@harperfast/harper-pro 5.0.1 → 5.0.2

package/analytics/profile.ts

@@ -6,6 +6,10 @@ import { recordAction } from '../core/resources/analytics/write.ts';
 import { getHdbBasePath } from '../core/utility/environment/environmentManager.js';
 import { PACKAGE_ROOT } from '../core/utility/packageUtils.js';
 import { realpathSync, readFileSync, readdirSync } from 'node:fs';
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+
+const execFileAsync = promisify(execFile);
 import { time as timeProfiler } from '@datadog/pprof';
 import { getWorkerIndex } from '../core/server/threads/manageThreads.js';
 import * as log from '../core/utility/logging/harper_logger.js';
@@ -42,6 +46,7 @@ export function handleApplication({ options }: Scope) {
 	}, 1000); // wait for everything to load before we start the profiler
 }
 let lastChildCpuTime = 0;
+let gpuAvailable = true;
 
 export async function captureProfile(delayToNextCapture = (capturePeriod ?? 60) * 1000): Promise<void> {
 	clearTimeout(profilerTimer);
@@ -58,6 +63,8 @@ export async function captureProfile(delayToNextCapture = (capturePeriod ?? 60)
 	const samplesByLocationId = new Map<number, number>();
 	let totalUserCount = 0;
 	let totalHarperCount = 0;
+	// Start GPU measurement early so it runs in parallel with CPU profiling work
+	const gpuPromise = getWorkerIndex() === 0 && gpuAvailable ? getGpuUtilization() : null;
 	try {
 		const profile = timeProfiler.stop(true);
 		const strings = profile.stringTable.strings;
@@ -89,6 +96,11 @@ export async function captureProfile(delayToNextCapture = (capturePeriod ?? 60)
 					recordAction(childCpuTimeInInterval, 'cpu-usage', 'user', 'child-processes');
 				lastChildCpuTime = childCpuTime;
 			}
+			// Record GPU utilization for this process and child processes
+			const gpuSeconds = await gpuPromise;
+			if (gpuSeconds !== null) {
+				recordAction(gpuSeconds, 'gpu-usage', 'user');
+			}
 		}
 	} catch (error) {
 		log.error?.('analytics profiler error:', error);
@@ -177,6 +189,41 @@ function getChildProcessCpuTime(): number | null {
 	}
 }
 
+/**
+ * Get the total SM (shader/streaming multiprocessor) utilization percentage across all GPUs
+ * for this process and all descendant processes.
+ * Uses nvidia-smi pmon for per-process GPU utilization.
+ * Only works on Linux with NVIDIA GPUs. Returns null if unavailable.
+ */
+async function getGpuUtilization(): Promise<number | null> {
+	try {
+		const currentPid = process.pid;
+		const descendants = findAllDescendants(currentPid);
+		const pidsToMonitor = new Set([currentPid, ...descendants]);
+
+		const { stdout } = await execFileAsync('nvidia-smi', ['pmon', '-c', '1', '-s', 'u']);
+
+		let totalSmPercent = 0;
+		for (const line of stdout.split('\n')) {
+			if (line.startsWith('#') || !line.trim()) continue;
+			const parts = line.trim().split(/\s+/);
+			// pmon -s u format: gpu pid type fb sm enc dec jpg ofa command
+			if (parts.length < 5) continue;
+			const pid = parseInt(parts[1], 10);
+			if (isNaN(pid) || !pidsToMonitor.has(pid)) continue;
+			const sm = parseInt(parts[4], 10); // SM utilization %
+			if (!isNaN(sm)) totalSmPercent += sm;
+		}
+
+		// Convert SM utilization % to GPU-seconds over the capture period
+		// e.g. 50% utilization over 60s = 30 GPU-seconds
+		return (totalSmPercent / 100) * (capturePeriod / 1000);
+	} catch {
+		gpuAvailable = false;
+		return null;
+	}
+}
+
 /**
  * Recursively find all descendant PIDs of the given parent PID.
  */

