@botcord/daemon 0.2.74 → 0.2.76

package/src/cloud-settle.ts

@@ -0,0 +1,182 @@
+/**
+ * Cloud Agent run settle helper.
+ *
+ * After a `cloud_run` envelope completes (or fails), the daemon POSTs the
+ * observed usage back to the Hub so the wallet ledger can finalize the
+ * reservation. The Hub-side endpoint is
+ * `POST /internal/cloud-agents/runs/{run_id}/settle` — see
+ * ``backend/hub/services/cloud_agent_usage.py``.
+ *
+ * Auth: the cloud daemon authenticates with its cloud-daemon-access JWT
+ * (the same token used for the WS upgrade). The Hub-side endpoint accepts
+ * either that JWT (scoped to the daemon's bound agents) or the operator
+ * `INTERNAL_API_SECRET` header — see ``hub/routers/cloud_agent_internal.py``.
+ */
+import { normalizeAndValidateHubUrl } from "@botcord/protocol-core";
+
+/** Token usage breakdown reported alongside the wall-clock time. */
+export interface CloudRunSettleUsage {
+  provider: string;
+  model: string;
+  inputCacheHitTokens: number;
+  inputCacheMissTokens: number;
+  outputTokens: number;
+  sandboxSeconds: number;
+}
+
+/** Inputs accepted by {@link postCloudRunSettle}. */
+export interface CloudRunSettleInput extends CloudRunSettleUsage {
+  hubUrl: string;
+  accessToken: string;
+  runId: string;
+  /** Override the idempotency key. Defaults to `<run_id>:settle`. */
+  idempotencyKey?: string;
+  /** Test seam — override `fetch`. */
+  fetchFn?: typeof fetch;
+  /** Override timeout for the POST. Defaults to 10s. */
+  timeoutMs?: number;
+}
+
+/** Outcome of {@link postCloudRunSettle}. */
+export interface CloudRunSettleResult {
+  ok: boolean;
+  status: number;
+  /** Raw response body, when the Hub returned one. */
+  body?: unknown;
+}
+
+/**
+ * POST the settle payload to the Hub. Resolves with `ok=false` for non-2xx
+ * responses instead of throwing so the caller can decide whether to retry
+ * or surface the failure into the runtime log; throws only on transport
+ * errors (timeout / DNS) which are fully outside the daemon's control.
+ *
+ * Body shape matches the Hub-side `UsageEventCreate`-like contract:
+ *
+ *   {
+ *     "provider":                <str>,
+ *     "model":                   <str>,
+ *     "input_cache_hit_tokens":  <int>,
+ *     "input_cache_miss_tokens": <int>,
+ *     "output_tokens":           <int>,
+ *     "sandbox_seconds":         <int>,
+ *     "idempotency_key":         "<run_id>:settle"
+ *   }
+ *
+ * Snake_case is intentional: the Hub's Pydantic models use snake_case for
+ * the public surface even when the surrounding daemon control plane uses
+ * camelCase.
+ */
+export interface CloudRunSettleHookDeps {
+  hubUrl: string;
+  accessToken: string;
+  /** Fallback model name when the envelope doesn't carry one. */
+  defaultModel?: string;
+  /** Logger surface — only `warn` / `info` used. */
+  log?: {
+    info(msg: string, ctx?: Record<string, unknown>): void;
+    warn(msg: string, ctx?: Record<string, unknown>): void;
+  };
+  /** Test seam. */
+  fetchFn?: typeof fetch;
+}
+
+/** Minimal subset of an inbound message needed by the settle hook. */
+export interface CloudRunSettleHookEvent {
+  envelopeType?: string | undefined;
+  runId?: string | undefined;
+  wallTimeMs: number;
+  tokens?: {
+    inputCacheHitTokens?: number;
+    inputCacheMissTokens?: number;
