diff --git a/packages/cli/bin/tps.ts b/packages/cli/bin/tps.ts
index c2e33bf..19a97cf 100755
--- a/packages/cli/bin/tps.ts
+++ b/packages/cli/bin/tps.ts
@@ -125,6 +125,9 @@ const cli = meow(
       priority: { type: "string" },
       version: { type: "string" },
       verbose: { type: "boolean", default: false },
+      // ops-7x9y: office join supervision flags (--force is already declared above)
+      tunnelVia: { type: "string" },
+      keepUnits: { type: "boolean", default: false },
       // Task envelope flags (mail send --task)
       task: { type: "string" },
       taskId: { type: "string" },
@@ -562,16 +565,27 @@ async function main() {
       } else if (action === "join") {
         const joinToken = rest[2];
         if (!rest[1] || !joinToken) {
-          console.error("Usage: tps office join <name> <join-token-url>");
+          console.error("Usage: tps office join <name> <join-token-url> [--tunnel-via <ssh-host>] [--port <n>] [--force]");
           process.exit(1);
         }
-        await runOffice({ action: "join", agent: rest[1], joinToken });
+        await runOffice({
+          action: "join",
+          agent: rest[1],
+          joinToken,
+          tunnelVia: cli.flags.tunnelVia as string | undefined,
+          port: cli.flags.port as number | undefined,
+          force: cli.flags.force as boolean,
+        });
       } else if (action === "revoke") {
         if (!rest[1]) {
-          console.error("Usage: tps office revoke <name>");
+          console.error("Usage: tps office revoke <name> [--keep-units]");
           process.exit(1);
         }
-        await runOffice({ action: "revoke", agent: rest[1] });
+        await runOffice({
+          action: "revoke",
+          agent: rest[1],
+          keepUnits: cli.flags.keepUnits as boolean,
+        });
       } else if (action === "setup") {
         const dryRun = process.argv.includes("--dry-run") || process.argv.includes("--dry");
         await runOffice({ action: "setup", agent: rest[1], dryRun });
diff --git a/packages/cli/src/commands/office-supervision.ts b/packages/cli/src/commands/office-supervision.ts
new file mode 100644
index 0000000..2202f51
--- /dev/null
+++ b/packages/cli/src/commands/office-supervision.ts
@@ -0,0 +1,463 @@
+/**
+ * ops-7x9y: launchd supervision for `tps office join --tunnel-via`.
+ *
+ * Generates and manages macOS launchd plists that keep SSH tunnels and
+ * office-connect processes alive across reboots. Each branch-office gets
+ * two units:
+ *   - ai.tpsdev.tunnel-<name>: autossh-style port forward
+ *   - ai.tpsdev.office-<name>: persistent office connect
+ *
+ * All state is tracked in ~/.tps/branch-office/<name>/supervision.json.
+ */
+
+import { execSync, spawnSync } from "node:child_process";
+import {
+  existsSync,
+  mkdirSync,
+  readFileSync,
+  renameSync,
+  unlinkSync,
+  writeFileSync,
+} from "node:fs";
+import { homedir } from "node:os";
+import { join } from "node:path";
+
+// ---- Port scanning ----
+
+const PORT_RANGE_START = 33700;
+const PORT_RANGE_END = 33999;
+
+/**
+ * Find the first unused local TCP port in the deterministic range 33700–33999.
+ * A port is considered "taken" if a launchd plist in ~/Library/LaunchAgents
+ * references it in a -L argument.
+ */
+export function findFreeLaunchdPort(home: string = homedir()): number {
+  const launchAgentsDir = join(home, "Library", "LaunchAgents");
+  const taken = new Set<number>();
+
+  if (existsSync(launchAgentsDir)) {
+    const { readdirSync } = require("node:fs");
+    for (const f of readdirSync(launchAgentsDir)) {
+      if (!f.endsWith(".plist")) continue;
+      try {
+        const content = readFileSync(join(launchAgentsDir, f), "utf-8");
+        // Match -L <port>:127.0.0.1:<port> or -L <port>:localhost:<port>
+        const re = /<string>-L<\/string>\s*<string>(\d+):/g;
+        for (const m of content.matchAll(re)) {
+          taken.add(parseInt(m[1], 10));
+        }
+      } catch {
+        // unreadable plist → skip
+      }
+    }
+  }
+
+  for (let port = PORT_RANGE_START; port <= PORT_RANGE_END; port++) {
+    if (!taken.has(port)) return port;
+  }
+
+  throw new Error(
+    `No free port found in range ${PORT_RANGE_START}–${PORT_RANGE_END}. ` +
+      `Free up a port or use --port to choose manually.`
+  );
+}
+
+// ---- Plist generation ----
+
+function resolveBun(): string {
+  try {
+    return execSync("which bun", { encoding: "utf-8" }).trim();
+  } catch {
+    return "/opt/homebrew/bin/bun";
+  }
+}
+
+function resolveSsh(): string {
+  try {
+    return execSync("which ssh", { encoding: "utf-8" }).trim();
+  } catch {
+    return "/usr/bin/ssh";
+  }
+}
+
+/**
+ * Resolve the path to the bundled tps.js CLI entrypoint.
+ * Precedence: 1) TPS_CLI_PATH env var, 2) <home>/ops/tps/packages/cli/dist/bin/tps.js
+ */
+function resolveTpsJs(home: string): string {
+  if (process.env.TPS_CLI_PATH) return process.env.TPS_CLI_PATH;
+  return join(home, "ops/tps/packages/cli/dist/bin/tps.js");
+}
+
+/**
+ * Escape XML special characters for safe string interpolation into plist XML.
+ * Covers: & < > "
+ */
+function xmlEscape(s: string): string {
+  return s
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;");
+}
+
+export interface TunnelPlistParams {
+  name: string;
+  localPort: number;
+  tunnelVia: string;
+  home?: string;
+}
+
+export function generateTunnelPlist(params: TunnelPlistParams): string {
+  const home = params.home ?? homedir();
+  const label = `ai.tpsdev.tunnel-${params.name}`;
+  const ssh = resolveSsh();
+  const logDir = join(home, ".tps", "logs");
+
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${label}</string>
+
+  <key>ProgramArguments</key>
+  <array>
+    <string>${xmlEscape(ssh)}</string>
+    <string>-N</string>
+    <string>-L</string>
+    <string>${params.localPort}:127.0.0.1:${params.localPort}</string>
+    <string>--</string>
+    <string>${xmlEscape(params.tunnelVia)}</string>
+  </array>
+
+  <key>RunAtLoad</key>
+  <true/>
+
+  <key>KeepAlive</key>
+  <true/>
+
+  <key>StandardOutPath</key>
+  <string>${join(logDir, `tunnel-${params.name}.log`)}</string>
+
+  <key>StandardErrorPath</key>
+  <string>${join(logDir, `tunnel-${params.name}.error.log`)}</string>
+</dict>
+</plist>
+`;
+}
+
+export interface OfficePlistParams {
+  name: string;
+  home?: string;
+}
+
+export function generateOfficePlist(params: OfficePlistParams): string {
+  const home = params.home ?? homedir();
+  const label = `ai.tpsdev.office-${params.name}`;
+  const bun = resolveBun();
+  const tpsJs = resolveTpsJs(home);
+  const logDir = join(home, ".tps", "logs");
+
+  return `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>${label}</string>
+
+  <key>ProgramArguments</key>
+  <array>
+    <string>${xmlEscape(bun)}</string>
+    <string>run</string>
+    <string>${xmlEscape(tpsJs)}</string>
+    <string>office</string>
+    <string>connect</string>
+    <string>${params.name}</string>
+  </array>
+
+  <key>WorkingDirectory</key>
+  <string>${join(home, "ops/tps")}</string>
+
+  <key>RunAtLoad</key>
+  <true/>
+
+  <key>KeepAlive</key>
+  <true/>
+
+  <key>StandardOutPath</key>
+  <string>${join(logDir, `office-${params.name}.log`)}</string>
+
+  <key>StandardErrorPath</key>
+  <string>${join(logDir, `office-${params.name}.error.log`)}</string>
+</dict>
+</plist>
+`;
+}
+
+// ---- Atomic plist writes ----
+
+function plistPath(label: string, home: string = homedir()): string {
+  return join(home, "Library", "LaunchAgents", `${label}.plist`);
+}
+
+export function writePlist(label: string, content: string, home?: string): string {
+  const h = home ?? homedir();
+  const dest = plistPath(label, h);
+  const tmp = `${dest}.${process.pid}.tmp`;
+
+  mkdirSync(join(h, "Library", "LaunchAgents"), { recursive: true });
+  writeFileSync(tmp, content, { encoding: "utf-8", mode: 0o644 });
+  renameSync(tmp, dest);
+  return dest;
+}
+
+export function deletePlist(label: string, home?: string): void {
+  const dest = plistPath(label, home);
+  if (existsSync(dest)) {
+    unlinkSync(dest);
+  }
+}
+
+// ---- launchctl helpers ----
+
+function isUnitLoaded(label: string): boolean {
+  try {
+    const out = execSync(`launchctl list "${label}" 2>/dev/null || true`, {
+      encoding: "utf-8",
+    }).trim();
+    return out.length > 0 && out !== "-";
+  } catch {
+    return false;
+  }
+}
+
+export function loadUnit(plistPath: string): void {
+  execSync(`launchctl load "${plistPath}"`, { stdio: "pipe" });
+}
+
+export function unloadUnit(plistPath: string, label: string): void {
+  // Try to unload; if it's already gone that's fine
+  try {
+    if (isUnitLoaded(label)) {
+      execSync(`launchctl unload "${plistPath}" 2>/dev/null || true`, {
+        stdio: "pipe",
+      });
+    }
+  } catch {
+    // Best-effort
+  }
+}
+
+export interface UnitState {
+  label: string;
+  loaded: boolean;
+  pid: number | null;
+  lastExitStatus: number | null;
+}
+
+export function getUnitState(label: string): UnitState {
+  const state: UnitState = { label, loaded: false, pid: null, lastExitStatus: null };
+  try {
+    // `launchctl list <label>` outputs "PID\tSTATUS\tLABEL" or just "-"
+    const out = execSync(`launchctl list "${label}" 2>/dev/null || true`, {
+      encoding: "utf-8",
+    }).trim();
+    if (!out) return state; // not loaded
+
+    state.loaded = true;
+    const parts = out.split(/\s+/);
+    const pidStr = parts[0];
+    if (pidStr && pidStr !== "-") {
+      state.pid = parseInt(pidStr, 10);
+    }
+    if (parts.length >= 2 && parts[1] !== "-") {
+      state.lastExitStatus = parseInt(parts[1], 10);
+    }
+  } catch {
+    // best-effort
+  }
+
+  // Also try the richer `launchctl print` format
+  if (state.loaded) {
+    try {
+      const detail = execSync(`launchctl print "user/$(id -u)/${label}" 2>/dev/null || true`, {
+        encoding: "utf-8",
+        shell: "/bin/sh",
+      });
+      const pidMatch = detail.match(/"PID"\s*=\s*(\d+)/);
+      if (pidMatch) state.pid = parseInt(pidMatch[1], 10);
+    } catch {
+      // fall through
+    }
+  }
+
+  return state;
+}
+
+// ---- Supervision manifest ----
+
+export interface SupervisionManifest {
+  tunnel: {
+    plistLabel: string;
+    plistPath: string;
+    localPort: number;
+    tunnelVia: string;
+  };
+  office: {
+    plistLabel: string;
+    plistPath: string;
+  };
+  installedAt: string;
+}
+
+function supervisionDir(name: string, home?: string): string {
+  return join(home ?? homedir(), ".tps", "branch-office", name);
+}
+
+function supervisionPath(name: string, home?: string): string {
+  return join(supervisionDir(name, home), "supervision.json");
+}
+
+export function supervisionExists(name: string, home?: string): boolean {
+  return existsSync(supervisionPath(name, home));
+}
+
+export function readSupervision(name: string, home?: string): SupervisionManifest | null {
+  const p = supervisionPath(name, home);
+  if (!existsSync(p)) return null;
+  let raw: any;
+  try {
+    raw = JSON.parse(readFileSync(p, "utf-8"));
+  } catch {
+    throw new Error(`Supervision manifest corrupt at ${p}: invalid JSON`);
+  }
+  // Basic validation
+  if (!raw.tunnel || !raw.office || !raw.installedAt) return null;
+  return raw as SupervisionManifest;
+}
+
+export function writeSupervision(
+  name: string,
+  manifest: SupervisionManifest,
+  home?: string
+): string {
+  const dir = supervisionDir(name, home);
+  mkdirSync(dir, { recursive: true });
+  const p = supervisionPath(name, home);
+  // mode 0644 — no secrets
+  writeFileSync(p, JSON.stringify(manifest, null, 2), { encoding: "utf-8", mode: 0o644 });
+  return p;
+}
+
+export function deleteSupervision(name: string, home?: string): void {
+  const p = supervisionPath(name, home);
+  if (existsSync(p)) unlinkSync(p);
+}
+
+// ---- SSH validation ----
+
+export function validateSshReachable(host: string): void {
+  // Test with a simple `ssh <host> exit 0` — the actual reachability check.
+  // Use `--` to terminate option processing so hostnames starting with `-`
+  // aren't misinterpreted as SSH options.
+  const result = spawnSync("ssh", ["--", host, "exit", "0"], {
+    stdio: "pipe",
+    encoding: "utf-8",
+    timeout: 15_000,
+  });
+  if (result.status !== 0) {
+    const stderr = (result.stderr || "").trim();
+    const fullCmd = `ssh -- ${host} exit 0`;
+    throw new Error(
+      `SSH reachability check failed: ${fullCmd}\n` +
+        (stderr ? `  ${stderr}` : `  exit code ${result.status}`)
+    );
+  }
+}
+
+// ---- Full install / teardown ----
+
+export interface InstallResult {
+  localPort: number;
+  tunnelLabel: string;
+  officeLabel: string;
+  manifest: SupervisionManifest;
+}
+
+export function installSupervision(
+  name: string,
+  tunnelVia: string,
+  portOverride?: number,
+  home?: string
+): InstallResult {
+  const h = home ?? homedir();
+  const logDir = join(h, ".tps", "logs");
+  mkdirSync(logDir, { recursive: true });
+
+  // Validate SSH reachability
+  validateSshReachable(tunnelVia);
+
+  // Auto-pick or use override
+  const localPort = portOverride ?? findFreeLaunchdPort(h);
+
+  // Generate plists
+  const tunnelLabel = `ai.tpsdev.tunnel-${name}`;
+  const officeLabel = `ai.tpsdev.office-${name}`;
+
+  const tunnelContent = generateTunnelPlist({ name, localPort, tunnelVia, home: h });
+  const officeContent = generateOfficePlist({ name, home: h });
+
+  // Atomic write
+  const tunnelPath = writePlist(tunnelLabel, tunnelContent, h);
+  const officePath = writePlist(officeLabel, officeContent, h);
+
+  // Load both
+  loadUnit(tunnelPath);
+  loadUnit(officePath);
+
+  // Persist manifest
+  const manifest: SupervisionManifest = {
+    tunnel: {
+      plistLabel: tunnelLabel,
+      plistPath: tunnelPath,
+      localPort,
+      tunnelVia,
+    },
+    office: {
+      plistLabel: officeLabel,
+      plistPath: officePath,
+    },
+    installedAt: new Date().toISOString(),
+  };
+
+  writeSupervision(name, manifest, h);
+
+  return { localPort, tunnelLabel, officeLabel, manifest };
+}
+
+export function teardownSupervision(
+  name: string,
+  home?: string
+): { tunnelLabel: string; officeLabel: string } | null {
+  const manifest = readSupervision(name, home);
+  if (!manifest) return null;
+
+  const { tunnel, office } = manifest;
+
+  // Unload
+  unloadUnit(tunnel.plistPath, tunnel.plistLabel);
+  unloadUnit(office.plistPath, office.plistLabel);
+
+  // Delete plists
+  deletePlist(tunnel.plistLabel, home);
+  deletePlist(office.plistLabel, home);
+
+  // Delete manifest
+  deleteSupervision(name, home);
+
+  return { tunnelLabel: tunnel.plistLabel, officeLabel: office.plistLabel };
+}
diff --git a/packages/cli/src/commands/office.ts b/packages/cli/src/commands/office.ts
index 9f47e1c..d754d34 100644
--- a/packages/cli/src/commands/office.ts
+++ b/packages/cli/src/commands/office.ts
@@ -27,6 +27,10 @@ export interface OfficeArgs {
   joinToken?: string;
   dryRun?: boolean;
   json?: boolean;
+  tunnelVia?: string;
+  port?: number;
+  force?: boolean;
+  keepUnits?: boolean;
 }
 
 
@@ -544,6 +548,31 @@ export async function runOffice(args: OfficeArgs): Promise<void> {
           console.log(`   Review: ${pausedDir}`);
         }
       }
+
+      // ops-7x9y: report supervision state via launchd
+      try {
+        const { readSupervision, getUnitState } = await import("./office-supervision.js");
+        const sup = readSupervision(agent);
+        if (sup) {
+          const tunnelState = getUnitState(sup.tunnel.plistLabel);
+          const officeState = getUnitState(sup.office.plistLabel);
+          
+          const loadedIcon = (s: { loaded: boolean }) => s.loaded ? "🟢" : "🔴";
+          
+          if (args.json) {
+            // Already printed json above — re-print with supervision added
+            console.error("Note: --json output for supervised offices is not yet merged. Use plain text status.");
+          } else {
+            console.log(`\n🔒 Supervision (launchd):`);
+            console.log(`   ${loadedIcon(tunnelState)} Tunnel: ${sup.tunnel.plistLabel} → port ${sup.tunnel.localPort} via ${sup.tunnel.tunnelVia}${tunnelState.pid ? ` (PID ${tunnelState.pid})` : ""}`);
+            console.log(`   ${loadedIcon(officeState)} Office: ${sup.office.plistLabel}${officeState.pid ? ` (PID ${officeState.pid})` : ""}`);
+            console.log(`   Installed: ${sup.installedAt}`);
+          }
+        }
+      } catch {
+        // best-effort — status should never crash on missing supervision module
+      }
+
       return;
     }
 
@@ -587,7 +616,7 @@ export async function runOffice(args: OfficeArgs): Promise<void> {
 
     case "join": {
       if (!args.agent || !args.joinToken) {
-        console.error("Usage: tps office join <name> <join-token>");
+        console.error("Usage: tps office join <name> <join-token> [--tunnel-via <ssh-host>] [--port <n>] [--force]");
         process.exit(1);
       }
       const agent = validateAgent(args.agent);
@@ -651,11 +680,48 @@ export async function runOffice(args: OfficeArgs): Promise<void> {
       await channel.close();
       console.log(`Branch '${agent}' registered.`);
       console.log("Host pubkey sent to branch.");
+
+      // ops-7x9y: provision launchd supervision when --tunnel-via is given
+      if (args.tunnelVia) {
+        const { installSupervision, supervisionExists: supExists, teardownSupervision } = await import("./office-supervision.js");
+
+        if (supExists(agent)) {
+          if (!args.force) {
+            console.error(
+              `❌ Supervision already exists for '${agent}'.\n` +
+              `   Use --force to regenerate and reload, or tps office revoke ${agent} to tear down.`
+            );
+            process.exit(1);
+          }
+          // With --force: tear down existing first, then reinstall
+          console.log("♻️  Force-regenerating supervision units...");
+          teardownSupervision(agent);
+        }
+
+        try {
+          const result = installSupervision(agent, args.tunnelVia, args.port);
+          console.log("");
+          console.log("🔒 Supervision installed (launchd):");
+          console.log(`   Tunnel:    ${result.tunnelLabel} → port ${result.localPort} via ${args.tunnelVia}`);
+          console.log(`   Office:    ${result.officeLabel}`);
+          console.log(`   Manifest:  ~/.tps/branch-office/${agent}/supervision.json`);
+          console.log(`   Logs:      ~/.tps/logs/`);
+          console.log("");
+          console.log("   Units auto-start at login and restart on crash.");
+          console.log(`   Revoke with: tps office revoke ${agent}`);
+        } catch (e: any) {
+          console.error(`❌ Supervision provisioning failed: ${e.message}`);
+          // Don't undo the join — the branch is still registered
+          // But warn that supervision didn't take
+        }
+      }
+
       return;
     }
 
     case "revoke": {
       const agent = validateAgent(args.agent);
+
       revokeBranch(agent, "manual revocation");
       const ws = workspacePath(agent);
       const rPath = join(ws, "remote.json");
@@ -663,6 +729,24 @@ export async function runOffice(args: OfficeArgs): Promise<void> {
         try { unlinkSync(rPath); } catch {}
       }
       console.log(`Branch '${agent}' revoked.`);
+
+      // ops-7x9y: tear down supervision AFTER branch revocation succeeds.
+      // Doing it after ensures supervision is not orphaned if revokeBranch throws.
+      if (!args.keepUnits) {
+        try {
+          const { teardownSupervision, supervisionExists: supExists } = await import("./office-supervision.js");
+          if (supExists(agent)) {
+            const result = teardownSupervision(agent);
+            if (result) {
+              console.log(`🧹 Supervision units unloaded: ${result.tunnelLabel}, ${result.officeLabel}`);
+            }
+          }
+        } catch (e: any) {
+          console.error(`⚠️  Supervision teardown warning: ${e.message}`);
+          // Don't fail — revocation already succeeded
+        }
+      }
+
       return;
     }
 
diff --git a/packages/cli/test/office-supervision.test.ts b/packages/cli/test/office-supervision.test.ts
new file mode 100644
index 0000000..c633796
--- /dev/null
+++ b/packages/cli/test/office-supervision.test.ts
@@ -0,0 +1,484 @@
+/**
+ * ops-7x9y — unit tests for office supervision (launchd auto-provisioning).
+ *
+ * Tests: manifest I/O, plist rendering, port scanning, teardown logic,
+ * and K&S regression coverage for findings 1–5.
+ */
+
+import { describe, test, expect, beforeEach, afterEach } from "bun:test";
+import { existsSync, mkdirSync, rmSync, writeFileSync, readFileSync } from "node:fs";
+import { join } from "node:path";
+import { homedir } from "node:os";
+import {
+  generateTunnelPlist,
+  generateOfficePlist,
+  writePlist,
+  deletePlist,
+  findFreeLaunchdPort,
+  writeSupervision,
+  readSupervision,
+  supervisionExists,
+  deleteSupervision,
+  teardownSupervision,
+  validateSshReachable,
+} from "../src/commands/office-supervision.js";
+
+// ---------------------------------------------------------------------------
+// Test fixtures
+// ---------------------------------------------------------------------------
+
+const TMP_HOME = join(homedir(), ".tps-test-supervision");
+const LAUNCH_AGENTS_DIR = join(TMP_HOME, "Library", "LaunchAgents");
+const BRANCH_DIR = join(TMP_HOME, ".tps", "branch-office", "test-branch");
+const LOGS_DIR = join(TMP_HOME, ".tps", "logs");
+
+beforeEach(() => {
+  rmSync(TMP_HOME, { recursive: true, force: true });
+  mkdirSync(TMP_HOME, { recursive: true });
+  mkdirSync(LAUNCH_AGENTS_DIR, { recursive: true });
+  mkdirSync(BRANCH_DIR, { recursive: true });
+  mkdirSync(LOGS_DIR, { recursive: true });
+});
+
+afterEach(() => {
+  rmSync(TMP_HOME, { recursive: true, force: true });
+});
+
+// ---------------------------------------------------------------------------
+// 1. Supervision manifest read/write/round-trip
+// ---------------------------------------------------------------------------
+
+describe("supervision manifest", () => {
+  test("writes and reads a valid supervision manifest", () => {
+    const manifest = {
+      tunnel: {
+        plistLabel: "ai.tpsdev.tunnel-test-branch",
+        plistPath: join(TMP_HOME, "Library", "LaunchAgents", "ai.tpsdev.tunnel-test-branch.plist"),
+        localPort: 33744,
+        tunnelVia: "tps-reed",
+      },
+      office: {
+        plistLabel: "ai.tpsdev.office-test-branch",
+        plistPath: join(TMP_HOME, "Library", "LaunchAgents", "ai.tpsdev.office-test-branch.plist"),
+      },
+      installedAt: "2026-05-17T14:57:00.000Z",
+    };
+
+    writeSupervision("test-branch", manifest, TMP_HOME);
+
+    // Verify file exists
+    const manifestPath = join(BRANCH_DIR, "supervision.json");
+    expect(existsSync(manifestPath)).toBe(true);
+
+    // Verify mode is 0644 (no secrets)
+    const stat = require("node:fs").statSync(manifestPath);
+    const mode = (stat.mode & 0o777).toString(8);
+    expect(mode).toBe("644");
+
+    // Verify round-trip
+    const read = readSupervision("test-branch", TMP_HOME);
+    expect(read).not.toBeNull();
+    expect(read!.tunnel.plistLabel).toBe("ai.tpsdev.tunnel-test-branch");
+    expect(read!.tunnel.localPort).toBe(33744);
+    expect(read!.tunnel.tunnelVia).toBe("tps-reed");
+    expect(read!.office.plistLabel).toBe("ai.tpsdev.office-test-branch");
+    expect(read!.installedAt).toBe("2026-05-17T14:57:00.000Z");
+  });
+
+  test("returns null for missing manifest", () => {
+    expect(readSupervision("nonexistent", TMP_HOME)).toBeNull();
+    expect(supervisionExists("nonexistent", TMP_HOME)).toBe(false);
+  });
+
+  test("deleteSupervision removes the manifest", () => {
+    const manifest = {
+      tunnel: {
+        plistLabel: "ai.tpsdev.tunnel-temp",
+        plistPath: join(TMP_HOME, "Library", "LaunchAgents", "x.plist"),
+        localPort: 33900,
+        tunnelVia: "test",
+      },
+      office: {
+        plistLabel: "ai.tpsdev.office-temp",
+        plistPath: join(TMP_HOME, "Library", "LaunchAgents", "y.plist"),
+      },
+      installedAt: "2026-01-01T00:00:00Z",
+    };
+    writeSupervision("temp", manifest, TMP_HOME);
+    expect(supervisionExists("temp", TMP_HOME)).toBe(true);
+
+    deleteSupervision("temp", TMP_HOME);
+    expect(supervisionExists("temp", TMP_HOME)).toBe(false);
+  });
+
+  // K&S finding 4: corrupt manifest throws with descriptive error
+  test("throws descriptive error on corrupt/invalid JSON manifest", () => {
+    const dir = join(TMP_HOME, ".tps", "branch-office", "corrupt");
+    mkdirSync(dir, { recursive: true });
+    writeFileSync(join(dir, "supervision.json"), "{ this is not json }", "utf-8");
+
+    expect(() => readSupervision("corrupt", TMP_HOME)).toThrow(
+      /Supervision manifest corrupt.*supervision\.json.*invalid JSON/
+    );
+  });
+});
+
+// ---------------------------------------------------------------------------
+// 2. Plist template rendering
+// ---------------------------------------------------------------------------
+
+describe("generateTunnelPlist", () => {
+  test("renders correct SSH tunnel plist template", () => {
+    const plist = generateTunnelPlist({
+      name: "test-branch",
+      localPort: 33744,
+      tunnelVia: "tps-reed",
+      home: TMP_HOME,
+    });
+
+    // Structure
+    expect(plist).toContain('<?xml version="1.0" encoding="UTF-8"?>');
+    expect(plist).toContain("<!DOCTYPE plist PUBLIC");
+    expect(plist).toContain('<plist version="1.0">');
+
+    // Label (canonical: ai.tpsdev.tunnel-<name>)
+    expect(plist).toContain("<key>Label</key>");
+    expect(plist).toContain("<string>ai.tpsdev.tunnel-test-branch</string>");
+
+    // ProgramArguments: ssh -N -L <port>:127.0.0.1:<port> -- <tunnel-via>
+    expect(plist).toContain("<key>ProgramArguments</key>");
+    expect(plist).toContain("<string>-N</string>");
+    expect(plist).toContain("<string>-L</string>");
+    expect(plist).toContain("<string>33744:127.0.0.1:33744</string>");
+
+    // K&S finding 5: `--` terminator before hostname
+    expect(plist).toContain("<string>--</string>");
+    expect(plist).toContain("<string>tps-reed</string>");
+
+    // KeepAlive (simple true, not a dict with Crashed)
+    expect(plist).toContain("<key>KeepAlive</key>");
+    expect(plist).toContain("<true/>");
+
+    // RunAtLoad
+    expect(plist).toContain("<key>RunAtLoad</key>");
+    expect(plist).toContain("<true/>");
+
+    // Log paths under ~/.tps/logs/
+    expect(plist).toContain("<key>StandardOutPath</key>");
+    expect(plist).toContain(`<string>${join(LOGS_DIR, "tunnel-test-branch.log")}</string>`);
+    expect(plist).toContain("<key>StandardErrorPath</key>");
+    expect(plist).toContain(`<string>${join(LOGS_DIR, "tunnel-test-branch.error.log")}</string>`);
+  });
+
+  test("renders different port correctly", () => {
+    const plist = generateTunnelPlist({
+      name: "branch-b",
+      localPort: 33998,
+      tunnelVia: "other-host",
+      home: TMP_HOME,
+    });
+
+    expect(plist).toContain("<string>33998:127.0.0.1:33998</string>");
+    expect(plist).toContain("<string>--</string>");
+    expect(plist).toContain("<string>other-host</string>");
+    expect(plist).toContain("<string>ai.tpsdev.tunnel-branch-b</string>");
+  });
+
+  // K&S finding 5: hostnames with special XML chars are escaped
+  test("XML-escapes hostname with metacharacters", () => {
+    const plist = generateTunnelPlist({
+      name: "safe",
+      localPort: 33701,
+      tunnelVia: "evil-host&<>\"",
+      home: TMP_HOME,
+    });
+
+    expect(plist).not.toContain("evil-host&<>\"");
+    expect(plist).toContain("evil-host&amp;&lt;&gt;&quot;");
+  });
+
+  // K&S finding 5: hostname starting with - is after -- terminator
+  test("handles hostname starting with dash (SSH option injection prevention)", () => {
+    const plist = generateTunnelPlist({
+      name: "safe",
+      localPort: 33702,
+      tunnelVia: "-oProxyCommand=evil",
+      home: TMP_HOME,
+    });
+
+    // Verify `--` appears before the hostname in the XML argument array
+    const dashIdx = plist.indexOf("<string>--</string>");
+    const hostIdx = plist.indexOf("<string>-oProxyCommand=evil</string>");
+    expect(dashIdx).toBeGreaterThan(0);
+    expect(hostIdx).toBeGreaterThan(dashIdx);
+  });
+});
+
+describe("generateOfficePlist", () => {
+  test("renders correct office connect plist template", () => {
+    const plist = generateOfficePlist({ name: "test-branch", home: TMP_HOME });
+
+    // Structure
+    expect(plist).toContain('<?xml version="1.0" encoding="UTF-8"?>');
+    expect(plist).toContain("<!DOCTYPE plist PUBLIC");
+    expect(plist).toContain('<plist version="1.0">');
+
+    // Label (canonical: ai.tpsdev.office-<name>)
+    expect(plist).toContain("<key>Label</key>");
+    expect(plist).toContain("<string>ai.tpsdev.office-test-branch</string>");
+
+    // ProgramArguments: bun run <tpsJs> office connect <name>
+    expect(plist).toContain("<key>ProgramArguments</key>");
+    expect(plist).toContain("<string>run</string>");
+    expect(plist).toContain(`<string>${join(TMP_HOME, "ops/tps/packages/cli/dist/bin/tps.js")}</string>`);
+    expect(plist).toContain("<string>office</string>");
+    expect(plist).toContain("<string>connect</string>");
+    expect(plist).toContain("<string>test-branch</string>");
+
+    // WorkingDirectory: ~/ops/tps
+    expect(plist).toContain("<key>WorkingDirectory</key>");
+    expect(plist).toContain(`<string>${join(TMP_HOME, "ops/tps")}</string>`);
+
+    // KeepAlive
+    expect(plist).toContain("<key>KeepAlive</key>");
+    expect(plist).toContain("<true/>");
+
+    // Logs
+    expect(plist).toContain(`<string>${join(LOGS_DIR, "office-test-branch.log")}</string>`);
+    expect(plist).toContain(`<string>${join(LOGS_DIR, "office-test-branch.error.log")}</string>`);
+  });
+
+  // K&S finding 3: TPS_CLI_PATH env var overrides default path
+  test("uses TPS_CLI_PATH env var when set", () => {
+    const customPath = "/opt/custom/tps.js";
+    process.env.TPS_CLI_PATH = customPath;
+    try {
+      const plist = generateOfficePlist({ name: "custom-path", home: TMP_HOME });
+      expect(plist).toContain(`<string>${customPath}</string>`);
+      expect(plist).not.toContain("/ops/tps/packages/cli/dist/bin/tps.js");
+    } finally {
+      delete process.env.TPS_CLI_PATH;
+    }
+  });
+});
+
+// ---------------------------------------------------------------------------
+// 3. Port scanning
+// ---------------------------------------------------------------------------
+
+const PORT_RANGE_START = 33700;
+const PORT_RANGE_END = 33999;
+
+describe("findFreeLaunchdPort", () => {
+  test("returns first port in range when no plists exist", () => {
+    const port = findFreeLaunchdPort(TMP_HOME);
+    expect(port).toBeGreaterThanOrEqual(PORT_RANGE_START);
+    expect(port).toBeLessThanOrEqual(PORT_RANGE_END);
+  });
+
+  test("skips ports referenced in existing plists", () => {
+    // Write a dummy plist claiming port 33700
+    const occupyingPlist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/usr/bin/ssh</string>
+    <string>-N</string>
+    <string>-L</string>
+    <string>33700:127.0.0.1:33700</string>
+    <string>some-host</string>
+  </array>
+</dict>
+</plist>`;
+    writeFileSync(join(LAUNCH_AGENTS_DIR, "ai.tpsdev.tunnel-existing.plist"), occupyingPlist, "utf-8");
+
+    const port = findFreeLaunchdPort(TMP_HOME);
+    expect(port).toBe(33701); // 33700 is taken
+  });
+
+  test("skips multiple adjacent occupied ports", () => {
+    // Occupy 33700 and 33701
+    for (let i = 0; i < 2; i++) {
+      const plist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>ProgramArguments</key>
+  <array><string>ssh</string><string>-N</string><string>-L</string><string>${PORT_RANGE_START + i}:127.0.0.1:${PORT_RANGE_START + i}</string><string>x</string></array>
+</dict>
+</plist>`;
+      writeFileSync(join(LAUNCH_AGENTS_DIR, `ai.tpsdev.tunnel-${i}.plist`), plist, "utf-8");
+    }
+
+    const port = findFreeLaunchdPort(TMP_HOME);
+    expect(port).toBe(PORT_RANGE_START + 2);
+  });
+
+  test("throws when all ports in range are taken", () => {
+    // Fill the entire range — just enough entries to trigger the throw
+    const dummyPlist = `<?xml version="1.0" encoding="UTF-8"?>
+<plist version="1.0"><dict><key>ProgramArguments</key><array><string>-L</string><string>X</string></array></dict></plist>`;
+    for (let p = PORT_RANGE_START; p <= PORT_RANGE_END; p++) {
+      writeFileSync(
+        join(LAUNCH_AGENTS_DIR, `plist-${p}.plist`),
+        dummyPlist.replace("X", `${p}:127.0.0.1:${p}`),
+        "utf-8"
+      );
+    }
+
+    expect(() => findFreeLaunchdPort(TMP_HOME)).toThrow(/No free port/);
+  });
+
+  // K&S finding 5: ports that appear after `--` are NOT treated as occupied
+  // (they're hostnames, not -L port-bindings)
+  test("does not treat hostname-looking tokens after -- as ports", () => {
+    // A plist where the hostname happens to contain a number that looks like a port
+    const plist = `<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/usr/bin/ssh</string>
+    <string>-N</string>
+    <string>-L</string>
+    <string>33700:127.0.0.1:33700</string>
+    <string>--</string>
+    <string>host-33888</string>
+  </array>
+</dict>
+</plist>`;
+    writeFileSync(join(LAUNCH_AGENTS_DIR, "ai.tpsdev.tunnel-with-dash.plist"), plist, "utf-8");
+
+    // Port 33700 is taken by -L, but host-33888 should NOT be treated as a port
+    const port = findFreeLaunchdPort(TMP_HOME);
+    expect(port).toBe(33701); // 33700 is taken, 33701 is free
+    // Importantly: 33888 is NOT taken (it's after --, not a -L binding)
+    expect(port).toBeLessThan(33888);
+  });
+});
+
+// ---------------------------------------------------------------------------
+// 4. Atomic plist write/delete
+// ---------------------------------------------------------------------------
+
+describe("writePlist / deletePlist", () => {
+  test("writes plist atomically to ~/Library/LaunchAgents", () => {
+    const label = "ai.tpsdev.tunnel-test-atom";
+    const content = `<?xml version="1.0"?>
+<plist version="1.0">
+<dict><key>Label</key><string>${label}</string></dict>
+</plist>`;
+
+    const dest = writePlist(label, content, TMP_HOME);
+    expect(existsSync(dest)).toBe(true);
+
+    // Verify no .tmp left behind
+    const tmp = `${dest}.${process.pid}.tmp`;
+    expect(existsSync(tmp)).toBe(false);
+
+    // Verify content
+    const read = readFileSync(dest, "utf-8");
+    expect(read).toBe(content);
+  });
+
+  test("deletePlist removes the file", () => {
+    const label = "ai.tpsdev.tunnel-test-delete";
+    const dest = writePlist(label, "<plist/>", TMP_HOME);
+    expect(existsSync(dest)).toBe(true);
+
+    deletePlist(label, TMP_HOME);
+    expect(existsSync(dest)).toBe(false);
+  });
+
+  test("deletePlist is a no-op for nonexistent plists", () => {
+    // Should not throw
+    expect(() => deletePlist("nonexistent", TMP_HOME)).not.toThrow();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// 5. Revoke teardown
+// ---------------------------------------------------------------------------
+
+describe("teardownSupervision", () => {
+  test("removes plist files and manifest on teardown", () => {
+    const name = "branch-teardown";
+
+    // Create dummy plist files
+    const tunnelLabel = "ai.tpsdev.tunnel-branch-teardown";
+    const officeLabel = "ai.tpsdev.office-branch-teardown";
+    writePlist(tunnelLabel, `<plist><dict><key>Label</key><string>${tunnelLabel}</string></dict></plist>`, TMP_HOME);
+    writePlist(officeLabel, `<plist><dict><key>Label</key><string>${officeLabel}</string></dict></plist>`, TMP_HOME);
+
+    // Create manifest
+    const manifest = {
+      tunnel: {
+        plistLabel: tunnelLabel,
+        plistPath: join(LAUNCH_AGENTS_DIR, `${tunnelLabel}.plist`),
+        localPort: 33750,
+        tunnelVia: "tps-reed",
+      },
+      office: {
+        plistLabel: officeLabel,
+        plistPath: join(LAUNCH_AGENTS_DIR, `${officeLabel}.plist`),
+      },
+      installedAt: "2026-05-17T00:00:00Z",
+    };
+    writeSupervision(name, manifest, TMP_HOME);
+
+    // Verify fixtures exist
+    expect(existsSync(join(LAUNCH_AGENTS_DIR, `${tunnelLabel}.plist`))).toBe(true);
+    expect(existsSync(join(LAUNCH_AGENTS_DIR, `${officeLabel}.plist`))).toBe(true);
+    expect(supervisionExists(name, TMP_HOME)).toBe(true);
+
+    // Teardown
+    const result = teardownSupervision(name, TMP_HOME);
+    expect(result).not.toBeNull();
+    expect(result!.tunnelLabel).toBe(tunnelLabel);
+    expect(result!.officeLabel).toBe(officeLabel);
+
+    // Verify cleanup
+    expect(existsSync(join(LAUNCH_AGENTS_DIR, `${tunnelLabel}.plist`))).toBe(false);
+    expect(existsSync(join(LAUNCH_AGENTS_DIR, `${officeLabel}.plist`))).toBe(false);
+    expect(supervisionExists(name, TMP_HOME)).toBe(false);
+  });
+
+  test("returns null when no supervision manifest exists", () => {
+    const result = teardownSupervision("nonexistent", TMP_HOME);
+    expect(result).toBeNull();
+  });
+});
+
+// ---------------------------------------------------------------------------
+// 6. K&S finding 5: SSH option injection in validateSshReachable
+// ---------------------------------------------------------------------------
+
+describe("validateSshReachable", () => {
+  test("includes -- before hostname to prevent option injection", () => {
+    // We can't actually reach an SSH server in this test env,
+    // but we verify the command format by checking the error message
+    // includes the `--` terminator
+    try {
+      validateSshReachable("-oProxyCommand=evil");
+    } catch (e: any) {
+      // The error message should show `ssh -- -oProxyCommand=evil exit 0`
+      // which means -- was properly inserted before the hostname
+      expect(e.message).toContain("ssh -- -oProxyCommand=evil exit 0");
+    }
+  });
+
+  test("reports full ssh command in error for debugging", () => {
+    try {
+      validateSshReachable("nonexistent-host.local");
+    } catch (e: any) {
+      expect(e.message).toContain("ssh -- nonexistent-host.local exit 0");
+      expect(e.message).toContain("SSH reachability check failed");
+    }
+  });
+});