@agfpd/iapeer 0.2.25 → 0.2.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@agfpd/iapeer",
-  "version": "0.2.25",
+  "version": "0.2.27",
   "description": "Foundation core for the iapeer multi-agent ecosystem: identity, registry, storage, codec.",
   "type": "module",
   "bin": {

package/src/cli/cli.test.ts

@@ -130,6 +130,17 @@ describe('remove (registry record via the locked writer)', () => {
     expect((await removePeerCli('twice', { env: e })).action).toBe('removed')
     expect((await removePeerCli('twice', { env: e })).action).toBe('absent')
   })
+  test('self-done arms the caller\'s own quiet-reap (non-waking silent finish); refuses without PEER_IDENTITY', async () => {
+    const e = env()
+    // no PEER_IDENTITY → self-call refusal
+    expect(await runCli(['self-done'], e)).toBe(1)
+    // with PEER_IDENTITY → marker set, exit 0, nobody contacted
+    const e2 = { ...e, PEER_IDENTITY: 'claude-silentworker' }
+    expect(await runCli(['self-done'], e2)).toBe(0)
+    const { hasEphemeralArmed } = await import('../lifecycle/index.ts')
+    expect(hasEphemeralArmed(loadLifecycleConfig(e2), 'claude-silentworker')).toBe(true)
+  })
+
   test('purges identity-keyed lifecycle state with the record — a namesake newborn must not inherit a dead peer\'s parking (boris 10.06)', async () => {
     await register('reborn')
     const e = env()

package/src/cli/index.ts

@@ -30,11 +30,13 @@ import {
   clearStopped,
   folderLaunch,
   isLaunchdManaged,
+  isEphemeralPeer,
   isStopped,
   killSession,
   loadLifecycleConfig,
   purgeIdentityState,
   removeSessionState,
+  setEphemeralArmed,
   setIdleReaped,
   setNewEager,
   setStopped,
@@ -348,8 +350,9 @@ export async function sendMessage(
   // unawaited in-process wake would die with it; the daemon's supervise-tick
   // drain scan (≤60 s) picks the queue up — the EXISTING retry path for failed
   // kicks, not a new mechanism.
-  const { makeEphemeralRouteDeps } = await import('../daemon/main.ts')
+  const { makeArmEphemeralOnDelivered, makeEphemeralRouteDeps } = await import('../daemon/main.ts')
   const cfg = loadLifecycleConfig(env)
+  const t0 = Date.now()
   const result = await routeSend(
     caller,
     {
@@ -361,7 +364,39 @@ export async function sendMessage(
     },
     { wake: cliWake, ephemeral: makeEphemeralRouteDeps(cfg, env, () => {}) },
   )
+  // delivery.log sink — CLI-path parity (boris's observability gap 10.06: enqueues
+  // routed through the CLI left to=<peer> at ZERO for the day while real wakes
+  // happened; the daemon tool-path logs, this path was blind). Same fields, plus
+  // path=cli so the two entry points are distinguishable. Both branches logged.
+  const { appendDeliveryEvent } = await import('../daemon/deliverylog.ts')
+  appendDeliveryEvent(cfg.eventLogDir, {
+    ev: 'delivery',
+    path: 'cli',
+    caller: caller.address,
+    to: opts.target,
+    rt: opts.runtime,
+    ok: String(result.ok),
+    via: result.ok ? `${result.value.delivered_to.runtime}-${result.value.delivered_to.personality}` : undefined,
+    woke: result.ok ? String(result.value.woke) : undefined,
+    queued: result.ok && result.value.queued ? 'true' : undefined,
+    qd: result.ok ? result.value.queueDepth : undefined,
+    ms: Date.now() - t0,
+    len: opts.message.length,
+    att: opts.attachments?.length || undefined,
+    topic: opts.topic,
+    err: result.ok ? undefined : result.error.message,
+  })
   if (!result.ok) throw new Error(result.error.message)
+  // M2 arm-on-outbound — CLI-path parity (live gap 10.06: an ephemeral worker's
+  // final reply sent through the CLI fallback — e.g. inside a daemon-restart
+  // window, four deploys that day — never armed, so the worker idled to the
+  // unarmed bound and stalled its FIFO). Same hook the daemon path uses; ONLY on
+  // an ok outcome, errors swallowed (arming is best-effort, never fails the send).
+  try {
+    makeArmEphemeralOnDelivered(cfg)(caller)
+  } catch {
+    /* best-effort */
+  }
   return {
     ok: true,
     delivered_to: result.value.delivered_to,
@@ -432,6 +467,7 @@ const USAGE = `usage: iapeer <verb> [args]
   interrupt <peer> [runtime]                                     interrupt the current turn (Escape) — context intact
   compact <peer> [runtime]                                       compact the peer's context (/compact)
   self-fresh                                                     (agent self-call) mark /new eager-fresh + self-kill — the daemon relaunches fresh
+  self-done                                                      (agent self-call, ephemeral) silent finish: arm own quiet-reap, wake no one
   native-memory <off|on> (--peer <p> | --all)                    gate/restore runtimes' native memory (canonized lever; контракт «Слот памяти»)
   memory-plugin <on|off> (--peer <p> | --all)                    install/remove the slot-declared provider plugin (claude per-peer, codex host-global)
 `
@@ -913,6 +949,37 @@ export async function runCli(argv: string[], env: NodeJS.ProcessEnv = process.en
         if (!positionals[0] || !positionals[1]) return usage(errOut)
         return await runAlwaysOn(positionals[0], positionals[1], process.cwd())
       }
+      case 'self-done': {
+        // SILENT-FINISH self-call for an ephemeral worker (контракт ЖЦ §wake_policy;
+        // развилка boris 10.06): a worker whose task produced NOTHING to send must
+        // still release its M3 FIFO — but an EMPTY report would violate Артур's
+        // invariant «событие-всё-отфильтровано = тишина» (no empty wakes of the
+        // target). This verb is the non-waking arm: it sets the worker's OWN
+        // .ephemeral-armed (same marker the ok-outbound hook sets), so the quiet
+        // window reaps it within seconds and the drain feeds the next task — nobody
+        // is woken. Doctrine for silent finishers: «нечего отправлять → iapeer
+        // self-done вместо ответа». The unarmed idle bound (ephemeralUnarmedIdleSecs)
+        // remains the backstop for workers that do neither. On a NON-ephemeral peer
+        // the marker is inert (quiet-reap keys on wake_policy) — warn, exit 0.
+        const identity = env.PEER_IDENTITY?.trim()
+        if (!identity) {
+          errOut('self-done: PEER_IDENTITY is not set — this verb is an agent self-call from inside a session\n')
+          return 1
+        }
+        if (!parseSessionName(identity)) {
+          errOut(`self-done: invalid PEER_IDENTITY "${identity}" — expected <runtime>-<personality>\n`)
+          return 1
+        }
+        const cfg = loadLifecycleConfig(env)
+        setEphemeralArmed(cfg, identity)
+        const ephemeral = isEphemeralPeer(process.cwd())
+        out(
+          `self-done: armed ${identity} for the quiet-window reap (no one woken)` +
+            (ephemeral ? '' : ' — NOTE: this peer is not wake_policy:ephemeral, the marker is inert') +
+            '\n',
+        )
+        return 0
+      }
       case 'self-fresh': {
         // /new AGENT-FACING TRIGGER (TARGET redesign). Run BY the agent itself as the
         // FINAL step of a /new graceful wind-down (the owner triggers it via a per-peer

