…persistence

Fixes 3 bugs in terminal session restoration:
- Bug #1: Terminal blank after attach failure - auto-reconnect with retry backoff
- Bug #2: Wrong dimensions after restore - pass actual cols/rows to attachSession
- Bug #3: Cannot type after restore - lifecycle routes writes through connected PTY

Changes:
- Add SessionLifecycle class with states: disconnected→connecting→connected→reconnecting→failed→closed
- Add TmuxError classification for intelligent retry decisions
- Add -d flag to detach other clients before attaching
- Integrate lifecycle into TerminalManager (write, resize, kill, detach, cleanup)

…persistence

Fixes 3 bugs in terminal session restoration:
- Bug #1: Terminal blank after attach failure - auto-reconnect with retry backoff
- Bug #2: Wrong dimensions after restore - pass actual cols/rows to attachSession
- Bug #3: Cannot type after restore - lifecycle routes writes through connected PTY

Changes:
- Add SessionLifecycle class with states: disconnected→connecting→connected→reconnecting→failed→closed
- Add TmuxError classification for intelligent retry decisions
- Add -d flag to detach other clients before attaching
- Integrate lifecycle into TerminalManager (write, resize, kill, detach, cleanup)

…persistence

Fixes 3 bugs in terminal session restoration:
- Bug #1: Terminal blank after attach failure - auto-reconnect with retry backoff
- Bug #2: Wrong dimensions after restore - pass actual cols/rows to attachSession
- Bug #3: Cannot type after restore - lifecycle routes writes through connected PTY

Changes:
- Add SessionLifecycle class with states: disconnected→connecting→connected→reconnecting→failed→closed
- Add TmuxError classification for intelligent retry decisions
- Add -d flag to detach other clients before attaching
- Integrate lifecycle into TerminalManager (write, resize, kill, detach, cleanup)

…persistence

Fixes 3 bugs in terminal session restoration:
- Bug #1: Terminal blank after attach failure - auto-reconnect with retry backoff
- Bug #2: Wrong dimensions after restore - pass actual cols/rows to attachSession
- Bug #3: Cannot type after restore - lifecycle routes writes through connected PTY

Changes:
- Add SessionLifecycle class with states: disconnected→connecting→connected→reconnecting→failed→closed
- Add TmuxError classification for intelligent retry decisions
- Add -d flag to detach other clients before attaching
- Integrate lifecycle into TerminalManager (write, resize, kill, detach, cleanup)

* WIP

* WIP

* WIP - tried to restore code

* WIP - tried to restore code

* WIP - tried to restore code

* WIP - tried to restore code

* chore: update bun.lock after rebase

Regenerated lockfile after rebasing onto latest origin/main.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* WIP

* fix(desktop): use auth client instead of server to avoid database dependency

Split @superset/auth package exports to separate server and client.
Desktop app now imports from @superset/auth/client which doesn't
require DATABASE_URL, fixing startup crash in production builds.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* fix(auth): use Better Auth client API and split server/client exports

- Updated desktop app to use correct Better Auth client API methods:
  - authClient.getSession() instead of auth.api.getSession()
  - authClient.organization.setActive() instead of auth.api.setActiveOrganization()
- Renamed packages/auth/src/index.ts to server.ts
- Changed package exports from "." to "./server" for clarity
- Removed unnecessary createAuthApiClient factory function
- Updated all imports from @superset/auth to @superset/auth/server

This fixes the typecheck errors and database dependency issue in the
desktop app by properly separating server-side auth (requires DB) from
client-side auth (HTTP API calls only).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

* chore: add BETTER_AUTH_SECRET to app env.ts files for tree-shaking

---------

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>

- host-service ai-branch-name: run trailing-trim after slice so a
  100-char truncation can't re-introduce a bare "." or "-" that git
  rejects as an invalid ref (coderabbit / cubic #2, #7).
- host-service workspace-creation.generateBranchName: reuse the
  existing listBranchNames helper instead of the inline git walk,
  which classified off the short refname and could conflate a local
  "origin/foo" with refs/remotes/origin/foo (coderabbit #3).
- packages/chat shared/small-model: drop the unused
  hasSmallModelCredentials export; only a test mock consumed it
  (greptile #4).
- resolveAnthropicCredential: on refresh failure, return null instead
  of kind:"oauth" with a stale expiresAt so callers fall back cleanly
  (cubic #8).
- chat-service.getAnthropicAuthStatus: log context when refresh throws
  instead of silently swallowing (cubic #9).

