refactor: codebase audit cleanup — dead code, dedup, module splits

Multi-agent audit + aggressive cleanup across server/web/coder/booterm, delivered behind a DEFER discipline so none of the in-flight files were touched. Removes dead code/deps/columns, dedups server + coder helpers, and splits the oversized modules (tools.ts, opencode-server.ts, sentinel-summaries, turn.ts, TerminalPane.tsx) behind stable contracts. Adds 78 parity/unit tests (server 587, coder 323); fixes two latent bugs (ChatPane queue keys, FileViewerOverlay blank-line parity). Intended tag: v2.7.12-audit-cleanup. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
fix(coder): include model in WS snapshot SELECT so the attribution chip survives refresh
2026-06-02 21:12:29 +00:00 · 2026-06-02 18:03:10 +00:00 · 2026-06-02 17:27:59 +00:00 · 2026-06-02 17:26:27 +00:00 · 2026-06-02 17:01:11 +00:00 · 2026-06-02 17:01:03 +00:00
211 changed files with 12797 additions and 6400 deletions
--- a/.env.example
+++ b/.env.example
@@ -11,6 +11,10 @@ POSTGRES_PASSWORD=CHANGE_ME
 # point BooCode at a different SearXNG instance.
 SEARXNG_URL=http://100.114.205.53:8888

+# Context7 MCP key. Referenced from data/mcp.json as "{env:CONTEXT7_API_KEY}"
+# ({env:VAR} substitution, opencode-compatible). Leave unset to send no key.
+# CONTEXT7_API_KEY=ctx7sk-...
+
 # Task model: lightweight model for auto-naming, search rewrite, etc.
 # Direct llama-server instance (NOT llama-swap). Falls back to LLAMA_SWAP_URL
 # with FAST_MODEL when unset.
--- a/.gitignore
+++ b/.gitignore
@@ -15,6 +15,6 @@ secrets/
 data/*
 !data/AGENTS.md
 !data/skills/
-!data/mcp.json
+!data/mcp.example.json
 !data/coder-providers.example.json
 codecontext/fork.tar.gz
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,50 @@

 All notable changes per release tag. Most recent on top, ordered by tag creation date (which matches the git history). Tag names follow `vMAJOR.MINOR.PATCH-slug` — the slug describes what shipped, so the tag name alone is enough to recall the batch.

+## v2.7.12-audit-cleanup — 2026-06-02
+
+A repo-wide audit and aggressive cleanup pass, run as a multi-agent orchestration (five read-only Opus auditors over server/web/coder/booterm + cross-cutting deps/build/parity + a structural-architecture lens) followed by phased, behavior-preserving implementation — every change gated on the per-app test suites and delivered behind a strict DEFER discipline that never touched the files in flight for `v2.7.9`–`v2.7.11` (`mcp-config`, the `ws-frames` pair, `dispatcher`, `claude-sdk-map`, `AgentComposerBar`/`CoderMessageList`/`CoderPane`), so the branch rebased onto current main with zero conflicts. **Dead code/deps/schema**: removed ~9 dead files and a swathe of dead exports/write-only state across all four apps, dropped dead deps (`next-themes`, `@xterm/addon-webgl`, booterm `tslib`; `shadcn`→devDep), and idempotently dropped dead schema columns/tables (`sessions.tags`, `tasks.worktree_path`/`feature_values`, `available_agents.supports_mcp_client`, the superseded `session_worktrees` table, the always-empty `list_worktrees` MCP tool) — chat/session/message DATA untouched, only never-read columns. **Server dedup + reshapes**: collapsed the dead `budget.ts` tier system (surfacing a latent `READ_ONLY_TOOL_NAMES` drift, then deleted), extracted shared `MESSAGE_COLUMNS`/`selectProject`/`stripQuotes`/`SENTINEL_KINDS`/`samplerOptsFromAgent`/`createContentFlusher`/`insertSentinel`/a `makeCodecontextTool` factory/a pending-tool-call resolver, split `tools.ts` (799→46 barrel + `tools/{types,fs-tools,misc-tools,registry,tiers}`, register-through registry preserved so coder's import contract stays byte-stable), and decomposed the inference pipeline (`sentinel-summaries`→`runWrapUpSummary`, `turn.ts`→`turn-config`+`step-decision`, a pure `stream-phase-adapter`, shared finalize atoms — stopping short of fusing synthesis to preserve frame timing). **Coder reshapes**: split the 1062-line `opencode-server.ts` god-class into supervisor / sse-loop / pure event-map / port-utils + extracted `buildAcpClient`/`makeFrameEmitter`/`worktree-risk`, plus happy-path-safe concurrency hardening (reconnect backoff, double-spawn guard; a defensive busy-assert + ensureSession coalescing flagged for review). **Web**: `React.memo` on `MessageBubble`/`MarkdownRenderer` + module-hoisted markdown components (the streaming re-parse was the biggest perf cost), shared `linkifyPaths`/artifact/tab dedup, two latent bug fixes (`ChatPane` index-keys → stable ids; `FileViewerOverlay` blank-line line-number desync), and decomposed the 1298-line `TerminalPane.tsx` into fit/socket/selection hooks + presentational pieces (verbatim move, all ~30 listeners/timers inventoried; the label-dep fix stops a live terminal tearing down on pane renumber). +78 parity/unit tests (server 597, coder 328 green; `apps/web` has no harness, so its changes are typecheck + manual/device QA). Net ≈ −4,600 LOC. Deferred (designed; blueprints in the audit reports): the `tasks` dual-CREATE / `project_id` FK (a cross-service deploy-ordering decision, not a data migration), web structural decomposition of `useWorkspacePanes`/`MessageBubble` (needs a web test harness first), a `@boocode/contracts` shared package, and the `dispatcher.ts` split — the last two now unblocked since their in-flight files shipped in `v2.7.9`–`v2.7.11`. Rebased clean onto `v2.7.11-coder-model-snapshot`.
+
+## v2.7.11-coder-model-snapshot — 2026-06-02
+
+Hotfix for the coder model-attribution chip vanishing on refresh. The chip showed during a live turn (the `message_complete` frame carries `model`) but disappeared when a BooCoder session was reloaded — only in the coder, not BooChat. Root cause: `CoderPane`'s `useCoderMessages` hydrates from two sources on load — the HTTP `listMessages` fetch (whose SELECT includes `model`, added `v2.7.8`) AND the WS `snapshot` frame — and the WS snapshot's query in `apps/coder/src/routes/ws.ts` had its own column list that omitted `model`. The client's `snapshot` handler `setMessages`-overwrites the HTTP load, so the model-less rows won, and with no later `message_complete` for historical messages the chip stayed gone. Fix is one column: add `model` to the WS snapshot SELECT so both hydration paths agree. The `apps/coder/CLAUDE.md` "update every mapper" note now lists the WS snapshot SELECT explicitly (it was the one place not enumerated). apps/server + apps/coder builds green; deployed via `systemctl restart boocoder` (host service — the earlier `v2.7.10` docker deploy rebuilt only the container, never this route). Fixes the chip shipped in `v2.7.8-ember-coder-tabs-model-chips` / completed in `v2.7.9-mcp-keys-docs-coder-fixes`.
+
+## v2.7.10-composer-chips — 2026-06-02
+
+A composer control-row refresh shared by BooChat and BooCoder via `ChatInput`. The slash-commands menu moves out of the full-width `AgentCommandsHint` disclosure (now removed) into a compact chip in the message box's bottom controls row — clicking it opens the existing `SlashCommandPicker` anchored to the chip and selecting inserts `/<name> `, while the typed-`/` autocomplete is unchanged. A new attach-file button sits beside it, opening a native multi-file picker that funnels picks through the same drag-drop pipeline (5 MB / binary gate, 10-attachment cap, chips + preview, `source:'drop'`). On mobile both collapse to icon-only — the slash count is `max-md:hidden` and the paperclip is icon-only — so the row stays on one line per the no-scroll toolbar rule. Web tsc + build green; deployed (docker). Builds on the BooCode 2.0 composer work in `v2.7.8-ember-coder-tabs-model-chips`.
+
+## v2.7.9-mcp-keys-docs-coder-fixes — 2026-06-02
+
+The MCP-key hygiene feature plus accumulated in-flight coder fixes and a docs refactor. **MCP `{env:VAR}` substitution** (`mcp-config.ts:substituteEnvVars`, opencode-compatible) recursively resolves `{env:NAME}` references in any string value of `data/mcp.json` from `process.env` *before* Zod validation, so real keys live in `.env` (`env_file`) instead of the gitignored config — an unset var resolves to `''` with a boot-log warning, and on a validation failure the loader names the unset vars alongside the field errors (an empty `{env:VAR}` in a strict url/command field invalidates the whole config, an otherwise-disconnected warning). `data/mcp.json` is now untracked (`.gitignore` flips `!data/mcp.json` → `!data/mcp.example.json`); the tracked template `data/mcp.example.json` carries `"CONTEXT7_API_KEY": "{env:CONTEXT7_API_KEY}"` and `.env.example` documents the key (9 mcp-config tests). **Two coder bug fixes** ride along: the `message_complete` frame's `model` is widened `string` → `string | null` in both ws-frames copies (server + web parity) and the dispatcher now publishes `model: task.model` at all four external assistant-completion points — without the nullable widen a null model would fail-closed in `publishFrame` and drop the entire frame including the `status:'complete'` transition (regression test added); and Claude-SDK `mapUserToolResults` now maps `user`-message `tool_result` blocks → terminal `tool_update` events (completed/failed with output) so external-agent tool snapshots resolve instead of spinning forever (the SDK feeds tool output back as a user message, previously unmapped). On the view side the `AgentComposerBar` drops the §9b resumed/history/new-session chip and token-usage readout and loses `flex-wrap` so the control row stays on one line, while `CoderPane` gains a per-chat `localStorage` agent-config cache (provider/model/mode/thinking keyed by chat id, restoring the last model on reopen) and threads the new `model` field into the timeline + attribution chip. **Docs refactor**: the root `CLAUDE.md` is slimmed (~190 lines) with per-app deep references split into `apps/{coder,server,web}/CLAUDE.md` (auto-loaded in-subtree), plus a new 372-line `docs/coder-backends.md` dispatch reference, a `docs/project-discovery.md` stack inventory, and a `docs/coding-standards/` set (the `cross-app-contract-parity` standard, fronted by `.claude/rules` path-scoped indexes) — `ARCHITECTURE.md` links the backends doc. Server 555 + coder 299 tests passing (incl. new mcp-config, ws-frames, and claude-sdk-map suites), web tsc + server + coder builds green. Builds on `v2.7.8-ember-coder-tabs-model-chips`.
+
+## v2.7.8-ember-coder-tabs-model-chips — 2026-06-01
+
+The BooCode 2.0 visual identity plus two workflow features. **Ember theme** (`styles/themes/ember.css`, now `DEFAULT_THEME_ID`) is the signature orange-on-near-black look — rebuilt on Obsidian's flat charcoal structure (`#0c0c0e`/`#15151a`/`#1f1f23`) with `#ff7a18` swapped in for the purple, after a Reinvented-direction detour (neon borders + a scanline/glow texture overlay) was dialed back to taste; the server `theme_id` whitelist gains `ember` so it can actually be selected. The **brand banner** (`ProjectSidebar`) shows the eye-patch Westie mascot + the `>_BooCode` wordmark big and edge-to-edge on transparent backgrounds — the source PNGs shipped with baked-white canvases, so they were flood-filled to transparency from the corners (preserving the white dog, which a naive white-key would have destroyed) and cropped to bounds. **Coder panes are now multi-tab**: `+` opens a new BooCode tab (a fresh chat = a new agent context sharing the session worktree) while the split button still opens a pane — coder panes reuse the shared `ChatTabBar` via a kind-aware `tabKind`, backed by a new `createCoderTab` action with `closeOtherTabs`/tab-numbering extended to coder kind. **Model-attribution chips**: a new `messages.model` column (both apps share the table) stamped at `finalizeCompletion` (BooChat + native coder) and at the dispatcher's assistant-row creation (external coder), surfaced through the `messages_with_parts` view + wire types + the live `message_complete` frame (the Zod already allowed `model`; nothing consumed it), and rendered as a subtle accent chip with a shortened label (`shortenModelName` → `Sonnet 4.6`, `Qwen3.6 35B`) beside the message stats — so swapping models mid-coder-session stays legible. Also the composer moved its Web toggle into a boxed, focus-ringed input, tool rows lead with a glowing accent dot, and the Claude-SDK-backend follow-ups validated live this session (1M context window, follow-up-message fix, collapsed thinking/tool chips) land with `CLAUDE_SDK_BACKEND=1` flipped on. One snag fixed mid-deploy: the view's new `m.model` was first inserted mid-list and `CREATE OR REPLACE VIEW` can't reorder columns (42P16) — appended at the end. Web tsc + server + coder builds green; deployed (docker + boocoder, tools:34). Builds on `v2.7.7-pane-header-actions`.
+
+## v2.7.7-pane-header-actions — 2026-06-01
+
+In-flight workspace UX work, committed alongside the v2.7 review batches. Extracts a shared `PaneHeaderActions` cluster (the +/Split/Reopen-closed-pane/Session-history/Close controls) used across the `ChatTabBar` and the desktop coder + terminal pane headers in `Workspace`, replacing the divergent per-header copies, with `SessionLandingPage` history enhancements and `useWorkspacePanes` tweaks. Also fixes a coder-side correctness bug: `resolveChatId` (`apps/coder/src/routes/chat-resolve.ts`) still read `sessions.workspace_panes` as a bare `WorkspacePane[]`, but `v2.6.5-panes-tabs-composer` widened it to a `WorkspaceState` envelope — so it mis-read the panes and, worse, clobbered `tabNumbers`/`nextTabNumber`/`closedPaneStack` back to a bare array on every pane-chat write; a new `normalizeWorkspaceState` accepts either shape and preserves the envelope (with a regression test). Plus a CLAUDE.md doc-sync (apps/coder vitest suite, deploy-by-surface, dual-remote push, in-flight-web-WIP staging, release-branch naming). Web tsc + coder build + coder tests green. Builds on `v2.7.6-agent-status-normalize`.
+
+## v2.7.6-agent-status-normalize — 2026-06-01
+
+The scoped half of `boocode_code_review_v2.md` §1 #10 — normalized external-agent status, surfaced from BooCoder's own dispatch observation (the heavier config-injection notify-hook, clean-room from superset's ELv2 `agent-setup`, is documented as the follow-on). The review's premise ("PTY agents have no status") had partly aged out — warm-ACP/opencode/SDK already carry working/done — so the real gap was that BooCoder never *published* a normalized per-`(chat,agent)` status (blocked-on-permission was invisible; crash/idle weren't pushed). Adds an `agent_status_updated` WS frame (`working|blocked|idle|error`, server+web parity) published from the dispatcher's turn boundaries across all four external paths (warm-acp/opencode/sdk/pty — `working` at start, `idle`/`error` at end) and the permission flow (`blocked` on request, `working` on resolve), best-effort so it never breaks a turn. A clean-room `normalizeAgentEvent` helper (superset's ~30-vendor-event → Start/blocked/Stop collapse, reimplemented with the event names as facts) ships now with 25 tests so the deferred notify-hook injection reuses it verbatim. The `AgentComposerBar` gains a normalized status dot (working=spinner, blocked=amber, idle=gray, error=red) distinct from the WS-liveness dot, fed by a `useAgentStatus` map `CoderPane` tracks per `(chat,agent)`. Built by two parallel agents (data plane + view plane) against a pinned frame contract; server 545 + coder 294 tests passing (25 new), web tsc + builds clean, ws-frames parity green. Clears the actionable review backlog (#1/#3/#4/#6–#12). Builds on `v2.7.5-claude-sdk-sessionstore`; openspec `agent-status-normalize`.
+
+## v2.7.5-claude-sdk-sessionstore — 2026-06-01
+
+Lands the Claude Agent SDK direction (`boocode_code_review_v2.md` §1 #9, §6.2 "lean SDK") behind a flag. Adds `@anthropic-ai/claude-agent-sdk@0.3.159` (Commercial Terms — runtime dep, code reference-only) and builds a warm, resumable claude backend to supersede one-shot PTY dispatch — env-gated (`CLAUDE_SDK_BACKEND`, default off) so production claude stays on the unchanged PTY path until a host smoke. **Clean-room `PostgresSessionStore`** implements the SDK's real `SessionStore` type (`append`/`load`/`listSessions`/`delete`/`listSubkeys`) over a new `claude_session_entries` table — typechecked against the installed SDK type, 8 DB-integration tests. **`ClaudeSdkBackend`** (`implements AgentBackend`, mirroring warm-acp/opencode-server) drives one persistent `query()` per `(chat,'claude')` in streaming-input mode via a pushable async-iterable pump, with `sessionStore` + `resume` for cross-turn/cross-restart continuity, a pure `mapSdkMessage`→`AgentEvent` mapper, `session_id` captured from the `init` message, and `result.usage`/`total_cost_usd` accumulated onto `agent_sessions` (backend CHECK gains `'claude_sdk'`). Built against the REAL SDK 0.3.159 types after installing it — surfacing shapes a blind build would have missed (`SDKPartialAssistantMessage` is `type:'stream_event'` needing `includePartialMessages`; `SDKUserMessage.message` is `MessageParam`; the `SDKResultMessage` error arm). Also fixes a latent test-infra deadlock — three DB-integration suites applying the full schema in parallel under `DATABASE_URL` deadlocked, now serialized via `fileParallelism:false`. ~32 new tests (8 store + 10 mapper + 8 pushable + 6 routing); coder suite 269 passing default / 290 with DB; tsc clean against the SDK types; builds clean. **The live streaming pump + resume + an actual claude turn need a host smoke (`CLAUDE_SDK_BACKEND=1` + claude binary + ANTHROPIC auth) — cannot run from the dev container.** The zod peer-dep wants `^4` (workspace `3.25`) — watch at runtime. Builds on `v2.7.4-mistake-tracker-ledger`; openspec `claude-sdk-sessionstore`.
+
+## v2.7.4-mistake-tracker-ledger — 2026-06-01
+
+Two native-inference hardening features from `boocode_code_review_v2.md` §1 #12 (cline, algorithm-reimplemented). **MistakeTracker:** complements the doom-loop guard (identical repeats) and cap-hit (budget) by catching a run of consecutive tool *failures*. A new pure `mistake-tracker.ts` tracks heterogeneous failure kinds (`zod_reject`/`tool_not_found`/`exec_error`/`api_error`/`permission_denied`, surfaced per tool from `tool-phase.ts`); after 3 consecutive failures the `turn.ts` loop does a **soft nudge** — injects model-facing recovery guidance into the next step + drops a `mistake_recovery` UI sentinel + resets — then **escalates** to stopping the turn (cap-hit-style, with a Continue affordance) if it re-trips without an intervening success, so heterogeneous failures can't burn the whole step budget. **File-provenance ledger:** `compaction.ts` now derives a deterministic, sorted `## Files Read` list from the head messages' read-tool calls (`view_file`/`grep`/`find_files`/`list_dir`) and injects it into the rolling-summary prompt so file provenance survives compaction (no new table; prompt-driven merge, read-only since BooChat has no write tools). The `mistake_recovery` sentinel adds an arm to `MessageMetadata` in both server + web type copies plus a `MessageBubble` render branch. Built by two parallel agents (backend + frontend sentinel) over disjoint apps; server 545 tests passing (23 new: 12 mistake-tracker + 11 compaction), build + web tsc clean. Native-inference only (external agents run their own loops). Builds on `v2.7.3-sampling-streamjson-tokens`; openspec `mistake-tracker-file-ledger`.
+
+## v2.7.3-sampling-streamjson-tokens — 2026-06-01
+
+Three small BooCode wins from `boocode_code_review_v2.md` §1 #11/#7/#8. **Sampling knobs:** per-agent `top_n_sigma` + the `dry_*` repetition family (`dry_multiplier`/`dry_base`/`dry_allowed_length`/`dry_penalty_last_n`) are now first-class Agent frontmatter fields, parsed in `agents.ts` and threaded into the llama-swap chat-completion body via `providerOptions.openaiCompatible` (the `@ai-sdk/openai-compatible` extra-body channel). This surfaced and fixed a **latent bug**: `top_k` (rejected by the AI-SDK provider as unsupported) and `min_p` (never passed to `streamText` at all) had been dead on the wire — no agent's `top_k`/`min_p` ever affected sampling; both now route through the same channel, so agents that set them will start using them. `--reasoning-budget` is documented in `data/AGENTS.md` (already works via `llama_extra_args`, permitted by the deny-list validator). **Live PTY stream-json:** qwen/claude PTY dispatch sliced stdout opaque; a new `stream-json-parser.ts` line-buffers the Claude-Code-compatible NDJSON and emits text/reasoning/tool frames live as they arrive (mirroring the ACP/opencode paths) + persists the structured parts, with a clean fallback to the old opaque slice when output isn't NDJSON (claude now runs `--output-format stream-json --verbose`). **Token UI:** the per-`(chat,agent)` `agent_sessions.input_tokens`/`output_tokens`/`cost` columns (accumulated since `v2.6.8` but dropped by the read route + wire type) now flow through and render condensed beside the AgentComposerBar session chip. Built by three parallel agents over disjoint subsystems; server 523 + coder 245 tests passing (incl. 11 new stream-json-parser + new agent-parse tests), all builds + web tsc clean. Builds on `v2.7.2-checkpoint-idor`; openspec `sampling-streamjson-tokens`. The qwen-vs-claude `usage` field names in #7 are best-guess pending a live smoke.
+
+## v2.7.2-checkpoint-idor — 2026-06-01
+
+Closes two IDOR authorization holes in the `v2.7.1-write-edit-robustness` checkpoint routes, flagged by the automated push security review. The `GET /api/sessions/:id/checkpoints?chat_id=` list route scoped its `chat_id` branch by `chat_id` alone — any session's `chat_id` would read its checkpoints; it now joins through `chats` and gates on `chats.session_id` (authoritative; `checkpoints.session_id` is a nullable denormalized hint). The `restoreCheckpoint` scope guard was fail-open — `cp.session_id && cp.session_id !== sessionId` fell through whenever the checkpoint's denormalized `session_id` was null, allowing a cross-session restore (worktree reset + transcript trim) — it now resolves the owning session via the checkpoint's chat and denies on any missing-or-mismatched row. A DB-integration regression covers the exact null-`session_id` cross-session case. Real-world blast radius is small (BooCoder is single-user behind Authelia on loopback), but both are genuine authorization bugs. Coder suite 234 passing (7/7 checkpoint tests incl. the regression against live postgres+git), typecheck clean. Hotfix on `v2.7.1-write-edit-robustness`.
+
 ## v2.7.1-write-edit-robustness — 2026-06-01

 Two BooCoder hardening features for local quantized models, algorithm-reimplemented (not vendored) from the cline findings in `boocode_code_review_v2.md` §1 #3/#4. **Fuzzy patch applier:** `edit_file`'s apply path was exact-`.includes`-or-throw + first-occurrence `.replace` (`pending_changes.ts`), so a qwen3.6 whitespace/indentation/unicode drift in `old_string` lost the edit; a new pure `fuzzy-match.ts` (`locateMatch`) now runs an exact → per-line-trim → unicode-canon (curly quotes/dashes/nbsp) → Levenshtein-≥0.66 ladder and returns the real file span, refusing multi-exact matches as ambiguous rather than silently editing the first. `applyOne`/`rewindOne` both use it. **Worktree checkpoints + conversation-trim:** `rewind` only reversed BooCode's own `pending_changes`, blind to what external agents (opencode/goose/qwen/claude) write directly into the session worktree — so a new `checkpoints` table + `checkpoints.ts` shadow-commit (tracked **and** untracked, captured via a temp-index `read-tree`/`add`/`write-tree`/`commit-tree` into a GC-safe `refs/boocode/checkpoints/<id>`) snapshots the worktree before each external-agent turn (hooked into all three dispatcher paths), anchored to the turn's assistant message. A new `POST /api/sessions/:id/checkpoints/:cid/restore` resets the worktree (`reset --hard` + `clean -fd`), trims the transcript past that message, and resets the `(chat,agent)` backend session so files, transcript, and agent context land consistent at the restore point; a per-message "Restore to here" affordance in `CoderMessageList` drives it. Built by three parallel agents over disjoint files; DB-integration testing caught a microsecond-`created_at` self-deletion bug in the later-checkpoint cleanup. Full coder suite 234 passing (incl. 17 fuzzy-match + 6 checkpoint tests), server+coder build + web tsc clean. Builds on `v2.7.0-mit`; openspec `write-edit-robustness`. Live host smoke (dispatcher hook + restore UI end-to-end) still to run.
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,11 +2,11 @@

 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

-**Cursor agents:** start with `docs/ARCHITECTURE.md` (diagram). This file is the deep engineering reference. (Note: the root navigation `AGENTS.md` was removed in v1.12; `data/AGENTS.md` is the agent *registry*, not navigation.)
+**Cursor agents:** start with `docs/ARCHITECTURE.md` (diagram); this file is the deep engineering reference. `data/AGENTS.md` is the agent *registry*, not navigation (the root navigation `AGENTS.md` was removed).

 ## What is BooCode

-Self-hosted single-user developer chat app. AI assistant with read-only file tools (view_file, list_dir, grep, find_files) running against a local llama-swap inference server. Sessions organized by project, with a multi-pane workspace (chat + file browser side by side).
+Self-hosted single-user developer chat app. AI assistant with read-only file tools (view_file, list_dir, grep, find_files) against a local llama-swap inference server. Sessions organized by project, multi-pane workspace (chat + file browser side by side).

 Plus `apps/booterm` (second container, port 9501, bookworm-slim+glibc): Fastify + node-pty + tmux. Browser terminal panes WS to `/ws/term/sessions/:sid/panes/:pid`; per-session tmux session `bc-<sid>`, per-pane window `term-<pid>`. Shells drop privs to samkintop via `gosu` in `tmux.conf` default-command.

@@ -35,85 +35,22 @@ npx tsc -p apps/web/tsconfig.app.json --noEmit  # web app specifically
 docker compose build --no-cache boocode && docker compose up -d
 ```

-Tests: `pnpm -C apps/server test` runs the vitest suite. No test harness on `apps/web` (adding it requires installing vitest as a new devDep). Vitest pinned to `^3` because Vite 5 / vitest 4 are incompatible. No linters configured. Vitest include glob is `src/**/__tests__/**/*.test.ts` (see `apps/server/vitest.config.ts`) — tests outside `src/**/__tests__/` silently won't run; match the per-domain convention (`apps/server/src/services/__tests__/foo.test.ts`).
+Tests: `pnpm -C apps/server test` (vitest); `apps/coder` has its own suite — `pnpm -C apps/coder test` (`globals:false`, so import `describe`/`it`/`expect` from `vitest`). No `apps/web` test harness, no linters. Vitest pinned to `^3` (Vite 5 / vitest 4 incompatible). Include glob is `src/**/__tests__/**/*.test.ts` — tests outside it silently won't run. Extract pure helpers to unit-test (`backends/turn-guard.ts`, `lifecycle-decisions.ts` are the pattern).

 ## Architecture

-**Monorepo**: pnpm workspaces with `apps/server` (Fastify + postgres), `apps/web` (React + Vite), and `apps/booterm` (Fastify + node-pty + tmux).
+**Monorepo**: pnpm workspaces with `apps/server` (Fastify + postgres), `apps/web` (React + Vite), `apps/booterm` (Fastify + node-pty + tmux), `apps/coder` (BooCoder, host service).

-### Server (`apps/server/src/`)
+### Per-app deep references

- **Fastify** with `@fastify/websocket` and `@fastify/static` (serves built frontend)
- **postgres** (porsager/postgres) with tagged-template SQL — no ORM. Schema in `schema.sql`, applied on startup. LSP may false-positive on `sql<Type[]>\`...\`` generics; CLI `tsc` / `pnpm build` is authoritative.
- **Zod** for request validation and config parsing.
+Detailed engineering notes live in per-app `CLAUDE.md` files, **auto-loaded when you read/edit files in that subtree** (and worth opening before non-trivial work there):

-Key services:
- **`services/inference/`** — Public surface re-exported via `inference/index.ts`; callers import from `./services/inference/index.js` explicitly (NodeNext doesn't honor directory-index resolution). Layout: `turn.ts` (runAssistantTurn / runInference / createInferenceRunner; exports `InferenceFrame`, `InferenceContext`, `TurnArgs`, `StreamResult`, `MAX_STEPS`), `stream-phase.ts` (streamCompletion as a v1.13.1-A AI SDK adapter + executeStreamPhase), `provider.ts` (`upstreamModel(baseURL, modelId)` wrapping `createOpenAICompatible` against llama-swap), `tool-phase.ts` (executeToolPhase → returns `ToolPhaseResult`; no longer recurses into runAssistantTurn — v1.14.0 converted the recursion to an explicit while loop in turn.ts), `sentinel-summaries.ts` (runCapHitSummary + runDoomLoopSummary + runStepCapSummary + their sentinel inserters), `error-handler.ts` (handleAbortOrError, finalizeCompletion), `payload.ts` (buildMessagesPayload, loadContext, maybeFlagForCompaction, `OpenAiMessage`), `sentinels.ts` (`detectDoomLoop`, `DOOM_LOOP_THRESHOLD`, sentinel predicates), `budget.ts` (resolveToolBudget), `xml-parser.ts` (qwen3.6 XML tool-call fallback — KEEP, AI SDK doesn't handle inline-XML tool calls), `parts.ts` (parts-table write helpers: `partsFromAssistantMessage`, `partsFromToolMessage`, `insertParts` — v1.13.20 made parts the sole source of truth), `prune.ts` (v1.13.4 two-tier compaction; `selectPruneTargets` is the pure decision helper), `types.ts` (`StreamPhaseState`, `DB_FLUSH_INTERVAL_MS`). **`TurnArgs`** is the per-turn state envelope populated from loop locals each iteration; reset in `runInference` at user-message boundary. The outer loop in `runAssistantTurn` (v1.14.0) runs `while (stepNumber < effectiveCap)` where `effectiveCap = Math.min(agent.steps ?? Infinity, MAX_STEPS=200)`. Per-agent `steps:` field in AGENTS.md frontmatter. `steps: 0` means text-only (no tool execution). Step-cap hit writes a `cap_hit` sentinel so `CapHitSentinel.tsx` renders it.
- **AI SDK v6 streamCompletion adapter** (v1.13.1-A; `services/inference/stream-phase.ts`). `streamText` is the underlying call; the BooCode layer above (executeStreamPhase, finalize, dual-write) is shape-preserved via an adapter. Five gotchas the LSP/test suite won't catch:
-  - **Abort signals are swallowed.** `streamText`'s `fullStream` iterator exits cleanly when `abortSignal` fires — no throw. Post-iteration `if (signal?.aborted) throw <AbortError>` is required; without it the row finalizes as `complete` instead of `cancelled`. Comment in stream-phase.ts pins this; don't refactor it away.
-  - **Usage lands only at stream end** via `await result.usage` (`inputTokens` / `outputTokens` v6 names → mapped to `promptTokens` / `completionTokens` for the existing onUsage callback). Mid-stream live tok/s is gone vs v1.12.2; ChatThroughput shows a single value at stream end.
-  - **Tools have NO `execute` field.** BooCode dispatches tools in tool-phase.ts, not the AI SDK loop. Only `description` + `inputSchema: jsonSchema(parameters)` — surfacing tool-call parts via `fullStream` and stopping is what we want.
-  - **`includeUsage: true` MUST be set on `createOpenAICompatible`** in `services/inference/provider.ts`. The adapter defaults it false, omitting `stream_options.include_usage` from the request body; llama-swap then never emits the usage block and `result.usage.inputTokens/outputTokens` resolve to `undefined`. Latent regression from v1.13.1-A through v1.13.7 — every assistant row in that window has `tokens_used`/`ctx_used` NULL. Don't remove this flag during refactor.
-  - **Tool-call-only turns may emit a leading `\n` text-delta** as the assistant content. `MessageList.flatten`'s `hasText` and `MessageBubble`'s `hasContent` both `.trim()` before the length check — otherwise whitespace-only content renders an empty bubble + ActionRow between every tool call (v1.13.7 fix). `payload.ts:buildMessagesPayload` also skips `status='failed'` AND complete-but-empty (no content, no tool_calls) assistant rows to avoid "Cannot have 2 or more assistant messages at the end of the list" upstream rejections after cap-hit + Continue.
- **AI SDK ModelMessage conversion** (`toModelMessages` in stream-phase.ts). Tool messages need a `toolName` for `ToolResultPart` — BooCode's OpenAI-shape history doesn't carry it, so a forward-scan builds a `tool_call_id → toolName` map from prior assistant `tool_calls`. Tool outputs wrapped as `{ type: 'json' | 'text', value }` matching the v6 `ToolResultOutput` union. Assistant messages with reasoning emit a `ReasoningPart` first in the content array (v1.13.1-C).
- **`experimental_repairToolCall`** (v1.13.3) wired into `streamText` to keep the stream alive when qwen3.6 emits malformed tool args. Pass-through implementation — logs the bad call and returns it unmodified; `executeToolPhase`'s existing zod-reject error path routes it to the model on the next turn.
- **`chat_status` frame shape** (published via `broker.publishUser`) — `status: 'streaming' | 'tool_running' | 'waiting_for_input' | 'idle' | 'error'` (widened from `working|idle|error` in v1.12.1). Frontend `useChatStatus` derives `idle_warm` (<30s since idle) vs `idle_cold`. `ChatThroughput` renders inline beside `StatusDot` only when streaming or tool_running, fed by 500ms-throttled `'usage'` WS frames (`completion_tokens` + `ctx_used` + `ctx_max`). The `POST /api/chats/:id/discard_stale` endpoint exists to mark a stuck-streaming row as `failed` when the frontend's 60s no-token-activity timer (`ChatPane` content-length watcher) gives up.
- **Boot-time stale-streaming sweep** in `apps/server/src/index.ts` after `applySchema()`: any `messages.status='streaming'` older than 5 minutes flips to `'failed'`. Logs only on non-zero count. Recovers from container restart while inference was mid-stream (v1.12.1).
- **Periodic 60s sweeper** in `apps/server/src/index.ts` (v1.13.3 + v1.13.5). Same `setInterval` runs `sweepStaleStreaming` (marks `messages.status='streaming'` older than 5 min as `failed`, publishes `chat_status='idle'` so the UI dot drops) and `cleanupTruncations` (TTL + orphan reap of tmpfs truncation files). `app.addHook('onClose')` clears the timer. No-op when nothing to reap.
- **`services/broker.ts`** — In-memory pub/sub with two channel types: per-session (message streaming) and per-user (sidebar updates). No persistence; clients reconnect on restart. v1.13.11: every WS publish goes through `broker.publishFrame(sessionId, frame)` or `broker.publishUserFrame(user, frame)` — both Zod-validate against `WsFrameSchema` (`types/ws-frames.ts`) and fail-closed (log + drop). `ctx.publish` / `ctx.publishUser` in inference + auto_name route through the index.ts adapter that calls publishFrame internally. The schema is duplicated byte-identical at `apps/web/src/api/ws-frames.ts`; a `ws-frames.test.ts` case enforces parity. Don't add new raw `broker.publish()` / `publishUser()` calls.
- **`services/tools.ts`** — Tool registry (`ALL_TOOLS`, `READ_ONLY_TOOL_NAMES`, `TOOLS_BY_NAME`). Filesystem tools (view_file/list_dir/grep/find_files) go through three guard layers: `path_guard.ts` (workspace scope), `secret_guard.ts` (filename deny list), `url_guard.ts` (SSRF/private-IP block for web_fetch). v1.11.8+ web tools (`web_search`, `web_fetch`) are opt-in per chat via `session.web_search_enabled` (resolved with `project.default_web_search_enabled` fallback) and filtered out of the LLM's tool schema when false. v1.13.5 truncation: when a tool slice cuts content, `services/truncate.ts` stashes the full text on tmpfs at `BOOCODE_TRUNCATION_DIR` (default `/tmp/boocode-truncations`, 0o700) keyed by an opaque `tr_<12 base32 chars>` id, and the `view_truncated_output(id)` tool retrieves it. 5MB cap (matches `view_file`'s `MAX_FILE_BYTES`), 7-day TTL, reaped by the periodic sweeper. Tmpfs path means container restart loses retrieval — acceptable, the model usually has moved on.
- **`services/compaction.ts`** + **`services/model-context.ts`** — v1.11.0 anchored rolling summary (single `summary=true` assistant row per chat, supersedes itself on each compaction). Triggered when `chats.needs_compaction` is set after an inference turn exceeds `usable(ctx_max) = floor(0.85 × ctx_max)` (v1.13.9 opencode-pattern early trigger; was `ctx_max - 20k` pre-v1.13.9, which gave only 7.6% headroom at 262k and 0 budget for ≤20k contexts). **`ctx_max` comes from `model-context.getModelContext()` which fetches `${LLAMA_SWAP_URL}/upstream/<model>/props`** — NOT from `parsed.timings.n_ctx` (the stream completion's `timings` doesn't carry n_ctx; that read was dead code until v1.11.3 ripped it out). First inferences after a boocode boot may have `ctx_max=NULL` if llama-swap hasn't loaded the model yet; negative cache TTL is 60s, recovers on next turn. v1.13.6: `buildHeadPayload` embeds `reasoning_parts` as a `<reasoning>...</reasoning>` prose prefix on the assistant `content` (OpenAI wire shape has no structured reasoning field; the summarizer reads text). Standalone tag when content is empty (tool-call-only turn). `buildHeadPayload` + `OpenAiMessage` exported for test access — keep them exported.
- **`services/system-prompt.ts`** — `buildSystemPrompt` is the string-returning shim; `buildSystemPromptWithFingerprint` is the canonical impl returning `{prompt, fingerprint, drift}`. v1.13.8 instrumentation: SHA-256 of the assembled prefix is logged per `buildMessagesPayload` call (msg `prefix-fingerprint`, level=info); a `Map<sessionId, lastHash>` observer fires `prefix-drift` (level=warn) on hash change with a field-level `changed_inputs` diff. Smoke proved the prefix is byte-stable across turns in steady-state — the originally-planned `system_prompt_cache` DB table was dropped as redundant against the v1.12.0 input-layer mtime caches (BOOCHAT.md here + AGENTS.md global+per-project in `agents.ts:safeStat`).
- **`services/inference/budget.ts`** — tool-call budgets: `BUDGET_READ_ONLY = 30`, `BUDGET_NON_READ_ONLY = 10` (forward-looking; no write tools yet), `BUDGET_NO_AGENT = 30` (v1.13.7; was 15 — every tool in `ALL_TOOLS` is read-only today, so no-agent mode shares the read-only-agent cap). Per-agent `max_tool_calls` from AGENTS.md frontmatter overrides.
- **`messages_with_parts` view** (v1.13.1-B; `schema.sql`). Read sites that need `tool_calls` / `tool_results` / `reasoning_parts` SELECT from this view, NOT `messages` directly. v1.13.20 dropped the legacy `messages.tool_calls` / `messages.tool_results` JSON columns; the view now reads parts-only subselects. Writes target `message_parts` exclusively via `insertParts` (or via the helpers `partsFromAssistantMessage` / `partsFromToolMessage`). The `Message` wire type still carries `tool_calls?` / `tool_results?` because the view synthesizes them from parts — frontend reads are unchanged. Shapes: `tool_calls jsonb[]`, `tool_results jsonb` single object, `reasoning_parts jsonb[]` of `{text}`. If you ever need to UPDATE a message and return its full Message shape, do a two-step UPDATE returning `id` followed by SELECT from the view — RETURNING off the bare `messages` table no longer carries the tool fields.
- **`services/file_ops.ts`** — Shared file operation implementations used by both inference tools and HTTP routes.
- **`services/auto_name.ts`** — Non-streaming LLM call to generate 4-word session titles after first assistant reply.
- **`apps/coder/src/services/provider-registry.ts`** (BooCoder, NOT apps/server) — Static registry of provider metadata (label, transport, model source). `PROVIDERS` array, `PROVIDERS_BY_NAME` map. 5 providers: boocode (native), opencode (acp), goose (pty), claude (pty), qwen (pty).
- **`apps/coder/src/services/agent-probe.ts`** (BooCoder) — Startup probe using direct `exec()` (not SSH). Discovers installed agents on host, their versions, ACP support, and models. Qwen models read from `~/.qwen/settings.json`. Claude models are static from the registry. Results persisted to `available_agents` table.
- **`apps/coder/src/routes/providers.ts`** (BooCoder) — `GET /api/providers` returns installed providers with models. Transport field reflects actual capability (checks `supports_acp` from DB, not just registry preference). The apps/server side of this flow is the "Provider picker dispatch" bullet below.
- **Provider picker dispatch**: when `provider !== 'boocode'`, the message route creates a `tasks` row (with `session_id` set) instead of calling `inference.enqueue`. The dispatcher picks it up and dispatches via ACP or PTY using the agent's `install_path`.
+- **`apps/server/CLAUDE.md`** — inference pipeline, AI-SDK adapter gotchas, tools, compaction, broker, the `messages_with_parts` view, sidecar routing, secret guard, the `data/AGENTS.md` registry.
+- **`apps/coder/CLAUDE.md`** — BooCoder dispatch, provider registry/probe/snapshot, opencode/ACP/PTY/Claude-SDK backends, `agent_sessions` resume.
+- **`apps/web/CLAUDE.md`** — React app, hooks/event buses, font & CSS pipeline, multi-pane workspace, all UI conventions.
+- **`docs/project-discovery.md`** — full stack / tooling / command inventory across all packages (read-on-demand).

-Route registration: all routes registered in `index.ts` via `register*Routes(app, sql, ...)` functions. Routes are in `routes/*.ts`.
-
-### BooCoder (`apps/coder/src/`)
-
- Write-capable coding agent. Runs as a **systemd service on the host** (`boocoder.service`), NOT in Docker. Fastify server at port 9502, connects to postgres at `127.0.0.1:5500`.
- **Workspace dependency on `@boocode/server`**: imports `createInferenceRunner`, `createBroker`, `ALL_TOOLS`, `appendMcpTools` from the server's compiled `dist/`. apps/server's `package.json` has an `exports` map with `types` conditions for NodeNext resolution. apps/server must build FIRST.
- Build + deploy: `pnpm -C apps/server build && pnpm -C apps/coder build && sudo systemctl restart boocoder`. Env file at `apps/coder/.env.host`. Service file at `/etc/systemd/system/boocoder.service`.
- After `pnpm -C apps/coder build` the host `boocoder.service` keeps running the OLD process until `sudo systemctl restart boocoder` — a stale process shows **new routes 404 with `{error:'not found'}` while old routes still 200** (the `/api` not-found handler returns that shape). Restart, don't re-debug.
- Agent dispatch spawns binaries directly using `install_path` from `available_agents` — no `spawn('sh', ['-c', ...])` (fails under systemd). Follows Paseo's pattern: `spawn(fullBinaryPath, argsArray, { cwd })`.
- systemd hardening: only `NoNewPrivileges=true` is safe. `ProtectSystem`, `ProtectHome`, `PrivateTmp` all break agent dispatch (agents need full filesystem access to read configs, write to worktrees).
- `apps/server/tsconfig.json` has `declaration: true` so `.d.ts` files exist for workspace consumers.
- Write tools (`edit_file`, `create_file`, `delete_file`, `apply_pending`, `rewind`) queue in `pending_changes` table. Nothing hits disk until `apply_pending` is called. `write_guard.ts` validates paths (resolve + prefix-check, no realpath since files may not exist for creates).
- Frontend: NOT a separate SPA. BooCoder is a `'coder'` pane type within BooChat's SPA (`apps/web/`). `CoderPane.tsx` in `apps/web/src/components/panes/`. API requests go through `/api/coder/*` proxy (Vite dev + Fastify production) which rewrites to the boocoder host service (`BOOCODER_URL` env var, default `http://100.114.205.53:9502`). WS connects directly to `:9502`.
- `apps/coder/web/` is a STANDALONE fallback SPA served at `:9502` directly. The PRIMARY BooCoder frontend is the `CoderPane` in BooChat's SPA (`apps/web/src/components/panes/CoderPane.tsx`), accessible via the "Coder" pane in the workspace at `code.indifferentketchup.com`. Both exist; the pane is what Sam uses.
- **Provider snapshot lifecycle** (`apps/coder/src/services/`): `provider-config.ts` (Zod config, never-throws on bad input) → `provider-config-registry.ts` (`buildResolvedRegistry`, singleton) → `provider-snapshot.ts` (two-tier probe: tier-1 fast presence, tier-2 cold ACP probe skipped unless force / stale `PROVIDER_PROBE_TTL_MS` 24h / dbEmpty; cached). Verify live: `curl http://100.114.205.53:9502/api/providers/snapshot` — returns providers + models + commands, the exact shape `AgentComposerBar` renders.
- `PATCH /api/providers/config` replaces a provider id's override object **wholesale** (per-id shallow merge) — to flip one field send `{...existing, enabled}`, or a custom ACP entry's `command`/`label` is wiped and it drops out of the resolved registry. `data/coder-providers.json` is **gitignored** (it's live runtime config — the coder reads AND writes it on UI toggles); the tracked reference is `data/coder-providers.example.json`. The loader falls back to `{providers:{}}` (built-ins only) when the live file is absent, so a fresh checkout needs no copy.
- **opencode** runs as a warm HTTP server (v2.6 Phase 1, `services/backends/opencode-server.ts` — `opencode serve` per BooCoder process, one opencode session per BooCode session, resumed via `agent_sessions`). goose/qwen/claude still dispatch **one-shot** ACP/PTY with no ctx/token usage; only native `boocode` (llama-swap engine) tracks ctx. Paseo's per-provider native clients (design §12) deliberately not ported.
- **opencode SSE** (`opencode-server.ts`): live streaming arrives as `session.next.text.delta` / `session.next.reasoning.delta` / `session.next.tool.{called,success,failed}` — NOT `message.part.*` (those are terminal/post-hoc). `client.event.subscribe({ directory })` MUST pass the session's worktree directory; omit it and opencode scopes events to the server's `process.cwd()` → zero session events (empty turns, 180s watchdog timeout). Per-session SSE (P1.5-a): each live session owns its own `event.subscribe({directory})` loop + AbortController, so concurrent sessions in different worktrees stream independently; a `sessionID` demux guard drops cross-session events when two share a dir. Turn completes on `session.idle`; `promptAsync` is fire-and-forget (204).
- **opencode model strings** must be provider-prefixed (`llama-swap/<model>`) AND exist in `~/.config/opencode/opencode.json` `provider.llama-swap.models` — not merely loadable by llama-swap. `parseModel` infers `llama-swap/` for a bare id; the dispatcher coalesces empty→DEFAULT_MODEL then prefixes. `agent-probe` populates opencode's `available_agents.models` via `mergeLlamaSwap` (fetches `/v1/models`); empty model list → frontend sends `''` → no inference (`input:0`, empty turn).
- **agent_sessions resume**: `config_hash = sha256('opencode_server|<model>')` — must NOT include the server port (random per boot; including it breaks cross-restart resume). P1.5-b: `agent_sessions` is keyed `(chat_id, agent)` — the tab/chat is the context unit (two opencode tabs in one session = two contexts sharing one worktree). `chat_id` CASCADEs from `chats`; `session_id`/`worktree_id` are informational `SET NULL`. The `worktrees` table (one-per-session, `session_id` SET NULL so it survives session delete) supersedes the defanged `session_worktrees`. `tasks.chat_id` threads the tab id to the dispatcher; `runOpenCodeServerTask` falls back to resolve-or-create a chat when it's null (arena/MCP/new_task). The `@opencode-ai/sdk` v2 client takes flattened params (`{sessionID, directory, parts, model:{providerID,modelID}}`), imports `createOpencodeClient` from `@opencode-ai/sdk/v2/client`.
-
-### Frontend (`apps/web/src/`)
-
- **React 18** + React Router v6 + **Tailwind v4** + shadcn/radix-ui primitives.
- **Shiki** for syntax highlighting (async `codeToHtml` in `CodeBlock.tsx` and `FileViewer` in `FileBrowserPane.tsx`).
- Path alias: `@/` maps to `src/`.
- **Mobile interaction primitives** (post-v1.6): `useViewport` (matchMedia, breakpoints mobile <768 / tablet 768–1023 / desktop ≥1024), `useSidebarDrawer` / `useRightRailDrawer` (Context + auto-close on `useLocation().pathname` change), `useLongPress` (500ms timer, dispatches synthetic `contextmenu` on `[data-tab-id]`), `usePullToRefresh` (80px threshold, 600ms hold), `SwipeablePaneTab` (60px close, 30px vertical bail). Tap-target convention: `max-md:min-h-[44px] max-md:min-w-[44px]`. Mobile headers: `border-b px-3 sm:px-4 py-2` + `style={{ paddingTop: 'max(0.5rem, env(safe-area-inset-top))' }}`. Hamburger left, FolderTree right.
-
-Key patterns:
- **`hooks/sessionEvents.ts`** — Module-singleton event bus (Set of listeners). Used for cross-component communication: session renames, file-open events, attachment dispatch. 9 event types in the discriminated union. When adding a new event type to the `SessionEvent` union, you must also add a case to the `applyEvent` switch in `useSidebar.ts` (even if it's a no-op `return prev`).
- **`hooks/useSessionStream.ts`** — WebSocket per session, `applyFrame` reducer builds message list from streaming frames.
- **`hooks/useUserEvents.ts`** — Single app-level WS to `/api/ws/user` with exponential backoff reconnect. Forwards frames onto the sessionEvents bus.
- **`hooks/useSidebar.ts`** — Module-singleton with Set<setState> subscriber pattern; one bus subscription guarded by `globalThis.__boocode_sidebar_subscribed` for HMR safety. Every new `SessionEvent` type needs a `case` in the `applyEvent` switch (no-op `return prev` is fine).
- **`api/client.ts`** — Centralized typed fetch wrapper. All endpoints under `api.*` namespace.
-
-Font / CSS pipeline (apps/web):
- Tailwind v4's `@import "tailwindcss"` directive strips font URLs from subsequent CSS `@import`s — `@fontsource*` packages must be imported as JS side-effect modules in `apps/web/src/main.tsx`, not via `@import` in `globals.css`. Otherwise the woff2 files never make it to `dist/`.
- Lightning CSS (inside `@tailwindcss/postcss` v4) collapses contiguous unicode-ranges to wildcard shorthand (`U+0000-FFFF` → `U+????`), which iOS Safari/Vivaldi mishandles (silently drops the font from those codepoints). Use explicit non-wildcard-collapsible subranges (e.g. `U+2500-259F` not `U+2500-25FF`). The `apps/web` build script greps `dist/assets/*.css` for `U+2500-259F` and fails the build if missing — preserve that guard.
- `@font-face` blocks must live AFTER all `@import` statements (CSS spec). Earlier placement silently breaks every subsequent `@import` (this broke the 18 theme palette imports in globals.css for one session).
- JetBrainsMono Nerd Font self-hosted in `apps/web/src/fonts/` (TTF from ryanoasis/nerd-fonts release) — needed because `@fontsource-variable/jetbrains-mono` ships subsetted woff2s that don't cover `U+2500-259F` (box drawing + block elements, used by opencode's banner). "NL" = No Ligatures (matches `font-feature-settings: "liga" 0`); "Mono" = single-cell icon width so TUI layouts don't desync.
- xterm-addon-webgl rasterizes glyphs via Canvas2D into a GPU texture atlas. Canvas2D does NOT honor `font-display: block` — it uses whatever font is currently registered. Gate xterm initialization on `document.fonts.load(<font-name>)` resolving before calling `term.open()` (see `fontsReady` useState in `TerminalPane.tsx`). iOS Safari/Vivaldi also reclaims WebGL contexts from backgrounded tabs: keep `webgl.onContextLoss(() => webgl.dispose())` + recreate via visibilitychange. Do NOT manually dispose+recreate the addon after font load — iOS silently fails the second GL context creation and the terminal drops to DOM renderer with stale metrics.
+Cross-app contracts (WS-frame & provider-type parity, sentinels) and everything below stay here.

 ### Data flow for chat

@@ -124,90 +61,64 @@ Font / CSS pipeline (apps/web):
 5. Tool calls: inference executes tools server-side, publishes tool_call/tool_result frames, loops back to LLM
 6. Terminal states (complete/error): DB updated with final content + token counts, `session_updated` frame published on user channel

-### Multi-pane workspace
-
-Sessions hold 1–5 panes (chat / empty / placeholder terminal+agent). v1.12.1 moved pane state from per-device localStorage to `sessions.workspace_panes jsonb` for cross-device sync. `PATCH /api/sessions/:id/workspace` persists; `session_workspace_updated` user-channel frame broadcasts to every device watching the session. `useWorkspacePanes` debounces saves 300ms and dedups echoes by JSON string. Legacy localStorage key `boocode.workspace.panes.<sessionId>` is read once on first hydrate (one-time seed-and-delete migration when server is empty but localStorage has data); no longer written. The deprecated `session_panes` table was dropped. `validatePanes(validChatIds)` prunes panes referencing chat IDs that no longer exist (called by `useSessionChats` after the chat list fetch lands). Each chat lives in at most one pane; tab strip is per-pane and tracks `chatIds[]` + `activeChatIdx`. Tab reorder via native HTML5 drag events. v2.6.5: `workspace_panes` is now a `WorkspaceState` envelope `{panes, tabNumbers (chatId→stable session-scoped tab number, assigned on chat-pane open, retired on close, never reused), nextTabNumber, closedPaneStack (reopen LIFO, max 10, persisted so it survives reload)}` — not a bare `WorkspacePane[]`. Hydrate (`toWorkspaceState`) and the server PATCH validator (`z.union([array, envelope])` in `routes/sessions.ts`) both accept the legacy array and normalize to the envelope on read/write. Closing a chat pane relocates its tabs to the oldest chat/empty pane; `reopenPane` strips the restored chatIds from all live panes first (no duplication). `read_tab_by_number` resolves a number→chatId through `tabNumbers`.
-
 ## Database

-PostgreSQL 16. Database name: `boochat` (renamed from `boocode` in v2.0.0-alpha; Docker service name stays `boocode_db`). Tables: `projects`, `sessions`, `chats`, `messages`, `settings`, `message_parts` (v1.13.0), `pending_changes` (v2.0.0), `tasks` (v2.0.0), `available_agents` (v2.0.0). Views: `messages_with_parts` (v1.13.1-B parts-merge read path), `tool_cost_stats` (v1.13.10 per-tool 100-call rolling window), `human_inbox` (v2.0.0 — tasks WHERE state IN blocked/failed). (`session_panes` was dropped in v1.12.1; workspace pane state lives in `sessions.workspace_panes jsonb`.) Schema applied idempotently on startup via `applySchema()`. Use `clock_timestamp()` (not `NOW()`) inside transactions. CHECK constraints in place: `projects_status_chk` ('open'|'archived'), `sessions_status_chk` (same), `chats_status_chk` (same), `messages_role_chk`, `messages_status_chk` — keep in sync with the `*_STATUSES` const arrays in `apps/server/src/types/api.ts`. The older anonymous `messages_status_check` (without 'cancelled') and `messages_role_check` (without 'system') were dropped in v1.12.1; only the `_chk` variants remain. **Two schema files, one DB:** `apps/server/src/schema.sql` owns `sessions`/`chats`/`messages`/`message_parts`; `apps/coder/src/schema.sql` (applied by the boocoder host service) owns `agent_sessions`, `worktrees`, `pending_changes`, `available_agents` and extends `tasks`. Both apply idempotently to the one `boochat` DB — so e.g. an `agent_sessions` FK change goes in the **coder** schema, not the server one. Idempotent FK-action flips (e.g. `ON DELETE CASCADE`→`SET NULL`) guard on `pg_constraint.confdeltype` so a re-run/fresh-deploy is a no-op (see the `session_worktrees`/`agent_sessions` defang blocks).
+PostgreSQL 16. DB name: `boochat` (Docker service stays `boocode_db`). Tables: `projects`, `sessions`, `chats`, `messages`, `settings`, `message_parts`, `pending_changes`, `tasks`, `available_agents`. Views: `messages_with_parts` (parts-merge read path), `tool_cost_stats` (per-tool 100-call rolling window), `human_inbox` (tasks WHERE state IN blocked/failed). Schema applied idempotently on startup via `applySchema()`. Use `clock_timestamp()` (not `NOW()`) inside transactions. CHECK constraints: `projects_status_chk`/`sessions_status_chk`/`chats_status_chk` ('open'|'archived'), `messages_role_chk`, `messages_status_chk` — keep in sync with the `*_STATUSES` const arrays in `apps/server/src/types/api.ts`. **Two schema files, one DB:** `apps/server/src/schema.sql` owns `sessions`/`chats`/`messages`/`message_parts`; `apps/coder/src/schema.sql` (applied by the boocoder host service) owns `agent_sessions`, `worktrees`, `pending_changes`, `available_agents` and extends `tasks` — so e.g. an `agent_sessions` FK change goes in the **coder** schema. Idempotent FK-action flips (e.g. `ON DELETE CASCADE`→`SET NULL`) guard on `pg_constraint.confdeltype` so re-runs are no-ops.

-Schema CHECK migration order when renaming allowed values: (1) `ALTER TABLE ... DROP CONSTRAINT IF EXISTS <system_name>` (inline `CREATE TABLE` checks get `<table>_<column>_check`), (2) `UPDATE` rows to new values, (3) wrap new constraint ADD in `DO $$ ... pg_constraint` guard — that block is the only way to get `ADD CONSTRAINT IF NOT EXISTS`.
+Schema CHECK migration order when renaming allowed values: (1) `ALTER TABLE ... DROP CONSTRAINT IF EXISTS <system_name>` (inline `CREATE TABLE` checks get `<table>_<column>_check`), (2) `UPDATE` rows to new values, (3) wrap the new constraint ADD in a `DO $$ ... pg_constraint` guard — the only way to get `ADD CONSTRAINT IF NOT EXISTS`.

+**`CREATE OR REPLACE VIEW` can't reorder/rename columns** (Postgres `42P16`): append a new `messages_with_parts` column at the END of the SELECT — a mid-list insert shifts an existing column → crash-loops boot. Add it to each explicit read SELECT too (`routes/messages.ts`/`chats.ts`/`ws.ts`).

 ## Environment

-Required: `DATABASE_URL`, `LLAMA_SWAP_URL`. Optional: `PORT` (3000), `HOST` (0.0.0.0), `PROJECT_ROOT_WHITELIST` (/opt, read-only scope for add-existing path resolution), `BOOTSTRAP_ROOT` (/opt/projects, writable scope for create-new-project bootstrap mkdir target — host must `mkdir -p /opt/projects` before container start), `DEFAULT_MODEL`, `LOG_LEVEL`, `SEARXNG_URL` (default `http://100.114.205.53:8888` — internal Tailscale Fathom; the public `search.indifferentketchup.com` is behind Authelia and unusable from server context), `BOOCODE_TOOLS` (`core` | `standard` | `all`, default `all`; v1.13.15-tools tier filter — ceiling, never expands an agent's whitelist), `MCP_CONFIG_PATH` (optional; default `/data/mcp.json` — JSON config for MCP servers matching opencode's `mcpServers` shape; file missing = no MCP).
+Required: `DATABASE_URL`, `LLAMA_SWAP_URL`. Optional: `PORT` (3000), `HOST` (0.0.0.0), `PROJECT_ROOT_WHITELIST` (/opt, read-only add-existing scope), `BOOTSTRAP_ROOT` (/opt/projects, writable bootstrap mkdir target — host must `mkdir -p` it before container start), `DEFAULT_MODEL`, `LOG_LEVEL`, `SEARXNG_URL` (default `http://100.114.205.53:8888` — internal Tailscale; the public host is behind Authelia, unusable from server context), `BOOCODE_TOOLS` (`core`|`standard`|`all`, default `all`; a ceiling, never expands an agent's whitelist), `MCP_CONFIG_PATH` (default `/data/mcp.json`, opencode `mcpServers` shape; missing = no MCP), `CONTEXT7_API_KEY` (the Context7 MCP key, referenced from `data/mcp.json` as `"{env:CONTEXT7_API_KEY}"`). `data/mcp.json` is **gitignored** but no longer holds secrets — string values support opencode-style `{env:VAR}` substitution (`mcp-config.ts:substituteEnvVars`, applied before Zod validation; unset var → `''` + warn), so real keys live in `.env`; template `data/mcp.example.json`. A config-only edit there needs only `docker compose restart boocode` (data/ is bind-mounted); changing a referenced secret edits `.env`. MCP loads at server startup with per-server graceful degradation; the coder does NOT load MCP (BooChat only).

 BooCoder at port 9502: `curl http://100.114.205.53:9502/api/health`. Runs as `boocoder.service` on the host (not Docker). Deploy: `pnpm -C apps/server build && pnpm -C apps/coder build && sudo systemctl restart boocoder`. Health reports tool count: `{"ok":true,"db":true,"tools":33}`.

- `FAST_MODEL` (optional) — cheaper model for titles, summaries, labeling (auto_name.ts, tool-summaries.ts). Falls back to session model or DEFAULT_MODEL when unset. Set to a small model on llama-swap (e.g. `nemotron-nano-4b`) to avoid loading the 35B for 20-token calls.
- Qwen Code dispatch: `OPENAI_BASE_URL=http://100.101.41.16:8401/v1 OPENAI_API_KEY=dummy qwen -p "<task>" --output-format stream-json`. Install: `npm install -g @qwen-code/qwen-code@latest`. Node ≥22 required on host (container stays Node 20; BooCoder dispatches via direct spawn on host). No `--yolo` flag — non-interactive mode (`-p`) runs autonomously without approval prompts. ACP bridge is HTTP daemon (not stdio); use PTY dispatch.
- Arena (v2.0.5): `POST /api/arena {project_id, input, contestants: [{agent?, model?}]}` dispatches the same task to N models/agents in parallel. Each contestant gets its own task + worktree. `GET /api/arena/:id` for results. `POST /api/arena/:id/select/:task_id` picks winner.
+- `FAST_MODEL` (optional) — cheaper model for titles, summaries, labeling (auto_name.ts, tool-summaries.ts). Falls back to session model or DEFAULT_MODEL. Set to a small llama-swap model (e.g. `nemotron-nano-4b`) to avoid loading the 35B for 20-token calls.
+- Qwen Code dispatch: `OPENAI_BASE_URL=http://100.101.41.16:8401/v1 OPENAI_API_KEY=dummy qwen -p "<task>" --output-format stream-json`. Install: `npm install -g @qwen-code/qwen-code@latest`. Node ≥22 on host (container stays Node 20; BooCoder dispatches via direct spawn on host). No `--yolo` flag — `-p` runs autonomously without prompts. ACP bridge is an HTTP daemon (not stdio); use PTY dispatch.
+- Arena: `POST /api/arena {project_id, input, contestants: [{agent?, model?}]}` dispatches the same task to N models/agents in parallel; each contestant gets its own task + worktree. `GET /api/arena/:id` for results; `POST /api/arena/:id/select/:task_id` picks a winner.

 ## Workflow

 - Sam reviews all diffs and commits manually. Do not commit unless explicitly asked.
- Per-batch docs live under `openspec/changes/<slug>/{proposal,tasks,design}.md`. Already-shipped batches are snapshots in `openspec/changes/archived/`. New batches follow the proposal+tasks shape; see `openspec/README.md` for the convention.
- Tag naming: `vMAJOR.MINOR.PATCH-slug` (e.g. `v1.13.13-ws-publish`). Monotonic per minor — the slug describes the batch's content so the tag name alone is enough to recall what shipped. No letter suffixes (`-a`/`-b`), no pseudo-ranges (`v1.11.x`), no slug-only sub-versions sharing a number (`v1.13.15-tools` + `-openspec` + `-agentlint` — split into sequential patches instead).
- `CHANGELOG.md` is the per-tag release log, most-recent on top. When a new tag is created, add a `## <tag> — <YYYY-MM-DD>` section with a 3–6 sentence paragraph summarizing what shipped, drawn from the commit body. Cross-reference other tags by name when the batch builds on, fixes, or pairs with prior work (e.g. "pairs with `v1.13.12-ws-schemas`", "fixed in `v1.13.5-stability-bundle`"). No nested bullets — one paragraph.
- Deploy: `cd /opt/boocode && docker compose up --build -d` (or `docker compose build --no-cache boocode && docker compose up -d` if you suspect a layer-cache issue).
- The `boocode` container is `build: .` — it builds web+server from the **working tree**, so uncommitted changes deploy. Web edits are live on the Vite dev server (HMR) but NOT on production (`:9500` / code.indifferentketchup.com) until `docker compose up --build -d boocode`.
- Git push to Gitea: `GIT_SSH_COMMAND="ssh -i /opt/boocode/secrets/boocode_gitea -o IdentitiesOnly=yes" git push origin <branch>`. The default agent identity is rejected; the in-repo deploy key (`secrets/`, gitignored) is the working one. Transient `Connection reset by peer` retries cleanly after `sleep 5`.
+- Sam often has uncommitted `apps/web` work in flight — stage your own commits **explicitly by path** (never `git add -A`); `docker compose up --build -d boocode` builds the working tree, so a container rebuild also ships his uncommitted web changes.
+- **Deploy by surface:** an `apps/coder` change → `sudo systemctl restart boocoder`; an `apps/web` or `apps/server` change → `docker compose up --build -d boocode` (rebuilds web+server from the working tree). The `boocode` container is `build: .`, so uncommitted changes deploy; web edits are live on the Vite dev server (HMR) but NOT on production (`:9500` / code.indifferentketchup.com) until a rebuild. Use `docker compose build --no-cache boocode && docker compose up -d` if you suspect a layer-cache issue.
+- Cutting a release: name the feature branch DIFFERENTLY from the tag (branch `f1-interrupt-guard`, tag `v2.6.7-interrupt-guard`) — identical names trigger `warning: refname ... is ambiguous`.
+- Per-batch docs live under `openspec/changes/<slug>/{proposal,tasks,design}.md`; shipped batches are snapshots in `openspec/changes/archived/`. New batches follow the proposal+tasks shape (see `openspec/README.md`).
+- Tag naming: `vMAJOR.MINOR.PATCH-slug` (e.g. `v1.13.13-ws-publish`), monotonic per minor — the slug alone recalls what shipped. No letter suffixes, no pseudo-ranges, no slug-only sub-versions sharing a number (split into sequential patches).
+- `CHANGELOG.md` is the per-tag release log, newest on top. New tag → add a `## <tag> — <YYYY-MM-DD>` section, one 3–6 sentence paragraph (no nested bullets) from the commit body; cross-reference related tags by name when the batch builds on / fixes / pairs with prior work.
+- Git push to Gitea: `GIT_SSH_COMMAND="ssh -i /opt/boocode/secrets/boocode_gitea -o IdentitiesOnly=yes" git push origin <branch>`. The default agent identity is rejected; the in-repo deploy key (`secrets/`, gitignored) is the working one. Transient `Connection reset by peer` retries cleanly after `sleep 5`. Keep both remotes synced: push `main` + the release tag to `origin` (Gitea, deploy key above) AND `backup` (`git@github.com:indifferentketchup/boocode.git`, default key).
 - Don't accumulate `.bak-*` files. Clean them up in the same batch or immediately after merge.
- DB-integration tests opt-in via env var: `DATABASE_URL='postgres://boocode:devpass@localhost:5500/boochat' pnpm -C apps/server test`. Host port is 5500 (mapped from `boocode_db:5432`); password is `${POSTGRES_PASSWORD}` from `.env` (`devpass`), NOT the literal in `.env`'s `DATABASE_URL=postgres://boocode:Ketchup1479@boocode_db:5432/...` line. `psql` is not on the host PATH — for an interactive query use `docker exec boocode_db psql -U boocode -d boochat -c "..."`. Pattern: `describe.runIf(!!process.env.DATABASE_URL)(...)` with a `beforeAll` that applies the schema via `sql.unsafe(readFileSync(schemaPath))`. Tests skip cleanly when var is unset. `tool_cost_stats.test.ts` is the reference.
- Host-side smoke endpoint: `curl http://100.114.205.53:9500/api/...`. The boocode container's port mapping binds to the Tailscale IP, not `0.0.0.0`, so `localhost:9500` doesn't work from the host shell. Same for booterm at `:9501`.
- Frontend blank-screen / runtime crash: get the stack-trace column offset from the browser console, then `cut -c <start>-<end> apps/web/dist/assets/index-*.js | sed -n '<line>p'` to read the exact minified expression that threw. Faster than bisecting source. Watch for `=== null`/`!== null` on optional fields fed an `as unknown as` cast — those bypass tsc.
- Fastify global JSON parser tolerates empty bodies (overridden in `index.ts`); bodyless POSTs (archive, unarchive, stop) work without setting `Content-Type` tricks on the client.
+- DB-integration tests opt-in via env var: `DATABASE_URL='postgres://boocode:devpass@localhost:5500/boochat' pnpm -C apps/server test`. Host port 5500; password is `${POSTGRES_PASSWORD}` from `.env` (`devpass`), NOT the literal in `.env`'s `DATABASE_URL` line. `psql` isn't on host PATH — use `docker exec boocode_db psql -U boocode -d boochat -c "..."`. Pattern: `describe.runIf(!!process.env.DATABASE_URL)(...)` + `beforeAll` applying schema via `sql.unsafe(readFileSync(schemaPath))`. `tool_cost_stats.test.ts` is the reference.
+- Host-side smoke endpoint: `curl http://100.114.205.53:9500/api/...`. The container's port mapping binds to the Tailscale IP, not `0.0.0.0`, so `localhost:9500` doesn't work from the host shell. Same for booterm at `:9501`.
+- Frontend blank-screen / runtime crash: get the stack-trace column offset from the browser console, then `cut -c <start>-<end> apps/web/dist/assets/index-*.js | sed -n '<line>p'` to read the exact minified expression that threw. Watch for `=== null`/`!== null` on optional fields fed an `as unknown as` cast — those bypass tsc.
+- Fastify global JSON parser tolerates empty bodies (overridden in `index.ts`); bodyless POSTs (archive, unarchive, stop) work without `Content-Type` tricks on the client.
 - Event dedup discipline: for any mutation the server publishes via `broker.publishUser`, do NOT add a local `sessionEvents.emit(...)` after the API call — `useUserEvents` forwards the WS frame onto the bus. Frontend mutation handlers must be idempotent (dedup by id, no-op on already-present).