package/src/launch/canary.test.ts

@@ -10,7 +10,9 @@ import { tmpdir } from 'os'
 import { join } from 'path'
 import {
   canaryChannel,
+  canaryProcessPattern,
   canaryScript,
+  dismissCanary,
   ensureServerCanary,
   exitLogPath,
   serverDeathsDir,
@@ -53,7 +55,7 @@ describe('canary script (pure)', () => {
     expect(exitLogPath('/r/logs/iapeer')).toBe('/r/logs/iapeer/exits.log')
   })
 
-  test('script carries the protocol: wait-for channel, silent-exit guards, record line, forensics', () => {
+  test('script carries the v2 protocol: wait-for channel, deliberate-silence guards, liveness probe, record line, forensics', () => {
     const s = canaryScript({
       identity: 'claude-bob',
       sock: '/tmp/x.sock',
@@ -62,8 +64,15 @@ describe('canary script (pure)', () => {
       forensicsDir: '/r/logs/iapeer/server-deaths',
     })
     expect(s).toContain(`wait-for 'iap-canary-claude-bob'`) // the blocking client
-    expect(s).toContain(`trap 'exit 0' HUP INT TERM`) // signaled canary = silent
-    expect(s).toContain(`[ "$rc" -eq 0 ] || [ "$rc" -ge 128 ]`) // clean/signaled guards
+    expect(s).toContain(`trap 'exit 0' HUP INT TERM`) // dismissed sh = silent (the ONLY deliberate silencer)
+    // v2: NO exit code is trusted as deliberate (a TERMed client returns rc=0 —
+    // proven live); the SERVER's liveness decides, after a dismissal grace sleep.
+    expect(s).not.toContain(`[ "$rc" -eq 0 ] || [ "$rc" -ge 128 ]; then exit 0`) // the v1 hole
+    expect(s).toContain('sleep 2') // dismissal grace window
+    expect(s).toContain(`has-session 2>/dev/null; then exit 0`) // server alive → nothing to record
+    expect(s).toContain('cause=server-vanished') // connection drop (SIGKILL/OOM class)
+    expect(s).toContain('cause=signaled-server-gone') // rc=0: channel/client-TERM, server died
+    expect(s).toContain('cause=client-killed-server-gone') // rc≥128: client took a hard kill
     expect(s).toContain('ev=server-exit identity=claude-bob') // the exits.log record
     expect(s).toContain(`>> '/r/logs/iapeer/exits.log'`)
     expect(s).toContain('/r/logs/iapeer/server-deaths/claude-bob') // forensics file
@@ -74,6 +83,19 @@ describe('canary script (pure)', () => {
   test('ensureServerCanary without exitLogDir → skipped (observability off)', () => {
     expect(ensureServerCanary({ identity: 'claude-none', sock: '/tmp/none.sock' })).toBe('skipped')
   })
+
+  test('canaryProcessPattern is identity-anchored (no prefix bleed) and matches both canary processes', () => {
+    const p = canaryProcessPattern('claude-iap')
+    expect(p).toBe('iap-canary-claude-iap([^a-z0-9-]|$)')
+    const re = new RegExp(p)
+    expect(re.test(`/opt/homebrew/bin/tmux -S /tmp/x.sock wait-for iap-canary-claude-iap`)).toBe(true) // client argv
+    expect(re.test(`/bin/sh -c ... wait-for 'iap-canary-claude-iap'\n...`)).toBe(true) // sh -c script (quoted channel)
+    expect(re.test(`tmux wait-for iap-canary-claude-iap-memory`)).toBe(false) // prefix identity must NOT match
+  })
+
+  test('dismissCanary is a harmless no-op when no canary runs', () => {
+    expect(() => dismissCanary('claude-nobody-here')).not.toThrow()
+  })
 })
 