+    outputTokens?: number;
+  };
+  messageId?: string;
+}
+
+/**
+ * Build the settle hook used by ``startCloudDaemon``. Extracted so unit
+ * tests can drive it directly without standing up the full gateway.
+ */
+export function buildCloudRunSettleHook(
+  deps: CloudRunSettleHookDeps,
+): (event: CloudRunSettleHookEvent) => Promise<void> {
+  const log = deps.log;
+  const model = deps.defaultModel ?? "deepseek-v4-flash";
+  return async (event) => {
+    if (event.envelopeType !== "cloud_run") return;
+    const runId = event.runId;
+    if (typeof runId !== "string" || runId.length === 0) {
+      log?.warn("cloud_run envelope missing run_id; skipping settle", {
+        messageId: event.messageId ?? "<unknown>",
+      });
+      return;
+    }
+    const sandboxSeconds = Math.max(1, Math.round(event.wallTimeMs / 1000));
+    try {
+      const settleResult = await postCloudRunSettle({
+        hubUrl: deps.hubUrl,
+        accessToken: deps.accessToken,
+        runId,
+        provider: "deepseek",
+        model,
+        // The deepseek-tui adapter does not yet surface token counts;
+        // ``UsageService`` charges by sandbox-seconds when tokens are
+        // zero. Filling these in is the next runtime-adapter PR.
+        inputCacheHitTokens: event.tokens?.inputCacheHitTokens ?? 0,
+        inputCacheMissTokens: event.tokens?.inputCacheMissTokens ?? 0,
+        outputTokens: event.tokens?.outputTokens ?? 0,
+        sandboxSeconds,
+        ...(deps.fetchFn ? { fetchFn: deps.fetchFn } : {}),
+      });
+      if (!settleResult.ok) {
+        log?.warn("cloud_run settle returned non-2xx", {
+          runId,
+          status: settleResult.status,
+        });
+      } else {
+        log?.info("cloud_run settled", { runId, sandboxSeconds });
+      }
+    } catch (err) {
+      // Transport errors only — Hub-side rejections surface as ok=false.
+      log?.warn("cloud_run settle threw — continuing", {
+        runId,
+        error: err instanceof Error ? err.message : String(err),
+      });
+    }
+  };
+}
+
+export async function postCloudRunSettle(
+  input: CloudRunSettleInput,
+): Promise<CloudRunSettleResult> {
+  const base = normalizeAndValidateHubUrl(input.hubUrl);
+  const url = `${base}/internal/cloud-agents/runs/${encodeURIComponent(input.runId)}/settle`;
+  const idempotencyKey = input.idempotencyKey ?? `${input.runId}:settle`;
+  const body = {
+    provider: input.provider,
+    model: input.model,
+    input_cache_hit_tokens: Math.max(0, Math.floor(input.inputCacheHitTokens)),
+    input_cache_miss_tokens: Math.max(0, Math.floor(input.inputCacheMissTokens)),
+    output_tokens: Math.max(0, Math.floor(input.outputTokens)),
+    sandbox_seconds: Math.max(0, Math.floor(input.sandboxSeconds)),
+    idempotency_key: idempotencyKey,
+  };
+  const doFetch = input.fetchFn ?? fetch;
+  const resp = await doFetch(url, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+      Authorization: `Bearer ${input.accessToken}`,
+    },
+    body: JSON.stringify(body),
+    signal: AbortSignal.timeout(input.timeoutMs ?? 10_000),
+  });
+  let parsed: unknown = undefined;
+  try {
+    parsed = await resp.json();
+  } catch {
+    // Empty body on 204, etc. — leave parsed as undefined.
+  }
+  return { ok: resp.ok, status: resp.status, body: parsed };
+}

