Fixes for PR #76 review comments (greptile, cubic, codex):

backend/
- protocol.py:
  * FlowSummary now validates finishedAt as a float (raises
    ProtocolError instead of silently storing a non-numeric)
  * Coerce header pairs through str() for safety
  * New sanitize_session_id(raw, fallback) — restricts chat ids to
    [A-Za-z0-9._-], rejects "." / ".." / absolute paths / null
    bytes / 128+ chars, used by both server and session
- server.py:
  * resolve_base_dir() helper; no longer appends "rae-agent-sessions"
    when RAE_AGENT_WORKDIR is set by the Swift sidecar, so sessions
    land at <support>/agent-sessions/<chat-id>/... instead of double
    nesting
  * ValueError from SessionDirs is surfaced as an AgentEvent.error
- session.py:
  * SessionDirs.make resolves and verifies the session root stays
    inside base before creating directories (path traversal defense)
  * file_written event now fires from the ToolResult phase (not
    ToolUse), and only when the result is not an error — so the UI
    only badges files the SDK actually wrote
  * sanitize_session_id replaces raw chat ids before path joining

macos/Sources/ReverseAPI/Agent/
- AgentSidecar:
  * LaunchSpec now carries (executablePath, arguments) explicitly,
    with factory `python3(workdir:)` that runs `/usr/bin/env` with
    `python3` as its first argument. Previously Process.executableURL
    was given the full "/usr/bin/env python3" string and failed to
    start.
  * waitForBoundPort uses readabilityHandler + an async sleep loop
    instead of blocking availableData reads, and respects the timeout
  * Process is terminated and cleared on port-discovery failure so
    failed launches do not leave orphans
- AgentSession.clear: when status was .failed, drop to .idle (not
  .ready), so ensureRunning() can actually relaunch on the next send
- AgentSession.ensureRunning: terminate sidecar + disconnect client
  on launch failure so the next attempt starts clean
- AgentClient.connect: replaces a dead URLSessionWebSocketTask instead
  of returning early when one already exists
- AgentFlowPayload.encodedBody: cap payloads at 64 KiB per body
  (configurable), with a "…<truncated N bytes>" suffix, to avoid
  hitting websocket message-too-large on large captures

Tests:
- backend/tests/test_protocol.py extended to 27 cases (sanitize_session_id
  subgroup, finishedAt type validation, event serializations)
- backend/tests/test_server_resolution.py: 3 tests on resolve_base_dir
- backend/tests/test_session_dirs.py: 5 tests including path-traversal
  rejection
- macos/Tests/ReverseAPITests/AgentProtocolTests.swift: 13 tests on
  AgentFlowPayload.encodedBody (empty / UTF-8 / truncation / binary)
  and AgentEventDecoder (all event types + invalid input)
- Package.swift: ReverseAPITests testTarget

Introduce three foundation modules consumed by the upcoming UI redesign:

- Theme: near-black dark palette (#050506 → #16161A surfaces), method/
  status colors, border tokens. Replaces ad-hoc Color(nsColor: .windowBackgroundColor)
  references scattered across views.
- Controls: NSSegmentedControl wrapper (.capsule style) and PillStyle
  primitives + .pillBackground modifier so chips, search button, and
  segmented tabs share identical hover/active states.
- Markdown: lightweight block parser for assistant output. Supports
  fenced code blocks, headings, bullet/ordered lists, and inline
  bold/italic/code via AttributedString.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Replace the heavy 312pt sidebar + cluttered triple panel layout with a
much cleaner shell:

- Drop CaptureToolbar entirely. Capture/mode/CA/route/export/clear move
  to a borderless toolbar (record icon only, neutral tint, danger when
  active) plus a … menu. Window title is hidden via AppKit so no "rae"
  duplication.
- ContentView: native NSWindow chrome via WindowAccessor — transparent
  titlebar + window.backgroundColor in sync with Theme.appBackground so
  the toolbar matches the rest of the canvas. Configure runs on the
  next runloop tick to avoid CATransaction commit-phase exceptions on
  macOS 14+.
- ActionBar replaces the old sidebar sections: native NSSegmented
  capsule for Device/Manual, full-width scrollable filter chips with
  hover state, and a ⌘K SearchButton pill that opens the command
  palette.
- TrafficListView: replace SwiftUI Table (which forces system accent
  selection blue) with a custom LazyVStack so selected rows use
  Theme.elevated instead of the system tint. Time/Method/Host/Path/
  Status columns only — Size and Duration removed to reduce density.
- AgentPanel always mounted with offset+width animation so toggling
  ⌘J slides the panel from the right without layout shift.
- StatusBar pinned at the bottom with capture state, CA trust, and
  flow count.
- CommandPalette (⌘K): two-pane layout — results list on the left,
  live preview pane on the right with method, status, content-type,
  size, duration. NSVisualEffectView glass background, scale+offset+
  opacity transitions wired at the conditional root in ContentView so
  the panel actually animates (previous .transition() on inner VStack
  was ignored). Native SwiftUI TextField + @focusstate, .onKeyPress
  for up/down/escape (avoids the NSEvent monitor crash from earlier).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Inspector gets a real Preview tab and unifies its tab bar with the
rest of the app:

