feat: sampling knobs + live PTY stream-json + token UI (v2.7.3)

Three small wins from boocode_code_review_v2 §1 #11/#7/#8.

#11 sampling knobs: top_n_sigma + dry_* family as first-class Agent fields,
threaded into the request body via providerOptions.openaiCompatible. Fixes a
latent bug — top_k (rejected by the AI-SDK provider) and min_p (never passed to
streamText) were dead on the wire; both now route through the same channel.
--reasoning-budget documented in data/AGENTS.md.

#7 live PTY stream-json: new stream-json-parser.ts line-buffers qwen/claude
NDJSON and emits text/reasoning/tool frames live + persists, with a fallback to
the old opaque slice. claude gets --output-format stream-json --verbose.

#8 token UI: agent_sessions input/output_tokens/cost now flow through the route
+ type and render beside the AgentComposerBar session chip.

Built by 3 parallel agents. Server 523 + coder 245 tests passing; builds + web
tsc clean. Builds on v2.7.2. openspec sampling-streamjson-tokens.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

CHANGELOG.md

@@ -2,6 +2,30 @@
 
 All notable changes per release tag. Most recent on top, ordered by tag creation date (which matches the git history). Tag names follow `vMAJOR.MINOR.PATCH-slug` — the slug describes what shipped, so the tag name alone is enough to recall the batch.
 
+## v2.7.3-sampling-streamjson-tokens — 2026-06-01
+
+Three small BooCode wins from `boocode_code_review_v2.md` §1 #11/#7/#8. **Sampling knobs:** per-agent `top_n_sigma` + the `dry_*` repetition family (`dry_multiplier`/`dry_base`/`dry_allowed_length`/`dry_penalty_last_n`) are now first-class Agent frontmatter fields, parsed in `agents.ts` and threaded into the llama-swap chat-completion body via `providerOptions.openaiCompatible` (the `@ai-sdk/openai-compatible` extra-body channel). This surfaced and fixed a **latent bug**: `top_k` (rejected by the AI-SDK provider as unsupported) and `min_p` (never passed to `streamText` at all) had been dead on the wire — no agent's `top_k`/`min_p` ever affected sampling; both now route through the same channel, so agents that set them will start using them. `--reasoning-budget` is documented in `data/AGENTS.md` (already works via `llama_extra_args`, permitted by the deny-list validator). **Live PTY stream-json:** qwen/claude PTY dispatch sliced stdout opaque; a new `stream-json-parser.ts` line-buffers the Claude-Code-compatible NDJSON and emits text/reasoning/tool frames live as they arrive (mirroring the ACP/opencode paths) + persists the structured parts, with a clean fallback to the old opaque slice when output isn't NDJSON (claude now runs `--output-format stream-json --verbose`). **Token UI:** the per-`(chat,agent)` `agent_sessions.input_tokens`/`output_tokens`/`cost` columns (accumulated since `v2.6.8` but dropped by the read route + wire type) now flow through and render condensed beside the AgentComposerBar session chip. Built by three parallel agents over disjoint subsystems; server 523 + coder 245 tests passing (incl. 11 new stream-json-parser + new agent-parse tests), all builds + web tsc clean. Builds on `v2.7.2-checkpoint-idor`; openspec `sampling-streamjson-tokens`. The qwen-vs-claude `usage` field names in #7 are best-guess pending a live smoke.
+
+## v2.7.2-checkpoint-idor — 2026-06-01
+
+Closes two IDOR authorization holes in the `v2.7.1-write-edit-robustness` checkpoint routes, flagged by the automated push security review. The `GET /api/sessions/:id/checkpoints?chat_id=` list route scoped its `chat_id` branch by `chat_id` alone — any session's `chat_id` would read its checkpoints; it now joins through `chats` and gates on `chats.session_id` (authoritative; `checkpoints.session_id` is a nullable denormalized hint). The `restoreCheckpoint` scope guard was fail-open — `cp.session_id && cp.session_id !== sessionId` fell through whenever the checkpoint's denormalized `session_id` was null, allowing a cross-session restore (worktree reset + transcript trim) — it now resolves the owning session via the checkpoint's chat and denies on any missing-or-mismatched row. A DB-integration regression covers the exact null-`session_id` cross-session case. Real-world blast radius is small (BooCoder is single-user behind Authelia on loopback), but both are genuine authorization bugs. Coder suite 234 passing (7/7 checkpoint tests incl. the regression against live postgres+git), typecheck clean. Hotfix on `v2.7.1-write-edit-robustness`.
+
+## v2.7.1-write-edit-robustness — 2026-06-01
+
+Two BooCoder hardening features for local quantized models, algorithm-reimplemented (not vendored) from the cline findings in `boocode_code_review_v2.md` §1 #3/#4. **Fuzzy patch applier:** `edit_file`'s apply path was exact-`.includes`-or-throw + first-occurrence `.replace` (`pending_changes.ts`), so a qwen3.6 whitespace/indentation/unicode drift in `old_string` lost the edit; a new pure `fuzzy-match.ts` (`locateMatch`) now runs an exact → per-line-trim → unicode-canon (curly quotes/dashes/nbsp) → Levenshtein-≥0.66 ladder and returns the real file span, refusing multi-exact matches as ambiguous rather than silently editing the first. `applyOne`/`rewindOne` both use it. **Worktree checkpoints + conversation-trim:** `rewind` only reversed BooCode's own `pending_changes`, blind to what external agents (opencode/goose/qwen/claude) write directly into the session worktree — so a new `checkpoints` table + `checkpoints.ts` shadow-commit (tracked **and** untracked, captured via a temp-index `read-tree`/`add`/`write-tree`/`commit-tree` into a GC-safe `refs/boocode/checkpoints/<id>`) snapshots the worktree before each external-agent turn (hooked into all three dispatcher paths), anchored to the turn's assistant message. A new `POST /api/sessions/:id/checkpoints/:cid/restore` resets the worktree (`reset --hard` + `clean -fd`), trims the transcript past that message, and resets the `(chat,agent)` backend session so files, transcript, and agent context land consistent at the restore point; a per-message "Restore to here" affordance in `CoderMessageList` drives it. Built by three parallel agents over disjoint files; DB-integration testing caught a microsecond-`created_at` self-deletion bug in the later-checkpoint cleanup. Full coder suite 234 passing (incl. 17 fuzzy-match + 6 checkpoint tests), server+coder build + web tsc clean. Builds on `v2.7.0-mit`; openspec `write-edit-robustness`. Live host smoke (dispatcher hook + restore UI end-to-end) still to run.
+
+## v2.7.0-mit — 2026-06-01
+
+Relicenses BooCode from AGPL-3.0 back to MIT by clearing the three Unsloth-Studio-derived files the `v2.4.0`/`v2.4.1` lifts pulled in — the root `LICENSE` and all five `package.json` had been `AGPL-3.0-only`, making the network-served work AGPL §13-encumbered. The enabling finding decoupled the relicense from the long-planned native-llama-server-parsing retirement: `tool-call-parser.ts`'s Unsloth-ported algorithm (`parseToolCallsFromText`/`scanBalancedBraces` + unused nudge constants) was **dead code** with no production import, so it was simply deleted while the load-bearing `extractToolCallBlocks`/`stripToolMarkup` (BooCode-authored streaming helpers) were kept byte-identical — no behavior change to the live tool-call path. `html-to-md.ts` was swapped to the MIT `node-html-markdown` library (`parse5` dropped; the only behavior delta is column-aligned tables, GFM hard-break `<br>`, and `<ol start>` renumbering, all feeding the LLM via `web_fetch`), and `llama-args-validator.ts` was clean-room rewritten with the managed-flag denylist re-derived from the public llama-server flag list (facts, not copyrightable). The license flip set `LICENSE` to MIT (`Copyright (c) 2026 indifferentketchup`), the five `package.json` to `MIT`, removed every AGPL SPDX header, added a README License section, and added a `license-mit` guard test that fails if AGPL provenance returns. Built by three parallel agents over the disjoint files; full server suite 519 passing (incl. 9 new guard tests), server build + coder typecheck clean. Resolves `boocode_code_review_v2.md` §1 #1 / §5k and the roadmap's `License-debt` batch (openspec `license-debt-mit`); supersedes that batch's original staged plan, which had entangled the flip with a live qwen3.6 validation window.
+
+## v2.6.11-close-hooks-staging — 2026-06-01
+
+The two v2.6 follow-ups left after `v2.6.10-lifecycle-hardening`. **Server close-hook caller:** `apps/server` (BooChat) now fire-and-forgets BooCoder's Phase-3 close hooks so warm agent backends + worktrees tear down *immediately* on delete/archive instead of waiting for the idle-evict/reaper backstop — a new `coder-notify.ts` `notifyCoderClose(kind,id)` (reusing the v2.6.2 `BOOCODER_URL` reach, never-rejects) is `void`-called after the WS frame at session-delete (`POST /api/sessions/:id/close`) and chat archive / archive-all / delete (`POST /api/chats/:id/close`); an unreachable coder can never block or fail the user's delete/archive. **Staging-boundary hint (task 3.7):** the BooCoder DiffPanel now shows a muted one-liner when the selected provider can't see another agent's unapplied worktree edits — native boocode selected + external-agent-staged changes (or vice-versa) → "<agent>'s edits live in its worktree — BooCode won't see them until applied" — derived purely from the per-change `agent` + current provider, no new state. 6 new server tests (`coder-notify`), 537 server tests pass; web + server tsc/build clean. **With these the v2.6 openspec is fully closed** — only the live Smoke 2/2b/3 remain (manual exercise).
+
+## v2.6.10-lifecycle-hardening — 2026-06-01
+
+v2.6 Phase 3 (the last phase) — lifecycle hardening of the warm-process backends. **Idle eviction + LRU cap:** the agent pool runs a 60s sweep that evicts backends/sessions idle past `AGENT_POOL_IDLE_TTL_MS` (30 min default) and any beyond `AGENT_POOL_MAX_LIVE` (10, LRU) — **never a busy one** (in-flight turn, double-checked via a new `isBusy()` backend hook); the worktree persists (DB-backed) and the next turn re-spawns + reattaches. The eviction/LRU/restart decisions are factored into a pure `lifecycle-decisions.ts` (modeled on the inference `selectPruneTargets` pattern). **Crash recovery:** lifts openchamber's health-monitor + busy-aware-restart + consecutive-failure + stale-busy-grace state machine into `opencode-server.ts` (with port reclaim) and `warm-acp.ts` — an opencode server crash settles in-flight turns as failed, marks the rows `crashed`, and recreates fresh sessions (a fresh server can't hold the old in-memory id), while a warm-ACP child crash re-`session/new`s next turn; the F.1 turn-guard and U.6 usage are preserved (their tests still pass). **Worktree reaper:** a periodic reaper removes orphan on-disk worktrees (no live `worktrees` row, 1h grace) behind a superset-style preflight that skips dirty/unpushed/unmerged work, with Paseo-style soft-delete (`status='archived'`). Plus close hooks (`/api/chats/:id/close`, `/api/sessions/:id/close`, awaiting the apps/server caller) and diff re-baseline after `apply_pending`. Built test-first — 35 new tests (`lifecycle-decisions` 22, `agent-pool` 13) + a DB-opt-in reconnect integration test; 215 coder tests pass, tsc + build clean. **This completes v2.6** (Phase 0–3 + F.1 + Phase 1-UX). Remaining follow-ups (out of v2.6 scope): the apps/server close-hook caller, the 3.7 DiffPanel staging-boundary hint (frontend), and live Smoke 2/2b/3.
+
 ## v2.6.9-warm-acp — 2026-05-31
 
 v2.6 Phase 2: goose and qwen now run as **warm ACP backends** instead of one-shot-per-task. A new `WarmAcpBackend` (`backends/warm-acp.ts`, implementing the same `AgentBackend` interface as the opencode warm server) holds one persistent `goose acp` / `qwen --acp` child + `ClientSideConnection` + ACP session per `(chat, agent)`, running `initialize` + `session/new` once and reusing the connection across turns; per-turn abort cancels the in-flight prompt (`session/cancel`) without killing the child, and a child exit marks `agent_sessions.status='crashed'` for re-spawn on the next turn. The dispatcher routes `goose`/`qwen` chat-tab tasks to the pooled warm backend via a pure `shouldUseWarmBackend(task)` predicate (warm only when both `session_id` and `chat_id` are set), keeping the one-shot `runExternalAgent` path as the fallback for session-less creators (arena, MCP, `new_task`); broker frames + `persistExternalAgentTurn` + the latest-wins `pending_changes` diff are identical to the opencode path. The `acp-dispatch.ts` `handleSessionUpdate` switch was extracted into a pure shared `acp-event-map.ts` mapper used by both the one-shot and warm paths (one-shot behavior byte-identical, all existing acp tests green). The design's `unstable_resumeSession` concern is resolved — the installed `@agentclientprotocol/sdk@^0.22.1` exposes stable `resumeSession`/`loadSession`, but resume is moot in the hot path (warm reuse needs none); cross-restart resume + idle eviction are deferred to Phase 3. Built test-first (15 new tests: `warm-acp-routing`, `acp-event-map`); 180 coder tests pass, tsc + build clean. **Smoke 2/2b (live two-message warm reuse + the opencode→boocode→opencode switch round-trip) to be run post-deploy.** Phase 3 (lifecycle hardening) is the last v2.6 phase.

LICENSE

@@ -1,661 +1,21 @@
-                    GNU AFFERO GENERAL PUBLIC LICENSE
-                       Version 3, 19 November 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU Affero General Public License is a free, copyleft license for
-software and other kinds of works, specifically designed to ensure
-cooperation with the community in the case of network server software.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-our General Public Licenses are intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  Developers that use our General Public Licenses protect your rights
-with two steps: (1) assert copyright on the software, and (2) offer
-you this License which gives you legal permission to copy, distribute
-and/or modify the software.
-
-  A secondary benefit of defending all users' freedom is that
-improvements made in alternate versions of the program, if they
-receive widespread use, become available for other developers to
-incorporate.  Many developers of free software are heartened and
-encouraged by the resulting cooperation.  However, in the case of
-software used on network servers, this result may fail to come about.
-The GNU General Public License permits making a modified version and
-letting the public access it on a server without ever releasing its
-source code to the public.
-
-  The GNU Affero General Public License is designed specifically to
-ensure that, in such cases, the modified source code becomes available
-to the community.  It requires the operator of a network server to
-provide the source code of the modified version running there to the
-users of that server.  Therefore, public use of a modified version, on
-a publicly accessible server, gives the public access to the source
-code of the modified version.
-
-  An older license, called the Affero General Public License and
-published by Affero, was designed to accomplish similar goals.  This is
-a different license, not a version of the Affero GPL, but Affero has
-released a new version of the Affero GPL which permits relicensing under
-this license.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU Affero General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Remote Network Interaction; Use with the GNU General Public License.
-
-  Notwithstanding any other provision of this License, if you modify the
-Program, your modified version must prominently offer all users
-interacting with it remotely through a computer network (if your version
-supports such interaction) an opportunity to receive the Corresponding
-Source of your version by providing access to the Corresponding Source
-from a network server at no charge, through some standard or customary
-means of facilitating copying of software.  This Corresponding Source
-shall include the Corresponding Source for any work covered by version 3
-of the GNU General Public License that is incorporated pursuant to the
-following paragraph.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the work with which it is combined will remain governed by version
-3 of the GNU General Public License.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU Affero General Public License from time to time.  Such new versions
-will be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU Affero General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU Affero General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU Affero General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU Affero General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU Affero General Public License for more details.
-
-    You should have received a copy of the GNU Affero General Public License
-    along with this program.  If not, see <https://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If your software can interact with users remotely through a computer
-network, you should also make sure that it provides a way for users to
-get its source.  For example, if your program is a web application, its
-interface could display a "Source" link that leads users to an archive
-of the code.  There are many ways you could offer source, and different
-solutions will be better for different programs; see section 13 for the
-specific requirements.
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU AGPL, see
-<https://www.gnu.org/licenses/>.
+MIT License
+
+Copyright (c) 2026 indifferentketchup
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -84,3 +84,7 @@ See [`boocode_roadmap.md`](boocode_roadmap.md) for full version history. Highlig
 ## Planned
 
 - **v2.3 provider lifecycle** — config-backed provider registry (`/data/coder-providers.json`), enable/disable toggles, two-tier probe (openspec drafted). See [`CURRENT.md`](CURRENT.md).
+
+## License
+
+MIT — see [`LICENSE`](LICENSE).

apps/booterm/package.json

@@ -24,5 +24,5 @@
     "tsx": "^4.16.2",
     "typescript": "^5.5.0"
   },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }

apps/coder/package.json

@@ -31,5 +31,5 @@
     "typescript": "^5.5.0",
     "vitest": "^3.0.0"
   },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }

apps/coder/src/config.ts

@@ -35,6 +35,21 @@ const ConfigSchema = z.object({
   // SSH access to the host for external agent dispatch (Phase 5)
   BOOCODER_SSH_HOST: z.string().default('100.114.205.53'),
   BOOCODER_SSH_USER: z.string().default('samkintop'),
+  // v2.6 Phase 3 (lifecycle hardening). Idle TTL: evict a non-busy warm backend
+  // (opencode server / warm-ACP child) after this long with no turn — its worktree
+  // + agent_sessions row persist, so the next turn re-spawns + reattaches. 30 min
+  // default (design §6).
+  AGENT_POOL_IDLE_TTL_MS: z.coerce.number().int().positive().default(1_800_000),
+  // LRU cap: max live warm backends before the least-recently-used (non-busy) ones
+  // are evicted. Bounds the long-lived-daemon's per-(chat,agent) Map growth.
+  AGENT_POOL_MAX_LIVE: z.coerce.number().int().positive().default(10),
+  // Periodic sweep cadence (idle/LRU pool eviction + orphan-worktree reap). 60s
+  // mirrors the apps/server truncation/stale-streaming sweeper.
+  LIFECYCLE_SWEEP_INTERVAL_MS: z.coerce.number().int().positive().default(60_000),
+  // Orphan-worktree grace: an on-disk worktree dir with no live `worktrees` row is
+  // only reaped after it's been untouched this long (avoids sweeping a dir mid
+  // ensureSessionWorktree create). 1h default.
+  ORPHAN_WORKTREE_GRACE_MS: z.coerce.number().int().positive().default(3_600_000),
 });
 
 export type Config = z.infer<typeof ConfigSchema>;

apps/coder/src/index.ts

@@ -25,6 +25,7 @@ import { setInferenceContext, clearInferenceContext } from './services/tools/inf
 import { registerMessageRoutes } from './routes/messages.js';
 import { registerSkillRoutes } from './routes/skills.js';
 import { registerPendingRoutes } from './routes/pending.js';
+import { registerCheckpointRoutes } from './routes/checkpoints.js';
 import { registerAgentSessionRoutes } from './routes/agent-sessions.js';
 import { registerTaskRoutes } from './routes/tasks.js';
 import { registerInboxRoutes } from './routes/inbox.js';
@@ -32,10 +33,12 @@ import { registerStatsRoutes } from './routes/stats.js';
 import { registerArenaRoutes } from './routes/arena.js';
 import { registerProviderRoutes } from './routes/providers.js';
 import { registerWorktreeSafetyRoutes } from './routes/worktree-safety.js';
+import { registerLifecycleRoutes } from './routes/lifecycle.js';
 import { registerWebSocket } from './routes/ws.js';
 // Phase 4: dispatcher + agent probe
 import { createDispatcher } from './services/dispatcher.js';
 import { agentPool } from './services/agent-pool.js';
+import { createOrphanWorktreeReaper } from './services/orphan-worktree-reaper.js';
 import { probeAgents } from './services/agent-probe.js';
 import { getProviderSnapshot, persistProbedModels } from './services/provider-snapshot.js';
 import { setPermissionHooks } from './services/permission-waiter.js';
@@ -181,10 +184,30 @@ async function main() {
   // Phase 4: dispatcher — polls tasks table and runs inference
   const dispatcher = createDispatcher({ sql, inference: inferenceApi, broker, log: app.log, config });
   dispatcher.start();
+
+  // v2.6 Phase 3: configure + start the agent-pool lifecycle sweep (idle-TTL +
+  // LRU-cap eviction of warm backends, plus each backend's proactive health probe)
+  // and the orphan-worktree reaper. Both run on the same periodic timer.
+  agentPool.configure({
+    idleTtlMs: config.AGENT_POOL_IDLE_TTL_MS,
+    maxLive: config.AGENT_POOL_MAX_LIVE,
+    sweepIntervalMs: config.LIFECYCLE_SWEEP_INTERVAL_MS,
+    log: app.log,
+  });
+  agentPool.startReaper(app.log);
+  const orphanReaper = createOrphanWorktreeReaper({
+    sql,
+    log: app.log,
+    intervalMs: config.LIFECYCLE_SWEEP_INTERVAL_MS,
+    graceMs: config.ORPHAN_WORKTREE_GRACE_MS,
+  });
+  orphanReaper.start();
+
   app.addHook('onClose', async () => {
-    // stop() first so in-flight dispatcher turns settle, then drain the pool.
-    // Pool is empty in Phase 0 (nothing spawns yet) — dispose() is inert.
+    // stop() first so in-flight dispatcher turns settle, then stop the reapers and
+    // drain the pool (kills opencode server + warm ACP children).
     await dispatcher.stop();
+    orphanReaper.stop();
     await agentPool.dispose();
   });
 
@@ -192,6 +215,7 @@ async function main() {
   registerMessageRoutes(app, sql, broker, inferenceApi);
   registerSkillRoutes(app, sql, broker, inferenceApi);
   registerPendingRoutes(app, sql);
+  registerCheckpointRoutes(app, sql);
   registerAgentSessionRoutes(app, sql);
   registerTaskRoutes(app, sql, inferenceApi);
   registerInboxRoutes(app, sql);
@@ -199,6 +223,7 @@ async function main() {
   registerArenaRoutes(app, sql);
   registerProviderRoutes(app, sql, config);
   registerWorktreeSafetyRoutes(app, sql);
+  registerLifecycleRoutes(app, sql);
   registerWebSocket(app, sql, broker);
 
   // Serve static frontend (built web app). In production, the dist/ is

apps/coder/src/routes/agent-sessions.ts

@@ -16,6 +16,11 @@ export interface AgentSessionRow {
   status: string;
   has_session: boolean;
   last_active_at: string | null;
+  // v2.6.8 per-(chat,agent) running token/cost totals (sampling-streamjson-tokens
+  // #8). BIGINT columns arrive as strings over the wire; the frontend coerces.
+  input_tokens: number;
+  output_tokens: number;
+  cost: number;
 }
 
 export function registerAgentSessionRoutes(app: FastifyInstance, sql: Sql): void {
@@ -39,7 +44,10 @@ export function registerAgentSessionRoutes(app: FastifyInstance, sql: Sql): void
           a.agent AS agent,
           a.status AS status,
           (a.agent_session_id IS NOT NULL) AS has_session,
-          a.last_active_at AS last_active_at
+          a.last_active_at AS last_active_at,
+          a.input_tokens AS input_tokens,
+          a.output_tokens AS output_tokens,
+          a.cost AS cost
         FROM agent_sessions a
         JOIN chats c ON c.id = a.chat_id
         WHERE c.session_id = ${sessionId}

apps/coder/src/routes/checkpoints.ts

@@ -0,0 +1,73 @@
+/**
+ * write-edit-robustness #4 — checkpoint restore + list routes (coder side).
+ *
+ * Proxied through the apps/server `/api/coder/*` blanket forwarder (no server-side
+ * change needed for new routes). Restore rewinds the session worktree to the
+ * checkpoint's shadow commit, trims the transcript from the anchor message forward,
+ * and resets the agent backend — see services/checkpoints.ts.
+ */
+import type { FastifyInstance } from 'fastify';
+import type { Sql } from '../db.js';
+import { restoreCheckpoint, CheckpointNotFoundError } from '../services/checkpoints.js';
+
+export function registerCheckpointRoutes(app: FastifyInstance, sql: Sql): void {
+  // GET /api/sessions/:sessionId/checkpoints?chat_id= — list a chat's checkpoints
+  // so the frontend can mark which messages have a restore point. When chat_id is
+  // omitted, returns every checkpoint for the session's chats.
+  app.get<{ Params: { sessionId: string }; Querystring: { chat_id?: string } }>(
+    '/api/sessions/:sessionId/checkpoints',
+    async (req, reply) => {
+      const sessionId = req.params.sessionId;
+      const chatId = req.query.chat_id;
+
+      const session = await sql<{ id: string }[]>`SELECT id FROM sessions WHERE id = ${sessionId}`;
+      if (session.length === 0) {
+        reply.code(404);
+        return { error: 'session not found' };
+      }
+
+      // Scope authoritatively through chats.session_id (always set) — NOT the
+      // denormalized checkpoints.session_id (nullable). The chat_id branch must
+      // still be session-gated or it's an IDOR (any session's chat_id reads its
+      // checkpoints).
+      const rows = chatId
+        ? await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
+            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
+            FROM checkpoints cp
+            JOIN chats c ON c.id = cp.chat_id
+            WHERE cp.chat_id = ${chatId} AND c.session_id = ${sessionId}
+            ORDER BY cp.created_at
+          `
+        : await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
+            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
+            FROM checkpoints cp
+            JOIN chats c ON c.id = cp.chat_id
+            WHERE c.session_id = ${sessionId}
+            ORDER BY cp.created_at
+          `;
+      return rows;
+    },
+  );
+
+  // POST /api/sessions/:sessionId/checkpoints/:checkpointId/restore — restore.
+  app.post<{ Params: { sessionId: string; checkpointId: string } }>(
+    '/api/sessions/:sessionId/checkpoints/:checkpointId/restore',
+    async (req, reply) => {
+      const { sessionId, checkpointId } = req.params;
+
+      try {
+        const result = await restoreCheckpoint(sql, checkpointId, {
+          sessionId,
+          log: app.log,
+        });
+        return result;
+      } catch (err) {
+        if (err instanceof CheckpointNotFoundError) {
+          reply.code(404);
+          return { error: err.message };
+        }
+        throw err;
+      }
+    },
+  );
+}

apps/coder/src/routes/lifecycle.ts

@@ -0,0 +1,122 @@
+/**
+ * v2.6 Phase 3 (3.3) — chat/session close-or-archive cleanup hook (coder side).
+ *
+ * Chat/session close + archive + delete all live in apps/server (Docker), which
+ * cannot see the host worktree dirs (/tmp/booworktrees), run git on them, or reach
+ * the warm agent processes the dispatcher pooled in THIS (host systemd) process. So
+ * — exactly like the `worktree-risk` guard — the server signals the coder when a
+ * chat/session closes, and the coder does the real teardown:
+ *   1. dispose the chat's warm-ACP backends (`agentPool.closeChat`) — kills the
+ *      goose/qwen child processes for that chat,
+ *   2. close the chat's opencode session on the shared server (`closeSession`),
+ *   3. mark every `agent_sessions` row for the chat 'closed' + (when the session's
+ *      last open chat closes) remove the shared session worktree, preflighting
+ *      work-at-risk so uncommitted/unmerged work is never silently dropped
+ *      (`closeChatBackendState`).
+ *
+ * Idempotent: closing an already-closed chat is a no-op (0 rows, no backend).
+ *
+ * SERVER WIRING (not done here — apps/server, out of this batch's scope): the
+ * server's `POST /api/chats/:id/archive`, `DELETE /api/chats/:id`, and the
+ * session archive/delete routes should fire-and-forget
+ *   fetch(`${BOOCODER_URL}/api/chats/${id}/close`, { method: 'POST' })
+ * after publishing their WS frame (best-effort; the orphan-worktree reaper +
+ * idle-pool eviction are the backstop if the call is missed).
+ */
+import type { FastifyInstance } from 'fastify';
+import type { Sql } from '../db.js';
+import { agentPool, OPENCODE_POOL_KEY } from '../services/agent-pool.js';
+import { closeChatBackendState } from '../services/worktrees.js';
+import type { AgentSessionHandle } from '../services/agent-backend.js';
+
+export function registerLifecycleRoutes(app: FastifyInstance, sql: Sql): void {
+  // POST /api/chats/:chatId/close — tear down all warm state for a chat tab.
+  app.post<{ Params: { chatId: string }; Querystring: { force?: string } }>(
+    '/api/chats/:chatId/close',
+    async (req) => {
+      const chatId = req.params.chatId;
+      const force = req.query.force === 'true' || req.query.force === '1';
+
+      // 1. Close the chat's opencode session on the SHARED server (the server is
+      //    not chat-keyed, so agentPool.closeChat won't touch it). Resolve the
+      //    stored opencode session id and ask the backend to drop it.
+      const ocRows = await sql<{ agent: string; agent_session_id: string | null; worktree_id: string | null; session_id: string | null }[]>`
+        SELECT agent, agent_session_id, worktree_id, session_id
+        FROM agent_sessions
+        WHERE chat_id = ${chatId} AND backend = 'opencode_server'
+      `;
+      const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
+      if (ocBackend) {
+        for (const row of ocRows) {
+          if (!row.agent_session_id) continue;
+          const handle: AgentSessionHandle = {
+            sessionId: row.session_id ?? '',
+            agent: row.agent,
+            backend: 'opencode_server',
+            chatId,
+            worktreeId: row.worktree_id ?? '',
+            agentSessionId: row.agent_session_id,
+            serverPort: null,
+          };
+          await ocBackend.closeSession(handle).catch((err) => {
+            app.log.warn({ err: err instanceof Error ? err.message : String(err), chatId }, 'lifecycle: opencode closeSession threw');
+          });
+        }
+      }
+
+      // 2. Dispose any warm-ACP backends pooled under this chat (kills the
+      //    goose/qwen child + marks its agent row closed via the backend).
+      const disposed = await agentPool.closeChat(chatId);
+
+      // 3. DB + worktree truth: mark agent rows closed; remove the shared session
+      //    worktree iff this was the session's last open chat (preflight at-risk).
+      const result = await closeChatBackendState(sql, chatId, { force });
+
+      app.log.info({ chatId, disposed, ...result }, 'lifecycle: chat closed');
+      return { ok: true, disposed, ...result };
+    },
+  );
+
+  // POST /api/sessions/:sessionId/close — close every open chat in a session
+  // (session archive/delete). Loops the chat-close path so the same preflight +
+  // teardown applies per chat; the worktree is removed on the last one.
+  app.post<{ Params: { sessionId: string }; Querystring: { force?: string } }>(
+    '/api/sessions/:sessionId/close',
+    async (req) => {
+      const sessionId = req.params.sessionId;
+      const force = req.query.force === 'true' || req.query.force === '1';
+
+      const chats = await sql<{ id: string }[]>`
+        SELECT id FROM chats WHERE session_id = ${sessionId}
+      `;
+      const results: { chatId: string; disposed: string[]; worktreeRemoved: boolean; worktreeAtRisk: boolean }[] = [];
+      for (const c of chats) {
+        const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
+        if (ocBackend) {
+          const ocRows = await sql<{ agent: string; agent_session_id: string | null; worktree_id: string | null; session_id: string | null }[]>`
+            SELECT agent, agent_session_id, worktree_id, session_id
+            FROM agent_sessions WHERE chat_id = ${c.id} AND backend = 'opencode_server'
+          `;
+          for (const row of ocRows) {
+            if (!row.agent_session_id) continue;
+            await ocBackend.closeSession({
+              sessionId: row.session_id ?? '',
+              agent: row.agent,
+              backend: 'opencode_server',
+              chatId: c.id,
+              worktreeId: row.worktree_id ?? '',
+              agentSessionId: row.agent_session_id,
+              serverPort: null,
+            }).catch(() => {});
+          }
+        }
+        const disposed = await agentPool.closeChat(c.id);
+        const r = await closeChatBackendState(sql, c.id, { force });
+        results.push({ chatId: c.id, disposed, worktreeRemoved: r.worktreeRemoved, worktreeAtRisk: r.worktreeAtRisk });
+      }
+
+      app.log.info({ sessionId, chats: results.length }, 'lifecycle: session closed');
+      return { ok: true, results };
+    },
+  );
+}

apps/coder/src/routes/pending.ts

@@ -10,6 +10,7 @@ import {
   queueCreate,
 } from '../services/pending_changes.js';
 import { WriteGuardError } from '../services/write_guard.js';
+import { rebaselineWorktreeAfterApply } from '../services/worktrees.js';
 
 const CreateBody = z.object({
   file_path: z.string().min(1),
@@ -117,6 +118,15 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
       }
 
       const results = await applyAll(sql, sessionId, projectRoot);
+
+      // v2.6 Phase 3 (3.5): re-baseline the session worktree's diff to the applied
+      // state, so the next external-agent turn diffs against applied-not-original
+      // and doesn't re-surface the just-applied changes. Best-effort: a worktree
+      // session may not exist (native-only chat), and a re-baseline hiccup must not
+      // fail the apply the user just requested.
+      if (results.some((r) => r.success)) {
+        await rebaselineWorktreeAfterApply(sql, sessionId).catch(() => {});
+      }
       return { results };
     },
   );
@@ -136,6 +146,15 @@ export function registerPendingRoutes(app: FastifyInstance, sql: Sql): void {
       const result = await applyOne(sql, changeId, projectRoot);
       if (!result.success) {
         reply.code(422);
+      } else {
+        // v2.6 Phase 3 (3.5): re-baseline the session worktree after a successful
+        // apply so the next external-agent turn diffs against applied-not-original.
+        // Resolve the change's session; best-effort, never fails the apply.
+        const sessRows = await sql<{ session_id: string }[]>`
+          SELECT session_id FROM pending_changes WHERE id = ${changeId}
+        `;
+        const sessionId = sessRows[0]?.session_id;
+        if (sessionId) await rebaselineWorktreeAfterApply(sql, sessionId).catch(() => {});
       }
       return result;
     },

apps/coder/src/schema.sql

@@ -240,6 +240,27 @@ END $$;
 -- v2.6: attribution for DiffPanel badges (Phase 1 UX reads this).
 ALTER TABLE pending_changes ADD COLUMN IF NOT EXISTS agent TEXT;
 
+-- write-edit-robustness #4: worktree checkpoints. A pre-turn shadow-commit of the
+-- session worktree (tracked + untracked, captured without disturbing the real
+-- index/working tree) stored in a private GC-safe ref refs/boocode/checkpoints/<id>.
+-- Created best-effort before each external-agent turn (opencode / warm-ACP / one-shot
+-- ACP+PTY); restore resets the worktree to commit_sha, trims the transcript from
+-- message_id forward, and resets the backend session. chat_id CASCADEs from chats
+-- (like agent_sessions); worktree_id SET NULL so a checkpoint outlives a reaped
+-- worktree row. session_id / message_id are informational (no FK — message rows are
+-- trimmed by a checkpoint restore and we must not block that on a dangling ref).
+CREATE TABLE IF NOT EXISTS checkpoints (
+  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  chat_id     UUID NOT NULL REFERENCES chats(id) ON DELETE CASCADE,
+  session_id  UUID,
+  worktree_id UUID REFERENCES worktrees(id) ON DELETE SET NULL,
+  message_id  UUID,            -- anchor: the assistant turn row this checkpoint precedes
+  commit_sha  TEXT NOT NULL,   -- shadow-commit capturing the pre-turn worktree tree
+  label       TEXT,
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
+);
+CREATE INDEX IF NOT EXISTS checkpoints_chat_created_idx ON checkpoints(chat_id, created_at);
+
 -- LISTEN/NOTIFY fast path: every tasks INSERT (from any call site — routes,
 -- new_task tool, arena, MCP server) fires pg_notify('tasks_new') in the same
 -- transaction, so the dispatcher reacts immediately instead of waiting for the

apps/coder/src/services/__tests__/agent-pool.test.ts

@@ -0,0 +1,233 @@
+import { describe, it, expect, vi } from 'vitest';
+import { AgentPool, OPENCODE_POOL_KEY } from '../agent-pool.js';
+import type {
+  AgentBackend,
+  AgentSessionHandle,
+  EnsureSessionOpts,
+  PromptCtx,
+  TurnResult,
+} from '../agent-backend.js';
+
+/**
+ * v2.6 Phase 3 — AgentPool lifecycle unit test (T.1). No DB / no child process:
+ * a fake AgentBackend records dispose + reports busy/health, so we exercise
+ * get-or-create, idle eviction, the LRU cap, the busy-never-evict rule, closeChat,
+ * and dispose-drains directly. The pure decisions are covered separately in
+ * backends/__tests__/lifecycle-decisions.test.ts; this verifies the wiring.
+ */
+
+class FakeBackend implements AgentBackend {
+  disposed = 0;
+  closedSessions = 0;
+  private busyFlag = false;
+  tickHealthCalls = 0;
+
+  constructor(public readonly name = 'fake') {}
+
+  setBusy(b: boolean): void {
+    this.busyFlag = b;
+  }
+
+  // — AgentBackend —
+  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
+    return {
+      sessionId,
+      agent: opts.agent,
+      backend: 'acp_warm',
+      chatId: opts.chatId,
+      worktreeId: opts.worktreeId,
+      agentSessionId: 'fake-session',
+      serverPort: null,
+    };
+  }
+  async prompt(_h: AgentSessionHandle, _input: string, _ctx: PromptCtx): Promise<TurnResult> {
+    return { ok: true };
+  }
+  async closeSession(): Promise<void> {
+    this.closedSessions++;
+  }
+  async dispose(): Promise<void> {
+    this.disposed++;
+  }
+  health(): 'up' | 'down' {
+    return 'up';
+  }
+  isBusy(): boolean {
+    return this.busyFlag;
+  }
+  async tickHealth(): Promise<void> {
+    this.tickHealthCalls++;
+  }
+}
+
+describe('AgentPool — get/register/touch (3.1)', () => {
+  it('register then get returns the same backend', () => {
+    const pool = new AgentPool();
+    const b = new FakeBackend();
+    pool.register('chat-1', 'goose', b);
+    expect(pool.get('chat-1', 'goose')).toBe(b);
+    expect(pool.get('chat-1', 'qwen')).toBeUndefined();
+  });
+
+  it('peek does NOT exist for a missing key', () => {
+    const pool = new AgentPool();
+    expect(pool.peek('nope', 'goose')).toBeUndefined();
+  });
+
+  it('health reports size + busy count', () => {
+    const pool = new AgentPool();
+    const a = new FakeBackend();
+    const b = new FakeBackend();
+    b.setBusy(true);
+    pool.register('c1', 'goose', a);
+    pool.register('c2', 'qwen', b);
+    expect(pool.health()).toEqual({ size: 2, busy: 1 });
+  });
+});
+
+describe('AgentPool.sweep — idle TTL eviction (3.1)', () => {
+  it('evicts an idle backend past the TTL and disposes it', async () => {
+    const pool = new AgentPool({ idleTtlMs: 1_000, maxLive: 100 });
+    const b = new FakeBackend();
+    pool.register('c1', 'goose', b);
+    // Sweep with now far past the registration → idle → evicted.
+    const { evicted } = await pool.sweep(Date.now() + 10_000);
+    expect(evicted).toEqual(['c1:goose']);
+    expect(b.disposed).toBe(1);
+    expect(pool.get('c1', 'goose')).toBeUndefined();
+  });
+
+  it('never evicts a busy backend even past the TTL', async () => {
+    const pool = new AgentPool({ idleTtlMs: 1_000, maxLive: 100 });
+    const b = new FakeBackend();
+    b.setBusy(true);
+    pool.register('c1', 'goose', b);
+    const { evicted } = await pool.sweep(Date.now() + 10_000);
+    expect(evicted).toEqual([]);
+    expect(b.disposed).toBe(0);
+    expect(pool.get('c1', 'goose')).toBe(b);
+  });
+
+  it('touch keeps a backend warm so the TTL measures from the last turn', async () => {
+    const pool = new AgentPool({ idleTtlMs: 5_000, maxLive: 100 });
+    const b = new FakeBackend();
+    pool.register('c1', 'goose', b);
+    const base = Date.now();
+    // 4s later, touch — resets activity. A sweep at +6s from base is only +2s from
+    // the touch → still within TTL → not evicted.
+    vi.spyOn(Date, 'now').mockReturnValue(base + 4_000);
+    pool.touch('c1', 'goose');
+    vi.restoreAllMocks();
+    const { evicted } = await pool.sweep(base + 6_000);
+    expect(evicted).toEqual([]);
+  });
+});
+
+describe('AgentPool.sweep — LRU cap (3.4)', () => {
+  it('evicts the least-recently-used beyond the cap', async () => {
+    const pool = new AgentPool({ idleTtlMs: 1_000_000, maxLive: 2 });
+    const base = 1_000_000;
+    const mk = (key: string, regAt: number) => {
+      vi.spyOn(Date, 'now').mockReturnValue(regAt);
+      const b = new FakeBackend(key);
+      const [chat, agent] = key.split(':');
+      pool.register(chat!, agent!, b);
+      vi.restoreAllMocks();
+      return b;
+    };
+    const a = mk('c1:goose', base + 100);
+    const b = mk('c2:goose', base + 300);
+    const c = mk('c3:goose', base + 200);
+    // 3 entries, cap 2, all within idle TTL → LRU (oldest = a@+100) evicted.
+    const { evicted } = await pool.sweep(base + 1_000);
+    expect(evicted).toEqual(['c1:goose']);
+    expect(a.disposed).toBe(1);
+    expect(b.disposed).toBe(0);
+    expect(c.disposed).toBe(0);
+  });
+});
+
+describe('AgentPool.sweep — proactive health probe (3.2)', () => {
+  it('drives each backend tickHealth before eviction', async () => {
+    const pool = new AgentPool({ idleTtlMs: 1_000_000, maxLive: 100 });
+    const b = new FakeBackend();
+    pool.register('c1', 'opencode', b);
+    await pool.sweep(Date.now());
+    expect(b.tickHealthCalls).toBe(1);
+  });
+});
+
+describe('AgentPool.closeChat — chat-close teardown (3.3)', () => {
+  it('disposes only the matching chat keys, leaving others + the shared server', async () => {
+    const pool = new AgentPool();
+    const goose = new FakeBackend('goose');
+    const qwen = new FakeBackend('qwen');
+    const other = new FakeBackend('other-chat');
+    const ocServer = new FakeBackend('opencode-server');
+    pool.register('chat-1', 'goose', goose);
+    pool.register('chat-1', 'qwen', qwen);
+    pool.register('chat-2', 'goose', other);
+    pool.register(OPENCODE_POOL_KEY, 'opencode', ocServer);
+
+    const removed = await pool.closeChat('chat-1');
+    expect(removed.sort()).toEqual(['chat-1:goose', 'chat-1:qwen']);
+    expect(goose.disposed).toBe(1);
+    expect(qwen.disposed).toBe(1);
+    // other chat + shared opencode server untouched.
+    expect(other.disposed).toBe(0);
+    expect(ocServer.disposed).toBe(0);
+    expect(pool.peek('chat-2', 'goose')).toBe(other);
+    expect(pool.peek(OPENCODE_POOL_KEY, 'opencode')).toBe(ocServer);
+  });
+
+  it('does not dispose a busy backend on closeChat', async () => {
+    const pool = new AgentPool();
+    const b = new FakeBackend();
+    b.setBusy(true);
+    pool.register('chat-1', 'goose', b);
+    const removed = await pool.closeChat('chat-1');
+    expect(removed).toEqual([]);
+    expect(b.disposed).toBe(0);
+  });
+
+  it('does not match a chat id that is a prefix of another', async () => {
+    // 'chat-1' must not match 'chat-10' — keys are `${chatId}:${agent}` so the
+    // colon delimiter prevents the prefix collision.
+    const pool = new AgentPool();
+    const a = new FakeBackend();
+    const b = new FakeBackend();
+    pool.register('chat-1', 'goose', a);
+    pool.register('chat-10', 'goose', b);
+    await pool.closeChat('chat-1');
+    expect(a.disposed).toBe(1);
+    expect(b.disposed).toBe(0);
+    expect(pool.peek('chat-10', 'goose')).toBe(b);
+  });
+});
+
+describe('AgentPool.dispose — drain all (T.1)', () => {
+  it('disposes every backend and clears the map', async () => {
+    const pool = new AgentPool();
+    const a = new FakeBackend();
+    const b = new FakeBackend();
+    pool.register('c1', 'goose', a);
+    pool.register('c2', 'qwen', b);
+    await pool.dispose();
+    expect(a.disposed).toBe(1);
+    expect(b.disposed).toBe(1);
+    expect(pool.health()).toEqual({ size: 0, busy: 0 });
+  });
+
+  it('tolerates a backend whose dispose throws', async () => {
+    const pool = new AgentPool();
+    const good = new FakeBackend();
+    const bad = new FakeBackend();
+    bad.dispose = async () => {
+      throw new Error('boom');
+    };
+    pool.register('c1', 'goose', bad);
+    pool.register('c2', 'qwen', good);
+    await expect(pool.dispose()).resolves.toBeUndefined();
+    expect(good.disposed).toBe(1);
+  });
+});

