@open-code-review/cli 1.11.0 → 2.1.0

package/dist/lib/db/index.js

@@ -1,9 +1,209 @@
 // src/lib/db/index.ts
-import { existsSync as existsSync2, mkdirSync as mkdirSync2, readFileSync as readFileSync2, renameSync as renameSync2, writeFileSync as writeFileSync2 } from "node:fs";
-import { dirname as dirname2, join as join2 } from "node:path";
+import {
+  existsSync as existsSync3,
+  mkdirSync as mkdirSync2,
+  copyFileSync,
+  statSync,
+  mkdtempSync,
+  rmSync
+} from "node:fs";
+import { tmpdir } from "node:os";
+import { dirname as dirname3, join as join3 } from "node:path";
+
+// src/lib/db/engine.ts
 import { createRequire } from "node:module";
-import { spawnSync } from "node:child_process";
-import initSqlJs from "sql.js";
+
+// src/lib/runtime-checks.ts
+var NODE_FLOOR = { major: 22, minor: 5 };
+function isSupportedNode(version) {
+  const [major = 0, minor = 0] = version.split(".").map((n) => Number.parseInt(n, 10) || 0);
+  return major > NODE_FLOOR.major || major === NODE_FLOOR.major && minor >= NODE_FLOOR.minor;
+}
+function nodeVersionGuardMessage(version) {
+  return `
+Open Code Review requires Node.js >= ${NODE_FLOOR.major}.${NODE_FLOOR.minor} (it uses Node's built-in SQLite, \`node:sqlite\`).
+You have Node ${version}. Upgrade Node (e.g. \`nvm install 22 && nvm use 22\`) and re-run.
+
+`;
+}
+function isSuppressibleSqliteWarning(warning) {
+  const message = typeof warning === "string" ? warning : warning?.message;
+  return typeof message === "string" && message.includes("SQLite is an experimental feature");
+}
+
+// src/lib/db/engine.ts
+var SQLITE_BUSY = 5;
+var SQLITE_BUSY_SNAPSHOT = 261;
+var BUSY_RETRY_ATTEMPTS = 5;
+var BUSY_RETRY_BACKOFF_MS = 50;
+var savepointName = (depth) => `ocr_sp_${depth}`;
+var nodeRequire = createRequire(import.meta.url);
+var _preconditionsApplied = false;
+function applyEnginePreconditions() {
+  if (_preconditionsApplied) return;
+  _preconditionsApplied = true;
+  const originalEmitWarning = process.emitWarning.bind(process);
+  process.emitWarning = (warning, ...args) => {
+    if (isSuppressibleSqliteWarning(warning)) return;
+    originalEmitWarning(warning, ...args);
+  };
+}
+var _DatabaseSyncCtor;
+function newDatabase(path) {
+  if (!_DatabaseSyncCtor) {
+    applyEnginePreconditions();
+    try {
+      _DatabaseSyncCtor = nodeRequire("node:sqlite").DatabaseSync;
+    } catch (e) {
+      if (!isSupportedNode(process.versions.node)) {
+        throw new Error(nodeVersionGuardMessage(process.versions.node).trim());
+      }
+      throw e;
+    }
+  }
+  return new _DatabaseSyncCtor(path);
+}
+function isBusyError(e) {
+  const errcode = e?.errcode;
+  return errcode === SQLITE_BUSY || errcode === SQLITE_BUSY_SNAPSHOT;
+}
+var SLEEP_BUF = new Int32Array(new SharedArrayBuffer(4));
+function sleepSync(ms) {
+  Atomics.wait(SLEEP_BUF, 0, 0, ms);
+}
+var NodeSqliteAdapter = class {
+  raw;
+  /**
+   * Transaction nesting depth. `node:sqlite` has no transaction helper, so we
+   * drive `BEGIN IMMEDIATE` ourselves and use SAVEPOINTs for nested calls
+   * (better-sqlite3 did this automatically). 0 = no transaction open.
+   */
+  txnDepth = 0;
+  constructor(db) {
+    this.raw = db;
+  }
+  exec(sql, params) {
+    const stmt = this.raw.prepare(sql);
+    const cols = stmt.columns();
+    if (cols.length === 0) {
+      stmt.run(...params ?? []);
+      return [];
+    }
+    stmt.setReturnArrays(true);
+    const values = stmt.all(...params ?? []);
+    return values.length > 0 ? [{ columns: cols.map((c) => c.name), values }] : [];
+  }
+  run(sql, params) {
+    if (params !== void 0) {
+      this.raw.prepare(sql).run(...params);
+      return;
+    }
+    this.raw.exec(sql);
+  }
+  prepare(sql) {
+    return this.raw.prepare(sql);
+  }
+  transaction(fn) {
+    return this.txnDepth > 0 ? this.runNested(fn) : this.runOuter(fn);
+  }
+  /**
+   * Nested call: a SAVEPOINT within the outer transaction's write lock. No
+   * busy-retry — the outer transaction already holds the lock. The savepoint
+   * lets the inner block roll back independently while the outer continues.
