
+      await api.coder.cancelTask(taskId);
+      setActiveTaskId(null); // optimistic; WS/poll terminal-state also clears it
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : 'stop failed');
+    }
+  }, [activeTaskId]);
+
+  // write-edit-robustness #4: reset the worktree to a message's checkpoint and
+  // trim the transcript past it. The confirm lives in MessageBubble's ActionRow
+  // (plain Cancel/Restore). The restore route is keyed by checkpoint id, so we
+  // resolve message→checkpoint via a fresh GET (cheap, and avoids a stale id if
+  // the set changed). On success, refetch messages so the trimmed transcript
+  // shows, plus checkpoints (later ones were deleted server-side) and pending
+  // changes (the worktree was reset).
+  const handleRestoreCheckpoint = useCallback(async (_chatId: string, messageId: string) => {
+    if (!chatId || generating) return;
+    let checkpointId: string | undefined;
+    try {
+      const res = await api.coder.getCheckpoints(sessionId, chatId);
+      checkpointId = res.checkpoints.find((c) => c.message_id === messageId)?.id;
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : 'failed to load checkpoint');
+      return;
+    }
+    if (!checkpointId) {
+      toast.error('No checkpoint found for this message');
+      return;
+    }
+    try {
+      await api.coder.restoreCheckpoint(sessionId, checkpointId);
+      await loadMessages();
+      await refreshCheckpoints();
+      refresh();
+      toast.success('Restored to checkpoint');
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : 'restore failed');
+    }
+  }, [chatId, generating, sessionId, loadMessages, refreshCheckpoints, refresh]);
 
   const handleChatInputSlash = useCallback(async (skillName: string, userMessage: string) => {
     if (!chatId) return;
@@ -799,6 +966,8 @@ export function CoderPane({
         onChange={setAgentConfig}
         onProviderCommandsChange={handleProviderCommandsChange}
         connected={connected}
+        sessionId={sessionId}
+        hasPriorTurn={hasPriorTurn}
       />
       {/* Chat area — BooChat-style timeline (text + tool runs as siblings) */}
       <div className="flex-1 min-h-0 flex flex-col">
@@ -811,8 +980,11 @@ export function CoderPane({
           <CoderMessageList
             messages={messages as CoderTimelineWire[]}
             chatId={chatId}
+            checkpointMessageIds={checkpointMessageIds}
+            restoreDisabled={generating}
             actions={{
               onResend: async (_chatId, content) => { await sendOneMessage(content); },
+              onRestoreCheckpoint: handleRestoreCheckpoint,
             }}
             footer={
               activeTaskId && !permissionPrompt && sending === false ? (
@@ -837,6 +1009,7 @@ export function CoderPane({
           <DiffPanel
             changes={changes}
             loading={loading}
+            currentProvider={agentConfig.provider}
             onRefresh={refresh}
             onApprove={approve}
             onReject={reject}
@@ -847,9 +1020,11 @@ export function CoderPane({
       {/* Composer + input */}
       <div className="shrink-0 border-t border-border">
         <ChatInput
-          disabled={sending || !chatId || chatPending}
+          disabled={!chatId || chatPending}
           projectId={projectPath ?? ''}
           onSend={handleChatInputSend}
+          generating={generating}
+          onStop={handleStop}
           onSlashCommand={handleChatInputSlash}
           slashGroups={slashGroups}
           chatId={chatId ?? undefined}

apps/web/src/components/panes/SettingsPane.tsx

@@ -15,9 +15,10 @@ import {
 } from '@/components/ui/dialog';
 import { ModelPicker } from '@/components/ModelPicker';
 import { ThemePicker } from '@/components/ThemePicker';
+import { ProvidersSettings } from '@/components/coder/ProvidersSettings';
 import { cn } from '@/lib/utils';
 
-type Section = 'session' | 'project' | 'theme';
+type Section = 'session' | 'project' | 'theme' | 'providers';
 
 interface Props {
   session: Session;
@@ -73,7 +74,7 @@ export function SettingsPane({ session, project, maximized, onToggleMaximize, on
     <div className="flex flex-col h-full min-h-0">
       <div className="flex items-center gap-2 border-b border-border bg-muted/20 px-3 py-1.5 shrink-0">
         <div className="flex items-center gap-1 flex-1 min-w-0">
-          {(['session', 'project', 'theme'] as const).map((s) => (
+          {(['session', 'project', 'theme', 'providers'] as const).map((s) => (
             <button
               key={s}
               type="button"
@@ -116,6 +117,7 @@ export function SettingsPane({ session, project, maximized, onToggleMaximize, on
           {activeSection === 'session' && <SessionSection session={session} project={project} />}
           {activeSection === 'project' && <ProjectSection project={project} />}
           {activeSection === 'theme' && <ThemePicker />}
+          {activeSection === 'providers' && <ProvidersSettings />}
         </div>
       </div>
     </div>

