@companyhelm/cli 0.0.8 → 0.0.11

package/LICENSE

@@ -1,201 +1,21 @@
-                                 Apache License
-                           Version 2.0, January 2004
-                        http://www.apache.org/licenses/
-
-   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
-
-   1. Definitions.
-
-      "License" shall mean the terms and conditions for use, reproduction,
-      and distribution as defined by Sections 1 through 9 of this document.
-
-      "Licensor" shall mean the copyright owner or entity authorized by
-      the copyright owner that is granting the License.
-
-      "Legal Entity" shall mean the union of the acting entity and all
-      other entities that control, are controlled by, or are under common
-      control with that entity. For the purposes of this definition,
-      "control" means (i) the power, direct or indirect, to cause the
-      direction or management of such entity, whether by contract or
-      otherwise, or (ii) ownership of fifty percent (50%) or more of the
-      outstanding shares, or (iii) beneficial ownership of such entity.
-
-      "You" (or "Your") shall mean an individual or Legal Entity
-      exercising permissions granted by this License.
-
-      "Source" form shall mean the preferred form for making modifications,
-      including but not limited to software source code, documentation
-      source, and configuration files.
-
-      "Object" form shall mean any form resulting from mechanical
-      transformation or translation of a Source form, including but
-      not limited to compiled object code, generated documentation,
-      and conversions to other media types.
-
-      "Work" shall mean the work of authorship, whether in Source or
-      Object form, made available under the License, as indicated by a
-      copyright notice that is included in or attached to the work
-      (an example is provided in the Appendix below).
-
-      "Derivative Works" shall mean any work, whether in Source or Object
-      form, that is based on (or derived from) the Work and for which the
-      editorial revisions, annotations, elaborations, or other modifications
-      represent, as a whole, an original work of authorship. For the purposes
-      of this License, Derivative Works shall not include works that remain
-      separable from, or merely link (or bind by name) to the interfaces of,
-      the Work and Derivative Works thereof.
-
-      "Contribution" shall mean any work of authorship, including
-      the original version of the Work and any modifications or additions
-      to that Work or Derivative Works thereof, that is intentionally
-      submitted to Licensor for inclusion in the Work by the copyright owner
-      or by an individual or Legal Entity authorized to submit on behalf of
-      the copyright owner. For the purposes of this definition, "submitted"
-      means any form of electronic, verbal, or written communication sent
-      to the Licensor or its representatives, including but not limited to
-      communication on electronic mailing lists, source code control systems,
-      and issue tracking systems that are managed by, or on behalf of, the
-      Licensor for the purpose of discussing and improving the Work, but
-      excluding communication that is conspicuously marked or otherwise
-      designated in writing by the copyright owner as "Not a Contribution."
-
-      "Contributor" shall mean Licensor and any individual or Legal Entity
-      on behalf of whom a Contribution has been received by Licensor and
-      subsequently incorporated within the Work.
-
-   2. Grant of Copyright License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      copyright license to reproduce, prepare Derivative Works of,
-      publicly display, publicly perform, sublicense, and distribute the
-      Work and such Derivative Works in Source or Object form.
-
-   3. Grant of Patent License. Subject to the terms and conditions of
-      this License, each Contributor hereby grants to You a perpetual,
-      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
-      (except as stated in this section) patent license to make, have made,
-      use, offer to sell, sell, import, and otherwise transfer the Work,
-      where such license applies only to those patent claims licensable
-      by such Contributor that are necessarily infringed by their
-      Contribution(s) alone or by combination of their Contribution(s)
-      with the Work to which such Contribution(s) was submitted. If You
-      institute patent litigation against any entity (including a
-      cross-claim or counterclaim in a lawsuit) alleging that the Work
-      or a Contribution incorporated within the Work constitutes direct
-      or contributory patent infringement, then any patent licenses
-      granted to You under this License for that Work shall terminate
-      as of the date such litigation is filed.
-
-   4. Redistribution. You may reproduce and distribute copies of the
-      Work or Derivative Works thereof in any medium, with or without
-      modifications, and in Source or Object form, provided that You
-      meet the following conditions:
-
-      (a) You must give any other recipients of the Work or
-          Derivative Works a copy of this License; and
-
-      (b) You must cause any modified files to carry prominent notices
-          stating that You changed the files; and
-
-      (c) You must retain, in the Source form of any Derivative Works
-          that You distribute, all copyright, patent, trademark, and
-          attribution notices from the Source form of the Work,
-          excluding those notices that do not pertain to any part of
-          the Derivative Works; and
-
-      (d) If the Work includes a "NOTICE" text file as part of its
-          distribution, then any Derivative Works that You distribute must
-          include a readable copy of the attribution notices contained
-          within such NOTICE file, excluding those notices that do not
-          pertain to any part of the Derivative Works, in at least one
-          of the following places: within a NOTICE text file distributed
-          as part of the Derivative Works; within the Source form or
-          documentation, if provided along with the Derivative Works; or,
-          within a display generated by the Derivative Works, if and
-          wherever such third-party notices normally appear. The contents
-          of the NOTICE file are for informational purposes only and
-          do not modify the License. You may add Your own attribution
-          notices within Derivative Works that You distribute, alongside
-          or as an addendum to the NOTICE text from the Work, provided
-          that such additional attribution notices cannot be construed
-          as modifying the License.
-
-      You may add Your own copyright statement to Your modifications and
-      may provide additional or different license terms and conditions
-      for use, reproduction, or distribution of Your modifications, or
-      for any such Derivative Works as a whole, provided Your use,
-      reproduction, and distribution of the Work otherwise complies with
-      the conditions stated in this License.
-
-   5. Submission of Contributions. Unless You explicitly state otherwise,
-      any Contribution intentionally submitted for inclusion in the Work
-      by You to the Licensor shall be under the terms and conditions of
-      this License, without any additional terms or conditions.
-      Notwithstanding the above, nothing herein shall supersede or modify
-      the terms of any separate license agreement you may have executed
-      with Licensor regarding such Contributions.
-
-   6. Trademarks. This License does not grant permission to use the trade
-      names, trademarks, service marks, or product names of the Licensor,
-      except as required for reasonable and customary use in describing the
-      origin of the Work and reproducing the content of the NOTICE file.
-
-   7. Disclaimer of Warranty. Unless required by applicable law or
-      agreed to in writing, Licensor provides the Work (and each
-      Contributor provides its Contributions) on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
-      implied, including, without limitation, any warranties or conditions
-      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
-      PARTICULAR PURPOSE. You are solely responsible for determining the
-      appropriateness of using or redistributing the Work and assume any
-      risks associated with Your exercise of permissions under this License.
-
-   8. Limitation of Liability. In no event and under no legal theory,
-      whether in tort (including negligence), contract, or otherwise,
-      unless required by applicable law (such as deliberate and grossly
-      negligent acts) or agreed to in writing, shall any Contributor be
-      liable to You for damages, including any direct, indirect, special,
-      incidental, or consequential damages of any character arising as a
-      result of this License or out of the use or inability to use the
-      Work (including but not limited to damages for loss of goodwill,
-      work stoppage, computer failure or malfunction, or any and all
-      other commercial damages or losses), even if such Contributor
-      has been advised of the possibility of such damages.
-
-   9. Accepting Warranty or Additional Liability. While redistributing
-      the Work or Derivative Works thereof, You may choose to offer,
-      and charge a fee for, acceptance of support, warranty, indemnity,
-      or other liability obligations and/or rights consistent with this
-      License. However, in accepting such obligations, You may act only
-      on Your own behalf and on Your sole responsibility, not on behalf
-      of any other Contributor, and only if You agree to indemnify,
-      defend, and hold each Contributor harmless for any liability
-      incurred by, or claims asserted against, such Contributor by reason
-      of your accepting any such warranty or additional liability.
-
-   END OF TERMS AND CONDITIONS
-
-   APPENDIX: How to apply the Apache License to your work.
-
-      To apply the Apache License to your work, attach the following
-      boilerplate notice, with the fields enclosed by brackets "[]"
-      replaced with your own identifying information. (Don't include
-      the brackets!)  The text should be enclosed in the appropriate
-      comment syntax for the file format. We also recommend that a
-      file or class name and description of purpose be included on the
-      same "printed page" as the copyright notice for easier
-      identification within third-party archives.
-
-   Copyright [yyyy] [name of copyright owner]
-
-   Licensed under the Apache License, Version 2.0 (the "License");
-   you may not use this file except in compliance with the License.
-   You may obtain a copy of the License at
-
-       http://www.apache.org/licenses/LICENSE-2.0
-
-   Unless required by applicable law or agreed to in writing, software
-   distributed under the License is distributed on an "AS IS" BASIS,
-   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-   See the License for the specific language governing permissions and
-   limitations under the License.
+MIT License
+
+Copyright (c) 2026 CompanyHelm
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -55,4 +55,4 @@ Development and maintenance notes live in [DEVELOPING.md](./DEVELOPING.md).
 