apps/coder/src/services/__tests__/checkpoints.test.ts

@@ -0,0 +1,252 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { rm, mkdir } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import postgres from 'postgres';
+import {
+  buildShadowCommitCommand,
+  createCheckpoint,
+  restoreCheckpoint,
+  CheckpointNotFoundError,
+} from '../checkpoints.js';
+import { ensureSessionWorktree } from '../worktrees.js';
+import { hostExec } from '../host-exec.js';
+
+/**
+ * write-edit-robustness #4 — worktree checkpoint tests.
+ *
+ * Pure-helper coverage (no DB / no host) for the shadow-commit command builder,
+ * plus a DB+git integration block (DB-opt-in via DATABASE_URL, skips cleanly
+ * otherwise; mirrors reconnect_integration.test.ts) that exercises the real
+ * create → restore round trip against a worktree on the host fs.
+ */
+
+describe('buildShadowCommitCommand (pure)', () => {
+  it('parks the commit under refs/boocode/checkpoints/<id> and prints only the SHA', () => {
+    const cmd = buildShadowCommitCommand('/tmp/booworktrees/sess-abc', 'cp-id-123');
+    // Uses a temp index so the real working tree/index is untouched.
+    expect(cmd).toContain('TMP=$(mktemp)');
+    expect(cmd).toContain('GIT_INDEX_FILE="$TMP" git read-tree HEAD');
+    expect(cmd).toContain('GIT_INDEX_FILE="$TMP" git add -A');
+    expect(cmd).toContain('git write-tree');
+    expect(cmd).toContain("git commit-tree \"$TREE\" -p HEAD -m \"boocode checkpoint\"");
+    // Ref name matches the row id, and stdout is ONLY the SHA (printf, no newline).
+    expect(cmd).toContain("update-ref 'refs/boocode/checkpoints/cp-id-123'");
+    expect(cmd).toContain("printf '%s' \"$SHA\"");
+    expect(cmd).not.toContain('echo "$SHA"');
+  });
+
+  it('shell-escapes the worktree path and the id', () => {
+    const cmd = buildShadowCommitCommand("/tmp/it's a path", "id'; rm -rf /");
+    // Single quotes inside the path/id are escaped via the '\'' wrapping idiom — no
+    // bare interpolation that could break out of the quoting.
+    expect(cmd).toContain("cd '/tmp/it'\\''s a path'");
+    expect(cmd).toContain("refs/boocode/checkpoints/id'\\''; rm -rf /");
+  });
+});
+
+describe.runIf(!!process.env.DATABASE_URL)('checkpoint create + restore (DB + git)', () => {
+  let sql: ReturnType<typeof postgres>;
+  const stamp = Date.now();
+  const projectDir = `/tmp/boocode-checkpoint-proj-${stamp}`;
+  let projectId: string;
+  let sessionId: string;
+  let chatId: string;
+  let worktreePath: string;
+
+  beforeAll(async () => {
+    sql = postgres(process.env.DATABASE_URL!, { max: 3 });
+
+    // Server schema first (FK targets), then coder schema (worktrees + checkpoints).
+    const serverSchema = resolve(__dirname, '../../../../server/src/schema.sql');
+    const coderSchema = resolve(__dirname, '../../schema.sql');
+    await sql.unsafe(readFileSync(serverSchema, 'utf8'));
+    await sql.unsafe(readFileSync(coderSchema, 'utf8'));
+
+    await mkdir(projectDir, { recursive: true });
+    await hostExec(
+      `cd ${projectDir} && git init -q && git config user.email t@t && git config user.name t ` +
+        `&& echo hello > README.md && git add -A && git commit -qm init`,
+      { timeoutMs: 20_000 },
+    );
+
+    const [project] = await sql<{ id: string }[]>`
+      INSERT INTO projects (name, path, status) VALUES ('checkpoint-test', ${projectDir}, 'open') RETURNING id
+    `;
+    projectId = project!.id;
+    const [session] = await sql<{ id: string }[]>`
+      INSERT INTO sessions (project_id, name, model, status)
+      VALUES (${projectId}, 'cp', 'm', 'open') RETURNING id
+    `;
+    sessionId = session!.id;
+    const [chat] = await sql<{ id: string }[]>`
+      INSERT INTO chats (session_id, name, status) VALUES (${sessionId}, 'tab', 'open') RETURNING id
+    `;
+    chatId = chat!.id;
+
+    const wt = await ensureSessionWorktree(sql, projectDir, sessionId);
+    worktreePath = wt.worktreePath;
+  });
+
+  afterAll(async () => {
+    if (sql) {
+      const rows = await sql<{ path: string }[]>`SELECT path FROM worktrees WHERE session_id = ${sessionId}`.catch(() => []);
+      for (const r of rows) {
+        await hostExec(`git -C ${projectDir} worktree remove ${r.path} --force`, { timeoutMs: 10_000 }).catch(() => {});
+      }
+      await sql`DELETE FROM checkpoints WHERE chat_id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM agent_sessions WHERE chat_id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM worktrees WHERE session_id = ${sessionId}`.catch(() => {});
+      await sql`DELETE FROM chats WHERE id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM sessions WHERE id = ${sessionId}`.catch(() => {});
+      await sql`DELETE FROM projects WHERE id = ${projectId}`.catch(() => {});
+      await sql.end({ timeout: 5 });
+    }
+    await rm(projectDir, { recursive: true, force: true });
+  });
+
+  it('createCheckpoint inserts a row + a private ref capturing tracked + untracked', async () => {
+    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    const worktreeId = wt!.id;
+
+    // Pre-turn untracked + tracked-edit state the agent will start from.
+    await hostExec(`cd ${worktreePath} && echo edited >> README.md && echo new > extra.txt`, { timeoutMs: 10_000 });
+
+    const [assistantMsg] = await sql<{ id: string }[]>`
+      INSERT INTO messages (session_id, chat_id, role, content, status)
+      VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming') RETURNING id
+    `;
+    const messageId = assistantMsg!.id;
+
+    const cp = await createCheckpoint(sql, {
+      chatId,
+      sessionId,
+      worktreeId,
+      worktreePath,
+      messageId,
+    });
+    expect(cp).not.toBeNull();
+    expect(cp!.commit_sha).toMatch(/^[0-9a-f]{40}$/);
+
+    const [row] = await sql<{ commit_sha: string; worktree_id: string; message_id: string }[]>`
+      SELECT commit_sha, worktree_id, message_id FROM checkpoints WHERE id = ${cp!.id}
+    `;
+    expect(row!.commit_sha).toBe(cp!.commit_sha);
+    expect(row!.worktree_id).toBe(worktreeId);
+    expect(row!.message_id).toBe(messageId);
+
+    // The ref exists and the captured tree carries the untracked file (proves the
+    // temp-index `git add -A` snapshotted untracked content).
+    const refLs = await hostExec(
+      `git -C ${worktreePath} ls-tree -r --name-only ${cp!.commit_sha}`,
+      { timeoutMs: 10_000 },
+    );
+    expect(refLs.exitCode).toBe(0);
+    expect(refLs.stdout).toContain('extra.txt');
+
+    // The shadow commit did NOT disturb the real working tree: extra.txt is still
+    // present + still untracked (status shows it).
+    const status = await hostExec(`git -C ${worktreePath} status --porcelain`, { timeoutMs: 10_000 });
+    expect(status.stdout).toContain('extra.txt');
+  });
+
+  it('restoreCheckpoint resets the worktree, trims the transcript, and drops later checkpoints', async () => {
+    // Clean slate for this test: reset the worktree to HEAD, clear prior rows.
+    await hostExec(`git -C ${worktreePath} reset --hard HEAD && git -C ${worktreePath} clean -fd`, { timeoutMs: 10_000 });
+    await sql`DELETE FROM checkpoints WHERE chat_id = ${chatId}`;
+    await sql`DELETE FROM messages WHERE chat_id = ${chatId}`;
+
+    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    const worktreeId = wt!.id;
+
+    // Turn 1: a user msg, then the assistant turn the checkpoint anchors. The
+    // worktree is pristine (matches HEAD) when this checkpoint is captured.
+    await sql`INSERT INTO messages (session_id, chat_id, role, content, status) VALUES (${sessionId}, ${chatId}, 'user', 'do it', 'complete')`;
+    const [a1] = await sql<{ id: string }[]>`
+      INSERT INTO messages (session_id, chat_id, role, content, status)
+      VALUES (${sessionId}, ${chatId}, 'assistant', 'turn 1', 'complete') RETURNING id
+    `;
+    const cp1 = await createCheckpoint(sql, { chatId, sessionId, worktreeId, worktreePath, messageId: a1!.id });
+    expect(cp1).not.toBeNull();
+
+    // The agent (turn 1) writes a file into the worktree.
+    await hostExec(`cd ${worktreePath} && echo agent-wrote > agent.txt`, { timeoutMs: 10_000 });
+
+    // Turn 2: another user msg + assistant turn, AND a second (later) checkpoint.
+    await sql`INSERT INTO messages (session_id, chat_id, role, content, status) VALUES (${sessionId}, ${chatId}, 'user', 'more', 'complete')`;
+    const [a2] = await sql<{ id: string }[]>`
+      INSERT INTO messages (session_id, chat_id, role, content, status)
+      VALUES (${sessionId}, ${chatId}, 'assistant', 'turn 2', 'complete') RETURNING id
+    `;
+    const cp2 = await createCheckpoint(sql, { chatId, sessionId, worktreeId, worktreePath, messageId: a2!.id });
+    expect(cp2).not.toBeNull();
+
+    // An agent_sessions row that restore should mark 'crashed'.
+    await sql`
+      INSERT INTO agent_sessions (chat_id, session_id, worktree_id, agent, backend, agent_session_id, status, last_active_at)
+      VALUES (${chatId}, ${sessionId}, ${worktreeId}, 'goose', 'acp_warm', 'sess-1', 'active', clock_timestamp())
+      ON CONFLICT (chat_id, agent) DO UPDATE SET status = 'active'
+    `;
+
+    const before = await sql<{ id: string }[]>`SELECT id FROM messages WHERE chat_id = ${chatId} ORDER BY created_at`;
+    expect(before.length).toBe(4); // user, a1, user, a2
+
+    // Restore to cp1 (before turn 1's assistant message).
+    const result = await restoreCheckpoint(sql, cp1!.id, { sessionId });
+    expect(result.checkpoint_id).toBe(cp1!.id);
+    expect(result.worktree_reset).toBe(true);
+    expect(result.backend_reset).toBe(true);
+    // a1, user(turn2), a2 deleted (created_at >= a1) → 3 trimmed.
+    expect(result.messages_deleted).toBe(3);
+
+    // Transcript trimmed to just the first user message.
+    const after = await sql<{ role: string; content: string }[]>`SELECT role, content FROM messages WHERE chat_id = ${chatId} ORDER BY created_at`;
+    expect(after.length).toBe(1);
+    expect(after[0]!.role).toBe('user');
+
+    // Worktree reset: the agent's file is gone (it was written after cp1).
+    const ls = await hostExec(`ls ${worktreePath}/agent.txt`, { timeoutMs: 10_000 });
+    expect(ls.exitCode).not.toBe(0);
+
+    // The agent_sessions row was reset to 'crashed'.
+    const [as] = await sql<{ status: string }[]>`SELECT status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'goose'`;
+    expect(as!.status).toBe('crashed');
+
+    // cp1 survives (re-restorable); cp2 (later) was dropped.
+    const cps = await sql<{ id: string }[]>`SELECT id FROM checkpoints WHERE chat_id = ${chatId}`;
+    expect(cps.map((c) => c.id)).toEqual([cp1!.id]);
+  });
+
+  it('restoreCheckpoint throws CheckpointNotFoundError for an unknown id', async () => {
+    await expect(
+      restoreCheckpoint(sql, '00000000-0000-0000-0000-000000000000', { sessionId }),
+    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
+  });
+
+  it('restoreCheckpoint throws when the checkpoint is not in the requested session', async () => {
+    // A checkpoint whose session_id differs from the route's sessionId.
+    const [wt] = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    const cp = await createCheckpoint(sql, { chatId, sessionId, worktreeId: wt!.id, worktreePath, messageId: null });
+    expect(cp).not.toBeNull();
+    await expect(
+      restoreCheckpoint(sql, cp!.id, { sessionId: '11111111-1111-1111-1111-111111111111' }),
+    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
+    await sql`DELETE FROM checkpoints WHERE id = ${cp!.id}`;
+  });
+
+  it('restoreCheckpoint denies a NULL-session_id checkpoint from another session (no fail-open IDOR)', async () => {
+    // Regression for the fail-open authorization bug: a checkpoint row whose
+    // denormalized session_id is NULL must STILL be scoped via its chat's owning
+    // session (chats.session_id), not skipped. The old guard `cp.session_id &&
+    // cp.session_id !== sessionId` fell through on NULL → cross-session restore.
+    const [row] = await sql<{ id: string }[]>`
+      INSERT INTO checkpoints (chat_id, session_id, message_id, commit_sha)
+      VALUES (${chatId}, NULL, NULL, 'deadbeef')
+      RETURNING id
+    `;
+    await expect(
+      restoreCheckpoint(sql, row!.id, { sessionId: '22222222-2222-2222-2222-222222222222' }),
+    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
+    await sql`DELETE FROM checkpoints WHERE id = ${row!.id}`;
+  });
+});

apps/coder/src/services/__tests__/fuzzy-match.test.ts

@@ -0,0 +1,173 @@
+import { describe, it, expect } from 'vitest';
+import { locateMatch, SIMILARITY_THRESHOLD } from '../fuzzy-match.js';
+
+// Helper: assert a resolved span and slice it back out of the content so the
+// test pins the EXACT file text the caller would replace.
+function span(result: ReturnType<typeof locateMatch>): { start: number; end: number } {
+  if (result.kind !== 'exact' && result.kind !== 'fuzzy') {
+    throw new Error(`expected a located span, got ${result.kind}`);
+  }
+  return { start: result.start, end: result.end };
+}
+
+describe('locateMatch — strategy 1: exact', () => {
+  it('returns an exact unique span', () => {
+    const content = 'alpha\nbeta\ngamma\n';
+    const result = locateMatch(content, 'beta');
+    expect(result.kind).toBe('exact');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('beta');
+  });
+
+  it('returns the right offsets for a multi-line exact needle', () => {
+    const content = 'one\ntwo\nthree\nfour\n';
+    const needle = 'two\nthree';
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('exact');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe(needle);
+  });
+
+  it('refuses when the exact needle occurs more than once', () => {
+    const content = 'foo\nbar\nfoo\nbar\nfoo\n';
+    const result = locateMatch(content, 'foo');
+    expect(result).toEqual({ kind: 'ambiguous', count: 3 });
+  });
+});
+
+describe('locateMatch — strategy 2: per-line whitespace', () => {
+  it('matches across trailing-whitespace drift at the real span', () => {
+    // File has trailing spaces the model dropped from a TWO-line copy. A
+    // single-line needle would be located by exact indexOf (it's a substring),
+    // so use two lines where line 1's trailing ws breaks an exact substring run.
+    const content = 'function f() {\n  setup();   \n  return 1;\n}\n';
+    const needle = '  setup();\n  return 1;'; // line 1 missing trailing spaces
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    // The returned span covers the ORIGINAL lines including the trailing spaces.
+    expect(content.slice(start, end)).toBe('  setup();   \n  return 1;');
+  });
+
+  it('matches across indentation drift (multi-line block)', () => {
+    // File indents with 4 spaces; model emitted 2-space indentation. trimEnd
+    // alone does not normalize LEADING whitespace, so this exercises... actually
+    // leading-indent drift is a Levenshtein-tier fallback. Here we keep the
+    // leading indent identical and drift only trailing whitespace per line.
+    const content = ['if (x) {', '    doThing();    ', '    doOther();', '}'].join('\n');
+    const needle = ['    doThing();', '    doOther();'].join('\n');
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('    doThing();    \n    doOther();');
+  });
+
+  it('ignores leading/trailing blank needle lines', () => {
+    const content = 'header\nbody line\nfooter\n';
+    const needle = '\n\nbody line\n\n';
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('body line');
+  });
+
+  it('reports ambiguous when a whitespace-window matches twice', () => {
+    // Both line 1 and line 4 differ from the needle only by trailing whitespace,
+    // so exact indexOf fails (no exact substring) and the whitespace tier finds
+    // two equivalent windows → ambiguous.
+    const content = 'x = 1;  \ny = 2;\nz = 3;\nx = 1;\t\n';
+    const needle = 'x = 1;'; // no trailing ws → not an exact substring of either line
+    const result = locateMatch(content, needle);
+    expect(result).toEqual({ kind: 'ambiguous', count: 2 });
+  });
+});
+
+describe('locateMatch — strategy 3: unicode canonicalization', () => {
+  it('matches across curly quotes', () => {
+    const content = "const s = 'hello';\n";
+    const needle = 'const s = ‘hello’;'; // ‘hello’
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    // Span maps back to ORIGINAL (straight-quote) text.
+    expect(content.slice(start, end)).toBe("const s = 'hello';");
+  });
+
+  it('matches across curly double-quotes', () => {
+    const content = 'log("done");\n';
+    const needle = 'log(“done”);'; // “done”
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('log("done");');
+  });
+
+  it('matches across an em-dash drift', () => {
+    const content = 'range 1-10 inclusive\n';
+    const needle = 'range 1—10 inclusive'; // em-dash
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('range 1-10 inclusive');
+  });
+
+  it('matches across a non-breaking space drift', () => {
+    const content = 'a b c\n'; // plain spaces
+    const needle = 'a b c'; // nbsp between words
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('a b c');
+  });
+});
+
+describe('locateMatch — strategy 4: Levenshtein', () => {
+  it('matches a >= threshold near-miss (small typo drift)', () => {
+    // Needle has a one-char typo ('totals' vs 'total') so it is NOT an exact
+    // substring and the whitespace/canonical tiers (which require equality) both
+    // miss; Levenshtein similarity stays well above the 0.66 floor.
+    const content = 'const total = sum + tax;\n';
+    const needle = 'const totals = sum + tax;';
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    // Span maps to the real (correctly-spelled) file line.
+    expect(content.slice(start, end)).toBe('const total = sum + tax;');
+  });
+
+  it('matches a multi-line block with indentation drift via Levenshtein', () => {
+    const content = ['function g() {', '  return compute(a, b);', '}'].join('\n');
+    // 6-space indent vs file's 2-space; trimEnd does not fix leading indent, so
+    // this lands on the Levenshtein tier (joined-trim makes it identical → ~1.0).
+    const needle = ['      return compute(a, b);'].join('\n');
+    const result = locateMatch(content, needle);
+    expect(result.kind).toBe('fuzzy');
+    const { start, end } = span(result);
+    expect(content.slice(start, end)).toBe('  return compute(a, b);');
+  });
+
+  it('returns not_found for a below-threshold miss', () => {
+    const content = 'the quick brown fox jumps over the lazy dog\n';
+    const needle = 'completely unrelated string of text here xyz';
+    const result = locateMatch(content, needle);
+    expect(result).toEqual({ kind: 'not_found' });
+  });
+
+  it('returns not_found for a genuinely-absent needle', () => {
+    const content = 'alpha\nbeta\ngamma\n';
+    const needle = 'this content does not exist anywhere at all';
+    const result = locateMatch(content, needle);
+    expect(result).toEqual({ kind: 'not_found' });
+  });
+});
+
+describe('locateMatch — edge cases', () => {
+  it('returns not_found for an empty needle', () => {
+    expect(locateMatch('anything', '')).toEqual({ kind: 'not_found' });
+  });
+
+  it('exposes a sane similarity threshold', () => {
+    expect(SIMILARITY_THRESHOLD).toBeGreaterThan(0);
+    expect(SIMILARITY_THRESHOLD).toBeLessThanOrEqual(1);
+  });
+});

apps/coder/src/services/__tests__/reconnect_integration.test.ts

@@ -0,0 +1,170 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { readFileSync, existsSync } from 'node:fs';
+import { rm, mkdir } from 'node:fs/promises';
+import { resolve } from 'node:path';
+import postgres from 'postgres';
+import {
+  ensureSessionWorktree,
+  closeChatBackendState,
+  rebaselineWorktreeAfterApply,
+} from '../worktrees.js';
+import { reapOrphanWorktrees } from '../orphan-worktree-reaper.js';
+import { hostExec } from '../host-exec.js';
+
+/**
+ * v2.6 Phase 3 (3.6) — reconnect-after-restart integration test.
+ *
+ * Proves the DB-truth side of crash/restart recovery: a BooCoder restart wipes the
+ * in-memory pool, but the persistent `worktrees` + `agent_sessions` rows survive,
+ * so the "next turn" re-resolves the SAME worktree (reattach, no new dir) and the
+ * agent-session row is still there to resume from. Also exercises the chat-close
+ * hook (3.3), the apply re-baseline (3.5), and the orphan reaper (3.4) end-to-end
+ * against a real git repo + postgres.
+ *
+ * Requires DATABASE_URL (DB-opt-in; skips cleanly otherwise) AND git on PATH. Runs:
+ *   DATABASE_URL='postgres://boocode:devpass@localhost:5500/boochat' pnpm -C apps/coder test
+ */
+describe.runIf(!!process.env.DATABASE_URL)('reconnect after restart (Phase 3)', () => {
+  let sql: ReturnType<typeof postgres>;
+  const stamp = Date.now();
+  const projectDir = `/tmp/boocode-reconnect-proj-${stamp}`;
+  let projectId: string;
+  let sessionId: string;
+  let chatId: string;
+
+  beforeAll(async () => {
+    sql = postgres(process.env.DATABASE_URL!, { max: 3 });
+
+    // Both schemas land in the one boochat DB: server owns sessions/chats/projects,
+    // coder owns worktrees/agent_sessions (FK targets must pre-exist → server first).
+    const serverSchema = resolve(__dirname, '../../../../server/src/schema.sql');
+    const coderSchema = resolve(__dirname, '../../schema.sql');
+    await sql.unsafe(readFileSync(serverSchema, 'utf8'));
+    await sql.unsafe(readFileSync(coderSchema, 'utf8'));
+
+    // A real git repo with one commit so worktree add / diff / rev-parse work.
+    await mkdir(projectDir, { recursive: true });
+    await hostExec(
+      `cd ${projectDir} && git init -q && git config user.email t@t && git config user.name t ` +
+        `&& echo hello > README.md && git add -A && git commit -qm init`,
+      { timeoutMs: 20_000 },
+    );
+
+    const [project] = await sql<{ id: string }[]>`
+      INSERT INTO projects (name, path, status) VALUES ('reconnect-test', ${projectDir}, 'open') RETURNING id
+    `;
+    projectId = project!.id;
+    const [session] = await sql<{ id: string }[]>`
+      INSERT INTO sessions (project_id, name, model, status)
+      VALUES (${projectId}, 'recon', 'm', 'open') RETURNING id
+    `;
+    sessionId = session!.id;
+    const [chat] = await sql<{ id: string }[]>`
+      INSERT INTO chats (session_id, name, status) VALUES (${sessionId}, 'tab', 'open') RETURNING id
+    `;
+    chatId = chat!.id;
+  });
+
+  afterAll(async () => {
+    if (sql) {
+      // Best-effort worktree cleanup before dropping rows.
+      const rows = await sql<{ path: string }[]>`SELECT path FROM worktrees WHERE session_id = ${sessionId}`.catch(() => []);
+      for (const r of rows) {
+        await hostExec(`git -C ${projectDir} worktree remove ${r.path} --force`, { timeoutMs: 10_000 }).catch(() => {});
+      }
+      await sql`DELETE FROM agent_sessions WHERE chat_id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM worktrees WHERE session_id = ${sessionId}`.catch(() => {});
+      await sql`DELETE FROM chats WHERE id = ${chatId}`.catch(() => {});
+      await sql`DELETE FROM sessions WHERE id = ${sessionId}`.catch(() => {});
+      await sql`DELETE FROM projects WHERE id = ${projectId}`.catch(() => {});
+      await sql.end({ timeout: 5 });
+    }
+    await rm(projectDir, { recursive: true, force: true });
+  });
+
+  it('reattaches the SAME worktree across a simulated restart (no new dir)', async () => {
+    // "Turn 1" — first ensureSessionWorktree creates the worktree + row.
+    const first = await ensureSessionWorktree(sql, projectDir, sessionId);
+    expect(existsSync(first.worktreePath)).toBe(true);
+    expect(first.baseCommit).toBeTruthy();
+
+    // Simulate an agent_sessions row written by turn 1 (opencode).
+    await sql`
+      INSERT INTO agent_sessions (chat_id, session_id, worktree_id, agent, backend, agent_session_id, status, last_active_at)
+      VALUES (${chatId}, ${sessionId}, ${first.worktreeId}, 'opencode', 'opencode_server', 'oc-sess-1', 'active', clock_timestamp())
+      ON CONFLICT (chat_id, agent) DO NOTHING
+    `;
+
+    // "Restart" = brand-new resolution with NO in-memory state. ensureSessionWorktree
+    // must return the EXISTING row (same id + path), proving reattach not re-create.
+    const second = await ensureSessionWorktree(sql, projectDir, sessionId);
+    expect(second.worktreeId).toBe(first.worktreeId);
+    expect(second.worktreePath).toBe(first.worktreePath);
+    expect(second.baseCommit).toBe(first.baseCommit);
+
+    // The agent_sessions row survived the "restart" with its resume handle intact.
+    const [row] = await sql<{ agent_session_id: string; status: string }[]>`
+      SELECT agent_session_id, status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'opencode'
+    `;
+    expect(row!.agent_session_id).toBe('oc-sess-1');
+  });
+
+  it('re-baselines the worktree diff after apply (3.5)', async () => {
+    const wt = await ensureSessionWorktree(sql, projectDir, sessionId);
+    const baseBefore = wt.baseCommit;
+    // Make a change in the worktree (as an external agent would).
+    await hostExec(`cd ${wt.worktreePath} && echo change >> README.md`, { timeoutMs: 10_000 });
+
+    const r = await rebaselineWorktreeAfterApply(sql, sessionId);
+    expect(r.rebaselined).toBe(true);
+    expect(r.newBaseCommit).toBeTruthy();
+    expect(r.newBaseCommit).not.toBe(baseBefore);
+
+    const [row] = await sql<{ base_commit: string }[]>`
+      SELECT base_commit FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'
+    `;
+    expect(row!.base_commit).toBe(r.newBaseCommit);
+
+    // Idempotent: a second re-baseline with no new edits is a no-op.
+    const r2 = await rebaselineWorktreeAfterApply(sql, sessionId);
+    expect(r2.rebaselined).toBe(false);
+  });
+
+  it('chat-close hook closes agent rows + removes the worktree on the last chat (3.3)', async () => {
+    // Sanity: an active worktree + agent row exist from the prior tests.
+    const beforeWt = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    expect(beforeWt.length).toBe(1);
+
+    const result = await closeChatBackendState(sql, chatId);
+    expect(result.agentRowsClosed).toBeGreaterThanOrEqual(1);
+    // chatId is the session's only chat → worktree removed (it was clean after the
+    // re-baseline commit), not at-risk.
+    expect(result.worktreeAtRisk).toBe(false);
+    expect(result.worktreeRemoved).toBe(true);
+
+    const [agentRow] = await sql<{ status: string }[]>`
+      SELECT status FROM agent_sessions WHERE chat_id = ${chatId} AND agent = 'opencode'
+    `;
+    expect(agentRow!.status).toBe('closed');
+
+    const activeWt = await sql<{ id: string }[]>`SELECT id FROM worktrees WHERE session_id = ${sessionId} AND status = 'active'`;
+    expect(activeWt.length).toBe(0); // archived, no longer active
+  });
+
+  it('orphan reaper leaves a live worktree alone and reaps a row-less dir (3.4)', async () => {
+    // Recreate a live worktree for this session (the close test archived the old one).
+    const live = await ensureSessionWorktree(sql, projectDir, sessionId);
+    expect(existsSync(live.worktreePath)).toBe(true);
+
+    // A live worktree (active row) with grace 0 must NOT be reaped.
+    const r1 = await reapOrphanWorktrees(sql, console as never, 0, Date.now());
+    expect(r1.reaped).not.toContain(live.worktreePath);
+
+    // Now archive its row (simulating a leaked dir) and reap again — it becomes an
+    // orphan and is reclaimed (it's clean → not at-risk).
+    await sql`UPDATE worktrees SET status = 'archived' WHERE id = ${live.worktreeId}`;
+    const r2 = await reapOrphanWorktrees(sql, console as never, 0, Date.now());
+    expect(r2.reaped).toContain(live.worktreePath);
+    expect(existsSync(live.worktreePath)).toBe(false);
+  });
+});

apps/coder/src/services/__tests__/stream-json-parser.test.ts

@@ -0,0 +1,189 @@
+import { describe, it, expect } from 'vitest';
+import {
+  makeStreamJsonParser,
+  makeStreamJsonState,
+  parseStreamJsonLine,
+  type AgentEventList,
+} from '../stream-json-parser.js';
+import type { AgentEvent } from '../agent-backend.js';
+import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
+
+// Helpers to JSON-encode the representative Claude-Code stream-json lines.
+const sys = (sessionId: string) =>
+  JSON.stringify({ type: 'system', subtype: 'init', session_id: sessionId, tools: ['read', 'edit'] });
+
+const streamEvent = (event: unknown) => JSON.stringify({ type: 'stream_event', event });
+
+const textDelta = (index: number, text: string) =>
+  streamEvent({ type: 'content_block_delta', index, delta: { type: 'text_delta', text } });
+
+const thinkingDelta = (index: number, thinking: string) =>
+  streamEvent({ type: 'content_block_delta', index, delta: { type: 'thinking_delta', thinking } });
+
+const toolStart = (index: number, id: string, name: string) =>
+  streamEvent({ type: 'content_block_start', index, content_block: { type: 'tool_use', id, name } });
+
+const inputJsonDelta = (index: number, partial: string) =>
+  streamEvent({ type: 'content_block_delta', index, delta: { type: 'input_json_delta', partial_json: partial } });
+
+const blockStop = (index: number) => streamEvent({ type: 'content_block_stop', index });
+
+const resultLine = (input: number, output: number, sessionId?: string) =>
+  JSON.stringify({ type: 'result', subtype: 'success', session_id: sessionId, usage: { input_tokens: input, output_tokens: output } });
+
+describe('parseStreamJsonLine (pure per-line mapping)', () => {
+  it('captures session_id from the system init line and emits no events', () => {
+    const state = makeStreamJsonState();
+    const events = parseStreamJsonLine(sys('sess-abc'), state);
+    expect(events).toEqual([]);
+    expect(state.sessionId).toBe('sess-abc');
+  });
+
+  it('maps a text_delta stream_event → a text event', () => {
+    const state = makeStreamJsonState();
+    expect(parseStreamJsonLine(textDelta(0, 'Hello'), state)).toEqual([{ type: 'text', text: 'Hello' }]);
+  });
+
+  it('maps a thinking_delta stream_event → a reasoning event', () => {
+    const state = makeStreamJsonState();
+    expect(parseStreamJsonLine(thinkingDelta(0, 'pondering'), state)).toEqual([
+      { type: 'reasoning', text: 'pondering' },
+    ]);
+  });
+
+  it('tolerates a garbage / non-JSON line (returns [], no throw)', () => {
+    const state = makeStreamJsonState();
+    expect(parseStreamJsonLine('not json at all {{{', state)).toEqual([]);
+    expect(parseStreamJsonLine('', state)).toEqual([]);
+    expect(parseStreamJsonLine('   ', state)).toEqual([]);
+    // A truncated/partial JSON object also yields [] rather than throwing.
+    expect(parseStreamJsonLine('{"type":"stream_event","eve', state)).toEqual([]);
+  });
+
+  it('ignores unknown top-level line types and the user (tool-result) line', () => {
+    const state = makeStreamJsonState();
+    expect(parseStreamJsonLine(JSON.stringify({ type: 'user', message: {} }), state)).toEqual([]);
+    expect(parseStreamJsonLine(JSON.stringify({ type: 'whatever' }), state)).toEqual([]);
+  });
+
+  it('assembles a tool call across input_json_delta chunks (split across lines)', () => {
+    const state = makeStreamJsonState();
+    // start → tool_call (running, empty args)
+    const start = parseStreamJsonLine(toolStart(1, 'toolu_1', 'edit_file'), state);
+    expect(start).toHaveLength(1);
+    expect(start[0]!.type).toBe('tool_call');
+    const startSnap = (start[0] as { type: 'tool_call'; toolCall: AcpToolSnapshot }).toolCall;
+    expect(startSnap.toolCallId).toBe('toolu_1');
+    expect(startSnap.title).toBe('edit_file');
+    expect(startSnap.status).toBe('in_progress');
+    expect(startSnap.rawInput).toEqual({});
+
+    // args streamed in fragments — no events until stop
+    expect(parseStreamJsonLine(inputJsonDelta(1, '{"path":"a'), state)).toEqual([]);
+    expect(parseStreamJsonLine(inputJsonDelta(1, '.ts","content":'), state)).toEqual([]);
+    expect(parseStreamJsonLine(inputJsonDelta(1, '"hi"}'), state)).toEqual([]);
+
+    // stop → tool_update with the parsed, fully-assembled input
+    const stop = parseStreamJsonLine(blockStop(1), state);
+    expect(stop).toHaveLength(1);
+    expect(stop[0]!.type).toBe('tool_update');
+    const stopSnap = (stop[0] as { type: 'tool_update'; toolCall: AcpToolSnapshot }).toolCall;
+    expect(stopSnap.toolCallId).toBe('toolu_1');
+    expect(stopSnap.status).toBe('completed');
+    expect(stopSnap.rawInput).toEqual({ path: 'a.ts', content: 'hi' });
+  });
+
+  it('falls back to {_raw} when accumulated tool args are not valid JSON', () => {
+    const state = makeStreamJsonState();
+    parseStreamJsonLine(toolStart(0, 'toolu_x', 'run'), state);
+    parseStreamJsonLine(inputJsonDelta(0, '{"broken'), state);
+    const stop = parseStreamJsonLine(blockStop(0), state);
+    const snap = (stop[0] as { type: 'tool_update'; toolCall: AcpToolSnapshot }).toolCall;
+    expect(snap.rawInput).toEqual({ _raw: '{"broken' });
+  });
+
+  it('captures usage from message_delta and result lines', () => {
+    const state = makeStreamJsonState();
+    parseStreamJsonLine(streamEvent({ type: 'message_delta', usage: { output_tokens: 42 } }), state);
+    expect(state.usage.outputTokens).toBe(42);
+    parseStreamJsonLine(resultLine(100, 250, 'sess-z'), state);
+    expect(state.usage.inputTokens).toBe(100);
+    expect(state.usage.outputTokens).toBe(250);
+    expect(state.sessionId).toBe('sess-z');
+  });
+
+  it('maps a terminal assistant message (fallback) → text + reasoning + tool events', () => {
+    const state = makeStreamJsonState();
+    const line = JSON.stringify({
+      type: 'assistant',
+      session_id: 'sess-asst',
+      message: {
+        content: [
+          { type: 'thinking', thinking: 'let me think' },
+          { type: 'text', text: 'Here is the answer' },
+          { type: 'tool_use', id: 'toolu_9', name: 'view_file', input: { path: 'x.ts' } },
+        ],
+        usage: { input_tokens: 5, output_tokens: 7 },
+      },
+    });
+    const events = parseStreamJsonLine(line, state);
+    expect(events).toEqual([
+      { type: 'reasoning', text: 'let me think' },
+      { type: 'text', text: 'Here is the answer' },
+      {
+        type: 'tool_update',
+        toolCall: { toolCallId: 'toolu_9', title: 'view_file', kind: null, status: 'completed', rawInput: { path: 'x.ts' } },
+      },
+    ]);
+    expect(state.usage).toEqual({ inputTokens: 5, outputTokens: 7 });
+    expect(state.sessionId).toBe('sess-asst');
+  });
+});
+
+describe('makeStreamJsonParser (stateful wrapper over a full turn)', () => {
+  it('streams a representative turn: init → text → thinking → tool → result', () => {
+    const parser = makeStreamJsonParser();
+    const all: AgentEvent[] = [];
+    const feed = (line: string): AgentEventList => {
+      const evs = parser.push(line);
+      all.push(...evs);
+      return evs;
+    };
+
+    feed(sys('sess-1'));
+    feed(textDelta(0, 'Reading '));
+    feed(textDelta(0, 'the file. '));
+    feed(thinkingDelta(0, 'I should edit it'));
+    feed(toolStart(1, 'toolu_a', 'edit_file'));
+    feed(inputJsonDelta(1, '{"path":'));
+    feed(inputJsonDelta(1, '"main.ts"}'));
+    feed(blockStop(1));
+    feed(textDelta(0, 'Done.'));
+    feed(resultLine(120, 80, 'sess-1'));
+
+    expect(all).toEqual([
+      { type: 'text', text: 'Reading ' },
+      { type: 'text', text: 'the file. ' },
+      { type: 'reasoning', text: 'I should edit it' },
+      {
+        type: 'tool_call',
+        toolCall: { toolCallId: 'toolu_a', title: 'edit_file', kind: null, status: 'in_progress', rawInput: {} },
+      },
+      {
+        type: 'tool_update',
+        toolCall: { toolCallId: 'toolu_a', title: 'edit_file', kind: null, status: 'completed', rawInput: { path: 'main.ts' } },
+      },
+      { type: 'text', text: 'Done.' },
+    ]);
+
+    expect(parser.usage()).toEqual({ inputTokens: 120, outputTokens: 80 });
+    expect(parser.sessionId()).toBe('sess-1');
+  });
+
+  it('a garbage line interleaved mid-turn does not derail subsequent parsing', () => {
+    const parser = makeStreamJsonParser();
+    expect(parser.push(textDelta(0, 'a'))).toEqual([{ type: 'text', text: 'a' }]);
+    expect(parser.push('>>> not json <<<')).toEqual([]);
+    expect(parser.push(textDelta(0, 'b'))).toEqual([{ type: 'text', text: 'b' }]);
+  });
+});

apps/coder/src/services/agent-backend.ts

@@ -99,4 +99,21 @@ export interface AgentBackend {
   dispose(): Promise<void>;
   /** Liveness for health endpoint + dispatcher fallback decision. §2 */
   health(): 'up' | 'down';
+  /**
+   * v2.6 Phase 3: true iff a turn is in flight on this backend. The pool's idle
+   * eviction + LRU cap NEVER evict a busy backend (design §6 busy rule); the
+   * health-monitor defers a restart while busy (stale-grace). Optional so the
+   * Phase-0 scaffold and any test double stay compatible — absent ⇒ treated as
+   * not busy. opencode-server (multi-session) is busy iff ANY session has an
+   * active turn; warm-acp (single session) iff its one slot is active.
+   */
+  isBusy?(): boolean;
+  /**
+   * v2.6 Phase 3: optional proactive health probe + busy-aware self-restart, run
+   * by the pool's periodic sweep. The opencode-server backend implements it
+   * (detects a hung-but-not-exited server and restarts when non-busy). Backends
+   * with no long-lived shared process (warm-ACP recovers lazily on its own child
+   * exit) can omit it. Must never throw — the sweep ignores rejections.
+   */
+  tickHealth?(now?: number): Promise<void>;
 }

apps/coder/src/services/agent-pool.ts

@@ -1,44 +1,246 @@
 /**
- * v2.6 — AgentPool (Phase 0 scaffold).
+ * v2.6 — AgentPool.
  *
  * Lazy get-or-create registry of `AgentBackend` instances keyed by
- * `${sessionId}:${agent}`. Phase 0 ships the skeleton only: an in-memory Map,
- * lookup / register / health, and clean disposal wired to the server's onClose.
- * Spawning lands in Phase 1/2; nothing populates the map yet.
+ * `${primary}:${agent}` (primary = chatId for warm-ACP, a fixed sentinel for the
+ * single shared opencode server). Phase 0 shipped the skeleton (Map + health +
+ * dispose). Phase 3 adds the LIFECYCLE: per-entry idle tracking, a periodic
+ * idle-TTL + LRU-cap sweep (the pure decisions live in
+ * `backends/lifecycle-decisions.ts`), and a `closeChat` helper for the chat-close
+ * hook. Reattach after eviction is implicit — the next turn's `ensureSession`
+ * rebuilds the backend from `agent_sessions` / `worktrees` (DB is the source of
+ * truth; the in-memory pool is a warm cache).
  *
- * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2.
+ * The hard rule (design §6): NEVER evict a busy backend (one with an in-flight
+ * turn). `selectIdleEvictionTargets` / `selectLruEvictionTargets` enforce it via
+ * `backend.isBusy()`; a long turn that outlives the TTL is left alone.
+ *
+ * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2 / §6.
  */
+import type { FastifyBaseLogger } from 'fastify';
 import type { AgentBackend } from './agent-backend.js';
+import {
+  selectIdleEvictionTargets,
+  selectLruEvictionTargets,
+  DEFAULT_IDLE_TTL_MS,
+  DEFAULT_MAX_LIVE_BACKENDS,
+} from './backends/lifecycle-decisions.js';
+
+interface PoolEntry {
+  primary: string;
+  agent: string;
+  backend: AgentBackend;
+  /** Epoch ms of the last turn boundary (register or touch). Drives idle/LRU. */
+  lastActiveAt: number;
+}
+
+export interface AgentPoolOpts {
+  /** Idle TTL before a non-busy backend is evicted. Default 30 min. */
+  idleTtlMs?: number;
+  /** Max live backends before the LRU cap evicts the least-recently-used. */
+  maxLive?: number;
+  /** Sweep cadence. Default 60s (mirrors the server's periodic sweeper). */
+  sweepIntervalMs?: number;
+  log?: FastifyBaseLogger;
+}
+
+const DEFAULT_SWEEP_INTERVAL_MS = 60_000;
 
 export class AgentPool {
-  private readonly backends = new Map<string, AgentBackend>();
+  private readonly backends = new Map<string, PoolEntry>();
+  private idleTtlMs: number;
+  private maxLive: number;
+  private sweepIntervalMs: number;
+  private log: FastifyBaseLogger | undefined;
+  private sweepTimer: ReturnType<typeof setInterval> | null = null;
+  /** Serializes sweep runs so a slow eviction can't overlap the next tick. */
+  private sweeping = false;
 