- Tabs (Overview / Request / Response / Preview) now use the shared
  NSSegmented capsule control — identical visuals + interactions to
  ModeToggle in ActionBar.
- New Preview tab appears automatically when the response content-type
  is renderable:
  • image/*: NSImage decoded and drawn over a photoshop-style
    checkerboard (white@7% / white@2% tiles, 12pt). Tiny assets are
    capped at 16× scale instead of stretched to the full pane, and
    .interpolation(.none) keeps pixel art crisp. Tracking pixels
    (≤4×4) get a "tracking pixel" chip next to the dimensions so a
    1×1 transparent GIF isn't mistaken for a broken image.
  • text/html: WKWebView with JavaScript disabled
    (defaultWebpagePreferences.allowsContentJavaScript = false) loads
    the raw HTML with the flow URL as baseURL so relative assets
    resolve. Layer-rounded container with subtle border to match the
    rest of the dark surfaces.
  • application/pdf: placeholder for a future PDFKit integration.
- Strip nested rounded panels and gradient backgrounds out of the
  header/sections; rely on small SCREAMING-CAPS section labels and
  Theme.* colors so the inspector matches the rest of the redesigned
  shell.
- Close button to dismiss the inspector inline without selecting
  another row.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

- AssistantRow renders the agent's text through MarkdownView so
  headings, lists, fenced code blocks (with language tag and copy
  button), and inline bold/italic/code show correctly instead of one
  flat blob.
- Tool calls and tool results collapse to a single chevron row each
  by default — expand to reveal the JSON / output. Cuts the visual
  noise dramatically during long tool-use chains.
- Header, timeline, and composer all share Theme.appBackground (no
  more border between header/messages or messages/composer). The
  composer is a real NSTextView wrapped in SwiftUI: multi-line, ⇧⏎
  for newline, ⏎ to send, ⌘⏎ also sends. Placeholder is drawn via a
  CATextLayer when the field is empty.
- Send button: white pill on black with arrow.up, disabled state in
  Theme.elevated. Matches the rest of the dark UI.
- ThinkingRow with three pulsing dots when status is .streaming for
  feedback during long agent runs.
- FileWritten / Complete / GeneratedFiles rows now share a consistent
  surface (Theme.elevated + Theme.border) so each event-type doesn't
  scream a different color.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

SwiftUI TextField + @focusstate wasn't reliably routing keystrokes
when the command palette was presented as an overlay or when the
agent composer was inside the right-hand panel — focus appeared to
move but the field never received key events. Replace both with
NSViewRepresentable wrappers that talk to AppKit directly:

- NativeSearchField wraps NSTextField (single-line) for the command
  palette query. textColor / placeholderAttributedString /
  insertionPointColor are all set explicitly against Theme.* so the
  text stays visible on the near-black background. First responder
  is grabbed via window.makeFirstResponder(field) on the next
  runloop tick so the palette is type-ready the moment it opens.
- NativeMultilineTextField wraps NSTextView (multi-line, axis is
  effectively vertical) for the agent composer. Same explicit color
  setup; Return submits, Shift-Return inserts a newline via the
  textView(_:doCommandBy:) delegate hook. Drops the previous
  CATextLayer placeholder hack (added a sublayer to NSTextView,
  which interfered with the field's internal layer management).
  Placeholder is now a SwiftUI Text overlay with
  .allowsHitTesting(false) shown when the bound string is empty.

While in the same files, also clean up the agent panel's empty
state: drop "Reverse engineer with the agent" + "N filtered flows
will be shared" and show a single centered chevron.left.forwardslash.
chevron.right — the </> SF Symbol that doubles as a logo for the
reverse-API-engineer name. Less text, more breathing room when no
conversation has started yet.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

claude_agent_sdk 0.1.48 defines StreamEvent in its `types` module but
does not re-export it from the package's public namespace, so the
top-level import added in the streaming commit blew up with
`ImportError: cannot import name 'StreamEvent' from
'claude_agent_sdk'`, taking the entire sidecar down at launch.

Pull StreamEvent from claude_agent_sdk.types directly. If a future
SDK release ever drops the type, fall back to a private stub class
so `isinstance(message, StreamEvent)` is always callable — we just
lose the streaming path and the sidecar still boots and serves
non-streaming AssistantMessage events.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Replace the hand-rolled block parser in Markdown.swift with a thin
wrapper around gonzalezreal/swift-markdown-ui's Markdown view. The
new dependency handles the full CommonMark + GFM grammar — tables,
task lists, nested code blocks, autolinks, soft/hard breaks, escapes
— which our parser silently dropped.

Theme.rae customizes the library for the dark agent panel:

- Body text uses Theme.textPrimary at 13pt; links pick up
  Theme.accent with an underline.
- Inline code gets a subtle white@8% pill on the monospaced font.
- Headings 1-3 are sized down for the side panel (18 / 16 / 14pt
  semibold) instead of MarkdownUI's defaults that overpower a 380pt
  column.
- Code blocks render against Theme.appBackground inside a rounded
  Theme.border outline, with the optional language label and a copy
  button living on a small Theme.elevated header — same look the
  old custom parser had, but now driven by the library.
- Blockquotes get a 2pt Theme.border bar on the left and muted
  Theme.textSecondary content.
- Paragraph/list spacing tightened with markdownMargin so consecutive
  blocks read like Claude's web chat rather than a Markdown rendered
  document.

