feat: MistakeTracker + file-provenance ledger (v2.7.4)

Two native-inference hardening features from boocode_code_review_v2 §1 #12. MistakeTracker: new pure mistake-tracker.ts tracks consecutive heterogeneous tool failures (kinds surfaced per tool from tool-phase.ts). On 3 in a row the turn loop soft-nudges (model-facing recovery guidance + mistake_recovery sentinel + reset), then escalates to stopping the turn (cap-hit-style, Continue affordance) on a re-trip. Complements doom-loop (identical repeats) + cap-hit. File-provenance ledger: compaction.ts derives a deterministic ## Files Read list from the head messages' read-tool calls and injects it into the rolling-summary prompt so provenance survives compaction (no new table; read-only). mistake_recovery sentinel: MessageMetadata arm (server + web) + MessageBubble render branch. Built by 2 parallel agents. Server 545 tests passing (23 new); build + web tsc clean. Native-inference only. Builds on v2.7.3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Merge sampling-knobs-streamjson: v2.7.3 sampling knobs + live PTY stream-json + token UI
2026-06-01 13:05:03 +00:00 · 2026-06-01 12:47:31 +00:00 · 2026-06-01 12:47:17 +00:00 · 2026-06-01 12:16:08 +00:00 · 2026-06-01 12:15:54 +00:00 · 2026-06-01 12:02:06 +00:00
92 changed files with 7954 additions and 1867 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,50 @@
 All notable changes per release tag. Most recent on top, ordered by tag creation date (which matches the git history). Tag names follow `vMAJOR.MINOR.PATCH-slug` — the slug describes what shipped, so the tag name alone is enough to recall the batch.
 ## v2.7.4-mistake-tracker-ledger — 2026-06-01
 Two native-inference hardening features from `boocode_code_review_v2.md` §1 #12 (cline, algorithm-reimplemented). **MistakeTracker:** complements the doom-loop guard (identical repeats) and cap-hit (budget) by catching a run of consecutive tool *failures*. A new pure `mistake-tracker.ts` tracks heterogeneous failure kinds (`zod_reject`/`tool_not_found`/`exec_error`/`api_error`/`permission_denied`, surfaced per tool from `tool-phase.ts`); after 3 consecutive failures the `turn.ts` loop does a **soft nudge** — injects model-facing recovery guidance into the next step + drops a `mistake_recovery` UI sentinel + resets — then **escalates** to stopping the turn (cap-hit-style, with a Continue affordance) if it re-trips without an intervening success, so heterogeneous failures can't burn the whole step budget. **File-provenance ledger:** `compaction.ts` now derives a deterministic, sorted `## Files Read` list from the head messages' read-tool calls (`view_file`/`grep`/`find_files`/`list_dir`) and injects it into the rolling-summary prompt so file provenance survives compaction (no new table; prompt-driven merge, read-only since BooChat has no write tools). The `mistake_recovery` sentinel adds an arm to `MessageMetadata` in both server + web type copies plus a `MessageBubble` render branch. Built by two parallel agents (backend + frontend sentinel) over disjoint apps; server 545 tests passing (23 new: 12 mistake-tracker + 11 compaction), build + web tsc clean. Native-inference only (external agents run their own loops). Builds on `v2.7.3-sampling-streamjson-tokens`; openspec `mistake-tracker-file-ledger`.
 ## v2.7.3-sampling-streamjson-tokens — 2026-06-01
 Three small BooCode wins from `boocode_code_review_v2.md` §1 #11/#7/#8. **Sampling knobs:** per-agent `top_n_sigma` + the `dry_*` repetition family (`dry_multiplier`/`dry_base`/`dry_allowed_length`/`dry_penalty_last_n`) are now first-class Agent frontmatter fields, parsed in `agents.ts` and threaded into the llama-swap chat-completion body via `providerOptions.openaiCompatible` (the `@ai-sdk/openai-compatible` extra-body channel). This surfaced and fixed a **latent bug**: `top_k` (rejected by the AI-SDK provider as unsupported) and `min_p` (never passed to `streamText` at all) had been dead on the wire — no agent's `top_k`/`min_p` ever affected sampling; both now route through the same channel, so agents that set them will start using them. `--reasoning-budget` is documented in `data/AGENTS.md` (already works via `llama_extra_args`, permitted by the deny-list validator). **Live PTY stream-json:** qwen/claude PTY dispatch sliced stdout opaque; a new `stream-json-parser.ts` line-buffers the Claude-Code-compatible NDJSON and emits text/reasoning/tool frames live as they arrive (mirroring the ACP/opencode paths) + persists the structured parts, with a clean fallback to the old opaque slice when output isn't NDJSON (claude now runs `--output-format stream-json --verbose`). **Token UI:** the per-`(chat,agent)` `agent_sessions.input_tokens`/`output_tokens`/`cost` columns (accumulated since `v2.6.8` but dropped by the read route + wire type) now flow through and render condensed beside the AgentComposerBar session chip. Built by three parallel agents over disjoint subsystems; server 523 + coder 245 tests passing (incl. 11 new stream-json-parser + new agent-parse tests), all builds + web tsc clean. Builds on `v2.7.2-checkpoint-idor`; openspec `sampling-streamjson-tokens`. The qwen-vs-claude `usage` field names in #7 are best-guess pending a live smoke.
 ## v2.7.2-checkpoint-idor — 2026-06-01
 Closes two IDOR authorization holes in the `v2.7.1-write-edit-robustness` checkpoint routes, flagged by the automated push security review. The `GET /api/sessions/:id/checkpoints?chat_id=` list route scoped its `chat_id` branch by `chat_id` alone — any session's `chat_id` would read its checkpoints; it now joins through `chats` and gates on `chats.session_id` (authoritative; `checkpoints.session_id` is a nullable denormalized hint). The `restoreCheckpoint` scope guard was fail-open — `cp.session_id && cp.session_id !== sessionId` fell through whenever the checkpoint's denormalized `session_id` was null, allowing a cross-session restore (worktree reset + transcript trim) — it now resolves the owning session via the checkpoint's chat and denies on any missing-or-mismatched row. A DB-integration regression covers the exact null-`session_id` cross-session case. Real-world blast radius is small (BooCoder is single-user behind Authelia on loopback), but both are genuine authorization bugs. Coder suite 234 passing (7/7 checkpoint tests incl. the regression against live postgres+git), typecheck clean. Hotfix on `v2.7.1-write-edit-robustness`.
 ## v2.7.1-write-edit-robustness — 2026-06-01
 Two BooCoder hardening features for local quantized models, algorithm-reimplemented (not vendored) from the cline findings in `boocode_code_review_v2.md` §1 #3/#4. **Fuzzy patch applier:** `edit_file`'s apply path was exact-`.includes`-or-throw + first-occurrence `.replace` (`pending_changes.ts`), so a qwen3.6 whitespace/indentation/unicode drift in `old_string` lost the edit; a new pure `fuzzy-match.ts` (`locateMatch`) now runs an exact → per-line-trim → unicode-canon (curly quotes/dashes/nbsp) → Levenshtein-≥0.66 ladder and returns the real file span, refusing multi-exact matches as ambiguous rather than silently editing the first. `applyOne`/`rewindOne` both use it. **Worktree checkpoints + conversation-trim:** `rewind` only reversed BooCode's own `pending_changes`, blind to what external agents (opencode/goose/qwen/claude) write directly into the session worktree — so a new `checkpoints` table + `checkpoints.ts` shadow-commit (tracked **and** untracked, captured via a temp-index `read-tree`/`add`/`write-tree`/`commit-tree` into a GC-safe `refs/boocode/checkpoints/<id>`) snapshots the worktree before each external-agent turn (hooked into all three dispatcher paths), anchored to the turn's assistant message. A new `POST /api/sessions/:id/checkpoints/:cid/restore` resets the worktree (`reset --hard` + `clean -fd`), trims the transcript past that message, and resets the `(chat,agent)` backend session so files, transcript, and agent context land consistent at the restore point; a per-message "Restore to here" affordance in `CoderMessageList` drives it. Built by three parallel agents over disjoint files; DB-integration testing caught a microsecond-`created_at` self-deletion bug in the later-checkpoint cleanup. Full coder suite 234 passing (incl. 17 fuzzy-match + 6 checkpoint tests), server+coder build + web tsc clean. Builds on `v2.7.0-mit`; openspec `write-edit-robustness`. Live host smoke (dispatcher hook + restore UI end-to-end) still to run.
 ## v2.7.0-mit — 2026-06-01
 Relicenses BooCode from AGPL-3.0 back to MIT by clearing the three Unsloth-Studio-derived files the `v2.4.0`/`v2.4.1` lifts pulled in — the root `LICENSE` and all five `package.json` had been `AGPL-3.0-only`, making the network-served work AGPL §13-encumbered. The enabling finding decoupled the relicense from the long-planned native-llama-server-parsing retirement: `tool-call-parser.ts`'s Unsloth-ported algorithm (`parseToolCallsFromText`/`scanBalancedBraces` + unused nudge constants) was **dead code** with no production import, so it was simply deleted while the load-bearing `extractToolCallBlocks`/`stripToolMarkup` (BooCode-authored streaming helpers) were kept byte-identical — no behavior change to the live tool-call path. `html-to-md.ts` was swapped to the MIT `node-html-markdown` library (`parse5` dropped; the only behavior delta is column-aligned tables, GFM hard-break `<br>`, and `<ol start>` renumbering, all feeding the LLM via `web_fetch`), and `llama-args-validator.ts` was clean-room rewritten with the managed-flag denylist re-derived from the public llama-server flag list (facts, not copyrightable). The license flip set `LICENSE` to MIT (`Copyright (c) 2026 indifferentketchup`), the five `package.json` to `MIT`, removed every AGPL SPDX header, added a README License section, and added a `license-mit` guard test that fails if AGPL provenance returns. Built by three parallel agents over the disjoint files; full server suite 519 passing (incl. 9 new guard tests), server build + coder typecheck clean. Resolves `boocode_code_review_v2.md` §1 #1 / §5k and the roadmap's `License-debt` batch (openspec `license-debt-mit`); supersedes that batch's original staged plan, which had entangled the flip with a live qwen3.6 validation window.
 ## v2.6.11-close-hooks-staging — 2026-06-01
 The two v2.6 follow-ups left after `v2.6.10-lifecycle-hardening`. **Server close-hook caller:** `apps/server` (BooChat) now fire-and-forgets BooCoder's Phase-3 close hooks so warm agent backends + worktrees tear down *immediately* on delete/archive instead of waiting for the idle-evict/reaper backstop — a new `coder-notify.ts` `notifyCoderClose(kind,id)` (reusing the v2.6.2 `BOOCODER_URL` reach, never-rejects) is `void`-called after the WS frame at session-delete (`POST /api/sessions/:id/close`) and chat archive / archive-all / delete (`POST /api/chats/:id/close`); an unreachable coder can never block or fail the user's delete/archive. **Staging-boundary hint (task 3.7):** the BooCoder DiffPanel now shows a muted one-liner when the selected provider can't see another agent's unapplied worktree edits — native boocode selected + external-agent-staged changes (or vice-versa) → "<agent>'s edits live in its worktree — BooCode won't see them until applied" — derived purely from the per-change `agent` + current provider, no new state. 6 new server tests (`coder-notify`), 537 server tests pass; web + server tsc/build clean. **With these the v2.6 openspec is fully closed** — only the live Smoke 2/2b/3 remain (manual exercise).
 ## v2.6.10-lifecycle-hardening — 2026-06-01
 v2.6 Phase 3 (the last phase) — lifecycle hardening of the warm-process backends. **Idle eviction + LRU cap:** the agent pool runs a 60s sweep that evicts backends/sessions idle past `AGENT_POOL_IDLE_TTL_MS` (30 min default) and any beyond `AGENT_POOL_MAX_LIVE` (10, LRU) — **never a busy one** (in-flight turn, double-checked via a new `isBusy()` backend hook); the worktree persists (DB-backed) and the next turn re-spawns + reattaches. The eviction/LRU/restart decisions are factored into a pure `lifecycle-decisions.ts` (modeled on the inference `selectPruneTargets` pattern). **Crash recovery:** lifts openchamber's health-monitor + busy-aware-restart + consecutive-failure + stale-busy-grace state machine into `opencode-server.ts` (with port reclaim) and `warm-acp.ts` — an opencode server crash settles in-flight turns as failed, marks the rows `crashed`, and recreates fresh sessions (a fresh server can't hold the old in-memory id), while a warm-ACP child crash re-`session/new`s next turn; the F.1 turn-guard and U.6 usage are preserved (their tests still pass). **Worktree reaper:** a periodic reaper removes orphan on-disk worktrees (no live `worktrees` row, 1h grace) behind a superset-style preflight that skips dirty/unpushed/unmerged work, with Paseo-style soft-delete (`status='archived'`). Plus close hooks (`/api/chats/:id/close`, `/api/sessions/:id/close`, awaiting the apps/server caller) and diff re-baseline after `apply_pending`. Built test-first — 35 new tests (`lifecycle-decisions` 22, `agent-pool` 13) + a DB-opt-in reconnect integration test; 215 coder tests pass, tsc + build clean. **This completes v2.6** (Phase 0–3 + F.1 + Phase 1-UX). Remaining follow-ups (out of v2.6 scope): the apps/server close-hook caller, the 3.7 DiffPanel staging-boundary hint (frontend), and live Smoke 2/2b/3.
 ## v2.6.9-warm-acp — 2026-05-31
 v2.6 Phase 2: goose and qwen now run as **warm ACP backends** instead of one-shot-per-task. A new `WarmAcpBackend` (`backends/warm-acp.ts`, implementing the same `AgentBackend` interface as the opencode warm server) holds one persistent `goose acp` / `qwen --acp` child + `ClientSideConnection` + ACP session per `(chat, agent)`, running `initialize` + `session/new` once and reusing the connection across turns; per-turn abort cancels the in-flight prompt (`session/cancel`) without killing the child, and a child exit marks `agent_sessions.status='crashed'` for re-spawn on the next turn. The dispatcher routes `goose`/`qwen` chat-tab tasks to the pooled warm backend via a pure `shouldUseWarmBackend(task)` predicate (warm only when both `session_id` and `chat_id` are set), keeping the one-shot `runExternalAgent` path as the fallback for session-less creators (arena, MCP, `new_task`); broker frames + `persistExternalAgentTurn` + the latest-wins `pending_changes` diff are identical to the opencode path. The `acp-dispatch.ts` `handleSessionUpdate` switch was extracted into a pure shared `acp-event-map.ts` mapper used by both the one-shot and warm paths (one-shot behavior byte-identical, all existing acp tests green). The design's `unstable_resumeSession` concern is resolved — the installed `@agentclientprotocol/sdk@^0.22.1` exposes stable `resumeSession`/`loadSession`, but resume is moot in the hot path (warm reuse needs none); cross-restart resume + idle eviction are deferred to Phase 3. Built test-first (15 new tests: `warm-acp-routing`, `acp-event-map`); 180 coder tests pass, tsc + build clean. **Smoke 2/2b (live two-message warm reuse + the opencode→boocode→opencode switch round-trip) to be run post-deploy.** Phase 3 (lifecycle hardening) is the last v2.6 phase.
 ## v2.6.8-agent-attribution — 2026-05-31
 v2.6 Phase 1-UX: agent attribution + switch affordances over the already-shipped `pending_changes.agent` column and `agent_sessions` table (read+display, no new backend capability). **Backend:** `pending_changes.agent` is now stamped at every queue site (native write tools → `'boocode'`, dispatched external agents → the task's agent, manual RightRail create → `NULL`) and flows through `listPending`; a new `GET /api/sessions/:id/agent-sessions` route returns `[{agent,status,has_session,last_active_at}]` per `(chat,agent)` for the session's chats; and the opencode warm-server backend consumes opencode's `session.next.step.ended` events, accumulating `input_tokens`/`output_tokens`/`cost` onto the `agent_sessions` row (new columns, idempotent). **Frontend:** the BooCoder DiffPanel renders a per-row agent badge (provider icon + label; `null` → "manual") with a "Changes from X, Y" note when a pending set spans multiple agents, and the AgentComposerBar shows a resumed / history / new-session chip beside the Provider picker — gated on an optional `sessionId` prop so BooChat is unaffected — driven by a new `useAgentSessions` hook that refetches on message-complete; `providerIcon` was extracted to a shared `components/coder/providerIcons.tsx`. Built by three parallel subagents over disjoint file sets; web + coder typecheck clean, 165 coder tests pass (9 new across `opencode-usage` and `agent-sessions.routes`). U.6's persisted token totals are conversation-cumulative and not yet surfaced in the UI (deferred). Implements the U.1–U.6 "remaining" plan from the v2.6 openspec reconciliation; Phase 2 (warm ACP goose/qwen) + Phase 3 (lifecycle hardening) remain.
 ## v2.6.7-interrupt-guard — 2026-05-31
 Fixes a post-interrupt correctness bug in the `v2.6.1-phase1-opencode` warm-server backend, made one-click reachable by `v2.6.5-panes-tabs-composer`'s Send→Stop composer. `opencode-server.ts` settled an in-flight turn on opencode's `session.idle`/`session.error` by calling `activeTurn.settle()` on whatever turn currently held the session slot — but opencode emits one trailing terminal event for a *cancelled* turn after `client.session.abort()`, and those events carry only a `sessionID` (no turn id). So after the user hit Stop and immediately sent another message, the aborted turn's orphan `session.idle` settled the *new* turn early as success (Paseo hit and fixed the same class in `1d38aac`). The fix adds a small pure guard (`turn-guard.ts`: `armAbortGuard`/`noteTurnActivity`/`consumeTerminal` over a per-session `swallowNextTerminal` flag): abort arms it, the next terminal is swallowed once, and a new turn's first delta self-heals the flag so a never-arriving orphan can't strand a real turn. Implemented test-first — three regression tests in `turn-guard.test.ts` (swallow-the-orphan, settle-when-no-abort, self-heal); full coder suite green (156 passed). This is the F.1 "fix-next" item from the v2.6 openspec reconciliation; Phase 1-UX / Phase 2 / Phase 3 remain.
 ## v2.6.6-claude-md — 2026-05-31
 Docs-only — CLAUDE.md session-learnings update, no code. Captures four recurring gotchas surfaced while shipping `v2.6.5-panes-tabs-composer`: (1) `sessions.workspace_panes` is now a `WorkspaceState` envelope (`panes` + `tabNumbers`/`nextTabNumber` + `closedPaneStack`), migrated from the legacy bare `WorkspacePane[]` on both frontend hydrate (`toWorkspaceState`) and the union-accepting server PATCH validator; (2) DB/session-aware tools take an optional `ToolExecCtx` (`{ sql, sessionId }`) 4th arg on `ToolDef.execute`, plumbed through the tool phase, with `read_tab_by_number` as the reference; (3) the two-schema-files-one-DB ownership split — `apps/coder/src/schema.sql` owns `agent_sessions`/`worktrees`/`pending_changes`/`available_agents` and extends `tasks`, distinct from BooChat's `apps/server/src/schema.sql` — plus the idempotent `confdeltype` FK-action-flip pattern (guard `ON DELETE` changes on `pg_constraint.confdeltype` so re-runs no-op); and (4) React StrictMode is on, so a `setState` called inside another `setState`'s updater double-fires in dev and must be made idempotent. Pairs with `v2.6.5-panes-tabs-composer`.
 ## v2.6.5-panes-tabs-composer — 2026-05-31
 A workspace UX batch across BooChat panes, tabs, and the composer, plus the persistence model that backs them. **Panes & tabs:** a chat can be opened in a fresh pane (the ChatTabBar tab context menu's "Open in new pane", and the fork button — which now lands the fork beside the original via a new `open_chat_in_new_pane` event instead of replacing the active pane); the per-pane "+" became a New BooChat/BooTerm/BooCode menu; closing a chat pane relocates its tabs (in order) into the oldest chat/empty pane instead of discarding them, and reopen strips the restored chatIds from every live pane first so a relocated-then-reopened pane never duplicates a tab (no stack-shape change); each tab carries a stable session-scoped number assigned on open and retired on close (never reused), rendered map-keyed rather than positional. The per-message "Open in pane" artifact button was removed, and the empty/landing pane became a real session history — the session's open chats plus separately-fetched archived chats, click to open or restore-and-open. **Persistence:** `sessions.workspace_panes` was widened from a bare `WorkspacePane[]` to a `WorkspaceState` envelope (`panes` + `tabNumbers`/`nextTabNumber` + `closedPaneStack`) so tab numbers and the reopen stack survive reload; the PATCH validator accepts the legacy array or the envelope (zod union) and migrates on write, and the `session_workspace_updated` WS-frame schema was widened on both web and server (byte-identical, parity test green) — the same schema-drift class as `v2.6.4-agent-sessions-fk`. **Composer:** the send button morphs Send → Stop → Queue with generation state (BooCoder keys on `sending || activeTaskId`, which also corrected its queue gates and added `cancelTask`), the standalone "Stop generating" pill was folded into it, and pasted chips now trail the typed text so a leading slash command stays first. **Tooling:** adds the read-only `read_tab_by_number` tool — resolves a session-scoped tab number to its chat via the persisted `tabNumbers` map and returns that chat's transcript; tools gained an optional `ToolExecCtx` (`{ sql, sessionId }`) on `execute` to support DB-reading tools. Builds on `v2.6.4-agent-sessions-fk`.
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -126,11 +126,11 @@ Font / CSS pipeline (apps/web):
 ### Multi-pane workspace
-Sessions hold 1–5 panes (chat / empty / placeholder terminal+agent). v1.12.1 moved pane state from per-device localStorage to `sessions.workspace_panes jsonb` for cross-device sync. `PATCH /api/sessions/:id/workspace` persists; `session_workspace_updated` user-channel frame broadcasts to every device watching the session. `useWorkspacePanes` debounces saves 300ms and dedups echoes by JSON string. Legacy localStorage key `boocode.workspace.panes.<sessionId>` is read once on first hydrate (one-time seed-and-delete migration when server is empty but localStorage has data); no longer written. The deprecated `session_panes` table was dropped. `validatePanes(validChatIds)` prunes panes referencing chat IDs that no longer exist (called by `useSessionChats` after the chat list fetch lands). Each chat lives in at most one pane; tab strip is per-pane and tracks `chatIds[]` + `activeChatIdx`. Tab reorder via native HTML5 drag events.
+Sessions hold 1–5 panes (chat / empty / placeholder terminal+agent). v1.12.1 moved pane state from per-device localStorage to `sessions.workspace_panes jsonb` for cross-device sync. `PATCH /api/sessions/:id/workspace` persists; `session_workspace_updated` user-channel frame broadcasts to every device watching the session. `useWorkspacePanes` debounces saves 300ms and dedups echoes by JSON string. Legacy localStorage key `boocode.workspace.panes.<sessionId>` is read once on first hydrate (one-time seed-and-delete migration when server is empty but localStorage has data); no longer written. The deprecated `session_panes` table was dropped. `validatePanes(validChatIds)` prunes panes referencing chat IDs that no longer exist (called by `useSessionChats` after the chat list fetch lands). Each chat lives in at most one pane; tab strip is per-pane and tracks `chatIds[]` + `activeChatIdx`. Tab reorder via native HTML5 drag events. v2.6.5: `workspace_panes` is now a `WorkspaceState` envelope `{panes, tabNumbers (chatId→stable session-scoped tab number, assigned on chat-pane open, retired on close, never reused), nextTabNumber, closedPaneStack (reopen LIFO, max 10, persisted so it survives reload)}` — not a bare `WorkspacePane[]`. Hydrate (`toWorkspaceState`) and the server PATCH validator (`z.union([array, envelope])` in `routes/sessions.ts`) both accept the legacy array and normalize to the envelope on read/write. Closing a chat pane relocates its tabs to the oldest chat/empty pane; `reopenPane` strips the restored chatIds from all live panes first (no duplication). `read_tab_by_number` resolves a number→chatId through `tabNumbers`.
 ## Database
-PostgreSQL 16. Database name: `boochat` (renamed from `boocode` in v2.0.0-alpha; Docker service name stays `boocode_db`). Tables: `projects`, `sessions`, `chats`, `messages`, `settings`, `message_parts` (v1.13.0), `pending_changes` (v2.0.0), `tasks` (v2.0.0), `available_agents` (v2.0.0). Views: `messages_with_parts` (v1.13.1-B parts-merge read path), `tool_cost_stats` (v1.13.10 per-tool 100-call rolling window), `human_inbox` (v2.0.0 — tasks WHERE state IN blocked/failed). (`session_panes` was dropped in v1.12.1; workspace pane state lives in `sessions.workspace_panes jsonb`.) Schema applied idempotently on startup via `applySchema()`. Use `clock_timestamp()` (not `NOW()`) inside transactions. CHECK constraints in place: `projects_status_chk` ('open'|'archived'), `sessions_status_chk` (same), `chats_status_chk` (same), `messages_role_chk`, `messages_status_chk` — keep in sync with the `*_STATUSES` const arrays in `apps/server/src/types/api.ts`. The older anonymous `messages_status_check` (without 'cancelled') and `messages_role_check` (without 'system') were dropped in v1.12.1; only the `_chk` variants remain.
+PostgreSQL 16. Database name: `boochat` (renamed from `boocode` in v2.0.0-alpha; Docker service name stays `boocode_db`). Tables: `projects`, `sessions`, `chats`, `messages`, `settings`, `message_parts` (v1.13.0), `pending_changes` (v2.0.0), `tasks` (v2.0.0), `available_agents` (v2.0.0). Views: `messages_with_parts` (v1.13.1-B parts-merge read path), `tool_cost_stats` (v1.13.10 per-tool 100-call rolling window), `human_inbox` (v2.0.0 — tasks WHERE state IN blocked/failed). (`session_panes` was dropped in v1.12.1; workspace pane state lives in `sessions.workspace_panes jsonb`.) Schema applied idempotently on startup via `applySchema()`. Use `clock_timestamp()` (not `NOW()`) inside transactions. CHECK constraints in place: `projects_status_chk` ('open'|'archived'), `sessions_status_chk` (same), `chats_status_chk` (same), `messages_role_chk`, `messages_status_chk` — keep in sync with the `*_STATUSES` const arrays in `apps/server/src/types/api.ts`. The older anonymous `messages_status_check` (without 'cancelled') and `messages_role_check` (without 'system') were dropped in v1.12.1; only the `_chk` variants remain. **Two schema files, one DB:** `apps/server/src/schema.sql` owns `sessions`/`chats`/`messages`/`message_parts`; `apps/coder/src/schema.sql` (applied by the boocoder host service) owns `agent_sessions`, `worktrees`, `pending_changes`, `available_agents` and extends `tasks`. Both apply idempotently to the one `boochat` DB — so e.g. an `agent_sessions` FK change goes in the **coder** schema, not the server one. Idempotent FK-action flips (e.g. `ON DELETE CASCADE`→`SET NULL`) guard on `pg_constraint.confdeltype` so a re-run/fresh-deploy is a no-op (see the `session_worktrees`/`agent_sessions` defang blocks).
 Schema CHECK migration order when renaming allowed values: (1) `ALTER TABLE ... DROP CONSTRAINT IF EXISTS <system_name>` (inline `CREATE TABLE` checks get `<table>_<column>_check`), (2) `UPDATE` rows to new values, (3) wrap new constraint ADD in `DO $$ ... pg_constraint` guard — that block is the only way to get `ADD CONSTRAINT IF NOT EXISTS`.
@@ -188,8 +188,10 @@ BooCoder at port 9502: `curl http://100.114.205.53:9502/api/health`. Runs as `bo
 - A scrollable list inside a Dialog on mobile: cap `DialogContent` (`max-h-[85vh]` + `grid-rows-[auto_minmax(0,1fr)_auto]`) and make the list the single scroll region with `overscroll-contain` — otherwise touch-scroll drags the whole fixed modal / chains to the page.
 - xterm.js v5 uses canvas rendering — browser doesn't see xterm's selection; the native right-click menu has no working Copy for terminal text. App keybindings (`Cmd/Ctrl-C`, `Cmd/Ctrl-Shift-C`) are the path.
 - **New tools** live in their own `services/<name>.ts` file (see `web_search.ts`, `web_fetch.ts`) — exports a pure `executeFoo(input, ...deps)` for direct test access plus a `ToolDef` wrapper that `loadConfig()`s its real dependencies. Register the ToolDef in `tools.ts` `ALL_TOOLS` (and `READ_ONLY_TOOL_NAMES` if applicable). Inject `fetcher: typeof fetch = fetch` rather than `vi.spyOn(globalThis, 'fetch')` — cleanup is simpler and the production call site stays unchanged.
 - **DB/session-aware tools** take an optional 4th `ToolExecCtx { sql, sessionId }` arg on `ToolDef.execute`, plumbed `executeToolPhase`→`executeToolCall`→`execute`. It's optional so the filesystem tools and the `apps/coder` `ALL_TOOLS` consumer stay compatible; filesystem tools ignore it. `read_tab_by_number` (reads `sessions.workspace_panes` + the chat's messages via `sql`) is the reference.
 - **Sentinels** are `role='system'` rows with structured `metadata.kind` (`cap_hit`, `doom_loop`). UI-only — `buildMessagesPayload` strips them via `isAnySentinel` so the LLM never sees them. A new kind requires arms in `MessageMetadata` in BOTH `apps/server/src/types/api.ts` AND `apps/web/src/api/types.ts`, plus a render branch in `apps/web/src/components/MessageBubble.tsx`.
 - **ReadableStream test stubs** use `pull()` (not `start()`) so chunks are produced lazily — `start()` enqueues everything and calls `controller.close()` before the consumer reads, so a subsequent `reader.cancel()` finds the stream already closed and the `cancel()` callback never fires. Also provide MORE chunks than the test will consume so the source stays in 'readable' state when cancel runs (e.g. cap test reads ~6 chunks, stub provides 10).
 - React **StrictMode is on** (`main.tsx`): an updater passed to one `setState` that itself calls another `setState` (e.g. `setClosedPaneStack` inside a `setPanes` updater) is double-invoked in dev. Make such nested updates idempotent — `useWorkspacePanes`'s `appendClosed` dedupes a value-identical top entry for exactly this reason.
 - Tool-name whitelists must derive from `ALL_TOOLS` in `services/tools.ts`, never hardcoded. `services/agents.ts` `ALL_TOOL_NAMES` had this drift class until v1.12 — same pattern applies to any future tool-aware code.
 - Agent registry lives at `data/AGENTS.md` (global, bind-mounted at `/data/AGENTS.md`). No per-project `AGENTS.md` in this repo — removed in v1.12 to eliminate the two-files-must-stay-in-sync drift. The `getAgentsForProject` per-project override mechanism remains for *other* projects.
 - `data/AGENTS.md` is PARSED (`agents.ts` `splitSections`/`parseAgentSection`): each `## <Name>` is one agent and must be followed by a `---` frontmatter fence or the block throws; content before the first `## ` is discarded. Do NOT add free-form `## ` rule sections — they break the registry. Cross-cutting agent rules go in CLAUDE.md or a parser-ignored preamble.
--- a/682
+++ b/682
@@ -1,661 +1,21 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
+MIT License
-                       Version 3, 19 November 2007
+
-
+Copyright (c) 2026 indifferentketchup
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+
- Everyone is permitted to copy and distribute verbatim copies
+Permission is hereby granted, free of charge, to any person obtaining a copy
- of this license document, but changing it is not allowed.
+of this software and associated documentation files (the "Software"), to deal
-
+in the Software without restriction, including without limitation the rights
-                            Preamble
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-
+copies of the Software, and to permit persons to whom the Software is
-  The GNU Affero General Public License is a free, copyleft license for
+furnished to do so, subject to the following conditions:
-software and other kinds of works, specifically designed to ensure
+
-cooperation with the community in the case of network server software.
+The above copyright notice and this permission notice shall be included in all
-
+copies or substantial portions of the Software.
-  The licenses for most software and other practical works are designed
+
-to take away your freedom to share and change the works.  By contrast,
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-our General Public Licenses are intended to guarantee your freedom to
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-share and change all versions of a program--to make sure it remains free
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-software for all its users.
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-  When we speak of free software, we are referring to freedom, not
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-price.  Our General Public Licenses are designed to make sure that you
+SOFTWARE.
 have the freedom to distribute copies of free software (and charge for
 them if you wish), that you receive source code or can get it if you
 want it, that you can change the software or use pieces of it in new
 free programs, and that you know you can do these things.
  Developers that use our General Public Licenses protect your rights
 with two steps: (1) assert copyright on the software, and (2) offer
 you this License which gives you legal permission to copy, distribute
 and/or modify the software.
  A secondary benefit of defending all users' freedom is that
 improvements made in alternate versions of the program, if they
 receive widespread use, become available for other developers to
 incorporate.  Many developers of free software are heartened and
 encouraged by the resulting cooperation.  However, in the case of
 software used on network servers, this result may fail to come about.
 The GNU General Public License permits making a modified version and
 letting the public access it on a server without ever releasing its
 source code to the public.
  The GNU Affero General Public License is designed specifically to
 ensure that, in such cases, the modified source code becomes available
 to the community.  It requires the operator of a network server to
 provide the source code of the modified version running there to the
 users of that server.  Therefore, public use of a modified version, on
 a publicly accessible server, gives the public access to the source
 code of the modified version.
  An older license, called the Affero General Public License and
 published by Affero, was designed to accomplish similar goals.  This is
 a different license, not a version of the Affero GPL, but Affero has
 released a new version of the Affero GPL which permits relicensing under
 this license.
  The precise terms and conditions for copying, distribution and
 modification follow.
                       TERMS AND CONDITIONS
  0. Definitions.
  "This License" refers to version 3 of the GNU Affero General Public License.
  "Copyright" also means copyright-like laws that apply to other kinds of
 works, such as semiconductor masks.
  "The Program" refers to any copyrightable work licensed under this
 License.  Each licensee is addressed as "you".  "Licensees" and
 "recipients" may be individuals or organizations.
  To "modify" a work means to copy from or adapt all or part of the work
 in a fashion requiring copyright permission, other than the making of an
 exact copy.  The resulting work is called a "modified version" of the
 earlier work or a work "based on" the earlier work.
  A "covered work" means either the unmodified Program or a work based
 on the Program.
  To "propagate" a work means to do anything with it that, without
 permission, would make you directly or secondarily liable for
 infringement under applicable copyright law, except executing it on a
 computer or modifying a private copy.  Propagation includes copying,
 distribution (with or without modification), making available to the
 public, and in some countries other activities as well.
  To "convey" a work means any kind of propagation that enables other
 parties to make or receive copies.  Mere interaction with a user through
 a computer network, with no transfer of a copy, is not conveying.
  An interactive user interface displays "Appropriate Legal Notices"
 to the extent that it includes a convenient and prominently visible
 feature that (1) displays an appropriate copyright notice, and (2)
 tells the user that there is no warranty for the work (except to the
 extent that warranties are provided), that licensees may convey the
 work under this License, and how to view a copy of this License.  If
 the interface presents a list of user commands or options, such as a
 menu, a prominent item in the list meets this criterion.
  1. Source Code.
  The "source code" for a work means the preferred form of the work
 for making modifications to it.  "Object code" means any non-source
 form of a work.
  A "Standard Interface" means an interface that either is an official
 standard defined by a recognized standards body, or, in the case of
 interfaces specified for a particular programming language, one that
 is widely used among developers working in that language.
  The "System Libraries" of an executable work include anything, other
 than the work as a whole, that (a) is included in the normal form of
 packaging a Major Component, but which is not part of that Major
 Component, and (b) serves only to enable use of the work with that
 Major Component, or to implement a Standard Interface for which an
 implementation is available to the public in source code form.  A
 "Major Component", in this context, means a major essential component
 (kernel, window system, and so on) of the specific operating system
 (if any) on which the executable work runs, or a compiler used to
 produce the work, or an object code interpreter used to run it.
  The "Corresponding Source" for a work in object code form means all
 the source code needed to generate, install, and (for an executable
 work) run the object code and to modify the work, including scripts to
 control those activities.  However, it does not include the work's
 System Libraries, or general-purpose tools or generally available free
 programs which are used unmodified in performing those activities but
 which are not part of the work.  For example, Corresponding Source
 includes interface definition files associated with source files for
 the work, and the source code for shared libraries and dynamically
 linked subprograms that the work is specifically designed to require,
 such as by intimate data communication or control flow between those
 subprograms and other parts of the work.
  The Corresponding Source need not include anything that users
 can regenerate automatically from other parts of the Corresponding
 Source.
  The Corresponding Source for a work in source code form is that
 same work.
  2. Basic Permissions.
  All rights granted under this License are granted for the term of
 copyright on the Program, and are irrevocable provided the stated
 conditions are met.  This License explicitly affirms your unlimited
 permission to run the unmodified Program.  The output from running a
 covered work is covered by this License only if the output, given its
 content, constitutes a covered work.  This License acknowledges your
 rights of fair use or other equivalent, as provided by copyright law.
  You may make, run and propagate covered works that you do not
 convey, without conditions so long as your license otherwise remains
 in force.  You may convey covered works to others for the sole purpose
 of having them make modifications exclusively for you, or provide you
 with facilities for running those works, provided that you comply with
 the terms of this License in conveying all material for which you do
 not control copyright.  Those thus making or running the covered works
 for you must do so exclusively on your behalf, under your direction
 and control, on terms that prohibit them from making any copies of
 your copyrighted material outside their relationship with you.
  Conveying under any other circumstances is permitted solely under
 the conditions stated below.  Sublicensing is not allowed; section 10
 makes it unnecessary.
  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
  No covered work shall be deemed part of an effective technological
 measure under any applicable law fulfilling obligations under article
 11 of the WIPO copyright treaty adopted on 20 December 1996, or
 similar laws prohibiting or restricting circumvention of such
 measures.
  When you convey a covered work, you waive any legal power to forbid
 circumvention of technological measures to the extent such circumvention
 is effected by exercising rights under this License with respect to
 the covered work, and you disclaim any intention to limit operation or
 modification of the work as a means of enforcing, against the work's
 users, your or third parties' legal rights to forbid circumvention of
 technological measures.
  4. Conveying Verbatim Copies.
  You may convey verbatim copies of the Program's source code as you
 receive it, in any medium, provided that you conspicuously and
 appropriately publish on each copy an appropriate copyright notice;
 keep intact all notices stating that this License and any
 non-permissive terms added in accord with section 7 apply to the code;
 keep intact all notices of the absence of any warranty; and give all
 recipients a copy of this License along with the Program.
  You may charge any price or no price for each copy that you convey,
 and you may offer support or warranty protection for a fee.
  5. Conveying Modified Source Versions.
  You may convey a work based on the Program, or the modifications to
 produce it from the Program, in the form of source code under the
 terms of section 4, provided that you also meet all of these conditions:
    a) The work must carry prominent notices stating that you modified
    it, and giving a relevant date.
    b) The work must carry prominent notices stating that it is
    released under this License and any conditions added under section
    7.  This requirement modifies the requirement in section 4 to
    "keep intact all notices".
    c) You must license the entire work, as a whole, under this
    License to anyone who comes into possession of a copy.  This
    License will therefore apply, along with any applicable section 7
    additional terms, to the whole of the work, and all its parts,
    regardless of how they are packaged.  This License gives no
    permission to license the work in any other way, but it does not
    invalidate such permission if you have separately received it.
    d) If the work has interactive user interfaces, each must display
    Appropriate Legal Notices; however, if the Program has interactive
    interfaces that do not display Appropriate Legal Notices, your
    work need not make them do so.
  A compilation of a covered work with other separate and independent
 works, which are not by their nature extensions of the covered work,
 and which are not combined with it such as to form a larger program,
 in or on a volume of a storage or distribution medium, is called an
 "aggregate" if the compilation and its resulting copyright are not
 used to limit the access or legal rights of the compilation's users
 beyond what the individual works permit.  Inclusion of a covered work
 in an aggregate does not cause this License to apply to the other
 parts of the aggregate.
  6. Conveying Non-Source Forms.
  You may convey a covered work in object code form under the terms
 of sections 4 and 5, provided that you also convey the
 machine-readable Corresponding Source under the terms of this License,
 in one of these ways:
    a) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by the
    Corresponding Source fixed on a durable physical medium
    customarily used for software interchange.
    b) Convey the object code in, or embodied in, a physical product
    (including a physical distribution medium), accompanied by a
    written offer, valid for at least three years and valid for as
    long as you offer spare parts or customer support for that product
    model, to give anyone who possesses the object code either (1) a
    copy of the Corresponding Source for all the software in the
    product that is covered by this License, on a durable physical
    medium customarily used for software interchange, for a price no
    more than your reasonable cost of physically performing this
    conveying of source, or (2) access to copy the
    Corresponding Source from a network server at no charge.
    c) Convey individual copies of the object code with a copy of the
    written offer to provide the Corresponding Source.  This
    alternative is allowed only occasionally and noncommercially, and
    only if you received the object code with such an offer, in accord
    with subsection 6b.
    d) Convey the object code by offering access from a designated
    place (gratis or for a charge), and offer equivalent access to the
    Corresponding Source in the same way through the same place at no
    further charge.  You need not require recipients to copy the
    Corresponding Source along with the object code.  If the place to
    copy the object code is a network server, the Corresponding Source
    may be on a different server (operated by you or a third party)
    that supports equivalent copying facilities, provided you maintain
    clear directions next to the object code saying where to find the
    Corresponding Source.  Regardless of what server hosts the
    Corresponding Source, you remain obligated to ensure that it is
    available for as long as needed to satisfy these requirements.
    e) Convey the object code using peer-to-peer transmission, provided
    you inform other peers where the object code and Corresponding
    Source of the work are being offered to the general public at no
    charge under subsection 6d.
  A separable portion of the object code, whose source code is excluded
 from the Corresponding Source as a System Library, need not be
 included in conveying the object code work.
  A "User Product" is either (1) a "consumer product", which means any
 tangible personal property which is normally used for personal, family,
 or household purposes, or (2) anything designed or sold for incorporation
 into a dwelling.  In determining whether a product is a consumer product,
 doubtful cases shall be resolved in favor of coverage.  For a particular
 product received by a particular user, "normally used" refers to a
 typical or common use of that class of product, regardless of the status
 of the particular user or of the way in which the particular user
 actually uses, or expects or is expected to use, the product.  A product
 is a consumer product regardless of whether the product has substantial
 commercial, industrial or non-consumer uses, unless such uses represent
 the only significant mode of use of the product.
  "Installation Information" for a User Product means any methods,
 procedures, authorization keys, or other information required to install
 and execute modified versions of a covered work in that User Product from
 a modified version of its Corresponding Source.  The information must
 suffice to ensure that the continued functioning of the modified object
 code is in no case prevented or interfered with solely because
 modification has been made.
  If you convey an object code work under this section in, or with, or
 specifically for use in, a User Product, and the conveying occurs as
 part of a transaction in which the right of possession and use of the
 User Product is transferred to the recipient in perpetuity or for a
 fixed term (regardless of how the transaction is characterized), the
 Corresponding Source conveyed under this section must be accompanied
 by the Installation Information.  But this requirement does not apply
 if neither you nor any third party retains the ability to install
 modified object code on the User Product (for example, the work has
 been installed in ROM).
  The requirement to provide Installation Information does not include a
 requirement to continue to provide support service, warranty, or updates
 for a work that has been modified or installed by the recipient, or for
 the User Product in which it has been modified or installed.  Access to a
 network may be denied when the modification itself materially and
 adversely affects the operation of the network or violates the rules and
 protocols for communication across the network.
  Corresponding Source conveyed, and Installation Information provided,
 in accord with this section must be in a format that is publicly
 documented (and with an implementation available to the public in
 source code form), and must require no special password or key for
 unpacking, reading or copying.
  7. Additional Terms.
  "Additional permissions" are terms that supplement the terms of this
 License by making exceptions from one or more of its conditions.
 Additional permissions that are applicable to the entire Program shall
 be treated as though they were included in this License, to the extent
 that they are valid under applicable law.  If additional permissions
 apply only to part of the Program, that part may be used separately
 under those permissions, but the entire Program remains governed by
 this License without regard to the additional permissions.
  When you convey a copy of a covered work, you may at your option
 remove any additional permissions from that copy, or from any part of
 it.  (Additional permissions may be written to require their own
 removal in certain cases when you modify the work.)  You may place
 additional permissions on material, added by you to a covered work,
 for which you have or can give appropriate copyright permission.
  Notwithstanding any other provision of this License, for material you
 add to a covered work, you may (if authorized by the copyright holders of
 that material) supplement the terms of this License with terms:
    a) Disclaiming warranty or limiting liability differently from the
    terms of sections 15 and 16 of this License; or
    b) Requiring preservation of specified reasonable legal notices or
    author attributions in that material or in the Appropriate Legal
    Notices displayed by works containing it; or
    c) Prohibiting misrepresentation of the origin of that material, or
    requiring that modified versions of such material be marked in
    reasonable ways as different from the original version; or
    d) Limiting the use for publicity purposes of names of licensors or
    authors of the material; or
    e) Declining to grant rights under trademark law for use of some
    trade names, trademarks, or service marks; or
    f) Requiring indemnification of licensors and authors of that
    material by anyone who conveys the material (or modified versions of
    it) with contractual assumptions of liability to the recipient, for
    any liability that these contractual assumptions directly impose on
    those licensors and authors.
  All other non-permissive additional terms are considered "further
 restrictions" within the meaning of section 10.  If the Program as you
 received it, or any part of it, contains a notice stating that it is
 governed by this License along with a term that is a further
 restriction, you may remove that term.  If a license document contains
 a further restriction but permits relicensing or conveying under this
 License, you may add to a covered work material governed by the terms
 of that license document, provided that the further restriction does
 not survive such relicensing or conveying.
  If you add terms to a covered work in accord with this section, you
 must place, in the relevant source files, a statement of the
 additional terms that apply to those files, or a notice indicating
 where to find the applicable terms.
  Additional terms, permissive or non-permissive, may be stated in the
 form of a separately written license, or stated as exceptions;
 the above requirements apply either way.
  8. Termination.
  You may not propagate or modify a covered work except as expressly
 provided under this License.  Any attempt otherwise to propagate or
 modify it is void, and will automatically terminate your rights under
 this License (including any patent licenses granted under the third
 paragraph of section 11).
  However, if you cease all violation of this License, then your
 license from a particular copyright holder is reinstated (a)
 provisionally, unless and until the copyright holder explicitly and
 finally terminates your license, and (b) permanently, if the copyright
 holder fails to notify you of the violation by some reasonable means
 prior to 60 days after the cessation.
  Moreover, your license from a particular copyright holder is
 reinstated permanently if the copyright holder notifies you of the
 violation by some reasonable means, this is the first time you have
 received notice of violation of this License (for any work) from that
 copyright holder, and you cure the violation prior to 30 days after
 your receipt of the notice.
  Termination of your rights under this section does not terminate the
 licenses of parties who have received copies or rights from you under
 this License.  If your rights have been terminated and not permanently
 reinstated, you do not qualify to receive new licenses for the same
 material under section 10.
  9. Acceptance Not Required for Having Copies.
  You are not required to accept this License in order to receive or
 run a copy of the Program.  Ancillary propagation of a covered work
 occurring solely as a consequence of using peer-to-peer transmission
 to receive a copy likewise does not require acceptance.  However,
 nothing other than this License grants you permission to propagate or
 modify any covered work.  These actions infringe copyright if you do
 not accept this License.  Therefore, by modifying or propagating a
 covered work, you indicate your acceptance of this License to do so.
  10. Automatic Licensing of Downstream Recipients.
  Each time you convey a covered work, the recipient automatically
 receives a license from the original licensors, to run, modify and
 propagate that work, subject to this License.  You are not responsible
 for enforcing compliance by third parties with this License.
  An "entity transaction" is a transaction transferring control of an
 organization, or substantially all assets of one, or subdividing an
 organization, or merging organizations.  If propagation of a covered
 work results from an entity transaction, each party to that
 transaction who receives a copy of the work also receives whatever
 licenses to the work the party's predecessor in interest had or could
 give under the previous paragraph, plus a right to possession of the
 Corresponding Source of the work from the predecessor in interest, if
 the predecessor has it or can get it with reasonable efforts.
  You may not impose any further restrictions on the exercise of the
 rights granted or affirmed under this License.  For example, you may
 not impose a license fee, royalty, or other charge for exercise of
 rights granted under this License, and you may not initiate litigation
 (including a cross-claim or counterclaim in a lawsuit) alleging that
 any patent claim is infringed by making, using, selling, offering for
 sale, or importing the Program or any portion of it.
  11. Patents.
  A "contributor" is a copyright holder who authorizes use under this
 License of the Program or a work on which the Program is based.  The
 work thus licensed is called the contributor's "contributor version".
  A contributor's "essential patent claims" are all patent claims
 owned or controlled by the contributor, whether already acquired or
 hereafter acquired, that would be infringed by some manner, permitted
 by this License, of making, using, or selling its contributor version,
 but do not include claims that would be infringed only as a
 consequence of further modification of the contributor version.  For
 purposes of this definition, "control" includes the right to grant
 patent sublicenses in a manner consistent with the requirements of
 this License.
  Each contributor grants you a non-exclusive, worldwide, royalty-free
 patent license under the contributor's essential patent claims, to
 make, use, sell, offer for sale, import and otherwise run, modify and
 propagate the contents of its contributor version.
  In the following three paragraphs, a "patent license" is any express
 agreement or commitment, however denominated, not to enforce a patent
 (such as an express permission to practice a patent or covenant not to
 sue for patent infringement).  To "grant" such a patent license to a
 party means to make such an agreement or commitment not to enforce a
 patent against the party.
  If you convey a covered work, knowingly relying on a patent license,
 and the Corresponding Source of the work is not available for anyone
 to copy, free of charge and under the terms of this License, through a
 publicly available network server or other readily accessible means,
 then you must either (1) cause the Corresponding Source to be so
 available, or (2) arrange to deprive yourself of the benefit of the
 patent license for this particular work, or (3) arrange, in a manner
 consistent with the requirements of this License, to extend the patent
 license to downstream recipients.  "Knowingly relying" means you have
 actual knowledge that, but for the patent license, your conveying the
 covered work in a country, or your recipient's use of the covered work
 in a country, would infringe one or more identifiable patents in that
 country that you have reason to believe are valid.
  If, pursuant to or in connection with a single transaction or
 arrangement, you convey, or propagate by procuring conveyance of, a
 covered work, and grant a patent license to some of the parties
 receiving the covered work authorizing them to use, propagate, modify
 or convey a specific copy of the covered work, then the patent license
 you grant is automatically extended to all recipients of the covered
 work and works based on it.
  A patent license is "discriminatory" if it does not include within
 the scope of its coverage, prohibits the exercise of, or is
 conditioned on the non-exercise of one or more of the rights that are
 specifically granted under this License.  You may not convey a covered
 work if you are a party to an arrangement with a third party that is
 in the business of distributing software, under which you make payment
 to the third party based on the extent of your activity of conveying
 the work, and under which the third party grants, to any of the
 parties who would receive the covered work from you, a discriminatory
 patent license (a) in connection with copies of the covered work
 conveyed by you (or copies made from those copies), or (b) primarily
 for and in connection with specific products or compilations that
 contain the covered work, unless you entered into that arrangement,
 or that patent license was granted, prior to 28 March 2007.
  Nothing in this License shall be construed as excluding or limiting
 any implied license or other defenses to infringement that may
 otherwise be available to you under applicable patent law.
  12. No Surrender of Others' Freedom.
  If conditions are imposed on you (whether by court order, agreement or
 otherwise) that contradict the conditions of this License, they do not
 excuse you from the conditions of this License.  If you cannot convey a
 covered work so as to satisfy simultaneously your obligations under this
 License and any other pertinent obligations, then as a consequence you may
 not convey it at all.  For example, if you agree to terms that obligate you
 to collect a royalty for further conveying from those to whom you convey
 the Program, the only way you could satisfy both those terms and this
 License would be to refrain entirely from conveying the Program.
  13. Remote Network Interaction; Use with the GNU General Public License.
  Notwithstanding any other provision of this License, if you modify the
 Program, your modified version must prominently offer all users
 interacting with it remotely through a computer network (if your version
 supports such interaction) an opportunity to receive the Corresponding
 Source of your version by providing access to the Corresponding Source
 from a network server at no charge, through some standard or customary
 means of facilitating copying of software.  This Corresponding Source
 shall include the Corresponding Source for any work covered by version 3
 of the GNU General Public License that is incorporated pursuant to the
 following paragraph.
  Notwithstanding any other provision of this License, you have
 permission to link or combine any covered work with a work licensed
 under version 3 of the GNU General Public License into a single
 combined work, and to convey the resulting work.  The terms of this
 License will continue to apply to the part which is the covered work,
 but the work with which it is combined will remain governed by version
 3 of the GNU General Public License.
  14. Revised Versions of this License.
  The Free Software Foundation may publish revised and/or new versions of
 the GNU Affero General Public License from time to time.  Such new versions
 will be similar in spirit to the present version, but may differ in detail to
 address new problems or concerns.
  Each version is given a distinguishing version number.  If the
 Program specifies that a certain numbered version of the GNU Affero General
 Public License "or any later version" applies to it, you have the
 option of following the terms and conditions either of that numbered
 version or of any later version published by the Free Software
 Foundation.  If the Program does not specify a version number of the
 GNU Affero General Public License, you may choose any version ever published
 by the Free Software Foundation.
  If the Program specifies that a proxy can decide which future
 versions of the GNU Affero General Public License can be used, that proxy's
 public statement of acceptance of a version permanently authorizes you
 to choose that version for the Program.
  Later license versions may give you additional or different
 permissions.  However, no additional obligations are imposed on any
 author or copyright holder as a result of your choosing to follow a
 later version.
  15. Disclaimer of Warranty.
  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
 APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
 HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
 OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
 THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
 IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
 ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
  16. Limitation of Liability.
  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
 WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
 THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
 GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
 USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
 DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
 PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
 EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
 SUCH DAMAGES.
  17. Interpretation of Sections 15 and 16.
  If the disclaimer of warranty and limitation of liability provided
 above cannot be given local legal effect according to their terms,
 reviewing courts shall apply local law that most closely approximates
 an absolute waiver of all civil liability in connection with the
 Program, unless a warranty or assumption of liability accompanies a
 copy of the Program in return for a fee.
                     END OF TERMS AND CONDITIONS
            How to Apply These Terms to Your New Programs
  If you develop a new program, and you want it to be of the greatest
 possible use to the public, the best way to achieve this is to make it
 free software which everyone can redistribute and change under these terms.
  To do so, attach the following notices to the program.  It is safest
 to attach them to the start of each source file to most effectively
 state the exclusion of warranty; and each file should have at least
 the "copyright" line and a pointer to where the full notice is found.
    <one line to give the program's name and a brief idea of what it does.>
    Copyright (C) <year>  <name of author>
    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU Affero General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU Affero General Public License for more details.
    You should have received a copy of the GNU Affero General Public License
    along with this program.  If not, see <https://www.gnu.org/licenses/>.
 Also add information on how to contact you by electronic and paper mail.
  If your software can interact with users remotely through a computer
 network, you should also make sure that it provides a way for users to
 get its source.  For example, if your program is a web application, its
 interface could display a "Source" link that leads users to an archive
 of the code.  There are many ways you could offer source, and different
 solutions will be better for different programs; see section 13 for the
 specific requirements.
  You should also get your employer (if you work as a programmer) or school,
 if any, to sign a "copyright disclaimer" for the program, if necessary.
 For more information on this, and how to apply and follow the GNU AGPL, see
 <https://www.gnu.org/licenses/>.
--- a/README.md
+++ b/README.md
@@ -84,3 +84,7 @@ See [`boocode_roadmap.md`](boocode_roadmap.md) for full version history. Highlig
 ## Planned
 - **v2.3 provider lifecycle** — config-backed provider registry (`/data/coder-providers.json`), enable/disable toggles, two-tier probe (openspec drafted). See [`CURRENT.md`](CURRENT.md).
 ## License
 MIT — see [`LICENSE`](LICENSE).
--- a/apps/booterm/package.json
+++ b/apps/booterm/package.json
@@ -24,5 +24,5 @@
    "tsx": "^4.16.2",
    "typescript": "^5.5.0"
  },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }
--- a/apps/coder/package.json
+++ b/apps/coder/package.json
@@ -31,5 +31,5 @@
    "typescript": "^5.5.0",
    "vitest": "^3.0.0"
  },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }
--- a/apps/coder/src/config.ts
+++ b/apps/coder/src/config.ts
@@ -35,6 +35,21 @@ const ConfigSchema = z.object({
  // SSH access to the host for external agent dispatch (Phase 5)
  BOOCODER_SSH_HOST: z.string().default('100.114.205.53'),
  BOOCODER_SSH_USER: z.string().default('samkintop'),
  // v2.6 Phase 3 (lifecycle hardening). Idle TTL: evict a non-busy warm backend
  // (opencode server / warm-ACP child) after this long with no turn — its worktree
  // + agent_sessions row persist, so the next turn re-spawns + reattaches. 30 min
  // default (design §6).
  AGENT_POOL_IDLE_TTL_MS: z.coerce.number().int().positive().default(1_800_000),
  // LRU cap: max live warm backends before the least-recently-used (non-busy) ones
  // are evicted. Bounds the long-lived-daemon's per-(chat,agent) Map growth.
  AGENT_POOL_MAX_LIVE: z.coerce.number().int().positive().default(10),
  // Periodic sweep cadence (idle/LRU pool eviction + orphan-worktree reap). 60s
  // mirrors the apps/server truncation/stale-streaming sweeper.
  LIFECYCLE_SWEEP_INTERVAL_MS: z.coerce.number().int().positive().default(60_000),
  // Orphan-worktree grace: an on-disk worktree dir with no live `worktrees` row is
  // only reaped after it's been untouched this long (avoids sweeping a dir mid
  // ensureSessionWorktree create). 1h default.
  ORPHAN_WORKTREE_GRACE_MS: z.coerce.number().int().positive().default(3_600_000),
 });
 export type Config = z.infer<typeof ConfigSchema>;
--- a/apps/coder/src/index.ts
+++ b/apps/coder/src/index.ts
@@ -25,16 +25,20 @@ import { setInferenceContext, clearInferenceContext } from './services/tools/inf
 import { registerMessageRoutes } from './routes/messages.js';
 import { registerSkillRoutes } from './routes/skills.js';
 import { registerPendingRoutes } from './routes/pending.js';
 import { registerCheckpointRoutes } from './routes/checkpoints.js';
 import { registerAgentSessionRoutes } from './routes/agent-sessions.js';
 import { registerTaskRoutes } from './routes/tasks.js';
 import { registerInboxRoutes } from './routes/inbox.js';
 import { registerStatsRoutes } from './routes/stats.js';
 import { registerArenaRoutes } from './routes/arena.js';
 import { registerProviderRoutes } from './routes/providers.js';
 import { registerWorktreeSafetyRoutes } from './routes/worktree-safety.js';
 import { registerLifecycleRoutes } from './routes/lifecycle.js';
 import { registerWebSocket } from './routes/ws.js';
 // Phase 4: dispatcher + agent probe
 import { createDispatcher } from './services/dispatcher.js';
 import { agentPool } from './services/agent-pool.js';
 import { createOrphanWorktreeReaper } from './services/orphan-worktree-reaper.js';
 import { probeAgents } from './services/agent-probe.js';
 import { getProviderSnapshot, persistProbedModels } from './services/provider-snapshot.js';
 import { setPermissionHooks } from './services/permission-waiter.js';
@@ -180,10 +184,30 @@ async function main() {
  // Phase 4: dispatcher — polls tasks table and runs inference
  const dispatcher = createDispatcher({ sql, inference: inferenceApi, broker, log: app.log, config });
  dispatcher.start();
  // v2.6 Phase 3: configure + start the agent-pool lifecycle sweep (idle-TTL +
  // LRU-cap eviction of warm backends, plus each backend's proactive health probe)
  // and the orphan-worktree reaper. Both run on the same periodic timer.
  agentPool.configure({
    idleTtlMs: config.AGENT_POOL_IDLE_TTL_MS,
    maxLive: config.AGENT_POOL_MAX_LIVE,
    sweepIntervalMs: config.LIFECYCLE_SWEEP_INTERVAL_MS,
    log: app.log,
  });
  agentPool.startReaper(app.log);
  const orphanReaper = createOrphanWorktreeReaper({
    sql,
    log: app.log,
    intervalMs: config.LIFECYCLE_SWEEP_INTERVAL_MS,
    graceMs: config.ORPHAN_WORKTREE_GRACE_MS,
  });
  orphanReaper.start();
  app.addHook('onClose', async () => {
-    // stop() first so in-flight dispatcher turns settle, then drain the pool.
+    // stop() first so in-flight dispatcher turns settle, then stop the reapers and
-    // Pool is empty in Phase 0 (nothing spawns yet) — dispose() is inert.
+    // drain the pool (kills opencode server + warm ACP children).
    await dispatcher.stop();
    orphanReaper.stop();
    await agentPool.dispose();
  });
@@ -191,12 +215,15 @@ async function main() {
  registerMessageRoutes(app, sql, broker, inferenceApi);
  registerSkillRoutes(app, sql, broker, inferenceApi);
  registerPendingRoutes(app, sql);
  registerCheckpointRoutes(app, sql);
  registerAgentSessionRoutes(app, sql);
  registerTaskRoutes(app, sql, inferenceApi);
  registerInboxRoutes(app, sql);
  registerStatsRoutes(app, sql);
  registerArenaRoutes(app, sql);
  registerProviderRoutes(app, sql, config);
  registerWorktreeSafetyRoutes(app, sql);
  registerLifecycleRoutes(app, sql);
  registerWebSocket(app, sql, broker);
  // Serve static frontend (built web app). In production, the dist/ is
--- a/apps/coder/src/routes/tests/agent-sessions.routes.test.ts
+++ b/apps/coder/src/routes/tests/agent-sessions.routes.test.ts
@@ -0,0 +1,75 @@
 import { describe, it, expect } from 'vitest';
 import Fastify, { type FastifyInstance } from 'fastify';
 import { registerAgentSessionRoutes } from '../agent-sessions.js';
 import type { Sql } from '../../db.js';
 // Mock the porsager surface this route uses: a tagged-template `sql` dispatched by
 // query substring. Two queries: the session-existence check and the agent_sessions
 // JOIN. We return post-coercion shapes (booleans/strings) exactly as porsager would
 // hand them to the route — `has_session` already a JS boolean, `last_active_at` a
 // string|null — so the asserted JSON matches the API contract end-to-end.
 interface MockState {
  sessionExists: boolean;
  rows: Array<{ agent: string; status: string; has_session: boolean; last_active_at: string | null }>;
 }
 function mockSql(state: MockState): Sql {
  return ((strings: TemplateStringsArray) => {
    const q = strings.join('');
    if (q.includes('SELECT id FROM sessions')) {
      return Promise.resolve(state.sessionExists ? [{ id: 'session-1' }] : []);
    }
    if (q.includes('FROM agent_sessions')) {
      return Promise.resolve(state.rows);
    }
    return Promise.resolve([]);
  }) as unknown as Sql;
 }
 function buildApp(state: MockState): FastifyInstance {
  const app = Fastify();
  registerAgentSessionRoutes(app, mockSql(state));
  return app;
 }
 describe('GET /api/sessions/:id/agent-sessions', () => {
  it('returns the per-(chat,agent) rows in the contracted shape', async () => {
    const app = buildApp({
      sessionExists: true,
      rows: [
        { agent: 'opencode', status: 'active', has_session: true, last_active_at: '2026-05-31T12:00:00.000Z' },
        { agent: 'goose', status: 'idle', has_session: false, last_active_at: null },
      ],
    });
    const res = await app.inject({ method: 'GET', url: '/api/sessions/session-1/agent-sessions' });
    expect(res.statusCode).toBe(200);
    const body = res.json();
    expect(Array.isArray(body)).toBe(true);
    expect(body).toEqual([
      { agent: 'opencode', status: 'active', has_session: true, last_active_at: '2026-05-31T12:00:00.000Z' },
      { agent: 'goose', status: 'idle', has_session: false, last_active_at: null },
    ]);
    // Contract field types.
    expect(typeof body[0].agent).toBe('string');
    expect(typeof body[0].status).toBe('string');
    expect(typeof body[0].has_session).toBe('boolean');
    expect(body[1].last_active_at).toBeNull();
    await app.close();
  });
  it('returns an empty array when the session has no agent_sessions rows', async () => {
    const app = buildApp({ sessionExists: true, rows: [] });
    const res = await app.inject({ method: 'GET', url: '/api/sessions/session-1/agent-sessions' });
    expect(res.statusCode).toBe(200);
    expect(res.json()).toEqual([]);
    await app.close();
  });
  it('404s when the session does not exist', async () => {
    const app = buildApp({ sessionExists: false, rows: [] });
    const res = await app.inject({ method: 'GET', url: '/api/sessions/nope/agent-sessions' });
    expect(res.statusCode).toBe(404);
    expect(res.json()).toEqual({ error: 'session not found' });
    await app.close();
  });
 });
--- a/apps/coder/src/routes/agent-sessions.ts
+++ b/apps/coder/src/routes/agent-sessions.ts
@@ -0,0 +1,59 @@
 import type { FastifyInstance } from 'fastify';
 import type { Sql } from '../db.js';
 // v2.6 Phase 1-UX (design §9b): chat-scoped "resumed vs new session" indicator.
 // `agent_sessions` is keyed (chat_id, agent) — the tab/chat is the agent-context
 // unit (P1.5-b). The route param is a SESSION id, so we resolve every chat in the
 // session and return the union of their agent_sessions rows. A session with two
 // opencode tabs yields two rows (one per chat); the frontend keys the chip per
 // chat, but the wire shape is a flat per-(chat,agent) list.
 //
 // has_session = agent_session_id IS NOT NULL — i.e. a native backend session id
 // (opencode/ACP) was created and stored, so switching back resumes rather than
 // starts fresh.
 export interface AgentSessionRow {
  agent: string;
  status: string;
  has_session: boolean;
  last_active_at: string | null;
  // v2.6.8 per-(chat,agent) running token/cost totals (sampling-streamjson-tokens
  // #8). BIGINT columns arrive as strings over the wire; the frontend coerces.
  input_tokens: number;
  output_tokens: number;
  cost: number;
 }
 export function registerAgentSessionRoutes(app: FastifyInstance, sql: Sql): void {
  // GET /api/sessions/:sessionId/agent-sessions — list the agent-session rows for
  // every chat in the session (drives the AgentComposerBar resumed/new chip).
  app.get<{ Params: { sessionId: string } }>(
    '/api/sessions/:sessionId/agent-sessions',
    async (req, reply) => {
      const sessionId = req.params.sessionId;
      const session = await sql<{ id: string }[]>`SELECT id FROM sessions WHERE id = ${sessionId}`;
      if (session.length === 0) {
        reply.code(404);
        return { error: 'session not found' };
      }
      // Join through chats so the session-scoped param resolves to its (chat,agent)
      // rows. last_active_at first → the frontend reads the freshest activity.
      const rows = await sql<AgentSessionRow[]>`
        SELECT
          a.agent AS agent,
          a.status AS status,
          (a.agent_session_id IS NOT NULL) AS has_session,
          a.last_active_at AS last_active_at,
          a.input_tokens AS input_tokens,
          a.output_tokens AS output_tokens,
          a.cost AS cost
        FROM agent_sessions a
        JOIN chats c ON c.id = a.chat_id
        WHERE c.session_id = ${sessionId}
        ORDER BY a.last_active_at DESC NULLS LAST, a.agent ASC
      `;
      return rows;
    },
  );
 }
--- a/apps/coder/src/routes/checkpoints.ts
+++ b/apps/coder/src/routes/checkpoints.ts
@@ -0,0 +1,73 @@
 /**
 * write-edit-robustness #4 — checkpoint restore + list routes (coder side).
 *
 * Proxied through the apps/server `/api/coder/*` blanket forwarder (no server-side
 * change needed for new routes). Restore rewinds the session worktree to the
 * checkpoint's shadow commit, trims the transcript from the anchor message forward,
 * and resets the agent backend — see services/checkpoints.ts.
 */
 import type { FastifyInstance } from 'fastify';
 import type { Sql } from '../db.js';
 import { restoreCheckpoint, CheckpointNotFoundError } from '../services/checkpoints.js';
 export function registerCheckpointRoutes(app: FastifyInstance, sql: Sql): void {
  // GET /api/sessions/:sessionId/checkpoints?chat_id= — list a chat's checkpoints
  // so the frontend can mark which messages have a restore point. When chat_id is
  // omitted, returns every checkpoint for the session's chats.
  app.get<{ Params: { sessionId: string }; Querystring: { chat_id?: string } }>(
    '/api/sessions/:sessionId/checkpoints',
    async (req, reply) => {
      const sessionId = req.params.sessionId;
      const chatId = req.query.chat_id;
      const session = await sql<{ id: string }[]>`SELECT id FROM sessions WHERE id = ${sessionId}`;
      if (session.length === 0) {
        reply.code(404);
        return { error: 'session not found' };
      }
      // Scope authoritatively through chats.session_id (always set) — NOT the
      // denormalized checkpoints.session_id (nullable). The chat_id branch must
      // still be session-gated or it's an IDOR (any session's chat_id reads its
      // checkpoints).
      const rows = chatId
        ? await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
            FROM checkpoints cp
            JOIN chats c ON c.id = cp.chat_id
            WHERE cp.chat_id = ${chatId} AND c.session_id = ${sessionId}
            ORDER BY cp.created_at
          `
        : await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
            FROM checkpoints cp
            JOIN chats c ON c.id = cp.chat_id
            WHERE c.session_id = ${sessionId}
            ORDER BY cp.created_at
          `;
      return rows;
    },
  );
  // POST /api/sessions/:sessionId/checkpoints/:checkpointId/restore — restore.
  app.post<{ Params: { sessionId: string; checkpointId: string } }>(
    '/api/sessions/:sessionId/checkpoints/:checkpointId/restore',
    async (req, reply) => {
      const { sessionId, checkpointId } = req.params;
      try {
        const result = await restoreCheckpoint(sql, checkpointId, {
          sessionId,
          log: app.log,
        });
        return result;
      } catch (err) {
        if (err instanceof CheckpointNotFoundError) {
          reply.code(404);
          return { error: err.message };
        }
        throw err;
      }
    },
  );
 }
--- a/apps/coder/src/routes/lifecycle.ts
+++ b/apps/coder/src/routes/lifecycle.ts
@@ -0,0 +1,122 @@
 /**
 * v2.6 Phase 3 (3.3) — chat/session close-or-archive cleanup hook (coder side).
 *
 * Chat/session close + archive + delete all live in apps/server (Docker), which
 * cannot see the host worktree dirs (/tmp/booworktrees), run git on them, or reach
 * the warm agent processes the dispatcher pooled in THIS (host systemd) process. So
 * — exactly like the `worktree-risk` guard — the server signals the coder when a
 * chat/session closes, and the coder does the real teardown:
 *   1. dispose the chat's warm-ACP backends (`agentPool.closeChat`) — kills the
 *      goose/qwen child processes for that chat,
 *   2. close the chat's opencode session on the shared server (`closeSession`),
 *   3. mark every `agent_sessions` row for the chat 'closed' + (when the session's
 *      last open chat closes) remove the shared session worktree, preflighting
 *      work-at-risk so uncommitted/unmerged work is never silently dropped
 *      (`closeChatBackendState`).
 *
 * Idempotent: closing an already-closed chat is a no-op (0 rows, no backend).
 *
 * SERVER WIRING (not done here — apps/server, out of this batch's scope): the
 * server's `POST /api/chats/:id/archive`, `DELETE /api/chats/:id`, and the
 * session archive/delete routes should fire-and-forget
 *   fetch(`${BOOCODER_URL}/api/chats/${id}/close`, { method: 'POST' })
 * after publishing their WS frame (best-effort; the orphan-worktree reaper +
 * idle-pool eviction are the backstop if the call is missed).
 */
 import type { FastifyInstance } from 'fastify';
 import type { Sql } from '../db.js';
 import { agentPool, OPENCODE_POOL_KEY } from '../services/agent-pool.js';
 import { closeChatBackendState } from '../services/worktrees.js';
 import type { AgentSessionHandle } from '../services/agent-backend.js';
 export function registerLifecycleRoutes(app: FastifyInstance, sql: Sql): void {
  // POST /api/chats/:chatId/close — tear down all warm state for a chat tab.
  app.post<{ Params: { chatId: string }; Querystring: { force?: string } }>(
    '/api/chats/:chatId/close',
    async (req) => {
      const chatId = req.params.chatId;
      const force = req.query.force === 'true' || req.query.force === '1';
      // 1. Close the chat's opencode session on the SHARED server (the server is
      //    not chat-keyed, so agentPool.closeChat won't touch it). Resolve the
      //    stored opencode session id and ask the backend to drop it.
      const ocRows = await sql<{ agent: string; agent_session_id: string | null; worktree_id: string | null; session_id: string | null }[]>`
        SELECT agent, agent_session_id, worktree_id, session_id
        FROM agent_sessions
        WHERE chat_id = ${chatId} AND backend = 'opencode_server'
      `;
      const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
      if (ocBackend) {
        for (const row of ocRows) {
          if (!row.agent_session_id) continue;
          const handle: AgentSessionHandle = {
            sessionId: row.session_id ?? '',
            agent: row.agent,
            backend: 'opencode_server',
            chatId,
            worktreeId: row.worktree_id ?? '',
            agentSessionId: row.agent_session_id,
            serverPort: null,
          };
          await ocBackend.closeSession(handle).catch((err) => {
            app.log.warn({ err: err instanceof Error ? err.message : String(err), chatId }, 'lifecycle: opencode closeSession threw');
          });
        }
      }
      // 2. Dispose any warm-ACP backends pooled under this chat (kills the
      //    goose/qwen child + marks its agent row closed via the backend).
      const disposed = await agentPool.closeChat(chatId);
      // 3. DB + worktree truth: mark agent rows closed; remove the shared session
      //    worktree iff this was the session's last open chat (preflight at-risk).
      const result = await closeChatBackendState(sql, chatId, { force });
      app.log.info({ chatId, disposed, ...result }, 'lifecycle: chat closed');
      return { ok: true, disposed, ...result };
    },
  );
  // POST /api/sessions/:sessionId/close — close every open chat in a session
  // (session archive/delete). Loops the chat-close path so the same preflight +
  // teardown applies per chat; the worktree is removed on the last one.
  app.post<{ Params: { sessionId: string }; Querystring: { force?: string } }>(
    '/api/sessions/:sessionId/close',
    async (req) => {
      const sessionId = req.params.sessionId;
      const force = req.query.force === 'true' || req.query.force === '1';
      const chats = await sql<{ id: string }[]>`
        SELECT id FROM chats WHERE session_id = ${sessionId}
      `;
      const results: { chatId: string; disposed: string[]; worktreeRemoved: boolean; worktreeAtRisk: boolean }[] = [];
      for (const c of chats) {
        const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
        if (ocBackend) {
          const ocRows = await sql<{ agent: string; agent_session_id: string | null; worktree_id: string | null; session_id: string | null }[]>`
            SELECT agent, agent_session_id, worktree_id, session_id
            FROM agent_sessions WHERE chat_id = ${c.id} AND backend = 'opencode_server'
          `;
          for (const row of ocRows) {
            if (!row.agent_session_id) continue;
            await ocBackend.closeSession({
              sessionId: row.session_id ?? '',
              agent: row.agent,
              backend: 'opencode_server',
              chatId: c.id,
              worktreeId: row.worktree_id ?? '',
              agentSessionId: row.agent_session_id,
              serverPort: null,
            }).catch(() => {});
          }
        }
        const disposed = await agentPool.closeChat(c.id);
        const r = await closeChatBackendState(sql, c.id, { force });
        results.push({ chatId: c.id, disposed, worktreeRemoved: r.worktreeRemoved, worktreeAtRisk: r.worktreeAtRisk });
      }
      app.log.info({ sessionId, chats: results.length }, 'lifecycle: session closed');
      return { ok: true, results };
    },
  );
 }
--- a/apps/coder/src/routes/pending.ts
+++ b/apps/coder/src/routes/pending.ts
@@ -10,6 +10,7 @@ import {
  queueCreate,
 } from '../services/pending_changes.js';
 import { WriteGuardError } from '../services/write_guard.js';
 import { rebaselineWorktreeAfterApply } from '../services/worktrees.js';
 const CreateBody = z.object({
  file_path: z.string().min(1),
@@ -90,6 +91,8 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
          parsed.data.file_path,
          parsed.data.content,
          projectRoot,
          // Manual RightRail create — no agent staged it; renders as "manual".
          null,
        );
        return change;
      } catch (err) {
@@ -115,6 +118,15 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
      }
      const results = await applyAll(sql, sessionId, projectRoot);
      // v2.6 Phase 3 (3.5): re-baseline the session worktree's diff to the applied
      // state, so the next external-agent turn diffs against applied-not-original
      // and doesn't re-surface the just-applied changes. Best-effort: a worktree
      // session may not exist (native-only chat), and a re-baseline hiccup must not
      // fail the apply the user just requested.
      if (results.some((r) => r.success)) {
        await rebaselineWorktreeAfterApply(sql, sessionId).catch(() => {});
      }
      return { results };
    },
  );
@@ -134,6 +146,15 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
      const result = await applyOne(sql, changeId, projectRoot);
      if (!result.success) {
        reply.code(422);
      } else {
        // v2.6 Phase 3 (3.5): re-baseline the session worktree after a successful
        // apply so the next external-agent turn diffs against applied-not-original.
        // Resolve the change's session; best-effort, never fails the apply.
        const sessRows = await sql<{ session_id: string }[]>`
          SELECT session_id FROM pending_changes WHERE id = ${changeId}
        `;
        const sessionId = sessRows[0]?.session_id;
        if (sessionId) await rebaselineWorktreeAfterApply(sql, sessionId).catch(() => {});
      }
      return result;
    },
--- a/apps/coder/src/schema.sql
+++ b/apps/coder/src/schema.sql
@@ -131,6 +131,17 @@ END $$;
 -- v2.6: config fingerprint for stale-session detection (auto-recover on model change).
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS config_hash TEXT;
 -- v2.6 Phase 1-UX (U.6): opencode token/cost usage, ACCUMULATED per (chat_id, agent).
 -- opencode's warm server emits `session.next.step.ended` once per LLM step (several
 -- per multi-tool turn) carrying {tokens{input,output,reasoning,cache},cost}. We sum
 -- each step's normalized {input,output,cost} onto the session row — running totals
 -- for the whole conversation context, not last-step. Backend-only; no route/UI yet.