package/core/components/Application.ts

@@ -172,15 +172,30 @@ export async function extractApplication(application: Application) {
 				}
 			}
 		} else {
-			// Given a package, resolve using `npm pack` (downloads the package as a tarball and writes the path to stdout)
-			const {
-				stdout: tarballFilePath,
-				code,
-				stderr,
-			} = await nonInteractiveSpawn(application.name, 'npm', ['pack', application.packageIdentifier], parentDirPath);
-			if (code !== 0) throw new Error(`Failed to download package ${application.packageIdentifier}: ${stderr}`);
-			tarballPath = join(parentDirPath, tarballFilePath.trim());
-			// Create a Readable from the tarball
+			// `npm pack --json` writes a JSON array describing the packed tarball(s).
+			const { stdout, code, stderr } = await nonInteractiveSpawn(
+				application.name,
+				'npm',
+				['pack', '--json', application.packageIdentifier],
+				parentDirPath
+			);
+			if (code !== 0) {
+				throw new Error(`Failed to download package ${application.packageIdentifier}: ${stderr}`);
+			}
+
+			let packResult: Array<{ filename: string }>;
+			try {
+				packResult = JSON.parse(stdout.slice(stdout.indexOf('[')));
+			} catch (err) {
+				throw new Error(
+					`Failed to parse npm pack output for ${application.packageIdentifier}: ${err.message}\nstdout: ${stdout}`
+				);
+			}
+			if (!Array.isArray(packResult) || typeof packResult[0]?.filename !== 'string') {
+				throw new Error(`Unexpected npm pack output for ${application.packageIdentifier}:\n${stdout}`);
+			}
+
+			tarballPath = join(parentDirPath, packResult[0].filename);
 			tarball = createReadStream(tarballPath);
 		}
 	}

package/core/components/ApplicationScope.ts

@@ -21,10 +21,10 @@ export class ApplicationScope {
 	server: Server;
 	mode?: 'native' | 'vm' | 'vm-current-context' | 'compartment'; // option to set this from the scope
 	dependencyLoader?: 'native' | 'app' | 'auto'; // option to set this from the scope
-	verifyPath?: string;
+	allowedPath?: string;
 	config: any;
 	moduleCache: any; // used by the loader to retain a cache of modules, type is an internal detail of the loader
-	constructor(name: string, resources: Resources, server: Server, isInternal = false, verifyPath?: string) {
+	constructor(name: string, resources: Resources, server: Server, isInternal = false) {
 		this.logger = forComponent(name, !isInternal);
 
 		this.resources = resources;
@@ -32,7 +32,6 @@ export class ApplicationScope {
 
 		this.mode = env.get(CONFIG_PARAMS.APPLICATIONS_MODULELOADER) ?? 'vm';
 		this.dependencyLoader = env.get(CONFIG_PARAMS.APPLICATIONS_DEPENDENCYLOADER);
-		this.verifyPath = verifyPath;
 	}
 
 	/**

package/core/components/componentLoader.ts

@@ -274,7 +274,7 @@ export async function loadComponent(
 		autoReload,
 		appName,
 	} = options;
-	applicationScope.verifyPath ??= componentDirectory;
+	applicationScope.allowedPath ??= realpathSync(componentDirectory);
 	if (providedLoadedComponents) loadedComponents = providedLoadedComponents;
 	try {
 		let config;
@@ -326,8 +326,13 @@ export async function loadComponent(
 
 			let extensionModule: any;
 			const pkg = componentConfig.package;
+			const loadComponentOption = componentConfig.loadComponent ?? 'always';
 			try {
 				if (pkg) {
+					if (loadComponentOption === 'dev-only' && !process.env.DEV_MODE) {
+						componentLifecycle.loaded(componentStatusName, `Component '${componentStatusName}' skipped (dev-only)`);
+						continue;
+					}
 					let componentPath: string | null = null;
 					if (isRoot) {
 						componentPath = join(componentDirectory, 'components', componentName);
@@ -344,7 +349,7 @@ export async function loadComponent(
 						}
 					}
 					if (componentPath) {
-						subApplicationScope.verifyPath ??= componentPath;
+						subApplicationScope.allowedPath ??= realpathSync(componentPath);
 						if (!process.env.HARPER_SAFE_MODE) {
 							extensionModule = await loadComponent(componentPath, resources, origin, {
 								isRoot: false,
@@ -354,6 +359,12 @@ export async function loadComponent(
 							});
 							componentFunctionality[componentName] = true;
 						}
+					} else if (loadComponentOption === 'if-installed') {
+						componentLifecycle.loaded(
+							componentStatusName,
+							`Component '${componentStatusName}' skipped (not installed)`
+						);
+						continue;
 					} else {
 						throw new Error(`Unable to find package ${componentName}:${pkg}`);
 					}

