Add Kilo Code (VS Code extension + CLI) configuration following the
established hub-and-spoke pattern used by Claude Code, Cursor, Codex,
and OpenCode.

New files:
- .kilocode/mcp.json: MCP server config (streamableHttp for remote, stdio for local)
- .kilocode/skills/: 8 skills converted from .agents/commands/
- kilo.json: CLI MCP config using remote/local schema

Updated files:
- AGENTS.md: Added Kilo Code to Agent Rule superset-sh#4
- .gitignore: Track .kilocode/mcp.json and .kilocode/skills/

- host-service ai-branch-name: run trailing-trim after slice so a
  100-char truncation can't re-introduce a bare "." or "-" that git
  rejects as an invalid ref (coderabbit / cubic #2, #7).
- host-service workspace-creation.generateBranchName: reuse the
  existing listBranchNames helper instead of the inline git walk,
  which classified off the short refname and could conflate a local
  "origin/foo" with refs/remotes/origin/foo (coderabbit #3).
- packages/chat shared/small-model: drop the unused
  hasSmallModelCredentials export; only a test mock consumed it
  (greptile #4).
- resolveAnthropicCredential: on refresh failure, return null instead
  of kind:"oauth" with a stale expiresAt so callers fall back cleanly
  (cubic #8).
- chat-service.getAnthropicAuthStatus: log context when refresh throws
  instead of silently swallowing (cubic #9).

…3517)

* remove 7 day rule

* Upgrade mastra

* upgrade ai

* Ad mastra

* refactor(desktop): remove dead provider-diagnostics plumbing

The provider-diagnostics store was fed by callSmallModel's per-attempt
reporting, which was removed when small-model tasks moved to direct AI-SDK
+ mastracode's AuthStorage. Nothing writes to the issue map anymore, so the
clearIssue mutation, getStatuses query, and diagnosticStatus plumbing in
ModelsSettings were all no-ops.

Settings still surfaces "Session expired / Reconnect" via auth-status alone.
ProviderIssue type collapsed from 8 codes to just "expired" to match.

* fix(auth): auto-refresh expired Anthropic OAuth tokens

Anthropic credentials were read via authStorage.get() everywhere, so
mastracode's built-in refresh flow never ran. Once the 1-hour access
token expired, status flipped to "Reconnect" and users had to do a
full PKCE re-auth, even though a valid refresh token was already
stored.

Resolvers now call authStorage.getApiKey() for oauth creds on expiry,
which triggers refreshToken() and persists the refreshed credential.
getAnthropicAuthStatus does the same before declaring issue: "expired".
Mirrors the pattern already used for OpenAI small-model auth.

* review: address PR feedback from cubic + coderabbit + greptile

- host-service ai-branch-name: run trailing-trim after slice so a
  100-char truncation can't re-introduce a bare "." or "-" that git
  rejects as an invalid ref (coderabbit / cubic #2, #7).
- host-service workspace-creation.generateBranchName: reuse the
  existing listBranchNames helper instead of the inline git walk,
  which classified off the short refname and could conflate a local
  "origin/foo" with refs/remotes/origin/foo (coderabbit #3).
- packages/chat shared/small-model: drop the unused
  hasSmallModelCredentials export; only a test mock consumed it
  (greptile #4).
- resolveAnthropicCredential: on refresh failure, return null instead
  of kind:"oauth" with a stale expiresAt so callers fall back cleanly
  (cubic #8).
- chat-service.getAnthropicAuthStatus: log context when refresh throws
  instead of silently swallowing (cubic #9).

* fix(chat): read auth.json directly instead of importing mastracode

Importing createAuthStorage from mastracode loads the entire CLI tree
(fastembed → onnxruntime-node's 208 MB native binary) via eager
top-level requires in mastracode's CJS entry. This crashed
electron-vite bundling and bloated the get-small-model chunk.

getSmallModel now reads mastracode's auth.json file directly using
the same path resolution logic (~/Library/Application Support/mastracode/
on macOS). Zero mastracode import, zero bundle impact. The chunk stays
at 1.2 MB (just @ai-sdk/anthropic + @ai-sdk/openai).

