@companyhelm/cli 0.0.2 → 0.0.5

package/README.md

@@ -1,95 +1,57 @@
-# CompanyHelm Runner
+# CompanyHelm CLI
 
-Run coding agents in yolo mode inside secure Docker containers, locally.
-
-Features:
-
-- Secure agent containers: no risk of agents going rogue on your main file system
-- Yolo mode: no more permission prompts
-- DinD (Docker-in-Docker): allows agents to spin up your services (backend, frontend, etc.) and test end-to-end
-- Multi-agent support: each agent gets its own environment and can operate autonomously
-
----
-
-## Why CompanyHelm Runner?
-
-Modern coding agents are powerful, but they often run directly on your machine.
-
-CompanyHelm Runner adds:
-
-- Isolation
-- Docker-in-Docker (DIND)
-- Clean workspace lifecycle
-
-Think:
-
-Codex or Claude Code, but inside a sandbox you control.
-
----
+Run coding agents in isolated Docker sandboxes on your machine.
 
 ## Install
 
 ```bash
-npm install -g companyhelm
+npm install -g @companyhelm/cli
 ```
 
-Or run directly:
+Or run it without installing globally:
 
 ```bash
-npx companyhelm
+npx @companyhelm/cli --help
 ```
 
----
+Package: [@companyhelm/cli](https://www.npmjs.com/package/@companyhelm/cli)
 
-## Quick Start
+## Basic Usage
 
-Run companyhelm runner inside your workspace:
+Start the CLI in the foreground:
 
 ```bash
-companyhelm
+companyhelm-runner
 ```
 
-## Database Migrations (Drizzle Kit)
-
-Generate SQL migrations from the schema:
-
-```bash
-npm run db:generate
-```
-
-Apply migrations directly with Drizzle Kit (defaults to `~/.local/share/companyhelm/state.db`):
+Start it as a daemon:
 
 ```bash
-npm run db:migrate
+companyhelm-runner --daemon
 ```
 
-Override the migration target database path when needed:
+Check whether the daemon is running:
 
 ```bash
-DRIZZLE_DB_PATH=/absolute/path/to/state.db npm run db:migrate
+companyhelm-runner status
 ```
 
-## Thread-Level MCP E2E Check
+The `status` command prints:
 
-Use the runtime helper to validate thread-level MCP end-to-end behavior for:
+- whether the daemon is running
+- the recorded daemon PID
+- the daemon log directory and log file path
 
-- a local known-good stdio MCP server (`local_echo`)
-- Context7 stdio MCP (`resolve-library-id`, `query-docs`)
+## Why Use It
 
-Prerequisites:
-
-- CompanyHelm API is running and reachable at `http://127.0.0.1:4000/graphql` (or pass `--api-url`)
-- at least one connected runner for the target company with `codex` SDK and an available model
-
-Run:
-
-```bash
-scripts/runtime/e2e-thread-mcp --company-id <company-id>
-```
+- Runs agents in isolated containers instead of directly on your machine
+- Supports Docker-in-Docker for end-to-end workflows
+- Keeps runner state in a local SQLite database
+- Supports long-running daemon mode for background operation
 
-The script exits non-zero on failed assertions and prints a JSON summary on success, including created MCP/agent/thread IDs.
+## For Developers
 
----
+Development and maintenance notes live in [DEVELOPING.md](./DEVELOPING.md).
 
 ## License
 

package/RUNTIME_IMAGE_VERSION

@@ -1 +1 @@
-0.0.7
+0.0.8

package/dist/cli.js

@@ -21,4 +21,32 @@ program
     .description("Run coding agents in fully isolated Docker sandboxes, locally.")
     .version(getVersion());
 (0, register_commands_js_1.registerCommands)(program);
-program.parse(process.argv);
+function formatCliError(error) {
+    if (error instanceof commander_1.CommanderError) {
+        return {
+            message: error.message,
+            exitCode: error.exitCode,
+        };
+    }
+    if (error instanceof Error) {
+        return {
+            message: error.message,
+            exitCode: 1,
+        };
+    }
+    return {
+        message: String(error),
+        exitCode: 1,
+    };
+}
+async function main() {
+    try {
+        await program.parseAsync(process.argv);
+    }
+    catch (error) {
+        const { message, exitCode } = formatCliError(error);
+        process.stderr.write(`${message}\n`);
+        process.exitCode = exitCode;
+    }
+}
+void main();