 -- input_tokens folds in cache read+write; output_tokens folds in reasoning (see
 -- backends/opencode-usage.ts). Defaults 0 so accumulation (col + delta) is well-defined.
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS input_tokens BIGINT NOT NULL DEFAULT 0;
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS output_tokens BIGINT NOT NULL DEFAULT 0;
 ALTER TABLE agent_sessions ADD COLUMN IF NOT EXISTS cost DOUBLE PRECISION NOT NULL DEFAULT 0;
 -- ─── P1.5-b (corrected): worktrees entity + re-key agent_sessions to (chat_id, agent) ───
 -- The TAB (a chat) is the context unit: two opencode tabs in one session = two
 -- independent contexts sharing one worktree. So agent_sessions keys on
@@ -229,6 +240,27 @@ END $$;
 -- v2.6: attribution for DiffPanel badges (Phase 1 UX reads this).
 ALTER TABLE pending_changes ADD COLUMN IF NOT EXISTS agent TEXT;
 -- write-edit-robustness #4: worktree checkpoints. A pre-turn shadow-commit of the
 -- session worktree (tracked + untracked, captured without disturbing the real
 -- index/working tree) stored in a private GC-safe ref refs/boocode/checkpoints/<id>.
 -- Created best-effort before each external-agent turn (opencode / warm-ACP / one-shot
 -- ACP+PTY); restore resets the worktree to commit_sha, trims the transcript from
 -- message_id forward, and resets the backend session. chat_id CASCADEs from chats
 -- (like agent_sessions); worktree_id SET NULL so a checkpoint outlives a reaped
 -- worktree row. session_id / message_id are informational (no FK — message rows are
 -- trimmed by a checkpoint restore and we must not block that on a dangling ref).
 CREATE TABLE IF NOT EXISTS checkpoints (
  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  chat_id     UUID NOT NULL REFERENCES chats(id) ON DELETE CASCADE,
  session_id  UUID,
  worktree_id UUID REFERENCES worktrees(id) ON DELETE SET NULL,
  message_id  UUID,            -- anchor: the assistant turn row this checkpoint precedes
  commit_sha  TEXT NOT NULL,   -- shadow-commit capturing the pre-turn worktree tree
  label       TEXT,
  created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
 );
 CREATE INDEX IF NOT EXISTS checkpoints_chat_created_idx ON checkpoints(chat_id, created_at);
 -- LISTEN/NOTIFY fast path: every tasks INSERT (from any call site — routes,
 -- new_task tool, arena, MCP server) fires pg_notify('tasks_new') in the same
 -- transaction, so the dispatcher reacts immediately instead of waiting for the
--- a/apps/coder/src/services/tests/acp-event-map.test.ts
+++ b/apps/coder/src/services/tests/acp-event-map.test.ts
@@ -0,0 +1,110 @@
 import { describe, it, expect } from 'vitest';
 import type { SessionNotification } from '@agentclientprotocol/sdk';
 import { mapSessionUpdate } from '../acp-event-map.js';
 import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
 /**
 * Pure event-mapping shared by the one-shot ACP dispatch (AcpStreamContext) and
 * the warm ACP backend (Phase 2). Mirrors the original handleSessionUpdate switch
 * verbatim but returns normalized AgentEvents instead of publishing broker frames.
 */
 describe('mapSessionUpdate (shared ACP event mapping)', () => {
  function note(update: SessionNotification['update']): SessionNotification {
    return { sessionId: 's1', update };
  }
  it('maps an agent_message_chunk text → a text event', () => {
    const events = mapSessionUpdate(
      note({ sessionUpdate: 'agent_message_chunk', content: { type: 'text', text: 'hello' } }),
    );
    expect(events).toEqual([{ type: 'text', text: 'hello' }]);
  });
  it('maps an agent_thought_chunk text → a reasoning event', () => {
    const events = mapSessionUpdate(
      note({ sessionUpdate: 'agent_thought_chunk', content: { type: 'text', text: 'thinking' } }),
    );
    expect(events).toEqual([{ type: 'reasoning', text: 'thinking' }]);
  });
  it('ignores non-text content on message/thought chunks', () => {
    const img = mapSessionUpdate(
      note({
        sessionUpdate: 'agent_message_chunk',
        content: { type: 'image', data: 'x', mimeType: 'image/png' },
      } as never),
    );
    expect(img).toEqual([]);
  });
  it('maps a tool_call → a tool_call event with a merged snapshot', () => {
    const events = mapSessionUpdate(
      note({
        sessionUpdate: 'tool_call',
        toolCallId: 't1',
        title: 'read_file',
        status: 'pending',
        rawInput: { path: 'a.ts' },
      } as never),
    );
    expect(events).toHaveLength(1);
    expect(events[0]!.type).toBe('tool_call');
    const snap = (events[0] as { type: 'tool_call'; toolCall: AcpToolSnapshot }).toolCall;
    expect(snap.toolCallId).toBe('t1');
    expect(snap.title).toBe('read_file');
    expect(snap.status).toBe('pending');
    expect(snap.rawInput).toEqual({ path: 'a.ts' });
  });
  it('maps a tool_call_update → a tool_update event merged over the prior snapshot', () => {
    const prior = new Map<string, AcpToolSnapshot>([
      ['t1', { toolCallId: 't1', title: 'read_file', status: 'pending', rawInput: { path: 'a.ts' } }],
    ]);
    const events = mapSessionUpdate(
      note({
        sessionUpdate: 'tool_call_update',
        toolCallId: 't1',
        status: 'completed',
        rawOutput: 'file body',
      } as never),
      prior,
    );
    expect(events).toHaveLength(1);
    expect(events[0]!.type).toBe('tool_update');
    const snap = (events[0] as { type: 'tool_update'; toolCall: AcpToolSnapshot }).toolCall;
    expect(snap.toolCallId).toBe('t1');
    // merged: title carried from prior, status updated, output added, input retained
    expect(snap.title).toBe('read_file');
    expect(snap.status).toBe('completed');
    expect(snap.rawOutput).toBe('file body');
    expect(snap.rawInput).toEqual({ path: 'a.ts' });
  });
  it('maps available_commands_update → a commands event', () => {
    const events = mapSessionUpdate(
      note({
        sessionUpdate: 'available_commands_update',
        availableCommands: [
          { name: 'plan', description: 'make a plan' },
          { name: 'review', description: null },
        ],
      } as never),
    );
    expect(events).toEqual([
      {
        type: 'commands',
        commands: [
          { name: 'plan', description: 'make a plan' },
          { name: 'review', description: undefined },
        ],
      },
    ]);
  });
  it('returns [] for unhandled update kinds (plan, mode change)', () => {
    expect(mapSessionUpdate(note({ sessionUpdate: 'plan', entries: [] } as never))).toEqual([]);
    expect(
      mapSessionUpdate(note({ sessionUpdate: 'current_mode_update', currentModeId: 'code' } as never)),
    ).toEqual([]);
  });
 });
--- a/apps/coder/src/services/tests/agent-pool.test.ts
+++ b/apps/coder/src/services/tests/agent-pool.test.ts
@@ -0,0 +1,233 @@
 import { describe, it, expect, vi } from 'vitest';
 import { AgentPool, OPENCODE_POOL_KEY } from '../agent-pool.js';
 import type {
  AgentBackend,
  AgentSessionHandle,
  EnsureSessionOpts,
  PromptCtx,
  TurnResult,
 } from '../agent-backend.js';
 /**
 * v2.6 Phase 3 — AgentPool lifecycle unit test (T.1). No DB / no child process:
 * a fake AgentBackend records dispose + reports busy/health, so we exercise
 * get-or-create, idle eviction, the LRU cap, the busy-never-evict rule, closeChat,
 * and dispose-drains directly. The pure decisions are covered separately in
 * backends/__tests__/lifecycle-decisions.test.ts; this verifies the wiring.
 */
 class FakeBackend implements AgentBackend {
  disposed = 0;
  closedSessions = 0;
  private busyFlag = false;
  tickHealthCalls = 0;
  constructor(public readonly name = 'fake') {}
  setBusy(b: boolean): void {
    this.busyFlag = b;
  }
  // — AgentBackend —
  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
    return {
      sessionId,
      agent: opts.agent,
      backend: 'acp_warm',
      chatId: opts.chatId,
      worktreeId: opts.worktreeId,
      agentSessionId: 'fake-session',
      serverPort: null,
    };
  }
  async prompt(_h: AgentSessionHandle, _input: string, _ctx: PromptCtx): Promise<TurnResult> {
    return { ok: true };
  }
  async closeSession(): Promise<void> {
    this.closedSessions++;
  }
  async dispose(): Promise<void> {
    this.disposed++;
  }
  health(): 'up' | 'down' {
    return 'up';
  }
  isBusy(): boolean {
    return this.busyFlag;
  }
  async tickHealth(): Promise<void> {
    this.tickHealthCalls++;
  }
 }
 describe('AgentPool — get/register/touch (3.1)', () => {
  it('register then get returns the same backend', () => {
    const pool = new AgentPool();
    const b = new FakeBackend();
    pool.register('chat-1', 'goose', b);
    expect(pool.get('chat-1', 'goose')).toBe(b);
    expect(pool.get('chat-1', 'qwen')).toBeUndefined();
  });
  it('peek does NOT exist for a missing key', () => {
    const pool = new AgentPool();
    expect(pool.peek('nope', 'goose')).toBeUndefined();
  });
  it('health reports size + busy count', () => {
    const pool = new AgentPool();
    const a = new FakeBackend();
    const b = new FakeBackend();
    b.setBusy(true);
    pool.register('c1', 'goose', a);
    pool.register('c2', 'qwen', b);
    expect(pool.health()).toEqual({ size: 2, busy: 1 });
  });
 });
 describe('AgentPool.sweep — idle TTL eviction (3.1)', () => {
  it('evicts an idle backend past the TTL and disposes it', async () => {
    const pool = new AgentPool({ idleTtlMs: 1_000, maxLive: 100 });
    const b = new FakeBackend();
    pool.register('c1', 'goose', b);
    // Sweep with now far past the registration → idle → evicted.
    const { evicted } = await pool.sweep(Date.now() + 10_000);
    expect(evicted).toEqual(['c1:goose']);
    expect(b.disposed).toBe(1);
    expect(pool.get('c1', 'goose')).toBeUndefined();
  });
  it('never evicts a busy backend even past the TTL', async () => {
    const pool = new AgentPool({ idleTtlMs: 1_000, maxLive: 100 });
    const b = new FakeBackend();
    b.setBusy(true);
    pool.register('c1', 'goose', b);
    const { evicted } = await pool.sweep(Date.now() + 10_000);
    expect(evicted).toEqual([]);
    expect(b.disposed).toBe(0);
    expect(pool.get('c1', 'goose')).toBe(b);
  });
  it('touch keeps a backend warm so the TTL measures from the last turn', async () => {
    const pool = new AgentPool({ idleTtlMs: 5_000, maxLive: 100 });
    const b = new FakeBackend();
    pool.register('c1', 'goose', b);
    const base = Date.now();
    // 4s later, touch — resets activity. A sweep at +6s from base is only +2s from
    // the touch → still within TTL → not evicted.
    vi.spyOn(Date, 'now').mockReturnValue(base + 4_000);
    pool.touch('c1', 'goose');
    vi.restoreAllMocks();
    const { evicted } = await pool.sweep(base + 6_000);
    expect(evicted).toEqual([]);
  });
 });
 describe('AgentPool.sweep — LRU cap (3.4)', () => {
  it('evicts the least-recently-used beyond the cap', async () => {
    const pool = new AgentPool({ idleTtlMs: 1_000_000, maxLive: 2 });
    const base = 1_000_000;
    const mk = (key: string, regAt: number) => {
      vi.spyOn(Date, 'now').mockReturnValue(regAt);
      const b = new FakeBackend(key);
      const [chat, agent] = key.split(':');
      pool.register(chat!, agent!, b);
      vi.restoreAllMocks();
      return b;
    };
    const a = mk('c1:goose', base + 100);
    const b = mk('c2:goose', base + 300);
    const c = mk('c3:goose', base + 200);
    // 3 entries, cap 2, all within idle TTL → LRU (oldest = a@+100) evicted.
    const { evicted } = await pool.sweep(base + 1_000);
    expect(evicted).toEqual(['c1:goose']);
    expect(a.disposed).toBe(1);
    expect(b.disposed).toBe(0);
    expect(c.disposed).toBe(0);
  });
 });
 describe('AgentPool.sweep — proactive health probe (3.2)', () => {
  it('drives each backend tickHealth before eviction', async () => {
    const pool = new AgentPool({ idleTtlMs: 1_000_000, maxLive: 100 });
    const b = new FakeBackend();
    pool.register('c1', 'opencode', b);
    await pool.sweep(Date.now());
    expect(b.tickHealthCalls).toBe(1);
  });
 });
 describe('AgentPool.closeChat — chat-close teardown (3.3)', () => {
  it('disposes only the matching chat keys, leaving others + the shared server', async () => {
    const pool = new AgentPool();
    const goose = new FakeBackend('goose');
    const qwen = new FakeBackend('qwen');
    const other = new FakeBackend('other-chat');
    const ocServer = new FakeBackend('opencode-server');
    pool.register('chat-1', 'goose', goose);
    pool.register('chat-1', 'qwen', qwen);
    pool.register('chat-2', 'goose', other);
    pool.register(OPENCODE_POOL_KEY, 'opencode', ocServer);
    const removed = await pool.closeChat('chat-1');
    expect(removed.sort()).toEqual(['chat-1:goose', 'chat-1:qwen']);
    expect(goose.disposed).toBe(1);
    expect(qwen.disposed).toBe(1);
    // other chat + shared opencode server untouched.
    expect(other.disposed).toBe(0);
    expect(ocServer.disposed).toBe(0);
    expect(pool.peek('chat-2', 'goose')).toBe(other);
    expect(pool.peek(OPENCODE_POOL_KEY, 'opencode')).toBe(ocServer);
  });
  it('does not dispose a busy backend on closeChat', async () => {
    const pool = new AgentPool();
    const b = new FakeBackend();
    b.setBusy(true);
    pool.register('chat-1', 'goose', b);
    const removed = await pool.closeChat('chat-1');
    expect(removed).toEqual([]);
    expect(b.disposed).toBe(0);
  });
  it('does not match a chat id that is a prefix of another', async () => {
    // 'chat-1' must not match 'chat-10' — keys are `${chatId}:${agent}` so the
    // colon delimiter prevents the prefix collision.
    const pool = new AgentPool();
    const a = new FakeBackend();
    const b = new FakeBackend();
    pool.register('chat-1', 'goose', a);
    pool.register('chat-10', 'goose', b);
    await pool.closeChat('chat-1');
    expect(a.disposed).toBe(1);
    expect(b.disposed).toBe(0);
    expect(pool.peek('chat-10', 'goose')).toBe(b);
  });
 });
 describe('AgentPool.dispose — drain all (T.1)', () => {
  it('disposes every backend and clears the map', async () => {
    const pool = new AgentPool();
    const a = new FakeBackend();
    const b = new FakeBackend();
    pool.register('c1', 'goose', a);
    pool.register('c2', 'qwen', b);
    await pool.dispose();
    expect(a.disposed).toBe(1);
    expect(b.disposed).toBe(1);
    expect(pool.health()).toEqual({ size: 0, busy: 0 });
  });
  it('tolerates a backend whose dispose throws', async () => {
    const pool = new AgentPool();
    const good = new FakeBackend();
    const bad = new FakeBackend();
    bad.dispose = async () => {
      throw new Error('boom');
    };
    pool.register('c1', 'goose', bad);
    pool.register('c2', 'qwen', good);
    await expect(pool.dispose()).resolves.toBeUndefined();
    expect(good.disposed).toBe(1);
  });
 });
--- a/apps/coder/src/services/tests/checkpoints.test.ts
+++ b/apps/coder/src/services/tests/checkpoints.test.ts
@@ -0,0 +1,252 @@
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 import { readFileSync } from 'node:fs';
 import { rm, mkdir } from 'node:fs/promises';
 import { resolve } from 'node:path';
 import postgres from 'postgres';
 import {
  buildShadowCommitCommand,
  createCheckpoint,
  restoreCheckpoint,
  CheckpointNotFoundError,
 } from '../checkpoints.js';
 import { ensureSessionWorktree } from '../worktrees.js';
 import { hostExec } from '../host-exec.js';
 /**
 * write-edit-robustness #4 — worktree checkpoint tests.
 *
 * Pure-helper coverage (no DB / no host) for the shadow-commit command builder,
 * plus a DB+git integration block (DB-opt-in via DATABASE_URL, skips cleanly
 * otherwise; mirrors reconnect_integration.test.ts) that exercises the real
 * create → restore round trip against a worktree on the host fs.
 */
 describe('buildShadowCommitCommand (pure)', () => {
  it('parks the commit under refs/boocode/checkpoints/<id> and prints only the SHA', () => {
    const cmd = buildShadowCommitCommand('/tmp/booworktrees/sess-abc', 'cp-id-123');
    // Uses a temp index so the real working tree/index is untouched.
    expect(cmd).toContain('TMP=$(mktemp)');
    expect(cmd).toContain('GIT_INDEX_FILE="$TMP" git read-tree HEAD');
    expect(cmd).toContain('GIT_INDEX_FILE="$TMP" git add -A');
    expect(cmd).toContain('git write-tree');
    expect(cmd).toContain("git commit-tree \"$TREE\" -p HEAD -m \"boocode checkpoint\"");
    // Ref name matches the row id, and stdout is ONLY the SHA (printf, no newline).
    expect(cmd).toContain("update-ref 'refs/boocode/checkpoints/cp-id-123'");
    expect(cmd).toContain("printf '%s' \"$SHA\"");
    expect(cmd).not.toContain('echo "$SHA"');
  });
  it('shell-escapes the worktree path and the id', () => {
    const cmd = buildShadowCommitCommand("/tmp/it's a path", "id'; rm -rf /");
    // Single quotes inside the path/id are escaped via the '\'' wrapping idiom — no
    // bare interpolation that could break out of the quoting.
    expect(cmd).toContain("cd '/tmp/it'\\''s a path'");
    expect(cmd).toContain("refs/boocode/checkpoints/id'\\''; rm -rf /");
  });
 });
 describe.runIf(!!process.env.DATABASE_URL)('checkpoint create + restore (DB + git)', () => {
  let sql: ReturnType<typeof postgres>;
  const stamp = Date.now();
  const projectDir = `/tmp/boocode-checkpoint-proj-${stamp}`;
  let projectId: string;
  let sessionId: string;
  let chatId: string;
  let worktreePath: string;
  beforeAll(async () => {
    sql = postgres(process.env.DATABASE_URL!, { max: 3 });
    // Server schema first (FK targets), then coder schema (worktrees + checkpoints).
    const serverSchema = resolve(__dirname, '../../../../server/src/schema.sql');
    const coderSchema = resolve(__dirname, '../../schema.sql');
    await sql.unsafe(readFileSync(serverSchema, 'utf8'));
    await sql.unsafe(readFileSync(coderSchema, 'utf8'));
    await mkdir(projectDir, { recursive: true });
    await hostExec(
      `cd ${projectDir} && git init -q && git config user.email t@t && git config user.name t ` +
        `&& echo hello > README.md && git add -A && git commit -qm init`,
      { timeoutMs: 20_000 },
    );
    const [project] = await sql<{ id: string }[]>`
      INSERT INTO projects (name, path, status) VALUES ('checkpoint-test', ${projectDir}, 'open') RETURNING id
    `;
    projectId = project!.id;
    const [session] = await sql<{ id: string }[]>`
      INSERT INTO sessions (project_id, name, model, status)
      VALUES (${projectId}, 'cp', 'm', 'open') RETURNING id
    `;
    sessionId = session!.id;
    const [chat] = await sql<{ id: string }[]>`
      INSERT INTO chats (session_id, name, status) VALUES (${sessionId}, 'tab', 'open') RETURNING id
    `;
    chatId = chat!.id;
    const wt = await ensureSessionWorktree(sql, projectDir, sessionId);
    worktreePath = wt.worktreePath;
  });
  afterAll(async () => {
    if (sql) {
      const rows = await sql<{ path: string }[]>`SELECT path FROM worktrees WHERE session_id = ${sessionId}`.catch(() => []);
      for (const r of rows) {
        await hostExec(`git -C ${projectDir} worktree remove ${r.path} --force`, { timeoutMs: 10_000 }).catch(() => {});
      }
      await sql`DELETE FROM checkpoints WHERE chat_id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM agent_sessions WHERE chat_id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM worktrees WHERE session_id = ${sessionId}`.catch(() => {});
      await sql`DELETE FROM chats WHERE id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM sessions WHERE id = ${sessionId}`.catch(() => {});
      await sql`DELETE FROM projects WHERE id = ${projectId}`.catch(() => {});
      await sql.end({ timeout: 5 });
    }
    await rm(projectDir, { recursive: true, force: true });
  });
  it('createCheckpoint inserts a row + a private ref capturing tracked + untracked', async () => {
    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    const worktreeId = wt!.id;
    // Pre-turn untracked + tracked-edit state the agent will start from.
    await hostExec(`cd ${worktreePath} && echo edited >> README.md && echo new > extra.txt`, { timeoutMs: 10_000 });
    const [assistantMsg] = await sql<{ id: string }[]>`
      INSERT INTO messages (session_id, chat_id, role, content, status)
      VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming') RETURNING id
    `;
    const messageId = assistantMsg!.id;
    const cp = await createCheckpoint(sql, {
      chatId,
      sessionId,
      worktreeId,
      worktreePath,
      messageId,
    });
    expect(cp).not.toBeNull();
    expect(cp!.commit_sha).toMatch(/^[0-9a-f]{40}$/);
    const [row] = await sql<{ commit_sha: string; worktree_id: string; message_id: string }[]>`
      SELECT commit_sha, worktree_id, message_id FROM checkpoints WHERE id = ${cp!.id}
    `;
    expect(row!.commit_sha).toBe(cp!.commit_sha);
    expect(row!.worktree_id).toBe(worktreeId);
    expect(row!.message_id).toBe(messageId);
    // The ref exists and the captured tree carries the untracked file (proves the
    // temp-index `git add -A` snapshotted untracked content).
    const refLs = await hostExec(
      `git -C ${worktreePath} ls-tree -r --name-only ${cp!.commit_sha}`,
      { timeoutMs: 10_000 },
    );
    expect(refLs.exitCode).toBe(0);
    expect(refLs.stdout).toContain('extra.txt');
    // The shadow commit did NOT disturb the real working tree: extra.txt is still
    // present + still untracked (status shows it).
    const status = await hostExec(`git -C ${worktreePath} status --porcelain`, { timeoutMs: 10_000 });
    expect(status.stdout).toContain('extra.txt');
  });
  it('restoreCheckpoint resets the worktree, trims the transcript, and drops later checkpoints', async () => {
    // Clean slate for this test: reset the worktree to HEAD, clear prior rows.
    await hostExec(`git -C ${worktreePath} reset --hard HEAD && git -C ${worktreePath} clean -fd`, { timeoutMs: 10_000 });
    await sql`DELETE FROM checkpoints WHERE chat_id = ${chatId}`;
    await sql`DELETE FROM messages WHERE chat_id = ${chatId}`;
    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    const worktreeId = wt!.id;
    // Turn 1: a user msg, then the assistant turn the checkpoint anchors. The
    // worktree is pristine (matches HEAD) when this checkpoint is captured.
    await sql`INSERT INTO messages (session_id, chat_id, role, content, status) VALUES (${sessionId}, ${chatId}, 'user', 'do it', 'complete')`;
    const [a1] = await sql<{ id: string }[]>`
      INSERT INTO messages (session_id, chat_id, role, content, status)
      VALUES (${sessionId}, ${chatId}, 'assistant', 'turn 1', 'complete') RETURNING id
    `;
    const cp1 = await createCheckpoint(sql, { chatId, sessionId, worktreeId, worktreePath, messageId: a1!.id });
    expect(cp1).not.toBeNull();
    // The agent (turn 1) writes a file into the worktree.
    await hostExec(`cd ${worktreePath} && echo agent-wrote > agent.txt`, { timeoutMs: 10_000 });
    // Turn 2: another user msg + assistant turn, AND a second (later) checkpoint.
    await sql`INSERT INTO messages (session_id, chat_id, role, content, status) VALUES (${sessionId}, ${chatId}, 'user', 'more', 'complete')`;
    const [a2] = await sql<{ id: string }[]>`
      INSERT INTO messages (session_id, chat_id, role, content, status)
      VALUES (${sessionId}, ${chatId}, 'assistant', 'turn 2', 'complete') RETURNING id
    `;
    const cp2 = await createCheckpoint(sql, { chatId, sessionId, worktreeId, worktreePath, messageId: a2!.id });
    expect(cp2).not.toBeNull();
    // An agent_sessions row that restore should mark 'crashed'.
    await sql`
      INSERT INTO agent_sessions (chat_id, session_id, worktree_id, agent, backend, agent_session_id, status, last_active_at)
      VALUES (${chatId}, ${sessionId}, ${worktreeId}, 'goose', 'acp_warm', 'sess-1', 'active', clock_timestamp())
      ON CONFLICT (chat_id, agent) DO UPDATE SET status = 'active'
    `;
    const before = await sql<{ id: string }[]>`SELECT id FROM messages WHERE chat_id = ${chatId} ORDER BY created_at`;
    expect(before.length).toBe(4); // user, a1, user, a2
    // Restore to cp1 (before turn 1's assistant message).
    const result = await restoreCheckpoint(sql, cp1!.id, { sessionId });
    expect(result.checkpoint_id).toBe(cp1!.id);
    expect(result.worktree_reset).toBe(true);
    expect(result.backend_reset).toBe(true);
    // a1, user(turn2), a2 deleted (created_at >= a1) → 3 trimmed.
    expect(result.messages_deleted).toBe(3);
    // Transcript trimmed to just the first user message.
    const after = await sql<{ role: string; content: string }[]>`SELECT role, content FROM messages WHERE chat_id = ${chatId} ORDER BY created_at`;
    expect(after.length).toBe(1);
    expect(after[0]!.role).toBe('user');
    // Worktree reset: the agent's file is gone (it was written after cp1).
    const ls = await hostExec(`ls ${worktreePath}/agent.txt`, { timeoutMs: 10_000 });
    expect(ls.exitCode).not.toBe(0);
    // The agent_sessions row was reset to 'crashed'.
    const [as] = await sql<{ status: string }[]>`SELECT status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'goose'`;
    expect(as!.status).toBe('crashed');
    // cp1 survives (re-restorable); cp2 (later) was dropped.
    const cps = await sql<{ id: string }[]>`SELECT id FROM checkpoints WHERE chat_id = ${chatId}`;
    expect(cps.map((c) => c.id)).toEqual([cp1!.id]);
  });
  it('restoreCheckpoint throws CheckpointNotFoundError for an unknown id', async () => {
    await expect(
      restoreCheckpoint(sql, '00000000-0000-0000-0000-000000000000', { sessionId }),
    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
  });
  it('restoreCheckpoint throws when the checkpoint is not in the requested session', async () => {
    // A checkpoint whose session_id differs from the route's sessionId.
    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    const cp = await createCheckpoint(sql, { chatId, sessionId, worktreeId: wt!.id, worktreePath, messageId: null });
    expect(cp).not.toBeNull();
    await expect(
      restoreCheckpoint(sql, cp!.id, { sessionId: '11111111-1111-1111-1111-111111111111' }),
    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
    await sql`DELETE FROM checkpoints WHERE id = ${cp!.id}`;
  });
  it('restoreCheckpoint denies a NULL-session_id checkpoint from another session (no fail-open IDOR)', async () => {
    // Regression for the fail-open authorization bug: a checkpoint row whose
    // denormalized session_id is NULL must STILL be scoped via its chat's owning
    // session (chats.session_id), not skipped. The old guard `cp.session_id &&
    // cp.session_id !== sessionId` fell through on NULL → cross-session restore.
    const [row] = await sql<{ id: string }[]>`
      INSERT INTO checkpoints (chat_id, session_id, message_id, commit_sha)
      VALUES (${chatId}, NULL, NULL, 'deadbeef')
      RETURNING id
    `;
    await expect(
      restoreCheckpoint(sql, row!.id, { sessionId: '22222222-2222-2222-2222-222222222222' }),
    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
    await sql`DELETE FROM checkpoints WHERE id = ${row!.id}`;
  });
 });
--- a/apps/coder/src/services/tests/fuzzy-match.test.ts
+++ b/apps/coder/src/services/tests/fuzzy-match.test.ts
@@ -0,0 +1,173 @@
 import { describe, it, expect } from 'vitest';
 import { locateMatch, SIMILARITY_THRESHOLD } from '../fuzzy-match.js';
 // Helper: assert a resolved span and slice it back out of the content so the
 // test pins the EXACT file text the caller would replace.
 function span(result: ReturnType<typeof locateMatch>): { start: number; end: number } {
  if (result.kind !== 'exact' && result.kind !== 'fuzzy') {
    throw new Error(`expected a located span, got ${result.kind}`);
  }
  return { start: result.start, end: result.end };
 }
 describe('locateMatch — strategy 1: exact', () => {
  it('returns an exact unique span', () => {
    const content = 'alpha\nbeta\ngamma\n';
    const result = locateMatch(content, 'beta');
    expect(result.kind).toBe('exact');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('beta');
  });
  it('returns the right offsets for a multi-line exact needle', () => {
    const content = 'one\ntwo\nthree\nfour\n';
    const needle = 'two\nthree';
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('exact');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe(needle);
  });
  it('refuses when the exact needle occurs more than once', () => {
    const content = 'foo\nbar\nfoo\nbar\nfoo\n';
    const result = locateMatch(content, 'foo');
    expect(result).toEqual({ kind: 'ambiguous', count: 3 });
  });
 });
 describe('locateMatch — strategy 2: per-line whitespace', () => {
  it('matches across trailing-whitespace drift at the real span', () => {
    // File has trailing spaces the model dropped from a TWO-line copy. A
    // single-line needle would be located by exact indexOf (it's a substring),
    // so use two lines where line 1's trailing ws breaks an exact substring run.
    const content = 'function f() {\n  setup();   \n  return 1;\n}\n';
    const needle = '  setup();\n  return 1;'; // line 1 missing trailing spaces
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    // The returned span covers the ORIGINAL lines including the trailing spaces.
    expect(content.slice(start, end)).toBe('  setup();   \n  return 1;');
  });
  it('matches across indentation drift (multi-line block)', () => {
    // File indents with 4 spaces; model emitted 2-space indentation. trimEnd
    // alone does not normalize LEADING whitespace, so this exercises... actually
    // leading-indent drift is a Levenshtein-tier fallback. Here we keep the
    // leading indent identical and drift only trailing whitespace per line.
    const content = ['if (x) {', '    doThing();    ', '    doOther();', '}'].join('\n');
    const needle = ['    doThing();', '    doOther();'].join('\n');
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('    doThing();    \n    doOther();');
  });
  it('ignores leading/trailing blank needle lines', () => {
    const content = 'header\nbody line\nfooter\n';
    const needle = '\n\nbody line\n\n';
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('body line');
  });
  it('reports ambiguous when a whitespace-window matches twice', () => {
    // Both line 1 and line 4 differ from the needle only by trailing whitespace,
    // so exact indexOf fails (no exact substring) and the whitespace tier finds
    // two equivalent windows → ambiguous.
    const content = 'x = 1;  \ny = 2;\nz = 3;\nx = 1;\t\n';
    const needle = 'x = 1;'; // no trailing ws → not an exact substring of either line
    const result = locateMatch(content, needle);
    expect(result).toEqual({ kind: 'ambiguous', count: 2 });
  });
 });
 describe('locateMatch — strategy 3: unicode canonicalization', () => {
  it('matches across curly quotes', () => {
    const content = "const s = 'hello';\n";
    const needle = 'const s = ‘hello’;'; // ‘hello’
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    // Span maps back to ORIGINAL (straight-quote) text.
    expect(content.slice(start, end)).toBe("const s = 'hello';");
  });
  it('matches across curly double-quotes', () => {
    const content = 'log("done");\n';
    const needle = 'log(“done”);'; // “done”
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('log("done");');
  });
  it('matches across an em-dash drift', () => {
    const content = 'range 1-10 inclusive\n';
    const needle = 'range 1—10 inclusive'; // em-dash
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('range 1-10 inclusive');
  });
  it('matches across a non-breaking space drift', () => {
    const content = 'a b c\n'; // plain spaces
    const needle = 'a b c'; // nbsp between words
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('a b c');
  });
 });
 describe('locateMatch — strategy 4: Levenshtein', () => {
  it('matches a >= threshold near-miss (small typo drift)', () => {
    // Needle has a one-char typo ('totals' vs 'total') so it is NOT an exact
    // substring and the whitespace/canonical tiers (which require equality) both
    // miss; Levenshtein similarity stays well above the 0.66 floor.
    const content = 'const total = sum + tax;\n';
    const needle = 'const totals = sum + tax;';
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    // Span maps to the real (correctly-spelled) file line.
    expect(content.slice(start, end)).toBe('const total = sum + tax;');
  });
  it('matches a multi-line block with indentation drift via Levenshtein', () => {
    const content = ['function g() {', '  return compute(a, b);', '}'].join('\n');
    // 6-space indent vs file's 2-space; trimEnd does not fix leading indent, so
    // this lands on the Levenshtein tier (joined-trim makes it identical → ~1.0).
    const needle = ['      return compute(a, b);'].join('\n');
    const result = locateMatch(content, needle);
    expect(result.kind).toBe('fuzzy');
    const { start, end } = span(result);
    expect(content.slice(start, end)).toBe('  return compute(a, b);');
  });
  it('returns not_found for a below-threshold miss', () => {
    const content = 'the quick brown fox jumps over the lazy dog\n';
    const needle = 'completely unrelated string of text here xyz';
    const result = locateMatch(content, needle);
    expect(result).toEqual({ kind: 'not_found' });
  });
  it('returns not_found for a genuinely-absent needle', () => {
    const content = 'alpha\nbeta\ngamma\n';
    const needle = 'this content does not exist anywhere at all';
    const result = locateMatch(content, needle);
    expect(result).toEqual({ kind: 'not_found' });
  });
 });
 describe('locateMatch — edge cases', () => {
  it('returns not_found for an empty needle', () => {
    expect(locateMatch('anything', '')).toEqual({ kind: 'not_found' });
  });
  it('exposes a sane similarity threshold', () => {
    expect(SIMILARITY_THRESHOLD).toBeGreaterThan(0);
    expect(SIMILARITY_THRESHOLD).toBeLessThanOrEqual(1);
  });
 });
--- a/apps/coder/src/services/tests/reconnect_integration.test.ts
+++ b/apps/coder/src/services/tests/reconnect_integration.test.ts
@@ -0,0 +1,170 @@
 import { describe, it, expect, beforeAll, afterAll } from 'vitest';
 import { readFileSync, existsSync } from 'node:fs';
 import { rm, mkdir } from 'node:fs/promises';
 import { resolve } from 'node:path';
 import postgres from 'postgres';
 import {
  ensureSessionWorktree,
  closeChatBackendState,
  rebaselineWorktreeAfterApply,
 } from '../worktrees.js';
 import { reapOrphanWorktrees } from '../orphan-worktree-reaper.js';
 import { hostExec } from '../host-exec.js';
 /**
 * v2.6 Phase 3 (3.6) — reconnect-after-restart integration test.
 *
 * Proves the DB-truth side of crash/restart recovery: a BooCoder restart wipes the
 * in-memory pool, but the persistent `worktrees` + `agent_sessions` rows survive,
 * so the "next turn" re-resolves the SAME worktree (reattach, no new dir) and the
 * agent-session row is still there to resume from. Also exercises the chat-close
 * hook (3.3), the apply re-baseline (3.5), and the orphan reaper (3.4) end-to-end
 * against a real git repo + postgres.
 *
 * Requires DATABASE_URL (DB-opt-in; skips cleanly otherwise) AND git on PATH. Runs:
 *   DATABASE_URL='postgres://boocode:devpass@localhost:5500/boochat' pnpm -C apps/coder test
 */
 describe.runIf(!!process.env.DATABASE_URL)('reconnect after restart (Phase 3)', () => {
  let sql: ReturnType<typeof postgres>;
  const stamp = Date.now();
  const projectDir = `/tmp/boocode-reconnect-proj-${stamp}`;
  let projectId: string;
  let sessionId: string;
  let chatId: string;
  beforeAll(async () => {
    sql = postgres(process.env.DATABASE_URL!, { max: 3 });
    // Both schemas land in the one boochat DB: server owns sessions/chats/projects,
    // coder owns worktrees/agent_sessions (FK targets must pre-exist → server first).
    const serverSchema = resolve(__dirname, '../../../../server/src/schema.sql');
    const coderSchema = resolve(__dirname, '../../schema.sql');
    await sql.unsafe(readFileSync(serverSchema, 'utf8'));
    await sql.unsafe(readFileSync(coderSchema, 'utf8'));
    // A real git repo with one commit so worktree add / diff / rev-parse work.
    await mkdir(projectDir, { recursive: true });
    await hostExec(
      `cd ${projectDir} && git init -q && git config user.email t@t && git config user.name t ` +
        `&& echo hello > README.md && git add -A && git commit -qm init`,
      { timeoutMs: 20_000 },
    );
    const [project] = await sql<{ id: string }[]>`
      INSERT INTO projects (name, path, status) VALUES ('reconnect-test', ${projectDir}, 'open') RETURNING id
    `;
    projectId = project!.id;
    const [session] = await sql<{ id: string }[]>`
      INSERT INTO sessions (project_id, name, model, status)
      VALUES (${projectId}, 'recon', 'm', 'open') RETURNING id
    `;
    sessionId = session!.id;
    const [chat] = await sql<{ id: string }[]>`
      INSERT INTO chats (session_id, name, status) VALUES (${sessionId}, 'tab', 'open') RETURNING id
    `;
    chatId = chat!.id;
  });
  afterAll(async () => {
    if (sql) {
      // Best-effort worktree cleanup before dropping rows.
      const rows = await sql<{ path: string }[]>`SELECT path FROM worktrees WHERE session_id = ${sessionId}`.catch(() => []);
      for (const r of rows) {
        await hostExec(`git -C ${projectDir} worktree remove ${r.path} --force`, { timeoutMs: 10_000 }).catch(() => {});
      }
      await sql`DELETE FROM agent_sessions WHERE chat_id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM worktrees WHERE session_id = ${sessionId}`.catch(() => {});
      await sql`DELETE FROM chats WHERE id = ${chatId}`.catch(() => {});
      await sql`DELETE FROM sessions WHERE id = ${sessionId}`.catch(() => {});
      await sql`DELETE FROM projects WHERE id = ${projectId}`.catch(() => {});
      await sql.end({ timeout: 5 });
    }
    await rm(projectDir, { recursive: true, force: true });
  });
  it('reattaches the SAME worktree across a simulated restart (no new dir)', async () => {
    // "Turn 1" — first ensureSessionWorktree creates the worktree + row.
    const first = await ensureSessionWorktree(sql, projectDir, sessionId);
    expect(existsSync(first.worktreePath)).toBe(true);
    expect(first.baseCommit).toBeTruthy();
    // Simulate an agent_sessions row written by turn 1 (opencode).
    await sql`
      INSERT INTO agent_sessions (chat_id, session_id, worktree_id, agent, backend, agent_session_id, status, last_active_at)
      VALUES (${chatId}, ${sessionId}, ${first.worktreeId}, 'opencode', 'opencode_server', 'oc-sess-1', 'active', clock_timestamp())
      ON CONFLICT (chat_id, agent) DO NOTHING
    `;
    // "Restart" = brand-new resolution with NO in-memory state. ensureSessionWorktree
    // must return the EXISTING row (same id + path), proving reattach not re-create.
    const second = await ensureSessionWorktree(sql, projectDir, sessionId);
    expect(second.worktreeId).toBe(first.worktreeId);
    expect(second.worktreePath).toBe(first.worktreePath);
    expect(second.baseCommit).toBe(first.baseCommit);
    // The agent_sessions row survived the "restart" with its resume handle intact.
    const [row] = await sql<{ agent_session_id: string; status: string }[]>`
      SELECT agent_session_id, status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'opencode'
    `;
    expect(row!.agent_session_id).toBe('oc-sess-1');
  });
  it('re-baselines the worktree diff after apply (3.5)', async () => {
    const wt = await ensureSessionWorktree(sql, projectDir, sessionId);
    const baseBefore = wt.baseCommit;
    // Make a change in the worktree (as an external agent would).
    await hostExec(`cd ${wt.worktreePath} && echo change >> README.md`, { timeoutMs: 10_000 });
    const r = await rebaselineWorktreeAfterApply(sql, sessionId);
    expect(r.rebaselined).toBe(true);
    expect(r.newBaseCommit).toBeTruthy();
    expect(r.newBaseCommit).not.toBe(baseBefore);
    const [row] = await sql<{ base_commit: string }[]>`
      SELECT base_commit FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'
    `;
    expect(row!.base_commit).toBe(r.newBaseCommit);
    // Idempotent: a second re-baseline with no new edits is a no-op.
    const r2 = await rebaselineWorktreeAfterApply(sql, sessionId);
    expect(r2.rebaselined).toBe(false);
  });
  it('chat-close hook closes agent rows + removes the worktree on the last chat (3.3)', async () => {
    // Sanity: an active worktree + agent row exist from the prior tests.
    const beforeWt = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    expect(beforeWt.length).toBe(1);
    const result = await closeChatBackendState(sql, chatId);
    expect(result.agentRowsClosed).toBeGreaterThanOrEqual(1);
    // chatId is the session's only chat → worktree removed (it was clean after the
    // re-baseline commit), not at-risk.
    expect(result.worktreeAtRisk).toBe(false);
    expect(result.worktreeRemoved).toBe(true);
    const [agentRow] = await sql<{ status: string }[]>`
      SELECT status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'opencode'
    `;
    expect(agentRow!.status).toBe('closed');
    const activeWt = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
    expect(activeWt.length).toBe(0); // archived, no longer active
  });
  it('orphan reaper leaves a live worktree alone and reaps a row-less dir (3.4)', async () => {
    // Recreate a live worktree for this session (the close test archived the old one).
    const live = await ensureSessionWorktree(sql, projectDir, sessionId);
    expect(existsSync(live.worktreePath)).toBe(true);
    // A live worktree (active row) with grace 0 must NOT be reaped.
    const r1 = await reapOrphanWorktrees(sql, console as never, 0, Date.now());
    expect(r1.reaped).not.toContain(live.worktreePath);
    // Now archive its row (simulating a leaked dir) and reap again — it becomes an
    // orphan and is reclaimed (it's clean → not at-risk).
    await sql`UPDATE worktrees SET status = 'archived' WHERE id = ${live.worktreeId}`;
    const r2 = await reapOrphanWorktrees(sql, console as never, 0, Date.now());
    expect(r2.reaped).toContain(live.worktreePath);
    expect(existsSync(live.worktreePath)).toBe(false);
  });
 });
--- a/apps/coder/src/services/tests/stream-json-parser.test.ts
+++ b/apps/coder/src/services/tests/stream-json-parser.test.ts
@@ -0,0 +1,189 @@
 import { describe, it, expect } from 'vitest';
 import {
  makeStreamJsonParser,
  makeStreamJsonState,
  parseStreamJsonLine,
  type AgentEventList,
 } from '../stream-json-parser.js';
 import type { AgentEvent } from '../agent-backend.js';
 import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
 // Helpers to JSON-encode the representative Claude-Code stream-json lines.
 const sys = (sessionId: string) =>
  JSON.stringify({ type: 'system', subtype: 'init', session_id: sessionId, tools: ['read', 'edit'] });
 const streamEvent = (event: unknown) => JSON.stringify({ type: 'stream_event', event });
 const textDelta = (index: number, text: string) =>
  streamEvent({ type: 'content_block_delta', index, delta: { type: 'text_delta', text } });
 const thinkingDelta = (index: number, thinking: string) =>
  streamEvent({ type: 'content_block_delta', index, delta: { type: 'thinking_delta', thinking } });
 const toolStart = (index: number, id: string, name: string) =>
  streamEvent({ type: 'content_block_start', index, content_block: { type: 'tool_use', id, name } });
 const inputJsonDelta = (index: number, partial: string) =>
  streamEvent({ type: 'content_block_delta', index, delta: { type: 'input_json_delta', partial_json: partial } });
 const blockStop = (index: number) => streamEvent({ type: 'content_block_stop', index });
 const resultLine = (input: number, output: number, sessionId?: string) =>
  JSON.stringify({ type: 'result', subtype: 'success', session_id: sessionId, usage: { input_tokens: input, output_tokens: output } });
 describe('parseStreamJsonLine (pure per-line mapping)', () => {
  it('captures session_id from the system init line and emits no events', () => {
    const state = makeStreamJsonState();
    const events = parseStreamJsonLine(sys('sess-abc'), state);
    expect(events).toEqual([]);
    expect(state.sessionId).toBe('sess-abc');
  });
  it('maps a text_delta stream_event → a text event', () => {
    const state = makeStreamJsonState();
    expect(parseStreamJsonLine(textDelta(0, 'Hello'), state)).toEqual([{ type: 'text', text: 'Hello' }]);
  });
  it('maps a thinking_delta stream_event → a reasoning event', () => {
    const state = makeStreamJsonState();
    expect(parseStreamJsonLine(thinkingDelta(0, 'pondering'), state)).toEqual([
      { type: 'reasoning', text: 'pondering' },
    ]);
  });
  it('tolerates a garbage / non-JSON line (returns [], no throw)', () => {
    const state = makeStreamJsonState();
    expect(parseStreamJsonLine('not json at all {{{', state)).toEqual([]);
    expect(parseStreamJsonLine('', state)).toEqual([]);
    expect(parseStreamJsonLine('   ', state)).toEqual([]);
    // A truncated/partial JSON object also yields [] rather than throwing.
    expect(parseStreamJsonLine('{"type":"stream_event","eve', state)).toEqual([]);
  });
  it('ignores unknown top-level line types and the user (tool-result) line', () => {
    const state = makeStreamJsonState();
    expect(parseStreamJsonLine(JSON.stringify({ type: 'user', message: {} }), state)).toEqual([]);
    expect(parseStreamJsonLine(JSON.stringify({ type: 'whatever' }), state)).toEqual([]);
  });
  it('assembles a tool call across input_json_delta chunks (split across lines)', () => {
    const state = makeStreamJsonState();
    // start → tool_call (running, empty args)
    const start = parseStreamJsonLine(toolStart(1, 'toolu_1', 'edit_file'), state);
    expect(start).toHaveLength(1);
    expect(start[0]!.type).toBe('tool_call');
    const startSnap = (start[0] as { type: 'tool_call'; toolCall: AcpToolSnapshot }).toolCall;
    expect(startSnap.toolCallId).toBe('toolu_1');
    expect(startSnap.title).toBe('edit_file');
    expect(startSnap.status).toBe('in_progress');
    expect(startSnap.rawInput).toEqual({});
    // args streamed in fragments — no events until stop
    expect(parseStreamJsonLine(inputJsonDelta(1, '{"path":"a'), state)).toEqual([]);
    expect(parseStreamJsonLine(inputJsonDelta(1, '.ts","content":'), state)).toEqual([]);
    expect(parseStreamJsonLine(inputJsonDelta(1, '"hi"}'), state)).toEqual([]);
    // stop → tool_update with the parsed, fully-assembled input
    const stop = parseStreamJsonLine(blockStop(1), state);
    expect(stop).toHaveLength(1);
    expect(stop[0]!.type).toBe('tool_update');
    const stopSnap = (stop[0] as { type: 'tool_update'; toolCall: AcpToolSnapshot }).toolCall;
    expect(stopSnap.toolCallId).toBe('toolu_1');
    expect(stopSnap.status).toBe('completed');
    expect(stopSnap.rawInput).toEqual({ path: 'a.ts', content: 'hi' });
  });
  it('falls back to {_raw} when accumulated tool args are not valid JSON', () => {
    const state = makeStreamJsonState();
    parseStreamJsonLine(toolStart(0, 'toolu_x', 'run'), state);
    parseStreamJsonLine(inputJsonDelta(0, '{"broken'), state);
    const stop = parseStreamJsonLine(blockStop(0), state);
    const snap = (stop[0] as { type: 'tool_update'; toolCall: AcpToolSnapshot }).toolCall;
    expect(snap.rawInput).toEqual({ _raw: '{"broken' });
  });
  it('captures usage from message_delta and result lines', () => {
    const state = makeStreamJsonState();
    parseStreamJsonLine(streamEvent({ type: 'message_delta', usage: { output_tokens: 42 } }), state);
    expect(state.usage.outputTokens).toBe(42);
    parseStreamJsonLine(resultLine(100, 250, 'sess-z'), state);
    expect(state.usage.inputTokens).toBe(100);
    expect(state.usage.outputTokens).toBe(250);
    expect(state.sessionId).toBe('sess-z');
  });
  it('maps a terminal assistant message (fallback) → text + reasoning + tool events', () => {
    const state = makeStreamJsonState();
    const line = JSON.stringify({
      type: 'assistant',
      session_id: 'sess-asst',
      message: {
        content: [
          { type: 'thinking', thinking: 'let me think' },
          { type: 'text', text: 'Here is the answer' },
          { type: 'tool_use', id: 'toolu_9', name: 'view_file', input: { path: 'x.ts' } },
        ],
        usage: { input_tokens: 5, output_tokens: 7 },
      },
    });
    const events = parseStreamJsonLine(line, state);
    expect(events).toEqual([
      { type: 'reasoning', text: 'let me think' },
      { type: 'text', text: 'Here is the answer' },
      {
        type: 'tool_update',
        toolCall: { toolCallId: 'toolu_9', title: 'view_file', kind: null, status: 'completed', rawInput: { path: 'x.ts' } },
      },
    ]);
    expect(state.usage).toEqual({ inputTokens: 5, outputTokens: 7 });
    expect(state.sessionId).toBe('sess-asst');
  });
 });
 describe('makeStreamJsonParser (stateful wrapper over a full turn)', () => {
  it('streams a representative turn: init → text → thinking → tool → result', () => {
    const parser = makeStreamJsonParser();
    const all: AgentEvent[] = [];
    const feed = (line: string): AgentEventList => {
      const evs = parser.push(line);
      all.push(...evs);
      return evs;
    };
    feed(sys('sess-1'));
    feed(textDelta(0, 'Reading '));
    feed(textDelta(0, 'the file. '));
    feed(thinkingDelta(0, 'I should edit it'));
    feed(toolStart(1, 'toolu_a', 'edit_file'));
    feed(inputJsonDelta(1, '{"path":'));
    feed(inputJsonDelta(1, '"main.ts"}'));
    feed(blockStop(1));
    feed(textDelta(0, 'Done.'));
    feed(resultLine(120, 80, 'sess-1'));
    expect(all).toEqual([
      { type: 'text', text: 'Reading ' },
      { type: 'text', text: 'the file. ' },
      { type: 'reasoning', text: 'I should edit it' },
      {
        type: 'tool_call',
        toolCall: { toolCallId: 'toolu_a', title: 'edit_file', kind: null, status: 'in_progress', rawInput: {} },
      },
      {
        type: 'tool_update',
        toolCall: { toolCallId: 'toolu_a', title: 'edit_file', kind: null, status: 'completed', rawInput: { path: 'main.ts' } },
      },
      { type: 'text', text: 'Done.' },
    ]);
    expect(parser.usage()).toEqual({ inputTokens: 120, outputTokens: 80 });
    expect(parser.sessionId()).toBe('sess-1');
  });
  it('a garbage line interleaved mid-turn does not derail subsequent parsing', () => {
    const parser = makeStreamJsonParser();
    expect(parser.push(textDelta(0, 'a'))).toEqual([{ type: 'text', text: 'a' }]);
    expect(parser.push('>>> not json <<<')).toEqual([]);
    expect(parser.push(textDelta(0, 'b'))).toEqual([{ type: 'text', text: 'b' }]);
  });
 });
--- a/apps/coder/src/services/acp-dispatch.ts
+++ b/apps/coder/src/services/acp-dispatch.ts
@@ -32,9 +32,9 @@ import { createAcpNdJsonStream } from './acp-stream.js';
 import { waitForPermissionResponse, waitForElicitationResponse, cancelPendingPermission } from './permission-waiter.js';
 import { mergeTaskCommands, getTaskCommands } from './agent-commands-cache.js';
 import { readWorktreeTextFile, writeWorktreeTextFile } from './acp-client-fs.js';
 import { mapSessionUpdate } from './acp-event-map.js';
 import {
  type AcpToolSnapshot,
  mergeToolSnapshot,
  snapshotToWireToolCall,
  synthesizeCanceledSnapshots,
 } from './acp-tool-snapshot.js';
@@ -159,63 +159,47 @@ class AcpStreamContext {
    } as WsFrame);
  }
  handleToolUpdate(toolCallId: string, update: Parameters<typeof mergeToolSnapshot>[1]): void {
    const previous = this.toolSnapshots.get(toolCallId);
    const snapshot = mergeToolSnapshot(toolCallId, update, previous);
    this.toolSnapshots.set(toolCallId, snapshot);
    this.publishToolSnapshot(snapshot);
  }
  async handleSessionUpdate(params: SessionNotification): Promise<void> {
-    const update = params.update;
+    // v2.6 Phase 2: the case-by-case mapping now lives in the shared, pure
-    switch (update.sessionUpdate) {
+    // `mapSessionUpdate` (reused by the warm ACP backend). This method keeps the
-      case 'agent_message_chunk': {
+    // identical broker-publishing side effects — it just translates the normalized
-        const content = update.content;
+    // AgentEvents back into the same frames it always emitted. `this.toolSnapshots`
-        if (content.type === 'text' && 'text' in content) {
+    // is the merge accumulator, so a later tool_call_update merges over its
-          const text = (content as { text: string }).text;
+    // tool_call (the prior `handleToolUpdate` behavior, byte-for-byte).
-          this.textChunks.push(text);
+    for (const event of mapSessionUpdate(params, this.toolSnapshots)) {
      switch (event.type) {
        case 'text':
          this.textChunks.push(event.text);
          if (this.canStream()) {
            this.opts.broker!.publishFrame(this.opts.sessionId!, {
              type: 'delta',
              message_id: this.opts.messageId!,
              chat_id: this.opts.chatId!,
-              content: text,
+              content: event.text,
            } as WsFrame);
          }
        }
          break;
-      }
+        case 'reasoning':
-      case 'agent_thought_chunk': {
+          this.reasoningChunks.push(event.text);
        const content = update.content;
        if (content.type === 'text' && 'text' in content) {
          const text = (content as { text: string }).text;
          this.reasoningChunks.push(text);
          if (this.canStream()) {
            this.opts.broker!.publishFrame(this.opts.sessionId!, {
              type: 'reasoning_delta',
              message_id: this.opts.messageId!,
              chat_id: this.opts.chatId!,
-              content: text,
+              content: event.text,
            } as WsFrame);
          }
        }
          break;
      }
        case 'tool_call':
-        this.handleToolUpdate(update.toolCallId, update);
+        case 'tool_update':
          // mapSessionUpdate already stored the merged snapshot in this.toolSnapshots.
          this.publishToolSnapshot(event.toolCall);
          break;
-      case 'tool_call_update':
+        case 'commands':
-        this.handleToolUpdate(update.toolCallId, update);
+          if (this.opts.taskId && event.commands.length > 0) {
-        break;
+            mergeTaskCommands(this.opts.taskId, event.commands);
      case 'available_commands_update': {
        const commands = update.availableCommands.map((cmd) => ({
          name: cmd.name,
          description: cmd.description ?? undefined,
        }));
        if (this.opts.taskId && commands.length > 0) {
          mergeTaskCommands(this.opts.taskId, commands);
            if (this.canStream() && this.opts.sessionId) {
-            const all = getTaskCommands(this.opts.taskId) ?? commands;
+              const all = getTaskCommands(this.opts.taskId) ?? event.commands;
              this.opts.broker!.publishFrame(this.opts.sessionId, {
                type: 'agent_commands',
                task_id: this.opts.taskId,
@@ -226,8 +210,6 @@ class AcpStreamContext {
          }
          break;
      }
      default:
        break;
    }
  }
--- a/apps/coder/src/services/acp-event-map.ts
+++ b/apps/coder/src/services/acp-event-map.ts
@@ -0,0 +1,68 @@
 /**
 * Shared ACP session-update → normalized AgentEvent mapping.
 *
 * Extracted verbatim (v2.6 Phase 2) from `AcpStreamContext.handleSessionUpdate`
 * in `acp-dispatch.ts` so the warm ACP backend (`backends/warm-acp.ts`) and the
 * one-shot dispatch share ONE mapping. The one-shot path translates the returned
 * events into broker frames itself (preserving its prior behavior byte-for-byte);
 * the warm backend forwards them to the dispatcher's `ctx.onEvent` exactly like
 * the opencode-server backend does. No I/O, no broker — pure, so it's unit-testable.
 *
 * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2b.
 */
 import type { SessionNotification } from '@agentclientprotocol/sdk';
 import type { AgentEvent } from './agent-backend.js';
 import { type AcpToolSnapshot, mergeToolSnapshot } from './acp-tool-snapshot.js';
 /**
 * Map one ACP `session/update` notification to zero-or-more normalized AgentEvents.
 *
 * `priorSnapshots` is the caller-owned tool-call snapshot accumulator (toolCallId →
 * snapshot). For `tool_call` / `tool_call_update` the merged snapshot is written
 * back into it (mutated in place, mirroring `AcpStreamContext.handleToolUpdate`)
 * so a later `tool_call_update` merges over the earlier `tool_call`. Pass an empty
 * Map for a stateless single call.
 *
 * Returns an array (never throws) so the caller can splat it onto `onEvent`.
 */
 export function mapSessionUpdate(
  params: SessionNotification,
  priorSnapshots: Map<string, AcpToolSnapshot> = new Map(),
 ): AgentEvent[] {
  const update = params.update;
  switch (update.sessionUpdate) {
    case 'agent_message_chunk': {
      const content = update.content;
      if (content.type === 'text' && 'text' in content) {
        return [{ type: 'text', text: (content as { text: string }).text }];
      }
      return [];
    }
    case 'agent_thought_chunk': {
      const content = update.content;
      if (content.type === 'text' && 'text' in content) {
        return [{ type: 'reasoning', text: (content as { text: string }).text }];
      }
      return [];
    }
    case 'tool_call': {
      const snapshot = mergeToolSnapshot(update.toolCallId, update, priorSnapshots.get(update.toolCallId));
      priorSnapshots.set(update.toolCallId, snapshot);
      return [{ type: 'tool_call', toolCall: snapshot }];
    }
    case 'tool_call_update': {
      const snapshot = mergeToolSnapshot(update.toolCallId, update, priorSnapshots.get(update.toolCallId));
      priorSnapshots.set(update.toolCallId, snapshot);
      return [{ type: 'tool_update', toolCall: snapshot }];
    }
    case 'available_commands_update': {
      const commands = update.availableCommands.map((cmd) => ({
        name: cmd.name,
        description: cmd.description ?? undefined,
      }));
      return [{ type: 'commands', commands }];
    }
    default:
      return [];
  }
 }
--- a/apps/coder/src/services/agent-backend.ts
+++ b/apps/coder/src/services/agent-backend.ts
@@ -70,6 +70,12 @@ export interface PromptCtx {
  model: string;
  signal: AbortSignal;
  onEvent: (e: AgentEvent) => void;
  /** Phase 2: per-turn task id, so a warm ACP backend can route permission /
   *  elicitation prompts back to the UI via the permission-waiter. Optional —
   *  the opencode-server backend (autonomous) ignores it. */
  taskId?: string;
  /** Phase 2: per-turn mode id (gates autonomous mode in the permission-waiter). */
  modeId?: string;
 }
 /** Result of a completed turn (§2). Diff/persist happen outside the backend. */
@@ -93,4 +99,21 @@ export interface AgentBackend {
  dispose(): Promise<void>;
  /** Liveness for health endpoint + dispatcher fallback decision. §2 */
  health(): 'up' | 'down';
  /**
   * v2.6 Phase 3: true iff a turn is in flight on this backend. The pool's idle
   * eviction + LRU cap NEVER evict a busy backend (design §6 busy rule); the
   * health-monitor defers a restart while busy (stale-grace). Optional so the
   * Phase-0 scaffold and any test double stay compatible — absent ⇒ treated as
   * not busy. opencode-server (multi-session) is busy iff ANY session has an
   * active turn; warm-acp (single session) iff its one slot is active.
   */
  isBusy?(): boolean;
  /**
   * v2.6 Phase 3: optional proactive health probe + busy-aware self-restart, run
   * by the pool's periodic sweep. The opencode-server backend implements it
   * (detects a hung-but-not-exited server and restarts when non-busy). Backends
   * with no long-lived shared process (warm-ACP recovers lazily on its own child
   * exit) can omit it. Must never throw — the sweep ignores rejections.
   */
  tickHealth?(now?: number): Promise<void>;
 }
--- a/apps/coder/src/services/agent-pool.ts
+++ b/apps/coder/src/services/agent-pool.ts
@@ -1,44 +1,246 @@
 /**
- * v2.6 — AgentPool (Phase 0 scaffold).
+ * v2.6 — AgentPool.
 *
 * Lazy get-or-create registry of `AgentBackend` instances keyed by
- * `${sessionId}:${agent}`. Phase 0 ships the skeleton only: an in-memory Map,
+ * `${primary}:${agent}` (primary = chatId for warm-ACP, a fixed sentinel for the
- * lookup / register / health, and clean disposal wired to the server's onClose.
+ * single shared opencode server). Phase 0 shipped the skeleton (Map + health +
- * Spawning lands in Phase 1/2; nothing populates the map yet.
+ * dispose). Phase 3 adds the LIFECYCLE: per-entry idle tracking, a periodic
 * idle-TTL + LRU-cap sweep (the pure decisions live in
 * `backends/lifecycle-decisions.ts`), and a `closeChat` helper for the chat-close
 * hook. Reattach after eviction is implicit — the next turn's `ensureSession`
 * rebuilds the backend from `agent_sessions` / `worktrees` (DB is the source of
 * truth; the in-memory pool is a warm cache).
 *
- * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2.
+ * The hard rule (design §6): NEVER evict a busy backend (one with an in-flight
 * turn). `selectIdleEvictionTargets` / `selectLruEvictionTargets` enforce it via
 * `backend.isBusy()`; a long turn that outlives the TTL is left alone.
 *
 * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2 / §6.
 */
 import type { FastifyBaseLogger } from 'fastify';
 import type { AgentBackend } from './agent-backend.js';
 import {
  selectIdleEvictionTargets,
  selectLruEvictionTargets,
  DEFAULT_IDLE_TTL_MS,
  DEFAULT_MAX_LIVE_BACKENDS,
 } from './backends/lifecycle-decisions.js';
 interface PoolEntry {
  primary: string;
  agent: string;
  backend: AgentBackend;
  /** Epoch ms of the last turn boundary (register or touch). Drives idle/LRU. */
  lastActiveAt: number;
 }
 export interface AgentPoolOpts {
  /** Idle TTL before a non-busy backend is evicted. Default 30 min. */
  idleTtlMs?: number;
  /** Max live backends before the LRU cap evicts the least-recently-used. */
  maxLive?: number;
  /** Sweep cadence. Default 60s (mirrors the server's periodic sweeper). */
  sweepIntervalMs?: number;
  log?: FastifyBaseLogger;
 }
 const DEFAULT_SWEEP_INTERVAL_MS = 60_000;
 export class AgentPool {
-  private readonly backends = new Map<string, AgentBackend>();
+  private readonly backends = new Map<string, PoolEntry>();
  private idleTtlMs: number;
  private maxLive: number;
  private sweepIntervalMs: number;
  private log: FastifyBaseLogger | undefined;
  private sweepTimer: ReturnType<typeof setInterval> | null = null;
  /** Serializes sweep runs so a slow eviction can't overlap the next tick. */
  private sweeping = false;
-  private key(sessionId: string, agent: string): string {
+  constructor(opts: AgentPoolOpts = {}) {
-    return `${sessionId}:${agent}`;
+    this.idleTtlMs = opts.idleTtlMs ?? DEFAULT_IDLE_TTL_MS;
    this.maxLive = opts.maxLive ?? DEFAULT_MAX_LIVE_BACKENDS;
    this.sweepIntervalMs = opts.sweepIntervalMs ?? DEFAULT_SWEEP_INTERVAL_MS;
    this.log = opts.log;
  }
-  /** Map lookup only. Spawning is Phase 1/2 — never creates here. */
+  /** Apply env-derived knobs to the module singleton at bootstrap (before
-  get(sessionId: string, agent: string): AgentBackend | undefined {
+   *  startReaper). Only overrides explicitly-provided fields. */
-    return this.backends.get(this.key(sessionId, agent));
+  configure(opts: AgentPoolOpts): void {
    if (opts.idleTtlMs != null) this.idleTtlMs = opts.idleTtlMs;
    if (opts.maxLive != null) this.maxLive = opts.maxLive;
    if (opts.sweepIntervalMs != null) this.sweepIntervalMs = opts.sweepIntervalMs;
    if (opts.log) this.log = opts.log;
  }
-  /** Store a backend instance for this (session, agent). */
+  private key(primary: string, agent: string): string {
-  register(sessionId: string, agent: string, backend: AgentBackend): void {
+    return `${primary}:${agent}`;
-    this.backends.set(this.key(sessionId, agent), backend);
+  }
  /** Map lookup only. Spawning happens in the dispatcher (Phase 1/2). A hit also
   *  marks the entry recently-active so a resolve-without-prompt doesn't get it
   *  evicted out from under an imminent turn. */
  get(primary: string, agent: string): AgentBackend | undefined {
    const entry = this.backends.get(this.key(primary, agent));
    if (entry) entry.lastActiveAt = Date.now();
    return entry?.backend;
  }
  /** Store a backend instance for this (primary, agent). */
  register(primary: string, agent: string, backend: AgentBackend): void {
    this.backends.set(this.key(primary, agent), { primary, agent, backend, lastActiveAt: Date.now() });
  }
  /** Mark a backend recently-active (call at turn start AND settle so a long turn
   *  keeps its slot warm). No-op if the key isn't pooled. */
  touch(primary: string, agent: string): void {
    const entry = this.backends.get(this.key(primary, agent));
    if (entry) entry.lastActiveAt = Date.now();
  }
  /** Snapshot for the decision helpers (busy is read live from the backend). */
  private snapshots(): { key: string; lastActiveAt: number; busy: boolean }[] {
    const out: { key: string; lastActiveAt: number; busy: boolean }[] = [];
    for (const [key, e] of this.backends) {
      out.push({ key, lastActiveAt: e.lastActiveAt, busy: e.backend.isBusy?.() ?? false });
    }
    return out;
  }
  /** Summary for the health endpoint. */
-  health(): { size: number } {
+  health(): { size: number; busy: number } {
-    return { size: this.backends.size };
+    let busy = 0;
    for (const e of this.backends.values()) if (e.backend.isBusy?.()) busy++;
    return { size: this.backends.size, busy };
  }
  // ─── Phase 3: idle-TTL + LRU eviction sweep ──────────────────────────────────
  /** Start the periodic idle + LRU sweep. Idempotent; unref'd so it never holds
   *  the process open on its own. */
  startReaper(log?: FastifyBaseLogger): void {
    if (log) this.log = log;
    if (this.sweepTimer) return;
    this.sweepTimer = setInterval(() => {
      void this.sweep().catch((err) => {
        this.log?.warn({ err: errMsg(err) }, 'agent-pool: sweep error');
      });
    }, this.sweepIntervalMs);
    this.sweepTimer.unref?.();
  }
  stopReaper(): void {
    if (this.sweepTimer) {
      clearInterval(this.sweepTimer);
      this.sweepTimer = null;
    }
  }
  /**
   * One sweep pass: evict idle-past-TTL backends, then enforce the LRU cap.
   * Deduped (a key can't appear in both lists for one pass). Busy backends are
   * excluded by the decision helpers — a live turn is never torn down.
   */
  async sweep(now: number = Date.now()): Promise<{ evicted: string[] }> {
    if (this.sweeping) return { evicted: [] };
    this.sweeping = true;
    try {
      // Phase 3: drive each backend's optional proactive health probe first (the
      // opencode server's busy-aware hung-detect + self-restart). Best-effort —
      // a probe must never fail the sweep.
      for (const e of this.backends.values()) {
        if (e.backend.tickHealth) {
          await e.backend.tickHealth(now).catch((err) => {
            this.log?.warn({ key: this.key(e.primary, e.agent), err: errMsg(err) }, 'agent-pool: tickHealth threw');
          });
        }
      }
      const snaps = this.snapshots();
      const idle = selectIdleEvictionTargets(snaps, now, this.idleTtlMs);
      // LRU runs on what remains after idle eviction, so the two never double-evict.
      const idleSet = new Set(idle);
      const remaining = snaps.filter((s) => !idleSet.has(s.key));
      const lru = selectLruEvictionTargets(remaining, this.maxLive);
      const targets = [...idle, ...lru];
      if (targets.length === 0) return { evicted: [] };
      const evicted: string[] = [];
      for (const key of targets) {
        const entry = this.backends.get(key);
        if (!entry) continue;
        // Re-check busy right before teardown — a turn may have started since the
        // snapshot. Defensive; the decision already excluded busy at snapshot time.
        if (entry.backend.isBusy?.()) continue;
        this.backends.delete(key);
        try {
          await entry.backend.dispose();
        } catch (err) {
          this.log?.warn({ key, err: errMsg(err) }, 'agent-pool: backend dispose threw during eviction');
        }
        evicted.push(key);
      }
      if (evicted.length > 0) {
        this.log?.info({ evicted, size: this.backends.size }, 'agent-pool: evicted idle/over-cap backends');
      }
      return { evicted };
    } finally {
      this.sweeping = false;
    }
  }
  // ─── Phase 3: chat-close cleanup (3.3) ───────────────────────────────────────
  /**
   * Tear down every pooled backend whose key is for this chat. Used by the
   * chat-close hook. The opencode server is shared (keyed on a sentinel, not the
   * chat), so it is NOT disposed here — only its session is closed via
   * `closeSession`, which the hook calls directly with the per-(chat,agent)
   * handle. Returns the keys it removed. Skips busy entries (a close mid-turn is
   * rare but must not kill a live stream — the idle sweep reaps it shortly after).
   */
  async closeChat(chatId: string): Promise<string[]> {
    const removed: string[] = [];
    const prefix = `${chatId}:`;
    for (const [key, entry] of [...this.backends]) {
      if (!key.startsWith(prefix)) continue;
      if (entry.backend.isBusy?.()) continue;
      this.backends.delete(key);
      try {
        await entry.backend.dispose();
      } catch (err) {
        this.log?.warn({ key, err: errMsg(err) }, 'agent-pool: dispose threw during closeChat');
      }
      removed.push(key);
    }
    return removed;
  }
  /** Look up a backend by exact key without bumping its activity (for closeSession). */
  peek(primary: string, agent: string): AgentBackend | undefined {
    return this.backends.get(this.key(primary, agent))?.backend;
  }
  /** Dispose every backend and clear the map. Tolerates throwing backends. */
  async dispose(): Promise<void> {
    this.stopReaper();
    const entries = [...this.backends.values()];
    this.backends.clear();
-    await Promise.allSettled(entries.map((b) => b.dispose()));
+    await Promise.allSettled(entries.map((e) => e.backend.dispose()));
  }
 }
-/** Single shared instance — referenced only by the server's onClose hook in Phase 0. */
+function errMsg(e: unknown): string {
  return e instanceof Error ? e.message : String(e);
 }
 /**
 * The shared opencode server is pooled under a FIXED sentinel (one server per
 * BooCoder process, multiplexing all opencode sessions internally) rather than a
 * chat id — so it is NOT torn down by `closeChat(chatId)` (only its per-chat
 * session is closed). Exported so the dispatcher + the lifecycle close-hook agree
 * on the key without drift.
 */
 export const OPENCODE_POOL_KEY = '__opencode_server__';
 /** Single shared instance — registered by the dispatcher, swept + drained by the
 *  server's onClose hook. */
 export const agentPool = new AgentPool();
--- a/apps/coder/src/services/backends/tests/lifecycle-decisions.test.ts
+++ b/apps/coder/src/services/backends/tests/lifecycle-decisions.test.ts
@@ -0,0 +1,176 @@
 import { describe, it, expect } from 'vitest';
 import {
  selectIdleEvictionTargets,
  selectLruEvictionTargets,
  decideRestart,
  selectOrphanWorktreeTargets,
  DEFAULT_IDLE_TTL_MS,
  DEFAULT_MAX_LIVE_BACKENDS,
  type PoolEntrySnapshot,
 } from '../lifecycle-decisions.js';
 /**
 * v2.6 Phase 3 — pure lifecycle decisions. No DB, no children, no timers; `now`
 * is injected. Models prune.ts:selectPruneTargets — the caller acts on the keys.
