@ait-co/devtools 0.1.88 → 0.1.90

package/dist/mcp/cli.js

@@ -84,6 +84,40 @@ function startParentWatcher(onOrphaned, opts) {
 		clearInterval(handle);
 	} };
 }
+/**
+* Starts a periodic watchdog that calls `onExpired` once after `maxAgeMs`
+* milliseconds have elapsed since the watchdog was created.
+*
+* Motivation (issue #571): cloudflared quick-tunnel lifetimes are finite (a
+* few hours). A daemon that has been running for days will have outlived its
+* tunnel regardless of whether the tunnel process exited cleanly. This watchdog
+* caps the daemon's maximum age and forces a fresh start so the tunnel is
+* replaced before it silently expires.
+*
+* @param onExpired  - Called once when the maximum age is reached. The caller
+*                     should call `shutdown()` then `process.exit(0)`.
+* @param opts.maxAgeMs    - Maximum daemon lifetime in ms. Default 6 h.
+* @param opts.intervalMs  - Check interval in ms. Default 60 000 (1 min).
+* @param opts.now         - Time source (injectable for tests). Default `Date.now`.
+*
+* @returns `stop` — call during shutdown to clear the interval.
+*/
+function startMaxAgeWatchdog(onExpired, opts = {}) {
+	const { maxAgeMs = 360 * 60 * 1e3, intervalMs = 6e4, now = () => Date.now() } = opts;
+	const startedAt = now();
+	let fired = false;
+	const handle = setInterval(() => {
+		if (fired) return;
+		if (now() - startedAt >= maxAgeMs) {
+			fired = true;
+			clearInterval(handle);
+			onExpired();
+		}
+	}, intervalMs);
+	return { stop() {
+		clearInterval(handle);
+	} };
+}
 //#endregion
 //#region src/mcp/ait-chii-source.ts
 function isObject$4(value) {
@@ -369,7 +403,12 @@ var ChiiCdpConnection = class {
 	}
 	/** Refresh the attached-target list from the relay's `GET /targets`. */
 	async refreshTargets() {
-		const res = await fetch(`${this.relayBaseUrl}/targets`);
+		let targetsUrl = `${this.relayBaseUrl}/targets`;
+		if (this.totpSecret) {
+			const code = generateTotp(this.totpSecret);
+			targetsUrl += `?at=${encodeURIComponent(code)}`;
+		}
+		const res = await fetch(targetsUrl);
 		if (!res.ok) throw new Error(`Chii relay /targets returned HTTP ${res.status} ${res.statusText}`);
 		const body = await res.json();
 		const list = isObject$3(body) && Array.isArray(body.targets) ? body.targets : [];
@@ -934,14 +973,28 @@ async function startChiiRelay(options = {}) {
 	};
 	if (verifyAuth) httpServer.on("request", (req, res) => {
 		const rewritten = rewriteAtPathPrefix(req.url ?? "");
-		if (rewritten === null) return;
-		req.url = rewritten;
-		if (!verifyAuth(req)) {
-			res.statusCode = 401;
-			res.setHeader("Access-Control-Allow-Origin", "*");
-			res.setHeader("Content-Type", "application/json");
-			res.end(JSON.stringify({ error: RELAY_AUTH_REJECT_REASON }));
-			notifyAuthReject("http-request");
+		if (rewritten !== null) {
+			req.url = rewritten;
+			if (!verifyAuth(req)) {
+				res.statusCode = 401;
+				res.setHeader("Access-Control-Allow-Origin", "*");
+				res.setHeader("Content-Type", "application/json");
+				res.end(JSON.stringify({ error: RELAY_AUTH_REJECT_REASON }));
+				notifyAuthReject("http-request");
+			}
+			return;
+		}
+		const pathname = (req.url ?? "").split("?")[0];
+		if (pathname === "/targets" || pathname === "/targets/") {
+			if (!verifyAuth(req)) {
+				res.statusCode = 401;
+				res.setHeader("Access-Control-Allow-Origin", "*");
+				res.setHeader("Content-Type", "application/json");