package/core/config/harperConfigEnvVars.ts

@@ -15,6 +15,7 @@ import type { Logger } from '../utility/logging/logger.ts';
 import * as fs from 'fs-extra';
 import * as path from 'node:path';
 import * as crypto from 'node:crypto';
+import { cloneDeep } from 'lodash';
 import { getBackupDirPath } from './configHelpers.ts';
 
 const STATE_FILE_NAME = '.harper-config-state.json';
@@ -590,6 +591,39 @@ function cleanupRemovedEnvVar(
 	logger.debug?.(`${envVarName} removed, cleaned up values`);
 }
 
+/**
+ * Compose a merged config from HARPER_DEFAULT_CONFIG and HARPER_SET_CONFIG
+ * layered with an optional base. Later layers win:
+ *   HARPER_DEFAULT_CONFIG  <  base  <  HARPER_SET_CONFIG
+ *
+ * HARPER_DEFAULT_CONFIG provides scaffolding defaults, the base (e.g., the
+ * user's existing config file) is layered on top, and HARPER_SET_CONFIG
+ * force-overrides everything. This matches the precedence applied by the
+ * runtime pipeline in applyRuntimeEnvConfig.
+ *
+ * Unlike applyRuntimeEnvConfig, this does NOT read or write the config state
+ * file and does NOT track sources — it returns a fresh object. Use when you
+ * need the effective value of a config key before the state/file wiring is in
+ * place (e.g., during clone / pre-install).
+ */
+export function composeConfigFromEnv(base: ConfigObject = {}): ConfigObject {
+	const result: ConfigObject = {};
+	const layers: (ConfigObject | null)[] = [
+		parseConfigEnvVar(process.env.HARPER_DEFAULT_CONFIG, 'HARPER_DEFAULT_CONFIG'),
+		cloneDeep(base),
+		parseConfigEnvVar(process.env.HARPER_SET_CONFIG, 'HARPER_SET_CONFIG'),
+	];
+
+	for (const layer of layers) {
+		if (!layer) continue;
+		for (const [p, value] of Object.entries(flattenObject(layer))) {
+			setNestedValue(result, p, value);
+		}
+	}
+
+	return result;
+}
+
 /**
  * Apply HARPER_DEFAULT_CONFIG and HARPER_SET_CONFIG
  * Can be used for both install-time and runtime

package/core/resources/Table.ts

@@ -2262,7 +2262,9 @@ export function makeTable(options) {
 						return (entryA, entryB) => {
 							const a = getAttributeValue(entryA, order.attribute, context);
 							const b = getAttributeValue(entryB, order.attribute, context);
-							const diff = descending ? compareKeys(b, a) : compareKeys(a, b);
+							const diff = descending
+								? compareKeys(convertToComparableKeys(b), convertToComparableKeys(a))
+								: compareKeys(convertToComparableKeys(a), convertToComparableKeys(b));
 							if (diff === 0) return nextComparator?.(entryA, entryB) || 0;
 							return diff;
 						};
@@ -4572,3 +4574,12 @@ function hasOtherProcesses(store) {
 			return +line.match(/\d+/)?.[0] != pid;
 		});
 }
+function convertToComparableKeys(a) {
+	if (a instanceof Date) {
+		return a.getTime();
+	}
+	if (Array.isArray(a)) {
+		return a.map(convertToComparableKeys);
+	}
+	return a;
+}

package/core/resources/analytics/write.ts

@@ -219,15 +219,12 @@ export async function recordHostname() {
 	const nodeId = stableNodeId(hostname);
 	log.trace?.('recordHostname nodeId:', nodeId);
 	const hostnamesTable = getAnalyticsHostnameTable();
-	const record = await hostnamesTable.get(nodeId);
-	if (!record) {
-		const hostnameRecord = {
-			id: nodeId,
-			hostname,
-		};
-		log.trace?.(`recordHostname storing hostname: ${JSON.stringify(hostnameRecord)}`);
-		await hostnamesTable.put(hostnameRecord.id, hostnameRecord);
-	}
+	const hostnameRecord = {
+		id: nodeId,
+		hostname,
+	};
+	log.trace?.(`recordHostname storing hostname: ${JSON.stringify(hostnameRecord)}`);
+	await hostnamesTable.put(hostnameRecord.id, hostnameRecord);
 }
 