apps/web/src/data/acp-provider-catalog.ts

@@ -0,0 +1,83 @@
+import type { ProviderConfigPatch } from '@/api/types';
+
+/**
+ * v2.3 Phase 5 (design.md §7.3) — a SMALL curated catalog of ACP coding agents
+ * the user might register. We deliberately do NOT port Paseo's 30+ entry list.
+ *
+ * Non-goal: we never install anything. Each entry is a manual-install hint
+ * (`installUrl` / `installCmd`) plus the config `command` that gets written into
+ * `/data/coder-providers.json`. The user installs the CLI themselves; until the
+ * binary is on PATH the provider shows as "Not installed". Commands are
+ * editable after adding — versions are aliased/untrimmed on purpose; pin on your
+ * own host once verified.
+ */
+export interface AcpCatalogEntry {
+  id: string;
+  label: string;
+  description: string;
+  /** Config command written verbatim into providers[id].command: [binary, ...args]. */
+  command: [string, ...string[]];
+  /** Where to install the CLI manually — we LINK, never install. */
+  installUrl: string;
+  /** Optional suggested install command, shown as a copyable hint. */
+  installCmd?: string;
+}
+
+export const ACP_PROVIDER_CATALOG: AcpCatalogEntry[] = [
+  {
+    id: 'amp-acp',
+    label: 'Amp',
+    description: 'Sourcegraph Amp — agentic coding CLI with an ACP bridge.',
+    command: ['amp-acp'],
+    installUrl: 'https://ampcode.com/',
+    installCmd: 'npm i -g @sourcegraph/amp',
+  },
+  {
+    id: 'gemini',
+    label: 'Gemini CLI',
+    description: 'Google Gemini CLI in ACP mode (--experimental-acp).',
+    command: ['gemini', '--experimental-acp'],
+    installUrl: 'https://github.com/google-gemini/gemini-cli',
+    installCmd: 'npm i -g @google/gemini-cli',
+  },
+  {
+    id: 'cline',
+    label: 'Cline',
+    description: 'Cline coding agent over ACP (run via npx).',
+    command: ['npx', '-y', 'cline', '--acp'],
+    installUrl: 'https://cline.bot/',
+  },
+  {
+    id: 'claude-code-acp',
+    label: 'Claude Code (ACP)',
+    description: "Zed's ACP adapter for Claude Code — distinct from the built-in PTY claude provider.",
+    command: ['npx', '-y', '@zed-industries/claude-code-acp'],
+    installUrl: 'https://github.com/zed-industries/claude-code-acp',
+  },
+  {
+    id: 'pi-acp',
+    label: 'Pi',
+    description: 'Example custom ACP entry — build the binary from source, then edit the command.',
+    command: ['pi-acp'],
+    installUrl: 'https://agentclientprotocol.com/',
+  },
+];
+
+/**
+ * Build the PATCH body that registers a catalog entry: a single-id partial
+ * providers map with the custom-ACP override (extends:'acp' + label + command),
+ * enabled. Sent to PATCH /api/providers/config (then refreshProviders([id])).
+ */
+export function buildAcpProviderConfigPatch(entry: AcpCatalogEntry): ProviderConfigPatch {
+  return {
+    providers: {
+      [entry.id]: {
+        extends: 'acp',
+        label: entry.label,
+        description: entry.description,
+        command: entry.command,
+        enabled: true,
+      },
+    },
+  };
+}

apps/web/src/hooks/sessionEvents.ts

@@ -51,7 +51,11 @@ export interface SessionUpdatedEvent {
 export interface SessionWorkspaceUpdatedEvent {
   type: 'session_workspace_updated';
   session_id: string;
-  workspace_panes: import('@/api/types').WorkspacePane[];
+  // Legacy bare array OR the new envelope — useWorkspacePanes normalizes both
+  // via toWorkspaceState.
+  workspace_panes:
+    | import('@/api/types').WorkspacePane[]
+    | import('@/api/types').WorkspaceState;
 }
 
 export interface SessionLoadedEvent {
@@ -75,6 +79,14 @@ export interface OpenChatInActivePaneEvent {
   chat_id: string;
 }
 