Production build verified: compile:app succeeds, Electron main process
boots with no onnxruntime error.

* docs(desktop): add manual testing plan for PR #3517

* fix api key storage slot

* fix(auth): store API keys in dedicated slot so OAuth doesn't clobber them

setApiKeyForProvider and setStoredAnthropicApiKeyFromEnvVariables now
use authStorage.setStoredApiKey() (writes to "apikey:<provider>")
instead of authStorage.set() (writes to the main "<provider>" slot
shared with OAuth). This way connecting/disconnecting OAuth doesn't
overwrite or delete a stored API key.

resolveAuthMethodForProvider falls back to hasStoredApiKey() after
checking the main slot, so status correctly reports authenticated
when only an API key is stored.

* fix(auth): backup/restore API keys across OAuth connect/disconnect

mastracode's resolveModel only reads API keys from the main
authStorage slot (authStorage.get("anthropic")). OAuth login
overwrites this slot, and disconnect removes it — losing any
previously saved API key.

Fix: backup the API key to the dedicated apikey: slot before OAuth
connect, restore it after disconnect. setApiKeyForProvider now writes
to both slots (main for resolveModel compatibility, apikey: for
backup). resolveAuthMethodForProvider checks both.

Applies to both Anthropic and OpenAI providers.

* chore: add upstream PR reference to auth workaround

Point to mastra-ai/mastra#15483 so the backup/restore code can be
removed once upstream lands and we bump mastracode.

* refactor(desktop): derive settings provider action from status

Replace the cascade of if/else + canDisconnect flag with a single
getProviderAction(status) → connect | reconnect | logout | null.
Fixes "Active" badge + "Connect" button showing simultaneously
when authenticated via API key.

* fix(desktop): always show Logout when provider is active

Active providers now always show a Logout button. Clears OAuth or
API key depending on authMethod — no more "Active" badge with no
way to disconnect.

* fix(desktop): simplify OpenAI OAuth dialog + auto-open browser

Match Anthropic dialog's layout: remove the raw OAuth URL display
and "Tip" block, auto-open the browser on OAuth start. Change
"Back" to "Cancel" for consistency.

* refactor(desktop): unify OAuth dialogs into shared OAuthDialog

Extract shared OAuthDialog component with provider config object.
AnthropicOAuthDialog and OpenAIOAuthDialog become thin wrappers
that pass provider-specific labels and options.

* fix(desktop): show 'Copied!' feedback on Copy URL button

* refactor(desktop): merge provider account + API key into single card

Each provider section now renders AccountCard + ConfigRow inside
one rounded card with a divider, instead of two separate cards.
Removes the standalone "API Keys" collapsible section.

* refactor(desktop): compact OAuth row in provider settings card

OAuth row is now a single inline row (label + status + action)
instead of a stacked AccountCard. Both providers share the same
2-row card layout: OAuth row + API key row with divider.

* fix(desktop): contextual buttons in provider settings

Connect is now primary (filled). Save only shows when there's input.
Clear only shows when a key is saved. Removes visual noise from
empty-state provider cards.

* ui(desktop): add provider icons to settings section headers

* ui(desktop): show 'Not connected' badge instead of subtitle for disconnected providers

* ui: remove redundant disconnected subtitle

* ui: remove subtitle text from OAuth rows

* chore: remove dead AccountCard + getProviderSubtitle

* docs: update test plan to match current UI

* chore: move shipped plans to done/

---------

Co-authored-by: AviPeltz <aj.peltz@gmail.com>

…3999)

* perf(workspace-fs): cap searchIndexCache + pathTypes for worktree scaling

Both maps previously had no eviction and grew monotonically with worktree
count (searchIndexCache) and file event count (pathTypes). Adds LRU(12) +
30-min idle TTL to searchIndexCache and LRU(10k) cap to per-watcher
pathTypes. Eviction in pathTypes loses only the directory-type hint; the
next event for that path falls back to stat() (existing slow path).