 */
 const NOW = 1_000_000_000_000;
 function entry(key: string, ageMs: number, busy = false): PoolEntrySnapshot {
  return { key, lastActiveAt: NOW - ageMs, busy };
 }
 describe('selectIdleEvictionTargets (3.1)', () => {
  it('evicts entries idle past the TTL', () => {
    const entries = [
      entry('a:opencode', DEFAULT_IDLE_TTL_MS + 1),
      entry('b:goose', DEFAULT_IDLE_TTL_MS - 1),
    ];
    expect(selectIdleEvictionTargets(entries, NOW)).toEqual(['a:opencode']);
  });
  it('never evicts a busy entry even when idle past the TTL', () => {
    const entries = [entry('a:opencode', DEFAULT_IDLE_TTL_MS * 10, /* busy */ true)];
    expect(selectIdleEvictionTargets(entries, NOW)).toEqual([]);
  });
  it('respects a custom TTL', () => {
    const entries = [entry('a:goose', 5_000), entry('b:qwen', 500)];
    expect(selectIdleEvictionTargets(entries, NOW, 1_000)).toEqual(['a:goose']);
  });
  it('treats exactly-at-TTL as evictable (>=)', () => {
    expect(selectIdleEvictionTargets([entry('a:x', 1_000)], NOW, 1_000)).toEqual(['a:x']);
  });
  it('returns empty for an empty pool', () => {
    expect(selectIdleEvictionTargets([], NOW)).toEqual([]);
  });
 });
 describe('selectLruEvictionTargets (3.4)', () => {
  it('returns nothing when at or under the cap', () => {
    const entries = [entry('a:x', 10), entry('b:y', 20)];
    expect(selectLruEvictionTargets(entries, 2)).toEqual([]);
    expect(selectLruEvictionTargets(entries, 5)).toEqual([]);
  });
  it('evicts the least-recently-used beyond the cap', () => {
    // oldest first: c (300ms ago) is LRU, then a (100ms), then b (10ms).
    const entries = [entry('a:x', 100), entry('b:y', 10), entry('c:z', 300)];
    expect(selectLruEvictionTargets(entries, 2)).toEqual(['c:z']);
  });
  it('evicts multiple LRU entries to reach the cap', () => {
    const entries = [
      entry('a:x', 100),
      entry('b:y', 10),
      entry('c:z', 300),
      entry('d:w', 200),
    ];
    // cap 1: must remove 3, oldest-first c(300), d(200), a(100).
    expect(selectLruEvictionTargets(entries, 1)).toEqual(['c:z', 'd:w', 'a:x']);
  });
  it('never evicts a busy entry even if it is the LRU', () => {
    // c is LRU but busy → it cannot be evicted; fall to the next-oldest (a).
    const entries = [entry('a:x', 100), entry('b:y', 10), entry('c:z', 300, true)];
    expect(selectLruEvictionTargets(entries, 2)).toEqual(['a:x']);
  });
  it('can transiently exceed the cap when too many are busy', () => {
    // cap 1, but both old entries busy → only the single idle one is evictable.
    const entries = [entry('a:x', 100, true), entry('c:z', 300, true), entry('b:y', 10)];
    expect(selectLruEvictionTargets(entries, 1)).toEqual(['b:y']);
  });
  it('uses the default cap when omitted', () => {
    const entries = Array.from({ length: DEFAULT_MAX_LIVE_BACKENDS + 1 }, (_, i) =>
      entry(`k${String(i).padStart(2, '0')}:a`, (i + 1) * 1000),
    );
    const evicted = selectLruEvictionTargets(entries);
    // exactly one over the default cap → evict the single LRU (largest age).
    expect(evicted).toHaveLength(1);
    expect(evicted[0]).toBe(`k${String(DEFAULT_MAX_LIVE_BACKENDS).padStart(2, '0')}:a`);
  });
 });
 describe('decideRestart (3.2, busy-aware)', () => {
  const base = {
    consecutiveFailures: 0,
    busy: false,
    unhealthyBusySince: 0,
    now: NOW,
    failureThreshold: 3,
    staleBusyGraceMs: 120_000,
  };
  it('does nothing when healthy', () => {
    expect(decideRestart({ ...base, processExited: false, healthy: true }))
      .toEqual({ action: 'none', reason: 'healthy' });
  });
  it('restarts immediately when the process exited', () => {
    expect(decideRestart({ ...base, processExited: true, busy: true }))
      .toEqual({ action: 'restart', reason: 'process-exited' });
  });
  it('waits below the failure threshold', () => {
    expect(decideRestart({ ...base, processExited: false, consecutiveFailures: 2 }))
      .toEqual({ action: 'wait', reason: 'below-threshold' });
  });
  it('restarts at the threshold when idle', () => {
    expect(decideRestart({ ...base, processExited: false, consecutiveFailures: 3 }))
      .toEqual({ action: 'restart', reason: 'threshold' });
  });
  it('defers a restart while busy within the grace window', () => {
    expect(decideRestart({
      ...base, processExited: false, consecutiveFailures: 5, busy: true,
      unhealthyBusySince: NOW - 1_000,
    })).toEqual({ action: 'wait', reason: 'busy-grace' });
  });
  it('force-restarts a busy backend after the stale-busy grace', () => {
    expect(decideRestart({
      ...base, processExited: false, consecutiveFailures: 5, busy: true,
      unhealthyBusySince: NOW - 120_001,
    })).toEqual({ action: 'restart', reason: 'stale-busy-grace' });
  });
  it('waits (busy-grace) when busy + threshold but the window just started', () => {
    // unhealthyBusySince === 0 means the caller is about to stamp it this cycle.
    expect(decideRestart({
      ...base, processExited: false, consecutiveFailures: 5, busy: true,
      unhealthyBusySince: 0,
    })).toEqual({ action: 'wait', reason: 'busy-grace' });
  });
 });
 describe('selectOrphanWorktreeTargets (3.4)', () => {
  it('skips dirs tracked by a live worktrees row', () => {
    const onDisk = [{ path: '/wt/sess-a', mtimeMs: NOW - 10_000_000 }];
    expect(selectOrphanWorktreeTargets(onDisk, new Set(['/wt/sess-a']), NOW, 1000)).toEqual([]);
  });
  it('reaps an untracked dir older than the grace', () => {
    const onDisk = [{ path: '/wt/sess-orphan', mtimeMs: NOW - 5000 }];
    expect(selectOrphanWorktreeTargets(onDisk, new Set(), NOW, 1000)).toEqual(['/wt/sess-orphan']);
  });
  it('never reaps a dir younger than the grace (mid-create race)', () => {
    const onDisk = [{ path: '/wt/sess-fresh', mtimeMs: NOW - 500 }];
    expect(selectOrphanWorktreeTargets(onDisk, new Set(), NOW, 1000)).toEqual([]);
  });
  it('mixes tracked, fresh, and orphaned correctly', () => {
    const onDisk = [
      { path: '/wt/sess-live', mtimeMs: NOW - 10_000 },
      { path: '/wt/sess-fresh', mtimeMs: NOW - 100 },
      { path: '/wt/sess-orphan', mtimeMs: NOW - 10_000 },
    ];
    expect(selectOrphanWorktreeTargets(onDisk, new Set(['/wt/sess-live']), NOW, 1000))
      .toEqual(['/wt/sess-orphan']);
  });
 });
--- a/apps/coder/src/services/backends/tests/opencode-usage.test.ts
+++ b/apps/coder/src/services/backends/tests/opencode-usage.test.ts
@@ -0,0 +1,51 @@
 import { describe, it, expect } from 'vitest';
 import { stepEndedToUsage } from '../opencode-usage.js';
 describe('stepEndedToUsage (U.6)', () => {
  it('folds cache read+write into input and reasoning into output', () => {
    const u = stepEndedToUsage({
      cost: 0.0123,
      tokens: { input: 100, output: 50, reasoning: 20, cache: { read: 10, write: 5 } },
    });
    expect(u).toEqual({ input: 115, output: 70, cost: 0.0123 });
  });
  it('handles a step with no cache and no reasoning', () => {
    const u = stepEndedToUsage({
      cost: 0,
      tokens: { input: 8, output: 4, reasoning: 0, cache: { read: 0, write: 0 } },
    });
    expect(u).toEqual({ input: 8, output: 4, cost: 0 });
  });
  it('is defensive against a missing tokens block', () => {
    const u = stepEndedToUsage({ cost: 0.5 } as never);
    expect(u).toEqual({ input: 0, output: 0, cost: 0.5 });
  });
  it('is defensive against undefined props', () => {
    expect(stepEndedToUsage(undefined)).toEqual({ input: 0, output: 0, cost: 0 });
  });
  it('drops NaN / negative noise to zero rather than poisoning the accumulated total', () => {
    const u = stepEndedToUsage({
      cost: Number.NaN,
      tokens: {
        input: -5,
        output: Number.NaN,
        reasoning: 3,
        cache: { read: Number.POSITIVE_INFINITY, write: 2 },
      },
    });
    // input: (-5→0) + (Inf→0) + 2 = 2; output: (NaN→0) + 3 = 3; cost: NaN→0
    expect(u).toEqual({ input: 2, output: 3, cost: 0 });
  });
  it('rounds fractional token counts', () => {
    const u = stepEndedToUsage({
      cost: 1.5,
      tokens: { input: 10.6, output: 4.4, reasoning: 0, cache: { read: 0, write: 0 } },
    });
    expect(u).toEqual({ input: 11, output: 4, cost: 1.5 });
  });
 });
--- a/apps/coder/src/services/backends/tests/turn-guard.test.ts
+++ b/apps/coder/src/services/backends/tests/turn-guard.test.ts
@@ -0,0 +1,34 @@
 import { describe, it, expect } from 'vitest';
 import {
  armAbortGuard,
  noteTurnActivity,
  consumeTerminal,
  type AbortTerminalGuard,
 } from '../turn-guard.js';
 describe('post-abort terminal guard (F.1)', () => {
  it('swallows the orphan terminal that follows an abort, then settles the next real one', () => {
    // Reproduces the v2.6.5 Stop-button bug: abort turn A, then opencode emits a
    // trailing session.idle for A. That orphan must NOT settle the next turn.
    const g: AbortTerminalGuard = { swallowNextTerminal: false };
    armAbortGuard(g); // user aborts turn A
    expect(consumeTerminal(g)).toBe('swallow'); // opencode's orphan idle for A → dropped
    expect(consumeTerminal(g)).toBe('settle'); // turn B's real idle → settles B
  });
  it('settles a terminal when no abort happened', () => {
    const g: AbortTerminalGuard = { swallowNextTerminal: false };
    expect(consumeTerminal(g)).toBe('settle');
  });
  it('self-heals if the orphan never arrives: new-turn activity clears the guard', () => {
    // If opencode emits no orphan idle (e.g. abort-before-prompt), the next turn's
    // real terminal must still settle rather than being swallowed forever.
    const g: AbortTerminalGuard = { swallowNextTerminal: false };
    armAbortGuard(g); // abort A, but no orphan idle arrives
    noteTurnActivity(g); // turn B produces its first delta
    expect(consumeTerminal(g)).toBe('settle'); // turn B's idle settles, not swallowed
  });
 });
--- a/apps/coder/src/services/backends/tests/warm-acp-routing.test.ts
+++ b/apps/coder/src/services/backends/tests/warm-acp-routing.test.ts
@@ -0,0 +1,59 @@
 import { describe, it, expect } from 'vitest';
 import { shouldUseWarmBackend, isTurnOkForStopReason } from '../warm-acp-routing.js';
 /**
 * Phase 2 routing predicate: which goose/qwen tasks go to the warm pool backend
 * vs the existing one-shot ACP path.
 *
 * The warm backend is keyed (chat_id, agent) — the persistent context unit (same
 * as opencode-server). A task only routes warm when it carries BOTH a session_id
 * and a chat_id, i.e. it originates from a real chat tab (the coder message route
 * stamps both). Session-less creators (arena, MCP-created, generic /api/tasks,
 * new_task) lack chat_id/session_id and keep the one-shot worktree-per-task path,
 * which never spawns a warm process.
 */
 describe('shouldUseWarmBackend (Phase 2 routing)', () => {
  it('routes a chat-tab task (session_id + chat_id) to the warm backend', () => {
    expect(shouldUseWarmBackend({ agent: 'qwen', session_id: 's1', chat_id: 'c1' })).toBe(true);
    expect(shouldUseWarmBackend({ agent: 'goose', session_id: 's1', chat_id: 'c1' })).toBe(true);
  });
  it('keeps a session-less arena/MCP task on the one-shot path', () => {
    expect(shouldUseWarmBackend({ agent: 'qwen', session_id: null, chat_id: null })).toBe(false);
  });
  it('keeps a task with a session but no chat on the one-shot path', () => {
    // chat_id is the warm-key half; without it ensureSession would get a degenerate
    // (null, agent) key, so fall back to one-shot rather than synthesize a chat.
    expect(shouldUseWarmBackend({ agent: 'goose', session_id: 's1', chat_id: null })).toBe(false);
  });
  it('keeps a task with a chat but no session on the one-shot path', () => {
    expect(shouldUseWarmBackend({ agent: 'qwen', session_id: null, chat_id: 'c1' })).toBe(false);
  });
  it('only applies to warm-capable agents (goose, qwen); others never warm here', () => {
    // opencode has its own dedicated warm path; native/claude/etc. are not ACP-warm.
    expect(shouldUseWarmBackend({ agent: 'opencode', session_id: 's1', chat_id: 'c1' })).toBe(false);
    expect(shouldUseWarmBackend({ agent: 'claude', session_id: 's1', chat_id: 'c1' })).toBe(false);
    expect(shouldUseWarmBackend({ agent: null, session_id: 's1', chat_id: 'c1' })).toBe(false);
  });
 });
 describe('isTurnOkForStopReason (ACP stop-reason → ok/fail)', () => {
  it('treats normal completions as ok', () => {
    expect(isTurnOkForStopReason('end_turn')).toBe(true);
    expect(isTurnOkForStopReason('max_tokens')).toBe(true);
    expect(isTurnOkForStopReason('max_turn_requests')).toBe(true);
  });
  it('treats refusal and cancelled as failures', () => {
    expect(isTurnOkForStopReason('refusal')).toBe(false);
    expect(isTurnOkForStopReason('cancelled')).toBe(false);
  });
  it('defaults an absent stop reason to a successful end_turn', () => {
    expect(isTurnOkForStopReason(undefined)).toBe(true);
    expect(isTurnOkForStopReason(null)).toBe(true);
  });
 });
--- a/apps/coder/src/services/backends/lifecycle-decisions.ts
+++ b/apps/coder/src/services/backends/lifecycle-decisions.ts
@@ -0,0 +1,197 @@
 /**
 * v2.6 Phase 3 — pure lifecycle decision helpers.
 *
 * The eviction / LRU-cap / busy-aware-restart / reaper-target logic, factored out
 * of AgentPool + the backends + the periodic sweeper so it's unit-testable with no
 * DB, no child processes, no timers (modeled on
 * apps/server/src/services/inference/prune.ts:selectPruneTargets — a pure decision
 * core the caller acts on).
 *
 * Three decisions live here:
 *   1. selectIdleEvictionTargets — which warm backends to evict for being idle.
 *   2. selectLruEvictionTargets — which warm backends to evict to honour a max-live
 *      cap (least-recently-used beyond the cap), NEVER a busy one.
 *   3. shouldRestartCrashedBackend (busy-aware) — openchamber's skip-while-busy +
 *      stale-grace state machine, re-implemented for BooCode's per-(chat,agent) pool.
 *
 * "Busy" = the backend has an in-flight turn. The hard rule (design §6, decisions):
 * never evict or force-restart a busy backend; defer with a stale-grace.
 */
 // ─── Idle TTL eviction (3.1) ─────────────────────────────────────────────────
 /** Default idle TTL before a warm backend/session is evicted (design §6 ~30 min). */
 export const DEFAULT_IDLE_TTL_MS = 30 * 60 * 1000;
 /** A pool entry as the decision helpers see it (no backend internals). */
 export interface PoolEntrySnapshot {
  /** Pool key `${primary}:${agent}` — opaque to the decision, used for selection. */
  key: string;
  /** Epoch ms of the last turn activity (start or settle) on this backend. */
  lastActiveAt: number;
  /** True iff a turn is in flight right now. Busy entries are never evicted. */
  busy: boolean;
 }
 /**
 * Idle eviction: an entry is evictable when it has been idle (no turn) for longer
 * than `ttlMs` AND is not currently busy. Returns the keys to evict.
 *
 * Pure: `now` is injected so tests don't depend on wall-clock. Busy entries are
 * categorically excluded — a long-running turn that exceeds the TTL must NOT be
 * torn down mid-stream (the §6 / openchamber busy rule).
 */
 export function selectIdleEvictionTargets(
  entries: ReadonlyArray<PoolEntrySnapshot>,
  now: number,
  ttlMs: number = DEFAULT_IDLE_TTL_MS,
 ): string[] {
  const out: string[] = [];
  for (const e of entries) {
    if (e.busy) continue;
    if (now - e.lastActiveAt >= ttlMs) out.push(e.key);
  }
  return out;
 }
 // ─── LRU cap (3.4) ───────────────────────────────────────────────────────────
 /** Default max live warm backends/worktrees before the LRU cap evicts (env-overridable). */
 export const DEFAULT_MAX_LIVE_BACKENDS = 10;
 /**
 * LRU cap: when more than `cap` non-busy entries are live, evict the
 * least-recently-used ones (oldest `lastActiveAt` first) until at most `cap`
 * remain. Busy entries are never evicted AND are not counted toward the cap's
 * "kept" budget being freed — i.e. we only ever evict idle entries, so a burst of
 * concurrent busy turns can transiently exceed the cap rather than kill live work.
 *
 * Returns the keys to evict, least-recently-used first. Pure / deterministic:
 * ties broken by key for stable test output.
 */
 export function selectLruEvictionTargets(
  entries: ReadonlyArray<PoolEntrySnapshot>,
  cap: number = DEFAULT_MAX_LIVE_BACKENDS,
 ): string[] {
  if (cap < 0) cap = 0;
  if (entries.length <= cap) return [];
  // Only idle entries are eligible to be evicted.
  const evictable = entries
    .filter((e) => !e.busy)
    .sort((a, b) => a.lastActiveAt - b.lastActiveAt || (a.key < b.key ? -1 : a.key > b.key ? 1 : 0));
  // We must shrink total live count down to `cap`. Busy entries can't be evicted,
  // so the number we CAN remove is bounded by the evictable pool; evict the oldest
  // (total - cap) of them, never more than exist.
  const overBy = entries.length - cap;
  const toEvict = evictable.slice(0, Math.max(0, overBy));
  return toEvict.map((e) => e.key);
 }
 // ─── Busy-aware crash restart (3.2) — openchamber lift ───────────────────────
 /**
 * Default grace after which a backend that has stayed unhealthy WHILE busy is
 * force-restarted anyway (openchamber's STALE_BUSY_GRACE_MS = 2 min). Guards
 * against a permanently-stuck "busy" turn wedging recovery forever.
 */
 export const DEFAULT_STALE_BUSY_GRACE_MS = 2 * 60 * 1000;
 /** Default consecutive health-check failures before a restart is attempted. */
 export const DEFAULT_HEALTH_FAILURE_THRESHOLD = 3;
 export interface RestartDecisionInput {
  /** True iff the process is actually dead (exited). A dead process restarts
   *  immediately regardless of busy/threshold — there's nothing to protect. */
  processExited: boolean;
  /** Consecutive failed health probes so far (including the current one). */
  consecutiveFailures: number;
  /** Whether the backend currently has an in-flight turn. */
  busy: boolean;
  /** Epoch ms when the unhealthy-while-busy window started, or 0 if not in one. */
  unhealthyBusySince: number;
  /** Injected clock. */
  now: number;
  failureThreshold?: number;
  staleBusyGraceMs?: number;
 }
 export type RestartDecision =
  | { action: 'restart'; reason: 'process-exited' | 'threshold' | 'stale-busy-grace' }
  | { action: 'wait'; reason: 'below-threshold' | 'busy-grace' }
  | { action: 'none'; reason: 'healthy' };
 /**
 * Decide whether to restart a backend after a health probe. Mirrors
 * openchamber's `runHealthCheckCycle` + `shouldSkipRestartForBusySessions`,
 * re-implemented as a pure function over injected state (the caller owns the
 * mutable counters + the actual restart side-effect).
 *
 * Order (matches openchamber):
 *   - process exited            → restart now (nothing live to protect).
 *   - below failure threshold   → wait (transient blip; the next probe re-checks).
 *   - threshold reached + idle   → restart now.
 *   - threshold reached + busy   → skip UNLESS the unhealthy-busy window exceeded
 *                                  the stale grace, then force restart.
 *
 * `healthy: true` callers don't reach here; included for completeness so the
 * caller can pass through and reset counters on a single code path.
 */
 export function decideRestart(input: RestartDecisionInput & { healthy?: boolean }): RestartDecision {
  if (input.healthy) return { action: 'none', reason: 'healthy' };
  if (input.processExited) return { action: 'restart', reason: 'process-exited' };
  const threshold = input.failureThreshold ?? DEFAULT_HEALTH_FAILURE_THRESHOLD;
  if (input.consecutiveFailures < threshold) {
    return { action: 'wait', reason: 'below-threshold' };
  }
  if (!input.busy) {
    return { action: 'restart', reason: 'threshold' };
  }
  // Busy + unhealthy at/over threshold: defer, but not forever.
  const grace = input.staleBusyGraceMs ?? DEFAULT_STALE_BUSY_GRACE_MS;
  if (input.unhealthyBusySince > 0 && input.now - input.unhealthyBusySince >= grace) {
    return { action: 'restart', reason: 'stale-busy-grace' };
  }
  return { action: 'wait', reason: 'busy-grace' };
 }
 // ─── Orphan worktree reaper target selection (3.4) ───────────────────────────
 /** Default TTL: an on-disk worktree dir with no live `worktrees` row is reaped
 *  only after it's been orphaned at least this long (mtime-based grace so a
 *  just-created dir mid-`ensureSessionWorktree` race is never swept). */
 export const DEFAULT_ORPHAN_WORKTREE_GRACE_MS = 60 * 60 * 1000; // 1h
 export interface OnDiskWorktree {
  /** Absolute path of the worktree dir on disk. */
  path: string;
  /** Last-modified epoch ms of the dir (newest of dir + contents, caller's choice). */
  mtimeMs: number;
 }
 /**
 * Reaper target selection: which on-disk worktree dirs are orphans safe to
 * inspect-and-reap. An orphan is a dir under the worktree base that has NO live
 * `worktrees` row (path not in `liveWorktreePaths`) AND whose mtime is older than
 * the grace window (so an in-flight create isn't swept).
 *
 * Pure — the caller (the sweeper) then runs the at-risk preflight (dirty/unpushed)
 * on each returned path and only physically removes the SAFE ones. This helper
 * never decides to remove work-at-risk; it only narrows the candidate set.
 */
 export function selectOrphanWorktreeTargets(
  onDisk: ReadonlyArray<OnDiskWorktree>,
  liveWorktreePaths: ReadonlySet<string>,
  now: number,
  graceMs: number = DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
 ): string[] {
  const out: string[] = [];
  for (const w of onDisk) {
    if (liveWorktreePaths.has(w.path)) continue; // tracked → not an orphan
    if (now - w.mtimeMs < graceMs) continue; // too fresh → could be mid-create
    out.push(w.path);
  }
  return out;
 }
--- a/apps/coder/src/services/backends/opencode-server.ts
+++ b/apps/coder/src/services/backends/opencode-server.ts
@@ -21,9 +21,9 @@
 *   - promptAsync is fire-and-forget (204); the turn completes via a
 *     'session.idle' event for that opencode session id.
 */
-import { spawn, type ChildProcess } from 'node:child_process';
+import { spawn, spawnSync, type ChildProcess } from 'node:child_process';
 import { createHash } from 'node:crypto';
-import { createServer } from 'node:net';
+import { createServer, connect as netConnect } from 'node:net';
 import type { FastifyBaseLogger } from 'fastify';
 import {
  createOpencodeClient,
@@ -37,6 +37,9 @@ import {
 import type { ToolCallStatus } from '@agentclientprotocol/sdk';
 import type { Sql } from '../../db.js';
 import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
 import { armAbortGuard, noteTurnActivity, consumeTerminal } from './turn-guard.js';
 import { stepEndedToUsage, type StepUsage } from './opencode-usage.js';
 import { decideRestart, DEFAULT_HEALTH_FAILURE_THRESHOLD } from './lifecycle-decisions.js';
 import type {
  AgentBackend,
  AgentEvent,
@@ -78,6 +81,9 @@ interface SessionState {
  /** Per-session SSE subscription handle. Non-null while the loop is running;
   *  aborting it tears down the underlying fetch and exits the loop. */
  sseAbort: AbortController | null;
  /** F.1 post-abort orphan-terminal guard: swallow the one session.idle/error
   *  opencode emits for an aborted turn so it can't settle the next turn. */
  swallowNextTerminal: boolean;
 }
 export interface OpenCodeServerBackendDeps {
@@ -99,6 +105,11 @@ export class OpenCodeServerBackend implements AgentBackend {
  private port: number | null = null;
  private up = false;
  private serverStarting: Promise<void> | null = null;
  // Phase 3 busy-aware health monitor (openchamber lift): consecutive failed
  // probes + the start of an unhealthy-while-busy window feed `decideRestart`.
  private consecutiveHealthFailures = 0;
  private unhealthyBusySince = 0;
  private restarting: Promise<void> | null = null;
  /** opencode session id → demux state. Maintained by ensureSession; read by the SSE loop. */
  private readonly byOpencodeId = new Map<string, SessionState>();
@@ -114,11 +125,30 @@ export class OpenCodeServerBackend implements AgentBackend {
    return this.up ? 'up' : 'down';
  }
-  // ─── Server lifecycle (1.2: spawn once + client + ready) ─────────────────────
+  /** Phase 3: busy iff ANY pooled opencode session has an in-flight turn. The
   *  pool reads this to skip idle/LRU eviction and the health-monitor to defer a
   *  restart (never tear down a session mid-stream). */
  isBusy(): boolean {
    for (const st of this.byOpencodeId.values()) {
      if (st.activeTurn) return true;
    }
    return false;
  }
-  /** Lazy: start the single server on first use. Idempotent — one server per backend. */
+  // ─── Server lifecycle (1.2: spawn once + client + ready; Phase 3 crash-restart) ──
  /**
   * Lazy: start the single server on first use; re-spawn after a crash. Idempotent
   * within one live server — `serverStarting` caches the in-flight start, and is
   * reset to null by the crash handler so the NEXT ensureServer re-spawns a fresh
   * server (Phase 3 crash recovery). A dead-but-not-yet-reaped child (exit handler
   * raced) is also treated as needing a restart.
   */
  private ensureServer(): Promise<void> {
-    if (!this.serverStarting) this.serverStarting = this.startServer();
+    const childDead = this.child != null && (this.child.exitCode !== null || this.child.signalCode !== null);
    if (!this.serverStarting || (!this.up && childDead)) {
      this.serverStarting = this.startServer();
    }
    return this.serverStarting;
  }
@@ -138,11 +168,15 @@ export class OpenCodeServerBackend implements AgentBackend {
    this.port = port;
    // Child lifetime is the backend's (the pool's), NOT a request's. We never tie
-    // it to a per-turn abort signal. On unexpected exit we mark down + log; crash
+    // it to a per-turn abort signal. Phase 3: on unexpected exit we recover —
-    // recovery is Phase 3.
+    // settle any in-flight turns as failed, mark their agent_sessions rows crashed,
    // and reset `serverStarting` so the next ensureServer re-spawns. opencode keeps
    // sessions on disk, but a fresh server's in-memory state is gone, so the next
    // turn's ensureSession (rows now 'crashed') creates fresh opencode sessions.
    child.on('exit', (code, signal) => {
-      this.up = false;
+      // Only react to THIS child's exit (a restart may have swapped in a new one).
-      this.log.warn({ code, signal, port }, 'opencode-server: child exited (recovery is Phase 3)');
+      if (this.child !== child) return;
      this.handleServerCrash(code, signal, port);
    });
    await waitForReady(child, READY_TIMEOUT_MS);
@@ -152,6 +186,136 @@ export class OpenCodeServerBackend implements AgentBackend {
    this.log.info({ port }, 'opencode-server: ready');
  }
  /**
   * Crash handler (Phase 3, lift of openchamber's restart-on-exit path). The
   * server died with N live opencode sessions; we can't restart it here (the next
   * turn does, lazily — avoids a restart storm if the binary is broken). We:
   *   1. fail every in-flight turn so its dispatcher unblocks + publishes an error,
   *   2. mark each session's agent_sessions row 'crashed' so ensureSession won't
   *      resume a now-dead native session id (it creates fresh),
   *   3. tear down the SSE loops + demux state (stale against the dead server),
   *   4. reclaim the port + reset state so the next ensureServer re-spawns.
   */
  private handleServerCrash(code: number | null, signal: NodeJS.Signals | null, port: number): void {
    this.up = false;
    const states = [...this.byOpencodeId.values()];
    this.log.warn(
      { code, signal, port, liveSessions: states.length },
      'opencode-server: child exited — recovering (fail in-flight, mark crashed, re-spawn next turn)',
    );
    const crashedIds: string[] = [];
    for (const st of states) {
      st.sseAbort?.abort();
      if (st.activeTurn) {
        st.activeTurn.settle({ ok: false, error: 'opencode server crashed mid-turn' });
        st.activeTurn = null;
      }
      if (st.watchdog) {
        clearTimeout(st.watchdog);
        st.watchdog = null;
      }
      crashedIds.push(st.agentSessionId);
    }
    // Drop the demux map: every session id is stale against a fresh server.
    this.byOpencodeId.clear();
    this.client = null;
    this.serverStarting = null; // force a re-spawn on the next ensureServer
    if (crashedIds.length > 0) {
      this.sql`
        UPDATE agent_sessions SET status = 'crashed'
        WHERE agent_session_id = ANY(${crashedIds}) AND status <> 'closed'
      `.catch((err) => {
        this.log.warn({ err: errMsg(err) }, 'opencode-server: failed to mark crashed sessions (non-fatal)');
      });
    }
    // Reclaim the port so a re-spawn on a fixed/leaked port isn't blocked. Best
    // effort; the next start uses a fresh ephemeral port anyway.
    reclaimPort(port);
  }
  /**
   * Phase 3 proactive health monitor (openchamber `runHealthCheckCycle` lift,
   * busy-aware). Probes the server's /global/health; on a sustained failure of a
   * NON-busy server, force a restart so the next turn isn't blocked by a wedged
   * (hung-but-not-exited) process. Busy servers are deferred via the stale-grace in
   * `decideRestart` — never tear down live work. Driven by the pool's periodic
   * sweep (best-effort; a crash-exit is already handled by `handleServerCrash` +
   * lazy `ensureServer` re-spawn, so this only catches the hung case). No-op when
   * the server was never started or a restart is already in flight.
   */
  async tickHealth(now: number = Date.now()): Promise<void> {
    if (!this.child || this.restarting) return;
    const childExited = this.child.exitCode !== null || this.child.signalCode !== null;
    // An exited child is recovered lazily by ensureServer; don't double-restart it.
    if (childExited) return;
    const healthy = await this.probeHealth();
    if (healthy) {
      this.consecutiveHealthFailures = 0;
      this.unhealthyBusySince = 0;
      return;
    }
    this.consecutiveHealthFailures += 1;
    const busy = this.isBusy();
    const decision = decideRestart({
      processExited: false,
      consecutiveFailures: this.consecutiveHealthFailures,
      busy,
      unhealthyBusySince: this.unhealthyBusySince,
      now,
      failureThreshold: DEFAULT_HEALTH_FAILURE_THRESHOLD,
    });
    // Stamp the start of an unhealthy-while-busy window so the stale-grace can fire.
    if (busy && this.unhealthyBusySince === 0) this.unhealthyBusySince = now;
    if (decision.action === 'restart') {
      this.log.warn(
        { failures: this.consecutiveHealthFailures, busy, reason: decision.reason },
        'opencode-server: health monitor forcing restart',
      );
      this.consecutiveHealthFailures = 0;
      this.unhealthyBusySince = 0;
      await this.restartServer();
    }
  }
  private async probeHealth(): Promise<boolean> {
    if (!this.client) return false;
    try {
      const res = await this.client.global.health();
      return !res.error;
    } catch {
      return false;
    }
  }
  /** Force-kill the current server + reclaim its port; the next ensureServer
   *  re-spawns (lazy). Mirrors handleServerCrash's state reset but is initiated by
   *  the health monitor rather than the OS. */
  private async restartServer(): Promise<void> {
    if (this.restarting) return this.restarting;
    this.restarting = (async () => {
      const child = this.child;
      const port = this.port;
      this.up = false;
      // Fail in-flight turns + mark sessions crashed via the same path as a crash.
      if (child) {
        this.handleServerCrash(null, null, port ?? 0);
        if (!child.killed) child.kill('SIGTERM');
      }
      if (port) {
        reclaimPort(port);
        await waitForPortRelease(port, 3_000);
      }
      this.child = null;
    })().finally(() => {
      this.restarting = null;
    });
    return this.restarting;
  }
  // ─── SSE read loop + demux + translate (1.3) + dedup (1.4) ───────────────────
  /** Per-session SSE subscription, scoped to the session's worktree directory.
@@ -278,6 +442,19 @@ export class OpenCodeServerBackend implements AgentBackend {
        st.activeTurn.onEvent({ type: 'tool_update', toolCall: snap });
        return;
      }
      // ─── per-step usage (U.6) — token/cost accounting for opencode sessions ──
      case 'session.next.step.ended': {
        const p = ev.properties;
        const st = this.byOpencodeId.get(p.sessionID);
        if (!st?.activeTurn) return;
        this.bumpActivity(st);
        // Accumulate this step's normalized usage onto the (chat_id, agent) row.
        // Fire-and-forget: a DB hiccup must not stall the turn. opencode emits this
        // once per LLM step, so a multi-tool turn sums several deltas.
        const usage = stepEndedToUsage(p);
        void this.accumulateUsage(st, usage);
        return;
      }
      // ─── message.part.* — terminal/post-hoc events (dedup gate) ────────────
      case 'message.part.delta': {
        const p = ev.properties;
@@ -305,13 +482,19 @@ export class OpenCodeServerBackend implements AgentBackend {
      }
      // ─── lifecycle ─────────────────────────────────────────────────────────
      case 'session.idle': {
-        this.byOpencodeId.get(ev.properties.sessionID)?.activeTurn?.settle({ ok: true });
+        const st = this.byOpencodeId.get(ev.properties.sessionID);
        if (!st) return;
        if (consumeTerminal(st) === 'swallow') return; // F.1: drop the post-abort orphan
        st.activeTurn?.settle({ ok: true });
        return;
      }
      case 'session.error': {
        const sid = ev.properties.sessionID;
        if (!sid) return;
-        this.byOpencodeId.get(sid)?.activeTurn?.settle({ ok: false, error: errToString(ev.properties.error) });
+        const st = this.byOpencodeId.get(sid);
        if (!st) return;
        if (consumeTerminal(st) === 'swallow') return; // F.1: drop the post-abort orphan
        st.activeTurn?.settle({ ok: false, error: errToString(ev.properties.error) });
        return;
      }
      default:
@@ -358,6 +541,8 @@ export class OpenCodeServerBackend implements AgentBackend {
  /** Reset the inactivity backstop on any event routed to a session's active turn. */
  private bumpActivity(st: SessionState): void {
    if (!st.activeTurn) return;
    // A live turn is producing → the post-abort orphan-terminal window is over.
    noteTurnActivity(st);
    if (st.watchdog) clearTimeout(st.watchdog);
    st.watchdog = setTimeout(() => {
      void this.onTurnStall(st);
@@ -416,6 +601,33 @@ export class OpenCodeServerBackend implements AgentBackend {
    }
  }
  // ─── per-step usage persistence (U.6) ────────────────────────────────────────
  /**
   * Accumulate one `session.next.step.ended`'s normalized usage onto the session's
   * agent_sessions row, keyed by the resumed `agent_session_id` (unique per active
   * row — the dispatcher's `(chat_id, agent)` lookup wrote it). Running totals for
   * the whole conversation context (not last-step). Zero-delta steps are skipped to
   * avoid a no-op write. Errors are swallowed: usage telemetry must never fail a turn.
   */
  private async accumulateUsage(st: SessionState, u: StepUsage): Promise<void> {
    if (u.input === 0 && u.output === 0 && u.cost === 0) return;
    try {
      await this.sql`
        UPDATE agent_sessions SET
          input_tokens = input_tokens + ${u.input},
          output_tokens = output_tokens + ${u.output},
          cost = cost + ${u.cost}
        WHERE agent_session_id = ${st.agentSessionId}
      `;
    } catch (err) {
      this.log.warn(
        { err: errMsg(err), agentSessionId: st.agentSessionId },
        'opencode-server: failed to persist step usage (non-fatal)',
      );
    }
  }
  // ─── ensureSession: create-or-resume against agent_sessions (1.5) ────────────
  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
@@ -490,6 +702,7 @@ export class OpenCodeServerBackend implements AgentBackend {
        activeTurn: null,
        watchdog: null,
        sseAbort: null,
        swallowNextTerminal: false,
      };
      this.byOpencodeId.set(ocSessionId, state);
    }
@@ -528,6 +741,7 @@ export class OpenCodeServerBackend implements AgentBackend {
        activeTurn: null,
        watchdog: null,
        sseAbort: null,
        swallowNextTerminal: false,
      };
      this.byOpencodeId.set(oc, state);
    }
@@ -561,6 +775,9 @@ export class OpenCodeServerBackend implements AgentBackend {
      const onAbort = () => {
        // Abort the turn only — never the server.
        client.session.abort({ sessionID: oc, directory: ctx.worktreePath }).catch(() => {});
        // F.1: opencode emits one trailing session.idle/error for the cancelled
        // turn — arm the guard so it's swallowed, not used to settle the next turn.
        armAbortGuard(session);
        settle({ ok: false, error: 'aborted' });
      };
@@ -698,6 +915,67 @@ function mapToolStatus(s: ToolState['status'] | undefined): ToolCallStatus | nul
  }
 }
 /**
 * Reclaim a loopback port a dead opencode child may still hold (lift of
 * openchamber `killProcessOnPort`). Best-effort, POSIX-only (`lsof`/`kill`); a
 * failure is harmless because the next spawn allocates a fresh ephemeral port.
 * Never kills this process. Synchronous + short-timeout so the crash handler
 * doesn't block.
 */
 function reclaimPort(port: number | null): void {
  if (!port || process.platform === 'win32') return;
  try {
    const res = spawnSync('lsof', ['-ti', `:${port}`], { encoding: 'utf8', timeout: 3_000, windowsHide: true });
    const out = res.stdout || '';
    const myPid = process.pid;
    for (const pidStr of out.split(/\s+/)) {
      const pid = parseInt(pidStr.trim(), 10);
      if (pid && pid !== myPid) {
        try {
          spawnSync('kill', ['-9', String(pid)], { stdio: 'ignore', timeout: 2_000 });
        } catch {
          // ignore — best effort
        }
      }
    }
  } catch {
    // lsof absent or failed — the fresh-ephemeral-port spawn doesn't need this.
  }
 }
 /**
 * Resolve true once nothing is listening on `port` (lift of openchamber
 * `waitForPortRelease`). Used before re-spawning on a fixed port; with ephemeral
 * ports it's a fast no-op. Probes 127.0.0.1; resolves false at the deadline.
 */
 function waitForPortRelease(port: number, timeoutMs: number): Promise<boolean> {
  const deadline = Date.now() + timeoutMs;
  return new Promise((resolve) => {
    const attempt = () => {
      const socket = netConnect({ port, host: '127.0.0.1' });
      let settled = false;
      const finish = (released: boolean) => {
        if (settled) return;
        settled = true;
        socket.removeAllListeners();
        socket.destroy();
        if (released || Date.now() >= deadline) {
          resolve(released);
          return;
        }
        setTimeout(attempt, 150);
      };
      socket.once('connect', () => finish(false));
      socket.once('error', (err: NodeJS.ErrnoException) => {
        if (err && (err.code === 'ECONNREFUSED' || err.code === 'EHOSTUNREACH')) finish(true);
        else finish(false);
      });
      socket.setTimeout(500, () => finish(true));
    };
    attempt();
  });
 }
 /** Bind-probe an ephemeral port on loopback. */
 function freePort(): Promise<number> {
  return new Promise((resolve, reject) => {
--- a/apps/coder/src/services/backends/opencode-usage.ts
+++ b/apps/coder/src/services/backends/opencode-usage.ts
@@ -0,0 +1,77 @@
 /**
 * v2.6 Phase 1-UX (U.6) — pure mapper for opencode's per-step usage event.
 *
 * opencode's warm server emits `session.next.step.ended` once per completed LLM
 * step (so a multi-tool turn fires it several times). Its `properties` carry the
 * step's token + cost accounting:
 *
 *   {
 *     timestamp: number;
 *     sessionID: string;
 *     finish: string;
 *     cost: number;                                  // USD for this step
 *     tokens: {
 *       input: number; output: number; reasoning: number;
 *       cache: { read: number; write: number };
 *     };
 *     snapshot?: string;
 *   }
 *
 * (Verified against @opencode-ai/sdk@1.15.12 — `EventSessionNextStepEnded` in
 * `dist/v2/gen/types.gen.d.ts`, a member of the `Event` union the SSE loop
 * switches on.)
 *
 * We normalize to the review's target slice `{input, output, cost}` (the
 * provider-agnostic `AgentUsage` shape lands later). cache read/write tokens are
 * folded into `input` so the persisted input count reflects the real context the
 * model billed for; reasoning tokens are folded into `output` since that's what
 * the provider counts them as for generation. This keeps the persisted totals a
 * faithful sum of what opencode reported, without inventing extra columns yet.
 */
 /** The `properties` shape of a `session.next.step.ended` event (subset we read). */
 export interface StepEndedProps {
  cost: number;
  tokens: {
    input: number;
    output: number;
    reasoning: number;
    cache: { read: number; write: number };
  };
 }
 /** Normalized per-step usage delta persisted onto the agent_sessions row. */
 export interface StepUsage {
  input: number;
  output: number;
  cost: number;
 }
 /** Coerce a possibly-missing/NaN number to a non-negative finite integer (tokens). */
 function n(v: unknown): number {
  const x = typeof v === 'number' ? v : Number(v);
  return Number.isFinite(x) && x > 0 ? Math.round(x) : 0;
 }
 /** Coerce a possibly-missing/NaN number to a non-negative finite float (cost USD). */
 function f(v: unknown): number {
  const x = typeof v === 'number' ? v : Number(v);
  return Number.isFinite(x) && x > 0 ? x : 0;
 }
 /**
 * Map a `session.next.step.ended` payload → the normalized `{input, output, cost}`
 * delta. Defensive against missing/partial token blocks (the wire is trusted but
 * we never want a NaN to poison the accumulated DB total). `input` folds in cache
 * read+write; `output` folds in reasoning.
 */
 export function stepEndedToUsage(props: Partial<StepEndedProps> | undefined): StepUsage {
  const t = props?.tokens;
  const cacheRead = n(t?.cache?.read);
  const cacheWrite = n(t?.cache?.write);
  return {
    input: n(t?.input) + cacheRead + cacheWrite,
    output: n(t?.output) + n(t?.reasoning),
    cost: f(props?.cost),
  };
 }
--- a/apps/coder/src/services/backends/turn-guard.ts
+++ b/apps/coder/src/services/backends/turn-guard.ts
@@ -0,0 +1,38 @@
 /**
 * Guard against opencode's post-abort "orphan" terminal event (F.1).
 *
 * When a turn is aborted (`client.session.abort`), opencode emits one trailing
 * `session.idle` / `session.error` for the cancelled turn. Without a guard that
 * orphan settles whatever turn currently holds the session slot — which, after
 * the user immediately sends another message, is the NEXT turn, settling it early
 * as success (the v2.6.5 Stop-button bug). opencode terminal events carry only a
 * `sessionID` (no turn id), so we can't match by id; instead we swallow exactly
 * one terminal per abort, and self-heal if that orphan never arrives.
 */
 export interface AbortTerminalGuard {
  /** True between an abort and the orphan terminal event that follows it. */
  swallowNextTerminal: boolean;
 }
 /** Arm on abort: the next terminal event for this session is the orphan. */
 export function armAbortGuard(g: AbortTerminalGuard): void {
  g.swallowNextTerminal = true;
 }
 /**
 * A new turn produced activity (delta) → the orphan window is over. Self-heals
 * the case where opencode emits no orphan idle (e.g. abort-before-prompt), so a
 * real terminal still settles instead of being swallowed forever.
 */
 export function noteTurnActivity(g: AbortTerminalGuard): void {
  g.swallowNextTerminal = false;
 }
 /** Decide a terminal (idle/error): swallow the post-abort orphan once, else settle. */
 export function consumeTerminal(g: AbortTerminalGuard): 'swallow' | 'settle' {
  if (g.swallowNextTerminal) {
    g.swallowNextTerminal = false;
    return 'swallow';
  }
  return 'settle';
 }
--- a/apps/coder/src/services/backends/warm-acp-routing.ts
+++ b/apps/coder/src/services/backends/warm-acp-routing.ts
@@ -0,0 +1,41 @@
 /**
 * v2.6 Phase 2 — warm-vs-one-shot routing predicate for goose/qwen.
 *
 * The warm ACP backend keys its persistent process + ACP session on (chat_id,
 * agent) — exactly like the opencode-server backend. A task therefore only routes
 * to the warm pool when it carries BOTH a `session_id` and a `chat_id`, i.e. it
 * came from a real chat tab (the coder message route + skills route stamp both).
 *
 * Session-less creators — arena contestants, MCP-created tasks, generic
 * `POST /api/tasks`, `new_task` — leave one or both null. Those keep the existing
 * one-shot worktree-per-task ACP path (`runExternalAgent`), which spawns a fresh
 * `goose acp` / `qwen --acp` per turn and never holds a warm process. Routing them
 * warm would either synthesize a degenerate (null, agent) key or create a chat per
 * arena contestant — neither is wanted, so they stay one-shot.
 *
 * Pure, so it's unit-testable; the dispatcher consumes it.
 */
 const WARM_CAPABLE_AGENTS = new Set(['goose', 'qwen']);
 export function shouldUseWarmBackend(task: {
  agent: string | null;
  session_id: string | null;
  chat_id: string | null;
 }): boolean {
  if (!task.agent || !WARM_CAPABLE_AGENTS.has(task.agent)) return false;
  return task.session_id != null && task.chat_id != null;
 }
 /**
 * Map an ACP prompt `stopReason` to the backend's ok/fail contract (TurnResult.ok).
 *
 * ACP's `StopReason` union includes normal completions (`end_turn`, `max_tokens`,
 * `max_turn_requests`) and abnormal ones (`refusal`, `cancelled`). Only the latter
 * two read as a failed turn; everything else (including an undefined/absent reason,
 * which we default to `end_turn`) is a successful completion. Pure so it's testable
 * independently of the warm process.
 */
 export function isTurnOkForStopReason(stopReason: string | null | undefined): boolean {
  const reason = stopReason ?? 'end_turn';
  return reason !== 'refusal' && reason !== 'cancelled';
 }
--- a/apps/coder/src/services/backends/warm-acp.ts
+++ b/apps/coder/src/services/backends/warm-acp.ts
@@ -0,0 +1,417 @@
 /**
 * v2.6 Phase 2 — WarmAcpBackend (goose, qwen).
 *
 * One persistent stdio process + ONE `ClientSideConnection` per (chat, agent),
 * `initialize` + `session/new` done ONCE, reused across every turn — the warm
 * analogue of the previous one-shot `acp-dispatch.ts` (which spawned/torn-down a
 * fresh `goose acp` / `qwen --acp` per turn). Mirrors Paseo's `SpawnedACPProcess`.
 *
 * Implements the Phase 0 `AgentBackend` interface (same contract as
 * `OpenCodeServerBackend`). Emits transport-agnostic `AgentEvent`s via the SHARED
 * `mapSessionUpdate` (reused verbatim from the one-shot stack); the dispatcher maps
 * those to WS frames + `persistExternalAgentTurn`, unchanged.
 *
 * Lifecycle decisions (design.md §2b / §10):
 *   - **Child lifetime is the pool's, not a request's.** Spawned once; never tied
 *     to a per-turn abort signal. Only the in-flight `prompt` gets `ctx.signal` —
 *     abort = ACP `session/cancel`, NOT killing the child.
 *   - **Per-turn abort** cancels the prompt on the warm connection so the SAME
 *     process serves the next turn.
 *   - **Crash** (child exit) marks `agent_sessions.status='crashed'` + logs; the
 *     next `ensureSession` re-spawns + re-`session/new` (Phase 3 hardens auto-restart).
 *   - **Resume across a process restart is NOT attempted in Phase 2.** goose ACP
 *     advertises no `loadSession`/`session.resume`; qwen does, but cross-restart
 *     resume is Phase 3. Within ONE live process the ACP session persists across
 *     turns (the whole point of "warm"); a restart re-`session/new` (memory loss
 *     across restart, accepted per §10). The agent's resume capabilities ARE
 *     probed and logged for forward-compat.
 *
 * Each WarmAcpBackend instance owns exactly one (chat, agent) — the dispatcher
 * pools them under `agentPool.register(chatId, agent, backend)`.
 *
 * SDK note (@agentclientprotocol/sdk@^0.22.1, cross-checked against the design's
 * `^0.14` worry): the resume method is the STABLE `resumeSession` (`session/resume`,
 * gated by `agentCapabilities.sessionCapabilities.resume`), NOT the `^0.14`
 * `unstable_resumeSession`. `loadSession` is gated by `agentCapabilities.loadSession`.
 */
 import { spawn, type ChildProcess } from 'node:child_process';
 import type { FastifyBaseLogger } from 'fastify';
 import {
  ClientSideConnection,
  type Client,
  type SessionNotification,
  type RequestPermissionRequest,
  type RequestPermissionResponse,
  type ReadTextFileRequest,
  type ReadTextFileResponse,
  type WriteTextFileRequest,
  type WriteTextFileResponse,
  type CreateTerminalRequest,
  type CreateTerminalResponse,
  type CreateElicitationRequest,
  type CreateElicitationResponse,
 } from '@agentclientprotocol/sdk';
 import type { Sql } from '../../db.js';
 import { resolveLaunchSpec } from '../acp-spawn.js';
 import { isTurnOkForStopReason } from './warm-acp-routing.js';
 import { getResolvedRegistry, type ResolvedProviderDef } from '../provider-config-registry.js';
 import { createAcpNdJsonStream } from '../acp-stream.js';
 import { mapSessionUpdate } from '../acp-event-map.js';
 import { readWorktreeTextFile, writeWorktreeTextFile } from '../acp-client-fs.js';
 import { waitForPermissionResponse, waitForElicitationResponse, cancelPendingPermission } from '../permission-waiter.js';
 import { type AcpToolSnapshot, synthesizeCanceledSnapshots } from '../acp-tool-snapshot.js';
 import type {
  AgentBackend,
  AgentEvent,
  AgentSessionHandle,
  EnsureSessionOpts,
  PromptCtx,
  TurnResult,
 } from '../agent-backend.js';
 /** State for one in-flight turn (only one at a time per backend — turns serialize). */
 interface TurnState {
  /** Per-turn task id, for routing permission prompts back to the UI. */
  taskId: string | undefined;
  /** BooCode session id for permission-waiter's broker frames. */
  sessionId: string;
  /** Per-turn mode id (autonomous-mode gate in permission-waiter). */
  modeId: string | undefined;
  onEvent: (e: AgentEvent) => void;
  /** Tool-call snapshot accumulator for this turn — merge across tool_call_update. */
  snapshots: Map<string, AcpToolSnapshot>;
 }
 export interface WarmAcpBackendDeps {
  sql: Sql;
  log: FastifyBaseLogger;
  /** The (chat, agent) this backend serves — its pool identity + DB key. */
  chatId: string;
  agent: string;
  /** Resolved binary for the agent (from available_agents.install_path), or null. */
  installPath: string | null;
  /** Optional override of the resolved registry def (defaults to a live lookup). */
  resolved?: ResolvedProviderDef;
 }
 export class WarmAcpBackend implements AgentBackend {
  readonly backend = 'acp_warm' as const;
  private readonly sql: Sql;
  private readonly log: FastifyBaseLogger;
  private readonly chatId: string;
  private readonly agent: string;
  private readonly installPath: string | null;
  private readonly resolvedOverride: ResolvedProviderDef | undefined;
  private child: ChildProcess | null = null;
  private connection: ClientSideConnection | null = null;
  /** The single ACP session id for this warm process; null until session/new. */
  private acpSessionId: string | null = null;
  private up = false;
  /** Idempotent spawn guard — one warm process per backend, started lazily. */
  private starting: Promise<void> | null = null;
  /** Resume capabilities probed at initialize, logged for forward-compat (Phase 3). */
  private supportsLoadSession = false;
  private supportsResumeSession = false;
  /** The current in-flight turn; the Client closures read it. Null between turns. */
  private activeTurn: TurnState | null = null;
  constructor(deps: WarmAcpBackendDeps) {
    this.sql = deps.sql;
    this.log = deps.log;
    this.chatId = deps.chatId;
    this.agent = deps.agent;
    this.installPath = deps.installPath;
    this.resolvedOverride = deps.resolved;
  }
  /** §2: liveness for the health endpoint + dispatcher fallback decision. */
  health(): 'up' | 'down' {
    return this.up ? 'up' : 'down';
  }
  /** Phase 3: busy iff this backend's single session has an in-flight turn. The
   *  pool reads this to skip idle/LRU eviction (never kill the child mid-prompt). */
  isBusy(): boolean {
    return this.activeTurn != null;
  }
  // ─── warm-process lifecycle (2.1 spawn + initialize + session/new ONCE) ───────
  /** Lazy: spawn the warm process on first use. Idempotent — one process per backend. */
  private ensureProcess(worktreePath: string): Promise<void> {
    if (this.up && this.connection && this.acpSessionId) return Promise.resolve();
    if (!this.starting) {
      this.starting = this.startProcess(worktreePath).catch((err) => {
        // Reset so a later ensureSession can retry the spawn after a failed start.
        this.starting = null;
        throw err;
      });
    }
    return this.starting;
  }
  private async startProcess(worktreePath: string): Promise<void> {
    const resolved = this.resolvedOverride ?? getResolvedRegistry().get(this.agent);
    const spec = resolved ? resolveLaunchSpec(resolved, this.installPath) : null;
    if (!spec) throw new Error(`warm-acp: agent '${this.agent}' does not support ACP (no launch spec)`);
    this.log.info({ agent: this.agent, chatId: this.chatId, binary: spec.binary, worktreePath }, 'warm-acp: spawning warm process');
    // Child lifetime is the pool's. NOT tied to any per-turn abort signal — only
    // the in-flight prompt is cancellable (via ACP session/cancel in prompt()).
    const child = spawn(spec.binary, spec.args, {
      cwd: worktreePath,
      stdio: ['pipe', 'pipe', 'pipe'],
      env: { ...process.env, ...spec.env },
    });
    this.child = child;
    // 2.3: supervise the child; react to its exit, never let a request scope kill it.
    child.on('exit', (code, signal) => {
      this.up = false;
      this.connection = null;
      this.acpSessionId = null;
      this.starting = null;
      this.log.warn({ agent: this.agent, chatId: this.chatId, code, signal }, 'warm-acp: warm process exited — marking crashed (rebuild on next turn)');
      void this.markCrashed();
    });
    // A spawn error (e.g. ENOENT) surfaces here, not as an exit.
    child.on('error', (err) => {
      this.up = false;
      this.log.error({ agent: this.agent, chatId: this.chatId, err: errMsg(err) }, 'warm-acp: warm process error');
    });
    const stream = createAcpNdJsonStream(child);
    const connection = new ClientSideConnection(() => this.buildClient(worktreePath), stream);
    const init = await connection.initialize({
      protocolVersion: 1,
      clientInfo: { name: 'boocoder', version: '2.6.0' },
      clientCapabilities: {},
    });
    const caps = init.agentCapabilities;
    this.supportsLoadSession = caps?.loadSession === true;
    this.supportsResumeSession = caps?.sessionCapabilities?.resume != null;
    const session = await connection.newSession({ cwd: worktreePath, mcpServers: [] });
    this.connection = connection;
    this.acpSessionId = session.sessionId;
    this.up = true;
    this.log.info(
      {
        agent: this.agent,
        chatId: this.chatId,
        acpSessionId: session.sessionId,
        loadSession: this.supportsLoadSession,
        resumeSession: this.supportsResumeSession,
      },
      'warm-acp: warm session ready',
    );
  }
  /** Build the ACP Client callbacks ONCE per connection. They read `this.activeTurn`
   *  so each turn's events/permissions route to the right place — exactly the
   *  opencode-server `activeTurn` pattern. Worktree-scoped FS like AcpStreamContext. */
  private buildClient(worktreePath: string): Client {
    return {
      sessionUpdate: async (params: SessionNotification): Promise<void> => {
        const turn = this.activeTurn;
        if (!turn) return; // between turns — drop (no orphan settles a future turn)
        for (const event of mapSessionUpdate(params, turn.snapshots)) {
          turn.onEvent(event);
        }
      },
      requestPermission: async (params: RequestPermissionRequest): Promise<RequestPermissionResponse> => {
        const turn = this.activeTurn;
        if (turn?.taskId) {
          // Route to the UI via the per-turn task id (same as the one-shot path).
          return waitForPermissionResponse(turn.taskId, turn.sessionId, this.agent, turn.modeId, params);
        }
        const firstOption = params.options[0];
        if (firstOption) return { outcome: { outcome: 'selected', optionId: firstOption.optionId } };
        return { outcome: { outcome: 'cancelled' } };
      },
      readTextFile: async (params: ReadTextFileRequest): Promise<ReadTextFileResponse> => {
        const content = await readWorktreeTextFile(worktreePath, params.path, params.line, params.limit);
        return { content };
      },
      writeTextFile: async (params: WriteTextFileRequest): Promise<WriteTextFileResponse> => {
        await writeWorktreeTextFile(worktreePath, params.path, params.content);
        return {};
      },
      createTerminal: async (_params: CreateTerminalRequest): Promise<CreateTerminalResponse> => {
        return { terminalId: 'noop' };
      },
      unstable_createElicitation: async (params: CreateElicitationRequest): Promise<CreateElicitationResponse> => {
        const turn = this.activeTurn;
        if (turn?.taskId) {
          return waitForElicitationResponse(turn.taskId, turn.sessionId, this.agent, turn.modeId, params);
        }
        return { action: 'decline' };
      },
    };
  }
  // ─── ensureSession: create-or-reuse the warm session (2.1) ───────────────────
  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
    await this.ensureProcess(opts.worktreePath);
    if (!this.acpSessionId) throw new Error('warm-acp: session not ready after ensureProcess');
    // P1.5-b: agent_sessions keys on (chat_id, agent). The ACP session id is the
    // resume handle WITHIN the live process; across a process restart it's stale,
    // so ensureProcess re-`session/new` and we upsert the fresh id here.
    await this.sql`
      INSERT INTO agent_sessions
        (chat_id, session_id, worktree_id, agent, backend, agent_session_id, server_port, status, last_active_at)
      VALUES
        (${opts.chatId}, ${sessionId}, ${opts.worktreeId}, ${opts.agent}, 'acp_warm', ${this.acpSessionId}, NULL, 'active', clock_timestamp())
      ON CONFLICT (chat_id, agent) DO UPDATE SET
        session_id = EXCLUDED.session_id,
        worktree_id = EXCLUDED.worktree_id,
        backend = 'acp_warm',
        agent_session_id = EXCLUDED.agent_session_id,
        server_port = NULL,
        status = 'active',
        last_active_at = clock_timestamp()
    `.catch((err) => {
      this.log.warn({ err: errMsg(err), chatId: opts.chatId, agent: opts.agent }, 'warm-acp: agent_sessions upsert failed (non-fatal)');
    });
    return {
      sessionId,
      agent: opts.agent,
      backend: 'acp_warm',
      chatId: opts.chatId,
      worktreeId: opts.worktreeId,
      agentSessionId: this.acpSessionId,
      serverPort: null,
    };
  }
  // ─── prompt: one turn on the warm connection (2.2) ───────────────────────────
  async prompt(handle: AgentSessionHandle, input: string, ctx: PromptCtx): Promise<TurnResult> {
    // The warm process may have crashed between ensureSession and here, or this
    // backend was rebuilt — re-establish before prompting.
    await this.ensureProcess(ctx.worktreePath);
    const connection = this.connection;
    const acpSessionId = this.acpSessionId;
    if (!connection || !acpSessionId) {
      return { ok: false, error: 'warm-acp: no live ACP connection' };
    }
    const snapshots = new Map<string, AcpToolSnapshot>();
    // taskId routes permission/elicitation prompts back to the UI. The dispatcher
    // passes it (plus mode) on the per-turn PromptCtx; permission-waiter keys on it.
    const turn: TurnState = {
      taskId: ctx.taskId,
      sessionId: handle.sessionId,
      modeId: ctx.modeId,
      onEvent: ctx.onEvent,
      snapshots,
    };
    this.activeTurn = turn;
    // Per-turn abort: cancel the in-flight prompt on the SAME connection — never
    // kill the child (that's the pool's lifetime). On cancel we also synthesize
    // 'canceled' updates for any still-running tool calls so the UI doesn't leave
    // them spinning (mirrors AcpStreamContext.markAborted).
    let aborted = false;
    const onAbort = () => {
      if (aborted) return;
      aborted = true;
      connection.cancel({ sessionId: acpSessionId }).catch(() => {});
      if (ctx.taskId) cancelPendingPermission(ctx.taskId);
      for (const snap of synthesizeCanceledSnapshots(snapshots.values())) {
        snapshots.set(snap.toolCallId, snap);
        ctx.onEvent({ type: 'tool_update', toolCall: snap });
      }
    };
    if (ctx.signal.aborted) {
      this.activeTurn = null;
      return { ok: false, error: 'aborted' };
    }
    ctx.signal.addEventListener('abort', onAbort, { once: true });
    try {
      const result = await connection.prompt({
        sessionId: acpSessionId,
        prompt: [{ type: 'text', text: input }],
      });
      if (aborted) return { ok: false, error: 'aborted' };
      const stopReason = result.stopReason ?? 'end_turn';
      return isTurnOkForStopReason(stopReason)
        ? { ok: true }
        : { ok: false, error: `stop_reason: ${stopReason}` };
    } catch (err) {
      if (aborted) return { ok: false, error: 'aborted' };
      return { ok: false, error: errMsg(err) };
    } finally {
      ctx.signal.removeEventListener('abort', onAbort);
      this.activeTurn = null;
      await this.sql`
        UPDATE agent_sessions SET status = 'idle', last_active_at = clock_timestamp()
        WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
      `.catch(() => {});
    }
  }
  // ─── teardown ────────────────────────────────────────────────────────────────
  async closeSession(handle: AgentSessionHandle): Promise<void> {
    // Gracefully close the ACP session if the agent supports it; then kill the child.
    if (this.connection && this.acpSessionId) {
      await this.connection.closeSession({ sessionId: this.acpSessionId }).catch(() => {});
    }
    await this.killChild();
    await this.sql`
      UPDATE agent_sessions SET status = 'closed'
      WHERE chat_id = ${handle.chatId} AND agent = ${handle.agent}
    `.catch(() => {});
  }
  async dispose(): Promise<void> {
    this.up = false;
    this.activeTurn = null;
    if (this.connection && this.acpSessionId) {
      await this.connection.closeSession({ sessionId: this.acpSessionId }).catch(() => {});
    }
    await this.killChild();
    this.connection = null;
    this.acpSessionId = null;
    this.starting = null;
  }
  private async killChild(): Promise<void> {
    const child = this.child;
    this.child = null;
    if (!child || child.killed) return;
    child.kill('SIGTERM');
    await new Promise<void>((resolve) => {
      const t = setTimeout(() => {
        if (!child.killed) child.kill('SIGKILL');
        resolve();
      }, 5_000);
      t.unref?.();
      child.once('close', () => {
        clearTimeout(t);
        resolve();
      });
    });
  }
  private async markCrashed(): Promise<void> {
    await this.sql`
      UPDATE agent_sessions SET status = 'crashed'
      WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
    `.catch(() => {});
  }
 }
 function errMsg(e: unknown): string {
  return e instanceof Error ? e.message : String(e);
 }
--- a/apps/coder/src/services/checkpoints.ts
+++ b/apps/coder/src/services/checkpoints.ts
@@ -0,0 +1,306 @@
 /**
 * write-edit-robustness #4 — worktree checkpoints.
 *
 * External agents (opencode / goose / qwen / claude) write DIRECTLY into the
 * shared session worktree (`/tmp/booworktrees/sess-<id>`); BooCode's own `rewind`
 * only reverses `pending_changes` against the project root, so it has zero coverage
 * there. A checkpoint is a pre-turn shadow-commit of the worktree tree (tracked +
 * untracked) captured WITHOUT touching the real index/working tree, stored in a
 * private GC-safe ref. `restoreCheckpoint` rewinds the worktree to that commit,
 * trims the transcript from the anchor message forward, and resets the agent
 * backend so the next turn re-establishes a fresh context consistent with the
 * restored files.
 *
 * All git goes through hostExec + shellEscape (BooCoder runs on the host; the
 * worktrees live on the host fs). Checkpoint CREATION is best-effort: a failure
 * logs and returns null — it must NEVER throw into the dispatch turn.
 */
 import { randomUUID } from 'node:crypto';
 import type { FastifyBaseLogger } from 'fastify';
 import type { Sql } from '../db.js';
 import { hostExec } from './host-exec.js';
 import { agentPool, OPENCODE_POOL_KEY } from './agent-pool.js';
 import type { AgentSessionHandle } from './agent-backend.js';
 /** Minimal shell escape for paths/refs (single-quote wrapping). Mirrors worktrees.ts. */
 function shellEscape(s: string): string {
  return "'" + s.replace(/'/g, "'\\''") + "'";
 }
 /**
 * Pure builder for the shadow-commit command. Captures tracked + untracked files
 * in the worktree into a temp index (so the real index/working tree is untouched),
 * writes a tree, commits it parented on HEAD, and parks the commit under a private
 * ref `refs/boocode/checkpoints/<id>` so git's GC never reclaims it. Prints ONLY
 * the resulting SHA on stdout (the trailing `printf '%s'`), so the caller parses
 * stdout.trim() directly.
 *
 * `id` is the row UUID (minted before the ref so the ref name matches the row).
 * Both the worktree path and the id are shell-escaped.
 */
 export function buildShadowCommitCommand(worktreePath: string, id: string): string {
  const wt = shellEscape(worktreePath);
  const ref = shellEscape(`refs/boocode/checkpoints/${id}`);
  return (
    `cd ${wt} && TMP=$(mktemp) && GIT_INDEX_FILE="$TMP" git read-tree HEAD ` +
    `&& GIT_INDEX_FILE="$TMP" git add -A ` +
    `&& TREE=$(GIT_INDEX_FILE="$TMP" git write-tree) ` +
    `&& SHA=$(git commit-tree "$TREE" -p HEAD -m "boocode checkpoint") ` +
    `&& git update-ref ${ref} "$SHA" && rm -f "$TMP" && printf '%s' "$SHA"`
  );
 }
 export interface CreateCheckpointArgs {
  chatId: string;
  sessionId: string | null;
  worktreeId: string | null;
  worktreePath: string;
  messageId: string | null;
  label?: string | null;
 }
 /**
 * Capture a pre-turn checkpoint of the session worktree. Best-effort: returns the
 * inserted row's { id, commit_sha } on success, or null on any failure (the turn
 * proceeds either way — a missing checkpoint just means no restore point for that
 * turn). NEVER throws.
 *
 * The id is minted up front so the git ref name (`refs/boocode/checkpoints/<id>`)
 * matches the DB row id, keeping ref and row in lockstep.
 */
 export async function createCheckpoint(
  sql: Sql,
  args: CreateCheckpointArgs,
  opts?: { signal?: AbortSignal; log?: FastifyBaseLogger },
 ): Promise<{ id: string; commit_sha: string } | null> {
  const id = randomUUID();
  try {
    const cmd = buildShadowCommitCommand(args.worktreePath, id);
    const res = await hostExec(cmd, { signal: opts?.signal, timeoutMs: 30_000 });
    if (res.exitCode !== 0) {
      opts?.log?.warn(
        { chatId: args.chatId, worktreePath: args.worktreePath, stderr: res.stderr.trim().slice(0, 500) },
        'checkpoint: shadow-commit failed (turn proceeds without a checkpoint)',
      );
      return null;
    }
    const commitSha = res.stdout.trim();
    if (!commitSha) {
      opts?.log?.warn(
        { chatId: args.chatId, worktreePath: args.worktreePath },
        'checkpoint: shadow-commit produced no SHA (turn proceeds)',
      );
      return null;
    }
    await sql`
      INSERT INTO checkpoints (id, chat_id, session_id, worktree_id, message_id, commit_sha, label)
      VALUES (${id}, ${args.chatId}, ${args.sessionId}, ${args.worktreeId}, ${args.messageId}, ${commitSha}, ${args.label ?? null})
    `;
    opts?.log?.info({ checkpointId: id, chatId: args.chatId, commitSha }, 'checkpoint: created');
    return { id, commit_sha: commitSha };
  } catch (err) {
    opts?.log?.warn(
      { chatId: args.chatId, err: err instanceof Error ? err.message : String(err) },
      'checkpoint: create threw (turn proceeds without a checkpoint)',
    );
    return null;
  }
 }
 /** Error the route maps to a 404 when the checkpoint can't be resolved / scoped. */
 export class CheckpointNotFoundError extends Error {
  constructor(message: string) {
    super(message);
    this.name = 'CheckpointNotFoundError';
  }
 }
 export interface RestoreCheckpointResult {
  checkpoint_id: string;
  messages_deleted: number;
  worktree_reset: boolean;
  backend_reset: boolean;
 }
 export interface RestoreCheckpointOpts {
  signal?: AbortSignal;
  log?: FastifyBaseLogger;
  /** If set, the checkpoint MUST belong to this session (route scope guard). */
  sessionId?: string;
 }
 interface CheckpointRow {
  id: string;
  chat_id: string;
  session_id: string | null;
  worktree_id: string | null;
  message_id: string | null;
  commit_sha: string;
  created_at: Date;
 }
 /**
 * Restore a checkpoint: rewind its worktree to the shadow commit, trim the
 * transcript from the anchor message forward, reset the backend session, and drop
 * now-orphaned later checkpoints. Throws CheckpointNotFoundError when the
 * checkpoint is missing or not in the requested session (route → 404).
 */
 export async function restoreCheckpoint(
  sql: Sql,
  checkpointId: string,
  opts?: RestoreCheckpointOpts,
 ): Promise<RestoreCheckpointResult> {
  // 1. Resolve the checkpoint.
  const [cp] = await sql<CheckpointRow[]>`
    SELECT id, chat_id, session_id, worktree_id, message_id, commit_sha, created_at
    FROM checkpoints WHERE id = ${checkpointId}
  `;
  if (!cp) {
    throw new CheckpointNotFoundError('checkpoint not found');
  }
  // Authorization scope (fail-safe): the checkpoint's chat must belong to the
  // requested session. cp.session_id is a denormalized hint that may be null, so
  // gating on it directly fails open — resolve the owning session via chats
  // (authoritative; chat_id is NOT NULL) and deny on any mismatch or missing row.
  if (opts?.sessionId) {
    const [owner] = await sql<{ session_id: string | null }[]>`
      SELECT session_id FROM chats WHERE id = ${cp.chat_id}
    `;
    if (!owner || owner.session_id !== opts.sessionId) {
      throw new CheckpointNotFoundError('checkpoint not in session');
    }
  }
  // 2. Resolve the worktree path (by worktree_id, else the session's active one).
  let worktreePath: string | null = null;
  if (cp.worktree_id) {
    const [wt] = await sql<{ path: string }[]>`
      SELECT path FROM worktrees WHERE id = ${cp.worktree_id}
    `;
    worktreePath = wt?.path ?? null;
  }
  if (!worktreePath) {
    const sid = cp.session_id ?? opts?.sessionId ?? null;
    if (sid) {
      const [wt] = await sql<{ path: string }[]>`
        SELECT path FROM worktrees WHERE session_id = ${sid} AND status = 'active' LIMIT 1
      `;
      worktreePath = wt?.path ?? null;
    }
  }
  // 3. Worktree reset — hard-reset to the shadow commit, then clean untracked.
  let worktreeReset = false;
  if (worktreePath) {
    const resetRes = await hostExec(
      `git -C ${shellEscape(worktreePath)} reset --hard ${shellEscape(cp.commit_sha)}`,
      { signal: opts?.signal, timeoutMs: 30_000 },
    ).catch((err) => {
      opts?.log?.warn(
        { checkpointId, err: err instanceof Error ? err.message : String(err) },
        'checkpoint restore: reset --hard threw',
      );
      return null;
    });
    if (resetRes && resetRes.exitCode === 0) {
      const cleanRes = await hostExec(
        `git -C ${shellEscape(worktreePath)} clean -fd`,
        { signal: opts?.signal, timeoutMs: 30_000 },
      ).catch(() => null);
      worktreeReset = cleanRes != null && cleanRes.exitCode === 0;
      if (!worktreeReset) {
        opts?.log?.warn({ checkpointId, worktreePath }, 'checkpoint restore: clean -fd did not succeed');
      }
    } else {
      opts?.log?.warn(
        { checkpointId, worktreePath, stderr: resetRes?.stderr?.trim()?.slice(0, 500) },
        'checkpoint restore: reset --hard did not succeed',
      );
    }
  } else {
    opts?.log?.warn({ checkpointId }, 'checkpoint restore: no worktree path resolved (files not reset)');
  }
  // 4. Trim the transcript from the anchor message forward. message_parts FK to
  //    messages is ON DELETE CASCADE (apps/server schema.sql:49), so parts are
  //    removed with their messages — no explicit parts delete needed.
  let messagesDeleted = 0;
  if (cp.message_id) {
    const deleted = await sql<{ id: string }[]>`
      DELETE FROM messages
      WHERE chat_id = ${cp.chat_id}
        AND created_at >= (SELECT created_at FROM messages WHERE id = ${cp.message_id})
      RETURNING id
    `;
    messagesDeleted = deleted.length;
  }
  // 5. Backend reset — mark the chat's agent sessions crashed so the next turn
  //    re-establishes a fresh backend, and evict the live pool session(s) for this
  //    (chat, agent). Warm backends hold context server-side with no partial
  //    rewind, so a full reset is the only consistent option (proposal §4).
  const agentRows = await sql<{ agent: string; backend: string; agent_session_id: string | null; session_id: string | null; worktree_id: string | null }[]>`
    SELECT agent, backend, agent_session_id, session_id, worktree_id
    FROM agent_sessions WHERE chat_id = ${cp.chat_id}
  `;
  await sql`
    UPDATE agent_sessions SET status = 'crashed' WHERE chat_id = ${cp.chat_id}
  `.catch(() => {});
  let backendReset = false;
  try {
    // opencode runs on the SHARED server (keyed on a sentinel, not the chat) — close
    // just this chat's session(s) on it, mirroring the lifecycle close-hook.
    const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
    if (ocBackend) {
      for (const row of agentRows) {
        if (row.backend !== 'opencode_server' || !row.agent_session_id) continue;
        const handle: AgentSessionHandle = {
          sessionId: row.session_id ?? '',
          agent: row.agent,
          backend: 'opencode_server',
          chatId: cp.chat_id,
          worktreeId: row.worktree_id ?? '',
          agentSessionId: row.agent_session_id,
          serverPort: null,
        };
        await ocBackend.closeSession(handle).catch((err) => {
          opts?.log?.warn(
            { checkpointId, err: err instanceof Error ? err.message : String(err) },
            'checkpoint restore: opencode closeSession threw',
          );
        });
      }
    }
    // Warm-ACP backends are pooled under the chat id — dispose them (kills the
    // goose/qwen child). closeChat skips busy backends (a live turn isn't torn down).
    const disposed = await agentPool.closeChat(cp.chat_id);
    backendReset = true;
    opts?.log?.info({ checkpointId, chatId: cp.chat_id, disposed }, 'checkpoint restore: backend reset');
  } catch (err) {
    opts?.log?.warn(
      { checkpointId, err: err instanceof Error ? err.message : String(err) },
      'checkpoint restore: backend reset threw',
    );
  }
  // 6. Drop now-orphaned later checkpoints for this chat (their anchor messages were
  //    just trimmed). Compare `created_at` SERVER-SIDE via a subquery (NOT the JS
  //    Date round-trip, which truncates the stored microsecond precision to ms and
  //    would make this checkpoint delete ITSELF), and exclude this checkpoint's own
  //    id so it always survives — letting the user re-restore to it.
  await sql`
    DELETE FROM checkpoints
    WHERE chat_id = ${cp.chat_id}
      AND id <> ${cp.id}
      AND created_at > (SELECT created_at FROM checkpoints WHERE id = ${cp.id})
  `.catch(() => {});
  return {
    checkpoint_id: checkpointId,
    messages_deleted: messagesDeleted,
    worktree_reset: worktreeReset,
    backend_reset: backendReset,
  };
 }
--- a/apps/coder/src/services/dispatcher.ts
+++ b/apps/coder/src/services/dispatcher.ts
@@ -4,6 +4,7 @@ import type { Broker } from '@boocode/server/broker';
 import type { WsFrame } from '@boocode/server/ws-frames';
 import type { Config } from '../config.js';
 import { createWorktree, diffWorktree, cleanupWorktree, ensureSessionWorktree } from './worktrees.js';
 import { createCheckpoint } from './checkpoints.js';
 import { makeDcpStreamStripper } from './dcp-strip.js';
 import { dispatchViaAcp } from './acp-dispatch.js';
 import { getResolvedRegistry } from './provider-config-registry.js';
@@ -12,8 +13,10 @@ import { clearTaskCommands, setTaskCommands } from './agent-commands-cache.js';
 import { getManifestCommands } from './provider-commands.js';
 import { persistExternalAgentTurn } from './agent-turn-persist.js';
 import { snapshotToWireToolCall, type AcpToolSnapshot } from './acp-tool-snapshot.js';
-import { agentPool } from './agent-pool.js';
+import { agentPool, OPENCODE_POOL_KEY } from './agent-pool.js';
 import { OpenCodeServerBackend } from './backends/opencode-server.js';
 import { WarmAcpBackend } from './backends/warm-acp.js';
 import { shouldUseWarmBackend } from './backends/warm-acp-routing.js';
 import type { AgentBackend, AgentEvent } from './agent-backend.js';
 interface InferenceRunner {
@@ -121,10 +124,15 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        SELECT name, supports_acp, install_path FROM available_agents WHERE name = ${task.agent}
      `;
      if (agentRow) {
-        // v2.6 (1.7): opencode routes to the warm pool backend; every other
+        // v2.6 (1.7): opencode routes to its warm HTTP-server backend.
-        // external agent keeps the existing one-shot ACP/PTY path untouched.
+        // v2.6 Phase 2 (2.4): goose/qwen route to the warm ACP backend WHEN the
        // task came from a real chat tab (session_id + chat_id) — shouldUseWarmBackend.
        // Session-less creators (arena, MCP, new_task, generic /api/tasks) keep the
        // existing one-shot worktree-per-task ACP/PTY path untouched.
        if (task.agent === 'opencode') {
          await runOpenCodeServerTask(task, agentRow.install_path);
        } else if (shouldUseWarmBackend(task)) {
          await runWarmAcpTask(task, agentRow.install_path);
        } else {
          await runExternalAgent(task, agentRow.supports_acp, agentRow.install_path);
        }
@@ -351,6 +359,16 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      `;
      const assistantId = assistantMsg!.id;
      // write-edit-robustness #4: pre-turn worktree checkpoint (best-effort; a
      // failure logs and never breaks dispatch). This path uses a per-task worktree
      // (createWorktree, not the session worktree), so there's no worktrees-table id
      // — pass null for worktreeId, the path is enough for restore's reset.
      await createCheckpoint(
        sql,
        { chatId, sessionId, worktreeId: null, worktreePath, messageId: assistantId },
        { signal: ac.signal, log },
      ).catch(() => null);
      broker.publishFrame(sessionId, {
        type: 'message_started',
        message_id: assistantId,
@@ -392,6 +410,52 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        outputSummary = result.output.slice(0, 500);
        await persistExternalAgentTurn(sql, assistantId, result.toolSnapshots, acpReasoning);
      } else {
        // v#7 (stream-json): claude + qwen run with --output-format stream-json.
        // Parse the NDJSON live in pty-dispatch and forward AgentEvents here so we
        // publish the SAME live frames the warm-ACP / opencode paths emit (text,
        // reasoning, tool) and persist structured parts. Accumulate for the final
        // message content + persistence; fall back to the opaque stdout slice when
        // nothing parsed (agent ran without the flag, or crashed before emitting).
        const ptyTextChunks: string[] = [];
        const ptyReasoningChunks: string[] = [];
        const ptyToolSnaps = new Map<string, AcpToolSnapshot>();
        const onPtyEvent = (e: AgentEvent): void => {
          switch (e.type) {
            case 'text':
              ptyTextChunks.push(e.text);
              broker.publishFrame(sessionId, {
                type: 'delta',
                message_id: assistantId,
                chat_id: chatId,
                content: e.text,
              } as WsFrame);
              break;
            case 'reasoning':
              ptyReasoningChunks.push(e.text);
              broker.publishFrame(sessionId, {
                type: 'reasoning_delta',
                message_id: assistantId,
                chat_id: chatId,
                content: e.text,
              } as WsFrame);
              break;
            case 'tool_call':
            case 'tool_update':
              ptyToolSnaps.set(e.toolCall.toolCallId, e.toolCall);
              broker.publishFrame(sessionId, {
                type: 'tool_call',
                message_id: assistantId,
                chat_id: chatId,
                tool_call: snapshotToWireToolCall(e.toolCall),
              } as WsFrame);
              break;
            case 'commands':
              // stream-json carries no commands today; ignore if it ever does.
              break;
          }
        };
        const result = await dispatchViaPty({
          agent,
          task: task.input,
@@ -402,7 +466,22 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
          thinkingOptionId: task.thinking_option_id ?? undefined,
          signal: ac.signal,
          log,
          onEvent: onPtyEvent,
        });
        if (result.streamed) {
          assistantContent = ptyTextChunks.join('').slice(0, 50_000);
          // stream-json text can be empty for a tool-only turn — surface stderr or a
          // placeholder so the message row isn't blank.
          if (!assistantContent) {
            assistantContent = (result.stderr || '(no text output)').slice(0, 50_000);
          }
          outputSummary = (ptyTextChunks.join('') || result.stderr).slice(0, 500);
          acpReasoning = ptyReasoningChunks.join('').slice(0, 200_000);
          await persistExternalAgentTurn(sql, assistantId, [...ptyToolSnaps.values()], acpReasoning);
        } else {
          // Fallback: agent produced no parseable NDJSON (ran without the flag, or
          // crashed). Preserve today's opaque stdout-slice + single delta behavior.
          assistantContent = (result.stdout || result.stderr || '(no output)').slice(0, 50_000);
          outputSummary = (result.stdout || result.stderr).slice(0, 500);
@@ -415,6 +494,7 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
            } as WsFrame);
          }
        }
      }
      await sql`
        UPDATE messages
@@ -441,10 +521,11 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      const diff = await diffWorktree(worktreePath, projectPath, { signal: ac.signal });
      if (diff) {
-        // Queue a single pending_change entry with the full unified diff
+        // Queue a single pending_change entry with the full unified diff, stamped
        // with the dispatched agent for DiffPanel attribution (v2.6 Phase 1-UX).
        await sql`
-          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
+          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
-          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff})
+          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff}, ${agent})
        `;
        log.info({ taskId, diffLength: diff.length }, 'dispatcher: diff queued as pending change');
      } else {
@@ -491,9 +572,8 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
  // OpenCode runs ONE server per BooCoder process, shared across all sessions
  // (the backend multiplexes sessions internally), so it's pooled under a fixed
-  // key rather than per-session. Warm ACP backends (Phase 2) will be per-session.