+// Open a whole chat in a fresh split pane (vs the active pane). Emitted by the
+// ChatTabBar tab context menu ("Open in new pane") and by MessageBubble.fork()
+// so a fork lands beside the original. useWorkspacePanes subscribes.
+export interface OpenChatInNewPaneEvent {
+  type: 'open_chat_in_new_pane';
+  chat_id: string;
+}
+
 // v1.14.x-html-artifact-panes: ActionRow's "Open in pane" button emits one of
 // these; useWorkspacePanes subscribes and inserts the corresponding artifact
 // pane (or focuses an existing one keyed by message_id).
@@ -178,6 +190,7 @@ export type SessionEvent =
   | OpenFileInBrowserEvent
   | AttachChatFileEvent
   | OpenChatInActivePaneEvent
+  | OpenChatInNewPaneEvent
   | OpenMarkdownArtifactPaneEvent
   | OpenHtmlArtifactPaneEvent
   | OpenSettingsPaneEvent

apps/web/src/hooks/useAgentSessions.ts

@@ -0,0 +1,88 @@
+// v2.6 Phase 1-UX §9b — chat-scoped agent-session state.
+//
+// Reads GET /api/coder/sessions/:id/agent-sessions (the per-(chat,agent)
+// backend-session rows) and drives the AgentComposerBar resumed/new-session
+// chip. Module-singleton external store keyed by sessionId — same shape as
+// useProviderSnapshot — so the two consumers (CoderPane, which owns the
+// message_complete WS signal, and AgentComposerBar, which renders the chip)
+// share one cache and one fetch per chat. CoderPane calls
+// refreshAgentSessions(sessionId) on each message_complete (the same trigger
+// usePendingChanges already keys off); the chip then reflects the freshly
+// resumed/created session.
+
+import { useEffect, useSyncExternalStore } from 'react';
+import { api, type AgentSessionInfo } from '@/api/client';
+
+type Entry = {
+  data: AgentSessionInfo[];
+  inflight: Promise<AgentSessionInfo[]> | null;
+};
+
+const store = new Map<string, Entry>();
+const listeners = new Set<() => void>();
+const EMPTY: AgentSessionInfo[] = [];
+
+function notify(): void {
+  for (const fn of listeners) fn();
+}
+
+function subscribe(fn: () => void): () => void {
+  listeners.add(fn);
+  return () => listeners.delete(fn);
+}
+
+function getEntry(sessionId: string): Entry {
+  let entry = store.get(sessionId);
+  if (!entry) {
+    entry = { data: EMPTY, inflight: null };
+    store.set(sessionId, entry);
+  }
+  return entry;
+}
+
+async function doFetch(sessionId: string): Promise<AgentSessionInfo[]> {
+  const data = await api.coder.agentSessions(sessionId);
+  const entry = getEntry(sessionId);
+  entry.data = data;
+  entry.inflight = null;
+  notify();
+  return data;
+}
+
+function ensureLoaded(sessionId: string): void {
+  const entry = getEntry(sessionId);
+  if (entry.data !== EMPTY || entry.inflight) return;
+  entry.inflight = doFetch(sessionId).catch(() => {
+    // boocoder may be down or the chat has no agent-session rows yet; treat as
+    // empty (the chip falls back to "new session" / hides).
+    const e = getEntry(sessionId);
+    e.inflight = null;
+    return EMPTY;
+  });
+}
+
+/** Force a refetch for one chat. Wired to message_complete by CoderPane. */
+export function refreshAgentSessions(sessionId: string): Promise<AgentSessionInfo[]> {
+  const entry = getEntry(sessionId);
+  entry.inflight = null;
+  return doFetch(sessionId);
+}
+
+/**
+ * Chat-scoped agent-session rows. Pass `undefined` to opt out (no fetch, empty
+ * result) — AgentComposerBar does this for BooChat callers and fresh chats so
+ * the chip stays hidden. Fetches on mount (and on sessionId change); refetch on
+ * message_complete is driven externally via refreshAgentSessions.
+ */
+export function useAgentSessions(sessionId: string | undefined): {
+  sessions: AgentSessionInfo[];
+} {
+  const sessions = useSyncExternalStore(
+    subscribe,
+    () => (sessionId ? getEntry(sessionId).data : EMPTY),
+  );
+  useEffect(() => {
+    if (sessionId) ensureLoaded(sessionId);
+  }, [sessionId]);
+  return { sessions: sessionId ? sessions : EMPTY };
+}

apps/web/src/hooks/useSidebar.ts

@@ -152,6 +152,7 @@ function applyEvent(prev: SidebarResponse, event: import('./sessionEvents').Sess
     case 'attach_chat_file':
       return prev;
     case 'open_chat_in_active_pane':
+    case 'open_chat_in_new_pane':
       // Consumed by Workspace; sidebar has no business with pane state.
       return prev;
     case 'open_markdown_artifact_pane':

apps/web/src/hooks/useWorkspacePanes.ts

@@ -3,9 +3,11 @@ import type { DragEvent } from 'react';
 import { toast } from 'sonner';
 import { api } from '@/api/client';
 import type {
+  ClosedPaneEntry,
   HtmlArtifactState,
   MarkdownArtifactState,
   WorkspacePane,
+  WorkspaceState,
 } from '@/api/types';
 import { setActivePaneInfo, clearActivePane } from '@/hooks/useActivePane';
 import { sessionEvents } from '@/hooks/sessionEvents';
@@ -32,6 +34,37 @@ function chatPane(chatId: string): WorkspacePane {
   return { id: generateId(), kind: 'chat', chatId, chatIds: [chatId], activeChatIdx: 0 };
 }
 
