@integrity-labs/agt-cli 0.16.0 → 0.16.2

package/dist/{claude-pair-runtime-GS6AOYHS.js → claude-pair-runtime-Q7PNH3ZK.js}

@@ -1,6 +1,9 @@
 // src/lib/claude-pair-runtime.ts
 import { execFile } from "child_process";
 import { promisify } from "util";
+import { existsSync, statSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
 
 // src/lib/claude-pair-parser.ts
 var ANSI_ESC = String.fromCharCode(27);
@@ -97,7 +100,7 @@ async function spawnPairSession(session) {
     return { ok: true };
   } catch {
   }
-  const { resolveClaudeBinary } = await import("./persistent-session-VRS3MFQ3.js");
+  const { resolveClaudeBinary } = await import("./persistent-session-YEUFJMWF.js");
   const claudeBin = resolveClaudeBinary();
   try {
     await execFileAsync("tmux", [
@@ -128,6 +131,41 @@ async function spawnPairSession(session) {
   }
   return { ok: true };
 }
+async function finalizeClaudePairOnboarding(session, log, opts = {}) {
+  const maxIterations = opts.maxIterations ?? 10;
+  const intervalMs = opts.intervalMs ?? 1500;
+  const claudeJsonPath = opts.claudeJsonPath ?? join(homedir(), ".claude.json");
+  const initialMtime = existsSync(claudeJsonPath) ? statSync(claudeJsonPath).mtimeMs : 0;
+  for (let i = 0; i < maxIterations; i++) {
+    await sleep(intervalMs);
+    let pane;
+    try {
+      pane = await capturePane(session);
+    } catch (err) {
+      const classified = classifyTmuxError(err);
+      log(`[claude-pair] finalize: capture-pane failed (${classified.kind}); aborting onboarding flow`);
+      return { finalized: false, iterations: i };
+    }
+    if (pane.includes("Login successful") || pane.includes("Logged in as") || /Press Enter to continue/i.test(pane) || pane.includes("Security notes")) {
+      try {
+        await sendKeys(session, "C-m");
+      } catch {
+        log("[claude-pair] finalize: send-keys failed; aborting onboarding flow");
+        return { finalized: false, iterations: i };
+      }
+      continue;
+    }
+    if (existsSync(claudeJsonPath)) {
+      const mtime = statSync(claudeJsonPath).mtimeMs;
+      if (mtime > initialMtime) {
+        log(`[claude-pair] finalize: ~/.claude.json updated (after ${i + 1} dialog dismissal(s))`);
+        return { finalized: true, iterations: i + 1 };
+      }
+    }
+  }
+  log(`[claude-pair] finalize: reached ${maxIterations} iterations without ~/.claude.json being updated`);
+  return { finalized: false, iterations: maxIterations };
+}
 async function killPairSession(session) {
   try {
     await execFileAsync("tmux", ["kill-session", "-t", session]);
@@ -311,6 +349,7 @@ async function getClaudePairStatus(session) {
   return { kind: "idle" };
 }
 export {
+  finalizeClaudePairOnboarding,
   getClaudePairStatus,
   killPairSession,
   pairTmuxSession,
@@ -318,4 +357,4 @@ export {
   startClaudePair,
   submitClaudePairCode
 };
-//# sourceMappingURL=claude-pair-runtime-GS6AOYHS.js.map
+//# sourceMappingURL=claude-pair-runtime-Q7PNH3ZK.js.map

package/dist/claude-pair-runtime-Q7PNH3ZK.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/lib/claude-pair-runtime.ts","../src/lib/claude-pair-parser.ts"],"sourcesContent":["/**\n * ENG-4580: manager-side runtime for the Claude Code OAuth pairing flow.\n *\n * These functions own the actual tmux dance — sending `/login`,\n * polling the pane until Claude Code prints the OAuth URL, sending\n * the auth code, and detecting success/failure. They are the\n * counterpart to the pure parser in `claude-pair-parser.ts`.\n *\n * The API surface in ENG-4581 will wrap these — they don't include\n * any HTTP / DB code so the unit tests can target the parser layer\n * without spinning up a fake API. Errors are classified into the\n * `SessionError` shape so the API can translate them into structured\n * 4xx responses (e.g. `session_missing`).\n *\n * Architectural note: tmux capture-pane on a session that doesn't\n * exist exits non-zero with `can't find session`. Same goes for tmux\n * not being installed. classifyTmuxError covers both.\n */\n\nimport { execFile } from 'node:child_process';\nimport { promisify } from 'node:util';\nimport { existsSync, statSync } from 'node:fs';\nimport { join } from 'node:path';\nimport { homedir } from 'node:os';\n\nimport {\n  classifyTmuxError,\n  detectAuthOutcome,\n  extractOAuthUrl,\n  isUrlPromptReady,\n  type AuthOutcome,\n  type SessionError,\n} from './claude-pair-parser.js';\n\nconst execFileAsync = promisify(execFile);\n\n// Pair-scoped tmux session name. The pairing flow runs inside a\n// throwaway `claude` instance — never inside an agent's persistent\n// session — so first-time auth on a fresh host works (no chicken-and-\n// egg) and re-auth doesn't disrupt an in-flight agent conversation.\nexport function pairTmuxSession(pairId: string): string {\n  return `agt-pair-${pairId.slice(0, 12)}`;\n}\n\n// ---------------------------------------------------------------------------\n// Low-level helpers\n// ---------------------------------------------------------------------------\n\ninterface CapturePaneOpts {\n  /** How many lines of scrollback to include (negative = lines back). Default -200. */\n  scrollback?: number;\n}\n\nasync function capturePane(session: string, opts: CapturePaneOpts = {}): Promise<string> {\n  const scrollback = opts.scrollback ?? -200;\n  const { stdout } = await execFileAsync('tmux', [\n    'capture-pane',\n    '-t',\n    session,\n    '-p',\n    '-S',\n    String(scrollback),\n  ]);\n  return stdout;\n}\n\nasync function sendKeys(session: string, ...keys: string[]): Promise<void> {\n  await execFileAsync('tmux', ['send-keys', '-t', session, ...keys]);\n}\n\nasync function sleep(ms: number): Promise<void> {\n  return new Promise((r) => setTimeout(r, ms));\n}\n\n// ---------------------------------------------------------------------------\n// Pair-scoped tmux session lifecycle\n// ---------------------------------------------------------------------------\n\n/**\n * Spawn a throwaway tmux session running `claude` for the pairing flow.\n * Idempotent — if the session already exists, returns success silently.\n * Caller is responsible for `killPairSession` once the pair reaches a\n * terminal state.\n *\n * Uses an absolute path to the claude binary so we don't depend on the\n * inherited PATH (the manager runs with cloud-init's minimal env on\n * EC2). resolveClaudeBinary checks CLAUDE_PATH, then `which`, then\n * canonical Linux/macOS Homebrew install dirs.\n */\nexport async function spawnPairSession(session: string): Promise<{ ok: true } | { ok: false; error: SessionError }> {\n  try {\n    await execFileAsync('tmux', ['has-session', '-t', session]);\n    return { ok: true };\n  } catch {\n    // session doesn't exist yet — fall through to create it\n  }\n\n  const { resolveClaudeBinary } = await import('./persistent-session.js');\n  const claudeBin = resolveClaudeBinary();\n\n  try {\n    // -x 240 -y 50 — wide enough that Claude Code's OAuth URL (~350\n    // chars after PKCE expansion) doesn't soft-wrap. The dewrap pass in\n    // extractOAuthUrl handles any leftover wrapping, but giving the URL\n    // a single line in the first place is more robust against future\n    // claude UI changes.