+  // key (OPENCODE_POOL_KEY, shared with the lifecycle close-hook) rather than
-  const OPENCODE_POOL_KEY = '__opencode_server__';
+  // per-session. Warm ACP backends (Phase 2) are per (chat, agent).
  function getOpenCodeBackend(installPath: string | null): AgentBackend {
    let backend = agentPool.get(OPENCODE_POOL_KEY, 'opencode');
    if (!backend) {
@@ -610,6 +690,15 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      `;
      const assistantId = assistantMsg!.id;
      // write-edit-robustness #4: pre-turn checkpoint of the persistent session
      // worktree (best-effort; never breaks dispatch). worktreeId comes from the
      // worktrees table (ensureSessionWorktree above).
      await createCheckpoint(
        sql,
        { chatId, sessionId, worktreeId, worktreePath, messageId: assistantId },
        { signal: ac.signal, log },
      ).catch(() => null);
      broker.publishFrame(sessionId, {
        type: 'message_started',
        message_id: assistantId,
@@ -702,6 +791,9 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        signal: ac.signal,
        onEvent,
      });
      // Phase 3: keep the pooled backend's slot warm across this (possibly long)
      // turn so the idle sweep measures from turn END, not start.
      agentPool.touch(OPENCODE_POOL_KEY, agent);
      // Flush any text held back mid-tag at stream end (complete tags stripped).
      const dcpTail = dcp.flush();
@@ -787,6 +879,256 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
    }
  }
  // ─── Path B (warm ACP): goose / qwen warm backend (v2.6 Phase 2) ─────────────
  // Warm ACP backends are per (chat, agent): each owns ONE stdio process + ACP
  // connection + session. Pool key = chatId; the AgentPool's secondary key is the
  // agent. This mirrors agent_sessions' (chat_id, agent) PK.
  function getWarmAcpBackend(chatId: string, agent: string, installPath: string | null): WarmAcpBackend {
    let backend = agentPool.get(chatId, agent);
    if (!backend) {
      backend = new WarmAcpBackend({
        sql,
        log,
        chatId,
        agent,
        installPath,
        resolved: getResolvedRegistry().get(agent),
      });
      agentPool.register(chatId, agent, backend);
    }
    return backend as WarmAcpBackend;
  }
  async function runWarmAcpTask(
    task: {
      id: string;
      project_id: string;
      input: string;
      agent: string | null;
      model: string | null;
      mode_id: string | null;
      thinking_option_id: string | null;
      session_id: string | null;
      chat_id: string | null;
    },
    installPath: string | null,
  ): Promise<void> {
    const taskId = task.id;
    const agent = task.agent!;
    // shouldUseWarmBackend guarantees both non-null before we get here.
    const sessionId = task.session_id!;
    const chatId = task.chat_id!;
    log.info({ taskId, agent, chatId }, 'dispatcher: starting task (path B — warm ACP)');
    const [project] = await sql<{ path: string | null }[]>`
      SELECT path FROM projects WHERE id = ${task.project_id}
    `;
    const projectPath = project?.path;
    if (!projectPath) {
      await sql`
        UPDATE tasks
        SET state = 'failed', ended_at = clock_timestamp(), output_summary = 'Project has no path — cannot create worktree'
        WHERE id = ${taskId}
      `;
      return;
    }
    const ac = new AbortController();
    try {
      await sql`
        UPDATE tasks
        SET state = 'running', started_at = clock_timestamp(), execution_path = 'acp'
        WHERE id = ${taskId}
      `;
      // Persistent, session-keyed worktree (shared across turns + agents; NOT torn
      // down per turn — Phase 3 reaps it). Same as the opencode-server path so a
      // chat that switches opencode↔goose↔qwen shares one worktree.
      const { worktreeId, worktreePath, baseCommit } = await ensureSessionWorktree(sql, projectPath, sessionId, {
        signal: ac.signal,
      });
      log.info({ taskId, worktreePath }, 'dispatcher: session worktree ready (warm ACP)');
      const [assistantMsg] = await sql<{ id: string }[]>`
        INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', clock_timestamp())
        RETURNING id
      `;
      const assistantId = assistantMsg!.id;
      // write-edit-robustness #4: pre-turn checkpoint of the persistent session
      // worktree (best-effort; never breaks dispatch). Same worktree the opencode
      // path uses — a chat that switches opencode↔goose↔qwen shares one worktree.
      await createCheckpoint(
        sql,
        { chatId, sessionId, worktreeId, worktreePath, messageId: assistantId },
        { signal: ac.signal, log },
      ).catch(() => null);
      broker.publishFrame(sessionId, {
        type: 'message_started',
        message_id: assistantId,
        chat_id: chatId,
        role: 'assistant',
      } as WsFrame);
      const manifestCommands = getManifestCommands(agent);
      if (manifestCommands.length > 0) {
        setTaskCommands(taskId, manifestCommands);
        broker.publishFrame(sessionId, {
          type: 'agent_commands',
          task_id: taskId,
          session_id: sessionId,
          commands: manifestCommands,
        } as WsFrame);
      }
      // Accumulate the turn's stream for persistence + the final message content.
      const textChunks: string[] = [];
      const reasoningChunks: string[] = [];
      const toolSnaps = new Map<string, AcpToolSnapshot>();
      // Map transport-agnostic AgentEvents → the SAME WS frames the one-shot ACP
      // path emits (identical to runOpenCodeServerTask's onEvent). No dcp stripping:
      // that's an opencode-plugin artifact; goose/qwen don't emit dcp tags.
      const onEvent = (e: AgentEvent): void => {
        switch (e.type) {
          case 'text':
            textChunks.push(e.text);
            broker.publishFrame(sessionId, {
              type: 'delta',
              message_id: assistantId,
              chat_id: chatId,
              content: e.text,
            } as WsFrame);
            break;
          case 'reasoning':
            reasoningChunks.push(e.text);
            broker.publishFrame(sessionId, {
              type: 'reasoning_delta',
              message_id: assistantId,
              chat_id: chatId,
              content: e.text,
            } as WsFrame);
            break;
          case 'tool_call':
          case 'tool_update':
            toolSnaps.set(e.toolCall.toolCallId, e.toolCall);
            broker.publishFrame(sessionId, {
              type: 'tool_call',
              message_id: assistantId,
              chat_id: chatId,
              tool_call: snapshotToWireToolCall(e.toolCall),
            } as WsFrame);
            break;
          case 'commands':
            if (e.commands.length > 0) {
              setTaskCommands(taskId, e.commands);
              broker.publishFrame(sessionId, {
                type: 'agent_commands',
                task_id: taskId,
                session_id: sessionId,
                commands: e.commands,
              } as WsFrame);
            }
            break;
        }
      };
      const model = task.model ?? undefined;
      const backend = getWarmAcpBackend(chatId, agent, installPath);
      const handle = await backend.ensureSession(sessionId, {
        agent,
        model: model ?? '',
        chatId,
        worktreePath,
        worktreeId,
        projectId: task.project_id,
      });
      const result = await backend.prompt(handle, task.input, {
        worktreePath,
        model: model ?? '',
        signal: ac.signal,
        onEvent,
        taskId,
        modeId: task.mode_id ?? undefined,
      });
      // Phase 3: keep the pooled (chat,agent) backend warm across the turn.
      agentPool.touch(chatId, agent);
      const assistantContent = textChunks.join('').slice(0, 50_000);
      const reasoningText = reasoningChunks.join('').slice(0, 200_000);
      const outputSummary = (result.ok ? textChunks.join('') : result.error ?? 'warm ACP turn failed').slice(0, 500);
      await persistExternalAgentTurn(sql, assistantId, [...toolSnaps.values()], reasoningText);
      await sql`
        UPDATE messages
        SET content = ${assistantContent}, status = 'complete', finished_at = clock_timestamp()
        WHERE id = ${assistantId}
      `;
      broker.publishFrame(sessionId, {
        type: 'message_complete',
        message_id: assistantId,
        chat_id: chatId,
      } as WsFrame);
      if (stopping) {
        await sql`UPDATE tasks SET state = 'cancelled', ended_at = clock_timestamp() WHERE id = ${taskId}`;
        return; // worktree persists (no cleanup); backend stays warm
      }
      // Diff the persistent worktree against its captured baseline and SUPERSEDE
      // the session's prior pending row (latest-wins) — identical to opencode.
      const diff = await diffWorktree(worktreePath, projectPath, {
        signal: ac.signal,
        baseRef: baseCommit ?? 'HEAD',
      });
      if (diff) {
        await sql`
          DELETE FROM pending_changes WHERE session_id = ${sessionId} AND status = 'pending'
        `;
        await sql`
          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff}, ${agent})
        `;
        log.info({ taskId, diffLength: diff.length }, 'dispatcher: diff superseded prior pending change (warm ACP)');
      } else {
        log.info({ taskId }, 'dispatcher: no changes detected in session worktree (warm ACP)');
      }
      // NO worktree cleanup — persistent (Phase 3 reaps it). Backend stays warm.
      const [extCostRow] = await sql<{ total: number | null }[]>`
        SELECT SUM(tokens_used)::int AS total
        FROM messages
        WHERE session_id = ${sessionId} AND tokens_used IS NOT NULL
      `;
      const extCostTokens = extCostRow?.total ?? null;
      const finalState = result.ok ? 'completed' : 'failed';
      await sql`
        UPDATE tasks
        SET state = ${finalState}, ended_at = clock_timestamp(), output_summary = ${outputSummary}, cost_tokens = ${extCostTokens}
        WHERE id = ${taskId}
      `;
      log.info({ taskId, agent, finalState }, 'dispatcher: task finished (warm ACP)');
      clearTaskCommands(taskId);
    } catch (err) {
      const errMsg = err instanceof Error ? err.message : String(err);
      log.error({ taskId, agent, err: errMsg }, 'dispatcher: warm ACP error');
      await sql`
        UPDATE tasks
        SET state = 'failed', ended_at = clock_timestamp(), output_summary = ${errMsg.slice(0, 500)}
        WHERE id = ${taskId}
      `.catch(() => {});
      clearTaskCommands(taskId);
      // No worktree cleanup (persistent); backend stays warm for the next turn.
    }
  }
  // ─── Helpers ────────────────────────────────────────────────────────────────
  async function waitForCompletion(assistantId: string): Promise<string> {
--- a/apps/coder/src/services/fuzzy-match.ts
+++ b/apps/coder/src/services/fuzzy-match.ts
@@ -0,0 +1,271 @@
 // Fuzzy patch locator for staged edits.
 //
 // Local quantized models (qwen3.6 and friends) frequently reproduce an
 // `old_string` with small, semantically-irrelevant drift: trailing whitespace,
 // a different indent width, or "smart" unicode punctuation (curly quotes, an
 // en/em-dash, a non-breaking space) where the source has the plain ASCII form.
 // An exact `String.includes` then fails and the queued edit is lost even though
 // a human would say it obviously matches.
 //
 // `locateMatch` walks a ladder of progressively looser strategies and returns
 // the real `[start, end)` byte-offset span in the ORIGINAL content so the caller
 // can splice in `new_string` over the true file text (preserving the file's own
 // whitespace/unicode, not the model's drifted copy). The ladder stops at the
 // first strategy that resolves to a single span:
 //
 //   1. exact            — indexOf; >1 hit is reported `ambiguous` (we refuse to
 //                         guess which occurrence the model meant).
 //   2. per-line ws      — line-window compare ignoring per-line trailing
 //                         whitespace and leading/trailing blank needle lines.
 //   3. unicode canon    — same line-window compare after folding smart
 //                         punctuation to ASCII on both sides; the match is
 //                         mapped back to original offsets.
 //   4. levenshtein      — best line-window by normalized edit-distance
 //                         similarity; accepted only at >= SIMILARITY_THRESHOLD.
 //
 // Pure and dependency-free (Levenshtein is the standard iterative two-row DP),
 // reimplemented from the general technique — no vendored source.
 export type MatchResult =
  | { kind: 'exact' | 'fuzzy'; start: number; end: number } // [start,end) offsets into content
  | { kind: 'ambiguous'; count: number }
  | { kind: 'not_found' };
 /** Levenshtein similarity floor for the final fuzzy fallback (strategy 4). */
 export const SIMILARITY_THRESHOLD = 0.66;
 export function locateMatch(content: string, needle: string): MatchResult {
  // Empty needle has no meaningful match.
  if (needle.length === 0) return { kind: 'not_found' };
  // --- 1. Exact ----------------------------------------------------------------
  const exact = locateExact(content, needle);
  if (exact) return exact;
  // --- 2. Per-line whitespace-insensitive -------------------------------------
  const ws = locateByLineWindow(content, needle);
  if (ws) return ws;
  // --- 3. Unicode-canonicalized whitespace pass -------------------------------
  const canon = locateCanonical(content, needle);
  if (canon) return canon;
  // --- 4. Levenshtein similarity ----------------------------------------------
  const lev = locateByLevenshtein(content, needle);
  if (lev) return lev;
  return { kind: 'not_found' };
 }
 // --- Strategy 1: exact -------------------------------------------------------
 function locateExact(content: string, needle: string): MatchResult | null {
  const first = content.indexOf(needle);
  if (first === -1) return null;
  const second = content.indexOf(needle, first + 1);
  if (second === -1) {
    return { kind: 'exact', start: first, end: first + needle.length };
  }
  // Count all occurrences so the caller can report a useful number.
  let count = 2;
  let idx = content.indexOf(needle, second + 1);
  while (idx !== -1) {
    count++;
    idx = content.indexOf(needle, idx + 1);
  }
  return { kind: 'ambiguous', count };
 }
 // --- Line-window machinery ---------------------------------------------------
 interface Line {
  /** Raw line text (no trailing newline). */
  text: string;
  /** Offset of the first char of this line in the original content. */
  start: number;
  /** Offset one past the last char of this line (before its newline, if any). */
  end: number;
 }
 /**
 * Split content into lines, tracking each line's real offset span. The span
 * EXCLUDES the trailing newline so consecutive line spans plus their newlines
 * exactly reconstruct the content; the match span we hand back covers from the
 * first matched line's start through the last matched line's end (i.e. without a
 * trailing newline), which is what an in-place splice wants.
 */
 function splitLines(content: string): Line[] {
  const lines: Line[] = [];
  let start = 0;
  for (let i = 0; i <= content.length; i++) {
    if (i === content.length || content[i] === '\n') {
      lines.push({ text: content.slice(start, i), start, end: i });
      start = i + 1;
    }
  }
  return lines;
 }
 /** Strip leading/trailing all-blank lines; returns the trimmed slice. */
 function trimBlankLines(lines: string[]): string[] {
  let lo = 0;
  let hi = lines.length;
  while (lo < hi && lines[lo]!.trim() === '') lo++;
  while (hi > lo && lines[hi - 1]!.trim() === '') hi--;
  return lines.slice(lo, hi);
 }
 /**
 * Find a contiguous window of content lines whose trailing-whitespace-trimmed
 * text equals the needle's (blank-trimmed) lines. Returns the real offset span
 * over the matched content lines, or null if zero match. Multiple matches →
 * ambiguous. `normalize` lets the caller fold unicode before comparing.
 */
 function locateByLineWindow(
  content: string,
  needle: string,
  normalize: (s: string) => string = (s) => s,
 ): MatchResult | null {
  const contentLines = splitLines(content);
  const needleLines = trimBlankLines(needle.split('\n'));
  const n = needleLines.length;
  if (n === 0) return null;
  // A single needle line that is itself blank can't be located meaningfully.
  if (n === 1 && needleLines[0]!.trim() === '') return null;
  const needleKey = needleLines.map((l) => normalize(l.trimEnd())).join('\n');
  const hits: Array<{ start: number; end: number }> = [];
  for (let i = 0; i + n <= contentLines.length; i++) {
    const windowKey = contentLines
      .slice(i, i + n)
      .map((l) => normalize(l.text.trimEnd()))
      .join('\n');
    if (windowKey === needleKey) {
      hits.push({ start: contentLines[i]!.start, end: contentLines[i + n - 1]!.end });
    }
  }
  if (hits.length === 0) return null;
  if (hits.length > 1) return { kind: 'ambiguous', count: hits.length };
  return { kind: 'fuzzy', start: hits[0]!.start, end: hits[0]!.end };
 }
 // --- Strategy 3: unicode canonicalization ------------------------------------
 /**
 * Fold smart punctuation to its ASCII equivalent. Crucially this is a
 * length-PRESERVING, per-character map (every replacement is one char → one
 * char), so an offset into the canonical string is also a valid offset into the
 * original — letting strategy 3 reuse the line-window matcher and still hand
 * back true original-content offsets.
 */
 function canonicalizeChar(ch: string): string {
  switch (ch) {
    // single quotes / apostrophes
    case '‘': // '
    case '’': // '
    case '‚': // ‚
    case '‛': // ‛
      return "'";
    // double quotes
    case '“': // "
    case '”': // "
    case '„': // „
    case '‟': // ‟
      return '"';
    // dashes
    case '–': // – en dash
    case '—': // — em dash
    case '‒': // ‒ figure dash
    case '―': // ― horizontal bar
    case '−': // − minus sign
      return '-';
    // spaces
    case ' ': // nbsp
    case ' ': // figure space
    case ' ': // narrow nbsp
      return ' ';
    default:
      return ch;
  }
 }
 function canonicalize(s: string): string {
  let out = '';
  for (const ch of s) out += canonicalizeChar(ch);
  return out;
 }
 function locateCanonical(content: string, needle: string): MatchResult | null {
  // Only worth running if canonicalization actually changes something on either
  // side — otherwise it's identical to strategy 2 which already failed.
  const canonContent = canonicalize(content);
  const canonNeedle = canonicalize(needle);
  if (canonContent === content && canonNeedle === needle) return null;
  // Offsets are preserved (length-preserving fold), so a match on the canonical
  // content maps directly back to the original.
  return locateByLineWindow(canonContent, canonNeedle);
 }
 // --- Strategy 4: Levenshtein similarity --------------------------------------
 /** Standard iterative two-row Levenshtein edit distance. */
 function levenshtein(a: string, b: string): number {
  if (a === b) return 0;
  if (a.length === 0) return b.length;
  if (b.length === 0) return a.length;
  let prev = new Array<number>(b.length + 1);
  let curr = new Array<number>(b.length + 1);
  for (let j = 0; j <= b.length; j++) prev[j] = j;
  for (let i = 1; i <= a.length; i++) {
    curr[0] = i;
    const ac = a.charCodeAt(i - 1);
    for (let j = 1; j <= b.length; j++) {
      const cost = ac === b.charCodeAt(j - 1) ? 0 : 1;
      curr[j] = Math.min(
        prev[j]! + 1, // deletion
        curr[j - 1]! + 1, // insertion
        prev[j - 1]! + cost, // substitution
      );
    }
    [prev, curr] = [curr, prev];
  }
  return prev[b.length]!;
 }
 /** Normalized similarity in [0,1]: 1 - dist / max(len). */
 function similarity(a: string, b: string): number {
  const maxLen = Math.max(a.length, b.length);
  if (maxLen === 0) return 1;
  return 1 - levenshtein(a, b) / maxLen;
 }
 function locateByLevenshtein(content: string, needle: string): MatchResult | null {
  const contentLines = splitLines(content);
  const needleLines = trimBlankLines(needle.split('\n'));
  const n = needleLines.length;
  if (n === 0) return null;
  if (contentLines.length < n) return null;
  const needleJoined = needleLines.map((l) => l.trim()).join('\n');
  let best = -1;
  let bestSpan: { start: number; end: number } | null = null;
  for (let i = 0; i + n <= contentLines.length; i++) {
    const window = contentLines.slice(i, i + n);
    const windowJoined = window.map((l) => l.text.trim()).join('\n');
    const score = similarity(windowJoined, needleJoined);
    if (score > best) {
      best = score;
      bestSpan = { start: window[0]!.start, end: window[n - 1]!.end };
    }
  }
  if (bestSpan && best >= SIMILARITY_THRESHOLD) {
    return { kind: 'fuzzy', start: bestSpan.start, end: bestSpan.end };
  }
  return null;
 }
--- a/apps/coder/src/services/orphan-worktree-reaper.ts
+++ b/apps/coder/src/services/orphan-worktree-reaper.ts
@@ -0,0 +1,170 @@
 /**
 * v2.6 Phase 3 (3.4) — orphan worktree reaper.
 *
 * Reclaims on-disk session worktree dirs under WORKTREE_BASE that have NO live
 * (`status='active'`) row in the `worktrees` table — leaks from a crash between
 * `git worktree add` and the DB insert, a missed chat-close hook, or a manual rm
 * of the DB row. Extends the periodic-sweeper pattern (apps/server's truncation +
 * stale-streaming reaper).
 *
 * SAFETY (Paseo worktree-archive cascade + superset destroy-saga lift): before
 * removing ANY dir, run `checkWorktreeWorkAtRisk` — a dirty / unpushed / unmerged
 * worktree is SKIPPED (logged), never force-removed. The pure orphan-target
 * selection (which dirs are candidates) lives in
 * `backends/lifecycle-decisions.ts:selectOrphanWorktreeTargets` and is unit-tested;
 * this module does the DB read + fs stat + git preflight + removal side-effects.
 *
 * The mtime grace (default 1h) means a dir mid-`ensureSessionWorktree` (created on
 * disk, row not yet committed) is never swept — the grace window covers the gap.
 */
 import { readdir, stat } from 'node:fs/promises';
 import { join } from 'node:path';
 import type { FastifyBaseLogger } from 'fastify';
 import type { Sql } from '../db.js';
 import { WORKTREE_BASE, checkWorktreeWorkAtRisk } from './worktrees.js';
 import { hostExec } from './host-exec.js';
 import {
  selectOrphanWorktreeTargets,
  DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
 } from './backends/lifecycle-decisions.js';
 export interface OrphanWorktreeReaperDeps {
  sql: Sql;
  log: FastifyBaseLogger;
  intervalMs: number;
  graceMs?: number;
 }
 export interface OrphanReaperResult {
  scanned: number;
  candidates: number;
  reaped: string[];
  skippedAtRisk: string[];
 }
 /** Single-pass reap: select orphan candidates, preflight at-risk, remove the safe. */
 export async function reapOrphanWorktrees(
  sql: Sql,
  log: FastifyBaseLogger,
  graceMs: number = DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
  now: number = Date.now(),
 ): Promise<OrphanReaperResult> {
  // Enumerate on-disk session worktree dirs (`sess-*`). Per-task worktrees
  // (arena/new_task/MCP) are cleaned up inline by the one-shot path, so we only
  // own the persistent session dirs the warm paths leave behind.
  let dirents: string[];
  try {
    dirents = await readdir(WORKTREE_BASE);
  } catch {
    return { scanned: 0, candidates: 0, reaped: [], skippedAtRisk: [] }; // base absent → nothing to do
  }
  const onDisk: { path: string; mtimeMs: number }[] = [];
  for (const name of dirents) {
    if (!name.startsWith('sess-')) continue; // only persistent session worktrees
    const path = join(WORKTREE_BASE, name);
    try {
      const s = await stat(path);
      if (!s.isDirectory()) continue;
      onDisk.push({ path, mtimeMs: s.mtimeMs });
    } catch {
      // vanished between readdir and stat — skip
    }
  }
  // Live worktree paths from the DB (active rows only — archived/removed rows are
  // not "live", so their leftover dirs are reapable orphans).
  const liveRows = await sql<{ path: string }[]>`
    SELECT path FROM worktrees WHERE status = 'active'
  `;
  const live = new Set(liveRows.map((r) => r.path));
  const candidates = selectOrphanWorktreeTargets(onDisk, live, now, graceMs);
  const reaped: string[] = [];
  const skippedAtRisk: string[] = [];
  for (const path of candidates) {
    // Preflight: never reap work at risk. A git error forces atRisk=true (fail
    // closed), so a half-broken worktree is kept, not silently destroyed.
    const risk = await checkWorktreeWorkAtRisk(path);
    if (risk.atRisk) {
      skippedAtRisk.push(path);
      log.warn({ path, dirty: risk.dirty, unmerged: risk.unmerged, error: risk.error }, 'orphan-reaper: skipping at-risk orphan worktree');
      continue;
    }
    const removed = await removeOrphanDir(path);
    if (removed) reaped.push(path);
  }
  if (reaped.length > 0 || skippedAtRisk.length > 0) {
    log.info({ scanned: onDisk.length, candidates: candidates.length, reaped, skippedAtRisk }, 'orphan-reaper: pass complete');
  }
  return { scanned: onDisk.length, candidates: candidates.length, reaped, skippedAtRisk };
 }
 /**
 * Remove a single orphan worktree dir. Resolve its main repo via the git
 * common-dir, run `worktree remove --force` from there + prune, then rm the dir as
 * a backstop. Best-effort: every step is independently fault-tolerant so a partial
 * state (dir present, git untracked) still gets reclaimed.
 */
 async function removeOrphanDir(path: string): Promise<boolean> {
  // Find the owning repo (the common git dir's parent). When the dir isn't a valid
  // worktree anymore, this fails and we fall back to a plain rm.
  const common = await hostExec(
    `git -C ${shellEscape(path)} rev-parse --path-format=absolute --git-common-dir`,
    { timeoutMs: 10_000 },
  ).catch(() => null);
  const commonDir = common && common.exitCode === 0 ? common.stdout.trim() : '';
  // The repo worktree root is the parent of the .git common dir (strip trailing /.git).
  const repoRoot = commonDir.replace(/\/\.git\/?$/, '').replace(/\/\.git$/, '');
  if (repoRoot && repoRoot !== commonDir) {
    await hostExec(
      `git -C ${shellEscape(repoRoot)} worktree remove ${shellEscape(path)} --force`,
      { timeoutMs: 15_000 },
    ).catch(() => {});
    await hostExec(
      `git -C ${shellEscape(repoRoot)} worktree prune`,
      { timeoutMs: 10_000 },
    ).catch(() => {});
  }
  // Backstop: ensure the dir is gone even if the git remove no-op'd.
  const rm = await hostExec(`rm -rf ${shellEscape(path)}`, { timeoutMs: 15_000 }).catch(() => null);
  return rm != null && rm.exitCode === 0;
 }
 /** Minimal single-quote shell escape (mirrors worktrees.ts). */
 function shellEscape(s: string): string {
  return "'" + s.replace(/'/g, "'\\''") + "'";
 }
 /** Periodic orphan-worktree reaper, started/stopped by the bootstrap. Unref'd. */
 export function createOrphanWorktreeReaper(deps: OrphanWorktreeReaperDeps): { start(): void; stop(): void } {
  const { sql, log, intervalMs } = deps;
  const graceMs = deps.graceMs ?? DEFAULT_ORPHAN_WORKTREE_GRACE_MS;
  let timer: ReturnType<typeof setInterval> | null = null;
  let running = false;
  return {
    start() {
      if (timer) return;
      timer = setInterval(() => {
        if (running) return; // a slow pass must not overlap the next tick
        running = true;
        void reapOrphanWorktrees(sql, log, graceMs)
          .catch((err) => log.warn({ err: err instanceof Error ? err.message : String(err) }, 'orphan-reaper: pass error'))
          .finally(() => {
            running = false;
          });
      }, intervalMs);
      timer.unref?.();
      log.info({ intervalMs, graceMs }, 'orphan-reaper: started');
    },
    stop() {
      if (timer) {
        clearInterval(timer);
        timer = null;
      }
    },
  };
 }
--- a/apps/coder/src/services/pending_changes.ts
+++ b/apps/coder/src/services/pending_changes.ts
@@ -2,6 +2,7 @@ import { readFile, writeFile, unlink, mkdir } from 'node:fs/promises';
 import { dirname } from 'node:path';
 import type { Sql } from '../db.js';
 import { resolveWritePath } from './write_guard.js';
 import { locateMatch } from './fuzzy-match.js';
 // --- Types -------------------------------------------------------------------
@@ -13,6 +14,10 @@ export interface PendingChange {
  operation: 'create' | 'edit' | 'delete';
  diff: string;
  status: 'pending' | 'applied' | 'rejected' | 'reverted';
  // v2.6 Phase 1-UX: which agent staged this change (DiffPanel attribution).
  // Native boocode write tools stamp 'boocode'; the manual RightRail create path
  // passes null (renders as "manual"). NULL on legacy rows queued pre-v2.6.
  agent: string | null;
  created_at: string;
 }
@@ -34,13 +39,17 @@ export async function queueEdit(
  oldString: string,
  newString: string,
  projectRoot: string,
  // v2.6 Phase 1-UX: attribution. Defaults to 'boocode' because the only callers
  // that omit it are the native write tools (edit_file/create_file/delete_file).
  // Pass null explicitly for the manual RightRail create path.
  agent: string | null = 'boocode',
 ): Promise<PendingChange> {
  const resolved = resolveWritePath(projectRoot, filePath);
  const diff = JSON.stringify({ old: oldString, new: newString });
  const [row] = await sql<PendingChange[]>`
-    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
+    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
-    VALUES (${sessionId}, ${taskId}, ${resolved}, 'edit', ${diff})
+    VALUES (${sessionId}, ${taskId}, ${resolved}, 'edit', ${diff}, ${agent})
    RETURNING *
  `;
  return row!;
@@ -53,12 +62,15 @@ export async function queueCreate(
  filePath: string,
  content: string,
  projectRoot: string,
  // See queueEdit: defaults to 'boocode' for the native write tools; the manual
  // RightRail create route passes null.
  agent: string | null = 'boocode',
 ): Promise<PendingChange> {
  const resolved = resolveWritePath(projectRoot, filePath);
  const [row] = await sql<PendingChange[]>`
-    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
+    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
-    VALUES (${sessionId}, ${taskId}, ${resolved}, 'create', ${content})
+    VALUES (${sessionId}, ${taskId}, ${resolved}, 'create', ${content}, ${agent})
    RETURNING *
  `;
  return row!;
@@ -70,12 +82,14 @@ export async function queueDelete(
  taskId: string | null,
  filePath: string,
  projectRoot: string,
  // See queueEdit: defaults to 'boocode' for the native write tools.
  agent: string | null = 'boocode',
 ): Promise<PendingChange> {
  const resolved = resolveWritePath(projectRoot, filePath);
  const [row] = await sql<PendingChange[]>`
-    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff)
+    INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
-    VALUES (${sessionId}, ${taskId}, ${resolved}, 'delete', '')
+    VALUES (${sessionId}, ${taskId}, ${resolved}, 'delete', '', ${agent})
    RETURNING *
  `;
  return row!;
@@ -108,10 +122,18 @@ export async function applyOne(
      case 'edit': {
        const { old: oldStr, new: newStr } = JSON.parse(change.diff) as { old: string; new: string };
        const content = await readFile(change.file_path, 'utf8');
-        if (!content.includes(oldStr)) {
+        const match = locateMatch(content, oldStr);
-          throw new Error('old_string not found in file — file may have changed since the edit was queued');
+        if (match.kind === 'ambiguous') {
          throw new Error(
            `old_string matches ${match.count} locations — add surrounding context to disambiguate`,
          );
        }
-        const updated = content.replace(oldStr, newStr);
+        if (match.kind === 'not_found') {
          throw new Error(
            'old_string not found in file (even fuzzily) — file may have changed since the edit was queued',
          );
        }
        const updated = content.slice(0, match.start) + newStr + content.slice(match.end);
        await writeFile(change.file_path, updated, 'utf8');
        break;
      }
@@ -190,10 +212,18 @@ export async function rewindOne(
        // Reverse an edit: swap old and new
        const { old: oldStr, new: newStr } = JSON.parse(change.diff) as { old: string; new: string };
        const content = await readFile(change.file_path, 'utf8');
-        if (!content.includes(newStr)) {
+        const match = locateMatch(content, newStr);
-          throw new Error('new_string not found in file — cannot rewind; file may have been modified since apply');
+        if (match.kind === 'ambiguous') {
          throw new Error(
            `new_string matches ${match.count} locations — cannot rewind; add surrounding context to disambiguate`,
          );
        }
-        const reverted = content.replace(newStr, oldStr);
+        if (match.kind === 'not_found') {
          throw new Error(
            'new_string not found in file (even fuzzily) — cannot rewind; file may have been modified since apply',
          );
        }
        const reverted = content.slice(0, match.start) + oldStr + content.slice(match.end);
        await writeFile(change.file_path, reverted, 'utf8');
        break;
      }
--- a/apps/coder/src/services/pty-dispatch.ts
+++ b/apps/coder/src/services/pty-dispatch.ts
@@ -1,13 +1,29 @@
 /**
 * PTY dispatch — runs external agents directly on the host.
 *
 * claude + qwen run with `--output-format stream-json` and emit Claude-Code's
 * stream-json NDJSON on stdout. When an `onEvent` callback is supplied we
 * line-buffer that stdout (split on `\n`, hold the partial tail) and feed complete
 * lines to `makeStreamJsonParser` so deltas surface live as AgentEvents. The raw
 * stdout is still accumulated + returned for back-compat (and the dispatcher's
 * fallback when nothing parsed). See `stream-json-parser.ts`.
 */
 import type { FastifyBaseLogger } from 'fastify';
 import { spawn } from 'node:child_process';
 import type { AgentEvent } from './agent-backend.js';
 import { makeStreamJsonParser, type StreamJsonUsage } from './stream-json-parser.js';
 export interface DispatchResult {
  exitCode: number;
  stdout: string;
  stderr: string;
  /** True iff at least one NDJSON AgentEvent was parsed from stdout (v#7). When
   *  false the dispatcher falls back to slicing stdout as the assistant content. */
  streamed: boolean;
  /** Final usage parsed from the stream-json `result` / `message_delta`, if any. */
  usage?: StreamJsonUsage;
  /** Provider session id from the stream-json `system` init line, if any. */
  agentSessionId?: string | null;
 }
 export interface PtyDispatchOpts {
@@ -20,6 +36,10 @@ export interface PtyDispatchOpts {
  installPath?: string;
  signal?: AbortSignal;
  log: FastifyBaseLogger;
  /** Optional live event sink. When set, stdout is line-buffered + NDJSON-parsed
   *  and each AgentEvent is forwarded here as it arrives. Absent → opaque (old)
   *  behavior: stdout is accumulated and returned, no parsing. */
  onEvent?: (e: AgentEvent) => void;
 }
 interface PtySpawnSpec {
@@ -40,7 +60,9 @@ function buildPtySpawnSpec(
  switch (agent) {
    case 'claude': {
-      const args = ['-p'];
+      // stream-json on -p requires --verbose (Claude Code rejects stream-json
      // print mode without it). qwen needs no such flag.
      const args = ['-p', '--output-format', 'stream-json', '--verbose'];
      if (model) args.push('--model', model);
      if (modeId) args.push('--permission-mode', modeId);
      if (thinkingOptionId) args.push('--effort', thinkingOptionId);
@@ -73,7 +95,7 @@ function buildPtySpawnSpec(
 }
 export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchResult> {
-  const { agent, task, worktreePath, model, modeId, thinkingOptionId, installPath, signal, log } = opts;
+  const { agent, task, worktreePath, model, modeId, thinkingOptionId, installPath, signal, log, onEvent } = opts;
  const cmd = buildPtySpawnSpec(agent, task, model, modeId, thinkingOptionId, installPath);
  if (!cmd) {
@@ -81,6 +103,7 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
      exitCode: 1,
      stdout: '',
      stderr: `Agent '${agent}' is not yet supported for PTY dispatch.`,
      streamed: false,
    };
  }
@@ -102,7 +125,32 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
    let stderr = '';
    let killed = false;
-    child.stdout!.on('data', (chunk: Buffer) => { stdout += chunk.toString(); });
+    // Live NDJSON parsing (only when a sink is supplied). Line-buffer: split on
    // '\n', dispatch complete lines, hold the partial tail until the next chunk.
    const parser = onEvent ? makeStreamJsonParser() : null;
    let lineBuf = '';
    let streamed = false;
    const feedLine = (line: string): void => {
      if (!parser || !onEvent) return;
      for (const e of parser.push(line)) {
        streamed = true;
        onEvent(e);
      }
    };
    child.stdout!.on('data', (chunk: Buffer) => {
      const text = chunk.toString();
      stdout += text;
      if (!parser) return;
      lineBuf += text;
      let nl = lineBuf.indexOf('\n');
      while (nl !== -1) {
        const line = lineBuf.slice(0, nl);
        lineBuf = lineBuf.slice(nl + 1);
        feedLine(line);
        nl = lineBuf.indexOf('\n');
      }
    });
    child.stderr!.on('data', (chunk: Buffer) => { stderr += chunk.toString(); });
    const cleanup = () => {
@@ -116,7 +164,7 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
    if (signal) {
      if (signal.aborted) {
        cleanup();
-        resolve({ exitCode: 130, stdout: '', stderr: 'Aborted before start' });
+        resolve({ exitCode: 130, stdout: '', stderr: 'Aborted before start', streamed: false });
        return;
      }
      signal.addEventListener('abort', cleanup, { once: true });
@@ -124,8 +172,18 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
    child.on('close', (code) => {
      if (signal) signal.removeEventListener('abort', cleanup);
-      log.info({ agent, exitCode: code }, 'pty-dispatch: completed');
+      // Flush any final line with no trailing newline.
-      resolve({ exitCode: code ?? 1, stdout, stderr });
+      if (lineBuf.trim()) feedLine(lineBuf);
      lineBuf = '';
      log.info({ agent, exitCode: code, streamed }, 'pty-dispatch: completed');
      resolve({
        exitCode: code ?? 1,
        stdout,
        stderr,
        streamed,
        usage: parser?.usage(),
        agentSessionId: parser?.sessionId() ?? null,
      });
    });
    child.on('error', (err) => {
--- a/apps/coder/src/services/stream-json-parser.ts
+++ b/apps/coder/src/services/stream-json-parser.ts
@@ -0,0 +1,296 @@
 /**
 * Claude-Code-compatible stream-json NDJSON parser (feature #7,
 * openspec `sampling-streamjson-tokens`).
 *
 * qwen (`--output-format stream-json`) and claude (`--output-format stream-json`)
 * both emit Claude-Code's stream-json NDJSON on stdout: one JSON object per line.
 * This module turns that stream into the same transport-agnostic `AgentEvent`s the
 * ACP / opencode-server backends emit, so the PTY dispatch path can publish live
 * broker frames + persist structured parts instead of slicing stdout opaque.
 *
 * Two surfaces:
 *  - `parseStreamJsonLine(line, state)` — PURE per-line mapping (unit-testable).
 *    `state` is the caller-owned accumulator (open tool blocks + usage/session_id).
 *  - `makeStreamJsonParser()` — a thin stateful wrapper holding the state, with a
 *    `push(line)` that returns the events for that line and getters for the final
 *    `usage` / `sessionId`.
 *
 * Defensive by contract: a non-JSON / partial / garbage line yields `[]` and never
 * throws. Tool args (`input_json_delta`) arrive fragmented across many lines; we
 * accumulate the partial JSON string per content-block index and only surface the
 * parsed `rawInput` once the block stops (or, as a fallback, off the terminal
 * `assistant` message which carries the fully-assembled `tool_use` blocks).
 *
 * Schema (keyed on top-level `type`):
 *  - `system`     — init: { session_id, tools, ... }
 *  - `assistant`  — { message: { content: [ {type:'text'|'thinking'|'tool_use', ...} ], usage? } }
 *  - `user`       — tool results (ignored — diffing the worktree captures effects)
 *  - `result`     — final: { usage: { input_tokens, output_tokens }, session_id? }
 *  - `stream_event` — { event: { type, index?, content_block?, delta?, usage? } }
 *      event.type:
 *        content_block_start  — { index, content_block: {type, id?, name?} }
 *        content_block_delta  — { index, delta: {type, text?|thinking?|partial_json?} }
 *        content_block_stop   — { index }
 *        message_delta        — { usage: { output_tokens } }
 *        message_start        — { message: { usage } }
 */
 import type { AgentEvent } from './agent-backend.js';
 import type { AcpToolSnapshot } from './acp-tool-snapshot.js';
 /** Convenience alias for the per-line return value. */
 export type AgentEventList = AgentEvent[];
 export interface StreamJsonUsage {
  inputTokens?: number;
  outputTokens?: number;
 }
 /** Per-open-content-block accumulation for tool args assembled across deltas. */
 interface OpenToolBlock {
  toolCallId: string;
  name: string;
  /** Concatenated `input_json_delta.partial_json` fragments. */
  partialJson: string;
 }
 export interface StreamJsonState {
  /** content-block index → open tool block (only `tool_use` blocks are tracked). */
  toolBlocks: Map<number, OpenToolBlock>;
  sessionId: string | null;
  usage: StreamJsonUsage;
 }
 export function makeStreamJsonState(): StreamJsonState {
  return { toolBlocks: new Map(), sessionId: null, usage: {} };
 }
 function asRecord(value: unknown): Record<string, unknown> | null {
  if (value && typeof value === 'object' && !Array.isArray(value)) {
    return value as Record<string, unknown>;
  }
  return null;
 }
 function asString(value: unknown): string | undefined {
  return typeof value === 'string' ? value : undefined;
 }
 function asNumber(value: unknown): number | undefined {
  return typeof value === 'number' && Number.isFinite(value) ? value : undefined;
 }
 /** Pull token counts out of an Anthropic-shape `usage` object, mutating state. */
 function captureUsage(usage: Record<string, unknown> | null, state: StreamJsonState): void {
  if (!usage) return;
  const input = asNumber(usage.input_tokens);
  const output = asNumber(usage.output_tokens);
  if (input !== undefined) state.usage.inputTokens = input;
  // output_tokens is reported incrementally on message_delta; keep the latest.
  if (output !== undefined) state.usage.outputTokens = output;
 }
 /** Parse the accumulated tool-arg JSON; tolerate an unparseable/partial body. */
 function parseToolInput(partialJson: string): unknown {
  const trimmed = partialJson.trim();
  if (!trimmed) return {};
  try {
    return JSON.parse(trimmed);
  } catch {
    return { _raw: partialJson };
  }
 }
 function toolSnapshot(block: OpenToolBlock, rawInput: unknown, status: AcpToolSnapshot['status']): AcpToolSnapshot {
  return {
    toolCallId: block.toolCallId,
    title: block.name,
    kind: null,
    status,
    rawInput,
  };
 }
 /**
 * Map one stream-event sub-object (the `event` field of a `stream_event` line) to
 * AgentEvents, mutating `state` for open tool blocks + usage.
 */
 function handleStreamEvent(event: Record<string, unknown>, state: StreamJsonState): AgentEvent[] {
  const eventType = asString(event.type);
  if (!eventType) return [];
  switch (eventType) {
    case 'content_block_start': {
      const index = asNumber(event.index);
      const block = asRecord(event.content_block);
      if (index === undefined || !block) return [];
      if (asString(block.type) !== 'tool_use') return [];
      const toolCallId = asString(block.id) ?? `tool_${index}`;
      const name = asString(block.name) ?? 'tool';
      const open: OpenToolBlock = { toolCallId, name, partialJson: '' };
      state.toolBlocks.set(index, open);
      // Surface the tool start immediately (running, no args yet) so the UI shows
      // the call before the args finish streaming.
      return [{ type: 'tool_call', toolCall: toolSnapshot(open, {}, 'in_progress') }];
    }
    case 'content_block_delta': {
      const index = asNumber(event.index);
      const delta = asRecord(event.delta);
      if (delta === null) return [];
      const deltaType = asString(delta.type);
      if (deltaType === 'text_delta') {
        const text = asString(delta.text);
        return text ? [{ type: 'text', text }] : [];
      }
      if (deltaType === 'thinking_delta') {
        const text = asString(delta.thinking);
        return text ? [{ type: 'reasoning', text }] : [];
      }
      if (deltaType === 'input_json_delta') {
        // Accumulate tool args; no event until the block stops.
        const fragment = asString(delta.partial_json);
        if (index !== undefined && fragment) {
          const open = state.toolBlocks.get(index);
          if (open) open.partialJson += fragment;
        }
        return [];
      }
      return [];
    }
    case 'content_block_stop': {
      const index = asNumber(event.index);
      if (index === undefined) return [];
      const open = state.toolBlocks.get(index);
      if (!open) return [];
      state.toolBlocks.delete(index);
      const rawInput = parseToolInput(open.partialJson);
      return [{ type: 'tool_update', toolCall: toolSnapshot(open, rawInput, 'completed') }];
    }
    case 'message_start': {
      const message = asRecord(event.message);
      captureUsage(asRecord(message?.usage), state);
      return [];
    }
    case 'message_delta': {
      captureUsage(asRecord(event.usage), state);
      return [];
    }
    default:
      return [];
  }
 }
 /**
 * Map the terminal `assistant` message (post-hoc full message) to AgentEvents. Used
 * as a fallback for transports that emit only the assembled `assistant` line and no
 * incremental `stream_event`s. When stream_events already streamed a block, the
 * caller dedups by toolCallId, so re-emitting the assembled tool_use is harmless.
 */
 function handleAssistantMessage(message: Record<string, unknown>, state: StreamJsonState): AgentEvent[] {
  captureUsage(asRecord(message.usage), state);
  const content = message.content;
  if (!Array.isArray(content)) return [];
  const out: AgentEvent[] = [];
  let toolIdx = 0;
  for (const rawBlock of content) {
    const block = asRecord(rawBlock);
    if (!block) continue;
    const blockType = asString(block.type);
    if (blockType === 'text') {
      const text = asString(block.text);
      if (text) out.push({ type: 'text', text });
    } else if (blockType === 'thinking') {
      const text = asString(block.thinking);
      if (text) out.push({ type: 'reasoning', text });
    } else if (blockType === 'tool_use') {
      const toolCallId = asString(block.id) ?? `tool_${toolIdx}`;
      const name = asString(block.name) ?? 'tool';
      const rawInput = 'input' in block ? block.input : {};
      out.push({
        type: 'tool_update',
        toolCall: { toolCallId, title: name, kind: null, status: 'completed', rawInput },
      });
    }
    toolIdx++;
  }
  return out;
 }
 /**
 * Pure per-line mapping. `line` is a single complete NDJSON line (no trailing
 * newline required; surrounding whitespace tolerated). Returns the AgentEvents the
 * line produces and mutates `state` (open tool blocks, usage, session_id). A blank,
 * non-JSON, or unrecognized line yields `[]` and never throws.
 */
 export function parseStreamJsonLine(line: string, state: StreamJsonState): AgentEvent[] {
  const trimmed = line.trim();
  if (!trimmed) return [];
  let obj: Record<string, unknown> | null;
  try {
    const parsed: unknown = JSON.parse(trimmed);
    obj = asRecord(parsed);
  } catch {
    return [];
  }
  if (!obj) return [];
  const type = asString(obj.type);
  switch (type) {
    case 'system': {
      const sid = asString(obj.session_id);
      if (sid) state.sessionId = sid;
      return [];
    }
    case 'stream_event': {
      const event = asRecord(obj.event);
      return event ? handleStreamEvent(event, state) : [];
    }
    case 'assistant': {
      const sid = asString(obj.session_id);
      if (sid) state.sessionId = sid;
      const message = asRecord(obj.message);
      return message ? handleAssistantMessage(message, state) : [];
    }
    case 'result': {
      const sid = asString(obj.session_id);
      if (sid) state.sessionId = sid;
      captureUsage(asRecord(obj.usage), state);
      return [];
    }
    default:
      // `user` (tool results) and any unknown line type — ignore.
      return [];
  }
 }
 export interface StreamJsonParser {
  /** Feed one complete NDJSON line; returns its AgentEvents (never throws). */
  push(line: string): AgentEvent[];
  /** Final usage (input/output tokens) accumulated so far. */
  usage(): StreamJsonUsage;
  /** Provider session id from the init `system` line / `result`, if seen. */
  sessionId(): string | null;
 }
 /**
 * Stateful wrapper around `parseStreamJsonLine`. Holds per-tool-block accumulation
 * + usage/session_id across the turn. Line-buffering (splitting stdout on `\n` and
 * holding the partial tail) is the caller's job — see `pty-dispatch.ts`.
 */
 export function makeStreamJsonParser(): StreamJsonParser {
  const state = makeStreamJsonState();
  return {
    push: (line: string) => parseStreamJsonLine(line, state),
    usage: () => ({ ...state.usage }),
    sessionId: () => state.sessionId,
  };
 }
--- a/apps/coder/src/services/worktrees.ts
+++ b/apps/coder/src/services/worktrees.ts
@@ -9,7 +9,7 @@
 import type { Sql } from '../db.js';
 import { hostExec } from './host-exec.js';
-const WORKTREE_BASE = '/tmp/booworktrees';
+export const WORKTREE_BASE = '/tmp/booworktrees';
 /**
 * Create a git worktree for a task on the host.
@@ -197,6 +197,187 @@ export async function ensureSessionWorktree(
  };
 }
 /**
 * v2.6 Phase 3 (3.3 / 3.4): physically remove a session's persistent worktree —
 * the git worktree dir + its branch — and archive its `worktrees` row. Used by the
 * chat/session-close hook (when the last chat in a session closes) and the orphan
 * reaper. Best-effort on the git side (a dir already gone is not an error); the DB
 * row is flipped to 'archived' (soft-delete, Paseo's worktree-archive pattern) so
 * history/attribution survives and a re-run is idempotent.
 *
 * SAFETY: callers MUST run `checkWorktreeWorkAtRisk` first and skip at-risk
 * worktrees — this function force-removes (`--force`), so it never silently drops
 * uncommitted/unmerged work unless the caller already cleared/accepted the risk.
 */
 export async function removeSessionWorktree(
  sql: Sql,
  projectPath: string,
  worktree: { id: string; path: string; branch?: string | null },
  opts?: { signal?: AbortSignal },
 ): Promise<void> {
  await hostExec(
    `git -C ${shellEscape(projectPath)} worktree remove ${shellEscape(worktree.path)} --force`,
    { signal: opts?.signal, timeoutMs: 15_000 },
  ).catch(() => {});
  const branch = worktree.branch ?? null;
  if (branch) {
    await hostExec(
      `git -C ${shellEscape(projectPath)} branch -D ${shellEscape(branch)}`,
      { signal: opts?.signal, timeoutMs: 10_000 },
    ).catch(() => {});
  }
  // Prune any stale worktree administrative entries left behind by a partial remove.
  await hostExec(
    `git -C ${shellEscape(projectPath)} worktree prune`,
    { signal: opts?.signal, timeoutMs: 10_000 },
  ).catch(() => {});
  await sql`UPDATE worktrees SET status = 'archived' WHERE id = ${worktree.id}`.catch(() => {});
 }
 /**
 * v2.6 Phase 3 (3.3): the chat-close cleanup. Mark every `agent_sessions` row for
 * the chat 'closed', then — only if this was the session's LAST open chat — remove
 * the shared session worktree (a worktree is one-per-session, shared across the
 * session's chat tabs, so closing one tab must not pull the rug from sibling tabs).
 *
 * Returns what it did so the route can report it. The actual backend (process /
 * server-session) teardown is the pool's job (`agentPool.closeChat` +
 * `backend.closeSession`); this owns the DB + git truth.
 *
 * `worktreeRemoved` is false when other open chats remain (worktree kept) OR when
 * the worktree held work at risk (preflight blocked it — never silently dropped).
 */
 export interface ChatCloseResult {
  agentRowsClosed: number;
  worktreeRemoved: boolean;
  worktreeAtRisk: boolean;
 }
 export async function closeChatBackendState(
  sql: Sql,
  chatId: string,
  opts?: { signal?: AbortSignal; force?: boolean },
 ): Promise<ChatCloseResult> {
  // Resolve the chat's session (and that session's project path) before we touch
  // anything — a deleted chat row leaves agent_sessions/worktrees pointing nowhere.
  const [chatRow] = await sql<{ session_id: string | null }[]>`
    SELECT session_id FROM chats WHERE id = ${chatId}
  `;
  // chat row may already be gone (delete fired first); fall back to agent_sessions'
  // session_id link, which SET NULLs only on session delete, not chat delete.
  let sessionId = chatRow?.session_id ?? null;
  if (!sessionId) {
    const [as] = await sql<{ session_id: string | null }[]>`
      SELECT session_id FROM agent_sessions WHERE chat_id = ${chatId} AND session_id IS NOT NULL LIMIT 1
    `;
    sessionId = as?.session_id ?? null;
  }
  // Mark this chat's (chat,agent) backend rows closed (idempotent).
  const closedRows = await sql<{ agent: string }[]>`
    UPDATE agent_sessions SET status = 'closed'
    WHERE chat_id = ${chatId} AND status <> 'closed'
    RETURNING agent
  `;
  let worktreeRemoved = false;
  let worktreeAtRisk = false;
  if (sessionId) {
    // Other open chats still sharing the session worktree? If so, keep it.
    const openRows = await sql<{ open_count: number }[]>`
      SELECT COUNT(*)::int AS open_count FROM chats
      WHERE session_id = ${sessionId} AND status = 'open' AND id <> ${chatId}
    `;
    const openCount = openRows[0]?.open_count ?? 0;
    if (openCount === 0) {
      const [wt] = await sql<{ id: string; path: string; branch: string | null }[]>`
        SELECT id, path, branch FROM worktrees
        WHERE session_id = ${sessionId} AND status = 'active' LIMIT 1
      `;
      if (wt) {
        const projRows = await sql<{ path: string | null }[]>`
          SELECT p.path FROM sessions s JOIN projects p ON p.id = s.project_id WHERE s.id = ${sessionId}
        `;
        const projectPath = projRows[0]?.path ?? null;
        // Preflight (close-hook semantics): a DELIBERATE chat/session close — the
        // server's session-delete already ran the full work-at-risk gate
        // (dirty/unpushed/unmerged) before calling us, and chat-close discards the
        // tab's staged review intentionally. So here we only block on UNCOMMITTED
        // working-tree changes (`dirty`) — work the user never even staged into the
        // review diff. The session branch's own commits (the diff-staging
        // mechanism) are NOT a block; treating them as "unmerged risk" would make
        // the worktree un-removable on every real session (the orphan reaper keeps
        // the full at-risk gate because it runs unattended). `force` skips this.
        if (!opts?.force) {
          const risk = await checkWorktreeWorkAtRisk(wt.path, opts);
          worktreeAtRisk = risk.dirty || risk.error != null;
        }
        if (projectPath && (opts?.force || !worktreeAtRisk)) {
          await removeSessionWorktree(sql, projectPath, wt, opts);
          worktreeRemoved = true;
        }
      }
    }
  }
  return { agentRowsClosed: closedRows.length, worktreeRemoved, worktreeAtRisk };
 }
 /**
 * v2.6 Phase 3 (3.5): re-baseline a session's worktree diff after a successful
 * `apply_pending`. The applied changes were written to the PROJECT ROOT; the
 * worktree branch still holds the same delta against the ORIGINAL `base_commit`,
 * so the next turn's `diffWorktree(base_commit...worktree-HEAD)` would re-surface
 * the already-applied changes as "pending" — a confusing double-count.
 *
 * Fix: advance the stored `base_commit` to the worktree's CURRENT HEAD (the
 * `diffWorktree` path commits the worktree's accumulated changes before diffing,
 * so HEAD already encodes the applied state). The next turn then diffs against
 * that, surfacing only edits made AFTER the apply. Idempotent: if the worktree has
 * no new commits, the base is unchanged.
 *
 * Diff-baseline-correctness note (design §7): we re-baseline to the worktree's own
 * HEAD, NOT to a moving project HEAD — so an out-of-band edit to the project root
 * after apply doesn't corrupt the baseline. The trade-off is that a manual project
 * edit isn't reflected as "already there"; acceptable, and matches the stored-base
 * (not moving-target) decision in §7.
 */
 export async function rebaselineWorktreeAfterApply(
  sql: Sql,
  sessionId: string,
  opts?: { signal?: AbortSignal },
 ): Promise<{ rebaselined: boolean; newBaseCommit: string | null }> {
  const [wt] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
    SELECT id, path, base_commit FROM worktrees
    WHERE session_id = ${sessionId} AND status = 'active' LIMIT 1
  `;
  if (!wt) return { rebaselined: false, newBaseCommit: null };
  // Make sure the worktree's accumulated edits are committed so HEAD encodes the
  // just-applied state (the diff path normally does this, but apply may run with no
  // prior diff this turn). Commit ONLY when something is staged — NO --allow-empty,
  // so a re-baseline with no new edits doesn't advance HEAD and stays idempotent.
  await hostExec(
    `cd ${shellEscape(wt.path)} && git add -A && ` +
      `git diff --cached --quiet || ` +
      `git -c user.email=boocoder@local -c user.name=BooCoder commit -q -m "rebaseline after apply"`,
    { signal: opts?.signal, timeoutMs: 15_000 },
  ).catch(() => {});
  const headRes = await hostExec(
    `git -C ${shellEscape(wt.path)} rev-parse HEAD`,
    { signal: opts?.signal, timeoutMs: 10_000 },
  ).catch(() => null);
  const newBase = headRes && headRes.exitCode === 0 ? headRes.stdout.trim() || null : null;
  if (!newBase || newBase === wt.base_commit) {
    return { rebaselined: false, newBaseCommit: wt.base_commit };
  }
  await sql`UPDATE worktrees SET base_commit = ${newBase} WHERE id = ${wt.id}`;
  return { rebaselined: true, newBaseCommit: newBase };
 }
 // ─── Session-delete work-loss guard ─────────────────────────────────────────
 /**
--- a/apps/server/package.json
+++ b/apps/server/package.json
@@ -87,7 +87,7 @@
    "@modelcontextprotocol/sdk": "^1.29.0",
    "ai": "^6.0.190",
    "fastify": "^4.28.1",
-    "parse5": "^8.0.1",
+    "node-html-markdown": "^1.3.0",
    "postgres": "^3.4.4",
    "ws": "^8.18.0",
    "zod": "^3.23.8"
@@ -99,5 +99,5 @@
    "typescript": "^5.5.0",
    "vitest": "^3.2.4"
  },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }
--- a/apps/server/src/routes/chats.ts
+++ b/apps/server/src/routes/chats.ts
@@ -4,6 +4,7 @@ import type { Sql } from '../db.js';
 import type { Broker } from '../services/broker.js';
 import type { Chat, Message } from '../types/api.js';
 import { getModelContext } from '../services/model-context.js';
 import { notifyCoderClose } from '../services/coder-notify.js';
 const CreateBody = z.object({
  name: z.string().min(1).max(200).optional(),
@@ -167,6 +168,9 @@ export function registerChatRoutes(
          chat_id: id,
          session_id: req.params.id,
        });
        // Fire-and-forget per archived chat: tear down its warm agent backends
        // on the coder. Best-effort — never blocks/fails the bulk archive.
        void notifyCoderClose('chat', id, req.log);
      }
      return { archived: ids.length, ids };
    }
@@ -208,6 +212,9 @@ export function registerChatRoutes(
        chat_id: row.id,
        session_id: row.session_id,
      });
      // Fire-and-forget: tear down this chat's warm agent backends + (last-chat)
      // worktree on the coder. Best-effort — never blocks/fails the archive.
      void notifyCoderClose('chat', row.id, req.log);
      reply.code(204);
      return null;
    }
@@ -248,6 +255,9 @@ export function registerChatRoutes(
        chat_id: row.id,
        session_id: row.session_id,
      });
      // Fire-and-forget: tear down this chat's warm agent backends + (last-chat)
      // worktree on the coder. Best-effort — never blocks/fails the delete.
      void notifyCoderClose('chat', row.id, req.log);
      reply.code(204);
      return null;
    }
--- a/apps/server/src/routes/sessions.ts
+++ b/apps/server/src/routes/sessions.ts
@@ -5,6 +5,7 @@ import type { Config } from '../config.js';
 import type { Broker } from '../services/broker.js';
 import type { Session, WorktreeRiskReport } from '../types/api.js';
 import { getSetting } from './settings.js';
 import { notifyCoderClose } from '../services/coder-notify.js';
 const CreateBody = z.object({
  name: z.string().min(1).max(200).optional(),
@@ -513,6 +514,10 @@ export function registerSessionRoutes(
      }
      const project_id = deleted[0]!.project_id;
      broker.publishUserFrame('default', { type: 'session_deleted', session_id: id, project_id });
      // Fire-and-forget: ask BooCoder to tear down this session's warm agent
      // backends + worktree immediately. Best-effort — never blocks/fails the
      // delete; the coder's idle-evict + orphan reaper backstop a missed call.
      void notifyCoderClose('session', id, req.log);
      reply.code(204);
      return null;
    }
--- a/apps/server/src/services/tests/agents.test.ts
+++ b/apps/server/src/services/tests/agents.test.ts
@@ -1,4 +1,4 @@
-import { describe, it, expect } from 'vitest';
+import { describe, it, expect, vi, afterEach } from 'vitest';
 import { isAgentRegistryMarkdown, parseAgentsMd } from '../agents.js';
 describe('isAgentRegistryMarkdown', () => {
@@ -31,3 +31,87 @@ Start here
    expect(r.errors.length).toBeGreaterThan(0);
  });
 });
 // v2.6 sampling-streamjson-tokens (#11): per-agent llama.cpp sampler extensions.
 describe('parseAgentsMd: v2.6 sampling knobs', () => {
  afterEach(() => {
    vi.restoreAllMocks();
  });
  const withFrontmatter = (lines: string) => `# Agents
 ## Sampler
 ---
 temperature: 0.6
 ${lines}
 tools: [view_file]
 description: test
 ---
 You sample.
 `;
  it('parses top_n_sigma and the dry_* family from frontmatter', () => {
    const md = withFrontmatter(
      [
        'top_n_sigma: 1.5',
        'dry_multiplier: 0.8',
        'dry_base: 1.75',
        'dry_allowed_length: 2',
        'dry_penalty_last_n: -1',
      ].join('\n'),
    );
    const { agents, errors } = parseAgentsMd(md);
    expect(errors).toHaveLength(0);
    expect(agents).toHaveLength(1);
    const a = agents[0]!;
    expect(a.top_n_sigma).toBe(1.5);
    expect(a.dry_multiplier).toBe(0.8);
    expect(a.dry_base).toBe(1.75);
    expect(a.dry_allowed_length).toBe(2);
    expect(a.dry_penalty_last_n).toBe(-1);
  });
  it('defaults the new sampler fields to null when omitted', () => {
    const { agents } = parseAgentsMd(withFrontmatter('top_p: 0.95'));
    const a = agents[0]!;
    expect(a.top_n_sigma).toBeNull();
    expect(a.dry_multiplier).toBeNull();
    expect(a.dry_base).toBeNull();
    expect(a.dry_allowed_length).toBeNull();
    expect(a.dry_penalty_last_n).toBeNull();
  });
  it('warns (does not error) on out-of-range top_n_sigma / dry_* values', () => {
    const warn = vi.spyOn(console, 'warn').mockImplementation(() => {});
    const md = withFrontmatter(
      [
        'top_n_sigma: -1',
        'dry_multiplier: -0.5',
        'dry_base: -2',
        'dry_allowed_length: -3',
        'dry_penalty_last_n: -5',
      ].join('\n'),
    );
    const { agents, errors } = parseAgentsMd(md);
    expect(errors).toHaveLength(0);
    expect(agents).toHaveLength(1);
    // Mirrors top_k/min_p: out-of-range still stored, with a warning.
    expect(warn).toHaveBeenCalled();
    const warnings = warn.mock.calls.map((c) => String(c[0])).join('\n');
    expect(warnings).toContain('top_n_sigma');
    expect(warnings).toContain('dry_multiplier');
    expect(warnings).toContain('dry_base');
    expect(warnings).toContain('dry_allowed_length');
    expect(warnings).toContain('dry_penalty_last_n');
  });
  it('errors on non-numeric / non-integer sampler values', () => {
    const md = withFrontmatter(
      ['top_n_sigma: high', 'dry_allowed_length: 2.5'].join('\n'),
    );
    const { errors } = parseAgentsMd(md);
    const joined = errors.map((e) => e.reason).join('\n');
    expect(joined).toContain('top_n_sigma must be a number');
    expect(joined).toContain('dry_allowed_length must be an integer');
  });
 });
--- a/apps/server/src/services/tests/coder-notify.test.ts
+++ b/apps/server/src/services/tests/coder-notify.test.ts
@@ -0,0 +1,67 @@
 // v2.6.10 Phase 3 (server wiring) — notifyCoderClose fire-and-forget helper.
 //
 // The guarantee under test: the helper NEVER throws (so it can't break the
 // user's delete/archive path), targets the correct coder URL shape, and folds
 // every failure mode (non-2xx, network error) into a `false` result.
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 import { notifyCoderClose } from '../coder-notify.js';
 const ORIGINAL_BOOCODER_URL = process.env.BOOCODER_URL;
 describe('notifyCoderClose', () => {
  beforeEach(() => {
    delete process.env.BOOCODER_URL;
  });
  afterEach(() => {
    if (ORIGINAL_BOOCODER_URL === undefined) delete process.env.BOOCODER_URL;
    else process.env.BOOCODER_URL = ORIGINAL_BOOCODER_URL;
  });
  it('POSTs the chat close hook at the default coder origin and resolves true on 2xx', async () => {
    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
    const ok = await notifyCoderClose('chat', 'chat-123', undefined, fetcher as unknown as typeof fetch);
    expect(ok).toBe(true);
    expect(fetcher).toHaveBeenCalledTimes(1);
    const [url, init] = fetcher.mock.calls[0]!;
    expect(url).toBe('http://boocoder:3000/api/chats/chat-123/close');
    expect(init).toEqual({ method: 'POST' });
  });
  it('POSTs the session close hook with the sessions segment', async () => {
    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
    const ok = await notifyCoderClose('session', 'sess-abc', undefined, fetcher as unknown as typeof fetch);
    expect(ok).toBe(true);
    expect(fetcher.mock.calls[0]![0]).toBe('http://boocoder:3000/api/sessions/sess-abc/close');
  });
  it('honors BOOCODER_URL for the origin', async () => {
    process.env.BOOCODER_URL = 'http://100.114.205.53:9502';
    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
    await notifyCoderClose('chat', 'c1', undefined, fetcher as unknown as typeof fetch);
    expect(fetcher.mock.calls[0]![0]).toBe('http://100.114.205.53:9502/api/chats/c1/close');
  });
  it('resolves false on a non-2xx response (does not throw)', async () => {
    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 500 }));
    const log = { debug: vi.fn() };
    const ok = await notifyCoderClose('chat', 'c1', log, fetcher as unknown as typeof fetch);
    expect(ok).toBe(false);
    expect(log.debug).toHaveBeenCalledTimes(1);
  });
  it('resolves false on a network error (coder unreachable) — never rejects', async () => {
    const fetcher = vi.fn().mockRejectedValue(new Error('ECONNREFUSED'));
    const log = { debug: vi.fn() };
    const ok = await notifyCoderClose('session', 's1', log, fetcher as unknown as typeof fetch);
    expect(ok).toBe(false);
    expect(log.debug).toHaveBeenCalledTimes(1);
  });
  it('does not require a logger', async () => {
    const fetcher = vi.fn().mockRejectedValue(new Error('boom'));
    await expect(
      notifyCoderClose('chat', 'c1', undefined, fetcher as unknown as typeof fetch),
    ).resolves.toBe(false);
  });
 });
--- a/apps/server/src/services/tests/compaction.test.ts
+++ b/apps/server/src/services/tests/compaction.test.ts
@@ -7,6 +7,8 @@ import {
  select,
  buildPrompt,
  buildHeadPayload,
  deriveFilesRead,
  buildFilesReadContext,
  type CompactionMessage,
 } from '../compaction.js';
 import { SUMMARY_TEMPLATE } from '../compaction-prompt.js';
@@ -321,3 +323,105 @@ describe('buildHeadPayload reasoning render', () => {
    expect(out[1]!.content).not.toContain('<reasoning>');
  });
 });
 // ---- buildHeadPayload sentinel stripping (#12) -------------------------------
 describe('buildHeadPayload strips all UI sentinels', () => {
  it('drops cap_hit, doom_loop, and mistake_recovery system rows', () => {
    const out = buildHeadPayload([
      mkMsg('user', 'do the thing'),
      mkMsg('system', 'budget reached', { metadata: { kind: 'cap_hit' } }),
      mkMsg('system', 'looping', { metadata: { kind: 'doom_loop' } }),
      mkMsg('system', 'repeated errors', { metadata: { kind: 'mistake_recovery' } }),
      mkMsg('assistant', 'answer'),
    ]);
    // Only the user + assistant rows survive; all three sentinels stripped.
    expect(out).toHaveLength(2);
    expect(out[0]!.role).toBe('user');
    expect(out[1]!.role).toBe('assistant');
  });
  it('keeps a non-sentinel system row (e.g. compact bridge) untouched', () => {
    const out = buildHeadPayload([
      mkMsg('system', 'legacy compact', { kind: 'compact', metadata: null }),
      mkMsg('user', 'q'),
    ]);
    expect(out[0]!.role).toBe('system');
    expect(out[0]!.content).toBe('legacy compact');
  });
 });
 // ---- file-provenance ledger (#12, Part B) -----------------------------------
 describe('deriveFilesRead', () => {
  it('returns [] when the head has no read-tool calls', () => {
    expect(deriveFilesRead([mkMsg('user', 'hi'), mkMsg('assistant', 'hello')])).toEqual([]);
  });
  it('extracts the path arg from view_file / list_dir / grep / find_files', () => {
    const head = [
      mkMsg('assistant', '', {
        tool_calls: [
          { id: 'c1', name: 'view_file', args: { path: 'src/index.ts' } },
          { id: 'c2', name: 'list_dir', args: { path: 'src' } },
          { id: 'c3', name: 'grep', args: { pattern: 'TODO', path: 'apps' } },
          { id: 'c4', name: 'find_files', args: { pattern: '**/*.ts', path: 'lib' } },
        ],
      }),
    ];
    expect(deriveFilesRead(head)).toEqual(['apps', 'lib', 'src', 'src/index.ts']);
  });
  it('dedupes and sorts paths across multiple assistant turns', () => {
    const head = [
      mkMsg('assistant', '', { tool_calls: [{ id: 'c1', name: 'view_file', args: { path: 'b.ts' } }] }),
      mkMsg('assistant', '', { tool_calls: [{ id: 'c2', name: 'view_file', args: { path: 'a.ts' } }] }),
      mkMsg('assistant', '', { tool_calls: [{ id: 'c3', name: 'view_file', args: { path: 'b.ts' } }] }),
    ];
    expect(deriveFilesRead(head)).toEqual(['a.ts', 'b.ts']);
  });
  it('ignores non-read tools and grep calls without a path arg', () => {
    const head = [
      mkMsg('assistant', '', {
        tool_calls: [
          { id: 'c1', name: 'web_search', args: { query: 'x' } },
          { id: 'c2', name: 'grep', args: { pattern: 'foo' } }, // no path → root, skipped
          { id: 'c3', name: 'view_file', args: { path: 'kept.ts' } },
        ],
      }),
    ];
    expect(deriveFilesRead(head)).toEqual(['kept.ts']);
  });
  it('ignores read-tool calls on non-assistant rows', () => {
    const head = [
      mkMsg('user', '', { tool_calls: [{ id: 'c1', name: 'view_file', args: { path: 'nope.ts' } }] }),
    ];
    expect(deriveFilesRead(head)).toEqual([]);
  });
 });
 describe('buildFilesReadContext', () => {
  it('returns null when nothing was read (no empty section injected)', () => {
    expect(buildFilesReadContext([mkMsg('user', 'hi')])).toBeNull();
  });
  it('formats a ## Files Read block with sorted bullet paths', () => {
    const head = [
      mkMsg('assistant', '', {
        tool_calls: [
          { id: 'c1', name: 'view_file', args: { path: 'z.ts' } },
          { id: 'c2', name: 'view_file', args: { path: 'a.ts' } },
        ],
      }),
    ];
    expect(buildFilesReadContext(head)).toBe('## Files Read\n- a.ts\n- z.ts');
  });
 });
 describe('SUMMARY_TEMPLATE includes the Files Read section (#12)', () => {
  it('declares a ## Files Read section the model must maintain', () => {
    expect(SUMMARY_TEMPLATE).toContain('## Files Read');
  });
 });
--- a/apps/server/src/services/tests/html-to-md.test.ts
+++ b/apps/server/src/services/tests/html-to-md.test.ts
@@ -70,10 +70,16 @@ describe('htmlToMarkdown', () => {
        </tbody>
      </table>`;
    const md = htmlToMarkdown(html);
-    expect(md).toContain('| Name | Age | City |');
+    // node-html-markdown pads columns to align them; assert structure rather
-    expect(md).toContain('| --- | --- | --- |');
+    // than exact spacing. Each cell value and a GFM separator row are present.
-    expect(md).toContain('| Alice | 30 | NYC |');
+    expect(md).toContain('| Name ');
-    expect(md).toContain('| Bob | 25 | LA |');
+    expect(md).toContain('| Age ');
    expect(md).toContain('| City |');
    expect(md).toMatch(/\| -+ \| -+ \| -+ \|/); // separator row
    expect(md).toContain('| Alice ');
    expect(md).toContain('| NYC  |');
    expect(md).toContain('| Bob   ');
    expect(md).toContain('| LA   |');
  });
  it('escapes pipe characters in table cells', () => {
@@ -162,14 +168,17 @@ describe('htmlToMarkdown', () => {
  it('converts br to newline', () => {
    const md = htmlToMarkdown('line one<br>line two');
-    expect(md).toContain('line one\nline two');
+    // node-html-markdown emits a GFM hard line break (trailing two spaces).
    expect(md).toContain('line one  \nline two');
  });
  it('handles ol with start attribute', () => {
    const html = '<ol start="5"><li>five</li><li>six</li></ol>';
    const md = htmlToMarkdown(html);
-    expect(md).toContain('5. five');
+    // node-html-markdown does not honor the `start` attribute; it always
-    expect(md).toContain('6. six');
+    // renumbers ordered lists from 1. (Old parse5 renderer honored start=.)
    expect(md).toContain('1. five');
    expect(md).toContain('2. six');
  });
  it('collapses excessive blank lines', () => {
@@ -212,9 +221,12 @@ describe('htmlToMarkdown', () => {
    expect(md).toContain('[a link](https://example.com)');
    expect(md).toContain('## Features');
    expect(md).toContain('* Fast');
-    expect(md).toContain('| Metric | Value |');
+    // Table columns are padded to align (node-html-markdown behavior).