+				res.end(JSON.stringify({ error: RELAY_AUTH_REJECT_REASON }));
+				notifyAuthReject("http-request");
+				return;
+			}
+			return;
 		}
 	});
 	const chiiWssClass = keepaliveIntervalMs > 0 ? tryLoadChiiWssClass() : null;
@@ -3472,10 +3525,12 @@ function readLock(lockPath) {
 		const parsed = JSON.parse(raw);
 		if (typeof parsed === "object" && parsed !== null && "pid" in parsed && typeof parsed.pid === "number" && "startedAt" in parsed && typeof parsed.startedAt === "string") {
 			const p = parsed;
+			const tunnelChildPid = typeof p.tunnelChildPid === "number" ? p.tunnelChildPid : null;
 			return {
 				pid: p.pid,
 				wssUrl: typeof p.wssUrl === "string" ? p.wssUrl : null,
-				startedAt: p.startedAt
+				startedAt: p.startedAt,
+				tunnelChildPid
 			};
 		}
 		return null;
@@ -3541,16 +3596,19 @@ function acquireLock(options = {}) {
 	const { force = false } = options;
 	const lockPath = lockFilePath();
 	const existing = readLock(lockPath);
-	if (existing !== null) if (isPidAlive(existing.pid)) if (force) {
-		process.stderr.write(`[ait-debug] --force: terminating existing session PID=${existing.pid} …\n`);
-		killAndWait(existing.pid);
-		process.stderr.write(`[ait-debug] --force: PID=${existing.pid} stopped, taking over.\n`);
-	} else {
-		const urlPart = existing.wssUrl != null ? `wssUrl=${existing.wssUrl}` : "wssUrl=(tunnel starting)";
-		process.stderr.write(`[ait-debug] 기존 debug-mode 세션이 이미 실행 중 — PID=${existing.pid}, started ${existing.startedAt}, ${urlPart}\n[ait-debug] 회복: \`kill ${existing.pid}\` 또는 \`npx @ait-co/devtools devtools-mcp --force\`\n`);
-		throw new ServerLockConflictError(existing.pid, existing.wssUrl, existing.startedAt);
-	}
-	else process.stderr.write(`[ait-debug] stale lock from PID ${existing.pid} recovered — starting fresh.\n`);
+	if (existing !== null) if (isPidAlive(existing.pid)) {
+		const tunnelChildPid = existing.tunnelChildPid;
+		if (typeof tunnelChildPid === "number" && !isPidAlive(tunnelChildPid)) process.stderr.write(`[ait-debug] stale lock: holder PID=${existing.pid} alive but tunnel child PID=${tunnelChildPid} is dead — reclaiming lock.\n`);
+		else if (force) {
+			process.stderr.write(`[ait-debug] --force: terminating existing session PID=${existing.pid} …\n`);
+			killAndWait(existing.pid);
+			process.stderr.write(`[ait-debug] --force: PID=${existing.pid} stopped, taking over.\n`);
+		} else {
+			const urlPart = existing.wssUrl != null ? `wssUrl=${existing.wssUrl}` : "wssUrl=(tunnel starting)";
+			process.stderr.write(`[ait-debug] 기존 debug-mode 세션이 이미 실행 중 — PID=${existing.pid}, started ${existing.startedAt}, ${urlPart}\n[ait-debug] 회복: \`kill ${existing.pid}\` 또는 \`npx @ait-co/devtools devtools-mcp --force\`\n`);
+			throw new ServerLockConflictError(existing.pid, existing.wssUrl, existing.startedAt);
+		}
+	} else process.stderr.write(`[ait-debug] stale lock from PID ${existing.pid} recovered — starting fresh.\n`);
 	const data = {
 		pid: process.pid,
 		wssUrl: null,
@@ -3564,6 +3622,11 @@ function acquireLock(options = {}) {
 			data.wssUrl = wssUrl;
 			writeLock(lockPath, data);
 		},
+		updateTunnelChildPid(pid) {
+			if (released) return;
+			data.tunnelChildPid = pid;
+			writeLock(lockPath, data);
+		},
 		release() {
 			if (released) return;
 			released = true;
@@ -4781,7 +4844,7 @@ async function readMcpSdkVersion() {
 * some test environments that skip the build step).