+// v2.6.x: reopen stack cap. The stack now lives in React state (persisted in
+// the WorkspaceState envelope), not a module-level array. `appendClosed` is the
+// pure state-updater helper.
+const MAX_CLOSED = 10;
+
+// Pure helper: append a closed-pane entry derived from `pane` to `stack`,
+// capped at MAX_CLOSED (most-recent last). Returns the SAME reference when the
+// pane is not eligible (empty/settings/no chats) so callers can skip setState.
+function appendClosed(stack: ClosedPaneEntry[], pane: WorkspacePane): ClosedPaneEntry[] {
+  if (pane.kind === 'empty' || pane.kind === 'settings') return stack;
+  if (pane.chatIds.length === 0) return stack;
+  const entry = { kind: pane.kind, chatIds: [...pane.chatIds], activeChatIdx: pane.activeChatIdx };
+  // Dedupe a value-identical top entry. This is called via setClosedPaneStack
+  // inside the setPanes updater in removePane; React StrictMode double-invokes
+  // that updater in dev, which would otherwise push two identical entries.
+  // Real closes never collide (one chat lives in at most one pane).
+  const top = stack[stack.length - 1];
+  if (
+    top &&
+    top.kind === entry.kind &&
+    top.activeChatIdx === entry.activeChatIdx &&
+    top.chatIds.length === entry.chatIds.length &&
+    top.chatIds.every((id, i) => id === entry.chatIds[i])
+  ) {
+    return stack;
+  }
+  const next = [...stack, entry];
+  if (next.length > MAX_CLOSED) next.splice(0, next.length - MAX_CLOSED);
+  return next;
+}
+
 function chatNameForPaneKind(kind: 'coder' | 'terminal'): string {
   return kind === 'coder' ? 'BooCoder' : 'Terminal';
 }
@@ -50,8 +83,8 @@ export function activePaneChatId(pane: WorkspacePane): string | undefined {
 // v1.9: settings pane factory. No chats, no state beyond identity — the
 // SettingsPane component renders Session/Project sections from the
 // surrounding session/project.
-function settingsPane(): WorkspacePane {
-  return { id: generateId(), kind: 'settings', chatIds: [], activeChatIdx: -1 };
+function settingsPane(id: string = generateId()): WorkspacePane {
+  return { id, kind: 'settings', chatIds: [], activeChatIdx: -1 };
 }
 
 // v1.14.x-html-artifact-panes: artifact pane factories. Payload travels with
@@ -95,6 +128,26 @@ function persistablePanes(panes: WorkspacePane[]): WorkspacePane[] {
   return normalizePanes(panes).filter((p) => p.kind !== 'settings');
 }
 
+// v2.6.x: LOCKED migration — a value read from session.workspace_panes (or the
+// session_workspace_updated frame) may be EITHER the legacy bare
+// WorkspacePane[] OR the new WorkspaceState envelope. Normalize to the
+// envelope. Must match the server's normalization byte-for-byte.
+function toWorkspaceState(raw: unknown): WorkspaceState {
+  if (Array.isArray(raw)) {
+    return { panes: raw as WorkspacePane[], tabNumbers: {}, nextTabNumber: 1, closedPaneStack: [] };
+  }
+  if (raw && typeof raw === 'object' && Array.isArray((raw as WorkspaceState).panes)) {
+    const env = raw as WorkspaceState;
+    return {
+      panes: env.panes,
+      tabNumbers: env.tabNumbers ?? {},
+      nextTabNumber: env.nextTabNumber ?? 1,
+      closedPaneStack: env.closedPaneStack ?? [],
+    };
+  }
+  return { panes: [], tabNumbers: {}, nextTabNumber: 1, closedPaneStack: [] };
+}
+
 // v1.9: per recon decision (c), settings panes don't count toward MAX_PANES.
 // Helper used at every pane-insertion site so the rule lives in one place.
 function nonSettingsCount(panes: WorkspacePane[]): number {
@@ -117,6 +170,9 @@ function readLegacyPanes(sessionId: string): WorkspacePane[] | null {
 
