@dmsdc-ai/aigentry-telepty 0.5.3 → 0.5.5

package/daemon.js

@@ -298,9 +298,20 @@ function fireAutoReport(targetId, targetSession, pendingReport, trigger, deps =
   const srcSession = _sessions[srcId];
   if (!srcSession) return;
 
+  // #537 / Bug B: a never-started worker (transient submit failure → claude startup
+  // busy→idle settle at ~4.5s) must NOT be reported TASK_COMPLETE. When a submit was
+  // expected, the elapsed floor and startup-polluted sawWorkingAfterInject are NOT trusted
+  // as proof of processing — require positive submit confirmation (screen-poll verify /
+  // honest force / gate-off). Paths with no submit expected keep the legacy floor/work rule.
+  const strongSubmitConfirmed = !!(
+    pendingReport.submitConfirmedAt ||
+    (pendingReport.submitConfirm && pendingReport.submitConfirm.accepted === true)
+  );
   const confirmed = trigger === 'ready-signal' && pendingReport.submitExpected
     ? false
-    : (elapsedNum >= AUTO_REPORT_MIN_REAL_SECONDS || hasSubmitEvidence);
+    : pendingReport.submitExpected
+      ? strongSubmitConfirmed
+      : (elapsedNum >= AUTO_REPORT_MIN_REAL_SECONDS || hasSubmitEvidence);
   const injTag = pendingReport.injectId ? ` inject=${pendingReport.injectId}` : '';
   const reportMsg = confirmed
     ? `TASK_COMPLETE: ${targetId} is now idle after processing inject (${elapsed}s, via ${trigger}${injTag})`
@@ -1169,21 +1180,39 @@ async function writeDataToSession(id, session, data) {
 }
 
 /**
- * Submit Enter to a session using terminal-level methods.
+ * Submit Enter to a session via the PTY/context layer.
  * Used by POST /submit endpoint for explicit terminal-level submit.
- * Priority: kitty send-text → cmux send-key → PTY \r fallback.
- * Returns the strategy name or null on failure.
+ *
+ * Submit is a CONTEXT operation (telepty-owned), not a SURFACE operation
+ * (cmux/kitty adaptor-owned). Deliver the submit Enter via the PTY only — a bare
+ * 0x0D into the CLI's innermost node-pty. The former kitty `send-text` (P1) and
+ * `cmux send-key` (P2) branches were SURFACE ops on a flaky side channel (75×
+ * "Failed to write to socket" vs 0× for pty_cr in a 222k-line run; live
+ * 2026-06-07 confirmed pty-only works 3/3). `submitViaCmux`/`sendViaKitty` defs
+ * are kept (non-submit callers); codebase removal is gated on the warp/tmux
+ * matrix. See docs/adr/2026-06-07-submit-via-pty-context-layer.md.
+ *
+ * Returns the strategy name ('pty_cr') or null on failure.
  */
 function terminalLevelSubmit(id, session) {
-  // Priority 1: kitty send-text (terminal-level, bypasses PTY raw mode quirks)
-  if (session.type === 'wrapped' && sendViaKitty(id, '\r')) return 'kitty';
-  // Priority 2: cmux send-key
-  if (session.backend === 'cmux' && session.cmuxWorkspaceId && submitViaCmux(id)) return 'cmux';
-  // Priority 3: PTY \r
   if (submitViaPty(session)) return 'pty_cr';
   return null;
 }
 
