Add Mission Control integration with per-project toggle

When enabled, the entrypoint clones mission-control into ~/mission-control
(persisted on the home volume) and symlinks it to /workspace/mission-control.
Flight Control global and project instructions are programmatically appended
to CLAUDE.md. Container recreation is triggered on toggle change.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

.gitea/workflows/build-app.yml

@@ -19,6 +19,8 @@ env:
 jobs:
   build-linux:
     runs-on: ubuntu-latest
+    outputs:
+      version: ${{ steps.version.outputs.VERSION }}
     steps:
       - name: Install Node.js 22
         run: |
@@ -374,3 +376,96 @@ jobs:
             echo Uploading %%~nxf...
             curl -s -X POST -H "Authorization: token %TOKEN%" -H "Content-Type: application/octet-stream" --data-binary "@%%f" "%GITEA_URL%/api/v1/repos/%REPO%/releases/%RELEASE_ID%/assets?name=%%~nxf"
           )
+
+  sync-to-github:
+    runs-on: ubuntu-latest
+    needs: [build-linux, build-macos, build-windows]
+    if: gitea.event_name == 'push'
+    env:
+      GH_PAT: ${{ secrets.GH_PAT }}
+      GITHUB_REPO: shadowdao/triple-c
+    steps:
+      - name: Download artifacts from Gitea releases
+        env:
+          TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+          VERSION: ${{ needs.build-linux.outputs.version }}
+        run: |
+          set -e
+          mkdir -p artifacts
+
+          # Download assets from all 3 platform releases
+          for TAG_SUFFIX in "" "-mac" "-win"; do
+            TAG="v${VERSION}${TAG_SUFFIX}"
+            echo "==> Fetching assets for release ${TAG}..."
+
+            RELEASE_JSON=$(curl -sf \
+              -H "Authorization: token ${TOKEN}" \
+              "${GITEA_URL}/api/v1/repos/${REPO}/releases/tags/${TAG}" 2>/dev/null || echo "{}")
+
+            echo "$RELEASE_JSON" | jq -r '.assets[]? | "\(.name) \(.browser_download_url)"' | while read -r NAME URL; do
+              [ -z "$NAME" ] && continue
+              echo "    Downloading ${NAME}..."
+              curl -sfL \
+                -H "Authorization: token ${TOKEN}" \
+                -o "artifacts/${NAME}" \
+                "$URL"
+            done
+          done
+
+          echo "==> All downloaded artifacts:"
+          ls -la artifacts/
+
+      - name: Create GitHub release and upload artifacts
+        env:
+          VERSION: ${{ needs.build-linux.outputs.version }}
+          COMMIT_SHA: ${{ gitea.sha }}
+        run: |
+          set -e
+          TAG="v${VERSION}"
+
+          echo "==> Creating unified release ${TAG} on GitHub..."
+
+          # Delete existing release if present (idempotent re-runs)
+          EXISTING=$(curl -sf \
+            -H "Authorization: Bearer ${GH_PAT}" \
+            -H "Accept: application/vnd.github+json" \
+            "https://api.github.com/repos/${GITHUB_REPO}/releases/tags/${TAG}" 2>/dev/null || echo "{}")
+          EXISTING_ID=$(echo "$EXISTING" | jq -r '.id // empty')
+          if [ -n "$EXISTING_ID" ]; then
+            echo "    Deleting existing GitHub release ${TAG} (id: ${EXISTING_ID})..."
+            curl -sf -X DELETE \
+              -H "Authorization: Bearer ${GH_PAT}" \
+              -H "Accept: application/vnd.github+json" \
+              "https://api.github.com/repos/${GITHUB_REPO}/releases/${EXISTING_ID}"
+          fi
+
+          RESPONSE=$(curl -sf -X POST \
+            -H "Authorization: Bearer ${GH_PAT}" \
+            -H "Accept: application/vnd.github+json" \
+            -H "Content-Type: application/json" \
+            "https://api.github.com/repos/${GITHUB_REPO}/releases" \
+            -d "{
+              \"tag_name\": \"${TAG}\",
+              \"name\": \"Triple-C ${TAG}\",
+              \"body\": \"Automated build from commit ${COMMIT_SHA}\n\nIncludes Linux, macOS, and Windows artifacts.\",
+              \"draft\": false,
+              \"prerelease\": false
+            }")
+
+          UPLOAD_URL=$(echo "$RESPONSE" | jq -r '.upload_url' | sed 's/{?name,label}//')
+          echo "==> Upload URL: ${UPLOAD_URL}"
+
+          for file in artifacts/*; do
+            [ -f "$file" ] || continue
+            FILENAME=$(basename "$file")
+            MIME="application/octet-stream"
+            echo "==> Uploading ${FILENAME}..."
+            curl -sf -X POST \
+              -H "Authorization: Bearer ${GH_PAT}" \
+              -H "Accept: application/vnd.github+json" \
+              -H "Content-Type: ${MIME}" \
+              --data-binary "@${file}" \
+              "${UPLOAD_URL}?name=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1]))" "${FILENAME}")"
+          done
+
+          echo "==> GitHub release sync complete."

.gitea/workflows/sync-release.yml

@@ -1,8 +1,7 @@
 name: Sync Release to GitHub
 
 on:
-  release:
-    types: [published]
+  workflow_dispatch:
 
 jobs:
   sync-release:

app/public/audio-capture-processor.js

@@ -0,0 +1,17 @@
+class AudioCaptureProcessor extends AudioWorkletProcessor {
+  process(inputs, outputs, parameters) {
+    const input = inputs[0];
+    if (input && input.length > 0 && input[0].length > 0) {
+      const samples = input[0]; // Float32Array, mono channel
+      const int16 = new Int16Array(samples.length);
+      for (let i = 0; i < samples.length; i++) {
+        const s = Math.max(-1, Math.min(1, samples[i]));
+        int16[i] = s < 0 ? s * 0x8000 : s * 0x7FFF;
+      }
+      this.port.postMessage(int16.buffer, [int16.buffer]);
+    }
+    return true;
+  }
+}
+
+registerProcessor('audio-capture-processor', AudioCaptureProcessor);

app/src-tauri/Cargo.lock

@@ -4681,6 +4681,7 @@ dependencies = [
  "reqwest 0.12.28",
  "serde",
  "serde_json",
+ "sha2",
  "tar",
  "tauri",
  "tauri-build",

app/src-tauri/Cargo.toml

@@ -30,6 +30,7 @@ fern = { version = "0.7", features = ["date-based"] }
 tar = "0.4"
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
 iana-time-zone = "0.1"
+sha2 = "0.10"
 