 export interface Metric {
@@ -514,7 +511,7 @@ async function aggregation(fromPeriod, toPeriod = 60000) {
 		await rest();
 	}
 	for (const entry of threadsToAverage) {
-		// eslint-disable-next-line @typescript-eslint/no-unused-vars,prefer-const
+		// eslint-disable-next-line @typescript-eslint/no-unused-vars
 		let { path, method, type, metric, count, total, distribution, threads, ...measures } = entry;
 		threads = threads.filter((thread) => thread);
 		for (const measureName in measures) {

package/core/resources/indexes/HierarchicalNavigableSmallWorld.ts

@@ -130,8 +130,8 @@ export class HierarchicalNavigableSmallWorld {
 			// Generate random level for this new element
 			const level = oldNode.level ?? Math.min(Math.floor(-Math.log(Math.random()) * this.mL), MAX_LEVEL);
 			let currentLevel = entryPoint.level;
-			if (level >= currentLevel) {
-				// if we are at this level or higher, make this the new entry point
+			if (level > currentLevel) {
+				// if we are at a higher level, make this the new entry point
 				if (typeof nodeId !== 'number') {
 					throw new Error('Invalid nodeId: ' + nodeId);
 				}
@@ -232,6 +232,19 @@ export class HierarchicalNavigableSmallWorld {
 							oldNode[l] = oldConnections;
 						}
 						oldConnections.splice(oldPosition, 1);
+						// update the distance in the reverse connection if the vector changed
+						if (oldConnection.distance !== distance) {
+							const neighborNode = updateNode(id, node);
+							if (neighborNode[l]) {
+								if (Object.isFrozen(neighborNode[l])) {
+									neighborNode[l] = neighborNode[l].slice();
+								}
+								const reverseIdx = neighborNode[l].findIndex(({ id: nid }) => nid === nodeId);
+								if (reverseIdx >= 0) {
+									neighborNode[l][reverseIdx] = { id: nodeId, distance };
+								}
+							}
+						}
 					} else {
 						// add new connection since this is truly a new connection now
 						this.addConnection(id, updateNode(id, node), nodeId, l, distance, updateNode, options);
@@ -360,7 +373,7 @@ export class HierarchicalNavigableSmallWorld {
 		const candidates = [
 			{
 				id: entryPointId,
-				distance: this.distance(queryVector, entryPoint.vector),
+				distance: distanceFunction(queryVector, entryPoint.vector),
 				node: entryPoint,
 			},
 		];
@@ -531,10 +544,13 @@ export class HierarchicalNavigableSmallWorld {
 				if (removedNode) {
 					// Remove the reverse connection if it exists
 					if (removedNode[level]) {
-						removedNode = updateNode(removed.id, removedNode);
-						removedNode[level] = removedNode[level].filter(({ id }) => id !== fromId);
-						if (level === 0 && removedNode[level].length === 0) {
-							logger.info?.('should not remove last connection', fromId, toId);
+						const filtered = removedNode[level].filter(({ id }) => id !== fromId);
+						if (level === 0 && filtered.length === 0) {
+							// don't remove the last connection at level 0 — it would orphan this node
+							logger.info?.('skipping removal of last connection', fromId, toId);
+						} else {
+							removedNode = updateNode(removed.id, removedNode);
+							removedNode[level] = filtered;
 						}
 					}
 				}

package/core/security/jsLoader.ts

@@ -14,7 +14,16 @@ import * as child_process from 'node:child_process';
 import { CONFIG_PARAMS } from '../utility/hdbTerms.ts';
 import { contentTypes } from '../server/serverHelpers/contentTypes.ts';
 import type { CompartmentOptions } from 'ses';
-import { mkdirSync, readFileSync, writeFileSync, unlinkSync, openSync, closeSync, statSync } from 'node:fs';
+import {
+	mkdirSync,
+	readFileSync,
+	writeFileSync,
+	unlinkSync,
+	openSync,
+	closeSync,
+	statSync,
+	realpathSync,
+} from 'node:fs';
 import { join } from 'node:path';
 import { EventEmitter } from 'node:events';
 import { whenComponentsLoaded } from '../server/threads/threadServer.js';
@@ -495,13 +504,13 @@ async function loadModuleWithVM(moduleUrl: string, scope: ApplicationScope, useC
 		}
 
 		if (url.startsWith('file://') && usePrivateGlobal) {
-			checkAllowedModulePath(url, scope.verifyPath);
+			checkAllowedModulePath(url, scope.allowedPath);
 			const source = readFileSync(new URL(url), { encoding: 'utf-8' });
 			return createModuleFromSource(url, source, usePrivateGlobal);
 		}
 