package/dist/commands/register-commands.js

@@ -4,9 +4,11 @@ exports.registerCommands = registerCommands;
 const root_js_1 = require("./root.js");
 const shell_js_1 = require("./shell.js");
 const register_sdk_commands_js_1 = require("./sdk/register-sdk-commands.js");
+const status_js_1 = require("./status.js");
 const register_thread_commands_js_1 = require("./thread/register-thread-commands.js");
 function registerCommands(program) {
     (0, root_js_1.registerRootCommand)(program);
+    (0, status_js_1.registerStatusCommand)(program);
     (0, register_thread_commands_js_1.registerThreadCommands)(program);
     (0, shell_js_1.registerShellCommand)(program);
     (0, register_sdk_commands_js_1.registerSdkCommands)(program);

package/dist/commands/root.js

@@ -33,6 +33,7 @@ var __importStar = (this && this.__importStar) || (function () {
     };
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.isRetryableApiConnectionError = isRetryableApiConnectionError;
 exports.shouldUseTurnSteer = shouldUseTurnSteer;
 exports.isNoActiveTurnSteerError = isNoActiveTurnSteerError;
 exports.isNoRunningTurnInterruptError = isNoRunningTurnInterruptError;
@@ -40,11 +41,13 @@ exports.normalizeThreadAgentApiUrlForRuntime = normalizeThreadAgentApiUrlForRunt
 exports.extractThreadNameUpdateFromNotification = extractThreadNameUpdateFromNotification;
 exports.extractServerMessageRequestId = extractServerMessageRequestId;
 exports.runRootCommand = runRootCommand;
+exports.buildRootConfig = buildRootConfig;
 exports.registerRootCommand = registerRootCommand;
 const protobuf_1 = require("@bufbuild/protobuf");
 const protos_1 = require("@companyhelm/protos");
 const drizzle_orm_1 = require("drizzle-orm");
 const grpc = __importStar(require("@grpc/grpc-js"));
+const node_child_process_1 = require("node:child_process");
 const node_crypto_1 = require("node:crypto");
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
@@ -60,8 +63,10 @@ const thread_runtime_js_1 = require("../service/thread_runtime.js");
 const thread_turn_state_js_1 = require("../service/thread_turn_state.js");
 const thread_user_message_request_store_js_1 = require("../service/thread_user_message_request_store.js");
 const thread_lifecycle_js_1 = require("../service/thread_lifecycle.js");
+const daemon_state_js_1 = require("../state/daemon_state.js");
 const db_js_1 = require("../state/db.js");
 const schema_js_1 = require("../state/schema.js");
+const daemon_js_1 = require("../utils/daemon.js");
 const logger_js_1 = require("../utils/logger.js");
 const workspace_agents_js_1 = require("../service/workspace_agents.js");
 const COMMAND_CHANNEL_CONNECT_RETRY_DELAY_MS = 1000;
@@ -83,6 +88,7 @@ const YOLO_SANDBOX_MODE = "danger-full-access";
 const YOLO_SANDBOX_POLICY = { type: "dangerFullAccess" };
 const DOCKER_INTERNAL_HOSTNAME = "host.docker.internal";
 const LOCALHOST_HOSTNAMES = new Set(["localhost", "127.0.0.1", "0.0.0.0", "::1"]);
+const DAEMON_STARTUP_TIMEOUT_MS = 15000;
 const threadAppServerSessions = new Map();
 const threadRolloutPaths = new Map();
 function rememberThreadRolloutPath(threadId, rolloutPath) {
@@ -193,6 +199,26 @@ function normalizeReasoningLevels(value) {
 function toErrorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }
+function getGrpcStatusCode(error) {
+    if (!error || typeof error !== "object" || !("code" in error)) {
+        return undefined;
+    }
+    const { code } = error;
+    return typeof code === "number" ? code : undefined;
+}
+function isRetryableApiConnectionError(error) {
+    return getGrpcStatusCode(error) !== grpc.status.UNAUTHENTICATED;
+}
+function toApiConnectionFailureMessage(error, secret) {
+    const message = toErrorMessage(error);
+    if (getGrpcStatusCode(error) !== grpc.status.UNAUTHENTICATED) {
+        return message;
+    }
+    if (!secret || secret.trim().length === 0) {
+        return `${message} Provide --secret <secret> to authenticate.`;
+    }
+    return message;
+}
 function shouldUseTurnSteer(allowSteer, startedFromIdle) {
     return allowSteer && !startedFromIdle;
 }
@@ -202,6 +228,9 @@ function isNoActiveTurnSteerError(error) {
 function isNoRunningTurnInterruptError(error) {
     return /no running turn to interrupt/i.test(toErrorMessage(error));
