From d1be9ff9841684b7aefd8bb51c5ee8975c6355a7 Mon Sep 17 00:00:00 2001
From: Noley Holland <hollandnoley@gmail.com>
Date: Tue, 26 May 2026 07:42:17 -0700
Subject: [PATCH 1/2] Push live instance and device state to subscribed team
 members via MQTT/WS

---
 forge/comms/aclManager.js                     |  62 ++++-
 forge/comms/commsClient.js                    |   5 +-
 forge/comms/devices.js                        |   1 +
 forge/comms/index.js                          |  41 ++-
 forge/routes/api/device.js                    |   3 +
 forge/routes/api/project.js                   |   3 +
 frontend/src/components/DevicesBrowser.vue    |  45 +++-
 frontend/src/composables/MqttTeamChannel.js   |  91 +++++++
 frontend/src/pages/application/index.vue      |  42 ++-
 frontend/src/pages/device/index.vue           |  39 ++-
 frontend/src/pages/instance/index.vue         |  35 ++-
 .../components/compact/InstanceTile.vue       |  34 ++-
 frontend/src/pages/team/Instances.vue         |  49 +++-
 frontend/src/services/team-channel.service.ts | 121 ++++++++-
 .../src/types/services/team-channel.types.ts  |  11 +
 test/unit/forge/comms/authRoutesV2_spec.js    |  93 +++++++
 .../services/team-channel.service.spec.js     | 239 +++++++++++++++++-
 17 files changed, 882 insertions(+), 32 deletions(-)
 create mode 100644 frontend/src/composables/MqttTeamChannel.js

diff --git a/forge/comms/aclManager.js b/forge/comms/aclManager.js
index ec816e2b25..f8ffeae505 100644
--- a/forge/comms/aclManager.js
+++ b/forge/comms/aclManager.js
@@ -140,6 +140,58 @@ module.exports = function (app) {
                 return false
             }
         },
+        checkUserCanReadInstance: async function (requestParts, usernameParts) {
+            // requestParts = [ fullTopic, <teamHash>, <projectId> ]
+            // usernameParts = [ 'team-frontend', <userHash>, <teamHash>, <sessionId> ]
+            const topicTeamHash = requestParts[1]
+            const projectId = requestParts[2]
+            const usernameUserHash = usernameParts[1]
+            const usernameTeamHash = usernameParts[2]
+            if (topicTeamHash !== usernameTeamHash) {
+                return false
+            }
+            try {
+                const team = await app.db.models.Team.byId(usernameTeamHash)
+                if (!team) return false
+                const user = await app.db.models.User.byId(usernameUserHash)
+                if (!user) return false
+                const membership = await app.db.models.TeamMember.getTeamMembership(user.id, team.id, false)
+                if (!membership) return false
+                const project = await app.db.models.Project.byId(projectId)
+                if (!project || project.TeamId !== team.id) return false
+                const applicationId = app.db.models.Application.encodeHashid(project.ApplicationId)
+                return app.hasPermission(membership, 'project:read', { applicationId })
+            } catch (error) {
+                app.log.error('Unexpected error during instance-state ACL check', { requestParts, usernameParts, error })
+                return false
+            }
+        },
+        checkUserCanReadDevice: async function (requestParts, usernameParts) {
+            // requestParts = [ fullTopic, <teamHash>, <deviceId> ]
+            // usernameParts = [ 'team-frontend', <userHash>, <teamHash>, <sessionId> ]
+            const topicTeamHash = requestParts[1]
+            const deviceId = requestParts[2]
+            const usernameUserHash = usernameParts[1]
+            const usernameTeamHash = usernameParts[2]
+            if (topicTeamHash !== usernameTeamHash) {
+                return false
+            }
+            try {
+                const team = await app.db.models.Team.byId(usernameTeamHash)
+                if (!team) return false
+                const user = await app.db.models.User.byId(usernameUserHash)
+                if (!user) return false
+                const membership = await app.db.models.TeamMember.getTeamMembership(user.id, team.id, false)
+                if (!membership) return false
+                const device = await app.db.models.Device.byId(deviceId)
+                if (!device || device.TeamId !== team.id) return false
+                const applicationId = device.ApplicationId ? app.db.models.Application.encodeHashid(device.ApplicationId) : null
+                return app.hasPermission(membership, 'device:read', { applicationId })
+            } catch (error) {
+                app.log.error('Unexpected error during device-state ACL check', { requestParts, usernameParts, error })
+                return false
+            }
+        },
         checkExpertTopic: async function (topicParts, usernameParts, acl) {
             // topicParts = [ fullTopic , <userid>, <sessionid>, <entityType>, <entityId> [, <inflightType>] ]
             // usernameParts = [ 'expert-client' | 'expert-agent', <userid> [, <sessionid>] ]
@@ -320,6 +372,10 @@ module.exports = function (app) {
                 { topic: /^ff\/v1\/[^/]+\/team\/updated$/ },
                 // - ff/v1/<team>/u/<user>/membership
                 { topic: /^ff\/v1\/[^/]+\/u\/[^/]+\/membership$/ },
+                // - ff/v1/<team>/p/<project>/state
+                { topic: /^ff\/v1\/[^/]+\/p\/[^/]+\/state$/ },
+                // - ff/v1/<team>/d/<device>/state
+                { topic: /^ff\/v1\/[^/]+\/d\/[^/]+\/state$/ },
                 // ff/v1/platform/sync
                 { topic: /^ff\/v1\/platform\/sync$/ },
                 // ff/v1/platform/leader
@@ -383,7 +439,11 @@ module.exports = function (app) {
                 // - ff/v1/<team>/team/updated
                 { topic: /^ff\/v1\/([^/]+)\/team\/updated$/, verify: 'checkUserIsTeamMember' },
                 // - ff/v1/<team>/u/<user>/membership
-                { topic: /^ff\/v1\/([^/]+)\/u\/([^/]+)\/membership$/, verify: 'checkUserIsTeamMember' }
+                { topic: /^ff\/v1\/([^/]+)\/u\/([^/]+)\/membership$/, verify: 'checkUserIsTeamMember' },
+                // - ff/v1/<team>/p/<project>/state
+                { topic: /^ff\/v1\/([^/]+)\/p\/([^/]+)\/state$/, verify: 'checkUserCanReadInstance' },
+                // - ff/v1/<team>/d/<device>/state
+                { topic: /^ff\/v1\/([^/]+)\/d\/([^/]+)\/state$/, verify: 'checkUserCanReadDevice' }
             ],
             pub: []
         },
diff --git a/forge/comms/commsClient.js b/forge/comms/commsClient.js
index a5922cc24a..02bd6b9138 100644
--- a/forge/comms/commsClient.js
+++ b/forge/comms/commsClient.js
@@ -47,17 +47,20 @@ class CommsClient extends EventEmitter {
             })
             this.client.on('message', (topic, message) => {
                 const topicParts = topic.split('/')
+                const teamId = topicParts[2]
                 const ownerType = topicParts[3]
                 const ownerId = topicParts[4]
                 const messageType = topicParts[5]
-                if (ownerType === 'p') {
+                if (ownerType === 'l' && messageType === 'status') {
                     this.emit('status/project', {
+                        teamId,
                         id: ownerId,
                         status: message.toString()
                     })
                 } else if (ownerType === 'd') {
                     if (messageType === 'status') {
                         this.emit('status/device', {
+                            teamId,
                             id: ownerId,
                             status: message.toString()
                         })
diff --git a/forge/comms/devices.js b/forge/comms/devices.js
index ab85b6d9cc..54867ac852 100644
--- a/forge/comms/devices.js
+++ b/forge/comms/devices.js
@@ -123,6 +123,7 @@ class DeviceCommsHandler {
             try {
                 const payload = JSON.parse(status.status)
                 await this.app.db.controllers.Device.updateState(device, payload)
+                this.app.comms?.team?.publishDeviceState(teamId, deviceId, payload)
 
                 if (payload === null) {
                     // This device is busy updating - don't interrupt it
diff --git a/forge/comms/index.js b/forge/comms/index.js
index 4cb7bf79c5..2df9934020 100644
--- a/forge/comms/index.js
+++ b/forge/comms/index.js
@@ -31,11 +31,36 @@ module.exports = fp(async function (app, _opts) {
         // Create the handler for any device-related messages
         const deviceCommsHandler = DeviceCommsHandler(app, client)
 