 describe.if(tmuxAvailable)('canary live (sandbox tmux servers)', () => {
@@ -90,11 +112,22 @@ describe.if(tmuxAvailable)('canary live (sandbox tmux servers)', () => {
     return { sock, logDir: join(dir, `logs-${identity}`) }
   }
 
+  const allIds = [
+    'claude-canadirty',
+    'claude-canaclean',
+    'claude-canakill',
+    'notifier-canatear',
+    'claude-canasweep',
+    'claude-canaclient',
+  ]
+
   afterAll(() => {
     for (const sock of socks) {
-      // teardown is DELIBERATE → signal each canary before killing its server
-      for (const id of ['claude-canadirty', 'claude-canaclean', 'claude-canakill', 'notifier-canatear']) {
+      // teardown is DELIBERATE → silence each canary (signal + dismiss) before
+      // killing its server — the v2 contract for every deliberate path.
+      for (const id of allIds) {
         signalCanaryClean(sock, id)
+        dismissCanary(id)
       }
       spawnSync('tmux', ['-S', sock, 'kill-server'], { stdio: 'ignore' })
     }
@@ -197,4 +230,59 @@ describe.if(tmuxAvailable)('canary live (sandbox tmux servers)', () => {
     },
     20000,
   )
+
+  test(
+    'death-#4 shape: external killer sweeps server AND canary client → ev=server-exit cause=client-signaled',
+    async () => {
+      const identity = 'claude-canasweep'
+      const { sock, logDir } = bringUp(identity)
+      const pid = serverPid(sock)
+      expect(ensureServerCanary({ identity, sock, exitLogDir: logDir })).toBe('spawned')
+      expect(await waitFor(() => canaryRunning(identity), 3000)).toBe(true)
+      await sleep(500)
+
+      // The pre-clean-shaped external killer: one pattern takes the server AND
+      // the canary CLIENT (both argv contain `tmux -S <sock> `), the sh recorder
+      // survives. The TERMed client returns rc=0 (proven live) — v1 read that as
+      // a clean channel signal and stayed silent; exactly how deaths #4–#6
+      // (10.06) left zero records. v2 probes the server instead: dead → record.
+      spawnSync('pkill', ['-f', `tmux -S ${sock} `], { stdio: 'ignore' })
+      const log = exitLogPath(logDir)
+      expect(
+        await waitFor(() => existsSync(log) && readFileSync(log, 'utf8').includes('ev=server-exit'), 10000),
+      ).toBe(true)
+      const line = readFileSync(log, 'utf8')
+      expect(line).toContain(`ev=server-exit identity=${identity}`)
+      expect(line).toContain('cause=signaled-server-gone') // rc=0 shape, server found dead
+      expect(line).toContain(`server_pid=${pid}`)
+      expect(readdirSync(serverDeathsDir(logDir)).length).toBe(1) // forensics captured
+    },
+    20000,
+  )
+
+  test(
+    'canary client killed while server lives → silent (no false record), canary gone for the retrofit to re-arm',
+    async () => {
+      const identity = 'claude-canaclient'
+      const { sock, logDir } = bringUp(identity)
+      expect(ensureServerCanary({ identity, sock, exitLogDir: logDir })).toBe('spawned')
+      expect(await waitFor(() => canaryRunning(identity), 3000)).toBe(true)
+      await sleep(500)
+
+      // TERM the CLIENT only (argv ends with the bare channel — the sh's quoted
+      // form does not match this $-anchored pattern), server stays up.
+      spawnSync('pkill', ['-f', `wait-for ${canaryChannel(identity)}$`], { stdio: 'ignore' })
+      // the sh probes (≈2 s), finds the server ALIVE → exits silently
+      expect(await waitFor(() => !canaryRunning(identity), 6000)).toBe(true)
+      await sleep(300)
+      expect(
+        existsSync(exitLogPath(logDir)) && readFileSync(exitLogPath(logDir), 'utf8').includes('ev=server-exit'),
+      ).toBe(false) // no false server-death while the server lives
+      // server must still be alive — and ensure re-arms a fresh canary (the
+      // retrofit path; in prod the supervise tick does this and logs it)
+      expect(spawnSync('tmux', ['-S', sock, 'has-session', '-t', identity], { stdio: 'ignore' }).status).toBe(0)
+      expect(ensureServerCanary({ identity, sock, exitLogDir: logDir })).toBe('spawned')
+    },
+    20000,
+  )
 })