\n    await execFileAsync('tmux', [\n      'new-session',\n      '-d',\n      '-x',\n      '240',\n      '-y',\n      '50',\n      '-s',\n      session,\n      claudeBin,\n    ]);\n  } catch (err) {\n    return { ok: false, error: classifyTmuxError(err) };\n  }\n\n  // `tmux new-session` returns 0 even if the command exited immediately\n  // (binary missing, claude crashed, etc.) — the session is created and\n  // then torn down. Without this verification we'd propagate a generic\n  // `session_missing` to the operator on the next has-session call,\n  // hiding the real failure. Sleep briefly to give claude a beat to\n  // crash-or-stay-alive, then check.\n  await sleep(500);\n  try {\n    await execFileAsync('tmux', ['has-session', '-t', session]);\n  } catch {\n    return {\n      ok: false,\n      error: {\n        kind: 'unknown',\n        message: `claude exited immediately after launch (binary at ${claudeBin}). Run \\`${claudeBin}\\` manually on the host to see why — likely missing TTY, missing HOME, or a startup error.`,\n      },\n    };\n  }\n  return { ok: true };\n}\n\n/**\n * ENG-4633: drive Claude Code through its post-OAuth dialogs so it\n * persists `~/.claude.json` (the device-state + onboarding-complete\n * file) before we tear down the pair tmux session.\n *\n * Without this step, the pair flow leaves the host with only\n * `~/.claude/.credentials.json` written. On the next agent launch,\n * Claude Code interactive mode sees no `~/.claude.json` and falls\n * back to the login picker — even though the OAuth tokens are\n * sitting right there. This was the root cause of the 2026-05-01\n * prod scout outage.\n *\n * After successful code submission, claude shows in sequence:\n *   1. \"Logged in as <email> / Login successful. Press Enter to continue…\"\n *   2. \"Security notes / Press Enter to continue…\"\n *   3. (depending on cwd) trust-folder prompt and/or bypass-permissions\n *      warning. The pair tmux session has neither a project dir nor\n *      `--dangerously-skip-permissions`, so we usually only see the\n *      first two.\n *\n * For each iteration: capture the pane, match a known prompt, send\n * Enter, repeat. Bail when `~/.claude.json`'s mtime advances past\n * the snapshot we took at entry — proxy for \"claude has rewritten\n * the file with post-login state\". The actual contents (e.g.\n * `hasCompletedOnboarding: true`) are not parsed here; we trust\n * claude to write a coherent file once it gets the chance, and\n * mtime-only is enough to gate the success log line. Returns\n * `finalized` so the caller can warn if onboarding never flushed —\n * the pair is still considered successful (OAuth tokens are valid\n * regardless), the worst-case fallout is a one-time login picker\n * on the next agent launch.\n */\nexport async function finalizeClaudePairOnboarding(\n  session: string,\n  log: (msg: string) => void,\n  opts: { maxIterations?: number; intervalMs?: number; claudeJsonPath?: string } = {},\n): Promise<{ finalized: boolean; iterations: number }> {\n  const maxIterations = opts.maxIterations ?? 10;\n  const intervalMs = opts.intervalMs ?? 1500;\n  const claudeJsonPath = opts.claudeJsonPath ?? join(homedir(), '.claude.json');\n\n  // Snapshot the file's existence + mtime so we can detect the moment\n  // claude actually writes it. We can't simply check \"does the file\n  // exist\" because a stale file from a prior pair attempt would\n  // satisfy that on the first iteration.\n  const initialMtime = existsSync(claudeJsonPath)\n    ? statSync(claudeJsonPath).mtimeMs\n    : 0;\n\n  for (let i = 0; i < maxIterations; i++) {\n    await sleep(intervalMs);\n    let pane: string;\n    try {\n      pane = await capturePane(session);\n    } catch (err) {\n      // Session likely dead. Reading it back as failure here is fine —\n      // the upstream caller already considered the pair successful, so\n      // we report finalized=false and let it decide whether to fail\n      // soft.\n      const classified = classifyTmuxError(err);\n      log(`[claude-pair] finalize: capture-pane failed (${classified.kind}); aborting onboarding flow`);\n      return { finalized: false, iterations: i };\n    }\n\n    // Pattern-match the post-OAuth dialogs claude shows in succession.\n    // Keep these matchers loose — claude's wording shifts between\n    // versions, and a missed match just means we send Enter on the\n    // generic \"Press Enter to continue\" branch below.\n    if (\n      pane.includes('Login successful') ||\n      pane.includes('Logged in as') ||\n      /Press Enter to continue/i.test(pane) ||\n      pane.includes('Security notes')\n    ) {\n      try {\n        await sendKeys(session, 'C-m');\n      } catch {\n        // sendKeys failure → session dead. Same fallthrough as above.\n        log('[claude-pair] finalize: send-keys failed; aborting onboarding flow');\n        return { finalized: false, iterations: i };\n      }\n      continue;\n    }\n\n    // Has claude rewritten ~/.claude.json since we entered this\n    // function? mtime advance is our proxy for \"post-login state has\n    // been flushed to disk\" — we don't crack the JSON open to verify\n    // hasCompletedOnboarding because claude's exact write timing is\n    // version-dependent and we'd be guessing about which key to look\n    // at. Mtime-only is good enough for the smoke contract.\n    if (existsSync(claudeJsonPath)) {\n      const mtime = statSync(claudeJsonPath).mtimeMs;\n      if (mtime > initialMtime) {\n        log(`[claude-pair] finalize: ~/.claude.json updated (after ${i + 1} dialog dismissal(s))`);\n        return { finalized: true, iterations: i + 1 };\n      }\n    }\n  }\n\n  log(`[claude-pair] finalize: reached ${maxIterations} iterations without ~/.claude.json being updated`);\n  return { finalized: false, iterations: maxIterations };\n}\n\n/**\n * Returns true if the session is gone afterwards (either kill succeeded\n * or it was already missing). Returns false only if `kill-session`\n * failed for a non-missing-session reason — caller should treat this\n * as \"still tracked, will retry next poll\".\n */\nexport async function killPairSession(session: string): Promise<boolean> {\n  try {\n    await execFileAsync('tmux', ['kill-session', '-t', session]);\n    return true;\n  } catch (err) {\n    // \"can't find session\" is success-equivalent — the desired end state\n    // is \"this session does not exist\" and that's already true.\n    if (classifyTmuxError(err).kind === 'no-session') return true;\n    return false;\n  }\n}\n\n// ---------------------------------------------------------------------------\n// Result shapes\n// ---------------------------------------------------------------------------\n\nexport type ClaudePairStartResult =\n  | { kind: 'url'; url: string }\n  | { kind: 'timeout' }\n  | { kind: 'error'; error: SessionError };\n\nexport type ClaudePairSubmitResult =\n  | { kind: 'success'; rawMatch: string }\n  | { kind: 'failure'; rawMatch: string }\n  | { kind: 'timeout' }\n  | { kind: 'error'; error: SessionError };\n\nexport type ClaudePairStatusResult =\n  | { kind: 'idle' }\n  | { kind: 'awaiting-code'; url: string }\n  | { kind: 'success' }\n  | { kind: 'failure'; rawMatch: string }\n  | { kind: 'session-missing' }\n  | { kind: 'error'; error: SessionError };\n\n// ---------------------------------------------------------------------------\n// start — send `/login`, wait for the OAuth URL prompt\n// ---------------------------------------------------------------------------\n\nexport interface ClaudePairStartOpts {\n  /** Pair-scoped tmux session name (see pairTmuxSession). */\n  session: string;\n  /** Total time to wait for Claude Code to print the URL prompt. Default 60s. */\n  timeoutMs?: number;\n  /** How often to re-capture and check the pane. Default 500ms. */\n  pollIntervalMs?: number;\n}\n\nexport async function startClaudePair(opts: ClaudePairStartOpts): Promise<ClaudePairStartResult> {\n  const { session } = opts;\n  // Pair sessions cold-start `claude` from scratch — first-run on a fresh\n  // host can take 10-30s before the prompt is interactive enough to\n  // accept `/login`. Stay generous.