@dmsdc-ai/aigentry-telepty 0.5.5 → 0.5.7

package/daemon.js

@@ -88,8 +88,18 @@ sessionStateManager.onTransition((sessionId, from, to, detail) => {
     // Mark as idle-notified (but keep the entry — REPORT is still pending).
     // Entry is cleared when REPORT arrives (via inject endpoint) OR session dies.
     if (pendingReport.idleNotified) return; // only fire once
+    // #545: only an OSC133-marked idle with the injected body consumed from the PTY outputRing
+    // is trustworthy enough to report TASK_COMPLETE. A weak prompt-glyph / silence flip (the
+    // residual WORKING case the THINKING-only state guard doesn't cover) stays
+    // TASK_IDLE_UNCONFIRMED — never a false complete.
+    const idleTrigger = detail && detail.detail ? detail.detail.trigger : null;
+    const bodyText = pendingReport.injectedBodyPreview;
+    const bodyVisible = bodyText
+      ? submitGate.observeBodyVisibility(session, bodyText).visible === true
+      : false;
+    const idleEvidenceReliable = idleTrigger === 'osc_133_prompt' && !bodyVisible;
     // real-idle: the state manager observed a genuine busy→idle transition.
-    fireAutoReport(sessionId, session, pendingReport, 'real-idle');
+    fireAutoReport(sessionId, session, pendingReport, 'real-idle', { idleEvidenceReliable });
   }
 
   // Fire TASK_DEAD_NO_REPORT when session dies with a pending report
@@ -129,6 +139,13 @@ app.use(express.json());
 // Peer allowlist: comma-separated IPs/CIDRs in TELEPTY_PEER_ALLOWLIST env
 const PEER_ALLOWLIST = (process.env.TELEPTY_PEER_ALLOWLIST || '').split(',').map(s => s.trim()).filter(Boolean);
 
+// #533 Phase 2 — peer-lane inject guardrail. The orchestrator sid(s) define the
+// ORCH LANE (always allowed). Space-separated; default matches aigentry-orchestrator
+// bin/ask.sh so both ends agree on "who is the orchestrator" from one config. If this
+// resolves empty the guardrail fails OPEN (see classifyPeerLaneInject).
+const ORCHESTRATOR_SIDS = (process.env.AIGENTRY_ORCHESTRATOR_SIDS || 'orchestrator aigentry-orchestrator-claude')
+  .split(/\s+/).map(s => s.trim()).filter(Boolean);
+
 // Cross-machine bus relay: forward bus events to peer daemons
 const relayToPeers = createPeerRelay({
   relayPeers: relayPeersFromEnv(process.env),
@@ -307,11 +324,23 @@ function fireAutoReport(targetId, targetSession, pendingReport, trigger, deps =
     pendingReport.submitConfirmedAt ||
     (pendingReport.submitConfirm && pendingReport.submitConfirm.accepted === true)
   );
+  // #545: a `real-idle` flip with weak evidence (no OSC133 REPL-done mark / injected body still
+  // visible in the PTY outputRing) must NOT be reported TASK_COMPLETE — a still-busy worker that
+  // merely paused output gets the honest TASK_IDLE_UNCONFIRMED. The caller (onTransition) sets
+  // deps.idleEvidenceReliable; === false forces the downgrade. Scoped to submitExpected (the #545
+  // symptom — a submit-confirmed worker still thinking), consistent with the BUG-B confirm gate;
+  // plain non-submit injects keep their existing floor-based completion. Absent flag / other
+  // triggers preserve prior behavior.
+  const idleEvidenceUnreliable = trigger === 'real-idle'
+    && pendingReport.submitExpected
+    && deps.idleEvidenceReliable === false;
   const confirmed = trigger === 'ready-signal' && pendingReport.submitExpected
     ? false
-    : pendingReport.submitExpected
-      ? strongSubmitConfirmed
-      : (elapsedNum >= AUTO_REPORT_MIN_REAL_SECONDS || hasSubmitEvidence);
+    : idleEvidenceUnreliable
+      ? false
+      : pendingReport.submitExpected
+        ? strongSubmitConfirmed
+        : (elapsedNum >= AUTO_REPORT_MIN_REAL_SECONDS || hasSubmitEvidence);
   const injTag = pendingReport.injectId ? ` inject=${pendingReport.injectId}` : '';
   const reportMsg = confirmed
     ? `TASK_COMPLETE: ${targetId} is now idle after processing inject (${elapsed}s, via ${trigger}${injTag})`
@@ -346,6 +375,68 @@ function respondWithError(res, httpStatus, code, error, extra = {}) {
   return res.status(httpStatus).json(buildErrorBody(code, error, extra));
 }
 