-  private key(sessionId: string, agent: string): string {
-    return `${sessionId}:${agent}`;
+  constructor(opts: AgentPoolOpts = {}) {
+    this.idleTtlMs = opts.idleTtlMs ?? DEFAULT_IDLE_TTL_MS;
+    this.maxLive = opts.maxLive ?? DEFAULT_MAX_LIVE_BACKENDS;
+    this.sweepIntervalMs = opts.sweepIntervalMs ?? DEFAULT_SWEEP_INTERVAL_MS;
+    this.log = opts.log;
   }
 
-  /** Map lookup only. Spawning is Phase 1/2 — never creates here. */
-  get(sessionId: string, agent: string): AgentBackend | undefined {
-    return this.backends.get(this.key(sessionId, agent));
+  /** Apply env-derived knobs to the module singleton at bootstrap (before
+   *  startReaper). Only overrides explicitly-provided fields. */
+  configure(opts: AgentPoolOpts): void {
+    if (opts.idleTtlMs != null) this.idleTtlMs = opts.idleTtlMs;
+    if (opts.maxLive != null) this.maxLive = opts.maxLive;
+    if (opts.sweepIntervalMs != null) this.sweepIntervalMs = opts.sweepIntervalMs;
+    if (opts.log) this.log = opts.log;
   }
 
-  /** Store a backend instance for this (session, agent). */
-  register(sessionId: string, agent: string, backend: AgentBackend): void {
-    this.backends.set(this.key(sessionId, agent), backend);
+  private key(primary: string, agent: string): string {
+    return `${primary}:${agent}`;
+  }
+
+  /** Map lookup only. Spawning happens in the dispatcher (Phase 1/2). A hit also
+   *  marks the entry recently-active so a resolve-without-prompt doesn't get it
+   *  evicted out from under an imminent turn. */
+  get(primary: string, agent: string): AgentBackend | undefined {
+    const entry = this.backends.get(this.key(primary, agent));
+    if (entry) entry.lastActiveAt = Date.now();
+    return entry?.backend;
+  }
+
+  /** Store a backend instance for this (primary, agent). */
+  register(primary: string, agent: string, backend: AgentBackend): void {
+    this.backends.set(this.key(primary, agent), { primary, agent, backend, lastActiveAt: Date.now() });
+  }
+
+  /** Mark a backend recently-active (call at turn start AND settle so a long turn
+   *  keeps its slot warm). No-op if the key isn't pooled. */
+  touch(primary: string, agent: string): void {
+    const entry = this.backends.get(this.key(primary, agent));
+    if (entry) entry.lastActiveAt = Date.now();
+  }
+
+  /** Snapshot for the decision helpers (busy is read live from the backend). */
+  private snapshots(): { key: string; lastActiveAt: number; busy: boolean }[] {
+    const out: { key: string; lastActiveAt: number; busy: boolean }[] = [];
+    for (const [key, e] of this.backends) {
+      out.push({ key, lastActiveAt: e.lastActiveAt, busy: e.backend.isBusy?.() ?? false });
+    }
+    return out;
   }
 
   /** Summary for the health endpoint. */
-  health(): { size: number } {
-    return { size: this.backends.size };
+  health(): { size: number; busy: number } {
+    let busy = 0;
+    for (const e of this.backends.values()) if (e.backend.isBusy?.()) busy++;
+    return { size: this.backends.size, busy };
+  }
+
+  // ─── Phase 3: idle-TTL + LRU eviction sweep ──────────────────────────────────
+
+  /** Start the periodic idle + LRU sweep. Idempotent; unref'd so it never holds
+   *  the process open on its own. */
+  startReaper(log?: FastifyBaseLogger): void {
+    if (log) this.log = log;
+    if (this.sweepTimer) return;
+    this.sweepTimer = setInterval(() => {
+      void this.sweep().catch((err) => {
+        this.log?.warn({ err: errMsg(err) }, 'agent-pool: sweep error');
+      });
+    }, this.sweepIntervalMs);
+    this.sweepTimer.unref?.();
+  }
+
+  stopReaper(): void {
+    if (this.sweepTimer) {
+      clearInterval(this.sweepTimer);
+      this.sweepTimer = null;
+    }
+  }
+
+  /**
+   * One sweep pass: evict idle-past-TTL backends, then enforce the LRU cap.
+   * Deduped (a key can't appear in both lists for one pass). Busy backends are
+   * excluded by the decision helpers — a live turn is never torn down.
+   */
+  async sweep(now: number = Date.now()): Promise<{ evicted: string[] }> {
+    if (this.sweeping) return { evicted: [] };
+    this.sweeping = true;
+    try {
+      // Phase 3: drive each backend's optional proactive health probe first (the
+      // opencode server's busy-aware hung-detect + self-restart). Best-effort —
+      // a probe must never fail the sweep.
+      for (const e of this.backends.values()) {
+        if (e.backend.tickHealth) {
+          await e.backend.tickHealth(now).catch((err) => {
+            this.log?.warn({ key: this.key(e.primary, e.agent), err: errMsg(err) }, 'agent-pool: tickHealth threw');
+          });
+        }
+      }
+      const snaps = this.snapshots();
+      const idle = selectIdleEvictionTargets(snaps, now, this.idleTtlMs);
+      // LRU runs on what remains after idle eviction, so the two never double-evict.
+      const idleSet = new Set(idle);
+      const remaining = snaps.filter((s) => !idleSet.has(s.key));
+      const lru = selectLruEvictionTargets(remaining, this.maxLive);
+      const targets = [...idle, ...lru];
+      if (targets.length === 0) return { evicted: [] };
+
+      const evicted: string[] = [];
+      for (const key of targets) {
+        const entry = this.backends.get(key);
+        if (!entry) continue;
+        // Re-check busy right before teardown — a turn may have started since the
+        // snapshot. Defensive; the decision already excluded busy at snapshot time.
+        if (entry.backend.isBusy?.()) continue;
+        this.backends.delete(key);
+        try {
+          await entry.backend.dispose();
+        } catch (err) {
+          this.log?.warn({ key, err: errMsg(err) }, 'agent-pool: backend dispose threw during eviction');
+        }
+        evicted.push(key);
+      }
+      if (evicted.length > 0) {
+        this.log?.info({ evicted, size: this.backends.size }, 'agent-pool: evicted idle/over-cap backends');
+      }
+      return { evicted };
+    } finally {
+      this.sweeping = false;
+    }
+  }
+
+  // ─── Phase 3: chat-close cleanup (3.3) ───────────────────────────────────────
+
+  /**
+   * Tear down every pooled backend whose key is for this chat. Used by the
+   * chat-close hook. The opencode server is shared (keyed on a sentinel, not the
+   * chat), so it is NOT disposed here — only its session is closed via
+   * `closeSession`, which the hook calls directly with the per-(chat,agent)
+   * handle. Returns the keys it removed. Skips busy entries (a close mid-turn is
+   * rare but must not kill a live stream — the idle sweep reaps it shortly after).
+   */
+  async closeChat(chatId: string): Promise<string[]> {
+    const removed: string[] = [];
+    const prefix = `${chatId}:`;
+    for (const [key, entry] of [...this.backends]) {
+      if (!key.startsWith(prefix)) continue;
+      if (entry.backend.isBusy?.()) continue;
+      this.backends.delete(key);
+      try {
+        await entry.backend.dispose();
+      } catch (err) {
+        this.log?.warn({ key, err: errMsg(err) }, 'agent-pool: dispose threw during closeChat');
+      }
+      removed.push(key);
+    }
+    return removed;
+  }
+
+  /** Look up a backend by exact key without bumping its activity (for closeSession). */
+  peek(primary: string, agent: string): AgentBackend | undefined {
+    return this.backends.get(this.key(primary, agent))?.backend;
   }
 
   /** Dispose every backend and clear the map. Tolerates throwing backends. */
   async dispose(): Promise<void> {
+    this.stopReaper();
     const entries = [...this.backends.values()];
     this.backends.clear();
-    await Promise.allSettled(entries.map((b) => b.dispose()));
+    await Promise.allSettled(entries.map((e) => e.backend.dispose()));
   }
 }
 
-/** Single shared instance — referenced only by the server's onClose hook in Phase 0. */
+function errMsg(e: unknown): string {
+  return e instanceof Error ? e.message : String(e);
+}
+
+/**
+ * The shared opencode server is pooled under a FIXED sentinel (one server per
+ * BooCoder process, multiplexing all opencode sessions internally) rather than a
+ * chat id — so it is NOT torn down by `closeChat(chatId)` (only its per-chat
+ * session is closed). Exported so the dispatcher + the lifecycle close-hook agree
+ * on the key without drift.
+ */
+export const OPENCODE_POOL_KEY = '__opencode_server__';
+
+/** Single shared instance — registered by the dispatcher, swept + drained by the
+ *  server's onClose hook. */
 export const agentPool = new AgentPool();

apps/coder/src/services/backends/__tests__/lifecycle-decisions.test.ts

@@ -0,0 +1,176 @@
+import { describe, it, expect } from 'vitest';
+import {
+  selectIdleEvictionTargets,
+  selectLruEvictionTargets,
+  decideRestart,
+  selectOrphanWorktreeTargets,
+  DEFAULT_IDLE_TTL_MS,
+  DEFAULT_MAX_LIVE_BACKENDS,
+  type PoolEntrySnapshot,
+} from '../lifecycle-decisions.js';
+
+/**
+ * v2.6 Phase 3 — pure lifecycle decisions. No DB, no children, no timers; `now`
+ * is injected. Models prune.ts:selectPruneTargets — the caller acts on the keys.
+ */
+
+const NOW = 1_000_000_000_000;
+
+function entry(key: string, ageMs: number, busy = false): PoolEntrySnapshot {
+  return { key, lastActiveAt: NOW - ageMs, busy };
+}
+
+describe('selectIdleEvictionTargets (3.1)', () => {
+  it('evicts entries idle past the TTL', () => {
+    const entries = [
+      entry('a:opencode', DEFAULT_IDLE_TTL_MS + 1),
+      entry('b:goose', DEFAULT_IDLE_TTL_MS - 1),
+    ];
+    expect(selectIdleEvictionTargets(entries, NOW)).toEqual(['a:opencode']);
+  });
+
+  it('never evicts a busy entry even when idle past the TTL', () => {
+    const entries = [entry('a:opencode', DEFAULT_IDLE_TTL_MS * 10, /* busy */ true)];
+    expect(selectIdleEvictionTargets(entries, NOW)).toEqual([]);
+  });
+
+  it('respects a custom TTL', () => {
+    const entries = [entry('a:goose', 5_000), entry('b:qwen', 500)];
+    expect(selectIdleEvictionTargets(entries, NOW, 1_000)).toEqual(['a:goose']);
+  });
+
+  it('treats exactly-at-TTL as evictable (>=)', () => {
+    expect(selectIdleEvictionTargets([entry('a:x', 1_000)], NOW, 1_000)).toEqual(['a:x']);
+  });
+
+  it('returns empty for an empty pool', () => {
+    expect(selectIdleEvictionTargets([], NOW)).toEqual([]);
+  });
+});
+
+describe('selectLruEvictionTargets (3.4)', () => {
+  it('returns nothing when at or under the cap', () => {
+    const entries = [entry('a:x', 10), entry('b:y', 20)];
+    expect(selectLruEvictionTargets(entries, 2)).toEqual([]);
+    expect(selectLruEvictionTargets(entries, 5)).toEqual([]);
+  });
+
+  it('evicts the least-recently-used beyond the cap', () => {
+    // oldest first: c (300ms ago) is LRU, then a (100ms), then b (10ms).
+    const entries = [entry('a:x', 100), entry('b:y', 10), entry('c:z', 300)];
+    expect(selectLruEvictionTargets(entries, 2)).toEqual(['c:z']);
+  });
+
+  it('evicts multiple LRU entries to reach the cap', () => {
+    const entries = [
+      entry('a:x', 100),
+      entry('b:y', 10),
+      entry('c:z', 300),
+      entry('d:w', 200),
+    ];
+    // cap 1: must remove 3, oldest-first c(300), d(200), a(100).
+    expect(selectLruEvictionTargets(entries, 1)).toEqual(['c:z', 'd:w', 'a:x']);
+  });
+
+  it('never evicts a busy entry even if it is the LRU', () => {
+    // c is LRU but busy → it cannot be evicted; fall to the next-oldest (a).
+    const entries = [entry('a:x', 100), entry('b:y', 10), entry('c:z', 300, true)];
+    expect(selectLruEvictionTargets(entries, 2)).toEqual(['a:x']);
+  });
+
+  it('can transiently exceed the cap when too many are busy', () => {
+    // cap 1, but both old entries busy → only the single idle one is evictable.
+    const entries = [entry('a:x', 100, true), entry('c:z', 300, true), entry('b:y', 10)];
+    expect(selectLruEvictionTargets(entries, 1)).toEqual(['b:y']);
+  });
+
+  it('uses the default cap when omitted', () => {
+    const entries = Array.from({ length: DEFAULT_MAX_LIVE_BACKENDS + 1 }, (_, i) =>
+      entry(`k${String(i).padStart(2, '0')}:a`, (i + 1) * 1000),
+    );
+    const evicted = selectLruEvictionTargets(entries);
+    // exactly one over the default cap → evict the single LRU (largest age).
+    expect(evicted).toHaveLength(1);
+    expect(evicted[0]).toBe(`k${String(DEFAULT_MAX_LIVE_BACKENDS).padStart(2, '0')}:a`);
+  });
+});
+
+describe('decideRestart (3.2, busy-aware)', () => {
+  const base = {
+    consecutiveFailures: 0,
+    busy: false,
+    unhealthyBusySince: 0,
+    now: NOW,
+    failureThreshold: 3,
+    staleBusyGraceMs: 120_000,
+  };
+
+  it('does nothing when healthy', () => {
+    expect(decideRestart({ ...base, processExited: false, healthy: true }))
+      .toEqual({ action: 'none', reason: 'healthy' });
+  });
+
+  it('restarts immediately when the process exited', () => {
+    expect(decideRestart({ ...base, processExited: true, busy: true }))
+      .toEqual({ action: 'restart', reason: 'process-exited' });
+  });
+
+  it('waits below the failure threshold', () => {
+    expect(decideRestart({ ...base, processExited: false, consecutiveFailures: 2 }))
+      .toEqual({ action: 'wait', reason: 'below-threshold' });
+  });
+
+  it('restarts at the threshold when idle', () => {
+    expect(decideRestart({ ...base, processExited: false, consecutiveFailures: 3 }))
+      .toEqual({ action: 'restart', reason: 'threshold' });
+  });
+
+  it('defers a restart while busy within the grace window', () => {
+    expect(decideRestart({
+      ...base, processExited: false, consecutiveFailures: 5, busy: true,
+      unhealthyBusySince: NOW - 1_000,
+    })).toEqual({ action: 'wait', reason: 'busy-grace' });
+  });
+
+  it('force-restarts a busy backend after the stale-busy grace', () => {
+    expect(decideRestart({
+      ...base, processExited: false, consecutiveFailures: 5, busy: true,
+      unhealthyBusySince: NOW - 120_001,
+    })).toEqual({ action: 'restart', reason: 'stale-busy-grace' });
+  });
+
+  it('waits (busy-grace) when busy + threshold but the window just started', () => {
+    // unhealthyBusySince === 0 means the caller is about to stamp it this cycle.
+    expect(decideRestart({
+      ...base, processExited: false, consecutiveFailures: 5, busy: true,
+      unhealthyBusySince: 0,
+    })).toEqual({ action: 'wait', reason: 'busy-grace' });
+  });
+});
+
+describe('selectOrphanWorktreeTargets (3.4)', () => {
+  it('skips dirs tracked by a live worktrees row', () => {
+    const onDisk = [{ path: '/wt/sess-a', mtimeMs: NOW - 10_000_000 }];
+    expect(selectOrphanWorktreeTargets(onDisk, new Set(['/wt/sess-a']), NOW, 1000)).toEqual([]);
+  });
+
+  it('reaps an untracked dir older than the grace', () => {
+    const onDisk = [{ path: '/wt/sess-orphan', mtimeMs: NOW - 5000 }];
+    expect(selectOrphanWorktreeTargets(onDisk, new Set(), NOW, 1000)).toEqual(['/wt/sess-orphan']);
+  });
+
+  it('never reaps a dir younger than the grace (mid-create race)', () => {
+    const onDisk = [{ path: '/wt/sess-fresh', mtimeMs: NOW - 500 }];
+    expect(selectOrphanWorktreeTargets(onDisk, new Set(), NOW, 1000)).toEqual([]);
+  });
+
+  it('mixes tracked, fresh, and orphaned correctly', () => {
+    const onDisk = [
+      { path: '/wt/sess-live', mtimeMs: NOW - 10_000 },
+      { path: '/wt/sess-fresh', mtimeMs: NOW - 100 },
+      { path: '/wt/sess-orphan', mtimeMs: NOW - 10_000 },
+    ];
+    expect(selectOrphanWorktreeTargets(onDisk, new Set(['/wt/sess-live']), NOW, 1000))
+      .toEqual(['/wt/sess-orphan']);
+  });
+});

apps/coder/src/services/backends/lifecycle-decisions.ts

@@ -0,0 +1,197 @@
+/**
+ * v2.6 Phase 3 — pure lifecycle decision helpers.
+ *
+ * The eviction / LRU-cap / busy-aware-restart / reaper-target logic, factored out
+ * of AgentPool + the backends + the periodic sweeper so it's unit-testable with no
+ * DB, no child processes, no timers (modeled on
+ * apps/server/src/services/inference/prune.ts:selectPruneTargets — a pure decision
+ * core the caller acts on).
+ *
+ * Three decisions live here:
+ *   1. selectIdleEvictionTargets — which warm backends to evict for being idle.
+ *   2. selectLruEvictionTargets — which warm backends to evict to honour a max-live
+ *      cap (least-recently-used beyond the cap), NEVER a busy one.
+ *   3. shouldRestartCrashedBackend (busy-aware) — openchamber's skip-while-busy +
+ *      stale-grace state machine, re-implemented for BooCode's per-(chat,agent) pool.
+ *
+ * "Busy" = the backend has an in-flight turn. The hard rule (design §6, decisions):
+ * never evict or force-restart a busy backend; defer with a stale-grace.
+ */
+
+// ─── Idle TTL eviction (3.1) ─────────────────────────────────────────────────
+
+/** Default idle TTL before a warm backend/session is evicted (design §6 ~30 min). */
+export const DEFAULT_IDLE_TTL_MS = 30 * 60 * 1000;
+
+/** A pool entry as the decision helpers see it (no backend internals). */
+export interface PoolEntrySnapshot {
+  /** Pool key `${primary}:${agent}` — opaque to the decision, used for selection. */
+  key: string;
+  /** Epoch ms of the last turn activity (start or settle) on this backend. */
+  lastActiveAt: number;
+  /** True iff a turn is in flight right now. Busy entries are never evicted. */
+  busy: boolean;
+}
+
+/**
+ * Idle eviction: an entry is evictable when it has been idle (no turn) for longer
+ * than `ttlMs` AND is not currently busy. Returns the keys to evict.
+ *
+ * Pure: `now` is injected so tests don't depend on wall-clock. Busy entries are
+ * categorically excluded — a long-running turn that exceeds the TTL must NOT be
+ * torn down mid-stream (the §6 / openchamber busy rule).
+ */
+export function selectIdleEvictionTargets(
+  entries: ReadonlyArray<PoolEntrySnapshot>,
+  now: number,
+  ttlMs: number = DEFAULT_IDLE_TTL_MS,
+): string[] {
+  const out: string[] = [];
+  for (const e of entries) {
+    if (e.busy) continue;
+    if (now - e.lastActiveAt >= ttlMs) out.push(e.key);
+  }
+  return out;
+}
+
+// ─── LRU cap (3.4) ───────────────────────────────────────────────────────────
+
+/** Default max live warm backends/worktrees before the LRU cap evicts (env-overridable). */
+export const DEFAULT_MAX_LIVE_BACKENDS = 10;
+
+/**
+ * LRU cap: when more than `cap` non-busy entries are live, evict the
+ * least-recently-used ones (oldest `lastActiveAt` first) until at most `cap`
+ * remain. Busy entries are never evicted AND are not counted toward the cap's
+ * "kept" budget being freed — i.e. we only ever evict idle entries, so a burst of
+ * concurrent busy turns can transiently exceed the cap rather than kill live work.
+ *
+ * Returns the keys to evict, least-recently-used first. Pure / deterministic:
+ * ties broken by key for stable test output.
+ */
+export function selectLruEvictionTargets(
+  entries: ReadonlyArray<PoolEntrySnapshot>,
+  cap: number = DEFAULT_MAX_LIVE_BACKENDS,
+): string[] {
+  if (cap < 0) cap = 0;
+  if (entries.length <= cap) return [];
+  // Only idle entries are eligible to be evicted.
+  const evictable = entries
+    .filter((e) => !e.busy)
+    .sort((a, b) => a.lastActiveAt - b.lastActiveAt || (a.key < b.key ? -1 : a.key > b.key ? 1 : 0));
+  // We must shrink total live count down to `cap`. Busy entries can't be evicted,
+  // so the number we CAN remove is bounded by the evictable pool; evict the oldest
+  // (total - cap) of them, never more than exist.
+  const overBy = entries.length - cap;
+  const toEvict = evictable.slice(0, Math.max(0, overBy));
+  return toEvict.map((e) => e.key);
+}
+
+// ─── Busy-aware crash restart (3.2) — openchamber lift ───────────────────────
+
+/**
+ * Default grace after which a backend that has stayed unhealthy WHILE busy is
+ * force-restarted anyway (openchamber's STALE_BUSY_GRACE_MS = 2 min). Guards
+ * against a permanently-stuck "busy" turn wedging recovery forever.
+ */
+export const DEFAULT_STALE_BUSY_GRACE_MS = 2 * 60 * 1000;
+
+/** Default consecutive health-check failures before a restart is attempted. */
+export const DEFAULT_HEALTH_FAILURE_THRESHOLD = 3;
+
+export interface RestartDecisionInput {
+  /** True iff the process is actually dead (exited). A dead process restarts
+   *  immediately regardless of busy/threshold — there's nothing to protect. */
+  processExited: boolean;
+  /** Consecutive failed health probes so far (including the current one). */
+  consecutiveFailures: number;
+  /** Whether the backend currently has an in-flight turn. */
+  busy: boolean;
+  /** Epoch ms when the unhealthy-while-busy window started, or 0 if not in one. */
+  unhealthyBusySince: number;
+  /** Injected clock. */
+  now: number;
+  failureThreshold?: number;
+  staleBusyGraceMs?: number;
+}
+
+export type RestartDecision =
+  | { action: 'restart'; reason: 'process-exited' | 'threshold' | 'stale-busy-grace' }
+  | { action: 'wait'; reason: 'below-threshold' | 'busy-grace' }
+  | { action: 'none'; reason: 'healthy' };
+
+/**
+ * Decide whether to restart a backend after a health probe. Mirrors
+ * openchamber's `runHealthCheckCycle` + `shouldSkipRestartForBusySessions`,
+ * re-implemented as a pure function over injected state (the caller owns the
+ * mutable counters + the actual restart side-effect).
+ *
+ * Order (matches openchamber):
+ *   - process exited            → restart now (nothing live to protect).
+ *   - below failure threshold   → wait (transient blip; the next probe re-checks).
+ *   - threshold reached + idle   → restart now.
+ *   - threshold reached + busy   → skip UNLESS the unhealthy-busy window exceeded
+ *                                  the stale grace, then force restart.
+ *
+ * `healthy: true` callers don't reach here; included for completeness so the
+ * caller can pass through and reset counters on a single code path.
+ */
+export function decideRestart(input: RestartDecisionInput & { healthy?: boolean }): RestartDecision {
+  if (input.healthy) return { action: 'none', reason: 'healthy' };
+  if (input.processExited) return { action: 'restart', reason: 'process-exited' };
+
+  const threshold = input.failureThreshold ?? DEFAULT_HEALTH_FAILURE_THRESHOLD;
+  if (input.consecutiveFailures < threshold) {
+    return { action: 'wait', reason: 'below-threshold' };
+  }
+
+  if (!input.busy) {
+    return { action: 'restart', reason: 'threshold' };
+  }
+
+  // Busy + unhealthy at/over threshold: defer, but not forever.
+  const grace = input.staleBusyGraceMs ?? DEFAULT_STALE_BUSY_GRACE_MS;
+  if (input.unhealthyBusySince > 0 && input.now - input.unhealthyBusySince >= grace) {
+    return { action: 'restart', reason: 'stale-busy-grace' };
+  }
+  return { action: 'wait', reason: 'busy-grace' };
+}
+
+// ─── Orphan worktree reaper target selection (3.4) ───────────────────────────
+
+/** Default TTL: an on-disk worktree dir with no live `worktrees` row is reaped
+ *  only after it's been orphaned at least this long (mtime-based grace so a
+ *  just-created dir mid-`ensureSessionWorktree` race is never swept). */
+export const DEFAULT_ORPHAN_WORKTREE_GRACE_MS = 60 * 60 * 1000; // 1h
+
+export interface OnDiskWorktree {
+  /** Absolute path of the worktree dir on disk. */
+  path: string;
+  /** Last-modified epoch ms of the dir (newest of dir + contents, caller's choice). */
+  mtimeMs: number;
+}
+
+/**
+ * Reaper target selection: which on-disk worktree dirs are orphans safe to
+ * inspect-and-reap. An orphan is a dir under the worktree base that has NO live
+ * `worktrees` row (path not in `liveWorktreePaths`) AND whose mtime is older than
+ * the grace window (so an in-flight create isn't swept).
+ *
+ * Pure — the caller (the sweeper) then runs the at-risk preflight (dirty/unpushed)
+ * on each returned path and only physically removes the SAFE ones. This helper
+ * never decides to remove work-at-risk; it only narrows the candidate set.
+ */
+export function selectOrphanWorktreeTargets(
+  onDisk: ReadonlyArray<OnDiskWorktree>,
+  liveWorktreePaths: ReadonlySet<string>,
+  now: number,
+  graceMs: number = DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
+): string[] {
+  const out: string[] = [];
+  for (const w of onDisk) {
+    if (liveWorktreePaths.has(w.path)) continue; // tracked → not an orphan
+    if (now - w.mtimeMs < graceMs) continue; // too fresh → could be mid-create
+    out.push(w.path);
+  }
+  return out;
+}

apps/coder/src/services/backends/opencode-server.ts

@@ -21,9 +21,9 @@
  *   - promptAsync is fire-and-forget (204); the turn completes via a
  *     'session.idle' event for that opencode session id.
  */
-import { spawn, type ChildProcess } from 'node:child_process';
+import { spawn, spawnSync, type ChildProcess } from 'node:child_process';
 import { createHash } from 'node:crypto';
-import { createServer } from 'node:net';
+import { createServer, connect as netConnect } from 'node:net';
 import type { FastifyBaseLogger } from 'fastify';
 import {
   createOpencodeClient,
@@ -39,6 +39,7 @@ import type { Sql } from '../../db.js';
 import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
 import { armAbortGuard, noteTurnActivity, consumeTerminal } from './turn-guard.js';
 import { stepEndedToUsage, type StepUsage } from './opencode-usage.js';
+import { decideRestart, DEFAULT_HEALTH_FAILURE_THRESHOLD } from './lifecycle-decisions.js';
 import type {
   AgentBackend,
   AgentEvent,
@@ -104,6 +105,11 @@ export class OpenCodeServerBackend implements AgentBackend {
   private port: number | null = null;
   private up = false;
   private serverStarting: Promise<void> | null = null;
+  // Phase 3 busy-aware health monitor (openchamber lift): consecutive failed
+  // probes + the start of an unhealthy-while-busy window feed `decideRestart`.
+  private consecutiveHealthFailures = 0;
+  private unhealthyBusySince = 0;
+  private restarting: Promise<void> | null = null;
 
   /** opencode session id → demux state. Maintained by ensureSession; read by the SSE loop. */
   private readonly byOpencodeId = new Map<string, SessionState>();
@@ -119,11 +125,30 @@ export class OpenCodeServerBackend implements AgentBackend {
     return this.up ? 'up' : 'down';
   }
 
-  // ─── Server lifecycle (1.2: spawn once + client + ready) ─────────────────────
+  /** Phase 3: busy iff ANY pooled opencode session has an in-flight turn. The
+   *  pool reads this to skip idle/LRU eviction and the health-monitor to defer a
+   *  restart (never tear down a session mid-stream). */
+  isBusy(): boolean {
+    for (const st of this.byOpencodeId.values()) {
+      if (st.activeTurn) return true;
+    }
+    return false;
+  }
 
-  /** Lazy: start the single server on first use. Idempotent — one server per backend. */
+  // ─── Server lifecycle (1.2: spawn once + client + ready; Phase 3 crash-restart) ──
+
+  /**
+   * Lazy: start the single server on first use; re-spawn after a crash. Idempotent
+   * within one live server — `serverStarting` caches the in-flight start, and is
+   * reset to null by the crash handler so the NEXT ensureServer re-spawns a fresh
+   * server (Phase 3 crash recovery). A dead-but-not-yet-reaped child (exit handler
+   * raced) is also treated as needing a restart.
+   */
   private ensureServer(): Promise<void> {
-    if (!this.serverStarting) this.serverStarting = this.startServer();
+    const childDead = this.child != null && (this.child.exitCode !== null || this.child.signalCode !== null);
+    if (!this.serverStarting || (!this.up && childDead)) {
+      this.serverStarting = this.startServer();
+    }
     return this.serverStarting;
   }
 
@@ -143,11 +168,15 @@ export class OpenCodeServerBackend implements AgentBackend {
     this.port = port;
 
     // Child lifetime is the backend's (the pool's), NOT a request's. We never tie
-    // it to a per-turn abort signal. On unexpected exit we mark down + log; crash
-    // recovery is Phase 3.
+    // it to a per-turn abort signal. Phase 3: on unexpected exit we recover —
+    // settle any in-flight turns as failed, mark their agent_sessions rows crashed,
+    // and reset `serverStarting` so the next ensureServer re-spawns. opencode keeps
+    // sessions on disk, but a fresh server's in-memory state is gone, so the next
+    // turn's ensureSession (rows now 'crashed') creates fresh opencode sessions.
     child.on('exit', (code, signal) => {
-      this.up = false;
-      this.log.warn({ code, signal, port }, 'opencode-server: child exited (recovery is Phase 3)');
+      // Only react to THIS child's exit (a restart may have swapped in a new one).
+      if (this.child !== child) return;
+      this.handleServerCrash(code, signal, port);
     });
 
     await waitForReady(child, READY_TIMEOUT_MS);
@@ -157,6 +186,136 @@ export class OpenCodeServerBackend implements AgentBackend {
     this.log.info({ port }, 'opencode-server: ready');
   }
 
+  /**
+   * Crash handler (Phase 3, lift of openchamber's restart-on-exit path). The
+   * server died with N live opencode sessions; we can't restart it here (the next
+   * turn does, lazily — avoids a restart storm if the binary is broken). We:
+   *   1. fail every in-flight turn so its dispatcher unblocks + publishes an error,
+   *   2. mark each session's agent_sessions row 'crashed' so ensureSession won't
+   *      resume a now-dead native session id (it creates fresh),
+   *   3. tear down the SSE loops + demux state (stale against the dead server),
+   *   4. reclaim the port + reset state so the next ensureServer re-spawns.
+   */
+  private handleServerCrash(code: number | null, signal: NodeJS.Signals | null, port: number): void {
+    this.up = false;
+    const states = [...this.byOpencodeId.values()];
+    this.log.warn(
+      { code, signal, port, liveSessions: states.length },
+      'opencode-server: child exited — recovering (fail in-flight, mark crashed, re-spawn next turn)',
+    );
+
+    const crashedIds: string[] = [];
+    for (const st of states) {
+      st.sseAbort?.abort();
+      if (st.activeTurn) {
+        st.activeTurn.settle({ ok: false, error: 'opencode server crashed mid-turn' });
+        st.activeTurn = null;
+      }
+      if (st.watchdog) {
+        clearTimeout(st.watchdog);
+        st.watchdog = null;
+      }
+      crashedIds.push(st.agentSessionId);
+    }
+    // Drop the demux map: every session id is stale against a fresh server.
+    this.byOpencodeId.clear();
+    this.client = null;
+    this.serverStarting = null; // force a re-spawn on the next ensureServer
+
+    if (crashedIds.length > 0) {
+      this.sql`
+        UPDATE agent_sessions SET status = 'crashed'
+        WHERE agent_session_id = ANY(${crashedIds}) AND status <> 'closed'
+      `.catch((err) => {
+        this.log.warn({ err: errMsg(err) }, 'opencode-server: failed to mark crashed sessions (non-fatal)');
+      });
+    }
+
+    // Reclaim the port so a re-spawn on a fixed/leaked port isn't blocked. Best
+    // effort; the next start uses a fresh ephemeral port anyway.
+    reclaimPort(port);
+  }
+
+  /**
+   * Phase 3 proactive health monitor (openchamber `runHealthCheckCycle` lift,
+   * busy-aware). Probes the server's /global/health; on a sustained failure of a
+   * NON-busy server, force a restart so the next turn isn't blocked by a wedged
+   * (hung-but-not-exited) process. Busy servers are deferred via the stale-grace in
+   * `decideRestart` — never tear down live work. Driven by the pool's periodic
+   * sweep (best-effort; a crash-exit is already handled by `handleServerCrash` +
+   * lazy `ensureServer` re-spawn, so this only catches the hung case). No-op when
+   * the server was never started or a restart is already in flight.
+   */
+  async tickHealth(now: number = Date.now()): Promise<void> {
+    if (!this.child || this.restarting) return;
+    const childExited = this.child.exitCode !== null || this.child.signalCode !== null;
+    // An exited child is recovered lazily by ensureServer; don't double-restart it.
+    if (childExited) return;
+
+    const healthy = await this.probeHealth();
+    if (healthy) {
+      this.consecutiveHealthFailures = 0;
+      this.unhealthyBusySince = 0;
+      return;
+    }
+    this.consecutiveHealthFailures += 1;
+    const busy = this.isBusy();
+    const decision = decideRestart({
+      processExited: false,
+      consecutiveFailures: this.consecutiveHealthFailures,
+      busy,
+      unhealthyBusySince: this.unhealthyBusySince,
+      now,
+      failureThreshold: DEFAULT_HEALTH_FAILURE_THRESHOLD,
+    });
+    // Stamp the start of an unhealthy-while-busy window so the stale-grace can fire.
+    if (busy && this.unhealthyBusySince === 0) this.unhealthyBusySince = now;
+    if (decision.action === 'restart') {
+      this.log.warn(
+        { failures: this.consecutiveHealthFailures, busy, reason: decision.reason },
+        'opencode-server: health monitor forcing restart',
+      );
+      this.consecutiveHealthFailures = 0;
+      this.unhealthyBusySince = 0;
+      await this.restartServer();
+    }
+  }
+
+  private async probeHealth(): Promise<boolean> {
+    if (!this.client) return false;
+    try {
+      const res = await this.client.global.health();
+      return !res.error;
+    } catch {
+      return false;
+    }
+  }
+
+  /** Force-kill the current server + reclaim its port; the next ensureServer
+   *  re-spawns (lazy). Mirrors handleServerCrash's state reset but is initiated by
+   *  the health monitor rather than the OS. */
+  private async restartServer(): Promise<void> {
+    if (this.restarting) return this.restarting;
+    this.restarting = (async () => {
+      const child = this.child;
+      const port = this.port;
+      this.up = false;
+      // Fail in-flight turns + mark sessions crashed via the same path as a crash.
+      if (child) {
+        this.handleServerCrash(null, null, port ?? 0);
+        if (!child.killed) child.kill('SIGTERM');
+      }
+      if (port) {
+        reclaimPort(port);
+        await waitForPortRelease(port, 3_000);
+      }
+      this.child = null;
+    })().finally(() => {
+      this.restarting = null;
+    });
+    return this.restarting;
+  }
+
   // ─── SSE read loop + demux + translate (1.3) + dedup (1.4) ───────────────────
 
   /** Per-session SSE subscription, scoped to the session's worktree directory.
@@ -756,6 +915,67 @@ function mapToolStatus(s: ToolState['status'] | undefined): ToolCallStatus | nul
   }
 }
 
+/**
+ * Reclaim a loopback port a dead opencode child may still hold (lift of
+ * openchamber `killProcessOnPort`). Best-effort, POSIX-only (`lsof`/`kill`); a
+ * failure is harmless because the next spawn allocates a fresh ephemeral port.
+ * Never kills this process. Synchronous + short-timeout so the crash handler
+ * doesn't block.
+ */
+function reclaimPort(port: number | null): void {
+  if (!port || process.platform === 'win32') return;
+  try {
+    const res = spawnSync('lsof', ['-ti', `:${port}`], { encoding: 'utf8', timeout: 3_000, windowsHide: true });
+    const out = res.stdout || '';
+    const myPid = process.pid;
+    for (const pidStr of out.split(/\s+/)) {
+      const pid = parseInt(pidStr.trim(), 10);
+      if (pid && pid !== myPid) {
+        try {
+          spawnSync('kill', ['-9', String(pid)], { stdio: 'ignore', timeout: 2_000 });
+        } catch {
+          // ignore — best effort
+        }
+      }
+    }
+  } catch {
+    // lsof absent or failed — the fresh-ephemeral-port spawn doesn't need this.
+  }
+}
+
+/**
+ * Resolve true once nothing is listening on `port` (lift of openchamber
+ * `waitForPortRelease`). Used before re-spawning on a fixed port; with ephemeral
+ * ports it's a fast no-op. Probes 127.0.0.1; resolves false at the deadline.
+ */
+function waitForPortRelease(port: number, timeoutMs: number): Promise<boolean> {
+  const deadline = Date.now() + timeoutMs;
+  return new Promise((resolve) => {
+    const attempt = () => {
+      const socket = netConnect({ port, host: '127.0.0.1' });
+      let settled = false;
+      const finish = (released: boolean) => {
+        if (settled) return;
+        settled = true;
+        socket.removeAllListeners();
+        socket.destroy();
+        if (released || Date.now() >= deadline) {
+          resolve(released);
+          return;
+        }
+        setTimeout(attempt, 150);
+      };
+      socket.once('connect', () => finish(false));
+      socket.once('error', (err: NodeJS.ErrnoException) => {
+        if (err && (err.code === 'ECONNREFUSED' || err.code === 'EHOSTUNREACH')) finish(true);
+        else finish(false);
+      });
+      socket.setTimeout(500, () => finish(true));
+    };
+    attempt();
+  });
+}
+
 /** Bind-probe an ephemeral port on loopback. */
 function freePort(): Promise<number> {
   return new Promise((resolve, reject) => {

apps/coder/src/services/backends/warm-acp.ts

@@ -132,6 +132,12 @@ export class WarmAcpBackend implements AgentBackend {
     return this.up ? 'up' : 'down';
   }
 