 ## License
 
-Apache-2.0
+MIT

package/RUNTIME_IMAGE_VERSION

@@ -1 +1 @@
-0.0.8
+0.0.9

package/dist/cli.js

@@ -4,6 +4,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
 const commander_1 = require("commander");
+const global_options_js_1 = require("./commands/global-options.js");
 const register_commands_js_1 = require("./commands/register-commands.js");
 function getVersion() {
     try {
@@ -20,7 +21,11 @@ program
     .name("companyhelm")
     .description("Run coding agents in fully isolated Docker sandboxes, locally.")
     .version(getVersion());
+(0, global_options_js_1.addGlobalOptions)(program);
 (0, register_commands_js_1.registerCommands)(program);
+program.hook("preAction", (_thisCommand, actionCommand) => {
+    (0, global_options_js_1.applyGlobalOptionEnvironment)(actionCommand);
+});
 function formatCliError(error) {
     if (error instanceof commander_1.CommanderError) {
         return {

package/dist/commands/global-options.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONFIG_PATH_OPTION_DESCRIPTION = void 0;
+exports.addGlobalOptions = addGlobalOptions;
+exports.applyGlobalOptionEnvironment = applyGlobalOptionEnvironment;
+const config_js_1 = require("../config.js");
+exports.CONFIG_PATH_OPTION_DESCRIPTION = `Config directory override (defaults to $${config_js_1.CONFIG_PATH_ENV} or ${config_js_1.DEFAULT_CONFIG_DIRECTORY}).`;
+function addGlobalOptions(program) {
+    return program.option("--config-path <path>", exports.CONFIG_PATH_OPTION_DESCRIPTION);
+}
+function applyGlobalOptionEnvironment(command) {
+    const options = command.optsWithGlobals();
+    if (typeof options.configPath !== "string") {
+        return;
+    }
+    const configPath = options.configPath.trim();
+    if (configPath.length > 0) {
+        process.env[config_js_1.CONFIG_PATH_ENV] = configPath;
+    }
+}