 }
+function isTurnCompletionTimeoutError(error) {
+    return /timed out waiting for completion of turn/i.test(toErrorMessage(error));
+}
 function isRecord(value) {
     return typeof value === "object" && value !== null;
 }
@@ -1280,8 +1309,9 @@ async function sendRequestError(commandChannel, errorMessage, requestId) {
     });
     await commandChannel.send(message);
 }
-async function sendThreadUpdate(commandChannel, threadId, status) {
+async function sendThreadUpdate(commandChannel, threadId, status, requestId) {
     const message = (0, protobuf_1.create)(protos_1.ClientMessageSchema, {
+        requestId,
         payload: {
             case: "threadUpdate",
             value: {
@@ -1416,11 +1446,18 @@ async function resolveThreadAuthMode(cfg) {
 }
 async function handleCreateThreadRequest(cfg, commandChannel, request, requestId, apiClient, apiCallOptions, logger) {
     const threadId = (request.threadId ?? "").trim();
+    const modelName = (request.model ?? "").trim();
+    const requestedReasoningLevel = (request.reasoningLevel ?? "").trim();
     if (!threadId) {
         logger.warn("Rejecting createThreadRequest: threadId is required.");
         await sendRequestError(commandChannel, "Thread id is required.", requestId);
         return;
     }
+    if (!modelName) {
+        logger.warn("Rejecting createThreadRequest: model is required.");
+        await sendRequestError(commandChannel, "Model is required.", requestId);
+        return;
+    }
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
     const threadDirectory = (0, thread_lifecycle_js_1.resolveThreadDirectory)(cfg.config_directory, cfg.workspaces_directory, threadId);
     const containerNames = (0, thread_lifecycle_js_1.buildThreadContainerNames)(threadId);
@@ -1429,16 +1466,40 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
     const threadGitSkillPackages = normalizeThreadGitSkillPackagesForThreadConfig(request.gitSkillPackages, logger);
     const threadMcpServers = normalizeThreadMcpServersForThreadConfig(request.mcpServers, logger);
     const cliSecret = String(request.cliSecret ?? "").trim();
-    logger.debug(`Received createThreadRequest for thread '${threadId}' (model '${request.model}', reasoning '${request.reasoningLevel ?? ""}', additional instructions length '${normalizedAdditionalModelInstructions?.length ?? 0}', git skill packages '${threadGitSkillPackages.length}', MCP servers '${threadMcpServers.length}').`);
+    logger.debug(`Received createThreadRequest for thread '${threadId}' (model '${modelName}', reasoning '${requestedReasoningLevel}', additional instructions length '${normalizedAdditionalModelInstructions?.length ?? 0}', git skill packages '${threadGitSkillPackages.length}', MCP servers '${threadMcpServers.length}').`);
     let authMode;
     try {
         authMode = await resolveThreadAuthMode(cfg);
+        const modelConfig = await db
+            .select({
+            name: schema_js_1.llmModels.name,
+            reasoningLevels: schema_js_1.llmModels.reasoningLevels,
+        })
+            .from(schema_js_1.llmModels)
+            .where((0, drizzle_orm_1.eq)(schema_js_1.llmModels.name, modelName))
+            .get();
+        const configuredModelSample = await db
+            .select({ name: schema_js_1.llmModels.name })
+            .from(schema_js_1.llmModels)
+            .limit(1)
+            .all();
+        if (configuredModelSample.length > 0) {
+            if (!modelConfig) {
+                throw new Error(`Model '${modelName}' is not configured.`);
+            }
+            if (requestedReasoningLevel.length > 0) {
+                const supportedReasoningLevels = normalizeReasoningLevels(modelConfig.reasoningLevels);
+                if (supportedReasoningLevels.length > 0 && !supportedReasoningLevels.includes(requestedReasoningLevel)) {
+                    throw new Error(`Reasoning level '${requestedReasoningLevel}' is not configured for model '${modelName}'.`);
+                }
+            }
+        }
         await db.insert(schema_js_1.threads).values({
             id: threadId,
             sdkThreadId: null,
             cliSecret: cliSecret.length > 0 ? cliSecret : null,
-            model: request.model,