+// #533 Phase 2 — pure peer-lane inject policy verdict (self-contained; no parser
+// dependency). The PEER LANE is sender ≠ orchestrator AND target ≠ orchestrator.
+// On that lane the body MUST be a sanctioned compact-JSON envelope (the shape
+// produced by aigentry-orchestrator bin/ask.sh build_envelope); anything else is
+// out-of-policy peer→peer traffic (e.g. work-delegation) and is blocked.
+// Returns { lane, decision, reason, kind, envelopePresent }:
+//   lane ∈ 'orchestrator' | 'peer' | 'disabled'
+//   decision ∈ 'allow' | 'block'
+//   kind ∈ 'ask-request' | 'ask-reply' | null
+const PEER_INJECT_KINDS = new Set(['ask-request', 'ask-reply']);
+
+function classifyPeerLaneInject({ from, to, prompt, orchestratorSids } = {}) {
+  const orchSet = Array.isArray(orchestratorSids) ? orchestratorSids : [];
+  // Fail-OPEN: with no known orchestrator sid we cannot tell the orch lane apart
+  // from the peer lane (every inject would look peer-lane), which would over-block
+  // legitimate orchestrator traffic and brick the mesh. Degrade to allow + warn;
+  // the Phase-1 orchestrator-side auditor still detects raw bypass (defense in depth).
+  if (orchSet.length === 0) {
+    return { lane: 'disabled', decision: 'allow', reason: 'orch-sid-unconfigured-fail-open', kind: null, envelopePresent: false };
+  }
+  // No sender → operator/CLI/multicast/broadcast, never peer-lane.
+  if (!from) {
+    return { lane: 'orchestrator', decision: 'allow', reason: 'no-sender', kind: null, envelopePresent: false };
+  }
+  // Orchestrator lane (either end is the orchestrator) → always allowed, untouched.
+  if (orchSet.includes(from) || orchSet.includes(to)) {
+    return { lane: 'orchestrator', decision: 'allow', reason: 'orch-lane', kind: null, envelopePresent: false };
+  }
+
+  // Peer lane: require a sanctioned envelope on the first non-empty line.
+  let env = null;
+  try {
+    const firstLine = String(prompt || '').split(/\r?\n/).map(l => l.trim()).find(l => l.length > 0);
+    if (firstLine) {
+      const parsed = JSON.parse(firstLine);
+      if (parsed && typeof parsed === 'object' && !Array.isArray(parsed)) env = parsed;
+    }
+  } catch {
+    env = null;
+  }
+  if (!env) {
+    return { lane: 'peer', decision: 'block', reason: 'malformed-envelope', kind: null, envelopePresent: false };
+  }
+  if (!PEER_INJECT_KINDS.has(env.kind)) {
+    return { lane: 'peer', decision: 'block', reason: 'wrong-kind', kind: null, envelopePresent: true };
+  }
+  // Common required fields + per-kind payload (matches ask.sh build_envelope).
+  const nonEmptyStr = (v) => typeof v === 'string' && v.length > 0;
+  const baseOk = nonEmptyStr(env.from) && nonEmptyStr(env.to) && nonEmptyStr(env.thread_id) && Number.isInteger(env.round);
+  const payloadOk = env.kind === 'ask-request' ? nonEmptyStr(env.question) : nonEmptyStr(env.answer);
+  if (!baseOk || !payloadOk) {
+    return { lane: 'peer', decision: 'block', reason: 'invalid-field', kind: null, envelopePresent: true };
+  }
+  // Sender-consistency: the envelope's declared sender must match the inject's
+  // from (cheap anti-spoof). `to` is NOT cross-checked — the route resolves aliases,
+  // which would false-block legitimate aliased targets.
+  if (env.from !== from) {
+    return { lane: 'peer', decision: 'block', reason: 'from-mismatch', kind: null, envelopePresent: true };
+  }
+  return { lane: 'peer', decision: 'allow', reason: 'sanctioned-envelope', kind: env.kind, envelopePresent: true };
+}
+
 function normalizeNullableText(value) {
   if (value === undefined || value === null) {
     return null;
@@ -1188,9 +1279,10 @@ async function writeDataToSession(id, session, data) {
  * 0x0D into the CLI's innermost node-pty. The former kitty `send-text` (P1) and
  * `cmux send-key` (P2) branches were SURFACE ops on a flaky side channel (75×
  * "Failed to write to socket" vs 0× for pty_cr in a 222k-line run; live
- * 2026-06-07 confirmed pty-only works 3/3). `submitViaCmux`/`sendViaKitty` defs
- * are kept (non-submit callers); codebase removal is gated on the warp/tmux
- * matrix. See docs/adr/2026-06-07-submit-via-pty-context-layer.md.
+ * 2026-06-07 confirmed pty-only works 3/3). The `submitViaCmux`/`sendViaKitty`
+ * defs were since removed (#544/#546 — submit-all also migrated to PTY, leaving
+ * zero cmux send-key in the submit path). See
+ * docs/adr/2026-06-07-submit-via-pty-context-layer.md.
  *
  * Returns the strategy name ('pty_cr') or null on failure.
  */
@@ -2018,45 +2110,6 @@ function findKittyWindowId(socket, sessionId) {
   return null;
 }
 