Add backend + frontend for resolving jj conflict markers in-app:

- New jj-conflicts.ts router: jjConflictList (parses `jj resolve --list`),
  jjConflictContent (reads raw file + parses regions via shared marker
  parser), jjConflictResolve (writes user's merged content)
- ConflictEditor dialog: file list on the left, editable result pane
  in the middle, side superset-sh#1 / side superset-sh#2 read-only panels flanking it, with
  "Use side superset-sh#1 / base / side superset-sh#2" buttons that splice the first
  unresolved region. Uses plain textarea (fallback from codemirror/merge).
- Conflict marker parser lives in the main process and a tiny shared
  copy in the renderer so the editor can re-scan regions as the user
  types.
- JjChangesView shows a yellow warning bar with the conflicted file
  count and a Resolve… button opening ConflictEditor.

…3517)

* remove 7 day rule

* Upgrade mastra

* upgrade ai

* Ad mastra

* refactor(desktop): remove dead provider-diagnostics plumbing

The provider-diagnostics store was fed by callSmallModel's per-attempt
reporting, which was removed when small-model tasks moved to direct AI-SDK
+ mastracode's AuthStorage. Nothing writes to the issue map anymore, so the
clearIssue mutation, getStatuses query, and diagnosticStatus plumbing in
ModelsSettings were all no-ops.

Settings still surfaces "Session expired / Reconnect" via auth-status alone.
ProviderIssue type collapsed from 8 codes to just "expired" to match.

* fix(auth): auto-refresh expired Anthropic OAuth tokens

Anthropic credentials were read via authStorage.get() everywhere, so
mastracode's built-in refresh flow never ran. Once the 1-hour access
token expired, status flipped to "Reconnect" and users had to do a
full PKCE re-auth, even though a valid refresh token was already
stored.

Resolvers now call authStorage.getApiKey() for oauth creds on expiry,
which triggers refreshToken() and persists the refreshed credential.
getAnthropicAuthStatus does the same before declaring issue: "expired".
Mirrors the pattern already used for OpenAI small-model auth.

* review: address PR feedback from cubic + coderabbit + greptile

- host-service ai-branch-name: run trailing-trim after slice so a
  100-char truncation can't re-introduce a bare "." or "-" that git
  rejects as an invalid ref (coderabbit / cubic #2, #7).
- host-service workspace-creation.generateBranchName: reuse the
  existing listBranchNames helper instead of the inline git walk,
  which classified off the short refname and could conflate a local
  "origin/foo" with refs/remotes/origin/foo (coderabbit #3).
- packages/chat shared/small-model: drop the unused
  hasSmallModelCredentials export; only a test mock consumed it
  (greptile #4).
- resolveAnthropicCredential: on refresh failure, return null instead
  of kind:"oauth" with a stale expiresAt so callers fall back cleanly
  (cubic #8).
- chat-service.getAnthropicAuthStatus: log context when refresh throws
  instead of silently swallowing (cubic #9).

* fix(chat): read auth.json directly instead of importing mastracode

Importing createAuthStorage from mastracode loads the entire CLI tree
(fastembed → onnxruntime-node's 208 MB native binary) via eager
top-level requires in mastracode's CJS entry. This crashed
electron-vite bundling and bloated the get-small-model chunk.

getSmallModel now reads mastracode's auth.json file directly using
the same path resolution logic (~/Library/Application Support/mastracode/
on macOS). Zero mastracode import, zero bundle impact. The chunk stays
at 1.2 MB (just @ai-sdk/anthropic + @ai-sdk/openai).

Production build verified: compile:app succeeds, Electron main process
boots with no onnxruntime error.

* docs(desktop): add manual testing plan for PR #3517

* fix api key storage slot

* fix(auth): store API keys in dedicated slot so OAuth doesn't clobber them

setApiKeyForProvider and setStoredAnthropicApiKeyFromEnvVariables now
use authStorage.setStoredApiKey() (writes to "apikey:<provider>")
instead of authStorage.set() (writes to the main "<provider>" slot
shared with OAuth). This way connecting/disconnecting OAuth doesn't
overwrite or delete a stored API key.

resolveAuthMethodForProvider falls back to hasStoredApiKey() after
checking the main slot, so status correctly reports authenticated
when only an API key is stored.

* fix(auth): backup/restore API keys across OAuth connect/disconnect

mastracode's resolveModel only reads API keys from the main
authStorage slot (authStorage.get("anthropic")). OAuth login
overwrites this slot, and disconnect removes it — losing any
previously saved API key.