The AgentPanel.AssistantRow callsite is unchanged — it still imports
`MarkdownView(text:)` from this file. The public surface stays the
same; the implementation just defers to a tested library now.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add FlowStore.delete(ids:) — single source of truth that removes
the records from both the in-memory list and the on-disk SQLite
table in one shot, then bumps the generation counter so any
in-flight persistence task for one of the deleted ids is skipped.

AppState.deleteFlows wraps it and also:
- clears state.selectedFlowID if the deleted set included the row
  currently in the inspector (otherwise the inspector kept
  pointing at a dangling UUID)
- prunes the agent selection (next commit) so the agent panel
  can't try to send rows the user just dropped

The UI side comes in a follow-up commit — this one keeps the model
plumbing focused.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…xt menu

Sending every captured flow to the agent is too coarse — running the
proxy on the whole machine collects far more traffic than belongs in
a single reverse-engineering task. Give the user explicit control:

Traffic list:
- New checkbox column on the leading edge of every row. Tapping the
  square toggles the flow's UUID in state.agentSelection — selected
  rows are marked with a Theme.accent filled checkmark, deselected
  ones with a Theme.textTertiary outline.
- Header checkbox does select-all / deselect-all over the currently
  visible rows, with a tri-state minus glyph when only some of the
  visible rows are selected.
- Context menu per row: "Add to agent selection" / "Remove from
  agent selection", a divider, and a destructive "Delete" that
  routes through AppState.deleteFlows.

AgentPanel:
- AgentPanel.flowsToSend prefers state.agentSelection when it's
  non-empty; otherwise falls back to the existing
  state.store.flows.filter { state.filter.matches } .prefix(100)
  behavior so a fresh session still has context.
- AgentHeader subtitle now reads "Idle · 12 selected" or
  "Ready · 47 filtered" so the user can see at a glance which set
  of flows will be shared when they hit Send.

The bottom-status footer was already gone, so there's no other
place flow counts live — this is now the canonical "what does the
agent see" indicator.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The previous tool rows were two collapsible disclosure rows with
generic icons — fine but noisy and offered no preview of what the
agent was actually doing.

ToolUseRow:
- Rounded Theme.elevated card with a 1pt Theme.border so each tool
  call reads as a discrete event, not a flat list of toggles.
- Semantic icon per tool name: doc.text for Read, square.and.pencil
  for Write, pencil for Edit, terminal for Bash, magnifyingglass for
  Glob/Grep. Falls back to wrench.adjustable for anything else.
- Inline summary parses the tool input JSON and pulls the most
  meaningful argument (file_path / path / command / pattern / url /
  query) so the row reads "Read · flows.json", "Write · client.py",
  "Bash · npm install" before expansion.
- Chevron is the same affordance everywhere and animates from 0° to
  90° on expand via rotationEffect.
- Expanded body sits below an inline Divider so the JSON args feel
  attached to the call, not a popover.

ToolResultRow:
- Renders flush against the preceding tool call (24pt leading
  indent so it sits under the call's content, no surrounding box).
- Headline is the first non-empty line of output trimmed to 80
  chars — quick "what came back" preview that matches the call's
  inline summary on the row above. Errors render in Theme.danger.
- Same rotating chevron for the expand affordance.

Net effect: a Read+result pair now reads more like a single git-style
log entry than two unrelated rows.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Adds a built-in file viewer so the user doesn't have to reveal in
Finder + open the file in a separate editor just to confirm what
the agent produced. Tap a row in either FileWrittenRow (the inline
"Wrote foo.swift" pill) or GeneratedFilesRow and a sheet slides up
with the file contents.

AgentFileViewer (new):
- Rounded 14pt continuous-corner card on Theme.surface with a
  Theme.border outline, sized 720-880pt wide × 480-640pt tall so
  it's roomy without dominating the window.
- Header shows a tool-style icon picked from the file extension
  (curlybraces for source code, doc.richtext for markdown, terminal
  for shell, etc.), the filename in monospaced semibold, and a
  metadata line ("Python · 3.4 KB" / "JSON · 821 bytes") parsed
  from the file attributes. Right-aligned actions: Reveal in Finder,
  Copy contents, Close.
- Body is a horizontally-and-vertically scrollable monospaced
  rendering against Theme.appBackground with a Theme.surface line
  gutter — the visual cue lands somewhere between a GitHub blob
  preview and a side-by-side diff pane, which matches the user's
  ask for "un truc un peu comme un git diff."
- File loads off-main on a detached task; binary files fall back to
  a "<binary file · N bytes>" sentinel instead of crashing.

AppState:
- New `viewingFile: AgentFileRef?` slot (Identifiable URL wrapper for
  SwiftUI's .sheet(item:) API) and `viewFile(at:)` helper that the
  agent panel rows call.

ContentView:
- .sheet(item:) on the root binds to state.viewingFile, presenting
  AgentFileViewer when set and clearing the slot on dismiss.