-            reasoningLevel: request.reasoningLevel ?? "",
+            model: modelName,
+            reasoningLevel: requestedReasoningLevel,
             additionalModelInstructions: normalizedAdditionalModelInstructions,
             status: "pending",
             currentSdkTurnId: null,
@@ -1508,9 +1569,73 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
         await sendRequestError(commandChannel, `Failed to create containers for thread '${threadId}': ${toErrorMessage(error)}`, requestId);
         return;
     }
+    let readyRequestId;
     const { db: updateDb, client: updateClient } = await (0, db_js_1.initDb)(cfg.state_db_path);
     try {
-        await updateDb.update(schema_js_1.threads).set({ status: "ready" }).where((0, drizzle_orm_1.eq)(schema_js_1.threads.id, threadId));
+        const threadState = await (0, thread_turn_state_js_1.loadThreadMessageExecutionState)(cfg.state_db_path, threadId);
+        if (!threadState) {
+            throw new Error(`Thread '${threadId}' disappeared before SDK bootstrap.`);
+        }
+        const threadMcpSetup = buildThreadCodexMcpSetup(readWorkspaceThreadMcpConfig(threadState.workspace, logger));
+        const threadAgentCliConfig = readWorkspaceThreadAgentCliConfig(threadState.workspace, logger);
+        const appServerSession = await getOrCreateThreadAppServerSession(threadId, threadState.runtimeContainer, threadMcpSetup.appServerEnv, cfg.codex.app_server_client_name, logger);
+        const runtimeUser = {
+            uid: threadState.uid,
+            gid: threadState.gid,
+            agentUser: cfg.agent_user,
+            agentHomeDirectory: threadState.homeDirectory,
+        };
+        await (0, thread_runtime_js_1.ensureThreadRuntimeReady)({
+            dindContainer: threadState.dindContainer,
+            runtimeContainer: threadState.runtimeContainer,
+            containerService,
+            gitUserName: cfg.git_user_name,
+            gitUserEmail: cfg.git_user_email,
+            user: runtimeUser,
+        });
+        await ensureThreadGitSkillsInRuntime(cfg, threadState, containerService, logger);
+        if (threadAgentCliConfig) {
+            await containerService.ensureRuntimeContainerAgentCliConfig(threadState.runtimeContainer, runtimeUser, threadAgentCliConfig);
+        }
+        if (!appServerSession.started) {
+            await containerService.ensureRuntimeContainerCodexConfig(threadState.runtimeContainer, runtimeUser, threadMcpSetup.configToml);
+        }
+        await ensureThreadAppServerSessionStarted(appServerSession);
+        const developerInstructions = buildThreadDeveloperInstructions(threadState.additionalModelInstructions);
+        logger.debug(`Starting app-server thread '${threadId}' with developer instructions: ${JSON.stringify(developerInstructions)}.`);
+        const threadStartResponse = await appServerSession.appServer.startThreadWithResponse({
+            model: threadState.model,
+            modelProvider: null,
+            cwd: "/workspace",
+            approvalPolicy: YOLO_APPROVAL_POLICY,
+            sandbox: YOLO_SANDBOX_MODE,
+            config: null,
+            baseInstructions: null,
+            developerInstructions,
+            personality: null,
+            ephemeral: null,
+            experimentalRawEvents: false,
+            persistExtendedHistory: true,
+        }, requestId);
+        if (requestId && threadStartResponse.id !== requestId) {
+            throw new Error(`App-server thread/start response id '${String(threadStartResponse.id)}' did not match runner request id '${requestId}'.`);
+        }
+        if (!threadStartResponse.result.thread?.id) {
+            throw new Error(`App-server thread/start did not return an SDK thread id for thread '${threadId}'.`);
+        }
+        readyRequestId = typeof threadStartResponse.id === "string" && threadStartResponse.id.length > 0
+            ? threadStartResponse.id
+            : undefined;
+        appServerSession.sdkThreadId = threadStartResponse.result.thread.id;
+        appServerSession.rolloutPath = threadStartResponse.result.thread.path;
+        rememberThreadRolloutPath(threadId, threadStartResponse.result.thread.path);
+        await updateDb
+            .update(schema_js_1.threads)