 		// For Node.js built-in modules (node:) and npm packages without application loader for dependency
-		const replacedModule = checkAllowedModulePath(url, scope.verifyPath);
+		const replacedModule = checkAllowedModulePath(url, scope.allowedPath);
 		if (replacedModule) {
 			return createSyntheticModule(url, normalizeImportedModule(replacedModule));
 		}
@@ -570,7 +579,7 @@ async function getCompartment(scope: ApplicationScope, globals) {
 					}
 					return new StaticModuleRecord(moduleText, moduleSpecifier);
 				} else {
-					checkAllowedModulePath(moduleSpecifier, scope.verifyPath);
+					checkAllowedModulePath(moduleSpecifier, scope.allowedPath);
 					const moduleExports = await import(moduleSpecifier);
 					return {
 						imports: [],
@@ -761,23 +770,54 @@ function isProcessRunning(pid: number): boolean {
  * Acquires an exclusive lock using the PID file itself (synchronously with busy-wait)
  * Returns 0 if lock was acquired (need to spawn new process), or the existing PID if process is running
  */
-function acquirePidFileLock(pidFilePath: string, maxRetries = 100, retryDelay = 5): number {
+function parsePidFile(content: string): { pid: number; version: number } {
+	const lines = content.trim().split('\n');
+	const pid = Number.parseInt(lines[0], 10);
+	const version = lines.length > 1 ? parseInt(lines[1], 10) : 0;
+	return { pid, version };
+}
+
+function acquirePidFileLock(
+	pidFilePath: string,
+	requestedVersion?: number,
+	maxRetries = 100,
+	retryDelay = 5
+): { pid: number; version: number } {
 	for (let attempt = 0; attempt < maxRetries; attempt++) {
 		try {
 			// Try to open exclusively - 'wx' fails if file exists
 			const fd = openSync(pidFilePath, 'wx');
 			closeSync(fd);
-			return 0; // Successfully acquired lock (file created), caller should spawn process
+			return { pid: 0, version: 0 }; // Successfully acquired lock (file created), caller should spawn process
 		} catch (err) {
 			if (err.code === 'EEXIST') {
 				// File exists - check if it contains a valid running process
 				try {
 					const pidContent = readFileSync(pidFilePath, 'utf-8');
-					const existingPid = parseInt(pidContent.trim(), 10);
+					const { pid: existingPid, version: existingVersion } = parsePidFile(pidContent);
 
 					if (!isNaN(existingPid) && isProcessRunning(existingPid)) {
-						// Valid process is running, return its PID immediately
-						return existingPid;
+						// If the version isn't the one we want, kill the existing process and re-acquire
+						if (requestedVersion != null && requestedVersion !== existingVersion) {
+							try {
+								process.kill(existingPid);
+							} catch {
+								// Process may have already exited
+							}
+							try {
+								unlinkSync(pidFilePath);
+							} catch {
+								// Another thread may have removed it
+							}
+							// Retry to acquire the lock for the new version
+							const start = Date.now();
+							while (Date.now() - start < retryDelay) {
+								// Busy wait for process cleanup
+							}
+							continue;
+						}
+						// Valid process is running at same or higher version, return its PID
+						return { pid: existingPid, version: existingVersion };
 					}
 
 					// Invalid/empty PID - check file age to determine if it's stale or being written
@@ -824,6 +864,7 @@ function createSpawn(spawnFunction: (...args: any) => child_process.ChildProcess
 			throw new Error(
 				`Calling ${spawnFunction.name} in Harper must have a process "name" in the options to ensure that a single process is started and reused`
 			);
+		const requestedVersion = options?.version;
 
 		// Ensure PID directory exists
 		const pidDir = join(basePath, 'pids');
@@ -831,20 +872,22 @@ function createSpawn(spawnFunction: (...args: any) => child_process.ChildProcess
 
 		const pidFilePath = join(pidDir, `${processName}.pid`);
 