 */
 function readDevtoolsVersion() {
-	return "0.1.88";
+	return "0.1.90";
 }
 /**
 * Derives the next recommended action from a completed diagnostics snapshot.
@@ -4840,7 +4903,7 @@ function computeNextRecommendedAction(tunnel, pages, env, authRejects = null) {
 *   - Lock file data contains only pid + startedAt + wssUrl — no secrets.
 */
 async function getDiagnostics(input) {
-	const { tunnel, connection, env, envReason, collector, readLock: readLockFn, recentErrorsLimit = 10, getMcpVersion = readMcpSdkVersion, checkParentAlive = () => isPidAlive(process.ppid) } = input;
+	const { tunnel, connection, env, envReason, collector, readLock: readLockFn, recentErrorsLimit = 10, getMcpVersion = readMcpSdkVersion, checkParentAlive = () => isPidAlive(process.ppid), tunnelChildPid } = input;
 	const [mcpVersion, devtoolsVersion] = await Promise.all([getMcpVersion(), Promise.resolve(readDevtoolsVersion())]);
 	const lockData = readLockFn();
 	const serverLockHolder = lockData ? {
@@ -4848,8 +4911,11 @@ async function getDiagnostics(input) {
 		startedAt: lockData.startedAt,
 		wssUrl: lockData.wssUrl
 	} : null;
+	const effectiveTunnelChildPid = tunnelChildPid ?? lockData?.tunnelChildPid ?? null;
+	let effectiveUp = tunnel.up;
+	if (tunnel.up && typeof effectiveTunnelChildPid === "number" && effectiveTunnelChildPid !== null && !isPidAlive(effectiveTunnelChildPid)) effectiveUp = false;
 	const tunnelInfo = {
-		up: tunnel.up,
+		up: effectiveUp,
 		wssUrl: tunnel.wssUrl,
 		pid: lockData?.pid ?? null,
 		startedAt: lockData?.startedAt ?? null,
@@ -4937,6 +5003,11 @@ async function ensureCloudflaredBin() {
 /**
 * Opens a cloudflared quick tunnel to the local relay port and resolves once
 * the public URL is assigned.
+*
+* FIX 1 (issue #571): after URL resolution the returned `QuickTunnel` object
+* watches the cloudflared child process for unexpected exits and calls any
+* registered `onUnexpectedExit` callback so the health probe can immediately
+* trigger reissue instead of waiting for the next poll interval.
 */
 async function startQuickTunnel(localPort) {
 	await ensureCloudflaredBin();
@@ -4963,10 +5034,20 @@ async function startQuickTunnel(localPort) {
 		tunnel.once("error", onError);
 		tunnel.once("exit", onExit);
 	});
+	let intentionalStop = false;
+	let unexpectedExitCb = null;
+	tunnel.once("exit", (code) => {
+		if (!intentionalStop && unexpectedExitCb !== null) unexpectedExitCb(code);
+	});
 	return {
 		url,
 		wssUrl: url.replace(/^https/, "wss"),
-		stop: () => {
+		childPid: tunnel.process?.pid,
+		onUnexpectedExit(cb) {
+			unexpectedExitCb = cb;
+		},
+		stop() {
+			intentionalStop = true;
 			tunnel.stop();
 		}
 	};
@@ -5088,6 +5169,10 @@ async function probeTunnel(httpsUrl, timeoutMs = 1e4) {
 * times). On success the caller is notified via `onReissue`; on permanent
 * failure via `onPermanentDrop`.
 *
+* FIX 1 (issue #571): the probe also subscribes to each tunnel's
+* `onUnexpectedExit` callback to detect child death *immediately* instead of
+* waiting for the next probe interval (which could be 60 s away).
+*
 * @returns `stop` — call during server shutdown to clear the probe interval.
