@evomap/evolver 1.89.2 → 1.89.3

package/src/adapters/scripts/_lockPaths.js

@@ -0,0 +1,74 @@
+// _lockPaths.js
+// Single source of truth for the daemon singleton-lock location and lease
+// tunables, shared by the daemon (index.js) and the session-start hook's
+// auto-restart guard (evolver-session-start.js).
+//
+// Issue #176: the hook used to replicate this logic inline ("keep index.js
+// out of the hook's require graph"), which could silently diverge whenever
+// the daemon's lock resolution changed. This module keeps that property —
+// it depends only on fs/os/path — while making divergence structurally
+// impossible.
+//
+// Deployed-layout constraint (PR #163): hook scripts are COPIED into the
+// host's hooks dir (e.g. `.claude/hooks/`) and run from there, so every
+// same-dir helper they require must be a sibling file listed in
+// hookAdapter.js's copy/remove lists (enforced by test/adapters.test.js).
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+
+// Round-4 (see the history note above index.js's daemon-lock block): the
+// pidfile previously defaulted to __dirname, which differs per install mode
+// (global install vs dev clone vs npx cache), so two daemons launched under
+// different install modes never saw each other's lock. Default now lives
+// under the per-user state dir so all install modes converge.
+// EVOLVER_LOCK_DIR still overrides for tests / sandboxed runs — note the
+// basename differs from the default in that case (`evolver.pid` vs
+// `instance.lock`).
+function getLockFilePath(env) {
+  const e = env || process.env;
+  if (e.EVOLVER_LOCK_DIR) {
+    return path.join(e.EVOLVER_LOCK_DIR, 'evolver.pid');
+  }
+  // os.homedir() is cross-platform; process.env.HOME is unset on Windows.
+  return path.join(os.homedir(), '.evomap', 'instance.lock');
+}
+
+// Round-9: lease tunables for the daemon lock. A live daemon refreshes the
+// lock mtime every LOCK_REFRESH_MS; a lock whose mtime is older than
+// STALE_LOCK_TTL_MS (and that was written by a lease-aware daemon) is
+// treated as stale even if its PID happens to be alive — closing the
+// "crash + PID reuse -> new daemon silently refuses to start" hole and the
+// "SIGKILL leaves a stale lock nobody reclaims" hole. The TTL is well above
+// the heartbeat interval (default 6min) so a healthy daemon never trips it.
+// On Windows, SIGTERM is implemented as TerminateProcess() (not a catchable
+// signal), so the daemon's releaseLock() never runs and the lock file stays
+// on disk with the dead PID — hence the shorter Windows TTL, with a 1-min
+// refresh (3x margin against transient FS hiccups). Unix: 5 min TTL is
+// 2.5x the 2-min refresh cadence.
+const STALE_LOCK_TTL_MS = process.platform === 'win32' ? 3 * 60_000 : 5 * 60_000;
+const LOCK_REFRESH_MS = process.platform === 'win32' ? 1 * 60_000 : 2 * 60_000;
+
+// Returns true if the lock was written by a lease-aware daemon AND its
+// mtime is older than the stale TTL — i.e. no live owner is refreshing it,
+// so it is safe to treat the recorded PID as dead regardless of whether
+// process.kill(pid, 0) resolves (the PID may have been reused). Locks
+// written by pre-lease daemons (payload.lease !== true) are never judged
+// stale by mtime, so we never falsely steal an older daemon's lock.
+function lockIsStaleByLease(lockFile, payload) {
+  if (!payload || payload.lease !== true) return false;
+  try {
+    const ageMs = Date.now() - fs.statSync(lockFile).mtimeMs;
+    return ageMs > STALE_LOCK_TTL_MS;
+  } catch (_) {
+    return false;
+  }
+}
+
+module.exports = {
+  getLockFilePath,
+  lockIsStaleByLease,
+  STALE_LOCK_TTL_MS,
+  LOCK_REFRESH_MS,
+};

package/src/adapters/scripts/evolver-session-start.js

@@ -9,6 +9,10 @@ const os = require('os');
 
 const { findEvolverRoot, findMemoryGraph, resolveProjectDir, resolveWorkspaceId, isGitWorkspace } = require('./_runtimePaths');
 const { filterRelevantOutcomes } = require('./_memoryFiltering');
+// Top-level on purpose: a missing sibling helper in the deployed hooks dir
+// must fail LOUD at load time (the #547 failure mode), not vanish inside
+// _maybeRestartDaemon's catch-all and silently disable daemon auto-restart.
+const lockPaths = require('./_lockPaths');
 
 // Auto-restart guard: if the evolver daemon is not running when a new agent
 // session starts, attempt a background restart. This covers the "idle-death"
@@ -35,43 +39,31 @@ function _maybeRestartDaemon(evolverRoot) {
     if (!lifecyclePath || !fs.existsSync(lifecyclePath)) return;
 
     // Check if daemon is running by looking for the PID file / lock file.
-    // R12: index.js:getLockFilePath honors EVOLVER_LOCK_DIR. If that env is
-    // set the lock file lives at <EVOLVER_LOCK_DIR>/evolver.pid (basename
-    // differs from the default!); otherwise fall back to the canonical
-    // ~/.evomap/instance.lock. We replicate the logic inline rather than
-    // importing index.js, since pulling the daemon module into the hook
-    // would load far more than we need.
-    var lockFile = process.env.EVOLVER_LOCK_DIR
-      ? path.join(process.env.EVOLVER_LOCK_DIR, 'evolver.pid')
-      : path.join(os.homedir(), '.evomap', 'instance.lock');
-    // R1: PID-reuse defense. process.kill(pid, 0) only proves SOME process
-    // owns that PID -- after macOS sleep / OOM, the kernel may have reused
-    // the slain daemon's PID for an unrelated process (Chrome tab, shell).
-    // Mirror index.js:_lockIsStaleByLease (search for STALE_LOCK_TTL_MS
-    // around line 373): a lease-aware daemon refreshes the lock mtime on a
-    // timer, so if mtime is older than the TTL the daemon is dead/wedged
-    // regardless of kill(0). Constants inlined to keep index.js out of the
-    // hook's require graph.
-    var STALE_LOCK_TTL_MS = process.platform === 'win32' ? 3 * 60_000 : 5 * 60_000;
+    // Lock resolution + lease staleness live in ./_lockPaths (issue #176) —
+    // the same module index.js uses, so the hook can never drift from the
+    // daemon again. It is fs/os/path-only, keeping index.js out of the
+    // hook's require graph (R12), and ships in hookAdapter.js's copy list
+    // for the deployed `.claude/hooks/` layout (PR #163).
+    var lockFile = lockPaths.getLockFilePath();
     var daemonRunning = false;
     try {
       if (fs.existsSync(lockFile)) {
         var raw = fs.readFileSync(lockFile, 'utf8').trim();
         var payload = raw && raw[0] === '{' ? JSON.parse(raw) : { pid: parseInt(raw, 10) };
         if (payload && payload.pid > 0) {
+          // R1: PID-reuse defense. process.kill(pid, 0) only proves SOME
+          // process owns that PID -- after macOS sleep / OOM, the kernel may
+          // have reused the slain daemon's PID for an unrelated process.
           try { process.kill(payload.pid, 0); daemonRunning = true; } catch (e) {
             // EPERM = process exists but owned by a different user; still a live daemon.
             if (e && e.code === 'EPERM') daemonRunning = true;
           }
-          // Lease staleness overrides kill(0)=alive. Only trust mtime when
-          // the payload came from a lease-aware daemon (matches index.js's
-          // _lockIsStaleByLease guard) so we never falsely steal an older
-          // pre-lease daemon's lock.
-          if (daemonRunning && payload.lease === true) {
-            try {
-              var ageMs = Date.now() - fs.statSync(lockFile).mtimeMs;
-              if (ageMs > STALE_LOCK_TTL_MS) daemonRunning = false;
-            } catch (_) { /* stat failed: leave running flag as-is */ }
+          // Lease staleness overrides kill(0)=alive: a lease-aware daemon
+          // refreshes the lock mtime on a timer, so an expired lease means
+          // dead/wedged regardless of kill(0). Pre-lease locks are never
+          // judged stale by mtime (lockIsStaleByLease handles both).
+          if (daemonRunning && lockPaths.lockIsStaleByLease(lockFile, payload)) {
+            daemonRunning = false;
           }
         }
       }