Fix: backup the API key to the dedicated apikey: slot before OAuth
connect, restore it after disconnect. setApiKeyForProvider now writes
to both slots (main for resolveModel compatibility, apikey: for
backup). resolveAuthMethodForProvider checks both.

Applies to both Anthropic and OpenAI providers.

* chore: add upstream PR reference to auth workaround

Point to mastra-ai/mastra#15483 so the backup/restore code can be
removed once upstream lands and we bump mastracode.

* refactor(desktop): derive settings provider action from status

Replace the cascade of if/else + canDisconnect flag with a single
getProviderAction(status) → connect | reconnect | logout | null.
Fixes "Active" badge + "Connect" button showing simultaneously
when authenticated via API key.

* fix(desktop): always show Logout when provider is active

Active providers now always show a Logout button. Clears OAuth or
API key depending on authMethod — no more "Active" badge with no
way to disconnect.

* fix(desktop): simplify OpenAI OAuth dialog + auto-open browser

Match Anthropic dialog's layout: remove the raw OAuth URL display
and "Tip" block, auto-open the browser on OAuth start. Change
"Back" to "Cancel" for consistency.

* refactor(desktop): unify OAuth dialogs into shared OAuthDialog

Extract shared OAuthDialog component with provider config object.
AnthropicOAuthDialog and OpenAIOAuthDialog become thin wrappers
that pass provider-specific labels and options.

* fix(desktop): show 'Copied!' feedback on Copy URL button

* refactor(desktop): merge provider account + API key into single card

Each provider section now renders AccountCard + ConfigRow inside
one rounded card with a divider, instead of two separate cards.
Removes the standalone "API Keys" collapsible section.

* refactor(desktop): compact OAuth row in provider settings card

OAuth row is now a single inline row (label + status + action)
instead of a stacked AccountCard. Both providers share the same
2-row card layout: OAuth row + API key row with divider.

* fix(desktop): contextual buttons in provider settings

Connect is now primary (filled). Save only shows when there's input.
Clear only shows when a key is saved. Removes visual noise from
empty-state provider cards.

* ui(desktop): add provider icons to settings section headers

* ui(desktop): show 'Not connected' badge instead of subtitle for disconnected providers

* ui: remove redundant disconnected subtitle

* ui: remove subtitle text from OAuth rows

* chore: remove dead AccountCard + getProviderSubtitle

* docs: update test plan to match current UI

* chore: move shipped plans to done/

---------

Co-authored-by: AviPeltz <aj.peltz@gmail.com>

Resolves 11 findings from greptile + coderabbit review on the
remote-control feature:

- #1 (P1): `remoteControl.get` is now `publicProcedure` and accepts the
  raw token, hashing it for constant-time comparison against the row's
  `tokenHash`. Anonymous viewers can resolve `wsUrl` without a Superset
  session — the share link itself is the credential.
- #10 (Major): the host-side `sendInput` no longer round-trips bytes
  through a latin1 string before `pty.write` re-encodes them as UTF-8
  (which corrupted any byte ≥ 0x80). Adds `pty.writeBytes` that
  forwards a `Uint8Array` straight to the daemon.
- #2: a single `cleanup()` helper now handles `onClose` and `onError`,
  removing the viewer from the session's set, detaching the handle, and
  unsubscribing the revoke listener idempotently. Fixes a leak where
  abrupt teardown could orphan up to four `MAX_VIEWERS` slots until host
  restart.
- #8: client WebSocket payloads are validated via a zod discriminated
  union before dispatch; `resize` and `runCommand` are wrapped in
  try/catch like `input` was.
- #5: `TerminalRemoteControlButton` hydrates from
  `remoteControl.listForWorkspace` on mount and refreshes every 30s, so
  the live badge survives remounts and reflects backend revocation /
  expiry. The original `webUrl` is unrecoverable after `create` (the
  cloud only stores `tokenHash`), so Copy Link is disabled when we
  don't hold it.
- #3: handshake-time auth result is cached on the WS context; per-
  message handling just compares `expiresAt` against `now` instead of
  re-running HMAC + SHA-256 at 200/s/viewer.
- #4: the bearer token is now passed in the URL fragment
  (`#remoteControlToken=…`), not the query string. The fragment never
  reaches the server, never appears in `Referer` headers, and stays out
  of access logs and history. A new `RemoteTerminalLoader` client
  component reads `location.hash` after mount.
- #7: the web viewer writes a one-time dim hint into xterm when the
  user types in `command` mode so silent drops are explained.
- #9: oversized PTY chunks (> 256 KB in one event) now have their tail
  preserved instead of being pushed-and-immediately-shifted out of the
  ring, which would have left late-joining viewers with an empty
  snapshot.
- #11: host-side mintToken schema now `.min(MIN_TTL).max(MAX_TTL)`,
  matching `mintRemoteControlToken`'s internal clamp.
- #12: revoke `UPDATE` adds `organizationId` and `status='active'` to
  the `WHERE` so re-revoke is idempotent and cannot transition an
  `expired` row to `revoked`.