 */
 function startTunnelHealthProbe(initialTunnel, localPort, options) {
@@ -5096,6 +5181,43 @@ function startTunnelHealthProbe(initialTunnel, localPort, options) {
 	let consecutiveFailures = 0;
 	let reissueAttempts = 0;
 	let stopped = false;
+	const doReissueOrDrop = async () => {
+		if (stopped) return;
+		reissueAttempts += 1;
+		if (reissueAttempts > 3) return;
+		log(`[ait-debug] tunnel drop detected — reissuing (attempt ${reissueAttempts}/3)\n`);
+		try {
+			const newTunnel = await spawnTunnel(localPort);
+			try {
+				currentTunnel.stop();
+			} catch {}
+			currentTunnel = newTunnel;
+			consecutiveFailures = 0;
+			armChildExitWatch(newTunnel);
+			log(`[ait-debug] tunnel reissued — new relay: ${newTunnel.wssUrl}\n`);
+			onReissue(newTunnel);
+		} catch (err) {
+			const message = err instanceof Error ? err.message : String(err);
+			log(`[ait-debug] tunnel reissue attempt ${reissueAttempts} failed: ${message}\n`);
+			if (reissueAttempts >= 3) {
+				clearInterval(handle);
+				stopped = true;
+				const droppedAt = (/* @__PURE__ */ new Date()).toISOString();
+				log(`[ait-debug] tunnel permanently dropped after 3 reissue attempts — restart the debug server to continue (npx @ait-co/devtools devtools-mcp).
+`);
+				onPermanentDrop(droppedAt);
+			}
+		}
+	};
+	const armChildExitWatch = (t) => {
+		t.onUnexpectedExit((code) => {
+			if (stopped) return;
+			log(`[ait-debug] cloudflared child exited unexpectedly (code=${code}) — triggering immediate reissue\n`);
+			consecutiveFailures = failuresBeforeReissue;
+			doReissueOrDrop();
+		});
+	};
+	armChildExitWatch(initialTunnel);
 	const handle = setInterval(() => {
 		(async () => {
 			if (stopped) return;
@@ -5109,30 +5231,7 @@ function startTunnelHealthProbe(initialTunnel, localPort, options) {
 			consecutiveFailures += 1;
 			log(`[ait-debug] tunnel health probe: failure ${consecutiveFailures}/${failuresBeforeReissue} (url=${httpsUrl})\n`);
 			if (consecutiveFailures < failuresBeforeReissue) return;
-			reissueAttempts += 1;
-			if (reissueAttempts > 3) return;
-			log(`[ait-debug] tunnel drop detected — reissuing (attempt ${reissueAttempts}/3)\n`);
-			try {
-				const newTunnel = await spawnTunnel(localPort);
-				try {
-					currentTunnel.stop();
-				} catch {}
-				currentTunnel = newTunnel;
-				consecutiveFailures = 0;
-				log(`[ait-debug] tunnel reissued — new relay: ${newTunnel.wssUrl}\n`);
-				onReissue(newTunnel);
-			} catch (err) {
-				const message = err instanceof Error ? err.message : String(err);
-				log(`[ait-debug] tunnel reissue attempt ${reissueAttempts} failed: ${message}\n`);
-				if (reissueAttempts >= 3) {
-					clearInterval(handle);
-					stopped = true;
-					const droppedAt = (/* @__PURE__ */ new Date()).toISOString();
-					log(`[ait-debug] tunnel permanently dropped after 3 reissue attempts — restart the debug server to continue (npx @ait-co/devtools devtools-mcp).
-`);
-					onPermanentDrop(droppedAt);
-				}
-			}
+			await doReissueOrDrop();
 		})();
 	}, probeIntervalMs);
 	return { stop() {
@@ -5282,15 +5381,16 @@ function waitForAttachWithEvents(connection, filterFn, timeoutMs, pollIntervalMs
 * naturally via `enableDomains`). The tier only controls visibility.