+   */
+  runNested(fn) {
+    const name = savepointName(this.txnDepth);
+    this.raw.exec(`SAVEPOINT ${name}`);
+    this.txnDepth++;
+    try {
+      const result = fn();
+      this.raw.exec(`RELEASE ${name}`);
+      return result;
+    } catch (e) {
+      try {
+        this.raw.exec(`ROLLBACK TO ${name}`);
+        this.raw.exec(`RELEASE ${name}`);
+      } catch {
+      }
+      throw e;
+    } finally {
+      this.txnDepth--;
+    }
+  }
+  /**
+   * Outer transaction: `BEGIN IMMEDIATE` acquires the write lock up front so
+   * cross-process writers serialize cleanly under WAL instead of failing late
+   * on upgrade. `busy_timeout` covers most contention; a bounded synchronous
+   * retry absorbs the residual SQLITE_BUSY (another connection holds the lock
+   * past the timeout, or BUSY_SNAPSHOT). Non-busy errors and the final attempt
+   * re-throw so genuine failures propagate.
+   */
+  runOuter(fn) {
+    for (let attempt = 0; attempt < BUSY_RETRY_ATTEMPTS; attempt++) {
+      try {
+        return this.runOnce(fn);
+      } catch (e) {
+        if (!isBusyError(e) || attempt === BUSY_RETRY_ATTEMPTS - 1) throw e;
+        sleepSync(BUSY_RETRY_BACKOFF_MS);
+      }
+    }
+    throw new Error("transaction retry budget exhausted");
+  }
+  /** One `BEGIN IMMEDIATE` / `COMMIT` / `ROLLBACK` lifecycle. */
+  runOnce(fn) {
+    this.raw.exec("BEGIN IMMEDIATE");
+    this.txnDepth = 1;
+    try {
+      const result = fn();
+      this.raw.exec("COMMIT");
+      return result;
+    } catch (e) {
+      try {
+        this.raw.exec("ROLLBACK");
+      } catch {
+      }
+      throw e;
+    } finally {
+      this.txnDepth = 0;
+    }
+  }
+  pragma(source) {
+    this.raw.exec(`PRAGMA ${source}`);
+    return void 0;
+  }
+  close() {
+    try {
+      this.raw.exec("PRAGMA wal_checkpoint(TRUNCATE)");
+    } catch {
+    }
+    try {
+      this.raw.close();
+    } catch (e) {
+      const message = e?.message ?? "";
+      if (!/database is not open/i.test(message)) throw e;
+    }
+  }
+};
+function probeEngine() {
+  try {
+    const db = newDatabase(":memory:");
+    db.exec("PRAGMA journal_mode = WAL");
+    db.exec("CREATE TABLE _probe(x); INSERT INTO _probe VALUES (1);");
+    const row = db.prepare("SELECT sqlite_version() AS v").get();
+    db.close();
+    return { ok: true, version: row.v };
+  } catch (e) {
+    return { ok: false, error: e instanceof Error ? e.message : String(e) };
+  }
+}
+function openEngine(dbPath) {
+  const native = newDatabase(dbPath);
+  native.exec("PRAGMA journal_mode = WAL");
+  native.exec("PRAGMA foreign_keys = ON");
+  native.exec("PRAGMA busy_timeout = 5000");
+  native.exec("PRAGMA synchronous = NORMAL");
+  return new NodeSqliteAdapter(native);
+}
 
 // src/lib/db/migrations.ts
 var MIGRATIONS = [
@@ -327,8 +527,157 @@ var MIGRATIONS = [
       DROP INDEX IF EXISTS idx_agent_sessions_status_heartbeat;
       DROP TABLE IF EXISTS agent_sessions;
     `
+  },
+  {
+    version: 12,
+    description: "Event-sourced lifecycle hardening: event_type taxonomy guard, sweep indexes, session_completeness view",
+    sql: `
+      -- \u2500\u2500 Indexes for the now-periodic stale-session sweep + round derivation \u2500\u2500
+      -- The sweep filters sessions by status and rolls up MAX(created_at) per
+      -- session over the event log; deriveNextRound does MAX(round). Index both.
+      CREATE INDEX IF NOT EXISTS idx_sessions_status ON sessions(status);
+      CREATE INDEX IF NOT EXISTS idx_events_session_created
+        ON orchestration_events(session_id, created_at);
+
+      -- \u2500\u2500 Event-type taxonomy guard \u2500\u2500
+      -- orchestration_events.event_type is the spine of all lifecycle
+      -- derivation. A typo (e.g. 'round_complete' vs 'round_completed') would
+      -- silently break deriveNextRound and the completeness view. SQLite cannot
+      -- add a CHECK to an existing column without a table rebuild, so enforce
+      -- the closed vocabulary with a BEFORE INSERT trigger instead.
+      CREATE TRIGGER IF NOT EXISTS trg_events_known_type
+      BEFORE INSERT ON orchestration_events
+      WHEN NEW.event_type NOT IN (
+        'session_created', 'session_resumed', 'round_started', 'phase_transition',
+        'round_completed', 'map_completed', 'session_closed', 'session_aborted',
+        'session_auto_closed_stale', 'session_synced', 'session_legacy_import'
+      )
+      BEGIN
+        SELECT RAISE(ABORT, 'unknown orchestration_events.event_type');
+      END;
+
+      -- \u2500\u2500 Close-guard (DB backstop for the completion invariant) \u2500\u2500
+      -- A session cannot transition active \u2192 closed unless its current
+      -- round/run has a terminal artifact event, OR an explicit reason event
+      -- (abort / auto-close-stale / sync / legacy-import) is present. Only a
+      -- *silent* premature close is banned \u2014 every legitimate non-artifact
+      -- close carries a reason event and passes. App-level guards in
+      -- stateClose/finish are the primary check; this makes the illegal state
+      -- unrepresentable even via raw SQL.
