@ouro.bot/cli 0.1.0-alpha.519 → 0.1.0-alpha.520

package/changelog.json

@@ -1,6 +1,33 @@
 {
   "_note": "This changelog is maintained as part of the PR/version-bump workflow. Agent-curated, not auto-generated. Agents read this file directly via read_file to understand what changed between versions.",
   "versions": [
+    {
+      "version": "0.1.0-alpha.520",
+      "changes": [
+        "`ouro up` now prints the current runtime version in the update-check phase before asking npm for newer bits, so a stalled registry or update path no longer hides what is actually running.",
+        "Production `ouro up` starts or refreshes the daemon before provider health checks and repair prompts. Broken credentials for one agent are reported as degraded provider state after the daemon is answering instead of preventing every agent from coming online.",
+        "Daemon startup now opens the command socket before autostarting provider-dependent workers and kicks agent/sense autostart concurrently. A thrown or stalled config check is contained to that agent's crashed snapshot, leaving the daemon and sibling agents reachable.",
+        "BlueBubbles no longer auto-learns a one-to-one chat partner as the agent's own iMessage handle after an outbound reply, so the next inbound text from that person is not filtered as self-talk.",
+        "Mail tools and the Ouro Mailbox now retry runtime/config resolution when a sense process cached a transient vault-unavailable state, and prompt sense-status rendering reads the same cached vault runtime truth instead of stale local config.",
+        "`ouro up` now times out unresolved daemon startup polling instead of spinning forever, and daemon worker startup ignores duplicate start attempts while a provider/config check is already in flight. Stopping during a pending config check no longer lets that worker spawn afterward.",
+        "BlueBubbles self-handle filtering is now group-echo scoped and bypasses known non-self friends, so a stale `ownHandles` entry cannot make real Ari messages disappear from Slugger's iMessage turn loop.",
+        "`ouro up` now trusts daemon-published provider readiness after startup instead of doing a second foreground vault read, so a slow Bitwarden provider check cannot freeze the command or report a false auth prompt after the daemon is already healthy.",
+        "Bitwarden vault login/unlock now passes the saved vault unlock secret through `bw --passwordenv` instead of process arguments, so the secret does not appear in `ps` output while `ouro up` or a sense startup is unlocking the agent vault.",
+        "Production Bitwarden reads for structured runtime/provider item names now use bounded exact search with isolated app data instead of a full-vault listing, reducing the startup window where `ouro up` appears quiet while the vault CLI is busy.",
+        "Daemon startup provider health checks now cache the selected provider credentials they just verified, so the first MCP or iMessage turn does not re-open Bitwarden before using the already-checked `openai-codex` key.",
+        "Managed sense workers now receive the daemon's already-verified provider credential snapshot over IPC at startup, so BlueBubbles and other child processes do not reopen Bitwarden mid-message after `ouro up` has already proved the selected provider is ready.",
+        "Daemon health recovery no longer cancels an agent whose config check is still in flight, so a slow provider/vault check cannot leave the inner-dialog worker stopped after `ouro up`.",
+        "`ouro up` no longer waits on optional sense runtime/config vault refreshes. Sense workers use cached config for the boot decision, refresh their runtime config in the background, and retry once fresh config arrives, while entrypoints start their worker before best-effort runtime refresh completes.",
+        "Daemon health recovery now invalidates stale no-process startup attempts before retrying, so an old hung provider check cannot keep an agent stuck in `starting` forever or spawn a stale worker after recovery; stale recovery defaults to 45s so the next health pass can clear it.",
+        "Provider initialization failures during daemon-handled sense turns now throw back to the command boundary instead of calling `process.exit(1)`, so a bad provider/vault read can fail one MCP or iMessage turn without killing the `ouro up` supervisor.",
+        "Provider retry and single-provider read paths now refresh only the selected provider's vault item, so a slow or broken credential for another provider cannot stall a healthy `openai-codex` turn.",
+        "`ouro status --agent <name>` now refreshes only the providers selected by that agent's outward/inner lanes, and skips vault reads entirely when local provider state is missing, so an unused broken provider cannot freeze status.",
+        "`ouro up` now keeps its startup poll finite while allowing enough time for bounded Bitwarden retry paths before labeling an otherwise-progressing worker as timed out.",
+        "User-facing session transcript summaries and searches now hide tool-result chatter for outward sessions while keeping full tool traces available in `self/inner`, so iMessage history reads as the human conversation instead of shell logs.",
+        "Small transcript-tail reads now always keep the latest visible user and assistant turns even after tool-heavy BlueBubbles activity, so Slugger does not mistake a live iMessage session for stale history.",
+        "Custom-socket daemon runs, including hermetic integration sandboxes, no longer touch the production daemon pidfile or orphan-cleanup sweep, so tests and dev harnesses cannot SIGTERM the real `ouro up` daemon while validating startup."
+      ]
+    },
     {
       "version": "0.1.0-alpha.519",
       "changes": [

package/dist/heart/agent-entry.js

@@ -54,7 +54,7 @@ const runtime_1 = require("../nerves/runtime");
 // Dynamic import: agent-entry is boot-time wiring that starts a sense process.
 // Using dynamic import avoids a static heart/ -> senses/ dependency.
 Promise.resolve().then(() => __importStar(require("./runtime-credentials"))).then(async ({ refreshRuntimeCredentialConfig }) => {
-    await refreshRuntimeCredentialConfig(agentName, { preserveCachedOnFailure: true }).catch(() => undefined);
+    void refreshRuntimeCredentialConfig(agentName, { preserveCachedOnFailure: true }).catch(() => undefined);
     const { startInnerDialogWorker } = await Promise.resolve().then(() => __importStar(require("../senses/inner-dialog-worker")));
     await startInnerDialogWorker();
 })

package/dist/heart/auth/auth-flow.js

@@ -388,6 +388,7 @@ async function runRuntimeAuthFlow(input, deps = {}) {
     });
     writeAuthProgress(input, `checking ${input.agentName}'s vault access...`);
     const vault = await (0, provider_credentials_1.refreshProviderCredentialPool)(input.agentName, {
+        providers: [input.provider],
         onProgress: (message) => writeAuthProgress(input, message),
     });
     if (!vault.ok && vault.reason === "unavailable") {

package/dist/heart/core.js

@@ -118,21 +118,24 @@ async function getProviderRuntime(facing = "human") {
             event: "engine.provider_init_error",
             component: "engine",
             message: msg,
-            meta: {},
+            meta: { facing },
         });
         // eslint-disable-next-line no-console -- pre-boot guard: provider init failure
         console.error(`\n[fatal] ${msg}\n`);
-        process.exit(1);
+        throw error instanceof Error ? error : new Error(msg);
     }
     if (!_providerRuntimes[facing]) {
+        const msg = "provider runtime could not be initialized.";
         (0, runtime_1.emitNervesEvent)({
             level: "error",
             event: "engine.provider_init_error",
             component: "engine",
-            message: "provider runtime could not be initialized.",
-            meta: {},
+            message: msg,
+            meta: { facing },
         });
-        process.exit(1);
+        // eslint-disable-next-line no-console -- pre-boot guard: provider init failure
+        console.error(`\n[fatal] ${msg}\n`);
+        throw new Error(msg);
     }
     return _providerRuntimes[facing].runtime;
 }
@@ -759,7 +762,10 @@ async function runAgent(messages, callbacks, channel, signal, options) {
                     const seconds = delayMs / 1000;
                     const cause = RETRY_LABELS[record.classification];
                     try {
-                        await (0, provider_credentials_1.refreshProviderCredentialPool)((0, identity_2.getAgentName)(), { preserveCachedOnFailure: true });
+                        await (0, provider_credentials_1.refreshProviderCredentialPool)((0, identity_2.getAgentName)(), {
+                            preserveCachedOnFailure: true,
+                            providers: [record.provider],
+                        });
                         _providerRuntimes[facing] = null;
                         providerRuntime = await getProviderRuntime(facing);
                         providerRuntime.resetTurnState(messages);

package/dist/heart/daemon/agent-config-check.js

@@ -415,7 +415,7 @@ async function checkAgentConfigWithProviderHealth(agentName, bundlesRoot, deps =
     const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(agentName, {
         ...(deps.onProgress ? { onProgress: mapVaultRefreshProgress(agentName, deps.onProgress) } : {}),
         providers,
-        skipCache: true,
+        preserveCachedOnFailure: true,
     });
     const pingGroups = new Map();
     const lanes = ["outward", "inner"];

package/dist/heart/daemon/cli-exec.js

@@ -200,8 +200,7 @@ async function runCliUpdateCheckWithTimeout(checkForCliUpdate, timeoutMs = updat
         /* v8 ignore stop */
     });
 }
-async function checkAgentProviders(deps, agentsOverride, onProgress) {
-    const agents = agentsOverride ?? await listCliAgents(deps);
+async function checkAgentProviders(deps, agents, onProgress) {
     const bundlesRoot = deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)();
     const degraded = [];
     for (const agent of [...new Set(agents)]) {
@@ -238,6 +237,58 @@ async function checkAgentProviders(deps, agentsOverride, onProgress) {
     }
     return degraded;
 }
+function degradedFromStatusProviderRow(row) {
+    const binding = row.provider === "unconfigured" ? row.provider : `${row.provider} / ${row.model}`;
+    const detail = row.detail ? `: ${row.detail}` : "";
+    const fixHint = row.detail && row.detail.startsWith("ouro ")
+        ? `Run \`${row.detail}\`.`
+        : "Run `ouro status` or `ouro doctor` for provider details.";
+    return {
+        agent: row.agent,
+        errorReason: `${row.lane} provider ${binding} readiness is ${row.readiness}${detail}`,
+        fixHint,
+    };
+}
+function providerStatusRowsCoverAgents(rows, agents) {
+    for (const agent of agents) {
+        const lanes = new Set(rows.filter((row) => row.agent === agent).map((row) => row.lane));
+        if (!lanes.has("outward") || !lanes.has("inner"))
+            return false;
+    }
+    return true;
+}
+async function checkAgentProvidersFromDaemonStatus(deps, agents, onProgress) {
+    const uniqueAgents = [...new Set(agents)];
+    if (uniqueAgents.length === 0)
+        return [];
+    let response;
+    try {
+        response = await deps.sendCommand(deps.socketPath, { kind: "daemon.status" });
+    }
+    catch {
+        // Fall through to the same foreground-check fallback used for empty status responses.
+    }
+    if (!response || !response.ok)
+        return null;
+    const payload = (0, cli_render_1.parseStatusPayload)(response.data);
+    if (!payload)
+        return null;
+    const rows = payload.providers.filter((row) => uniqueAgents.includes(row.agent));
+    if (!providerStatusRowsCoverAgents(rows, uniqueAgents))
+        return null;
+    const degraded = [];
+    const degradedAgents = new Set();
+    for (const row of rows) {
+        if (row.readiness === "ready" || degradedAgents.has(row.agent))
+            continue;
+        degraded.push(degradedFromStatusProviderRow(row));
+        degradedAgents.add(row.agent);
+    }
+    onProgress?.(degraded.length === 0
+        ? "provider readiness confirmed by daemon status"
+        : "provider readiness reported by daemon status");
+    return degraded;
+}
 async function checkAgentProviderHealth(agentName, bundlesRoot, deps, onProgress, options = {}) {
     const liveDeps = {};
     if (deps.homeDir)
@@ -402,7 +453,11 @@ function managedAgentsSignature(agentNames) {
     return unique.length > 0 ? unique.join(",") : "(none)";
 }
 async function checkAlreadyRunningAgentProviders(deps, onProgress) {
-    return checkAgentProviders(deps, undefined, onProgress);
+    const agents = await listCliAgents(deps);
+    const statusResult = await checkAgentProvidersFromDaemonStatus(deps, agents, onProgress);
+    if (statusResult)
+        return statusResult;
+    return checkAgentProviders(deps, agents, onProgress);
 }
 function readinessIssueFromDegraded(entry) {
     return entry.issue ?? (0, readiness_repair_1.genericReadinessIssue)({
@@ -490,10 +545,8 @@ function writeSyncProbeSummary(deps, findings) {
     }
     deps.writeStdout(lines.join("\n"));
 }
-function bootPhasePlan(daemonAlive) {
-    return daemonAlive
-        ? ["update check", "system setup", "sync probe", "starting daemon", "provider checks", "final daemon check"]
-        : ["update check", "system setup", "sync probe", "provider checks", "starting daemon", "final daemon check"];
+function bootPhasePlan(_daemonAlive) {
+    return ["update check", "system setup", "sync probe", "starting daemon", "provider checks", "final daemon check"];
 }
 /**
  * Layer 2: brief, scannable summary of a boot-sync-probe finding for the
@@ -601,25 +654,6 @@ async function verifyDaemonReadyForHandoff(deps) {
         };
     }
 }
-async function reportPostRepairProviderHealth(deps, repairedAgents, onProgress) {
-    const remainingDegraded = await checkAgentProviders(deps, repairedAgents, onProgress);
-    (0, runtime_1.emitNervesEvent)({
-        level: remainingDegraded.length > 0 ? "warn" : "info",
-        component: "daemon",
-        event: "daemon.post_repair_provider_check",
-        message: remainingDegraded.length > 0
-            ? "post-repair provider health check still degraded"
-            : "post-repair provider health check recovered",
-        meta: { degradedCount: remainingDegraded.length, repairedAgents },
-    });
-    if (remainingDegraded.length === 0) {
-        deps.writeStdout("All set. Provider checks recovered after repair.");
-        return remainingDegraded;
-    }
-    writeProviderRepairSummary(deps, "Still needs attention", remainingDegraded);
-    deps.writeStdout("Run `ouro up` again after these are fixed.");
-    return remainingDegraded;
-}
 async function checkProviderHealthBeforeChat(agentName, deps) {
     const bundlesRoot = deps.bundlesRoot ?? (0, identity_1.getAgentBundlesRoot)();
     const result = await checkAgentProviderHealth(agentName, bundlesRoot, deps);
@@ -4300,7 +4334,7 @@ function pingAttemptCount(result) {
     return undefined;
 }
 async function readProviderCredentialRecord(agent, provider, _deps, options = {}) {
-    const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(agent, options);
+    const poolResult = await (0, provider_credentials_1.refreshProviderCredentialPool)(agent, { ...options, providers: [provider] });
     if (poolResult.ok) {
         const existing = poolResult.pool.providers[provider];
         if (existing)
@@ -4506,15 +4540,23 @@ function renderProviderCredentialLine(agentName, credential) {
 async function executeProviderStatus(command, deps) {
     const agentRoot = providerCliAgentRoot(command, deps);
     const progress = createHumanCommandProgress(deps, "provider status");
+    const stateResult = (0, provider_state_1.readProviderState)(agentRoot);
     try {
-        await runCommandProgressPhase(progress, "reading provider credentials", () => (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent, {
-            onProgress: (message) => progress.updateDetail(message),
-        }), (poolResult) => {
-            if (!poolResult.ok)
-                return poolResult.reason;
-            const summary = (0, provider_credentials_1.summarizeProviderCredentialPool)(poolResult.pool);
-            return summary.providers.map((provider) => provider.provider).join(", ") || "none stored";
-        });
+        if (stateResult.ok) {
+            const selectedProviders = [...new Set([
+                    stateResult.state.lanes.outward.provider,
+                    stateResult.state.lanes.inner.provider,
+                ])];
+            await runCommandProgressPhase(progress, "reading selected provider credentials", () => (0, provider_credentials_1.refreshProviderCredentialPool)(command.agent, {
+                providers: selectedProviders,
+                onProgress: (message) => progress.updateDetail(message),
+            }), (poolResult) => {
+                if (!poolResult.ok)
+                    return poolResult.reason;
+                const summary = (0, provider_credentials_1.summarizeProviderCredentialPool)(poolResult.pool);
+                return summary.providers.map((provider) => provider.provider).join(", ") || "none stored";
+            });
+        }
     }
     finally {
         progress.end();
@@ -5620,7 +5662,7 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         // ── versioned CLI update check ──
         if (deps.checkForCliUpdate) {
             progress.startPhase("update check");
-            progress.updateDetail("checking npm registry\ncontinuing startup if it stays quiet");
+            progress.updateDetail(`current runtime: ${(0, bundle_manifest_1.getPackageVersion)()}\nchecking npm registry\ncontinuing startup if it stays quiet`);
             let pendingReExec = false;
             let updateCheckStatus = "up to date";
             try {
@@ -5785,41 +5827,6 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
         }
         const daemonAliveBeforeStart = await deps.checkSocketAlive(deps.socketPath);
         progress.setPhasePlan?.(bootPhasePlan(daemonAliveBeforeStart));
-        let providerChecksAlreadyRun = false;
-        if (!daemonAliveBeforeStart) {
-            progress.startPhase("provider checks");
-            const preflightProviderDegraded = await checkAgentProviders(deps, undefined, (msg) => progress.updateDetail(msg));
-            providerChecksAlreadyRun = true;
-            progress.completePhase("provider checks", providerRepairCountSummary(preflightProviderDegraded.length));
-            if (preflightProviderDegraded.length > 0) {
-                progress.end();
-                if (command.noRepair) {
-                    writeProviderRepairSummary(deps, "Provider checks need attention", preflightProviderDegraded);
-                    // Layer 4: drift advisories ride along with the provider-repair
-                    // summary under --no-repair. Non-blocking; failure to collect
-                    // findings (e.g. malformed agent.json on one bundle) is swallowed
-                    // by `collectAgentDriftAdvisories` so the rest of the boot path
-                    // is unaffected.
-                    const driftAdvisories = await collectAgentDriftAdvisories(deps);
-                    writeDriftAdvisorySummary(deps, driftAdvisories);
-                    const message = "daemon not started: provider checks need repair. Run `ouro repair` or rerun `ouro up` to choose a repair path.";
-                    return returnCliFailure(deps, message);
-                }
-                const repairResult = await runReadinessRepairForDegraded(preflightProviderDegraded, deps);
-                if (!repairResult.repairsAttempted) {
-                    writeProviderRepairSummary(deps, "Provider checks still need attention", repairResult.remainingDegraded);
-                    const message = "daemon not started: provider checks need repair. Run `ouro repair` or rerun `ouro up` to choose a repair path.";
-                    return returnCliFailure(deps, message);
-                }
-                const remainingDegraded = repairResult.remainingDegraded;
-                if (remainingDegraded.length > 0) {
-                    writeProviderRepairSummary(deps, "Still needs attention", remainingDegraded);
-                    const message = "daemon not started: provider checks still need repair.";
-                    return returnCliFailure(deps, message);
-                }
-                deps.writeStdout("All set. Provider checks recovered after repair.");
-            }
-        }
         progress.startPhase("starting daemon");
         const daemonResult = await ensureDaemonRunning({
             ...deps,
@@ -5835,12 +5842,10 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
             return returnCliFailure(deps, daemonResult.message);
         }
         progress.completePhase("starting daemon", daemonProgressSummary(daemonResult));
-        if (!providerChecksAlreadyRun || daemonResult.alreadyRunning) {
-            progress.startPhase("provider checks");
-            const providerDegraded = await checkAlreadyRunningAgentProviders(deps, (msg) => progress.updateDetail(msg));
-            daemonResult.stability = mergeStartupStability(daemonResult.stability, providerDegraded);
-            progress.completePhase("provider checks", providerRepairCountSummary(providerDegraded.length));
-        }
+        progress.startPhase("provider checks");
+        const providerDegraded = await checkAlreadyRunningAgentProviders(deps, (msg) => progress.updateDetail(msg));
+        daemonResult.stability = mergeStartupStability(daemonResult.stability, providerDegraded);
+        progress.completePhase("provider checks", providerRepairCountSummary(providerDegraded.length));
         progress.startPhase("final daemon check");
         const finalDaemonCheck = await verifyDaemonReadyForHandoff(deps);
         if (!finalDaemonCheck.ok) {
@@ -5861,6 +5866,7 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                 // degraded summary too — same rationale as the preflight path.
                 const driftAdvisories = await collectAgentDriftAdvisories(deps);
                 writeDriftAdvisorySummary(deps, driftAdvisories);
+                deps.setExitCode?.(1);
                 (0, runtime_1.emitNervesEvent)({
                     level: "warn",
                     component: "daemon",
@@ -5876,13 +5882,13 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                 const typedDegraded = daemonResult.stability.degraded.filter((entry) => (0, readiness_repair_1.isKnownReadinessIssue)(entry.issue));
                 const untypedDegraded = daemonResult.stability.degraded.filter((entry) => !(0, readiness_repair_1.isKnownReadinessIssue)(entry.issue));
                 let repairsAttempted = false;
-                const repairedAgents = new Set();
+                let remainingDegraded = [];
                 if (typedDegraded.length > 0) {
                     const guidedRepair = await runReadinessRepairForDegraded(typedDegraded, deps);
                     if (guidedRepair.repairsAttempted) {
                         repairsAttempted = true;
-                        typedDegraded.forEach((entry) => repairedAgents.add(entry.agent));
                     }
+                    remainingDegraded = mergeRemainingDegraded(remainingDegraded, guidedRepair.remainingDegraded);
                 }
                 // Layer 3: extended activation contract — fires when there are
                 // untyped degraded entries OR when typed entries stack to ≥3 (compound
@@ -5962,15 +5968,32 @@ async function runOuroCli(args, deps = (0, cli_defaults_1.createDefaultOuroCliDe
                     });
                     if (repairResult.repairsAttempted) {
                         repairsAttempted = true;
-                        untypedDegraded
+                        const repairedUntypedAgents = untypedDegraded
                             .filter(interactive_repair_1.hasRunnableInteractiveRepair)
-                            .forEach((entry) => repairedAgents.add(entry.agent));
+                            .map((entry) => entry.agent);
+                        const recheckedUntyped = repairedUntypedAgents.length > 0
+                            ? await checkAgentProviders(deps, repairedUntypedAgents, (msg) => progress.updateDetail(msg))
+                            : [];
+                        const untouchedUntyped = untypedDegraded.filter((entry) => !repairedUntypedAgents.includes(entry.agent));
+                        remainingDegraded = mergeRemainingDegraded([...remainingDegraded, ...untouchedUntyped], recheckedUntyped);
+                    }
+                    else {
+                        remainingDegraded = mergeRemainingDegraded(remainingDegraded, untypedDegraded);
                     }
                 }
                 if (repairsAttempted) {
                     progress.startPhase("post-repair check");
-                    await reportPostRepairProviderHealth(deps, [...repairedAgents], (msg) => progress.updateDetail(msg));
-                    progress.completePhase("post-repair check", providerRepairCountSummary(repairedAgents.size));
+                    progress.completePhase("post-repair check", providerRepairCountSummary(remainingDegraded.length));
+                    if (remainingDegraded.length === 0) {
+                        deps.writeStdout("All set. Provider checks recovered after repair.");
+                    }
+                    else {
+                        writeProviderRepairSummary(deps, "Still needs attention", remainingDegraded);
+                        deps.writeStdout("Run `ouro up` again after these are fixed.");
+                    }
+                }
+                else if (untypedDegraded.length > 0) {
+                    writeProviderRepairSummary(deps, "Provider checks need attention", remainingDegraded);
                 }
             }
         }

package/dist/heart/daemon/daemon-health.js

@@ -113,6 +113,7 @@ exports.HEALTH_TRACKED_EVENTS = new Set([
     "daemon.agent_config_failure",
     "daemon.agent_entry_missing",
     "daemon.agent_spawn_failed",
+    "daemon.agent_startup_stale_recovered",
     "daemon.agent_restart_exhausted",
     "daemon.agent_permanent_failure",
     "daemon.agent_cooldown_recovery",

package/dist/heart/daemon/daemon.js

@@ -66,6 +66,7 @@ const outlook_types_1 = require("../outlook/outlook-types");
 const outlook_read_1 = require("../outlook/outlook-read");
 const outlook_view_1 = require("../outlook/outlook-view");
 const provider_visibility_1 = require("../provider-visibility");
+const socket_client_1 = require("./socket-client");
 const PIDFILE_PATH = path.join(os.homedir(), ".ouro-cli", "daemon.pids");
 /**
  * Defense-in-depth: detect if we're running under vitest. The pidfile lives
@@ -205,7 +206,20 @@ function runPsCheck(pids) {
  * manual cleanup). The scope is narrow on purpose — see parseOrphanPidsFromPs.
  */
 /* v8 ignore start -- process lifecycle: uses kill/ps, tested via deployment @preserve */
-function killOrphanProcesses() {
+function isProductionDaemonSocketPath(socketPath) {
+    return socketPath === socket_client_1.DEFAULT_DAEMON_SOCKET_PATH;
+}
+function killOrphanProcesses(socketPath = socket_client_1.DEFAULT_DAEMON_SOCKET_PATH) {
+    if (!isProductionDaemonSocketPath(socketPath)) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "daemon",
+            event: "daemon.orphan_cleanup_nonproduction_blocked",
+            message: "blocked orphan cleanup for non-production daemon socket",
+            meta: { socketPath, pidfilePath: PIDFILE_PATH },
+        });
+        return;
+    }
     if (isVitestProcess()) {
         (0, runtime_1.emitNervesEvent)({
             level: "warn",
@@ -271,7 +285,17 @@ function killOrphanProcesses() {
  * Write all managed PIDs (daemon + children) to the pidfile.
  * Called after all agents and senses are spawned.
  */
-function writePidfile(extraPids = []) {
+function writePidfile(extraPids = [], socketPath = socket_client_1.DEFAULT_DAEMON_SOCKET_PATH) {
+    if (!isProductionDaemonSocketPath(socketPath)) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "daemon",
+            event: "daemon.write_pidfile_nonproduction_blocked",
+            message: "blocked production pidfile write for non-production daemon socket",
+            meta: { socketPath, pidfilePath: PIDFILE_PATH, attemptedPids: extraPids.length },
+        });
+        return;
+    }
     if (isVitestProcess()) {
         (0, runtime_1.emitNervesEvent)({
             level: "warn",
@@ -392,6 +416,7 @@ class OuroDaemon {
     server = null;
     outlookServer = null;
     socketIdentity = null;
+    senseAutostartTimer = null;
     outlookServerFactory;
     constructor(options) {
         this.socketPath = options.socketPath;
@@ -579,15 +604,16 @@ class OuroDaemon {
         // MCP connections are lazily initialized per-agent during senseTurn
         // (daemon manages multiple agents; agent identity must be set before loading MCP config)
         /* v8 ignore start -- orphan cleanup + pidfile: calls process management functions @preserve */
-        killOrphanProcesses();
+        killOrphanProcesses(this.socketPath);
         /* v8 ignore stop */
-        await this.processManager.startAutoStartAgents();
-        await this.senseManager?.startAutoStartSenses();
+        await this.openCommandSocket();
+        this.triggerAutoStartAgents();
+        this.triggerAutoStartSensesWhenAgentsSettled();
         // Write all managed PIDs to disk so the next daemon can clean up
         /* v8 ignore start -- pidfile write: collects PIDs from process managers @preserve */
         const agentPids = this.processManager.listAgentSnapshots().map((s) => s.pid).filter((p) => p !== null);
         const sensePids = this.senseManager?.listManagedPids?.() ?? [];
-        writePidfile([...agentPids, ...sensePids]);
+        writePidfile([...agentPids, ...sensePids], this.socketPath);
         /* v8 ignore stop */
         this.scheduler.start?.();
         await this.scheduler.reconcile?.();
@@ -608,6 +634,55 @@ class OuroDaemon {
                 meta: { port: outlook_types_1.OUTLOOK_DEFAULT_PORT },
             });
         }
+    }
+    triggerAutoStartAgents() {
+        if (this.processManager.triggerAutoStartAgents) {
+            this.processManager.triggerAutoStartAgents();
+            return;
+        }
+        void this.processManager.startAutoStartAgents().catch((error) => {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                component: "daemon",
+                event: "daemon.agent_autostart_error",
+                message: "agent autostart failed after daemon socket opened",
+                meta: { error: error instanceof Error ? error.message : String(error) },
+            });
+        });
+    }
+    triggerAutoStartSenses() {
+        /* v8 ignore next -- defensive: callers already check senseManager before delegating here @preserve */
+        if (!this.senseManager)
+            return;
+        if (this.senseManager.triggerAutoStartSenses) {
+            this.senseManager.triggerAutoStartSenses();
+            return;
+        }
+        void this.senseManager.startAutoStartSenses().catch((error) => {
+            (0, runtime_1.emitNervesEvent)({
+                level: "error",
+                component: "daemon",
+                event: "daemon.sense_autostart_error",
+                message: "sense autostart failed after daemon socket opened",
+                meta: { error: error instanceof Error ? error.message : String(error) },
+            });
+        });
+    }
+    triggerAutoStartSensesWhenAgentsSettled() {
+        if (!this.senseManager)
+            return;
+        const waitingOnAgents = this.processManager.listAgentSnapshots()
+            .some((snapshot) => snapshot.status === "starting");
+        if (!waitingOnAgents) {
+            this.triggerAutoStartSenses();
+            return;
+        }
+        this.senseAutostartTimer = setTimeout(() => {
+            this.senseAutostartTimer = null;
+            this.triggerAutoStartSensesWhenAgentsSettled();
+        }, 250);
+    }
+    async openCommandSocket() {
         if (fs.existsSync(this.socketPath)) {
             fs.unlinkSync(this.socketPath);
         }
@@ -831,6 +906,10 @@ class OuroDaemon {
         (0, update_checker_1.stopUpdateChecker)();
         (0, mcp_manager_1.shutdownSharedMcpManager)();
         this.scheduler.stop?.();
+        if (this.senseAutostartTimer) {
+            clearTimeout(this.senseAutostartTimer);
+            this.senseAutostartTimer = null;
+        }
         await this.processManager.stopAll();
         await this.senseManager?.stopAll();
         if (this.server) {