-function sendViaKitty(sessionId, text) {
-  const { execSync } = require('child_process');
-  const socket = findKittySocket();
-  if (!socket) return false;
-
-  const windowId = findKittyWindowId(socket, sessionId);
-  if (!windowId) {
-    console.error(`[KITTY] No window found for ${sessionId}`);
-    return false;
-  }
-
-  try {
-    // Split text and CR — send-text for both (send-key corrupts keyboard protocol)
-    const hasCr = text.endsWith('\r') || text.endsWith('\n');
-    const textOnly = hasCr ? text.slice(0, -1) : text;
-    if (textOnly.length > 0) {
-      const escaped = textOnly.replace(/\\/g, '\\\\').replace(/'/g, "'\\''");
-      execSync(`kitty @ --to unix:${socket} send-text --match id:${windowId} '${escaped}'`, {
-        timeout: 5000, stdio: ['pipe', 'pipe', 'pipe']
-      });
-    }
-    if (hasCr) {
-      // Delay before sending Return — only when text was sent in the same call
-      // (when CR-only, text was already delivered via a different path)
-      if (textOnly.length > 0) {
-        execSync('sleep 0.5', { timeout: 2000 });
-      }
-      execSync(`kitty @ --to unix:${socket} send-text --match id:${windowId} $'\\r'`, {
-        timeout: 3000, stdio: ['pipe', 'pipe', 'pipe']
-      });
-    }
-    console.log(`[KITTY] Sent ${textOnly.length} chars${hasCr ? ' + Return' : ''} to ${sessionId} (window ${windowId})`);
-    return true;
-  } catch (err) {
-    console.error(`[KITTY] Failed for ${sessionId}:`, err.message);
-    return false;
-  }
-}
-
 function submitViaOsascript(sessionId, keyCombo) {
   const { execSync } = require('child_process');
   const session = sessions[sessionId];
@@ -2107,22 +2160,6 @@ function submitViaOsascript(sessionId, keyCombo) {
   }
 }
 
-function submitViaCmux(sessionId) {
-  const { execSync } = require('child_process');
-  const session = sessions[sessionId];
-  if (!session || !session.cmuxWorkspaceId) return false;
-  try {
-    execSync(`cmux send-key --workspace ${session.cmuxWorkspaceId} return`, {
-      timeout: 5000, stdio: ['pipe', 'pipe', 'pipe']
-    });
-    console.log(`[SUBMIT] cmux send-key return for ${sessionId} (workspace ${session.cmuxWorkspaceId})`);
-    return true;
-  } catch (err) {
-    console.error(`[SUBMIT] cmux send-key failed for ${sessionId}:`, err.message);
-    return false;
-  }
-}
-
 // POST /api/sessions/:id/submit — render-gated CLI-aware submit
 //
 // Default behavior (0.3.0+): wait for the target REPL to be ready (sessionStateManager
@@ -2419,27 +2456,22 @@ app.post('/api/sessions/:id/submit', async (req, res) => {
   return res.json(responseBody);
 });
 
-// POST /api/sessions/submit-all — Submit all active sessions
-app.post('/api/sessions/submit-all', (req, res) => {
+// Submit Enter to every active session. #546: submit is a PTY/context op (bare 0x0D) for every
+// wrapped + spawned backend INCLUDING cmux — the path validated 3/3 live for per-session submit
+// (#544). The cmux `send-key --surface return` surface op is removed (ZERO cmux send-key);
+// osascript Cmd+Enter remains only for app-window sessions with no PTY bridge. Exported (pure
+// over the passed sessions map) so the dispatch is unit-testable without starting the daemon.
+function runSubmitAll(sessionsMap) {
   const results = { successful: [], failed: [] };
 