package/src/daemon-singleton.ts

@@ -0,0 +1,122 @@
+import { existsSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import { PID_PATH } from "./config.js";
+
+export interface SingletonLogger {
+  info(message: string, meta?: Record<string, unknown>): void;
+  warn(message: string, meta?: Record<string, unknown>): void;
+}
+
+const noopLogger: SingletonLogger = {
+  info() {
+    // noop
+  },
+  warn() {
+    // noop
+  },
+};
+
+export function readPid(pidPath = PID_PATH): number | null {
+  if (!existsSync(pidPath)) return null;
+  const raw = readFileSync(pidPath, "utf8").trim();
+  const pid = Number(raw);
+  return Number.isFinite(pid) && pid > 0 ? pid : null;
+}
+
+export function pidAlive(pid: number): boolean {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+export async function waitForPidExit(pid: number, timeoutMs: number): Promise<boolean> {
+  const deadline = Date.now() + timeoutMs;
+  while (Date.now() < deadline) {
+    if (!pidAlive(pid)) return true;
+    await delay(100);
+  }
+  return !pidAlive(pid);
+}
+
+export async function stopExistingDaemonForRestart(
+  pid: number,
+  opts: {
+    pidPath?: string;
+    currentPid?: number;
+    logger?: SingletonLogger;
+  } = {},
+): Promise<void> {
+  const pidPath = opts.pidPath ?? PID_PATH;
+  const currentPid = opts.currentPid ?? process.pid;
+  const logger = opts.logger ?? noopLogger;
+  if (pid === currentPid) return;
+  logger.info("existing daemon found; restarting", { pid });
+  try {
+    process.kill(pid, "SIGTERM");
+  } catch {
+    removePidFile(pidPath);
+    return;
+  }
+  if (!(await waitForPidExit(pid, 5_000))) {
+    logger.warn("existing daemon did not stop after SIGTERM; sending SIGKILL", { pid });
+    try {
+      process.kill(pid, "SIGKILL");
+    } catch {
+      // ignore
+    }
+    await waitForPidExit(pid, 2_000);
+  }
+  removePidFile(pidPath);
+}
+
+export async function stopDaemonFromPidFileForRestart(
+  opts: {
+    pidPath?: string;
+    currentPid?: number;
+    logger?: SingletonLogger;
+  } = {},
+): Promise<void> {
+  const pidPath = opts.pidPath ?? PID_PATH;
+  const existing = readPid(pidPath);
+  if (existing && pidAlive(existing)) {
+    await stopExistingDaemonForRestart(existing, opts);
+  }
+}
+
+export function ensureNoOtherDaemonFromPidFile(
+  opts: {
+    pidPath?: string;
+    currentPid?: number;
+  } = {},
+): number | null {
+  const pidPath = opts.pidPath ?? PID_PATH;
+  const currentPid = opts.currentPid ?? process.pid;
+  const existing = readPid(pidPath);
+  if (existing && existing !== currentPid && pidAlive(existing)) {
+    return existing;
+  }
+  return null;
+}
+
+export function writeCurrentPid(
+  opts: {
+    pidPath?: string;
+    currentPid?: number;
+  } = {},
+): void {
+  writeFileSync(opts.pidPath ?? PID_PATH, String(opts.currentPid ?? process.pid), { mode: 0o600 });
+}
+
+export function removePidFile(pidPath = PID_PATH): void {
+  try {
+    unlinkSync(pidPath);
+  } catch {
+    // ignore
+  }
+}
+
+function delay(ms: number): Promise<void> {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}

package/src/daemon.ts

@@ -28,6 +28,7 @@ import { toGatewayConfig } from "./daemon-config-map.js";
 import { log as daemonLog } from "./log.js";
 import {
   adoptDiscoveredOpenclawAgents,
+  attachRuntimeHealth,
   collectRuntimeSnapshot,
   createProvisioner,
   type OnAgentInstalledHook,
@@ -222,8 +223,12 @@ export interface RuntimeSnapshotSink {
  * failure is non-fatal (the Hub will re-query via `list_runtimes` on demand
  * or wait for the next daemon restart). Exported for unit tests.
  */
-export function pushRuntimeSnapshot(sink: RuntimeSnapshotSink): boolean {
-  const snap = collectRuntimeSnapshot();
+export function pushRuntimeSnapshot(
+  sink: RuntimeSnapshotSink,
+  liveSnapshot?: GatewayRuntimeSnapshot,
+): boolean {
+  const base = collectRuntimeSnapshot();
+  const snap = liveSnapshot ? attachRuntimeHealth(base, liveSnapshot) : base;
   const ok = sink.send({
     id: `rt_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`,
     type: CONTROL_FRAME_TYPES.RUNTIME_SNAPSHOT,
@@ -502,7 +507,15 @@ export async function startDaemon(opts: DaemonRuntimeOptions): Promise<DaemonHan
     }
   };
 