+      --
+      -- DEFENCE-IN-DEPTH NOTE (intentional, documented gap): the reason-event
+      -- branch below (event_type IN (...)) is NOT round-scoped \u2014 a reason event
+      -- recorded for an earlier round would also satisfy a later close. The
+      -- app-level guards ARE round-scoped (hasCompletionInvariant checks the
+      -- current round/run), so the precise check lives in the application; this
+      -- trigger is a coarse backstop against a *silent* premature close via raw
+      -- SQL. Tightening it to be round-scoped would require a new migration
+      -- (this v12 trigger is append-only and already shipped); the residual
+      -- risk is a non-artifact close carrying a stale reason event, which is
+      -- still an explicit, audited terminal \u2014 not the failure mode this guards.
+      CREATE TRIGGER IF NOT EXISTS trg_sessions_close_guard
+      BEFORE UPDATE OF status ON sessions
+      WHEN NEW.status = 'closed' AND OLD.status <> 'closed'
+        AND NOT EXISTS (
+          SELECT 1 FROM orchestration_events e
+           WHERE e.session_id = NEW.id
+             AND (
+               (NEW.workflow_type = 'review' AND e.event_type = 'round_completed' AND e.round = NEW.current_round)
+               OR (NEW.workflow_type = 'map' AND e.event_type = 'map_completed'   AND e.round = NEW.current_map_run)
+               OR e.event_type IN ('session_aborted','session_auto_closed_stale','session_synced','session_legacy_import')
+             )
+        )
+      BEGIN
+        SELECT RAISE(ABORT, 'cannot close session without a completed round/run or an explicit reason event');
+      END;
+
+      -- \u2500\u2500 session_completeness view \u2500\u2500
+      -- The published contract for "is this session actually complete, and if
+      -- not, what's missing". Completion is DERIVED from the event log, never a
+      -- mutable flag: a session is complete iff it is closed AND a terminal
+      -- artifact event exists for its current round/run. The dashboard's
+      -- outcome derivation and the agent 'status' command read this view, so
+      -- they cannot disagree.
+      --
+      -- completeness_state is an INTENTIONAL HYBRID: it combines the mutable
+      -- status column (marked_closed) with append-only event evidence (the
+      -- terminal artifact event). This is sound precisely because the
+      -- close-guard trigger above makes the status column trustworthy \u2014 a row
+      -- can only reach status='closed' with a completed round/run or an
+      -- explicit reason event \u2014 so reading the column is not a regression to
+      -- the old "mutable flag that could lie" model.
+      --
+      --   completeness_state:
+      --     'complete'                \u2014 closed + terminal artifact for current round/run
+      --     'closed_without_artifact' \u2014 closed but no terminal artifact (the
+      --                                 "completed too soon" condition)
+      --     'in_flight'               \u2014 open with a dependent process still running
+      --     'open_no_artifact'        \u2014 open, no in-flight dependents
+      CREATE VIEW IF NOT EXISTS session_completeness AS
+      SELECT
+        s.id              AS session_id,
+        s.workflow_type   AS workflow_type,
+        s.status          AS status,
+        s.current_round   AS current_round,
+        s.current_map_run AS current_map_run,
+        CASE WHEN EXISTS (
+          SELECT 1 FROM orchestration_events e
+           WHERE e.session_id = s.id
+             AND (
+               (s.workflow_type = 'review' AND e.event_type = 'round_completed' AND e.round = s.current_round)
+               OR (s.workflow_type = 'map' AND e.event_type = 'map_completed'   AND e.round = s.current_map_run)
+             )
+        ) THEN 1 ELSE 0 END AS has_terminal_artifact,
+        CASE WHEN s.status = 'closed' THEN 1 ELSE 0 END AS marked_closed,
+        CASE WHEN NOT EXISTS (
+          SELECT 1 FROM command_executions ce
+           WHERE ce.workflow_id = s.id AND ce.finished_at IS NULL
+        ) THEN 1 ELSE 0 END AS dependents_settled,
+        CASE
+          WHEN s.status = 'closed' AND EXISTS (
+            SELECT 1 FROM orchestration_events e
+             WHERE e.session_id = s.id
+               AND (
+                 (s.workflow_type = 'review' AND e.event_type = 'round_completed' AND e.round = s.current_round)
+                 OR (s.workflow_type = 'map' AND e.event_type = 'map_completed'   AND e.round = s.current_map_run)
+               )
+          ) THEN 'complete'
+          WHEN s.status = 'closed' THEN 'closed_without_artifact'
+          WHEN EXISTS (
+            SELECT 1 FROM command_executions ce
+             WHERE ce.workflow_id = s.id AND ce.finished_at IS NULL
+          ) THEN 'in_flight'
+          ELSE 'open_no_artifact'
+        END AS completeness_state
+      FROM sessions s;
+    `
+  },
+  {
+    version: 13,
+    description: "Retire dead parent_id column on command_executions (never written; row kind is derived from command)",
+    // parent_id was reserved for an AI-instance → dashboard-spawn lineage link
+    // that was never wired (no writer, no reader). A process's KIND (supervisor
+    // / reviewer-instance / utility) is derived from columns that are always
+    // present (command + last_heartbeat_at), so the dead lineage column and its
+    // all-NULL index are removed. Re-add a wired parent_id alongside a real
+    // consumer (e.g. a parent→child tree view) if lineage is ever needed.
+    //
+    // Imperative + guarded so the DROP COLUMN (which SQLite can't express as
+    // IF EXISTS) is idempotent under re-application.
+    run: (db) => {
+      if (!columnExists(db, "command_executions", "parent_id")) return;
+      db.run("DROP INDEX IF EXISTS idx_command_executions_parent;");
+      db.run("ALTER TABLE command_executions DROP COLUMN parent_id;");
+    }
   }
 ];
+function columnExists(db, table, column) {
+  const result = db.exec(`PRAGMA table_info(${table})`);
+  const first = result[0];
+  if (!first) return false;
+  const nameIdx = first.columns.indexOf("name");
+  return first.values.some((row) => row[nameIdx] === column);
+}
 function ensureSchemaVersionTable(db) {
   db.run(`
     CREATE TABLE IF NOT EXISTS schema_version (
@@ -338,6 +687,10 @@ function ensureSchemaVersionTable(db) {
     );
   `);
 }
+function getSchemaVersion(db) {
+  ensureSchemaVersionTable(db);
+  return getCurrentVersion(db);
+}
 function getCurrentVersion(db) {
   const result = db.exec(
     "SELECT MAX(version) as v FROM schema_version"
@@ -355,9 +708,10 @@ function runMigrations(db) {
     if (migration.version <= currentVersion) {
       continue;
     }
-    db.run("BEGIN TRANSACTION;");
+    db.run("BEGIN IMMEDIATE;");
     try {
-      db.run(migration.sql);
+      if (migration.sql) db.run(migration.sql);
+      migration.run?.(db);
       db.run(
         "INSERT INTO schema_version (version, description) VALUES (?, ?);",
         [migration.version, migration.description]
@@ -370,6 +724,10 @@ function runMigrations(db) {
   }
 }
 
+// src/lib/db/reconcile.ts
+import { existsSync } from "node:fs";
+import { isAbsolute, join, dirname } from "node:path";
+
 // src/lib/db/result-mapper.ts
 function resultToRows(result) {
   if (result.length === 0 || !result[0]) {
@@ -497,11 +855,196 @@ function getLatestEventId(db) {
   const val = result[0]?.values[0]?.[0];
   return typeof val === "number" ? val : 0;
 }
+function commitReasonClose(db, sessionId, reasonEvent, projectionUpdates) {
+  db.transaction(() => {
+    insertEvent(db, { session_id: sessionId, ...reasonEvent });
+    updateSession(db, sessionId, projectionUpdates);
+  });
+}
 
-// src/lib/db/agent-sessions.ts
-var ORPHAN_EXIT_CODE = -3;
+// src/lib/db/reconcile.ts
+var DEFAULT_STALE_THRESHOLD_SECONDS = 7 * 24 * 60 * 60;
+function hasTerminalArtifactEvent(db, sessionId, workflowType, currentRound, currentMapRun) {
+  const eventType = workflowType === "map" ? "map_completed" : "round_completed";
+  const round = workflowType === "map" ? currentMapRun : currentRound;
+  const r = db.exec(
+    `SELECT 1 FROM orchestration_events
+       WHERE session_id = ? AND event_type = ? AND round = ? LIMIT 1`,
+    [sessionId, eventType, round]
+  );
+  return (r[0]?.values.length ?? 0) > 0;
+}
+function hasReasonEvent(db, sessionId) {
+  const r = db.exec(
+    `SELECT 1 FROM orchestration_events
+       WHERE session_id = ?
+         AND event_type IN ('session_aborted','session_auto_closed_stale','session_synced','session_legacy_import')
+       LIMIT 1`,
+    [sessionId]
+  );
+  return (r[0]?.values.length ?? 0) > 0;
+}
+function lastEventAgeSeconds(db, sessionId) {
+  const r = db.exec(
+    `SELECT (julianday('now') - julianday(MAX(created_at))) * 86400
+       FROM orchestration_events WHERE session_id = ?`,
+    [sessionId]
+  );
+  const v = r[0]?.values[0]?.[0];
+  return typeof v === "number" ? v : null;
+}
+function hasInFlightDependents(db, sessionId) {
+  const r = db.exec(
+    `SELECT 1 FROM command_executions
+       WHERE workflow_id = ? AND finished_at IS NULL LIMIT 1`,
+    [sessionId]
+  );
+  return (r[0]?.values.length ?? 0) > 0;
+}
+function resolveSessionDir(ocrDir, sessionDir) {
+  if (!sessionDir) return null;
+  if (isAbsolute(sessionDir)) return sessionDir;
+  return join(dirname(ocrDir), sessionDir);
+}
+function reconcileLegacyState(db, ocrDir, opts = {}) {
+  const dryRun = opts.dryRun ?? false;
+  const threshold = opts.staleThresholdSeconds ?? DEFAULT_STALE_THRESHOLD_SECONDS;
+  const actions = [];
+  for (const s of getAllSessions(db)) {
+    const dir = resolveSessionDir(ocrDir, s.session_dir);
+    if (s.status === "closed") {
+      if (hasTerminalArtifactEvent(db, s.id, s.workflow_type, s.current_round, s.current_map_run) || hasReasonEvent(db, s.id)) {
+        continue;
+      }
+      const reviewFinal = s.workflow_type === "review" && dir ? existsSync(join(dir, "rounds", `round-${s.current_round}`, "final.md")) : false;
+      const mapFinal = s.workflow_type === "map" && dir ? existsSync(join(dir, "map", "runs", `run-${s.current_map_run}`, "map.md")) : false;
+      if (reviewFinal) {
+        actions.push({
+          sessionId: s.id,
+          kind: "synthesize-round-completed",
+          detail: `final.md present for round ${s.current_round}; synthesizing round_completed`
+        });
+        if (!dryRun) {
+          insertEvent(db, {
+            session_id: s.id,
+            event_type: "round_completed",
+            phase: "synthesis",
+            phase_number: 7,
+            round: s.current_round,
+            metadata: JSON.stringify({ source: "reconciled", synthesized_from: "final.md" })
+          });
+        }
+      } else if (mapFinal) {
+        actions.push({
+          sessionId: s.id,
+          kind: "synthesize-map-completed",
+          detail: `map.md present for run ${s.current_map_run}; synthesizing map_completed`
+        });
+        if (!dryRun) {
+          insertEvent(db, {
+            session_id: s.id,
+            event_type: "map_completed",
+            phase: "synthesis",
+            phase_number: 5,
+            round: s.current_map_run,
+            metadata: JSON.stringify({ source: "reconciled", synthesized_from: "map.md" })
+          });
+        }
+      } else {
+        actions.push({
+          sessionId: s.id,
+          kind: "grandfather",
+          detail: "no provable artifact; recording session_legacy_import"
+        });
+        if (!dryRun) {
+          insertEvent(db, {
+            session_id: s.id,
+            event_type: "session_legacy_import",
+            phase: "complete",
+            metadata: JSON.stringify({ source: "reconciled" })
+          });
+        }
+      }
+      continue;
+    }
+    const age = lastEventAgeSeconds(db, s.id);
+    const stale = (age === null || age > threshold) && !hasInFlightDependents(db, s.id);
+    if (stale) {
+      actions.push({
+        sessionId: s.id,
+        kind: "stale-close",
+        detail: age === null ? "active with no events and no in-flight dependents" : `active, last event ${Math.round(age / 86400)}d ago, no in-flight dependents`
+      });
+      if (!dryRun) {
+        commitReasonClose(
+          db,
+          s.id,
+          {
+            event_type: "session_auto_closed_stale",
+            phase: "complete",
+            metadata: JSON.stringify({ source: "reconciled", threshold_seconds: threshold })
+          },
+          { status: "closed", current_phase: "complete" }
+        );
+      }
+    }
+  }
+  return { dryRun, actions };
+}
+
+// src/lib/db/liveness.ts
+var PID_REUSE_GUARD_MS = 24 * 60 * 60 * 1e3;
+function defaultIsAlive(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch (err) {
+    return !(err instanceof Error && "code" in err && err.code === "ESRCH");
+  }
+}
+function sqliteUtcMs(ts) {
+  const sqliteShape = ts.includes(" ");
+  return new Date(sqliteShape ? ts.replace(" ", "T") + "Z" : ts).getTime();
+}
+
+// src/lib/state/exit-codes.ts
+var STATE_EXIT = {
+  OK: 0,
+  USAGE: 2,
+  AMBIGUOUS: 3,
+  NOT_FOUND: 4,
+  ILLEGAL_TRANSITION: 5,
+  INVARIANT_UNMET: 6,
+  SCHEMA_INVALID: 7,
+  /** Database was locked past the bounded retry budget (SQLITE_BUSY). */
+  BUSY: 8
+};
+var StateError = class extends Error {
+  constructor(code, message) {
+    super(message);
+    this.code = code;
+    this.name = "StateError";
+  }
+};
 var CANCELLED_EXIT_CODE = -2;
+var ORPHAN_EXIT_CODE = -3;
+var CASCADE_CLOSE_EXIT_CODE = -4;
+
+// src/lib/db/agent-sessions.ts
 var NOTE_ORPHAN_PREFIX = "orphaned by liveness sweep";
+var INSTANCE_COMMAND = "session-instance";
+function cascadeTerminateExecutions(db, workflowId, exitCode, note) {
+  db.run(
+    `UPDATE command_executions
+       SET finished_at = datetime('now'),
+           exit_code   = ?,
+           pid         = NULL,
+           notes       = COALESCE(notes || char(10), '') || ?
+     WHERE workflow_id = ?
+       AND finished_at IS NULL`,
+    [exitCode, note, workflowId]
+  );
+}
 function rowToAgentSession(row) {
   return {
     // The OCR-owned id is the `uid` column. Fall back to the integer
@@ -516,6 +1059,7 @@ function rowToAgentSession(row) {
     resolved_model: row.resolved_model,
     phase: null,
     status: deriveStatus(row),
+    kind: rowKind(row),
     pid: row.pid,
     started_at: row.started_at,
     last_heartbeat_at: row.last_heartbeat_at ?? row.started_at,
@@ -529,7 +1073,9 @@ function deriveStatus(row) {
     return "running";
   }
   if (row.exit_code === ORPHAN_EXIT_CODE) return "orphaned";
-  if (row.exit_code === CANCELLED_EXIT_CODE) return "cancelled";
+  if (row.exit_code === CANCELLED_EXIT_CODE || row.exit_code === CASCADE_CLOSE_EXIT_CODE) {
+    return "cancelled";
+  }
   if (row.exit_code === 0) return "done";
   return "crashed";
 }
@@ -545,7 +1091,7 @@ function insertAgentSession(db, params) {
     pid = null,
     notes = null
   } = params;
-  const command = persona && instance_index !== null ? `session-instance:${persona}-${instance_index}` : "session-instance";
+  const command = persona && instance_index !== null ? `${INSTANCE_COMMAND}:${persona}-${instance_index}` : INSTANCE_COMMAND;
   db.run(
     `INSERT INTO command_executions
        (uid, command, args, workflow_id, vendor, persona, instance_index, name,
@@ -750,38 +1296,112 @@ function updateAgentSession(db, id, params) {
     values
   );
 }
-function sweepStaleAgentSessions(db, thresholdSeconds) {
-  const staleSql = `
-    SELECT uid, id FROM command_executions
-    WHERE finished_at IS NULL
-      AND last_heartbeat_at IS NOT NULL
-      AND (julianday('now') - julianday(last_heartbeat_at)) * 86400 > ?
-  `;
-  const stale = resultToRows(
-    db.exec(staleSql, [thresholdSeconds])
+function sweepStaleAgentSessions(db, thresholdSeconds, isAlive = defaultIsAlive) {
+  const candidates = resultToRows(
+    db.exec(
+      `SELECT uid, id, pid, started_at, workflow_id, command, last_heartbeat_at
+         FROM command_executions
+        WHERE finished_at IS NULL
+          AND pid IS NOT NULL
+          AND last_heartbeat_at IS NOT NULL
+          AND (julianday('now') - julianday(last_heartbeat_at)) * 86400 > ?`,
+      [thresholdSeconds]
+    )
   );
-  if (stale.length === 0) {
-    return { orphanedIds: [] };
+  if (candidates.length === 0) {
+    return { orphanedIds: [], cascadedWorkflowIds: [] };
+  }
+  const reuseCutoffMs = Date.now() - PID_REUSE_GUARD_MS;
+  const dead = candidates.filter((row) => {
+    if (row.pid === null) return false;
+    if (sqliteUtcMs(row.started_at) < reuseCutoffMs) return false;
+    return !isAlive(row.pid);
+  });
+  if (dead.length === 0) {
+    return { orphanedIds: [], cascadedWorkflowIds: [] };
   }
   const note = `${NOTE_ORPHAN_PREFIX} (threshold ${thresholdSeconds}s)`;
-  db.run(
-    `UPDATE command_executions
-       SET finished_at = datetime('now'),
-           exit_code = ?,
-           notes = COALESCE(notes || char(10), '') || ?
-     WHERE finished_at IS NULL
-       AND last_heartbeat_at IS NOT NULL
-       AND (julianday('now') - julianday(last_heartbeat_at)) * 86400 > ?`,
-    [ORPHAN_EXIT_CODE, note, thresholdSeconds]
-  );
+  const placeholders = dead.map(() => "?").join(", ");
+  const cascadedWorkflowIds = [];
+  db.transaction(() => {
+    db.run(
+      `UPDATE command_executions
+          SET finished_at = datetime('now'),
+              exit_code = ?,
+              pid = NULL,
+              notes = COALESCE(notes || char(10), '') || ?
+        WHERE id IN (${placeholders})
+          AND finished_at IS NULL`,
+      [ORPHAN_EXIT_CODE, note, ...dead.map((r) => r.id)]
+    );
+    for (const row of dead) {
+      if (row.workflow_id && rowKind(row) === "supervisor") {
+        cascadeTerminateExecutions(
+          db,
+          row.workflow_id,
+          CASCADE_CLOSE_EXIT_CODE,
+          "cascade-closed: workflow process orphaned by liveness sweep"
+        );
+        cascadedWorkflowIds.push(row.workflow_id);
+      }
+    }
+  });
   return {
-    orphanedIds: stale.map((row) => row.uid ?? String(row.id))
+    orphanedIds: dead.map((r) => r.uid ?? String(r.id)),
+    cascadedWorkflowIds
   };
 }
+function rowKind(row) {
+  if (row.command === INSTANCE_COMMAND || row.command.startsWith(`${INSTANCE_COMMAND}:`)) {
+    return "instance";
+  }
+  return row.last_heartbeat_at == null ? "utility" : "supervisor";
+}
+function sweepStaleSessions(db, thresholdSeconds) {
+  const sql = `
+    SELECT s.id
+      FROM sessions s
+      LEFT JOIN (
+        SELECT session_id, MAX(created_at) AS last_event_at
+          FROM orchestration_events
+         GROUP BY session_id
+      ) e ON e.session_id = s.id
+     WHERE s.status = 'active'
+       AND (
+         e.last_event_at IS NULL
+         OR (julianday('now') - julianday(e.last_event_at)) * 86400 > ?
+       )
+       AND NOT EXISTS (
+         SELECT 1 FROM command_executions ce
+          WHERE ce.workflow_id = s.id
+            AND ce.finished_at IS NULL
+       )
+  `;
+  const rows = resultToRows(db.exec(sql, [thresholdSeconds]));
+  if (rows.length === 0) {
+    return { closedSessionIds: [] };
+  }
+  for (const row of rows) {
+    commitReasonClose(
+      db,
+      row.id,
+      {
+        event_type: "session_auto_closed_stale",
+        phase: "complete",
+        metadata: JSON.stringify({
+          reason: "no events past threshold; no in-flight dependents",
+          threshold_seconds: thresholdSeconds
+        })
+      },
+      { status: "closed", current_phase: "complete" }
+    );
+  }
+  return { closedSessionIds: rows.map((r) => r.id) };
+}
 
 // src/lib/db/command-log.ts
-import { appendFileSync, existsSync, mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
-import { dirname, join } from "node:path";
+import { appendFileSync, existsSync as existsSync2, mkdirSync, readFileSync, renameSync, writeFileSync } from "node:fs";
+import { dirname as dirname2, join as join2 } from "node:path";
 import { randomUUID } from "node:crypto";
 var CACHE_DIR = ".cache";
 var FILENAME = "command-history.jsonl";
@@ -792,16 +1412,16 @@ function generateCommandUid() {
   return randomUUID();
 }
 function cacheDir(ocrDir) {
-  return join(ocrDir, "data", CACHE_DIR);
+  return join2(ocrDir, "data", CACHE_DIR);
 }
 function commandLogPath(ocrDir) {
-  return join(cacheDir(ocrDir), FILENAME);
+  return join2(cacheDir(ocrDir), FILENAME);
 }
 function appendCommandLog(ocrDir, entry) {
   try {
     const filePath = commandLogPath(ocrDir);
-    const dir = dirname(filePath);
-    if (!existsSync(dir)) mkdirSync(dir, { recursive: true });
+    const dir = dirname2(filePath);
+    if (!existsSync2(dir)) mkdirSync(dir, { recursive: true });
     const line = JSON.stringify(entry) + "\n";
     appendFileSync(filePath, line, { encoding: "utf-8" });
     if (approxLineCount >= 0) approxLineCount++;
@@ -811,7 +1431,7 @@ function appendCommandLog(ocrDir, entry) {
 }
 function readCommandLog(ocrDir) {
   const filePath = commandLogPath(ocrDir);
-  if (!existsSync(filePath)) return [];
+  if (!existsSync2(filePath)) return [];
   const content = readFileSync(filePath, "utf-8");
   const entries = [];
   for (const line of content.split("\n")) {
@@ -877,93 +1497,117 @@ function rotateIfNeeded(filePath) {
 }
 
 // src/lib/db/index.ts
-var connections = /* @__PURE__ */ new Map();
-function locateWasm() {
-  const require2 = createRequire(import.meta.url);
-  const sqlJsPath = require2.resolve("sql.js");
-  return join2(dirname2(sqlJsPath), "sql-wasm.wasm");
+var V2_SCHEMA_VERSION = 12;
+function maybeSnapshotBeforeUpgrade(db, dbPath, fromVersion) {
+  if (fromVersion < 1 || fromVersion >= V2_SCHEMA_VERSION) return null;
+  const bakPath = `${dbPath}.bak.v${fromVersion}`;
+  if (existsSync3(bakPath)) return bakPath;
+  try {
+    if (!existsSync3(dbPath) || statSync(dbPath).size === 0) return null;
+    db.pragma("wal_checkpoint(TRUNCATE)");
+    copyFileSync(dbPath, bakPath);
+    return bakPath;
+  } catch {
+    return null;
+  }
 }
-function applyPragmas(db) {
-  db.run("PRAGMA foreign_keys = ON;");
-  db.run("PRAGMA journal_mode = WAL;");
-  db.run("PRAGMA busy_timeout = 5000;");
+function formatUpgradeNotice(bakPath, reconcile) {
+  const lines = [
+    "Storage upgraded to v2.0 \u2014 durable SQLite engine (WAL), event-sourced lifecycle."
+  ];
+  if (bakPath) {
+    lines.push(`  A backup of your previous database was saved to: ${bakPath}`);
+  }
+  const repairs = (reconcile?.actions ?? []).filter((a) => a.kind !== "ok");
+  if (repairs.length > 0) {
+    const n = (kind) => repairs.filter((a) => a.kind === kind).length;
+    const parts = [];
+    const finalized = n("synthesize-round-completed") + n("synthesize-map-completed");
+    if (finalized > 0) parts.push(`${finalized} finalized from artifacts`);
+    if (n("grandfather") > 0) parts.push(`${n("grandfather")} grandfathered`);
+    if (n("stale-close") > 0) parts.push(`${n("stale-close")} stale closed`);
+    lines.push(
+      `  Reconciled ${repairs.length} legacy session(s): ${parts.join(", ")}.`
+    );
+  }
+  lines.push("  Run `ocr doctor` to verify the storage engine.");
+  return lines.map((l) => `[ocr] ${l}`).join("\n");
 }
+var connections = /* @__PURE__ */ new Map();
 async function openDatabase(dbPath) {
   const cached = connections.get(dbPath);
   if (cached) {
     return cached;
   }
-  const wasmBuffer = readFileSync2(locateWasm());
-  const wasmBinary = wasmBuffer.buffer.slice(
-    wasmBuffer.byteOffset,
-    wasmBuffer.byteOffset + wasmBuffer.byteLength
-  );
-  const SQL = await initSqlJs({
-    wasmBinary
-  });
-  let db;
-  if (existsSync2(dbPath)) {
-    const fileBuffer = readFileSync2(dbPath);
-    db = new SQL.Database(fileBuffer);
-  } else {
-    db = new SQL.Database();
+  const dir = dirname3(dbPath);
+  if (!existsSync3(dir)) {
+    mkdirSync2(dir, { recursive: true });
   }
-  applyPragmas(db);
+  const db = openEngine(dbPath);