 - `node:20-*` base images ship a `node` user at uid/gid 1000 — delete it (`userdel`/`groupdel` on debian, `deluser`/`delgroup` on alpine) before adding samkintop at 1000.
 - node-pty's compiled `.node` is libc-specific: proddeps and runtime Dockerfile stages must share libc (alpine↔musl or bookworm-slim↔glibc); the TS-only builder stage can stay alpine for speed.
 - pnpm 10 `--frozen-lockfile` skips node-pty's postinstall — the Docker proddeps stage runs `cd node_modules/node-pty && npm run install` to force the native compile.
 - A local PreToolUse hook (`security_reminder_hook.py`) regex-flags Node's older `child_process` spawn helpers as unsafe (false positive even on the File-suffixed variant). Use `spawn` — it's accepted.
- `/opt/boolab` hosts a working sibling BooCode terminal at `boocode.indifferentketchup.com`. Useful for visual side-by-side comparison on the same iPhone when debugging booterm rendering. Boolab uses Tailwind v3 (`@tailwind base`); boocode uses v4 — many subtle build differences. Don't assume parity.
- booterm SSHs to the host as `samkintop@100.114.205.53` (the Tailscale IP). The hostname `ubuntu-homelab` (shown in the bash prompt after login) does NOT resolve from inside the container — only the host's `/etc/hosts` knows it. Override via `BOOTERM_SSH_HOST` / `BOOTERM_SSH_USER` env vars in docker-compose if you ever move the shell to a different machine.
- codecontext sidecar lives at `/opt/boocode/codecontext/`. Sidecar HTTP API at `http://codecontext:8080/v1/<tool_name>` over the `boocode_net` bridge (no host port). BooCode wrappers in `apps/server/src/services/tools/codecontext/`. The `.codecontextignore` at project root is honored when `--respect-gitignore` is passed (enabled in the shim).
- codecontext fork at `/opt/forks/codecontext/` — separate git repo (branch `boocode-ts`), pushed via the same boocode_gitea SSH key to `indifferentketchup/codecontext`. Build: `go build ./...`. Test: `go test ./...`. Docker rebuild requires staging the fork source first: `tar -czf codecontext/fork.tar.gz -C /opt/forks/codecontext --exclude=.git --exclude=bin .` then `docker compose build --no-cache codecontext`. The Dockerfile COPYs `fork.tar.gz` into the builder stage (Gitea is behind Authelia, no HTTP clone). `fork.tar.gz` is gitignored.
- Go binary: `/snap/go/current/bin/go` (not on PATH by default). Use `export PATH=$PATH:/snap/go/current/bin` or full path for Go commands.
- `os/exec` child supervisors must explicitly call `child.Wait()` in a goroutine and `os.Exit` on child death. `Signal(0)` returns nil on zombies and is NOT a liveness check. Without `Wait()`, docker's `restart: unless-stopped` policy never fires because the parent stays alive. The `codecontext/shim.go` implementation is the reference pattern.
+- `/opt/boolab` hosts a sibling BooCode at `boocode.indifferentketchup.com` — useful for side-by-side iPhone comparison when debugging booterm rendering. It uses Tailwind v3, boocode uses v4 — don't assume build parity.
+- booterm SSHs to the host as `samkintop@100.114.205.53` (the Tailscale IP). The hostname `ubuntu-homelab` (in the bash prompt) does NOT resolve inside the container. Override via `BOOTERM_SSH_HOST` / `BOOTERM_SSH_USER` env vars in docker-compose if the shell moves to a different machine.
+- codecontext sidecar lives at `/opt/boocode/codecontext/`. HTTP API at `http://codecontext:8080/v1/<tool_name>` over the `boocode_net` bridge (no host port). BooCode wrappers in `apps/server/src/services/tools/codecontext/`. The `.codecontextignore` at project root is honored when `--respect-gitignore` is passed (enabled in the shim).
+- codecontext fork at `/opt/forks/codecontext/` — separate git repo (branch `boocode-ts`), pushed via the boocode_gitea SSH key to `indifferentketchup/codecontext`. Build `go build ./...`; test `go test ./...`. Docker rebuild requires staging the fork first: `tar -czf codecontext/fork.tar.gz -C /opt/forks/codecontext --exclude=.git --exclude=bin .` then `docker compose build --no-cache codecontext` (the Dockerfile COPYs `fork.tar.gz` into the builder stage; Gitea is behind Authelia, no HTTP clone). `fork.tar.gz` is gitignored.
+- Go binary: `/snap/go/current/bin/go` (not on PATH). Use `export PATH=$PATH:/snap/go/current/bin` or the full path.
+- `os/exec` child supervisors must call `child.Wait()` in a goroutine and `os.Exit` on child death. `Signal(0)` returns nil on zombies and is NOT a liveness check. Without `Wait()`, docker's `restart: unless-stopped` never fires because the parent stays alive. `codecontext/shim.go` is the reference.

 ## Conventions

- `overflowWrap` not `wordWrap` — TypeScript's CSSStyleDeclaration marks `wordWrap` as deprecated (error 6385).
+Cross-cutting only. Per-app conventions live in the matching `apps/*/CLAUDE.md`.
+
 - No app-layer auth. Authelia handles auth at the reverse proxy. All `broker.publishUser`/`subscribeUser` calls use `'default'` as the user key.
- TypeScript strict mode. Both apps share `tsconfig.base.json`.
- Server uses NodeNext module resolution (`.js` extensions in imports).
+- TypeScript strict mode. Both apps share `tsconfig.base.json`. Server + coder use NodeNext module resolution (`.js` extensions in imports).
 - Discriminated unions for type narrowing: `Pane` (by `kind`), `SessionEvent` (by `type`), `InferenceFrame` (by `type`).
- **Adding a new WS frame type** requires updating BOTH the server's `InferenceFrame` (loose `type:` union + optional fields in `services/inference/turn.ts`) AND the web `WsFrame` (strict discriminated union in `apps/web/src/api/types.ts`). Server publish is permissive; the frontend type is the wire-format gate. The `'usage'` frame added in v1.12.2 needed both sides; missing the web side silently drops the frame at JSON-parse.
- shadcn primitives live in `components/ui/`. Don't modify them unless adding a new primitive.
- `ui/` primitives present: button, card, context-menu, dialog, dropdown-menu, input, label, radio-group, sonner, textarea. No switch/sheet/drawer/badge/checkbox — use a `<button role="switch" aria-checked>` toggle (a hand-rolled `Switch` already lives in `SettingsPane.tsx`) and a Dialog-based panel for "drawers".
- `inferLanguage()` from `lib/attachments.ts` is the canonical file-extension-to-language map. `CodeBlock.tsx` keeps its own `LANG_MAP` because it also resolves markdown fence names.
- Two UI event buses: `hooks/sessionEvents.ts` for DB-state events (chat_created, session_updated); `lib/events.ts` for ephemeral UI (`sendToTerminal`, `terminalsRegistry`). Don't merge — different subscriber lifecycles.
- `vite.config.ts` proxy entries are order-sensitive: more-specific prefixes (`/api/term`, `/ws/term`) must come BEFORE `/api`.
- Mobile pane URL sync (`Session.tsx`): the `?pane=<id>` effect resets `activePaneIdx` whenever `panes` changes. New-pane creation on mobile must push `?pane=` atomically — `addPaneAndSwitch` is the wrapper that does this. `addSplitPane` returns the new pane id for callers.
- A scrollable list inside a Dialog on mobile: cap `DialogContent` (`max-h-[85vh]` + `grid-rows-[auto_minmax(0,1fr)_auto]`) and make the list the single scroll region with `overscroll-contain` — otherwise touch-scroll drags the whole fixed modal / chains to the page.
- xterm.js v5 uses canvas rendering — browser doesn't see xterm's selection; the native right-click menu has no working Copy for terminal text. App keybindings (`Cmd/Ctrl-C`, `Cmd/Ctrl-Shift-C`) are the path.
- **New tools** live in their own `services/<name>.ts` file (see `web_search.ts`, `web_fetch.ts`) — exports a pure `executeFoo(input, ...deps)` for direct test access plus a `ToolDef` wrapper that `loadConfig()`s its real dependencies. Register the ToolDef in `tools.ts` `ALL_TOOLS` (and `READ_ONLY_TOOL_NAMES` if applicable). Inject `fetcher: typeof fetch = fetch` rather than `vi.spyOn(globalThis, 'fetch')` — cleanup is simpler and the production call site stays unchanged.
- **DB/session-aware tools** take an optional 4th `ToolExecCtx { sql, sessionId }` arg on `ToolDef.execute`, plumbed `executeToolPhase`→`executeToolCall`→`execute`. It's optional so the filesystem tools and the `apps/coder` `ALL_TOOLS` consumer stay compatible; filesystem tools ignore it. `read_tab_by_number` (reads `sessions.workspace_panes` + the chat's messages via `sql`) is the reference.
- **Sentinels** are `role='system'` rows with structured `metadata.kind` (`cap_hit`, `doom_loop`). UI-only — `buildMessagesPayload` strips them via `isAnySentinel` so the LLM never sees them. A new kind requires arms in `MessageMetadata` in BOTH `apps/server/src/types/api.ts` AND `apps/web/src/api/types.ts`, plus a render branch in `apps/web/src/components/MessageBubble.tsx`.
- **ReadableStream test stubs** use `pull()` (not `start()`) so chunks are produced lazily — `start()` enqueues everything and calls `controller.close()` before the consumer reads, so a subsequent `reader.cancel()` finds the stream already closed and the `cancel()` callback never fires. Also provide MORE chunks than the test will consume so the source stays in 'readable' state when cancel runs (e.g. cap test reads ~6 chunks, stub provides 10).
- React **StrictMode is on** (`main.tsx`): an updater passed to one `setState` that itself calls another `setState` (e.g. `setClosedPaneStack` inside a `setPanes` updater) is double-invoked in dev. Make such nested updates idempotent — `useWorkspacePanes`'s `appendClosed` dedupes a value-identical top entry for exactly this reason.
- Tool-name whitelists must derive from `ALL_TOOLS` in `services/tools.ts`, never hardcoded. `services/agents.ts` `ALL_TOOL_NAMES` had this drift class until v1.12 — same pattern applies to any future tool-aware code.
- Agent registry lives at `data/AGENTS.md` (global, bind-mounted at `/data/AGENTS.md`). No per-project `AGENTS.md` in this repo — removed in v1.12 to eliminate the two-files-must-stay-in-sync drift. The `getAgentsForProject` per-project override mechanism remains for *other* projects.
- `data/AGENTS.md` is PARSED (`agents.ts` `splitSections`/`parseAgentSection`): each `## <Name>` is one agent and must be followed by a `---` frontmatter fence or the block throws; content before the first `## ` is discarded. Do NOT add free-form `## ` rule sections — they break the registry. Cross-cutting agent rules go in CLAUDE.md or a parser-ignored preamble.
- Skills live in `data/skills/<vendor>/`; Sam's own namespace is `boocode/` (`committing-changes`, `using-worktrees`, `improving-boocode-guidance`) — `SKILL.md` + optional `eval.yaml` (gerund names; eval = `skill:` + `tasks:` of `prompt`+`grader`, incl. a negative-trigger task). `data/skills/` is canonical; a divergent mirror at `/opt/skills/` exists.
- MCP stdio transport uses newline-delimited JSON (NDJSON), NOT LSP-style `Content-Length` headers. The `codecontext/shim.go` framing implementation is the reference; per the MCP spec (modelcontextprotocol.io/specification/server/transports).
- **Workspace dependency pattern** (`apps/coder` → `@boocode/server`): the consuming package adds `"@boocode/server": "workspace:*"` in `package.json`. The provider's `package.json` needs `exports` with `types` + `default` conditions per subpath: `"./inference": { "types": "./dist/.../index.d.ts", "default": "./dist/.../index.js" }`. Without the `types` condition, NodeNext resolution can't find `.d.ts` files and tsc fails with "Cannot find module" in the consumer.
- **JSONB columns**: use `sql.json(value as never)` — NOT `${JSON.stringify(value)}::jsonb` which double-serializes (stores a JSON string instead of a JSON object/array). Pattern established in `parts.ts`, `settings.ts`.
- **`payload.ts:loadContext` SELECT**: must include every `Session` field that downstream code reads. The tool phase reads `session.allowed_read_paths`; if the SELECT omits it, cross-repo read grants silently fail. The `Session` TypeScript type doesn't catch this because `sql<Session[]>` doesn't enforce column coverage.
- **Sidecar routing** (`services/inference/provider.ts`): `upstreamModel(config, modelId, agent)` routes to `LLAMA_SIDECAR_URL` when agent has `llama_extra_args`, otherwise `LLAMA_SWAP_URL`. `resolveRoute(agent)` returns `{route: 'swap'|'sidecar', flags}`. Sidecar provider created fresh per call (not cached) because `X-Agent-Flags` header varies per agent. Boot-time guard in `index.ts` refuses to start if any agent has `llama_extra_args` but `LLAMA_SIDECAR_URL` is unset.
- **Secret guard safe patterns** (`services/secret_guard.ts`): `.env.example`, `.env.sample`, `.env.template`, `.env.defaults` are allowlisted via `SAFE_PATTERNS` set. Do NOT add `.env.production`/`.env.development`/`.env.test` — those can hold real secrets.
- **CoderPane uses ChatInput** (`components/panes/CoderPane.tsx`): shares the same `ChatInput` component as BooChat for full parity — attachments, paste-to-chip, auto-grow textarea, queued messages during send. CoderPane's `sendOneMessage` is the send callback; queued messages drain via `useEffect` when `sending` goes false.
- **Adding a new `SessionEvent` type**: add the interface, add it to the `SessionEvent` union, add a `case` in `useSidebar.ts` `applyEvent` switch (no-op `return prev` is fine), and subscribe in any hook that needs it (e.g. `useSessionStream` for `refetch_messages`).
- **BooCoder provider registry** (`apps/coder/src/services/provider-registry.ts`): static list of provider defs (boocode, opencode, goose, claude, qwen). `PROBED_AGENT_NAMES` derives from it. Adding/removing providers means editing this file, not the frontend.
- **AgentComposerBar filters `e.installed`**: provider snapshot entries with `installed:false` (loading/unavailable) are dropped from the dropdown. `getProviderSnapshot` must await the full build — returning synchronous `loading` placeholders makes every provider vanish (the v2.5.7 "no providers showing up" regression); surfacing loading states needs a client poll.
- **Coder↔web provider-type parity** (`apps/coder/src/services/provider-types.ts` ↔ `apps/web/src/api/types.ts`): enforced by runtime `provider-types-parity.test.ts` (compile-time cross-import is blocked by TS6307 on web's composite tsconfig). Mirror of the ws-frames parity pattern — edit both copies together or the test fails.
- **ACP command discovery is async**: `acp-probe.ts` must poll after `newSession` for `available_commands_update` (commands arrive in a later notification; reading synchronously captures 0). PTY providers (claude) instead discover from disk via `claude-command-discovery.ts` (`~/.claude/commands` + `enabledPlugins` `skills/`+`commands/`, bare names, deduped). `AgentCommand.kind` tags `'command'` vs `'skill'`; `CoderPane`'s `slashGroups` splits them into icon'd groups. `SlashCommandPicker`'s `groups?` prop is opt-in — BooChat passes flat `items` (unchanged).
- **Pane header architecture (mobile vs desktop)**: Desktop coder pane header (BooCode label + [+] [×]) lives in `Workspace.tsx` gated by `isCoder && !isMobile`. Mobile coder controls (● ×) live in `Session.tsx` header row next to `MobileTabSwitcher`/`NewPaneMenu`. `AgentComposerBar` (provider/mode/model pickers) renders inside `CoderPane.tsx` on both. The ● status dot is passed via `connected` prop from CoderPane to AgentComposerBar.
- **MessageBubble shared between BooChat and BooCoder** (`components/MessageBubble.tsx`): accepts optional `actions?: MessageActions` callbacks (onRegenerate, onResend, onFork, onDelete) and `hideActions?: ('fork'|'delete'|'openInPane')[]`. Defaults use BooChat API; CoderPane overrides via `CoderMessageList` props. `CoderTextBubble` was removed. **`CoderMessageList` passes `CoderMessageWire as unknown as Message`** — the coder wire shape lacks `metadata`/`kind`/`summary`, so those fields are `undefined` (not `null`) on coder messages. Null-guards on any `Message` field MUST use loose `!= null`, not strict `!== null` (`undefined !== null` is `true` → `.kind` throws → blank-screen crash). The `as unknown as` cast hides this from tsc; build + typecheck pass while runtime crashes.
- **llama-sidecar** (`/opt/forks/llama-sidecar/`): Go daemon for per-agent llama-server process pool. Cross-compile: `GOOS=windows GOARCH=amd64 /snap/go/current/bin/go build -o bin/llama-sidecar.exe ./cmd/llama-sidecar`. Gitea: `indifferentketchup/llama-sidecar`. Windows child process gotchas: use `context.Background()` for child lifetime (not request ctx), `os.Open(os.DevNull)` for stdin, `os.Pipe()` for stdout with drain goroutine, `DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP` creation flags. SSH to sam-desktop: `ssh samki@100.101.41.16`; use `schtasks` for persistent process spawning (SSH `start /B` doesn't survive session close).
+- **Adding a new WS frame type** (cross-app) requires updating BOTH the server's `InferenceFrame` (loose `type:` union + optional fields in `services/inference/turn.ts`) AND the web `WsFrame` (strict discriminated union in `apps/web/src/api/types.ts`). Server publish is permissive; the frontend type is the wire-format gate — missing the web side silently drops the frame at JSON-parse.
+- **Sentinels** (cross-app) are `role='system'` rows with structured `metadata.kind` (`cap_hit`, `doom_loop`). UI-only — `buildMessagesPayload` strips them via `isAnySentinel` so the LLM never sees them. A new kind requires arms in `MessageMetadata` in BOTH `apps/server/src/types/api.ts` AND `apps/web/src/api/types.ts`, plus a render branch in `apps/web/src/components/MessageBubble.tsx`.
+- **Coder↔web provider-type parity** (`apps/coder/src/services/provider-types.ts` ↔ `apps/web/src/api/types.ts`): enforced by runtime `provider-types-parity.test.ts` (compile-time cross-import is blocked by TS6307 on web's composite tsconfig). Mirror of the ws-frames parity pattern — edit both copies together.
+- **JSONB columns**: use `sql.json(value as never)` — NOT `${JSON.stringify(value)}::jsonb` which double-serializes (stores a JSON string instead of an object/array). Pattern in `parts.ts`, `settings.ts`.
+- Skills live in `data/skills/<vendor>/`; Sam's own namespace is `boocode/` (`committing-changes`, `using-worktrees`, `improving-boocode-guidance`, `systematic-debugging`) — `SKILL.md` + optional `eval.yaml` (gerund names; eval = `skill:` + `tasks:` of `prompt`+`grader`, incl. a negative-trigger task). `data/skills/` is canonical; a divergent mirror at `/opt/skills/` exists.
+
+### Coding standards
+
+Coding standards live in `docs/coding-standards/` (canonical, human-readable). They are exposed to Claude Code through per-file-type/subsystem index files under `.claude/rules/coding-standards/`. Each index is a path-scoped rule that lists the standards relevant to its `paths:` glob with a one-line description of each. When Claude reads a file matching an index's `paths:`, it loads only that small index and then decides which (if any) standards to open with Read — the full text of a standard is never loaded automatically, and standards do not appear in the skills picker. Browse `docs/coding-standards/` for the readable form.
--- a/CURRENT.md
+++ b/CURRENT.md
@@ -1,10 +1,9 @@
 # Current focus

-Last updated: 2026-05-26
+Last updated: 2026-06-02

- **Batch:** v2.3-provider-lifecycle (openspec drafted; not started)
- **Branch:** `main`
- **Blockers:** none
- **Last shipped:** `v2.2.2-xml-placeholder-reject`
+- **Last shipped:** `v2.7.8-ember-coder-tabs-model-chips` (2026-06-01)
+- **Branch:** `codebase-audit-cleanup` (audit + cleanup epic, off main HEAD)
+- **In progress:** Phase 3 — stale comments + docs refresh

-Update this file when starting or finishing a batch. Agents: read this first for session intent; if stale vs `CHANGELOG.md`, trust CHANGELOG for shipped state.
+See `CHANGELOG.md` for the full shipped history. That file is always authoritative; this file is a quick orientation pointer only.
--- a/apps/booterm/package.json
+++ b/apps/booterm/package.json
@@ -15,7 +15,6 @@
    "fastify": "^4.28.1",
    "node-pty": "^1.0.0",
    "pg": "^8.13.0",
-    "tslib": "^2.6.3",
    "zod": "^3.23.8"
  },
  "devDependencies": {
--- a/apps/booterm/src/config.ts
+++ b/apps/booterm/src/config.ts
@@ -9,7 +9,7 @@ const ConfigSchema = z.object({
  TMUX_CONF_PATH: z.string().default('/etc/booterm/tmux.conf'),
 });

-export type Config = z.infer<typeof ConfigSchema>;
+type Config = z.infer<typeof ConfigSchema>;

 let cached: Config | null = null;

--- a/apps/booterm/src/db.ts
+++ b/apps/booterm/src/db.ts
@@ -10,7 +10,7 @@ export function getPool(databaseUrl: string): pg.Pool {
  return pool;
 }

-export interface SessionInfo {
+interface SessionInfo {
  id: string;
  project_id: string;
  project_path: string;
--- a/apps/booterm/src/pty/pty.ts
+++ b/apps/booterm/src/pty/pty.ts
@@ -1,7 +1,7 @@
 import * as pty from 'node-pty';
 import type { IPty } from 'node-pty';

-export interface AttachPtyOptions {
+interface AttachPtyOptions {
  sessionName: string;
  projectRoot: string;
  cols: number;
--- a/apps/coder/.env.host
+++ b/apps/coder/.env.host
@@ -14,3 +14,4 @@ GITEA_SSH_HOST=100.114.205.53:2222
 MCP_CONFIG_PATH=/data/mcp.json
 SKILLS_ROOT=/opt/boocode/data/skills
 CODER_PROVIDERS_PATH=/opt/boocode/data/coder-providers.json
+CLAUDE_SDK_BACKEND=1
--- a/apps/coder/CLAUDE.md
+++ b/apps/coder/CLAUDE.md
@@ -0,0 +1,34 @@
+# apps/coder — BooCoder (deep reference)
+
+> Per-app engineering notes for `apps/coder/src/`. BooCoder runs as a **systemd service on the host** (`boocoder.service`), NOT in Docker — Fastify at port 9502, postgres at `127.0.0.1:5500`. Cross-cutting commands, database, environment, workflow, and cross-app contracts live in the **root `CLAUDE.md`**. This file auto-loads when you read/edit files under `apps/coder/`.
+
+## Probe & provider discovery
+
+- **`services/provider-registry.ts`** — Static registry of provider metadata (label, transport, model source). `PROVIDERS` array, `PROVIDERS_BY_NAME` map. 5 providers: boocode (native), opencode (acp), goose (pty), claude (pty), qwen (pty). `PROBED_AGENT_NAMES` derives from it — adding/removing providers means editing this file, not the frontend.
+- **`services/agent-probe.ts`** — Startup probe via direct `exec()` (not SSH): discovers installed agents, versions, ACP support, models. Qwen models from `~/.qwen/settings.json`; Claude models static from the registry. Persisted to `available_agents`.
+- **`routes/providers.ts`** — `GET /api/providers` returns installed providers with models. Transport reflects actual capability (checks `supports_acp` from DB, not just registry preference). The apps/server side is "Provider picker dispatch" (see `apps/server/CLAUDE.md`).
+- **Provider snapshot lifecycle** (`services/`): `provider-config.ts` (Zod config, never-throws) → `provider-config-registry.ts` (`buildResolvedRegistry`, singleton) → `provider-snapshot.ts` (two-tier probe: tier-1 fast presence, tier-2 cold ACP probe skipped unless force / stale `PROVIDER_PROBE_TTL_MS` 24h / dbEmpty; cached). Verify live: `curl http://100.114.205.53:9502/api/providers/snapshot` — returns providers + models + commands, the exact shape `AgentComposerBar` renders.
+- `PATCH /api/providers/config` replaces a provider id's override object **wholesale** (per-id shallow merge) — to flip one field send `{...existing, enabled}`, or a custom ACP entry's `command`/`label` is wiped and it drops out of the resolved registry. `data/coder-providers.json` is **gitignored** (live runtime config — the coder reads AND writes it on UI toggles); tracked reference is `data/coder-providers.example.json`. The loader falls back to `{providers:{}}` (built-ins only) when absent, so a fresh checkout needs no copy.
+
+## Build, deploy, dispatch
+
+- **Workspace dependency on `@boocode/server`**: imports `createInferenceRunner`, `createBroker`, `ALL_TOOLS`, `appendMcpTools` from the server's compiled `dist/`. apps/server's `package.json` has an `exports` map with `types` conditions for NodeNext resolution. **apps/server must build FIRST.**
+- Build + deploy: `pnpm -C apps/server build && pnpm -C apps/coder build && sudo systemctl restart boocoder`. Env file at `apps/coder/.env.host`. Service file at `/etc/systemd/system/boocoder.service`.
+- After `pnpm -C apps/coder build` the host service keeps running the OLD process until `sudo systemctl restart boocoder` — a stale process shows **new routes 404 with `{error:'not found'}` while old routes still 200** (the `/api` not-found handler shape). Restart, don't re-debug.
+- `:9502/api/health` is down ~15–20s after a boocoder restart while the startup agent-probe scan runs — retry; an early connection-refused is not a failed deploy.
+- Agent dispatch spawns binaries directly using `install_path` from `available_agents` — no `spawn('sh', ['-c', ...])` (fails under systemd). Paseo's pattern: `spawn(fullBinaryPath, argsArray, { cwd })`.
+- systemd hardening: only `NoNewPrivileges=true` is safe. `ProtectSystem`, `ProtectHome`, `PrivateTmp` all break agent dispatch (agents need full filesystem access to read configs, write to worktrees).
+- `apps/server/tsconfig.json` has `declaration: true` so `.d.ts` files exist for workspace consumers. The provider's `package.json` needs `exports` with `types` + `default` conditions per subpath (`"./inference": { "types": "./dist/.../index.d.ts", "default": "./dist/.../index.js" }`) — without the `types` condition, NodeNext can't find `.d.ts` files and tsc fails "Cannot find module" here.
+- Write tools (`edit_file`, `create_file`, `delete_file`, `apply_pending`, `rewind`) queue in `pending_changes`. Nothing hits disk until `apply_pending`. `write_guard.ts` validates paths (resolve + prefix-check, no realpath since files may not exist for creates).
+
+## Backends
+
+> Behavioral overview + flows + data model: see [/docs/coder-backends.md](/docs/coder-backends.md). The notes below are the deep per-fact reference.
+
+- **opencode** runs as a warm HTTP server (`services/backends/opencode-server.ts` — `opencode serve` per BooCoder process, one opencode session per BooCode session, resumed via `agent_sessions`). goose/qwen/claude dispatch **one-shot** ACP/PTY with no ctx/token usage; only native `boocode` (llama-swap) tracks ctx.
+- **opencode SSE** (`opencode-server.ts`): live streaming is `session.next.text.delta` / `.reasoning.delta` / `.tool.{called,success,failed}` — NOT `message.part.*` (terminal/post-hoc). `client.event.subscribe({ directory })` MUST pass the session's worktree dir; omit it and opencode scopes events to the server `process.cwd()` → zero session events (empty turns, 180s timeout). Each live session owns its own subscribe loop + AbortController (a `sessionID` demux guard drops cross-session events when two share a dir). Turn completes on `session.idle`; `promptAsync` is fire-and-forget (204).
+- **opencode model strings** must be provider-prefixed (`llama-swap/<model>`) AND exist in `~/.config/opencode/opencode.json` `provider.llama-swap.models` — not merely loadable by llama-swap. `parseModel` infers `llama-swap/` for a bare id; the dispatcher coalesces empty→DEFAULT_MODEL then prefixes. `agent-probe` populates opencode's `available_agents.models` via `mergeLlamaSwap` (fetches `/v1/models`); empty model list → frontend sends `''` → no inference (empty turn).
+- **agent_sessions resume**: `config_hash = sha256('opencode_server|<model>')` — must NOT include the server port (random per boot; breaks cross-restart resume). Keyed `(chat_id, agent)` — the tab/chat is the context unit (two opencode tabs = two contexts sharing one worktree). `chat_id` CASCADEs from `chats`; `session_id`/`worktree_id` are informational `SET NULL`. The `worktrees` table (one-per-session, survives session delete) supersedes the defanged `session_worktrees`. `tasks.chat_id` threads the tab id to the dispatcher; `runOpenCodeServerTask` resolves-or-creates a chat when null. The `@opencode-ai/sdk` v2 client takes flattened params (`{sessionID, directory, parts, model:{providerID,modelID}}`), `createOpencodeClient` from `@opencode-ai/sdk/v2/client`.
+- **Claude SDK backend tool RESULTS arrive as `type:'user'` SDK messages** (tool_result content blocks): `mapSdkMessage` (`claude-sdk-map.ts`) MUST map the `user` case → a terminal `tool_update` (completed/failed + output), else the tool_call persists `status:'running'` and the UI spinner never stops. The dispatcher's `tool_update` path then publishes + persists it.
+- **ACP command discovery is async**: `acp-probe.ts` must poll after `newSession` for `available_commands_update` (commands arrive in a later notification; reading synchronously captures 0). PTY providers (claude) discover from disk via `claude-command-discovery.ts` (`~/.claude/commands` + `enabledPlugins`, bare names, deduped). `AgentCommand.kind` tags `'command'` vs `'skill'`; `CoderPane`'s `slashGroups` splits them into icon'd groups. `SlashCommandPicker`'s `groups?` prop is opt-in.
+- **A new per-message coder field silently drops unless you update every mapper**: the HTTP read SELECT + `mapCoderMessageRow` (`apps/coder/src/routes/messages.ts`), **the WS `snapshot` SELECT (`apps/coder/src/routes/ws.ts`)** — it has its OWN column list and the client's `snapshot` handler `setMessages`-overwrites the HTTP load, so a field present in the HTTP route but absent here shows live yet vanishes on refresh — `CoderPane.tsx` (`RawCoderMessage`/`CoderMessage`/`mapCoderTimelineRow` + the live `message_complete` WS reducer), `CoderMessageWire` (`CoderMessageList.tsx`), and `api/types.ts`. The client `mapCoderTimelineRow` whitelists fields — easiest to forget. This bit `model` twice: the client chain (`v2.7.9`) and then the WS snapshot SELECT (`v2.7.11`) — the chip showed live but vanished on coder refresh until both were fixed.
--- a/apps/coder/package.json
+++ b/apps/coder/package.json
@@ -14,11 +14,12 @@
  },
  "dependencies": {
    "@agentclientprotocol/sdk": "^0.22.1",
+    "@anthropic-ai/claude-agent-sdk": "^0.3.159",
    "@boocode/server": "workspace:*",
    "@fastify/static": "^7.0.4",
-    "@opencode-ai/sdk": "~1.15.0",
    "@fastify/websocket": "^10.0.1",
    "@modelcontextprotocol/sdk": "^1.29.0",
+    "@opencode-ai/sdk": "~1.15.0",
    "fastify": "^4.28.1",
    "postgres": "^3.4.4",
    "ws": "^8.18.0",
--- a/apps/coder/src/index.ts
+++ b/apps/coder/src/index.ts
@@ -42,6 +42,7 @@ import { createOrphanWorktreeReaper } from './services/orphan-worktree-reaper.js
 import { probeAgents } from './services/agent-probe.js';
 import { getProviderSnapshot, persistProbedModels } from './services/provider-snapshot.js';
 import { setPermissionHooks } from './services/permission-waiter.js';
+import { publishAgentStatus } from './services/agent-status-publish.js';
 import { homedir } from 'node:os';

 async function main() {
@@ -82,6 +83,21 @@ async function main() {
  // Broker: in-memory pub/sub for session + user channel streaming.
  const broker = createBroker(app.log);

+  // agent-status-normalize (#10): the permission hooks carry only taskId +
+  // sessionId, but the tasks row holds the (chat_id, agent) pair the status frame
+  // is keyed on. Resolve it best-effort so a blocked/working status accompanies
+  // every permission_requested/permission_resolved. Returns null when the task
+  // lacks a chat_id or agent (sessionless creators) — we simply skip the status.
+  const resolveChatAgent = async (
+    taskId: string,
+  ): Promise<{ chatId: string; agent: string } | null> => {
+    const [row] = await sql<{ chat_id: string | null; agent: string | null }[]>`
+      SELECT chat_id, agent FROM tasks WHERE id = ${taskId}
+    `;
+    if (!row?.chat_id || !row.agent) return null;
+    return { chatId: row.chat_id, agent: row.agent };
+  };
+
  setPermissionHooks({
    onPrompt: async (prompt) => {
      await sql`
@@ -96,6 +112,18 @@ async function main() {
        ...(prompt.input ? { input: prompt.input } : {}),
        options: prompt.options.map((o) => ({ option_id: o.optionId, label: o.label })),
      } as WsFrame);
+      // #10: agent is blocked on a human decision.
+      const ca = await resolveChatAgent(prompt.taskId).catch(() => null);
+      if (ca) {
+        publishAgentStatus(
+          broker.publishFrame,
+          prompt.sessionId,
+          ca.chatId,
+          ca.agent,
+          'blocked',
+          'permission_request',
+        );
+      }
    },
    onResolved: async (taskId, sessionId) => {
      await sql`
@@ -106,6 +134,18 @@ async function main() {
        task_id: taskId,
        session_id: sessionId,
      } as WsFrame);
+      // #10: human responded — agent resumes work.
+      const ca = await resolveChatAgent(taskId).catch(() => null);
+      if (ca) {
+        publishAgentStatus(
+          broker.publishFrame,
+          sessionId,
+          ca.chatId,
+          ca.agent,
+          'working',
+          'permission_resolved',
+        );
+      }
    },
  });

--- a/apps/coder/src/routes/tests/chat-resolve.test.ts
+++ b/apps/coder/src/routes/tests/chat-resolve.test.ts
@@ -0,0 +1,110 @@
+import { describe, it, expect } from 'vitest';
+import { resolveChatId } from '../chat-resolve.js';
+import type { Sql } from '../../db.js';
+
+// Mock the porsager/postgres surface that chat-resolve.ts uses: a tagged-template
+// `tx` (dispatched by query substring), `tx.json`, and `sql.begin(fn)` which just
+// runs fn(tx). Captures the value written back to workspace_panes so we can assert
+// the WorkspaceState envelope survives the UPDATE.
+interface MockState {
+  stored: unknown; // initial sessions.workspace_panes value
+  existingChatOpen: boolean; // whether `SELECT id FROM chats ...` finds the active chat
+  newChatId: string;
+  written?: unknown; // captured tx.json(...) payload from `UPDATE sessions`
+  inserted: boolean; // whether INSERT INTO chats ran
+}
+
+interface MockTx {
+  (strings: TemplateStringsArray): Promise<unknown>;
+  json: (v: unknown) => unknown;
+}
+
+function mockSql(state: MockState): Sql {
+  const tx = ((strings: TemplateStringsArray) => {
+    const q = strings.join('');
+    if (q.includes('SELECT workspace_panes FROM sessions')) {
+      return Promise.resolve([{ workspace_panes: state.stored }]);
+    }
+    if (q.includes('FROM chats')) {
+      return Promise.resolve(state.existingChatOpen ? [{ id: 'placeholder' }] : []);
+    }
+    if (q.includes('INSERT INTO chats')) {
+      state.inserted = true;
+      return Promise.resolve([{ id: state.newChatId }]);
+    }
+    if (q.includes('UPDATE sessions')) {
+      return Promise.resolve([]);
+    }
+    return Promise.resolve([]);
+  }) as unknown as MockTx;
+  tx.json = (v: unknown) => {
+    state.written = v;
+    return v;
+  };
+  const sql = {
+    begin: (fn: (t: Sql) => Promise<unknown>) => fn(tx as unknown as Sql),
+  };
+  return sql as unknown as Sql;
+}
+
+const ENVELOPE = () => ({
+  panes: [{ id: 'pane-1', kind: 'coder', chatIds: [] as string[], activeChatIdx: 0 }],
+  tabNumbers: { 'chat-x': 3 },
+  nextTabNumber: 7,
+  closedPaneStack: [{ kind: 'coder', chatIds: ['old'], activeChatIdx: 0 }],
+});
+
+describe('resolveChatId — v2.6.5 WorkspaceState envelope', () => {
+  it('reads panes from the envelope without crashing (regression: panes.findIndex is not a function)', async () => {
+    const state: MockState = {
+      stored: ENVELOPE(),
+      existingChatOpen: false,
+      newChatId: 'new-chat-1',
+      inserted: false,
+    };
+    const chatId = await resolveChatId(mockSql(state), 'session-1', 'pane-1');
+    expect(chatId).toBe('new-chat-1');
+    expect(state.inserted).toBe(true);
+  });
+
+  it('preserves the envelope (tabNumbers/nextTabNumber/closedPaneStack) on write-back', async () => {
+    const state: MockState = {
+      stored: ENVELOPE(),
+      existingChatOpen: false,
+      newChatId: 'new-chat-1',
+      inserted: false,
+    };
+    await resolveChatId(mockSql(state), 'session-1', 'pane-1');
+    const w = state.written as Record<string, unknown>;
+    expect(Array.isArray(w.panes)).toBe(true); // envelope, not a bare array
+    expect(w.tabNumbers).toEqual({ 'chat-x': 3 });
+    expect(w.nextTabNumber).toBe(7);
+    expect(w.closedPaneStack).toEqual([{ kind: 'coder', chatIds: ['old'], activeChatIdx: 0 }]);
+  });
+
+  it('returns the existing open chat when the pane already has one', async () => {
+    const env = ENVELOPE();
+    env.panes[0]!.chatIds = ['existing-1'];
+    const state: MockState = {
+      stored: env,
+      existingChatOpen: true,
+      newChatId: 'should-not-be-used',
+      inserted: false,
+    };
+    const chatId = await resolveChatId(mockSql(state), 'session-1', 'pane-1');
+    expect(chatId).toBe('existing-1');
+    expect(state.inserted).toBe(false);
+  });
+
+  it('still accepts a legacy bare WorkspacePane[] array', async () => {
+    const state: MockState = {
+      stored: [{ id: 'pane-1', kind: 'coder', chatId: 'legacy-1', chatIds: ['legacy-1'], activeChatIdx: 0 }],
+      existingChatOpen: true,
+      newChatId: 'should-not-be-used',
+      inserted: false,
+    };
+    const chatId = await resolveChatId(mockSql(state), 'session-1', 'pane-1');
+    expect(chatId).toBe('legacy-1');
+    expect(state.inserted).toBe(false);
+  });
+});
--- a/apps/coder/src/routes/agent-sessions.ts
+++ b/apps/coder/src/routes/agent-sessions.ts
@@ -16,6 +16,11 @@ export interface AgentSessionRow {
  status: string;
  has_session: boolean;
  last_active_at: string | null;
+  // v2.6.8 per-(chat,agent) running token/cost totals (sampling-streamjson-tokens
+  // #8). BIGINT columns arrive as strings over the wire; the frontend coerces.
+  input_tokens: number;
+  output_tokens: number;
+  cost: number;
 }

 export function registerAgentSessionRoutes(app: FastifyInstance, sql: Sql): void {
@@ -39,7 +44,10 @@ export function registerAgentSessionRoutes(app: FastifyInstance, sql: Sql): void
          a.agent AS agent,
          a.status AS status,
          (a.agent_session_id IS NOT NULL) AS has_session,
-          a.last_active_at AS last_active_at
+          a.last_active_at AS last_active_at,
+          a.input_tokens AS input_tokens,
+          a.output_tokens AS output_tokens,
+          a.cost AS cost
        FROM agent_sessions a
        JOIN chats c ON c.id = a.chat_id
        WHERE c.session_id = ${sessionId}
--- a/apps/coder/src/routes/chat-resolve.ts
+++ b/apps/coder/src/routes/chat-resolve.ts
@@ -8,6 +8,36 @@ interface WorkspacePaneRow {
  activeChatIdx?: number;
 }

+// v2.6.5: sessions.workspace_panes widened from a bare WorkspacePane[] to a
+// WorkspaceState envelope { panes, tabNumbers, nextTabNumber, closedPaneStack }.
+// (See the union validator in apps/server routes/sessions.ts + normalizeWorkspaceState
+// in apps/server read_tab_by_number.ts — this is the coder-side mirror.)
+interface WorkspaceStateRow {
+  panes: WorkspacePaneRow[];
+  tabNumbers: Record<string, number>;
+  nextTabNumber: number;
+  closedPaneStack: unknown[];
+}
+
+// MIGRATION: the stored value may be the legacy bare array OR the envelope.
+// Normalize to a full envelope so callers always read `.panes` as an array and
+// write the envelope back intact (preserving tabNumbers/nextTabNumber/closedPaneStack).
+export function normalizeWorkspaceState(v: unknown): WorkspaceStateRow {
+  if (Array.isArray(v)) {
+    return { panes: v as WorkspacePaneRow[], tabNumbers: {}, nextTabNumber: 1, closedPaneStack: [] };
+  }
+  if (v && typeof v === 'object' && Array.isArray((v as { panes?: unknown }).panes)) {
+    const env = v as Partial<WorkspaceStateRow>;
+    return {
+      panes: env.panes ?? [],
+      tabNumbers: env.tabNumbers ?? {},
+      nextTabNumber: env.nextTabNumber ?? 1,
+      closedPaneStack: env.closedPaneStack ?? [],
+    };
+  }
+  return { panes: [], tabNumbers: {}, nextTabNumber: 1, closedPaneStack: [] };
+}
+
 function chatNameForKind(kind: string): string {
  if (kind === 'coder' || kind === 'agent') return 'BooCoder';
  if (kind === 'terminal') return 'Terminal';
@@ -28,12 +58,13 @@ export async function resolveChatId(
  paneId: string,
 ): Promise<string | null> {
  return sql.begin(async (tx) => {
-    const sessionRows = await tx<{ workspace_panes: WorkspacePaneRow[] }[]>`
+    const sessionRows = await tx<{ workspace_panes: unknown }[]>`
      SELECT workspace_panes FROM sessions WHERE id = ${sessionId} FOR UPDATE
    `;
    if (sessionRows.length === 0) return null;

-    const panes = sessionRows[0]!.workspace_panes ?? [];
+    const state = normalizeWorkspaceState(sessionRows[0]!.workspace_panes);
+    const panes = state.panes;
    const paneIdx = panes.findIndex((p) => p.id === paneId);
    if (paneIdx < 0) return null;

@@ -69,9 +100,10 @@ export async function resolveChatId(
        : p,
    );

+    const nextState: WorkspaceStateRow = { ...state, panes: nextPanes };
    await tx`
      UPDATE sessions
-      SET workspace_panes = ${tx.json(nextPanes as never)},
+      SET workspace_panes = ${tx.json(nextState as never)},
          updated_at = clock_timestamp()
      WHERE id = ${sessionId}
    `;
--- a/apps/coder/src/routes/checkpoints.ts
+++ b/apps/coder/src/routes/checkpoints.ts
@@ -26,18 +26,24 @@ export function registerCheckpointRoutes(app: FastifyInstance, sql: Sql): void {
        return { error: 'session not found' };
      }

+      // Scope authoritatively through chats.session_id (always set) — NOT the
+      // denormalized checkpoints.session_id (nullable). The chat_id branch must
+      // still be session-gated or it's an IDOR (any session's chat_id reads its
+      // checkpoints).
      const rows = chatId
        ? await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
-            SELECT id, chat_id, message_id, label, created_at
-            FROM checkpoints
-            WHERE chat_id = ${chatId}
-            ORDER BY created_at
+            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
+            FROM checkpoints cp
+            JOIN chats c ON c.id = cp.chat_id
+            WHERE cp.chat_id = ${chatId} AND c.session_id = ${sessionId}
+            ORDER BY cp.created_at
          `
        : await sql<{ id: string; chat_id: string; message_id: string | null; label: string | null; created_at: Date }[]>`
-            SELECT id, chat_id, message_id, label, created_at
-            FROM checkpoints
-            WHERE session_id = ${sessionId}
-            ORDER BY created_at
+            SELECT cp.id, cp.chat_id, cp.message_id, cp.label, cp.created_at
+            FROM checkpoints cp
+            JOIN chats c ON c.id = cp.chat_id
+            WHERE c.session_id = ${sessionId}
+            ORDER BY cp.created_at
          `;
      return rows;
    },
--- a/apps/coder/src/routes/messages.ts
+++ b/apps/coder/src/routes/messages.ts
@@ -53,6 +53,9 @@ interface MessageRow {
  role: string;
  content: string | null;
  status: string | null;
+  model: string | null;
+  ctx_used: number | null;
+  ctx_max: number | null;
  tool_calls: Array<{ id: string; name: string; args?: Record<string, unknown> }> | null;
  tool_results: {
    tool_call_id: string;
@@ -88,6 +91,9 @@ function mapCoderMessageRow(row: MessageRow) {
    role: row.role as 'user' | 'assistant' | 'system',
    content: row.content ?? '',
    status: (row.status ?? 'complete') as 'streaming' | 'complete' | 'failed',
+    ...(row.model ? { model: row.model } : {}),
+    ...(row.ctx_used != null ? { ctx_used: row.ctx_used } : {}),
+    ...(row.ctx_max != null ? { ctx_max: row.ctx_max } : {}),
    ...(reasoningText ? { reasoning_text: reasoningText } : {}),
    ...(tool_calls?.length ? { tool_calls } : {}),
  };
@@ -126,13 +132,13 @@ export function registerMessageRoutes(

      const rows = chatId
        ? await sql<MessageRow[]>`
-            SELECT id, role, content, status, tool_calls, tool_results, reasoning_parts
+            SELECT id, role, content, status, model, ctx_used, ctx_max, tool_calls, tool_results, reasoning_parts
            FROM messages_with_parts
            WHERE session_id = ${sessionId} AND chat_id = ${chatId}
            ORDER BY created_at ASC, id ASC
          `
        : await sql<MessageRow[]>`
-            SELECT id, role, content, status, tool_calls, tool_results, reasoning_parts
+            SELECT id, role, content, status, model, ctx_used, ctx_max, tool_calls, tool_results, reasoning_parts
            FROM messages_with_parts
            WHERE session_id = ${sessionId}
            ORDER BY created_at ASC, id ASC
--- a/apps/coder/src/routes/tasks.ts
+++ b/apps/coder/src/routes/tasks.ts
@@ -95,7 +95,7 @@ export function registerTaskRoutes(app: FastifyInstance, sql: Sql, inference: In
  // GET /api/tasks/:id — single task detail
  app.get<{ Params: { id: string } }>('/api/tasks/:id', async (req, reply) => {
    const rows = await sql`
-      SELECT id, project_id, parent_task_id, state, input, output_summary, agent, model, execution_path, worktree_path, session_id, cost_tokens, started_at, ended_at, created_at
+      SELECT id, project_id, parent_task_id, state, input, output_summary, agent, model, execution_path, session_id, cost_tokens, started_at, ended_at, created_at
      FROM tasks
      WHERE id = ${req.params.id}
    `;
--- a/apps/coder/src/routes/worktree-safety.ts
+++ b/apps/coder/src/routes/worktree-safety.ts
@@ -9,7 +9,7 @@
 */
 import type { FastifyInstance } from 'fastify';
 import type { Sql } from '../db.js';
-import { checkWorktreeWorkAtRisk, stashWorktree } from '../services/worktrees.js';
+import { checkWorktreeWorkAtRisk, stashWorktree } from '../services/worktree-risk.js';

 export function registerWorktreeSafetyRoutes(app: FastifyInstance, sql: Sql): void {
  // GET risk for a session's worktree(s). One row per session today (PK on
--- a/apps/coder/src/routes/ws.ts
+++ b/apps/coder/src/routes/ws.ts
@@ -25,7 +25,7 @@ export function registerWebSocket(

      // Send snapshot of existing messages so client can hydrate
      const messages = await sql<Record<string, unknown>[]>`
-        SELECT id, session_id, chat_id, role, content, kind, tool_calls, tool_results, reasoning_parts, status, last_seq,
+        SELECT id, session_id, chat_id, role, content, kind, tool_calls, tool_results, reasoning_parts, status, model, last_seq,
               tokens_used, ctx_used, ctx_max, started_at, finished_at, created_at, metadata,
               summary, tail_start_id, compacted_at
        FROM messages_with_parts
--- a/apps/coder/src/schema.sql
+++ b/apps/coder/src/schema.sql
@@ -25,7 +25,6 @@ CREATE TABLE IF NOT EXISTS tasks (
  agent TEXT,
  model TEXT,
  execution_path TEXT,
-  worktree_path TEXT,
  cost_tokens INTEGER,
  started_at TIMESTAMPTZ,
  ended_at TIMESTAMPTZ,
@@ -39,9 +38,9 @@ CREATE TABLE IF NOT EXISTS available_agents (
  install_path TEXT,
  version TEXT,
  supports_acp BOOLEAN NOT NULL DEFAULT false,
-  supports_mcp_client BOOLEAN NOT NULL DEFAULT false,
  last_probed_at TIMESTAMPTZ
 );
+ALTER TABLE available_agents DROP COLUMN IF EXISTS supports_mcp_client;

 -- v2.0.0 Phase 4: link tasks to their inference sessions.
 ALTER TABLE tasks ADD COLUMN IF NOT EXISTS session_id UUID REFERENCES sessions(id);
@@ -74,31 +73,10 @@ ALTER TABLE available_agents ADD COLUMN IF NOT EXISTS commands JSONB DEFAULT '[]
 -- v2.2.0: Paseo-style session config on tasks.
 ALTER TABLE tasks ADD COLUMN IF NOT EXISTS mode_id TEXT;
 ALTER TABLE tasks ADD COLUMN IF NOT EXISTS thinking_option_id TEXT;
-ALTER TABLE tasks ADD COLUMN IF NOT EXISTS feature_values JSONB;
-
-- v2.6: one shared worktree per session (all agents/panes in the session operate in it).
-CREATE TABLE IF NOT EXISTS session_worktrees (
-  session_id UUID PRIMARY KEY REFERENCES sessions(id) ON DELETE CASCADE,
-  worktree_path TEXT NOT NULL,
-  base_commit TEXT,
-  created_at TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
-);
-- P1.5-b: DEFANG the CASCADE — a session delete must no longer wipe its worktree
-- row. This table is SUPERSEDED by `worktrees` below; all readers are repointed
-- this phase, so the row just persists (dead) on session delete until a later
-- cleanup drops the table. session_id is this table's PRIMARY KEY, so it cannot be
-- nullable → SET NULL is invalid and NO ACTION/RESTRICT would block deletes; the
-- only valid defang is to drop the FK with no replacement. Idempotent: only fires
-- while the FK is still ON DELETE CASCADE ('c').
-DO $$ BEGIN
-  IF EXISTS (
-    SELECT 1 FROM pg_constraint
-    WHERE conname = 'session_worktrees_session_id_fkey'
-      AND confdeltype = 'c'
-  ) THEN
-    ALTER TABLE session_worktrees DROP CONSTRAINT session_worktrees_session_id_fkey;
-  END IF;
-END $$;
+-- tasks.feature_values and tasks.worktree_path were never read or written by any
+-- code path; drop them from existing DBs (fresh DBs never had them in the CREATE).
+ALTER TABLE tasks DROP COLUMN IF EXISTS feature_values;
+ALTER TABLE tasks DROP COLUMN IF EXISTS worktree_path;

 -- v2.6: one backend session per (session, agent); resumed on switch-back.
 CREATE TABLE IF NOT EXISTS agent_sessions (
@@ -168,12 +146,9 @@ CREATE TABLE IF NOT EXISTS worktrees (
 );
 CREATE UNIQUE INDEX IF NOT EXISTS worktrees_active_path_uidx ON worktrees(path) WHERE status='active';

-- Migrate any surviving session_worktrees rows → worktrees (idempotent; 0 rows
-- after the test-session delete, kept for generality / fresh-DB safety).
-INSERT INTO worktrees (session_id, path, branch, base_commit, status)
-SELECT sw.session_id, sw.worktree_path, 'session-' || sw.session_id, sw.base_commit, 'active'
-FROM session_worktrees sw
-WHERE NOT EXISTS (SELECT 1 FROM worktrees w WHERE w.session_id = sw.session_id AND w.status='active');
+-- session_worktrees was superseded by worktrees (v2.6/P1.5-b); all rows migrated
+-- before P2 cleanup. Drop the dead table; no-op on fresh DBs that never had it.
+DROP TABLE IF EXISTS session_worktrees;

 -- Dispatch hint: which chat (tab) a task belongs to. The coder message route and
 -- skills route set it from the frontend tab; session-less creators (arena, MCP,
@@ -261,6 +236,34 @@ CREATE TABLE IF NOT EXISTS checkpoints (
 );
 CREATE INDEX IF NOT EXISTS checkpoints_chat_created_idx ON checkpoints(chat_id, created_at);

+-- claude-sdk-sessionstore #9 (Part 1): append-only mirror of Claude Agent SDK
+-- session transcripts. The SDK's SessionStore adapter writes one JSONL line per
+-- entry; PostgresSessionStore (services/backends/claude-session-store.ts) inserts
+-- one row per entry and replays them ORDER BY id on resume. The store is generic
+-- per the SDK's SessionKey (project_key, session_id, subpath) — chat↔session
+-- ownership lives in agent_sessions, not here. subpath '' is the main transcript
+-- (the SDK's undefined subpath maps to '' in the column).
+CREATE TABLE IF NOT EXISTS claude_session_entries (
+  id          BIGSERIAL PRIMARY KEY,
+  project_key TEXT NOT NULL,
+  session_id  TEXT NOT NULL,
+  subpath     TEXT NOT NULL DEFAULT '',   -- '' = main transcript (SDK's undefined subpath maps here)
+  entry       JSONB NOT NULL,
+  created_at  TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
+);
+CREATE INDEX IF NOT EXISTS claude_session_entries_key_idx ON claude_session_entries (project_key, session_id, subpath, id);
+
+-- claude-sdk-sessionstore #9 (Part 2): the warm Claude-SDK backend persists its
+-- agent_sessions rows with backend='claude_sdk'. Widen the named CHECK to accept
+-- it. Idempotent: DROP the named constraint (the inline CREATE TABLE check above
+-- carries this explicit name, so DROP IF EXISTS targets it) + re-ADD the widened
+-- list. Re-runs/fresh deploys land on the same final constraint (the table-level
+-- CREATE already includes only the old two values on a fresh DB; this block then
+-- replaces it with the three-value list).
+ALTER TABLE agent_sessions DROP CONSTRAINT IF EXISTS agent_sessions_backend_chk;
+ALTER TABLE agent_sessions ADD CONSTRAINT agent_sessions_backend_chk
+  CHECK (backend IN ('opencode_server', 'acp_warm', 'claude_sdk'));
+
 -- LISTEN/NOTIFY fast path: every tasks INSERT (from any call site — routes,
 -- new_task tool, arena, MCP server) fires pg_notify('tasks_new') in the same
 -- transaction, so the dispatcher reacts immediately instead of waiting for the
--- a/apps/coder/src/services/tests/acp-client.test.ts
+++ b/apps/coder/src/services/tests/acp-client.test.ts
@@ -0,0 +1,74 @@
+import { describe, it, expect, vi } from 'vitest';
+import type { RequestPermissionRequest, CreateElicitationRequest, SessionNotification } from '@agentclientprotocol/sdk';
+import { buildAcpClient, type AcpTurnContext } from '../acp-client.js';
+
+/**
+ * buildAcpClient (v2.7 audit reshape): the shared ACP `Client` closures. These
+ * tests cover the pure routing decisions that don't require the permission-waiter
+ * broker machinery — the auto-select/decline fallbacks and the between-turns drop.
+ */
+
+describe('buildAcpClient — sessionUpdate', () => {
+  it('drops the update when no turn is active (resolveTurn → null)', async () => {
+    const client = buildAcpClient('/wt', () => null);
+    // Must resolve without throwing and without an onSessionUpdate to call.
+    await expect(client.sessionUpdate({ sessionId: 's', update: {} } as unknown as SessionNotification)).resolves.toBeUndefined();
+  });
+
+  it('forwards the update to the active turn', async () => {
+    const onSessionUpdate = vi.fn();
+    const turn: AcpTurnContext = { taskId: 't', sessionId: 's', modeId: undefined, agent: 'goose', onSessionUpdate };
+    const client = buildAcpClient('/wt', () => turn);
+    const note = { sessionId: 's', update: {} } as unknown as SessionNotification;
+    await client.sessionUpdate(note);
+    expect(onSessionUpdate).toHaveBeenCalledWith(note);
+  });
+});
+
+describe('buildAcpClient — requestPermission fallback (no UI routing)', () => {
+  function req(options: Array<{ optionId: string }>): RequestPermissionRequest {
+    return { options } as unknown as RequestPermissionRequest;
+  }
+
+  it('auto-selects the first option when there is no turn', async () => {
+    const client = buildAcpClient('/wt', () => null);
+    const res = await client.requestPermission(req([{ optionId: 'allow' }, { optionId: 'deny' }]));
+    expect(res).toEqual({ outcome: { outcome: 'selected', optionId: 'allow' } });
+  });
+
+  it('cancels when there is no turn and no options', async () => {
+    const client = buildAcpClient('/wt', () => null);
+    const res = await client.requestPermission(req([]));
+    expect(res).toEqual({ outcome: { outcome: 'cancelled' } });
+  });
+
+  it('auto-selects when the turn has no taskId (UI routing gated off)', async () => {
+    const turn: AcpTurnContext = { taskId: undefined, sessionId: 's', modeId: undefined, agent: 'goose', onSessionUpdate: () => {} };
+    const client = buildAcpClient('/wt', () => turn);
+    const res = await client.requestPermission(req([{ optionId: 'ok' }]));
+    expect(res).toEqual({ outcome: { outcome: 'selected', optionId: 'ok' } });
+  });
+});
+
+describe('buildAcpClient — elicitation fallback', () => {
+  it('declines when there is no turn', async () => {
+    const client = buildAcpClient('/wt', () => null);
+    const res = await client.unstable_createElicitation!({} as CreateElicitationRequest);
+    expect(res).toEqual({ action: 'decline' });
+  });
+
+  it('declines when the turn has no taskId', async () => {
+    const turn: AcpTurnContext = { taskId: undefined, sessionId: 's', modeId: undefined, agent: 'goose', onSessionUpdate: () => {} };
+    const client = buildAcpClient('/wt', () => turn);
+    const res = await client.unstable_createElicitation!({} as CreateElicitationRequest);
+    expect(res).toEqual({ action: 'decline' });
+  });
+});
+
+describe('buildAcpClient — createTerminal', () => {
+  it('returns the noop terminal id', async () => {
+    const client = buildAcpClient('/wt', () => null);
+    const res = await client.createTerminal!({} as never);
+    expect(res).toEqual({ terminalId: 'noop' });
+  });
+});
--- a/apps/coder/src/services/tests/checkpoints.test.ts
+++ b/apps/coder/src/services/tests/checkpoints.test.ts
@@ -233,4 +233,20 @@ describe.runIf(!!process.env.DATABASE_URL)('checkpoint create + restore (DB + gi
    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
    await sql`DELETE FROM checkpoints WHERE id = ${cp!.id}`;
  });
+
+  it('restoreCheckpoint denies a NULL-session_id checkpoint from another session (no fail-open IDOR)', async () => {
+    // Regression for the fail-open authorization bug: a checkpoint row whose
+    // denormalized session_id is NULL must STILL be scoped via its chat's owning
+    // session (chats.session_id), not skipped. The old guard `cp.session_id &&
+    // cp.session_id !== sessionId` fell through on NULL → cross-session restore.
+    const [row] = await sql<{ id: string }[]>`
+      INSERT INTO checkpoints (chat_id, session_id, message_id, commit_sha)
+      VALUES (${chatId}, NULL, NULL, 'deadbeef')
+      RETURNING id
+    `;
+    await expect(
+      restoreCheckpoint(sql, row!.id, { sessionId: '22222222-2222-2222-2222-222222222222' }),
+    ).rejects.toBeInstanceOf(CheckpointNotFoundError);
+    await sql`DELETE FROM checkpoints WHERE id = ${row!.id}`;
+  });
 });
--- a/apps/coder/src/services/tests/frame-emitter.test.ts
+++ b/apps/coder/src/services/tests/frame-emitter.test.ts
@@ -0,0 +1,102 @@
+import { describe, it, expect } from 'vitest';
+import type { Broker } from '@boocode/server/broker';
+import { makeFrameEmitter } from '../frame-emitter.js';
+import { makeDcpStreamStripper } from '../dcp-strip.js';
+import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
+
+/**
+ * makeFrameEmitter (v2.7 audit reshape): the AgentEvent → WS-frame mapping + turn
+ * accumulators extracted from AcpStreamContext. Pure-ish over an injected broker.
+ */
+
+function fakeBroker(): { broker: Broker; frames: Array<{ sid: string; frame: Record<string, unknown> }> } {
+  const frames: Array<{ sid: string; frame: Record<string, unknown> }> = [];
+  const broker = {
+    publishFrame: (sid: string, frame: unknown) => {
+      frames.push({ sid, frame: frame as Record<string, unknown> });
+    },
+  } as unknown as Broker;
+  return { broker, frames };
+}
+
+const toolSnap: AcpToolSnapshot = { toolCallId: 'c1', title: 'grep', status: 'completed', rawOutput: 'x' };
+
+describe('makeFrameEmitter — streaming frames', () => {
+  it('maps text/reasoning/tool events to delta/reasoning_delta/tool_call frames', () => {
+    const { broker, frames } = fakeBroker();
+    const em = makeFrameEmitter({ broker, sessionId: 's1', chatId: 'ch1', assistantId: 'm1' });
+
+    em.onEvent({ type: 'text', text: 'hello ' });
+    em.onEvent({ type: 'reasoning', text: 'mulling' });
+    em.onEvent({ type: 'tool_call', toolCall: toolSnap });
+
+    expect(frames.map((f) => f.frame.type)).toEqual(['delta', 'reasoning_delta', 'tool_call']);
+    expect(frames[0]!.frame).toMatchObject({ message_id: 'm1', chat_id: 'ch1', content: 'hello ' });
+    expect(frames[2]!.frame).toMatchObject({ message_id: 'm1', chat_id: 'ch1' });
+    expect(em.output).toBe('hello ');
+    expect(em.reasoningText).toBe('mulling');
+    expect(em.snapshots).toHaveLength(1);
+  });
+
+  it('publishes a tool_call frame for BOTH tool_call and tool_update events', () => {
+    const { broker, frames } = fakeBroker();
+    const em = makeFrameEmitter({ broker, sessionId: 's1', chatId: 'ch1', assistantId: 'm1' });
+    em.onEvent({ type: 'tool_update', toolCall: toolSnap });
+    expect(frames).toHaveLength(1);
+    expect(frames[0]!.frame.type).toBe('tool_call');
+  });
+
+  it('publishes an agent_commands frame and merges the command cache', () => {
+    const { broker, frames } = fakeBroker();
+    const taskId = `task-fe-${Math.floor(performance.now())}-${frames.length}`;
+    const em = makeFrameEmitter({ broker, sessionId: 's1', chatId: 'ch1', assistantId: 'm1', taskId });
+    em.onEvent({ type: 'commands', commands: [{ name: 'plan' }] });
+    expect(frames).toHaveLength(1);
+    expect(frames[0]!.frame).toMatchObject({ type: 'agent_commands', task_id: taskId, session_id: 's1' });
+  });
+
+  it('does not publish a commands frame without a taskId', () => {
+    const { broker, frames } = fakeBroker();
+    const em = makeFrameEmitter({ broker, sessionId: 's1', chatId: 'ch1', assistantId: 'm1' });
+    em.onEvent({ type: 'commands', commands: [{ name: 'plan' }] });
+    expect(frames).toHaveLength(0);
+  });
+});
+
+describe('makeFrameEmitter — no broker (one-shot accumulation)', () => {
+  it('accumulates output/reasoning/snapshots but publishes nothing', () => {
+    const em = makeFrameEmitter({ sessionId: 's1', chatId: 'ch1', assistantId: 'm1' });
+    em.onEvent({ type: 'text', text: 'abc' });
+    em.onEvent({ type: 'reasoning', text: 'r' });
+    em.onEvent({ type: 'tool_call', toolCall: toolSnap });
+    expect(em.output).toBe('abc');
+    expect(em.reasoningText).toBe('r');
+    expect(em.snapshots).toHaveLength(1);
+  });
+});
+
+describe('makeFrameEmitter — dcp stripping (opencode path contract)', () => {
+  it('strips a split dcp tag across deltas and flushes the tail on finalize', () => {
+    const { broker, frames } = fakeBroker();
+    const em = makeFrameEmitter({ broker, sessionId: 's1', chatId: 'ch1', assistantId: 'm1', dcp: makeDcpStreamStripper() });
+
+    for (const chunk of ['Answer.', '<dcp', '-message', '-id>m1</dcp', '-message-id>', ' tail']) {
+      em.onEvent({ type: 'text', text: chunk });
+    }
+    em.finalize();
+
+    expect(em.output).toBe('Answer. tail');
+    const published = frames.filter((f) => f.frame.type === 'delta').map((f) => f.frame.content).join('');
+    expect(published).toBe('Answer. tail');
+  });
+
+  it('finalize is a no-op without a dcp stripper', () => {
+    const { broker, frames } = fakeBroker();
+    const em = makeFrameEmitter({ broker, sessionId: 's1', chatId: 'ch1', assistantId: 'm1' });
+    em.onEvent({ type: 'text', text: 'raw <dcp-message-id>m</dcp-message-id>' });
+    em.finalize();
+    // No stripping without a stripper — verbatim text (prior ACP-path behavior).
+    expect(em.output).toBe('raw <dcp-message-id>m</dcp-message-id>');
+    expect(frames).toHaveLength(1);
+  });
+});
--- a/apps/coder/src/services/tests/stream-json-parser.test.ts
+++ b/apps/coder/src/services/tests/stream-json-parser.test.ts
@@ -0,0 +1,189 @@
+import { describe, it, expect } from 'vitest';
+import {
+  makeStreamJsonParser,
+  makeStreamJsonState,
+  parseStreamJsonLine,
+  type AgentEventList,
+} from '../stream-json-parser.js';
+import type { AgentEvent } from '../agent-backend.js';
+import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
+
+// Helpers to JSON-encode the representative Claude-Code stream-json lines.
+const sys = (sessionId: string) =>
+  JSON.stringify({ type: 'system', subtype: 'init', session_id: sessionId, tools: ['read', 'edit'] });
+
+const streamEvent = (event: unknown) => JSON.stringify({ type: 'stream_event', event });
+
+const textDelta = (index: number, text: string) =>
+  streamEvent({ type: 'content_block_delta', index, delta: { type: 'text_delta', text } });
+
+const thinkingDelta = (index: number, thinking: string) =>
+  streamEvent({ type: 'content_block_delta', index, delta: { type: 'thinking_delta', thinking } });
+
+const toolStart = (index: number, id: string, name: string) =>
+  streamEvent({ type: 'content_block_start', index, content_block: { type: 'tool_use', id, name } });
+
+const inputJsonDelta = (index: number, partial: string) =>
+  streamEvent({ type: 'content_block_delta', index, delta: { type: 'input_json_delta', partial_json: partial } });
+
+const blockStop = (index: number) => streamEvent({ type: 'content_block_stop', index });
+
+const resultLine = (input: number, output: number, sessionId?: string) =>
+  JSON.stringify({ type: 'result', subtype: 'success', session_id: sessionId, usage: { input_tokens: input, output_tokens: output } });
+
+describe('parseStreamJsonLine (pure per-line mapping)', () => {
+  it('captures session_id from the system init line and emits no events', () => {
+    const state = makeStreamJsonState();
+    const events = parseStreamJsonLine(sys('sess-abc'), state);
+    expect(events).toEqual([]);
+    expect(state.sessionId).toBe('sess-abc');
+  });
+
+  it('maps a text_delta stream_event → a text event', () => {
+    const state = makeStreamJsonState();
+    expect(parseStreamJsonLine(textDelta(0, 'Hello'), state)).toEqual([{ type: 'text', text: 'Hello' }]);
+  });
+
+  it('maps a thinking_delta stream_event → a reasoning event', () => {
+    const state = makeStreamJsonState();
+    expect(parseStreamJsonLine(thinkingDelta(0, 'pondering'), state)).toEqual([
+      { type: 'reasoning', text: 'pondering' },
+    ]);
+  });
+
+  it('tolerates a garbage / non-JSON line (returns [], no throw)', () => {
+    const state = makeStreamJsonState();
+    expect(parseStreamJsonLine('not json at all {{{', state)).toEqual([]);
+    expect(parseStreamJsonLine('', state)).toEqual([]);
+    expect(parseStreamJsonLine('   ', state)).toEqual([]);
+    // A truncated/partial JSON object also yields [] rather than throwing.