AgentPanel:
- FileWrittenRow + GeneratedFilesRow become Button wrappers so the
  whole row is a tap target. Trailing chevron + cursor-pointer
  affordance hints at the disclosure; "Reveal in Finder" moves to
  the context menu on FileWrittenRow so the primary action stays
  "view inline."

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Add RaeSyntaxHighlighter — a CodeSyntaxHighlighter implementation
that ships with the app instead of pulling in a JS bundle or a
TextMate-grammar dependency. Pure Swift, regex-based, tuned for the
languages the agent realistically emits when reverse-engineering an
API: Swift, Python, JavaScript / TypeScript / JSX / TSX, JSON,
Shell (bash/zsh), HTML, CSS, and SQL.

How it works:

- SyntaxColorizer.colorize walks the source once per rule, in
  priority order (comments → strings → numbers → keywords →
  builtins → JSON property keys) and writes foregroundColor onto
  an AttributedString. A rule never overwrites a range that's
  already non-default-color, which prevents bugs like coloring the
  word "if" inside a string literal.
- Per-language rule sets pick the right comment markers (`//`, `#`,
  `<!-- -->`) and string delimiters (triple-quoted for Python,
  backticks for JS template strings, etc.).
- Palette inspired by VS Code Dark+: purple-pink keywords, warm
  orange strings, soft-green numbers, muted-green comments, teal
  types, yellow functions, light-blue JSON keys. Tuned against
  Theme.appBackground (#050506) so contrast is comfortable on the
  near-black canvas.
- Exposes itself as `.rae` via a `CodeSyntaxHighlighter` extension
  so MarkdownUI consumers can write `.markdownCodeSyntaxHighlighter(.rae)`.

Fallback language `.generic` still picks up strings + numbers so
even an unknown fence has some visual structure.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…ists, HR

Extend the rae markdown theme so the agent's full GFM output renders
properly inside the side panel. Previously only paragraphs / headings
/ lists / code blocks were styled; tables fell back to MarkdownUI's
defaults (which on a dark background look unreadable), code blocks
had no copy-state feedback, task lists rendered as ASCII brackets,
images / horizontal rules / emphasis / strikethrough were all
unstyled.

Inline elements:
- emphasis renders italic
- strikethrough renders single-line through Theme.textTertiary
- code uses white@8% backdrop on a monospaced variant — matches the
  inline-code pill style ChatGPT/Claude.app use

Block elements:
- heading4 styled (13pt semibold) so deep section nesting still
  reads as a heading instead of a paragraph
- thematicBreak renders a Theme.border Divider with vertical
  padding instead of MarkdownUI's default Divider
- image rendering clips to an 8pt rounded rect so inline screenshots
  don't blow out the panel edge
- blockquote bar promoted to Theme.borderStrong so the left rail is
  visible

Code blocks:
- Hook in the syntax highlighter via `.markdownCodeSyntaxHighlighter(.rae)`
- Header is a discrete view with `Theme.elevated` background, the
  language slug in lowercased monospace, and a copy button that
  swaps to a checkmark + "Copied" for 1.2s on click
- Body still scrolls horizontally for long lines

Task lists & list markers:
- bulletedListMarker = .disc, numberedListMarker = .decimal so
  nested lists look consistent
- taskListMarker renders an SF Symbol filled checkbox in Theme.accent
  for completed items, hollow square in Theme.textTertiary otherwise

Tables (the previously broken bit):
- `.table` wraps the content in a rounded Theme.border outline, picks
  up the `.alternatingRows` backgroundStyle so every other row has a
  Theme.textPrimary @ 2.5% wash for readability, and uses a
  1pt all-borders style in Theme.border
- `.tableCell` adds proper 10×6 padding, bumps the first row to
  semibold Theme.textPrimary (header row), keeps body cells at
  Theme.textSecondary

The MarkdownView wrapper is unchanged externally — AssistantRow still
just renders `MarkdownView(text:)`.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The main window switches from "traffic | optional inspector | optional
agent" into two always-on inset cards: traffic on the left, agent on
the right, both with rounded corners + Theme.border on Theme.surface,
separated by an HSplitView so the user can resize the column ratio.

ContentView:
- New Card { content } wrapper applies clipShape(RoundedRectangle 10pt
  continuous) + 1pt Theme.border outline + Theme.surface background.
- Outer HSplitView with 10pt padding around both cards. The agent card
  starts at 380pt ideal width / 320pt min; the traffic card takes the
  rest with a 420pt min.
- Inside the traffic card, an inner HSplitView shows the table on the
  left and (when state.selectedFlowID is set) the inspector on the
  right — both views now live inside the same card instead of as
  separate columns.
- Drops the agent-toggle plumbing entirely: no more isAgentVisible
  binding, no more sparkles button in the toolbar, no more AppStorage
  key. The agent is always visible.

ReverseAPIApp:
- Removes the @AppStorage("rae.agent.visible") and the binding it
  passed to ContentView.

SessionsListView (new):
- "Sessions" title + count chip + "+" button on the right of the
  card header. Tap "+" to call agent.startNewSession().
- Body is a ScrollView+LazyVStack of SessionRow entries sorted by
  recency (the store does that on reload). Each row shows the
  auto-derived title (up to 2 lines), a relative "5m ago" timestamp,
  and the user+assistant message count. Hover paints Theme.elevated.
- Context menu on each row exposes "Delete" (destructive) — routes
  through agent.deleteSession(id:).
- Empty state when there are no sessions yet: bubble icon + "No
  sessions yet · Tap + to start a new conversation".