package/dist/commands/root.js

@@ -43,6 +43,7 @@ exports.isNoRunningTurnInterruptError = isNoRunningTurnInterruptError;
 exports.normalizeThreadAgentApiUrlForRuntime = normalizeThreadAgentApiUrlForRuntime;
 exports.extractThreadNameUpdateFromNotification = extractThreadNameUpdateFromNotification;
 exports.extractServerMessageRequestId = extractServerMessageRequestId;
+exports.runCommandLoop = runCommandLoop;
 exports.isInternalDaemonChildProcess = isInternalDaemonChildProcess;
 exports.runDetachedDaemonProcess = runDetachedDaemonProcess;
 exports.sendDaemonParentMessage = sendDaemonParentMessage;
@@ -73,6 +74,8 @@ const db_js_1 = require("../state/db.js");
 const schema_js_1 = require("../state/schema.js");
 const daemon_js_1 = require("../utils/daemon.js");
 const logger_js_1 = require("../utils/logger.js");
+const path_js_1 = require("../utils/path.js");
+const terminal_js_1 = require("../utils/terminal.js");
 const workspace_agents_js_1 = require("../service/workspace_agents.js");
 const COMMAND_CHANNEL_CONNECT_RETRY_DELAY_MS = 1000;
 const COMMAND_CHANNEL_OPEN_TIMEOUT_MS = 5000;
@@ -94,6 +97,12 @@ const YOLO_SANDBOX_POLICY = { type: "dangerFullAccess" };
 const DOCKER_INTERNAL_HOSTNAME = "host.docker.internal";
 const LOCALHOST_HOSTNAMES = new Set(["localhost", "127.0.0.1", "0.0.0.0", "::1"]);
 const DAEMON_STARTUP_TIMEOUT_MS = 15000;
+class RootCommandInterruptedError extends Error {
+    constructor(message = "Root command interrupted.") {
+        super(message);
+        this.name = "RootCommandInterruptedError";
+    }
+}
 const threadAppServerSessions = new Map();
 const threadRolloutPaths = new Map();
 function rememberThreadRolloutPath(threadId, rolloutPath) {
@@ -1369,6 +1378,16 @@ async function sendRequestError(commandChannel, errorMessage, requestId) {
     });
     await commandChannel.send(message);
 }
+async function sendHeartbeatResponse(commandChannel, requestId) {
+    const message = (0, protobuf_1.create)(protos_1.ClientMessageSchema, {
+        requestId,
+        payload: {
+            case: "heartbeatResponse",
+            value: {},
+        },
+    });
+    await commandChannel.send(message);
+}
 async function sendThreadUpdate(commandChannel, threadId, status, requestId) {
     const message = (0, protobuf_1.create)(protos_1.ClientMessageSchema, {
         requestId,
@@ -2166,6 +2185,9 @@ async function runCommandLoop(cfg, commandChannel, commandMessageSink, apiClient
             case "interruptTurnRequest":
                 await handleInterruptTurnRequest(cfg, commandMessageSink, serverMessage.request.value, logger);
                 break;
+            case "heartbeatRequest":
+                await sendHeartbeatResponse(commandMessageSink, requestId);
+                break;
             default:
                 break;
         }
@@ -2182,16 +2204,104 @@ function buildGrpcAuthCallOptions(secret) {
 function isInternalDaemonChildProcess() {
     return process.env[daemon_js_1.DAEMON_CHILD_ENV] === "1";
 }
+function abortErrorFromSignal(signal) {
+    return signal.reason instanceof Error ? signal.reason : new RootCommandInterruptedError();
+}
+function throwIfAborted(signal) {
+    if (signal.aborted) {
+        throw abortErrorFromSignal(signal);
+    }
+}
+function raceWithAbort(promise, signal) {
+    if (signal.aborted) {
+        return Promise.reject(abortErrorFromSignal(signal));
+    }
+    return Promise.race([
+        promise,
+        new Promise((_, reject) => {
+            const onAbort = () => {
+                signal.removeEventListener("abort", onAbort);
+                reject(abortErrorFromSignal(signal));
+            };
+            signal.addEventListener("abort", onAbort, { once: true });
+        }),
+    ]);
+}
+function delayWithAbort(delayMs, signal) {
+    if (signal.aborted) {
+        return Promise.reject(abortErrorFromSignal(signal));
+    }
+    return new Promise((resolve, reject) => {
+        const timeout = setTimeout(() => {
+            signal.removeEventListener("abort", onAbort);
+            resolve();
+        }, delayMs);
+        const onAbort = () => {
+            clearTimeout(timeout);
+            signal.removeEventListener("abort", onAbort);
+            reject(abortErrorFromSignal(signal));
+        };
+        signal.addEventListener("abort", onAbort, { once: true });
+    });
+}
+function installRootInterruptHandlers(logger, onInterrupt) {
+    const controller = new AbortController();
+    const requestInterrupt = (reason) => {
+        if (controller.signal.aborted) {
+            return;
+        }
+        (0, terminal_js_1.restoreInteractiveTerminalState)();
+        process.exitCode = 130;
+        logger.info(`${reason} received. Shutting down root command.`);
+        try {
+            onInterrupt();
+        }
+        catch {
+            // Best-effort shutdown hook.
+        }
+        controller.abort(new RootCommandInterruptedError(reason));
+    };
+    const handleSigint = () => {
+        requestInterrupt("SIGINT");
+    };
+    const handleSigterm = () => {
+        requestInterrupt("SIGTERM");
+    };
+    const handleStdinData = (chunk) => {
+        const input = typeof chunk === "string" ? chunk : chunk.toString("utf8");
+        if ((0, terminal_js_1.containsCtrlCInterruptInput)(input)) {
+            requestInterrupt("Ctrl-C");
+        }
+    };
+    process.on("SIGINT", handleSigint);
+    process.on("SIGTERM", handleSigterm);
+    if (process.stdin.isTTY) {
+        process.stdin.on("data", handleStdinData);
+        process.stdin.resume();
+    }
+    return {
+        signal: controller.signal,
+        dispose: () => {
+            process.off("SIGINT", handleSigint);
+            process.off("SIGTERM", handleSigterm);
+            if (process.stdin.isTTY) {
+                process.stdin.off("data", handleStdinData);
+            }
+        },
+    };
+}
 function resolveEffectiveDaemonLogPath(cfg) {
     const envPath = process.env[daemon_js_1.DAEMON_LOG_PATH_ENV];
     if (envPath && envPath.trim().length > 0) {
-        return envPath;
+        return (0, path_js_1.expandHome)(envPath);
     }
     return (0, daemon_js_1.resolveDaemonLogPath)(cfg.state_db_path);
 }
 async function runDetachedDaemonProcess(options) {
     const cfg = buildRootConfig(options);
-    const logPath = (0, daemon_js_1.resolveDaemonLogPath)(cfg.state_db_path);
+    const logPath = options.logPath && options.logPath.trim().length > 0
+        ? (0, path_js_1.expandHome)(options.logPath)
+        : (0, daemon_js_1.resolveDaemonLogPath)(cfg.state_db_path);
     (0, node_fs_1.mkdirSync)((0, node_path_1.dirname)(logPath), { recursive: true });
     const logFd = (0, node_fs_1.openSync)(logPath, "a");
     try {
@@ -2274,6 +2384,7 @@ async function runRootCommand(options, runtimeOptions) {
     }
     if (!configuredSdks) {
         await (0, startup_js_1.startup)(cfg);
+        (0, terminal_js_1.restoreInteractiveTerminalState)();
     }
     await refreshCodexModelsForRegistration(cfg, logger);
     const registerRequest = await buildRegisterRunnerRequest(cfg);
@@ -2287,16 +2398,25 @@ async function runRootCommand(options, runtimeOptions) {
         logger,
     });
     let reconnectAttempt = 0;
+    let activeApiClient = null;
+    let activeCommandChannel = null;
+    const interruptState = installRootInterruptHandlers(logger, () => {
+        activeCommandChannel?.cancel();
+        activeApiClient?.close();
+    });
     try {
         while (true) {
+            throwIfAborted(interruptState.signal);
             const apiClient = new companyhelm_api_client_js_1.CompanyhelmApiClient({ apiUrl: cfg.companyhelm_api_url, logger });
+            activeApiClient = apiClient;
             let commandChannel = null;
             let githubInstallationsSyncAbortController = null;
             let githubInstallationsSyncTask = null;
             try {
                 reconnectAttempt += 1;
                 commandChannel = await apiClient.connect(registerRequest, apiCallOptions);
-                await commandChannel.waitForOpen(COMMAND_CHANNEL_OPEN_TIMEOUT_MS);
+                activeCommandChannel = commandChannel;
+                await raceWithAbort(commandChannel.waitForOpen(COMMAND_CHANNEL_OPEN_TIMEOUT_MS), interruptState.signal);
                 commandMessageSink.bind(commandChannel);
                 const bufferedMessages = commandMessageSink.getBufferedMessageCount();
                 if (bufferedMessages > 0) {
@@ -2312,10 +2432,13 @@ async function runRootCommand(options, runtimeOptions) {
                         logger.warn(`GitHub installation sync loop exited unexpectedly: ${toErrorMessage(error)}`);
                     }
                 });
-                await runCommandLoop(cfg, commandChannel, commandMessageSink, apiClient, apiCallOptions, logger);
+                await raceWithAbort(runCommandLoop(cfg, commandChannel, commandMessageSink, apiClient, apiCallOptions, logger), interruptState.signal);
                 logger.warn("CompanyHelm API command channel closed. Reconnecting...");
             }
             catch (error) {
+                if (error instanceof RootCommandInterruptedError) {
+                    return;
+                }
                 const failureMessage = formatApiConnectionFailureMessage(error, cfg.companyhelm_api_url, options.secret);
                 const diagnostics = formatApiConnectionFailureDiagnostics(error);
                 if (diagnostics) {
@@ -2333,17 +2456,25 @@ async function runRootCommand(options, runtimeOptions) {
                 }
                 void githubInstallationsSyncTask;
                 if (commandChannel) {
+                    commandChannel.cancel();
                     commandMessageSink.unbind(commandChannel);
                 }
                 else {
                     commandMessageSink.unbind();
                 }
+                if (activeCommandChannel === commandChannel) {
+                    activeCommandChannel = null;
+                }
+                if (activeApiClient === apiClient) {
+                    activeApiClient = null;
+                }
                 apiClient.close();
             }
-            await new Promise((resolve) => setTimeout(resolve, COMMAND_CHANNEL_CONNECT_RETRY_DELAY_MS));
+            await delayWithAbort(COMMAND_CHANNEL_CONNECT_RETRY_DELAY_MS, interruptState.signal);
         }
     }
     finally {
+        interruptState.dispose();
         const droppedMessages = commandMessageSink.getDroppedMessageCount();
         if (droppedMessages > 0) {
             logger.warn(`Dropped ${droppedMessages} outbound client message(s) while command channel was disconnected.`);

