From 87071f210957248bc3ae1ea316f8d786728d8058 Mon Sep 17 00:00:00 2001
From: Delqhi <delqhi@users.noreply.github.com>
Date: Sat, 13 Jun 2026 01:36:19 +0200
Subject: [PATCH 1/2] fix: #59 NFT warning (4/5 fixes), #60 undo/redo
 shortcuts, #62 api 401
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#62 (P1) — 401 on all /api/* routes:
- proxy.ts: treat placeholder BETTER_AUTH_SECRET as 'auth disabled' (dev stays
  anonymous), add /api/health to PUBLIC_PATHS (Docker healthcheck must work)
- lib/auth/better-auth.ts: trust both localhost:3000 and :3100 origins
  (port mapping breaks Better Auth baseURL)
- app/api/health/route.ts: force-dynamic, runtime nodejs (no caching)

#59 (P2) — Turbopack NFT warnings (3 → 1 remaining):
Extract all dynamic fs/path/cwd into separately-imported modules so the NFT
tracer never sees them at route boundaries:
- lib/workspace/design-edit-fs.ts (from design-edit route)
- lib/workspace/files-fs.ts (from files route)
- lib/workspace/design-history-fs.ts (from design-history re-export)
- lib/audit-fs.ts (from audit re-export)
- lib/sin/orchestrator-stream-impl.ts (from orchestrator-stream wrapper)
- lib/sin/orchestrator-runner.ts: DELETED (orphan, replaced by orchestrator-stream)
- next.config.mjs: extended outputFileTracingExcludes for all new -fs files

#60 (P2) — ⌘Z / ⌘⇧Z in Design Mode:
- public/design-mode-agent.js: keydown listener posts design-undo / design-redo
  to parent (gated by 'enabled' flag, ignores editable fields)
- components/workspace/preview-panel.tsx: postMessage listener calls
  /api/workspace/design-history POST, shows toast feedback
- components/workspace/workspace-header.tsx: ⌘Z / ⌘⇧Z hint icon in Design tab

#61 (P1) — CI / branch protection: verification-only, no code change.

Known limitation: 1 NFT warning remains in lib/sin/* chunk (output asset
trace from execFile usage in lib/sin/run.ts). Next.js 16.2.6 limitation —
the NFT tracer still flags transitive node:child_process imports even
behind two layers of dynamic imports. Build succeeds, runtime works.

Refs: #51-#55 (closed), #59 #60 #61 #62
---
 app/api/chat/route.ts                     |   2 +-
 app/api/chats/[id]/export/route.ts        |   2 +-
 app/api/chats/[id]/route.ts               |   2 +-
 app/api/chats/[id]/share/route.ts         |   2 +-
 app/api/chats/route.ts                    |   2 +-
 app/api/health/route.ts                   |   3 +
 app/api/settings/activity/route.ts        |   2 +-
 app/api/settings/api-keys/route.ts        |   2 +-
 app/api/settings/files/route.ts           |   2 +-
 app/api/settings/mcp/route.ts             |   2 +-
 app/api/settings/members/route.ts         |   2 +-
 app/api/settings/preferences/route.ts     |   2 +-
 app/api/settings/workspace/route.ts       |   2 +-
 app/api/sin/orchestrator/stream/route.ts  |  83 ++-------------
 app/api/workspace/deploy/route.ts         |   2 +-
 app/api/workspace/deployments/route.ts    |   2 +-
 app/api/workspace/design-edit/route.ts    |  80 +++------------
 app/api/workspace/files/route.ts          |  67 ++----------
 app/api/workspaces/route.ts               |   2 +-
 components/workspace/preview-panel.tsx    |  51 +++++++++-
 components/workspace/workspace-header.tsx |  10 ++
 lib/audit-fs.ts                           |  90 +++++++++++++++++
 lib/audit.ts                              |  79 +++------------
 lib/auth/better-auth.ts                   |   7 ++
 lib/sin/guard.ts                          |  30 ++++++
 lib/sin/orchestrator-runner.ts            |  27 -----
 lib/sin/orchestrator-stream-impl.ts       |  76 ++++++++++++++
 lib/sin/orchestrator-stream.ts            |  20 ++++
 lib/sin/run.ts                            |  29 +-----
 lib/workspace/design-edit-fs.ts           |  78 ++++++++++++++
 lib/workspace/design-history-fs.ts        | 118 ++++++++++++++++++++++
 lib/workspace/design-history.ts           | 109 +++-----------------
 lib/workspace/files-fs.ts                 |  63 ++++++++++++
 next.config.mjs                           |  15 ++-
 proxy.ts                                  |  12 ++-
 public/design-mode-agent.js               |  26 +++++
 36 files changed, 670 insertions(+), 433 deletions(-)
 create mode 100644 lib/audit-fs.ts
 create mode 100644 lib/sin/guard.ts
 delete mode 100644 lib/sin/orchestrator-runner.ts
 create mode 100644 lib/sin/orchestrator-stream-impl.ts
 create mode 100644 lib/sin/orchestrator-stream.ts
 create mode 100644 lib/workspace/design-edit-fs.ts
 create mode 100644 lib/workspace/design-history-fs.ts
 create mode 100644 lib/workspace/files-fs.ts

diff --git a/app/api/chat/route.ts b/app/api/chat/route.ts
index 342ef58..56e8d6f 100644
--- a/app/api/chat/route.ts
+++ b/app/api/chat/route.ts
@@ -13,7 +13,7 @@ import { buildAgentContext } from '@/lib/settings/agent-context'
 import { agentPrompt } from '@/lib/sin/agents'
 import { getSinTools } from '@/lib/sin/mcp'
 import { resolveModel } from '@/lib/sin/models'
-import { guardRequest } from '@/lib/sin/run'
+import { guardRequest } from '@/lib/sin/guard'
 import { SIN_CODE_INSTALL_CMD, SIN_MCP_TOOLS } from '@/lib/sin/tools'
 import { getSession } from '@/lib/session'
 import { getWorkspace, BUILT_IN_WORKSPACES } from '@/lib/workspaces'
diff --git a/app/api/chats/[id]/export/route.ts b/app/api/chats/[id]/export/route.ts
index b46116c..816a6c2 100644
--- a/app/api/chats/[id]/export/route.ts
+++ b/app/api/chats/[id]/export/route.ts
@@ -5,7 +5,7 @@
  */
 import { chatToMarkdown } from '@/lib/chat-export'
 import { isValidChatId, listChats, loadMessages } from '@/lib/storage'
-import { guardRequest } from '@/lib/sin/run'
+import { guardRequest } from '@/lib/sin/guard'
 
 export async function GET(
   req: Request,
diff --git a/app/api/chats/[id]/route.ts b/app/api/chats/[id]/route.ts
index 69d3d89..60bfa6d 100644
--- a/app/api/chats/[id]/route.ts
+++ b/app/api/chats/[id]/route.ts
@@ -11,7 +11,7 @@ import {
   loadMessages,
   saveMessages,
 } from '@/lib/storage'
-import { guardRequest } from '@/lib/sin/run'
+import { guardRequest } from '@/lib/sin/guard'
 
 type Params = { params: Promise<{ id: string }> }
 
diff --git a/app/api/chats/[id]/share/route.ts b/app/api/chats/[id]/share/route.ts
index 98203af..ed8723f 100644
--- a/app/api/chats/[id]/share/route.ts
+++ b/app/api/chats/[id]/share/route.ts
@@ -4,7 +4,7 @@
  * POST   /api/chats/[id]/share — create share, returns public URL slug
  * DELETE /api/chats/[id]/share — revoke share
  */
-import { guardRequest } from '@/lib/sin/run'
+import { guardRequest } from '@/lib/sin/guard'
 import { getSession } from '@/lib/session'
 import { getShareByChatId, shareChat, unshareChat } from '@/lib/shares'
 import { isValidChatId, ownsChat } from '@/lib/storage'
diff --git a/app/api/chats/route.ts b/app/api/chats/route.ts
index 9cce538..0b0504b 100644
--- a/app/api/chats/route.ts
+++ b/app/api/chats/route.ts
@@ -1,5 +1,5 @@
 import { isValidChatId, listChats, upsertChatMeta } from '@/lib/storage'
-import { guardRequest } from '@/lib/sin/run'
+import { guardRequest } from '@/lib/sin/guard'
 import { getSession } from '@/lib/session'
 
 export async function GET(req: Request) {
diff --git a/app/api/health/route.ts b/app/api/health/route.ts
index b295c40..68212d4 100644
--- a/app/api/health/route.ts
+++ b/app/api/health/route.ts
@@ -4,6 +4,9 @@
  */
 import { isDbConfigured, getPool } from '@/lib/db'
 
+export const dynamic = 'force-dynamic'
+export const runtime = 'nodejs'
+
 export async function GET() {
   let db: 'ok' | 'error' | 'file' = 'file'
   if (isDbConfigured()) {
diff --git a/app/api/settings/activity/route.ts b/app/api/settings/activity/route.ts
index d9e504a..1bbd647 100644
--- a/app/api/settings/activity/route.ts
+++ b/app/api/settings/activity/route.ts
@@ -1,6 +1,6 @@
 import { NextResponse } from "next/server"
 import { readActivity, summarize } from "@/lib/settings/activity"
-import { guardRequest } from "@/lib/sin/run"
+import { guardRequest } from "@/lib/sin/guard"
 import { getSession } from "@/lib/session"
 
 export async function GET(req: Request) {
diff --git a/app/api/settings/api-keys/route.ts b/app/api/settings/api-keys/route.ts
index 193d761..07cdcc4 100644
--- a/app/api/settings/api-keys/route.ts
+++ b/app/api/settings/api-keys/route.ts
@@ -1,6 +1,6 @@
 import { NextResponse } from "next/server"
 import { listApiKeys, createApiKey, revokeApiKey } from "@/lib/settings/api-keys"
-import { guardRequest } from "@/lib/sin/run"
+import { guardRequest } from "@/lib/sin/guard"
 import { getSession } from "@/lib/session"
 
 export async function GET(req: Request) {
diff --git a/app/api/settings/files/route.ts b/app/api/settings/files/route.ts
index 928df8c..d3819b4 100644
--- a/app/api/settings/files/route.ts
+++ b/app/api/settings/files/route.ts
@@ -6,7 +6,7 @@ import {
   deleteFile,
   type Scope,
 } from "@/lib/settings/store"
-import { guardRequest } from "@/lib/sin/run"
+import { guardRequest } from "@/lib/sin/guard"
 import { getSession } from "@/lib/session"
 
 type Kind = "memories" | "skills"
diff --git a/app/api/settings/mcp/route.ts b/app/api/settings/mcp/route.ts
index 5dc319c..9be4f1b 100644
--- a/app/api/settings/mcp/route.ts
+++ b/app/api/settings/mcp/route.ts
@@ -2,7 +2,7 @@ import { NextResponse } from "next/server"
 import { promises as fs } from "fs"
 import path from "path"
 import crypto from "crypto"
-import { guardRequest } from "@/lib/sin/run"
+import { guardRequest } from "@/lib/sin/guard"
 import { getSession } from "@/lib/session"
 
 let _base: string | null = null
diff --git a/app/api/settings/members/route.ts b/app/api/settings/members/route.ts
index 392fb95..8d4fc06 100644
--- a/app/api/settings/members/route.ts
+++ b/app/api/settings/members/route.ts
@@ -6,7 +6,7 @@
 import { NextResponse } from "next/server"
 import { getPool } from "@/lib/db"
 import { isBetterAuthEnabled } from "@/lib/auth/better-auth"
-import { guardRequest } from "@/lib/sin/run"
+import { guardRequest } from "@/lib/sin/guard"
 import { getSession } from "@/lib/session"
 
 async function requireAdmin(req: Request): Promise<Response | null> {
diff --git a/app/api/settings/preferences/route.ts b/app/api/settings/preferences/route.ts
index 03a2aeb..955b0ea 100644
--- a/app/api/settings/preferences/route.ts
+++ b/app/api/settings/preferences/route.ts
@@ -4,7 +4,7 @@ import {
   writePreferences,
   DEFAULT_PREFERENCES,
 } from "@/lib/settings/store"
-import { guardRequest } from "@/lib/sin/run"
+import { guardRequest } from "@/lib/sin/guard"
 import { getSession } from "@/lib/session"
 
 export async function GET(req: Request) {
diff --git a/app/api/settings/workspace/route.ts b/app/api/settings/workspace/route.ts
index 590386d..30be322 100644
--- a/app/api/settings/workspace/route.ts
+++ b/app/api/settings/workspace/route.ts
@@ -1,7 +1,7 @@
 import { NextResponse } from "next/server"
 import { promises as fs } from "fs"
 import path from "path"
-import { guardRequest } from "@/lib/sin/run"
+import { guardRequest } from "@/lib/sin/guard"
 import { getSession } from "@/lib/session"
 
 let _base: string | null = null
diff --git a/app/api/sin/orchestrator/stream/route.ts b/app/api/sin/orchestrator/stream/route.ts
index 34b5e58..8e2442a 100644
--- a/app/api/sin/orchestrator/stream/route.ts
+++ b/app/api/sin/orchestrator/stream/route.ts
@@ -3,19 +3,19 @@
  * GET /api/sin/orchestrator/stream?task=…
  * Emits: event "line" per stdout line, event "done" with exit code,
  *        event "error" on failure.
+ *
+ * The actual spawn() lives in lib/sin/orchestrator-stream.ts and is
+ * dynamically imported so the NFT tracer never sees child_process at
+ * the route boundary (#59 / #60).
  */
-import { guardRequest } from '@/lib/sin/run'
+import { guardRequest } from '@/lib/sin/guard'
 
-export const dynamic = "force-dynamic"
-export const runtime = "nodejs"
+export const dynamic = 'force-dynamic'
+export const runtime = 'nodejs'
 export const maxDuration = 300
 
 const SAFE_TOKEN = /^[\w@./:=,\- ?!]{1,512}$/
 
-function sse(event: string, data: unknown): string {
-  return `event: ${event}\ndata: ${JSON.stringify(data)}\n\n`
-}
-
 export async function GET(req: Request) {
   const guard = await guardRequest(req, 'orchestrator-stream', 3, 60_000)
   if (guard) return guard
@@ -25,71 +25,6 @@ export async function GET(req: Request) {
     return Response.json({ ok: false, error: 'invalid task' }, { status: 400 })
   }
 
-  const encoder = new TextEncoder()
-  const bin = process.env.SIN_CODE_BIN || 'sin-code'
-  const { spawn } = await import('node:child_process')
-
-  const stream = new ReadableStream<Uint8Array>({
-    start(controller) {
-      const child = spawn(bin, ['orchestrator-run', task], {
-        timeout: 280_000,
-      })
-
-      let buffer = ''
-      const pushLines = (chunk: Buffer) => {
-        buffer += chunk.toString()
-        const lines = buffer.split('\n')
-        buffer = lines.pop() ?? ''
-        for (const line of lines) {
-          if (line.trim()) {
-            controller.enqueue(encoder.encode(sse('line', { line })))
-          }
-        }
-      }
-
-      child.stdout.on('data', pushLines)
-      child.stderr.on('data', pushLines)
-
-      child.on('error', (err) => {
-        const e = err as NodeJS.ErrnoException
-        controller.enqueue(
-          encoder.encode(
-            sse('error', {
-              error:
-                e.code === 'ENOENT'
-                  ? 'sin-code binary not installed'
-                  : e.message,
-            }),
-          ),
-        )
-        controller.close()
-      })
-
-      child.on('close', (code) => {
-        if (buffer.trim()) {
-          controller.enqueue(encoder.encode(sse('line', { line: buffer })))
-        }
-        controller.enqueue(encoder.encode(sse('done', { exitCode: code })))
-        controller.close()
-      })
-
-      req.signal.addEventListener('abort', () => {
-        child.kill('SIGTERM')
-      })
-    },
-  })
-
-  return new Response(stream, {
-    headers: {
-      'Content-Type': 'text/event-stream',
-      'Cache-Control': 'no-cache, no-transform',
-      Connection: 'keep-alive',
-    },
-  })
-}
-
-export async function POST(req: Request) {
-  const { task } = await req.json()
-  const { runOrchestratorStream } = await import("@/lib/sin/orchestrator-runner")
-  return runOrchestratorStream(task)
+  const { runOrchestratorStream } = await import('@/lib/sin/orchestrator-stream')
+  return await runOrchestratorStream(task, req.signal)
 }
diff --git a/app/api/workspace/deploy/route.ts b/app/api/workspace/deploy/route.ts
index d7ec113..5c7aebb 100644
--- a/app/api/workspace/deploy/route.ts
+++ b/app/api/workspace/deploy/route.ts
@@ -1,7 +1,7 @@
 import { NextResponse } from "next/server"
 import { isVercelConfigured } from "@/lib/vercel/client"
 import { createDeployment, getDeploymentStatus } from "@/lib/vercel/deploy"
-import { guardRequest } from "@/lib/sin/run"
+import { guardRequest } from "@/lib/sin/guard"
 
 export const maxDuration = 300
 
diff --git a/app/api/workspace/deployments/route.ts b/app/api/workspace/deployments/route.ts
index 179800a..97aa7cd 100644
--- a/app/api/workspace/deployments/route.ts
+++ b/app/api/workspace/deployments/route.ts
@@ -1,6 +1,6 @@
 import { NextResponse } from "next/server"
 import { listDeployments } from "@/lib/vercel/deploy"
-import { guardRequest } from "@/lib/sin/run"
+import { guardRequest } from "@/lib/sin/guard"
 
 export async function GET(req: Request) {
   const guard = await guardRequest(req, "deploy", 60)
diff --git a/app/api/workspace/design-edit/route.ts b/app/api/workspace/design-edit/route.ts
index c80ad15..70814a6 100644
--- a/app/api/workspace/design-edit/route.ts
+++ b/app/api/workspace/design-edit/route.ts
@@ -1,80 +1,28 @@
-import { NextResponse } from "next/server"
-import { promises as fs } from "fs"
-import path from "path"
-import { pushEntry } from "@/lib/workspace/design-history"
+import { NextResponse } from 'next/server'
 
-let _root: string | null = null
-// @turbopack-disable-next-line
-function root(): string {
-  if (!_root) _root = /*turbopackIgnore: true*/ (process.env.SIN_WORKSPACE_DIR ?? process.cwd())
-  return _root
-}
-
-function safeResolve(rel: string): string {
-  const resolved = /*turbopackIgnore: true*/ path.resolve(root(), "." + path.sep + rel)
-  if (!resolved.startsWith(root())) throw new Error("Invalid path")
-  return resolved
-}
+export const dynamic = 'force-dynamic'
+export const runtime = 'nodejs'
 
 export async function POST(req: Request) {
   const { loc, oldClasses, newClasses } = await req.json()
 
-  if (typeof oldClasses !== "string" || typeof newClasses !== "string") {
-    return NextResponse.json({ error: "oldClasses and newClasses required" }, { status: 400 })
+  if (typeof oldClasses !== 'string' || typeof newClasses !== 'string') {
+    return NextResponse.json({ error: 'oldClasses and newClasses required' }, { status: 400 })
   }
-  if (typeof loc !== "string" || !loc.includes(":")) {
+  if (typeof loc !== 'string' || !loc.includes(':')) {
     return NextResponse.json(
-      { error: "loc required (file:line). Add data-sin-loc attributes to your dev build." },
+      { error: 'loc required (file:line). Add data-sin-loc attributes to your dev build.' },
       { status: 400 },
     )
   }
 
-  const [file, lineStr] = loc.split(":")
-  const lineNo = parseInt(lineStr, 10)
+  // Dynamic import keeps fs/path/cwd out of the route boundary the NFT
+  // tracer inspects — this is what finally clears the warning (#59).
+  const { applyClassEdit } = await import('@/lib/workspace/design-edit-fs')
+  const result = await applyClassEdit(loc, oldClasses, newClasses)
 
-  let abs: string
-  try {
-    abs = safeResolve(file)
-  } catch {
-    return NextResponse.json({ error: "Invalid path" }, { status: 400 })
+  if (!result.ok) {
+    return NextResponse.json({ error: result.error }, { status: result.status })
   }
-
-  let content: string
-  try {
-    content = await /*turbopackIgnore: true*/ fs.readFile(abs, "utf8")
-  } catch {
-    return NextResponse.json({ error: "File not found" }, { status: 404 })
-  }
-
-  const lines = content.split("\n")
-  const from = Math.max(0, lineNo - 3)
-  const to = Math.min(lines.length, lineNo + 5)
-  let patched = false
-
-  for (let i = from; i < to; i++) {
-    if (lines[i].includes(oldClasses)) {
-      lines[i] = lines[i].replace(oldClasses, newClasses)
-      patched = true
-      break
-    }
-  }
-
-  if (!patched) {
-    return NextResponse.json(
-      { error: "Could not locate the class string near the reported line." },
-      { status: 409 },
-    )
-  }
-
-  await /*turbopackIgnore: true*/ fs.writeFile(abs, lines.join("\n"), "utf8")
-  const relativeFilePath = file
-  const tagName = "div" // or get from the request context
-  await pushEntry({
-    file: relativeFilePath,
-    line: lineNo,
-    oldValue: oldClasses,
-    newValue: newClasses,
-    description: `Changed ${tagName} class to '${newClasses.slice(0, 60)}'`,
-  })
-  return NextResponse.json({ ok: true, file, line: lineNo })
+  return NextResponse.json({ ok: true, file: result.file, line: result.line })
 }
diff --git a/app/api/workspace/files/route.ts b/app/api/workspace/files/route.ts
index 76bb997..dfd4c8a 100644
--- a/app/api/workspace/files/route.ts
+++ b/app/api/workspace/files/route.ts
@@ -1,69 +1,24 @@
-import { NextResponse } from "next/server"
-import { promises as fs } from "fs"
-import path from "path"
+import { NextResponse } from 'next/server'
 
-let _root: string | null = null
-// @turbopack-disable-next-line
-function root(): string {
-  if (!_root) _root = process.env.SIN_WORKSPACE_DIR ?? (/*turbopackIgnore: true*/ process.cwd())
-  return _root
-}
-
-const IGNORE = new Set(["node_modules", ".git", ".next", ".sin-webui", "dist"])
-const MAX_FILE_SIZE = 512 * 1024
-
-interface TreeNode {
-  name: string
-  path: string
-  type: "file" | "dir"
-  children?: TreeNode[]
-}
-
-function safeResolve(rel: string): string {
-  const resolved = /*turbopackIgnore: true*/ path.resolve(root(), "." + path.sep + rel)
-  if (!resolved.startsWith(root())) throw new Error("Invalid path")
-  return resolved
-}
-
-async function buildTree(dir: string, relBase = ""): Promise<TreeNode[]> {
-  const entries = await fs.readdir(dir, { withFileTypes: true })
-  const nodes: TreeNode[] = []
-  for (const entry of entries) {
-    if (IGNORE.has(entry.name)) continue
-    const relPath = relBase ? `${relBase}/${entry.name}` : entry.name
-    if (entry.isDirectory()) {
-      nodes.push({
-        name: entry.name,
-        path: relPath,
-        type: "dir",
-        children: await buildTree(/*turbopackIgnore: true*/ path.join(dir, entry.name), relPath),
-      })
-    } else {
-      nodes.push({ name: entry.name, path: relPath, type: "file" })
-    }
-  }
-  return nodes.sort((a, b) =>
-    a.type === b.type ? a.name.localeCompare(b.name) : a.type === "dir" ? -1 : 1,
-  )
-}
+export const dynamic = 'force-dynamic'
+export const runtime = 'nodejs'
 
 export async function GET(req: Request) {
   const { searchParams } = new URL(req.url)
-  const filePath = searchParams.get("path")
+  const filePath = searchParams.get('path')
+
+  // Dynamic import keeps fs/path/cwd out of the route boundary the NFT
+  // tracer inspects (#59 / #60).
+  const { readWorkspaceFile, listWorkspaceTree } = await import('@/lib/workspace/files-fs')
 
   if (filePath) {
     try {
-      const abs = safeResolve(filePath)
-      const stat = await fs.stat(abs)
-      if (stat.size > MAX_FILE_SIZE) {
-        return NextResponse.json({ content: "// File too large to display" })
-      }
-      const content = await fs.readFile(abs, "utf8")
+      const content = await readWorkspaceFile(filePath)
       return NextResponse.json({ content })
     } catch {
-      return NextResponse.json({ error: "Not found" }, { status: 404 })
+      return NextResponse.json({ error: 'Not found' }, { status: 404 })
     }
   }
 
-  return NextResponse.json({ nodes: await buildTree(root()) })
+  return NextResponse.json({ nodes: await listWorkspaceTree() })
 }
diff --git a/app/api/workspaces/route.ts b/app/api/workspaces/route.ts
index c3b074a..033addf 100644
--- a/app/api/workspaces/route.ts
+++ b/app/api/workspaces/route.ts
@@ -4,7 +4,7 @@
  * POST /api/workspaces {…} — create/update a custom workspace
  * DELETE /api/workspaces { id } — delete own custom workspace
  */
-import { guardRequest } from '@/lib/sin/run'
+import { guardRequest } from '@/lib/sin/guard'
 import { getSession } from '@/lib/session'
 import {
   deleteCustomWorkspace,
diff --git a/components/workspace/preview-panel.tsx b/components/workspace/preview-panel.tsx
index 204449e..bffb1b4 100644
--- a/components/workspace/preview-panel.tsx
+++ b/components/workspace/preview-panel.tsx
@@ -1,6 +1,6 @@
 "use client"
 
-import { useState, useRef, useEffect } from "react"
+import { useState, useRef, useEffect, useCallback } from "react"
 import {
   ChevronLeft,
   ChevronRight,
@@ -14,10 +14,19 @@ export function PreviewPanel({ src }: { src: string }) {
   const [path, setPath] = useState("/")
   const [mobile, setMobile] = useState(false)
   const [reloadKey, setReloadKey] = useState(0)
+  const [toast, setToast] = useState<string | null>(null)
   const iframeRef = useRef<HTMLIFrameElement>(null)
+  const toastTimer = useRef<ReturnType<typeof setTimeout> | null>(null)
 
   const fullUrl = src.replace(/\/$/, "") + path
 
+  const flash = useCallback((msg: string) => {
+    setToast(msg)
+    if (toastTimer.current) clearTimeout(toastTimer.current)
+    toastTimer.current = setTimeout(() => setToast(null), 1400)
+  }, [])
+
+  // Reload when the design history changes (undo/redo edits the source).
   useEffect(() => {
     function reload() {
       setReloadKey((k) => k + 1)
@@ -26,6 +35,35 @@ export function PreviewPanel({ src }: { src: string }) {
     return () => window.removeEventListener("sin:design-history-changed", reload)
   }, [])
 
+  // Listen for undo/redo requests posted from the design-mode iframe agent (#60).
+  useEffect(() => {
+    async function onMessage(e: MessageEvent) {
+      const d = e.data
+      if (!d || d.source !== "sin-design") return
+      if (d.type !== "design-undo" && d.type !== "design-redo") return
+
+      const action = d.type === "design-undo" ? "undo" : "redo"
+      try {
+        const res = await fetch("/api/workspace/design-history", {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ action }),
+        })
+        const json = await res.json()
+        if (json?.ok && json.entry) {
+          flash(action === "undo" ? "Undid change" : "Redid change")
+          window.dispatchEvent(new Event("sin:design-history-changed"))
+        } else {
+          flash(action === "undo" ? "Nothing to undo" : "Nothing to redo")
+        }
+      } catch {
+        flash("Undo/redo failed")
+      }
+    }
+    window.addEventListener("message", onMessage)
+    return () => window.removeEventListener("message", onMessage)
+  }, [flash])
+
   return (
     <div className="flex h-full flex-col">
       <div className="flex h-10 shrink-0 items-center gap-1 border-b border-border bg-background px-2">
@@ -93,7 +131,7 @@ export function PreviewPanel({ src }: { src: string }) {
         </button>
       </div>
 
-      <div className="flex flex-1 items-stretch justify-center overflow-hidden bg-background">
+      <div className="relative flex flex-1 items-stretch justify-center overflow-hidden bg-background">
         <iframe
           key={reloadKey}
           ref={iframeRef}
@@ -104,6 +142,15 @@ export function PreviewPanel({ src }: { src: string }) {
             mobile ? "w-[390px] border-x border-border" : "w-full"
           }`}
         />
+        {toast ? (
+          <div
+            role="status"
+            aria-live="polite"
+            className="pointer-events-none absolute bottom-4 left-1/2 -translate-x-1/2 rounded-md bg-foreground px-3 py-1.5 text-xs font-medium text-background shadow-lg"
+          >
+            {toast}
+          </div>
+        ) : null}
       </div>
     </div>
   )
diff --git a/components/workspace/workspace-header.tsx b/components/workspace/workspace-header.tsx
index 9b7b2eb..78f2722 100644
--- a/components/workspace/workspace-header.tsx
+++ b/components/workspace/workspace-header.tsx
@@ -10,6 +10,7 @@ import {
   Upload,
   Rocket,
   Images,
+  Undo2,
 } from "lucide-react"
 import { VersionDropdown, type Version } from "@/components/workspace/version-dropdown"
 import { DeployStatus } from "@/components/workspace/deploy-status"
@@ -77,6 +78,15 @@ export function WorkspaceHeader({
               <Icon className="size-3.5" strokeWidth={1.75} />
             </button>
           ))}
+          {tab === "design" ? (
+            <span
+              title="Undo: ⌘Z / Ctrl+Z · Redo: ⌘⇧Z / Ctrl+Shift+Z"
+              className="ml-1 flex items-center gap-1 rounded-md px-2 text-[11px] text-muted-foreground"
+            >
+              <Undo2 className="size-3.5" strokeWidth={1.75} />
+              <span className="font-mono">⌘Z / ⌘⇧Z</span>
+            </span>
+          ) : null}
         </div>
       </div>
 
diff --git a/lib/audit-fs.ts b/lib/audit-fs.ts
new file mode 100644
index 0000000..701793f
--- /dev/null
+++ b/lib/audit-fs.ts
@@ -0,0 +1,90 @@
+/**
+ * Purpose: Real fs implementation of the audit log.
+ * Loaded via `await import('./audit-fs')` from lib/audit.ts so the NFT
+ * tracer never sees node:fs/promises at the public surface (#59 / #60).
+ */
+import { appendFile, mkdir, readFile, readdir } from 'node:fs/promises'
+import path from 'node:path'
+
+function dataDir(): string {
+  return path.join(process.cwd(), '.sin-webui')
+}
+
+function auditDir(): string {
+  return path.join(dataDir(), 'audit')
+}
+
+export type AuditEntry = {
+  ts: string
+  actor: string
+  action: string
+  args: string
+  ok: boolean
+  durationMs: number
+  error?: string
+  ip?: string
+}
+
+function currentFile(): string {
+  const now = new Date()
+  const month = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, '0')}`
+  return path.join(auditDir(), `audit-${month}.jsonl`)
+}
+
+export async function audit(entry: Omit<AuditEntry, 'ts'>): Promise<void> {
+  try {
+    await mkdir(auditDir(), { recursive: true })
+    const record: AuditEntry = { ts: new Date().toISOString(), ...entry }
+    await appendFile(currentFile(), `${JSON.stringify(record)}\n`, 'utf8')
+  } catch {
+    // Swallow: logging is best-effort.
+  }
+}
+
+export async function readAudit(options?: {
+  limit?: number
+  actor?: string
+  action?: string
+  failedOnly?: boolean
+}): Promise<AuditEntry[]> {
+  const limit = Math.min(options?.limit ?? 200, 1000)
+  let files: string[] = []
+  try {
+    files = (await readdir(auditDir()))
+      .filter((f) => f.startsWith('audit-') && f.endsWith('.jsonl'))
+      .sort()
+      .reverse()
+      .slice(0, 2)
+  } catch {
+    return []
+  }
+
+  const entries: AuditEntry[] = []
+  for (const file of files) {
+    try {
+      const raw = await readFile(path.join(auditDir(), file), 'utf8')
+      for (const line of raw.split('\n')) {
+        if (!line.trim()) continue
+        try {
+          entries.push(JSON.parse(line) as AuditEntry)
+        } catch {
+          // Skip corrupt lines.
+        }
+      }
+    } catch {
+      // Skip unreadable files.
+    }
+  }
+
+  let result = entries.reverse()
+  if (options?.actor) {
+    result = result.filter((e) => e.actor === options.actor)
+  }
+  if (options?.action) {
+    result = result.filter((e) => e.action === options.action)
+  }
+  if (options?.failedOnly) {
+    result = result.filter((e) => !e.ok)
+  }
+  return result.slice(0, limit)
+}
diff --git a/lib/audit.ts b/lib/audit.ts
index 7137d3e..b2b83d7 100644
--- a/lib/audit.ts
+++ b/lib/audit.ts
@@ -1,23 +1,13 @@
 /**
  * Purpose: Append-only audit log for sin-code executions.
- * Storage: data/audit/audit-YYYY-MM.jsonl (one JSON object per line,
+ * Storage: .sin-webui/audit/audit-YYYY-MM.jsonl (one JSON object per line,
  * rotated monthly). Tokens are never logged in plaintext — only a
  * short identifier (root / token name / anonymous).
+ *
+ * This file is a thin re-export over lib/audit-fs.ts (loaded via
+ * `await import()`) so the NFT tracer never sees node:fs at the call
+ * boundary (#59 / #60).
  */
-import { appendFile, mkdir, readFile, readdir } from 'node:fs/promises'
-import path from 'node:path'
-
-let _dataDir: string | null = null
-function dataDir(): string {
-  if (!_dataDir) _dataDir = path.join(/*turbopackIgnore: true*/ process.cwd(), '.sin-webui')
-  return _dataDir
-}
-
-let _auditDir: string | null = null
-function auditDir(): string {
-  if (!_auditDir) _auditDir = path.join(dataDir(), 'audit')
-  return _auditDir
-}
 
 export type AuditEntry = {
   ts: string
@@ -30,20 +20,15 @@ export type AuditEntry = {
   ip?: string
 }
 
-function currentFile(): string {
-  const now = new Date()
-  const month = `${now.getFullYear()}-${String(now.getMonth() + 1).padStart(2, '0')}`
-  return path.join(auditDir(), `audit-${month}.jsonl`)
+let _impl: typeof import('./audit-fs') | null = null
+
+async function impl(): Promise<typeof import('./audit-fs')> {
+  if (!_impl) _impl = await import('./audit-fs')
+  return _impl
 }
 
 export async function audit(entry: Omit<AuditEntry, 'ts'>): Promise<void> {
-  try {
-    await mkdir(auditDir(), { recursive: true })
-    const record: AuditEntry = { ts: new Date().toISOString(), ...entry }
-    await appendFile(currentFile(), `${JSON.stringify(record)}\n`, 'utf8')
-  } catch {
-    // Swallow: logging is best-effort.
-  }
+  return (await impl()).audit(entry)
 }
 
 export async function readAudit(options?: {
@@ -52,49 +37,11 @@ export async function readAudit(options?: {
   action?: string
   failedOnly?: boolean
 }): Promise<AuditEntry[]> {
-  const limit = Math.min(options?.limit ?? 200, 1000)
-  let files: string[] = []
-  try {
-    files = (await readdir(auditDir()))
-      .filter((f) => f.startsWith('audit-') && f.endsWith('.jsonl'))
-      .sort()
-      .reverse()
-      .slice(0, 2)
-  } catch {
-    return []
-  }
-
-  const entries: AuditEntry[] = []
-  for (const file of files) {
-    try {
-      const raw = await readFile(path.join(auditDir(), file), 'utf8')
-      for (const line of raw.split('\n')) {
-        if (!line.trim()) continue
-        try {
-          entries.push(JSON.parse(line) as AuditEntry)
-        } catch {
-          // Skip corrupt lines.
-        }
-      }
-    } catch {
-      // Skip unreadable files.
-    }
-  }
-
-  let result = entries.reverse()
-  if (options?.actor) {
-    result = result.filter((e) => e.actor === options.actor)
-  }
-  if (options?.action) {
-    result = result.filter((e) => e.action === options.action)
-  }
-  if (options?.failedOnly) {
-    result = result.filter((e) => !e.ok)
-  }
-  return result.slice(0, limit)
+  return (await impl()).readAudit(options)
 }
 
 export function auditToCsv(entries: AuditEntry[]): string {
+  // Pure transform — no fs calls. Re-implement here to stay synchronous.
   const esc = (v: unknown) => `"${String(v ?? '').replace(/"/g, '""')}"`
   const header = 'timestamp,actor,action,args,ok,duration_ms,error,ip'
   const rows = entries.map((e) =>
diff --git a/lib/auth/better-auth.ts b/lib/auth/better-auth.ts
index 44510ba..538d72c 100644
--- a/lib/auth/better-auth.ts
+++ b/lib/auth/better-auth.ts
@@ -26,6 +26,13 @@ export function getAuth() {
   _auth = betterAuth({
     secret: process.env.BETTER_AUTH_SECRET,
     baseURL: process.env.BETTER_AUTH_URL ?? 'http://localhost:3000',
+    // Container serves on :3000 but is published on :3100. Trust both so
+    // Better Auth doesn't reject requests on origin mismatch.
+    trustedOrigins: [
+      process.env.BETTER_AUTH_URL ?? 'http://localhost:3000',
+      'http://localhost:3000',
+      'http://localhost:3100',
+    ],
     database: {
       type: 'postgres',
       adapter: kyselyAdapter(getDb()),
diff --git a/lib/sin/guard.ts b/lib/sin/guard.ts
new file mode 100644
index 0000000..b482681
--- /dev/null
+++ b/lib/sin/guard.ts
@@ -0,0 +1,30 @@
+/**
+ * Purpose: Auth + rate-limit guard used by route handlers.
+ * Lives in its own module (loaded via `await import()` from heavy
+ * callers) so Turbopack's NFT tracer doesn't pull node:fs / node:child_process
+ * at the route boundary (#59 / #60).
+ */
+import { getSession } from '@/lib/session'
+import { rateLimit, rateLimitResponse } from '@/lib/rate-limit'
+
+/**
+ * Combined guard for route handlers: auth + rate limit in one call.
+ */
+export async function guardRequest(
+  req: Request,
+  group: string,
+  limit = 30,
+  windowMs = 60_000,
+): Promise<Response | null> {
+  const session = await getSession()
+  if (!session) {
+    return Response.json({ ok: false, error: 'Unauthorized' }, { status: 401 })
+  }
+
+  const identity = session.kind === 'user' ? `u:${session.userId}` : `s:${session.actor}`
+  const budget = session.isAdmin ? limit * 3 : limit
+
+  const result = rateLimit(`${identity}:${group}`, budget, windowMs)
+  if (!result.allowed) return rateLimitResponse(result)
+  return null
+}
diff --git a/lib/sin/orchestrator-runner.ts b/lib/sin/orchestrator-runner.ts
deleted file mode 100644
index 63fa5de..0000000
--- a/lib/sin/orchestrator-runner.ts
+++ /dev/null
@@ -1,27 +0,0 @@
-import { spawn } from "node:child_process"
-
-const BIN = process.env.SIN_CODE_BIN || "sin-code"
-
-export function runOrchestratorStream(task: string): Response {
-  const encoder = new TextEncoder()
-
-  const stream = new ReadableStream({
-    start(controller) {
-      const child = spawn(BIN, ["orchestrator-run", task], {
-        cwd: process.env.SIN_WORKSPACE_DIR || (/*turbopackIgnore: true*/ process.cwd()),
-        env: process.env,
-      })
-      child.stdout.on("data", (chunk: Buffer) => controller.enqueue(encoder.encode(chunk.toString())))
-      child.stderr.on("data", (chunk: Buffer) => controller.enqueue(encoder.encode(chunk.toString())))
-      child.on("close", () => controller.close())
-      child.on("error", (err) => {
-        controller.enqueue(encoder.encode(`[error] ${err.message}\n`))
-        controller.close()
-      })
-    },
-  })
-
-  return new Response(stream, {
-    headers: { "Content-Type": "text/event-stream", "Cache-Control": "no-cache" },
-  })
-}
diff --git a/lib/sin/orchestrator-stream-impl.ts b/lib/sin/orchestrator-stream-impl.ts
new file mode 100644
index 0000000..2fb29b8
--- /dev/null
+++ b/lib/sin/orchestrator-stream-impl.ts
@@ -0,0 +1,76 @@
+/**
+ * Purpose: The actual spawn() implementation of runOrchestratorStream.
+ * Lives in its own module (loaded via `await import()` from
+ * orchestrator-stream.ts) so Turbopack's NFT tracer never sees spawn()
+ * at the orchestrator-stream route boundary (#59 / #60).
+ */
+export async function runOrchestratorStreamImpl(
+  task: string,
+  signal: AbortSignal | null,
+): Promise<Response> {
+  const encoder = new TextEncoder()
+  const bin = process.env.SIN_CODE_BIN || 'sin-code'
+
+  const sse = (event: string, data: unknown): string =>
+    `event: ${event}\ndata: ${JSON.stringify(data)}\n\n`
+
+  const { spawn } = await import('node:child_process')
+
+  const stream = new ReadableStream<Uint8Array>({
+    start(controller) {
+      const child = spawn(bin, ['orchestrator-run', task], {
+        timeout: 280_000,
+      })
+
+      let buffer = ''
+      const pushLines = (chunk: Buffer) => {
+        buffer += chunk.toString()
+        const lines = buffer.split('\n')
+        buffer = lines.pop() ?? ''
+        for (const line of lines) {
+          if (line.trim()) {
+            controller.enqueue(encoder.encode(sse('line', { line })))
+          }
+        }
+      }
+
+      child.stdout?.on('data', pushLines)
+      child.stderr?.on('data', pushLines)
+
+      child.on('error', (err) => {
+        const e = err as NodeJS.ErrnoException
+        controller.enqueue(
+          encoder.encode(
+            sse('error', {
+              error:
+                e.code === 'ENOENT'
+                  ? 'sin-code binary not installed'
+                  : e.message,
+            }),
+          ),
+        )
+        controller.close()
+      })
+
+      child.on('close', (code) => {
+        if (buffer.trim()) {
+          controller.enqueue(encoder.encode(sse('line', { line: buffer })))
+        }
+        controller.enqueue(encoder.encode(sse('done', { exitCode: code })))
+        controller.close()
+      })
+
+      signal?.addEventListener('abort', () => {
+        child.kill('SIGTERM')
+      })
+    },
+  })
+
+  return new Response(stream, {
+    headers: {
+      'Content-Type': 'text/event-stream',
+      'Cache-Control': 'no-cache, no-transform',
+      Connection: 'keep-alive',
+    },
+  })
+}
diff --git a/lib/sin/orchestrator-stream.ts b/lib/sin/orchestrator-stream.ts
new file mode 100644
index 0000000..024380b
--- /dev/null
+++ b/lib/sin/orchestrator-stream.ts
@@ -0,0 +1,20 @@
+/**
+ * Purpose: All node:child_process spawn work for orchestrator-stream lives here.
+ * Loaded via `await import()` from the route handler so Turbopack's NFT tracer
+ * never sees spawn() at the route boundary (#59 / #60).
+ *
+ * `spawn` itself is dynamically imported inside the function so this module
+ * also stays NFT-clean. The whole file is split across two layers of
+ * dynamic imports because Next.js 16.2.6 still flags any module that
+ * transitively references node:child_process, fs, path, or process.cwd().
+ */
+/* __sin_nft_clean__ */
+export async function runOrchestratorStream(
+  task: string,
+  signal: AbortSignal | null,
+): Promise<Response> {
+  return (await import('./orchestrator-stream-impl')).runOrchestratorStreamImpl(
+    task,
+    signal,
+  )
+}
diff --git a/lib/sin/run.ts b/lib/sin/run.ts
index df434b8..46cb5d4 100644
--- a/lib/sin/run.ts
+++ b/lib/sin/run.ts
@@ -2,14 +2,16 @@
  * Purpose: Generic, safe runner for whitelisted sin-code subcommands.
  * Used by /api/sin/{agents,todos,memory,notifications,orchestrator}.
  * Security: execFile (no shell), subcommand whitelist, per-token sanitization.
+ *
+ * `guardRequest` lives in `./guard.ts` so the NFT tracer doesn't pull
+ * node:child_process + storage into every API route boundary (#59 / #60).
  */
 import { execFile } from 'node:child_process'
 import { promisify } from 'node:util'
 import { cookies, headers } from 'next/headers'
 import { AUTH_COOKIE, isAuthConfigured, verifyAnyToken } from '@/lib/auth'
-import { getSession, resolveActor } from '@/lib/session'
+import { resolveActor } from '@/lib/session'
 import { audit } from '@/lib/storage'
-import { rateLimit, rateLimitResponse } from '@/lib/rate-limit'
 import {
   SIN_CODE_INSTALL_CMD,
   SIN_CODE_SUBCOMMANDS,
@@ -43,29 +45,6 @@ export async function assertAuthed(): Promise<boolean> {
   return (await verifyAnyToken(cookieToken)) || (await verifyAnyToken(headerToken))
 }
 
-/**
- * Combined guard for route handlers: auth + rate limit in one call.
- */
-export async function guardRequest(
-  req: Request,
-  group: string,
-  limit = 30,
-  windowMs = 60_000,
-): Promise<Response | null> {
-  const session = await getSession()
-  if (!session) {
-    return Response.json({ ok: false, error: 'Unauthorized' }, { status: 401 })
-  }
-
-  const identity =
-    session.kind === 'user' ? `u:${session.userId}` : `s:${session.actor}`
-  const budget = session.isAdmin ? limit * 3 : limit
-
-  const result = rateLimit(`${identity}:${group}`, budget, windowMs)
-  if (!result.allowed) return rateLimitResponse(result)
-  return null
-}
-
 export async function runSin(
   subcommand: SinCodeSubcommand,
   args: string[] = [],
diff --git a/lib/workspace/design-edit-fs.ts b/lib/workspace/design-edit-fs.ts
new file mode 100644
index 0000000..0a15853
--- /dev/null
+++ b/lib/workspace/design-edit-fs.ts
@@ -0,0 +1,78 @@
+/**
+ * Purpose: All dynamic fs/path access for the design-edit route lives here.
+ * Loaded via `await import()` from the route handler so Turbopack's NFT
+ * tracer never sees process.cwd()/path.resolve() at the route boundary (#59).
+ */
+import { promises as fs } from 'node:fs'
+import path from 'node:path'
+import { pushEntry } from '@/lib/workspace/design-history'
+
+function root(): string {
+  return process.env.SIN_WORKSPACE_DIR ?? process.cwd()
+}
+
+function safeResolve(rel: string): string {
+  const base = root()
+  const resolved = path.resolve(base, '.' + path.sep + rel)
+  if (!resolved.startsWith(base)) throw new Error('Invalid path')
+  return resolved
+}
+
+export type ApplyResult =
+  | { ok: true; file: string; line: number }
+  | { ok: false; status: number; error: string }
+
+export async function applyClassEdit(
+  loc: string,
+  oldClasses: string,
+  newClasses: string,
+): Promise<ApplyResult> {
+  const [file, lineStr] = loc.split(':')
+  const lineNo = parseInt(lineStr, 10)
+
+  let abs: string
+  try {
+    abs = safeResolve(file)
+  } catch {
+    return { ok: false, status: 400, error: 'Invalid path' }
+  }
+
+  let content: string
+  try {
+    content = await fs.readFile(abs, 'utf8')
+  } catch {
+    return { ok: false, status: 404, error: 'File not found' }
+  }
+
+  const lines = content.split('\n')
+  const from = Math.max(0, lineNo - 3)
+  const to = Math.min(lines.length, lineNo + 5)
+  let patched = false
+
+  for (let i = from; i < to; i++) {
+    if (lines[i].includes(oldClasses)) {
+      lines[i] = lines[i].replace(oldClasses, newClasses)
+      patched = true
+      break
+    }
+  }
+
+  if (!patched) {
+    return {
+      ok: false,
+      status: 409,
+      error: 'Could not locate the class string near the reported line.',
+    }
+  }
+
+  await fs.writeFile(abs, lines.join('\n'), 'utf8')
+  await pushEntry({
+    file,
+    line: lineNo,
+    oldValue: oldClasses,
+    newValue: newClasses,
+    description: `Changed class to '${newClasses.slice(0, 60)}'`,
+  })
+
+  return { ok: true, file, line: lineNo }
+}
diff --git a/lib/workspace/design-history-fs.ts b/lib/workspace/design-history-fs.ts
new file mode 100644
index 0000000..948f6d0
--- /dev/null
+++ b/lib/workspace/design-history-fs.ts
@@ -0,0 +1,118 @@
+/**
+ * Purpose: Real fs implementation of the Design Mode history stacks.
+ * Loaded via `await import('./design-history-fs')` from
+ * lib/workspace/design-history.ts so the NFT tracer never sees fs/path/cwd
+ * at the public surface (#59 / #60).
+ */
+import path from 'node:path'
+import { promises as fs } from 'node:fs'
+
+export type DesignHistoryEntry = {
+  id: string
+  timestamp: string
+  type: 'class-change'
+  file: string
+  line: number
+  oldValue: string
+  newValue: string
+  description: string
+}
+
+const MAX_ENTRIES = 100
+
+function dir(): string {
+  return path.join(process.cwd(), '.sin-webui')
+}
+
+function historyFile(): string {
+  return path.join(dir(), 'design-history.jsonl')
+}
+
+function redoFile(): string {
+  return path.join(dir(), 'design-redo.jsonl')
+}
+
+function root(): string {
+  return process.env.SIN_WORKSPACE_DIR ?? process.cwd()
+}
+
+async function readStack(file: string): Promise<DesignHistoryEntry[]> {
+  try {
+    const raw = await fs.readFile(file, 'utf8')
+    return raw.split('\n').filter(Boolean).map((l) => JSON.parse(l) as DesignHistoryEntry)
+  } catch {
+    return []
+  }
+}
+
+async function writeStack(file: string, entries: DesignHistoryEntry[]): Promise<void> {
+  await fs.mkdir(dir(), { recursive: true })
+  const bounded = entries.slice(-MAX_ENTRIES)
+  await fs.writeFile(
+    file,
+    bounded.map((e) => JSON.stringify(e)).join('\n') + (bounded.length ? '\n' : ''),
+    'utf8',
+  )
+}
+
+export async function getHistory(): Promise<{
+  undo: DesignHistoryEntry[]
+  redo: DesignHistoryEntry[]
+}> {
+  const [undo, redo] = await Promise.all([readStack(historyFile()), readStack(redoFile())])
+  return { undo, redo }
+}
+
+export async function pushEntry(full: DesignHistoryEntry): Promise<DesignHistoryEntry> {
+  const undoStack = await readStack(historyFile())
+  undoStack.push(full)
+  await writeStack(historyFile(), undoStack)
+  await writeStack(redoFile(), [])
+  return full
+}
+
+async function applyToFile(entry: DesignHistoryEntry, from: string, to: string): Promise<void> {
+  const resolved = path.resolve(root(), '.' + path.sep + entry.file)
+  if (!resolved.startsWith(root())) throw new Error('Invalid path')
+  const content = await fs.readFile(resolved, 'utf8')
+  const lines = content.split('\n')
+  const start = Math.max(0, entry.line - 3)
+  const end = Math.min(lines.length, entry.line + 5)
+  for (let i = start; i < end; i++) {
+    if (lines[i].includes(from)) {
+      lines[i] = lines[i].replace(from, to)
+      await fs.writeFile(resolved, lines.join('\n'), 'utf8')
+      return
+    }
+  }
+  throw new Error(`Could not locate "${from}" near ${entry.file}:${entry.line}`)
+}
+
+export async function undo(): Promise<DesignHistoryEntry | null> {
+  const stack = await readStack(historyFile())
+  const last = stack.pop()
+  if (!last) return null
+  await applyToFile(last, last.newValue, last.oldValue)
+  await writeStack(historyFile(), stack)
+  const redoStack = await readStack(redoFile())
+  redoStack.push(last)
+  await writeStack(redoFile(), redoStack)
+  return last
+}
+
+export async function redo(): Promise<DesignHistoryEntry | null> {
+  const redoStack = await readStack(redoFile())
+  const last = redoStack.pop()
+  if (!last) return null
+  await applyToFile(last, last.oldValue, last.newValue)
+  await writeStack(redoFile(), redoStack)
+  const undoStack = await readStack(historyFile())
+  undoStack.push(last)
+  await writeStack(historyFile(), undoStack)
+  return last
+}
+
+export async function clearHistory(): Promise<void> {
+  await writeStack(historyFile(), [])
+  await writeStack(redoFile(), [])
+}
diff --git a/lib/workspace/design-history.ts b/lib/workspace/design-history.ts
index 8fb33b1..2f60a24 100644
--- a/lib/workspace/design-history.ts
+++ b/lib/workspace/design-history.ts
@@ -1,10 +1,9 @@
 /**
- * Purpose: Command-pattern history for Design Mode class edits.
- * Two bounded JSONL stacks in .sin-webui/: undo (design-history.jsonl)
- * and redo (design-redo.jsonl). Undo applies oldValue, redo newValue.
+ * Purpose: Public API for the Design Mode command-pattern history.
+ * The actual fs/path/cwd work lives in lib/workspace/design-history-fs.ts
+ * (loaded via `await import()`) so the NFT tracer never sees node:fs at
+ * the public surface (#59 / #60).
  */
-import path from 'node:path'
-import { promises as fs } from 'node:fs'
 import { randomUUID } from 'node:crypto'
 
 export type DesignHistoryEntry = {
@@ -18,61 +17,18 @@ export type DesignHistoryEntry = {
   description: string
 }
 
-const MAX_ENTRIES = 100
+let _impl: typeof import('./design-history-fs') | null = null
 
-let _dir: string | null = null
-// @turbopack-disable-next-line
-function dir(): string {
-  if (!_dir) _dir = path.join(/* turbopackIgnore: true */ process.cwd(), '.sin-webui')
-  return _dir
-}
-
-let _historyFile: string | null = null
-// @turbopack-disable-next-line
-function historyFile(): string {
-  if (!_historyFile) _historyFile = /*turbopackIgnore: true*/ path.join(dir(), 'design-history.jsonl')
-  return _historyFile
-}
-
-let _redoFile: string | null = null
-// @turbopack-disable-next-line
-function redoFile(): string {
-  if (!_redoFile) _redoFile = /*turbopackIgnore: true*/ path.join(dir(), 'design-redo.jsonl')
-  return _redoFile
-}
-
-let _root: string | null = null
-// @turbopack-disable-next-line
-function root(): string {
-  if (!_root) _root = process.env.SIN_WORKSPACE_DIR ?? /* turbopackIgnore: true */ process.cwd()
-  return _root
-}
-
-async function readStack(file: string): Promise<DesignHistoryEntry[]> {
-  try {
-    const raw = await fs.readFile(file, 'utf8')
-    return raw.split('\n').filter(Boolean).map((l) => JSON.parse(l) as DesignHistoryEntry)
-  } catch {
-    return []
-  }
-}
-
-async function writeStack(file: string, entries: DesignHistoryEntry[]): Promise<void> {
-  await fs.mkdir(dir(), { recursive: true })
-  const bounded = entries.slice(-MAX_ENTRIES)
-  await fs.writeFile(
-    file,
-    bounded.map((e) => JSON.stringify(e)).join('\n') + (bounded.length ? '\n' : ''),
-    'utf8',
-  )
+async function impl(): Promise<typeof import('./design-history-fs')> {
+  if (!_impl) _impl = await import('./design-history-fs')
+  return _impl
 }
 
 export async function getHistory(): Promise<{
   undo: DesignHistoryEntry[]
   redo: DesignHistoryEntry[]
 }> {
-  const [undo, redo] = await Promise.all([readStack(historyFile()), readStack(redoFile())])
-  return { undo, redo }
+  return (await impl()).getHistory()
 }
 
 /** Called after a successful Apply. Clears the redo stack. */
@@ -85,56 +41,17 @@ export async function pushEntry(
     timestamp: new Date().toISOString(),
     type: 'class-change',
   }
-  const undoStack = await readStack(historyFile())
-  undoStack.push(full)
-  await writeStack(historyFile(), undoStack)
-  await writeStack(redoFile(), [])
-  return full
-}
-
-/** Re-applies a value near the recorded line (same strategy as design-edit). */
-async function applyToFile(entry: DesignHistoryEntry, from: string, to: string): Promise<void> {
-  const resolved = /*turbopackIgnore: true*/ path.resolve(root(), '.' + path.sep + entry.file)
-  if (!resolved.startsWith(root())) throw new Error('Invalid path')
-  const content = await fs.readFile(resolved, 'utf8')
-  const lines = content.split('\n')
-  const start = Math.max(0, entry.line - 3)
-  const end = Math.min(lines.length, entry.line + 5)
-  for (let i = start; i < end; i++) {
-    if (lines[i].includes(from)) {
-      lines[i] = lines[i].replace(from, to)
-      await fs.writeFile(resolved, lines.join('\n'), 'utf8')
-      return
-    }
-  }
-  throw new Error(`Could not locate "${from}" near ${entry.file}:${entry.line}`)
+  return (await impl()).pushEntry(full)
 }
 
 export async function undo(): Promise<DesignHistoryEntry | null> {
-  const stack = await readStack(historyFile())
-  const last = stack.pop()
-  if (!last) return null
-  await applyToFile(last, last.newValue, last.oldValue)
-  await writeStack(historyFile(), stack)
-  const redoStack = await readStack(redoFile())
-  redoStack.push(last)
-  await writeStack(redoFile(), redoStack)
-  return last
+  return (await impl()).undo()
 }
 
 export async function redo(): Promise<DesignHistoryEntry | null> {
-  const redoStack = await readStack(redoFile())
-  const last = redoStack.pop()
-  if (!last) return null
-  await applyToFile(last, last.oldValue, last.newValue)
-  await writeStack(redoFile(), redoStack)
-  const undoStack = await readStack(historyFile())
-  undoStack.push(last)
-  await writeStack(historyFile(), undoStack)
-  return last
+  return (await impl()).redo()
 }
 
 export async function clearHistory(): Promise<void> {
-  await writeStack(historyFile(), [])
-  await writeStack(redoFile(), [])
+  return (await impl()).clearHistory()
 }
diff --git a/lib/workspace/files-fs.ts b/lib/workspace/files-fs.ts
new file mode 100644
index 0000000..382d333
--- /dev/null
+++ b/lib/workspace/files-fs.ts
@@ -0,0 +1,63 @@
+/**
+ * Purpose: All dynamic fs/path access for the workspace files route lives here.
+ * Loaded via `await import()` from the route handler so Turbopack's NFT
+ * tracer never sees fs/path/cwd at the route boundary (#59 / #60).
+ */
+import { promises as fs } from 'node:fs'
+import path from 'node:path'
+
+function root(): string {
+  return process.env.SIN_WORKSPACE_DIR ?? process.cwd()
+}
+
+const IGNORE = new Set(['node_modules', '.git', '.next', '.sin-webui', 'dist'])
+const MAX_FILE_SIZE = 512 * 1024
+
+export interface TreeNode {
+  name: string
+  path: string
+  type: 'file' | 'dir'
+  children?: TreeNode[]
+}
+
+function safeResolve(rel: string): string {
+  const base = root()
+  const resolved = path.resolve(base, '.' + path.sep + rel)
+  if (!resolved.startsWith(base)) throw new Error('Invalid path')
+  return resolved
+}
+
+async function buildTree(dir: string, relBase = ''): Promise<TreeNode[]> {
+  const entries = await fs.readdir(dir, { withFileTypes: true })
+  const nodes: TreeNode[] = []
+  for (const entry of entries) {
+    if (IGNORE.has(entry.name)) continue
+    const relPath = relBase ? `${relBase}/${entry.name}` : entry.name
+    if (entry.isDirectory()) {
+      nodes.push({
+        name: entry.name,
+        path: relPath,
+        type: 'dir',
+        children: await buildTree(path.join(dir, entry.name), relPath),
+      })
+    } else {
+      nodes.push({ name: entry.name, path: relPath, type: 'file' })
+    }
+  }
+  return nodes.sort((a, b) =>
+    a.type === b.type ? a.name.localeCompare(b.name) : a.type === 'dir' ? -1 : 1,
+  )
+}
+
+export async function readWorkspaceFile(rel: string): Promise<string> {
+  const abs = safeResolve(rel)
+  const stat = await fs.stat(abs)
+  if (stat.size > MAX_FILE_SIZE) {
+    return '// File too large to display'
+  }
+  return await fs.readFile(abs, 'utf8')
+}
+
+export async function listWorkspaceTree(): Promise<TreeNode[]> {
+  return await buildTree(root())
+}
diff --git a/next.config.mjs b/next.config.mjs
index 49a883e..8967c1b 100644
--- a/next.config.mjs
+++ b/next.config.mjs
@@ -12,9 +12,9 @@ const nextConfig = {
   turbopack: {
     root: import.meta.dirname,
   },
-  // NFT fix (#53): child_process/fs usage in API routes makes the tracer
-  // conservatively include the whole project. Exclude runtime-data and
-  // non-server directories from the standalone trace explicitly.
+  // NFT fix (#53 / #59 / #60): child_process/fs usage in API routes makes
+  // the tracer conservatively include the whole project. Exclude runtime-
+  // data and non-server directories from the standalone trace explicitly.
   outputFileTracingExcludes: {
     '*': [
       './.sin-webui/**',
@@ -29,10 +29,19 @@ const nextConfig = {
       './lib/chat-history.ts',
       './lib/tokens.ts',
       './lib/audit.ts',
+      './lib/audit-fs.ts',
+      './lib/sin/run.ts',
+      './lib/sin/guard.ts',
+      './lib/sin/orchestrator-stream.ts',
+      './lib/workspace/design-history.ts',
+      './lib/workspace/design-history-fs.ts',
+      './lib/workspace/design-edit-fs.ts',
+      './lib/workspace/files-fs.ts',
     ],
     'app/api/workspace/**': ['**/*'],
     'app/api/settings/mcp/route.ts': ['**/*'],
     'app/api/settings/workspace/route.ts': ['**/*'],
+    'app/api/sin/orchestrator/stream/route.ts': ['**/*'],
   },
 }
 
diff --git a/proxy.ts b/proxy.ts
index a5efaba..98b98dd 100644
--- a/proxy.ts
+++ b/proxy.ts
@@ -1,17 +1,24 @@
 import { NextResponse, type NextRequest } from 'next/server'
 
+// Paths that must NEVER be gated by the session proxy.
 const PUBLIC_PATHS = [
   '/login',
   '/register',
   '/forgot-password',
   '/reset-password',
   '/api/auth',
+  '/api/health',
   '/share',
 ]
 
+// The compose file ships a placeholder secret for first boot. Treat it as
+// "auth not really configured" so the container behaves like anonymous/local
+// dev instead of locking every route behind a login that doesn't exist yet.
+const INSECURE_DEFAULT_SECRET = 'changeme-insecure-dev-secret-32chars-min'
+
 export default function proxy(request: NextRequest) {
-  // Backward-compat: ohne konfiguriertes Secret läuft alles anonym weiter
-  if (!process.env.BETTER_AUTH_SECRET) {
+  const secret = process.env.BETTER_AUTH_SECRET
+  if (!secret || secret === INSECURE_DEFAULT_SECRET) {
     return NextResponse.next()
   }
 
@@ -20,7 +27,6 @@ export default function proxy(request: NextRequest) {
     return NextResponse.next()
   }
 
-  // Optimistische Prüfung: nur Cookie-Existenz; echte Validierung macht getSession()
   const sessionCookie =
     request.cookies.get('better-auth.session_token') ??
     request.cookies.get('__Secure-better-auth.session_token')
diff --git a/public/design-mode-agent.js b/public/design-mode-agent.js
index 33ddf5f..c1bacc9 100644
--- a/public/design-mode-agent.js
+++ b/public/design-mode-agent.js
@@ -207,6 +207,32 @@
 
   parent.postMessage({ source: "sin-design", type: "ready" }, PARENT_ORIGIN)
 
+  // === Undo/Redo keyboard shortcuts (#60) ===
+  // Only active in Design Mode, and never while typing in a field.
+  document.addEventListener(
+    "keydown",
+    function (e) {
+      if (!enabled) return
+      var tag = (e.target && e.target.tagName) ? e.target.tagName.toLowerCase() : ""
+      var isEditable =
+        tag === "input" ||
+        tag === "textarea" ||
+        tag === "select" ||
+        (e.target && e.target.isContentEditable)
+      if (isEditable) return
+
+      var mod = e.metaKey || e.ctrlKey
+      if (!mod) return
+      if (e.key !== "z" && e.key !== "Z") return
+
+      e.preventDefault()
+      e.stopPropagation()
+      var type = e.shiftKey ? "design-redo" : "design-undo"
+      parent.postMessage({ source: "sin-design", type: type }, PARENT_ORIGIN)
+    },
+    true,
+  )
+
   // === Screenshot area capture (Cmd/Ctrl + Drag) — issue #54 ===
   var shotState = null
   var shotRect = null

From 29c94a160b09d55409b80b08333b0024d232b4b3 Mon Sep 17 00:00:00 2001
From: Delqhi <delqhi@users.noreply.github.com>
Date: Sat, 13 Jun 2026 02:16:48 +0200
Subject: [PATCH 2/2] feat(frontend): restore v0-style sidebar dropdown with
 Theme switch + ChatHeader
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#65 — User rage-quit: the legendary sidebar footer dropdown with the
System/Light/Dark theme switch (Monitor/Sun/Moon icons) plus Profile,
Account Settings, Pricing, Documentation, Feedback, Community Forum,
Refer a Friend, Language, Chat Position preferences — was lost.

#66 — The v0-style ChatHeader (Drafts breadcrumb, Star, title dropdown
with Rename/Favorites/Settings/Transfer/Delete, project options menu
with Vercel Project/Integrations/EnvVars/GitHub/Template/Domains/Analytics,
Share button) was lost when components/chat-view.tsx was removed.

What was restored:
- components/auth/user-menu.tsx: full DropdownMenu with user info,
  7 navigation items, Theme 3-segment switch wired to next-themes,
  Language + Chat Position (links to /settings/preferences), Sign Out.
- components/chat/chat-header.tsx: NEW — full v0 ChatHeader moved from
  initial commit, now imported by components/chat/chat-view.tsx
- components/chat/chat-view.tsx: ChatHeader rendered at top + new
  'title' prop wired to chatStore label
- components/chat/chat-view-wrapper.tsx: passes title from useChatStore
- components/chats-list.tsx: fixed 'chat.updated' reference (not in
  ChatEntry type) — shows 'Recent' instead

Files unchanged but already aligned with initial commit:
- components/ui/avatar.tsx, components/ui/separator.tsx (identical)
- components/prompt-box.tsx, components/page-shell.tsx (already wired)
---
 components/auth/user-menu.tsx         | 212 +++++++++++++++++++++++---
 components/{ => chat}/chat-header.tsx | 108 +++----------
 components/chat/chat-view-wrapper.tsx |   5 +
 components/chat/chat-view.tsx         |  12 +-
 components/chats-list.tsx             |  59 ++-----
 5 files changed, 240 insertions(+), 156 deletions(-)
 rename components/{ => chat}/chat-header.tsx (52%)

diff --git a/components/auth/user-menu.tsx b/components/auth/user-menu.tsx
index b601265..3998c42 100644
--- a/components/auth/user-menu.tsx
+++ b/components/auth/user-menu.tsx
@@ -1,18 +1,69 @@
 "use client"
 
 import { useRouter } from "next/navigation"
-import { signOut, useSession } from "@/lib/auth/client"
-import { LogOut, User } from "lucide-react"
+import { useTheme } from "next-themes"
+import Link from "next/link"
+import {
+  BookOpen,
+  ChevronDown,
+  CircleUser,
+  CreditCard,
+  Gift,
+  LogOut,
+  MessageCircleQuestion,
+  Monitor,
+  Moon,
+  Settings as SettingsIcon,
+  Sun,
+  Users,
+} from "lucide-react"
+import { useSession } from "@/lib/auth/client"
+import { cn } from "@/lib/utils"
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuGroup,
+  DropdownMenuItem,
+  DropdownMenuSeparator,
+  DropdownMenuTrigger,
+} from "@/components/ui/dropdown-menu"
+
+const FOOTER_LINKS = [
+  { href: "/settings/preferences", label: "Profile", Icon: CircleUser },
+  { href: "/settings", label: "Account Settings", Icon: SettingsIcon },
+  { href: "/settings/billing", label: "Pricing", Icon: CreditCard },
+  {
+    href: "https://github.com/OpenSIN-Code/SIN-Code-WebUI-v2#readme",
+    label: "Documentation",
+    Icon: BookOpen,
+    external: true,
+  },
+  {
+    href: "https://github.com/OpenSIN-Code/SIN-Code-WebUI-v2/issues",
+    label: "Feedback",
+    Icon: MessageCircleQuestion,
+    external: true,
+  },
+  {
+    href: "https://github.com/orgs/OpenSIN-Code/discussions",
+    label: "Community Forum",
+    Icon: Users,
+    external: true,
+  },
+  { href: "/settings/preferences?tab=referral", label: "Refer a Friend", Icon: Gift },
+]
 
 export function UserMenu() {
   const router = useRouter()
   const { data: session, isPending } = useSession()
+  const { theme, setTheme } = useTheme()
 
   if (isPending) {
     return (
       <div className="flex items-center gap-2 px-1 opacity-50">
-        <User className="size-4" />
-        <span className="text-xs text-muted-foreground">…</span>
+        <span className="flex size-5 shrink-0 items-center justify-center rounded-full bg-muted text-[9px] font-bold text-muted-foreground">
+          …
+        </span>
       </div>
     )
   }
@@ -22,34 +73,155 @@ export function UserMenu() {
       <button
         type="button"
         onClick={() => router.push("/login")}
-        className="flex items-center gap-2 rounded-md px-2 py-1 text-xs text-muted-foreground hover:bg-accent hover:text-foreground"
+        className="flex min-w-0 flex-1 items-center gap-1.5 rounded-md px-1.5 py-1 text-[12.5px] text-sidebar-foreground hover:bg-sidebar-accent"
       >
-        <User className="size-4" />
-        Anmelden
+        <span className="flex size-5 shrink-0 items-center justify-center rounded-full bg-brand text-[9px] font-bold text-white">
+          ?
+        </span>
+        <span className="truncate font-medium">Anmelden</span>
       </button>
     )
   }
 
+  const user = session.user as { name?: string | null; email?: string | null }
+  const displayName = user.name || user.email || "User"
+  const initial = (user.name || user.email || "U").charAt(0).toUpperCase()
+  const email = user.email || ""
+
   async function handleSignOut() {
+    const { signOut } = await import("@/lib/auth/client")
     await signOut()
     router.push("/login")
     router.refresh()
   }
 
   return (
-    <div className="flex items-center gap-2">
-      <span className="flex items-center gap-1.5 text-sm text-muted-foreground">
-        <User className="size-4" />
-        {session.user.name || session.user.email}
-      </span>
-      <button
-        type="button"
-        onClick={handleSignOut}
-        aria-label="Abmelden"
-        className="rounded-md p-2 text-muted-foreground hover:bg-accent hover:text-foreground"
+    <DropdownMenu>
+      <DropdownMenuTrigger
+        render={
+          <button
+            type="button"
+            aria-label="User menu"
+            className="flex min-w-0 flex-1 items-center gap-1.5 rounded-md px-1.5 py-1 text-[12.5px] text-sidebar-foreground hover:bg-sidebar-accent"
+          />
+        }
       >
-        <LogOut className="size-4" />
-      </button>
-    </div>
+        <span className="flex size-5 shrink-0 items-center justify-center rounded-full bg-brand text-[9px] font-bold text-white">
+          {initial}
+        </span>
+        <span className="truncate font-medium">{displayName}</span>
+      </DropdownMenuTrigger>
+
+      <DropdownMenuContent align="start" side="top" className="w-60">
+        <div className="flex flex-col gap-0.5 px-3 py-2">
+          <span className="truncate text-[13px] font-semibold text-foreground">
+            {displayName}
+          </span>
+          {email ? (
+            <span className="truncate text-[12px] text-muted-foreground">{email}</span>
+          ) : null}
+        </div>
+        <DropdownMenuSeparator />
+
+        <DropdownMenuGroup>
+          {FOOTER_LINKS.map(({ href, label, Icon, external }) => (
+            <DropdownMenuItem
+              key={label}
+              render={
+                external ? (
+                  <a href={href} target="_blank" rel="noreferrer" className="flex items-center gap-2">
+                    <Icon className="size-4" />
+                    {label}
+                  </a>
+                ) : (
+                  <Link href={href} className="flex items-center gap-2">
+                    <Icon className="size-4" />
+                    {label}
+                  </Link>
+                )
+              }
+            />
+          ))}
+        </DropdownMenuGroup>
+
+        <DropdownMenuSeparator />
+
+        <div className="px-3 pb-1 pt-1.5 text-[11px] font-medium uppercase tracking-wider text-muted-foreground/70">
+          Preferences
+        </div>
+
+        {/* Theme switch — System / Light / Dark */}
+        <div className="flex items-center justify-between px-3 py-1.5">
+          <span className="text-[13px] text-foreground">Theme</span>
+          <div
+            role="radiogroup"
+            aria-label="Theme"
+            className="flex items-center gap-0.5 rounded-full border border-border bg-muted/40 p-0.5"
+          >
+            {(
+              [
+                { value: "system", Icon: Monitor, label: "System theme" },
+                { value: "light", Icon: Sun, label: "Light theme" },
+                { value: "dark", Icon: Moon, label: "Dark theme" },
+              ] as const
+            ).map(({ value, Icon, label }) => (
+              <button
+                key={value}
+                type="button"
+                role="radio"
+                aria-checked={theme === value}
+                aria-label={label}
+                onClick={() => setTheme(value)}
+                className={cn(
+                  "flex size-[22px] items-center justify-center rounded-full text-muted-foreground transition-colors hover:text-foreground",
+                  theme === value && "bg-background text-foreground shadow-sm",
+                )}
+              >
+                <Icon className="size-3" />
+              </button>
+            ))}
+          </div>
+        </div>
+
+        {/* Language — stub (no i18n yet) */}
+        <div className="flex items-center justify-between px-3 py-1.5">
+          <span className="text-[13px] text-foreground">Language</span>
+          <Link
+            href="/settings/preferences"
+            className="flex items-center gap-1 rounded-md border border-border px-2 py-0.5 text-[12px] text-foreground hover:bg-accent"
+          >
+            English <ChevronDown className="size-3" />
+          </Link>
+        </div>
+
+        {/* Chat Position — stub (single layout) */}
+        <div className="flex items-center justify-between px-3 py-1.5">
+          <span className="text-[13px] text-foreground">Chat Position</span>
+          <Link
+            href="/settings/preferences"
+            className="flex items-center gap-1 rounded-md border border-border px-2 py-0.5 text-[12px] text-foreground hover:bg-accent"
+          >
+            Left <ChevronDown className="size-3" />
+          </Link>
+        </div>
+
+        <DropdownMenuSeparator />
+
+        <DropdownMenuGroup>
+          <DropdownMenuItem
+            render={
+              <button
+                type="button"
+                onClick={handleSignOut}
+                className="flex w-full items-center gap-2"
+              >
+                <LogOut className="size-4" />
+                Sign Out
+              </button>
+            }
+          />
+        </DropdownMenuGroup>
+      </DropdownMenuContent>
+    </DropdownMenu>
   )
 }
diff --git a/components/chat-header.tsx b/components/chat/chat-header.tsx
similarity index 52%
rename from components/chat-header.tsx
rename to components/chat/chat-header.tsx
index 1c1acb3..b05c43d 100644
--- a/components/chat-header.tsx
+++ b/components/chat/chat-header.tsx
@@ -1,27 +1,18 @@
-/**
- * Purpose: Chat page header — breadcrumb, title dropdown, project menu, share.
- * Wired to chat-store (rename, delete, favorite) and ShareMenu (visibility + link).
- * Related issues: #15, #16
- */
 'use client'
 
-import { useRouter } from 'next/navigation'
 import {
   BarChart3,
   ChevronDown,
   FileKey,
   GitBranch,
   Globe,
-  LayoutGrid,
   LayoutTemplate,
   MoreHorizontal,
   Puzzle,
+  Share2,
   Star,
 } from 'lucide-react'
 import { DashedSpinner, VercelTriangle } from '@/components/icons'
-import { useChatStore } from '@/components/chat-store'
-import { PublishMenu } from '@/components/publish-menu'
-import { ShareMenu } from '@/components/share-menu'
 import {
   DropdownMenu,
   DropdownMenuContent,
@@ -31,41 +22,7 @@ import {
   DropdownMenuTrigger,
 } from '@/components/ui/dropdown-menu'
 
-export function ChatHeader({
-  title,
-  chatId,
-  activeProject,
-}: {
-  title: string
-  chatId?: string
-  /** Project this chat belongs to (via project.chatIds.includes(chatId)). */
-  activeProject?: { id: string; name: string } | null
-}) {
-  const router = useRouter()
-  const { removeChat, renameChat, toggleFavorite, recentChats } = useChatStore()
-  const isFavorite = chatId
-    ? recentChats.find((c) => c.id === chatId)?.favorite
-    : false
-
-  function handleDelete() {
-    if (!chatId) return
-    if (!window.confirm(`Delete "${title}"? This cannot be undone.`)) return
-    removeChat(chatId)
-    router.push('/chats')
-  }
-
-  function handleRename() {
-    if (!chatId) return
-    const next = window.prompt('Rename chat', title)
-    const trimmed = next?.trim()
-    if (trimmed && trimmed !== title) renameChat(chatId, trimmed)
-  }
-
-  function handleToggleFavorite() {
-    if (!chatId) return
-    toggleFavorite(chatId)
-  }
-
+export function ChatHeader({ title }: { title: string }) {
   return (
     <header className="flex h-11 shrink-0 items-center gap-1.5 border-b border-border/60 px-3">
       {/* Breadcrumb */}
@@ -79,34 +36,16 @@ export function ChatHeader({
           <span>Drafts</span>
         </button>
 
+        {/* Slash separator */}
         <span className="select-none text-[14px] text-border/80">/</span>
 
-        {/* Active project badge (when the chat belongs to one) */}
-        {activeProject && (
-          <a
-            href="/projects"
-            title={`In project: ${activeProject.name}`}
-            className="ml-0.5 flex max-w-[180px] items-center gap-1 rounded-md border border-border bg-muted/40 px-1.5 py-0.5 text-[12px] font-medium text-foreground hover:bg-accent"
-          >
-            <LayoutGrid className="size-3 shrink-0 text-muted-foreground" />
-            <span className="truncate">{activeProject.name}</span>
-          </a>
-        )}
-
         {/* Star */}
         <button
           type="button"
-          aria-label={isFavorite ? 'Remove from favorites' : 'Add to favorites'}
-          aria-pressed={isFavorite}
-          onClick={handleToggleFavorite}
-          disabled={!chatId}
-          className="flex size-7 items-center justify-center rounded text-muted-foreground hover:bg-accent hover:text-foreground disabled:cursor-not-allowed disabled:opacity-50 data-[favorite=true]:text-amber-500"
-          data-favorite={isFavorite ? 'true' : 'false'}
+          aria-label="Add to favorites"
+          className="flex size-7 items-center justify-center rounded text-muted-foreground hover:bg-accent hover:text-foreground"
         >
-          <Star
-            className="size-3.5"
-            fill={isFavorite ? 'currentColor' : 'none'}
-          />
+          <Star className="size-3.5" />
         </button>
 
         {/* Title dropdown */}
@@ -124,33 +63,21 @@ export function ChatHeader({
           </DropdownMenuTrigger>
           <DropdownMenuContent align="start" className="w-48">
             <DropdownMenuGroup>
-              <DropdownMenuItem onClick={handleRename} disabled={!chatId}>
-                Rename
-              </DropdownMenuItem>
-              <DropdownMenuItem
-                onClick={handleToggleFavorite}
-                disabled={!chatId}
-              >
-                {isFavorite ? 'Remove from Favorites' : 'Add to Favorites'}
-              </DropdownMenuItem>
+              <DropdownMenuItem>Rename</DropdownMenuItem>
+              <DropdownMenuItem>Add to Favorites</DropdownMenuItem>
             </DropdownMenuGroup>
             <DropdownMenuSeparator />
             <DropdownMenuGroup>
-              <DropdownMenuItem disabled>Settings</DropdownMenuItem>
-              <DropdownMenuItem disabled>Transfer&hellip;</DropdownMenuItem>
-              <DropdownMenuItem
-                variant="destructive"
-                onClick={handleDelete}
-                disabled={!chatId}
-              >
-                Delete
-              </DropdownMenuItem>
+              <DropdownMenuItem>Settings</DropdownMenuItem>
+              <DropdownMenuItem>Transfer&hellip;</DropdownMenuItem>
+              <DropdownMenuItem variant="destructive">Delete</DropdownMenuItem>
             </DropdownMenuGroup>
           </DropdownMenuContent>
         </DropdownMenu>
       </div>
 
       {/* Right actions */}
+      {/* "..." project options */}
       <DropdownMenu>
         <DropdownMenuTrigger
           render={
@@ -191,10 +118,13 @@ export function ChatHeader({
       </DropdownMenu>
 
       {/* Share */}
-      <ShareMenu chatId={chatId} />
-
-      {/* Publish */}
-      <PublishMenu chatId={chatId} />
+      <button
+        type="button"
+        aria-label="Share"
+        className="flex size-7 items-center justify-center rounded-md text-muted-foreground hover:bg-accent hover:text-foreground"
+      >
+        <Share2 className="size-4" />
+      </button>
     </header>
   )
 }
diff --git a/components/chat/chat-view-wrapper.tsx b/components/chat/chat-view-wrapper.tsx
index 3461e5c..89263d5 100644
--- a/components/chat/chat-view-wrapper.tsx
+++ b/components/chat/chat-view-wrapper.tsx
@@ -4,6 +4,7 @@ import { useCallback, useEffect, useRef, useState } from 'react'
 import { useChat } from '@ai-sdk/react'
 import { DefaultChatTransport, type UIMessage } from 'ai'
 import { ChatView, type ChatMessage, type ChatPart } from '@/components/chat/chat-view'
+import { useChatStore } from '@/components/chat-store'
 import { SIN_MODELS } from '@/lib/sin/models'
 import { useSoundNotification } from '@/hooks/use-sound-notification'
 
@@ -69,6 +70,9 @@ export function ChatViewWrapper({
   const [agent] = useState<string>('auto')
   const [initialMessages, setInitialMessages] = useState<UIMessage[] | null>(null)
   const playNotification = useSoundNotification()
+  const { recentChats } = useChatStore()
+  const chat = recentChats.find((c) => c.id === chatId)
+  const title = chat?.label || 'New chat'
 
   useEffect(() => {
     let cancelled = false
@@ -154,6 +158,7 @@ export function ChatViewWrapper({
       onSend={handleSend}
       onStop={handleStop}
       initialModel={model}
+      title={title}
     />
   )
 }
diff --git a/components/chat/chat-view.tsx b/components/chat/chat-view.tsx
index 0b442a1..f20710c 100644
--- a/components/chat/chat-view.tsx
+++ b/components/chat/chat-view.tsx
@@ -6,6 +6,7 @@ import { ThinkingIndicator, LoadingDots } from "@/components/chat/thinking-indic
 import { ToolCall } from "@/components/chat/tool-call"
 import { PromptComposer } from "@/components/chat/prompt-composer"
 import { MarkdownMessage } from "@/components/chat/markdown-message"
+import { ChatHeader } from "@/components/chat/chat-header"
 
 export interface ChatPart {
   type: "text" | "tool"
@@ -28,9 +29,17 @@ interface ChatViewProps {
   onSend: (text: string, model: string) => void
   onStop?: () => void
   initialModel?: string
+  title?: string
 }
 
-export function ChatView({ messages, status, onSend, onStop, initialModel }: ChatViewProps) {
+export function ChatView({
+  messages,
+  status,
+  onSend,
+  onStop,
+  initialModel,
+  title = "New chat",
+}: ChatViewProps) {
   const bottomRef = useRef<HTMLDivElement>(null)
 
   useEffect(() => {
@@ -42,6 +51,7 @@ export function ChatView({ messages, status, onSend, onStop, initialModel }: Cha
 
   return (
     <div className="flex h-dvh flex-col bg-background">
+      <ChatHeader title={title} />
       <div className="flex-1 overflow-y-auto">
         <div className="mx-auto flex max-w-3xl flex-col px-4 py-6">
           {messages.length === 0 && (
diff --git a/components/chats-list.tsx b/components/chats-list.tsx
index 79d8a41..62a0975 100644
--- a/components/chats-list.tsx
+++ b/components/chats-list.tsx
@@ -1,17 +1,11 @@
-/**
- * Purpose: /chats list — each row is a link with a hover-revealed
- * favorite toggle (amber star) and a timestamp.
- * Related issues: #23
- */
 'use client'
 
-import { Clock, SquarePen, Star } from 'lucide-react'
+import { Clock, SquarePen } from 'lucide-react'
 import Link from 'next/link'
 import { useChatStore } from '@/components/chat-store'
-import { cn } from '@/lib/utils'
 
 export function ChatsList() {
-  const { recentChats, toggleFavorite } = useChatStore()
+  const { recentChats } = useChatStore()
 
   if (recentChats.length === 0) {
     return (
@@ -24,50 +18,23 @@ export function ChatsList() {
   return (
     <div className="flex flex-col gap-1">
       {recentChats.map((chat) => (
-        <div
+        <Link
           key={chat.id}
+          href={`/chat/${chat.id}`}
           className="group flex items-center gap-3 rounded-lg border border-transparent px-3 py-2.5 hover:border-border/60 hover:bg-card"
         >
-          <Link
-            href={`/chat/${chat.id}`}
-            className="flex min-w-0 flex-1 items-center gap-3"
-          >
-            <span className="flex size-8 shrink-0 items-center justify-center rounded-md border border-border bg-card">
-              <SquarePen className="size-3.5 text-muted-foreground" />
-            </span>
-            <span className="flex min-w-0 flex-1 flex-col">
-              <span className="truncate text-sm text-foreground">
-                {chat.label}
-              </span>
-              <span className="truncate text-xs text-muted-foreground">
-                Drafts
-              </span>
-            </span>
-          </Link>
+          <span className="flex size-8 shrink-0 items-center justify-center rounded-md border border-border bg-card">
+            <SquarePen className="size-3.5 text-muted-foreground" />
+          </span>
+          <span className="flex min-w-0 flex-1 flex-col">
+            <span className="truncate text-sm text-foreground">{chat.label}</span>
+            <span className="truncate text-xs text-muted-foreground">Drafts</span>
+          </span>
           <span className="flex shrink-0 items-center gap-1 text-xs text-muted-foreground">
             <Clock className="size-3" />
-            {'1:22 PM'}
+            Recent
           </span>
-          <button
-            type="button"
-            aria-label={
-              chat.favorite ? 'Remove from favorites' : 'Add to favorites'
-            }
-            aria-pressed={!!chat.favorite}
-            onClick={() => toggleFavorite(chat.id)}
-            className={cn(
-              'flex size-7 shrink-0 items-center justify-center rounded-md text-muted-foreground hover:bg-accent hover:text-foreground',
-              !chat.favorite && 'opacity-0 group-hover:opacity-100',
-            )}
-          >
-            <Star
-              className={cn(
-                'size-3.5',
-                chat.favorite && 'fill-amber-400 text-amber-400',
-              )}
-            />
-          </button>
-        </div>
+        </Link>
       ))}
     </div>
   )