AgentPanel:
- Now a 2-mode router: when agent.mode == .list, render
  SessionsListView; when .session, render ActiveSessionView.
- ActiveSessionView wraps SessionHeader + AgentTimeline +
  AgentComposer the way the old panel did, just split into a
  separate type.
- SessionHeader replaces AgentHeader: drops the "Agent" label, the
  status dot, the "Idle · N selected" subtitle, and the trash
  button. Keeps just a back chevron (returns to the sessions list)
  and the language picker. Status feedback is now implicit — the
  composer's send button is disabled while launching, the streaming
  dots still appear in the timeline.

The Card primitive is reusable: the file viewer could later adopt
it for consistency, but that's out of scope here.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

… fix card spacing, neutral checkboxes

The previous tabular traffic row had fixed columns (time / method /
host / path / status) that broke once the traffic card got squeezed
below ~500pt with the inspector or a narrow window — the host
column overflowed into the path column, columns collapsed onto
themselves, and the header label row stopped lining up with the
data rows. Same story in the inspector: 150pt fixed header-name
column wasted space and the URL line ran past the card edge.

TrafficListView:
- Header row replaced with a compact "Traffic · N" title + select-all
  checkbox at the leading edge. No more tabular HeaderLabel columns —
  the new rows aren't strictly tabular anyway.
- TrafficRow is a two-line layout: checkbox + method badge on the
  left, host on top and path below in the flex middle column, status
  + timestamp stacked on the right. The middle column truncates host
  and path with .middle so the most identifying part of the URL
  survives at any width.
- Survives down to ~260pt of card width without overlap. Hover and
  selected backgrounds unchanged (Theme.elevated on select,
  white@3% on hover).
- AgentCheckbox checked-state color flips from Theme.accent (blue)
  to Theme.textPrimary (off-white). The select-all header checkbox
  follows the same rule. The user kept asking for a less loud color
  for the selection affordance.

InspectorView:
- Header repacks: METHOD + STATUS on the top row with a Theme.elevated
  pill close button on the right; the URL splits into a host line +
  path line below in the same style as the traffic row so the
  identification stays consistent between the two views.
- Padding tightened from 16pt to 14pt (matches the traffic header
  and rows).
- Tab bar wraps in a horizontal ScrollView so the four-tab
  NSSegmented stays usable even when the card is too narrow to fit
  all labels.
- HeadersSection switches from "name | value" fixed-width side-by-side
  to a vertical layout: lowercase muted name on top, mono value
  below. Reads like a typical HTTP request listing in browser
  devtools and stops clipping when the panel is narrow.
- Overview metric rows: key column shrinks from 100pt to 84pt and
  values get a 2-line truncation cap so a long Content-Type header
  doesn't push the row off the trailing edge.

ContentView:
- Card spacing: traffic card gets `.padding(.trailing, 6)`, agent
  card gets `.padding(.leading, 6)` — visible 12pt gap between
  cards instead of the previous flush HSplitView divider. Outer
  padding around the pair bumped from 10pt to 12pt for breathing
  room.
- Min widths: traffic card minWidth = 320pt (was 420), table inside
  it = 280pt (was 360), inspector inside it = 320pt (unchanged) so
  the user can shrink the window further without breaking the
  layout. Agent card stays 340–380pt range so it doesn't fall below
  the size where the composer becomes unusable.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The ThinDivider() between the ActionBar (filters / search / state
chips) and the HSplitView underneath was load-bearing back when the
main area was a flat panel with no other visual separation. Now
that the traffic and agent cards each draw their own
RoundedRectangle outline with Theme.border and there's 12pt of
padding around the pair, the divider is redundant — it just adds a
horizontal line through what should already read as a clean
separation between the action bar and the inset cards.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

… min width

A small batch of cleanups so the two cards read as visually
matched and the user can't squeeze the traffic card into a glitchy
state any more.

ContentView:
- Traffic card minWidth bumps from 320pt to 540pt (~½ the 980pt
  minimum window). Below that we hit the layout issues from earlier
  iterations — host/path collisions, inspector tabs scrolling under
  themselves, the table header desync from rows. The HSplitView
  divider now stops at this floor so the user can't drag the
  traffic side narrower than usable.

AgentPanel / SessionsListView:
- AgentPanel drops its own `.background(Theme.appBackground)`
  override. Both modes (list + active session) now inherit
  Theme.surface from the enclosing Card, which keeps the agent
  card's color identical to the traffic card. Previously the agent
  card read distinctly darker because Theme.appBackground sits a
  shade below Theme.surface.
- AgentTimeline ScrollView + EmptyAgentState frame + AgentComposer
  outer background all repointed to Theme.surface for the same
  reason. The send button's arrow glyph stays in Theme.appBackground
  since it sits against a Theme.textPrimary white circle and needs
  the contrast.
- SessionsListView header drops the `N` session count chip — the
  count was already obvious from the visible list, the badge was
  just noise. Header content keeps the title + "+" affordance on
  the trailing edge.
- New session "+" button shrinks to 22pt (from 26pt) so the header
  has the same intrinsic height as the traffic header.
- Same 22pt sizing applied to the SessionHeader back-chevron
  button (active session mode).