package/dist/commands/runner/common.js

@@ -1,13 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.addRunnerStartOptions = addRunnerStartOptions;
+const global_options_js_1 = require("../global-options.js");
 function addRunnerStartOptions(command) {
     return command
-        .option("--config-path <path>", "Config directory override (defaults to ~/.config/companyhelm).")
+        .option("--config-path <path>", global_options_js_1.CONFIG_PATH_OPTION_DESCRIPTION)
         .option("--server-url <url>", "CompanyHelm gRPC API URL override.")
         .option("--agent-api-url <url>", "Agent gRPC API URL for companyhelm-agent in runtime containers (localhost is rewritten to http://host.docker.internal).")
         .option("--secret <secret>", "Bearer secret used as gRPC Authorization header.")
-        .option("--state-db-path <path>", "State database path override (defaults to ~/.local/share/companyhelm/state.db).")
+        .option("--state-db-path <path>", "State database path override (defaults to state.db under the active config directory).")
+        .option("--log-path <path>", "Daemon log file override.")
         .option("--use-host-docker-runtime", "Mount host Docker socket into runtime containers instead of creating DinD sidecars.")
         .option("--host-docker-path <path>", "Host Docker endpoint when --use-host-docker-runtime is enabled (unix:///<socket-path> or tcp://localhost:<port>).")
         .option("--thread-git-skills-directory <path>", "Container path where thread git skill repositories are cloned before linking into ~/.codex/skills.")

package/dist/commands/runner/stop.js

@@ -48,7 +48,7 @@ function registerRunnerStopCommand(runnerCommand) {
     runnerCommand
         .command("stop")
         .description("Stop the local CompanyHelm runner daemon.")
-        .option("--state-db-path <path>", "State database path override (defaults to ~/.local/share/companyhelm/state.db).")
+        .option("--state-db-path <path>", "State database path override (defaults to state.db under the active config directory).")
         .action(async (options) => {
         await runRunnerStopCommand(options);
     });