 export interface UseWorkspacePanesResult {
   panes: WorkspacePane[];
+  // v2.6.x: stable session-scoped tab number per chat id (Batch 3a). Keyed by
+  // chat.id, NEVER by tab position.
+  tabNumbers: Record<string, number>;
   activePaneIdx: number;
   setActivePaneIdx: React.Dispatch<React.SetStateAction<number>>;
   activePaneIdxRef: React.MutableRefObject<number>;
@@ -135,8 +191,10 @@ export interface UseWorkspacePanesResult {
   // Open-on-first-click, close-on-second-click. Singleton — settings panes
   // don't count toward MAX_PANES. Closing the only remaining pane (edge case)
   // falls back to an empty pane to preserve the "always one pane" invariant.
-  toggleSettingsPane: () => void;
+  toggleSettingsPane: () => string | null;
   removePane: (idx: number) => void;
+  reopenPane: () => void;
+  hasClosedPanes: boolean;
   removeChatFromPanes: (chatId: string) => void;
   initializeFirstChatIfEmpty: (chatId: string) => void;
   validatePanes: (validChatIds: Set<string>) => void;
@@ -154,6 +212,12 @@ export interface UseWorkspacePanesResult {
 export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
   const [panes, setPanes] = useState<WorkspacePane[]>(() => [emptyPane()]);
   const [activePaneIdx, setActivePaneIdx] = useState(0);
+  // v2.6.x envelope state. Persisted alongside `panes` in the WorkspaceState
+  // envelope. `tabNumbers` is the stable session-scoped tab number per chat id;
+  // `nextTabNumber` only ever increments; `closedPaneStack` is the reopen LIFO.
+  const [tabNumbers, setTabNumbers] = useState<Record<string, number>>({});
+  const [nextTabNumber, setNextTabNumber] = useState(1);
+  const [closedPaneStack, setClosedPaneStack] = useState<ClosedPaneEntry[]>([]);
   const draggingIdxRef = useRef<number | null>(null);
   const [dragOverIdx, setDragOverIdx] = useState<number | null>(null);
   // v1.12.1: skip PATCH while hydrating from the server. Without this, the
@@ -220,27 +284,42 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
       try {
         const session = await api.sessions.get(sessionId);
         if (cancelled) return;
-        let initial: WorkspacePane[] = Array.isArray(session.workspace_panes)
-          ? normalizePanes(session.workspace_panes)
-          : [];
+        let env = toWorkspaceState(session.workspace_panes);
+        let initial: WorkspacePane[] = normalizePanes(env.panes);
         // One-time migration: if server is empty but legacy localStorage has
-        // a layout, seed the server and delete the local key.
+        // a layout, seed the server (as an envelope) and delete the local key.
         if (initial.length === 0) {
           const legacy = readLegacyPanes(sessionId);
           if (legacy && legacy.length > 0) {
             try {
-              const updated = await api.sessions.updateWorkspacePanes(sessionId, legacy);
+              const seedState: WorkspaceState = {
+                panes: persistablePanes(legacy),
+                tabNumbers: {},
+                nextTabNumber: 1,
+                closedPaneStack: [],
+              };
+              const updated = await api.sessions.updateWorkspacePanes(sessionId, seedState);
               if (cancelled) return;
-              initial = updated.workspace_panes;
+              env = toWorkspaceState(updated.workspace_panes);
+              initial = normalizePanes(env.panes);
               localStorage.removeItem(`${LEGACY_STORAGE_KEY}.${sessionId}`);
             } catch {
-              initial = legacy;
+              env = { ...env, panes: legacy };
+              initial = normalizePanes(legacy);
             }
           }
         }
         const next = initial.length > 0 ? initial : [emptyPane()];
-        lastRemoteJsonRef.current = JSON.stringify(persistablePanes(next));
+        lastRemoteJsonRef.current = JSON.stringify({
+          panes: persistablePanes(next),
+          tabNumbers: env.tabNumbers,
+          nextTabNumber: env.nextTabNumber,
+          closedPaneStack: env.closedPaneStack,
+        });
         setPanes(next);
+        setTabNumbers(env.tabNumbers);
+        setNextTabNumber(env.nextTabNumber);
+        setClosedPaneStack(env.closedPaneStack);
         setActivePaneIdx(0);
         seedEmptyScopedPanes(next);
       } finally {
@@ -256,15 +335,25 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
     return sessionEvents.subscribe((ev) => {
       if (ev.type !== 'session_workspace_updated') return;
       if (ev.session_id !== sessionId) return;
-      const incoming = normalizePanes(
-        Array.isArray(ev.workspace_panes) ? ev.workspace_panes : [],
-      );
-      const json = JSON.stringify(incoming);
+      const env = toWorkspaceState(ev.workspace_panes);
+      const incoming = normalizePanes(env.panes);
+      // Echo-dedup on the FULL envelope so tabNumber / stack-only changes are
+      // not mistaken for our own write echo.
+      const json = JSON.stringify({
+        panes: persistablePanes(incoming),
+        tabNumbers: env.tabNumbers,
+        nextTabNumber: env.nextTabNumber,
+        closedPaneStack: env.closedPaneStack,
+      });
       if (json === lastRemoteJsonRef.current) return;
       lastRemoteJsonRef.current = json;
-      setPanes(incoming.length > 0 ? incoming : [emptyPane()]);
+      const nextPanes = incoming.length > 0 ? incoming : [emptyPane()];
+      setPanes(nextPanes);
+      setTabNumbers(env.tabNumbers);
+      setNextTabNumber(env.nextTabNumber);
+      setClosedPaneStack(env.closedPaneStack);
       setActivePaneIdx((prev) => Math.min(prev, Math.max(0, incoming.length - 1)));
-      seedEmptyScopedPanes(incoming.length > 0 ? incoming : [emptyPane()]);
+      seedEmptyScopedPanes(nextPanes);
     });
   }, [sessionId, seedEmptyScopedPanes]);
 