Skipped: #6 (relay replay/tunnel-ownership) — the existing host proxy
paths don't call `maybeReplay` either, so this PR doesn't regress the
single-region behavior. Multi-region replay is a broader gap tracked
separately.

* feat: browser-based remote control for v2 desktop terminals

Adds an end-to-end remote control flow: a desktop user clicks Share on a
v2 terminal pane, gets a one-time URL, and anyone opening the link in a
browser sees the live terminal output and can type into it.

Pieces:
- v2_remote_control_sessions table + remote_control_session_{mode,status}
  enums, with a unique index on token_hash. Cloud row stores the SHA-256
  hash only; the host-service mints and verifies the HMAC-signed token
  end-to-end so a leaked DB row cannot grant new sessions.
- Shared protocol module (packages/shared/remote-control-protocol)
  pinning the wire format, capabilities, and limits.
- Host-service: session manager (token mint/verify, registry, expiry
  sweep), /remote-control/:sessionId WS route, attachTerminalViewer fan-
  out on TerminalSession (256 KB tail ring, output sequence, viewer
  set), and terminal.remoteControl.{mintToken,revoke,listActive} tRPC.
- Cloud tRPC: remoteControl.{create,get,revoke,listForWorkspace,
  expireStale}; mints a short user JWT for the relay POST and inserts
  the row only after the host returns a token.
- Relay: lets /hosts/:hostId/remote-control/* skip the user-JWT gate;
  the per-session HMAC validated by the host is the credential.
- Desktop UI: TerminalRemoteControlButton on v2 terminal panes (radio
  icon -> live badge dropdown with copy/stop) wired through pane
  registry. Host-service spawn now propagates HOST_SERVICE_SECRET into
  the child env so the secret derivation is stable.
- Web viewer: /agents/remote-control/[sessionId] page + RemoteTerminal
  client component (xterm.js + addon-fit, mobile-only key toolbar,
  status badge, copy/stop controls).

Out of scope: viewer-count fan-out, host->cloud heartbeat for
last_connected_at, host-driven resize push, and rebuilding the in-
memory session registry across host-service restarts (viewers see
session-not-found and the desktop user re-shares).

* style(web): match desktop terminal theme in remote-control viewer

Pulls the xterm options and color palette from the desktop's default
"dark" (Ember) theme so the browser viewer renders identical font, font
size, scrollback, ANSI colors, cursor, and selection. The chrome (header,
buttons, banners, mobile toolbar) now uses the same warm-dark surface
tones (#151110/#1a1716/#2a2827) and matches the ANSI accent colors for
status badges and the destructive Stop button.

`vtExtensions` (kittyKeyboard) and `scrollbar` are intentionally omitted
because they only exist on the desktop's xterm beta build; the stable
web release does not type them.

* fix(remote-control): address PR review findings

Resolves 11 findings from greptile + coderabbit review on the
remote-control feature:

- #1 (P1): `remoteControl.get` is now `publicProcedure` and accepts the
  raw token, hashing it for constant-time comparison against the row's
  `tokenHash`. Anonymous viewers can resolve `wsUrl` without a Superset
  session — the share link itself is the credential.
- #10 (Major): the host-side `sendInput` no longer round-trips bytes
  through a latin1 string before `pty.write` re-encodes them as UTF-8
  (which corrupted any byte ≥ 0x80). Adds `pty.writeBytes` that
  forwards a `Uint8Array` straight to the daemon.
- #2: a single `cleanup()` helper now handles `onClose` and `onError`,
  removing the viewer from the session's set, detaching the handle, and
  unsubscribing the revoke listener idempotently. Fixes a leak where
  abrupt teardown could orphan up to four `MAX_VIEWERS` slots until host
  restart.
- #8: client WebSocket payloads are validated via a zod discriminated
  union before dispatch; `resize` and `runCommand` are wrapped in
  try/catch like `input` was.
- #5: `TerminalRemoteControlButton` hydrates from
  `remoteControl.listForWorkspace` on mount and refreshes every 30s, so
  the live badge survives remounts and reflects backend revocation /
  expiry. The original `webUrl` is unrecoverable after `create` (the
  cloud only stores `tokenHash`), so Copy Link is disabled when we
  don't hold it.
- #3: handshake-time auth result is cached on the WS context; per-
  message handling just compares `expiresAt` against `now` instead of
  re-running HMAC + SHA-256 at 200/s/viewer.
- #4: the bearer token is now passed in the URL fragment
  (`#remoteControlToken=…`), not the query string. The fragment never
  reaches the server, never appears in `Referer` headers, and stays out
  of access logs and history. A new `RemoteTerminalLoader` client
  component reads `location.hash` after mount.
- #7: the web viewer writes a one-time dim hint into xterm when the
  user types in `command` mode so silent drops are explained.
- #9: oversized PTY chunks (> 256 KB in one event) now have their tail
  preserved instead of being pushed-and-immediately-shifted out of the
  ring, which would have left late-joining viewers with an empty
  snapshot.
- #11: host-side mintToken schema now `.min(MIN_TTL).max(MAX_TTL)`,
  matching `mintRemoteControlToken`'s internal clamp.
- #12: revoke `UPDATE` adds `organizationId` and `status='active'` to
  the `WHERE` so re-revoke is idempotent and cannot transition an
  `expired` row to `revoked`.

Skipped: #6 (relay replay/tunnel-ownership) — the existing host proxy
paths don't call `maybeReplay` either, so this PR doesn't regress the
single-region behavior. Multi-region replay is a broader gap tracked
separately.

* fix(remote-control): address second-round PR review

Resolves four further findings on PR #4345:

- High: redact `remoteControlToken` (and any `token` query param) from the
  relay's request logger. The viewer has to put the bearer on the WS
  upgrade URL because browser WebSockets can't carry custom headers, and
  Hono's default `logger()` would otherwise spill the raw token into Fly
  logs / Sentry breadcrumbs.

- High: when the bypass for `/hosts/:hostId/remote-control/*` skips the
  user-JWT `authMiddleware`, still run the tunnel-presence check + Fly
  `maybeReplay`. Previously a viewer landing on a relay instance that
  doesn't own the destination tunnel would get a hard failure instead
  of a `fly-replay` to the right region/instance.

- Medium: the web viewer's Stop button now calls a new public
  `remoteControl.revokeWithToken({ sessionId, token })` mutation. The
  protected `revoke` requires a Superset session, which anonymous share
  recipients don't have, so the previous wiring silently 401'd. The
  bearer token IS the credential — anyone holding it has the same
  authority as whoever they got the link from. Constant-time SHA-256
  match against `tokenHash`, then revoke + best-effort host tear-down.

- Medium: `revoke` (protected) and `listForWorkspace` now require host
  membership in addition to active org membership, matching the gate
  on `create`. Otherwise an org member who isn't on the host could
  enumerate or revoke other people's share sessions.

The shared host-revoke flow is factored into `callHostRevoke()` so both
the protected and public revoke paths use the same best-effort tear-
down.

* fix(remote-control): make anonymous viewers actually work in prod

- Move /agents/remote-control/[sessionId] out of the `(agents)` route
  group into `(public)` so it skips `getAgentsUiAccess`, and add it to
  `proxy.ts` publicRoutes so unauthenticated viewers aren't redirected
  to /sign-in before the page mounts.
- Allow the relay WebSocket origin in the prod CSP `connect-src` so
  `wss://relay…` isn't blocked once `ws:/wss:` are dropped outside dev.
- Stop swallowing host-revoke failures: both revoke paths now throw a
  TRPCError if the host call fails, so the Stop button can't report
  success while in-memory host sessions (and connected viewers) live on.
  The cloud row still flips to `revoked` first, so retries stay
  idempotent and new attaches via `get` are blocked either way.