-  for (const [id, session] of Object.entries(sessions)) {
+  for (const [id, session] of Object.entries(sessionsMap)) {
     const strategy = getSubmitStrategy(session.command);
     let success = false;
 
-    // cmux per-session backend
-    if (session.backend === 'cmux') {
-      success = terminalBackend.cmuxSendEnter(id);
-    }
-    if (!success && session.backend === 'cmux' && session.cmuxWorkspaceId) {
-      success = submitViaCmux(id);
-    }
-    if (!success) {
-      if (strategy === 'pty_cr') {
-        success = submitViaPty(session);
-      } else if (strategy === 'osascript_cmd_enter') {
-        success = submitViaOsascript(id, 'cmd_enter');
-      }
+    if (strategy === 'pty_cr') {
+      success = submitViaPty(session);
+    } else if (strategy === 'osascript_cmd_enter') {
+      success = submitViaOsascript(id, 'cmd_enter');
     }
 
     if (success) {
@@ -2449,7 +2481,12 @@ app.post('/api/sessions/submit-all', (req, res) => {
     }
   }
 
-  res.json({ success: true, results });
+  return results;
+}
+
+// POST /api/sessions/submit-all — Submit all active sessions
+app.post('/api/sessions/submit-all', (req, res) => {
+  res.json({ success: true, results: runSubmitAll(sessions) });
 });
 
 app.post('/api/sessions/:id/inject', async (req, res) => {
@@ -2467,6 +2504,32 @@ app.post('/api/sessions/:id/inject', async (req, res) => {
   // Routing metadata stays in session/bus state, not in the visible prompt text.
   const finalPrompt = prompt;
   const inject_id = crypto.randomUUID();
+
+  // #533 Phase 2 — peer-lane inject guardrail (in-band hard block, before delivery).
+  // Out-of-policy peer→peer injects (no sanctioned ask-request/ask-reply envelope)
+  // are blocked here so raw work-delegation bypass is prevented, not just detected.
+  // Orchestrator↔peer, broadcast/multicast (no `from`), and existing kinds are untouched.
+  const peerVerdict = classifyPeerLaneInject({ from, to: requestedId, prompt, orchestratorSids: ORCHESTRATOR_SIDS });
+  if (peerVerdict.decision === 'block') {
+    broadcastSessionEvent('peer_inject_blocked', id, session, {
+      extra: {
+        target_agent: id,
+        from: from || null,
+        reason: peerVerdict.reason,
+        attempted_kind: peerVerdict.kind,
+        envelope_present: peerVerdict.envelopePresent,
+        inject_id
+      }
+    });
+    console.warn(`[PEER-GUARD] blocked peer inject ${from} → ${id} (${peerVerdict.reason})`);
+    return respondWithError(res, 403, 'PEER_INJECT_BLOCKED',
+      'Peer-lane inject blocked: not a sanctioned ask-request/ask-reply envelope. Use bin/ask.sh.',
+      { reason: peerVerdict.reason, sanctioned_channel: 'bin/ask.sh' });
+  }
+  if (peerVerdict.lane === 'disabled') {
+    console.warn('[PEER-GUARD] orchestrator sid unconfigured (AIGENTRY_ORCHESTRATOR_SIDS empty) — peer guardrail disabled (fail-open)');
+  }
+
   try {
     const delivery = await deliverInjectionToSession(id, session, finalPrompt, {
       noEnter: !!no_enter,
@@ -3528,9 +3591,11 @@ module.exports = {
   forceSubmitDeliveredToSurface,  // #544/#537/Bug B: PTY-native force-confirm (pty_cr = delivered)
   terminalLevelSubmit,            // #544: PTY-only submit path (pty_cr | null)
   submitViaPty,                   // #544: bare-0x0D submit into the innermost node-pty
+  runSubmitAll,                   // #546: submit-all via PTY for every backend (no cmux send-key)
   failBootstrapQueueOnTimeout,    // #31: actionable bootstrap-timeout queue flush
   shouldApplyOwnerAliveFloor,     // #29: owner-alive optimistic-floor decision (deps DI: isProcessRunning/...)
   scheduleBootstrapPromptPoll,    // #29: arms the floor timer (deps DI: setTimeout/...)
   decideSurfaceGc,                // #17: surface-liveness verdict→action (incl. INV-17 unknown→skip)
   applySurfaceMismatchProbe,      // surface_mismatched debounce + payload helper (deps DI: emit/clock)
+  classifyPeerLaneInject,         // #533 Phase 2: pure peer-lane inject policy verdict
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@dmsdc-ai/aigentry-telepty",
-  "version": "0.5.5",
+  "version": "0.5.7",
   "main": "daemon.js",
   "bin": {
     "aigentry-telepty": "install.js",
@@ -35,9 +35,9 @@
   ],
   "scripts": {
     "postinstall": "node scripts/postinstall.js",
-    "test": "node --test test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
-    "test:watch": "node --test --watch test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js",
-    "test:ci": "node --test --test-reporter=spec test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
+    "test": "node --test test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
+    "test:watch": "node --test --watch test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js",
+    "test:ci": "node --test --test-reporter=spec test/auth.test.js test/http-auth.test.js test/daemon.test.js test/daemon-singleton.test.js test/integration/daemon-launch.test.js test/cli.test.js test/telepty-kill.test.js test/idle-ttl.test.js test/telepty-clean-older-than.test.js test/lifecycle-transport-agnostic.test.js test/skill-installer.test.js test/interactive-terminal.test.js test/runtime-info.test.js test/session-routing.test.js test/session-state.test.js test/session-store-persistence.test.js test/mailbox-lock.test.js test/report-enforcement.test.js test/enforce-report.test.js test/peer-inject-validator.test.js test/enforce-submit-gate.test.js test/submit-gate.test.js test/submit-via-pty.test.js test/prompt-symbol-registry.test.js test/inject-submit-flags.test.js test/inject-submit-force-env.test.js test/host-spec.test.js test/cross-host-inject.test.js test/cross-machine-ssh-routing.test.js test/init.test.js test/win-resolve-executable.test.js test/version-handshake.test.js test/win-kill-process.test.js test/daemon-control-port-owner.test.js test/banner-stderr-jq-safety.test.js test/bridge-supervisor-ipc.test.js test/bridge-j3-shim.test.js test/bridge-e2e.test.js test/release-0.4.5-bugfixes.test.js && git diff --exit-code tests/snippet-protocol/v1/",
     "typecheck": "tsc --noEmit",
     "regen-fixtures": "node scripts/regen-snippet-fixtures.js"
   },