@@ -316,18 +405,75 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
   // before saving (ephemeral per v1.9).
   useEffect(() => {
     if (!hydratedRef.current) return;
-    const payload = persistablePanes(panes);
-    const json = JSON.stringify(payload);
+    // v2.6.x: persist the full WorkspaceState envelope. The dedup ref compares
+    // the whole envelope so tabNumber / reopen-stack changes also persist.
+    const envelope: WorkspaceState = {
+      panes: persistablePanes(panes),
+      tabNumbers,
+      nextTabNumber,
+      closedPaneStack,
+    };
+    const json = JSON.stringify(envelope);
     if (json === lastRemoteJsonRef.current) return;
     const timer = setTimeout(() => {
       lastRemoteJsonRef.current = json;
-      api.sessions.updateWorkspacePanes(sessionId, payload).catch(() => {
+      api.sessions.updateWorkspacePanes(sessionId, envelope).catch(() => {
         // Non-fatal: next change retries. Persistent failures surface via
         // the network layer's existing reconnect toast.
       });
     }, SAVE_DEBOUNCE_MS);
     return () => clearTimeout(timer);
-  }, [sessionId, panes]);
+  }, [sessionId, panes, tabNumbers, nextTabNumber, closedPaneStack]);
+
+  // v2.6.x (Batch 3a): maintain stable, session-scoped tab numbers. Collect the
+  // chat ids that appear in CHAT-kind panes in deterministic order (pane index,
+  // then tab index). Assign numbers to any without one (global per session,
+  // only ever increasing, never reused) and prune entries whose chat is no
+  // longer in any chat-kind pane. Guarded against render loops: only setState
+  // when something actually changed.
+  useEffect(() => {
+    const liveChatIds: string[] = [];
+    const liveSet = new Set<string>();
+    for (const pane of panes) {
+      if (pane.kind !== 'chat') continue;
+      for (const id of pane.chatIds) {
+        if (!liveSet.has(id)) {
+          liveSet.add(id);
+          liveChatIds.push(id);
+        }
+      }
+    }
+
+    // Assign: walk live ids in deterministic order, handing out numbers.
+    let counter = nextTabNumber;
+    const additions: Record<string, number> = {};
+    for (const id of liveChatIds) {
+      if (tabNumbers[id] === undefined && additions[id] === undefined) {
+        additions[id] = counter;
+        counter += 1;
+      }
+    }
+
+    // Prune: retire numbers for chats no longer in any chat-kind pane.
+    const removals: string[] = [];
+    for (const id of Object.keys(tabNumbers)) {
+      if (!liveSet.has(id)) removals.push(id);
+    }
+
+    const hasAdditions = Object.keys(additions).length > 0;
+    const hasRemovals = removals.length > 0;
+    if (!hasAdditions && !hasRemovals) return;
+
+    setTabNumbers((prev) => {
+      const next: Record<string, number> = {};
+      for (const [id, n] of Object.entries(prev)) {
+        if (!removals.includes(id)) next[id] = n;
+      }
+      Object.assign(next, additions);
+      return next;
+    });
+    if (hasAdditions) setNextTabNumber(counter);
+  }, [panes, tabNumbers, nextTabNumber]);
 
   useEffect(() => {
     const active = panes[activePaneIdx];
@@ -374,6 +520,37 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
     setActivePaneIdx(paneIdx);
   }, []);
 