 [build-dependencies]
 tauri-build = { version = "2", features = [] }

app/src-tauri/src/commands/terminal_commands.rs

@@ -1,7 +1,74 @@
 use tauri::{AppHandle, Emitter, State};
 
+use crate::models::{AuthMode, BedrockAuthMethod, Project};
 use crate::AppState;
 
+/// Build the command to run in the container terminal.
+///
+/// For Bedrock Profile projects, wraps `claude` in a bash script that validates
+/// the AWS session first. If the SSO session is expired, runs `aws sso login`
+/// so the user can re-authenticate (the URL is clickable via xterm.js WebLinksAddon).
+fn build_terminal_cmd(project: &Project, state: &AppState) -> Vec<String> {
+    let is_bedrock_profile = project.auth_mode == AuthMode::Bedrock
+        && project
+            .bedrock_config
+            .as_ref()
+            .map(|b| b.auth_method == BedrockAuthMethod::Profile)
+            .unwrap_or(false);
+
+    if !is_bedrock_profile {
+        return vec![
+            "claude".to_string(),
+            "--dangerously-skip-permissions".to_string(),
+        ];
+    }
+
+    // Resolve AWS profile: project-level → global settings → "default"
+    let profile = project
+        .bedrock_config
+        .as_ref()
+        .and_then(|b| b.aws_profile.clone())
+        .or_else(|| state.settings_store.get().global_aws.aws_profile.clone())
+        .unwrap_or_else(|| "default".to_string());
+
+    // Build a bash wrapper that validates credentials, re-auths if needed,
+    // then exec's into claude.
+    let script = format!(
+        r#"
+echo "Validating AWS session for profile '{profile}'..."
+if aws sts get-caller-identity --profile '{profile}' >/dev/null 2>&1; then
+    echo "AWS session valid."
+else
+    echo "AWS session expired or invalid."
+    # Check if this profile uses SSO (has sso_start_url configured)
+    if aws configure get sso_start_url --profile '{profile}' >/dev/null 2>&1; then
+        echo "Starting SSO login — click the URL below to authenticate:"
+        echo ""
+        aws sso login --profile '{profile}'
+        if [ $? -ne 0 ]; then
+            echo ""
+            echo "SSO login failed or was cancelled. Starting Claude anyway..."
+            echo "You may see authentication errors."
+            echo ""
+        fi
+    else
+        echo "Profile '{profile}' does not use SSO. Check your AWS credentials."
+        echo "Starting Claude anyway..."
+        echo ""
+    fi
+fi
+exec claude --dangerously-skip-permissions
+"#,
+        profile = profile
+    );
+
+    vec![
+        "bash".to_string(),
+        "-c".to_string(),
+        script,
+    ]
+}
+
 #[tauri::command]
 pub async fn open_terminal_session(
     project_id: String,
@@ -19,10 +86,7 @@ pub async fn open_terminal_session(
         .as_ref()
         .ok_or_else(|| "Container not running".to_string())?;
 
-    let cmd = vec![
-        "claude".to_string(),
-        "--dangerously-skip-permissions".to_string(),
-    ];
+    let cmd = build_terminal_cmd(&project, &state);
 
     let output_event = format!("terminal-output-{}", session_id);
     let exit_event = format!("terminal-exit-{}", session_id);
@@ -69,6 +133,10 @@ pub async fn close_terminal_session(
     session_id: String,
     state: State<'_, AppState>,
 ) -> Result<(), String> {
+    // Close audio bridge if it exists
+    let audio_session_id = format!("audio-{}", session_id);
+    state.exec_manager.close_session(&audio_session_id).await;
+    // Close terminal session
     state.exec_manager.close_session(&session_id).await;
     Ok(())
 }
@@ -92,3 +160,53 @@ pub async fn paste_image_to_terminal(
         .write_file_to_container(&container_id, &file_name, &image_data)
         .await
 }
+
+#[tauri::command]
+pub async fn start_audio_bridge(
+    session_id: String,
+    state: State<'_, AppState>,
+) -> Result<(), String> {
+    // Get container_id from the terminal session
+    let container_id = state.exec_manager.get_container_id(&session_id).await?;
+
+    // Create audio bridge exec session with ID "audio-{session_id}"
+    // The loop handles reconnection when the FIFO reader (fake rec) is killed and restarted
+    let audio_session_id = format!("audio-{}", session_id);
+    let cmd = vec![
+        "bash".to_string(),
+        "-c".to_string(),
+        "FIFO=/tmp/triple-c-audio-input; [ -p \"$FIFO\" ] || mkfifo \"$FIFO\"; trap '' PIPE; while true; do cat > \"$FIFO\" 2>/dev/null; sleep 0.1; done".to_string(),
+    ];
+
+    state
+        .exec_manager
+        .create_session_with_tty(
+            &container_id,
+            &audio_session_id,
+            cmd,
+            false,
+            |_data| { /* ignore output from the audio bridge */ },
+            Box::new(|| { /* no exit handler needed */ }),
+        )
+        .await
+}
+
+#[tauri::command]
+pub async fn send_audio_data(
+    session_id: String,
+    data: Vec<u8>,
+    state: State<'_, AppState>,
+) -> Result<(), String> {
+    let audio_session_id = format!("audio-{}", session_id);
+    state.exec_manager.send_input(&audio_session_id, data).await
+}
+
+#[tauri::command]
+pub async fn stop_audio_bridge(
+    session_id: String,
+    state: State<'_, AppState>,
+) -> Result<(), String> {
+    let audio_session_id = format!("audio-{}", session_id);
+    state.exec_manager.close_session(&audio_session_id).await;
+    Ok(())
+}

app/src-tauri/src/docker/container.rs

@@ -5,8 +5,7 @@ use bollard::container::{
 use bollard::image::{CommitContainerOptions, RemoveImageOptions};
 use bollard::models::{ContainerSummary, HostConfig, Mount, MountTypeEnum, PortBinding};
 use std::collections::HashMap;
-use std::collections::hash_map::DefaultHasher;
-use std::hash::{Hash, Hasher};
+use sha2::{Sha256, Digest};
 
 use super::client::get_docker;
 use crate::models::{AuthMode, BedrockAuthMethod, ContainerInfo, EnvVar, GlobalAwsSettings, McpServer, McpTransportType, PortMapping, Project, ProjectPath};
@@ -41,6 +40,54 @@ After tasks run, check notifications with `triple-c-scheduler notifications` and
 ### Timezone
 Scheduled times use the container's configured timezone (check with `date`). If no timezone is configured, UTC is used."#;
 