-        // Not in the current release, but when we handle Launcher status
-        // via MQTT, it will arrive here. Compare to the status/device handler in `devices.js`
-        // client.on('status/project', (status) => {
-        //     // console.info(status)
-        // })
+        function publishInstanceState (teamHash, instanceId, meta) {
+            if (!teamHash || !instanceId) return
+            const msg = { id: instanceId, meta: meta || null, ts: Date.now() }
+            client.publish(`ff/v1/${teamHash}/p/${instanceId}/state`, JSON.stringify(msg), { retain: true })
+        }
+        function publishDeviceState (teamHash, deviceId, meta) {
+            if (!teamHash || !deviceId) return
+            const msg = { id: deviceId, meta: meta || null, ts: Date.now() }
+            client.publish(`ff/v1/${teamHash}/d/${deviceId}/state`, JSON.stringify(msg), { retain: true })
+        }
+        // empty + retain:true clears the broker's retained message
+        function clearInstanceState (teamHash, instanceId) {
+            if (!teamHash || !instanceId) return
+            client.publish(`ff/v1/${teamHash}/p/${instanceId}/state`, '', { retain: true })
+        }
+        function clearDeviceState (teamHash, deviceId) {
+            if (!teamHash || !deviceId) return
+            client.publish(`ff/v1/${teamHash}/d/${deviceId}/state`, '', { retain: true })
+        }
+
+        client.on('status/project', (status) => {
+            try {
+                const meta = status.status ? JSON.parse(status.status) : null
+                publishInstanceState(status.teamId, status.id, meta)
+            } catch (err) {
+                if (!(err instanceof SyntaxError)) {
+                    app.log.error({ msg: 'Failed to relay instance state', project: status.id, team: status.teamId, err: err.message })
+                }
+            }
+        })
 
         // Setup the platform API for the comms component
         app.decorate('comms', {
@@ -71,7 +96,11 @@ module.exports = fp(async function (app, _opts) {
                     if (!teamHash || !userHash) return
                     const msg = { reason: reason || null, srcId: srcId || null }
                     client.publish(`ff/v1/${teamHash}/u/${userHash}/membership`, JSON.stringify(msg))
-                }
+                },
+                publishInstanceState,
+                publishDeviceState,
+                clearInstanceState,
+                clearDeviceState
             }
         })
 
diff --git a/forge/routes/api/device.js b/forge/routes/api/device.js
index a9167e422d..3cc74c2075 100644
--- a/forge/routes/api/device.js
+++ b/forge/routes/api/device.js
@@ -427,7 +427,10 @@ module.exports = async function (app) {
                     { model: app.db.models.TeamType }
                 ]
             })
+            const teamHash = team.hashid
+            const deviceHash = request.device.hashid
             await request.device.destroy()
+            app.comms?.team?.clearDeviceState(teamHash, deviceHash)
             await app.auditLog.Team.team.device.deleted(request.session.User, null, team, request.device)
             if (app.license.active() && app.billing) {
                 await app.billing.updateTeamBillingCounts(team)
diff --git a/forge/routes/api/project.js b/forge/routes/api/project.js
index 6af261ce62..493ab05025 100644
--- a/forge/routes/api/project.js
+++ b/forge/routes/api/project.js
@@ -280,7 +280,10 @@ module.exports = async function (app) {
                 })
             }
 
+            const teamHash = request.project.Team.hashid
+            const instanceId = request.project.id
             await request.project.destroy()
+            app.comms?.team?.clearInstanceState(teamHash, instanceId)
             await app.auditLog.Team.project.deleted(request.session.User, null, request.project.Team, request.project)
             await app.auditLog.Project.project.deleted(request.session.User, null, request.project.Team, request.project)
             reply.send({ status: 'okay' })
diff --git a/frontend/src/components/DevicesBrowser.vue b/frontend/src/components/DevicesBrowser.vue
index 6e44c23e60..5afdf20835 100644
--- a/frontend/src/components/DevicesBrowser.vue
+++ b/frontend/src/components/DevicesBrowser.vue
@@ -352,6 +352,7 @@ import { markRaw } from 'vue'
 import deviceApi from '../api/devices.js'
 import teamApi from '../api/team.js'
 import DropdownMenu from '../components/DropdownMenu.vue'
+import { useMqttAvailability, useMqttResourceList } from '../composables/MqttTeamChannel.js'
 import usePermissions from '../composables/Permissions.js'
 import { getTeamProperty } from '../composables/TeamProperties.js'
 import deviceActionsMixin from '../mixins/DeviceActions.js'
@@ -429,8 +430,16 @@ export default {
     emits: ['instance-updated'],
     setup () {
         const { hasPermission } = usePermissions()
+        const { mqttAvailable, resolveMqttAvailability } = useMqttAvailability()
+        const { syncMqttSubscriptions, teardownMqttSubscriptions } = useMqttResourceList('device')
 
-        return { hasPermission }
+        return {
+            hasPermission,
+            mqttAvailable,
+            resolveMqttAvailability,
+            syncMqttSubscriptions,
+            teardownMqttSubscriptions
+        }
     },
     data () {
         return {
@@ -607,12 +616,18 @@ export default {
             }
         }
     },
-    mounted () {
+    async mounted () {
+        await this.resolveMqttAvailability()
         this.fullReloadOfData()
-        this.pollTimer = createPollTimer(this.pollTimerElapsed, POLL_TIME) // auto starts
+        if (!this.mqttAvailable) {
+            this.pollTimer = createPollTimer(this.pollTimerElapsed, POLL_TIME) // auto starts
+        }
     },
     async unmounted () {
-        this.pollTimer.stop()
+        if (this.pollTimer) {
+            this.pollTimer.stop()
+        }
+        this.teardownMqttSubscriptions()
         if (this.deviceCountDeltaSincePageLoad !== 0) {
             // Trigger a refresh of team info to resync following device
             // changes
@@ -854,6 +869,11 @@ export default {
         fullReloadOfData () {
             this.checkedDevices = []
             this.loadDevices(true)
+                .then(() => {
+                    this.resyncMqtt()
+                    return undefined
+                })
+                .catch(() => undefined)
             this.pollForDeviceStatuses(true)
         },
 
@@ -865,6 +885,7 @@ export default {
 
         async loadMoreDevices () {
             await this.fetchDevices()
+            this.resyncMqtt()
         },
 
         async pollForDeviceStatuses (reset) {
@@ -873,6 +894,22 @@ export default {
             }
         },
 