\n  const timeoutMs = opts.timeoutMs ?? 60_000;\n  const pollIntervalMs = opts.pollIntervalMs ?? 500;\n\n  // Quick precheck — fail fast if the tmux session doesn't exist\n  // rather than blasting `/login` into an unrelated pane.\n  try {\n    await execFileAsync('tmux', ['has-session', '-t', session]);\n  } catch (err) {\n    return { kind: 'error', error: classifyTmuxError(err) };\n  }\n\n  // Drive claude through its first-run onboarding to reach a state\n  // where the OAuth URL is on screen. Possible paths:\n  //\n  //  • Fresh host: theme picker → \"Trust folder?\" → login method picker\n  //    (option 1 = Claude subscription, already highlighted) → OAuth URL.\n  //    No `/login` needed — option 1 IS the login.\n  //  • Already onboarded: regular prompt → we send `/login` ourselves →\n  //    login method picker → OAuth URL.\n  //\n  // Auto-advance every onboarding screen we recognize. Keep going until\n  // we either see the URL prompt or hit the deadline.\n  const onboardingDeadline = Date.now() + Math.min(45_000, timeoutMs);\n  let lastDispatchAt = 0;\n  let loginCommandSent = false;\n  const dispatchEnter = async (): Promise<void> => {\n    if (Date.now() - lastDispatchAt < 1_500) return;\n    lastDispatchAt = Date.now();\n    try { await sendKeys(session, 'C-m'); } catch { /* keep polling */ }\n  };\n\n  while (Date.now() < onboardingDeadline) {\n    await sleep(pollIntervalMs);\n    let pane: string;\n    try {\n      // VIEWPORT ONLY (no scrollback). With scrollback included, the\n      // theme picker / login picker text lingers in the buffer after\n      // claude advances to the URL-paste prompt. The match would then\n      // dispatch Enter on the empty paste field — submitting an empty\n      // code and triggering \"OAuth error: Invalid code\". Visible-only\n      // capture ensures we only react to what's actually on screen.\n      pane = await capturePane(session, { scrollback: 0 });\n    } catch (err) {\n      return { kind: 'error', error: classifyTmuxError(err) };\n    }\n\n    // Already at the URL prompt — done driving onboarding, fall through\n    // to the URL-extraction loop below.\n    if (isUrlPromptReady(pane)) {\n      const url = extractOAuthUrl(pane);\n      if (url) return { kind: 'url', url };\n    }\n\n    // Stuck on \"OAuth error: Invalid code. Press Enter to retry\" — usually\n    // because claude has cached partial state from a previous failed login\n    // attempt on this host. Pressing Enter would just resubmit the bad\n    // code and loop forever, so bail with an actionable error.\n    //\n    // Capture WITH scrollback for this check: claude's TUI sometimes\n    // re-renders the splash/banner over the OAuth error so the viewport\n    // alone misses it (we'd then time out instead of giving the operator\n    // an actionable error). OAuth-retry is a sticky state — claude waits\n    // for input — so checking recent scrollback is safe; a false positive\n    // from stale scrollback would only fire if a previous attempt actually\n    // failed, in which case bailing is the right call.\n    let scrollPane = pane;\n    try {\n      scrollPane = await capturePane(session, { scrollback: -50 });\n    } catch { /* fall back to viewport-only check */ }\n    const hasOAuthInvalidCode = /OAuth error[\\s\\S]*Invalid code/i.test(scrollPane);\n    const hasOAuthRetryPrompt = /OAuth error/i.test(scrollPane) && /Press Enter to retry/i.test(scrollPane);\n    if (hasOAuthInvalidCode || hasOAuthRetryPrompt) {\n      return {\n        kind: 'error',\n        error: {\n          kind: 'oauth-retry-stuck',\n          message:\n            'claude is stuck on a previous failed-login retry prompt. SSH to the host and clear ~/.claude/.credentials.json (and any *.json next to it), then retry pair-via-browser.',\n        },\n      };\n    }\n\n    // Login method picker — option 1 (Claude subscription) is already\n    // highlighted, Enter selects it.\n    if (/Select login method:/i.test(pane)) {\n      await dispatchEnter();\n      continue;\n    }\n    // First-run theme picker. Accept the highlighted default; operator\n    // can change it later via /theme.\n    if (/\\bDark mode\\b/.test(pane) && /\\bLight mode\\b/.test(pane)) {\n      await dispatchEnter();\n      continue;\n    }\n    // \"Trust this folder?\" — Enter accepts the default (Yes).\n    if (/Do you trust the files in this folder\\?/i.test(pane)) {\n      await dispatchEnter();\n      continue;\n    }\n    // Onboarding \"Press Enter to continue\" splashes.\n    if (/press\\s+enter\\s+to\\s+continue/i.test(pane)) {\n      await dispatchEnter();\n      continue;\n    }\n    // Regular interactive prompt — this means claude was already\n    // onboarded. Send `/login` once to surface the login picker, then\n    // the next iteration handles it via the picker branch above.\n    const promptVisible =\n      /[│|]\\s*>\\s/.test(pane) || /Try .+ to .+/.test(pane) || /^\\s*>\\s*$/m.test(pane);\n    if (promptVisible && !loginCommandSent) {\n      loginCommandSent = true;\n      try {\n        await sendKeys(session, '/login', 'C-m');\n      } catch (err) {\n        return { kind: 'error', error: classifyTmuxError(err) };\n      }\n      continue;\n    }\n  }\n\n  // Onboarding deadline hit without seeing a URL — surface the pane so\n  // operators can see what was on screen when we gave up.\n  let lastPane = '';\n  try { lastPane = await capturePane(session); } catch { /* best-effort */ }\n  return {\n    kind: 'error',\n    error: {\n      kind: 'unknown',\n      message: `claude never reached OAuth URL prompt within ${timeoutMs}ms. Last pane: ${lastPane.slice(-500)}`,\n    },\n  };\n}\n\n// ---------------------------------------------------------------------------\n// submit-code — paste the auth code, wait for outcome\n// ---------------------------------------------------------------------------\n\nexport interface ClaudePairSubmitOpts {\n  /** Pair-scoped tmux session name (see pairTmuxSession). */\n  session: string;\n  code: string;\n  /** Total time to wait for the success/failure marker. Default 30s. */\n  timeoutMs?: number;\n  pollIntervalMs?: number;\n}\n\nexport async function submitClaudePairCode(\n  opts: ClaudePairSubmitOpts,\n): Promise<ClaudePairSubmitResult> {\n  const { session } = opts;\n  const timeoutMs = opts.timeoutMs ?? 30_000;\n  const pollIntervalMs = opts.pollIntervalMs ?? 500;\n\n  // Validate code shape minimally — Claude Code's auth codes are\n  // alphanumeric with dashes, ~40-80 chars. Accept anything within\n  // that envelope; reject blank or whitespace-only to avoid\n  // accidentally submitting an empty buffer.