+  /** Phase 3: busy iff this backend's single session has an in-flight turn. The
+   *  pool reads this to skip idle/LRU eviction (never kill the child mid-prompt). */
+  isBusy(): boolean {
+    return this.activeTurn != null;
+  }
+
   // ─── warm-process lifecycle (2.1 spawn + initialize + session/new ONCE) ───────
 
   /** Lazy: spawn the warm process on first use. Idempotent — one process per backend. */

apps/coder/src/services/checkpoints.ts

@@ -0,0 +1,306 @@
+/**
+ * write-edit-robustness #4 — worktree checkpoints.
+ *
+ * External agents (opencode / goose / qwen / claude) write DIRECTLY into the
+ * shared session worktree (`/tmp/booworktrees/sess-<id>`); BooCode's own `rewind`
+ * only reverses `pending_changes` against the project root, so it has zero coverage
+ * there. A checkpoint is a pre-turn shadow-commit of the worktree tree (tracked +
+ * untracked) captured WITHOUT touching the real index/working tree, stored in a
+ * private GC-safe ref. `restoreCheckpoint` rewinds the worktree to that commit,
+ * trims the transcript from the anchor message forward, and resets the agent
+ * backend so the next turn re-establishes a fresh context consistent with the
+ * restored files.
+ *
+ * All git goes through hostExec + shellEscape (BooCoder runs on the host; the
+ * worktrees live on the host fs). Checkpoint CREATION is best-effort: a failure
+ * logs and returns null — it must NEVER throw into the dispatch turn.
+ */
+import { randomUUID } from 'node:crypto';
+import type { FastifyBaseLogger } from 'fastify';
+import type { Sql } from '../db.js';
+import { hostExec } from './host-exec.js';
+import { agentPool, OPENCODE_POOL_KEY } from './agent-pool.js';
+import type { AgentSessionHandle } from './agent-backend.js';
+
+/** Minimal shell escape for paths/refs (single-quote wrapping). Mirrors worktrees.ts. */
+function shellEscape(s: string): string {
+  return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+
+/**
+ * Pure builder for the shadow-commit command. Captures tracked + untracked files
+ * in the worktree into a temp index (so the real index/working tree is untouched),
+ * writes a tree, commits it parented on HEAD, and parks the commit under a private
+ * ref `refs/boocode/checkpoints/<id>` so git's GC never reclaims it. Prints ONLY
+ * the resulting SHA on stdout (the trailing `printf '%s'`), so the caller parses
+ * stdout.trim() directly.
+ *
+ * `id` is the row UUID (minted before the ref so the ref name matches the row).
+ * Both the worktree path and the id are shell-escaped.
+ */
+export function buildShadowCommitCommand(worktreePath: string, id: string): string {
+  const wt = shellEscape(worktreePath);
+  const ref = shellEscape(`refs/boocode/checkpoints/${id}`);
+  return (
+    `cd ${wt} && TMP=$(mktemp) && GIT_INDEX_FILE="$TMP" git read-tree HEAD ` +
+    `&& GIT_INDEX_FILE="$TMP" git add -A ` +
+    `&& TREE=$(GIT_INDEX_FILE="$TMP" git write-tree) ` +
+    `&& SHA=$(git commit-tree "$TREE" -p HEAD -m "boocode checkpoint") ` +
+    `&& git update-ref ${ref} "$SHA" && rm -f "$TMP" && printf '%s' "$SHA"`
+  );
+}
+
+export interface CreateCheckpointArgs {
+  chatId: string;
+  sessionId: string | null;
+  worktreeId: string | null;
+  worktreePath: string;
+  messageId: string | null;
+  label?: string | null;
+}
+
+/**
+ * Capture a pre-turn checkpoint of the session worktree. Best-effort: returns the
+ * inserted row's { id, commit_sha } on success, or null on any failure (the turn
+ * proceeds either way — a missing checkpoint just means no restore point for that
+ * turn). NEVER throws.
+ *
+ * The id is minted up front so the git ref name (`refs/boocode/checkpoints/<id>`)
+ * matches the DB row id, keeping ref and row in lockstep.
+ */
+export async function createCheckpoint(
+  sql: Sql,
+  args: CreateCheckpointArgs,
+  opts?: { signal?: AbortSignal; log?: FastifyBaseLogger },
+): Promise<{ id: string; commit_sha: string } | null> {
+  const id = randomUUID();
+  try {
+    const cmd = buildShadowCommitCommand(args.worktreePath, id);
+    const res = await hostExec(cmd, { signal: opts?.signal, timeoutMs: 30_000 });
+    if (res.exitCode !== 0) {
+      opts?.log?.warn(
+        { chatId: args.chatId, worktreePath: args.worktreePath, stderr: res.stderr.trim().slice(0, 500) },
+        'checkpoint: shadow-commit failed (turn proceeds without a checkpoint)',
+      );
+      return null;
+    }
+    const commitSha = res.stdout.trim();
+    if (!commitSha) {
+      opts?.log?.warn(
+        { chatId: args.chatId, worktreePath: args.worktreePath },
+        'checkpoint: shadow-commit produced no SHA (turn proceeds)',
+      );
+      return null;
+    }
+
+    await sql`
+      INSERT INTO checkpoints (id, chat_id, session_id, worktree_id, message_id, commit_sha, label)
+      VALUES (${id}, ${args.chatId}, ${args.sessionId}, ${args.worktreeId}, ${args.messageId}, ${commitSha}, ${args.label ?? null})
+    `;
+    opts?.log?.info({ checkpointId: id, chatId: args.chatId, commitSha }, 'checkpoint: created');
+    return { id, commit_sha: commitSha };
+  } catch (err) {
+    opts?.log?.warn(
+      { chatId: args.chatId, err: err instanceof Error ? err.message : String(err) },
+      'checkpoint: create threw (turn proceeds without a checkpoint)',
+    );
+    return null;
+  }
+}
+
+/** Error the route maps to a 404 when the checkpoint can't be resolved / scoped. */
+export class CheckpointNotFoundError extends Error {
+  constructor(message: string) {
+    super(message);
+    this.name = 'CheckpointNotFoundError';
+  }
+}
+
+export interface RestoreCheckpointResult {
+  checkpoint_id: string;
+  messages_deleted: number;
+  worktree_reset: boolean;
+  backend_reset: boolean;
+}
+
+export interface RestoreCheckpointOpts {
+  signal?: AbortSignal;
+  log?: FastifyBaseLogger;
+  /** If set, the checkpoint MUST belong to this session (route scope guard). */
+  sessionId?: string;
+}
+
+interface CheckpointRow {
+  id: string;
+  chat_id: string;
+  session_id: string | null;
+  worktree_id: string | null;
+  message_id: string | null;
+  commit_sha: string;
+  created_at: Date;
+}
+
+/**
+ * Restore a checkpoint: rewind its worktree to the shadow commit, trim the
+ * transcript from the anchor message forward, reset the backend session, and drop
+ * now-orphaned later checkpoints. Throws CheckpointNotFoundError when the
+ * checkpoint is missing or not in the requested session (route → 404).
+ */
+export async function restoreCheckpoint(
+  sql: Sql,
+  checkpointId: string,
+  opts?: RestoreCheckpointOpts,
+): Promise<RestoreCheckpointResult> {
+  // 1. Resolve the checkpoint.
+  const [cp] = await sql<CheckpointRow[]>`
+    SELECT id, chat_id, session_id, worktree_id, message_id, commit_sha, created_at
+    FROM checkpoints WHERE id = ${checkpointId}
+  `;
+  if (!cp) {
+    throw new CheckpointNotFoundError('checkpoint not found');
+  }
+  // Authorization scope (fail-safe): the checkpoint's chat must belong to the
+  // requested session. cp.session_id is a denormalized hint that may be null, so
+  // gating on it directly fails open — resolve the owning session via chats
+  // (authoritative; chat_id is NOT NULL) and deny on any mismatch or missing row.
+  if (opts?.sessionId) {
+    const [owner] = await sql<{ session_id: string | null }[]>`
+      SELECT session_id FROM chats WHERE id = ${cp.chat_id}
+    `;
+    if (!owner || owner.session_id !== opts.sessionId) {
+      throw new CheckpointNotFoundError('checkpoint not in session');
+    }
+  }
+
+  // 2. Resolve the worktree path (by worktree_id, else the session's active one).
+  let worktreePath: string | null = null;
+  if (cp.worktree_id) {
+    const [wt] = await sql<{ path: string }[]>`
+      SELECT path FROM worktrees WHERE id = ${cp.worktree_id}
+    `;
+    worktreePath = wt?.path ?? null;
+  }
+  if (!worktreePath) {
+    const sid = cp.session_id ?? opts?.sessionId ?? null;
+    if (sid) {
+      const [wt] = await sql<{ path: string }[]>`
+        SELECT path FROM worktrees WHERE session_id = ${sid} AND status = 'active' LIMIT 1
+      `;
+      worktreePath = wt?.path ?? null;
+    }
+  }
+
+  // 3. Worktree reset — hard-reset to the shadow commit, then clean untracked.
+  let worktreeReset = false;
+  if (worktreePath) {
+    const resetRes = await hostExec(
+      `git -C ${shellEscape(worktreePath)} reset --hard ${shellEscape(cp.commit_sha)}`,
+      { signal: opts?.signal, timeoutMs: 30_000 },
+    ).catch((err) => {
+      opts?.log?.warn(
+        { checkpointId, err: err instanceof Error ? err.message : String(err) },
+        'checkpoint restore: reset --hard threw',
+      );
+      return null;
+    });
+    if (resetRes && resetRes.exitCode === 0) {
+      const cleanRes = await hostExec(
+        `git -C ${shellEscape(worktreePath)} clean -fd`,
+        { signal: opts?.signal, timeoutMs: 30_000 },
+      ).catch(() => null);
+      worktreeReset = cleanRes != null && cleanRes.exitCode === 0;
+      if (!worktreeReset) {
+        opts?.log?.warn({ checkpointId, worktreePath }, 'checkpoint restore: clean -fd did not succeed');
+      }
+    } else {
+      opts?.log?.warn(
+        { checkpointId, worktreePath, stderr: resetRes?.stderr?.trim()?.slice(0, 500) },
+        'checkpoint restore: reset --hard did not succeed',
+      );
+    }
+  } else {
+    opts?.log?.warn({ checkpointId }, 'checkpoint restore: no worktree path resolved (files not reset)');
+  }
+
+  // 4. Trim the transcript from the anchor message forward. message_parts FK to
+  //    messages is ON DELETE CASCADE (apps/server schema.sql:49), so parts are
+  //    removed with their messages — no explicit parts delete needed.
+  let messagesDeleted = 0;
+  if (cp.message_id) {
+    const deleted = await sql<{ id: string }[]>`
+      DELETE FROM messages
+      WHERE chat_id = ${cp.chat_id}
+        AND created_at >= (SELECT created_at FROM messages WHERE id = ${cp.message_id})
+      RETURNING id
+    `;
+    messagesDeleted = deleted.length;
+  }
+
+  // 5. Backend reset — mark the chat's agent sessions crashed so the next turn
+  //    re-establishes a fresh backend, and evict the live pool session(s) for this
+  //    (chat, agent). Warm backends hold context server-side with no partial
+  //    rewind, so a full reset is the only consistent option (proposal §4).
+  const agentRows = await sql<{ agent: string; backend: string; agent_session_id: string | null; session_id: string | null; worktree_id: string | null }[]>`
+    SELECT agent, backend, agent_session_id, session_id, worktree_id
+    FROM agent_sessions WHERE chat_id = ${cp.chat_id}
+  `;
+  await sql`
+    UPDATE agent_sessions SET status = 'crashed' WHERE chat_id = ${cp.chat_id}
+  `.catch(() => {});
+
+  let backendReset = false;
+  try {
+    // opencode runs on the SHARED server (keyed on a sentinel, not the chat) — close
+    // just this chat's session(s) on it, mirroring the lifecycle close-hook.
+    const ocBackend = agentPool.peek(OPENCODE_POOL_KEY, 'opencode');
+    if (ocBackend) {
+      for (const row of agentRows) {
+        if (row.backend !== 'opencode_server' || !row.agent_session_id) continue;
+        const handle: AgentSessionHandle = {
+          sessionId: row.session_id ?? '',
+          agent: row.agent,
+          backend: 'opencode_server',
+          chatId: cp.chat_id,
+          worktreeId: row.worktree_id ?? '',
+          agentSessionId: row.agent_session_id,
+          serverPort: null,
+        };
+        await ocBackend.closeSession(handle).catch((err) => {
+          opts?.log?.warn(
+            { checkpointId, err: err instanceof Error ? err.message : String(err) },
+            'checkpoint restore: opencode closeSession threw',
+          );
+        });
+      }
+    }
+    // Warm-ACP backends are pooled under the chat id — dispose them (kills the
+    // goose/qwen child). closeChat skips busy backends (a live turn isn't torn down).
+    const disposed = await agentPool.closeChat(cp.chat_id);
+    backendReset = true;
+    opts?.log?.info({ checkpointId, chatId: cp.chat_id, disposed }, 'checkpoint restore: backend reset');
+  } catch (err) {
+    opts?.log?.warn(
+      { checkpointId, err: err instanceof Error ? err.message : String(err) },
+      'checkpoint restore: backend reset threw',
+    );
+  }
+
+  // 6. Drop now-orphaned later checkpoints for this chat (their anchor messages were
+  //    just trimmed). Compare `created_at` SERVER-SIDE via a subquery (NOT the JS
+  //    Date round-trip, which truncates the stored microsecond precision to ms and
+  //    would make this checkpoint delete ITSELF), and exclude this checkpoint's own
+  //    id so it always survives — letting the user re-restore to it.
+  await sql`
+    DELETE FROM checkpoints
+    WHERE chat_id = ${cp.chat_id}
+      AND id <> ${cp.id}
+      AND created_at > (SELECT created_at FROM checkpoints WHERE id = ${cp.id})
+  `.catch(() => {});
+
+  return {
+    checkpoint_id: checkpointId,
+    messages_deleted: messagesDeleted,
+    worktree_reset: worktreeReset,
+    backend_reset: backendReset,
+  };
+}

apps/coder/src/services/dispatcher.ts

@@ -4,6 +4,7 @@ import type { Broker } from '@boocode/server/broker';
 import type { WsFrame } from '@boocode/server/ws-frames';
 import type { Config } from '../config.js';
 import { createWorktree, diffWorktree, cleanupWorktree, ensureSessionWorktree } from './worktrees.js';
+import { createCheckpoint } from './checkpoints.js';
 import { makeDcpStreamStripper } from './dcp-strip.js';
 import { dispatchViaAcp } from './acp-dispatch.js';
 import { getResolvedRegistry } from './provider-config-registry.js';
@@ -12,7 +13,7 @@ import { clearTaskCommands, setTaskCommands } from './agent-commands-cache.js';
 import { getManifestCommands } from './provider-commands.js';
 import { persistExternalAgentTurn } from './agent-turn-persist.js';
 import { snapshotToWireToolCall, type AcpToolSnapshot } from './acp-tool-snapshot.js';
-import { agentPool } from './agent-pool.js';
+import { agentPool, OPENCODE_POOL_KEY } from './agent-pool.js';
 import { OpenCodeServerBackend } from './backends/opencode-server.js';
 import { WarmAcpBackend } from './backends/warm-acp.js';
 import { shouldUseWarmBackend } from './backends/warm-acp-routing.js';
@@ -358,6 +359,16 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
       `;
       const assistantId = assistantMsg!.id;
 
+      // write-edit-robustness #4: pre-turn worktree checkpoint (best-effort; a
+      // failure logs and never breaks dispatch). This path uses a per-task worktree
+      // (createWorktree, not the session worktree), so there's no worktrees-table id
+      // — pass null for worktreeId, the path is enough for restore's reset.
+      await createCheckpoint(
+        sql,
+        { chatId, sessionId, worktreeId: null, worktreePath, messageId: assistantId },
+        { signal: ac.signal, log },
+      ).catch(() => null);
+
       broker.publishFrame(sessionId, {
         type: 'message_started',
         message_id: assistantId,
@@ -399,6 +410,52 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
         outputSummary = result.output.slice(0, 500);
         await persistExternalAgentTurn(sql, assistantId, result.toolSnapshots, acpReasoning);
       } else {
+        // v#7 (stream-json): claude + qwen run with --output-format stream-json.
+        // Parse the NDJSON live in pty-dispatch and forward AgentEvents here so we
+        // publish the SAME live frames the warm-ACP / opencode paths emit (text,
+        // reasoning, tool) and persist structured parts. Accumulate for the final
+        // message content + persistence; fall back to the opaque stdout slice when
+        // nothing parsed (agent ran without the flag, or crashed before emitting).
+        const ptyTextChunks: string[] = [];
+        const ptyReasoningChunks: string[] = [];
+        const ptyToolSnaps = new Map<string, AcpToolSnapshot>();
+
+        const onPtyEvent = (e: AgentEvent): void => {
+          switch (e.type) {
+            case 'text':
+              ptyTextChunks.push(e.text);
+              broker.publishFrame(sessionId, {
+                type: 'delta',
+                message_id: assistantId,
+                chat_id: chatId,
+                content: e.text,
+              } as WsFrame);
+              break;
+            case 'reasoning':
+              ptyReasoningChunks.push(e.text);
+              broker.publishFrame(sessionId, {
+                type: 'reasoning_delta',
+                message_id: assistantId,
+                chat_id: chatId,
+                content: e.text,
+              } as WsFrame);
+              break;
+            case 'tool_call':
+            case 'tool_update':
+              ptyToolSnaps.set(e.toolCall.toolCallId, e.toolCall);
+              broker.publishFrame(sessionId, {
+                type: 'tool_call',
+                message_id: assistantId,
+                chat_id: chatId,
+                tool_call: snapshotToWireToolCall(e.toolCall),
+              } as WsFrame);
+              break;
+            case 'commands':
+              // stream-json carries no commands today; ignore if it ever does.
+              break;
+          }
+        };
+
         const result = await dispatchViaPty({
           agent,
           task: task.input,
@@ -409,7 +466,22 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
           thinkingOptionId: task.thinking_option_id ?? undefined,
           signal: ac.signal,
           log,
+          onEvent: onPtyEvent,
         });
+
+        if (result.streamed) {
+          assistantContent = ptyTextChunks.join('').slice(0, 50_000);
+          // stream-json text can be empty for a tool-only turn — surface stderr or a
+          // placeholder so the message row isn't blank.
+          if (!assistantContent) {
+            assistantContent = (result.stderr || '(no text output)').slice(0, 50_000);
+          }
+          outputSummary = (ptyTextChunks.join('') || result.stderr).slice(0, 500);
+          acpReasoning = ptyReasoningChunks.join('').slice(0, 200_000);
+          await persistExternalAgentTurn(sql, assistantId, [...ptyToolSnaps.values()], acpReasoning);
+        } else {
+          // Fallback: agent produced no parseable NDJSON (ran without the flag, or
+          // crashed). Preserve today's opaque stdout-slice + single delta behavior.
           assistantContent = (result.stdout || result.stderr || '(no output)').slice(0, 50_000);
           outputSummary = (result.stdout || result.stderr).slice(0, 500);
 
@@ -422,6 +494,7 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
             } as WsFrame);
           }
         }
+      }
 
       await sql`
         UPDATE messages
@@ -499,9 +572,8 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
 
   // OpenCode runs ONE server per BooCoder process, shared across all sessions
   // (the backend multiplexes sessions internally), so it's pooled under a fixed
-  // key rather than per-session. Warm ACP backends (Phase 2) will be per-session.
-  const OPENCODE_POOL_KEY = '__opencode_server__';
-
+  // key (OPENCODE_POOL_KEY, shared with the lifecycle close-hook) rather than
+  // per-session. Warm ACP backends (Phase 2) are per (chat, agent).
   function getOpenCodeBackend(installPath: string | null): AgentBackend {
     let backend = agentPool.get(OPENCODE_POOL_KEY, 'opencode');
     if (!backend) {
@@ -618,6 +690,15 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
       `;
       const assistantId = assistantMsg!.id;
 
+      // write-edit-robustness #4: pre-turn checkpoint of the persistent session
+      // worktree (best-effort; never breaks dispatch). worktreeId comes from the
+      // worktrees table (ensureSessionWorktree above).
+      await createCheckpoint(
+        sql,
+        { chatId, sessionId, worktreeId, worktreePath, messageId: assistantId },
+        { signal: ac.signal, log },
+      ).catch(() => null);
+
       broker.publishFrame(sessionId, {
         type: 'message_started',
         message_id: assistantId,
@@ -710,6 +791,9 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
         signal: ac.signal,
         onEvent,
       });
+      // Phase 3: keep the pooled backend's slot warm across this (possibly long)
+      // turn so the idle sweep measures from turn END, not start.
+      agentPool.touch(OPENCODE_POOL_KEY, agent);
 
       // Flush any text held back mid-tag at stream end (complete tags stripped).
       const dcpTail = dcp.flush();
@@ -874,6 +958,15 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
       `;
       const assistantId = assistantMsg!.id;
 
+      // write-edit-robustness #4: pre-turn checkpoint of the persistent session
+      // worktree (best-effort; never breaks dispatch). Same worktree the opencode
+      // path uses — a chat that switches opencode↔goose↔qwen shares one worktree.
+      await createCheckpoint(
+        sql,
+        { chatId, sessionId, worktreeId, worktreePath, messageId: assistantId },
+        { signal: ac.signal, log },
+      ).catch(() => null);
+
       broker.publishFrame(sessionId, {
         type: 'message_started',
         message_id: assistantId,
@@ -962,6 +1055,8 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
         taskId,
         modeId: task.mode_id ?? undefined,
       });
+      // Phase 3: keep the pooled (chat,agent) backend warm across the turn.
+      agentPool.touch(chatId, agent);
 
       const assistantContent = textChunks.join('').slice(0, 50_000);
       const reasoningText = reasoningChunks.join('').slice(0, 200_000);

apps/coder/src/services/fuzzy-match.ts

@@ -0,0 +1,271 @@
+// Fuzzy patch locator for staged edits.
+//
+// Local quantized models (qwen3.6 and friends) frequently reproduce an
+// `old_string` with small, semantically-irrelevant drift: trailing whitespace,
+// a different indent width, or "smart" unicode punctuation (curly quotes, an
+// en/em-dash, a non-breaking space) where the source has the plain ASCII form.
+// An exact `String.includes` then fails and the queued edit is lost even though
+// a human would say it obviously matches.
+//
+// `locateMatch` walks a ladder of progressively looser strategies and returns
+// the real `[start, end)` byte-offset span in the ORIGINAL content so the caller
+// can splice in `new_string` over the true file text (preserving the file's own
+// whitespace/unicode, not the model's drifted copy). The ladder stops at the
+// first strategy that resolves to a single span:
+//
+//   1. exact            — indexOf; >1 hit is reported `ambiguous` (we refuse to
+//                         guess which occurrence the model meant).
+//   2. per-line ws      — line-window compare ignoring per-line trailing
+//                         whitespace and leading/trailing blank needle lines.
+//   3. unicode canon    — same line-window compare after folding smart
+//                         punctuation to ASCII on both sides; the match is
+//                         mapped back to original offsets.
+//   4. levenshtein      — best line-window by normalized edit-distance
+//                         similarity; accepted only at >= SIMILARITY_THRESHOLD.
+//
+// Pure and dependency-free (Levenshtein is the standard iterative two-row DP),
+// reimplemented from the general technique — no vendored source.
+
+export type MatchResult =
+  | { kind: 'exact' | 'fuzzy'; start: number; end: number } // [start,end) offsets into content
+  | { kind: 'ambiguous'; count: number }
+  | { kind: 'not_found' };
+
+/** Levenshtein similarity floor for the final fuzzy fallback (strategy 4). */
+export const SIMILARITY_THRESHOLD = 0.66;
+
+export function locateMatch(content: string, needle: string): MatchResult {
+  // Empty needle has no meaningful match.
+  if (needle.length === 0) return { kind: 'not_found' };
+
+  // --- 1. Exact ----------------------------------------------------------------
+  const exact = locateExact(content, needle);
+  if (exact) return exact;
+
+  // --- 2. Per-line whitespace-insensitive -------------------------------------
+  const ws = locateByLineWindow(content, needle);
+  if (ws) return ws;
+
+  // --- 3. Unicode-canonicalized whitespace pass -------------------------------
+  const canon = locateCanonical(content, needle);
+  if (canon) return canon;
+
+  // --- 4. Levenshtein similarity ----------------------------------------------
+  const lev = locateByLevenshtein(content, needle);
+  if (lev) return lev;
+
+  return { kind: 'not_found' };
+}
+
+// --- Strategy 1: exact -------------------------------------------------------
+
+function locateExact(content: string, needle: string): MatchResult | null {
+  const first = content.indexOf(needle);
+  if (first === -1) return null;
+  const second = content.indexOf(needle, first + 1);
+  if (second === -1) {
+    return { kind: 'exact', start: first, end: first + needle.length };
+  }
+  // Count all occurrences so the caller can report a useful number.
+  let count = 2;
+  let idx = content.indexOf(needle, second + 1);
+  while (idx !== -1) {
+    count++;
+    idx = content.indexOf(needle, idx + 1);
+  }
+  return { kind: 'ambiguous', count };
+}
+
+// --- Line-window machinery ---------------------------------------------------
+
+interface Line {
+  /** Raw line text (no trailing newline). */
+  text: string;
+  /** Offset of the first char of this line in the original content. */
+  start: number;
+  /** Offset one past the last char of this line (before its newline, if any). */
+  end: number;
+}
+
+/**
+ * Split content into lines, tracking each line's real offset span. The span
+ * EXCLUDES the trailing newline so consecutive line spans plus their newlines
+ * exactly reconstruct the content; the match span we hand back covers from the
+ * first matched line's start through the last matched line's end (i.e. without a
+ * trailing newline), which is what an in-place splice wants.
+ */
+function splitLines(content: string): Line[] {
+  const lines: Line[] = [];
+  let start = 0;
+  for (let i = 0; i <= content.length; i++) {
+    if (i === content.length || content[i] === '\n') {
+      lines.push({ text: content.slice(start, i), start, end: i });
+      start = i + 1;
+    }
+  }
+  return lines;
+}
+
+/** Strip leading/trailing all-blank lines; returns the trimmed slice. */
+function trimBlankLines(lines: string[]): string[] {
+  let lo = 0;
+  let hi = lines.length;
+  while (lo < hi && lines[lo]!.trim() === '') lo++;
+  while (hi > lo && lines[hi - 1]!.trim() === '') hi--;
+  return lines.slice(lo, hi);
+}
+
+/**
+ * Find a contiguous window of content lines whose trailing-whitespace-trimmed
+ * text equals the needle's (blank-trimmed) lines. Returns the real offset span
+ * over the matched content lines, or null if zero match. Multiple matches →
+ * ambiguous. `normalize` lets the caller fold unicode before comparing.
+ */
+function locateByLineWindow(
+  content: string,
+  needle: string,
+  normalize: (s: string) => string = (s) => s,
+): MatchResult | null {
+  const contentLines = splitLines(content);
+  const needleLines = trimBlankLines(needle.split('\n'));
+  const n = needleLines.length;
+  if (n === 0) return null;
+  // A single needle line that is itself blank can't be located meaningfully.
+  if (n === 1 && needleLines[0]!.trim() === '') return null;
+
+  const needleKey = needleLines.map((l) => normalize(l.trimEnd())).join('\n');
+
+  const hits: Array<{ start: number; end: number }> = [];
+  for (let i = 0; i + n <= contentLines.length; i++) {
+    const windowKey = contentLines
+      .slice(i, i + n)
+      .map((l) => normalize(l.text.trimEnd()))
+      .join('\n');
+    if (windowKey === needleKey) {
+      hits.push({ start: contentLines[i]!.start, end: contentLines[i + n - 1]!.end });
+    }
+  }
+
+  if (hits.length === 0) return null;
+  if (hits.length > 1) return { kind: 'ambiguous', count: hits.length };
+  return { kind: 'fuzzy', start: hits[0]!.start, end: hits[0]!.end };
+}
+
+// --- Strategy 3: unicode canonicalization ------------------------------------
+
+/**
+ * Fold smart punctuation to its ASCII equivalent. Crucially this is a
+ * length-PRESERVING, per-character map (every replacement is one char → one
+ * char), so an offset into the canonical string is also a valid offset into the
+ * original — letting strategy 3 reuse the line-window matcher and still hand
+ * back true original-content offsets.
+ */
+function canonicalizeChar(ch: string): string {
+  switch (ch) {
+    // single quotes / apostrophes
+    case '‘': // '
+    case '’': // '
+    case '‚': // ‚
+    case '‛': // ‛
+      return "'";
+    // double quotes
+    case '“': // "
+    case '”': // "
+    case '„': // „
+    case '‟': // ‟
+      return '"';
+    // dashes
+    case '–': // – en dash
+    case '—': // — em dash
+    case '‒': // ‒ figure dash
+    case '―': // ― horizontal bar
+    case '−': // − minus sign
+      return '-';
+    // spaces
+    case ' ': // nbsp
+    case ' ': // figure space
+    case ' ': // narrow nbsp
+      return ' ';
+    default:
+      return ch;
+  }
+}
+
+function canonicalize(s: string): string {
+  let out = '';
+  for (const ch of s) out += canonicalizeChar(ch);
+  return out;
+}
+
+function locateCanonical(content: string, needle: string): MatchResult | null {
+  // Only worth running if canonicalization actually changes something on either
+  // side — otherwise it's identical to strategy 2 which already failed.
+  const canonContent = canonicalize(content);
+  const canonNeedle = canonicalize(needle);
+  if (canonContent === content && canonNeedle === needle) return null;
+  // Offsets are preserved (length-preserving fold), so a match on the canonical
+  // content maps directly back to the original.
+  return locateByLineWindow(canonContent, canonNeedle);
+}
+
+// --- Strategy 4: Levenshtein similarity --------------------------------------
+
+/** Standard iterative two-row Levenshtein edit distance. */
+function levenshtein(a: string, b: string): number {
+  if (a === b) return 0;
+  if (a.length === 0) return b.length;
+  if (b.length === 0) return a.length;
+
+  let prev = new Array<number>(b.length + 1);
+  let curr = new Array<number>(b.length + 1);
+  for (let j = 0; j <= b.length; j++) prev[j] = j;
+
+  for (let i = 1; i <= a.length; i++) {
+    curr[0] = i;
+    const ac = a.charCodeAt(i - 1);
+    for (let j = 1; j <= b.length; j++) {
+      const cost = ac === b.charCodeAt(j - 1) ? 0 : 1;
+      curr[j] = Math.min(
+        prev[j]! + 1, // deletion
+        curr[j - 1]! + 1, // insertion
+        prev[j - 1]! + cost, // substitution
+      );
+    }
+    [prev, curr] = [curr, prev];
+  }
+  return prev[b.length]!;
+}
+
+/** Normalized similarity in [0,1]: 1 - dist / max(len). */
+function similarity(a: string, b: string): number {
+  const maxLen = Math.max(a.length, b.length);
+  if (maxLen === 0) return 1;
+  return 1 - levenshtein(a, b) / maxLen;
+}
+
+function locateByLevenshtein(content: string, needle: string): MatchResult | null {
+  const contentLines = splitLines(content);
+  const needleLines = trimBlankLines(needle.split('\n'));
+  const n = needleLines.length;
+  if (n === 0) return null;
+  if (contentLines.length < n) return null;
+
+  const needleJoined = needleLines.map((l) => l.trim()).join('\n');
+
+  let best = -1;
+  let bestSpan: { start: number; end: number } | null = null;
+  for (let i = 0; i + n <= contentLines.length; i++) {
+    const window = contentLines.slice(i, i + n);
+    const windowJoined = window.map((l) => l.text.trim()).join('\n');
+    const score = similarity(windowJoined, needleJoined);
+    if (score > best) {
+      best = score;
+      bestSpan = { start: window[0]!.start, end: window[n - 1]!.end };
+    }
+  }
+
+  if (bestSpan && best >= SIMILARITY_THRESHOLD) {
+    return { kind: 'fuzzy', start: bestSpan.start, end: bestSpan.end };
+  }
+  return null;
+}

apps/coder/src/services/orphan-worktree-reaper.ts

@@ -0,0 +1,170 @@
+/**
+ * v2.6 Phase 3 (3.4) — orphan worktree reaper.
+ *
+ * Reclaims on-disk session worktree dirs under WORKTREE_BASE that have NO live
+ * (`status='active'`) row in the `worktrees` table — leaks from a crash between
+ * `git worktree add` and the DB insert, a missed chat-close hook, or a manual rm
+ * of the DB row. Extends the periodic-sweeper pattern (apps/server's truncation +
+ * stale-streaming reaper).
+ *
+ * SAFETY (Paseo worktree-archive cascade + superset destroy-saga lift): before
+ * removing ANY dir, run `checkWorktreeWorkAtRisk` — a dirty / unpushed / unmerged
+ * worktree is SKIPPED (logged), never force-removed. The pure orphan-target
+ * selection (which dirs are candidates) lives in
+ * `backends/lifecycle-decisions.ts:selectOrphanWorktreeTargets` and is unit-tested;
+ * this module does the DB read + fs stat + git preflight + removal side-effects.
+ *
+ * The mtime grace (default 1h) means a dir mid-`ensureSessionWorktree` (created on
+ * disk, row not yet committed) is never swept — the grace window covers the gap.
+ */
+import { readdir, stat } from 'node:fs/promises';
+import { join } from 'node:path';
+import type { FastifyBaseLogger } from 'fastify';
+import type { Sql } from '../db.js';
+import { WORKTREE_BASE, checkWorktreeWorkAtRisk } from './worktrees.js';
+import { hostExec } from './host-exec.js';
+import {
+  selectOrphanWorktreeTargets,
+  DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
+} from './backends/lifecycle-decisions.js';
+
+export interface OrphanWorktreeReaperDeps {
+  sql: Sql;
+  log: FastifyBaseLogger;
+  intervalMs: number;
+  graceMs?: number;
+}
+
+export interface OrphanReaperResult {
+  scanned: number;
+  candidates: number;
+  reaped: string[];
+  skippedAtRisk: string[];
+}
+
+/** Single-pass reap: select orphan candidates, preflight at-risk, remove the safe. */
+export async function reapOrphanWorktrees(
+  sql: Sql,
+  log: FastifyBaseLogger,
+  graceMs: number = DEFAULT_ORPHAN_WORKTREE_GRACE_MS,
+  now: number = Date.now(),
+): Promise<OrphanReaperResult> {
+  // Enumerate on-disk session worktree dirs (`sess-*`). Per-task worktrees
+  // (arena/new_task/MCP) are cleaned up inline by the one-shot path, so we only
+  // own the persistent session dirs the warm paths leave behind.
+  let dirents: string[];
+  try {
+    dirents = await readdir(WORKTREE_BASE);
+  } catch {
+    return { scanned: 0, candidates: 0, reaped: [], skippedAtRisk: [] }; // base absent → nothing to do
+  }
+  const onDisk: { path: string; mtimeMs: number }[] = [];
+  for (const name of dirents) {
+    if (!name.startsWith('sess-')) continue; // only persistent session worktrees
+    const path = join(WORKTREE_BASE, name);
+    try {
+      const s = await stat(path);
+      if (!s.isDirectory()) continue;
+      onDisk.push({ path, mtimeMs: s.mtimeMs });
+    } catch {
+      // vanished between readdir and stat — skip
+    }
+  }
+
+  // Live worktree paths from the DB (active rows only — archived/removed rows are
+  // not "live", so their leftover dirs are reapable orphans).
+  const liveRows = await sql<{ path: string }[]>`
+    SELECT path FROM worktrees WHERE status = 'active'
+  `;
+  const live = new Set(liveRows.map((r) => r.path));
+
+  const candidates = selectOrphanWorktreeTargets(onDisk, live, now, graceMs);
+  const reaped: string[] = [];
+  const skippedAtRisk: string[] = [];
+
+  for (const path of candidates) {
+    // Preflight: never reap work at risk. A git error forces atRisk=true (fail
+    // closed), so a half-broken worktree is kept, not silently destroyed.
+    const risk = await checkWorktreeWorkAtRisk(path);
+    if (risk.atRisk) {
+      skippedAtRisk.push(path);
+      log.warn({ path, dirty: risk.dirty, unmerged: risk.unmerged, error: risk.error }, 'orphan-reaper: skipping at-risk orphan worktree');
+      continue;
+    }
+    const removed = await removeOrphanDir(path);
+    if (removed) reaped.push(path);
+  }
+
+  if (reaped.length > 0 || skippedAtRisk.length > 0) {
+    log.info({ scanned: onDisk.length, candidates: candidates.length, reaped, skippedAtRisk }, 'orphan-reaper: pass complete');
+  }
+  return { scanned: onDisk.length, candidates: candidates.length, reaped, skippedAtRisk };
+}
+
+/**
+ * Remove a single orphan worktree dir. Resolve its main repo via the git
+ * common-dir, run `worktree remove --force` from there + prune, then rm the dir as
+ * a backstop. Best-effort: every step is independently fault-tolerant so a partial
+ * state (dir present, git untracked) still gets reclaimed.
+ */
+async function removeOrphanDir(path: string): Promise<boolean> {
+  // Find the owning repo (the common git dir's parent). When the dir isn't a valid
+  // worktree anymore, this fails and we fall back to a plain rm.
+  const common = await hostExec(
+    `git -C ${shellEscape(path)} rev-parse --path-format=absolute --git-common-dir`,
+    { timeoutMs: 10_000 },
+  ).catch(() => null);
+  const commonDir = common && common.exitCode === 0 ? common.stdout.trim() : '';
+  // The repo worktree root is the parent of the .git common dir (strip trailing /.git).
+  const repoRoot = commonDir.replace(/\/\.git\/?$/, '').replace(/\/\.git$/, '');
+
+  if (repoRoot && repoRoot !== commonDir) {
+    await hostExec(
+      `git -C ${shellEscape(repoRoot)} worktree remove ${shellEscape(path)} --force`,
+      { timeoutMs: 15_000 },
+    ).catch(() => {});
+    await hostExec(
+      `git -C ${shellEscape(repoRoot)} worktree prune`,
+      { timeoutMs: 10_000 },
+    ).catch(() => {});
+  }
+  // Backstop: ensure the dir is gone even if the git remove no-op'd.
+  const rm = await hostExec(`rm -rf ${shellEscape(path)}`, { timeoutMs: 15_000 }).catch(() => null);
+  return rm != null && rm.exitCode === 0;
+}
+
+/** Minimal single-quote shell escape (mirrors worktrees.ts). */
+function shellEscape(s: string): string {
+  return "'" + s.replace(/'/g, "'\\''") + "'";
+}
+
+/** Periodic orphan-worktree reaper, started/stopped by the bootstrap. Unref'd. */
+export function createOrphanWorktreeReaper(deps: OrphanWorktreeReaperDeps): { start(): void; stop(): void } {
+  const { sql, log, intervalMs } = deps;
+  const graceMs = deps.graceMs ?? DEFAULT_ORPHAN_WORKTREE_GRACE_MS;
+  let timer: ReturnType<typeof setInterval> | null = null;
+  let running = false;
+
+  return {
+    start() {
+      if (timer) return;
+      timer = setInterval(() => {
+        if (running) return; // a slow pass must not overlap the next tick
+        running = true;
+        void reapOrphanWorktrees(sql, log, graceMs)
+          .catch((err) => log.warn({ err: err instanceof Error ? err.message : String(err) }, 'orphan-reaper: pass error'))
+          .finally(() => {
+            running = false;
+          });
+      }, intervalMs);
+      timer.unref?.();
+      log.info({ intervalMs, graceMs }, 'orphan-reaper: started');
+    },
+    stop() {
+      if (timer) {
+        clearInterval(timer);
+        timer = null;
+      }
+    },
+  };
+}

apps/coder/src/services/pending_changes.ts

@@ -2,6 +2,7 @@ import { readFile, writeFile, unlink, mkdir } from 'node:fs/promises';
 import { dirname } from 'node:path';
 import type { Sql } from '../db.js';
 import { resolveWritePath } from './write_guard.js';
+import { locateMatch } from './fuzzy-match.js';
 