-    expect(md).toContain('| --- | --- |');
+    expect(md).toContain('| Metric ');
-    expect(md).toContain('| Uptime | 99.9% |');
+    expect(md).toContain('| Value |');
    expect(md).toMatch(/\| -+ \| -+ \|/); // separator row
    expect(md).toContain('| Uptime ');
    expect(md).toContain('| 99.9% |');
    expect(md).toContain('> This tool is amazing.');
    expect(md).toContain('```js\nconsole.log("hello");\n```');
    expect(md).not.toContain('evil');
--- a/apps/server/src/services/tests/license-mit.test.ts
+++ b/apps/server/src/services/tests/license-mit.test.ts
@@ -0,0 +1,46 @@
 import { describe, expect, it } from 'vitest';
 import { readFileSync } from 'node:fs';
 import { fileURLToPath } from 'node:url';
 import { dirname, resolve } from 'node:path';
 // Guards the AGPL-3.0 -> MIT relicense (openspec license-debt-mit). If any of
 // these fail, AGPL-derived provenance has crept back in.
 const ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '../../../../..');
 describe('license: MIT relicense guard', () => {
  it('LICENSE is MIT (no Affero/AGPL text)', () => {
    const license = readFileSync(resolve(ROOT, 'LICENSE'), 'utf8');
    expect(license).toMatch(/^MIT License/);
    expect(license).not.toMatch(/AFFERO|AGPL/i);
  });
  const PACKAGE_JSONS = [
    'package.json',
    'apps/server/package.json',
    'apps/web/package.json',
    'apps/coder/package.json',
    'apps/booterm/package.json',
  ];
  for (const rel of PACKAGE_JSONS) {
    it(`${rel} declares "license": "MIT"`, () => {
      const pkg = JSON.parse(readFileSync(resolve(ROOT, rel), 'utf8')) as { license?: string };
      expect(pkg.license).toBe('MIT');
    });
  }
  // The three files that were ported from Unsloth Studio (AGPL-3.0-only) and
  // cleared in this batch — they must carry no AGPL/Unsloth provenance.
  const FORMERLY_AGPL = [
    'apps/server/src/services/inference/tool-call-parser.ts',
    'apps/server/src/services/web/html-to-md.ts',
    'apps/server/src/services/inference/llama-args-validator.ts',
  ];
  for (const rel of FORMERLY_AGPL) {
    it(`${rel} carries no AGPL / Unsloth provenance`, () => {
      const src = readFileSync(resolve(ROOT, rel), 'utf8');
      expect(src).not.toMatch(/AGPL/);
      expect(src).not.toMatch(/SPDX-License-Identifier:\s*AGPL/);
      expect(src).not.toMatch(/Unsloth/i);
    });
  }
 });
--- a/apps/server/src/services/tests/mistake-tracker.test.ts
+++ b/apps/server/src/services/tests/mistake-tracker.test.ts
@@ -0,0 +1,164 @@
 import { describe, it, expect } from 'vitest';
 import {
  MISTAKE_THRESHOLD,
  freshMistakeState,
  recordStep,
  detectMistakePattern,
  MISTAKE_RECOVERY_NOTE,
  type FailureKind,
 } from '../inference/mistake-tracker.js';
 // ---- helpers ----------------------------------------------------------------
 // Replays a sequence of outcomes against a fresh state, returning the final
 // state so assertions can read .run / .nudges. The caller mimics turn.ts: after
 // each recordStep we consult detectMistakePattern and, if it returns 'nudge',
 // bump nudges + reset run (the loop's nudge-handling side effect).
 function replay(
  outcomes: (FailureKind | 'success')[],
  { applyNudge = false }: { applyNudge?: boolean } = {},
 ) {
  const state = freshMistakeState();
  const decisions: (ReturnType<typeof detectMistakePattern>)[] = [];
  for (const o of outcomes) {
    recordStep(state, o);
    const decision = detectMistakePattern(state);
    decisions.push(decision);
    if (applyNudge && decision === 'nudge') {
      // Mirror turn.ts's nudge side effect: bump the counter, reset the streak.
      state.nudges += 1;
      state.run = [];
    }
  }
  return { state, decisions };
 }
 // ---- fresh state ------------------------------------------------------------
 describe('freshMistakeState', () => {
  it('starts with an empty run and zero nudges', () => {
    const s = freshMistakeState();
    expect(s.run).toEqual([]);
    expect(s.nudges).toBe(0);
  });
 });
 // ---- below threshold --------------------------------------------------------
 describe('detectMistakePattern — below threshold', () => {
  it('returns null on a fresh state', () => {
    expect(detectMistakePattern(freshMistakeState())).toBeNull();
  });
  it('returns null after fewer than MISTAKE_THRESHOLD failures', () => {
    const { decisions } = replay(['zod_reject', 'exec_error']);
    expect(decisions).toEqual([null, null]);
  });
 });
 // ---- success reset ----------------------------------------------------------
 describe('recordStep — success resets', () => {
  it("'success' clears both the run streak and the nudge counter", () => {
    const state = freshMistakeState();
    recordStep(state, 'zod_reject');
    recordStep(state, 'exec_error');
    state.nudges = 2; // simulate prior nudges
    recordStep(state, 'success');
    expect(state.run).toEqual([]);
    expect(state.nudges).toBe(0);
  });
  it('a success mid-streak prevents the threshold from tripping', () => {
    // fail, fail, success, fail, fail → streak never reaches 3.
    const { decisions } = replay([
      'zod_reject',
      'exec_error',
      'success',
      'tool_not_found',
      'permission_denied',
    ]);
    expect(decisions.every((d) => d === null)).toBe(true);
  });
 });
 // ---- 3-streak nudge ---------------------------------------------------------
 describe('detectMistakePattern — nudge on 3-streak', () => {
  it("returns 'nudge' the first time the streak reaches MISTAKE_THRESHOLD", () => {
    const { decisions } = replay(['zod_reject', 'exec_error', 'tool_not_found']);
    expect(decisions).toEqual([null, null, 'nudge']);
  });
  it("fires 'nudge' for a streak of identical kinds too (kind-agnostic)", () => {
    const { decisions } = replay(['exec_error', 'exec_error', 'exec_error']);
    expect(decisions[2]).toBe('nudge');
  });
 });
 // ---- re-trip escalate -------------------------------------------------------
 describe('detectMistakePattern — escalate on re-trip', () => {
  it("escalates when the streak re-trips after a nudge with no intervening success", () => {
    // 3 fails → nudge (run reset, nudges=1), then 3 more fails → escalate.
    const { decisions } = replay(
      [
        'zod_reject',
        'exec_error',
        'tool_not_found',
        'permission_denied',
        'exec_error',
        'zod_reject',
      ],
      { applyNudge: true },
    );
    expect(decisions[2]).toBe('nudge');
    expect(decisions[5]).toBe('escalate');
  });
  it("does NOT escalate if a success lands between the nudge and the next streak", () => {
    const { decisions } = replay(
      [
        'zod_reject',
        'exec_error',
        'tool_not_found', // nudge here
        'success', // clears nudges back to 0
        'exec_error',
        'zod_reject',
        'tool_not_found', // 3-streak again → nudge, NOT escalate
      ],
      { applyNudge: true },
    );
    expect(decisions[2]).toBe('nudge');
    expect(decisions[6]).toBe('nudge');
    expect(decisions).not.toContain('escalate');
  });
 });
 // ---- mixed kinds ------------------------------------------------------------
 describe('detectMistakePattern — mixed failure kinds', () => {
  it('counts a streak of all five distinct kinds toward the threshold', () => {
    const { state, decisions } = replay([
      'zod_reject',
      'tool_not_found',
      'exec_error',
    ]);
    expect(decisions[2]).toBe('nudge');
    expect(state.run).toEqual(['zod_reject', 'tool_not_found', 'exec_error']);
  });
 });
 // ---- contract ---------------------------------------------------------------
 describe('MISTAKE_THRESHOLD + MISTAKE_RECOVERY_NOTE', () => {
  it('threshold is a positive integer (tests assume 3)', () => {
    expect(MISTAKE_THRESHOLD).toBeGreaterThan(0);
    expect(Number.isInteger(MISTAKE_THRESHOLD)).toBe(true);
  });
  it('recovery note is a non-empty model-facing string', () => {
    expect(typeof MISTAKE_RECOVERY_NOTE).toBe('string');
    expect(MISTAKE_RECOVERY_NOTE.length).toBeGreaterThan(0);
  });
 });
--- a/apps/server/src/services/tests/tool-call-parser.test.ts
+++ b/apps/server/src/services/tests/tool-call-parser.test.ts
@@ -4,18 +4,11 @@ import {
  parseInvokeToolCall,
  partialXmlOpenerStart,
  extractToolCallBlocks,
  parseToolCallsFromText,
  stripToolMarkup,
  hasToolSignal,
  XML_TOOL_OPEN,
  XML_TOOL_CLOSE,
  INVOKE_TOOL_OPEN,
  INVOKE_TOOL_CLOSE,
  TOOL_XML_SIGNALS,
  BUDGET_EXHAUSTED_NUDGE,
  DUPLICATE_CALL_NUDGE,
  TOOL_ERROR_NUDGE,
  TOOL_ERROR_PREFIXES,
 } from '../inference/tool-call-parser.js';
 // ── Ported from xml-parser.test.ts ───────────────────────────────────────
@@ -301,38 +294,6 @@ describe('extractToolCallBlocks (v1.13.16 — unified extraction)', () => {
  });
 });
 // ── New tests: Unsloth-ported functions ──────────────────────────────────
 describe('hasToolSignal', () => {
  it('returns true for <tool_call>', () => {
    expect(hasToolSignal('prefix <tool_call> suffix')).toBe(true);
  });
  it('returns true for <function=', () => {
    expect(hasToolSignal('prefix <function=view_file> suffix')).toBe(true);
  });
  it('returns true for <invoke', () => {
    expect(hasToolSignal('prefix <invoke name="x"> suffix')).toBe(true);
  });
  it('returns false for near-miss <tool>', () => {
    expect(hasToolSignal('prefix <tool> suffix')).toBe(false);
  });
  it('returns false for near-miss <function>', () => {
    expect(hasToolSignal('prefix <function> suffix')).toBe(false);
  });
  it('returns false for near-miss <tool_call_thing>', () => {
    expect(hasToolSignal('<tool_call_thing>')).toBe(false);
  });
  it('returns false for plain text', () => {
    expect(hasToolSignal('just some text')).toBe(false);
  });
 });
 describe('stripToolMarkup', () => {
  it('strips closed <tool_call> blocks', () => {
    const input = 'before <tool_call>{"name":"x"}</tool_call> after';
@@ -380,166 +341,11 @@ describe('stripToolMarkup', () => {
  });
 });
-describe('parseToolCallsFromText', () => {
+describe('delimiter constants', () => {
-  describe('pattern 1: <tool_call>{json}</tool_call>', () => {
+  it('exports the expected delimiters', () => {
-    it('parses a well-formed JSON tool call', () => {
+    expect(INVOKE_TOOL_OPEN).toBe('<invoke');
-      const input = '<tool_call>{"name":"web_search","arguments":{"query":"hello"}}</tool_call>';
+    expect(INVOKE_TOOL_CLOSE).toBe('</invoke>');
-      const calls = parseToolCallsFromText(input);
+    expect(XML_TOOL_OPEN).toBe('<tool_call>');
-      expect(calls).toHaveLength(1);
+    expect(XML_TOOL_CLOSE).toBe('</tool_call>');
      expect(calls[0]!.id).toBe('call_0');
      expect(calls[0]!.type).toBe('function');
      expect(calls[0]!.function.name).toBe('web_search');
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ query: 'hello' });
    });
    it('handles string arguments field', () => {
      const input = '<tool_call>{"name":"x","arguments":"already a string"}</tool_call>';
      const calls = parseToolCallsFromText(input);
      expect(calls[0]!.function.arguments).toBe('already a string');
    });
    it('handles balanced braces inside JSON strings', () => {
      const input = '<tool_call>{"name":"x","arguments":{"q":"} { extra "}}</tool_call>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      const parsed = JSON.parse(calls[0]!.function.arguments);
      expect(parsed.q).toBe('} { extra ');
    });
    it('respects idOffset', () => {
      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call>';
      const calls = parseToolCallsFromText(input, { idOffset: 5 });
      expect(calls[0]!.id).toBe('call_5');
    });
    it('parses multiple JSON tool calls', () => {
      const input =
        '<tool_call>{"name":"a","arguments":{}}</tool_call>' +
        '<tool_call>{"name":"b","arguments":{}}</tool_call>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(2);
      expect(calls[0]!.id).toBe('call_0');
      expect(calls[1]!.id).toBe('call_1');
    });
    it('skips malformed JSON', () => {
      const input = '<tool_call>{not json}</tool_call>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(0);
    });
    it('handles missing closing tag', () => {
      const input = '<tool_call>{"name":"x","arguments":{"q":"hello"}}';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('x');
    });
  });
  describe('pattern 2: <function=name><parameter=key>value', () => {
    it('parses a single-parameter function call', () => {
      const input = '<function=view_file><parameter=path>/tmp/foo</parameter></function>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('view_file');
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
    });
    it('single-param fast path preserves embedded </parameter>', () => {
      const input = '<function=run_bash><parameter=command>echo "</parameter>"</parameter></function>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(JSON.parse(calls[0]!.function.arguments).command).toBe('echo "</parameter>"');
    });
    it('multi-param: value of first stops at start of second', () => {
      const input = '<function=grep><parameter=pattern>foo</parameter><parameter=path>src/</parameter></function>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      const args = JSON.parse(calls[0]!.function.arguments);
      expect(args.pattern).toBe('foo');
      expect(args.path).toBe('src/');
    });
    it('tolerates missing closing tags', () => {
      const input = '<function=view_file><parameter=path>/tmp/foo';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('view_file');
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
    });
    it('does not fire when pattern 1 found results', () => {
      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call><function=b><parameter=x>y</parameter></function>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('a');
    });
  });
  describe('pattern 3: <invoke name="..."><parameter name="...">value (Anthropic)', () => {
    it('parses a single-parameter invoke call', () => {
      const input = '<invoke name="view_file"><parameter name="path">/tmp/foo</parameter></invoke>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('view_file');
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
    });
    it('parses multi-parameter invoke call', () => {
      const input = '<invoke name="grep"><parameter name="pattern">foo</parameter><parameter name="path">src/</parameter></invoke>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      const args = JSON.parse(calls[0]!.function.arguments);
      expect(args.pattern).toBe('foo');
      expect(args.path).toBe('src/');
    });
    it('does not fire when pattern 1 found results', () => {
      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call><invoke name="b"><parameter name="x">y</parameter></invoke>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('a');
    });
    it('does not fire when pattern 2 found results', () => {
      const input = '<function=a><parameter=x>y</parameter></function><invoke name="b"><parameter name="x">y</parameter></invoke>';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('a');
    });
    it('tolerates missing closing tags', () => {
      const input = '<invoke name="view_file"><parameter name="path">/tmp/foo';
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
    });
    it('supports single-quoted attributes', () => {
      const input = "<invoke name='view_file'><parameter name='path'>/tmp/foo</parameter></invoke>";
      const calls = parseToolCallsFromText(input);
      expect(calls).toHaveLength(1);
      expect(calls[0]!.function.name).toBe('view_file');
    });
  });
 });
 describe('constants', () => {
  it('TOOL_XML_SIGNALS includes all three signal prefixes', () => {
    expect(TOOL_XML_SIGNALS).toContain('<tool_call>');
    expect(TOOL_XML_SIGNALS).toContain('<function=');
    expect(TOOL_XML_SIGNALS).toContain('<invoke');
  });
  it('nudge constants are non-empty strings', () => {
    expect(BUDGET_EXHAUSTED_NUDGE.length).toBeGreaterThan(0);
    expect(DUPLICATE_CALL_NUDGE.length).toBeGreaterThan(0);
    expect(TOOL_ERROR_NUDGE.length).toBeGreaterThan(0);
  });
  it('TOOL_ERROR_PREFIXES is a non-empty tuple', () => {
    expect(TOOL_ERROR_PREFIXES.length).toBeGreaterThan(0);
    expect(TOOL_ERROR_PREFIXES).toContain('Error');
  });
 });
--- a/apps/server/src/services/agents.ts
+++ b/apps/server/src/services/agents.ts
@@ -88,6 +88,12 @@ interface ParsedFrontmatter {
  top_k?: number;
  min_p?: number;
  presence_penalty?: number;
  // v2.6 sampling-streamjson-tokens (#11): llama.cpp sampler extensions.
  top_n_sigma?: number;
  dry_multiplier?: number;
  dry_base?: number;
  dry_allowed_length?: number;
  dry_penalty_last_n?: number;
  tools?: string[];
  description?: string;
  model?: string;
@@ -178,6 +184,63 @@ function parseFrontmatter(yaml: string): { data: ParsedFrontmatter; errors: stri
      } else {
        errors.push(`presence_penalty must be a number (got "${valueRaw}")`);
      }
    } else if (key === 'top_n_sigma') {
      // v2.6 #11: llama.cpp top-n-sigma sampler. Float ≥ 0 (typical 0-3).
      // Mirrors top_p/min_p: store then warn on out-of-range (non-numeric
      // hard-fails the block).
      const n = Number(valueRaw);
      if (Number.isFinite(n)) {
        data.top_n_sigma = n;
        if (n < 0) {
          console.warn(`agents: top_n_sigma ${n} out of range (≥0), ignoring (falling back to default)`);
        }
      } else {
        errors.push(`top_n_sigma must be a number (got "${valueRaw}")`);
      }
    } else if (key === 'dry_multiplier') {
      // v2.6 #11: DRY repetition-penalty multiplier. Float ≥ 0 (0 disables DRY).
      const n = Number(valueRaw);
      if (Number.isFinite(n)) {
        data.dry_multiplier = n;
        if (n < 0) {
          console.warn(`agents: dry_multiplier ${n} out of range (≥0), ignoring (falling back to default)`);
        }
      } else {
        errors.push(`dry_multiplier must be a number (got "${valueRaw}")`);
      }
    } else if (key === 'dry_base') {
      // v2.6 #11: DRY penalty growth base. Float ≥ 0.
      const n = Number(valueRaw);
      if (Number.isFinite(n)) {
        data.dry_base = n;
        if (n < 0) {
          console.warn(`agents: dry_base ${n} out of range (≥0), ignoring (falling back to default)`);
        }
      } else {
        errors.push(`dry_base must be a number (got "${valueRaw}")`);
      }
    } else if (key === 'dry_allowed_length') {
      // v2.6 #11: DRY max sequence length not penalized. Integer ≥ 0.
      const n = Number(valueRaw);
      if (Number.isInteger(n)) {
        data.dry_allowed_length = n;
        if (n < 0) {
          console.warn(`agents: dry_allowed_length ${n} out of range (≥0), ignoring (falling back to default)`);
        }
      } else {
        errors.push(`dry_allowed_length must be an integer (got "${valueRaw}")`);
      }
    } else if (key === 'dry_penalty_last_n') {
      // v2.6 #11: DRY lookback window. Integer ≥ -1 (-1 = whole context, 0 = off).
      const n = Number(valueRaw);
      if (Number.isInteger(n)) {
        data.dry_penalty_last_n = n;
        if (n < -1) {
          console.warn(`agents: dry_penalty_last_n ${n} out of range (≥-1), ignoring (falling back to default)`);
        }
      } else {
        errors.push(`dry_penalty_last_n must be an integer (got "${valueRaw}")`);
      }
    } else if (key === 'tools') {
      if (valueRaw === '') {
        data.tools = [];
@@ -354,6 +417,11 @@ function parseAgentSection(section: RawSection): Omit<Agent, 'source'> {
    top_k: typeof fm.top_k === 'number' ? fm.top_k : null,
    min_p: typeof fm.min_p === 'number' ? fm.min_p : null,
    presence_penalty: typeof fm.presence_penalty === 'number' ? fm.presence_penalty : null,
    top_n_sigma: typeof fm.top_n_sigma === 'number' ? fm.top_n_sigma : null,
    dry_multiplier: typeof fm.dry_multiplier === 'number' ? fm.dry_multiplier : null,
    dry_base: typeof fm.dry_base === 'number' ? fm.dry_base : null,
    dry_allowed_length: typeof fm.dry_allowed_length === 'number' ? fm.dry_allowed_length : null,
    dry_penalty_last_n: typeof fm.dry_penalty_last_n === 'number' ? fm.dry_penalty_last_n : null,
    tools: filteredTools,
    model: typeof fm.model === 'string' && fm.model.length > 0 ? fm.model : null,
    max_tool_calls: typeof fm.max_tool_calls === 'number' ? fm.max_tool_calls : null,
--- a/apps/server/src/services/coder-notify.ts
+++ b/apps/server/src/services/coder-notify.ts
@@ -0,0 +1,64 @@
 // v2.6.10 Phase 3 (server wiring) — fire-and-forget BooCoder close hooks.
 //
 // BooCoder (apps/coder, host systemd) added close hooks in
 // apps/coder/src/routes/lifecycle.ts:
 //   POST /api/chats/:chatId/close      — evict the chat's warm (chat,agent)
 //                                        backends, close its opencode session,
 //                                        mark agent_sessions closed, and remove
 //                                        the shared worktree on the last chat.
 //   POST /api/sessions/:sessionId/close — loop the chat-close path for every
 //                                        chat in the session.
 //
 // apps/server (Docker) can't see the host worktree dirs or reach the warm agent
 // processes, so — exactly like the existing `worktree-risk` guard in
 // routes/sessions.ts — it signals the coder over HTTP and the coder does the
 // real teardown. This call is BEST-EFFORT: the coder's idle-pool eviction and
 // the orphan-worktree reaper backstop a missed/failed call. It MUST NEVER block
 // or fail the user's delete/archive — hence fire-and-forget with a swallowed
 // catch. We do not await the returned promise at the call sites.
 import type { FastifyBaseLogger } from 'fastify';
 export type CoderCloseKind = 'chat' | 'session';
 function coderOrigin(): string {
  // Same env + default as routes/sessions.ts' worktree-risk fetch.
  return process.env.BOOCODER_URL ?? 'http://boocoder:3000';
 }
 /**
 * Fire-and-forget POST to the BooCoder close hook for a chat or session.
 *
 * Resolves to `true` if the coder acknowledged (HTTP 2xx), `false` otherwise
 * (non-2xx or network error). Callers SHOULD NOT await this — invoke it and
 * move on. The returned promise never rejects: every failure path is caught,
 * logged at debug, and folded into a `false` result so an unreachable or
 * erroring coder can't surface to the user's delete/archive request.
 */
 export async function notifyCoderClose(
  kind: CoderCloseKind,
  id: string,
  log?: Pick<FastifyBaseLogger, 'debug'>,
  fetcher: typeof fetch = fetch,
 ): Promise<boolean> {
  const segment = kind === 'chat' ? 'chats' : 'sessions';
  const url = `${coderOrigin()}/api/${segment}/${id}/close`;
  try {
    const res = await fetcher(url, { method: 'POST' });
    if (!res.ok) {
      log?.debug(
        { kind, id, status: res.status },
        'coder close hook returned non-2xx (best-effort; reaper backstops)',
      );
      return false;
    }
    log?.debug({ kind, id }, 'coder close hook acknowledged');
    return true;
  } catch (err) {
    log?.debug(
      { kind, id, err: err instanceof Error ? err.message : String(err) },
      'coder close hook unreachable (best-effort; reaper backstops)',
    );
    return false;
  }
 }
--- a/apps/server/src/services/compaction-prompt.ts
+++ b/apps/server/src/services/compaction-prompt.ts
@@ -31,10 +31,16 @@ export const SUMMARY_TEMPLATE = `Output exactly the Markdown structure shown ins
 ## Relevant Files
 - [file or directory path: why it matters, or "(none)"]
 ## Files Read
 - [file or directory path that has been read/searched this session, or "(none)"]
 </template>
 Rules:
 - Keep every section, even when empty.
 - Use terse bullets, not prose paragraphs.
 - Preserve exact file paths, commands, error strings, and identifiers when known.
 - For ## Files Read: this is a cumulative provenance ledger. MERGE the paths
  listed in any "## Files Read" block provided below with those already in the
  previous summary — never drop a previously-recorded path. Sort and dedupe.
 - Do not mention the summary process or that context was compacted.`;
--- a/apps/server/src/services/compaction.ts
+++ b/apps/server/src/services/compaction.ts
@@ -181,6 +181,54 @@ export function select(
  };
 }
 // === file-provenance ledger (#12, Part B) ===
 // Read tools whose path/target arg names a file or directory that was read.
 // BooChat (apps/server) is read-only — there are no write tools, so the ledger
 // only ever has a "Files Read" side (apps/coder can add "Modified" later).
 const READ_TOOL_ARG: Record<string, string> = {
  view_file: 'path',
  list_dir: 'path',
  grep: 'path',
  find_files: 'path',
 };
 // Derive a deterministic, deduped, sorted list of file/dir paths read by the
 // HEAD messages being summarized. Pure — scans assistant tool_calls only; the
 // boundary (which messages are "head") is decided by select() at the call site.
 // We derive at compaction time rather than via a live accumulator because
 // TurnArgs resets per turn and would miss reads on non-compacting turns; the
 // head messages are the authoritative record of what was read in the window
 // being summarized. The result propagates forward as summary text across
 // compactions (the LLM merges it into ## Files Read), so a path read long ago
 // survives even after its originating messages are compacted out.
 export function deriveFilesRead(head: CompactionMessage[]): string[] {
  const paths = new Set<string>();
  for (const m of head) {
    if (m.role !== 'assistant') continue;
    if (!m.tool_calls) continue;
    for (const tc of m.tool_calls) {
      const argName = READ_TOOL_ARG[tc.name];
      if (!argName) continue;
      const raw = (tc.args as Record<string, unknown> | null)?.[argName];
      if (typeof raw === 'string' && raw.trim().length > 0) {
        paths.add(raw.trim());
      }
    }
  }
  return [...paths].sort();
 }
 // Format the derived paths as a deterministic ## Files Read block for injection
 // into buildPrompt's context array. Returns null when nothing was read (so we
 // don't inject an empty section). The summarizer merges this into the rolling
 // summary's ## Files Read section per the SUMMARY_TEMPLATE instructions.
 export function buildFilesReadContext(head: CompactionMessage[]): string | null {
  const paths = deriveFilesRead(head);
  if (paths.length === 0) return null;
  return ['## Files Read', ...paths.map((p) => `- ${p}`)].join('\n');
 }
 // === prompt assembly ===
 // Build the final user message that asks the model to (re)produce the
@@ -220,15 +268,26 @@ export interface OpenAiMessage {
  tool_call_id?: string;
 }
-function isCapHitSentinel(m: CompactionMessage): boolean {
+// #12: mirror inference/sentinels.ts:isAnySentinel over the CompactionMessage
-  return m.role === 'system' && m.metadata != null && m.metadata.kind === 'cap_hit';
+// shape (which carries metadata as { kind?: string } | null, not the full
 // Message type isAnySentinel expects). All UI-only sentinels are stripped from
 // the head payload — they never go to the summarizer LLM. Keep the kind list in
 // sync with isAnySentinel in sentinels.ts.
 const SENTINEL_KINDS = new Set(['cap_hit', 'doom_loop', 'mistake_recovery']);
 function isAnySentinel(m: CompactionMessage): boolean {
  return (
    m.role === 'system' &&
    m.metadata != null &&
    typeof m.metadata.kind === 'string' &&
    SENTINEL_KINDS.has(m.metadata.kind)
  );
 }
 // v1.13.6: exported for unit-test access (reasoning render coverage).
 export function buildHeadPayload(head: CompactionMessage[]): OpenAiMessage[] {
  const out: OpenAiMessage[] = [];
  for (const m of head) {
-    if (isCapHitSentinel(m)) continue;
+    if (isAnySentinel(m)) continue;
    if (m.role === 'assistant' && (m.status === 'streaming' || m.status === 'cancelled')) continue;
    if (m.kind === 'compact') {
      // Legacy compact row — pass through as system context. The new
@@ -417,7 +476,14 @@ export async function process(input: ProcessInput): Promise<void> {
  // user message carrying buildPrompt(previousSummary, []). No system prompt
  // — matches opencode (`system: []`); the template + anchor are sufficient.
  const headPayload = buildHeadPayload(sel.head);
-  const finalUser: OpenAiMessage = { role: 'user', content: buildPrompt(previousSummary, []) };
+  // #12 Part B: derive the file-provenance ledger from the head's read-tool
  // calls and inject it as a deterministic ## Files Read context block so the
  // summarizer merges it into the rolling summary. Empty → no injection.
  const filesReadCtx = buildFilesReadContext(sel.head);
  const finalUser: OpenAiMessage = {
    role: 'user',
    content: buildPrompt(previousSummary, filesReadCtx ? [filesReadCtx] : []),
  };
  const payload = [...headPayload, finalUser];
  log.info(
--- a/apps/server/src/services/inference/index.ts
+++ b/apps/server/src/services/inference/index.ts
@@ -19,6 +19,14 @@ export type {
 } from './turn.js';
 export type { ToolPhaseResult } from './tool-phase.js';
 export { detectDoomLoop, DOOM_LOOP_THRESHOLD } from './sentinels.js';
 export {
  detectMistakePattern,
  freshMistakeState,
  recordStep,
  MISTAKE_THRESHOLD,
  MISTAKE_RECOVERY_NOTE,
 } from './mistake-tracker.js';
 export type { FailureKind, MistakeState } from './mistake-tracker.js';
 export { buildMessagesPayload } from './payload.js';
 export { generateToolUseSummary } from './tool-summaries.js';
 export type { ToolInfo } from './tool-summaries.js';
--- a/apps/server/src/services/inference/llama-args-validator.ts
+++ b/apps/server/src/services/inference/llama-args-validator.ts
@@ -1,80 +1,139 @@
-// SPDX-License-Identifier: AGPL-3.0-only
+// Guards against agent-supplied llama-server CLI flags that would clash with
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
+// values BooCode sets itself. Two concerns live here:
-// Ported from studio/backend/core/inference/llama_server_args.py.
+//
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/llama_server_args.py
+//   1. A hard denylist of flags that BooCode owns outright (model selection,
 //      the listening socket, credentials, the bundled web UI). Passing any of
 //      these is a configuration error and is rejected loudly.
 //
 //   2. A "shadowing" set of flags that are legal to pass but, because of
 //      llama.cpp's last-wins argument parsing, would override a first-class
 //      BooCode setting. These are silently removed from the auto-generated
 //      argv so the agent's explicit choice takes precedence without leaving a
 //      duplicate flag behind.
 //
 // All flag spellings below are the public llama-server option names (short and
 // long aliases) documented in its --help output.
-// Each group is the full set of aliases (short + long) for one hard-denied
+// --- Hard denylist -------------------------------------------------------
-// flag, taken from the llama-server README. Flags NOT in this list pass
+
-// through and override auto-set values via llama.cpp's last-wins CLI parsing.
+// Authored as named buckets purely for readability; every alias is folded
-const DENYLIST_GROUPS: ReadonlyArray<ReadonlySet<string>> = [
+// into one flat lookup set at module load. Each inner array enumerates the
-  // Model identity
+// short + long spellings that select the same underlying option.
-  new Set(['-m', '--model']),
+const MODEL_SOURCE_FLAGS = [
-  new Set(['-mu', '--model-url']),
+  ['-m', '--model'],
-  new Set(['-dr', '--docker-repo']),
+  ['-mu', '--model-url'],
-  new Set(['-hf', '-hfr', '--hf-repo']),
+  ['-dr', '--docker-repo'],
-  new Set(['-hff', '--hf-file']),
+  ['-hf', '-hfr', '--hf-repo'],
-  new Set(['-hfv', '-hfrv', '--hf-repo-v']),
+  ['-hff', '--hf-file'],
-  new Set(['-hffv', '--hf-file-v']),
+  ['-hfv', '-hfrv', '--hf-repo-v'],
-  new Set(['-hft', '--hf-token']),
+  ['-hffv', '--hf-file-v'],
-  new Set(['-mm', '--mmproj']),
+  ['-hft', '--hf-token'],
-  new Set(['-mmu', '--mmproj-url']),
+  ['-mm', '--mmproj'],
-  // Networking
+  ['-mmu', '--mmproj-url'],
  new Set(['--host']),
  new Set(['--port']),
  new Set(['--path']),
  new Set(['--api-prefix']),
  new Set(['--reuse-port']),
  // Auth / TLS
  new Set(['--api-key']),
  new Set(['--api-key-file']),
  new Set(['--ssl-key-file']),
  new Set(['--ssl-cert-file']),
  // Single-model server / UI
  new Set(['--webui', '--no-webui']),
  new Set(['--ui', '--no-ui']),
  new Set(['--ui-config']),
  new Set(['--ui-config-file']),
  new Set(['--ui-mcp-proxy', '--no-ui-mcp-proxy']),
  new Set(['--models-dir']),
  new Set(['--models-preset']),
  new Set(['--models-max']),
  new Set(['--models-autoload', '--no-models-autoload']),
 ];
-const DENYLIST: ReadonlySet<string> = new Set(
+const LISTEN_FLAGS = [
-  DENYLIST_GROUPS.flatMap((g) => [...g]),
+  ['--host'],
  ['--port'],
  ['--path'],
  ['--api-prefix'],
  ['--reuse-port'],
 ];
 const CREDENTIAL_FLAGS = [
  ['--api-key'],
  ['--api-key-file'],
  ['--ssl-key-file'],
  ['--ssl-cert-file'],
 ];
 const WEBUI_FLAGS = [
  ['--webui', '--no-webui'],
  ['--ui', '--no-ui'],
  ['--ui-config'],
  ['--ui-config-file'],
  ['--ui-mcp-proxy', '--no-ui-mcp-proxy'],
  ['--models-dir'],
  ['--models-preset'],
  ['--models-max'],
  ['--models-autoload', '--no-models-autoload'],
 ];
 const MANAGED_FLAGS: ReadonlySet<string> = new Set(
  [
    ...MODEL_SOURCE_FLAGS,
    ...LISTEN_FLAGS,
    ...CREDENTIAL_FLAGS,
    ...WEBUI_FLAGS,
  ].flat(),
 );
-function flagName(token: string): string | null {
+// --- Token parsing -------------------------------------------------------
-  if (!token.startsWith('-') || token === '-' || token === '--') return null;
+
-  if (token.length >= 2 && (token[1]!.match(/\d/) || token[1] === '.')) return null;
+const DIGIT = /^[0-9]$/;
-  return token.split('=', 1)[0]!;
+
 /**
 * Extract the flag name from a single argv token, or `null` when the token is
 * not a flag.
 *
 * A token is treated as a flag only when it begins with `-` and the character
 * after the leading dash is neither a digit nor a decimal point — that rule
 * keeps negative numeric values such as `-1` or `-0.5` from being mistaken for
 * options. A bare `-` or `--` is not a flag either. The returned name is the
 * portion before any `=`, so `--ctx-size=4096` yields `--ctx-size`.
 */
 function parseFlag(token: string): string | null {
  if (!token.startsWith('-')) return null;
  if (token === '-' || token === '--') return null;
  const second = token[1]!;
  if (DIGIT.test(second) || second === '.') return null;
  const eq = token.indexOf('=');
  return eq === -1 ? token : token.slice(0, eq);
 }
 // --- Public API ----------------------------------------------------------
 /**
 * Validate a sequence of extra llama-server args, rejecting any that name a
 * BooCode-managed flag. Returns the args materialised as a string[] when they
 * all pass.
 */
 export function validateExtraArgs(args?: Iterable<string>): string[] {
-  if (!args) return [];
+  const result: string[] = [];
-  const out: string[] = [];
+  if (!args) return result;
-  for (const raw of args) {
+
-    const token = String(raw);
+  for (const entry of args) {
-    const flag = flagName(token);
+    const token = String(entry);
-    if (flag !== null && DENYLIST.has(flag)) {
+    const flag = parseFlag(token);
    if (flag !== null && MANAGED_FLAGS.has(flag)) {
      throw new Error(
        `llama-server flag '${flag}' is managed and cannot be passed as an extra arg`,
      );
    }
-    out.push(token);
+    result.push(token);
  }
-  return out;
+
  return result;
 }
 /** True when `flag` is a BooCode-managed flag that callers may not override. */
 export function isManagedFlag(flag: string): boolean {
-  return DENYLIST.has(flag);
+  return MANAGED_FLAGS.has(flag);
 }
-// Shadowing flag groups: pass-through flags that shadow first-class settings.
+// --- Shadowing flags -----------------------------------------------------
-const CONTEXT_FLAGS = new Set(['-c', '--ctx-size']);
+
-const CACHE_FLAGS = new Set(['-ctk', '--cache-type-k', '-ctv', '--cache-type-v']);
+// Flags below are legal for an agent to pass, but each shadows a setting
-const SPEC_FLAGS = new Set([
+// BooCode applies itself. They are categorised so a caller can opt out of
 // stripping any one category.
 const SHADOW_CONTEXT = ['-c', '--ctx-size'];
 const SHADOW_CACHE = ['-ctk', '--cache-type-k', '-ctv', '--cache-type-v'];
 const SHADOW_SPEC = [
  '--spec-default',
  '--spec-type',
  '--spec-ngram-size-n',
@@ -88,17 +147,22 @@ const SPEC_FLAGS = new Set([
  '--spec-ngram-mod-n-match',
  '--spec-ngram-mod-n-min',
  '--spec-ngram-mod-n-max',
-]);
+];
-const TEMPLATE_FLAGS = new Set([
+
 const SHADOW_TEMPLATE = [
  '--chat-template',
  '--chat-template-file',
  '--chat-template-kwargs',
  '--jinja',
  '--no-jinja',
-]);
+];
-const BOOLEAN_SHADOWING_FLAGS = new Set([
+// Shadowing flags that take no value — a boolean switch — so the stripper must
-  '--spec-default', '--jinja', '--no-jinja',
+// not also drop the following token.
 const VALUELESS_SHADOW_FLAGS: ReadonlySet<string> = new Set([
  '--spec-default',
  '--jinja',
  '--no-jinja',
 ]);
 export interface StripOptions {
@@ -108,35 +172,49 @@ export interface StripOptions {
  stripTemplate?: boolean;
 }
 /**
 * Remove shadowing flags (and their values) from an argv sequence.
 *
 * Each category is stripped by default; pass the matching `strip*: false`
 * option to retain that category. When a stripped flag carries its value as a
 * separate following token (e.g. `-c 4096`), that token is removed too; the
 * `--flag=value` and boolean-switch forms consume only the single token.
 */
 export function stripShadowingFlags(
  args: Iterable<string>,
  opts?: StripOptions,
 ): string[] {
-  const shadowing = new Set<string>();
+  const targets = new Set<string>();
-  if (opts?.stripContext !== false) for (const f of CONTEXT_FLAGS) shadowing.add(f);
+  if (opts?.stripContext !== false) for (const f of SHADOW_CONTEXT) targets.add(f);
-  if (opts?.stripCache !== false) for (const f of CACHE_FLAGS) shadowing.add(f);
+  if (opts?.stripCache !== false) for (const f of SHADOW_CACHE) targets.add(f);
-  if (opts?.stripSpec !== false) for (const f of SPEC_FLAGS) shadowing.add(f);
+  if (opts?.stripSpec !== false) for (const f of SHADOW_SPEC) targets.add(f);
-  if (opts?.stripTemplate !== false) for (const f of TEMPLATE_FLAGS) shadowing.add(f);
+  if (opts?.stripTemplate !== false) for (const f of SHADOW_TEMPLATE) targets.add(f);
-  const tokens = [...args].map(String);
+  const tokens = Array.from(args, String);
-  const out: string[] = [];
+  const kept: string[] = [];
-  let i = 0;
+
-  const n = tokens.length;
+  for (let i = 0; i < tokens.length; i++) {
-  while (i < n) {
+    const token = tokens[i]!;
-    const tok = tokens[i]!;
+    const flag = parseFlag(token);
-    const flag = flagName(tok);
+
-    if (flag === null || !shadowing.has(flag)) {
+    // Not a targeted shadow flag — keep it verbatim.
-      out.push(tok);
+    if (flag === null || !targets.has(flag)) {
-      i++;
+      kept.push(token);
      continue;
    }
-    if (BOOLEAN_SHADOWING_FLAGS.has(flag) || tok.includes('=')) {
+
-      i++;
+    // Targeted: drop it. Decide whether the next token is its value and should
-    } else if (i + 1 < n && flagName(tokens[i + 1]!) === null) {
+    // be dropped along with it. Boolean switches and the inline `=value` form
-      i += 2;
+    // carry no separate value token.
-    } else {
+    const carriesInlineValue = token.includes('=');
-      i++;
+    const isBoolean = VALUELESS_SHADOW_FLAGS.has(flag);
    const next = tokens[i + 1];
    const nextIsValue = next !== undefined && parseFlag(next) === null;
    if (!isBoolean && !carriesInlineValue && nextIsValue) {
      i++; // also skip the value token
    }
  }
-  return out;
+
  return kept;
 }
--- a/apps/server/src/services/inference/mistake-tracker.ts
+++ b/apps/server/src/services/inference/mistake-tracker.ts
@@ -0,0 +1,69 @@
 // v#12 MistakeTracker: heterogeneous-failure recovery. Complements the
 // doom-loop guard (sentinels.ts:detectDoomLoop, which only catches *identical*
 // repeats) by catching a run of consecutive tool FAILURES the model isn't
 // recovering from — even when each failure is a *different* error. Algorithm
 // reimplemented from cline's mistake-counting pattern (NOT vendored).
 //
 // Pure module — mirrors sentinels.ts:detectDoomLoop. No DB, no I/O. The state
 // lives loop-local in TurnArgs (reset per runInference, like recentToolCalls).
 // The failure taxonomy already distinguished in tool-phase.ts:executeToolCall.
 // 'api_error' is reserved for upstream-model failures surfaced as tool outcomes
 // (no current emit site on apps/server, but the union mirrors the design doc
 // so a future caller can record it without a type change).
 export type FailureKind =
  | 'zod_reject'
  | 'tool_not_found'
  | 'exec_error'
  | 'api_error'
  | 'permission_denied';
 // Smallest streak that doesn't false-positive on a model that retries once
 // after a transient error. Matches DOOM_LOOP_THRESHOLD's rationale.
 export const MISTAKE_THRESHOLD = 3;
 export interface MistakeState {
  // The current consecutive-failure streak (any successful tool step clears it).
  run: FailureKind[];
  // How many recovery nudges have fired without an intervening success. Used to
  // escalate (stop the turn) on the second trip rather than nudging forever.
  nudges: number;
 }
 export function freshMistakeState(): MistakeState {
  return { run: [], nudges: 0 };
 }
 // Record one tool step's outcome. A 'success' clears BOTH the streak and the
 // nudge counter (the model recovered). A FailureKind pushes onto the streak.
 export function recordStep(
  state: MistakeState,
  outcome: FailureKind | 'success',
 ): void {
  if (outcome === 'success') {
    state.run = [];
    state.nudges = 0;
    return;
  }
  state.run.push(outcome);
 }
 // Decide whether to intervene given the current streak. When the streak has
 // reached MISTAKE_THRESHOLD: 'nudge' the first time (no nudge fired yet),
 // 'escalate' if it trips again while a nudge is already outstanding (no
 // intervening success cleared `nudges`). Below threshold → null.
 //
 // Pure — the caller is responsible for mutating `nudges`/`run` after acting on
 // the decision (mirrors how turn.ts consumes detectDoomLoop's result).
 export function detectMistakePattern(
  state: MistakeState,
 ): 'nudge' | 'escalate' | null {
  if (state.run.length < MISTAKE_THRESHOLD) return null;
  return state.nudges === 0 ? 'nudge' : 'escalate';
 }
 // Model-facing guidance injected (transiently, for the next step only) when a
 // nudge fires. Short + declarative for the same reliability reason as the
 // cap-hit / doom-loop notes.
 export const MISTAKE_RECOVERY_NOTE =
  "You've hit several different errors in a row. Stop retrying variations — re-read the tool schemas, verify file paths and arguments exist before calling, and try a fundamentally different approach.";
--- a/apps/server/src/services/inference/sentinel-summaries.ts
+++ b/apps/server/src/services/inference/sentinel-summaries.ts
@@ -86,7 +86,7 @@ export async function runCapHitSummary(
      ctx,
      session.model,
      messages,
-      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined },
+      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined, top_n_sigma: agent?.top_n_sigma ?? undefined, dry_multiplier: agent?.dry_multiplier ?? undefined, dry_base: agent?.dry_base ?? undefined, dry_allowed_length: agent?.dry_allowed_length ?? undefined, dry_penalty_last_n: agent?.dry_penalty_last_n ?? undefined },
      (delta) => {
        accumulated += delta;
        ctx.publish(sessionId, {
@@ -346,7 +346,7 @@ export async function runDoomLoopSummary(
      ctx,
      session.model,
      messages,
-      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined },
+      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined, top_n_sigma: agent?.top_n_sigma ?? undefined, dry_multiplier: agent?.dry_multiplier ?? undefined, dry_base: agent?.dry_base ?? undefined, dry_allowed_length: agent?.dry_allowed_length ?? undefined, dry_penalty_last_n: agent?.dry_penalty_last_n ?? undefined },
      (delta) => {
        accumulated += delta;
        ctx.publish(sessionId, {
@@ -545,7 +545,7 @@ export async function runStepCapSummary(
      ctx,
      session.model,
      messages,
-      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined },
+      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined, top_n_sigma: agent?.top_n_sigma ?? undefined, dry_multiplier: agent?.dry_multiplier ?? undefined, dry_base: agent?.dry_base ?? undefined, dry_allowed_length: agent?.dry_allowed_length ?? undefined, dry_penalty_last_n: agent?.dry_penalty_last_n ?? undefined },
      (delta) => {
        accumulated += delta;
        ctx.publish(sessionId, {
@@ -717,3 +717,57 @@ async function insertDoomLoopSentinel(
    metadata,
  });
 }
 // #12 MistakeTracker: heterogeneous-failure recovery sentinel. Mirrors
 // insertDoomLoopSentinel structurally — a role='system', status='complete' row
 // firing the standard message_started → delta → message_complete frame
 // sequence. Two variants distinguished by `escalated`:
 //   - escalated:false → a nudge fired; recovery guidance was injected into the
 //     model's next step and the loop continued. can_continue is true (the turn
 //     is still live).
 //   - escalated:true  → the nudge didn't break the failure run; the turn was
 //     stopped (cap-hit-style). can_continue is true so the UI can still offer a
 //     Continue affordance — a fresh user turn resets the tracker.
 export async function insertMistakeRecoverySentinel(
  ctx: InferenceContext,
  sessionId: string,
  chatId: string,
  opts: { failureKinds: string[]; count: number; escalated: boolean; canContinue: boolean },
 ): Promise<void> {
  const metadata: MessageMetadata = {
    kind: 'mistake_recovery',
    failure_kinds: opts.failureKinds,
    count: opts.count,
    escalated: opts.escalated,
    can_continue: opts.canContinue,
  };
  const content = opts.escalated
    ? `Repeated different errors persisted after a recovery nudge (${opts.count} in a row). Stopping the tool-call loop.`
    : `Hit ${opts.count} different errors in a row. Injected recovery guidance and continuing.`;
  const [row] = await ctx.sql<{ id: string }[]>`
    INSERT INTO messages (session_id, chat_id, role, content, status, created_at, metadata)
    VALUES (${sessionId}, ${chatId}, 'system', ${content}, 'complete', clock_timestamp(), ${ctx.sql.json(metadata as never)})
    RETURNING id
  `;
  // Standard frame sequence — same as cap-hit / doom-loop sentinels.
  ctx.publish(sessionId, {
    type: 'message_started',
    message_id: row!.id,
    chat_id: chatId,
    role: 'system',
  });
  ctx.publish(sessionId, {
    type: 'delta',
    message_id: row!.id,
    chat_id: chatId,
    content,
  });
  ctx.publish(sessionId, {
    type: 'message_complete',
    message_id: row!.id,
    chat_id: chatId,
    metadata,
  });
 }
--- a/apps/server/src/services/inference/sentinels.ts
+++ b/apps/server/src/services/inference/sentinels.ts
@@ -48,6 +48,18 @@ export function isDoomLoopSentinel(m: Message): boolean {
  );
 }
-export function isAnySentinel(m: Message): boolean {
+// #12: mistake-recovery sentinel. Same UI-only semantics as cap-hit /
-  return isCapHitSentinel(m) || isDoomLoopSentinel(m);
+// doom-loop — never sent to the LLM (filtered via the isAnySentinel check
 // below, which buildMessagesPayload + buildHeadPayload both consult).
 export function isMistakeRecoverySentinel(m: Message): boolean {
  return (
    m.role === 'system' &&
    m.metadata !== null &&
    typeof m.metadata === 'object' &&
    (m.metadata as { kind?: unknown }).kind === 'mistake_recovery'
  );
 }
 export function isAnySentinel(m: Message): boolean {
  return isCapHitSentinel(m) || isDoomLoopSentinel(m) || isMistakeRecoverySentinel(m);
 }
--- a/apps/server/src/services/inference/stream-phase.ts
+++ b/apps/server/src/services/inference/stream-phase.ts
@@ -33,6 +33,39 @@ interface StreamOptions {
  top_k?: number | null;
  min_p?: number | null;
  presence_penalty?: number | null;
  // v2.6 sampling-streamjson-tokens (#11): llama.cpp sampler extensions. These
  // are NOT standard AI-SDK streamText options and are NOT serialized by the
  // openai-compatible provider's standardized-settings path (topK is even
  // explicitly dropped with an "unsupported feature: topK" warning). They reach
  // llama-server only via providerOptions.openaiCompatible (see buildSamplerProviderOptions).
  top_n_sigma?: number | null;
  dry_multiplier?: number | null;
  dry_base?: number | null;
  dry_allowed_length?: number | null;
  dry_penalty_last_n?: number | null;
 }
 // v2.6 #11: build the providerOptions.openaiCompatible extraBody object for the
 // llama.cpp sampler extensions. @ai-sdk/openai-compatible (2.0.47) merges every
 // non-reserved key under providerOptions.openaiCompatible straight into the
 // chat-completion request body (see its getArgs: the Object.fromEntries spread
 // filtered against openaiCompatibleLanguageModelChatOptions.shape). This is the
 // ONLY working passthrough for these params:
 //   - top_k / min_p were latently dropped before this: top_k was passed as the
 //     AI-SDK `topK` setting which the openai-compatible provider rejects as
 //     unsupported; min_p was never passed to streamText at all.
 //   - top_n_sigma + the dry_* family have no AI-SDK equivalent.
 // Keys use llama-server's snake_case body names so they land verbatim.
 function buildSamplerProviderOptions(opts: StreamOptions): Record<string, number> | undefined {
  const body: Record<string, number> = {};
  if (typeof opts.top_k === 'number') body.top_k = opts.top_k;
  if (typeof opts.min_p === 'number') body.min_p = opts.min_p;
  if (typeof opts.top_n_sigma === 'number') body.top_n_sigma = opts.top_n_sigma;
  if (typeof opts.dry_multiplier === 'number') body.dry_multiplier = opts.dry_multiplier;
  if (typeof opts.dry_base === 'number') body.dry_base = opts.dry_base;
  if (typeof opts.dry_allowed_length === 'number') body.dry_allowed_length = opts.dry_allowed_length;
  if (typeof opts.dry_penalty_last_n === 'number') body.dry_penalty_last_n = opts.dry_penalty_last_n;
  return Object.keys(body).length > 0 ? body : undefined;
 }
 // v1.13.1-A: convert BooCode's OpenAI-shaped history into AI SDK
@@ -195,6 +228,14 @@ export async function streamCompletion(
    return toolCall;
  };
  // v2.6 #11: llama.cpp sampler extensions (top_k, min_p, top_n_sigma, dry_*)
  // ride providerOptions.openaiCompatible — they are NOT standardized streamText
  // settings. NB: top_k used to be passed below as the AI-SDK `topK` setting;
  // the openai-compatible provider dropped it with an "unsupported feature: topK"
  // warning and min_p was never wired at all, so both were dead on the wire
  // before this. They now go through the same extraBody path as the new params.
  const samplerBody = buildSamplerProviderOptions(opts);
  const result = streamText({
    model: upstreamModel(ctx.config, model, agent ?? null),
    messages: aiMessages,
@@ -203,8 +244,8 @@ export async function streamCompletion(
      : {}),
    ...(typeof opts.temperature === 'number' ? { temperature: opts.temperature } : {}),
    ...(typeof opts.top_p === 'number' ? { topP: opts.top_p } : {}),
    ...(typeof opts.top_k === 'number' ? { topK: opts.top_k } : {}),
    ...(typeof opts.presence_penalty === 'number' ? { presencePenalty: opts.presence_penalty } : {}),
    ...(samplerBody ? { providerOptions: { openaiCompatible: samplerBody } } : {}),
    abortSignal: signal,
  });
@@ -398,6 +439,12 @@ export async function executeStreamPhase(
  const effectiveTopK = agent?.top_k ?? undefined;
  const effectiveMinP = agent?.min_p ?? undefined;
  const effectivePresencePenalty = agent?.presence_penalty ?? undefined;
  // v2.6 #11: llama.cpp sampler extensions, threaded the same way as top_k/min_p.
  const effectiveTopNSigma = agent?.top_n_sigma ?? undefined;
  const effectiveDryMultiplier = agent?.dry_multiplier ?? undefined;
  const effectiveDryBase = agent?.dry_base ?? undefined;
  const effectiveDryAllowedLength = agent?.dry_allowed_length ?? undefined;
  const effectiveDryPenaltyLastN = agent?.dry_penalty_last_n ?? undefined;
  // v1.12.2: ctx_max lookup is cached after the first hit per model, so this
  // is a Map probe in steady state. We capture nCtx once at the top of the
@@ -435,7 +482,19 @@ export async function executeStreamPhase(
      ctx,
      session.model,
      messages,
-      { tools: effectiveTools, temperature: effectiveTemperature, top_p: effectiveTopP, top_k: effectiveTopK, min_p: effectiveMinP, presence_penalty: effectivePresencePenalty },
+      {
        tools: effectiveTools,
        temperature: effectiveTemperature,
        top_p: effectiveTopP,
        top_k: effectiveTopK,
        min_p: effectiveMinP,
        presence_penalty: effectivePresencePenalty,
        top_n_sigma: effectiveTopNSigma,
        dry_multiplier: effectiveDryMultiplier,
        dry_base: effectiveDryBase,
        dry_allowed_length: effectiveDryAllowedLength,
        dry_penalty_last_n: effectiveDryPenaltyLastN,
      },
      (delta) => {
        state.accumulated += delta;
        ctx.publish(sessionId, {
--- a/apps/server/src/services/inference/tool-call-parser.ts
+++ b/apps/server/src/services/inference/tool-call-parser.ts
@@ -1,7 +1,7 @@
-// SPDX-License-Identifier: AGPL-3.0-only
+// Streaming tool-call extraction for the qwen3.6 XML fallback path.
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
+// `extractToolCallBlocks` is the incremental streaming scanner used by
-// Ported from studio/backend/core/inference/tool_call_parser.py.
+// stream-phase.ts; `stripToolMarkup` removes tool-call wire markup from
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/tool_call_parser.py
+// assistant prose (used by tool-phase.ts and error-handler.ts).
 // ── Constants ────────────────────────────────────────────────────────────
@@ -10,34 +10,6 @@ export const XML_TOOL_CLOSE = '</tool_call>';
 export const INVOKE_TOOL_OPEN = '<invoke';
 export const INVOKE_TOOL_CLOSE = '</invoke>';
 export const TOOL_XML_SIGNALS = [XML_TOOL_OPEN, '<function=', INVOKE_TOOL_OPEN] as const;
 export const TOOL_ERROR_PREFIXES = [
  'Error',
  'Search failed',
  'Execution error',
  'Blocked:',
  'Exit code',
  'Failed to fetch',
  'Failed to resolve',
  'No query provided',
 ] as const;
 export const DUPLICATE_CALL_NUDGE =
  'You already made this exact call. Do not repeat the same tool ' +
  'call. Try a different approach: fetch a URL from previous ' +
  'results, use Python to process data you already have, or ' +
  'provide your final answer now.';
 export const TOOL_ERROR_NUDGE =
  '\n\nThe tool call encountered an issue. Please try a different ' +
  'approach or rephrase your request.';
 export const BUDGET_EXHAUSTED_NUDGE =
  'You have used all available tool calls. Based on everything you ' +
  'have found so far, provide your final answer now. Do not call ' +
  'any more tools.';
 // ── Strip patterns ───────────────────────────────────────────────────────
 const TOOL_CLOSED_PATS = [
@@ -53,7 +25,7 @@ const TOOL_ALL_PATS = [
  /<invoke\s[^>]*>.*$/gs,
 ];
-// ── Strip / signal ───────────────────────────────────────────────────────
+// ── Strip ────────────────────────────────────────────────────────────────
 export function stripToolMarkup(text: string, opts?: { final?: boolean }): string {
  const pats = opts?.final ? TOOL_ALL_PATS : TOOL_CLOSED_PATS;
@@ -63,206 +35,6 @@ export function stripToolMarkup(text: string, opts?: { final?: boolean }): strin
  return opts?.final ? text.trim() : text;
 }
 export function hasToolSignal(text: string): boolean {
  return TOOL_XML_SIGNALS.some((s) => text.includes(s));
 }
 // ── parseToolCallsFromText (Unsloth port + Anthropic extension) ──────────
 export interface OpenAiToolCall {
  id: string;
  type: 'function';
  function: { name: string; arguments: string };
 }
 const TC_JSON_START_RE = /<tool_call>\s*\{/g;
 const TC_FUNC_START_RE = /<function=(\w+)>\s*/g;
 const TC_END_TAG_RE = /<\/tool_call>/;
 const TC_FUNC_CLOSE_RE = /\s*<\/function>\s*$/;
 const TC_PARAM_START_RE = /<parameter=(\w+)>\s*/g;
 const TC_PARAM_CLOSE_RE = /\s*<\/parameter>\s*$/;
 const TC_INVOKE_START_RE = /<invoke\s+name\s*=\s*(?:"([^"]*)"|'([^']*)')\s*>/g;
 const TC_INVOKE_CLOSE_RE = /\s*<\/invoke>\s*$/;
 const TC_INVOKE_PARAM_RE = /<parameter\s+name\s*=\s*(?:"([^"]*)"|'([^']*)')\s*>/g;
 const TC_INVOKE_PARAM_CLOSE_RE = /\s*<\/parameter>\s*$/;
 function scanBalancedBraces(content: string, start: number): number {
  let depth = 0;
  let i = start;
  let inString = false;
  while (i < content.length) {
    const ch = content[i]!;
    if (inString) {
      if (ch === '\\' && i + 1 < content.length) {
        i += 2;
        continue;
      }
      if (ch === '"') inString = false;
    } else if (ch === '"') {
      inString = true;
    } else if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      depth--;
      if (depth === 0) return i;
    }
    i++;
  }
  return -1;
 }
 export function parseToolCallsFromText(
  content: string,
  opts?: { idOffset?: number },
 ): OpenAiToolCall[] {
  const toolCalls: OpenAiToolCall[] = [];
  const idOffset = opts?.idOffset ?? 0;
  // Pattern 1: <tool_call>{json}</tool_call> -- balanced-brace JSON scanner.
  // Skips braces inside JSON strings so nested objects parse correctly.
  TC_JSON_START_RE.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = TC_JSON_START_RE.exec(content)) !== null) {
    const braceStart = m.index + m[0].length - 1;
    const braceEnd = scanBalancedBraces(content, braceStart);
    if (braceEnd === -1) continue;
    const jsonStr = content.slice(braceStart, braceEnd + 1);
    try {
      const obj = JSON.parse(jsonStr) as Record<string, unknown>;
      const name = typeof obj.name === 'string' ? obj.name : '';
      let args: string;
      const rawArgs = obj.arguments ?? {};
      if (typeof rawArgs === 'string') {
        args = rawArgs;
      } else {
        args = JSON.stringify(rawArgs);
      }
      toolCalls.push({
        id: `call_${idOffset + toolCalls.length}`,
        type: 'function',
        function: { name, arguments: args },
      });
    } catch {
      // malformed JSON -- skip
    }
  }
  // Pattern 2: <function=name><parameter=key>value -- closing tags optional.
  // Body boundary uses </tool_call> or next <function= (not </function>,
  // because code parameter values can contain that literal).
  if (toolCalls.length === 0) {
    TC_FUNC_START_RE.lastIndex = 0;
    const funcStarts: Array<{ match: RegExpExecArray; name: string }> = [];
    while ((m = TC_FUNC_START_RE.exec(content)) !== null) {
      funcStarts.push({ match: m, name: m[1]! });
    }
    for (let idx = 0; idx < funcStarts.length; idx++) {
      const { match: fm, name: funcName } = funcStarts[idx]!;
      const bodyStart = fm.index + fm[0].length;
      const nextFunc = idx + 1 < funcStarts.length
        ? funcStarts[idx + 1]!.match.index
        : content.length;
      const endTag = TC_END_TAG_RE.exec(content.slice(bodyStart));
      let bodyEnd = endTag ? bodyStart + endTag.index : content.length;
      bodyEnd = Math.min(bodyEnd, nextFunc);
      let body = content.slice(bodyStart, bodyEnd);
      body = body.replace(TC_FUNC_CLOSE_RE, '');
      const args: Record<string, string> = {};
      TC_PARAM_START_RE.lastIndex = 0;
      const paramStarts: Array<{ match: RegExpExecArray; name: string }> = [];
      let pm: RegExpExecArray | null;
      while ((pm = TC_PARAM_START_RE.exec(body)) !== null) {
        paramStarts.push({ match: pm, name: pm[1]! });
      }
      if (paramStarts.length === 1) {
        // Single param: take everything to body end so embedded
        // </parameter> in code strings is preserved.
        const p = paramStarts[0]!;
        let val = body.slice(p.match.index + p.match[0].length);
        val = val.replace(TC_PARAM_CLOSE_RE, '');
        args[p.name] = val.trim();
      } else {
        for (let pidx = 0; pidx < paramStarts.length; pidx++) {
          const p = paramStarts[pidx]!;
          const valStart = p.match.index + p.match[0].length;
          const nextParam = pidx + 1 < paramStarts.length
            ? paramStarts[pidx + 1]!.match.index
            : body.length;
          let val = body.slice(valStart, nextParam);
          val = val.replace(TC_PARAM_CLOSE_RE, '');
          args[p.name] = val.trim();
        }
      }
      toolCalls.push({
        id: `call_${idOffset + toolCalls.length}`,
        type: 'function',
        function: { name: funcName, arguments: JSON.stringify(args) },
      });
    }
  }
  // Pattern 3: <invoke name="..."><parameter name="...">value -- Anthropic
  // shape that qwen3.6 drifts to from Claude Code documentation residue.
  // Closing tags optional; same single-param fast path as pattern 2.
  if (toolCalls.length === 0) {
    TC_INVOKE_START_RE.lastIndex = 0;
    const invokeStarts: Array<{ match: RegExpExecArray; name: string }> = [];
    while ((m = TC_INVOKE_START_RE.exec(content)) !== null) {
      const name = (m[1] ?? m[2] ?? '').trim();
      if (name) invokeStarts.push({ match: m, name });
    }
    for (let idx = 0; idx < invokeStarts.length; idx++) {
      const { match: im, name: invokeName } = invokeStarts[idx]!;
      const bodyStart = im.index + im[0].length;
      const nextInvoke = idx + 1 < invokeStarts.length
        ? invokeStarts[idx + 1]!.match.index
        : content.length;
      const closeTag = content.slice(bodyStart).match(/<\/invoke>/);
      let bodyEnd = closeTag ? bodyStart + (closeTag.index ?? 0) : content.length;
      bodyEnd = Math.min(bodyEnd, nextInvoke);
      let body = content.slice(bodyStart, bodyEnd);
      body = body.replace(TC_INVOKE_CLOSE_RE, '');
      const args: Record<string, string> = {};
      TC_INVOKE_PARAM_RE.lastIndex = 0;
      const paramStarts: Array<{ match: RegExpExecArray; name: string }> = [];
      let pm: RegExpExecArray | null;
      while ((pm = TC_INVOKE_PARAM_RE.exec(body)) !== null) {
        const pname = (pm[1] ?? pm[2] ?? '').trim();
        if (pname) paramStarts.push({ match: pm, name: pname });
      }
      if (paramStarts.length === 1) {
        const p = paramStarts[0]!;
        let val = body.slice(p.match.index + p.match[0].length);
        val = val.replace(TC_INVOKE_PARAM_CLOSE_RE, '');
        args[p.name] = val.trim();
      } else {
        for (let pidx = 0; pidx < paramStarts.length; pidx++) {
          const p = paramStarts[pidx]!;
          const valStart = p.match.index + p.match[0].length;
          const nextParam = pidx + 1 < paramStarts.length
            ? paramStarts[pidx + 1]!.match.index
            : body.length;
          let val = body.slice(valStart, nextParam);
          val = val.replace(TC_INVOKE_PARAM_CLOSE_RE, '');
          args[p.name] = val.trim();
        }
      }
      toolCalls.push({
        id: `call_${idOffset + toolCalls.length}`,
        type: 'function',
        function: { name: invokeName, arguments: JSON.stringify(args) },
      });
    }
  }
  return toolCalls;
 }
 // ── BooCode streaming helpers ────────────────────────────────────────────
 export interface ParsedCall {
--- a/apps/server/src/services/inference/tool-phase.ts
+++ b/apps/server/src/services/inference/tool-phase.ts
@@ -17,6 +17,7 @@ import { formatUnknownToolError } from './tool-suggestions.js';
 // prompted about paths we couldn't grant anyway (e.g. /etc/passwd).
 import { resolveGrantRoot } from '../grant_resolver.js';
 import { stripToolMarkup } from './tool-call-parser.js';
 import type { FailureKind } from './mistake-tracker.js';
 import type {
  InferenceContext,
  StreamResult,
@@ -33,13 +34,18 @@ async function executeToolCall(
  toolCall: ToolCall,
  extraRoots: readonly string[],
  toolCtx?: ToolExecCtx,
-): Promise<{ output: unknown; truncated: boolean; error?: string }> {
+): Promise<{ output: unknown; truncated: boolean; error?: string; outcome: FailureKind | 'success' }> {
  // v#12 MistakeTracker: every return path carries an `outcome` so the turn
  // loop can detect a run of heterogeneous failures. The failure taxonomy
  // mirrors mistake-tracker.ts:FailureKind. Does NOT alter the existing
  // output/truncated/error shape — outcome is purely additive.
  const tool = TOOLS_BY_NAME[toolCall.name];
  if (!tool) {
    return {
      output: null,
      truncated: false,
      error: formatUnknownToolError(toolCall.name, Object.keys(TOOLS_BY_NAME)),
      outcome: 'tool_not_found',
    };
  }
  const parsed = tool.inputSchema.safeParse(toolCall.args);
@@ -64,6 +70,7 @@ async function executeToolCall(
      output: null,
      truncated: false,
      error: `tool '${toolCall.name}' rejected — ${hint}`,
      outcome: 'zod_reject',
    };
  }
  try {
@@ -72,15 +79,16 @@ async function executeToolCall(
      typeof output === 'object' && output !== null && 'truncated' in output
        ? Boolean((output as { truncated: unknown }).truncated)
        : false;
-    return { output, truncated };
+    return { output, truncated, outcome: 'success' };
  } catch (err) {
    if (err instanceof PathScopeError) {
-      return { output: null, truncated: false, error: err.message };
+      return { output: null, truncated: false, error: err.message, outcome: 'permission_denied' };
    }
    return {
      output: null,
      truncated: false,
      error: err instanceof Error ? err.message : String(err),
      outcome: 'exec_error',
    };
  }
 }
@@ -93,6 +101,12 @@ export interface ToolPhaseResult {
  toolCallCount: number;
  toolCalls: ToolCall[];
  nextAssistantId: string | null;
  // v#12 MistakeTracker: one outcome per executed tool call, in no particular
  // order (filled inside the Promise.all callbacks). The turn loop folds these
  // into TurnArgs.mistakeTracker via recordStep. Pause/auto-grant control-flow
  // tools record 'success' (they aren't model mistakes); the genuine error
  // paths record their FailureKind.
  outcomes: (FailureKind | 'success')[];
 }
 export async function executeToolPhase(
@@ -187,6 +201,10 @@ export async function executeToolPhase(
  // for the synthesis input. Race-free under Promise.all because each
  // callback pushes its own captured value.
  const synthEntries: Array<{ tc: ToolCall; output: unknown; error?: string }> = [];
  // v#12 MistakeTracker: collect each tool's outcome. Concurrent pushes under
  // Promise.all are safe (each callback appends its own value; order is not
  // significant to recordStep which folds them sequentially).
  const outcomes: (FailureKind | 'success')[] = [];
  await Promise.all(
    toolCalls.map(async (tc) => {
      const [toolRow] = await ctx.sql<{ id: string }[]>`
@@ -197,6 +215,7 @@ export async function executeToolPhase(
      const toolMessageId = toolRow!.id;
      if (tc.name === 'ask_user_input') {
        pausingForUserInput = true;
        outcomes.push('success');
        const sentinel = { tool_call_id: tc.id, output: null, truncated: false };
        // v1.13.20: parts-only. The answer-endpoint UPDATE later
        // (messages.ts) will delete and re-insert this part when the user
@@ -227,7 +246,10 @@ export async function executeToolPhase(
        );
        if (!resolution.ok) {
          // Auto-deny without pausing. The model sees the reason on its
-          // next turn and decides what to do.
+          // next turn and decides what to do. Counts as a permission_denied
          // failure for the mistake tracker (the model asked for a path it
          // can't have — a recoverable mistake it should learn from).
          outcomes.push('permission_denied');
          const stored = {
            tool_call_id: tc.id,
            output: `denied: ${resolution.reason}`,
@@ -255,6 +277,7 @@ export async function executeToolPhase(
        // pause. The grant endpoint re-derives the root at decision time
        // (state may have changed in the meantime) so we don't stash it here.
        pausingForUserInput = true;
        outcomes.push('success');
        const sentinel = { tool_call_id: tc.id, output: null, truncated: false };
        // v1.13.20: parts-only write.
        await insertParts(
@@ -267,6 +290,10 @@ export async function executeToolPhase(
        return;
      }
      if (agent && !matchToolGlob(tc.name, agent.tools)) {
        // Agent-scope denial — the model called a tool outside its whitelist.
        // permission_denied for the mistake tracker (the model should pick a
        // tool it's actually allowed to use).
        outcomes.push('permission_denied');
        const stored = {
          tool_call_id: tc.id,
          output: null,
@@ -295,6 +322,10 @@ export async function executeToolPhase(
        sql: ctx.sql,
        sessionId,
      });
      // v#12 MistakeTracker: record the real execution outcome (success or a
      // FailureKind). This is the primary signal for heterogeneous-failure
      // detection.
      outcomes.push(tres.outcome);
      if (SYNTHESIS_TOOLS.has(tc.name)) {
        synthEntries.push({ tc, output: tres.output, ...(tres.error ? { error: tres.error } : {}) });
      }
@@ -340,6 +371,7 @@ export async function executeToolPhase(
      toolCallCount: toolCalls.length,
      toolCalls,
      nextAssistantId: null,
      outcomes,
    };
  }
@@ -378,6 +410,7 @@ export async function executeToolPhase(
        toolCallCount: toolCalls.length,
        toolCalls,
        nextAssistantId: null,
        outcomes,
      };
    }
    // ran === false → synthesis failed (timeout / model error) → fall through
@@ -397,5 +430,6 @@ export async function executeToolPhase(
    toolCallCount: toolCalls.length,
    toolCalls,
    nextAssistantId: nextAssistant!.id,
    outcomes,
  };
 }
--- a/apps/server/src/services/inference/turn.ts
+++ b/apps/server/src/services/inference/turn.ts
@@ -22,6 +22,13 @@ import { resolveToolBudget } from './budget.js';
 import {
  detectDoomLoop,
 } from './sentinels.js';
 import {
  detectMistakePattern,
  freshMistakeState,
  recordStep,
  MISTAKE_RECOVERY_NOTE,
  type MistakeState,
 } from './mistake-tracker.js';
 import {
  buildMessagesPayload,
  loadContext,
@@ -39,6 +46,7 @@ import {
  runCapHitSummary,
  runDoomLoopSummary,
  runStepCapSummary,
  insertMistakeRecoverySentinel,
 } from './sentinel-summaries.js';
 // v1.14.0: hard ceiling on the number of stream-and-tool iterations per
@@ -144,6 +152,16 @@ export interface TurnArgs {
  // boundaries by runInference, same as toolsUsed. Doom-loop check at the
  // top of runAssistantTurn slices the last DOOM_LOOP_THRESHOLD entries.
  recentToolCalls: ToolCall[];
  // v#12 MistakeTracker: heterogeneous-failure recovery state. Loop-local,
  // reset per runInference (user-message boundary) like recentToolCalls. Folds
  // tool-phase outcomes via recordStep each iteration; detectMistakePattern
  // gates the nudge/escalate decision.
  mistakeTracker: MistakeState;
  // v#12: transient model-facing recovery note set when a nudge fires. Consumed
  // (appended as a role:'system' message + cleared) on the NEXT payload build.
  // Never persisted — mirrors how the cap-hit/doom-loop notes live only inside
  // the summary call's messages array.
  pendingRecoveryNote?: string;
  signal: AbortSignal | undefined;
 }
@@ -188,6 +206,12 @@ export async function runAssistantTurn(
  let toolsUsed = args.toolsUsed;
  let recentToolCalls = args.recentToolCalls;
  let assistantMessageId = args.assistantMessageId;
  // v#12 MistakeTracker: the tracker state is carried on `args` (mutated in
  // place by recordStep). pendingRecoveryNote is a loop-local because it is a
  // single-step transient — set when a nudge fires, consumed (injected into the
  // next payload) and cleared on the following iteration.
  const mistakeTracker = args.mistakeTracker;
  let pendingRecoveryNote: string | undefined = args.pendingRecoveryNote;
  while (stepNumber < effectiveCap) {
    // ---- doom-loop check (moved from top-of-function) ----
@@ -196,7 +220,7 @@ export async function runAssistantTurn(
      // Need fresh history for the summary.
      const loaded = await loadContext(ctx.sql, sessionId, chatId);
      if (loaded) {
-        const iterArgs: TurnArgs = { sessionId, chatId, assistantMessageId, toolsUsed, recentToolCalls, signal };
+        const iterArgs: TurnArgs = { sessionId, chatId, assistantMessageId, toolsUsed, recentToolCalls, mistakeTracker, signal };
        await runDoomLoopSummary(ctx, iterArgs, loaded.session, loaded.project, loaded.history, agent, loop);
      }
      break;
@@ -206,7 +230,7 @@ export async function runAssistantTurn(
    if (toolsUsed >= budget) {
      const loaded = await loadContext(ctx.sql, sessionId, chatId);
      if (loaded) {
-        const iterArgs: TurnArgs = { sessionId, chatId, assistantMessageId, toolsUsed, recentToolCalls, signal };
+        const iterArgs: TurnArgs = { sessionId, chatId, assistantMessageId, toolsUsed, recentToolCalls, mistakeTracker, signal };
        await runCapHitSummary(ctx, iterArgs, loaded.session, loaded.project, loaded.history, agent, budget);
      }
      break;
@@ -265,7 +289,16 @@ export async function runAssistantTurn(
      }
    }
-    const iterArgs: TurnArgs = { sessionId, chatId, assistantMessageId, toolsUsed, recentToolCalls, signal };
+    // v#12 MistakeTracker: if the prior iteration's nudge fired, append the
    // transient recovery note to THIS payload (consumed exactly once, then
    // cleared). Never persisted — same lifecycle as the cap-hit/doom-loop
    // summary notes, which live only inside the in-memory messages array.
    if (pendingRecoveryNote) {
      messages.push({ role: 'system', content: pendingRecoveryNote });
      pendingRecoveryNote = undefined;
    }
    const iterArgs: TurnArgs = { sessionId, chatId, assistantMessageId, toolsUsed, recentToolCalls, mistakeTracker, signal };
    const state: StreamPhaseState = { accumulated: '', startedAt: null };
    let result: StreamResult;
    try {
@@ -305,10 +338,78 @@ export async function runAssistantTurn(
    recentToolCalls = [...recentToolCalls, ...toolPhaseResult.toolCalls];
    stepNumber++;
    // v#12 MistakeTracker: fold this iteration's tool outcomes into the
    // tracker, in order. recordStep mutates `mistakeTracker` in place (it is
    // the same object referenced by args). A 'success' clears the streak.
    for (const o of toolPhaseResult.outcomes) {
      recordStep(mistakeTracker, o);
    }
    if (toolPhaseResult.action !== 'continue') {
-      // 'paused' (user input) or 'synthesis_done' — stop the loop.
+      // 'paused' (user input) or 'synthesis_done' — stop the loop. The turn is
      // already ending, so neither a nudge nor an escalate would change the
      // control flow; we skip the mistake decision here.
      break;
    }
    // v#12 MistakeTracker: heterogeneous-failure decision. Only evaluated on
    // the 'continue' path (the only case where the loop would otherwise
    // proceed to another step). Complements the doom-loop check above, which
    // only catches *identical* repeats.
    const mistake = detectMistakePattern(mistakeTracker);
    if (mistake === 'nudge') {
      // Soft intervention: inject model-facing recovery guidance into the NEXT
      // step's payload, drop a UI sentinel, bump nudges, reset the streak, and
      // continue. The note is consumed (and cleared) at the top of the next
      // iteration's payload build.
      pendingRecoveryNote = MISTAKE_RECOVERY_NOTE;
      const failureKinds = [...mistakeTracker.run];
      await insertMistakeRecoverySentinel(ctx, sessionId, chatId, {
        failureKinds,
        count: failureKinds.length,
        escalated: false,
        canContinue: true,
      });
      mistakeTracker.nudges += 1;
      mistakeTracker.run = [];
      ctx.log.info(
        { sessionId, chatId, step: stepNumber, nudges: mistakeTracker.nudges, failureKinds },
        'mistake_recovery nudge',
      );
      assistantMessageId = toolPhaseResult.nextAssistantId!;
      continue;
    }
    if (mistake === 'escalate') {
      // The nudge didn't break the failure run — stop the turn (cap-hit-style)
      // to avoid burning the whole step budget on heterogeneous failures. The
      // next assistant row is still 'streaming'; finalize it as a short note so
      // the slot doesn't dangle, then drop the escalate sentinel.
      const failureKinds = [...mistakeTracker.run];
      assistantMessageId = toolPhaseResult.nextAssistantId!;
      await ctx.sql`
        UPDATE messages
        SET content = '', status = 'complete', finished_at = clock_timestamp()
        WHERE id = ${assistantMessageId}
      `;
      ctx.publish(sessionId, {
        type: 'message_complete',
        message_id: assistantMessageId,
        chat_id: chatId,
      });
      await insertMistakeRecoverySentinel(ctx, sessionId, chatId, {
        failureKinds,
        count: failureKinds.length,
        escalated: true,
        canContinue: true,
      });
      ctx.publishUser({ type: 'chat_status', chat_id: chatId, status: 'idle', at: new Date().toISOString() });
      ctx.log.info(
        { sessionId, chatId, step: stepNumber, failureKinds },
        'mistake_recovery escalate — stopping turn',
      );
      break;
    }
    // 'continue' — advance to next assistant message.
    assistantMessageId = toolPhaseResult.nextAssistantId!;
  }
@@ -320,7 +421,7 @@ export async function runAssistantTurn(
  if (stepNumber >= effectiveCap && effectiveCap < Infinity) {
    const loaded = await loadContext(ctx.sql, sessionId, chatId);
    if (loaded) {
-      const capArgs: TurnArgs = { sessionId, chatId, assistantMessageId, toolsUsed, recentToolCalls, signal };
+      const capArgs: TurnArgs = { sessionId, chatId, assistantMessageId, toolsUsed, recentToolCalls, mistakeTracker, signal };
      await runStepCapSummary(ctx, capArgs, loaded.session, loaded.project, loaded.history, agent, stepNumber, effectiveCap);
    }
  }
@@ -378,12 +479,16 @@ export async function runInference(
  // per-call budget.
  // v1.11.6: recentToolCalls also resets — doom-loop detection is scoped
  // to a single user-message turn, so a Continue starts with no history.
  // v#12 MistakeTracker: fresh per user-message turn, like recentToolCalls.
  // Tracks consecutive heterogeneous tool failures across the loop's
  // stream-and-tool iterations within this turn.
  return runAssistantTurn(ctx, {
    sessionId,
    chatId,
    assistantMessageId,
    toolsUsed: 0,
    recentToolCalls: [],
    mistakeTracker: freshMistakeState(),
    signal,
  });
 }
--- a/apps/server/src/services/web/html-to-md.ts
+++ b/apps/server/src/services/web/html-to-md.ts
@@ -1,347 +1,24 @@
-// SPDX-License-Identifier: AGPL-3.0-only
+import { NodeHtmlMarkdown } from 'node-html-markdown';
 // Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
 // Ported from studio/backend/core/inference/_html_to_md.py.
 // Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/_html_to_md.py
-import { parse, type DefaultTreeAdapterTypes } from 'parse5';
+// MIT-licensed HTML→Markdown rendering for the web_fetch tool. Output feeds an
-
+// LLM, so structural fidelity matters more than exact whitespace.
-type Document = DefaultTreeAdapterTypes.Document;
+const OPTIONS = {
-type ChildNode = DefaultTreeAdapterTypes.ChildNode;
+  // GFM-style emphasis markers (matches what most models expect).
-type Element = DefaultTreeAdapterTypes.Element;
+  emDelimiter: '*',
-type TextNode = DefaultTreeAdapterTypes.TextNode;
+  strongDelimiter: '**',
-
+  bulletMarker: '*',
-const SKIP_TAGS = new Set([
+  codeFence: '```',
-  'script', 'style', 'head', 'noscript', 'svg', 'math', 'nav', 'footer',
+  codeBlockStyle: 'fenced' as const,
-]);
+  // Always use []() syntax for links rather than <url> autolinks.
-
+  useInlineLinks: false,
-const BLOCK_TAGS = new Set([
+  // Collapse runs of blank lines to a single separator.
-  'p', 'div', 'section', 'article', 'main', 'aside', 'figure',
+  maxConsecutiveNewlines: 1,
-  'figcaption', 'details', 'summary', 'dl', 'dt', 'dd',
+  // Strip non-content elements entirely (script/style are skipped by default,
-]);
+  // but listing them here is explicit; head/nav/footer/etc. drop their text).