TrafficListView header:
- Same horizontal padding (12pt) as TrafficRow so the select-all
  checkbox sits in the same column as the per-row AgentCheckbox.
- Both headers (Sessions list, Traffic) now use `.frame(height: 44)`
  instead of varying vertical padding, so the title row in the two
  cards lines up at the exact same Y position.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…verflow

The overflow glitch the user kept seeing on a narrow traffic card —
rounded border disappearing, rows clipped past the right edge, scroll
+ row hit-testing broken — was a hard layout conflict. The card's
inner HSplitView holds the table (minWidth 320) + the inspector
(minWidth 340) = 660pt minimum when both are shown. The outer Card
was capped at 540pt, so SwiftUI rendered the inner panes wider than
the Card frame, leaking past the clipShape.

Two fixes:

- Traffic card frame minWidth is now conditional:
  - No flow selected: 380pt — the user can still compress the card
    down when the inspector isn't taking up space.
  - Flow selected: 700pt — covers the inner content min with
    headroom for the HSplitView divider so the inner views always
    fit inside the rounded clipShape.
  When the user clicks a flow, SwiftUI smoothly grows the card to
  the new minimum (eating into the agent card's flex room, which
  has its own 340pt floor).

- Inner table minWidth bumped from 300pt → 320pt; inner inspector
  from 320pt → 340pt. Both have a touch more breathing room before
  their internal content (host/path stacks, header sections, tabs)
  starts feeling cramped.

Window minimum width bumped from 980pt to 1100pt so the new
expanded layout (traffic 700 + agent 340 + 36pt padding/gap = 1076)
fits at the smallest window the user is allowed to create. On
13-inch MacBook Airs at scaled resolutions this still leaves plenty
of room above the 1100pt floor.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…raffic card header

The action bar was getting cluttered: it owned both window-level
status (capture state, CA trust, search) and traffic-scoped controls
(capture mode toggle, resource-kind filter chips, reset filters
badge). Split them so each lives where it makes sense.

ActionBar (top, app-wide controls):
- Drops the Device/Manual NSSegmented capture mode toggle. The same
  setting is already exposed inside the … menu in the toolbar
  (ActionsMenu), so there's no functionality lost.
- Drops the ResourceKindStrip chip row — that filter UI moves into
  the traffic card itself (next section).
- Drops the inline "X filters active" reset badge — same reason; the
  filter UI now lives next to the traffic.
- Result: ActionBar is just CaptureStateChip + CATrustChip + Search
  (⌘K) pill. Much calmer; reads as "the current state of the
  proxy" rather than "every control we have."
- Also removes the now-orphaned ModeToggle, ResourceKindStrip, and
  Chip private structs from ContentView since nothing references
  them anymore.

TrafficListHeader (per-card controls):
- New FilterButton — round button on the right with a
  `line.3.horizontal.decrease` icon. Opens a SwiftUI Menu containing
  the full filter surface: Errors-only toggle at the top, then
  Sections for Type (resource kinds), Method (driven by the live
  store.methodOptions), and Status buckets. Each option is a Toggle
  bound through a Binding<Bool> wrapper that updates the
  TrafficFilter set in place.
- When at least one filter is active, the button shows a small
  Theme.success dot in the top-right corner so the user always
  sees there's an active filter without opening the menu. The menu
  surface gets a trailing destructive "Reset filters" action under
  a Divider — appears only when activeFilterCount > 0 so the menu
  stays tight in the default case.
- New DeleteAllButton — round trash icon button next to the filter,
  routes through state.clearFlows. Disabled (Theme.textTertiary)
  when the traffic list is empty.
- Both new buttons sized at 22×22pt with Theme.elevated circle
  background, matching the "+" button in the sessions card header
  and the back chevron in the active-session header — same visual
  language across the two cards.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

User feedback: the previous near-black canvas (#050506) read too
sharp. Bump every background tier up roughly 6% luminance and lean
a touch into a cool grey so the surfaces still feel dark but no
longer charcoal-black:

- appBackground: #050506 → #12131A
- surface     : #0B0B0D → #1B1C1F
- elevated    : #16161A → #28292E
- input       : #0F0F11 → #1F2024

The relative gap between tiers stays ~5% luminance, so hover and
selected states keep their contrast. Border + text tokens are
untouched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

User feedback: the black bar between the traffic + agent cards looked
weird, and the traffic-card minWidth conditional wasn't actually
forcing the card to grow when the inspector opened — SwiftUI was
still letting the inner content overflow past the rounded clipShape.