+        resyncMqtt () {
+            this.syncMqttSubscriptions(this.devices.keys(), this.mqttAvailable, this.onMqttDeviceState)
+        },
+        onMqttDeviceState (id, payload) {
+            const meta = (payload && payload.meta) || {}
+            const existing = this.allDeviceStatuses.get(id) || { id }
+            this.allDeviceStatuses.set(id, {
+                ...existing,
+                id,
+                status: meta.state || existing.status,
+                mode: meta.mode || existing.mode,
+                lastSeenAt: new Date().toISOString(),
+                lastSeenMs: 0
+            })
+        },
+
         async fetchDevices (resetPage = false) {
             if (resetPage) {
                 this.nextCursor = null
diff --git a/frontend/src/composables/MqttTeamChannel.js b/frontend/src/composables/MqttTeamChannel.js
new file mode 100644
index 0000000000..9d1a4850ac
--- /dev/null
+++ b/frontend/src/composables/MqttTeamChannel.js
@@ -0,0 +1,91 @@
+import { inject, ref } from 'vue'
+
+export function useMqttAvailability () {
+    const services = inject('$services', null)
+    const mqttAvailable = ref(false)
+
+    async function resolveMqttAvailability () {
+        const teamChannel = services?.teamChannel
+        if (!teamChannel) {
+            mqttAvailable.value = false
+            return false
+        }
+        try {
+            mqttAvailable.value = await teamChannel.ready()
+        } catch {
+            mqttAvailable.value = false
+        }
+        return mqttAvailable.value
+    }
+
+    return { mqttAvailable, resolveMqttAvailability }
+}
+
+function subscribeFor (teamChannel, kind, id, onPayload) {
+    return kind === 'instance'
+        ? teamChannel.subscribeInstance(id, onPayload)
+        : teamChannel.subscribeDevice(id, onPayload)
+}
+
+export function useMqttResourceSubscription (kind) {
+    const services = inject('$services', null)
+    let unsubscriber = null
+
+    function setupMqttSubscription (id, onPayload) {
+        teardownMqttSubscription()
+        if (!id || typeof onPayload !== 'function') return
+        const teamChannel = services?.teamChannel
+        if (!teamChannel) return
+        unsubscriber = subscribeFor(teamChannel, kind, id, onPayload)
+    }
+
+    function teardownMqttSubscription () {
+        if (!unsubscriber) return
+        try { unsubscriber() } catch {}
+        unsubscriber = null
+    }
+
+    return { setupMqttSubscription, teardownMqttSubscription }
+}
+
+export function useMqttResourceList (kind) {
+    const services = inject('$services', null)
+    const unsubscribers = new Map()
+
+    function syncMqttSubscriptions (visibleIds, available, onPayload) {
+        if (!available) {
+            teardownMqttSubscriptions()
+            return
+        }
+        const teamChannel = services?.teamChannel
+        if (!teamChannel) return
+        const visible = new Set(visibleIds)
+        for (const [id, unsub] of unsubscribers) {
+            if (!visible.has(id)) {
+                try { unsub() } catch {}
+                unsubscribers.delete(id)
+            }
+        }
+        for (const id of visible) {
+            if (!unsubscribers.has(id)) {
+                unsubscribers.set(id, subscribeFor(teamChannel, kind, id, (payload) => onPayload(id, payload)))
+            }
+        }
+    }
+
+    function dropMqttSubscription (id) {
+        const unsub = unsubscribers.get(id)
+        if (!unsub) return
+        try { unsub() } catch {}
+        unsubscribers.delete(id)
+    }
+
+    function teardownMqttSubscriptions () {
+        for (const unsub of unsubscribers.values()) {
+            try { unsub() } catch {}
+        }
+        unsubscribers.clear()
+    }
+
+    return { syncMqttSubscriptions, dropMqttSubscription, teardownMqttSubscriptions }
+}
diff --git a/frontend/src/pages/application/index.vue b/frontend/src/pages/application/index.vue
index 9d63f3eb0b..3100a47b72 100644
--- a/frontend/src/pages/application/index.vue
+++ b/frontend/src/pages/application/index.vue
@@ -25,7 +25,9 @@
                 @instance-delete="instanceShowConfirmDelete"
             />
 
-            <InstanceStatusPolling v-for="instance in instancesArray" :key="instance.id" :instance="instance" @instance-updated="instanceUpdated" />
+            <template v-if="!mqttAvailable">
+                <InstanceStatusPolling v-for="instance in instancesArray" :key="instance.id" :instance="instance" @instance-updated="instanceUpdated" />
+            </template>
         </div>
     </main>
 </template>
@@ -34,6 +36,7 @@
 import { mapState } from 'pinia'
 
 import InstanceStatusPolling from '../../components/InstanceStatusPolling.vue'
+import { useMqttAvailability, useMqttResourceList } from '../../composables/MqttTeamChannel.js'
 import usePermissions from '../../composables/Permissions.js'
 
 import applicationMixin from '../../mixins/Application.js'
@@ -56,8 +59,17 @@ export default {
     mixins: [applicationMixin, instanceActionsMixin],
     setup () {
         const { hasPermission, isVisitingAdmin } = usePermissions()
+        const { mqttAvailable, resolveMqttAvailability } = useMqttAvailability()
+        const { syncMqttSubscriptions, teardownMqttSubscriptions } = useMqttResourceList('instance')
 
-        return { hasPermission, isVisitingAdmin }
+        return {
+            hasPermission,
+            isVisitingAdmin,
+            mqttAvailable,
+            resolveMqttAvailability,
+            syncMqttSubscriptions,
+            teardownMqttSubscriptions
+        }
     },
     computed: {
         ...mapState(useContextStore, ['team']),
@@ -133,6 +145,32 @@ export default {
         '$route.params': {
             handler: 'updateApplication',
             immediate: true
+        },
+        instancesArray: 'resyncMqtt'
+    },
+    async mounted () {
+        await this.resolveMqttAvailability()
+        this.resyncMqtt()
+    },
+    beforeUnmount () {
+        this.teardownMqttSubscriptions()
+    },
+    methods: {
+        resyncMqtt () {
+            this.syncMqttSubscriptions(
+                this.applicationInstances?.keys?.() || [],
+                this.mqttAvailable,
+                this.onMqttStateMessage
+            )
+        },
+        onMqttStateMessage (id, payload) {
+            const current = this.applicationInstances.get(id)
+            if (!current) return
+            const meta = (payload && payload.meta) || {}
+            this.applicationInstances.set(id, {
+                ...current,
+                meta: { ...(current.meta || {}), ...meta }
+            })
         }
     }
 }
diff --git a/frontend/src/pages/device/index.vue b/frontend/src/pages/device/index.vue
index 45d549131e..6b881f15d7 100644
--- a/frontend/src/pages/device/index.vue
+++ b/frontend/src/pages/device/index.vue
@@ -146,6 +146,7 @@ import SectionNavigationHeader from '../../components/SectionNavigationHeader.vu
 import StatusBadge from '../../components/StatusBadge.vue'
 import SubscriptionExpiredBanner from '../../components/banners/SubscriptionExpired.vue'
 import TeamTrialBanner from '../../components/banners/TeamTrial.vue'
+import { useMqttAvailability, useMqttResourceSubscription } from '../../composables/MqttTeamChannel.js'
 import { useNavigationHelper } from '../../composables/NavigationHelper.js'
 import usePermissions from '../../composables/Permissions.js'
 import deviceActionsMixin from '../../mixins/DeviceActions.js'
@@ -207,8 +208,19 @@ export default {
     setup () {
         const { hasPermission, isVisitingAdmin } = usePermissions()
         const { navigateTo, openInANewTab } = useNavigationHelper()
+        const { mqttAvailable, resolveMqttAvailability } = useMqttAvailability()
+        const { setupMqttSubscription, teardownMqttSubscription } = useMqttResourceSubscription('device')
 
-        return { hasPermission, isVisitingAdmin, navigateTo, openInANewTab }
+        return {
+            hasPermission,
+            isVisitingAdmin,
+            navigateTo,
+            openInANewTab,
+            mqttAvailable,
+            resolveMqttAvailability,
+            setupMqttSubscription,
+            teardownMqttSubscription
+        }
     },
     data: function () {
         return {
@@ -363,15 +375,22 @@ export default {
         }
     },
     watch: {
-        device: 'deviceChanged'
+        device: 'deviceChanged',
+        'device.id': function (newId, oldId) {
+            if (newId === oldId) return
+            this.refreshMqttSubscription()
+        }
     },
     async mounted () {
         this.mounted = true
+        await this.resolveMqttAvailability()
         await this.loadDevice()
         this.setContextualDevice(this.device)
+        this.refreshMqttSubscription()
     },
     beforeUnmount () {
         this.setContextualDevice(null)
+        this.teardownMqttSubscription()
     },
     unmounted () {
         this.pollTimer?.stop()
@@ -410,7 +429,7 @@ export default {
                     return this.$router.push({ name: 'Home' })
                 }
             }
-            if (!this.pollTimer) {
+            if (!this.pollTimer && !this.mqttAvailable) {
                 this.pollTimer = createPollTimer(this.pollTimerElapsed, POLL_TIME)
             }
 