-		// Try to acquire lock - returns 0 if acquired, or existing PID
-		const existingPid = acquirePidFileLock(pidFilePath);
+		// Try to acquire lock - returns pid: 0 if acquired, or existing PID/version
+		const existing = acquirePidFileLock(pidFilePath, requestedVersion);
 
-		if (existingPid !== 0) {
+		if (existing.pid !== 0) {
 			// Existing process is running, return wrapper
-			return new ExistingProcessWrapper(existingPid);
+			return new ExistingProcessWrapper(existing.pid);
 		}
 
 		// We acquired the lock (file was created), spawn new process
 		const childProcess = spawnFunction(command, args, options, callback);
 
-		// Write PID to the file we just created
+		// Write PID (and version if provided) to the file we just created
+		const pidFileContent =
+			requestedVersion != null ? `${childProcess.pid}\n${requestedVersion}` : childProcess.pid.toString();
 		try {
-			writeFileSync(pidFilePath, childProcess.pid.toString(), 'utf-8');
+			writeFileSync(pidFilePath, pidFileContent, 'utf-8');
 		} catch (err) {
 			// Failed to write PID, clean up
 			try {
@@ -869,21 +912,24 @@ function createSpawn(spawnFunction: (...args: any) => child_process.ChildProcess
 
 /**
  * Validates whether a module can be loaded based on security restrictions and returns the module path or replacement.
- * For file URLs, ensures the module is within the containing folder.
+ * For file URLs, ensures the module is within the allowed path.
  * For node built-in modules, checks against an allowlist and returns any replacements.
  *
  * @param {string} moduleUrl - The URL or identifier of the module to be loaded, which may be a file: URL, node: URL, or bare module specifier.
- * @param {string} containingFolder - The absolute path of the folder that contains the application, used to validate file: URLs are within bounds.
+ * @param {string} allowedPath - The absolute path that the module is allowed to load from.
  * @return {any} Returns undefined for allowed file paths, or a replacement module identifier for allowed node built-in modules.
- * @throws {Error} Throws an error if the module is outside the application folder or if the module is not in the allowed list.
+ * @throws {Error} Throws an error if the module is outside the allowed path or if the module is not in the allowed list.
  */
-function checkAllowedModulePath(moduleUrl: string, containingFolder?: string): boolean {
+function checkAllowedModulePath(moduleUrl: string, allowedPath?: string): boolean {
 	if (moduleUrl.startsWith('file:')) {
-		const path = moduleUrl.slice(7);
-		if (!containingFolder || path.startsWith(containingFolder)) {
+		let path = moduleUrl.slice(7);
+		try {
+			path = realpathSync(path);
+		} catch {}
+		if (!allowedPath || path.startsWith(allowedPath)) {
 			return;
 		}
-		throw new Error(`Can not load module outside of application folder ${containingFolder}`);
+		throw new Error(`Can not load module outside of allowed path`);
 	}
 	let simpleName = moduleUrl.startsWith('node:') ? moduleUrl.slice(5) : moduleUrl;
 	simpleName = simpleName.split('/')[0];

package/core/security/user.ts

@@ -258,14 +258,16 @@ async function userInfo(body): Promise<string | User> {
 	}
 
 	let user = _.cloneDeep(body.hdb_user);
-	let roleData = await search.searchByHash({
-		schema: 'system',
-		table: 'hdb_role',
-		hash_values: [user.role.id],
-		get_attributes: ['*'],
-	});
+	let roleData =
+		user.role &&
+		(await search.searchByHash({
+			schema: 'system',
+			table: 'hdb_role',
+			hash_values: [user.role.id],
+			get_attributes: ['*'],
+		}));
 
-	user.role = roleData[0];
+	user.role = roleData?.[0];
 	delete user.password;
 	delete user.refresh_token;
 	delete user.hash;
@@ -429,7 +431,7 @@ async function getSuperUser(): Promise<User | undefined> {
 		await setUsersWithRolesCache();
 	}
 	for (let [, user] of usersWithRolesMap) {
-		if (user.role.role === 'super_user') return user;
+		if (user.role?.role === 'super_user') return user;
 	}
 }
 

package/core/static/defaultConfig.yaml

@@ -24,7 +24,7 @@ analytics:
   aggregatePeriod: 60
   replicate: false
 applications:
-  lockdown: freeze
+  lockdown: freeze-after-load
   moduleLoader: vm
   dependencyLoader: auto
   allowedSpawnCommands:

package/dist/analytics/profile.js

@@ -44,6 +44,9 @@ const write_ts_1 = require("../core/resources/analytics/write.js");
 const environmentManager_js_1 = require("../core/utility/environment/environmentManager.js");
 const packageUtils_js_1 = require("../core/utility/packageUtils.js");
 const node_fs_1 = require("node:fs");
+const node_child_process_1 = require("node:child_process");
+const node_util_1 = require("node:util");
+const execFileAsync = (0, node_util_1.promisify)(node_child_process_1.execFile);
 const pprof_1 = require("@datadog/pprof");
 const manageThreads_js_1 = require("../core/server/threads/manageThreads.js");
 const log = __importStar(require("../core/utility/logging/harper_logger.js"));
@@ -77,6 +80,7 @@ function handleApplication({ options }) {
     }, 1000); // wait for everything to load before we start the profiler
 }
 let lastChildCpuTime = 0;
+let gpuAvailable = true;
 async function captureProfile(delayToNextCapture = (capturePeriod ?? 60) * 1000) {
     clearTimeout(profilerTimer);
     if (!profilerStarted) {
@@ -92,6 +96,8 @@ async function captureProfile(delayToNextCapture = (capturePeriod ?? 60) * 1000)
     const samplesByLocationId = new Map();
     let totalUserCount = 0;
     let totalHarperCount = 0;
+    // Start GPU measurement early so it runs in parallel with CPU profiling work
+    const gpuPromise = (0, manageThreads_js_1.getWorkerIndex)() === 0 && gpuAvailable ? getGpuUtilization() : null;
     try {
         const profile = pprof_1.time.stop(true);
         const strings = profile.stringTable.strings;
@@ -122,6 +128,11 @@ async function captureProfile(delayToNextCapture = (capturePeriod ?? 60) * 1000)
                     (0, write_ts_1.recordAction)(childCpuTimeInInterval, 'cpu-usage', 'user', 'child-processes');
                 lastChildCpuTime = childCpuTime;
             }
+            // Record GPU utilization for this process and child processes
+            const gpuSeconds = await gpuPromise;
+            if (gpuSeconds !== null) {
+                (0, write_ts_1.recordAction)(gpuSeconds, 'gpu-usage', 'user');
+            }
         }
     }
     catch (error) {
@@ -211,6 +222,42 @@ function getChildProcessCpuTime() {
         return null;
     }
 }
+/**
+ * Get the total SM (shader/streaming multiprocessor) utilization percentage across all GPUs
+ * for this process and all descendant processes.
+ * Uses nvidia-smi pmon for per-process GPU utilization.
+ * Only works on Linux with NVIDIA GPUs. Returns null if unavailable.
+ */
+async function getGpuUtilization() {
+    try {
+        const currentPid = process.pid;
+        const descendants = findAllDescendants(currentPid);
+        const pidsToMonitor = new Set([currentPid, ...descendants]);
+        const { stdout } = await execFileAsync('nvidia-smi', ['pmon', '-c', '1', '-s', 'u']);
+        let totalSmPercent = 0;
+        for (const line of stdout.split('\n')) {
+            if (line.startsWith('#') || !line.trim())
+                continue;
+            const parts = line.trim().split(/\s+/);
+            // pmon -s u format: gpu pid type fb sm enc dec jpg ofa command
+            if (parts.length < 5)
+                continue;
+            const pid = parseInt(parts[1], 10);
+            if (isNaN(pid) || !pidsToMonitor.has(pid))
+                continue;
+            const sm = parseInt(parts[4], 10); // SM utilization %
+            if (!isNaN(sm))
+                totalSmPercent += sm;
+        }
+        // Convert SM utilization % to GPU-seconds over the capture period
+        // e.g. 50% utilization over 60s = 30 GPU-seconds
+        return (totalSmPercent / 100) * (capturePeriod / 1000);
+    }
+    catch {
+        gpuAvailable = false;
+        return null;
+    }
+}
 /**
  * Recursively find all descendant PIDs of the given parent PID.
  */