package/dist/commands/sdk/codex/auth.js

@@ -0,0 +1,200 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.defaultUseDedicatedCodexAuthDependencies = exports.defaultSetCodexHostAuthDependencies = void 0;
+exports.isErrnoException = isErrnoException;
+exports.buildDockerMissingError = buildDockerMissingError;
+exports.ensureDockerAvailable = ensureDockerAvailable;
+exports.listCodexStartupAuthOptions = listCodexStartupAuthOptions;
+exports.setCodexHostAuthInDb = setCodexHostAuthInDb;
+exports.setCodexDedicatedAuthInDb = setCodexDedicatedAuthInDb;
+exports.runSetCodexHostAuth = runSetCodexHostAuth;
+exports.runDedicatedCodexAuth = runDedicatedCodexAuth;
+exports.runUseDedicatedCodexAuth = runUseDedicatedCodexAuth;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+const node_path_1 = require("node:path");
+const drizzle_orm_1 = require("drizzle-orm");
+const host_js_1 = require("../../../service/host.js");
+const db_js_1 = require("../../../state/db.js");
+const schema_js_1 = require("../../../state/schema.js");
+const path_js_1 = require("../../../utils/path.js");
+exports.defaultSetCodexHostAuthDependencies = {
+    getHostInfoFn: host_js_1.getHostInfo,
+    initDbFn: db_js_1.initDb,
+};
+exports.defaultUseDedicatedCodexAuthDependencies = {
+    initDbFn: db_js_1.initDb,
+    logInfo: console.log,
+    logSuccess: console.log,
+    spawnCommand: node_child_process_1.spawn,
+    spawnSyncCommand: node_child_process_1.spawnSync,
+};
+function isErrnoException(error) {
+    return error instanceof Error && "code" in error;
+}
+function buildDockerMissingError() {
+    return new Error("Docker is not installed or not available on PATH. Install Docker and retry.");
+}
+function ensureDockerAvailable(spawnSyncCommand) {
+    const result = spawnSyncCommand("docker", ["--version"], { stdio: "ignore" });
+    if (isErrnoException(result.error) && result.error.code === "ENOENT") {
+        throw buildDockerMissingError();
+    }
+}
+function listCodexStartupAuthOptions(cfg, getHostInfoFn = host_js_1.getHostInfo) {
+    const options = [
+        {
+            value: "dedicated",
+            label: "Dedicated",
+            hint: "recommended -- runs Codex login inside a container",
+        },
+    ];
+    const hostInfo = getHostInfoFn(cfg.codex.codex_auth_path);
+    if (hostInfo.codexAuthExists) {
+        options.push({
+            value: "host",
+            label: "Host",
+            hint: `reuse existing credentials from ${cfg.codex.codex_auth_path}`,
+        });
+    }
+    return options;
+}
+async function setCodexHostAuthInDb(db) {
+    const existingSdk = await db.select().from(schema_js_1.agentSdks).where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex")).get();
+    if (existingSdk) {
+        await db
+            .update(schema_js_1.agentSdks)
+            .set({ authentication: "host" })
+            .where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex"));
+        return;
+    }
+    await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "host" });
+}
+async function setCodexDedicatedAuthInDb(db) {
+    const existingSdk = await db.select().from(schema_js_1.agentSdks).where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex")).get();
+    if (existingSdk) {
+        await db
+            .update(schema_js_1.agentSdks)
+            .set({ authentication: "dedicated" })
+            .where((0, drizzle_orm_1.eq)(schema_js_1.agentSdks.name, "codex"));
+        return;
+    }
+    await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "dedicated" });
+}
+async function runSetCodexHostAuth(cfg, overrides = {}) {
+    const deps = { ...exports.defaultSetCodexHostAuthDependencies, ...overrides };
+    const authPath = (0, path_js_1.expandHome)(cfg.codex.codex_auth_path);
+    const hostInfo = deps.getHostInfoFn(cfg.codex.codex_auth_path);
+    if (!hostInfo.codexAuthExists) {
+        throw new Error(`Codex host auth file not found at ${authPath}.`);
+    }
+    const { db, client } = await deps.initDbFn(cfg.state_db_path);
+    try {
+        await setCodexHostAuthInDb(db);
+    }
+    finally {
+        client.close();
+    }
+    return authPath;
+}
+async function runDedicatedCodexAuth(cfg, db, deps) {
+    ensureDockerAvailable(deps.spawnSyncCommand);
+    const port = cfg.codex.codex_auth_port;
+    const socatPort = port + 1;
+    const containerName = `companyhelm-codex-auth-${Date.now()}`;
+    deps.logInfo("Starting Codex login inside a container...");
+    deps.logInfo("A browser URL will appear -- open it to complete authentication.");
+    const configDir = (0, path_js_1.expandHome)(cfg.config_directory);
+    if (!(0, node_fs_1.existsSync)(configDir)) {
+        (0, node_fs_1.mkdirSync)(configDir, { recursive: true });
+    }
+    const destPath = (0, node_path_1.join)(configDir, cfg.codex.codex_auth_file_path);
+    let authCopied = false;
+    await new Promise((resolve, reject) => {
+        let settled = false;
+        let poll;
+        const rejectOnce = (error) => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            if (poll) {
+                clearInterval(poll);
+            }
+            deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
+            reject(error);
+        };
+        const resolveOnce = () => {
+            if (settled) {
+                return;
+            }
+            settled = true;
+            if (poll) {
+                clearInterval(poll);
+            }
+            resolve();
+        };
+        const child = deps.spawnCommand("docker", [
+            "run",
+            "-it",
+            "--name",
+            containerName,
+            "-p",
+            `${port}:${socatPort}`,
+            "--entrypoint",
+            "bash",
+            cfg.runtime_image,
+            "-c",
+            `source "$NVM_DIR/nvm.sh"; socat TCP-LISTEN:${socatPort},fork,bind=0.0.0.0,reuseaddr TCP:127.0.0.1:${port} 2>/dev/null & codex`,
+        ], { stdio: "inherit" });
+        child.on("error", (error) => {
+            if (isErrnoException(error) && error.code === "ENOENT") {
+                rejectOnce(buildDockerMissingError());
+                return;
+            }
+            rejectOnce(new Error(`Failed to start Codex login container: ${error.message}`));
+        });
+        poll = setInterval(() => {
+            if (settled) {
+                return;
+            }
+            const check = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `test -f ${cfg.codex.codex_auth_path}`], {
+                stdio: "ignore",
+            });
+            if (check.status === 0) {
+                const resolveResult = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `echo ${cfg.codex.codex_auth_path}`], {
+                    encoding: "utf-8",
+                });
+                const containerAuthAbsPath = resolveResult.stdout.trim();
+                const cpResult = deps.spawnSyncCommand("docker", ["cp", `${containerName}:${containerAuthAbsPath}`, destPath], {
+                    stdio: "ignore",
+                });
+                if (cpResult.status !== 0) {
+                    rejectOnce(new Error("Failed to extract auth file from container."));
+                    return;
+                }
+                authCopied = true;
+                deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
+                resolveOnce();
+            }
+        }, 1000);
+        child.on("exit", () => {
+            if (!authCopied) {
+                rejectOnce(new Error("Codex login failed or was cancelled."));
+            }
+        });
+    });
+    await setCodexDedicatedAuthInDb(db);
+    deps.logSuccess(`Codex auth saved to ${destPath}`);
+    return destPath;
+}
+async function runUseDedicatedCodexAuth(cfg, overrides = {}) {
+    const deps = { ...exports.defaultUseDedicatedCodexAuthDependencies, ...overrides };
+    const { db, client } = await deps.initDbFn(cfg.state_db_path);
+    try {
+        return await runDedicatedCodexAuth(cfg, db, deps);
+    }
+    finally {
+        client.close();
+    }
+}

package/dist/commands/sdk/codex/register-codex-sdk-commands.js

@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerCodexSdkCommands = registerCodexSdkCommands;
+const use_dedicated_auth_js_1 = require("./use-dedicated-auth.js");
+const use_host_auth_js_1 = require("./use-host-auth.js");
+function registerCodexSdkCommands(sdkCommand) {
+    const codexCommand = sdkCommand
+        .command("codex")
+        .description("Manage Codex SDK authentication.");
+    (0, use_host_auth_js_1.registerSdkCodexUseHostAuthCommand)(codexCommand);
+    (0, use_dedicated_auth_js_1.registerSdkCodexUseDedicatedAuthCommand)(codexCommand);
+}