@@ -573,6 +592,20 @@ export default {
         deviceChanged () {
             this.deviceStateMutator = new DeviceStateMutator(this.device)
         },
+        refreshMqttSubscription () {
+            if (!this.mqttAvailable) return
+            this.setupMqttSubscription(this.device?.id, (payload) => this.onMqttDeviceState(payload))
+        },
+        onMqttDeviceState (payload) {
+            const meta = (payload && payload.meta) || {}
+            if (!this.device) return
+            const next = { ...this.device }
+            if (meta.state !== undefined) next.status = meta.state
+            if (meta.mode !== undefined) next.mode = meta.mode
+            next.lastSeenAt = new Date().toISOString()
+            this.device = next
+            this.deviceStateMutator?.clearState()
+        },
         showConfirmDeleteDialog () {
             Dialog.show({
                 header: 'Delete Device',
diff --git a/frontend/src/pages/instance/index.vue b/frontend/src/pages/instance/index.vue
index 82e1e25491..b736bee60d 100644
--- a/frontend/src/pages/instance/index.vue
+++ b/frontend/src/pages/instance/index.vue
@@ -70,7 +70,7 @@
             />
         </div>
 
-        <InstanceStatusPolling :instance="instance" @instance-updated="instanceUpdated" />
+        <InstanceStatusPolling v-if="!mqttAvailable" :instance="instance" @instance-updated="instanceUpdated" />
     </ff-page>
 </template>
 
@@ -84,6 +84,7 @@ import StatusBadge from '../../components/StatusBadge.vue'
 import SubscriptionExpiredBanner from '../../components/banners/SubscriptionExpired.vue'
 import TeamTrialBanner from '../../components/banners/TeamTrial.vue'
 import InstanceActionsButton from '../../components/instance/ActionButton.vue'
+import { useMqttAvailability, useMqttResourceSubscription } from '../../composables/MqttTeamChannel.js'
 import usePermissions from '../../composables/Permissions.js'
 
 import instanceMixin from '../../mixins/Instance.js'
@@ -113,10 +114,16 @@ export default {
     mixins: [instanceMixin],
     setup () {
         const { hasPermission, isVisitingAdmin } = usePermissions()
+        const { mqttAvailable, resolveMqttAvailability } = useMqttAvailability()
+        const { setupMqttSubscription, teardownMqttSubscription } = useMqttResourceSubscription('instance')
 
         return {
             hasPermission,
-            isVisitingAdmin
+            isVisitingAdmin,
+            mqttAvailable,
+            resolveMqttAvailability,
+            setupMqttSubscription,
+            teardownMqttSubscription
         }
     },
     data: function () {
@@ -175,8 +182,30 @@ export default {
             return null
         }
     },
-    mounted () {
+    watch: {
+        'instance.id': function (newId, oldId) {
+            if (newId === oldId) return
+            this.refreshMqttSubscription()
+        }
+    },
+    async mounted () {
         this.mounted = true
+        await this.resolveMqttAvailability()
+        this.refreshMqttSubscription()
+    },
+    beforeUnmount () {
+        this.teardownMqttSubscription()
+    },
+    methods: {
+        refreshMqttSubscription () {
+            if (!this.mqttAvailable) return
+            this.setupMqttSubscription(this.instance?.id, (payload) => this.onMqttInstanceState(payload))
+        },
+        onMqttInstanceState (payload) {
+            const meta = payload && payload.meta
+            if (!meta) return
+            this.instanceUpdated({ meta })
+        }
     }
 }
 </script>
diff --git a/frontend/src/pages/team/Applications/components/compact/InstanceTile.vue b/frontend/src/pages/team/Applications/components/compact/InstanceTile.vue
index 6c3ecc9e1f..3ec824f33b 100644
--- a/frontend/src/pages/team/Applications/components/compact/InstanceTile.vue
+++ b/frontend/src/pages/team/Applications/components/compact/InstanceTile.vue
@@ -82,7 +82,7 @@
             </ff-kebab-menu>
         </div>
     </div>
-    <InstanceStatusPolling :instance="localInstance" @instance-updated="instanceUpdated" />
+    <InstanceStatusPolling v-if="!mqttAvailable" :instance="localInstance" @instance-updated="instanceUpdated" />
 </template>
 
 <script>
@@ -90,6 +90,7 @@ import { mapState } from 'pinia'
 
 import InstanceStatusPolling from '../../../../../components/InstanceStatusPolling.vue'
 import TextCopier from '../../../../../components/TextCopier.vue'
+import { useMqttAvailability, useMqttResourceSubscription } from '../../../../../composables/MqttTeamChannel.js'
 import { useNavigationHelper } from '../../../../../composables/NavigationHelper.js'
 import usePermissions from '../../../../../composables/Permissions.js'
 import AuditMixin from '../../../../../mixins/Audit.js'
@@ -134,8 +135,17 @@ export default {
     setup () {
         const { hasPermission } = usePermissions()
         const { openInANewTab } = useNavigationHelper()
+        const { mqttAvailable, resolveMqttAvailability } = useMqttAvailability()
+        const { setupMqttSubscription, teardownMqttSubscription } = useMqttResourceSubscription('instance')
 
-        return { hasPermission, openInANewTab }
+        return {
+            hasPermission,
+            openInANewTab,
+            mqttAvailable,
+            resolveMqttAvailability,
+            setupMqttSubscription,
+            teardownMqttSubscription
+        }
     },
     data () {
         return {
@@ -166,8 +176,19 @@ export default {
     watch: {
         instance (newValue) {
             this.instanceUpdated(newValue)
+        },
+        'localInstance.id': function (newId, oldId) {
+            if (newId === oldId) return
+            this.refreshMqttSubscription()
         }
     },
+    async mounted () {
+        await this.resolveMqttAvailability()
+        this.refreshMqttSubscription()
+    },
+    beforeUnmount () {
+        this.teardownMqttSubscription()
+    },
     methods: {
         navigateToInstance () {
             this.$router.push({ name: 'Instance', params: { id: this.localInstance.id } })
@@ -182,6 +203,15 @@ export default {
             mutator.clearState()
 
             this.localInstance = { ...this.localInstance, ...instanceData }
+        },
+        refreshMqttSubscription () {
+            if (!this.mqttAvailable) return
+            this.setupMqttSubscription(this.localInstance?.id, (payload) => this.onMqttStateMessage(payload))
+        },
+        onMqttStateMessage (payload) {
+            const meta = payload && payload.meta
+            if (!meta) return
+            this.instanceUpdated({ meta })
         }
     }
 }
diff --git a/frontend/src/pages/team/Instances.vue b/frontend/src/pages/team/Instances.vue
index eec4bf6ad1..b167caff56 100644
--- a/frontend/src/pages/team/Instances.vue
+++ b/frontend/src/pages/team/Instances.vue
@@ -151,7 +151,9 @@
                 </EmptyState>
             </template>
         </div>
-        <InstanceStatusPolling v-for="instance in instances" :key="instance.id" :instance="instance" @instance-updated="instanceUpdated" />
+        <template v-if="!mqttAvailable">
+            <InstanceStatusPolling v-for="instance in instances" :key="instance.id" :instance="instance" @instance-updated="instanceUpdated" />
+        </template>
         <ConfirmInstanceDeleteDialog ref="confirmInstanceDeleteDialog" @confirm="onInstanceDeleted" />
     </ff-page>
 </template>
@@ -167,6 +169,7 @@ import EmptyState from '../../components/EmptyState.vue'
 import InstanceStatusPolling from '../../components/InstanceStatusPolling.vue'
 import FeatureUnavailableToTeam from '../../components/banners/FeatureUnavailableToTeam.vue'
 import { useInstanceStates } from '../../composables/InstanceStates.js'
+import { useMqttAvailability, useMqttResourceList } from '../../composables/MqttTeamChannel.js'
 import { useNavigationHelper } from '../../composables/NavigationHelper.js'
 import usePermissions from '../../composables/Permissions.js'
 import instanceActionsMixin from '../../mixins/InstanceActions.js'
@@ -205,8 +208,19 @@ export default {
         const { isRunningState } = useInstanceStates()
         const { navigateTo } = useNavigationHelper()
         const { hasPermission } = usePermissions()
+        const { mqttAvailable, resolveMqttAvailability } = useMqttAvailability()
+        const { syncMqttSubscriptions, dropMqttSubscription, teardownMqttSubscriptions } = useMqttResourceList('instance')
 