 // --- Types -------------------------------------------------------------------
 
@@ -121,10 +122,18 @@ export async function applyOne(
       case 'edit': {
         const { old: oldStr, new: newStr } = JSON.parse(change.diff) as { old: string; new: string };
         const content = await readFile(change.file_path, 'utf8');
-        if (!content.includes(oldStr)) {
-          throw new Error('old_string not found in file — file may have changed since the edit was queued');
+        const match = locateMatch(content, oldStr);
+        if (match.kind === 'ambiguous') {
+          throw new Error(
+            `old_string matches ${match.count} locations — add surrounding context to disambiguate`,
+          );
         }
-        const updated = content.replace(oldStr, newStr);
+        if (match.kind === 'not_found') {
+          throw new Error(
+            'old_string not found in file (even fuzzily) — file may have changed since the edit was queued',
+          );
+        }
+        const updated = content.slice(0, match.start) + newStr + content.slice(match.end);
         await writeFile(change.file_path, updated, 'utf8');
         break;
       }
@@ -203,10 +212,18 @@ export async function rewindOne(
         // Reverse an edit: swap old and new
         const { old: oldStr, new: newStr } = JSON.parse(change.diff) as { old: string; new: string };
         const content = await readFile(change.file_path, 'utf8');
-        if (!content.includes(newStr)) {
-          throw new Error('new_string not found in file — cannot rewind; file may have been modified since apply');
+        const match = locateMatch(content, newStr);
+        if (match.kind === 'ambiguous') {
+          throw new Error(
+            `new_string matches ${match.count} locations — cannot rewind; add surrounding context to disambiguate`,
+          );
         }
-        const reverted = content.replace(newStr, oldStr);
+        if (match.kind === 'not_found') {
+          throw new Error(
+            'new_string not found in file (even fuzzily) — cannot rewind; file may have been modified since apply',
+          );
+        }
+        const reverted = content.slice(0, match.start) + oldStr + content.slice(match.end);
         await writeFile(change.file_path, reverted, 'utf8');
         break;
       }

apps/coder/src/services/pty-dispatch.ts

@@ -1,13 +1,29 @@
 /**
  * PTY dispatch — runs external agents directly on the host.
+ *
+ * claude + qwen run with `--output-format stream-json` and emit Claude-Code's
+ * stream-json NDJSON on stdout. When an `onEvent` callback is supplied we
+ * line-buffer that stdout (split on `\n`, hold the partial tail) and feed complete
+ * lines to `makeStreamJsonParser` so deltas surface live as AgentEvents. The raw
+ * stdout is still accumulated + returned for back-compat (and the dispatcher's
+ * fallback when nothing parsed). See `stream-json-parser.ts`.
  */
 import type { FastifyBaseLogger } from 'fastify';
 import { spawn } from 'node:child_process';
+import type { AgentEvent } from './agent-backend.js';
+import { makeStreamJsonParser, type StreamJsonUsage } from './stream-json-parser.js';
 
 export interface DispatchResult {
   exitCode: number;
   stdout: string;
   stderr: string;
+  /** True iff at least one NDJSON AgentEvent was parsed from stdout (v#7). When
+   *  false the dispatcher falls back to slicing stdout as the assistant content. */
+  streamed: boolean;
+  /** Final usage parsed from the stream-json `result` / `message_delta`, if any. */
+  usage?: StreamJsonUsage;
+  /** Provider session id from the stream-json `system` init line, if any. */
+  agentSessionId?: string | null;
 }
 
 export interface PtyDispatchOpts {
@@ -20,6 +36,10 @@ export interface PtyDispatchOpts {
   installPath?: string;
   signal?: AbortSignal;
   log: FastifyBaseLogger;
+  /** Optional live event sink. When set, stdout is line-buffered + NDJSON-parsed
+   *  and each AgentEvent is forwarded here as it arrives. Absent → opaque (old)
+   *  behavior: stdout is accumulated and returned, no parsing. */
+  onEvent?: (e: AgentEvent) => void;
 }
 
 interface PtySpawnSpec {
@@ -40,7 +60,9 @@ function buildPtySpawnSpec(
 
   switch (agent) {
     case 'claude': {
-      const args = ['-p'];
+      // stream-json on -p requires --verbose (Claude Code rejects stream-json
+      // print mode without it). qwen needs no such flag.
+      const args = ['-p', '--output-format', 'stream-json', '--verbose'];
       if (model) args.push('--model', model);
       if (modeId) args.push('--permission-mode', modeId);
       if (thinkingOptionId) args.push('--effort', thinkingOptionId);
@@ -73,7 +95,7 @@ function buildPtySpawnSpec(
 }
 
 export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchResult> {
-  const { agent, task, worktreePath, model, modeId, thinkingOptionId, installPath, signal, log } = opts;
+  const { agent, task, worktreePath, model, modeId, thinkingOptionId, installPath, signal, log, onEvent } = opts;
 
   const cmd = buildPtySpawnSpec(agent, task, model, modeId, thinkingOptionId, installPath);
   if (!cmd) {
@@ -81,6 +103,7 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
       exitCode: 1,
       stdout: '',
       stderr: `Agent '${agent}' is not yet supported for PTY dispatch.`,
+      streamed: false,
     };
   }
 
@@ -102,7 +125,32 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
     let stderr = '';
     let killed = false;
 
-    child.stdout!.on('data', (chunk: Buffer) => { stdout += chunk.toString(); });
+    // Live NDJSON parsing (only when a sink is supplied). Line-buffer: split on
+    // '\n', dispatch complete lines, hold the partial tail until the next chunk.
+    const parser = onEvent ? makeStreamJsonParser() : null;
+    let lineBuf = '';
+    let streamed = false;
+    const feedLine = (line: string): void => {
+      if (!parser || !onEvent) return;
+      for (const e of parser.push(line)) {
+        streamed = true;
+        onEvent(e);
+      }
+    };
+
+    child.stdout!.on('data', (chunk: Buffer) => {
+      const text = chunk.toString();
+      stdout += text;
+      if (!parser) return;
+      lineBuf += text;
+      let nl = lineBuf.indexOf('\n');
+      while (nl !== -1) {
+        const line = lineBuf.slice(0, nl);
+        lineBuf = lineBuf.slice(nl + 1);
+        feedLine(line);
+        nl = lineBuf.indexOf('\n');
+      }
+    });
     child.stderr!.on('data', (chunk: Buffer) => { stderr += chunk.toString(); });
 
     const cleanup = () => {
@@ -116,7 +164,7 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
     if (signal) {
       if (signal.aborted) {
         cleanup();
-        resolve({ exitCode: 130, stdout: '', stderr: 'Aborted before start' });
+        resolve({ exitCode: 130, stdout: '', stderr: 'Aborted before start', streamed: false });
         return;
       }
       signal.addEventListener('abort', cleanup, { once: true });
@@ -124,8 +172,18 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
 
     child.on('close', (code) => {
       if (signal) signal.removeEventListener('abort', cleanup);
-      log.info({ agent, exitCode: code }, 'pty-dispatch: completed');
-      resolve({ exitCode: code ?? 1, stdout, stderr });
+      // Flush any final line with no trailing newline.
+      if (lineBuf.trim()) feedLine(lineBuf);
+      lineBuf = '';
+      log.info({ agent, exitCode: code, streamed }, 'pty-dispatch: completed');
+      resolve({
+        exitCode: code ?? 1,
+        stdout,
+        stderr,
+        streamed,
+        usage: parser?.usage(),
+        agentSessionId: parser?.sessionId() ?? null,
+      });
     });
 
     child.on('error', (err) => {

apps/coder/src/services/stream-json-parser.ts

@@ -0,0 +1,296 @@
+/**
+ * Claude-Code-compatible stream-json NDJSON parser (feature #7,
+ * openspec `sampling-streamjson-tokens`).
+ *
+ * qwen (`--output-format stream-json`) and claude (`--output-format stream-json`)
+ * both emit Claude-Code's stream-json NDJSON on stdout: one JSON object per line.
+ * This module turns that stream into the same transport-agnostic `AgentEvent`s the
+ * ACP / opencode-server backends emit, so the PTY dispatch path can publish live
+ * broker frames + persist structured parts instead of slicing stdout opaque.
+ *
+ * Two surfaces:
+ *  - `parseStreamJsonLine(line, state)` — PURE per-line mapping (unit-testable).
+ *    `state` is the caller-owned accumulator (open tool blocks + usage/session_id).
+ *  - `makeStreamJsonParser()` — a thin stateful wrapper holding the state, with a
+ *    `push(line)` that returns the events for that line and getters for the final
+ *    `usage` / `sessionId`.
+ *
+ * Defensive by contract: a non-JSON / partial / garbage line yields `[]` and never
+ * throws. Tool args (`input_json_delta`) arrive fragmented across many lines; we
+ * accumulate the partial JSON string per content-block index and only surface the
+ * parsed `rawInput` once the block stops (or, as a fallback, off the terminal
+ * `assistant` message which carries the fully-assembled `tool_use` blocks).
+ *
+ * Schema (keyed on top-level `type`):
+ *  - `system`     — init: { session_id, tools, ... }
+ *  - `assistant`  — { message: { content: [ {type:'text'|'thinking'|'tool_use', ...} ], usage? } }
+ *  - `user`       — tool results (ignored — diffing the worktree captures effects)
+ *  - `result`     — final: { usage: { input_tokens, output_tokens }, session_id? }
+ *  - `stream_event` — { event: { type, index?, content_block?, delta?, usage? } }
+ *      event.type:
+ *        content_block_start  — { index, content_block: {type, id?, name?} }
+ *        content_block_delta  — { index, delta: {type, text?|thinking?|partial_json?} }
+ *        content_block_stop   — { index }
+ *        message_delta        — { usage: { output_tokens } }
+ *        message_start        — { message: { usage } }
+ */
+import type { AgentEvent } from './agent-backend.js';
+import type { AcpToolSnapshot } from './acp-tool-snapshot.js';
+
+/** Convenience alias for the per-line return value. */
+export type AgentEventList = AgentEvent[];
+
+export interface StreamJsonUsage {
+  inputTokens?: number;
+  outputTokens?: number;
+}
+
+/** Per-open-content-block accumulation for tool args assembled across deltas. */
+interface OpenToolBlock {
+  toolCallId: string;
+  name: string;
+  /** Concatenated `input_json_delta.partial_json` fragments. */
+  partialJson: string;
+}
+
+export interface StreamJsonState {
+  /** content-block index → open tool block (only `tool_use` blocks are tracked). */
+  toolBlocks: Map<number, OpenToolBlock>;
+  sessionId: string | null;
+  usage: StreamJsonUsage;
+}
+
+export function makeStreamJsonState(): StreamJsonState {
+  return { toolBlocks: new Map(), sessionId: null, usage: {} };
+}
+
+function asRecord(value: unknown): Record<string, unknown> | null {
+  if (value && typeof value === 'object' && !Array.isArray(value)) {
+    return value as Record<string, unknown>;
+  }
+  return null;
+}
+
+function asString(value: unknown): string | undefined {
+  return typeof value === 'string' ? value : undefined;
+}
+
+function asNumber(value: unknown): number | undefined {
+  return typeof value === 'number' && Number.isFinite(value) ? value : undefined;
+}
+
+/** Pull token counts out of an Anthropic-shape `usage` object, mutating state. */
+function captureUsage(usage: Record<string, unknown> | null, state: StreamJsonState): void {
+  if (!usage) return;
+  const input = asNumber(usage.input_tokens);
+  const output = asNumber(usage.output_tokens);
+  if (input !== undefined) state.usage.inputTokens = input;
+  // output_tokens is reported incrementally on message_delta; keep the latest.
+  if (output !== undefined) state.usage.outputTokens = output;
+}
+
+/** Parse the accumulated tool-arg JSON; tolerate an unparseable/partial body. */
+function parseToolInput(partialJson: string): unknown {
+  const trimmed = partialJson.trim();
+  if (!trimmed) return {};
+  try {
+    return JSON.parse(trimmed);
+  } catch {
+    return { _raw: partialJson };
+  }
+}
+
+function toolSnapshot(block: OpenToolBlock, rawInput: unknown, status: AcpToolSnapshot['status']): AcpToolSnapshot {
+  return {
+    toolCallId: block.toolCallId,
+    title: block.name,
+    kind: null,
+    status,
+    rawInput,
+  };
+}
+
+/**
+ * Map one stream-event sub-object (the `event` field of a `stream_event` line) to
+ * AgentEvents, mutating `state` for open tool blocks + usage.
+ */
+function handleStreamEvent(event: Record<string, unknown>, state: StreamJsonState): AgentEvent[] {
+  const eventType = asString(event.type);
+  if (!eventType) return [];
+
+  switch (eventType) {
+    case 'content_block_start': {
+      const index = asNumber(event.index);
+      const block = asRecord(event.content_block);
+      if (index === undefined || !block) return [];
+      if (asString(block.type) !== 'tool_use') return [];
+      const toolCallId = asString(block.id) ?? `tool_${index}`;
+      const name = asString(block.name) ?? 'tool';
+      const open: OpenToolBlock = { toolCallId, name, partialJson: '' };
+      state.toolBlocks.set(index, open);
+      // Surface the tool start immediately (running, no args yet) so the UI shows
+      // the call before the args finish streaming.
+      return [{ type: 'tool_call', toolCall: toolSnapshot(open, {}, 'in_progress') }];
+    }
+
+    case 'content_block_delta': {
+      const index = asNumber(event.index);
+      const delta = asRecord(event.delta);
+      if (delta === null) return [];
+      const deltaType = asString(delta.type);
+      if (deltaType === 'text_delta') {
+        const text = asString(delta.text);
+        return text ? [{ type: 'text', text }] : [];
+      }
+      if (deltaType === 'thinking_delta') {
+        const text = asString(delta.thinking);
+        return text ? [{ type: 'reasoning', text }] : [];
+      }
+      if (deltaType === 'input_json_delta') {
+        // Accumulate tool args; no event until the block stops.
+        const fragment = asString(delta.partial_json);
+        if (index !== undefined && fragment) {
+          const open = state.toolBlocks.get(index);
+          if (open) open.partialJson += fragment;
+        }
+        return [];
+      }
+      return [];
+    }
+
+    case 'content_block_stop': {
+      const index = asNumber(event.index);
+      if (index === undefined) return [];
+      const open = state.toolBlocks.get(index);
+      if (!open) return [];
+      state.toolBlocks.delete(index);
+      const rawInput = parseToolInput(open.partialJson);
+      return [{ type: 'tool_update', toolCall: toolSnapshot(open, rawInput, 'completed') }];
+    }
+
+    case 'message_start': {
+      const message = asRecord(event.message);
+      captureUsage(asRecord(message?.usage), state);
+      return [];
+    }
+
+    case 'message_delta': {
+      captureUsage(asRecord(event.usage), state);
+      return [];
+    }
+
+    default:
+      return [];
+  }
+}
+
+/**
+ * Map the terminal `assistant` message (post-hoc full message) to AgentEvents. Used
+ * as a fallback for transports that emit only the assembled `assistant` line and no
+ * incremental `stream_event`s. When stream_events already streamed a block, the
+ * caller dedups by toolCallId, so re-emitting the assembled tool_use is harmless.
+ */
+function handleAssistantMessage(message: Record<string, unknown>, state: StreamJsonState): AgentEvent[] {
+  captureUsage(asRecord(message.usage), state);
+  const content = message.content;
+  if (!Array.isArray(content)) return [];
+  const out: AgentEvent[] = [];
+  let toolIdx = 0;
+  for (const rawBlock of content) {
+    const block = asRecord(rawBlock);
+    if (!block) continue;
+    const blockType = asString(block.type);
+    if (blockType === 'text') {
+      const text = asString(block.text);
+      if (text) out.push({ type: 'text', text });
+    } else if (blockType === 'thinking') {
+      const text = asString(block.thinking);
+      if (text) out.push({ type: 'reasoning', text });
+    } else if (blockType === 'tool_use') {
+      const toolCallId = asString(block.id) ?? `tool_${toolIdx}`;
+      const name = asString(block.name) ?? 'tool';
+      const rawInput = 'input' in block ? block.input : {};
+      out.push({
+        type: 'tool_update',
+        toolCall: { toolCallId, title: name, kind: null, status: 'completed', rawInput },
+      });
+    }
+    toolIdx++;
+  }
+  return out;
+}
+
+/**
+ * Pure per-line mapping. `line` is a single complete NDJSON line (no trailing
+ * newline required; surrounding whitespace tolerated). Returns the AgentEvents the
+ * line produces and mutates `state` (open tool blocks, usage, session_id). A blank,
+ * non-JSON, or unrecognized line yields `[]` and never throws.
+ */
+export function parseStreamJsonLine(line: string, state: StreamJsonState): AgentEvent[] {
+  const trimmed = line.trim();
+  if (!trimmed) return [];
+
+  let obj: Record<string, unknown> | null;
+  try {
+    const parsed: unknown = JSON.parse(trimmed);
+    obj = asRecord(parsed);
+  } catch {
+    return [];
+  }
+  if (!obj) return [];
+
+  const type = asString(obj.type);
+  switch (type) {
+    case 'system': {
+      const sid = asString(obj.session_id);
+      if (sid) state.sessionId = sid;
+      return [];
+    }
+
+    case 'stream_event': {
+      const event = asRecord(obj.event);
+      return event ? handleStreamEvent(event, state) : [];
+    }
+
+    case 'assistant': {
+      const sid = asString(obj.session_id);
+      if (sid) state.sessionId = sid;
+      const message = asRecord(obj.message);
+      return message ? handleAssistantMessage(message, state) : [];
+    }
+
+    case 'result': {
+      const sid = asString(obj.session_id);
+      if (sid) state.sessionId = sid;
+      captureUsage(asRecord(obj.usage), state);
+      return [];
+    }
+
+    default:
+      // `user` (tool results) and any unknown line type — ignore.
+      return [];
+  }
+}
+
+export interface StreamJsonParser {
+  /** Feed one complete NDJSON line; returns its AgentEvents (never throws). */
+  push(line: string): AgentEvent[];
+  /** Final usage (input/output tokens) accumulated so far. */
+  usage(): StreamJsonUsage;
+  /** Provider session id from the init `system` line / `result`, if seen. */
+  sessionId(): string | null;
+}
+
+/**
+ * Stateful wrapper around `parseStreamJsonLine`. Holds per-tool-block accumulation
+ * + usage/session_id across the turn. Line-buffering (splitting stdout on `\n` and
+ * holding the partial tail) is the caller's job — see `pty-dispatch.ts`.
+ */
+export function makeStreamJsonParser(): StreamJsonParser {
+  const state = makeStreamJsonState();
+  return {
+    push: (line: string) => parseStreamJsonLine(line, state),
+    usage: () => ({ ...state.usage }),
+    sessionId: () => state.sessionId,
+  };
+}

apps/coder/src/services/worktrees.ts

@@ -9,7 +9,7 @@
 import type { Sql } from '../db.js';
 import { hostExec } from './host-exec.js';
 
-const WORKTREE_BASE = '/tmp/booworktrees';
+export const WORKTREE_BASE = '/tmp/booworktrees';
 
 /**
  * Create a git worktree for a task on the host.
@@ -197,6 +197,187 @@ export async function ensureSessionWorktree(
   };
 }
 
+/**
+ * v2.6 Phase 3 (3.3 / 3.4): physically remove a session's persistent worktree —
+ * the git worktree dir + its branch — and archive its `worktrees` row. Used by the
+ * chat/session-close hook (when the last chat in a session closes) and the orphan
+ * reaper. Best-effort on the git side (a dir already gone is not an error); the DB
+ * row is flipped to 'archived' (soft-delete, Paseo's worktree-archive pattern) so
+ * history/attribution survives and a re-run is idempotent.
+ *
+ * SAFETY: callers MUST run `checkWorktreeWorkAtRisk` first and skip at-risk
+ * worktrees — this function force-removes (`--force`), so it never silently drops
+ * uncommitted/unmerged work unless the caller already cleared/accepted the risk.
+ */
+export async function removeSessionWorktree(
+  sql: Sql,
+  projectPath: string,
+  worktree: { id: string; path: string; branch?: string | null },
+  opts?: { signal?: AbortSignal },
+): Promise<void> {
+  await hostExec(
+    `git -C ${shellEscape(projectPath)} worktree remove ${shellEscape(worktree.path)} --force`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  ).catch(() => {});
+  const branch = worktree.branch ?? null;
+  if (branch) {
+    await hostExec(
+      `git -C ${shellEscape(projectPath)} branch -D ${shellEscape(branch)}`,
+      { signal: opts?.signal, timeoutMs: 10_000 },
+    ).catch(() => {});
+  }
+  // Prune any stale worktree administrative entries left behind by a partial remove.
+  await hostExec(
+    `git -C ${shellEscape(projectPath)} worktree prune`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  ).catch(() => {});
+  await sql`UPDATE worktrees SET status = 'archived' WHERE id = ${worktree.id}`.catch(() => {});
+}
+
+/**
+ * v2.6 Phase 3 (3.3): the chat-close cleanup. Mark every `agent_sessions` row for
+ * the chat 'closed', then — only if this was the session's LAST open chat — remove
+ * the shared session worktree (a worktree is one-per-session, shared across the
+ * session's chat tabs, so closing one tab must not pull the rug from sibling tabs).
+ *
+ * Returns what it did so the route can report it. The actual backend (process /
+ * server-session) teardown is the pool's job (`agentPool.closeChat` +
+ * `backend.closeSession`); this owns the DB + git truth.
+ *
+ * `worktreeRemoved` is false when other open chats remain (worktree kept) OR when
+ * the worktree held work at risk (preflight blocked it — never silently dropped).
+ */
+export interface ChatCloseResult {
+  agentRowsClosed: number;
+  worktreeRemoved: boolean;
+  worktreeAtRisk: boolean;
+}
+
+export async function closeChatBackendState(
+  sql: Sql,
+  chatId: string,
+  opts?: { signal?: AbortSignal; force?: boolean },
+): Promise<ChatCloseResult> {
+  // Resolve the chat's session (and that session's project path) before we touch
+  // anything — a deleted chat row leaves agent_sessions/worktrees pointing nowhere.
+  const [chatRow] = await sql<{ session_id: string | null }[]>`
+    SELECT session_id FROM chats WHERE id = ${chatId}
+  `;
+  // chat row may already be gone (delete fired first); fall back to agent_sessions'
+  // session_id link, which SET NULLs only on session delete, not chat delete.
+  let sessionId = chatRow?.session_id ?? null;
+  if (!sessionId) {
+    const [as] = await sql<{ session_id: string | null }[]>`
+      SELECT session_id FROM agent_sessions WHERE chat_id = ${chatId} AND session_id IS NOT NULL LIMIT 1
+    `;
+    sessionId = as?.session_id ?? null;
+  }
+
+  // Mark this chat's (chat,agent) backend rows closed (idempotent).
+  const closedRows = await sql<{ agent: string }[]>`
+    UPDATE agent_sessions SET status = 'closed'
+    WHERE chat_id = ${chatId} AND status <> 'closed'
+    RETURNING agent
+  `;
+
+  let worktreeRemoved = false;
+  let worktreeAtRisk = false;
+
+  if (sessionId) {
+    // Other open chats still sharing the session worktree? If so, keep it.
+    const openRows = await sql<{ open_count: number }[]>`
+      SELECT COUNT(*)::int AS open_count FROM chats
+      WHERE session_id = ${sessionId} AND status = 'open' AND id <> ${chatId}
+    `;
+    const openCount = openRows[0]?.open_count ?? 0;
+    if (openCount === 0) {
+      const [wt] = await sql<{ id: string; path: string; branch: string | null }[]>`
+        SELECT id, path, branch FROM worktrees
+        WHERE session_id = ${sessionId} AND status = 'active' LIMIT 1
+      `;
+      if (wt) {
+        const projRows = await sql<{ path: string | null }[]>`
+          SELECT p.path FROM sessions s JOIN projects p ON p.id = s.project_id WHERE s.id = ${sessionId}
+        `;
+        const projectPath = projRows[0]?.path ?? null;
+        // Preflight (close-hook semantics): a DELIBERATE chat/session close — the
+        // server's session-delete already ran the full work-at-risk gate
+        // (dirty/unpushed/unmerged) before calling us, and chat-close discards the
+        // tab's staged review intentionally. So here we only block on UNCOMMITTED
+        // working-tree changes (`dirty`) — work the user never even staged into the
+        // review diff. The session branch's own commits (the diff-staging
+        // mechanism) are NOT a block; treating them as "unmerged risk" would make
+        // the worktree un-removable on every real session (the orphan reaper keeps
+        // the full at-risk gate because it runs unattended). `force` skips this.
+        if (!opts?.force) {
+          const risk = await checkWorktreeWorkAtRisk(wt.path, opts);
+          worktreeAtRisk = risk.dirty || risk.error != null;
+        }
+        if (projectPath && (opts?.force || !worktreeAtRisk)) {
+          await removeSessionWorktree(sql, projectPath, wt, opts);
+          worktreeRemoved = true;
+        }
+      }
+    }
+  }
+
+  return { agentRowsClosed: closedRows.length, worktreeRemoved, worktreeAtRisk };
+}
+
+/**
+ * v2.6 Phase 3 (3.5): re-baseline a session's worktree diff after a successful
+ * `apply_pending`. The applied changes were written to the PROJECT ROOT; the
+ * worktree branch still holds the same delta against the ORIGINAL `base_commit`,
+ * so the next turn's `diffWorktree(base_commit...worktree-HEAD)` would re-surface
+ * the already-applied changes as "pending" — a confusing double-count.
+ *
+ * Fix: advance the stored `base_commit` to the worktree's CURRENT HEAD (the
+ * `diffWorktree` path commits the worktree's accumulated changes before diffing,
+ * so HEAD already encodes the applied state). The next turn then diffs against
+ * that, surfacing only edits made AFTER the apply. Idempotent: if the worktree has
+ * no new commits, the base is unchanged.
+ *
+ * Diff-baseline-correctness note (design §7): we re-baseline to the worktree's own
+ * HEAD, NOT to a moving project HEAD — so an out-of-band edit to the project root
+ * after apply doesn't corrupt the baseline. The trade-off is that a manual project
+ * edit isn't reflected as "already there"; acceptable, and matches the stored-base
+ * (not moving-target) decision in §7.
+ */
+export async function rebaselineWorktreeAfterApply(
+  sql: Sql,
+  sessionId: string,
+  opts?: { signal?: AbortSignal },
+): Promise<{ rebaselined: boolean; newBaseCommit: string | null }> {
+  const [wt] = await sql<{ id: string; path: string; base_commit: string | null }[]>`
+    SELECT id, path, base_commit FROM worktrees
+    WHERE session_id = ${sessionId} AND status = 'active' LIMIT 1
+  `;
+  if (!wt) return { rebaselined: false, newBaseCommit: null };
+
+  // Make sure the worktree's accumulated edits are committed so HEAD encodes the
+  // just-applied state (the diff path normally does this, but apply may run with no
+  // prior diff this turn). Commit ONLY when something is staged — NO --allow-empty,
+  // so a re-baseline with no new edits doesn't advance HEAD and stays idempotent.
+  await hostExec(
+    `cd ${shellEscape(wt.path)} && git add -A && ` +
+      `git diff --cached --quiet || ` +
+      `git -c user.email=boocoder@local -c user.name=BooCoder commit -q -m "rebaseline after apply"`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  ).catch(() => {});
+
+  const headRes = await hostExec(
+    `git -C ${shellEscape(wt.path)} rev-parse HEAD`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  ).catch(() => null);
+  const newBase = headRes && headRes.exitCode === 0 ? headRes.stdout.trim() || null : null;
+  if (!newBase || newBase === wt.base_commit) {
+    return { rebaselined: false, newBaseCommit: wt.base_commit };
+  }
+
+  await sql`UPDATE worktrees SET base_commit = ${newBase} WHERE id = ${wt.id}`;
+  return { rebaselined: true, newBaseCommit: newBase };
+}
+
 // ─── Session-delete work-loss guard ─────────────────────────────────────────
 
 /**

apps/server/package.json

@@ -87,7 +87,7 @@
     "@modelcontextprotocol/sdk": "^1.29.0",
     "ai": "^6.0.190",
     "fastify": "^4.28.1",
-    "parse5": "^8.0.1",
+    "node-html-markdown": "^1.3.0",
     "postgres": "^3.4.4",
     "ws": "^8.18.0",
     "zod": "^3.23.8"
@@ -99,5 +99,5 @@
     "typescript": "^5.5.0",
     "vitest": "^3.2.4"
   },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }

apps/server/src/routes/chats.ts

@@ -4,6 +4,7 @@ import type { Sql } from '../db.js';
 import type { Broker } from '../services/broker.js';
 import type { Chat, Message } from '../types/api.js';
 import { getModelContext } from '../services/model-context.js';
+import { notifyCoderClose } from '../services/coder-notify.js';
 
 const CreateBody = z.object({
   name: z.string().min(1).max(200).optional(),
@@ -167,6 +168,9 @@ export function registerChatRoutes(
           chat_id: id,
           session_id: req.params.id,
         });
+        // Fire-and-forget per archived chat: tear down its warm agent backends
+        // on the coder. Best-effort — never blocks/fails the bulk archive.
+        void notifyCoderClose('chat', id, req.log);
       }
       return { archived: ids.length, ids };
     }
@@ -208,6 +212,9 @@ export function registerChatRoutes(
         chat_id: row.id,
         session_id: row.session_id,
       });
+      // Fire-and-forget: tear down this chat's warm agent backends + (last-chat)
+      // worktree on the coder. Best-effort — never blocks/fails the archive.
+      void notifyCoderClose('chat', row.id, req.log);
       reply.code(204);
       return null;
     }
@@ -248,6 +255,9 @@ export function registerChatRoutes(
         chat_id: row.id,
         session_id: row.session_id,
       });
+      // Fire-and-forget: tear down this chat's warm agent backends + (last-chat)
+      // worktree on the coder. Best-effort — never blocks/fails the delete.
+      void notifyCoderClose('chat', row.id, req.log);
       reply.code(204);
       return null;
     }

apps/server/src/routes/sessions.ts

@@ -5,6 +5,7 @@ import type { Config } from '../config.js';
 import type { Broker } from '../services/broker.js';
 import type { Session, WorktreeRiskReport } from '../types/api.js';
 import { getSetting } from './settings.js';
+import { notifyCoderClose } from '../services/coder-notify.js';
 
 const CreateBody = z.object({
   name: z.string().min(1).max(200).optional(),
@@ -513,6 +514,10 @@ export function registerSessionRoutes(
       }
       const project_id = deleted[0]!.project_id;
       broker.publishUserFrame('default', { type: 'session_deleted', session_id: id, project_id });
+      // Fire-and-forget: ask BooCoder to tear down this session's warm agent
+      // backends + worktree immediately. Best-effort — never blocks/fails the
+      // delete; the coder's idle-evict + orphan reaper backstop a missed call.
+      void notifyCoderClose('session', id, req.log);
       reply.code(204);
       return null;
     }

apps/server/src/services/__tests__/agents.test.ts

@@ -1,4 +1,4 @@
-import { describe, it, expect } from 'vitest';
+import { describe, it, expect, vi, afterEach } from 'vitest';
 import { isAgentRegistryMarkdown, parseAgentsMd } from '../agents.js';
 
 describe('isAgentRegistryMarkdown', () => {
@@ -31,3 +31,87 @@ Start here
     expect(r.errors.length).toBeGreaterThan(0);
   });
 });
+
+// v2.6 sampling-streamjson-tokens (#11): per-agent llama.cpp sampler extensions.
+describe('parseAgentsMd: v2.6 sampling knobs', () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  const withFrontmatter = (lines: string) => `# Agents
+
+## Sampler
+---
+temperature: 0.6
+${lines}
+tools: [view_file]
+description: test
+---
+You sample.
+`;
+
+  it('parses top_n_sigma and the dry_* family from frontmatter', () => {
+    const md = withFrontmatter(
+      [
+        'top_n_sigma: 1.5',
+        'dry_multiplier: 0.8',
+        'dry_base: 1.75',
+        'dry_allowed_length: 2',
+        'dry_penalty_last_n: -1',
+      ].join('\n'),
+    );
+    const { agents, errors } = parseAgentsMd(md);
+    expect(errors).toHaveLength(0);
+    expect(agents).toHaveLength(1);
+    const a = agents[0]!;
+    expect(a.top_n_sigma).toBe(1.5);
+    expect(a.dry_multiplier).toBe(0.8);
+    expect(a.dry_base).toBe(1.75);
+    expect(a.dry_allowed_length).toBe(2);
+    expect(a.dry_penalty_last_n).toBe(-1);
+  });
+
+  it('defaults the new sampler fields to null when omitted', () => {
+    const { agents } = parseAgentsMd(withFrontmatter('top_p: 0.95'));
+    const a = agents[0]!;
+    expect(a.top_n_sigma).toBeNull();
+    expect(a.dry_multiplier).toBeNull();
+    expect(a.dry_base).toBeNull();
+    expect(a.dry_allowed_length).toBeNull();
+    expect(a.dry_penalty_last_n).toBeNull();
+  });
+
+  it('warns (does not error) on out-of-range top_n_sigma / dry_* values', () => {
+    const warn = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    const md = withFrontmatter(
+      [
+        'top_n_sigma: -1',
+        'dry_multiplier: -0.5',
+        'dry_base: -2',
+        'dry_allowed_length: -3',
+        'dry_penalty_last_n: -5',
+      ].join('\n'),
+    );
+    const { agents, errors } = parseAgentsMd(md);
+    expect(errors).toHaveLength(0);
+    expect(agents).toHaveLength(1);
+    // Mirrors top_k/min_p: out-of-range still stored, with a warning.
+    expect(warn).toHaveBeenCalled();
+    const warnings = warn.mock.calls.map((c) => String(c[0])).join('\n');
+    expect(warnings).toContain('top_n_sigma');
+    expect(warnings).toContain('dry_multiplier');
+    expect(warnings).toContain('dry_base');
+    expect(warnings).toContain('dry_allowed_length');
+    expect(warnings).toContain('dry_penalty_last_n');
+  });
+
+  it('errors on non-numeric / non-integer sampler values', () => {
+    const md = withFrontmatter(
+      ['top_n_sigma: high', 'dry_allowed_length: 2.5'].join('\n'),
+    );
+    const { errors } = parseAgentsMd(md);
+    const joined = errors.map((e) => e.reason).join('\n');
+    expect(joined).toContain('top_n_sigma must be a number');
+    expect(joined).toContain('dry_allowed_length must be an integer');
+  });
+});

apps/server/src/services/__tests__/coder-notify.test.ts

@@ -0,0 +1,67 @@
+// v2.6.10 Phase 3 (server wiring) — notifyCoderClose fire-and-forget helper.
+//
+// The guarantee under test: the helper NEVER throws (so it can't break the
+// user's delete/archive path), targets the correct coder URL shape, and folds
+// every failure mode (non-2xx, network error) into a `false` result.
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import { notifyCoderClose } from '../coder-notify.js';
+
+const ORIGINAL_BOOCODER_URL = process.env.BOOCODER_URL;
+
+describe('notifyCoderClose', () => {
+  beforeEach(() => {
+    delete process.env.BOOCODER_URL;
+  });
+  afterEach(() => {
+    if (ORIGINAL_BOOCODER_URL === undefined) delete process.env.BOOCODER_URL;
+    else process.env.BOOCODER_URL = ORIGINAL_BOOCODER_URL;
+  });
+
+  it('POSTs the chat close hook at the default coder origin and resolves true on 2xx', async () => {
+    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
+    const ok = await notifyCoderClose('chat', 'chat-123', undefined, fetcher as unknown as typeof fetch);
+    expect(ok).toBe(true);
+    expect(fetcher).toHaveBeenCalledTimes(1);
+    const [url, init] = fetcher.mock.calls[0]!;
+    expect(url).toBe('http://boocoder:3000/api/chats/chat-123/close');
+    expect(init).toEqual({ method: 'POST' });
+  });
+
+  it('POSTs the session close hook with the sessions segment', async () => {
+    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
+    const ok = await notifyCoderClose('session', 'sess-abc', undefined, fetcher as unknown as typeof fetch);
+    expect(ok).toBe(true);
+    expect(fetcher.mock.calls[0]![0]).toBe('http://boocoder:3000/api/sessions/sess-abc/close');
+  });
+
+  it('honors BOOCODER_URL for the origin', async () => {
+    process.env.BOOCODER_URL = 'http://100.114.205.53:9502';
+    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 200 }));
+    await notifyCoderClose('chat', 'c1', undefined, fetcher as unknown as typeof fetch);
+    expect(fetcher.mock.calls[0]![0]).toBe('http://100.114.205.53:9502/api/chats/c1/close');
+  });
+
+  it('resolves false on a non-2xx response (does not throw)', async () => {
+    const fetcher = vi.fn().mockResolvedValue(new Response(null, { status: 500 }));
+    const log = { debug: vi.fn() };
+    const ok = await notifyCoderClose('chat', 'c1', log, fetcher as unknown as typeof fetch);
+    expect(ok).toBe(false);
+    expect(log.debug).toHaveBeenCalledTimes(1);
+  });
+
+  it('resolves false on a network error (coder unreachable) — never rejects', async () => {
+    const fetcher = vi.fn().mockRejectedValue(new Error('ECONNREFUSED'));
+    const log = { debug: vi.fn() };
+    const ok = await notifyCoderClose('session', 's1', log, fetcher as unknown as typeof fetch);
+    expect(ok).toBe(false);
+    expect(log.debug).toHaveBeenCalledTimes(1);
+  });
+
+  it('does not require a logger', async () => {
+    const fetcher = vi.fn().mockRejectedValue(new Error('boom'));
+    await expect(
+      notifyCoderClose('chat', 'c1', undefined, fetcher as unknown as typeof fetch),
+    ).resolves.toBe(false);
+  });
+});

apps/server/src/services/__tests__/html-to-md.test.ts

@@ -70,10 +70,16 @@ describe('htmlToMarkdown', () => {
         </tbody>
       </table>`;
     const md = htmlToMarkdown(html);
-    expect(md).toContain('| Name | Age | City |');
-    expect(md).toContain('| --- | --- | --- |');
-    expect(md).toContain('| Alice | 30 | NYC |');
-    expect(md).toContain('| Bob | 25 | LA |');
+    // node-html-markdown pads columns to align them; assert structure rather
+    // than exact spacing. Each cell value and a GFM separator row are present.
+    expect(md).toContain('| Name ');
+    expect(md).toContain('| Age ');
+    expect(md).toContain('| City |');
+    expect(md).toMatch(/\| -+ \| -+ \| -+ \|/); // separator row
+    expect(md).toContain('| Alice ');
+    expect(md).toContain('| NYC  |');
+    expect(md).toContain('| Bob   ');
+    expect(md).toContain('| LA   |');
   });
 
   it('escapes pipe characters in table cells', () => {
@@ -162,14 +168,17 @@ describe('htmlToMarkdown', () => {
 
   it('converts br to newline', () => {
     const md = htmlToMarkdown('line one<br>line two');
-    expect(md).toContain('line one\nline two');
+    // node-html-markdown emits a GFM hard line break (trailing two spaces).
+    expect(md).toContain('line one  \nline two');
   });
 
   it('handles ol with start attribute', () => {
     const html = '<ol start="5"><li>five</li><li>six</li></ol>';
     const md = htmlToMarkdown(html);
-    expect(md).toContain('5. five');
-    expect(md).toContain('6. six');
+    // node-html-markdown does not honor the `start` attribute; it always
+    // renumbers ordered lists from 1. (Old parse5 renderer honored start=.)
+    expect(md).toContain('1. five');
+    expect(md).toContain('2. six');
   });
 
   it('collapses excessive blank lines', () => {
@@ -212,9 +221,12 @@ describe('htmlToMarkdown', () => {
     expect(md).toContain('[a link](https://example.com)');
     expect(md).toContain('## Features');
     expect(md).toContain('* Fast');
-    expect(md).toContain('| Metric | Value |');
-    expect(md).toContain('| --- | --- |');
-    expect(md).toContain('| Uptime | 99.9% |');
+    // Table columns are padded to align (node-html-markdown behavior).
+    expect(md).toContain('| Metric ');
+    expect(md).toContain('| Value |');
+    expect(md).toMatch(/\| -+ \| -+ \|/); // separator row
+    expect(md).toContain('| Uptime ');
+    expect(md).toContain('| 99.9% |');
     expect(md).toContain('> This tool is amazing.');
     expect(md).toContain('```js\nconsole.log("hello");\n```');
     expect(md).not.toContain('evil');

apps/server/src/services/__tests__/license-mit.test.ts

@@ -0,0 +1,46 @@
+import { describe, expect, it } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { fileURLToPath } from 'node:url';
+import { dirname, resolve } from 'node:path';
+
+// Guards the AGPL-3.0 -> MIT relicense (openspec license-debt-mit). If any of
+// these fail, AGPL-derived provenance has crept back in.
+const ROOT = resolve(dirname(fileURLToPath(import.meta.url)), '../../../../..');
+
+describe('license: MIT relicense guard', () => {
+  it('LICENSE is MIT (no Affero/AGPL text)', () => {
+    const license = readFileSync(resolve(ROOT, 'LICENSE'), 'utf8');
+    expect(license).toMatch(/^MIT License/);
+    expect(license).not.toMatch(/AFFERO|AGPL/i);
+  });
+
+  const PACKAGE_JSONS = [
+    'package.json',
+    'apps/server/package.json',
+    'apps/web/package.json',
+    'apps/coder/package.json',
+    'apps/booterm/package.json',
+  ];
+  for (const rel of PACKAGE_JSONS) {
+    it(`${rel} declares "license": "MIT"`, () => {
+      const pkg = JSON.parse(readFileSync(resolve(ROOT, rel), 'utf8')) as { license?: string };
+      expect(pkg.license).toBe('MIT');
+    });
+  }
+
+  // The three files that were ported from Unsloth Studio (AGPL-3.0-only) and
+  // cleared in this batch — they must carry no AGPL/Unsloth provenance.
+  const FORMERLY_AGPL = [
+    'apps/server/src/services/inference/tool-call-parser.ts',
+    'apps/server/src/services/web/html-to-md.ts',
+    'apps/server/src/services/inference/llama-args-validator.ts',
+  ];
+  for (const rel of FORMERLY_AGPL) {
+    it(`${rel} carries no AGPL / Unsloth provenance`, () => {
+      const src = readFileSync(resolve(ROOT, rel), 'utf8');
+      expect(src).not.toMatch(/AGPL/);
+      expect(src).not.toMatch(/SPDX-License-Identifier:\s*AGPL/);
+      expect(src).not.toMatch(/Unsloth/i);
+    });
+  }
+});

apps/server/src/services/__tests__/tool-call-parser.test.ts

@@ -4,18 +4,11 @@ import {
   parseInvokeToolCall,
   partialXmlOpenerStart,
   extractToolCallBlocks,
-  parseToolCallsFromText,
   stripToolMarkup,
-  hasToolSignal,
   XML_TOOL_OPEN,
   XML_TOOL_CLOSE,
   INVOKE_TOOL_OPEN,
   INVOKE_TOOL_CLOSE,
-  TOOL_XML_SIGNALS,
-  BUDGET_EXHAUSTED_NUDGE,
-  DUPLICATE_CALL_NUDGE,
-  TOOL_ERROR_NUDGE,
-  TOOL_ERROR_PREFIXES,
 } from '../inference/tool-call-parser.js';
 