+            .set({
+            status: "ready",
+            sdkThreadId: threadStartResponse.result.thread.id,
+        })
+            .where((0, drizzle_orm_1.eq)(schema_js_1.threads.id, threadId));
     }
     catch (error) {
         logger.warn(`Failed to mark thread '${threadId}' as ready: ${toErrorMessage(error)}`);
@@ -1527,7 +1652,7 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
         updateClient.close();
     }
     logger.info(`Thread '${threadId}' created and ready.`);
-    await sendThreadUpdate(commandChannel, threadId, protos_1.ThreadStatus.READY);
+    await sendThreadUpdate(commandChannel, threadId, protos_1.ThreadStatus.READY, readyRequestId);
 }
 async function deleteThreadWithCleanup(cfg, request) {
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
@@ -1742,6 +1867,7 @@ async function executeCreateUserMessageRequest(cfg, commandChannel, request, req
     let keepRuntimeWarm = false;
     let shouldTrackTurnCompletion = trackTurnCompletion;
     let enqueuedRequestTurnId = null;
+    let turnCompletionWaitStarted = false;
     try {
         await (0, thread_runtime_js_1.ensureThreadRuntimeReady)({
             dindContainer: threadState.dindContainer,
@@ -1827,14 +1953,18 @@ async function executeCreateUserMessageRequest(cfg, commandChannel, request, req
             if (!threadState.currentSdkTurnId) {
                 throw new Error(`Thread '${request.threadId}' is marked running but has no current SDK turn id.`);
             }
+            const activeSdkTurnId = threadState.currentSdkTurnId;
             const steerParams = {
                 threadId: resolvedSdkThreadId,
                 input,
-                expectedTurnId: threadState.currentSdkTurnId,
+                expectedTurnId: activeSdkTurnId,
             };
             try {
                 const turnSteerResult = await appServer.steerTurn(steerParams);
-                sdkTurnId = turnSteerResult.turnId;
+                if (turnSteerResult.turnId && turnSteerResult.turnId !== activeSdkTurnId) {
+                    logger.debug(`turn/steer returned turn '${turnSteerResult.turnId}' for thread '${request.threadId}', preserving active turn '${activeSdkTurnId}' as the canonical turn id.`);
+                }
+                sdkTurnId = activeSdkTurnId;
             }
             catch (error) {
                 if (!isNoActiveTurnSteerError(error)) {
@@ -1864,6 +1994,7 @@ async function executeCreateUserMessageRequest(cfg, commandChannel, request, req
             keepRuntimeWarm = true;
             return;
         }
+        turnCompletionWaitStarted = true;
         const terminalStatus = await waitForThreadTurnCompletion(cfg.state_db_path, appServer, commandChannel, request.threadId, sdkThreadId, sdkTurnId, logger, requestId);
         await updateThreadTurnState(cfg, request.threadId, {
             currentSdkTurnId: sdkTurnId,
@@ -1886,7 +2017,12 @@ async function executeCreateUserMessageRequest(cfg, commandChannel, request, req
         if (enqueuedRequestTurnId && requestId) {
             await (0, thread_user_message_request_store_js_1.removePendingUserMessageRequestIdForTurn)(cfg.state_db_path, request.threadId, enqueuedRequestTurnId, requestId);
         }
-        if (startedFromIdle && !turnAccepted) {
+        if (turnCompletionWaitStarted && !isTurnCompletionTimeoutError(error)) {
+            await updateThreadTurnState(cfg, request.threadId, {
+                isCurrentTurnRunning: false,
+            }).catch(() => undefined);
+        }
+        else if (startedFromIdle && !turnAccepted) {
             await updateThreadTurnState(cfg, request.threadId, {
                 isCurrentTurnRunning: false,
             }).catch(() => undefined);
@@ -1979,25 +2115,109 @@ function buildGrpcAuthCallOptions(secret) {
     metadata.set("authorization", `Bearer ${secret}`);
     return { metadata };
 }
-async function runRootCommand(options) {
+function isInternalDaemonChildProcess() {
+    return process.env[daemon_js_1.DAEMON_CHILD_ENV] === "1";
+}
+function resolveEffectiveDaemonLogPath(cfg) {
+    const envPath = process.env[daemon_js_1.DAEMON_LOG_PATH_ENV];
+    if (envPath && envPath.trim().length > 0) {
+        return envPath;