+const MISSION_CONTROL_GLOBAL_INSTRUCTIONS: &str = r#"## Mission Control
+
+The `/workspace/mission-control/` directory contains **Flight Control** — an AI-first development methodology for structured project management. Use it for all project work.
+
+### How It Works
+
+- **Mission Control is a tool, not a project.** It provides skills and methodology for managing other projects.
+- All Flight Control skills live in `/workspace/mission-control/.claude/skills/`
+- The projects registry at `/workspace/mission-control/projects.md` lists all active projects
+
+### When to Use
+
+When working on any project that has a `.flightops/` directory, follow the Flight Control methodology:
+1. Read the project's `.flightops/ARTIFACTS.md` to understand artifact storage
+2. Read `.flightops/FLIGHT_OPERATIONS.md` for the implementation workflow
+3. Use Mission Control skills for planning and execution
+
+### Available Skills
+
+| Skill | When to Use |
+|-------|-------------|
+| `/init-project` | Setting up a new project for Flight Control |
+| `/mission` | Defining new work outcomes (days-to-weeks scope) |
+| `/flight` | Creating technical specs from missions (hours-to-days scope) |
+| `/leg` | Generating implementation steps from flights (minutes-to-hours scope) |
+| `/agentic-workflow` | Executing legs with multi-agent workflow (implement, review, commit) |
+| `/flight-debrief` | Post-flight analysis after a flight lands |
+| `/mission-debrief` | Post-mission retrospective after completion |
+| `/daily-briefing` | Cross-project status report |
+
+### Key Rules
+
+- **Planning skills produce artifacts only** — never modify source code directly
+- **Phase gates require human confirmation** — missions before flights, flights before legs
+- **Legs are immutable once in-flight** — create new ones instead of modifying
+- **`/agentic-workflow` orchestrates implementation** — it spawns separate Developer and Reviewer agents
+- **Artifacts live in the target project** — not in mission-control"#;
+
+const MISSION_CONTROL_PROJECT_INSTRUCTIONS: &str = r#"## Flight Operations
+
+This project uses [Flight Control](https://github.com/msieurthenardier/mission-control) for structured development.
+
+**Before any mission/flight/leg work, read these files in order:**
+1. `.flightops/README.md` — What the flightops directory contains
+2. `.flightops/FLIGHT_OPERATIONS.md` — **The workflow you MUST follow**
+3. `.flightops/ARTIFACTS.md` — Where all artifacts are stored
+4. `.flightops/agent-crews/` — Project crew definitions for each phase (read the relevant crew file)"#;
+
 /// Build the full CLAUDE_INSTRUCTIONS value by merging global + project
 /// instructions, appending port mapping docs, and appending scheduler docs.
 /// Used by both create_container() and container_needs_recreation() to ensure
@@ -49,8 +96,13 @@ fn build_claude_instructions(
     global_instructions: Option<&str>,
     project_instructions: Option<&str>,
     port_mappings: &[PortMapping],
+    mission_control_enabled: bool,
 ) -> Option<String> {
-    let mut combined = merge_claude_instructions(global_instructions, project_instructions);
+    let mut combined = merge_claude_instructions(
+        global_instructions,
+        project_instructions,
+        mission_control_enabled,
+    );
 
     if !port_mappings.is_empty() {
         let mut port_lines: Vec<String> = Vec::new();
@@ -117,32 +169,63 @@ fn merge_custom_env_vars(global: &[EnvVar], project: &[EnvVar]) -> Vec<EnvVar> {
 }
 
 /// Merge global and per-project Claude instructions into a single string.
+/// When mission_control_enabled is true, appends Mission Control global
+/// instructions after global and project instructions after project.
 fn merge_claude_instructions(
     global_instructions: Option<&str>,
     project_instructions: Option<&str>,
+    mission_control_enabled: bool,
 ) -> Option<String> {
-    match (global_instructions, project_instructions) {
+    // Build the global portion (user global + optional MC global)
+    let global_part = if mission_control_enabled {
+        match global_instructions {
+            Some(g) => Some(format!("{}\n\n{}", g, MISSION_CONTROL_GLOBAL_INSTRUCTIONS)),
+            None => Some(MISSION_CONTROL_GLOBAL_INSTRUCTIONS.to_string()),
+        }
+    } else {
+        global_instructions.map(|g| g.to_string())
+    };
+
+    // Build the project portion (user project + optional MC project)
+    let project_part = if mission_control_enabled {
+        match project_instructions {
+            Some(p) => Some(format!("{}\n\n{}", p, MISSION_CONTROL_PROJECT_INSTRUCTIONS)),
+            None => Some(MISSION_CONTROL_PROJECT_INSTRUCTIONS.to_string()),
+        }
+    } else {
+        project_instructions.map(|p| p.to_string())
+    };
+
+    match (global_part, project_part) {
         (Some(g), Some(p)) => Some(format!("{}\n\n{}", g, p)),
-        (Some(g), None) => Some(g.to_string()),
-        (None, Some(p)) => Some(p.to_string()),
+        (Some(g), None) => Some(g),
+        (None, Some(p)) => Some(p),
         (None, None) => None,
     }
 }
 