+    expect(parseStreamJsonLine('{"type":"stream_event","eve', state)).toEqual([]);
+  });
+
+  it('ignores unknown top-level line types and the user (tool-result) line', () => {
+    const state = makeStreamJsonState();
+    expect(parseStreamJsonLine(JSON.stringify({ type: 'user', message: {} }), state)).toEqual([]);
+    expect(parseStreamJsonLine(JSON.stringify({ type: 'whatever' }), state)).toEqual([]);
+  });
+
+  it('assembles a tool call across input_json_delta chunks (split across lines)', () => {
+    const state = makeStreamJsonState();
+    // start → tool_call (running, empty args)
+    const start = parseStreamJsonLine(toolStart(1, 'toolu_1', 'edit_file'), state);
+    expect(start).toHaveLength(1);
+    expect(start[0]!.type).toBe('tool_call');
+    const startSnap = (start[0] as { type: 'tool_call'; toolCall: AcpToolSnapshot }).toolCall;
+    expect(startSnap.toolCallId).toBe('toolu_1');
+    expect(startSnap.title).toBe('edit_file');
+    expect(startSnap.status).toBe('in_progress');
+    expect(startSnap.rawInput).toEqual({});
+
+    // args streamed in fragments — no events until stop
+    expect(parseStreamJsonLine(inputJsonDelta(1, '{"path":"a'), state)).toEqual([]);
+    expect(parseStreamJsonLine(inputJsonDelta(1, '.ts","content":'), state)).toEqual([]);
+    expect(parseStreamJsonLine(inputJsonDelta(1, '"hi"}'), state)).toEqual([]);
+
+    // stop → tool_update with the parsed, fully-assembled input
+    const stop = parseStreamJsonLine(blockStop(1), state);
+    expect(stop).toHaveLength(1);
+    expect(stop[0]!.type).toBe('tool_update');
+    const stopSnap = (stop[0] as { type: 'tool_update'; toolCall: AcpToolSnapshot }).toolCall;
+    expect(stopSnap.toolCallId).toBe('toolu_1');
+    expect(stopSnap.status).toBe('completed');
+    expect(stopSnap.rawInput).toEqual({ path: 'a.ts', content: 'hi' });
+  });
+
+  it('falls back to {_raw} when accumulated tool args are not valid JSON', () => {
+    const state = makeStreamJsonState();
+    parseStreamJsonLine(toolStart(0, 'toolu_x', 'run'), state);
+    parseStreamJsonLine(inputJsonDelta(0, '{"broken'), state);
+    const stop = parseStreamJsonLine(blockStop(0), state);
+    const snap = (stop[0] as { type: 'tool_update'; toolCall: AcpToolSnapshot }).toolCall;
+    expect(snap.rawInput).toEqual({ _raw: '{"broken' });
+  });
+
+  it('captures usage from message_delta and result lines', () => {
+    const state = makeStreamJsonState();
+    parseStreamJsonLine(streamEvent({ type: 'message_delta', usage: { output_tokens: 42 } }), state);
+    expect(state.usage.outputTokens).toBe(42);
+    parseStreamJsonLine(resultLine(100, 250, 'sess-z'), state);
+    expect(state.usage.inputTokens).toBe(100);
+    expect(state.usage.outputTokens).toBe(250);
+    expect(state.sessionId).toBe('sess-z');
+  });
+
+  it('maps a terminal assistant message (fallback) → text + reasoning + tool events', () => {
+    const state = makeStreamJsonState();
+    const line = JSON.stringify({
+      type: 'assistant',
+      session_id: 'sess-asst',
+      message: {
+        content: [
+          { type: 'thinking', thinking: 'let me think' },
+          { type: 'text', text: 'Here is the answer' },
+          { type: 'tool_use', id: 'toolu_9', name: 'view_file', input: { path: 'x.ts' } },
+        ],
+        usage: { input_tokens: 5, output_tokens: 7 },
+      },
+    });
+    const events = parseStreamJsonLine(line, state);
+    expect(events).toEqual([
+      { type: 'reasoning', text: 'let me think' },
+      { type: 'text', text: 'Here is the answer' },
+      {
+        type: 'tool_update',
+        toolCall: { toolCallId: 'toolu_9', title: 'view_file', kind: null, status: 'completed', rawInput: { path: 'x.ts' } },
+      },
+    ]);
+    expect(state.usage).toEqual({ inputTokens: 5, outputTokens: 7 });
+    expect(state.sessionId).toBe('sess-asst');
+  });
+});
+
+describe('makeStreamJsonParser (stateful wrapper over a full turn)', () => {
+  it('streams a representative turn: init → text → thinking → tool → result', () => {
+    const parser = makeStreamJsonParser();
+    const all: AgentEvent[] = [];
+    const feed = (line: string): AgentEventList => {
+      const evs = parser.push(line);
+      all.push(...evs);
+      return evs;
+    };
+
+    feed(sys('sess-1'));
+    feed(textDelta(0, 'Reading '));
+    feed(textDelta(0, 'the file. '));
+    feed(thinkingDelta(0, 'I should edit it'));
+    feed(toolStart(1, 'toolu_a', 'edit_file'));
+    feed(inputJsonDelta(1, '{"path":'));
+    feed(inputJsonDelta(1, '"main.ts"}'));
+    feed(blockStop(1));
+    feed(textDelta(0, 'Done.'));
+    feed(resultLine(120, 80, 'sess-1'));
+
+    expect(all).toEqual([
+      { type: 'text', text: 'Reading ' },
+      { type: 'text', text: 'the file. ' },
+      { type: 'reasoning', text: 'I should edit it' },
+      {
+        type: 'tool_call',
+        toolCall: { toolCallId: 'toolu_a', title: 'edit_file', kind: null, status: 'in_progress', rawInput: {} },
+      },
+      {
+        type: 'tool_update',
+        toolCall: { toolCallId: 'toolu_a', title: 'edit_file', kind: null, status: 'completed', rawInput: { path: 'main.ts' } },
+      },
+      { type: 'text', text: 'Done.' },
+    ]);
+
+    expect(parser.usage()).toEqual({ inputTokens: 120, outputTokens: 80 });
+    expect(parser.sessionId()).toBe('sess-1');
+  });
+
+  it('a garbage line interleaved mid-turn does not derail subsequent parsing', () => {
+    const parser = makeStreamJsonParser();
+    expect(parser.push(textDelta(0, 'a'))).toEqual([{ type: 'text', text: 'a' }]);
+    expect(parser.push('>>> not json <<<')).toEqual([]);
+    expect(parser.push(textDelta(0, 'b'))).toEqual([{ type: 'text', text: 'b' }]);
+  });
+});
--- a/apps/coder/src/services/acp-client.ts
+++ b/apps/coder/src/services/acp-client.ts
@@ -0,0 +1,88 @@
+/**
+ * Shared ACP `Client` builder — the callback closures every ACP connection needs
+ * (worktree-scoped FS bridge + permission/elicitation routing + session updates).
+ *
+ * Extracted (v2.7 audit reshape) from the byte-identical `buildClient` closures in
+ * `acp-dispatch.ts` (one-shot) and `backends/warm-acp.ts` (warm). The two differed
+ * only in WHERE the per-turn context comes from (a fixed dispatch vs. the warm
+ * backend's `activeTurn`) and a trivially-equivalent permission gate — both are now
+ * supplied via the `resolveTurn` callback, so the FS/permission/elicitation wiring
+ * lives once. Behavior is preserved exactly:
+ *   - `sessionUpdate` drops when `resolveTurn()` returns null (between turns).
+ *   - permission/elicitation route to the UI only when BOTH a taskId AND sessionId
+ *     are present (warm always has a sessionId, so this matches its prior
+ *     `turn?.taskId` gate); otherwise the same auto-select-first / decline fallback.
+ */
+import type {
+  Client,
+  SessionNotification,
+  RequestPermissionRequest,
+  RequestPermissionResponse,
+  ReadTextFileRequest,
+  ReadTextFileResponse,
+  WriteTextFileRequest,
+  WriteTextFileResponse,
+  CreateTerminalRequest,
+  CreateTerminalResponse,
+  CreateElicitationRequest,
+  CreateElicitationResponse,
+} from '@agentclientprotocol/sdk';
+import { readWorktreeTextFile, writeWorktreeTextFile } from './acp-client-fs.js';
+import { waitForPermissionResponse, waitForElicitationResponse } from './permission-waiter.js';
+
+/** The per-turn context an ACP `Client` closure needs, resolved lazily per call. */
+export interface AcpTurnContext {
+  /** Per-turn task id, for routing permission/elicitation prompts back to the UI. */
+  taskId: string | undefined;
+  /** BooCode session id (for permission-waiter's broker frames). */
+  sessionId: string | undefined;
+  /** Per-turn mode id (autonomous-mode gate in permission-waiter). */
+  modeId: string | undefined;
+  /** The agent name (for permission-waiter routing). */
+  agent: string;
+  /** Forward a session/update notification to the turn's event sink. */
+  onSessionUpdate: (params: SessionNotification) => void | Promise<void>;
+}
+
+/**
+ * Build the ACP `Client` callbacks once per connection. `resolveTurn` is called at
+ * the moment each callback fires and returns the live turn context (or null when no
+ * turn is active — `sessionUpdate` then drops, matching the warm backend's
+ * between-turns behavior). The FS bridge is scoped to `worktreePath`.
+ */
+export function buildAcpClient(worktreePath: string, resolveTurn: () => AcpTurnContext | null): Client {
+  return {
+    sessionUpdate: async (params: SessionNotification): Promise<void> => {
+      const turn = resolveTurn();
+      if (!turn) return; // between turns — drop (no orphan settles a future turn)
+      await turn.onSessionUpdate(params);
+    },
+    requestPermission: async (params: RequestPermissionRequest): Promise<RequestPermissionResponse> => {
+      const turn = resolveTurn();
+      if (turn && turn.taskId && turn.sessionId) {
+        return waitForPermissionResponse(turn.taskId, turn.sessionId, turn.agent, turn.modeId, params);
+      }
+      const firstOption = params.options[0];
+      if (firstOption) return { outcome: { outcome: 'selected', optionId: firstOption.optionId } };
+      return { outcome: { outcome: 'cancelled' } };
+    },
+    readTextFile: async (params: ReadTextFileRequest): Promise<ReadTextFileResponse> => {
+      const content = await readWorktreeTextFile(worktreePath, params.path, params.line, params.limit);
+      return { content };
+    },
+    writeTextFile: async (params: WriteTextFileRequest): Promise<WriteTextFileResponse> => {
+      await writeWorktreeTextFile(worktreePath, params.path, params.content);
+      return {};
+    },
+    createTerminal: async (_params: CreateTerminalRequest): Promise<CreateTerminalResponse> => {
+      return { terminalId: 'noop' };
+    },
+    unstable_createElicitation: async (params: CreateElicitationRequest): Promise<CreateElicitationResponse> => {
+      const turn = resolveTurn();
+      if (turn && turn.taskId && turn.sessionId) {
+        return waitForElicitationResponse(turn.taskId, turn.sessionId, turn.agent, turn.modeId, params);
+      }
+      return { action: 'decline' };
+    },
+  };
+}
--- a/apps/coder/src/services/acp-dispatch.ts
+++ b/apps/coder/src/services/acp-dispatch.ts
@@ -9,35 +9,20 @@ import {
  ClientSideConnection,
  type Client,
  type SessionNotification,
-  type RequestPermissionRequest,
-  type RequestPermissionResponse,
-  type ReadTextFileRequest,
-  type ReadTextFileResponse,
-  type WriteTextFileRequest,
-  type WriteTextFileResponse,
-  type CreateTerminalRequest,
-  type CreateTerminalResponse,
-  type CreateElicitationRequest,
-  type CreateElicitationResponse,
  type SessionConfigOption,
  type ClientSideConnection as ConnectionType,
 } from '@agentclientprotocol/sdk';
 import type { Broker } from '@boocode/server/broker';
-import type { WsFrame } from '@boocode/server/ws-frames';
 import { spawn } from 'node:child_process';
 import { findThoughtLevelConfigId } from './acp-derive.js';
 import { resolveLaunchSpec } from './acp-spawn.js';
 import { getResolvedRegistry, type ResolvedProviderDef } from './provider-config-registry.js';
 import { createAcpNdJsonStream } from './acp-stream.js';
-import { waitForPermissionResponse, waitForElicitationResponse, cancelPendingPermission } from './permission-waiter.js';
-import { mergeTaskCommands, getTaskCommands } from './agent-commands-cache.js';
-import { readWorktreeTextFile, writeWorktreeTextFile } from './acp-client-fs.js';
+import { cancelPendingPermission } from './permission-waiter.js';
 import { mapSessionUpdate } from './acp-event-map.js';
-import {
-  type AcpToolSnapshot,
-  snapshotToWireToolCall,
-  synthesizeCanceledSnapshots,
-} from './acp-tool-snapshot.js';
+import { type AcpToolSnapshot, synthesizeCanceledSnapshots } from './acp-tool-snapshot.js';
+import { makeFrameEmitter, type FrameEmitter } from './frame-emitter.js';
+import { buildAcpClient } from './acp-client.js';

 export interface AcpDispatchResult {
  exitCode: number;
@@ -111,144 +96,61 @@ async function applySessionOverrides(
 }

 class AcpStreamContext {
-  readonly textChunks: string[] = [];
-  readonly reasoningChunks: string[] = [];
-  readonly toolSnapshots = new Map<string, AcpToolSnapshot>();
-  private aborted = false;
+  /** AgentEvent → WS-frame mapping + text/reasoning/tool accumulation (shared
+   *  `makeFrameEmitter`). The one-shot path passes no `dcp` stripper, so text is
+   *  emitted verbatim — byte-identical to the prior inline switch. */
+  private readonly emitter: FrameEmitter;

  constructor(
-    private readonly opts: Pick<
-      AcpDispatchOpts,
-      'broker' | 'sessionId' | 'chatId' | 'messageId' | 'taskId'
-    >,
+    opts: Pick<AcpDispatchOpts, 'broker' | 'sessionId' | 'chatId' | 'messageId' | 'taskId'>,
    private readonly worktreePath: string,
-  ) {}
+  ) {
+    this.emitter = makeFrameEmitter({
+      broker: opts.broker,
+      sessionId: opts.sessionId,
+      chatId: opts.chatId,
+      assistantId: opts.messageId,
+      taskId: opts.taskId,
+    });
+  }

  get reasoningText(): string {
-    return this.reasoningChunks.join('');
+    return this.emitter.reasoningText;
  }

  get output(): string {
-    return this.textChunks.join('');
+    return this.emitter.output;
  }

  get snapshots(): AcpToolSnapshot[] {
-    return [...this.toolSnapshots.values()];
+    return this.emitter.snapshots;
  }

  markAborted(): void {
-    this.aborted = true;
-    for (const snap of synthesizeCanceledSnapshots(this.toolSnapshots.values())) {
-      this.toolSnapshots.set(snap.toolCallId, snap);
-      this.publishToolSnapshot(snap);
+    // Synthesize 'canceled' updates for still-running tool calls so the UI doesn't
+    // leave them spinning, then emit them through the same frame path (tool_update
+    // → the same `tool_call` wire frame the original published).
+    for (const snap of synthesizeCanceledSnapshots(this.emitter.toolSnapshots.values())) {
+      this.emitter.onEvent({ type: 'tool_update', toolCall: snap });
    }
  }

-  private canStream(): boolean {
-    return !!(this.opts.broker && this.opts.sessionId && this.opts.chatId && this.opts.messageId);
-  }
-
-  private publishToolSnapshot(snapshot: AcpToolSnapshot): void {
-    if (!this.canStream()) return;
-    const wire = snapshotToWireToolCall(snapshot);
-    this.opts.broker!.publishFrame(this.opts.sessionId!, {
-      type: 'tool_call',
-      message_id: this.opts.messageId!,
-      chat_id: this.opts.chatId!,
-      tool_call: wire,
-    } as WsFrame);
-  }
-
-  async handleSessionUpdate(params: SessionNotification): Promise<void> {
-    // v2.6 Phase 2: the case-by-case mapping now lives in the shared, pure
-    // `mapSessionUpdate` (reused by the warm ACP backend). This method keeps the
-    // identical broker-publishing side effects — it just translates the normalized
-    // AgentEvents back into the same frames it always emitted. `this.toolSnapshots`
-    // is the merge accumulator, so a later tool_call_update merges over its
-    // tool_call (the prior `handleToolUpdate` behavior, byte-for-byte).
-    for (const event of mapSessionUpdate(params, this.toolSnapshots)) {
-      switch (event.type) {
-        case 'text':
-          this.textChunks.push(event.text);
-          if (this.canStream()) {
-            this.opts.broker!.publishFrame(this.opts.sessionId!, {
-              type: 'delta',
-              message_id: this.opts.messageId!,
-              chat_id: this.opts.chatId!,
-              content: event.text,
-            } as WsFrame);
-          }
-          break;
-        case 'reasoning':
-          this.reasoningChunks.push(event.text);
-          if (this.canStream()) {
-            this.opts.broker!.publishFrame(this.opts.sessionId!, {
-              type: 'reasoning_delta',
-              message_id: this.opts.messageId!,
-              chat_id: this.opts.chatId!,
-              content: event.text,
-            } as WsFrame);
-          }
-          break;
-        case 'tool_call':
-        case 'tool_update':
-          // mapSessionUpdate already stored the merged snapshot in this.toolSnapshots.
-          this.publishToolSnapshot(event.toolCall);
-          break;
-        case 'commands':
-          if (this.opts.taskId && event.commands.length > 0) {
-            mergeTaskCommands(this.opts.taskId, event.commands);
-            if (this.canStream() && this.opts.sessionId) {
-              const all = getTaskCommands(this.opts.taskId) ?? event.commands;
-              this.opts.broker!.publishFrame(this.opts.sessionId, {
-                type: 'agent_commands',
-                task_id: this.opts.taskId,
-                session_id: this.opts.sessionId,
-                commands: all,
-              } as WsFrame);
-            }
-          }
-          break;
-      }
+  handleSessionUpdate(params: SessionNotification): void {
+    // The merge accumulator (`this.emitter.toolSnapshots`) is the same Map the
+    // emitter publishes from, so a later tool_call_update merges over its tool_call.
+    for (const event of mapSessionUpdate(params, this.emitter.toolSnapshots)) {
+      this.emitter.onEvent(event);
    }
  }

  buildClient(agent: string, modeId: string | undefined, taskId: string | undefined, sessionId: string | undefined): Client {
-    return {
-      sessionUpdate: (params) => this.handleSessionUpdate(params),
-      requestPermission: async (params: RequestPermissionRequest): Promise<RequestPermissionResponse> => {
-        if (taskId && sessionId) {
-          return waitForPermissionResponse(taskId, sessionId, agent, modeId, params);
-        }
-        const firstOption = params.options[0];
-        if (firstOption) {
-          return { outcome: { outcome: 'selected', optionId: firstOption.optionId } };
-        }
-        return { outcome: { outcome: 'cancelled' } };
-      },
-      readTextFile: async (params: ReadTextFileRequest): Promise<ReadTextFileResponse> => {
-        const content = await readWorktreeTextFile(
-          this.worktreePath,
-          params.path,
-          params.line,
-          params.limit,
-        );
-        return { content };
-      },
-      writeTextFile: async (params: WriteTextFileRequest): Promise<WriteTextFileResponse> => {
-        await writeWorktreeTextFile(this.worktreePath, params.path, params.content);
-        return {};
-      },
-      createTerminal: async (_params: CreateTerminalRequest): Promise<CreateTerminalResponse> => {
-        return { terminalId: 'noop' };
-      },
-      unstable_createElicitation: async (params: CreateElicitationRequest): Promise<CreateElicitationResponse> => {
-        if (taskId && sessionId) {
-          return waitForElicitationResponse(taskId, sessionId, agent, modeId, params);
-        }
-        return { action: 'decline' };
-      },
-    };
+    return buildAcpClient(this.worktreePath, () => ({
+      taskId,
+      sessionId,
+      modeId,
+      agent,
+      onSessionUpdate: (params) => this.handleSessionUpdate(params),
+    }));
  }
 }

--- a/apps/coder/src/services/acp-stream.ts
+++ b/apps/coder/src/services/acp-stream.ts
@@ -2,7 +2,7 @@ import { Readable, Writable } from 'node:stream';
 import type { ChildProcess } from 'node:child_process';
 import { ndJsonStream } from '@agentclientprotocol/sdk';

-export function nodeReadableToWeb(nodeStream: NodeJS.ReadableStream): ReadableStream<Uint8Array> {
+function nodeReadableToWeb(nodeStream: NodeJS.ReadableStream): ReadableStream<Uint8Array> {
  return new ReadableStream<Uint8Array>({
    start(controller) {
      nodeStream.on('data', (chunk: Buffer) => controller.enqueue(new Uint8Array(chunk)));
@@ -17,7 +17,7 @@ export function nodeReadableToWeb(nodeStream: NodeJS.ReadableStream): ReadableSt
  });
 }

-export function nodeWritableToWeb(nodeStream: NodeJS.WritableStream): WritableStream<Uint8Array> {
+function nodeWritableToWeb(nodeStream: NodeJS.WritableStream): WritableStream<Uint8Array> {
  return new WritableStream<Uint8Array>({
    write(chunk) {
      return new Promise<void>((resolve, reject) => {
--- a/apps/coder/src/services/agent-backend.ts
+++ b/apps/coder/src/services/agent-backend.ts
@@ -13,7 +13,7 @@ import type { AcpToolSnapshot } from './acp-tool-snapshot.js';
 import type { AgentCommand } from './provider-types.js';

 /** Backend transport kind. Mirrors `agent_sessions.backend` CHECK in schema.sql. */
-export type AgentBackendKind = 'opencode_server' | 'acp_warm';
+export type AgentBackendKind = 'opencode_server' | 'acp_warm' | 'claude_sdk';

 /**
 * Normalized, transport-agnostic events a backend emits during a turn (§2).
@@ -82,6 +82,12 @@ export interface PromptCtx {
 export interface TurnResult {
  ok: boolean;
  error?: string;
+  // Optional context-window telemetry (claude SDK): the model's reported window
+  // (ctxMax, 1M-aware) and the peak request input ≈ current fill (ctxUsed). The
+  // dispatcher writes these onto the assistant message so the ContextBar renders a
+  // real fill for the turn. Omitted by backends that don't report a window.
+  ctxUsed?: number;
+  ctxMax?: number;
 }

 /**
--- a/apps/coder/src/services/agent-status-publish.ts
+++ b/apps/coder/src/services/agent-status-publish.ts
@@ -0,0 +1,55 @@
+/**
+ * agent-status-publish (#10) — builds + publishes the `agent_status_updated`
+ * WS frame on the per-session channel (the same channel CoderPane subscribes to).
+ *
+ * Kept separate from normalize-agent-status.ts so that module stays a pure,
+ * broker-free helper (trivially unit-testable; reused by the config-injection
+ * follow-on). The frame contract is pinned in apps/server/src/types/ws-frames.ts
+ * (`AgentStatusUpdatedFrame`) and mirrored byte-identical in apps/web.
+ */
+import type { Broker } from '@boocode/server/broker';
+import type { WsFrame } from '@boocode/server/ws-frames';
+import type { AgentStatus } from './normalize-agent-status.js';
+
+// The exact slice of Broker we need — accepting just the bound method keeps call
+// sites flexible (pass `broker.publishFrame.bind(broker)` or, since the broker's
+// publishFrame doesn't read `this`, `broker.publishFrame` directly).
+type PublishFrame = Broker['publishFrame'];
+
+/**
+ * Best-effort publish of a normalized agent status. The broker's publishFrame
+ * already fail-closes (validates + logs + drops on bad input, never throws), but
+ * we additionally swallow any unexpected error so a publish can NEVER break the
+ * turn it's reporting on.
+ *
+ * @param publishFrame  the session channel publisher (broker.publishFrame)
+ * @param sessionId     WS subscription channel (CoderPane subscribes per-session)
+ * @param chatId        the (chat) half of the (chat, agent) status key
+ * @param agent         the (agent) half of the key
+ * @param status        normalized lifecycle status
+ * @param reason        free-form discriminator (turn_start / turn_complete / …)
+ * @param at            ISO timestamp; defaults to now
+ */
+export function publishAgentStatus(
+  publishFrame: PublishFrame,
+  sessionId: string,
+  chatId: string,
+  agent: string,
+  status: AgentStatus,
+  reason?: string,
+  at: string = new Date().toISOString(),
+): void {
+  try {
+    const frame: WsFrame = {
+      type: 'agent_status_updated',
+      chat_id: chatId,
+      agent,
+      status,
+      ...(reason ? { reason } : {}),
+      at,
+    };
+    publishFrame(sessionId, frame);
+  } catch {
+    // never let a status publish break the turn — best-effort only.
+  }
+}
--- a/apps/coder/src/services/backends/tests/claude-sdk-map.test.ts
+++ b/apps/coder/src/services/backends/tests/claude-sdk-map.test.ts
@@ -0,0 +1,251 @@
+import { describe, it, expect } from 'vitest';
+import type { SDKMessage } from '@anthropic-ai/claude-agent-sdk';
+import { mapSdkMessage, createClaudeSdkMapState } from '../claude-sdk-map.js';
+import type { AgentEvent } from '../../agent-backend.js';
+
+/**
+ * Pure mapper for Claude-SDK messages → AgentEvents (claude-sdk-sessionstore #9 Part 2).
+ * Verifies the partial-stream → live-delta mapping, tool assembly across blocks, and
+ * the final-assistant dedup, with no live `claude` binary involved.
+ *
+ * Messages are cast through `unknown` to `SDKMessage`: the real SDK shapes carry many
+ * fields (uuid, parent_tool_use_id, …) irrelevant to the mapper, which reads only the
+ * `type`/`event`/`message.content` it discriminates on. The cast keeps the fixtures
+ * minimal while the production code path sees the full real types (the backend's
+ * typecheck against the real SDK is the type-safety proof).
+ */
+function msg(m: unknown): SDKMessage {
+  return m as SDKMessage;
+}
+
+/** A partial-stream message wrapping one BetaRawMessageStreamEvent. */
+function streamEvent(event: unknown): SDKMessage {
+  return msg({ type: 'stream_event', event, parent_tool_use_id: null, uuid: 'u', session_id: 's' });
+}
+
+describe('mapSdkMessage — partial stream deltas', () => {
+  it('maps a text_delta to a text event', () => {
+    const state = createClaudeSdkMapState();
+    const out = mapSdkMessage(
+      streamEvent({ type: 'content_block_delta', index: 0, delta: { type: 'text_delta', text: 'Hello' } }),
+      state,
+    );
+    expect(out).toEqual<AgentEvent[]>([{ type: 'text', text: 'Hello' }]);
+  });
+
+  it('maps a thinking_delta to a reasoning event', () => {
+    const state = createClaudeSdkMapState();
+    const out = mapSdkMessage(
+      streamEvent({
+        type: 'content_block_delta',
+        index: 0,
+        delta: { type: 'thinking_delta', thinking: 'pondering', estimated_tokens: null },
+      }),
+      state,
+    );
+    expect(out).toEqual<AgentEvent[]>([{ type: 'reasoning', text: 'pondering' }]);
+  });
+
+  it('drops empty text/thinking deltas', () => {
+    const state = createClaudeSdkMapState();
+    expect(
+      mapSdkMessage(streamEvent({ type: 'content_block_delta', index: 0, delta: { type: 'text_delta', text: '' } }), state),
+    ).toEqual([]);
+    expect(
+      mapSdkMessage(
+        streamEvent({ type: 'content_block_delta', index: 0, delta: { type: 'thinking_delta', thinking: '', estimated_tokens: null } }),
+        state,
+      ),
+    ).toEqual([]);
+  });
+
+  it('ignores message framing + signature/citation deltas', () => {
+    const state = createClaudeSdkMapState();
+    expect(mapSdkMessage(streamEvent({ type: 'message_start', message: {} }), state)).toEqual([]);
+    expect(mapSdkMessage(streamEvent({ type: 'message_stop' }), state)).toEqual([]);
+    expect(
+      mapSdkMessage(streamEvent({ type: 'content_block_delta', index: 0, delta: { type: 'signature_delta', signature: 'x' } }), state),
+    ).toEqual([]);
+  });
+});
+
+describe('mapSdkMessage — tool assembly across blocks', () => {
+  it('opens a tool_call on content_block_start, buffers input_json_delta, emits tool_update with parsed input on stop', () => {
+    const state = createClaudeSdkMapState();
+
+    const started = mapSdkMessage(
+      streamEvent({
+        type: 'content_block_start',
+        index: 1,
+        content_block: { type: 'tool_use', id: 'tool-1', name: 'view_file', input: {} },
+      }),
+      state,
+    );
+    expect(started).toEqual<AgentEvent[]>([
+      { type: 'tool_call', toolCall: { toolCallId: 'tool-1', title: 'view_file', kind: null, status: 'in_progress', rawInput: {}, rawOutput: undefined } },
+    ]);
+
+    // args stream in fragments under the same block index
+    expect(
+      mapSdkMessage(streamEvent({ type: 'content_block_delta', index: 1, delta: { type: 'input_json_delta', partial_json: '{"path":' } }), state),
+    ).toEqual([]);
+    expect(
+      mapSdkMessage(streamEvent({ type: 'content_block_delta', index: 1, delta: { type: 'input_json_delta', partial_json: '"a.ts"}' } }), state),
+    ).toEqual([]);
+
+    const stopped = mapSdkMessage(streamEvent({ type: 'content_block_stop', index: 1 }), state);
+    expect(stopped).toHaveLength(1);
+    const ev = stopped[0]!;
+    expect(ev.type).toBe('tool_update');
+    if (ev.type === 'tool_update') {
+      expect(ev.toolCall.toolCallId).toBe('tool-1');
+      expect(ev.toolCall.title).toBe('view_file');
+      expect(ev.toolCall.rawInput).toEqual({ path: 'a.ts' });
+    }
+  });
+
+  it('content_block_stop for a non-tool block (no tracked index) emits nothing', () => {
+    const state = createClaudeSdkMapState();
+    // text block was streamed at index 0 but never tracked as a tool
+    mapSdkMessage(streamEvent({ type: 'content_block_delta', index: 0, delta: { type: 'text_delta', text: 'hi' } }), state);
+    expect(mapSdkMessage(streamEvent({ type: 'content_block_stop', index: 0 }), state)).toEqual([]);
+  });
+
+  it('falls back to the prior input when the buffered tool JSON is invalid', () => {
+    const state = createClaudeSdkMapState();
+    mapSdkMessage(
+      streamEvent({ type: 'content_block_start', index: 2, content_block: { type: 'tool_use', id: 't2', name: 'grep', input: { q: 'seed' } } }),
+      state,
+    );
+    mapSdkMessage(streamEvent({ type: 'content_block_delta', index: 2, delta: { type: 'input_json_delta', partial_json: '{not json' } }), state);
+    const stopped = mapSdkMessage(streamEvent({ type: 'content_block_stop', index: 2 }), state);
+    const ev = stopped[0]!;
+    if (ev.type === 'tool_update') {
+      expect(ev.toolCall.rawInput).toEqual({ q: 'seed' });
+    } else {
+      throw new Error('expected tool_update');
+    }
+  });
+});
+
+describe('mapSdkMessage — final assistant message', () => {
+  function assistant(content: unknown[]): SDKMessage {
+    return msg({ type: 'assistant', message: { content }, parent_tool_use_id: null, uuid: 'u', session_id: 's' });
+  }
+
+  it('dedups text/thinking (already streamed) and emits a completed tool_update per tool_use block', () => {
+    const state = createClaudeSdkMapState();
+    const out = mapSdkMessage(
+      assistant([
+        { type: 'text', text: 'final answer', citations: null },
+        { type: 'thinking', thinking: 'reasoned', signature: 'sig' },
+        { type: 'tool_use', id: 'tool-9', name: 'find_files', input: { glob: '**/*.ts' } },
+      ]),
+      state,
+    );
+    expect(out).toEqual<AgentEvent[]>([
+      {
+        type: 'tool_update',
+        toolCall: { toolCallId: 'tool-9', title: 'find_files', kind: null, status: 'completed', rawInput: { glob: '**/*.ts' }, rawOutput: undefined },
+      },
+    ]);
+  });
+
+  it('preserves a title from a prior partial tool_call snapshot', () => {
+    const state = createClaudeSdkMapState();
+    mapSdkMessage(
+      streamEvent({ type: 'content_block_start', index: 0, content_block: { type: 'tool_use', id: 'tool-x', name: 'view_file', input: {} } }),
+      state,
+    );
+    const out = mapSdkMessage(assistant([{ type: 'tool_use', id: 'tool-x', name: 'view_file', input: { path: 'z' } }]), state);
+    const ev = out[0]!;
+    if (ev.type === 'tool_update') {
+      expect(ev.toolCall.status).toBe('completed');
+      expect(ev.toolCall.title).toBe('view_file');
+      expect(ev.toolCall.rawInput).toEqual({ path: 'z' });
+    } else {
+      throw new Error('expected tool_update');
+    }
+  });
+});
+
+describe('mapSdkMessage — non-content messages', () => {
+  it('returns [] for system/init, status, result, and other variants', () => {
+    const state = createClaudeSdkMapState();
+    expect(mapSdkMessage(msg({ type: 'system', subtype: 'init', session_id: 's', uuid: 'u' }), state)).toEqual([]);
+    expect(mapSdkMessage(msg({ type: 'system', subtype: 'status', status: null, session_id: 's', uuid: 'u' }), state)).toEqual([]);
+    expect(
+      mapSdkMessage(msg({ type: 'result', subtype: 'success', result: 'done', session_id: 's', uuid: 'u' }), state),
+    ).toEqual([]);
+  });
+});
+
+describe('mapSdkMessage — user tool results', () => {
+  /** A `user` message carrying tool_result blocks (the SDK feeds tool output back here). */
+  function userMsg(content: unknown): SDKMessage {
+    return msg({ type: 'user', message: { role: 'user', content }, parent_tool_use_id: null, uuid: 'u', session_id: 's' });
+  }
+
+  it('maps a string tool_result to a completed tool_update carrying the output', () => {
+    const state = createClaudeSdkMapState();
+    const out = mapSdkMessage(userMsg([{ type: 'tool_result', tool_use_id: 't1', content: 'done' }]), state);
+    expect(out).toEqual<AgentEvent[]>([
+      {
+        type: 'tool_update',
+        toolCall: { toolCallId: 't1', title: 't1', kind: null, status: 'completed', rawInput: undefined, rawOutput: 'done' },
+      },
+    ]);
+  });
+
+  it('marks an is_error result failed', () => {
+    const state = createClaudeSdkMapState();
+    const out = mapSdkMessage(userMsg([{ type: 'tool_result', tool_use_id: 't1', content: 'boom', is_error: true }]), state);
+    const ev = out[0]!;
+    if (ev.type !== 'tool_update') throw new Error('expected tool_update');
+    expect(ev.toolCall.status).toBe('failed');
+    expect(ev.toolCall.rawOutput).toBe('boom');
+  });
+
+  it('flattens array text blocks (skipping non-text) and reuses a prior snapshot title', () => {
+    const state = createClaudeSdkMapState();
+    mapSdkMessage(
+      streamEvent({ type: 'content_block_start', index: 1, content_block: { type: 'tool_use', id: 't2', name: 'view_file', input: {} } }),
+      state,
+    );
+    const out = mapSdkMessage(
+      userMsg([
+        {
+          type: 'tool_result',
+          tool_use_id: 't2',
+          content: [
+            { type: 'text', text: 'line1' },
+            { type: 'image', source: {} },
+            { type: 'text', text: 'line2' },
+          ],
+        },
+      ]),
+      state,
+    );
+    const ev = out[0]!;
+    if (ev.type !== 'tool_update') throw new Error('expected tool_update');
+    expect(ev.toolCall.toolCallId).toBe('t2');
+    expect(ev.toolCall.title).toBe('view_file');
+    expect(ev.toolCall.status).toBe('completed');
+    expect(ev.toolCall.rawOutput).toBe('line1\nline2');
+  });
+
+  it('surfaces a result for an unknown tool_use_id with the id as the title', () => {
+    const state = createClaudeSdkMapState();
+    const out = mapSdkMessage(userMsg([{ type: 'tool_result', tool_use_id: 'orphan-id', content: 'x' }]), state);
+    expect(out[0]).toMatchObject({
+      type: 'tool_update',
+      toolCall: { toolCallId: 'orphan-id', title: 'orphan-id', kind: null, status: 'completed' },
+    });
+  });
+
+  it('ignores non-tool_result blocks and non-array content', () => {
+    const state = createClaudeSdkMapState();
+    expect(mapSdkMessage(userMsg([{ type: 'text', text: 'hi' }]), state)).toEqual([]);
+    expect(mapSdkMessage(userMsg('plain string'), state)).toEqual([]);
+  });
+});
--- a/apps/coder/src/services/backends/tests/claude-sdk-routing.test.ts
+++ b/apps/coder/src/services/backends/tests/claude-sdk-routing.test.ts
@@ -0,0 +1,49 @@
+import { describe, it, expect } from 'vitest';
+import { shouldUseClaudeSdk, claudeSdkBackendEnabled } from '../claude-sdk-routing.js';
+
+/**
+ * Env-flagged routing for the warm Claude-SDK backend. With CLAUDE_SDK_BACKEND off
+ * (the production default) every claude task falls through to the unchanged PTY path;
+ * with it on, only chat-tab claude tasks (session_id + chat_id) route to the SDK.
+ */
+const ON = { CLAUDE_SDK_BACKEND: '1' } as NodeJS.ProcessEnv;
+const OFF = {} as NodeJS.ProcessEnv;
+
+describe('claudeSdkBackendEnabled', () => {
+  it('is false when unset or falsy', () => {
+    expect(claudeSdkBackendEnabled({} as NodeJS.ProcessEnv)).toBe(false);
+    expect(claudeSdkBackendEnabled({ CLAUDE_SDK_BACKEND: '' } as NodeJS.ProcessEnv)).toBe(false);
+    expect(claudeSdkBackendEnabled({ CLAUDE_SDK_BACKEND: '0' } as NodeJS.ProcessEnv)).toBe(false);
+    expect(claudeSdkBackendEnabled({ CLAUDE_SDK_BACKEND: 'false' } as NodeJS.ProcessEnv)).toBe(false);
+    expect(claudeSdkBackendEnabled({ CLAUDE_SDK_BACKEND: 'off' } as NodeJS.ProcessEnv)).toBe(false);
+    expect(claudeSdkBackendEnabled({ CLAUDE_SDK_BACKEND: 'no' } as NodeJS.ProcessEnv)).toBe(false);
+  });
+
+  it('is true for any other truthy value', () => {
+    expect(claudeSdkBackendEnabled({ CLAUDE_SDK_BACKEND: '1' } as NodeJS.ProcessEnv)).toBe(true);
+    expect(claudeSdkBackendEnabled({ CLAUDE_SDK_BACKEND: 'true' } as NodeJS.ProcessEnv)).toBe(true);
+    expect(claudeSdkBackendEnabled({ CLAUDE_SDK_BACKEND: 'on' } as NodeJS.ProcessEnv)).toBe(true);
+  });
+});
+
+describe('shouldUseClaudeSdk', () => {
+  it('is always false while the env flag is off — production claude stays on PTY', () => {
+    expect(shouldUseClaudeSdk({ agent: 'claude', session_id: 's1', chat_id: 'c1' }, OFF)).toBe(false);
+  });
+
+  it('routes a chat-tab claude task to the SDK when the flag is on', () => {
+    expect(shouldUseClaudeSdk({ agent: 'claude', session_id: 's1', chat_id: 'c1' }, ON)).toBe(true);
+  });
+
+  it('only applies to the claude agent', () => {
+    expect(shouldUseClaudeSdk({ agent: 'qwen', session_id: 's1', chat_id: 'c1' }, ON)).toBe(false);
+    expect(shouldUseClaudeSdk({ agent: 'opencode', session_id: 's1', chat_id: 'c1' }, ON)).toBe(false);
+    expect(shouldUseClaudeSdk({ agent: null, session_id: 's1', chat_id: 'c1' }, ON)).toBe(false);
+  });
+
+  it('requires both session_id and chat_id (session-less creators stay one-shot)', () => {
+    expect(shouldUseClaudeSdk({ agent: 'claude', session_id: null, chat_id: null }, ON)).toBe(false);
+    expect(shouldUseClaudeSdk({ agent: 'claude', session_id: 's1', chat_id: null }, ON)).toBe(false);
+    expect(shouldUseClaudeSdk({ agent: 'claude', session_id: null, chat_id: 'c1' }, ON)).toBe(false);
+  });
+});
--- a/apps/coder/src/services/backends/tests/claude-session-store.test.ts
+++ b/apps/coder/src/services/backends/tests/claude-session-store.test.ts
@@ -0,0 +1,135 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { readFileSync } from 'node:fs';
+import { resolve } from 'node:path';
+import postgres from 'postgres';
+import { PostgresSessionStore } from '../claude-session-store.js';
+import type { SessionStoreEntry } from '@anthropic-ai/claude-agent-sdk';
+
+/**
+ * claude-sdk-sessionstore #9 (Part 1) — PostgresSessionStore tests.
+ *
+ * DB-opt-in (DATABASE_URL), mirrors checkpoints.test.ts: skips cleanly when the
+ * var is unset; otherwise applies the server + coder schemas and exercises the
+ * real append/load/listSessions/delete/listSubkeys round trips against postgres.
+ * Rows are namespaced under a unique project_key so concurrent suites / leftover
+ * data can't collide, and afterAll deletes everything written.
+ */
+describe.runIf(!!process.env.DATABASE_URL)('PostgresSessionStore (DB)', () => {
+  let sql: ReturnType<typeof postgres>;
+  let store: PostgresSessionStore;
+  const projectKey = `claude-store-test-${Date.now()}`;
+
+  const entry = (type: string, extra: Record<string, unknown> = {}): SessionStoreEntry => ({
+    type,
+    ...extra,
+  });
+
+  beforeAll(async () => {
+    sql = postgres(process.env.DATABASE_URL!, { max: 3 });
+    const serverSchema = resolve(__dirname, '../../../../../server/src/schema.sql');
+    const coderSchema = resolve(__dirname, '../../../schema.sql');
+    await sql.unsafe(readFileSync(serverSchema, 'utf8'));
+    await sql.unsafe(readFileSync(coderSchema, 'utf8'));
+    store = new PostgresSessionStore(sql);
+  });
+
+  afterAll(async () => {
+    if (sql) {
+      await sql`DELETE FROM claude_session_entries WHERE project_key = ${projectKey}`.catch(() => {});
+      await sql.end({ timeout: 5 });
+    }
+  });
+
+  it('append → load round-trips and preserves order across two appends', async () => {
+    const key = { projectKey, sessionId: 'sess-order' };
+    await store.append(key, [entry('user', { uuid: 'u1' }), entry('assistant', { uuid: 'a1' })]);
+    await store.append(key, [entry('result', { uuid: 'r1' })]);
+
+    const loaded = await store.load(key);
+    expect(loaded).not.toBeNull();
+    expect(loaded!.map((e) => e.uuid)).toEqual(['u1', 'a1', 'r1']);
+    expect(loaded!.map((e) => e.type)).toEqual(['user', 'assistant', 'result']);
+  });
+
+  it('append with an empty batch is a no-op (load still null for an otherwise-unseen key)', async () => {
+    const key = { projectKey, sessionId: 'sess-empty' };
+    await store.append(key, []);
+    expect(await store.load(key)).toBeNull();
+  });
+
+  it('load of a key that was never written returns null', async () => {
+    expect(await store.load({ projectKey, sessionId: 'never-seen' })).toBeNull();
+  });
+
+  it('isolates the main transcript from a subpath (load each independently)', async () => {
+    const sessionId = 'sess-subpath';
+    const mainKey = { projectKey, sessionId };
+    const subKey = { projectKey, sessionId, subpath: 'subagents/x' };
+
+    await store.append(mainKey, [entry('user', { uuid: 'main-1' })]);
+    await store.append(subKey, [entry('assistant', { uuid: 'sub-1' })]);
+
+    const main = await store.load(mainKey);
+    const sub = await store.load(subKey);
+    expect(main!.map((e) => e.uuid)).toEqual(['main-1']);
+    expect(sub!.map((e) => e.uuid)).toEqual(['sub-1']);
+  });
+
+  it('listSessions returns the session with a numeric mtime (main transcripts only)', async () => {
+    const sessionId = 'sess-list';
+    await store.append({ projectKey, sessionId }, [entry('user', { uuid: 'l1' })]);
+    // A subagent-only session must NOT surface as a main-transcript session.
+    await store.append(
+      { projectKey, sessionId: 'sess-sub-only', subpath: 'subagents/y' },
+      [entry('user', { uuid: 's1' })],
+    );
+
+    const sessions = await store.listSessions(projectKey);
+    const ids = sessions.map((s) => s.sessionId);
+    expect(ids).toContain(sessionId);
+    expect(ids).not.toContain('sess-sub-only');
+
+    const row = sessions.find((s) => s.sessionId === sessionId)!;
+    expect(typeof row.mtime).toBe('number');
+    expect(Number.isFinite(row.mtime)).toBe(true);
+    expect(row.mtime).toBeGreaterThan(0);
+  });
+
+  it('delete with a subpath removes only that subpath', async () => {
+    const sessionId = 'sess-del-subpath';
+    const mainKey = { projectKey, sessionId };
+    const subKey = { projectKey, sessionId, subpath: 'subagents/z' };
+    await store.append(mainKey, [entry('user', { uuid: 'keep-1' })]);
+    await store.append(subKey, [entry('assistant', { uuid: 'drop-1' })]);
+
+    await store.delete(subKey);
+
+    expect(await store.load(subKey)).toBeNull();
+    expect((await store.load(mainKey))!.map((e) => e.uuid)).toEqual(['keep-1']);
+  });
+
+  it('delete without a subpath removes the whole session (all subpaths)', async () => {
+    const sessionId = 'sess-del-all';
+    const mainKey = { projectKey, sessionId };
+    const subKey = { projectKey, sessionId, subpath: 'subagents/w' };
+    await store.append(mainKey, [entry('user', { uuid: 'm' })]);
+    await store.append(subKey, [entry('assistant', { uuid: 's' })]);
+
+    await store.delete({ projectKey, sessionId });
+
+    expect(await store.load(mainKey)).toBeNull();
+    expect(await store.load(subKey)).toBeNull();
+    expect(await store.listSubkeys({ projectKey, sessionId })).toEqual([]);
+  });
+
+  it('listSubkeys returns the distinct non-main subpaths', async () => {
+    const sessionId = 'sess-subkeys';
+    await store.append({ projectKey, sessionId }, [entry('user', { uuid: 'main' })]);
+    await store.append({ projectKey, sessionId, subpath: 'subagents/a' }, [entry('user', { uuid: 'a1' })]);
+    await store.append({ projectKey, sessionId, subpath: 'subagents/a' }, [entry('user', { uuid: 'a2' })]);
+    await store.append({ projectKey, sessionId, subpath: 'subagents/b' }, [entry('user', { uuid: 'b1' })]);
+
+    const subkeys = await store.listSubkeys({ projectKey, sessionId });
+    expect(subkeys.sort()).toEqual(['subagents/a', 'subagents/b']);
+  });
+});
--- a/apps/coder/src/services/backends/tests/opencode-concurrency.test.ts
+++ b/apps/coder/src/services/backends/tests/opencode-concurrency.test.ts
@@ -0,0 +1,173 @@
+import { describe, it, expect, vi } from 'vitest';
+import type { Event, OpencodeClient } from '@opencode-ai/sdk/v2/client';
+import {
+  reconnectDecision,
+  runSessionEventLoop,
+  DEFAULT_RECONNECT_POLICY,
+  type SessionState,
+  type SseLoopDeps,
+} from '../opencode-sse.js';
+import { shouldStartServer } from '../opencode-server-process.js';
+
+/**
+ * v2.7 concurrency hardening (Phase 7): the pure decision cores for SSE reconnect
+ * backoff + the ensureServer double-spawn guard, plus a deterministic exercise of
+ * the loop's breaker (injected sleep, fake client). Happy path is asserted to be
+ * unchanged (clean stream end → reset → base-delay reconnect).
+ */
+
+function freshState(): SessionState {
+  return {
+    boocodeSessionId: 'boo1',
+    agentSessionId: 'oc1',
+    worktreePath: '/wt',
+    streamedPartKeys: new Set(),
+    partTypeById: new Map(),
+    activeTurn: { onEvent: () => {}, settle: () => {} },
+    watchdog: null,
+    sseAbort: null,
+    swallowNextTerminal: false,
+  };
+}
+
+const silentLog = {
+  warn: () => {},
+  info: () => {},
+  error: () => {},
+  debug: () => {},
+} as unknown as SseLoopDeps['log'];
+
+describe('reconnectDecision (pure backoff + breaker)', () => {
+  it('first failure uses the base delay (matches pre-hardening flat delay)', () => {
+    expect(reconnectDecision(1)).toEqual({ action: 'reconnect', delayMs: DEFAULT_RECONNECT_POLICY.baseMs });
+  });
+
+  it('grows exponentially and caps at maxMs', () => {
+    const policy = { baseMs: 1000, maxMs: 30_000, maxAttempts: 10 };
+    expect(reconnectDecision(2, policy)).toEqual({ action: 'reconnect', delayMs: 2000 });
+    expect(reconnectDecision(3, policy)).toEqual({ action: 'reconnect', delayMs: 4000 });
+    expect(reconnectDecision(6, policy)).toEqual({ action: 'reconnect', delayMs: 30_000 }); // 32000 capped
+    expect(reconnectDecision(9, policy)).toEqual({ action: 'reconnect', delayMs: 30_000 });
+  });
+
+  it('gives up once failures exceed maxAttempts', () => {
+    const policy = { baseMs: 1, maxMs: 8, maxAttempts: 3 };
+    expect(reconnectDecision(3, policy).action).toBe('reconnect');
+    expect(reconnectDecision(4, policy)).toEqual({ action: 'give-up' });
+  });
+});
+
+describe('shouldStartServer (double-spawn guard)', () => {
+  it('does not start when the server is live', () => {
+    expect(shouldStartServer({ up: true, hasClient: true, serverStarting: true, childDead: false, startInFlight: false })).toBe(false);
+  });
+
+  it('starts on a fresh process (no start in flight)', () => {
+    expect(shouldStartServer({ up: false, hasClient: false, serverStarting: false, childDead: false, startInFlight: false })).toBe(true);
+  });
+
+  it('re-spawns after a crash once the prior start finished', () => {
+    expect(shouldStartServer({ up: false, hasClient: false, serverStarting: true, childDead: true, startInFlight: false })).toBe(true);
+  });
+
+  it('does NOT double-spawn while a start is already in flight (the race fix)', () => {
+    expect(shouldStartServer({ up: false, hasClient: false, serverStarting: true, childDead: true, startInFlight: true })).toBe(false);
+  });
+
+  it('does NOT double-spawn when a crash nulled serverStarting mid-start', () => {
+    // The narrow window: a crash during the in-flight start (await freePort) nulls
+    // serverStarting while startInFlight is still true. The startInFlight guard must
+    // win over the !serverStarting branch, else a second server spawns on a new port.
+    expect(shouldStartServer({ up: false, hasClient: false, serverStarting: false, childDead: true, startInFlight: true })).toBe(false);
+  });
+
+  it('waits (no spawn) when a cached start exists and the child is still alive', () => {
+    expect(shouldStartServer({ up: false, hasClient: false, serverStarting: true, childDead: false, startInFlight: false })).toBe(false);
+  });
+});
+
+describe('runSessionEventLoop — happy path (unchanged)', () => {
+  it('dispatches streamed events, reconciles on clean end, reconnects at base delay', async () => {
+    const state = freshState();
+    const abort = new AbortController();
+    const events = [
+      { type: 'session.next.text.delta', properties: { sessionID: 'oc1', delta: 'hi' } },
+      { type: 'session.idle', properties: { sessionID: 'oc1' } },
+    ] as unknown as Event[];
+
+    const client = {
+      event: {
+        subscribe: vi.fn(async () => ({
+          stream: (async function* () {
+            for (const ev of events) yield ev;
+          })(),
+        })),
+      },
+    } as unknown as OpencodeClient;
+
+    const dispatched: Event[] = [];
+    const sleeps: number[] = [];
+    let reconciles = 0;
+
+    const deps: SseLoopDeps = {
+      isUp: () => true,
+      getClient: () => client,
+      dispatchEvent: (ev) => dispatched.push(ev),
+      reconcile: async () => {
+        reconciles += 1;
+        abort.abort(); // stop the loop after the first clean cycle
+        return false;
+      },
+      onReconnectGiveUp: () => {
+        throw new Error('should not give up on the happy path');
+      },
+      log: silentLog,
+      sleep: async (ms) => {
+        sleeps.push(ms);
+      },
+    };
+
+    await runSessionEventLoop(state, abort, deps);
+
+    expect(dispatched).toHaveLength(2);
+    expect(reconciles).toBe(1);
+    expect(sleeps).toEqual([DEFAULT_RECONNECT_POLICY.baseMs]); // base delay, not backed off
+  });
+});
+
+describe('runSessionEventLoop — circuit breaker', () => {
+  it('backs off on repeated throws then gives up + fails the turn', async () => {
+    const state = freshState();
+    const abort = new AbortController();
+    const policy = { baseMs: 1, maxMs: 8, maxAttempts: 3 };
+
+    const subscribe = vi.fn(async () => {
+      throw new Error('connection refused');
+    });
+    const client = { event: { subscribe } } as unknown as OpencodeClient;
+
+    const sleeps: number[] = [];
+    const gaveUp = vi.fn();
+
+    const deps: SseLoopDeps = {
+      isUp: () => true,
+      getClient: () => client,
+      dispatchEvent: () => {},
+      reconcile: async () => false,
+      onReconnectGiveUp: gaveUp,
+      log: silentLog,
+      sleep: async (ms) => {
+        sleeps.push(ms);
+      },
+      policy,
+    };
+
+    await runSessionEventLoop(state, abort, deps);
+
+    // 3 backoff sleeps (1, 2, 4), then the 4th failure trips the breaker.
+    expect(sleeps).toEqual([1, 2, 4]);
+    expect(subscribe).toHaveBeenCalledTimes(4);
+    expect(gaveUp).toHaveBeenCalledTimes(1);
+    expect(gaveUp).toHaveBeenCalledWith(state);
+  });
+});
--- a/apps/coder/src/services/backends/tests/opencode-event-map.test.ts
+++ b/apps/coder/src/services/backends/tests/opencode-event-map.test.ts
@@ -0,0 +1,226 @@
+import { describe, it, expect } from 'vitest';
+import type { Event, Part } from '@opencode-ai/sdk/v2/client';
+import {
+  stripDcpTags,
+  eventSessionId,
+  resolvePartDedupeKey,
+  mapToolStatus,
+  toolPartToSnapshot,
+  toolCalledSnapshot,
+  toolSuccessSnapshot,
+  toolFailedSnapshot,
+  classifyPartDelta,
+  classifyUpdatedPart,
+  errToString,
+  errMsg,
+  type DedupState,
+} from '../opencode-event-map.js';
+
+/**
+ * Pure opencode Event → AgentEvent translation + dedup gate (v2.7 audit reshape).
+ * Mirrors the original `dispatchEvent` / `handleUpdatedPart` arms verbatim — no
+ * I/O, so it's unit-testable. The slimmed backend keeps the routing + side effects.
+ */
+
+function freshDedup(): DedupState {
+  return { streamedPartKeys: new Set(), partTypeById: new Map() };
+}
+
+describe('stripDcpTags', () => {
+  it('removes a complete dcp tag', () => {
+    expect(stripDcpTags('hi <dcp-message-id>m1</dcp-message-id> there')).toBe('hi  there');
+  });
+  it('leaves untagged text untouched', () => {
+    expect(stripDcpTags('plain text <div>')).toBe('plain text <div>');
+  });
+});
+
+describe('eventSessionId', () => {
+  it('reads properties.sessionID for a normal event', () => {
+    const ev = { type: 'session.idle', properties: { sessionID: 's1' } } as unknown as Event;
+    expect(eventSessionId(ev)).toBe('s1');
+  });
+  it('reads properties.part.sessionID for message.part.updated', () => {
+    const ev = {
+      type: 'message.part.updated',
+      properties: { part: { sessionID: 's2' } },
+    } as unknown as Event;
+    expect(eventSessionId(ev)).toBe('s2');
+  });
+  it('returns null when there is no session', () => {
+    const ev = { type: 'server.connected', properties: {} } as unknown as Event;
+    expect(eventSessionId(ev)).toBeNull();
+  });
+});
+
+describe('resolvePartDedupeKey', () => {
+  it('prefers the part id', () => {
+    expect(resolvePartDedupeKey({ id: 'p1', messageID: 'm1' }, 'text')).toBe('text:p1');
+  });
+  it('falls back to the message id', () => {
+    expect(resolvePartDedupeKey({ id: '  ', messageID: 'm1' }, 'reasoning')).toBe('reasoning:message:m1');
+  });
+  it('returns null when neither is present', () => {
+    expect(resolvePartDedupeKey({ id: '', messageID: '' }, 'text')).toBeNull();
+  });
+});
+
+describe('mapToolStatus', () => {
+  it('maps the opencode tool states to ACP statuses', () => {
+    expect(mapToolStatus('pending')).toBe('pending');
+    expect(mapToolStatus('running')).toBe('in_progress');
+    expect(mapToolStatus('completed')).toBe('completed');
+    expect(mapToolStatus('error')).toBe('failed');
+    expect(mapToolStatus(undefined)).toBeNull();
+  });
+});
+
+describe('session.next.tool.* snapshot builders', () => {
+  it('toolCalledSnapshot → in_progress with tool title + raw input', () => {
+    expect(toolCalledSnapshot({ callID: 'c1', tool: 'read_file', input: { path: 'a.ts' } })).toEqual({
+      toolCallId: 'c1',
+      title: 'read_file',
+      kind: null,
+      status: 'in_progress',
+      rawInput: { path: 'a.ts' },
+      rawOutput: undefined,
+    });
+  });
+  it('toolSuccessSnapshot → completed with joined text content', () => {
+    const snap = toolSuccessSnapshot({ callID: 'c1', content: [{ text: 'foo' }, { text: 'bar' }, { other: 1 }] });
+    expect(snap.status).toBe('completed');
+    expect(snap.title).toBe('c1');
+    expect(snap.rawOutput).toBe('foobar');
+  });
+  it('toolSuccessSnapshot → empty output when content is missing', () => {
+    expect(toolSuccessSnapshot({ callID: 'c1' }).rawOutput).toBe('');
+  });
+  it('toolFailedSnapshot → failed with stringified error', () => {
+    const snap = toolFailedSnapshot({ callID: 'c1', error: 'boom' });
+    expect(snap.status).toBe('failed');
+    expect(snap.title).toBe('c1');
+    expect(snap.rawOutput).toBe('boom');
+  });
+});
+
+describe('toolPartToSnapshot', () => {
+  it('extracts input/output/title/status from the tool state', () => {
+    const part = {
+      type: 'tool',
+      callID: 'c1',
+      tool: 'grep',
+      state: { status: 'completed', input: { q: 'x' }, output: 'result', title: 'Grep run' },
+    } as unknown as Parameters<typeof toolPartToSnapshot>[0];
+    expect(toolPartToSnapshot(part)).toEqual({
+      toolCallId: 'c1',
+      title: 'Grep run',
+      kind: null,
+      status: 'completed',
+      rawInput: { q: 'x' },
+      rawOutput: 'result',
+    });
+  });
+  it('falls back to the tool name and uses error as output', () => {
+    const part = {
+      type: 'tool',
+      callID: 'c2',
+      tool: 'edit',
+      state: { status: 'error', error: 'nope' },
+    } as unknown as Parameters<typeof toolPartToSnapshot>[0];
+    const snap = toolPartToSnapshot(part);
+    expect(snap.title).toBe('edit');
+    expect(snap.status).toBe('failed');
+    expect(snap.rawOutput).toBe('nope');
+  });
+});
+
+describe('classifyPartDelta (message.part.delta dedup recording)', () => {
+  it('records a reasoning key and emits a reasoning event', () => {
+    const st = freshDedup();
+    const e = classifyPartDelta({ partID: 'p1', field: 'reasoning', delta: 'thinking' }, st);
+    expect(e).toEqual({ type: 'reasoning', text: 'thinking' });
+    expect(st.streamedPartKeys.has('reasoning:p1')).toBe(true);
+  });
+  it('records a text key, strips dcp, and emits text', () => {
+    const st = freshDedup();
+    const e = classifyPartDelta({ partID: 'p2', field: 'text', delta: 'hi <dcp-message-id>m</dcp-message-id>' }, st);
+    expect(e).toEqual({ type: 'text', text: 'hi ' });
+    expect(st.streamedPartKeys.has('text:p2')).toBe(true);
+  });
+  it('still records the text key even when the cleaned delta is empty', () => {
+    const st = freshDedup();
+    const e = classifyPartDelta({ partID: 'p3', field: 'text', delta: '<dcp-message-id>m</dcp-message-id>' }, st);
+    expect(e).toBeNull();
+    expect(st.streamedPartKeys.has('text:p3')).toBe(true);
+  });
+  it('uses the recorded part type when the field is absent', () => {
+    const st = freshDedup();
+    st.partTypeById.set('p4', 'reasoning');
+    const e = classifyPartDelta({ partID: 'p4', delta: 'more' }, st);
+    expect(e).toEqual({ type: 'reasoning', text: 'more' });
+  });
+  it('returns null for an unknown field', () => {
+    expect(classifyPartDelta({ partID: 'p5', field: 'other', delta: 'x' }, freshDedup())).toBeNull();
+  });
+});
+
+describe('classifyUpdatedPart (message.part.updated dedup gate)', () => {
+  function textPart(over: Partial<Part> = {}): Part {
+    return {
+      type: 'text',
+      id: 'p1',
+      messageID: 'm1',
+      sessionID: 's1',
+      text: 'final text',
+      time: { start: 1, end: 2 },
+      ...over,
+    } as unknown as Part;
+  }
+
+  it('drops a terminal part already streamed via deltas', () => {
+    const st = freshDedup();
+    st.streamedPartKeys.add('text:p1');
+    expect(classifyUpdatedPart(textPart(), st)).toBeNull();
+    // the key is consumed
+    expect(st.streamedPartKeys.has('text:p1')).toBe(false);
+  });
+  it('emits a finished (ended) text part not seen via deltas', () => {
+    const st = freshDedup();
+    expect(classifyUpdatedPart(textPart(), st)).toEqual({ type: 'text', text: 'final text' });
+    expect(st.partTypeById.get('p1')).toBe('text');
+  });
+  it('does not emit a part that has not ended yet', () => {
+    const st = freshDedup();
+    expect(classifyUpdatedPart(textPart({ time: { start: 1 } as never }), st)).toBeNull();
+  });
+  it('strips dcp tags from the finished text', () => {
+    const st = freshDedup();
+    const part = textPart({ text: 'a <dcp-message-id>m</dcp-message-id>b' });
+    expect(classifyUpdatedPart(part, st)).toEqual({ type: 'text', text: 'a b' });
+  });
+  it('maps a running tool part to tool_call', () => {
+    const st = freshDedup();
+    const part = { type: 'tool', callID: 'c1', tool: 'grep', state: { status: 'running' } } as unknown as Part;
+    const e = classifyUpdatedPart(part, st);
+    expect(e?.type).toBe('tool_call');
+  });
+  it('maps a completed tool part to tool_update', () => {
+    const st = freshDedup();
+    const part = { type: 'tool', callID: 'c1', tool: 'grep', state: { status: 'completed', output: 'x' } } as unknown as Part;
+    const e = classifyUpdatedPart(part, st);
+    expect(e?.type).toBe('tool_update');
+  });
+});
+
+describe('error formatters', () => {
+  it('errMsg unwraps Error.message', () => {
+    expect(errMsg(new Error('x'))).toBe('x');
+    expect(errMsg('plain')).toBe('plain');
+  });
+  it('errToString handles null/string/Error/object', () => {
+    expect(errToString(null)).toBe('unknown error');
+    expect(errToString('s')).toBe('s');
+    expect(errToString(new Error('e'))).toBe('e');
+    expect(errToString({ a: 1 })).toBe('{"a":1}');
+  });
+});
--- a/apps/coder/src/services/backends/tests/pushable-iterable.test.ts
+++ b/apps/coder/src/services/backends/tests/pushable-iterable.test.ts
@@ -0,0 +1,96 @@
+import { describe, it, expect } from 'vitest';
+import { createPushable } from '../pushable-iterable.js';
+
+/**
+ * The pushable async-iterable that feeds the Claude SDK's streaming-input query()
+ * one message per turn while staying open across turns. Tests cover the ordering
+ * contract (push/close/async-iterate) without any SDK shape.
+ */
+describe('createPushable — push/iterate ordering', () => {
+  it('yields buffered values in FIFO order then parks', async () => {
+    const p = createPushable<number>();
+    const it = p.iterable[Symbol.asyncIterator]();
+
+    p.push(1);
+    p.push(2);
+    expect(await it.next()).toEqual({ value: 1, done: false });
+    expect(await it.next()).toEqual({ value: 2, done: false });
+
+    // No more buffered → next() parks; resolve it by pushing.
+    const parked = it.next();
+    p.push(3);
+    expect(await parked).toEqual({ value: 3, done: false });
+  });
+
+  it('hands a value directly to a parked consumer (push after await)', async () => {
+    const p = createPushable<string>();
+    const it = p.iterable[Symbol.asyncIterator]();
+    const pending = it.next(); // parks immediately (empty buffer)
+    p.push('hello');
+    expect(await pending).toEqual({ value: 'hello', done: false });
+  });
+
+  it('close() resolves a parked consumer as done and reports done thereafter', async () => {
+    const p = createPushable<number>();
+    const it = p.iterable[Symbol.asyncIterator]();
+    const pending = it.next();
+    p.close();
+    expect(await pending).toEqual({ value: undefined, done: true });
+    expect(await it.next()).toEqual({ value: undefined, done: true });
+    expect(p.closed).toBe(true);
+  });
+
+  it('still drains values buffered BEFORE close', async () => {
+    const p = createPushable<number>();
+    const it = p.iterable[Symbol.asyncIterator]();
+    p.push(10);
+    p.push(20);
+    p.close();
+    expect(await it.next()).toEqual({ value: 10, done: false });
+    expect(await it.next()).toEqual({ value: 20, done: false });
+    expect(await it.next()).toEqual({ value: undefined, done: true });
+  });
+
+  it('drops values pushed after close', async () => {
+    const p = createPushable<number>();
+    const it = p.iterable[Symbol.asyncIterator]();
+    p.close();
+    p.push(99); // no-op
+    expect(await it.next()).toEqual({ value: undefined, done: true });
+  });
+
+  it('close() is idempotent', () => {
+    const p = createPushable<number>();
+    p.close();
+    expect(() => p.close()).not.toThrow();
+    expect(p.closed).toBe(true);
+  });
+
+  it('works with a for-await loop driven by interleaved pushes', async () => {
+    const p = createPushable<number>();
+    const seen: number[] = [];
+    const consumer = (async () => {
+      for await (const v of p.iterable) seen.push(v);
+    })();
+
+    p.push(1);
+    await Promise.resolve();
+    p.push(2);
+    await Promise.resolve();
+    p.close();
+    await consumer;
+    expect(seen).toEqual([1, 2]);
+  });
+
+  it('return() on the iterator closes the queue (for-await break)', async () => {
+    const p = createPushable<number>();
+    const it = p.iterable[Symbol.asyncIterator]();
+    p.push(1);
+    expect(await it.next()).toEqual({ value: 1, done: false });
+    // Simulate a `break` in for-await: the runtime calls return().
+    expect(await it.return!()).toEqual({ value: undefined, done: true });
+    expect(p.closed).toBe(true);
+    p.push(2); // dropped — queue is closed
+    expect(await it.next()).toEqual({ value: undefined, done: true });
+  });
+});
--- a/apps/coder/src/services/backends/claude-sdk-map.ts
+++ b/apps/coder/src/services/backends/claude-sdk-map.ts
@@ -0,0 +1,245 @@
+/**
+ * claude-sdk-sessionstore #9 (Part 2) — PURE Claude-SDK message → AgentEvent mapper.
+ *
+ * `ClaudeSdkBackend` drives one `query()` per (chat, agent) session and feeds each
+ * `SDKMessage` it yields through this function, forwarding the returned
+ * `AgentEvent[]` to the dispatcher's `onEvent` (which maps them to WS frames +
+ * persists). Kept PURE (one message + a caller-owned accumulator → events) so it's
+ * unit-testable without a live `claude` binary — the whole point of Part 2's
+ * typecheck-and-unit-test gate (the live pump needs a host smoke).
+ *
+ * SDK shapes (verified against @anthropic-ai/claude-agent-sdk@0.3.159 sdk.d.ts +
+ * @anthropic-ai/sdk beta messages d.ts):
+ *   - `SDKPartialAssistantMessage` (`type:'stream_event'`) carries a
+ *     `BetaRawMessageStreamEvent` — the LIVE delta stream (only emitted when
+ *     `options.includePartialMessages` is set, which the backend sets). We map:
+ *       · content_block_delta + text_delta      → { text }
+ *       · content_block_delta + thinking_delta   → { reasoning }
+ *       · content_block_start  + tool_use block  → { tool_call } (in_progress)
+ *       · content_block_delta + input_json_delta → buffered into the tool's args
+ *         (no event; the assembled input rides the terminal tool_update)
+ *   - `SDKAssistantMessage` (`type:'assistant'`) carries the FINAL `message.content`
+ *     blocks. Text/thinking there are post-hoc repeats of what the partials already
+ *     streamed, so we DROP them (dedup) and only emit a terminal `tool_update`
+ *     (status completed) per `tool_use` block, with its now-complete `input`.
+ *   - All other `SDKMessage` variants (system/init, status, result, hooks, task
+ *     notifications, …) carry no renderable turn content → return [].
+ *
+ * Tool assembly spans messages: a tool_use block opens in a partial
+ * `content_block_start`, its args stream as `input_json_delta` frames keyed by the
+ * block `index`, and the final assistant message restates the complete block. The
+ * caller owns a `ClaudeSdkMapState` (snapshot map + per-index tool tracking) that
+ * threads this across calls, mirroring the `Map<string, AcpToolSnapshot>` the other
+ * backends pass into `mapSessionUpdate`. The result frames carry the SAME
+ * `AcpToolSnapshot` shape, so `persistExternalAgentTurn` / `snapshotToWireToolCall`
+ * are reused unchanged.
+ */
+import type { SDKMessage } from '@anthropic-ai/claude-agent-sdk';
+import type { AgentEvent } from '../agent-backend.js';
+import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
+
+/**
+ * The underlying `@anthropic-ai/sdk` Beta message types (`BetaRawMessageStreamEvent`,
+ * `BetaContentBlock`) are a TRANSITIVE dep of `@anthropic-ai/claude-agent-sdk` — not
+ * a direct dependency of apps/coder — so a `@anthropic-ai/sdk/...` import does NOT
+ * resolve here under pnpm's strict node_modules. We instead DERIVE both shapes from
+ * the SDK's own exported message types, which is also more correct (it tracks the
+ * exact `event` / `content` shapes the SDK yields, not a hand-picked import path).