+    }
+    return (0, daemon_js_1.resolveDaemonLogPath)(cfg.state_db_path);
+}
+async function runDetachedDaemonProcess(options) {
+    const cfg = buildRootConfig(options);
+    const logPath = (0, daemon_js_1.resolveDaemonLogPath)(cfg.state_db_path);
+    (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(logPath), { recursive: true });
+    const logFd = (0, node_fs_1.openSync)(logPath, "a");
+    try {
+        await new Promise((resolve, reject) => {
+            const child = (0, node_child_process_1.spawn)(process.execPath, process.argv.slice(1), {
+                cwd: process.cwd(),
+                detached: true,
+                env: {
+                    ...process.env,
+                    [daemon_js_1.DAEMON_CHILD_ENV]: "1",
+                    [daemon_js_1.DAEMON_LOG_PATH_ENV]: logPath,
+                },
+                stdio: ["ignore", logFd, logFd, "ipc"],
+                windowsHide: true,
+            });
+            let settled = false;
+            const timeout = setTimeout(() => {
+                if (settled) {
+                    return;
+                }
+                settled = true;
+                child.kill();
+                reject(new Error(`Timed out waiting for daemon startup confirmation. See ${logPath}.`));
+            }, DAEMON_STARTUP_TIMEOUT_MS);
+            const finish = (callback) => {
+                if (settled) {
+                    return;
+                }
+                settled = true;
+                clearTimeout(timeout);
+                callback();
+            };
+            child.once("error", (error) => {
+                finish(() => reject(error));
+            });
+            child.once("exit", (code, signal) => {
+                finish(() => {
+                    reject(new Error(`Daemon exited before startup completed (code=${code ?? "null"}, signal=${signal ?? "null"}). See ${logPath}.`));
+                });
+            });
+            child.on("message", (message) => {
+                if (!message || typeof message !== "object" || !("type" in message)) {
+                    return;
+                }
+                const type = message.type;
+                if (type === "daemon-ready") {
+                    finish(() => {
+                        if (child.connected) {
+                            child.disconnect();
+                        }
+                        child.unref();
+                        console.log(`CompanyHelm daemon started (pid ${child.pid}). Logs: ${logPath}`);
+                        resolve();
+                    });
+                    return;
+                }
+                if (type === "daemon-error") {
+                    const messageValue = message.message;
+                    const daemonErrorMessage = typeof messageValue === "string" ? messageValue : `Daemon startup failed. See ${logPath}.`;
+                    finish(() => reject(new Error(daemonErrorMessage)));
+                }
+            });
+        });
+    }
+    finally {
+        (0, node_fs_1.closeSync)(logFd);
+    }
+}
+function sendDaemonParentMessage(message) {
+    if (typeof process.send === "function") {
+        process.send(message);
+    }
+}
+async function runRootCommand(options, runtimeOptions) {
     const logger = (0, logger_js_1.createLogger)(options.logLevel ?? "INFO", { daemonMode: options.daemon ?? false });
-    const cfg = config_js_1.config.parse({
-        companyhelm_api_url: options.serverUrl,
-        agent_api_url: options.agentApiUrl,
-        use_host_docker_runtime: options.useHostDockerRuntime,
-        host_docker_path: options.hostDockerPath,
-        thread_git_skills_directory: options.threadGitSkillsDirectory,
-    });
+    const cfg = buildRootConfig(options);
     const configuredSdks = await hasConfiguredSdks(cfg);
     if (!configuredSdks && options.daemon) {
         throw new Error("No SDKs configured. Daemon mode requires at least one configured SDK.");
     }
     if (!configuredSdks) {
-        await (0, startup_js_1.startup)();
+        await (0, startup_js_1.startup)(cfg);
     }
     await refreshCodexModelsForRegistration(cfg, logger);
     const registerRequest = await buildRegisterRunnerRequest(cfg);