Measured (cache-and-paths-memory.bench.test.ts):
- searchIndexCache @ 130 worktrees: 6.87 MB → 2.02 MB (-71%)
- pathTypes @ 20k unique paths: 8.69 MB → 2.54 MB (-71%)
- searchIndexCache cap holds at 12 entries, pathTypes at 10000

Adds findings audit + fix plan + reproduction tests + benchmarks for the
broader v2 worktree-perf investigation. Notably, the host-service
syncWorkspaceBranches 30s polling (1542 ms/tick at N=20 worktrees, real git
subprocesses) is documented and reproduced but not fixed in this commit;
follow-up PR will subscribe the pull-requests runtime to GitWatcher.onChanged.

See plans/v2-paths-worktree-perf-findings.md for the full audit and
plans/v2-paths-worktree-perf-fix-plan.md for the remaining work.

* docs: expand fix plan with handoff checklist + Fix #1 implementation notes

Adds concrete pickup steps, app.ts wiring order, concurrency notes, and a
mapping of which existing tests/benchmarks change vs stay. The next session
(or fresh agent) implementing Fix #1 should be able to read the plan
top-to-bottom and execute without re-deriving context.

* perf(host-service): event-driven pull-requests sync via GitWatcher

Replaces the unconditional 30s `syncWorkspaceBranches` polling timer with a
`GitWatcher.onChanged` subscription so idle worktrees cost ~0 git
subprocesses regardless of N. Branch / HEAD / upstream changes are picked
up at ~430 ms p50 (was up to 30 s).

Lift `GitWatcher` to a standalone instance in `app.ts` so both `EventBus`
(broadcasts to clients) and `PullRequestRuntimeManager` (event-driven
branch sync) share one watcher.

`syncWorkspaceBranches` becomes the safety-net sweep: still O(N) per call,
but cadence drops from 30 s → 5 min. Project-level PR refresh interval
also drops from 20 s → 5 min — branch changes drive their own
`refreshProject` via `syncOneWorkspace`, so the polling is only there to
catch external PR opens.

Concurrency stays safe via the existing `inFlightProjects` guard. Workspace
deletion races no-op cleanly via a fresh row lookup in `syncOneWorkspace`.

Tests updated:
- Existing scaling unit + integration tests now describe the safety-net
  sweep (still pin the O(N) per-call shape).
- New integration test wires a real `GitWatcher` + `WorkspaceFilesystemManager`
  and asserts a `git commit` in 1/5 worktrees triggers exactly 4 git ops
  on 1 worktree.
- Bench replaces "ms per polling tick" with event-to-DB-update latency
  (427 ms measured) plus the long-cadence safety-net sweep cost.

Closes Fix #1 + Fix #4 in plans/v2-paths-worktree-perf-fix-plan.md.

* fix(perf): address PR review — TTL on cache hit, sync serialization, test timeout

- search.ts: enforce idle TTL on cache hits — previously a hot key was bumped
  forever and only sibling-key misses ran the TTL sweep, so a 30+ min idle
  entry would still be served stale on next access. Now the hit path checks
  freshness and rebuilds when expired.

- pull-requests.ts: serialize syncOneWorkspace per workspaceId via
  Map<workspaceId, Promise>. GitWatcher only debounces 300 ms; two bursts
  far enough apart could run concurrent git reads and let the slower write
  clobber the newer snapshot.

- pull-requests-scaling.integration.test.ts: fix `timeout` → `timeoutMs`
  in two waitFor calls. The wrong key was silently dropped, falling back
  to the 5 s default and risking flake on slow CI.

* fix(perf): coalesce per-workspace sync — running + rerun-pending flag

Replaces the linear promise chain with a "running + rerun pending"
flag so N events for the same workspace collapse into at most one
running sync + one queued rerun. Since each sync reads fresh state,
queuing additional redundant syncs adds no value — it just wastes
git subprocesses.

Bounded under sustained watcher noise (long interactive rebase,
bulk ref churn), where the previous chain could pile up dozens of
sequential no-op syncs.