-
+  ignore: ['script', 'style', 'head', 'noscript', 'svg', 'math', 'nav', 'footer'],
 const HEADING_TAGS = new Set(['h1', 'h2', 'h3', 'h4', 'h5', 'h6']);
 const INLINE_EMPHASIS: Record<string, string> = {
  strong: '**', b: '**', em: '*', i: '*',
 };
 function isElement(node: ChildNode): node is Element {
  return 'tagName' in node;
 }
 function isText(node: ChildNode): node is TextNode {
  return node.nodeName === '#text';
 }
 class MarkdownRenderer {
  private out: string[] = [];
  private inLink = false;
  private linkHref: string | null = null;
  private linkTextParts: string[] = [];
  private listStack: string[] = [];
  private olCounter: number[] = [];
  private inTable = false;
  private currentRow: string[] = [];
  private cellParts: string[] = [];
  private inCell = false;
  private headerRowDone = false;
  private rowHasTh = false;
  private isFirstRow = false;
  private inPre = false;
  private preParts: string[] = [];
  private preLanguage: string | null = null;
  private inInlineCode = false;
  private bqStack: string[][] = [];
  private emit(text: string): void {
    if (this.inLink) {
      this.linkTextParts.push(text);
    } else if (this.inCell) {
      this.cellParts.push(text);
    } else if (this.inPre) {
      this.preParts.push(text);
    } else if (this.bqStack.length > 0) {
      this.bqStack[this.bqStack.length - 1]!.push(text);
    } else {
      this.out.push(text);
    }
  }
  private prefixBlockquote(content: string): string {
    content = content.replace(/[ \t]+$/gm, '');
    content = content.replace(/\n{3,}/g, '\n\n').trim();
    if (!content) return '';
    return content.split('\n').map(line =>
      line.trim() ? '> ' + line : '>'
    ).join('\n');
  }
  private finishCell(): void {
    if (!this.inCell) return;
    this.inCell = false;
    let cellText = this.cellParts.join('').trim().replace(/\n/g, ' ');
    cellText = cellText.replace(/\|/g, '\\|');
    this.currentRow.push(cellText);
    this.cellParts = [];
  }
  private finishRow(): void {
    if (this.currentRow.length === 0) return;
    const line = '| ' + this.currentRow.join(' | ') + ' |';
    this.emit(line + '\n');
    if (!this.headerRowDone && (this.rowHasTh || this.isFirstRow)) {
      const sep = '| ' + this.currentRow.map(() => '---').join(' | ') + ' |';
      this.emit(sep + '\n');
      this.headerRowDone = true;
    }
    this.isFirstRow = false;
    this.currentRow = [];
    this.rowHasTh = false;
  }
  private finishLink(): void {
    const text = this.linkTextParts.join('').replace(/\s+/g, ' ').trim();
    const href = this.linkHref ?? '';
    this.inLink = false;
    if (href && text) {
      this.emit(`[${text}](${href})`);
    } else if (text) {
      this.emit(text);
    }
  }
  private getAttr(el: Element, name: string): string | undefined {
    return el.attrs.find(a => a.name === name)?.value;
  }
  private handleOpen(el: Element): void {
    const tag = el.tagName.toLowerCase();
    if (HEADING_TAGS.has(tag)) {
      const level = parseInt(tag[1]!, 10);
      this.emit('\n\n' + '#'.repeat(level) + ' ');
    } else if (tag === 'a') {
      this.linkHref = this.getAttr(el, 'href') ?? null;
      this.linkTextParts = [];
      this.inLink = true;
    } else if (tag in INLINE_EMPHASIS) {
      this.emit(INLINE_EMPHASIS[tag]!);
    } else if (tag === 'br') {
      this.emit('\n');
    } else if (BLOCK_TAGS.has(tag)) {
      this.emit('\n\n');
    } else if (tag === 'hr') {
      this.emit('\n\n---\n\n');
    } else if (tag === 'blockquote') {
      this.emit('\n\n');
      this.bqStack.push([]);
    } else if (tag === 'ul') {
      this.listStack.push('ul');
      this.emit('\n');
    } else if (tag === 'ol') {
      this.listStack.push('ol');
      const startAttr = this.getAttr(el, 'start');
      let start = 1;
      if (startAttr != null) {
        const parsed = parseInt(startAttr, 10);
        if (!isNaN(parsed)) start = parsed;
      }
      this.olCounter.push(start - 1);
      this.emit('\n');
    } else if (tag === 'li') {
      const indent = '  '.repeat(Math.max(0, this.listStack.length - 1));
      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ol') {
        if (this.olCounter.length > 0) {
          this.olCounter[this.olCounter.length - 1]!++;
          this.emit(`\n${indent}${this.olCounter[this.olCounter.length - 1]}. `);
        } else {
          this.emit(`\n${indent}1. `);
        }
      } else {
        this.emit(`\n${indent}* `);
      }
    } else if (tag === 'pre') {
      this.preParts = [];
      this.inPre = true;
      this.preLanguage = null;
      const codeChild = el.childNodes.find(
        (c): c is Element => isElement(c) && c.tagName === 'code'
      );
      if (codeChild) {
        const cls = this.getAttr(codeChild, 'class') ?? '';
        const langMatch = cls.match(/(?:^|\s)language-(\S+)/);
        if (langMatch) this.preLanguage = langMatch[1]!;
      }
    } else if (tag === 'code' && !this.inPre) {
      this.inInlineCode = true;
      this.emit('`');
    } else if (tag === 'table') {
      this.inTable = true;
      this.headerRowDone = false;
      this.isFirstRow = true;
      this.emit('\n\n');
    } else if (tag === 'tr') {
      this.finishCell();
      this.finishRow();
    } else if (tag === 'th' || tag === 'td') {
      this.finishCell();
      this.cellParts = [];
      this.inCell = true;
      if (tag === 'th') this.rowHasTh = true;
    }
  }
  private handleClose(tag: string): void {
    tag = tag.toLowerCase();
    if (HEADING_TAGS.has(tag)) {
      this.emit('\n\n');
    } else if (tag === 'a') {
      this.finishLink();
    } else if (tag in INLINE_EMPHASIS) {
      this.emit(INLINE_EMPHASIS[tag]!);
    } else if (BLOCK_TAGS.has(tag)) {
      this.emit('\n\n');
    } else if (tag === 'blockquote') {
      if (this.bqStack.length > 0) {
        const content = this.bqStack.pop()!.join('');
        const prefixed = this.prefixBlockquote(content);
        if (prefixed) this.emit('\n\n' + prefixed + '\n\n');
      }
    } else if (tag === 'ul') {
      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ul') {
        this.listStack.pop();
      }
      this.emit('\n');
    } else if (tag === 'ol') {
      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ol') {
        this.listStack.pop();
        if (this.olCounter.length > 0) this.olCounter.pop();
      }
      this.emit('\n');
    } else if (tag === 'pre') {
      const raw = this.preParts.join('');
      this.inPre = false;
      const lang = this.preLanguage ?? '';
      const block = '```' + lang + '\n' + raw + '\n```';
      this.emit('\n\n' + block + '\n\n');
      this.preLanguage = null;
    } else if (tag === 'code' && !this.inPre) {
      this.inInlineCode = false;
      this.emit('`');
    } else if (tag === 'th' || tag === 'td') {
      this.finishCell();
    } else if (tag === 'tr') {
      this.finishCell();
      this.finishRow();
    } else if (tag === 'table') {
      this.finishCell();
      this.finishRow();
      this.inTable = false;
      this.emit('\n');
    }
  }
  private handleText(data: string): void {
    if (this.inPre) {
      this.preParts.push(data);
      return;
    }
    if (this.inInlineCode) {
      this.emit(data);
      return;
    }
    const text = data.replace(/\s+/g, ' ');
    if (this.inTable && !this.inCell && !text.trim()) return;
    this.emit(text);
  }
  walk(node: ChildNode | Document): void {
    if (isText(node as ChildNode)) {
      this.handleText((node as TextNode).value);
      return;
    }
    if (node.nodeName === '#comment') return;
    if (isElement(node as ChildNode)) {
      const el = node as Element;
      const tag = el.tagName.toLowerCase();
      if (SKIP_TAGS.has(tag)) return;
      if (tag === 'img') return;
      this.handleOpen(el);
      if (tag === 'pre') {
        for (const child of el.childNodes) {
          if (isElement(child) && child.tagName === 'code') {
            for (const grandchild of child.childNodes) {
              this.walk(grandchild);
            }
          } else {
            this.walk(child);
          }
        }
      } else {
        for (const child of el.childNodes) {
          this.walk(child);
        }
      }
      this.handleClose(tag);
      return;
    }
    if ('childNodes' in node) {
      for (const child of (node as Document).childNodes) {
        this.walk(child);
      }
    }
  }
  getOutput(): string {
    return this.out.join('');
  }
 }
 function cleanup(text: string): string {
  const lines = text.split('\n');
  const out: string[] = [];
  let inFence = false;
  let blankRun = 0;
  for (const line of lines) {
    const stripped = line.replace(/[ \t]+$/, '');
    if (stripped.startsWith('```')) {
      inFence = !inFence;
      blankRun = 0;
      out.push(stripped);
      continue;
    }
    if (inFence) {
      out.push(line);
      continue;
    }
    if (!stripped) {
      blankRun++;
      if (blankRun <= 1) out.push('');
      continue;
    }
    blankRun = 0;
    out.push(stripped);
  }
  return out.join('\n').trim();
 }
 export function htmlToMarkdown(sourceHtml: string): string {
-  sourceHtml = sourceHtml.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
+  if (!sourceHtml) return '';
-  const doc = parse(sourceHtml);
+  return NodeHtmlMarkdown.translate(sourceHtml, OPTIONS).trim();
  const renderer = new MarkdownRenderer();
  renderer.walk(doc);
  return cleanup(renderer.getOutput());
 }
--- a/apps/server/src/types/api.ts
+++ b/apps/server/src/types/api.ts
@@ -117,6 +117,15 @@ export interface Agent {
  top_k: number | null;  // null means omit from request body
  min_p: number | null;  // null means omit from request body
  presence_penalty: number | null;  // null means omit from request body
  // v2.6 sampling-streamjson-tokens (#11): llama.cpp sampler extensions.
  // null = omit from request body. top_n_sigma + the DRY repetition family
  // help the doom-loop-prone local model. All travel via the same
  // providerOptions.openaiCompatible extraBody channel as top_k/min_p.
  top_n_sigma: number | null;
  dry_multiplier: number | null;
  dry_base: number | null;
  dry_allowed_length: number | null;
  dry_penalty_last_n: number | null;
  tools: string[];       // whitelist of tool names; empty = no tools allowed
  model: string | null;  // null means "session.model wins"
  source: AgentSource;
@@ -201,6 +210,11 @@ export type ErrorReason =
 //   cap_hit          — system sentinel emitted when tool budget is exhausted
 //   doom_loop        — system sentinel emitted when the model called the same
 //                      tool with the same args DOOM_LOOP_THRESHOLD times in a row
 //   mistake_recovery — system sentinel emitted when a run of consecutive
 //                      *heterogeneous* tool failures is detected (#12). A nudge
 //                      (escalated:false) injects model-facing recovery guidance
 //                      and continues; an escalate (escalated:true) stops the
 //                      turn after the nudge failed to break the failure run.
 //   error            — attached to a failed assistant message so UI can show reason
 export type MessageMetadata =
  | {
@@ -216,6 +230,14 @@ export type MessageMetadata =
      args: Record<string, unknown>;
      threshold: number;
    }
  | {
      // PINNED CONTRACT (#12) — mirrored byte-for-byte in apps/web/src/api/types.ts.
      kind: 'mistake_recovery';
      failure_kinds: string[];
      count: number;
      escalated: boolean;
      can_continue?: boolean;
    }
  | {
      kind: 'error';
      error_reason: ErrorReason;
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -44,5 +44,5 @@
    "typescript": "^5.5.0",
    "vite": "^5.3.4"
  },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }
--- a/apps/web/src/api/client.ts
+++ b/apps/web/src/api/client.ts
@@ -25,6 +25,41 @@ import type {
  WorkspaceState,
 } from './types';
 // v2.6 Phase 1-UX §9b: chat-scoped agent-session rows. Returned by
 // GET /api/coder/sessions/:id/agent-sessions; drives the AgentComposerBar
 // resumed/new-session chip via useAgentSessions. `has_session` is true when a
 // resumable backend session id exists for that agent in the chat.
 export interface AgentSessionInfo {
  agent: string;
  status: string;
  has_session: boolean;
  last_active_at: string | null;
  // v2.6.8 per-(chat,agent) running token/cost totals (sampling-streamjson-tokens
  // #8). input_tokens/output_tokens are BIGINT and may arrive as strings; cost is
  // DOUBLE. AgentComposerBar coerces with Number(...) before rendering.
  input_tokens: number;
  output_tokens: number;
  cost: number;
 }
 // write-edit-robustness #4: a pre-turn worktree snapshot anchored to an
 // assistant message. Returned by GET .../checkpoints; drives the per-message
 // "Restore to here" affordance in CoderMessageList.
 export interface CoderCheckpoint {
  id: string;
  message_id: string;
  created_at: string;
  label: string | null;
 }
 // write-edit-robustness #4: result of POST .../checkpoints/:id/restore.
 export interface CoderRestoreResult {
  checkpoint_id: string;
  messages_deleted: number;
  worktree_reset: boolean;
  backend_reset: boolean;
 }
 export class ApiError extends Error {
  constructor(
    public status: number,
@@ -363,6 +398,11 @@ export const api = {
      request<CoderMessageWire[]>(
        `/api/coder/sessions/${sessionId}/messages${chatId ? `?chat_id=${encodeURIComponent(chatId)}` : ''}`,
      ),
    // v2.6 Phase 1-UX §9b: per-(chat,agent) backend-session state for the
    // resumed/new-session chip. Chat-scoped (NOT foldable into the project-level
    // provider snapshot). Proxied to boocoder at /api/sessions/:id/agent-sessions.
    agentSessions: (sessionId: string) =>
      request<AgentSessionInfo[]>(`/api/coder/sessions/${sessionId}/agent-sessions`),
    skillInvoke: (
      sessionId: string,
      paneId: string,
@@ -391,6 +431,22 @@ export const api = {
          ...(config?.thinking_option_id ? { thinking_option_id: config.thinking_option_id } : {}),
        }),
      }),
    // write-edit-robustness #4: worktree checkpoints. List which assistant
    // messages in a chat have a pre-turn worktree snapshot ("Restore to here"
    // is offered only on those). Proxied to boocoder.
    getCheckpoints: (sessionId: string, chatId: string) =>
      request<{ checkpoints: CoderCheckpoint[] }>(
        `/api/coder/sessions/${sessionId}/checkpoints?chat_id=${encodeURIComponent(chatId)}`,
      ),
    // write-edit-robustness #4: reset the worktree to a checkpoint, trim the
    // transcript past its anchor message, and reset the agent backend. After it
    // returns, the caller refetches messages (+ checkpoints) so the trimmed
    // transcript shows.
    restoreCheckpoint: (sessionId: string, checkpointId: string) =>
      request<CoderRestoreResult>(
        `/api/coder/sessions/${sessionId}/checkpoints/${encodeURIComponent(checkpointId)}/restore`,
        { method: 'POST' },
      ),
    // Queue a new-file create from the RightRail browser → BooCoder
    // pending_changes (operation='create'). Surfaces in the CoderPane DiffPanel
    // for explicit apply. A WriteGuardError comes back as a 422 whose { error }
--- a/apps/web/src/api/types.ts
+++ b/apps/web/src/api/types.ts
@@ -155,6 +155,9 @@ export type ErrorReason =
 //                budget + agent name + whether Continue is still allowed.
 //   doom_loop  — sentinel emitted when the model called the same tool with
 //                the same arguments threshold times in a row.
 //   mistake_recovery — sentinel emitted when the model hit repeated *different*
 //                errors; non-escalated means recovery guidance was injected and
 //                the turn continues, escalated means the turn was stopped.
 //   error      — attached to a failed assistant message so the bubble can show
 //                a specific reason on reload (WS error frame is one-shot).
 export type MessageMetadata =
@@ -171,6 +174,13 @@ export type MessageMetadata =
      args: Record<string, unknown>;
      threshold: number;
    }
  | {
      kind: 'mistake_recovery';
      failure_kinds: string[];
      count: number;
      escalated: boolean;
      can_continue?: boolean;
    }
  | {
      kind: 'error';
      error_reason: ErrorReason;
--- a/apps/web/src/components/AgentComposerBar.tsx
+++ b/apps/web/src/components/AgentComposerBar.tsx
@@ -1,9 +1,10 @@
 import { useEffect, useMemo, useRef, useState } from 'react';
-import { Check, ChevronDown, RefreshCw, Loader2, Shield, Brain, Bird, Bot, Dog, Terminal as TermIcon } from 'lucide-react';
+import { Check, ChevronDown, RefreshCw, Loader2, Shield, Brain, Bot } from 'lucide-react';
 import { ClaudeIcon, OpenCodeIcon } from '@/components/icons/ProviderIcons';
 import { api } from '@/api/client';
 import type { AgentSessionConfig, ProviderSnapshotEntry, AgentCommand } from '@/api/types';
 import { useProviderSnapshot, refreshProviderSnapshot } from '@/hooks/useProviderSnapshot';
 import { providerIcon } from '@/components/coder/providerIcons';
 import { useAgentSessions } from '@/hooks/useAgentSessions';
 import {
  DropdownMenu,
  DropdownMenuContent,
@@ -172,9 +173,44 @@ interface Props {
  onChange: (next: AgentSessionConfig) => void;
  onProviderCommandsChange?: (commands: AgentCommand[]) => void;
  connected?: boolean;
  // v2.6 Phase 1-UX §9b: chat id for the resumed/new-session chip. Optional so
  // BooChat and any other AgentComposerBar caller renders no chip and is
  // otherwise unaffected. When present + connected + the chat has ≥1 prior
  // turn, a chip right of the Provider picker reports whether switching to the
  // current provider resumes an agent session, replays history (boocode), or
  // starts fresh.
  sessionId?: string;
  // True once the chat has at least one prior turn — gates the chip so it stays
  // hidden on a brand-new chat. Defaults to false (no chip).
  hasPriorTurn?: boolean;
 }
-export function AgentComposerBar({ projectPath, value, onChange, onProviderCommandsChange, connected }: Props) {
+// Condensed token count: 950 → "950", 12_400 → "12.4K", 3_200_000 → "3.2M".
 // Sub-1000 stays exact; thousands/millions get one decimal, trailing .0 trimmed.
 function abbrevTokens(n: number): string {
  if (!Number.isFinite(n) || n < 1000) return String(Math.max(0, Math.round(n)));
  if (n < 1_000_000) return `${(n / 1000).toFixed(1).replace(/\.0$/, '')}K`;
  return `${(n / 1_000_000).toFixed(1).replace(/\.0$/, '')}M`;
 }
 // Relative-time formatter for the resumed-chip title (e.g. "3m ago").
 function relativeTime(iso: string | null): string {
  if (!iso) return 'unknown';
  const then = new Date(iso).getTime();
  if (Number.isNaN(then)) return 'unknown';
  const diffMs = Date.now() - then;
  if (diffMs < 0) return 'just now';
  const sec = Math.floor(diffMs / 1000);
  if (sec < 60) return 'just now';
  const min = Math.floor(sec / 60);
  if (min < 60) return `${min}m ago`;
  const hr = Math.floor(min / 60);
  if (hr < 24) return `${hr}h ago`;
  const day = Math.floor(hr / 24);
  return `${day}d ago`;
 }
 export function AgentComposerBar({ projectPath, value, onChange, onProviderCommandsChange, connected, sessionId, hasPriorTurn }: Props) {
  const allEntries = useProviderSnapshot(projectPath);
  // 5.5 — the composer picker only offers ENABLED providers that are ready (or
  // still loading). Disabled (enabled:false) and unavailable/error providers are
@@ -186,6 +222,13 @@ export function AgentComposerBar({ projectPath, value, onChange, onProviderComma
  );
  const [refreshing, setRefreshing] = useState(false);
  // v2.6 Phase 1-UX §9b: chat-scoped agent-session rows for the resumed/new
  // chip. Hook is unconditional (hooks rule); it self-no-ops when sessionId is
  // undefined or the chat has no prior turn, so BooChat callers cost nothing.
  const { sessions: agentSessions } = useAgentSessions(
    sessionId && hasPriorTurn ? sessionId : undefined,
  );
  const hydratedRef = useRef(false);
  useEffect(() => {
@@ -294,21 +337,45 @@ export function AgentComposerBar({ projectPath, value, onChange, onProviderComma
    );
  }
  const providerIcon = (name: string) => {
    switch (name) {
      case 'claude': return <ClaudeIcon size={13} className="shrink-0" />;
      case 'opencode': return <OpenCodeIcon size={13} className="shrink-0" />;
      case 'goose': return <Bird size={13} className="shrink-0" />;
      case 'qwen': return <TermIcon size={13} className="shrink-0" />;
      default: return <Dog size={13} className="shrink-0" />;
    }
  };
  const providerOptions = entries.map((e) => ({ id: e.name, label: e.label }));
  const modeOptions = (currentEntry?.modes ?? []).map((m) => ({ id: m.id, label: m.label }));
  const modelOptions = (currentEntry?.models ?? []).map((m) => ({ id: m.id, label: m.label }));
  const thinkingOpts = thinkingOptions.map((t) => ({ id: t.id, label: t.label }));
  // v2.6 Phase 1-UX §9b: resumed / history / new-session chip. Only meaningful
  // when this is a real chat (sessionId), the WS is connected, and the chat has
  // ≥1 prior turn — otherwise render nothing so fresh chats and non-coder
  // callers stay clean.
  const sessionRow = agentSessions.find((s) => s.agent === value.provider);
  const sessionChip: { label: string; title: string } | null =
    sessionId && hasPriorTurn && connected
      ? value.provider === 'boocode'
        ? // Native boocode never holds an agent_sessions row — it reconstructs
          // the conversation from the chat transcript each turn.
          { label: 'history', title: 'BooCode replays the chat transcript each turn' }
        : sessionRow?.has_session
          ? {
              label: 'resumed',
              title: `Resuming ${value.provider} · last active ${relativeTime(sessionRow.last_active_at)}`,
            }
          : { label: 'new session', title: `${value.provider} starts a fresh session this turn` }
      : null;
  // sampling-streamjson-tokens #8: condensed per-(chat,agent) token/cost readout
  // beside the session chip. Coerce — input/output are BIGINT (string over wire).
  // Hidden when no session row or all totals are zero (e.g. native boocode, which
  // holds no agent_sessions row, or a provider that hasn't run yet).
  const usageReadout = (() => {
    if (!sessionChip || !sessionRow) return null;
    const inTok = Number(sessionRow.input_tokens) || 0;
    const outTok = Number(sessionRow.output_tokens) || 0;
    const cost = Number(sessionRow.cost) || 0;
    if (inTok <= 0 && outTok <= 0 && cost <= 0) return null;
    const parts = [`${abbrevTokens(inTok)} in`, `${abbrevTokens(outTok)} out`];
    if (cost > 0) parts.push(`$${cost.toFixed(2)}`);
    return parts.join(' · ');
  })();
  return (
    <div className="flex flex-wrap items-center gap-1 px-2 py-1 border-b border-border bg-muted/20 shrink-0">
      <CompactPicker
@@ -322,6 +389,22 @@ export function AgentComposerBar({ projectPath, value, onChange, onProviderComma
            : providerIcon(value.provider)
        }
      />
      {sessionChip && (
        <span
          title={sessionChip.title}
          className="inline-flex items-center rounded-full border border-border bg-muted/40 px-1.5 py-0.5 text-[10px] font-medium text-muted-foreground shrink-0"
        >
          {sessionChip.label}
        </span>
      )}
      {usageReadout && (
        <span
          className="text-[10px] text-muted-foreground tabular-nums whitespace-nowrap shrink-0"
          title="Tokens in · out · cost for this agent session"
        >
          {usageReadout}
        </span>
      )}
      <CompactPicker
        label="Mode"
        value={value.modeId ?? ''}
--- a/apps/web/src/components/MessageBubble.tsx
+++ b/apps/web/src/components/MessageBubble.tsx
@@ -1,6 +1,6 @@
 import { useEffect, useState } from 'react';
 import type { ReactNode } from 'react';
-import { ChevronDown, ChevronRight, Copy, RefreshCw, Check, Share2, RotateCw, GitFork, Trash2, Brain } from 'lucide-react';
+import { ChevronDown, ChevronRight, Copy, RefreshCw, Check, Share2, RotateCw, GitFork, Trash2, Brain, History, AlertCircle } from 'lucide-react';
 import { toast } from 'sonner';
 import type { Chat, ErrorReason, Message } from '@/api/types';
 import { api } from '@/api/client';
@@ -110,6 +110,10 @@ export interface MessageActions {
  onResend?: (chatId: string, content: string) => Promise<void>;
  onFork?: (chatId: string, messageId: string) => Promise<void>;
  onDelete?: (chatId: string, messageId: string) => Promise<void>;
  // write-edit-robustness #4 (BooCoder only): reset the worktree to this
  // message's pre-turn checkpoint and trim the transcript past it. BooChat
  // passes no such callback → the "Restore to here" control never renders.
  onRestoreCheckpoint?: (chatId: string, messageId: string) => Promise<void>;
 }
 interface Props {
@@ -119,6 +123,17 @@ interface Props {
  actions?: MessageActions;
  /** Hide actions that don't apply (fork, delete). */
  hideActions?: ('fork' | 'delete')[];
  /**
   * write-edit-robustness #4: this assistant message has a worktree checkpoint
   * → render "Restore to here" (only when `actions.onRestoreCheckpoint` is also
   * provided). CoderMessageList sets this from the checkpoint set.
   */
  hasCheckpoint?: boolean;
  /**
   * write-edit-robustness #4: suppress the restore control during an active
   * turn (mirrors composer gating). Defaults to enabled.
   */
  restoreDisabled?: boolean;
 }
 function StatsLine({ message }: { message: Message }) {
@@ -155,16 +170,22 @@ function ActionRow({
  message,
  actions,
  hiddenSet,
  hasCheckpoint = false,
  restoreDisabled = false,
 }: {
  message: Message;
  actions?: MessageActions;
  hiddenSet: Set<string>;
  hasCheckpoint?: boolean;
  restoreDisabled?: boolean;
 }) {
  const [justCopied, setJustCopied] = useState(false);
  const [regenerating, setRegenerating] = useState(false);
  const [forking, setForking] = useState(false);
  const [deleteOpen, setDeleteOpen] = useState(false);
  const [deleting, setDeleting] = useState(false);
  const [restoreOpen, setRestoreOpen] = useState(false);
  const [restoring, setRestoring] = useState(false);
  async function copy() {
    try {
@@ -240,12 +261,33 @@ function ActionRow({
    }
  }
  async function confirmRestore() {
    if (restoring || !actions?.onRestoreCheckpoint) return;
    setRestoring(true);
    try {
      await actions.onRestoreCheckpoint(message.chat_id, message.id);
      setRestoreOpen(false);
    } catch (err) {
      toast.error(err instanceof Error ? err.message : 'restore failed');
    } finally {
      setRestoring(false);
    }
  }
  const isAssistant = message.role === 'assistant';
  const isUser = message.role === 'user';
  const canRegen = isAssistant && message.status !== 'streaming';
  const canResend = isUser && message.status === 'complete' && !!message.content?.trim();
  const canFork = message.status === 'complete';
  const canDelete = message.status !== 'streaming';
  // write-edit-robustness #4: show "Restore to here" only for a completed
  // assistant message that has a checkpoint AND when the coder wired the
  // callback. Disabled (but visible) during an active turn.
  const canRestore =
    isAssistant &&
    hasCheckpoint &&
    message.status === 'complete' &&
    !!actions?.onRestoreCheckpoint;
  return (
    <>
@@ -306,6 +348,18 @@ function ActionRow({
          <Trash2 className="size-3" />
        </button>
        )}
        {canRestore && (
          <button
            type="button"
            onClick={() => setRestoreOpen(true)}
            disabled={restoreDisabled || restoring}
            className="inline-flex items-center justify-center size-6 rounded text-muted-foreground hover:bg-muted hover:text-foreground disabled:opacity-40 disabled:cursor-not-allowed max-md:min-h-[44px] max-md:min-w-[44px]"
            aria-label="Restore to here"
            title="Restore worktree to this point"
          >
            <History className="size-3" />
          </button>
        )}
      </div>
      <Dialog
        open={deleteOpen}
@@ -338,6 +392,39 @@ function ActionRow({
          </DialogFooter>
        </DialogContent>
      </Dialog>
      <Dialog
        open={restoreOpen}
        onOpenChange={(open) => {
          if (!restoring) setRestoreOpen(open);
        }}
      >
        <DialogContent>
          <DialogHeader>
            <DialogTitle>Restore to this point?</DialogTitle>
            <DialogDescription>
              This resets the worktree to before this turn, removes every later
              message in this chat, and resets the agent's session. This cannot
              be undone.
            </DialogDescription>
          </DialogHeader>
          <DialogFooter>
            <Button
              variant="outline"
              onClick={() => setRestoreOpen(false)}
              disabled={restoring}
            >
              Cancel
            </Button>
            <Button
              variant="destructive"
              onClick={() => void confirmRestore()}
              disabled={restoring}
            >
              {restoring ? 'Restoring…' : 'Restore'}
            </Button>
          </DialogFooter>
        </DialogContent>
      </Dialog>
    </>
  );
 }
@@ -550,7 +637,85 @@ function ReasoningBlock({ text, streaming }: { text: string; streaming: boolean
  );
 }
-export function MessageBubble({ message, sessionChats, capHitInfo, actions, hideActions }: Props) {
+// feature #12: mistake-recovery sentinel. Inserted by the backend as a
 // role='system', metadata.kind='mistake_recovery' row when the model hit
 // repeated *different* errors (distinct from doom_loop, which is the same
 // call repeated). Visual treatment mirrors CapHitSentinel / DoomLoopSentinel
 // (amber card + alert icon). Non-escalated → recovery guidance was injected
 // and the turn continues. Escalated → the turn was stopped; if can_continue
 // is set, offer the same Continue affordance as the cap-hit sentinel.
 // Loose `!= null` guards per the CLAUDE.md coder-message note (coder rows pass
 // metadata as undefined, not null).
 function MistakeRecoverySentinel({ message }: { message: Message }) {
  const meta = message.metadata;
  const isMistakeRecovery =
    meta != null && typeof meta === 'object' && meta.kind === 'mistake_recovery';
  const failureKinds = isMistakeRecovery ? meta.failure_kinds : [];
  const escalated = isMistakeRecovery ? meta.escalated : false;
  const canContinue = isMistakeRecovery ? meta.can_continue === true : false;
  const [continuing, setContinuing] = useState(false);
  async function handleContinue() {
    if (continuing || !canContinue) return;
    setContinuing(true);
    try {
      await api.chats.continue(message.chat_id, message.id);
    } catch (err) {
      toast.error(err instanceof Error ? err.message : 'continue failed');
    } finally {
      setContinuing(false);
    }
  }
  const kindsLabel =
    Array.isArray(failureKinds) && failureKinds.length > 0
      ? failureKinds.join(', ')
      : null;
  return (
    <div className="rounded-md border border-amber-500/40 bg-amber-500/10 text-sm">
      <div className="px-3 py-2 flex items-start gap-2">
        <AlertCircle className="size-4 text-amber-500 shrink-0 mt-0.5" />
        <div className="flex-1 min-w-0 space-y-1">
          <div className="text-xs font-medium text-amber-700 dark:text-amber-300">
            {escalated ? 'Repeated errors — turn stopped' : 'Recovering from repeated errors'}
          </div>
          <div className="text-xs text-muted-foreground">
            {escalated
              ? 'Repeated errors persisted — stopped the turn.'
              : kindsLabel
                ? `Hit repeated different errors (${kindsLabel}) — recovery guidance injected, continuing.`
                : 'Hit repeated different errors — recovery guidance injected, continuing.'}
          </div>
          {escalated && canContinue && (
            <div className="pt-1">
              <Button
                type="button"
                size="sm"
                variant="outline"
                onClick={() => void handleContinue()}
                disabled={continuing}
              >
                {continuing ? 'Continuing…' : 'Continue'}
              </Button>
            </div>
          )}
        </div>
      </div>
    </div>
  );
 }
 export function MessageBubble({
  message,
  sessionChats,
  capHitInfo,
  actions,
  hideActions,
  hasCheckpoint,
  restoreDisabled,
 }: Props) {
  const hiddenSet = new Set(hideActions ?? []);
  // v1.11: anchored rolling summary row. Checked BEFORE the kind==='compact'
  // branch because summary=true never coexists with kind='compact' (new
@@ -586,6 +751,13 @@ export function MessageBubble({ message, sessionChats, capHitInfo, actions, hide
    return <DoomLoopSentinel message={message} />;
  }
  // feature #12: mistake-recovery sentinel. Non-escalated rows narrate that
  // recovery guidance was injected mid-turn; escalated rows report the turn
  // was stopped and (when can_continue) offer the cap-hit-style Continue.
  if (message.role === 'system' && message.metadata?.kind === 'mistake_recovery') {
    return <MistakeRecoverySentinel message={message} />;
  }
  // v1.8.2: tool messages and assistant tool_calls are now rendered by
  // MessageList via ToolCallLine / ToolCallGroup. Tool-role messages reach
  // this point only if MessageList didn't consume them (shouldn't happen,
@@ -652,7 +824,15 @@ export function MessageBubble({ message, sessionChats, capHitInfo, actions, hide
        </div>
      )}
      {!isStreaming && <StatsLine message={message} />}
-      {!isStreaming && hasContent && <ActionRow message={message} actions={actions} hiddenSet={hiddenSet} />}
+      {!isStreaming && hasContent && (
        <ActionRow
          message={message}
          actions={actions}
          hiddenSet={hiddenSet}
          hasCheckpoint={hasCheckpoint}
          restoreDisabled={restoreDisabled}
        />
      )}
    </div>
  );
 }
--- a/apps/web/src/components/coder/providerIcons.tsx
+++ b/apps/web/src/components/coder/providerIcons.tsx
@@ -0,0 +1,56 @@
 // Shared provider icon + label helpers for BooCoder UI.
 //
 // Single source of truth for the per-provider glyph used in the
 // AgentComposerBar picker and the CoderPane DiffPanel agent-attribution
 // badges (v2.6 Phase 1-UX §9a/§9b). Extracted from AgentComposerBar's local
 // `providerIcon` switch so both call sites stay in sync.
 import type { ReactNode } from 'react';
 import { Bird, Dog, Terminal as TermIcon } from 'lucide-react';
 import { ClaudeIcon, OpenCodeIcon } from '@/components/icons/ProviderIcons';
 /**
 * Glyph for a provider/agent name. Mirrors AgentComposerBar's original
 * `providerIcon` switch verbatim — `boocode` (native) falls through to the
 * neutral dog like any unmapped name, preserving the composer's prior look.
 * Sized to match the picker (13px) by default; pass a different size for
 * inline badges.
 */
 export function providerIcon(name: string | null, size = 13): ReactNode {
  switch (name) {
    case 'claude':
      return <ClaudeIcon size={size} className="shrink-0" />;
    case 'opencode':
      return <OpenCodeIcon size={size} className="shrink-0" />;
    case 'goose':
      return <Bird size={size} className="shrink-0" />;
    case 'qwen':
      return <TermIcon size={size} className="shrink-0" />;
    default:
      return <Dog size={size} className="shrink-0" />;
  }
 }
 /**
 * Human label for a provider/agent name. `null` → "manual" (a RightRail-staged
 * change with no dispatching agent, per §9a). Unknown names pass through
 * verbatim so a future provider still reads sensibly.
 */
 export function providerLabel(name: string | null): string {
  switch (name) {
    case null:
      return 'manual';
    case 'boocode':
      return 'BooCode';
    case 'opencode':
      return 'opencode';
    case 'claude':
      return 'Claude';
    case 'goose':
      return 'goose';
    case 'qwen':
      return 'Qwen';
    default:
      return name;
  }
 }
--- a/apps/web/src/components/panes/CoderMessageList.tsx
+++ b/apps/web/src/components/panes/CoderMessageList.tsx
@@ -147,11 +147,24 @@ interface Props {
  chatId?: string;
  footer?: ReactNode;
  actions?: MessageActions;
  // write-edit-robustness #4: assistant message ids that have a worktree
  // checkpoint. The "Restore to here" control renders only on these.
  checkpointMessageIds?: Set<string>;
  // write-edit-robustness #4: suppress restore during an active turn (mirrors
  // composer gating in CoderPane).
  restoreDisabled?: boolean;
 }
 const CODER_HIDDEN_ACTIONS: ('fork' | 'delete')[] = ['fork'];
-export function CoderMessageList({ messages, chatId, footer, actions }: Props) {
+export function CoderMessageList({
  messages,
  chatId,
  footer,
  actions,
  checkpointMessageIds,
  restoreDisabled,
 }: Props) {
  const endRef = useRef<HTMLDivElement>(null);
  const scrollRef = useRef<HTMLDivElement>(null);
  const isNearBottomRef = useRef(true);
@@ -189,6 +202,8 @@ export function CoderMessageList({ messages, chatId, footer, actions }: Props) {
                message={item.message as unknown as Message}
                actions={actions}
                hideActions={CODER_HIDDEN_ACTIONS}
                hasCheckpoint={checkpointMessageIds?.has(item.message.id) ?? false}
                restoreDisabled={restoreDisabled}
              />
            );
          }
--- a/apps/web/src/components/panes/CoderPane.tsx
+++ b/apps/web/src/components/panes/CoderPane.tsx
@@ -16,6 +16,8 @@ import { toast } from 'sonner';
 import { isSlashCommandToken, mergeCommandsByName, parseSlashInput, slashQuery } from '@/lib/slash-command';
 import { mergeWireToolCall } from '@/lib/coder-tools';
 import { CoderMessageList, type CoderTimelineWire } from '@/components/panes/CoderMessageList';
 import { providerIcon, providerLabel } from '@/components/coder/providerIcons';
 import { refreshAgentSessions } from '@/hooks/useAgentSessions';
 import { cn } from '@/lib/utils';
 // ---------------------------------------------------------------------------
@@ -56,6 +58,10 @@ interface PendingChange {
  diff?: string;
  new_content?: string;
  status: 'pending' | 'approved' | 'rejected';
  // v2.6 Phase 1-UX §9a: which agent staged this change. 'boocode' for native
  // write tools, the dispatched agent for worktree edits, null for a manual
  // RightRail-staged create (renders as a neutral "manual" badge).
  agent: string | null;
 }
 interface Props {
@@ -375,6 +381,29 @@ function usePendingChanges(sessionId: string) {
  return { changes, loading, refresh, approve, reject };
 }
 // write-edit-robustness #4: which assistant messages in this chat have a
 // worktree checkpoint, so CoderMessageList can offer "Restore to here" only on
 // those. Refetched on message_complete (same trigger as pending changes) and
 // after a successful restore.
 function useCheckpoints(sessionId: string, chatId: string | undefined) {
  const [messageIds, setMessageIds] = useState<Set<string>>(() => new Set());
  const refresh = useCallback(() => {
    if (!chatId) {
      setMessageIds(new Set());
      return Promise.resolve();
    }
    return api.coder
      .getCheckpoints(sessionId, chatId)
      .then((res) => setMessageIds(new Set(res.checkpoints.map((c) => c.message_id))))
      .catch(() => {/* boocoder may be down / endpoint not ready */});
  }, [sessionId, chatId]);
  useEffect(() => { void refresh(); }, [refresh]);
  return { checkpointMessageIds: messageIds, refreshCheckpoints: refresh };
 }
 // ---------------------------------------------------------------------------
 // Sub-components
 // ---------------------------------------------------------------------------
@@ -382,18 +411,52 @@ function usePendingChanges(sessionId: string) {
 function DiffPanel({
  changes,
  loading,
  currentProvider,
  onRefresh,
  onApprove,
  onReject,
 }: {
  changes: PendingChange[];
  loading: boolean;
  currentProvider: string;
  onRefresh: () => void;
  onApprove: (id: string) => void;
  onReject: (id: string) => void;
 }) {
  const pending = changes.filter((c) => c.status === 'pending');
  // v2.6 Phase 1-UX §9a: when pending changes span >1 distinct agent, surface a
  // one-line "Changes from <a>, <b>" note so mixed provenance is obvious. Null
  // (manual) counts as its own bucket and renders as "manual".
  const distinctAgents = Array.from(new Set(pending.map((c) => c.agent)));
  const mixedNote =
    distinctAgents.length > 1
      ? `Changes from ${distinctAgents.map((a) => providerLabel(a)).join(', ')}`
      : null;
  // v2.6 §9c: staging-boundary caveat. External agents (opencode/goose/qwen/
  // claude) edit *inside their worktree*; native boocode reads/writes the
  // *project root* via pending_changes. Unapplied edits don't cross that
  // boundary. When the currently-selected provider can't see another side's
  // staged-but-unapplied edits, surface a muted one-liner. agent===null
  // (manual) is boundary-neutral. Pure derivation — no new state/fetch.
  const isNativeProvider = currentProvider === 'boocode';
  const boundaryHint = (() => {
    if (isNativeProvider) {
      // Native boocode is selected: it won't see external-worktree edits.
      const external = distinctAgents.filter((a) => a !== null && a !== 'boocode');
      if (external.length === 0) return null;
      const who =
        external.length === 1
          ? providerLabel(external[0]!)
          : external.map((a) => providerLabel(a)).join(', ');
      return `${who}'s edits live in its worktree — BooCode won't see them until applied.`;
    }
    // An external agent is selected: it won't see boocode's project-root edits.
    if (!distinctAgents.includes('boocode')) return null;
    return `BooCode's edits live in the project root — ${providerLabel(currentProvider)} won't see them until applied.`;
  })();
  return (
    <div className="flex flex-col h-full border-t border-border">
      <div className="flex items-center justify-between px-3 py-1.5 border-b border-border bg-muted/30">
@@ -410,6 +473,19 @@ function DiffPanel({
          <RefreshCw size={12} className={loading ? 'animate-spin' : ''} />
        </button>
      </div>
      {mixedNote && (
        <div className="px-3 py-1 border-b border-border bg-muted/10 text-[11px] text-muted-foreground truncate">
          {mixedNote}
        </div>
      )}
      {boundaryHint && (
        <div
          className="px-3 py-1 border-b border-border bg-muted/10 text-xs text-muted-foreground"
          title={boundaryHint}
        >
          {boundaryHint}
        </div>
      )}
      <div className="flex-1 overflow-y-auto">
        {pending.length === 0 ? (
          <div className="flex items-center justify-center h-full text-sm text-muted-foreground">
@@ -420,14 +496,25 @@ function DiffPanel({
            {pending.map((change) => (
              <div key={change.id} className="px-3 py-2">
                <div className="flex items-center justify-between mb-1">
-                  <span className="text-xs font-mono text-foreground truncate flex-1 mr-2">
+                  <span className="text-xs font-mono text-foreground truncate flex-1 mr-2 inline-flex items-center min-w-0">
                    <span
                      className="inline-flex items-center gap-1 rounded border border-border bg-muted/40 px-1 py-px mr-1.5 text-[10px] font-medium text-muted-foreground shrink-0"
                      title={
                        change.agent === null
                          ? 'Manually staged (no dispatching agent)'
                          : `Staged by ${providerLabel(change.agent)}`
                      }
                    >
                      {providerIcon(change.agent, 11)}
                      <span>{providerLabel(change.agent)}</span>
                    </span>
                    <span className={cn(
-                      'inline-block w-1.5 h-1.5 rounded-full mr-1.5',
+                      'inline-block w-1.5 h-1.5 rounded-full mr-1.5 shrink-0',
                      change.operation === 'create' && 'bg-green-500',
                      change.operation === 'modify' && 'bg-yellow-500',
                      change.operation === 'delete' && 'bg-red-500',
                    )} />
-                    {change.file_path}
+                    <span className="truncate">{change.file_path}</span>
                  </span>
                  <div className="flex items-center gap-1 shrink-0">
                    <button
@@ -576,6 +663,7 @@ export function CoderPane({
    },
  });
  const { changes, loading, refresh, approve, reject } = usePendingChanges(sessionId);
  const { checkpointMessageIds, refreshCheckpoints } = useCheckpoints(sessionId, chatId);
  const [input, setInput] = useState('');
  const [sending, setSending] = useState(false);
  const [queue, setQueue] = useState<string[]>([]);
@@ -586,15 +674,27 @@ export function CoderPane({
  // dispatch returns — so queueing/stop must key on this combined signal.
  const generating = sending || activeTaskId !== null;
-  // Refresh pending changes when a message_complete arrives
+  // Refresh pending changes (and agent-session state for the §9b chip) when a
  // message_complete arrives — same trigger usePendingChanges already uses.
  // write-edit-robustness #4: also refetch checkpoints so a new turn's snapshot
  // surfaces its "Restore to here" control.
  useEffect(() => {
    const lastAssistant = [...messages].reverse().find(
      (m): m is CoderMessage => m.role === 'assistant',
    );
    if (lastAssistant?.status === 'complete') {
      refresh();
      void refreshCheckpoints();
      void refreshAgentSessions(sessionId);
    }
-  }, [messages, refresh]);
+  }, [messages, refresh, refreshCheckpoints, sessionId]);
  // The §9b chip only shows once the chat has ≥1 prior turn (a completed
  // assistant message). Hidden on a brand-new chat.
  const hasPriorTurn = useMemo(
    () => messages.some((m) => m.role === 'assistant' && (m as CoderMessage).status === 'complete'),
    [messages],
  );
  // Poll fallbacks when WS is disconnected (reconnect uses WS as source of truth)
  useEffect(() => {
@@ -794,6 +894,38 @@ export function CoderPane({
    }
  }, [activeTaskId]);
  // write-edit-robustness #4: reset the worktree to a message's checkpoint and
  // trim the transcript past it. The confirm lives in MessageBubble's ActionRow
  // (plain Cancel/Restore). The restore route is keyed by checkpoint id, so we
  // resolve message→checkpoint via a fresh GET (cheap, and avoids a stale id if
  // the set changed). On success, refetch messages so the trimmed transcript
  // shows, plus checkpoints (later ones were deleted server-side) and pending
  // changes (the worktree was reset).
  const handleRestoreCheckpoint = useCallback(async (_chatId: string, messageId: string) => {
    if (!chatId || generating) return;
    let checkpointId: string | undefined;
    try {
      const res = await api.coder.getCheckpoints(sessionId, chatId);
      checkpointId = res.checkpoints.find((c) => c.message_id === messageId)?.id;
    } catch (err) {
      toast.error(err instanceof Error ? err.message : 'failed to load checkpoint');
      return;
    }
    if (!checkpointId) {
      toast.error('No checkpoint found for this message');
      return;
    }
    try {
      await api.coder.restoreCheckpoint(sessionId, checkpointId);
      await loadMessages();
      await refreshCheckpoints();
      refresh();
      toast.success('Restored to checkpoint');
    } catch (err) {
      toast.error(err instanceof Error ? err.message : 'restore failed');
    }
  }, [chatId, generating, sessionId, loadMessages, refreshCheckpoints, refresh]);
  const handleChatInputSlash = useCallback(async (skillName: string, userMessage: string) => {
    if (!chatId) return;
    // Only BooCoder skills route here; an agent's own commands (not skills) fall
@@ -834,6 +966,8 @@ export function CoderPane({
        onChange={setAgentConfig}
        onProviderCommandsChange={handleProviderCommandsChange}
        connected={connected}
        sessionId={sessionId}
        hasPriorTurn={hasPriorTurn}
      />
      {/* Chat area — BooChat-style timeline (text + tool runs as siblings) */}
      <div className="flex-1 min-h-0 flex flex-col">
@@ -846,8 +980,11 @@ export function CoderPane({
          <CoderMessageList
            messages={messages as CoderTimelineWire[]}
            chatId={chatId}
            checkpointMessageIds={checkpointMessageIds}
            restoreDisabled={generating}
            actions={{
              onResend: async (_chatId, content) => { await sendOneMessage(content); },
              onRestoreCheckpoint: handleRestoreCheckpoint,
            }}
            footer={
              activeTaskId && !permissionPrompt && sending === false ? (
@@ -872,6 +1009,7 @@ export function CoderPane({
          <DiffPanel
            changes={changes}
            loading={loading}
            currentProvider={agentConfig.provider}
            onRefresh={refresh}
            onApprove={approve}
            onReject={reject}
--- a/apps/web/src/hooks/useAgentSessions.ts
+++ b/apps/web/src/hooks/useAgentSessions.ts
@@ -0,0 +1,88 @@
 // v2.6 Phase 1-UX §9b — chat-scoped agent-session state.
 //
 // Reads GET /api/coder/sessions/:id/agent-sessions (the per-(chat,agent)
 // backend-session rows) and drives the AgentComposerBar resumed/new-session
 // chip. Module-singleton external store keyed by sessionId — same shape as
 // useProviderSnapshot — so the two consumers (CoderPane, which owns the
 // message_complete WS signal, and AgentComposerBar, which renders the chip)
 // share one cache and one fetch per chat. CoderPane calls
 // refreshAgentSessions(sessionId) on each message_complete (the same trigger
 // usePendingChanges already keys off); the chip then reflects the freshly
 // resumed/created session.
 import { useEffect, useSyncExternalStore } from 'react';
 import { api, type AgentSessionInfo } from '@/api/client';
 type Entry = {
  data: AgentSessionInfo[];
  inflight: Promise<AgentSessionInfo[]> | null;
 };
 const store = new Map<string, Entry>();
 const listeners = new Set<() => void>();
 const EMPTY: AgentSessionInfo[] = [];
 function notify(): void {
  for (const fn of listeners) fn();
 }
 function subscribe(fn: () => void): () => void {
  listeners.add(fn);
  return () => listeners.delete(fn);
 }
 function getEntry(sessionId: string): Entry {
  let entry = store.get(sessionId);
  if (!entry) {
    entry = { data: EMPTY, inflight: null };
    store.set(sessionId, entry);
  }
  return entry;
 }
 async function doFetch(sessionId: string): Promise<AgentSessionInfo[]> {
  const data = await api.coder.agentSessions(sessionId);
  const entry = getEntry(sessionId);
  entry.data = data;
  entry.inflight = null;
  notify();
  return data;
 }
 function ensureLoaded(sessionId: string): void {
  const entry = getEntry(sessionId);
  if (entry.data !== EMPTY || entry.inflight) return;
  entry.inflight = doFetch(sessionId).catch(() => {
    // boocoder may be down or the chat has no agent-session rows yet; treat as
    // empty (the chip falls back to "new session" / hides).
    const e = getEntry(sessionId);
    e.inflight = null;
    return EMPTY;
  });
 }
 /** Force a refetch for one chat. Wired to message_complete by CoderPane. */
 export function refreshAgentSessions(sessionId: string): Promise<AgentSessionInfo[]> {
  const entry = getEntry(sessionId);
  entry.inflight = null;
  return doFetch(sessionId);
 }
 /**
 * Chat-scoped agent-session rows. Pass `undefined` to opt out (no fetch, empty
 * result) — AgentComposerBar does this for BooChat callers and fresh chats so
 * the chip stays hidden. Fetches on mount (and on sessionId change); refetch on
 * message_complete is driven externally via refreshAgentSessions.
 */
 export function useAgentSessions(sessionId: string | undefined): {
  sessions: AgentSessionInfo[];
 } {
  const sessions = useSyncExternalStore(
    subscribe,
    () => (sessionId ? getEntry(sessionId).data : EMPTY),
  );
  useEffect(() => {
    if (sessionId) ensureLoaded(sessionId);
  }, [sessionId]);
  return { sessions: sessionId ? sessions : EMPTY };
 }
--- a/boocode_code_review_v2.md
+++ b/boocode_code_review_v2.md
@@ -0,0 +1,253 @@
 # BooCode — External Code Review v2 (lift findings)
 Last updated: 2026-05-31
 **Synced through `v2.6.6-claude-md` (HEAD, 2026-05-31).** The **AGPL-3.0 → MIT relicense decision** (remove all **3** AGPL-derived files) and the **jinja-gate-green** resolution are folded in below — they **supersede this doc's earlier "AGPL confirmed, recommendation stands" / two-file framing.** Canonical plan: the roadmap's `## License-debt — relicense AGPL-3.0 → MIT (planned)` batch.
 A point-in-time **findings** doc, not a standing inventory. It consolidates two reconnaissance passes against the upstream forks at `/opt/forks/` and decides, per area, what BooCode should do about it. Pin it so the same upstreams aren't re-evaluated from scratch next month.
 > **Companion docs:** `boocode_code_review.md` is the standing external-repo inventory (every repo BooCode references, *why* each earned its row, license analysis). `boocode_roadmap.md` is the canonical shipping-state / version-ordering source. This v2 doc is the **action layer** on top of both: "given what's upstream as of 2026-05-31, here's the lift/cross-check/re-derive/n-a call." Reconcile shipping state via the roadmap when in doubt; fold durable rows back into `boocode_code_review.md`.
 ## Sources feeding this doc
 1. **Paseo recon (Sam)** — two passes: a Phase 2/3 server-manager recon and a claude-transport recon. Conclusions consolidated by area below (§2a). AGPL-3.0 — **pattern-only, no code lift, ever.**
 2. **Three-fork agent sweep (this session, 2026-05-31)** — read-only general-purpose agents over `anomalyco/opencode` (MIT, code-liftable), `getpaseo/paseo` (AGPL, pattern-only), `ggml-org/llama.cpp` (consumed via llama-swap/sidecar — adopt features/flags, not C++). Detail in §2–§4.
 3. **Second fork sweep (this session, 2026-05-31)** — 8 read-only agents over the remaining 11 repos in `/opt/forks/` (conductor, superset, openchamber, happy, cline, qwen-code, amp-acp, pi-acp, claude-code, goose, unsloth). Detail in §5; high-value items folded into §1.
 ### Caveats
 - `/opt/forks/llama.cpp` is a **shallow clone** (90 commits, ~5 days visible). llama.cpp findings are read from source as it stands today; "what changed when" attribution is limited. `git fetch --unshallow` before the next review.
 - `/opt/forks/opencode` arrived shallow (rooted 2026-05-25); the agent ran `git fetch --unshallow` and re-surveyed the real 6-week window. opencode also did a v2 Effect/event-sourced rewrite (`packages/core/`, `packages/llm/`) — most of that churn is architecturally divergent and ruled out.
 - HEADs at review time: paseo `41cb1af` (main, v0.1.87), opencode `1afa9e3` (dev, ~v1.15.13), llama.cpp `aa46bda8` (detached).
 ## Verdict legend
 | Verdict | Meaning |
 |---|---|
 | **LIFT** | Take it. Flavor noted: *code-lift* (MIT), *pattern-lift* (AGPL/clean-room re-impl), *config-adopt* (new upstream flag), *drop-our-code* (upstream now does it → delete ours). |
 | **RE-DERIVE** | Idea is right, their impl is insufficient/divergent for our needs — write fresh, don't adapt theirs. |
 | **CROSS-CHECK** | We already have it; confirmed current vs upstream. No action. |
 | **TRACK** | Behavioral/external change to be aware of. No code action now. |
 | **N-A** | Not liftable into our architecture, or reduces to a separate decision. |
 -----
 ## 1. Net actionables (priority roll-up)
 Updated after the **second fork sweep** (2026-05-31, §5). New items from that sweep are tagged ⁺.
 | # | Item | Source | Verdict | Maps to | Effort |
 |---|------|--------|---------|---------|--------|
 | 1 | **Relicense AGPL-3.0 → MIT — remove all 3 AGPL files** (`tool-call-parser.ts`, `html-to-md.ts`, `llama-args-validator.ts`). llama-server now parses qwen3.x tool calls server-side (**jinja gate green, §6.1**) → parser goes; html-to-md → permissive lib; llama-args-validator → clean-room; then flip `LICENSE` + 5 `package.json` + headers + prose. **The tree is currently AGPL-3.0.** | llama.cpp + unsloth⁺ | LIFT · drop-our-code (relicense) | License-debt batch (roadmap) | M, staged |
 | 2 | **Warm-ACP backend (goose/qwen)** — one spawn, one `session/new`, many prompts; **validated by qwen's own `qwen --acp` reference impl** (the "qwen ACP was HTTP-only" premise is stale) | Paseo recon + qwen-code⁺ | LIFT · pattern | **v2.6 Phase 2** | M |
 | 3 ⁺ | **Fuzzy patch applier for `edit_file`** — exact→whitespace→Levenshtein match ladder + unicode canon + multi-occurrence guard; BooCoder's `edit_file` is exact-`.includes`-or-throw today | cline⁺ | LIFT · code | edit/diff robustness (local-model drift) | M |
 | 4 ⁺ | **`git stash create` + private-ref checkpoint** — per-turn workspace snapshot capturing **all** state incl. external-agent edits (BooCode `rewind` only undoes its own queued edits) | cline⁺ | LIFT · code | checkpoint/restore UX | M |
 | 5 ⁺ | **opencode lifecycle hardening** — health monitor + crash auto-restart + busy-aware restart + port reclaim + stall-detecting SSE; **MIT, same warm-server architecture** (supersedes the paseo RE-DERIVE — better source) | openchamber⁺ | LIFT · pattern/code | **v2.6 Phase 3** | M |
 | 6 | **Post-interrupt stale-terminal guard** — confirmed correctness bug in `opencode-server.ts`; **now more user-reachable** since `v2.6.5` shipped the Send→Stop composer (`cancelTask`) → abort path is one click | opencode/paseo (verified) | LIFT · pattern (bugfix) | v2.6 Phase 1/2 | S (~½ day) |
 | 7 ⁺ | **Parse qwen/claude `stream-json` NDJSON in PTY fallback** — today stdout is sliced opaque; one parser serves both (Claude-Code-compatible schema) | qwen-code⁺ | LIFT · pattern | v2.6 Phase 2 / dispatch parsing | S |
 | 8 | **ctx/token usage for opencode sessions** — `session.next.step.ended` already on the wire | opencode + paseo (converged) | LIFT · code | v2.6 Phase 1 UX | S–M (~80–150 LoC) |
 | 9 | **Claude continuity + transport** — adopt `@anthropic-ai/claude-agent-sdk`; resume via the SDK's **native `SessionStore`** (`0.3.x`) keyed `(chat_id,agent)`, not happy's hook/jsonl-watcher (predates it). SDK is commercial-terms → runtime dep OK, code reference-only | happy⁺ + SDK `.d.ts`⁺ | LIFT · code + decision | claude-provider batch | M |
 | 10 ⁺ | **Universal-agent notify-hook → normalized status** — inject a hook into each PTY agent's config, normalize ~30 event names → 5 states; gives goose/qwen/claude real working/blocked/done signals | superset⁺ (clean-room, ELv2) | RE-DERIVE | v2.6 Phase 2/3 status | M–H |
 | 11 | **New sampling knobs** `top_n_sigma`, `dry_*` family; **`--reasoning-budget`** | llama.cpp | LIFT · config-adopt | AGENTS.md frontmatter + validator allowlist | S |
 | 12 ⁺ | **File-provenance compaction ledger** (`## Files Read/Modified`) + **`MistakeTracker`** (heterogeneous-failure recovery) | cline⁺ | LIFT · pattern | context-mgmt / recovery | S–M |
 | 13 | Bundle/watch: stall-timeout + retry/backoff (opencode); worktree-archive cascade (paseo); LRU-bound caches; subagent permission demux; tool-pair-atomic prune cross-check (cline)⁺; diff-line→agent re-prompt (superset)⁺ | mixed | WATCH | Phase 2/3, review UX, resilience | varies |
 **Headline:** #1 is the strategic win and is now a **committed decision: relicense AGPL-3.0 → MIT** (the tree is *currently* AGPL — `LICENSE` + all 5 `package.json` are `AGPL-3.0-only`). Scope is **3 AGPL-derived files**, not 2 — this doc's earlier count missed `llama-args-validator.ts` (corrected in §5k). The jinja gate is **green** (§6.1), so it's actionable now. The second sweep added four genuinely-new code lifts: **#3 fuzzy patch applier** and **#4 git-stash checkpoint** (both cline, both directly fix where BooCoder's write/edit surface is weakest for local models), **#5 openchamber lifecycle hardening** (the concrete, MIT, same-architecture answer to v2.6 Phase 3 — supersedes the weaker paseo re-derive), and **#7 stream-json parsing** (cheap, shared by qwen+claude PTY). #2 Phase-2 warm-ACP is now de-risked by qwen's own reference impl. #9 resolves the claude direction (lean SDK).
 -----
 ## 2. Paseo (AGPL-3.0 — pattern-only)
 ### 2a. Consolidated recon, by area (Sam's two passes)
 | Area | Verdict | One-line |
 |------|---------|----------|
 | OpenCode server lifecycle | **CROSS-CHECK** | Paseo hand-rolls the spawn (not `createOpencodeServer`), waits for "listening on" on stdout, port-0 allocation, concurrent callers wait on one `startPromise`, no `OPENCODE_SERVER_PASSWORD`. Same shape BooCode shipped in v2.6.1 — nothing to lift. |
 | OpenCode crash recovery + reconnect | **RE-DERIVE → superseded** | Lazy restart-on-demand (exit handler nulls the server, next `getCurrentServer()` respawns), no active supervision; `resumeSession` does **not** verify the session exists on disk before resuming. Insufficient for Phase 3. **Update (2nd sweep):** `openchamber` (§5c) has a *better, MIT, same-architecture* version — health-monitor state machine + crash auto-restart + busy-aware restart. Lift from openchamber, not paseo. |
 | Warm-ACP supervision (goose/qwen) | **LIFT · pattern** | `SpawnedACPProcess`: one spawn, one `session/new`, many prompts; child lives for the session not the turn; per-turn abort = `connection.cancel({sessionId})` **without killing the child**; child-exit fires `turn_failed` (no restart). Clean signal split; integrates against BooCode's existing `acp-dispatch.ts`. **This is the Phase 2 lift — and qwen-code (§5f) ships its own `qwen --acp` reference impl that validates the whole approach.** |
 | OpenCode reasoning dedup | **CROSS-CHECK** | `streamedPartKeys` keyed `reasoning:${partID}`; delta adds the key, final part skips if present, cleared per turn. Identical to v2.6.1. |
 | Claude transport | **N-A** | Paseo uses `@anthropic-ai/claude-agent-sdk` in stream-json mode, not PTY. Getting Paseo's transport means adopting the SDK — net-new integration, not a lift. |
 | Claude continuity | **LIFT · code** | `claude --resume <sessionId>` across turns: capture the session id from claude's output, store it, pass `--resume` next turn; claude re-reads its transcript and continues. Small change to BooCode's PTY dispatch (run with `--output-format stream-json`, parse the id, persist, resume). **The actionable claude finding.** |
 | Claude streaming/parsing | **N-A** | Structured events (tool calls, reasoning, partials) come from the SDK; PTY degrades to scraping. Adopting structured claude streaming = adopting the SDK — separate decision. |
 | Claude session persistence | **CROSS-CHECK** | Same `describePersistence`/`resumeSession` shape BooCode already has for opencode; claude slots in. Neither Paseo nor BooCode verifies the transcript exists on disk before resume (**shared open question** — see §5). |
 **Recon's net:** LIFT = warm-ACP supervision (Phase 2) + claude `--resume` continuity (standalone batch). RE-DERIVE = OpenCode crash recovery (Phase 3). Everything else cross-check or n/a. The two n/a claude items both reduce to **one deferred decision: adopt `@anthropic-ai/claude-agent-sdk` or stay PTY.**
 ### 2b. Additional findings (this session's Paseo agent sweep)
 These came from the broader agent pass, not the targeted Phase 2/3 recon. Where they touch the same code as §2a, the §2a recon is authoritative.
 | Finding | Verdict | Notes |
 |---------|---------|-------|
 | **Post-interrupt stale-terminal suppression** (paseo `1d38aac`) | **LIFT · pattern (bugfix)** | See §3 #3 — verified to be a live bug in BooCode. Highest-confidence paseo item. |
 | **Provider-agnostic `AgentUsage`** normalized usage/cost frame | **LIFT · pattern** | Converges with opencode's `session.next.step.ended` (§3 #4). Paseo's `{inputTokens, cachedInputTokens, outputTokens, totalCostUsd, contextWindowMax/Used}` is the target *shape* for normalizing across providers; do the opencode slice first. |
 | **Worktree-archive → cascade-archive agents + schedule cleanup** (paseo `b6103a5`) | **WATCH → adopt in Phase 3** | Soft-delete (keep `archivedAt`), single archive event fans out to children + downstream rows, `Promise.allSettled` so one failed delete doesn't abandon the rest. Right shape for the v2.6 Phase 3 worktree reaper. |
 | **Server retire/refcount + LRU-bound caches** (paseo `server-manager.ts`, leak-fix `f20393d`) | **WATCH** (low confidence) | The agent read a retire-set/refcount mechanism; the §2a server-manager recon concluded "nothing to lift." Treat the *lifecycle* as cross-check (§2a wins). The one durable takeaway: **bound the per-session/per-worktree Maps in the warm opencode server** (long-lived daemon → unbounded caches leak). Confirm against §2a before acting. |
 | **Subagent permission forwarding** (paseo `44863ec`) | **WATCH (gated)** | opencode `task` tool spawns child sessions; forward `permission.asked` from tracked children by `parentID` demux. **Blocked:** BooCode's opencode-SSE path has zero permission handling today (runs auto-approve). Reachable only after BooCoder builds opencode-SSE permission cards at all. Ties to v2.4. |
 -----
 ## 3. OpenCode (MIT — code-liftable)
 | # | Finding | Evidence | Verdict | Notes |
 |---|---------|----------|---------|-------|
 | 1 | **Consume the fuller `session.next.*` event set** in `opencode-server.ts` | `packages/core/src/session/event.ts:105-365`; BooCode handles only ~5 arms (`opencode-server.ts:215-311`) | **LIFT · code** | Events already in the **installed** `@opencode-ai/sdk` — **no dep bump.** High-value arms: **`step.ended`** (`{tokens{input,output,reasoning,cache},cost}` → #4 below); **`compaction.{started,delta,ended}`** (warm server auto-compacts mid-conversation; today shows as a silent context gap); `tool.progress`, `tool.input.{started,delta}`, `retried`, `step.failed`. |
 | 4 | **ctx/token usage for opencode** (the high-value slice of #1) | `event.ts:117-135` | **LIFT · code** | Closes the roadmap-named gap: *"opencode/goose/qwen/claude dispatch with no ctx/token usage; only native boocode tracks ctx."* Mirror BooChat's existing `'usage'` WS frame on the coder side; accumulate per `(chat, agent)`. Converges with paseo `AgentUsage` (§2b). |
 | 2 | **Stalled-stream chunk-timeout** (`wrapSSE` + header timeout) | `provider/provider.ts:40-96` (`f965db9`, `c7e1fc5`) | **WATCH · pattern** | BooChat's `stream-phase.ts` has **no server-side stall timeout** — a hung llama-swap stream relies entirely on the frontend 60s `discard_stale` watchdog. ~40-60 LoC to wrap the `fullStream` loop with a per-chunk timeout firing the existing abort path. Low incidence on a single local instance; do it if stuck rows recur. |
 | 3 | **Retry-with-backoff + retryability classifier** (`session/retry.ts`) | `session/retry.ts`, `message-v2.ts:1155` (`14e0b9b`) | **WATCH · pattern** | BooChat has **zero** retry logic. `delay()` parses `retry-after[-ms]` headers w/ exp-backoff fallback; `retryable()` classifies transient-5xx / rate-limit / context-overflow-exclusion. Strip the Go-billing arms. Pairs naturally with #2. llama-swap rarely emits `retry-after`, so value is mostly transient-5xx/stall retry. |
 | — | **MCP auth file-lock** (`mcp/auth.ts`, `fa73ec4`) | — | **N-A (deferred)** | Serializes concurrent OAuth token refreshes. Can't trigger — BooCode's config schema *rejects* OAuth MCP servers until secret storage lands (roadmap). Note for when OAuth MCP is un-deferred. |
 **Confirmed current (cross-check, no refresh needed):** compaction algorithm (incl. `tail_start_id`/`splitTurn` post-fix — verified identical), two-tier prune, truncate, run-loop (BooCode drives off live `result.toolCalls`, not a history scan — not vulnerable to opencode's interrupted-tool re-prompt bug), doom-loop guard, MCP client, permission ruleset. **Ruled out:** v2 Effect/event-sourced core, `packages/llm/` native runtime (diverges from the AI SDK v6 BooCode just adopted), adaptive-reasoning (cloud-Anthropic only), `acp-next` (BooCoder is the ACP *client*).
 -----
 ## 4. llama.cpp (consumed via llama-swap / llama-sidecar — adopt features, not C++)
 ### 4a. ⭐ Retire the AGPL tool-call parser — **LIFT · drop-our-code**
 llama-server moved to a **template-learning PEG auto-parser + lazy grammar** that parses qwen3.5/3.6's tool markup server-side into OpenAI `tool_calls`.
 - **Evidence:** `common/chat-auto-parser-generator.cpp`, `common/chat-diff-analyzer.cpp` (1570 lines), `common/chat-peg-parser.cpp`; shipped `models/templates/Qwen3.5-4B.jinja` (uses BooCode's exact Pattern-2 `<tool_call><function=…><parameter=…>` + `<think>`); server emits structured `tool_calls` in **both** non-streaming and streaming (`tools/server/server-chat.cpp:421-577`), reasoning split into `reasoning_content`/`reasoning_content_delta`. `tool_choice=required` + grammar-constrained calls exist (`common/chat.cpp:290-300`).
 - **Gate (RESOLVED — green, Sam 2026-05-31):** llama-server runs with **`--jinja` + a qwen3.x template**, so server-side tool-call parsing is live. BooCode already treats `--jinja`/`--chat-template*` as managed flags (`llama-args-validator.ts:92-102` — itself one of the 3 AGPL files to clean-room) and sends `tools`/`toolChoice:'auto'` through the AI SDK (`stream-phase.ts:202,438`). The retirement is actionable now (§6.1).
 - **What's missing:** no qwen3.x-named native handler — qwen3.6 rides the generic template-driven path. The template teaches Patterns 1 (`<tool_call>{json}`) and 2 (`<function=…>`) but **not Pattern 3 (`<invoke name=…>`)**, the Anthropic-shape residue qwen drifts into.
 - **Staged plan (do not delete blind — CLAUDE.md notes qwen3.6 was unreliable):**
  1. Confirm `--jinja` + Qwen3.5 template are live (add the flags if not).
  2. Validate native `tool_calls` against **real qwen3.6 streaming** for one release, behind a feature flag.
  3. Trim `tool-call-parser.ts` to a **clean-room `<invoke>`-only fallback** (~250 of 427 lines deletable; rewrite the remainder without Unsloth/AGPL provenance). **Net: AGPL-3.0 liability eliminated** even if a thin fallback stays.
 ### 4b. Config-level adopts — **LIFT · config-adopt** (pass straight through llama-swap as OpenAI-compat body fields; no binary upgrade)
 - **New sampling params** (`server-task.cpp:279-290`): `top_n_sigma`, `xtc_probability/threshold`, `typical_p`, the **`dry_*` repetition family** (`dry_multiplier/base/allowed_length/penalty_last_n/sequence_breakers`), `frequency_penalty`, `repeat_penalty`. `top_n_sigma` + `dry_*` are the high-value pair for an agentic model prone to loops — ties to the doom-loop sentinel. Surface in AGENTS.md frontmatter + the validator allowlist.
 - **`--reasoning-budget N`** (`LLAMA_ARG_THINK_BUDGET`) + `--reasoning on|off|auto`, default `reasoning_format=auto`: server-side cap on qwen3.6 thinking (cheaper turns) without prompt hacks, and `reasoning_content` arrives as a **separate field** — BooCode could consume it directly instead of scraping `<think>`.
 ### 4c. Behavioral changes — **TRACK** (no code action; awareness)
 - **SSE headers sent at slot-start** (`0821c5fcf`): in stream mode, HTTP 200 + headers flush when prompt processing *begins*, before the first token. BooCode keys its stale-stream timer on **token activity**, not header arrival → safe, but time-to-headers semantics shift. Also `task_params.stream` default flipped `true → false` — harmless for BooCode (always sets `stream`), but any llama-swap/sidecar code omitting `stream` now defaults to non-streaming.
 - **`/props` router-mode dummy `n_ctx:0`** (`server-models.cpp:1170-1173`): llama.cpp gained a native multi-model router; its **bare** `/props` (no `?model=`) returns `n_ctx:0`. BooCode reads `/upstream/<model>/props` which resolves to a specific model → still correct today. Silent failure mode only if a bare router `/props` is ever hit: `ctx_max=0` → rejected → negative-cache masks the misconfig → compaction budget degrades. (Aside: the native router could eventually **replace llama-swap** — separate evaluation.)
 - **`LLAMA_ARG_` env-prefix unification** (`6b4e4bd58`): confirm the sidecar's `LLAMA_*` env vars use the `LLAMA_ARG_` prefix.
 ### 4d. **SKIP**
 - Native **Anthropic Messages API** in llama-server (`test_compat_anthropic.py`) — BooCode is OpenAI-compat via the AI SDK; switching wire formats buys nothing. (Minor TRACK: could in principle back a local "claude-compatible" provider — net-new feature, not a lift.)
 - Qwen 3.5/3.6 **TP granularity fix** (`8b0e0db60`) — only relevant if running qwen3.6 across 3 GPUs with tensor-parallel; then it's a binary-upgrade correctness fix, not an API change.
 - HTTP ETags / `--api-key-file` / timeout bump — irrelevant behind Authelia + llama-swap.
 -----
 ## 5. Second fork sweep (2026-05-31) — 11 repos
 Read-only agent review of everything else in `/opt/forks/` except the three already covered (paseo/opencode/llama.cpp), BooCode's own `llama-sidecar`, and `codecontext`/`codesight` (skipped on request). Repos: **conductor, superset, openchamber, happy, cline, qwen-code, amp-acp, pi-acp, claude-code, goose, unsloth.** Shallow clones (history-limited but source intact): cline, qwen-code, amp-acp, pi-acp, claude-code, goose, unsloth. Full: conductor, superset, openchamber, happy.
 ### 5a. openchamber (`openchamber/openchamber`, **MIT** — code-liftable) ⭐
 Multi-runtime (web/PWA/Electron/VS Code) GUI for **opencode-as-warm-server** — the closest architectural sibling to BooCoder's backend. **Stronger than BooCode in exactly one dimension: opencode process-lifecycle hardening** (BooCode's v2.6 Phase 3 frontier). Divergence shaping every lift: openchamber runs **one global opencode server + one `/global/event` stream**; BooCode runs per-`(chat,agent)` sessions with per-session `event.subscribe({directory})` — so these are pattern/code-adaptation lifts, not drop-ins.
 | # | Finding | Evidence (HEAD `a394a877`) | Verdict | Maps to |
 |---|---------|---------|---------|---------|
 | 5c | **Lifecycle hardening: health monitor + crash auto-restart + busy-aware restart** | `packages/web/server/lib/opencode/lifecycle.js` — `runHealthCheckCycle` (L896), `HEALTH_CHECK_MAX_CONSECUTIVE_FAILURES=20`, `shouldSkipRestartForBusySessions`+`STALE_BUSY_GRACE_MS` (L872/838), `startHealthMonitoring` 15s (L938), `triggerHealthCheck` (L930). BooCode's `opencode-server.ts:143` literally comments *"recovery is Phase 3"* | **LIFT · pattern** | **v2.6 Phase 3** (#5) |
 | | **Port reclaim before respawn** (`killProcessOnPort` lsof+kill, `waitForPortRelease` net.connect poll) | `lifecycle.js:44,101`, used in `restartOpenCode` L595 | LIFT · code (S) | Phase 3 |
 | | **Stall-detecting SSE reader + `Last-Event-ID` replay** (2048-event ring, 20s stall-abort) | `lib/event-stream/upstream-reader.js:110-131`, `global-hub.js:88-149` | LIFT · pattern (the stall-timer half is S, high-value) | hardens `runSessionEventLoop` |
 | | **`OPENCODE_SERVER_PASSWORD` scheme confirmed** = `Authorization: Basic base64("opencode:"+pw)`, rotate-on-restart | `packages/vscode/src/opencode.ts:55-65,786`; `lifecycle.js:458` | CROSS-CHECK → LIFT · config | closes a known unknown (BooCode runs the warm server unsecured on loopback) |
 | | Worktree layout/reaper mirrors opencode's `<data>/worktree/<projectID>/`; `removeWorktree` saga | `packages/vscode/src/gitService.ts:1062,1874` | CROSS-CHECK | Phase 3 reaper; check BooCode's worktree paths align with opencode's expected layout |
 Ruled out: warm-ACP/goose/qwen/claude (openchamber is **opencode-only**), SSE part-translation/reasoning-dedup (BooCode's is more complete), Arena-equivalent, permission cards — all already-better-in-BooCode or N-A.
 ### 5b. cline (`cline/cline`, **Apache-2.0** — code-liftable) ⭐
 Re-architected into a layered SDK. Two strong **code** lifts that hit exactly where BooCoder's write/edit surface is weakest for local quantized models.
 | # | Finding | Evidence (HEAD `31a118f`) | Verdict | Maps to |
 |---|---------|---------|---------|---------|
 | 5d | **`git stash create` + private-ref checkpoint** — per-turn snapshot of full dirty worktree, GC-safe, invisible to `git stash list`, restorable with conversation-trim in sync | `sdk/packages/core/src/hooks/checkpoint-hooks.ts:177-253`; `session/checkpoint-restore.ts:161-189` | **LIFT · code+pattern** (#4) | checkpoint/restore — captures **external-agent** edits BooCode's `rewind` can't |
 | 5e | **Fuzzy patch applier** — exact→`trimEnd`→`trim`→Levenshtein≥0.66 ladder + unicode canon (dashes/curly-quotes/nbsp) + multi-occurrence guard; unmatched→warning not throw | `extensions/tools/executors/apply-patch-parser.ts:347-431,58-83`; `editor.ts:133-143` | **LIFT · code** (#3) | BooCoder `edit_file` is exact `.includes`-or-throw (`pending_changes.ts:111`) |
 | | **File-provenance carry-forward** — `## Files {Read,Modified}` ledger merged across compactions, deterministic | `extensions/context/compaction-shared.ts:351-410` | LIFT · pattern (#12) | context-mgmt |
 | | **`MistakeTracker`** — counts *heterogeneous* consecutive failures (api/invalid-tool/exec), injects recovery guidance + resets vs hard-stop | `runtime/safety/mistake-tracker.ts:82-142` | LIFT · pattern (#12) | complements doom-loop (which only catches *identical* repeats) |
 | | Tool-pair-atomic compaction eviction (BFS over `tool_use_id`, turn-boundary cut) | `extensions/context/basic-compaction.ts:181-205` | CROSS-CHECK | verify `selectPruneTargets` never orphans a `tool_result` |
 Ruled out: prompt-caching (Anthropic `cache_control` markers — N-A, llama.cpp auto-prefix-caches), stream retry (delegated to AI SDK — same as BooCode), MCP marketplace, hub/daemon (multi-client — BooCode is single-process).