* fix(remote-control): keep bearer tokens out of URLs and harden cloud gates

- Convert `remoteControl.get` from a query to a mutation so tRPC's
  httpBatchLink puts the bearer token in the POST body instead of the
  URL query string (which would land in access logs and Referer). The
  web viewer now calls `.mutate()`.
- `get` refuses to hand out `wsUrl`/`routingKey` for non-active rows
  (revoked/expired). Also promotes active rows past `expiresAt` to
  `expired` even if the sweep hasn't run, so a just-expired share
  can't slip through. `SessionMeta.wsUrl` is now `string | null` and
  the WS-connect effect gates on it.
- Add `timeoutMs: 5000` to the mintToken relayMutation in `create`
  so a stuck host can't pin the Share button in "Starting…".
- Wrap the cloud `INSERT` in try/catch; on failure best-effort call
  `callHostRevoke` so the host-side minted token isn't orphaned and
  invisible to `listForWorkspace`/`revoke` until the host TTL sweep.

* chore(db): renumber remote-control migration to 0050 after main merge

Main shipped its own 0048 + 0049 while this branch had the original
0048_add_v2_remote_control_sessions. Regenerated via drizzle-kit
generate; same DDL, new slot.

* feat(remote-control): gate Share button on PostHog flag + add Open-in-browser

- New \`WEB_REMOTE_CONTROL_ACCESS\` (\`web-remote-control-access\`) feature
  flag controls who sees the Share button on v2 desktop terminal panes.
  Evaluated against the sharer's user id; the per-session HMAC stays the
  credential for anyone with the link, so this only gates session
  creation.
- TerminalRemoteControlButton returns null when the flag is off and skips
  the 30s cloud-hydrate poll for that user, so non-cohort users don't
  pay a tRPC round-trip every interval.
- Adds an "Open in browser" item to the live-badge dropdown that uses
  \`window.open(url, "_blank")\` (Electron routes it to the system
  browser), so the sharer can verify the link without leaving the app
  to paste it.

* refactor(remote-control): one-folder-per-component layout for web viewer

- Promote `RemoteTerminalLoader` to a sibling folder under `[sessionId]/
  components/RemoteTerminalLoader/` so `page.tsx`'s import resolves
  through a barrel that actually points at it (used to import the
  loader via the `RemoteTerminal` barrel, which was misleading).
- Extract inline `MobileToolbar` from `RemoteTerminal.tsx` into nested
  `RemoteTerminal/components/MobileToolbar/MobileToolbar.tsx` per the
  project's one-folder-per-component convention. No behavior change.

* fix(remote-control): close enumeration, schema leak, observability gaps

- Collapse `get` + `revokeWithToken` into a single generic 401
  ("Invalid remote control session or token") whether the row is
  missing or the token is wrong. Always runs the constant-time
  compare — against the row's tokenHash when present, otherwise
  against DUMMY_TOKEN_HASH — so timing and response both equalize
  and sessionIds can't be probed via these endpoints.
- Wrap the raw drizzle/pg error in `create`'s INSERT-failure path
  with TRPCError so pg constraint / column names don't get echoed
  back to clients through the default tRPC serializer.
- Upgrade the orphan-cleanup swallow from `console.warn` to a
  structured `console.error("[remote-control:orphan-host-session]",
  { sessionId, hostId, organizationId, insertError, revokeError })`
  so log scrapers can alert and a future Sentry
  `captureConsoleIntegration` picks it up automatically.

* docs(remote-control): plan for remaining work

* fix(remote-control): debounce viewer resize broadcasts via requestAnimationFrame

ResizeObserver can fire at refresh-rate (~60Hz) during a window-drag,
which immediately trips the host's REMOTE_CONTROL_RESIZE_RATE_PER_SEC
= 10 rate limit and surfaces a spurious "rate-limited" banner in the
viewer during normal use. Coalesce to one fit+broadcast per animation
frame and cancel any pending frame in the cleanup so we don't
fit+send after the WS is gone.

* fix(remote-control): trailing-debounce resize broadcasts to fix rate-limit banner

The RAF coalescing from the previous commit didn't actually help —
ResizeObserver already fires once per layout, so RAF was a no-op for
sustained window-drag, and the host's 10/s bucket still drained in
~166ms and tripped the "rate-limited" error.

Switch to a trailing 200ms debounce: keep calling `fit()` per event so
local rendering stays responsive, but only fire the host-side resize
message once after the user stops dragging. 5 Hz worst case, well
under the host's 10/s cap.

* ci(sherif): allow @xterm/{xterm,addon-fit} version split

Desktop's terminal-runtime uses the @xterm beta 6.x track for
kittyKeyboard + scrollbar options; the new web remote-control viewer
uses stable 5.x because the beta is too churny for a fresh feature.
The split is intentional and documented in the viewer's source, so
tell Sherif to ignore those two deps rather than force-aligning to
either track.