-  const gateway = new Gateway({
+  let controlChannel: ControlChannel | null = null;
+  let gateway: Gateway;
+  const pushLiveRuntimeSnapshot = (): void => {
+    if (!controlChannel) return;
+    const pushed = pushRuntimeSnapshot(controlChannel, gateway.snapshot());
+    logger.info("control-channel: live runtime_snapshot push", { ok: pushed });
+  };
+
+  gateway = new Gateway({
     config: gwConfig,
     sessionStorePath: opts.sessionStorePath ?? SESSIONS_PATH,
     createChannel: (chCfg: GatewayChannelConfig): ChannelAdapter =>
@@ -517,6 +530,7 @@ export async function startDaemon(opts: DaemonRuntimeOptions): Promise<DaemonHan
     buildMemoryContext,
     onInbound,
     onOutbound,
+    onRuntimeCircuitBreakerChange: pushLiveRuntimeSnapshot,
     composeUserTurn: composeBotCordUserTurn,
     attentionGate,
     resolveHubUrl,
@@ -575,7 +589,6 @@ export async function startDaemon(opts: DaemonRuntimeOptions): Promise<DaemonHan
   // Control channel is optional — daemon still runs (data-plane only)
   // when user-auth hasn't been set up yet. Operators can `login` later
   // without restarting, but for P0 we require a restart to pick it up.
-  let controlChannel: ControlChannel | null = null;
   if (userAuth?.current && !opts.disableControlChannel) {
     logger.info("control-channel: enabling", {
       userId: userAuth.current.userId,
@@ -614,7 +627,7 @@ export async function startDaemon(opts: DaemonRuntimeOptions): Promise<DaemonHan
       // Plan §8.5 P0 — push one runtime snapshot immediately after connect
       // so Hub's `daemon_instances.runtimes_json` is populated for the
       // dashboard even before any user action. No periodic refresh in P0.
-      const pushed = pushRuntimeSnapshot(controlChannel);
+      const pushed = pushRuntimeSnapshot(controlChannel, gateway.snapshot());
       logger.info("control-channel: initial runtime_snapshot push", {
         ok: pushed,
       });

package/src/doctor.ts

@@ -1,6 +1,7 @@
 import type { RuntimeProbeEntry } from "./adapters/runtimes.js";
 import type { DaemonConfig } from "./config.js";
 import { resolveBootAgents } from "./agent-discovery.js";
+import { probeClaudeAuth, type ClaudeAuthProbeResult } from "./gateway/runtimes/claude-code.js";
 
 /** Summary of a single channel's readiness, printable by the doctor command. */
 export interface ChannelProbeResult {
@@ -54,6 +55,7 @@ export interface DoctorRuntimeEndpoint {
 /** Augmented runtime entry that may carry endpoint probe results. */
 export interface DoctorRuntimeEntry extends RuntimeProbeEntry {
   endpoints?: DoctorRuntimeEndpoint[];
+  auth?: ClaudeAuthProbeResult;
 }
 
 /** Input for the rendered doctor output. */
@@ -167,12 +169,11 @@ export async function probeChannel(
     return result;
   }
 