package/src/launch/canary.ts

@@ -8,17 +8,32 @@
 // Mechanism: one tiny detached `sh` per LIVE tmux server, holding a blocking
 // client `tmux -S <sock> wait-for iap-canary-<identity>` — a process OUTSIDE the
 // dying server, connected via its socket, so the server's death (any cause,
-// including SIGKILL) is observed the moment the connection drops. Protocol:
-//   • clean teardown (idle-reap / stop / pre-clean / killServerIfEmpty) SIGNALS
-//     the channel first (`wait-for -S`) → the canary exits 0, silently;
-//   • the canary itself signaled (TERM/HUP/INT, e.g. launch pre-clean pkill) →
-//     rc ≥ 128 / trap → exit silently (someone manages it deliberately);
-//   • anything else (wait-for returns an error = the server vanished under us)
-//     → ONE logfmt line `ev=server-exit` into exits.log (the per-peer death-cause
-//     home, next to pane-died's `ev=session-exit`) + a forensics snapshot file
-//     (vm_stat / swap / top-RSS ps / fresh DiagnosticReports) captured WITHIN
-//     SECONDS of the death — the evidence the 60 s supervise tick can never
+// including SIGKILL) is observed the moment the connection drops. Protocol (v2 —
+// death #4 10.06 15:42Z proved v1's exit-code trust wrong twice over: the killer
+// took the SERVER and the canary CLIENT together, AND a TERMed tmux client
+// returns rc=0 — indistinguishable from a clean channel signal — so the rc-based
+// `0 || ≥128 → silent` guard silenced a real death):
+//   • DELIBERATE silence is an explicit act, never an exit-code inference:
+//     every deliberate teardown (idle-reap / stop / pre-clean / pane-died hook /
+//     bootout teardown) signals the channel (`wait-for -S`) AND dismisses the
+//     sh recorder (`dismissCanary` → TERM → trap → silent exit). POSIX trap
+//     semantics make this race-free: the trap runs before any recording.
+//   • When wait-for returns — ANY code — the script sleeps 2 s (a concurrent
+//     dismissal TERM wins here), then probes SERVER LIVENESS: alive → exit
+//     silently (a lost canary is re-armed and logged by the supervise retrofit
+//     within a tick); dead with nobody having dismissed us → the death is real
+//     and unclaimed → ONE logfmt line `ev=server-exit` into exits.log (the
+//     per-peer death-cause home, next to pane-died's `ev=session-exit`) + a
+//     forensics snapshot (vm_stat / swap / top-RSS ps / fresh DiagnosticReports)
+//     captured within seconds — the evidence the 60 s supervise tick can never
 //     recover ("системных следов ноль" was the recurring investigation outcome).
+//     The raw wait_rc still ATTRIBUTES the death (cause=server-vanished /
+//     signaled-server-gone / client-killed-server-gone).
+// Residual blind spot (structural): a killer that SIGKILLs the sh recorder
+// itself leaves no in-process way to record. With v2 the ABSENCE of a record on
+// a server-dead reap narrows the diagnosis to exactly that shape; the canary
+// ensure-state lines in lifecycle.log (origin=launch/retrofit) evidence the
+// churn post-hoc.
 //
 // The canary is pure observability: it never wakes, reaps, restarts or otherwise
 // manages anything (H4-compatible by construction), it fires at most once, and
@@ -69,24 +84,45 @@ export function canaryScript(o: CanaryScriptOptions): string {
   return [
     // Server PID captured while alive — the postmortem grep key for system logs.
     `SPID="$('${o.tmuxBin}' -S '${o.sock}' display-message -p '#{pid}' 2>/dev/null)"`,
-    // A signal to the CANARY is deliberate management (pre-clean pkill) → silent.
+    // A signal to the SH WRAPPER is deliberate dismissal (dismissCanary) or host
+    // shutdown → silent. POSIX: the trap runs after the foreground command
+    // completes — so a TERM delivered during wait-for/sleep always exits us
+    // BEFORE any recording below (the race-free deliberate-silence guarantee).
     `trap 'exit 0' HUP INT TERM`,
     `'${o.tmuxBin}' -S '${o.sock}' wait-for '${ch}'`,
     `rc=$?`,
-    // rc=0 → clean-teardown signal; rc≥128 → the tmux client itself was signaled.
-    `if [ "$rc" -eq 0 ] || [ "$rc" -ge 128 ]; then exit 0; fi`,
-    // The server vanished under us — record, within seconds of the death.
+    // NO wait-for exit code is trusted as "deliberate" by itself — PROVEN live
+    // (death-#4 postmortem): a TERM to the tmux CLIENT returns rc=0, identical
+    // to a clean channel signal, so an external killer sweeping server+client
+    // rides the clean-looking code straight past any rc-based guard (v1's
+    // `rc=0 || rc>=128 → silent` was exactly that hole). v2 contract instead:
+    //   • deliberate teardowns DISMISS this sh (TERM → trap above) — the sleep
+    //     below gives a concurrently-delivered dismissal time to win;
+    //   • then the SERVER's liveness, not the exit code, decides: alive →
+    //     nothing to record (a lost canary is re-armed and logged by the
+    //     supervise retrofit within a tick); dead and nobody dismissed us →
+    //     the death is real and unclaimed → record it.
+    `sleep 2`,
+    `if '${o.tmuxBin}' -S '${o.sock}' has-session 2>/dev/null; then exit 0; fi`,
+    // The exit code still ATTRIBUTES the recorded death (raw wait_rc is kept):
+    //   rc=0   → signaled-server-gone   (channel signal or client-TERM, server died)
+    //   rc≥128 → client-killed-server-gone (client took a non-TERM kill)
+    //   else   → server-vanished        (connection drop — SIGKILL/OOM class)
+    `cause=server-vanished`,
+    `if [ "$rc" -eq 0 ]; then cause=signaled-server-gone; fi`,
+    `if [ "$rc" -ge 128 ]; then cause=client-killed-server-gone; fi`,
+    // The server is gone under us — record, within seconds of the death.
     `ts="$(date -u +%Y-%m-%dT%H:%M:%SZ)"`,
     `f='${o.forensicsDir}/${o.identity}'-"$(date +%s)".txt`,
     `{`,
-    `  echo "server-death identity=${o.identity} ts=$ts server_pid=$SPID wait_rc=$rc"`,
+    `  echo "server-death identity=${o.identity} ts=$ts server_pid=$SPID wait_rc=$rc cause=$cause"`,
     `  echo '--- vm_stat'; vm_stat`,
     `  echo '--- swapusage'; sysctl -n vm.swapusage`,
     `  echo '--- ps-top-rss'; ps axo pid,ppid,rss,etime,command | sort -rn -k3 | head -25`,
     `  echo '--- diagnosticreports-user'; ls -t "$HOME/Library/Logs/DiagnosticReports" 2>/dev/null | head`,
     `  echo '--- diagnosticreports-system'; ls -t /Library/Logs/DiagnosticReports 2>/dev/null | head`,
     `} > "$f" 2>&1`,
-    `printf 'ts=%s ev=server-exit identity=${o.identity} server_pid=%s wait_rc=%s forensics=%s\\n' "$ts" "$SPID" "$rc" "$f" >> '${o.exitLogFile}'`,
+    `printf 'ts=%s ev=server-exit identity=${o.identity} server_pid=%s wait_rc=%s cause=%s forensics=%s\\n' "$ts" "$SPID" "$rc" "$cause" "$f" >> '${o.exitLogFile}'`,
   ].join('\n')
 }
 