+  // Open a whole chat in its own fresh pane (focused). Detaches the chat from
+  // any pane currently showing it so it lives in exactly one pane (preserves
+  // the one-chat-per-pane model), dropping a source pane left with no tabs. For
+  // fork the chat isn't in any pane yet, so the detach is a no-op (pure append).
+  const openChatInNewPane = useCallback((chatId: string) => {
+    setPanes((prev) => {
+      const detached = prev.flatMap((p) => {
+        if (!p.chatIds.includes(chatId)) return [p];
+        const nextIds = p.chatIds.filter((id) => id !== chatId);
+        if (nextIds.length === 0) return [];
+        const ai = Math.min(p.activeChatIdx, nextIds.length - 1);
+        return [{ ...p, kind: 'chat' as const, chatId: nextIds[ai], chatIds: nextIds, activeChatIdx: ai }];
+      });
+      if (nonSettingsCount(detached) >= MAX_PANES) {
+        toast.error(`Maximum ${MAX_PANES} panes`);
+        return prev;
+      }
+      const next = [...detached, chatPane(chatId)];
+      setActivePaneIdx(next.length - 1);
+      return next;
+    });
+  }, []);
+
+  // ChatTabBar's "Open in new pane" + MessageBubble.fork() emit this.
+  useEffect(() => {
+    return sessionEvents.subscribe((ev) => {
+      if (ev.type !== 'open_chat_in_new_pane') return;
+      openChatInNewPane(ev.chat_id);
+    });
+  }, [openChatInNewPane]);
+
   const switchTab = useCallback((paneIdx: number, tabIdx: number) => {
     setPanes((prev) => {
       const next = [...prev];
@@ -391,6 +568,14 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
       const pane = next[paneIdx]!;
       const nextIds = pane.chatIds.filter((id) => id !== chatId);
       if (nextIds.length === 0) {
+        if (next.length > 1) {
+          // Last tab closed and other panes exist — remove the whole pane
+          // instead of leaving an orphaned empty panel.
+          setClosedPaneStack((stack) => appendClosed(stack, pane));
+          const spliced = next.filter((_, i) => i !== paneIdx);
+          setActivePaneIdx((ai) => Math.min(ai, spliced.length - 1));
+          return spliced;
+        }
         next[paneIdx] = { ...pane, kind: 'empty', chatId: undefined, chatIds: [], activeChatIdx: -1 };
       } else {
         const nextActiveIdx = Math.min(pane.activeChatIdx, nextIds.length - 1);
@@ -492,14 +677,21 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
     return success ? newPaneId : null;
   }, [seedPaneChat]);
 
-  const toggleSettingsPane = useCallback(() => {
+  // Returns the new settings pane id when one is OPENED (so mobile callers can
+  // push ?pane= atomically — see addPaneAndSwitch), or null when it was closed.
+  // Id generated outside the updater so a strict-mode double-invoke agrees.
+  const toggleSettingsPane = useCallback((): string | null => {
+    const newPaneId = generateId();
+    let openedId: string | null = null;
     setPanes((prev) => {
       const existingIdx = prev.findIndex((p) => p.kind === 'settings');
       if (existingIdx < 0) {
-        const next = [...prev, settingsPane()];
+        const next = [...prev, settingsPane(newPaneId)];
         setActivePaneIdx(next.length - 1);
+        openedId = newPaneId;
         return next;
       }
+      openedId = null;
       if (prev.length <= 1) {
         setActivePaneIdx(0);
         return [emptyPane()];
@@ -508,13 +700,15 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
       setActivePaneIdx((ai) => Math.min(ai, next.length - 1));
       return next;
     });
+    return openedId;
   }, []);
 