 ### 5f. qwen-code (`QwenLM/qwen-code` v0.17.0, **Apache-2.0** — code-liftable) ⭐
 **The "qwen = one-shot PTY because ACP was HTTP-only" premise is obsolete.** qwen now ships a full stdio-ACP agent, a `qwen serve` HTTP+SSE daemon, and a Claude-Code-compatible stream-json protocol.
 | # | Finding | Evidence | Verdict | Maps to |
 |---|---------|---------|---------|---------|
 | | **Warm `qwen --acp` is real** — multi-session `Map<sessionId,Session>`, `loadSession`/`unstable_resumeSession`, `setSessionMode`/`unstable_setSessionModel`, stdio NDJSON via `@agentclientprotocol/sdk` | `packages/cli/src/acp-integration/acpAgent.ts:308,322-351,384-568` | CROSS-CHECK → **LIFT · pattern** (#2) | **v2.6 Phase 2** — validates the openspec plan; wire goose/qwen to `acp-dispatch.ts` |
 | 5g | **stream-json = Claude-compatible NDJSON** (`system`/`assistant`/`result`/`stream_event` with `content_block_delta` text/thinking/tool deltas, `usage`, `session_id`) — BooCode **parses none of it** (`dispatcher.ts:406` slices stdout opaque) | `nonInteractive/types.ts:88-262`, `StreamJsonOutputAdapter.ts` | **LIFT · pattern** (#7) | one parser serves qwen **and** claude PTY fallbacks |
 | | **Resume primitives** `--resume <uuid\|title>` / `--continue` / `--session-id <uuid>` / `--fork-session` | `config/config.ts:825-985,1668-1721` | LIFT · config | mint a stable per-`(chat,agent)` UUID; parity with claude `--resume` |
 | | `qwen serve` daemon + `@qwen-code/sdk` (HTTP+SSE, **`Last-Event-ID` replay ring**, better than opencode's SSE) | `commands/serve.ts:51-266`; `packages/sdk-typescript/src/daemon/*` | TRACK | stdio-ACP is cheaper now; mine its SSE-reconnect design when hardening opencode SSE (converges w/ openchamber 5c) |
 Note: BooCode ships `@agentclientprotocol/sdk@^0.22.1` (newer than qwen's `^0.14.1`) — same package family, BooCode ahead; **cross-check the v0.14↔v0.22 `initialize`/capability handshake before relying on `unstable_resumeSession`** (the `unstable_` prefix signals churn). Ruled out: the `rewind` commit (`c699738`) is a qwen-TUI history-count fix, not a wire event — N-A.
 ### 5h. happy (`slopus/happy`, **MIT** — code-liftable) ⭐
 Mobile/remote client that drives **Claude Code** via the **`@anthropic-ai/claude-agent-sdk`** (NOT PTY). A working existence-proof for BooCode's claude SDK-vs-PTY decision. **SDK note (published `.d.ts` reviewed 2026-05-31, `@0.3.158`):** the SDK is under **Anthropic Commercial Terms** (`package.json` `license: "SEE LICENSE IN README.md"`) — not OSS, so **runtime dep OK but code/examples are reference-only, do not vendor** (esp. mid AGPL→MIT cleanup). It now ships a **native pluggable `SessionStore` + `resume`** that **supersedes happy's hook/jsonl-watcher** (happy pins `^0.2.96`, before that API landed). Readable refs on disk: `/opt/forks/claude-agent-sdk-python` (MIT mirror) + `/opt/forks/claude-agent-sdk-typescript` (examples, commercial terms).
 | # | Finding | Evidence (HEAD `21c6ced`) | Verdict | Maps to |
 |---|---------|---------|---------|---------|
 | | **Claude Agent SDK in streaming-input mode** — one persistent `query()` fed a `PushableAsyncIterable<SDKUserMessage>`; structured `system/init` (tools/skills/mcp), `assistant`, `result`, tool parts — no stdout scraping | `claude/sdk/query.ts`, `claude/claudeRemote.ts:152-259`; dep `@anthropic-ai/claude-agent-sdk@^0.2.96` | **LIFT · pattern** + resolves the decision → **lean SDK** (#9) | claude-provider direction |
 | 5i | **Session resume — use the SDK's native `SessionStore`, not happy's hook/watcher.** happy uses a SessionStart-hook + jsonl-watcher because it pins SDK `^0.2.96`; the current SDK (`0.3.158`) exposes a pluggable `SessionStore` (`append`/`load`/`listSessions`/`delete`/`listSubkeys`) + `query({options:{sessionStore,resume}})`. Implement `PostgresSessionStore` over BooCode's Postgres keyed `(chat_id,agent)`; `importSessionToStore()` migrates a local session, `InMemorySessionStore` is the shape. | `sdk.d.ts@0.3.158` (`InMemorySessionStore` L870, `query` L2391, `resume` L1695); happy `claude/utils/*` = legacy ref | **LIFT · code** (#9) | native, supersedes the hook/watcher; clean-room the store (SDK is commercial-terms) |
 | | `canUseTool` permission callback — single chokepoint, live `setPermissionMode`, bash-prefix allow-cache | `claude/claudeRemote.ts:134,169`, `permissionHandler.ts` | CROSS-CHECK | cleaner integration point than parsing PTY permission prompts |
 | | Local↔remote single-session handoff (TTY ⇄ SDK share one Claude UUID); E2E socket.io relay | `claude/loop.ts:77-115`; `api/encryption.ts` | TRACK / N-A | relay N-A (Authelia owns auth); handoff only if BooTerm⇄CoderPane session-continue is ever wanted |
 ### 5j. superset (`superset-sh/superset`, **Elastic License 2.0 — source-available, PATTERN-ONLY**)
 Electron macOS "code editor for AI agents"; runs every agent as a **raw PTY process** and learns state purely from **hooks the agents POST back** (no editor↔agent protocol, tracks **zero** tokens/cost). All items clean-room only.
 | # | Finding | Evidence (HEAD `7f3e5b3`) | Verdict | Maps to |
 |---|---------|---------|---------|---------|
 | 5j | **Universal-agent lifecycle hooks → normalized status** — inject a notify hook into each agent's native config (`~/.claude/settings.json`, `~/.codex/hooks.json`, opencode plugin), POST `{terminalId,eventType,agent}`; server collapses ~30 vendor event names → 5 states | `apps/desktop/.../agent-setup/*`, `templates/notify-hook.template.sh`, `host-service/.../map-event-type.ts` | **RE-DERIVE** (#10) | gives BooCode's **PTY agents (goose/qwen/claude) real working/blocked/done state** it lacks today |
 | | Worktree destroy saga — preflight `inspect` (dirty/unpushed) + ordered failure semantics + in-flight guard | `host-service/.../workspace-cleanup.ts` | RE-DERIVE | Phase 3 worktree reaper |
 | | Out-of-process PTY daemon w/ crash supervision + adoption (circuit-breaker, adopted-PID liveness poll) | `host-service/.../DaemonSupervisor.ts` | RE-DERIVE / TRACK | Phase 3 (BooTerm tmux already does some) |
 | | Diff-line → agent-comment re-prompt loop (select lines → send to existing session or new agent) | `apps/desktop/.../DiffPane/AgentCommentComposer/*` | RE-DERIVE | review/diff UX frontier |
 Ruled out: token/cost (superset tracks **none** — BooCode ahead), permission cards (BooCode's intercept-and-render is richer; superset just chimes + bypass-flags the agent), editor↔agent protocol (there is none), all SaaS/cloud/billing plumbing.
 ### 5k. unsloth (`unslothai/unsloth`) — **DECISION: remove all AGPL code, relicense BooCode AGPL-3.0 → MIT**
 **Tree audit (corrects this doc's earlier 2-file count):** BooCode is **currently licensed AGPL-3.0** — root `LICENSE` is GNU Affero GPL v3 and **all five `package.json` declare `"license": "AGPL-3.0-only"`** (cause: the `v2.4.0`/`v2.4.1` Unsloth-Studio lifts). **Three** files carry `SPDX-License-Identifier: AGPL-3.0-only`, not two — `llama-args-validator.ts` was missed: `apps/server/src/services/inference/tool-call-parser.ts` (← `tool_call_parser.py`), `apps/server/src/services/web/html-to-md.ts` (← `_html_to_md.py`), `apps/server/src/services/inference/llama-args-validator.ts` (← `llama_server_args.py`). Unsloth is dual-licensed — core `unsloth/` = Apache-2.0, but the `studio/` subtree (source of all three) = **AGPL-3.0-only** (dedicated `studio/LICENSE.AGPL-3.0`, `studio/package.json` `"license":"AGPL-3.0-only"`, per-file SPDX headers, README line 262 carves Studio out). Network-served ⇒ **AGPL §13 network-copyleft is the live liability.**
 **Decision (Sam, 2026-05-31): relicense AGPL-3.0 → MIT** (supersedes this doc's earlier "clean-room recommendation stands" framing — it's now a committed batch, not a flag). Remove all three: parser → native llama-server parsing (jinja green) + clean-room `<invoke>` fallback; html-to-md → permissive lib (turndown / node-html-markdown); llama-args-validator → clean-room from the llama-server README flag list. Then flip `LICENSE` + the five `package.json` + per-file headers + roadmap/README prose. Canonical plan: roadmap `## License-debt — relicense AGPL-3.0 → MIT (planned)`.
 ### 5l. conductor (`conductor-oss/conductor`, **Apache-2.0**, Java) — **LOW / near-NONE**
 Confirmed **Netflix/Orkes Conductor** — enterprise distributed workflow engine (5600 commits, Spring/Flyway/Cassandra), **not** the Mac Claude-Code app. Wrong scale + wrong substrate (polling workers + Redis queues vs BooCode's single-user Postgres LISTEN/NOTIFY), and BooCode already sourced its task-DAG/dispatcher/pipelines/human_inbox from `agent-hub` + Roo Boomerang. **One** worth-a-glance reference: the **retry/backoff/timeout taxonomy** (`TaskDef.java` `RetryLogic{FIXED,LINEAR,EXP}` + `TimeoutPolicy`, delay formula in `DeciderService.java:634-680`, with jitter + total-time-budget guard) — BooCode has **no retries today**; copy the *field set + three formulas* when retries land. Everything else (decider-replay engine, 24 task mappers, fork-join, sub-workflow, human-task) = N-A, already-covered or wrong-scale.
 ### 5m. ACP provider candidates — amp-acp **SKIP**, pi-acp **WATCH**
 Both are config-only adds to BooCode's v2.3 catalog (`{extends:'acp', label, command, env}`) and both use **`@agentclientprotocol/sdk@~0.22/0.12`, proto v1 — wire-compatible with BooCode's own `@agentclientprotocol/sdk@0.22.1`** (see correction in §6).
 - **amp-acp** (`tao12345666333/amp-acp`, Apache-2.0): adapter for Sourcegraph **Amp**. `npx -y amp-acp` + `AMP_API_KEY`. **SKIP** — Amp is a **paid cloud product with no self-host / no BYO-key / no local-model path**; can't point at llama-swap. Keep only as the canonical *"does add-from-catalog work"* smoke entry (lowest-risk Apache-2.0 ACP adapter).
 - **pi-acp** (`svkozak/pi-acp`, MIT): bridge for **pi** (spawns `pi --mode rpc`). `npx -y pi-acp`, pi free + self-hostable, dynamic model discovery. **WATCH** — but found **no evidence pi supports an OpenAI-compatible/llama-swap base URL** (cloud BYO-keys only today) + v0.0.27 maturity ("MVP", MCP not wired). Re-evaluate if pi adds a local provider — then it's a strong config-only ADD.
 ### 5n. claude-code & goose — low/cosmetic
 - **claude-code** (`anthropics/claude-code`, depth-1): the public **issue-tracker/docs repo, not source.** Thin. No stream-json schema doc (keep relying on observed output). Notables: `CLAUDE_CODE_SESSION_ID` env injected into Bash-tool subprocesses (hook↔session correlation); `examples/settings/*.json` permission/sandbox shapes; `SKILL.md` frontmatter is simpler (`name/description/version`) than BooCode's `eval.yaml`. The one example hook (`bash_command_validator`) is the same family BooCode already vendored. **Nothing net-new liftable.**
 - **goose** (`block/goose`, depth-1, Apache-2.0 Rust → pattern-only): the **AAIF/Linux-Foundation move is cosmetic** — binary `goose`, `goose acp` invocation, and `~/.config/goose/` config path all **UNCHANGED**; only org/URLs changed (`block/goose` → `aaif-goose/goose`). **Watch:** grep BooCode install docs for `block/goose` URLs (will eventually 404). **For v2.6 Phase 2:** goose ACP supports multi-session + mid-session model/mode switch + session persistence, but **no `loadSession`/resume method surfaced** → cross-restart resume looks thinner than opencode's; don't assume opencode-style `agent_sessions` resume works identically for goose.
 -----
 ## 6. Open decisions / things to think about
 1. **The jinja gate — RESOLVED (green, Sam 2026-05-31).** `--jinja` + a qwen3.x template are live in the llama-swap/sidecar config, so llama-server already does server-side tool-call parsing. #1 (the relicense batch's parser removal) is **actionable now** — step 1 is to validate native parsing on live qwen3.6 behind a flag for one release, then delete.
 2. **Claude transport: SDK vs PTY — now evidenced, leaning SDK.** `happy` (§5h) is a working existence-proof that `@anthropic-ai/claude-agent-sdk` in streaming-input mode drives Claude Code with structured events (tool calls, reasoning, `system/init` tool/skill/mcp lists, usage) and clean continuity — richer than PTY stdout-scraping. **Decision narrowed to: adopt the SDK** (net-new integration, ~100-line streaming-input pump) **vs. stay PTY + just add `--resume`.** Independent of warm-ACP Phase 2. Note the continuity mechanism is now the SDK's **native `SessionStore`** (§5i — a `PostgresSessionStore` keyed `(chat_id,agent)`, superseding happy's hook/jsonl-watcher) and is transport-independent — ship it either way.
 3. **`stream-json` parser is shared infrastructure, not a per-agent chore.** qwen-code (§5g) and claude-code emit the *same* Claude-Code-compatible NDJSON. One parser keyed on `type` / `stream_event.event.type` unlocks tool/reasoning/usage surfacing for **both** qwen and claude PTY fallbacks (today both are sliced opaque). Decide whether to build it as a shared module now (cheap) rather than twice later.
 4. **Transcript/session verification before resume (shared gap).** Neither Paseo nor BooCode (nor openchamber, nor goose's ACP) verifies the session/transcript exists on disk before resuming — true for opencode, claude, qwen. Folds into v2.6 Phase 3 (crash recovery + active supervision, now lifting from openchamber §5c). Decide whether "resume blindly, recover on failure" is good enough for single-user, or worth a pre-resume existence check. **Caveat:** goose ACP exposes no `loadSession`/resume (§5n) → its cross-restart resume needs a different design than opencode's.
 5. **Usage *and status* normalization scope.** Two converging gaps: (a) **tokens/cost** — the opencode token slice (#8) converges with paseo `AgentUsage`; (b) **liveness/status** — superset's notify-hook pattern (§5j, #10) is the only way to know whether a one-shot PTY agent (goose/qwen/claude) is working / blocked-on-permission / done. Decide whether to design one normalized per-`(chat,agent)` "agent telemetry" shape (tokens + status) up front so all providers slot in, or ship opencode-token-only and generalize at Phase 2.
 6. **Correction — ACP SDK package.** This doc and the roadmap state BooCode uses `@zed-industries/agent-client-protocol`; the live `apps/coder/package.json` actually declares **`@agentclientprotocol/sdk@^0.22.1`** (verified installed). Both amp-acp and pi-acp use the same package, so the "version-drift" worry is moot. ✅ Now corrected in `boocode_roadmap.md`'s lift table (2026-05-31).
 -----
 ## 7. Housekeeping
 - **Stale `.bak` in the working tree:** `apps/server/src/services/inference/tool-phase.ts.bak-20260531` (today, 15.5 KB). Violates CLAUDE.md's "don't accumulate `.bak-*`". Dated today and `tool-phase.ts` is on the active path — may be an in-progress safety copy. **Confirm before removing.**
 - **Unshallow `/opt/forks/llama.cpp`** (`git fetch --unshallow`) before the next review so commit-level attribution is possible. (opencode was unshallowed mid-review; cline/qwen-code/amp-acp/pi-acp/claude-code/goose/unsloth remain shallow but their source was intact.)
 - **Grep BooCode install docs/scripts for `block/goose` URLs** — goose moved to `aaif-goose/goose` (§5n); old release URLs will eventually 404.
 - **Correct the ACP-SDK package name** in `boocode_roadmap.md`'s lift table → `@agentclientprotocol/sdk@0.22.1` (§6.6).
 -----
 ## 8. Roadmap mapping (where each actionable lands)
 | Roadmap slot | Items from this review |
 |---|---|
 | **v2.6 Phase 2** (warm ACP goose/qwen) | #2 warm-ACP backend — **validated by qwen's own `qwen --acp`** (§5f); #7 parse qwen/claude stream-json in the one-shot fallback |
 | **v2.6 Phase 3** (lifecycle hardening) | **#5 openchamber lifecycle hardening** (health monitor + crash restart + port reclaim + stall-SSE — §5c, supersedes the paseo re-derive); worktree-archive cascade (paseo) + superset destroy-saga (§5j); LRU-bound caches; pre-resume session verification |
 | **v2.6 Phase 1 UX** | #6 interrupt-bug fix; #8 opencode token/ctx usage; richer SSE arms (compaction surfacing) |
 | **Write/edit robustness (NEW batch)** | **#3 fuzzy patch applier** + **#4 git-stash checkpoint** (cline §5b) — both directly harden BooCoder's edit/rewind surface for local models |
 | **Cross-agent telemetry (NEW)** | #10 superset notify-hook → normalized **status** for PTY agents (§5j); pairs with #8 token usage |
 | **Standalone claude-provider batch** | #9 SDK transport + native `SessionStore` resume (§5h–§5i; supersedes hook/jsonl-watcher) + the SDK-vs-PTY decision (lean-SDK, §6.2); #12 MistakeTracker + file-provenance ledger (cline) |
 | **Inference / license-debt batch** | #1 AGPL parser retirement (**AGPL confirmed §5k**; gated on the jinja check §6.1); #11 sampling/reasoning-budget config adopts |
 | **BooChat resilience (opportunistic)** | stall-timeout + retry/backoff (opencode); tool-pair-atomic prune cross-check (cline §5b) |
 | **Provider catalog** | amp-acp = keep as add-from-catalog **smoke test only** (§5m); pi-acp = WATCH for a local-provider mode |
 | **Deferred / gated** | subagent permission demux (needs opencode-SSE permission cards first); MCP auth lock (needs OAuth MCP un-deferred); `qwen serve` HTTP backend (stdio-ACP cheaper) |
 | **Not actionable** | conductor (wrong scale — only the retry-taxonomy reference §5l); claude-code public repo (docs only §5n) |
--- a/boocode_roadmap.md
+++ b/boocode_roadmap.md
@@ -1,6 +1,6 @@
 # BooCode roadmap (v1.x–v2.x)
-Last updated: 2026-05-26
+Last updated: 2026-05-31
 > **Companion doc:** `boocode_code_review.md` holds the full external-repo inventory, lift rationale, and license analysis. This document is the canonical source for shipping state, version ordering, and what's planned vs. shipped.
@@ -9,7 +9,7 @@ Last updated: 2026-05-26
 BooCode is a **3-app monorepo** at `/opt/boocode/` (locked 2026-05-22):
 - **BooChat** (`apps/server` + `apps/web`, port `9500`, `code.indifferentketchup.com`) — read-only chat with file-inspection tools. Backend in `apps/server`, SPA in `apps/web`. Database `boochat` (renamed from `boocode` at v2.0).
- **BooCoder** (`apps/coder`, port `9502`, `coder.indifferentketchup.com`) — write tools + external-CLI dispatch. **Shipped v2.0.0–v2.2.1.** Host systemd service (not Docker since v2.1.0). In-process inference (with `pending_changes` table) AND Paseo-style ACP dispatch for seven providers (cursor, opencode, goose, claude, qwen, copilot + native boocode) with PTY fallback where ACP is unavailable.
+- **BooCoder** (`apps/coder`, port `9502`, `coder.indifferentketchup.com`) — write tools + external-CLI dispatch. **Shipped v2.0.0–v2.6.6** (repo tag line; v2.6.5–v2.6.6 were BooChat workspace UX + docs). Host systemd service (not Docker since v2.1.0). In-process inference (with `pending_changes` table) AND Paseo-style ACP dispatch for five providers (opencode, goose, claude, qwen + native boocode; cursor + copilot retired at v2.5.3) with PTY fallback where ACP is unavailable. Provider lifecycle is config-backed (`data/coder-providers.json`, enable/disable, two-tier probe — shipped v2.5.4–v2.5.13). opencode now runs as a **warm HTTP server** with persistent per-chat sessions (v2.6 Phase 1); goose/qwen/claude still dispatch one-shot.
 - **BooTerm** (`apps/booterm`, port `9501`) — PTY/tmux/xterm.js. **Live since May 2026.** bookworm-slim + node-pty + tmux + xterm.js. Tmux session per pane (`bc-<uuid>`), SSH-out works (openssh-client + gosu in the image). Shares Postgres database `boochat`.
 Caddy → Authelia → Tailscale → `100.114.205.53` → 9500/9501/9502. Three apps, **one shared Postgres** (Docker service `boocode_db`, database name `boochat`).
@@ -21,7 +21,7 @@ Caddy → Authelia → Tailscale → `100.114.205.53` → 9500/9501/9502. Three
 - **Mount strategy: blanket `/opt:rw`, permission gating at the write-tool layer.** Per-project scoping is policy, not mount. Path-guard correctness is the #1 test target for v2.0.
 - **External CLI agents (`opencode`/`claude`/`goose`/`pi`) live on the host, not in containers.** BooCoder shells out via local-exec PTY or ACP subprocess. Host install inherits Sam's existing `~/.opencode/`, `~/.claude/`, `~/.config/goose/` configs.
 - **Protocol roles locked (2026-05-22):** **BooChat = MCP client only** (read-only tool consumer, never enables write-capable MCP servers). **BooCoder = MCP client + MCP server + ACP client (host) + ACP agent (driveable)** — full matrix. BooCoder's ACP-client role replaces raw-PTY dispatch for ACP-capable agents (opencode `opencode acp`, goose `goose acp`); PTY fallback retained for claude/pi/smallcode.
- **Paseo-equivalent dispatcher inside BooCode** (2026-05-22 pivot, **shipped v2.2**). Paseo (`getpaseo/paseo`) is AGPL-3.0 — incompatible with BooCode's MIT license and network-served deployment. BooCode reproduces the architecture using license-clean patterns only (`provider-snapshot.ts`, ACP merge/stream/persist, `AgentComposerBar`). Primary architectural template: `Dominic789654/agent-hub` (Apache-2.0). Critical context-management primitive: Roo Code Boomerang Tasks pattern. Observation pattern: Claude Code hooks (siropkin/budi reference).
+- **Paseo-equivalent dispatcher inside BooCode** (2026-05-22 pivot, **shipped v2.2**). Paseo (`getpaseo/paseo`) is AGPL-3.0 — incompatible with BooCode's **target** MIT license and network-served deployment (the tree is *currently* AGPL-3.0 via the v2.4 Unsloth-Studio lifts — see the **License-debt → relicense to MIT** batch; the Paseo pattern-only rule holds regardless). BooCode reproduces the architecture using license-clean patterns only (`provider-snapshot.ts`, ACP merge/stream/persist, `AgentComposerBar`). Primary architectural template: `Dominic789654/agent-hub` (Apache-2.0). Critical context-management primitive: Roo Code Boomerang Tasks pattern. Observation pattern: Claude Code hooks (siropkin/budi reference).
 External code lifted from / referenced in: see `boocode_code_review.md` for full inventory.
@@ -348,9 +348,50 @@ Per-session Docker sandbox spawned by BooCoder on first write. Only project path
 -----
 ## Shipped (v2.2.2–v2.6.11 — interactive ACP, provider lifecycle, persistent agent sessions, workspace UX)
 All tags `vMAJOR.MINOR.PATCH-slug`, monotonic per minor, assigned at ship time (planning slugs differ — see the numbering-discipline note below). `CHANGELOG.md` is the canonical per-tag record. **Note on numbering divergence:** the *planned-feature* "v2.3 — Provider lifecycle" actually shipped under the **v2.5.4–v2.5.13** tags; the *planned-feature* "v2.4 — BooCoder as ACP agent" remains **unshipped** even though v2.4.0/v2.4.1 *tags* shipped unrelated content (Unsloth lifts, sidecar routing). The patch-tag thread and the conceptual-milestone thread have diverged — read tags as the ship record, the `## v2.x` feature sections below as the milestone plan. The v2.3.0–v2.5.1 tags were never CHANGELOG-backfilled; summarized here from commit bodies.
 - `v2.2.2-xml-placeholder-reject` — reject placeholder XML tool args (`...`, `<path>`, empty/whitespace, angle-bracket sentinels) at parse time; appends raw block to prose instead of silent-deleting. Fixes qwen3.6 answer-then-spurious-tools duplicate-row tail
 - `v2.3.0-sampling-params-ask-user` — per-agent sampling params (`top_p`/`top_k`/`min_p`/`presence_penalty`) in AGENTS.md frontmatter threaded through inference (null = omit, preserve provider default); `ask_user_input` interactive card wired into both BooCoder frontends (CoderPane + standalone coder SPA)
 - `v2.3.1-permission-questions` — enrich ACP `permission_requested` frame with `kind` (`tool`|`question`|`plan`|`elicitation`) + `input` + `description`; PermissionCard renders interactive radio/checkbox forms for AskUserQuestion; ACP `createElicitation` (experimental) JSON-Schema-driven forms
 - `v2.3.2-coder-answer-endpoint` — fix `ask_user_input` submit in CoderPane (register `answer_user_input` on the boocoder service; `apiPrefix` routes through `/api/coder/...` so the right inference runner picks up the answer)
 - `v2.4.0-unsloth-studio-lift` — port of Unsloth Studio modules: `tool-call-parser.ts` (replaces `xml-parser.ts`; balanced-brace JSON scanner, `hasToolSignal`/`stripToolMarkup`/`parseToolCallsFromText`, stripping at all 3 final-write sites) + `web/html-to-md.ts` (parse5 HTML→Markdown for `web_fetch`). **License consequence (recorded 2026-05-31):** Unsloth Studio is AGPL-3.0-only — this lift (plus `llama-args-validator.ts` from `v2.4.1-sidecar-routing`) put the **whole BooCode tree under AGPL-3.0** (`LICENSE` + all five `package.json` are `AGPL-3.0-only`; three files carry the AGPL SPDX header). Scheduled for removal in the **License-debt → relicense to MIT** batch
 - `v2.4.1-sidecar-routing` — route per-agent `llama_extra_args` to `LLAMA_SIDECAR_URL` via `X-Agent-Flags` (boot guard if set but URL unset); `resolveRoute` + PrefixFingerprint `route` field. AGENTS.md tool-gap fix: 8 post-hoc tools (`request_read_access`, `view_truncated_output`, `ask_user_input`, `git_status`, …) added to every agent's whitelist
 - `v2.5.0-task-model` — lightweight task-model services (`TASK_MODEL_URL` dedicated llama-server, falls back to `LLAMA_SWAP_URL`+`FAST_MODEL`) for auto-naming/search-rewrite/tags/summaries; search-query rewriting on step 0 when web tools enabled; `sessions.tags` column
 - `v2.5.1-budget-100` — tool-call budgets raised 50/10/50 → **100/100/100** (read-only / non-read-only / no-agent); per-agent `max_tool_calls` still overrides. `.claude/worktrees/` added to `.codecontextignore`
 - `v2.5.2-coder-ux-fixes` — dispatcher reacts immediately via Postgres `LISTEN/NOTIFY` (`tasks_new` trigger, 2s poll fallback); mobile nav-drawer bfcache fix (`useViewport` re-syncs on `pageshow`/`visibilitychange`); reasoning "Thinking" collapsible in MessageBubble (ACP `agent_thought_chunk` + native `reasoning_parts`); paste-to-chip verbatim; "New file from pasted text" RightRail affordance; DiffPanel approve/reject repointed to real routes. Ships the `v2-6-persistent-agent-sessions` openspec as planning docs only
 - `v2.5.3-remove-cursor-copilot` — retire cursor + copilot providers entirely (argv cases, manifest, command maps, cursor model-CLI branch, `cursor-models.ts`). Built-ins now: claude, opencode, goose, qwen, native boocode
 - `v2.5.4-provider-lifecycle-phase1` — **(v2.3 milestone, phase 1/5)** config-backed provider layer (`CODER_PROVIDERS_PATH` default `/data/coder-providers.json`; `provider-config.ts` never-throws loader; `buildResolvedRegistry` merge) over built-ins; `agent-probe` iterates the resolved registry. No runtime change when no config file exists
 - `v2.5.5-provider-lifecycle-phase2` — **(phase 2/5)** snapshot lifecycle status (`loading`|`ready`|`unavailable`|`error`) + `enabled` flag; always lists every registered provider; two-tier probe (fast `which` vs cold ACP, skipped unless forced / `PROVIDER_PROBE_TTL_MS` 24h stale / DB-empty); `provider-types-parity.test.ts`
 - `v2.5.6-provider-lifecycle-phase3` — **(phase 3/5)** generic ACP dispatch (`resolveLaunchSpec` from config `launchCommand`; spawn `spec.binary`/`args`/`env`); built-in dispatch byte-identical (regression-tested). Config-defined custom ACP providers dispatch with no new switch case
 - `v2.5.7-claude-models-and-picker-fix` — fix the empty provider picker (a v2.5.5 regression: `getProviderSnapshot` returned sync `loading` entries the composer filtered out → now awaits build, returns terminal entries); wire config `models` (replace) / `additionalModels` (merge); claude static models bumped to opus/sonnet/haiku latest-aliases + pinned full names
 - `v2.5.8-mobile-composer-row` — AgentComposerBar mobile fix (dot + refresh as one right-aligned unit, was wrapping); Mode picker icon-only on mobile via `CompactPicker` `iconOnly`. Desktop unchanged
 - `v2.5.9-agent-slash-commands` — segmented per-agent slash menu (active agent's commands first, BooCoder skills second; opt-in `groups` prop, BooChat flat path byte-identical); skills now run under the selected external agent (skill body injected into a dispatched task); landing-chat skill-invoke fix
 - `v2.5.10-opencode-live-commands` — capture opencode's live ACP `available_commands` (poll for the async `available_commands_update`, was racing to 0); persist to new `available_agents.commands` JSONB; serve merged on the tier-2-probe-skip path
 - `v2.5.11-claude-skill-discovery` — surface Claude Code's real enabled commands + plugin skills in the coder slash menu (`claude-command-discovery.ts` reads `~/.claude/commands` + `enabledPlugins` skills/commands); three icon'd groups (agent commands / agent skills / BooCoder skills); `AgentCommand.kind`
 - `v2.5.12-provider-lifecycle-phase4` — **(phase 4/5)** HTTP API: `GET`/`PATCH /api/providers/config`, optional-subset `POST /refresh`, `GET /:id/diagnostic`. PATCH ordering validate→save→reload→clear (malformed body → 422 no-write; save-fail → 500 no-divergence); `mergeProviderConfigPatch`; +28 tests
 - `v2.5.13-provider-lifecycle-phase5` — **(phase 5/5, closes the v2.3 arc)** Settings → Providers UI (status badge, enable/disable toggle, per-provider refresh, plaintext diagnostic); composer filters to `enabled && ready|loading`; curated ACP catalog + `AddProviderModal`; two mobile fixes (Settings reachable on phones; modal scroll-containment). `docs/DEFERRED-WORK.md` §2 marked addressed
 - `v2.5.14-claude-md` — docs-only CLAUDE.md session-learnings (stale boocoder process after build, container `build:.` deploys working tree, wholesale `PATCH /providers/config` merge, one-shot external dispatch has no ctx tracking, `ui/` switch/sheet fallbacks, mobile Dialog scroll recipe); backfills v2.5.7–v2.5.11 doc bullets
 - `v2.5.15-acp-path-guard` — security: separator-bounded worktree path guard in `acp-client-fs.ts` (closes a sibling-prefix `<worktree>-evil/` escape; `writeWorktreeTextFile` bypasses `pending_changes`, writes disk directly) via shared `resolveInWorktree` + regression test; stop tracking live `data/coder-providers.json` (gitignore + `data/coder-providers.example.json` reference; loader falls back to built-ins-only)
 - `v2.6.0-phase0-foundations` — **(v2.6 Phase 0, no behavior change)** schema + interface scaffold: `session_worktrees` (one shared worktree per session) + `agent_sessions` (one backend session per `(session, agent)`) tables, `pending_changes.agent` attribution column; `AgentBackend`/`AgentSessionHandle` interface + normalized transport-agnostic `AgentEvent` union (types only)
 - `v2.6.1-phase1-opencode` — **(Phase 1)** opencode as a **warm HTTP server** (`opencode serve` per BooCoder process, one opencode session per BooCode session resumed across turns via `agent_sessions`); single SSE read loop, Paseo reasoning-dedup, inactivity watchdog, stale-session guard (`config_hash` = `opencode_server|<model>`, excludes the ephemeral port so cross-restart resume survives). Hard-won: opencode streams `session.next.*` (not `message.part.*`), `event.subscribe()` must pass the worktree `directory`, models must be `llama-swap/`-prefixed + in opencode's config. Bundled: dcp-message-id strip, reopen-pane control, `[+]`/split separation, auto-name on session model, `systematic-debugging` slash command. Known limit (closed in v2.6.2): single SSE scoped to the most-recent directory
 - `v2.6.2-delete-guard-and-sse` — session-delete work-loss guard (server gates `DELETE /api/sessions/:id`: reads `session_worktrees`, calls BooCoder `/worktree-risk` which runs git on the host; dirty/unpushed/unmerged → 409 + per-worktree `RiskReport[]`, `force` bypasses, fail-closed; sidebar block dialog distinguishes at-risk from couldn't-verify, never auto-commits). **Per-session SSE (P1.5-a):** one `event.subscribe({directory})` per live opencode session, each with an `AbortController`, so sessions in different worktrees stream concurrently (was: second silently dropped); `sessionID` demux guard + zombie-loop fix
 - `v2.6.3-chatkey-and-skills` — re-key `agent_sessions` to **`(chat_id, agent)`** (P1.5-b: the tab/chat is the agent-context unit; two opencode tabs in one session = two contexts sharing one worktree); `tasks.chat_id` threaded end-to-end (`runOpenCodeServerTask` resolve-or-creates a chat for session-less creators); first-class `worktrees` table (one-per-session, survives session delete) supersedes the defanged `session_worktrees`; `agent_sessions.chat_id` CASCADEs from `chats`; stateful cross-chunk dcp-message-id stripper; `committing-changes` + `using-worktrees` judgment skills in `data/skills/boocode/` + parser-safe `data/AGENTS.md` preamble
 - `v2.6.4-agent-sessions-fk` — converge the live `agent_sessions.session_id` FK `CASCADE → SET NULL` (standalone `confdeltype`-guarded `DO` block, idempotent — the P1.5-b re-key gate skipped already-re-keyed DBs and left it diverged); CLAUDE.md doc-sync (per-session SSE, `(chat_id, agent)` re-key, `data/AGENTS.md` parsing + `data/skills/<vendor>/` conventions)
 - `v2.6.5-panes-tabs-composer` — **workspace UX batch (BooChat panes/tabs/composer + the persistence that backs it).** *Panes/tabs:* open a chat in a fresh pane (ChatTabBar "Open in new pane" + fork-beside-original via a new `open_chat_in_new_pane` event), per-pane `[+]` → New BooChat/BooTerm/BooCode menu, closing a chat pane relocates its tabs (in order) to the oldest chat/empty pane (reopen strips restored chatIds from every live pane first → no dup), stable session-scoped tab numbers (assigned on open, retired on close, never reused, map-keyed render), and the empty/landing pane became a real session history (open + separately-fetched archived chats). Removed the per-message "Open in pane" artifact button. *Persistence:* `sessions.workspace_panes` widened from bare `WorkspacePane[]` → a `WorkspaceState` envelope (`panes` + `tabNumbers`/`nextTabNumber` + `closedPaneStack`); PATCH validator zod-unions legacy-array-or-envelope and migrates on write; `session_workspace_updated` WS frame widened (web+server byte-identical, parity test green). *Composer:* morphing **Send → Stop → Queue** button keyed on `sending || activeTaskId` (folds in the standalone Stop pill, adds `cancelTask`); pasted chips trail the typed text so a leading slash stays first. *Tooling:* new read-only `read_tab_by_number` tool + an optional `ToolExecCtx` (`{ sql, sessionId }`) 4th arg on `ToolDef.execute`
 - `v2.6.6-claude-md` — docs-only CLAUDE.md session-learnings from the v2.6.5 batch: the `WorkspaceState` envelope migration, the `ToolExecCtx` plumb (`read_tab_by_number` as reference), the two-schema-files-one-DB ownership split + idempotent `confdeltype` FK-action-flip pattern, and React-StrictMode nested-`setState` idempotency
 - `v2.6.7-interrupt-guard` — **F.1 fix:** post-interrupt stale-terminal bug in the opencode warm-server backend (one-click reachable since `v2.6.5`'s Stop button). opencode emits one trailing `session.idle`/`session.error` for a cancelled turn (sessionID only, no turn id) that settled the *next* turn early as success. Pure per-session guard (`backends/turn-guard.ts` — arm-on-abort / swallow-one-orphan / self-heal-on-activity) wired into `opencode-server.ts`; 3 regression tests (TDD). First item of the v2.6 openspec "remaining" plan; Phase 1-UX / 2 / 3 still open
 - `v2.6.8-agent-attribution` — **v2.6 Phase 1-UX** (U.1–U.6), built by 3 parallel subagents over disjoint files. Backend: `pending_changes.agent` stamped at every queue site + flows through `listPending`; new `GET /api/sessions/:id/agent-sessions` route; opencode warm-server consumes `session.next.step.ended` → accumulates `input_tokens`/`output_tokens`/`cost` on `agent_sessions`. Frontend: DiffPanel per-row agent badges + multi-agent note; AgentComposerBar resumed/history/new-session chip (gated on optional `sessionId`, BooChat unaffected); shared `providerIcons.tsx` + `useAgentSessions` hook. 9 new tests; web+coder tsc clean. Both surfaces deployed (boocoder restart + `boocode` Docker rebuild). Phase 2/3 remain
 - `v2.6.9-warm-acp` — **v2.6 Phase 2:** goose/qwen run as **warm ACP backends** (one persistent `goose acp`/`qwen --acp` child + `ClientSideConnection` + ACP session per `(chat,agent)`, `initialize`+`session/new` once, reused across turns) instead of one-shot. New `WarmAcpBackend` (same `AgentBackend` interface as opencode); abort = `session/cancel` the prompt only (never kills the child); dispatcher routes goose/qwen chat-tab tasks via pure `shouldUseWarmBackend` (one-shot fallback kept for arena/MCP/`new_task`); `handleSessionUpdate` extracted to a shared pure `acp-event-map.ts` (one-shot path byte-identical). SDK concern resolved (`@agentclientprotocol/sdk@^0.22.1` has stable resume; moot warm, deferred to Phase 3). 15 new tests, 180 coder tests pass. Backend-only deploy (boocoder restart). **Smoke 2/2b pending live.** Phase 3 (lifecycle hardening) is the last v2.6 phase
 - `v2.6.10-lifecycle-hardening` — **v2.6 Phase 3 (final phase — completes v2.6).** Idle TTL eviction (`AGENT_POOL_IDLE_TTL_MS`=30min) + LRU cap (`AGENT_POOL_MAX_LIVE`=10), busy backends never evicted; pure `lifecycle-decisions.ts`. Crash recovery via openchamber's health-monitor + busy-aware-restart + stale-grace state machine in `opencode-server.ts` (+ port reclaim) + `warm-acp.ts` (opencode → fresh sessions; ACP → re-`session/new`; F.1 guard + U.6 usage preserved). Orphan worktree reaper (1h grace, superset-style dirty/unpushed preflight, Paseo soft-delete) + close hooks + re-baseline after apply. 35 new tests + DB-opt-in reconnect test; 215 coder tests pass. Backend-only deploy. **Follow-ups (out of v2.6 scope): apps/server close-hook caller, 3.7 DiffPanel staging hint (frontend), live Smoke 2/2b/3.** With this, **v2.6 persistent agent sessions is complete** (Phase 0–3 + F.1 + Phase 1-UX)
 - `v2.6.11-close-hooks-staging` — the two v2.6 follow-ups. **apps/server close-hook caller:** BooChat fire-and-forgets BooCoder's Phase-3 close hooks (new `coder-notify.ts`, never-rejects) on session-delete + chat archive/delete, so warm backends + worktrees tear down immediately (the idle-evict/reaper was the backstop). **Task 3.7 staging hint:** BooCoder DiffPanel shows a muted one-liner when the selected provider can't see another agent's unapplied worktree edits (pure derivation from per-change `agent` + current provider). 6 new server tests; web+server tsc/build clean; deploys via the `boocode` Docker container. **The v2.6 openspec is now fully closed** — only live Smoke 2/2b/3 remain (manual)
 -----
 ## v2.3 — Provider lifecycle (Paseo-style registry)
-**Planned.** Config-backed provider registry (`/data/coder-providers.json`), merged built-ins + overrides, enable/disable toggles, two-tier probe (fast binary vs slow ACP session), generic ACP spawn from config without new code paths. Depends on v2.2 snapshot wire shape. Openspec: `openspec/changes/v2-3-provider-lifecycle/`. See `CURRENT.md`.
+**Shipped across `v2.5.4`–`v2.5.13` (5 phases, 2026-05-29).** Config-backed provider registry (`data/coder-providers.json`), merged built-ins + overrides, enable/disable toggles in Settings → Providers, two-tier probe (fast binary vs slow ACP session, TTL-gated), generic ACP spawn from config without new code paths, HTTP config/refresh/diagnostic API, curated add-from-catalog. The milestone shipped under v2.5.x patch tags (not "v2.3.x") because patch numbers are assigned at ship time. Openspec: `openspec/changes/v2-3-provider-lifecycle/` (design §2–§6 map to phases 1–4; phase 5 = UI). `docs/DEFERRED-WORK.md` §2 marked addressed; Tier-2 follow-ups (WS `provider_snapshot_updated` frame, `available_agents.enabled` column, shared types package, MCP provider tools) stay deferred.
 **Lift source:** Paseo provider docs (design only — no AGPL code lift).
@@ -360,6 +401,8 @@ Per-session Docker sandbox spawned by BooCoder on first write. Only project path
 ## v2.4 — BooCoder as ACP agent (driveable from external editors)
 **Status: not shipped.** This is a conceptual milestone, not yet built. The `v2.4.0`/`v2.4.1` *patch tags* shipped unrelated content (Unsloth Studio parser/HTML-to-md lift, llama-sidecar routing) — patch numbers are assigned at ship time and have outrun the milestone plan. The outbound ACP-agent surface below is still future work.
 **Goal:** expose `boocoder acp` so Zed, JetBrains, Avante.nvim, CodeCompanion.nvim can drive BooCoder as their agent. Outbound exposure of the BooCoder write-tool surface to ACP-compatible editors.
 **Scope:**
@@ -378,6 +421,76 @@ Per-session Docker sandbox spawned by BooCoder on first write. Only project path
 -----
 ## v2.6 — Persistent agent sessions (warm processes + OpenCode server)
 **Goal:** make a BooCode chat map to a **persistent agent backend + a persistent worktree** that live for the whole conversation, so turns are warm and the agent sees its own accumulating edits. Replaces the one-shot-per-task model (fresh worktree + process spawn + ACP handshake every turn) with Paseo's pattern: OpenCode as a long-lived HTTP server, goose/qwen as warm stdio-ACP processes. Reasoning passthrough was already solved in v2.5.2's Thinking block — this batch is about persistence, not capability.
 **Decisions locked:** persistent worktree per session (shared across agents); free agent-switch with per-agent memory (one backend session per `(chat, agent)` pair, re-keyed from `(session, agent)` in P1.5-b); OpenCode → one shared `opencode serve` HTTP server (multi-session, directory-routed); goose/qwen → warm stdio ACP per live session; claude stays one-shot PTY.
 **Shipped so far:**
 1. `v2.6.0-phase0-foundations` ✅ — schema + `AgentBackend`/`AgentEvent` interface scaffold (no behavior change).
 1. `v2.6.1-phase1-opencode` ✅ — OpenCode warm-server backend, per-chat resumable session, SSE demux, reasoning dedup, watchdog, stale-session guard.
 1. `v2.6.2-delete-guard-and-sse` ✅ — session-delete work-loss guard + **per-session SSE (P1.5-a)** so concurrent opencode sessions in different worktrees stream independently.
 1. `v2.6.3-chatkey-and-skills` ✅ — **P1.5-b** re-key `agent_sessions` to `(chat_id, agent)`; first-class `worktrees` table; `tasks.chat_id` threading; cross-chunk dcp-strip; judgment skills.
 1. `v2.6.4-agent-sessions-fk` ✅ — converge `agent_sessions.session_id` FK to `SET NULL`; doc-sync.
 **Remaining (per openspec `v2-6-persistent-agent-sessions/tasks.md`):**
 - **Phase 1 UX** — DiffPanel per-change agent attribution (`pending_changes.agent` badges), resumed/new-session chip on AgentComposerBar (`GET /api/sessions/:id/agent-sessions`), staging-boundary hint.
 - **Phase 2 — warm ACP backend (goose, qwen)** — persistent `SpawnedACPProcess` connection reused across turns (one `session/new`, many prompts); dispatcher routes goose/qwen to the warm backend; switch round-trip smoke (opencode → boocode → opencode resumes the same session). **De-risked (v2 review, 2026-05-31):** `qwen --acp` is a real stdio multi-session agent (`Map<sessionId,Session>`, `loadSession`/`resume`, mid-session model/mode switch) — the old "qwen ACP was HTTP-only → use PTY" premise is **stale**, so wire qwen into the existing `acp-dispatch.ts` stack. Cross-check qwen's `@agentclientprotocol/sdk@^0.14` vs BooCode's `^0.22` handshake before relying on `unstable_resumeSession`. Separately, qwen's one-shot PTY fallback emits Claude-Code-compatible `stream-json` NDJSON (today sliced opaque in `dispatcher.ts`) — **one parser serves both qwen and claude** PTY fallbacks.
 - **Phase 3 — lifecycle hardening** — idle TTL eviction per `(chat, agent)`, crash recovery, chat-close/archive worktree cleanup, orphan reaper + max-live-worktrees LRU cap, re-baseline diff after `apply_pending`, reconnect test. **Primary reference (v2 review, 2026-05-31): `openchamber` (MIT, same warm-opencode-server architecture — code-liftable)** — health-monitor + crash auto-restart + busy-aware restart + port reclaim (`killProcessOnPort`/`waitForPortRelease`) + stall-detecting SSE reader; **supersedes the Paseo "re-derive"** (paseo's lazy restart-on-demand has no active supervision). Also confirms the deferred `OPENCODE_SERVER_PASSWORD` scheme = `Authorization: Basic base64("opencode:"+pw)`.
 **Lift sources:** `getpaseo/paseo` (design only — OpenCode-as-HTTP-server pattern, `streamedPartKeys` reasoning dedup), `@opencode-ai/sdk` (v2 client), `/opt/forks/opencode`; **`openchamber` (MIT — Phase 3 lifecycle hardening, code-liftable)**; **`QwenLM/qwen-code` (Apache-2.0 — `qwen --acp` reference + `stream-json` schema)**. See `boocode_code_review_v2.md` §5a/§5f for evidence.
 **Dependencies:** v2.2 (ACP dispatch) + v2.3 provider lifecycle (registry/snapshot). Openspec: `openspec/changes/v2-6-persistent-agent-sessions/`.
 -----
 ## License-debt — relicense AGPL-3.0 → MIT (shipped 2026-06-01)
 **Status: SHIPPED 2026-06-01** (openspec `license-debt-mit`). Recorded 2026-05-31 from the v2 external review (`boocode_code_review_v2.md` §5k) + a direct tree audit. **Decision (Sam, 2026-05-31): relicense the project back to MIT.**
 **What was the problem:** the tree was AGPL-3.0 — root `LICENSE` was GNU Affero GPL v3 and all five `package.json` declared `"license": "AGPL-3.0-only"`. Cause: the `v2.4.0`/`v2.4.1` Unsloth-Studio lifts pulled in three AGPL-3.0-only files, making the whole network-served work AGPL-encumbered (AGPL §13 network-copyleft). Clearing those three files made the MIT flip valid.
 **The three AGPL-3.0-only files (cleared):**
 1. `apps/server/src/services/inference/tool-call-parser.ts` (← `tool_call_parser.py`) — the Unsloth-ported algorithm (`parseToolCallsFromText`/`scanBalancedBraces` + unused nudge constants) was **dead code** (no production import; only the file + its test referenced it). Deleted it. The load-bearing parser (`extractToolCallBlocks` + the BooCode-authored streaming helpers) and `stripToolMarkup` were kept byte-identical and the AGPL header dropped. **No behavior change to the live tool-call path.**
 2. `apps/server/src/services/web/html-to-md.ts` (← `_html_to_md.py`, used by `web_fetch`) — **swapped** to the MIT `node-html-markdown` library (a distinct third-party lib, not a rewrite-from-memory); `parse5` dropped. `htmlToMarkdown(html): string` signature preserved.
 3. `apps/server/src/services/inference/llama-args-validator.ts` (← `llama_server_args.py`) — **clean-room rewrite** with independent structure; the managed-flag denylist re-derived from the public llama-server flag list (facts, not copyrightable).
 **Key correction to the original plan:** the native-llama-server-parsing retirement (which would have needed a live qwen3.6 validation window "behind a flag for one release") was **decoupled** from the relicense and proved unnecessary — the ported parser code was already dead, so the relicense stripped *provenance, not capability*. The native-parsing retirement remains a separate, optional future optimization.
 **License flip:** root `LICENSE` AGPL→MIT (`Copyright (c) 2026 indifferentketchup`); the five `package.json` `license` fields → `MIT`; AGPL SPDX headers removed from all three files; a `## License` section added to `README.md`; a guard test asserts no AGPL header / SPDX-AGPL survives. The `boocode_code_review*.md` point-in-time snapshots were left as-is. **No AGPL remains in the tree.**
 **Source:** `boocode_code_review_v2.md` §1 #1, §5k; openspec `license-debt-mit`.
 -----
 ## Write/edit robustness (planned)
 **Status: planned, not started.** From the v2 review (`boocode_code_review_v2.md` §5b; `cline/cline`, Apache-2.0 — code-liftable). Two lifts that harden BooCoder's write surface where it's weakest for local quantized models:
 1. **Fuzzy patch applier for `edit_file`.** BooCoder's `edit_file` is exact-match today (`apps/coder/src/services/pending_changes.ts` — `if (!content.includes(oldStr)) throw`; no whitespace/unicode tolerance, no multi-occurrence guard). Lift cline's tiered match ladder (exact → `trimEnd` → `trim` → Levenshtein ≥0.66) + unicode canonicalization (dashes, curly quotes, nbsp) + multi-occurrence guard; unmatched → warning, not throw. `apply-patch-parser.ts:347-431`.
 2. **`git stash create` + private-ref checkpoint.** A per-turn workspace snapshot that captures **all** state — including edits made by dispatched external agents (opencode/claude/qwen/goose), build artifacts, test side-effects — which BooCoder's current `rewind` cannot (it only reverse-applies BooCoder's own queued `pending_changes`). Snapshot stored under a private `refs/…/checkpoints/…` ref, restorable with conversation-trim in sync. `checkpoint-hooks.ts:177-253`.
 **Source:** `boocode_code_review_v2.md` §1 #3–#4, §5b.
 -----
 ## Claude provider — SDK transport + native session resume (planned)
 **Status: planned, not started.** From the v2 review (`boocode_code_review_v2.md` §5h–§5i) + a direct read of the published SDK `.d.ts` (`@anthropic-ai/claude-agent-sdk@0.3.158`, reviewed 2026-05-31). Today BooCoder dispatches `claude` one-shot via PTY (`claude --output-format stream-json`) with no continuity. Plan:
 1. **Adopt the Agent SDK** (`@anthropic-ai/claude-agent-sdk`) over the PTY path. `query({ prompt, options })` yields structured `SDKMessage`s — `SDKSystemMessage` (`subtype:'init'`, carries the session id + tool/skill/mcp lists), `SDKPartialAssistantMessage` (`type:'stream_event'` deltas), `SDKResultMessage` (turn end) — no stdout scraping. `happy` (`slopus/happy`) is the working existence-proof.
 2. **Native session resume via a pluggable `SessionStore`.** Implement `PostgresSessionStore implements SessionStore` (5 methods: `append`/`load`/`listSessions`/`delete`/`listSubkeys`) over BooCode's Postgres, keyed by `(chat_id, agent)`; drive turns with `query({ options: { sessionStore, resume } })` and the SDK materializes the stored session for the CLI subprocess. **This supersedes happy's SessionStart-hook + jsonl-watcher** — that was a workaround predating the feature (happy pins SDK `^0.2.96`; the `SessionStore` API is `0.3.x`). `importSessionToStore()` migrates an existing local session; `InMemorySessionStore` is the reference shape.
 3. **Permissions:** wire BooCoder's permission cards to the SDK's `canUseTool(toolName, input, opts) → Promise<PermissionResult>` callback (one chokepoint, supports `permissionMode`) instead of parsing PTY permission prompts.
 **License posture (reference-only):** `@anthropic-ai/claude-agent-sdk` is under **Anthropic Commercial Terms** (`package.json` `license: "SEE LICENSE IN README.md"`), **not OSS** — acceptable as a runtime **dependency** (same posture as already shelling out to the `claude` CLI), but its source/examples (incl. GitHub `examples/session-stores/postgres`) are **reference-only — do not vendor**, especially mid AGPL→MIT cleanup (relicense batch). Readable references on disk: `/opt/forks/claude-agent-sdk-python` (MIT mirror) + `/opt/forks/claude-agent-sdk-typescript` (examples, commercial terms).
 **Source:** `boocode_code_review_v2.md` §1 #9, §5h–§5i. Refines the v2.6 "claude stays one-shot PTY" assumption on the continuity dimension.
 -----
 ## v2.1.0 — Provider picker + model discovery
 **Shipped `v2.1.0-provider-picker`.** Provider registry with 5 providers (boocode, opencode, goose, claude, qwen). Model discovery via `LLAMA_SWAP_URL/upstream/<model>/props`. `/api/providers` route returns installed providers with models. v2.1 `ProviderPicker` UI **superseded by `AgentComposerBar` in v2.2.** Agent-probe startup probe discovers installed agents on host, their versions, ACP support, and models. Booterm SSH host configurable via `BOOTERM_SSH_HOST`/`BOOTERM_SSH_USER` env vars.
@@ -412,7 +525,7 @@ Per-session Docker sandbox spawned by BooCoder on first write. Only project path
 |-------------------------------|---------------------|-----------------------------|------------------------------------------------------------------------|----------------------|
 |`boochat` (was `boocode`)      |`100.114.205.53:9500`|`/opt:/opt:ro`               |Read-only chat + SPA host + MCP client                                  |Live (renames at v2.0)|
 |`booterm`                      |`100.114.205.53:9501`|`/opt:/opt`                  |PTY/tmux terminal sessions                                              |**Live (May 2026)**   |
-|`boocoder` (host systemd)       |`100.114.205.53:9502`|full host FS (policy-gated)  |Write tools + ACP client + MCP client + MCP server + external-CLI dispatch|**Shipped v2.0.0–v2.2.1** (systemd since v2.1.0) |
+|`boocoder` (host systemd)       |`100.114.205.53:9502`|full host FS (policy-gated)  |Write tools + ACP client + MCP client + MCP server + external-CLI dispatch + warm opencode server|**Shipped v2.0.0–v2.6.6** (systemd since v2.1.0) |
 |**`boochat`** (Docker service `boocode_db`)|`127.0.0.1:5500`     |`boocode_pgdata` volume      |Postgres 16-alpine (shared by all three)                                |**Live** (DB renamed from `boocode` at v2.0)|
 |`codecontext`                  |`:8080` (internal, Docker network)   |`/opt:/opt:ro`|Go HTTP sidecar for code graph tools                                          |**Live (v1.12.0)**    |
@@ -459,7 +572,12 @@ term.indifferentketchup.com         → booterm   :9501   (or routed under code.
 - **v1.16:** `repo_health_cache (project_id, file_hashes_sig, payload JSONB, created_at)`
 - **v2.0 (shipped):** `pending_changes`, `tasks`, `available_agents`, `human_inbox` view; database renamed `boocode` → `boochat`
 - **v2.2 (shipped):** none (provider snapshot + ACP dispatch are runtime/services; pane chat scoping uses existing `sessions.workspace_panes` + `chats`)
- **v2.4:** none (`boocoder acp` is a new entry point, not a schema change)
+- **v2.5.0 (shipped):** `sessions.tags` column (task-model tagging)
 - **v2.5.10 (shipped):** `available_agents.commands jsonb` column (persisted ACP `available_commands`)
 - **v2.6.0 (shipped):** `session_worktrees` (one shared worktree per session) + `agent_sessions` (one backend session per `(session, agent)`, `backend`/`status` CHECKs) tables; `pending_changes.agent` attribution column. All idempotent (`IF NOT EXISTS`)
 - **v2.6.3 (shipped):** re-key `agent_sessions` to `(chat_id, agent)` (`chat_id` FK CASCADEs from `chats`; `session_id`/`worktree_id` informational); new first-class `worktrees` table (one-per-session, `session_id` `SET NULL`) supersedes the defanged `session_worktrees`; `tasks.chat_id` column
 - **v2.6.4 (shipped):** `agent_sessions.session_id` FK converged `CASCADE → SET NULL` (standalone `confdeltype`-guarded `DO` block; idempotent)
 - **v2.4 (planned, not shipped):** none (`boocoder acp` is a new entry point, not a schema change)
 -----
@@ -494,8 +612,9 @@ Full inventory and rationale in `boocode_code_review.md`. Headline items below;
 |`spirituslab/codesight`                                                         |MIT-ish                                 |Repo health analyzer (`analyze.mjs`)                                                                                      |v1.16                                         |
 |`plandex-ai/plandex`                                                            |MIT                                     |Pending-changes data model + diff/apply/rewind UX                                                                         |v2.0                                          |
 |`Dominic789654/agent-hub`                                                       |Apache-2.0                              |**Task DAG schema, dispatcher worker, project registry, human inbox** — primary architectural template for v2.0 dispatcher|v2.0                                          |
-|`getpaseo/paseo`                                                                |AGPL-3.0 (**design only, no code lift**)|Daemon+clients arch, CLI verb shape, –worktree flag, provider snapshot/dispatch patterns                                  |**v2.2 (shipped)** / v2.x                                   |
+|`getpaseo/paseo`                                                                |AGPL-3.0 (**design only, no code lift**)|Daemon+clients arch, CLI verb shape, –worktree flag, provider snapshot/dispatch, OpenCode-as-HTTP-server + reasoning dedup |**v2.2, v2.6 (shipped)** / v2.x              |
-|**`agentclientprotocol.com` spec + `@zed-industries/agent-client-protocol` SDK**|**Apache-2.0**                          |**ACP client (host) — replaces raw-PTY dispatch for opencode/goose/cursor**                                               |**v2.0 → v2.2**                                      |
+|**`@opencode-ai/sdk`**                                                          |**MIT**                                 |**OpenCode warm HTTP server client (`opencode serve`, SSE `session.next.*`, multi-session)**                              |**v2.6.1 (shipped)**                          |
 |**`agentclientprotocol.com` spec + `@agentclientprotocol/sdk@^0.22.1`**|**Apache-2.0**                          |**ACP client (host) — replaces raw-PTY dispatch for opencode/goose (cursor retired v2.5.3)**                              |**v2.0 → v2.2**                                      |
 |**anthropics/skills `mcp-builder`**                                             |**MIT**                                 |**MCP server build workflow + 10-question evaluation framework**                                                          |**v2.0 (BooCoder MCP server)**                |
 |**`zed-industries/codex-acp`**                                                  |**Apache-2.0**                          |**ACP server-side reference for `boocoder acp`**                                                                          |**v2.4**                                      |
 |Roo Code: Boomerang Tasks                                                       |Apache-2.0 (pattern only)               |Orchestrator capability restriction + down-pass/up-pass context discipline                                                |v1.14 (AGENTS.md) → v2.0 (real delegation)    |
@@ -547,14 +666,14 @@ Full inventory and rationale in `boocode_code_review.md`. Headline items below;
 ### Strategic pivot: Paseo-equivalent dispatcher (2026-05-22, **shipped v2.2**)
-Sam wanted BooCode to function like Paseo without using Paseo itself. **Paseo is AGPL-3.0** — incompatible with BooCode's MIT license and its network-served deployment at `code.indifferentketchup.com`. Solution: **reproduce the architecture in BooCode's existing Fastify + TS + PostgreSQL + React stack, using only license-clean patterns**.
+Sam wanted BooCode to function like Paseo without using Paseo itself. **Paseo is AGPL-3.0** — incompatible with BooCode's **target** MIT license and its network-served deployment at `code.indifferentketchup.com`. Solution: **reproduce the architecture in BooCode's existing Fastify + TS + PostgreSQL + React stack, using only license-clean patterns**. **Reality check (2026-05-31):** the no-AGPL-code-lift rule was later broken by the `v2.4.0`/`v2.4.1` Unsloth-Studio lifts, which put the whole tree under AGPL-3.0 (root `LICENSE` + all five `package.json` are `AGPL-3.0-only` today). The **License-debt → relicense to MIT** batch restores the MIT target.
 - **Primary architectural template:** `Dominic789654/agent-hub` (Apache-2.0) — three-process model (board server + dispatcher + assistant terminal) and schema (tasks/projects/templates/pipelines/human_inbox).
 - **Critical context-management primitive:** Roo Code Boomerang Tasks pattern — orchestrator with intentional capability restriction, down-pass/up-pass context discipline, no implicit inheritance.
 - **Observation pattern:** Claude Code hooks (siropkin/budi reference) — register BooCode as the hook receiver for `SessionStart`/`UserPromptSubmit`/`PostToolUse`/`SubagentStart`/`Stop`.
 - **Protocol-level Paseo equivalence (shipped v2.2):** the ACP client + MCP server combination in BooCoder is the protocol-spelled version of Paseo's daemon. ACP gives multi-agent dispatch with structured events instead of free-form PTY output. MCP server gives BooCoder-as-task-board, callable from any MCP client (Termius-based opencode, future editors). One MCP config feeds every dispatched agent (via `context_servers` auto-forward). v2.2 added provider snapshot, mode/thinking, permission prompts, and Paseo-style stream/persist.
-**Next on this track:** v2.3 provider lifecycle (config-backed registry, enable/disable, two-tier probe). See openspec `v2-3-provider-lifecycle`.
+**Next on this track:** v2.3 provider lifecycle shipped (`v2.5.4`–`v2.5.13`); the live frontier is **v2.6 persistent agent sessions** — Phase 0/1 + P1.5-a/b shipped (`v2.6.0`–`v2.6.4`), Phase 2 (warm ACP for goose/qwen) + Phase 3 (lifecycle hardening) remain. See openspec `v2-6-persistent-agent-sessions`.
 ### BooCoder execution: both Option A AND Option B, full-featured (2026-05-22)
@@ -575,9 +694,19 @@ The v1.13.x cleanup line shipped 21 batches over a single intense window in `vMA
 - **v2.2-paseo-providers** ✅ — 7-provider snapshot, `AgentComposerBar`, ACP dispatch rewrite, permission prompts, agent commands, cursor/copilot providers
 - **v2.2.1-pane-scoped-chats** ✅ — pane-scoped chat resolution, `CoderMessageList` tool UI, WS user-delta fix, inference orphan tool_call stripping
 ### v2.2.2–v2.6 shipped (2026-05-26 → 2026-05-31)
 Full per-tag detail in the **Shipped (v2.2.2–v2.6.6)** section above and in `CHANGELOG.md`. Threads:
 - **Interactive ACP** (`v2.2.2`–`v2.3.2`) ✅ — placeholder-XML reject; per-agent sampling params; `ask_user_input` cards in both BooCoder frontends; enriched `permission_requested` frame (question/plan/elicitation) with interactive PermissionCard; coder `answer_user_input` endpoint fix.
 - **Unsloth lift + sidecar + task model** (`v2.4.0`–`v2.5.1`) ✅ — Unsloth Studio `tool-call-parser.ts` (replaces `xml-parser.ts`) + parse5 `html-to-md.ts` + `llama-args-validator.ts` (**all three AGPL-3.0-only — this is what relicensed the whole tree to AGPL-3.0**); llama-sidecar per-agent-flags routing; dedicated task-model services; tool budgets → 100/100/100. **→ removal tracked in the License-debt → relicense to MIT batch.**
 - **Provider lifecycle = the planned "v2.3"** (`v2.5.3`–`v2.5.15`) ✅ — cursor/copilot retired; config-backed registry + snapshot lifecycle + two-tier probe (phases 1–5); empty-picker fix; claude model list; mobile composer; per-agent + claude/opencode slash-command discovery; ACP path-guard security fix.
 - **v2.6 persistent agent sessions** (`v2.6.0`–`v2.6.4`) ✅ Phase 0/1 + P1.5-a/b — foundations scaffold; opencode warm HTTP server with per-chat resumable sessions; session-delete work-loss guard; per-session SSE; `(chat_id, agent)` re-key + `worktrees` table; FK convergence.
 - **Workspace UX + composer** (`v2.6.5`–`v2.6.6`) ✅ — BooChat panes/tabs overhaul (open-in-new-pane, `[+]` New BooChat/BooTerm/BooCode menu, tab relocation, stable tab numbers, session-history landing pane); `workspace_panes` → `WorkspaceState` envelope; morphing Send→Stop→Queue composer + `cancelTask`; `read_tab_by_number` tool + `ToolExecCtx`; CLAUDE.md doc-sync. (This is the work the earlier draft listed as "uncommitted frontend UX" — now shipped.)
 ### In flight
- **v2.3-provider-lifecycle** — config-backed provider registry, enable/disable, two-tier probe (openspec drafted; not started). See `CURRENT.md`.
+- **v2.6 persistent agent sessions — Phase 2/3** — warm ACP backend for goose/qwen (persistent process reused across turns) + lifecycle hardening (idle eviction, crash recovery, worktree cleanup/reaper, post-apply re-baseline) + the Phase-1 UX attribution work (DiffPanel agent badges, resumed/new-session chip). See openspec `v2-6-persistent-agent-sessions/tasks.md`.
 ### Numbering and scope-revision discipline during v1.13.x (2026-05-23)
--- a/data/AGENTS.md
+++ b/data/AGENTS.md
@@ -6,6 +6,10 @@ Operating rules for every agent in this registry. Full procedures live in the `c
 **Worktrees** — Isolate work in a worktree when it is parallel to in-progress work, risky/experimental, a hotfix interrupting other work, or splits into independent units — just create when clear, propose in one line when ambiguous, skip quick/small single-stream work. Branch from a stable base (default branch); worktrees persist (never auto-remove or auto-merge); they isolate code state, not runtime (ports/DBs/services still collide). Full heuristic: invoke `using-worktrees`.
 **Sampling knobs** — Each `## Name` frontmatter block accepts these per-agent sampler fields, threaded into the llama-swap chat-completion request: `temperature`, `top_p`, `top_k`, `min_p`, `presence_penalty`, and (v2.6) `top_n_sigma`, `dry_multiplier`, `dry_base`, `dry_allowed_length`, `dry_penalty_last_n`. The `top_n_sigma` + `dry_*` repetition family curb the doom-loop-prone local model. Omit a field to leave it at the server default. Example: `top_n_sigma: 1.0`, `dry_multiplier: 0.8`, `dry_base: 1.75`, `dry_allowed_length: 2`, `dry_penalty_last_n: -1` (-1 = whole context).
 **Reasoning budget** — To cap a reasoning model's thinking tokens, pass `--reasoning-budget` through `llama_extra_args` (already permitted by the deny-list validator; routes the agent to llama-sidecar). Example frontmatter line: `llama_extra_args: ["--reasoning-budget", "2048"]`. This is a sidecar process flag, not a chat-completion body param — distinct from the sampling knobs above.
 ## Code Reviewer
 ---
 temperature: 0.6
--- a/openspec/changes/license-debt-mit/proposal.md
+++ b/openspec/changes/license-debt-mit/proposal.md
@@ -0,0 +1,51 @@
 # License-debt — relicense AGPL-3.0 → MIT
 **Status:** in progress (started 2026-06-01)
 **Decision:** Sam, 2026-05-31 — relicense BooCode back to MIT.
 **Source:** `boocode_code_review_v2.md` §1 #1, §5k; roadmap `## License-debt` batch.
 ## Why
 The tree is **currently AGPL-3.0** — root `LICENSE` is GNU Affero GPL v3 and all five
 `package.json` declare `"license": "AGPL-3.0-only"`. Cause: the `v2.4.0`/`v2.4.1`
 Unsloth-Studio lifts pulled in three AGPL-3.0-only files. BooCode is network-served, so
 AGPL §13 network-copyleft is a live liability. Clearing the three files makes the MIT flip
 valid; nothing else AGPL remains once they are gone.
 ## Core insight (supersedes the roadmap's staged steps)
 The roadmap entangled the relicense with retiring `tool-call-parser.ts` behind a live
 qwen3.6 validation window. That is **not necessary**: the Unsloth-ported algorithm
 (`parseToolCallsFromText` / `scanBalancedBraces` + unused constants) is **dead code** —
 no production consumer imports it (verified: only the file and its test reference it). The
 load-bearing parser (`extractToolCallBlocks`, under the file's own "BooCode streaming
 helpers" banner) and `stripToolMarkup` are BooCode-authored. So the relicense **strips
 provenance, not capability** — zero behavior change, no validation gate. The
 native-llama-server-parsing retirement remains a separate, optional future optimization.
 ## The three AGPL-3.0-only files to clear
 1. `apps/server/src/services/web/html-to-md.ts` (← `_html_to_md.py`) — **swap** to
   `node-html-markdown` (MIT). A different third-party library, not a rewrite-from-memory
   (which would still be a derivative). Consumed by `web_fetch` via `web/index.ts`;
   `htmlToMarkdown(html): string` signature preserved.
 2. `apps/server/src/services/inference/llama-args-validator.ts` (← `llama_server_args.py`)
   — **clean-room** re-derive the flag denylist from the public llama-server README (CLI
   flag names are facts, not copyrightable); the shadowing logic is already BooCode's own.
 3. `apps/server/src/services/inference/tool-call-parser.ts` (← `tool_call_parser.py`) —
   **delete** the dead Unsloth-ported code; keep BooCode's streaming helpers +
   `stripToolMarkup` (re-derive its strip regexes from qwen's wire format); drop the header.
   No change to the live tool-call path.
 ## Decisions (Sam, 2026-06-01)
 - html-to-md library: **node-html-markdown** (single MIT dep, GFM tables built-in).
 - tool-call-parser: **relicense-only** — defer native-parsing retirement.
 - MIT copyright line: **`Copyright (c) 2026 indifferentketchup`**.
 - Leave `boocode_code_review*.md` (point-in-time snapshots) untouched; update the roadmap
  batch (planned → shipped) and add a README License section.
 ## Out of scope
 - Retiring `tool-call-parser` patterns 1 & 2 in favour of native llama-server parsing.
 - Bumping the stale README "Latest release" line / AGENTS.md pointer.
--- a/openspec/changes/license-debt-mit/tasks.md
+++ b/openspec/changes/license-debt-mit/tasks.md
@@ -0,0 +1,51 @@
 # Tasks — relicense AGPL-3.0 → MIT
 Four units. A/B/C are disjoint files (parallelizable); D is the join (runs after A/B/C).
 The shared `node-html-markdown` dependency swap + `pnpm install` is done before A so the
 parallel agents don't race on `apps/server/package.json`.
 ## Pre: dependency swap (done by coordinator)
 - [ ] Add `node-html-markdown` to `apps/server/package.json` dependencies; remove `parse5`
      (only html-to-md consumed it).
 - [ ] `pnpm install`.
 ## A — html-to-md → node-html-markdown
 - [ ] Replace `apps/server/src/services/web/html-to-md.ts` with a thin MIT wrapper exporting
      `htmlToMarkdown(sourceHtml: string): string` over `NodeHtmlMarkdown.translate`.
 - [ ] Drop the AGPL/Unsloth SPDX header.
 - [ ] Update `html-to-md.test.ts` to the new library's output (structure-level `.toContain`
      where whitespace differs; output feeds an LLM so exact format is not load-bearing).
 - [ ] Keep `web/index.ts` re-export and `web_fetch.ts` untouched.
 ## B — llama-args-validator → clean-room
 - [ ] Rewrite `apps/server/src/services/inference/llama-args-validator.ts`: re-derive the
      managed-flag denylist from the public llama-server README; keep the BooCode
      shadowing-flag logic. Same exports (`validateExtraArgs`, `isManagedFlag`,
      `stripShadowingFlags`, `StripOptions`).
 - [ ] Drop the AGPL/Unsloth SPDX header.
 - [ ] Keep `llama-args-validator.test.ts` green (it pins the contract).
 ## C — tool-call-parser → minimal clean (relicense-only)
 - [ ] Delete dead Unsloth-ported exports: `parseToolCallsFromText`, `scanBalancedBraces`,
      `OpenAiToolCall`, `hasToolSignal`, and the unused nudge constants
      (`DUPLICATE_CALL_NUDGE`, `TOOL_ERROR_NUDGE`, `TOOL_ERROR_PREFIXES`,
      `BUDGET_EXHAUSTED_NUDGE`).
 - [ ] Keep `extractToolCallBlocks` + streaming helpers + `stripToolMarkup` (re-derive its
      strip regexes from qwen's wire format). Drop the AGPL/Unsloth SPDX header.
 - [ ] Remove the now-dead tests from `tool-call-parser.test.ts`; keep streaming/strip tests.
 - [ ] Verify `stream-phase.ts` (`extractToolCallBlocks`) + `tool-phase.ts` / `error-handler.ts`
      (`stripToolMarkup`) still compile.
 ## D — license flip (join)
 - [ ] `LICENSE`: replace AGPL-3.0 text with MIT, `Copyright (c) 2026 indifferentketchup`.
 - [ ] Flip `"license"` to `"MIT"` in all 5 `package.json` (root, server, web, coder, booterm).
 - [ ] Confirm no `SPDX-License-Identifier: AGPL` header survives in the 3 files.
 - [ ] Roadmap `License-debt` batch: planned → shipped (note the decoupled-from-parser-retirement
      approach). Add a `## License` section to `README.md` (MIT).
 - [ ] Optional guard test: assert no `AGPL` SPDX header in `apps/**` and all 5 `package.json`
      are MIT.
 ## Verify
 - [ ] `pnpm -C apps/server test`
 - [ ] `pnpm -C apps/server build`
 - [ ] root `npx tsc --noEmit`
--- a/openspec/changes/mistake-tracker-file-ledger/proposal.md
+++ b/openspec/changes/mistake-tracker-file-ledger/proposal.md
@@ -0,0 +1,70 @@
 # MistakeTracker + file-provenance ledger (#12)
 **Status:** in progress (started 2026-06-01)
 **Source:** `boocode_code_review_v2.md` §1 #12, §5e (cline — algorithm-reimplemented, not vendored).
 Two native-inference (apps/server) hardening features. One cohesive backend change (they share
 `TurnArgs` + the tool-phase observation point) + a small frontend sentinel render.
 ## Part A — MistakeTracker (heterogeneous-failure recovery)
 Complements the doom-loop guard (`sentinels.ts:detectDoomLoop`, which only catches *identical*
 repeats) by catching a run of consecutive tool **failures** the model isn't recovering from.
 - New pure `apps/server/src/services/inference/mistake-tracker.ts` (mirrors `detectDoomLoop`):
  - `FailureKind = 'zod_reject' | 'tool_not_found' | 'exec_error' | 'api_error' | 'permission_denied'`
    (all already distinguished in `tool-phase.ts:executeToolCall`).
  - `MISTAKE_THRESHOLD = 3`.
  - State `{ run: FailureKind[]; nudges: number }` — `run` is the current consecutive-failure streak,
    reset on ANY successful tool step; `nudges` counts recovery injections not yet cleared by a success.
  - `recordStep(state, outcome)` where outcome is a failure kind or `'success'`.
  - `detectMistakePattern(state): 'nudge' | 'escalate' | null` — `run.length >= 3` → `'nudge'` the first
    time (`nudges === 0`), `'escalate'` if it trips again while `nudges >= 1` (no intervening success).
 - Lives in `TurnArgs` (loop-local, reset per `runInference`, like `recentToolCalls`).
 - Integration in `turn.ts` loop: after each tool phase, `recordStep` per tool outcome; then
  `detectMistakePattern`:
  - `'nudge'` (decision: soft + escalate): append a transient **model-facing** recovery-guidance system
    message to the NEXT turn's payload (re-read schemas, verify paths exist before acting, try a
    different approach — not retry variations), insert a `mistake_recovery` UI sentinel
    (`escalated:false`), bump `nudges`, reset `run`. Loop continues.
  - `'escalate'`: stop the turn (break), insert a `mistake_recovery` sentinel (`escalated:true`,
    `can_continue:true`, cap-hit-style), finalize. Prevents heterogeneous failures from burning the
    whole step budget.
 ## Part B — File-provenance ledger (Read-only)
 - Accumulate file paths read by `view_file`/`grep`/`find_files`/`list_dir` into `TurnArgs.filesRead:
  Set<string>` (recorded at the tool-phase, like the failure outcomes).