-        return { hasPermission, isRunningState, navigateTo }
+        return {
+            hasPermission,
+            isRunningState,
+            navigateTo,
+            mqttAvailable,
+            resolveMqttAvailability,
+            syncMqttSubscriptions,
+            dropMqttSubscription,
+            teardownMqttSubscriptions
+        }
     },
     data () {
         return {
@@ -268,12 +282,21 @@ export default {
         }
     },
     watch: {
-        team: 'fetchData'
+        team: 'onTeamChanged'
     },
-    mounted () {
+    async mounted () {
+        await this.resolveMqttAvailability()
         this.fetchData()
     },
+    unmounted () {
+        this.teardownMqttSubscriptions()
+    },
     methods: {
+        async onTeamChanged () {
+            this.teardownMqttSubscriptions()
+            await this.resolveMqttAvailability()
+            this.fetchData()
+        },
         fetchData: async function () {
             this.loading = true
             let promise
@@ -296,14 +319,13 @@ export default {
                             instance.hideContextMenu = !(instance.canDelete || instance.canChangeStatus)
                             this.instancesMap.set(instance.id, instance)
                         })
+                        this.syncMqttSubscriptions(this.instancesMap.keys(), this.mqttAvailable, this.onMqttStateMessage)
                     })
                     .then(() => this.getInstanceMeta())
                     .catch(e => e)
                     .finally(() => {
                         this.loading = false
                     })
-
-                this.getInstanceMeta()
             } else {
                 this.loading = false
             }
@@ -324,6 +346,20 @@ export default {
                     }))
             })
         },
+        onMqttStateMessage (id, payload) {
+            const current = this.instancesMap.get(id)
+            if (!current) return
+            const meta = (payload && payload.meta) || {}
+            const merged = {
+                ...current,
+                meta: { ...(current.meta || {}), ...meta },
+                running: this.isRunningState(meta.state),
+                notSuspended: meta.state !== 'suspended',
+                pendingStateChange: false,
+                optimisticStateChange: false
+            }
+            this.instancesMap.set(id, merged)
+        },
         openInstance (instance, event) {
             this.navigateTo({
                 name: 'Instance',
@@ -344,6 +380,7 @@ export default {
         },
         onInstanceDeleted (instance) {
             if (this.instancesMap.has(instance.id)) {
+                this.dropMqttSubscription(instance.id)
                 this.instancesMap.delete(instance.id)
             }
         }
diff --git a/frontend/src/services/team-channel.service.ts b/frontend/src/services/team-channel.service.ts
index bd1a05e227..0c8bf3d809 100644
--- a/frontend/src/services/team-channel.service.ts
+++ b/frontend/src/services/team-channel.service.ts
@@ -7,17 +7,33 @@ import { useAccountAuthStore } from '@/stores/account-auth.js'
 import { useContextStore } from '@/stores/context.js'
 import { Maybe } from '@/types/common/types'
 import type { CreateServiceOptions } from '@/types/services/service.types'
-import type { TeamChannelServiceI, TeamRef } from '@/types/services/team-channel.types'
+import type {
+    StatusCallback,
+    StatusPayload,
+    TeamChannelServiceI,
+    TeamRef
+} from '@/types/services/team-channel.types'
 
 const MEMBERSHIP_TOPIC_REGEX = /^ff\/v1\/[^/]+\/u\/([^/]+)\/membership$/
+const INSTANCE_STATE_TOPIC_REGEX = /^ff\/v1\/[^/]+\/p\/([^/]+)\/state$/
+const DEVICE_STATE_TOPIC_REGEX = /^ff\/v1\/[^/]+\/d\/([^/]+)\/state$/
+
+type ResourceKind = 'p' | 'd'
 
 function connectionKey (teamId: string): string {
     return `team:${teamId}`
 }
 
+function stateTopic (teamId: string, kind: ResourceKind, id: string): string {
+    return `ff/v1/${teamId}/${kind}/${id}/state`
+}
+
 class TeamChannelService extends BaseService implements TeamChannelServiceI {
     protected $sessionId: Maybe<string> = null
     protected $connectedTeamId: Maybe<string> = null
+    protected $pendingConnect: Maybe<Promise<void>> = null
+    protected $instanceListeners: Map<string, Set<StatusCallback>> = new Map()
+    protected $deviceListeners: Map<string, Set<StatusCallback>> = new Map()
 
     constructor ({ app, router, services }: CreateServiceOptions) {
         super({
@@ -39,7 +55,27 @@ class TeamChannelService extends BaseService implements TeamChannelServiceI {
         return this.$connectedTeamId !== null
     }
 
+    // Awaits any in-flight connect so callers don't race the initial setTeam handshake.
+    async ready (): Promise<boolean> {
+        while (this.$pendingConnect) {
+            try { await this.$pendingConnect } catch {}
+        }
+        return this.isConnected()
+    }
+
     async connect (team: Maybe<TeamRef>): Promise<void> {
+        const promise = this._doConnect(team)
+        this.$pendingConnect = promise
+        try {
+            await promise
+        } finally {
+            if (this.$pendingConnect === promise) {
+                this.$pendingConnect = null
+            }
+        }
+    }
+
+    protected async _doConnect (team: Maybe<TeamRef>): Promise<void> {
         if (!team?.id || typeof team.id !== 'string' || team.id.length === 0) return
         const authStore = useAccountAuthStore()
         const userId = authStore.user?.id
@@ -72,11 +108,67 @@ class TeamChannelService extends BaseService implements TeamChannelServiceI {
         }
     }
 
+    subscribeInstance (id: string, cb: StatusCallback): () => void {
+        return this._subscribeResource('p', id, cb, this.$instanceListeners)
+    }
+
+    subscribeDevice (id: string, cb: StatusCallback): () => void {
+        return this._subscribeResource('d', id, cb, this.$deviceListeners)
+    }
+
+    protected _subscribeResource (
+        kind: ResourceKind,
+        id: string,
+        cb: StatusCallback,
+        map: Map<string, Set<StatusCallback>>
+    ): () => void {
+        if (!id || typeof cb !== 'function') return () => {}
+        const teamId = this.$connectedTeamId
+        if (!teamId) return () => {}
+
+        let set = map.get(id)
+        const firstListener = !set
+        if (!set) {
+            set = new Set()
+            map.set(id, set)
+        }
+        set.add(cb)
+
+        if (firstListener) {
+            const mqtt = this.$services?.mqtt
+            // mqtt.service replays subscriptions on reconnect — no explicit retry needed.
+            mqtt?.subscribe(connectionKey(teamId), stateTopic(teamId, kind, id), { qos: 1 })
+                .catch(() => undefined)
+        }
+
+        return () => this._unsubscribeResource(kind, id, cb, map)
+    }
+
+    protected _unsubscribeResource (
+        kind: ResourceKind,
+        id: string,
+        cb: StatusCallback,
+        map: Map<string, Set<StatusCallback>>
+    ): void {
+        const set = map.get(id)
+        if (!set) return
+        set.delete(cb)
+        if (set.size > 0) return
+        map.delete(id)
+        const teamId = this.$connectedTeamId
+        if (!teamId) return
+        const mqtt = this.$services?.mqtt
+        mqtt?.unsubscribe(connectionKey(teamId), stateTopic(teamId, kind, id))
+            .catch(() => undefined)
+    }
+
     async disconnect (): Promise<void> {
         if (!this.$connectedTeamId) return
         const mqtt = this.$services?.mqtt
         const key = connectionKey(this.$connectedTeamId)
         this.$connectedTeamId = null
+        this.$instanceListeners.clear()
+        this.$deviceListeners.clear()
         if (!mqtt) return
         try {
             await mqtt.destroyClient(key)
@@ -122,7 +214,7 @@ class TeamChannelService extends BaseService implements TeamChannelServiceI {
     }
 