 // ── Ported from xml-parser.test.ts ───────────────────────────────────────
@@ -301,38 +294,6 @@ describe('extractToolCallBlocks (v1.13.16 — unified extraction)', () => {
   });
 });
 
-// ── New tests: Unsloth-ported functions ──────────────────────────────────
-
-describe('hasToolSignal', () => {
-  it('returns true for <tool_call>', () => {
-    expect(hasToolSignal('prefix <tool_call> suffix')).toBe(true);
-  });
-
-  it('returns true for <function=', () => {
-    expect(hasToolSignal('prefix <function=view_file> suffix')).toBe(true);
-  });
-
-  it('returns true for <invoke', () => {
-    expect(hasToolSignal('prefix <invoke name="x"> suffix')).toBe(true);
-  });
-
-  it('returns false for near-miss <tool>', () => {
-    expect(hasToolSignal('prefix <tool> suffix')).toBe(false);
-  });
-
-  it('returns false for near-miss <function>', () => {
-    expect(hasToolSignal('prefix <function> suffix')).toBe(false);
-  });
-
-  it('returns false for near-miss <tool_call_thing>', () => {
-    expect(hasToolSignal('<tool_call_thing>')).toBe(false);
-  });
-
-  it('returns false for plain text', () => {
-    expect(hasToolSignal('just some text')).toBe(false);
-  });
-});
-
 describe('stripToolMarkup', () => {
   it('strips closed <tool_call> blocks', () => {
     const input = 'before <tool_call>{"name":"x"}</tool_call> after';
@@ -380,166 +341,11 @@ describe('stripToolMarkup', () => {
   });
 });
 
-describe('parseToolCallsFromText', () => {
-  describe('pattern 1: <tool_call>{json}</tool_call>', () => {
-    it('parses a well-formed JSON tool call', () => {
-      const input = '<tool_call>{"name":"web_search","arguments":{"query":"hello"}}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.id).toBe('call_0');
-      expect(calls[0]!.type).toBe('function');
-      expect(calls[0]!.function.name).toBe('web_search');
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ query: 'hello' });
-    });
-
-    it('handles string arguments field', () => {
-      const input = '<tool_call>{"name":"x","arguments":"already a string"}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls[0]!.function.arguments).toBe('already a string');
-    });
-
-    it('handles balanced braces inside JSON strings', () => {
-      const input = '<tool_call>{"name":"x","arguments":{"q":"} { extra "}}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      const parsed = JSON.parse(calls[0]!.function.arguments);
-      expect(parsed.q).toBe('} { extra ');
-    });
-
-    it('respects idOffset', () => {
-      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call>';
-      const calls = parseToolCallsFromText(input, { idOffset: 5 });
-      expect(calls[0]!.id).toBe('call_5');
-    });
-
-    it('parses multiple JSON tool calls', () => {
-      const input =
-        '<tool_call>{"name":"a","arguments":{}}</tool_call>' +
-        '<tool_call>{"name":"b","arguments":{}}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(2);
-      expect(calls[0]!.id).toBe('call_0');
-      expect(calls[1]!.id).toBe('call_1');
-    });
-
-    it('skips malformed JSON', () => {
-      const input = '<tool_call>{not json}</tool_call>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(0);
-    });
-
-    it('handles missing closing tag', () => {
-      const input = '<tool_call>{"name":"x","arguments":{"q":"hello"}}';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('x');
-    });
-  });
-
-  describe('pattern 2: <function=name><parameter=key>value', () => {
-    it('parses a single-parameter function call', () => {
-      const input = '<function=view_file><parameter=path>/tmp/foo</parameter></function>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('view_file');
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
-    });
-
-    it('single-param fast path preserves embedded </parameter>', () => {
-      const input = '<function=run_bash><parameter=command>echo "</parameter>"</parameter></function>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(JSON.parse(calls[0]!.function.arguments).command).toBe('echo "</parameter>"');
-    });
-
-    it('multi-param: value of first stops at start of second', () => {
-      const input = '<function=grep><parameter=pattern>foo</parameter><parameter=path>src/</parameter></function>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      const args = JSON.parse(calls[0]!.function.arguments);
-      expect(args.pattern).toBe('foo');
-      expect(args.path).toBe('src/');
-    });
-
-    it('tolerates missing closing tags', () => {
-      const input = '<function=view_file><parameter=path>/tmp/foo';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('view_file');
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
-    });
-
-    it('does not fire when pattern 1 found results', () => {
-      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call><function=b><parameter=x>y</parameter></function>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('a');
-    });
-  });
-
-  describe('pattern 3: <invoke name="..."><parameter name="...">value (Anthropic)', () => {
-    it('parses a single-parameter invoke call', () => {
-      const input = '<invoke name="view_file"><parameter name="path">/tmp/foo</parameter></invoke>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('view_file');
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
-    });
-
-    it('parses multi-parameter invoke call', () => {
-      const input = '<invoke name="grep"><parameter name="pattern">foo</parameter><parameter name="path">src/</parameter></invoke>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      const args = JSON.parse(calls[0]!.function.arguments);
-      expect(args.pattern).toBe('foo');
-      expect(args.path).toBe('src/');
-    });
-
-    it('does not fire when pattern 1 found results', () => {
-      const input = '<tool_call>{"name":"a","arguments":{}}</tool_call><invoke name="b"><parameter name="x">y</parameter></invoke>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('a');
-    });
-
-    it('does not fire when pattern 2 found results', () => {
-      const input = '<function=a><parameter=x>y</parameter></function><invoke name="b"><parameter name="x">y</parameter></invoke>';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('a');
-    });
-
-    it('tolerates missing closing tags', () => {
-      const input = '<invoke name="view_file"><parameter name="path">/tmp/foo';
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(JSON.parse(calls[0]!.function.arguments)).toEqual({ path: '/tmp/foo' });
-    });
-
-    it('supports single-quoted attributes', () => {
-      const input = "<invoke name='view_file'><parameter name='path'>/tmp/foo</parameter></invoke>";
-      const calls = parseToolCallsFromText(input);
-      expect(calls).toHaveLength(1);
-      expect(calls[0]!.function.name).toBe('view_file');
-    });
-  });
-});
-
-describe('constants', () => {
-  it('TOOL_XML_SIGNALS includes all three signal prefixes', () => {
-    expect(TOOL_XML_SIGNALS).toContain('<tool_call>');
-    expect(TOOL_XML_SIGNALS).toContain('<function=');
-    expect(TOOL_XML_SIGNALS).toContain('<invoke');
-  });
-
-  it('nudge constants are non-empty strings', () => {
-    expect(BUDGET_EXHAUSTED_NUDGE.length).toBeGreaterThan(0);
-    expect(DUPLICATE_CALL_NUDGE.length).toBeGreaterThan(0);
-    expect(TOOL_ERROR_NUDGE.length).toBeGreaterThan(0);
-  });
-
-  it('TOOL_ERROR_PREFIXES is a non-empty tuple', () => {
-    expect(TOOL_ERROR_PREFIXES.length).toBeGreaterThan(0);
-    expect(TOOL_ERROR_PREFIXES).toContain('Error');
+describe('delimiter constants', () => {
+  it('exports the expected delimiters', () => {
+    expect(INVOKE_TOOL_OPEN).toBe('<invoke');
+    expect(INVOKE_TOOL_CLOSE).toBe('</invoke>');
+    expect(XML_TOOL_OPEN).toBe('<tool_call>');
+    expect(XML_TOOL_CLOSE).toBe('</tool_call>');
   });
 });

apps/server/src/services/agents.ts

@@ -88,6 +88,12 @@ interface ParsedFrontmatter {
   top_k?: number;
   min_p?: number;
   presence_penalty?: number;
+  // v2.6 sampling-streamjson-tokens (#11): llama.cpp sampler extensions.
+  top_n_sigma?: number;
+  dry_multiplier?: number;
+  dry_base?: number;
+  dry_allowed_length?: number;
+  dry_penalty_last_n?: number;
   tools?: string[];
   description?: string;
   model?: string;
@@ -178,6 +184,63 @@ function parseFrontmatter(yaml: string): { data: ParsedFrontmatter; errors: stri
       } else {
         errors.push(`presence_penalty must be a number (got "${valueRaw}")`);
       }
+    } else if (key === 'top_n_sigma') {
+      // v2.6 #11: llama.cpp top-n-sigma sampler. Float ≥ 0 (typical 0-3).
+      // Mirrors top_p/min_p: store then warn on out-of-range (non-numeric
+      // hard-fails the block).
+      const n = Number(valueRaw);
+      if (Number.isFinite(n)) {
+        data.top_n_sigma = n;
+        if (n < 0) {
+          console.warn(`agents: top_n_sigma ${n} out of range (≥0), ignoring (falling back to default)`);
+        }
+      } else {
+        errors.push(`top_n_sigma must be a number (got "${valueRaw}")`);
+      }
+    } else if (key === 'dry_multiplier') {
+      // v2.6 #11: DRY repetition-penalty multiplier. Float ≥ 0 (0 disables DRY).
+      const n = Number(valueRaw);
+      if (Number.isFinite(n)) {
+        data.dry_multiplier = n;
+        if (n < 0) {
+          console.warn(`agents: dry_multiplier ${n} out of range (≥0), ignoring (falling back to default)`);
+        }
+      } else {
+        errors.push(`dry_multiplier must be a number (got "${valueRaw}")`);
+      }
+    } else if (key === 'dry_base') {
+      // v2.6 #11: DRY penalty growth base. Float ≥ 0.
+      const n = Number(valueRaw);
+      if (Number.isFinite(n)) {
+        data.dry_base = n;
+        if (n < 0) {
+          console.warn(`agents: dry_base ${n} out of range (≥0), ignoring (falling back to default)`);
+        }
+      } else {
+        errors.push(`dry_base must be a number (got "${valueRaw}")`);
+      }
+    } else if (key === 'dry_allowed_length') {
+      // v2.6 #11: DRY max sequence length not penalized. Integer ≥ 0.
+      const n = Number(valueRaw);
+      if (Number.isInteger(n)) {
+        data.dry_allowed_length = n;
+        if (n < 0) {
+          console.warn(`agents: dry_allowed_length ${n} out of range (≥0), ignoring (falling back to default)`);
+        }
+      } else {
+        errors.push(`dry_allowed_length must be an integer (got "${valueRaw}")`);
+      }
+    } else if (key === 'dry_penalty_last_n') {
+      // v2.6 #11: DRY lookback window. Integer ≥ -1 (-1 = whole context, 0 = off).
+      const n = Number(valueRaw);
+      if (Number.isInteger(n)) {
+        data.dry_penalty_last_n = n;
+        if (n < -1) {
+          console.warn(`agents: dry_penalty_last_n ${n} out of range (≥-1), ignoring (falling back to default)`);
+        }
+      } else {
+        errors.push(`dry_penalty_last_n must be an integer (got "${valueRaw}")`);
+      }
     } else if (key === 'tools') {
       if (valueRaw === '') {
         data.tools = [];
@@ -354,6 +417,11 @@ function parseAgentSection(section: RawSection): Omit<Agent, 'source'> {
     top_k: typeof fm.top_k === 'number' ? fm.top_k : null,
     min_p: typeof fm.min_p === 'number' ? fm.min_p : null,
     presence_penalty: typeof fm.presence_penalty === 'number' ? fm.presence_penalty : null,
+    top_n_sigma: typeof fm.top_n_sigma === 'number' ? fm.top_n_sigma : null,
+    dry_multiplier: typeof fm.dry_multiplier === 'number' ? fm.dry_multiplier : null,
+    dry_base: typeof fm.dry_base === 'number' ? fm.dry_base : null,
+    dry_allowed_length: typeof fm.dry_allowed_length === 'number' ? fm.dry_allowed_length : null,
+    dry_penalty_last_n: typeof fm.dry_penalty_last_n === 'number' ? fm.dry_penalty_last_n : null,
     tools: filteredTools,
     model: typeof fm.model === 'string' && fm.model.length > 0 ? fm.model : null,
     max_tool_calls: typeof fm.max_tool_calls === 'number' ? fm.max_tool_calls : null,

apps/server/src/services/coder-notify.ts

@@ -0,0 +1,64 @@
+// v2.6.10 Phase 3 (server wiring) — fire-and-forget BooCoder close hooks.
+//
+// BooCoder (apps/coder, host systemd) added close hooks in
+// apps/coder/src/routes/lifecycle.ts:
+//   POST /api/chats/:chatId/close      — evict the chat's warm (chat,agent)
+//                                        backends, close its opencode session,
+//                                        mark agent_sessions closed, and remove
+//                                        the shared worktree on the last chat.
+//   POST /api/sessions/:sessionId/close — loop the chat-close path for every
+//                                        chat in the session.
+//
+// apps/server (Docker) can't see the host worktree dirs or reach the warm agent
+// processes, so — exactly like the existing `worktree-risk` guard in
+// routes/sessions.ts — it signals the coder over HTTP and the coder does the
+// real teardown. This call is BEST-EFFORT: the coder's idle-pool eviction and
+// the orphan-worktree reaper backstop a missed/failed call. It MUST NEVER block
+// or fail the user's delete/archive — hence fire-and-forget with a swallowed
+// catch. We do not await the returned promise at the call sites.
+
+import type { FastifyBaseLogger } from 'fastify';
+
+export type CoderCloseKind = 'chat' | 'session';
+
+function coderOrigin(): string {
+  // Same env + default as routes/sessions.ts' worktree-risk fetch.
+  return process.env.BOOCODER_URL ?? 'http://boocoder:3000';
+}
+
+/**
+ * Fire-and-forget POST to the BooCoder close hook for a chat or session.
+ *
+ * Resolves to `true` if the coder acknowledged (HTTP 2xx), `false` otherwise
+ * (non-2xx or network error). Callers SHOULD NOT await this — invoke it and
+ * move on. The returned promise never rejects: every failure path is caught,
+ * logged at debug, and folded into a `false` result so an unreachable or
+ * erroring coder can't surface to the user's delete/archive request.
+ */
+export async function notifyCoderClose(
+  kind: CoderCloseKind,
+  id: string,
+  log?: Pick<FastifyBaseLogger, 'debug'>,
+  fetcher: typeof fetch = fetch,
+): Promise<boolean> {
+  const segment = kind === 'chat' ? 'chats' : 'sessions';
+  const url = `${coderOrigin()}/api/${segment}/${id}/close`;
+  try {
+    const res = await fetcher(url, { method: 'POST' });
+    if (!res.ok) {
+      log?.debug(
+        { kind, id, status: res.status },
+        'coder close hook returned non-2xx (best-effort; reaper backstops)',
+      );
+      return false;
+    }
+    log?.debug({ kind, id }, 'coder close hook acknowledged');
+    return true;
+  } catch (err) {
+    log?.debug(
+      { kind, id, err: err instanceof Error ? err.message : String(err) },
+      'coder close hook unreachable (best-effort; reaper backstops)',
+    );
+    return false;
+  }
+}

apps/server/src/services/inference/llama-args-validator.ts

@@ -1,80 +1,139 @@
-// SPDX-License-Identifier: AGPL-3.0-only
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
-// Ported from studio/backend/core/inference/llama_server_args.py.
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/llama_server_args.py
+// Guards against agent-supplied llama-server CLI flags that would clash with
+// values BooCode sets itself. Two concerns live here:
+//
+//   1. A hard denylist of flags that BooCode owns outright (model selection,
+//      the listening socket, credentials, the bundled web UI). Passing any of
+//      these is a configuration error and is rejected loudly.
+//
+//   2. A "shadowing" set of flags that are legal to pass but, because of
+//      llama.cpp's last-wins argument parsing, would override a first-class
+//      BooCode setting. These are silently removed from the auto-generated
+//      argv so the agent's explicit choice takes precedence without leaving a
+//      duplicate flag behind.
+//
+// All flag spellings below are the public llama-server option names (short and
+// long aliases) documented in its --help output.
 
-// Each group is the full set of aliases (short + long) for one hard-denied
-// flag, taken from the llama-server README. Flags NOT in this list pass
-// through and override auto-set values via llama.cpp's last-wins CLI parsing.
-const DENYLIST_GROUPS: ReadonlyArray<ReadonlySet<string>> = [
-  // Model identity
-  new Set(['-m', '--model']),
-  new Set(['-mu', '--model-url']),
-  new Set(['-dr', '--docker-repo']),
-  new Set(['-hf', '-hfr', '--hf-repo']),
-  new Set(['-hff', '--hf-file']),
-  new Set(['-hfv', '-hfrv', '--hf-repo-v']),
-  new Set(['-hffv', '--hf-file-v']),
-  new Set(['-hft', '--hf-token']),
-  new Set(['-mm', '--mmproj']),
-  new Set(['-mmu', '--mmproj-url']),
-  // Networking
-  new Set(['--host']),
-  new Set(['--port']),
-  new Set(['--path']),
-  new Set(['--api-prefix']),
-  new Set(['--reuse-port']),
-  // Auth / TLS
-  new Set(['--api-key']),
-  new Set(['--api-key-file']),
-  new Set(['--ssl-key-file']),
-  new Set(['--ssl-cert-file']),
-  // Single-model server / UI
-  new Set(['--webui', '--no-webui']),
-  new Set(['--ui', '--no-ui']),
-  new Set(['--ui-config']),
-  new Set(['--ui-config-file']),
-  new Set(['--ui-mcp-proxy', '--no-ui-mcp-proxy']),
-  new Set(['--models-dir']),
-  new Set(['--models-preset']),
-  new Set(['--models-max']),
-  new Set(['--models-autoload', '--no-models-autoload']),
+// --- Hard denylist -------------------------------------------------------
+
+// Authored as named buckets purely for readability; every alias is folded
+// into one flat lookup set at module load. Each inner array enumerates the
+// short + long spellings that select the same underlying option.
+const MODEL_SOURCE_FLAGS = [
+  ['-m', '--model'],
+  ['-mu', '--model-url'],
+  ['-dr', '--docker-repo'],
+  ['-hf', '-hfr', '--hf-repo'],
+  ['-hff', '--hf-file'],
+  ['-hfv', '-hfrv', '--hf-repo-v'],
+  ['-hffv', '--hf-file-v'],
+  ['-hft', '--hf-token'],
+  ['-mm', '--mmproj'],
+  ['-mmu', '--mmproj-url'],
 ];
 
-const DENYLIST: ReadonlySet<string> = new Set(
-  DENYLIST_GROUPS.flatMap((g) => [...g]),
+const LISTEN_FLAGS = [
+  ['--host'],
+  ['--port'],
+  ['--path'],
+  ['--api-prefix'],
+  ['--reuse-port'],
+];
+
+const CREDENTIAL_FLAGS = [
+  ['--api-key'],
+  ['--api-key-file'],
+  ['--ssl-key-file'],
+  ['--ssl-cert-file'],
+];
+
+const WEBUI_FLAGS = [
+  ['--webui', '--no-webui'],
+  ['--ui', '--no-ui'],
+  ['--ui-config'],
+  ['--ui-config-file'],
+  ['--ui-mcp-proxy', '--no-ui-mcp-proxy'],
+  ['--models-dir'],
+  ['--models-preset'],
+  ['--models-max'],
+  ['--models-autoload', '--no-models-autoload'],
+];
+
+const MANAGED_FLAGS: ReadonlySet<string> = new Set(
+  [
+    ...MODEL_SOURCE_FLAGS,
+    ...LISTEN_FLAGS,
+    ...CREDENTIAL_FLAGS,
+    ...WEBUI_FLAGS,
+  ].flat(),
 );
 
-function flagName(token: string): string | null {
-  if (!token.startsWith('-') || token === '-' || token === '--') return null;
-  if (token.length >= 2 && (token[1]!.match(/\d/) || token[1] === '.')) return null;
-  return token.split('=', 1)[0]!;
+// --- Token parsing -------------------------------------------------------
+
+const DIGIT = /^[0-9]$/;
+
+/**
+ * Extract the flag name from a single argv token, or `null` when the token is
+ * not a flag.
+ *
+ * A token is treated as a flag only when it begins with `-` and the character
+ * after the leading dash is neither a digit nor a decimal point — that rule
+ * keeps negative numeric values such as `-1` or `-0.5` from being mistaken for
+ * options. A bare `-` or `--` is not a flag either. The returned name is the
+ * portion before any `=`, so `--ctx-size=4096` yields `--ctx-size`.
+ */
+function parseFlag(token: string): string | null {
+  if (!token.startsWith('-')) return null;
+  if (token === '-' || token === '--') return null;
+
+  const second = token[1]!;
+  if (DIGIT.test(second) || second === '.') return null;
+
+  const eq = token.indexOf('=');
+  return eq === -1 ? token : token.slice(0, eq);
 }
 
+// --- Public API ----------------------------------------------------------
+
+/**
+ * Validate a sequence of extra llama-server args, rejecting any that name a
+ * BooCode-managed flag. Returns the args materialised as a string[] when they
+ * all pass.
+ */
 export function validateExtraArgs(args?: Iterable<string>): string[] {
-  if (!args) return [];
-  const out: string[] = [];
-  for (const raw of args) {
-    const token = String(raw);
-    const flag = flagName(token);
-    if (flag !== null && DENYLIST.has(flag)) {
+  const result: string[] = [];
+  if (!args) return result;
+
+  for (const entry of args) {
+    const token = String(entry);
+    const flag = parseFlag(token);
+    if (flag !== null && MANAGED_FLAGS.has(flag)) {
       throw new Error(
         `llama-server flag '${flag}' is managed and cannot be passed as an extra arg`,
       );
     }
-    out.push(token);
+    result.push(token);
   }
-  return out;
+
+  return result;
 }
 
+/** True when `flag` is a BooCode-managed flag that callers may not override. */
 export function isManagedFlag(flag: string): boolean {
-  return DENYLIST.has(flag);
+  return MANAGED_FLAGS.has(flag);
 }
 
-// Shadowing flag groups: pass-through flags that shadow first-class settings.
-const CONTEXT_FLAGS = new Set(['-c', '--ctx-size']);
-const CACHE_FLAGS = new Set(['-ctk', '--cache-type-k', '-ctv', '--cache-type-v']);
-const SPEC_FLAGS = new Set([
+// --- Shadowing flags -----------------------------------------------------
+
+// Flags below are legal for an agent to pass, but each shadows a setting
+// BooCode applies itself. They are categorised so a caller can opt out of
+// stripping any one category.
+
+const SHADOW_CONTEXT = ['-c', '--ctx-size'];
+
+const SHADOW_CACHE = ['-ctk', '--cache-type-k', '-ctv', '--cache-type-v'];
+
+const SHADOW_SPEC = [
   '--spec-default',
   '--spec-type',
   '--spec-ngram-size-n',
@@ -88,17 +147,22 @@ const SPEC_FLAGS = new Set([
   '--spec-ngram-mod-n-match',
   '--spec-ngram-mod-n-min',
   '--spec-ngram-mod-n-max',
-]);
-const TEMPLATE_FLAGS = new Set([
+];
+
+const SHADOW_TEMPLATE = [
   '--chat-template',
   '--chat-template-file',
   '--chat-template-kwargs',
   '--jinja',
   '--no-jinja',
-]);
+];
 
-const BOOLEAN_SHADOWING_FLAGS = new Set([
-  '--spec-default', '--jinja', '--no-jinja',
+// Shadowing flags that take no value — a boolean switch — so the stripper must
+// not also drop the following token.
+const VALUELESS_SHADOW_FLAGS: ReadonlySet<string> = new Set([
+  '--spec-default',
+  '--jinja',
+  '--no-jinja',
 ]);
 
 export interface StripOptions {
@@ -108,35 +172,49 @@ export interface StripOptions {
   stripTemplate?: boolean;
 }
 
+/**
+ * Remove shadowing flags (and their values) from an argv sequence.
+ *
+ * Each category is stripped by default; pass the matching `strip*: false`
+ * option to retain that category. When a stripped flag carries its value as a
+ * separate following token (e.g. `-c 4096`), that token is removed too; the
+ * `--flag=value` and boolean-switch forms consume only the single token.
+ */
 export function stripShadowingFlags(
   args: Iterable<string>,
   opts?: StripOptions,
 ): string[] {
-  const shadowing = new Set<string>();
-  if (opts?.stripContext !== false) for (const f of CONTEXT_FLAGS) shadowing.add(f);
-  if (opts?.stripCache !== false) for (const f of CACHE_FLAGS) shadowing.add(f);
-  if (opts?.stripSpec !== false) for (const f of SPEC_FLAGS) shadowing.add(f);
-  if (opts?.stripTemplate !== false) for (const f of TEMPLATE_FLAGS) shadowing.add(f);
+  const targets = new Set<string>();
+  if (opts?.stripContext !== false) for (const f of SHADOW_CONTEXT) targets.add(f);
+  if (opts?.stripCache !== false) for (const f of SHADOW_CACHE) targets.add(f);
+  if (opts?.stripSpec !== false) for (const f of SHADOW_SPEC) targets.add(f);
+  if (opts?.stripTemplate !== false) for (const f of SHADOW_TEMPLATE) targets.add(f);
 
-  const tokens = [...args].map(String);
-  const out: string[] = [];
-  let i = 0;
-  const n = tokens.length;
-  while (i < n) {
-    const tok = tokens[i]!;
-    const flag = flagName(tok);
-    if (flag === null || !shadowing.has(flag)) {
-      out.push(tok);
-      i++;
+  const tokens = Array.from(args, String);
+  const kept: string[] = [];
+
+  for (let i = 0; i < tokens.length; i++) {
+    const token = tokens[i]!;
+    const flag = parseFlag(token);
+
+    // Not a targeted shadow flag — keep it verbatim.
+    if (flag === null || !targets.has(flag)) {
+      kept.push(token);
       continue;
     }
-    if (BOOLEAN_SHADOWING_FLAGS.has(flag) || tok.includes('=')) {
-      i++;
-    } else if (i + 1 < n && flagName(tokens[i + 1]!) === null) {
-      i += 2;
-    } else {
-      i++;
+
+    // Targeted: drop it. Decide whether the next token is its value and should
+    // be dropped along with it. Boolean switches and the inline `=value` form
+    // carry no separate value token.
+    const carriesInlineValue = token.includes('=');
+    const isBoolean = VALUELESS_SHADOW_FLAGS.has(flag);
+    const next = tokens[i + 1];
+    const nextIsValue = next !== undefined && parseFlag(next) === null;
+
+    if (!isBoolean && !carriesInlineValue && nextIsValue) {
+      i++; // also skip the value token
     }
   }
-  return out;
+
+  return kept;
 }

apps/server/src/services/inference/sentinel-summaries.ts

@@ -86,7 +86,7 @@ export async function runCapHitSummary(
       ctx,
       session.model,
       messages,
-      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined },
+      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined, top_n_sigma: agent?.top_n_sigma ?? undefined, dry_multiplier: agent?.dry_multiplier ?? undefined, dry_base: agent?.dry_base ?? undefined, dry_allowed_length: agent?.dry_allowed_length ?? undefined, dry_penalty_last_n: agent?.dry_penalty_last_n ?? undefined },
       (delta) => {
         accumulated += delta;
         ctx.publish(sessionId, {
@@ -346,7 +346,7 @@ export async function runDoomLoopSummary(
       ctx,
       session.model,
       messages,
-      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined },
+      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined, top_n_sigma: agent?.top_n_sigma ?? undefined, dry_multiplier: agent?.dry_multiplier ?? undefined, dry_base: agent?.dry_base ?? undefined, dry_allowed_length: agent?.dry_allowed_length ?? undefined, dry_penalty_last_n: agent?.dry_penalty_last_n ?? undefined },
       (delta) => {
         accumulated += delta;
         ctx.publish(sessionId, {
@@ -545,7 +545,7 @@ export async function runStepCapSummary(
       ctx,
       session.model,
       messages,
-      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined },
+      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined, top_n_sigma: agent?.top_n_sigma ?? undefined, dry_multiplier: agent?.dry_multiplier ?? undefined, dry_base: agent?.dry_base ?? undefined, dry_allowed_length: agent?.dry_allowed_length ?? undefined, dry_penalty_last_n: agent?.dry_penalty_last_n ?? undefined },
       (delta) => {
         accumulated += delta;
         ctx.publish(sessionId, {

apps/server/src/services/inference/stream-phase.ts

@@ -33,6 +33,39 @@ interface StreamOptions {
   top_k?: number | null;
   min_p?: number | null;
   presence_penalty?: number | null;
+  // v2.6 sampling-streamjson-tokens (#11): llama.cpp sampler extensions. These
+  // are NOT standard AI-SDK streamText options and are NOT serialized by the
+  // openai-compatible provider's standardized-settings path (topK is even
+  // explicitly dropped with an "unsupported feature: topK" warning). They reach
+  // llama-server only via providerOptions.openaiCompatible (see buildSamplerProviderOptions).
+  top_n_sigma?: number | null;
+  dry_multiplier?: number | null;
+  dry_base?: number | null;
+  dry_allowed_length?: number | null;
+  dry_penalty_last_n?: number | null;
+}
+
+// v2.6 #11: build the providerOptions.openaiCompatible extraBody object for the
+// llama.cpp sampler extensions. @ai-sdk/openai-compatible (2.0.47) merges every
+// non-reserved key under providerOptions.openaiCompatible straight into the
+// chat-completion request body (see its getArgs: the Object.fromEntries spread
+// filtered against openaiCompatibleLanguageModelChatOptions.shape). This is the
+// ONLY working passthrough for these params:
+//   - top_k / min_p were latently dropped before this: top_k was passed as the
+//     AI-SDK `topK` setting which the openai-compatible provider rejects as
+//     unsupported; min_p was never passed to streamText at all.
+//   - top_n_sigma + the dry_* family have no AI-SDK equivalent.
+// Keys use llama-server's snake_case body names so they land verbatim.
+function buildSamplerProviderOptions(opts: StreamOptions): Record<string, number> | undefined {
+  const body: Record<string, number> = {};
+  if (typeof opts.top_k === 'number') body.top_k = opts.top_k;
+  if (typeof opts.min_p === 'number') body.min_p = opts.min_p;
+  if (typeof opts.top_n_sigma === 'number') body.top_n_sigma = opts.top_n_sigma;
+  if (typeof opts.dry_multiplier === 'number') body.dry_multiplier = opts.dry_multiplier;
+  if (typeof opts.dry_base === 'number') body.dry_base = opts.dry_base;
+  if (typeof opts.dry_allowed_length === 'number') body.dry_allowed_length = opts.dry_allowed_length;
+  if (typeof opts.dry_penalty_last_n === 'number') body.dry_penalty_last_n = opts.dry_penalty_last_n;
+  return Object.keys(body).length > 0 ? body : undefined;
 }
 
 // v1.13.1-A: convert BooCode's OpenAI-shaped history into AI SDK
@@ -195,6 +228,14 @@ export async function streamCompletion(
     return toolCall;
   };
 
+  // v2.6 #11: llama.cpp sampler extensions (top_k, min_p, top_n_sigma, dry_*)
+  // ride providerOptions.openaiCompatible — they are NOT standardized streamText
+  // settings. NB: top_k used to be passed below as the AI-SDK `topK` setting;
+  // the openai-compatible provider dropped it with an "unsupported feature: topK"
+  // warning and min_p was never wired at all, so both were dead on the wire
+  // before this. They now go through the same extraBody path as the new params.
+  const samplerBody = buildSamplerProviderOptions(opts);
+
   const result = streamText({
     model: upstreamModel(ctx.config, model, agent ?? null),
     messages: aiMessages,
@@ -203,8 +244,8 @@ export async function streamCompletion(
       : {}),
     ...(typeof opts.temperature === 'number' ? { temperature: opts.temperature } : {}),
     ...(typeof opts.top_p === 'number' ? { topP: opts.top_p } : {}),
-    ...(typeof opts.top_k === 'number' ? { topK: opts.top_k } : {}),
     ...(typeof opts.presence_penalty === 'number' ? { presencePenalty: opts.presence_penalty } : {}),
+    ...(samplerBody ? { providerOptions: { openaiCompatible: samplerBody } } : {}),
     abortSignal: signal,
   });
 
@@ -398,6 +439,12 @@ export async function executeStreamPhase(
   const effectiveTopK = agent?.top_k ?? undefined;
   const effectiveMinP = agent?.min_p ?? undefined;
   const effectivePresencePenalty = agent?.presence_penalty ?? undefined;
+  // v2.6 #11: llama.cpp sampler extensions, threaded the same way as top_k/min_p.
+  const effectiveTopNSigma = agent?.top_n_sigma ?? undefined;
+  const effectiveDryMultiplier = agent?.dry_multiplier ?? undefined;
+  const effectiveDryBase = agent?.dry_base ?? undefined;
+  const effectiveDryAllowedLength = agent?.dry_allowed_length ?? undefined;
+  const effectiveDryPenaltyLastN = agent?.dry_penalty_last_n ?? undefined;
 
   // v1.12.2: ctx_max lookup is cached after the first hit per model, so this
   // is a Map probe in steady state. We capture nCtx once at the top of the
@@ -435,7 +482,19 @@ export async function executeStreamPhase(
       ctx,
       session.model,
       messages,
-      { tools: effectiveTools, temperature: effectiveTemperature, top_p: effectiveTopP, top_k: effectiveTopK, min_p: effectiveMinP, presence_penalty: effectivePresencePenalty },
+      {
+        tools: effectiveTools,
+        temperature: effectiveTemperature,
+        top_p: effectiveTopP,
+        top_k: effectiveTopK,
+        min_p: effectiveMinP,
+        presence_penalty: effectivePresencePenalty,
+        top_n_sigma: effectiveTopNSigma,
+        dry_multiplier: effectiveDryMultiplier,
+        dry_base: effectiveDryBase,
+        dry_allowed_length: effectiveDryAllowedLength,
+        dry_penalty_last_n: effectiveDryPenaltyLastN,
+      },
       (delta) => {
         state.accumulated += delta;
         ctx.publish(sessionId, {

apps/server/src/services/inference/tool-call-parser.ts

@@ -1,7 +1,7 @@
-// SPDX-License-Identifier: AGPL-3.0-only
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
-// Ported from studio/backend/core/inference/tool_call_parser.py.
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/tool_call_parser.py
+// Streaming tool-call extraction for the qwen3.6 XML fallback path.
+// `extractToolCallBlocks` is the incremental streaming scanner used by
+// stream-phase.ts; `stripToolMarkup` removes tool-call wire markup from
+// assistant prose (used by tool-phase.ts and error-handler.ts).
 
 // ── Constants ────────────────────────────────────────────────────────────
 
@@ -10,34 +10,6 @@ export const XML_TOOL_CLOSE = '</tool_call>';
 export const INVOKE_TOOL_OPEN = '<invoke';
 export const INVOKE_TOOL_CLOSE = '</invoke>';
 
-export const TOOL_XML_SIGNALS = [XML_TOOL_OPEN, '<function=', INVOKE_TOOL_OPEN] as const;
-
-export const TOOL_ERROR_PREFIXES = [
-  'Error',
-  'Search failed',
-  'Execution error',
-  'Blocked:',
-  'Exit code',
-  'Failed to fetch',
-  'Failed to resolve',
-  'No query provided',
-] as const;
-
-export const DUPLICATE_CALL_NUDGE =
-  'You already made this exact call. Do not repeat the same tool ' +
-  'call. Try a different approach: fetch a URL from previous ' +
-  'results, use Python to process data you already have, or ' +
-  'provide your final answer now.';
-
-export const TOOL_ERROR_NUDGE =
-  '\n\nThe tool call encountered an issue. Please try a different ' +
-  'approach or rephrase your request.';
-
-export const BUDGET_EXHAUSTED_NUDGE =
-  'You have used all available tool calls. Based on everything you ' +
-  'have found so far, provide your final answer now. Do not call ' +
-  'any more tools.';
-
 // ── Strip patterns ───────────────────────────────────────────────────────
 
 const TOOL_CLOSED_PATS = [
@@ -53,7 +25,7 @@ const TOOL_ALL_PATS = [
   /<invoke\s[^>]*>.*$/gs,
 ];
 
-// ── Strip / signal ───────────────────────────────────────────────────────
+// ── Strip ────────────────────────────────────────────────────────────────
 
 export function stripToolMarkup(text: string, opts?: { final?: boolean }): string {
   const pats = opts?.final ? TOOL_ALL_PATS : TOOL_CLOSED_PATS;
@@ -63,206 +35,6 @@ export function stripToolMarkup(text: string, opts?: { final?: boolean }): strin
   return opts?.final ? text.trim() : text;
 }
 
-export function hasToolSignal(text: string): boolean {
-  return TOOL_XML_SIGNALS.some((s) => text.includes(s));
-}
-
-// ── parseToolCallsFromText (Unsloth port + Anthropic extension) ──────────
-
-export interface OpenAiToolCall {
-  id: string;
-  type: 'function';
-  function: { name: string; arguments: string };
-}
-
-const TC_JSON_START_RE = /<tool_call>\s*\{/g;
-const TC_FUNC_START_RE = /<function=(\w+)>\s*/g;
-const TC_END_TAG_RE = /<\/tool_call>/;
-const TC_FUNC_CLOSE_RE = /\s*<\/function>\s*$/;
-const TC_PARAM_START_RE = /<parameter=(\w+)>\s*/g;
-const TC_PARAM_CLOSE_RE = /\s*<\/parameter>\s*$/;
-
-const TC_INVOKE_START_RE = /<invoke\s+name\s*=\s*(?:"([^"]*)"|'([^']*)')\s*>/g;
-const TC_INVOKE_CLOSE_RE = /\s*<\/invoke>\s*$/;
-const TC_INVOKE_PARAM_RE = /<parameter\s+name\s*=\s*(?:"([^"]*)"|'([^']*)')\s*>/g;
-const TC_INVOKE_PARAM_CLOSE_RE = /\s*<\/parameter>\s*$/;
-
-function scanBalancedBraces(content: string, start: number): number {
-  let depth = 0;
-  let i = start;
-  let inString = false;
-  while (i < content.length) {
-    const ch = content[i]!;
-    if (inString) {
-      if (ch === '\\' && i + 1 < content.length) {
-        i += 2;
-        continue;
-      }
-      if (ch === '"') inString = false;
-    } else if (ch === '"') {
-      inString = true;
-    } else if (ch === '{') {
-      depth++;
-    } else if (ch === '}') {
-      depth--;
-      if (depth === 0) return i;
-    }
-    i++;
-  }
-  return -1;
-}
-
-export function parseToolCallsFromText(
-  content: string,
-  opts?: { idOffset?: number },
-): OpenAiToolCall[] {
-  const toolCalls: OpenAiToolCall[] = [];
-  const idOffset = opts?.idOffset ?? 0;
-
-  // Pattern 1: <tool_call>{json}</tool_call> -- balanced-brace JSON scanner.
-  // Skips braces inside JSON strings so nested objects parse correctly.
-  TC_JSON_START_RE.lastIndex = 0;
-  let m: RegExpExecArray | null;
-  while ((m = TC_JSON_START_RE.exec(content)) !== null) {
-    const braceStart = m.index + m[0].length - 1;
-    const braceEnd = scanBalancedBraces(content, braceStart);
-    if (braceEnd === -1) continue;
-    const jsonStr = content.slice(braceStart, braceEnd + 1);
-    try {
-      const obj = JSON.parse(jsonStr) as Record<string, unknown>;
-      const name = typeof obj.name === 'string' ? obj.name : '';
-      let args: string;
-      const rawArgs = obj.arguments ?? {};
-      if (typeof rawArgs === 'string') {
-        args = rawArgs;
-      } else {
-        args = JSON.stringify(rawArgs);
-      }
-      toolCalls.push({
-        id: `call_${idOffset + toolCalls.length}`,
-        type: 'function',
-        function: { name, arguments: args },
-      });
-    } catch {
-      // malformed JSON -- skip
-    }
-  }
-
-  // Pattern 2: <function=name><parameter=key>value -- closing tags optional.
-  // Body boundary uses </tool_call> or next <function= (not </function>,
-  // because code parameter values can contain that literal).
-  if (toolCalls.length === 0) {
-    TC_FUNC_START_RE.lastIndex = 0;
-    const funcStarts: Array<{ match: RegExpExecArray; name: string }> = [];
-    while ((m = TC_FUNC_START_RE.exec(content)) !== null) {
-      funcStarts.push({ match: m, name: m[1]! });
-    }
-    for (let idx = 0; idx < funcStarts.length; idx++) {
-      const { match: fm, name: funcName } = funcStarts[idx]!;
-      const bodyStart = fm.index + fm[0].length;
-      const nextFunc = idx + 1 < funcStarts.length
-        ? funcStarts[idx + 1]!.match.index
-        : content.length;
-      const endTag = TC_END_TAG_RE.exec(content.slice(bodyStart));
-      let bodyEnd = endTag ? bodyStart + endTag.index : content.length;
-      bodyEnd = Math.min(bodyEnd, nextFunc);
-      let body = content.slice(bodyStart, bodyEnd);
-      body = body.replace(TC_FUNC_CLOSE_RE, '');
-
-      const args: Record<string, string> = {};
-      TC_PARAM_START_RE.lastIndex = 0;
-      const paramStarts: Array<{ match: RegExpExecArray; name: string }> = [];
-      let pm: RegExpExecArray | null;
-      while ((pm = TC_PARAM_START_RE.exec(body)) !== null) {
-        paramStarts.push({ match: pm, name: pm[1]! });
-      }
-      if (paramStarts.length === 1) {
-        // Single param: take everything to body end so embedded
-        // </parameter> in code strings is preserved.
-        const p = paramStarts[0]!;
-        let val = body.slice(p.match.index + p.match[0].length);
-        val = val.replace(TC_PARAM_CLOSE_RE, '');
-        args[p.name] = val.trim();
-      } else {
-        for (let pidx = 0; pidx < paramStarts.length; pidx++) {
-          const p = paramStarts[pidx]!;
-          const valStart = p.match.index + p.match[0].length;
-          const nextParam = pidx + 1 < paramStarts.length
-            ? paramStarts[pidx + 1]!.match.index
-            : body.length;
-          let val = body.slice(valStart, nextParam);
-          val = val.replace(TC_PARAM_CLOSE_RE, '');
-          args[p.name] = val.trim();
-        }
-      }
-
-      toolCalls.push({
-        id: `call_${idOffset + toolCalls.length}`,
-        type: 'function',
-        function: { name: funcName, arguments: JSON.stringify(args) },
-      });
-    }
-  }
-
-  // Pattern 3: <invoke name="..."><parameter name="...">value -- Anthropic
-  // shape that qwen3.6 drifts to from Claude Code documentation residue.
-  // Closing tags optional; same single-param fast path as pattern 2.
-  if (toolCalls.length === 0) {
-    TC_INVOKE_START_RE.lastIndex = 0;
-    const invokeStarts: Array<{ match: RegExpExecArray; name: string }> = [];
-    while ((m = TC_INVOKE_START_RE.exec(content)) !== null) {
-      const name = (m[1] ?? m[2] ?? '').trim();
-      if (name) invokeStarts.push({ match: m, name });
-    }
-    for (let idx = 0; idx < invokeStarts.length; idx++) {
-      const { match: im, name: invokeName } = invokeStarts[idx]!;
-      const bodyStart = im.index + im[0].length;
-      const nextInvoke = idx + 1 < invokeStarts.length
-        ? invokeStarts[idx + 1]!.match.index
-        : content.length;
-      const closeTag = content.slice(bodyStart).match(/<\/invoke>/);
-      let bodyEnd = closeTag ? bodyStart + (closeTag.index ?? 0) : content.length;
-      bodyEnd = Math.min(bodyEnd, nextInvoke);
-      let body = content.slice(bodyStart, bodyEnd);
-      body = body.replace(TC_INVOKE_CLOSE_RE, '');
-
-      const args: Record<string, string> = {};
-      TC_INVOKE_PARAM_RE.lastIndex = 0;
-      const paramStarts: Array<{ match: RegExpExecArray; name: string }> = [];
-      let pm: RegExpExecArray | null;
-      while ((pm = TC_INVOKE_PARAM_RE.exec(body)) !== null) {
-        const pname = (pm[1] ?? pm[2] ?? '').trim();
-        if (pname) paramStarts.push({ match: pm, name: pname });
-      }
-      if (paramStarts.length === 1) {
-        const p = paramStarts[0]!;
-        let val = body.slice(p.match.index + p.match[0].length);
-        val = val.replace(TC_INVOKE_PARAM_CLOSE_RE, '');
-        args[p.name] = val.trim();
-      } else {
-        for (let pidx = 0; pidx < paramStarts.length; pidx++) {
-          const p = paramStarts[pidx]!;
-          const valStart = p.match.index + p.match[0].length;
-          const nextParam = pidx + 1 < paramStarts.length
-            ? paramStarts[pidx + 1]!.match.index
-            : body.length;
-          let val = body.slice(valStart, nextParam);
-          val = val.replace(TC_INVOKE_PARAM_CLOSE_RE, '');
-          args[p.name] = val.trim();
-        }
-      }
-
-      toolCalls.push({
-        id: `call_${idOffset + toolCalls.length}`,
-        type: 'function',
-        function: { name: invokeName, arguments: JSON.stringify(args) },
-      });
-    }
-  }
-
-  return toolCalls;
-}
-
 // ── BooCode streaming helpers ────────────────────────────────────────────
 
 export interface ParsedCall {

apps/server/src/services/web/html-to-md.ts

@@ -1,347 +1,24 @@
-// SPDX-License-Identifier: AGPL-3.0-only
-// Copyright 2026-present the Unsloth AI Inc. team. All rights reserved.
-// Ported from studio/backend/core/inference/_html_to_md.py.
-// Original: https://github.com/unslothai/unsloth/blob/main/studio/backend/core/inference/_html_to_md.py
+import { NodeHtmlMarkdown } from 'node-html-markdown';
 