\n  if (!opts.code || !opts.code.trim()) {\n    return {\n      kind: 'error',\n      error: { kind: 'unknown', message: 'empty auth code' },\n    };\n  }\n  if (opts.code.length > 1024) {\n    return {\n      kind: 'error',\n      error: { kind: 'unknown', message: 'auth code suspiciously long' },\n    };\n  }\n\n  // Send the code + Enter. We use the literal value as one send-keys\n  // argument; tmux handles spaces fine, but newlines would terminate\n  // early so reject those as well.\n  if (/[\\r\\n]/.test(opts.code)) {\n    return {\n      kind: 'error',\n      error: { kind: 'unknown', message: 'auth code contains newline' },\n    };\n  }\n\n  // Send the code as LITERAL text (-l) so tmux doesn't try to interpret\n  // any chars as key tokens. Then a 250ms breather so claude's\n  // ink/React render loop finishes processing the paste before Enter\n  // lands. Without that wait the Enter often gets swallowed mid-render\n  // and the code stays in the input box unsubmitted.\n  try {\n    await execFileAsync('tmux', ['send-keys', '-t', session, '-l', opts.code.trim()]);\n  } catch (err) {\n    return { kind: 'error', error: classifyTmuxError(err) };\n  }\n  await sleep(250);\n  try {\n    // Use Enter (semantic) plus a fallback C-m on the next iteration if\n    // claude still hasn't moved.\n    await sendKeys(session, 'Enter');\n  } catch (err) {\n    return { kind: 'error', error: classifyTmuxError(err) };\n  }\n\n  const deadline = Date.now() + timeoutMs;\n  let enterRetried = false;\n  let lastPane = '';\n  while (Date.now() < deadline) {\n    await sleep(pollIntervalMs);\n    try {\n      lastPane = await capturePane(session);\n    } catch (err) {\n      return { kind: 'error', error: classifyTmuxError(err) };\n    }\n    const outcome: AuthOutcome = detectAuthOutcome(lastPane);\n    if (outcome.kind === 'success') return { kind: 'success', rawMatch: outcome.rawMatch };\n    if (outcome.kind === 'failure') return { kind: 'failure', rawMatch: outcome.rawMatch };\n\n    // After ~5s with no outcome, retry Enter once — covers the case\n    // where the first Enter landed mid-render and claude swallowed it.\n    // The \"Paste code here\" prompt is still on screen if submission\n    // didn't take; if it advanced, we'd already have an outcome above.\n    if (!enterRetried && Date.now() - (deadline - timeoutMs) > 5_000 && /Paste code here/i.test(lastPane)) {\n      enterRetried = true;\n      try { await sendKeys(session, 'C-m'); } catch { /* keep polling */ }\n    }\n  }\n  // Include pane snippet in the error path so operators can see what\n  // claude was actually showing — outcome detection is brittle and the\n  // session is killed immediately after this returns, so this is our\n  // only chance to capture state for debugging regex updates.\n  return {\n    kind: 'error',\n    error: {\n      kind: 'unknown',\n      message: `submit timed out after ${timeoutMs}ms — outcome regex didn't match. Last pane: ${lastPane.slice(-600)}`,\n    },\n  };\n}\n\n// ---------------------------------------------------------------------------\n// status — non-mutating peek at the pane state\n// ---------------------------------------------------------------------------\n\nexport async function getClaudePairStatus(session: string): Promise<ClaudePairStatusResult> {\n  try {\n    await execFileAsync('tmux', ['has-session', '-t', session]);\n  } catch (err) {\n    const classified = classifyTmuxError(err);\n    if (classified.kind === 'no-session') return { kind: 'session-missing' };\n    return { kind: 'error', error: classified };\n  }\n\n  let pane: string;\n  try {\n    pane = await capturePane(session);\n  } catch (err) {\n    return { kind: 'error', error: classifyTmuxError(err) };\n  }\n\n  // Outcome takes priority — if the pane already shows success/failure\n  // from a recent submission, the API can short-circuit without\n  // restarting the flow.\n  const outcome = detectAuthOutcome(pane);\n  if (outcome.kind === 'success') return { kind: 'success' };\n  if (outcome.kind === 'failure') return { kind: 'failure', rawMatch: outcome.rawMatch };\n\n  if (isUrlPromptReady(pane)) {\n    const url = extractOAuthUrl(pane);\n    if (url) return { kind: 'awaiting-code', url };\n  }\n  return { kind: 'idle' };\n}\n","/**\n * ENG-4580: pane-scrape parser for Claude Code's `/login` OAuth flow.\n *\n * The manager drives the flow by sending `/login` into the agent's\n * persistent tmux session, capturing the pane after a short poll, and\n * extracting the OAuth URL Claude Code prints. After the operator\n * pastes the auth code via the UI, the manager sends it back into the\n * pane and polls for a success / failure marker.\n *\n * Everything in this module is pure — no tmux calls, no fs I/O. The\n * runtime side (apps/cli/src/lib/manager-worker.ts) shells out and\n * feeds the captured pane string through these functions.\n *\n * Why a dedicated module: pane scraping is fragile across Claude Code\n * versions, terminal widths, and locale changes. Centralising the\n * regexes + the ANSI stripper makes them easy to fixture-test and\n * iterate on without touching the runtime path.\n */\n\n// ---------------------------------------------------------------------------\n// ANSI escape sequence stripper\n// ---------------------------------------------------------------------------\n\n/**\n * Strip the ANSI escape sequences a terminal emits for colour, cursor\n * movement, screen clears, and bracketed paste mode. The pattern below\n * covers:\n *\n *   - CSI sequences: `ESC [ ... <final byte>` where the final byte is\n *     in the 0x40-0x7E range (covers SGR colour, cursor-position,\n *     erase-in-line/display, etc.)\n *   - OSC sequences: `ESC ] ... BEL` or `ESC ] ... ESC \\` (used for\n *     window titles and hyperlinks)\n *   - Single-character `ESC <char>` two-byte escapes (e.g. `ESC =`,\n *     `ESC >`, the `ESC c` reset)\n *\n * We keep newlines and printable text intact so pane content remains\n * matchable after stripping.\n *\n * The regex uses Unicode-friendly character classes; we explicitly\n * avoid `\\x1b` named escapes in source to keep the file ASCII-safe.\n */\nconst ANSI_ESC = String.fromCharCode(0x1b);\nconst ANSI_BEL = String.fromCharCode(0x07);\n\nconst CSI_RE = new RegExp(`${ANSI_ESC}\\\\[[0-?]*[ -/]*[@-~]`, 'g');\nconst OSC_RE = new RegExp(\n  `${ANSI_ESC}\\\\][^${ANSI_BEL}${ANSI_ESC}]*(?:${ANSI_BEL}|${ANSI_ESC}\\\\\\\\)`,\n  'g',\n);\nconst TWO_BYTE_RE = new RegExp(`${ANSI_ESC}[=>cM78]`, 'g');\n\nexport function stripAnsi(text: string): string {\n  return text.replace(CSI_RE, '').replace(OSC_RE, '').replace(TWO_BYTE_RE, '');\n}\n\n// ---------------------------------------------------------------------------\n// OAuth URL extraction\n// ---------------------------------------------------------------------------\n\n/**\n * Anchored to Anthropic-owned domains that Claude Code's `/login`\n * actually prints. Adding more hosts is fine — keep them allowlisted\n * rather than matching arbitrary `https://` to avoid pulling random\n * URLs from the user's previous shell output.\n *\n * Note: Claude Code currently emits URLs at `claude.com/cai/oauth/...`\n * (the consumer-facing domain), but `claude.ai` and the console hosts\n * have appeared historically and are kept here for tolerance.\n */\nconst OAUTH_URL_RE =\n  /https:\\/\\/(?:claude\\.com|claude\\.ai|platform\\.claude\\.com|console\\.anthropic\\.com|auth\\.anthropic\\.com)\\/[^\\s)\\]]*/;\n\n/**\n * Strip ANSI + reassemble URLs that were soft-wrapped across terminal\n * lines. tmux capture-pane emits hard newlines for wrapped lines, and\n * Claude Code's OAuth URL routinely runs >300 chars — much wider than\n * the manager's default tmux window. Iteratively strip newlines that\n * fall inside what looks like a URL until convergence (a single URL\n * can wrap 5+ times).\n *\n * Shared between extractOAuthUrl and isUrlPromptReady so the readiness\n * check sees the same string the extractor would.\n */\nfunction dewrapPane(rawPane: string): string {\n  const stripped = stripAnsi(rawPane);\n  let dewrapped = stripped;\n  let prev = '';\n  while (prev !== dewrapped) {\n    prev = dewrapped;\n    dewrapped = dewrapped.replace(/(https?:\\/\\/\\S+?)\\n(?=\\S)/, (_m, head: string) => head);\n  }\n  return dewrapped;\n}\n\nexport function extractOAuthUrl(rawPane: string): string | null {\n  const match = OAUTH_URL_RE.exec(dewrapPane(rawPane));\n  if (!match) return null;\n  // Trim trailing punctuation that often clings to URLs in TUIs.\n  return match[0].replace(/[.,;:!?]+$/, '');\n}\n\n// ---------------------------------------------------------------------------\n// Prompt readiness — \"we've printed the URL, now waiting for a code\"\n// ---------------------------------------------------------------------------\n\nconst URL_PROMPT_RE =\n  /(?:Paste code here|Paste your code|Enter (?:the )?code|Authorization code)/i;\n\nexport function isUrlPromptReady(rawPane: string): boolean {\n  const dewrapped = dewrapPane(rawPane);\n  // Both anchors must be present: the URL itself AND the paste-code\n  // prompt. The prompt alone could appear during a stale screen redraw;\n  // the URL alone could be a stray match in command history. Use the\n  // dewrapped pane so a wrapped URL still matches OAUTH_URL_RE.\n  return OAUTH_URL_RE.test(dewrapped) && URL_PROMPT_RE.test(dewrapped);\n}\n\n// ---------------------------------------------------------------------------\n// Outcome detection after submitting the code\n// ---------------------------------------------------------------------------\n\n// Claude Code's success/failure copy has drifted across versions\n// (\"Logged in\" → \"Login successful\" → \"Signed in as ...\" → etc.).\n// Keep the alternations broad-but-specific — phrases that only appear\n// after a real auth roundtrip, never in welcome / tutorial text.\n// \"Welcome back\" was tried and rejected: it shows up in onboarding\n// help blurbs and produced false positives.\nconst SUCCESS_RE =\n  /(?:Logged in|Login successful|Successfully (?:logged in|authenticated|signed in)|Authentication successful|Sign-?in (?:complete|successful)|You(?:'|’)?re signed in|Signed in as)/i;\nconst FAILURE_RE =\n  /(?:Invalid (?:code|authorization code)|OAuth error|Authentication failed|Error (?:logging in|during authentication)|Login failed|Sign-?in failed|Failed to (?:authenticate|sign in|log in))/i;\n\nexport type AuthOutcome =\n  | { kind: 'success'; rawMatch: string }\n  | { kind: 'failure'; rawMatch: string }\n  | { kind: 'pending' };\n\nexport function detectAuthOutcome(rawPane: string): AuthOutcome {\n  const stripped = stripAnsi(rawPane);\n  // Failure first — Claude Code sometimes prints a stale \"logged in\" from\n  // a previous successful session above the new failure banner. The\n  // most-recent line wins, so we scan from the end of the pane.\n  const failureMatch = lastMatch(stripped, FAILURE_RE);\n  const successMatch = lastMatch(stripped, SUCCESS_RE);\n\n  if (failureMatch && successMatch) {\n    // Whichever is later on the pane is the live state.\n    if (failureMatch.index > successMatch.index) {\n      return { kind: 'failure', rawMatch: failureMatch.match };\n    }\n    return { kind: 'success', rawMatch: successMatch.match };\n  }\n  if (failureMatch) return { kind: 'failure', rawMatch: failureMatch.match };\n  if (successMatch) return { kind: 'success', rawMatch: successMatch.match };\n  return { kind: 'pending' };\n}\n\nfunction lastMatch(haystack: string, re: RegExp): { match: string; index: number } | null {\n  // Construct a sticky/global variant if needed. Most of our REs are\n  // anchored to small phrases; iterating with a `g`-flagged RegExp is\n  // cheap and correct.\n  const globalRe = new RegExp(re.source, re.flags.includes('g') ? re.flags : `${re.flags}g`);\n  let last: RegExpExecArray | null = null;\n  let m: RegExpExecArray | null;\n  while ((m = globalRe.exec(haystack)) !== null) {\n    last = m;\n    // Prevent zero-length matches from looping.\n    if (m.index === globalRe.lastIndex) globalRe.lastIndex++;\n  }\n  return last ? { match: last[0], index: last.index } : null;\n}\n\n// ---------------------------------------------------------------------------\n// \"Session not running / tmux missing\" — surface as a structured signal\n// ---------------------------------------------------------------------------\n\n/**\n * The runtime path will throw when `tmux capture-pane` fails. This\n * helper classifies the failure for the API layer so the UI can show\n * \"start a session first\" rather than a generic 500.\n */\nexport type SessionError =\n  | { kind: 'no-session' }\n  | { kind: 'tmux-missing' }\n  | { kind: 'pane-empty' }\n  /** Claude is sitting on the \"OAuth error: Invalid code. Press Enter to\n   *  retry.\" prompt from a previous failed login — pressing Enter would\n   *  resubmit the bad code, so the runtime bails with operator-actionable\n   *  guidance instead. Distinct from `unknown` so telemetry / UI can\n   *  surface a specific message rather than a generic 500. */\n  | { kind: 'oauth-retry-stuck'; message: string }\n  | { kind: 'unknown'; message: string };\n\nexport function classifyTmuxError(err: unknown): SessionError {\n  const msg = err instanceof Error ? err.message : String(err);\n  if (/can't find session|no server running/i.test(msg)) return { kind: 'no-session' };\n  if (/command not found.*tmux|ENOENT.*tmux/i.test(msg)) return { kind: 'tmux-missing' };\n  return { kind: 'unknown', message: msg };\n}\n"],"mappings":";AAmBA,SAAS,gBAAgB;AACzB,SAAS,iBAAiB;AAC1B,SAAS,YAAY,gBAAgB;AACrC,SAAS,YAAY;AACrB,SAAS,eAAe;;;ACmBxB,IAAM,WAAW,OAAO,aAAa,EAAI;AACzC,IAAM,WAAW,OAAO,aAAa,CAAI;AAEzC,IAAM,SAAS,IAAI,OAAO,GAAG,QAAQ,wBAAwB,GAAG;AAChE,IAAM,SAAS,IAAI;AAAA,EACjB,GAAG,QAAQ,QAAQ,QAAQ,GAAG,QAAQ,QAAQ,QAAQ,IAAI,QAAQ;AAAA,EAClE;AACF;AACA,IAAM,cAAc,IAAI,OAAO,GAAG,QAAQ,YAAY,GAAG;AAElD,SAAS,UAAU,MAAsB;AAC9C,SAAO,KAAK,QAAQ,QAAQ,EAAE,EAAE,QAAQ,QAAQ,EAAE,EAAE,QAAQ,aAAa,EAAE;AAC7E;AAgBA,IAAM,eACJ;AAaF,SAAS,WAAW,SAAyB;AAC3C,QAAM,WAAW,UAAU,OAAO;AAClC,MAAI,YAAY;AAChB,MAAI,OAAO;AACX,SAAO,SAAS,WAAW;AACzB,WAAO;AACP,gBAAY,UAAU,QAAQ,6BAA6B,CAAC,IAAI,SAAiB,IAAI;AAAA,EACvF;AACA,SAAO;AACT;AAEO,SAAS,gBAAgB,SAAgC;AAC9D,QAAM,QAAQ,aAAa,KAAK,WAAW,OAAO,CAAC;AACnD,MAAI,CAAC,MAAO,QAAO;AAEnB,SAAO,MAAM,CAAC,EAAE,QAAQ,cAAc,EAAE;AAC1C;AAMA,IAAM,gBACJ;AAEK,SAAS,iBAAiB,SAA0B;AACzD,QAAM,YAAY,WAAW,OAAO;AAKpC,SAAO,aAAa,KAAK,SAAS,KAAK,cAAc,KAAK,SAAS;AACrE;AAYA,IAAM,aACJ;AACF,IAAM,aACJ;AAOK,SAAS,kBAAkB,SAA8B;AAC9D,QAAM,WAAW,UAAU,OAAO;AAIlC,QAAM,eAAe,UAAU,UAAU,UAAU;AACnD,QAAM,eAAe,UAAU,UAAU,UAAU;AAEnD,MAAI,gBAAgB,cAAc;AAEhC,QAAI,aAAa,QAAQ,aAAa,OAAO;AAC3C,aAAO,EAAE,MAAM,WAAW,UAAU,aAAa,MAAM;AAAA,IACzD;AACA,WAAO,EAAE,MAAM,WAAW,UAAU,aAAa,MAAM;AAAA,EACzD;AACA,MAAI,aAAc,QAAO,EAAE,MAAM,WAAW,UAAU,aAAa,MAAM;AACzE,MAAI,aAAc,QAAO,EAAE,MAAM,WAAW,UAAU,aAAa,MAAM;AACzE,SAAO,EAAE,MAAM,UAAU;AAC3B;AAEA,SAAS,UAAU,UAAkB,IAAqD;AAIxF,QAAM,WAAW,IAAI,OAAO,GAAG,QAAQ,GAAG,MAAM,SAAS,GAAG,IAAI,GAAG,QAAQ,GAAG,GAAG,KAAK,GAAG;AACzF,MAAI,OAA+B;AACnC,MAAI;AACJ,UAAQ,IAAI,SAAS,KAAK,QAAQ,OAAO,MAAM;AAC7C,WAAO;AAEP,QAAI,EAAE,UAAU,SAAS,UAAW,UAAS;AAAA,EAC/C;AACA,SAAO,OAAO,EAAE,OAAO,KAAK,CAAC,GAAG,OAAO,KAAK,MAAM,IAAI;AACxD;AAuBO,SAAS,kBAAkB,KAA4B;AAC5D,QAAM,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAC3D,MAAI,wCAAwC,KAAK,GAAG,EAAG,QAAO,EAAE,MAAM,aAAa;AACnF,MAAI,wCAAwC,KAAK,GAAG,EAAG,QAAO,EAAE,MAAM,eAAe;AACrF,SAAO,EAAE,MAAM,WAAW,SAAS,IAAI;AACzC;;;ADrKA,IAAM,gBAAgB,UAAU,QAAQ;AAMjC,SAAS,gBAAgB,QAAwB;AACtD,SAAO,YAAY,OAAO,MAAM,GAAG,EAAE,CAAC;AACxC;AAWA,eAAe,YAAY,SAAiB,OAAwB,CAAC,GAAoB;AACvF,QAAM,aAAa,KAAK,cAAc;AACtC,QAAM,EAAE,OAAO,IAAI,MAAM,cAAc,QAAQ;AAAA,IAC7C;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,OAAO,UAAU;AAAA,EACnB,CAAC;AACD,SAAO;AACT;AAEA,eAAe,SAAS,YAAoB,MAA+B;AACzE,QAAM,cAAc,QAAQ,CAAC,aAAa,MAAM,SAAS,GAAG,IAAI,CAAC;AACnE;AAEA,eAAe,MAAM,IAA2B;AAC9C,SAAO,IAAI,QAAQ,CAAC,MAAM,WAAW,GAAG,EAAE,CAAC;AAC7C;AAiBA,eAAsB,iBAAiB,SAA6E;AAClH,MAAI;AACF,UAAM,cAAc,QAAQ,CAAC,eAAe,MAAM,OAAO,CAAC;AAC1D,WAAO,EAAE,IAAI,KAAK;AAAA,EACpB,QAAQ;AAAA,EAER;AAEA,QAAM,EAAE,oBAAoB,IAAI,MAAM,OAAO,kCAAyB;AACtE,QAAM,YAAY,oBAAoB;AAEtC,MAAI;AAMF,UAAM,cAAc,QAAQ;AAAA,MAC1B;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,MACA;AAAA,IACF,CAAC;AAAA,EACH,SAAS,KAAK;AACZ,WAAO,EAAE,IAAI,OAAO,OAAO,kBAAkB,GAAG,EAAE;AAAA,EACpD;AAQA,QAAM,MAAM,GAAG;AACf,MAAI;AACF,UAAM,cAAc,QAAQ,CAAC,eAAe,MAAM,OAAO,CAAC;AAAA,EAC5D,QAAQ;AACN,WAAO;AAAA,MACL,IAAI;AAAA,MACJ,OAAO;AAAA,QACL,MAAM;AAAA,QACN,SAAS,qDAAqD,SAAS,YAAY,SAAS;AAAA,MAC9F;AAAA,IACF;AAAA,EACF;AACA,SAAO,EAAE,IAAI,KAAK;AACpB;AAkCA,eAAsB,6BACpB,SACA,KACA,OAAiF,CAAC,GAC7B;AACrD,QAAM,gBAAgB,KAAK,iBAAiB;AAC5C,QAAM,aAAa,KAAK,cAAc;AACtC,QAAM,iBAAiB,KAAK,kBAAkB,KAAK,QAAQ,GAAG,cAAc;AAM5E,QAAM,eAAe,WAAW,cAAc,IAC1C,SAAS,cAAc,EAAE,UACzB;AAEJ,WAAS,IAAI,GAAG,IAAI,eAAe,KAAK;AACtC,UAAM,MAAM,UAAU;AACtB,QAAI;AACJ,QAAI;AACF,aAAO,MAAM,YAAY,OAAO;AAAA,IAClC,SAAS,KAAK;AAKZ,YAAM,aAAa,kBAAkB,GAAG;AACxC,UAAI,gDAAgD,WAAW,IAAI,6BAA6B;AAChG,aAAO,EAAE,WAAW,OAAO,YAAY,EAAE;AAAA,IAC3C;AAMA,QACE,KAAK,SAAS,kBAAkB,KAChC,KAAK,SAAS,cAAc,KAC5B,2BAA2B,KAAK,IAAI,KACpC,KAAK,SAAS,gBAAgB,GAC9B;AACA,UAAI;AACF,cAAM,SAAS,SAAS,KAAK;AAAA,MAC/B,QAAQ;AAEN,YAAI,oEAAoE;AACxE,eAAO,EAAE,WAAW,OAAO,YAAY,EAAE;AAAA,MAC3C;AACA;AAAA,IACF;AAQA,QAAI,WAAW,cAAc,GAAG;AAC9B,YAAM,QAAQ,SAAS,cAAc,EAAE;AACvC,UAAI,QAAQ,cAAc;AACxB,YAAI,yDAAyD,IAAI,CAAC,uBAAuB;AACzF,eAAO,EAAE,WAAW,MAAM,YAAY,IAAI,EAAE;AAAA,MAC9C;AAAA,IACF;AAAA,EACF;AAEA,MAAI,mCAAmC,aAAa,kDAAkD;AACtG,SAAO,EAAE,WAAW,OAAO,YAAY,cAAc;AACvD;AAQA,eAAsB,gBAAgB,SAAmC;AACvE,MAAI;AACF,UAAM,cAAc,QAAQ,CAAC,gBAAgB,MAAM,OAAO,CAAC;AAC3D,WAAO;AAAA,EACT,SAAS,KAAK;AAGZ,QAAI,kBAAkB,GAAG,EAAE,SAAS,aAAc,QAAO;AACzD,WAAO;AAAA,EACT;AACF;AAsCA,eAAsB,gBAAgB,MAA2D;AAC/F,QAAM,EAAE,QAAQ,IAAI;AAIpB,QAAM,YAAY,KAAK,aAAa;AACpC,QAAM,iBAAiB,KAAK,kBAAkB;AAI9C,MAAI;AACF,UAAM,cAAc,QAAQ,CAAC,eAAe,MAAM,OAAO,CAAC;AAAA,EAC5D,SAAS,KAAK;AACZ,WAAO,EAAE,MAAM,SAAS,OAAO,kBAAkB,GAAG,EAAE;AAAA,EACxD;AAaA,QAAM,qBAAqB,KAAK,IAAI,IAAI,KAAK,IAAI,MAAQ,SAAS;AAClE,MAAI,iBAAiB;AACrB,MAAI,mBAAmB;AACvB,QAAM,gBAAgB,YAA2B;AAC/C,QAAI,KAAK,IAAI,IAAI,iBAAiB,KAAO;AACzC,qBAAiB,KAAK,IAAI;AAC1B,QAAI;AAAE,YAAM,SAAS,SAAS,KAAK;AAAA,IAAG,QAAQ;AAAA,IAAqB;AAAA,EACrE;AAEA,SAAO,KAAK,IAAI,IAAI,oBAAoB;AACtC,UAAM,MAAM,cAAc;AAC1B,QAAI;AACJ,QAAI;AAOF,aAAO,MAAM,YAAY,SAAS,EAAE,YAAY,EAAE,CAAC;AAAA,IACrD,SAAS,KAAK;AACZ,aAAO,EAAE,MAAM,SAAS,OAAO,kBAAkB,GAAG,EAAE;AAAA,IACxD;AAIA,QAAI,iBAAiB,IAAI,GAAG;AAC1B,YAAM,MAAM,gBAAgB,IAAI;AAChC,UAAI,IAAK,QAAO,EAAE,MAAM,OAAO,IAAI;AAAA,IACrC;AAcA,QAAI,aAAa;AACjB,QAAI;AACF,mBAAa,MAAM,YAAY,SAAS,EAAE,YAAY,IAAI,CAAC;AAAA,IAC7D,QAAQ;AAAA,IAAyC;AACjD,UAAM,sBAAsB,kCAAkC,KAAK,UAAU;AAC7E,UAAM,sBAAsB,eAAe,KAAK,UAAU,KAAK,wBAAwB,KAAK,UAAU;AACtG,QAAI,uBAAuB,qBAAqB;AAC9C,aAAO;AAAA,QACL,MAAM;AAAA,QACN,OAAO;AAAA,UACL,MAAM;AAAA,UACN,SACE;AAAA,QACJ;AAAA,MACF;AAAA,IACF;AAIA,QAAI,wBAAwB,KAAK,IAAI,GAAG;AACtC,YAAM,cAAc;AACpB;AAAA,IACF;AAGA,QAAI,gBAAgB,KAAK,IAAI,KAAK,iBAAiB,KAAK,IAAI,GAAG;AAC7D,YAAM,cAAc;AACpB;AAAA,IACF;AAEA,QAAI,2CAA2C,KAAK,IAAI,GAAG;AACzD,YAAM,cAAc;AACpB;AAAA,IACF;AAEA,QAAI,iCAAiC,KAAK,IAAI,GAAG;AAC/C,YAAM,cAAc;AACpB;AAAA,IACF;AAIA,UAAM,gBACJ,aAAa,KAAK,IAAI,KAAK,eAAe,KAAK,IAAI,KAAK,aAAa,KAAK,IAAI;AAChF,QAAI,iBAAiB,CAAC,kBAAkB;AACtC,yBAAmB;AACnB,UAAI;AACF,cAAM,SAAS,SAAS,UAAU,KAAK;AAAA,MACzC,SAAS,KAAK;AACZ,eAAO,EAAE,MAAM,SAAS,OAAO,kBAAkB,GAAG,EAAE;AAAA,MACxD;AACA;AAAA,IACF;AAAA,EACF;AAIA,MAAI,WAAW;AACf,MAAI;AAAE,eAAW,MAAM,YAAY,OAAO;AAAA,EAAG,QAAQ;AAAA,EAAoB;AACzE,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS,gDAAgD,SAAS,kBAAkB,SAAS,MAAM,IAAI,CAAC;AAAA,IAC1G;AAAA,EACF;AACF;AAeA,eAAsB,qBACpB,MACiC;AACjC,QAAM,EAAE,QAAQ,IAAI;AACpB,QAAM,YAAY,KAAK,aAAa;AACpC,QAAM,iBAAiB,KAAK,kBAAkB;AAM9C,MAAI,CAAC,KAAK,QAAQ,CAAC,KAAK,KAAK,KAAK,GAAG;AACnC,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO,EAAE,MAAM,WAAW,SAAS,kBAAkB;AAAA,IACvD;AAAA,EACF;AACA,MAAI,KAAK,KAAK,SAAS,MAAM;AAC3B,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO,EAAE,MAAM,WAAW,SAAS,8BAA8B;AAAA,IACnE;AAAA,EACF;AAKA,MAAI,SAAS,KAAK,KAAK,IAAI,GAAG;AAC5B,WAAO;AAAA,MACL,MAAM;AAAA,MACN,OAAO,EAAE,MAAM,WAAW,SAAS,6BAA6B;AAAA,IAClE;AAAA,EACF;AAOA,MAAI;AACF,UAAM,cAAc,QAAQ,CAAC,aAAa,MAAM,SAAS,MAAM,KAAK,KAAK,KAAK,CAAC,CAAC;AAAA,EAClF,SAAS,KAAK;AACZ,WAAO,EAAE,MAAM,SAAS,OAAO,kBAAkB,GAAG,EAAE;AAAA,EACxD;AACA,QAAM,MAAM,GAAG;AACf,MAAI;AAGF,UAAM,SAAS,SAAS,OAAO;AAAA,EACjC,SAAS,KAAK;AACZ,WAAO,EAAE,MAAM,SAAS,OAAO,kBAAkB,GAAG,EAAE;AAAA,EACxD;AAEA,QAAM,WAAW,KAAK,IAAI,IAAI;AAC9B,MAAI,eAAe;AACnB,MAAI,WAAW;AACf,SAAO,KAAK,IAAI,IAAI,UAAU;AAC5B,UAAM,MAAM,cAAc;AAC1B,QAAI;AACF,iBAAW,MAAM,YAAY,OAAO;AAAA,IACtC,SAAS,KAAK;AACZ,aAAO,EAAE,MAAM,SAAS,OAAO,kBAAkB,GAAG,EAAE;AAAA,IACxD;AACA,UAAM,UAAuB,kBAAkB,QAAQ;AACvD,QAAI,QAAQ,SAAS,UAAW,QAAO,EAAE,MAAM,WAAW,UAAU,QAAQ,SAAS;AACrF,QAAI,QAAQ,SAAS,UAAW,QAAO,EAAE,MAAM,WAAW,UAAU,QAAQ,SAAS;AAMrF,QAAI,CAAC,gBAAgB,KAAK,IAAI,KAAK,WAAW,aAAa,OAAS,mBAAmB,KAAK,QAAQ,GAAG;AACrG,qBAAe;AACf,UAAI;AAAE,cAAM,SAAS,SAAS,KAAK;AAAA,MAAG,QAAQ;AAAA,MAAqB;AAAA,IACrE;AAAA,EACF;AAKA,SAAO;AAAA,IACL,MAAM;AAAA,IACN,OAAO;AAAA,MACL,MAAM;AAAA,MACN,SAAS,0BAA0B,SAAS,oDAA+C,SAAS,MAAM,IAAI,CAAC;AAAA,IACjH;AAAA,EACF;AACF;AAMA,eAAsB,oBAAoB,SAAkD;AAC1F,MAAI;AACF,UAAM,cAAc,QAAQ,CAAC,eAAe,MAAM,OAAO,CAAC;AAAA,EAC5D,SAAS,KAAK;AACZ,UAAM,aAAa,kBAAkB,GAAG;AACxC,QAAI,WAAW,SAAS,aAAc,QAAO,EAAE,MAAM,kBAAkB;AACvE,WAAO,EAAE,MAAM,SAAS,OAAO,WAAW;AAAA,EAC5C;AAEA,MAAI;AACJ,MAAI;AACF,WAAO,MAAM,YAAY,OAAO;AAAA,EAClC,SAAS,KAAK;AACZ,WAAO,EAAE,MAAM,SAAS,OAAO,kBAAkB,GAAG,EAAE;AAAA,EACxD;AAKA,QAAM,UAAU,kBAAkB,IAAI;AACtC,MAAI,QAAQ,SAAS,UAAW,QAAO,EAAE,MAAM,UAAU;AACzD,MAAI,QAAQ,SAAS,UAAW,QAAO,EAAE,MAAM,WAAW,UAAU,QAAQ,SAAS;AAErF,MAAI,iBAAiB,IAAI,GAAG;AAC1B,UAAM,MAAM,gBAAgB,IAAI;AAChC,QAAI,IAAK,QAAO,EAAE,MAAM,iBAAiB,IAAI;AAAA,EAC/C;AACA,SAAO,EAAE,MAAM,OAAO;AACxB;","names":[]}

package/dist/lib/manager-worker.js

@@ -22,7 +22,7 @@ import {
   resolveChannels,
   resolveDmTarget,
   wrapScheduledTaskPrompt
-} from "../chunk-LU6L2J32.js";
+} from "../chunk-MEJGM5RV.js";
 import {
   findTaskByTemplate,
   getProjectDir,
@@ -33,16 +33,21 @@ import {
 } from "../chunk-M6FSTVGG.js";
 import {
   buildAllowedTools,
+  getLastFailureContext,
   getProjectDir as getProjectDir2,
   injectMessage,
+  isAgentIdle,
   isSessionHealthy,
+  isStaleForToday,
+  peekCurrentSession,
+  prepareForRespawn,
   resetRestartCount,
   resolveClaudeBinary,
   sanitizeMcpJson,
   startPersistentSession,
   stopAllSessionsAndWait,
   stopPersistentSession
-} from "../chunk-AFUG4KD3.js";
+} from "../chunk-EG5D3KUV.js";
 
 // src/lib/manager-worker.ts
 import { createHash } from "crypto";
@@ -794,6 +799,44 @@ async function sweepChannelProcesses(opts) {
     dryRun
   };
 }
+function pickTeardownTargets(processes, codeName) {
+  return processes.filter((p) => p.codeName === codeName);
+}
+function defaultKillSignal(pid, signal) {
+  try {
+    process.kill(pid, signal);
+  } catch {
+  }
+}
+function defaultPs() {
+  return execFileSync("ps", ["eww", "-o", "pid=,ppid=,etime=,command="], {
+    encoding: "utf-8",
+    timeout: 5e3,
+    maxBuffer: 10 * 1024 * 1024
+  });
+}
+function killAgentChannelProcesses(codeName, opts) {
+  const { log: log2, dryRun = false } = opts;
+  const kill = opts.killFn ?? defaultKillSignal;
+  const ps = opts.psFn ?? defaultPs;
+  let psOutput = "";
+  try {
+    psOutput = ps();
+  } catch (err) {
+    log2(`[channel-teardown] ps failed for '${codeName}': ${err.message}`);
+    return [];
+  }
+  const targets = pickTeardownTargets(parsePsOutput(psOutput), codeName);
+  if (targets.length === 0) return [];
+  const pids = targets.map((t) => t.pid);
+  log2(
+    `[channel-teardown]${dryRun ? "[dry-run]" : ""} de-provision '${codeName}': killing ${targets.length} channel MCP(s) \u2014 ` + targets.map((t) => `${t.channelType}#${t.pid}`).join(", ")
+  );
+  if (!dryRun) {
+    for (const pid of pids) kill(pid, "SIGTERM");
+  }
+  return pids;
+}
 
 // src/lib/delivery-hint.ts
 var DEFAULT_PROBABILITY = 0.1;
@@ -1361,6 +1404,12 @@ var lastChannelSweepAt = 0;
 var config = null;
 var running = false;
 var pollTimer = null;
+var PANE_TAIL_PREVIEW_LINES = 5;
+function truncateForLog(s) {
+  const lines = s.split("\n").filter((l) => l.length > 0);
+  return lines.slice(-PANE_TAIL_PREVIEW_LINES).map((l) => `    | ${l}`).join("\n");
+}
+var KNOWN_SAFE_TAIL_SIGNATURES = /* @__PURE__ */ new Set(["session_id_in_use"]);
 var knownVersions = /* @__PURE__ */ new Map();
 var knownStatuses = /* @__PURE__ */ new Map();
 var knownChannels = /* @__PURE__ */ new Map();
@@ -1435,7 +1484,7 @@ function clearAgentCaches(agentId, codeName) {
 var cachedFrameworkVersion = null;
 var lastVersionCheckAt = 0;
 var VERSION_CHECK_INTERVAL_MS = 5 * 60 * 1e3;
-var agtCliVersion = true ? "0.16.0" : "dev";
+var agtCliVersion = true ? "0.16.2" : "dev";
 function resolveBrewPath(execFileSync2) {
   try {
     const out = execFileSync2("which", ["brew"], { timeout: 5e3 }).toString().trim();
@@ -2312,7 +2361,7 @@ async function pollCycle() {
     }
     try {
       const { detectHostSecurity } = await import("../host-security-6PDFG7F5.js");
-      const { collectDiagnostics } = await import("../persistent-session-VRS3MFQ3.js");
+      const { collectDiagnostics } = await import("../persistent-session-YEUFJMWF.js");
       const diagCodeNames = [...persistentSessionAgents];
       const agentDiagnostics = diagCodeNames.length > 0 ? collectDiagnostics(diagCodeNames) : void 0;
       let tailscaleHostname;
@@ -2412,6 +2461,13 @@ async function pollCycle() {
         log(`Agent '${prev.codeName}' removed from host (deleted or unassigned)`);
         const adapter = resolveAgentFramework(prev.codeName);
         await stopGatewayIfRunning(prev.codeName, adapter);
+        stopPersistentSession(prev.codeName, log);
+        try {
+          const { execSync: es } = await import("child_process");
+          es(`tmux kill-session -t agt-${prev.codeName} 2>/dev/null`, { stdio: "ignore" });
+        } catch {
+        }
+        killAgentChannelProcesses(prev.codeName, { log });
         freePort(prev.codeName);
         const agentDir = join3(adapter.getAgentDir(prev.codeName), "provision");
         await cleanupAgentFiles(prev.codeName, agentDir);
@@ -2539,6 +2595,7 @@ async function processAgent(agent, agentStates) {
       es(`tmux kill-session -t agt-${agent.code_name} 2>/dev/null`, { stdio: "ignore" });
     } catch {
     }
+    killAgentChannelProcesses(agent.code_name, { log });
     freePort(agent.code_name);
     await cleanupAgentFiles(agent.code_name, agentDir);
     clearAgentCaches(agent.agent_id, agent.code_name);
@@ -3778,6 +3835,24 @@ async function finishRun(runId, outcome, options = {}) {
     log(`[runs] finish failed for run_id=${runId} outcome=${outcome} error_id=${errId}`);
   }
 }
+var MAX_PRIOR_RUNS = 5;
+async function fetchPriorScheduledRuns(agentId, taskId) {
+  try {
+    const data = await api.post("/host/scheduled-tasks/recent-outputs", {
+      agent_id: agentId,
+      task_id: taskId,
+      since_hours: 24,
+      limit: MAX_PRIOR_RUNS
+    });
+    const rows = Array.isArray(data?.runs) ? data.runs.slice(0, MAX_PRIOR_RUNS) : [];
+    return rows.filter((r) => typeof r.output_text === "string" && r.output_text.length > 0).map((r) => ({ startedAt: r.started_at, output: r.output_text }));
+  } catch (err) {
+    const errText = err instanceof Error ? err.message : String(err);
+    const errId = createHash("sha256").update(errText).digest("hex").slice(0, 12);
+    log(`[runs] prior-runs lookup failed for task_id=${taskId} error_id=${errId}`);
+    return [];
+  }
+}
 async function executeAndProcessClaudeTask(codeName, agentId, task, prompt) {
   const projectDir = getProjectDir(codeName);
   const mcpConfigPath = join3(projectDir, ".mcp.json");
@@ -3785,7 +3860,8 @@ async function executeAndProcessClaudeTask(codeName, agentId, task, prompt) {
   let kanbanItemId = null;
   let taskResult;
   sanitizeMcpJson(mcpConfigPath, requireHost());
-  prompt = wrapScheduledTaskPrompt(prompt);
+  const priorRuns = await fetchPriorScheduledRuns(agentId, task.taskId);
+  prompt = wrapScheduledTaskPrompt(prompt, { priorRuns });
   try {
     const claudeMdPath = join3(projectDir, "CLAUDE.md");
     const serverNames = [];
@@ -4061,9 +4137,34 @@ async function ensurePersistentSession(agent, tasks, boardItems, refreshData) {
     stopPersistentSession(codeName, log);
     persistentSessionAgents.delete(codeName);
   }
+  if (isStaleForToday(codeName) && isSessionHealthy(codeName)) {
+    const current = peekCurrentSession(codeName);
+    if (current) {
+      const idle = isAgentIdle(projectDir, current.sessionId);
+      if (idle) {
+        log(
+          `[persistent-session] Day rollover for '${codeName}' (yesterday=${current.date}) \u2014 agent idle, restarting to mint fresh session`
+        );
+        stopPersistentSession(codeName, log);
+        persistentSessionAgents.delete(codeName);
+      } else {
+        log(
+          `[persistent-session] Day rollover for '${codeName}' deferred \u2014 agent still active on session ${current.sessionId} (will retry next tick)`
+        );
+      }
+    }
+  }
   if (!isSessionHealthy(codeName)) {
     if (persistentSessionAgents.has(codeName)) {
-      log(`[persistent-session] Session for '${codeName}' is unhealthy, will restart`);
+      const ctx = getLastFailureContext(codeName);
+      const recovery = prepareForRespawn(codeName);
+      const tailSummary = !ctx.tail ? "" : KNOWN_SAFE_TAIL_SIGNATURES.has(ctx.signature) ? `; last pane output (${PANE_TAIL_PREVIEW_LINES} of ~20 lines):
+${truncateForLog(ctx.tail)}` : `; pane_tail_hash=sha256:${createHash("sha256").update(ctx.tail).digest("hex").slice(0, 12)} (raw at ~/.augmented/${codeName}/pane.log)`;
+      const sigSummary = ctx.signature !== "unknown" ? `; signature=${ctx.signature}` : "";
+      const recoverySummary = recovery ? `; recovery=${recovery}` : "";
+      log(
+        `[persistent-session] Session for '${codeName}' is unhealthy (restart #${ctx.restartCount}${sigSummary}${recoverySummary}), will restart${tailSummary}`
+      );
     }
     try {
       provisionStopHook(codeName);
@@ -4288,6 +4389,7 @@ function ensureRealtimeAssignStarted(agentStates) {
       hostId: exchange.hostId,
       onAssign: (payload) => {
         log(`[realtime] Agent ${payload.agent_id} assigned \u2014 will pick up next cycle`);
+        markAgentForFreshMemorySync(payload.agent_id);
       },
       onUnassign: (payload) => {
         log(`[realtime] Agent ${payload.agent_id} unassigned`);
@@ -5374,8 +5476,9 @@ async function processClaudePairSessions(agents) {
     submitClaudePairCode,
     spawnPairSession,
     killPairSession,
-    pairTmuxSession
-  } = await import("../claude-pair-runtime-GS6AOYHS.js");
+    pairTmuxSession,
+    finalizeClaudePairOnboarding
+  } = await import("../claude-pair-runtime-Q7PNH3ZK.js");
   for (const pairId of pendingResp.cancelled_pair_ids ?? []) {
     log(`[claude-pair] sweeping orphan tmux session for pair ${pairId.slice(0, 8)}`);
     const killed = await killPairSession(pairTmuxSession(pairId));
@@ -5450,6 +5553,10 @@ async function processClaudePairSessions(agents) {
           code: session.code
         });
         if (result.kind === "success") {
+          const finalize = await finalizeClaudePairOnboarding(pairSession, log);
+          if (!finalize.finalized) {
+            log(`[claude-pair] WARN: ~/.claude.json was not updated during onboarding (pair ${session.pair_id.slice(0, 8)}) \u2014 first agent launch may show the login picker`);
+          }
           await reportAndCleanup(session.pair_id, { status: "success" });
         } else if (result.kind === "failure") {
           await reportAndCleanup(session.pair_id, {
@@ -5616,6 +5723,13 @@ function generateArtifacts(agent, refreshData, adapter) {
 var memoryFileHashes = /* @__PURE__ */ new Map();
 var lastDownloadHash = /* @__PURE__ */ new Map();
 var lastLocalFileHash = /* @__PURE__ */ new Map();
+var pendingFreshMemorySync = /* @__PURE__ */ new Set();
+function markAgentForFreshMemorySync(agentId) {
+  pendingFreshMemorySync.add(agentId);
+  memoryFileHashes.delete(agentId);
+  lastDownloadHash.delete(agentId);
+  lastLocalFileHash.delete(agentId);
+}
 function parseMemoryFile(raw, fallbackName) {
   const trimmed = raw.trim();
   if (!trimmed) return null;
@@ -5642,6 +5756,16 @@ function parseMemoryFile(raw, fallbackName) {
 async function syncMemories(agent, configDir, log2) {
   const projectDir = join3(configDir, agent.code_name, "project");
   const memoryDir = join3(projectDir, "memory");
+  const isFreshSync = pendingFreshMemorySync.has(agent.agent_id);
+  if (isFreshSync) {
+    log2(`[memory-sync] Fresh-sync requested for '${agent.code_name}' \u2014 pulling DB first`);
+    const ok = await downloadMemories(agent, memoryDir, log2, { force: true });
+    if (!ok) {
+      log2(`[memory-sync] Fresh-sync download failed for '${agent.code_name}' \u2014 skipping upload, will retry next tick`);
+      return;
+    }
+    pendingFreshMemorySync.delete(agent.agent_id);
+  }
   if (existsSync2(memoryDir)) {
     const prevHashes = memoryFileHashes.get(agent.agent_id) ?? /* @__PURE__ */ new Map();
     const currentHashes = /* @__PURE__ */ new Map();
@@ -5682,6 +5806,11 @@ async function syncMemories(agent, configDir, log2) {
       }
     }
   }
+  if (!isFreshSync) {
+    await downloadMemories(agent, memoryDir, log2, { force: false });
+  }
+}
+async function downloadMemories(agent, memoryDir, log2, { force }) {
   const localFiles = existsSync2(memoryDir) ? readdirSync2(memoryDir).filter((f) => f.endsWith(".md")).sort() : [];
   const localListHash = createHash("sha256").update(localFiles.join(",")).digest("hex").slice(0, 16);
   const prevLocalHash = lastLocalFileHash.get(agent.agent_id);
@@ -5691,20 +5820,21 @@ async function syncMemories(agent, configDir, log2) {
       agent_id: agent.agent_id
     });
     const responseHash = createHash("sha256").update(JSON.stringify(dbMemories.memories ?? [])).digest("hex").slice(0, 16);
-    if (prevDownload && prevLocalHash === localListHash && lastDownloadHash.get(agent.agent_id) === responseHash) {
-      return;
+    if (!force && prevDownload && prevLocalHash === localListHash && lastDownloadHash.get(agent.agent_id) === responseHash) {
+      return true;
     }
     lastDownloadHash.set(agent.agent_id, responseHash);
     lastLocalFileHash.set(agent.agent_id, localListHash);
     if (dbMemories.memories?.length) {
       mkdirSync2(memoryDir, { recursive: true });
-      const existingFileSet = new Set(localFiles.map((f) => f.replace(/\.md$/, "").toLowerCase()));
       let written = 0;
-      for (const mem of dbMemories.memories) {
+      let overwritten = 0;
+      for (let i = 0; i < dbMemories.memories.length; i++) {
+        const mem = dbMemories.memories[i];
         const rawSlug = mem.name.toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/(^-|-$)/g, "").slice(0, 60);
-        const slug = rawSlug || `memory-${written}`;
-        if (existingFileSet.has(slug)) continue;
-        const fileContent = `---
+        const slug = rawSlug || `memory-${i}`;
+        const filePath = join3(memoryDir, `${slug}.md`);
+        const desired = `---
 name: ${JSON.stringify(mem.name)}
 type: ${mem.type}
 description: ${JSON.stringify(mem.content.slice(0, 200))}
@@ -5712,17 +5842,30 @@ description: ${JSON.stringify(mem.content.slice(0, 200))}
 
 ${mem.content}
 `;
-        writeFileSync2(join3(memoryDir, `${slug}.md`), fileContent);
-        written++;
+        if (existsSync2(filePath)) {
+          let existing = "";
+          try {
+            existing = readFileSync2(filePath, "utf-8");
+          } catch {
+          }
+          if (existing === desired) continue;
+          writeFileSync2(filePath, desired);
+          overwritten++;
+        } else {
+          writeFileSync2(filePath, desired);
+          written++;
+        }
       }
-      if (written > 0) {
+      if (written > 0 || overwritten > 0) {
         const updatedFiles = readdirSync2(memoryDir).filter((f) => f.endsWith(".md")).sort();
         lastLocalFileHash.set(agent.agent_id, createHash("sha256").update(updatedFiles.join(",")).digest("hex").slice(0, 16));
-        log2(`Exported ${written} DB memories to local files for '${agent.code_name}'`);
+        log2(`Memory download for '${agent.code_name}': wrote ${written} new, overwrote ${overwritten} stale`);
       }
     }
+    return true;
   } catch (err) {
     log2(`Memory download failed for '${agent.code_name}': ${err.message}`);
+    return false;
   }
 }
 async function cleanupAgentFiles(codeName, agentDir) {
@@ -6056,6 +6199,7 @@ process.on("disconnect", () => {
 });
 export {
   ChildProcessError,
+  markAgentForFreshMemorySync,
   startManager,
   stopManager
 };