   const removePane = useCallback((idx: number) => {
     setPanes((prev) => {
       if (prev.length <= 1) {
         // Settings is the only kind that can be the last pane and still need
-        // closing (X / Esc / sidebar toggle). Fall back to empty.
+        // closing (X / Esc / sidebar toggle). Fall back to empty. One-pane
+        // edge: no relocation — there is no other pane.
         if (prev[idx]?.kind === 'settings') {
           setActivePaneIdx(0);
           return [emptyPane()];
@@ -526,15 +720,102 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
       // The endpoint is idempotent (404 on missing session) so a strict-mode
       // double-invoke of the updater is safe.
       const removed = prev[idx];
+      // Push the original pane (with its chatIds intact) to the reopen stack.
+      if (removed) setClosedPaneStack((stack) => appendClosed(stack, removed));
       if (removed?.kind === 'terminal') {
         api.terminals.kill(sessionId, removed.id).catch(() => { /* non-fatal */ });
       }
-      const next = prev.filter((_, i) => i !== idx);
+
+      // v2.6.x (Batch 1): relocate a closing CHAT pane's tabs to the oldest
+      // remaining pane that can host chat tabs, so chats aren't lost on close.
+      // Only chat panes relocate — terminal/coder panes own a scoped chat bound
+      // to the pane, so those close exactly as before (no relocation).
+      let working = prev;
+      if (removed && removed.kind === 'chat' && removed.chatIds.length > 0) {
+        // "Oldest remaining": lowest index, excluding `idx`, that is a chat or
+        // empty pane (the only kinds that can host arbitrary chat tabs). Skip
+        // terminal/coder/settings/artifact panes.
+        let targetIdx = -1;
+        for (let i = 0; i < prev.length; i += 1) {
+          if (i === idx) continue;
+          const p = prev[i]!;
+          if (p.kind === 'chat' || p.kind === 'empty') {
+            targetIdx = i;
+            break;
+          }
+        }
+        if (targetIdx >= 0) {
+          working = prev.map((p, i) => {
+            if (i !== targetIdx) return p;
+            const mergedIds = [...p.chatIds, ...removed.chatIds];
+            // Preserve the target's existing focus — append, don't force-focus
+            // the moved tabs. Clamp only when the target had no active tab.
+            const ai = p.activeChatIdx >= 0 ? p.activeChatIdx : 0;
+            return {
+              ...p,
+              kind: 'chat' as const,
+              chatIds: mergedIds,
+              activeChatIdx: ai,
+              chatId: mergedIds[ai],
+            };
+          });
+        }
+      }
+
+      const next = working.filter((_, i) => i !== idx);
       setActivePaneIdx((ai) => Math.min(ai, next.length - 1));
       return next;
     });
   }, [sessionId]);
 
+  const hasClosedPanes = closedPaneStack.length > 0;
+
+  const reopenPane = useCallback(() => {
+    // Read the top entry from the current render's stack (not inside the
+    // updater) so a StrictMode double-invoke can't pop two entries. The pop
+    // setState is idempotent: filtering by reference removes exactly this entry.
+    const e = closedPaneStack[closedPaneStack.length - 1];
+    if (!e) return;
+    setClosedPaneStack((stack) => (stack[stack.length - 1] === e ? stack.slice(0, -1) : stack));
+    setPanes((prev) => {
+      // v2.6.x (Batch 4): reversible reopen. The closed tabs may have been
+      // relocated into another pane on close (Batch 1). Strip e.chatIds from
+      // every existing pane first so reopening never duplicates a tab —
+      // whether or not it was relocated (a no-op strip when it wasn't). Mirror
+      // removeTab's emptiness handling: a chat pane emptied by the strip is
+      // dropped when other panes remain, else turned empty.
+      const stripped: WorkspacePane[] = [];
+      for (const p of prev) {
+        const idxs = p.chatIds.filter((id) => !e.chatIds.includes(id));
+        if (idxs.length === p.chatIds.length) {
+          stripped.push(p);
+          continue;
+        }
+        if (idxs.length === 0) {
+          if (p.kind === 'chat') {
+            // Drop the now-empty chat pane (we still have the restored pane plus
+            // possibly others). If it would leave zero panes, turn it empty.
+            continue;
+          }
+          stripped.push({ ...p, chatId: undefined, chatIds: [], activeChatIdx: -1 });
+          continue;
+        }
+        const ai = Math.min(p.activeChatIdx, idxs.length - 1);
+        stripped.push({ ...p, chatIds: idxs, activeChatIdx: ai < 0 ? 0 : ai, chatId: idxs[ai < 0 ? 0 : ai] });
+      }
+      const restored: WorkspacePane = {
+        id: generateId(),
+        kind: e.kind,
+        chatId: e.chatIds[e.activeChatIdx] ?? e.chatIds[0],
+        chatIds: e.chatIds,
+        activeChatIdx: Math.min(e.activeChatIdx, e.chatIds.length - 1),
+      };
+      const next = [...stripped, restored];
+      setActivePaneIdx(next.length - 1);
+      return next;
+    });
+  }, [closedPaneStack]);
+
   // Replaces a single empty default pane with a chat pane. Used by the initial
   // chat fetch to land on the most-recent open chat if no saved pane state.
   const initializeFirstChatIfEmpty = useCallback((chatId: string) => {
@@ -651,6 +932,7 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
 
   return {
     panes,
+    tabNumbers,
     activePaneIdx,
     setActivePaneIdx,
     activePaneIdxRef,
@@ -664,6 +946,8 @@ export function useWorkspacePanes(sessionId: string): UseWorkspacePanesResult {
     addSplitPane,
     toggleSettingsPane,
     removePane,
+    reopenPane,
+    hasClosedPanes,
     removeChatFromPanes,
     initializeFirstChatIfEmpty,
     validatePanes,