-  // Probe `/` — the hub is ASGI and responds 2xx/3xx/404 which is fine for
-  // "reachable". We treat any response as reachable; network errors fall
-  // through to hubOk=false.
+  // Probe `/` — the hub is ASGI and may answer 404 when the host is still
+  // reachable. Network errors fall through to hubOk=false.
   const probeUrl = `${result.hubUrl.replace(/\/+$/, "")}/`;
   const http = await opts.fetcher(probeUrl, opts.timeoutMs);
-  if (http.ok) {
+  if (http.ok || http.status === 404) {
     result.hubOk = true;
     result.hubMessage = `reachable (HTTP ${http.status})`;
   } else if (http.status !== undefined) {
@@ -260,6 +261,10 @@ export function renderDoctor(input: DoctorInput): string {
     if (!e.result.available && e.installHint) {
       lines.push(`    → ${e.installHint}`);
     }
+    if (e.auth) {
+      const authStatus = e.auth.checked ? (e.auth.ok ? "ok" : "failed") : "skipped";
+      lines.push(`    auth ${authStatus}: ${e.auth.message}`);
+    }
     if (e.endpoints && e.endpoints.length > 0) {
       for (const ep of e.endpoints) {
         const mark = ep.reachable ? "✓" : "✗";
@@ -312,15 +317,23 @@ export function renderDoctor(input: DoctorInput): string {
  * text. Keeps `index.ts` free of probe wiring.
  */
 export async function runDoctor(
-  runtimes: RuntimeProbeEntry[],
+  runtimes: DoctorRuntimeEntry[],
   channels: ChannelProbeConfig[],
   opts: {
     credentialsPath: (accountId: string) => string;
     fileReader: DoctorFileReader;
     fetcher: DoctorHttpFetcher;
     timeoutMs?: number;
+    authCheck?: boolean;
   },
 ): Promise<DoctorInput> {
+  if (opts.authCheck) {
+    for (const runtime of runtimes) {
+      if (runtime.id === "claude-code" && runtime.result.available) {
+        runtime.auth = probeClaudeAuth();
+      }
+    }
+  }
   const channelResults = await probeChannels({
     channels,
     credentialsPath: opts.credentialsPath,

package/src/gateway/__tests__/botcord-channel.test.ts

@@ -269,6 +269,39 @@ describe("createBotCordChannel — inbox normalization", () => {
     }
   });
 
+  it("polls inbox periodically as a fallback after websocket auth", async () => {
+    const server = await startAuthOkServer();
+    const pollInbox = vi.fn().mockResolvedValue({ messages: [], count: 0, has_more: false });
+    const client = makeClient({
+      pollInbox,
+      getHubUrl: vi.fn().mockReturnValue(server.url),
+    });
+    const channel = createBotCordChannel({
+      id: "botcord-main",
+      accountId: "ag_self",
+      agentId: "ag_self",
+      client,
+      hubBaseUrl: server.url,
+      pollIntervalMs: 10,
+    });
+    const abort = new AbortController();
+    const startPromise = channel.start({
+      config: stubConfig,
+      accountId: "ag_self",
+      abortSignal: abort.signal,
+      log: silentLog,
+      emit: async () => {},
+      setStatus: () => {},
+    });
+    try {
+      await vi.waitFor(() => expect(pollInbox.mock.calls.length).toBeGreaterThanOrEqual(2));
+    } finally {
+      abort.abort();
+      await startPromise;
+      await server.close();
+    }
+  });
+
   it("maps a group-room InboxMessage to a GatewayInboundMessage", async () => {
     const { emits, server } = await startWithInbox([
       makeInbox({
@@ -868,6 +901,47 @@ describe("createBotCordChannel — streamBlock()", () => {
     }
   });
 