 */
 function createDebugServer(deps) {
-	const { connection, router: routerDep, aitSource, getTunnelStatus, waitForAttachTimeoutMs = 6e4, qrHttpServer, getEnvironment: getEnvDep, getEnvironmentReason: getEnvReasonDep, diagnosticsCollector: collectorDep, totpSecret, onAttachUrlBuilt } = deps;
+	const { connection, router: routerDep, aitSource, getTunnelStatus, waitForAttachTimeoutMs = 6e4, qrHttpServer, getEnvironment: getEnvDep, getEnvironmentReason: getEnvReasonDep, diagnosticsCollector: collectorDep, totpSecret, onAttachUrlBuilt, getTunnelChildPid, readLock: readLockDep } = deps;
 	const getTotpSecret = deps.getTotpSecret ?? (() => totpSecret);
+	const readLockFn = readLockDep ?? readServerLock;
 	const router = routerDep ?? makeSingleConnectionRouter(connection);
 	const resolveEnvironment = getEnvDep ?? (() => deriveEnvironment(router.active.kind, getLiveIntent(), router.activeRelayOrigin));
 	const resolveEnvironmentReason = getEnvReasonDep ?? (() => `derived:kind=${router.active.kind},liveIntent=${getLiveIntent()}`);
 	const collector = collectorDep ?? new InMemoryDiagnosticsCollector();
 	const server = new Server({
 		name: "ait-debug",
-		version: "0.1.88"
+		version: "0.1.90"
 	}, { capabilities: { tools: { listChanged: true } } });
 	server.setRequestHandler(ListToolsRequestSchema, () => {
 		const conn = router.active;
@@ -5355,8 +5455,9 @@ function createDebugServer(deps) {
 				env,
 				envReason,
 				collector,
-				readLock: readServerLock,
-				recentErrorsLimit
+				readLock: readLockFn,
+				recentErrorsLimit,
+				tunnelChildPid: getTunnelChildPid?.() ?? void 0
 			}), name, env, conn.listTargets().length > 0);
 		} catch (err) {
 			return errorResult(err, name);
@@ -6049,12 +6150,14 @@ async function bootRelayFamily(options = {}) {
 		tunnel = t;
 		tunnelStatus = makeTunnelStatus(true, t.wssUrl);
 		options.onWssUrl?.(t.wssUrl);
+		if (t.childPid !== void 0) options.onTunnelChildPid?.(t.childPid);
 		logInfo("tunnel.up", { totpEnabled });
 		tunnelProbe = startTunnelHealthProbe(t, relay.port, {
 			onReissue: (newTunnel) => {
 				tunnel = newTunnel;
 				tunnelStatus = makeTunnelStatus(true, newTunnel.wssUrl, null, 0);
 				options.onWssUrl?.(newTunnel.wssUrl);
+				if (newTunnel.childPid !== void 0) options.onTunnelChildPid?.(newTunnel.childPid);
 				printAttachBanner({
 					wssUrl: newTunnel.wssUrl,
 					totpEnabled
@@ -6387,6 +6490,7 @@ async function runDebugServer(options = {}) {
 	const lockHandle = acquireLock({ force: options.force ?? false });
 	const devtoolsOpener = new AutoDevtoolsOpener();
 	const diagnosticsCollector = new InMemoryDiagnosticsCollector();
+	let activeTunnelChildPid = null;
 	const router = new DualConnectionRouter({
 		bootLazyFor: async (key, projectRoot) => key === "relay-sandbox" ? bootExternalRelayFamily(await readMobileRelayBaseUrl(process.env, projectRoot), await readRelayLocalUrl(process.env, projectRoot)) : key === "local-browser" ? bootLocalFamily() : bootRelayFamily({
 			relayPort: options.relayPort,
@@ -6395,6 +6499,10 @@ async function runDebugServer(options = {}) {
 				lockHandle.updateWssUrl(wssUrl);
 				qrServer?.notifyStateChange();
 			},
+			onTunnelChildPid: (pid) => {
+				activeTunnelChildPid = pid;
+				lockHandle.updateTunnelChildPid(pid);
+			},
 			onAuthReject: () => diagnosticsCollector.recordAuthReject()
 		}),
 		diagnosticsCollector,
@@ -6466,6 +6574,7 @@ async function runDebugServer(options = {}) {
 		router,
 		aitSource,
 		getTunnelStatus: () => router.relayTunnelStatus(),