     protected _onMqttMessage (topic: string, message: Buffer | Uint8Array | string): void {
-        let payload: { reason?: string } = {}
+        let payload: Record<string, unknown> = {}
         try {
             const raw = typeof message === 'string'
                 ? message
@@ -134,11 +226,34 @@ class TeamChannelService extends BaseService implements TeamChannelServiceI {
 
         const membershipMatch = MEMBERSHIP_TOPIC_REGEX.exec(topic)
         if (membershipMatch) {
-            this._handleMembership(payload)
+            this._handleMembership(payload as { reason?: string })
             return
         }
         if (topic.endsWith('/team/updated')) {
             this._handleTeamUpdated()
+            return
+        }
+        const instanceMatch = INSTANCE_STATE_TOPIC_REGEX.exec(topic)
+        if (instanceMatch) {
+            this._dispatchStatus(this.$instanceListeners, instanceMatch[1], payload as StatusPayload)
+            return
+        }
+        const deviceMatch = DEVICE_STATE_TOPIC_REGEX.exec(topic)
+        if (deviceMatch) {
+            this._dispatchStatus(this.$deviceListeners, deviceMatch[1], payload as StatusPayload)
+        }
+    }
+
+    protected _dispatchStatus (
+        map: Map<string, Set<StatusCallback>>,
+        id: string,
+        payload: StatusPayload
+    ): void {
+        const set = map.get(id)
+        if (!set) return
+        // Snapshot so a listener that unsubscribes during dispatch doesn't mutate the iterator.
+        for (const cb of Array.from(set)) {
+            try { cb(payload) } catch {}
         }
     }
 
diff --git a/frontend/src/types/services/team-channel.types.ts b/frontend/src/types/services/team-channel.types.ts
index 5201e1a88a..b3c72984c7 100644
--- a/frontend/src/types/services/team-channel.types.ts
+++ b/frontend/src/types/services/team-channel.types.ts
@@ -4,10 +4,21 @@ export interface TeamRef {
     id: string
 }
 
+export interface StatusPayload {
+    id?: string
+    meta?: Record<string, unknown> | null
+    ts?: number
+}
+
+export type StatusCallback = (payload: StatusPayload) => void
+
 export interface TeamChannelServiceI extends AppService {
     connect(team: TeamRef | null | undefined): Promise<void>
     disconnect(): Promise<void>
     destroy(): Promise<void>
     isConnected(): boolean
+    ready(): Promise<boolean>
     getSessionId(): string
+    subscribeInstance(id: string, cb: StatusCallback): () => void
+    subscribeDevice(id: string, cb: StatusCallback): () => void
 }
diff --git a/test/unit/forge/comms/authRoutesV2_spec.js b/test/unit/forge/comms/authRoutesV2_spec.js
index 1c4df923bb..a08d779e8a 100644
--- a/test/unit/forge/comms/authRoutesV2_spec.js
+++ b/test/unit/forge/comms/authRoutesV2_spec.js
@@ -1324,15 +1324,24 @@ describe('Broker Auth v2 API', async function () {
             let membershipTopic
             let otherTeam
             let bob
+            let deviceInATeam
+            let projectInOtherTeam
+            let instanceStateTopic
+            let deviceStateTopic
 
             before(async function () {
                 await setupCE()
                 bob = await factory.createUser({ username: 'bob', name: 'Bob', email: 'bob@example.com', password: 'bbPassword1!' })
                 await TestObjects.ATeam.addUser(bob, { through: { role: Roles.Member } })
                 otherTeam = await factory.createTeam({ name: 'BTeam' })
+                deviceInATeam = await factory.createDevice({ name: 'team-frontend-device', type: 'test device' }, TestObjects.ATeam, null, null)
+                projectInOtherTeam = await app.db.models.Project.create({ name: 'project-in-other-team', type: '', url: '' })
+                await otherTeam.addProject(projectInOtherTeam)
                 teamFrontendUsername = `team-frontend:${TestObjects.alice.hashid}:${TestObjects.ATeam.hashid}:session-1234567890`
                 teamUpdatedTopic = `ff/v1/${TestObjects.ATeam.hashid}/team/updated`
                 membershipTopic = `ff/v1/${TestObjects.ATeam.hashid}/u/${TestObjects.alice.hashid}/membership`
+                instanceStateTopic = `ff/v1/${TestObjects.ATeam.hashid}/p/${TestObjects.ProjectA.id}/state`
+                deviceStateTopic = `ff/v1/${TestObjects.ATeam.hashid}/d/${deviceInATeam.hashid}/state`
             })
 
             after(async function () {
@@ -1388,6 +1397,90 @@ describe('Broker Auth v2 API', async function () {
                     topic: membershipTopic
                 })
             })
+
+            it('allows a team member to subscribe to an instance-state topic for a project in their team', async function () {
+                await allowRead({
+                    username: teamFrontendUsername,
+                    topic: instanceStateTopic
+                })
+            })
+            it('denies subscribe when the instance-state topic team-hash mismatches the credential', async function () {
+                await denyRead({
+                    username: teamFrontendUsername,
+                    topic: `ff/v1/${otherTeam.hashid}/p/${TestObjects.ProjectA.id}/state`
+                })
+            })
+            it('denies subscribe to an instance-state topic for a project owned by a different team', async function () {
+                await denyRead({
+                    username: teamFrontendUsername,
+                    topic: `ff/v1/${TestObjects.ATeam.hashid}/p/${projectInOtherTeam.id}/state`
+                })
+            })
+            it('denies subscribe to an instance-state topic for a non-existent project', async function () {
+                await denyRead({
+                    username: teamFrontendUsername,
+                    topic: `ff/v1/${TestObjects.ATeam.hashid}/p/00000000-0000-0000-0000-000000000000/state`
+                })
+            })
+            it('denies subscribe to an instance-state topic for a user who is not a member of the team', async function () {
+                const dave = await factory.createUser({ username: 'dave', name: 'Dave', email: 'dave@example.com', password: 'ddPassword1!' })
+                const daveUsername = `team-frontend:${dave.hashid}:${TestObjects.ATeam.hashid}:session-1234567890`
+                await denyRead({
+                    username: daveUsername,
+                    topic: instanceStateTopic
+                })
+            })
+            it('denies team-frontend from publishing on an instance-state topic', async function () {
+                await denyWrite({
+                    username: teamFrontendUsername,
+                    topic: instanceStateTopic
+                })
+            })
+            it('allows forge_platform to publish an instance-state topic', async function () {
+                await allowWrite({
+                    username: 'forge_platform',
+                    topic: instanceStateTopic
+                })
+            })
+
+            it('allows a team member to subscribe to a device-state topic for a device in their team', async function () {
+                await allowRead({
+                    username: teamFrontendUsername,
+                    topic: deviceStateTopic
+                })
+            })
+            it('denies subscribe when the device-state topic team-hash mismatches the credential', async function () {
+                await denyRead({
+                    username: teamFrontendUsername,
+                    topic: `ff/v1/${otherTeam.hashid}/d/${deviceInATeam.hashid}/state`
+                })
+            })
+            it('denies subscribe to a device-state topic for a non-existent device', async function () {
+                await denyRead({
+                    username: teamFrontendUsername,
+                    topic: `ff/v1/${TestObjects.ATeam.hashid}/d/missing-device-hashid/state`
+                })
+            })
+            it('denies subscribe to a device-state topic for a user who is not a member of the team', async function () {
+                const erin = await factory.createUser({ username: 'erin', name: 'Erin', email: 'erin@example.com', password: 'eePassword1!' })
+                const erinUsername = `team-frontend:${erin.hashid}:${TestObjects.ATeam.hashid}:session-1234567890`
+                await denyRead({
+                    username: erinUsername,
+                    topic: deviceStateTopic
+                })
+            })
+            it('denies team-frontend from publishing on a device-state topic', async function () {
+                await denyWrite({
+                    username: teamFrontendUsername,
+                    topic: deviceStateTopic
+                })
+            })
+            it('allows forge_platform to publish a device-state topic', async function () {
+                await allowWrite({
+                    username: 'forge_platform',
+                    topic: deviceStateTopic
+                })
+            })
         })
     })
 })
diff --git a/test/unit/frontend/services/team-channel.service.spec.js b/test/unit/frontend/services/team-channel.service.spec.js
index f6bbc66753..84e90adf13 100644
--- a/test/unit/frontend/services/team-channel.service.spec.js
+++ b/test/unit/frontend/services/team-channel.service.spec.js
@@ -17,7 +17,8 @@ function makeMqttService () {
     return {
         createClient: vi.fn(),
         destroyClient: vi.fn().mockResolvedValue(undefined),
-        subscribe: vi.fn().mockResolvedValue(undefined)
+        subscribe: vi.fn().mockResolvedValue(undefined),
+        unsubscribe: vi.fn().mockResolvedValue(undefined)
     }
 }
 