@@ -150,3 +186,27 @@ export function signalCanaryClean(sock: string, identity: string): void {
     /* best-effort */
   }
 }
+
+/** The pgrep/pkill ERE matching BOTH canary processes of ONE identity — the sh
+ *  wrapper (its -c script quotes the channel: `…'iap-canary-<id>'…`) and the
+ *  tmux client (argv ends with the bare channel). Anchored so an identity can
+ *  never match another identity's prefix (claude-iapeer ≠ claude-iapeer-memory). */
+export function canaryProcessPattern(identity: string): string {
+  return `${canaryChannel(identity)}([^a-z0-9-]|$)`
+}
+
+/**
+ * Dismiss this identity's canary BEFORE a deliberate server teardown: TERM the
+ * sh wrapper (trap → silent exit, race-free — the trap always runs before the
+ * v2 recording branch) and the tmux client. The explicit counterpart of the
+ * channel signal: with v2 a signaled CLIENT alone is no longer read as
+ * deliberate, so every deliberate path must dismiss the RECORDER (the sh).
+ * Best-effort: no canary running → harmless no-op (pkill exits 1).
+ */
+export function dismissCanary(identity: string): void {
+  try {
+    spawnSync('pkill', ['-f', canaryProcessPattern(identity)], { stdio: 'ignore' })
+  } catch {
+    /* best-effort */
+  }
+}

package/src/launch/index.ts

@@ -19,7 +19,8 @@ import { dirname } from 'path'
 import { spawnSync } from 'child_process'
 import { CODEX_BEARER_ENV_VAR, CODEX_DUMMY_BEARER, type Runtime } from '../core/constants.ts'
 import { readLaunchEnv } from '../storage/index.ts'
-import { ensureServerCanary, exitLogPath, signalCanaryClean } from './canary.ts'
+import { canaryChannel, dismissCanary, ensureServerCanary, exitLogPath, signalCanaryClean } from './canary.ts'
+import { appendLifecycleEvent } from '../lifecycle/eventlog.ts'
 import { claudeAdapter } from './adapters/claude.ts'
 import { codexAdapter } from './adapters/codex.ts'
 import { telegramAdapter } from './adapters/telegram.ts'
@@ -155,7 +156,18 @@ export function exitCauseHook(identity: string, exitLogFile: string): string {
     `dead_status=#{pane_dead_status} dead_signal=#{pane_dead_signal}\\n`
   const log =
     `printf "${line}" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" >> "${exitLogFile}"`
-  return `run-shell '${log}' ; kill-session -t "${identity}"`
+  // Silence the server-death canary BEFORE kill-session: with a single-session
+  // server the kill empties the server and exit-empty takes it down — without
+  // explicit silence the canary would append a second, muddier `ev=server-exit`
+  // record for a death this very hook just captured (the session-exit line is
+  // the richer, authoritative one: it has the exit code/signal). v2 contract:
+  // deliberate = channel signal (tmux-NATIVE wait-for -S) + DISMISS the sh
+  // recorder (abs-path /usr/bin/pkill — survives the minimal launchd PATH;
+  // `\$` keeps the regex anchor literal through the sh double-quote layer; the
+  // `[i]` class keeps the pattern from matching its OWN occurrence in this
+  // hook-sh's cmdline — the pgrep self-match classic).
+  const dismiss = `/usr/bin/pkill -f "[i]${canaryChannel(identity).slice(1)}([^a-z0-9-]|\\$)"`
+  return `run-shell '${log} ; ${dismiss}' ; wait-for -S "${canaryChannel(identity)}" ; kill-session -t "${identity}"`
 }
 
 /** Install the exit-cause observability on a freshly-created session: ensure the
@@ -212,11 +224,15 @@ export const launch: LaunchFn = async (
   mkdirSync(dirname(sock), { recursive: true })
 
   // (1) Pre-clean any stale tmux server on this socket, then launch detached.
-  //     Signal the server-death canary FIRST: this teardown is deliberate, the
-  //     canary must exit silently, not record a false server-death (the pkill
-  //     below also matches the canary's cmdline — by design, it sweeps a stale
-  //     canary along with the stale server; a signaled canary is already gone).
+  //     Silence the server-death canary EXPLICITLY first — this teardown is
+  //     deliberate: signal the channel (client exits 0) AND dismiss the sh
+  //     recorder (TERM → trap → silent; canary v2 no longer reads a signaled
+  //     client alone as deliberate — an external killer sweeping server+client
+  //     was exactly the death-#4 silence). Only then sweep the server processes
+  //     (the pkill also matches a leftover canary client — harmless, both
+  //     canary processes are already dismissed).
   signalCanaryClean(sock, identity)
+  dismissCanary(identity)
   spawnSync('pkill', ['-f', `tmux -S ${sock} `], { stdio: 'ignore' })
   tmux(sock, 'kill-server')
 
@@ -268,7 +284,14 @@ export const launch: LaunchFn = async (
   //       that records `ev=server-exit` + a forensics snapshot when the whole
   //       server dies dirty (SIGKILL/OOM class). Same gate as the exit hook;
   //       best-effort by construction (every failure → a state, never a throw).
-  ensureServerCanary({ identity, sock, exitLogDir: cfg.exitLogDir, env })
+  //       The ensure-state is logged (origin=launch) so the arming trail is
+  //       complete in lifecycle.log: 'spawned' is the newborn-server norm here,
+  //       'failed' a newborn server starting its life UNWATCHED (death-#4
+  //       postmortem hinged on this very question being unanswerable).
+  const canaryState = ensureServerCanary({ identity, sock, exitLogDir: cfg.exitLogDir, env })
+  if (canaryState !== 'skipped') {
+    appendLifecycleEvent(cfg.exitLogDir, { ev: 'canary', identity, state: canaryState, origin: 'launch' }, { env })
+  }
 
   // (3) pipe-pane the session output to the per-identity log.
   mkdirSync(cfg.logDir, { recursive: true, mode: 0o700 })

package/src/launch/launch.test.ts

@@ -227,6 +227,14 @@ describe('exitCauseHook (exit-cause observability)', () => {
     // tmux-NATIVE kill-session (no shell `tmux`) → needs no PATH (launchd minimal env).
     expect(hook).toContain('kill-session -t "claude-iapeer"')
   })
+  test('silences the server-death canary (native wait-for -S) BEFORE kill-session — no double record', () => {
+    // kill-session on a single-session server → exit-empty takes the server down;
+    // without the signal the canary would add a second `ev=server-exit` record for
+    // a death this hook just captured (session-exit carries the code/signal).
+    expect(hook).toContain('wait-for -S "iap-canary-claude-iapeer"')
+    expect(hook.indexOf('wait-for -S')).toBeLessThan(hook.indexOf('kill-session'))
+    expect(hook.indexOf('run-shell')).toBeLessThan(hook.indexOf('wait-for -S')) // log first
+  })
   test('quoting: single-quoted run-shell arg (tmux layer) wrapping double-quoted sh', () => {
     expect(hook).toMatch(/run-shell '.*'/)
     expect(hook).not.toContain("''") // no empty/again-collapsed single-quote pair

package/src/launch/launchdRun.ts

@@ -23,7 +23,7 @@ import { buildProcessAddress, buildSocketPath } from '../core/socket.ts'
 import { peerLogsDir, pluginLogsDir } from '../storage/index.ts'
 import { readPeerProfile } from '../identity/index.ts'
 import { getAdapter, launch } from './index.ts'
-import { signalCanaryClean } from './canary.ts'
+import { dismissCanary, signalCanaryClean } from './canary.ts'
 import type { LaunchConfig, LaunchSpec } from './types.ts'
 
 /** Block-watch poll cadence — seconds, deliberately NOT a tight loop (the session
@@ -55,7 +55,10 @@ function sessionAlive(sock: string, identity: string): boolean {
  * both paths now converge on the same end state.
  */
 export function teardownAlwaysOnSession(sock: string, identity: string): void {
+  // Explicit canary silence (v2): channel signal (client exits 0) + dismiss the
+  // sh recorder — a signaled client alone is no longer read as deliberate.
   signalCanaryClean(sock, identity)
+  dismissCanary(identity)
   spawnSync('tmux', ['-S', sock, 'kill-session', '-t', identity], { stdio: 'ignore' })
   const ls = spawnSync('tmux', ['-S', sock, 'list-sessions', '-F', '#{session_name}'], { encoding: 'utf8' })
   if (!(ls.stdout ?? '').trim()) {

package/src/lifecycle/index.ts

@@ -46,7 +46,7 @@ import {
   type LaunchSpec,
 } from '../launch/index.ts'
 import { composeSystemPrompt, gatherPromptInput } from '../launch/composeSystemPrompt.ts'
-import { ensureServerCanary, signalCanaryClean } from '../launch/canary.ts'
+import { dismissCanary, ensureServerCanary, signalCanaryClean } from '../launch/canary.ts'
 import { appendLifecycleEvent, superviseLogVerbose } from './eventlog.ts'
 
 // ─────────────────────────────────────────────────────────────────────────────
@@ -79,6 +79,16 @@ export interface LifecycleConfig {
    *  transcript mtime is a LIVENESS proxy — "no longer writing" — not a semantic
    *  "done" signal. */
   ephemeralQuietSecs: number
+  /** wake_policy:ephemeral — the UNARMED idle bound (seconds): an ephemeral session
+   *  that never armed (finished silently / lost its arm to a daemon-restart window)
+   *  is reaped after this much activity-proxy silence. Live case (scriber 10.06):
+   *  a worker that ended «тихо» without its final outbound stalled its M3 FIFO for
+   *  the FULL generic idleSecs (1 h) — with serial drain that blocks the whole
+   *  conveyor per silent worker. Bound chosen ≫ the legitimate silent-tool case
+   *  (sleep-180) and ≪ idleSecs. DOCUMENTED RISK: an ephemeral worker whose tool
+   *  stays silent longer than this MID-TASK is reaped and its consumed queue item
+   *  is lost — ephemeral workers must emit activity (or their reply) within it. */
+  ephemeralUnarmedIdleSecs: number
 }
 
 export function loadLifecycleConfig(env: NodeJS.ProcessEnv = process.env): LifecycleConfig {
@@ -102,6 +112,7 @@ export function loadLifecycleConfig(env: NodeJS.ProcessEnv = process.env): Lifec
     crashLoopMax: num(env.IAPEER_CRASHLOOP_MAX, 3),
     crashLoopWindowSecs: num(env.IAPEER_CRASHLOOP_WINDOW_SECS, 300),
     ephemeralQuietSecs: num(env.IAPEER_EPHEMERAL_QUIET_SECS, 20),
+    ephemeralUnarmedIdleSecs: num(env.IAPEER_EPHEMERAL_UNARMED_IDLE_SECS, 600),
   }
 }
 
@@ -998,9 +1009,11 @@ export function killSession(sock: string, identity: string): void {
   tmux(sock, 'kill-session', '-t', identity)
   const sessions = tmux(sock, 'list-sessions', '-F', '#{session_name}').out
   if (!sessions.trim()) {
-    // Deliberate server teardown → signal the server-death canary FIRST so it
-    // exits silently instead of recording a false `ev=server-exit` (canary.ts).
+    // Deliberate server teardown → silence the canary EXPLICITLY first: signal
+    // the channel (client exits 0) AND dismiss the sh recorder (canary v2 no
+    // longer reads a signaled client alone as deliberate — see canary.ts).
     signalCanaryClean(sock, identity)
+    dismissCanary(identity)
     tmux(sock, 'kill-server')
     try {
       rmSync(sock, { force: true })
@@ -1140,6 +1153,30 @@ export function superviseTick(cfg: LifecycleConfig, deps: SuperviseDeps = {}): S
       trace({ identity: s.identity, action: 'reaped-ephemeral', age: `${ageSecs}s`, outcome: 'ephemeral-done' })
       continue
     }
+    // UNARMED ephemeral idle bound (live case scriber 10.06): a worker that ended
+    // SILENTLY (no final outbound → never armed; or its arm was lost to a CLI/
+    // daemon-restart window) used to wait out the FULL generic idleSecs (1 h) —
+    // and the M3 serial drain waits for the session's death, so ONE silent worker
+    // stalled its whole conveyor. This bound is the defense-in-depth backstop:
+    // ≫ the legitimate silent-tool case (sleep-180), ≪ idleSecs. The ШТАТНЫЙ
+    // silent-finish path is `iapeer self-done` (arm without waking anyone —
+    // Артур's invariant «нет пустых пробуждений» stays intact); this branch only
+    // bounds the damage when a worker does neither. Policy reap: NO .idle-reaped
+    // (ephemeral never resumes), NO recordDeath (the ring counts faults).
+    if (isEphemeralPeer(s.cwd) && ageSecs > cfg.ephemeralUnarmedIdleSecs) {
+      killSession(sock, s.identity)
+      clearEphemeralArmed(cfg, s.identity)
+      removeSessionState(cfg, s.identity)
+      out.push({
+        identity: s.identity,
+        action: 'reaped-ephemeral',
+        reason: `unarmed idle ${ageSecs}s (silent-finish backstop; штатный путь — iapeer self-done)`,
+        personality: s.personality,
+        runtime: s.runtime,
+      })
+      trace({ identity: s.identity, action: 'reaped-ephemeral', age: `${ageSecs}s`, outcome: 'ephemeral-unarmed-bound' })
+      continue
+    }
     if (ageSecs > cfg.idleSecs) {
       // THE ONLY place .idle-reaped is written: this is the one death the daemon
       // INITIATES. Its presence on the next wake = the session was parked cleanly =
@@ -1155,7 +1192,15 @@ export function superviseTick(cfg: LifecycleConfig, deps: SuperviseDeps = {}): S
       // every ALIVE daemon-owned server — covers a fleet launched by older code
       // within one tick of a deploy, no session restarts. Idempotent (pgrep on
       // the per-identity wait-for channel), best-effort, pure observability.
-      ensureServerCanary({ identity: s.identity, sock, exitLogDir: cfg.eventLogDir, env })
+      // A non-'already' state IS a decision-grade event (not verbose-gated):
+      // post-0.2.22 every launch arms a canary, so a retrofit 'spawned' on an
+      // alive server means the previous canary VANISHED mid-watch (the death-#4
+      // blind spot was exactly this churn being invisible); 'failed' means the
+      // server is currently UNWATCHED. At most one line per loss, not per tick.
+      const canaryState = ensureServerCanary({ identity: s.identity, sock, exitLogDir: cfg.eventLogDir, env })
+      if (canaryState !== 'already') {
+        trace({ identity: s.identity, action: 'canary', state: canaryState, origin: 'retrofit' })
+      }
       out.push({ identity: s.identity, action: 'alive' })
       if (verbose) trace({ identity: s.identity, action: 'alive', age: `${ageSecs}s` })
     }

package/src/lifecycle/lifecycle.test.ts

@@ -802,6 +802,69 @@ describe('superviseTick quiet-reap (M2 die-after-reply, real tmux)', () => {
     },
     30000,
   )
+
+  test.if(tmuxAvailable)(
+    'UNARMED ephemeral past the unarmed idle bound → reaped-ephemeral (silent-finish backstop; live case scriber 10.06)',
+    () => {
+      const root = mkdtempSync(join(tmpdir(), 'iapeer-eu-root-'))
+      const laDir = mkdtempSync(join(tmpdir(), 'iapeer-eu-la-'))
+      const cwd = profileCwd(false, true) // ephemeral worker profile
+      const env = {
+        ...process.env,
+        IAPEER_ROOT: root,
+        IAPEER_LAUNCHAGENTS_DIR: laDir,
+        IAPEER_SOCK_DIR: join(root, 'socks'),
+        IAPEER_EPHEMERAL_UNARMED_IDLE_SECS: '30', // ≪ the 60s age below, ≫ quiet 20s
+      }
+      const cfg = loadLifecycleConfig(env)
+      const identity = 'claude-eu'
+      const sock = join(root, 'socks', 'tmux-iap-claude-eu.sock')
+      const alive = () => spawnSync('tmux', ['-S', sock, 'has-session', '-t', identity]).status === 0
+      try {
+        mkdirSync(join(root, 'socks'), { recursive: true })
+        spawnSync('tmux', ['-S', sock, 'new-session', '-d', '-s', identity, 'sleep', '300'])
+        expect(alive()).toBe(true)
+        mkdirSync(cfg.stateDir, { recursive: true })
+        writeFileSync(
+          join(cfg.stateDir, `${identity}.session`),
+          JSON.stringify({ identity, runtime: 'claude', personality: 'eu', cwd, wokeAt: Date.now() - 60_000 }),
+        )
+        // NOT armed (the worker ended silently) — past the unarmed bound → policy reap
+        const o = superviseTick(cfg, { env }).find(x => x.identity === identity)
+        expect(o?.action).toBe('reaped-ephemeral')
+        expect(o?.reason).toContain('unarmed idle')
+        expect(o?.personality).toBe('eu') // M3 drain fields present → queue feeds next
+        expect(alive()).toBe(false)
+        // policy death: no resume-eligibility, no crash-loop count
+        expect(hasIdleReaped(cfg, identity)).toBe(false)
+        expect(readDeaths(cfg, identity).length).toBe(0)
+        const logged = readFileSync(join(cfg.eventLogDir, 'lifecycle.log'), 'utf8')
+        expect(logged).toContain('outcome=ephemeral-unarmed-bound')
+        // a NON-ephemeral peer with the same age is untouched by this bound
+        // (its session lives on ITS OWN identity-derived socket — the tick keys
+        // sockets on runtime-personality, not on the test's prior sock)
+        const plainCwd = profileCwd(false, false)
+        const eupSock = join(root, 'socks', 'tmux-iap-claude-eup.sock')
+        try {
+          writeFileSync(
+            join(cfg.stateDir, `claude-eup.session`),
+            JSON.stringify({ identity: 'claude-eup', runtime: 'claude', personality: 'eup', cwd: plainCwd, wokeAt: Date.now() - 60_000 }),
+          )
+          spawnSync('tmux', ['-S', eupSock, 'new-session', '-d', '-s', 'claude-eup', 'sleep', '300'])
+          expect(superviseTick(cfg, { env }).find(x => x.identity === 'claude-eup')?.action).toBe('alive')
+        } finally {
+          spawnSync('tmux', ['-S', eupSock, 'kill-server'], { stdio: 'ignore' })
+          rmSync(plainCwd, { recursive: true, force: true })
+        }
+      } finally {
+        spawnSync('tmux', ['-S', sock, 'kill-server'], { stdio: 'ignore' })
+        rmSync(root, { recursive: true, force: true })
+        rmSync(laDir, { recursive: true, force: true })
+        rmSync(cwd, { recursive: true, force: true })
+      }
+    },
+    30000,
+  )
 })
 
 // ─────────────────────────────────────────────────────────────────────────────