@portel/photon 1.26.0 → 1.27.0

package/dist/daemon/server.js

@@ -14,6 +14,7 @@ import * as fs from 'fs';
 import * as path from 'path';
 import * as os from 'os';
 import * as crypto from 'crypto';
+import { spawnSync } from 'child_process';
 import { SessionManager } from './session-manager.js';
 import { transferHotReloadState } from './hot-reload-state.js';
 import { resolveWithGlobalFallback } from './session-resolver.js';
@@ -47,10 +48,24 @@ const pidFile = path.join(path.dirname(socketPath), 'daemon.pid');
 const ownerFile = getOwnerFilePath(socketPath);
 let daemonOwnershipConfirmed = false;
 async function isSocketResponsive(target) {
-    if (process.platform === 'win32' || !fs.existsSync(target))
+    // Windows named pipes have no filesystem entry; skip the FS gate on
+    // win32 and let net.createConnection probe the pipe directly. The
+    // 'error' handler below resolves false on failure; the try/catch
+    // wrapper guards against sync throws.
+    const isPipe = process.platform === 'win32' && target.startsWith('\\\\.\\pipe\\');
+    if (!isPipe && !fs.existsSync(target))
         return false;
     return new Promise((resolve) => {
-        const client = net.createConnection(target);
+        let client;
+        try {
+            // Bun can throw synchronously on a missing/unreachable unix socket
+            // before the 'error' listener attaches — TOCTOU vs. existsSync above.
+            client = net.createConnection(target);
+        }
+        catch {
+            resolve(false);
+            return;
+        }
         const timer = setTimeout(() => {
             client.destroy();
             resolve(false);
@@ -437,6 +452,19 @@ staleMapCleanupInterval.unref();
  */
 const scheduledJobs = new Map();
 const jobTimers = new Map();
+/**
+ * Per-job count of consecutive failures whose error message points at a
+ * missing photon source file (ENOENT against a *.photon.ts path). When
+ * the count exceeds AUTO_SUPPRESS_THRESHOLD, the schedule is suppressed
+ * and unscheduled — see runJob's catch block. Reset on any successful
+ * run or non-ENOENT failure.
+ *
+ * Without this, a deleted photon file leaves its scheduled methods
+ * firing forever (every minute / hour / etc.) — each run failing with
+ * ENOENT, log spam, no recovery, no operator signal beyond the noise.
+ */
+const photonFileMissingFailures = new Map();
+const AUTO_SUPPRESS_THRESHOLD = 3;
 // parseCron moved to ./cron.ts so the boot loader and tests can reuse it.
 function scheduleJob(job) {
     const { isValid, nextRun } = parseCron(job.cron);
@@ -471,7 +499,13 @@ async function runJob(jobId) {
     const job = scheduledJobs.get(jobId);
     if (!job)
         return;
-    const key = compositeKey(job.photonName, job.workingDir);
+    // `key` may be recomputed after the legacy-base self-heal below — the
+    // initial value reflects the schedule's stored workingDir (often undefined
+    // for legacy ScheduleProvider files), and the post-pin value reflects the
+    // resolved owning base. trackExecution/untrackExecution must run against
+    // the post-pin key so hot-reload drain sees the in-flight execution under
+    // the same key that other code paths use for the photon. Codex P3.
+    let key = compositeKey(job.photonName, job.workingDir);
     // Phantom prune: when a ScheduleProvider-sourced job's backing file
     // has been deleted (e.g. `this.schedule.cancel()` ran the unlink
     // but the in-memory registration survived daemon restart), stop
@@ -515,9 +549,64 @@ async function runJob(jobId) {
         }
     }
     if (!sessionManager) {
-        logger.warn('Cannot run job - photon not initialized', { jobId, photon: job.photonName });
-        scheduleJob(job); // Reschedule anyway
-        return;
+        // Ghost-schedule guard: when the photon source is gone from every known
+        // base, the lazy-load can never succeed. Rescheduling here would loop
+        // every interval forever. A reinstall in flight may briefly fail this
+        // probe — the lost tick is acceptable because photons rebuild their
+        // schedules on first invocation.
+        const probe = probePhotonSource(job.photonName, job.workingDir);
+        if (!probe.resolved) {
+            logger.warn('Dropping orphan scheduled job — photon source missing', {
+                jobId,
+                photon: job.photonName,
+                sourceFile: job.sourceFile,
+            });
+            if (job.sourceFile) {
+                try {
+                    fs.unlinkSync(job.sourceFile);
+                }
+                catch {
+                    // File may have been removed by a concurrent cleanup
+                }
+            }
+            unscheduleJob(jobId);
+            return;
+        }
+        // Legacy schedule with no workingDir but the photon lives in a
+        // registered non-default base: pin workingDir and retry the lazy-load
+        // once. Without this self-heal, the probe says OK but the next
+        // `getOrCreateSessionManager` (which only checks workingDir +
+        // defaultBase) returns null again and the schedule reschedules forever.
+        if (!job.workingDir && probe.ownerBase) {
+            job.workingDir = probe.ownerBase;
+            // Recompute the execution key against the resolved base so
+            // trackExecution/untrackExecution and any consumer that looks up the
+            // base-scoped key (notably hot-reload drain) see this run under the
+            // same identity as the rest of the photon's lifecycle.
+            key = compositeKey(job.photonName, job.workingDir);
+            logger.info('Pinned scheduled job to resolved base — retrying lazy-load', {
+                jobId,
+                photon: job.photonName,
+                resolvedBase: probe.ownerBase,
+            });
+            try {
+                sessionManager =
+                    (await getOrCreateSessionManager(job.photonName, job.photonPath, job.workingDir)) ??
