@slock-ai/computer 0.0.35 → 0.0.37

package/dist/index.js

@@ -16617,8 +16617,8 @@ var require_snapshot_recorder = __commonJS({
   "../../node_modules/.pnpm/undici@7.24.8/node_modules/undici/lib/mock/snapshot-recorder.js"(exports, module) {
     "use strict";
     init_esm_shims();
-    var { writeFile: writeFile13, readFile: readFile17, mkdir: mkdir17 } = __require("fs/promises");
-    var { dirname: dirname14, resolve: resolve2 } = __require("path");
+    var { writeFile: writeFile12, readFile: readFile15, mkdir: mkdir15 } = __require("fs/promises");
+    var { dirname: dirname13, resolve: resolve2 } = __require("path");
     var { setTimeout: setTimeout2, clearTimeout: clearTimeout2 } = __require("timers");
     var { InvalidArgumentError: InvalidArgumentError2, UndiciError } = require_errors();
     var { hashId, isUrlExcludedFactory, normalizeHeaders, createHeaderFilters } = require_snapshot_utils();
@@ -16819,7 +16819,7 @@ var require_snapshot_recorder = __commonJS({
           throw new InvalidArgumentError2("Snapshot path is required");
         }
         try {
-          const data = await readFile17(resolve2(path3), "utf8");
+          const data = await readFile15(resolve2(path3), "utf8");
           const parsed = JSON.parse(data);
           if (Array.isArray(parsed)) {
             this.#snapshots.clear();
@@ -16849,12 +16849,12 @@ var require_snapshot_recorder = __commonJS({
           throw new InvalidArgumentError2("Snapshot path is required");
         }
         const resolvedPath = resolve2(path3);
-        await mkdir17(dirname14(resolvedPath), { recursive: true });
+        await mkdir15(dirname13(resolvedPath), { recursive: true });
         const data = Array.from(this.#snapshots.entries()).map(([hash, snapshot]) => ({
           hash,
           snapshot
         }));
-        await writeFile13(resolvedPath, JSON.stringify(data, null, 2), { flush: true });
+        await writeFile12(resolvedPath, JSON.stringify(data, null, 2), { flush: true });
       }
       /**
        * Clears all recorded snapshots
@@ -28469,8 +28469,8 @@ var require_graceful_fs = __commonJS({
       fs2.createReadStream = createReadStream;
       fs2.createWriteStream = createWriteStream;
       var fs$readFile = fs2.readFile;
-      fs2.readFile = readFile17;
-      function readFile17(path3, options, cb) {
+      fs2.readFile = readFile15;
+      function readFile15(path3, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
         return go$readFile(path3, options, cb);
@@ -28486,8 +28486,8 @@ var require_graceful_fs = __commonJS({
         }
       }
       var fs$writeFile = fs2.writeFile;
-      fs2.writeFile = writeFile13;
-      function writeFile13(path3, data, options, cb) {
+      fs2.writeFile = writeFile12;
+      function writeFile12(path3, data, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
         return go$writeFile(path3, data, options, cb);
@@ -28522,8 +28522,8 @@ var require_graceful_fs = __commonJS({
       }
       var fs$copyFile = fs2.copyFile;
       if (fs$copyFile)
-        fs2.copyFile = copyFile2;
-      function copyFile2(src, dest, flags, cb) {
+        fs2.copyFile = copyFile;
+      function copyFile(src, dest, flags, cb) {
         if (typeof flags === "function") {
           cb = flags;
           flags = 0;
@@ -28541,9 +28541,9 @@ var require_graceful_fs = __commonJS({
         }
       }
       var fs$readdir = fs2.readdir;
-      fs2.readdir = readdir5;
+      fs2.readdir = readdir4;
       var noReaddirOptionVersions = /^v[0-5]\./;
-      function readdir5(path3, options, cb) {
+      function readdir4(path3, options, cb) {
         if (typeof options === "function")
           cb = options, options = null;
         var go$readdir = noReaddirOptionVersions.test(process.version) ? function go$readdir2(path4, options2, cb2, startTime) {
@@ -29193,11 +29193,11 @@ var require_mtime_precision = __commonJS({
     function probe(file, fs, callback) {
       const cachedPrecision = fs[cacheSymbol];
       if (cachedPrecision) {
-        return fs.stat(file, (err, stat5) => {
+        return fs.stat(file, (err, stat4) => {
           if (err) {
             return callback(err);
           }
-          callback(null, stat5.mtime, cachedPrecision);
+          callback(null, stat4.mtime, cachedPrecision);
         });
       }
       const mtime = new Date(Math.ceil(Date.now() / 1e3) * 1e3 + 5);
@@ -29205,13 +29205,13 @@ var require_mtime_precision = __commonJS({
         if (err) {
           return callback(err);
         }
-        fs.stat(file, (err2, stat5) => {
+        fs.stat(file, (err2, stat4) => {
           if (err2) {
             return callback(err2);
           }
-          const precision = stat5.mtime.getTime() % 1e3 === 0 ? "s" : "ms";
+          const precision = stat4.mtime.getTime() % 1e3 === 0 ? "s" : "ms";
           Object.defineProperty(fs, cacheSymbol, { value: precision });
-          callback(null, stat5.mtime, precision);
+          callback(null, stat4.mtime, precision);
         });
       });
     }
@@ -29266,14 +29266,14 @@ var require_lockfile = __commonJS({
         if (options.stale <= 0) {
           return callback(Object.assign(new Error("Lock file is already being held"), { code: "ELOCKED", file }));
         }
-        options.fs.stat(lockfilePath, (err2, stat5) => {
+        options.fs.stat(lockfilePath, (err2, stat4) => {
           if (err2) {
             if (err2.code === "ENOENT") {
               return acquireLock(file, { ...options, stale: 0 }, callback);
             }
             return callback(err2);
           }
-          if (!isLockStale(stat5, options)) {
+          if (!isLockStale(stat4, options)) {
             return callback(Object.assign(new Error("Lock file is already being held"), { code: "ELOCKED", file }));
           }
           removeLock(file, options, (err3) => {
@@ -29285,8 +29285,8 @@ var require_lockfile = __commonJS({
         });
       });
     }
-    function isLockStale(stat5, options) {
-      return stat5.mtime.getTime() < Date.now() - options.stale;
+    function isLockStale(stat4, options) {
+      return stat4.mtime.getTime() < Date.now() - options.stale;
     }
     function removeLock(file, options, callback) {
       options.fs.rmdir(getLockFile(file, options), (err) => {
@@ -29304,7 +29304,7 @@ var require_lockfile = __commonJS({
       lock2.updateDelay = lock2.updateDelay || options.update;
       lock2.updateTimeout = setTimeout(() => {
         lock2.updateTimeout = null;
-        options.fs.stat(lock2.lockfilePath, (err, stat5) => {
+        options.fs.stat(lock2.lockfilePath, (err, stat4) => {
           const isOverThreshold = lock2.lastUpdate + options.stale < Date.now();
           if (err) {
             if (err.code === "ENOENT" || isOverThreshold) {
@@ -29313,7 +29313,7 @@ var require_lockfile = __commonJS({
             lock2.updateDelay = 1e3;
             return updateLock(file, options);
           }
-          const isMtimeOurs = lock2.mtime.getTime() === stat5.mtime.getTime();
+          const isMtimeOurs = lock2.mtime.getTime() === stat4.mtime.getTime();
           if (!isMtimeOurs) {
             return setLockAsCompromised(
               file,
@@ -29438,11 +29438,11 @@ var require_lockfile = __commonJS({
         if (err) {
           return callback(err);
         }
-        options.fs.stat(getLockFile(file2, options), (err2, stat5) => {
+        options.fs.stat(getLockFile(file2, options), (err2, stat4) => {
           if (err2) {
             return err2.code === "ENOENT" ? callback(null, false) : callback(err2);
           }
-          return callback(null, !isLockStale(stat5, options));
+          return callback(null, !isLockStale(stat4, options));
         });
       });
     }
@@ -29570,6 +29570,7 @@ var require_proper_lockfile = __commonJS({
 
 // src/index.ts
 init_esm_shims();
+import { pathToFileURL } from "url";
 
 // ../../node_modules/.pnpm/commander@12.1.0/node_modules/commander/esm.mjs
 init_esm_shims();
@@ -30042,12 +30043,6 @@ function adoptionLogPath(slockHome) {
 function channelPath(slockHome) {
   return path2.join(computerDir(slockHome), "channel");
 }
-function upgradeStagingDir(slockHome, version) {
-  return path2.join(computerDir(slockHome), "upgrade-staging", version);
-}
-function upgradeSnapshotPath(slockHome) {
-  return path2.join(computerDir(slockHome), "upgrade-snapshot.json");
-}
 function upgradeLogPath(slockHome) {
   return path2.join(computerDir(slockHome), "upgrade.log");
 }
@@ -30510,8 +30505,8 @@ async function runAttach(opts) {
 // src/setup.ts
 init_esm_shims();
 var import_undici3 = __toESM(require_undici(), 1);
-import { chmod as chmod4, mkdir as mkdir9, readFile as readFile8, rename as rename3, rm as rm2, writeFile as writeFile8 } from "fs/promises";
-import { dirname as dirname9 } from "path";
+import { chmod as chmod5, mkdir as mkdir11, readFile as readFile10, rename as rename4, rm as rm3, writeFile as writeFile10 } from "fs/promises";
+import { dirname as dirname10 } from "path";
 
 // src/lib/migration.ts
 init_esm_shims();
@@ -31018,11 +31013,14 @@ async function appendAdoptionLog(slockHome, line) {
 // src/service.ts
 init_esm_shims();
 import { spawn as spawn2 } from "child_process";
+import { createRequire as createRequire2 } from "module";
 
 // src/version.ts
 init_esm_shims();
 import { createRequire } from "module";
 function readComputerVersion(moduleUrl = import.meta.url) {
+  const baked = process.env.SLOCK_COMPUTER_VERSION;
+  if (typeof baked === "string" && baked.length > 0) return baked;
   try {
     const require2 = createRequire(moduleUrl);
     const pkg = require2("../package.json");
@@ -31034,8 +31032,8 @@ function readComputerVersion(moduleUrl = import.meta.url) {
 var COMPUTER_VERSION = readComputerVersion();
 
 // src/service.ts
-import { mkdir as mkdir8, readFile as readFile7, writeFile as writeFile7, open, rename as rename2 } from "fs/promises";
-import { dirname as dirname8, join as joinPath } from "path";
+import { mkdir as mkdir10, readFile as readFile9, writeFile as writeFile9, open, rename as rename3 } from "fs/promises";
+import { dirname as dirname9, join as joinPath } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 
 // src/cleanup.ts
@@ -31792,14 +31790,317 @@ async function detach(input, options = {}) {
   };
 }
 