+/// Hash a string with SHA-256 and return the hex digest.
+fn sha256_hex(input: &str) -> String {
+    let mut hasher = Sha256::new();
+    hasher.update(input.as_bytes());
+    format!("{:x}", hasher.finalize())
+}
+
 /// Compute a fingerprint for the Bedrock configuration so we can detect changes.
 fn compute_bedrock_fingerprint(project: &Project) -> String {
     if let Some(ref bedrock) = project.bedrock_config {
-        let mut hasher = DefaultHasher::new();
-        format!("{:?}", bedrock.auth_method).hash(&mut hasher);
-        bedrock.aws_region.hash(&mut hasher);
-        bedrock.aws_access_key_id.hash(&mut hasher);
-        bedrock.aws_secret_access_key.hash(&mut hasher);
-        bedrock.aws_session_token.hash(&mut hasher);
-        bedrock.aws_profile.hash(&mut hasher);
-        bedrock.aws_bearer_token.hash(&mut hasher);
-        bedrock.model_id.hash(&mut hasher);
-        bedrock.disable_prompt_caching.hash(&mut hasher);
-        format!("{:x}", hasher.finish())
+        let parts = vec![
+            format!("{:?}", bedrock.auth_method),
+            bedrock.aws_region.clone(),
+            bedrock.aws_access_key_id.as_deref().unwrap_or("").to_string(),
+            bedrock.aws_secret_access_key.as_deref().unwrap_or("").to_string(),
+            bedrock.aws_session_token.as_deref().unwrap_or("").to_string(),
+            bedrock.aws_profile.as_deref().unwrap_or("").to_string(),
+            bedrock.aws_bearer_token.as_deref().unwrap_or("").to_string(),
+            bedrock.model_id.as_deref().unwrap_or("").to_string(),
+            format!("{}", bedrock.disable_prompt_caching),
+        ];
+        sha256_hex(&parts.join("|"))
     } else {
         String::new()
     }
@@ -157,9 +240,7 @@ fn compute_paths_fingerprint(paths: &[ProjectPath]) -> String {
         .collect();
     parts.sort();
     let joined = parts.join(",");
-    let mut hasher = DefaultHasher::new();
-    joined.hash(&mut hasher);
-    format!("{:x}", hasher.finish())
+    sha256_hex(&joined)
 }
 
 /// Compute a fingerprint for port mappings so we can detect changes.
@@ -171,9 +252,7 @@ fn compute_ports_fingerprint(port_mappings: &[PortMapping]) -> String {
         .collect();
     parts.sort();
     let joined = parts.join(",");
-    let mut hasher = DefaultHasher::new();
-    joined.hash(&mut hasher);
-    format!("{:x}", hasher.finish())
+    sha256_hex(&joined)
 }
 
 /// Build the JSON value for MCP servers config to be injected into ~/.claude.json.
@@ -250,9 +329,7 @@ fn compute_mcp_fingerprint(servers: &[McpServer]) -> String {
         return String::new();
     }
     let json = build_mcp_servers_json(servers);
-    let mut hasher = DefaultHasher::new();
-    json.hash(&mut hasher);
-    format!("{:x}", hasher.finish())
+    sha256_hex(&json)
 }
 
 pub async fn find_existing_container(project: &Project) -> Result<Option<String>, String> {
@@ -425,11 +502,17 @@ pub async fn create_container(
         }
     }
 
+    // Mission Control env var
+    if project.mission_control_enabled {
+        env_vars.push("MISSION_CONTROL_ENABLED=1".to_string());
+    }
+
     // Claude instructions (global + per-project, plus port mapping info + scheduler docs)
     let combined_instructions = build_claude_instructions(
         global_claude_instructions,
         project.claude_instructions.as_deref(),
         &project.port_mappings,
+        project.mission_control_enabled,
     );
 
     if let Some(ref instructions) = combined_instructions {
@@ -507,7 +590,7 @@ pub async fn create_container(
         if let Some(ref aws_path) = aws_dir {
             if aws_path.exists() {
                 mounts.push(Mount {
-                    target: Some("/home/claude/.aws".to_string()),
+                    target: Some("/tmp/.host-aws".to_string()),
                     source: Some(aws_path.to_string_lossy().to_string()),
                     typ: Some(MountTypeEnum::BIND),
                     read_only: Some(true),
@@ -566,6 +649,7 @@ pub async fn create_container(
     labels.insert("triple-c.image".to_string(), image_name.to_string());
     labels.insert("triple-c.timezone".to_string(), timezone.unwrap_or("").to_string());
     labels.insert("triple-c.mcp-fingerprint".to_string(), compute_mcp_fingerprint(mcp_servers));
+    labels.insert("triple-c.mission-control".to_string(), project.mission_control_enabled.to_string());
 
     let host_config = HostConfig {
         mounts: Some(mounts),
@@ -884,11 +968,20 @@ pub async fn container_needs_recreation(
         return Ok(true);
     }
 
+    // ── Mission Control ────────────────────────────────────────────────────
+    let expected_mc = project.mission_control_enabled.to_string();
+    let container_mc = get_label("triple-c.mission-control").unwrap_or_else(|| "false".to_string());
+    if container_mc != expected_mc {
+        log::info!("Mission Control mismatch (container={:?}, expected={:?})", container_mc, expected_mc);
+        return Ok(true);
+    }
+
     // ── Claude instructions ───────────────────────────────────────────────
     let expected_instructions = build_claude_instructions(
         global_claude_instructions,
         project.claude_instructions.as_deref(),
         &project.port_mappings,
+        project.mission_control_enabled,
     );
     let container_instructions = get_env("CLAUDE_INSTRUCTIONS");
     if container_instructions.as_deref() != expected_instructions.as_deref() {

app/src-tauri/src/docker/exec.rs

@@ -60,6 +60,22 @@ impl ExecSessionManager {
         on_output: F,
         on_exit: Box<dyn FnOnce() + Send>,
     ) -> Result<(), String>
+    where
+        F: Fn(Vec<u8>) + Send + 'static,
+    {
+        self.create_session_with_tty(container_id, session_id, cmd, true, on_output, on_exit)
+            .await
+    }
+
+    pub async fn create_session_with_tty<F>(
+        &self,
+        container_id: &str,
+        session_id: &str,
+        cmd: Vec<String>,
+        tty: bool,
+        on_output: F,
+        on_exit: Box<dyn FnOnce() + Send>,
+    ) -> Result<(), String>
     where
         F: Fn(Vec<u8>) + Send + 'static,
     {
@@ -72,7 +88,7 @@ impl ExecSessionManager {
                     attach_stdin: Some(true),
                     attach_stdout: Some(true),
                     attach_stderr: Some(true),
-                    tty: Some(true),
+                    tty: Some(tty),
                     cmd: Some(cmd),
                     user: Some("claude".to_string()),
                     working_dir: Some("/workspace".to_string()),

app/src-tauri/src/lib.rs

@@ -101,6 +101,9 @@ pub fn run() {
             commands::terminal_commands::terminal_resize,
             commands::terminal_commands::close_terminal_session,
             commands::terminal_commands::paste_image_to_terminal,
+            commands::terminal_commands::start_audio_bridge,
+            commands::terminal_commands::send_audio_data,
+            commands::terminal_commands::stop_audio_bridge,
             // MCP
             commands::mcp_commands::list_mcp_servers,
             commands::mcp_commands::add_mcp_server,