     const apiCallOptions = buildGrpcAuthCallOptions(options.secret);
+    if (options.daemon) {
+        await (0, daemon_state_js_1.claimCurrentDaemonState)(cfg.state_db_path, process.pid, resolveEffectiveDaemonLogPath(cfg));
+        runtimeOptions?.onDaemonReady?.();
+    }
     const commandMessageSink = new buffered_client_message_sender_js_1.BufferedClientMessageSender({
         maxBufferedEvents: cfg.client_message_buffer_limit,
         logger,
@@ -2032,7 +2252,10 @@ async function runRootCommand(options) {
                 logger.warn("CompanyHelm API command channel closed. Reconnecting...");
             }
             catch (error) {
-                const failureMessage = toErrorMessage(error);
+                const failureMessage = toApiConnectionFailureMessage(error, options.secret);
+                if (!isRetryableApiConnectionError(error)) {
+                    throw new Error(failureMessage);
+                }
                 logger.warn(`CompanyHelm API connection attempt ${reconnectAttempt} failed: ${failureMessage}. ` +
                     "Retrying...");
             }
@@ -2057,21 +2280,58 @@ async function runRootCommand(options) {
         if (droppedMessages > 0) {
             logger.warn(`Dropped ${droppedMessages} outbound client message(s) while command channel was disconnected.`);
         }
+        if (options.daemon) {
+            await (0, daemon_state_js_1.clearCurrentDaemonState)(cfg.state_db_path, process.pid).catch((error) => {
+                logger.warn(`Failed to clear daemon state: ${toErrorMessage(error)}`);
+            });
+        }
         await stopAllThreadAppServerSessions();
         await stopAllThreadContainers(cfg, logger);
     }
 }
+function buildRootConfig(options) {
+    return config_js_1.config.parse({
+        config_directory: options.configPath,
+        state_db_path: options.stateDbPath,
+        companyhelm_api_url: options.serverUrl,
+        agent_api_url: options.agentApiUrl,
+        use_host_docker_runtime: options.useHostDockerRuntime,
+        host_docker_path: options.hostDockerPath,
+        thread_git_skills_directory: options.threadGitSkillsDirectory,
+    });
+}
 function registerRootCommand(program) {
     program
+        .option("--config-path <path>", "Config directory override (defaults to ~/.config/companyhelm).")
         .option("--server-url <url>", "CompanyHelm gRPC API URL override.")
         .option("--agent-api-url <url>", "Agent gRPC API URL for companyhelm-agent in runtime containers (localhost is rewritten to http://host.docker.internal).")
         .option("--secret <secret>", "Bearer secret used as gRPC Authorization header.")
+        .option("--state-db-path <path>", "State database path override (defaults to ~/.local/share/companyhelm/state.db).")
         .option("--use-host-docker-runtime", "Mount host Docker socket into runtime containers instead of creating DinD sidecars.")
         .option("--host-docker-path <path>", "Host Docker endpoint when --use-host-docker-runtime is enabled (unix:///<socket-path> or tcp://localhost:<port>).")
         .option("--thread-git-skills-directory <path>", "Container path where thread git skill repositories are cloned before linking into ~/.codex/skills.")
         .option("-d, --daemon", "Run in daemon mode and fail fast when no SDK is configured.")
         .option("--log-level <level>", "Log level (DEBUG, INFO, WARN, ERROR).", "INFO")
         .action(async () => {
-        await runRootCommand(program.opts());
+        const options = program.opts();
+        if (options.daemon && !isInternalDaemonChildProcess()) {
+            await runDetachedDaemonProcess(options);
+            return;
+        }
+        try {
+            await runRootCommand(options, isInternalDaemonChildProcess()
+                ? {
+                    onDaemonReady: () => {
+                        sendDaemonParentMessage({ type: "daemon-ready" });
+                    },
+                }
+                : undefined);
+        }
+        catch (error) {
+            if (isInternalDaemonChildProcess()) {
+                sendDaemonParentMessage({ type: "daemon-error", message: toErrorMessage(error) });
+            }
+            throw error;
+        }
     });
 }