+// src/upgradeSea.ts
+init_esm_shims();
+import { createHash as createHash3 } from "crypto";
+import { chmod as chmod4, mkdir as mkdir9, readFile as readFile8, rename as rename2, rm as rm2, writeFile as writeFile8 } from "fs/promises";
+import { join as join4 } from "path";
+
+// src/channel.ts
+init_esm_shims();
+import { readFile as readFile7, writeFile as writeFile7, mkdir as mkdir8 } from "fs/promises";
+import { dirname as dirname8 } from "path";
+var DEFAULT_CHANNEL = "latest";
+var SEMVER_RE = /^\d+\.\d+\.\d+(-[\w.]+)?$/;
+function parseChannel(raw) {
+  const v = raw.trim();
+  if (v === "latest" || v === "alpha") return v;
+  if (v.startsWith("pinned:")) {
+    const semver = v.slice("pinned:".length);
+    if (SEMVER_RE.test(semver)) return `pinned:${semver}`;
+    return null;
+  }
+  return null;
+}
+async function readChannel(slockHome) {
+  try {
+    const raw = await readFile7(channelPath(slockHome), "utf8");
+    const parsed = parseChannel(raw);
+    if (parsed !== null) return parsed;
+  } catch {
+  }
+  return DEFAULT_CHANNEL;
+}
+async function writeChannel(slockHome, channel2) {
+  const p = channelPath(slockHome);
+  await mkdir8(dirname8(p), { recursive: true });
+  await writeFile7(p, `${channel2}
+`, { mode: 384 });
+}
+async function runChannelShow(slockHome) {
+  void computerDir;
+  const channel2 = await readChannel(slockHome);
+  info(channel2);
+}
+async function runChannelSet(slockHome, raw) {
+  const parsed = parseChannel(raw);
+  if (parsed === null) {
+    fail(
+      "CHANNEL_INVALID",
+      `Invalid channel "${raw}". Accepted: \`latest\`, \`alpha\`, or \`pinned:<semver>\` (e.g. pinned:0.52.2).`
+    );
+  }
+  await writeChannel(slockHome, parsed);
+  info(`Channel set to ${parsed}.`);
+  info(`Note: service reads channel at startup; restart \`slock-computer start\` to apply.`);
+}
+
+// src/upgradeSea.ts
+var DEFAULT_UPGRADE_BASE_URL = "https://cdn.slock.ai/computer";
+var UPGRADE_BASE_URL_ENV = "SLOCK_COMPUTER_UPGRADE_BASE_URL";
+function resolveUpgradeBaseUrl(env = process.env) {
+  const override = env[UPGRADE_BASE_URL_ENV];
+  if (typeof override === "string" && override.trim().length > 0) {
+    return override.trim().replace(/\/+$/, "");
+  }
+  return DEFAULT_UPGRADE_BASE_URL;
+}
+async function stageSeaPhase(stagingDir, version, platform, arch, deps = {}) {
+  const fetchFn = deps.fetchFn ?? fetch;
+  const baseUrl = deps.baseUrl ?? resolveUpgradeBaseUrl();
+  const targetKey = `${platform}-${arch}`;
+  const manifestUrl = `${baseUrl}/${version}/manifest.json`;
+  const manifestRes = await fetchFn(manifestUrl);
+  if (!manifestRes.ok) {
+    throw new Error(`UPGRADE_MANIFEST_FETCH_FAILED: ${manifestRes.status} for ${manifestUrl}`);
+  }
+  const manifest = await manifestRes.json();
+  const target = manifest.targets?.[targetKey];
+  if (!target || typeof target.file !== "string" || typeof target.sha256 !== "string") {
+    throw new Error(
+      `UPGRADE_NO_BINARY_FOR_PLATFORM: manifest for ${version} has no usable binary for ${targetKey}`
+    );
+  }
+  const binaryUrl = `${baseUrl}/${version}/${target.file}`;
+  const binRes = await fetchFn(binaryUrl);
+  if (!binRes.ok) {
+    throw new Error(`UPGRADE_DOWNLOAD_FAILED: ${binRes.status} for ${binaryUrl}`);
+  }
+  const onProgress = deps.onProgress;
+  const progressRequestId = deps.requestId ?? "";
+  const emitDownloadProgress = (downloaded, total) => {
+    if (!onProgress) return;
+    if (total == null || total <= 0) {
+      onProgress({ requestId: progressRequestId, phase: "downloading" });
+      return;
+    }
+    onProgress({
+      requestId: progressRequestId,
+      phase: "downloading",
+      percent: Math.min(100, Math.floor(downloaded / total * 100))
+    });
+  };
+  let bytes;
+  const body = binRes.body;
+  if (onProgress && body) {
+    const totalHeader = binRes.headers?.get?.("content-length");
+    const total = totalHeader != null && /^\d+$/.test(totalHeader) ? Number(totalHeader) : null;
+    const reader = body.getReader();
+    const chunks = [];
+    let downloaded = 0;
+    const THROTTLE_MS = 200;
+    let lastEmit = 0;
+    try {
+      for (; ; ) {
+        const { done, value } = await reader.read();
+        if (done) break;
+        if (value) {
+          chunks.push(value);
+          downloaded += value.byteLength;
+          const now = Date.now();
+          if (now - lastEmit >= THROTTLE_MS) {
+            lastEmit = now;
+            emitDownloadProgress(downloaded, total);
+          }
+        }
+      }
+    } finally {
+      await reader.cancel().catch(() => {
+      });
+    }
+    emitDownloadProgress(downloaded, total);
+    bytes = Buffer.concat(chunks);
+  } else {
+    bytes = Buffer.from(await binRes.arrayBuffer());
+  }
+  const actualSha = createHash3("sha256").update(bytes).digest("hex");
+  if (actualSha !== target.sha256) {
+    throw new Error(
+      `UPGRADE_SHA_MISMATCH: ${targetKey} ${version} expected ${target.sha256} got ${actualSha}`
+    );
+  }
+  await mkdir9(stagingDir, { recursive: true });
+  const stagedBinaryPath = join4(stagingDir, target.file);
+  await writeFile8(stagedBinaryPath, bytes, { mode: 493 });
+  await chmod4(stagedBinaryPath, 493);
+  return { stagedBinaryPath, version, sha256: actualSha };
+}
+async function swapSeaPhase(currentBinaryPath, stagedBinaryPath) {
+  const prevBinaryPath = `${currentBinaryPath}.prev`;
+  await rm2(prevBinaryPath, { force: true });
+  await rename2(currentBinaryPath, prevBinaryPath);
+  try {
+    await rename2(stagedBinaryPath, currentBinaryPath);
+    await chmod4(currentBinaryPath, 493);
+  } catch (err) {
+    await rename2(prevBinaryPath, currentBinaryPath).catch(() => {
+    });
+    throw err;
+  }
+  return { prevBinaryPath, currentBinaryPath };
+}
+function pendingUpgradeMarkerPath(slockHome) {
+  return join4(slockHome, "upgrade-pending.json");
+}
+async function writePendingUpgradeMarker(slockHome, marker) {
+  const path3 = pendingUpgradeMarkerPath(slockHome);
+  const tmp = `${path3}.tmp`;
+  await mkdir9(slockHome, { recursive: true });
+  await writeFile8(tmp, `${JSON.stringify(marker, null, 2)}
+`, "utf8");
+  await rename2(tmp, path3);
+}
+async function readPendingUpgradeMarker(slockHome) {
+  try {
+    const raw = await readFile8(pendingUpgradeMarkerPath(slockHome), "utf8");
+    const parsed = JSON.parse(raw);
+    if (typeof parsed.requestId === "string" && typeof parsed.targetVersion === "string" && typeof parsed.fromVersion === "string" && typeof parsed.startedAt === "string") {
+      return parsed;
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+async function clearPendingUpgradeMarker(slockHome) {
+  await rm2(pendingUpgradeMarkerPath(slockHome), { force: true });
+}
+async function runSeaUpgrade(opts) {
+  const d = opts.deps ?? {};
+  const platform = opts.platform ?? process.platform;
+  const arch = opts.arch ?? process.arch;
+  const emit7 = (phase, message) => d.onProgress?.({ requestId: opts.requestId, phase, message });
+  const stagingDir = d.stagingDir ?? join4(opts.slockHome, "upgrade-staging", opts.targetVersion);
+  emit7("downloading", `downloading ${opts.targetVersion}`);
+  let staged;
+  try {
+    staged = await (d.stageFn ?? stageSeaPhase)(stagingDir, opts.targetVersion, platform, arch, {
+      fetchFn: d.fetchFn,
+      baseUrl: d.baseUrl,
+      // Thread requestId + the progress sink so the stage can stream throttled
+      // byte-% `downloading` frames (otherwise the bar sits static at the
+      // downloading milestone for the whole download).
+      requestId: opts.requestId,
+      onProgress: d.onProgress
+    });
+  } catch (e) {
+    return { ok: false, failedPhase: "stage", reason: e instanceof Error ? e.message : String(e) };
+  }
+  emit7("verifying", `verified sha256 ${staged.sha256.slice(0, 12)}`);
+  await writePendingUpgradeMarker(opts.slockHome, {
+    requestId: opts.requestId,
+    fromVersion: opts.fromVersion,
+    targetVersion: opts.targetVersion,
+    startedAt: opts.nowIso
+  });
+  emit7("applying", "swapping binary");
+  let swap;
+  try {
+    swap = await (d.swapFn ?? swapSeaPhase)(opts.currentBinaryPath, staged.stagedBinaryPath);
+  } catch (e) {
+    await clearPendingUpgradeMarker(opts.slockHome).catch(() => {
+    });
+    return { ok: false, failedPhase: "swap", reason: e instanceof Error ? e.message : String(e) };
+  }
+  emit7("restarting", "restarting service on new version");
+  return { ok: true, swap };
+}
+async function fetchComputerDistTags(fetchFn = fetch) {
+  const url = "https://registry.npmjs.org/@slock-ai/computer";
+  const controller = new AbortController();
+  const timeoutId = setTimeout(() => controller.abort(), 1e4);
+  try {
+    const res = await fetchFn(url, { signal: controller.signal, headers: { accept: "application/json" } });
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data["dist-tags"] ?? null;
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timeoutId);
+  }
+}
+async function resolveSeaTargetVersion(channel2, fetchDistTags = () => fetchComputerDistTags()) {
+  if (channel2.startsWith("pinned:")) {
+    const v = channel2.slice("pinned:".length);
+    return SEMVER_RE.test(v) ? v : null;
+  }
+  const tags = await fetchDistTags();
+  const resolved = tags?.[channel2];
+  return typeof resolved === "string" && resolved.length > 0 ? resolved : null;
+}
+async function resolveAndRunSeaUpgrade(opts) {
+  const d = opts.deps ?? {};
+  let targetVersion;
+  try {
+    if (d.resolveTargetVersion) {
+      targetVersion = await d.resolveTargetVersion();
+    } else {
+      const channel2 = await (d.readChannelFn ?? readChannel)(opts.slockHome);
+      targetVersion = await resolveSeaTargetVersion(channel2, d.fetchDistTags);
+    }
+  } catch (e) {
+    return { ok: false, failedPhase: "resolve", reason: e instanceof Error ? e.message : String(e) };
+  }
+  if (!targetVersion) {
+    return { ok: false, failedPhase: "resolve", reason: "UPGRADE_VERSION_RESOLVE_FAILED" };
+  }
+  if (targetVersion === opts.fromVersion) {
+    return { ok: true, alreadyCurrent: true, targetVersion };
+  }
+  const result = await (d.runSeaUpgradeFn ?? runSeaUpgrade)({
+    slockHome: opts.slockHome,
+    requestId: opts.requestId,
+    fromVersion: opts.fromVersion,
+    targetVersion,
+    currentBinaryPath: opts.currentBinaryPath,
+    nowIso: opts.nowIso,
+    platform: opts.platform,
+    arch: opts.arch,
+    deps: {
+      baseUrl: d.baseUrl,
+      fetchFn: d.fetchFn,
+      onProgress: d.onProgress,
+      stageFn: d.stageFn,
+      swapFn: d.swapFn,
+      stagingDir: d.stagingDir
+    }
+  });
+  return { ...result, targetVersion };
+}
+
 // src/service.ts
-function buildResidentSpawn(mode, serverId, selfEntry = process.argv[1] ?? "", execArgv = process.execArgv) {
+var seaRequire = createRequire2(import.meta.url);
+var cachedIsSea;
+function isSeaBinary() {
+  if (cachedIsSea !== void 0) return cachedIsSea;
+  try {
+    cachedIsSea = seaRequire("node:sea").isSea();
+  } catch {
+    cachedIsSea = false;
+  }
+  return cachedIsSea;
+}
+function buildResidentSpawn(mode, serverId, selfEntry = process.argv[1] ?? "", execArgv = process.execArgv, isSea = isSeaBinary()) {
   const tail = serverId ? [mode, serverId] : [mode];
+  if (isSea) {
+    return { command: process.execPath, args: [...execArgv, ...tail] };
+  }
   return { command: process.execPath, args: [...execArgv, selfEntry, ...tail] };
 }
 var PARENT_LOCK_HELD_ENV_VAR = "SLOCK_COMPUTER_PARENT_MUTATION_LOCK_HELD";
 async function spawnDetachedService(slockHome) {
-  await mkdir8(serviceRunDir(slockHome), { recursive: true });
+  await mkdir10(serviceRunDir(slockHome), { recursive: true });
   const supLogFd = await open(serviceLogPath(slockHome), "a");
   const { command, args } = buildResidentSpawn("__service", null);
   const child = spawn2(command, args, {
@@ -31824,7 +32125,22 @@ async function spawnDetachedService(slockHome) {
   return pid;
 }
 var EX_CONFIG_EXIT_CODE = 78;
+async function ensureSeaRuntimePackageDir() {
+  if (!isSeaBinary() || process.env.PI_PACKAGE_DIR) return;
+  try {
+    const dir = joinPath(resolveSlockHome(), "runtime-pkg");
+    await mkdir10(dir, { recursive: true });
+    await writeFile9(
+      joinPath(dir, "package.json"),
+      `${JSON.stringify({ name: "slock-computer-sea-runtime", version: COMPUTER_VERSION })}
+`
+    );
+    process.env.PI_PACKAGE_DIR = dir;
+  } catch {
+  }
+}
 var defaultCoreFactory = async (creds) => {
+  await ensureSeaRuntimePackageDir();
   let coreMod;
   try {
     coreMod = await import("@slock-ai/daemon/core");
@@ -31849,37 +32165,85 @@ var defaultCoreFactory = async (creds) => {
     serverUrl: creds.serverUrl,
     apiKey: creds.apiKey,
     localTrace: true,
+    // In a SEA single-binary there is no sidecar `slock` CLI script for the
+    // daemon to resolve, so inject the `__cli` sentinel: the agent CLI wrapper
+    // then execs `<exe> __cli "$@"`, re-execing this binary in CLI mode
+    // (runBundledSlockCli). Normal installs leave this unset → the daemon
+    // resolves the bundled CLI dist path as before.
+    slockCliPath: isSeaBinary() ? "__cli" : void 0,
     // Managed-Computer remote control (server → WS → runner). This runner
     // is the service's in-process `__run` child, so:
     //   restart → SIGTERM ourselves → runResident's shutdown does
     //     core.stop() + exit 0 → classifyRunnerExit = graceful → the
     //     service supervisor respawns this runner (effective restart).
-    //   upgrade → launch `slock-computer upgrade` out-of-band (detached)
-    //     so the §12 drain+swap+restart runs outside this event loop.
-    onComputerControl: (action) => {
+    //   upgrade (SEA + requestId) → run the SEA upgrade IN-PROCESS so we can
+    //     stream `computer:upgrade:progress` over this live WS, then SIGTERM
+    //     ourselves; the supervisor respawns the swapped binary and the new
+    //     process reports `done` via onComputerUpgradeReconcile on reconnect.
+    //   upgrade (non-SEA dev run, or no requestId) → SEA-only no-op. The
+    //     npm-install-root upgrade path is retired: a managed Computer is a
+    //     SEA single binary; a source/dev run has no binary to self-swap.
+    onComputerControl: (action, ctx) => {
       if (action === "restart") {
         process.kill(process.pid, "SIGTERM");
         return;
       }
-      try {
-        const selfEntry = process.argv[1] ?? "";
-        const child = spawn2(process.execPath, [...process.execArgv, selfEntry, "upgrade"], {
-          detached: true,
-          stdio: "ignore",
-          windowsHide: true,
-          // Attribute this upgrade to the web surface in upgrade.log — the
-          // `upgrade` command reads SLOCK_UPGRADE_TRIGGER and defaults to
-          // "cli" when unset.
-          env: { ...process.env, SLOCK_UPGRADE_TRIGGER: "web" }
-        });
-        child.on("error", () => {
-        });
-        child.unref();
-      } catch {
+      if (isSeaBinary() && ctx.requestId) {
+        return runManagedSeaUpgrade(ctx.requestId, ctx);
       }
+      console.warn(
+        `[Computer] Ignoring upgrade request: in-process SEA upgrade unavailable (isSea=${isSeaBinary()}, requestId=${ctx.requestId ? "present" : "absent"}). Managed upgrade requires a SEA binary invoked with a requestId.`
+      );
+    },
+    // Blip-stitch: on every (re)connect, if THIS process booted from a freshly
+    // swapped binary (a pending-upgrade marker is present), report the upgrade
+    // done with the version we actually are now, then clear the marker.
+    onComputerUpgradeReconcile: async (emitDone) => {
+      const slockHome = resolveSlockHome();
+      const marker = await readPendingUpgradeMarker(slockHome);
+      if (!marker) return;
+      const rolledBack = COMPUTER_VERSION !== marker.targetVersion;
+      emitDone({
+        requestId: marker.requestId,
+        ok: !rolledBack,
+        newVersion: COMPUTER_VERSION,
+        ...rolledBack ? { rolledBack: true } : {}
+      });
+      await clearPendingUpgradeMarker(slockHome);
     }
   });
 };
+function seaProgressToFrame(e) {
+  return { phase: e.phase, message: e.message, percent: e.percent };
+}
+async function runManagedSeaUpgrade(requestId, ctx) {
+  const slockHome = resolveSlockHome();
+  let result;
+  try {
+    result = await resolveAndRunSeaUpgrade({
+      slockHome,
+      requestId,
+      fromVersion: COMPUTER_VERSION,
+      currentBinaryPath: process.execPath,
+      nowIso: (/* @__PURE__ */ new Date()).toISOString(),
+      deps: {
+        onProgress: (e) => ctx.emitUpgradeProgress(seaProgressToFrame(e))
+      }
+    });
+  } catch (err) {
+    ctx.emitUpgradeDone({ ok: false, error: err instanceof Error ? err.message : String(err) });
+    return;
+  }
+  if (!result.ok) {
+    ctx.emitUpgradeDone({ ok: false, error: result.reason ?? result.failedPhase ?? "upgrade_failed" });
+    return;
+  }
+  if (result.alreadyCurrent) {
+    ctx.emitUpgradeDone({ ok: true, newVersion: COMPUTER_VERSION });
+    return;
+  }
+  process.kill(process.pid, "SIGTERM");
+}
 function classifyRunnerExit(code, signal) {
   if (code === EX_CONFIG_EXIT_CODE) return "config-error";
   if (signal === "SIGTERM" || signal === "SIGINT") return "graceful";
@@ -31918,6 +32282,9 @@ async function runResident(serverId, deps = {}) {
 }
 var RECONCILE_INTERVAL_MS = 5e3;
 var CHILD_RESTART_BACKOFF_MS = 2e3;
+function canSupervisorSpawnChild(serverId, running, restarting) {
+  return !running.has(serverId) && !restarting.has(serverId);
+}
 function formatReadySummary(ready, serverIds, opts) {
   if (opts.serverId && serverIds.length === 1) {
     const pid = ready.get(opts.serverId);
@@ -31958,10 +32325,10 @@ async function runServiceStartupRecovery(slockHome) {
 }
 async function resolveServiceIdentity() {
   const here = fileURLToPath2(import.meta.url);
-  const installRoot = dirname8(dirname8(here));
+  const installRoot = dirname9(dirname9(here));
   let version = null;
   try {
-    const raw = await readFile7(joinPath(installRoot, "package.json"), "utf8");
+    const raw = await readFile9(joinPath(installRoot, "package.json"), "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version === "string" && parsed.version.length > 0) {
       version = parsed.version;
@@ -31981,8 +32348,8 @@ async function writeServiceVersionEvidence(slockHome) {
     };
     const dest = serviceVersionPath(slockHome);
     const tmp = `${dest}.tmp`;
-    await writeFile7(tmp, JSON.stringify(payload) + "\n", { mode: 384 });
-    await rename2(tmp, dest);
+    await writeFile9(tmp, JSON.stringify(payload) + "\n", { mode: 384 });
+    await rename3(tmp, dest);
   } catch (err) {
     const msg = err instanceof Error ? err.message : String(err);
     process.stderr.write(
@@ -31991,34 +32358,19 @@ async function writeServiceVersionEvidence(slockHome) {
     );
   }
 }
-async function readServiceVersionEvidence(slockHome) {
-  try {
-    const raw = await readFile7(serviceVersionPath(slockHome), "utf8");
-    const parsed = JSON.parse(raw);
-    if (typeof parsed.installRoot !== "string" || typeof parsed.pid !== "number" || typeof parsed.writtenAt !== "string" || parsed.version !== null && typeof parsed.version !== "string") {
-      return null;
-    }
-    return {
-      version: parsed.version ?? null,
-      installRoot: parsed.installRoot,
-      pid: parsed.pid,
-      writtenAt: parsed.writtenAt
-    };
-  } catch {
-    return null;
-  }
-}
 async function runService() {
   const slockHome = resolveSlockHome();
-  await mkdir8(serviceRunDir(slockHome), { recursive: true });
+  await mkdir10(serviceRunDir(slockHome), { recursive: true });
   await runServiceStartupRecovery(slockHome);
   await writePidfileAt(servicePidPath(slockHome), process.pid);
   await writeServiceVersionEvidence(slockHome);
   const children = /* @__PURE__ */ new Map();
+  const restarting = /* @__PURE__ */ new Set();
   const { [PARENT_LOCK_HELD_ENV_VAR]: _parentLockMarker, ...childEnv } = process.env;
   const spawnChild = async (serverId) => {
+    if (children.has(serverId)) return;
     const logPath = serverRunnerLogPath(slockHome, serverId);
-    await mkdir8(dirname8(logPath), { recursive: true });
+    await mkdir10(dirname9(logPath), { recursive: true });
     const logFd = await open(logPath, "a");
     const { command, args } = buildResidentSpawn("__run", serverId);
     const child = spawn2(command, args, {
@@ -32049,9 +32401,14 @@ async function runService() {
           return;
         }
         if (classification === "graceful") {
-          await new Promise((r) => setTimeout(r, CHILD_RESTART_BACKOFF_MS));
-          if (await readServerAttachment(slockHome, serverId) && !shuttingDown) {
-            await spawnChild(serverId);
+          restarting.add(serverId);
+          try {
+            await new Promise((r) => setTimeout(r, CHILD_RESTART_BACKOFF_MS));
+            if (await readServerAttachment(slockHome, serverId) && !shuttingDown) {
+              await spawnChild(serverId);
+            }
+          } finally {
+            restarting.delete(serverId);
           }
           return;
         }
@@ -32066,9 +32423,14 @@ async function runService() {
           );
           return;
         }
-        await new Promise((r) => setTimeout(r, CHILD_RESTART_BACKOFF_MS));
-        if (await readServerAttachment(slockHome, serverId) && !shuttingDown) {
-          await spawnChild(serverId);
+        restarting.add(serverId);
+        try {
+          await new Promise((r) => setTimeout(r, CHILD_RESTART_BACKOFF_MS));
+          if (await readServerAttachment(slockHome, serverId) && !shuttingDown) {
+            await spawnChild(serverId);
+          }
+        } finally {
+          restarting.delete(serverId);
         }
       })();
     });
@@ -32083,7 +32445,7 @@ async function runService() {
   const reconcile = async () => {
     const wanted = new Set(await listManagedServerIds(slockHome));
     for (const id of wanted) {
-      if (!children.has(id)) await spawnChild(id);
+      if (canSupervisorSpawnChild(id, children, restarting)) await spawnChild(id);
     }
     for (const [id, handle] of children) {
       if (!wanted.has(id)) killChild(handle);
@@ -32219,7 +32581,7 @@ async function runDetach(serverId, serverLabel = serverId) {
 var USER_SESSION_EXPIRY_LEEWAY_MS = 3e4;
 async function readUserSessionAuth(slockHome) {
   try {
-    const parsed = JSON.parse(await readFile8(userSessionPath(slockHome), "utf8"));
+    const parsed = JSON.parse(await readFile10(userSessionPath(slockHome), "utf8"));
     return {
       accessToken: typeof parsed.accessToken === "string" ? parsed.accessToken : "",
       ...typeof parsed.serverUrl === "string" ? { serverUrl: parsed.serverUrl } : {}
@@ -32230,7 +32592,7 @@ async function readUserSessionAuth(slockHome) {
 }
 async function hasValidUserSession(slockHome) {
   try {
-    const parsed = JSON.parse(await readFile8(userSessionPath(slockHome), "utf8"));
+    const parsed = JSON.parse(await readFile10(userSessionPath(slockHome), "utf8"));
     return parsed.kind === "user-session" && typeof parsed.accessToken === "string" && parsed.accessToken.length > 0 && !isJwtExpired(parsed.accessToken);
   } catch {
     return false;
@@ -32250,7 +32612,7 @@ async function refreshUserSession(slockHome, serverUrl) {
   const file = userSessionPath(slockHome);
   let session;
   try {
-    session = JSON.parse(await readFile8(file, "utf8"));
+    session = JSON.parse(await readFile10(file, "utf8"));
   } catch {
     return false;
   }
@@ -32269,8 +32631,8 @@ async function refreshUserSession(slockHome, serverUrl) {
     if (res.status !== 200 || typeof body?.accessToken !== "string" || typeof body.refreshToken !== "string") {
       return false;
     }
-    await mkdir9(dirname9(file), { recursive: true });
-    await writeFile8(
+    await mkdir11(dirname10(file), { recursive: true });
+    await writeFile10(
       tmpFile,
       JSON.stringify(
         {
@@ -32287,11 +32649,11 @@ async function refreshUserSession(slockHome, serverUrl) {
       ),
       { mode: 384 }
     );
-    await chmod4(tmpFile, 384);
-    await rename3(tmpFile, file);
+    await chmod5(tmpFile, 384);
+    await rename4(tmpFile, file);
     return true;
   } catch {
-    await rm2(tmpFile, { force: true }).catch(() => void 0);
+    await rm3(tmpFile, { force: true }).catch(() => void 0);
     return false;
   }
 }
@@ -32599,10 +32961,10 @@ async function runSetup(opts, deps = {}) {
 