package/dist/commands/sdk/codex/use-dedicated-auth.js

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runSdkCodexUseDedicatedAuthCommand = runSdkCodexUseDedicatedAuthCommand;
+exports.registerSdkCodexUseDedicatedAuthCommand = registerSdkCodexUseDedicatedAuthCommand;
+const config_js_1 = require("../../../config.js");
+const auth_js_1 = require("./auth.js");
+async function runSdkCodexUseDedicatedAuthCommand(cfg = config_js_1.config.parse({}), overrides = {}) {
+    const deps = { ...auth_js_1.defaultUseDedicatedCodexAuthDependencies, ...overrides };
+    await (0, auth_js_1.runUseDedicatedCodexAuth)(cfg, deps);
+}
+function registerSdkCodexUseDedicatedAuthCommand(codexCommand) {
+    codexCommand
+        .command("use-dedicated-auth")
+        .description("Configure the Codex SDK to use dedicated authentication.")
+        .action(async () => {
+        await runSdkCodexUseDedicatedAuthCommand();
+    });
+}

package/dist/commands/sdk/codex/use-host-auth.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runSdkCodexUseHostAuthCommand = runSdkCodexUseHostAuthCommand;
+exports.registerSdkCodexUseHostAuthCommand = registerSdkCodexUseHostAuthCommand;
+const config_js_1 = require("../../../config.js");
+const auth_js_1 = require("./auth.js");
+async function runSdkCodexUseHostAuthCommand(cfg = config_js_1.config.parse({}), overrides = {}) {
+    const deps = { ...auth_js_1.defaultSetCodexHostAuthDependencies, ...overrides };
+    const authPath = await (0, auth_js_1.runSetCodexHostAuth)(cfg, deps);
+    console.log(`Codex SDK configured with host authentication using ${authPath}.`);
+}
+function registerSdkCodexUseHostAuthCommand(codexCommand) {
+    codexCommand
+        .command("use-host-auth")
+        .description("Configure the Codex SDK to use host authentication.")
+        .action(async () => {
+        await runSdkCodexUseHostAuthCommand();
+    });
+}

package/dist/commands/sdk/register-sdk-commands.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.registerSdkCommands = registerSdkCommands;
+const register_codex_sdk_commands_js_1 = require("./codex/register-codex-sdk-commands.js");
 const list_js_1 = require("./list.js");
 const refresh_models_js_1 = require("./refresh-models.js");
 function registerSdkCommands(program) {
@@ -9,4 +10,5 @@ function registerSdkCommands(program) {
         .description("Manage configured SDKs and their model capabilities.");
     (0, list_js_1.registerSdkListCommand)(sdkCommand);
     (0, refresh_models_js_1.registerSdkRefreshModelsCommand)(sdkCommand);
+    (0, register_codex_sdk_commands_js_1.registerCodexSdkCommands)(sdkCommand);
 }