+  it("marks DeepSeek terminal events for owner-chat stream cleanup", async () => {
+    const fetchSpy = vi.fn().mockResolvedValue(new Response(null, { status: 204 }));
+    const realFetch = globalThis.fetch;
+    globalThis.fetch = fetchSpy as unknown as typeof fetch;
+    try {
+      const client = makeClient({
+        getHubUrl: vi.fn().mockReturnValue("https://hub.example.com"),
+      });
+      const channel = createBotCordChannel({
+        id: "botcord-main",
+        accountId: "ag_self",
+        agentId: "ag_self",
+        client,
+        hubBaseUrl: "https://hub.example.com",
+      });
+      await channel.streamBlock!({
+        traceId: "m_trace",
+        accountId: "ag_self",
+        conversationId: "rm_oc_1",
+        block: {
+          kind: "other",
+          seq: 6,
+          raw: {
+            event: "turn.finished",
+            payload: { thread_id: "thr_1", turn_id: "turn_1" },
+          },
+        },
+        log: silentLog,
+      });
+      const [, init] = fetchSpy.mock.calls[0];
+      const body = JSON.parse(init.body as string);
+      expect(body.block).toMatchObject({
+        kind: "other",
+        seq: 6,
+        payload: { terminal: true, event: "turn.finished" },
+      });
+    } finally {
+      globalThis.fetch = realFetch;
+    }
+  });
+
   it("normalizes a thinking block with phase/label/source payload", async () => {
     const fetchSpy = vi.fn().mockResolvedValue(new Response(null, { status: 204 }));
     const realFetch = globalThis.fetch;

package/src/gateway/__tests__/claude-code-adapter.test.ts

@@ -2,7 +2,8 @@ import { afterAll, describe, expect, it } from "vitest";
 import { mkdtempSync, rmSync, writeFileSync, chmodSync } from "node:fs";
 import os from "node:os";
 import path from "node:path";
-import { ClaudeCodeAdapter } from "../runtimes/claude-code.js";
+import { ClaudeCodeAdapter, probeClaudeAuth } from "../runtimes/claude-code.js";
+import type { RuntimeRunOptions } from "../types.js";
 
 // The adapter spawns whatever binary we point it at; we point it at a small
 // Node script so we control stdout/stderr/exit precisely without needing the
@@ -33,6 +34,20 @@ function runAdapter(script: string, sessionId: string | null = null) {
   });
 }
 
+class EnvProbeClaudeCodeAdapter extends ClaudeCodeAdapter {
+  env(opts: Partial<RuntimeRunOptions> = {}) {
+    return this.spawnEnv({
+      text: "hi",
+      sessionId: null,
+      accountId: "ag_test",
+      cwd: tmpRoot,
+      signal: new AbortController().signal,
+      trustLevel: "owner",
+      ...opts,
+    } as RuntimeRunOptions);
+  }
+}
+
 describe("ClaudeCodeAdapter", () => {
   it("parses session_id from system init + concatenates assistant text", async () => {
     const script = makeScript(
@@ -150,6 +165,91 @@ process.exit(2);
     expect(res.error).toMatch(/auth failure/);
   });
 