+                        undefined;
+            }
+            catch (err) {
+                logger.warn('Lazy-load retry after base pin failed', {
+                    jobId,
+                    photon: job.photonName,
+                    error: getErrorMessage(err),
+                });
+            }
+        }
+        if (!sessionManager) {
+            logger.warn('Cannot run job - photon not initialized', { jobId, photon: job.photonName });
+            scheduleJob(job); // Reschedule anyway
+            return;
+        }
     }
     logger.info('Running scheduled job', { jobId, method: job.method, photon: job.photonName });
     trackExecution(key);
@@ -525,6 +614,7 @@ async function runJob(jobId) {
     let status = 'success';
     let errorMessage;
     let result;
+    let suppressedThisRun = false;
     try {
         const session = await sessionManager.getOrCreateSession('scheduler', 'scheduler');
         result = await sessionManager.loader.executeTool(session.instance, job.method, job.args || {});
@@ -542,6 +632,7 @@ async function runJob(jobId) {
             runCount: job.runCount,
         });
         logger.info('Job completed', { jobId, method: job.method, runCount: job.runCount });
+        photonFileMissingFailures.delete(jobId);
     }
     catch (error) {
         status = 'error';
@@ -553,6 +644,53 @@ async function runJob(jobId) {
             method: job.method,
             error: errorMessage,
         });
+        // Auto-suppress when the photon source file has clearly vanished.
+        // Without this, a deleted .photon.ts keeps its scheduled methods
+        // firing forever — every fire failing with ENOENT, log spam, no
+        // recovery, no operator signal beyond the noise.
+        const isPhotonFileMissing = errorMessage.includes('ENOENT') &&
+            (errorMessage.includes('.photon.ts') ||
+                (job.photonPath != null && errorMessage.includes(job.photonPath)) ||
+                (job.sourceFile != null && errorMessage.includes(job.sourceFile)));
+        if (isPhotonFileMissing) {
+            const count = (photonFileMissingFailures.get(jobId) ?? 0) + 1;
+            photonFileMissingFailures.set(jobId, count);
+            if (count >= AUTO_SUPPRESS_THRESHOLD) {
+                // Cross-check with the authoritative source probe before suppressing —
+                // a transient ENOENT during reinstall shouldn't kill the schedule.
+                const probe = probePhotonSource(job.photonName, job.workingDir);
+                if (!probe.resolved) {
+                    const suppressBase = path.resolve(job.workingDir ?? probe.ownerBase ?? getDefaultContext().baseDir);
+                    logger.error('Auto-suppressing schedule: photon source missing for ' +
+                        `${count} consecutive runs. Re-enable with \`photon ps enable ${job.photonName}:${job.method}\` ` +
+                        'after the source file is restored.', {
+                        jobId,
+                        photon: job.photonName,
+                        method: job.method,
+                        suppressBase,
+                    });
+                    try {
+                        writeSuppressedEntry(suppressBase, job.photonName, job.method);
+                    }
+                    catch (writeErr) {
+                        logger.warn('Failed to persist suppression entry', {
+                            error: getErrorMessage(writeErr),
+                        });
+                    }
+                    unscheduleJob(jobId);
+                    suppressedThisRun = true;
+                }
+                else {
+                    // Source reappeared between failures — reset counter.
+                    photonFileMissingFailures.set(jobId, 0);
+                }
+            }
+        }
+        else {
+            // Different failure class — reset the photon-missing counter so
+            // unrelated noise doesn't accumulate toward suppression.
+            photonFileMissingFailures.delete(jobId);
+        }
     }
     finally {
         untrackExecution(key);
@@ -566,6 +704,8 @@ async function runJob(jobId) {
             outputPreview: status === 'success' ? previewResult(result) : undefined,
         }, job.workingDir);
     }
+    if (suppressedThisRun)
+        return;
     scheduleJob(job);
 }
 function unscheduleJob(jobId) {
@@ -578,8 +718,52 @@ function unscheduleJob(jobId) {
     if (existed) {
         logger.info('Job unscheduled', { jobId });
     }
+    // Forget any auto-suppress counter for this slot — if the same key
+    // is later re-scheduled, the count starts fresh.
+    photonFileMissingFailures.delete(jobId);
     return existed;
 }
+/**
+ * Append a suppressed entry to a base's active-schedules file so the
+ * daemon won't re-register the schedule at next boot. Idempotent on the
+ * (photon, method) pair.
+ */
+function writeSuppressedEntry(baseDir, photon, method) {
+    const file = readActiveSchedulesFile(baseDir);
+    const suppressed = file.suppressed ?? [];
+    if (!suppressed.some((s) => s.photon === photon && s.method === method)) {
+        suppressed.push({ photon, method, suppressedAt: new Date().toISOString() });
+        file.suppressed = suppressed;
+    }
+    // Drop any active-row that matches — no point keeping it around.
+    file.active = file.active.filter((e) => !(e.photon === photon && e.method === method));
+    writeActiveSchedulesFile(baseDir, file);
+}
+/**
+ * Evict a scheduled job by its raw ID. Used by both the IPC `unschedule`
+ * handler and the in-process bridge that the loader uses when it's
+ * running inside the daemon. Returns true iff a job was actually removed.
+ */
+function evictScheduledJobByRawId(rawJobId) {
+    const jobId = asScheduleKey(rawJobId);
+    let actualJobId = jobId;
+    if (!scheduledJobs.has(jobId)) {
+        // The loader hands us a bare UUID-shaped ID; the registry stores
+        // it under a `<base>::<photon>:ipc:<uuid>` key, so probe both.
+        for (const key of scheduledJobs.keys()) {
+            if (key.endsWith(`:ipc:${jobId}`)) {
+                actualJobId = key;
+                break;
+            }
+        }
+    }
+    const job = scheduledJobs.get(actualJobId);
+    const removed = unscheduleJob(actualJobId);
+    if (removed && job) {
+        deletePersistedIpcSchedule(actualJobId, job.photonName);
+    }
+    return removed;
+}
 /**
  * Resolve the canonical schedules dir for a photon under the Option B
  * contract: {workingDir || default baseDir}/.data/{photonName}/schedules/.