+ */
+type StreamEvent = Extract<SDKMessage, { type: 'stream_event' }>['event'];
+type AssistantContent = Extract<SDKMessage, { type: 'assistant' }>['message']['content'];
+type ContentBlock = AssistantContent extends readonly (infer B)[] ? B : never;
+type UserContent = Extract<SDKMessage, { type: 'user' }>['message']['content'];
+
+/**
+ * Caller-owned accumulator threaded across `mapSdkMessage` calls within ONE turn.
+ * The backend creates a fresh one per turn and clears it at turn end.
+ */
+export interface ClaudeSdkMapState {
+  /** Stable tool-call snapshots by tool_use id, merged across start/delta/stop. */
+  snapshots: Map<string, AcpToolSnapshot>;
+  /**
+   * Partial-stream block index → in-flight tool assembly. Anthropic's stream keys
+   * blocks by a numeric `index`; tool_use args arrive as `input_json_delta`s under
+   * that index with no id, so we map index→id to route them and buffer the raw
+   * JSON fragments until the block closes (or the final assistant message lands).
+   */
+  toolByIndex: Map<number, { id: string; name: string; jsonBuf: string }>;
+}
+
+/** Construct a fresh per-turn accumulator. */
+export function createClaudeSdkMapState(): ClaudeSdkMapState {
+  return { snapshots: new Map(), toolByIndex: new Map() };
+}
+
+/**
+ * Map one `SDKMessage` → zero or more `AgentEvent`s, mutating `state` for
+ * cross-message tool assembly + dedup. Pure w.r.t. its inputs otherwise.
+ */
+export function mapSdkMessage(msg: SDKMessage, state: ClaudeSdkMapState): AgentEvent[] {
+  switch (msg.type) {
+    case 'stream_event':
+      return mapStreamEvent(msg.event, state);
+    case 'assistant':
+      return mapFinalAssistant(msg.message.content, state);
+    case 'user':
+      // Tool RESULTS ride in as user messages (tool_result blocks): the SDK ran
+      // the tool and feeds its output back. Without mapping these, the tool_call
+      // never reaches a terminal snapshot — it persists as status:'running' with
+      // no output and the UI spinner never stops (the bug this fixes).
+      return mapUserToolResults(msg.message.content, state);
+    default:
+      // system/init, status, result, hooks, task_*, etc. — no turn content here.
+      // (The backend reads session_id off the init message and usage/cost off the
+      // result message directly; neither produces a renderable AgentEvent.)
+      return [];
+  }
+}
+
+/** Live partial-stream delta → AgentEvent(s). */
+function mapStreamEvent(event: StreamEvent, state: ClaudeSdkMapState): AgentEvent[] {
+  switch (event.type) {
+    case 'content_block_start': {
+      const block = event.content_block;
+      if (block.type === 'tool_use') {
+        const snap: AcpToolSnapshot = {
+          toolCallId: block.id,
+          title: block.name,
+          kind: null,
+          status: 'in_progress',
+          rawInput: block.input ?? undefined,
+          rawOutput: undefined,
+        };
+        state.snapshots.set(block.id, snap);
+        state.toolByIndex.set(event.index, { id: block.id, name: block.name, jsonBuf: '' });
+        return [{ type: 'tool_call', toolCall: snap }];
+      }
+      return [];
+    }
+    case 'content_block_delta': {
+      const delta = event.delta;
+      if (delta.type === 'text_delta') {
+        return delta.text ? [{ type: 'text', text: delta.text }] : [];
+      }
+      if (delta.type === 'thinking_delta') {
+        return delta.thinking ? [{ type: 'reasoning', text: delta.thinking }] : [];
+      }
+      if (delta.type === 'input_json_delta') {
+        // Buffer the tool's streamed args under its block index; no event yet —
+        // the assembled input rides the terminal tool_update (or the final block).
+        const t = state.toolByIndex.get(event.index);
+        if (t) t.jsonBuf += delta.partial_json ?? '';
+        return [];
+      }
+      // signature_delta / citations_delta / compaction_delta — nothing to render.
+      return [];
+    }
+    case 'content_block_stop': {
+      // Close out a streamed tool block: parse its buffered JSON args and emit a
+      // tool_update carrying the assembled input. The final assistant message will
+      // restate the same block, but its snapshot is dedup-merged (same id) so this
+      // is harmless — we emit here so a tool's input renders even if the assistant
+      // message is delayed/dropped.
+      const t = state.toolByIndex.get(event.index);
+      if (!t) return [];
+      state.toolByIndex.delete(event.index);
+      const prev = state.snapshots.get(t.id);
+      const snap: AcpToolSnapshot = {
+        toolCallId: t.id,
+        title: prev?.title ?? t.name,
+        kind: null,
+        status: 'in_progress',
+        rawInput: parseJsonOr(t.jsonBuf, prev?.rawInput),
+        rawOutput: undefined,
+      };
+      state.snapshots.set(t.id, snap);
+      return [{ type: 'tool_update', toolCall: snap }];
+    }
+    default:
+      // message_start / message_delta / message_stop — turn framing, no content.
+      return [];
+  }
+}
+
+/**
+ * Final assistant message content blocks. Text/thinking are post-hoc repeats of
+ * the partial stream → dropped (dedup). Only tool_use blocks emit a terminal
+ * tool_update carrying the complete `input`.
+ */
+function mapFinalAssistant(content: ContentBlock[], state: ClaudeSdkMapState): AgentEvent[] {
+  const out: AgentEvent[] = [];
+  for (const block of content) {
+    if (block.type === 'tool_use') {
+      const prev = state.snapshots.get(block.id);
+      const snap: AcpToolSnapshot = {
+        toolCallId: block.id,
+        title: prev?.title ?? block.name,
+        kind: null,
+        status: 'completed',
+        rawInput: block.input ?? prev?.rawInput,
+        rawOutput: undefined,
+      };
+      state.snapshots.set(block.id, snap);
+      out.push({ type: 'tool_update', toolCall: snap });
+    }
+    // text / thinking / redacted_thinking blocks: already streamed via partials.
+  }
+  return out;
+}
+
+/**
+ * User-message tool_result blocks → terminal tool_update events. The SDK runs
+ * each tool and feeds the output back in a `user` message; we mark the matching
+ * snapshot completed (or failed, on is_error) WITH its output so the snapshot
+ * persists/renders as resolved instead of spinning. Unknown ids (no prior
+ * snapshot) are still surfaced so a stray result isn't silently lost.
+ */
+function mapUserToolResults(content: UserContent, state: ClaudeSdkMapState): AgentEvent[] {
+  if (!Array.isArray(content)) return [];
+  const out: AgentEvent[] = [];
+  for (const raw of content) {
+    const block = raw as { type?: string; tool_use_id?: string; content?: unknown; is_error?: boolean };
+    if (block.type !== 'tool_result' || !block.tool_use_id) continue;
+    const prev = state.snapshots.get(block.tool_use_id);
+    const snap: AcpToolSnapshot = {
+      toolCallId: block.tool_use_id,
+      title: prev?.title ?? block.tool_use_id,
+      kind: prev?.kind ?? null,
+      status: block.is_error ? 'failed' : 'completed',
+      rawInput: prev?.rawInput,
+      rawOutput: toolResultText(block.content),
+    };
+    state.snapshots.set(block.tool_use_id, snap);
+    out.push({ type: 'tool_update', toolCall: snap });
+  }
+  return out;
+}
+
+/** tool_result content is a string OR an array of content blocks (text/image).
+ *  Flatten text blocks; fall back to the raw value so nothing is lost. */
+function toolResultText(content: unknown): unknown {
+  if (typeof content === 'string') return content;
+  if (Array.isArray(content)) {
+    const text = content
+      .map((c) =>
+        c && typeof c === 'object' && (c as { type?: string }).type === 'text'
+          ? String((c as { text?: unknown }).text ?? '')
+          : '',
+      )
+      .filter(Boolean)
+      .join('\n');
+    return text || content;
+  }
+  return content ?? '';
+}
+
+/** Parse a buffered JSON string; fall back to a prior value on empty/invalid. */
+function parseJsonOr(buf: string, fallback: unknown): unknown {
+  const s = buf.trim();
+  if (!s) return fallback;
+  try {
+    return JSON.parse(s);
+  } catch {
+    return fallback;
+  }
+}
--- a/apps/coder/src/services/backends/claude-sdk-routing.ts
+++ b/apps/coder/src/services/backends/claude-sdk-routing.ts
@@ -0,0 +1,38 @@
+/**
+ * claude-sdk-sessionstore #9 (Part 2) — claude-SDK-vs-PTY routing predicate.
+ *
+ * Sibling to `shouldUseWarmBackend` (warm-acp-routing.ts). The warm Claude-SDK
+ * backend keys its persistent `query()` on (chat_id, agent) — exactly like the
+ * warm-ACP / opencode-server backends — so a task only routes to it when it carries
+ * BOTH a `session_id` and a `chat_id` (a real chat tab).
+ *
+ * CRUCIALLY this is ALSO gated behind the `CLAUDE_SDK_BACKEND` env flag (default
+ * OFF). While off — the production default — claude always falls through to the
+ * existing one-shot PTY `runExternalAgent` path, UNCHANGED. The live SDK streaming
+ * pump + cross-turn resume need a host smoke against the real `claude` binary, so
+ * we keep the working PTY path as the default until that lands. Flip the env var
+ * on a host (any truthy value) to opt a deployment into the SDK backend.
+ *
+ * Pure (env read injected) so it's unit-testable; the dispatcher consumes it.
+ */
+
+/** True iff the `CLAUDE_SDK_BACKEND` env flag is set to a truthy value. */
+export function claudeSdkBackendEnabled(env: NodeJS.ProcessEnv = process.env): boolean {
+  const v = env.CLAUDE_SDK_BACKEND;
+  if (v == null) return false;
+  const s = v.trim().toLowerCase();
+  return s !== '' && s !== '0' && s !== 'false' && s !== 'off' && s !== 'no';
+}
+
+export function shouldUseClaudeSdk(
+  task: {
+    agent: string | null;
+    session_id: string | null;
+    chat_id: string | null;
+  },
+  env: NodeJS.ProcessEnv = process.env,
+): boolean {
+  if (!claudeSdkBackendEnabled(env)) return false;
+  if (task.agent !== 'claude') return false;
+  return task.session_id != null && task.chat_id != null;
+}
--- a/apps/coder/src/services/backends/claude-sdk.ts
+++ b/apps/coder/src/services/backends/claude-sdk.ts
@@ -0,0 +1,425 @@
+/**
+ * claude-sdk-sessionstore #9 (Part 2) — ClaudeSdkBackend.
+ *
+ * A warm, resumable backend for the `claude` agent built on the Claude Agent SDK
+ * (`@anthropic-ai/claude-agent-sdk`), implementing the Phase-0 `AgentBackend`
+ * contract (same shape as `WarmAcpBackend` / `OpenCodeServerBackend`). One
+ * persistent `query()` per (chat, agent) session, driven in STREAMING-INPUT mode:
+ * the `prompt` is a pushable `AsyncIterable<SDKUserMessage>` that stays open across
+ * turns, so the SDK subprocess + conversation stay warm between `prompt()` calls
+ * until `closeSession`/`dispose`.
+ *
+ * ⚠ LIVE PUMP IS HOST-ONLY. The actual streaming turn needs the real `claude`
+ * binary + ANTHROPIC auth on a host — it CANNOT run in the dev container. This file
+ * is written against the REAL SDK types so it TYPECHECKS, and the PURE pieces (the
+ * `mapSdkMessage` mapper + the `createPushable` queue) are unit-tested. Routing to
+ * this backend is gated behind `CLAUDE_SDK_BACKEND` (default OFF) so production
+ * claude stays on the working PTY path until a host smoke validates the pump +
+ * cross-turn resume.
+ *
+ * Lifecycle (mirrors warm-acp.ts / opencode-server.ts):
+ *   - `ensureSession`: resolve the resume id from `agent_sessions(chat_id,'claude')`
+ *     and (re)build the single `query()` if not already live. The SDK's own
+ *     `sessionStore` (Part 1 PostgresSessionStore) materializes the transcript on
+ *     resume; `options.resume` carries the provider session id.
+ *   - `prompt`: push ONE user message onto the open queue, iterate the generator,
+ *     map each `SDKMessage` → `AgentEvent`s via `mapSdkMessage`, forward to
+ *     `ctx.onEvent`, and resolve when the turn's `result` message lands. Capture the
+ *     `session_id` from the `init` message and persist it to `agent_sessions`;
+ *     accumulate `result.usage` / `total_cost_usd` onto the row (mirrors opencode U.6).
+ *   - `closeSession` / `dispose`: close the queue + dispose the query generator.
+ *   - A thrown error or `result.subtype==='error*'` marks `agent_sessions.status='crashed'`.
+ *
+ * Turn serialization: like warm-acp, exactly one turn is in flight at a time on a
+ * given backend (the dispatcher's per-session `inflight` map enforces this upstream;
+ * `isBusy()` reports it so the pool never evicts mid-turn).
+ */
+import { query, type Query, type SDKMessage, type SDKUserMessage, type Options } from '@anthropic-ai/claude-agent-sdk';
+import type { FastifyBaseLogger } from 'fastify';
+import type { Sql } from '../../db.js';
+import { PostgresSessionStore } from './claude-session-store.js';
+import { createPushable, type Pushable } from './pushable-iterable.js';
+import { mapSdkMessage, createClaudeSdkMapState, type ClaudeSdkMapState } from './claude-sdk-map.js';
+import type {
+  AgentBackend,
+  AgentSessionHandle,
+  EnsureSessionOpts,
+  PromptCtx,
+  TurnResult,
+} from '../agent-backend.js';
+
+export interface ClaudeSdkBackendDeps {
+  sql: Sql;
+  log: FastifyBaseLogger;
+  /** The (chat, agent) this backend serves — its pool identity + DB key. */
+  chatId: string;
+  /** Always 'claude' today; kept explicit so the pool key + DB writes stay honest. */
+  agent: string;
+  /** Resolved `claude` binary path (available_agents.install_path); null → SDK default. */
+  installPath: string | null;
+}
+
+export class ClaudeSdkBackend implements AgentBackend {
+  readonly backend = 'claude_sdk' as const;
+
+  private readonly sql: Sql;
+  private readonly log: FastifyBaseLogger;
+  private readonly chatId: string;
+  private readonly agent: string;
+  private readonly installPath: string | null;
+  private readonly sessionStore: PostgresSessionStore;
+
+  /** The single persistent query() generator; null until the first turn builds it. */
+  private query: Query | null = null;
+  /** The open input queue feeding the generator one SDKUserMessage per turn. */
+  private input: Pushable<SDKUserMessage> | null = null;
+  /** The provider's own session id (resume token), captured from the init message. */
+  private agentSessionId: string | null = null;
+  /** Resolved model the live query() was built with; a change forces a rebuild. */
+  private builtModel: string | null = null;
+  /** True between prompt() start and settle. */
+  private busy = false;
+  private up = false;
+
+  constructor(deps: ClaudeSdkBackendDeps) {
+    this.sql = deps.sql;
+    this.log = deps.log;
+    this.chatId = deps.chatId;
+    this.agent = deps.agent;
+    this.installPath = deps.installPath;
+    this.sessionStore = new PostgresSessionStore(deps.sql);
+  }
+
+  /** §2: liveness for the health endpoint + dispatcher fallback decision. */
+  health(): 'up' | 'down' {
+    return this.up ? 'up' : 'down';
+  }
+
+  /** Phase 3: busy iff a turn is in flight (pool never evicts a busy backend). */
+  isBusy(): boolean {
+    return this.busy;
+  }
+
+  // ─── ensureSession: resolve resume id + (re)build the warm query ──────────────
+
+  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
+    // Resolve the resume token from the (chat_id, agent) row. A crashed row is not
+    // resumed (the SDK would fail to load a dead session); we create fresh.
+    const [row] = await this.sql<{ agent_session_id: string | null; status: string }[]>`
+      SELECT agent_session_id, status FROM agent_sessions
+      WHERE chat_id = ${opts.chatId} AND agent = ${opts.agent}
+    `;
+    const resumeId = row && row.status !== 'crashed' ? row.agent_session_id : null;
+
+    // (Re)build the warm query if there is none, or the model changed (the SDK can
+    // change model mid-session via setModel, but a fresh build is simplest + matches
+    // opencode's config-drift → fresh-session rule). The query stays alive across
+    // turns; only closeSession/dispose tears it down.
+    if (!this.query || this.builtModel !== opts.model) {
+      await this.teardownQuery();
+      this.buildQuery(opts.worktreePath, opts.model, resumeId);
+    }
+
+    // Seed the in-memory resume id from the DB so a handle built before the first
+    // turn's init message still carries the last-known token. The init message
+    // overwrites it with the authoritative current id during the turn.
+    if (this.agentSessionId == null) this.agentSessionId = resumeId;
+
+    // Upsert the agent_sessions row (backend='claude_sdk'). agent_session_id may be
+    // null until the first turn captures it from the init message; prompt() updates it.
+    await this.sql`
+      INSERT INTO agent_sessions
+        (chat_id, session_id, worktree_id, agent, backend, agent_session_id, server_port, status, last_active_at)
+      VALUES
+        (${opts.chatId}, ${sessionId}, ${opts.worktreeId}, ${opts.agent}, 'claude_sdk', ${this.agentSessionId}, NULL, 'active', clock_timestamp())
+      ON CONFLICT (chat_id, agent) DO UPDATE SET
+        session_id = EXCLUDED.session_id,
+        worktree_id = EXCLUDED.worktree_id,
+        backend = 'claude_sdk',
+        agent_session_id = COALESCE(EXCLUDED.agent_session_id, agent_sessions.agent_session_id),
+        server_port = NULL,
+        status = 'active',
+        last_active_at = clock_timestamp()
+    `.catch((err) => {
+      this.log.warn({ err: errMsg(err), chatId: opts.chatId, agent: opts.agent }, 'claude-sdk: agent_sessions upsert failed (non-fatal)');
+    });
+
+    return {
+      sessionId,
+      agent: opts.agent,
+      backend: 'claude_sdk',
+      chatId: opts.chatId,
+      worktreeId: opts.worktreeId,
+      agentSessionId: this.agentSessionId,
+      serverPort: null,
+    };
+  }
+
+  /** Build the persistent query() in streaming-input mode. Lazy — no subprocess
+   *  work happens until the generator is first iterated in prompt(). */
+  private buildQuery(worktreePath: string, model: string, resumeId: string | null): void {
+    const input = createPushable<SDKUserMessage>();
+    const options: Options = {
+      sessionStore: this.sessionStore,
+      cwd: worktreePath,
+      // Stream partial assistant messages so text/thinking/tool deltas arrive live
+      // (the mapper reads them; without this only terminal messages land).
+      includePartialMessages: true,
+      // BooCode default: enable the documented 1M-context-window beta. Active on
+      // models that support it (the SDK lists Sonnet 4/4.5); a non-supporting model
+      // simply doesn't get the larger window. The TRUE window is read back from
+      // `result.modelUsage[*].contextWindow` and shown in the ContextBar, so whatever
+      // window a model actually gets is surfaced truthfully (no guessing).
+      betas: ['context-1m-2025-08-07'],
+      ...(model ? { model } : {}),
+      ...(resumeId ? { resume: resumeId } : {}),
+      ...(this.installPath ? { pathToClaudeCodeExecutable: this.installPath } : {}),
+      // ANTHROPIC auth/env must reach the child; inherit the process env (host concern).
+      env: process.env as Record<string, string>,
+    };
+    this.input = input;
+    this.query = query({ prompt: input.iterable, options });
+    this.builtModel = model;
+    this.up = true;
+    this.log.info({ chatId: this.chatId, agent: this.agent, model, resume: resumeId ?? null }, 'claude-sdk: warm query built');
+  }
+
+  // ─── prompt: push one user message + drain the generator until result ─────────
+
+  async prompt(handle: AgentSessionHandle, input: string, ctx: PromptCtx): Promise<TurnResult> {
+    if (!this.query || !this.input) {
+      // ensureSession should have built it; rebuild defensively (e.g. evicted/raced).
+      this.buildQuery(ctx.worktreePath, ctx.model, handle.agentSessionId);
+    }
+    const gen = this.query!;
+    const queue = this.input!;
+
+    if (ctx.signal.aborted) return { ok: false, error: 'aborted' };
+
+    this.busy = true;
+    const state: ClaudeSdkMapState = createClaudeSdkMapState();
+    // Peak per-request input (incl. cache) across the turn ≈ the conversation context
+    // held in the window. result.usage SUMS input over the turn's internal requests
+    // (overcounts for multi-tool turns), so the per-request peak is the accurate
+    // "context used" for the ContextBar (paseo's approach).
+    let maxInputTokens = 0;
+    // Per-turn abort: interrupt the in-flight query on the SAME generator (never
+    // tear down the warm query — that's the pool's lifetime). The generator then
+    // emits its terminal result and the drain loop exits.
+    let aborted = false;
+    const onAbort = () => {
+      if (aborted) return;
+      aborted = true;
+      void gen.interrupt().catch(() => {});
+    };
+    ctx.signal.addEventListener('abort', onAbort, { once: true });
+
+    // Push the turn's user message onto the open queue. session_id is optional on
+    // the wire; the SDK manages it via resume + the init message.
+    const userMsg: SDKUserMessage = {
+      type: 'user',
+      message: { role: 'user', content: input },
+      parent_tool_use_id: null,
+      ...(handle.agentSessionId ? { session_id: handle.agentSessionId } : {}),
+    };
+    queue.push(userMsg);
+
+    try {
+      // Manual iteration — NOT `for await (… of gen)`. Returning out of a for-await
+      // loop calls gen.return(), which CLOSES the async generator; that killed the
+      // warm streaming-input query after a single turn, so every FOLLOW-UP message
+      // hit a dead generator and failed. gen.next() leaves the generator suspended
+      // (alive) for the next pushed user message — the warm query is only closed
+      // deliberately in teardownQuery()/dispose().
+      while (true) {
+        const next = await gen.next();
+        if (next.done) {
+          // Generator ended (e.g. disposed) without a result — non-fatal incomplete.
+          if (aborted) return { ok: false, error: 'aborted' };
+          return { ok: false, error: 'claude-sdk: query ended before result' };
+        }
+        const msg = next.value;
+        // Track the peak per-request input from message_start usage (delivered by
+        // includePartialMessages) — the largest single request's input is the real
+        // context fill, unlike the summed result.usage.
+        if (msg.type === 'stream_event') {
+          const sev = msg.event as { type?: string; message?: { usage?: Record<string, unknown> } };
+          if (sev?.type === 'message_start' && sev.message?.usage) {
+            const ru = sev.message.usage;
+            const reqInput =
+              num(ru.input_tokens) + num(ru.cache_read_input_tokens) + num(ru.cache_creation_input_tokens);
+            if (reqInput > maxInputTokens) maxInputTokens = reqInput;
+          }
+        }
+        // Capture the provider session id from the init message (authoritative).
+        if (msg.type === 'system' && msg.subtype === 'init' && msg.session_id) {
+          if (this.agentSessionId !== msg.session_id) {
+            this.agentSessionId = msg.session_id;
+            await this.persistAgentSessionId(msg.session_id);
+          }
+        }
+        // The result message ends THIS turn (it does not close the generator —
+        // streaming-input keeps it alive for the next pushed message).
+        if (msg.type === 'result') {
+          await this.accumulateUsage(msg);
+          const ok = msg.subtype === 'success' && !aborted;
+          if (!ok) {
+            // error_during_execution / error_max_turns / aborted → crashed row.
+            await this.markCrashed();
+          } else {
+            await this.markIdle();
+          }
+          if (aborted) return { ok: false, error: 'aborted' };
+          if (!ok) return { ok: false, error: resultErrorMessage(msg) };
+          // Context-window telemetry for the ContextBar (paseo's method):
+          //   ctxMax = the model's OWN reported window (1M-aware — reflects the active
+          //            window, so the bar shows the truth per model);
+          //   ctxUsed = peak request input (history in the window) + this turn's output.
+          const ctxMax = extractMaxContextWindow((msg as { modelUsage?: unknown }).modelUsage);
+          const fallbackInput =
+            num(msg.usage?.input_tokens) +
+            num(msg.usage?.cache_read_input_tokens) +
+            num(msg.usage?.cache_creation_input_tokens);
+          const ctxUsed = (maxInputTokens || fallbackInput) + num(msg.usage?.output_tokens);
+          return {
+            ok: true,
+            ...(ctxMax > 0 ? { ctxMax } : {}),
+            ...(ctxUsed > 0 ? { ctxUsed } : {}),
+          };
+        }
+        // Map renderable content → AgentEvents for the dispatcher's onEvent.
+        for (const ev of mapSdkMessage(msg, state)) {
+          ctx.onEvent(ev);
+        }
+      }
+    } catch (err) {
+      if (aborted) return { ok: false, error: 'aborted' };
+      await this.markCrashed();
+      return { ok: false, error: errMsg(err) };
+    } finally {
+      ctx.signal.removeEventListener('abort', onAbort);
+      this.busy = false;
+    }
+  }
+
+  // ─── persistence helpers ──────────────────────────────────────────────────────
+
+  private async persistAgentSessionId(id: string): Promise<void> {
+    await this.sql`
+      UPDATE agent_sessions
+      SET agent_session_id = ${id}, last_active_at = clock_timestamp()
+      WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
+    `.catch((err) => {
+      this.log.warn({ err: errMsg(err), chatId: this.chatId }, 'claude-sdk: failed to persist agent_session_id (non-fatal)');
+    });
+  }
+
+  /**
+   * Accumulate the turn's usage/cost onto the (chat_id, agent) row — mirrors the
+   * opencode U.6 running-total pattern. The SDK reports usage once per turn on the
+   * result message (not per step), so this fires once per prompt(). Cache read/write
+   * input tokens fold into `input_tokens`; usage telemetry never fails a turn.
+   */
+  private async accumulateUsage(result: Extract<SDKMessage, { type: 'result' }>): Promise<void> {
+    const u = result.usage;
+    const input = num(u?.input_tokens) + num(u?.cache_read_input_tokens) + num(u?.cache_creation_input_tokens);
+    const output = num(u?.output_tokens);
+    const cost = numF(result.total_cost_usd);
+    if (input === 0 && output === 0 && cost === 0) return;
+    await this.sql`
+      UPDATE agent_sessions SET
+        input_tokens = input_tokens + ${input},
+        output_tokens = output_tokens + ${output},
+        cost = cost + ${cost}
+      WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
+    `.catch((err) => {
+      this.log.warn({ err: errMsg(err), chatId: this.chatId }, 'claude-sdk: failed to persist usage (non-fatal)');
+    });
+  }
+
+  private async markIdle(): Promise<void> {
+    await this.sql`
+      UPDATE agent_sessions SET status = 'idle', last_active_at = clock_timestamp()
+      WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
+    `.catch(() => {});
+  }
+
+  private async markCrashed(): Promise<void> {
+    await this.sql`
+      UPDATE agent_sessions SET status = 'crashed'
+      WHERE chat_id = ${this.chatId} AND agent = ${this.agent}
+    `.catch(() => {});
+  }
+
+  // ─── teardown ────────────────────────────────────────────────────────────────
+
+  async closeSession(handle: AgentSessionHandle): Promise<void> {
+    await this.teardownQuery();
+    await this.sql`
+      UPDATE agent_sessions SET status = 'closed'
+      WHERE chat_id = ${handle.chatId} AND agent = ${handle.agent}
+    `.catch(() => {});
+  }
+
+  async dispose(): Promise<void> {
+    await this.teardownQuery();
+  }
+
+  /** Close the input queue + dispose the generator. Idempotent. */
+  private async teardownQuery(): Promise<void> {
+    this.up = false;
+    this.busy = false;
+    const q = this.query;
+    const queue = this.input;
+    this.query = null;
+    this.input = null;
+    this.builtModel = null;
+    queue?.close();
+    if (q) {
+      // return() ends the AsyncGenerator and lets the SDK clean up its subprocess.
+      await q.return(undefined).catch(() => {});
+    }
+  }
+}
+
+// ─── helpers ──────────────────────────────────────────────────────────────────
+
+/** Coerce to a non-negative finite integer (tokens). */
+function num(v: unknown): number {
+  const x = typeof v === 'number' ? v : Number(v);
+  return Number.isFinite(x) && x > 0 ? Math.round(x) : 0;
+}
+
+/** Coerce to a non-negative finite float (cost USD). */
+function numF(v: unknown): number {
+  const x = typeof v === 'number' ? v : Number(v);
+  return Number.isFinite(x) && x > 0 ? x : 0;
+}
+
+/** Largest context-window the SDK reports across `result.modelUsage` (a
+ *  `Record<model, ModelUsage>`, each with a `contextWindow`). This is the model's
+ *  OWN window — 1M when the 1M model/beta is active, 200K otherwise — so the
+ *  ContextBar shows the true window without us mapping model→size ourselves. */
+function extractMaxContextWindow(modelUsage: unknown): number {
+  if (!modelUsage || typeof modelUsage !== 'object') return 0;
+  let max = 0;
+  for (const v of Object.values(modelUsage as Record<string, unknown>)) {
+    if (v && typeof v === 'object') {
+      const cw = (v as { contextWindow?: unknown }).contextWindow;
+      if (typeof cw === 'number' && Number.isFinite(cw) && cw > max) max = cw;
+    }
+  }
+  return max;
+}
+
+/** Build a human-readable error from an SDK error-result message. */
+function resultErrorMessage(result: Extract<SDKMessage, { type: 'result' }>): string {
+  if (result.subtype === 'success') return 'ok';
+  const errs = (result as { errors?: string[] }).errors;
+  if (Array.isArray(errs) && errs.length > 0) return `${result.subtype}: ${errs.join('; ')}`;
+  return result.subtype;
+}
+
+function errMsg(e: unknown): string {
+  return e instanceof Error ? e.message : String(e);
+}
--- a/apps/coder/src/services/backends/claude-session-store.ts
+++ b/apps/coder/src/services/backends/claude-session-store.ts
@@ -0,0 +1,117 @@
+import type { SessionStore, SessionKey, SessionStoreEntry } from '@anthropic-ai/claude-agent-sdk';
+import type { Sql } from '../../db.js';
+
+/**
+ * claude-sdk-sessionstore #9 (Part 1) — clean-room PostgresSessionStore.
+ *
+ * A Postgres-backed implementation of the Claude Agent SDK's `SessionStore`
+ * adapter type. The SDK mirrors each transcript line (a JSON-safe POJO with a
+ * `type` discriminant) to this store via `append`; on resume it calls `load`
+ * to materialize the full transcript back. We treat entries as opaque blobs and
+ * preserve append order via a BIGSERIAL `id` — `load` replays `ORDER BY id`.
+ *
+ * Storage shape: one row per entry in `claude_session_entries`, keyed by the
+ * SDK's `SessionKey` (project_key, session_id, subpath). The SDK uses an
+ * *undefined* subpath for the main transcript and disallows the empty string;
+ * we collapse `undefined → ''` so the main transcript and subagent files share
+ * one table, distinguished by the `subpath` column (`'' = main`).
+ *
+ * Clean-room: written against the SDK's published `SessionStore` type contract
+ * and BooCode's existing SQL conventions (porsager tagged templates, `sql.json`
+ * for JSONB). No SDK example/reference code was consulted.
+ */
+export class PostgresSessionStore implements SessionStore {
+  constructor(private readonly sql: Sql) {}
+
+  /**
+   * Mirror a batch of transcript entries. No-op on an empty batch; otherwise a
+   * single multi-row INSERT writes them in array order. Because `id` is a
+   * monotonically-increasing BIGSERIAL, the insert order is the replay order
+   * `load` reconstructs — entries within one call land in the order given.
+   */
+  async append(key: SessionKey, entries: SessionStoreEntry[]): Promise<void> {
+    if (entries.length === 0) return;
+    const subpath = key.subpath ?? '';
+    const rows = entries.map((entry) => ({
+      project_key: key.projectKey,
+      session_id: key.sessionId,
+      subpath,
+      entry: this.sql.json(entry as never),
+    }));
+    await this.sql`
+      INSERT INTO claude_session_entries ${this.sql(rows, 'project_key', 'session_id', 'subpath', 'entry')}
+    `;
+  }
+
+  /**
+   * Load a full transcript for resume. Returns the entries in append order, or
+   * `null` for a (project_key, session_id, subpath) key that was never written.
+   */
+  async load(key: SessionKey): Promise<SessionStoreEntry[] | null> {
+    const subpath = key.subpath ?? '';
+    const rows = await this.sql<{ entry: SessionStoreEntry }[]>`
+      SELECT entry
+      FROM claude_session_entries
+      WHERE project_key = ${key.projectKey}
+        AND session_id = ${key.sessionId}
+        AND subpath = ${subpath}
+      ORDER BY id
+    `;
+    if (rows.length === 0) return null;
+    return rows.map((r) => r.entry);
+  }
+
+  /**
+   * List the main transcripts for a project. `mtime` is the storage write time
+   * (latest `created_at` for the session) in Unix epoch milliseconds; the SDK
+   * sorts the result by mtime descending.
+   */
+  async listSessions(projectKey: string): Promise<Array<{ sessionId: string; mtime: number }>> {
+    const rows = await this.sql<{ session_id: string; mtime: string }[]>`
+      SELECT session_id, extract(epoch FROM max(created_at)) * 1000 AS mtime
+      FROM claude_session_entries
+      WHERE project_key = ${projectKey}
+        AND subpath = ''
+      GROUP BY session_id
+    `;
+    return rows.map((r) => ({ sessionId: r.session_id, mtime: Number(r.mtime) }));
+  }
+
+  /**
+   * Delete a session. With a `subpath` set, only that subpath's rows are
+   * removed; with `subpath` omitted, every row for the session is removed
+   * (all subpaths, including the main transcript).
+   */
+  async delete(key: SessionKey): Promise<void> {
+    if (key.subpath !== undefined) {
+      await this.sql`
+        DELETE FROM claude_session_entries
+        WHERE project_key = ${key.projectKey}
+          AND session_id = ${key.sessionId}
+          AND subpath = ${key.subpath}
+      `;
+      return;
+    }
+    await this.sql`
+      DELETE FROM claude_session_entries
+      WHERE project_key = ${key.projectKey}
+        AND session_id = ${key.sessionId}
+    `;
+  }
+
+  /**
+   * List the distinct non-main subpaths under a session (e.g. subagent files).
+   * Used during resume to discover and materialize subagent transcripts; the
+   * main transcript (`subpath = ''`) is excluded.
+   */
+  async listSubkeys(key: { projectKey: string; sessionId: string }): Promise<string[]> {
+    const rows = await this.sql<{ subpath: string }[]>`
+      SELECT DISTINCT subpath
+      FROM claude_session_entries
+      WHERE project_key = ${key.projectKey}
+        AND session_id = ${key.sessionId}
+        AND subpath <> ''
+    `;
+    return rows.map((r) => r.subpath);
+  }
+}
--- a/apps/coder/src/services/backends/opencode-event-map.ts
+++ b/apps/coder/src/services/backends/opencode-event-map.ts
@@ -0,0 +1,203 @@
+/**
+ * Pure opencode `Event` → normalized `AgentEvent` translation.
+ *
+ * Extracted (v2.7 audit reshape) from `OpenCodeServerBackend.dispatchEvent` /
+ * `handleUpdatedPart` and the file-local helpers. NO I/O, no timers, no DB, no
+ * `byOpencodeId` — every function here is a deterministic transform over its
+ * arguments (the dedup state is caller-owned and mutated in place, mirroring the
+ * `acp-event-map.ts` `priorSnapshots` pattern). This is the unit-testable core; the
+ * backend keeps the routing + side effects (watchdog, usage persistence, settle).
+ *
+ * Depends only on SDK TYPES + AcpToolSnapshot — safe to import anywhere.
+ */
+import type { Event, Part, ToolPart, ToolState } from '@opencode-ai/sdk/v2/client';
+import type { ToolCallStatus } from '@agentclientprotocol/sdk';
+import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
+import type { AgentEvent } from '../agent-backend.js';
+
+/** Per-(opencode session) dedup state the part-stream classifiers read + mutate. */
+export interface DedupState {
+  /** dedup gate: `${type}:${id}` added on delta, deleted-and-tested on updated. */
+  streamedPartKeys: Set<string>;
+  /** partID → 'text' | 'reasoning', so a delta with a non-'reasoning' field is still classed right. */
+  partTypeById: Map<string, string>;
+}
+
+/** Strip opencode-dcp plugin tags that render as literal text in the UI. */
+export function stripDcpTags(s: string): string {
+  return s.replace(/<dcp-message-id>[^<]*<\/dcp-message-id>/g, '');
+}
+
+/** Extract the opencode sessionID an event belongs to, across event shapes.
+ *  Most carry `properties.sessionID`; `message.part.updated` nests it under
+ *  `properties.part.sessionID`. Returns null when the event has no session
+ *  (the per-session loop then leaves it to dispatchEvent, which drops it). */
+export function eventSessionId(ev: Event): string | null {
+  const props = (ev as { properties?: unknown }).properties;
+  if (!props || typeof props !== 'object') return null;
+  if (ev.type === 'message.part.updated') {
+    const part = (props as { part?: { sessionID?: string } }).part;
+    return part?.sessionID ?? null;
+  }
+  return (props as { sessionID?: string }).sessionID ?? null;
+}
+
+/** Ported verbatim from Paseo opencode-agent.ts: id → message-id fallback → null. */
+export function resolvePartDedupeKey(part: { id: string; messageID: string }, type: string): string | null {
+  if (part.id.trim().length > 0) return `${type}:${part.id}`;
+  if (part.messageID.trim().length > 0) return `${type}:message:${part.messageID}`;
+  return null;
+}
+
+export function mapToolStatus(s: ToolState['status'] | undefined): ToolCallStatus | null {
+  switch (s) {
+    case 'pending':
+      return 'pending';
+    case 'running':
+      return 'in_progress';
+    case 'completed':
+      return 'completed';
+    case 'error':
+      return 'failed';
+    default:
+      return null;
+  }
+}
+
+/** opencode ToolPart → ACP-shaped snapshot (reuses the existing persist/render path). */
+export function toolPartToSnapshot(part: ToolPart): AcpToolSnapshot {
+  const state = part.state;
+  let rawInput: unknown;
+  let rawOutput: unknown;
+  let title: string | undefined;
+  if (state) {
+    if ('input' in state) rawInput = (state as { input?: unknown }).input;
+    if ('output' in state) rawOutput = (state as { output?: unknown }).output;
+    else if ('error' in state) rawOutput = (state as { error?: unknown }).error;
+    if ('title' in state) title = (state as { title?: string }).title;
+  }
+  return {
+    toolCallId: part.callID,
+    title: title ?? part.tool,
+    kind: null,
+    status: mapToolStatus(state?.status),
+    rawInput,
+    rawOutput,
+  };
+}
+
+// ─── session.next.tool.* snapshot builders ───────────────────────────────────
+
+/** `session.next.tool.called` → an in-progress tool_call snapshot. */
+export function toolCalledSnapshot(p: { callID: string; tool: string; input: unknown }): AcpToolSnapshot {
+  return {
+    toolCallId: p.callID,
+    title: p.tool,
+    kind: null,
+    status: 'in_progress',
+    rawInput: p.input,
+    rawOutput: undefined,
+  };
+}
+
+/** `session.next.tool.success` → a completed tool snapshot (text content joined). */
+export function toolSuccessSnapshot(p: { callID: string; content?: ReadonlyArray<unknown> | null }): AcpToolSnapshot {
+  const output = p.content?.map((c) => (c && typeof c === 'object' && 'text' in c ? (c as { text: string }).text : '')).join('') ?? '';
+  return {
+    toolCallId: p.callID,
+    title: p.callID,
+    kind: null,
+    status: 'completed',
+    rawInput: undefined,
+    rawOutput: output,
+  };
+}
+
+/** `session.next.tool.failed` → a failed tool snapshot (error stringified). */
+export function toolFailedSnapshot(p: { callID: string; error: unknown }): AcpToolSnapshot {
+  return {
+    toolCallId: p.callID,
+    title: p.callID,
+    kind: null,
+    status: 'failed',
+    rawInput: undefined,
+    rawOutput: errToString(p.error),
+  };
+}
+
+// ─── message.part.* dedup gate ────────────────────────────────────────────────
+
+/**
+ * `message.part.delta`: mark the part as streamed (so a later `message.part.updated`
+ * for the same part is deduped) and return the AgentEvent to emit, or null when the
+ * field is neither reasoning nor text, or a text delta strips down to empty. Mutates
+ * `st.streamedPartKeys` exactly as the original inline arm did (the key is recorded
+ * for text even when the cleaned delta is empty).
+ */
+export function classifyPartDelta(
+  p: { partID: string; field?: string; delta: string },
+  st: DedupState,
+): AgentEvent | null {
+  const isReasoning = p.field === 'reasoning' || st.partTypeById.get(p.partID) === 'reasoning';
+  if (isReasoning) {
+    st.streamedPartKeys.add(`reasoning:${p.partID}`);
+    return { type: 'reasoning', text: p.delta };
+  }
+  if (p.field === 'text') {
+    st.streamedPartKeys.add(`text:${p.partID}`);
+    const cleaned = stripDcpTags(p.delta);
+    return cleaned ? { type: 'text', text: cleaned } : null;
+  }
+  return null;
+}
+
+/**
+ * `message.part.updated` terminal part: the dedup gate for text/reasoning (drop a
+ * part already streamed via deltas; otherwise emit the finished text) plus the
+ * tool-part → tool_call/tool_update mapping. Returns null when nothing should be
+ * emitted. Mutates `st.partTypeById` / `st.streamedPartKeys` like the original.
+ */
+export function classifyUpdatedPart(part: Part, st: DedupState): AgentEvent | null {
+  if (part.type === 'text' || part.type === 'reasoning') {
+    st.partTypeById.set(part.id, part.type);
+    const key = resolvePartDedupeKey(part, part.type);
+    if (key && st.streamedPartKeys.delete(key)) return null; // already streamed via delta
+    const raw = part.text ?? '';
+    const text = part.type === 'text' ? stripDcpTags(raw) : raw;
+    if (text && part.time?.end != null) {
+      return { type: part.type, text };
+    }
+    return null;
+  }
+
+  if (part.type === 'tool') {
+    const snap = toolPartToSnapshot(part);
+    const status = part.state?.status;
+    // tool_call on start (pending/running), tool_update on terminal (completed/error).
+    // The current ACP path merges both into one frame; the contract keeps them
+    // distinct because opencode's SSE distinguishes start from result.
+    return status === 'completed' || status === 'error'
+      ? { type: 'tool_update', toolCall: snap }
+      : { type: 'tool_call', toolCall: snap };
+  }
+  // NOTE: opencode's SSE payload union carries no available-commands event, so the
+  // AgentEvent 'commands' arm is intentionally never emitted here.
+  return null;
+}
+
+// ─── shared error formatters (pure) ───────────────────────────────────────────
+
+export function errMsg(e: unknown): string {
+  return e instanceof Error ? e.message : String(e);
+}
+
+export function errToString(e: unknown): string {
+  if (e == null) return 'unknown error';
+  if (typeof e === 'string') return e;
+  if (e instanceof Error) return e.message;
+  try {
+    return JSON.stringify(e);
+  } catch {
+    return String(e);
+  }
+}
--- a/apps/coder/src/services/backends/opencode-server-process.ts
+++ b/apps/coder/src/services/backends/opencode-server-process.ts
@@ -0,0 +1,325 @@
+/**
+ * OpenCodeServerSupervisor — the opencode `serve` child + HTTP client + port +
+ * health-counter lifecycle, extracted (v2.7 audit reshape) from the backend
+ * god-class. Owns spawn / ready / crash / proactive-health restart / dispose and
+ * exposes `client` / `port` / `health()` / `tickHealth()` to the backend.
+ *
+ * Session-level recovery (failing in-flight turns, marking agent_sessions crashed,
+ * tearing down SSE loops) is NOT a process concern — it's delegated back to the
+ * backend through the injected `hooks.onServerDown` callback, keeping this module
+ * free of the demux map / SQL / turn state.
+ *
+ * v2.7 concurrency hardening: `ensureServer` is guarded against the crash-window
+ * double-spawn (two concurrent callers each re-spawning on different ports) via a
+ * synchronous `startInFlight` flag — see `shouldStartServer`.
+ */
+import { spawn, type ChildProcess } from 'node:child_process';
+import { createOpencodeClient, type OpencodeClient } from '@opencode-ai/sdk/v2/client';
+import type { FastifyBaseLogger } from 'fastify';
+import { decideRestart, DEFAULT_HEALTH_FAILURE_THRESHOLD } from './lifecycle-decisions.js';
+import { reclaimPort, waitForPortRelease, freePort } from '../net/port-utils.js';
+
+const READY_TIMEOUT_MS = 30_000;
+
+/** Info handed to the backend when the server goes down (crash or forced restart). */
+export interface ServerDownInfo {
+  code: number | null;
+  signal: NodeJS.Signals | null;
+  port: number;
+}
+
+export interface SupervisorHooks {
+  /** True iff ANY pooled session has an in-flight turn (defers a busy restart). */
+  isBusy: () => boolean;
+  /** Session-level recovery: fail in-flight turns, mark crashed, drop demux state. */
+  onServerDown: (info: ServerDownInfo) => void;
+}
+
+export interface OpenCodeServerSupervisorDeps {
+  /** Absolute path to the opencode binary (resolved from available_agents). */
+  opencodeBinary: string;
+  log: FastifyBaseLogger;
+  hooks: SupervisorHooks;
+}
+
+/**
+ * Pure decision for `ensureServer`: should we (re)spawn the server right now?
+ *
+ * - A live, ready server (`up && client`) → no.
+ * - A start already in flight (`startInFlight`) → no, NEVER double-spawn — join the
+ *   running start instead. This is checked BEFORE `serverStarting` because the crash
+ *   handler can null `serverStarting` mid-start (a crash during `await freePort()`),
+ *   and without this guard the `!serverStarting` branch would spawn a second server
+ *   on a different port while the first is still coming up.
+ * - No start cached/running → yes (fresh start or post-crash re-spawn, since the
+ *   crash handler nulls `serverStarting`).
+ * - A cached start that already finished, but the child has since died and the crash
+ *   handler hasn't reset us yet → yes.
+ */
+export function shouldStartServer(s: {
+  up: boolean;
+  hasClient: boolean;
+  serverStarting: boolean;
+  childDead: boolean;
+  startInFlight: boolean;
+}): boolean {
+  if (s.up && s.hasClient) return false;
+  if (s.startInFlight) return false;
+  if (!s.serverStarting) return true;
+  if (!s.up && s.childDead) return true;
+  return false;
+}
+
+export class OpenCodeServerSupervisor {
+  private readonly opencodeBinary: string;
+  private readonly log: FastifyBaseLogger;
+  private readonly hooks: SupervisorHooks;
+
+  private childProc: ChildProcess | null = null;
+  private opencodeClient: OpencodeClient | null = null;
+  private serverPort: number | null = null;
+  private up = false;
+  private serverStarting: Promise<void> | null = null;
+  /** True from the synchronous head of startServer() until it settles — the
+   *  double-spawn guard reads it so a concurrent ensureServer joins instead of
+   *  kicking a second spawn. */
+  private startInFlight = false;
+  // Phase 3 busy-aware health monitor (openchamber lift): consecutive failed
+  // probes + the start of an unhealthy-while-busy window feed `decideRestart`.
+  private consecutiveHealthFailures = 0;
+  private unhealthyBusySince = 0;
+  private restarting: Promise<void> | null = null;
+
+  constructor(deps: OpenCodeServerSupervisorDeps) {
+    this.opencodeBinary = deps.opencodeBinary;
+    this.log = deps.log;
+    this.hooks = deps.hooks;
+  }
+
+  /** The live opencode HTTP client, or null between (re)starts. */
+  get client(): OpencodeClient | null {
+    return this.opencodeClient;
+  }
+
+  /** The current server port, or null before the first start. */
+  get port(): number | null {
+    return this.serverPort;
+  }
+
+  /** §2: liveness for the health endpoint + dispatcher fallback decision. */
+  health(): 'up' | 'down' {
+    return this.up ? 'up' : 'down';
+  }
+
+  isUp(): boolean {
+    return this.up;
+  }
+
+  // ─── lifecycle (spawn once + client + ready; crash-restart) ──────────────────
+
+  /**
+   * Lazy: start the single server on first use; re-spawn after a crash. Idempotent
+   * within one live server — `serverStarting` caches the in-flight start, reset to
+   * null by the crash handler so the NEXT ensureServer re-spawns. A dead-but-not-
+   * yet-reaped child (exit handler raced) is also treated as needing a restart.
+   * Concurrent callers in a crash window are coalesced via `startInFlight`.
+   */
+  ensureServer(): Promise<void> {
+    if (this.up && this.opencodeClient) return Promise.resolve();
+    const childDead =
+      this.childProc != null && (this.childProc.exitCode !== null || this.childProc.signalCode !== null);
+    if (
+      shouldStartServer({
+        up: this.up,
+        hasClient: this.opencodeClient != null,
+        serverStarting: this.serverStarting != null,
+        childDead,
+        startInFlight: this.startInFlight,
+      })
+    ) {
+      this.serverStarting = this.startServer();
+    }
+    return this.serverStarting ?? Promise.resolve();
+  }
+
+  private async startServer(): Promise<void> {
+    // Set synchronously (before the first await) so a concurrent ensureServer sees
+    // the in-flight start and joins `serverStarting` instead of double-spawning.
+    this.startInFlight = true;
+    try {
+      const port = await freePort();
+
+      // Phase 1: run unsecured on loopback (opencode's documented default — serve.ts
+      // only WARNS when OPENCODE_SERVER_PASSWORD is unset). The real boundary is the
+      // 127.0.0.1 bind.
+      const child = spawn(this.opencodeBinary, ['serve', '--hostname', '127.0.0.1', '--port', String(port)], {
+        stdio: ['ignore', 'pipe', 'pipe'],
+        env: { ...process.env },
+      });
+      this.childProc = child;
+      this.serverPort = port;
+
+      // Child lifetime is the backend's (the pool's), NOT a request's. On unexpected
+      // exit we recover: settle in-flight turns, mark sessions crashed (the backend's
+      // onServerDown), reclaim the port, and reset state so the next ensureServer
+      // re-spawns.
+      child.on('exit', (code, signal) => {
+        // Only react to THIS child's exit (a restart may have swapped in a new one).
+        if (this.childProc !== child) return;
+        this.handleCrash(code, signal, port);
+      });
+
+      await waitForReady(child, READY_TIMEOUT_MS);
+
+      this.opencodeClient = createOpencodeClient({ baseUrl: `http://127.0.0.1:${port}` });
+      this.up = true;
+      this.log.info({ port }, 'opencode-server: ready');
+    } finally {
+      this.startInFlight = false;
+    }
+  }
+
+  /**
+   * Server down (crash-exit or forced restart): reset process/port state, delegate
+   * session-level recovery to the backend, and reclaim the port. Mirrors the
+   * original `handleServerCrash` ordering (up=false → session cleanup → client/
+   * serverStarting null → reclaimPort).
+   */
+  private handleCrash(code: number | null, signal: NodeJS.Signals | null, port: number): void {
+    this.up = false;
+    this.hooks.onServerDown({ code, signal, port });
+    this.opencodeClient = null;
+    this.serverStarting = null; // force a re-spawn on the next ensureServer
+    // Reclaim the port so a re-spawn on a fixed/leaked port isn't blocked. Best
+    // effort; the next start uses a fresh ephemeral port anyway.
+    reclaimPort(port);
+  }
+
+  /**
+   * Phase 3 proactive health monitor (openchamber `runHealthCheckCycle` lift,
+   * busy-aware). Probes /global/health; on a sustained failure of a NON-busy server,
+   * force a restart so the next turn isn't blocked by a wedged process. Busy servers
+   * are deferred via the stale-grace in `decideRestart`. No-op when never started or
+   * a restart is already in flight.
+   */
+  async tickHealth(now: number = Date.now()): Promise<void> {
+    if (!this.childProc || this.restarting) return;
+    const childExited = this.childProc.exitCode !== null || this.childProc.signalCode !== null;
+    // An exited child is recovered lazily by ensureServer; don't double-restart it.
+    if (childExited) return;
+
+    const healthy = await this.probeHealth();
+    if (healthy) {
+      this.consecutiveHealthFailures = 0;
+      this.unhealthyBusySince = 0;
+      return;
+    }
+    this.consecutiveHealthFailures += 1;
+    const busy = this.hooks.isBusy();
+    const decision = decideRestart({
+      processExited: false,
+      consecutiveFailures: this.consecutiveHealthFailures,
+      busy,
+      unhealthyBusySince: this.unhealthyBusySince,
+      now,
+      failureThreshold: DEFAULT_HEALTH_FAILURE_THRESHOLD,
+    });
+    // Stamp the start of an unhealthy-while-busy window so the stale-grace can fire.
+    if (busy && this.unhealthyBusySince === 0) this.unhealthyBusySince = now;
+    if (decision.action === 'restart') {
+      this.log.warn(
+        { failures: this.consecutiveHealthFailures, busy, reason: decision.reason },
+        'opencode-server: health monitor forcing restart',
+      );
+      this.consecutiveHealthFailures = 0;
+      this.unhealthyBusySince = 0;
+      await this.restartServer();
+    }
+  }
+
+  private async probeHealth(): Promise<boolean> {
+    if (!this.opencodeClient) return false;
+    try {
+      const res = await this.opencodeClient.global.health();
+      return !res.error;
+    } catch {
+      return false;
+    }
+  }
+
+  /** Force-kill the current server + reclaim its port; the next ensureServer
+   *  re-spawns (lazy). Mirrors handleCrash's state reset but is initiated by the
+   *  health monitor rather than the OS. */
+  private async restartServer(): Promise<void> {
+    if (this.restarting) return this.restarting;
+    this.restarting = (async () => {
+      const child = this.childProc;
+      const port = this.serverPort;
+      this.up = false;
+      // Fail in-flight turns + mark sessions crashed via the same path as a crash.
+      if (child) {
+        this.handleCrash(null, null, port ?? 0);
+        if (!child.killed) child.kill('SIGTERM');
+      }
+      if (port) {
+        reclaimPort(port);
+        await waitForPortRelease(port, 3_000);
+      }
+      this.childProc = null;
+    })().finally(() => {
+      this.restarting = null;
+    });
+    return this.restarting;
+  }
+
+  /** Full teardown of the child + client + port state. */
+  async dispose(): Promise<void> {
+    this.up = false;
+    const child = this.childProc;
+    this.childProc = null;
+    this.opencodeClient = null;
+    if (child && !child.killed) {
+      child.kill('SIGTERM');
+      const t = setTimeout(() => {
+        if (!child.killed) child.kill('SIGKILL');
+      }, 5_000);
+      t.unref();
+    }
+  }
+}
+
+/** Resolve when the child prints the ready line; reject on timeout or early exit. */
+function waitForReady(child: ChildProcess, timeoutMs: number): Promise<void> {
+  return new Promise((resolve, reject) => {
+    let done = false;
+    let stderrBuf = '';
+
+    const finish = (err?: Error) => {
+      if (done) return;
+      done = true;
+      clearTimeout(timer);
+      child.stdout?.off('data', onOut);
+      child.stderr?.off('data', onErr);
+      child.off('exit', onExit);
+      if (err) reject(err);
+      else resolve();
+    };
+
+    const onOut = (buf: Buffer) => {
+      if (buf.toString().includes('opencode server listening on')) finish();
+    };
+    const onErr = (buf: Buffer) => {
+      stderrBuf += buf.toString();
+    };
+    const onExit = (code: number | null) =>
+      finish(new Error(`opencode serve exited before ready (code ${code}); stderr: ${stderrBuf.slice(-2000)}`));
+    const timer = setTimeout(
+      () => finish(new Error(`opencode serve not ready in ${timeoutMs}ms; stderr: ${stderrBuf.slice(-2000)}`)),
+      timeoutMs,
+    );
+
+    child.stdout?.on('data', onOut);
+    child.stderr?.on('data', onErr);
+    child.on('exit', onExit);
+  });
+}
--- a/apps/coder/src/services/backends/opencode-server.ts
+++ b/apps/coder/src/services/backends/opencode-server.ts
@@ -1,91 +1,64 @@
 /**
- * v2.6 Phase 1 — OpenCodeServerBackend.
+ * v2.6 Phase 1 — OpenCodeServerBackend (slimmed, v2.7 audit reshape).
 *
 * Warm, multi-turn backend for the `opencode` agent. One `opencode serve` HTTP
 * server per BooCoder process; one opencode session per BooCode session (resumed
 * on switch-back); one SSE read loop PER session, each scoped to that session's
- * worktree directory so sessions in different directories stream concurrently
- * (P1.5-a — replaced the Phase-1 single-stream-last-directory model).
+ * worktree directory so sessions in different directories stream concurrently.
+ *
+ * This file is now just the `AgentBackend` SURFACE — ensureSession / prompt /
+ * accumulateUsage / closeSession + the per-session demux side effects (watchdog,
+ * reconcile, usage). It composes three extracted collaborators:
+ *   - `OpenCodeServerSupervisor` (opencode-server-process.ts) — child/client/port/
+ *     health lifecycle, spawn/crash/restart/dispose.
+ *   - the per-session SSE loop (opencode-sse.ts) — subscribe + reconnect/backoff.
+ *   - the pure event map (opencode-event-map.ts) — Event → AgentEvent translation,
+ *     dedup gate, dcp-strip, tool-snapshot.
 *
 * Implements the Phase 0 `AgentBackend` interface. Emits transport-agnostic
- * `AgentEvent`s — the dispatcher (Phase 1.7, NOT wired in this batch) maps them
- * to WS frames. No dispatcher/route references this file yet.
+ * `AgentEvent`s; the dispatcher maps them to WS frames.
 *
 * Spec: openspec/changes/v2-6-persistent-agent-sessions/design.md §2 / §2a.
- * SDK shapes verified by direct read of @opencode-ai/sdk@1.15.12 dist .d.ts:
- *   - client methods take FLATTENED params (sessionID/directory/body all inline),
- *     not {path,query,body}. create→{directory}, promptAsync→{sessionID,directory,
- *     parts,model}, abort→{sessionID,directory}. model is {providerID,modelID}.
- *   - client.event() resolves to { stream: AsyncGenerator<GlobalEvent> }; the
- *     real event is chunk.payload (discriminate on chunk.payload.type).
- *   - promptAsync is fire-and-forget (204); the turn completes via a
- *     'session.idle' event for that opencode session id.
 */
-import { spawn, spawnSync, type ChildProcess } from 'node:child_process';
 import { createHash } from 'node:crypto';
-import { createServer, connect as netConnect } from 'node:net';
 import type { FastifyBaseLogger } from 'fastify';
-import {
-  createOpencodeClient,
-  type OpencodeClient,
-  type Event,
-  type Part,
-  type ToolPart,
-  type ToolState,
-  type AssistantMessage,
-} from '@opencode-ai/sdk/v2/client';
-import type { ToolCallStatus } from '@agentclientprotocol/sdk';
+import type { Event, AssistantMessage } from '@opencode-ai/sdk/v2/client';
 import type { Sql } from '../../db.js';
-import type { AcpToolSnapshot } from '../acp-tool-snapshot.js';
 import { armAbortGuard, noteTurnActivity, consumeTerminal } from './turn-guard.js';
 import { stepEndedToUsage, type StepUsage } from './opencode-usage.js';
-import { decideRestart, DEFAULT_HEALTH_FAILURE_THRESHOLD } from './lifecycle-decisions.js';
+import { OpenCodeServerSupervisor, type ServerDownInfo } from './opencode-server-process.js';
+import {
+  startSessionEventLoop,
+  type SessionState,
+  type TurnState,
+  type SseLoopDeps,
+} from './opencode-sse.js';
+import {
+  classifyPartDelta,
+  classifyUpdatedPart,
+  toolCalledSnapshot,
+  toolSuccessSnapshot,
+  toolFailedSnapshot,
+  stripDcpTags,
+  errMsg,
+  errToString,
+} from './opencode-event-map.js';
 import type {
  AgentBackend,
-  AgentEvent,
  AgentSessionHandle,
  EnsureSessionOpts,
  PromptCtx,
  TurnResult,
 } from '../agent-backend.js';

-const READY_TIMEOUT_MS = 30_000;
-const SSE_RECONNECT_DELAY_MS = 1_000;
 /**
 * No-activity backstop for an in-flight turn. opencode streams reasoning/text/tool
 * deltas continuously while working, so "zero events for this long" means the turn
- * is wedged or its terminal event (session.idle) was lost (see the reconnect race
- * below). Generous so a legitimately slow turn never trips it.
+ * is wedged or its terminal event (session.idle) was lost. Generous so a
+ * legitimately slow turn never trips it.
 */
 const TURN_INACTIVITY_MS = 180_000;

-/** One in-flight turn's emitter + completion settler. */
-interface TurnState {
-  onEvent: (e: AgentEvent) => void;
-  settle: (r: TurnResult) => void;
-}
-
-/** Per-(opencode session) demux state. dedup sets scoped here, cleared per turn. */
-interface SessionState {
-  boocodeSessionId: string;
-  agentSessionId: string;
-  /** Worktree directory for SDK `directory` routing; refreshed each turn from ctx. */
-  worktreePath: string;
-  /** dedup gate: `${type}:${id}` added on delta, deleted-and-tested on updated. Cleared at turn end. */
-  streamedPartKeys: Set<string>;
-  /** partID → 'text' | 'reasoning', so a delta with a non-'reasoning' field is still classed right. Cleared at turn end. */
-  partTypeById: Map<string, string>;
-  activeTurn: TurnState | null;
-  /** Inactivity backstop timer for the active turn; null when no turn in flight. */
-  watchdog: ReturnType<typeof setTimeout> | null;
-  /** Per-session SSE subscription handle. Non-null while the loop is running;
-   *  aborting it tears down the underlying fetch and exits the loop. */
-  sseAbort: AbortController | null;
-  /** F.1 post-abort orphan-terminal guard: swallow the one session.idle/error
-   *  opencode emits for an aborted turn so it can't settle the next turn. */
-  swallowNextTerminal: boolean;
-}
-
 export interface OpenCodeServerBackendDeps {
  sql: Sql;
  log: FastifyBaseLogger;
@@ -98,36 +71,32 @@ export class OpenCodeServerBackend implements AgentBackend {

  private readonly sql: Sql;
  private readonly log: FastifyBaseLogger;
-  private readonly opencodeBinary: string;
-
-  private child: ChildProcess | null = null;
-  private client: OpencodeClient | null = null;
-  private port: number | null = null;
-  private up = false;
-  private serverStarting: Promise<void> | null = null;
-  // Phase 3 busy-aware health monitor (openchamber lift): consecutive failed
-  // probes + the start of an unhealthy-while-busy window feed `decideRestart`.
-  private consecutiveHealthFailures = 0;
-  private unhealthyBusySince = 0;
-  private restarting: Promise<void> | null = null;
+  private readonly supervisor: OpenCodeServerSupervisor;

  /** opencode session id → demux state. Maintained by ensureSession; read by the SSE loop. */
  private readonly byOpencodeId = new Map<string, SessionState>();
+  /** Coalesces concurrent ensureSession calls for the same (chat, agent) key. */
+  private readonly ensuring = new Map<string, Promise<AgentSessionHandle>>();

  constructor(deps: OpenCodeServerBackendDeps) {
    this.sql = deps.sql;
    this.log = deps.log;
-    this.opencodeBinary = deps.opencodeBinary;
+    this.supervisor = new OpenCodeServerSupervisor({
+      opencodeBinary: deps.opencodeBinary,
+      log: deps.log,
+      hooks: {
+        isBusy: () => this.isBusy(),
+        onServerDown: (info) => this.onServerDown(info),
+      },
+    });
  }

  /** §2: liveness for the health endpoint + dispatcher fallback decision. */
  health(): 'up' | 'down' {
-    return this.up ? 'up' : 'down';
+    return this.supervisor.health();
  }

-  /** Phase 3: busy iff ANY pooled opencode session has an in-flight turn. The
-   *  pool reads this to skip idle/LRU eviction and the health-monitor to defer a
-   *  restart (never tear down a session mid-stream). */
+  /** Phase 3: busy iff ANY pooled opencode session has an in-flight turn. */
  isBusy(): boolean {
    for (const st of this.byOpencodeId.values()) {
      if (st.activeTurn) return true;
@@ -135,72 +104,23 @@ export class OpenCodeServerBackend implements AgentBackend {
    return false;
  }

-  // ─── Server lifecycle (1.2: spawn once + client + ready; Phase 3 crash-restart) ──
-
-  /**
-   * Lazy: start the single server on first use; re-spawn after a crash. Idempotent
-   * within one live server — `serverStarting` caches the in-flight start, and is
-   * reset to null by the crash handler so the NEXT ensureServer re-spawns a fresh
-   * server (Phase 3 crash recovery). A dead-but-not-yet-reaped child (exit handler
-   * raced) is also treated as needing a restart.
-   */
-  private ensureServer(): Promise<void> {
-    const childDead = this.child != null && (this.child.exitCode !== null || this.child.signalCode !== null);
-    if (!this.serverStarting || (!this.up && childDead)) {
-      this.serverStarting = this.startServer();
-    }
-    return this.serverStarting;
-  }
-
-  private async startServer(): Promise<void> {
-    const port = await freePort();
-
-    // Phase 1: run unsecured on loopback (opencode's documented default — serve.ts
-    // only WARNS when OPENCODE_SERVER_PASSWORD is unset). The real boundary is the
-    // 127.0.0.1 bind. Defense-in-depth basic-auth is deferred: the hey-api client's
-    // auth wiring + opencode's exact scheme must be confirmed against a live server
-    // first, else every request 401s. Recon explicitly said "do NOT block on it".
-    const child = spawn(this.opencodeBinary, ['serve', '--hostname', '127.0.0.1', '--port', String(port)], {
-      stdio: ['ignore', 'pipe', 'pipe'],
-      env: { ...process.env },
-    });
-    this.child = child;
-    this.port = port;
-
-    // Child lifetime is the backend's (the pool's), NOT a request's. We never tie
-    // it to a per-turn abort signal. Phase 3: on unexpected exit we recover —
-    // settle any in-flight turns as failed, mark their agent_sessions rows crashed,
-    // and reset `serverStarting` so the next ensureServer re-spawns. opencode keeps
-    // sessions on disk, but a fresh server's in-memory state is gone, so the next
-    // turn's ensureSession (rows now 'crashed') creates fresh opencode sessions.
-    child.on('exit', (code, signal) => {
-      // Only react to THIS child's exit (a restart may have swapped in a new one).
-      if (this.child !== child) return;
-      this.handleServerCrash(code, signal, port);
-    });
-
-    await waitForReady(child, READY_TIMEOUT_MS);
-
-    this.client = createOpencodeClient({ baseUrl: `http://127.0.0.1:${port}` });
-    this.up = true;
-    this.log.info({ port }, 'opencode-server: ready');
+  /** Phase 3 proactive health probe + busy-aware self-restart, run by the pool's
+   *  periodic sweep. Delegates to the supervisor. */
+  async tickHealth(now: number = Date.now()): Promise<void> {
+    await this.supervisor.tickHealth(now);
  }

  /**
-   * Crash handler (Phase 3, lift of openchamber's restart-on-exit path). The
-   * server died with N live opencode sessions; we can't restart it here (the next
-   * turn does, lazily — avoids a restart storm if the binary is broken). We:
-   *   1. fail every in-flight turn so its dispatcher unblocks + publishes an error,
-   *   2. mark each session's agent_sessions row 'crashed' so ensureSession won't
-   *      resume a now-dead native session id (it creates fresh),
-   *   3. tear down the SSE loops + demux state (stale against the dead server),
-   *   4. reclaim the port + reset state so the next ensureServer re-spawns.
+   * Server down (crash-exit or forced restart): fail every in-flight turn so its
+   * dispatcher unblocks, mark each session crashed so ensureSession won't resume a
+   * now-dead native id, and tear down the SSE loops + demux state. Invoked by the
+   * supervisor (it owns the process/port reset). Mirrors the original
+   * handleServerCrash session-half byte-for-byte.
   */
-  private handleServerCrash(code: number | null, signal: NodeJS.Signals | null, port: number): void {
-    this.up = false;
+  private onServerDown(info: ServerDownInfo): void {
    const states = [...this.byOpencodeId.values()];
    this.log.warn(
-      { code, signal, port, liveSessions: states.length },
+      { code: info.code, signal: info.signal, port: info.port, liveSessions: states.length },
      'opencode-server: child exited — recovering (fail in-flight, mark crashed, re-spawn next turn)',
    );

@@ -219,8 +139,6 @@ export class OpenCodeServerBackend implements AgentBackend {
    }
    // Drop the demux map: every session id is stale against a fresh server.
    this.byOpencodeId.clear();
-    this.client = null;
-    this.serverStarting = null; // force a re-spawn on the next ensureServer

    if (crashedIds.length > 0) {
      this.sql`
@@ -230,146 +148,20 @@ export class OpenCodeServerBackend implements AgentBackend {
        this.log.warn({ err: errMsg(err) }, 'opencode-server: failed to mark crashed sessions (non-fatal)');
      });
    }
-
-    // Reclaim the port so a re-spawn on a fixed/leaked port isn't blocked. Best
-    // effort; the next start uses a fresh ephemeral port anyway.
-    reclaimPort(port);
  }

-  /**
-   * Phase 3 proactive health monitor (openchamber `runHealthCheckCycle` lift,
-   * busy-aware). Probes the server's /global/health; on a sustained failure of a
-   * NON-busy server, force a restart so the next turn isn't blocked by a wedged
-   * (hung-but-not-exited) process. Busy servers are deferred via the stale-grace in
-   * `decideRestart` — never tear down live work. Driven by the pool's periodic
-   * sweep (best-effort; a crash-exit is already handled by `handleServerCrash` +
-   * lazy `ensureServer` re-spawn, so this only catches the hung case). No-op when
-   * the server was never started or a restart is already in flight.
-   */
-  async tickHealth(now: number = Date.now()): Promise<void> {
-    if (!this.child || this.restarting) return;
-    const childExited = this.child.exitCode !== null || this.child.signalCode !== null;
-    // An exited child is recovered lazily by ensureServer; don't double-restart it.