 - On compaction (`compaction.ts:buildPrompt`), inject a deterministic, sorted `## Files Read` list into
  the summary prompt context so the summarizer merges it into the rolling summary — **no new
  table/column**; it propagates as summary text across compactions. `compaction-prompt.ts`'s
  `SUMMARY_TEMPLATE` already has a `## Relevant Files` section to extend/merge with.
 - BooChat is **read-only** (no write tools on apps/server) → "Files Modified" is N/A here; only
  "Files Read". (The apps/coder write side can add "Modified" later.)
 ## Sentinel contract (pinned — backend + frontend must match)
 New sentinel kind on `MessageMetadata` in BOTH `apps/server/src/types/api.ts` AND
 `apps/web/src/api/types.ts`:
 ```
 { kind: 'mistake_recovery'; failure_kinds: string[]; count: number; escalated: boolean; can_continue?: boolean }
 ```
 - `role='system'`, `status='complete'`, stripped from the LLM payload via `isAnySentinel` in
  `payload.ts` (UI-only) and `compaction.ts:buildHeadPayload`.
 - Frontend render branch in `apps/web/src/components/MessageBubble.tsx`: `escalated:false` →
  "Hit repeated different errors — recovery guidance injected, continuing." `escalated:true` →
  "Repeated errors persisted — stopped the turn." (mirror the doom-loop/cap-hit branches).
 ## Decisions (2026-06-01)
 - MistakeTracker intervention: **soft nudge + escalate**.
 - **UI sentinel** for recovery (`mistake_recovery`).
 ## Files (backend, one agent) / (frontend, one agent)
 - Backend: `mistake-tracker.ts` (new), `turn.ts`, `tool-phase.ts`, `sentinels.ts`,
  `sentinel-summaries.ts`, `payload.ts`, `compaction.ts`, `compaction-prompt.ts`, `types/api.ts` +
  tests (`mistake-tracker.test.ts`, ledger/compaction assertions).
 - Frontend: `apps/web/src/api/types.ts` (MessageMetadata arm) + `MessageBubble.tsx` (render branch).
  MUST NOT touch Sam's WIP web files.
 ## Verify
 - `pnpm -C apps/server test`; `pnpm -C apps/server build`; `npx tsc -p apps/web/tsconfig.app.json --noEmit`
--- a/openspec/changes/sampling-streamjson-tokens/proposal.md
+++ b/openspec/changes/sampling-streamjson-tokens/proposal.md
@@ -0,0 +1,45 @@
 # Small wins — sampling knobs + PTY stream-json + token UI
 **Status:** in progress (started 2026-06-01)
 **Source:** `boocode_code_review_v2.md` §1 #11 / #7 / #8 (config-adopt + qwen-code §5g + opencode §3 #4).
 Three independent BooCode improvements, disjoint subsystems (apps/server / apps/coder / apps/web).
 ## #11 — New sampling knobs (apps/server)
 Per-agent `top_n_sigma` + the `dry_*` repetition family help the doom-loop-prone local model.
 Today the Agent type threads `temperature/top_p/top_k/min_p/presence_penalty` into the inference
 request (`stream-phase.ts:396–438`). Add `top_n_sigma`, `dry_multiplier`, `dry_base`,
 `dry_allowed_length`, `dry_penalty_last_n` as first-class Agent fields (`types/api.ts`), parse them in
 `agents.ts:parseFrontmatter` (same bounded per-field numeric pattern + out-of-range warn), and thread
 them into the request body **via the same mechanism `top_k`/`min_p` already use** (the agent must
 confirm whether that's an AI-SDK `providerOptions`/`extraBody` passthrough — these are llama.cpp
 extensions, not standard OpenAI fields — and ride it; surface it if `top_k`/`min_p` turn out to be
 silently dropped today). `--reasoning-budget` is a llama-server CLI flag already permitted by the
 deny-list validator, so it works via `llama_extra_args: ["--reasoning-budget","N"]` now — document it
 in `data/AGENTS.md`. apps/server only.
 ## #7 — Live PTY stream-json NDJSON parsing (apps/coder)
 qwen/claude PTY dispatch slices stdout opaque (`dispatcher.ts` PTY path; qwen already runs
 `--output-format stream-json`). Add a parser for the Claude-Code-compatible NDJSON
 (`system`/`assistant`/`result`/`stream_event` → `content_block_delta` text/thinking/tool deltas +
 `usage` + `session_id`) that maps to the existing `AgentEvent` union (`agent-backend.ts`). **Live
 incremental** (decision 2026-06-01): line-buffer the PTY stdout `data` events, parse each complete
 NDJSON line as it arrives, and emit broker frames live (text/reasoning/tool) like the ACP/opencode
 paths — plus accumulate for `persistExternalAgentTurn`. claude gets `--output-format stream-json` too.
 One parser serves both (same schema). apps/coder only (`pty-dispatch.ts`, `dispatcher.ts`, new
 `stream-json-parser.ts` + test).
 ## #8 — Surface opencode token usage (apps/coder route + apps/web)
 `agent_sessions.input_tokens/output_tokens/cost` are accumulated (v2.6.8) but the
 `GET /api/sessions/:id/agent-sessions` SELECT + the `AgentSessionInfo` type drop them. Add the 3
 columns to both, render condensed beside the existing session chip in `AgentComposerBar`
 (ChatThroughput styling: `tabular-nums`, muted, e.g. "12.4K in / 3.2K out / $0.25"). MUST NOT touch
 Sam's uncommitted WIP (`ChatTabBar`, `SessionLandingPage`, `Workspace`, `useWorkspacePanes`,
 `PaneHeaderActions`).
 ## Decisions (2026-06-01)
 - #7 surfacing: **live incremental** streaming (not parse-at-end).
 ## Verify
 - `pnpm -C apps/server test` (+ new agent-parse tests); `pnpm -C apps/coder test` (+ new parser tests)
 - `pnpm -C apps/server build && pnpm -C apps/coder build`; `npx tsc -p apps/web/tsconfig.app.json --noEmit`
--- a/openspec/changes/v2-3-provider-lifecycle/design.md
+++ b/openspec/changes/v2-3-provider-lifecycle/design.md
@@ -2,6 +2,8 @@
 Detailed implementation plan for Paseo-style provider registration, readiness probing, and enable/disable toggles in BooCoder.
 > **✅ Shipped 2026-05-29 across `v2.5.4`–`v2.5.13` (reconciled 2026-05-31).** All 6 phases live. As-built deltas: the diagnostic ships as JSON `{ diagnostic: string }` (§6) rather than a plaintext HTTP body (§8's framing); the provider-management UI landed as a **Settings → Providers tab** (the §7.1 "or section under existing settings" path), not a standalone `ProviderSettingsDrawer`; `AddProviderModal` is at `apps/web/src/components/coder/`. **Deferred** (the §7.1 "optional phase 2" + tasks O.1–O.3): WS `provider_snapshot_updated` frame, `available_agents.enabled` column, diagnostic row-click modal — tracked in `docs/DEFERRED-WORK.md`.
 **Audience:** Sam + future agents implementing the batch.  
 **Paseo reference:** `/opt/forks/paseo/packages/server/src/server/agent/` (registry, snapshot manager, generic ACP), `/opt/forks/paseo/packages/app/src/screens/settings/providers-section.tsx` (UI behavior).
--- a/openspec/changes/v2-3-provider-lifecycle/proposal.md
+++ b/openspec/changes/v2-3-provider-lifecycle/proposal.md
@@ -1,10 +1,12 @@
 # v2.3 Provider lifecycle (Paseo-style registry)
-**Status:** Planned  
+**Status:** ✅ **Shipped** across `v2.5.4`–`v2.5.13` (2026-05-29; reconciled 2026-05-31) — all 6 phases live; only the 3 optional Tier-2 items deferred  
 **Depends on:** v2.2 Paseo providers (snapshot, modes, commands, ACP dispatch)  
 **Reference fork:** `/opt/forks/paseo`  
 **Related deferred work:** [`docs/DEFERRED-WORK.md`](../../../docs/DEFERRED-WORK.md) §2 (cold-probe skip)
 > **Shipped mapping (reconciled 2026-05-31):** Phase 1 → `v2.5.4`, Phase 2 → `v2.5.5`, Phase 3 → `v2.5.6`, Phase 4 → `v2.5.12`, Phase 5 → `v2.5.13`, Phase 6 docs → `v2.5.13`/`v2.5.14`. **Deferred (tasks O.1–O.3):** WS `provider_snapshot_updated` frame, `available_agents.enabled` column, diagnostic row-click modal — tracked in `docs/DEFERRED-WORK.md`. (Cursor was retired in `v2.5.3`, so the success-criterion mention below is historical.)
 ## Why
 BooCode v2.2 copied Paseo’s **snapshot wire shape** (modes, thinking, commands) but not Paseo’s **provider lifecycle**:
@@ -46,12 +48,12 @@ Paseo’s model (see `/opt/forks/paseo/public-docs/providers.md`) treats provide
 ## Success criteria
- Add `amp-acp` via catalog → appears in picker after refresh without coder redeploy
+- ✅ Add `amp-acp` via catalog → appears in picker after refresh without coder redeploy *(catalog smoke-test entry; per `boocode_code_review_v2.md` §5m, Amp itself is paid-cloud, not a usable local provider)*
- Disable goose in settings → gone from picker, still visible as “Disabled” in settings
+- ✅ Disable goose in settings → gone from picker, still visible as “Disabled” in settings
- opencode not on PATH → shows “Not installed” in settings, hidden from picker
+- ✅ opencode not on PATH → shows “Not installed” in settings, hidden from picker
- Second snapshot open within warm window completes in &lt;500ms (no ACP spawns)
+- ✅ Second snapshot open within warm window completes in &lt;500ms (no ACP spawns)
- `POST /api/providers/refresh` still runs full cold probe
+- ✅ `POST /api/providers/refresh` still runs full cold probe
- Existing v2.2 dispatch (cursor, opencode, claude, qwen) unchanged for built-ins
+- ✅ Existing v2.2 dispatch unchanged for built-ins *(opencode, claude, qwen, goose — cursor + copilot retired `v2.5.3`)*
 ## Deliverables
--- a/openspec/changes/v2-3-provider-lifecycle/tasks.md
+++ b/openspec/changes/v2-3-provider-lifecycle/tasks.md
@@ -2,70 +2,68 @@
 Implement in phase order from [`design.md`](./design.md). Do not commit unless Sam asks.
-## Phase 1 — Config + registry
+> **✅ SHIPPED across `v2.5.4`–`v2.5.13` (reconciled 2026-05-31).** All 6 phases done; the 3 Optional items (O.1–O.3) deferred (tracked in `docs/DEFERRED-WORK.md`). Verified in tree: `provider-config.ts`, `provider-config-registry.ts`, `command-availability.ts`, `provider-diagnostic.ts`, `acp-provider-catalog.ts`, `components/coder/AddProviderModal.tsx`, Settings→Providers tab.
- [ ] 1.1 Add `CODER_PROVIDERS_PATH` to `apps/coder/src/config.ts` (default `/data/coder-providers.json`)
+## Phase 1 — Config + registry — ✅ `v2.5.4-provider-lifecycle-phase1`
 - [ ] 1.2 Add `data/coder-providers.json` example + wire in `apps/coder/.env.host`
 - [ ] 1.3 Implement `provider-config.ts` (Zod schema + load/merge/save)
 - [ ] 1.4 Implement `provider-config-registry.ts` (`buildResolvedRegistry`, module singleton + reload)
 - [ ] 1.5 Unit tests: built-in override, custom ACP add, enabled false, invalid entry skipped
 - [ ] 1.6 Update `agent-probe.ts` to iterate resolved registry (include custom ids, respect enabled)
-## Phase 2 — Snapshot lifecycle
+- [x] 1.1 Add `CODER_PROVIDERS_PATH` to `apps/coder/src/config.ts` (default `/data/coder-providers.json`)
 - [x] 1.2 Add `data/coder-providers.json` example + wire in `apps/coder/.env.host`
 - [x] 1.3 Implement `provider-config.ts` (Zod schema + load/merge/save)
 - [x] 1.4 Implement `provider-config-registry.ts` (`buildResolvedRegistry`, module singleton + reload)
 - [x] 1.5 Unit tests: built-in override, custom ACP add, enabled false, invalid entry skipped
 - [x] 1.6 Update `agent-probe.ts` to iterate resolved registry (include custom ids, respect enabled)
- [ ] 2.1 Extend `ProviderSnapshotEntry` / status union in coder + web types (`loading`, `unavailable`, `enabled`)
+## Phase 2 — Snapshot lifecycle — ✅ `v2.5.5-provider-lifecycle-phase2`
 - [ ] 2.2 Add `command-availability.ts` (`isCommandAvailable`)
 - [ ] 2.3 Rewrite `buildProviderEntry`: never return null; handle disabled/uninstalled/loading
 - [ ] 2.4 Implement tier-2 skip using `available_agents.last_probed_at` + `PROVIDER_PROBE_TTL_MS`
 - [ ] 2.5 Return `loading` entries synchronously on cache miss; complete via inflight promise
 - [ ] 2.6 Extend `provider-snapshot.test.ts` for disabled, uninstalled, fresh DB skip, force refresh
 - [ ] 2.7 Verify warm cache: second snapshot call does not invoke `probeAcpProvider` (mock assert)
-## Phase 3 — Generic dispatch
+- [x] 2.1 Extend `ProviderSnapshotEntry` / status union in coder + web types (`loading`, `unavailable`, `enabled`)
 - [x] 2.2 Add `command-availability.ts` (`isCommandAvailable`)
 - [x] 2.3 Rewrite `buildProviderEntry`: never return null; handle disabled/uninstalled/loading
 - [x] 2.4 Implement tier-2 skip using `available_agents.last_probed_at` + `PROVIDER_PROBE_TTL_MS`
 - [x] 2.5 Return `loading` entries synchronously on cache miss; complete via inflight promise *(client-side poll deferred to Phase 5; cache miss returns `loading` then settles)*
 - [x] 2.6 Extend `provider-snapshot.test.ts` for disabled, uninstalled, fresh DB skip, force refresh
 - [x] 2.7 Verify warm cache: second snapshot call does not invoke `probeAcpProvider` (mock assert)
- [ ] 3.1 Add `resolveLaunchSpec()` to `acp-spawn.ts`
+## Phase 3 — Generic dispatch — ✅ `v2.5.6-provider-lifecycle-phase3`
 - [ ] 3.2 Wire `acp-dispatch.ts` to use launch spec + env merge
 - [ ] 3.3 Wire `dispatcher.ts` to load resolved def by agent name
 - [ ] 3.4 Unit test: custom command argv reaches spawn
 - [ ] 3.5 Smoke: task dispatch for one custom catalog provider (if installed on host)
-## Phase 4 — HTTP API
+- [x] 3.1 Add `resolveLaunchSpec()` to `acp-spawn.ts`
 - [x] 3.2 Wire `acp-dispatch.ts` to use launch spec + env merge
 - [x] 3.3 Wire `dispatcher.ts` to load resolved def by agent name
 - [x] 3.4 Unit test: custom command argv reaches spawn (built-in dispatch byte-identical)
 - [x] 3.5 Smoke: task dispatch for one custom catalog provider (if installed on host)
- [ ] 4.1 `GET /api/providers/config`
+## Phase 4 — HTTP API — ✅ `v2.5.12-provider-lifecycle-phase4`
 - [ ] 4.2 `PATCH /api/providers/config` (merge + write file + reload registry + clear snapshot cache)
 - [ ] 4.3 `POST /api/providers/refresh` optional body `{ providers?: string[] }`
 - [ ] 4.4 `GET /api/providers/:id/diagnostic` (plaintext report)
 - [ ] 4.5 Extend `apps/web/src/api/client.ts` coder namespace
 - [ ] 4.6 Confirm BooChat proxy forwards new routes (or document direct :9502)
-## Phase 5 — Web UI
+- [x] 4.1 `GET /api/providers/config`
 - [x] 4.2 `PATCH /api/providers/config` (merge + write file + reload registry + clear snapshot cache)
 - [x] 4.3 `POST /api/providers/refresh` optional body `{ providers?: string[] }`
 - [x] 4.4 `GET /api/providers/:id/diagnostic` *(ships as JSON `{ diagnostic: string }`, not plaintext — see design §8 delta)*
 - [x] 4.5 Extend `apps/web/src/api/client.ts` coder namespace
 - [x] 4.6 Confirm BooChat proxy forwards new routes (blanket `/api/coder/*` forward)
- [ ] 5.1 Create `apps/web/src/data/acp-provider-catalog.ts` (5–10 curated entries)
+## Phase 5 — Web UI — ✅ `v2.5.13-provider-lifecycle-phase5`
 - [ ] 5.2 `AddProviderModal.tsx` — search, install → patch + refresh subset
 - [ ] 5.3 `ProviderSettingsDrawer.tsx` — list, status, toggle, refresh, link to add
 - [ ] 5.4 Entry point from CoderPane / AgentComposerBar (gear or settings link)
 - [ ] 5.5 Filter `AgentComposerBar` selectable providers (`enabled && ready`)
 - [ ] 5.6 Loading state while snapshot entries `loading` (poll or one-shot refetch)
 - [ ] 5.7 `npx tsc -p apps/web/tsconfig.app.json --noEmit`
-## Phase 6 — Docs, deploy, closeout
+- [x] 5.1 Create `apps/web/src/data/acp-provider-catalog.ts` (5–10 curated entries)
 - [x] 5.2 `AddProviderModal.tsx` — search, install → patch + refresh subset *(at `components/coder/`)*
 - [x] 5.3 Provider management UI *(shipped as a **Settings → Providers tab** in `SettingsPane.tsx`, not a standalone `ProviderSettingsDrawer` — design §7.1 "or section under existing settings")*
 - [x] 5.4 Entry point from CoderPane / AgentComposerBar (gear or settings link)
 - [x] 5.5 Filter `AgentComposerBar` selectable providers (`enabled && ready|loading`)
 - [x] 5.6 Loading state while snapshot entries `loading`
 - [x] 5.7 `npx tsc -p apps/web/tsconfig.app.json --noEmit`
- [ ] 6.1 `BOOCODER.md` — config file, refresh contract, enable/disable
+## Phase 6 — Docs, deploy, closeout — ✅ `v2.5.13` / docs `v2.5.14`
 - [ ] 6.2 Update `docs/DEFERRED-WORK.md` — mark tier-2 cold-probe item addressed
 - [ ] 6.3 `CHANGELOG.md` entry when tagged
 - [ ] 6.4 `pnpm -C apps/coder test && pnpm -C apps/coder build`
 - [ ] 6.5 `sudo systemctl restart boocoder`
 - [ ] 6.6 Smoke via Tailscale:
  - `curl http://100.114.205.53:9502/api/providers/snapshot`
  - PATCH disable goose → absent from composer, visible in settings
  - POST refresh → models repopulate
  - Add catalog entry → appears after refresh
-## Optional (same batch if time)
+- [x] 6.1 `BOOCODER.md` — config file, refresh contract, enable/disable
 - [x] 6.2 Update `docs/DEFERRED-WORK.md` — tier-2 cold-probe item marked addressed
 - [x] 6.3 `CHANGELOG.md` entries (per-phase tags, not a single tag)
 - [x] 6.4 `pnpm -C apps/coder test && pnpm -C apps/coder build`
 - [x] 6.5 `sudo systemctl restart boocoder`
 - [x] 6.6 Smoke via Tailscale (snapshot / disable goose / refresh / add-catalog)
- [ ] O.1 WS frame `provider_snapshot_updated` (skip polling)
+## Optional — ⬜ DEFERRED (tracked in `docs/DEFERRED-WORK.md`)
- [ ] O.2 `available_agents.enabled` column mirror
+
- [ ] O.3 Diagnostic sheet UI (row click → modal)
+- [ ] O.1 WS frame `provider_snapshot_updated` (skip polling) — **deferred**; `AgentComposerBar:219` polls instead (comment notes the absence)
 - [ ] O.2 `available_agents.enabled` column mirror — **deferred**; `enabled` read from config memory only (no DB column)
 - [ ] O.3 Diagnostic sheet UI (row click → modal) — **deferred**; the plaintext/JSON diagnostic API + Settings surface shipped, the modal polish did not
 ## Explicitly out of scope
--- a/openspec/changes/v2-6-persistent-agent-sessions/design.md
+++ b/openspec/changes/v2-6-persistent-agent-sessions/design.md
@@ -3,6 +3,8 @@
 Reference implementations: `/opt/forks/opencode` (server + SDK),
 `/opt/forks/paseo` (warm ACP + opencode server-manager + reasoning dedup).
 > **⚠️ Reconciled 2026-05-31 — read the proposal's Reconciliation note first.** §2a and §3 describe the *original* design; four details were revised during implementation (per-session SSE; `(chat_id, agent)` key + `worktrees` table; `session.next.*` events; password deferred) — flagged inline. **Phases 2–3 and the Phase-1 UX (§2b, §6, §9) are not yet built**; updated lift sources for them are in new **§10**.
 ## 1. Architecture overview
 ```
@@ -47,6 +49,8 @@ interface AgentBackend {
 ### 2a. OpenCodeServerBackend (shared HTTP server)
 > **⚠️ Shipped deltas vs the bullets below:** (a) **per-session SSE** — one `event.subscribe({directory})` per live opencode session (P1.5-a, `v2.6.2`), NOT one global `/event` loop; (b) events are **`session.next.*`** (`text.delta`/`reasoning.delta`/`tool.{called,success,failed}`), NOT `message.part.*`; (c) **`OPENCODE_SERVER_PASSWORD` deferred** — server binds loopback unsecured.
 - **Spawn once per BooCoder process:** `opencode serve --hostname 127.0.0.1 --port <p>`
  with `OPENCODE_SERVER_PASSWORD=<random-at-boot>` (verified: `serve.ts`, `network.ts`;
  default port 4096, prints `opencode server listening on http://…`). Use the official
@@ -82,6 +86,8 @@ interface AgentBackend {
 ## 3. Data model
 > **⚠️ Shipped (P1.5-b, `v2.6.3`–`v2.6.4`):** `agent_sessions` is keyed **`(chat_id, agent)`** (the tab/chat is the agent-context unit; `chat_id` CASCADEs from `chats`), and a first-class **`worktrees`** table (one-per-session, survives session delete via `session_id` `SET NULL`) replaced `session_worktrees`. `tasks.chat_id` threads the tab id to the dispatcher. The SQL below is the original `(session_id, agent)` / `session_worktrees` shape — see `apps/coder/src/schema.sql` for the live DDL.
 Agent switching is **free** within a chat (the picker is per-turn, not locked), so
 the worktree is shared across agents but each agent keeps its own backend session.
 That splits into two tables: one **shared worktree per chat**, and one **backend
@@ -281,3 +287,12 @@ over the new `agent` column and `agent_sessions` — no dispatch-logic change.
  "opencode's edits live in its worktree — boocode won't see them until applied."
  Derived purely from per-change `agent` + current `value.provider`; no new state.
  Keeps the §3a staging caveat from biting silently.
 ## 10. Lift sources for the remaining phases (added 2026-05-31)
 From the second external review (`boocode_code_review_v2.md`). These supersede/augment §2b, §6, §9 for the unbuilt work:
 - **Phase 2 (warm ACP, goose/qwen) — `qwen --acp` is a validated reference.** qwen-code ships a real stdio multi-session ACP agent (`Map<sessionID,Session>`, `loadSession`/`unstable_resumeSession`, mid-session model/mode switch), so `warm-acp.ts` (§2b) wires qwen into the existing `acp-dispatch.ts` stack as planned. **Caveat:** goose ACP exposes **no `loadSession`/resume** → its cross-restart resume needs a different design than opencode's (re-`session/new` + accept memory loss, or replay). Cross-check qwen's `@agentclientprotocol/sdk@^0.14` vs BooCode's `^0.22` handshake before relying on `unstable_resumeSession`. (`boocode_code_review_v2.md` §5f, §5n.)
 - **Phase 3 (lifecycle hardening) — lift from `openchamber` (MIT, same warm-opencode-server architecture), not Paseo.** Health-monitor + crash auto-restart + busy-aware restart (skip-while-busy + stale-grace) + port reclaim (`killProcessOnPort`/`waitForPortRelease`) + stall-detecting SSE reader — a concrete state machine for §6's "supervise children / rebuild on next turn" sketch. Worktree reaper: Paseo's worktree-archive cascade (soft-delete + `Promise.allSettled` fan-out) + superset's destroy-saga (preflight dirty/unpushed inspect + ordered failure semantics). Bound the warm server's per-session Maps (LRU) — long-lived-daemon leak class. (`boocode_code_review_v2.md` §5c, §5b, §5j.)
 - **Fix-next (Phase 1/2) — the post-interrupt stale-terminal bug (confirmed live).** `opencode-server.ts:~307` settles any `session.idle` onto whatever `activeTurn` holds the session slot, with **no turn-identity guard** → after abort + new prompt, a stale `session.idle` from the cancelled turn settles the *new* turn early as success. Paseo fix `1d38aac` (suppress-terminal-until-next-user-message). **Now one-click reachable** since `v2.6.5` shipped the Send→Stop composer. (`boocode_code_review_v2.md` §1 #6, §3.)
 - **Phase 1 UX (§9) — opencode already streams token/ctx usage.** `session.next.step.ended` carries `{tokens, cost}` on the wire (SDK already installed) → consume it to fill ctx/token usage for opencode sessions, closing the "no usage for external agents" gap; surfaces beside the §9b chip. (`boocode_code_review_v2.md` §1 #8, §3.)
--- a/openspec/changes/v2-6-persistent-agent-sessions/proposal.md
+++ b/openspec/changes/v2-6-persistent-agent-sessions/proposal.md
@@ -1,10 +1,16 @@
 # v2.6 Persistent agent sessions (warm processes + OpenCode server)
-**Status:** Planned
+**Status:** Phase 0 + Phase 1 + P1.5-a/b **shipped** (`v2.6.0`–`v2.6.4`); Phase 1-UX, Phase 2, Phase 3, and unit tests **remaining.** (Reconciled 2026-05-31.)
 **Depends on:** v2.2 Paseo providers (ACP dispatch), v2.3 provider lifecycle (registry/snapshot)
-**Reference fork:** `/opt/forks/paseo`, `/opt/forks/opencode`
+**Reference fork:** `/opt/forks/paseo`, `/opt/forks/opencode`; **remaining-phase lift sources in `boocode_code_review_v2.md`** (openchamber → Phase 3, qwen-code → Phase 2).
 **Pairs with:** the v2.5.x MessageBubble "Thinking" render fix — reasoning already flows; this batch is about persistence, not capability.
 > **Reconciliation note (2026-05-31).** Four design details below were revised *during* implementation; the original prose/SQL is now superseded:
 > 1. **Per-session SSE** — one `event.subscribe({directory})` per live opencode session (P1.5-a, `v2.6.2`) replaced the single global `/event` read loop (design §2a).
 > 2. **`agent_sessions` is keyed `(chat_id, agent)`**, and a first-class **`worktrees`** table replaced `session_worktrees` (P1.5-b, `v2.6.3`); `session_id`/`worktree_id` are informational `SET NULL` (`v2.6.4`). The design §3 SQL is the *original* shape.
 > 3. **opencode streams `session.next.*` events**, not `message.part.*` (design §2a's event names were wrong).
 > 4. **`OPENCODE_SERVER_PASSWORD` was deferred** — the warm server binds loopback unsecured (design §2a specified a random password). Basic-auth scheme since confirmed (openchamber, `boocode_code_review_v2.md` §5c) if ever wanted.
 ## Why
 BooCode dispatches external agents (opencode, goose, qwen) **one-shot per task**:
@@ -93,18 +99,20 @@ this batch does not touch it beyond porting OpenCode's reasoning-dedup.
 ## Success criteria
- Send two messages in one external-agent chat → second turn reuses the same agent
+(Status reconciled 2026-05-31: ✅ met · 🟡 partial · ⬜ remaining)
 - ✅ Send two messages in one external-agent chat → second turn reuses the same agent
  session **and** the same worktree (verified: no second `createWorktree`, agent
-  references files it edited in turn 1).
+  references files it edited in turn 1). *(opencode; Smoke 1, `v2.6.1`)*
- Warm-start latency for turn 2 materially below turn 1 (no spawn/handshake).
+- ✅ Warm-start latency for turn 2 materially below turn 1 (no spawn/handshake). *(turn 2 ~9× faster, `v2.6.1`)*
- opencode reasoning shows once per thought (no dupes) in the Thinking block.
+- ✅ opencode reasoning shows once per thought (no dupes) in the Thinking block.
- Killing the opencode server mid-session → pool restarts it and the next turn
+- ⬜ Killing the opencode server mid-session → pool restarts it and the next turn
-  recovers (opencode persists sessions on disk).
+  recovers (opencode persists sessions on disk). *(Phase 3 — `opencode-server.ts` still comments "recovery is Phase 3")*
- Switch opencode → boocode → opencode in one chat → opencode resumes its *same*
+- 🟡 Switch opencode → boocode → opencode in one chat → opencode resumes its *same*
  session (its memory intact), boocode saw opencode's turns as history, and all three
-  shared the one worktree. No agent is locked to the chat.
+  shared the one worktree. No agent is locked to the chat. *(opencode↔boocode works; goose/qwen warm side is Phase 2 → full round-trip = Smoke 2b, unshipped)*
- Closing/archiving a session removes its worktree; BooCoder restart drains cleanly.
+- ⬜ Closing/archiving a session removes its worktree; BooCoder restart drains cleanly. *(delete-guard shipped `v2.6.2`, but the close→cleanup hook + orphan reaper are Phase 3)*
- Existing one-shot paths (arena, `new_task` tool, MCP create-task) still work.
+- ✅ Existing one-shot paths (arena, `new_task` tool, MCP create-task) still work. *(dispatcher resolve-or-create fallback)*
 ## Deliverables
--- a/openspec/changes/v2-6-persistent-agent-sessions/tasks.md
+++ b/openspec/changes/v2-6-persistent-agent-sessions/tasks.md
@@ -4,91 +4,98 @@ Phased so each phase is independently shippable and smoke-testable. Phase 1
 (OpenCode server) delivers the most value on the cleanest API; goose/qwen warm
 ACP follows; hardening last.
-## Phase 0 — Foundations (no behavior change)
+## Phase 0 — Foundations (no behavior change) — ✅ SHIPPED `v2.6.0-phase0-foundations`
- [ ] 0.1 Add `session_worktrees` + `agent_sessions` tables (per `(session_id, agent)`)
+- [x] 0.1 Tables added to `apps/coder/src/schema.sql` (idempotent) + `pending_changes.agent` column. *Later re-keyed to `(chat_id, agent)` + `worktrees` table in P1.5-b.*
-      to `apps/coder/src/schema.sql` (idempotent; see design §3).
+- [x] 0.2 `AgentBackend` / `AgentSessionHandle` interface + normalized `AgentEvent` union — `apps/coder/src/services/agent-backend.ts`.
- [ ] 0.2 Define `AgentBackend` / `AgentSessionHandle` interface + normalized `onEvent`
+- [x] 0.3 `agent-pool.ts` scaffolded (lazy get-or-create, health, `dispose()`, `onClose` hook).
      event union (reuse shapes from `acp-dispatch.ts`).
 - [ ] 0.3 Scaffold `agent-pool.ts` with lazy get-or-create keyed by `(chat, agent)`,
      health, `dispose()`; wire `app.addHook('onClose')` to dispose alongside dispatcher `stop()`.
-## Phase 1 — OpenCode server backend (multi-turn, warm)
+## Phase 1 — OpenCode server backend (multi-turn, warm) — ✅ SHIPPED `v2.6.1-phase1-opencode` (Smoke 1 verified)
- [ ] 1.1 Add `@opencode-ai/sdk` to `apps/coder/package.json`; pin to installed opencode major.
+- [x] 1.1 `@opencode-ai/sdk` added to `apps/coder/package.json`.
- [ ] 1.2 `backends/opencode-server.ts`: spawn `opencode serve` once (random
+- [x] 1.2 `backends/opencode-server.ts`: spawn `opencode serve`, allocated port, wait for ready line. *`OPENCODE_SERVER_PASSWORD` deferred — loopback-unsecured.*
-      `OPENCODE_SERVER_PASSWORD`, allocated port), `createOpencodeClient`, wait for ready line.
+- [x] 1.3 SSE read loop + demux + text/reasoning/tool mapping. *Superseded by per-session SSE (P1.5-a); events are `session.next.*`, not `message.part.*`.*
- [ ] 1.3 Single `/event` SSE read loop; demux by `properties.sessionID`; map
+- [x] 1.4 Paseo `streamedPartKeys` reasoning dedup (delta vs final part).
-      `message.part.delta`/`updated` (text + reasoning) + tool parts to `onEvent`.
+- [x] 1.5 `ensureSession` reuse/resume. *Re-keyed `(chat_id, agent)` in P1.5-b.*
- [ ] 1.4 Port Paseo `streamedPartKeys` reasoning dedup (delta vs final part).
+- [x] 1.6 `prompt` via SDK with worktree `directory` + `model`.
- [ ] 1.5 `ensureSession`: reuse the `(chat, opencode)` `agent_sessions` row if present
+- [x] 1.7 Dispatcher routes `agent==='opencode'` to the pool backend; broker frames + `persistExternalAgentTurn` identical.
-      (resume on switch-back), else `client.session.create()` → store `agent_session_id`.
+- [x] 1.8 Persistent worktree, chat-keyed, base commit captured, reused across turns/agents. *Now the first-class `worktrees` table (P1.5-b).*
- [ ] 1.6 `prompt`: send via SDK with `x-opencode-directory` = session worktree + `model`.
+- [x] 1.9 Per-session concurrency: `Map<sessionId,Promise>`; `poll()` skips in-flight sessions.
- [ ] 1.7 Dispatcher: when `agent==='opencode'`, route to pool backend instead of
+- [x] 1.10 Per-turn diff supersedes prior `pending_changes` row (latest-wins).
-      `dispatchViaAcp`; keep broker frames + `persistExternalAgentTurn` identical.
+- [x] **Smoke 1** — verified end-to-end (two turns, same session + worktree, turn 2 ~9× faster, reasoning once).
 - [ ] 1.8 Persistent worktree: chat-keyed `createWorktree` (shared across agents);
      capture base commit in `session_worktrees`; reuse across turns and agents.
 - [ ] 1.9 Per-session concurrency: replace global `running` with `Map<sessionId,Promise>`;
      `poll()` skips sessions with an in-flight turn.
 - [ ] 1.10 Per-turn diff → supersede prior `pending_changes` row for the session (latest-wins).
 - [ ] **Smoke 1:** two messages in one opencode chat → same `agent_session_id`, same worktree,
      no second `createWorktree`; agent references turn-1 edits; reasoning shows once; turn-2 faster.
-## Phase 1 (UX) — Attribution & switch affordances (design §9)
+## Phase 1.5 — concurrency + chat-keying follow-ups (added during impl, not in original plan) — ✅ SHIPPED
- [ ] U.1 Stamp `pending_changes.agent` at queue time (worktree path → task agent;
+- [x] P1.5-a **Per-session SSE** (`v2.6.2-delete-guard-and-sse`): one `event.subscribe({directory})` per live opencode session, each with an `AbortController`; `sessionID` demux guard + zombie-loop fix — replaces task 1.3's single global loop. Bundled: session-delete work-loss guard (`/worktree-risk`).
-      native write tools → `'boocode'`; manual RightRail create → NULL).
+- [x] P1.5-b **Re-key `agent_sessions` → `(chat_id, agent)`** + first-class `worktrees` table (`v2.6.3-chatkey-and-skills`); `tasks.chat_id` threaded; `runOpenCodeServerTask` resolve-or-creates a chat for session-less creators; cross-chunk dcp-strip. FK convergence to `SET NULL` (`v2.6.4-agent-sessions-fk`).
- [ ] U.2 Add `agent` to `listPending` response + frontend `PendingChange` type.
+
- [ ] U.3 Extract `providerIcon()` to a shared helper; DiffPanel renders an agent badge
+## Phase 1 (UX) — Attribution & switch affordances (design §9) — ✅ SHIPPED `v2.6.8-agent-attribution` (Smoke U pending live frontend deploy)
-      per row + a "Changes from X, Y" note when the pending set spans >1 agent (§9a).
+
- [ ] U.4 `GET /api/sessions/:id/agent-sessions` route + `api.coder.agentSessions` +
+- [x] U.1 Stamp `pending_changes.agent` at queue time — native tools default `'boocode'`, dispatched external → `task.agent`, manual RightRail → `NULL` (`pending_changes.ts`, `dispatcher.ts`).
-      `useAgentSessions(sessionId)` (refetch on `message_complete`) (§9b).
+- [x] U.2 `agent` flows through `listPending` + backend & frontend `PendingChange` types.
- [ ] U.5 `AgentComposerBar` optional `sessionId` prop → resumed / history / new-session
+- [x] U.3 Shared `components/coder/providerIcons.tsx`; DiffPanel per-row agent badge + "Changes from X, Y" multi-agent note (§9a).
-      chip beside the Provider picker; hidden on fresh chats and other callers (§9b).
+- [x] U.4 `GET /api/sessions/:id/agent-sessions` route + `api.coder.agentSessions` + `useAgentSessions` hook (refetch on message-complete) (§9b).
 - [x] U.5 `AgentComposerBar` optional `sessionId` prop → resumed/history/new-session chip; hidden on fresh chats + other callers (§9b).
 - [x] U.6 Consume opencode `session.next.step.ended` → accumulate `input_tokens`/`output_tokens`/`cost` on `agent_sessions` (new cols). Backend persist only; UI surfacing deferred.
 - [ ] **Smoke U:** stage edits with opencode then boocode → DiffPanel badges each row to the
-      right agent; composer shows "resumed" when re-selecting opencode, "new session" for goose.
+      right agent; composer shows "resumed" when re-selecting opencode, "new session" for goose. *(pending live frontend deploy — Docker container rebuild)*
-## Phase 2 — Warm ACP backend (goose, qwen)
+## Phase 2 — Warm ACP backend (goose, qwen) — ✅ SHIPPED `v2.6.9-warm-acp` (Smoke 2/2b pending live)
- [ ] 2.1 `backends/warm-acp.ts`: persistent spawn + `ClientSideConnection`; `initialize` +
+> **Lift (design §10):** `qwen --acp` is a validated reference (real stdio multi-session, `loadSession`/resume) — wire qwen into the existing `acp-dispatch.ts` stack. **goose ACP has no `loadSession`/resume** → cross-restart resume needs a different design (re-`session/new` + accept memory loss, or replay). Cross-check qwen `@agentclientprotocol/sdk@^0.14` vs BooCode `^0.22` before relying on `unstable_resumeSession`. Do **qwen first** to de-risk.
-      `session/new` once; reuse `acp-dispatch.ts` `handleSessionUpdate`.
+
- [ ] 2.2 `prompt`: `session/prompt` on the warm connection per turn; per-turn abort signal only.
+- [x] 2.1 `backends/warm-acp.ts` `WarmAcpBackend` — persistent spawn + `ClientSideConnection`; `initialize` + `session/new` once per `(chat,agent)`. `handleSessionUpdate` extracted to a shared pure `acp-event-map.ts` (one-shot path byte-identical).
- [ ] 2.3 Child supervision: detached lifetime, exit handler marks `status='crashed'`.
+- [x] 2.2 `prompt`: `session/prompt` on the warm connection per turn; abort = `session/cancel` the prompt only (never kills the child).
- [ ] 2.4 Dispatcher routes `goose`/`qwen` to warm backend; keep one-shot fallback for arena/MCP
+- [x] 2.3 Child supervision: pool-owned lifetime; `exit` marks `agent_sessions.status='crashed'` → re-spawn next turn.
-      (or opt those into pool too — decide in review).
+- [x] 2.4 Dispatcher routes `goose`/`qwen` chat-tab tasks to the warm backend via pure `shouldUseWarmBackend(task)` (needs `session_id`+`chat_id`); one-shot `runExternalAgent` fallback kept for arena/MCP/`new_task`. *(SDK note resolved: installed `@agentclientprotocol/sdk@^0.22.1` has stable `resumeSession`/`loadSession`; resume moot in the warm hot path, deferred to Phase 3.)*
 - [ ] **Smoke 2:** two messages in a goose chat reuse the same process + ACP session + worktree;
      reasoning still renders; no per-turn respawn.
 - [ ] **Smoke 2b (switch round-trip):** opencode → boocode → opencode in one chat — opencode
      resumes the SAME `agent_session_id` (memory intact), boocode saw opencode's turns as
      history, all three shared the one worktree, and no agent was locked to the chat.
-## Phase 3 — Lifecycle hardening
+## Phase 3 — Lifecycle hardening — ✅ COMPLETE (`v2.6.10` 3.1–3.6; `v2.6.11` closed 3.7 + the apps/server close-hook caller)
- [ ] 3.1 Idle TTL eviction keyed per `(chat, agent)`; reattach-on-next-turn from `agent_sessions`.
+> **Lift (design §10):** hardening from **openchamber** (MIT, same warm-opencode-server architecture) — health-monitor + crash auto-restart + busy-aware restart + port reclaim (`killProcessOnPort`/`waitForPortRelease`) + stall-SSE = a concrete state machine for 3.1/3.2/3.6. Reaper (3.3/3.4): Paseo worktree-archive cascade + superset destroy-saga (preflight dirty/unpushed inspect) + LRU cap on warm-server Maps. Do crash-recovery + reaper together (shared supervision loop).
 - [ ] 3.2 Crash recovery: opencode server restart recreates sessions; ACP re-`session/new`.
 - [ ] 3.3 Chat close/archive hook → `closeSession` for every `(chat, agent)` + remove the
      shared `session_worktrees` row + worktree; mark agent rows `status='closed'`.
 - [ ] 3.4 Orphan worktree reaper (extend periodic sweeper) + max-live-worktrees LRU cap.
 - [ ] 3.5 Re-baseline worktree diff after `apply_pending`.
 - [ ] 3.6 Reconnect test: restart BooCoder mid-session → next turn reattaches/recreates cleanly.
 - [ ] 3.7 Staging-boundary hint in DiffPanel (§9c): muted one-liner when the selected
      provider can't see another agent's unapplied worktree edits (derived from per-change
      `agent` + current provider; no new state).
-## Tests
+- [x] 3.1 Idle TTL eviction per `(chat, agent)` (`AGENT_POOL_IDLE_TTL_MS`=30min) + LRU cap (`AGENT_POOL_MAX_LIVE`=10), busy never evicted; reattach next turn. Pure `lifecycle-decisions.ts` (TDD).
 - [x] 3.2 Crash recovery: openchamber health-monitor + busy-aware-restart + stale-grace state machine in `opencode-server.ts` (+ port reclaim) + `warm-acp.ts`. opencode → fresh sessions; ACP → re-`session/new`. F.1 guard + U.6 usage preserved.
 - [x] 3.3 Close hooks (`/api/chats/:id/close`, `/api/sessions/:id/close`) → `closeChat` evicts backends + archives the `worktrees` row + removes the worktree. **apps/server caller wired in `v2.6.11`** (`coder-notify.ts`, fire-and-forget on session-delete + chat archive/delete).
 - [x] 3.4 Orphan worktree reaper (periodic, 1h grace, superset-style dirty/unpushed preflight, Paseo soft-delete) + LRU cap on the pool.
 - [x] 3.5 Re-baseline `worktrees.base_commit` after a successful `apply_pending` (both apply routes).
 - [x] 3.6 Reconnect integration test (DB-opt-in): restart mid-session → next turn reattaches/recreates from `agent_sessions`/`worktrees`.
 - [x] 3.7 Staging-boundary hint in DiffPanel (§9c) — `v2.6.11`: muted one-liner when the selected provider can't see another agent's unapplied worktree edits (derived from per-change `agent` + current provider; no new state).
 ## Tests — ⬜ REMAINING (none of T.1–T.3 exist yet)
 - [ ] T.1 `agent-pool` unit: get-or-create, idle evict, dispose drains in-flight (DB-opt-in pattern).
- [ ] T.2 opencode SSE demux + reasoning dedup unit (fixture event stream).
+- [ ] T.2 opencode SSE demux + reasoning dedup unit (fixture event stream). *Fold in an F.1 interrupt-bug regression case.*
 - [ ] T.3 per-session concurrency: two sessions run concurrently, one session serializes.
 ## Docs
- [ ] D.1 Update `CLAUDE.md` (BooCoder dispatch section) + `BOOCODER.md` health/contract.
+- [~] D.1 `CLAUDE.md` BooCoder-dispatch section **done** (v2.6.1 / v2.6.4 doc-syncs); **`BOOCODER.md` health/contract still pending** (no v2.6 warm-server mentions).
- [ ] D.2 Note opencode `@opencode-ai/sdk` dep + `OPENCODE_SERVER_PASSWORD` env in env docs.
+- [~] D.2 `@opencode-ai/sdk` dep noted; `OPENCODE_SERVER_PASSWORD` env n/a (deferred — loopback-unsecured).
- [ ] D.3 `CHANGELOG.md` entry on tag (`v2.6.0-persistent-agent-sessions`).
+- [x] D.3 `CHANGELOG.md` entries per tag (`v2.6.0`–`v2.6.4`) — shipped as 5 tags, not the single planned `-persistent-agent-sessions`.
-## Build / deploy gate
+## Build / deploy gate — ✅ (per shipped tags; re-run per remaining batch)
- [ ] B.1 `pnpm -C apps/server build && pnpm -C apps/coder build` clean.
+- [x] B.1 `pnpm -C apps/server build && pnpm -C apps/coder build` clean.
- [ ] B.2 `pnpm -C apps/server test` (+ DB-opt-in) green.
+- [x] B.2 `pnpm -C apps/server test` green. *(v2.6-specific T.1–T.3 units still unwritten.)*
- [ ] B.3 Deploy: `sudo systemctl restart boocoder`; `curl :9502/api/health` reports tool count.
+- [x] B.3 Deployed (`sudo systemctl restart boocoder`; `curl :9502/api/health`).
 -----
 ## Fix-next (before Phase 2) — ✅ SHIPPED `v2.6.7-interrupt-guard`
 - [x] F.1 **Post-interrupt stale-terminal guard.** opencode emits one trailing `session.idle`/`session.error` for a cancelled turn (sessionID only, no turn id) which settled the *next* turn early. Fixed with a pure per-session guard (`backends/turn-guard.ts`: `armAbortGuard`/`noteTurnActivity`/`consumeTerminal` over `swallowNextTerminal`) wired into `opencode-server.ts` (arm on abort, swallow the orphan terminal, self-heal on next-turn activity). 3 regression tests (`turn-guard.test.ts`), TDD. Paseo parallel: `1d38aac`.
 ## Remaining — recommended order (implementation plan, 2026-05-31)
 1. ~~**F.1 interrupt-bug fix**~~ — ✅ shipped `v2.6.7-interrupt-guard` (3 regression tests, TDD).
 2. ~~**Phase 1-UX** (U.1–U.6)~~ — ✅ shipped `v2.6.8-agent-attribution` (3 parallel agents, disjoint files; 9 new tests). Smoke U pending the frontend Docker rebuild.
 3. ~~**Phase 2 — warm ACP, qwen first then goose**~~ — ✅ shipped `v2.6.9-warm-acp` (15 new tests; one-shot path preserved). Smoke 2 + 2b pending live exercise post-deploy.
 4. **Phase 3 — lifecycle hardening** — lift openchamber's state machine; do crash-recovery (3.1/3.2/3.6) + worktree reaper (3.3/3.4 + LRU) together (shared supervision loop). Closes the two ⬜ success criteria (server-crash recovery, close→cleanup).
 5. **Tests T.1–T.3 + `BOOCODER.md` (D.1 remainder)** — backfill alongside each phase, not at the end.
 Each phase stays independently shippable + smoke-testable (original phasing holds). Tag monotonically from `v2.6.7`, one batch per phase.
--- a/openspec/changes/write-edit-robustness/proposal.md
+++ b/openspec/changes/write-edit-robustness/proposal.md
@@ -0,0 +1,101 @@
 # Write/edit robustness — fuzzy patch applier + worktree checkpoints
 **Status:** in progress (started 2026-06-01)
 **Source:** `boocode_code_review_v2.md` §1 #3 + #4, §5b/§5d–5e (cline, Apache-2.0 — algorithm clean-reimplemented, not vendored).
 Two independent BooCoder hardening features for local quantized models.
 ## #3 — Fuzzy patch applier
 **Problem:** `applyOne`'s edit case (`apps/coder/src/services/pending_changes.ts:124`) does exact
 `content.includes(oldStr)` → throw, then `content.replace(oldStr, newStr)` (first occurrence).
 `rewindOne` (line 206) is the same. Local models (qwen3.6) drift `old_string` by whitespace/
 indentation/unicode (curly quotes, en/em-dash, nbsp), so a valid edit fails at apply with
 "old_string not found" and is lost.
 **Design:** new pure module `apps/coder/src/services/fuzzy-match.ts`:
 `locateMatch(content: string, needle: string): { kind: 'exact'|'fuzzy'; start: number; end: number }
 | { kind: 'ambiguous'; count: number } | { kind: 'not_found' }`. Match ladder:
 1. **Exact** `indexOf`. If exactly one → exact span. If >1 → **ambiguous** (refuse; decision
   2026-06-01: safer than silently editing the first).
 2. **Per-line whitespace-insensitive** — compare `needle` lines to file line-windows ignoring per-line
   `trimEnd`/leading-trailing blank lines.
 3. **Unicode canonicalization** — normalize curly→straight quotes, en/em-dash→`-`, nbsp→space on both
   sides, then retry the whitespace pass.
 4. **Levenshtein** similarity ≥ 0.66 over line-windows sized to `needle`'s line count; best window wins.
 Non-exact (fuzzy) matches return the actual file span so the caller replaces the real file text with
 `new_string`. `pending_changes.ts` `applyOne`/`rewindOne` use `locateMatch`; `ambiguous`/`not_found`
 return `success:false` with a clear message (no throw escaping the existing catch). Unit-tested
 (`apps/coder/src/services/__tests__/fuzzy-match.test.ts`), per the `turn-guard.ts` pure-helper pattern.
 ## #4 — Worktree checkpoint + conversation-trim
 **Problem:** `rewind` only reverses BooCode's own `pending_changes` (applied to the project root).
 External agents (opencode/goose/qwen/claude) write **directly into the session worktree**
 (`/tmp/booworktrees/sess-<id>`); rewind has zero coverage there.
 **Schema** (`apps/coder/src/schema.sql`):
 ```sql
 CREATE TABLE IF NOT EXISTS checkpoints (
  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
  chat_id     UUID NOT NULL REFERENCES chats(id) ON DELETE CASCADE,
  session_id  UUID,
  worktree_id UUID REFERENCES worktrees(id) ON DELETE SET NULL,
  message_id  UUID,            -- anchor: the assistant turn row this checkpoint precedes
  commit_sha  TEXT NOT NULL,   -- shadow-commit capturing the pre-turn worktree tree
  label       TEXT,
  created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
 );
 CREATE INDEX IF NOT EXISTS checkpoints_chat_created_idx ON checkpoints(chat_id, created_at);
 ```
 **Create** (`apps/coder/src/services/checkpoints.ts` → `createCheckpoint`): hooked into the three
 external-agent dispatch paths in `dispatcher.ts` (`runWarmAcpTask` ~821, `runOpenCodeServerTask` ~513,
 `runExternalAgent` ~255) — after `ensureSessionWorktree()` and the assistant-message insert (so the
 anchor `message_id` exists), before the backend runs. Snapshot captures tracked **+ untracked** via a
 temp-index shadow commit, stored in a private GC-safe ref:
 ```
 cd <wt> && TMP=$(mktemp) && GIT_INDEX_FILE="$TMP" git read-tree HEAD \
  && GIT_INDEX_FILE="$TMP" git add -A \
  && TREE=$(GIT_INDEX_FILE="$TMP" git write-tree) \
  && SHA=$(git commit-tree "$TREE" -p HEAD -m "boocode checkpoint") \
  && git update-ref refs/boocode/checkpoints/<id> "$SHA" && rm -f "$TMP" && echo "$SHA"
 ```
 Best-effort: a checkpoint failure logs and never breaks the turn. Native-boocode turns (project-root,
 rewind-covered) get no checkpoint.
 **Restore** (`POST /api/sessions/:sessionId/checkpoints/:checkpointId/restore`, proxied `/api/coder/*`):
 1. Resolve + validate the checkpoint belongs to the session.
 2. Reset worktree: `git -C <wt> reset --hard <commit_sha> && git -C <wt> clean -fd` (hostExec+shellEscape).
 3. Trim transcript: `DELETE FROM messages WHERE chat_id = <cp.chat_id> AND created_at >=
   (SELECT created_at FROM messages WHERE id = <cp.message_id>)` (+ explicit `message_parts` delete if
   the FK isn't ON DELETE CASCADE — verify).
 4. Reset backend (decision 2026-06-01): `UPDATE agent_sessions SET status='crashed' WHERE
   chat_id=<cp.chat_id>` and evict the live pool session for `(chat,agent)` if present, so the next turn
   re-establishes a fresh backend — transcript, files, and agent context all consistent at the restore
   point. (Warm backends hold context server-side; no partial rewind exists.)
 5. Delete now-orphaned later checkpoints: `DELETE FROM checkpoints WHERE chat_id=? AND created_at >
   <cp.created_at>`.
 6. Return `{ checkpoint_id, messages_deleted, worktree_reset, backend_reset }`.
 **Frontend:** per-message "Restore to here" in `CoderMessageList.tsx` (via a new optional
 `onRestoreCheckpoint?(chatId, messageId)` on `MessageActions` in `MessageBubble.tsx`), wired in
 `CoderPane.tsx`; guarded to `status==='complete'` and to messages that have a checkpoint. After the call
 returns, refetch the chat's messages (existing GET) — no new WS frame required.
 ## Decisions (2026-06-01)
 - Multi-exact-match → **refuse as ambiguous** (#3).
 - #4 **full** scope incl. conversation-trim.
 - Restore **resets** the external-agent backend session (context re-established fresh).
 ## Parallelization
 - **Unit 1 (#3)** — fully independent (`fuzzy-match.ts` + `pending_changes.ts` + test).
 - **Unit 2 (#4 backend)** — schema + `checkpoints.ts` (create+restore) + 3 dispatcher hooks + restore route + backend reset. One agent owns all #4 coder backend (shared `checkpoints.ts`).
 - **Unit 3 (#4 frontend)** — `CoderMessageList`/`MessageBubble`/`CoderPane`, against the pinned restore contract. Parallel with Unit 2. MUST NOT touch Sam's uncommitted WIP (`ChatTabBar`, `SessionLandingPage`, `Workspace`, `useWorkspacePanes`, `PaneHeaderActions`).
 ## Verify
 - `pnpm -C apps/coder test` (incl. new `fuzzy-match` + any checkpoint pure-helper tests)
 - `pnpm -C apps/server build` then `pnpm -C apps/coder build`
 - `npx tsc -p apps/web/tsconfig.app.json --noEmit`
 - Live smoke (manual, host): external-agent edit → checkpoint row; "Restore to here" → worktree reset + transcript trimmed + next turn fresh.
--- a/package.json
+++ b/package.json
@@ -11,5 +11,5 @@
  "devDependencies": {
    "typescript": "^5.5.0"
  },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -158,9 +158,9 @@ importers:
      fastify:
        specifier: ^4.28.1
        version: 4.29.1
-      parse5:
+      node-html-markdown:
-        specifier: ^8.0.1
+        specifier: ^1.3.0
-        version: 8.0.1
+        version: 1.3.0
      postgres:
        specifier: ^3.4.4
        version: 3.4.9
@@ -2108,6 +2108,9 @@ packages:
    resolution: {integrity: sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==}
    engines: {node: '>=18'}
  boolbase@1.0.0:
    resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==}
  brace-expansion@2.1.0:
    resolution: {integrity: sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==}
@@ -2270,6 +2273,13 @@ packages:
    resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
    engines: {node: '>= 8'}
  css-select@5.2.2:
    resolution: {integrity: sha512-TizTzUddG/xYLA3NXodFM0fSbNizXjOKhqiQQwvhlspadZokn1KDy0NZFS0wuEubIYAV5/c1/lAr0TaaFXEXzw==}
  css-what@6.2.2:
    resolution: {integrity: sha512-u/O3vwbptzhMs3L1fQE82ZSLHQQfto5gyZzwteVIEyeaY5Fc7R4dapF/BvRoSYFeqfBk4m0V1Vafq5Pjv25wvA==}
    engines: {node: '>= 6'}
  cssesc@3.0.0:
    resolution: {integrity: sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==}
    engines: {node: '>=4'}
@@ -2344,6 +2354,19 @@ packages:
    resolution: {integrity: sha512-DPi0FmjiSU5EvQV0++GFDOJ9ASQUVFh5kD+OzOnYdi7n3Wpm9hWWGfB/O2blfHcMVTL5WkQXSnRiK9makhrcnw==}
    engines: {node: '>=0.3.1'}
  dom-serializer@2.0.0:
    resolution: {integrity: sha512-wIkAryiqt/nV5EQKqQpo3SToSOV9J0DnbJqwK7Wv/Trc92zIAYZ4FlMu+JPFW1DfGFt81ZTCGgDEabffXeLyJg==}
  domelementtype@2.3.0:
    resolution: {integrity: sha512-OLETBj6w0OsagBwdXnPdN0cnMfF9opN69co+7ZrbfPGrdpPVNBUj02spi6B1N7wChLQiPn4CSH/zJvXw56gmHw==}
  domhandler@5.0.3:
    resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==}
    engines: {node: '>= 4'}
  domutils@3.2.2:
    resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==}
  dotenv@17.4.2:
    resolution: {integrity: sha512-nI4U3TottKAcAD9LLud4Cb7b2QztQMUEfHbvhTH09bqXTxnSie8WnjPALV/WMCrJZ6UV/qHJ6L03OqO3LcdYZw==}
    engines: {node: '>=12'}
@@ -2391,9 +2414,9 @@ packages:
    resolution: {integrity: sha512-QyL119InA+XXEkNLNTPCXPugSvOfhwv0JOlGNzvxs0hZaiHLNvXSpudUWsOlsXGWJh8G6ckCScEkVHfX3kw/2Q==}
    engines: {node: '>=10.13.0'}
-  entities@8.0.0:
+  entities@4.5.0:
-    resolution: {integrity: sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA==}
+    resolution: {integrity: sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==}
-    engines: {node: '>=20.19.0'}
+    engines: {node: '>=0.12'}
  env-paths@2.2.1:
    resolution: {integrity: sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==}
@@ -2662,6 +2685,10 @@ packages:
  hast-util-whitespace@3.0.0:
    resolution: {integrity: sha512-88JUN06ipLwsnv+dVn+OIYOvAuvBMy/Qoi6O7mQHxdPXpjy+Cd6xRkWwux7DKO+4sYILtLBRIKgsdpS2gQc7qw==}
  he@1.2.0:
    resolution: {integrity: sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==}
    hasBin: true
  headers-polyfill@5.0.1:
    resolution: {integrity: sha512-1TJ6Fih/b8h5TIcv+1+Hw0PDQWJTKDKzFZzcKOiW1wJza3XoAQlkCuXLbymPYB8+ZQyw8mHvdw560e8zVFIWyA==}
@@ -3210,6 +3237,13 @@ packages:
    resolution: {integrity: sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA==}
    engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
  node-html-markdown@1.3.0:
    resolution: {integrity: sha512-OeFi3QwC/cPjvVKZ114tzzu+YoR+v9UXW5RwSXGUqGb0qCl0DvP406tzdL7SFn8pZrMyzXoisfG2zcuF9+zw4g==}
    engines: {node: '>=10.0.0'}
  node-html-parser@6.1.13:
    resolution: {integrity: sha512-qIsTMOY4C/dAa5Q5vsobRpOOvPfC4pB61UVW2uSwZNUp0QU/jCekTal1vMmbO0DgdHeLUJpv/ARmDqErVxA3Sg==}
  node-pty@1.1.0:
    resolution: {integrity: sha512-20JqtutY6JPXTUnL0ij1uad7Qe1baT46lyolh2sSENDd4sTzKZ4nmAFkeAARDKwmlLjPx6XKRlwRUxwjOy+lUg==}
@@ -3224,6 +3258,9 @@ packages:
    resolution: {integrity: sha512-9qny7Z9DsQU8Ou39ERsPU4OZQlSTP47ShQzuKZ6PRXpYLtIFgl/DEBYEXKlvcEa+9tHVcK8CF81Y2V72qaZhWA==}
    engines: {node: '>=18'}
  nth-check@2.1.1:
    resolution: {integrity: sha512-lqjrjmaOoAnWfMmBPL+XNnynZh2+swxiX3WUE0s4yEHI6m+AwrK2UZOimIRl3X/4QctVqS8AiZjFqyOGrMXb/w==}
  object-assign@4.1.1:
    resolution: {integrity: sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==}
    engines: {node: '>=0.10.0'}
@@ -3287,9 +3324,6 @@ packages:
    resolution: {integrity: sha512-TXfryirbmq34y8QBwgqCVLi+8oA3oWx2eAnSn62ITyEhEYaWRlVZ2DvMM9eZbMs/RfxPu/PK/aBLyGj4IrqMHw==}
    engines: {node: '>=18'}
  parse5@8.0.1:
    resolution: {integrity: sha512-z1e/HMG90obSGeidlli3hj7cbocou0/wa5HacvI3ASx34PecNjNQeaHNo5WIZpWofN9kgkqV1q5YvXe3F0FoPw==}
  parseurl@1.3.3:
    resolution: {integrity: sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==}
    engines: {node: '>= 0.8'}
@@ -5904,6 +5938,8 @@ snapshots:
    transitivePeerDependencies:
      - supports-color
  boolbase@1.0.0: {}
  brace-expansion@2.1.0:
    dependencies:
      balanced-match: 1.0.2
@@ -6040,6 +6076,16 @@ snapshots:
      shebang-command: 2.0.0
      which: 2.0.2
  css-select@5.2.2:
    dependencies:
      boolbase: 1.0.0
      css-what: 6.2.2
      domhandler: 5.0.3
      domutils: 3.2.2
      nth-check: 2.1.1
  css-what@6.2.2: {}
  cssesc@3.0.0: {}
  csstype@3.2.3: {}
@@ -6083,6 +6129,24 @@ snapshots:
  diff@8.0.4: {}
  dom-serializer@2.0.0:
    dependencies:
      domelementtype: 2.3.0
      domhandler: 5.0.3
      entities: 4.5.0
  domelementtype@2.3.0: {}
  domhandler@5.0.3:
    dependencies:
      domelementtype: 2.3.0
  domutils@3.2.2:
    dependencies:
      dom-serializer: 2.0.0
      domelementtype: 2.3.0
      domhandler: 5.0.3
  dotenv@17.4.2: {}
  dunder-proto@1.0.1:
@@ -6130,7 +6194,7 @@ snapshots:
      graceful-fs: 4.2.11
      tapable: 2.3.3
-  entities@8.0.0: {}
+  entities@4.5.0: {}
  env-paths@2.2.1: {}
@@ -6519,6 +6583,8 @@ snapshots:
    dependencies:
      '@types/hast': 3.0.4
  he@1.2.0: {}
  headers-polyfill@5.0.1:
    dependencies:
      '@types/set-cookie-parser': 2.4.10
@@ -7196,6 +7262,15 @@ snapshots:
      fetch-blob: 3.2.0
      formdata-polyfill: 4.0.10
  node-html-markdown@1.3.0:
    dependencies:
      node-html-parser: 6.1.13
  node-html-parser@6.1.13:
    dependencies:
      css-select: 5.2.2
      he: 1.2.0
  node-pty@1.1.0:
    dependencies:
      node-addon-api: 7.1.1
@@ -7211,6 +7286,10 @@ snapshots:
      path-key: 4.0.0
      unicorn-magic: 0.3.0
  nth-check@2.1.1:
    dependencies:
      boolbase: 1.0.0
  object-assign@4.1.1: {}
  object-inspect@1.13.4: {}
@@ -7289,10 +7368,6 @@ snapshots:
  parse-ms@4.0.0: {}
  parse5@8.0.1:
    dependencies:
      entities: 8.0.0
  parseurl@1.3.3: {}
  path-browserify@1.0.1: {}
Author	SHA1	Message	Date
indifferentketchup	bcc89d8adc	feat: MistakeTracker + file-provenance ledger (v2.7.4) Two native-inference hardening features from boocode_code_review_v2 §1 #12. MistakeTracker: new pure mistake-tracker.ts tracks consecutive heterogeneous tool failures (kinds surfaced per tool from tool-phase.ts). On 3 in a row the turn loop soft-nudges (model-facing recovery guidance + mistake_recovery sentinel + reset), then escalates to stopping the turn (cap-hit-style, Continue affordance) on a re-trip. Complements doom-loop (identical repeats) + cap-hit. File-provenance ledger: compaction.ts derives a deterministic ## Files Read list from the head messages' read-tool calls and injects it into the rolling-summary prompt so provenance survives compaction (no new table; read-only). mistake_recovery sentinel: MessageMetadata arm (server + web) + MessageBubble render branch. Built by 2 parallel agents. Server 545 tests passing (23 new); build + web tsc clean. Native-inference only. Builds on v2.7.3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 13:05:03 +00:00
indifferentketchup	f53d6a8afd	Merge sampling-knobs-streamjson: v2.7.3 sampling knobs + live PTY stream-json + token UI	2026-06-01 12:47:31 +00:00
indifferentketchup	a584dd16b0	feat: sampling knobs + live PTY stream-json + token UI (v2.7.3) Three small wins from boocode_code_review_v2 §1 #11/#7/#8. #11 sampling knobs: top_n_sigma + dry_* family as first-class Agent fields, threaded into the request body via providerOptions.openaiCompatible. Fixes a latent bug — top_k (rejected by the AI-SDK provider) and min_p (never passed to streamText) were dead on the wire; both now route through the same channel. --reasoning-budget documented in data/AGENTS.md. #7 live PTY stream-json: new stream-json-parser.ts line-buffers qwen/claude NDJSON and emits text/reasoning/tool frames live + persists, with a fallback to the old opaque slice. claude gets --output-format stream-json --verbose. #8 token UI: agent_sessions input/output_tokens/cost now flow through the route + type and render beside the AgentComposerBar session chip. Built by 3 parallel agents. Server 523 + coder 245 tests passing; builds + web tsc clean. Builds on v2.7.2. openspec sampling-streamjson-tokens. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 12:47:17 +00:00
indifferentketchup	5651f56039	Merge checkpoint-idor-fix: v2.7.2 close 2 checkpoint IDOR holes	2026-06-01 12:16:08 +00:00
indifferentketchup	9c7d80e2d8	fix(security): scope checkpoint routes to session — close 2 IDORs (v2.7.2) Flagged by the automated push security review on v2.7.1. - GET /checkpoints?chat_id= : the chat_id branch filtered by chat_id alone (any session's chat_id read its checkpoints). Now joins chats and gates on chats.session_id. - restoreCheckpoint scope guard was fail-open: `cp.session_id && cp.session_id !== sessionId` fell through on a null denormalized session_id, allowing a cross-session restore (worktree reset + transcript trim). Now resolves the owning session via the checkpoint's chat and denies on missing/mismatch. - Adds a DB-integration regression for the null-session_id cross-session case. Both scope authoritatively through chats.session_id (checkpoints.session_id is a nullable hint). Coder suite 234 passing; 7/7 checkpoint tests (incl. the regression) against live postgres+git; typecheck clean. Hotfix on v2.7.1. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 12:15:54 +00:00
indifferentketchup	a41a02a62b	Merge fuzzy-checkpoints: v2.7.1 write/edit robustness (fuzzy applier + worktree checkpoints)	2026-06-01 12:02:06 +00:00
indifferentketchup	59f07e8cb8	feat: write/edit robustness — fuzzy patch applier + worktree checkpoints (v2.7.1) #3 Fuzzy patch applier: new pure fuzzy-match.ts (locateMatch, exact→trim→ unicode-canon→Levenshtein≥0.66, refuse-on-ambiguous) wired into pending_changes applyOne/rewindOne so local-model whitespace/unicode drift in old_string no longer loses the edit. #4 Worktree checkpoint + conversation-trim: checkpoints table + checkpoints.ts (shadow-commit of tracked+untracked into refs/boocode/checkpoints, hooked into the 3 external-agent dispatcher paths) + POST restore route (reset --hard + clean -fd -> transcript trim -> backend-session reset) + "Restore to here" UI. Built by 3 parallel agents; DB-integration testing caught a created_at self-deletion bug. Coder suite 234 passing; server+coder build + web tsc clean. Builds on v2.7.0-mit. openspec write-edit-robustness. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 12:01:57 +00:00
indifferentketchup	1108d07fb2	Merge relicense-agpl-to-mit: v2.7.0 AGPL-3.0 → MIT relicense	2026-06-01 08:16:25 +00:00
indifferentketchup	a8bfde8f8d	feat: relicense AGPL-3.0 → MIT (v2.7.0) Clear the 3 Unsloth-Studio-derived AGPL files and flip LICENSE + 5 package.json from AGPL-3.0-only to MIT. - html-to-md.ts → MIT node-html-markdown (parse5 dropped) - llama-args-validator.ts → clean-room (flag denylist = facts) - tool-call-parser.ts → delete dead Unsloth-ported code; keep extractToolCallBlocks/stripToolMarkup byte-identical (no behavior change) - LICENSE → MIT (Copyright (c) 2026 indifferentketchup); 5 package.json → MIT; AGPL SPDX headers removed; README License section; license-mit guard test - roadmap License-debt batch marked shipped; openspec/changes/license-debt-mit Decouples the relicense from the native-parsing retirement (the ported parser was dead code). Server suite 519 passing; build + coder typecheck clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 08:16:03 +00:00
indifferentketchup	9c1ddcaa7c	Merge v2611-followups: v2.6.11 apps/server close-hook caller + DiffPanel staging hint	2026-06-01 02:35:21 +00:00
indifferentketchup	217f487395	docs(changelog): v2.6.11-close-hooks-staging (closes the v2.6 openspec) CHANGELOG + roadmap (through v2.6.11) + openspec v2-6 Phase 3 fully closed (3.7 + apps/server close-hook caller done). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 02:35:21 +00:00
indifferentketchup	2dfbef4c41	feat: v2.6 follow-ups — apps/server close-hook caller + DiffPanel staging hint (3.7) apps/server fire-and-forgets BooCoder's Phase-3 close hooks (new coder-notify.ts, reuses BOOCODER_URL, never-rejects) on session-delete + chat archive/archive-all/delete, so warm backends + worktrees tear down immediately (idle-evict/reaper was the backstop). 3.7: BooCoder DiffPanel shows a muted one-liner when the selected provider can't see another agent's unapplied worktree edits (pure derivation from per-change agent + current provider, no new state). 6 new server tests (coder-notify); 537 server tests pass; web+server tsc/build clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 02:35:11 +00:00
indifferentketchup	c7a8128059	Merge phase3-lifecycle: v2.6.10 lifecycle hardening (completes v2.6 persistent agent sessions)	2026-06-01 01:10:16 +00:00
indifferentketchup	986c8a83a9	docs(changelog): v2.6.10-lifecycle-hardening (completes v2.6) CHANGELOG + roadmap (through v2.6.10; v2.6 marked complete) + openspec v2-6 Phase 3 checked off (3.1-3.6; 3.7 frontend + apps/server caller as follow-ups). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 01:10:16 +00:00
indifferentketchup	aa3797e356	feat(coder): v2.6 Phase 3 — lifecycle hardening (idle evict, crash recovery, worktree reaper) Idle TTL eviction per (chat,agent) + LRU cap (never a busy backend); pure lifecycle-decisions.ts (TDD). Crash recovery lifts openchamber's health-monitor + busy-aware-restart + stale-grace state machine into opencode-server.ts (+ port reclaim) and warm-acp.ts; opencode crash -> fresh sessions, ACP -> re-session/new. F.1 turn-guard + U.6 usage preserved (their tests pass). Orphan worktree reaper (1h grace, superset-style dirty/unpushed preflight, Paseo soft-delete) + close hooks + diff re-baseline after apply_pending. 35 new tests + DB-opt-in reconnect test; 215 coder tests pass; tsc + build clean. Completes v2.6. Follow-ups out of scope: apps/server close-hook caller, 3.7 DiffPanel staging hint, live smokes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 01:10:09 +00:00
indifferentketchup	850d48853f	Merge phase2-warm-acp: v2.6.9 warm ACP backend for goose/qwen	2026-05-31 23:57:14 +00:00
indifferentketchup	f619ae0978	docs(changelog): v2.6.9-warm-acp CHANGELOG + roadmap (through v2.6.9) + openspec v2-6 Phase 2 checked off (2.1-2.4; Smoke 2/2b pending live). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 23:57:09 +00:00
indifferentketchup	0d3d08f5f2	feat(coder): v2.6 Phase 2 — warm ACP backend for goose/qwen WarmAcpBackend (AgentBackend) holds one persistent goose acp / qwen --acp child + ClientSideConnection + ACP session per (chat,agent); initialize+session/new once, reused across turns. Abort = session/cancel the prompt only (never kills the child); child exit -> agent_sessions.status='crashed' -> re-spawn next turn. Dispatcher routes goose/qwen chat-tab tasks to the pooled warm backend via pure shouldUseWarmBackend (needs session_id+chat_id); one-shot runExternalAgent kept as fallback for arena/MCP/new_task. handleSessionUpdate extracted to a shared pure acp-event-map.ts (one-shot path byte-identical). SDK: installed @agentclientprotocol/sdk@^0.22.1 has stable resumeSession/loadSession; resume moot in the warm hot path, deferred to Phase 3. 15 new tests (warm-acp-routing, acp-event-map); 180 coder tests pass; tsc + build clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 23:57:03 +00:00
indifferentketchup	0658d19b64	Merge phase1-ux: v2.6.8 agent attribution (DiffPanel badges + composer chip + agent-sessions route + opencode usage)	2026-05-31 22:07:39 +00:00
indifferentketchup	631af5dd4c	docs(changelog): v2.6.8-agent-attribution CHANGELOG + roadmap shipped record (through v2.6.8) + openspec v2-6 Phase 1-UX checked off (U.1-U.6; Smoke U pending the frontend Docker rebuild). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 22:07:32 +00:00
indifferentketchup	5db6551361	feat(web): Phase 1-UX frontend — DiffPanel agent badges + resumed/new-session chip DiffPanel renders a per-row agent badge (icon+label; null -> 'manual') + a 'Changes from X, Y' note when the pending set spans >1 agent. AgentComposerBar gains an optional sessionId prop -> resumed/history/new-session chip beside the Provider picker (gated, so BooChat callers are unchanged), driven by a new useAgentSessions hook (refetch on message-complete). providerIcon extracted to shared components/coder/providerIcons.tsx; api.coder gains agentSessions(sessionId); PendingChange type gains agent. web tsc clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 22:07:26 +00:00
indifferentketchup	c060778258	feat(coder): Phase 1-UX backend — agent attribution + agent-sessions route + opencode usage pending_changes.agent stamped at every queue site (native -> 'boocode', dispatched external -> task.agent, manual RightRail -> NULL) + flows through listPending. New GET /api/sessions/:id/agent-sessions -> [{agent,status,has_session,last_active_at}] per (chat,agent). opencode warm server consumes session.next.step.ended, accumulating input_tokens/output_tokens/cost onto agent_sessions (new idempotent columns) via a pure opencode-usage.ts mapper. Tests: agent-sessions.routes (3) + opencode-usage (6); tsc clean. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 22:07:14 +00:00
indifferentketchup	48c1d70baf	Merge f1-interrupt-guard: F.1 opencode post-interrupt stale-terminal guard + doc reconciliation (v2.6.7)	2026-05-31 21:32:25 +00:00
indifferentketchup	457010391a	docs(changelog): v2.6.7-interrupt-guard + reconcile roadmap/review/openspec CHANGELOG entry for v2.6.7. Plus the session's doc reconciliation: roadmap shipped record synced through v2.6.7 (v2.3 lifecycle marked shipped, relicense AGPL->MIT batch, fork-sweep lift items, claude-agent-sdk SessionStore, ACP package fix); boocode_code_review_v2 (two fork sweeps, relicense decision = 3 AGPL files, jinja gate green); openspec v2-3 reconciled to shipped (v2.5.4-v2.5.13); openspec v2-6 Phase 0/1 + P1.5 shipped, F.1 done, remaining-phase plan + lift sources. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 21:31:47 +00:00
indifferentketchup	372651bcb1	fix(coder): F.1 post-interrupt stale-terminal guard (opencode warm server) opencode emits one trailing session.idle/error for a turn cancelled via client.session.abort(), carrying only a sessionID (no turn id). The warm-server backend settled activeTurn on that event, so after Stop + an immediate new message the orphan idle settled the NEXT turn early as success (one-click reachable since v2.6.5's Send->Stop composer). Adds a pure per-session guard (backends/turn-guard.ts: armAbortGuard / noteTurnActivity / consumeTerminal over swallowNextTerminal) wired into opencode-server.ts: abort arms it, the next terminal is swallowed once, and a new turn's first delta self-heals so a never-arriving orphan can't strand a real turn. Test-first; 3 regression tests in turn-guard.test.ts. Paseo parallel: 1d38aac. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 21:31:35 +00:00
indifferentketchup	d66948c925	docs(changelog): v2.6.6-claude-md Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 12:44:33 +00:00
indifferentketchup	58d0c0f132	docs(claude-md): v2.6.5 session learnings Capture four recurring gotchas from the panes/tabs/composer batch: the workspace_panes WorkspaceState envelope (+ legacy-array migration on hydrate and the union-accepting server PATCH validator); the optional ToolExecCtx ({ sql, sessionId }) 4th arg on ToolDef.execute for DB/session-aware tools (read_tab_by_number reference); the two-schema-files-one-DB ownership split (apps/coder owns agent_sessions/worktrees/pending_changes/available_agents) plus the idempotent confdeltype FK-action-flip pattern; and that React StrictMode is on, so a setState called inside another setState's updater double-fires in dev. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 12:44:20 +00:00
indifferentketchup	7b4f41b26f	docs: roadmap shipping-state update + external code-review v2 findings Update boocode_roadmap.md's shipped section through v2.6.4 (provider lifecycle, persistent agent sessions, cursor/copilot retirement) and add boocode_code_review_v2.md — a point-in-time external-fork lift/cross-check findings doc (Paseo + opencode + llama.cpp + the second fork sweep), companion to the standing boocode_code_review.md inventory. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-05-31 02:28:13 +00:00