package/session-state.js

@@ -356,8 +356,7 @@ class SessionStateMachine {
     });
   }
 
-  _tick() {
-    const now = Date.now();
+  _tick(now = Date.now()) {
     const silenceMs = now - this._lastOutputAt;
 
     // Don't override lifecycle states
@@ -389,6 +388,16 @@ class SessionStateMachine {
         : '';
 
       const hasOsc133 = this._lastOsc133At && (now - this._lastOsc133At) < this.config.idle_timeout_ms * 2;
+
+      // #545: a THINKING session that merely went quiet is STILL thinking. The claude TUI
+      // input-box glyph (›/❯) false-matches PROMPT_PATTERNS and pure silence flips at 0.6, so
+      // a weak signal would wrongly end thinking. Only a reliable REPL-done mark (OSC 133) may.
+      // WORKING is intentionally NOT guarded — a real shell prompt `$ ` legitimately settles
+      // working→idle (test 255); the daemon real-idle gate covers the residual WORKING case.
+      if (this._state === STATES.THINKING && !hasOsc133) {
+        return;
+      }
+
       const hasPrompt = this._matchesAny(lastLine, PROMPT_PATTERNS);
       const confidence = hasOsc133 ? 0.95 : (hasPrompt ? 0.9 : 0.6);
 

package/terminal-backend.js

@@ -107,24 +107,6 @@ function cmuxSendText(sessionId, text) {
   }
 }
 
-// Send enter key to a cmux surface
-function cmuxSendEnter(sessionId) {
-  const surface = findSurface(sessionId);
-  if (!surface) return false;
-
-  try {
-    execSync(`cmux send-key --surface ${surface} return`, {
-      timeout: 5000, stdio: ['pipe', 'pipe', 'pipe']
-    });
-    console.log(`[BACKEND] cmux send-key return to ${sessionId} (${surface})`);
-    return true;
-  } catch (err) {
-    console.error(`[BACKEND] cmux send-key failed for ${sessionId}:`, err.message);
-    surfaceCache.delete(sessionId);
-    return false;
-  }
-}
-
 // Invalidate cache for a session (e.g., when surface changes)
 function invalidateCache(sessionId) {
   surfaceCache.delete(sessionId);
@@ -534,7 +516,6 @@ module.exports = {
   detectTerminal,
   findSurface,
   cmuxSendText,
-  cmuxSendEnter,
   refreshSurfaceCache,
   invalidateCache,
   clearCache,