app/src-tauri/src/models/app_settings.rs

@@ -70,6 +70,8 @@ pub struct AppSettings {
     pub dismissed_update_version: Option<String>,
     #[serde(default)]
     pub timezone: Option<String>,
+    #[serde(default)]
+    pub default_microphone: Option<String>,
 }
 
 impl Default for AppSettings {
@@ -87,6 +89,7 @@ impl Default for AppSettings {
             auto_check_updates: true,
             dismissed_update_version: None,
             timezone: None,
+            default_microphone: None,
         }
     }
 }

app/src-tauri/src/models/project.rs

@@ -34,8 +34,10 @@ pub struct Project {
     pub auth_mode: AuthMode,
     pub bedrock_config: Option<BedrockConfig>,
     pub allow_docker_access: bool,
+    #[serde(default)]
+    pub mission_control_enabled: bool,
     pub ssh_key_path: Option<String>,
-    #[serde(skip_serializing)]
+    #[serde(skip_serializing, default)]
     pub git_token: Option<String>,
     pub git_user_name: Option<String>,
     pub git_user_email: Option<String>,
@@ -100,14 +102,14 @@ impl Default for BedrockAuthMethod {
 pub struct BedrockConfig {
     pub auth_method: BedrockAuthMethod,
     pub aws_region: String,
-    #[serde(skip_serializing)]
+    #[serde(skip_serializing, default)]
     pub aws_access_key_id: Option<String>,
-    #[serde(skip_serializing)]
+    #[serde(skip_serializing, default)]
     pub aws_secret_access_key: Option<String>,
-    #[serde(skip_serializing)]
+    #[serde(skip_serializing, default)]
     pub aws_session_token: Option<String>,
     pub aws_profile: Option<String>,
-    #[serde(skip_serializing)]
+    #[serde(skip_serializing, default)]
     pub aws_bearer_token: Option<String>,
     pub model_id: Option<String>,
     pub disable_prompt_caching: bool,
@@ -125,6 +127,7 @@ impl Project {
             auth_mode: AuthMode::default(),
             bedrock_config: None,
             allow_docker_access: false,
+            mission_control_enabled: false,
             ssh_key_path: None,
             git_token: None,
             git_user_name: None,

app/src/components/projects/ProjectCard.tsx

@@ -30,6 +30,9 @@ export default function ProjectCard({ project }: Props) {
   const [progressMsg, setProgressMsg] = useState<string | null>(null);
   const [activeOperation, setActiveOperation] = useState<"starting" | "stopping" | "resetting" | null>(null);
   const [operationCompleted, setOperationCompleted] = useState(false);
+  const [showRemoveConfirm, setShowRemoveConfirm] = useState(false);
+  const [isEditingName, setIsEditingName] = useState(false);
+  const [editName, setEditName] = useState(project.name);
   const isSelected = selectedProjectId === project.id;
   const isStopped = project.status === "stopped" || project.status === "error";
 
@@ -54,6 +57,7 @@ export default function ProjectCard({ project }: Props) {
 
   // Sync local state when project prop changes (e.g., after save or external update)
   useEffect(() => {
+    setEditName(project.name);
     setPaths(project.paths ?? []);
     setSshKeyPath(project.ssh_key_path ?? "");
     setGitName(project.git_user_name ?? "");
@@ -309,7 +313,41 @@ export default function ProjectCard({ project }: Props) {
     >
       <div className="flex items-center gap-2">
         <span className={`w-2 h-2 rounded-full flex-shrink-0 ${statusColor}`} />
-        <span className="text-sm font-medium truncate flex-1">{project.name}</span>
+        {isEditingName ? (
+          <input
+            autoFocus
+            value={editName}
+            onChange={(e) => setEditName(e.target.value)}
+            onBlur={async () => {
+              setIsEditingName(false);
+              const trimmed = editName.trim();
+              if (trimmed && trimmed !== project.name) {
+                try {
+                  await update({ ...project, name: trimmed });
+                } catch (err) {
+                  console.error("Failed to rename project:", err);
+                  setEditName(project.name);
+                }
+              } else {
+                setEditName(project.name);
+              }
+            }}
+            onKeyDown={(e) => {
+              if (e.key === "Enter") (e.target as HTMLInputElement).blur();
+              if (e.key === "Escape") { setEditName(project.name); setIsEditingName(false); }
+            }}
+            onClick={(e) => e.stopPropagation()}
+            className="text-sm font-medium flex-1 min-w-0 px-1 py-0 bg-[var(--bg-primary)] border border-[var(--accent)] rounded text-[var(--text-primary)] focus:outline-none"
+          />
+        ) : (
+          <span
+            className="text-sm font-medium truncate flex-1 cursor-text"
+            title="Double-click to rename"
+            onDoubleClick={(e) => { e.stopPropagation(); setIsEditingName(true); }}
+          >
+            {project.name}
+          </span>
+        )}
       </div>
       <div className="mt-0.5 ml-4 space-y-0.5">
         {project.paths.map((pp, i) => (
@@ -385,16 +423,34 @@ export default function ProjectCard({ project }: Props) {
               disabled={false}
               label={showConfig ? "Hide" : "Config"}
             />
-            <ActionButton
-              onClick={async () => {
-                if (confirm(`Remove project "${project.name}"?`)) {
+            {showRemoveConfirm ? (
+              <span className="inline-flex items-center gap-1 text-xs">
+                <span className="text-[var(--text-secondary)]">Remove?</span>
+                <button
+                  onClick={async (e) => {
+                    e.stopPropagation();
+                    setShowRemoveConfirm(false);
                     await remove(project.id);
-                }
                   }}
+                  className="px-1.5 py-0.5 rounded text-white bg-[var(--error)] hover:opacity-80 transition-colors"
+                >
+                  Yes
+                </button>
+                <button
+                  onClick={(e) => { e.stopPropagation(); setShowRemoveConfirm(false); }}
+                  className="px-1.5 py-0.5 rounded text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-[var(--bg-primary)] transition-colors"
+                >
+                  No
+                </button>
+              </span>
+            ) : (
+              <ActionButton
+                onClick={() => setShowRemoveConfirm(true)}
                 disabled={loading}
                 label="Remove"
                 danger
               />
+            )}
           </div>
 
           {/* Config panel */}
@@ -576,6 +632,28 @@ export default function ProjectCard({ project }: Props) {
                 </button>
               </div>
 