 // src/status.ts
 init_esm_shims();
-import { readFile as readFile9 } from "fs/promises";
+import { readFile as readFile11 } from "fs/promises";
 async function readUserSession(path3) {
   try {
-    const parsed = JSON.parse(await readFile9(path3, "utf8"));
+    const parsed = JSON.parse(await readFile11(path3, "utf8"));
     if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
       return { state: "present", session: parsed, error: null };
     }
@@ -32962,15 +33324,10 @@ async function runDoctorChecks() {
 }
 async function runDoctor(opts) {
   const slockHome = resolveSlockHome();
-  if (opts.resetHealth && opts.serverId) {
-    await resetHealth(slockHome, opts.serverId);
-    info(`Reset health state for server ${opts.serverLabel ?? opts.serverId}.`);
-    info(`Service will resume auto-restart on next daemon exit.`);
-  }
   const checks = await runDoctorChecks();
   const allOk = checks.every((c) => c.ok);
   let cleanupReport = null;
-  if (opts.cleanup || opts.fix) {
+  if (opts.cleanup) {
     cleanupReport = await runFullCleanup(slockHome);
   }
   let crashes = [];
@@ -33000,7 +33357,7 @@ async function runDoctor(opts) {
       info(`  - ${c.at}${code}${sig}`);
     }
     info(`  \u2192 Once you fix the underlying issue, run`);
-    info(`    \`slock-computer doctor ${opts.serverLabel ?? opts.serverId} --reset-health\` to resume auto-restart.`);
+    info(`    \`slock-computer reset --runner --server ${opts.serverLabel ?? opts.serverId}\` to resume auto-restart.`);
   }
   if (cleanupReport) {
     info("");
@@ -33035,14 +33392,14 @@ async function runDoctor(opts) {
 
 // src/logs.ts
 init_esm_shims();
-import { readFile as readFile10 } from "fs/promises";
+import { readFile as readFile12 } from "fs/promises";
 var DEFAULT_LINES = 200;
 async function runLogs(opts) {
   const home = resolveSlockHome();
   const file = opts.service ? serviceLogPath(home) : serverRunnerLogPath(home, await resolveTargetServerId({ server: opts.server }));
   let content;
   try {
-    content = await readFile10(file, "utf8");
+    content = await readFile12(file, "utf8");
   } catch {
     fail(
       "NO_DAEMON_LOG",
@@ -33061,8 +33418,8 @@ init_esm_shims();
 
 // src/serviceState.ts
 init_esm_shims();
-import { mkdir as mkdir10, readFile as readFile11, writeFile as writeFile9, appendFile as appendFile3 } from "fs/promises";
-import { dirname as dirname10 } from "path";
+import { mkdir as mkdir12, readFile as readFile13, writeFile as writeFile11, appendFile as appendFile3 } from "fs/promises";
+import { dirname as dirname11 } from "path";
 
 // src/lib/state.ts
 init_esm_shims();
@@ -33084,7 +33441,7 @@ var DEFAULT_STATE = {
 };
 async function readServiceState(slockHome) {
   try {
-    const raw = await readFile11(serviceStatePath(slockHome), "utf8");
+    const raw = await readFile13(serviceStatePath(slockHome), "utf8");
     const parsed = JSON.parse(raw);
     if (!parsed || typeof parsed !== "object") return { ...DEFAULT_STATE };
     const obj = parsed;
@@ -33097,8 +33454,8 @@ async function readServiceState(slockHome) {
 }
 async function writeServiceState(slockHome, file) {
   const path3 = serviceStatePath(slockHome);
-  await mkdir10(dirname10(path3), { recursive: true });
-  await writeFile9(path3, JSON.stringify(file), { mode: 384 });
+  await mkdir12(dirname11(path3), { recursive: true });
+  await writeFile11(path3, JSON.stringify(file), { mode: 384 });
 }
 function isCrashEntry(value) {
   if (!value || typeof value !== "object") return false;
@@ -33115,7 +33472,7 @@ async function emitServiceStateTransition(slockHome, fromState, toState, trigger
   };
   try {
     const path3 = serviceLogPath(slockHome);
-    await mkdir10(dirname10(path3), { recursive: true });
+    await mkdir12(dirname11(path3), { recursive: true });
     await appendFile3(path3, JSON.stringify(entry) + "\n");
   } catch {
   }
@@ -33209,14 +33566,14 @@ async function runReset(opts) {
 // src/concurrency.ts
 init_esm_shims();
 var import_proper_lockfile = __toESM(require_proper_lockfile(), 1);
-import { mkdir as mkdir11 } from "fs/promises";
-import { join as join4 } from "path";
+import { mkdir as mkdir13 } from "fs/promises";
+import { join as join5 } from "path";
 var STALE_LOCK_THRESHOLD_MS = 6e4;
 async function withMutationLock(fn) {
   const slockHome = resolveSlockHome();
   const lockTarget = computerDir(slockHome);
-  await mkdir11(lockTarget, { recursive: true });
-  const lockfilePath = join4(lockTarget, ".lock");
+  await mkdir13(lockTarget, { recursive: true });
+  const lockfilePath = join5(lockTarget, ".lock");
   let release = null;
   try {
     release = await import_proper_lockfile.default.lock(lockTarget, {
@@ -33252,1060 +33609,15 @@ async function withMutationLock(fn) {
   }
 }
 
-// src/channel.ts
-init_esm_shims();
-import { readFile as readFile12, writeFile as writeFile10, mkdir as mkdir12 } from "fs/promises";
-import { dirname as dirname11 } from "path";
-var DEFAULT_CHANNEL = "latest";
-var SEMVER_RE = /^\d+\.\d+\.\d+(-[\w.]+)?$/;
-function parseChannel(raw) {
-  const v = raw.trim();
-  if (v === "latest" || v === "alpha") return v;
-  if (v.startsWith("pinned:")) {
-    const semver = v.slice("pinned:".length);
-    if (SEMVER_RE.test(semver)) return `pinned:${semver}`;
-    return null;
-  }
-  return null;
-}
-async function readChannel(slockHome) {
-  try {
-    const raw = await readFile12(channelPath(slockHome), "utf8");
-    const parsed = parseChannel(raw);
-    if (parsed !== null) return parsed;
-  } catch {
-  }
-  return DEFAULT_CHANNEL;
-}
-async function writeChannel(slockHome, channel2) {
-  const p = channelPath(slockHome);
-  await mkdir12(dirname11(p), { recursive: true });
-  await writeFile10(p, `${channel2}
-`, { mode: 384 });
-}
-async function runChannelShow(slockHome) {
-  void computerDir;
-  const channel2 = await readChannel(slockHome);
-  info(channel2);
-}
-async function runChannelSet(slockHome, raw) {
-  const parsed = parseChannel(raw);
-  if (parsed === null) {
-    fail(
-      "CHANNEL_INVALID",
-      `Invalid channel "${raw}". Accepted: \`latest\`, \`alpha\`, or \`pinned:<semver>\` (e.g. pinned:0.52.2).`
-    );
-  }
-  await writeChannel(slockHome, parsed);
-  info(`Channel set to ${parsed}.`);
-  info(`Note: service reads channel at startup; restart \`slock-computer start\` to apply.`);
-}
-
 // src/upgradeCli.ts
 init_esm_shims();
-import { readFile as readFile15 } from "fs/promises";
+import { readFile as readFile14, rm as rm4 } from "fs/promises";
 import { fileURLToPath as fileURLToPath3 } from "url";
-import { dirname as dirname12, join as join7 } from "path";
+import { dirname as dirname12, join as join6 } from "path";
 