package/dist/commands/startup.js

@@ -37,66 +37,34 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.startup = startup;
-const node_fs_1 = require("node:fs");
-const node_path_1 = require("node:path");
 const node_child_process_1 = require("node:child_process");
 const p = __importStar(require("@clack/prompts"));
 const figlet_1 = __importDefault(require("figlet"));
 const config_js_1 = require("../config.js");
 const db_js_1 = require("../state/db.js");
 const schema_js_1 = require("../state/schema.js");
-const host_js_1 = require("../service/host.js");
 const refresh_models_js_1 = require("../service/sdk/refresh_models.js");
-const path_js_1 = require("../utils/path.js");
+const terminal_js_1 = require("../utils/terminal.js");
+const auth_js_1 = require("./sdk/codex/auth.js");
 function banner() {
     console.log();
     console.log(figlet_1.default.textSync("CompanyHelm", { font: "Small" }));
     console.log();
 }
-function isErrnoException(error) {
-    return error instanceof Error && "code" in error;
-}
-function buildDockerMissingError() {
-    return new Error("Docker is not installed or not available on PATH. Install Docker and retry.");
-}
 const defaultStartupDependencies = {
-    getHostInfoFn: host_js_1.getHostInfo,
+    getHostInfoFn: auth_js_1.defaultSetCodexHostAuthDependencies.getHostInfoFn,
     initDbFn: db_js_1.initDb,
     promptApi: p,
     refreshSdkModelsFn: refresh_models_js_1.refreshSdkModels,
     spawnCommand: node_child_process_1.spawn,
     spawnSyncCommand: node_child_process_1.spawnSync,
 };
-function ensureDockerAvailable(spawnSyncCommand) {
-    const result = spawnSyncCommand("docker", ["--version"], { stdio: "ignore" });
-    if (isErrnoException(result.error) && result.error.code === "ENOENT") {
-        throw buildDockerMissingError();
-    }
-}
-function restoreInteractiveTerminalState() {
-    try {
-        if (process.stdin.isTTY && typeof process.stdin.setRawMode === "function") {
-            process.stdin.setRawMode(false);
-        }
-    }
-    catch {
-        // Best-effort prompt cleanup.
-    }
-    try {
-        if (process.stdout.isTTY) {
-            process.stdout.write("\u001B[?25h");
-        }
-    }
-    catch {
-        // Best-effort prompt cleanup.
-    }
-}
 function exitStartup(code) {
-    restoreInteractiveTerminalState();
+    (0, terminal_js_1.restoreInteractiveTerminalState)();
     process.exit(code);
 }
 async function refreshCodexModelsInStartup(deps) {
-    ensureDockerAvailable(deps.spawnSyncCommand);
+    (0, auth_js_1.ensureDockerAvailable)(deps.spawnSyncCommand);
     const spinner = deps.promptApi.spinner();
     const seenStatusMessages = new Set();
     spinner.start("Preparing Codex runtime image and refreshing model catalog via app-server");
@@ -113,96 +81,6 @@ async function refreshCodexModelsInStartup(deps) {
     const count = results[0]?.modelCount ?? 0;
     spinner.stop(`Codex model catalog refreshed (${count} models).`);
 }
-async function dedicatedAuth(cfg, db, deps) {
-    ensureDockerAvailable(deps.spawnSyncCommand);
-    const port = cfg.codex.codex_auth_port;
-    const socatPort = port + 1;
-    const containerName = `companyhelm-codex-auth-${Date.now()}`;
-    deps.promptApi.log.info("Starting Codex login inside a container...");
-    deps.promptApi.log.info("A browser URL will appear -- open it to complete authentication.");
-    const configDir = (0, path_js_1.expandHome)(cfg.config_directory);
-    if (!(0, node_fs_1.existsSync)(configDir)) {
-        (0, node_fs_1.mkdirSync)(configDir, { recursive: true });
-    }
-    const destPath = (0, node_path_1.join)(configDir, cfg.codex.codex_auth_file_path);
-    let authCopied = false;
-    await new Promise((resolve, reject) => {
-        let settled = false;
-        let poll;
-        const rejectOnce = (error) => {
-            if (settled) {
-                return;
-            }
-            settled = true;
-            if (poll) {
-                clearInterval(poll);
-            }
-            deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
-            reject(error);
-        };
-        const resolveOnce = () => {
-            if (settled) {
-                return;
-            }
-            settled = true;
-            if (poll) {
-                clearInterval(poll);
-            }
-            resolve();
-        };
-        const child = deps.spawnCommand("docker", [
-            "run",
-            "-it",
-            "--name",
-            containerName,
-            "-p",
-            `${port}:${socatPort}`,
-            "--entrypoint",
-            "bash",
-            cfg.runtime_image,
-            "-c",
-            `source "$NVM_DIR/nvm.sh"; socat TCP-LISTEN:${socatPort},fork,bind=0.0.0.0,reuseaddr TCP:127.0.0.1:${port} 2>/dev/null & codex`,
-        ], { stdio: "inherit" });
-        child.on("error", (error) => {
-            if (isErrnoException(error) && error.code === "ENOENT") {
-                rejectOnce(buildDockerMissingError());
-                return;
-            }
-            rejectOnce(new Error(`Failed to start Codex login container: ${error.message}`));
-        });
-        poll = setInterval(() => {
-            if (settled) {
-                return;
-            }
-            const check = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `test -f ${cfg.codex.codex_auth_path}`], {
-                stdio: "ignore",
-            });
-            if (check.status === 0) {
-                const resolveResult = deps.spawnSyncCommand("docker", ["exec", containerName, "sh", "-c", `echo ${cfg.codex.codex_auth_path}`], {
-                    encoding: "utf-8",
-                });
-                const containerAuthAbsPath = resolveResult.stdout.trim();
-                const cpResult = deps.spawnSyncCommand("docker", ["cp", `${containerName}:${containerAuthAbsPath}`, destPath], {
-                    stdio: "ignore",
-                });
-                if (cpResult.status !== 0) {
-                    rejectOnce(new Error("Failed to extract auth file from container."));
-                    return;
-                }
-                authCopied = true;
-                deps.spawnSyncCommand("docker", ["rm", "-f", containerName], { stdio: "ignore" });
-                resolveOnce();
-            }
-        }, 1000);
-        child.on("exit", () => {
-            if (!authCopied) {
-                rejectOnce(new Error("Codex login failed or was cancelled."));
-            }
-        });
-    });
-    await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "dedicated" });
-    deps.promptApi.log.success(`Codex auth saved to ${destPath}`);
-}
 async function selectStartupAuthMode(options, deps) {
     if (options.length === 1) {
         return options[0].value;
@@ -230,30 +108,21 @@ async function startup(cfg = config_js_1.config.parse({}), overrides = {}) {
         return;
     }
     deps.promptApi.intro("No agent SDK configured. Let's set up Codex authentication.");
-    const hostInfo = deps.getHostInfoFn(cfg.codex.codex_auth_path);
-    const options = [
-        {
-            value: "dedicated",
-            label: "Dedicated",
-            hint: "recommended -- runs Codex login inside a container",
-        },
-    ];
-    if (hostInfo.codexAuthExists) {
-        options.push({
-            value: "host",
-            label: "Host",
-            hint: `reuse existing credentials from ${cfg.codex.codex_auth_path}`,
-        });
-    }
+    const options = (0, auth_js_1.listCodexStartupAuthOptions)(cfg, deps.getHostInfoFn);
     try {
         const authMode = await selectStartupAuthMode(options, deps);
         if (authMode === "host") {
-            await db.insert(schema_js_1.agentSdks).values({ name: "codex", authentication: "host" });
+            await (0, auth_js_1.setCodexHostAuthInDb)(db);
             await refreshCodexModelsInStartup(deps);
             deps.promptApi.outro("Codex SDK configured with host authentication.");
             return;
         }
-        await dedicatedAuth(cfg, db, deps);
+        await (0, auth_js_1.runDedicatedCodexAuth)(cfg, db, {
+            logInfo: deps.promptApi.log.info,
+            logSuccess: deps.promptApi.log.success,
+            spawnCommand: deps.spawnCommand,
+            spawnSyncCommand: deps.spawnSyncCommand,
+        });
         await refreshCodexModelsInStartup(deps);
         deps.promptApi.outro("Codex login successful!");
     }
@@ -263,6 +132,6 @@ async function startup(cfg = config_js_1.config.parse({}), overrides = {}) {
         exitStartup(1);
     }
     finally {
-        restoreInteractiveTerminalState();
+        (0, terminal_js_1.restoreInteractiveTerminalState)();
     }
 }

package/dist/commands/status.js

@@ -10,7 +10,7 @@ function registerStatusCommand(program) {
     program
         .command("status")
         .description("Show whether the local CompanyHelm daemon is running.")
-        .option("--state-db-path <path>", "State database path override (defaults to ~/.local/share/companyhelm/state.db).")
+        .option("--state-db-path <path>", "State database path override (defaults to state.db under the active config directory).")
         .action(async (options) => {
         const cfg = config_js_1.config.parse({
             state_db_path: options.stateDbPath,