+              {/* Mission Control toggle */}
+              <div className="flex items-center gap-2">
+                <label className="text-xs text-[var(--text-secondary)]">Mission Control</label>
+                <button
+                  onClick={async () => {
+                    try {
+                      await update({ ...project, mission_control_enabled: !project.mission_control_enabled });
+                    } catch (err) {
+                      console.error("Failed to update Mission Control setting:", err);
+                    }
+                  }}
+                  disabled={!isStopped}
+                  className={`px-2 py-0.5 text-xs rounded transition-colors disabled:opacity-50 ${
+                    project.mission_control_enabled
+                      ? "bg-[var(--success)] text-white"
+                      : "bg-[var(--bg-primary)] border border-[var(--border-color)] text-[var(--text-secondary)]"
+                  }`}
+                >
+                  {project.mission_control_enabled ? "ON" : "OFF"}
+                </button>
+              </div>
+
               {/* Environment Variables */}
               <div className="flex items-center justify-between">
                 <label className="text-xs text-[var(--text-secondary)]">
@@ -869,3 +947,4 @@ function ActionButton({
     </button>
   );
 }
+

app/src/components/settings/MicrophoneSettings.tsx

@@ -0,0 +1,101 @@
+import { useState, useEffect, useCallback } from "react";
+import { useSettings } from "../../hooks/useSettings";
+
+interface AudioDevice {
+  deviceId: string;
+  label: string;
+}
+
+export default function MicrophoneSettings() {
+  const { appSettings, saveSettings } = useSettings();
+  const [devices, setDevices] = useState<AudioDevice[]>([]);
+  const [selected, setSelected] = useState(appSettings?.default_microphone ?? "");
+  const [loading, setLoading] = useState(false);
+  const [permissionNeeded, setPermissionNeeded] = useState(false);
+
+  // Sync local state when appSettings change
+  useEffect(() => {
+    setSelected(appSettings?.default_microphone ?? "");
+  }, [appSettings?.default_microphone]);
+
+  const enumerateDevices = useCallback(async () => {
+    setLoading(true);
+    setPermissionNeeded(false);
+    try {
+      // Request mic permission first so device labels are available
+      const stream = await navigator.mediaDevices.getUserMedia({ audio: true });
+      stream.getTracks().forEach((t) => t.stop());
+
+      const allDevices = await navigator.mediaDevices.enumerateDevices();
+      const mics = allDevices
+        .filter((d) => d.kind === "audioinput")
+        .map((d) => ({
+          deviceId: d.deviceId,
+          label: d.label || `Microphone (${d.deviceId.slice(0, 8)}...)`,
+        }));
+      setDevices(mics);
+    } catch {
+      setPermissionNeeded(true);
+    } finally {
+      setLoading(false);
+    }
+  }, []);
+
+  // Enumerate devices on mount
+  useEffect(() => {
+    enumerateDevices();
+  }, [enumerateDevices]);
+
+  const handleChange = async (deviceId: string) => {
+    setSelected(deviceId);
+    if (appSettings) {
+      await saveSettings({ ...appSettings, default_microphone: deviceId || null });
+    }
+  };
+
+  return (
+    <div>
+      <label className="block text-sm font-medium mb-1">Microphone</label>
+      <p className="text-xs text-[var(--text-secondary)] mb-1.5">
+        Audio input device for Claude Code voice mode (/voice)
+      </p>
+      {permissionNeeded ? (
+        <div className="flex items-center gap-2">
+          <span className="text-xs text-[var(--text-secondary)]">
+            Microphone permission required
+          </span>
+          <button
+            onClick={enumerateDevices}
+            className="text-xs px-2 py-0.5 text-[var(--accent)] hover:text-[var(--accent-hover)] hover:bg-[var(--bg-primary)] rounded transition-colors"
+          >
+            Grant Access
+          </button>
+        </div>
+      ) : (
+        <div className="flex items-center gap-2">
+          <select
+            value={selected}
+            onChange={(e) => handleChange(e.target.value)}
+            disabled={loading}
+            className="flex-1 px-2 py-1 text-sm bg-[var(--bg-primary)] border border-[var(--border-color)] rounded focus:outline-none focus:border-[var(--accent)]"
+          >
+            <option value="">System Default</option>
+            {devices.map((d) => (
+              <option key={d.deviceId} value={d.deviceId}>
+                {d.label}
+              </option>
+            ))}
+          </select>
+          <button
+            onClick={enumerateDevices}
+            disabled={loading}
+            title="Refresh microphone list"
+            className="text-xs px-2 py-1 text-[var(--text-secondary)] hover:text-[var(--text-primary)] hover:bg-[var(--bg-primary)] rounded transition-colors disabled:opacity-50"
+          >
+            {loading ? "..." : "Refresh"}
+          </button>
+        </div>
+      )}
+    </div>
+  );
+}

app/src/components/terminal/TerminalView.tsx

@@ -82,6 +82,25 @@ export default function TerminalView({ sessionId, active }: Props) {
     // Send initial size
     resize(sessionId, term.cols, term.rows);
 
+    // Handle OSC 52 clipboard write sequences from programs inside the container.
+    // When a program (e.g. Claude Code) copies text via xclip/xsel/pbcopy, the
+    // container's shim emits an OSC 52 escape sequence which xterm.js routes here.
+    const osc52Disposable = term.parser.registerOscHandler(52, (data) => {
+      const idx = data.indexOf(";");
+      if (idx === -1) return false;
+      const payload = data.substring(idx + 1);
+      if (payload === "?") return false; // clipboard read request, not supported
+      try {
+        const decoded = atob(payload);
+        navigator.clipboard.writeText(decoded).catch((e) =>
+          console.error("OSC 52 clipboard write failed:", e),
+        );
+      } catch (e) {
+        console.error("OSC 52 decode failed:", e);
+      }
+      return true;
+    });
+
     // Handle user input -> backend
     const inputDisposable = term.onData((data) => {
       sendInput(sessionId, data);
@@ -170,6 +189,7 @@ export default function TerminalView({ sessionId, active }: Props) {
       aborted = true;
       detector.dispose();
       detectorRef.current = null;
+      osc52Disposable.dispose();
       inputDisposable.dispose();
       scrollDisposable.dispose();
       containerRef.current?.removeEventListener("paste", handlePaste, { capture: true });