-    if (childExited) return;
+  // ─── SSE loop wiring ─────────────────────────────────────────────────────────

-    const healthy = await this.probeHealth();
-    if (healthy) {
-      this.consecutiveHealthFailures = 0;
-      this.unhealthyBusySince = 0;
-      return;
-    }
-    this.consecutiveHealthFailures += 1;
-    const busy = this.isBusy();
-    const decision = decideRestart({
-      processExited: false,
-      consecutiveFailures: this.consecutiveHealthFailures,
-      busy,
-      unhealthyBusySince: this.unhealthyBusySince,
-      now,
-      failureThreshold: DEFAULT_HEALTH_FAILURE_THRESHOLD,
-    });
-    // Stamp the start of an unhealthy-while-busy window so the stale-grace can fire.
-    if (busy && this.unhealthyBusySince === 0) this.unhealthyBusySince = now;
-    if (decision.action === 'restart') {
-      this.log.warn(
-        { failures: this.consecutiveHealthFailures, busy, reason: decision.reason },
-        'opencode-server: health monitor forcing restart',
-      );
-      this.consecutiveHealthFailures = 0;
-      this.unhealthyBusySince = 0;
-      await this.restartServer();
-    }
-  }
-
-  private async probeHealth(): Promise<boolean> {
-    if (!this.client) return false;
-    try {
-      const res = await this.client.global.health();
-      return !res.error;
-    } catch {
-      return false;
-    }
-  }
-
-  /** Force-kill the current server + reclaim its port; the next ensureServer
-   *  re-spawns (lazy). Mirrors handleServerCrash's state reset but is initiated by
-   *  the health monitor rather than the OS. */
-  private async restartServer(): Promise<void> {
-    if (this.restarting) return this.restarting;
-    this.restarting = (async () => {
-      const child = this.child;
-      const port = this.port;
-      this.up = false;
-      // Fail in-flight turns + mark sessions crashed via the same path as a crash.
-      if (child) {
-        this.handleServerCrash(null, null, port ?? 0);
-        if (!child.killed) child.kill('SIGTERM');
-      }
-      if (port) {
-        reclaimPort(port);
-        await waitForPortRelease(port, 3_000);
-      }
-      this.child = null;
-    })().finally(() => {
-      this.restarting = null;
-    });
-    return this.restarting;
-  }
-
-  // ─── SSE read loop + demux + translate (1.3) + dedup (1.4) ───────────────────
-
-  /** Per-session SSE subscription, scoped to the session's worktree directory.
-   *  opencode scopes events by the `directory` query param (defaults to the
-   *  server's cwd if omitted), so two sessions in different worktrees each get
-   *  their own dir-scoped stream and never drop each other's events. Idempotent:
-   *  a no-op if this session's loop is already running. Started from ensureSession
-   *  (and defensively from prompt) once worktreePath is known. */
-  private startSessionEventLoop(state: SessionState): void {
-    if (state.sseAbort) return; // already running
-    const abort = new AbortController();
-    state.sseAbort = abort;
-    void this.runSessionEventLoop(state, abort).finally(() => {
-      // Only clear if this controller is still the live one (a later restart may
-      // have already installed a new one).
-      if (state.sseAbort === abort) state.sseAbort = null;
-    });
-  }
-
-  private async runSessionEventLoop(state: SessionState, abort: AbortController): Promise<void> {
-    const signal = abort.signal;
-    while (this.up && this.client && !signal.aborted) {
-      try {
-        // Re-read worktreePath each (re)subscribe so a directory refresh is picked
-        // up on reconnect. Passing `signal` lets close/dispose tear down a stream
-        // that's parked in `for await` between events.
-        const sub = await this.client.event.subscribe(
-          { directory: state.worktreePath },
-          { signal },
-        );
-        for await (const ev of sub.stream) {
-          if (signal.aborted) break;
-          // Dir-scoped streams should only carry this session's events, but two
-          // sessions sharing a worktree (possible post-P1.5-b) each receive BOTH
-          // sessions' events — so drop anything that isn't ours, else the other
-          // session's deltas get processed twice (once per loop).
-          const sid = eventSessionId(ev);
-          if (sid != null && sid !== state.agentSessionId) continue;
-          this.dispatchEvent(ev);
-        }
-        if (this.up && !signal.aborted) {
-          await this.reconcile(state); // recover an idle/error lost during the gap
-          await sleep(SSE_RECONNECT_DELAY_MS);
-        }
-      } catch (err) {
-        if (!this.up || signal.aborted) break;
-        this.log.warn(
-          { err: errMsg(err), agentSessionId: state.agentSessionId },
-          'opencode-server: session event loop error; reconnecting',
-        );
-        await this.reconcile(state);
-        await sleep(SSE_RECONNECT_DELAY_MS);
-      }
-    }
+  /** The dependency bundle the per-session SSE loop reads. */
+  private sseDeps(): SseLoopDeps {
+    return {
+      isUp: () => this.supervisor.isUp(),
+      getClient: () => this.supervisor.client,
+      dispatchEvent: (ev) => this.dispatchEvent(ev),
+      reconcile: (st) => this.reconcile(st),
+      onReconnectGiveUp: (st) => this.onReconnectGiveUp(st),
+      log: this.log,
+    };
  }

  /** Demux one event to the owning session's active turn. Unknown/between-turns → drop. */
@@ -398,15 +190,7 @@ export class OpenCodeServerBackend implements AgentBackend {
        const st = this.byOpencodeId.get(p.sessionID);
        if (!st?.activeTurn) return;
        this.bumpActivity(st);
-        const snap: AcpToolSnapshot = {
-          toolCallId: p.callID,
-          title: p.tool,
-          kind: null,
-          status: 'in_progress',
-          rawInput: p.input,
-          rawOutput: undefined,
-        };
-        st.activeTurn.onEvent({ type: 'tool_call', toolCall: snap });
+        st.activeTurn.onEvent({ type: 'tool_call', toolCall: toolCalledSnapshot(p) });
        return;
      }
      case 'session.next.tool.success': {
@@ -414,16 +198,7 @@ export class OpenCodeServerBackend implements AgentBackend {
        const st = this.byOpencodeId.get(p.sessionID);
        if (!st?.activeTurn) return;
        this.bumpActivity(st);
-        const output = p.content?.map((c) => ('text' in c ? (c as { text: string }).text : '')).join('') ?? '';
-        const snap: AcpToolSnapshot = {
-          toolCallId: p.callID,
-          title: p.callID,
-          kind: null,
-          status: 'completed',
-          rawInput: undefined,
-          rawOutput: output,
-        };
-        st.activeTurn.onEvent({ type: 'tool_update', toolCall: snap });
+        st.activeTurn.onEvent({ type: 'tool_update', toolCall: toolSuccessSnapshot(p) });
        return;
      }
      case 'session.next.tool.failed': {
@@ -431,15 +206,7 @@ export class OpenCodeServerBackend implements AgentBackend {
        const st = this.byOpencodeId.get(p.sessionID);
        if (!st?.activeTurn) return;
        this.bumpActivity(st);
-        const snap: AcpToolSnapshot = {
-          toolCallId: p.callID,
-          title: p.callID,
-          kind: null,
-          status: 'failed',
-          rawInput: undefined,
-          rawOutput: errToString(p.error),
-        };
-        st.activeTurn.onEvent({ type: 'tool_update', toolCall: snap });
+        st.activeTurn.onEvent({ type: 'tool_update', toolCall: toolFailedSnapshot(p) });
        return;
      }
      // ─── per-step usage (U.6) — token/cost accounting for opencode sessions ──
@@ -449,8 +216,7 @@ export class OpenCodeServerBackend implements AgentBackend {
        if (!st?.activeTurn) return;
        this.bumpActivity(st);
        // Accumulate this step's normalized usage onto the (chat_id, agent) row.
-        // Fire-and-forget: a DB hiccup must not stall the turn. opencode emits this
-        // once per LLM step, so a multi-tool turn sums several deltas.
+        // Fire-and-forget: a DB hiccup must not stall the turn.
        const usage = stepEndedToUsage(p);
        void this.accumulateUsage(st, usage);
        return;
@@ -461,15 +227,8 @@ export class OpenCodeServerBackend implements AgentBackend {
        const st = this.byOpencodeId.get(p.sessionID);
        if (!st?.activeTurn) return;
        this.bumpActivity(st);
-        const isReasoning = p.field === 'reasoning' || st.partTypeById.get(p.partID) === 'reasoning';
-        if (isReasoning) {
-          st.streamedPartKeys.add(`reasoning:${p.partID}`);
-          st.activeTurn.onEvent({ type: 'reasoning', text: p.delta });
-        } else if (p.field === 'text') {
-          st.streamedPartKeys.add(`text:${p.partID}`);
-          const cleaned = stripDcpTags(p.delta);
-          if (cleaned) st.activeTurn.onEvent({ type: 'text', text: cleaned });
-        }
+        const e = classifyPartDelta(p, st);
+        if (e) st.activeTurn.onEvent(e);
        return;
      }
      case 'message.part.updated': {
@@ -477,7 +236,8 @@ export class OpenCodeServerBackend implements AgentBackend {
        const st = this.byOpencodeId.get(part.sessionID);
        if (!st?.activeTurn) return;
        this.bumpActivity(st);
-        this.handleUpdatedPart(part, st);
+        const e = classifyUpdatedPart(part, st);
+        if (e) st.activeTurn.onEvent(e);
        return;
      }
      // ─── lifecycle ─────────────────────────────────────────────────────────
@@ -502,40 +262,6 @@ export class OpenCodeServerBackend implements AgentBackend {
    }
  }

-  /** Terminal part: dedup gate for text/reasoning; tool parts → tool_call/tool_update. */
-  private handleUpdatedPart(part: Part, st: SessionState): void {
-    const turn = st.activeTurn;
-    if (!turn) return;
-
-    if (part.type === 'text' || part.type === 'reasoning') {
-      st.partTypeById.set(part.id, part.type);
-      const key = resolvePartDedupeKey(part, part.type);
-      if (key && st.streamedPartKeys.delete(key)) return; // already streamed via delta
-      const raw = part.text ?? '';
-      const text = part.type === 'text' ? stripDcpTags(raw) : raw;
-      if (text && part.time?.end != null) {
-        turn.onEvent({ type: part.type, text });
-      }
-      return;
-    }
-
-    if (part.type === 'tool') {
-      const snap = toolPartToSnapshot(part);
-      const status = part.state?.status;
-      // tool_call on start (pending/running), tool_update on terminal (completed/error).
-      // The current ACP path merges both into one frame; the contract keeps them
-      // distinct because opencode's SSE distinguishes start from result.
-      const event: AgentEvent =
-        status === 'completed' || status === 'error'
-          ? { type: 'tool_update', toolCall: snap }
-          : { type: 'tool_call', toolCall: snap };
-      turn.onEvent(event);
-      return;
-    }
-    // NOTE: opencode's SSE payload union carries no available-commands event, so the
-    // AgentEvent 'commands' arm is intentionally never emitted here (1.3).
-  }
-
  // ─── turn-completion resilience (watchdog + reconnect reconcile) ─────────────

  /** Reset the inactivity backstop on any event routed to a session's active turn. */
@@ -550,8 +276,8 @@ export class OpenCodeServerBackend implements AgentBackend {
    st.watchdog.unref?.();
  }

-  /** Watchdog fired: reconcile once; if the server says still-running we can't tell, so fail closed.
-   *  Also mark the agent_sessions row crashed so a stale session isn't resumed next turn. */
+  /** Watchdog fired: reconcile once; if still-running we can't tell, so fail closed.
+   *  Also mark the agent_sessions row crashed so a stale session isn't resumed. */
  private async onTurnStall(st: SessionState): Promise<void> {
    const settled = await this.reconcile(st);
    if (!settled) {
@@ -564,16 +290,27 @@ export class OpenCodeServerBackend implements AgentBackend {
    }
  }

+  /** SSE circuit-breaker fired (reconnect gave up): fail the active turn + mark the
+   *  session crashed so it isn't resumed. The next turn re-creates a fresh session. */
+  private async onReconnectGiveUp(st: SessionState): Promise<void> {
+    if (!st.activeTurn) return;
+    await this.sql`
+      UPDATE agent_sessions SET status = 'crashed'
+      WHERE agent_session_id = ${st.agentSessionId}
+    `.catch(() => {});
+    st.activeTurn?.settle({ ok: false, error: 'opencode SSE stream lost (reconnect gave up)' });
+  }
+
  /**
   * Ask the server whether this session's turn already finished — recovers a
   * session.idle/error lost during an SSE gap. Returns true if it settled the turn.
-   * Inconclusive (still running / call failed) → false; the watchdog covers that.
   */
  private async reconcile(st: SessionState): Promise<boolean> {
    const turn = st.activeTurn;
-    if (!turn || !this.client) return false;
+    const client = this.supervisor.client;
+    if (!turn || !client) return false;
    try {
-      const res = await this.client.session.messages({
+      const res = await client.session.messages({
        sessionID: st.agentSessionId,
        directory: st.worktreePath,
      });
@@ -605,10 +342,8 @@ export class OpenCodeServerBackend implements AgentBackend {

  /**
   * Accumulate one `session.next.step.ended`'s normalized usage onto the session's
-   * agent_sessions row, keyed by the resumed `agent_session_id` (unique per active
-   * row — the dispatcher's `(chat_id, agent)` lookup wrote it). Running totals for
-   * the whole conversation context (not last-step). Zero-delta steps are skipped to
-   * avoid a no-op write. Errors are swallowed: usage telemetry must never fail a turn.
+   * agent_sessions row. Running totals for the whole conversation context. Zero-delta
+   * steps are skipped. Errors are swallowed: usage telemetry must never fail a turn.
   */
  private async accumulateUsage(st: SessionState, u: StepUsage): Promise<void> {
    if (u.input === 0 && u.output === 0 && u.cost === 0) return;
@@ -631,13 +366,29 @@ export class OpenCodeServerBackend implements AgentBackend {
  // ─── ensureSession: create-or-resume against agent_sessions (1.5) ────────────

  async ensureSession(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
-    await this.ensureServer();
-    if (!this.client) throw new Error('opencode-server: client not ready after ensureServer');
+    // Coalesce concurrent first-turns for the same (chat, agent) so the SELECT…
+    // create…upsert can't race into two opencode sessions (the second orphaning
+    // the first). A single (non-concurrent) call is unaffected — the entry is set
+    // and removed within this call. Defensive: the dispatcher already serializes
+    // turns per (chat, agent) via its inflight map.
+    const key = `${opts.chatId}:${opts.agent}`;
+    const existing = this.ensuring.get(key);
+    if (existing) return existing;
+    const p = this.ensureSessionInner(sessionId, opts).finally(() => {
+      if (this.ensuring.get(key) === p) this.ensuring.delete(key);
+    });
+    this.ensuring.set(key, p);
+    return p;
+  }
+
+  private async ensureSessionInner(sessionId: string, opts: EnsureSessionOpts): Promise<AgentSessionHandle> {
+    await this.supervisor.ensureServer();
+    const client = this.supervisor.client;
+    if (!client) throw new Error('opencode-server: client not ready after ensureServer');

    const configHash = sessionConfigHash(opts.model);
    // P1.5-b: agent_sessions is keyed (chat_id, agent) — the tab/chat is the
    // context unit (two tabs in one session = two contexts sharing one worktree).
-    // session_id + worktree_id are retained as informational (SET NULL) columns.
    const [row] = await this.sql<{ agent_session_id: string | null; status: string; config_hash: string | null }[]>`
      SELECT agent_session_id, status, config_hash FROM agent_sessions
      WHERE chat_id = ${opts.chatId} AND agent = ${opts.agent}
@@ -655,7 +406,7 @@ export class OpenCodeServerBackend implements AgentBackend {
          'opencode-server: not resuming stale session, creating fresh');
        this.byOpencodeId.delete(agentSessionId);
      }
-      const created = await this.client.session.create({ directory: opts.worktreePath });
+      const created = await client.session.create({ directory: opts.worktreePath });
      if (created.error || !created.data) {
        throw new Error(`opencode-server: session.create failed: ${errToString(created.error)}`);
      }
@@ -664,7 +415,7 @@ export class OpenCodeServerBackend implements AgentBackend {
        INSERT INTO agent_sessions
          (chat_id, session_id, worktree_id, agent, backend, agent_session_id, server_port, status, last_active_at, config_hash)
        VALUES
-          (${opts.chatId}, ${sessionId}, ${opts.worktreeId}, ${opts.agent}, 'opencode_server', ${agentSessionId}, ${this.port}, 'active', clock_timestamp(), ${configHash})
+          (${opts.chatId}, ${sessionId}, ${opts.worktreeId}, ${opts.agent}, 'opencode_server', ${agentSessionId}, ${this.supervisor.port}, 'active', clock_timestamp(), ${configHash})
        ON CONFLICT (chat_id, agent) DO UPDATE SET
          session_id = EXCLUDED.session_id,
          worktree_id = EXCLUDED.worktree_id,
@@ -678,7 +429,7 @@ export class OpenCodeServerBackend implements AgentBackend {
    } else {
      await this.sql`
        UPDATE agent_sessions
-        SET status = 'active', last_active_at = clock_timestamp(), server_port = ${this.port}, config_hash = ${configHash}
+        SET status = 'active', last_active_at = clock_timestamp(), server_port = ${this.supervisor.port}, config_hash = ${configHash}
        WHERE chat_id = ${opts.chatId} AND agent = ${opts.agent}
      `;
    }
@@ -693,24 +444,13 @@ export class OpenCodeServerBackend implements AgentBackend {
      state.boocodeSessionId = sessionId;
      state.worktreePath = opts.worktreePath;
    } else {
-      state = {
-        boocodeSessionId: sessionId,
-        agentSessionId: ocSessionId,
-        worktreePath: opts.worktreePath,
-        streamedPartKeys: new Set(),
-        partTypeById: new Map(),
-        activeTurn: null,
-        watchdog: null,
-        sseAbort: null,
-        swallowNextTerminal: false,
-      };
+      state = this.makeSessionState(sessionId, ocSessionId, opts.worktreePath);
      this.byOpencodeId.set(ocSessionId, state);
    }

    // Start this session's own SSE loop, scoped to its worktree directory. Both
-    // fresh-create and resume reach here; idempotent, so a re-ensure (e.g. a
-    // second turn) won't spawn a duplicate loop.
-    this.startSessionEventLoop(state);
+    // fresh-create and resume reach here; idempotent.
+    startSessionEventLoop(state, this.sseDeps());

    return {
      sessionId,
@@ -719,23 +459,16 @@ export class OpenCodeServerBackend implements AgentBackend {
      chatId: opts.chatId,
      worktreeId: opts.worktreeId,
      agentSessionId: ocSessionId,
-      serverPort: this.port,
+      serverPort: this.supervisor.port,
    };
  }

-  // ─── prompt: send one turn (1.6) ─────────────────────────────────────────────
-
-  async prompt(handle: AgentSessionHandle, input: string, ctx: PromptCtx): Promise<TurnResult> {
-    if (!this.client) throw new Error('opencode-server: client not ready');
-    const oc = handle.agentSessionId;
-    if (!oc) throw new Error('opencode-server: handle has no agentSessionId');
-
-    let state = this.byOpencodeId.get(oc);
-    if (!state) {
-      state = {
-        boocodeSessionId: handle.sessionId,
-        agentSessionId: oc,
-        worktreePath: ctx.worktreePath,
+  /** Fresh per-(opencode session) demux state. */
+  private makeSessionState(boocodeSessionId: string, agentSessionId: string, worktreePath: string): SessionState {
+    return {
+      boocodeSessionId,
+      agentSessionId,
+      worktreePath,
      streamedPartKeys: new Set(),
      partTypeById: new Map(),
      activeTurn: null,
@@ -743,16 +476,36 @@ export class OpenCodeServerBackend implements AgentBackend {
      sseAbort: null,
      swallowNextTerminal: false,
    };
+  }
+
+  // ─── prompt: send one turn (1.6) ─────────────────────────────────────────────
+
+  async prompt(handle: AgentSessionHandle, input: string, ctx: PromptCtx): Promise<TurnResult> {
+    const client = this.supervisor.client;
+    if (!client) throw new Error('opencode-server: client not ready');
+    const oc = handle.agentSessionId;
+    if (!oc) throw new Error('opencode-server: handle has no agentSessionId');
+
+    let state = this.byOpencodeId.get(oc);
+    if (!state) {
+      state = this.makeSessionState(handle.sessionId, oc, ctx.worktreePath);
      this.byOpencodeId.set(oc, state);
    }
    const session = state;
+
+    // v2.7 busy-assert: one in-flight turn per session. The dispatcher serializes
+    // turns per (chat, agent), so this never fires in normal dispatch — but if a
+    // second prompt arrives while one is live it would silently overwrite the slot
+    // and orphan the first turn, so reject instead.
+    if (session.activeTurn) {
+      return { ok: false, error: 'opencode-server: session already has an in-flight turn' };
+    }
+
    // Authoritative per-turn directory for SDK routing + reconcile.
    session.worktreePath = ctx.worktreePath;
    // Defensive: ensureSession normally starts the loop, but if prompt is reached
    // with a freshly-created state (no loop yet), start it so the turn streams.
-    // Idempotent when ensureSession already started one.
-    this.startSessionEventLoop(session);
-    const client = this.client;
+    startSessionEventLoop(session, this.sseDeps());

    return await new Promise<TurnResult>((resolve) => {
      let settled = false;
@@ -781,7 +534,8 @@ export class OpenCodeServerBackend implements AgentBackend {
        settle({ ok: false, error: 'aborted' });
      };

-      session.activeTurn = { onEvent: ctx.onEvent, settle };
+      const turn: TurnState = { onEvent: ctx.onEvent, settle };
+      session.activeTurn = turn;
      this.bumpActivity(session); // arm the inactivity backstop

      if (ctx.signal.aborted) {
@@ -822,39 +576,15 @@ export class OpenCodeServerBackend implements AgentBackend {
  }

  async dispose(): Promise<void> {
-    this.up = false;
    // Abort every per-session SSE loop so none survive the teardown.
    for (const st of this.byOpencodeId.values()) st.sseAbort?.abort();
-    const child = this.child;
-    this.child = null;
-    this.client = null;
    this.byOpencodeId.clear();
-    if (child && !child.killed) {
-      child.kill('SIGTERM');
-      const t = setTimeout(() => {
-        if (!child.killed) child.kill('SIGKILL');
-      }, 5_000);
-      t.unref();
-    }
+    await this.supervisor.dispose();
  }
 }

 // ─── helpers ──────────────────────────────────────────────────────────────────

-/** Extract the opencode sessionID an event belongs to, across event shapes.
- *  Most carry `properties.sessionID`; `message.part.updated` nests it under
- *  `properties.part.sessionID`. Returns null when the event has no session
- *  (the per-session loop then leaves it to dispatchEvent, which drops it). */
-function eventSessionId(ev: Event): string | null {
-  const props = (ev as { properties?: unknown }).properties;
-  if (!props || typeof props !== 'object') return null;
-  if (ev.type === 'message.part.updated') {
-    const part = (props as { part?: { sessionID?: string } }).part;
-    return part?.sessionID ?? null;
-  }
-  return (props as { sessionID?: string }).sessionID ?? null;
-}
-
 /** BooCoder model string "provider/model" → opencode's structured {providerID, modelID}. */
 function parseModel(model: string | undefined): { providerID: string; modelID: string } | undefined {
  if (!model || !model.trim()) return undefined;
@@ -864,199 +594,14 @@ function parseModel(model: string | undefined): { providerID: string; modelID: s
    return { providerID: trimmed.slice(0, idx), modelID: trimmed.slice(idx + 1) };
  }
  // No slash but non-empty → infer llama-swap (the only configured provider).
-  // Guard against bare '/' or trailing/leading slash.
  if (idx < 0 && trimmed.length > 0) {
    return { providerID: 'llama-swap', modelID: trimmed };
  }
  return undefined;
 }

-/** Ported verbatim from Paseo opencode-agent.ts: id → message-id fallback → null. */
-function resolvePartDedupeKey(part: { id: string; messageID: string }, type: string): string | null {
-  if (part.id.trim().length > 0) return `${type}:${part.id}`;
-  if (part.messageID.trim().length > 0) return `${type}:message:${part.messageID}`;
-  return null;
-}
-
-/** opencode ToolPart → ACP-shaped snapshot (reuses the existing persist/render path). */
-function toolPartToSnapshot(part: ToolPart): AcpToolSnapshot {
-  const state = part.state;
-  let rawInput: unknown;
-  let rawOutput: unknown;
-  let title: string | undefined;
-  if (state) {
-    if ('input' in state) rawInput = (state as { input?: unknown }).input;
-    if ('output' in state) rawOutput = (state as { output?: unknown }).output;
-    else if ('error' in state) rawOutput = (state as { error?: unknown }).error;
-    if ('title' in state) title = (state as { title?: string }).title;
-  }
-  return {
-    toolCallId: part.callID,
-    title: title ?? part.tool,
-    kind: null,
-    status: mapToolStatus(state?.status),
-    rawInput,
-    rawOutput,
-  };
-}
-
-function mapToolStatus(s: ToolState['status'] | undefined): ToolCallStatus | null {
-  switch (s) {
-    case 'pending':
-      return 'pending';
-    case 'running':
-      return 'in_progress';
-    case 'completed':
-      return 'completed';
-    case 'error':
-      return 'failed';
-    default:
-      return null;
-  }
-}
-
-/**
- * Reclaim a loopback port a dead opencode child may still hold (lift of
- * openchamber `killProcessOnPort`). Best-effort, POSIX-only (`lsof`/`kill`); a
- * failure is harmless because the next spawn allocates a fresh ephemeral port.
- * Never kills this process. Synchronous + short-timeout so the crash handler
- * doesn't block.
- */
-function reclaimPort(port: number | null): void {
-  if (!port || process.platform === 'win32') return;
-  try {
-    const res = spawnSync('lsof', ['-ti', `:${port}`], { encoding: 'utf8', timeout: 3_000, windowsHide: true });
-    const out = res.stdout || '';
-    const myPid = process.pid;
-    for (const pidStr of out.split(/\s+/)) {
-      const pid = parseInt(pidStr.trim(), 10);
-      if (pid && pid !== myPid) {
-        try {
-          spawnSync('kill', ['-9', String(pid)], { stdio: 'ignore', timeout: 2_000 });
-        } catch {
-          // ignore — best effort
-        }
-      }
-    }
-  } catch {
-    // lsof absent or failed — the fresh-ephemeral-port spawn doesn't need this.
-  }
-}
-
-/**
- * Resolve true once nothing is listening on `port` (lift of openchamber
- * `waitForPortRelease`). Used before re-spawning on a fixed port; with ephemeral
- * ports it's a fast no-op. Probes 127.0.0.1; resolves false at the deadline.
- */
-function waitForPortRelease(port: number, timeoutMs: number): Promise<boolean> {
-  const deadline = Date.now() + timeoutMs;
-  return new Promise((resolve) => {
-    const attempt = () => {
-      const socket = netConnect({ port, host: '127.0.0.1' });
-      let settled = false;
-      const finish = (released: boolean) => {
-        if (settled) return;
-        settled = true;
-        socket.removeAllListeners();
-        socket.destroy();
-        if (released || Date.now() >= deadline) {
-          resolve(released);
-          return;
-        }
-        setTimeout(attempt, 150);
-      };
-      socket.once('connect', () => finish(false));
-      socket.once('error', (err: NodeJS.ErrnoException) => {
-        if (err && (err.code === 'ECONNREFUSED' || err.code === 'EHOSTUNREACH')) finish(true);
-        else finish(false);
-      });
-      socket.setTimeout(500, () => finish(true));
-    };
-    attempt();
-  });
-}
-
-/** Bind-probe an ephemeral port on loopback. */
-function freePort(): Promise<number> {
-  return new Promise((resolve, reject) => {
-    const srv = createServer();
-    srv.unref();
-    srv.on('error', reject);
-    srv.listen(0, '127.0.0.1', () => {
-      const addr = srv.address();
-      if (addr && typeof addr === 'object') {
-        const { port } = addr;
-        srv.close(() => resolve(port));
-      } else {
-        srv.close(() => reject(new Error('opencode-server: could not determine a free port')));
-      }
-    });
-  });
-}
-
-/** Resolve when the child prints the ready line; reject on timeout or early exit. */
-function waitForReady(child: ChildProcess, timeoutMs: number): Promise<void> {
-  return new Promise((resolve, reject) => {
-    let done = false;
-    let stderrBuf = '';
-
-    const finish = (err?: Error) => {
-      if (done) return;
-      done = true;
-      clearTimeout(timer);
-      child.stdout?.off('data', onOut);
-      child.stderr?.off('data', onErr);
-      child.off('exit', onExit);
-      if (err) reject(err);
-      else resolve();
-    };
-
-    const onOut = (buf: Buffer) => {
-      if (buf.toString().includes('opencode server listening on')) finish();
-    };
-    const onErr = (buf: Buffer) => {
-      stderrBuf += buf.toString();
-    };
-    const onExit = (code: number | null) =>
-      finish(new Error(`opencode serve exited before ready (code ${code}); stderr: ${stderrBuf.slice(-2000)}`));
-    const timer = setTimeout(
-      () => finish(new Error(`opencode serve not ready in ${timeoutMs}ms; stderr: ${stderrBuf.slice(-2000)}`)),
-      timeoutMs,
-    );
-
-    child.stdout?.on('data', onOut);
-    child.stderr?.on('data', onErr);
-    child.on('exit', onExit);
-  });
-}
-
-function sleep(ms: number): Promise<void> {
-  return new Promise((r) => setTimeout(r, ms));
-}
-
-/** Strip opencode-dcp plugin tags that render as literal text in the UI. */
-function stripDcpTags(s: string): string {
-  return s.replace(/<dcp-message-id>[^<]*<\/dcp-message-id>/g, '');
-}
-
-function errMsg(e: unknown): string {
-  return e instanceof Error ? e.message : String(e);
-}
-
-function errToString(e: unknown): string {
-  if (e == null) return 'unknown error';
-  if (typeof e === 'string') return e;
-  if (e instanceof Error) return e.message;
-  try {
-    return JSON.stringify(e);
-  } catch {
-    return String(e);
-  }
-}
-
 /** Hash of stable config — detects model changes across sessions without
- *  invalidating on ephemeral state like the random server port (which changes
- *  every BooCoder restart). */
+ *  invalidating on ephemeral state like the random server port. */
 function sessionConfigHash(model: string): string {
  return createHash('sha256').update(`opencode_server|${model}`).digest('hex').slice(0, 16);
 }
--- a/apps/coder/src/services/backends/opencode-sse.ts
+++ b/apps/coder/src/services/backends/opencode-sse.ts
@@ -0,0 +1,181 @@
+/**
+ * Per-session SSE subscribe loop + reconnect/backoff + eventSessionId demux.
+ *
+ * Extracted (v2.7 audit reshape) from `OpenCodeServerBackend.startSessionEventLoop`
+ * / `runSessionEventLoop`. opencode scopes events by the `directory` query param, so
+ * each session runs its own dir-scoped stream and never drops a sibling's events.
+ *
+ * The loop is intentionally thin: it owns subscribe + the demux filter + reconnect
+ * timing only. Translating an event into turn side effects (watchdog, usage,
+ * settle) stays on the backend via the injected `dispatchEvent` / `reconcile`
+ * callbacks — `opencode-sse` knows nothing about turns or the DB.
+ *
+ * v2.7 concurrency hardening: the throw-driven reconnect path now backs off
+ * exponentially and trips a circuit-breaker (`onReconnectGiveUp`) after a bounded
+ * number of consecutive failures, instead of looping forever at a flat 1s. The
+ * HAPPY PATH is unchanged — a clean stream end (server still up) reconnects after
+ * `baseMs` (1s, as before) and resets the failure counter, so a long-lived session
+ * that re-subscribes normally never backs off.
+ */
+import type { FastifyBaseLogger } from 'fastify';
+import type { Event, OpencodeClient } from '@opencode-ai/sdk/v2/client';
+import type { AgentEvent } from '../agent-backend.js';
+import type { TurnResult } from '../agent-backend.js';
+import { eventSessionId, errMsg } from './opencode-event-map.js';
+
+export const SSE_RECONNECT_DELAY_MS = 1_000;
+
+/** One in-flight turn's emitter + completion settler. */
+export interface TurnState {
+  onEvent: (e: AgentEvent) => void;
+  settle: (r: TurnResult) => void;
+}
+
+/** Per-(opencode session) demux state. dedup sets scoped here, cleared per turn. */
+export interface SessionState {
+  boocodeSessionId: string;
+  agentSessionId: string;
+  /** Worktree directory for SDK `directory` routing; refreshed each turn from ctx. */
+  worktreePath: string;
+  /** dedup gate: `${type}:${id}` added on delta, deleted-and-tested on updated. Cleared at turn end. */
+  streamedPartKeys: Set<string>;
+  /** partID → 'text' | 'reasoning', so a delta with a non-'reasoning' field is still classed right. Cleared at turn end. */
+  partTypeById: Map<string, string>;
+  activeTurn: TurnState | null;
+  /** Inactivity backstop timer for the active turn; null when no turn in flight. */
+  watchdog: ReturnType<typeof setTimeout> | null;
+  /** Per-session SSE subscription handle. Non-null while the loop is running;
+   *  aborting it tears down the underlying fetch and exits the loop. */
+  sseAbort: AbortController | null;
+  /** F.1 post-abort orphan-terminal guard: swallow the one session.idle/error
+   *  opencode emits for an aborted turn so it can't settle the next turn. */
+  swallowNextTerminal: boolean;
+}
+
+// ─── reconnect backoff (pure) ────────────────────────────────────────────────
+
+export interface ReconnectPolicy {
+  /** First retry delay (and the steady-state clean-reconnect delay). */
+  baseMs: number;
+  /** Cap on the exponential delay. */
+  maxMs: number;
+  /** Consecutive failures tolerated before the breaker trips (give up). */
+  maxAttempts: number;
+}
+
+export const DEFAULT_RECONNECT_POLICY: ReconnectPolicy = {
+  baseMs: SSE_RECONNECT_DELAY_MS,
+  maxMs: 30_000,
+  maxAttempts: 6,
+};
+
+export type ReconnectDecision =
+  | { action: 'reconnect'; delayMs: number }
+  | { action: 'give-up' };
+
+/**
+ * Pure backoff decision after `failures` consecutive throwing reconnect attempts
+ * (1-based: the first failure passes `failures=1`). Returns an exponentially
+ * growing delay capped at `maxMs`, or `give-up` once the count exceeds
+ * `maxAttempts`. `failures=1` yields `baseMs`, so the very first retry matches the
+ * pre-hardening flat delay (happy-path-preserving).
+ */
+export function reconnectDecision(
+  failures: number,
+  policy: ReconnectPolicy = DEFAULT_RECONNECT_POLICY,
+): ReconnectDecision {
+  if (failures > policy.maxAttempts) return { action: 'give-up' };
+  const exp = policy.baseMs * 2 ** (failures - 1);
+  return { action: 'reconnect', delayMs: Math.min(policy.maxMs, exp) };
+}
+
+// ─── the loop ────────────────────────────────────────────────────────────────
+
+export interface SseLoopDeps {
+  /** Live iff the server is up (read each iteration so a crash stops the loop). */
+  isUp: () => boolean;
+  /** The current opencode client (null between server restarts). */
+  getClient: () => OpencodeClient | null;
+  /** Route one demuxed event to its turn (backend side effects live here). */
+  dispatchEvent: (ev: Event) => void;
+  /** Recover an idle/error lost during an SSE gap. Returns true if it settled. */
+  reconcile: (state: SessionState) => Promise<boolean>;
+  /** Circuit-breaker: called once the backoff gives up; fail the active turn. */
+  onReconnectGiveUp: (state: SessionState) => Promise<void> | void;
+  log: FastifyBaseLogger;
+  /** Injectable for tests; defaults to a real timer sleep. */
+  sleep?: (ms: number) => Promise<void>;
+  policy?: ReconnectPolicy;
+}
+
+function defaultSleep(ms: number): Promise<void> {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+/** Per-session SSE subscription, scoped to the session's worktree directory.
+ *  Idempotent: a no-op if this session's loop is already running. */
+export function startSessionEventLoop(state: SessionState, deps: SseLoopDeps): void {
+  if (state.sseAbort) return; // already running
+  const abort = new AbortController();
+  state.sseAbort = abort;
+  void runSessionEventLoop(state, abort, deps).finally(() => {
+    // Only clear if this controller is still the live one (a later restart may
+    // have already installed a new one).
+    if (state.sseAbort === abort) state.sseAbort = null;
+  });
+}
+
+export async function runSessionEventLoop(
+  state: SessionState,
+  abort: AbortController,
+  deps: SseLoopDeps,
+): Promise<void> {
+  const signal = abort.signal;
+  const sleep = deps.sleep ?? defaultSleep;
+  const policy = deps.policy ?? DEFAULT_RECONNECT_POLICY;
+  let failures = 0;
+  while (deps.isUp() && deps.getClient() && !signal.aborted) {
+    const client = deps.getClient()!;
+    try {
+      // Re-read worktreePath each (re)subscribe so a directory refresh is picked
+      // up on reconnect. Passing `signal` lets close/dispose tear down a stream
+      // that's parked in `for await` between events.
+      const sub = await client.event.subscribe({ directory: state.worktreePath }, { signal });
+      for await (const ev of sub.stream) {
+        if (signal.aborted) break;
+        // Dir-scoped streams should only carry this session's events, but two
+        // sessions sharing a worktree (possible post-P1.5-b) each receive BOTH
+        // sessions' events — so drop anything that isn't ours, else the other
+        // session's deltas get processed twice (once per loop).
+        const sid = eventSessionId(ev);
+        if (sid != null && sid !== state.agentSessionId) continue;
+        deps.dispatchEvent(ev);
+      }
+      // Clean stream end — a healthy reconnect, NOT a failure: recover any lost
+      // terminal then re-subscribe at the base delay (pre-hardening behavior).
+      failures = 0;
+      if (deps.isUp() && !signal.aborted) {
+        await deps.reconcile(state); // recover an idle/error lost during the gap
+        await sleep(policy.baseMs);
+      }
+    } catch (err) {
+      if (!deps.isUp() || signal.aborted) break;
+      failures += 1;
+      const decision = reconnectDecision(failures, policy);
+      deps.log.warn(
+        { err: errMsg(err), agentSessionId: state.agentSessionId, failures, action: decision.action },
+        'opencode-server: session event loop error; reconnecting',
+      );
+      await deps.reconcile(state);
+      if (decision.action === 'give-up') {
+        deps.log.warn(
+          { agentSessionId: state.agentSessionId, failures },
+          'opencode-server: SSE reconnect gave up (circuit breaker) — failing active turn',
+        );
+        await deps.onReconnectGiveUp(state);
+        break;
+      }
+      await sleep(decision.delayMs);
+    }
+  }
+}
--- a/apps/coder/src/services/backends/pushable-iterable.ts
+++ b/apps/coder/src/services/backends/pushable-iterable.ts
@@ -0,0 +1,96 @@
+/**
+ * claude-sdk-sessionstore #9 (Part 2) — a tiny PURE pushable async-iterable.
+ *
+ * The Claude Agent SDK's streaming-input mode wants `query({ prompt })` where
+ * `prompt` is an `AsyncIterable<SDKUserMessage>`. To keep ONE `query()` generator
+ * alive across many turns (the "warm" property), the backend feeds it ONE user
+ * message per `prompt()` turn through a queue that stays open between turns and is
+ * only closed at `closeSession`/`dispose`. This is that queue.
+ *
+ * Semantics (the bit worth unit-testing — push/close/iterate ordering):
+ *   - `push(v)` enqueues a value. If a consumer is parked in `await next()`, it's
+ *     handed the value immediately; otherwise the value buffers in FIFO order.
+ *   - The async iterator yields buffered/pushed values in push order, and PARKS
+ *     (never busy-loops) when the buffer is empty — so the SDK generator waits for
+ *     the next turn's message instead of seeing end-of-input.
+ *   - `close()` ends the iterable: any parked consumer resolves `{done:true}` and
+ *     all future `next()`s return done. Values pushed after close are dropped.
+ *   - It's single-consumer (one `query()` reads it); concurrent consumers are not a
+ *     supported shape and not needed here.
+ *
+ * No SDK import — generic over the pushed value `T` — so the pure push/close/iterate
+ * ordering is testable without the `SDKUserMessage` shape or a live binary.
+ */
+export interface Pushable<T> {
+  /** Enqueue a value (or hand it to a parked consumer). No-op after close. */
+  push(value: T): void;
+  /** End the iterable. Idempotent; a parked consumer resolves done. */
+  close(): void;
+  /** True once `close()` has been called. */
+  readonly closed: boolean;
+  /** The async-iterable the consumer (the SDK `query`) drives. */
+  readonly iterable: AsyncIterable<T>;
+}
+
+export function createPushable<T>(): Pushable<T> {
+  const buffer: T[] = [];
+  // A waiting consumer's resolver (null when none is parked). Single-consumer.
+  let pendingResolve: ((res: IteratorResult<T>) => void) | null = null;
+  let closed = false;
+
+  function push(value: T): void {
+    if (closed) return;
+    if (pendingResolve) {
+      const resolve = pendingResolve;
+      pendingResolve = null;
+      resolve({ value, done: false });
+      return;
+    }
+    buffer.push(value);
+  }
+
+  function close(): void {
+    if (closed) return;
+    closed = true;
+    if (pendingResolve) {
+      const resolve = pendingResolve;
+      pendingResolve = null;
+      resolve({ value: undefined, done: true });
+    }
+  }
+
+  const iterator: AsyncIterator<T> = {
+    next(): Promise<IteratorResult<T>> {
+      // Drain the buffer first (FIFO), regardless of close — buffered values
+      // pushed before close are still delivered.
+      if (buffer.length > 0) {
+        return Promise.resolve({ value: buffer.shift() as T, done: false });
+      }
+      if (closed) {
+        return Promise.resolve({ value: undefined, done: true });
+      }
+      // Park until the next push/close. Single-consumer: only one waiter at a time.
+      return new Promise<IteratorResult<T>>((resolve) => {
+        pendingResolve = resolve;
+      });
+    },
+    return(): Promise<IteratorResult<T>> {
+      // Consumer abandoned the loop (e.g. `break`) → close so a later push no-ops.
+      close();
+      return Promise.resolve({ value: undefined, done: true });
+    },
+  };
+
+  return {
+    push,
+    close,
+    get closed() {
+      return closed;
+    },
+    iterable: {
+      [Symbol.asyncIterator]() {
+        return iterator;
+      },
+    },
+  };
+}
--- a/apps/coder/src/services/backends/warm-acp.ts
+++ b/apps/coder/src/services/backends/warm-acp.ts
@@ -36,29 +36,15 @@
 */
 import { spawn, type ChildProcess } from 'node:child_process';
 import type { FastifyBaseLogger } from 'fastify';
-import {
-  ClientSideConnection,
-  type Client,
-  type SessionNotification,
-  type RequestPermissionRequest,
-  type RequestPermissionResponse,
-  type ReadTextFileRequest,
-  type ReadTextFileResponse,
-  type WriteTextFileRequest,
-  type WriteTextFileResponse,
-  type CreateTerminalRequest,
-  type CreateTerminalResponse,
-  type CreateElicitationRequest,
-  type CreateElicitationResponse,
-} from '@agentclientprotocol/sdk';
+import { ClientSideConnection, type Client } from '@agentclientprotocol/sdk';
 import type { Sql } from '../../db.js';
 import { resolveLaunchSpec } from '../acp-spawn.js';
 import { isTurnOkForStopReason } from './warm-acp-routing.js';
 import { getResolvedRegistry, type ResolvedProviderDef } from '../provider-config-registry.js';
 import { createAcpNdJsonStream } from '../acp-stream.js';
 import { mapSessionUpdate } from '../acp-event-map.js';
-import { readWorktreeTextFile, writeWorktreeTextFile } from '../acp-client-fs.js';
-import { waitForPermissionResponse, waitForElicitationResponse, cancelPendingPermission } from '../permission-waiter.js';
+import { buildAcpClient } from '../acp-client.js';
+import { cancelPendingPermission } from '../permission-waiter.js';
 import { type AcpToolSnapshot, synthesizeCanceledSnapshots } from '../acp-tool-snapshot.js';
 import type {
  AgentBackend,
@@ -211,47 +197,25 @@ export class WarmAcpBackend implements AgentBackend {
    );
  }

-  /** Build the ACP Client callbacks ONCE per connection. They read `this.activeTurn`
-   *  so each turn's events/permissions route to the right place — exactly the
-   *  opencode-server `activeTurn` pattern. Worktree-scoped FS like AcpStreamContext. */
+  /** Build the ACP Client callbacks ONCE per connection (shared `buildAcpClient`).
+   *  `resolveTurn` reads `this.activeTurn` at each callback so events/permissions
+   *  route to the live turn — exactly the prior behavior. The warm session always
+   *  has a non-empty `sessionId`, so the shared `taskId && sessionId` permission
+   *  gate is equivalent to the old `turn?.taskId` gate. */
  private buildClient(worktreePath: string): Client {
+    return buildAcpClient(worktreePath, () => {
+      const turn = this.activeTurn;
+      if (!turn) return null;
      return {
-      sessionUpdate: async (params: SessionNotification): Promise<void> => {
-        const turn = this.activeTurn;
-        if (!turn) return; // between turns — drop (no orphan settles a future turn)
-        for (const event of mapSessionUpdate(params, turn.snapshots)) {
-          turn.onEvent(event);
-        }
-      },
-      requestPermission: async (params: RequestPermissionRequest): Promise<RequestPermissionResponse> => {
-        const turn = this.activeTurn;
-        if (turn?.taskId) {
-          // Route to the UI via the per-turn task id (same as the one-shot path).
-          return waitForPermissionResponse(turn.taskId, turn.sessionId, this.agent, turn.modeId, params);
-        }
-        const firstOption = params.options[0];
-        if (firstOption) return { outcome: { outcome: 'selected', optionId: firstOption.optionId } };
-        return { outcome: { outcome: 'cancelled' } };
-      },
-      readTextFile: async (params: ReadTextFileRequest): Promise<ReadTextFileResponse> => {
-        const content = await readWorktreeTextFile(worktreePath, params.path, params.line, params.limit);
-        return { content };
-      },
-      writeTextFile: async (params: WriteTextFileRequest): Promise<WriteTextFileResponse> => {
-        await writeWorktreeTextFile(worktreePath, params.path, params.content);
-        return {};
-      },
-      createTerminal: async (_params: CreateTerminalRequest): Promise<CreateTerminalResponse> => {
-        return { terminalId: 'noop' };
-      },
-      unstable_createElicitation: async (params: CreateElicitationRequest): Promise<CreateElicitationResponse> => {
-        const turn = this.activeTurn;
-        if (turn?.taskId) {
-          return waitForElicitationResponse(turn.taskId, turn.sessionId, this.agent, turn.modeId, params);
-        }
-        return { action: 'decline' };
+        taskId: turn.taskId,
+        sessionId: turn.sessionId,
+        modeId: turn.modeId,
+        agent: this.agent,
+        onSessionUpdate: (params) => {
+          for (const event of mapSessionUpdate(params, turn.snapshots)) turn.onEvent(event);
        },
      };
+    });
  }

  // ─── ensureSession: create-or-reuse the warm session (2.1) ───────────────────
@@ -303,6 +267,14 @@ export class WarmAcpBackend implements AgentBackend {
      return { ok: false, error: 'warm-acp: no live ACP connection' };
    }

+    // v2.7 busy-assert: one in-flight turn per warm session. The dispatcher
+    // serializes turns per (chat, agent), so this never fires in normal dispatch —
+    // but a second concurrent prompt would silently overwrite `activeTurn` and
+    // orphan the first turn, so reject instead.
+    if (this.activeTurn) {
+      return { ok: false, error: 'warm-acp: session already has an in-flight turn' };
+    }
+
    const snapshots = new Map<string, AcpToolSnapshot>();
    // taskId routes permission/elicitation prompts back to the UI. The dispatcher
    // passes it (plus mode) on the per-turn PromptCtx; permission-waiter keys on it.
--- a/apps/coder/src/services/checkpoints.ts
+++ b/apps/coder/src/services/checkpoints.ts
@@ -159,9 +159,18 @@ export async function restoreCheckpoint(
  if (!cp) {
    throw new CheckpointNotFoundError('checkpoint not found');
  }
-  if (opts?.sessionId && cp.session_id && cp.session_id !== opts.sessionId) {
+  // Authorization scope (fail-safe): the checkpoint's chat must belong to the
+  // requested session. cp.session_id is a denormalized hint that may be null, so
+  // gating on it directly fails open — resolve the owning session via chats
+  // (authoritative; chat_id is NOT NULL) and deny on any mismatch or missing row.
+  if (opts?.sessionId) {
+    const [owner] = await sql<{ session_id: string | null }[]>`
+      SELECT session_id FROM chats WHERE id = ${cp.chat_id}
+    `;
+    if (!owner || owner.session_id !== opts.sessionId) {
      throw new CheckpointNotFoundError('checkpoint not in session');
    }
+  }

  // 2. Resolve the worktree path (by worktree_id, else the session's active one).
  let worktreePath: string | null = null;
--- a/apps/coder/src/services/dispatcher.ts
+++ b/apps/coder/src/services/dispatcher.ts
@@ -16,8 +16,12 @@ import { snapshotToWireToolCall, type AcpToolSnapshot } from './acp-tool-snapsho
 import { agentPool, OPENCODE_POOL_KEY } from './agent-pool.js';
 import { OpenCodeServerBackend } from './backends/opencode-server.js';
 import { WarmAcpBackend } from './backends/warm-acp.js';
+import { ClaudeSdkBackend } from './backends/claude-sdk.js';
 import { shouldUseWarmBackend } from './backends/warm-acp-routing.js';
+import { shouldUseClaudeSdk } from './backends/claude-sdk-routing.js';
 import type { AgentBackend, AgentEvent } from './agent-backend.js';
+import { publishAgentStatus } from './agent-status-publish.js';
+import type { AgentStatus } from './normalize-agent-status.js';

 interface InferenceRunner {
  enqueue: (sessionId: string, chatId: string, assistantId: string, user: string) => void;
@@ -64,6 +68,21 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
    return task.session_id ?? `task:${task.id}`;
  }

+  // agent-status-normalize (#10): publish a normalized per-(chat,agent) status on
+  // the session channel. Every external-agent path (warm-acp / opencode / claude-sdk /
+  // pty one-shot) reports `working` at turn start, `idle` on clean completion, and
+  // `error` on the failure path through this single helper so the four paths stay
+  // DRY and consistent. Best-effort — publishAgentStatus never throws.
+  function emitAgentStatus(
+    sessionId: string,
+    chatId: string,
+    agent: string,
+    status: AgentStatus,
+    reason: string,
+  ): void {
+    publishAgentStatus(broker.publishFrame, sessionId, chatId, agent, status, reason);
+  }
+
  async function poll(): Promise<void> {
    // `polling` serializes poll() execution itself (timer + NOTIFY can fire
    // concurrently) so we never double-select a task. It does NOT serialize task
@@ -131,6 +150,12 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        // existing one-shot worktree-per-task ACP/PTY path untouched.
        if (task.agent === 'opencode') {
          await runOpenCodeServerTask(task, agentRow.install_path);
+        } else if (shouldUseClaudeSdk(task)) {
+          // claude-sdk-sessionstore #9 (Part 2): env-flagged (CLAUDE_SDK_BACKEND, default
+          // OFF) warm Claude-SDK backend for chat-tab claude tasks. When the flag is off
+          // (production default) this predicate returns false and claude falls through to
+          // the UNCHANGED one-shot PTY runExternalAgent path below.
+          await runClaudeSdkTask(task, agentRow.install_path);
        } else if (shouldUseWarmBackend(task)) {
          await runWarmAcpTask(task, agentRow.install_path);
        } else {
@@ -188,8 +213,8 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        RETURNING id
      `;
      const [assistantMsg] = await sql<{ id: string }[]>`
-        INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
-        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', clock_timestamp())
+        INSERT INTO messages (session_id, chat_id, role, content, status, model, created_at)
+        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', ${task.model}, clock_timestamp())
        RETURNING id
      `;
      const assistantId = assistantMsg!.id;
@@ -290,6 +315,11 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
    // Create an abort controller for this task
    const ac = new AbortController();

+    // #10: hoisted above the try so the catch block can report `error` status with
+    // the (chat, agent) key. Empty until resolved below; guarded before use.
+    let sessionId = '';
+    let chatId = '';
+
    try {
      // Mark running
      await sql`
@@ -298,9 +328,6 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        WHERE id = ${taskId}
      `;

-      let sessionId: string;
-      let chatId: string;
-
      if (task.session_id) {
        sessionId = task.session_id;
        const chats = await sql<{ id: string }[]>`
@@ -353,8 +380,8 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      let acpReasoning = '';

      const [assistantMsg] = await sql<{ id: string }[]>`
-        INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
-        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', clock_timestamp())
+        INSERT INTO messages (session_id, chat_id, role, content, status, model, created_at)
+        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', ${task.model}, clock_timestamp())
        RETURNING id
      `;
      const assistantId = assistantMsg!.id;
@@ -376,6 +403,9 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        role: 'assistant',
      } as WsFrame);

+      // #10: external-agent turn begins.
+      emitAgentStatus(sessionId, chatId, agent, 'working', 'turn_start');
+
      const manifestCommands = getManifestCommands(agent);
      if (manifestCommands.length > 0) {
        setTaskCommands(taskId, manifestCommands);
@@ -410,6 +440,52 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        outputSummary = result.output.slice(0, 500);
        await persistExternalAgentTurn(sql, assistantId, result.toolSnapshots, acpReasoning);
      } else {
+        // v#7 (stream-json): claude + qwen run with --output-format stream-json.
+        // Parse the NDJSON live in pty-dispatch and forward AgentEvents here so we
+        // publish the SAME live frames the warm-ACP / opencode paths emit (text,
+        // reasoning, tool) and persist structured parts. Accumulate for the final
+        // message content + persistence; fall back to the opaque stdout slice when
+        // nothing parsed (agent ran without the flag, or crashed before emitting).
+        const ptyTextChunks: string[] = [];
+        const ptyReasoningChunks: string[] = [];
+        const ptyToolSnaps = new Map<string, AcpToolSnapshot>();
+
+        const onPtyEvent = (e: AgentEvent): void => {
+          switch (e.type) {
+            case 'text':
+              ptyTextChunks.push(e.text);
+              broker.publishFrame(sessionId, {
+                type: 'delta',
+                message_id: assistantId,
+                chat_id: chatId,
+                content: e.text,
+              } as WsFrame);
+              break;
+            case 'reasoning':
+              ptyReasoningChunks.push(e.text);
+              broker.publishFrame(sessionId, {
+                type: 'reasoning_delta',
+                message_id: assistantId,
+                chat_id: chatId,
+                content: e.text,
+              } as WsFrame);
+              break;
+            case 'tool_call':
+            case 'tool_update':
+              ptyToolSnaps.set(e.toolCall.toolCallId, e.toolCall);
+              broker.publishFrame(sessionId, {
+                type: 'tool_call',
+                message_id: assistantId,
+                chat_id: chatId,
+                tool_call: snapshotToWireToolCall(e.toolCall),
+              } as WsFrame);
+              break;
+            case 'commands':
+              // stream-json carries no commands today; ignore if it ever does.
+              break;
+          }
+        };
+
        const result = await dispatchViaPty({
          agent,
          task: task.input,
@@ -420,7 +496,22 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
          thinkingOptionId: task.thinking_option_id ?? undefined,
          signal: ac.signal,
          log,
+          onEvent: onPtyEvent,
        });
+
+        if (result.streamed) {
+          assistantContent = ptyTextChunks.join('').slice(0, 50_000);
+          // stream-json text can be empty for a tool-only turn — surface stderr or a
+          // placeholder so the message row isn't blank.
+          if (!assistantContent) {
+            assistantContent = (result.stderr || '(no text output)').slice(0, 50_000);
+          }
+          outputSummary = (ptyTextChunks.join('') || result.stderr).slice(0, 500);
+          acpReasoning = ptyReasoningChunks.join('').slice(0, 200_000);
+          await persistExternalAgentTurn(sql, assistantId, [...ptyToolSnaps.values()], acpReasoning);
+        } else {
+          // Fallback: agent produced no parseable NDJSON (ran without the flag, or
+          // crashed). Preserve today's opaque stdout-slice + single delta behavior.
          assistantContent = (result.stdout || result.stderr || '(no output)').slice(0, 50_000);
          outputSummary = (result.stdout || result.stderr).slice(0, 500);

@@ -433,6 +524,7 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
            } as WsFrame);
          }
        }
+      }

      await sql`
        UPDATE messages
@@ -444,6 +536,7 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        type: 'message_complete',
        message_id: assistantId,
        chat_id: chatId,
+        model: task.model,
      } as WsFrame);

      if (stopping) {
@@ -488,6 +581,8 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        WHERE id = ${taskId}
      `;
      log.info({ taskId, agent, costTokens: extCostTokens }, 'dispatcher: task completed (external)');
+      // #10: external-agent turn completed cleanly.
+      emitAgentStatus(sessionId, chatId, agent, 'idle', 'turn_complete');
      clearTaskCommands(taskId);

    } catch (err) {
@@ -500,6 +595,11 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        WHERE id = ${taskId}
      `.catch(() => {});

+      // #10: external-agent turn failed/crashed. chatId may be unbound if the throw
+      // preceded its assignment — guard so the status publish never masks the real
+      // error.
+      if (chatId) emitAgentStatus(sessionId, chatId, agent, 'error', 'failed');
+
      // Best-effort cleanup
      await cleanupWorktree(projectPath, taskId);
      clearTaskCommands(taskId);
@@ -554,6 +654,10 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v

    const ac = new AbortController();

+    // #10: hoisted so the catch can report `error` with the (chat, agent) key.
+    let sessionId = '';
+    let chatId = '';
+
    try {
      // execution_path = 'acp' — the schema CHECK has no 'opencode_server' value
      // (schema is frozen at Phase 0); the warm-vs-one-shot distinction lives in
@@ -570,8 +674,6 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      // it directly. Session-less creators (arena, MCP, new_task, generic
      // /api/tasks) leave it null; fall back to resolving/creating a real chat so
      // ensureSession never receives a degenerate (null, agent) key.
-      let sessionId: string;
-      let chatId: string;
      if (task.chat_id && task.session_id) {
        sessionId = task.session_id;
        chatId = task.chat_id;
@@ -622,8 +724,8 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      log.info({ taskId, worktreePath }, 'dispatcher: session worktree ready');

      const [assistantMsg] = await sql<{ id: string }[]>`
-        INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
-        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', clock_timestamp())
+        INSERT INTO messages (session_id, chat_id, role, content, status, model, created_at)
+        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', ${task.model}, clock_timestamp())
        RETURNING id
      `;
      const assistantId = assistantMsg!.id;
@@ -644,6 +746,9 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        role: 'assistant',
      } as WsFrame);

+      // #10: opencode-server turn begins.
+      emitAgentStatus(sessionId, chatId, agent, 'working', 'turn_start');
+
      const manifestCommands = getManifestCommands(agent);
      if (manifestCommands.length > 0) {
        setTaskCommands(taskId, manifestCommands);
@@ -760,6 +865,7 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        type: 'message_complete',
        message_id: assistantId,
        chat_id: chatId,
+        model: task.model,
      } as WsFrame);

      if (stopping) {
@@ -803,6 +909,14 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        WHERE id = ${taskId}
      `;
      log.info({ taskId, agent, finalState, costTokens: extCostTokens }, 'dispatcher: task finished (opencode server)');
+      // #10: clean completion → idle; backend-reported failure → error.
+      emitAgentStatus(
+        sessionId,
+        chatId,
+        agent,
+        result.ok ? 'idle' : 'error',
+        result.ok ? 'turn_complete' : 'failed',
+      );
      clearTaskCommands(taskId);
    } catch (err) {
      const errMsg = err instanceof Error ? err.message : String(err);
@@ -812,6 +926,8 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        SET state = 'failed', ended_at = clock_timestamp(), output_summary = ${errMsg.slice(0, 500)}
        WHERE id = ${taskId}
      `.catch(() => {});
+      // #10: turn crashed.
+      if (chatId) emitAgentStatus(sessionId, chatId, agent, 'error', 'crashed');
      clearTaskCommands(taskId);
      // No worktree cleanup (persistent); backend stays warm for the next turn.
    }
@@ -890,8 +1006,8 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
      log.info({ taskId, worktreePath }, 'dispatcher: session worktree ready (warm ACP)');

      const [assistantMsg] = await sql<{ id: string }[]>`
-        INSERT INTO messages (session_id, chat_id, role, content, status, created_at)
-        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', clock_timestamp())
+        INSERT INTO messages (session_id, chat_id, role, content, status, model, created_at)
+        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', ${task.model}, clock_timestamp())
        RETURNING id
      `;
      const assistantId = assistantMsg!.id;
@@ -912,6 +1028,9 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        role: 'assistant',
      } as WsFrame);

+      // #10: warm-ACP turn begins.
+      emitAgentStatus(sessionId, chatId, agent, 'working', 'turn_start');
+
      const manifestCommands = getManifestCommands(agent);
      if (manifestCommands.length > 0) {
        setTaskCommands(taskId, manifestCommands);
@@ -1011,6 +1130,7 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        type: 'message_complete',
        message_id: assistantId,
        chat_id: chatId,
+        model: task.model,
      } as WsFrame);

      if (stopping) {
@@ -1053,6 +1173,14 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        WHERE id = ${taskId}
      `;
      log.info({ taskId, agent, finalState }, 'dispatcher: task finished (warm ACP)');
+      // #10: clean completion → idle; backend-reported failure → error.
+      emitAgentStatus(
+        sessionId,
+        chatId,
+        agent,
+        result.ok ? 'idle' : 'error',
+        result.ok ? 'turn_complete' : 'failed',
+      );
      clearTaskCommands(taskId);
    } catch (err) {
      const errMsg = err instanceof Error ? err.message : String(err);
@@ -1062,6 +1190,266 @@ export function createDispatcher(deps: Deps): { start(): void; stop(): Promise<v
        SET state = 'failed', ended_at = clock_timestamp(), output_summary = ${errMsg.slice(0, 500)}
        WHERE id = ${taskId}
      `.catch(() => {});
+      // #10: turn crashed.
+      emitAgentStatus(sessionId, chatId, agent, 'error', 'crashed');
+      clearTaskCommands(taskId);
+      // No worktree cleanup (persistent); backend stays warm for the next turn.
+    }
+  }
+
+  // ─── Path B (claude SDK): warm Claude-SDK backend (v2.6 #9 Part 2) ───────────
+
+  // Claude-SDK backends are per (chat, agent) — each owns ONE persistent query()
+  // generator driven in streaming-input mode. Pool key = chatId (secondary = agent),
+  // mirroring agent_sessions' (chat_id, agent) PK + the warm-ACP pooling.
+  function getClaudeSdkBackend(chatId: string, agent: string, installPath: string | null): ClaudeSdkBackend {
+    let backend = agentPool.get(chatId, agent);
+    if (!backend) {
+      backend = new ClaudeSdkBackend({ sql, log, chatId, agent, installPath });
+      agentPool.register(chatId, agent, backend);
+    }
+    return backend as ClaudeSdkBackend;
+  }
+
+  async function runClaudeSdkTask(
+    task: {
+      id: string;
+      project_id: string;
+      input: string;
+      agent: string | null;
+      model: string | null;
+      mode_id: string | null;
+      thinking_option_id: string | null;
+      session_id: string | null;
+      chat_id: string | null;
+    },
+    installPath: string | null,
+  ): Promise<void> {
+    const taskId = task.id;
+    const agent = task.agent!;
+    // shouldUseClaudeSdk guarantees both non-null before we get here.
+    const sessionId = task.session_id!;
+    const chatId = task.chat_id!;
+    log.info({ taskId, agent, chatId }, 'dispatcher: starting task (path B — claude SDK)');
+
+    const [project] = await sql<{ path: string | null }[]>`
+      SELECT path FROM projects WHERE id = ${task.project_id}
+    `;
+    const projectPath = project?.path;
+    if (!projectPath) {
+      await sql`
+        UPDATE tasks
+        SET state = 'failed', ended_at = clock_timestamp(), output_summary = 'Project has no path — cannot create worktree'
+        WHERE id = ${taskId}
+      `;
+      return;
+    }
+
+    const ac = new AbortController();
+
+    try {
+      await sql`
+        UPDATE tasks
+        SET state = 'running', started_at = clock_timestamp(), execution_path = 'acp'
+        WHERE id = ${taskId}
+      `;
+
+      // Persistent, session-keyed worktree (shared across turns + agents; NOT torn
+      // down per turn — Phase 3 reaps it). Same as the opencode/warm-ACP paths so a
+      // chat that switches agents shares one worktree.
+      const { worktreeId, worktreePath, baseCommit } = await ensureSessionWorktree(sql, projectPath, sessionId, {
+        signal: ac.signal,
+      });
+      log.info({ taskId, worktreePath }, 'dispatcher: session worktree ready (claude SDK)');
+
+      const [assistantMsg] = await sql<{ id: string }[]>`
+        INSERT INTO messages (session_id, chat_id, role, content, status, model, created_at)
+        VALUES (${sessionId}, ${chatId}, 'assistant', '', 'streaming', ${task.model}, clock_timestamp())
+        RETURNING id
+      `;
+      const assistantId = assistantMsg!.id;
+
+      // write-edit-robustness #4: pre-turn checkpoint of the persistent session
+      // worktree (best-effort; never breaks dispatch).
+      await createCheckpoint(
+        sql,
+        { chatId, sessionId, worktreeId, worktreePath, messageId: assistantId },
+        { signal: ac.signal, log },
+      ).catch(() => null);
+
+      broker.publishFrame(sessionId, {
+        type: 'message_started',
+        message_id: assistantId,
+        chat_id: chatId,
+        role: 'assistant',
+      } as WsFrame);
+
+      // #10: claude-SDK turn begins.
+      emitAgentStatus(sessionId, chatId, agent, 'working', 'turn_start');
+
+      const manifestCommands = getManifestCommands(agent);
+      if (manifestCommands.length > 0) {
+        setTaskCommands(taskId, manifestCommands);
+        broker.publishFrame(sessionId, {
+          type: 'agent_commands',
+          task_id: taskId,
+          session_id: sessionId,
+          commands: manifestCommands,
+        } as WsFrame);
+      }
+
+      // Accumulate the turn's stream for persistence + the final message content.
+      const textChunks: string[] = [];
+      const reasoningChunks: string[] = [];
+      const toolSnaps = new Map<string, AcpToolSnapshot>();
+
+      // Map transport-agnostic AgentEvents → the SAME WS frames the warm-ACP /
+      // opencode paths emit. This boundary attaches message_id/chat_id.
+      const onEvent = (e: AgentEvent): void => {
+        switch (e.type) {
+          case 'text':
+            textChunks.push(e.text);
+            broker.publishFrame(sessionId, {
+              type: 'delta',
+              message_id: assistantId,
+              chat_id: chatId,
+              content: e.text,
+            } as WsFrame);
+            break;
+          case 'reasoning':
+            reasoningChunks.push(e.text);
+            broker.publishFrame(sessionId, {
+              type: 'reasoning_delta',
+              message_id: assistantId,
+              chat_id: chatId,
+              content: e.text,
+            } as WsFrame);
+            break;
+          case 'tool_call':
+          case 'tool_update':
+            toolSnaps.set(e.toolCall.toolCallId, e.toolCall);
+            broker.publishFrame(sessionId, {
+              type: 'tool_call',
+              message_id: assistantId,
+              chat_id: chatId,
+              tool_call: snapshotToWireToolCall(e.toolCall),
+            } as WsFrame);
+            break;
+          case 'commands':
+            if (e.commands.length > 0) {
+              setTaskCommands(taskId, e.commands);
+              broker.publishFrame(sessionId, {
+                type: 'agent_commands',
+                task_id: taskId,
+                session_id: sessionId,
+                commands: e.commands,
+              } as WsFrame);
+            }
+            break;
+        }
+      };
+
+      const model = task.model ?? undefined;
+      const backend = getClaudeSdkBackend(chatId, agent, installPath);
+      const handle = await backend.ensureSession(sessionId, {
+        agent,
+        model: model ?? '',
+        chatId,
+        worktreePath,
+        worktreeId,
+        projectId: task.project_id,
+      });
+      const result = await backend.prompt(handle, task.input, {
+        worktreePath,
+        model: model ?? '',
+        signal: ac.signal,
+        onEvent,
+        taskId,
+        modeId: task.mode_id ?? undefined,
+      });
+      // Phase 3: keep the pooled (chat,agent) backend warm across the turn.
+      agentPool.touch(chatId, agent);
+
+      const assistantContent = textChunks.join('').slice(0, 50_000);
+      const reasoningText = reasoningChunks.join('').slice(0, 200_000);
+      const outputSummary = (result.ok ? textChunks.join('') : result.error ?? 'claude SDK turn failed').slice(0, 500);
+
+      await persistExternalAgentTurn(sql, assistantId, [...toolSnaps.values()], reasoningText);
+
+      // ctx_used/ctx_max from the SDK result (1M-aware) → the assistant message, so
+      // the ContextBar renders a real context-window fill for claude.
+      await sql`
+        UPDATE messages
+        SET content = ${assistantContent}, status = 'complete', finished_at = clock_timestamp(),
+            ctx_used = ${result.ctxUsed ?? null}, ctx_max = ${result.ctxMax ?? null}
+        WHERE id = ${assistantId}
+      `;
+      broker.publishFrame(sessionId, {
+        type: 'message_complete',
+        message_id: assistantId,
+        chat_id: chatId,
+        model: task.model,
+      } as WsFrame);
+
+      if (stopping) {
+        await sql`UPDATE tasks SET state = 'cancelled', ended_at = clock_timestamp() WHERE id = ${taskId}`;
+        return; // worktree persists (no cleanup); backend stays warm
+      }
+
+      // Diff the persistent worktree against its captured baseline and SUPERSEDE
+      // the session's prior pending row (latest-wins) — identical to opencode/ACP.