+  it("treats Claude Code auth failures emitted as success results as runtime errors", async () => {
+    const script = makeScript(
+      "auth-success.js",
+      `
+process.stdout.write(JSON.stringify({type:"system", subtype:"init", session_id:"sid-auth"}) + "\\n");
+process.stdout.write(JSON.stringify({type:"assistant", message:{content:[{type:"text", text:"partial"}]}}) + "\\n");
+process.stdout.write(JSON.stringify({
+  type:"result",
+  subtype:"success",
+  session_id:"sid-bad",
+  total_cost_usd:0,
+  result:"Failed to authenticate. API Error: 403 Request not allowed"
+}) + "\\n");
+`,
+    );
+    const res = await runAdapter(script);
+    expect(res.text).toBe("");
+    expect(res.newSessionId).toBe("");
+    expect(res.error).toContain("Failed to authenticate");
+    expect(res.costUsd).toBe(0);
+  });
+
+  it("scrubs Claude Code auth env that can override stored login credentials", () => {
+    const previous = {
+      ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY,
+      ANTHROPIC_AUTH_TOKEN: process.env.ANTHROPIC_AUTH_TOKEN,
+      ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL,
+      ANTHROPIC_CUSTOM_HEADERS: process.env.ANTHROPIC_CUSTOM_HEADERS,
+      CLAUDE_CODE_OAUTH_TOKEN: process.env.CLAUDE_CODE_OAUTH_TOKEN,
+    };
+    try {
+      process.env.ANTHROPIC_API_KEY = "stale-key";
+      process.env.ANTHROPIC_AUTH_TOKEN = "stale-token";
+      process.env.ANTHROPIC_BASE_URL = "https://wrong.example";
+      process.env.ANTHROPIC_CUSTOM_HEADERS = "Authorization: Bearer stale";
+      process.env.CLAUDE_CODE_OAUTH_TOKEN = "stale-oauth";
+
+      const env = new EnvProbeClaudeCodeAdapter().env();
+      expect(env.ANTHROPIC_API_KEY).toBeUndefined();
+      expect(env.ANTHROPIC_AUTH_TOKEN).toBeUndefined();
+      expect(env.ANTHROPIC_BASE_URL).toBeUndefined();
+      expect(env.ANTHROPIC_CUSTOM_HEADERS).toBeUndefined();
+      expect(env.CLAUDE_CODE_OAUTH_TOKEN).toBeUndefined();
+    } finally {
+      for (const [key, value] of Object.entries(previous)) {
+        if (value === undefined) delete process.env[key];
+        else process.env[key] = value;
+      }
+    }
+  });
+
+  it("auth probe recognizes success-shaped Claude Code auth failures", () => {
+    const res = probeClaudeAuth({
+      execFileSyncFn: ((command: string, args: string[]) => {
+        if (command === "which") return "/usr/bin/claude\n";
+        expect(args).toEqual(["-p", "ping", "--output-format", "stream-json"]);
+        return `${JSON.stringify({
+          type: "result",
+          subtype: "success",
+          total_cost_usd: 0,
+          result: "Failed to authenticate. API Error: 403 Request not allowed",
+        })}\n`;
+      }) as never,
+    });
+    expect(res.checked).toBe(true);
+    expect(res.ok).toBe(false);
+    expect(res.message).toContain("Failed to authenticate");
+  });
+
+  it("auth probe reports ok when Claude Code returns a normal result", () => {
+    const res = probeClaudeAuth({
+      execFileSyncFn: ((command: string, args: string[]) => {
+        if (command === "which") return "/usr/bin/claude\n";
+        expect(args).toEqual(["-p", "ping", "--output-format", "stream-json"]);
+        return `${JSON.stringify({
+          type: "result",
+          subtype: "success",
+          total_cost_usd: 0.001,
+          result: "pong",
+        })}\n`;
+      }) as never,
+    });
+    expect(res).toEqual({ checked: true, ok: true, message: "claude-code auth ok" });
+  });
+
   it("wipes newSessionId on non-success result so dispatcher can drop the stale entry", async () => {
     // Mirrors what Claude Code emits when `--resume <missing-uuid>` is used:
     // a fresh `session_id` for the just-spawned empty session, plus a non-success

package/src/gateway/__tests__/deepseek-tui-adapter.test.ts

@@ -150,6 +150,25 @@ describe("DeepseekTuiAdapter", () => {
     }
   });
 
+  it("treats DeepSeek embedded terminal events as turn completion", async () => {
+    const server = await startMockDeepseekServer({
+      events: [
+        { event: "status", data: { event: "turn.started", thread_id: "thr_test", turn_id: "turn_test" } },
+        { event: "message.delta", data: { thread_id: "thr_test", turn_id: "turn_test", content: "done" } },
+        { event: "status", data: { event: "turn.finished", thread_id: "thr_test", turn_id: "turn_test" } },
+      ],
+    });
+    try {
+      const { result, blocks, status } = runAdapter(server.baseUrl, server.token);
+      const res = await result;
+      expect(res).toEqual({ text: "done", newSessionId: server.threadId });
+      expect(blocks).toContain("assistant_text");
+      expect(status.at(-1)).toEqual({ phase: "stopped", label: undefined });
+    } finally {
+      await server.close();
+    }
+  });
+
   it("reuses an existing DeepSeek thread id and patches per-turn system context", async () => {
     const server = await startMockDeepseekServer({ threadId: "thr_existing" });
     try {