-// src/upgrade.ts
-init_esm_shims();
-import { spawn as spawn4 } from "child_process";
-import { mkdir as mkdir13, readFile as readFile14, writeFile as writeFile11, rm as rm3, rename as rename4 } from "fs/promises";
-import { join as join6 } from "path";
-import { createHash as createHash3 } from "crypto";
-
-// src/preflightDepDrift.ts
+// src/upgradeLog.ts
 init_esm_shims();
-import { readFile as readFile13 } from "fs/promises";
-import { spawn as spawn3 } from "child_process";
-import { createRequire as createRequire2 } from "module";
-import { join as join5 } from "path";
-import { pathToFileURL } from "url";
-var DAEMON_PACKAGE_NAME = "@slock-ai/daemon";
-async function preflightDepDriftCheck(currentBinaryDir, stagedTarballPath, deps = {}) {
-  const readTarball = deps.readTarballPackageJson ?? defaultReadTarballPackageJson;
-  const readCurrent = deps.readCurrentPackageJson ?? defaultReadCurrentPackageJson;
-  const satisfies = deps.semverSatisfies ?? defaultSemverSatisfies;
-  const allowUnsafe = deps.allowUnsafeSpec === true;
-  let targetPkg;
-  let currentPkg;
-  try {
-    targetPkg = await readTarball(stagedTarballPath);
-  } catch (e) {
-    return {
-      ok: false,
-      reason: "read_failed",
-      detail: `cannot read target tarball package.json: ${errMsg(e)}`
-    };
-  }
-  try {
-    currentPkg = await readCurrent(currentBinaryDir);
-  } catch (e) {
-    return {
-      ok: false,
-      reason: "read_failed",
-      detail: `cannot read current binary package.json: ${errMsg(e)}`
-    };
-  }
-  const targetSpec = targetPkg.dependencies?.[DAEMON_PACKAGE_NAME];
-  const currentSpec = currentPkg.dependencies?.[DAEMON_PACKAGE_NAME];
-  if (typeof targetSpec !== "string" || targetSpec.length === 0) {
-    return {
-      ok: false,
-      reason: "read_failed",
-      detail: `target tarball package.json has no ${DAEMON_PACKAGE_NAME} dependency entry`,
-      currentSpec
-    };
-  }
-  const unsafeTarget = isUnsafeSpec(targetSpec) || isUnparseableRange(targetSpec);
-  if (!allowUnsafe && unsafeTarget) {
-    return {
-      ok: false,
-      reason: "unsafe_spec",
-      detail: `${DAEMON_PACKAGE_NAME} target spec is not a safe semver range (target="${targetSpec}"). Auto-upgrade only supports target semver ranges that can be hydrated and verified before swap.`,
-      currentSpec,
-      targetSpec
-    };
-  }
-  void satisfies;
-  return { ok: true, currentSpec, targetSpec };
-}
-async function verifyHydratedDaemonDependency(extractedPackageDir, targetSpec, deps = {}) {
-  const readInstalled = deps.readInstalledDaemonVersion ?? defaultReadInstalledDaemonVersion;
-  const satisfies = deps.semverSatisfies ?? defaultSemverSatisfies;
-  const allowUnsafe = deps.allowUnsafeSpec === true;
-  const unsafeTarget = isUnsafeSpec(targetSpec) || isUnparseableRange(targetSpec);
-  if (!allowUnsafe && unsafeTarget) {
-    return {
-      ok: false,
-      reason: "unsafe_spec",
-      detail: `${DAEMON_PACKAGE_NAME} target spec is not a safe semver range (target="${targetSpec}").`,
-      targetSpec
-    };
-  }
-  let installedVersion;
-  try {
-    installedVersion = await readInstalled(extractedPackageDir);
-  } catch (e) {
-    return {
-      ok: false,
-      reason: "read_failed",
-      detail: `cannot read hydrated ${DAEMON_PACKAGE_NAME} version: ${errMsg(e)}`,
-      targetSpec
-    };
-  }
-  if (installedVersion === null || installedVersion.length === 0) {
-    return {
-      ok: false,
-      reason: "read_failed",
-      detail: `${DAEMON_PACKAGE_NAME} is not installed in the hydrated staged package`,
-      targetSpec
-    };
-  }
-  if (allowUnsafe && unsafeTarget) {
-    return { ok: true, targetSpec, installedVersion };
-  }
-  if (!satisfies(installedVersion, targetSpec)) {
-    return {
-      ok: false,
-      reason: "installed_unsatisfied",
-      detail: `hydrated ${DAEMON_PACKAGE_NAME}@${installedVersion} does not satisfy target spec "${targetSpec}".`,
-      targetSpec,
-      installedVersion
-    };
-  }
-  return { ok: true, targetSpec, installedVersion };
-}
-function isUnparseableRange(spec) {
-  const s = spec.trim();
-  if (s.length === 0) return true;
-  if (/\s/.test(s) && !s.includes("||")) {
-    return s.split(/\s+/).some((p) => isUnparseableRange(p));
-  }
-  if (s.includes("||")) {
-    return s.split("||").every((p) => isUnparseableRange(p.trim()));
-  }
-  if (s.includes("x") || s.split(".").length < 3) {
-    const canon = s.replace(/\.x/g, ".0");
-    const padded = canon.split(".").length < 3 ? `${canon}.0.0`.split(".").slice(0, 3).join(".") : canon;
-    return parseSemver(padded) === null;
-  }
-  let core = s;
-  if (core.startsWith(">=") || core.startsWith("<=")) core = core.slice(2);
-  else if (core.startsWith("^") || core.startsWith("~") || core.startsWith(">") || core.startsWith("<") || core.startsWith("=")) {
-    core = core.slice(1);
-  }
-  return parseSemver(core) === null;
-}
-function isUnsafeSpec(spec) {
-  const s = spec.trim();
-  if (s.length === 0) return true;
-  if (s === "*" || s === "latest") return true;
-  if (s.startsWith("workspace:")) return true;
-  if (s.startsWith("file:") || s.startsWith("link:")) return true;
-  if (s.startsWith("git+") || s.startsWith("git:")) return true;
-  if (s.startsWith("github:") || /^[^/\s]+\/[^/\s]+(?:#.*)?$/.test(s)) {
-    return true;
-  }
-  if (s.startsWith("http://") || s.startsWith("https://")) return true;
-  if (s.startsWith("npm:")) return true;
-  if (s.startsWith("./") || s.startsWith("../") || s.startsWith("/")) return true;
-  return false;
-}
-function errMsg(e) {
-  return e instanceof Error ? e.message : String(e);
-}
-async function defaultReadTarballPackageJson(tarballPath) {
-  const raw = await new Promise((resolve2, reject) => {
-    const child = spawn3("tar", ["-xzOf", tarballPath, "package/package.json"], {
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    let stdoutBuf = "";
-    let stderrBuf = "";
-    child.stdout.on("data", (chunk) => {
-      stdoutBuf += String(chunk);
-    });
-    child.stderr.on("data", (chunk) => {
-      stderrBuf += String(chunk);
-    });
-    child.on("error", (err) => reject(err));
-    child.on("close", (code) => {
-      if (code !== 0) {
-        reject(new Error(`tar -xzOf exited ${code}: ${stderrBuf.slice(0, 300)}`));
-        return;
-      }
-      resolve2(stdoutBuf);
-    });
-  });
-  return JSON.parse(raw);
-}
-async function defaultReadCurrentPackageJson(currentBinaryDir) {
-  const raw = await readFile13(join5(currentBinaryDir, "package.json"), "utf8");
-  return JSON.parse(raw);
-}
-async function defaultReadInstalledDaemonVersion(currentBinaryDir) {
-  let searchPaths;
-  try {
-    const anchor = pathToFileURL(join5(currentBinaryDir, "package.json"));
-    const req = createRequire2(anchor);
-    searchPaths = req.resolve.paths(DAEMON_PACKAGE_NAME);
-  } catch {
-    return null;
-  }
-  if (!searchPaths || searchPaths.length === 0) return null;
-  const subPath = DAEMON_PACKAGE_NAME.split("/");
-  for (const base of searchPaths) {
-    const candidate = join5(base, ...subPath, "package.json");
-    try {
-      const raw = await readFile13(candidate, "utf8");
-      const parsed = JSON.parse(raw);
-      if (parsed.name !== DAEMON_PACKAGE_NAME) continue;
-      if (typeof parsed.version === "string" && parsed.version.length > 0) {
-        return parsed.version;
-      }
-      return null;
-    } catch {
-    }
-  }
-  return null;
-}
-function defaultSemverSatisfies(version, range) {
-  const ver = parseSemver(version);
-  if (ver === null) return false;
-  const trimmed = range.trim();
-  if (trimmed.length === 0) return false;
-  if (/\s/.test(trimmed) && !trimmed.includes("||")) {
-    return trimmed.split(/\s+/).every((part) => defaultSemverSatisfies(version, part));
-  }
-  if (trimmed.includes("||")) {
-    return trimmed.split("||").some((part) => defaultSemverSatisfies(version, part.trim()));
-  }
-  if (trimmed.startsWith("^")) {
-    return satisfiesCaret(ver, trimmed.slice(1));
-  }
-  if (trimmed.startsWith("~")) {
-    return satisfiesTilde(ver, trimmed.slice(1));
-  }
-  if (trimmed.startsWith(">=")) return cmp(ver, trimmed.slice(2)) >= 0;
-  if (trimmed.startsWith("<=")) return cmp(ver, trimmed.slice(2)) <= 0;
-  if (trimmed.startsWith(">")) return cmp(ver, trimmed.slice(1)) > 0;
-  if (trimmed.startsWith("<")) return cmp(ver, trimmed.slice(1)) < 0;
-  if (trimmed.startsWith("=")) return cmp(ver, trimmed.slice(1)) === 0;
-  if (trimmed.includes("x") || trimmed.split(".").length < 3) {
-    const canon = trimmed.replace(/\.x/g, ".0");
-    const padded = canon.split(".").length < 3 ? `${canon}.0.0`.split(".").slice(0, 3).join(".") : canon;
-    return satisfiesCaret(ver, padded);
-  }
-  return cmp(ver, trimmed) === 0;
-}
-function parseSemver(s) {
-  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(s.trim());
-  if (!m) return null;
-  return {
-    major: Number.parseInt(m[1], 10),
-    minor: Number.parseInt(m[2], 10),
-    patch: Number.parseInt(m[3], 10),
-    pre: m[4] ?? ""
-  };
-}
-function cmp(a, bStr) {
-  const b = parseSemver(bStr);
-  if (b === null) return Number.NaN;
-  if (a.major !== b.major) return a.major - b.major;
-  if (a.minor !== b.minor) return a.minor - b.minor;
-  if (a.patch !== b.patch) return a.patch - b.patch;
-  if (a.pre === "" && b.pre !== "") return 1;
-  if (a.pre !== "" && b.pre === "") return -1;
-  if (a.pre === b.pre) return 0;
-  return a.pre < b.pre ? -1 : 1;
-}
-function satisfiesCaret(ver, base) {
-  const b = parseSemver(base);
-  if (b === null) return false;
-  if (cmp(ver, base) < 0) return false;
-  if (b.major > 0) return ver.major === b.major;
-  if (b.minor > 0) return ver.major === 0 && ver.minor === b.minor;
-  return ver.major === 0 && ver.minor === 0 && ver.patch === b.patch;
-}
-function satisfiesTilde(ver, base) {
-  const b = parseSemver(base);
-  if (b === null) return false;
-  if (cmp(ver, base) < 0) return false;
-  return ver.major === b.major && ver.minor === b.minor;
-}
-
-// src/upgrade.ts
-async function stagePhase(slockHome, version, deps = {}) {
-  const npmPack = deps.npmPack ?? defaultNpmPack;
-  const fsReadFile = deps.fsReadFile ?? readFile14;
-  const stagedPath = upgradeStagingDir(slockHome, version);
-  await mkdir13(stagedPath, { recursive: true });
-  const packageRef = `@slock-ai/computer@${version}`;
-  const result = await npmPack(stagedPath, packageRef);
-  if (result.exitCode !== 0) {
-    const err = new Error(
-      `npm pack failed for ${packageRef}: exit ${result.exitCode}. stderr: ${result.stderr.slice(0, 500)}`
-    );
-    err.code = "UPGRADE_DOWNLOAD_FAILED";
-    throw err;
-  }
-  let tarballBytes;
-  try {
-    tarballBytes = await fsReadFile(result.tarballPath);
-  } catch (e) {
-    const msg = e instanceof Error ? e.message : String(e);
-    const err = new Error(`staged tarball missing at ${result.tarballPath}: ${msg}`);
-    err.code = "UPGRADE_DOWNLOAD_FAILED";
-    throw err;
-  }
-  const tarballSha1 = createHash3("sha1").update(tarballBytes).digest("hex");
-  return { stagedPath, version, tarballSha1 };
-}
-function defaultNpmPack(cwd, packageRef) {
-  return new Promise((resolve2) => {
-    const child = spawn4("npm", ["pack", packageRef, "--json"], {
-      cwd,
-      stdio: ["ignore", "pipe", "pipe"]
-    });
-    let stdoutBuf = "";
-    let stderrBuf = "";
-    child.stdout.on("data", (chunk) => {
-      stdoutBuf += String(chunk);
-    });
-    child.stderr.on("data", (chunk) => {
-      stderrBuf += String(chunk);
-    });
-    child.on("error", (err) => {
-      resolve2({ tarballPath: "", exitCode: 1, stderr: String(err) });
-    });
-    child.on("close", (code) => {
-      if (code !== 0) {
-        resolve2({ tarballPath: "", exitCode: code ?? 1, stderr: stderrBuf });
-        return;
-      }
-      try {
-        const parsed = JSON.parse(stdoutBuf);
-        const filename = parsed[0]?.filename;
-        if (!filename) {
-          resolve2({ tarballPath: "", exitCode: 1, stderr: "npm pack returned no filename" });
-          return;
-        }
-        resolve2({ tarballPath: join6(cwd, filename), exitCode: 0, stderr: stderrBuf });
-      } catch (e) {
-        resolve2({ tarballPath: "", exitCode: 1, stderr: `parse npm pack output: ${e}` });
-      }
-    });
-  });
-}
-async function verifyPhase(staged, deps = {}) {
-  const fetchAdvertisedHash = deps.fetchAdvertisedHash ?? defaultFetchAdvertisedHash;
-  let advertised;
-  try {
-    advertised = await fetchAdvertisedHash(staged.version);
-  } catch (e) {
-    void e;
-    return { ok: false, reason: "registry_fetch_failed" };
-  }
-  if (advertised === null) {
-    return { ok: false, reason: "no_advertised_sha" };
-  }
-  if (staged.tarballSha1 !== advertised) {
-    return {
-      ok: false,
-      reason: "checksum_mismatch",
-      actual: staged.tarballSha1,
-      advertised
-    };
-  }
-  return { ok: true, actual: staged.tarballSha1, advertised };
-}
-async function defaultFetchAdvertisedHash(version) {
-  const url = "https://registry.npmjs.org/@slock-ai/computer";
-  const controller = new AbortController();
-  const timeoutId = setTimeout(() => controller.abort(), 1e4);
-  try {
-    const res = await fetch(url, {
-      signal: controller.signal,
-      headers: { accept: "application/json" }
-    });
-    if (!res.ok) return null;
-    const data = await res.json();
-    const shasum = data.versions?.[version]?.dist?.shasum;
-    return typeof shasum === "string" && shasum.length > 0 ? shasum : null;
-  } catch {
-    return null;
-  } finally {
-    clearTimeout(timeoutId);
-  }
-}
-async function cleanupStaged(slockHome, version) {
-  try {
-    await rm3(upgradeStagingDir(slockHome, version), { recursive: true, force: true });
-  } catch {
-  }
-}
-async function snapshotPhase(slockHome, snap) {
-  const path3 = upgradeSnapshotPath(slockHome);
-  const tmp = `${path3}.tmp`;
-  await mkdir13(computerDir(slockHome), { recursive: true });
-  await writeFile11(tmp, JSON.stringify(snap, null, 2), { mode: 384 });
-  await rename4(tmp, path3);
-}
-async function clearUpgradeSnapshot(slockHome) {
-  try {
-    const { unlink: unlink5 } = await import("fs/promises");
-    await unlink5(upgradeSnapshotPath(slockHome));
-  } catch {
-  }
-}
-async function extractTarball(tarballPath, destDir, deps = {}) {
-  const tarSpawn = deps.tarSpawn ?? defaultTarSpawn;
-  await mkdir13(destDir, { recursive: true });
-  const result = await tarSpawn(tarballPath, destDir);
-  if (result.exitCode !== 0) {
-    const err = new Error(
-      `tar -xzf failed for ${tarballPath}: exit ${result.exitCode}. stderr: ${result.stderr.slice(0, 500)}`
-    );
-    err.code = "UPGRADE_EXTRACT_FAILED";
-    throw err;
-  }
-  return { extractedPackageDir: join6(destDir, "package") };
-}
-function defaultTarSpawn(tarballPath, destDir) {
-  return new Promise((resolve2) => {
-    const child = spawn4("tar", ["-xzf", tarballPath, "-C", destDir], {
-      stdio: ["ignore", "ignore", "pipe"]
-    });
-    let stderrBuf = "";
-    child.stderr.on("data", (chunk) => {
-      stderrBuf += String(chunk);
-    });
-    child.on("error", (err) => {
-      resolve2({ exitCode: 1, stderr: String(err) });
-    });
-    child.on("close", (code) => {
-      resolve2({ exitCode: code ?? 1, stderr: stderrBuf });
-    });
-  });
-}
-async function hydrateStagedDependencies(extractedPackageDir, deps = {}) {
-  const npmInstall = deps.npmInstall ?? defaultNpmInstallProductionDeps;
-  const result = await npmInstall(extractedPackageDir);
-  if (result.exitCode !== 0) {
-    const err = new Error(
-      `npm install failed for staged package dependencies: exit ${result.exitCode}`
-    );
-    err.code = "UPGRADE_DEPENDENCY_INSTALL_FAILED";
-    throw err;
-  }
-}
-function defaultNpmInstallProductionDeps(cwd) {
-  return new Promise((resolve2) => {
-    const child = spawn4(
-      "npm",
-      [
-        "install",
-        "--omit=dev",
-        "--ignore-scripts",
-        "--no-audit",
-        "--no-fund",
-        "--package-lock=false"
-      ],
-      {
-        cwd,
-        stdio: ["ignore", "ignore", "pipe"]
-      }
-    );
-    let stderrBuf = "";
-    child.stderr.on("data", (chunk) => {
-      stderrBuf += String(chunk);
-    });
-    child.on("error", (err) => {
-      resolve2({ exitCode: 1, stderr: String(err) });
-    });
-    child.on("close", (code) => {
-      resolve2({ exitCode: code ?? 1, stderr: stderrBuf });
-    });
-  });
-}
-async function swapPhase(currentBinaryDir, stagedBinaryDir, deps = {}) {
-  const fsRename = deps.fsRename ?? rename4;
-  const fsRm = deps.fsRm ?? ((p) => rm3(p, { recursive: true, force: true }));
-  const prevBinaryDir = `${currentBinaryDir}.prev`;
-  try {
-    await fsRm(prevBinaryDir);
-  } catch {
-  }
-  await fsRename(currentBinaryDir, prevBinaryDir);
-  try {
-    await fsRename(stagedBinaryDir, currentBinaryDir);
-  } catch (e) {
-    try {
-      await fsRename(prevBinaryDir, currentBinaryDir);