Swap the outer HSplitView for a hand-rolled HStack split:

- SplitLayout (new): computes the traffic + agent widths from the
  current GeometryReader width, the user-driven trafficWidth state,
  and whether the inspector is open. Mins live as static constants
  (trafficMinNoInspector 380, trafficMinWithInspector 720, agentMin
  340, handleWidth 12, outerPadding 12), so clamping is one struct
  away from any caller. trafficMax is `usable - agentMin` so the
  agent never gets squeezed under its minimum.
- DragHandle (new): a 12pt-wide invisible Rectangle between the
  cards. NSCursor.resizeLeftRight on hover gives the resize
  affordance, and a DragGesture forwards the translation back to
  the parent. Because the rectangle is `Color.clear`, the gap
  between the two cards reads as just app-background showing
  through — no more system splitter line.
- ContentView: tracks `@State var trafficWidth` (seed 720pt) and
  `@State var dragStartWidth: CGFloat?`. The drag start snapshot is
  what fixes the cumulative-translation drift you get from naïve
  DragGesture handling.
- `onChange(of: selectedFlowID)` runs the new flow through
  SplitLayout to detect whether the inspector's bigger minimum
  pushed the traffic card past its current width — if so, it
  animates the traffic card open with easeOut(0.2). The animation
  smooths the layout shift that used to feel jarring.

The inner HSplitView between table and inspector inside the traffic
card is unchanged. That divider lives inside the card's rounded
clipShape and reads as expected.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…fic card

The previous Filter button surfaced everything through a SwiftUI Menu
which made multi-toggle filtering tedious (close menu to see the
table, reopen to flip the next chip). Bring filters back inline —
the user asked for the resource-kind chips like before, plus
matching chip rows for methods and statuses, and a search input that
isn't the system .searchable bar.

TrafficFilterBar (new, lives between the card header and the row
list):

- Custom text filter row — an NSTextField wrapped via
  NSViewRepresentable so we don't ship the SwiftUI default search
  bar. Mag-glass icon on the left, "xmark.circle.fill" clear
  affordance on the right when there's content. Background is
  Theme.input behind a 7pt rounded rectangle, matching the agent
  composer's text well. Esc inside the field clears the search.
- ResourceKindRow — horizontal scroll of chips, one per
  TrafficFilter.ResourceKind. Tint defaults to Theme.textPrimary.
- MethodRow — same layout, but each chip is tinted with its method
  color (GET blue, POST green, PUT/PATCH orange, DELETE red,
  CONNECT purple) so selected method chips read at a glance. Only
  renders when state.store.methodOptions has at least one method
  (avoids an empty scroll strip on a fresh capture).
- StatusRow — same again, tinted per status bucket: 1xx neutral,
  2xx success green, 3xx blue, 4xx orange, 5xx red.

FilterChip (new): reusable chip with a `tint` parameter. Selected
state paints `tint.opacity(0.18)` background with a `tint.opacity(0.5)`
stroke; idle state is transparent with a Theme.border stroke; hover
nudges the background to white@5%. Foreground flips to the tint
when selected so the chips read as colored pills, not generic
toggles.

TrafficListHeader cleanup:
- Drops the old FilterButton menu — its job is now done by the
  inline chips + text filter.
- Adds ResetFiltersButton next to DeleteAllButton, but only when at
  least one filter (search, kinds, methods, statuses, hosts,
  onlyErrors) is active. Same 22×22 round Theme.elevated button
  style as the trash and "+" buttons across the app.
- DeleteAllButton stays untouched.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

The inline filter bar (text input + three chip rows under the header)
read as too much chrome — three horizontally-scrolling chip strips
plus a search field plus the row list itself, all stacked. Collapse
the whole thing behind one filter button.

TrafficListView body drops the always-visible TrafficFilterBar. The
filter button in the header opens a SwiftUI popover containing the
same surface, just hidden by default:

FilterButton (header):
- Same 22×22 round Theme.elevated affordance as DeleteAllButton.
- `line.3.horizontal.decrease` glyph.
- Theme.success dot in the top-right when at least one filter is
  active, so the user can see the state without opening the
  popover. The hasActiveFilters check covers search, only-errors,
  resource kinds, methods, status buckets, and host inclusions.
- Tap toggles the popover, anchored to the top of the button.
- Drops the inline ResetFiltersButton — reset lives inside the
  popover now (only rendered when at least one filter is active).

FilterPopoverContent:
- 320pt wide popover with 14pt padding.
- Custom text filter row at the top (still the NSTextField wrapper,
  not SwiftUI's .searchable) on Theme.input rounded background with
  the mag-glass icon and a clear button.
- Three sections — Type, Method, Status — each labeled with a small
  uppercased Theme.textTertiary header (FilterSectionLabel) above
  the corresponding chip row. Method section is skipped entirely
  when no traffic has been captured yet.
- Errors-only toggle as a SwiftUI Toggle with .switch style tinted
  Theme.success. Sits as its own row under the chip groups.
- Reset footer (Theme.border divider + counterclockwise icon +
  "Reset filters" label) appears under all sections only when there
  is something to reset.