package/dist/config.js

@@ -1,9 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.config = exports.codexConfig = void 0;
+exports.config = exports.codexConfig = exports.DEFAULT_CONFIG_DIRECTORY = exports.CONFIG_PATH_ENV = void 0;
 const node_fs_1 = require("node:fs");
 const node_path_1 = require("node:path");
 const zod_1 = require("zod");
+const path_js_1 = require("./utils/path.js");
+exports.CONFIG_PATH_ENV = "COMPANYHELM_CONFIG_PATH";
+exports.DEFAULT_CONFIG_DIRECTORY = "~/.config/companyhelm";
 const DEFAULT_RUNTIME_IMAGE_REPOSITORY = "companyhelm/runner";
 const FALLBACK_RUNTIME_IMAGE_VERSION = "latest";
 function loadRuntimeImageVersion() {
@@ -19,6 +22,19 @@ function loadRuntimeImageVersion() {
     return FALLBACK_RUNTIME_IMAGE_VERSION;
 }
 const DEFAULT_RUNTIME_IMAGE = `${DEFAULT_RUNTIME_IMAGE_REPOSITORY}:${loadRuntimeImageVersion()}`;
+function resolveConfigRelativePath(configDirectory, pathValue) {
+    if ((0, node_path_1.isAbsolute)((0, path_js_1.expandHome)(pathValue))) {
+        return pathValue;
+    }
+    return (0, node_path_1.join)(configDirectory, pathValue);
+}
+function resolveConfigDirectoryDefault() {
+    const envValue = process.env[exports.CONFIG_PATH_ENV]?.trim();
+    if (envValue && envValue.length > 0) {
+        return envValue;
+    }
+    return exports.DEFAULT_CONFIG_DIRECTORY;
+}
 exports.codexConfig = zod_1.z.object({
     codex_auth_file_path: zod_1.z.string()
         .describe("The path to the Codex authentication file on the host, relative to config_directory.")
@@ -36,13 +52,13 @@ exports.codexConfig = zod_1.z.object({
 exports.config = zod_1.z.object({
     config_directory: zod_1.z.string()
         .describe("The directory where the config files are stored.")
-        .default("~/.config/companyhelm"),
+        .default(resolveConfigDirectoryDefault),
     workspaces_directory: zod_1.z.string()
         .describe("The directory where thread workspaces are stored, relative to config_directory when not absolute.")
         .default("workspaces"),
     state_db_path: zod_1.z.string()
-        .describe("The path to the state database.")
-        .default("~/.local/share/companyhelm/state.db"),
+        .describe("The path to the state database, relative to the config directory.")
+        .default("state.db"),
     companyhelm_api_url: zod_1.z.string()
         .describe("CompanyHelm control plane gRPC endpoint URL.")
         .default("https://api.companyhelm.com:50051"),
@@ -83,4 +99,7 @@ exports.config = zod_1.z.object({
         .describe("Default git author email used when runtime repositories are missing user.email.")
         .default("agent@companyhelm.com"),
     codex: exports.codexConfig.default(() => exports.codexConfig.parse({})),
-});
+}).transform((value) => ({
+    ...value,
+    state_db_path: resolveConfigRelativePath(value.config_directory, value.state_db_path),
+}));

package/dist/utils/process.js

@@ -1,12 +1,73 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.parseProcStatState = parseProcStatState;
+exports.isZombieProcessState = isZombieProcessState;
 exports.isProcessRunning = isProcessRunning;
+const node_child_process_1 = require("node:child_process");
+const node_fs_1 = require("node:fs");
+function parseProcStatState(statLine) {
+    const trimmed = statLine.trim();
+    if (trimmed.length === 0) {
+        return null;
+    }
+    const closingParenIndex = trimmed.lastIndexOf(")");
+    if (closingParenIndex < 0) {
+        return null;
+    }
+    const suffix = trimmed.slice(closingParenIndex + 1).trim();
+    if (suffix.length === 0) {
+        return null;
+    }
+    const state = suffix[0]?.trim();
+    return state && state.length > 0 ? state : null;
+}
+function isZombieProcessState(state) {
+    return state === "Z";
+}
+function readProcessState(pid) {
+    if (process.platform === "linux") {
+        try {
+            return parseProcStatState((0, node_fs_1.readFileSync)(`/proc/${pid}/stat`, "utf8"));
+        }
+        catch (error) {
+            const code = typeof error === "object" && error && "code" in error ? error.code : undefined;
+            if (code === "ENOENT") {
+                return null;
+            }
+            return undefined;
+        }
+    }
+    if (process.platform === "darwin" || process.platform === "freebsd" || process.platform === "openbsd" || process.platform === "sunos") {
+        try {
+            const status = (0, node_child_process_1.execFileSync)("ps", ["-o", "stat=", "-p", String(pid)], { encoding: "utf8" }).trim();
+            if (!status) {
+                return null;
+            }
+            return status[0] ?? null;
+        }
+        catch (error) {
+            const status = typeof error === "object" && error && "status" in error ? error.status : undefined;
+            if (status === 1) {
+                return null;
+            }
+            return undefined;
+        }
+    }
+    return undefined;
+}
 function isProcessRunning(pid) {
     if (!Number.isInteger(pid) || pid <= 0) {
         return false;
     }
     try {
         process.kill(pid, 0);
+        const state = readProcessState(pid);
+        if (state === null) {
+            return false;
+        }
+        if (isZombieProcessState(state)) {
+            return false;
+        }
         return true;
     }
     catch (error) {

package/dist/utils/terminal.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.containsCtrlCInterruptInput = containsCtrlCInterruptInput;
+exports.restoreInteractiveTerminalState = restoreInteractiveTerminalState;
+const CTRL_C_ETX = "\u0003";
+const CTRL_C_CSI_U_PATTERN = /\u001b\[99;5(?::\d+)?u/;
+const CTRL_C_MODIFY_OTHER_KEYS_PATTERN = /\u001b\[27;5;99~/;
+const RESTORE_KEYBOARD_PROTOCOL_SEQUENCE = "\u001b[<u";
+const SHOW_CURSOR_SEQUENCE = "\u001b[?25h";
+function containsCtrlCInterruptInput(input) {
+    return input.includes(CTRL_C_ETX) ||
+        CTRL_C_CSI_U_PATTERN.test(input) ||
+        CTRL_C_MODIFY_OTHER_KEYS_PATTERN.test(input);
+}
+function restoreInteractiveTerminalState(stdin = process.stdin, stdout = process.stdout) {
+    try {
+        if (stdin.isTTY && typeof stdin.setRawMode === "function") {
+            stdin.setRawMode(false);
+        }
+    }
+    catch {
+        // Best-effort prompt cleanup.
+    }
+    try {
+        if (stdout.isTTY) {
+            // Restore normal keyboard reporting if a prompt enabled kitty/xterm CSI-u handling.
+            stdout.write(RESTORE_KEYBOARD_PROTOCOL_SEQUENCE);
+            stdout.write(SHOW_CURSOR_SEQUENCE);
+        }
+    }
+    catch {
+        // Best-effort prompt cleanup.
+    }
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@companyhelm/cli",
-  "version": "0.0.8",
+  "version": "0.0.11",
   "description": "Run coding agents in fully isolated Docker sandboxes, locally.",
-  "license": "Apache-2.0",
+  "license": "MIT",
   "repository": {
     "type": "git",
     "url": "https://github.com/CompanyHelm/companyhelm-cli"
@@ -31,7 +31,7 @@
   "dependencies": {
     "@bufbuild/protobuf": "^2.11.0",
     "@clack/prompts": "^1.0.1",
-    "@companyhelm/protos": "0.5.13",
+    "@companyhelm/protos": "0.5.16",
     "@grpc/grpc-js": "^1.14.3",
     "@libsql/client": "^0.17.0",
     "commander": "^14.0.0",