+		getTunnelChildPid: () => activeTunnelChildPid,
 		get qrHttpServer() {
 			return qrServer;
 		},
@@ -6479,10 +6588,12 @@ async function runDebugServer(options = {}) {
 	const transport = new StdioServerTransport();
 	let closed = false;
 	let parentWatcher = null;
+	let maxAgeWatchdog = null;
 	const shutdown = () => {
 		if (closed) return;
 		closed = true;
 		parentWatcher?.stop();
+		maxAgeWatchdog?.stop();
 		if (totpRefreshHandle) clearInterval(totpRefreshHandle);
 		router.stopWatcher();
 		for (const family of router.bootedFamilies()) family.stop();
@@ -6497,6 +6608,7 @@ async function runDebugServer(options = {}) {
 		if (!closed) {
 			closed = true;
 			parentWatcher?.stop();
+			maxAgeWatchdog?.stop();
 			if (totpRefreshHandle) clearInterval(totpRefreshHandle);
 			router.stopWatcher();
 			for (const family of router.bootedFamilies()) family.stop();
@@ -6535,6 +6647,11 @@ async function runDebugServer(options = {}) {
 			process.exit(0);
 		});
 	}
+	if (process.env.AIT_DEBUG_NO_MAX_AGE !== "1") maxAgeWatchdog = startMaxAgeWatchdog(() => {
+		process.stderr.write("[ait-debug] max-age watchdog: daemon lifetime exceeded — shutting down for a fresh start.\n");
+		shutdown();
+		process.exit(0);
+	}, { maxAgeMs: process.env.AIT_DEBUG_MAX_AGE_MS ? Number.parseInt(process.env.AIT_DEBUG_MAX_AGE_MS, 10) || void 0 : void 0 });
 }
 /**
 * Serves the debug stack over stdio with the local browser as the default
@@ -6586,6 +6703,7 @@ async function runLocalDebugServer(options = {}) {
 	};
 	const devtoolsOpener = new AutoDevtoolsOpener();
 	const diagnosticsCollector = new InMemoryDiagnosticsCollector();
+	let activeTunnelChildPid = null;
 	const router = new DualConnectionRouter({
 		bootLazyFor: async (key, projectRoot) => key === "relay-sandbox" ? bootExternalRelayFamily(await readMobileRelayBaseUrl(process.env, projectRoot), await readRelayLocalUrl(process.env, projectRoot)) : key === "local-browser" ? bootLocalFamilyForEntry() : bootRelayFamily({
 			verifyAuth: buildRelayVerifyAuth(),
@@ -6593,6 +6711,10 @@ async function runLocalDebugServer(options = {}) {
 				lockHandle.updateWssUrl(wssUrl);
 				qrServer?.notifyStateChange();
 			},
+			onTunnelChildPid: (pid) => {
+				activeTunnelChildPid = pid;
+				lockHandle.updateTunnelChildPid(pid);
+			},
 			onAuthReject: () => diagnosticsCollector.recordAuthReject()
 		}),
 		diagnosticsCollector,
@@ -6663,6 +6785,7 @@ async function runLocalDebugServer(options = {}) {
 		router,
 		aitSource,
 		getTunnelStatus: () => router.relayTunnelStatus(),
+		getTunnelChildPid: () => activeTunnelChildPid,
 		get qrHttpServer() {
 			return qrServer;
 		},
@@ -6676,10 +6799,12 @@ async function runLocalDebugServer(options = {}) {
 	const transport = new StdioServerTransport();
 	let closed = false;
 	let parentWatcher = null;
+	let maxAgeWatchdog = null;
 	const shutdown = () => {
 		if (closed) return;
 		closed = true;
 		parentWatcher?.stop();
+		maxAgeWatchdog?.stop();
 		if (totpRefreshHandle) clearInterval(totpRefreshHandle);
 		router.stopWatcher();
 		for (const family of router.bootedFamilies()) family.stop();
@@ -6694,6 +6819,7 @@ async function runLocalDebugServer(options = {}) {
 		if (!closed) {
 			closed = true;
 			parentWatcher?.stop();
+			maxAgeWatchdog?.stop();
 			if (totpRefreshHandle) clearInterval(totpRefreshHandle);
 			router.stopWatcher();
 			for (const family of router.bootedFamilies()) family.stop();
@@ -6734,6 +6860,11 @@ async function runLocalDebugServer(options = {}) {