app/src/components/terminal/osc52.test.ts

@@ -0,0 +1,59 @@
+import { describe, it, expect, vi, beforeEach } from "vitest";
+
+/**
+ * Tests the OSC 52 clipboard parsing logic used in TerminalView.
+ * Extracted here to validate the decode/write path independently.
+ */
+
+// Mirrors the handler registered in TerminalView.tsx
+function handleOsc52(data: string): string | null {
+  const idx = data.indexOf(";");
+  if (idx === -1) return null;
+  const payload = data.substring(idx + 1);
+  if (payload === "?") return null;
+  try {
+    return atob(payload);
+  } catch {
+    return null;
+  }
+}
+
+describe("OSC 52 clipboard handler", () => {
+  it("decodes a valid clipboard write sequence", () => {
+    // "c;BASE64" where BASE64 encodes "https://example.com"
+    const encoded = btoa("https://example.com");
+    const result = handleOsc52(`c;${encoded}`);
+    expect(result).toBe("https://example.com");
+  });
+
+  it("decodes multi-line content", () => {
+    const text = "line1\nline2\nline3";
+    const encoded = btoa(text);
+    const result = handleOsc52(`c;${encoded}`);
+    expect(result).toBe(text);
+  });
+
+  it("handles primary selection target (p)", () => {
+    const encoded = btoa("selected text");
+    const result = handleOsc52(`p;${encoded}`);
+    expect(result).toBe("selected text");
+  });
+
+  it("returns null for clipboard read request (?)", () => {
+    expect(handleOsc52("c;?")).toBe(null);
+  });
+
+  it("returns null for missing semicolon", () => {
+    expect(handleOsc52("invalid")).toBe(null);
+  });
+
+  it("returns null for invalid base64", () => {
+    expect(handleOsc52("c;!!!not-base64!!!")).toBe(null);
+  });
+
+  it("handles empty payload after selection target", () => {
+    // btoa("") = ""
+    const result = handleOsc52("c;");
+    expect(result).toBe("");
+  });
+});

app/src/hooks/useVoice.ts

@@ -0,0 +1,103 @@
+import { useCallback, useRef, useState } from "react";
+import * as commands from "../lib/tauri-commands";
+
+type VoiceState = "inactive" | "starting" | "active" | "error";
+
+export function useVoice(sessionId: string, deviceId?: string | null) {
+  const [state, setState] = useState<VoiceState>("inactive");
+  const [error, setError] = useState<string | null>(null);
+
+  const audioContextRef = useRef<AudioContext | null>(null);
+  const streamRef = useRef<MediaStream | null>(null);
+  const workletRef = useRef<AudioWorkletNode | null>(null);
+
+  const start = useCallback(async () => {
+    if (state === "active" || state === "starting") return;
+    setState("starting");
+    setError(null);
+
+    try {
+      // 1. Start the audio bridge in the container (creates FIFO writer)
+      await commands.startAudioBridge(sessionId);
+
+      // 2. Get microphone access (use specific device if configured)
+      const audioConstraints: MediaTrackConstraints = {
+        channelCount: 1,
+        echoCancellation: true,
+        noiseSuppression: true,
+        autoGainControl: true,
+      };
+      if (deviceId) {
+        audioConstraints.deviceId = { exact: deviceId };
+      }
+
+      const stream = await navigator.mediaDevices.getUserMedia({
+        audio: audioConstraints,
+      });
+      streamRef.current = stream;
+
+      // 3. Create AudioContext at 16kHz (browser handles resampling)
+      const audioContext = new AudioContext({ sampleRate: 16000 });
+      audioContextRef.current = audioContext;
+
+      // 4. Load AudioWorklet processor
+      await audioContext.audioWorklet.addModule("/audio-capture-processor.js");
+
+      // 5. Connect: mic → worklet → (silent) destination
+      const source = audioContext.createMediaStreamSource(stream);
+      const processor = new AudioWorkletNode(audioContext, "audio-capture-processor");
+      workletRef.current = processor;
+
+      // 6. Handle PCM chunks from the worklet
+      processor.port.onmessage = (event: MessageEvent<ArrayBuffer>) => {
+        const bytes = Array.from(new Uint8Array(event.data));
+        commands.sendAudioData(sessionId, bytes).catch(() => {
+          // Audio bridge may have been closed — ignore send errors
+        });
+      };
+
+      source.connect(processor);
+      processor.connect(audioContext.destination);
+
+      setState("active");
+    } catch (e) {
+      const msg = e instanceof Error ? e.message : String(e);
+      setError(msg);
+      setState("error");
+      // Clean up on failure
+      await commands.stopAudioBridge(sessionId).catch(() => {});
+    }
+  }, [sessionId, state, deviceId]);
+
+  const stop = useCallback(async () => {
+    // Tear down audio pipeline
+    workletRef.current?.disconnect();
+    workletRef.current = null;
+
+    if (audioContextRef.current) {
+      await audioContextRef.current.close().catch(() => {});
+      audioContextRef.current = null;
+    }
+
+    if (streamRef.current) {
+      streamRef.current.getTracks().forEach((t) => t.stop());
+      streamRef.current = null;
+    }
+
+    // Stop the container-side audio bridge
+    await commands.stopAudioBridge(sessionId).catch(() => {});
+
+    setState("inactive");
+    setError(null);
+  }, [sessionId]);
+
+  const toggle = useCallback(async () => {
+    if (state === "active") {
+      await stop();
+    } else {
+      await start();
+    }
+  }, [state, start, stop]);
+
+  return { state, error, start, stop, toggle };
+}

app/src/lib/tauri-commands.ts

@@ -49,6 +49,12 @@ export const closeTerminalSession = (sessionId: string) =>
   invoke<void>("close_terminal_session", { sessionId });
 export const pasteImageToTerminal = (sessionId: string, imageData: number[]) =>
   invoke<string>("paste_image_to_terminal", { sessionId, imageData });
+export const startAudioBridge = (sessionId: string) =>
+  invoke<void>("start_audio_bridge", { sessionId });
+export const sendAudioData = (sessionId: string, data: number[]) =>
+  invoke<void>("send_audio_data", { sessionId, data });
+export const stopAudioBridge = (sessionId: string) =>
+  invoke<void>("stop_audio_bridge", { sessionId });
 