@@ -598,6 +782,131 @@ function unscheduleJob(jobId) {
 function resolveScheduleDir(photonName, workingDir) {
     return getPhotonSchedulesDir('', photonName, workingDir || getDefaultContext().baseDir);
 }
+const PHOTON_SOURCE_EXTENSIONS = ['.photon.ts', '.photon.tsx', '.photon.js'];
+const HOST_DISABLE_MARKER = '.photon-no-host';
+/**
+ * A base is "host-disabled" when a `.photon-no-host` marker file exists at
+ * its root. The daemon will not load ScheduleProvider files, auto-register
+ * `@scheduled` annotations, or wire `@webhook` routes for that base.
+ *
+ * Manual `photon run` on a photon under that base still works — host mode
+ * only suppresses background activation. Used to keep one machine the sole
+ * scheduler/runner across a multi-host setup that shares a `~/Projects`
+ * tree (e.g. via Syncthing): place the marker at the base root on every
+ * host that should be quiet.
+ */
+function isHostDisabledBase(basePath) {
+    try {
+        return fs.existsSync(path.join(basePath, HOST_DISABLE_MARKER));
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Synchronous probe for whether a photon's source file is resolvable.
+ * Mirrors the resolution semantics used by `runJob` and the photon-core
+ * async `resolvePhotonPath`: namespace-qualified names (`team:foo`) only
+ * search `<base>/team/foo.photon.{ts,tsx,js}`; unqualified names search
+ * flat files first, then one-level namespace subdirs.
+ *
+ * Scoping rules:
+ *   - When `baseHint` is supplied (per-base layout: schedule has a
+ *     `workingDir`), probe ONLY that base + the default base. This is the
+ *     resolver runJob actually uses, so a ghost detected here is exactly a
+ *     schedule whose lazy-load would fail at fire time. Do NOT walk every
+ *     registered base — a legitimate copy of `claw` at `~/Projects/claw/`
+ *     must not mask stale claw schedule files left in
+ *     `~/Projects/kith/.data/claw/schedules/`.
+ *   - When `baseHint` is undefined (legacy `~/.photon/schedules/<photon>/`
+ *     layout — no `workingDir` recorded on the task), the schedule could
+ *     belong to a photon in any registered base. Walk every base in the
+ *     active registry. This avoids deleting valid legacy ScheduleProvider
+ *     files for photons that live in a non-default PHOTON_DIR (Codex P2
+ *     finding).
+ *
+ * Sync so cron tick handlers and the boot schedule loader can call it
+ * without an await.
+ */
+function probePhotonSource(photonName, baseHint) {
+    // Parse `namespace:name` format the same way photon-core's resolvePath does.
+    // Without this, a namespaced photon like `team:foo` would be probed as the
+    // literal string `team:foo.photon.ts` (which never exists) and its valid
+    // schedule file under `<base>/team/foo.photon.ts` would be unlinked at
+    // boot. Codex P2 finding.
+    const colonIdx = photonName.indexOf(':');
+    let namespace;
+    let bareName = photonName;
+    if (colonIdx !== -1) {
+        namespace = photonName.slice(0, colonIdx);
+        bareName = photonName.slice(colonIdx + 1);
+    }
+    const candidates = [];
+    let defaultBase;
+    try {
+        defaultBase = path.resolve(getDefaultContext().baseDir);
+    }
+    catch {
+        /* default context may be missing in early boot */
+    }
+    if (baseHint) {
+        candidates.push(path.resolve(baseHint));
+        if (defaultBase && !candidates.includes(defaultBase))
+            candidates.push(defaultBase);
+    }
+    else {
+        // Legacy layout: no owning base recorded. The photon could live in
+        // any registered base — walk all of them before declaring missing.
+        if (defaultBase)
+            candidates.push(defaultBase);
+        try {
+            for (const b of listActiveBases()) {
+                const resolved = path.resolve(b.path);
+                if (!candidates.includes(resolved))
+                    candidates.push(resolved);
+            }
+        }
+        catch {
+            /* registry may not be initialized */
+        }
+    }
+    for (const base of candidates) {
+        if (namespace) {
+            // Namespace-qualified: only `<base>/<namespace>/<name>.photon.{ts,tsx,js}`.
+            for (const ext of PHOTON_SOURCE_EXTENSIONS) {
+                if (fs.existsSync(path.join(base, namespace, `${bareName}${ext}`))) {
+                    return { resolved: true, ownerBase: base };
+                }
+            }
+            continue;
+        }
+        // Unqualified: flat first, then one-level namespace subdirs.
+        for (const ext of PHOTON_SOURCE_EXTENSIONS) {
+            if (fs.existsSync(path.join(base, `${bareName}${ext}`))) {
+                return { resolved: true, ownerBase: base };
+            }
+        }
+        let entries;
+        try {
+            entries = fs.readdirSync(base, { withFileTypes: true });
+        }
+        catch {
+            continue;
+        }
+        for (const entry of entries) {
+            if (!entry.isDirectory())
+                continue;
+            if (entry.name.startsWith('.') || entry.name.startsWith('_'))
+                continue;
+            for (const ext of PHOTON_SOURCE_EXTENSIONS) {
+                if (fs.existsSync(path.join(base, entry.name, `${bareName}${ext}`))) {
+                    return { resolved: true, ownerBase: base };
+                }
+            }
+        }
+    }
+    return { resolved: false };
+}
 /**
  * Root of the legacy schedules tree (pre-Option-B layout).
  * Honors `PHOTON_SCHEDULES_DIR` only for the one-release deprecation
@@ -729,6 +1038,56 @@ function loadDaemonSchedulesFromDir(schedulesPath, ttlMs, photonNameHint, workin
     return loadPersistedSchedulesFromDir(schedulesPath, ttlMs, photonNameHint, workingDirHint, {
         alreadyRegistered: (id) => scheduledJobs.has(asScheduleKey(id)),
         register: (job) => {
+            // Drop schedules whose photon source is gone before they ever enter the
+            // cron map. Without this, every daemon boot reloads ghost schedules
+            // from `<base>/.data/<photon>/schedules/*.json`; long-cron ghosts then
+            // sit dormant in memory and resurrect on the next restart even after
+            // the runJob orphan probe would have caught them.
+            const probe = probePhotonSource(job.photonName, job.workingDir);
+            if (!probe.resolved) {
+                logger.warn('Dropping persisted schedule — photon source missing', {
+                    jobId: job.id,
+                    photon: job.photonName,
+                    workingDir: job.workingDir,
+                    sourceFile: job.sourceFile,
+                });
+                if (job.sourceFile) {
+                    try {
+                        fs.unlinkSync(job.sourceFile);
+                    }
+                    catch {
+                        // File may have been removed concurrently
+                    }
+                }
+                return false;
+            }
+            // Legacy schedules carry no `workingDir`. Pin the resolved base so
+            // runJob's lazy-load (which only checks workingDir + defaultBase, not
+            // every registered base) can find the photon at fire time. Without
+            // this, the probe says "OK" but `getOrCreateSessionManager` returns
+            // null for photons living in non-default bases — back to the
+            // reschedule loop. Codex P2 finding.
+            if (!job.workingDir && probe.ownerBase) {
+                job.workingDir = probe.ownerBase;
+                logger.info('Pinned legacy schedule to resolved base', {
+                    jobId: job.id,
+                    photon: job.photonName,
+                    resolvedBase: probe.ownerBase,
+                });
+            }
+            // Host mode: the per-base loader already gates by isHostDisabledBase
+            // before calling probePhotonSource, but the legacy flat-root path
+            // (~/.photon/schedules/<photon>/*.json) walks ALL bases via probe and
+            // could resolve to a host-disabled base. Drop here so legacy files
+            // can't reanimate a quiet machine.
+            if (job.workingDir && isHostDisabledBase(job.workingDir)) {
+                logger.info('Skipping persisted schedule — owning base is host-disabled', {
+                    jobId: job.id,
+                    photon: job.photonName,
+                    base: job.workingDir,
+                });
+                return false;
+            }
             // Seed in-memory lastRun from persisted lastExecutionAt so the post-run
             // reschedule path keeps updating the same field instead of starting at 0.
             const scheduledJob = job;
@@ -927,9 +1286,18 @@ function loadAllPersistedSchedules() {
     // Always include the default base even if the registry hasn't recorded it yet.
     const defaultBase = getDefaultContext().baseDir;
     if (!bases.some((b) => b.path === path.resolve(defaultBase))) {
-        scanBaseDataRoot(defaultBase);
+        if (isHostDisabledBase(defaultBase)) {
+            logger.info('Skipping schedule load — host-disabled base', { base: defaultBase });
+        }
+        else {
+            scanBaseDataRoot(defaultBase);
+        }
     }
     for (const base of bases) {
+        if (isHostDisabledBase(base.path)) {
+            logger.info('Skipping schedule load — host-disabled base', { base: base.path });
+            continue;
+        }
         scanBaseDataRoot(base.path);
     }
     // Legacy location for schedules that predate the per-base layout.
@@ -1123,6 +1491,12 @@ async function discoverProactiveMetadataAtBoot() {
     // Lazy import to keep daemon startup cheap for users with no bases.
     const core = await import('@portel/photon-core');
     for (const basePath of baseCandidates) {
+        if (isHostDisabledBase(basePath)) {
+            logger.info('Skipping proactive metadata discovery — host-disabled base', {
+                base: basePath,
+            });
+            continue;
+        }
         let photons;
         try {
             photons = await core.listPhotonFilesWithNamespace(basePath);
@@ -1189,6 +1563,10 @@ async function discoverProactiveMetadataAtBoot() {
 function watchBaseForProactiveMetadata(basePath, _isDefaultBase) {
     if (baseDirWatchers.has(basePath))
         return;
+    if (isHostDisabledBase(basePath)) {
+        logger.info('Skipping proactive metadata watcher — host-disabled base', { base: basePath });
+        return;
+    }
     try {
         if (!fs.existsSync(basePath))
             return;
@@ -1292,6 +1670,10 @@ function syncActiveSchedulesAtBoot() {
     let registered = 0;
     let missingRefs = 0;
     for (const basePath of bases) {
+        if (isHostDisabledBase(basePath)) {
+            logger.info('Skipping active-schedules sync — host-disabled base', { base: basePath });
+            continue;
+        }
         const file = readActiveSchedulesFile(basePath);
         let dirty = false;
         // One-time migration: seed the active list from the current
@@ -1340,6 +1722,36 @@ function syncActiveSchedulesAtBoot() {
             if (suppressedSet.has(`${entry.photon}:${entry.method}`))
                 continue;
             const key = declaredKey(entry.photon, entry.method, basePath);
+            // Manual entry: cron is embedded directly, no @scheduled declaration
+            // required. Re-validate the cron each boot since the file is hand-editable.
+            if (entry.cron) {
+                const { isValid } = parseCron(entry.cron);
+                if (!isValid) {
+                    logger.warn('Manual schedule has invalid cron — skipping', {
+                        base: basePath,
+                        photon: entry.photon,
+                        method: entry.method,
+                        cron: entry.cron,
+                    });
+                    continue;
+                }
+                if (scheduledJobs.has(key))
+                    continue;
+                const ok = scheduleJob({
+                    id: key,
+                    method: entry.method,
+                    args: {},
+                    cron: entry.cron,
+                    runCount: 0,
+                    createdAt: Date.now(),
+                    createdBy: 'manual',
+                    photonName: entry.photon,
+                    workingDir: basePath,
+                });
+                if (ok)
+                    registered++;
+                continue;
+            }
             const decl = declaredSchedules.get(key);
             if (!decl) {
                 missingRefs++;
@@ -1353,6 +1765,44 @@ function syncActiveSchedulesAtBoot() {
             }
             if (scheduledJobs.has(key))
                 continue;
+            // Boot-time annotation-vs-provider dedup: a photon that uses both
+            // `@scheduled` AND `this.schedule.create()` for the same method ends
+            // up with both a persisted ScheduleProvider file and an annotation
+            // job. The runtime dedup in autoRegisterFromMetadata only catches
+            // this AFTER the photon is loaded into a session — at boot, both
+            // already landed in scheduledJobs from loadAllPersistedSchedules.
+            // The annotation is the source of truth (codebase intent), so drop
+            // the provider sibling and unlink its persisted file. Without this,
+            // a kith-sync method like scheduled_freshness_scan fires every 15
+            // minutes from BOTH timers; field reports show duplicate browser
+            // navigation and double API calls.
+            for (const [staleKey, job] of Array.from(scheduledJobs.entries())) {
+                if (job.photonName !== entry.photon || job.method !== entry.method)
+                    continue;
+                if (staleKey === key)
+                    continue;
+                if (!staleKey.includes(':sched:'))
+                    continue; // only ScheduleProvider keys
+                const jobBase = job.workingDir ? path.resolve(job.workingDir) : undefined;
+                if (jobBase && jobBase !== basePath)
+                    continue; // scope to this base
+                logger.info('Dropping ScheduleProvider duplicate of @scheduled method', {
+                    photon: entry.photon,
+                    method: entry.method,
+                    providerJobId: staleKey,
+                    annotationJobId: key,
+                    sourceFile: job.sourceFile,
+                });
+                if (job.sourceFile) {
+                    try {
+                        fs.unlinkSync(job.sourceFile);
+                    }
+                    catch {
+                        // File may have been removed concurrently
+                    }
+                }
+                unscheduleJob(staleKey);
+            }
             const ok = scheduleJob({
                 id: key,
                 method: decl.method,
@@ -2000,10 +2450,19 @@ function readActiveSchedulesFile(baseDir) {
         if (parsed && typeof parsed === 'object' && Array.isArray(parsed.active)) {
             return {
                 version: 1,
-                active: parsed.active.filter((e) => e &&
+                active: parsed.active
+                    .filter((e) => e &&
                     typeof e.photon === 'string' &&
                     typeof e.method === 'string' &&
-                    typeof e.enabledAt === 'string'),
+                    typeof e.enabledAt === 'string')
+                    .map((e) => ({
+                    photon: e.photon,
+                    method: e.method,
+                    enabledAt: e.enabledAt,
+                    enabledBy: typeof e.enabledBy === 'string' ? e.enabledBy : 'unknown',
+                    paused: !!e.paused,
+                    cron: typeof e.cron === 'string' ? e.cron : undefined,
+                })),
                 suppressed: Array.isArray(parsed.suppressed)
                     ? parsed.suppressed.filter((s) => s && typeof s.photon === 'string' && typeof s.method === 'string')
                     : undefined,
@@ -2036,6 +2495,17 @@ async function autoRegisterFromMetadata(photonName, manager) {
     if (autoRegistered.has(autoKey))
         return;
     autoRegistered.add(autoKey);
+    // Host mode: skip @scheduled / @webhook auto-registration when this base
+    // has the .photon-no-host marker. Manual `photon run` still works because
+    // it goes through the command handler, not this auto-register path.
+    const baseForHostCheck = manager.loader?.baseDir ?? getDefaultContext().baseDir;
+    if (isHostDisabledBase(baseForHostCheck)) {
+        logger.debug('Skipping auto-register — host-disabled base', {
+            photon: photonName,
+            base: baseForHostCheck,
+        });
+        return;
+    }
     try {
         // Get a session to access the loaded photon's tools
         const session = await manager.getOrCreateSession('__autoregister', 'system');
@@ -2522,6 +2992,31 @@ async function handleRequest(request, socket) {
                 suggestion: 'Include photonName in the request payload',
             };
         }
+        // Host mode: refuse to arm a cron when the owning base is host-disabled.
+        // Without this, a manual `photon run` on a host-disabled machine could
+        // call this.schedule.create() and immediately install a timer — silently
+        // defeating the marker. The check uses the request's workingDir (or the
+        // default base when unset), matching the resolution that scheduleJob
+        // would otherwise apply.
+        const scheduleBase = request.workingDir
+            ? path.resolve(request.workingDir)
+            : path.resolve(getDefaultContext().baseDir);
+        if (isHostDisabledBase(scheduleBase)) {
+            logger.info('Refusing schedule create — host-disabled base', {
+                base: scheduleBase,
+                photon: photonName,
+                method: request.method,
+            });
+            return {
+                type: 'result',
+                id: request.id,
+                success: false,
+                data: {
+                    scheduled: false,
+                    reason: `host-disabled: ${scheduleBase} has a .photon-no-host marker`,
+                },
+            };
+        }
         // Generate IPC job ID with workingDir hash to prevent cross-project collisions
         const dirHash = request.workingDir
             ? crypto.createHash('sha256').update(request.workingDir).digest('hex').slice(0, 8)
@@ -2558,28 +3053,13 @@ async function handleRequest(request, socket) {
     if (request.type === 'unschedule') {
         // IPC input: coerce at the boundary. Job IDs shipped over the protocol
         // are already ScheduleKey-shaped (<base>::<photon>:<method>).
-        const jobId = asScheduleKey(request.jobId);
-        // Try exact match first, then look for IPC-prefixed version
-        let actualJobId = jobId;
-        if (!scheduledJobs.has(jobId)) {
-            // Search for IPC-prefixed job
-            for (const key of scheduledJobs.keys()) {
-                if (key.endsWith(`:ipc:${jobId}`)) {
-                    actualJobId = key;
-                    break;
-                }
-            }
-        }
-        const job = scheduledJobs.get(actualJobId);
-        const unscheduled = unscheduleJob(actualJobId);
-        if (unscheduled && job) {
-            deletePersistedIpcSchedule(actualJobId, job.photonName);
-        }
+        const rawJobId = request.jobId;
+        const unscheduled = evictScheduledJobByRawId(rawJobId);
         return {
             type: 'result',
             id: request.id,
             success: true,
-            data: { unscheduled, jobId: actualJobId },
+            data: { unscheduled, jobId: asScheduleKey(rawJobId) },
         };
     }
     // Handle list jobs (legacy shape — just the active cron jobs)
@@ -2664,6 +3144,112 @@ async function handleRequest(request, socket) {
             data: { active, declared, webhooks, sessions, suppressed },
         };
     }
+    // Add an ad-hoc cron schedule for any public method on a photon. Unlike
+    // `enable_schedule`, this does not require an `@scheduled` JSDoc tag in
+    // source — the cron expression is supplied by the caller and persisted
+    // directly in the active-schedules file. Used by the Pulse UI's
+    // "Add schedule" form.
+    if (request.type === 'add_manual_schedule') {
+        const photon = request.photonName;
+        const method = request.method;
+        const cron = request.cron;
+        if (!photon || !method || !cron) {
+            return {
+                type: 'error',
+                id: request.id,
+                error: '`add_manual_schedule` requires photonName, method, and cron',
+            };
+        }
+        const cronCheck = parseCron(cron);
+        if (!cronCheck.isValid) {
+            return {
+                type: 'error',
+                id: request.id,
+                error: `Invalid cron expression: "${cron}"`,
+            };
+        }
+        const preferredBase = request.workingDir;
+        // Refuse to shadow a `@scheduled` declaration — direct the user to
+        // `enable_schedule` so the source-of-truth stays the JSDoc tag.
+        const declMatches = findDeclarationsFor(photon, method, preferredBase);
+        if (declMatches.length > 0) {
+            return {
+                type: 'error',
+                id: request.id,
+                error: `${photon}:${method} already has a @scheduled declaration. ` +
+                    `Use enable/disable to manage it, or remove the @scheduled tag first.`,
+            };
+        }
+        const base = path.resolve(preferredBase ?? probePhotonSource(photon).ownerBase ?? getDefaultContext().baseDir);
+        if (isHostDisabledBase(base)) {
+            return {
+                type: 'error',
+                id: request.id,
+                error: `Cannot add manual schedule for ${photon}:${method} — base ${base} is host-disabled ` +
+                    `(remove ${base}/.photon-no-host to allow scheduling).`,
+            };
+        }
+        const file = readActiveSchedulesFile(base);
+        const existing = file.active.find((e) => e.photon === photon && e.method === method);
+        const nowIso = new Date().toISOString();
+        if (existing) {
+            // Update the cron in place — same semantics as resave.
+            existing.cron = cron;
+            existing.paused = false;
+            existing.enabledAt = nowIso;
+            existing.enabledBy = request.source || 'manual';
+        }
+        else {
+            file.active.push({
+                photon,
+                method,
+                cron,
+                enabledAt: nowIso,
+                enabledBy: request.source || 'manual',
+            });
+        }
+        // Clear any matching suppression — manual add is an explicit re-enable.
+        if (file.suppressed) {
+            file.suppressed = file.suppressed.filter((s) => !(s.photon === photon && s.method === method));
+        }
+        writeActiveSchedulesFile(base, file);
+        try {
+            touchBase(base);
+        }
+        catch {
+            /* non-fatal */
+        }
+        const key = declaredKey(photon, method, base);
+        // If a timer for this key was already running (e.g. previous manual entry
+        // with a different cron), unscheduleJob first so scheduleJob arms the new cron.
+        if (scheduledJobs.has(key)) {
+            unscheduleJob(key);
+        }
+        const ok = scheduleJob({
+            id: key,
+            method,
+            args: {},
+            cron,
+            runCount: 0,
+            createdAt: Date.now(),
+            createdBy: 'manual',
+            photonName: photon,
+            workingDir: base,
+        });
+        if (!ok) {
+            return {
+                type: 'error',
+                id: request.id,
+                error: `Failed to schedule ${photon}:${method} — see daemon logs.`,
+            };
+        }
+        return {
+            type: 'result',
+            id: request.id,
+            success: true,
+            data: { photon, method, cron, base, status: 'active' },
+        };
+    }
     // Enroll a declared @scheduled method into the active list.
     if (request.type === 'enable_schedule') {
         const photon = request.photonName;
@@ -2696,6 +3282,17 @@ async function handleRequest(request, socket) {
         }
         const { key, decl } = matches[0];
         const base = path.resolve(decl.workingDir || getDefaultContext().baseDir);
+        // Host mode: refuse to arm a timer when the owning base is host-disabled.
+        // Disable still works (broad sweep) so users can clear stale state from
+        // any machine; only enabling background work is blocked.
+        if (isHostDisabledBase(base)) {
+            return {
+                type: 'error',
+                id: request.id,
+                error: `Cannot enable ${photon}:${method} — base ${base} is host-disabled ` +
+                    `(remove ${base}/.photon-no-host to allow scheduling).`,
+            };
+        }
         const file = readActiveSchedulesFile(base);
         const existing = file.active.find((e) => e.photon === photon && e.method === method);
         if (existing) {
@@ -2767,7 +3364,13 @@ async function handleRequest(request, socket) {
         }
         const match = matches[0];
         // Disable tolerates a missing declaration so the caller can clean up
-        // orphan active-schedule rows after the source file is deleted.
+        // orphan active-schedule rows after the source file is deleted. When
+        // there's no declaration AND no caller-pinned base, treat the disable
+        // as a hard guarantee and broaden the in-memory sweep + persisted-file
+        // walk across every known base — the user can't be expected to know
+        // which PHOTON_DIR seeded a ghost schedule.
+        const orphan = !match;
+        const broaden = orphan && !preferredBase;
         const base = path.resolve(match?.decl.workingDir ?? preferredBase ?? getDefaultContext().baseDir);
         const file = readActiveSchedulesFile(base);
         const before = file.active.length;
@@ -2792,13 +3395,15 @@ async function handleRequest(request, socket) {
         // flagged.
         const key = match?.key ?? declaredKey(photon, method, base);
         unscheduleJob(key);
+        let filesRemoved = 0;
         // Defensive sweep: during upgrade transitions a daemon may still hold
         // timers registered under the pre-base-scoping `${photon}:${method}` key
         // format. Report-success-but-keep-firing is worse than a noisy sweep, so
-        // also drop any job matching this request — but only when the job is
-        // scoped to THIS base (or the legacy "no base" form). Without this check,
-        // disabling foo:bar under base X would also stop foo:bar under base Y,
-        // silently breaking the other PHOTON_DIR's timer.
+        // also drop any job matching this request. Restrict to `base` unless this
+        // is an orphan disable without a preferred base — see comment above.
+        // Persisted ScheduleProvider files are unlinked here so they don't
+        // resurrect on the next daemon restart; without this, disable was a
+        // memory-only operation and the boot loader would replay the ghost.
         for (const staleKey of Array.from(scheduledJobs.keys())) {
             const job = scheduledJobs.get(staleKey);
             if (!job)
@@ -2807,17 +3412,78 @@ async function handleRequest(request, socket) {
                 continue;
             if (staleKey === key)
                 continue; // already handled above
-            // Only sweep legacy keys (no base prefix) and keys scoped to `base`.
             const jobBase = job.workingDir ? path.resolve(job.workingDir) : undefined;
-            if (jobBase && jobBase !== base)
+            if (!broaden && jobBase && jobBase !== base)
                 continue;
+            if (job.sourceFile) {
+                try {
+                    fs.unlinkSync(job.sourceFile);
+                    filesRemoved++;
+                }
+                catch {
+                    // File may have been removed concurrently
+                }
+            }
             unscheduleJob(staleKey);
         }
+        // Even when no in-memory job matched, scan persisted ScheduleProvider
+        // files. Useful for ghost schedules whose timer was already dropped
+        // (e.g. by the runJob orphan check) but whose JSON file would
+        // otherwise revive the ghost on the next daemon restart.
+        if (orphan) {
+            const basesToScan = new Set();
+            basesToScan.add(base);
+            if (broaden) {
+                try {
+                    basesToScan.add(path.resolve(getDefaultContext().baseDir));
+                }
+                catch {
+                    /* ignore */
+                }
+                try {
+                    for (const b of listActiveBases())
+                        basesToScan.add(path.resolve(b.path));
+                }
+                catch {
+                    /* ignore */
+                }
+            }
+            for (const baseDir of basesToScan) {
+                const dir = resolveScheduleDir(photon, baseDir);
+                let entries;
+                try {
+                    entries = fs.readdirSync(dir).filter((f) => f.endsWith('.json'));
+                }
+                catch {
+                    continue;
+                }
+                for (const f of entries) {
+                    const fp = path.join(dir, f);
+                    try {
+                        const task = JSON.parse(fs.readFileSync(fp, 'utf-8'));
+                        if (task.method === method) {
+                            fs.unlinkSync(fp);
+                            filesRemoved++;
+                        }
+                    }
+                    catch {
+                        // Ignore malformed file or unlink race
+                    }
+                }
+            }
+        }
         return {
             type: 'result',
             id: request.id,
             success: true,
-            data: { photon, method, base, removed: removed > 0, status: 'disabled' },
+            data: {
+                photon,
+                method,
+                base,
+                removed: removed > 0 || filesRemoved > 0,
+                filesRemoved,
+                status: 'disabled',
+            },
         };
     }
     // Pause: keep the enrollment record but cancel the timer.
@@ -2847,6 +3513,17 @@ async function handleRequest(request, socket) {
         const decl = match?.decl;
         const base = path.resolve(decl?.workingDir ?? preferredBase ?? getDefaultContext().baseDir);
         const key = match?.key ?? declaredKey(photon, method, base);
+        // Host mode: pause is allowed (it stops background work, consistent with
+        // the marker's intent). Resume is rejected because it would arm a timer
+        // on a quiet machine.
+        if (!pause && isHostDisabledBase(base)) {
+            return {
+                type: 'error',
+                id: request.id,
+                error: `Cannot resume ${photon}:${method} — base ${base} is host-disabled ` +
+                    `(remove ${base}/.photon-no-host to allow scheduling).`,
+            };
+        }
         const file = readActiveSchedulesFile(base);
         const entry = file.active.find((e) => e.photon === photon && e.method === method);
         if (!entry) {
@@ -4398,6 +5075,17 @@ function startupWatchPhotons() {
     const photonDir = getDefaultContext().baseDir;
     if (!fs.existsSync(photonDir))
         return;
+    // Host mode: when the default base is host-disabled, skip the file
+    // watcher, the eager onInitialize loader, and the directory watcher
+    // entirely. They all activate background work that the marker is
+    // supposed to suppress. The photon-paths map stays empty for this
+    // base; manual `photon run` populates entries on demand.
+    if (isHostDisabledBase(photonDir)) {
+        logger.info('Skipping startupWatchPhotons — host-disabled default base', {
+            base: photonDir,
+        });
+        return;
+    }
     let entries;
     try {
         entries = fs.readdirSync(photonDir, { withFileTypes: true });
@@ -4516,7 +5204,10 @@ function startupWatchPhotons() {
 }
 function startServer() {
     const server = net.createServer((socket) => {
-        logger.info('Client connected');
+        // Demoted from info to debug: scheduler healthchecks open a fresh
+        // connection every minute. At info level these two lines pair up to
+        // dominate the daemon log (5.6M lines / 558 MB seen in the wild).
+        logger.debug('Client connected');
         connectedSockets.add(socket);
         let buffer = '';
         socket.on('data', (chunk) => {
@@ -4548,7 +5239,7 @@ function startServer() {
             })();
         });
         socket.on('end', () => {
-            logger.info('Client disconnected');
+            logger.debug('Client disconnected');
             connectedSockets.delete(socket);
             cleanupSocketSubscriptions(socket);
         });
@@ -4590,6 +5281,60 @@ function startServer() {
         });
     });
 }
+/**
+ * Scan the OS process table for any other process whose argv looks like
+ * a Photon daemon for THIS exact socket path. Returns their PIDs. Used to
+ * defend against the multi-daemon-on-one-socket failure mode where a
+ * previous daemon survived a stop/start race (or was launched bypassing
+ * the DaemonManager entirely, e.g. directly via `node server.js` from a
+ * test or worktree). The owner-record check only spots siblings the
+ * previous daemon successfully recorded; an argv scan finds the rest
+ * regardless of which runtime (node/bun/deno) launched them.
+ *
+ * Match shape: argv contains `daemon/server.js` AND the literal socket
+ * path. Self is filtered. Windows is skipped (named-pipe IPC has its own
+ * exclusivity guarantees and `ps` isn't available).
+ */
+function findImposterDaemonPids() {
+    if (process.platform === 'win32')
+        return [];
+    const pids = [];
+    try {
+        const result = spawnSync('ps', ['-ax', '-o', 'pid=,args='], {
+            encoding: 'utf-8',
+            timeout: 3000,
+        });
+        if (result.status !== 0)
+            return [];
+        const myPid = process.pid;
+        for (const rawLine of (result.stdout || '').split('\n')) {
+            const line = rawLine.trim();
+            if (!line)
+                continue;
+            const m = line.match(/^(\d+)\s+(.*)$/);
+            if (!m)
+                continue;
+            const pid = parseInt(m[1], 10);
+            const cmd = m[2];
+            if (!Number.isFinite(pid) || pid === myPid)
+                continue;
+            if (!cmd.includes('daemon/server.js'))
+                continue;
+            // Match the socket path as a whitespace-bounded token so a daemon
+            // for `/tmp/foo.sock` doesn't accidentally match `/tmp/foo.sock.bak`.
+            if (!new RegExp(`(^|\\s)${escapeRegExp(socketPath)}(\\s|$)`).test(cmd))
+                continue;
+            pids.push(pid);
+        }
+    }
+    catch (err) {
+        logger.warn('Failed to scan for imposter daemons', { error: getErrorMessage(err) });
+    }
+    return pids;
+}
+function escapeRegExp(s) {
+    return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
 async function claimExclusiveOwnership() {
     const owner = readOwnerRecord(ownerFile);
     if (owner && owner.socketPath === socketPath && owner.pid !== process.pid) {
@@ -4626,6 +5371,46 @@ async function claimExclusiveOwnership() {
         }
         removeOwnerRecord(ownerFile);
     }
+    // Belt-and-suspenders: even after the owner-record path, scan the OS
+    // process table for any other process running `daemon/server.js` against
+    // this same socket. Catches imposters that bypassed DaemonManager (direct
+    // `node server.js` invocations from tests/worktrees, leftover daemons whose
+    // owner record was wiped, daemons started by a different runtime than the
+    // one currently bound).
+    const imposters = findImposterDaemonPids();
+    if (imposters.length > 0) {
+        logger.warn('Imposter daemon(s) detected via argv scan', {
+            socketPath,
+            currentPid: process.pid,
+            imposterPids: imposters,
+        });
+        for (const pid of imposters) {
+            try {
+                process.kill(pid, 'SIGTERM');
+            }
+            catch {
+                // Already gone
+            }
+        }
+        // Wait for graceful exit, then escalate to SIGKILL on holdouts.
+        const deadline = Date.now() + 5000;
+        while (Date.now() < deadline) {
+            if (imposters.every((pid) => !isPidAlive(pid)))
+                break;
+            await new Promise((r) => setTimeout(r, 100));
+        }
+        for (const pid of imposters) {
+            if (!isPidAlive(pid))
+                continue;
+            logger.warn('Imposter daemon ignored SIGTERM, escalating to SIGKILL', { pid });
+            try {
+                process.kill(pid, 'SIGKILL');
+            }
+            catch {
+                /* ignore */
+            }
+        }
+    }
     if (process.platform !== 'win32' && fs.existsSync(socketPath)) {
         const responsive = await isSocketResponsive(socketPath);
         if (!responsive) {
@@ -4779,6 +5564,16 @@ function shutdown() {
 // Main execution
 void (async () => {
     await claimExclusiveOwnership();
+    // Register in-process adapters BEFORE the loader can be invoked, so
+    // any photon code path that goes through schedule.cancel() while
+    // running inside the daemon evicts directly instead of round-tripping
+    // through our own Unix socket (which fails during recovery windows).
+    const { registerInProcessAdapters } = await import('./in-process-bridge.js');
+    registerInProcessAdapters({
+        unscheduleJob: async (_photonName, jobId) => {
+            return evictScheduledJobByRawId(jobId);
+        },
+    });
     startupWatchPhotons();
     startServer();
     migrateLegacyIpcSchedules();