+      const diff = await diffWorktree(worktreePath, projectPath, {
+        signal: ac.signal,
+        baseRef: baseCommit ?? 'HEAD',
+      });
+      if (diff) {
+        await sql`
+          DELETE FROM pending_changes WHERE session_id = ${sessionId} AND status = 'pending'
+        `;
+        await sql`
+          INSERT INTO pending_changes (session_id, task_id, file_path, operation, diff, agent)
+          VALUES (${sessionId}, ${taskId}, ${projectPath}, 'edit', ${diff}, ${agent})
+        `;
+        log.info({ taskId, diffLength: diff.length }, 'dispatcher: diff superseded prior pending change (claude SDK)');
+      } else {
+        log.info({ taskId }, 'dispatcher: no changes detected in session worktree (claude SDK)');
+      }
+
+      // NO worktree cleanup — persistent (Phase 3 reaps it). Backend stays warm.
+
+      const [extCostRow] = await sql<{ total: number | null }[]>`
+        SELECT SUM(tokens_used)::int AS total
+        FROM messages
+        WHERE session_id = ${sessionId} AND tokens_used IS NOT NULL
+      `;
+      const extCostTokens = extCostRow?.total ?? null;
+
+      const finalState = result.ok ? 'completed' : 'failed';
+      await sql`
+        UPDATE tasks
+        SET state = ${finalState}, ended_at = clock_timestamp(), output_summary = ${outputSummary}, cost_tokens = ${extCostTokens}
+        WHERE id = ${taskId}
+      `;
+      log.info({ taskId, agent, finalState }, 'dispatcher: task finished (claude SDK)');
+      // #10: clean completion → idle; backend-reported failure → error.
+      emitAgentStatus(
+        sessionId,
+        chatId,
+        agent,
+        result.ok ? 'idle' : 'error',
+        result.ok ? 'turn_complete' : 'failed',
+      );
+      clearTaskCommands(taskId);
+    } catch (err) {
+      const errMsg = err instanceof Error ? err.message : String(err);
+      log.error({ taskId, agent, err: errMsg }, 'dispatcher: claude SDK error');
+      await sql`
+        UPDATE tasks
+        SET state = 'failed', ended_at = clock_timestamp(), output_summary = ${errMsg.slice(0, 500)}
+        WHERE id = ${taskId}
+      `.catch(() => {});
+      // #10: turn crashed.
+      emitAgentStatus(sessionId, chatId, agent, 'error', 'crashed');
      clearTaskCommands(taskId);
      // No worktree cleanup (persistent); backend stays warm for the next turn.
    }
--- a/apps/coder/src/services/frame-emitter.ts
+++ b/apps/coder/src/services/frame-emitter.ts
@@ -0,0 +1,142 @@
+/**
+ * AgentEvent → WS-frame emitter + turn accumulators.
+ *
+ * Extracted (v2.7 audit reshape) from `AcpStreamContext.handleSessionUpdate` in
+ * `acp-dispatch.ts` — the `AgentEvent → broker.publishFrame` switch that maps a
+ * backend's normalized events onto the wire frames the UI consumes, while
+ * accumulating the turn's text / reasoning / tool snapshots for persistence.
+ *
+ * The same shape backs the dispatcher's 4 inline `onEvent` copies (DEFERRED while
+ * dispatcher.ts has uncommitted edits), hence the optional `dcp` stripper + the
+ * `finalize()` flush: the opencode dispatch path strips dcp tags from text deltas,
+ * the ACP path does not (passes no `dcp`, so text is emitted verbatim — identical
+ * to the prior AcpStreamContext behavior).
+ *
+ * Publishing is gated on `canStream()` (all of broker/sessionId/chatId/assistantId
+ * present) exactly as the original — a one-shot dispatch with no broker accumulates
+ * but never publishes.
+ */
+import type { Broker } from '@boocode/server/broker';
+import type { WsFrame } from '@boocode/server/ws-frames';
+import type { AgentEvent } from './agent-backend.js';
+import { type AcpToolSnapshot, snapshotToWireToolCall } from './acp-tool-snapshot.js';
+import { mergeTaskCommands, getTaskCommands } from './agent-commands-cache.js';
+import type { DcpStreamStripper } from './dcp-strip.js';
+
+export interface FrameEmitterOpts {
+  broker?: Broker;
+  sessionId?: string;
+  chatId?: string;
+  /** The assistant message id — the frames' `message_id`. */
+  assistantId?: string;
+  /** Per-turn task id, for the agent_commands frame + command cache. */
+  taskId?: string;
+  /** Optional cross-chunk dcp stripper for text deltas (opencode path). When
+   *  provided, text is stripped before push/publish and `finalize()` flushes the
+   *  held-back tail. The ACP path passes none → text emitted verbatim. */
+  dcp?: DcpStreamStripper;
+}
+
+export interface FrameEmitter {
+  /** Map one AgentEvent to its WS frame(s) + accumulate it. */
+  onEvent: (e: AgentEvent) => void;
+  /** Flush a dcp stripper's held-back tail at turn end (no-op without `dcp`). */
+  finalize: () => void;
+  /** The merge accumulator for tool snapshots (toolCallId → snapshot). */
+  readonly toolSnapshots: Map<string, AcpToolSnapshot>;
+  /** Accumulated assistant text (post-dcp-strip when a stripper is set). */
+  readonly output: string;
+  /** Accumulated reasoning text. */
+  readonly reasoningText: string;
+  /** Tool snapshots in insertion order. */
+  readonly snapshots: AcpToolSnapshot[];
+}
+
+export function makeFrameEmitter(opts: FrameEmitterOpts): FrameEmitter {
+  const { broker, sessionId, chatId, assistantId, taskId, dcp } = opts;
+  const textChunks: string[] = [];
+  const reasoningChunks: string[] = [];
+  const toolSnapshots = new Map<string, AcpToolSnapshot>();
+
+  const canStream = (): boolean => !!(broker && sessionId && chatId && assistantId);
+
+  const publishText = (content: string): void => {
+    textChunks.push(content);
+    if (canStream()) {
+      broker!.publishFrame(sessionId!, {
+        type: 'delta',
+        message_id: assistantId!,
+        chat_id: chatId!,
+        content,
+      } as WsFrame);
+    }
+  };
+
+  const onEvent = (e: AgentEvent): void => {
+    switch (e.type) {
+      case 'text': {
+        const safe = dcp ? dcp.push(e.text) : e.text;
+        if (safe) publishText(safe);
+        break;
+      }
+      case 'reasoning':
+        reasoningChunks.push(e.text);
+        if (canStream()) {
+          broker!.publishFrame(sessionId!, {
+            type: 'reasoning_delta',
+            message_id: assistantId!,
+            chat_id: chatId!,
+            content: e.text,
+          } as WsFrame);
+        }
+        break;
+      case 'tool_call':
+      case 'tool_update':
+        toolSnapshots.set(e.toolCall.toolCallId, e.toolCall);
+        if (canStream()) {
+          broker!.publishFrame(sessionId!, {
+            type: 'tool_call',
+            message_id: assistantId!,
+            chat_id: chatId!,
+            tool_call: snapshotToWireToolCall(e.toolCall),
+          } as WsFrame);
+        }
+        break;
+      case 'commands':
+        if (taskId && e.commands.length > 0) {
+          mergeTaskCommands(taskId, e.commands);
+          if (canStream() && sessionId) {
+            const all = getTaskCommands(taskId) ?? e.commands;
+            broker!.publishFrame(sessionId, {
+              type: 'agent_commands',
+              task_id: taskId,
+              session_id: sessionId,
+              commands: all,
+            } as WsFrame);
+          }
+        }
+        break;
+    }
+  };
+
+  const finalize = (): void => {
+    if (!dcp) return;
+    const tail = dcp.flush();
+    if (tail) publishText(tail);
+  };
+
+  return {
+    onEvent,
+    finalize,
+    toolSnapshots,
+    get output() {
+      return textChunks.join('');
+    },
+    get reasoningText() {
+      return reasoningChunks.join('');
+    },
+    get snapshots() {
+      return [...toolSnapshots.values()];
+    },
+  };
+}
--- a/apps/coder/src/services/mcp-server.ts
+++ b/apps/coder/src/services/mcp-server.ts
@@ -25,13 +25,6 @@ interface PendingRow {
  session_id: string;
 }

-interface WorktreeRow {
-  id: string;
-  worktree_path: string;
-  agent: string;
-  started_at: string;
-}
-
 interface ProjectPathRow {
  path: string;
 }
@@ -196,28 +189,6 @@ export async function startMcpServer(sql: Sql): Promise<void> {
    },
  );

-  // 6. boocoder.list_worktrees
-  server.tool(
-    'boocoder.list_worktrees',
-    'List active worktrees from running tasks',
-    {},
-    async () => {
-      const rows = await sql<WorktreeRow[]>`
-        SELECT id, worktree_path, agent, started_at
-        FROM tasks
-        WHERE worktree_path IS NOT NULL AND state = 'running'
-        ORDER BY started_at DESC
-      `;
-      const items = rows.map((r) => ({
-        task_id: r.id,
-        worktree_path: r.worktree_path,
-        agent: r.agent,
-        started_at: r.started_at,
-      }));
-      return textResult(items);
-    },
-  );
-
  // Connect via stdio
  const transport = new StdioServerTransport();
  await server.connect(transport);
--- a/apps/coder/src/services/net/port-utils.ts
+++ b/apps/coder/src/services/net/port-utils.ts
@@ -0,0 +1,88 @@
+/**
+ * Generic POSIX loopback-port utilities.
+ *
+ * Extracted verbatim (v2.7 audit reshape) from `backends/opencode-server.ts`,
+ * where they were embedded in the backend god-class. They have nothing to do with
+ * opencode semantics — they reclaim/await/allocate a 127.0.0.1 port — so they live
+ * here as reusable infra. No behavior change from the original.
+ */
+import { createServer, connect as netConnect } from 'node:net';
+import { spawnSync } from 'node:child_process';
+
+/**
+ * Reclaim a loopback port a dead child may still hold (lift of openchamber
+ * `killProcessOnPort`). Best-effort, POSIX-only (`lsof`/`kill`); a failure is
+ * harmless because the next spawn allocates a fresh ephemeral port. Never kills
+ * this process. Synchronous + short-timeout so a crash handler doesn't block.
+ */
+export function reclaimPort(port: number | null): void {
+  if (!port || process.platform === 'win32') return;
+  try {
+    const res = spawnSync('lsof', ['-ti', `:${port}`], { encoding: 'utf8', timeout: 3_000, windowsHide: true });
+    const out = res.stdout || '';
+    const myPid = process.pid;
+    for (const pidStr of out.split(/\s+/)) {
+      const pid = parseInt(pidStr.trim(), 10);
+      if (pid && pid !== myPid) {
+        try {
+          spawnSync('kill', ['-9', String(pid)], { stdio: 'ignore', timeout: 2_000 });
+        } catch {
+          // ignore — best effort
+        }
+      }
+    }
+  } catch {
+    // lsof absent or failed — the fresh-ephemeral-port spawn doesn't need this.
+  }
+}
+
+/**
+ * Resolve true once nothing is listening on `port` (lift of openchamber
+ * `waitForPortRelease`). Used before re-spawning on a fixed port; with ephemeral
+ * ports it's a fast no-op. Probes 127.0.0.1; resolves false at the deadline.
+ */
+export function waitForPortRelease(port: number, timeoutMs: number): Promise<boolean> {
+  const deadline = Date.now() + timeoutMs;
+  return new Promise((resolve) => {
+    const attempt = () => {
+      const socket = netConnect({ port, host: '127.0.0.1' });
+      let settled = false;
+      const finish = (released: boolean) => {
+        if (settled) return;
+        settled = true;
+        socket.removeAllListeners();
+        socket.destroy();
+        if (released || Date.now() >= deadline) {
+          resolve(released);
+          return;
+        }
+        setTimeout(attempt, 150);
+      };
+      socket.once('connect', () => finish(false));
+      socket.once('error', (err: NodeJS.ErrnoException) => {
+        if (err && (err.code === 'ECONNREFUSED' || err.code === 'EHOSTUNREACH')) finish(true);
+        else finish(false);
+      });
+      socket.setTimeout(500, () => finish(true));
+    };
+    attempt();
+  });
+}
+
+/** Bind-probe an ephemeral port on loopback. */
+export function freePort(): Promise<number> {
+  return new Promise((resolve, reject) => {
+    const srv = createServer();
+    srv.unref();
+    srv.on('error', reject);
+    srv.listen(0, '127.0.0.1', () => {
+      const addr = srv.address();
+      if (addr && typeof addr === 'object') {
+        const { port } = addr;
+        srv.close(() => resolve(port));
+      } else {
+        srv.close(() => reject(new Error('port-utils: could not determine a free port')));
+      }
+    });
+  });
+}
--- a/apps/coder/src/services/normalize-agent-status.ts
+++ b/apps/coder/src/services/normalize-agent-status.ts
@@ -0,0 +1,23 @@
+/**
+ * normalize-agent-status (#10) — clean-room vendor-event → bucket mapping.
+ *
+ * Different coding agents (claude, opencode, codex/gemini, goose, qwen) emit
+ * lifecycle hook events under inconsistent names: PascalCase (`SessionStart`),
+ * snake_case (`session_start`), camelCase (`sessionStart`), and a handful of
+ * provider-specific approval events (`exec_approval_request`). This module
+ * collapses every known event name into one of three coarse signals:
+ *
+ *   working  — the agent is actively progressing a turn
+ *   blocked  — the agent is waiting on a human (permission / approval / question)
+ *   done     — the turn / session ended cleanly
+ *
+ * `null` is returned for anything unrecognized so callers can ignore noise.
+ *
+ * Built now for the scoped status-publish, but specifically shaped for reuse by
+ * the documented config-injection follow-on: a future notify-hook injected into
+ * each agent's native config will POST the RAW vendor event name to a BooCoder
+ * endpoint, which runs this helper to derive the normalized status. The names
+ * below are facts about each agent's hook surface — not copied vendor code.
+ */
+
+export type AgentStatus = 'working' | 'blocked' | 'idle' | 'error';
--- a/apps/coder/src/services/orphan-worktree-reaper.ts
+++ b/apps/coder/src/services/orphan-worktree-reaper.ts
@@ -21,7 +21,8 @@ import { readdir, stat } from 'node:fs/promises';
 import { join } from 'node:path';
 import type { FastifyBaseLogger } from 'fastify';
 import type { Sql } from '../db.js';
-import { WORKTREE_BASE, checkWorktreeWorkAtRisk } from './worktrees.js';
+import { WORKTREE_BASE } from './worktrees.js';
+import { checkWorktreeWorkAtRisk } from './worktree-risk.js';
 import { hostExec } from './host-exec.js';
 import {
  selectOrphanWorktreeTargets,
--- a/apps/coder/src/services/pending_changes.ts
+++ b/apps/coder/src/services/pending_changes.ts
@@ -181,10 +181,6 @@ export async function rejectOne(sql: Sql, changeId: string): Promise<void> {
  await sql`UPDATE pending_changes SET status = 'rejected' WHERE id = ${changeId} AND status = 'pending'`;
 }

-export async function rejectAll(sql: Sql, sessionId: string): Promise<void> {
-  await sql`UPDATE pending_changes SET status = 'rejected' WHERE session_id = ${sessionId} AND status = 'pending'`;
-}
-
 // --- Rewind functions --------------------------------------------------------

 export async function rewindOne(
--- a/apps/coder/src/services/provider-config-registry.ts
+++ b/apps/coder/src/services/provider-config-registry.ts
@@ -127,7 +127,3 @@ export function getResolvedRegistry(): Map<string, ResolvedProviderDef> {
  return cachedRegistry ?? buildResolvedRegistry(PROVIDERS, { providers: {} });
 }

-/** Resolved provider ids in registry order. */
-export function getResolvedProviderIds(): string[] {
-  return [...getResolvedRegistry().keys()];
-}
--- a/apps/coder/src/services/provider-registry.ts
+++ b/apps/coder/src/services/provider-registry.ts
@@ -38,6 +38,12 @@ export const PROVIDERS: ProviderDef[] = [
  },
  {
    name: 'claude',
+    // transport stays 'pty' — the DEFAULT dispatch path (one-shot `claude
+    // --output-format stream-json`). claude-sdk-sessionstore #9 (Part 2) adds a warm
+    // Claude-Agent-SDK backend (services/backends/claude-sdk.ts) routed ONLY when the
+    // `CLAUDE_SDK_BACKEND` env flag is truthy AND the task is a chat tab; with the flag
+    // off (production default) claude always uses this PTY path, so the transport label
+    // is left unchanged. Flip the env var on a host (after a live smoke) to opt in.
    label: 'Claude Code',
    transport: 'pty',
    modelSource: 'static',
--- a/apps/coder/src/services/pty-dispatch.ts
+++ b/apps/coder/src/services/pty-dispatch.ts
@@ -1,13 +1,29 @@
 /**
 * PTY dispatch — runs external agents directly on the host.
+ *
+ * claude + qwen run with `--output-format stream-json` and emit Claude-Code's
+ * stream-json NDJSON on stdout. When an `onEvent` callback is supplied we
+ * line-buffer that stdout (split on `\n`, hold the partial tail) and feed complete
+ * lines to `makeStreamJsonParser` so deltas surface live as AgentEvents. The raw
+ * stdout is still accumulated + returned for back-compat (and the dispatcher's
+ * fallback when nothing parsed). See `stream-json-parser.ts`.
 */
 import type { FastifyBaseLogger } from 'fastify';
 import { spawn } from 'node:child_process';
+import type { AgentEvent } from './agent-backend.js';
+import { makeStreamJsonParser, type StreamJsonUsage } from './stream-json-parser.js';

 export interface DispatchResult {
  exitCode: number;
  stdout: string;
  stderr: string;
+  /** True iff at least one NDJSON AgentEvent was parsed from stdout (v#7). When
+   *  false the dispatcher falls back to slicing stdout as the assistant content. */
+  streamed: boolean;
+  /** Final usage parsed from the stream-json `result` / `message_delta`, if any. */
+  usage?: StreamJsonUsage;
+  /** Provider session id from the stream-json `system` init line, if any. */
+  agentSessionId?: string | null;
 }

 export interface PtyDispatchOpts {
@@ -20,6 +36,10 @@ export interface PtyDispatchOpts {
  installPath?: string;
  signal?: AbortSignal;
  log: FastifyBaseLogger;
+  /** Optional live event sink. When set, stdout is line-buffered + NDJSON-parsed
+   *  and each AgentEvent is forwarded here as it arrives. Absent → opaque (old)
+   *  behavior: stdout is accumulated and returned, no parsing. */
+  onEvent?: (e: AgentEvent) => void;
 }

 interface PtySpawnSpec {
@@ -40,7 +60,9 @@ function buildPtySpawnSpec(

  switch (agent) {
    case 'claude': {
-      const args = ['-p'];
+      // stream-json on -p requires --verbose (Claude Code rejects stream-json
+      // print mode without it). qwen needs no such flag.
+      const args = ['-p', '--output-format', 'stream-json', '--verbose'];
      if (model) args.push('--model', model);
      if (modeId) args.push('--permission-mode', modeId);
      if (thinkingOptionId) args.push('--effort', thinkingOptionId);
@@ -73,7 +95,7 @@ function buildPtySpawnSpec(
 }

 export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchResult> {
-  const { agent, task, worktreePath, model, modeId, thinkingOptionId, installPath, signal, log } = opts;
+  const { agent, task, worktreePath, model, modeId, thinkingOptionId, installPath, signal, log, onEvent } = opts;

  const cmd = buildPtySpawnSpec(agent, task, model, modeId, thinkingOptionId, installPath);
  if (!cmd) {
@@ -81,6 +103,7 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
      exitCode: 1,
      stdout: '',
      stderr: `Agent '${agent}' is not yet supported for PTY dispatch.`,
+      streamed: false,
    };
  }

@@ -102,7 +125,32 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
    let stderr = '';
    let killed = false;

-    child.stdout!.on('data', (chunk: Buffer) => { stdout += chunk.toString(); });
+    // Live NDJSON parsing (only when a sink is supplied). Line-buffer: split on
+    // '\n', dispatch complete lines, hold the partial tail until the next chunk.
+    const parser = onEvent ? makeStreamJsonParser() : null;
+    let lineBuf = '';
+    let streamed = false;
+    const feedLine = (line: string): void => {
+      if (!parser || !onEvent) return;
+      for (const e of parser.push(line)) {
+        streamed = true;
+        onEvent(e);
+      }
+    };
+
+    child.stdout!.on('data', (chunk: Buffer) => {
+      const text = chunk.toString();
+      stdout += text;
+      if (!parser) return;
+      lineBuf += text;
+      let nl = lineBuf.indexOf('\n');
+      while (nl !== -1) {
+        const line = lineBuf.slice(0, nl);
+        lineBuf = lineBuf.slice(nl + 1);
+        feedLine(line);
+        nl = lineBuf.indexOf('\n');
+      }
+    });
    child.stderr!.on('data', (chunk: Buffer) => { stderr += chunk.toString(); });

    const cleanup = () => {
@@ -116,7 +164,7 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes
    if (signal) {
      if (signal.aborted) {
        cleanup();
-        resolve({ exitCode: 130, stdout: '', stderr: 'Aborted before start' });
+        resolve({ exitCode: 130, stdout: '', stderr: 'Aborted before start', streamed: false });
        return;
      }
      signal.addEventListener('abort', cleanup, { once: true });
@@ -124,8 +172,18 @@ export async function dispatchViaPty(opts: PtyDispatchOpts): Promise<DispatchRes

    child.on('close', (code) => {
      if (signal) signal.removeEventListener('abort', cleanup);
-      log.info({ agent, exitCode: code }, 'pty-dispatch: completed');
-      resolve({ exitCode: code ?? 1, stdout, stderr });
+      // Flush any final line with no trailing newline.
+      if (lineBuf.trim()) feedLine(lineBuf);
+      lineBuf = '';
+      log.info({ agent, exitCode: code, streamed }, 'pty-dispatch: completed');
+      resolve({
+        exitCode: code ?? 1,
+        stdout,
+        stderr,
+        streamed,
+        usage: parser?.usage(),
+        agentSessionId: parser?.sessionId() ?? null,
+      });
    });

    child.on('error', (err) => {
--- a/apps/coder/src/services/stream-json-parser.ts
+++ b/apps/coder/src/services/stream-json-parser.ts
@@ -0,0 +1,296 @@
+/**
+ * Claude-Code-compatible stream-json NDJSON parser (feature #7,
+ * openspec `sampling-streamjson-tokens`).
+ *
+ * qwen (`--output-format stream-json`) and claude (`--output-format stream-json`)
+ * both emit Claude-Code's stream-json NDJSON on stdout: one JSON object per line.
+ * This module turns that stream into the same transport-agnostic `AgentEvent`s the
+ * ACP / opencode-server backends emit, so the PTY dispatch path can publish live
+ * broker frames + persist structured parts instead of slicing stdout opaque.
+ *
+ * Two surfaces:
+ *  - `parseStreamJsonLine(line, state)` — PURE per-line mapping (unit-testable).
+ *    `state` is the caller-owned accumulator (open tool blocks + usage/session_id).
+ *  - `makeStreamJsonParser()` — a thin stateful wrapper holding the state, with a
+ *    `push(line)` that returns the events for that line and getters for the final
+ *    `usage` / `sessionId`.
+ *
+ * Defensive by contract: a non-JSON / partial / garbage line yields `[]` and never
+ * throws. Tool args (`input_json_delta`) arrive fragmented across many lines; we
+ * accumulate the partial JSON string per content-block index and only surface the
+ * parsed `rawInput` once the block stops (or, as a fallback, off the terminal
+ * `assistant` message which carries the fully-assembled `tool_use` blocks).
+ *
+ * Schema (keyed on top-level `type`):
+ *  - `system`     — init: { session_id, tools, ... }
+ *  - `assistant`  — { message: { content: [ {type:'text'|'thinking'|'tool_use', ...} ], usage? } }
+ *  - `user`       — tool results (ignored — diffing the worktree captures effects)
+ *  - `result`     — final: { usage: { input_tokens, output_tokens }, session_id? }
+ *  - `stream_event` — { event: { type, index?, content_block?, delta?, usage? } }
+ *      event.type:
+ *        content_block_start  — { index, content_block: {type, id?, name?} }
+ *        content_block_delta  — { index, delta: {type, text?|thinking?|partial_json?} }
+ *        content_block_stop   — { index }
+ *        message_delta        — { usage: { output_tokens } }
+ *        message_start        — { message: { usage } }
+ */
+import type { AgentEvent } from './agent-backend.js';
+import type { AcpToolSnapshot } from './acp-tool-snapshot.js';
+
+/** Convenience alias for the per-line return value. */
+export type AgentEventList = AgentEvent[];
+
+export interface StreamJsonUsage {
+  inputTokens?: number;
+  outputTokens?: number;
+}
+
+/** Per-open-content-block accumulation for tool args assembled across deltas. */
+interface OpenToolBlock {
+  toolCallId: string;
+  name: string;
+  /** Concatenated `input_json_delta.partial_json` fragments. */
+  partialJson: string;
+}
+
+export interface StreamJsonState {
+  /** content-block index → open tool block (only `tool_use` blocks are tracked). */
+  toolBlocks: Map<number, OpenToolBlock>;
+  sessionId: string | null;
+  usage: StreamJsonUsage;
+}
+
+export function makeStreamJsonState(): StreamJsonState {
+  return { toolBlocks: new Map(), sessionId: null, usage: {} };
+}
+
+function asRecord(value: unknown): Record<string, unknown> | null {
+  if (value && typeof value === 'object' && !Array.isArray(value)) {
+    return value as Record<string, unknown>;
+  }
+  return null;
+}
+
+function asString(value: unknown): string | undefined {
+  return typeof value === 'string' ? value : undefined;
+}
+
+function asNumber(value: unknown): number | undefined {
+  return typeof value === 'number' && Number.isFinite(value) ? value : undefined;
+}
+
+/** Pull token counts out of an Anthropic-shape `usage` object, mutating state. */
+function captureUsage(usage: Record<string, unknown> | null, state: StreamJsonState): void {
+  if (!usage) return;
+  const input = asNumber(usage.input_tokens);
+  const output = asNumber(usage.output_tokens);
+  if (input !== undefined) state.usage.inputTokens = input;
+  // output_tokens is reported incrementally on message_delta; keep the latest.
+  if (output !== undefined) state.usage.outputTokens = output;
+}
+
+/** Parse the accumulated tool-arg JSON; tolerate an unparseable/partial body. */
+function parseToolInput(partialJson: string): unknown {
+  const trimmed = partialJson.trim();
+  if (!trimmed) return {};
+  try {
+    return JSON.parse(trimmed);
+  } catch {
+    return { _raw: partialJson };
+  }
+}
+
+function toolSnapshot(block: OpenToolBlock, rawInput: unknown, status: AcpToolSnapshot['status']): AcpToolSnapshot {
+  return {
+    toolCallId: block.toolCallId,
+    title: block.name,
+    kind: null,
+    status,
+    rawInput,
+  };
+}
+
+/**
+ * Map one stream-event sub-object (the `event` field of a `stream_event` line) to
+ * AgentEvents, mutating `state` for open tool blocks + usage.
+ */
+function handleStreamEvent(event: Record<string, unknown>, state: StreamJsonState): AgentEvent[] {
+  const eventType = asString(event.type);
+  if (!eventType) return [];
+
+  switch (eventType) {
+    case 'content_block_start': {
+      const index = asNumber(event.index);
+      const block = asRecord(event.content_block);
+      if (index === undefined || !block) return [];
+      if (asString(block.type) !== 'tool_use') return [];
+      const toolCallId = asString(block.id) ?? `tool_${index}`;
+      const name = asString(block.name) ?? 'tool';
+      const open: OpenToolBlock = { toolCallId, name, partialJson: '' };
+      state.toolBlocks.set(index, open);
+      // Surface the tool start immediately (running, no args yet) so the UI shows
+      // the call before the args finish streaming.
+      return [{ type: 'tool_call', toolCall: toolSnapshot(open, {}, 'in_progress') }];
+    }
+
+    case 'content_block_delta': {
+      const index = asNumber(event.index);
+      const delta = asRecord(event.delta);
+      if (delta === null) return [];
+      const deltaType = asString(delta.type);
+      if (deltaType === 'text_delta') {
+        const text = asString(delta.text);
+        return text ? [{ type: 'text', text }] : [];
+      }
+      if (deltaType === 'thinking_delta') {
+        const text = asString(delta.thinking);
+        return text ? [{ type: 'reasoning', text }] : [];
+      }
+      if (deltaType === 'input_json_delta') {
+        // Accumulate tool args; no event until the block stops.
+        const fragment = asString(delta.partial_json);
+        if (index !== undefined && fragment) {
+          const open = state.toolBlocks.get(index);
+          if (open) open.partialJson += fragment;
+        }
+        return [];
+      }
+      return [];
+    }
+
+    case 'content_block_stop': {
+      const index = asNumber(event.index);
+      if (index === undefined) return [];
+      const open = state.toolBlocks.get(index);
+      if (!open) return [];
+      state.toolBlocks.delete(index);
+      const rawInput = parseToolInput(open.partialJson);
+      return [{ type: 'tool_update', toolCall: toolSnapshot(open, rawInput, 'completed') }];
+    }
+
+    case 'message_start': {
+      const message = asRecord(event.message);
+      captureUsage(asRecord(message?.usage), state);
+      return [];
+    }
+
+    case 'message_delta': {
+      captureUsage(asRecord(event.usage), state);
+      return [];
+    }
+
+    default:
+      return [];
+  }
+}
+
+/**
+ * Map the terminal `assistant` message (post-hoc full message) to AgentEvents. Used
+ * as a fallback for transports that emit only the assembled `assistant` line and no
+ * incremental `stream_event`s. When stream_events already streamed a block, the
+ * caller dedups by toolCallId, so re-emitting the assembled tool_use is harmless.
+ */
+function handleAssistantMessage(message: Record<string, unknown>, state: StreamJsonState): AgentEvent[] {
+  captureUsage(asRecord(message.usage), state);
+  const content = message.content;
+  if (!Array.isArray(content)) return [];
+  const out: AgentEvent[] = [];
+  let toolIdx = 0;
+  for (const rawBlock of content) {
+    const block = asRecord(rawBlock);
+    if (!block) continue;
+    const blockType = asString(block.type);
+    if (blockType === 'text') {
+      const text = asString(block.text);
+      if (text) out.push({ type: 'text', text });
+    } else if (blockType === 'thinking') {
+      const text = asString(block.thinking);
+      if (text) out.push({ type: 'reasoning', text });
+    } else if (blockType === 'tool_use') {
+      const toolCallId = asString(block.id) ?? `tool_${toolIdx}`;
+      const name = asString(block.name) ?? 'tool';
+      const rawInput = 'input' in block ? block.input : {};
+      out.push({
+        type: 'tool_update',
+        toolCall: { toolCallId, title: name, kind: null, status: 'completed', rawInput },
+      });
+    }
+    toolIdx++;
+  }
+  return out;
+}
+
+/**
+ * Pure per-line mapping. `line` is a single complete NDJSON line (no trailing
+ * newline required; surrounding whitespace tolerated). Returns the AgentEvents the
+ * line produces and mutates `state` (open tool blocks, usage, session_id). A blank,
+ * non-JSON, or unrecognized line yields `[]` and never throws.
+ */
+export function parseStreamJsonLine(line: string, state: StreamJsonState): AgentEvent[] {
+  const trimmed = line.trim();
+  if (!trimmed) return [];
+
+  let obj: Record<string, unknown> | null;
+  try {
+    const parsed: unknown = JSON.parse(trimmed);
+    obj = asRecord(parsed);
+  } catch {
+    return [];
+  }
+  if (!obj) return [];
+
+  const type = asString(obj.type);
+  switch (type) {
+    case 'system': {
+      const sid = asString(obj.session_id);
+      if (sid) state.sessionId = sid;
+      return [];
+    }
+
+    case 'stream_event': {
+      const event = asRecord(obj.event);
+      return event ? handleStreamEvent(event, state) : [];
+    }
+
+    case 'assistant': {
+      const sid = asString(obj.session_id);
+      if (sid) state.sessionId = sid;
+      const message = asRecord(obj.message);
+      return message ? handleAssistantMessage(message, state) : [];
+    }
+
+    case 'result': {
+      const sid = asString(obj.session_id);
+      if (sid) state.sessionId = sid;
+      captureUsage(asRecord(obj.usage), state);
+      return [];
+    }
+
+    default:
+      // `user` (tool results) and any unknown line type — ignore.
+      return [];
+  }
+}
+
+export interface StreamJsonParser {
+  /** Feed one complete NDJSON line; returns its AgentEvents (never throws). */
+  push(line: string): AgentEvent[];
+  /** Final usage (input/output tokens) accumulated so far. */
+  usage(): StreamJsonUsage;
+  /** Provider session id from the init `system` line / `result`, if seen. */
+  sessionId(): string | null;
+}
+
+/**
+ * Stateful wrapper around `parseStreamJsonLine`. Holds per-tool-block accumulation
+ * + usage/session_id across the turn. Line-buffering (splitting stdout on `\n` and
+ * holding the partial tail) is the caller's job — see `pty-dispatch.ts`.
+ */
+export function makeStreamJsonParser(): StreamJsonParser {
+  const state = makeStreamJsonState();
+  return {
+    push: (line: string) => parseStreamJsonLine(line, state),
+    usage: () => ({ ...state.usage }),
+    sessionId: () => state.sessionId,
+  };
+}
--- a/apps/coder/src/services/tools/index.ts
+++ b/apps/coder/src/services/tools/index.ts
@@ -26,9 +26,4 @@ export const WRITE_TOOLS: readonly ToolDef<any>[] = [
  checkTaskStatusTool,
 ];

-// eslint-disable-next-line @typescript-eslint/no-explicit-any
-export const WRITE_TOOLS_BY_NAME: ReadonlyMap<string, ToolDef<any>> = new Map(
-  WRITE_TOOLS.map((t) => [t.name, t]),
-);
-
 export { editFileTool, createFileTool, deleteFileTool, applyPendingTool, rewindTool, newTaskTool, listTasksTool, checkTaskStatusTool };
--- a/apps/coder/src/services/worktree-risk.ts
+++ b/apps/coder/src/services/worktree-risk.ts
@@ -0,0 +1,175 @@
+/**
+ * Worktree work-at-risk assessment (split out of `worktrees.ts`, v2.7 audit
+ * reshape). The git-worktree create/diff/remove lifecycle stays in `worktrees.ts`;
+ * this module owns the orthogonal "would deleting this worktree lose work?" gate
+ * the server consults before a session delete, plus the recoverable stash escape.
+ *
+ * Session delete itself lives in apps/server (Docker), which CANNOT see the host
+ * worktree dirs or run git on them — only BooCoder (host systemd) can — so the
+ * server calls the routes that wrap these helpers. Behavior is unchanged from the
+ * original worktrees.ts implementation.
+ */
+import { hostExec } from './host-exec.js';
+
+/**
+ * Risk report for a single worktree, returned by checkWorktreeWorkAtRisk.
+ * `atRisk` is the gate the server reads before allowing a session delete.
+ * A git error never silently passes — it forces `atRisk` true and surfaces
+ * the message in `error` (fail-closed).
+ */
+export interface RiskReport {
+  worktreePath: string;
+  branch: string;
+  dirty: boolean;   // uncommitted working-tree changes (incl. untracked)
+  unpushed: number; // commits ahead of upstream, or -1 if no upstream is set
+  unmerged: number; // commits on this branch not in the project default branch
+  atRisk: boolean;  // dirty || unmerged > 0 || (upstream && unpushed > 0) || git error
+  error?: string;   // populated on a git failure; presence forces atRisk
+}
+
+/**
+ * Resolve the project's default branch as a git-usable ref (e.g. "origin/main").
+ *
+ * `refs/remotes/origin/HEAD` lives in the repo's COMMON git dir and is shared
+ * across every linked worktree, so reading it from the session worktree returns
+ * the REMOTE's default branch — never this worktree's own `session-<id>` branch
+ * (that would be `symbolic-ref HEAD`, a different ref). Falls back to probing
+ * common defaults by verified existence when origin/HEAD isn't set (e.g. a repo
+ * that never ran `git remote set-head`). Returns null if none resolve, in which
+ * case the unmerged check is skipped (dirty + unpushed still protect the work).
+ */
+async function detectDefaultBranchRef(
+  worktreePath: string,
+  opts?: { signal?: AbortSignal },
+): Promise<string | null> {
+  const head = await hostExec(
+    `git -C ${shellEscape(worktreePath)} symbolic-ref --short refs/remotes/origin/HEAD`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  );
+  if (head.exitCode === 0) {
+    const ref = head.stdout.trim(); // e.g. "origin/main"
+    if (ref) {
+      const verify = await hostExec(
+        `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(ref + '^{commit}')}`,
+        { signal: opts?.signal, timeoutMs: 10_000 },
+      );
+      if (verify.exitCode === 0 && verify.stdout.trim()) return ref;
+    }
+  }
+  // origin/HEAD unset or unresolvable — probe common defaults. Prefer the
+  // remote-tracking ref (always resolvable in a fresh worktree) over the local
+  // head, which may not exist if the default branch lives only in the main tree.
+  for (const cand of ['origin/main', 'origin/master', 'main', 'master']) {
+    const verify = await hostExec(
+      `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(cand + '^{commit}')}`,
+      { signal: opts?.signal, timeoutMs: 10_000 },
+    );
+    if (verify.exitCode === 0 && verify.stdout.trim()) return cand;
+  }
+  return null;
+}
+
+/**
+ * Inspect a worktree for work that would be lost if its session were deleted.
+ * Three checks, all via the audited hostExec + shellEscape path (every
+ * interpolated value — paths, refs — is single-quote-escaped; no bare
+ * interpolation). Any unexpected git failure is treated as at-risk, never a
+ * silent pass.
+ */
+export async function checkWorktreeWorkAtRisk(
+  worktreePath: string,
+  opts?: { signal?: AbortSignal },
+): Promise<RiskReport> {
+  // Branch name — also doubles as the "is this still a git worktree?" probe.
+  const br = await hostExec(
+    `git -C ${shellEscape(worktreePath)} rev-parse --abbrev-ref HEAD`,
+    { signal: opts?.signal, timeoutMs: 10_000 },
+  );
+  if (br.exitCode !== 0) {
+    return {
+      worktreePath,
+      branch: '',
+      dirty: false,
+      unpushed: 0,
+      unmerged: 0,
+      atRisk: true,
+      error: `git rev-parse failed: ${br.stderr.trim() || 'not a git worktree'}`,
+    };
+  }
+  const branch = br.stdout.trim();
+
+  // (a) Uncommitted (dirty working tree, including untracked files).
+  const st = await hostExec(
+    `git -C ${shellEscape(worktreePath)} status --porcelain`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  );
+  if (st.exitCode !== 0) {
+    return {
+      worktreePath,
+      branch,
+      dirty: false,
+      unpushed: 0,
+      unmerged: 0,
+      atRisk: true,
+      error: `git status failed: ${st.stderr.trim()}`,
+    };
+  }
+  const dirty = st.stdout.trim().length > 0;
+
+  // (b) Unpushed commits. No upstream configured => work exists only locally;
+  // treat as unpushed-by-definition (-1) rather than an error.
+  const up = await hostExec(
+    `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape('@{u}..HEAD')}`,
+    { signal: opts?.signal, timeoutMs: 15_000 },
+  );
+  const unpushed = up.exitCode === 0 ? (parseInt(up.stdout.trim() || '0', 10) || 0) : -1;
+
+  // (c) Unmerged commits — on this branch but not in the project default branch.
+  const defaultRef = await detectDefaultBranchRef(worktreePath, opts);
+  let unmerged = 0;
+  if (defaultRef) {
+    const rl = await hostExec(
+      `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape(defaultRef + '..HEAD')}`,
+      { signal: opts?.signal, timeoutMs: 15_000 },
+    );
+    if (rl.exitCode === 0) unmerged = parseInt(rl.stdout.trim() || '0', 10) || 0;
+  }
+
+  // unpushed only contributes when an upstream actually exists. Session branches
+  // (session-<id>) never have one (unpushed === -1), and any real local-only work
+  // there already surfaces as unmerged > 0 — so the no-upstream case adds no
+  // protection, only friction (it flagged every pristine worktree-backed session).
+  // The unpushed > 0 arm stays forward-compatible with P1.5 pushable branches.
+  const hasUpstream = unpushed !== -1;
+  const atRisk = dirty || unmerged > 0 || (hasUpstream && unpushed > 0);
+  return { worktreePath, branch, dirty, unpushed, unmerged, atRisk };
+}
+
+/**
+ * Stash a worktree's uncommitted changes (including untracked, via -u) so the
+ * working tree is clean. Stash entries live in the repo's common git dir, so
+ * they survive worktree-dir removal — this is the recoverable, safe-by-default
+ * escape. Note it only clears the *dirty* risk; unpushed/unmerged commits
+ * remain on the branch, so a re-attempted delete may still block on those.
+ */
+export async function stashWorktree(
+  worktreePath: string,
+  opts?: { signal?: AbortSignal },
+): Promise<{ stashed: boolean; error?: string }> {
+  const r = await hostExec(
+    `git -C ${shellEscape(worktreePath)} stash push -u -m ${shellEscape('boocode: pre-delete stash')}`,
+    { signal: opts?.signal, timeoutMs: 30_000 },
+  );
+  if (r.exitCode !== 0) {
+    return { stashed: false, error: r.stderr.trim() || r.stdout.trim() };
+  }
+  // "No local changes to save" => exit 0, nothing stashed — not an error.
+  const stashed = !/no local changes to save/i.test(r.stdout);
+  return { stashed };
+}
+
+/** Minimal shell escape for paths (single-quote wrapping). */
+function shellEscape(s: string): string {
+  // Replace single quotes with escaped version, wrap in single quotes
+  return "'" + s.replace(/'/g, "'\\''") + "'";
+}
--- a/apps/coder/src/services/worktrees.ts
+++ b/apps/coder/src/services/worktrees.ts
@@ -8,6 +8,7 @@
 */
 import type { Sql } from '../db.js';
 import { hostExec } from './host-exec.js';
+import { checkWorktreeWorkAtRisk } from './worktree-risk.js';

 export const WORKTREE_BASE = '/tmp/booworktrees';

@@ -378,165 +379,6 @@ export async function rebaselineWorktreeAfterApply(
  return { rebaselined: true, newBaseCommit: newBase };
 }

-// ─── Session-delete work-loss guard ─────────────────────────────────────────
-
-/**
- * Risk report for a single worktree, returned by checkWorktreeWorkAtRisk.
- * `atRisk` is the gate the server reads before allowing a session delete.
- * A git error never silently passes — it forces `atRisk` true and surfaces
- * the message in `error` (fail-closed).
- */
-export interface RiskReport {
-  worktreePath: string;
-  branch: string;
-  dirty: boolean;   // uncommitted working-tree changes (incl. untracked)
-  unpushed: number; // commits ahead of upstream, or -1 if no upstream is set
-  unmerged: number; // commits on this branch not in the project default branch
-  atRisk: boolean;  // dirty || unmerged > 0 || (upstream && unpushed > 0) || git error
-  error?: string;   // populated on a git failure; presence forces atRisk
-}
-
-/**
- * Resolve the project's default branch as a git-usable ref (e.g. "origin/main").
- *
- * `refs/remotes/origin/HEAD` lives in the repo's COMMON git dir and is shared
- * across every linked worktree, so reading it from the session worktree returns
- * the REMOTE's default branch — never this worktree's own `session-<id>` branch
- * (that would be `symbolic-ref HEAD`, a different ref). Falls back to probing
- * common defaults by verified existence when origin/HEAD isn't set (e.g. a repo
- * that never ran `git remote set-head`). Returns null if none resolve, in which
- * case the unmerged check is skipped (dirty + unpushed still protect the work).
- */
-async function detectDefaultBranchRef(
-  worktreePath: string,
-  opts?: { signal?: AbortSignal },
-): Promise<string | null> {
-  const head = await hostExec(
-    `git -C ${shellEscape(worktreePath)} symbolic-ref --short refs/remotes/origin/HEAD`,
-    { signal: opts?.signal, timeoutMs: 10_000 },
-  );
-  if (head.exitCode === 0) {
-    const ref = head.stdout.trim(); // e.g. "origin/main"
-    if (ref) {
-      const verify = await hostExec(
-        `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(ref + '^{commit}')}`,
-        { signal: opts?.signal, timeoutMs: 10_000 },
-      );
-      if (verify.exitCode === 0 && verify.stdout.trim()) return ref;
-    }
-  }
-  // origin/HEAD unset or unresolvable — probe common defaults. Prefer the
-  // remote-tracking ref (always resolvable in a fresh worktree) over the local
-  // head, which may not exist if the default branch lives only in the main tree.
-  for (const cand of ['origin/main', 'origin/master', 'main', 'master']) {
-    const verify = await hostExec(
-      `git -C ${shellEscape(worktreePath)} rev-parse --verify --quiet ${shellEscape(cand + '^{commit}')}`,
-      { signal: opts?.signal, timeoutMs: 10_000 },
-    );
-    if (verify.exitCode === 0 && verify.stdout.trim()) return cand;
-  }
-  return null;
-}
-
-/**
- * Inspect a worktree for work that would be lost if its session were deleted.
- * Three checks, all via the audited hostExec + shellEscape path (every
- * interpolated value — paths, refs — is single-quote-escaped; no bare
- * interpolation). Any unexpected git failure is treated as at-risk, never a
- * silent pass.
- */
-export async function checkWorktreeWorkAtRisk(
-  worktreePath: string,
-  opts?: { signal?: AbortSignal },
-): Promise<RiskReport> {
-  // Branch name — also doubles as the "is this still a git worktree?" probe.
-  const br = await hostExec(
-    `git -C ${shellEscape(worktreePath)} rev-parse --abbrev-ref HEAD`,
-    { signal: opts?.signal, timeoutMs: 10_000 },
-  );
-  if (br.exitCode !== 0) {
-    return {
-      worktreePath,
-      branch: '',
-      dirty: false,
-      unpushed: 0,
-      unmerged: 0,
-      atRisk: true,
-      error: `git rev-parse failed: ${br.stderr.trim() || 'not a git worktree'}`,
-    };
-  }
-  const branch = br.stdout.trim();
-
-  // (a) Uncommitted (dirty working tree, including untracked files).
-  const st = await hostExec(
-    `git -C ${shellEscape(worktreePath)} status --porcelain`,
-    { signal: opts?.signal, timeoutMs: 15_000 },
-  );
-  if (st.exitCode !== 0) {
-    return {
-      worktreePath,
-      branch,
-      dirty: false,
-      unpushed: 0,
-      unmerged: 0,
-      atRisk: true,
-      error: `git status failed: ${st.stderr.trim()}`,
-    };
-  }
-  const dirty = st.stdout.trim().length > 0;
-
-  // (b) Unpushed commits. No upstream configured => work exists only locally;
-  // treat as unpushed-by-definition (-1) rather than an error.
-  const up = await hostExec(
-    `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape('@{u}..HEAD')}`,
-    { signal: opts?.signal, timeoutMs: 15_000 },
-  );
-  const unpushed = up.exitCode === 0 ? (parseInt(up.stdout.trim() || '0', 10) || 0) : -1;
-
-  // (c) Unmerged commits — on this branch but not in the project default branch.
-  const defaultRef = await detectDefaultBranchRef(worktreePath, opts);
-  let unmerged = 0;
-  if (defaultRef) {
-    const rl = await hostExec(
-      `git -C ${shellEscape(worktreePath)} rev-list --count ${shellEscape(defaultRef + '..HEAD')}`,
-      { signal: opts?.signal, timeoutMs: 15_000 },
-    );
-    if (rl.exitCode === 0) unmerged = parseInt(rl.stdout.trim() || '0', 10) || 0;
-  }
-
-  // unpushed only contributes when an upstream actually exists. Session branches
-  // (session-<id>) never have one (unpushed === -1), and any real local-only work
-  // there already surfaces as unmerged > 0 — so the no-upstream case adds no
-  // protection, only friction (it flagged every pristine worktree-backed session).
-  // The unpushed > 0 arm stays forward-compatible with P1.5 pushable branches.
-  const hasUpstream = unpushed !== -1;
-  const atRisk = dirty || unmerged > 0 || (hasUpstream && unpushed > 0);
-  return { worktreePath, branch, dirty, unpushed, unmerged, atRisk };
-}
-
-/**
- * Stash a worktree's uncommitted changes (including untracked, via -u) so the
- * working tree is clean. Stash entries live in the repo's common git dir, so
- * they survive worktree-dir removal — this is the recoverable, safe-by-default
- * escape. Note it only clears the *dirty* risk; unpushed/unmerged commits
- * remain on the branch, so a re-attempted delete may still block on those.
- */
-export async function stashWorktree(
-  worktreePath: string,
-  opts?: { signal?: AbortSignal },
-): Promise<{ stashed: boolean; error?: string }> {
-  const r = await hostExec(
-    `git -C ${shellEscape(worktreePath)} stash push -u -m ${shellEscape('boocode: pre-delete stash')}`,
-    { signal: opts?.signal, timeoutMs: 30_000 },
-  );
-  if (r.exitCode !== 0) {
-    return { stashed: false, error: r.stderr.trim() || r.stdout.trim() };
-  }
-  // "No local changes to save" => exit 0, nothing stashed — not an error.
-  const stashed = !/no local changes to save/i.test(r.stdout);
-  return { stashed };
-}
-
 /** Minimal shell escape for paths (single-quote wrapping). */
 function shellEscape(s: string): string {
  // Replace single quotes with escaped version, wrap in single quotes
--- a/apps/coder/vitest.config.ts
+++ b/apps/coder/vitest.config.ts
@@ -5,5 +5,11 @@ export default defineConfig({
    environment: 'node',
    globals: false,
    include: ['src/**/__tests__/**/*.test.ts'],
+    // DB-integration suites (checkpoints, claude-session-store, reconnect, etc.)
+    // each apply the full schema in beforeAll against the one shared dev DB; running
+    // test files in parallel makes those concurrent DDL applies deadlock under
+    // DATABASE_URL. Serialize file execution — the suites are fast, so the cost is
+    // negligible and the default (no-DATABASE_URL) run is unaffected.
+    fileParallelism: false,
  },
 });
--- a/apps/coder/web/vite.config.d.ts
+++ b/apps/coder/web/vite.config.d.ts
@@ -1,2 +0,0 @@
-declare const _default: import("vite").UserConfig;
-export default _default;
--- a/apps/coder/web/vite.config.js
+++ b/apps/coder/web/vite.config.js
@@ -1,25 +0,0 @@
-import { defineConfig } from 'vite';
-import react from '@vitejs/plugin-react';
-import path from 'node:path';
-export default defineConfig({
-    plugins: [react()],
-    resolve: {
-        alias: {
-            '@': path.resolve(__dirname, './src'),
-        },
-    },
-    server: {
-        port: 5174,
-        proxy: {
-            '/api': {
-                target: 'http://127.0.0.1:3000',
-                changeOrigin: true,
-                ws: true,
-            },
-        },
-    },
-    build: {
-        outDir: 'dist',
-        emptyOutDir: true,
-    },
-});
--- a/apps/server/CLAUDE.md
+++ b/apps/server/CLAUDE.md
@@ -0,0 +1,48 @@
+# apps/server — BooChat backend (deep reference)
+
+> Per-app engineering notes for `apps/server/src/`. Cross-cutting commands, database, environment, workflow, and cross-app contracts (WS-frame / provider-type parity, sentinels) live in the **root `CLAUDE.md`**. This file auto-loads when you read/edit files under `apps/server/`.
+
+## Stack
+
+- **Fastify** with `@fastify/websocket` and `@fastify/static` (serves the built frontend).
+- **postgres** (porsager/postgres) with tagged-template SQL — no ORM. Schema in `schema.sql`, applied on startup. LSP may false-positive on `sql<Type[]>\`...\`` generics; CLI `tsc` / `pnpm build` is authoritative.
+- **Zod** for request validation and config parsing.
+
+## Key services
+
+- **`services/inference/`** — Public surface re-exported via `inference/index.ts`; callers import from `./services/inference/index.js` explicitly (NodeNext doesn't honor directory-index resolution). Layout: `turn.ts` (runAssistantTurn/runInference/createInferenceRunner; exports `InferenceFrame`, `InferenceContext`, `TurnArgs`, `StreamResult`, `MAX_STEPS`); `stream-phase.ts` (streamCompletion AI SDK adapter + executeStreamPhase); `provider.ts` (`upstreamModel(baseURL, modelId)` wrapping `createOpenAICompatible` against llama-swap); `tool-phase.ts` (executeToolPhase → `ToolPhaseResult`; the turn loop lives in turn.ts, not recursion); `sentinel-summaries.ts` (cap-hit/doom-loop/step-cap summaries + inserters); `error-handler.ts` (handleAbortOrError, finalizeCompletion); `payload.ts` (buildMessagesPayload, loadContext, maybeFlagForCompaction, `OpenAiMessage`); `sentinels.ts` (`detectDoomLoop`, `DOOM_LOOP_THRESHOLD`); `budget.ts` (resolveToolBudget); `xml-parser.ts` (qwen3.6 XML tool-call fallback — KEEP, AI SDK doesn't handle inline-XML tool calls); `parts.ts` (`partsFromAssistantMessage`/`partsFromToolMessage`/`insertParts` — parts are the sole source of truth); `prune.ts` (two-tier compaction; `selectPruneTargets` is the pure helper); `types.ts` (`StreamPhaseState`, `DB_FLUSH_INTERVAL_MS`). **`TurnArgs`** is the per-turn state envelope, reset in `runInference` at the user-message boundary. Outer loop: `while (stepNumber < effectiveCap)`, `effectiveCap = Math.min(agent.steps ?? Infinity, MAX_STEPS=200)`. Per-agent `steps:` in AGENTS.md frontmatter; `steps: 0` = text-only. Step-cap hit writes a `cap_hit` sentinel (`CapHitSentinel.tsx` renders it).
+- **AI SDK v6 streamCompletion adapter** (`services/inference/stream-phase.ts`). `streamText` is the underlying call; the BooCode layer (executeStreamPhase, finalize, dual-write) is shape-preserved via an adapter. Five gotchas the LSP/tests won't catch:
+  - **Abort signals are swallowed.** `streamText`'s `fullStream` exits cleanly when `abortSignal` fires — no throw. Post-iteration `if (signal?.aborted) throw <AbortError>` is required, else the row finalizes `complete` instead of `cancelled`. Don't refactor away the pinning comment.
+  - **Usage lands only at stream end** via `await result.usage` (v6 `inputTokens`/`outputTokens` → mapped to `promptTokens`/`completionTokens`). No mid-stream tok/s; ChatThroughput shows one value at stream end.
+  - **Tools have NO `execute` field.** BooCode dispatches tools in tool-phase.ts, not the AI SDK loop — only `description` + `inputSchema: jsonSchema(parameters)`.
+  - **`includeUsage: true` MUST be set on `createOpenAICompatible`** in `provider.ts`. The adapter defaults it false → no `stream_options.include_usage` → llama-swap emits no usage block → `result.usage` resolves `undefined` (NULL token counts). Don't remove during refactor.
+  - **Tool-call-only turns may emit a leading `\n` text-delta.** `MessageList.flatten`'s `hasText` and `MessageBubble`'s `hasContent` both `.trim()` before the length check, else whitespace-only content renders an empty bubble + ActionRow between tool calls. `buildMessagesPayload` also skips `status='failed'` and complete-but-empty assistant rows (avoids "Cannot have 2 or more assistant messages at the end of the list" upstream rejection after cap-hit + Continue).
+- **AI SDK ModelMessage conversion** (`toModelMessages` in stream-phase.ts). Tool messages need a `toolName` for `ToolResultPart`; BooCode's OpenAI-shape history lacks it, so a forward-scan builds a `tool_call_id → toolName` map from prior assistant `tool_calls`. Tool outputs wrapped as `{ type: 'json' | 'text', value }` (v6 `ToolResultOutput`). Reasoning emits a `ReasoningPart` first in the content array.
+- **`experimental_repairToolCall`** wired into `streamText` to keep the stream alive when qwen3.6 emits malformed tool args. Pass-through: logs the bad call, returns it unmodified; `executeToolPhase`'s zod-reject path routes it back to the model next turn.
+- **`chat_status` frame** (via `broker.publishUser`) — `status: 'streaming' | 'tool_running' | 'waiting_for_input' | 'idle' | 'error'`. Frontend `useChatStatus` derives `idle_warm` (<30s since idle) vs `idle_cold`. `ChatThroughput` renders beside `StatusDot` only when streaming/tool_running, fed by 500ms-throttled `'usage'` frames (`completion_tokens` + `ctx_used` + `ctx_max`). `POST /api/chats/:id/discard_stale` marks a stuck-streaming row `failed` when the frontend's 60s no-token timer gives up.
+- **Stale-streaming sweeps** (`apps/server/src/index.ts`): a boot-time pass after `applySchema()` and a periodic 60s `setInterval` both flip `messages.status='streaming'` older than 5 min to `failed` (publishing `chat_status='idle'`); the interval also runs `cleanupTruncations` (TTL + orphan reap of tmpfs truncation files). `onClose` hook clears the timer. Recovers from a container restart mid-stream.
+- **`services/broker.ts`** — In-memory pub/sub, two channel types: per-session (message streaming) and per-user (sidebar). No persistence; clients reconnect on restart. Every WS publish goes through `broker.publishFrame(sessionId, frame)` / `publishUserFrame(user, frame)` — both Zod-validate against `WsFrameSchema` (`types/ws-frames.ts`) and fail-closed (log + drop). Schema duplicated byte-identical at `apps/web/src/api/ws-frames.ts`; `ws-frames.test.ts` enforces parity. Don't add raw `broker.publish()`/`publishUser()` calls.
+- **`services/tools.ts`** — Tool registry (`ALL_TOOLS`, `READ_ONLY_TOOL_NAMES`, `TOOLS_BY_NAME`). Filesystem tools (view_file/list_dir/grep/find_files) pass three guards: `path_guard.ts` (workspace scope), `secret_guard.ts` (filename deny list), `url_guard.ts` (SSRF/private-IP block for web_fetch). Web tools (`web_search`, `web_fetch`) are opt-in per chat via `session.web_search_enabled` (falls back to `project.default_web_search_enabled`) and filtered out of the LLM tool schema when false. Truncation: when a tool slice cuts content, `services/truncate.ts` stashes the full text on tmpfs (`BOOCODE_TRUNCATION_DIR`, default `/tmp/boocode-truncations`, 0o700) keyed by `tr_<12 base32>`; `view_truncated_output(id)` retrieves it. 5MB cap, 7-day TTL, reaped by the sweeper. Container restart loses retrieval — acceptable.
+- **`services/compaction.ts`** + **`services/model-context.ts`** — Anchored rolling summary (single `summary=true` assistant row per chat, supersedes itself each compaction). Triggered when `chats.needs_compaction` is set after a turn exceeds `usable(ctx_max) = floor(0.85 × ctx_max)`. **`ctx_max` comes from `model-context.getModelContext()` fetching `${LLAMA_SWAP_URL}/upstream/<model>/props`** — NOT from `parsed.timings.n_ctx`. First inferences after boot may have `ctx_max=NULL` if llama-swap hasn't loaded the model; negative cache TTL 60s, recovers next turn. `buildHeadPayload` embeds `reasoning_parts` as a `<reasoning>...</reasoning>` prose prefix on assistant `content` (OpenAI wire shape has no structured reasoning field); standalone tag when content is empty. `buildHeadPayload` + `OpenAiMessage` exported for tests — keep them exported.
+- **`services/system-prompt.ts`** — `buildSystemPrompt` is the string shim; `buildSystemPromptWithFingerprint` is the canonical impl returning `{prompt, fingerprint, drift}`. SHA-256 of the assembled prefix is logged per `buildMessagesPayload` (`prefix-fingerprint`, info); a `Map<sessionId, lastHash>` fires `prefix-drift` (warn) on change with a `changed_inputs` diff. The prefix is byte-stable in steady-state, so prefix caching is left to the input-layer mtime caches (BOOCHAT.md + AGENTS.md global/per-project in `agents.ts:safeStat`).
+- **`services/inference/budget.ts`** — tool-call budgets: `BUDGET_READ_ONLY = 30`, `BUDGET_NON_READ_ONLY = 10` (forward-looking; no write tools yet), `BUDGET_NO_AGENT = 30` (every `ALL_TOOLS` tool is read-only today, so no-agent shares the read-only cap). Per-agent `max_tool_calls` from AGENTS.md overrides.
+- **`messages_with_parts` view** (`schema.sql`). Read sites needing `tool_calls` / `tool_results` / `reasoning_parts` SELECT from this view, NOT `messages` — the legacy `messages.tool_calls`/`tool_results` JSON columns were dropped; the view reads parts-only subselects. Writes target `message_parts` via `insertParts` (or `partsFromAssistantMessage`/`partsFromToolMessage`). The `Message` wire type still carries `tool_calls?`/`tool_results?` because the view synthesizes them. Shapes: `tool_calls jsonb[]`, `tool_results jsonb` (single object), `reasoning_parts jsonb[]` of `{text}`. To UPDATE a message and return its full shape, do a two-step UPDATE returning `id` then SELECT from the view — RETURNING off bare `messages` no longer carries the tool fields. **`messages.model`** (attribution chip) stamps the model per assistant turn — at `finalizeCompletion` (BooChat + native coder) + the dispatcher's assistant-row INSERT (external coder); read via the view + the `message_complete` frame, rendered by `shortenModelName`.
+- **`services/file_ops.ts`** — Shared file operation implementations used by both inference tools and HTTP routes.
+- **`services/auto_name.ts`** — Non-streaming LLM call to generate 4-word session titles after the first assistant reply.
+- **Provider picker dispatch**: when `provider !== 'boocode'`, the message route creates a `tasks` row (with `session_id` set) instead of calling `inference.enqueue`. The dispatcher (in `apps/coder`) picks it up and dispatches via ACP or PTY using the agent's `install_path`.
+
+Route registration: all routes registered in `index.ts` via `register*Routes(app, sql, ...)`. Routes live in `routes/*.ts`.
+
+## Server conventions
+
+- **New tools** live in their own `services/<name>.ts` (see `web_search.ts`, `web_fetch.ts`) — a pure `executeFoo(input, ...deps)` for direct test access plus a `ToolDef` wrapper that `loadConfig()`s its real deps. Register the ToolDef in `tools.ts` `ALL_TOOLS` (and `READ_ONLY_TOOL_NAMES` if applicable). Inject `fetcher: typeof fetch = fetch` rather than `vi.spyOn(globalThis, 'fetch')`.
+- **DB/session-aware tools** take an optional 4th `ToolExecCtx { sql, sessionId }` arg on `ToolDef.execute`, plumbed `executeToolPhase`→`executeToolCall`→`execute`. Optional so filesystem tools and the `apps/coder` `ALL_TOOLS` consumer stay compatible; filesystem tools ignore it. `read_tab_by_number` is the reference.
+- **ReadableStream test stubs** use `pull()` (not `start()`) so chunks are produced lazily — `start()` enqueues everything and closes before the consumer reads, so a later `reader.cancel()` finds the stream closed and the `cancel()` callback never fires. Provide MORE chunks than the test consumes so the source stays 'readable' when cancel runs.
+- Tool-name whitelists must derive from `ALL_TOOLS` in `services/tools.ts`, never hardcoded (this drift class hit `services/agents.ts` `ALL_TOOL_NAMES` before).
+- Agent registry lives at `data/AGENTS.md` (global, bind-mounted at `/data/AGENTS.md`). No per-project `AGENTS.md` in this repo (removed to eliminate two-files-must-stay-in-sync drift); the `getAgentsForProject` per-project override mechanism remains for *other* projects.
+- `data/AGENTS.md` is PARSED (`agents.ts` `splitSections`/`parseAgentSection`): each `## <Name>` is one agent and must be followed by a `---` frontmatter fence or the block throws; content before the first `## ` is discarded. Do NOT add free-form `## ` rule sections — they break the registry. Cross-cutting agent rules go in CLAUDE.md or a parser-ignored preamble.
+- MCP stdio transport uses newline-delimited JSON (NDJSON), NOT LSP-style `Content-Length` headers. `codecontext/shim.go` is the reference (per the MCP spec, modelcontextprotocol.io/specification/server/transports).
+- **`payload.ts:loadContext` SELECT** must include every `Session` field downstream code reads. The tool phase reads `session.allowed_read_paths`; if the SELECT omits it, cross-repo read grants silently fail. `sql<Session[]>` doesn't enforce column coverage, so the type doesn't catch it.
+- **Sidecar routing** (`services/inference/provider.ts`): `upstreamModel(config, modelId, agent)` routes to `LLAMA_SIDECAR_URL` when the agent has `llama_extra_args`, else `LLAMA_SWAP_URL`. `resolveRoute(agent)` returns `{route, flags}`. Sidecar provider created fresh per call (not cached) because `X-Agent-Flags` varies per agent. Boot-time guard in `index.ts` refuses to start if any agent has `llama_extra_args` but `LLAMA_SIDECAR_URL` is unset.
+- **Secret guard safe patterns** (`services/secret_guard.ts`): `.env.example`, `.env.sample`, `.env.template`, `.env.defaults` are allowlisted via `SAFE_PATTERNS`. Do NOT add `.env.production`/`.env.development`/`.env.test` — those can hold real secrets.
+- **llama-sidecar** (`/opt/forks/llama-sidecar/`): Go daemon for a per-agent llama-server process pool (routed to via "Sidecar routing" above). Cross-compile: `GOOS=windows GOARCH=amd64 /snap/go/current/bin/go build -o bin/llama-sidecar.exe ./cmd/llama-sidecar`. Gitea: `indifferentketchup/llama-sidecar`. Windows child-process gotchas: `context.Background()` for child lifetime (not request ctx), `os.Open(os.DevNull)` for stdin, `os.Pipe()` for stdout with a drain goroutine, `DETACHED_PROCESS | CREATE_NEW_PROCESS_GROUP` flags. SSH to sam-desktop: `ssh samki@100.101.41.16`; use `schtasks` for persistent spawning (SSH `start /B` doesn't survive session close).
--- a/apps/server/src/config.ts
+++ b/apps/server/src/config.ts
@@ -18,7 +18,6 @@ const ConfigSchema = z.object({
  GITEA_BASE_URL: z.string().url().default('https://git.indifferentketchup.com'),
  GITEA_USER: z.string().default('indifferentketchup'),
  GITEA_TOKEN: z.string().optional(),
-  GITEA_SSH_HOST: z.string().default('100.114.205.53:2222'),
  // v1.15.0-mcp-multi: path to the MCP config JSON file. Default /data/mcp.json
  // (bind-mounted alongside AGENTS.md). File missing = no MCP (opt-in).
  MCP_CONFIG_PATH: z.string().optional(),
--- a/apps/server/src/routes/chats.ts
+++ b/apps/server/src/routes/chats.ts
@@ -5,6 +5,7 @@ import type { Broker } from '../services/broker.js';
 import type { Chat, Message } from '../types/api.js';
 import { getModelContext } from '../services/model-context.js';
 import { notifyCoderClose } from '../services/coder-notify.js';
+import { MESSAGE_COLUMNS } from '../services/message-columns.js';

 const CreateBody = z.object({
  name: z.string().min(1).max(200).optional(),
@@ -439,9 +440,7 @@ export function registerChatRoutes(
      }
      // v1.13.1-B: reads tool_calls/tool_results via the parts-merged view.
      const rows = await sql<Message[]>`
-        SELECT id, session_id, chat_id, role, content, kind, tool_calls, tool_results, status, last_seq,
-               tokens_used, ctx_used, ctx_max, started_at, finished_at, created_at, metadata,
-               summary, tail_start_id, compacted_at
+        SELECT ${sql.unsafe(MESSAGE_COLUMNS)}
        FROM messages_with_parts
        WHERE chat_id = ${req.params.id}
        ORDER BY created_at ASC, id ASC
--- a/apps/server/src/routes/messages.ts
+++ b/apps/server/src/routes/messages.ts
@@ -8,6 +8,81 @@ import type { Chat, Message, Session, ToolCall } from '../types/api.js';
 // decision time (not at request time) so concurrent project changes don't
 // stale-bind the resolution.
 import { resolveGrantRoot } from '../services/grant_resolver.js';
+import { MESSAGE_COLUMNS } from '../services/message-columns.js';
+
+// Shared lookup for the answer_user_input + grant_read_access pause-resume
+// endpoints. Finds the originating assistant tool_call by id in message_parts,
+// validates the tool name, finds the pending tool_result part, and checks the
+// already-answered guard. Returns ok:true+context on success, ok:false+HTTP
+// status+body on any error (caller does reply.code(ctx.code); return ctx.body).
+type PendingToolLookupResult =
+  | {
+      ok: true;
+      foundCall: ToolCall;
+      toolMessageId: string;
+      toolRow: { message_id: string; payload: { tool_call_id: string; output: unknown } };
+    }
+  | { ok: false; code: number; body: Record<string, unknown> };
+
+async function lookupPendingToolCall(
+  sql: Sql,
+  chatId: string,
+  tool_call_id: string,
+  expectedToolName: string,
+  wrongToolError: string,
+): Promise<PendingToolLookupResult> {
+  // Find the assistant's tool_call by id via message_parts.
+  const callerRows = await sql<{
+    message_id: string;
+    payload: { id: string; name: string; args: Record<string, unknown> };
+  }[]>`
+    SELECT p.message_id, p.payload
+    FROM message_parts p
+    JOIN messages m ON m.id = p.message_id
+    WHERE m.chat_id = ${chatId}
+      AND m.role = 'assistant'
+      AND p.kind = 'tool_call'
+      AND p.payload->>'id' = ${tool_call_id}
+    ORDER BY m.created_at DESC
+    LIMIT 1
+  `;
+  const callerRow = callerRows[0];
+  if (!callerRow) return { ok: false, code: 404, body: { error: 'unknown_tool_call_id' } };
+
+  const foundCall: ToolCall = {
+    id: callerRow.payload.id,
+    name: callerRow.payload.name,
+    args: callerRow.payload.args,
+  };
+  if (foundCall.name !== expectedToolName) {
+    return { ok: false, code: 400, body: { error: wrongToolError } };
+  }
+
+  // Find the pending tool_result part by tool_call_id.