   connections.set(dbPath, db);
   return db;
 }
-function saveDatabase(db, dbPath) {
-  const data = db.export();
-  const dir = dirname2(dbPath);
-  if (!existsSync2(dir)) {
-    mkdirSync2(dir, { recursive: true });
-  }
-  const tmpPath = `${dbPath}.${process.pid}.tmp`;
-  writeFileSync2(tmpPath, Buffer.from(data));
-  renameSync2(tmpPath, dbPath);
-}
 async function getDb(ocrDir) {
-  const dbPath = join2(ocrDir, "data", "ocr.db");
+  const dbPath = join3(ocrDir, "data", "ocr.db");
   return openDatabase(dbPath);
 }
 async function ensureDatabase(ocrDir) {
-  const dataDir = join2(ocrDir, "data");
-  if (!existsSync2(dataDir)) {
+  const dataDir = join3(ocrDir, "data");
+  if (!existsSync3(dataDir)) {
     mkdirSync2(dataDir, { recursive: true });
   }
-  const dbPath = join2(dataDir, "ocr.db");
+  const dbPath = join3(dataDir, "ocr.db");
   const db = await openDatabase(dbPath);
+  let before = 0;
+  try {
+    before = getSchemaVersion(db);
+  } catch {
+    before = 0;
+  }
+  const isLegacyUpgrade = before >= 1 && before < V2_SCHEMA_VERSION;
+  const bakPath = maybeSnapshotBeforeUpgrade(db, dbPath, before);
   runMigrations(db);
-  saveDatabase(db, dbPath);
+  let reconcile;
+  if (before < V2_SCHEMA_VERSION) {
+    try {
+      reconcile = reconcileLegacyState(db, ocrDir);
+    } catch (err) {
+      console.error(
+        `[ocr] legacy reconciliation skipped: ${err instanceof Error ? err.message : String(err)}`
+      );
+    }
+  }
+  if (isLegacyUpgrade) {
+    const notice = formatUpgradeNotice(bakPath, reconcile);
+    if (notice) console.error(notice);
+  }
   return db;
 }
 function walCheckpointTruncate(dbPath) {
-  if (!existsSync2(dbPath)) {
+  if (!existsSync3(dbPath)) {
     return "skipped";
   }
-  try {
-    const probe = spawnSync("sqlite3", ["-version"], {
-      stdio: "ignore",
-      timeout: 2e3
-    });
-    if (probe.status !== 0) {
-      return "skipped";
+  const cached = connections.get(dbPath);
+  if (cached) {
+    try {
+      cached.pragma("wal_checkpoint(TRUNCATE)");
+      return "checkpointed";
+    } catch {
+      return "failed";
     }
-  } catch {
-    return "skipped";
   }
+  let transient;
   try {
-    const result = spawnSync(
-      "sqlite3",
-      [dbPath, "PRAGMA wal_checkpoint(TRUNCATE);"],
-      {
-        stdio: "ignore",
-        timeout: 5e3
-      }
-    );
-    return result.status === 0 ? "checkpointed" : "failed";
+    transient = openEngine(dbPath);
+    transient.pragma("wal_checkpoint(TRUNCATE)");
+    return "checkpointed";
   } catch {
     return "failed";
+  } finally {
+    try {
+      transient?.close();
+    } catch {
+    }
   }
 }
 function closeDatabase(dbPath) {
@@ -979,17 +1623,61 @@ function closeAllDatabases() {
     connections.delete(path);
   }
 }
+function probeWrite() {
+  let dir;
+  try {
+    dir = mkdtempSync(join3(tmpdir(), "ocr-probe-"));
+    const db = openEngine(join3(dir, "probe.db"));
+    try {
+      db.run("CREATE TABLE _probe_write (id INTEGER PRIMARY KEY, v TEXT)");
+      db.transaction(() => {
+        db.run("INSERT INTO _probe_write (v) VALUES (?)", ["written-in-txn"]);
+      });
+      const value = db.exec("SELECT v FROM _probe_write")[0]?.values[0]?.[0];
+      if (value !== "written-in-txn") {
+        return { ok: false, error: `unexpected probe value: ${String(value)}` };
+      }
+      return { ok: true };
+    } finally {
+      db.close();
+    }
+  } catch (e) {
+    return { ok: false, error: e instanceof Error ? e.message : String(e) };
+  } finally {
+    if (dir) rmDirBestEffort(dir);
+  }
+}
+function rmDirBestEffort(dir) {
+  for (let attempt = 0; attempt < 3; attempt++) {
+    try {
+      rmSync(dir, { recursive: true, force: true });
+      return;
+    } catch {
+      if (attempt === 2) return;
+      Atomics.wait(new Int32Array(new SharedArrayBuffer(4)), 0, 0, 10);
+    }
+  }
+}
 export {
+  CANCELLED_EXIT_CODE,
+  CASCADE_CLOSE_EXIT_CODE,
   MIGRATIONS,
+  ORPHAN_EXIT_CODE,
+  PID_REUSE_GUARD_MS,
+  STATE_EXIT,
+  StateError,
   appendCommandLog,
-  applyPragmas,
   bindVendorSessionIdOpportunistically,
   bumpAgentSessionHeartbeat,
   cacheDir,
+  cascadeTerminateExecutions,
   closeAllDatabases,
   closeDatabase,
   commandLogPath,
+  commitReasonClose,
+  defaultIsAlive,
   ensureDatabase,
+  formatUpgradeNotice,
   generateCommandUid,
   getAgentSession,
   getAllSessions,
@@ -998,24 +1686,30 @@ export {
   getLatestActiveSession,
   getLatestAgentSessionWithVendorId,
   getLatestEventId,
+  getSchemaVersion,
   getSession,
   insertAgentSession,
   insertEvent,
   insertSession,
+  isBusyError,
   linkDashboardInvocationToWorkflow,
   listAgentSessionsForWorkflow,
-  locateWasm,
   openDatabase,
+  probeEngine,
+  probeWrite,
   readCommandLog,
+  reconcileLegacyState,
   recordVendorSessionIdForExecution,
   replayCommandLog,
   resultToRow,
   resultToRows,
+  rowKind,
   runMigrations,
-  saveDatabase,
   setAgentSessionStatus,
   setAgentSessionVendorId,
+  sqliteUtcMs,
   sweepStaleAgentSessions,
+  sweepStaleSessions,
   updateAgentSession,
   updateSession,
   walCheckpointTruncate