TrafficSearchField, ResourceKindRow, MethodRow, StatusRow, and
FilterChip are unchanged — they were already the right primitives,
they just moved from the inline bar to the popover content view.
TrafficFilterBar struct itself is gone since the popover is its
replacement.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Surface the response time inline so the user can spot slow requests
without opening the inspector. The duration trails the start
timestamp in parentheses, monospaced, slightly dimmer than the
timestamp itself to keep the timestamp as the primary glance value:

  200
  12:34:56 (234ms)

Format:
- Sub-second responses render as "234ms"
- Anything ≥ 1s renders as "1.23s"
- Nothing shown while the response is still streaming
  (flow.finishedAt is nil) — the row simply ends after the
  timestamp until the response lands.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…heck liveness

Two P1 bugs in waitForBoundPort + takeLine surfaced in PR review:

- takeLine matched the announcement line even when the trailing
  newline hadn't arrived yet, because `text.split(separator: "\n")`
  happily returns the final trailing fragment as its own segment.
  On a fragmented stdout read that's "RAE_AGENT_LISTENING:5" (the
  client still flushing the rest of "54321\n"), so `launch()` would
  hand back port 5 and the WebSocket client would connect to the
  wrong process. Now we only accept the prefixed line when it's
  truly complete: either `text` ends with `\n`, or the line sits
  before another segment.

- After parsing the port, `launch()` returned immediately. If the
  sidecar announced the port and then crashed one runloop tick
  later (Python exception during `serve()` accept loop, etc.),
  callers connected a WebSocket to a dead pid and saw confusing
  "notConnected" errors with no signal of what went wrong. Sleep
  20ms then re-check `process.isRunning`; if the process exited
  between the announcement and the recheck, surface the stderr
  snapshot (or processDied) so the UI gets the real cause.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

When `claude_agent_sdk.types.StreamEvent` isn't exposed by the
installed SDK build, the import fallback substitutes a sentinel
class so isinstance(...) checks never match. Previously the
AssistantMessage handler still unconditionally `continue`d on every
TextBlock — the rationale being "the text already came through as
a StreamEvent chunk" — but with the stub class, no StreamEvents
ever arrive, so the user got tool calls and the completion event
but never the assistant's reply.

Track whether streaming was actually wired up (`_STREAMING_ENABLED`)
and only skip TextBlocks when it is. In the fallback path, emit
the whole TextBlock as `assistant_text` so the UI still renders the
reply — just bulk instead of streaming, matching the pre-streaming
behavior.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…lear

Two related P2 issues around flow deletion:

- FlowStore.delete(ids:) caught the database write failure, logged
  it, and then still purged the rows from the in-memory list. The
  on-disk store and the live `flows` array could drift apart, and
  the user could "delete" rows that reappeared on next launch.
  Return after the catch so failed deletes leave both sides
  untouched and the user can retry.

- AppState.clearFlows wiped the store + selectedFlowID but never
  reset agentSelection. Stale UUIDs hung around, leaving the
  agent panel in explicit-selection mode (header reading "N
  selected") with nothing matchable in store.flows — so the next
  send went out with zero flows attached. Wipe agentSelection
  alongside selectedFlowID after a successful store.clear().

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…ntent-type

Two P2 inspector issues from PR review:

- The HTML Preview tab was passing the flow's original URL as the
  WKWebView baseURL, so when the user inspected a captured HTML
  response WebKit would resolve `<link href="…">`, `<img src="…">`,
  `<script src="…">` etc. against the live site and silently fire
  off network requests the proxy never saw — defeating the offline-
  inspection guarantee and possibly re-pinging private endpoints.
  Pass nil baseURL so all relative references resolve to nothing.
  The `flowURL` parameter on PreviewPaneContent is gone too — it
  was only used for this purpose.

- copyableBody gated the UTF-8 text path on
  `contentType.contains("text")`. Tons of perfectly readable
  payloads (JSON without an explicit Content-Type, application/xml,
  application/x-www-form-urlencoded, application/csp-report, etc.)
  fell through to the binary + base64 fallback even though they
  decode cleanly. Always prefer the UTF-8 dump when the bytes
  decode, regardless of MIME type — only fall back to base64 when
  decoding actually fails.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

…to current turn

Two P2 agent bugs flagged in PR review:

- AgentFlowPayload.encodedBody truncated bodies at the raw byte
  limit and then ran `String(data:encoding: .utf8)` on the result.
  When the cut landed mid-codepoint the decode failed and a
  perfectly readable text body fell through to the
  "<binary:N bytes, truncated>" placeholder. Step back up to 3
  bytes (max UTF-8 continuation length) to find a valid prefix
  before giving up — works for every payload that was
  misclassified before, no false binaries.

- recordStreamedAssistantTextIntoHistory walked the entire timeline
  backward looking for the most recent assistantText. If the
  current turn ended without one (tool-only turn, error mid-stream),
  it would happily find the *previous* turn's reply and append it
  again, duplicating that message in history. Scope the walk to
  events after the most recent userText event — that's where the
  current turn started — so we never re-commit a past turn.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

PR review pointed out two P3 cleanups in CommandPalette:

- `footer` (the ↑↓/↵/esc keyboard-hint strip) was implemented but
  never added to the view hierarchy after the user explicitly
  asked to remove the bottom bar. The view, FooterHint, and
  EscBadge helpers were all dead code — delete them. The hint
  information lives in tooltips on the relevant affordances now.

- ResultRow and PreviewPane each carried identical methodColor /
  statusColor switches. Future palette changes had to be made in
  two places or risk visual drift. Extract a fileprivate
  PaletteColors enum with `method(_:)` and `status(_:)` static
  functions; both views now call into it.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>