+// #544 / #537 / Bug B: with PTY-native submit (terminalLevelSubmit → pty_cr only),
+// a successful pty_cr IS real delivery on every backend — the bare 0x0D reaches the
+// CLI's innermost node-pty directly (live 2026-06-07: pty-only delivered 3/3 even
+// when cmux send-key failed). The honest "was it accepted?" signal is the
+// PTY-derived confirm (confirmSubmitAccepted: state∈{working,thinking} since≥
+// submittedAt, or body consumed from outputRing) — NOT the strategy name. We no
+// longer special-case pty_cr-on-cmux as undelivered; that false-negative was the
+// direct cause of the BUG B bogus UNCONFIRMED reports + worker re-send loops.
+// Pure + exported so the decision is unit-testable.
+// See docs/adr/2026-06-07-submit-via-pty-context-layer.md.
+function forceSubmitDeliveredToSurface(session, strategy) {
+  return !!strategy;
+}
+
 async function deliverInjectionToSession(id, session, prompt, options = {}) {
   const now = Date.now();
   if (!options.bypassBootstrapQueue && shouldQueueBootstrapOperation(session)) {
@@ -2190,11 +2219,19 @@ app.post('/api/sessions/:id/submit', async (req, res) => {
     }
     const strategy = terminalLevelSubmit(id, session);
     if (strategy) {
+      // #537 / Bug B: force-confirm must reflect ACTUAL delivery. A pty_cr fallback on a
+      // cmux surface means cmux send-key failed and Enter never reached the CLI — record
+      // UNCONFIRMED so the ENFORCE-REPORT gate never labels a never-delivered inject DONE.
+      const deliveredToSurface = forceSubmitDeliveredToSurface(session, strategy);
       if (injectedBody) {
-        markPendingReportSubmitConfirmed(id, { reason: 'force', attempts: 1 });
+        if (deliveredToSurface) {
+          markPendingReportSubmitConfirmed(id, { reason: 'force', attempts: 1 });
+        } else {
+          markPendingReportSubmitUnconfirmed(id, { reason: 'cmux_send_failed', attempts: 1, retryable: true });
+        }
       }
-      emitSubmitBus({ strategy, attempts: 1, gated: false, forced: true });
-      return res.json({ success: true, strategy, attempts: 1, gated: false, forced: true });
+      emitSubmitBus({ strategy, attempts: 1, gated: false, forced: true, submit_confirmed: deliveredToSurface });
+      return res.json({ success: true, strategy, attempts: 1, gated: false, forced: true, submit_confirmed: deliveredToSurface });
     }
     if (injectedBody) {
       markPendingReportSubmitUnconfirmed(id, { reason: 'strategy_failed', attempts: 0, retryable: false });
@@ -3488,6 +3525,9 @@ if (require.main === module) {
 // production call sites is unchanged. NOT a public API — internal/test use only.
 module.exports = {
   fireAutoReport,                 // #32: provenance-tagged auto-report (deps DI: now/deliver/...)
+  forceSubmitDeliveredToSurface,  // #544/#537/Bug B: PTY-native force-confirm (pty_cr = delivered)
+  terminalLevelSubmit,            // #544: PTY-only submit path (pty_cr | null)
+  submitViaPty,                   // #544: bare-0x0D submit into the innermost node-pty
   failBootstrapQueueOnTimeout,    // #31: actionable bootstrap-timeout queue flush
   shouldApplyOwnerAliveFloor,     // #29: owner-alive optimistic-floor decision (deps DI: isProcessRunning/...)
   scheduleBootstrapPromptPoll,    // #29: arms the floor timer (deps DI: setTimeout/...)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dmsdc-ai/aigentry-telepty",
-  "version": "0.5.3",
+  "version": "0.5.5",
   "main": "daemon.js",
   "bin": {
     "aigentry-telepty": "install.js",
@@ -35,9 +35,9 @@
   ],
   "scripts": {
     "postinstall": "node scripts/postinstall.js",
-    "test": "node --test test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/submit-gate.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
-    "test:watch": "node --test --watch test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/submit-gate.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js",
-    "test:ci": "node --test --test-reporter=spec test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/submit-gate.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
+    "test": "node --test test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
+    "test:watch": "node --test --watch test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js",
+    "test:ci": "node --test --test-reporter=spec test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
     "typecheck": "tsc --noEmit",
     "regen-fixtures": "node scripts/regen-snippet-fixtures.js"
   },

package/src/submit-gate.js

@@ -308,10 +308,16 @@ function observeBodyVisibility(session, bodyText, opts = {}) {
   };
 }
 
+// PTY-native confirm (#544): do NOT shell to `cmux read-screen` for the submit
+// confirm. The body-visibility source is the PTY-fed outputRing
+// (observeBodyVisibility falls through to it when this returns null). An explicit
+// opts.readScreen seam is still honored (tests / future surface adaptors); the
+// cmux default is dropped so confirmation is screen-free and no longer depends on
+// the flaky cmux surface. The pre-submit readiness probe (awaitPromptSymbol) keeps
+// its own defaultReadScreen — that is a separate concern, out of scope here.
+// See docs/adr/2026-06-07-submit-via-pty-context-layer.md.
 function readCurrentScreen(session, opts = {}) {
-  const readScreen = typeof opts.readScreen === 'function'
-    ? opts.readScreen
-    : (session && session.backend === 'cmux' && session.cmuxWorkspaceId ? defaultReadScreen : null);
+  const readScreen = typeof opts.readScreen === 'function' ? opts.readScreen : null;
   if (!readScreen || !session || !session.cmuxWorkspaceId) return null;
   const tailLines = Number.isFinite(opts.tailLines) ? opts.tailLines : 30;
   try {