* fix(workspace-fs): exempt directories from pathTypes LRU + de-flake cap test

Splits WatcherState.pathTypes into filePaths (LRU-capped at 10k) and
directoryPaths (uncapped Set). Pre-fix, the unified Map could LRU-evict
a directory hint, after which a delete event for that directory fell
back to isDirectory=false and patchSearchIndexesForRoot only pruned
the exact path — leaving descendant search-index entries stale until
the next full rebuild. Directory count per worktree is bounded by repo
structure (O(100s) even for huge repos), so tracking them uncapped is
fine; only the file-path stream grows unboundedly.

Also fixes the cap-eviction test which was polling on a 95% event-count
threshold (10_000 cap × 95% = 9,690 events, which can land before
eviction triggers and stall under coalesced delivery). Now polls on
the actual eviction outcome — `pathTypes.has(cap-0.tmp) === false` —
and asserts cap on filePaths.size directly via a new getFilePathsSize
helper. Bench predicate is similarly capped at min(target, FILE_PATHS_MAX)
to avoid spinning the deadline once size plateaus.

* fix(perf): route safety-net sweep through workspaceSyncState queue

The serialization queue added previously only covered the watcher-driven
path; `syncWorkspaceBranches` (initial startup sweep + 5-min safety net)
still called `syncWorkspaceRow` directly, so it could race a concurrent
watcher-triggered sync for the same workspace and clobber newer state.

The sweep now iterates ids and routes each through enqueueWorkspaceSync,
which coalesces — if a watcher sync is already running for a workspace,
the sweep just flips rerunPending and awaits the running promise.
Sequential per-workspace iteration matches the original sweep's
git-subprocess concurrency profile.

Test mocks override syncOneWorkspace to bypass the drizzle .where()
chain, since the sweep now performs a per-workspace row lookup that
doesn't compose cleanly with the existing chained mock structure.

* fix(perf): address remaining PR review nits

- watch.ts: serialize normalizeEvent calls in flushPendingEvents — replaces
  Promise.all with a sequential for-of loop so LRU mutations land in event
  order, not stat-completion order. Net code roughly unchanged but removes
  the concurrency hazard coderabbit flagged.

- watch-pathtypes-growth.test.ts: consolidate manager cleanup into afterEach.
  Tests register managers via createManager() and stop calling unsubscribe()
  + manager.close() inline. afterEach closes them all even if a test throws.
  Net code reduction (-16 lines).

- pull-requests.test.ts: tighten warn assertion to match the actual
  "Failed to sync workspace" prefix instead of accepting any console.warn.

- v2-paths-worktree-perf-fix-plan.md: align acceptance criteria wording with
  the tests that actually landed.

* refactor(workspace-fs): drop dead TTL sweep + inline one-shot bump helper

`evictStaleSearchIndexEntries` is redundant: per-hit TTL check on
getSearchIndex line 299-307 already discards stale entries on access,
and the hard LRU cap of 12 bounds memory regardless of TTL behavior.
The build-path sweep over all entries was duplicated work that did
nothing the LRU eviction wasn't already doing.

`bumpAndReturnCachedIndex` had one caller and was 4 lines of body —
inlined directly into the hit path. Net -23 lines.

* fix(ci): remove typecheck shim, exclude benches from default test run

CI typecheck failed because workspace-fs had a hand-rolled
src/bun-test.d.ts shim with a minimal `expect` (only `toContain` /
`toEqual` / `toHaveLength` / `toBeNull` / `toBeTruthy`) that shadowed
the real bun-types definitions. Adding bun-types as a devDependency
and dropping the shim restores the full matcher surface.

CI tests OOM'd on @superset/workspace-fs#test (exit 137). The
cache-and-paths-memory bench creates 130 worktrees × 200 files +
heap snapshots and was being picked up by default `bun test` because
of its `.bench.test.ts` suffix. Renamed both bench files to
`.bench.ts` (off the auto-discovery pattern) and added explicit
`bun run bench` scripts so they're still runnable on demand.

Also tightened search-cache-eviction.test.ts array typings: previous
`unknown[]` was fine under the shim's permissive `expect` but doesn't
typecheck against the real signature. Now uses
`Awaited<ReturnType<typeof getSearchIndex>>[]` with explicit guards
for noUncheckedIndexedAccess.