+  const toolRows = await sql<{
+    message_id: string;
+    payload: { tool_call_id: string; output: unknown };
+  }[]>`
+    SELECT p.message_id, p.payload
+    FROM message_parts p
+    JOIN messages m ON m.id = p.message_id
+    WHERE m.chat_id = ${chatId}
+      AND m.role = 'tool'
+      AND p.kind = 'tool_result'
+      AND p.payload->>'tool_call_id' = ${tool_call_id}
+    ORDER BY m.created_at DESC
+    LIMIT 1
+  `;
+  const toolRow = toolRows[0];
+  if (!toolRow) {
+    return { ok: false, code: 404, body: { error: 'unknown_tool_call_id', detail: 'tool message not found' } };
+  }
+  if (toolRow.payload && toolRow.payload.output !== null) {
+    return { ok: false, code: 409, body: { error: 'tool_call_already_answered' } };
+  }
+
+  return { ok: true, foundCall, toolMessageId: toolRow.message_id, toolRow };
+}

 const SendBody = z.object({
  content: z.string().min(1).max(64_000),
@@ -116,9 +191,7 @@ export function registerMessageRoutes(
      // see services/inference.ts loadContext + services/compaction.ts.
      // v1.13.1-B: reads tool_calls/tool_results via the parts-merged view.
      const rows = await sql<Message[]>`
-        SELECT id, session_id, chat_id, role, content, kind, tool_calls, tool_results, status, last_seq,
-               tokens_used, ctx_used, ctx_max, started_at, finished_at, created_at, metadata,
-               summary, tail_start_id, compacted_at
+        SELECT ${sql.unsafe(MESSAGE_COLUMNS)}
        FROM messages_with_parts
        WHERE session_id = ${req.params.id}
        ORDER BY created_at ASC, id ASC
@@ -493,40 +566,16 @@ export function registerMessageRoutes(
      const chat = chatRows[0]!;
      const sessionId = chat.session_id;

-      // v1.13.1-C: find the assistant's tool_call by indexing message_parts
-      // directly on payload->>'id'. Scoped by chat_id + role via the JOIN.
-      // Pre-v1.13.0 history has no parts rows — those tool_calls become
-      // unreachable here (404). Acceptable per the dispatch decision: any
-      // pending elicitation from before v1.13.0 is long timed out by now;
-      // promote to a hotfix with a JSON-column fallback if it ever surfaces.
-      const callerRows = await sql<{
-        message_id: string;
-        payload: { id: string; name: string; args: Record<string, unknown> };
-      }[]>`
-        SELECT p.message_id, p.payload
-        FROM message_parts p
-        JOIN messages m ON m.id = p.message_id
-        WHERE m.chat_id = ${chat.id}
-          AND m.role = 'assistant'
-          AND p.kind = 'tool_call'
-          AND p.payload->>'id' = ${tool_call_id}
-        ORDER BY m.created_at DESC
-        LIMIT 1
-      `;
-      const callerRow = callerRows[0];
-      if (!callerRow) {
-        reply.code(404);
-        return { error: 'unknown_tool_call_id' };
-      }
-      const foundCall: ToolCall = {
-        id: callerRow.payload.id,
-        name: callerRow.payload.name,
-        args: callerRow.payload.args,
-      };
-      if (foundCall.name !== 'ask_user_input') {
-        reply.code(400);
-        return { error: 'tool_call_not_ask_user_input' };
+      // v1.13.1-C: resolve the originating tool_call + pending tool row.
+      // Pre-v1.13.0 history has no parts rows — those become unreachable (404).
+      const ctx = await lookupPendingToolCall(
+        sql, chat.id, tool_call_id, 'ask_user_input', 'tool_call_not_ask_user_input',
+      );
+      if (!ctx.ok) {
+        reply.code(ctx.code);
+        return ctx.body;
      }
+      const { foundCall, toolMessageId } = ctx;

      // Validate the args themselves — the LLM could have emitted bad JSON.
      const argsParsed = AskUserInputArgs.safeParse(foundCall.args);
@@ -569,33 +618,6 @@ export function registerMessageRoutes(
        }
      }

-      // v1.13.1-C: find the pending tool row via message_parts on
-      // payload->>'tool_call_id'. Same fallback caveat as the caller lookup
-      // above — pre-v1.13.0 rows are unreachable here.
-      const toolRows = await sql<{
-        message_id: string;
-        payload: { tool_call_id: string; output: unknown };
-      }[]>`
-        SELECT p.message_id, p.payload
-        FROM message_parts p
-        JOIN messages m ON m.id = p.message_id
-        WHERE m.chat_id = ${chat.id}
-          AND m.role = 'tool'
-          AND p.kind = 'tool_result'
-          AND p.payload->>'tool_call_id' = ${tool_call_id}
-        ORDER BY m.created_at DESC
-        LIMIT 1
-      `;
-      const toolRow = toolRows[0];
-      if (!toolRow) {
-        reply.code(404);
-        return { error: 'unknown_tool_call_id', detail: 'tool message not found' };
-      }
-      if (toolRow.payload && toolRow.payload.output !== null) {
-        reply.code(409);
-        return { error: 'tool_call_already_answered' };
-      }
-
      const answerSet = { answers };
      const newToolResults = {
        tool_call_id,
@@ -603,7 +625,6 @@ export function registerMessageRoutes(
        truncated: false,
      };

-      const toolMessageId = toolRow.message_id;
      const result = await sql.begin(async (tx) => {
        // v1.13.20: parts-only. Replace the pending tool_result part inserted
        // at message creation (tool-phase.ts) with the answered one. Delete-
@@ -681,35 +702,15 @@ export function registerMessageRoutes(
      const chat = chatRows[0]!;
      const sessionId = chat.session_id;

-      // Mirror the /answer lookup: assistant tool_call by id via message_parts.
-      const callerRows = await sql<{
-        message_id: string;
-        payload: { id: string; name: string; args: Record<string, unknown> };
-      }[]>`
-        SELECT p.message_id, p.payload
-        FROM message_parts p
-        JOIN messages m ON m.id = p.message_id
-        WHERE m.chat_id = ${chat.id}
-          AND m.role = 'assistant'
-          AND p.kind = 'tool_call'
-          AND p.payload->>'id' = ${tool_call_id}
-        ORDER BY m.created_at DESC
-        LIMIT 1
-      `;
-      const callerRow = callerRows[0];
-      if (!callerRow) {
-        reply.code(404);
-        return { error: 'unknown_tool_call_id' };
-      }
-      const foundCall: ToolCall = {
-        id: callerRow.payload.id,
-        name: callerRow.payload.name,
-        args: callerRow.payload.args,
-      };
-      if (foundCall.name !== 'request_read_access') {
-        reply.code(400);
-        return { error: 'tool_call_not_request_read_access' };
+      const grantCtx = await lookupPendingToolCall(
+        sql, chat.id, tool_call_id, 'request_read_access', 'tool_call_not_request_read_access',
+      );
+      if (!grantCtx.ok) {
+        reply.code(grantCtx.code);
+        return grantCtx.body;
      }
+      const { foundCall, toolMessageId } = grantCtx;
+
      const argsParsed = RequestReadAccessArgs.safeParse(foundCall.args);
      if (!argsParsed.success) {
        reply.code(400);
@@ -717,31 +718,6 @@ export function registerMessageRoutes(
      }
      const requestedPath = argsParsed.data.path;

-      // Find the pending tool row.
-      const toolRows = await sql<{
-        message_id: string;
-        payload: { tool_call_id: string; output: unknown };
-      }[]>`
-        SELECT p.message_id, p.payload
-        FROM message_parts p
-        JOIN messages m ON m.id = p.message_id
-        WHERE m.chat_id = ${chat.id}
-          AND m.role = 'tool'
-          AND p.kind = 'tool_result'
-          AND p.payload->>'tool_call_id' = ${tool_call_id}
-        ORDER BY m.created_at DESC
-        LIMIT 1
-      `;
-      const toolRow = toolRows[0];
-      if (!toolRow) {
-        reply.code(404);
-        return { error: 'unknown_tool_call_id', detail: 'tool message not found' };
-      }
-      if (toolRow.payload && toolRow.payload.output !== null) {
-        reply.code(409);
-        return { error: 'tool_call_already_answered' };
-      }
-
      // Look up session + project so we can re-resolve the grant root and
      // append to allowed_read_paths atomically. We don't need agent or
      // history here — just the project path for the resolver.
@@ -790,7 +766,6 @@ export function registerMessageRoutes(
        output: resultOutput,
        truncated: false,
      };
-      const toolMessageId = toolRow.message_id;
      const dbResult = await sql.begin(async (tx) => {
        // v1.13.20: parts-only. Same delete+insert dance as /answer —
        // UNIQUE (message_id, sequence) blocks plain UPDATE on append-style
--- a/apps/server/src/routes/projects.ts
+++ b/apps/server/src/routes/projects.ts
@@ -67,6 +67,20 @@ export async function resolveProjectPath(
  return { real, name: basename(real) };
 }

+async function selectProject(sql: Sql, id: string): Promise<Project | null> {
+  const rows = await sql<Project[]>`
+    SELECT id, name, path, added_at, last_session_id, status, gitea_remote,
+           default_system_prompt, default_web_search_enabled
+    FROM projects WHERE id = ${id}
+  `;
+  return rows[0] ?? null;
+}
+
+async function selectProjectPath(sql: Sql, id: string): Promise<string | null> {
+  const rows = await sql<{ path: string }[]>`SELECT path FROM projects WHERE id = ${id}`;
+  return rows[0]?.path ?? null;
+}
+
 export function registerProjectRoutes(
  app: FastifyInstance,
  sql: Sql,
@@ -199,16 +213,12 @@ export function registerProjectRoutes(
  // v1.9: single-project fetch so the settings pane can refetch on
  // project_updated without pulling the whole project list.
  app.get<{ Params: { id: string } }>('/api/projects/:id', async (req, reply) => {
-    const rows = await sql<Project[]>`
-      SELECT id, name, path, added_at, last_session_id, status, gitea_remote,
-             default_system_prompt, default_web_search_enabled
-      FROM projects WHERE id = ${req.params.id}
-    `;
-    if (rows.length === 0) {
+    const project = await selectProject(sql, req.params.id);
+    if (!project) {
      reply.code(404);
      return { error: 'not found' };
    }
-    return rows[0];
+    return project;
  });

  app.patch<{ Params: { id: string } }>('/api/projects/:id', async (req, reply) => {
@@ -340,18 +350,14 @@ export function registerProjectRoutes(
      const { id } = req.params;
      const relPath = req.query.path ?? '.';

-      const rows = await sql<Project[]>`
-        SELECT id, name, path, added_at, last_session_id, status, gitea_remote
-        FROM projects WHERE id = ${id}
-      `;
-      if (rows.length === 0) {
+      const projectPath = await selectProjectPath(sql, id);
+      if (projectPath === null) {
        reply.code(404);
        return { error: 'not found' };
      }
-      const project = rows[0]!;
      let projectRoot: string;
      try {
-        projectRoot = await resolveProjectRoot(project.path);
+        projectRoot = await resolveProjectRoot(projectPath);
      } catch (err) {
        if (err instanceof PathScopeError) {
          reply.code(404);
@@ -385,18 +391,14 @@ export function registerProjectRoutes(
        return { error: 'path is required' };
      }

-      const rows = await sql<Project[]>`
-        SELECT id, name, path, added_at, last_session_id, status, gitea_remote
-        FROM projects WHERE id = ${id}
-      `;
-      if (rows.length === 0) {
+      const projectPath = await selectProjectPath(sql, id);
+      if (projectPath === null) {
        reply.code(404);
        return { error: 'not found' };
      }
-      const project = rows[0]!;
      let projectRoot: string;
      try {
-        projectRoot = await resolveProjectRoot(project.path);
+        projectRoot = await resolveProjectRoot(projectPath);
      } catch (err) {
        if (err instanceof PathScopeError) {
          reply.code(404);
@@ -431,18 +433,14 @@ export function registerProjectRoutes(
    '/api/projects/:id/git',
    async (req, reply) => {
      const { id } = req.params;
-      const rows = await sql<Project[]>`
-        SELECT id, name, path, added_at, last_session_id, status, gitea_remote
-        FROM projects WHERE id = ${id}
-      `;
-      if (rows.length === 0) {
+      const projectPath = await selectProjectPath(sql, id);
+      if (projectPath === null) {
        reply.code(404);
        return { error: 'not found' };
      }
-      const project = rows[0]!;
      let projectRoot: string;
      try {
-        projectRoot = await resolveProjectRoot(project.path);
+        projectRoot = await resolveProjectRoot(projectPath);
      } catch (err) {
        if (err instanceof PathScopeError) {
          reply.code(404);
@@ -461,18 +459,14 @@ export function registerProjectRoutes(
    async (req, reply) => {
      const { id } = req.params;

-      const rows = await sql<Project[]>`
-        SELECT id, name, path, added_at, last_session_id, status, gitea_remote
-        FROM projects WHERE id = ${id}
-      `;
-      if (rows.length === 0) {
+      const projectPath = await selectProjectPath(sql, id);
+      if (projectPath === null) {
        reply.code(404);
        return { error: 'not found' };
      }
-      const project = rows[0]!;
      let projectRoot: string;
      try {
-        projectRoot = await resolveProjectRoot(project.path);
+        projectRoot = await resolveProjectRoot(projectPath);
      } catch (err) {
        if (err instanceof PathScopeError) {
          reply.code(404);
--- a/apps/server/src/routes/settings.ts
+++ b/apps/server/src/routes/settings.ts
@@ -22,8 +22,9 @@ export async function setSetting(
  `;
 }

-// themes-v1: whitelist of the 18 preset theme ids. Kept in sync with
+// themes-v1: whitelist of the preset theme ids. Kept in sync with
 // docs/themes_v1.md §1 and apps/web/src/lib/theme.ts THEMES.
+// (+ 'ember' — the BooCode 2.0 signature, now the default.)
 const THEME_IDS = [
  'obsidian',
  'gunmetal',
@@ -43,6 +44,7 @@ const THEME_IDS = [
  'chalk',
  'cobalt',
  'midnight-sapphire',
+  'ember',
 ] as const;

 const THEME_MODES = ['dark', 'light', 'system'] as const;
--- a/apps/server/src/routes/ws.ts
+++ b/apps/server/src/routes/ws.ts
@@ -2,6 +2,7 @@ import type { FastifyInstance } from 'fastify';
 import type { Sql } from '../db.js';
 import type { Broker } from '../services/broker.js';
 import type { Message } from '../types/api.js';
+import { MESSAGE_COLUMNS } from '../services/message-columns.js';

 export function registerWebSocket(
  app: FastifyInstance,
@@ -25,9 +26,7 @@ export function registerWebSocket(
      // render the SummaryCard for summary=true rows on first connect.
      // v1.13.1-B: reads tool_calls/tool_results via the parts-merged view.
      const messages = await sql<Message[]>`
-        SELECT id, session_id, chat_id, role, content, kind, tool_calls, tool_results, status, last_seq,
-               tokens_used, ctx_used, ctx_max, started_at, finished_at, created_at, metadata,
-               summary, tail_start_id, compacted_at
+        SELECT ${sql.unsafe(MESSAGE_COLUMNS)}
        FROM messages_with_parts
        WHERE session_id = ${sessionId}
        ORDER BY created_at ASC, id ASC
--- a/apps/server/src/schema.sql
+++ b/apps/server/src/schema.sql
@@ -1,5 +1,5 @@
 -- v1.13.3: statement_timeout is set at database level via:
--   ALTER DATABASE boocode SET statement_timeout = '30s';
+--   ALTER DATABASE boochat SET statement_timeout = '30s';
 -- ALTER DATABASE can't run inside a DO block, so this is an operational
 -- step rather than schema. Re-apply after a volume reset (the setting
 -- lives in pg_db which survives `docker compose up --build` but NOT a
@@ -30,8 +30,6 @@ CREATE TABLE IF NOT EXISTS messages (
  session_id UUID NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
  role TEXT NOT NULL,
  content TEXT NOT NULL DEFAULT '',
-  tool_calls JSONB,
-  tool_results JSONB,
  status TEXT NOT NULL DEFAULT 'complete',
  last_seq INT NOT NULL DEFAULT 0,
  created_at TIMESTAMPTZ NOT NULL DEFAULT clock_timestamp()
@@ -39,11 +37,10 @@ CREATE TABLE IF NOT EXISTS messages (

 CREATE INDEX IF NOT EXISTS idx_messages_session ON messages(session_id, created_at);

-- v1.13.0: granular message parts table for AI SDK migration. Old
-- messages.content / tool_calls / tool_results columns stay authoritative
-- for reads in v1.13.0; this table is dual-written so the swap can happen
-- in a later dispatch without a backfill window. ON DELETE CASCADE means
-- removing a message removes its parts in one go.
+-- v1.13.0: granular message parts table. v1.13.20: legacy tool_calls/
+-- tool_results columns dropped; message_parts is now the sole source of
+-- truth for tool calls, tool results, and reasoning. ON DELETE CASCADE
+-- means removing a message removes its parts in one go.
 CREATE TABLE IF NOT EXISTS message_parts (
  id uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  message_id uuid NOT NULL REFERENCES messages(id) ON DELETE CASCADE,
@@ -107,6 +104,11 @@ END $$;
 -- a single jsonb object {tool_call_id, output, truncated, error?}.
 -- reasoning_parts is consumed by the inference history fetch (payload.ts)
 -- for v1.13.1-C reasoning round-tripping. Not surfaced in external APIs.
+-- model-attribution: which model produced an assistant message (NULL for
+-- user/system rows and pre-existing messages). Stamped at finalize (BooChat /
+-- native coder) and at assistant-row creation (external coder dispatcher).
+ALTER TABLE messages ADD COLUMN IF NOT EXISTS model TEXT;
+
 CREATE OR REPLACE VIEW messages_with_parts AS
 SELECT
  m.id, m.session_id, m.chat_id, m.role, m.content, m.kind, m.status,
@@ -122,7 +124,10 @@ SELECT
    ORDER BY p.sequence LIMIT 1) AS tool_results,
  (SELECT jsonb_agg(p.payload ORDER BY p.sequence)
     FROM message_parts p
-    WHERE p.message_id = m.id AND p.kind = 'reasoning' AND p.hidden_at IS NULL) AS reasoning_parts
+    WHERE p.message_id = m.id AND p.kind = 'reasoning' AND p.hidden_at IS NULL) AS reasoning_parts,
+  -- NEW columns MUST be appended at the end: CREATE OR REPLACE VIEW can't
+  -- reorder/rename existing columns (42P16). m.model added last.
+  m.model
 FROM messages m;

 -- v1.13.20: drop legacy tool_calls/tool_results columns. Reads have routed
@@ -134,10 +139,9 @@ ALTER TABLE messages DROP COLUMN IF EXISTS tool_calls;
 ALTER TABLE messages DROP COLUMN IF EXISTS tool_results;

 -- v1.13.10: per-tool token cost rolling window. Derives from
-- messages_with_parts (the v1.13.1-B view that COALESCEs message_parts over
-- the legacy JSON column) so this works whether the chat predates v1.13.0
-- or postdates v1.13.2 (column drop). No new write site — all source data
-- already lands via the existing tool-phase.ts:94-95 UPDATE.
+-- messages_with_parts (the v1.13.1-B view; v1.13.20 removed the legacy
+-- JSON-column COALESCE fallback — parts are sole source). No new write
+-- site — all source data already lands via tool-phase.ts:94-95 UPDATE.
 --
 -- Attribution model: equal split. A turn emitting N tool calls divides its
 -- prompt/completion tokens by N before attribution. See v1.13.10 dispatch
@@ -344,7 +348,7 @@ INSERT INTO settings (key, value) VALUES ('theme_mode', '"dark"') ON CONFLICT (k
 ALTER TABLE projects ADD COLUMN IF NOT EXISTS default_system_prompt TEXT NOT NULL DEFAULT '';
 ALTER TABLE projects ADD COLUMN IF NOT EXISTS default_web_search_enabled BOOLEAN NOT NULL DEFAULT false;
 ALTER TABLE sessions ADD COLUMN IF NOT EXISTS web_search_enabled BOOLEAN;
-ALTER TABLE sessions ADD COLUMN IF NOT EXISTS tags TEXT[] DEFAULT '{}';
+ALTER TABLE sessions DROP COLUMN IF EXISTS tags;

 -- v1.11: anchored rolling compaction.
 --   compacted_at  — marks rows that are "behind the curtain" of the latest
@@ -383,9 +387,7 @@ CREATE TABLE IF NOT EXISTS tasks (
  model             TEXT,
  mode_id           TEXT,
  thinking_option_id TEXT,
-  feature_values    JSONB,
  execution_path    TEXT CHECK (execution_path IS NULL OR execution_path IN ('native','acp','pty','qwen')),
-  worktree_path     TEXT,
  cost_tokens       INTEGER,
  started_at        TIMESTAMPTZ,
  ended_at          TIMESTAMPTZ,
--- a/apps/server/src/services/tests/agents.test.ts
+++ b/apps/server/src/services/tests/agents.test.ts
@@ -1,4 +1,4 @@
-import { describe, it, expect } from 'vitest';
+import { describe, it, expect, vi, afterEach } from 'vitest';
 import { isAgentRegistryMarkdown, parseAgentsMd } from '../agents.js';

 describe('isAgentRegistryMarkdown', () => {
@@ -31,3 +31,87 @@ Start here
    expect(r.errors.length).toBeGreaterThan(0);
  });
 });
+
+// v2.6 sampling-streamjson-tokens (#11): per-agent llama.cpp sampler extensions.
+describe('parseAgentsMd: v2.6 sampling knobs', () => {
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  const withFrontmatter = (lines: string) => `# Agents
+
+## Sampler
+---
+temperature: 0.6
+${lines}
+tools: [view_file]
+description: test
+---
+You sample.
+`;
+
+  it('parses top_n_sigma and the dry_* family from frontmatter', () => {
+    const md = withFrontmatter(
+      [
+        'top_n_sigma: 1.5',
+        'dry_multiplier: 0.8',
+        'dry_base: 1.75',
+        'dry_allowed_length: 2',
+        'dry_penalty_last_n: -1',
+      ].join('\n'),
+    );
+    const { agents, errors } = parseAgentsMd(md);
+    expect(errors).toHaveLength(0);
+    expect(agents).toHaveLength(1);
+    const a = agents[0]!;
+    expect(a.top_n_sigma).toBe(1.5);
+    expect(a.dry_multiplier).toBe(0.8);
+    expect(a.dry_base).toBe(1.75);
+    expect(a.dry_allowed_length).toBe(2);
+    expect(a.dry_penalty_last_n).toBe(-1);
+  });
+
+  it('defaults the new sampler fields to null when omitted', () => {
+    const { agents } = parseAgentsMd(withFrontmatter('top_p: 0.95'));
+    const a = agents[0]!;
+    expect(a.top_n_sigma).toBeNull();
+    expect(a.dry_multiplier).toBeNull();
+    expect(a.dry_base).toBeNull();
+    expect(a.dry_allowed_length).toBeNull();
+    expect(a.dry_penalty_last_n).toBeNull();
+  });
+
+  it('warns (does not error) on out-of-range top_n_sigma / dry_* values', () => {
+    const warn = vi.spyOn(console, 'warn').mockImplementation(() => {});
+    const md = withFrontmatter(
+      [
+        'top_n_sigma: -1',
+        'dry_multiplier: -0.5',
+        'dry_base: -2',
+        'dry_allowed_length: -3',
+        'dry_penalty_last_n: -5',
+      ].join('\n'),
+    );
+    const { agents, errors } = parseAgentsMd(md);
+    expect(errors).toHaveLength(0);
+    expect(agents).toHaveLength(1);
+    // Mirrors top_k/min_p: out-of-range still stored, with a warning.
+    expect(warn).toHaveBeenCalled();
+    const warnings = warn.mock.calls.map((c) => String(c[0])).join('\n');
+    expect(warnings).toContain('top_n_sigma');
+    expect(warnings).toContain('dry_multiplier');
+    expect(warnings).toContain('dry_base');
+    expect(warnings).toContain('dry_allowed_length');
+    expect(warnings).toContain('dry_penalty_last_n');
+  });
+
+  it('errors on non-numeric / non-integer sampler values', () => {
+    const md = withFrontmatter(
+      ['top_n_sigma: high', 'dry_allowed_length: 2.5'].join('\n'),
+    );
+    const { errors } = parseAgentsMd(md);
+    const joined = errors.map((e) => e.reason).join('\n');
+    expect(joined).toContain('top_n_sigma must be a number');
+    expect(joined).toContain('dry_allowed_length must be an integer');
+  });
+});
--- a/apps/server/src/services/tests/budget.test.ts
+++ b/apps/server/src/services/tests/budget.test.ts
@@ -0,0 +1,46 @@
+import { describe, expect, it } from 'vitest';
+import { resolveToolBudget } from '../inference/budget.js';
+import type { Agent } from '../../types/api.js';
+
+const BASE_AGENT: Agent = {
+  id: 'test-agent',
+  name: 'Test',
+  description: 'test',
+  system_prompt: '',
+  temperature: 0.7,
+  top_p: null,
+  top_k: null,
+  min_p: null,
+  presence_penalty: null,
+  top_n_sigma: null,
+  dry_multiplier: null,
+  dry_base: null,
+  dry_allowed_length: null,
+  dry_penalty_last_n: null,
+  tools: ['view_file'],
+  model: null,
+  source: 'global',
+  max_tool_calls: null,
+  steps: null,
+  llama_extra_args: null,
+};
+
+describe('resolveToolBudget', () => {
+  it('returns 100 when agent is null (no-agent raw chat)', () => {
+    expect(resolveToolBudget(null)).toBe(100);
+  });
+
+  it('returns 100 when agent has no max_tool_calls override', () => {
+    expect(resolveToolBudget(BASE_AGENT)).toBe(100);
+  });
+
+  it('returns max_tool_calls when agent overrides the default', () => {
+    const agent: Agent = { ...BASE_AGENT, max_tool_calls: 25 };
+    expect(resolveToolBudget(agent)).toBe(25);
+  });
+
+  it('returns 0 when max_tool_calls is explicitly 0 (text-only mode)', () => {
+    const agent: Agent = { ...BASE_AGENT, max_tool_calls: 0 };
+    expect(resolveToolBudget(agent)).toBe(0);
+  });
+});
--- a/apps/server/src/services/tests/compaction.test.ts
+++ b/apps/server/src/services/tests/compaction.test.ts
@@ -7,6 +7,8 @@ import {
  select,
  buildPrompt,
  buildHeadPayload,
+  deriveFilesRead,
+  buildFilesReadContext,
  type CompactionMessage,
 } from '../compaction.js';
 import { SUMMARY_TEMPLATE } from '../compaction-prompt.js';
@@ -321,3 +323,105 @@ describe('buildHeadPayload reasoning render', () => {
    expect(out[1]!.content).not.toContain('<reasoning>');
  });
 });
+
+// ---- buildHeadPayload sentinel stripping (#12) -------------------------------
+
+describe('buildHeadPayload strips all UI sentinels', () => {
+  it('drops cap_hit, doom_loop, and mistake_recovery system rows', () => {
+    const out = buildHeadPayload([
+      mkMsg('user', 'do the thing'),
+      mkMsg('system', 'budget reached', { metadata: { kind: 'cap_hit' } }),
+      mkMsg('system', 'looping', { metadata: { kind: 'doom_loop' } }),
+      mkMsg('system', 'repeated errors', { metadata: { kind: 'mistake_recovery' } }),
+      mkMsg('assistant', 'answer'),
+    ]);
+    // Only the user + assistant rows survive; all three sentinels stripped.
+    expect(out).toHaveLength(2);
+    expect(out[0]!.role).toBe('user');
+    expect(out[1]!.role).toBe('assistant');
+  });
+
+  it('keeps a non-sentinel system row (e.g. compact bridge) untouched', () => {
+    const out = buildHeadPayload([
+      mkMsg('system', 'legacy compact', { kind: 'compact', metadata: null }),
+      mkMsg('user', 'q'),
+    ]);
+    expect(out[0]!.role).toBe('system');
+    expect(out[0]!.content).toBe('legacy compact');
+  });
+});
+
+// ---- file-provenance ledger (#12, Part B) -----------------------------------
+
+describe('deriveFilesRead', () => {
+  it('returns [] when the head has no read-tool calls', () => {
+    expect(deriveFilesRead([mkMsg('user', 'hi'), mkMsg('assistant', 'hello')])).toEqual([]);
+  });
+
+  it('extracts the path arg from view_file / list_dir / grep / find_files', () => {
+    const head = [
+      mkMsg('assistant', '', {
+        tool_calls: [
+          { id: 'c1', name: 'view_file', args: { path: 'src/index.ts' } },
+          { id: 'c2', name: 'list_dir', args: { path: 'src' } },
+          { id: 'c3', name: 'grep', args: { pattern: 'TODO', path: 'apps' } },
+          { id: 'c4', name: 'find_files', args: { pattern: '**/*.ts', path: 'lib' } },
+        ],
+      }),
+    ];
+    expect(deriveFilesRead(head)).toEqual(['apps', 'lib', 'src', 'src/index.ts']);
+  });
+
+  it('dedupes and sorts paths across multiple assistant turns', () => {
+    const head = [
+      mkMsg('assistant', '', { tool_calls: [{ id: 'c1', name: 'view_file', args: { path: 'b.ts' } }] }),
+      mkMsg('assistant', '', { tool_calls: [{ id: 'c2', name: 'view_file', args: { path: 'a.ts' } }] }),
+      mkMsg('assistant', '', { tool_calls: [{ id: 'c3', name: 'view_file', args: { path: 'b.ts' } }] }),
+    ];
+    expect(deriveFilesRead(head)).toEqual(['a.ts', 'b.ts']);
+  });
+
+  it('ignores non-read tools and grep calls without a path arg', () => {
+    const head = [
+      mkMsg('assistant', '', {
+        tool_calls: [
+          { id: 'c1', name: 'web_search', args: { query: 'x' } },
+          { id: 'c2', name: 'grep', args: { pattern: 'foo' } }, // no path → root, skipped
+          { id: 'c3', name: 'view_file', args: { path: 'kept.ts' } },
+        ],
+      }),
+    ];
+    expect(deriveFilesRead(head)).toEqual(['kept.ts']);
+  });
+
+  it('ignores read-tool calls on non-assistant rows', () => {
+    const head = [
+      mkMsg('user', '', { tool_calls: [{ id: 'c1', name: 'view_file', args: { path: 'nope.ts' } }] }),
+    ];
+    expect(deriveFilesRead(head)).toEqual([]);
+  });
+});
+
+describe('buildFilesReadContext', () => {
+  it('returns null when nothing was read (no empty section injected)', () => {
+    expect(buildFilesReadContext([mkMsg('user', 'hi')])).toBeNull();
+  });
+
+  it('formats a ## Files Read block with sorted bullet paths', () => {
+    const head = [
+      mkMsg('assistant', '', {
+        tool_calls: [
+          { id: 'c1', name: 'view_file', args: { path: 'z.ts' } },
+          { id: 'c2', name: 'view_file', args: { path: 'a.ts' } },
+        ],
+      }),
+    ];
+    expect(buildFilesReadContext(head)).toBe('## Files Read\n- a.ts\n- z.ts');
+  });
+});
+
+describe('SUMMARY_TEMPLATE includes the Files Read section (#12)', () => {
+  it('declares a ## Files Read section the model must maintain', () => {
+    expect(SUMMARY_TEMPLATE).toContain('## Files Read');
+  });
+});
--- a/apps/server/src/services/tests/inference-helpers.test.ts
+++ b/apps/server/src/services/tests/inference-helpers.test.ts
@@ -0,0 +1,149 @@
+import { describe, expect, it, vi, afterEach } from 'vitest';
+import { samplerOptsFromAgent } from '../inference/stream-phase.js';
+import { createContentFlusher } from '../inference/content-flusher.js';
+import type { Sql } from '../../db.js';
+import type { Agent } from '../../types/api.js';
+
+const BASE_AGENT: Agent = {
+  id: 'test-agent',
+  name: 'Test',
+  description: 'test',
+  system_prompt: '',
+  temperature: 0.7,
+  top_p: null,
+  top_k: null,
+  min_p: null,
+  presence_penalty: null,
+  top_n_sigma: null,
+  dry_multiplier: null,
+  dry_base: null,
+  dry_allowed_length: null,
+  dry_penalty_last_n: null,
+  tools: ['view_file'],
+  model: null,
+  source: 'global',
+  max_tool_calls: null,
+  steps: null,
+  llama_extra_args: null,
+};
+
+describe('samplerOptsFromAgent', () => {
+  it('maps every nullable sampler field to undefined when agent is null', () => {
+    expect(samplerOptsFromAgent(null)).toEqual({
+      temperature: undefined,
+      top_p: undefined,
+      top_k: undefined,
+      min_p: undefined,
+      presence_penalty: undefined,
+      top_n_sigma: undefined,
+      dry_multiplier: undefined,
+      dry_base: undefined,
+      dry_allowed_length: undefined,
+      dry_penalty_last_n: undefined,
+    });
+  });
+
+  it('strips null sampler fields to undefined but keeps numeric values', () => {
+    const agent: Agent = {
+      ...BASE_AGENT,
+      temperature: 0.5,
+      top_p: 0.9,
+      top_k: null,
+      min_p: 0.05,
+      presence_penalty: null,
+      top_n_sigma: 1,
+      dry_multiplier: null,
+      dry_base: 1.75,
+      dry_allowed_length: null,
+      dry_penalty_last_n: 256,
+    };
+    expect(samplerOptsFromAgent(agent)).toEqual({
+      temperature: 0.5,
+      top_p: 0.9,
+      top_k: undefined,
+      min_p: 0.05,
+      presence_penalty: undefined,
+      top_n_sigma: 1,
+      dry_multiplier: undefined,
+      dry_base: 1.75,
+      dry_allowed_length: undefined,
+      dry_penalty_last_n: 256,
+    });
+  });
+
+  it('never includes a tools field (callers add it)', () => {
+    expect('tools' in samplerOptsFromAgent(BASE_AGENT)).toBe(false);
+  });
+});
+
+describe('createContentFlusher', () => {
+  afterEach(() => {
+    vi.useRealTimers();
+  });
+
+  // A tagged-template stub matching postgres' sql`...` shape. Records the
+  // interpolated content snapshot (values[0]) of each UPDATE.
+  function makeSqlSpy() {
+    const writes: string[] = [];
+    const sql = ((_strings: TemplateStringsArray, ...values: unknown[]) => {
+      writes.push(values[0] as string);
+      return Promise.resolve([]);
+    }) as unknown as Sql;
+    return { sql, writes };
+  }
+
+  it('debounces: many scheduleFlush calls in one window produce one write', async () => {
+    vi.useFakeTimers();
+    const { sql, writes } = makeSqlSpy();
+    let content = '';
+    const flusher = createContentFlusher(sql, 'msg-1', () => content, 500);
+
+    content = 'a';
+    flusher.scheduleFlush();
+    content = 'ab';
+    flusher.scheduleFlush();
+    content = 'abc';
+    flusher.scheduleFlush();
+
+    expect(writes).toHaveLength(0); // nothing before the interval elapses
+    vi.advanceTimersByTime(500);
+    await flusher.drain();
+
+    expect(writes).toHaveLength(1);
+    // snapshot is read at fire time → latest content, not the value at schedule time
+    expect(writes[0]).toBe('abc');
+  });
+
+  it('arms a fresh timer after a flush fires', async () => {
+    vi.useFakeTimers();
+    const { sql, writes } = makeSqlSpy();
+    let content = 'one';
+    const flusher = createContentFlusher(sql, 'msg-1', () => content, 500);
+
+    flusher.scheduleFlush();
+    vi.advanceTimersByTime(500);
+    await Promise.resolve();
+
+    content = 'two';
+    flusher.scheduleFlush();
+    vi.advanceTimersByTime(500);
+    await flusher.drain();
+
+    expect(writes).toEqual(['one', 'two']);
+  });
+
+  it('drain cancels a pending timer without performing a final flush', async () => {
+    vi.useFakeTimers();
+    const { sql, writes } = makeSqlSpy();
+    let content = 'pending';
+    const flusher = createContentFlusher(sql, 'msg-1', () => content, 500);
+
+    flusher.scheduleFlush();
+    // Drain before the timer fires — the pending flush is cancelled, not forced.
+    await flusher.drain();
+    vi.advanceTimersByTime(500);
+    await Promise.resolve();
+
+    expect(writes).toHaveLength(0);
+  });
+});
--- a/apps/server/src/services/tests/mcp-config.test.ts
+++ b/apps/server/src/services/tests/mcp-config.test.ts
@@ -0,0 +1,93 @@
+/**
+ * Unit tests for `{env:VAR}` substitution in the MCP config loader.
+ * Pure — no live MCP server. Verifies secrets resolve from process.env
+ * (so real keys live in `.env`, not the gitignored config file).
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { substituteEnvVars } from '../mcp-config.js';
+
+// Minimal FastifyBaseLogger stub — only .warn is exercised here.
+function fakeLog() {
+  const warnings: string[] = [];
+  const log = {
+    warn: (msg: unknown) => {
+      warnings.push(typeof msg === 'string' ? msg : JSON.stringify(msg));
+    },
+  };
+  return { log: log as never, warnings };
+}
+
+describe('substituteEnvVars', () => {
+  const SAVED = process.env.MCP_TEST_SECRET;
+  beforeEach(() => {
+    process.env.MCP_TEST_SECRET = 'resolved-value';
+  });
+  afterEach(() => {
+    if (SAVED === undefined) delete process.env.MCP_TEST_SECRET;
+    else process.env.MCP_TEST_SECRET = SAVED;
+    delete process.env.MCP_TEST_MISSING;
+  });
+
+  it('replaces a {env:VAR} reference in a string value', () => {
+    const { log } = fakeLog();
+    expect(substituteEnvVars('{env:MCP_TEST_SECRET}', log)).toBe('resolved-value');
+  });
+
+  it('substitutes inside nested objects and arrays', () => {
+    const { log } = fakeLog();
+    const out = substituteEnvVars(
+      {
+        headers: { CONTEXT7_API_KEY: '{env:MCP_TEST_SECRET}' },
+        args: ['--token', '{env:MCP_TEST_SECRET}'],
+      },
+      log,
+    );
+    expect(out).toEqual({
+      headers: { CONTEXT7_API_KEY: 'resolved-value' },
+      args: ['--token', 'resolved-value'],
+    });
+  });
+
+  it('leaves object keys untouched, only transforms values', () => {
+    const { log } = fakeLog();
+    const out = substituteEnvVars({ '{env:MCP_TEST_SECRET}': 'literal' }, log) as Record<string, string>;
+    expect(Object.keys(out)).toEqual(['{env:MCP_TEST_SECRET}']);
+  });
+
+  it('resolves an unset var to empty string and warns', () => {
+    const { log, warnings } = fakeLog();
+    expect(substituteEnvVars('{env:MCP_TEST_MISSING}', log)).toBe('');
+    expect(warnings.some((w) => w.includes('MCP_TEST_MISSING'))).toBe(true);
+  });
+
+  it('passes non-string scalars through unchanged', () => {
+    const { log } = fakeLog();
+    expect(substituteEnvVars(true, log)).toBe(true);
+    expect(substituteEnvVars(42, log)).toBe(42);
+    expect(substituteEnvVars(null, log)).toBe(null);
+  });
+
+  it('leaves strings without a reference unchanged', () => {
+    const { log } = fakeLog();
+    expect(substituteEnvVars('https://mcp.context7.com/mcp', log)).toBe('https://mcp.context7.com/mcp');
+  });
+
+  it('resolves multiple references in one string (global flag)', () => {
+    const { log } = fakeLog();
+    expect(substituteEnvVars('{env:MCP_TEST_SECRET}/{env:MCP_TEST_SECRET}', log)).toBe(
+      'resolved-value/resolved-value',
+    );
+  });
+
+  it('passes an empty string through unchanged', () => {
+    const { log } = fakeLog();
+    expect(substituteEnvVars('', log)).toBe('');
+  });
+
+  it('collects unset var names into the optional collector set', () => {
+    const { log } = fakeLog();
+    const unset = new Set<string>();
+    substituteEnvVars({ url: '{env:MCP_TEST_MISSING}', headers: { k: '{env:MCP_TEST_SECRET}' } }, log, unset);
+    expect([...unset]).toEqual(['MCP_TEST_MISSING']);
+  });
+});
--- a/apps/server/src/services/tests/mistake-tracker.test.ts
+++ b/apps/server/src/services/tests/mistake-tracker.test.ts
@@ -0,0 +1,164 @@
+import { describe, it, expect } from 'vitest';
+import {
+  MISTAKE_THRESHOLD,
+  freshMistakeState,
+  recordStep,
+  detectMistakePattern,
+  MISTAKE_RECOVERY_NOTE,
+  type FailureKind,
+} from '../inference/mistake-tracker.js';
+
+// ---- helpers ----------------------------------------------------------------
+// Replays a sequence of outcomes against a fresh state, returning the final
+// state so assertions can read .run / .nudges. The caller mimics turn.ts: after
+// each recordStep we consult detectMistakePattern and, if it returns 'nudge',
+// bump nudges + reset run (the loop's nudge-handling side effect).
+
+function replay(
+  outcomes: (FailureKind | 'success')[],
+  { applyNudge = false }: { applyNudge?: boolean } = {},
+) {
+  const state = freshMistakeState();
+  const decisions: (ReturnType<typeof detectMistakePattern>)[] = [];
+  for (const o of outcomes) {
+    recordStep(state, o);
+    const decision = detectMistakePattern(state);
+    decisions.push(decision);
+    if (applyNudge && decision === 'nudge') {
+      // Mirror turn.ts's nudge side effect: bump the counter, reset the streak.
+      state.nudges += 1;
+      state.run = [];
+    }
+  }
+  return { state, decisions };
+}
+
+// ---- fresh state ------------------------------------------------------------
+
+describe('freshMistakeState', () => {
+  it('starts with an empty run and zero nudges', () => {
+    const s = freshMistakeState();
+    expect(s.run).toEqual([]);
+    expect(s.nudges).toBe(0);
+  });
+});
+
+// ---- below threshold --------------------------------------------------------
+
+describe('detectMistakePattern — below threshold', () => {
+  it('returns null on a fresh state', () => {
+    expect(detectMistakePattern(freshMistakeState())).toBeNull();
+  });
+
+  it('returns null after fewer than MISTAKE_THRESHOLD failures', () => {
+    const { decisions } = replay(['zod_reject', 'exec_error']);
+    expect(decisions).toEqual([null, null]);
+  });
+});
+
+// ---- success reset ----------------------------------------------------------
+
+describe('recordStep — success resets', () => {
+  it("'success' clears both the run streak and the nudge counter", () => {
+    const state = freshMistakeState();
+    recordStep(state, 'zod_reject');
+    recordStep(state, 'exec_error');
+    state.nudges = 2; // simulate prior nudges
+    recordStep(state, 'success');
+    expect(state.run).toEqual([]);
+    expect(state.nudges).toBe(0);
+  });
+
+  it('a success mid-streak prevents the threshold from tripping', () => {
+    // fail, fail, success, fail, fail → streak never reaches 3.
+    const { decisions } = replay([
+      'zod_reject',
+      'exec_error',
+      'success',
+      'tool_not_found',
+      'permission_denied',
+    ]);
+    expect(decisions.every((d) => d === null)).toBe(true);
+  });
+});
+
+// ---- 3-streak nudge ---------------------------------------------------------
+
+describe('detectMistakePattern — nudge on 3-streak', () => {
+  it("returns 'nudge' the first time the streak reaches MISTAKE_THRESHOLD", () => {
+    const { decisions } = replay(['zod_reject', 'exec_error', 'tool_not_found']);
+    expect(decisions).toEqual([null, null, 'nudge']);
+  });
+
+  it("fires 'nudge' for a streak of identical kinds too (kind-agnostic)", () => {
+    const { decisions } = replay(['exec_error', 'exec_error', 'exec_error']);
+    expect(decisions[2]).toBe('nudge');
+  });
+});
+
+// ---- re-trip escalate -------------------------------------------------------
+
+describe('detectMistakePattern — escalate on re-trip', () => {
+  it("escalates when the streak re-trips after a nudge with no intervening success", () => {
+    // 3 fails → nudge (run reset, nudges=1), then 3 more fails → escalate.
+    const { decisions } = replay(
+      [
+        'zod_reject',
+        'exec_error',
+        'tool_not_found',
+        'permission_denied',
+        'exec_error',
+        'zod_reject',
+      ],
+      { applyNudge: true },
+    );
+    expect(decisions[2]).toBe('nudge');
+    expect(decisions[5]).toBe('escalate');
+  });
+
+  it("does NOT escalate if a success lands between the nudge and the next streak", () => {
+    const { decisions } = replay(
+      [
+        'zod_reject',
+        'exec_error',
+        'tool_not_found', // nudge here
+        'success', // clears nudges back to 0
+        'exec_error',
+        'zod_reject',
+        'tool_not_found', // 3-streak again → nudge, NOT escalate
+      ],
+      { applyNudge: true },
+    );
+    expect(decisions[2]).toBe('nudge');
+    expect(decisions[6]).toBe('nudge');
+    expect(decisions).not.toContain('escalate');
+  });
+});
+
+// ---- mixed kinds ------------------------------------------------------------
+
+describe('detectMistakePattern — mixed failure kinds', () => {
+  it('counts a streak of all five distinct kinds toward the threshold', () => {
+    const { state, decisions } = replay([
+      'zod_reject',
+      'tool_not_found',
+      'exec_error',
+    ]);
+    expect(decisions[2]).toBe('nudge');
+    expect(state.run).toEqual(['zod_reject', 'tool_not_found', 'exec_error']);
+  });
+});
+
+// ---- contract ---------------------------------------------------------------
+
+describe('MISTAKE_THRESHOLD + MISTAKE_RECOVERY_NOTE', () => {
+  it('threshold is a positive integer (tests assume 3)', () => {
+    expect(MISTAKE_THRESHOLD).toBeGreaterThan(0);
+    expect(Number.isInteger(MISTAKE_THRESHOLD)).toBe(true);
+  });
+
+  it('recovery note is a non-empty model-facing string', () => {
+    expect(typeof MISTAKE_RECOVERY_NOTE).toBe('string');
+    expect(MISTAKE_RECOVERY_NOTE.length).toBeGreaterThan(0);
+  });
+});
--- a/apps/server/src/services/tests/model-context.test.ts
+++ b/apps/server/src/services/tests/model-context.test.ts
@@ -9,12 +9,9 @@ import {

 const TEST_URL = 'http://llama-swap.test:8401';

-function mockOkProps(n_ctx: number, total_slots = 1) {
+function mockOkProps(n_ctx: number) {
  return new Response(
-    JSON.stringify({
-      default_generation_settings: { n_ctx },
-      total_slots,
-    }),
+    JSON.stringify({ default_generation_settings: { n_ctx } }),
    { status: 200, headers: { 'Content-Type': 'application/json' } },
  );
 }
@@ -33,12 +30,10 @@ afterEach(() => {

 describe('getModelContext — positive cache', () => {
  it('returns the parsed body on a 200 with valid shape', async () => {
-    const fetchSpy = vi.spyOn(globalThis, 'fetch').mockResolvedValueOnce(mockOkProps(262_144, 1));
+    const fetchSpy = vi.spyOn(globalThis, 'fetch').mockResolvedValueOnce(mockOkProps(262_144));
    const result = await getModelContext('qwen3.6');
    expect(result).not.toBeNull();
    expect(result!.n_ctx).toBe(262_144);
-    expect(result!.total_slots).toBe(1);
-    expect(typeof result!.fetched_at).toBe('number');
    // Verify the URL was constructed correctly — encodes the model name in
    // case it contains characters that would break the path.
    expect(fetchSpy).toHaveBeenCalledExactlyOnceWith(
@@ -57,19 +52,6 @@ describe('getModelContext — positive cache', () => {
    expect(fetchSpy).toHaveBeenCalledTimes(1);
  });

-  it('defaults total_slots to 1 when the server omits it', async () => {
-    // Mirror the docstring claim — total_slots is informational and we don't
-    // reject the response just because it's missing.
-    vi.spyOn(globalThis, 'fetch').mockResolvedValueOnce(
-      new Response(JSON.stringify({ default_generation_settings: { n_ctx: 8192 } }), {
-        status: 200,
-      }),
-    );
-    const result = await getModelContext('partial-model');
-    expect(result).not.toBeNull();
-    expect(result!.n_ctx).toBe(8192);
-    expect(result!.total_slots).toBe(1);
-  });
 });

 // ---- negative cache (single-shot) ------------------------------------------
--- a/apps/server/src/services/tests/sentinels.test.ts
+++ b/apps/server/src/services/tests/sentinels.test.ts
@@ -0,0 +1,87 @@
+import { describe, it, expect } from 'vitest';
+import { SENTINEL_KINDS, isAnySentinel, isCapHitSentinel, isDoomLoopSentinel, isMistakeRecoverySentinel } from '../inference/sentinels.js';
+import type { Message } from '../../types/api.js';
+
+function makeSentinel(kind: string): Message {
+  return {
+    id: 'msg-1',
+    session_id: 's',
+    chat_id: 'c',
+    role: 'system',
+    content: '',
+    kind: 'message',
+    tool_calls: null,
+    tool_results: null,
+    status: 'complete',
+    last_seq: 0,
+    tokens_used: null,
+    ctx_used: null,
+    ctx_max: null,
+    started_at: null,
+    finished_at: null,
+    created_at: new Date().toISOString(),
+    metadata: { kind } as unknown as import('../../types/api.js').MessageMetadata,
+    summary: false,
+    tail_start_id: null,
+    compacted_at: null,
+  };
+}
+
+describe('SENTINEL_KINDS — single source of truth', () => {
+  it('contains the three known sentinel kinds', () => {
+    expect(SENTINEL_KINDS.has('cap_hit')).toBe(true);
+    expect(SENTINEL_KINDS.has('doom_loop')).toBe(true);
+    expect(SENTINEL_KINDS.has('mistake_recovery')).toBe(true);
+  });
+
+  it('does not contain arbitrary strings', () => {
+    expect(SENTINEL_KINDS.has('user')).toBe(false);
+    expect(SENTINEL_KINDS.has('assistant')).toBe(false);
+    expect(SENTINEL_KINDS.has('')).toBe(false);
+  });
+});
+
+describe('isAnySentinel', () => {
+  it('returns true for cap_hit', () => {
+    expect(isAnySentinel(makeSentinel('cap_hit'))).toBe(true);
+  });
+
+  it('returns true for doom_loop', () => {
+    expect(isAnySentinel(makeSentinel('doom_loop'))).toBe(true);
+  });
+
+  it('returns true for mistake_recovery', () => {
+    expect(isAnySentinel(makeSentinel('mistake_recovery'))).toBe(true);
+  });
+
+  it('returns false for non-system role', () => {
+    const m = { ...makeSentinel('cap_hit'), role: 'user' as const };
+    expect(isAnySentinel(m)).toBe(false);
+  });
+
+  it('returns false for null metadata', () => {
+    const m = { ...makeSentinel('cap_hit'), metadata: null };
+    expect(isAnySentinel(m)).toBe(false);
+  });
+
+  it('returns false for unknown kind', () => {
+    expect(isAnySentinel(makeSentinel('unknown_kind'))).toBe(false);
+  });
+});
+
+describe('individual sentinel predicates still work', () => {
+  it('isCapHitSentinel matches cap_hit only', () => {
+    expect(isCapHitSentinel(makeSentinel('cap_hit'))).toBe(true);
+    expect(isCapHitSentinel(makeSentinel('doom_loop'))).toBe(false);
+  });
+
+  it('isDoomLoopSentinel matches doom_loop only', () => {
+    expect(isDoomLoopSentinel(makeSentinel('doom_loop'))).toBe(true);
+    expect(isDoomLoopSentinel(makeSentinel('cap_hit'))).toBe(false);
+  });
+
+  it('isMistakeRecoverySentinel matches mistake_recovery only', () => {
+    expect(isMistakeRecoverySentinel(makeSentinel('mistake_recovery'))).toBe(true);
+    expect(isMistakeRecoverySentinel(makeSentinel('cap_hit'))).toBe(false);
+  });
+});
--- a/apps/server/src/services/tests/step-decision.test.ts
+++ b/apps/server/src/services/tests/step-decision.test.ts
@@ -0,0 +1,111 @@
+import { describe, expect, it } from 'vitest';
+import { resolveTurnConfig, MAX_STEPS } from '../inference/turn-config.js';
+import { decideStep, decidePostToolAction } from '../inference/step-decision.js';
+import { DOOM_LOOP_THRESHOLD } from '../inference/sentinels.js';
+import type { MistakeState } from '../inference/mistake-tracker.js';
+import type { Agent, ToolCall } from '../../types/api.js';
+
+const BASE_AGENT: Agent = {
+  id: 'test-agent',
+  name: 'Test',
+  description: 'test',
+  system_prompt: '',
+  temperature: 0.7,
+  top_p: null,
+  top_k: null,
+  min_p: null,
+  presence_penalty: null,
+  top_n_sigma: null,
+  dry_multiplier: null,
+  dry_base: null,
+  dry_allowed_length: null,
+  dry_penalty_last_n: null,
+  tools: ['view_file'],
+  model: null,
+  source: 'global',
+  max_tool_calls: null,
+  steps: null,
+  llama_extra_args: null,
+};
+
+function call(name: string, args: Record<string, unknown> = {}): ToolCall {
+  return { id: `tc-${name}-${JSON.stringify(args)}`, name, args };
+}
+
+describe('resolveTurnConfig', () => {
+  it('no agent → budget 100, cap MAX_STEPS, not text-only', () => {
+    expect(resolveTurnConfig(null)).toEqual({
+      effectiveCap: MAX_STEPS,
+      budget: 100,
+      isTextOnly: false,
+    });
+  });
+
+  it('steps: 0 → effectiveCap 0 and isTextOnly true', () => {
+    expect(resolveTurnConfig({ ...BASE_AGENT, steps: 0 })).toEqual({
+      effectiveCap: 0,
+      budget: 100,
+      isTextOnly: true,
+    });
+  });
+
+  it('steps below MAX_STEPS → effectiveCap is the agent value', () => {
+    expect(resolveTurnConfig({ ...BASE_AGENT, steps: 5 }).effectiveCap).toBe(5);
+  });
+
+  it('steps above MAX_STEPS → effectiveCap clamps to MAX_STEPS', () => {
+    expect(resolveTurnConfig({ ...BASE_AGENT, steps: 9999 }).effectiveCap).toBe(MAX_STEPS);
+  });
+
+  it('max_tool_calls overrides the budget', () => {
+    expect(resolveTurnConfig({ ...BASE_AGENT, max_tool_calls: 12 }).budget).toBe(12);
+  });
+});
+
+describe('decideStep (top-of-loop gate)', () => {
+  it('returns stream when no doom loop and under budget', () => {
+    expect(decideStep({ recentToolCalls: [], toolsUsed: 0, budget: 30 })).toEqual({ kind: 'stream' });
+  });
+
+  it('returns budget when toolsUsed has reached the budget', () => {
+    expect(decideStep({ recentToolCalls: [], toolsUsed: 30, budget: 30 })).toEqual({ kind: 'budget' });
+  });
+
+  it('returns doom (with the looping call) on identical-repeat tail', () => {
+    const recent = Array.from({ length: DOOM_LOOP_THRESHOLD }, () => call('view_file', { path: '/a' }));
+    const d = decideStep({ recentToolCalls: recent, toolsUsed: 1, budget: 30 });
+    expect(d.kind).toBe('doom');
+    if (d.kind === 'doom') {
+      expect(d.loop.name).toBe('view_file');
+      expect(d.loop.args).toEqual({ path: '/a' });
+    }
+  });
+
+  it('doom takes precedence over budget when both would trip', () => {
+    const recent = Array.from({ length: DOOM_LOOP_THRESHOLD }, () => call('grep', { q: 'x' }));
+    expect(decideStep({ recentToolCalls: recent, toolsUsed: 30, budget: 30 }).kind).toBe('doom');
+  });
+});
+
+describe('decidePostToolAction (post-tool decision)', () => {
+  const clean: MistakeState = { run: [], nudges: 0 };
+
+  it('non-continue actions stop the loop without consulting the tracker', () => {
+    expect(decidePostToolAction('paused', { run: ['exec_error', 'exec_error', 'exec_error'], nudges: 0 })).toBe('stop');
+    expect(decidePostToolAction('synthesis_done', clean)).toBe('stop');
+  });
+
+  it('continue with a clean tracker → continue', () => {
+    expect(decidePostToolAction('continue', clean)).toBe('continue');
+  });
+
+  it('continue with a threshold streak and no prior nudge → nudge', () => {
+    const tracker: MistakeState = { run: ['zod_reject', 'tool_not_found', 'exec_error'], nudges: 0 };
+    expect(decidePostToolAction('continue', tracker)).toBe('nudge');
+  });
+
+  it('continue with a threshold streak after a nudge already fired → escalate', () => {
+    const tracker: MistakeState = { run: ['zod_reject', 'tool_not_found', 'exec_error'], nudges: 1 };
+    expect(decidePostToolAction('continue', tracker)).toBe('escalate');
+  });
+});
--- a/apps/server/src/services/tests/tools-registry.test.ts
+++ b/apps/server/src/services/tests/tools-registry.test.ts
@@ -0,0 +1,68 @@
+import { describe, it, expect } from 'vitest';
+import { z } from 'zod';
+import {
+  ALL_TOOLS,
+  TOOLS_BY_NAME,
+  appendMcpTools,
+  toolJsonSchemas,
+  type ToolDef,
+} from '../tools.js';
+
+// Parity test for the register-through MCP-discovery contract (Phase 6 split).
+// `ALL_TOOLS` / `TOOLS_BY_NAME` are `let`-bound in tools/registry.ts and
+// reassigned by appendMcpTools() at startup; this barrel re-exports them.
+// apps/coder relies on this exact behavior: it imports `appendMcpTools` + the
+// live `ALL_TOOLS` binding from @boocode/server/tools, calls appendMcpTools()
+// once, then reads ALL_TOOLS. ESM live bindings must carry the mutation
+// through the barrel re-export — if the split ever snapshots the array instead
+// of re-exporting the live binding, these assertions fail. Each test file gets
+// an isolated module instance (vitest default), so mutating the registry here
+// does not leak into tools.test.ts.
+function makeFakeMcpTool(name: string): ToolDef<unknown> {
+  return {
+    name,
+    description: `fake mcp tool ${name}`,
+    inputSchema: z.object({}) as z.ZodType<unknown>,
+    jsonSchema: {
+      type: 'function',
+      function: {
+        name,
+        description: `fake mcp tool ${name}`,
+        parameters: { type: 'object', properties: {}, additionalProperties: false },
+      },
+    },
+    async execute() {
+      return { ok: true };
+    },
+  };
+}
+
+describe('appendMcpTools register-through contract', () => {
+  it('is a no-op for an empty array', () => {
+    const before = ALL_TOOLS.length;
+    appendMcpTools([]);
+    expect(ALL_TOOLS.length).toBe(before);
+  });
+
+  it('mutates the live ALL_TOOLS / TOOLS_BY_NAME bindings observable through the barrel', () => {
+    const before = ALL_TOOLS.length;
+    // Names chosen so insertion lands away from the array ends, proving the
+    // re-sort runs (a naive concat would leave them at the tail).
+    const a = makeFakeMcpTool('mcp__alpha__probe');
+    const z2 = makeFakeMcpTool('mcp__zeta__probe');
+    appendMcpTools([z2, a]);
+
+    expect(ALL_TOOLS.length).toBe(before + 2);
+    expect(TOOLS_BY_NAME['mcp__alpha__probe']).toBe(a);
+    expect(TOOLS_BY_NAME['mcp__zeta__probe']).toBe(z2);
+
+    // Still alpha-sorted after the append (prompt-cache stability invariant).
+    const names = ALL_TOOLS.map((t) => t.name);
+    expect(names).toEqual([...names].sort((x, y) => x.localeCompare(y)));
+
+    // toolJsonSchemas() reads through the same live binding.
+    const schemaNames = toolJsonSchemas().map((s) => s.function.name);
+    expect(schemaNames).toContain('mcp__alpha__probe');
+    expect(schemaNames).toContain('mcp__zeta__probe');
+  });
+});
--- a/apps/server/src/services/tests/ws-frames.test.ts
+++ b/apps/server/src/services/tests/ws-frames.test.ts
@@ -111,6 +111,19 @@ describe('WsFrameSchema (v1.13.11-a)', () => {
    expect(result.success).toBe(true);
  });

+  it('accepts a message_complete frame with a null model (external coder, no model selected)', () => {
+    // Regression guard: the dispatcher publishes `model: task.model` (string |
+    // null). When null, this MUST validate or publishFrame fail-closes and drops
+    // the whole frame, incl. the status:'complete' transition.
+    const result = WsFrameSchema.safeParse({
+      type: 'message_complete',
+      message_id: VALID_UUID_A,
+      chat_id: VALID_UUID_B,
+      model: null,
+    });
+    expect(result.success).toBe(true);
+  });
+
  it('every KNOWN_FRAME_TYPES entry has a discriminated branch', () => {
    // Probe each known type by attempting a minimal valid construction.
    // Failure here means the union and the KNOWN_FRAME_TYPES list drifted.
--- a/apps/server/src/services/agents.ts
+++ b/apps/server/src/services/agents.ts
@@ -3,6 +3,7 @@ import { join } from 'node:path';
 import type { Agent, AgentsResponse, AgentParseError } from '../types/api.js';
 import { ALL_TOOLS, resolveToolTier } from './tools.js';
 import { validateExtraArgs } from './inference/llama-args-validator.js';
+import { stripQuotes } from '../utils/string-utils.js';

 // v1.8.1: global agents live at /data/AGENTS.md inside the container
 // (./data:/data:ro mount on the host). Per-project AGENTS.md at the project
@@ -88,6 +89,12 @@ interface ParsedFrontmatter {
  top_k?: number;
  min_p?: number;
  presence_penalty?: number;
+  // v2.6 sampling-streamjson-tokens (#11): llama.cpp sampler extensions.
+  top_n_sigma?: number;
+  dry_multiplier?: number;
+  dry_base?: number;
+  dry_allowed_length?: number;
+  dry_penalty_last_n?: number;
  tools?: string[];
  description?: string;
  model?: string;
@@ -101,17 +108,50 @@ interface ParsedFrontmatter {
  llama_extra_args?: string[];
 }

-function stripQuotes(s: string): string {
-  if (
-    s.length >= 2 &&
-    (s[0] === '"' || s[0] === "'") &&
-    s[0] === s[s.length - 1]
-  ) {
-    return s.slice(1, -1);
-  }
-  return s;
+// P5: table-driven validation for the "soft-range" numeric frontmatter fields.
+// Each was a near-identical Number() + finite/integer + range-warn + push-error
+// block. "Soft-range" = the value is STORED whenever the type checks out; an
+// out-of-range value only emits a console.warn (it is NOT skipped). A type
+// mismatch hard-fails the block. The range descriptor in the warn message is
+// `min-max` when both bounds exist, else `(≥min)` — matching the original
+// hand-written strings byte-for-byte.
+//
+// max_tool_calls and steps are deliberately NOT in this table: they are
+// "hard-range" (store ONLY if in range; an in-type-but-out-of-range value is
+// warned AND skipped) with bespoke messages, so they stay explicit below.
+type NumericFieldKey =
+  | 'temperature'
+  | 'top_p'
+  | 'top_k'
+  | 'min_p'
+  | 'presence_penalty'
+  | 'top_n_sigma'
+  | 'dry_multiplier'
+  | 'dry_base'
+  | 'dry_allowed_length'
+  | 'dry_penalty_last_n';
+
+interface NumericFieldSpec {
+  key: NumericFieldKey;
+  isInt: boolean;
+  min?: number;
+  max?: number;
 }

+const NUMERIC_FIELDS: readonly NumericFieldSpec[] = [
+  { key: 'temperature', isInt: false },
+  { key: 'top_p', isInt: false, min: 0, max: 1 },
+  { key: 'top_k', isInt: true, min: 0, max: 200 },
+  { key: 'min_p', isInt: false, min: 0, max: 1 },
+  { key: 'presence_penalty', isInt: false, min: -2, max: 2 },
+  // v2.6 sampling-streamjson-tokens (#11): llama.cpp sampler extensions.
+  { key: 'top_n_sigma', isInt: false, min: 0 },
+  { key: 'dry_multiplier', isInt: false, min: 0 },
+  { key: 'dry_base', isInt: false, min: 0 },
+  { key: 'dry_allowed_length', isInt: true, min: 0 },
+  { key: 'dry_penalty_last_n', isInt: true, min: -1 },
+];
+
 function parseFrontmatter(yaml: string): { data: ParsedFrontmatter; errors: string[] } {
  const data: ParsedFrontmatter = {};
  const errors: string[] = [];
@@ -134,51 +174,33 @@ function parseFrontmatter(yaml: string): { data: ParsedFrontmatter; errors: stri
    const key = line.slice(0, colonIdx).trim();
    const valueRaw = line.slice(colonIdx + 1).trim();

-    if (key === 'temperature') {
+    const numericSpec = NUMERIC_FIELDS.find((f) => f.key === key);
+    if (numericSpec) {
      const n = Number(valueRaw);
-      if (Number.isFinite(n)) data.temperature = n;
-      else errors.push(`temperature must be a number (got "${valueRaw}")`);
-    } else if (key === 'top_p') {
-      const n = Number(valueRaw);
-      if (Number.isFinite(n)) {
-        data.top_p = n;
-        if (n < 0 || n > 1) {
-          console.warn(`agents: top_p ${n} out of range 0-1, ignoring (falling back to default)`);
+      const typeOk = numericSpec.isInt ? Number.isInteger(n) : Number.isFinite(n);
+      if (typeOk) {
+        // Soft-range: store regardless of range; out-of-range only warns.
+        data[numericSpec.key] = n;
+        const below = numericSpec.min !== undefined && n < numericSpec.min;
+        const above = numericSpec.max !== undefined && n > numericSpec.max;
+        if (below || above) {
+          const range =
+            numericSpec.max !== undefined
+              ? `${numericSpec.min}-${numericSpec.max}`
+              : `(≥${numericSpec.min})`;
+          console.warn(
+            `agents: ${numericSpec.key} ${n} out of range ${range}, ignoring (falling back to default)`,
+          );
        }
      } else {
-        errors.push(`top_p must be a number (got "${valueRaw}")`);
+        errors.push(
+          `${numericSpec.key} must be ${numericSpec.isInt ? 'an integer' : 'a number'} (got "${valueRaw}")`,
+        );
      }
-    } else if (key === 'top_k') {
-      const n = Number(valueRaw);
-      if (Number.isInteger(n)) {
-        data.top_k = n;
-        if (n < 0 || n > 200) {
-          console.warn(`agents: top_k ${n} out of range 0-200, ignoring (falling back to default)`);
+      continue;
    }
-      } else {
-        errors.push(`top_k must be an integer (got "${valueRaw}")`);
-      }
-    } else if (key === 'min_p') {
-      const n = Number(valueRaw);
-      if (Number.isFinite(n)) {
-        data.min_p = n;
-        if (n < 0 || n > 1) {
-          console.warn(`agents: min_p ${n} out of range 0-1, ignoring (falling back to default)`);
-        }
-      } else {
-        errors.push(`min_p must be a number (got "${valueRaw}")`);
-      }
-    } else if (key === 'presence_penalty') {
-      const n = Number(valueRaw);
-      if (Number.isFinite(n)) {
-        data.presence_penalty = n;
-        if (n < -2 || n > 2) {
-          console.warn(`agents: presence_penalty ${n} out of range -2-2, ignoring (falling back to default)`);
-        }
-      } else {
-        errors.push(`presence_penalty must be a number (got "${valueRaw}")`);
-      }
-    } else if (key === 'tools') {
+
+    if (key === 'tools') {
      if (valueRaw === '') {
        data.tools = [];
        arrayKey = 'tools';
@@ -354,6 +376,11 @@ function parseAgentSection(section: RawSection): Omit<Agent, 'source'> {
    top_k: typeof fm.top_k === 'number' ? fm.top_k : null,
    min_p: typeof fm.min_p === 'number' ? fm.min_p : null,
    presence_penalty: typeof fm.presence_penalty === 'number' ? fm.presence_penalty : null,
+    top_n_sigma: typeof fm.top_n_sigma === 'number' ? fm.top_n_sigma : null,
+    dry_multiplier: typeof fm.dry_multiplier === 'number' ? fm.dry_multiplier : null,
+    dry_base: typeof fm.dry_base === 'number' ? fm.dry_base : null,
+    dry_allowed_length: typeof fm.dry_allowed_length === 'number' ? fm.dry_allowed_length : null,
+    dry_penalty_last_n: typeof fm.dry_penalty_last_n === 'number' ? fm.dry_penalty_last_n : null,
    tools: filteredTools,
    model: typeof fm.model === 'string' && fm.model.length > 0 ? fm.model : null,
    max_tool_calls: typeof fm.max_tool_calls === 'number' ? fm.max_tool_calls : null,
@@ -410,14 +437,6 @@ interface CacheEntry {
 // corresponding mtime so the next read sees a miss without a watcher.
 const cache = new Map<string, CacheEntry>();

-export function invalidateAgentsCache(projectPath?: string): void {
-  if (projectPath === undefined) {
-    cache.clear();
-  } else {
-    cache.delete(projectPath);
-  }
-}
-
 // v1.13.8: cache-read accessor for the system-prompt prefix-fingerprint log.