-import { parse, type DefaultTreeAdapterTypes } from 'parse5';
-
-type Document = DefaultTreeAdapterTypes.Document;
-type ChildNode = DefaultTreeAdapterTypes.ChildNode;
-type Element = DefaultTreeAdapterTypes.Element;
-type TextNode = DefaultTreeAdapterTypes.TextNode;
-
-const SKIP_TAGS = new Set([
-  'script', 'style', 'head', 'noscript', 'svg', 'math', 'nav', 'footer',
-]);
-
-const BLOCK_TAGS = new Set([
-  'p', 'div', 'section', 'article', 'main', 'aside', 'figure',
-  'figcaption', 'details', 'summary', 'dl', 'dt', 'dd',
-]);
-
-const HEADING_TAGS = new Set(['h1', 'h2', 'h3', 'h4', 'h5', 'h6']);
-
-const INLINE_EMPHASIS: Record<string, string> = {
-  strong: '**', b: '**', em: '*', i: '*',
+// MIT-licensed HTML→Markdown rendering for the web_fetch tool. Output feeds an
+// LLM, so structural fidelity matters more than exact whitespace.
+const OPTIONS = {
+  // GFM-style emphasis markers (matches what most models expect).
+  emDelimiter: '*',
+  strongDelimiter: '**',
+  bulletMarker: '*',
+  codeFence: '```',
+  codeBlockStyle: 'fenced' as const,
+  // Always use []() syntax for links rather than <url> autolinks.
+  useInlineLinks: false,
+  // Collapse runs of blank lines to a single separator.
+  maxConsecutiveNewlines: 1,
+  // Strip non-content elements entirely (script/style are skipped by default,
+  // but listing them here is explicit; head/nav/footer/etc. drop their text).
+  ignore: ['script', 'style', 'head', 'noscript', 'svg', 'math', 'nav', 'footer'],
 };
 
-function isElement(node: ChildNode): node is Element {
-  return 'tagName' in node;
-}
-
-function isText(node: ChildNode): node is TextNode {
-  return node.nodeName === '#text';
-}
-
-class MarkdownRenderer {
-  private out: string[] = [];
-
-  private inLink = false;
-  private linkHref: string | null = null;
-  private linkTextParts: string[] = [];
-
-  private listStack: string[] = [];
-  private olCounter: number[] = [];
-
-  private inTable = false;
-  private currentRow: string[] = [];
-  private cellParts: string[] = [];
-  private inCell = false;
-  private headerRowDone = false;
-  private rowHasTh = false;
-  private isFirstRow = false;
-
-  private inPre = false;
-  private preParts: string[] = [];
-  private preLanguage: string | null = null;
-  private inInlineCode = false;
-
-  private bqStack: string[][] = [];
-
-  private emit(text: string): void {
-    if (this.inLink) {
-      this.linkTextParts.push(text);
-    } else if (this.inCell) {
-      this.cellParts.push(text);
-    } else if (this.inPre) {
-      this.preParts.push(text);
-    } else if (this.bqStack.length > 0) {
-      this.bqStack[this.bqStack.length - 1]!.push(text);
-    } else {
-      this.out.push(text);
-    }
-  }
-
-  private prefixBlockquote(content: string): string {
-    content = content.replace(/[ \t]+$/gm, '');
-    content = content.replace(/\n{3,}/g, '\n\n').trim();
-    if (!content) return '';
-    return content.split('\n').map(line =>
-      line.trim() ? '> ' + line : '>'
-    ).join('\n');
-  }
-
-  private finishCell(): void {
-    if (!this.inCell) return;
-    this.inCell = false;
-    let cellText = this.cellParts.join('').trim().replace(/\n/g, ' ');
-    cellText = cellText.replace(/\|/g, '\\|');
-    this.currentRow.push(cellText);
-    this.cellParts = [];
-  }
-
-  private finishRow(): void {
-    if (this.currentRow.length === 0) return;
-    const line = '| ' + this.currentRow.join(' | ') + ' |';
-    this.emit(line + '\n');
-    if (!this.headerRowDone && (this.rowHasTh || this.isFirstRow)) {
-      const sep = '| ' + this.currentRow.map(() => '---').join(' | ') + ' |';
-      this.emit(sep + '\n');
-      this.headerRowDone = true;
-    }
-    this.isFirstRow = false;
-    this.currentRow = [];
-    this.rowHasTh = false;
-  }
-
-  private finishLink(): void {
-    const text = this.linkTextParts.join('').replace(/\s+/g, ' ').trim();
-    const href = this.linkHref ?? '';
-    this.inLink = false;
-    if (href && text) {
-      this.emit(`[${text}](${href})`);
-    } else if (text) {
-      this.emit(text);
-    }
-  }
-
-  private getAttr(el: Element, name: string): string | undefined {
-    return el.attrs.find(a => a.name === name)?.value;
-  }
-
-  private handleOpen(el: Element): void {
-    const tag = el.tagName.toLowerCase();
-
-    if (HEADING_TAGS.has(tag)) {
-      const level = parseInt(tag[1]!, 10);
-      this.emit('\n\n' + '#'.repeat(level) + ' ');
-    } else if (tag === 'a') {
-      this.linkHref = this.getAttr(el, 'href') ?? null;
-      this.linkTextParts = [];
-      this.inLink = true;
-    } else if (tag in INLINE_EMPHASIS) {
-      this.emit(INLINE_EMPHASIS[tag]!);
-    } else if (tag === 'br') {
-      this.emit('\n');
-    } else if (BLOCK_TAGS.has(tag)) {
-      this.emit('\n\n');
-    } else if (tag === 'hr') {
-      this.emit('\n\n---\n\n');
-    } else if (tag === 'blockquote') {
-      this.emit('\n\n');
-      this.bqStack.push([]);
-    } else if (tag === 'ul') {
-      this.listStack.push('ul');
-      this.emit('\n');
-    } else if (tag === 'ol') {
-      this.listStack.push('ol');
-      const startAttr = this.getAttr(el, 'start');
-      let start = 1;
-      if (startAttr != null) {
-        const parsed = parseInt(startAttr, 10);
-        if (!isNaN(parsed)) start = parsed;
-      }
-      this.olCounter.push(start - 1);
-      this.emit('\n');
-    } else if (tag === 'li') {
-      const indent = '  '.repeat(Math.max(0, this.listStack.length - 1));
-      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ol') {
-        if (this.olCounter.length > 0) {
-          this.olCounter[this.olCounter.length - 1]!++;
-          this.emit(`\n${indent}${this.olCounter[this.olCounter.length - 1]}. `);
-        } else {
-          this.emit(`\n${indent}1. `);
-        }
-      } else {
-        this.emit(`\n${indent}* `);
-      }
-    } else if (tag === 'pre') {
-      this.preParts = [];
-      this.inPre = true;
-      this.preLanguage = null;
-      const codeChild = el.childNodes.find(
-        (c): c is Element => isElement(c) && c.tagName === 'code'
-      );
-      if (codeChild) {
-        const cls = this.getAttr(codeChild, 'class') ?? '';
-        const langMatch = cls.match(/(?:^|\s)language-(\S+)/);
-        if (langMatch) this.preLanguage = langMatch[1]!;
-      }
-    } else if (tag === 'code' && !this.inPre) {
-      this.inInlineCode = true;
-      this.emit('`');
-    } else if (tag === 'table') {
-      this.inTable = true;
-      this.headerRowDone = false;
-      this.isFirstRow = true;
-      this.emit('\n\n');
-    } else if (tag === 'tr') {
-      this.finishCell();
-      this.finishRow();
-    } else if (tag === 'th' || tag === 'td') {
-      this.finishCell();
-      this.cellParts = [];
-      this.inCell = true;
-      if (tag === 'th') this.rowHasTh = true;
-    }
-  }
-
-  private handleClose(tag: string): void {
-    tag = tag.toLowerCase();
-
-    if (HEADING_TAGS.has(tag)) {
-      this.emit('\n\n');
-    } else if (tag === 'a') {
-      this.finishLink();
-    } else if (tag in INLINE_EMPHASIS) {
-      this.emit(INLINE_EMPHASIS[tag]!);
-    } else if (BLOCK_TAGS.has(tag)) {
-      this.emit('\n\n');
-    } else if (tag === 'blockquote') {
-      if (this.bqStack.length > 0) {
-        const content = this.bqStack.pop()!.join('');
-        const prefixed = this.prefixBlockquote(content);
-        if (prefixed) this.emit('\n\n' + prefixed + '\n\n');
-      }
-    } else if (tag === 'ul') {
-      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ul') {
-        this.listStack.pop();
-      }
-      this.emit('\n');
-    } else if (tag === 'ol') {
-      if (this.listStack.length > 0 && this.listStack[this.listStack.length - 1] === 'ol') {
-        this.listStack.pop();
-        if (this.olCounter.length > 0) this.olCounter.pop();
-      }
-      this.emit('\n');
-    } else if (tag === 'pre') {
-      const raw = this.preParts.join('');
-      this.inPre = false;
-      const lang = this.preLanguage ?? '';
-      const block = '```' + lang + '\n' + raw + '\n```';
-      this.emit('\n\n' + block + '\n\n');
-      this.preLanguage = null;
-    } else if (tag === 'code' && !this.inPre) {
-      this.inInlineCode = false;
-      this.emit('`');
-    } else if (tag === 'th' || tag === 'td') {
-      this.finishCell();
-    } else if (tag === 'tr') {
-      this.finishCell();
-      this.finishRow();
-    } else if (tag === 'table') {
-      this.finishCell();
-      this.finishRow();
-      this.inTable = false;
-      this.emit('\n');
-    }
-  }
-
-  private handleText(data: string): void {
-    if (this.inPre) {
-      this.preParts.push(data);
-      return;
-    }
-    if (this.inInlineCode) {
-      this.emit(data);
-      return;
-    }
-    const text = data.replace(/\s+/g, ' ');
-    if (this.inTable && !this.inCell && !text.trim()) return;
-    this.emit(text);
-  }
-
-  walk(node: ChildNode | Document): void {
-    if (isText(node as ChildNode)) {
-      this.handleText((node as TextNode).value);
-      return;
-    }
-    if (node.nodeName === '#comment') return;
-
-    if (isElement(node as ChildNode)) {
-      const el = node as Element;
-      const tag = el.tagName.toLowerCase();
-      if (SKIP_TAGS.has(tag)) return;
-      if (tag === 'img') return;
-
-      this.handleOpen(el);
-
-      if (tag === 'pre') {
-        for (const child of el.childNodes) {
-          if (isElement(child) && child.tagName === 'code') {
-            for (const grandchild of child.childNodes) {
-              this.walk(grandchild);
-            }
-          } else {
-            this.walk(child);
-          }
-        }
-      } else {
-        for (const child of el.childNodes) {
-          this.walk(child);
-        }
-      }
-
-      this.handleClose(tag);
-      return;
-    }
-
-    if ('childNodes' in node) {
-      for (const child of (node as Document).childNodes) {
-        this.walk(child);
-      }
-    }
-  }
-
-  getOutput(): string {
-    return this.out.join('');
-  }
-}
-
-function cleanup(text: string): string {
-  const lines = text.split('\n');
-  const out: string[] = [];
-  let inFence = false;
-  let blankRun = 0;
-
-  for (const line of lines) {
-    const stripped = line.replace(/[ \t]+$/, '');
-    if (stripped.startsWith('```')) {
-      inFence = !inFence;
-      blankRun = 0;
-      out.push(stripped);
-      continue;
-    }
-    if (inFence) {
-      out.push(line);
-      continue;
-    }
-    if (!stripped) {
-      blankRun++;
-      if (blankRun <= 1) out.push('');
-      continue;
-    }
-    blankRun = 0;
-    out.push(stripped);
-  }
-
-  return out.join('\n').trim();
-}
-
 export function htmlToMarkdown(sourceHtml: string): string {
-  sourceHtml = sourceHtml.replace(/\r\n/g, '\n').replace(/\r/g, '\n');
-  const doc = parse(sourceHtml);
-  const renderer = new MarkdownRenderer();
-  renderer.walk(doc);
-  return cleanup(renderer.getOutput());
+  if (!sourceHtml) return '';
+  return NodeHtmlMarkdown.translate(sourceHtml, OPTIONS).trim();
 }

apps/server/src/types/api.ts

@@ -117,6 +117,15 @@ export interface Agent {
   top_k: number | null;  // null means omit from request body
   min_p: number | null;  // null means omit from request body
   presence_penalty: number | null;  // null means omit from request body
+  // v2.6 sampling-streamjson-tokens (#11): llama.cpp sampler extensions.
+  // null = omit from request body. top_n_sigma + the DRY repetition family
+  // help the doom-loop-prone local model. All travel via the same
+  // providerOptions.openaiCompatible extraBody channel as top_k/min_p.
+  top_n_sigma: number | null;
+  dry_multiplier: number | null;
+  dry_base: number | null;
+  dry_allowed_length: number | null;
+  dry_penalty_last_n: number | null;
   tools: string[];       // whitelist of tool names; empty = no tools allowed
   model: string | null;  // null means "session.model wins"
   source: AgentSource;

apps/web/package.json

@@ -44,5 +44,5 @@
     "typescript": "^5.5.0",
     "vite": "^5.3.4"
   },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }

apps/web/src/api/client.ts

@@ -34,6 +34,30 @@ export interface AgentSessionInfo {
   status: string;
   has_session: boolean;
   last_active_at: string | null;
+  // v2.6.8 per-(chat,agent) running token/cost totals (sampling-streamjson-tokens
+  // #8). input_tokens/output_tokens are BIGINT and may arrive as strings; cost is
+  // DOUBLE. AgentComposerBar coerces with Number(...) before rendering.
+  input_tokens: number;
+  output_tokens: number;
+  cost: number;
+}
+
+// write-edit-robustness #4: a pre-turn worktree snapshot anchored to an
+// assistant message. Returned by GET .../checkpoints; drives the per-message
+// "Restore to here" affordance in CoderMessageList.
+export interface CoderCheckpoint {
+  id: string;
+  message_id: string;
+  created_at: string;
+  label: string | null;
+}
+
+// write-edit-robustness #4: result of POST .../checkpoints/:id/restore.
+export interface CoderRestoreResult {
+  checkpoint_id: string;
+  messages_deleted: number;
+  worktree_reset: boolean;
+  backend_reset: boolean;
 }
 
 export class ApiError extends Error {
@@ -407,6 +431,22 @@ export const api = {
           ...(config?.thinking_option_id ? { thinking_option_id: config.thinking_option_id } : {}),
         }),
       }),
+    // write-edit-robustness #4: worktree checkpoints. List which assistant
+    // messages in a chat have a pre-turn worktree snapshot ("Restore to here"
+    // is offered only on those). Proxied to boocoder.
+    getCheckpoints: (sessionId: string, chatId: string) =>
+      request<{ checkpoints: CoderCheckpoint[] }>(
+        `/api/coder/sessions/${sessionId}/checkpoints?chat_id=${encodeURIComponent(chatId)}`,
+      ),
+    // write-edit-robustness #4: reset the worktree to a checkpoint, trim the
+    // transcript past its anchor message, and reset the agent backend. After it
+    // returns, the caller refetches messages (+ checkpoints) so the trimmed
+    // transcript shows.
+    restoreCheckpoint: (sessionId: string, checkpointId: string) =>
+      request<CoderRestoreResult>(
+        `/api/coder/sessions/${sessionId}/checkpoints/${encodeURIComponent(checkpointId)}/restore`,
+        { method: 'POST' },
+      ),
     // Queue a new-file create from the RightRail browser → BooCoder
     // pending_changes (operation='create'). Surfaces in the CoderPane DiffPanel
     // for explicit apply. A WriteGuardError comes back as a 422 whose { error }

apps/web/src/components/AgentComposerBar.tsx

@@ -185,6 +185,14 @@ interface Props {
   hasPriorTurn?: boolean;
 }
 
+// Condensed token count: 950 → "950", 12_400 → "12.4K", 3_200_000 → "3.2M".
+// Sub-1000 stays exact; thousands/millions get one decimal, trailing .0 trimmed.
+function abbrevTokens(n: number): string {
+  if (!Number.isFinite(n) || n < 1000) return String(Math.max(0, Math.round(n)));
+  if (n < 1_000_000) return `${(n / 1000).toFixed(1).replace(/\.0$/, '')}K`;
+  return `${(n / 1_000_000).toFixed(1).replace(/\.0$/, '')}M`;
+}
+
 // Relative-time formatter for the resumed-chip title (e.g. "3m ago").
 function relativeTime(iso: string | null): string {
   if (!iso) return 'unknown';
@@ -353,6 +361,21 @@ export function AgentComposerBar({ projectPath, value, onChange, onProviderComma
           : { label: 'new session', title: `${value.provider} starts a fresh session this turn` }
       : null;
 
+  // sampling-streamjson-tokens #8: condensed per-(chat,agent) token/cost readout
+  // beside the session chip. Coerce — input/output are BIGINT (string over wire).
+  // Hidden when no session row or all totals are zero (e.g. native boocode, which
+  // holds no agent_sessions row, or a provider that hasn't run yet).
+  const usageReadout = (() => {
+    if (!sessionChip || !sessionRow) return null;
+    const inTok = Number(sessionRow.input_tokens) || 0;
+    const outTok = Number(sessionRow.output_tokens) || 0;
+    const cost = Number(sessionRow.cost) || 0;
+    if (inTok <= 0 && outTok <= 0 && cost <= 0) return null;
+    const parts = [`${abbrevTokens(inTok)} in`, `${abbrevTokens(outTok)} out`];
+    if (cost > 0) parts.push(`$${cost.toFixed(2)}`);
+    return parts.join(' · ');
+  })();
+
   return (
     <div className="flex flex-wrap items-center gap-1 px-2 py-1 border-b border-border bg-muted/20 shrink-0">
       <CompactPicker
@@ -374,6 +397,14 @@ export function AgentComposerBar({ projectPath, value, onChange, onProviderComma
           {sessionChip.label}
         </span>
       )}
+      {usageReadout && (
+        <span
+          className="text-[10px] text-muted-foreground tabular-nums whitespace-nowrap shrink-0"
+          title="Tokens in · out · cost for this agent session"
+        >
+          {usageReadout}
+        </span>
+      )}
       <CompactPicker
         label="Mode"
         value={value.modeId ?? ''}

apps/web/src/components/MessageBubble.tsx

@@ -1,6 +1,6 @@
 import { useEffect, useState } from 'react';
 import type { ReactNode } from 'react';
-import { ChevronDown, ChevronRight, Copy, RefreshCw, Check, Share2, RotateCw, GitFork, Trash2, Brain } from 'lucide-react';
+import { ChevronDown, ChevronRight, Copy, RefreshCw, Check, Share2, RotateCw, GitFork, Trash2, Brain, History } from 'lucide-react';
 import { toast } from 'sonner';
 import type { Chat, ErrorReason, Message } from '@/api/types';
 import { api } from '@/api/client';
@@ -110,6 +110,10 @@ export interface MessageActions {
   onResend?: (chatId: string, content: string) => Promise<void>;
   onFork?: (chatId: string, messageId: string) => Promise<void>;
   onDelete?: (chatId: string, messageId: string) => Promise<void>;
+  // write-edit-robustness #4 (BooCoder only): reset the worktree to this
+  // message's pre-turn checkpoint and trim the transcript past it. BooChat
+  // passes no such callback → the "Restore to here" control never renders.
+  onRestoreCheckpoint?: (chatId: string, messageId: string) => Promise<void>;
 }
 
 interface Props {
@@ -119,6 +123,17 @@ interface Props {
   actions?: MessageActions;
   /** Hide actions that don't apply (fork, delete). */
   hideActions?: ('fork' | 'delete')[];
+  /**
+   * write-edit-robustness #4: this assistant message has a worktree checkpoint
+   * → render "Restore to here" (only when `actions.onRestoreCheckpoint` is also
+   * provided). CoderMessageList sets this from the checkpoint set.
+   */
+  hasCheckpoint?: boolean;
+  /**
+   * write-edit-robustness #4: suppress the restore control during an active
+   * turn (mirrors composer gating). Defaults to enabled.
+   */
+  restoreDisabled?: boolean;
 }
 
 function StatsLine({ message }: { message: Message }) {
@@ -155,16 +170,22 @@ function ActionRow({
   message,
   actions,
   hiddenSet,
+  hasCheckpoint = false,
+  restoreDisabled = false,
 }: {
   message: Message;
   actions?: MessageActions;
   hiddenSet: Set<string>;
+  hasCheckpoint?: boolean;
+  restoreDisabled?: boolean;
 }) {
   const [justCopied, setJustCopied] = useState(false);
   const [regenerating, setRegenerating] = useState(false);
   const [forking, setForking] = useState(false);
   const [deleteOpen, setDeleteOpen] = useState(false);
   const [deleting, setDeleting] = useState(false);
+  const [restoreOpen, setRestoreOpen] = useState(false);
+  const [restoring, setRestoring] = useState(false);
 
   async function copy() {
     try {
@@ -240,12 +261,33 @@ function ActionRow({
     }
   }
 
+  async function confirmRestore() {
+    if (restoring || !actions?.onRestoreCheckpoint) return;
+    setRestoring(true);
+    try {
+      await actions.onRestoreCheckpoint(message.chat_id, message.id);
+      setRestoreOpen(false);
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : 'restore failed');
+    } finally {
+      setRestoring(false);
+    }
+  }
+
   const isAssistant = message.role === 'assistant';
   const isUser = message.role === 'user';
   const canRegen = isAssistant && message.status !== 'streaming';
   const canResend = isUser && message.status === 'complete' && !!message.content?.trim();
   const canFork = message.status === 'complete';
   const canDelete = message.status !== 'streaming';
+  // write-edit-robustness #4: show "Restore to here" only for a completed
+  // assistant message that has a checkpoint AND when the coder wired the
+  // callback. Disabled (but visible) during an active turn.
+  const canRestore =
+    isAssistant &&
+    hasCheckpoint &&
+    message.status === 'complete' &&
+    !!actions?.onRestoreCheckpoint;
 
   return (
     <>
@@ -306,6 +348,18 @@ function ActionRow({
           <Trash2 className="size-3" />
         </button>
         )}
+        {canRestore && (
+          <button
+            type="button"
+            onClick={() => setRestoreOpen(true)}
+            disabled={restoreDisabled || restoring}
+            className="inline-flex items-center justify-center size-6 rounded text-muted-foreground hover:bg-muted hover:text-foreground disabled:opacity-40 disabled:cursor-not-allowed max-md:min-h-[44px] max-md:min-w-[44px]"
+            aria-label="Restore to here"
+            title="Restore worktree to this point"
+          >
+            <History className="size-3" />
+          </button>
+        )}
       </div>
       <Dialog
         open={deleteOpen}
@@ -338,6 +392,39 @@ function ActionRow({
           </DialogFooter>
         </DialogContent>
       </Dialog>
+      <Dialog
+        open={restoreOpen}
+        onOpenChange={(open) => {
+          if (!restoring) setRestoreOpen(open);
+        }}
+      >
+        <DialogContent>
+          <DialogHeader>
+            <DialogTitle>Restore to this point?</DialogTitle>
+            <DialogDescription>
+              This resets the worktree to before this turn, removes every later
+              message in this chat, and resets the agent's session. This cannot
+              be undone.
+            </DialogDescription>
+          </DialogHeader>
+          <DialogFooter>
+            <Button
+              variant="outline"
+              onClick={() => setRestoreOpen(false)}
+              disabled={restoring}
+            >
+              Cancel
+            </Button>
+            <Button
+              variant="destructive"
+              onClick={() => void confirmRestore()}
+              disabled={restoring}
+            >
+              {restoring ? 'Restoring…' : 'Restore'}
+            </Button>
+          </DialogFooter>
+        </DialogContent>
+      </Dialog>
     </>
   );
 }
@@ -550,7 +637,15 @@ function ReasoningBlock({ text, streaming }: { text: string; streaming: boolean
   );
 }
 
-export function MessageBubble({ message, sessionChats, capHitInfo, actions, hideActions }: Props) {
+export function MessageBubble({
+  message,
+  sessionChats,
+  capHitInfo,
+  actions,
+  hideActions,
+  hasCheckpoint,
+  restoreDisabled,
+}: Props) {
   const hiddenSet = new Set(hideActions ?? []);
   // v1.11: anchored rolling summary row. Checked BEFORE the kind==='compact'
   // branch because summary=true never coexists with kind='compact' (new
@@ -652,7 +747,15 @@ export function MessageBubble({ message, sessionChats, capHitInfo, actions, hide
         </div>
       )}
       {!isStreaming && <StatsLine message={message} />}
-      {!isStreaming && hasContent && <ActionRow message={message} actions={actions} hiddenSet={hiddenSet} />}
+      {!isStreaming && hasContent && (
+        <ActionRow
+          message={message}
+          actions={actions}
+          hiddenSet={hiddenSet}
+          hasCheckpoint={hasCheckpoint}
+          restoreDisabled={restoreDisabled}
+        />
+      )}
     </div>
   );
 }

apps/web/src/components/panes/CoderMessageList.tsx

@@ -147,11 +147,24 @@ interface Props {
   chatId?: string;
   footer?: ReactNode;
   actions?: MessageActions;
+  // write-edit-robustness #4: assistant message ids that have a worktree
+  // checkpoint. The "Restore to here" control renders only on these.
+  checkpointMessageIds?: Set<string>;
+  // write-edit-robustness #4: suppress restore during an active turn (mirrors
+  // composer gating in CoderPane).
+  restoreDisabled?: boolean;
 }
 
 const CODER_HIDDEN_ACTIONS: ('fork' | 'delete')[] = ['fork'];
 
-export function CoderMessageList({ messages, chatId, footer, actions }: Props) {
+export function CoderMessageList({
+  messages,
+  chatId,
+  footer,
+  actions,
+  checkpointMessageIds,
+  restoreDisabled,
+}: Props) {
   const endRef = useRef<HTMLDivElement>(null);
   const scrollRef = useRef<HTMLDivElement>(null);
   const isNearBottomRef = useRef(true);
@@ -189,6 +202,8 @@ export function CoderMessageList({ messages, chatId, footer, actions }: Props) {
                 message={item.message as unknown as Message}
                 actions={actions}
                 hideActions={CODER_HIDDEN_ACTIONS}
+                hasCheckpoint={checkpointMessageIds?.has(item.message.id) ?? false}
+                restoreDisabled={restoreDisabled}
               />
             );
           }

apps/web/src/components/panes/CoderPane.tsx

@@ -381,6 +381,29 @@ function usePendingChanges(sessionId: string) {
   return { changes, loading, refresh, approve, reject };
 }
 
+// write-edit-robustness #4: which assistant messages in this chat have a
+// worktree checkpoint, so CoderMessageList can offer "Restore to here" only on
+// those. Refetched on message_complete (same trigger as pending changes) and
+// after a successful restore.
+function useCheckpoints(sessionId: string, chatId: string | undefined) {
+  const [messageIds, setMessageIds] = useState<Set<string>>(() => new Set());
+
+  const refresh = useCallback(() => {
+    if (!chatId) {
+      setMessageIds(new Set());
+      return Promise.resolve();
+    }
+    return api.coder
+      .getCheckpoints(sessionId, chatId)
+      .then((res) => setMessageIds(new Set(res.checkpoints.map((c) => c.message_id))))
+      .catch(() => {/* boocoder may be down / endpoint not ready */});
+  }, [sessionId, chatId]);
+
+  useEffect(() => { void refresh(); }, [refresh]);
+
+  return { checkpointMessageIds: messageIds, refreshCheckpoints: refresh };
+}
+
 // ---------------------------------------------------------------------------
 // Sub-components
 // ---------------------------------------------------------------------------
@@ -388,12 +411,14 @@ function usePendingChanges(sessionId: string) {
 function DiffPanel({
   changes,
   loading,
+  currentProvider,
   onRefresh,
   onApprove,
   onReject,
 }: {
   changes: PendingChange[];
   loading: boolean;
+  currentProvider: string;
   onRefresh: () => void;
   onApprove: (id: string) => void;
   onReject: (id: string) => void;
@@ -409,6 +434,29 @@ function DiffPanel({
       ? `Changes from ${distinctAgents.map((a) => providerLabel(a)).join(', ')}`
       : null;
 
+  // v2.6 §9c: staging-boundary caveat. External agents (opencode/goose/qwen/
+  // claude) edit *inside their worktree*; native boocode reads/writes the
+  // *project root* via pending_changes. Unapplied edits don't cross that
+  // boundary. When the currently-selected provider can't see another side's
+  // staged-but-unapplied edits, surface a muted one-liner. agent===null
+  // (manual) is boundary-neutral. Pure derivation — no new state/fetch.
+  const isNativeProvider = currentProvider === 'boocode';
+  const boundaryHint = (() => {
+    if (isNativeProvider) {
+      // Native boocode is selected: it won't see external-worktree edits.
+      const external = distinctAgents.filter((a) => a !== null && a !== 'boocode');
+      if (external.length === 0) return null;
+      const who =
+        external.length === 1
+          ? providerLabel(external[0]!)
+          : external.map((a) => providerLabel(a)).join(', ');
+      return `${who}'s edits live in its worktree — BooCode won't see them until applied.`;
+    }
+    // An external agent is selected: it won't see boocode's project-root edits.
+    if (!distinctAgents.includes('boocode')) return null;
+    return `BooCode's edits live in the project root — ${providerLabel(currentProvider)} won't see them until applied.`;
+  })();
+
   return (
     <div className="flex flex-col h-full border-t border-border">
       <div className="flex items-center justify-between px-3 py-1.5 border-b border-border bg-muted/30">
@@ -430,6 +478,14 @@ function DiffPanel({
           {mixedNote}
         </div>
       )}
+      {boundaryHint && (
+        <div
+          className="px-3 py-1 border-b border-border bg-muted/10 text-xs text-muted-foreground"
+          title={boundaryHint}
+        >
+          {boundaryHint}
+        </div>
+      )}
       <div className="flex-1 overflow-y-auto">
         {pending.length === 0 ? (
           <div className="flex items-center justify-center h-full text-sm text-muted-foreground">
@@ -607,6 +663,7 @@ export function CoderPane({
     },
   });
   const { changes, loading, refresh, approve, reject } = usePendingChanges(sessionId);
+  const { checkpointMessageIds, refreshCheckpoints } = useCheckpoints(sessionId, chatId);
   const [input, setInput] = useState('');
   const [sending, setSending] = useState(false);
   const [queue, setQueue] = useState<string[]>([]);
@@ -619,15 +676,18 @@ export function CoderPane({
 
   // Refresh pending changes (and agent-session state for the §9b chip) when a
   // message_complete arrives — same trigger usePendingChanges already uses.
+  // write-edit-robustness #4: also refetch checkpoints so a new turn's snapshot
+  // surfaces its "Restore to here" control.
   useEffect(() => {
     const lastAssistant = [...messages].reverse().find(
       (m): m is CoderMessage => m.role === 'assistant',
     );
     if (lastAssistant?.status === 'complete') {
       refresh();
+      void refreshCheckpoints();
       void refreshAgentSessions(sessionId);
     }
-  }, [messages, refresh, sessionId]);
+  }, [messages, refresh, refreshCheckpoints, sessionId]);
 
   // The §9b chip only shows once the chat has ≥1 prior turn (a completed
   // assistant message). Hidden on a brand-new chat.
@@ -834,6 +894,38 @@ export function CoderPane({
     }
   }, [activeTaskId]);
 
+  // write-edit-robustness #4: reset the worktree to a message's checkpoint and
+  // trim the transcript past it. The confirm lives in MessageBubble's ActionRow
+  // (plain Cancel/Restore). The restore route is keyed by checkpoint id, so we
+  // resolve message→checkpoint via a fresh GET (cheap, and avoids a stale id if
+  // the set changed). On success, refetch messages so the trimmed transcript
+  // shows, plus checkpoints (later ones were deleted server-side) and pending
+  // changes (the worktree was reset).
+  const handleRestoreCheckpoint = useCallback(async (_chatId: string, messageId: string) => {
+    if (!chatId || generating) return;
+    let checkpointId: string | undefined;
+    try {
+      const res = await api.coder.getCheckpoints(sessionId, chatId);
+      checkpointId = res.checkpoints.find((c) => c.message_id === messageId)?.id;
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : 'failed to load checkpoint');
+      return;
+    }
+    if (!checkpointId) {
+      toast.error('No checkpoint found for this message');
+      return;
+    }
+    try {
+      await api.coder.restoreCheckpoint(sessionId, checkpointId);
+      await loadMessages();
+      await refreshCheckpoints();
+      refresh();
+      toast.success('Restored to checkpoint');
+    } catch (err) {
+      toast.error(err instanceof Error ? err.message : 'restore failed');
+    }
+  }, [chatId, generating, sessionId, loadMessages, refreshCheckpoints, refresh]);
+
   const handleChatInputSlash = useCallback(async (skillName: string, userMessage: string) => {
     if (!chatId) return;
     // Only BooCoder skills route here; an agent's own commands (not skills) fall
@@ -888,8 +980,11 @@ export function CoderPane({
           <CoderMessageList
             messages={messages as CoderTimelineWire[]}
             chatId={chatId}
+            checkpointMessageIds={checkpointMessageIds}
+            restoreDisabled={generating}
             actions={{
               onResend: async (_chatId, content) => { await sendOneMessage(content); },
+              onRestoreCheckpoint: handleRestoreCheckpoint,
             }}
             footer={
               activeTaskId && !permissionPrompt && sending === false ? (
@@ -914,6 +1009,7 @@ export function CoderPane({
           <DiffPanel
             changes={changes}
             loading={loading}
+            currentProvider={agentConfig.provider}
             onRefresh={refresh}
             onApprove={approve}
             onReject={reject}

boocode_roadmap.md

@@ -348,7 +348,7 @@ Per-session Docker sandbox spawned by BooCoder on first write. Only project path
 
 -----
 
-## Shipped (v2.2.2–v2.6.9 — interactive ACP, provider lifecycle, persistent agent sessions, workspace UX)
+## Shipped (v2.2.2–v2.6.11 — interactive ACP, provider lifecycle, persistent agent sessions, workspace UX)
 
 All tags `vMAJOR.MINOR.PATCH-slug`, monotonic per minor, assigned at ship time (planning slugs differ — see the numbering-discipline note below). `CHANGELOG.md` is the canonical per-tag record. **Note on numbering divergence:** the *planned-feature* "v2.3 — Provider lifecycle" actually shipped under the **v2.5.4–v2.5.13** tags; the *planned-feature* "v2.4 — BooCoder as ACP agent" remains **unshipped** even though v2.4.0/v2.4.1 *tags* shipped unrelated content (Unsloth lifts, sidecar routing). The patch-tag thread and the conceptual-milestone thread have diverged — read tags as the ship record, the `## v2.x` feature sections below as the milestone plan. The v2.3.0–v2.5.1 tags were never CHANGELOG-backfilled; summarized here from commit bodies.
 