-    } catch {
-    }
-    const msg = e instanceof Error ? e.message : String(e);
-    const err = new Error(`swap failed (staged \u2192 current): ${msg}`);
-    err.code = "UPGRADE_SWAP_FAILED";
-    throw err;
-  }
-  return { prevBinaryDir, newBinaryDir: currentBinaryDir };
-}
-async function rollbackSwap(currentBinaryDir, deps = {}) {
-  const fsRename = deps.fsRename ?? rename4;
-  const fsRm = deps.fsRm ?? ((p) => rm3(p, { recursive: true, force: true }));
-  const prevBinaryDir = `${currentBinaryDir}.prev`;
-  try {
-    await fsRm(currentBinaryDir);
-    await fsRename(prevBinaryDir, currentBinaryDir);
-    return { rolledBack: true };
-  } catch {
-    return { rolledBack: false };
-  }
-}
-async function rollbackRestart(slockHome, currentBinaryDir, deps = {}) {
-  const readServicePid = deps.readServicePid ?? (() => defaultReadServicePid(slockHome));
-  const isProcessAlive4 = deps.isProcessAlive ?? defaultIsProcessAlive;
-  const killService = deps.killService ?? defaultKillService;
-  const forceKillService = deps.forceKillService ?? defaultForceKillService;
-  const waitForExit = deps.waitForExit ?? defaultWaitForExit;
-  const spawnFreshService = deps.spawnFreshService;
-  const healthCheck = deps.healthCheck ?? (() => defaultHealthCheck(slockHome));
-  const healthTimeoutMs = deps.healthTimeoutMs ?? 3e4;
-  const healthPollIntervalMs = deps.healthPollIntervalMs ?? 500;
-  let serviceStopped = false;
-  try {
-    const pid = await readServicePid();
-    if (pid === null || !isProcessAlive4(pid)) {
-      serviceStopped = true;
-    } else {
-      await killService(pid);
-      const exited = await waitForExit(pid, 1e4);
-      if (!exited) {
-        await forceKillService(pid);
-        const escalatedExit = await waitForExit(pid, 5e3);
-        serviceStopped = escalatedExit;
-      } else {
-        serviceStopped = true;
-      }
-    }
-  } catch (e) {
-    return {
-      binaryRestored: false,
-      serviceStopped: false,
-      serviceRespawned: false,
-      serviceHealthy: false,
-      failedStep: "stop",
-      reason: e instanceof Error ? e.message : String(e)
-    };
-  }
-  if (!serviceStopped) {
-    return {
-      binaryRestored: false,
-      serviceStopped: false,
-      serviceRespawned: false,
-      serviceHealthy: false,
-      failedStep: "stop",
-      reason: "new-version service did not exit (graceful + SIGKILL both timed out)"
-    };
-  }
-  const swapRb = await rollbackSwap(currentBinaryDir, {
-    fsRename: deps.fsRename,
-    fsRm: deps.fsRm
-  });
-  if (!swapRb.rolledBack) {
-    return {
-      binaryRestored: false,
-      serviceStopped: true,
-      serviceRespawned: false,
-      serviceHealthy: false,
-      failedStep: "binary",
-      reason: "could not restore .prev \u2192 currentBinaryDir"
-    };
-  }
-  if (!spawnFreshService) {
-    return {
-      binaryRestored: true,
-      serviceStopped: true,
-      serviceRespawned: false,
-      serviceHealthy: false,
-      failedStep: "respawn",
-      reason: "no spawnFreshService callback wired; old service not respawned"
-    };
-  }
-  try {
-    await spawnFreshService();
-  } catch (e) {
-    return {
-      binaryRestored: true,
-      serviceStopped: true,
-      serviceRespawned: false,
-      serviceHealthy: false,
-      failedStep: "respawn",
-      reason: e instanceof Error ? e.message : String(e)
-    };
-  }
-  const start2 = Date.now();
-  let healthy = false;
-  while (Date.now() - start2 < healthTimeoutMs) {
-    if (await healthCheck()) {
-      healthy = true;
-      break;
-    }
-    await new Promise((r) => setTimeout(r, healthPollIntervalMs));
-  }
-  if (!healthy) {
-    return {
-      binaryRestored: true,
-      serviceStopped: true,
-      serviceRespawned: true,
-      serviceHealthy: false,
-      failedStep: "health",
-      reason: "old service failed health check after rollback respawn"
-    };
-  }
-  return {
-    binaryRestored: true,
-    serviceStopped: true,
-    serviceRespawned: true,
-    serviceHealthy: true
-  };
-}
-async function restartPhase(slockHome, deps = {}) {
-  const readServicePid = deps.readServicePid ?? (() => defaultReadServicePid(slockHome));
-  const killService = deps.killService ?? defaultKillService;
-  const forceKillService = deps.forceKillService ?? defaultForceKillService;
-  const waitForExit = deps.waitForExit ?? defaultWaitForExit;
-  const spawnFreshService = deps.spawnFreshService;
-  const healthCheck = deps.healthCheck ?? (() => defaultHealthCheck(slockHome));
-  const healthTimeoutMs = deps.healthTimeoutMs ?? 3e4;
-  const healthPollIntervalMs = deps.healthPollIntervalMs ?? 500;
-  const forceKill = deps.forceKill === true;
-  const oldPid = await readServicePid();
-  if (oldPid !== null) {
-    try {
-      if (forceKill) {
-        await forceKillService(oldPid);
-      } else {
-        await killService(oldPid);
-        const exited = await waitForExit(oldPid, 1e4);
-        if (!exited) {
-          await forceKillService(oldPid);
-          const escalatedExit = await waitForExit(oldPid, 5e3);
-          if (!escalatedExit) {
-            return { ok: false, reason: "service_kill_failed" };
-          }
-        }
-      }
-    } catch {
-      return { ok: false, reason: "service_kill_failed" };
-    }
-  }
-  if (spawnFreshService) {
-    try {
-      await spawnFreshService();
-    } catch {
-      return { ok: false, reason: "spawn_failed" };
-    }
-  }
-  const start2 = Date.now();
-  while (Date.now() - start2 < healthTimeoutMs) {
-    if (await healthCheck()) {
-      return { ok: true, healthAfterMs: Date.now() - start2 };
-    }
-    await new Promise((r) => setTimeout(r, healthPollIntervalMs));
-  }
-  return { ok: false, reason: "health_check_timeout" };
-}
-async function defaultReadServicePid(slockHome) {
-  const { pid } = await findLiveServicePid(slockHome);
-  return pid;
-}
-async function defaultKillService(pid) {
-  try {
-    process.kill(pid, "SIGTERM");
-  } catch (err) {
-    if (err.code === "ESRCH") return;
-    throw err;
-  }
-}
-async function defaultForceKillService(pid) {
-  try {
-    process.kill(pid, "SIGKILL");
-  } catch (err) {
-    if (err.code === "ESRCH") return;
-    throw err;
-  }
-}
-async function defaultIsDaemonBusy(_slockHome) {
-  return false;
-}
-async function defaultWaitForExit(pid, timeoutMs) {
-  const start2 = Date.now();
-  while (Date.now() - start2 < timeoutMs) {
-    try {
-      process.kill(pid, 0);
-    } catch (err) {
-      if (err.code === "ESRCH") return true;
-    }
-    await new Promise((r) => setTimeout(r, 200));
-  }
-  return false;
-}
-async function defaultHealthCheck(slockHome) {
-  const pid = await defaultReadServicePid(slockHome);
-  if (pid === null) return false;
-  try {
-    process.kill(pid, 0);
-    return true;
-  } catch (err) {
-    return err.code === "EPERM";
-  }
-}
-async function cleanupSuccessPhase(slockHome, version, prevBinaryDir) {
-  await cleanupStaged(slockHome, version);
-  await clearUpgradeSnapshot(slockHome);
-  try {
-    await rm3(prevBinaryDir, { recursive: true, force: true });
-  } catch {
-  }
-}
-async function runUpgrade(slockHome, opts) {
-  const deps = opts.deps ?? {};
-  const drainMode = opts.drainMode ?? "drain";
-  if (drainMode === "defer") {
-    const isBusy = deps.isDaemonBusy ?? defaultIsDaemonBusy;
-    let busy = false;
-    try {
-      busy = await isBusy(slockHome);
-    } catch {
-      busy = false;
-    }
-    if (busy) {
-      return {
-        ok: false,
-        phase: "drain",
-        reason: "deferred: daemon busy (--drain defer)"
-      };
-    }
-  }
-  let staged;
-  try {
-    staged = await stagePhase(slockHome, opts.targetVersion, {
-      npmPack: deps.npmPack,
-      fsReadFile: deps.fsReadFile
-    });
-  } catch (e) {
-    await cleanupStaged(slockHome, opts.targetVersion);
-    return { ok: false, phase: "stage", reason: e instanceof Error ? e.message : String(e) };
-  }
-  const verify = await verifyPhase(staged, { fetchAdvertisedHash: deps.fetchAdvertisedHash });
-  if (!verify.ok) {
-    await cleanupStaged(slockHome, opts.targetVersion);
-    return { ok: false, phase: "verify", reason: verify.reason, staged, verify };
-  }
-  let stagedTarballPath;
-  try {
-    stagedTarballPath = await locateStagedTarball(staged.stagedPath);
-  } catch (e) {
-    await cleanupStaged(slockHome, opts.targetVersion);
-    return {
-      ok: false,
-      phase: "preflight",
-      reason: e instanceof Error ? e.message : String(e),
-      staged,
-      verify
-    };
-  }
-  const preflight = await preflightDepDriftCheck(
-    opts.currentBinaryDir,
-    stagedTarballPath,
-    deps.preflight ?? {}
-  );
-  if (!preflight.ok) {
-    await cleanupStaged(slockHome, opts.targetVersion);
-    return {
-      ok: false,
-      phase: "preflight",
-      reason: preflight.detail ?? preflight.reason ?? "dep_drift",
-      staged,
-      verify,
-      preflight
-    };
-  }
-  const targetDaemonSpec = preflight.targetSpec;
-  if (typeof targetDaemonSpec !== "string" || targetDaemonSpec.length === 0) {
-    await cleanupStaged(slockHome, opts.targetVersion);
-    return {
-      ok: false,
-      phase: "preflight",
-      reason: `${preflight.detail ?? preflight.reason ?? "dep_drift"}: missing target ${DAEMON_PACKAGE_NAME} spec`,
-      staged,
-      verify,
-      preflight
-    };
-  }
-  const snap = {
-    at: (/* @__PURE__ */ new Date()).toISOString(),
-    fromVersion: opts.fromVersion,
-    toVersion: opts.targetVersion,
-    channel: opts.channel
-  };
-  try {
-    await snapshotPhase(slockHome, snap);
-  } catch (e) {
-    await cleanupStaged(slockHome, opts.targetVersion);
-    return {
-      ok: false,
-      phase: "snapshot",
-      reason: e instanceof Error ? e.message : String(e),
-      staged,
-      verify
-    };
-  }
-  let extractedPackageDir;
-  try {
-    const ex = await extractTarball(
-      stagedTarballPath,
-      join6(staged.stagedPath, "extracted"),
-      { tarSpawn: deps.tarSpawn }
-    );
-    extractedPackageDir = ex.extractedPackageDir;
-  } catch (e) {
-    await cleanupStaged(slockHome, opts.targetVersion);
-    await clearUpgradeSnapshot(slockHome);
-    return {
-      ok: false,
-      phase: "extract",
-      reason: e instanceof Error ? e.message : String(e),
-      staged,
-      verify
-    };
-  }
-  try {
-    await hydrateStagedDependencies(extractedPackageDir, { npmInstall: deps.npmInstall });
-  } catch (e) {
-    await cleanupStaged(slockHome, opts.targetVersion);
-    await clearUpgradeSnapshot(slockHome);
-    return {
-      ok: false,
-      phase: "hydrate",
-      reason: e instanceof Error ? e.message : String(e),
-      staged,
-      verify
-    };
-  }
-  const hydratedDaemon = await verifyHydratedDaemonDependency(
-    extractedPackageDir,
-    targetDaemonSpec,
-    deps.preflight ?? {}
-  );
-  if (!hydratedDaemon.ok) {
-    await cleanupStaged(slockHome, opts.targetVersion);
-    await clearUpgradeSnapshot(slockHome);
-    return {
-      ok: false,
-      phase: "hydrate",
-      reason: `staged dependency tree verification failed: ${hydratedDaemon.detail ?? hydratedDaemon.reason ?? "hydrated dependency verification failed"}`,
-      staged,
-      verify,
-      preflight,
-      hydratedDaemon
-    };
-  }
-  let swap;
-  try {
-    swap = await swapPhase(opts.currentBinaryDir, extractedPackageDir, {
-      fsRename: deps.fsRename,
-      fsRm: deps.fsRm
-    });
-  } catch (e) {
-    return {
-      ok: false,
-      phase: "swap",
-      reason: e instanceof Error ? e.message : String(e),
-      staged,
-      verify
-    };
-  }
-  const restart = await restartPhase(slockHome, {
-    readServicePid: deps.readServicePid,
-    killService: deps.killService,
-    forceKillService: deps.forceKillService,
-    waitForExit: deps.waitForExit,
-    spawnFreshService: deps.spawnFreshService,
-    healthCheck: deps.healthCheck,
-    healthTimeoutMs: deps.healthTimeoutMs,
-    healthPollIntervalMs: deps.healthPollIntervalMs,
-    forceKill: drainMode === "force"
-  });
-  if (!restart.ok) {
-    const rb = await rollbackRestart(slockHome, opts.currentBinaryDir, {
-      readServicePid: deps.readServicePid,
-      isProcessAlive: deps.isProcessAlive,
-      killService: deps.killService,
-      forceKillService: deps.forceKillService,
-      waitForExit: deps.waitForExit,
-      spawnFreshService: deps.spawnFreshService,
-      healthCheck: deps.healthCheck,
-      healthTimeoutMs: deps.healthTimeoutMs,
-      healthPollIntervalMs: deps.healthPollIntervalMs,
-      fsRename: deps.fsRename,
-      fsRm: deps.fsRm
-    });
-    return {
-      ok: false,
-      phase: "restart",
-      reason: restart.reason,
-      staged,
-      verify,
-      swap,
-      restart,
-      rolledBack: rb.binaryRestored && rb.serviceHealthy,
-      rollback: rb
-    };
-  }
-  const rolling = await rollingDaemonHealthCheck(slockHome, {
-    listManagedServerIds: deps.listManagedServerIds,
-    readDaemonPid: deps.readDaemonPid,
-    isProcessAlive: deps.isProcessAlive,
-    perDaemonTimeoutMs: deps.perDaemonTimeoutMs,
-    pollIntervalMs: deps.daemonPollIntervalMs
-  });
-  if (!rolling.ok) {
-    const rb = await rollbackRestart(slockHome, opts.currentBinaryDir, {
-      readServicePid: deps.readServicePid,
-      isProcessAlive: deps.isProcessAlive,
-      killService: deps.killService,
-      forceKillService: deps.forceKillService,
-      waitForExit: deps.waitForExit,
-      spawnFreshService: deps.spawnFreshService,
-      healthCheck: deps.healthCheck,
-      healthTimeoutMs: deps.healthTimeoutMs,
-      healthPollIntervalMs: deps.healthPollIntervalMs,
-      fsRename: deps.fsRename,
-      fsRm: deps.fsRm
-    });
-    const failed = rolling.daemons.find((d) => !d.ok);
-    return {
-      ok: false,
-      phase: "rolling_health",
-      reason: failed ? `daemon ${failed.serverId} unhealthy after restart: ${failed.reason ?? "unknown"}` : "rolling daemon health failed",
-      staged,
-      verify,
-      swap,
-      restart,
-      rolling,
-      rolledBack: rb.binaryRestored && rb.serviceHealthy,
-      rollback: rb
-    };
-  }
-  await cleanupSuccessPhase(slockHome, opts.targetVersion, swap.prevBinaryDir);
-  return { ok: true, phase: "cleanup", staged, verify, preflight, hydratedDaemon, swap, restart, rolling };
-}
-async function rollingDaemonHealthCheck(slockHome, deps = {}) {
-  const list = deps.listManagedServerIds ?? listManagedServerIds;
-  const readDaemonPid = deps.readDaemonPid ?? defaultReadDaemonPid;
-  const isProcessAlive4 = deps.isProcessAlive ?? defaultIsProcessAlive;
-  const perDaemonTimeoutMs = deps.perDaemonTimeoutMs ?? 3e4;
-  const pollIntervalMs = deps.pollIntervalMs ?? 500;
-  const managed = await list(slockHome);
-  const daemons = [];
-  for (const serverId of managed) {
-    const start2 = Date.now();
-    let lastReason = "timeout";
-    let healthy = false;
-    while (Date.now() - start2 < perDaemonTimeoutMs) {
-      const pid = await readDaemonPid(slockHome, serverId);
-      if (pid === null) {
-        lastReason = "pidfile_missing";
-      } else if (!isProcessAlive4(pid)) {
-        lastReason = "process_dead";
-      } else {
-        healthy = true;
-        break;
-      }
-      await new Promise((r) => setTimeout(r, pollIntervalMs));
-    }
-    const entry = healthy ? { serverId, ok: true, healthAfterMs: Date.now() - start2 } : { serverId, ok: false, reason: lastReason };
-    daemons.push(entry);
-    if (!healthy) {
-      return { ok: false, daemons };
-    }
-  }
-  return { ok: true, daemons };
-}
-async function defaultReadDaemonPid(slockHome, serverId) {
-  try {
-    const raw = (await readFile14(serverRunnerPidPath(slockHome, serverId), "utf8")).trim();
-    const pid = Number.parseInt(raw, 10);
-    return Number.isInteger(pid) && pid > 0 ? pid : null;
-  } catch {
-    return null;
-  }
-}
-function defaultIsProcessAlive(pid) {
-  if (!Number.isInteger(pid) || pid <= 0) return false;
-  try {
-    process.kill(pid, 0);
-    return true;
-  } catch (err) {
-    return err.code === "EPERM";
-  }
-}
-async function locateStagedTarball(stagedPath) {
-  const { readdir: readdir5 } = await import("fs/promises");
-  const entries = await readdir5(stagedPath);
-  const tgz = entries.find((e) => e.endsWith(".tgz"));
-  if (!tgz) {
-    throw new Error(`no .tgz tarball found in staged dir ${stagedPath}`);
-  }
-  return join6(stagedPath, tgz);
-}
-
-// src/upgradeLog.ts
-init_esm_shims();
-import { chmod as chmod5, mkdir as mkdir14, open as open2 } from "fs/promises";
+import { chmod as chmod6, mkdir as mkdir14, open as open2 } from "fs/promises";
 var FILE_MODE = 384;
 function resolveUpgradeTrigger(raw) {
   return raw === "web" || raw === "tray" ? raw : "cli";
@@ -34365,31 +33677,29 @@ async function appendUpgradeLogEntry(slockHome, entry) {
     await handle.close();
   }
   if (process.platform !== "win32") {
-    await chmod5(path3, FILE_MODE);
+    await chmod6(path3, FILE_MODE);
   }
 }
 