 // Returns the AGENTS.md mtimes that getAgentsForProject() observed on its
 // last cache fill for this projectPath. Both fields are null when the cache
--- a/apps/server/src/services/auto_name.ts
+++ b/apps/server/src/services/auto_name.ts
@@ -19,8 +19,6 @@ function cleanTitle(raw: string): string {
  return name;
 }

-// TODO: wire suggestTags after task model validation
-
 export async function maybeAutoNameChat(
  ctx: InferenceContext,
  chatId: string,
--- a/apps/server/src/services/codecontext_client.ts
+++ b/apps/server/src/services/codecontext_client.ts
@@ -113,7 +113,7 @@ export async function callCodecontext(
  fetcher: typeof fetch = fetch,
 ): Promise<CodecontextResponse> {
  // Step 1: realpath the project root, then realpath the requested target_dir
-  // (defaulting to projectPath when the caller didn't pass one — the 8 wrappers
+  // (defaulting to projectPath when the caller didn't pass one — the 12 wrappers
  // never pass target_dir; tests can override). A non-existent target_dir
  // throws before we hit the network so the model gets a sharp error.
  const resolvedProject = await realpath(req.projectPath);
--- a/apps/server/src/services/compaction-prompt.ts
+++ b/apps/server/src/services/compaction-prompt.ts
@@ -31,10 +31,16 @@ export const SUMMARY_TEMPLATE = `Output exactly the Markdown structure shown ins

 ## Relevant Files
 - [file or directory path: why it matters, or "(none)"]
+
+## Files Read
+- [file or directory path that has been read/searched this session, or "(none)"]
 </template>

 Rules:
 - Keep every section, even when empty.
 - Use terse bullets, not prose paragraphs.
 - Preserve exact file paths, commands, error strings, and identifiers when known.
+- For ## Files Read: this is a cumulative provenance ledger. MERGE the paths
+  listed in any "## Files Read" block provided below with those already in the
+  previous summary — never drop a previously-recorded path. Sort and dedupe.
 - Do not mention the summary process or that context was compacted.`;
--- a/apps/server/src/services/compaction.ts
+++ b/apps/server/src/services/compaction.ts
@@ -22,6 +22,8 @@ import type { Config } from '../config.js';
 import type { Broker } from './broker.js';
 import { SUMMARY_TEMPLATE } from './compaction-prompt.js';
 import * as modelContextLookup from './model-context.js';
+import { SENTINEL_KINDS } from './inference/sentinels.js';
+import type { OpenAiMessage } from './inference/payload.js';

 // v1.13.9: ratio-only overflow trigger. Fires compaction at 85% of ctx_max
 // (opencode session/overflow.ts pattern). Replaces the v1.11.0-era
@@ -181,6 +183,54 @@ export function select(
  };
 }

+// === file-provenance ledger (#12, Part B) ===
+
+// Read tools whose path/target arg names a file or directory that was read.
+// BooChat (apps/server) is read-only — there are no write tools, so the ledger
+// only ever has a "Files Read" side (apps/coder can add "Modified" later).
+const READ_TOOL_ARG: Record<string, string> = {
+  view_file: 'path',
+  list_dir: 'path',
+  grep: 'path',
+  find_files: 'path',
+};
+
+// Derive a deterministic, deduped, sorted list of file/dir paths read by the
+// HEAD messages being summarized. Pure — scans assistant tool_calls only; the
+// boundary (which messages are "head") is decided by select() at the call site.
+// We derive at compaction time rather than via a live accumulator because
+// TurnArgs resets per turn and would miss reads on non-compacting turns; the
+// head messages are the authoritative record of what was read in the window
+// being summarized. The result propagates forward as summary text across
+// compactions (the LLM merges it into ## Files Read), so a path read long ago
+// survives even after its originating messages are compacted out.
+export function deriveFilesRead(head: CompactionMessage[]): string[] {
+  const paths = new Set<string>();
+  for (const m of head) {
+    if (m.role !== 'assistant') continue;
+    if (!m.tool_calls) continue;
+    for (const tc of m.tool_calls) {
+      const argName = READ_TOOL_ARG[tc.name];
+      if (!argName) continue;
+      const raw = (tc.args as Record<string, unknown> | null)?.[argName];
+      if (typeof raw === 'string' && raw.trim().length > 0) {
+        paths.add(raw.trim());
+      }
+    }
+  }
+  return [...paths].sort();
+}
+
+// Format the derived paths as a deterministic ## Files Read block for injection
+// into buildPrompt's context array. Returns null when nothing was read (so we
+// don't inject an empty section). The summarizer merges this into the rolling
+// summary's ## Files Read section per the SUMMARY_TEMPLATE instructions.
+export function buildFilesReadContext(head: CompactionMessage[]): string | null {
+  const paths = deriveFilesRead(head);
+  if (paths.length === 0) return null;
+  return ['## Files Read', ...paths.map((p) => `- ${p}`)].join('\n');
+}
+
 // === prompt assembly ===

 // Build the final user message that asks the model to (re)produce the
@@ -208,27 +258,23 @@ export function buildPrompt(
 // would silently drop pre-legacy-compact history before the LLM sees it.
 // Compaction wants to send the entire head, full stop.) ===

-// v1.13.6: exported for unit-test access (reasoning render coverage).
-export interface OpenAiMessage {
-  role: 'system' | 'user' | 'assistant' | 'tool';
-  content: string | null;
-  tool_calls?: Array<{
-    id: string;
-    type: 'function';
-    function: { name: string; arguments: string };
-  }>;
-  tool_call_id?: string;
-}
-
-function isCapHitSentinel(m: CompactionMessage): boolean {
-  return m.role === 'system' && m.metadata != null && m.metadata.kind === 'cap_hit';
+// #12: SENTINEL_KINDS imported from inference/sentinels.ts (single source).
+// OpenAiMessage imported from inference/payload.ts (structurally compatible —
+// compaction's head payload doesn't need the optional reasoning? field).
+function isAnySentinel(m: CompactionMessage): boolean {
+  return (
+    m.role === 'system' &&
+    m.metadata != null &&
+    typeof m.metadata.kind === 'string' &&
+    SENTINEL_KINDS.has(m.metadata.kind)
+  );
 }

 // v1.13.6: exported for unit-test access (reasoning render coverage).
 export function buildHeadPayload(head: CompactionMessage[]): OpenAiMessage[] {
  const out: OpenAiMessage[] = [];
  for (const m of head) {
-    if (isCapHitSentinel(m)) continue;
+    if (isAnySentinel(m)) continue;
    if (m.role === 'assistant' && (m.status === 'streaming' || m.status === 'cancelled')) continue;
    if (m.kind === 'compact') {
      // Legacy compact row — pass through as system context. The new
@@ -417,7 +463,14 @@ export async function process(input: ProcessInput): Promise<void> {
  // user message carrying buildPrompt(previousSummary, []). No system prompt
  // — matches opencode (`system: []`); the template + anchor are sufficient.
  const headPayload = buildHeadPayload(sel.head);
-  const finalUser: OpenAiMessage = { role: 'user', content: buildPrompt(previousSummary, []) };
+  // #12 Part B: derive the file-provenance ledger from the head's read-tool
+  // calls and inject it as a deterministic ## Files Read context block so the
+  // summarizer merges it into the rolling summary. Empty → no injection.
+  const filesReadCtx = buildFilesReadContext(sel.head);
+  const finalUser: OpenAiMessage = {
+    role: 'user',
+    content: buildPrompt(previousSummary, filesReadCtx ? [filesReadCtx] : []),
+  };
  const payload = [...headPayload, finalUser];

  log.info(
--- a/apps/server/src/services/file_ops.ts
+++ b/apps/server/src/services/file_ops.ts
@@ -200,7 +200,7 @@ export async function grep(
 export async function findFiles(
  projectRoot: string,
  pattern?: string,
-  opts?: { type?: 'file' | 'dir'; max_results?: number; path?: string; extra_roots?: readonly string[] }
+  opts?: { max_results?: number; path?: string; extra_roots?: readonly string[] }
 ): Promise<FindFilesResult> {
  const limit = Math.min(
    Math.max(opts?.max_results ?? DEFAULT_FIND_RESULTS, 1),
--- a/apps/server/src/services/git_meta.ts
+++ b/apps/server/src/services/git_meta.ts
@@ -83,10 +83,3 @@ export async function getGitMeta(rootPath: string): Promise<GitMeta | null> {
  return value;
 }

-export function invalidateGitMetaCache(rootPath?: string): void {
-  if (rootPath) {
-    cache.delete(rootPath);
-  } else {
-    cache.clear();
-  }
-}
--- a/apps/server/src/services/inference/budget.ts
+++ b/apps/server/src/services/inference/budget.ts
@@ -1,32 +1,10 @@
 import type { Agent } from '../../types/api.js';
-import { READ_ONLY_TOOL_NAMES } from '../tools.js';
-
-// v1.8.2: tool-call budget defaults. Resolved per-turn by resolveToolBudget.
-//   - Agent with explicit max_tool_calls: that value.
-//   - Agent with read-only-only tools:    BUDGET_READ_ONLY (50).
-//   - Agent with any non-read-only tool:  BUDGET_NON_READ_ONLY (10).
-//   - No agent (raw chat):                BUDGET_NO_AGENT (50).
-// v1.13.7: bumped BUDGET_NO_AGENT 15→30 to match BUDGET_READ_ONLY. Every tool
-// in ALL_TOOLS today is read-only (see services/tools.ts comment at
-// READ_ONLY_TOOL_NAMES); the cautious 15-cap was a forward-looking guard for
-// write tools that haven't landed yet. No-agent mode gets the same toolset as
-// an all-read-only agent at runtime, so they should share the same budget.
-// v1.13.12: bumped read-only caps 30→50. Real recon sessions were hitting 30
-// with ~3 turns wasted on codecontext parse failures (empty node_modules
-// files); legitimate need was ~27, and Architect-class system overviews want
-// deeper recon than a 30-cap permits. Headroom of 20 absorbs failure-retry
-// turns + deeper exploration without changing the safety floor materially —
-// the doom-loop guard (3 identical calls → abort) catches the actual failure
-// mode this cap was guarding against.
-export const BUDGET_READ_ONLY = 100;
-export const BUDGET_NON_READ_ONLY = 100;
-export const BUDGET_NO_AGENT = 100;
-
-const READ_ONLY_SET: ReadonlySet<string> = new Set(READ_ONLY_TOOL_NAMES);

+// Tool-call budget. All three historical tiers (read-only, non-read-only,
+// no-agent) converged to 100 as of v1.13.12, collapsing the tier logic.
+// The only remaining override is per-agent max_tool_calls from AGENTS.md
+// frontmatter. Flat default of 100; doom-loop guard in sentinels.ts catches
+// pathological cases well before the cap is reached.
 export function resolveToolBudget(agent: Agent | null): number {
-  if (agent?.max_tool_calls != null) return agent.max_tool_calls;
-  if (!agent) return BUDGET_NO_AGENT;
-  const allReadOnly = agent.tools.every((t) => READ_ONLY_SET.has(t));
-  return allReadOnly ? BUDGET_READ_ONLY : BUDGET_NON_READ_ONLY;
+  return agent?.max_tool_calls ?? 100;
 }
--- a/apps/server/src/services/inference/content-flusher.ts
+++ b/apps/server/src/services/inference/content-flusher.ts
@@ -0,0 +1,64 @@
+// P5: the debounced DB content-flush timer, extracted from the verbatim copy
+// that lived in executeStreamPhase + the three sentinel summaries (4 sites).
+// Each site streamed deltas into a local `accumulated`/`state.accumulated`
+// string and threw an UPDATE at the row at most once per DB_FLUSH_INTERVAL_MS
+// to bound write rate under heavy streaming.
+//
+// The accumulated string stays owned by the caller (stream-phase keeps it on
+// the shared StreamPhaseState; the summaries keep a local) — the flusher reads
+// it through a `getContent` thunk at fire time, snapshotting the latest value
+// exactly as the inline `const snapshot = accumulated` did. No final flush is
+// performed on drain (matches the originals): every caller writes the full
+// content itself in its terminal UPDATE, so drain only cancels the pending
+// timer and awaits whatever write is already chained.
+
+import type { Sql } from '../../db.js';
+import { DB_FLUSH_INTERVAL_MS } from './types.js';
+
+export interface ContentFlusher {
+  // Arm a debounced flush. No-op if one is already pending (the in-flight timer
+  // will pick up the latest content via getContent when it fires).
+  scheduleFlush: () => void;
+  // Cancel any pending timer and await the in-flight write chain. Does NOT
+  // perform a final flush — the caller's terminal UPDATE owns the final write.
+  drain: () => Promise<void>;
+}
+
+export function createContentFlusher(
+  sql: Sql,
+  messageId: string,
+  getContent: () => string,
+  intervalMs: number = DB_FLUSH_INTERVAL_MS,
+): ContentFlusher {
+  let pendingFlushTimer: NodeJS.Timeout | null = null;
+  let flushPromise: Promise<unknown> = Promise.resolve();
+
+  const flushNow = () => {
+    if (pendingFlushTimer) {
+      clearTimeout(pendingFlushTimer);
+      pendingFlushTimer = null;
+    }
+    const snapshot = getContent();
+    flushPromise = flushPromise.then(() =>
+      sql`UPDATE messages SET content = ${snapshot} WHERE id = ${messageId}`
+    );
+  };
+
+  const scheduleFlush = () => {
+    if (pendingFlushTimer) return;
+    pendingFlushTimer = setTimeout(() => {
+      pendingFlushTimer = null;
+      flushNow();
+    }, intervalMs);
+  };
+
+  const drain = async () => {
+    if (pendingFlushTimer) {
+      clearTimeout(pendingFlushTimer);
+      pendingFlushTimer = null;
+    }
+    await flushPromise;
+  };
+
+  return { scheduleFlush, drain };
+}
--- a/apps/server/src/services/inference/error-handler.ts
+++ b/apps/server/src/services/inference/error-handler.ts
@@ -10,7 +10,7 @@ import { maybeFlagForCompaction } from './payload.js';
 import { insertParts, partsFromAssistantMessage } from './parts.js';
 import type { PartInsert } from './parts.js';
 import { stripToolMarkup } from './tool-call-parser.js';
-import type { InferenceContext, StreamResult, TurnArgs } from './turn.js';
+import type { InferenceContext, StreamResult, TurnArgs } from './types.js';

 export async function handleAbortOrError(
  ctx: InferenceContext,
@@ -95,6 +95,90 @@ export async function handleAbortOrError(
  }
 }

+// P5: the success-finalize atom shared by the wrap-up summaries
+// (sentinel-summaries.ts) and the synthesis pass (synthesisPipeline.ts). Both
+// previously hand-rolled this exact ceremony — n_ctx lookup, the complete
+// UPDATE (content/status/tokens/ctx/ctx_max/finished_at; NO model column), and
+// the message_complete frame with the full token fields. Single-sourcing it
+// means a message_complete frame-contract change lands in one place instead of
+// silently skipping the summary/synthesis paths.
+//
+// `beforeComplete` runs AFTER the UPDATE and BEFORE the message_complete frame
+// — synthesis uses it to write its kind='synthesis' part in the original order
+// (UPDATE → insertParts → message_complete), preserving timing exactly.
+//
+// NOTE: finalizeCompletion does NOT use this — it additionally writes the
+// `model` column, the text/reasoning/html_artifact parts, the compaction flag,
+// and the session_updated bump, which this atom deliberately omits (the summary
+// and synthesis paths handle those — or not — themselves).
+export async function finalizeStreamedRow(
+  ctx: InferenceContext,
+  opts: {
+    sessionId: string;
+    chatId: string;
+    messageId: string;
+    model: string;
+    content: string;
+    completionTokens: number | null;
+    promptTokens: number | null;
+    startedAt: string | null;
+    beforeComplete?: () => Promise<void>;
+  },
+): Promise<void> {
+  // v1.11.3: see executeToolPhase for the rationale.
+  const mctx = await modelContext.getModelContext(opts.model);
+  const nCtx = mctx?.n_ctx ?? null;
+  const [updated] = await ctx.sql<
+    { tokens_used: number | null; ctx_used: number | null; ctx_max: number | null; finished_at: string | null }[]
+  >`
+    UPDATE messages
+    SET content = ${opts.content},
+        status = 'complete',
+        tokens_used = ${opts.completionTokens},
+        ctx_used = ${opts.promptTokens},
+        ctx_max = ${nCtx},
+        finished_at = clock_timestamp()
+    WHERE id = ${opts.messageId}
+    RETURNING tokens_used, ctx_used, ctx_max, finished_at
+  `;
+  if (opts.beforeComplete) await opts.beforeComplete();
+  ctx.publish(opts.sessionId, {
+    type: 'message_complete',
+    message_id: opts.messageId,
+    chat_id: opts.chatId,
+    tokens_used: updated?.tokens_used ?? null,
+    ctx_used: updated?.ctx_used ?? null,
+    ctx_max: updated?.ctx_max ?? null,
+    started_at: opts.startedAt,
+    finished_at: updated?.finished_at ?? null,
+    model: opts.model,
+  });
+}
+
+// P5: minimal empty-finalize for the mistake-escalate path. The escalate
+// branch in runAssistantTurn stops the turn cap-hit-style; the next assistant
+// row is still 'streaming', so it's finalized as an empty complete row (no
+// tokens, no parts, no session bump — the escalate branch handles the sentinel
+// + chat_status itself). Centralizing the status-column write + message_complete
+// frame here keeps it next to the other finalize paths so a status-column
+// change is found in one place.
+export async function finalizeEmpty(
+  ctx: InferenceContext,
+  args: TurnArgs,
+): Promise<void> {
+  const { sessionId, chatId, assistantMessageId } = args;
+  await ctx.sql`
+    UPDATE messages
+    SET content = '', status = 'complete', finished_at = clock_timestamp()
+    WHERE id = ${assistantMessageId}
+  `;
+  ctx.publish(sessionId, {
+    type: 'message_complete',
+    message_id: assistantMessageId,
+    chat_id: chatId,
+  });
+}
+
 export async function finalizeCompletion(
  ctx: InferenceContext,
  args: TurnArgs,
@@ -119,6 +203,7 @@ export async function finalizeCompletion(
        tokens_used = ${completionTokens},
        ctx_used = ${promptTokens},
        ctx_max = ${nCtx},
+        model = ${session.model},
        finished_at = clock_timestamp()
    WHERE id = ${assistantMessageId}
    RETURNING tokens_used, ctx_used, ctx_max, finished_at
--- a/apps/server/src/services/inference/index.ts
+++ b/apps/server/src/services/inference/index.ts
@@ -7,18 +7,17 @@
 export {
  createInferenceRunner,
  MAX_STEPS,
-  runAssistantTurn,
  runInference,
 } from './turn.js';
+// P5: the shared pipeline types moved from turn.ts to types.ts (breaking the
+// hub-and-leaf near-cycle). Re-exported here so the public surface is unchanged.
 export type {
  FramePublisher,
  InferenceContext,
  InferenceFrame,
  StreamResult,
  TurnArgs,
-} from './turn.js';
+} from './types.js';
 export type { ToolPhaseResult } from './tool-phase.js';
 export { detectDoomLoop, DOOM_LOOP_THRESHOLD } from './sentinels.js';
 export { buildMessagesPayload } from './payload.js';
-export { generateToolUseSummary } from './tool-summaries.js';
-export type { ToolInfo } from './tool-summaries.js';
--- a/apps/server/src/services/inference/mistake-tracker.ts
+++ b/apps/server/src/services/inference/mistake-tracker.ts
@@ -0,0 +1,69 @@
+// v#12 MistakeTracker: heterogeneous-failure recovery. Complements the
+// doom-loop guard (sentinels.ts:detectDoomLoop, which only catches *identical*
+// repeats) by catching a run of consecutive tool FAILURES the model isn't
+// recovering from — even when each failure is a *different* error. Algorithm
+// reimplemented from cline's mistake-counting pattern (NOT vendored).
+//
+// Pure module — mirrors sentinels.ts:detectDoomLoop. No DB, no I/O. The state
+// lives loop-local in TurnArgs (reset per runInference, like recentToolCalls).
+
+// The failure taxonomy already distinguished in tool-phase.ts:executeToolCall.
+// 'api_error' is reserved for upstream-model failures surfaced as tool outcomes
+// (no current emit site on apps/server, but the union mirrors the design doc
+// so a future caller can record it without a type change).
+export type FailureKind =
+  | 'zod_reject'
+  | 'tool_not_found'
+  | 'exec_error'
+  | 'api_error'
+  | 'permission_denied';
+
+// Smallest streak that doesn't false-positive on a model that retries once
+// after a transient error. Matches DOOM_LOOP_THRESHOLD's rationale.
+export const MISTAKE_THRESHOLD = 3;
+
+export interface MistakeState {
+  // The current consecutive-failure streak (any successful tool step clears it).
+  run: FailureKind[];
+  // How many recovery nudges have fired without an intervening success. Used to
+  // escalate (stop the turn) on the second trip rather than nudging forever.
+  nudges: number;
+}
+
+export function freshMistakeState(): MistakeState {
+  return { run: [], nudges: 0 };
+}
+
+// Record one tool step's outcome. A 'success' clears BOTH the streak and the
+// nudge counter (the model recovered). A FailureKind pushes onto the streak.
+export function recordStep(
+  state: MistakeState,
+  outcome: FailureKind | 'success',
+): void {
+  if (outcome === 'success') {
+    state.run = [];
+    state.nudges = 0;
+    return;
+  }
+  state.run.push(outcome);
+}
+
+// Decide whether to intervene given the current streak. When the streak has
+// reached MISTAKE_THRESHOLD: 'nudge' the first time (no nudge fired yet),
+// 'escalate' if it trips again while a nudge is already outstanding (no
+// intervening success cleared `nudges`). Below threshold → null.
+//
+// Pure — the caller is responsible for mutating `nudges`/`run` after acting on
+// the decision (mirrors how turn.ts consumes detectDoomLoop's result).
+export function detectMistakePattern(
+  state: MistakeState,
+): 'nudge' | 'escalate' | null {
+  if (state.run.length < MISTAKE_THRESHOLD) return null;
+  return state.nudges === 0 ? 'nudge' : 'escalate';
+}
+
+// Model-facing guidance injected (transiently, for the next step only) when a
+// nudge fires. Short + declarative for the same reliability reason as the
+// cap-hit / doom-loop notes.
+export const MISTAKE_RECOVERY_NOTE =
+  "You've hit several different errors in a row. Stop retrying variations — re-read the tool schemas, verify file paths and arguments exist before calling, and try a fundamentally different approach.";
--- a/apps/server/src/services/inference/parts.ts
+++ b/apps/server/src/services/inference/parts.ts
@@ -1,11 +1,10 @@
 import type { Sql } from '../../db.js';
 import type { ToolCall, ToolResult } from '../../types/api.js';

-// v1.13.0: dual-write helper. Every site that writes the legacy
-// messages.tool_calls / messages.tool_results JSON columns calls into here
-// to mirror the same data into message_parts rows. Reads still go to the
-// JSON columns; the swap to parts-as-source-of-truth happens in a later
-// v1.13 dispatch alongside the AI SDK streamText migration.
+// v1.13.0: message_parts write helpers. v1.13.20: legacy tool_calls/
+// tool_results JSON columns dropped; message_parts is the sole source of
+// truth. All writes go through insertParts / partsFromAssistantMessage /
+// partsFromToolMessage. Reads use the messages_with_parts view.

 // v1.13.13: 'synthesis' added. Schema CHECK constraint is updated in lockstep
 // (schema.sql adds 'synthesis' to message_parts_kind_chk on startup). The
--- a/apps/server/src/services/inference/payload.ts
+++ b/apps/server/src/services/inference/payload.ts
@@ -10,7 +10,8 @@ import * as compaction from '../compaction.js';
 import { buildSystemPromptWithFingerprint } from '../system-prompt.js';
 import { isAnySentinel } from './sentinels.js';
 import { PRUNE_TRIGGER_TOKENS, prune } from './prune.js';
-import type { InferenceContext } from './turn.js';
+import type { InferenceContext } from './types.js';
+import { INFERENCE_MESSAGE_COLUMNS } from '../message-columns.js';

 export interface OpenAiMessage {
  role: 'system' | 'user' | 'assistant' | 'tool';
@@ -205,9 +206,7 @@ export async function loadContext(
  // v1.13.1-C: also pull reasoning_parts so assistant messages from
  // reasoning models can be replayed with their reasoning context preserved.
  const history = await sql<Message[]>`
-    SELECT id, session_id, chat_id, role, content, kind, tool_calls, tool_results, status, last_seq,
-           tokens_used, ctx_used, ctx_max, started_at, finished_at, created_at, metadata,
-           reasoning_parts
+    SELECT ${sql.unsafe(INFERENCE_MESSAGE_COLUMNS)}
    FROM messages_with_parts
    WHERE chat_id = ${chatId} AND compacted_at IS NULL
    ORDER BY created_at ASC, id ASC
--- a/apps/server/src/services/inference/sentinel-summaries.ts
+++ b/apps/server/src/services/inference/sentinel-summaries.ts
@@ -5,16 +5,16 @@ import type {
  Project,
  Session,
 } from '../../types/api.js';
-import * as modelContext from '../model-context.js';
 import { buildMessagesPayload } from './payload.js';
 import { DOOM_LOOP_THRESHOLD } from './sentinels.js';
-import { streamCompletion } from './stream-phase.js';
-import { DB_FLUSH_INTERVAL_MS } from './types.js';
+import { streamCompletion, samplerOptsFromAgent } from './stream-phase.js';
+import { createContentFlusher } from './content-flusher.js';
+import { finalizeStreamedRow } from './error-handler.js';
 import type {
  InferenceContext,
  StreamResult,
  TurnArgs,
-} from './turn.js';
+} from './types.js';

 // Synthetic system note appended to the cap-hit summary call. Verbatim from
 // the v1.8.2 spec — do not paraphrase: the model is more reliable when the
@@ -25,21 +25,50 @@ const CAP_HIT_SUMMARY_NOTE = (limit: number) =>
 const DOOM_LOOP_NOTE = (name: string) =>
  `You called ${name} with the same arguments ${DOOM_LOOP_THRESHOLD} times in a row. Stop calling it. Produce the best answer you can with what you have.`;

-export async function runCapHitSummary(
+// v1.14.0: step-cap wrap-up note. Names the step limit rather than the tool
+// budget. The sentinel reuses metadata.kind = 'cap_hit' so the frontend
+// CapHitSentinel component renders it without changes.
+const STEP_CAP_NOTE = (steps: number, cap: number) =>
+  `You've reached the step limit (${steps}/${cap} steps). Produce the best answer you can with what you have. Do not call more tools.`;
+
+// P5: the ONE generic wrap-up flow shared by the three sentinel summaries
+// (cap-hit, doom-loop, step-cap). Each reuses the in-flight assistant slot to
+// stream a short tools-disabled summary, finalizes via the same 3-outcome
+// branch (complete / cancelled / failed), bumps the session, then drops a
+// sentinel and the chat_status. The three differ only in:
+//   - `note`: the synthetic system instruction appended to the summary call.
+//   - `errorText`: the fallback used in the failed-status metadata + error frame.
+//   - sentinel timing: cap-hit inserts BEFORE the stream (`beforeStream`);
+//     doom-loop + step-cap insert AFTER the session bump (`afterSession`).
+//   - `logMsg` / `logFields`: per-kind log line + extra fields.
+// All three use error_reason / chat_status reason = 'summary_after_cap_failed'
+// (doom-loop reuses it deliberately — the user-visible failure mode is the
+// same "model gave up mid-summary"; the ErrorReason union is shared and the UI
+// surfaces a generic "summary failed" line for every sentinel path).
+interface WrapUpOpts {
+  note: string;
+  errorText: string;
+  logMsg: string;
+  logFields: Record<string, unknown>;
+  beforeStream?: () => Promise<void>;
+  afterSession?: () => Promise<void>;
+}
+
+async function runWrapUpSummary(
  ctx: InferenceContext,
  args: TurnArgs,
  session: Session,
  project: Project,
  history: Message[],
  agent: Agent | null,
-  budget: number,
+  opts: WrapUpOpts,
 ): Promise<void> {
  const { sessionId, chatId, assistantMessageId, signal } = args;

-  await insertCapHitSentinel(ctx, sessionId, chatId, agent, budget);
+  if (opts.beforeStream) await opts.beforeStream();

  const messages = await buildMessagesPayload(session, project, history, agent, ctx.log);
-  messages.push({ role: 'system', content: CAP_HIT_SUMMARY_NOTE(budget) });
+  messages.push({ role: 'system', content: opts.note });

  const startedRow = await ctx.sql<{ started_at: string }[]>`
    UPDATE messages
@@ -57,25 +86,7 @@ export async function runCapHitSummary(
  });

  let accumulated = '';
-  let pendingFlushTimer: NodeJS.Timeout | null = null;
-  let flushPromise: Promise<unknown> = Promise.resolve();
-  const flushNow = () => {
-    if (pendingFlushTimer) {
-      clearTimeout(pendingFlushTimer);
-      pendingFlushTimer = null;
-    }
-    const snapshot = accumulated;
-    flushPromise = flushPromise.then(() =>
-      ctx.sql`UPDATE messages SET content = ${snapshot} WHERE id = ${assistantMessageId}`
-    );
-  };
-  const scheduleFlush = () => {
-    if (pendingFlushTimer) return;
-    pendingFlushTimer = setTimeout(() => {
-      pendingFlushTimer = null;
-      flushNow();
-    }, DB_FLUSH_INTERVAL_MS);
-  };
+  const flusher = createContentFlusher(ctx.sql, assistantMessageId, () => accumulated);

  let summaryOk = false;
  let summarySoftCancelled = false;
@@ -86,7 +97,7 @@ export async function runCapHitSummary(
      ctx,
      session.model,
      messages,
-      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined },
+      { tools: null, ...samplerOptsFromAgent(agent) },
      (delta) => {
        accumulated += delta;
        ctx.publish(sessionId, {
@@ -95,7 +106,7 @@ export async function runCapHitSummary(
          chat_id: chatId,
          content: delta,
        });
-        scheduleFlush();
+        flusher.scheduleFlush();
      },
      undefined,
      signal,
@@ -108,44 +119,23 @@ export async function runCapHitSummary(
      summaryError = err instanceof Error ? err.message : String(err);
    }
  } finally {
-    if (pendingFlushTimer) {
-      clearTimeout(pendingFlushTimer);
-      pendingFlushTimer = null;
-    }
-    await flushPromise;
+    await flusher.drain();
  }

-  // Finalize the summary message based on the three outcomes. The sentinel
-  // is inserted regardless so the user always has the Continue affordance —
-  // even on a partial / failed summary the chat history shows where the
-  // budget was hit.
+  // Finalize the summary message based on the three outcomes. The sentinel is
+  // inserted regardless (before or after, per opts) so the user always has the
+  // appropriate affordance — even on a partial / failed summary the chat
+  // history shows where the loop stopped.
  if (summaryOk && result) {
-    // v1.11.3: see executeToolPhase for the rationale.
-    const mctx = await modelContext.getModelContext(session.model);
-    const nCtx = mctx?.n_ctx ?? null;
-    const [updated] = await ctx.sql<
-      { tokens_used: number | null; ctx_used: number | null; ctx_max: number | null; finished_at: string | null }[]
-    >`
-      UPDATE messages
-      SET content = ${result.content},
-          status = 'complete',
-          tokens_used = ${result.completionTokens},
-          ctx_used = ${result.promptTokens},
-          ctx_max = ${nCtx},
-          finished_at = clock_timestamp()
-      WHERE id = ${assistantMessageId}
-      RETURNING tokens_used, ctx_used, ctx_max, finished_at
-    `;
-    ctx.publish(sessionId, {
-      type: 'message_complete',
-      message_id: assistantMessageId,
-      chat_id: chatId,
-      tokens_used: updated?.tokens_used ?? null,
-      ctx_used: updated?.ctx_used ?? null,
-      ctx_max: updated?.ctx_max ?? null,
-      started_at: startedAt,
-      finished_at: updated?.finished_at ?? null,
+    await finalizeStreamedRow(ctx, {
+      sessionId,
+      chatId,
+      messageId: assistantMessageId,
      model: session.model,
+      content: result.content,
+      completionTokens: result.completionTokens,
+      promptTokens: result.promptTokens,
+      startedAt,
    });
  } else if (summarySoftCancelled) {
    await ctx.sql`
@@ -164,7 +154,7 @@ export async function runCapHitSummary(
    const errMeta: MessageMetadata = {
      kind: 'error',
      error_reason: 'summary_after_cap_failed',
-      error_text: summaryError ?? 'summary failed',
+      error_text: summaryError ?? opts.errorText,
    };
    await ctx.sql`
      UPDATE messages
@@ -178,7 +168,7 @@ export async function runCapHitSummary(
      type: 'error',
      message_id: assistantMessageId,
      chat_id: chatId,
-      error: summaryError ?? 'summary failed',
+      error: summaryError ?? opts.errorText,
      reason: 'summary_after_cap_failed',
    });
  }
@@ -197,11 +187,11 @@ export async function runCapHitSummary(
    updated_at: sessRow!.updated_at,
  });

+  if (opts.afterSession) await opts.afterSession();
+
  // Status frame fires last so the dot color reflects the terminal state.
  // Success → idle, abort → idle (user-driven stop), error → error+reason.
-  if (summaryOk) {
-    ctx.publishUser({ type: 'chat_status', chat_id: chatId, status: 'idle', at: new Date().toISOString() });
-  } else if (summarySoftCancelled) {
+  if (summaryOk || summarySoftCancelled) {
    ctx.publishUser({ type: 'chat_status', chat_id: chatId, status: 'idle', at: new Date().toISOString() });
  } else {
    ctx.publishUser({
@@ -214,11 +204,113 @@ export async function runCapHitSummary(
  }

  ctx.log.info(
-    { sessionId, chatId, assistantMessageId, budget, summaryOk, summaryCancelled: summarySoftCancelled },
-    'inference cap-hit summary finished',
+    { sessionId, chatId, assistantMessageId, ...opts.logFields, summaryOk, summaryCancelled: summarySoftCancelled },
+    opts.logMsg,
  );
 }

+// v1.8.2: cap-hit summary flow. Called instead of erroring when the loop hits
+// its budget. The cap-hit sentinel is inserted FIRST (before the summary
+// stream) so the UI shows the Continue affordance regardless of summary
+// outcome.
+export async function runCapHitSummary(
+  ctx: InferenceContext,
+  args: TurnArgs,
+  session: Session,
+  project: Project,
+  history: Message[],
+  agent: Agent | null,
+  budget: number,
+): Promise<void> {
+  await runWrapUpSummary(ctx, args, session, project, history, agent, {
+    note: CAP_HIT_SUMMARY_NOTE(budget),
+    errorText: 'summary failed',
+    logMsg: 'inference cap-hit summary finished',
+    logFields: { budget },
+    beforeStream: () => insertCapHitSentinel(ctx, args.sessionId, args.chatId, agent, budget),
+  });
+}
+
+// v1.11.6: doom-loop wrap-up. The doom-loop sentinel is inserted AFTER the
+// session bump (no Continue affordance — continuing would re-trigger the loop
+// with the same tools available; the user needs to restate or switch agents).
+export async function runDoomLoopSummary(
+  ctx: InferenceContext,
+  args: TurnArgs,
+  session: Session,
+  project: Project,
+  history: Message[],
+  agent: Agent | null,
+  loop: { name: string; args: Record<string, unknown> },
+): Promise<void> {
+  await runWrapUpSummary(ctx, args, session, project, history, agent, {
+    note: DOOM_LOOP_NOTE(loop.name),
+    errorText: 'doom-loop summary failed',
+    logMsg: 'inference doom-loop summary finished',
+    logFields: { loopedTool: loop.name },
+    afterSession: () => insertDoomLoopSentinel(ctx, args.sessionId, args.chatId, loop),
+  });
+}
+
+// v1.14.0: step-cap wrap-up. Reuses the cap_hit sentinel (inserted AFTER the
+// session bump) so the frontend CapHitSentinel component renders it without
+// changes; the content text distinguishes step cap from budget.
+export async function runStepCapSummary(
+  ctx: InferenceContext,
+  args: TurnArgs,
+  session: Session,
+  project: Project,
+  history: Message[],
+  agent: Agent | null,
+  steps: number,
+  cap: number,
+): Promise<void> {
+  await runWrapUpSummary(ctx, args, session, project, history, agent, {
+    note: STEP_CAP_NOTE(steps, cap),
+    errorText: 'step-cap summary failed',
+    logMsg: 'inference step-cap summary finished',
+    logFields: { steps, cap },
+    afterSession: () => insertCapHitSentinel(ctx, args.sessionId, args.chatId, agent, cap),
+  });
+}
+
+// P5: the ONE INSERT + message_started → delta → message_complete frame
+// sequence shared by every sentinel inserter. The sentinel row is a
+// role='system', status='complete' message; the static content rides the same
+// streaming-frame path useSessionStream's reducer uses for assistant messages
+// (the delta carries the full text in one chunk).
+async function insertSentinel(
+  ctx: InferenceContext,
+  sessionId: string,
+  chatId: string,
+  metadata: MessageMetadata,
+  content: string,
+): Promise<void> {
+  const [row] = await ctx.sql<{ id: string }[]>`
+    INSERT INTO messages (session_id, chat_id, role, content, status, created_at, metadata)
+    VALUES (${sessionId}, ${chatId}, 'system', ${content}, 'complete', clock_timestamp(), ${ctx.sql.json(metadata as never)})
+    RETURNING id
+  `;
+  ctx.publish(sessionId, {
+    type: 'message_started',
+    message_id: row!.id,
+    chat_id: chatId,
+    role: 'system',
+  });
+  ctx.publish(sessionId, {
+    type: 'delta',
+    message_id: row!.id,
+    chat_id: chatId,
+    content,
+  });
+  ctx.publish(sessionId, {
+    type: 'message_complete',
+    message_id: row!.id,
+    chat_id: chatId,
+    metadata,
+  });
+}
+
 async function insertCapHitSentinel(
  ctx: InferenceContext,
  sessionId: string,
@@ -246,430 +338,7 @@ async function insertCapHitSentinel(
    can_continue: canContinue,
  };
  const content = `Reached tool budget (${budget}/${budget}). Continue to extend.`;
-
-  const [row] = await ctx.sql<{ id: string }[]>`
-    INSERT INTO messages (session_id, chat_id, role, content, status, created_at, metadata)
-    VALUES (${sessionId}, ${chatId}, 'system', ${content}, 'complete', clock_timestamp(), ${ctx.sql.json(metadata as never)})
-    RETURNING id
-  `;
-
-  // The sentinel content is static, but we still walk the standard frame
-  // sequence (started → delta → complete) so useSessionStream's reducer
-  // appends it via the same path it uses for streaming assistant messages.
-  // The delta carries the full text in one chunk.
-  ctx.publish(sessionId, {
-    type: 'message_started',
-    message_id: row!.id,
-    chat_id: chatId,
-    role: 'system',
-  });
-  ctx.publish(sessionId, {
-    type: 'delta',
-    message_id: row!.id,
-    chat_id: chatId,
-    content,
-  });
-  ctx.publish(sessionId, {
-    type: 'message_complete',
-    message_id: row!.id,
-    chat_id: chatId,
-    metadata,
-  });
-}
-
-// v1.11.6: doom-loop wrap-up. Mirrors runCapHitSummary structurally — same
-// in-flight-slot reuse, same tools-disabled streaming-summary call, same
-// post-finalize sentinel insert + chat_status drop. Differences:
-//   - synthetic note text comes from DOOM_LOOP_NOTE (names the looping tool)
-//   - sentinel metadata is { kind: 'doom_loop', tool_name, args, threshold }
-//     and has no Continue affordance (manual retry would just re-loop)
-//   - chat_status error path uses reason: 'doom_loop_summary_failed'
-// Kept as a clone rather than refactored into a shared helper because the
-// two summary paths still differ in error reason + sentinel shape; a third
-// sentinel would justify factoring out runWrapUpSummary(opts).
-export async function runDoomLoopSummary(
-  ctx: InferenceContext,
-  args: TurnArgs,
-  session: Session,
-  project: Project,
-  history: Message[],
-  agent: Agent | null,
-  loop: { name: string; args: Record<string, unknown> },
-): Promise<void> {
-  const { sessionId, chatId, assistantMessageId, signal } = args;
-
-  const messages = await buildMessagesPayload(session, project, history, agent, ctx.log);
-  messages.push({ role: 'system', content: DOOM_LOOP_NOTE(loop.name) });
-
-  const startedRow = await ctx.sql<{ started_at: string }[]>`
-    UPDATE messages
-    SET started_at = clock_timestamp()
-    WHERE id = ${assistantMessageId}
-    RETURNING started_at
-  `;
-  const startedAt = startedRow[0]?.started_at ?? null;
-
-  ctx.publish(sessionId, {
-    type: 'message_started',
-    message_id: assistantMessageId,
-    chat_id: chatId,
-    role: 'assistant',
-  });
-
-  let accumulated = '';
-  let pendingFlushTimer: NodeJS.Timeout | null = null;
-  let flushPromise: Promise<unknown> = Promise.resolve();
-  const flushNow = () => {
-    if (pendingFlushTimer) {
-      clearTimeout(pendingFlushTimer);
-      pendingFlushTimer = null;
-    }
-    const snapshot = accumulated;
-    flushPromise = flushPromise.then(() =>
-      ctx.sql`UPDATE messages SET content = ${snapshot} WHERE id = ${assistantMessageId}`
-    );
-  };
-  const scheduleFlush = () => {
-    if (pendingFlushTimer) return;
-    pendingFlushTimer = setTimeout(() => {
-      pendingFlushTimer = null;
-      flushNow();
-    }, DB_FLUSH_INTERVAL_MS);
-  };
-
-  let summaryOk = false;
-  let summarySoftCancelled = false;
-  let summaryError: string | null = null;
-  let result: StreamResult | null = null;
-  try {
-    result = await streamCompletion(
-      ctx,
-      session.model,
-      messages,
-      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined },
-      (delta) => {
-        accumulated += delta;
-        ctx.publish(sessionId, {
-          type: 'delta',
-          message_id: assistantMessageId,
-          chat_id: chatId,
-          content: delta,
-        });
-        scheduleFlush();
-      },
-      undefined,
-      signal,
-    );
-    summaryOk = true;
-  } catch (err) {
-    if (err instanceof Error && err.name === 'AbortError') {
-      summarySoftCancelled = true;
-    } else {
-      summaryError = err instanceof Error ? err.message : String(err);
-    }
-  } finally {
-    if (pendingFlushTimer) {
-      clearTimeout(pendingFlushTimer);
-      pendingFlushTimer = null;
-    }
-    await flushPromise;
-  }
-
-  if (summaryOk && result) {
-    const mctx = await modelContext.getModelContext(session.model);
-    const nCtx = mctx?.n_ctx ?? null;
-    const [updated] = await ctx.sql<
-      { tokens_used: number | null; ctx_used: number | null; ctx_max: number | null; finished_at: string | null }[]
-    >`
-      UPDATE messages
-      SET content = ${result.content},
-          status = 'complete',
-          tokens_used = ${result.completionTokens},
-          ctx_used = ${result.promptTokens},
-          ctx_max = ${nCtx},
-          finished_at = clock_timestamp()
-      WHERE id = ${assistantMessageId}
-      RETURNING tokens_used, ctx_used, ctx_max, finished_at
-    `;
-    ctx.publish(sessionId, {
-      type: 'message_complete',
-      message_id: assistantMessageId,
-      chat_id: chatId,
-      tokens_used: updated?.tokens_used ?? null,
-      ctx_used: updated?.ctx_used ?? null,
-      ctx_max: updated?.ctx_max ?? null,
-      started_at: startedAt,
-      finished_at: updated?.finished_at ?? null,
-      model: session.model,
-    });
-  } else if (summarySoftCancelled) {
-    await ctx.sql`
-      UPDATE messages
-      SET content = ${accumulated},
-          status = 'cancelled',
-          finished_at = clock_timestamp()
-      WHERE id = ${assistantMessageId}
-    `;
-    ctx.publish(sessionId, {
-      type: 'message_complete',
-      message_id: assistantMessageId,
-      chat_id: chatId,
-    });
-  } else {
-    // Doom-loop summary failure reuses the existing summary_after_cap_failed
-    // error reason — the ErrorReason union is shared between sentinel paths
-    // and the UI surfaces a generic "summary failed" line for both. We don't
-    // add a new reason code because the user-visible failure mode is the
-    // same (model gave up mid-summary). Sentinel below still fires.
-    const errMeta: MessageMetadata = {
-      kind: 'error',
-      error_reason: 'summary_after_cap_failed',
-      error_text: summaryError ?? 'doom-loop summary failed',
-    };
-    await ctx.sql`
-      UPDATE messages
-      SET content = ${accumulated},
-          status = 'failed',
-          finished_at = clock_timestamp(),
-          metadata = ${ctx.sql.json(errMeta as never)}
-      WHERE id = ${assistantMessageId}
-    `;
-    ctx.publish(sessionId, {
-      type: 'error',
-      message_id: assistantMessageId,
-      chat_id: chatId,
-      error: summaryError ?? 'doom-loop summary failed',
-      reason: 'summary_after_cap_failed',
-    });
-  }
-
-  const [sessRow] = await ctx.sql<{ project_id: string; name: string; updated_at: string }[]>`
-    UPDATE sessions SET updated_at = clock_timestamp()
-    WHERE id = ${sessionId}
-    RETURNING project_id, name, updated_at
-  `;
-  ctx.publishUser({
-    type: 'session_updated',
-    session_id: sessionId,
-    project_id: sessRow!.project_id,
-    name: sessRow!.name,
-    updated_at: sessRow!.updated_at,
-  });
-
-  await insertDoomLoopSentinel(ctx, sessionId, chatId, loop);
-
-  if (summaryOk || summarySoftCancelled) {
-    ctx.publishUser({ type: 'chat_status', chat_id: chatId, status: 'idle', at: new Date().toISOString() });
-  } else {
-    ctx.publishUser({
-      type: 'chat_status',
-      chat_id: chatId,
-      status: 'error',
-      at: new Date().toISOString(),
-      reason: 'summary_after_cap_failed',
-    });
-  }
-
-  ctx.log.info(
-    { sessionId, chatId, assistantMessageId, loopedTool: loop.name, summaryOk, summaryCancelled: summarySoftCancelled },
-    'inference doom-loop summary finished',
-  );
-}
-
-// v1.14.0: step-cap wrap-up. Mirrors runCapHitSummary structurally — same
-// in-flight-slot reuse, same tools-disabled streaming-summary call, same
-// post-finalize sentinel insert + chat_status drop. Difference: the note
-// text names the step limit rather than the tool budget. Sentinel reuses
-// metadata.kind = 'cap_hit' so the frontend CapHitSentinel component
-// renders it without changes.
-const STEP_CAP_NOTE = (steps: number, cap: number) =>
-  `You've reached the step limit (${steps}/${cap} steps). Produce the best answer you can with what you have. Do not call more tools.`;
-
-export async function runStepCapSummary(
-  ctx: InferenceContext,
-  args: TurnArgs,
-  session: Session,
-  project: Project,
-  history: Message[],
-  agent: Agent | null,
-  steps: number,
-  cap: number,
-): Promise<void> {
-  const { sessionId, chatId, assistantMessageId, signal } = args;
-
-  const messages = await buildMessagesPayload(session, project, history, agent, ctx.log);
-  messages.push({ role: 'system', content: STEP_CAP_NOTE(steps, cap) });
-
-  const startedRow = await ctx.sql<{ started_at: string }[]>`
-    UPDATE messages
-    SET started_at = clock_timestamp()
-    WHERE id = ${assistantMessageId}
-    RETURNING started_at
-  `;
-  const startedAt = startedRow[0]?.started_at ?? null;
-
-  ctx.publish(sessionId, {
-    type: 'message_started',
-    message_id: assistantMessageId,
-    chat_id: chatId,
-    role: 'assistant',
-  });
-
-  let accumulated = '';
-  let pendingFlushTimer: NodeJS.Timeout | null = null;
-  let flushPromise: Promise<unknown> = Promise.resolve();
-  const flushNow = () => {
-    if (pendingFlushTimer) {
-      clearTimeout(pendingFlushTimer);
-      pendingFlushTimer = null;
-    }
-    const snapshot = accumulated;
-    flushPromise = flushPromise.then(() =>
-      ctx.sql`UPDATE messages SET content = ${snapshot} WHERE id = ${assistantMessageId}`
-    );
-  };
-  const scheduleFlush = () => {
-    if (pendingFlushTimer) return;
-    pendingFlushTimer = setTimeout(() => {
-      pendingFlushTimer = null;
-      flushNow();
-    }, DB_FLUSH_INTERVAL_MS);
-  };
-
-  let summaryOk = false;
-  let summarySoftCancelled = false;
-  let summaryError: string | null = null;
-  let result: StreamResult | null = null;
-  try {
-    result = await streamCompletion(
-      ctx,
-      session.model,
-      messages,
-      { tools: null, temperature: agent?.temperature, top_p: agent?.top_p ?? undefined, top_k: agent?.top_k ?? undefined, min_p: agent?.min_p ?? undefined, presence_penalty: agent?.presence_penalty ?? undefined },
-      (delta) => {
-        accumulated += delta;
-        ctx.publish(sessionId, {
-          type: 'delta',
-          message_id: assistantMessageId,
-          chat_id: chatId,
-          content: delta,
-        });
-        scheduleFlush();
-      },
-      undefined,
-      signal,
-    );
-    summaryOk = true;
-  } catch (err) {
-    if (err instanceof Error && err.name === 'AbortError') {
-      summarySoftCancelled = true;
-    } else {
-      summaryError = err instanceof Error ? err.message : String(err);
-    }
-  } finally {
-    if (pendingFlushTimer) {
-      clearTimeout(pendingFlushTimer);
-      pendingFlushTimer = null;
-    }
-    await flushPromise;
-  }
-
-  if (summaryOk && result) {
-    const mctx = await modelContext.getModelContext(session.model);
-    const nCtx = mctx?.n_ctx ?? null;
-    const [updated] = await ctx.sql<
-      { tokens_used: number | null; ctx_used: number | null; ctx_max: number | null; finished_at: string | null }[]
-    >`
-      UPDATE messages
-      SET content = ${result.content},
-          status = 'complete',
-          tokens_used = ${result.completionTokens},
-          ctx_used = ${result.promptTokens},
-          ctx_max = ${nCtx},
-          finished_at = clock_timestamp()
-      WHERE id = ${assistantMessageId}
-      RETURNING tokens_used, ctx_used, ctx_max, finished_at
-    `;
-    ctx.publish(sessionId, {
-      type: 'message_complete',
-      message_id: assistantMessageId,
-      chat_id: chatId,
-      tokens_used: updated?.tokens_used ?? null,
-      ctx_used: updated?.ctx_used ?? null,
-      ctx_max: updated?.ctx_max ?? null,
-      started_at: startedAt,
-      finished_at: updated?.finished_at ?? null,
-      model: session.model,
-    });
-  } else if (summarySoftCancelled) {
-    await ctx.sql`
-      UPDATE messages
-      SET content = ${accumulated},
-          status = 'cancelled',
-          finished_at = clock_timestamp()
-      WHERE id = ${assistantMessageId}
-    `;
-    ctx.publish(sessionId, {
-      type: 'message_complete',
-      message_id: assistantMessageId,
-      chat_id: chatId,
-    });
-  } else {
-    const errMeta: MessageMetadata = {
-      kind: 'error',
-      error_reason: 'summary_after_cap_failed',
-      error_text: summaryError ?? 'step-cap summary failed',
-    };
-    await ctx.sql`
-      UPDATE messages
-      SET content = ${accumulated},
-          status = 'failed',
-          finished_at = clock_timestamp(),
-          metadata = ${ctx.sql.json(errMeta as never)}
-      WHERE id = ${assistantMessageId}
-    `;
-    ctx.publish(sessionId, {
-      type: 'error',
-      message_id: assistantMessageId,
-      chat_id: chatId,
-      error: summaryError ?? 'step-cap summary failed',
-      reason: 'summary_after_cap_failed',
-    });
-  }
-
-  const [sessRow] = await ctx.sql<{ project_id: string; name: string; updated_at: string }[]>`
-    UPDATE sessions SET updated_at = clock_timestamp()
-    WHERE id = ${sessionId}
-    RETURNING project_id, name, updated_at
-  `;
-  ctx.publishUser({
-    type: 'session_updated',
-    session_id: sessionId,
-    project_id: sessRow!.project_id,
-    name: sessRow!.name,
-    updated_at: sessRow!.updated_at,
-  });
-
-  // Reuse cap_hit sentinel so the frontend CapHitSentinel component renders
-  // it without changes. The content text distinguishes step cap from budget.
-  await insertCapHitSentinel(ctx, sessionId, chatId, agent, cap);
-
-  if (summaryOk || summarySoftCancelled) {
-    ctx.publishUser({ type: 'chat_status', chat_id: chatId, status: 'idle', at: new Date().toISOString() });
-  } else {
-    ctx.publishUser({
-      type: 'chat_status',
-      chat_id: chatId,
-      status: 'error',
-      at: new Date().toISOString(),
-      reason: 'summary_after_cap_failed',
-    });
-  }
-
-  ctx.log.info(
-    { sessionId, chatId, assistantMessageId, steps, cap, summaryOk, summaryCancelled: summarySoftCancelled },
-    'inference step-cap summary finished',
-  );
+  await insertSentinel(ctx, sessionId, chatId, metadata, content);
 }

 async function insertDoomLoopSentinel(
@@ -689,31 +358,33 @@ async function insertDoomLoopSentinel(
    threshold: DOOM_LOOP_THRESHOLD,
  };
  const content = `Detected ${DOOM_LOOP_THRESHOLD} identical calls to ${loop.name}. Stopping the tool-call loop. Produce the best answer you can with what you have.`;
-
-  const [row] = await ctx.sql<{ id: string }[]>`
-    INSERT INTO messages (session_id, chat_id, role, content, status, created_at, metadata)
-    VALUES (${sessionId}, ${chatId}, 'system', ${content}, 'complete', clock_timestamp(), ${ctx.sql.json(metadata as never)})
-    RETURNING id
-  `;
-
-  // Standard frame sequence — same as cap-hit sentinel — so
-  // useSessionStream's reducer appends the row via the existing path.
-  ctx.publish(sessionId, {
-    type: 'message_started',
-    message_id: row!.id,
-    chat_id: chatId,
-    role: 'system',
-  });
-  ctx.publish(sessionId, {
-    type: 'delta',
-    message_id: row!.id,
-    chat_id: chatId,
-    content,
-  });
-  ctx.publish(sessionId, {
-    type: 'message_complete',
-    message_id: row!.id,
-    chat_id: chatId,
-    metadata,
-  });
+  await insertSentinel(ctx, sessionId, chatId, metadata, content);
+}
+
+// #12 MistakeTracker: heterogeneous-failure recovery sentinel. A role='system',
+// status='complete' row firing the standard sentinel frame sequence. Two
+// variants distinguished by `escalated`:
+//   - escalated:false → a nudge fired; recovery guidance was injected into the
+//     model's next step and the loop continued. can_continue is true (the turn
+//     is still live).
+//   - escalated:true  → the nudge didn't break the failure run; the turn was
+//     stopped (cap-hit-style). can_continue is true so the UI can still offer a
+//     Continue affordance — a fresh user turn resets the tracker.
+export async function insertMistakeRecoverySentinel(
+  ctx: InferenceContext,
+  sessionId: string,
+  chatId: string,
+  opts: { failureKinds: string[]; count: number; escalated: boolean; canContinue: boolean },
+): Promise<void> {
+  const metadata: MessageMetadata = {
+    kind: 'mistake_recovery',
+    failure_kinds: opts.failureKinds,
+    count: opts.count,
+    escalated: opts.escalated,
+    can_continue: opts.canContinue,
+  };
+  const content = opts.escalated
+    ? `Repeated different errors persisted after a recovery nudge (${opts.count} in a row). Stopping the tool-call loop.`
+    : `Hit ${opts.count} different errors in a row. Injected recovery guidance and continuing.`;
+  await insertSentinel(ctx, sessionId, chatId, metadata, content);
 }
--- a/apps/server/src/services/inference/sentinels.ts
+++ b/apps/server/src/services/inference/sentinels.ts
@@ -27,6 +27,10 @@ export function detectDoomLoop(
  return { name: ref.name, args: ref.args };
 }

+// All sentinel kinds. isAnySentinel and compaction.ts's local predicate both
+// consume this set — single source so a new kind can't be missed in one.
+export const SENTINEL_KINDS = new Set(['cap_hit', 'doom_loop', 'mistake_recovery']);
+
 export function isCapHitSentinel(m: Message): boolean {
  return (
    m.role === 'system' &&
@@ -48,6 +52,23 @@ export function isDoomLoopSentinel(m: Message): boolean {
  );
 }

-export function isAnySentinel(m: Message): boolean {
-  return isCapHitSentinel(m) || isDoomLoopSentinel(m);
+// #12: mistake-recovery sentinel. Same UI-only semantics as cap-hit /
+// doom-loop — never sent to the LLM (filtered via the isAnySentinel check
+// below, which buildMessagesPayload + buildHeadPayload both consult).
+export function isMistakeRecoverySentinel(m: Message): boolean {
+  return (
+    m.role === 'system' &&
+    m.metadata !== null &&
+    typeof m.metadata === 'object' &&
+    (m.metadata as { kind?: unknown }).kind === 'mistake_recovery'
+  );
+}
+
+export function isAnySentinel(m: Message): boolean {
+  return (
+    m.role === 'system' &&
+    m.metadata !== null &&
+    typeof m.metadata === 'object' &&
+    SENTINEL_KINDS.has((m.metadata as { kind?: unknown }).kind as string)
+  );
 }
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
indifferentketchup	8c200216eb	refactor: codebase audit cleanup — dead code, dedup, module splits Multi-agent audit + aggressive cleanup across server/web/coder/booterm, delivered behind a DEFER discipline so none of the in-flight files were touched. Removes dead code/deps/columns, dedups server + coder helpers, and splits the oversized modules (tools.ts, opencode-server.ts, sentinel-summaries, turn.ts, TerminalPane.tsx) behind stable contracts. Adds 78 parity/unit tests (server 587, coder 323); fixes two latent bugs (ChatPane queue keys, FileViewerOverlay blank-line parity). Intended tag: v2.7.12-audit-cleanup. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-02 21:12:29 +00:00
indifferentketchup	e5ce01ae72	fix(coder): include model in WS snapshot SELECT so the attribution chip survives refresh CoderPane hydrates from the HTTP listMessages fetch (SELECT has model) AND the WS snapshot frame, and the snapshot handler setMessages-overwrites the HTTP load. The snapshot query in apps/coder/src/routes/ws.ts had its own column list that omitted model, so on coder refresh the chip's model was lost (it showed live via the message_complete frame). One-column fix: add model to that SELECT. CLAUDE.md mapper-chain note updated to list the WS snapshot SELECT. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-02 18:03:10 +00:00
indifferentketchup	81470f5a77	Merge composer-chips: v2.7.10 composer attach-file button + slash-commands chip (icon-only on mobile) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-02 17:27:59 +00:00
indifferentketchup	35dba828e1	feat: composer attach-file button + slash-commands chip (icon-only on mobile) Move the slash-commands menu out of the full-width AgentCommandsHint disclosure into a compact chip in the composer's bottom controls row, and add an attach-file button that reuses the existing drag-drop pipeline (5MB/binary gate, 10-attachment cap, chips + preview). On mobile both collapse to icon-only (count hidden). Shared ChatInput, so it applies to both BooChat and BooCoder; typed-/ autocomplete is unchanged. Removes the now-unused AgentCommandsHint component. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-02 17:26:27 +00:00
indifferentketchup	ce621bc003	Merge mcp-env-keys-batch: v2.7.9 MCP {env:VAR} key substitution + coder model/tool-result fixes + docs refactor	2026-06-02 17:01:11 +00:00
indifferentketchup	afaca9e426	feat: MCP {env:VAR} key substitution + coder model/tool-result fixes + docs refactor (v2.7.9) - MCP secrets: substituteEnvVars recursively resolves {env:NAME} in mcp.json string values from process.env before Zod (opencode-compatible); unset -> '' + boot warning, and invalid-config log names the unset vars (an empty {env:VAR} in a strict url/command field invalidates the whole config) - data/mcp.json now untracked (.gitignore flips !data/mcp.json -> !data/mcp.example.json); tracked template data/mcp.example.json carries "{env:CONTEXT7_API_KEY}"; .env.example documents the key (9 mcp-config tests) - Coder fix: message_complete frame model widened string -> string\|null (server+web ws-frames parity); dispatcher publishes model: task.model at all 4 external completion points — a null model otherwise fail-closed in publishFrame and dropped the whole frame incl. status:'complete' (regression test) - Coder fix: claude-sdk mapUserToolResults maps user-message tool_result blocks -> terminal tool_update events (completed/failed w/ output) so tool snapshots resolve instead of spinning forever - Composer: AgentComposerBar drops §9b resumed/history/new chip + token readout, loses flex-wrap so the row stays one line; CoderPane gains a per-chat localStorage agent-config cache (restores last model on reopen) + threads model into the timeline/chip - Docs: root CLAUDE.md slimmed (~190 lines), per-app refs split to apps/{coder,server,web}/CLAUDE.md; new docs/coder-backends.md, docs/project-discovery.md, docs/coding-standards/ (cross-app-contract-parity); ARCHITECTURE.md links the backends doc Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-02 17:01:03 +00:00
indifferentketchup	7ca4a6b344	chore: prune unused brand PNGs (keep banner-mascot + banner-wordmark) Removes boo-badge / boocode-icon / boocode-wordmark / boocode-wordmark-tight — copied from the design bundle but unreferenced; only the two banner badges are imported (ProjectSidebar). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 23:10:12 +00:00
indifferentketchup	27f3a6c463	Merge boocode-ui-ember-coder-model: v2.7.8 Ember theme + brand banner + coder tabs + model-attribution chips	2026-06-01 22:30:58 +00:00
indifferentketchup	3a646fd6df	feat: BooCode 2.0 UI — Ember theme, brand banner, coder tabs, model-attribution chips - Ember theme (Obsidian charcoal + #ff7a18 orange), now DEFAULT_THEME_ID; server theme_id whitelist gains 'ember' - Brand banner: transparent Westie mascot + >_BooCode wordmark, big/edge-to-edge (flood-filled to transparency + cropped) - Coder panes are multi-tab: + opens a BooCode tab, split opens a pane (shared ChatTabBar via tabKind + createCoderTab; closeOtherTabs/tab-numbering extended to coder) - Model-attribution: new messages.model column stamped at finalizeCompletion (BooChat/native coder) + dispatcher assistant-row creation (external coder); surfaced via view + wire types + live frame; rendered as a subtle shortened-name chip (shortenModelName) - Composer Web toggle moved into a boxed focus-ringed input; glowing accent dot on tool rows - Claude SDK follow-ups (1M context, follow-up-message fix, collapsed thinking/tool chips) + CLAUDE_SDK_BACKEND=1 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 22:30:47 +00:00
indifferentketchup	7098014261	Merge pane-header-shared: v2.7.7 shared pane-header cluster + chat-resolve WorkspaceState fix	2026-06-01 14:29:00 +00:00
indifferentketchup	c56d169ef9	feat: shared PaneHeaderActions + chat-resolve WorkspaceState fix (v2.7.7) In-flight workspace UX work. - Extract a shared PaneHeaderActions cluster (+/Split/Reopen/History/Close) used by ChatTabBar + the Workspace coder/terminal pane headers, replacing the divergent per-header copies; SessionLandingPage history + useWorkspacePanes tweaks. - Fix coder-side correctness bug: resolveChatId read sessions.workspace_panes as a bare WorkspacePane[] but v2.6.5 widened it to a WorkspaceState envelope, so it mis-read panes and clobbered tabNumbers/nextTabNumber/closedPaneStack on every pane-chat write. New normalizeWorkspaceState handles either shape and preserves the envelope (+ regression test). - CLAUDE.md doc-sync (coder vitest suite, deploy-by-surface, dual-remote push, in-flight-web-WIP staging, release-branch naming). Web tsc + coder build + coder tests green. Builds on v2.7.6. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 14:28:49 +00:00
indifferentketchup	b7fb254e5d	Merge agent-status-dot: v2.7.6 normalized external-agent status (scoped #10 )	2026-06-01 14:04:26 +00:00
indifferentketchup	59cf082e06	feat: normalized external-agent status (#10 scoped) (v2.7.6) Scoped half of boocode_code_review_v2 §1 #10 — publish the agent status BooCoder already observes (the config-injection notify-hook is the documented follow-on, clean-room from superset ELv2). - agent_status_updated WS frame (working\|blocked\|idle\|error), server+web parity. - Published from the dispatcher's turn boundaries (warm-acp/opencode/sdk/pty: working at start, idle/error at end) + the permission flow (blocked/working). Best-effort, never breaks a turn. - Clean-room normalizeAgentEvent helper (superset's vendor-event -> Start/blocked /Stop collapse, event names as facts) + 25 tests — reused by the follow-on. - AgentComposerBar status dot (distinct from the WS-liveness dot), tracked per (chat,agent) by a useAgentStatus map in CoderPane. Built by 2 parallel agents vs a pinned frame contract. Server 545 + coder 294 tests passing (25 new); web tsc + builds clean; ws-frames parity green. Clears the actionable review backlog (#1/#3/#4/#6-#12). Builds on v2.7.5. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 14:04:04 +00:00
indifferentketchup	6fc3175730	Merge claude-sdk-backend: v2.7.5 Claude SDK backend + clean-room PostgresSessionStore	2026-06-01 13:38:05 +00:00
indifferentketchup	f3a0197d6a	feat: Claude Agent SDK backend + clean-room PostgresSessionStore (v2.7.5) Lands the lean-SDK direction (boocode_code_review_v2 §1 #9) behind a flag. Adds @anthropic-ai/claude-agent-sdk@0.3.159 (Commercial Terms, runtime dep). - PostgresSessionStore: clean-room impl of the SDK's real SessionStore type over a new claude_session_entries table. Typechecks against the SDK type; 8 DB-integration tests. - ClaudeSdkBackend (implements AgentBackend): one warm query() per (chat,claude) in streaming-input mode via a pushable async-iterable pump, sessionStore + resume continuity, pure mapSdkMessage->AgentEvent, session_id from init, usage/cost onto agent_sessions (backend CHECK gains 'claude_sdk'). - Routing env-gated by CLAUDE_SDK_BACKEND (default off) -> PTY path UNCHANGED. - Built against real SDK 0.3.159 types (install paid off: partial=stream_event needing includePartialMessages, MessageParam, result error arm). - Fix latent test-infra deadlock: serialize DB suites (fileParallelism:false). Coder 269 passing default / 290 with DB; tsc clean vs SDK types; builds clean. LIVE pump + resume + actual claude turn need a host smoke (CLAUDE_SDK_BACKEND=1 + claude binary + auth). zod peer-dep wants ^4 (workspace 3.25). Builds on v2.7.4. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 13:37:57 +00:00
indifferentketchup	7e0ecde83d	Merge mistake-tracker-ledger: v2.7.4 heterogeneous-failure recovery + file-read ledger	2026-06-01 13:05:19 +00:00
indifferentketchup	bcc89d8adc	feat: MistakeTracker + file-provenance ledger (v2.7.4) Two native-inference hardening features from boocode_code_review_v2 §1 #12. MistakeTracker: new pure mistake-tracker.ts tracks consecutive heterogeneous tool failures (kinds surfaced per tool from tool-phase.ts). On 3 in a row the turn loop soft-nudges (model-facing recovery guidance + mistake_recovery sentinel + reset), then escalates to stopping the turn (cap-hit-style, Continue affordance) on a re-trip. Complements doom-loop (identical repeats) + cap-hit. File-provenance ledger: compaction.ts derives a deterministic ## Files Read list from the head messages' read-tool calls and injects it into the rolling-summary prompt so provenance survives compaction (no new table; read-only). mistake_recovery sentinel: MessageMetadata arm (server + web) + MessageBubble render branch. Built by 2 parallel agents. Server 545 tests passing (23 new); build + web tsc clean. Native-inference only. Builds on v2.7.3. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 13:05:03 +00:00
indifferentketchup	f53d6a8afd	Merge sampling-knobs-streamjson: v2.7.3 sampling knobs + live PTY stream-json + token UI	2026-06-01 12:47:31 +00:00
indifferentketchup	a584dd16b0	feat: sampling knobs + live PTY stream-json + token UI (v2.7.3) Three small wins from boocode_code_review_v2 §1 #11/#7/#8. #11 sampling knobs: top_n_sigma + dry_* family as first-class Agent fields, threaded into the request body via providerOptions.openaiCompatible. Fixes a latent bug — top_k (rejected by the AI-SDK provider) and min_p (never passed to streamText) were dead on the wire; both now route through the same channel. --reasoning-budget documented in data/AGENTS.md. #7 live PTY stream-json: new stream-json-parser.ts line-buffers qwen/claude NDJSON and emits text/reasoning/tool frames live + persists, with a fallback to the old opaque slice. claude gets --output-format stream-json --verbose. #8 token UI: agent_sessions input/output_tokens/cost now flow through the route + type and render beside the AgentComposerBar session chip. Built by 3 parallel agents. Server 523 + coder 245 tests passing; builds + web tsc clean. Builds on v2.7.2. openspec sampling-streamjson-tokens. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 12:47:17 +00:00
indifferentketchup	5651f56039	Merge checkpoint-idor-fix: v2.7.2 close 2 checkpoint IDOR holes	2026-06-01 12:16:08 +00:00
indifferentketchup	9c7d80e2d8	fix(security): scope checkpoint routes to session — close 2 IDORs (v2.7.2) Flagged by the automated push security review on v2.7.1. - GET /checkpoints?chat_id= : the chat_id branch filtered by chat_id alone (any session's chat_id read its checkpoints). Now joins chats and gates on chats.session_id. - restoreCheckpoint scope guard was fail-open: `cp.session_id && cp.session_id !== sessionId` fell through on a null denormalized session_id, allowing a cross-session restore (worktree reset + transcript trim). Now resolves the owning session via the checkpoint's chat and denies on missing/mismatch. - Adds a DB-integration regression for the null-session_id cross-session case. Both scope authoritatively through chats.session_id (checkpoints.session_id is a nullable hint). Coder suite 234 passing; 7/7 checkpoint tests (incl. the regression) against live postgres+git; typecheck clean. Hotfix on v2.7.1. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>	2026-06-01 12:15:54 +00:00
indifferentketchup	a41a02a62b	Merge fuzzy-checkpoints: v2.7.1 write/edit robustness (fuzzy applier + worktree checkpoints)	2026-06-01 12:02:06 +00:00