* fix(ci): slim integration test — drop scaling cases covered by mock units

CI host-service#test was OOMing (exit 137) because the integration
test created 4 scenarios with simple-git + WorkspaceFilesystemManager +
GitWatcher per scenario (15 worktrees + 15 parcel-watcher subscriptions
total). Two of those scenarios just re-asserted what the mock-based
unit test in test/pull-requests-scaling.test.ts already pins —
linearity of git-subprocess count and "safety-net walks all N".

Removes the duplicative integration scaling cases. Keeps only the
event-driven scenario, which is the unique integration coverage
(verifies a real `git commit` in one workspace triggers exactly one
single-workspace sync, with the others staying quiet). Reduced from
5 to 3 worktrees — enough to prove "only the target was touched".

Net: -142 lines, ~80% fewer worktrees spawned per test file run.

Resolves 11 findings from greptile + coderabbit review on the
remote-control feature:

- #1 (P1): `remoteControl.get` is now `publicProcedure` and accepts the
  raw token, hashing it for constant-time comparison against the row's
  `tokenHash`. Anonymous viewers can resolve `wsUrl` without a Superset
  session — the share link itself is the credential.
- #10 (Major): the host-side `sendInput` no longer round-trips bytes
  through a latin1 string before `pty.write` re-encodes them as UTF-8
  (which corrupted any byte ≥ 0x80). Adds `pty.writeBytes` that
  forwards a `Uint8Array` straight to the daemon.
- #2: a single `cleanup()` helper now handles `onClose` and `onError`,
  removing the viewer from the session's set, detaching the handle, and
  unsubscribing the revoke listener idempotently. Fixes a leak where
  abrupt teardown could orphan up to four `MAX_VIEWERS` slots until host
  restart.
- #8: client WebSocket payloads are validated via a zod discriminated
  union before dispatch; `resize` and `runCommand` are wrapped in
  try/catch like `input` was.
- #5: `TerminalRemoteControlButton` hydrates from
  `remoteControl.listForWorkspace` on mount and refreshes every 30s, so
  the live badge survives remounts and reflects backend revocation /
  expiry. The original `webUrl` is unrecoverable after `create` (the
  cloud only stores `tokenHash`), so Copy Link is disabled when we
  don't hold it.
- #3: handshake-time auth result is cached on the WS context; per-
  message handling just compares `expiresAt` against `now` instead of
  re-running HMAC + SHA-256 at 200/s/viewer.
- #4: the bearer token is now passed in the URL fragment
  (`#remoteControlToken=…`), not the query string. The fragment never
  reaches the server, never appears in `Referer` headers, and stays out
  of access logs and history. A new `RemoteTerminalLoader` client
  component reads `location.hash` after mount.
- #7: the web viewer writes a one-time dim hint into xterm when the
  user types in `command` mode so silent drops are explained.
- #9: oversized PTY chunks (> 256 KB in one event) now have their tail
  preserved instead of being pushed-and-immediately-shifted out of the
  ring, which would have left late-joining viewers with an empty
  snapshot.
- #11: host-side mintToken schema now `.min(MIN_TTL).max(MAX_TTL)`,
  matching `mintRemoteControlToken`'s internal clamp.
- #12: revoke `UPDATE` adds `organizationId` and `status='active'` to
  the `WHERE` so re-revoke is idempotent and cannot transition an
  `expired` row to `revoked`.

Skipped: #6 (relay replay/tunnel-ownership) — the existing host proxy
paths don't call `maybeReplay` either, so this PR doesn't regress the
single-region behavior. Multi-region replay is a broader gap tracked
separately.

* feat: browser-based remote control for v2 desktop terminals

Adds an end-to-end remote control flow: a desktop user clicks Share on a
v2 terminal pane, gets a one-time URL, and anyone opening the link in a
browser sees the live terminal output and can type into it.