@@ -384,6 +384,8 @@ All tags `vMAJOR.MINOR.PATCH-slug`, monotonic per minor, assigned at ship time (
 - `v2.6.7-interrupt-guard` — **F.1 fix:** post-interrupt stale-terminal bug in the opencode warm-server backend (one-click reachable since `v2.6.5`'s Stop button). opencode emits one trailing `session.idle`/`session.error` for a cancelled turn (sessionID only, no turn id) that settled the *next* turn early as success. Pure per-session guard (`backends/turn-guard.ts` — arm-on-abort / swallow-one-orphan / self-heal-on-activity) wired into `opencode-server.ts`; 3 regression tests (TDD). First item of the v2.6 openspec "remaining" plan; Phase 1-UX / 2 / 3 still open
 - `v2.6.8-agent-attribution` — **v2.6 Phase 1-UX** (U.1–U.6), built by 3 parallel subagents over disjoint files. Backend: `pending_changes.agent` stamped at every queue site + flows through `listPending`; new `GET /api/sessions/:id/agent-sessions` route; opencode warm-server consumes `session.next.step.ended` → accumulates `input_tokens`/`output_tokens`/`cost` on `agent_sessions`. Frontend: DiffPanel per-row agent badges + multi-agent note; AgentComposerBar resumed/history/new-session chip (gated on optional `sessionId`, BooChat unaffected); shared `providerIcons.tsx` + `useAgentSessions` hook. 9 new tests; web+coder tsc clean. Both surfaces deployed (boocoder restart + `boocode` Docker rebuild). Phase 2/3 remain
 - `v2.6.9-warm-acp` — **v2.6 Phase 2:** goose/qwen run as **warm ACP backends** (one persistent `goose acp`/`qwen --acp` child + `ClientSideConnection` + ACP session per `(chat,agent)`, `initialize`+`session/new` once, reused across turns) instead of one-shot. New `WarmAcpBackend` (same `AgentBackend` interface as opencode); abort = `session/cancel` the prompt only (never kills the child); dispatcher routes goose/qwen chat-tab tasks via pure `shouldUseWarmBackend` (one-shot fallback kept for arena/MCP/`new_task`); `handleSessionUpdate` extracted to a shared pure `acp-event-map.ts` (one-shot path byte-identical). SDK concern resolved (`@agentclientprotocol/sdk@^0.22.1` has stable resume; moot warm, deferred to Phase 3). 15 new tests, 180 coder tests pass. Backend-only deploy (boocoder restart). **Smoke 2/2b pending live.** Phase 3 (lifecycle hardening) is the last v2.6 phase
+- `v2.6.10-lifecycle-hardening` — **v2.6 Phase 3 (final phase — completes v2.6).** Idle TTL eviction (`AGENT_POOL_IDLE_TTL_MS`=30min) + LRU cap (`AGENT_POOL_MAX_LIVE`=10), busy backends never evicted; pure `lifecycle-decisions.ts`. Crash recovery via openchamber's health-monitor + busy-aware-restart + stale-grace state machine in `opencode-server.ts` (+ port reclaim) + `warm-acp.ts` (opencode → fresh sessions; ACP → re-`session/new`; F.1 guard + U.6 usage preserved). Orphan worktree reaper (1h grace, superset-style dirty/unpushed preflight, Paseo soft-delete) + close hooks + re-baseline after apply. 35 new tests + DB-opt-in reconnect test; 215 coder tests pass. Backend-only deploy. **Follow-ups (out of v2.6 scope): apps/server close-hook caller, 3.7 DiffPanel staging hint (frontend), live Smoke 2/2b/3.** With this, **v2.6 persistent agent sessions is complete** (Phase 0–3 + F.1 + Phase 1-UX)
+- `v2.6.11-close-hooks-staging` — the two v2.6 follow-ups. **apps/server close-hook caller:** BooChat fire-and-forgets BooCoder's Phase-3 close hooks (new `coder-notify.ts`, never-rejects) on session-delete + chat archive/delete, so warm backends + worktrees tear down immediately (the idle-evict/reaper was the backstop). **Task 3.7 staging hint:** BooCoder DiffPanel shows a muted one-liner when the selected provider can't see another agent's unapplied worktree edits (pure derivation from per-change `agent` + current provider). 6 new server tests; web+server tsc/build clean; deploys via the `boocode` Docker container. **The v2.6 openspec is now fully closed** — only live Smoke 2/2b/3 remain (manual)
 
 -----
 
@@ -445,24 +447,22 @@ All tags `vMAJOR.MINOR.PATCH-slug`, monotonic per minor, assigned at ship time (
 
 -----
 
-## License-debt — relicense AGPL-3.0 → MIT (planned)
+## License-debt — relicense AGPL-3.0 → MIT (shipped 2026-06-01)
 
-**Status: planned, not started.** Recorded 2026-05-31 from the v2 external review (`boocode_code_review_v2.md` §5k) + a direct tree audit. **Decision (Sam, 2026-05-31): relicense the project back to MIT.**
+**Status: SHIPPED 2026-06-01** (openspec `license-debt-mit`). Recorded 2026-05-31 from the v2 external review (`boocode_code_review_v2.md` §5k) + a direct tree audit. **Decision (Sam, 2026-05-31): relicense the project back to MIT.**
 
-**Current state (the problem):** the tree is **currently AGPL-3.0** — root `LICENSE` is GNU Affero GPL v3 and all five `package.json` declare `"license": "AGPL-3.0-only"`. Cause: the `v2.4.0`/`v2.4.1` Unsloth-Studio lifts pulled in AGPL-3.0-only code, which makes the whole network-served work AGPL-encumbered. This batch clears that so the MIT flip is valid; **nothing else AGPL remains once these files are gone.**
+**What was the problem:** the tree was AGPL-3.0 — root `LICENSE` was GNU Affero GPL v3 and all five `package.json` declared `"license": "AGPL-3.0-only"`. Cause: the `v2.4.0`/`v2.4.1` Unsloth-Studio lifts pulled in three AGPL-3.0-only files, making the whole network-served work AGPL-encumbered (AGPL §13 network-copyleft). Clearing those three files made the MIT flip valid.
 
-**The three AGPL-3.0-only files to clear** (each `SPDX-License-Identifier: AGPL-3.0-only`, ported from Unsloth Studio):
-1. `apps/server/src/services/inference/tool-call-parser.ts` (← `tool_call_parser.py`) — remove by routing tool-call parsing to **native llama-server** template parsing + a **clean-room `<invoke>`-only fallback** (no Unsloth provenance).
-2. `apps/server/src/services/web/html-to-md.ts` (← `_html_to_md.py`, used by `web_fetch`) — replace with a permissively-licensed library (`turndown` / `node-html-markdown`) or a clean-room walker.
-3. `apps/server/src/services/inference/llama-args-validator.ts` (← `llama_server_args.py`, the v2.4.1 sidecar flag-denylist) — clean-room rewrite from the llama-server README flag list (the denylist is facts, not copyrightable).
+**The three AGPL-3.0-only files (cleared):**
+1. `apps/server/src/services/inference/tool-call-parser.ts` (← `tool_call_parser.py`) — the Unsloth-ported algorithm (`parseToolCallsFromText`/`scanBalancedBraces` + unused nudge constants) was **dead code** (no production import; only the file + its test referenced it). Deleted it. The load-bearing parser (`extractToolCallBlocks` + the BooCode-authored streaming helpers) and `stripToolMarkup` were kept byte-identical and the AGPL header dropped. **No behavior change to the live tool-call path.**
+2. `apps/server/src/services/web/html-to-md.ts` (← `_html_to_md.py`, used by `web_fetch`) — **swapped** to the MIT `node-html-markdown` library (a distinct third-party lib, not a rewrite-from-memory); `parse5` dropped. `htmlToMarkdown(html): string` signature preserved.
+3. `apps/server/src/services/inference/llama-args-validator.ts` (← `llama_server_args.py`) — **clean-room rewrite** with independent structure; the managed-flag denylist re-derived from the public llama-server flag list (facts, not copyrightable).
 
-**Steps:**
-1. Confirm native llama-server tool-parsing on **live qwen3.6** (jinja gate already green — `--jinja` + qwen3.x template live; llama.cpp server-side template parser, v2 review §4a).
-2. Run native parsing **behind a flag for one release** (qwen3.6 was historically unreliable — validate before deleting).
-3. **Delete** the ~250 Unsloth-derived parser lines + clean-room the `<invoke>` fallback; replace `html-to-md.ts`; clean-room `llama-args-validator.ts`.
-4. **Flip the license:** root `LICENSE` AGPL→MIT, the five `package.json` `license` fields `AGPL-3.0-only`→`MIT`, remove the per-file AGPL SPDX headers, and update roadmap/README prose. After this, **no AGPL remains in the tree** and the "BooCode is MIT" claim becomes true.
+**Key correction to the original plan:** the native-llama-server-parsing retirement (which would have needed a live qwen3.6 validation window "behind a flag for one release") was **decoupled** from the relicense and proved unnecessary — the ported parser code was already dead, so the relicense stripped *provenance, not capability*. The native-parsing retirement remains a separate, optional future optimization.
 
-**Source:** `boocode_code_review_v2.md` §1 #1, §5k. **Prerequisite for the license flip — this batch is the blocker, not optional.**
+**License flip:** root `LICENSE` AGPL→MIT (`Copyright (c) 2026 indifferentketchup`); the five `package.json` `license` fields → `MIT`; AGPL SPDX headers removed from all three files; a `## License` section added to `README.md`; a guard test asserts no AGPL header / SPDX-AGPL survives. The `boocode_code_review*.md` point-in-time snapshots were left as-is. **No AGPL remains in the tree.**
+
+**Source:** `boocode_code_review_v2.md` §1 #1, §5k; openspec `license-debt-mit`.
 
 -----
 
@@ -706,7 +706,6 @@ Full per-tag detail in the **Shipped (v2.2.2–v2.6.6)** section above and in `C
 
 ### In flight
 
-- **License-debt → relicense AGPL-3.0 → MIT** — see the planned batch above; the tree is currently AGPL-3.0 and three Unsloth-derived files must be cleared before the MIT flip. Prerequisite, blocker-status.
 - **v2.6 persistent agent sessions — Phase 2/3** — warm ACP backend for goose/qwen (persistent process reused across turns) + lifecycle hardening (idle eviction, crash recovery, worktree cleanup/reaper, post-apply re-baseline) + the Phase-1 UX attribution work (DiffPanel agent badges, resumed/new-session chip). See openspec `v2-6-persistent-agent-sessions/tasks.md`.
 
 ### Numbering and scope-revision discipline during v1.13.x (2026-05-23)

data/AGENTS.md

@@ -6,6 +6,10 @@ Operating rules for every agent in this registry. Full procedures live in the `c
 
 **Worktrees** — Isolate work in a worktree when it is parallel to in-progress work, risky/experimental, a hotfix interrupting other work, or splits into independent units — just create when clear, propose in one line when ambiguous, skip quick/small single-stream work. Branch from a stable base (default branch); worktrees persist (never auto-remove or auto-merge); they isolate code state, not runtime (ports/DBs/services still collide). Full heuristic: invoke `using-worktrees`.
 
+**Sampling knobs** — Each `## Name` frontmatter block accepts these per-agent sampler fields, threaded into the llama-swap chat-completion request: `temperature`, `top_p`, `top_k`, `min_p`, `presence_penalty`, and (v2.6) `top_n_sigma`, `dry_multiplier`, `dry_base`, `dry_allowed_length`, `dry_penalty_last_n`. The `top_n_sigma` + `dry_*` repetition family curb the doom-loop-prone local model. Omit a field to leave it at the server default. Example: `top_n_sigma: 1.0`, `dry_multiplier: 0.8`, `dry_base: 1.75`, `dry_allowed_length: 2`, `dry_penalty_last_n: -1` (-1 = whole context).
+
+**Reasoning budget** — To cap a reasoning model's thinking tokens, pass `--reasoning-budget` through `llama_extra_args` (already permitted by the deny-list validator; routes the agent to llama-sidecar). Example frontmatter line: `llama_extra_args: ["--reasoning-budget", "2048"]`. This is a sidecar process flag, not a chat-completion body param — distinct from the sampling knobs above.
+
 ## Code Reviewer
 ---
 temperature: 0.6

openspec/changes/license-debt-mit/proposal.md

@@ -0,0 +1,51 @@
+# License-debt — relicense AGPL-3.0 → MIT
+
+**Status:** in progress (started 2026-06-01)
+**Decision:** Sam, 2026-05-31 — relicense BooCode back to MIT.
+**Source:** `boocode_code_review_v2.md` §1 #1, §5k; roadmap `## License-debt` batch.
+
+## Why
+
+The tree is **currently AGPL-3.0** — root `LICENSE` is GNU Affero GPL v3 and all five
+`package.json` declare `"license": "AGPL-3.0-only"`. Cause: the `v2.4.0`/`v2.4.1`
+Unsloth-Studio lifts pulled in three AGPL-3.0-only files. BooCode is network-served, so
+AGPL §13 network-copyleft is a live liability. Clearing the three files makes the MIT flip
+valid; nothing else AGPL remains once they are gone.
+
+## Core insight (supersedes the roadmap's staged steps)
+
+The roadmap entangled the relicense with retiring `tool-call-parser.ts` behind a live
+qwen3.6 validation window. That is **not necessary**: the Unsloth-ported algorithm
+(`parseToolCallsFromText` / `scanBalancedBraces` + unused constants) is **dead code** —
+no production consumer imports it (verified: only the file and its test reference it). The
+load-bearing parser (`extractToolCallBlocks`, under the file's own "BooCode streaming
+helpers" banner) and `stripToolMarkup` are BooCode-authored. So the relicense **strips
+provenance, not capability** — zero behavior change, no validation gate. The
+native-llama-server-parsing retirement remains a separate, optional future optimization.
+
+## The three AGPL-3.0-only files to clear
+
+1. `apps/server/src/services/web/html-to-md.ts` (← `_html_to_md.py`) — **swap** to
+   `node-html-markdown` (MIT). A different third-party library, not a rewrite-from-memory
+   (which would still be a derivative). Consumed by `web_fetch` via `web/index.ts`;
+   `htmlToMarkdown(html): string` signature preserved.
+2. `apps/server/src/services/inference/llama-args-validator.ts` (← `llama_server_args.py`)
+   — **clean-room** re-derive the flag denylist from the public llama-server README (CLI
+   flag names are facts, not copyrightable); the shadowing logic is already BooCode's own.
+3. `apps/server/src/services/inference/tool-call-parser.ts` (← `tool_call_parser.py`) —
+   **delete** the dead Unsloth-ported code; keep BooCode's streaming helpers +
+   `stripToolMarkup` (re-derive its strip regexes from qwen's wire format); drop the header.
+   No change to the live tool-call path.
+
+## Decisions (Sam, 2026-06-01)
+
+- html-to-md library: **node-html-markdown** (single MIT dep, GFM tables built-in).
+- tool-call-parser: **relicense-only** — defer native-parsing retirement.
+- MIT copyright line: **`Copyright (c) 2026 indifferentketchup`**.
+- Leave `boocode_code_review*.md` (point-in-time snapshots) untouched; update the roadmap
+  batch (planned → shipped) and add a README License section.
+
+## Out of scope
+
+- Retiring `tool-call-parser` patterns 1 & 2 in favour of native llama-server parsing.
+- Bumping the stale README "Latest release" line / AGENTS.md pointer.

openspec/changes/license-debt-mit/tasks.md

@@ -0,0 +1,51 @@
+# Tasks — relicense AGPL-3.0 → MIT
+
+Four units. A/B/C are disjoint files (parallelizable); D is the join (runs after A/B/C).
+The shared `node-html-markdown` dependency swap + `pnpm install` is done before A so the
+parallel agents don't race on `apps/server/package.json`.
+
+## Pre: dependency swap (done by coordinator)
+- [ ] Add `node-html-markdown` to `apps/server/package.json` dependencies; remove `parse5`
+      (only html-to-md consumed it).
+- [ ] `pnpm install`.
+
+## A — html-to-md → node-html-markdown
+- [ ] Replace `apps/server/src/services/web/html-to-md.ts` with a thin MIT wrapper exporting
+      `htmlToMarkdown(sourceHtml: string): string` over `NodeHtmlMarkdown.translate`.
+- [ ] Drop the AGPL/Unsloth SPDX header.
+- [ ] Update `html-to-md.test.ts` to the new library's output (structure-level `.toContain`
+      where whitespace differs; output feeds an LLM so exact format is not load-bearing).
+- [ ] Keep `web/index.ts` re-export and `web_fetch.ts` untouched.
+
+## B — llama-args-validator → clean-room
+- [ ] Rewrite `apps/server/src/services/inference/llama-args-validator.ts`: re-derive the
+      managed-flag denylist from the public llama-server README; keep the BooCode
+      shadowing-flag logic. Same exports (`validateExtraArgs`, `isManagedFlag`,
+      `stripShadowingFlags`, `StripOptions`).
+- [ ] Drop the AGPL/Unsloth SPDX header.
+- [ ] Keep `llama-args-validator.test.ts` green (it pins the contract).
+
+## C — tool-call-parser → minimal clean (relicense-only)
+- [ ] Delete dead Unsloth-ported exports: `parseToolCallsFromText`, `scanBalancedBraces`,
+      `OpenAiToolCall`, `hasToolSignal`, and the unused nudge constants
+      (`DUPLICATE_CALL_NUDGE`, `TOOL_ERROR_NUDGE`, `TOOL_ERROR_PREFIXES`,
+      `BUDGET_EXHAUSTED_NUDGE`).
+- [ ] Keep `extractToolCallBlocks` + streaming helpers + `stripToolMarkup` (re-derive its
+      strip regexes from qwen's wire format). Drop the AGPL/Unsloth SPDX header.
+- [ ] Remove the now-dead tests from `tool-call-parser.test.ts`; keep streaming/strip tests.
+- [ ] Verify `stream-phase.ts` (`extractToolCallBlocks`) + `tool-phase.ts` / `error-handler.ts`
+      (`stripToolMarkup`) still compile.
+
+## D — license flip (join)
+- [ ] `LICENSE`: replace AGPL-3.0 text with MIT, `Copyright (c) 2026 indifferentketchup`.
+- [ ] Flip `"license"` to `"MIT"` in all 5 `package.json` (root, server, web, coder, booterm).
+- [ ] Confirm no `SPDX-License-Identifier: AGPL` header survives in the 3 files.
+- [ ] Roadmap `License-debt` batch: planned → shipped (note the decoupled-from-parser-retirement
+      approach). Add a `## License` section to `README.md` (MIT).
+- [ ] Optional guard test: assert no `AGPL` SPDX header in `apps/**` and all 5 `package.json`
+      are MIT.
+
+## Verify
+- [ ] `pnpm -C apps/server test`
+- [ ] `pnpm -C apps/server build`
+- [ ] root `npx tsc --noEmit`

openspec/changes/sampling-streamjson-tokens/proposal.md

@@ -0,0 +1,45 @@
+# Small wins — sampling knobs + PTY stream-json + token UI
+
+**Status:** in progress (started 2026-06-01)
+**Source:** `boocode_code_review_v2.md` §1 #11 / #7 / #8 (config-adopt + qwen-code §5g + opencode §3 #4).
+
+Three independent BooCode improvements, disjoint subsystems (apps/server / apps/coder / apps/web).
+
+## #11 — New sampling knobs (apps/server)
+Per-agent `top_n_sigma` + the `dry_*` repetition family help the doom-loop-prone local model.
+Today the Agent type threads `temperature/top_p/top_k/min_p/presence_penalty` into the inference
+request (`stream-phase.ts:396–438`). Add `top_n_sigma`, `dry_multiplier`, `dry_base`,
+`dry_allowed_length`, `dry_penalty_last_n` as first-class Agent fields (`types/api.ts`), parse them in
+`agents.ts:parseFrontmatter` (same bounded per-field numeric pattern + out-of-range warn), and thread
+them into the request body **via the same mechanism `top_k`/`min_p` already use** (the agent must
+confirm whether that's an AI-SDK `providerOptions`/`extraBody` passthrough — these are llama.cpp
+extensions, not standard OpenAI fields — and ride it; surface it if `top_k`/`min_p` turn out to be
+silently dropped today). `--reasoning-budget` is a llama-server CLI flag already permitted by the
+deny-list validator, so it works via `llama_extra_args: ["--reasoning-budget","N"]` now — document it
+in `data/AGENTS.md`. apps/server only.
+
+## #7 — Live PTY stream-json NDJSON parsing (apps/coder)
+qwen/claude PTY dispatch slices stdout opaque (`dispatcher.ts` PTY path; qwen already runs
+`--output-format stream-json`). Add a parser for the Claude-Code-compatible NDJSON
+(`system`/`assistant`/`result`/`stream_event` → `content_block_delta` text/thinking/tool deltas +
+`usage` + `session_id`) that maps to the existing `AgentEvent` union (`agent-backend.ts`). **Live
+incremental** (decision 2026-06-01): line-buffer the PTY stdout `data` events, parse each complete
+NDJSON line as it arrives, and emit broker frames live (text/reasoning/tool) like the ACP/opencode
+paths — plus accumulate for `persistExternalAgentTurn`. claude gets `--output-format stream-json` too.
+One parser serves both (same schema). apps/coder only (`pty-dispatch.ts`, `dispatcher.ts`, new
+`stream-json-parser.ts` + test).
+
+## #8 — Surface opencode token usage (apps/coder route + apps/web)
+`agent_sessions.input_tokens/output_tokens/cost` are accumulated (v2.6.8) but the
+`GET /api/sessions/:id/agent-sessions` SELECT + the `AgentSessionInfo` type drop them. Add the 3
+columns to both, render condensed beside the existing session chip in `AgentComposerBar`
+(ChatThroughput styling: `tabular-nums`, muted, e.g. "12.4K in / 3.2K out / $0.25"). MUST NOT touch
+Sam's uncommitted WIP (`ChatTabBar`, `SessionLandingPage`, `Workspace`, `useWorkspacePanes`,
+`PaneHeaderActions`).
+
+## Decisions (2026-06-01)
+- #7 surfacing: **live incremental** streaming (not parse-at-end).
+
+## Verify
+- `pnpm -C apps/server test` (+ new agent-parse tests); `pnpm -C apps/coder test` (+ new parser tests)
+- `pnpm -C apps/server build && pnpm -C apps/coder build`; `npx tsc -p apps/web/tsconfig.app.json --noEmit`

openspec/changes/v2-6-persistent-agent-sessions/tasks.md

@@ -54,20 +54,17 @@ ACP follows; hardening last.
       resumes the SAME `agent_session_id` (memory intact), boocode saw opencode's turns as
       history, all three shared the one worktree, and no agent was locked to the chat.
 
-## Phase 3 — Lifecycle hardening — ⬜ REMAINING
+## Phase 3 — Lifecycle hardening — ✅ COMPLETE (`v2.6.10` 3.1–3.6; `v2.6.11` closed 3.7 + the apps/server close-hook caller)
 
 > **Lift (design §10):** hardening from **openchamber** (MIT, same warm-opencode-server architecture) — health-monitor + crash auto-restart + busy-aware restart + port reclaim (`killProcessOnPort`/`waitForPortRelease`) + stall-SSE = a concrete state machine for 3.1/3.2/3.6. Reaper (3.3/3.4): Paseo worktree-archive cascade + superset destroy-saga (preflight dirty/unpushed inspect) + LRU cap on warm-server Maps. Do crash-recovery + reaper together (shared supervision loop).
 
-- [ ] 3.1 Idle TTL eviction keyed per `(chat, agent)`; reattach-on-next-turn from `agent_sessions`.
-- [ ] 3.2 Crash recovery: opencode server restart recreates sessions; ACP re-`session/new`.
-- [ ] 3.3 Chat close/archive hook → `closeSession` for every `(chat, agent)` + remove the
-      chat's **`worktrees`** row + worktree (NOT `session_worktrees` — superseded P1.5-b); mark agent rows `status='closed'`.
-- [ ] 3.4 Orphan worktree reaper (extend periodic sweeper) + max-live-worktrees LRU cap.
-- [ ] 3.5 Re-baseline worktree diff after `apply_pending`.
-- [ ] 3.6 Reconnect test: restart BooCoder mid-session → next turn reattaches/recreates cleanly.
-- [ ] 3.7 Staging-boundary hint in DiffPanel (§9c): muted one-liner when the selected
-      provider can't see another agent's unapplied worktree edits (derived from per-change
-      `agent` + current provider; no new state).
+- [x] 3.1 Idle TTL eviction per `(chat, agent)` (`AGENT_POOL_IDLE_TTL_MS`=30min) + LRU cap (`AGENT_POOL_MAX_LIVE`=10), busy never evicted; reattach next turn. Pure `lifecycle-decisions.ts` (TDD).
+- [x] 3.2 Crash recovery: openchamber health-monitor + busy-aware-restart + stale-grace state machine in `opencode-server.ts` (+ port reclaim) + `warm-acp.ts`. opencode → fresh sessions; ACP → re-`session/new`. F.1 guard + U.6 usage preserved.
+- [x] 3.3 Close hooks (`/api/chats/:id/close`, `/api/sessions/:id/close`) → `closeChat` evicts backends + archives the `worktrees` row + removes the worktree. **apps/server caller wired in `v2.6.11`** (`coder-notify.ts`, fire-and-forget on session-delete + chat archive/delete).
+- [x] 3.4 Orphan worktree reaper (periodic, 1h grace, superset-style dirty/unpushed preflight, Paseo soft-delete) + LRU cap on the pool.
+- [x] 3.5 Re-baseline `worktrees.base_commit` after a successful `apply_pending` (both apply routes).
+- [x] 3.6 Reconnect integration test (DB-opt-in): restart mid-session → next turn reattaches/recreates from `agent_sessions`/`worktrees`.
+- [x] 3.7 Staging-boundary hint in DiffPanel (§9c) — `v2.6.11`: muted one-liner when the selected provider can't see another agent's unapplied worktree edits (derived from per-change `agent` + current provider; no new state).
 
 ## Tests — ⬜ REMAINING (none of T.1–T.3 exist yet)
 

openspec/changes/write-edit-robustness/proposal.md

@@ -0,0 +1,101 @@
+# Write/edit robustness — fuzzy patch applier + worktree checkpoints
+
+**Status:** in progress (started 2026-06-01)
+**Source:** `boocode_code_review_v2.md` §1 #3 + #4, §5b/§5d–5e (cline, Apache-2.0 — algorithm clean-reimplemented, not vendored).
+
+Two independent BooCoder hardening features for local quantized models.
+
+## #3 — Fuzzy patch applier
+
+**Problem:** `applyOne`'s edit case (`apps/coder/src/services/pending_changes.ts:124`) does exact
+`content.includes(oldStr)` → throw, then `content.replace(oldStr, newStr)` (first occurrence).
+`rewindOne` (line 206) is the same. Local models (qwen3.6) drift `old_string` by whitespace/
+indentation/unicode (curly quotes, en/em-dash, nbsp), so a valid edit fails at apply with
+"old_string not found" and is lost.
+
+**Design:** new pure module `apps/coder/src/services/fuzzy-match.ts`:
+`locateMatch(content: string, needle: string): { kind: 'exact'|'fuzzy'; start: number; end: number }
+| { kind: 'ambiguous'; count: number } | { kind: 'not_found' }`. Match ladder:
+1. **Exact** `indexOf`. If exactly one → exact span. If >1 → **ambiguous** (refuse; decision
+   2026-06-01: safer than silently editing the first).
+2. **Per-line whitespace-insensitive** — compare `needle` lines to file line-windows ignoring per-line
+   `trimEnd`/leading-trailing blank lines.
+3. **Unicode canonicalization** — normalize curly→straight quotes, en/em-dash→`-`, nbsp→space on both
+   sides, then retry the whitespace pass.
+4. **Levenshtein** similarity ≥ 0.66 over line-windows sized to `needle`'s line count; best window wins.
+
+Non-exact (fuzzy) matches return the actual file span so the caller replaces the real file text with
+`new_string`. `pending_changes.ts` `applyOne`/`rewindOne` use `locateMatch`; `ambiguous`/`not_found`
+return `success:false` with a clear message (no throw escaping the existing catch). Unit-tested
+(`apps/coder/src/services/__tests__/fuzzy-match.test.ts`), per the `turn-guard.ts` pure-helper pattern.
+
+## #4 — Worktree checkpoint + conversation-trim
+
+**Problem:** `rewind` only reverses BooCode's own `pending_changes` (applied to the project root).
+External agents (opencode/goose/qwen/claude) write **directly into the session worktree**
+(`/tmp/booworktrees/sess-<id>`); rewind has zero coverage there.
+
+**Schema** (`apps/coder/src/schema.sql`):
+```sql
+CREATE TABLE IF NOT EXISTS checkpoints (
+  id          UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  chat_id     UUID NOT NULL REFERENCES chats(id) ON DELETE CASCADE,
+  session_id  UUID,
+  worktree_id UUID REFERENCES worktrees(id) ON DELETE SET NULL,
+  message_id  UUID,            -- anchor: the assistant turn row this checkpoint precedes
+  commit_sha  TEXT NOT NULL,   -- shadow-commit capturing the pre-turn worktree tree
+  label       TEXT,
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
+);
+CREATE INDEX IF NOT EXISTS checkpoints_chat_created_idx ON checkpoints(chat_id, created_at);
+```
+
+**Create** (`apps/coder/src/services/checkpoints.ts` → `createCheckpoint`): hooked into the three
+external-agent dispatch paths in `dispatcher.ts` (`runWarmAcpTask` ~821, `runOpenCodeServerTask` ~513,
+`runExternalAgent` ~255) — after `ensureSessionWorktree()` and the assistant-message insert (so the
+anchor `message_id` exists), before the backend runs. Snapshot captures tracked **+ untracked** via a
+temp-index shadow commit, stored in a private GC-safe ref:
+```
+cd <wt> && TMP=$(mktemp) && GIT_INDEX_FILE="$TMP" git read-tree HEAD \
+  && GIT_INDEX_FILE="$TMP" git add -A \
+  && TREE=$(GIT_INDEX_FILE="$TMP" git write-tree) \
+  && SHA=$(git commit-tree "$TREE" -p HEAD -m "boocode checkpoint") \
+  && git update-ref refs/boocode/checkpoints/<id> "$SHA" && rm -f "$TMP" && echo "$SHA"
+```
+Best-effort: a checkpoint failure logs and never breaks the turn. Native-boocode turns (project-root,
+rewind-covered) get no checkpoint.
+
+**Restore** (`POST /api/sessions/:sessionId/checkpoints/:checkpointId/restore`, proxied `/api/coder/*`):
+1. Resolve + validate the checkpoint belongs to the session.
+2. Reset worktree: `git -C <wt> reset --hard <commit_sha> && git -C <wt> clean -fd` (hostExec+shellEscape).
+3. Trim transcript: `DELETE FROM messages WHERE chat_id = <cp.chat_id> AND created_at >=
+   (SELECT created_at FROM messages WHERE id = <cp.message_id>)` (+ explicit `message_parts` delete if
+   the FK isn't ON DELETE CASCADE — verify).
+4. Reset backend (decision 2026-06-01): `UPDATE agent_sessions SET status='crashed' WHERE
+   chat_id=<cp.chat_id>` and evict the live pool session for `(chat,agent)` if present, so the next turn
+   re-establishes a fresh backend — transcript, files, and agent context all consistent at the restore
+   point. (Warm backends hold context server-side; no partial rewind exists.)
+5. Delete now-orphaned later checkpoints: `DELETE FROM checkpoints WHERE chat_id=? AND created_at >
+   <cp.created_at>`.
+6. Return `{ checkpoint_id, messages_deleted, worktree_reset, backend_reset }`.
+
+**Frontend:** per-message "Restore to here" in `CoderMessageList.tsx` (via a new optional
+`onRestoreCheckpoint?(chatId, messageId)` on `MessageActions` in `MessageBubble.tsx`), wired in
+`CoderPane.tsx`; guarded to `status==='complete'` and to messages that have a checkpoint. After the call
+returns, refetch the chat's messages (existing GET) — no new WS frame required.
+
+## Decisions (2026-06-01)
+- Multi-exact-match → **refuse as ambiguous** (#3).
+- #4 **full** scope incl. conversation-trim.
+- Restore **resets** the external-agent backend session (context re-established fresh).
+
+## Parallelization
+- **Unit 1 (#3)** — fully independent (`fuzzy-match.ts` + `pending_changes.ts` + test).
+- **Unit 2 (#4 backend)** — schema + `checkpoints.ts` (create+restore) + 3 dispatcher hooks + restore route + backend reset. One agent owns all #4 coder backend (shared `checkpoints.ts`).
+- **Unit 3 (#4 frontend)** — `CoderMessageList`/`MessageBubble`/`CoderPane`, against the pinned restore contract. Parallel with Unit 2. MUST NOT touch Sam's uncommitted WIP (`ChatTabBar`, `SessionLandingPage`, `Workspace`, `useWorkspacePanes`, `PaneHeaderActions`).
+
+## Verify
+- `pnpm -C apps/coder test` (incl. new `fuzzy-match` + any checkpoint pure-helper tests)
+- `pnpm -C apps/server build` then `pnpm -C apps/coder build`
+- `npx tsc -p apps/web/tsconfig.app.json --noEmit`
+- Live smoke (manual, host): external-agent edit → checkpoint row; "Restore to here" → worktree reset + transcript trimmed + next turn fresh.

package.json

@@ -11,5 +11,5 @@
   "devDependencies": {
     "typescript": "^5.5.0"
   },
-  "license": "AGPL-3.0-only"
+  "license": "MIT"
 }

pnpm-lock.yaml

@@ -158,9 +158,9 @@ importers:
       fastify:
         specifier: ^4.28.1
         version: 4.29.1
-      parse5:
-        specifier: ^8.0.1
-        version: 8.0.1
+      node-html-markdown:
+        specifier: ^1.3.0
+        version: 1.3.0
       postgres:
         specifier: ^3.4.4
         version: 3.4.9
@@ -2108,6 +2108,9 @@ packages:
     resolution: {integrity: sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==}
     engines: {node: '>=18'}
 
+  boolbase@1.0.0:
+    resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==}
+
   brace-expansion@2.1.0:
     resolution: {integrity: sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==}
 
@@ -2270,6 +2273,13 @@ packages:
     resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
     engines: {node: '>= 8'}
 
+  css-select@5.2.2:
+    resolution: {integrity: sha512-TizTzUddG/xYLA3NXodFM0fSbNizXjOKhqiQQwvhlspadZokn1KDy0NZFS0wuEubIYAV5/c1/lAr0TaaFXEXzw==}
+
+  css-what@6.2.2:
+    resolution: {integrity: sha512-u/O3vwbptzhMs3L1fQE82ZSLHQQfto5gyZzwteVIEyeaY5Fc7R4dapF/BvRoSYFeqfBk4m0V1Vafq5Pjv25wvA==}
+    engines: {node: '>= 6'}
+
   cssesc@3.0.0:
     resolution: {integrity: sha512-/Tb/JcjK111nNScGob5MNtsntNM1aCNUDipB/TkwZFhyDrrE47SOx/18wF2bbjgc3ZzCSKW1T5nt5EbFoAz/Vg==}
     engines: {node: '>=4'}
@@ -2344,6 +2354,19 @@ packages:
     resolution: {integrity: sha512-DPi0FmjiSU5EvQV0++GFDOJ9ASQUVFh5kD+OzOnYdi7n3Wpm9hWWGfB/O2blfHcMVTL5WkQXSnRiK9makhrcnw==}
     engines: {node: '>=0.3.1'}
 
+  dom-serializer@2.0.0:
+    resolution: {integrity: sha512-wIkAryiqt/nV5EQKqQpo3SToSOV9J0DnbJqwK7Wv/Trc92zIAYZ4FlMu+JPFW1DfGFt81ZTCGgDEabffXeLyJg==}
+
+  domelementtype@2.3.0:
+    resolution: {integrity: sha512-OLETBj6w0OsagBwdXnPdN0cnMfF9opN69co+7ZrbfPGrdpPVNBUj02spi6B1N7wChLQiPn4CSH/zJvXw56gmHw==}
+
+  domhandler@5.0.3:
+    resolution: {integrity: sha512-cgwlv/1iFQiFnU96XXgROh8xTeetsnJiDsTc7TYCLFd9+/WNkIqPTxiM/8pSd8VIrhXGTf1Ny1q1hquVqDJB5w==}
+    engines: {node: '>= 4'}
+
+  domutils@3.2.2:
+    resolution: {integrity: sha512-6kZKyUajlDuqlHKVX1w7gyslj9MPIXzIFiz/rGu35uC1wMi+kMhQwGhl4lt9unC9Vb9INnY9Z3/ZA3+FhASLaw==}
+
   dotenv@17.4.2:
     resolution: {integrity: sha512-nI4U3TottKAcAD9LLud4Cb7b2QztQMUEfHbvhTH09bqXTxnSie8WnjPALV/WMCrJZ6UV/qHJ6L03OqO3LcdYZw==}
     engines: {node: '>=12'}
@@ -2391,9 +2414,9 @@ packages:
     resolution: {integrity: sha512-QyL119InA+XXEkNLNTPCXPugSvOfhwv0JOlGNzvxs0hZaiHLNvXSpudUWsOlsXGWJh8G6ckCScEkVHfX3kw/2Q==}
     engines: {node: '>=10.13.0'}
 
-  entities@8.0.0:
-    resolution: {integrity: sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA==}
-    engines: {node: '>=20.19.0'}
+  entities@4.5.0:
+    resolution: {integrity: sha512-V0hjH4dGPh9Ao5p0MoRY6BVqtwCjhz6vI5LT8AJ55H+4g9/4vbHx1I54fS0XuclLhDHArPQCiMjDxjaL8fPxhw==}
+    engines: {node: '>=0.12'}
 
   env-paths@2.2.1:
     resolution: {integrity: sha512-+h1lkLKhZMTYjog1VEpJNG7NZJWcuc2DDk/qsqSTRRCOXiLjeQ1d1/udrUGhqMxUgAlwKNZ0cf2uqan5GLuS2A==}
@@ -2662,6 +2685,10 @@ packages:
   hast-util-whitespace@3.0.0:
     resolution: {integrity: sha512-88JUN06ipLwsnv+dVn+OIYOvAuvBMy/Qoi6O7mQHxdPXpjy+Cd6xRkWwux7DKO+4sYILtLBRIKgsdpS2gQc7qw==}
 
+  he@1.2.0:
+    resolution: {integrity: sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==}
+    hasBin: true
+
   headers-polyfill@5.0.1:
     resolution: {integrity: sha512-1TJ6Fih/b8h5TIcv+1+Hw0PDQWJTKDKzFZzcKOiW1wJza3XoAQlkCuXLbymPYB8+ZQyw8mHvdw560e8zVFIWyA==}
 
@@ -3210,6 +3237,13 @@ packages:
     resolution: {integrity: sha512-dRB78srN/l6gqWulah9SrxeYnxeddIG30+GOqK/9OlLVyLg3HPnr6SqOWTWOXKRwC2eGYCkZ59NNuSgvSrpgOA==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
+  node-html-markdown@1.3.0:
+    resolution: {integrity: sha512-OeFi3QwC/cPjvVKZ114tzzu+YoR+v9UXW5RwSXGUqGb0qCl0DvP406tzdL7SFn8pZrMyzXoisfG2zcuF9+zw4g==}
+    engines: {node: '>=10.0.0'}
+
+  node-html-parser@6.1.13:
+    resolution: {integrity: sha512-qIsTMOY4C/dAa5Q5vsobRpOOvPfC4pB61UVW2uSwZNUp0QU/jCekTal1vMmbO0DgdHeLUJpv/ARmDqErVxA3Sg==}
+
   node-pty@1.1.0:
     resolution: {integrity: sha512-20JqtutY6JPXTUnL0ij1uad7Qe1baT46lyolh2sSENDd4sTzKZ4nmAFkeAARDKwmlLjPx6XKRlwRUxwjOy+lUg==}
 
@@ -3224,6 +3258,9 @@ packages:
     resolution: {integrity: sha512-9qny7Z9DsQU8Ou39ERsPU4OZQlSTP47ShQzuKZ6PRXpYLtIFgl/DEBYEXKlvcEa+9tHVcK8CF81Y2V72qaZhWA==}
     engines: {node: '>=18'}
 
+  nth-check@2.1.1:
+    resolution: {integrity: sha512-lqjrjmaOoAnWfMmBPL+XNnynZh2+swxiX3WUE0s4yEHI6m+AwrK2UZOimIRl3X/4QctVqS8AiZjFqyOGrMXb/w==}
+
   object-assign@4.1.1:
     resolution: {integrity: sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==}
     engines: {node: '>=0.10.0'}
@@ -3287,9 +3324,6 @@ packages:
     resolution: {integrity: sha512-TXfryirbmq34y8QBwgqCVLi+8oA3oWx2eAnSn62ITyEhEYaWRlVZ2DvMM9eZbMs/RfxPu/PK/aBLyGj4IrqMHw==}
     engines: {node: '>=18'}
 
-  parse5@8.0.1:
-    resolution: {integrity: sha512-z1e/HMG90obSGeidlli3hj7cbocou0/wa5HacvI3ASx34PecNjNQeaHNo5WIZpWofN9kgkqV1q5YvXe3F0FoPw==}
-
   parseurl@1.3.3:
     resolution: {integrity: sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==}
     engines: {node: '>= 0.8'}
@@ -5904,6 +5938,8 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  boolbase@1.0.0: {}
+
   brace-expansion@2.1.0:
     dependencies:
       balanced-match: 1.0.2
@@ -6040,6 +6076,16 @@ snapshots:
       shebang-command: 2.0.0
       which: 2.0.2
 
+  css-select@5.2.2:
+    dependencies:
+      boolbase: 1.0.0
+      css-what: 6.2.2
+      domhandler: 5.0.3
+      domutils: 3.2.2
+      nth-check: 2.1.1
+
+  css-what@6.2.2: {}
+
   cssesc@3.0.0: {}
 
   csstype@3.2.3: {}
@@ -6083,6 +6129,24 @@ snapshots:
 
   diff@8.0.4: {}
 
+  dom-serializer@2.0.0:
+    dependencies:
+      domelementtype: 2.3.0
+      domhandler: 5.0.3
+      entities: 4.5.0
+
+  domelementtype@2.3.0: {}
+
+  domhandler@5.0.3:
+    dependencies:
+      domelementtype: 2.3.0
+
+  domutils@3.2.2:
+    dependencies:
+      dom-serializer: 2.0.0
+      domelementtype: 2.3.0
+      domhandler: 5.0.3
+
   dotenv@17.4.2: {}
 
   dunder-proto@1.0.1:
@@ -6130,7 +6194,7 @@ snapshots:
       graceful-fs: 4.2.11
       tapable: 2.3.3
 
-  entities@8.0.0: {}
+  entities@4.5.0: {}
 
   env-paths@2.2.1: {}
 
@@ -6519,6 +6583,8 @@ snapshots:
     dependencies:
       '@types/hast': 3.0.4
 
+  he@1.2.0: {}
+
   headers-polyfill@5.0.1:
     dependencies:
       '@types/set-cookie-parser': 2.4.10
@@ -7196,6 +7262,15 @@ snapshots:
       fetch-blob: 3.2.0
       formdata-polyfill: 4.0.10
 
+  node-html-markdown@1.3.0:
+    dependencies:
+      node-html-parser: 6.1.13
+
+  node-html-parser@6.1.13:
+    dependencies:
+      css-select: 5.2.2
+      he: 1.2.0
+
   node-pty@1.1.0:
     dependencies:
       node-addon-api: 7.1.1
@@ -7211,6 +7286,10 @@ snapshots:
       path-key: 4.0.0
       unicorn-magic: 0.3.0
 
+  nth-check@2.1.1:
+    dependencies:
+      boolbase: 1.0.0
+
   object-assign@4.1.1: {}
 
   object-inspect@1.13.4: {}
@@ -7289,10 +7368,6 @@ snapshots:
 
   parse-ms@4.0.0: {}
 
-  parse5@8.0.1:
-    dependencies:
-      entities: 8.0.0
-
   parseurl@1.3.3: {}
 
   path-browserify@1.0.1: {}