@@ -290,4 +291,240 @@ describe('TeamChannelService', async () => {
             expect(service.getSessionId()).not.toBe(sessionIdBefore)
         })
     })
+
+    describe('ready', () => {
+        test('resolves to true once connect succeeds', async () => {
+            const { service, mqtt } = createService()
+            mqtt.createClient.mockResolvedValue(undefined)
+            await service.connect({ id: 'team-1' })
+            await expect(service.ready()).resolves.toBe(true)
+        })
+
+        test('resolves to false when no connect has been attempted', async () => {
+            const { service } = createService()
+            await expect(service.ready()).resolves.toBe(false)
+        })
+
+        test('resolves to false when connect failed (graceful degrade)', async () => {
+            const { service, mqtt } = createService()
+            mqtt.createClient.mockRejectedValue(new Error('comms_unavailable'))
+            await service.connect({ id: 'team-1' })
+            await expect(service.ready()).resolves.toBe(false)
+        })
+
+        test('awaits an in-flight connect before resolving', async () => {
+            const { service, mqtt } = createService()
+            let resolveCreate
+            mqtt.createClient.mockImplementation(() => new Promise(resolve => { resolveCreate = resolve }))
+            const connecting = service.connect({ id: 'team-1' })
+            const ready = service.ready()
+            let readyResolved = false
+            ready
+                .then(() => {
+                    readyResolved = true
+                    return undefined
+                })
+                .catch(() => undefined)
+            await new Promise((resolve) => { setTimeout(resolve, 5) })
+            expect(readyResolved).toBe(false)
+            resolveCreate(undefined)
+            await connecting
+            await expect(ready).resolves.toBe(true)
+        })
+    })
+
+    describe('subscribeInstance / subscribeDevice', () => {
+        async function connectedService () {
+            const { service, mqtt } = createService()
+            let onMessage
+            mqtt.createClient.mockImplementation(async (_key, opts) => {
+                onMessage = opts.onMessage
+            })
+            await service.connect({ id: 'team-1' })
+            mqtt.subscribe.mockClear()
+            return { service, mqtt, onMessage }
+        }
+
+        test('subscribeInstance returns a no-op when not connected', async () => {
+            const { service, mqtt } = createService()
+            const cb = vi.fn()
+            const unsub = service.subscribeInstance('proj-1', cb)
+            expect(typeof unsub).toBe('function')
+            expect(() => unsub()).not.toThrow()
+            expect(mqtt.subscribe).not.toHaveBeenCalled()
+        })
+
+        test('subscribeDevice returns a no-op when not connected', async () => {
+            const { service, mqtt } = createService()
+            const cb = vi.fn()
+            const unsub = service.subscribeDevice('dev-1', cb)
+            expect(typeof unsub).toBe('function')
+            expect(() => unsub()).not.toThrow()
+            expect(mqtt.subscribe).not.toHaveBeenCalled()
+        })
+
+        test('first subscribeInstance issues a broker subscribe with the per-resource state topic', async () => {
+            const { service, mqtt } = await connectedService()
+            service.subscribeInstance('proj-1', vi.fn())
+            expect(mqtt.subscribe).toHaveBeenCalledWith(
+                'team:team-1',
+                'ff/v1/team-1/p/proj-1/state',
+                { qos: 1 }
+            )
+        })
+
+        test('first subscribeDevice issues a broker subscribe with the per-resource state topic', async () => {
+            const { service, mqtt } = await connectedService()
+            service.subscribeDevice('dev-1', vi.fn())
+            expect(mqtt.subscribe).toHaveBeenCalledWith(
+                'team:team-1',
+                'ff/v1/team-1/d/dev-1/state',
+                { qos: 1 }
+            )
+        })
+
+        test('second subscribe to the same id ref-counts (no extra broker subscribe)', async () => {
+            const { service, mqtt } = await connectedService()
+            service.subscribeInstance('proj-1', vi.fn())
+            service.subscribeInstance('proj-1', vi.fn())
+            expect(mqtt.subscribe).toHaveBeenCalledTimes(1)
+        })
+
+        test('distinct ids each get their own broker subscribe', async () => {
+            const { service, mqtt } = await connectedService()
+            service.subscribeInstance('proj-1', vi.fn())
+            service.subscribeInstance('proj-2', vi.fn())
+            expect(mqtt.subscribe).toHaveBeenCalledTimes(2)
+            expect(mqtt.subscribe).toHaveBeenCalledWith('team:team-1', 'ff/v1/team-1/p/proj-1/state', { qos: 1 })
+            expect(mqtt.subscribe).toHaveBeenCalledWith('team:team-1', 'ff/v1/team-1/p/proj-2/state', { qos: 1 })
+        })
+
+        test('last unsubscribe per id issues a broker unsubscribe', async () => {
+            const { service, mqtt } = await connectedService()
+            const cb1 = vi.fn()
+            const cb2 = vi.fn()
+            const unsub1 = service.subscribeInstance('proj-1', cb1)
+            const unsub2 = service.subscribeInstance('proj-1', cb2)
+            unsub1()
+            expect(mqtt.unsubscribe).not.toHaveBeenCalled()
+            unsub2()
+            expect(mqtt.unsubscribe).toHaveBeenCalledWith('team:team-1', 'ff/v1/team-1/p/proj-1/state')
+        })
+
+        test('idempotent unsubscribe (calling twice does nothing on second call)', async () => {
+            const { service, mqtt } = await connectedService()
+            const unsub = service.subscribeInstance('proj-1', vi.fn())
+            unsub()
+            unsub()
+            expect(mqtt.unsubscribe).toHaveBeenCalledTimes(1)
+        })
+
+        test('swallows broker subscribe failures (mqtt.service replays on reconnect)', async () => {
+            const { service, mqtt } = await connectedService()
+            mqtt.subscribe.mockRejectedValue(new Error('subscribe failed'))
+            expect(() => service.subscribeInstance('proj-1', vi.fn())).not.toThrow()
+        })
+
+        test('instance and device id namespaces are isolated', async () => {
+            const { service, onMessage } = await connectedService()
+            const instanceCb = vi.fn()
+            const deviceCb = vi.fn()
+            service.subscribeInstance('xyz', instanceCb)
+            service.subscribeDevice('xyz', deviceCb)
+            onMessage('ff/v1/team-1/p/xyz/state', Buffer.from(JSON.stringify({ id: 'xyz', meta: { state: 'running' } })))
+            expect(instanceCb).toHaveBeenCalledTimes(1)
+            expect(deviceCb).not.toHaveBeenCalled()
+        })
+    })
+
+    describe('state message routing', () => {
+        async function connectedService () {
+            const { service, mqtt } = createService()
+            let onMessage
+            mqtt.createClient.mockImplementation(async (_key, opts) => {
+                onMessage = opts.onMessage
+            })
+            await service.connect({ id: 'team-1' })
+            return { service, mqtt, onMessage }
+        }
+
+        test('instance-state message reaches the matching listener', async () => {
+            const { service, onMessage } = await connectedService()
+            const cb = vi.fn()
+            service.subscribeInstance('proj-1', cb)
+            onMessage(
+                'ff/v1/team-1/p/proj-1/state',
+                Buffer.from(JSON.stringify({ id: 'proj-1', meta: { state: 'running' }, ts: 1700000000000 }))
+            )
+            expect(cb).toHaveBeenCalledWith({ id: 'proj-1', meta: { state: 'running' }, ts: 1700000000000 })
+        })
+
+        test('device-state message reaches the matching listener', async () => {
+            const { service, onMessage } = await connectedService()
+            const cb = vi.fn()
+            service.subscribeDevice('dev-1', cb)
+            onMessage(
+                'ff/v1/team-1/d/dev-1/state',
+                Buffer.from(JSON.stringify({ id: 'dev-1', meta: { state: 'idle' } }))
+            )
+            expect(cb).toHaveBeenCalledWith({ id: 'dev-1', meta: { state: 'idle' } })
+        })
+
+        test('multiple listeners on the same id all receive the message', async () => {
+            const { service, onMessage } = await connectedService()
+            const cb1 = vi.fn()
+            const cb2 = vi.fn()
+            service.subscribeInstance('proj-1', cb1)
+            service.subscribeInstance('proj-1', cb2)
+            onMessage('ff/v1/team-1/p/proj-1/state', Buffer.from(JSON.stringify({ meta: { state: 'starting' } })))
+            expect(cb1).toHaveBeenCalledTimes(1)
+            expect(cb2).toHaveBeenCalledTimes(1)
+        })
+
+        test('listeners are scoped per id (no cross-talk)', async () => {
+            const { service, onMessage } = await connectedService()
+            const cb1 = vi.fn()
+            const cb2 = vi.fn()
+            service.subscribeInstance('proj-1', cb1)
+            service.subscribeInstance('proj-2', cb2)
+            onMessage('ff/v1/team-1/p/proj-1/state', Buffer.from(JSON.stringify({ meta: { state: 'running' } })))
+            expect(cb1).toHaveBeenCalledTimes(1)
+            expect(cb2).not.toHaveBeenCalled()
+        })
+
+        test('empty payload (retained-clear on resource delete) dispatches an empty object', async () => {
+            const { service, onMessage } = await connectedService()
+            const cb = vi.fn()
+            service.subscribeInstance('proj-1', cb)
+            onMessage('ff/v1/team-1/p/proj-1/state', Buffer.from(''))
+            expect(cb).toHaveBeenCalledWith({})
+        })
+
+        test('a listener that throws does not block dispatch to peers', async () => {
+            const { service, onMessage } = await connectedService()
+            const throwing = vi.fn(() => { throw new Error('handler boom') })
+            const ok = vi.fn()
+            service.subscribeInstance('proj-1', throwing)
+            service.subscribeInstance('proj-1', ok)
+            onMessage('ff/v1/team-1/p/proj-1/state', Buffer.from('{}'))
+            expect(throwing).toHaveBeenCalled()
+            expect(ok).toHaveBeenCalled()
+        })
+    })
+
+    describe('disconnect clears listener maps', () => {
+        test('disconnect drops all listeners; later messages do not fire stale callbacks', async () => {
+            const { service, mqtt } = createService()
+            let onMessage
+            mqtt.createClient.mockImplementation(async (_key, opts) => {
+                onMessage = opts.onMessage
+            })
+            await service.connect({ id: 'team-1' })
+            const cb = vi.fn()
+            service.subscribeInstance('proj-1', cb)
+            await service.disconnect()
+            onMessage('ff/v1/team-1/p/proj-1/state', Buffer.from(JSON.stringify({ meta: { state: 'x' } })))
+            expect(cb).not.toHaveBeenCalled()
+        })
+    })
 })