Pieces:
- v2_remote_control_sessions table + remote_control_session_{mode,status}
  enums, with a unique index on token_hash. Cloud row stores the SHA-256
  hash only; the host-service mints and verifies the HMAC-signed token
  end-to-end so a leaked DB row cannot grant new sessions.
- Shared protocol module (packages/shared/remote-control-protocol)
  pinning the wire format, capabilities, and limits.
- Host-service: session manager (token mint/verify, registry, expiry
  sweep), /remote-control/:sessionId WS route, attachTerminalViewer fan-
  out on TerminalSession (256 KB tail ring, output sequence, viewer
  set), and terminal.remoteControl.{mintToken,revoke,listActive} tRPC.
- Cloud tRPC: remoteControl.{create,get,revoke,listForWorkspace,
  expireStale}; mints a short user JWT for the relay POST and inserts
  the row only after the host returns a token.
- Relay: lets /hosts/:hostId/remote-control/* skip the user-JWT gate;
  the per-session HMAC validated by the host is the credential.
- Desktop UI: TerminalRemoteControlButton on v2 terminal panes (radio
  icon -> live badge dropdown with copy/stop) wired through pane
  registry. Host-service spawn now propagates HOST_SERVICE_SECRET into
  the child env so the secret derivation is stable.
- Web viewer: /agents/remote-control/[sessionId] page + RemoteTerminal
  client component (xterm.js + addon-fit, mobile-only key toolbar,
  status badge, copy/stop controls).

Out of scope: viewer-count fan-out, host->cloud heartbeat for
last_connected_at, host-driven resize push, and rebuilding the in-
memory session registry across host-service restarts (viewers see
session-not-found and the desktop user re-shares).

* style(web): match desktop terminal theme in remote-control viewer

Pulls the xterm options and color palette from the desktop's default
"dark" (Ember) theme so the browser viewer renders identical font, font
size, scrollback, ANSI colors, cursor, and selection. The chrome (header,
buttons, banners, mobile toolbar) now uses the same warm-dark surface
tones (#151110/#1a1716/#2a2827) and matches the ANSI accent colors for
status badges and the destructive Stop button.

`vtExtensions` (kittyKeyboard) and `scrollbar` are intentionally omitted
because they only exist on the desktop's xterm beta build; the stable
web release does not type them.

* fix(remote-control): address PR review findings

Resolves 11 findings from greptile + coderabbit review on the
remote-control feature:

- #1 (P1): `remoteControl.get` is now `publicProcedure` and accepts the
  raw token, hashing it for constant-time comparison against the row's
  `tokenHash`. Anonymous viewers can resolve `wsUrl` without a Superset
  session — the share link itself is the credential.
- #10 (Major): the host-side `sendInput` no longer round-trips bytes
  through a latin1 string before `pty.write` re-encodes them as UTF-8
  (which corrupted any byte ≥ 0x80). Adds `pty.writeBytes` that
  forwards a `Uint8Array` straight to the daemon.
- #2: a single `cleanup()` helper now handles `onClose` and `onError`,
  removing the viewer from the session's set, detaching the handle, and
  unsubscribing the revoke listener idempotently. Fixes a leak where
  abrupt teardown could orphan up to four `MAX_VIEWERS` slots until host
  restart.
- #8: client WebSocket payloads are validated via a zod discriminated
  union before dispatch; `resize` and `runCommand` are wrapped in
  try/catch like `input` was.
- #5: `TerminalRemoteControlButton` hydrates from
  `remoteControl.listForWorkspace` on mount and refreshes every 30s, so
  the live badge survives remounts and reflects backend revocation /
  expiry. The original `webUrl` is unrecoverable after `create` (the
  cloud only stores `tokenHash`), so Copy Link is disabled when we
  don't hold it.
- #3: handshake-time auth result is cached on the WS context; per-
  message handling just compares `expiresAt` against `now` instead of
  re-running HMAC + SHA-256 at 200/s/viewer.
- #4: the bearer token is now passed in the URL fragment
  (`#remoteControlToken=…`), not the query string. The fragment never
  reaches the server, never appears in `Referer` headers, and stays out
  of access logs and history. A new `RemoteTerminalLoader` client
  component reads `location.hash` after mount.
- #7: the web viewer writes a one-time dim hint into xterm when the
  user types in `command` mode so silent drops are explained.
- #9: oversized PTY chunks (> 256 KB in one event) now have their tail
  preserved instead of being pushed-and-immediately-shifted out of the
  ring, which would have left late-joining viewers with an empty
  snapshot.
- #11: host-side mintToken schema now `.min(MIN_TTL).max(MAX_TTL)`,
  matching `mintRemoteControlToken`'s internal clamp.
- #12: revoke `UPDATE` adds `organizationId` and `status='active'` to
  the `WHERE` so re-revoke is idempotent and cannot transition an
  `expired` row to `revoked`.