 // src/upgradeCli.ts
-function isEphemeralNpxContext(binaryDir) {
-  return binaryDir.split(/[\\/]/).includes("_npx");
-}
-async function readBundledDaemonVersion(binaryDir) {
-  try {
-    const pkgPath = join7(binaryDir, "package.json");
-    const raw = await readFile15(pkgPath, "utf8");
-    const parsed = JSON.parse(raw);
-    const pinned = parsed.dependencies?.["@slock-ai/daemon"];
-    if (typeof pinned !== "string" || pinned.length === 0) return null;
-    if (pinned === "workspace:*") return null;
-    return pinned;
-  } catch {
-    return null;
+function mapSeaFailedPhaseToCode(failedPhase, reason) {
+  switch (failedPhase) {
+    case "resolve":
+      return "UPGRADE_NETWORK_FAILED";
+    case "stage":
+      return reason && /sha[_ ]?mismatch|UPGRADE_SHA_MISMATCH/i.test(reason) ? "UPGRADE_INTEGRITY_FAILED" : "UPGRADE_NETWORK_FAILED";
+    case "swap":
+      return "UPGRADE_SWAP_FAILED";
   }
 }
-async function defaultSpawnFreshService(slockHome) {
-  await spawnDetachedService(slockHome);
-}
 async function runUpgradeCli(slockHome, opts, deps = {}) {
+  const isSea = deps.isSeaBinary ?? isSeaBinary;
+  if (!isSea()) {
+    fail(
+      "UPGRADE_SEA_ONLY",
+      "`slock-computer upgrade` self-upgrades the SEA single-binary; this run is not a SEA binary (npm-installed or source/dev). Re-install the SEA binary to upgrade: `curl -fsSL https://github.com/botiverse/slock/releases/latest/download/install.sh | sh`."
+    );
+  }
   let channel2;
   if (opts.channel !== void 0) {
     const parsed = parseChannel(opts.channel);
@@ -34423,8 +33733,7 @@ async function runUpgradeCli(slockHome, opts, deps = {}) {
         `Could not reach npm registry to resolve ${channel2} dist-tag. Check connectivity or pass --target-version <semver>.`
       );
     }
-    const tagName = channel2;
-    const resolved = tags[tagName];
+    const resolved = tags[channel2];
     if (typeof resolved !== "string" || resolved.length === 0) {
       fail(
         "UPGRADE_VERSION_RESOLVE_FAILED",
@@ -34434,14 +33743,7 @@ async function runUpgradeCli(slockHome, opts, deps = {}) {
     targetVersion = resolved;
   }
   const fromVersion = await (deps.currentVersion ?? defaultCurrentVersion)();
-  const currentBinaryDir = (deps.currentBinaryDir ?? defaultCurrentBinaryDir)();
-  const isEphemeralFn = deps.isEphemeralNpxContext ?? isEphemeralNpxContext;
-  if (isEphemeralFn(currentBinaryDir)) {
-    fail(
-      "UPGRADE_EPHEMERAL_CONTEXT",
-      `You're running upgrade via the npx ephemeral entrypoint, which can't reach your installed Computer service. Please run the installed \`slock-computer upgrade\` instead. If \`slock-computer\` isn't on your PATH, install it globally first: \`npm i -g @slock-ai/computer@latest\`.`
-    );
-  }
+  const currentBinaryPath = (deps.currentBinaryPath ?? (() => process.execPath))();
   if (targetVersion === fromVersion) {
     info(`Already at ${fromVersion} (channel ${channel2}). No upgrade target.`);
     await appendUpgradeLogEntry(slockHome, {
@@ -34457,87 +33759,60 @@ async function runUpgradeCli(slockHome, opts, deps = {}) {
   }
   info(`Planning upgrade: ${fromVersion} \u2192 ${targetVersion} (channel ${channel2}).`);
   if (opts.dryRun) {
-    const stagePhaseFn = deps.stagePhaseFn ?? stagePhase;
-    const verifyPhaseFn = deps.verifyPhaseFn ?? verifyPhase;
-    let staged;
+    const stageFn = deps.stageSeaPhaseFn ?? stageSeaPhase;
+    const stagingDir = join6(slockHome, "upgrade-staging", `${targetVersion}-dryrun`);
     try {
-      staged = await stagePhaseFn(slockHome, targetVersion);
+      const staged = await stageFn(stagingDir, targetVersion, process.platform, process.arch);
+      info(
+        `Dry run OK: ${targetVersion} downloaded + verified (sha256 ${staged.sha256.slice(0, 12)}). No swap performed.`
+      );
     } catch (e) {
       const msg = e instanceof Error ? e.message : String(e);
-      fail("UPGRADE_DOWNLOAD_FAILED", `Dry run aborted: stage failed: ${msg}`);
-    }
-    const verify = await verifyPhaseFn(staged);
-    await cleanupStaged(slockHome, targetVersion);
-    if (!verify.ok) {
-      fail(
-        "UPGRADE_VERIFY_FAILED",
-        `Dry run: verify failed (${verify.reason}). actual=${verify.actual ?? "?"} advertised=${verify.advertised ?? "?"}.`
-      );
+      const code2 = mapSeaFailedPhaseToCode("stage", msg);
+      await rm4(stagingDir, { recursive: true, force: true }).catch(() => {
+      });
+      fail(code2, `Dry run aborted: stage failed: ${msg}`);
     }
-    info(
-      `Dry run OK: ${targetVersion} downloaded + verified (sha1 ${verify.actual}). No swap performed.`
-    );
+    await rm4(stagingDir, { recursive: true, force: true }).catch(() => {
+    });
     return;
   }
-  let drainMode = opts.drain;
-  if (drainMode === void 0 && opts.force === true) {
-    drainMode = "force";
-  }
-  if (drainMode !== void 0 && drainMode !== "drain") {
-    info(`Drain mode: ${drainMode}${drainMode === "force" ? " (in-flight turns will be dropped)" : ""}.`);
-  }
-  const readBundledFn = deps.readBundledDaemonVersion ?? readBundledDaemonVersion;
-  const fromBundledDaemonVersion = await readBundledFn(currentBinaryDir);
-  const runUpgradeFn = deps.runUpgradeFn ?? runUpgrade;
-  const spawnFreshService = deps.spawnFreshService ?? defaultSpawnFreshService;
-  const outcome = await runUpgradeFn(slockHome, {
-    targetVersion,
+  const runFn = deps.resolveAndRunSeaUpgradeFn ?? resolveAndRunSeaUpgrade;
+  const result = await runFn({
+    slockHome,
+    // Synthetic requestId — the CLI path has no remote requestId; the marker
+    // is still written so a post-restart reconcile reports done coherently.
+    requestId: `cli-${Date.now()}`,
     fromVersion,
-    channel: channel2,
-    currentBinaryDir,
-    drainMode,
+    currentBinaryPath,
+    nowIso: (/* @__PURE__ */ new Date()).toISOString(),
     deps: {
-      // Wire the production service-spawn into BOTH phase 5 (happy)
-      // and the operational-rollback respawn path inside `runUpgrade`.
-      // Without this, phase 5 falls through to a no-spawn health-poll
-      // and rollback later trips `failedStep="respawn"`. See Dayu
-      // blocker (#wg-slock-computer:b43b36fb msg=911eb84e).
-      spawnFreshService: () => spawnFreshService(slockHome)
+      // Force the already-resolved target so the SEA flow doesn't re-resolve
+      // the channel (and so `--target-version` / `--channel` overrides win).
+      resolveTargetVersion: async () => targetVersion
     }
   });
-  const toBundledDaemonVersion = await readBundledFn(currentBinaryDir);
-  const bundle = (version, bundledDaemonVersion) => bundledDaemonVersion !== null ? { computerVersion: version, bundledDaemonVersion } : { computerVersion: version };
-  const fromBundle = bundle(fromVersion, fromBundledDaemonVersion);
-  const toBundle = bundle(targetVersion, toBundledDaemonVersion);
   const logTrigger = opts.trigger ?? "cli";
-  if (outcome.ok) {
-    info(
-      `Upgrade ${fromVersion} \u2192 ${targetVersion} succeeded (health-OK in ${outcome.restart?.healthAfterMs ?? 0}ms).`
-    );
-    await appendUpgradeLogEntry(slockHome, {
-      fromBundle,
-      toBundle,
-      channel: channel2,
-      trigger: logTrigger,
-      outcome: "ok"
-    }).catch(() => {
-    });
-    return;
-  }
-  const rolledBack = outcome.rolledBack === true ? " (swap rolled back)" : "";
-  if (outcome.phase === "drain") {
-    info(
-      `Upgrade deferred: --drain=defer and daemons are busy. Re-run when idle, or use --force to interrupt in-flight turns.`
-    );
-    return;
-  }
-  if (outcome.phase === "cleanup") {
+  if (result.ok) {
+    if (result.alreadyCurrent) {
+      info(`Already at ${fromVersion} (channel ${channel2}). No upgrade target.`);
+      await appendUpgradeLogEntry(slockHome, {
+        fromBundle: { computerVersion: fromVersion },
+        toBundle: { computerVersion: fromVersion },
+        channel: channel2,
+        trigger: logTrigger,
+        outcome: "err",
+        errorCode: "UPGRADE_NO_TARGET"
+      }).catch(() => {
+      });
+      return;
+    }
     info(
-      `Upgrade ${fromVersion} \u2192 ${targetVersion} succeeded; cleanup phase reported a non-fatal issue: ${outcome.reason ?? "unknown"}. Active layout + service are healthy.`
+      `Upgrade staged: ${fromVersion} \u2192 ${targetVersion} downloaded, verified, and swapped. Restart the Computer service to run the new version (the managed supervisor does this automatically).`
     );
     await appendUpgradeLogEntry(slockHome, {
-      fromBundle,
-      toBundle,
+      fromBundle: { computerVersion: fromVersion },
+      toBundle: { computerVersion: targetVersion },
       channel: channel2,
       trigger: logTrigger,
       outcome: "ok"
@@ -34545,10 +33820,10 @@ async function runUpgradeCli(slockHome, opts, deps = {}) {
     });
     return;
   }
-  const code = mapFailurePhaseToCode(outcome);
+  const code = mapSeaFailedPhaseToCode(result.failedPhase ?? "stage", result.reason);
   await appendUpgradeLogEntry(slockHome, {
-    fromBundle,
-    toBundle,
+    fromBundle: { computerVersion: fromVersion },
+    toBundle: { computerVersion: targetVersion },
     channel: channel2,
     trigger: logTrigger,
     outcome: "err",
@@ -34557,39 +33832,9 @@ async function runUpgradeCli(slockHome, opts, deps = {}) {
   });
   fail(
     code,
-    `Upgrade failed at phase=${outcome.phase}: ${outcome.reason ?? "unknown"}${rolledBack}.`
+    `Upgrade failed at phase=${result.failedPhase ?? "stage"}: ${result.reason ?? "unknown"}.`
   );
 }
-function mapFailurePhaseToCode(outcome) {
-  switch (outcome.phase) {
-    case "stage":
-      return "UPGRADE_NETWORK_FAILED";
-    case "verify":
-      return "UPGRADE_INTEGRITY_FAILED";
-    case "preflight":
-      return "UPGRADE_DEPS_CHANGED";
-    case "snapshot":
-      return "UPGRADE_SWAP_FAILED";
-    case "extract":
-      return "UPGRADE_INTEGRITY_FAILED";
-    case "hydrate":
-      if (outcome.hydratedDaemon?.ok === false) {
-        return "UPGRADE_INTEGRITY_FAILED";
-      }
-      return "UPGRADE_NETWORK_FAILED";
-    case "swap":
-      return "UPGRADE_SWAP_FAILED";
-    case "restart":
-      return "UPGRADE_RESTART_FAILED";
-    case "rolling_health":
-      return "UPGRADE_RESTART_FAILED";
-    case "drain":
-    case "cleanup":
-      throw new Error(
-        `mapFailurePhaseToCode: phase=${outcome.phase} should be handled by caller (silenced), not mapped to a closed-set code`
-      );
-  }
-}
 async function defaultFetchDistTags() {
   const url = "https://registry.npmjs.org/@slock-ai/computer";
   const controller = new AbortController();
@@ -34613,9 +33858,10 @@ function defaultCurrentBinaryDir() {
   return dirname12(dirname12(here));
 }
 async function defaultCurrentVersion() {
-  const pkgPath = join7(defaultCurrentBinaryDir(), "package.json");
+  if (isSeaBinary()) return COMPUTER_VERSION;
+  const pkgPath = join6(defaultCurrentBinaryDir(), "package.json");
   try {
-    const raw = await readFile15(pkgPath, "utf8");
+    const raw = await readFile14(pkgPath, "utf8");
     const parsed = JSON.parse(raw);
     if (typeof parsed.version === "string" && parsed.version.length > 0) {
       return parsed.version;
@@ -34625,337 +33871,6 @@ async function defaultCurrentVersion() {
   throw new CliExit(1);
 }
 