From 29bfb5fb214e1e7d2dfed718c7da1ac22229bcad Mon Sep 17 00:00:00 2001
From: Noley Holland <hollandnoley@gmail.com>
Date: Tue, 26 May 2026 13:41:16 -0700
Subject: [PATCH 2/2] Drop retain:true helpers

---
 forge/comms/index.js        | 17 +++--------------
 forge/routes/api/device.js  |  3 ---
 forge/routes/api/project.js |  3 ---
 3 files changed, 3 insertions(+), 20 deletions(-)

diff --git a/forge/comms/index.js b/forge/comms/index.js
index 2df9934020..8e925f3edb 100644
--- a/forge/comms/index.js
+++ b/forge/comms/index.js
@@ -34,21 +34,12 @@ module.exports = fp(async function (app, _opts) {
         function publishInstanceState (teamHash, instanceId, meta) {
             if (!teamHash || !instanceId) return
             const msg = { id: instanceId, meta: meta || null, ts: Date.now() }
-            client.publish(`ff/v1/${teamHash}/p/${instanceId}/state`, JSON.stringify(msg), { retain: true })
+            client.publish(`ff/v1/${teamHash}/p/${instanceId}/state`, JSON.stringify(msg))
         }
         function publishDeviceState (teamHash, deviceId, meta) {
             if (!teamHash || !deviceId) return
             const msg = { id: deviceId, meta: meta || null, ts: Date.now() }
-            client.publish(`ff/v1/${teamHash}/d/${deviceId}/state`, JSON.stringify(msg), { retain: true })
-        }
-        // empty + retain:true clears the broker's retained message
-        function clearInstanceState (teamHash, instanceId) {
-            if (!teamHash || !instanceId) return
-            client.publish(`ff/v1/${teamHash}/p/${instanceId}/state`, '', { retain: true })
-        }
-        function clearDeviceState (teamHash, deviceId) {
-            if (!teamHash || !deviceId) return
-            client.publish(`ff/v1/${teamHash}/d/${deviceId}/state`, '', { retain: true })
+            client.publish(`ff/v1/${teamHash}/d/${deviceId}/state`, JSON.stringify(msg))
         }
 
         client.on('status/project', (status) => {
@@ -98,9 +89,7 @@ module.exports = fp(async function (app, _opts) {
                     client.publish(`ff/v1/${teamHash}/u/${userHash}/membership`, JSON.stringify(msg))
                 },
                 publishInstanceState,
-                publishDeviceState,
-                clearInstanceState,
-                clearDeviceState
+                publishDeviceState
             }
         })
 
diff --git a/forge/routes/api/device.js b/forge/routes/api/device.js
index 3cc74c2075..a9167e422d 100644
--- a/forge/routes/api/device.js
+++ b/forge/routes/api/device.js
@@ -427,10 +427,7 @@ module.exports = async function (app) {
                     { model: app.db.models.TeamType }
                 ]
             })
-            const teamHash = team.hashid
-            const deviceHash = request.device.hashid
             await request.device.destroy()
-            app.comms?.team?.clearDeviceState(teamHash, deviceHash)
             await app.auditLog.Team.team.device.deleted(request.session.User, null, team, request.device)
             if (app.license.active() && app.billing) {
                 await app.billing.updateTeamBillingCounts(team)
diff --git a/forge/routes/api/project.js b/forge/routes/api/project.js
index 493ab05025..6af261ce62 100644
--- a/forge/routes/api/project.js
+++ b/forge/routes/api/project.js
@@ -280,10 +280,7 @@ module.exports = async function (app) {
                 })
             }
 
-            const teamHash = request.project.Team.hashid
-            const instanceId = request.project.id
             await request.project.destroy()
-            app.comms?.team?.clearInstanceState(teamHash, instanceId)
             await app.auditLog.Team.project.deleted(request.session.User, null, request.project.Team, request.project)
             await app.auditLog.Project.project.deleted(request.session.User, null, request.project.Team, request.project)
             reply.send({ status: 'okay' })