 			process.exit(0);
 		});
 	}
+	if (process.env.AIT_DEBUG_NO_MAX_AGE !== "1") maxAgeWatchdog = startMaxAgeWatchdog(() => {
+		process.stderr.write("[ait-debug] max-age watchdog: daemon lifetime exceeded — shutting down for a fresh start.\n");
+		shutdown();
+		process.exit(0);
+	}, { maxAgeMs: process.env.AIT_DEBUG_MAX_AGE_MS ? Number.parseInt(process.env.AIT_DEBUG_MAX_AGE_MS, 10) || void 0 : void 0 });
 }
 /**
 * Serves the env-2 (real-device PWA) debug stack over stdio with the external
@@ -6767,6 +6898,7 @@ async function runMobileDebugServer(options = {}) {
 	const lockHandle = acquireLock({ force: options.force ?? false });
 	const devtoolsOpener = new AutoDevtoolsOpener();
 	const diagnosticsCollector = new InMemoryDiagnosticsCollector();
+	let activeTunnelChildPid = null;
 	const router = new DualConnectionRouter({
 		bootLazyFor: async (key) => key === "relay-sandbox" ? bootExternalRelayFamily(relayBaseUrl, await readRelayLocalUrl(process.env, options.projectRoot ?? process.cwd())) : key === "local-browser" ? bootLocalFamily() : bootRelayFamily({
 			verifyAuth: buildRelayVerifyAuth(),
@@ -6774,6 +6906,10 @@ async function runMobileDebugServer(options = {}) {
 				lockHandle.updateWssUrl(wssUrl);
 				qrServer?.notifyStateChange();
 			},
+			onTunnelChildPid: (pid) => {
+				activeTunnelChildPid = pid;
+				lockHandle.updateTunnelChildPid(pid);
+			},
 			onAuthReject: () => diagnosticsCollector.recordAuthReject()
 		}),
 		diagnosticsCollector,
@@ -6844,6 +6980,7 @@ async function runMobileDebugServer(options = {}) {
 		router,
 		aitSource,
 		getTunnelStatus: () => router.relayTunnelStatus(),
+		getTunnelChildPid: () => activeTunnelChildPid,
 		get qrHttpServer() {
 			return qrServer;
 		},
@@ -6857,10 +6994,12 @@ async function runMobileDebugServer(options = {}) {
 	const transport = new StdioServerTransport();
 	let closed = false;
 	let parentWatcher = null;
+	let maxAgeWatchdog = null;
 	const shutdown = () => {
 		if (closed) return;
 		closed = true;
 		parentWatcher?.stop();
+		maxAgeWatchdog?.stop();
 		if (totpRefreshHandle) clearInterval(totpRefreshHandle);
 		router.stopWatcher();
 		for (const family of router.bootedFamilies()) family.stop();
@@ -6875,6 +7014,7 @@ async function runMobileDebugServer(options = {}) {
 		if (!closed) {
 			closed = true;
 			parentWatcher?.stop();
+			maxAgeWatchdog?.stop();
 			if (totpRefreshHandle) clearInterval(totpRefreshHandle);
 			router.stopWatcher();
 			for (const family of router.bootedFamilies()) family.stop();
@@ -6915,6 +7055,11 @@ async function runMobileDebugServer(options = {}) {
 			process.exit(0);
 		});
 	}
+	if (process.env.AIT_DEBUG_NO_MAX_AGE !== "1") maxAgeWatchdog = startMaxAgeWatchdog(() => {
+		process.stderr.write("[ait-debug] max-age watchdog: daemon lifetime exceeded — shutting down for a fresh start.\n");
+		shutdown();
+		process.exit(0);
+	}, { maxAgeMs: process.env.AIT_DEBUG_MAX_AGE_MS ? Number.parseInt(process.env.AIT_DEBUG_MAX_AGE_MS, 10) || void 0 : void 0 });
 }
 //#endregion
 //#region src/mcp/ait-http-source.ts
@@ -7344,7 +7489,7 @@ function createDevServer(deps = {}) {
 	const aitSource = deps.aitSource ?? new HttpAitSource({ stateEndpoint });
 	const server = new Server({
 		name: "ait-devtools",
-		version: "0.1.88"
+		version: "0.1.90"
 	}, { capabilities: { tools: {} } });
 	server.setRequestHandler(ListToolsRequestSchema, () => ({ tools: DEV_TOOL_DEFINITIONS.map((tool) => ({ ...tool })) }));
 	server.setRequestHandler(CallToolRequestSchema, async (request) => {