-// src/upgradeTestHarness.ts
-init_esm_shims();
-import { mkdir as mkdir15, readdir as readdir4, stat as stat4, writeFile as writeFile12 } from "fs/promises";
-import { join as join8 } from "path";
-import { createHash as createHash4 } from "crypto";
-var PHASES = /* @__PURE__ */ new Set([
-  "stage",
-  "verify",
-  "snapshot",
-  "extract",
-  "swap",
-  "restart",
-  "rolling_health",
-  "cleanup"
-]);
-function validateHarnessOptions(opts) {
-  if (opts.simulateFail !== void 0 && !PHASES.has(opts.simulateFail)) {
-    return `--simulate-fail: unknown phase "${opts.simulateFail}". Accepted: ${[...PHASES].join(" | ")}.`;
-  }
-  if (opts.simulateNetworkLossAt !== void 0 && opts.simulateNetworkLossAt !== "stage" && opts.simulateNetworkLossAt !== "verify") {
-    return `--simulate-network-loss-at: only "stage" or "verify" are network-bound phases (got "${opts.simulateNetworkLossAt}").`;
-  }
-  if (opts.simulateSleepWakeMs !== void 0) {
-    if (!Number.isFinite(opts.simulateSleepWakeMs) || opts.simulateSleepWakeMs < 0) {
-      return `--simulate-sleep-wake: must be a non-negative number of ms (got ${opts.simulateSleepWakeMs}).`;
-    }
-    if (opts.simulateSleepWakeMs > 6e4) {
-      return `--simulate-sleep-wake: max 60000ms to keep the harness bounded (got ${opts.simulateSleepWakeMs}).`;
-    }
-  }
-  return null;
-}
-function buildSimulatedDeps(slockHome, opts) {
-  const targetVersion = opts.targetVersion ?? "0.99.0";
-  const fromVersion = opts.fromVersion ?? "0.0.0-test";
-  const tarballBytes = Buffer.from(`harness-tarball-${targetVersion}`, "utf8");
-  const expectedSha = createHash4("sha1").update(tarballBytes).digest("hex");
-  const sleepMs = opts.simulateSleepWakeMs ?? 0;
-  const maybeSleep = async () => {
-    if (sleepMs > 0) {
-      await new Promise((r) => setTimeout(r, sleepMs));
-    }
-  };
-  let spawnCalls = 0;
-  let healthCalls = 0;
-  return {
-    opts: {
-      targetVersion,
-      fromVersion,
-      channel: "latest",
-      currentBinaryDir: join8(slockHome, "harness-current"),
-      drainMode: opts.drain,
-      deps: {
-        npmPack: async (cwd) => {
-          if (opts.simulateNetworkLossAt === "stage") {
-            throw new Error("simulated network loss during stage (npm pack)");
-          }
-          if (opts.simulateFail === "stage") {
-            return { tarballPath: "", exitCode: 1, stderr: "simulated stage failure" };
-          }
-          const filename = `slock-ai-computer-${targetVersion}.tgz`;
-          await writeFile12(join8(cwd, filename), tarballBytes);
-          return { tarballPath: join8(cwd, filename), exitCode: 0, stderr: "" };
-        },
-        fetchAdvertisedHash: async () => {
-          if (opts.simulateNetworkLossAt === "verify") return null;
-          if (opts.simulateFail === "verify") return "deadbeef";
-          return expectedSha;
-        },
-        tarSpawn: async (_t, destDir) => {
-          if (opts.simulateFail === "extract") {
-            return { exitCode: 1, stderr: "simulated extract failure" };
-          }
-          await mkdir15(join8(destDir, "package"), { recursive: true });
-          await writeFile12(join8(destDir, "package", "marker.txt"), `NEW@${targetVersion}`);
-          return { exitCode: 0, stderr: "" };
-        },
-        npmInstall: async () => ({ exitCode: 0, stderr: "" }),
-        fsRename: opts.simulateFail === "swap" ? async () => {
-          throw new Error("simulated swap failure: fsRename");
-        } : void 0,
-        readServicePid: async () => null,
-        spawnFreshService: async () => {
-          await maybeSleep();
-          spawnCalls += 1;
-          if (opts.simulateFail === "restart" && spawnCalls === 1) {
-            throw new Error("simulated spawn failure");
-          }
-        },
-        healthCheck: async () => {
-          await maybeSleep();
-          healthCalls += 1;
-          if (opts.simulateFail === "restart" && spawnCalls <= 1) return false;
-          return true;
-        },
-        healthTimeoutMs: opts.simulateFail === "restart" ? 200 : 5e3,
-        healthPollIntervalMs: 10,
-        listManagedServerIds: async () => {
-          if (opts.simulateFail === "rolling_health") {
-            return ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"];
-          }
-          return [];
-        },
-        readDaemonPid: async () => null,
-        perDaemonTimeoutMs: 50,
-        daemonPollIntervalMs: 10,
-        // PR-E 18/n phase 1.5 dep-drift preflight: the harness mocks
-        // `npmPack` to write fake tarball BYTES (not a real tar archive),
-        // so the production preflight's `tar -xzOf` would fail. Inject
-        // an always-passing predicate so the harness keeps exercising
-        // phases 3-6 (the surface it was built to cover). Dep-drift
-        // refusal semantics are covered by `preflightDepDrift.test.ts`
-        // and the new `runUpgrade: preflight fail …` integration tests
-        // in `upgrade.test.ts`, not here.
-        preflight: {
-          readTarballPackageJson: async () => ({
-            dependencies: { "@slock-ai/daemon": "^0.0.0-harness" }
-          }),
-          readCurrentPackageJson: async () => ({
-            dependencies: { "@slock-ai/daemon": "^0.0.0-harness" }
-          }),
-          readInstalledDaemonVersion: async () => "0.0.0-harness",
-          semverSatisfies: () => true,
-          allowUnsafeSpec: true
-        }
-        // snapshot-phase failure: caller arranges that `mkdir` on the
-        // snapshot path fails. We don't have a snapshot-phase dep hook,
-        // so we instead pre-create the snapshot file as a directory:
-        // that's handled outside `deps` via `arrangeSnapshotFailure`.
-      }
-    }
-  };
-}
-async function arrangeSnapshotFailure(slockHome) {
-  const snapshotPath = join8(slockHome, "computer", "upgrade-snapshot.json");
-  await mkdir15(snapshotPath, { recursive: true });
-}
-async function pathInfo(path3) {
-  try {
-    const s = await stat4(path3);
-    if (s.isDirectory()) return { kind: "dir", size: 0 };
-    if (s.isFile()) return { kind: "file", size: s.size };
-    return null;
-  } catch {
-    return null;
-  }
-}
-async function captureStateSnapshot(slockHome, version, currentBinaryDir) {
-  const stagingPath = upgradeStagingDir(slockHome, version);
-  const stagingExists = await pathInfo(stagingPath);
-  let stagingEntries = null;
-  if (stagingExists?.kind === "dir") {
-    try {
-      stagingEntries = (await readdir4(stagingPath)).sort();
-    } catch {
-      stagingEntries = null;
-    }
-  }
-  let servers = [];
-  try {
-    const ids = await readdir4(serversDir(slockHome));
-    servers = await Promise.all(
-      ids.map(async (serverId) => ({
-        serverId,
-        attachment: await pathInfo(serverAttachmentPath(slockHome, serverId)),
-        managed: await pathInfo(serverManagedFlagPath(slockHome, serverId))
-      }))
-    );
-  } catch {
-  }
-  return {
-    upgradeSnapshot: await pathInfo(upgradeSnapshotPath(slockHome)),
-    stagingDir: stagingExists,
-    stagingEntries,
-    servicePid: await pathInfo(servicePidPath(slockHome)),
-    channelFile: await pathInfo(join8(computerDir(slockHome), "channel")),
-    computerDir: await pathInfo(computerDir(slockHome)),
-    servers,
-    prevBinary: await pathInfo(currentBinaryDir + ".prev"),
-    currentBinary: await pathInfo(currentBinaryDir)
-  };
-}
-async function runUpgradeTestHarness(slockHome, opts, writer = (s) => process.stdout.write(s)) {
-  const err = validateHarnessOptions(opts);
-  if (err !== null) {
-    process.stderr.write(`__upgrade-test: ${err}
-`);
-    process.exitCode = 1;
-    return;
-  }
-  await mkdir15(slockHome, { recursive: true });
-  if (opts.simulateFail === "snapshot") {
-    await arrangeSnapshotFailure(slockHome);
-  }
-  const { opts: upgradeOpts } = buildSimulatedDeps(slockHome, opts);
-  await mkdir15(upgradeOpts.currentBinaryDir, { recursive: true });
-  let outcome;
-  try {
-    outcome = await runUpgrade(slockHome, upgradeOpts);
-  } catch (e) {
-    outcome = {
-      ok: false,
-      phase: "stage",
-      reason: `harness_exception: ${e instanceof Error ? e.message : String(e)}`
-    };
-  }
-  const state = await captureStateSnapshot(
-    slockHome,
-    upgradeOpts.targetVersion,
-    upgradeOpts.currentBinaryDir
-  );
-  const payload = {
-    ok: outcome.ok,
-    phase: outcome.phase,
-    reason: outcome.reason ?? null,
-    rolledBack: outcome.rolledBack ?? false,
-    // Operational rollback per-step status, surfaced so QA can assert
-    // that disk + process both recovered (not just disk). null when no
-    // rollback was attempted (phases ≤ swap, or ok=true).
-    rollback: outcome.rollback ?? null,
-    simulated: {
-      fail: opts.simulateFail ?? null,
-      networkLossAt: opts.simulateNetworkLossAt ?? null,
-      sleepWakeMs: opts.simulateSleepWakeMs ?? null,
-      drain: opts.drain ?? null
-    },
-    state
-  };
-  writer(JSON.stringify(payload) + "\n");
-}
-
-// src/upgradeInstallSmoke.ts
-init_esm_shims();
-import { copyFile, mkdir as mkdir16, readFile as readFile16 } from "fs/promises";
-import { createHash as createHash5 } from "crypto";
-import { dirname as dirname13, isAbsolute, join as join9, resolve as pathResolve } from "path";
-import { fileURLToPath as fileURLToPath4 } from "url";
-async function runUpgradeInstallSmoke(slockHome, opts, deps = {}) {
-  if (typeof opts.packageTarball !== "string" || opts.packageTarball.trim().length === 0) {
-    throw new Error("__upgrade-install-smoke: --package-tarball is required.");
-  }
-  const tarballPath = isAbsolute(opts.packageTarball) ? opts.packageTarball : pathResolve(opts.packageTarball);
-  let tarballBytes;
-  try {
-    tarballBytes = await readFile16(tarballPath);
-  } catch (e) {
-    const msg = e instanceof Error ? e.message : String(e);
-    throw new Error(`__upgrade-install-smoke: cannot read --package-tarball ${tarballPath}: ${msg}`);
-  }
-  const tarballSha1 = createHash5("sha1").update(tarballBytes).digest("hex");
-  const currentBinaryDir = opts.currentBinaryDir ?? (deps.currentBinaryDir ?? defaultCurrentBinaryDirLocal)();
-  const fromVersion = opts.fromVersion ?? await (deps.currentVersion ?? defaultCurrentVersionLocal)();
-  const channel2 = opts.channel ?? "latest";
-  const spawnFreshService = deps.spawnFreshService ?? (async (h) => {
-    await spawnDetachedService(h);
-  });
-  await mkdir16(slockHome, { recursive: true });
-  const outcome = await runUpgrade(slockHome, {
-    targetVersion: opts.targetVersion,
-    fromVersion,
-    channel: channel2,
-    currentBinaryDir,
-    deps: {
-      // QA-only bypass of `npm pack <pkg>@<ver>`: copy the caller-supplied
-      // tarball into the staging dir under the expected filename. This is
-      // the ONLY deviation from production `runUpgrade` plumbing — every
-      // other dep falls back to its production default.
-      npmPack: async (cwd) => {
-        const filename = `slock-ai-computer-${opts.targetVersion}.tgz`;
-        const stagedTarball = join9(cwd, filename);
-        await copyFile(tarballPath, stagedTarball);
-        return { tarballPath: stagedTarball, exitCode: 0, stderr: "" };
-      },
-      // We trust the local tarball (caller built it from source via
-      // build-disposable-install.mjs). Return its sha1 as the
-      // "advertised" hash so verify is always satisfied.
-      fetchAdvertisedHash: async () => tarballSha1,
-      // Local QA tarballs are built from the workspace and may still
-      // carry workspace/file specs. The production upgrade path hydrates
-      // dependencies from the registry; this smoke isolates the swap /
-      // restart mechanics and keeps dependency hydration out of scope.
-      npmInstall: async () => ({ exitCode: 0, stderr: "" }),
-      spawnFreshService: () => spawnFreshService(slockHome),
-      // PR-E 18/n: the workspace-built tarball still carries
-      // `workspace:*` (or `file:` after pack-rewrite in some workflows)
-      // for `@slock-ai/daemon`, which production preflight rejects as
-      // unsafe. The harness opts in to `allowUnsafeSpec` so the smoke
-      // can run; production `runUpgrade` never sets this flag. The
-      // spec-equality + installed-satisfies checks still run on
-      // semver-shaped specs.
-      preflight: { allowUnsafeSpec: true }
-    }
-  });
-  const activeVersion = await readServiceVersionEvidence(slockHome);
-  return { outcome, activeVersion };
-}
-async function runUpgradeInstallSmokeCli(slockHome, opts, writer = (s) => process.stdout.write(s), deps = {}) {
-  let report;
-  try {
-    report = await runUpgradeInstallSmoke(slockHome, opts, deps);
-  } catch (e) {
-    const msg = e instanceof Error ? e.message : String(e);
-    writer(
-      JSON.stringify({
-        outcome: { ok: false, phase: "stage", reason: `harness_exception: ${msg}` },
-        activeVersion: null
-      }) + "\n"
-    );
-    return;
-  }
-  writer(JSON.stringify(report) + "\n");
-}
-function defaultCurrentBinaryDirLocal() {
-  const here = fileURLToPath4(import.meta.url);
-  return dirname13(dirname13(here));
-}
-async function defaultCurrentVersionLocal() {
-  const pkgPath = join9(defaultCurrentBinaryDirLocal(), "package.json");
-  try {
-    const raw = await readFile16(pkgPath, "utf8");
-    const parsed = JSON.parse(raw);
-    if (typeof parsed.version === "string" && parsed.version.length > 0) {
-      return parsed.version;
-    }
-  } catch {
-  }
-  throw new Error(
-    "__upgrade-install-smoke: cannot read current binary version from package.json; pass --from-version explicitly."
-  );
-}
-
 // src/index.ts
 function withCliExit(fn) {
   return async (...args) => {
@@ -34970,17 +33885,20 @@ function withCliExit(fn) {
     }
   };
 }
+var FOREGROUND_DESC = "run the service in this terminal instead of the background";
+var SERVER_SLUG_TARGET_DESC = "target Slock server slug (canonical form `/myserver`; bare `myserver` accepted)";
+var SERVER_SLUG_OPTIONAL_DESC = "optional: scope to one attached server (canonical `/myserver`; bare accepted; default: all attached)";
 var program2 = new Command();
 program2.name("slock-computer").description("Slock Computer \u2014 local-machine control plane (login + N per-server attachments).").version(COMPUTER_VERSION);
 program2.command("login").description("Log in via device-code (one user identity per Computer / SLOCK_HOME).").option("--server-url <url>", `Slock API base URL; defaults to SLOCK_SERVER_URL or ${DEFAULT_SLOCK_SERVER_URL}`).action(withCliExit(async (opts) => {