Skipped: #6 (relay replay/tunnel-ownership) — the existing host proxy
paths don't call `maybeReplay` either, so this PR doesn't regress the
single-region behavior. Multi-region replay is a broader gap tracked
separately.

* fix(remote-control): address second-round PR review

Resolves four further findings on PR #4345:

- High: redact `remoteControlToken` (and any `token` query param) from the
  relay's request logger. The viewer has to put the bearer on the WS
  upgrade URL because browser WebSockets can't carry custom headers, and
  Hono's default `logger()` would otherwise spill the raw token into Fly
  logs / Sentry breadcrumbs.

- High: when the bypass for `/hosts/:hostId/remote-control/*` skips the
  user-JWT `authMiddleware`, still run the tunnel-presence check + Fly
  `maybeReplay`. Previously a viewer landing on a relay instance that
  doesn't own the destination tunnel would get a hard failure instead
  of a `fly-replay` to the right region/instance.

- Medium: the web viewer's Stop button now calls a new public
  `remoteControl.revokeWithToken({ sessionId, token })` mutation. The
  protected `revoke` requires a Superset session, which anonymous share
  recipients don't have, so the previous wiring silently 401'd. The
  bearer token IS the credential — anyone holding it has the same
  authority as whoever they got the link from. Constant-time SHA-256
  match against `tokenHash`, then revoke + best-effort host tear-down.

- Medium: `revoke` (protected) and `listForWorkspace` now require host
  membership in addition to active org membership, matching the gate
  on `create`. Otherwise an org member who isn't on the host could
  enumerate or revoke other people's share sessions.

The shared host-revoke flow is factored into `callHostRevoke()` so both
the protected and public revoke paths use the same best-effort tear-
down.

* fix(remote-control): make anonymous viewers actually work in prod

- Move /agents/remote-control/[sessionId] out of the `(agents)` route
  group into `(public)` so it skips `getAgentsUiAccess`, and add it to
  `proxy.ts` publicRoutes so unauthenticated viewers aren't redirected
  to /sign-in before the page mounts.
- Allow the relay WebSocket origin in the prod CSP `connect-src` so
  `wss://relay…` isn't blocked once `ws:/wss:` are dropped outside dev.
- Stop swallowing host-revoke failures: both revoke paths now throw a
  TRPCError if the host call fails, so the Stop button can't report
  success while in-memory host sessions (and connected viewers) live on.
  The cloud row still flips to `revoked` first, so retries stay
  idempotent and new attaches via `get` are blocked either way.

* fix(remote-control): keep bearer tokens out of URLs and harden cloud gates

- Convert `remoteControl.get` from a query to a mutation so tRPC's
  httpBatchLink puts the bearer token in the POST body instead of the
  URL query string (which would land in access logs and Referer). The
  web viewer now calls `.mutate()`.
- `get` refuses to hand out `wsUrl`/`routingKey` for non-active rows
  (revoked/expired). Also promotes active rows past `expiresAt` to
  `expired` even if the sweep hasn't run, so a just-expired share
  can't slip through. `SessionMeta.wsUrl` is now `string | null` and
  the WS-connect effect gates on it.
- Add `timeoutMs: 5000` to the mintToken relayMutation in `create`
  so a stuck host can't pin the Share button in "Starting…".
- Wrap the cloud `INSERT` in try/catch; on failure best-effort call
  `callHostRevoke` so the host-side minted token isn't orphaned and
  invisible to `listForWorkspace`/`revoke` until the host TTL sweep.

* chore(db): renumber remote-control migration to 0050 after main merge

Main shipped its own 0048 + 0049 while this branch had the original
0048_add_v2_remote_control_sessions. Regenerated via drizzle-kit
generate; same DDL, new slot.

* feat(remote-control): gate Share button on PostHog flag + add Open-in-browser

- New \`WEB_REMOTE_CONTROL_ACCESS\` (\`web-remote-control-access\`) feature
  flag controls who sees the Share button on v2 desktop terminal panes.
  Evaluated against the sharer's user id; the per-session HMAC stays the
  credential for anyone with the link, so this only gates session
  creation.
- TerminalRemoteControlButton returns null when the flag is off and skips
  the 30s cloud-hydrate poll for that user, so non-cohort users don't
  pay a tRPC round-trip every interval.
- Adds an "Open in browser" item to the live-badge dropdown that uses
  \`window.open(url, "_blank")\` (Electron routes it to the system
  browser), so the sharer can verify the link without leaving the app
  to paste it.

* refactor(remote-control): one-folder-per-component layout for web viewer

- Promote `RemoteTerminalLoader` to a sibling folder under `[sessionId]/
  components/RemoteTerminalLoader/` so `page.tsx`'s import resolves
  through a barrel that actually points at it (used to import the
  loader via the `RemoteTerminal` barrel, which was misleading).
- Extract inline `MobileToolbar` from `RemoteTerminal.tsx` into nested
  `RemoteTerminal/components/MobileToolbar/MobileToolbar.tsx` per the
  project's one-folder-per-component convention. No behavior change.

* fix(remote-control): close enumeration, schema leak, observability gaps

- Collapse `get` + `revokeWithToken` into a single generic 401
  ("Invalid remote control session or token") whether the row is
  missing or the token is wrong. Always runs the constant-time
  compare — against the row's tokenHash when present, otherwise
  against DUMMY_TOKEN_HASH — so timing and response both equalize
  and sessionIds can't be probed via these endpoints.
- Wrap the raw drizzle/pg error in `create`'s INSERT-failure path
  with TRPCError so pg constraint / column names don't get echoed
  back to clients through the default tRPC serializer.
- Upgrade the orphan-cleanup swallow from `console.warn` to a
  structured `console.error("[remote-control:orphan-host-session]",
  { sessionId, hostId, organizationId, insertError, revokeError })`
  so log scrapers can alert and a future Sentry
  `captureConsoleIntegration` picks it up automatically.

* docs(remote-control): plan for remaining work

* fix(remote-control): debounce viewer resize broadcasts via requestAnimationFrame

ResizeObserver can fire at refresh-rate (~60Hz) during a window-drag,
which immediately trips the host's REMOTE_CONTROL_RESIZE_RATE_PER_SEC
= 10 rate limit and surfaces a spurious "rate-limited" banner in the
viewer during normal use. Coalesce to one fit+broadcast per animation
frame and cancel any pending frame in the cleanup so we don't
fit+send after the WS is gone.

* fix(remote-control): trailing-debounce resize broadcasts to fix rate-limit banner

The RAF coalescing from the previous commit didn't actually help —
ResizeObserver already fires once per layout, so RAF was a no-op for
sustained window-drag, and the host's 10/s bucket still drained in
~166ms and tripped the "rate-limited" error.

Switch to a trailing 200ms debounce: keep calling `fit()` per event so
local rendering stays responsive, but only fire the host-side resize
message once after the user stops dragging. 5 Hz worst case, well
under the host's 10/s cap.

* ci(sherif): allow @xterm/{xterm,addon-fit} version split

Desktop's terminal-runtime uses the @xterm beta 6.x track for
kittyKeyboard + scrollbar options; the new web remote-control viewer
uses stable 5.x because the beta is too churny for a fresh feature.
The split is intentional and documented in the viewer's source, so
tell Sherif to ignore those two deps rather than force-aligning to
either track.