 // MCP Servers
 export const listMcpServers = () => invoke<McpServer[]>("list_mcp_servers");

app/src/lib/types.ts

@@ -23,6 +23,7 @@ export interface Project {
   auth_mode: AuthMode;
   bedrock_config: BedrockConfig | null;
   allow_docker_access: boolean;
+  mission_control_enabled: boolean;
   ssh_key_path: string | null;
   git_token: string | null;
   git_user_name: string | null;
@@ -100,6 +101,7 @@ export interface AppSettings {
   auto_check_updates: boolean;
   dismissed_update_version: string | null;
   timezone: string | null;
+  default_microphone: string | null;
 }
 
 export interface UpdateInfo {

container/Dockerfile

@@ -101,6 +101,24 @@ WORKDIR /workspace
 
 # ── Switch back to root for entrypoint (handles UID/GID remapping) ─────────
 USER root
+
+# ── OSC 52 clipboard support ─────────────────────────────────────────────
+# Provides xclip/xsel/pbcopy shims that emit OSC 52 escape sequences,
+# allowing programs inside the container to copy to the host clipboard.
+COPY osc52-clipboard /usr/local/bin/osc52-clipboard
+RUN chmod +x /usr/local/bin/osc52-clipboard \
+    && ln -sf /usr/local/bin/osc52-clipboard /usr/local/bin/xclip \
+    && ln -sf /usr/local/bin/osc52-clipboard /usr/local/bin/xsel \
+    && ln -sf /usr/local/bin/osc52-clipboard /usr/local/bin/pbcopy
+
+# ── Audio capture shim (voice mode) ────────────────────────────────────────
+# Provides fake rec/arecord that read PCM from a FIFO instead of a real mic,
+# allowing Claude Code voice mode to work inside the container.
+COPY audio-shim /usr/local/bin/audio-shim
+RUN chmod +x /usr/local/bin/audio-shim \
+    && ln -sf /usr/local/bin/audio-shim /usr/local/bin/rec \
+    && ln -sf /usr/local/bin/audio-shim /usr/local/bin/arecord
+
 COPY entrypoint.sh /usr/local/bin/entrypoint.sh
 RUN chmod +x /usr/local/bin/entrypoint.sh
 COPY triple-c-scheduler /usr/local/bin/triple-c-scheduler

container/audio-shim

@@ -0,0 +1,16 @@
+#!/bin/bash
+# Audio capture shim for Triple-C voice mode.
+# Claude Code spawns `rec` or `arecord` to capture mic audio.
+# Inside Docker there is no mic, so this shim reads PCM data from a
+# FIFO that the Tauri host app writes to, and outputs it on stdout.
+
+FIFO=/tmp/triple-c-audio-input
+
+# Create the FIFO if it doesn't already exist
+[ -p "$FIFO" ] || mkfifo "$FIFO" 2>/dev/null
+
+# Clean exit on SIGTERM (Claude Code sends this when recording stops)
+trap 'exit 0' TERM INT
+
+# Stream PCM from the FIFO to stdout until we get a signal or EOF
+cat "$FIFO"

container/entrypoint.sh

@@ -73,6 +73,19 @@ su -s /bin/bash claude -c '
     sort -u -o /home/claude/.ssh/known_hosts /home/claude/.ssh/known_hosts
 '
 
+# ── AWS config setup ──────────────────────────────────────────────────────────
+# Host AWS dir is mounted read-only at /tmp/.host-aws.
+# Copy to /home/claude/.aws so AWS CLI can write to sso/cache and cli/cache.
+if [ -d /tmp/.host-aws ]; then
+    rm -rf /home/claude/.aws
+    cp -a /tmp/.host-aws /home/claude/.aws
+    chown -R claude:claude /home/claude/.aws
+    chmod 700 /home/claude/.aws
+    # Ensure writable cache directories exist
+    mkdir -p /home/claude/.aws/sso/cache /home/claude/.aws/cli/cache
+    chown -R claude:claude /home/claude/.aws/sso /home/claude/.aws/cli
+fi
+
 # ── Git credential helper (for HTTPS token) ─────────────────────────────────
 if [ -n "$GIT_TOKEN" ]; then
     CRED_FILE="/home/claude/.git-credentials"
@@ -103,6 +116,24 @@ if [ -n "$CLAUDE_INSTRUCTIONS" ]; then
     unset CLAUDE_INSTRUCTIONS
 fi
 
+# ── Mission Control setup ───────────────────────────────────────────────────
+if [ "$MISSION_CONTROL_ENABLED" = "1" ]; then
+    MC_HOME="/home/claude/mission-control"
+    MC_LINK="/workspace/mission-control"
+    if [ ! -d "$MC_HOME/.git" ]; then
+        echo "entrypoint: cloning mission-control..."
+        su -s /bin/bash claude -c \
+            'git clone https://github.com/msieurthenardier/mission-control.git /home/claude/mission-control' \
+            || echo "entrypoint: warning — failed to clone mission-control"
+    else
+        echo "entrypoint: mission-control already present, skipping clone"
+    fi
+    # Symlink into workspace so Claude sees it at /workspace/mission-control
+    ln -sfn "$MC_HOME" "$MC_LINK"
+    chown -h claude:claude "$MC_LINK"
+    unset MISSION_CONTROL_ENABLED
+fi
+
 # ── MCP server configuration ────────────────────────────────────────────────
 # Merge MCP server config into ~/.claude.json (preserves existing keys like
 # OAuth tokens). Creates the file if it doesn't exist.

container/osc52-clipboard

@@ -0,0 +1,26 @@
+#!/bin/bash
+# OSC 52 clipboard provider — sends clipboard data to the host system clipboard
+# via OSC 52 terminal escape sequences. Installed as xclip/xsel/pbcopy so that
+# programs inside the container (e.g. Claude Code) can copy to clipboard.
+#
+# Supports common invocations:
+#   echo "text" | xclip -selection clipboard
+#   echo "text" | xsel --clipboard --input
+#   echo "text" | pbcopy
+#
+# Paste/output requests exit silently (not supported via OSC 52).
+
+# Detect paste/output mode — exit silently since we can't read the host clipboard
+for arg in "$@"; do
+    case "$arg" in
+        -o|--output) exit 0 ;;
+    esac
+done
+
+# Read all input from stdin
+data=$(cat)
+[ -z "$data" ] && exit 0
+
+# Base64 encode and write OSC 52 escape sequence to the controlling terminal
+encoded=$(printf '%s' "$data" | base64 | tr -d '\n')
+printf '\033]52;c;%s\a' "$encoded" > /dev/tty 2>/dev/null