   await runLogin({ serverUrl: opts.serverUrl });
 }));
-program2.command("attach").argument("<serverSlug>", "target Slock server slug (canonical form `/myserver`; bare `myserver` accepted)").description("Attach this Computer to one Slock server (add-not-replace; multi-server OK).").option("--server-url <url>", `Slock API base URL; defaults to the saved user session, SLOCK_SERVER_URL, or ${DEFAULT_SLOCK_SERVER_URL}`).option("--name <name>", "Computer display name; defaults to a sanitized hostname").option("--no-run", "only authorize + write local state; do not start the service").option("--foreground", "run the service in this terminal instead of the background").action(withCliExit(async (serverSlug, opts) => {
+program2.command("attach").argument("<serverSlug>", SERVER_SLUG_TARGET_DESC).description("Attach this Computer to one Slock server (add-not-replace; multi-server OK).").option("--server-url <url>", `Slock API base URL; defaults to the saved user session, SLOCK_SERVER_URL, or ${DEFAULT_SLOCK_SERVER_URL}`).option("--name <name>", "Computer display name; defaults to a sanitized hostname").option("--no-run", "only authorize + write local state; do not start the service").option("--foreground", FOREGROUND_DESC).action(withCliExit(async (serverSlug, opts) => {
   await withMutationLock(
     () => runAttach({ serverSlug, serverUrl: opts.serverUrl, name: opts.name, run: opts.run, foreground: opts.foreground })
   );
 }));
-program2.command("setup").argument("<serverSlug>", "target Slock server slug (canonical form `/myserver`; bare `myserver` accepted)").description("Set up this Computer for one server: login if needed, attach (or \xA7X.1 migrate-prompt) if needed, then start.").option("--server-url <url>", `Slock API base URL; defaults to the saved user session, SLOCK_SERVER_URL, or ${DEFAULT_SLOCK_SERVER_URL}`).option("--name <name>", "Computer display name for a new attachment; defaults to a sanitized hostname").option("--no-start", "stop after login + attach; do not start the service").option("--foreground", "run the service in this terminal instead of the background").option("-y, --yes", "allow non-interactive setup after confirming the planned actions").action(
+program2.command("setup").argument("<serverSlug>", SERVER_SLUG_TARGET_DESC).description("Set up this Computer for one server: login if needed, attach (or \xA7X.1 migrate-prompt) if needed, then start.").option("--server-url <url>", `Slock API base URL; defaults to the saved user session, SLOCK_SERVER_URL, or ${DEFAULT_SLOCK_SERVER_URL}`).option("--name <name>", "Computer display name for a new attachment; defaults to a sanitized hostname").option("--no-start", "stop after login + attach; do not start the service").option("--foreground", FOREGROUND_DESC).option("-y, --yes", "allow non-interactive setup after confirming the planned actions").action(
   withCliExit(async (serverSlug, opts) => {
     await withMutationLock(
       () => runSetup({
@@ -34994,13 +33912,13 @@ program2.command("setup").argument("<serverSlug>", "target Slock server slug (ca
     );
   })
 );
-program2.command("detach").argument("<serverSlug>", "server slug to detach from this Computer (canonical form `/myserver`)").description("Remove ONE server's local attachment; never touches user-session or other servers.").action(withCliExit(async (serverSlug) => {
+program2.command("detach").argument("<serverSlug>", `${SERVER_SLUG_TARGET_DESC} (the server to detach from this Computer)`).description("Remove ONE server's local attachment; never touches user-session or other servers.").action(withCliExit(async (serverSlug) => {
   await withMutationLock(async () => runDetach(await resolveTargetServerId({ server: serverSlug }), serverSlug));
 }));
 program2.command("status").description("Show this Computer's aggregate state (login + service + per-server server-runners).").option("--json", "emit the machine-readable report").action(withCliExit(async (opts) => {
   await runStatus({ json: opts.json });
 }));
-program2.command("start").argument("[serverSlug]", "optional: verify this server is attached and ensure its server-runner is reconciled (default: ensure all attached)").description("Start/ensure the Computer service (manages all per-server server-runners).").option("--foreground", "stay in this terminal instead of detaching").action(withCliExit(async (serverSlug, opts) => {
+program2.command("start").argument("[serverSlug]", SERVER_SLUG_OPTIONAL_DESC).description("Start/ensure the Computer service (manages all per-server server-runners).").option("--foreground", FOREGROUND_DESC).action(withCliExit(async (serverSlug, opts) => {
   await withMutationLock(
     async () => runStart({
       foreground: opts.foreground,
@@ -35012,17 +33930,25 @@ program2.command("start").argument("[serverSlug]", "optional: verify this server
 program2.command("stop").description("Stop the Computer service (and all managed per-server server-runners).").action(withCliExit(async () => {
   await withMutationLock(() => runStop());
 }));
-program2.command("doctor").argument("[serverSlug]", "optional: scope detail (recent crashes) to one server").description("Diagnose login + per-server attachments + per-server preflight (no secrets).").option("--json", "emit the machine-readable report").option("--cleanup", "after diagnosis, run the local residue cleanup pass").option("--fix", "alias for --cleanup (same behavior)").option("--reset-health", "clear <serverSlug>'s crash history so service resumes auto-restart").action(
+program2.command("restart").argument("[serverSlug]", SERVER_SLUG_OPTIONAL_DESC).description("Restart the Computer service (stop + start; all managed per-server server-runners).").option("--foreground", FOREGROUND_DESC).action(withCliExit(async (serverSlug, opts) => {
+  await withMutationLock(async () => {
+    await runStop();
+    await runStart({
+      foreground: opts.foreground,
+      serverId: serverSlug ? await resolveTargetServerId({ server: serverSlug }) : null,
+      serverLabel: serverSlug ?? null
+    });
+  });
+}));
+program2.command("doctor").argument("[serverSlug]", `${SERVER_SLUG_OPTIONAL_DESC} (scopes recent-crash detail to that server)`).description("Diagnose login + per-server attachments + per-server preflight (no secrets).").option("--json", "emit the machine-readable report").option("--fix", "after diagnosis, run the local residue cleanup pass").action(
   withCliExit(
     async (serverSlug, opts) => {
       const serverId = serverSlug ? await resolveTargetServerId({ server: serverSlug }) : void 0;
       await runDoctor({
         json: opts.json,
-        cleanup: opts.cleanup,
-        fix: opts.fix,
+        cleanup: opts.fix,
         serverId,
-        serverLabel: serverSlug,
-        resetHealth: opts.resetHealth
+        serverLabel: serverSlug
       });
     }
   )
@@ -35039,8 +33965,8 @@ program2.command("reset").description("Clear a degraded state and resume the ser
     );
   })
 );
-program2.command("logs").description("Tail one server's server-runner log (or the service log); secrets redacted.").option("--lines <n>", "trailing lines to show (default 200)", (v) => Number.parseInt(v, 10)).option("--server <slug>", "select target server slug (required when \u22652 attached)").option("--service", "tail the global service log instead of a per-server server-runner log").action(withCliExit(async (opts) => {
-  await runLogs({ lines: opts.lines, server: opts.server ?? null, service: !!opts.service });
+program2.command("logs").argument("[serverSlug]", `${SERVER_SLUG_OPTIONAL_DESC} (required when \u22652 attached; ignored with --service)`).description("Tail one server's server-runner log (or the service log); secrets redacted.").option("--lines <n>", "trailing lines to show (default 200)", (v) => Number.parseInt(v, 10)).option("--service", "tail the global service log instead of a per-server server-runner log").action(withCliExit(async (serverSlug, opts) => {
+  await runLogs({ lines: opts.lines, server: serverSlug ?? null, service: !!opts.service });
 }));
 var runners = program2.command("runners").description("Computer runner control plane (per-server scoped; \xA712 whitelist server-side).");
 runners.command("list").description("List runners on one attached server.").option("--json", "emit the machine-readable list").option("--server <slug>", "select target server slug (required when \u22652 attached)").action(withCliExit(async (opts) => {
@@ -35062,26 +33988,16 @@ channel.command("set").argument("<channel>", "channel value: latest | alpha | pi
 );
 program2.command("upgrade").description(
   [
-    "Auto-upgrade this Computer to the latest version in its channel (or --target-version <semver>).",
+    "Auto-upgrade this Computer (SEA single-binary) to the latest version in its channel (or --target-version <semver>).",
     "",
-    "Stages the target package, hydrates production dependencies, verifies the",
-    "hydrated @slock-ai/daemon version, then swaps the Computer package root."
+    "Downloads + sha256-verifies the target-version binary for this platform,",
+    "then atomically swaps the running single executable. The managed service",
+    "supervisor restarts on the swapped binary. SEA-only: a non-SEA (npm/dev)",
+    "run has no single binary to self-swap and is refused (UPGRADE_SEA_ONLY)."
   ].join("\n")
-).option("--dry-run", "stage + verify only; do not swap or restart").option("--channel <name>", "override channel for this invocation (latest | alpha | pinned:<semver>)").option("--target-version <semver>", "override target version explicitly (bypasses channel resolution)").option("--drain <mode>", "\xA72.7 drain mode: drain (default) | defer (abort if daemon busy) | force (SIGKILL, drop in-flight)").option("--force", "alias for --drain force (stuck-daemon recovery; drops in-flight turns)").action(
+).option("--dry-run", "download + sha256-verify only; do not swap or restart").option("--channel <name>", "override channel for this invocation (latest | alpha | pinned:<semver>)").option("--target-version <semver>", "override target version explicitly (bypasses channel resolution)").action(
   withCliExit(
     async (opts) => {
-      let drain;
-      if (opts.drain !== void 0) {
-        if (opts.drain !== "drain" && opts.drain !== "defer" && opts.drain !== "force") {
-          process.stderr.write(
-            `slock-computer: UPGRADE_DRAIN_INVALID: Invalid --drain "${opts.drain}". Accepted: drain | defer | force.
-`
-          );
-          process.exitCode = 1;
-          return;
-        }
-        drain = opts.drain;
-      }
       const slockHome = resolveSlockHome();
       const trigger = resolveUpgradeTrigger(process.env.SLOCK_UPGRADE_TRIGGER);
       try {
@@ -35090,8 +34006,6 @@ program2.command("upgrade").description(
             dryRun: opts.dryRun,
             channel: opts.channel,
             targetVersion: opts.targetVersion,
-            drain,
-            force: opts.force,
             trigger
           })
         );
@@ -35128,43 +34042,29 @@ program2.command("__service", { hidden: true }).action(withCliExit(async () => {
 program2.command("__run", { hidden: true }).argument("<serverId>", "server id this daemon child is bound to").action(withCliExit(async (serverId) => {
   await runResident(serverId);
 }));
-program2.command("__upgrade-test", { hidden: true }).option("--simulate-fail <phase>", "inject deterministic failure at named phase").option("--simulate-network-loss-at <phase>", "drop the fetch right when phase begins (stage|verify)").option("--simulate-sleep-wake <ms>", "insert pause inside spawn/health-poll (max 60000)").option("--drain <mode>", "drain mode forwarded to runUpgrade").option("--target-version <semver>", "label for the simulated upgrade (default 0.99.0)").option("--from-version <semver>", "label for the simulated from-version (default 0.0.0-test)").action(
-  withCliExit(async (opts) => {
-    const drain = opts.drain;
-    if (drain !== void 0 && drain !== "drain" && drain !== "defer" && drain !== "force") {
-      process.stderr.write(`__upgrade-test: invalid --drain "${drain}".
+async function runCli() {
+  if (process.argv[2] === "__cli") {
+    const { runBundledSlockCli } = await import("@slock-ai/daemon/core");
+    await runBundledSlockCli(process.argv.slice(3));
+    return;
+  }
+  await program2.parseAsync(process.argv);
+}
+var invokedAsMain = process.argv[1] !== void 0 && import.meta.url === pathToFileURL(process.argv[1]).href;
+if (invokedAsMain) {
+  runCli().catch((err) => {
+    process.stderr.write(`slock-computer: ${err instanceof Error ? err.message : String(err)}
 `);
-      process.exitCode = 1;
-      return;
-    }
-    await runUpgradeTestHarness(resolveSlockHome(), {
-      simulateFail: opts.simulateFail,
-      simulateNetworkLossAt: opts.simulateNetworkLossAt,
-      simulateSleepWakeMs: opts.simulateSleepWake !== void 0 ? Number(opts.simulateSleepWake) : void 0,
-      drain,
-      targetVersion: opts.targetVersion,
-      fromVersion: opts.fromVersion
-    });
-  })
-);
-program2.command("__upgrade-install-smoke", { hidden: true }).requiredOption("--package-tarball <path>", "local tarball to swap in for stage (QA only)").option("--target-version <semver>", "target version label", "0.99.0-smoke").option("--from-version <semver>", "from-version label (defaults to current binary's package.json version)").option("--channel <name>", "channel label for snapshot", "latest").option("--current-binary-dir <path>", "override install root (defaults to currently-running binary)").action(
-  withCliExit(async (opts) => {
-    await withMutationLock(
-      () => runUpgradeInstallSmokeCli(resolveSlockHome(), {
-        packageTarball: opts.packageTarball,
-        targetVersion: opts.targetVersion,
-        fromVersion: opts.fromVersion,
-        channel: opts.channel,
-        currentBinaryDir: opts.currentBinaryDir
-      })
-    );
-  })
-);
-program2.parseAsync(process.argv).catch((err) => {
-  process.stderr.write(`slock-computer: ${err instanceof Error ? err.message : String(err)}
+    if (process.env.SLOCK_COMPUTER_DEBUG_STACK && err instanceof Error && err.stack) {
+      process.stderr.write(`${err.stack}
 `);
-  process.exitCode = 1;
-});
+    }
+    process.exitCode = 1;
+  });
+}
+export {
+  program2 as program
+};
 /*! Bundled license information:
 
 undici/lib/web/fetch/body.js: